Cyber Threat Rundown: State-Sponsored Espionage, Critical Infrastructure Attacks, and Sneaky Extensions
The digital threat landscape continues to fracture along familiar yet dangerous lines. This week’s intelligence reveals a stark dichotomy: sophisticated state-aligned actors targeting human rights and critical national infrastructure, while financially motivated groups refine social engineering to breach corporate defenses. Simultaneously, the supply chain remains a weak point, with malicious browser extensions and server exploits offering low-cost, high-reward opportunities for adversaries. From Iranian information control to Polish power plants, the convergence of geopolitical tension and criminal innovation demands constant vigilance and a defense-in-depth strategy from organizations of all sizes.
🇮🇷 RedKitten Cyber Campaign Targets Human Rights Activists
A Farsi-speaking threat actor, suspected of alignment with Iranian state interests, has been linked to a new campaign dubbed “RedKitten.” Observed in January 2026, the activity targets non-governmental organizations (NGOs) and individuals involved in documenting human rights abuses within Iran. The campaign’s timing is notable, coinciding with nationwide unrest that began in late 2025, suggesting a clear objective of intelligence gathering and potential suppression of dissenting voices.
HarfangLab’s discovery highlights the ongoing use of cyber capabilities for domestic surveillance and information control by nation-states. The targeting of human rights groups represents a particularly insidious form of digital oppression, aiming to compromise the very organizations that hold power to account. This campaign underscores how cyber tools are weaponized not just for traditional espionage, but for silencing civil society.
Why this matters: This is a direct example of cyber operations being used to enable human rights abuses. It reinforces the need for enhanced digital security for activists and NGOs, who are often resource-light but high-value targets for adversarial states.
🎣 ShinyHunters-Style Vishing Attacks Breach MFA Protections
Mandiant has identified an expansion in threat activity using tradecraft consistent with the financially motivated ShinyHunters group. The attacks employ advanced voice phishing (vishing) tactics, where threat actors use phone calls to manipulate victims. They combine this with counterfeit login pages designed to mimic a target company’s legitimate authentication portal, creating a highly convincing multi-channel attack.
This evolution is significant because it directly targets and bypasses Multi-Factor Authentication (MFA), a cornerstone of modern security postures. By using social engineering over the phone, attackers can trick users into approving push notifications or revealing one-time codes, rendering MFA ineffective. This shift demonstrates that criminal groups are continuously adapting their methods to overcome common security controls.
Why this matters: It proves that MFA, while essential, is not a silver bullet. Security awareness training must now emphatically cover vishing and the fact that legitimate-looking authentication prompts can be part of a scam. Organizations need to consider implementing phishing-resistant MFA methods.
💥 Poland Attributes Coordinated Cyber Attacks on Energy Infrastructure
CERT Polska has disclosed coordinated cyber attacks targeting over 30 wind and solar farms, a manufacturing company, and a major combined heat and power (CHP) plant. The incident, occurring on December 29, 2025, impacted critical infrastructure supplying heat to nearly half a million customers. The agency has attributed these disruptive attacks to a known threat actor, highlighting a direct threat to national energy security.
This incident marks a serious escalation in the targeting of renewable energy infrastructure. The coordinated nature of the attacks, hitting multiple sites across the energy sector simultaneously, suggests a planned operation with potentially disruptive or destructive intent. It serves as a stark reminder of the vulnerability of operational technology (OT) networks to cyber intrusion.
Why this matters: Critical infrastructure, especially energy, remains a prime target for state and state-aligned actors. Such attacks can cause real-world physical disruption and pose national security risks, emphasizing the urgent need for robust OT/IT network segmentation and incident response plans in the energy sector.
🛒 Malicious Chrome Extensions Hijack Links and Steal ChatGPT Logins
Researchers have uncovered malicious Google Chrome extensions, such as “Amazon Ads Blocker,” that pose as legitimate tools while carrying harmful payloads. These extensions are equipped to hijack affiliate marketing links, redirecting commissions to the attacker, and to steal sensitive user data. Notably, they also possess the capability to harvest authentication tokens for OpenAI’s ChatGPT service.
This represents a multi-pronged monetization scheme within a single piece of malware. By compromising the browser, attackers can engage in financial fraud (affiliate hijacking), credential theft, and the theft of valuable AI service access. The use of the official Chrome Web Store as a distribution channel lends these tools a false air of legitimacy, increasing their infection rate.
Why this matters: It highlights the persistent risk of supply chain attacks via browser extensions. Users and enterprises must rigorously vet extensions, limiting installations to only those absolutely necessary from verified developers. It also shows how any new, popular platform (like ChatGPT) quickly becomes a target for credential theft.
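To make the extension-vetting recommendation above concrete, here is an added example that is not part of the original rundown and not code from any of the researchers it cites. It audits Chrome extension manifests (the standard manifest.json fields: permissions, optional_permissions, host_permissions and content_scripts matches) against an allowlist of vetted extension IDs, and flags the combinations that make affiliate-link hijacking and session-token theft possible: request-rewriting and cookie APIs plus broad host access. The risk lists, the extension IDs and the sample manifests are constructed for the example; the fake "Amazon Ads Blocker" manifest is modelled on the capabilities described in the report, not copied from the real extension.

```python
"""Audit Chrome extension manifests against an allowlist and flag privilege
combinations that enable link hijacking or session-token theft."""
import json

# Constructed heuristic lists for this example; tune to your own risk appetite.
# These APIs let an extension observe/rewrite traffic or read session cookies.
HIGH_RISK_API_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "declarativeNetRequestWithHostAccess", "cookies", "scripting",
    "webNavigation", "history", "management",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Hosts whose sessions we treat as sensitive (the report mentions ChatGPT token theft).
SENSITIVE_HOST_FRAGMENTS = ("chatgpt.com", "openai.com")


def _is_host_pattern(p):
    return p == "<all_urls>" or "://" in p


def split_permissions(manifest):
    """Return (api_permissions, host_patterns) merged across MV2 and MV3 fields."""
    api, hosts = set(), set()
    for p in manifest.get("permissions", []) + manifest.get("optional_permissions", []):
        (hosts if _is_host_pattern(p) else api).add(p)
    hosts.update(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    return api, hosts


def audit_extension(ext_id, manifest, allowlist):
    """Classify one extension as 'allow', 'review' or 'block' and say why."""
    api, hosts = split_permissions(manifest)
    reasons = []
    risky = sorted(api & HIGH_RISK_API_PERMISSIONS)
    if risky:
        reasons.append("risky API permissions: " + ", ".join(risky))
    broad = sorted(hosts & BROAD_HOST_PATTERNS)
    if broad:
        reasons.append("broad host access: " + ", ".join(broad))
    sensitive = sorted(h for h in hosts if any(f in h for f in SENSITIVE_HOST_FRAGMENTS))
    if sensitive:
        reasons.append("access to sensitive service hosts: " + ", ".join(sensitive))
    if ext_id in allowlist:
        decision = "allow"    # vetted ID; reasons are kept for the record
    elif reasons:
        decision = "block"    # unvetted and able to rewrite links or read sessions
    else:
        decision = "review"   # unvetted but low-privilege: vet before approving
    return decision, reasons


def audit_all(extensions, allowlist):
    """extensions: {extension_id: manifest dict}. Returns {id: (decision, reasons)}."""
    return {eid: audit_extension(eid, m, allowlist) for eid, m in extensions.items()}


# Constructed sample inventory; the IDs are placeholders, not real Web Store IDs.
SAMPLE_EXTENSIONS = {
    # Lookalike of the malicious "ad blocker" described above: it can rewrite
    # every request (affiliate hijacking) and read cookies on the ChatGPT domain.
    "ext-fake-adblocker": {
        "name": "Amazon Ads Blocker", "version": "1.2.0", "manifest_version": 3,
        "permissions": ["storage", "webRequest", "cookies", "declarativeNetRequest"],
        "host_permissions": ["<all_urls>", "https://chatgpt.com/*"],
    },
    # Vetted corporate tool, already on the allowlist.
    "ext-vetted-pwmgr": {
        "name": "Corporate Vault", "version": "4.0.1", "manifest_version": 3,
        "permissions": ["storage", "activeTab"],
        "host_permissions": ["https://vault.example/*"],
    },
    # Low-privilege but not yet vetted: needs a human decision, not an automatic block.
    "ext-unvetted-notes": {
        "name": "Quick Notes", "version": "0.9", "manifest_version": 2,
        "permissions": ["storage"],
        "content_scripts": [{"matches": ["https://notes.example/*"], "js": ["n.js"]}],
    },
}
VETTED_IDS = {"ext-vetted-pwmgr"}

if __name__ == "__main__":
    print(json.dumps(audit_all(SAMPLE_EXTENSIONS, VETTED_IDS), indent=2))
```

The decision logic is deliberately three-valued: an allowlist alone tells you nothing about why an unlisted extension is dangerous, and a pure permission scan would wave through a lookalike that asks for little. Feeding real manifests in (for example from a managed-browser inventory export) is the only change needed to use this on live data.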
🌏 China-Linked UAT-8099 Targets Asian IIS Servers with SEO Malware
A China-linked threat actor tracked as UAT-8099 has been found running a campaign from late 2025 to early 2026 targeting vulnerable Internet Information Services (IIS) servers across Asia, with a focus on Thailand and Vietnam. The attackers deploy a malicious payload known as “BadIIS,” which is designed to manipulate search engine optimization (SEO) by injecting malicious content into compromised websites.
Cisco Talos’s discovery points to a continued focus on web server compromise for broader strategic goals. By poisoning search results, attackers can distribute malware, conduct phishing, or spread disinformation, leveraging the trust and high traffic of legitimate but compromised websites. This campaign exploits unpatched or misconfigured public-facing servers, a common initial access vector.
Why this matters: It’s a reminder that outdated or unsecured public servers are low-hanging fruit. Compromising them can turn a legitimate business site into a weapon for further attacks. Organizations must prioritize patch management for internet-facing systems and monitor for unauthorized file changes.
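The last recommendation above, monitoring internet-facing servers for unauthorized file changes, is easy to state and easy to skip. The following added example (not from the original rundown, Cisco Talos, or any tooling they describe) builds a SHA-256 baseline of a web root, diffs a later snapshot against it, and raises files whose type can execute on the server or change its configuration to the top of the report. The priority suffix list is a constructed starting point, not an authoritative IIS list, and the web root in `demo()` is a temporary directory with constructed content that stands in for a real site.

```python
"""File-integrity baseline and diff for a web root, with priority on server-side
executable and configuration files."""
import hashlib
import json
import tempfile
from pathlib import Path

# Types that run on the server or reconfigure it; constructed list for this example,
# extend it to match what your sites actually serve.
PRIORITY_SUFFIXES = {".aspx", ".ashx", ".asmx", ".asax", ".dll", ".config", ".ps1", ".exe"}


def hash_file(path, chunk=65536):
    """SHA-256 of a file, streamed so large uploads do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (posix-style relative path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_baseline(old, new):
    """Compare two baselines; 'priority' lists added/modified files of risky types."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(k for k in old.keys() & new.keys() if old[k] != new[k])
    priority = sorted(f for f in added + modified
                      if Path(f).suffix.lower() in PRIORITY_SUFFIXES)
    return {"added": added, "removed": removed, "modified": modified, "priority": priority}


def save_baseline(baseline, path):
    # Store the baseline off the web server (or at least outside the web root):
    # an attacker who can write the site can otherwise rewrite the baseline too.
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed web root: take a baseline, simulate a change set, report it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "default.aspx").write_text("<%@ Page %> hello")
        (root / "web.config").write_text("<configuration/>")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body{}")
        store = root.parent / "baseline-demo.json"
        save_baseline(build_baseline(root), store)

        # Simulated later state (constructed): a new binary appears under bin/,
        # web.config gains a server section, and a stylesheet is legitimately edited.
        (root / "bin").mkdir()
        (root / "bin" / "unknown_module.dll").write_bytes(b"MZ\x90\x00constructed")
        (root / "web.config").write_text("<configuration><system.webServer/></configuration>")
        (root / "css" / "site.css").write_text("body{margin:0}")

        report = diff_baseline(load_baseline(store), build_baseline(root))
        store.unlink()
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real host, `build_baseline` runs once after a known-good deployment and again on a schedule; every deployment must refresh the baseline, otherwise the report fills with expected changes and the unexpected DLL in `bin/` gets lost in the noise. The `priority` list is what an on-call analyst should read first.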
Key Takeaways for Security Teams:
- Geopolitics Drives Cyber Campaigns: State-aligned groups are actively targeting civil society (NGOs) and critical national infrastructure (energy), linking cyber activity directly to real-world political and strategic objectives.
- MFA is Being Actively Circumvented: Financially motivated actors are using sophisticated vishing attacks to bypass MFA, necessitating a move towards phishing-resistant authentication and renewed user training.
- Supply Chain Risks Are Everywhere: Threats persist in trusted platforms like the Chrome Web Store and through unpatched public servers (IIS). Rigorous vetting and aggressive patch management are non-negotiable.
- Monetization Methods are Diversifying: Attackers are blending affiliate fraud, credential theft, and SEO poisoning within single campaigns to maximize profit from a single compromise.