Iranian-Linked Hackers Dox Israeli Intel Agents; Critical Flaws in Fortinet &amp; Next.js Actively Exploited

Iran-Linked Handala Group Leaks Identities of Israeli SIGINT Officers in Targeted Information Warfare Campaign

The Iran-linked hacktivist group Handala has intensified its information warfare against Israel by publicly exposing the identities of 15 alleged Signal Intelligence (SIGINT) officers on January 3, 2026. This act of doxing is the latest in a series of campaigns designed to inflict psychological and reputational damage on Israeli intelligence and government officials. Investigations by cybersecurity firm KELA suggest Handala's primary attack vector is not sophisticated device hacking but rather the compromise of messaging applications like Telegram, likely through social engineering or session hijacking. The group, believed to be associated with Iran's Ministry of Intelligence and the 'Banished Kitten' cyber unit, frames these leaks as strategic blows, having previously targeted high-profile figures and released documents related to Israel's Iron Dome system and Unit 8200.

HandalaDoxingInformation WarfarePsychological OperationsTelegram +3 more

Handala Group Doxes Israeli Intel Agents in Psyops Campaign

Threat Actor

Data Breach

Tokyo FM Radio Hit by Massive Data Breach, 3 Million Records for Sale

Threat Actor Claims Breach of Tokyo FM, Allegedly Exfiltrating 3 Million User Records and Internal Data

A threat actor using the alias 'victim' has claimed responsibility for a major data breach against Tokyo FM Broadcasting Co., LTD., one of Japan's largest radio stations. On January 1, 2026, the attacker announced on a hacker forum that they had stolen a database containing over 3 million records. The compromised data allegedly includes a vast amount of personally identifiable information (PII) from listeners, such as names, addresses, and birth dates, as well as sensitive internal data like employee login credentials. The attacker stated they attempted to disclose the vulnerability to the company but received no response, prompting them to sell the data. If confirmed, this breach would represent a significant violation of Japan's Act on the Protection of Personal Information (APPI), exposing Tokyo FM to severe regulatory penalties and reputational damage.

Data BreachTokyo FMJapanPIIAPPI +2 more

Data Breach

KIOTI Tractor Discloses Wider Impact from 2024 Data Breach

Daedong-USA (KIOTI Tractor) Notifies Additional Individuals of Data Compromise from 2024 Cybersecurity Incident

Daedong-USA, Inc., parent company of the KIOTI® Tractor Division, issued a notice on January 2, 2026, expanding the scope of a data breach that originally occurred in October 2024. A prolonged investigation that concluded in late 2025 revealed that a wider range of highly sensitive personal information was stolen by an unauthorized party than first realized. The compromised data affects a number of current and former employees, their dependents, and some customers. The stolen information includes names, Social Security numbers, driver's licenses, passport numbers, financial account details, and private health information. The company has begun notifying the newly identified victims and has set up a call center to address concerns, emphasizing that this is an update to a past incident, not a new breach.

Data BreachDaedong-USAKIOTI TractorPIISSN +2 more

Data Breach

Incident Response

Resecurity Turns Tables on Hackers, Claims Breach Was a Honeypot

INFORMATIONAL

Resecurity Disputes Breach Claims, States 'Scattered Lapsus$ Hunters' Were Lured into Sophisticated Honeypot

Cybersecurity firm Resecurity has publicly refuted claims of a major data breach made by a hacking group known as 'Scattered Lapsus$ Hunters' (SLH). On January 3, 2026, the group announced on Telegram that it had compromised Resecurity's systems, stealing internal data and client information. Resecurity swiftly responded, asserting that the attackers had not breached any production systems but were instead contained within a sophisticated honeypot environment. The firm stated that the screenshots posted by SLH as 'proof' were from this decoy system, which was filled with synthetic data. Resecurity claims the successful deception allowed them to gather valuable threat intelligence on the attackers' TTPs, effectively turning a potential attack into an intelligence-gathering operation.

