⚡ Weekly Recap: Fortinet Exploits, RedLine Clipjack, NTLM Crack, Copilot Attack & More

Ravie LakshmananJan 19, 2026Hacking News / Cybersecurity

In cybersecurity, the line between a normal update and a serious incident keeps getting thinner. Systems that once felt reliable are now under pressure from constant change. New AI tools, connected devices, and automated systems quietly create more ways in, often faster than security teams can react. This week’s stories show how easily a small mistake or hidden service can turn into a real break-in.

Behind the headlines, the pattern is clear. Automation is being used against the people who built it. Attackers reuse existing systems instead of building new ones. They move faster than most organizations can patch or respond. From quiet code flaws to malware that changes while it runs, attacks are focusing less on speed and more on staying hidden and in control.

If you’re protecting anything connected—developer tools, cloud systems, or internal networks—this edition shows where attacks are going next, not where they used to be.

⚡ Threat of the Week

Critical Fortinet Flaw Comes Under Attack — A critical security flaw in Fortinet FortiSIEM has come under active exploitation in the wild. The vulnerability, tracked as CVE-2025-64155 (CVSS score: 9.4), allows an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests. In a technical analysis, Horizon3.ai described the issue as comprising two issues: an unauthenticated argument injection vulnerability that leads to arbitrary file write, allowing for remote code execution as the admin user, and a file overwrite privilege escalation vulnerability that leads to root access and complete compromise of the appliance. The vulnerability affects the phMonitor service, an internal FortiSIEM component that runs with elevated privileges and plays an integral role in system health and monitoring. Because the service is deeply embedded in FortiSIEM’s operational workflow, successful exploitation grants attackers full control of the appliance.

