TRENDING TOPICS June 12, 2026

Critical UniFi OS and UID Agent Flaws Expose Networks to High-Risk Compromise

Ubiquiti has disclosed multiple critical vulnerabilities affecting UniFi OS devices and the UID Enterprise Agent, with CVE-2026-47367 leading the pack at a CVSS score of 9.9. The flaw stems from improper input validation and allows a low-privilege attacker with network access to execute a command injection attack on the host system. Affected platforms include UniFi Dream Machine appliances, Cloud Gateways, Network Video Recorders, and UniFi OS Server deployments - covering a broad range of enterprise and small business environments.

The risk compounds significantly when CVE-2026-47367 is chained with related issues: CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 introduce improper access control, path traversal, and additional command injection vectors. Together, these vulnerabilities can enable unauthorized configuration changes, access to sensitive files, privilege escalation, and deep lateral movement within internal networks. Given the widespread deployment of UniFi systems in branch and remote environments, even limited initial access can escalate quickly into a full network compromise.

Ubiquiti has released patches addressing these issues, including UID Enterprise Agent version 1.61.4 and updated UniFi OS builds at version 5.1.15 or later. Organizations should prioritize patching immediately, restrict management interfaces to trusted networks or VPN access, and review administrative controls and logs for signs of misuse. Strengthening segmentation between user and management networks is equally important - it limits an attacker's ability to pivot into core infrastructure if initial access is achieved.

GRU-Linked APT28 Weaponizes Moobot Botnet to Turn Ubiquiti Routers into Espionage Infrastructure

Recent reporting highlights how APT28, the Russia-linked threat actor associated with the GRU, has repurposed the Moobot botnet to support large-scale cyber espionage by hijacking vulnerable Ubiquiti EdgeRouter devices. Moobot is a Mirai-based malware strain that has been active for years, typically used by cybercriminals to compromise routers and IoT equipment through default or weak credentials and known device vulnerabilities.

In this latest activity, non-state actors first compromised hundreds of small office and home office routers with Moobot - then APT28 stepped in and used the existing botnet as ready-made infrastructure for stealthy operations rather than building its own network from scratch. According to public court documents and allied government advisories, APT28 operators deployed their own tools and scripts on Moobot-infected Ubiquiti routers to create a global proxy network that obscured the true origin of their operations. This infrastructure was used to harvest credentials and NTLMv2 hashes, host spear-phishing landing pages, conduct brute-force password attacks, and steal router login credentials to enable further lateral movement.

The same botnet has also been linked to distributed denial-of-service campaigns and broader criminal abuse, underscoring how shared criminal infrastructure can be co-opted by state-backed groups to expand their reach and complicate attribution.

Defenders should treat edge routers and other commonly overlooked network appliances as high-value assets. Recommended mitigations include factory resetting and reimaging compromised devices, upgrading to the latest firmware, replacing default or reused credentials, and tightening firewall rules to limit remote management exposure. Organizations should also improve visibility into unmanaged IoT-style assets, segregate them from critical systems, and monitor for unexpected outbound connections or configuration changes on Ubiquiti EdgeRouters and similar hardware.

Recent law enforcement takedown operations show that coordinated action can significantly disrupt these botnets - but long-term resilience still depends on basic hardening and hygiene at the device level.

Threat Actors Weaponize NinjaOne RMM Agents Through Stealthy PDF Phishing Lures

Attackers are increasingly abusing legitimate NinjaOne RMM agents as a stealthy backdoor into corporate environments. Rather than deploying obvious malware, threat actors send phishing emails with PDF attachments that claim an invoice failed to load or that a video payment error occurred, then prompt victims to click through to a fake Adobe or cloud viewer page. Once there, users are silently served a malicious NinjaOne installer built with NSIS, which fetches and installs the RMM agent from attacker-controlled infrastructure without clear user awareness or consent.

This technique gives adversaries fully featured remote access that blends into normal IT operations - NinjaOne is widely used and often implicitly trusted by defenders. After establishing access, attackers can move laterally, harvest data, deploy additional payloads, or stage ransomware, all while operating through a signed, enterprise-grade tool that many security products treat as benign.

The campaign, described by AhnLab Security Intelligence Center, has been active since at least late 2025 and fits a broader trend: RMM abuse is surging as criminals and advanced threat actors pivot away from custom malware toward legitimate remote tools that are harder to flag and easier to explain away.

Organizations should tighten control over which RMM platforms are approved, monitor for unexpected NinjaOne installations or connections, and treat any new RMM agent appearing outside standard IT channels as a high-priority incident requiring immediate investigation.

ShinyHunters Target Oracle 0‑day in PeopleSoft to Steal Sensitive Data

The ShinyHunters extortion group is actively exploiting a zero-day in Oracle's PeopleSoft Enterprise PeopleTools to steal personal and financial data from large organizations. The flaw, tracked as CVE-2026-35273, enables remote code execution in PeopleTools versions 8.61 and 8.62 as well as PeopleSoft Enterprise Applications, and requires no authentication to exploit. It has already been linked to a major breach at the University of Nottingham involving roughly 40 GB of staff, student, and alumni data.

To execute the attack, ShinyHunters first stood up staging infrastructure using customized MeshCentral agents crafted to resemble legitimate cloud endpoints. Once a foothold was established, the attackers used administrative commands and custom scripts to move laterally, expand access, and exfiltrate high-value data across affected systems. The combination of stealthy remote management tooling and an unauthenticated RCE bug makes this campaign both difficult to detect and highly attractive to financially motivated threat actors.

Oracle has acknowledged the vulnerability but no public patch is currently available. In the meantime, Oracle and Google Threat Intelligence strongly recommend that organizations running PeopleSoft immediately block external access to affected components at the firewall, allowing access only from trusted internal networks. Security teams should audit WebLogic access logs for suspicious POST requests to relevant endpoints originating from untrusted IP addresses and pay close attention to loopback or internal addresses appearing in request parameters, which may indicate active exploitation.
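As an added illustration of the log review recommended above (example code written for this digest, not Oracle's or Google Threat Intelligence's own tooling), the following Python script triages constructed WebLogic access-log lines for POST requests from untrusted sources and for loopback or private addresses inside request parameters. It assumes WebLogic's default Common Log Format, a constructed trusted-network allow-list, and a placeholder path prefix standing in for the affected PeopleTools endpoints, which this page does not name.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Assumes WebLogic's default Common Log Format for access.log; adjust the regex for extended formats.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+')
# Networks permitted to reach PeopleSoft (constructed values; substitute your own allow-list).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Placeholder for the affected PeopleTools paths, which this page does not name.
WATCHED_PREFIXES = ("/PLACEHOLDER-PEOPLETOOLS-ENDPOINT/",)

def is_trusted(client):
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:          # hostnames or garbage never count as trusted
        return False
    return any(addr in net for net in TRUSTED_NETS)

def internal_addresses_in_params(target):
    # Loopback or RFC 1918 addresses in query-string values, the pattern the advisory flags
    found = []
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for token in re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", value):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:  # e.g. "999.1.1.1" looks like an IP but is not one
                continue
            if ip.is_loopback or ip.is_private:
                found.append(token)
    return found

def triage(lines):
    # Yield (line, reasons) for POSTs to watched paths that deserve analyst review
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not urlsplit(m["target"]).path.startswith(WATCHED_PREFIXES):
            continue
        reasons = []
        if not is_trusted(m["client"]):
            reasons.append("untrusted source " + m["client"])
        if internal := internal_addresses_in_params(m["target"]):
            reasons.append("internal address in parameters: " + ", ".join(internal))
        if reasons:
            yield line, reasons

SAMPLE_LOG = [  # constructed lines, not real traffic
    '203.0.113.7 - - [11/Jun/2026:02:14:09 +0000] "POST /PLACEHOLDER-PEOPLETOOLS-ENDPOINT/ps?cb=http://127.0.0.1:8000/ HTTP/1.1" 200 512',
    '10.1.2.3 - - [11/Jun/2026:09:00:01 +0000] "POST /PLACEHOLDER-PEOPLETOOLS-ENDPOINT/ps HTTP/1.1" 200 88',
    '198.51.100.9 - - [11/Jun/2026:09:05:44 +0000] "GET /PLACEHOLDER-PEOPLETOOLS-ENDPOINT/ps HTTP/1.1" 200 1024',
]
```

Access logs record only the query string, so parameters carried in a POST body need WAF or application-level logging to inspect.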

Given Oracle's prevalence across large enterprises and higher education, the potential blast radius is significant. Defenders should treat this as a high-priority incident response item rather than routine maintenance. Organizations should verify they are running a supported PeopleSoft version, monitor Oracle's security advisories closely, and prepare to deploy patches or mitigations as soon as they become available. Until then, hardening perimeter controls, tightening monitoring of PeopleSoft and WebLogic infrastructure, and confirming that no unauthorized MeshCentral or similar remote-access agents exist in the environment are critical near-term steps.

Phishing Campaign Uses Tax Lures to Deliver In‑Memory Malware

A new phishing campaign is exploiting tax season anxiety to deliver stealthy in-memory malware that traditional defenses struggle to detect. Attackers are sending emails masquerading as W-2 forms or rejected tax notifications from recognizable brands like Intuit QuickBooks and H&R Block, with attached PDFs that appear legitimate. When victims open these PDFs, they are silently redirected to a ZIP archive containing an NSIS installer that loads a malicious DLL - bypassing security controls before the user realizes anything is wrong.

Once executed, the DLL performs anti-analysis checks, disables Windows Update, and injects itself into legitimate Windows processes so its activity blends into normal system behavior. The malware uses LLVM-based control flow flattening to obfuscate execution paths, complicate reverse engineering, and slow incident response. Operating entirely in memory and abusing built-in tools like PowerShell and Windows Management features, it leaves minimal artifacts on disk - significantly hampering both traditional antivirus detection and post-incident forensics.

Recent campaigns have been attributed to the Silver Fox threat group, which is specifically targeting Indian organizations and individuals with lures that mimic familiar local tax and financial workflows. Once established, the malware provides attackers with full remote access, including keylogging, file transfer, and arbitrary command execution.

To defend against these attacks, organizations should prioritize detection of in-memory shellcode execution, anomalous DLL load behavior, suspicious NSIS installers, and unusual outbound WebSocket connections from endpoints. Reinforcing user awareness around unsolicited tax-related documents delivered via email remains an equally important layer of defense.

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics.

Written By: William Elchert
