
Snapshot Summary
| Sector / Section | Headline Highlights | Count |
|---|---|---|
| DFIR & Incident Response | Europe incident trends; Russia RAT lures | 2 |
| Cyber Investigations | ATM jackpotting charges; Blackmoon espionage chain | 2 |
| Major Cyber Incidents | Nike extortion leak; 3.1M health records | 2 |
| Exploits & Threat Intelligence | Fortinet critical advisory; n8n sandbox escape | 2 |
| Law Enforcement | RAMP forum seized; identity-fraud indictment | 2 |
| Policy | EDPB kids privacy push; ENISA engagement strategy | 2 |
| Standards & Compliance | NICE role updates; Edge security fix tracking | 2 |
| Consumer App Data Leaks | Crunchbase breach confirmed; dating-app records claimed | 2 |
Digital Forensics & Incident Response
Eye Security publishes “State of Incident Response 2026” from 630 investigations — Eye Security released a field report summarizing 630 anonymized incident-response investigations across Europe, detailing common entry points, dwell-time patterns, and operational outcomes for mid-market victims [EMEA]. For DFIR teams, the value is benchmark-driven triage: you can calibrate detection gaps, validate containment playbooks against observed attacker sequences, and justify logging/MDR investments using real case metrics that map directly to evidence collection and recovery timelines. (Source: Eye Security, 28-01-2026).
Ankura CTIX flags Russia-focused social engineering delivering Amnesia RAT and ransomware — Ankura CTIX reported campaigns targeting users in Russia using social engineering and malicious documents to deliver remote-access tooling (including Amnesia RAT) and ransomware, enabling theft, file manipulation, and remote control [EMEA]. For responders, this improves collection and scoping: prioritize document execution traces, persistence artefacts, and credential-access telemetry, then correlate outbound C2 and lateral movement to separate simple commodity delivery from deeper access operations. (Source: Ankura, 27-01-2026).
Cyber Investigations
US charges 31 more defendants in massive ATM “jackpotting” probe — U.S. prosecutors filed additional charges in a wide ATM jackpotting investigation, raising the total to 87 defendants linked to coordinated cash-out operations and infrastructure abuse [AMER]. For investigators, the case underscores the evidentiary chain from malware deployment to cash-out crews: preserving terminal logs, mule communications, and device-imaging results early helps link physical withdrawals to remote operators and money-laundering nodes. (Source: SecurityWeek, 28-01-2026).
Tax-themed phishing targets Indian users with multi-stage “Blackmoon” malware — Researchers described an ongoing suspected espionage campaign targeting India using tax-phishing emails impersonating government processes to deliver a multi-stage backdoor dubbed Blackmoon [APAC]. For cyber investigations, preserving the full infection chain matters: collect lure emails, archives, and staging payloads with endpoint telemetry and network beacons so analysts can reconstruct initial access, persistence mechanisms, and data-exfiltration paths for attribution and victim notification. (Source: The Hacker News, 26-01-2026).
Major Cyber Incidents
Nike investigates incident after extortion group leaks alleged stolen files — Nike said it is investigating a potential cybersecurity incident after an extortion group published material it claims was stolen, intensifying pressure through public leak tactics rather than pure encryption [AMER]. For DFIR leads, this is a containment-and-proof problem: prioritize log preservation and DLP evidence, validate access paths and tokens, and prepare communications and legal workflows to handle “sample data” claims without tipping investigative findings to the actor. (Source: BleepingComputer, 27-01-2026).
HCIactive says health-data theft incident affects 3.1 million people — HCIactive, a services firm described as “AI-powered”, reported that a cyber incident affecting its environment has expanded to 3.1 million impacted individuals, reflecting large-scale health-data exposure concerns [AMER]. For incident responders, the scale shifts priorities toward defensible scoping: lock down identity and API access, preserve audit trails across vendors, and build patient-notification and fraud-monitoring playbooks that align with regulatory timelines and long-tail misuse. (Source: GovInfoSecurity, 28-01-2026).
Exploits & Threat Intelligence
Canada issues updated Fortinet advisory (AV26-059) for a critical FortiGate issue — The Canadian Centre for Cyber Security updated advisory AV26-059 following Fortinet’s disclosure of a critical vulnerability and guidance for affected products, noting active exploitation indicators and remediation urgency [AMER]. For defenders, firewall-edge flaws are rapid access multipliers: validate versions, review admin/SSO events and configuration export logs, rotate potentially exposed secrets, and assume post-exploit persistence until forensic review proves otherwise. (Source: Canadian Centre for Cyber Security, 28-01-2026).
Sandbox escape flaws expose n8n automation instances to remote code execution — Reporting on newly disclosed n8n vulnerabilities describes how sandbox escape conditions can allow attackers to compromise exposed workflow automation servers, access sensitive integrations, and execute code on hosts [GLOBAL]. This matters because automation nodes often hold high-trust tokens: prioritize patching and config hardening, review workflow execution histories for tampering, and hunt for credential reuse across connected SaaS and internal systems to contain blast radius quickly. (Source: BleepingComputer, 28-01-2026).
