Threat Advisories

Top Middle East Cyber Threats – January 27th, 2026

By Help AG

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.   

 

PurpleBravo Targets Software Developers Using Social Engineering Lures 

PurpleBravo is an East Asia-aligned threat actor identified as part of the Contagious Interview campaign, initially reported in November 2023. This actor primarily targets software developers, with a particular focus on the software development and cryptocurrency sectors. Their tactics include social engineering methods such as fraudulent recruiter outreach, fake coding assessments, and ClickFix-style prompts. 

Throughout 2025, investigations have linked PurpleBravo to several inauthentic LinkedIn profiles and malicious GitHub repositories, often posing as fictitious companies to support their luring operations. The group utilizes a range of malicious tools, including BeaverTail, a JavaScript-based infostealer and loader, as well as cross-platform remote access trojans, specifically PyLangGhost and GolangGhost, designed to extract browser credentials and cryptocurrency wallet data. 

RECOMMENDATIONS     

  • Verify recruiter identities before sharing any code, accounts, or credentials, and carefully check official company contacts and LinkedIn profiles. 
  • Exercise caution when receiving unsolicited interview invitations, particularly from unknown or suspicious LinkedIn profiles or fake recruitment brands. 
  • Analyze any submitted code or testing environments for malware or hidden scripts before executing them locally. 
  • Educate employees and hiring teams on social engineering tactics, fake recruiter profiles, and common threat actor techniques to enhance awareness and reduce risk. 
  • Avoid executing untrusted files from unknown recruiters on personal or corporate devices. 
  • Report suspicious recruitment activity to internal security teams or relevant threat intelligence channels. 
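As an added example (not Help AG's code, nor anything from the research cited above), the following PowerShell function performs the kind of pre-execution review the third recommendation calls for: it never runs anything from a received "coding assessment" repository, only reads package.json install hooks (which npm executes automatically on install) and scans source files for loader-style constructs. The function name Invoke-RepoTriage, the hook list and the pattern set are assumptions for illustration, not indicators from the advisory.

```powershell
# Added example, not from the advisory. Static triage of a cloned repository; nothing in it is executed.
function Invoke-RepoTriage {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # npm lifecycle hooks that run on `npm install` (assumption: standard npm hook names)
        [string[]] $InstallHooks = @('preinstall', 'install', 'postinstall', 'prepare', 'prepublish')
    )

    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. package.json: anything under these hooks runs the moment someone installs dependencies.
    Get-ChildItem -Path $Path -Recurse -File -Filter 'package.json' -ErrorAction SilentlyContinue | ForEach-Object {
        try { $pkg = Get-Content -LiteralPath $_.FullName -Raw | ConvertFrom-Json } catch { return }
        if ($null -eq $pkg.scripts) { return }
        foreach ($prop in $pkg.scripts.PSObject.Properties) {
            if ($InstallHooks -contains $prop.Name) {
                $findings.Add([pscustomobject]@{
                    File = $_.FullName; Kind = 'install-hook'; Detail = "$($prop.Name): $($prop.Value)"
                })
            }
        }
    }

    # 2. Source files: constructs typical of a loader that decodes and evaluates a second stage.
    #    These regexes are generic assumptions for review, not IoCs for any specific malware family.
    $patterns = @{
        'dynamic-eval'       = '\beval\s*\(|new\s+Function\s*\('
        'process-spawn'      = 'child_process|execSync\s*\(|spawn\s*\('
        'long-base64-blob'   = '[A-Za-z0-9+/]{300,}={0,2}'
        'hex-escaped-string' = '(\\x[0-9A-Fa-f]{2}){20,}'
        'home-dir-access'    = 'os\.homedir\s*\(|process\.env\.(HOME|USERPROFILE|APPDATA)'
    }
    $sourceFiles = Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.js', '.mjs', '.cjs', '.ts', '.jsx', '.tsx' }

    foreach ($f in $sourceFiles) {
        $text = Get-Content -LiteralPath $f.FullName -Raw -ErrorAction SilentlyContinue
        if (-not $text) { continue }
        foreach ($kind in $patterns.Keys) {
            $m = [regex]::Match($text, $patterns[$kind])
            if (-not $m.Success) { continue }
            $snippet = $m.Value
            if ($snippet.Length -gt 60) { $snippet = $snippet.Substring(0, 60) + '...' }
            $findings.Add([pscustomobject]@{ File = $f.FullName; Kind = $kind; Detail = $snippet })
        }
    }

    return $findings.ToArray()
}

# Usage: review the report before anyone types `npm install` or `node` in that folder.
# Invoke-RepoTriage -Path 'C:\assessments\candidate-task' | Format-Table -AutoSize
```

A populated install hook or a minified file that decodes a large base64 blob and hands it to eval is enough reason to stop and escalate to the security team rather than run the assessment, even on a personal machine.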

 

Microsoft Releases Critical Azure Security Fix 

Microsoft has released one critical security fix. 

The update addresses the following CVE: 

  • [Critical] CVE-2026-24304 – Azure Resource Manager:
    Improper access control in Azure Resource Manager allows an authorized attacker to elevate privileges over a network. 


RECOMMENDATIONS  
   

  • Ensure all systems are patched and updated.  

 

Attackers Exploit Legitimate Driver to Evade Endpoint Defenses 

Threat actors are exploiting a legitimate Windows kernel-mode driver, TrueSight.sys, to disable endpoint detection and antivirus protections prior to malware deployment. The driver is validly signed and originates from Adlice Software’s RogueKiller antivirus, but it allows arbitrary process termination.  

This flaw enables attackers to terminate security processes typically resistant to user-mode tampering, effectively bypassing Microsoft’s security defenses. Over 2,500 signed variants of the vulnerable driver have been observed in active use, demonstrating the widespread exploitation of trusted but flawed drivers to evade detection and enhance attack success. 

RECOMMENDATIONS     

  • Enable real-time monitoring for emerging malicious or abused driver threats. 
  • Apply certificate-based and behavior-based detection mechanisms. 
  • Implement Windows Defender Application Control (WDAC). 
  • Enable Hypervisor-Protected Code Integrity (HVCI). 
  • Monitor and investigate connections to *.oss-cn-*.aliyuncs.com domains. 
  • Proactively hunt for drivers signed before July 29, 2015. 
  • Enable the Microsoft Vulnerable Driver Blocklist to block the TrueSight certificate identified by TBS hash 1D7E838ACCD498C2E5BA9373AF819EC097BB955C for truesight.sys. 
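As an added example (not Help AG's, Adlice's or Microsoft's code), the PowerShell below turns the last two recommendations into a hunt: it inventories the drivers registered on a Windows host, computes each signer certificate's TBS hash (the digest of the DER-encoded TBSCertificate, which is what the Vulnerable Driver Blocklist matches on), and flags the file name TrueSight.sys, the TBS hash quoted above, and signer certificates issued before July 29, 2015. The TBS value comes from the advisory; everything else (the function names, the use of the certificate's NotBefore date as a proxy for the signing date, which Get-AuthenticodeSignature does not expose, and the default exclusion of Microsoft-signed inbox drivers to cut noise) is an assumption. It needs PowerShell 7.2 or later on Windows for System.Formats.Asn1, and an elevated session for full coverage.

```powershell
# Added example, not from the advisory or any vendor. Hunts for TrueSight.sys and pre-2015 driver signers.
$KnownBadTbs = @('1D7E838ACCD498C2E5BA9373AF819EC097BB955C')   # TrueSight signer TBS hash, from the advisory
$Cutoff      = [datetime]'2015-07-29'                            # date quoted in the advisory

function Get-CertTbsHashes {
    param([Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    # The blocklist's TBS hash is the digest of the whole encoded tbsCertificate element (tag + length + body).
    $mem    = [System.ReadOnlyMemory[byte]]::new($Cert.RawData)
    $reader = [System.Formats.Asn1.AsnReader]::new($mem, [System.Formats.Asn1.AsnEncodingRules]::DER)
    $tbs    = $reader.ReadSequence().ReadEncodedValue().ToArray()
    # Microsoft publishes SHA-1 (40 hex) or SHA-256 (64 hex) TBS values depending on the cert; compute both.
    $sha1   = ([System.Security.Cryptography.SHA1]::Create().ComputeHash($tbs)   | ForEach-Object { $_.ToString('X2') }) -join ''
    $sha256 = ([System.Security.Cryptography.SHA256]::Create().ComputeHash($tbs) | ForEach-Object { $_.ToString('X2') }) -join ''
    return @{ SHA1 = $sha1; SHA256 = $sha256 }
}

function Find-SuspectDrivers {
    param([switch] $IncludeMicrosoftSigned)   # assumption: inbox drivers are excluded by default to reduce noise

    $results = foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        if (-not $drv.PathName) { continue }
        # The service database stores NT-style paths (\??\C:\... or \SystemRoot\...); normalise them.
        $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig     = Get-AuthenticodeSignature -LiteralPath $path
        $cert    = $sig.SignerCertificate
        $reasons = @()

        if ([IO.Path]::GetFileName($path) -ieq 'truesight.sys') { $reasons += 'file name matches TrueSight.sys' }

        if ($null -eq $cert) {
            $reasons += "no usable Authenticode signature ($($sig.Status))"
        } else {
            if (-not $IncludeMicrosoftSigned -and $cert.Subject -match 'O=Microsoft Corporation') { continue }
            $tbs = Get-CertTbsHashes -Cert $cert
            if (($KnownBadTbs -contains $tbs.SHA1) -or ($KnownBadTbs -contains $tbs.SHA256)) {
                $reasons += "signer TBS hash $($tbs.SHA1) is on the blocklist"
            }
            if ($cert.NotBefore -lt $Cutoff) {
                $reasons += "signer certificate issued $($cert.NotBefore.ToString('yyyy-MM-dd')), before 2015-07-29"
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name    = $drv.Name
                State   = $drv.State
                Path    = $path
                Signer  = if ($cert) { $cert.Subject } else { '' }
                Reasons = ($reasons -join '; ')
            }
        }
    }
    return $results
}

# Usage (elevated PowerShell 7 on the host being hunted):
# Find-SuspectDrivers | Format-Table -AutoSize
```

A hit on the TBS hash confirms the certificate the blocklist entry targets is present regardless of what the file has been renamed to; a pre-2015 signer alone is only a lead, since some legitimate third-party drivers still carry such certificates and should be reviewed rather than blocked blindly.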

 

Cisco Releases Security Fixes for Critical and Medium Vulnerabilities 

Cisco has released five security updates addressing the following CVEs: 

  • [High] CVE-2026-20045 – Cisco Unified Communications Manager & Unity Connection:
    A flaw in the HTTP interface could allow an unauthenticated remote attacker to execute arbitrary commands and escalate privileges to root on affected devices. The advisory is rated Critical due to potential root access. 
  • [Medium] CVE-2026-20080 – Cisco Ultra-Reliable Wireless Backhaul:
    A vulnerability in the SSH service could allow a remote attacker to cause a temporary denial of service (DoS) by exploiting the absence of flood protection mechanisms. 
  • [Medium] CVE-2026-20092 – Cisco Intersight Virtual Appliance:
    Improper file permissions in the maintenance shell could allow an authenticated local attacker with admin rights to escalate privileges to root, gaining full control of the appliance. 
  • [Medium] CVE-2026-20109 – Cisco Packaged & Unified Contact Center Enterprise:
    Multiple vulnerabilities in the web interface could allow an authenticated attacker to execute cross-site scripting (XSS) attacks on interface users. 
  • [Medium] CVE-2026-20055 – Cisco Packaged & Unified Contact Center Enterprise:
    Similar XSS vulnerabilities exist in the web interface, allowing authenticated attackers to execute arbitrary scripts and access browser-based information. 


RECOMMENDATIONS  
   

  • Ensure all systems are patched and updated.  

 

Google Chrome Addresses Denial-of-Service Vulnerability 

A vulnerability has been identified in Google Chrome that could allow a remote attacker to cause a DoS on affected systems. Exploitation of this flaw may render the browser or system unresponsive, disrupting normal operations. 

Affected Systems / Technologies: 

  • Google Chrome versions prior to 144.0.7559.96 on Linux. 
  • Google Chrome versions prior to 144.0.7559.96/.97 on Mac. 
  • Google Chrome versions prior to 144.0.7559.96/.97 on Windows. 


RECOMMENDATIONS  
   

  • Upgrade to version 144.0.7559.96 or later on Linux. 
  • Upgrade to version 144.0.7559.96/.97 or later on Mac. 
  • Upgrade to version 144.0.7559.96/.97 or later on Windows. 

 

References 

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-24304 

https://www.recordedfuture.com/research/purplebravos-targeting-it-software-supply-chain 

https://www.magicsword.io/blog/truesightkiller-edr-killer-driver-abuse 

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b 
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iec6400-Pem5uQ7v 
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-intersight-privesc-p6tBm6jk 
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucce-pcce-xss-2JVyg3uD 

https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_20.html 