🔔 Top News

• VoidLink Linux Malware Enables Long-Term Access — A new cloud-native Linux malware framework named VoidLink focuses on cloud environments, providing attackers with a wide assortment of custom loaders, implants, rootkits, and plugins that are designed for additional stealth and for reconnaissance, privilege escalation, and lateral movement inside a compromised network. The feature-rich framework is engineered for long-term access, surveillance, and data collection rather than short-term disruption, allowing an operator to control agents, implants, and plugins via a web-based dashboard localized for Chinese users. Key to the malware’s architecture is to “automate evasion as much as possible” by profiling a Linux environment and intelligently choosing the best strategy for operating without detection. Indeed, when signs of tampering or malware analysis are detected on an infected machine, it can delete itself and invoke anti-forensics modules designed to remove traces of its activity. It’s fitted with an “unusually broad” feature set, including rootkit-style capabilities, an in-memory plug-in system for extending functionality, and the ability to adjust runtime evasion based on the security products it detects. VoidLink draws inspiration from Cobalt Strike, an adversary simulation framework that has been widely adopted and misused by attackers over the years. It’s believed to be the work of Chinese developers. “Together, these plugins sit atop an already sophisticated core implementation, enriching VoidLink’s capabilities beyond cloud environments to developer and administrator workstations that interface directly with those cloud environments, turning any compromised machine into a flexible launchpad for deeper access or supply-chain compromise,” Check Point said. “Its design reflects a level of planning and investment typically associated with professional threat actors rather than opportunistic attackers.” However, its intended use remains unclear, and no evidence of real-world infections has been observed, which supports the assumption that the modular malware was created “either as a product offering or as a framework developed for a customer.”
• Microsoft Disrupts RedVDS Criminal Service — A cybercriminal subscription service responsible for fraud campaigns causing millions of dollars in losses has been disrupted in a coordinated action by Microsoft alongside legal partners in the U.S. and, for the first time, the U.K. The Windows makers said it seized the website and infrastructure of RedVDS, a platform that hosted cybercrime-as-a-service tools for phishing and fraud campaigns, which cost users as little as $24 a month. The subscription service is known to have cost victims in the U.S. alone over $40 million since March 2025. In total, Microsoft has identified nearly 190,000 organizations worldwide that fell victim to RedVDS-supported campaigns. In one month, the company noted approximately 2,600 RedVDS virtual machines sent an average of 1 million phishing messages to Microsoft customers daily. RedVDS provided cybercriminals with access to cheap, effective, and disposable virtual computers running unlicensed software, including Windows, allowing criminals to conduct phishing attacks and business email compromise (BEC) schemes. The service is also said to have been a player in the spread of real estate payment diversion scams, affecting more than 9,000 customers primarily in Canada and Australia. RedVDS did not own physical data centers and instead rented servers from third-party hosting providers in the U.S., Canada, the U.K., France, and the Netherlands. “Once provisioned, these cloned Windows hosts gave actors a ready‑made platform to research targets, stage phishing infrastructure, steal credentials, hijack mailboxes, and execute impersonation‑based financial fraud with minimal friction,” Microsoft said. “Threat actors benefited from RedVDS’s unrestricted administrative access and negligible logging, allowing them to operate without meaningful oversight. The uniform, disposable nature of RedVDS servers allowed cybercriminals to rapidly iterate campaigns, automate delivery at scale, and move quickly from initial targeting to financial theft.”
• Over 550 Kimwolf Botnet C2 Nodes Null-Routed — Lumen Technologies’ Black Lotus Labs has blocked more than 550 command-and-control (C2) nodes linked to Aisuru and Kimwolf’s servers since October 2025, as the botnets gained attention for their role in orchestrating hypervolumetric distributed denial-of-service (DDoS) attacks. Kimwolf, which is said to mainly target unsanctioned Android TV boxes, has caught on like wildfire, corralling over 2 million devices into its botnet. The disruption of RapperBot and the arrest of its alleged leader in August 2025 played a key factor in the rise of Aisuru and Kimwolf. Recent research by QiAnXin XLab and Synthient revealed how the botnet’s operators have leveraged proxy services to expand its reach. In a separate report, Infoblox said nearly 25% of its cloud customers made a query to a Kimwolf domain since October 1, 2025. “The main takeaway is these residential proxies are literally everywhere,” Chris Formosa, senior lead information security engineer at Lumen Technologies’ Black Lotus Labs, told The Hacker News. “Like everywhere and in most organizations you can think of. Given we know the actors were exploiting it, the story is mainly a story of a lot of networks you may think are secured, but have devices running residential proxies which can provide attackers with an opportunity to get an initial foothold, bypassing a large majority of your devices you likely have in place.”
• Reprompt Attack Targets Microsoft Copilot — Security researchers discovered a new attack named Reprompt that allowed them to exfiltrate user data from Microsoft Copilot once a victim clicks on a specifically crafted link pointing to the artificial intelligence (AI) chatbot. The attack bypasses data leak protections and allows for persistent session exfiltration even after the Copilot session was closed. The attack leverages a combination of Parameter 2 Prompt (P2P) injection (i.e., the exploitation of the “q” parameter), a double-request technique, and a chain-request technique to obtain a data exfiltration primitive. “Client-side monitoring tools won’t catch these malicious prompts, because the real data leaks happen dynamically during back-and-forth communication — not from anything obvious in the prompt the user submits,” Varonis said. The attack does not affect enterprise customers using Microsoft 365 Copilot. Microsoft has since addressed the issue.
• AWS CodeBuild Misconfiguration Creates Supply Chain Risks — A critical misconfiguration in Amazon Web Services (AWS) CodeBuild could have allowed complete takeover of the cloud service provider’s own GitHub repositories, including its AWS JavaScript SDK, putting every AWS environment at risk. The vulnerability, codenamed CodeBreach, was fixed by AWS in September 2025. “By exploiting CodeBreach, attackers could have injected malicious code to launch a platform-wide compromise, potentially affecting not just the countless applications depending on the SDK, but the Console itself, threatening every AWS account,” Wiz said.

‎️‍🔥 Trending CVEs

Hackers act fast. They can use new bugs within hours. One missed update can cause a big breach. Here are this week’s most serious security flaws. Check them, fix what matters first, and stay protected.

