Author: tio

  • Patch Tuesday, January 2026 Edition

    Microsoft today issued patches to plug at least 113 security holes in its various Windows operating systems and supported software. Eight of the vulnerabilities earned Microsoft’s most-dire “critical” rating, and the company warns that attackers are already exploiting one of the bugs fixed today.

    January’s Microsoft zero-day flaw — CVE-2026-20805 — is brought to us by a flaw in the Desktop Window Manager (DWM), a key component of Windows that organizes windows on a user’s screen. Kev Breen, senior director of cyber threat research at Immersive, said despite awarding CVE-2026-20805 a middling CVSS score of 5.5, Microsoft has confirmed its active exploitation in the wild, indicating that threat actors are already leveraging this flaw against organizations.

    Breen said vulnerabilities of this kind are commonly used to undermine Address Space Layout Randomization (ASLR), a core operating system security control designed to protect against buffer overflows and other memory-manipulation exploits.

    “By revealing where code resides in memory, this vulnerability can be chained with a separate code execution flaw, transforming a complex and unreliable exploit into a practical and repeatable attack,” Breen said. “Microsoft has not disclosed which additional components may be involved in such an exploit chain, significantly limiting defenders’ ability to proactively threat hunt for related activity. As a result, rapid patching currently remains the only effective mitigation.”

    Chris Goettl, vice president of product management at Ivanti, observed that CVE-2026-20805 affects all currently supported and extended security update supported versions of the Windows OS. Goettl said it would be a mistake to dismiss the severity of this flaw based on its “Important” rating and relatively low CVSS score.

    “A risk-based prioritization methodology warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned,” he said.

    Among the critical flaws patched this month are two Microsoft Office remote code execution bugs (CVE-2026-20952 and CVE-2026-20953) that can be triggered just by viewing a booby-trapped message in the Preview Pane.

    Our October 2025 Patch Tuesday “End of 10” roundup noted that Microsoft had removed a modem driver from all versions after it was discovered that hackers were abusing a vulnerability in it to hack into systems. Adam Barnett at Rapid7 said Microsoft today removed another couple of modem drivers from Windows for a broadly similar reason: Microsoft is aware of functional exploit code for an elevation of privilege vulnerability in a very similar modem driver, tracked as CVE-2023-31096.

    “That’s not a typo; this vulnerability was originally published via MITRE over two years ago, along with a credible public writeup by the original researcher,” Barnett said. “Today’s Windows patches remove agrsm64.sys and agrsm.sys. All three modem drivers were originally developed by the same now-defunct third party, and have been included in Windows for decades. These driver removals will pass unnoticed for most people, but you might find active modems still in a few contexts, including some industrial control systems.”

    According to Barnett, two questions remain: How many more legacy modem drivers are still present on a fully-patched Windows asset; and how many more elevation-to-SYSTEM vulnerabilities will emerge from them before Microsoft cuts off attackers who have been enjoying “living off the land[line] by exploiting an entire class of dusty old device drivers?”

    “Although Microsoft doesn’t claim evidence of exploitation for CVE-2023-31096, the relevant 2023 write-up and the 2025 removal of the other Agere modem driver have provided two strong signals for anyone looking for Windows exploits in the meantime,” Barnett said. “In case you were wondering, there is no need to have a modem connected; the mere presence of the driver is enough to render an asset vulnerable.”
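    A host-level check that follows from the point that the mere presence of the driver matters: this PowerShell inventory is an added example, not code from the article, Rapid7 or Microsoft, and it looks for the two driver files named above. The search locations and the function names are assumptions chosen for illustration.

```powershell
# Added example (not from the article): inventory of the two driver files the
# article names. Run in an elevated PowerShell session on the host being checked.
$DriverNames = @('agrsm64.sys', 'agrsm.sys')   # file names quoted in the article

# Assumption: the standard Windows driver locations under %SystemRoot%.
$SearchRoots = @(
    (Join-Path $env:SystemRoot 'System32\drivers'),
    (Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository')
)

# Hypothetical helper: find on-disk copies of the named drivers and record
# enough metadata (version, timestamp, hash) to compare hosts against each other.
function Get-LegacyModemDriverFile {
    param([string[]]$Names, [string[]]$Roots)

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $Names -contains $_.Name } |   # -contains is case-insensitive
            ForEach-Object {
                [pscustomobject]@{
                    Path        = $_.FullName
                    FileVersion = $_.VersionInfo.FileVersion
                    LastWrite   = $_.LastWriteTimeUtc
                    SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

# Hypothetical helper: list kernel driver services whose image path ends in one
# of the named files, whether or not the service is currently running.
function Get-LegacyModemDriverService {
    param([string[]]$Names)

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object {
            $leaf = ($_.PathName -split '[\\/]')[-1]   # handles \SystemRoot\ and \??\ prefixes
            $leaf -and ($Names -contains $leaf)
        } |
        Select-Object Name, State, StartMode, PathName
}

$files    = @(Get-LegacyModemDriverFile -Names $DriverNames -Roots $SearchRoots)
$services = @(Get-LegacyModemDriverService -Names $DriverNames)

if ($files.Count -eq 0 -and $services.Count -eq 0) {
    Write-Output "No copies of $($DriverNames -join ', ') found on $env:COMPUTERNAME."
} else {
    # A hit in either list means the driver is still present on this host,
    # regardless of whether any modem hardware is attached.
    $files    | Format-List
    $services | Format-Table -AutoSize
}
```

    A host that still reports either file after the January updates are installed is worth a closer look, since the article says those updates remove both drivers.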

    Immersive, Ivanti and Rapid7 all called attention to CVE-2026-21265, which is a critical Security Feature Bypass vulnerability affecting Windows Secure Boot. This security feature is designed to protect against threats like rootkits and bootkits, and it relies on a set of certificates that are set to expire in June 2026 and October 2026. Once these 2011 certificates expire, Windows devices that do not have the new 2023 certificates can no longer receive Secure Boot security fixes.

    Barnett cautioned that when updating the bootloader and BIOS, it is essential to prepare fully ahead of time for the specific OS and BIOS combination you’re working with, since incorrect remediation steps can lead to an unbootable system.

    “Fifteen years is a very long time indeed in information security, but the clock is running out on the Microsoft root certificates which have been signing essentially everything in the Secure Boot ecosystem since the days of Stuxnet,” Barnett said. “Microsoft issued replacement certificates back in 2023, alongside CVE-2023-24932 which covered relevant Windows patches as well as subsequent steps to remediate the Secure Boot bypass exploited by the BlackLotus bootkit.”

    Goettl noted that Mozilla has released updates for Firefox and Firefox ESR resolving a total of 34 vulnerabilities, two of which are suspected to be exploited (CVE-2026-0891 and CVE-2026-0892). Both are resolved in Firefox 147 (MFSA2026-01) and CVE-2026-0891 is resolved in Firefox ESR 140.7 (MFSA2026-03).

    “Expect Google Chrome and Microsoft Edge updates this week in addition to a high severity vulnerability in Chrome WebView that was resolved in the January 6 Chrome update (CVE-2026-0628),” Goettl said.

    As ever, the SANS Internet Storm Center has a per-patch breakdown by severity and urgency. Windows admins should keep an eye on askwoody.com for any news about patches that don’t quite play nice with everything. If you experience any issues related to installing January’s patches, please drop a line in the comments below.

  • Analysing Footage of Minneapolis ICE Shooting

    On Jan. 7 Renee Good, a 37-year-old mother of three, was shot and killed by a federal agent on Portland Avenue in Minneapolis, Minnesota. The incident was captured on several separate videos and spread rapidly on social media. The videos were soon accompanied by competing analysis and narratives as to what had happened.

    Bellingcat looked at five videos filmed during the incident, including one apparently from the phone of Jonathan Ross, the ICE agent who shot and killed Good.

    While each video alone provides valuable information, the five together provide a fuller picture of the situation as it unfolded.

    Synced Overview

    One of the ways to visualise the full incident was by tracking the movements of the key players on an overview map, which Bellingcat did shortly after the incident on Jan. 7. 

    Using eyewitness video shared by Daniel Suitor on Bluesky we tracked the movements of federal agents at the scene – including Ross as he moved around the street. The video also captured the position and movements of Good’s vehicle before, during and after the shots were fired.

    We’ve also updated our animated map of the positions of agents and vehicles during the incident here with new footage published by @cnn.com that shows the shooter closer to a white SUV prior to the shooting bsky.app/profile/bell…

    — Bellingcat (@bellingcat.com) Jan 8, 2026 at 18:38

    Close-Up View

    Another video, filmed by a bystander and later shared by the Minnesota Reformer, shows a closer view of Ross’ movements in the moments immediately before the shooting. 

    In the video, Ross can be seen with his phone in his left hand filming Good before he pulls his gun out of its holster with his right hand. Roughly one second elapses before he fires the first round through Good’s front window. Two more shots follow.

    A still from that same video captures Ross as he walks past in the seconds after the shooting. A camera app appears open on his phone.

    A still image in a video published by the Minnesota Reformer. A video app can be seen open in the federal agent’s phone.

    Agent’s Phone

    On Jan. 9, a video filmed by Ross was published on X by a conservative news outlet called Alpha News. 

    By syncing this video up with the other four available videos, it was possible to observe more of what occurred, including from Ross’ rough perspective. However, it is important to note that Ross was holding the phone slightly away from his body, so what appears in the video would be marginally different to what would have been his line of sight. 

    In the footage, Good can be seen backing up before veering to the right as Ross and the camera move to her left. It is not clear from this footage exactly how close the car came to Ross, as the cellphone points up and away as the vehicle moves forward. Someone can be heard saying “whoa” before gunshots are heard. 

    An angle captured from down the street (middle lower right in the synchronised video below and in full view here) – which some have suggested shows Ross being hit by the vehicle – does appear to show the vehicle pass close to the agent as he fires. However, the close-up video shared by the Minnesota Reformer (middle top and in full view here) shows Ross moving out of the way and to the side of the vehicle as he fires.

    Another video published by CNN (middle lower left) shows a head-on view of the incident from surveillance footage.

    New footage from the ICE agent’s phone who shot at Renee Nicole Good in Minneapolis has emerged, posted by AlphaNews on X. We’ve placed that footage in a synced timeline with the other currently available footage.

    — Bellingcat (@bellingcat.com) Jan 9, 2026 at 21:23

    Almost one week after the incident, protests have been held in Minneapolis and other cities in the US. 

    US President Donald Trump and Department of Homeland Security Secretary Kristi Noem initially said that Good had tried to run over an ICE officer after blocking the road, labelling her a “domestic terrorist”. However, the Democratic mayor of Minneapolis, Jacob Frey, said that version of events was “garbage” and disproven by the video footage.

    On Monday, Jan. 12, Noem told FOX News that more ICE agents would be sent to Minnesota.

    Individual links to each of the five videos detailed above can be found here, here, here, here and here.

    The post Analysing Footage of Minneapolis ICE Shooting appeared first on bellingcat.

  • Increase taxes on sugary drinks and alcohol to save lives, urges WHO

    Beverages like sugary drinks and alcohol are too accessible and cost too little in most of the world – helping fuel obesity, diabetes, cancer and injury, the World Health Organization (WHO) warned on Tuesday.

  • Why Is Everyone Suddenly Talking About Putting Data Centers in Space?

    Data centers present sprawling engineering and political problems, with ravenous appetites for land and resources. Building them on Earth has proven problematic enough — so why is everyone suddenly talking about launching them into space?

    Data centers are giant warehouses for computer chips that run continuously, with up to hundreds of thousands of processors packed closely together taking up a mammoth footprint: An Indiana data center complex run by Amazon, for example, takes up more real estate than seven football stadiums. To operate nonstop, they consume immense amounts of electricity, which in turn is converted to intense heat, requiring constant cooling with fans and pumped-in water.

    Fueled by the ongoing boom in artificial intelligence, Big Tech is so desperate to power its data centers that Microsoft successfully convinced the Trump administration to restart operations at the benighted Three Mile Island nuclear plant in Pennsylvania.

    The data center surge has spawned a backlash, as communities grow skeptical about their environmental toll and ultimate utility of the machine learning systems they serve.

    It’s in this climate that technologists, investors, and the world’s richest humans are now talking about bypassing Earth and its logistical hurdles by putting data centers in space. And if you take at face value the words of tech barons whose wealth in no small part relies on overstating what their companies may someday achieve, they’re not just novel but inevitable. The Wall Street Journal reported last month that Jeff Bezos’s space launch firm Blue Origin has been working on an orbital data center project for over a year. Elon Musk, not known for accurate predictions, has publicly committed SpaceX to putting AI data centers in orbit. “There’s no doubt to me that a decade or so away we’ll be viewing it as a more normal way to build data centers,” Google CEO Sundar Pichai recently told Fox News.

    The prospect of taking a trillion-dollar industry that is already experiencing a historic boom and literally shooting it toward the moon has understandably created a frenzy within a frenzy.

    But large questions remain: Is it even possible? And if it is, why bother?

    Orbital computing boosters claim the reason is simple: Data centers are very hot. Space, as sci-fi teaches us, is very cold. Data centers need a lot of energy, and the sun produces an effectively infinite supply of it. The thinking goes that with free ambient cooling and constant access to solar power (unlike terrestrial solar panels, these wouldn’t have to contend with Earth’s rotation or atmosphere), an orbital data center could beam its information back to our planet with few earthly downsides.

    Experts who spoke to The Intercept say it’s nowhere near this simple. Despite the fact that putting small objects like satellites into orbit has become significantly cheaper than decades past, doing anything in space remains an extremely expensive and difficult enterprise compared to doing it on the ground. And even if the engineering problems are surmountable, some question the point.

    There are varying visions of space data centers. Musk’s idea seems to be based on constellations of smaller satellites carrying computing hardware; others envision massive spacecraft the size of skyscrapers filled with graphics-processing units.

    “If you wanted to spend enough money, you could absolutely put GPUs in space and have them do the things that data centers are supposed to do,” Matthew Buckley, a theoretical physicist at Rutgers University, told The Intercept. “The reason that I would say it is an incredibly stupid idea is that in order to make them work, you’re going to have to spend incredible amounts of money to keep them from melting. And you could solve that problem much easier by not launching them into space. And it is unclear why on earth you would want to do that.”

    Outer space is largely a cold vacuum, but objects in Earth’s orbit are subjected to temperature extremes. Ali Hajimiri, an electrical engineering professor at Caltech, pushed back on the “general notion of a cold vacuum of space. Actually space can become very cold or very hot.” The International Space Station, carrying a computer payload producing a mere fraction of the heat of a large-scale data center, has to carefully contend with temperatures of between 250 and -250 degrees Fahrenheit depending on whether it’s exposed to direct sunlight. But even when an object in orbit is subjected to extreme cold temperatures, the nature of space’s vacuum behaves drastically differently than hot and cold within our atmosphere.

    On Earth, you can remove a boiling kettle from the stove and the energy within will gradually transfer to the surrounding air, cooling the vessel and its contents back to room temperature. In space, there is no air, water, or other medium to which one can transfer heat, thus the coldness of space would do nothing to cool a scorching hot piece of silicon. “If you put a GPU in space and powered it, it would melt,” said Buckley.

    Without ambient air or any other medium to ferry away heat through convection, a hypothetical space data center would need to rely on thermal radiation. Washington-based Starcloud is among the most prominent startups pitching orbital data centers as a concept, and says it’s working to build a 5 gigawatt space facility, a staggering figure that represents about 10 percent of all electricity currently consumed by data centers on Earth, according to a recent Goldman Sachs estimate. Starcloud says it would get rid of the astounding amount of heat generated in such a facility through the use of enormous radiators — essentially large pieces of metal that absorb the heat directly from the onboard chips and then radiate it out into space. Physics dictates that this would require radiators unlike anything that’s ever been constructed: Starcloud says it would use 16 square kilometers of radiators, taller and wider than four Burj Khalifa skyscrapers stacked end to end. How such a thing would be launched into or constructed in space, a project without any precedent, is unclear.

    “If you want to create this heat transfer system, either heat pipes and all those things, those things are heavy,” Hajimiri said. “And heavy is not good for space.”

    Then there’s the sun. Proponents of space data centers also point to the fact that a solar panel in space can receive uninterrupted solar energy without diminishment from weather or Earth’s atmosphere. But all of this sunlight generates extreme heat of its own, requiring further cooling. And any efficiency gained by putting the panels closer to the sun, argued Buckley, is largely negated by the extreme inefficiency of having to put them into space in the first place.

    Other unsolved problems abound. While space is thought of as empty, it’s filled with radiation that can damage computer hardware or corrupt the data stored within. Earth’s orbit is also filled with debris. This orbiting space trash presents the biggest hurdle, according to John Crassidis, a mechanical and aerospace engineering professor at the University of Buffalo. Near-misses and space junk collisions are a real danger for satellites — objects a small fraction of the size of mammoth orbiting data centers. Last month, Starlink executive Michael Nicolls announced one of the company’s satellites — infinitesimal compared to Starcloud’s plan — nearly collided with a Chinese satellite. “This stuff’s going 17,500 miles per hour,” Crassidis said of space debris, and even contact with a tiny fragment could be catastrophic. “It doesn’t take too big of a hole. I think it’s half an inch radius to explode the whole [International] Space Station.”

    Though Crassidis doesn’t object to companies pursuing these projects, he cautions that flooding Earth’s orbit with chip-ferrying satellites could make a dangerous situation worse. He pointed to Kessler syndrome, a theoretical scenario in which low Earth orbit becomes so crowded with objects and trash that it becomes unusable by humans.

    Any floating data center would also have to contend with the difficulties of communicating between space and Earth; even Starlink’s broadband satellites are extremely slow compared to the fiber optic connections plugged into terrestrial data centers. University of Pittsburgh electrical and computer engineering department chair Alan George told The Intercept that sending data between Earth and space is just one of “many extreme challenges to overcome.” And if it can’t be solved, the whole endeavor is for naught. “Bold claims are being made based upon technologies that don’t yet exist,” he said.

    “If you have hundreds of billions of dollars, you can launch enough infrastructure to keep it cool. Why would you do that when you can just put it an ugly building at the end of the block?” said Buckley. “I’m not saying that you could never do this if you just decided to set money on fire. I’m just saying I don’t understand the motivation to do this.”

    The motivation may be as financial as it is scientific. SpaceX is rumored to be approaching an initial public offering that could potentially be bolstered by plans for orbiting data centers, and any Big Tech entity knows it can reap publicity and share price benefits by mentioning “AI” at any available opportunity. Space is trendy, “AI” is booming (or bubbling), and the combination of the two could spur further investment.

    Starcloud co-founder and CEO Philip Johnston was unfazed by these challenges in an interview with The Intercept. He said his company’s vision of a 5-gigawatt facility is 10 to 15 years away, by which point he believes SpaceX launches will be so frequent and carry such huge payloads that bringing the raw materials to orbit shouldn’t be difficult. Johnston dismissed as “annoying” criticism of his company’s plan to cool hot chips in space. “Nothing we’re doing is against the laws of physics and nothing requires new physics to make it work. It’s not like we’re building a fusion reactor.”

    In his view, it’s simply a matter of scaling up existing technology. Johnston said he doesn’t believe his company will compete with Earth-based facilities for several years, at which point he thinks Starcloud will begin launching large constellations of smaller satellites carrying computing hardware that will mesh together, rather than one giant object. This modular approach, Johnston said, will also take care of the obsolescence issue: Older hardware can simply be left to burn up upon reentering the Earth’s atmosphere. For the time being, he said the company will cater to the specialized needs like processing satellite imagery, with potential customers including the U.S. Department of War. The company counts In-Q-Tel, the venture capital arm of the U.S. intelligence community, among its backers. Johnston told The Intercept that the “CIA is interested in what we’re doing,” but declined to comment further.

    Experts who spoke with The Intercept didn’t wholly oppose these projects because the sheer enormity of the challenge could yield engineering breakthroughs. But many also suggested that the mammoth investment in resources and ingenuity required would be better spent on the surface.

    Hajimiri says he believes the engineering problems could be solved eventually, and that crazy ideas can yield scientific and societal benefits. A decade ago, he pursued a similar project on a far smaller scale. He and his team dropped it for a simple reason: Chips need to be replaced. The processors used to train state-of-the-art large language models are rendered obsolete in a matter of years. It’s this need for newer and better chips that has taken the value of chipmakers like Nvidia into the stratosphere. But it’s not just buying the latest and greatest. Things go wrong: Processors sometimes fail, power supplies burn out, wiring needs to be fixed. In earthly data centers, the solution is easy. Technicians use their hands to pop in a replacement processor, for example.

    “Data centers need full-time humans to deal with the occasional hardware emergencies,” said Dimitrios Nikolopoulos, an engineering professor at Virginia Tech who works on high-performance computing. “And I don’t know how this is gonna be dealt with in space.” Johnston predicted that robot repairmen would eventually solve this problem.

    When an orbital data center’s hardware grows obsolete, companies would need to figure out how to upgrade them. Otherwise it becomes a piece of space trash two-and-a-half miles across.

    Jesse Jenkins, an engineering professor at Princeton who works on energy technologies, said the tech world is simply looking in the wrong place. “The fact that we are considering building data centers in space because it’s too hard to build and power them on land should be an indictment of our ability to deploy new energy and data infrastructure at scale in the United States.”

    The biggest problem is the simplest, said veteran aerospace engineer Andrew McCalip. Though the cost of putting things in space has decreased dramatically, it’s still vastly greater than building a data center on land. “Can we host a GPU in space cheaper than hosting it in a building in Oregon?” he asked. The answer remains an emphatic no.

    McCalip is also skeptical of Johnston’s claim that Starcloud represents a green alternative to terrestrial data centers. Launching craft large enough and frequently enough to make orbital data centers feasible would require infeasibly vast volumes of liquid oxygen fuel, McCalip said, and manufacturing enough to match the ambitions of SpaceX (and other companies hoping to hitch a ride to orbit) would likely entail burning a lot of fossil fuels.

    It’s enough to make you ask once more: Why do all of this in space?

    “The benefit,” McCalip said, “would be this sort of vague ‘Humanity gets better at doing things in space.’”

    Correction: January 15, 2026
    Due to an editing error, a quote was misattributed. “If you have hundreds of billions of dollars, you can launch enough infrastructure to keep it cool. Why would you do that when you can just put it an ugly building at the end of the block?” was said by Matthew Buckley, not Alan George.

    The post Why Is Everyone Suddenly Talking About Putting Data Centers in Space? appeared first on The Intercept.

  • RFK Jr. Flips the Food Pyramid on Its Head

    This story was originally published by Sentient.

    After multiple delays, the Trump administration finally released the latest version of the Dietary Guidelines for Americans on Wednesday. The document advises Americans to eat more red meat and dairy, cautions against added sugars and ultra-processed foods and flips the food pyramid on its head.

    The dietary guidelines are written and released every five years by the Department of Health and Human Services and the Department of Agriculture. The document guides many of the government’s most significant food programs. School lunch offerings and the foods available for purchase with SNAP benefits must adhere to its recommendations. In all, the dietary guidelines influence over $40 billion in federal spending annually.

    The most recent dietary guidelines advisory panel recommended prioritizing plant-based proteins over animal-based ones after two years of reviewing the latest research. However, Health and Human Services Secretary Robert F. Kennedy Jr. nixed this idea.

    The new guidelines are already drawing criticism.

    “These guidelines take us back to the diets of the 1950s, when everyone was eating lots of meat and dairy and not worrying much about vegetables, and heart disease was rampant,” Marion Nestle, a professor emerita of nutrition, food studies and public health at New York University who served on the advisory panel in the 1990s, wrote on her blog Food Politics. “I’m all for eating whole foods, but these guidelines dismiss 75 years of research favoring diets higher in plant foods.”

    A meaty update

    Some clues already existed regarding what the guidelines would look like. Kennedy said last year that the administration would be disregarding the advisory panel’s research-based suggestions and crafting the guidelines from the ground up. He made clear that the new version would focus on the supposed dangers of ultra-processed foods, a pet issue of his; in truth, the health properties of ultra-processed foods aren’t black and white, as some ultra-processed foods, such as whole-grain grocery store bread, are perfectly nutritious.

    The new guidelines place heavy emphasis on protein, with the official website going so far as to proclaim that the administration is “ending the war on protein.” It’s unclear what this is a reference to. Sentient has reached out to the USDA and HHS for clarification on this and other questions. Neither agency has responded.

    While the previous version of the document endorsed low-fat dairy and lean meats such as poultry and fish, this newest update advises Americans to eat red meat and full-fat dairy. Eating more red meat has been linked to a higher risk of cardiovascular disease, diabetes, and premature death. Though the document emphasizes animal protein, it does also say that “every meal must prioritize high-quality, nutrient-dense protein from both animal and plant sources.” This guideline seems to be in contradiction with the new visual.

    Like previous versions, the document advises limiting saturated fat to 10% of daily calories — but at the same time it recommends eating more full-fat dairy and red meat. As Nestle points out, this creates a contradiction. Full-fat dairy is high in saturated fat, and the majority of fat in red meat is saturated.

    “If you increase the amount of protein, meat and full-fat dairy in your diet, you will not be able to keep your saturated fat intake below 10% of calories, and will have a harder time maintaining calorie balance,” Nestle wrote in her blog. 

    As with previous versions of the guidelines, the latest update gives dairy its own category separate from the protein category, although dairy contains significant protein, and advises Americans to consume three servings of dairy per day.

    Upside down

    Visually, the new guidelines have scrapped MyPlate, which was introduced by the USDA in 2011 to be a clear and simple guide to which quantities of different food groups to eat. Instead, they return to the food pyramid — but flipped upside down.

    “We are reclaiming the food pyramid and returning it to its true purpose of educating and nourishing all Americans,” the document boasts, though the food pyramid was in fact originally designed for Swedish consumers.

    The inverted food pyramid starts at the top left with pictures of a steak, cheese, chicken and vegetables, apparently indicating that these foods are good to consume in large quantities. In the middle, butter, grapes and nuts are placed at the same level. Whole grains are at the bottom, visually communicating that Americans should eat less of them than other foods, even though the guidelines themselves recommend eating two to four servings of whole grain per day.

    While the old pyramid contained six categories of food, the new one includes only three: “proteins, dairy, and healthy fats,” “vegetables and fruits” and “whole grains.” Unlike the old version, the inverted pyramid graphic doesn’t list specific serving sizes.

    Federal law requires the government to update the guidelines every five years, but the administration blew through several self-imposed deadlines while crafting them, and ultimately missed the legal deadline for their release.

    The post RFK Jr. Flips the Food Pyramid on Its Head appeared first on Truthdig.

  • Sudan war leaves millions hungry and displaced as health system nears collapse

    Sudan’s protracted conflict has spiralled into one of the world’s most severe humanitarian crises, with hunger, displacement and the collapse of basic services exacting a daily toll on civilians.

  • Trump’s Unconstitutional War on Blue States

    What does Donald Trump have against Minnesota? Not only is ICE causing mayhem in Minneapolis, but Trump is also halting hundreds of millions of dollars in federal funding for social services programs there, according to a Tuesday announcement from the Department of Health and Human Services.

    It’s not just Minnesota. Trump is also stopping billions in funding for social services in Colorado, Illinois, New York and California.

    Why? Could it be because all of them are led by Democrats and inhabited by voters who overwhelmingly rejected Trump in 2024?

    It’s not the first time Trump has openly penalized “blue” states. What’s new is how blatant his vindictiveness toward blue states has become.

    Angry at Colorado’s votes against him in three successive elections and at its refusal to free Tina Peters — the former clerk of Mesa County, who was convicted in 2024 of tampering with voting machines under her control in a failed plot to prove they had been used to rig the 2020 election against Trump — the president has cut off transportation money to the state, relocated the military’s Space Command, vowed to dismantle a major climate and weather research center located there and rejected disaster relief for rural counties hammered by floods and wildfires.

    Two weeks ago Trump used the first veto of his second term to kill a pipeline project that had achieved bipartisan congressional support to provide clean drinking water to Colorado’s parched eastern plains. (Trump’s action enraged the Republican congresswoman and formerly dedicated Trumper Lauren Boebert, who stated: “Nothing says America First like denying clean drinking water to 50,000 people in southeast Colorado, many of whom voted for him in all three elections.”)

    If there were any doubts about Trump’s sentiments toward Colorado, he posted a New Year’s Eve message telling Colorado Gov. Jared Polis, a Democrat, and Daniel P. Rubinstein, the Republican district attorney in Mesa County who prosecuted Peters, to “rot in Hell,” adding: “I wish them only the worst.”

    Is it even legal for Trump to reward red states and penalize blue ones? In a word: No.

    In early December, Justice Department lawyers openly admitted that Trump withheld Department of Energy grants to Minnesota and other states according to “whether a grantee’s address was located in a State that tends to elect and/or has recently elected Democratic candidates in state and national elections.”

    It’s the first time the Trump regime clearly acknowledged in court that which states get what depends on whether most people in a state voted for or against him.

    What’s the legal argument? Trump’s Justice Department lawyers claim that such overt political vindictiveness “is constitutionally permissible, including because it can serve as a proxy for legitimate policy considerations.”

    This, my friends, is utter rubbish.

    Punishing states based on whom their residents voted for directly violates the 14th Amendment’s Equal Protection Clause, which requires that the government treat citizens equally under the law: No “State [shall] deprive … to any person within its jurisdiction the equal protection of the laws.”

    Penalizing a state for how its citizens vote also violates the First Amendment’s guarantee of freedom of speech. Voting is one of the most basic forms of speech in a democracy; it cannot be abridged or punished depending on for whom one votes.

    And it violates a president’s duty under the Constitution to “take Care that the Laws be faithfully executed.” At the least, this requires that a president apply the law in a nonpartisan way. Congress may award grants or benefits to certain states and not others, but this power is reserved for Congress, not the president.

    The issue will almost certainly end up in the Supreme Court. Although my expectations for our highest court could not be much lower, I’d be surprised if the justices sided with Trump here.

    Any other result would effectively allow Trump to pit red states against blue and wreak havoc on the very idea of a national government.

    Trump has made it clear he regards himself as president only of the people who voted for him. But that’s not how the Constitution works. Nor is it how American democracy works.

    The post Trump’s Unconstitutional War on Blue States appeared first on Truthdig.

  • Turning freedom values into freedom practice with the FSF tech team

    Ian Kelling, FSF senior systems administrator, and also our president, outlines the complex steps the FSF tech team goes through to ensure the software we use is free. The tech team — currently just two people — is vital to our collective work for software freedom, which itself helps guarantee many of our other basic freedoms. We depend on people just like you to support our work: we have an associate membership drive to welcome 100 new members by January 16. Please join the FSF and help keep this work going.

  • Who Benefited from the Aisuru and Kimwolf Botnets?

    Our first story of 2026 revealed how a destructive new botnet called Kimwolf has infected more than two million devices by mass-compromising a vast number of unofficial Android TV streaming boxes. Today, we’ll dig through digital clues left behind by the hackers, network operators and services that appear to have benefitted from Kimwolf’s spread.

    On Dec. 17, 2025, the Chinese security firm XLab published a deep dive on Kimwolf, which forces infected devices to participate in distributed denial-of-service (DDoS) attacks and to relay abusive and malicious Internet traffic for so-called “residential proxy” services.

    The software that turns one’s device into a residential proxy is often quietly bundled with mobile apps and games. Kimwolf specifically targeted residential proxy software that is factory installed on more than a thousand different models of unsanctioned Android TV streaming devices. Very quickly, the residential proxy’s Internet address starts funneling traffic that is linked to ad fraud, account takeover attempts and mass content scraping.

    The XLab report explained its researchers found “definitive evidence” that the same cybercriminal actors and infrastructure were used to deploy both Kimwolf and the Aisuru botnet — an earlier version of Kimwolf that also enslaved devices for use in DDoS attacks and proxy services.

    XLab said it suspected since October that Kimwolf and Aisuru had the same author(s) and operators, based in part on shared code changes over time. But it said those suspicions were confirmed on December 8 when it witnessed both botnet strains being distributed by the same Internet address at 93.95.112[.]59.

    RESI RACK

    Public records show the Internet address range flagged by XLab is assigned to Lehi, Utah-based Resi Rack LLC. Resi Rack’s website bills the company as a “Premium Game Server Hosting Provider.” Meanwhile, Resi Rack’s ads on the Internet moneymaking forum BlackHatWorld refer to it as a “Premium Residential Proxy Hosting and Proxy Software Solutions Company.”

    Resi Rack co-founder Cassidy Hales told KrebsOnSecurity his company received a notification on December 10 about Kimwolf using their network “that detailed what was being done by one of our customers leasing our servers.”

    “When we received this email we took care of this issue immediately,” Hales wrote in response to an email requesting comment. “This is something we are very disappointed is now associated with our name and this was not the intention of our company whatsoever.”

    The Resi Rack Internet address cited by XLab on December 8 came onto KrebsOnSecurity’s radar more than two weeks before that. Benjamin Brundage is founder of Synthient, a startup that tracks proxy services. In late October 2025, Brundage shared that the people selling various proxy services which benefitted from the Aisuru and Kimwolf botnets were doing so at a new Discord server called resi[.]to.

    On November 24, 2025, a member of the resi-dot-to Discord channel shares an IP address responsible for proxying traffic over Android TV streaming boxes infected by the Kimwolf botnet.

    When KrebsOnSecurity joined the resi[.]to Discord channel in late October as a silent lurker, the server had fewer than 150 members, including “Shox” — the nickname used by Resi Rack’s co-founder Mr. Hales — and his business partner “Linus,” who did not respond to requests for comment.

    Other members of the resi[.]to Discord channel would periodically post new IP addresses that were responsible for proxying traffic over the Kimwolf botnet. As the screenshot from resi[.]to above shows, that Resi Rack Internet address flagged by XLab was used by Kimwolf to direct proxy traffic as far back as November 24, if not earlier. All told, Synthient said it tracked at least seven static Resi Rack IP addresses connected to Kimwolf proxy infrastructure between October and December 2025.

    Neither of Resi Rack’s co-owners responded to follow-up questions. Both have been active in selling proxy services via Discord for nearly two years. According to a review of Discord messages indexed by the cyber intelligence firm Flashpoint, Shox and Linus spent much of 2024 selling static “ISP proxies” by routing various Internet address blocks at major U.S. Internet service providers.

    In February 2025, AT&T announced that effective July 31, 2025, it would no longer originate routes for network blocks that are not owned and managed by AT&T (other major ISPs have since made similar moves). Less than a month later, Shox and Linus told customers they would soon cease offering static ISP proxies as a result of these policy changes.

    Shox and Linus, talking about their decision to stop selling ISP proxies.

    DORT & SNOW

    The stated owner of the resi[.]to Discord server went by the abbreviated username “D.” That initial appears to be short for the hacker handle “Dort,” a name that was invoked frequently throughout these Discord chats.

    Dort’s profile on resi dot to.

    This “Dort” nickname came up in KrebsOnSecurity’s recent conversations with “Forky,” a Brazilian man who acknowledged being involved in the marketing of the Aisuru botnet at its inception in late 2024. But Forky vehemently denied having anything to do with a series of massive and record-smashing DDoS attacks in the latter half of 2025 that were blamed on Aisuru, saying the botnet by that point had been taken over by rivals.

    Forky asserts that Dort is a resident of Canada and one of at least two individuals currently in control of the Aisuru/Kimwolf botnet. The other individual Forky named as an Aisuru/Kimwolf botmaster goes by the nickname “Snow.”

    On January 2 — just hours after our story on Kimwolf was published — the historical chat records on resi[.]to were erased without warning and replaced by a profanity-laced message for Synthient’s founder. Minutes after that, the entire server disappeared.

    Later that same day, several of the more active members of the now-defunct resi[.]to Discord server moved to a Telegram channel where they posted Brundage’s personal information, and generally complained about being unable to find reliable “bulletproof” hosting for their botnet.

    Hilariously, a user by the name “Richard Remington” briefly appeared in the group’s Telegram server to post a crude “Happy New Year” sketch that claims Dort and Snow are now in control of 3.5 million devices infected by Aisuru and/or Kimwolf. Richard Remington’s Telegram account has since been deleted, but it previously stated its owner operates a website that caters to DDoS-for-hire or “stresser” services seeking to test their firepower.

    BYTECONNECT, PLAINPROXIES, AND 3XK TECH

    Reports from both Synthient and XLab found that Kimwolf was used to deploy programs that turned infected systems into Internet traffic relays for multiple residential proxy services. Among those was a component that installed a software development kit (SDK) called ByteConnect, which is distributed by a provider known as Plainproxies.

    ByteConnect says it specializes in “monetizing apps ethically and free,” while Plainproxies advertises the ability to provide content scraping companies with “unlimited” proxy pools. However, Synthient said that upon connecting to ByteConnect’s SDK they instead observed a mass influx of credential-stuffing attacks targeting email servers and popular online websites.

    A search on LinkedIn finds the CEO of Plainproxies is Friedrich Kraft, whose resume says he is co-founder of ByteConnect Ltd. Public Internet routing records show Mr. Kraft also operates a hosting firm in Germany called 3XK Tech GmbH. Mr. Kraft did not respond to repeated requests for an interview.

    In July 2025, Cloudflare reported that 3XK Tech (a.k.a. Drei-K-Tech) had become the Internet’s largest source of application-layer DDoS attacks. In November 2025, the security firm GreyNoise Intelligence found that Internet addresses on 3XK Tech were responsible for roughly three-quarters of the Internet scanning being done at the time for a newly discovered and critical vulnerability in security products made by Palo Alto Networks.

    Source: Cloudflare’s Q2 2025 DDoS threat report.

    LinkedIn has a profile for another Plainproxies employee, Julia Levi, who is listed as co-founder of ByteConnect. Ms. Levi did not respond to requests for comment. Her resume says she previously worked for two major proxy providers: Netnut Proxy Network, and Bright Data.

    Synthient likewise said Plainproxies ignored their outreach, noting that the ByteConnect SDK continues to remain active on devices compromised by Kimwolf.

    A post from the LinkedIn page of Plainproxies Chief Revenue Officer Julia Levi, explaining how the residential proxy business works.

    MASKIFY

    Synthient’s January 2 report said another proxy provider heavily involved in the sale of Kimwolf proxies was Maskify, which currently advertises on multiple cybercrime forums that it has more than six million residential Internet addresses for rent.

    Maskify prices its service at a rate of 30 cents per gigabyte of data relayed through their proxies. According to Synthient, that price range is insanely low and is far cheaper than any other proxy provider in business today.

    “Synthient’s Research Team received screenshots from other proxy providers showing key Kimwolf actors attempting to offload proxy bandwidth in exchange for upfront cash,” the Synthient report noted. “This approach likely helped fuel early development, with associated members spending earnings on infrastructure and outsourced development tasks. Please note that resellers know precisely what they are selling; proxies at these prices are not ethically sourced.”

    Maskify did not respond to requests for comment.

    The Maskify website. Image: Synthient.

    BOTMASTERS LASH OUT

    Hours after our first Kimwolf story was published last week, the resi[.]to Discord server vanished, Synthient’s website was hit with a DDoS attack, and the Kimwolf botmasters took to doxing Brundage via their botnet.

    The harassing messages appeared as text records uploaded to the Ethereum Name Service (ENS), a distributed system for supporting smart contracts deployed on the Ethereum blockchain. As documented by XLab, in mid-December the Kimwolf operators upgraded their infrastructure and began using ENS to better withstand the near-constant takedown efforts targeting the botnet’s control servers.

    An ENS record used by the Kimwolf operators taunts security firms trying to take down the botnet’s control servers. Image: XLab.

    Because infected systems are told to seek out the Kimwolf control servers via ENS, even if the servers that the botmasters use to control the botnet are taken down, the attacker only needs to update the ENS text record to reflect the new Internet address of the control server, and the infected devices will immediately know where to look for further instructions.

    “This channel itself relies on the decentralized nature of blockchain, unregulated by Ethereum or other blockchain operators, and cannot be blocked,” XLab wrote.

    The text records included in Kimwolf’s ENS instructions can also feature short messages, such as those that carried Brundage’s personal information. Other ENS text records associated with Kimwolf offered some sage advice: “If flagged, we encourage the TV box to be destroyed.”

    An ENS record tied to the Kimwolf botnet advises, “If flagged, we encourage the TV box to be destroyed.”

    Both Synthient and XLab say Kimwolf targets a vast number of Android TV streaming box models, all of which have zero security protections, and many of which ship with proxy malware built in. Generally speaking, if you can send a data packet to one of these devices you can also seize administrative control over it.

    If you own a TV box that matches one of these model names and/or numbers, please just rip it out of your network. If you encounter one of these devices on the network of a family member or friend, send them a link to this story (or to our January 2 story on Kimwolf) and explain that it’s not worth the potential hassle and harm created by keeping them plugged in.