ThreatsDay Bulletin: New RCEs, Darknet Busts, Kernel Bugs & 25+ More Stories

Ravie Lakshmanan | Jan 29, 2026 | Cybersecurity / Hacking News

This week's updates show how small changes can create real problems. Not loud incidents, but quiet shifts that are easy to miss until they add up. The kind that affects systems people rely on every day. Many of the stories point to the same trend: familiar tools being used in unexpected ways. Security controls are being worked around. Trusted platforms turning into weak spots. What looks routine on the surface often isn't. There's no single theme driving everything — just steady pressure across many fronts. Access, data, money, and trust are all being tested at once, often without clear warning signs. This edition pulls together those signals in short form, so you can see what's changing before it becomes harder to ignore.

Major cybercrime forum takedown

FBI Seizes RAMP Forum

The U.S. Federal Bureau of Investigation (FBI) has seized the notorious RAMP cybercrime forum. Visitors to the forum's Tor site and its clearnet domain, ramp4u[.]io, are now greeted by a seizure banner that states the "action has been taken in coordination with the United States Attorney's Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice." On the XSS forum, RAMP's current administrator Stallman confirmed the takedown, stating, "This event has destroyed years of my work to create the most free forum in the world, and although I hoped that this day would never come, in my heart I always knew it was possible." RAMP was launched in July 2021 after both Exploit and XSS banned the promotion of ransomware operations. It was established by a user named Orange, who has since been outed as Mikhail Pavlovich Matveev (aka Wazawaka, m1x, Boriselcin, and Uhodiransomwar).
"Groups such as Nova and DragonForce are reportedly shifting activity toward Rehub, illustrating the underground's ability to reconstitute quickly in alternative spaces," Tammy Harper, senior threat intelligence researcher at Flare.io, said. "These transitions are often chaotic, opening new risks for threat actors: loss of reputation, escrow instability, operational exposure, and infiltration during the scramble to rebuild trust."

WhatsApp privacy claims challenged

Lawsuit Claims Meta Can See WhatsApp Chats in Breach of Privacy

A new lawsuit filed against Meta in the U.S. has alleged that the social media giant has made false claims about the privacy and security of WhatsApp. The lawsuit claims Meta and WhatsApp "store, analyze, and can access virtually all of WhatsApp users' purportedly 'private' communications" and accuses the company of defrauding WhatsApp's users. In a statement shared with Bloomberg, Meta called the lawsuit frivolous and said that the company "will pursue sanctions against plaintiffs' counsel." Will Cathcart, head of WhatsApp at Meta, said, "WhatsApp can't read messages because the encryption keys are stored on your phone, and we don't have access to them. This is a no-merit, headline-seeking lawsuit brought by the very same firm defending NSO after their spyware attacked journalists and government officials." Complainants claim that WhatsApp has an internal team with unlimited access to encrypted communications, which can grant access to data requests. According to the lawsuit, these requests are sent to the Meta engineering team, which then grants access to a user's messages, often without scrutiny. These allegations go beyond the documented scenario in which up to five recent messages are sent to WhatsApp for review when a user reports another user in an individual or group chat. The crux of the debate is whether WhatsApp's security is a technical lock that can't be picked, or a policy lock that employees can open.
WhatsApp has stressed that the messages are private and that "any claims to the contrary are false."

Post-quantum shift accelerates

CISA Publishes Guidance for PQC Adoption

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an initial list of hardware and software product categories that support or are expected to support post-quantum cryptography (PQC) standards. The guidance covers cloud services, collaboration and web software, endpoint security, and networking hardware and software. The list aims to guide organizations in shaping their PQC migration strategies and evaluating future technology investments. "The advent of quantum computing poses a real and urgent threat to the confidentiality, integrity, and accessibility of sensitive data — especially systems that rely on public-key cryptography," said Madhu Gottumukkala, Acting Director of CISA. "To stay ahead of these emerging risks, organizations must prioritize the procurement of PQC-capable technologies. This product categories list will support organizations making that critical transition." Government agencies and private sector firms are preparing for the threat posed by the advent of a cryptographically relevant quantum computer (CRQC), which the security community believes will be able to break some forms of classical public-key encryption. There are also concerns that threat actors could be harvesting encrypted data now in the hope of decrypting it once such a machine exists, a surveillance strategy known as harvest now, decrypt later (HNDL).

Physical access systems exposed

20 Security Flaws in Dormakaba Access Control Systems

More than 20 security vulnerabilities (CVE-2025-59090 through CVE-2025-59109) discovered in Dormakaba physical access control systems could have allowed attackers to remotely open doors at major organizations.
The flaws included hard-coded credentials and encryption keys, weak passwords, a lack of authentication, insecure password generation, local privilege escalation, data exposure, path traversal, and command injection. "These flaws let an attacker open arbitrary doors in numerous ways, reconfigure connected controllers and peripherals without prior authentication, and much more," SEC Consult said. There is no evidence that the vulnerabilities were exploited in the wild.

Fake hiring lures steal logins

Recruitment-Themed Emails Lead to Credential Theft

A new phishing campaign is leveraging fake recruitment-themed emails that impersonate well-known employers and staffing companies, claiming to offer easy jobs, fast interviews, and flexible work. "The messages appear in multiple languages, including English, Spanish, Italian, and French, often tailored to the recipient's location," Bitdefender said. "Top targets include people in the U.S., the U.K., France, Italy, and Spain." Clicking on a confirmation link in the message takes recipients to a fake page that harvests credentials, collects sensitive data, or redirects to malicious content.

Trusted cloud domains abused

New Campaign Exploits Vercel App Domains To Drop GoTo Resolve

A novel campaign has exploited the trust associated with *.vercel.app domains to bypass email filters and deceive users with financially themed lures, such as overdue invoices and shipping documents, as part of a phishing campaign observed from November 2025 to January 2026. The activity, which also employs a Telegram-gated delivery mechanism designed to filter out security researchers and automated sandboxes, is designed to deliver a legitimate remote access tool called GoTo Resolve, per Cloudflare. Details of the campaign were first documented by CyberArmor in June 2025.
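The campaign works because mail filters that score reputation at the apex domain treat every *.vercel.app tenant as equally trustworthy. The following is an added example, not code from the bulletin or from Cloudflare, of an email-triage check that keys shared-hosting reputation on the tenant subdomain instead and pairs it with the financial-lure wording described above. The suffix "vercel.app" comes from the story; the other shared-hosting suffixes, the keyword list and the sample email are my own constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Apex domains on which anyone can register a free subdomain. "vercel.app" is the
# one named in the campaign; the other suffixes are my own additions (assumption).
SHARED_HOSTING_SUFFIXES = {"vercel.app", "netlify.app", "pages.dev", "web.app"}

# Financially themed lure words drawn from the story (overdue invoices, shipping
# documents) plus a few of my own; matched case-insensitively.
LURE_KEYWORDS = ("invoice", "overdue", "shipping", "payment", "remittance")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) URL found in a plain-text email body."""
    return URL_RE.findall(text)


def shared_hosting_tenant(url):
    """Return the tenant hostname if the URL lives on a shared platform, else None.

    The apex itself (e.g. https://vercel.app/) is not a tenant and returns None;
    reputation has to be tracked per tenant host, not per apex domain.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    for suffix in SHARED_HOSTING_SUFFIXES:
        if host.endswith("." + suffix):
            return host
    return None


def triage_email(body):
    """Return [(url, [reasons])] for links that deserve analyst attention."""
    lowered = body.lower()
    lure_hits = sorted(k for k in LURE_KEYWORDS if k in lowered)
    findings = []
    for url in extract_urls(body):
        tenant = shared_hosting_tenant(url)
        if tenant is None:
            continue  # ordinary domain: leave it to normal reputation scoring
        reasons = [f"shared-hosting tenant {tenant}: apex reputation does not vouch for it"]
        if lure_hits:
            reasons.append("financial lure wording: " + ", ".join(lure_hits))
        findings.append((url, reasons))
    return findings


# Constructed sample email; the tenant subdomain is invented for illustration.
SAMPLE_EMAIL = """Subject: Overdue invoice INV-20931

Your invoice is overdue. Review the shipping documents and settle payment here:
https://invoice-portal-0291.vercel.app/view?id=20931

Terms of service: https://www.example.com/terms
"""

if __name__ == "__main__":
    for url, reasons in triage_email(SAMPLE_EMAIL):
        print(url)
        for reason in reasons:
            print("  -", reason)
```

The check is intentionally narrow: it does not block shared-hosting links, it only removes the unearned trust the apex domain would otherwise confer and surfaces the lure context so an analyst or a downstream scoring rule can decide.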
Cellular location precision reduced

Apple Tests Limiting Precise Location From Cellular Networks in iOS

With iOS 26.3, Apple is adding a new "limit precise location" setting that reduces the location data available to cellular networks to increase user privacy. "The limit precise location setting enhances your location privacy by reducing the precision of location data available to cellular networks," Apple said. "With this setting turned on, some information made available to cellular networks is limited. As a result, they might be able to determine only a less precise location — for example, the neighborhood where your device is located, rather than a more precise location (such as a street address)." According to a new support document, iPhone models from supported network providers will offer the feature. The feature is expected to be available in Germany (Telekom), the U.K. (EE, BT), the U.S. (Boost Mobile), and Thailand (AIS, True). It also requires an iPhone Air, iPhone 16e, or iPad Pro (M5) Wi-Fi + Cellular.

Legacy iOS support extended

Apple Releases Updates for iOS 12 and iOS 15

In more Apple-related news, the iPhone maker has released security updates for iOS 12 and iOS 15 to extend the digital certificate required by features such as iMessage, FaceTime, and device activation, so that they continue working after January 2027. The update is available in iOS 12.5.8 and iOS 15.8.6.

SEO poisoning-for-hire exposed

Black Hat SEO Gets a Boost from Haxor

A backlink marketplace has been discovered that helps customers get their malicious web pages ranked higher in search results. The group refers to itself as Haxor, a slang word for hackers, and to its marketplace as HxSEO, or HaxorSEO. The threat actors have established their operations and marketplace on Telegram and WhatsApp. The marketplace allows fraudsters to purchase a backlink to a website of their choice, placed on one of a selection of legitimate domains already compromised by the group.
These compromised domains are typically 15-20 years old and carry a "trust" score that indicates how effective the purchased backlink would be at increasing search engine rankings. Each legitimate website is compromised with a web shell that enables Haxor to upload a malicious backlink to the site. By buying and then inserting these links into their sites, threat actors can boost search rankings, drawing unsuspecting visitors to phishing pages designed to harvest their credentials.
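From the compromised site owner's side, an injected backlink is a change in the set of hosts a page links out to. The following is an added example, not code from the bulletin or from any named vendor, of an outbound-link audit a site operator can run against a rendered page: it parses the HTML, drops same-site links, and reports any third-party host that is not in an approved baseline. The hidden-link heuristic (inline `display:none` / `visibility:hidden` on the anchor) is my own addition, as are the first-party hosts, baseline and sample page, all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, anchor_text, hidden) for every <a href=...> in a document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, text fragments, hidden] while inside <a>

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = dict(attrs)
        href = attrs.get("href")
        if not href:
            return
        # Heuristic (my assumption, not from the story): anchors hidden with inline
        # CSS are a common sign of links meant for crawlers rather than visitors.
        style = (attrs.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        self._current = [href, [], hidden]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, parts, hidden = self._current
            self.links.append((href, "".join(parts).strip(), hidden))
            self._current = None


def outbound_links(html, first_party_hosts):
    """Return {host: [(href, text, hidden), ...]} for links that leave the site."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    result = {}
    for href, text, hidden in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if not host or host in first_party_hosts:
            continue  # relative link or same-site link
        result.setdefault(host, []).append((href, text, hidden))
    return result


def unexpected_backlinks(html, baseline_hosts, first_party_hosts):
    """Outbound links whose host is neither first-party nor in the approved baseline."""
    current = outbound_links(html, first_party_hosts)
    return {host: links for host, links in current.items() if host not in baseline_hosts}


# Constructed site configuration: the operator's own hosts and approved partners.
FIRST_PARTY = {"example.org", "www.example.org"}
BASELINE_HOSTS = {"partner.example.net"}

# Constructed page; the final anchor stands in for an injected, hidden backlink
# (the .invalid TLD is reserved and never resolves).
SAMPLE_PAGE = """<html><body>
<h1>Our services</h1>
<p>See <a href="/about">about us</a> and our
<a href="https://partner.example.net/">partner</a>.</p>
<p>Contact: <a href="https://www.example.org/contact">contact</a></p>
<div><a href="https://cheap-loans.invalid/apply" style="display: none">cheap loans today</a></div>
</body></html>"""

if __name__ == "__main__":
    for host, links in unexpected_backlinks(SAMPLE_PAGE, BASELINE_HOSTS, FIRST_PARTY).items():
        for href, text, hidden in links:
            flag = " (hidden)" if hidden else ""
            print(f"{host}: {href!r} text={text!r}{flag}")
```

Run on a schedule against the live page and diffed against the last known-good result, the audit turns a silent ranking manipulation into a change the operator sees, which is also the moment to look for the web shell that placed it.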