This week’s Threatsday Bulletin reflects how quickly everyday digital tools can become entry points for cyber risk. From malicious movie torrents and compromised browser extensions to trusted software updates being abused, attackers continue to exploit familiarity and scale. Governments, regulators, and technology firms are responding with enforcement actions, patches, and policy changes, while security researchers reveal persistent weaknesses across cloud platforms, operating systems, and artificial intelligence services.
One of the most concerning developments involves a Mirai based botnet variant called Broadside that has been actively exploiting a critical vulnerability in TBK DVR systems used within maritime logistics environments. Security firm Cydome reported that Broadside departs from traditional Mirai behavior by using a custom command and control protocol, stealthy kernel level monitoring via Netlink sockets, and payload polymorphism to bypass static defenses. The malware aggressively attempts to maintain exclusive control of infected devices by terminating competing processes and harvesting credential files such as /etc/passwd and /etc/shadow. Beyond denial of service activity, this approach enables longer term access to sensitive maritime infrastructure. At the same time, the U.K. National Cyber Security Centre warned that prompt injection flaws in generative AI systems may never be fully mitigated, urging organizations to design controls that restrict system actions rather than relying solely on content filtering.
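The NCSC's point that prompt injection cannot be filtered away at the content layer is easiest to see in code. The block below is an added example, not code from the NCSC or from any product named in the bulletin: it shows an action gate that sits between an LLM agent and the tools it can invoke. Whatever text the model was tricked into emitting, the gate only permits actions on an allow-list, with the expected parameter set, inside policy limits, and escalates high-risk actions to a human. The action names, the `example.com` recipient domain and the requested-action samples are all assumed/constructed for illustration.

```python
"""Action-level gating for an LLM agent (added example, not from the bulletin).

The model's output is treated as untrusted input: it may *request* an action,
but the policy below decides whether the action runs, independent of any
content filtering applied to the prompt or the model's text.
"""
from dataclasses import dataclass
from typing import Any

# Hypothetical policy: every action the agent may request, its exact parameter
# set and its risk tier. Anything not listed here is refused outright.
ALLOWED_ACTIONS: dict[str, dict[str, Any]] = {
    "read_ticket": {"params": {"ticket_id"}, "tier": "low"},
    "send_email": {"params": {"to", "body"}, "tier": "high"},
}

# Hypothetical list of domains the agent is allowed to e-mail.
INTERNAL_DOMAINS = {"example.com"}


@dataclass
class Decision:
    allowed: bool       # may the action execute at all?
    needs_human: bool   # if allowed, must a person confirm first?
    reason: str


def gate_action(action: str, params: dict[str, Any]) -> Decision:
    """Decide whether a model-requested action may run, ignoring prompt text."""
    spec = ALLOWED_ACTIONS.get(action)
    if spec is None:
        return Decision(False, False, f"action {action!r} is not on the allow-list")

    # The parameter set must match exactly: no extra fields smuggled in,
    # no required fields left for the tool to default.
    expected = spec["params"]
    if set(params) != expected:
        return Decision(False, False, "parameter set does not match policy")

    # Per-action constraints on parameter values (data flow, not just action type).
    if action == "send_email":
        domain = str(params["to"]).rpartition("@")[2].lower()
        if domain not in INTERNAL_DOMAINS:
            return Decision(False, False, f"recipient domain {domain!r} not permitted")

    if spec["tier"] == "high":
        return Decision(True, True, "high-risk action requires human confirmation")
    return Decision(True, False, "ok")


def process_requests(requests: list[dict[str, Any]]) -> list[tuple[str, bool, bool]]:
    """Run every model-requested action through the gate; return (action, allowed, needs_human)."""
    results = []
    for req in requests:
        d = gate_action(req["action"], req.get("params", {}))
        results.append((req["action"], d.allowed, d.needs_human))
    return results


# Constructed sample: what an agent might emit after reading a poisoned document.
SAMPLE_REQUESTS = [
    {"action": "read_ticket", "params": {"ticket_id": "42"}},
    {"action": "run_shell", "params": {"cmd": "id"}},                        # not on the allow-list
    {"action": "send_email", "params": {"to": "x@attacker.invalid", "body": "data"}},  # external recipient
    {"action": "send_email", "params": {"to": "alice@example.com", "body": "summary"}},
]

if __name__ == "__main__":
    for action, allowed, needs_human in process_requests(SAMPLE_REQUESTS):
        print(f"{action:12s} allowed={allowed!s:5s} needs_human={needs_human}")
```

The design choice is that the gate never inspects the prompt or the model's reasoning; it constrains only what the system can do, so a successful injection degrades into a refused or human-reviewed action rather than an executed one.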
Law enforcement activity featured prominently across several regions, with Europol announcing that 193 individuals connected to violence as a service operations were arrested following a multinational effort under Operational Taskforce GRIMM. Authorities said the networks recruited young individuals to carry out intimidation and violent acts while also intersecting with cyber enabled crimes such as SIM swapping and extortion. In Poland, three Ukrainian nationals were arrested after authorities found specialized hacking equipment during a vehicle inspection, including antennas, routers, laptops, and Flipper devices allegedly intended to interfere with strategic IT systems. Spain also reported that a 19 year old suspect was arrested for allegedly stealing and attempting to sell 64 million personal records from nine companies, while Ukrainian police confirmed a separate case involving a 22 year old accused of running malware to hijack social media accounts and operate a large scale bot farm.
Financially motivated cybercrime also remained active, with Russian authorities dismantling an NFC relay fraud operation that abused malware based on NFCGate to steal more than 200 million rubles from bank customers. Victims were tricked into installing fake banking apps and unknowingly transmitting card credentials through their smartphones. Elsewhere, botnets continued to exploit the React2Shell vulnerability, with Bitdefender and GreyNoise observing widespread scanning and payload delivery across smart home devices, routers, and NAS systems in dozens of countries. On Linux systems, researchers uncovered a new backdoor named GhostPenguin that communicates over UDP port 53 and provides attackers with remote shell access and extensive file manipulation capabilities, while Elastic revealed a kernel level technique called FlipSwitch that enables stealthy syscall hooking on modern Linux versions.
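A backdoor that talks over UDP port 53 is betting that defenders let "DNS" traffic through unexamined. The block below is an added example, not code from Elastic or from the GhostPenguin research: it runs a structural DNS sanity check over constructed flow records and flags UDP/53 payloads that do not parse as a DNS message (bad opcode, reserved bit set, empty counts, or a question section that does not decode). The record format, host names and payloads are all constructed for the example.

```python
"""Flag UDP/53 traffic whose payload is not structurally DNS (added example).

This is a defender's detection sketch, not the research team's tooling:
it does not identify a specific malware family, only traffic that uses
the DNS port without speaking DNS.
"""
import struct

DNS_HEADER_LEN = 12


def looks_like_dns(payload: bytes) -> bool:
    """Return True if the payload has a plausible DNS header and question section."""
    if len(payload) < DNS_HEADER_LEN:
        return False
    _txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", payload[:12])

    opcode = (flags >> 11) & 0xF          # QUERY=0, IQUERY=1, STATUS=2; others are rare
    reserved_z = (flags >> 6) & 0x1       # the one Z bit still reserved after AD/CD (DNSSEC)
    if opcode > 2 or reserved_z:
        return False
    if qdcount == ancount == nscount == arcount == 0:
        return False                      # a message carrying nothing at all

    # Walk the question section: labels are length-prefixed, max 63 bytes,
    # terminated by a zero byte or a 2-byte compression pointer (0xC0xx).
    off = DNS_HEADER_LEN
    for _ in range(qdcount):
        while True:
            if off >= len(payload):
                return False
            length = payload[off]
            if length == 0:
                off += 1
                break
            if length & 0xC0 == 0xC0:     # compression pointer ends the name
                off += 2
                break
            if length > 63:
                return False
            off += 1 + length
        if off + 4 > len(payload):        # QTYPE and QCLASS must follow
            return False
        off += 4
    return True


def flag_non_dns_on_53(records: list[dict]) -> list[tuple[str, str]]:
    """Return (src, dst) pairs for UDP/53 flows whose payload fails the DNS check."""
    flagged = []
    for r in records:
        if r["proto"] != "udp" or 53 not in (r["sport"], r["dport"]):
            continue
        if not looks_like_dns(r["payload"]):
            flagged.append((r["src"], r["dst"]))
    return flagged


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal standard A query for `name` (used to construct sample data)."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


# Constructed sample flows: two real-looking lookups and two non-DNS payloads on port 53.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "dst": "10.0.0.53", "proto": "udp", "sport": 40001, "dport": 53,
     "payload": build_query("example.com")},
    {"src": "10.0.0.7", "dst": "10.0.0.53", "proto": "udp", "sport": 40002, "dport": 53,
     "payload": build_query("updates.example.net", txid=0xBEEF)},
    {"src": "10.0.0.9", "dst": "198.51.100.20", "proto": "udp", "sport": 40003, "dport": 53,
     "payload": b"\x00" * 12 + b"cmd:id"},          # all counts zero: not a DNS message
    {"src": "10.0.0.11", "dst": "198.51.100.21", "proto": "udp", "sport": 40004, "dport": 53,
     "payload": b"HELLO-C2-PING"},                   # "LL" as flags decodes to opcode 9
    {"src": "10.0.0.12", "dst": "10.0.0.80", "proto": "tcp", "sport": 40005, "dport": 80,
     "payload": b"GET / HTTP/1.1\r\n"},              # not port 53, ignored
]

if __name__ == "__main__":
    for src, dst in flag_non_dns_on_53(SAMPLE_RECORDS):
        print(f"non-DNS payload on UDP/53: {src} -> {dst}")
```

In practice this check sits alongside destination reputation and volume baselining: legitimate resolvers are a small, stable set, so UDP/53 to arbitrary external hosts is suspicious even before the payload is parsed, and the structural check catches tunnels that do not bother to mimic DNS at all. Malware that wraps its traffic in well-formed DNS records would pass this filter, which is why it is one signal rather than the whole detection.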
Policy and ecosystem level shifts were also evident. Apple and Google issued spyware notifications to users across nearly 80 countries, though details about the surveillance tools remain limited. The European Commission approved Meta’s revised pay or consent advertising model, allowing users to see less personalized ads with reduced data sharing starting January 2026. New Zealand’s NCSC began notifying approximately 26,000 citizens affected by Lumma Stealer infections, marking its first large scale public outreach of this kind. Software supply chain risks persisted as Notepad++ released an update to fix a flaw exploited to hijack its updater, while Sonatype reported that vulnerable Log4j versions were still downloaded nearly 40 million times this year. Additional research highlighted leaked secrets in over 10,000 Docker Hub images, malicious VS Code extensions disguised as PNG files, and AI chat platforms being abused through shared conversations and search poisoning to distribute infostealers. Together, these developments illustrate how cyber threats now intersect with daily life, infrastructure, and policy decisions on a global scale.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.