Editor’s Highlights
Apologies for the late publication of the January 2026 edition of What's New in Elements. We hope this information is still important for you.
Extended Detection and Response
Endpoint Protection
WithSecure Agent for Mobile Protection for Android
An update to the WithSecure Elements Mobile Protection app for Android (26.1.0023467) was completed on 12 January 2026.
It includes the following new features and improvements:
- Reverted temporary support for Android 12
WithSecure Agent for Linux
New Linux Security 64 and Elements Agent installers have been released (2026-01-14)
The new product installers released are as follows:
- Linux Security 64 Policy Manager installation package version 5.0.15, compatible with Policy Manager Server version 16.00 and above.
- WithSecure Elements Agent for Servers.
The updates fix several installation issues and remove compatibility with Policy Manager versions that are no longer supported.
If you have already successfully installed the product, there is no need to download or install these packages. The product installer is only needed for the initial setup process and does not need to be kept up to date afterwards.
WithSecure Client Security for Mac
Client Security for macOS v16.03 was released to general availability (GA) on the 19th of January 2026.
This release brings the following new features:
- macOS 26 (Tahoe) support
- macOS 26 compatible icons
- Minimum required macOS version is now macOS 14
- Accessing SecurityCloud uses macOS native networking libraries
Fixed issues
- Fixed crashes in the following components: wsuplinkd, wssettingsd, wssecuritycloudd and wsbootstrapnative
- 'Allow new system extension' dialog led to the incorrect settings page
- Chrome browsing protection was always shown as disabled in Elements Security Center and in local GUI
- Open Settings button was not localized properly
- Allow button in Browsing Protection was not 'clickable'
WithSecure Agent for Mobile Protection for iOS
An update to the WithSecure Elements Mobile Protection app for iOS (26.1.12041) was finalized on 21.01.2026.
Fixed issues
- Improvements to Apple CarPlay compatibility with Network Gateway.
- Improvements to web content filtering and exception handling.
- Improvements to log file management.
- Improvements to security event reporting.
Important: Support for the following iOS versions was removed:
Email and Collaboration Protection
Exchange Application Permissions Update
The Collaboration Protection Exchange application has been updated with a new set of permissions in preparation for upcoming support for Microsoft Graph API. As a result, tenants already configured in the service may require re‑authorization.
When updated permissions are needed for one or more tenants, the Collaboration Protection portal will display a banner prompting administrators to refresh the Exchange application permissions.
Please follow the on‑screen flow on the Cloud services page to accept the new permissions, or refer to the Elements Collaboration Protection User Guide for detailed instructions on service authorization.
Exposure Management
Newly released functionality includes updates in the Identity onboarding process and Recommendations page partner level view:
Near Real-Time Identities for Newly Onboarded Tenants
The identity onboarding process has been improved. Until now, the list of identities for a newly onboarded Microsoft Entra tenant could take up to 24 hours to populate. With the new functionality, the list of identities populates in near real time for a successfully onboarded tenant. Instead of waiting hours, the process now completes in minutes, depending on scanning time and current processing queues.
This improvement is part of our ongoing commitment to provide up-to-date data in near real time, including changes in the Identities data. Stay tuned for more updates as we continue to work on the improvements!
Recommendation list - partner level view
The Recommendation list page (Environment -> Exposure -> Recommendations) is now also available in the partner level views. The page contains a list of recommendations for all organizations to which the partner has access.
Exposure Management for Business
WithSecure Vulnerability Management Portal
We have implemented many fixes to the portal, including:
- Disabled editing of asset properties in preparation for migration to Devices → Computers and Devices → Unmanaged Devices views.
- Removed “archive assets period” and “store assets period” settings in preparation for migration to Devices → Computers and Devices → Unmanaged Devices views.
- Disabled the Vulnerability Users page and related API; use Security Administrators instead.
- Removed account locking after multiple failed API key attempts.
- API keys are now locked after 50 failed attempts, improving security without blocking the entire account.
- Agent scanning will now be automatically enabled for all new devices in companies with Vulnerability Management or Exposure Management subscriptions as soon as they are installed. This means no user interaction is needed to start scanning.
- Resolved issues with asset data inconsistencies between Exposure views and Devices views.
- Resolved issues with exporting scan reports in XML and DOCX formats.
- Resolved issues with computing weekly vulnerability statistics for the last week of the previous year and the first week of the new year.
- Resolved an issue in the XLSX summary report. Cells in the Platform Vulnerabilities tab are now merged properly.
- Resolved an issue with the reply-to field in email notifications. The field is empty now.
- Resolved an issue with delays occurring during automatic agent scanning enablement.
- Overall security improvements.
- Integrated the asset retention mechanism with the Devices → Computers and Devices → Unmanaged Devices views. Devices removed from these views will be permanently deleted from the VM portal and Exposure Management views after 30 days.
- Overall performance improvements.
System Scan
Support for detecting vulnerabilities in the following products was added to Authenticated Scanning for Windows:
- Apache Tika core
- Apache Tika PDF parser module
- Control-M/Agent
- Eaton Intelligent Power Manager
- IBM App Connect Enterprise (ACE)
- IBM Semeru Runtime
Elements Foundations
Elements Security Center
To make it easier for our Japanese MDR customers to work in their native language, we are introducing AI-powered on-demand translation for communication in elevated BCDs in Elements.
