ThreatsDay Bulletin: Pixel Zero-Click, Redis RCE, and the Rise of Trusted Service Abuse


The Silent Shift: Exploiting Trust Over Code

This week’s threat landscape reveals a disturbing pattern: attackers are no longer just breaking doors; they are using legitimate keys. From "Living-off-Trusted-Sites" (LOTS) to abusing background system processes, the friction required for a successful breach has reached an all-time low. Here are the top stories from the Kian Technologies intelligence desk.


1. Mobile Security: Pixel 9 Zero-Click Exploit Chain

Google Project Zero has detailed a dangerous zero-click exploit targeting the Google Pixel 9. The attack chain leverages a flaw in the Dolby audio decoder. Because the Google Messages app automatically processes audio attachments for transcription, an attacker can execute code just by sending a crafted audio file—no user interaction required. The chain uses CVE-2025-54957 for initial execution and CVE-2025-36934 (a use-after-free in the BigWave driver) to escalate to kernel privileges.

2. Critical Infrastructure: Redis "RediShell" RCE

A critical vulnerability dubbed RediShell (CVE-2025-49844) has hit Redis. This flaw allows an authenticated attacker to escape the Lua sandbox and achieve full Remote Code Execution (RCE) on the host. Shockingly, researchers found over 60,000 internet-exposed Redis instances with no authentication, making them sitting ducks for this exploit.
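The precondition for the mass exposure described above is a Redis instance that listens on all interfaces with no authentication. The following added example (not part of the original bulletin or the Redis project) audits a redis.conf for exactly those settings; the two configs are constructed samples, and the finding codes are this example's own names. Patching the Lua sandbox flaw itself is still required.

```python
from typing import Dict, List

def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Parse redis.conf-style text into {directive: [values...]}.
    Comments and blank lines are skipped; repeated directives are collected."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf

def audit_redis_conf(text: str) -> List[str]:
    """Return finding codes for settings that leave Redis reachable without
    authentication. This covers exposure only, not the RCE bug itself."""
    conf = parse_redis_conf(text)
    findings: List[str] = []
    # Authentication: requirepass, or an ACL 'user' line that is not nopass.
    has_auth = "requirepass" in conf or any(
        "nopass" not in u.split() for u in conf.get("user", [])
    )
    if not has_auth:
        findings.append("no-auth")
    # protected-mode defaults to yes; an explicit "no" removes the safety net.
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode-off")
    # No bind directive means every interface; wildcard addresses do the same.
    binds = " ".join(conf.get("bind", [])).split()
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bind-all")
    if "no-auth" in findings and "bind-all" in findings:
        findings.append("unauthenticated-and-exposed")
    return findings

# Constructed sample: the weak shape of an internet-facing, unauthenticated node.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: loopback only, protected mode on, a password required.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass CHANGE-ME-placeholder
"""
```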

3. Global Infrastructure: China’s Massive C2 Footprint

Analysis from Hunt.io reveals that the Chinese internet space currently hosts over 18,000 active Command-and-Control (C2) servers. Nearly 50% are hosted by China Unicom, with over 9,000 IPs dedicated to the Mozi IoT botnet. This highlights the scale at which threat actors are rotating infrastructure within major cloud providers like Alibaba and Tencent.

4. E.U. Cybersecurity Act: Targeting High-Risk Suppliers

The European Commission has proposed a new Cybersecurity Act mandating the removal of high-risk suppliers from critical ICT supply chains. This move targets strategic risks from third-country suppliers and forces telecommunications networks to de-risk their infrastructure to protect against state-sponsored interference.


The "Quick-Hit" Bulletin

  • Operation Nomad Leopard: A spear-phishing campaign targeting Afghanistan using GitHub-hosted ISO images to deploy the "FALSECUB" backdoor.
  • DLL Side-Loading: New campaigns are abusing trusted executables to load CoreMessaging.dll, bypassing OS security to drop information stealers.
  • WSL Abuse: A new Beacon Object File (BOF) allows attackers to execute commands inside the Windows Subsystem for Linux (WSL) without ever spawning wsl.exe, evading process-based detection.
  • Malvertising RATs: Ads for image converters (Easy2Convert, PowerDoc) are serving as droppers for persistent Remote Access Trojans.
  • Zendesk Relay Spam: Unsecured support ticket systems are being weaponized to send "relay spam," making malicious emails appear as legitimate customer service notifications.

Cryptocurrency: $17 Billion Lost in 2025

Final reports for 2025 show that crypto scams reached record heights, with an estimated $14B - $17B stolen. "Pig butchering" and impersonation scams surged by 1,400%, increasingly powered by AI-generated deepfakes and professional money-laundering networks across Southeast Asia.

The Visual Deception: Homoglyph Attacks

Threat actors are using the "rn" vs "m" trick to fool users. Domains like rnicrosoft.com or rnastercard.com look nearly identical to the real ones on high-resolution screens. This technique is being combined with Let’s Encrypt’s new 6-day certificates to create short-lived, highly credible-looking phishing sites.
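One defensive counter to the "rn" vs "m" trick is to reduce each domain label to a visual skeleton before comparing it with a list of protected brands, so rnicrosoft.com and microsoft.com collapse to the same string. The example below is added here and is not code from the original bulletin; the brand list, the confusable table and the single-label suffix handling are this example's own assumptions.

```python
import unicodedata
from typing import Optional

# Sequences that render almost identically in many fonts. Multi-character
# entries run first so "rn" collapses to "m" before single characters map.
MULTI_CHAR = {"rn": "m", "vv": "w", "cl": "d"}
SINGLE_CHAR = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(label: str) -> str:
    """Reduce a label to its visual skeleton so look-alike spellings
    of one brand map to the same string (NFKC also folds full-width letters)."""
    s = unicodedata.normalize("NFKC", label).lower()
    for src, dst in MULTI_CHAR.items():
        s = s.replace(src, dst)
    return s.translate(SINGLE_CHAR)

# Brands to protect (constructed list). Skeletons are precomputed so the
# genuine spelling and its impostors are compared on equal terms.
PROTECTED = ["microsoft", "mastercard"]
PROTECTED_SKELETONS = {skeleton(b): b for b in PROTECTED}

def registrable_label(domain: str) -> str:
    """Label left of the suffix. Assumes a one-label suffix such as .com;
    production code should consult the Public Suffix List."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def impersonated_brand(domain: str) -> Optional[str]:
    """Return the protected brand this domain visually mimics, or None
    for the genuine domain and for unrelated names."""
    label = registrable_label(domain)
    if label in PROTECTED:
        return None
    return PROTECTED_SKELETONS.get(skeleton(label))

def flag_domains(domains):
    """Map each suspicious domain (e.g. from certificate transparency logs
    or mail headers) to the brand it impersonates."""
    return {d: b for d in domains if (b := impersonated_brand(d))}
```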

Closing Analysis

At Kian Technologies, we believe the takeaway for January 2026 is clear: Exposure accumulates quietly. Whether it is a forgotten Redis server or a background audio transcription service, the "background layers" of our tech stack are the new front lines. Organizations must focus on Phishing-Resistant MFA and Kernel-Level Monitoring to survive this new era of automated, low-friction attacks.



6 Comments

Priya Patel (24 Jan 2026, 03:55 PM)

This blog is a life-saver for security researchers. Detailed and concise.

Kiran Deshmukh (24 Jan 2026, 06:55 AM)

Impressive breakdown of the TikTok deal. Data sovereignty is the future.

Rohan Joshi (24 Jan 2026, 03:55 AM)

Highly professional content. Will definitely share this with my IT team.

Sanjay Bose (24 Jan 2026, 03:55 AM)

Cybersecurity is becoming so complex in 2026. Thanks for simplifying it.

Amit Mehra (24 Jan 2026, 02:55 AM)

Great analysis by Kian Technologies. Keeping our systems patched is indeed critical.

Abhishek Nair (24 Jan 2026, 02:55 AM)

Never knew about LOTS strategy before reading this. Very informative.