This week’s list includes — CVE-2025-20393 (Cisco AsyncOS Software), CVE-2026-23550 (Modular DS plugin), CVE-2026-0227 (Palo Alto Networks PAN-OS), CVE-2025-64155 (Fortinet FortiSIEM), CVE-2026-20805 (Microsoft Windows Desktop Window Manager), CVE-2025-12420 (ServiceNow), CVE-2025-55131, CVE-2025-55131, CVE-2025-59466, CVE-2025-59465 (Node.js), CVE-2025-68493 (Apache Struts 2), CVE-2026-22610 (Angular Template Compiler), CVE-2025-66176, CVE-2025-66177 (Hikvision), CVE-2026-0501, CVE-2026-0500, CVE-2026-0498​, CVE-2026-0491 (SAP), CVE-2026-21859, CVE-2026-22689 (Mailpit), CVE-2026-22601, CVE-2026-22602, CVE-2026-22603, CVE-2026-22604 (OpenProject), CVE-2026-23478 (Cal.com), CVE-2025-14364 (Demo Importer Plus plugin), CVE-2025-14502 (News and Blog Designer Bundle), CVE-2025-14301 (Integration Opvius AI for WooCommerce plugin), CVE-2025-52493 (PagerDuty Runbook), CVE-2025-55315 (ASP.NET Core Kestrel server), CVE-2026-20965 (Microsoft Windows Admin Center), and CVE-2025-14894 (Livewire Filemanager).

📰 Around the Cyber World

• Unpatched Flaw in Livewire Filemanager — An unpatched security flaw was disclosed in Livewire Filemanager, a file manager component for Laravel-based websites that allows file uploads. The vulnerability (CVE-2025-14894, CVSS score: 7.5) can permit threat actors to upload malicious PHP files to a remote server and trigger its execution. “When a user uploads a PHP file to the application, it can be accessed and executed by visiting the web-accessible file hosting directory,” the CERT Coordination Center (CERT/CC) said. “This enables an attacker to create a malicious PHP file, upload it to the application, then force the application to execute it, enabling unauthenticated arbitrary code execution on the host device.”
• More GhostPoster Extensions Spotted — LayerX said it found a new cluster of 17 extensions related to GhostPoster impacting Google Chrome and Microsoft Edge. The new extensions, which are designed to hijack affiliate links, inject tracking code, and commit click and ad fraud, have a collective install base of over 840,000 users, and some of them date back to 2020. GhostPoster, first disclosed last month, is part of a broader campaign undertaken by a Chinese threat actor dubbed DarkSpectre. The new findings show that GhostPoster first originated on Microsoft Edge in February 2020 and then expanded to Firefox and Chrome.