Starting from 1 February 2026, customers with an active MDR service and the Elements user interface set to Japanese will be able to exchange messages with analysts in elevated BCDs in Japanese, with translations provided on demand by an approved AI (LLM) service.
What is changing?
- In the BCD details view in Elements, users will see new options to translate comments on demand:
- from English to Japanese, and
- from Japanese to English.
- Japanese-speaking users can write and read BCD comments in their native language, while still being able to request an English version when needed.
- Translations are not automatic in the background - they are triggered explicitly by the user for each comment via dedicated translation buttons.
What does this mean for you?
- If you are an MDR customer using Elements in Japanese, communication in elevated BCDs becomes clearer, more natural, and easier to follow in your own language.
- You keep full control over when translations are requested, allowing you to focus on the comments that matter most.
- The way you work with elevated BCDs in Elements stays familiar - this enhancement adds a convenient translation capability on top of your existing experience, without introducing new complexity into your daily workflow.
We believe this improvement will significantly enhance the day-to-day experience of our Japanese MDR customers and pave the way for further localization and usability enhancements in the future.
Integrations
Elements API
Product related Security Events
The latest Elements API release brings new (WithSecure) Product Security Events.
The following new events are now supported:
- Product has been uninstalled successfully
- Product uninstallation has been canceled
- Product uninstallation has failed due to incorrect uninstallation password
- Product uninstallation has failed due to unknown reason
- Product uninstallation is not allowed
More information with examples is available in the Security Events reference page.
New device operations for categorization 2026-01-27
The latest Elements API release brings new device operations for helping in categorization of devices.
The following new device operations are now supported:
See the full Elements API specification here.
WithSecure Commercial API
The descriptions for the Create New Subscription and Change Subscription API endpoints were updated to better reflect their purpose and supported operations. No changes were made to request or response parameters.
Documentation-Only Updates to Endpoint Descriptions:
Create New Subscription
Provision a new Total Volume subscription for a new or existing licensee. This endpoint may also be used to grant access to an admin user in the Elements Security Center or to change the licensee (company) name. Granting access and changing the name can only be completed as part of a subscription creation request.
Change Subscription
Make changes to an existing Total Volume subscription. This endpoint may also be used to grant access to an admin user in the Elements Security Center as part of a subscription change request.
Other items of interest
WithSecure™ Labs - To the past and beyond: Andariel’s latest arsenal and cyberattacks
Executive Summary
WithSecure proactively identified and notified a European customer belonging to the public/legal sector of a breach attributed with high confidence to the Andariel group, a state-sponsored cyber group linked to the Reconnaissance General Bureau (RGB) 3rd bureau of the Democratic People’s Republic of Korea (DPRK).
The attribution was based on the threat actor’s usage of unique malware, such as TigerRAT, command execution patterns, infrastructure linkages, and other technical and non-technical evidence that linked it to previous reports of Andariel activity.
We assess that the primary goal of this breach was cyberespionage. This was determined based on the group’s past objectives and the intrusion activity, but most notably the threat actor accessing documents relating to anti-money laundering on the victim host. The DPRK is notorious for its money-laundering activity to evade international sanctions.
This investigation led WithSecure to the discovery of another set of attacks conducted by this group against an Enterprise Resource Planning (ERP) software in the Republic of Korea (ROK) in 2025. WithSecure determined that this particular ERP software had been a previous target of Andariel in 2017 and almost certainly again in 2024.
This in turn led to the discovery of three new, previously undocumented RATs that WithSecure attributes to Andariel, namely StarshellRAT, JelusRAT, and GopherRAT.
The investigation also led WithSecure to discover a staging server used by the group. Through this staging server, we were able to find additional artifacts related to both attacks. We also discovered a mix of new and old techniques and tooling used by the group to conduct their latest attacks, including privilege escalation tools such as PrintSpoofer and PetitPotato, and the abuse of the trending bring-your-own-vulnerable-driver (BYOVD) technique that is used by other threat actors to kill AV/EDR products.
This report provides details on the two cyberattacks we investigated and analysis of the artifacts we found across the two attacks and on the staging server. WithSecure has engaged governments and select partners with advanced copies of this report.
Read more about it HERE
In case you missed it
New Feature: Notification Hub
We are introducing a new, centralized Notification Hub to replace most of the current banner-based announcements in Elements.
What’s new?
The Notification Hub is a unified place inside Elements where users can see important product messages, such as:
- Critical issues and outages
- Warnings and important operational updates
- General informational announcements
The goal is to make it easier for users to see what’s important, understand what has changed, and quickly act on relevant messages.
You can find more in this article
WithSecure Elements Exposure Management user roles for Vulnerability Management users
As part of the Elements Vulnerability Management (EVM) End-of-Life (EOL), EVM views were replaced with XM views and EVM subscriptions were migrated to Exposure Management for Business.
You can find out more about this change in the dedicated article.
Share your ideas with us
Our purpose is to co-secure the world with you – now as WithSecure™. To co-create the best possible cyber security products and services, we warmly recommend you share your ideas via the Ideas section of the WithSecure Community, now accessible directly from WithSecure™ Elements Security Center.
Further information
Changelogs and Release Notes for all parts of WithSecure™ Elements can be found at the Help Center.