
Metasploit Wrap-Up 02/13/2026

13 February 2026 at 15:01

SolarWinds Web Help Desk

Our very own sfewer-r7 has developed an exploit module for the SolarWinds Web Help Desk vulnerabilities CVE-2025-40536 and CVE-2025-40551. On successful exploitation, the session runs as NT AUTHORITY\SYSTEM. For more information see Rapid7’s SolarWinds Web Help Desk Vulnerabilities guidance.

Contributions

A big thanks to our contributors who have been adding some great content this release. rudraditya21 has added MITRE ATT&CK metadata to many of our existing modules. Chocapikk has added support for GHSA (GitHub Security Advisory) references in Metasploit modules. rudraditya21 also added negative caching to the LDAP entry cache, so missing objects are now recorded: the change introduces a missing-entry sentinel, tracks misses per identifier type, and updates the AD lookup helpers to short-circuit on cached misses and to record a miss whenever a lookup returns no entry.

New module content (5)

FreeBSD rtsold/rtsol DNSSL Command Injection

Authors: Kevin Day and Lukas Johannes Möller

Type: Exploit

Pull request: #20798 contributed by JohannesLks

Path: freebsd/misc/rtsold_dnssl_cmdinject

AttackerKB reference: CVE-2025-14558

Description: This adds a command-injection exploit for the FreeBSD rtsol/rtsold daemons (CVE-2025-14558). The vulnerability is triggered through the Domain Name Search List (DNSSL) option in IPv6 Router Advertisement (RA) messages, whose contents are passed to the resolvconf script without sanitization. The module requires elevated privileges on the attacking host because it sends raw IPv6 packets. The injected commands execute as root on the target.
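
The sanitization gap described above is easy to see in code. The following is an added example, not FreeBSD's rtsold code and not the project's fix: it decodes the DNSSL option (type 31, RFC 8106) carried in an RA and accepts a search-list entry only if every label fits hostname syntax, so shell metacharacters never reach a resolvconf-style script. The `build_dnssl_option` and `parse_dnssl_option` helpers, the option bytes and the names are all constructed for the example.

```ruby
# Added example: decode the DNSSL (type 31, RFC 8106) option of an IPv6 Router
# Advertisement and validate each search-list entry before it is handed to
# anything that runs a shell script. Illustrative code, not FreeBSD's rtsold
# or its patch; all option bytes and names below are constructed.

DNSSL_TYPE = 31
# A label may contain letters, digits and hyphens only. Spaces, quotes,
# semicolons, backticks and $() are therefore rejected before any shell sees them.
LABEL_RE = /\A[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\z/

# Build the option as a router would: type, length (8-octet units), reserved,
# lifetime, then DNS wire-format names, zero-padded to an 8-octet boundary.
def build_dnssl_option(names, lifetime: 1800)
  wire = names.map { |n| n.split('.').map { |l| [l.bytesize].pack('C') + l }.join + "\x00".b }.join
  body = [0, lifetime].pack('nN') + wire
  body << "\x00".b while (body.bytesize + 2) % 8 != 0
  [DNSSL_TYPE, (body.bytesize + 2) / 8].pack('CC') + body
end

# Returns { lifetime:, names: [accepted], rejected: [entries that failed validation] }.
def parse_dnssl_option(opt)
  type, len = opt.unpack('CC')
  raise ArgumentError, 'not a DNSSL option' unless type == DNSSL_TYPE
  raise ArgumentError, 'bad length' unless len && len >= 2 && opt.bytesize == len * 8
  lifetime = opt.byteslice(4, 4).unpack1('N')
  pos = 8
  names, rejected = [], []
  # A zero byte where a name should start is the trailing padding.
  while pos < opt.bytesize && !opt.getbyte(pos).zero?
    labels = []
    loop do
      raise ArgumentError, 'truncated name' if pos >= opt.bytesize
      l = opt.getbyte(pos)
      pos += 1
      break if l.zero?
      raise ArgumentError, 'label runs past option' if pos + l > opt.bytesize
      labels << opt.byteslice(pos, l)
      pos += l
    end
    name = labels.join('.')
    (labels.all? { |lb| lb.match?(LABEL_RE) } ? names : rejected) << name
  end
  { lifetime: lifetime, names: names, rejected: rejected }
end

# Constructed RA option: two benign search domains and one carrying a shell payload.
def demo_dnssl
  opt = build_dnssl_option(['example.com', 'corp.local', 'evil.net;id >/tmp/pwned'])
  parse_dnssl_option(opt)
end

puts demo_dnssl.inspect if $PROGRAM_NAME == __FILE__
```

Run it with `ruby dnssl_check.rb`; the two well-formed names are accepted and the entry containing `;` and a space lands in `rejected`, which is the decision point a daemon must make before building a command line from untrusted RA data.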

Ivanti Endpoint Manager Mobile (EPMM) unauthenticated RCE

Authors: sfewer-r7 and watchTowr

Type: Exploit

Pull request: #20932 contributed by sfewer-r7

Path: linux/http/ivanti_epmm_rce

AttackerKB reference: CVE-2026-1340

Description: Adds an exploit module for the recent command injection vulnerability CVE-2026-1281 affecting Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron. The vulnerability was exploited in the wild as a zero-day by an unknown threat actor.

GNU Inetutils Telnet Authentication Bypass Exploit CVE-2026-24061

Authors: Kyu Neushwaistein and jheysel-r7

Type: Exploit

Pull request: #20929 contributed by jheysel-r7

Path: linux/telnet/gnu_inetutils_auth_bypass

AttackerKB reference: CVE-2026-24061

Description: This adds an exploit module for the authentication bypass in GNU Inetutils telnetd tracked as CVE-2026-24061. During option negotiation, if the USER environment variable is sent with the value "-f root", authentication is bypassed and commands execute as the root user.
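
To make the negotiation step concrete, here is an added example (not the Metasploit module and not GNU Inetutils code) that encodes and decodes the telnet NEW-ENVIRON suboption from RFC 1572 and flags a USER value that a login program would parse as a command-line option. The helper names and the two sample suboptions are constructed for the example; the check is the kind a telnet honeypot or IDS rule would apply, and it does not depend on the target's telnetd.

```ruby
# Added example: telnet NEW-ENVIRON (RFC 1572) encoder/decoder plus a check for
# a USER value shaped like a command-line option. Illustrative code, not the
# Metasploit module or GNU Inetutils; sample suboptions are constructed.

IAC, SB, SE = 255, 250, 240
NEW_ENVIRON = 39                  # telnet option code
ENV_IS = 0                        # suboption command: client reports its environment
ENV_VAR, ENV_VALUE, ENV_ESC, ENV_USERVAR = 0, 1, 2, 3

# Bytes 0..3 inside a name or value must be escaped with ESC; IAC is doubled.
def escape_env(str)
  str.bytes.flat_map { |b| b <= 3 ? [ENV_ESC, b] : (b == IAC ? [IAC, IAC] : [b]) }.pack('C*')
end

# IAC SB NEW-ENVIRON IS [VAR name VALUE value]... IAC SE, as a client sends it.
def encode_new_environ(vars)
  body = vars.map { |k, v| [ENV_VAR].pack('C') + escape_env(k) + [ENV_VALUE].pack('C') + escape_env(v) }.join
  [IAC, SB, NEW_ENVIRON, ENV_IS].pack('C*') + body + [IAC, SE].pack('C*')
end

# Decodes one IS suboption into { name => value }, unescaping ESC and doubled IAC.
def decode_new_environ(bytes)
  raise ArgumentError, 'suboption too short' if bytes.bytesize < 6
  raise ArgumentError, 'not a NEW-ENVIRON IS suboption' unless bytes.byteslice(0, 4).unpack('C*') == [IAC, SB, NEW_ENVIRON, ENV_IS]
  raise ArgumentError, 'missing IAC SE' unless bytes.byteslice(-2, 2).unpack('C*') == [IAC, SE]
  payload = bytes.byteslice(4, bytes.bytesize - 6).bytes
  vars = {}
  name = nil
  buf = ''.b
  field = nil                     # :name or :value, whichever is being accumulated
  commit = lambda do
    name = buf if field == :name
    vars[name] = buf if field == :value && name
    buf = ''.b
  end
  i = 0
  while i < payload.length
    case payload[i]
    when ENV_VAR, ENV_USERVAR
      commit.call
      field = :name
    when ENV_VALUE
      commit.call
      field = :value
    when ENV_ESC, IAC             # escaped control byte or doubled IAC: take the next byte literally
      i += 1
      buf << payload.fetch(i)
    else
      buf << payload[i]
    end
    i += 1
  end
  commit.call
  vars
end

# A USER value that begins with '-' is parsed as an option, not an account name,
# by a login program that receives it as an argument; "-f root" is the case above.
def suspicious_login_user?(value)
  value.lstrip.start_with?('-')
end

def audit_new_environ(bytes)
  user = decode_new_environ(bytes)['USER']
  { user: user, suspicious: !user.nil? && suspicious_login_user?(user) }
end

SAMPLE_BYPASS = encode_new_environ('USER' => '-f root')                   # constructed
SAMPLE_BENIGN = encode_new_environ('USER' => 'alice', 'TERM' => 'xterm')  # constructed

puts audit_new_environ(SAMPLE_BYPASS).inspect if $PROGRAM_NAME == __FILE__
```

Feeding `SAMPLE_BYPASS` to `audit_new_environ` returns `suspicious: true`; the benign negotiation returns `false`. The same decoder can be pointed at suboptions pulled from a packet capture, since the IAC SB ... IAC SE framing is exactly what appears on the wire.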

SolarWinds Web Help Desk unauthenticated RCE

Authors: Jimi Sebree and sfewer-r7

Type: Exploit

Pull request: #20917 contributed by sfewer-r7

Path: multi/http/solarwinds_webhelpdesk_rce

AttackerKB reference: CVE-2025-40551

Description: This adds an exploit module for SolarWinds Web Help Desk installations vulnerable to CVE-2025-40536 and CVE-2025-40551. On success, the exploit opens a session as NT AUTHORITY\SYSTEM or root, depending on the target platform.

Xerte Online Toolkits Arbitrary File Upload - Upload Image

Author: Brandon Lester

Type: Exploit

Pull request: #20849 contributed by haicenhacks

Path: multi/http/xerte_authenticated_rce_uploadimage

Description: This adds three RCE modules for Xerte Online Toolkits, affecting version 3.14.0 and versions <= 3.13.7. Two are unauthenticated and one is authenticated.

Enhancements and features (10)

  • #20710 from Chocapikk - Adds support for GHSA (GitHub Security Advisory) and OSV (Open Source Vulnerabilities) references in Metasploit modules.
  • #20886 from cdelafuente-r7 - Updates services so they can now also have child services. This allows more detailed reporting for the services and vulns commands, which can now report parent -> child services, e.g. SSL -> HTTPS.
  • #20895 from rudraditya21 - Adds negative caching to the LDAP entry cache so missing objects are recorded and subsequent lookups by DN, sAMAccountName, or SID return nil without re-querying the directory.
  • #20934 from rudraditya21 - This adds MITRE ATT&CK tags to modules related to LDAP and AD CS. This enables users to find this content using Metasploit's search functionality and the att&ck keyword.
  • #20935 from rudraditya21 - Adds the MITRE ATT&CK tag T1558.003 to the kerberoast modules. This enables users to find this content using Metasploit's search functionality and the att&ck keyword.
  • #20936 from rudraditya21 - This adds MITRE ATT&CK tags to SMB modules related to accounts. This enables users to find the content by using Metasploit's search capability and the att&ck keyword.
  • #20937 from rudraditya21 - This adds MITRE ATT&CK tags to the two existing SCCM modules that fetch NAA credentials using different techniques. This enables users to find this content using Metasploit's search functionality and the att&ck keyword.
  • #20941 from rudraditya21 - Adds a MITRE ATT&CK technique reference to the Windows password cracking module to support ATT&CK‑driven discovery.
  • #20942 from rudraditya21 - Adds MITRE ATT&CK technique references to getsystem, cve_2020_1472_zerologon, and atlassian_confluence_rce_cve_2023_22527 modules to support ATT&CK‑driven discovery.
  • #20943 from g0tmi1k - Adds the affected versions to the description of the exploits/unix/webapp/twiki_maketext module.
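
Both the contributions note earlier in this post and #20895 describe the same mechanism. Here is an added example of that shape, written for this page rather than taken from Metasploit's LDAP cache: a sentinel object stands in for "no such entry" so it is distinguishable from "never looked up", misses are counted per identifier type, and each lookup helper returns nil from a cached miss without touching the directory. The `NegativeLdapCache` class, the in-memory hash that plays the directory and the sample user are all assumptions made for the example.

```ruby
# Added example: an LDAP entry cache with negative caching. Illustrative code,
# not Metasploit's implementation; the LdapEntry struct, the hash standing in
# for a live directory and the sample user are constructed for the example.

LdapEntry = Struct.new(:dn, :sam_account_name, :sid, keyword_init: true)

class NegativeLdapCache
  # Unique sentinel so a cached "no such entry" is distinguishable from an
  # identifier that has never been looked up (both would otherwise be nil).
  MISSING = Object.new.freeze

  attr_reader :misses, :queries

  def initialize(directory)
    @directory = directory                  # {type => {key => LdapEntry}}, stands in for the LDAP server
    @cache = { dn: {}, sam: {}, sid: {} }
    @misses = { dn: 0, sam: 0, sid: 0 }     # misses recorded per identifier type
    @queries = 0                            # round-trips to the directory
  end

  def by_dn(dn)
    lookup(:dn, dn)
  end

  def by_sam(sam)
    lookup(:sam, sam)
  end

  def by_sid(sid)
    lookup(:sid, sid)
  end

  private

  def lookup(type, key)
    bucket = @cache.fetch(type)
    if bucket.key?(key)
      cached = bucket[key]
      return cached.equal?(MISSING) ? nil : cached   # short-circuit: hit or cached miss, no query
    end

    @queries += 1
    entry = @directory.fetch(type, {})[key]
    if entry.nil?
      bucket[key] = MISSING      # record the miss so the next lookup returns nil immediately
      @misses[type] += 1
    else
      store(entry)
    end
    entry
  end

  # One hit primes every identifier index, so a later lookup of the same object
  # by DN, sAMAccountName or SID is also served from cache.
  def store(entry)
    @cache[:dn][entry.dn] = entry
    @cache[:sam][entry.sam_account_name] = entry
    @cache[:sid][entry.sid] = entry
  end
end

# Constructed sample directory holding a single user object.
ALICE = LdapEntry.new(dn: 'CN=alice,CN=Users,DC=corp,DC=local',
                      sam_account_name: 'alice',
                      sid: 'S-1-5-21-1-2-3-1105')
SAMPLE_DIRECTORY = {
  dn:  { ALICE.dn => ALICE },
  sam: { ALICE.sam_account_name => ALICE },
  sid: { ALICE.sid => ALICE }
}.freeze

def demo_negative_cache
  cache = NegativeLdapCache.new(SAMPLE_DIRECTORY)
  cache.by_sam('alice')                  # query 1: hit, all three indexes primed
  cache.by_dn(ALICE.dn)                  # served from cache, no query
  cache.by_sam('ghost')                  # query 2: miss, recorded under :sam
  ghost = cache.by_sam('ghost')          # cached miss: nil without a query
  cache.by_sid('S-1-5-21-1-2-3-9999')    # query 3: miss, recorded under :sid
  { queries: cache.queries, misses: cache.misses.dup, ghost: ghost }
end

puts demo_negative_cache.inspect if $PROGRAM_NAME == __FILE__
```

Five lookups cost three directory round-trips: the repeated `ghost` lookup is answered from the recorded miss, which is the traffic saving the change is after when a module resolves many identifiers that do not exist in the domain.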

Bugs fixed (7)

  • #20599 from BenoitDePaoli - Fixes an issue where running services -p <ports> -u -R to set RHOSTS from values in the database could fail silently with a file-not-found error.
  • #20775 from rmtsixq - Fixes a database initialization failure when using msfdb init with the --connection-string option to connect to PostgreSQL 15+ instances (e.g., Docker containers).
  • #20817 from randomstr1ng - Adds a fix to ensure the output of sap_router_portscanner no longer causes module crashes.
  • #20903 from jheysel-r7 - Fixes an issue so #enum_user_directories no longer returns duplicate directories.
  • #20906 from rudraditya21 - Implements a fix for SSH command shells dying on cmd_exec when a trailing newline was present.
  • #20953 from zeroSteiner - Improves the stability of socket channeling support for SSH sessions opened via scanner/ssh/ssh_login.
  • #20955 from adfoster-r7 - Ensures the cleanup of temporarily created RHOST files when using the services -p <ports> -u -R command to set RHOST values from the database.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.


Pedro Neto fires hat-trick as Chelsea provide Rosenior with happy return to Hull

13 February 2026 at 16:57

With sleet, snow, swirling wind from the banks of the Humber and most importantly, a Hull City side pushing hard for promotion to the Premier League this season, it was hard not to believe pre-match that this had all the makings of a difficult evening’s work for Chelsea.

Liam Rosenior holds this city close to his heart, given how some of his family hail from Hull and he had an enjoyable spell in charge of the Tigers: well, until he was unceremoniously sacked nearly two years ago, that is. But his happy association with Hull continued with a magnificent display from his Chelsea side, who ultimately sauntered into the next round of the FA Cup.

© Photograph: Scott Heppell/Reuters

Hull City v Chelsea: FA Cup fourth round – live

13 February 2026 at 13:53

⚽ FA Cup fourth-round updates, 7.45pm (GMT) kick-off

First thing to say is that Hadziahmetovic will be tonight’s copy and paste player.

Hull: Phillips, Coyle, Egan, McNair, McCarthy, Giles, Hadziahmetovic, Slater, Hirakawa, Koumas, Millar. Subs: Pandur, Lunstram, Jacob, Drameh, Gerhardt, Joseph, Famewo, Dowell, Tinsdale

© Photograph: Mike Egerton/PA

Salt calls on England to play with ‘chests out’ in crunch T20 World Cup clash with Scotland

13 February 2026 at 10:14
  • Defeat by West Indies leaves England needing a win

  • ‘It’s about playing with personality,’ says opening batter

It turns out England’s self-confidence might be a bit more resolute than their batting. It will take more than a couple of teetering performances to set this team’s morale atremble. So despite being nervy against Nepal and wobbly against West Indies, England could hardly have been more cocksure on the eve of a crucial T20 World Cup group fixture against Scotland. As Phil Salt put it: “When we’re at our best nobody can live with us.”

England arrived in India having lost once in 11 Twenty20 games over the previous 12 months, and that run continues to be a source of belief. “It’s just about getting to that space more often than we have in the last two games,” Salt said. “We’re not talking about 10 [bad] games or 12 games, we’re talking about two games where it’s fair to say we haven’t been at our best. But the good news is the competition is in front of us and we’ve got these opportunities to come. And if we can be that authentic side of ourselves – chests out, taking the game on and being smart – there’s nothing to stop us.

© Photograph: Nikhil Patil/Getty Images

Iran Turns to Digital Surveillance Tools to Track Down Protesters

As Iranian authorities restore some online services after crushing antigovernment demonstrations, they are using a technological dragnet to target attendees of the protests.

© Getty Images

Antigovernment protesters blocked a road last month in Tehran. Iran is using facial recognition and phone data to track and detain people involved in political opposition activities.

RFK Jr. follows a carnivore diet. That doesn’t mean you should.

13 February 2026 at 05:00

Americans have a new set of diet guidelines. Robert F. Kennedy Jr. has taken an old-fashioned food pyramid, turned it upside down, and plonked a steak and a stick of butter in prime positions.

Kennedy and his Make America Healthy Again mates have long been extolling the virtues of meat and whole-fat dairy, so it wasn’t too surprising to see those foods recommended alongside vegetables and whole grains (despite the well-established fact that too much saturated fat can be extremely bad for you).

Some influencers have taken the meat trend to extremes, following a “carnivore diet.” “The best thing you could do is eliminate out everything except fatty meat and lard,” Anthony Chaffee, an MD with almost 400,000 followers, said in an Instagram post.

And I almost choked on my broccoli when, while scrolling LinkedIn, I came across an interview with another doctor declaring that “there is zero scientific evidence to say that vegetables are required in the human diet.” That doctor, who described himself as “90% carnivore,” went on to say that all he’d eaten the previous day was a kilo of beef, and that vegetables have “anti-nutrients,” whatever they might be.

You don’t have to spend much time on social media to come across claims like this. The “traditionalist” influencer, author, and psychologist Jordan Peterson was promoting a meat-only diet as far back as 2018. A recent review of research into nutrition misinformation on social media found that the most diet information is shared on Instagram and YouTube, and that a lot of it is nonsense. So much so that the authors describe it as a “growing public health concern.”

What’s new is that some of this misinformation comes from the people who now lead America’s federal health agencies. In January Kennedy, who leads the Department of Health and Human Services, told a USA Today reporter that he was on a carnivore diet. “I only eat meat or fermented foods,” he said. He went on to say that the diet had helped him lose “40% of [his] visceral fat within a month.”

“Government needs to stop spreading misinformation that natural and saturated fats are bad for you,” Food and Drug Administration commissioner Martin Makary argued in a recent podcast interview. The principles of “whole foods and clean meats” are “biblical,” he said. The interviewer said that Makary’s warnings about pesticides made him want to “avoid all salads and completely miss the organic section in the grocery store.”

For the record: There’s plenty of evidence that a diet high in saturated fat can increase the risk of heart disease. That’s not government misinformation. 

The carnivore doctors’ suggestion to avoid vegetables is wrong too, says Gabby Headrick, associate director of food and nutrition policy at George Washington University’s Institute for Food Safety & Nutrition Security. There’s no evidence to suggest that a meat-only diet is good for you. “All of the nutrition science to date strongly identifies a wide array of vegetables … as being very health-promoting,” she adds.

To be fair to the influencers out there, diet is a tricky thing to study. Much of the research into nutrition relies on volunteers to keep detailed and honest food diaries—something that people are generally quite bad at. And the way our bodies respond to foods might be influenced by our genetics, our microbiomes, the way we prepare or consume those foods, and who knows what else.

Still, it will come as a surprise to no one that there is plenty of what the above study calls “low-quality content” floating around on social media. So it’s worth arming ourselves with a good dose of skepticism, especially when we come across posts that mention “miracle foods” or extreme, limited diets.

The truth is that most food is neither good nor bad when eaten in moderation. Diet trends come and go, and for most people, the best reasonable advice is simply to eat a balanced diet low in sugar, salt, and saturated fat. You know—the basics. No matter what that weird upside-down food pyramid implies. To the carnivore influencers, I say: get your misinformation off my broccoli.

This article first appeared in The Checkup, MIT Technology Review’s weekly biotech newsletter. To receive it in your inbox every Thursday, and read articles like this first, sign up here.

Bank bosses get huge pay rises in sign top City salaries back to pre-crash highs

Nat West chief executive’s £6.6m pay package for 2025 is largest since disgraced predecessor’s £7.7m in 2006

A trio of bank bosses have been handed huge pay packets in the latest sign that the vast salaries and bonuses handed to Wall Street and City of London executives in the run-up to the 2008 financial crisis have started to return.

NatWest on Friday revealed a £6.6m pay package for its boss, Paul Thwaite, marking the largest payout for a chief executive of the banking group since his disgraced predecessor Fred Goodwin took home £7.7m in 2006.

© Photograph: Ben Tritton

Toy tigers and Mike Tyson: inside Gary Bowyer’s Burton as they target Cup shock

13 February 2026 at 07:00

Manager’s unconventional techniques are designed to bring fun as well as results and he has West Ham in his sights

“At times the players must think I’m bonkers,” says Gary Bowyer, the Burton Albion manager, volunteering the time he walked into the dressing room with a tennis racket and ball. It is one of the unconventional techniques he has used to convey his message and tap into their psyche. Every week he explores different themes and stories with his squad – be it bullfighting or UFC – and brings them to life through imagery and props, everything from dragons to toy tigers.

He has leaned into boxing and particularly Mike Tyson during an FA Cup run that has led them to a fourth-round tie at home to West Ham on Saturday. “The theme for this week is The Ultimate,” he says, referencing Tyson’s 1987 bout with Tony Tucker to become the undisputed heavyweight champion. “We’ve created this idea of climbing into the ring, the pitch, and away you go. We’re fighting West Ham and we’re going to have to take some blows. What do you do if you get knocked on to the canvas? Get back up or lay there and take it?”

© Photograph: Fabio De Paola/The Guardian

Australia’s T20 World Cup campaign on brink of collapse after shock defeat to Zimbabwe

13 February 2026 at 04:44

Australia’s T20 World Cup campaign is threatening to implode after suffering a shock 23-run loss to Zimbabwe in Colombo. Set 170 runs for victory after winning the toss, Australia slumped to a dismal 29 for 4 inside the powerplay and gave Zimbabwe, 11th on the ICC rankings, reason to dream.

Glenn Maxwell (31 off 32 balls) and top-scorer Matthew Renshaw (65 off 44 balls) spearheaded the rescue mission with a 77-run stand for the fifth wicket in pursuit of Zimbabwe’s 169-2. But when Maxwell chopped on and last recognised batter Marcus Stoinis (6) holed out, Zimbabwe were on their way to dismissing Australia for 146 with three balls left on Friday.

© Photograph: Ishara S Kodikara/AFP/Getty Images

How to plan Ramadan meals: minimal work, maximum readiness

13 February 2026 at 03:00

Preparing simple, repetitive meals is the key to 30 days of fasting

Ramadan arrives this year in February, in the heart of winter. Short days, cold evenings and the pressure of everyday work mean that preparation is no longer about producing abundance, but about reducing effort while maintaining care. For many households balancing jobs, children and long commutes, the question is not what to cook, but how to make the month manageable.

The most effective approach to Ramadan cooking is not variety but repetition. A small set of meals that are easy to digest, quick to prepare and gentle on the body can carry a household through 30 days of fasting with far less stress than daily reinvention. The aim is to do the thinking once, not every day.

© Photograph: Astrid Templier/Food styling: Lina Saad.

The Cyber Express Weekly Roundup: Escalating Breaches, Regulatory Crackdowns, and Global Cybercrime Developments

13 February 2026 at 05:53

As February 2026 progresses, this week’s The Cyber Express Weekly Roundup examines a series of cybersecurity incidents and enforcement actions spanning Europe, Africa, Australia, and the United States. The developments include a breach affecting the European Commission’s mobile management infrastructure, a ransomware attack disrupting Senegal’s national identity systems, a landmark financial penalty imposed on an Australian investment firm, and the sentencing of a fugitive linked to a multimillion-dollar cryptocurrency scam. From suspected exploitation of zero-day vulnerabilities to prolonged breach detection failures and cross-border financial crime, these cases highlight the operational, legal, and systemic dimensions of modern cyber risk.

European Commission Mobile Infrastructure Breach Raises Supply Chain Questions

The European Commission reported a cyberattack on its mobile device management (MDM) system on January 30, potentially exposing staff names and mobile numbers. No devices were compromised, and the breach was contained within nine hours.

Ransomware Disrupts Senegal’s National Identity Systems

In West Africa, a major cyberattack hit Senegal’s Directorate of File Automation (DAF), halting identity card production and disrupting national ID, passport, and electoral services. Authorities insist no personal data was compromised, while a ransomware group has claimed responsibility for the attack. The full extent of the breach is still under investigation.

Australian Court Imposes Landmark Cybersecurity Penalty

In Australia, FIIG Securities was fined AU$2.5 million for failing to maintain adequate cybersecurity protections, leading to a 2023 ransomware breach that exposed 385GB of client data, including IDs, bank details, and tax numbers. The firm must also pay AU$500,000 in legal costs and implement an independent compliance program.

Crypto Investment Scam Leader Sentenced in Absentia

U.S. authorities sentenced Daren Li in absentia to 20 years for a $73 million cryptocurrency scam targeting American victims. Li remains a fugitive after fleeing in December 2025. The Cambodia-based scheme used “pig butchering” tactics to lure victims to fake crypto platforms, laundering nearly $60 million through U.S. shell companies. Eight co-conspirators have pleaded guilty. The case was led by the U.S. Secret Service.

India Brings AI-Generated Content Under Formal Regulation

India has regulated AI-generated content under notification G.S.R. 120(E), effective February 20, 2026, defining “synthetically generated information” (SGI) as AI-created content that appears real, including deepfakes and voiceovers. Platforms must label AI content, embed metadata, remove unlawful content quickly, and verify user declarations.

Weekly Takeaway

Taken together, this weekly roundup highlights the expanding attack surface created by digital transformation, the persistence of ransomware threats to national infrastructure, and the intensifying regulatory scrutiny facing financial institutions. From zero-day exploitation and supply chain risks to enforcement actions and transnational crypto fraud, organizations are confronting an environment where operational resilience, compliance, and proactive monitoring are no longer optional; they are foundational to trust and continuity in the digital economy.

Australia v Zimbabwe: T20 World Cup cricket – live

13 February 2026 at 02:45
  • Updates from the R. Premadasa Cricket Stadium in Colombo

  • Any thoughts? Email Martin

1st over: Zimbabwe 4-0 (Bennett 4, Marumani 0) Ben Dwarshuis makes a fine start on his return to the XI as he has the ball moving off the deck and he carves through Brian Bennett several times. Australia are excited by a noise after a delivery that jags off the seam and send a review upstairs. That is quickly declined and Bennett responds with two runs through point.

Zimbabwe openers Brian Bennett and Tadiwanashe Marumani are on their way out to the middle and hoping to set the tone for the underdogs who are facing their own injury concerns. Ben Dwarshuis is back in the XI and has the white ball in hand as we’re about to get under way in Colombo …

© Photograph: Ishara S Kodikara/AFP/Getty Images


When Amazon badly needed a ride, Europe's Ariane 6 rocket delivered

12 February 2026 at 19:34

The heavy version of Europe's Ariane 6 rocket launched for the first time Thursday, hauling 32 spacecraft to low-Earth orbit for Amazon's satellite broadband constellation.

The Ariane 6 rocket lifted off from the Guiana Space Center on the northeastern coast of South America at 11:45 am EST (16:45 UTC), quickly soaring into a clear sky at the tropical spaceport on the power of a hydrogen-fueled main engine and four strap-on solid rocket boosters.

This Ariane 6 configuration, called Ariane 64, is the first to use the rocket's full complement of four boosters. Collectively, the rocket generated more than 3.4 million pounds (15,400 kilonewtons) of thrust as it steered northeast over the Atlantic Ocean. Less than two hours later, the rocket's upper stage released all 32 of Amazon's satellites into an on-target orbit at an altitude of 289 miles (465 kilometers).

© ESA-CNES-Arianespace-P. Piron

FA Cup fourth round: 10 things to look out for this weekend

12 February 2026 at 19:01

Burnley have the chance of a Cup run, Leicester fear an unwelcome repeat and Brighton fans get a raw deal

Chelsea have kept two clean sheets in 10 games since appointing Liam Rosenior as head coach last month. Repeated doziness at the back has cost them. They have held commanding advantages against Charlton, Crystal Palace, Wolves and Leeds, only to give away silly goals. It is a bad habit and proved costly when a 2-0 lead was squandered during Tuesday’s draw with Leeds. Rosenior was livid afterwards, and is waiting for a consistent performance. Chelsea travel to Hull, Rosenior’s former club, on Friday night. They will surely advance against Championship opponents, but how they do it will matter. It is time for them to get serious. Jacob Steinberg

Hull City v Chelsea, Friday 7.45pm (all times GMT)

Burton Albion v West Ham, Saturday 12.15pm

Burnley v Mansfield, Saturday 3pm

Southampton v Leicester, Saturday 3pm

© Composite: Getty Images

Lisa Nandy refers Telegraph sale to watchdogs over rightwing media plurality concerns

12 February 2026 at 13:52

CMA and Ofcom to examine DMGT takeover amid fears merger could curb ‘diverging editorial stances’ in press

Lisa Nandy, the culture secretary, has referred the Telegraph’s proposed sale to the publisher of the Daily Mail to the competition and media watchdogs, weeks after she raised concerns about the consolidation of rightwing newspapers.

Nandy said she was using her powers to refer the £500m deal for the Telegraph titles, which include the Daily Telegraph and its Sunday sister paper, to the Competition and Markets Authority (CMA) and the media regulator Ofcom.

© Photograph: Yui Mok/PA

‘If they’re a chef short, I’ll fill that role’: Safyaan Sharif ready to cook up T20 World Cup shock

12 February 2026 at 11:12

Seamer was set to spend February helping at his father’s restaurant until late World Cup call – now he’s focused on another England upset

It is fair to say that England’s first two games at the T20 World Cup have not inspired much confidence – unless you’re one of their future opponents. For Scotland, last-minute call-ups after the decision to banish Bangladesh from the tournament last month, English travails have put some extra pep in their step ahead of the now-crucial Group C clash in Kolkata on Saturday.

“Definitely,” says the seamer Safyaan Sharif. “They’ll be feeling pressure because they know they have to win if they want to qualify. Obviously that’s the same with us, but I don’t think we have too much to lose. I think they have more to lose than us. Nepal gave them a good run and they were stressed in that game. They were panicking a lot – you could tell, the way they were playing in the final few overs. So it’s how they handle the pressure.

© Photograph: Matt Roberts-ICC/ICC/Getty Images

Senegal Confirms Cyberattack on Agency Managing National ID and Biometric Data

10 February 2026 at 02:32


The recent Senegal cyberattack on the Directorate of File Automation (DAF) has done more than disrupt government services. It has exposed how vulnerable the country’s most sensitive data systems really are, and why cybersecurity can no longer be treated as a technical issue handled quietly in the background. DAF, the government agency responsible for managing national ID cards, passports, biometric records, and electoral data, was forced to temporarily shut down operations after detecting a cyber incident. For millions of Senegalese citizens, this means delays in accessing essential identity services. For the country, it raises far bigger concerns about data security and national trust.

Senegal Cyberattack Brings Identity Services to a Standstill

In an official public notice, DAF confirmed that the production of national identity cards had been suspended following the cyberattack. Authorities assured citizens that personal data had not been compromised and that systems were being restored. However, as days passed and the DAF website remained offline, doubts began to grow. A Senegal cyberattack affecting such a critical agency is not something that can be brushed off quickly, especially when biometric and identity data are involved.

Hackers Claim Theft of Massive Biometric Data

The situation escalated when a ransomware group calling itself The Green Blood Group claimed responsibility for the attack. The group says it stole 139 terabytes of data, including citizen records, biometric information, and immigration documents. To back up its claims, the hackers released data samples on the dark web. They also shared an internal email from IRIS Corporation Berhad, a Malaysian company working with Senegal on its digital national ID system. In the email, a senior IRIS executive warned that two DAF servers had been breached and that card personalization data may have been accessed. Emergency steps were taken, including cutting network connections and shutting access to external offices. Even if authorities insist that data integrity remains intact, the scale of the alleged breach makes the Senegal cyberattack impossible to ignore.

Implications of the Senegal Cyberattack

DAF is not just another government office. It manages the digital identities of Senegalese citizens. Any compromise—real or suspected—creates long-term risks, from identity fraud to misuse of biometric data. What makes this incident more worrying is that it is not the first major breach. Just months ago, Senegal’s tax authority also suffered a cyberattack. Together, these incidents point to a larger problem: critical systems are being targeted, and attackers are finding ways in. Cybercrime groups are no longer experimenting in Africa. They are operating with confidence, speed, and clear intent. The Green Blood Group, which appeared only recently, has reportedly targeted just two countries so far—Senegal and Egypt. That alone should be taken seriously.

Disputes, Outsourcing, and Cybersecurity Blind Spots

The cyberattack also comes during a payment dispute between the Senegalese government and IRIS Corporation. While no official link has been confirmed, the situation highlights a key issue: when governments rely heavily on third-party vendors, cybersecurity responsibility can become blurred. The lesson from this Senegal cyberattack is simple and urgent. Senegal needs a dedicated National Cybersecurity Agency, along with a central team to monitor, investigate, and respond to cyber incidents across government institutions. Cyberattacks in Africa are no longer rare or unexpected. They are happening regularly, and they are hitting the most sensitive systems. Alongside better technology, organizations must focus on insider threats, staff awareness, and leadership accountability. If sensitive data from this attack is eventually leaked, the damage will be permanent. Senegal still has time to act—but only if this warning is taken seriously.

Zscaler Bolsters Zero-Trust Arsenal with Acquisition of Browser Security Firm SquareX

9 February 2026 at 14:18

Cloud security titan Zscaler Inc. has acquired SquareX, a pioneer in browser-based threat protection, in an apparent move to step away from traditional, clunky security hardware and toward a seamless, browser-native defense. The acquisition, for which financial terms were not disclosed, integrates SquareX’s browser detection and response technology into Zscaler’s Zero Trust Exchange platform. Unlike traditional..

The post Zscaler Bolsters Zero-Trust Arsenal with Acquisition of Browser Security Firm SquareX appeared first on Security Boulevard.

Metasploit Wrap-Up 02/06/2026

6 February 2026 at 13:52

Google Summer of Code 2026

Our very own Jack Heysel has added documentation outlining the Metasploit Framework project ideas for GSoC 2026. For anyone interested in applying, please see the GSoC-How-To-Apply documentation, or reach out to any of the following GSoC mentors on the Metasploit Slack:

  • @jheysel
  • @zeroSteiner
  • @h00die

Gladinet

This week Chocapikk added Gladinet CentreStack/Triofox exploitation capabilities: two new auxiliary modules and an update to an existing exploit. The updated exploit module now accepts a custom MACHINEKEY option, so that machineKeys extracted from Web.config files via the newly discovered vulnerabilities can be used directly. The gladinet_storage_path_traversal_cve_2025_11371 module exploits a path traversal to read arbitrary files and extract machineKeys, while gladinet_storage_access_ticket_forge forges access tickets using hardcoded cryptographic keys.

New module content (1)

Gladinet CentreStack/Triofox Access Ticket Forge

Authors: Huntress Team, Julien Voisin, and Valentin Lobstein chocapikk@leakix.net

Type: Auxiliary

Pull request: #20768 contributed by Chocapikk 

Path: gather/gladinet_storage_access_ticket_forge

Description: This adds two auxiliary modules for Gladinet CentreStack/Triofox. Both modules can read arbitrary files and extract the machineKey, which is used to secure ASP.NET ViewState data. Furthermore, this change also includes a new mixin for Gladinet.
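The practical follow-up to the Gladinet modules above is a check that any ASP.NET application whose Web.config may have been read does not keep a static machineKey in place. The script below is an added example written for this wrap-up, not code from Gladinet, Metasploit or the module authors: it parses a constructed Web.config, reports static or undersized validationKey/decryptionKey values, and mints a fresh element from the CSPRNG. The minimum key sizes are this example's own policy, not an ASP.NET requirement.

```python
"""Audit an ASP.NET <machineKey> for static or undersized keys and mint a replacement.

Added example (not Gladinet's or Metasploit's code). Both Web.config samples below
are constructed for illustration; the key-size policy is this example's own.
"""
import secrets
import xml.etree.ElementTree as ET

# Constructed sample: a static, short machineKey of the kind found in shipped defaults.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF01234567"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed sample: keys generated per machine, nothing to steal from the file.
AUTOGEN_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Minimum key sizes in bytes enforced by this check (example policy, not an ASP.NET rule):
# 64 bytes for an HMACSHA256 validationKey, 32 bytes for an AES-256 decryptionKey.
MIN_KEY_BYTES = {"validationKey": 64, "decryptionKey": 32}


def audit_machine_key(config_xml: str) -> dict:
    """Return {"static": bool, "findings": [...]} for the first <machineKey> in config_xml."""
    root = ET.fromstring(config_xml)
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        return {"static": False,
                "findings": ["no <machineKey> element: keys are auto-generated per machine"]}
    findings, static = [], False
    for attr, min_bytes in MIN_KEY_BYTES.items():
        value = mk.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue
        static = True
        findings.append(f"{attr} is static: anyone who can read Web.config can forge "
                        "ViewState and other machineKey-protected tokens")
        try:
            raw = bytes.fromhex(value)
        except ValueError:
            findings.append(f"{attr} is not a hex string")
            continue
        if len(raw) < min_bytes:
            findings.append(f"{attr} is {len(raw)} bytes, below the {min_bytes}-byte minimum")
    return {"static": static, "findings": findings}


def generate_machine_key() -> str:
    """Mint a fresh <machineKey> element with CSPRNG keys at the policy sizes."""
    vk = secrets.token_hex(MIN_KEY_BYTES["validationKey"]).upper()
    dk = secrets.token_hex(MIN_KEY_BYTES["decryptionKey"]).upper()
    return (f'<machineKey validationKey="{vk}" decryptionKey="{dk}" '
            'validation="HMACSHA256" decryption="AES" />')


if __name__ == "__main__":
    for label, cfg in (("static", SAMPLE_WEB_CONFIG), ("autogen", AUTOGEN_WEB_CONFIG)):
        print(label, audit_machine_key(cfg))
    print(generate_machine_key())
```

A static key is never "good enough" once a file-read bug has been exploited: the only remediation is to rotate it everywhere the value was shared (every node of a web farm), which is why the generator emits a complete element rather than a single key.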

Enhancements and features (3)

  • #20739 from cdelafuente-r7 - This adds MITRE ATT&CK metadata tags to modules relating to Kerberos and unconstrained delegation. This enables users to search for the content based on the ATT&CK technique ID.
  • #20882 from karanabe - Adds the RSAKeySize advanced option and uses it when generating the CSR key pair, allowing users to increase key size to meet certificate template minimums and avoid CERTSRV_E_KEY_LENGTH errors when 2048-bit keys are rejected.
  • #20883 from jheysel-r7 - Updates Kerberos modules to present a user friendly message when the user specifies the IMPERSONATE option when running a module but also forgets to specify IMPERSONATION_TYPE.

Bugs fixed (5)

  • #20368 from isaac-app-dev - Fixes an issue that caused msfvenom to break if it were run from alternative directories.
  • #20680 from cdelafuente-r7 - Improves the RPC API with multiple fixes and enhancements.
  • #20834 from kuklycs - This fixes the NoMethodError in the team_viewer post module, caused by misuse of the each_key method. The keys array has been updated to a 1-D array to simplify the logic.
  • #20916 from Chepycou - Fixes a crash when running the SAP modules sap_soap_rfc_system_info or sap_icf_public_info.
  • #20920 from rudraditya21 - This fixes a bug in password cracking modules where the auto action would crash even when the path to a compatible executable was specified in CRACKER_PATH.

Documentation added (1)

  • #20910 from jheysel-r7 - This adds documentation regarding the projects for which we are soliciting submissions for as part of the Google Summer of Code program.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Why Darren Aronofsky thought an AI-generated historical docudrama was a good idea

6 February 2026 at 06:30

Last week, filmmaker Darren Aronofsky's AI studio Primordial Soup and Time magazine released the first two episodes of On This Day... 1776. The year-long series of short-form videos features short vignettes describing what happened on that day of the American Revolution 250 years ago, but it does so using “a variety of AI tools” to produce photorealistic scenes containing avatars of historical figures like George Washington, Thomas Paine, and Benjamin Franklin.

In announcing the series, Time Studios President Ben Bitonti said the project provides "a glimpse at what thoughtful, creative, artist-led use of AI can look like—not replacing craft but expanding what’s possible and allowing storytellers to go places they simply couldn’t before."

The trailer for "On This Day... 1776."

Outside critics were decidedly less excited about the effort. The AV Club took the introductory episodes to task for "repetitive camera movements [and] waxen characters" that make for "an ugly look at American history." CNET said that this "AI slop is ruining American history," calling the videos a "hellish broth of machine-driven AI slop and bad human choices." The Guardian lamented that the "once-lauded director of Black Swan and The Wrestler has drowned himself in AI slop," calling the series "embarrassing," "terrible," and "ugly as sin." I could go on.


© Primordial Soup

The Cyber Express Weekly Roundup: Global Cybersecurity Incidents and Policy Shifts

TCE weekly roundup

As the first week of February 2026 concludes, The Cyber Express weekly roundup examines the developments shaping today’s global cybersecurity landscape. Over the past several days, governments, technology companies, and digital platforms have confronted a wave of cyber incidents ranging from disruptive attacks on public infrastructure to large-scale data exposures and intensifying regulatory scrutiny of artificial intelligence systems.  This week’s cybersecurity reporting reflects a broader pattern: rapid digital expansion continues to outpace security maturity. High-profile breaches, misconfigured cloud environments, and powerful AI tools are creating both defensive opportunities and significant new risks.  

The Cyber Express Weekly Roundup 

Cyberattack Disrupts Spain’s Ministry of Science Operations 

Spain’s Ministry of Science, Innovation, and Universities confirmed that a cyberattack forced a partial shutdown of its IT systems, disrupting digital services relied upon by researchers, universities, students, and businesses nationwide. Initially described as a technical incident, the disruption was later acknowledged as a cybersecurity event that required the temporary closure of the ministry’s electronic headquarters.

OpenAI Expands Controlled Access to Advanced Cyber Defense Models 

OpenAI announced the launch of Trusted Access for Cyber, a new initiative designed to strengthen defensive cybersecurity capabilities while limiting the potential misuse of highly capable AI systems. The program provides vetted security professionals with controlled access to advanced models such as GPT-5.3-Codex, which OpenAI identifies as its most cyber-capable reasoning model to date.

French Authorities Escalate Investigations Into X and Grok AI 

French police raided offices belonging to the social media platform X as European investigations expanded into alleged abuses involving its Grok AI chatbot. Authorities are examining claims that Grok generated nonconsensual sexual deepfakes, child sexual abuse material (CSAM), and content denying crimes against humanity, including Holocaust denial.

AI-Generated Platform Moltbook Exposes Millions of Credentials 

Security researchers disclosed that Moltbook, a viral social network built entirely using AI-generated code, exposed 1.5 million API authentication tokens, 35,000 user email addresses, and thousands of private messages due to a database misconfiguration. Wiz Security identified the issue after discovering an exposed Supabase API key embedded in client-side JavaScript, which granted unrestricted access to the platform’s production database. A key that ships to the browser is, by construction, public; the failure mode is a key with more privilege than an anonymous client should ever hold, or tables reachable through it without Row Level Security enabled.
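The check a reviewer wants to run on any shipped JavaScript bundle is "which Supabase keys are in here, and what role do they carry". Supabase's JWT-form API keys encode that in the token payload (iss: supabase, role: anon or service_role), so it can be read offline without calling the project. The script below is an added example, not Wiz's or Moltbook's code; the bundle and the tokens in it are constructed here with a dummy signature, and the project ref is made up.

```python
"""Classify Supabase-style JWT API keys found in client-side JavaScript.

Added example, not Wiz Security's or Moltbook's code. Supabase's JWT-form API keys
carry a "role" claim ("anon" or "service_role"); the sample bundle and keys below are
constructed here with a fake signature and a made-up project ref.
"""
import base64
import json
import re


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_fake_supabase_key(role: str) -> str:
    """Build a constructed, unverifiable token in the same header.payload.signature shape."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({
        "iss": "supabase",
        "ref": "abcdefghijklmnopqrst",   # made-up project ref
        "role": role,
        "iat": 1700000000,
        "exp": 2000000000,
    }).encode())
    return f"{header}.{payload}.{_b64url(b'not-a-real-signature')}"


# Constructed bundle: the expected anon key next to a server key that should never ship.
SAMPLE_BUNDLE = f"""
const SUPABASE_URL = "https://abcdefghijklmnopqrst.supabase.co";
const SUPABASE_ANON_KEY = "{make_fake_supabase_key('anon')}";
// someone pasted the server-side key into the client build:
const ADMIN_KEY = "{make_fake_supabase_key('service_role')}";
"""

# Three base64url segments; JSON objects encode with a leading "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment without verifying the signature (classification only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_keys(js: str) -> list:
    """Return one record per Supabase JWT found in js with its role and a severity note."""
    results = []
    for token in JWT_RE.findall(js):
        try:
            claims = decode_jwt_payload(token)
        except (ValueError, json.JSONDecodeError):
            continue
        if claims.get("iss") != "supabase":
            continue
        role = claims.get("role")
        if role == "service_role":
            severity = "critical: bypasses Row Level Security entirely; rotate immediately"
        elif role == "anon":
            severity = "expected in client code; safe only if RLS is enabled on every exposed table"
        else:
            severity = f"unknown role {role!r}: review manually"
        results.append({"ref": claims.get("ref"), "role": role, "severity": severity})
    return results


if __name__ == "__main__":
    for rec in classify_keys(SAMPLE_BUNDLE):
        print(rec)
```

Finding only an anon key is not a clean bill of health: the roundup's case is exactly an anon-level key reaching tables with no RLS policy, which this offline pass cannot see. Treat a service_role hit as an incident, and follow an anon hit with a policy review of every table the PostgREST endpoint exposes. Newer key formats that are not JWTs are not decoded by this check.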

Substack Discloses Breach Months After Initial Compromise 

Substack revealed that attackers accessed user email addresses, phone numbers, and internal metadata in October 2025, though the breach went undetected until February 3, 2026. CEO Chris Best notified affected users, stating, “I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here.”

Weekly Takeaway 

This Cyber Express weekly roundup highlights a clear takeaway for the global cybersecurity community: digital expansion without equivalent security investment increases organizational and systemic risk. AI-built platforms, advanced security tooling, and large-scale public-sector systems are being deployed rapidly, often without adequate access controls, monitoring, or testing. As recent incidents show, these gaps lead to data exposure, prolonged breach detection, and service disruption. To reduce risk, organizations must embed security controls, clear ownership, and continuous monitoring into system design and daily operations, rather than relying on post-incident fixes or policy statements.

An experimental surgery is helping cancer survivors give birth

6 February 2026 at 05:00

This week I want to tell you about an experimental surgical procedure that’s helping people have babies. Specifically, it’s helping people who have had treatment for bowel or rectal cancer.

Radiation and chemo can have pretty damaging side effects that mess up the uterus and ovaries. Surgeons are pioneering a potential solution: simply stitch those organs out of the way during cancer treatment. Once the treatment has finished, they can put the uterus—along with the ovaries and fallopian tubes—back into place.

It seems to work! Last week, a team in Switzerland shared news that a baby boy had been born after his mother had the procedure. Baby Lucien was the fifth baby to be born after the surgery and the first in Europe, says Daniela Huber, the gyno-oncologist who performed the operation. Since then, at least three others have been born, adds Reitan Ribeiro, the surgeon who pioneered the procedure. They told me the details.

Huber’s patient was 28 years old when a four-centimeter tumor was discovered in her rectum. Doctors at Sion Hospital in Switzerland, where Huber works, recommended a course of treatment that included multiple medications and radiotherapy—the use of beams of energy to shrink a tumor—before surgery to remove the tumor itself.

This kind of radiation can kill tumor cells, but it can also damage other organs in the pelvis, says Huber. That includes the ovaries and uterus. People who undergo these treatments can opt to freeze their eggs beforehand, but the harm caused to the uterus will mean they’ll never be able to carry a pregnancy, she adds. Damage to the lining of the uterus could make it difficult for a fertilized egg to implant there, and the muscles of the uterus are left unable to stretch, she says.

In this case, the woman decided that she did want to freeze her eggs. But it would have been difficult to use them further down the line—surrogacy is illegal in Switzerland.

Huber offered her an alternative.

She had been following the work of Ribeiro, a gynecologist oncologist formerly at the Erasto Gaertner Hospital in Curitiba, Brazil. There, Ribeiro had pioneered a new type of surgery that involved moving the uterus, fallopian tubes, and ovaries from their position in the pelvis and temporarily tucking them away in the upper abdomen, below the ribs.

Ribeiro and his colleagues published their first case report in 2017, describing a 26-year-old with a rectal tumor. (Ribeiro, who is now based at McGill University in Montreal, says the woman had been told by multiple doctors that her cancer treatment would destroy her fertility and had pleaded with him to find a way to preserve it.)

Huber remembers seeing Ribeiro present the case at a conference at the time. She immediately realized that her own patient was a candidate for the surgery, and that, as a surgeon who had performed many hysterectomies, she’d be able to do it herself. The patient agreed.

Huber’s colleagues at the hospital were nervous, she says. They’d never heard of the procedure before. “When I presented this idea to the general surgeon, he didn’t sleep for three days,” she tells me. After watching videos from Ribeiro’s team, however, he was convinced it was doable.

So before the patient’s cancer treatment was started, Huber and her colleagues performed the operation. The team literally stitched the organs to the abdominal wall. “It’s a delicate dissection,” says Huber, but she adds that “it’s not the most difficult procedure.” The surgery took two to three hours, she says. The stitches themselves were removed via small incisions around a week later. By that point, scar tissue had formed to create a lasting attachment.

The woman had two weeks to recover from the surgery before her cancer treatment began. That too was a success—within months, her tumor had shrunk so significantly that it couldn’t be seen on medical scans.

As a precaution, the medical team surgically removed the affected area of her colon. At the same time, they cut away the scar tissue holding the uterus, tubes, and ovaries in their new position and transferred the organs back into the pelvis.

Around eight months later, the woman stopped taking contraception. She got pregnant without IVF and had a mostly healthy pregnancy, says Huber. Around seven months into the pregnancy, there were signs that the fetus was not growing as expected. This might have been due to problems with the blood supply to the placenta, says Huber. Still, the baby was born healthy, she says.

Ribeiro says he has performed the surgery 16 times, and that teams in countries including the US, Peru, Israel, India, and Russia have performed it as well. Not every case has been published, but he thinks there may be around 40.

Since Baby Lucien was born last year, a sixth birth has been announced in Israel, says Huber. Ribeiro says he has heard of another two births since then, too. The most recent was to the first woman who had the procedure. She had a little girl a few months ago, he tells me.

No surgery is risk-free, and Huber points out there’s a chance that organs could be damaged during the procedure, or that a more developed cancer could spread. The uterus of one of Ribeiro’s patients failed following the surgery. Doctors are “still in the phase of collecting data to [create] a standardized procedure,” Huber says, but she hopes the surgery will offer more options to young people with some pelvic cancers. “I hope more young women could benefit from this procedure,” she says.

Ribeiro says the experience has taught him not to accept the status quo. “Everyone was saying … there was nothing to be done [about the loss of fertility in these cases],” he tells me. “We need to keep evolving and looking for different answers.”

This article first appeared in The Checkup, MIT Technology Review’s weekly biotech newsletter. To receive it in your inbox every Thursday, and read articles like this first, sign up here.

Ransomware Attacks Have Soared 30% in Recent Months

4 February 2026 at 14:04

Ransomware Attacks 2026

Ransomware attacks have soared 30% since late last year, and they’ve continued that trend so far in 2026, with many of the attacks affecting software and manufacturing supply chains. Those are some of the takeaways of new research published by Cyble today, which also looked at the top ransomware groups, significant ransomware attacks, new ransomware groups, and recommended cyber defenses. Ransomware groups claimed 2,018 attacks in the last three months of 2025, averaging just under 673 a month to end a record-setting year. The elevated attack levels continued in January 2026, as the threat groups claimed 679 ransomware victims. In the first nine months of 2025, ransomware groups claimed an average of 512 victims a month, so the recent trend has been more than 30% above that, Cyble noted. Below is Cyble’s chart of ransomware attacks by month since 2021, which shows a sustained uptrend since mid-2025.

[Chart: Ransomware attacks by month, 2021-2026 (Cyble)]

Qilin Remains Top Ransomware Group as CL0P Returns

Qilin was once again the top ransomware group, claiming 115 victims in January. CL0P was second with 93 victims after claiming “scores of victims” in recent weeks in an as-yet unspecified campaign. Akira remained among the leaders with 76 attacks, and newcomers Sinobi and The Gentlemen rounded out the top five (chart below).

[Chart: Top ransomware groups, January 2026 (Cyble)]

“As CL0P tends to claim victims in clusters, such as its exploitation of Oracle E-Business Suite flaws that helped drive supply chain attacks to records in October, new campaigns by the group are noteworthy,” Cyble said. Victims in the latest campaign have included 11 Australia-based companies spanning a range of sectors such as IT, banking and financial services (BFSI), construction, hospitality, professional services, and healthcare. Other recent CL0P victims have included “a U.S.-based IT services and staffing company, a global hotel company, a major media firm, a UK payment processing company, and a Canada-based mining company engaged in platinum group metals production,” Cyble said. The U.S. once again led all countries in ransomware attacks (chart below), while the UK and Australia faced a higher-than-normal attack volume. “CL0P’s recent campaign was a factor in both of those increases,” Cyble said.

[Chart: Ransomware attacks by country, January 2026 (Cyble)]

Construction, professional services and manufacturing remain opportunistic targets for threat actors, while the IT industry also remains a favorite target of ransomware groups, “likely due to the rich target the sector represents and the potential to pivot into downstream customer environments,” Cyble said (chart below).

[Chart: Ransomware attacks by industry, January 2026 (Cyble)]

Ransomware Attacks Hit the Supply Chain

Cyble documented 10 significant ransomware attacks from January in its blog post, many of which had supply chain implications. One was an Everest ransomware group compromise of “a major U.S. manufacturer of telecommunications networking equipment ... Everest claims the data includes PDF documents containing sensitive engineering materials, such as electrical schematics, block diagrams, and service subsystem documentation.” Sinobi claimed a breach of an India-based IT services company. “Samples shared by the attackers indicate access to internal infrastructure, including Microsoft Hyper-V servers, multiple virtual machines, backups, and storage volumes,” Cyble said. A Rhysida ransomware group attack on a U.S. life sciences and biotechnology instrumentation company allegedly exposed sensitive information such as engineering blueprints and project documentation. A RansomHouse attack on a China-based electronics manufacturer serving technology and automotive companies may have exposed “extensive proprietary engineering and production-related data,” and “data associated with multiple major technology and automotive companies.” An INC Ransom attack on a Hong Kong–based components manufacturer for the global electronics and automotive industries may have exposed “client-related information associated with more than a dozen major global brands, plus confidential contracts and project documentation for at least three major IT companies.” Cyble also documented the rise of three new ransomware groups: Green Blood, DataKeeper and MonoLock, with DataKeeper and MonoLock releasing details on technical and payment features aimed at attracting ransomware affiliates to their operations.

Research roundup: 6 cool stories we almost missed

31 January 2026 at 18:13

It’s a regrettable reality that there is never enough time to cover all the interesting scientific stories we come across each month. So every month, we highlight a handful of the best stories that nearly slipped through the cracks. January’s list includes a lip-syncing robot; using brewer's yeast as scaffolding for lab-grown meat; hunting for Leonardo da Vinci's DNA in his art; and new evidence that humans really did transport the stones to build Stonehenge from Wales and northern Scotland, rather than being transported by glaciers.

Humans, not glaciers, moved stones to Stonehenge

Credit: Timothy Darvill

Stonehenge is an iconic landmark of endless fascination to tourists and researchers alike. There has been a lot of recent chemical analysis identifying where all the stones that make up the structure came from, revealing that many originated in quarries a significant distance away. So how were the stones transported to their current location?


© Yuhang Hu/Creative Machines Lab

Metasploit Wrap-Up 01/30/2026

30 January 2026 at 16:11

FreePBX Content Galore

This week brings 3 new pieces of module content for targeting FreePBX. All three chain multiple vulnerabilities together, starting with CVE-2025-66039. This initial vulnerability allows unauthenticated users to bypass the authentication process to interact with FreePBX. From this point, the different modules leverage either a SQL injection vulnerability (CVE-2025-61675) or a file upload vulnerability (CVE-2025-61678) to obtain remote code execution.

New module content (7)

FreePBX endpoint SQLi to RCE

Authors: Noah King and msutovsky-r7

Type: Exploit

Pull request: #20857 contributed by msutovsky-r7

Path: unix/http/freepbx_custom_extension_rce

AttackerKB reference: CVE-2025-61675

Description: This adds an exploit module for FreePBX which chains an authentication bypass, CVE-2025-66039, with a SQL injection, CVE-2025-61675, to insert a row into the cron_job table of the database; the resulting cron job gives remote code execution.

FreePBX firmware file upload

Authors: Noah King and msutovsky-r7

Type: Exploit

Pull request: #20858 contributed by msutovsky-r7

Path: unix/http/freepbx_firmware_file_upload

AttackerKB reference: CVE-2025-61678

Description: This adds an exploit module for FreePBX which chains an authentication bypass, CVE-2025-66039, with an unrestricted file upload (via the firmware upload), CVE-2025-61678, to place a webshell on the webserver, resulting in remote code execution.

FreePBX Custom Extension SQL Injection

Authors: Noah King and msutovsky-r7

Type: Auxiliary

Pull request: #20846 contributed by msutovsky-r7

Path: gather/freepbx_custom_extension_injection

AttackerKB reference: CVE-2025-61675

Description: This adds an auxiliary module for FreePBX which chains an authentication bypass (CVE-2025-66039) with a SQL injection (CVE-2025-61675) to create an admin user in the database.

Cacti Graph Template authenticated RCE versions prior to 1.2.29

Authors: Jack Heysel and chutchut

Type: Exploit

Pull request: #20799 contributed by jheysel-r7

Path: multi/http/cacti_graph_template_rce

AttackerKB reference: CVE-2025-24367

Description: This adds an exploit for CVE-2025-24367, an authenticated RCE in Cacti versions prior to 1.2.29.

SmarterTools SmarterMail GUID File Upload Vulnerability

Authors: Piotr Bazydlo, Sina Kheirkhah, and jheysel-r7

Type: Exploit

Pull request: #20866 contributed by jheysel-r7

Path: multi/http/smartermail_guid_file_upload

AttackerKB reference: CVE-2025-52691

Description: This adds a module for an unauthenticated file upload in SmarterTools SmarterMail (CVE-2025-52691). The vulnerability allows an unauthenticated user to upload a file to any location on the system through a path traversal in the guid variable. The module either drops a webshell in the webroot directory (if the target is Windows) or creates a cron job by dropping a file in /etc/cron.d (if the target is Linux).
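The bug class behind the SmarterMail module, a request-controlled identifier spliced into a filesystem path, is worth seeing next to its fix. The example below is added here and is not SmarterTools' code or a reconstruction of their implementation: it models the vulnerable pattern generically, with an assumed upload directory, and shows a hardened version that canonicalises the identifier as a UUID, refuses anything but a bare filename, and confirms the resolved path never leaves the upload root. POSIX path semantics are used throughout so the behaviour is the same on any host.

```python
"""Vulnerable versus hardened handling of a client-supplied 'guid' in a file path.

Added example, not SmarterTools' code. UPLOAD_ROOT is an assumed location; the
traversal input mirrors the /etc/cron.d drop described for the Linux target.
"""
import posixpath
import uuid

UPLOAD_ROOT = "/var/smartermail/uploads"  # assumed, for illustration only


class PathTraversal(ValueError):
    """Raised when a request value would place a file outside UPLOAD_ROOT."""


def vulnerable_upload_path(guid: str, filename: str) -> str:
    # Bug: both values come straight from the request and are joined unchecked,
    # so guid="../../../../etc/cron.d" lands the file in the cron drop-in directory.
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, guid, filename))


def hardened_upload_path(guid: str, filename: str) -> str:
    # 1. The identifier must be a real UUID; round-tripping through uuid.UUID
    #    rejects anything that is not hex-and-dashes and yields a canonical form.
    try:
        canonical = str(uuid.UUID(guid))
    except ValueError as exc:
        raise PathTraversal(f"guid is not a UUID: {guid!r}") from exc
    # 2. Only a plain file name is accepted: no separators, no '.' or '..'.
    if filename != posixpath.basename(filename) or filename in ("", ".", ".."):
        raise PathTraversal(f"filename is not a plain name: {filename!r}")
    # 3. Belt and braces: after normalisation the target must still sit under the root,
    #    so any future bug in steps 1 or 2 cannot silently reopen the traversal.
    target = posixpath.normpath(posixpath.join(UPLOAD_ROOT, canonical, filename))
    if posixpath.commonpath([UPLOAD_ROOT, target]) != UPLOAD_ROOT:
        raise PathTraversal(f"escapes upload root: {target}")
    return target


if __name__ == "__main__":
    print("vulnerable:", vulnerable_upload_path("../../../../etc/cron.d", "backdoor"))
    print("hardened:  ", hardened_upload_path("123e4567-e89b-12d3-a456-426614174000", "report.pdf"))
    try:
        hardened_upload_path("../../../../etc/cron.d", "backdoor")
    except PathTraversal as err:
        print("rejected:  ", err)
```

The third check is the one that matters in review: validation rules drift, but a containment test on the final path is cheap and catches every variant, including encoded dots and alternate separators that a regex on the raw input would miss.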

Burp Extension Persistence

Author: h00die

Type: Exploit

Pull request: #19821 contributed by h00die

Path: multi/persistence/burp_extension

Description: This adds a new persistence module for BurpSuite. The module adds a malicious extension to both the Pro and Community versions, which is triggered when the user starts BurpSuite.

SSH Key Persistence

Authors: Dean Welch dean_welch@rapid7.com and h00die mike@shorebreaksecurity.com

Type: Exploit

Pull request: #20778 contributed by h00die

Path: multi/persistence/ssh_key

Description: Combines the Windows and Linux ssh key persistence modules.

Enhancements and features (1)

  • #20778 from h00die - Combines the Windows and Linux ssh key persistence modules.

Bugs fixed (3)

  • #20897 from h00die - This fixes a bug that was preventing collected hash data from being formatted as input for the John the Ripper cracker. The result is that users can now once again crack passwords using John.
  • #20902 from rudraditya21 - This fixes a bug in the auxiliary/scanner/ssh/ssh_login module that would incorrectly state that a login failed when it in fact succeeded but the module was unable to open a session. This was only an issue when the CreateSession option is true.
  • #20909 from adfoster-r7 - Fixes a bug in Metasploit Pro that reported false positives for HTTP bruteforcing.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

The Cyber Express Weekly Roundup: Threats, Regulations, and Digital Security Trends

The Cyber Express

As January 2026 comes to a close, The Cyber Express takes a comprehensive look at the events defining the global cybersecurity landscape. Over the past week, organizations worldwide faced high-profile cyberattacks, emerging threats in AI and ad fraud, critical software vulnerabilities, and intensifying regulatory scrutiny affecting both public and private sectors. This week’s coverage highlights significant attacks on Russian and U.S. companies, the discovery of advanced post-exploitation frameworks, trends in EU data breach reporting, and actionable guidance for brands to enhance privacy, security, and compliance in an increasingly complex digital ecosystem.

The Cyber Express Weekly Roundup 

Cyberattack Hits Russian Security Firm Delta 

On January 26, 2026, Delta, a Russian alarm and vehicle security provider, suffered a major cyberattack, disrupting alarms, vehicle systems, and company communications for tens of thousands of customers. While no confirmed customer data breach occurred, an unverified leak circulated online.

Ad Fraud and Data Privacy: Brands Must Act Now 

Ad fraud is escalating, costing the digital advertising industry billions and eroding consumer trust. Experts like Dhiraj Gupta of mFilterIt emphasize that brands can no longer rely on platform-reported metrics alone. Independent verification, real-time audits, and continuous monitoring of data flows are now essential to ensure privacy, enforce purpose limitations, and maintain accountability across complex advertising ecosystems.

Ivanti Patches Critical Mobile Manager Zero-Days 

Ivanti released emergency fixes for two critical zero-day code injection vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Endpoint Manager Mobile. These flaws allow attackers to execute arbitrary code, access sensitive device and user data, and track locations. CISA added CVE-2026-1281 to its KEV catalog with a two-day remediation deadline for federal agencies.

Cyble Discovers ShadowHS, a Stealthy Linux Post-Exploitation Framework 

Cyble Research & Intelligence Labs uncovered ShadowHS, a fileless, in-memory Linux framework providing attackers with long-term, operator-controlled access. ShadowHS uses AES-encrypted payloads and in-memory execution to evade file-scanning antivirus software, enabling credential theft, lateral movement, privilege escalation, cryptomining, and covert data exfiltration. Because nothing persists on disk in cleartext, detection has to come from process memory and runtime state rather than from file hashes.
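The roundup does not give ShadowHS's loader internals, so the check below is generic rather than a ShadowHS signature: it is an added example, not Cyble's tooling, and it looks for the runtime artefacts that in-memory Linux execution leaves in /proc/PID/maps regardless of payload, namely executable memfd mappings, executable mappings whose backing file was unlinked, and anonymous regions that are both writable and executable. The maps content is constructed here; scan_process reads a live process on a Linux host.

```python
"""Flag in-memory execution indicators in Linux /proc/<pid>/maps.

Added example, not Cyble's ShadowHS detection. SAMPLE_MAPS is constructed to show
one benign and three suspicious mappings; scan_process() works on a real host.
"""
from dataclasses import dataclass

# Constructed /proc/<pid>/maps content: sshd text, libc, then three indicators.
SAMPLE_MAPS = """\
55d4c0400000-55d4c0401000 r--p 00000000 08:01 1835082 /usr/bin/sshd
7f1c3a2b1000-7f1c3a3b2000 r-xp 00000000 08:01 131 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1c3a5c0000-7f1c3a5c8000 rwxp 00000000 00:00 0
7f1c3a800000-7f1c3a8f0000 r-xp 00000000 00:05 1234 /memfd:stage2 (deleted)
7f1c3a900000-7f1c3a910000 r-xp 00000000 08:01 4242 /tmp/.x (deleted)
7ffd1e6a0000-7ffd1e6c1000 rw-p 00000000 00:00 0 [stack]
"""


@dataclass
class Finding:
    start: int
    end: int
    perms: str
    path: str
    reason: str


def scan_maps(text: str) -> list:
    """Return a Finding for every executable mapping that matches a fileless indicator."""
    findings = []
    for line in text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 5:
            continue
        addr, perms = parts[0], parts[1]
        path = parts[5] if len(parts) == 6 else ""
        start, end = (int(x, 16) for x in addr.split("-"))
        if "x" not in perms:
            continue
        if path.startswith("/memfd:"):
            reason = "executable memfd mapping (memfd_create + fexecve/dlopen pattern)"
        elif path.endswith("(deleted)"):
            reason = "executable mapping whose backing file was unlinked"
        elif path == "" and "w" in perms:
            reason = "anonymous RWX mapping (injected or self-modifying code)"
        else:
            continue
        findings.append(Finding(start, end, perms, path, reason))
    return findings


def scan_process(pid: int) -> list:
    """Scan a live process; requires a Linux host and permission to read its maps."""
    with open(f"/proc/{pid}/maps", encoding="utf-8") as fh:
        return scan_maps(fh.read())


if __name__ == "__main__":
    for f in scan_maps(SAMPLE_MAPS):
        print(f"{f.start:#x}-{f.end:#x} {f.perms} {f.path or '<anon>'}: {f.reason}")
```

Anonymous RWX regions are normal for JIT runtimes (Java, browsers, some interpreters), so treat that finding as a triage signal and the memfd and unlinked-file findings as the strong ones; pairing a hit with the process's parent chain and network sockets is the usual next step.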

EU Data Breach Notifications Rise Amid GDPR Reform Talks 

Data breach notifications in the EU surged 22% over the past year, averaging over 400 per day. GDPR fines remained high at approximately €1.2 billion in 2025. Discussions on the Digital Omnibus legislation highlight a need to balance efficiency in reporting with protecting fundamental privacy rights amid NIS2, DORA, and ongoing cybersecurity threats.

New Cyberattacks Target U.S. Companies 

Several U.S. companies, including Bumble, Panera, Match Group, and CrunchBase, faced phishing and vishing attacks against employees. Bumble reported brief unauthorized access to a small portion of its network, while other firms experienced limited exposure. The ShinyHunters hacking group claims responsibility and has issued extortion demands, emphasizing social engineering as a growing threat to high-profile organizations.

Weekly Takeaway 

The last week of January 2026 stresses that cybersecurity is no longer just a technical concern. From attacks on critical infrastructure in Russia to post-exploitation Linux frameworks, ad fraud, and regulatory scrutiny in the EU, organizations must combine technology, governance, and proactive monitoring to protect data, trust, and operations.  

How the sometimes-weird world of lifespan extension is gaining influence

30 January 2026 at 05:00

For the last couple of years, I’ve been following the progress of a group of individuals who believe death is humanity’s “core problem.” Put simply, they say death is wrong—for everyone. They’ve even said it’s morally wrong.

They established what they consider a new philosophy, and they called it Vitalism.

Vitalism is more than a philosophy, though—it’s a movement for hardcore longevity enthusiasts who want to make real progress in finding treatments that slow or reverse aging. Not just through scientific advances, but by persuading influential people to support their movement, and by changing laws and policies to open up access to experimental drugs.

And they’re starting to make progress.

Vitalism was founded by Adam Gries and Nathan Cheng—two men who united over their shared desire to find ways to extend human lifespan. I first saw Cheng speak back in 2023, at Zuzalu, a pop-up city in Montenegro for people who were interested in life extension and some other technologies. (It was an interesting experience—you can read more about it here.)

Zuzalu was where Gries and Cheng officially launched Vitalism. But I’ve been closely following the longevity scene since 2022. That journey took me to Switzerland, Honduras, and a compound in Berkeley, California, where like-minded longevity enthusiasts shared their dreams of life extension.

It also took me to Washington, DC, where, last year, supporters of lifespan extension presented politicians including Mehmet Oz, who currently leads the Centers for Medicare & Medicaid Services, with their case for changes to laws and policies.

The journey has been fascinating, and at times weird and even surreal. I’ve heard biohacking stories that ended with smoking legs. I’ve been told about a multi-partner relationship that might be made possible through the cryopreservation—and subsequent reanimation—of a man and the multiple wives he’s had throughout his life. I’ve had people tell me to my face that they consider themselves eugenicists, and that they believe that parents should select IVF embryos for their propensity for a long life.

I’ve seen people draw blood during dinner in an upscale hotel restaurant to test their biological age. I’ve heard wild plans to preserve human consciousness and resurrect it in machines. Others have told me their plans to inject men’s penises with multiple doses of an experimental gene therapy in order to treat erectile dysfunction and ultimately achieve “radical longevity.”

I’ve been shouted at and threatened with legal action. I’ve received barefoot hugs. One interviewee told me I needed Botox. It’s been a ride.

My reporting has also made me realize that the current interest in longevity reaches beyond social media influencers and wellness centers. Longevity clinics are growing in number, and there’s been a glut of documentaries about living longer or even forever.

At the same time, powerful people who influence state laws, giant federal funding budgets, and even national health policy are prioritizing the search for treatments that slow or reverse aging. The longevity community was thrilled when longtime supporter Jim O’Neill was made deputy secretary of health and human services last year. Other members of Trump’s administration, including Oz, have spoken about longevity too. “It seems that now there is the most pro-longevity administration in American history,” Gries told me.

I recently spoke to Alicia Jackson, the new director of ARPA-H. The agency, established in 2022 under Joe Biden’s presidency, funds “breakthrough” biomedical research. And it appears to have a new focus on longevity. Jackson previously founded and led Evernow, a company focused on “health and longevity for every woman.”

“There’s a lot of interesting technologies, but they all kind of come back to the same thing: Could we extend life years?” she told me over a Zoom call a few weeks ago. She added that her agency had “incredible support” from “the very top of HHS.” I asked if she was referring to Jim O’Neill. “Yeah,” she said. She wouldn’t go into the specifics.

Gries is right: There is a lot of support for advances in longevity treatments, and some of it is coming from influential people in positions of power. Perhaps the field really is poised for a breakthrough.

And that’s what makes this field so fascinating to cover. Despite the occasional weirdness.

This article first appeared in The Checkup, MIT Technology Review’s weekly biotech newsletter. To receive it in your inbox every Thursday, and read articles like this first, sign up here.

Bumble, Panera Bread, Match Group, and CrunchBase Hit by New Wave of Cyberattacks

A new wave of cyberattacks has recently struck several prominent U.S. companies, including Bumble Inc., Panera Bread Co., Match Group Inc., and CrunchBase. Bumble Inc., the parent company of the dating apps Bumble, Badoo, and BFF, reported that one of its contractor accounts was compromised in a phishing incident. Bumble confirmed the intrusion, stating that the breach gave the hacker “brief unauthorized access to a small portion of our network.” The company noted, however, that member databases, Bumble accounts, direct messages, profiles, and the Bumble application itself were not accessed. Bumble has engaged law enforcement to investigate the incident.

Bumble, Panera Bread, Match Group, and CrunchBase Report Cyberattacks

Panera Bread also reported a cybersecurity incident affecting one of its software applications used to store data. A company spokesperson confirmed that law enforcement had been notified and that steps were taken to secure the system. The affected data primarily included contact information, although Panera did not provide additional specifics about the scope of the breach.

Similarly, Match Group reported on Wednesday that it had experienced a cybersecurity incident impacting a “limited amount of user data.” According to Bloomberg, a spokesperson for Match reassured users that there was no evidence of compromised login credentials, financial information, or private communications. Match’s systems were breached on January 16, although the exact timing of the other incidents affecting Bumble, Panera Bread, and CrunchBase remains unclear.

CrunchBase, the business information platform, confirmed that documents on its corporate network were affected by cyberattacks but stated that the company had successfully contained the incident. No details were provided about whether any sensitive user or company data was accessed.

Limited Data Exposure but Extortion Demands Reported 

A hacking group known as ShinyHunters has claimed responsibility for the attacks on Bumble, Panera Bread, Match, and CrunchBase. While these claims could not be independently verified at the time of writing, the group’s posts said it is using new vishing (voice phishing) techniques aimed at tricking employees into revealing credentials for single sign-on (SSO) systems.

Additionally, hackers associated with the ShinyHunters group have reportedly contacted some of the victims to demand payment. None of the affected companies, including Bumble, Panera Bread, Match, or CrunchBase, have publicly commented on the extortion claims.

Experts Warn of Rising Social Engineering Threats 

The recent incidents underline the growing threat of cyberattacks targeting U.S. businesses, particularly those handling large volumes of user data and corporate information. In most of these attacks, social engineering campaigns target unsuspecting victims, combining phishing, vishing, and exploitation of cloud-based systems to gain access.

The Cyber Express has reached out to Bumble, Panera Bread, CrunchBase, and Match Group for further comments. As of now, no additional information or updates on the extortion demands have been provided. Cybersecurity analysts and industry observers are closely monitoring the situation, noting that this series of attacks could signal a broader trend in high-profile cyber threats affecting both technology and consumer-facing companies.

This story is ongoing, and The Cyber Express will continue to provide updates as more details emerge about the scope of the cyberattacks and any responses from the affected organizations.

ShinyHunters, CL0P Return with New Claimed Victims

26 January 2026 at 14:05

The ShinyHunters and CL0P threat groups have returned with new claimed victims. ShinyHunters has resurfaced with a new onion-based data leak site, publishing data allegedly stolen from three victims, two of them apparently linked to recent vishing attacks targeting single sign-on (SSO) accounts at Okta, Microsoft and Google, which can lead to compromises of connected enterprise applications and services. In an email to The Cyber Express, a ShinyHunters spokesperson said “a lot more victims are to come from the new vishing campaign.” The CL0P ransomware group, meanwhile, has claimed 43 victims in recent days, its first since its exploitation of Oracle E-Business Suite vulnerabilities last year netted more than 100 victims. The group reportedly was targeting internet-facing Gladinet CentreStack file servers in its latest extortion campaign, but has posted no technical details to support the new claims.

ShinyHunters Returns

ShinyHunters has resurfaced following 2025 campaigns that saw breaches of PornHub and Salesforce environments and a “suspicious insider” at CrowdStrike. The group, which has also gone by Scattered LAPSUS$ Hunters, has claimed three new victims, all of whom have had confirmed breaches in recent weeks.

One of the claimed victims is SoundCloud, which confirmed a breach in mid-December that the company said “consisted only of email addresses and information already visible on public SoundCloud profiles and affected approximately 20% of SoundCloud users.”

Investment firm Betterment is another claimed victim with a recent confirmed breach. While it’s not clear if the incident is related to the ShinyHunters claims, the company reported a January 9 incident in which “an unauthorized individual gained access to certain Betterment systems through social engineering. This means the individual used identity impersonation and deception to gain access, rather than compromising our technical infrastructure. The unauthorized access involved third-party software platforms that Betterment uses to support our marketing and operations.”

The third claimed victim is financial data firm Crunchbase, which confirmed a data exfiltration incident in a statement to SecurityWeek. ShinyHunters told The Cyber Express that only Crunchbase and Betterment are from the SSO vishing campaign. “We are releasing victims from many of our previous campaigns and ongoing campaigns onto our data leak site, not exclusively the SSO vishing campaign data thefts,” the spokesperson said.

Meanwhile, a threat actor who goes by “LAPSUS-GROUP” has emerged recently on the BreachForums 5.0 cybercrime forum claiming data stolen from a Canadian retail SaaS company, but ShinyHunters told The Cyber Express that the actor is an “impersonator group” and has no connection to ShinyHunters.

CL0P Claims 43 New Victims

The Cl0p ransomware group appears to have launched a new extortion campaign, although it is not clear what vulnerabilities or services the group is targeting. The group listed 21 new victims last week, and then another 22 over the weekend. Alleged victims include a major hotel chain, an IT services company, a UK payment processing firm, a workforce management company, and a Canada-based mining company. In a note to clients today, threat intelligence company Cyble wrote, “At the time of reporting, Cl0p has not disclosed technical details, the volume or type of data allegedly exfiltrated, nor announced any ransom deadlines for these victims. No proof-of-compromise samples have been published. We continue to monitor the situation for further disclosures, validation of the victim listings, or escalation by the group.”

Metasploit Wrap-Up 01/23/2026

23 January 2026 at 16:00

Oracle E-Business Suite Unauth RCE

This week, we are pleased to announce the addition of a module that exploits CVE-2025-61882, a pre-authentication remote code execution vulnerability in Oracle E-Business Suite versions 12.2.3 through 12.2.14. The exploit chains multiple flaws—including SSRF, path traversal, HTTP request smuggling, and XSLT injection—to coerce the target into fetching and executing a malicious XSL file hosted by the attacker. Successful exploitation results in arbitrary command execution and an interactive shell on both Linux/Unix and Windows targets. The module is reliable and repeatable, and we here at Metasploit hope you enjoy it. Happy hacking!

New module content (3)

Authenticated RCE in Splunk (splunk_archiver app)

Authors: Alex Hordijk, Maksim Rogov, and psytester

Type: Exploit

Pull request: #20770 contributed by vognik

Path: linux/http/splunk_auth_rce_cve_2024_36985

AttackerKB reference: CVE-2024-36985

Description: This adds a Metasploit exploit module for CVE-2024-36985, one of two Splunk Enterprise Remote Code Execution (RCE) vulnerabilities covered by this pull request. The vulnerability is unsafe use of the "copybuckets" lookup function within the splunk_archiver application, resulting in execution of the sudobash helper script with attacker-controlled arguments. Affected versions: all releases prior to 9.0.10, 9.1.2 through 9.1.5, and 9.2.0 through 9.2.2.

Oracle E-Business Suite CVE-2025-61882 RCE

Authors: Mathieu Dupas and watchTowr (Sonny, Sina Kheirkhah, Jake Knott)

Type: Exploit

Pull request: #20750 contributed by MatDupas

Path: multi/http/oracle_ebs_cve_2025_61882_exploit_rce

AttackerKB reference: CVE-2025-61882

Description: This adds an exploit for CVE-2025-61882, a critical Remote Code Execution (RCE) vulnerability in Oracle E-Business Suite (EBS). The flaw allows unauthenticated attackers to execute arbitrary code by leveraging a combination of SSRF, HTTP request smuggling and XSLT injection. Affected Versions: Oracle E-Business Suite, 12.2.3-12.2.14.

Authenticated RCE in Splunk (SimpleXML dashboard PDF generation)

Authors: Danylo Dmytriiev, Maksim Rogov, and psytester

Type: Exploit

Pull request: #20770 contributed by vognik

Path: multi/http/splunk_auth_rce_cve_2022_43571

AttackerKB reference: CVE-2022-43571

Description: This adds a Metasploit exploit module for CVE-2022-43571, the second of the two Splunk Enterprise RCE vulnerabilities covered by this pull request. The vulnerability is Python code injection in Splunk SimpleXML dashboards: malicious code injected into sparkline style parameters is executed when a user exports the dashboard to PDF. Affected versions: all releases prior to 8.1.12, 8.2.0 through 8.2.9, and 9.0.0 through 9.0.2.

Enhancements and features (3)

  • #20755 from rudraditya21 - This adds an advanced datastore option, KrbClockSkew, to modules that use Kerberos authentication, allowing operators to adjust the Kerberos clock from the Metasploit side to fix clock skew errors.
  • #20840 from xaitax - This updates the MongoBleed auxiliary module and adds new options. The module can now use Wiz Magic Packet to detect the vulnerability quickly; it can detect compression libraries used by MongoDB (and warns or stops the user if zlib is not enabled). The module can also reuse the MongoDB socket connection during memory scanning, which significantly improves performance. Finally, it can better leak secrets, either by pattern matching or by storing the extracted information in raw or JSON format.
  • #20861 from bcoles - Adds multiple improvements to get_hostname resolution logic for post exploitation modules.

Bugs fixed (1)

  • #20888 from jheysel-r7 - Fixes an issue that caused dMSA kerberos authentication to fail.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Measles is surging in the US. Wastewater tracking could help.

23 January 2026 at 05:00

This week marked a rather unpleasant anniversary: It’s a year since Texas reported a case of measles—the start of a significant outbreak that ended up spreading across multiple states. Since the start of January 2025, there have been over 2,500 confirmed cases of measles in the US. Three people have died.

As vaccination rates drop and outbreaks continue, scientists have been experimenting with new ways to quickly identify new cases and prevent the disease from spreading. And they are starting to see some success with wastewater surveillance.

After all, wastewater contains saliva, urine, feces, shed skin, and more. You could consider it a rich biological sample. Wastewater analysis helped scientists understand how covid was spreading during the pandemic. It’s early days, but it is starting to help us get a handle on measles.

Globally, there has been some progress toward eliminating measles, largely thanks to vaccination efforts. Such efforts led to an 88% drop in measles deaths between 2000 and 2024, according to the World Health Organization. It estimates that “nearly 59 million lives have been saved by the measles vaccine” since 2000.

Still, an estimated 95,000 people died from measles in 2024 alone—most of them young children. And cases are surging in Europe, Southeast Asia, and the Eastern Mediterranean region.

Last year, the US saw the highest levels of measles in decades. The country is on track to lose its measles elimination status—a sorry fate that met Canada in November after the country recorded over 5,000 cases in a little over a year.

Public health efforts to contain the spread of measles—which is incredibly contagious—typically involve clinical monitoring in health-care settings, along with vaccination campaigns. But scientists have started looking to wastewater, too.

Along with various bodily fluids, we all shed viruses and bacteria into wastewater, whether that’s through brushing our teeth, showering, or using the toilet. The idea of looking for these pathogens in wastewater to track diseases has been around for a while, but things really kicked into gear during the covid-19 pandemic, when scientists found that the coronavirus responsible for the disease was shed in feces.

This led Marlene Wolfe of Emory University and Alexandria Boehm of Stanford University to establish WastewaterSCAN, an academic-led program developed to analyze wastewater samples across the US. Covid was just the beginning, says Wolfe. “Over the years we have worked to expand what can be monitored,” she says.

Two years ago, for a previous edition of the Checkup, Wolfe told Cassandra Willyard that wastewater surveillance of measles was “absolutely possible,” as the virus is shed in urine. The hope was that this approach could shed light on measles outbreaks in a community, even if members of that community weren’t able to access health care and receive an official diagnosis. And that it could highlight when and where public health officials needed to act to prevent measles from spreading. Evidence that it worked as an effective public health measure was, at the time, scant.

Since then, she and her colleagues have developed a test to identify measles RNA. They trialed it at two wastewater treatment plants in Texas between December 2024 and May 2025. At each site, the team collected samples two or three times a week and tested them for measles RNA.

Over that period, the team found measles RNA in 10.5% of the samples they collected, as reported in a preprint paper published at medRxiv in July and currently under review at a peer-reviewed journal. The first detection came a week before the first case of measles was officially confirmed in the area. That’s promising—it suggests that wastewater surveillance might pick up measles cases early, giving public health officials a head start in efforts to limit any outbreaks.

There are more promising results from a team in Canada. Mike McKay and Ryland Corchis-Scott at the University of Windsor in Ontario and their colleagues have also been testing wastewater samples for measles RNA. Between February and November 2025, the team collected samples from a wastewater treatment facility serving over 30,000 people in Leamington, Ontario. 

These wastewater tests are somewhat limited—even if they do pick up measles, they won’t tell you who has measles, where exactly infections are occurring, or even how many people are infected. McKay and his colleagues have begun to make some progress here. In addition to monitoring the large wastewater plant, the team used tampons to soak up wastewater from a hospital lateral sewer.

They then compared their measles test results with the number of clinical cases in that hospital. This gave them some idea of the virus’s “shedding rate.” When they applied this to the data collected from the Leamington wastewater treatment facility, the team got estimates of measles cases that were much higher than the figures officially reported. 

Their findings track with the opinions of local health officials (who estimate that the true number of cases during the outbreak was around five to 10 times higher than the confirmed case count), the team members wrote in a paper published on medRxiv a couple of weeks ago.

There will always be limits to wastewater surveillance. “We’re looking at the pool of waste of an entire community, so it’s very hard to pull in information about individual infections,” says Corchis-Scott.

Wolfe also acknowledges that “we have a lot to learn about how we can best use the tools so they are useful.” But her team at WastewaterSCAN has been testing wastewater across the US for measles since May last year. And their findings are published online and shared with public health officials.

In some cases, the findings are already helping inform the response to measles. “We’ve seen public health departments act on this data,” says Wolfe. Some have issued alerts, or increased vaccination efforts in those areas, for example. “[We’re at] a point now where we really see public health departments, clinicians, [and] families using that information to help keep themselves and their communities safe,” she says.

McKay says his team has stopped testing for measles because the Ontario outbreak “has been declared over.” He says testing would restart if and when a single new case of measles is confirmed in the region, but he also thinks that his research makes a strong case for maintaining a wastewater surveillance system for measles.

McKay wonders if this approach might help Canada regain its measles elimination status. “It’s sort of like [we’re] a pariah now,” he says. If his approach can help limit measles outbreaks, it could be “a nice tool for public health in Canada to [show] we’ve got our act together.”

This article first appeared in The Checkup, MIT Technology Review’s weekly biotech newsletter. To receive it in your inbox every Thursday, and read articles like this first, sign up here.

The Cyber Express Weekly Roundup: FortiOS Exploits, Ransomware, Hacktivist Surge, and EU Telecom Rules

The third week of 2026 highlights a series of cybersecurity events affecting businesses, critical infrastructure, and regulatory compliance. This week, network administrators are grappling with the exploitation of a previously patched FortiOS vulnerability, while ransomware attacks continue to expose sensitive data across major corporations.

Meanwhile, hacktivist groups are targeting industrial systems and government networks, and the European Union has introduced new rules to phase out high-risk telecom and ICT products from non-EU suppliers.

These incidents demonstrate that cybersecurity risks are no longer confined to IT systems. They now intersect with national security, operational continuity, and regulatory oversight, requiring organizations to adopt both technical defenses and strategic risk management measures.

The Cyber Express Weekly Roundup 

Active Exploits Hit “Patched” FortiOS 7.4.9 

Administrators report active exploitation of CVE-2025-59718 on FortiGate devices running FortiOS 7.4.9. Attackers bypass authentication through forged FortiCloud SSO logins, creating local admin accounts to maintain access. Evidence suggests that the patch may be incomplete or bypassed. Experts advise manually disabling FortiCloud SSO via CLI and auditing logs for unusual SSO activity, new admin accounts, and configuration exports. Read more… 
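
The triage the advice above calls for (unusual SSO logins, newly created admin accounts, configuration exports), as an added example that is not Fortinet's code and not part of the original roundup. It parses FortiOS-style key=value event logs and checks a config excerpt for the SSO workaround. The log lines and config excerpts are constructed samples; the field names (logdesc, method, srcip, cfgpath, cfgobj, action) and the setting name `admin-forticloud-sso-login` under `config system global` are assumptions modelled on FortiOS and should be checked against your firmware's logs and Fortinet's advisory:

```python
import re

# Constructed FortiGate-style event log lines for this example (key=value,
# quoted where a value contains spaces). They are not real logs, and the
# field names are an assumption modelled on FortiOS event logging.
SAMPLE_LOGS = [
    'date=2026-01-15 time=03:12:44 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="admin" ui="https(198.51.100.23)" method="sso" '
    'srcip=198.51.100.23 action="login" status="success" '
    'msg="Administrator admin logged in successfully from sso"',
    'date=2026-01-15 time=03:13:02 type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="admin" ui="https(198.51.100.23)" '
    'srcip=198.51.100.23 action="Add" cfgpath="system.admin" cfgobj="support_tmp" '
    'cfgattr="accprofile[super_admin]" msg="Add system.admin support_tmp"',
    'date=2026-01-15 time=03:15:10 type="event" subtype="system" level="notice" '
    'logdesc="Configuration backup" user="support_tmp" ui="https(198.51.100.23)" '
    'srcip=198.51.100.23 action="backup" status="success" msg="Configuration is backed up"',
    'date=2026-01-15 time=09:00:00 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="netops" ui="https(10.0.0.5)" method="https" '
    'srcip=10.0.0.5 action="login" status="success" '
    'msg="Administrator netops logged in successfully from https"',
    'date=2026-01-15 time=09:30:00 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="netops" ui="https(10.0.0.5)" method="sso" '
    'srcip=10.0.0.5 action="login" status="success" '
    'msg="Administrator netops logged in successfully from sso"',
]

# Constructed `config system global` excerpts. Assumption: the FortiCloud SSO
# admin login switch is `admin-forticloud-sso-login`; an absent line means the
# firmware default applies, not an explicit disable.
CONFIG_PATCHED = ('config system global\n    set hostname "fw-edge-1"\n'
                  '    set admin-forticloud-sso-login disable\nend\n')
CONFIG_DEFAULT = 'config system global\n    set hostname "fw-edge-1"\nend\n'

# key=value pairs; a quoted value may contain spaces, an unquoted one may not
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortilog(line):
    """Split one key=value log line into a dict, stripping value quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def triage(lines, known_admins, sso_allowed_srcs):
    """Return (finding, subject, detail) tuples for the three traces an operator
    is told to look for: SSO logins from unexpected sources, new admin
    accounts, and configuration exports."""
    findings = []
    for line in lines:
        ev = parse_fortilog(line)
        desc = ev.get("logdesc", "")
        if desc == "Admin login successful" and ev.get("method") == "sso":
            # A forged FortiCloud SSO login arrives from wherever the attacker
            # sits; anything outside the usual SSO sources is suspect.
            if ev.get("srcip") not in sso_allowed_srcs:
                findings.append(("sso-login-unexpected-source", ev.get("user"), ev.get("srcip")))
        elif ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            # A newly created local administrator is the persistence step.
            if ev.get("cfgobj") not in known_admins:
                findings.append(("new-admin-account", ev.get("cfgobj"), ev.get("user")))
        elif "backup" in desc.lower():
            # A configuration export carries credentials and policy; treat it
            # as data theft until proven otherwise.
            findings.append(("config-export", ev.get("user"), ev.get("srcip")))
    return findings


def sso_admin_login_disabled(config_text):
    """True only if `config system global` explicitly disables the FortiCloud
    SSO admin login; any other state (absent, or set to enable) is False."""
    in_global = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system global":
            in_global = True
        elif line == "end":
            in_global = False
        elif in_global and line.startswith("set admin-forticloud-sso-login "):
            return line.split()[-1] == "disable"
    return False


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS, {"admin", "netops"}, {"10.0.0.5"}):
        print(*finding)
    print("SSO admin login disabled:", sso_admin_login_disabled(CONFIG_PATCHED))
```

Run as-is it prints three findings from the samples (the SSO login from 198.51.100.23, the support_tmp account, the backup). On real data, feed exported event logs line by line and fill known_admins and sso_allowed_srcs from your own inventory; the netops SSO login from an allowed source shows why that allowlist matters. Because the report above says the fix may be bypassed on 7.4.9, the log triage is worth running on patched devices too, and the config check is the quick way to confirm the CLI workaround is actually in place.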

Ingram Micro Data Breach Exposes 42,521 Individuals 

A ransomware attack in July 2025 compromised sensitive employee and job applicant data at Ingram Micro, affecting 42,521 individuals. Exposed information includes names, contact details, dates of birth, Social Security numbers, and employment records. The attack disrupted logistics operations for about a week and was discovered in December 2025. Affected individuals have been notified and offered two years of credit monitoring and identity protection. Read more… 

One in Ten UK Businesses Could Fail After Major Cyberattack 

A Vodafone Business survey found over 10% of UK business leaders fear their organizations could fail after a major cyberattack. While 63% acknowledge rising cyber risks and 89% say high-profile breaches increased alertness, only 45% provide basic cyber-awareness training to all staff. Weak passwords, phishing, and emerging AI/deepfake scams heighten vulnerabilities. Read more… 

EU Proposes Rules on “High-Risk” Telecom Products 

The European Commission proposed updates to the Cybersecurity Act to phase out “high-risk” ICT products from mobile, fixed, and satellite networks where they come from suppliers in countries deemed high-risk, including China and Russia. Mobile networks have 36 months to comply; timelines for other networks will follow. Read more… 

Hacktivist Activity Surges, Targeting Critical Infrastructure 

The Cyble 2025 Threat Landscape report shows hacktivists targeting ICS, OT, and HMI/SCADA systems. Groups like Z-Pentest, Dark Engine, and NoName057(16) focused on industrial sectors in Europe and Asia. Hacktivist activity rose 51% in 2025, driven largely by pro-Russian and pro-Palestinian collectives. Many groups aligned with state interests, including GRU-backed Russian operations and Iranian-linked teams. Read more… 

NCSC Warns UK Organizations of Russian-Aligned Hacktivists 

The UK National Cyber Security Centre (NCSC) warned that Russian-aligned hacktivists, including NoName057(16), increasingly target UK organizations with denial-of-service attacks on local government and critical infrastructure. While technically simple, these attacks can severely disrupt services. Read more… 

Weekly Roundup Takeaway 

This week’s events highlight that cybersecurity in 2026 continues to influence business continuity, infrastructure integrity, and regulatory compliance. From FortiOS exploits and large-scale ransomware breaches to rising hacktivist activity and evolving EU telecom rules, organizations must integrate operational, technical, and strategic measures to mitigate risk and protect assets across sectors. 

Hacktivists Became More Dangerous in 2025

21 January 2026 at 13:07

Hacktivists became significantly more dangerous in 2025, moving beyond their traditional DDoS attacks and website defacements to target critical infrastructure and ransomware attacks. That’s one of the conclusions of a new blog post from Cyble adapted from the threat intelligence company’s 2025 Threat Landscape report. The trend began in earnest with Z-Pentest’s targeting of industrial control systems (ICS) in late 2024, and grew from there. Cyble said it expects those attacks to continue to grow in 2026, along with growing use of custom tools by hacktivists and “deepening alignment between nation-state interests and hacktivists.”

Hacktivist Attacks on Critical Infrastructure Soar

Z-Pentest was the most active of the hacktivist groups targeting ICS, operational technology (OT) and Human Machine Interface (HMI) environments. Dark Engine (Infrastructure Destruction Squad) and Sector 16 also persistently targeted ICS environments, while Golden Falcon Team, NoName057(16), TwoNet, RipperSec, and Inteid also claimed multiple ICS attacks. HMI and web-based Supervisory Control and Data Acquisition (SCADA) interfaces were the systems most frequently targeted by hacktivists. Virtual Network Computing (VNC) environments were targeted less frequently, but “posed the greatest operational risks to several industries,” Cyble said. Building Management Systems (BMS) and Internet of Things (IoT) or edge-layer controllers were also targeted by the groups, reflecting a wider trend toward exploiting poorly secured IoT interfaces. Europe was the primary region targeted by pro-Russian hacktivist groups, with Spain, Italy, the Czech Republic, France, Poland, and Ukraine the most frequent targets of those groups.

State Interests and Hacktivism Align

Cyble also noted increasing alignment between hacktivist groups and state-aligned interests. When Operation Eastwood disrupted NoName057(16)’s DDoS infrastructure in July 2025, the group rapidly rebuilt its capacity and resumed operations against Ukraine, the EU, and NATO, “underscoring the resilience of state-directed ecosystems,” Cyble said.

U.S. indictments “further exposed alleged structured cooperation between Russian intelligence services and pro-Kremlin hacktivist fronts,” the blog post said. The Justice Department revealed GRU-backed financing and direction of the Cyber Army of Russia Reborn (CARR) and state-sanctioned development of NoName057(16)’s DDoSia platform. Z-Pentest has also been identified as part of the CARR ecosystem and linked to GRU.

Pro-Ukrainian hacktivist groups are less formally connected to state interests, but groups like the BO Team and the Ukrainian Cyber Alliance launched data destruction, encryption and wiper attacks targeting “key Russian businesses and state machinery,” and Ukrainian actors also claimed to pass exfiltrated datasets to national intelligence services.

Hacktivist groups Cyber Partisans BY (Belarus) and Silent Crow significantly compromised Aeroflot’s IT environment in a long-term breach, claiming to exfiltrate more than 20TB of data, sabotaging thousands of servers, and disrupting airline systems, a breach that was confirmed by Russia’s General Prosecutor.

Other hacktivists aligned with state interests include BQT.Lock (BaqiyatLock, aligned with Hezbollah) and Cyb3r Av3ngers/Mr. Soul Team, which has been linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) and has also targeted critical infrastructure.

Hacktivist Sightings Surge 51%

Cyble said hacktivist sightings surged 51% in 2025, from 700,000 in 2024 to 1.06 million in 2025, “with the bulk of activity focused on Asia and Europe.”

“Pro-Russian state-aligned hacktivists and pro-Palestinian, anti-Israel collectives continued to be the primary drivers of hacktivist activity throughout 2025, shaping the operational tempo and geopolitical focus of the threat landscape,” the researchers said. India, Ukraine and Israel were the countries most targeted by hacktivist activity in 2025 (chart below).

[Chart: Hacktivist attacks by country in 2025 (Cyble)]

Government & Law Enforcement, Energy & Utilities, Education, IT, Transportation & Logistics, and Manufacturing saw the most growth in hacktivist attacks, while the Agriculture & Livestock, Food & Beverages, Hospitality, Construction, Automotive, and Real Estate sectors also saw increasing attack numbers.

“Hacktivism has evolved into a geopolitically charged, ICS-focused threat, continuing to exploit exposed OT environments and increasingly weaponizing ransomware as a protest mechanism,” Cyble said. “In 2026, hacktivists and cybercriminals will increasingly target exposed HMI/SCADA systems and VNC takeovers, aided by public PoCs and automated scanning templates, creating ripple effects across the energy, water, transportation, and healthcare sectors,” the researchers predicted.

Metasploit Wrap-Up 01/16/2026

16 January 2026 at 13:49

Persistence, dMSA Abuse & RCE Goodies

This week we have received a lot of contributions from the community, including h00die, Chocapikk, and countless others, which is greatly appreciated. The modules and improvements in this Metasploit Framework release range from new modules, such as dMSA abuse (resulting in privilege escalation in Windows Active Directory environments) and authenticated and unauthenticated RCE modules, to many improvements and additions to the persistence modules and techniques.

New module content (13)

BadSuccessor: dMSA abuse to Escalate Privileges in Windows Active Directory

Authors: AngelBoy, Spencer McIntyre, and jheysel-r7

Type: Auxiliary

Pull request: #20472 contributed by jheysel-r7 

Path: admin/ldap/bad_successor

Description: This adds an exploit for "BadSuccessor" which is a vulnerability whereby a user with permissions to an Organizational Unit (OU) in Active Directory can create a Delegated Managed Service Account (dMSA) account in such a way that it can lead to the issuance of a Kerberos ticket for an arbitrary user.

Control Web Panel /admin/index.php Unauthenticated RCE

Authors: Egidio Romano and Lukas Johannes Möller

Type: Exploit

Pull request: #20806 contributed by JohannesLks 

Path: linux/http/control_web_panel_api_cmd_exec 

AttackerKB reference: CVE-2025-67888

Description: This adds a new module for Control Web Panel (CVE-2025-67888). The vulnerability is unauthenticated OS command injection through an exposed API. The module requires Softaculous to be installed on the target.

Prison Management System 1.0 Authenticated RCE via Unrestricted File Upload

Author: Alexandru Ionut Raducu

Type: Exploit

Pull request: #20811 contributed by Xorriath 

Path: linux/http/prison_management_rce 

AttackerKB reference: CVE-2024-48594

Description: This adds a new module for Prison Management System 1.0 (CVE-2024-48594). The module requires admin credentials, which are subsequently used to exploit unrestricted file upload to upload a webshell.

udev Persistence

Author: Julien Voisin

Type: Exploit

Pull request: #20796 contributed by h00die 

Path: linux/persistence/udev

Description: This moves the udev persistence module into the persistence category and adds the persistence mixin.

n8n Workflow Expression Remote Code Execution

Author: Lukas Johannes Möller

Type: Exploit

Pull request: #20810 contributed by JohannesLks 

Path: multi/http/n8n_workflow_expression_rce

AttackerKB reference: CVE-2025-68613

Description: This adds a new module for n8n (CVE-2025-68613). The vulnerability is authenticated remote code execution in the workflow expression evaluation engine. The module requires credentials to create a malicious workflow that executes system commands via a JavaScript payload.

Web-Check Screenshot API Command Injection RCE

Author: Valentin Lobstein chocapikk@leakix.net 

Type: Exploit

Pull request: #20791 contributed by Chocapikk 

Path: multi/http/web_check_screenshot_rce 

AttackerKB reference: CVE-2025-32778

Description: Adds an exploit module for CVE-2025-32778, a command injection vulnerability in Web-Check's screenshot API endpoint which allows unauthenticated remote code execution by injecting shell commands via URL query parameters in the /api/screenshot endpoint.

Accessibility Features (Sticky Keys) Persistence via Debugger Registry Key

Authors: OJ Reeves and h00die

Type: Exploit

Pull request: #20751 contributed by h00die 

Path: windows/persistence/accessibility_features_debugger

Description: This updates the Windows sticky keys post persistence module to use the new persistence mixin.

WMI Event Subscription Event Log Persistence

Authors: Nick Tyrer <@NickTyrer> and h00die

Type: Exploit

Pull request: #20706 contributed by h00die 

Path: windows/persistence/wmi/wmi_event_subscription_event_log

Description: This updates the Windows WMI persistence module to use the new persistence mixin in Metasploit Framework. The original WMI module has been split into four modules, each implementing its own technique.

WMI Event Subscription Interval Persistence

Authors: Nick Tyrer <@NickTyrer> and h00die

Type: Exploit

Pull request: #20706 contributed by h00die 

Path: windows/persistence/wmi/wmi_event_subscription_interval

Description: This updates the Windows WMI persistence module to use the new persistence mixin in Metasploit Framework. The original WMI module has been split into four modules, each implementing its own technique.

WMI Event Subscription Process Persistence

Authors: Nick Tyrer <@NickTyrer> and h00die

Type: Exploit

Pull request: #20706 contributed by h00die 

Path: windows/persistence/wmi/wmi_event_subscription_process

Description: This updates the Windows WMI persistence module to use the new persistence mixin in Metasploit Framework. The original WMI module has been split into four modules, each implementing its own technique.

WMI Event Subscription Logon Timer Persistence

Authors: Nick Tyrer <@NickTyrer> and h00die

Type: Exploit

Pull request: #20706 contributed by h00die 

Path: windows/persistence/wmi/wmi_event_subscription_uptime

Description: This updates the Windows WMI persistence module to use the new persistence mixin in Metasploit Framework. The original WMI module has been split into four modules, each implementing its own technique.

Linux Chmod

Author: bcoles bcoles@gmail.com 

Type: Payload (Single)

Pull request: #20845 contributed by bcoles 

Path: linux/armle/chmod and linux/aarch64/chmod

Description: Adds Linux ARM 32-bit / 64-bit Little Endian chmod payloads.

Enhancements and features (7)

  • #20706 from h00die - This updates the Windows WMI persistence module to use the new persistence mixin in Metasploit Framework. The original WMI module has been split into four modules, each implementing its own technique.
  • #20751 from h00die - This updates the Windows sticky keys post persistence module to use the new persistence mixin.
  • #20785 from Chocapikk - This adds Waku framework support to the existing react2shell module. Waku is a minimal React framework which differs slightly compared to Node.js. The module maintains backward compatibility with existing Next.js targets while adding Waku support through a modular framework configuration system.
  • #20786 from zeroSteiner - This updates the module code to merge the target Arch and Platform entries into the module's top level data. Prior to this change module developers had to define Arch and Platform entries twice, once at the module level and again per individual target. This updates over 500 modules and removes that duplication.
  • #20796 from h00die - This moves the udev persistence module into the persistence category and adds the persistence mixin.
  • #20853 from zeroSteiner - Bumps metasploit-payloads to 2.0.239.
  • #20855 from h00die - Adds additional ATT&CK references to persistence modules.

Bugs fixed (2)

  • #20738 from Shubham0699 - This fixes an issue in the bailiwicked DNS modules that was causing the module to fail with a stack trace due to a programming error.
  • #20847 from dwelch-r7 - This updates the auxiliary/scanner/ssh/ssh_login module to remove stale documentation, remove unnecessary characters that were printed in the output and update the correct documentation with the new information about key usage.

Documentation added (1)

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

The Cyber Express Weekly Roundup: Leadership Changes, Blackouts, Malware, and AI Safety Actions

The Cyber Express Weekly Roundup

The second week of 2026 continues to fetch new cybersecurity issues that affect national security, public stability, business operations, and technology governance. Developments this week ranged from senior intelligence leadership appointments and nationwide internet shutdowns to data breaches, new cybercrime services, and regulatory pressure on generative AI platforms.

Across regions and sectors, the incidents reflect how cyber risks now extend beyond technical environments into policy decisions, civil rights, financial systems, and public trust. Governments, enterprises, and technology providers faced challenges tied to resilience, accountability, and threat escalation, reinforcing cybersecurity’s role as a strategic issue rather than a purely operational one.

The Cyber Express Weekly Roundup 

X Tightens Grok AI Restrictions 

X (previously Twitter) introduced new restrictions on its AI chatbot Grok to prevent the creation of nonconsensual sexualized images, including content that may constitute child sexual abuse material. Measures include blocking sexualized image edits of real people, limiting image generation to paid users, and applying geoblocking where such content is illegal. The changes follow widespread abuse reports and ongoing investigations by U.S. and European authorities. Read more… 

NSA Appoints Timothy Kosiba as Deputy Director 

The National Security Agency announced the appointment of Timothy Kosiba as its 21st Deputy Director, making him the agency’s senior civilian official responsible for strategy execution, policy, and operational priorities. Kosiba brings more than 30 years of experience across the U.S. intelligence community, including senior roles at the NSA and U.S. Cyber Command, overseas liaison assignments, and leadership of major operational units. Read more… 

Iran Enters Fourth Day of Nationwide Internet Blackout 

Iran entered a fourth day of a nationwide internet blackout amid widespread unrest linked to the collapse of the rial, now trading at 1.4 million to the U.S. dollar. Authorities reduced national connectivity to approximately 1%, cutting off communications for more than 80 million people. Reports indicate thousands have been detained and hundreds killed since protests began, drawing international concern over censorship, human rights, and crisis communications. Read more… 

Dr. Amit Chaubey Warns of Expanding “Business Blast Radius” 

In an interview with The Cyber Express, Dr. Amit Chaubey said cyber incidents in 2026 are creating a broader “business blast radius,” extending beyond IT into national resilience, legal exposure, operational continuity, and public trust. He identified failures in external dependencies, such as cloud services, identity systems, connectivity, and key suppliers, as the primary drivers of large-scale disruption, warning that many organizations remain unprepared for sustained degraded operations. Read more… 

Endesa Data Breach Affects Energía XXI Customers 

Spanish energy provider Endesa disclosed a data breach involving unauthorized access to its commercial platform, impacting customers of its regulated operator Energía XXI. Exposed data includes identification details, contact information, national identity numbers, contract data, and possible payment information such as IBANs. Endesa stated that account passwords were not compromised and reported no evidence of data misuse as investigations continue. Read more… 

New Android Banking Malware deVixor Identified 

Cyble researchers identified a new Android banking malware called deVixor, a remote access trojan combining credential theft, device surveillance, and ransomware functionality. Active since October, the malware targets Iranian users through phishing sites distributing malicious APKs and is operated as a service-based criminal platform using Telegram and Firebase infrastructure. Researchers noted the malware’s scalability and long-term operational design. Read more… 

Microsoft Disrupts RedVDS Cybercrime Platform 

Microsoft announced the takedown of RedVDS, a cybercrime-as-a-service platform costing $24 per month that provided criminals with disposable virtual machines for fraud operations. In coordination with international law enforcement, Microsoft seized infrastructure linked to an estimated $40 million in reported U.S. fraud losses, with victims across healthcare, real estate, nonprofit, and other sectors. The action marks Microsoft’s 35th civil case against cybercrime infrastructure. Read more… 

Weekly Roundup Takeaway 

This week’s events highlight how cybersecurity in 2026 directly affects governance, economic stability, civil rights, and technology accountability. From intelligence leadership changes and state-imposed internet shutdowns to advanced malware, large-scale fraud platforms, and AI safety enforcement, cyber risks now demand coordinated action across policy, regulation, and operations rather than technical controls alone. 

Three technologies that will shape biotech in 2026

16 January 2026 at 05:00

Earlier this week, MIT Technology Review published its annual list of Ten Breakthrough Technologies. As always, it features technologies that made the news last year, and which—for better or worse—stand to make waves in the coming years. They’re the technologies you should really be paying attention to.

This year’s list includes tech that’s set to transform the energy industry, artificial intelligence, space travel—and of course biotech and health. Our breakthrough biotechnologies for 2026 involve editing a baby’s genes and, separately, resurrecting genes from ancient species. We also included a controversial technology that offers parents the chance to screen their embryos for characteristics like height and intelligence. Here’s the story behind our biotech choices.

A base-edited baby!

In August 2024, KJ Muldoon was born with a rare genetic disorder that allowed toxic ammonia to build up in his blood. The disease can be fatal, and KJ was at risk of developing neurological disorders. At the time, his best bet for survival involved waiting for a liver transplant.

Then he was offered an experimental gene therapy—a personalized “base editing” treatment designed to correct the specific genetic “misspellings” responsible for his disease. It seems to have worked! Three doses later, KJ is doing well. He took his first steps in December, shortly before spending his first Christmas at home.

KJ’s story is hugely encouraging. The team behind his treatment is planning a clinical trial for infants with similar disorders caused by different genetic mutations. The team members hope to win regulatory approval on the back of a small trial—a move that could make the expensive treatment (KJ’s cost around $1 million) more accessible, potentially within a few years.

Others are getting in on the action, too. Fyodor Urnov, a gene-editing scientist at the University of California, Berkeley, assisted the team that developed KJ’s treatment. He recently cofounded Aurora Therapeutics, a startup that hopes to develop gene-editing drugs for another disorder called phenylketonuria (PKU). The goal is to obtain regulatory approval for a single drug that can then be adjusted or personalized for individuals without having to go through more clinical trials.

US regulators seem to be amenable to the idea and have described a potential approval pathway for such “bespoke, personalized therapies.” Watch this space.

Gene resurrection

It was a big year for Colossal Biosciences, the biotech company hoping to “de-extinct” animals like the woolly mammoth and the dodo. In March, the company created what it called “woolly mice”—rodents with furry coats and curly whiskers akin to those of woolly mammoths.

The company made an even more dramatic claim the following month, when it announced it had created three dire wolves. These striking snow-white animals were created by making 20 genetic changes to the DNA of gray wolves based on genetic research on ancient dire wolf bones, the company said at the time.

Whether these animals can really be called dire wolves is debatable, to say the least. But the technology behind their creation is undeniably fascinating. We’re talking about the extraction and analysis of ancient DNA, which can then be introduced into cells from other, modern-day species.

Analysis of ancient DNA can reveal all sorts of fascinating insights into human ancestors and other animals. And cloning, another genetic tool used here, has applications not only in attempts to re-create dead pets but also in wildlife conservation efforts. Read more here.

Embryo scoring

IVF involves creating embryos in a lab and, typically, “scoring” them on their likelihood of successful growth before they are transferred to a person’s uterus. So far, so uncontroversial.

Recently, embryo scoring has evolved. Labs can pinch off a couple of cells from an embryo, look at its DNA, and screen for some genetic diseases. That list of diseases is increasing. And now some companies are taking things even further, offering prospective parents the opportunity to select embryos for features like height, eye color, and even IQ.

This is controversial for lots of reasons. For a start, there are many, many factors that contribute to complex traits like IQ (a score that doesn’t capture all aspects of intelligence at any rate). We don’t have a perfect understanding of those factors, or how selecting for one trait might influence another.

Some critics warn of eugenics. And others note that whichever embryo you end up choosing, you can’t control exactly how your baby will turn out (and why should you?!). Still, that hasn’t stopped Nucleus, one of the companies offering these services, from inviting potential customers to have their “best baby.” Read more here.

This article first appeared in The Checkup, MIT Technology Review’s weekly biotech newsletter. To receive it in your inbox every Thursday, and read articles like this first, sign up here.

Kyowon Group Confirms Cyberattack as Multiple Systems Go Offline


A Kyowon Group cyberattack has just been revealed, making the incident one of the latest breaches affecting South Korean companies in recent weeks. Amid ongoing investigations into breaches at companies such as KT, the country’s three major telecommunications firms, and Lotte Card, the Kyowon Group cyberattack has raised concerns due to the company’s extensive customer base across its many subsidiaries.

According to the latest updates on its website, Kyowon Group detected signs of an external intrusion on the morning of January 10. After identifying abnormal activity, the company immediately shut down parts of its internal systems and began emergency recovery measures. The incident was publicly acknowledged on January 11, when access to Kyowon Group’s main website and several affiliated sites became unavailable.

Systems Shut Down After the Kyowon Group Cyberattack  

As of January 12, a service disruption notice was displayed across Kyowon Group and subsidiary websites, stating, “Web service is unavailable due to unexpected disruptions.” At that time, users were still unable to access online services, indicating the impact of the Kyowon Group cyberattack was ongoing.

[Image: Kyowon Group alerts users to a cyberattack on its systems (Source: Kyowon Group)]

A Kyowon Group representative confirmed the breach, stating, “We have confirmed indications of a breach,” while emphasizing that investigations were still underway. The representative added, “We are still investigating whether any personal information has been leaked.” The company also announced that it planned to release an official statement the following morning once more details were confirmed.

Multiple Affiliate Websites Go Offline as Recovery Efforts Continue 

Further disclosures revealed that Kyowon Group believes the incident may be linked to ransomware activity. On Monday, the company said it had shut down parts of its internal network after detecting what it described as suspicious behavior consistent with a ransomware attack. Kyowon Group explained that abnormal activity was first identified at approximately 8 a.m. on Saturday, January 10, prompting immediate action to isolate affected systems and block external access.

Several websites operated by Kyowon Group affiliates remained inaccessible as of Monday. A notice on the Kyowon Tour website confirmed that the service was unavailable. These disruptions highlighted the broad operational impact of the Kyowon Group hacking incident, which affected multiple brands under the group’s umbrella.

Kyowon Group reported the suspected breach to the Korea Internet & Security Agency (KISA) and relevant investigative authorities shortly after identifying the issue. The company said it is currently restoring systems while conducting comprehensive security checks to determine the scope of the intrusion.

Company Reports Incident to Authorities, Probes Possible Ransomware Involvement 

“We are working with professional security personnel and related agencies to conduct a detailed investigation into the cause of the breach, the scope of its impact, and whether any data was affected, while carrying out recovery work,” Kyowon Group said in an official statement. The company also addressed concerns over customer data, stating, “We are also checking whether any personal information was leaked. If a leak is confirmed, we will promptly and transparently notify customers in accordance with relevant laws and procedures.”

Kyowon Group added that it plans to gradually restore access to its websites and related services as systems are secured. “We will mobilize all available resources to stabilize services and prioritize customer protection as we work toward full recovery,” the company said.

The cyberattack on Kyowon Group is particularly important given the group’s diverse business portfolio and large customer base. Kyowon Group operates education-focused brands such as Kyowon Kumon and Red Pen, which provide after-school learning materials. It also runs lifestyle and service-oriented businesses, including the Wells home appliance brand, Kyowon Life, a funeral service company, Kyowon Invest, Kyowon Travel, The Suites Hotel, and Kyowon Tour.

Metasploit Wrap-Up 01/09/2026

9 January 2026 at 18:07

RISC-V Payloads

This week brings more RISC-V payloads from community member bcoles. One provides a new adapter which allows RISC-V payloads to be converted to commands and delivered as a Metasploit fetch-payload. The second is a classic bind shell, offering the user interactive connectivity to the target host. Both of these go a long way in improving Metasploit’s support for RISC-V systems.

Annual Wrap Up

With a new year comes a new annual wrap up. Earlier this week, the Metasploit project posted the annual wrap up covering notable changes from 2025.

New module content (4)

Taiga tribe_gig authenticated unserialize remote code execution

Authors: rootjog and whotwagner

Type: Exploit

Pull request: #20700 contributed by whotwagner 

Path: multi/http/taiga_tribe_gig_unserial

AttackerKB reference: CVE-2025-62368

Description: This adds a new module for an authenticated deserialization vulnerability in Taiga.io (CVE-2025-62368). The module sends malicious data to an exposed API endpoint, which performs unsafe deserialization, leading to remote code execution.

Python Site-Specific Hook Persistence

Author: msutovsky-r7

Type: Exploit

Pull request: #20692 contributed by msutovsky-r7 

Path: multi/persistence/python_site_specific_hook

Description: This adds a persistence module which leverages Python's startup mechanism, whereby certain files are processed automatically while the Python interpreter initializes. Some of those files are startup hooks (site-specific, dist-packages). If these files are present in the site-specific or dist-packages directories, any line beginning with import is executed automatically. This provides a persistence mechanism once an attacker has established access to the target machine with sufficient permissions.
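The module description above relies on how site.py handles .pth files: a line that starts with "import " or "import<TAB>" is handed to exec(), and every other non-comment line is appended to sys.path. The script below is an added auditing example from a defender's point of view; it is not the Metasploit module's code and not part of the original post. It lists the executable lines in every .pth file under the interpreter's site directories so a reviewer can compare them against what installed packages are expected to ship. The sample .pth content embedded in it is constructed for the self-test, and the classification of a line as "exec_import" is a review flag, not a verdict (setuptools and virtualenv legitimately install hook-style import lines).

```python
"""Audit Python .pth files for lines the interpreter will execute at startup.

Added example (not Metasploit's code).  site.py processes every *.pth file in
a site directory: a line beginning with "import " or "import<TAB>" is passed to
exec(); any other non-comment line is appended to sys.path.
"""
import os
import re
import site

# site.py executes a line only when it starts with exactly "import " or "import\t".
_IMPORT_LINE = re.compile(r"^import[ \t]")
# Constructs that go beyond importing a module name and deserve a closer look.
_SUSPICIOUS = re.compile(
    r";|\bexec\b|\beval\b|\bcompile\b|\b__import__\b|\bos\.system\b"
    r"|\bsubprocess\b|\bsocket\b|\bbase64\b|\burllib\b"
)


def classify_pth_line(line):
    """Classify one .pth line the way site.py treats it.

    Returns 'comment' (ignored), 'path' (added to sys.path), 'import'
    (executed, plain module import) or 'exec_import' (executed, carries
    extra statements or suspicious calls).  Only the right side is stripped,
    mirroring site.py, so a line with leading whitespace is a path entry.
    """
    line = line.rstrip()
    if not line or line.startswith("#"):
        return "comment"
    if not _IMPORT_LINE.match(line):
        return "path"
    if _SUSPICIOUS.search(line):
        return "exec_import"
    return "import"


def audit_pth_text(text):
    """Return (line_number, classification, line) for every executable line."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        kind = classify_pth_line(line)
        if kind in ("import", "exec_import"):
            findings.append((number, kind, line.rstrip()))
    return findings


def audit_site_dirs(directories):
    """Scan each directory for *.pth files; map file path -> findings."""
    results = {}
    for directory in directories:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".pth"):
                continue
            path = os.path.join(directory, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as handle:
                    findings = audit_pth_text(handle.read())
            except OSError:
                continue
            if findings:
                results[path] = findings
    return results


def default_site_dirs():
    """Site directories the running interpreter actually consults."""
    dirs = list(getattr(site, "getsitepackages", lambda: [])())
    dirs.append(site.getusersitepackages())
    return dirs


# Constructed sample .pth content (not taken from any real host) for the self-test:
# a path entry, a plain import, a setuptools-style hook, and a command-running hook.
SAMPLE_PTH = """\
# constructed sample .pth
/opt/vendor/lib
import os
import sys; sys.__plen = len(sys.path)
import os; os.system("/opt/constructed/beacon")
"""

if __name__ == "__main__":
    print("sample findings:", audit_pth_text(SAMPLE_PTH))
    for path, findings in audit_site_dirs(default_site_dirs()).items():
        for number, kind, line in findings:
            print(f"{path}:{number}: [{kind}] {line}")
```

Run it from each interpreter you care about (system Python, virtualenvs, and the Python bundled with applications), since every interpreter has its own site directories and a hook only fires for the interpreter whose directories contain it.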

Add Linux RISC-V command payload adapters

Authors: bcoles bcoles@gmail.com 

Type: Payload (Adapter)

Pull request: #20734 contributed by bcoles

Description: This extends fetch payloads for RISC-V targets.

Linux Command Shell, Bind TCP Inline

Authors: bcoles bcoles@gmail.com and modexp

Type: Payload (Single)

Pull request: #20733 contributed by bcoles 

Path: linux/riscv32le/shell_bind_tcp

Description: This adds a new payload: a bind shell for Linux RISC-V targets.

Bugs fixed (2)

  • #20370 from msutovsky-r7 - Fixes an issue that occurred when negotiating the SMB version and the server uses an unknown dialect. Now, the login function will throw an exception and exit gracefully.
  • #20744 from ptrstr - This fixes a bug in unix/webapp/wp_reflexgallery_file_upload where the current year and month were being hardcoded in the request. This caused the server to reject the exploit if there was no folder in wp-content/uploads for that specific year and month. Now the year and month are configurable datastore options.

Documentation added (1)

  • #20831 from DataExplorerX - This adds a link to the issues page of the Metasploit Framework GitHub repository.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

The War Over the Weedkiller Roundup Might Be Headed to the Supreme Court

9 January 2026 at 14:49
Bayer has asked the justices to decide whether federal law shields the company from lawsuits over its Roundup herbicide and cancer. Democrats and MAHA activists aren’t happy.

© Seth Perlman/Associated Press

The herbicide Roundup, when paired with genetically modified seeds, kills weeds without damaging crops. But some evidence has indicated a link to cancer.

The Cyber Express Weekly Roundup: Schools, Hacktivists, and National Cyber Overhauls


The opening week of 2026 has already highlighted the complexity of global cyber threats, with incidents affecting governments, educational institutions, and corporations alike. From school closures to corporate breaches and international policy shifts, cybersecurity news demonstrates that attacks are no longer confined to technical systems; they have real-world consequences for operations, public trust, and the protection of sensitive data.

This week, digital risks have shown their reach across multiple sectors: schools are grappling with ransomware and system outages that disrupt learning, corporations face data breaches due to human error and weak authentication practices, and governments are reevaluating international cooperation in cybersecurity.

The early events of 2026 underline that managing cyber risk requires not just technology, but coordinated response, regulatory oversight, and awareness at every level, from individual users to global policymakers.

The Cyber Express Weekly Roundup 

Higham Lane School Cyberattack Forces Temporary Closure 

Higham Lane School in Nuneaton, England, closed temporarily after a cyberattack disrupted IT systems, affecting 1,500 students. Staff and students must avoid platforms like Google Classroom while cybersecurity experts and the Department for Education investigate. Read more... 

Hacktivist Takes Down White Supremacist Websites Live at Conference 

Hacktivist Martha Root gained attention by deleting white supremacist websites live at the Chaos Communication Congress in Hamburg. Targeted platforms included WhiteDate, WhiteChild, and WhiteDeal. Root also exposed partial data from over 6,000 WhiteDate profiles, sharing it with controlled-access platforms DDoSecrets and HaveIBeenPwned. Read more... 

UK Announces £210 Million Cybersecurity Overhaul 

The UK government announced a £210 million cybersecurity initiative to address “critically high” risks across public sector systems, many of which rely on vulnerable legacy platforms. The plan includes creating a Government Cyber Unit for cross-department coordination and accountability, establishing the Government Cyber Coordination Centre (GC3) for strategic defense, and launching the first Government Cyber Profession to tackle skills shortages, supported by a Cyber Resourcing Hub. Read more... 

Australian Insurer Prosura Suffers Cyber Incident 

In Australia, Prosura temporarily shut down online policy management and claim portals following unauthorized access to internal systems on January 3, 2026. Customer names, emails, phone numbers, and policy details may have been exposed, though payment information remained secure. Read more... 

U.S. Withdraws from International Cyber Coalitions 

The United States announced its withdrawal from 66 international organizations related to cybersecurity, digital rights, and hybrid threat cooperation. These include the Hybrid CoE, GFCE, and Freedom Online Coalition. Officials cited misalignment with U.S. interests, raising concerns over reduced intelligence sharing and potential gaps in global cyber defense. Read more... 

Weekly Takeaway 

This week’s cybersecurity news from The Cyber Express shows that 2026 is already marked by complex threats. From school closures and corporate breaches to government reforms and international policy shifts, data breaches impact education, public services, and businesses. Protecting digital systems now requires vigilance, technical skill, and proactive governance, making strong cybersecurity strategies essential to protect operations, trust, and public safety worldwide. 

America’s new dietary guidelines ignore decades of scientific research

8 January 2026 at 12:10

The new year has barely begun, but the first days of 2026 have brought big news for health. On Monday, the US’s federal health agency upended its recommendations for routine childhood vaccinations—a move that health associations worry puts children at unnecessary risk of preventable disease.

There was more news from the federal government on Wednesday, when health secretary Robert F. Kennedy Jr. and his colleagues at the Departments of Health and Human Services and Agriculture unveiled new dietary guidelines for Americans. And they are causing a bit of a stir.

That’s partly because they recommend products like red meat, butter, and beef tallow—foods that have been linked to cardiovascular disease, and that nutrition experts have been recommending people limit in their diets.

These guidelines are a big deal—they influence food assistance programs and school lunches, for example. So this week let’s look at the good, the bad, and the ugly advice being dished up to Americans by their government.

The government dietary guidelines have been around since the 1980s. They are updated every five years, in a process that typically involves a team of nutrition scientists who have combed over scientific research for years. That team will first publish its findings in a scientific report, and, around a year later, the finalized Dietary Guidelines for Americans are published.

The last guidelines covered the period 2020 to 2025, and new guidelines were expected in the summer of 2025. Work had already been underway for years; the scientific report intended to inform them was published back in 2024. But the publication of the guidelines was delayed by last year’s government shutdown, Kennedy said last year. They were finally published yesterday.

Nutrition experts had been waiting with bated breath. Nutrition science has evolved slightly over the last five years, and some were expecting to see new recommendations. Research now suggests, for example, that there is no “safe” level of alcohol consumption.

We are also beginning to learn more about health risks associated with some ultraprocessed foods (although we still don’t have a good understanding of what they might be, or what even counts as “ultraprocessed”.) And some scientists were expecting to see the new guidelines factor in environmental sustainability, says Gabby Headrick, the associate director of food and nutrition policy at George Washington University’s Institute for Food Safety & Nutrition Security in Washington DC.

They didn’t.

Many of the recommendations are sensible. The guidelines recommend a diet rich in whole foods, particularly fresh fruits and vegetables. They recommend avoiding highly processed foods and added sugars. They also highlight the importance of dietary protein, whole grains, and “healthy” fats.

But not all of them are, says Headrick. The guidelines open with a “new pyramid” of foods. This inverted triangle is topped with “protein, dairy, and healthy fats” on one side and “vegetables and fruits” on the other.

[Image: "The New Pyramid", an upside-down pyramid with Protein, Dairy & Healthy Fats sharing the top with Vegetables & Fruits, and Whole Grains at the bottom tip (USDA)]

There are a few problems with this image. For starters, its shape—nutrition scientists have long moved on from the food pyramids of the 1990s, says Headrick. They’re confusing and make it difficult for people to understand what the contents of their plate should look like. That’s why scientists now use an image of a plate to depict a healthy diet.

“We’ve been using MyPlate to describe the dietary guidelines in a very consumer-friendly, nutrition-education-friendly way for over the last decade now,” says Headrick. (The UK’s National Health Service takes a similar approach.)

And then there’s the content of that food pyramid. It puts a significant focus on meat and whole-fat dairy produce. The top left image—the one most viewers will probably see first—is of a steak. Smack in the middle of the pyramid is a stick of butter. That’s new. And it’s not a good thing.

While both red meat and whole-fat dairy can certainly form part of a healthy diet, nutrition scientists have long been recommending that most people try to limit their consumption of these foods. Both can be high in saturated fat, which can increase the risk of cardiovascular disease—the leading cause of death in the US. In 2015, on the basis of limited evidence, the World Health Organization classified red meat as “probably carcinogenic to humans.” 

Also concerning is the document’s definition of “healthy fats,” which includes butter and beef tallow (a MAHA favorite). Neither food is generally considered to be as healthy as olive oil, for example. While olive oil contains around two grams of saturated fat per tablespoon, a tablespoon of beef tallow has around six grams of saturated fat, and the same amount of butter contains around seven grams of saturated fat, says Headrick.

“I think these are pretty harmful dietary recommendations to be making when we have established that those specific foods likely do not have health-promoting benefits,” she adds.

Red meat is not exactly a sustainable food, and neither are dairy products. And the advice on alcohol is relatively vague, recommending that people “consume less alcohol for better overall health” (which might leave you wondering: Less than what?).

There are other questionable recommendations in the guidelines. Americans are advised to include more protein in their diets—at levels between 1.2 and 1.6 grams daily per kilo of body weight, 50% to 100% more than recommended in previous guidelines. There’s a risk that increasing protein consumption to such levels could raise a person’s intake of both calories and saturated fats to unhealthy levels, says José Ordovás, a senior nutrition scientist at Tufts University. “I would err on the low side,” he says.

Some nutrition scientists are questioning why these changes have been made. It’s not as though the new recommendations were in the 2024 scientific report. And the evidence on red meat and saturated fat hasn’t changed, says Headrick.

In reporting this piece, I contacted many contributors to the previous guidelines, and some who had led research for 2024’s scientific report. None of them agreed to comment on the new guidelines on the record. Some seemed disgruntled. One merely told me that the process by which the new guidelines had been created was “opaque.”

“These people invested a lot of their time, and they did a thorough job [over] a couple of years, identifying [relevant scientific studies],” says Ordovás. “I’m not surprised that when they see that [their] work was ignored and replaced with something [put together] quickly, that they feel a little bit disappointed,” he says.

This article first appeared in The Checkup, MIT Technology Review’s weekly biotech newsletter. To receive it in your inbox every Thursday, and read articles like this first, sign up here.

A Week That Set the Tone for 2026: Cyber Laws, Breaches, and Disinformation

The Cyber Express Weekly Roundup

This week, The Cyber Express takes a closer look at the events shaping the global cybersecurity landscape as we transition from 2025 to 2026. Throughout this week, we covered new cybersecurity laws, insider jobs involving ransomware, AI-driven disinformation, and data protection enforcement. Coverage includes China’s updated cybersecurity law with stricter reporting and executive liability, Poland’s request for an EU investigation into TikTok’s AI-driven disinformation, and GDPR enforcement in France, with Nexpublica fined €1.7 million. Insider threats remain a concern, highlighted by U.S. BlackCat ransomware convictions, while global ransomware campaigns by groups like CL0P continue to exploit third-party software vulnerabilities. Here are the key stories from this week’s global cybersecurity landscape:


China’s New Cybersecurity Law: A Global Game-Changer 

As of January 1, 2026, China’s amended Cybersecurity Law has come into effect, representing the most significant update since 2017. The law drastically tightens reporting timelines, accountability, and enforcement, including near-real-time incident reporting for critical infrastructure operators—ranging from 60 minutes for severe incidents to four hours for major breaches.

TikTok Under the Microscope in Poland 

Poland has formally asked the European Commission to investigate TikTok over an AI-generated campaign promoting “Polexit,” the idea of Poland leaving the EU. Officials claim the platform failed to meet obligations under the Digital Services Act (DSA), putting democracy at risk, especially among younger users.

Insider Threats: BlackCat Ransomware in the U.S. 

In the United States, two cybersecurity professionals pleaded guilty to deploying ALPHV BlackCat ransomware against five companies, extorting over $1.2 million. The attackers exploited privileged access in healthcare, pharmaceutical, and tech sectors.

GDPR Enforcement: Nexpublica Fined €1.7 Million 

France’s CNIL imposed a €1.7 million fine on Nexpublica France for failing to secure sensitive personal data in its PCRM system. A 2022 breach exposed information about disabilities and other personal details. CNIL emphasized that awareness of vulnerabilities without timely remediation constitutes a serious lapse in responsibility.

CL0P Expands Ransomware Assault on Oracle EBS 

The CL0P ransomware group continued targeting Oracle E-Business Suite systems globally, affecting institutions like the University of Phoenix and Korean Air. Millions of employee and personal records were compromised, largely via third-party software vulnerabilities, underlining the risks of vendor dependencies in cybersecurity.

MongoBleed and ASEAN: Trust as a Cyber Asset 

A critical MongoDB vulnerability, “MongoBleed” (CVE-2025-14847), allows attackers unauthenticated access to server memory, exposing credentials and confidential data. Meanwhile, a review of ASEAN cybersecurity in 2025 by Salleh Kodri, senior presales consultant at Cyble, found that brand abuse, executive impersonation, and digital reputation attacks caused more damage than traditional breaches.

Governance and Corruption Spotlight: Georgia 

Former Georgian security chief Grigol Liluashvili was arrested on bribery and corruption charges involving energy contracts and public procurement. Prosecutors continue an active investigation into millions of dollars in illicit payments.

Weekly Takeaway 

From AI-driven disinformation in Europe to insider ransomware attacks in the U.S., GDPR enforcement, and critical vulnerabilities worldwide, 2025 has underscored that cybersecurity is no longer just about technology. Protecting trust, brand integrity, and personal data is now as vital as firewalls and encryption, a lesson organizations must carry into 2026.

How Well Does Apple’s Live Translation Work for Japanese? I Tested It in Tokyo.

26 December 2025 at 05:00
A non-Japanese-speaking first-time visitor used Apple’s new in-ear translation feature to connect with locals at bars, sushi classes and even a fire ritual.


Spotify Disables Accounts After Open-Source Group Scrapes 86 Million Songs

24 December 2025 at 02:00


Spotify has disabled multiple user accounts after an open-source group claimed it scraped millions of songs and related data from the music streaming platform. The move comes after Anna’s Archive published files over the weekend containing metadata and audio for 86 million tracks, triggering concerns around Spotify scraping and copyright enforcement. In a statement shared with The Cyber Express, the company confirmed that it identified and shut down user accounts involved in unlawful scraping activities. The company said it has also introduced new safeguards to prevent similar incidents in the future. “Spotify has identified and disabled the nefarious user accounts that engaged in unlawful scraping,” a Spotify spokesperson said. “We’ve implemented new safeguards for these types of anti-copyright attacks and are actively monitoring for suspicious behavior. Since day one, we have stood with the artist community against piracy.”

Spotify Says Spotify Scraping Was Not a Hack

Spotify clarified that the Spotify scraping incident did not involve a breach of its internal systems. According to the company, the people behind the dataset violated Spotify’s terms of service over several months by using stream-ripping techniques through third-party user accounts. “They did this through user accounts set up by a third party and not by accessing Spotify’s business systems,” the spokesperson said, adding that Anna’s Archive did not contact Spotify before releasing the files. The company stressed that this Spotify scraping case should not be classified as a hack, but rather as systematic abuse of user access, which falls under unlawful scraping and copyright violation.

Anna’s Archive Claims “Preservation” Motive

Anna’s Archive, which describes itself as the “largest truly open library in human history,” published a blog post explaining its decision to expand beyond books and research papers into music. The group said it discovered a method of Spotify scraping at scale and saw an opportunity to build what it calls a “preservation archive” for music. “Sometimes an opportunity comes along outside of text. This is such a case,” the group wrote, arguing that its goal is to preserve cultural content rather than profit from it. The released dataset includes a music metadata database covering 256 million tracks and a bulk archive of nearly 300 terabytes containing 86 million audio files. According to Anna’s Archive, these tracks account for roughly 99.6% of all listens on Spotify.

Data Spans Nearly Two Decades of Music

The scraped files cover music released on Spotify between 2007 and July 2025. The group also released a smaller dataset featuring the top 10,000 most popular songs on the platform. Using the scraped data, Anna’s Archive highlighted streaming trends, noting that the top three songs on Spotify—Billie Eilish’s “Birds of a Feather,” Lady Gaga’s “Die With a Smile,” and Bad Bunny’s “DtMF”—have more combined streams than tens of millions of lesser-known tracks. While Anna’s Archive framed the release as a cultural archive, copyright holders and technology companies have consistently challenged the group’s activities.

A History of Copyright Violations

Anna’s Archive emerged shortly after the 2022 shutdown of Z-Library, a massive online repository of pirated books. Following Z-Library’s takedown, the group aggregated content from several shadow libraries, including Library Genesis, Sci-Hub, and the Internet Archive. The platform is banned in multiple countries due to repeated copyright violations. As of December, it reportedly hosts more than 61 million books and 95 million academic papers. In November, Google removed nearly 800 million links to Anna’s Archive following takedown requests from publishers.

Spotify Reinforces Anti-Piracy Measures

Spotify said it is actively monitoring for suspicious behavior and working with industry partners to protect creators’ rights. The company reiterated its stance against piracy and emphasized that Spotify scraping undermines both artists and the broader music ecosystem. As streaming platforms continue to grow, incidents like this highlight the ongoing tension between open-access movements and copyright enforcement in the digital music industry.

CL0P Ransomware Group Targets Gladinet CentreStack in New Campaign

19 December 2025 at 11:59


The CL0P ransomware group appears to be targeting internet-facing Gladinet CentreStack file servers in its latest extortion campaign. The Curated Intelligence project said in a LinkedIn post that incident responders from its community “have encountered a new CLOP extortion campaign targeting Internet-facing CentreStack file servers.” Cyble said in a note to clients today that CL0P appears to be readying its dark web data leak site (DLS) for a new wave of victims following its exploitation of Oracle E-Business Suite vulnerabilities that netted more than 100 victims. “Monitoring of Cl0p's DLS indicates recent archiving and grouping of all previously listed victims associated with Oracle E-Business Suite exploitation under different folders, a move that strongly suggests preparation for a new wave of data leak publications,” Cyble said. “This restructuring activity is assessed to be linked to the ongoing exploitation of Gladinet CentreStack, with Cl0p likely staging victims for coordinated disclosure similar to its prior mass-extortion campaigns. No victim samples or deadlines related to the CentreStack victims have been published yet.”

CL0P May Be Targeting Gladinet CentreStack Vulnerabilities

It’s not clear if the CL0P campaign is exploiting a known or zero-day vulnerability, but in a comment on the LinkedIn post, Curated Intelligence said that an October Huntress report is “Likely related.” That report focused on CVE-2025-11371, a Files or Directories Accessible to External Parties vulnerability in Gladinet CentreStack and TrioFox that was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on Nov. 4.

In a Dec. 10 report, Huntress noted that threat actors were also targeting CVE-2025-30406, a Gladinet CentreStack Use of Hard-coded Cryptographic Key vulnerability, and CVE-2025-14611, a Gladinet CentreStack and TrioFox hard-coded cryptographic key vulnerability. CVE-2025-30406 was added to the CISA KEV catalog in April, and CVE-2025-14611 was added on Dec. 15. In a Dec. 18 update to that post, Huntress noted the Curated Intelligence findings and said, “At present, we cannot say definitively that this is exploitation by the cl0p ransomware gang, but considering the timing of this reporting, we felt it was prudent to share this recent threat intel.”

The latest release on Gladinet's CentreStack website as of December 8 is version 16.12.10420.56791, Huntress noted. “We recommend that potentially impacted Gladinet customers update to this latest version immediately and ensure that the machineKey is rotated,” the blog post said. Curated Intelligence noted that recent port scan data shows more than 200 unique IPs serving the “CentreStack - Login” HTTP title, “making them potential targets of CLOP who is exploiting an unknown CVE (n-day or zero-day) in these systems.”

CL0P’s History of File Transfer Attacks

Curated Intelligence noted that CL0P has a long history of targeting file sharing and transfer services. “This is yet another similar data extortion campaign by this adversary,” the project said. “CLOP is well-known for targeting file transfer servers such as Oracle EBS, Cleo FTP, MOVEit, CrushFTP, SolarWinds Serv-U, PaperCut, GoAnywhere, among others.” CL0P’s exploitation of Cleo MFT vulnerabilities led to a record number of ransomware attacks earlier this year, and CL0P has also successfully exploited Accellion FTA vulnerabilities. The group’s ability to successfully exploit vulnerabilities at scale has made it a top five ransomware group over its six-year history (image below from Cyble).

[Image: top ransomware groups of all time. CL0P is a top five ransomware group over its six-year history (Cyble)]

Metasploit Wrap-Up 12/19/2025

19 December 2025 at 16:02

React2Shell Payload Improvements

Last week Metasploit released an exploit for the React2Shell vulnerability, and this week we have made a couple of improvements to the payloads that it uses. The first improvement affects all Metasploit modules. When an exploit is used, an initial payload is selected using some basic logic that effectively picked the first compatible payload in alphabetical order. Now Metasploit will prefer a default of x86 Meterpreters for Windows systems (since 32-bit payloads work on both 32-bit and 64-bit versions of Windows) and x64 Meterpreters for all other platforms including Linux. In the context of React2Shell, this means the payload now defaults to x64 for Linux instead of AARCH64.
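To make the difference between the two selection rules concrete, here is an added illustration in Ruby. It is not Metasploit's own code: it shows a simplified "first compatible name in alphabetical order" picker beside a preference-ordered picker that favours x86 on Windows and x64 elsewhere, as the paragraph above describes. The payload reference names follow the real Metasploit naming scheme (Windows x86 Meterpreter refnames carry no architecture segment), but the compatible-payload sets are constructed samples, not the lists the React2Shell module actually offers.

```ruby
# Added illustration, not Metasploit's own code: a preference-ordered default
# payload selector beside the old "first compatible name in alphabetical order"
# behaviour. Refnames follow the real naming scheme; compatible sets are
# constructed samples.

ARCH_SEGMENTS = %w[x86 x64 aarch64 armle mipsle mipsbe].freeze

# Windows x86 Meterpreter refnames carry no arch segment (windows/meterpreter/...),
# so a missing segment on the windows platform means x86.
def arch_of(refname)
  platform, second, = refname.split('/')
  return second if ARCH_SEGMENTS.include?(second)

  platform == 'windows' ? 'x86' : 'unknown'
end

def platform_of(refname)
  refname.split('/').first
end

# Old behaviour described in the post: the first compatible payload in
# alphabetical order. "aarch64" sorts before "x64", hence the AARCH64 default.
def naive_default(compatible)
  compatible.min
end

# New behaviour described in the post: x86 first on Windows (32-bit payloads
# run on both 32- and 64-bit Windows), x64 first on every other platform.
def arch_preference(platform)
  platform == 'windows' ? %w[x86 x64] : %w[x64 x86 aarch64]
end

# Rank by preferred architecture, then prefer Meterpreter over plain shells,
# then fall back to alphabetical order so the choice is deterministic.
def preferred_default(compatible)
  compatible.min_by do |ref|
    prefs = arch_preference(platform_of(ref))
    arch_rank = prefs.index(arch_of(ref)) || prefs.length
    meterpreter_rank = ref.include?('/meterpreter/') ? 0 : 1
    [arch_rank, meterpreter_rank, ref]
  end
end

# Constructed sample: what a Linux-only exploit such as React2Shell might offer.
LINUX_COMPATIBLE = %w[
  linux/aarch64/meterpreter/reverse_tcp
  linux/x64/meterpreter/reverse_tcp
  linux/x86/meterpreter/reverse_tcp
  linux/x64/shell/reverse_tcp
].freeze

# Constructed sample for a Windows target.
WINDOWS_COMPATIBLE = %w[
  windows/x64/meterpreter/reverse_tcp
  windows/meterpreter/reverse_tcp
  windows/x64/shell/reverse_tcp
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "linux   old: #{naive_default(LINUX_COMPATIBLE)}  new: #{preferred_default(LINUX_COMPATIBLE)}"
  puts "windows old: #{naive_default(WINDOWS_COMPATIBLE)}  new: #{preferred_default(WINDOWS_COMPATIBLE)}"
end
```

On the Linux sample the alphabetical rule lands on the AARCH64 Meterpreter while the preference rule picks the x64 one; on the Windows sample both rules happen to agree, because `windows/meterpreter/...` also sorts before `windows/x64/...`, which is why the change was most visible on Linux targets.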

Another improvement that only affects this exploit was the change of the default payload to one leveraging Node.js which is more likely to be present than the wget binary that was required. These defaults should hopefully help users get started with this high-impact exploit with more ease, but of course any compatible payload can still be selected.

Stay tuned for the Metasploit annual wrap-up and roadmap announcement coming up!

New module content (2)

N-able N-Central Authentication Bypass and XXE Scanner

Authors: Valentin Lobstein chocapikk@leakix.net and Zach Hanley (Horizon3.ai)

Type: Auxiliary

Pull request: #20713 contributed by Chocapikk 

Path: scanner/http/nable_ncentral_auth_bypass_xxe

AttackerKB reference: CVE-2025-11700

Description: This adds an auxiliary module that exploits two CVEs affecting N-able N-Central: CVE-2025-9316, an unauthenticated session bypass, and CVE-2025-11700, an XXE (XML External Entity) vulnerability. The module combines both vulnerabilities to achieve unauthenticated file read on affected N-Central instances (versions < 2025.4.0.9).

Grav CMS Twig SSTI Authenticated Sandbox Bypass RCE

Author: Tarek Nakkouch

Type: Exploit

Pull request: #20749 contributed by nakkouchtarek 

Path: multi/http/grav_twig_ssti_sandbox_bypass_rce

AttackerKB reference: CVE-2025-66301

Description: This adds an exploit module for a Server-Side Template Injection (SSTI) vulnerability (CVE-2025-66294) in Grav CMS, versions prior to 1.8.0-beta.27, that allows bypassing the Twig sandbox to achieve remote code execution. To inject the malicious payload into a form's process section, this module leverages CVE-2025-66301, a broken access control flaw in the /admin/pages/{page_name} endpoint.

Enhancements and features (2)

  • #20424 from cdelafuente-r7 - Updates how vulnerabilities and services are reported by adding a resource field to both models. It also adds a parents field to make layered services possible. An optional resource field can now be provided and the existing service field has been updated to also accept an option hash.
  • #20771 from zeroSteiner - Updates Metasploit's default payload selection logic to preference x86 payloads over AARCH64 payloads.
  • #20773 from jheysel-r7 - This updates the exploit for React2Shell with a better default payload.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Trump Media Merger With Nuclear Fusion Firm Raises Ethics Questions

Trump Media plans to merge with a company developing nuclear fusion technology, putting the president’s financial interests in competition with other energy companies over which his administration holds sway.


President Trump’s social media company said on Thursday that it had agreed to an all-stock merger with TAE Technologies, a fusion power company.

Denmark Accuses Russia of Destructive Cyberattacks Amid Rising Hybrid Threats in Europe

19 December 2025 at 03:22


Denmark cyberattack allegations have escalated into a diplomatic confrontation with Russia, after Danish authorities accused Moscow of orchestrating two cyber incidents targeting critical infrastructure and democratic processes. On Thursday, Denmark announced it would summon the Russian ambassador following findings by the Danish Defence Intelligence Service (DDIS) linking Russia to a destructive cyberattack on a Danish water utility in 2024 and a series of distributed denial-of-service (DDoS) attacks on Danish websites ahead of elections last month.

Danish officials described the Denmark cyberattack incidents as part of Russia’s broader hybrid warfare campaign against European countries supporting Ukraine, marking a rare public attribution of state-linked cyber operations.

[Image: Denmark accuses Russia of cyberattacks (Source: Denmark MFA)]

In an official statement, Danish authorities said, “Russia is responsible for destructive and disruptive cyberattacks against Denmark.” The DDIS assessed that the Z-Pentest group, which executed the 2024 water utility attack, has links to the Russian state. Similarly, the agency determined that NoName057(16), the group responsible for the election-related DDoS attacks, also maintains ties to Russian state interests.

Denmark Cyberattack on Water Utility Exposed Infrastructure Weaknesses 

The cyberattack on Denmark’s water infrastructure occurred in 2024 and targeted a waterworks facility in Køge. According to Danish officials, a hacker gained control of operational systems and altered pump pressure levels, causing pipes to burst. While the physical damage was limited, the incident raised serious concerns about the security of critical infrastructure. Denmark’s Defence Minister Troels Lund Poulsen condemned the attack, calling it “completely unacceptable” and warning that hybrid warfare is no longer a theoretical risk. He said the incident demonstrated how cyber operations could translate into real-world consequences. Poulsen confirmed that Denmark would summon the Russian ambassador in response to the findings.

Election-Related DDoS Attacks and Influence Campaigns 

In the lead-up to Denmark’s 2025 municipal and regional elections, multiple government and public-sector websites were hit by DDoS attacks designed to overwhelm servers and disrupt access. The DDIS stated that the attacks were intended not only to disrupt digital services but also to attract public attention and amplify insecurity during a politically sensitive period. “The aim is to create insecurity in the targeted countries and to punish those that support Ukraine,” the intelligence service said, adding that Russia’s cyber operations form part of a broader influence campaign designed to undermine Western backing for Kyiv. The agency noted that Danish elections were used as a platform for disruption, a tactic that has been observed in several other European countries facing similar cyberattacks and election-related interference.

November 2025 Cyberattacks on Government and Defense Websites 

Earlier reporting by The Cyber Express documented an additional cyberattack on Denmark that occurred on November 13, when multiple government and defense-related websites experienced outages. Denmark’s Civil Protection Agency confirmed that the disruptions were caused by DDoS attacks affecting several Danish companies and public-sector platforms. “Several Danish companies and websites were currently experiencing outages and operating disruptions because of DDoS attacks,” the agency said, noting that authorities were closely monitoring the situation alongside military intelligence. Shortly after the incident, NoName057(16) claimed responsibility on social media, alleging it had targeted systems belonging to the Danish government, including the Ministry of Transport and the public-sector portal Borger.dk. Defense contractor Terma was also named, and later confirmed it had been affected. Terma spokesperson Tobias Brun-Falkencrone urged caution, stating, “We’re aware that a Russian hacker group has claimed that it would disrupt our website, as well as the ones of several Danish authorities, but it’s too early to say they are responsible.” He added that the company responded effectively and that no data was lost.

Part of a Broader European Pattern 

International reporting from outlets including AFP and Ukrinform has linked the cyberattack on Denmark to a wider wave of pro-Russia cyber activity across Europe. Recent incidents include data theft from a Dutch municipality, a payment system breach in Poland affecting a major tour company, and the exposure of sensitive employee data from a British defense contractor by Russia-linked hackers. While Danish authorities have not reported long-term damage or data loss, officials warned that repeated cyberattacks highlight persistent vulnerabilities in public infrastructure. The Civil Protection Agency and military intelligence services continue to monitor the situation. The DDIS concluded that Russia’s use of proxy hacker groups reflects an evolving hybrid threat environment in which cyber operations are increasingly used to exert pressure, destabilize societies, and influence political outcomes without crossing traditional military thresholds.