Kimwolf botnet LAN breach 🌐, Fortinet 2FA bypass 🔓, RondoDoX React2Shell exploit 💥, Trust Wallet crypto theft 🪙, ClickFix campaign hijacking 🎯

Daily Threat Intel Digest - 2026-01-03

🔴 Critical Threats & Active Exploitation

[NEW] Kimwolf botnet weaponizes residential proxy networks to breach internal LANs
A massive botnet has infected over 2 million devices globally by exploiting a critical vulnerability in residential proxy services that allows attackers to tunnel into protected internal networks. Attackers leverage compromised proxy endpoints to send DNS requests to RFC-1918 private address ranges (like 192.168.0.1), enabling them to scan and infect devices behind firewalls. Two-thirds of infected devices are Android TV boxes shipped with Android Debug Bridge (ADB) mode enabled by default, allowing unauthenticated administrative access. The botnet primarily targets devices through IPIDEA, the world’s largest residential proxy network, which has since patched the vulnerability after being notified in December. Affected devices are concentrated in Vietnam, Brazil, India, Saudi Arabia, Russia, and the United States. This attack breaks the fundamental security assumption that internal networks are safe from external threats, requiring organizations to implement network segmentation and device authentication [KrebsOnSecurity].
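The control a proxy exit node was missing here is a destination check before forwarding: every resolved address for a requested host must be outside RFC-1918, loopback, link-local and similar ranges. The following is an added illustration, not code from KrebsOnSecurity or from IPIDEA; the `FAKE_DNS` table and the `.lan`/`.example` hostnames are constructed so it runs offline.

```python
import ipaddress

# Constructed stand-in for DNS resolution so the example runs offline. A real
# proxy node must resolve with the system resolver and check EVERY returned
# address (A and AAAA), since one name can mix public and private answers.
FAKE_DNS = {
    "router.lan": ["192.168.0.1"],
    "example.com": ["93.184.216.34"],
    "rebind.example": ["93.184.216.35", "10.0.0.5"],
}

def resolve(host: str) -> list[str]:
    if host not in FAKE_DNS:
        raise ValueError(f"unresolvable host: {host}")
    return FAKE_DNS[host]

def is_internal(ip: str) -> bool:
    """True for destinations a proxy must never reach on a client's behalf:
    RFC 1918, loopback, link-local (incl. 169.254.169.254), CGNAT 100.64/10,
    multicast/reserved/unspecified, and IPv4-mapped IPv6 forms of the same."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:10.0.0.1 is still 10.0.0.1
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified
            or addr in ipaddress.ip_network("100.64.0.0/10"))

def egress_allowed(target: str, resolver=resolve) -> tuple[bool, str]:
    """Decide whether a proxied request to `target` may leave this node."""
    host = target.strip("[]")            # accept bracketed IPv6 literals
    try:
        candidates = [str(ipaddress.ip_address(host))]   # literal IP, no DNS needed
    except ValueError:
        try:
            candidates = resolver(host)
        except ValueError as exc:
            return False, str(exc)
    for ip in candidates:
        if is_internal(ip):
            return False, f"{target} resolves to internal address {ip}"
    # The caller must connect to one of the vetted addresses, not re-resolve
    # the name, or a second lookup could rebind it to a private address.
    return True, "ok"
```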

[NEW] Fortinet 2FA bypass - 10,000+ firewalls vulnerable to 5-year-old CVE
Over 10,000 Fortinet firewalls remain exposed to ongoing attacks exploiting CVE-2020-12812, a critical authentication flaw that allows attackers to bypass two-factor authentication by changing the username’s case. The vulnerability (CVSS 9.8) affects FortiGate SSL VPNs when LDAP is enabled, with 1,300 exposed devices located in the United States. Fortinet warned customers last week about renewed exploitation, and while patches have been available since July 2020, organizations have failed to apply them. The FBI and CISA previously warned in 2021 that state-sponsored hacking groups were actively exploiting this flaw, which was added to CISA’s Known Exploited Vulnerabilities Catalog in 2021. Organizations must immediately apply available patches or disable username-case-sensitivity as a mitigation [BleepingComputer].

[NEW] RondoDoX botnet exploits newly disclosed React2Shell RCE vulnerability
The RondoDoX botnet has begun actively exploiting the critical React2Shell vulnerability affecting Next.js Server Actions just three days after public disclosure on December 10, 2025. CloudSEK researchers observed the threat actors immediately pivoting to exploit the blind RCE flaw, deploying multiple payloads including a Linux coinminer (“poop”), persistent loader (“bolts”), and Mirai IoT variant (“x86”). The campaign has evolved from initial reconnaissance in March 2025 to automated exploitation of web applications and IoT devices, with at least six active C2 servers distributing malware across multiple geographies. The botnet demonstrates remarkable agility in weaponizing newly disclosed vulnerabilities, requiring organizations to patch Next.js applications immediately and block associated malicious IPs [CyberPress].

🎯 Threat Actor Activity & Campaigns

[UPDATE] Trust Wallet crypto theft linked to Shai-Hulud NPM supply chain attack
Trust Wallet now attributes the $8.5 million cryptocurrency theft affecting over 2,500 wallets to the Shai-Hulud NPM malware campaign that exposed up to 400,000 developer secrets in late 2025. Attackers used stolen GitHub secrets and Chrome Web Store API keys to upload a trojanized version 2.68.0 of the Trust Wallet browser extension directly, bypassing internal approval processes. The malicious extension connected to attacker-controlled domains (metrics-trustwallet.com) to steal sensitive wallet data. The Shai-Hulud campaign previously compromised over 800 npm packages and published stolen data across 30,000 GitHub repositories, with 60% of exposed NPM tokens still valid as of December. This connection illustrates how supply chain compromises in development environments can directly lead to massive financial losses in cryptocurrency ecosystems [BleepingComputer].

[NEW] Infostealers fuel ClickFix attacks through legitimate business website compromise
Cybercriminals have created a self-sustaining attack ecosystem where 13% of ClickFix campaign infrastructure (220 out of 1,635 tracked domains) consists of legitimate business websites compromised via stolen credentials. Attackers use infostealer malware to harvest website administrative credentials, then inject ClickFix scripts into trusted business domains to bypass security filters. The ClickFix technique tricks users into executing malicious PowerShell commands through fake CAPTCHA prompts or browser update dialogs. This victim-to-vector cycle proves highly effective as compromised legitimate domains inherit trusted reputations with security systems. Organizations must implement multi-factor authentication for all administrative access and monitor website file integrity to break this attack chain [CyberPress].

[NEW] Handala hackers exploit Telegram authentication gaps against Israeli officials
The Iranian-linked Handala group has compromised Telegram accounts of high-profile Israeli targets including former Prime Minister Naftali Bennett and Chief of Staff Tzachi Braverman. KELA’s investigation revealed the attacks targeted Telegram rather than underlying mobile devices, exploiting gaps like disabled cloud passwords, session hijacking, or OTP interception. Of the allegedly leaked 1,900 chat conversations, only 40 contained actual messages, with the rest being empty contact cards. Handala has operated since late 2023, primarily targeting Israeli entities through phishing, SIM swapping, and SS7 vulnerabilities. The incident demonstrates that optional security features like Telegram’s cloud password become critical when protecting high-value accounts [CyberPress].

⚠️ Vulnerabilities & Patches

[NEW] Google Tasks notifications abused to bypass enterprise email security
Over 3,000 organizations fell victim to a sophisticated phishing campaign exploiting Google’s legitimate application infrastructure to send malicious emails from noreply-application-integration@google.com. The attacks successfully passed SPF, DKIM, DMARC, and CompAuth checks by abusing Google’s Application Integration service, rendering reputation-based security ineffective. Attackers impersonated Google Tasks notifications with high-fidelity UI replication, redirecting users to malicious pages hosted on Google Cloud Storage. The campaign primarily targeted manufacturing companies and highlights how trusted SaaS platforms with email capabilities can become attack vectors. Organizations must implement intent-centric detection that analyzes workflow legitimacy rather than relying solely on sender reputation [CyberPress].

[NEW] Covenant Health reports nearly 500K affected in May ransomware attack
Covenant Health has revised the impact of its May 2025 data breach from 7,864 to 478,188 individuals after completing “bulk data analysis.” The Qilin ransomware group claimed responsibility for the May 18 attack, stating they stole 852 GB of data comprising 1.35 million files. Exposed information includes names, addresses, dates of birth, Social Security numbers, health insurance details, and treatment information. The Catholic healthcare provider operating across New England and Pennsylvania began mailing notification letters on December 31 and is offering 12 months of free identity protection services. The dramatic increase in affected individuals underscores challenges in accurately assessing breach scope in complex healthcare environments [BleepingComputer].

🛡️ Defense & Detection

[NEW] SOCFortress releases practical walkthrough for scheduled task incident response
SOC teams now have a detailed methodology for responding to scheduled task creation alerts, which are high-signal events for detecting persistence mechanisms. The walkthrough covers endpoint identification, command-line analysis, task enumeration, validation of suspicious tasks, and secure remediation using specialized artifacts. Analysts are advised to isolate affected endpoints during investigation and focus on validating what scheduled tasks execute rather than just acknowledging alerts. The approach helps security teams distinguish between legitimate administrative tasks and malicious persistence mechanisms commonly used by attackers for lateral movement and privilege escalation [SOCFortress].
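The validation step above (what does the task actually execute, when, and as whom) can be scripted over the task XML that Security event 4698 carries in its TaskContent field. This added triage helper is not SOCFortress's code; the two task definitions it runs on are constructed samples, and the indicator lists are a starting point an analyst would tune, not an exhaustive ruleset.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML (the TaskContent field of Security event 4698)
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
LOLBINS = re.compile(r"^(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)(\.exe)?$", re.I)
RISKY_ARGS = re.compile(r"-enc|-e\s+[A-Za-z0-9+/=]{20,}|\biex\b|invoke-expression|downloadstring|frombase64string|hidden|bypass", re.I)
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|public|programdata|downloads)\\", re.I)

def triage_task(task_xml: str) -> list[str]:
    """Return the reasons a scheduled-task definition deserves analyst attention;
    an empty list means nothing in the definition itself looks like persistence."""
    root = ET.fromstring(task_xml)
    findings = []
    for exec_el in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (exec_el.findtext("t:Command", "", NS) or "").strip().strip('"')
        args = exec_el.findtext("t:Arguments", "", NS) or ""
        exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1]     # basename of the command
        if LOLBINS.match(exe):
            findings.append(f"living-off-the-land binary: {exe}")
        if RISKY_ARGS.search(args):
            findings.append("encoded/hidden/download-style arguments")
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            findings.append("executable or script in a user-writable path")
    for trig in ("LogonTrigger", "BootTrigger"):
        if root.find(f".//t:Triggers/t:{trig}", NS) is not None:
            findings.append(f"{trig}: runs at logon/boot (persistence trigger)")
    if root.findtext(".//t:Principal/t:RunLevel", "", NS) == "HighestAvailable":
        findings.append("requests highest privileges")
    if (root.findtext(".//t:Settings/t:Hidden", "", NS) or "").strip().lower() == "true":
        findings.append("hidden from Task Scheduler UI")
    return findings

# Constructed sample definitions (not real telemetry): a routine vendor updater and
# a logon-triggered hidden PowerShell task pointing into a user profile.
BENIGN = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers><CalendarTrigger><StartBoundary>2026-01-03T03:00:00</StartBoundary></CalendarTrigger></Triggers>
<Principals><Principal><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
<Actions><Exec><Command>"C:\Program Files\ExampleVendor\updater.exe"</Command><Arguments>/check</Arguments></Exec></Actions></Task>"""
SUSPECT = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
<Principals><Principal><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
<Settings><Hidden>true</Hidden></Settings>
<Actions><Exec><Command>powershell.exe</Command><Arguments>-w hidden -ep bypass -File C:\Users\u\AppData\Roaming\update.ps1</Arguments></Exec></Actions></Task>"""

if __name__ == "__main__":
    for name, xml in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, "->", triage_task(xml) or "no findings")
```

The same function applies unchanged to output of `Get-ScheduledTask | Export-ScheduledTask` during task enumeration on an isolated endpoint.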

[NEW] Tenable predicts 2026 shift toward proactive defense and custom AI tools
Security leaders forecast fundamental changes in 2026 as AI-powered attack acceleration renders reactive security ineffective. Key predictions include organizations building custom in-house AI security tools tailored to their needs, moving beyond commercial off-the-shelf solutions. Non-human identities (NHIs) will become the primary cloud breach vector as service accounts outnumber human users by orders of magnitude. Runtime detection tools will lose prominence to prevention-first strategies combining CNAPP and exposure management platforms. Automated remediation will gain acceptance as manual processes become unsustainable against AI-accelerated threats. These trends reflect the industry’s recognition that proactive defense must eliminate exposures before exploitation [Tenable].

📋 Policy & Industry News

[NEW] Treasury removes Intellexa-linked trio from sanctions list
The Trump administration removed three Iranians previously sanctioned for developing the Predator spyware, citing their demonstrated separation from the Intellexa Consortium. Merom Harpaz (manager), Andrea Gambazzi (owner), and Sara Hamou (corporate off-shoring specialist) were delisted following reconsideration petitions, despite recent investigations showing Intellexa retained the ability to remotely access customer systems. Security researchers expressed concern over the removals, with Citizen Lab’s John Scott-Railton noting this could signal to mercenary spyware operators that “scoff at US & you can still skirt consequences.” The move highlights the complex interplay between diplomatic considerations and human rights enforcement in cyber mercenary operations [CyberScoop].