• RedLineCyber Distributes Clipboard Hijacking Malware — A threat actor named RedLineCyber has been observed leveraging the notoriety of the well-known RedLine information stealer to distribute an executable called “Pro.exe” (or “peeek.exe”). It’s a Python-based clipboard hijacking trojan that is designed for cryptocurrency theft by continuously monitoring the Windows clipboard for cryptocurrency wallet addresses and substituting them with a wallet address under their control to facilitate cryptocurrency theft. “The threat actor exploits trust relationships within Discord communities focused on gaming, gambling, and cryptocurrency streaming,” CloudSEK said. “Distribution occurs through direct social engineering, where the actor cultivates relationships with potential victims, particularly cryptocurrency streamers and influencers, over extended periods before introducing the malicious payload as a ‘security tool’ or ‘streaming utility.'”
• Fake Shipping Documents Deliver Remcos RAT — A new phishing campaign is using shipping-themed lures to trick recipients into opening a malicious Microsoft Word document that, in turn, triggers an exploit for a years-old security flaw in Microsoft Office (CVE-2017-11882) to distribute a new variant of Remcos RAT that’s executed directly in memory, Fortinet said. Successful exploitation of the vulnerability triggers the download of a Visual Basic Script, which executes Base64-code PowerShell code to download and launch a .NET DLL loader module responsible for launching the RAT in addition to setting up persistence using scheduled tasks. An off-the-shelf malware, Remcos RAT (version 7.0.4 Pro) enables comprehensive data gathering capabilities, including system management, surveillance, networking, communication, and agent control.
• Google Releases Rainbow Tables to Speed Up Demise of Net-NTLMv1 — Google’s Mandiant threat intelligence division released a comprehensive dataset of Net-NTLMv1 rainbow tables to emphasize the need for urgently moving away from the outdated protocol. While Microsoft previously announced its plans to deprecate NTLM in favor of Kerberos, Google said it continues to identify the use of Net-NTLMv1 in active environments, leaving organizations vulnerable to trivial credential theft. “While tools to exploit this protocol have existed for years, they often required uploading sensitive data to third-party services or expensive hardware to brute-force keys,” Google said. “The release of this dataset allows defenders and researchers to recover keys in under 12 hours using consumer hardware costing less than $600 USD.”
• Former U.S. Navy Sailor Sentenced to 200 Months for Spying for China — Jinchao Wei (aka Patrick Wei), 25, a former U.S. Navy sailor, was sentenced in the U.S. to 200 months in prison for selling secrets to China by abusing his security clearance and access to sensitive national defense information about the amphibious assault ship U.S.S. Essex. Wei was convicted of espionage charges in August 2025 following his arrest in August 2023. “By sharing thousands of documents, operating manuals, and export-controlled and sensitive information with a Chinese intelligence officer, Petty Officer Wei knowingly betrayed his fellow service members and the American people,” said NCIS Director Omar Lopez. Wei was recruited by a Chinese intelligence officer in February 2022 and sent photographs and videos of the Essex via an encrypted messaging application, and advised the officer of the location of various Navy ships. He also described the defensive weapons of the Essex, sent thousands of pages of technical and operational information about U.S. Navy surface warfare ships, and sold approximately 60 technical and operational manuals about U.S. Navy ships. In exchange, Wei received more than $12,000 over 18 months. Post his arrest, Wei admitted to the Federal Bureau of Investigation (FBI) that what he did amounted to espionage and that “I’m screwed.”
• Australia Warns Domestic Firms About AI Security Risks — The Australian Signals Directorate (ASD) has warned local businesses against uploading customer data and files to AI chatbots or genAI platforms without proper anonymization. “Some artificial intelligence providers may use customer‑submitted data to train or refine their models. This can depend on the configuration settings or the type of subscription,” ASD said. “As a result, information entered into these platforms could potentially be reused or disclosed in unexpected contexts later.” It also warned that AI systems are susceptible to hallucinations and can be tricked by malicious cyber actors through prompt injections, which refer to malicious inputs disguised as legitimate requests designed to confuse or mislead the AI into giving sensitive, wrong, or unsafe answers. Furthermore, ASD warned of potential supply chain risks resulting from AI integration, emphasizing the need for secure deployment of AI chatbots.
• Jordan National Pleads Guilty to Selling Access — A Jordanian national pleaded guilty in the U.S. to charges of selling access to the networks of at least 50 companies through a cybercriminal forum. Feras Khalil Ahmad Albashiti (aka r1z, Feras Bashiti, and Firas Bashiti), 40, is facing a maximum penalty of 10 years in prison after being charged with fraud and related activity in connection with access credentials. Albashiti was arrested in July 2024. His sentencing will take place in May 2026. The FBI, which contacted the defendant in September 2026 under cover, said it was able to trace the “r1z” cybercrime forum account to Albashiti because it was registered in 2018 with the same Gmail address that was used to apply for a U.S. visa in October 2016. According to a report from SentinelOne, the “r1z” account marketed a malware dropper and bypass service called EDR Killer on underground forums. The account was previously identified as advertising access to 50 vulnerable Confluence servers acquired by exploiting the critical Confluence unauthenticated RCE vulnerability, tracked as CVE-2022-26134, and claimed to be in possession of a list of over 10,000 vulnerable Confluence servers. Other tools included illicit versions of Cobalt Strike, private exploits for local privilege escalation (LPE) vulnerabilities in different services, access to 30 SonicWall VPN and 50 Microsoft Exchange servers with a working exploit, as well as a service that buys compromised VPN and RDP login credentials from other criminals on the XSS forum. R1z is said to have been active on XSS since 2019.
• Google Agrees to Pay $8.25M to Settle Children Privacy Violations — Google has agreed to pay $8.25 million to settle a class-action lawsuit that claimed the company illegally collected data from devices belonging to children under age 13, The Record reported. The case was brought more than two years ago by the parents of six minors who allegedly downloaded apps and games from the Play Store that were targeted at children, such as Fun Kid Racing, GummyBear, and Friends Speed Racing. The apps, according to the lawsuit, came with Google’s AdMob software development kit that collected data from children at scale, violating the Children’s Online Privacy Protection Act (COPPA).
• U.S. Bank Targeted by Keylogger — Sansec identified a keylogger on the employee merchandise store of a major U.S. bank. The store is used by the bank’s 200,000 employees to order company-branded items. “The malware intercepts everything typed into the site’s forms: login credentials, payment card numbers, personal information,” the Dutch company said. “The stolen data is exfiltrated via image beacon, a common technique that bypasses many security controls.” The malware has since been removed from the site. The activity is assessed to share overlaps with an October 2024 breach of the Green Bay Packers Pro Shop, citing infrastructure pattern similarities.
• Payroll Pirates Redirect Paychecks to Accounts Under Their Control — In a new social engineering attack targeting an unnamed organization, the threat actors behind Payroll Pirates reached out via a phone call, impersonating employees to manipulate multiple help desks and successfully perform password resets and re-enroll multi-factor authentication (MFA) devices. The threat actor has also been observed attempting to establish persistence by registering an external email address as an authentication method for a service account within the client’s Azure AD environment. “Once authenticated into the payroll system, the attacker moved quickly,” Palo Alto Networks Unit 42 said. “In total, they compromised multiple employee accounts, each one granting access to sensitive payroll information. The attacker then proceeded to modify direct-deposit details for multiple individuals, redirecting their paychecks into bank accounts under the attacker’s control. Because the credentials were valid and MFA appeared legitimate, the activity blended in with normal operations. The incident was discovered only when employees reported missing paychecks.”
• New Attack Uses DLL Side-Loading to Distribute PDFSIDER Malware — An unknown threat actor is leveraging DLL side-loading to deploy PDFSIDER, a backdoor with encrypted C2 capabilities, using a legitimate executable associated with PDF24 Creator (“pdf24.exe”). The malware operates primarily in memory, minimizing disk artifacts. “PDFSIDER blends traditional cyber-espionage behaviors with modern remote-command functionality, enabling operators to gather system intelligence and remotely execute shell commands covertly,” Resecurity said. “The malware uses a fake cryptbase.dll to bypass endpoint detection mechanisms. Once loaded, the malware provides attackers with an interactive, hidden command shell and can exfiltrate command output through its encrypted channel.” The malware is delivered via spear-phishing emails that guide victims to a ZIP archive attached to the message.

