Recent coverage emphasized that phishing and social engineering via email remain a primary initial access vector, with attackers increasingly blending into routine workflows (emails, meeting invites, and trusted SaaS notifications). TechTarget highlighted that user judgment is often the last control when filters fail, citing the Microsoft Digital Defense Report 2025 claim that 28% of breaches trace back to phishing/social engineering, and noting reports of spam relayed through legitimate Zendesk domains/instances (e.g., leveraging recognizable brands) to bypass filtering and drive credential theft or follow-on access.
Separate reporting and guidance reinforced how attackers operationalize these patterns: The Hacker News described Operation Nomad Leopard, a spear-phishing campaign targeting Afghan government entities using government-themed decoys and a GitHub-hosted ISO that drops a LNK to execute a FALSECUB backdoor capable of remote command execution. Other items in the set were largely general best-practice or “common threats” explainers (password hygiene, generic threat overviews) rather than incident-specific intelligence, but they align with the same overarching risk theme: weak/reused passwords and routine email behaviors continue to enable account takeover and downstream compromise.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
15 events from the most recent confirmed update back to the earliest known activity.
A TechTarget news brief published on January 23, 2026, highlighted email scam activity and the need for employee vigilance. The reference does not provide enough detail to identify a more specific underlying incident.
U.S. law-enforcement and justice authorities were reported to have advanced prosecutions related to ATM jackpotting schemes. The item reflected continued legal action against financially motivated cyber-enabled crime.
The roundup referenced law-enforcement or judicial developments tied to Swedish espionage allegations. It was included as part of notable security-related legal actions reported during the period.
Critical security flaws affecting the Bluvoyix platform were highlighted in the bulletin. The disclosure added another enterprise software risk item to the late-January threat landscape.
Crates.io was reported to have made security visibility improvements intended to help users better assess package risk. The changes were presented as part of broader ecosystem hardening efforts.
New European Union proposals aimed at improving supply-chain cybersecurity were highlighted in the roundup. The measures reflected a policy response to growing software and third-party risk concerns.
Abuse of Zendesk ticketing systems as relays for spam or scam messages was reported. The technique showed how attackers can misuse legitimate business platforms to improve delivery and credibility.
A zero-click exploit chain affecting the Pixel 9 was described as leveraging Dolby and kernel driver vulnerabilities. The disclosure highlighted a sophisticated mobile attack path requiring no user interaction.
Reporting noted widespread command-and-control hosting activity in Chinese internet space. The observation pointed to infrastructure concentration trends relevant to threat hunting and attribution analysis.
Large-scale reconnaissance activity targeting WordPress plugins was reported, indicating broad scanning or pre-exploitation interest in plugin ecosystems. The item was included among multiple January 2026 developments involving abuse of common internet-facing software.
A fake Notepad++ installer was reported distributing proxyware to users in South Korea. The campaign abused the reputation of a legitimate software brand to monetize infected systems.
A malicious advertising campaign used Google Ads to distribute a trojanized PDF editor that dropped the TamperedChef infostealer. The campaign was identified as another example of attackers abusing legitimate ad ecosystems to reach victims.
Researchers highlighted a malvertising campaign in which fake file-converter websites delivered persistent remote access trojans to victims. The operation relied on deceptive advertising and trusted-looking utility themes instead of exploiting software vulnerabilities.
Russia-aligned hacktivist activity was reported targeting U.K. critical infrastructure and local government with denial-of-service attacks. The bulletin framed this as an ongoing disruptive campaign rather than a novel exploit-driven intrusion.
A spear-phishing campaign dubbed Operation Nomad Leopard targeted Afghan government entities, using a GitHub-hosted ISO file to deliver the FALSECUB backdoor. The activity was described in late-2025 to January-2026 reporting as part of a broader trend of attackers abusing trusted services and workflows.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.