Google Disrupts IPIDEA — One of the World’s Largest Residential Proxy Networks
Google announced on Wednesday that it worked together with other partners to disrupt IPIDEA, which it described as one of the largest residential proxy networks in the world. The company took legal action to take down dozens of domains used to control devices and proxy traffic through them. As of writing, IPIDEA’s website is no longer accessible. Google’s Threat Intelligence Group observed over 550 threat groups using the proxy network over a seven-day period, with millions of devices removed from the pool. The company also identified over 600 trojanized Android apps that were used to enroll devices into the network without user consent.
eScan confirms update server breached to push malicious update
MicroWorld Technologies, the maker of the eScan antivirus product, has confirmed that one of its update servers was breached and used to distribute, to a small subset of customers earlier this month, an unauthorized update that was later analyzed and found to be malicious. The malicious file was delivered to customers who downloaded updates from the regional update cluster during a two-hour window on January 20, 2026. The attackers distributed a modified version of “Reload.exe,” a legitimate component of eScan’s update system. The trojanized component launched a downloader that connected to attacker-operated C2 infrastructure, tampered with the hosts file to block remote updates, and implemented persistence mechanisms.
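The hosts-file tampering described above is cheap to check for on an endpoint: any entry that pins a vendor's update hostname to an address the vendor never published is suspicious, and an entry pointing it at loopback or 0.0.0.0 is an update sinkhole. The following script is an added example for this digest, not eScan's or MicroWorld's code; the update hostnames and the hosts-file content it inspects are constructed placeholders.

```python
"""
Flag hosts-file entries that hijack or sink a product's update domains.

Added example; not vendor code. WATCHED_HOSTS and SAMPLE_HOSTS are constructed
placeholders, not eScan's real update infrastructure.
"""
import ipaddress

# Constructed placeholders: substitute the update hosts your product really uses.
WATCHED_HOSTS = {"update.example-av.test", "download.example-av.test"}


def is_sinkhole(addr: str) -> bool:
    """Loopback or 0.0.0.0 mappings make the hostname unreachable (update blocked)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (address, hostname) pairs, skipping comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        for name in names:
            pairs.append((addr, name.lower()))
    return pairs


def find_tampering(text: str, watched=WATCHED_HOSTS) -> list[dict]:
    """Report every watched hostname that appears in the hosts file.

    A hosts entry for an update server is suspicious even when it points at a
    routable address, because it bypasses the vendor's DNS; a loopback or
    0.0.0.0 target is classified as a sinkhole, anything else as a redirect.
    """
    findings = []
    for addr, name in parse_hosts(text):
        if name in watched:
            findings.append({
                "host": name,
                "address": addr,
                "kind": "sinkhole" if is_sinkhole(addr) else "redirect",
            })
    return findings


# Constructed sample, not a real capture from an affected machine.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
0.0.0.0     update.example-av.test      # blocks the update check
127.0.0.1   download.example-av.test
203.0.113.7 telemetry.example-av.test   # not a watched host
"""

if __name__ == "__main__":
    for f in find_tampering(SAMPLE_HOSTS):
        print(f"{f['kind']:9} {f['host']} -> {f['address']}")
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; on Linux and macOS it is `/etc/hosts`. Running this from a scheduled job and alerting on any non-empty result catches the blocking behaviour regardless of which binary wrote the entries.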
Cyberattack on Poland’s power grid could have turned deadly in winter cold
Cybersecurity experts involved in the cleanup of the cyberattacks on Poland’s power network say the consequences could have been lethal. In a report published this week, Dragos said it is working with one of the approximately 30 facilities affected by the attacks, allegedly carried out by Russian intelligence. The attacks, attributed with medium confidence to Russian state-sponsored hacking group ELECTRUM (also known as Sandworm), marked the first major cyberattack aimed at distributed energy resources (DERs). While the attackers compromised operational technology systems and damaged key equipment beyond repair, they failed to disrupt power generation. Dragos noted the timing was deliberate, with an attack in the depths of winter being potentially lethal to the civilian population.
Fortinet starts patching exploited FortiCloud SSO zero-day (CVE-2026-24858)
Fortinet has begun releasing FortiOS versions that fix CVE-2026-24858, a critical zero-day vulnerability that allowed attackers to log into targeted organizations’ FortiGate firewalls. The vulnerability was found being exploited in the wild by two malicious FortiCloud accounts, which were locked out on January 22, 2026. CVE-2026-24858 is an authentication bypass vulnerability that may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts if FortiCloud SSO authentication is enabled. To protect customers from further exploitation, Fortinet disabled FortiCloud SSO on January 26 and re-enabled it on January 27, blocking login from devices running vulnerable versions.
Malicious ChatGPT Chrome extensions are stealing account credentials
LayerX Research has identified at least 16 Chrome browser extensions for ChatGPT floating around the internet that promise to enhance work productivity. All show signs of being built by the same threat actor and designed for the same purpose: to pilfer account credentials. The malicious extensions do not deploy malware or attack the model directly; instead they exploit weaknesses in the web-based authentication process used to verify ChatGPT users. A script injected into chatgpt.com monitors outbound requests, and when a request goes out containing authorization details and the user’s session token data, the malicious extension extracts that information and sends it to a remote server. This allows attackers to authenticate ChatGPT sessions under the victim’s identity and access chat histories and connected applications.
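The behaviour described above leaves a footprint in the extension's own manifest: a content script whose match patterns cover chatgpt.com, combined with permissions that let the extension observe requests or read cookies. The triage script below is an added example for this digest, not LayerX's or OpenAI's code; it scores manifest.json files for that combination, and the two manifests it ships with are constructed samples rather than any real extension.

```python
"""
Triage browser-extension manifests for a content script on chatgpt.com paired
with request- or cookie-level permissions.

Added example; not LayerX's tooling. TARGET_HOST, RISKY_PERMISSIONS and the
sample manifests are this example's own assumptions and constructed data.
"""
import json

TARGET_HOST = "chatgpt.com"
# Permissions that, paired with a script on the target site, let an extension
# observe or alter requests, read cookies, or inject further code.
RISKY_PERMISSIONS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                     "cookies", "scripting"}


def pattern_covers(pattern: str, host: str) -> bool:
    """Does a Chrome match pattern (e.g. *://*.chatgpt.com/*, <all_urls>) cover host?"""
    if pattern == "<all_urls>":
        return True
    hostpart = pattern.split("://", 1)[-1].split("/", 1)[0]
    if hostpart == "*":
        return True
    if hostpart.startswith("*."):
        # Chrome's *.example.com also matches the bare example.com.
        base = hostpart[2:]
        return host == base or host.endswith("." + base)
    return host == hostpart


def assess_manifest(manifest: dict, target: str = TARGET_HOST) -> dict:
    """Score one parsed manifest: 0 = nothing of note, 4 = every indicator present."""
    injects = any(
        pattern_covers(m, target)
        for cs in manifest.get("content_scripts", [])
        for m in cs.get("matches", [])
    )
    # MV3 keeps host patterns in host_permissions; MV2 mixed them into permissions.
    host_patterns = list(manifest.get("host_permissions", [])) + [
        p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"
    ]
    host_access = any(pattern_covers(p, target) for p in host_patterns)
    risky = sorted(RISKY_PERMISSIONS & set(manifest.get("permissions", [])))
    score = (2 if injects else 0) + (1 if host_access else 0) + (1 if risky else 0)
    return {
        "name": manifest.get("name", "<unnamed>"),
        "injects_target": injects,
        "host_access_to_target": host_access,
        "risky_permissions": risky,
        "score": score,
    }


def triage(manifests_json: list[str], min_score: int = 3) -> list[dict]:
    """Parse raw manifest.json strings and return findings at or above min_score."""
    results = [assess_manifest(json.loads(raw)) for raw in manifests_json]
    return [r for r in results if r["score"] >= min_score]


# Constructed samples, not the manifests of any real extension.
SUSPECT_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Constructed Productivity Booster",
    "permissions": ["webRequest", "storage", "cookies"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://chatgpt.com/*", "*://*.chatgpt.com/*"],
                         "js": ["inject.js"]}],
})
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Constructed Tab Counter",
    "permissions": ["tabs"],
    "content_scripts": [{"matches": ["*://example.test/*"], "js": ["count.js"]}],
})

if __name__ == "__main__":
    for finding in triage([SUSPECT_MANIFEST, BENIGN_MANIFEST]):
        print(f"score {finding['score']}: {finding['name']} "
              f"risky={finding['risky_permissions']}")
```

A high score is a triage signal, not a verdict: a legitimate prompt-helper extension also injects into chatgpt.com, so anything flagged still needs its content script read before it is removed from the fleet. The manifests to feed in live under the browser profile's extension directory (`Extensions/<id>/<version>/manifest.json` in Chrome's user data folder), which makes this straightforward to run as an enterprise inventory job.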