Microsoft Disrupts RedVDS Cybercrime Subscription Service Fueling Global Fraud Operations
Microsoft has announced a coordinated legal and law enforcement action to dismantle RedVDS, a global cybercrime-as-a-service platform that enabled large-scale fraud, phishing, and business email compromise operations. Operating since at least 2019, RedVDS sold low-cost, disposable virtual Windows servers with administrator access and minimal oversight, allowing cybercriminals to launch attacks that were cheap, scalable, and difficult to trace. Microsoft’s Digital Crimes Unit, working with Europol, German authorities, and partners in the United States and the United Kingdom, seized key infrastructure and took the RedVDS marketplace and customer portals offline. RedVDS-enabled activity has been linked to roughly $40 million in reported fraud losses in the United States alone, with real-world victims including healthcare providers and residential associations targeted through sophisticated payment diversion schemes. Microsoft’s investigation revealed that RedVDS infrastructure was heavily abused for phishing campaigns, credential theft, real estate payment diversion scams, and AI-enabled impersonation attacks leveraging generative text, voice cloning, and manipulated media. In a single month, more than 2,600 RedVDS virtual machines sent an average of one million phishing messages per day to Microsoft customers, contributing to the compromise of, or fraudulent access to, more than 191,000 organizations worldwide since September 2025. The service functioned as a force multiplier for cybercrime, letting attackers rapidly provision infrastructure geographically close to their targets, evade defenses, and scale operations across sectors such as real estate, healthcare, manufacturing, and education. Organizations should prioritize phishing-resistant MFA, strict out-of-band verification of payment changes, detection of anomalous mailbox access and new forwarding or redirect rules, and rapid reporting of suspected fraud to help disrupt the shared infrastructure supporting cybercriminal services such as RedVDS.
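The forwarding-rule detection recommended above, as an added example for this digest (it is not Microsoft's detection logic and nothing from the RedVDS investigation): it scans Microsoft 365 unified audit log records in the Exchange admin audit shape (Operation, UserId, ClientIP, and Parameters as Name/Value pairs) and flags any inbox rule or mailbox change that forwards or redirects mail to a domain outside the tenant. The records, the domains in them, and the INTERNAL_DOMAINS list are constructed assumptions a deployment would replace with its own accepted domains and a real export.

```python
"""Flag mailbox-forwarding changes in Microsoft 365 unified audit log records.

Added example for this digest, not Microsoft's detection logic or anything from
the RedVDS investigation. Records follow the Exchange admin audit shape
(Operation, UserId, ClientIP, Parameters as Name/Value pairs); the records below
are constructed, and INTERNAL_DOMAINS is an assumption a tenant would replace.
"""
import json
import re

INTERNAL_DOMAINS = {"contoso.example"}   # assumption: the tenant's own accepted domains
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress")
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Constructed sample records, one JSON object per line; not real tenant data.
SAMPLE_LOG = r'''
{"Operation": "New-InboxRule", "UserId": "ap@contoso.example", "ClientIP": "203.0.113.10", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"}, {"Name": "ForwardTo", "Value": "billing-updates@mail-drop.example"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"Operation": "New-InboxRule", "UserId": "hr@contoso.example", "ClientIP": "198.51.100.7", "Parameters": [{"Name": "Name", "Value": "Archive newsletters"}, {"Name": "FromAddressContainsWords", "Value": "newsletter"}, {"Name": "MoveToFolder", "Value": "Archive"}]}
{"Operation": "Set-Mailbox", "UserId": "cfo@contoso.example", "ClientIP": "198.51.100.7", "Parameters": [{"Name": "Identity", "Value": "cfo"}, {"Name": "ForwardingSmtpAddress", "Value": "smtp:cfo.backup@contoso.example"}]}
{"Operation": "Set-Mailbox", "UserId": "cfo@contoso.example", "ClientIP": "203.0.113.10", "Parameters": [{"Name": "Identity", "Value": "cfo"}, {"Name": "ForwardingSmtpAddress", "Value": "smtp:cfo.finance@accounts-verify.example"}, {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}
'''


def _addresses(value):
    """Split 'smtp:a@x;b@y' style values into bare lower-case addresses."""
    found = []
    for part in re.split(r"[;,]", value):
        part = part.strip().lower()
        part = part[5:] if part.startswith("smtp:") else part
        if "@" in part:
            found.append(part)
    return found


def external_forwarding_findings(log_text, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per record that forwards or redirects mail outside internal_domains."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        targets = [a for name in FORWARDING_PARAMS if name in params
                   for a in _addresses(params[name])]
        external = [t for t in targets if t.rsplit("@", 1)[1] not in internal_domains]
        if not external:
            continue
        reasons = ["forwards outside the tenant's domains"]
        if params.get("DeleteMessage", "").lower() == "true":
            reasons.append("deletes the original, hiding the forward from the mailbox owner")
        rule_name = params.get("Name")          # present only on inbox-rule operations
        if rule_name is not None and len(rule_name.strip()) <= 2:
            reasons.append("inbox rule with a throwaway name")
        if any(k in params for k in ("SubjectContainsWords", "BodyContainsWords")):
            reasons.append("filters on message content (payment or invoice keywords are typical)")
        findings.append({"user": rec.get("UserId"), "operation": rec["Operation"],
                         "client_ip": rec.get("ClientIP"), "targets": external,
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in external_forwarding_findings(SAMPLE_LOG):
        print(f"{f['operation']} by {f['user']} from {f['client_ip']} -> {', '.join(f['targets'])}")
        for r in f["reasons"]:
            print("   -", r)
```

Two of the four constructed records are flagged: the accounts-payable rule that forwards invoice mail to an outside domain and deletes the original, and the CFO mailbox being pointed at an outside address. The internal backup forward and the newsletter rule are left alone. Pair the output with the ClientIP so a rule created from an address that has never logged into the tenant before stands out.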
Palo Alto Networks Patches High-Severity DoS Flaw Allowing Firewall Disruption
Palo Alto Networks has released fixes for a high-severity denial-of-service vulnerability, tracked as CVE-2026-0227, that allows unauthenticated attackers to force affected firewalls into maintenance mode, effectively disabling the protections they provide. The flaw affects unpatched PAN-OS next-generation firewall builds in the 10.1 and later release trains, as well as Prisma Access deployments, whenever a GlobalProtect gateway or portal is enabled. Repeated exploitation attempts over the network can trigger the condition without credentials or user interaction, creating a low-effort path to service disruption. While no active exploitation had been observed at the time of disclosure, nearly 6,000 internet-exposed Palo Alto firewalls have been identified, underscoring the potential blast radius if the vulnerability is weaponized. This disclosure follows a sustained pattern of threat activity targeting PAN-OS environments, including prior zero-days, chained exploits, and brute-force campaigns against GlobalProtect portals, highlighting continued adversary focus on perimeter infrastructure. Palo Alto Networks has issued patched releases across supported PAN-OS and Prisma Access versions and confirmed that most cloud-hosted Prisma Access instances have already been upgraded, with remaining customers scheduled for remediation. Organizations should immediately upgrade to the fixed PAN-OS or Prisma Access versions, inventory which GlobalProtect portals and gateways are reachable from the internet, restrict internet-facing access that is not required, and monitor for unexpected maintenance-mode transitions or reboots that could indicate attempted DoS activity.
MonetaStealer macOS Stealer Targets Professional Users via Disguised Portfolio Files
MonetaStealer is a newly identified information-stealing malware targeting macOS users through deceptive file disguises and social engineering, distributed primarily under the Windows-style filename Portfolio_Review[.]exe even though the file is a macOS Mach-O binary. The threat is a PyInstaller-packaged Mach-O that conceals its malicious Python payload within a compressed CArchive, defeating basic static inspection that does not unpack the archive. The malware explicitly checks for a macOS environment before executing, indicating deliberate platform targeting rather than opportunistic spread. Researchers believe MonetaStealer is still in an early development phase and was likely heavily assisted by AI-generated code, as evidenced by its lack of obfuscation and verbose debug output. Despite these limitations, the malware had a zero-detection rate on VirusTotal at the time of discovery, highlighting its ability to evade common defenses. Once executed, MonetaStealer attempts to harvest a broad range of sensitive data from the victim system, including Chrome browser credentials, cookies, browsing history, cryptocurrency wallet artifacts, Wi-Fi passwords, SSH private keys, clipboard contents, and financial documents. It leverages native macOS utilities such as security find-generic-password, pbpaste, and networksetup to extract credentials and perform host reconnaissance, generating visible system prompts (such as keychain access requests) in the process. Browser data theft is prioritized through keyword filtering to identify high-value financial and cryptocurrency sessions, increasing the likelihood of monetizable outcomes. Stolen data is staged locally into a compressed archive before being sent to attacker-controlled Telegram bot infrastructure for exfiltration. While the malware lacks persistence mechanisms and advanced anti-analysis features, its functionality clearly indicates an intent to support credential theft and financial fraud.
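A triage helper for the packaging trick described above, added here as an example for this digest; it is neither the MonetaStealer code nor PyInstaller's own tooling. It implements the CArchive layout PyInstaller has used since version 2.1 (an 88-byte cookie that ends the package, a table of contents of fixed-header entries, optional per-entry zlib compression), locates the cookie wherever it sits in the file (appended, or carried in a dedicated Mach-O section, taking the last occurrence), lists every entry by type, and inflates the top-level script entries so an analyst can read the payload without running it. build_carchive(), make_sample() and SAMPLE_SCRIPT exist only to construct a stand-in file to run against; the script text is a benign imitation of the platform check and clipboard read the report describes, not a sample from the malware.

```python
"""Triage helper for PyInstaller-packed binaries such as the MonetaStealer dropper.

Added example for this digest; it is neither the malware's code nor PyInstaller's
own tooling. It implements the CArchive layout PyInstaller has used since 2.1:
an 88-byte cookie that ends the package, a table of contents of '!IIIIBc'-prefixed
entries, and optional per-entry zlib compression. build_carchive() and
make_sample() only exist to construct a stand-in file to run against.
"""
import struct
import zlib

MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIii64s"   # magic, package length, TOC offset, TOC length, python version, pylib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)   # 88 bytes
ENTRY_FMT = "!IIIIBc"       # entry length, data offset, compressed length, raw length, cflag, type code
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)     # 18 bytes
TYPE_NAMES = {"s": "python script", "m": "python module", "M": "python package",
              "z": "PYZ archive", "Z": "zip file", "b": "binary", "x": "data",
              "o": "runtime option", "d": "dependency", "l": "splash"}


def build_carchive(items, pyver=312, pylib=b"libpython3.12.dylib"):
    """Assemble a CArchive from (name, type_code, data, compress) tuples (sample construction only)."""
    body, toc = b"", b""
    for name, typecd, data, compress in items:
        blob = zlib.compress(data) if compress else data
        name_b = name.encode() + b"\0"
        name_b += b"\0" * ((-(ENTRY_SIZE + len(name_b))) % 16)   # PyInstaller pads entries to 16 bytes
        toc += struct.pack(ENTRY_FMT, ENTRY_SIZE + len(name_b), len(body), len(blob), len(data),
                           int(compress), typecd.encode()) + name_b
        body += blob
    cookie = struct.pack(COOKIE_FMT, MAGIC, len(body) + len(toc) + COOKIE_SIZE, len(body),
                         len(toc), pyver, pylib)
    return body + toc + cookie


def parse_carchive(blob):
    """Find the cookie anywhere in blob (appended or section-embedded) and walk the TOC."""
    cookie_pos = blob.rfind(MAGIC)
    if cookie_pos < 0:
        raise ValueError("no PyInstaller cookie found")
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, blob[cookie_pos:cookie_pos + COOKIE_SIZE])
    pkg_start = cookie_pos + COOKIE_SIZE - pkg_len   # package length counts the cookie itself
    if pkg_start < 0:
        raise ValueError("cookie claims a package larger than the file")
    pos, end, entries = pkg_start + toc_off, pkg_start + toc_off + toc_len, []
    while pos < end:
        entry_len, data_off, clen, ulen, cflag, typecd = struct.unpack(
            ENTRY_FMT, blob[pos:pos + ENTRY_SIZE])
        name = blob[pos + ENTRY_SIZE:pos + entry_len].rstrip(b"\0").decode("utf-8", "replace")
        code = typecd.decode()
        entries.append({"name": name, "typecd": code, "type": TYPE_NAMES.get(code, code),
                        "compressed": bool(cflag), "offset": pkg_start + data_off,
                        "clen": clen, "ulen": ulen})
        pos += entry_len
    return {"python": pyver, "pylib": pylib.rstrip(b"\0").decode(), "entries": entries}


def extract_entry(blob, entry):
    """Return an entry's raw bytes, inflating it when the TOC marks it compressed."""
    raw = blob[entry["offset"]:entry["offset"] + entry["clen"]]
    return zlib.decompress(raw) if entry["compressed"] else raw


def embedded_scripts(blob):
    """Return {name: source} for every top-level script ('s') entry: the payload to read first."""
    return {e["name"]: extract_entry(blob, e).decode("utf-8", "replace")
            for e in parse_carchive(blob)["entries"] if e["typecd"] == "s"}


# Constructed stand-in for a packed payload: it imitates the platform check and
# clipboard read the report describes, and is only listed here, never executed.
SAMPLE_SCRIPT = (
    "import platform, subprocess\n"
    "if platform.system() != 'Darwin':\n"
    "    raise SystemExit('wrong platform')\n"
    "clip = subprocess.run(['pbpaste'], capture_output=True, text=True).stdout\n"
)


def make_sample():
    """A fake Mach-O prefix (64-bit magic plus zero padding) followed by a tiny CArchive."""
    prefix = b"\xcf\xfa\xed\xfe" + b"\0" * 60
    return prefix + build_carchive([
        ("pyi-contents-directory _internal", "o", b"", False),
        ("Portfolio_Review", "s", SAMPLE_SCRIPT.encode(), True),
        ("PYZ-00.pyz", "z", b"PYZ\0stub", False),
    ])


if __name__ == "__main__":
    sample = make_sample()
    info = parse_carchive(sample)
    print(f"python {info['python']} ({info['pylib']})")
    for e in info["entries"]:
        print(f"{e['typecd']} {e['type']:15} {e['ulen']:6d}B  {e['name']}")
    for name, src in embedded_scripts(sample).items():
        print(f"--- {name} ---\n{src}")
```

To run it against a suspect file, pass the file's bytes (for example `parse_carchive(open(path, "rb").read())`) instead of make_sample(); the 's' entries are the author's own scripts, while the PYZ entry holds the bundled library modules and needs the PYZ format, not covered here, to go further. Do this on a copy, on an analysis host, and never launch the binary itself.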
DPRK “Contagious Interview” Campaign Abuses VS Code Tasks for Silent Developer Compromise
Security researchers at Radar detailed a sophisticated North Korean–linked campaign, dubbed Contagious Interview, that targets developers through malicious code repositories delivered as take-home technical assessments or partnership requests on LinkedIn. The attack abuses Visual Studio Code’s task automation by embedding a hidden task configured to run on folder open, so the malware executes even when victims never run the code themselves, provided the workspace has been marked as trusted. The campaign uses a dual-stack architecture, combining a Node.js in-memory controller for immediate credential, wallet, and browser data theft with a Python backdoor derived from the InvisibleFerret family for follow-on access, surveillance, and in some cases cryptomining. Consistent tooling, infrastructure, and commit timestamps in the UTC+9 (KST) time zone strongly attribute the activity to North Korea-aligned IT worker operations. The malware prioritizes rapid theft over stealthy long-term persistence, leveraging clipboard monitoring, browser database exfiltration, and wallet harvesting, while relying on social engineering and IDE trust mechanics rather than exploit chains. On Windows systems, deeper persistence is achieved through abuse of the startup folder, scheduled task hijacking, and Defender exclusions, while Linux and macOS infections are largely memory-resident unless re-triggered by reopening the malicious project. The campaign underscores a growing trend of supply-chain-style attacks against developers, in which development tools themselves serve as the execution vector. Developers should disable automatic VS Code tasks (the task.allowAutomaticTasks setting), open unsolicited or unfamiliar repositories in Restricted Mode rather than trusting the workspace, audit .vscode/tasks.json files before opening folders, and rotate credentials or rebuild systems if suspicious [.]npm, [.]n2, or [.]n3 artifacts are discovered.
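The tasks.json audit recommended above, as an added example for this digest; it is not Radar's tooling and not code from the campaign. It strips the comments and trailing commas VS Code tolerates in tasks.json, then reports every task whose runOptions.runOn is "folderOpen" together with the command line it would execute, including per-OS overrides, and whether the task is hidden from the task picker or its terminal output is suppressed. SAMPLE_TASKS_JSON is constructed to mirror the hidden auto-run pattern the report describes; the scripts/setup.js path in it is a stand-in, not an indicator from the campaign.

```python
"""Pre-open audit of VS Code task files for tasks that auto-run on folder open.

Added example for this digest; not Radar's tooling and not code from the campaign.
It strips the comments and trailing commas VS Code tolerates in tasks.json, then
reports every task whose runOptions.runOn is "folderOpen" with the command it
would execute. SAMPLE_TASKS_JSON is constructed to mirror the hidden auto-run
pattern described; the setup.js path in it is a stand-in, not a real indicator.
"""
import json
import re
from pathlib import Path

SAMPLE_TASKS_JSON = r'''{
  // Workspace tasks
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
      "group": "build",
    },
    {
      "label": "prepare",          /* looks routine in the task picker */
      "type": "shell",
      "command": "node",
      "args": ["-e", "require('./scripts/setup.js')"],
      "hide": true,
      "presentation": { "reveal": "never", "echo": false, "panel": "dedicated" },
      "runOptions": { "runOn": "folderOpen" },
    },
  ],
}'''


def strip_jsonc(text):
    """Drop // and /* */ comments outside string literals, then trailing commas."""
    pieces, buf, i, n = [], [], 0, len(text)
    while i < n:
        if text[i] == '"':                         # copy string literals untouched
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1   # skip escaped characters
            pieces.append((False, "".join(buf)))
            pieces.append((True, text[i:j + 1]))
            buf = []
            i = j + 1
        elif text.startswith("//", i):
            nl = text.find("\n", i)
            i = n if nl < 0 else nl
        elif text.startswith("/*", i):
            close = text.find("*/", i + 2)
            i = n if close < 0 else close + 2
        else:
            buf.append(text[i])
            i += 1
    pieces.append((False, "".join(buf)))
    # Trailing commas only ever sit between a comma and a closing bracket,
    # so they are removed from the non-string pieces alone.
    return "".join(t if is_str else re.sub(r",(\s*[\]}])", r"\1", t) for is_str, t in pieces)


def _command_line(spec):
    """Flatten command (string or {"value": ...}) and args into one display line."""
    cmd = spec.get("command", "")
    if isinstance(cmd, dict):
        cmd = cmd.get("value", "")
    args = [a.get("value", "") if isinstance(a, dict) else str(a) for a in spec.get("args", [])]
    return " ".join([str(cmd), *args]).strip()


def auto_run_tasks(tasks_json_text):
    """Return the tasks VS Code would start on folder open in a trusted workspace."""
    doc = json.loads(strip_jsonc(tasks_json_text))
    findings = []
    for task in doc.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        commands = {"default": _command_line(task)}
        for os_key in ("windows", "osx", "linux"):      # per-OS overrides replace command/args
            if isinstance(task.get(os_key), dict):
                commands[os_key] = _command_line({**task, **task[os_key]})
        reveal = (task.get("presentation") or {}).get("reveal")
        findings.append({"label": task.get("label"), "type": task.get("type"),
                         "hidden": bool(task.get("hide")) or reveal == "never",
                         "commands": commands})
    return findings


def audit_checkout(root):
    """Scan an unopened checkout for .vscode/tasks.json files; returns {path: findings}."""
    results = {}
    for path in Path(root).rglob("tasks.json"):
        if path.parent.name == ".vscode":
            results[str(path)] = auto_run_tasks(path.read_text(encoding="utf-8"))
    return results


if __name__ == "__main__":
    for hit in auto_run_tasks(SAMPLE_TASKS_JSON):
        flag = "HIDDEN " if hit["hidden"] else ""
        print(f"{flag}folderOpen task {hit['label']!r} ({hit['type']}):")
        for scope, line in hit["commands"].items():
            print(f"   {scope}: {line}")
```

Run audit_checkout() on the cloned directory before opening it in the editor; any hit means the folder must not be trusted. Setting "task.allowAutomaticTasks" to "off" in user settings prevents folderOpen tasks from running at all, and VS Code's Restricted Mode does not run them either, so the audit is a belt-and-braces check on top of those two controls, not a replacement for them.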
Verizon Wireless Nationwide Outage Disrupts Cellular Service Across the United States
Verizon Wireless experienced a widespread network outage that left many customers without cellular voice or data service, with affected devices displaying an “SOS” indicator allowing only emergency calls. Reports began surfacing around noon ET, with users across multiple states impacted rather than a single geographic region, suggesting a systemic network issue. Customers attempting to reach affected Verizon subscribers encountered automated messages stating the called party was temporarily unavailable. While early reports suggested other carriers might be experiencing similar issues, T-Mobile later confirmed its own network was operating normally, noting only an indirect impact when attempting to contact Verizon users. Verizon acknowledged the disruption publicly and stated that engineering teams were fully engaged in identifying and resolving the issue. The company did not initially disclose the root cause of the outage. By approximately 10:20 PM ET on January 14, 2026, Verizon announced that service had been restored and advised customers to restart their devices to reconnect to the network. In follow-up communications on January 15, Verizon issued a formal apology and confirmed that affected customers would receive a $20 account credit, with business customers to be contacted separately regarding compensation. Despite the restoration of service, Verizon has not provided technical details explaining what caused the outage or whether it stemmed from a configuration error, an infrastructure failure, or another network event. The incident highlights the operational risk posed by large-scale carrier outages, particularly as mobile connectivity underpins emergency communications, business operations, and authentication services such as SMS-based and push-based second factors.