🎥 Cybersecurity Webinars

• How Top MSSPs Are Using AI to Grow in 2026: Learn Their Formula — By 2026, MSSPs are under pressure to do more with less, and AI is becoming the edge that separates those who scale from those who stall. This session explores how automation reduces manual work, improves margins, and enables growth without adding headcount, with real-world insights from Cynomi founder David Primor and Secure Cyber Defense CISO Chad Robinson on turning expertise into repeatable, high-value services.
• Stop Guessing Your SOC Strategy: Learn What to Build, Buy, or Automate — Modern SOC teams are overloaded with tools, noise, and promises that don’t translate into results, making it hard to know what to build, buy, or automate. In this session, AirMDR CEO Kumar Saurabh and SACR CEO Francis Odum cut through the clutter with a practical, vendor-neutral look at SOC operating models, maturity, and real-world decision frameworks—leaving teams with a clear, actionable path to simplify their stack and make their SOC work more effectively.

🔧 Cybersecurity Tools

• AuraInspector — It is an open-source tool for auditing Salesforce Experience Cloud security. It helps find misconfigurations that could expose data or admin functions by checking accessible records, self-registration options, and hidden “home URLs.” The tool automates much of the testing, including object discovery through GraphQL methods, and works in both guest and authenticated contexts. It’s a research utility, not an official Google product, designed to make Salesforce Aura security testing faster and more reliable.
• Maltrail — It is an open-source tool for detecting malicious network traffic. It compares network activity against known blacklists of suspicious domains, IPs, URLs, and user agents linked to malware or attacks, and can also flag new threats using heuristics. The system uses sensors to monitor traffic and a central server to log and display events through a web interface, helping identify infected hosts or abnormal activity in real time.

Disclaimer: These tools are for learning and research only. They haven’t been fully tested for security. If used the wrong way, they could cause harm. Check the code first, test only in safe places, and follow all rules and laws.

Conclusion

The message is clear. Today’s threats aren’t just single break-ins. They come from connected weak spots, where one exposed service or misused tool can affect an entire system. Attackers don’t see cloud platforms, AI tools, and enterprise software as separate. They see one shared space. Defenders need to think the same way, treating every part of their environment as connected and worth watching all the time, not just after something goes wrong.

What happened this week isn’t unusual. It’s a warning. Every update, setting, and access rule matters, because the next attack will likely begin from something already inside. This recap shows how small gaps turned into big openings—and what’s being done to close them before the next round begins.