Law Enforcement
FBI seizes RAMP cybercrime forum infrastructure used by ransomware actors — U.S. authorities seized the RAMP cybercrime forum’s domains, disrupting a marketplace used to advertise malware, initial access, and ransomware-related services to criminal affiliates [AMER]. For defenders and investigators, takedowns can trigger rapid migration and retaliation: watch for new forum mirrors, leaked actor lists, and credential dumps, and use the disruption window to accelerate intelligence mapping of infrastructure and affiliate relationships. (Source: The Register, 28-01-2026).
DOJ: indictment details identity-theft and fraud scheme converting proceeds to crypto — The U.S. Attorney’s Office in Connecticut detailed an indictment alleging a broker-style fraud scheme using stolen identities, fraudulent payoff instructions, and money laundering, including conversion of stolen funds into cryptocurrency [AMER]. For cyber and fraud teams, the operational takeaway is preservation across channels: collect account-auth evidence, payment instructions, mailbox artefacts, and crypto tracing leads early so investigators can link social engineering to financial flows and recovery actions. (Source: U.S. Department of Justice, 28-01-2026).
Policy
EDPB Data Protection Day 2026 focuses on children’s personal data safety online — The European Data Protection Board marked Data Protection Day 2026 with materials aimed at helping children understand online privacy and digital rights, reinforcing expectations for clearer, age-appropriate transparency [EMEA]. For security and DFIR teams, policy direction translates into operational proof: ensure telemetry, retention, and incident reporting can demonstrate minimization and protective controls for minors’ data, and align breach response with heightened scrutiny on children’s risk exposure. (Source: EDPB, 28-01-2026).
ENISA publishes Stakeholder Strategy 2026–2028 and multiannual programming — ENISA published its Stakeholder Strategy 2026–2028 alongside updated programming documents, outlining how it will engage stakeholders to support EU cybersecurity resilience and coordination [EMEA]. For practitioners, this signals where influence and requirements may crystallize: track engagement priorities that affect certification, incident information sharing, and sector guidance, then align internal governance and reporting so your organization can respond quickly to emerging EU-driven expectations. (Source: ENISA, 28-01-2026).
Standards & Compliance
NIST reminder: public comment open on proposed NICE Framework updates — NIST issued a reminder that public comment remains open on proposed NICE Framework updates, including new work roles and competency adjustments with a February 2, 2026 deadline [AMER]. For organizations, this matters because workforce taxonomy drives control ownership: aligning IR, SOC, and forensics responsibilities to standardized roles improves auditability, training plans, and incident execution consistency across teams and vendors. (Source: NIST, 26-01-2026).
Microsoft Edge security release notes acknowledge Chromium fixes and forthcoming patch — Microsoft’s Edge security release notes stated that the company is aware of recent Chromium security fixes and is actively working to release a corresponding security fix [GLOBAL]. For compliance and vulnerability management, documenting this vendor status helps prioritize compensating controls: tighten browser update enforcement, monitor exploit chatter, and ensure patch validation and exception workflows are ready so that the moment the fix ships you can deploy quickly and prove remediation. (Source: Microsoft Learn, 27-01-2026).
Consumer App Data Leaks
Crunchbase confirms data breach after ShinyHunters leak claimed millions of records — Crunchbase confirmed a data breach after attackers published files they claim were stolen from corporate systems, with reporting indicating exposure of personal and company information at significant scale [AMER]. For defenders, the risk is downstream targeting: monitor for credential-stuffing and spearphishing using enriched business context, tighten SSO and API key hygiene, and coordinate rapid notification and takedown efforts for lookalike domains and impersonation campaigns. (Source: teiss, 27-01-2026).
ShinyHunters claims leak of 10M records tied to Match Group dating apps — Cybernews reported that ShinyHunters claims to possess over 10 million records from dating platforms including Hinge and OkCupid; published samples suggest user and transaction-related fields, and the company says it is investigating [GLOBAL]. This matters because dating data enables coercion and targeted fraud: advise users to reset passwords and enable MFA, and for enterprise teams, watch for credential reuse and social engineering that leverages sensitive relationship or location context. (Source: Cybernews, 28-01-2026).
Editorial Perspective
This cycle reinforces that “routine” security work—standards updates, browser fixes in flight, and edge-device advisories—directly shapes investigation quality and response speed when exploitation pressure rises.
Incident reporting shows two recurring accelerants: high-trust automation platforms and perimeter management systems, where a single weakness can cascade into configuration theft, rapid lateral movement, and long-tail recovery.
On the human side, fraud and extortion remain tightly coupled with identity abuse, so teams that pair disciplined evidence preservation with strong comms, notification, and policy alignment will contain impact faster and defend decisions under scrutiny.
Reference Reading
- Eye Security: State of Incident Response 2026 (630 investigations)
- Canadian Cyber Centre: Fortinet advisory AV26-059 (Update 1)
- BleepingComputer: n8n sandbox escape to RCE exposure
- EDPB: Data Protection Day 2026 children’s data guidance
- NIST: NICE Framework proposed updates (public comment)
- The Register: FBI seizure of RAMP cybercrime forum
Tags
DFIR, incident response, threat intelligence, Fortinet, n8n, ransomware extortion, cybercrime takedown, ATM jackpotting, health data breach, privacy policy, NICE Framework, ShinyHunters
