
X marks the violation.
Grok’s non-consensual imagery draws scrutiny from the European Commission. Researchers link several major data breaches to a single threat actor. The UK unveils a new Cyber Action Plan. A stealthy ClickFix campaign targets the hospitality sector. VVS Stealer malware targets Discord users. Covenant Health and AFLAC report data leaks. Google silences a critical Dolby flaw. Ilona Cohen, Chief Legal and Policy Officer at HackerOne, discusses “What the SolarWinds Dismissal Really Means for CISOs: Less Personal Risk, More Scrutiny on Disclosures.” UK students enjoy a digital snow day.
Today is Tuesday, January 6th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Grok’s non-consensual imagery draws scrutiny from the European Commission.
The European Commission is considering enforcement action against X after its artificial intelligence tool, Grok, was used to generate sexualized images of a minor. The issue surfaced after Grok responded to prompts to digitally remove clothing from images, including one involving a 14-year-old actress, amid wider misuse to create non-consensual sexual imagery of women.
Commission spokesperson Thomas Regnier said officials are “very seriously” examining the matter, calling the outputs illegal and unacceptable in Europe. He noted this was not the first problematic incident involving Grok and referenced prior concerns, including the spread of Holocaust-denying material.
The scrutiny follows a €120 million fine issued to X under the Digital Services Act, which X criticized as political censorship. The controversy has intensified tensions between the EU and the United States over platform regulation. Meanwhile, investigations are also underway in France, and the UK regulator Ofcom has warned that creating non-consensual intimate images is a criminal offense and is assessing X’s compliance with UK law.
Researchers link several major data breaches to a single threat actor.
Security firm Hudson Rock reports that several major data breaches are linked to a threat actor known as Zestix, also associated with the persona Sentap. The actor functions as an initial access broker, using stolen credentials harvested by information-stealing malware to break into enterprise networks, exfiltrate data, and sell both data and system access on underground forums.
Hudson Rock says the credentials were collected from infected employee devices, sometimes sitting in logs for years before being exploited. Weak protections, particularly the absence of multi-factor authentication on file-sharing services, enabled repeated compromises. Victims span aerospace, government, healthcare, legal, and robotics sectors, with stolen datasets reportedly sold for up to $150,000.
The findings highlight the long-running infostealer problem, where malware-as-a-service has commoditized cybercrime and made large-scale credential theft easier, faster, and harder to detect.
The UK unveils a new Cyber Action Plan.
The UK government has unveiled a new Cyber Action Plan that includes a centralized Cyber Unit and a Software Security Ambassador Scheme to strengthen public sector cyber resilience. The measures follow several high-profile 2025 cyber incidents affecting organizations such as Jaguar Land Rover, Marks & Spencer, and The Co-op, as well as a recent attack on a supplier to the National Health Service.
Backed by £210 million in funding, the plan aims to raise baseline security standards and improve coordinated incident response. The new Government Cyber Unit, housed within the Department for Science, Innovation and Technology, will oversee cross-department risk management. The ambassador scheme promotes a voluntary Software Security Code of Practice to reduce supply chain risk. While widely welcomed, some experts warn the funding may fall short of the challenge’s scale.
A stealthy ClickFix campaign targets the hospitality sector.
Security firm Securonix warns of a stealthy ClickFix phishing campaign targeting the hospitality sector to deliver remote access trojans. The attack uses fake Booking.com cancellation emails that lure victims to impersonation sites with deceptive CAPTCHA and fake blue screen messages. Victims are tricked into running PowerShell commands that deploy a customized DCRat. The malware disables defenses, establishes persistence, and uses resilient command-and-control techniques designed to survive infrastructure takedowns.
VVS Stealer malware targets Discord users.
Researchers at Palo Alto Networks Unit 42 have disclosed details of VVS Stealer, a Python-based malware targeting Discord users. Active since at least April 2025, the malware is distributed as a PyInstaller package, allowing it to run easily on Windows systems. Its primary goal is to steal Discord authentication tokens, giving attackers access to private messages, accounts, and potentially billing data.
VVS Stealer uses fake error messages to trick users into rebooting, then performs a Discord injection that modifies application files to monitor activity in real time. It also harvests credentials from major browsers, captures screenshots, and exfiltrates data via webhooks. Unit 42 reports the malware is sold as a subscription service on Telegram, highlighting the continued commercialization of credential-stealing malware.
Covenant Health and AFLAC report data leaks.
Nearly 478,000 patients of Covenant Health are being notified that their data may have been stolen in a May 2025 cyberattack. The incident, claimed by the Qilin ransomware group, initially appeared limited but was later found to have a far wider impact. Potentially exposed data includes personal, insurance, and medical information. Covenant says it shut down systems to contain the attack and has since strengthened security, though details remain limited.
Aflac is notifying 22.65 million people that their personal and health information may have been stolen in a June 2025 cyberattack. The insurer says the incident was quickly contained and did not involve ransomware, but compromised data may include Social Security numbers and health details. The breach could become the largest U.S. health data incident reported in 2025. Aflac is offering credit monitoring, while multiple class action lawsuits have been filed amid speculation, unconfirmed by the company, that Scattered Spider was involved.
Google silences a critical Dolby flaw.
Google has patched a critical vulnerability affecting the Android implementation of Dolby software. The flaw, tracked as CVE-2025-54957, is a buffer overflow in Dolby UDC versions 4.5 through 4.13 within the DD+ codec. According to Wiz, the issue stems from improper buffer allocation when processing Evolution data, leading to out-of-bounds writes and potential data leakage.
Dolby rated the bug as moderate severity, noting it typically causes media player crashes. Google, however, classifies it as critical, warning that combined with other Android flaws it could have greater impact, particularly on Pixel devices. The vulnerability has now been fixed through Android security updates.
UK students enjoy a digital snow day.
In a modern twist on the traditional snow day, students at Higham Lane School in Warwickshire earned an unscheduled extension to their Christmas break, not thanks to icy roads but a cyberattack that wiped out the school’s IT systems. Phones, email, servers, and management platforms all went dark, prompting leaders to close the school and call in a Cyber Incident Response Team from the Department for Education.
Headteacher Michael Gannon told parents the shutdown was advised by external experts and that staff and students should avoid all school systems while investigations continue. With Google Classroom and SharePoint off-limits, pupils were redirected to BBC Bitesize and Oak National Academy, proving revision can happen even when the network cannot.
The school has reported the incident to the Information Commissioner’s Office, acknowledging possible data protection implications. A reopening is planned, but only once systems are safe, turning this digital outage into a lesson in how fragile school IT can be.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
