Cybersecurity firm Arctic Wolf has issued a critical warning regarding a "new cluster of automated malicious activity" targeting Fortinet FortiGate devices. Starting around mid-January 2026, attackers have been observed exploiting FortiCloud Single Sign-On (SSO) vulnerabilities to perform unauthorized firewall configuration changes and exfiltrate sensitive data. This campaign bears a striking resemblance to a December 2025 attack wave involving CVE-2025-59718 and CVE-2025-59719, which allow for an unauthenticated bypass of SSO authentication via crafted SAML messages. Threat actors are using a malicious account, "cloud-init@mail.io", and creating several secondary administrative accounts to maintain persistence on affected networks. Perhaps most concerning are reports from the community suggesting that even fully patched devices, including FortiOS version 7.4.10, may still be susceptible to these exploits. This guide covers the specific indicators of compromise, including known malicious IP addresses, and provides the immediate mitigation step of disabling the FortiCloud SSO login feature to protect your infrastructure from these rapid, automated attacks.
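A log-review sketch for the two behaviours described above: an SSO admin login by the reported account, followed by creation of further admin accounts. This is an added example, not Arctic Wolf's or Fortinet's code. The key=value field names (`method`, `cfgpath`, `cfgobj`, and so on), the sample lines, the IP addresses and the account name `backup-svc` are constructed assumptions, so map them to the fields your own log export uses.

```python
import re

IOC_ACCOUNT = "cloud-init@mail.io"  # account named in the report above
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed sample lines; field names are assumptions modeled on key=value event logs.
SAMPLE_LOG = '''\
date=2026-01-20 time=03:11:02 logdesc="Admin login successful" user="admin" method="https" srcip=198.51.100.7 status="success"
date=2026-01-20 time=03:14:40 logdesc="Admin login successful" user="cloud-init@mail.io" method="sso" srcip=203.0.113.50 status="success"
date=2026-01-20 time=03:14:44 logdesc="Object attribute configured" user="cloud-init@mail.io" cfgpath="system.admin" cfgobj="backup-svc" action="Add"
date=2026-01-20 time=03:14:49 logdesc="Object attribute configured" user="admin" cfgpath="firewall.policy" cfgobj="12" action="Edit"
'''

def parse_line(line):
    """Turn one key=value log line into a dict, unquoting quoted values."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in KV.findall(line)}

def detect(log_text, ioc_account=IOC_ACCOUNT):
    """Return (timestamp, reason) findings for SSO admin logins and admin creation."""
    findings, sso_users = [], set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        ts = f'{ev.get("date", "?")} {ev.get("time", "?")}'
        user = ev.get("user", "").lower()
        if ev.get("method") == "sso" and ev.get("status") == "success":
            # Every SSO admin login is surfaced; the reported account is tagged.
            sso_users.add(user)
            tag = "IoC account" if user == ioc_account else "review"
            findings.append((ts, f'SSO admin login ({tag}): {user} from {ev.get("srcip")}'))
        elif ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            # New admin accounts are the persistence step described in the report.
            origin = "by SSO-authenticated user" if user in sso_users else "by"
            findings.append((ts, f'admin account "{ev.get("cfgobj")}" added {origin} {user}'))
    return findings

if __name__ == "__main__":
    for ts, reason in detect(SAMPLE_LOG):
        print(ts, reason)
```

SSO logins by accounts other than the reported one are still listed with a `review` tag, since the account name is easy for an operator of the campaign to change.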
Cybersecurity researchers are sounding the alarm on a dual-pronged threat targeting Brazil. In one campaign, threat actors are leveraging legitimate generative AI tools to create highly convincing phishing pages of Brazilian government agencies to trick users into making payments. These fraudulent sites are boosted with SEO poisoning to appear in top search results. Simultaneously, a separate malspam campaign is distributing the Efimer trojan, a potent malware designed to steal cryptocurrency, which has already impacted over 5,000 users.