Crypto governance hijack, Botnet cryptominer deployment, ClickFix automation toolkit, VS Code malware threat, Healthcare enforcement
Daily Threat Intel Digest - 2026-01-01
Critical Threats & Active Exploitation
[NEW] $3.9M Crypto Theft via Multisig Governance Hijack
Attackers compromised Unleash Protocol’s multisig governance system, executing unauthorized contract upgrades to drain $3.9M in WIP, USDC, and WETH assets [BleepingComputer]. The stolen funds were laundered through Tornado Cash, highlighting persistent weaknesses in blockchain governance controls. Unleash has paused operations amid investigations by external security firms.
[UPDATE] RondoDox Botnet Deploys Cryptominers via React2Shell
Expanding beyond prior RCE exploitation [BleepingComputer; CloudSEK], RondoDox now leverages CVE-2025-55182 to deliver coinminers (/nuts/poop) and Mirai variants (/nuts/x86) on 94,000+ exposed Next.js servers. The botnet’s payloads include persistence mechanisms via /etc/crontab and aggressive competitor malware removal, with hourly IoT exploitation waves targeting consumer routers.
Threat Actor Activity & Campaigns
[UPDATE] ErrTraffic v2 Industrializes ClickFix Attacks
The $800 ErrTraffic toolkit now automates ClickFix scams with 60% infection rates [CyberPress; QuoIntelligence], using fake UI glitches to trick users into executing PowerShell scripts. Its dashboard excludes CIS regions and routes stolen data via Telegram bots, enabling entry-level attackers to deploy platform-specific payloads (Windows/macOS/Android) from a single HTML injection point.
[NEW] GlassWorm Malware Targets macOS via VS Code Extensions
Three malicious VS Code extensions on the Open VSX marketplace delivered GlassWorm to 50,000+ macOS users [GBHackers]. The self-propagating malware evolved from its initial October Unicode-based attacks, now achieving persistence through compromised development environments.
Vulnerabilities & Patches
[NEW] NYC Event Security Policy Names Specific Cyber Tools
The NYC mayoral inauguration explicitly banned Flipper Zero and Raspberry Pi devices [BleepingComputer], marking a rare instance of hardware-specific restrictions at public events. The policy creates confusion as laptops and phones, capable of greater exploitation, are permitted, reflecting nascent regulatory approaches to cybersecurity hardware.
[NEW] Trail of Bits Detects Go Integer Overflows via go-panikint
A modified Go compiler exposes silent arithmetic bugs by converting overflows to panics [Trail of Bits], revealing a live Cosmos SDK RPC pagination flaw. The tool targets a critical blind spot in Go’s memory safety design, enabling fuzzing campaigns to identify reachable logic vulnerabilities.
Defense & Detection
[NEW] SIEM Integration Enables Custom Impossible Travel Detection
SOCFortress released an open-source architecture combining Wazuh, Graylog, and FastAPI to detect O365 impossible travel [SOCFortress]. The Python API geolocates IPs, tracks user history, and calculates travel thresholds, showcasing a modular approach for stateful detections beyond built-in rule engines.
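The stateful check described above, as an added example that is not SOCFortress's code: it assumes sign-in events already carry the geolocated lat/lon of their source IP (so no GeoIP lookup is needed), and the 900 km/h threshold, 100 km noise floor, field names and sample events are all constructed for illustration.

```python
# Impossible-travel check over geolocated O365-style sign-in events.
# Added example, not SOCFortress's code; assumes events already carry the
# geolocated lat/lon of their source IP, so no GeoIP lookup is needed.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold: roughly airliner cruise speed
MIN_DISTANCE_KM = 100.0    # ignore small jumps caused by GeoIP imprecision

# Constructed sample events (RFC 5737 documentation IPs, not real sign-ins).
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2026-01-01T08:00:00Z", "ip": "198.51.100.10", "lat": 40.71, "lon": -74.01},
    {"user": "alice", "ts": "2026-01-01T09:30:00Z", "ip": "203.0.113.5", "lat": 51.51, "lon": -0.13},
    {"user": "bob", "ts": "2026-01-01T08:00:00Z", "ip": "192.0.2.20", "lat": 52.52, "lon": 13.41},
    {"user": "bob", "ts": "2026-01-01T10:00:00Z", "ip": "192.0.2.21", "lat": 48.86, "lon": 2.35},
    {"user": "carol", "ts": "2026-01-01T08:00:00Z", "ip": "198.51.100.7", "lat": 37.77, "lon": -122.42},
    {"user": "carol", "ts": "2026-01-01T08:05:00Z", "ip": "198.51.100.7", "lat": 37.77, "lon": -122.42},
]

def parse_ts(ts):
    """Parse ISO 8601; rewriting 'Z' keeps this working on Python < 3.11."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def detect_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Flag consecutive sign-ins per user that imply travel faster than max_kmh.
    The per-user last_seen map is the state a stateless rule engine lacks;
    a live deployment would persist it between API calls."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: (e["user"], parse_ts(e["ts"]))):
        prev = last_seen.get(ev["user"])
        if prev is not None and prev["ip"] != ev["ip"]:
            dist_km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (parse_ts(ev["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            # Zero elapsed time over a real distance counts as infinite speed.
            speed = dist_km / hours if hours > 0 else float("inf")
            if dist_km >= min_km and speed > max_kmh:
                alerts.append({"user": ev["user"], "from_ip": prev["ip"], "to_ip": ev["ip"],
                               "distance_km": round(dist_km), "speed_kmh": round(speed)})
        last_seen[ev["user"]] = ev
    return alerts
```

On the sample data only alice's New York to London hop within 90 minutes is flagged; bob's Berlin to Paris hop is plausible and carol's repeated sign-ins from one IP are skipped.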
[NEW] WordPress Phishing Harvests 3-D Secure OTPs via Telegram
Attackers spoofed domain renewal emails to steal credit cards and OTPs through fake 3-D Secure modals [Malware Analysis], exfiltrating data via PHP relays to Telegram bots. The campaign features artificial delays and forced OTP retries to increase credibility, exploiting weak DMARC policies (p=NONE) on compromised domains.
Policy & Industry News
[UPDATE] Healthcare Fines Intensify for Data Protection Failures
New York AG Letitia James secured $500K from OrthopedicsNY for failing to protect patient data [DataBreaches], continuing enforcement trends seen in prior healthcare sector penalties [Dec 28 Summary]. The case underscores rising regulatory accountability for inadequate security controls.