HoneypotCyber DeceptionResecurityScattered Lapsus HuntersLapsus +2 more

Resecurity Turns Tables on Hackers, Claims Breach Was a Honeypot

Security Operations

Finland Arrests Two in Probe of Damaged Undersea Telecom Cable

Two Arrested in Finland as Investigation into Damaged Baltic Sea Telecom Cable Points to Sabotage

Finnish authorities have arrested two crew members of the cargo ship 'Fitburg' in connection with significant damage to an undersea telecommunications cable in the Gulf of Finland. The incident, which occurred around New Year's Eve, disrupted a critical data link owned by Elisa that connects Finland and Estonia. Investigators reported the ship was observed dragging its anchor at the exact time and location of the cable break. The investigation is being treated as potential sabotage and interference with telecommunications, heightening concerns about hybrid threats to critical infrastructure in the strategically sensitive Baltic Sea region. The incident follows a pattern of disruptions to undersea infrastructure since the start of the war in Ukraine.

Undersea CableSabotageHybrid WarfareFinlandEstonia +2 more

Finland Arrests Two in Probe of Damaged Undersea Telecom Cable

Industrial Control Systems

VVS Stealer Malware Uses PyArmor Obfuscation to Target Discord Users

New Python-Based VVS Stealer Uses PyArmor to Evade Antivirus and Steal Discord Credentials

A new information-stealing malware named VVS Stealer is being sold on Telegram and used to target Discord users. Written in Python, the stealer's key feature is its use of the legitimate tool PyArmor to heavily obfuscate its code, allowing it to bypass static analysis and signature-based antivirus detection. Once on a victim's system, VVS Stealer establishes persistence and proceeds to steal a wide range of data. It specifically targets Discord, using the Windows DPAPI to decrypt authentication tokens and malicious JavaScript injection to capture password changes in real-time. The malware also exfiltrates cookies, history, and saved passwords from nearly 20 different web browsers, sending the stolen data to an attacker-controlled Discord webhook.

VVS StealerMalwareInfostealerDiscordPyArmor +2 more

Malware

Phishing

Infostealers Fuel Vicious Cycle, Hijacking Victim Websites to Spread More Malware

Cybercrime Feedback Loop: Threat Actors Use Stolen Credentials to Turn Business Websites into Malware Distribution Platforms

A new report from Hudson Rock highlights a dangerous and self-perpetuating cybercrime trend where credentials stolen by infostealer malware are used to hijack legitimate business websites. Attackers gain administrative access to platforms like WordPress using the stolen logins, then inject malicious scripts to turn the trusted sites into malware distribution points. These compromised sites are then used in campaigns employing social engineering tactics like 'ClickFix,' which tricks visitors into executing malicious PowerShell commands. This creates a vicious feedback loop: infostealers harvest credentials, which are used to compromise websites, which then distribute more infostealers like Lumma and Vidar, amplifying the scale and effectiveness of their campaigns.

InfostealerFeedback LoopClickFixPowerShellWordPress +3 more

Malware

Over 10,000 Fortinet Firewalls Exposed to Critical 2FA Bypass Flaw

CRITICAL

Actively Exploited 2FA Bypass Flaw (CVE-2020-12812) Leaves Over 10,000 Fortinet Firewalls Vulnerable

Security watchdog Shadowserver revealed on January 2, 2026, that over 10,000 Fortinet FortiGate firewalls remain unpatched and vulnerable to a critical, five-year-old 2FA bypass flaw, CVE-2020-12812. This vulnerability, rated 9.8 on the CVSS scale, allows an attacker with valid credentials to bypass FortiToken-based two-factor authentication by simply changing the case of the username during login. The flaw stems from a mismatch where FortiGate is case-sensitive, but the backend LDAP server is not. Despite patches being available since July 2020 and CISA adding it to its Known Exploited Vulnerabilities (KEV) catalog, thousands of devices, including over 1,300 in the US, remain exposed and are being actively exploited by threat actors.

CVE-2020-12812FortinetFortiGateVulnerability2FA Bypass +3 more

Over 10,000 Fortinet Firewalls Exposed to Critical 2FA Bypass Flaw

Vulnerability

Patch Management