Microsoft Office zero-day, React DoS vulnerabilities, SLSH vishing attacks, HoneyMyte backdoor upgrade, WD Discovery code execution
Daily Threat Intel Digest - 2026-01-27
Critical Threats & Active Exploitation
[NEW] Microsoft Office zero-day exploited in targeted attacks
Attackers are actively exploiting a critical security feature bypass vulnerability (CVE-2026-21509) in Microsoft Office that leads to code execution when a user opens a malicious file. The flaw bypasses the OLE mitigations that are supposed to block vulnerable COM/OLE controls, so convincing a user to open a specially crafted Office document is enough to compromise the system. Microsoft has released emergency out-of-band patches for Office 2021, LTSC 2024, and Microsoft 365 Apps, but fixes for Office 2016 and 2019 are still pending [BleepingComputer]. Organizations should apply the available patches immediately and apply Microsoft's registry-based workaround on the versions that do not yet have a patch.
[NEW] React Server Components vulnerable to unauthenticated DoS attacks
Multiple denial-of-service vulnerabilities (CVE-2026-23864) in the React Server Components packages allow unauthenticated attackers to hang servers with low-complexity HTTP requests. The flaws affect react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack in versions 19.0.0-19.0.3, 19.1.0-19.1.4, and 19.2.0-19.2.3; a crafted request drives the server into an infinite loop that pins the CPU and stalls the process. Patched releases 19.0.4, 19.1.5, and 19.2.4 complete fixes that earlier security updates left incomplete [Cyberpress]. Applications that use React Server Functions should prioritize the update, since the unauthenticated trigger makes this trivially exploitable for service disruption.
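The affected ranges above are easy to misread when a lockfile pins several copies of the same package at different depths. The following triage helper is an added example, not code from the React project or from the Cyberpress report: it walks an npm lockfile (v2/v3 "packages" map) and reports every copy of the three packages whose resolved version falls inside the quoted ranges, together with the first fixed version. The lockfile fragment at the bottom is constructed for the demonstration.

```python
"""Triage helper (added example): find React Server Components packages in an
npm lockfile that fall inside the CVE-2026-23864 affected ranges."""
import json
import re

# Packages named in the advisory; all three share the same affected ranges.
AFFECTED_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}

# (first affected, last affected, first fixed) per release line, as quoted.
AFFECTED_RANGES = [
    ((19, 0, 0), (19, 0, 3), "19.0.4"),
    ((19, 1, 0), (19, 1, 4), "19.1.5"),
    ((19, 2, 0), (19, 2, 3), "19.2.4"),
]

_VERSION_RE = re.compile(r"^[v=^~]*(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """Return (major, minor, patch) for a semver string.

    Leading range operators are stripped so a loosely written spec still
    parses. Prerelease/build suffixes are ignored, so a canary build of an
    affected base version is reported as affected (the conservative choice).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in m.groups())


def affected_fix(version):
    """Return the first fixed version if `version` is vulnerable, else None."""
    v = parse_version(version)
    for lo, hi, fixed in AFFECTED_RANGES:
        if lo <= v <= hi:
            return fixed
    return None


def scan_lockfile(lock):
    """List vulnerable entries in an npm lockfile v2/v3 `packages` map.

    Keys look like 'node_modules/a/node_modules/b'; the package name is the
    text after the last 'node_modules/', so nested duplicate copies (which
    `npm ls` users often miss) are caught as well.
    """
    findings = []
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        if name not in AFFECTED_PACKAGES or "version" not in meta:
            continue
        fixed = affected_fix(meta["version"])
        if fixed:
            findings.append((path, meta["version"], fixed))
    return findings


# Constructed sample lockfile fragment (not taken from any real project).
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "sample-app", "version": "1.0.0"},
    "node_modules/react": {"version": "19.2.3"},
    "node_modules/react-server-dom-webpack": {"version": "19.2.3"},
    "node_modules/react-server-dom-parcel": {"version": "19.1.5"},
    "node_modules/some-framework/node_modules/react-server-dom-turbopack":
      {"version": "19.0.2"}
  }
}""")

if __name__ == "__main__":
    for path, version, fixed in scan_lockfile(SAMPLE_LOCK):
        print(f"{path}@{version}: affected by CVE-2026-23864, upgrade to {fixed}")
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `json.load(open("package-lock.json"))`; the nested turbopack copy in the sample is the case a top-level-only check would miss.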
[UPDATE] SLSH “supergroup” escalates SSO vishing attacks against 100+ organizations
The SLSH alliance (Scattered Spider, LAPSUS$, and ShinyHunters) has expanded voice phishing operations to target over 100 high-value enterprises through live phishing panels that intercept Okta SSO credentials and MFA tokens in real time. Attackers call victims while simultaneously manipulating phishing pages to match authentication prompts, enabling immediate session hijacking and lateral movement into corporate environments. Recent victims span technology (Atlassian, Epic Games), financial services (Adyen, SoFi), healthcare (Alnylam, Moderna), and real estate sectors, with attackers following the LAPSUS$ playbook of rapid data exfiltration and extortion demands [Silent Push]. This represents a significant escalation from earlier ShinyHunters SSO vishing activity, requiring organizations to implement phishing-resistant MFA (FIDO2) and verify all IT support calls through out-of-band channels.
Threat Actor Activity & Campaigns
[NEW] HoneyMyte enhances CoolClient backdoor with new surveillance capabilities
HoneyMyte (aka Mustang Panda) has substantially upgraded its CoolClient backdoor with clipboard monitoring, HTTP proxy credential theft, and enhanced data exfiltration scripts targeting government entities across Southeast Asia. The latest variants include three new browser login data stealers targeting Chrome, Edge, and other Chromium-based browsers, along with PowerShell scripts that exfiltrate sensitive documents to cloud services such as Pixeldrain. The backdoor is delivered by DLL sideloading: a malicious DLL is placed beside a legitimately signed binary from Sangfor, BitDefender, or VLC Media Player, which loads it on launch. New capabilities enable active surveillance of user behavior, including keystrokes, clipboard contents, and window activity tracking [Malware.news]. Government organizations should monitor for signed binaries loading unsigned DLLs from unexpected locations and implement application whitelisting so that sideloaded components are never executed.
Vulnerabilities & Patches
[NEW] Western Digital Discovery vulnerability enables arbitrary code execution
A critical DLL hijacking vulnerability (CVE-2025-30248) in Western Digital's WD Discovery application for Windows allows attackers to execute arbitrary code with the privileges of the application. The flaw stems from uncontrolled search path elements in the Tiny Installer component: the installer resolves a DLL by name, so an attacker who can drop a same-named DLL into a directory that Windows searches first (typically the directory the installer is run from) gets it loaded. Western Digital fixed the issue in version 5.3, released December 19, 2025; installations on earlier versions remain exposed to social engineering campaigns that get a user to run the installer from a location the attacker has seeded [Cyberpress]. Administrators should update to version 5.3 promptly and monitor for unexpected DLL loads and child processes originating from WD Discovery.
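Both the HoneyMyte sideloading above and the WD Discovery hijack come down to the same observable: a DLL loaded from a user-writable directory, usually sitting right beside the executable that loads it. The detection below is an added example, not from Kaspersky's, Cyberpress's or Western Digital's material; it runs over Sysmon Event ID 7 (Image loaded) records, using Sysmon's real field names (Image, ImageLoaded, Signed, SignatureStatus). The trusted-directory list assumes a standard Windows layout with default ACLs, and the five events at the bottom are constructed for the demonstration. It flags any DLL that is unsigned (or carries an invalid signature) and is loaded from outside the trusted trees, then adds the sideload indicator (DLL beside the loading EXE) and the dropper indicator (EXE itself running from a user-writable path).

```python
"""Added detection example: flag DLL sideloading / search-path hijacking in
Sysmon Event ID 7 (Image loaded) records."""
import ntpath

# Directories a DLL is expected to be loaded from on a default Windows
# install (assumption: no unusual ACLs on these trees). Anything else is
# treated as potentially user-writable.
TRUSTED_PREFIXES = (
    r"c:\windows\system32" "\\",
    r"c:\windows\syswow64" "\\",
    r"c:\windows\winsxs" "\\",
    r"c:\program files" "\\",
    r"c:\program files (x86)" "\\",
)


def _norm(path):
    """Lower-case and backslash-normalise a Windows path for comparison."""
    return path.replace("/", "\\").lower()


def is_trusted_path(path):
    return _norm(path).startswith(TRUSTED_PREFIXES)


def has_valid_signature(ev):
    """True only if Sysmon saw a signature AND verified it (Valid)."""
    return (ev.get("Signed", "false").lower() == "true"
            and ev.get("SignatureStatus", "") == "Valid")


def classify(ev):
    """Return the reasons an Event ID 7 record looks like sideloading/hijack.

    Empty list means benign under these rules. The first reason is the
    gating condition; the others refine the finding for the analyst.
    """
    dll, exe = ev["ImageLoaded"], ev["Image"]
    if is_trusted_path(dll) or has_valid_signature(ev):
        return []
    reasons = ["unsigned or invalid-signature DLL loaded from outside trusted directories"]
    if ntpath.dirname(_norm(dll)) == ntpath.dirname(_norm(exe)):
        reasons.append("DLL sits beside the loading executable (sideload pattern)")
    if not is_trusted_path(exe):
        reasons.append("loading executable itself runs from a user-writable path (installer/dropper pattern)")
    return reasons


def hunt(events):
    """Run classify() over a batch of events and return the hits."""
    findings = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            findings.append({"time": ev.get("UtcTime"), "process": ev["Image"],
                             "dll": ev["ImageLoaded"], "reasons": reasons})
    return findings


# Constructed sample events (not real telemetry). Field names follow Sysmon's
# Event ID 7 schema; vendor paths and file names are placeholders.
SAMPLE_EVENTS = [
    # 1: normal system DLL load, catalog-signed and verified -> benign
    {"UtcTime": "2026-01-27 08:00:01", "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true", "SignatureStatus": "Valid"},
    # 2: signed media player copied to AppData, loading an unsigned DLL next to it -> sideload
    {"UtcTime": "2026-01-27 08:02:15", "Image": r"C:\Users\alice\AppData\Roaming\Updater\player.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Updater\helper.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
    # 3: installer run from Downloads picks up a planted version.dll -> search-path hijack
    {"UtcTime": "2026-01-27 09:10:42", "Image": r"C:\Users\alice\Downloads\installer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\version.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
    # 4: unsigned plugin under Program Files -> not flagged by this rule (trusted tree)
    {"UtcTime": "2026-01-27 09:11:00", "Image": r"C:\Program Files\Vendor\agent.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
    # 5: validly signed DLL in a per-user install -> not flagged
    {"UtcTime": "2026-01-27 09:12:30", "Image": r"C:\Users\alice\AppData\Local\App\app.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\App\core.dll", "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['time']} {f['process']} -> {f['dll']}")
        for r in f["reasons"]:
            print("    -", r)
```

Event 4 is the deliberate caveat: an unsigned DLL under Program Files is not flagged here because the rule trusts that tree, which is only safe if its ACLs have not been loosened; if a vendor installs with world-writable permissions, remove that prefix and tune on the resulting noise. Note also that Event ID 7 carries the signature of the loaded DLL, not of the loading process, so "signed host binary" is something the analyst confirms from the Image path and hash rather than from this record alone.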
[NEW] OMB rescinds Biden-era software security attestation requirements
The Office of Management and Budget has revoked the 2022 memo that mandated standardized software security attestations for federal agencies, replacing the universal requirement with agency-specific, risk-based approaches. The reversal eliminates the common "Secure Software Development Attestation Form" that contractors used to vouch for their development practices, reducing regulatory burden at the possible cost of weaker supply chain assurance [CyberScoop]. Agencies must now develop their own assurance policies, though they can still require software bills of materials (SBOMs) on request. The shift follows criticism that the original requirements were "unproven and burdensome", even though they were adopted in response to major incidents such as the SolarWinds compromise [Nextgov].