The Register

Trump admin sends heart emoji to commercial spyware makers with lifted Predator sanctions

infosec in brief The Trump administration has cleared a trio of individuals sanctioned by the Biden administration for involvement with the Intellexa spyware consortium behind the Predator surveillance tool, removing restrictions that had barred them from doing business with the US.

It’s the latest indicator that the Trump administration is a-okay with commercial spyware used by authoritarian countries to spy on dissidents, journalists, and political opponents, following a move in September that saw Team MAGA lift restrictions on Immigration and Customs Enforcement (ICE) purchasing software from commercial spyware maker Paragon Solutions. 

Predator has all the usual features of a commercial spyware product. It allows users to perform espionage-related activities on infected devices, including device tracking, surveillance, data theft, and the like. 

Predator has remained available through the Intellexa spyware consortium despite US sanctions imposed in 2024 on Intellexa-linked entities and executives. In its first round of sanctions in March 2024, the Biden-era Treasury Department described Intellexa as a “significant threat to … national security.” 

Sara Hamou, who was sanctioned in March 2024 for providing managerial services to Intellexa-linked firms, has now been removed from the Treasury Department’s Specially Designated Nationals list. The same applies to Andrea Gambazzi, the beneficial owner of Thalestris Limited, which held Predator distribution rights, and Merom Harpaz, described by US officials as a senior Intellexa executive. Both were sanctioned in September 2024.

According to Reuters, the Treasury Department said the delistings were carried out as part of the normal administrative process in response to petitions for reconsideration, adding that each individual had demonstrated measures to separate themselves from the Intellexa consortium. 

Separately, ICE in September lifted a stop-work order on a Biden-era surveillance contract, allowing the agency to proceed with acquiring commercial spyware it had previously been blocked from deploying.

According to the Atlantic Council, the United States recently earned the ignominious honor of becoming the largest investor in commercial spyware, with three times more investors than the next three highest countries. 

Korean Air employees’ PII exposed in breach

Korean Air posted an internal notice last week after its former in-flight catering and duty-free unit, KC&D, disclosed a security incident involving about 30,000 employees’ records, including names and bank account numbers in some cases.

As reported by Korean news outlet the JoongAng Daily, Korean Air said KC&D informed it of the leak and that no customer information appears to have been compromised – only the personally identifiable information (PII) of Korean Air staff.

As other outlets reported, the culprit seems to be notorious cyber extortion group Clop, which took credit for the incident and leaked the data online. 

Korean Air’s notice didn’t include any mention of how the breach occurred, but as The Register and other publications have noted, Clop has made extensive use of a vulnerability in Oracle E-Business Suite that was exploited as a zero-day beginning in August of last year, before patches were made available.

Router maker ignoring researcher RCE report

Security researchers who claim to be the first to use an AI agent to identify a remotely exploitable zero-day have shared the exploit with the manufacturer, which appears to be ignoring them. 

Researchers at Pwn.ai say they used an AI agent to identify CVE-2025-54322, a CVSS 10.0 remote code execution vulnerability in Chinese networking hardware maker Xspeeder’s SXZOS firmware more than seven months ago. 

The bug is a pre-authentication vulnerability in the firmware, meaning no credentials are needed to trigger it, and according to Pwn.ai it allows an attacker to gain total control of vulnerable devices. Pwn.ai said it found the vulnerability by running SXZOS under emulation and probing the emulated firmware from multiple angles.

Pwn.ai said it’s found other vulnerabilities in other systems, but is making the Xspeeder vuln its first disclosure “because, unlike other vendors, we have been unable to get any response from Xspeeder despite more than seven months of outreach.” 

EmEditor installer download hijacked

Bad news for anyone who downloaded Emurasoft’s EmEditor from its official website between 19 and 22 December: You probably downloaded a maliciously modified version. 

Emurasoft said shortly before the Christmas holiday that the EmEditor download on its website was altered, it suspects, by an “unauthorized … third party.” 

The company noted that the Download Now button was altered to point to an incorrect URL hosting a copy of the EmEditor MSI package that was signed by an unauthorized third party. It’s believed that the only file affected was emed64_25.4.3.msi, which, instead of being signed by Emurasoft, Inc., was signed by Walsham Investments Limited, suggesting tampering. Note that the bogus package still carried a valid code-signing signature; what gave it away was the signer’s identity, not a broken signature.

When run, the suspect MSI attempts to launch a PowerShell command that downloads and executes content from an external domain. Emurasoft didn’t disclose what that payload does, but said the malicious redirect has been fixed and has provided instructions for determining whether users were affected. 
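The lesson from the EmEditor incident is that a signature check alone is not enough, because the tampered installer was validly signed by the wrong publisher. The following PowerShell snippet is an added example (not Emurasoft’s own guidance, which users should follow first) showing how to check a locally saved installer: it records the file hash, reads the Authenticode signature status, and compares the signer’s subject against the expected vendor name from the story. The download path and the exact `CN=Emurasoft, Inc.` subject form are assumptions; adjust them to your environment.

```powershell
# Added example, not Emurasoft's instructions: inspect a downloaded EmEditor
# installer and flag it if it is unsigned or signed by someone other than the vendor.
# Assumptions: the path below is where the installer was saved, and the vendor's
# certificate subject contains "CN=Emurasoft, Inc." (taken from the story).
$Path = Join-Path $env:USERPROFILE 'Downloads\emed64_25.4.3.msi'

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Warning "File not found: $Path"
    return
}

# Get-AuthenticodeSignature works on MSI packages as well as PE files.
$sig    = Get-AuthenticodeSignature -FilePath $Path
$signer = $sig.SignerCertificate
$subject = if ($signer) { $signer.Subject } else { '<unsigned>' }

# Record what you saw, so the result can be compared with the vendor's published details.
[pscustomobject]@{
    File       = $Path
    SHA256     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    Status     = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
    Signer     = $subject
    Thumbprint = if ($signer) { $signer.Thumbprint } else { $null }
} | Format-List

# A chain-valid signature only proves *someone* signed it. The identity must match too.
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)'. Do not run this installer."
}
elseif ($subject -notmatch 'CN=Emurasoft, Inc\.') {
    Write-Warning "Signed by an unexpected publisher: $subject. Treat the file as tampered."
}
else {
    Write-Host 'Signer matches the expected publisher.'
}
```

The same pattern (status check followed by an explicit subject or thumbprint comparison against a value you obtained out of band) applies to any vendor-signed installer; pinning the expected thumbprint is stricter than matching the subject string, at the cost of having to update it when the vendor rotates certificates.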

Westminster City Council admits sensitive data stolen in November breach

What began as a “cyber security incident” has since been confirmed as the unauthorized copying of council data likely to include sensitive and personal information, as Westminster City Council in the UK has disclosed more about the scope of a November breach.

The BBC reported last week that the late-2025 incident, which affected IT systems shared by Westminster, Kensington and Chelsea, and Hammersmith and Fulham, is now being considered one in which “potentially sensitive and personal information” was likely snagged by attackers targeting the boroughs. 

That’s in contrast to the initial claim from the trio in late November, and follow-up claims from Kensington and Chelsea that admitted some data was taken, but that it was just some old stuff. 

Now, Westminster appears to be saying it’s a legitimate concern for locals in that borough, as well as Kensington and Chelsea. Hammersmith and Fulham, the BBC noted, maintains its systems were unaffected. 

It’s still not clear what data was taken, but Westminster City Council, like Kensington and Chelsea, is warning citizens to be vigilant for scam calls, emails, and texts that may result from misuse of the stolen data. ®
