Daily summary - 29.01.2026

End-of-Day report

Timeframe: Wednesday 28-01-2026 18:00 - Thursday 29-01-2026 18:00 Handler: Alexander Riepl Co-Handler: Guenes Holler

News

Aisuru botnet sets new record with 31.4 Tbps DDoS attack

The Aisuru/Kimwolf botnet launched a new massive distributed denial of service (DDoS) attack that peaked at 31.4 Tbps and 200 million requests per second, setting a new record.

https://www.bleepingcomputer.com/news/security/aisuru-botnet-sets-new-record-with-314-tbps-ddos-attack/

So much for antivirus protection: malware distributed via an antivirus tool's update server

Attackers smuggled malware onto user systems via the antivirus tool eScan. One of the vendor's update servers had been compromised.

https://www.golem.de/news/von-wegen-virenschutz-malware-ueber-update-server-von-antivirus-tool-verteilt-2601-204754.html

There's a Rash of Scam Spam Coming From a Real Microsoft Address

There are reports that a legitimate Microsoft email address -- which Microsoft explicitly says customers should add to their allow list -- is delivering scam spam.

https://it.slashdot.org/story/26/01/28/1849206/theres-a-rash-of-scam-spam-coming-from-a-real-microsoft-address?utm_source=rss1.0mainlinkanon&utm_medium=feed

Ransomware crims forced to take off-RAMP as FBI seizes forum

Ransomware crims have just lost one of their best business platforms. US law enforcement has seized the notorious RAMP cybercrime forum's dark web and clearnet domains.

https://go.theregister.com/feed/www.theregister.com/2026/01/28/fbi_seizes_ramp_forum/

Patch or perish: Vulnerability exploits now dominate intrusions

Apply fixes within a few hours or face the music, say the pros.

https://go.theregister.com/feed/www.theregister.com/2026/01/29/faster_patching_please_cry_infoseccers/

ConsentFix (a.k.a. AuthCodeFix): Detecting OAuth2 Authorization Code Phishing

ConsentFix (a.k.a. AuthCodeFix) is the latest variant of the fix-type phishing attacks, initially identified by Push Security. In this technique, the adversary tricks the victim into generating an OAuth authorization code that is part of a localhost URL by signing in to the Azure CLI instance (or other vulnerable applications). Then, the victim is instructed to copy that URL and paste it into a phishing website, essentially handing over the authorization code to the adversary, who is now able to exchange it for an access token. Using the access token, the adversary gets access to the victim's Microsoft account.

https://blog.nviso.eu/2026/01/29/consentfix-a-k-a-authcodefix-detecting-oauth2-authorization-code-phishing/

Dissecting UAT-8099: New persistence mechanisms and regional focus

Cisco Talos observed new activity from UAT-8099 spanning from August 2025 through early 2026. Analysis of Cisco's file census and DNS traffic indicates that compromised IIS servers are located across India, Pakistan, Thailand, Vietnam, and Japan, with a distinct concentration of attacks in Thailand and Vietnam. Furthermore, this activity significantly overlaps with the WEBJACK campaign; we have identified high-confidence correlations across malware hashes, C2 infrastructure, victimology, and the promoted gambling sites.

https://blog.talosintelligence.com/uat-8099-new-persistence-mechanisms-and-regional-focus/

Malicious Google Ads Target Mac Users with Fake Mac Cleaner Pages

Researchers at MacKeeper have found malicious Google Ads for "Mac cleaner" tools that trick users into running dangerous Terminal commands. Stay safe by learning how to spot these fake Apple sites.

https://hackread.com/malicious-google-ads-mac-fake-mac-cleaner/

Unveiling the Weaponized Web Shell EncystPHP

FortiGuard Labs has discovered a web shell that we named "EncystPHP." It features several advanced capabilities, including remote command execution, persistence mechanisms, and web shell deployment. Incidents were launched in early December last year and propagated via exploitation of the FreePBX vulnerability CVE-2025-64328.

https://feeds.fortinet.com/~/943094408/0/fortinet/blogs~Unveiling-the-Weaponized-Web-Shell-EncystPHP

Vulnerabilities

Nvidia security vulnerabilities: attacks on GPU drivers can lead to crashes

Software vulnerabilities put PCs with Nvidia graphics cards at risk. Security patches are available.

https://www.heise.de/news/Nvidia-Sicherheitsluecken-Attacken-auf-GPU-Treiber-koennen-zu-Abstuerzen-fuehren-11158836.html

Security updates for Thursday

Security updates have been issued by AlmaLinux (java-25-openjdk, openssl, and python3.9), Debian (gimp, libmatio, pyasn1, and python-django), Fedora (perl-HarfBuzz-Shaper, python-tinycss2, and weasyprint), Mageia (glib2.0), Oracle (curl, fence-agents, gcc-toolset-15-binutils, glibc, grafana, java-1.8.0-openjdk, kernel, mariadb, osbuild-composer, perl, php:8.2, python-urllib3, python3.11, python3.11-urllib3, python3.12, and python3.12-urllib3), SUSE (alloy, avahi, bind, buildah, busybox, container-suseconnect, coredns, gdk-pixbuf, gimp, go1.24, go1.24-openssl, go1.25, helm, kernel, kubernetes, libheif, libpcap, libpng16, openjpeg2, openssl-1_0_0, openssl-1_1, openssl-3, php8, python-jaraco.context, python-marshmallow, python-pyasn1, python-urllib3, python-virtualenv, python311, python313, rabbitmq-server, xen, zli, and zot-registry), and Ubuntu (containerd, containerd-app and wlc).

https://lwn.net/Articles/1056544/

ZDI-26-049: Delta Electronics DIAView Exposed Dangerous Method Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-26-049/

ZDI-26-048: Fortinet FortiSandbox fortisandbox Server-Side Request Forgery Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-26-048/

ZDI-26-047: Hancom Office DOC File Parsing Type Confusion Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-26-047/

ZDI-26-046: Cisco Snort _bnfa_search_csparse_nfa Use-After-Free Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-26-046/