5th January – Threat Intelligence Report - Check Point Research

5TH JANUARY – THREAT INTELLIGENCE REPORT January 5, 2026 For the latest discoveries in cyber research for the week of 5th January, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Two US banks, Artisans’ Bank and VeraBank, disclosed that customer data was exposed in an August ransomware attack on their vendor, Marquis Software. The vendor was breached via SonicWall vulnerability, and while the banks’ own systems were not compromised, researchers estimate the incident may have affected in total up to 1.35 million people across dozens of financial institutions. Romania’s largest coal-based power producer, Oltenia Energy Complex, has faced a ransomware attack attributed to the Gentlemen group. The company said files were encrypted and Enterprise Resource Planning systems, email, and the website were disrupted, partially affecting operations, while power supply remained stable and recovery continues. Emurasoft, maker of EmEditor software, reported a website compromise that redirected the homepage download button to a fake installer for 4 days. The installer deployed infostealer malware that harvested credentials and added a rogue extension enabling remote control and cryptocurrency swapping. US-based Sedgwick Government Solutions, which manages claims, workforce health, risk, and productivity for government agencies and federal employees, has experienced a cybersecurity incident. The incident was limited to an isolated file transfer system, with no evidence of access to claims servers. The company notified law enforcement and clients after the TridentLocker ransomware group claimed an attack on December 31. Korean Air, South Korean airline, has suffered a data breach via KC&D Service, a vendor managing inflight catering and duty free. The incident exposed personal data of roughly 30,000 employees, including names and bank account numbers, while customer information was not affected. Cl0p claimed responsibility and reportedly exploited an Oracle E-Business Suite flaw. Check Point IPS, Threat Emulation and Harmony Endpoint provide protection against this threat (Oracle Multiple Products Remote Code Execution; Ransomware.Win.Clop; Ransomware.Wins.Clop; Ransomware.Wins.Clop.ta.*) Trust Wallet, a cryptocurrency wallet provider, has disclosed a second Shai-Hulud supply-chain compromise of its Chrome extension, resulting in approximately $8.5 million in losses. Using a leaked Chrome store key, attackers published tampered v2.68 which exfiltrated wallet recovery phrases upon unlock. European Space Agency (ESA), has confirmed a cybersecurity incident affecting a very small number of external servers outside its corporate network. ESA began forensic analysis and secured potentially affected devices after a threat actor claimed to have stolen 200GB of source code and access credentials in mid-December. VULNERABILITIES AND PATCHES Researchers highlighted CVE-2025-14346, a critical missing-authentication flaw in WHILL Model C2 and Model F power wheelchairs that enables attackers within Bluetooth range to take control. CISA urged immediate mitigations, warning that compromise could manipulate wheelchair movements and cause physical harm in healthcare and public settings. No public exploitation has been reported yet. Security researchers disclosed CVE-2025-20700, CVE-2025-20701 (CVSS 8.8) and CVE-2025-20702 (CVSS 9.6) affecting Airoha Bluetooth SoCs. The flaws enabling unauthenticated access to the RACE protocol, arbitrary memory operations, and nearby takeover of headphones to extract link keys and impersonate devices to access paired smartphones. A patch has been released for CVE-2025-47411, an important privilege escalation in Apache StreamPipes 0.69.0 to 0.97.0 caused by flawed user ID creation enabling JWT token manipulation. Attackers can impersonate existing administrators to gain full control. IBM API Connect, an enterprise API management platform, is affected by a critical authentication bypass vulnerability (CVE-2025-13915, CVSS 