Maduro backdoor campaign, Illinois DHS breach, n8n RCE vulnerability, North Korean QR phishing, Fog ransomware VPN attacks
Daily Threat Intel Digest - January 10, 2026
Critical Threats & Active Exploitation
[NEW] Maduro Arrest News Exploited for Backdoor Distribution
Cybercriminals are weaponizing fabricated reports of Venezuelan President Nicolás Maduro’s arrest to distribute backdoor malware through social engineering campaigns. Attackers send spear-phishing emails carrying ZIP archives that appear to contain news updates about the January 3, 2025 incident but actually execute malicious payloads that compromise victim systems. This high-profile geopolitical lure shows how quickly threat actors exploit breaking news to bypass user skepticism, and calls for immediate user education on verifying unsolicited news attachments [GBHackers].
[NEW] Illinois DHS Misconfiguration Exposes 700K Residents
A massive data breach at the Illinois Department of Human Services (IDHS) resulted from incorrect privacy settings on internal mapping websites, exposing sensitive information of nearly 700,000 residents. The exposed data includes addresses, case numbers, demographic details, and medical assistance plan names for Medicaid/Medicare recipients from January 2022 through September 2025, plus additional identifiable information for 32,401 Division of Rehabilitation Services clients. The maps, intended for internal resource allocation decisions, remained publicly accessible for years before discovery on September 22, 2025, highlighting critical failures in data governance and access controls for state agencies handling protected health information [BleepingComputer].
[UPDATE] n8n Critical RCE Patched as “Ni8mare” Exploitation Surface Grows
Following the disclosure of mass n8n server hijacking campaigns, the critical CVE-2026-21858 “Ni8mare” vulnerability has been patched in version 1.121.0, addressing a maximum-severity flaw enabling unauthenticated remote code execution. The vulnerability stems from webhook request parsing flaws where attackers can manipulate the Content-Type header to overwrite file path variables, allowing arbitrary file copying and potential full system compromise. With over 26,500 internet-exposed n8n hosts detected by Censys, organizations running versions through 1.65.0 require immediate patching to prevent workflow hijacking and credential theft. Temporary mitigations include restricting publicly accessible webhook endpoints until patching can occur [SOC Prime; BleepingComputer].
Threat Actor Activity & Campaigns
[NEW] LLM Service Enumeration Campaign Targets Misconfigured Proxies
Threat actors are systematically scanning for misconfigured proxy servers providing access to paid large language model services, with over 80,000 enumeration requests detected against 73 LLM endpoints since December 28. Attackers use low-noise prompts to test access without triggering security alerts, targeting models from OpenAI, Anthropic, Meta, Google, and other major providers. GreyNoise attributes the campaign to infrastructure previously associated with widespread vulnerability exploitation, suggesting organized reconnaissance for future attacks. The operation represents significant investment in AI service mapping, likely preceding credential theft or model abuse campaigns [BleepingComputer].
[NEW] North Korean Actors Deploy QR Code Phishing
FBI warnings highlight North Korean threat actors incorporating malicious QR codes in spear-phishing attacks to bypass traditional email filters and deliver malware payloads. The technique leverages mobile device scanning behaviors to redirect victims to credential harvesting pages or malicious app downloads, particularly targeting government and critical infrastructure sectors. This adaptation reflects advancing evasion tactics as organizations improve email security defenses, requiring updated security awareness training that includes QR code verification protocols [SecurityWeek].
[NEW] Fog Ransomware Strikes via Compromised VPN Credentials
Arctic Wolf Labs has identified a new ransomware variant, “Fog,” targeting US education and recreation organizations through hijacked VPN credentials. First observed May 2, 2024, the group moves to rapid encryption soon after initial VPN access, enabling swift system compromise before detection. The campaign underscores ongoing weaknesses in remote access infrastructure, particularly in resource-constrained sectors that deploy VPN services without robust multi-factor authentication or anomaly monitoring [GBHackers].
[NEW] Illinois Man Charged in Snapchat Credential Theft Operation
Federal prosecutors have charged Kyle Svara with operating a phishing scheme that compromised approximately 570 Snapchat accounts, primarily targeting women to steal and sell private photos. Between May 2020 and February 2021, Svara impersonated Snap representatives to harvest over 4,500 access codes, then monetized the stolen content through platforms including Reddit and Kik. The case highlights the persistent threat of credential harvesting against social media platforms, with Svara facing aggravated identity theft and wire fraud charges carrying potential 20-year sentences [BleepingComputer].
Policy & Industry News
[NEW] Senators Pressure App Stores to Remove X Over Deepfake Scandal
Senate Democrats Ron Wyden, Ben Ray Luján, and Ed Markey are demanding that Apple and Google remove Elon Musk’s X from their app stores following widespread distribution of nonconsensual sexual deepfakes through the platform’s Grok AI tool. The lawmakers cite violations of both companies’ terms of service prohibiting exploitative content, comparing the situation to previous app removals for immigration tracking apps. The pressure coincides with UK regulator investigations and EU demands for document preservation, as X reportedly considers restricting the feature to paid subscribers while facing potential app store removals [CyberScoop].
[NEW] Microsoft Introduces Teams External Collaboration Administrator Role
Microsoft will roll out a new “Teams External Collaboration Administrator” role in late January 2026, enabling organizations to apply the principle of least privilege to external access management without granting full Teams admin permissions. The role manages federation policies and external access controls exclusively through PowerShell, with role assignments handled through the Microsoft Entra or Microsoft 365 admin centers. The feature addresses growing security concerns around external collaboration governance in hybrid work environments [GBHackers; CyberPress].
[NEW] CISA Closes 10 Emergency Directives
The Cybersecurity and Infrastructure Security Agency has officially closed 10 Emergency Directives as its new Vulnerability Catalog assumes responsibility for urgent vulnerability notifications. This transition streamlines federal vulnerability communication while maintaining rapid alert capabilities for critical security issues affecting government systems [SecurityWeek].