January 5, 2026 Cyber Threat Intelligence Briefing

Jan 5, 2026

This week’s briefing covers:

00:00 – Intro

00:36 [VULNERABILITY] MongoBleed Vulnerability Exploited in the Wild (CVE-2025-14847)
MongoDB has disclosed a vulnerability that can be exploited remotely by unauthenticated attackers and potentially lead to exfiltration of sensitive data. A proof of concept was released publicly on December 26, 2025, and the vulnerability has since been added to the CISA Known Exploited Vulnerabilities database, although full details of exploitation are not available at the time of writing.

02:20 [HACKTIVISM] Pro-Russian Hacktivists Conducting Attacks Against Critical Infrastructure
CISA has released an advisory detailing that multiple pro-Russia hacktivist groups are actively conducting opportunistic cyberattacks against critical infrastructure systems in the U.S. and globally. These attacks exploit basic weaknesses rather than using highly sophisticated techniques typical of advanced persistent threat actors.

04:04 [SUPPLY CHAIN] Shai-Hulud Potential Imminent Return
Researchers at Aikido have highlighted a newly discovered strain of Shai-Hulud in a package located in the Node Package Manager repository. The code's overall functionality appears unchanged: it continues to use TruffleHog to gather credentials and publish them to GitHub.

06:00 [MALWARE] KIMWOLF Botnet Rapidly Grows via Proxy Service Vulnerability
Researchers report that the KIMWOLF botnet has now infected over 2 million devices across the globe. KIMWOLF is primarily notable for distributed denial-of-service attacks; however, the botnet infrastructure is also used to relay malicious traffic that might otherwise be blocked or mitigated.

07:37 [THREAT ACTOR] Mustang Panda Deploys Stealthy Kernel Rootkit
Chinese threat actor Mustang Panda is deploying an updated ToneShell backdoor using a signed kernel-mode rootkit to target Asian government entities. The group uses a driver named ProjectConfiguration.sys, signed with a stolen certificate from a Chinese ATM provider, to register as a minifilter.

Dive deeper:

Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/cti-spotlight-trends-report

Kroll’s Q4 2024 Cyber Threat Landscape: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/q4-2024-threat-landscape-report-phishing

Kroll’s 2025 Cyber Threat Landscape Report: Cybercrime in the Crypto Era: https://www.kroll.com/Reports/Cyber/Threat-Intelligence-Reports/Threat-Landscape-Report-Lens-on-Crypto

Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: https://www.youtube.com/playlist

Kroll Cyber Blog: https://www.kroll.com/en/insights/cyber

Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber/threat-intelligence-services

Kroll Threat Intelligence Reports: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports

Kroll Responder MDR: https://www.kroll.com/en/services/cyber/kroll-responder