9.8) enabling remote unauthorized access without credentials. The flaw impacts versions 10.0.8.0 through 10.0.8.5 and 10.0.11.0, with patches and iFixes available; no exploitation has been reported. THREAT INTELLIGENCE REPORTS Researchers exposed a new APT36 cyber espionage campaign targeting Indian government, academic, and strategic institutions. The Pakistan affiliated group delivers ZIP attachments disguised as PDFs that install ReadOnly and WriteOnly malware, which enables remote control, steals data, monitors clipboards, captures screenshots, and maintains access. DarkSpectre, a Chinese affiliated threat actor, has compromised 8.8 million Chrome, Edge, and Firefox users globally via campaigns including ShadyPanda, Zoom Stealer, and GhostPoster. The group employs malicious browser extensions with tactics such as time-bomb activation, dormant sleepers, PNG steganography, and heavy JavaScript obfuscation, exfiltrating corporate meeting data while impersonating videoconferencing tools and abusing browser platform permissions. Security researchers discovered two Chrome Web Store extensions, Chat GPT for Chrome with GPT-5 and AI Sidebar, that exfiltrate ChatGPT and DeepSeek chat histories, along with users’ browsing activity, every 30 minutes. The extensions collectively have over 900,000 installations, and one holds a Google Featured badge. Researchers identified the rapid expansion of the Kimwolf botnet, which has infected more than 2 million devices globally by abusing residential proxy networks to reach local devices behind home routers. The campaign leverages insecure Android TV boxes and digital photo frames to enable DDoS, ad fraud, account takeover, and mass scraping. GO UP BACK TO ALL POSTS POPULAR POSTS CHECK POINT RESEARCH PUBLICATIONS GLOBAL CYBER ATTACK REPORTS THREAT RESEARCH “The Turkish Rat” Evolved Adwind in a Massive Ongoing Phishing Campaign CHECK POINT RESEARCH PUBLICATIONS GLOBAL CYBER ATTACK REPORTS SECURITY REPORT THREAT RESEARCH 2024’s Cyber Battleground Unveiled: Escalating Ransomware Epidemic, the Evolution of Cyber Warfare Tactics and strategic use of AI in defense – Insights from Check Point’s Latest Security Report GLOBAL CYBER ATTACK REPORTS 8th May – Threat Intelligence Report BLOGS AND PUBLICATIONS CHECK POINT RESEARCH PUBLICATIONS GLOBAL CYBER ATTACK REPORTS THREAT RESEARCH January 22, 2020 THE 2020 CYBER SECURITY REPORT GLOBAL CYBER ATTACK REPORTS December 15, 2021 STEALTHLOADER MALWARE LEVERAGING LOG4SHELL CHECK POINT RESEARCH PUBLICATIONS GLOBAL CYBER ATTACK REPORTS THREAT RESEARCH February 17, 2020 “THE TURKISH RAT” EVOLVED ADWIND IN A MASSIVE ONGOING PHISHING CAMPAIGN CHECK POINT RESEARCH PUBLICATIONS GLOBAL CYBER ATTACK REPORTS THREAT RESEARCH January 22, 2020 THE 2020 CYBER SECURITY REPORT GLOBAL CYBER ATTACK REPORTS December 15, 2021 STEALTHLOADER MALWARE LEVERAGING LOG4SHELL CHECK POINT RESEARCH PUBLICATIONS GLOBAL CYBER ATTACK REPORTS THREAT RESEARCH February 17, 2020 “THE TURKISH RAT” EVOLVED ADWIND IN A MASSIVE ONGOING PHISHING CAMPAIGN CHECK POINT RESEARCH PUBLICATIONS GLOBAL CYBER ATTACK REPORTS THREAT RESEARCH January 22, 2020 THE 2020 CYBER SECURITY REPORT 123 This website uses cookies in order to optimize your user experience as well as for advertising and analytics.  For further information, please read our Privacy Policy and ourCookie Notice. When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer. More information Allow All Manage Consent Preferences Functional Cookies Functional Cookies These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly. Strictly Necessary Cookies Always Active These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information. Performance Cookies Performance Cookies These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance. Targeting Cookies Targeting Cookies These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising. Performance Cookies Clear checkbox label label Apply Cancel Consent Leg.Interest checkbox label label checkbox label label checkbox label label Reject All Confirm My Choices