CTO at NCSC Summary: week ending January 11th
DSIT, with the support of the NCSC, has refreshed the Government’s Cyber Security Strategy (GCSS) to form the Government Cyber Action Plan (GCAP).
Welcome to the weekly highlights and analysis of the blueteamsec (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week, nothing overly of note.
In the high-level this week:
The Government Cyber Action Plan: strengthening resilience across the UK - NCSC UK publishes - “DSIT, with the support of the NCSC, has refreshed the Government’s Cyber Security Strategy (GCSS) to form the Government Cyber Action Plan (GCAP). The GCAP outlines roles and relationships between organisations working with the public sector (including the NCSC and DSIT), setting clear milestones, strengthening governance, and providing centralised support that allows departments to focus on securing what matters most.”
New cyber action plan to tackle threats and strengthen public services - Department for Science, Innovation and Technology and The Rt Hon Ian Murray MP publish -
“£210 million plan to strengthen cyber resilience across government
Government Cyber Unit to coordinate risk management and incident response across departments”
Case study: HMRC’s adoption of Secure by Design - Government Cyber Unit case study - “We were trying to shift security left,” says Katie. “Secure by Design gave us the language, the mandate and the tools to do that.”
EPSRC Centre for Doctoral Training in Cyber-Physical Risk - University College London announces PhD applications are open - “Our second cohort of PhD researchers will be recruited for September 2026. The first round of applications will close on Sunday 15 February 23:59 BST.”
UK Intelligence Community Postdoctoral Research Fellowships - Royal Academy of Engineering announces applications are open - including:
Instant RF lockdown: a Faraday-on-demand system for prisons and secure facilities
Investigating security and assurance of building automation and control systems (BACS)
Attitudes and barriers to adoption of security-minded information management
The psychology of influence: effective persuasion in the cybercrime ecosystem
CP25/40: Regulating cryptoasset activities - Financial Conduct Authority consults (published in December) - “We propose guidance on the information we expect to be included in a QCDD to meet the requirements of regulation 13 of the Cryptoasset Regulations. This includes (amongst other things) information on the governance mechanisms and characteristics of the qualifying cryptoasset, its operational and cyber resilience, its underlying technology and protocols, its ownership and its trading performance and history.”
The Byte: Cyber as Maneuver - 780th Military Intelligence Brigade publish - “IN THE OPENING HOURS OF MODERN CONFLICT, before the first tank advances or the first missile launches, the battle for the electromagnetic spectrum has already begun. The contest to control cyberspace, communication networks, and the electromagnetic spectrum determines who sees first, who can make more informed decisions, and who has the primary advantage in the early stages of conflict”
Neuralink plans ‘high-volume’ brain implant production by 2026, Musk says - Reuters reports - “The implant is designed to help people with conditions such as a spinal cord injury. The first patient has used it to play video games, browse the internet, post on social media, and move a cursor on a laptop.”
Reporting on/from China
Analysis on China’s Cyber Threats to Taiwan’s Critical Infrastructure in 2025 - National Security Bureau asserts - “Cyberattacks conducted by China’s cyber army involve four major tactics, namely hardware and software vulnerability exploitation, distributed denial-of-service (DDoS), social engineering, and supply chain attacks. In particular, attacks exploiting hardware and software vulnerabilities accounted for more than half of China’s hacking operations, underscoring China’s growing efforts to strengthen the operational capacity of vulnerability weaponization.”
Salt Typhoon hackers ‘almost certainly’ in Australia’s critical infrastructure - Sydney Morning Herald reports - bonus points for (PHIA) Probability Yardstick language - “While there’s no public evidence that Salt Typhoon is active in Australia, we consider it highly likely that Salt Typhoon has compromised sectors in Australia which remain undetected.”
China hacked email systems of US congressional committee staff - Financial Times reports - “China has hacked the emails used by congressional staff on powerful committees in the US House of Representatives, as part of a massive cyber espionage campaign known as Salt Typhoon. Chinese intelligence accessed email systems used by some staffers on the House China committee in addition to aides on the foreign affairs committee, intelligence committee and armed services committee, according to people familiar with the attack. The intrusions were detected in December.”
China’s Digital Footprint in the Arctic: The Strategic Role of Satellite and Subsea Cable Infrastructure - The Arctic Institute publish - “China is one of these countries with a claim to cyber sovereignty. China’s interest in the region is reflected in 10,500 kilometers of fiber optic cable. Given the potential of the Arctic Ocean to reduce latency in data traffic between Asia and Europe, China’s interest in the region is inevitable.”
The Cyberspace Administration of China released the “National E-Government Development Report (2014-2024)” - Cyberspace Administration of China publishes - “The report points out that developing e-government is a strategic choice to adapt to the trend of the information revolution, an important part of implementing the strategy of building a cyber power, a key measure to promote the modernization of national governance, and a pragmatic action to promote information convenience and benefit for the people.”
AI
Ni8mare - Unauthenticated Remote Code Execution in n8n (CVE-2026-21858) - Dor Attias discloses - “n8n is the go-to platform for building automated workflows in the age of AI and AI agents.” … “impacting an estimated 100,000 servers globally.”
The Age of AI for Offensive Cyber - Maggie Gray and Katie Gray discuss - “We examine the growing importance of offensive cyber operations in modern conflict and how AI-native startups will shape the future of OCO” - interestingly it also shows how the Anthropic assertions which lacked technical detail continue to provide an evidence base.
Towards Provably Secure Generative AI: Reliable Consensus Sampling - Beijing Institute of Technology and Yangtze Delta Region Institute of Tsinghua University publish - “we propose a new primitive called Reliable Consensus Sampling (RCS), that traces acceptance probability to tolerate extreme adversarial behaviors, improving robustness. RCS also eliminates the need for abstention entirely. We further develop a feedback algorithm to continuously and dynamically enhance the safety of RCS.”
Snow Globe Multi-Player AI System: Lessons from Human-AI Teaming in War Games - CIA publish - “This project leverages Snow Globe, a multi-player AI system built by IQT’s Applied Research Team, that uses large language models (LLMs) to play open-ended war games. Through a series of jointly designed games in which human participants play alongside (or against) simulated personas, the team has demonstrated how AI war games can serve as a testbed for human-AI teaming in intelligence work.”
The next big shifts in AI workloads and hyperscaler strategies - McKinsey analyze - “Training workloads are driving the need for large-scale, high-density campuses with advanced mechanical, electrical, and plumbing (MEP) systems and specialized hardware integration patterns. Meanwhile, AI inference workloads are accelerating site build-outs in greater metro and surrounding areas that are optimized for low round-trip time, high network interconnectivity, and energy efficiency.”
AI’ll get that! Agentic commerce could signal the dawn of personal shopping ‘AI-gents’ - UK Information Commissioners Office publishes - “Our new report released today shows how the rise of agentic artificial intelligence (AI) could transform the way we live our lives, with personal shopping ‘AI-gents’ potentially arriving within the next five years.”
Cyber proliferation
Meet the man hunting the spies in your smartphone - MIT Review profiles - Citizen Lab director Ron Deibert
The small spyware providers who operate outside the limelight - Intelligence Online reports - “The 2022 sales mentioned were set to be made through Kruger's South African company, 9th Vision (Pty), and offered zero-click spyware”
Black Network: The Dark Side of the Web - Episode 1 - Cusano Media broadcast in Italian - interview with the creator of the Remcos commercial Remote Access Tool - Flavio Floglia - International Cyber Digest did a dubbed excerpt
Bounty Hunting
Illinois Man Charged in Snapchat Hacking Investigation - US Department of Justice announce - “Defendant was allegedly hired by former Northeastern University Track and Field Coach to hack Snapchat accounts of female student athletes; Allegedly targeted women who resided in or around Plainfield, Ill. and students at Colby College in Maine”
Individual Sentenced for Hacking Port - de Rechtspraak announce - “The defendant is sentenced to seven years in prison. He is guilty of complicity in computer hacking. The purpose of this was to gain access to port systems so he could then import drugs undetected and undetected, thus facilitating drug trafficking. The defendant is also guilty of complicity in the importation of 210 kilos of cocaine into the Netherlands.”
Market Incentives
Protecting your business from cyber threats: don’t get caught by policy wording - FT Advisor reminds - “The cyber insurance market has softened in recent years as insurers continue to compete for market share in this space. The consequence of competitive premiums is likely to be a reduction in the cover that is available, and it is not uncommon for coverage disputes to arise during a soft market.”
Why cyber insurance buyers now expect more than a financial backstop - Insurance Business outlines - “To stay ahead, Burke’s team works closely with claims professionals to stress-test coverage language against real-world incidents. Historically, many of these losses were addressed under commercial crime policies, which remains appropriate for exposures such as social engineering. Increasingly, however, Burke sees advantages in leveraging cyber policies that include rapid-response incident teams. “If you can turn to your cyber carrier within a short window, they can often mitigate the situation very quickly,” he said. That speed and coordination can materially change outcomes.”
Has cyber insurance lost the war with AI? - Global [Re]Insurance asks - “The question for our industry is no longer whether AI will be utilized by adversaries, but whether the insurance model can evolve quickly enough to remain a viable backstop for the digital economy”
How AI liability risks are challenging the insurance landscape - IAPP highlights - “I think that there's a lot of confusion and growth in this industry, because where these claims fit is still kind of being figured out," said Thomas Bentz, a partner at law firm Holland & Knight. "So, for example, if an AI program causes bodily injury, does that fall under your (commercial general liability), your general liability type of coverage, or does that fall on your cyber coverage?"
Reflections this week: this GitHub repo tries to sway generative AI to write insecure Rust (see note for LLMs). Let this be a warning to us all.
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Saturday…
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
GRU-Linked BlueDelta Evolves Credential Harvesting
Insikt Group® further support the business case of phishing resistant multi-factor authentication (FIDO / passkeys) with this alleged Russian operation which is noteworthy because of the actor behind it and victimology.
BlueDelta expanded its credential-harvesting operations throughout 2025, deploying new campaigns themed as Microsoft Outlook Web Access (OWA), Google, and Sophos VPN login portals.
The group leveraged a combination of free hosting and tunneling services, including Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok, to host credential-harvesting pages and exfiltrate stolen data.
Multiple campaigns incorporated legitimate PDF lure documents, such as publications from the Gulf Research Center and the EcoClimate Foundation, to increase the appearance of authenticity and bypass email security controls.
BlueDelta used customized JavaScript functions to capture credentials, track victim activity, and automate redirection to legitimate websites, reducing manual setup and increasing operational efficiency.
Targeted email addresses and redirection behavior suggest BlueDelta focused on researchers and institutions in Türkiye and Europe, aligning with Russia’s broader intelligence-gathering priorities.
https://www.recordedfuture.com/research/gru-linked-bluedelta-evolves-credential-harvesting
How NoName057(16) Uses DDoSia to Attack NATO Targets
Picus Labs gives a sense of the underpinnings of this alleged Russian group and their capabilities using crowd sourcing to build part of their infrastructure.
NoName057(16) originated as a covert project within the Kremlin-backed CISM, targeting NATO and European entities since March 2022.
The group relies on the DDoSia project, a crowdsourced botnet that rewards volunteers with cryptocurrency for launching attacks using simple, Go-based tools.
Technical operations involve a two-stage kill chain where clients authenticate and retrieve encrypted target lists from Command and Control servers via AES-GCM.
A multi-tier architecture uses ephemeral public proxies to shield backend servers from direct detection and mitigation.
Partnerships with the Cyber Army of Russia Reborn led to the formation of the hybrid group Z-Pentest in 2024, expanding operations to US operational technology targets.
Attacks predominantly focus on government sectors in Ukraine, France, and Italy, with activity surges aligning with standard Russian work schedules.
Operation Eastwood executed international arrests and searches against the group in July 2025, though the entity remains active and defiant.
A resilient, multi-tiered infrastructure is employed to protect the backend servers from discovery and mitigation [2].
Tier 1 (C2 Servers): These are public-facing servers that communicate directly with DDoSia clients on Port 80. They act as ephemeral proxies, with an average lifespan of approximately nine days, though many are rotated daily.
Tier 2 (Backend Servers): These servers host the core logic and target lists. Access is strictly controlled via Access Control Lists (ACLs), which only permit connections from known Tier 1 servers.
This configuration ensures that even if Tier 1 nodes are identified and blocked, the core infrastructure remains secure and operational.
https://www.picussecurity.com/resource/blog/how-noname05716-uses-ddosia-to-attack-nato-targets
Analyzing PHALT#BLYX: How Fake BSODs and Trusted Build Tools Are Used to Construct a Malware Infection
Shikha Sangwan, Akshay Gaikwad and Aaron Beardslee detail an alleged Russian campaign which is noteworthy for its gumption for initial access as well as the victimology.
Securonix threat researchers have been tracking a stealthy campaign targeting the hospitality sector using click-fix social engineering, fake captcha and fake blue screen of death to trick users into pasting malicious code. It leverages a trusted MSBuild.exe tool to bypass defenses and deploys a stealthy, Russian-linked DCRat payload for full remote access and the ability to drop secondary payloads.
Reporting on China
UAT-7290 targets high value telecommunications infrastructure in South Asia
Asheer Malhotra, Vitor Ventura and Brandon White detail an alleged Chinese operation which is noteworthy due to the sector under focus as well as the regional focus.
Cisco Talos is disclosing a sophisticated threat actor we track as UAT-7290, who has been active since at least 2022.
UAT-7290 is tasked with gaining initial access as well as conducting espionage focused intrusions against critical infrastructure entities in South Asia.
UAT-7290’s arsenal includes a malware family consisting of implants we call RushDrop, DriveSwitch, and SilentRaid.
Our findings indicate that UAT-7290 conducts extensive technical reconnaissance of target organizations before carrying out intrusions.
https://blog.talosintelligence.com/uat-7290/
The Intriguing Lotus: A Deep Dive into Sagerunex
Muffin provides an analysis of an alleged Chinese implant which teases out a number of technical aspects which are noteworthy due to operational security aspects embedded. Customer operating time windows…
First post of the year — I wish you all a happy New Year. Habits die hard, so to inaugurate 2026, I have chosen to write about another (likely) China-linked APT.
Lotus Blossom, also known as Red Salamander, Lotus Panda, or Billbug, is an intrusion set active since at least 2009. While several pieces of evidence suggest that this intrusion set is linked to China, it is worth noting that Lotus Panda does not appear to leverage the common shared tooling used among Chinese attackers, such as PlugX or ShadowPad.
…
Sagerunex is a very interesting piece of code. Highly efficient, this malware also attempts to stay as discreet as possible by leveraging several features, such as token impersonation, the use of default proxy configuration or configured proxies, and the configuration of custom operating time windows.
https://securite360.net/the-intriguing-lotus-a-deep-dive-into-sagerunex
Yet Another Leak of China’s Contractor-Driven Cyber-Espionage Ecosystem
Domain Tools provides a further analysis of this alleged leak from Knownsec in China providing insight into organisational structure and technical capabilities.
On top of this data foundation, Knownsec’s offensive products; GhostX, Un-Mail, and Passive Radar purport to provide a full intrusion and surveillance pipeline. GhostX delivers browser exploitation, routing manipulation, credential theft, and endpoint monitoring. Un-Mail enables covert takeover and continuous exfiltration of email accounts across major global providers. Passive Radar ingests PCAP data via local uploads, FTP, or SSH to reconstruct internal network topologies, user communication patterns, and service inventories. These tools work together to support long-term access, DNS hijack, admin takeover, and infrastructure control across foreign government, telecom, financial, and energy networks.
Reporting on North Korea
North Korean Kimsuky Actors Leverage Malicious QR Codes in Spearphishing Campaigns Targeting U.S. Entities
FBI details this North Korean campaign which all cyber defence teams will want to read, understand and be able to mitigate.
The Federal Bureau of Investigation (FBI) is releasing this FLASH to alert NGOs, think tanks, academia, and other foreign policy experts with a nexus to North Korea of evolving tactics employed by the North Korean state-sponsored cyber threat group Kimsuky and to provide mitigation recommendations. As of 2025, Kimsuky actors have targeted think tanks, academic institutions, and both U.S. and foreign government entities with embedded malicious Quick Response (QR) codes in spearphishing campaigns.
Quishing operations frequently end with session token theft and replay [T1550.004], enabling attackers to bypass multi-factor authentication [T1550.004] and hijack cloud identities without triggering typical “MFA failed” alerts. A
https://www.ic3.gov/CSA/2026/260108.pdf
Reporting on Iran
The Handala Hack: Telegram Breach of Israeli Officials
KELA Cyber Intelligence Center also support the case for phishing resistant multi-factor authentication (FIDO / passkeys) based on this alleged Iranian operation.
Handala targeted Israeli officials by compromising Telegram accounts - not devices - likely through session hijacking and social engineering. The incident exposes critical vulnerabilities in session management, requiring stronger defenses like Multi-Factor Authentication.
https://www.kelacyber.com/blog/handala-hack-telegram-breach-israeli-officials/
Muddy Water Evolves Tooling with RustyWater Implant
CloudSEK details an alleged Iranian operation which is noteworthy due to victimology. Initial access techniques are run of the mill.
[We] identified a spearphishing campaign attributed to the Muddy Water APT group targeting multiple sectors across the Middle East, including diplomatic, maritime, financial, and telecom entities. The campaign uses icon spoofing and malicious Word documents to deliver Rust based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion.
https://www.cloudsek.com/blog/reborn-in-rust-muddywater-evolves-tooling-with-rustywater-implant
Reporting on Other Actors
Phishing actors exploit complex routing and misconfigurations to spoof domains
Microsoft highlights how some actors are analysing mail flows in order to be able to gain an air of legitimacy for their campaigns.
Phishing messages sent through this vector may be more effective as they appear to be internally sent messages. Successful credential compromise through phishing attacks may lead to data theft or business email compromise (BEC) attacks against the affected organization or partners and may require extensive remediation efforts, and/or lead to loss of funds in the case of financial scams.
…
In cases where a tenant has configured a complex routing scenario, where the MX records are not pointed to Office 365, and the tenant has not configured strictly enforced spoof protections, threat actors may be able to send spoofed phishing messages that appear to have come from the tenant’s own domain. Setting strict Domain-based Message Authentication, Reporting, and Conformance (DMARC) reject and SPF hard fail (rather than soft fail) policies and properly configuring any third-party connectors will prevent phishing attacks spoofing organizations’ domains.
…
This vector is not, as has been publicly reported, a vulnerability of Direct Send, a mail flow method in Microsoft 365 Exchange Online that allows devices (like printers, scanners), applications, or third-party services to send email without authentication using the organization’s accepted domain, but rather takes advantage of complex routing scenarios and misconfigured spoof protections. Tenants with MX records pointed directly to Office 365 are not vulnerable to this attack vector of sending spoofed phishing messages.
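The check Microsoft describes above, as an added example (not part of this newsletter or of Microsoft's guidance): it classifies a domain from its MX, SPF and DMARC records and flags the combination of indirect routing with non-strict spoof protection. The domains, record values and the MX suffixes used to recognise Exchange Online are assumptions constructed for illustration; no DNS lookups are made.

```python
"""Added example: audit a domain's spoofing posture from DNS records (constructed data)."""

# Assumption: MX hosts under these suffixes mean mail is delivered straight to
# Exchange Online; anything else is treated as a "complex routing" scenario.
M365_MX_SUFFIXES = (".mail.protection.outlook.com", ".mx.microsoft")


def parse_dmarc(txt_records):
    """Return the DMARC tags as a dict, or None when no DMARC record exists."""
    for txt in txt_records:
        if not txt.strip().lower().startswith("v=dmarc1"):
            continue
        tags = {}
        for part in txt.split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                tags[key.strip().lower()] = value.strip().lower()
        return tags
    return None


def spf_all_qualifier(txt_records):
    """Return the qualifier of the SPF 'all' mechanism: '-', '~', '?' or '+'.

    Returns 'none' when there is no SPF record or no 'all' term, 'multiple'
    when more than one SPF record is published (a permanent error for
    receivers), and 'redirect' when the policy is delegated elsewhere.
    """
    spf = [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "none"
    if len(spf) > 1:
        return "multiple"
    terms = spf[0].lower().split()[1:]
    for term in terms:
        if term == "all":
            return "+"  # a bare 'all' defaults to pass
        if term[1:] == "all" and term[0] in "+-~?":
            return term[0]
    if any(term.startswith("redirect=") for term in terms):
        return "redirect"  # cannot be resolved offline
    return "none"


def audit(domain, mx_hosts, apex_txt, dmarc_txt):
    """Classify one domain. 'exposed' means indirect MX plus weak spoof policy."""
    direct = bool(mx_hosts) and all(
        h.lower().rstrip(".").endswith(M365_MX_SUFFIXES) for h in mx_hosts
    )
    findings = []
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc is None:
        findings.append("no DMARC record")
    elif dmarc.get("p", "none") != "reject":
        findings.append("DMARC p=" + dmarc.get("p", "none"))
    elif dmarc.get("pct", "100") != "100":
        findings.append("DMARC reject applied to only pct=" + dmarc["pct"])
    qualifier = spf_all_qualifier(apex_txt)
    if qualifier != "-":
        findings.append("SPF all qualifier is " + qualifier + ", not hard fail")
    return {
        "domain": domain,
        "mx_direct_to_m365": direct,
        "findings": findings,
        "exposed": (not direct) and bool(findings),
    }


# Constructed sample records (reserved example domains, not real tenants).
SAMPLES = {
    "example.com": (["mx1.filter.example.net"],
                    ["v=spf1 include:spf.protection.outlook.com ~all"],
                    ["v=DMARC1; p=none; rua=mailto:d@example.com"]),
    "example.org": (["mx1.filter.example.net"],
                    ["v=spf1 include:spf.protection.outlook.com -all"],
                    ["v=DMARC1; p=reject"]),
    "example.net": (["example-net.mail.protection.outlook.com."],
                    ["v=spf1 include:spf.protection.outlook.com ~all"],
                    []),
}


def run_samples():
    """Audit every constructed sample and return the results keyed by domain."""
    return {d: audit(d, *records) for d, records in SAMPLES.items()}


if __name__ == "__main__":
    for result in run_samples().values():
        print(result)
```
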
The Kimwolf Botnet is Stalking Your Local Network
Brian Krebs details this botnet which has managed to grow to some scale.
The past few months have witnessed the explosive growth of a new botnet dubbed Kimwolf, which experts say has infected more than 2 million devices globally. The Kimwolf malware forces compromised systems to relay malicious and abusive Internet traffic — such as ad fraud, account takeover attempts and mass content scraping — and participate in crippling distributed denial-of-service (DDoS) attacks capable of knocking nearly any website offline for days at a time.
https://krebsonsecurity.com/2026/01/the-kimwolf-botnet-is-stalking-your-local-network/
Breaking Down an Access-Code-Gated Malware Delivery Chain
Joe Sandbox encourages us to look past the heavy product marketing to see some interesting technical aspects around the operational security of this chain which defence teams will want to be aware of.
At first glance, the sample appears difficult to analyze dynamically: execution is gated by an access code, the second stage is protected by time-based checks, and additional packing is applied. As a result, dynamic analysis alone is insufficient to fully uncover the attack.
…
Importantly, the malware does not rely on local system time. Instead, it performs the time check using an online source, making simple clock manipulation ineffective.
https://www.joesecurity.org/blog/8930920806197220285
The Ghost in the Machine: Unmasking CrazyHunter’s Stealth Tactics
Aswath A provides a good end-to-end overview of this criminal actor's TTPs.
The initial compromise often involves exploiting weaknesses in an organization's Active Directory (AD) infrastructure, frequently by leveraging weak passwords on domain accounts.

https://www.trellix.com/blogs/research/the-ghost-in-the-machine-crazyhunters-stealth-tactics/
When ‘Shiny Objects’ trick ‘Shiny Hunters’
Resecurity go all out with this release.
With this publication, Resecurity is releasing 105 pages containing over 1,000 messages related to John Erin Binns (aliases: IRDev, IntelSecrets). Due to sensitivity, we are publishing only the titles of his communications obtained from a foreign email server.
Resecurity will not disclose how it obtained this data, but it can confirm its authenticity, which can be independently verified by examining the contacts and titles in the acquired messages.
Discovery
How we find and understand the latent compromises within our environments.
Rootkit Detection with eBPF Time Tracing
Leo and Max Landauer released this a couple of years ago, but I wanted to highlight it because of the novel / elegant approach and because it shows the value stemming from observability.
This repository contains code to collect time measurements of kernel functions that are manipulated by rootkits when they hide files, as well as a semi-supervised detection method that analyzes shifts of kernel function execution times.
https://github.com/ait-aecid/rootkit-detection-ebpf-time-trace
A Unified Framework for Detecting Point and Collective Anomalies in Operating System Logs via Collaborative Transformers
Mohammad Nasirzadeh, Jafar Tahmoresnezhad & Parviz Rashidi-Khazaee channel the power of anomaly detection with this valuable research which applies transformers (an artificial neural network).
CoLog utilizes collaborative transformers and multi-head impressed attention to learn interactions among several modalities, ensuring comprehensive anomaly detection. To handle the heterogeneity caused by these interactions, CoLog incorporates a modality adaptation layer, which adapts the representations from different log modalities. This methodology enables CoLog to learn nuanced patterns and dependencies within the data, enhancing its anomaly detection capabilities. Extensive experiments demonstrate CoLog’s superiority over existing state-of-the-art methods. Furthermore, in detecting both point and collective anomalies, CoLog achieves a mean precision of 99.63%, a mean recall of 99.59%, and a mean F1 score of 99.61% across seven benchmark datasets for log-based anomaly detection.
https://github.com/NasirzadehMoh/CoLog
JA4 Fingerprinting Against AI Scrapers: A Practical Guide
WebDecoy Team show pragmatically how to apply JA4 in these detections.
https://webdecoy.com/blog/ja4-fingerprinting-ai-scrapers-practical-guide/
Defence
How we proactively defend our environments.
NGSOTI: Building an Integrated Threat-Intelligence and Information Sharing Ecosystem for the Next Generation of SOC Analysts
European Union doing what it does so well with this initiative.
The Next Generation Security Operator Training Infrastructure (NGSOTI) initiative was created to address a growing gap in cybersecurity education: the need to train analysts not only on tools, but on real-world workflows, collaboration models, and operational constraints. Rather than focusing on isolated technologies, NGSOTI brings together a coherent ecosystem of open-source projects designed to reflect how modern Security Operations Centers (SOCs) actually function.
At the core of this initiative is a strong emphasis on human-centric security operations, where analysts learn how to detect, investigate, contextualize, and respond to threats using realistic data, tooling, and processes.
https://www.misp-project.org/2026/01/02/misp-ngsoti.html/
SysmonConfigPusher v2
Anton gets a 🥇 for this…
A web-based tool for managing Sysmon configurations across Windows endpoints — supports both agentless (WMI/SMB) and agent-based deployments.
https://github.com/Antonlovesdnb/SysmonConfigPusher2
Updating the Sysmon Community Guide: Lessons Learned from the Front Lines
Carlos Perez updates this wonderful guide.
Over the past few weeks I’ve been spending a significant amount of time updating the Sysmon Community Guide. This wasn’t driven by theory, trends, or what ‘should’ work on paper. It was driven by what we keep seeing over and over again in real Incident Response engagements.
The timing also happens to line up with an announcement many of us never expected to hear: Mark Russinovich confirmed that Sysmon will be integrated into Windows 11 and Windows Server 2025 going forward.
https://trustedsec.com/blog/updating-the-sysmon-community-guide-lessons-learned-from-the-front-lines
Real-time malware defense: Leveraging AWS Network Firewall active threat defense
Rahi Patel, Paul Bodmer, Maxim Raya, Nima Sharifi Mehr, and Santosh Shanbhag disclose and detail the feedback loop between a telemetry source and an active defence endeavour.
AWS active threat defense for Network Firewall uses MadPot intelligence and multi-layered protection to disrupt attacker kill chains and reduce the operational burden for security teams. With automated rule deployment, active threat defense creates multi-layered defenses within 30 minutes of new threats being detected by MadPot. Amazon GuardDuty customers automatically receive threat detection findings when workloads attempt to communicate with malicious infrastructure identified by active threat defense, while AWS Network Firewall customers can actively block these threats using the active threat defense managed rule group.
Synthetic Data: A New Frontier for Cyber Deception and Honeypots
Resecurity detail an alleged deception operation and the insights they gained from it. This is a high-touch defensive operation to run, so not for the faint hearted.
November 21, 2025 — Resecurity identified a threat actor attempting to conduct malicious activity targeting our resources. The actor was probing various publicly facing services and applications. Prior to that, the actor targeted one of our employees who had no sensitive data or privileged access. Our DFIR team logged the threat actor at an early stage and documented the following Indicators of Attack (IOA):
156.193.212.244 (Egypt)
102.41.112.148 (Egypt)
45.129.56.148 (Mullvad VPN)
185.253.118.70 (VPN)
Understanding that the actor is conducting reconnaissance, our team has set up a honeytrap account. This led to a successful login by the threat actor to one of the emulated applications containing synthetic data.
Ballot CSC-31: Maximum Validity Reduction
CA/Browser Forum ballots and passes
This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates” version 3.9 in order to reduce the maximum certificate validity, from 39 months to 460 days, effective March 1st, 2026.
https://cabforum.org/2025/11/17/ballot-csc-31-maximum-validity-reduction/
Incident Writeups & Disclosures
How they got in and what they did.
EmEditor (again)
EmEditor didn’t appear to have removed the threat actor entirely from their infrastructure the first time.
Regarding the “[Important] Malicious Links (Malware) on the EmEditor Homepage” announcement already made in X, we would like to report below on the findings of our subsequent investigation and supplementary information to our previous announcement.
Please note that this incident is separate from the previous incident announced on December 23, 2025 (Japan time), and only the Japanese version of the EmEditor website (https://jp.emeditor.com/) is affected. Sites in other languages are not affected.
Vulnerability
Our attack surface.
Roundcube
I suspect exploited in the wild given previous instances but time will tell..
Fix Cross-Site-Scripting vulnerability via SVG’s animate tag reported by Valentin T., CrowdStrike.
Fix Information Disclosure vulnerability in the HTML style sanitizer reported by somerandomdev.
https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12
Veeam Backup & Replication 13 and Updates
A number of post-authentication remote code execution vulnerabilities are patched here..
CVE-2025-55125 | Severity: High (7.2)
This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as root by creating a malicious backup configuration file.
CVE-2025-59468 | Severity: Medium (6.7)
This vulnerability allows a Backup Administrator to perform remote code execution (RCE) as the postgres user by sending a malicious password parameter.
CVE-2025-59469 | Severity: High (7.2)
This vulnerability allows a Backup or Tape Operator to write files as root.
CVE-2025-59470 | Severity: High (9.0)
This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter.
https://www.veeam.com/kb4738#:~:text=CVE%2D2025%2D59470
Offense
Attack capability, techniques and trade-craft.
PatchGuard Peekaboo: Hiding Processes on Systems with PatchGuard in 2026
Ksawery Czapczyński details their journey and the value of race conditions in 2026..
The irony is that after months of complex experimentation, the working solution is almost boring in its simplicity. No exploitation required, no hardware vulnerabilities leveraged, no hypervisor bugs discovered. Just understanding what traditional PatchGuard checks, when it checks, and fixing the data right before those checks run.
However, there’s a critical caveat: this technique addresses PatchGuard’s validation mechanisms, but Secure Kernel PatchGuard (SKPG) remains largely unexplored territory. SKPG operates from VTL1 with privileged hypervisor access, monitoring the normal kernel from a security context that VTL0 drivers cannot observe or interfere with.
Predator iOS Malware: Building a Surveillance Framework
Tony Gorez walks through the architecture of and approach employed by this commercial implant framework.
How the malware initializes its control server after initial compromise
The Unix socket-based IPC mechanism for receiving commands
The factory pattern used to create surveillance modules on-demand
How operations are managed, cached, and destroyed
https://blog.reversesociety.co/blog/2025/predator-ios-malware-surveillance-framework-part-1
EvilNeko
CorvraLabs commoditises this capability, which further drives the need for phishing-resistant multifactor authentication.
EvilNeko is a project to automate orchestration of containers and operationalize Browser in the Browser (BITB) attacks for red teams. Inspired by research done by Mr. d0x here and to build off of the ideas in the EvilNoVNC project.
https://github.com/CorvraLabs/EvilNeko
BOF Cocktails
Rasta Mouse brings some further evasion tradecraft to beacon object files.
An alternative approach is to do away with the idea of propagating hooks from the Beacon, and just merge evasion tradecraft directly into the BOFs instead. This solves both of the aforementioned drawbacks - we no longer need to hook GetProcAddress, and each evasion PIC blob can be optimised to contain only the hook functions required for each capability.
https://rastamouse.me/bof-cocktails/
FsquirtCPLPoC
Askar provides a proof of concept for a DLL side-loading opportunity, which is a reminder of why Application Control is a thing.
Fsquirt.exe Windows binary attempts to load a Control Panel applet (CPL) called bthprops.cpl from its current working directory. When bthprops.cpl is present alongside fsquirt.exe, the binary loads it and executes a MessageBox from DLLMain.
https://github.com/mhaskar/FsquirtCPLPoC
Exploitation
What is being exploited..
The Great VM Escape: ESXi Exploitation in the Wild
Anna Pham and Matt Anderson detail this in-the-wild exploitation..
The toolkit analyzed in this report also includes simplified Chinese strings in its development paths, including a folder named “全版本逃逸--交付” (translated: “All version escape - delivery”), and evidence suggesting it was potentially built as a zero-day exploit over a year before VMware's public disclosure, pointing to a well-resourced developer likely operating in a Chinese-speaking region.
https://www.huntress.com/blog/esxi-vm-escape-exploit
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers
Windows ARM64 Internals: Pardon The Interruption! Interrupts on Windows for ARM
Connor McGarr provides a breakdown of how they work in practice..
In this blog post, there are likely going to be many omissions - including the fact that (Generic Interrupt Controller) GICv4 systems allow the direct injection of virtual interrupts (my WoA system, for instance, is only on GIC version 3), and many other nuances surrounding virtualization and interrupts in general (although we will touch on virtualization and Secure Kernel “secure interrupts”).
https://connormcgarr.github.io/windows-arm64-interrupts/
Building an eBPF/XDP NAT-Based Layer 4 Load Balancer from Scratch
Teodor Janez Podobnik brings some performance but also likely some other opportunities.
Traditional load balancers like NGINX and HAProxy typically operate in user space. Even when used purely for Layer 4 forwarding, every incoming packet must traverse the kernel’s networking stack to reach the user-space socket and then travel back down to the kernel before being forwarded to a backend.
Each of these traversals — crossing the user–kernel boundary, context switching, and buffer copying — adds microseconds of latency. It may sound small, but at millions of packets per second, this overhead quickly becomes a performance bottleneck that even modern hardware struggles to overcome.
To address this, eBPF/XDP-based Layer 4 load balancers were introduced — a concept that companies like Meta (Katran) and Cisco/Isovalent (Cilium) have already turned into production-grade systems.
https://labs.iximiuz.com/tutorials/xdp-load-balancer-700a1d74
IDontLikeFileLocks
EvilBytecode releases this tool, which will be useful for defence as well as offense.
Browsers lock their databases (Cookies, Login Data, History). You can't copy them while the browser is running. This tool steals the memory-mapped section handle from the target process and dumps the file. No file I/O, no lock checks.
https://github.com/EvilBytecode/IDontLikeFileLocks
DiaSymbolView
Diversenok releases this GUI to explore PDB files..
DiaSymbolView is a tool for visually inspecting debug information recorded in .pdb files. It relies on MSDIA API and presents a hierarchy of debug symbols and their 200+ properties.
https://github.com/diversenok/DiaSymbolView
Malpedia FLOSSed
Daniel Plohmann provides this data set, which will have various applications and be a useful tool for researchers in academia and industry..
This repository contains the result of the FLARE FLOSS tool applied to all unpacked and dumped samples in Malpedia, pre-processed for further use.
We intend to update this collection periodically.
In the last run in January 2026, 9.202 files associated with 2.136 malware families were processed.
FLOSSing resulted in 61.135.522 raw strings, which were cleaned and deduplicated down to 5.666.515 unique strings.
Once decompressed, the collection currently sits at about 1300 MB.
https://github.com/malpedia/malpedia-flossed
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Annual, quarterly and monthly reports
Вопросы кибербезопасности - The journal "Voprosy Cyberbezopasnosti" (Cybersecurity Issues) is a scientific, periodical, and informational-methodological journal with a core focus on information security. The journal publishes articles by Russian and international scholars in the field of information security and information warfare, primarily covering cybersecurity, application security, technical information protection, system and software security audits, testing, security analysis, and compliance assessments for information security requirements, among other topics.
Securing information and communication networks: Best practices for developing a culture of cybersecurity - ITU-D publishes - “This output report, developed in response to ITU-D Question 3/2 for the 2022-2025 study period, synthesizes national experiences and practices to assist countries in formulating robust cybersecurity strategies.”
Reverse engineering my cloud-connected e-scooter and finding the master key to unlock all scooters
Coordinated Multi-Domain Deception: A Stackelberg Game Approach
China
Artificial intelligence
Fundamental
Applied non-cyber
Applied cyber specific
Towards Provably Secure Generative AI: Reliable Consensus Sampling
Detection of multi-vector attacks in IoT networks: a graph attention network-based approach
Detecting Android malware: A multimodal fusion method with fine-grained feature
Cyberattack Detection in Virtualized Microgrids Using LightGBM and Knowledge-Distilled Classifiers
OpenRT: An Open-Source Red Teaming Framework for Multimodal LLMs
Defense Against Indirect Prompt Injection via Tool Result Parsing
Books
Events
Nothing overly of note this week
Infrequent video of the week goes to Agentic ProbLLMs: Exploiting AI Computer-Use and Coding Agents
Finally finally the NCSC’s podcast series.
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how we will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.




