Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, January 08, 2026


A stealthy Golang-based botnet is sweeping through cryptocurrency and blockchain environments by brute-forcing exposed services such as FTP, MySQL, PostgreSQL, and phpMyAdmin. The campaign exploits weak, AI-generated default credentials and outdated stacks like XAMPP, turning compromised servers into scanners and crypto-wallet drainers.

Ghost Tap is redefining card fraud by enabling remote NFC tap-to-pay transactions without ever touching a victim’s physical card. Disguised as legitimate banking apps and spread via smishing and vishing, the malware pairs card-data harvesting with mule-driven transactions to enable global, in-store fraud.

A critical trust flaw in Open WebUI’s Direct Connections feature opens the door to account takeover and potential full server compromise. Tracked as CVE-2025-64496, the issue allows malicious server-sent events to steal auth tokens and execute JavaScript.

Top Malware Reported in the Last 24 Hours

GoBruteforcer targets crypto projects

A new wave of GoBruteforcer botnet malware is targeting cryptocurrency and blockchain projects by exploiting weak server configurations and default credentials. The malware, written in Golang, uses brute-force attacks on exposed FTP, MySQL, PostgreSQL, and phpMyAdmin services. Many vulnerabilities arise from AI-generated server configurations that use predictable usernames and passwords, as well as outdated software stacks like XAMPP. Attackers are also using compromised hosts to scan and drain cryptocurrency wallets. Admins are advised to avoid default credentials, strengthen security configurations, and update software to mitigate risks.
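As an added, defender-side example (not code from the briefing or from any vendor), the detector below parses constructed MySQL and PostgreSQL authentication-failure log lines, flags any source that reaches a failure threshold inside a sliding time window, and records which of the attempted usernames are stack defaults of the kind this campaign abuses. The log line formats, the default-username list and the thresholds are simplified assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified single-line format (not real server output).
SAMPLE_LOG = """\
2026-01-08T03:12:01Z mysql Access denied for user 'root'@'203.0.113.7' (using password: YES)
2026-01-08T03:12:02Z mysql Access denied for user 'root'@'203.0.113.7' (using password: YES)
2026-01-08T03:12:02Z mysql Access denied for user 'admin'@'203.0.113.7' (using password: YES)
2026-01-08T03:12:03Z mysql Access denied for user 'root'@'203.0.113.7' (using password: NO)
2026-01-08T03:12:04Z mysql Access denied for user 'xampp'@'203.0.113.7' (using password: YES)
2026-01-08T03:20:00Z postgres FATAL: password authentication failed for user "postgres" from 198.51.100.9
2026-01-08T09:41:17Z mysql Access denied for user 'alice'@'192.0.2.5' (using password: YES)
"""

MYSQL_RE = re.compile(r"^(\S+) mysql Access denied for user '([^']+)'@'([^']+)'")
PG_RE = re.compile(r'^(\S+) postgres FATAL: password authentication failed for user "([^"]+)" from (\S+)')

# Assumed list of account names that ship as defaults in XAMPP-style stacks or recur in generated configs.
DEFAULT_USERS = {"root", "admin", "postgres", "xampp", "pma"}


def parse_failures(text):
    """Yield (timestamp, service, user, source_ip) for each recognised authentication failure."""
    for line in text.splitlines():
        m, service = MYSQL_RE.match(line), "mysql"
        if not m:
            m, service = PG_RE.match(line), "postgres"
        if not m:
            continue  # unrelated line: ignore
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, service, m.group(2), m.group(3)


def detect_bruteforce(text, threshold=4, window=timedelta(minutes=1)):
    """Return {source_ip: {"failures": n, "default_users": [...]}} for sources whose
    failures inside any sliding window of `window` length reach `threshold`."""
    by_ip = defaultdict(list)
    for ts, _service, user, ip in parse_failures(text):
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()  # chronological order for the sliding window
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past stale events
            if end - start + 1 >= threshold:
                users = sorted({u for _, u in events if u in DEFAULT_USERS})
                alerts[ip] = {"failures": len(events), "default_users": users}
                break
    return alerts
```

A source that trips the threshold while cycling through default account names is the pattern to alert on; a single failure against a named user, as in the last sample line, stays below it.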

Cybercriminals exploit Ghost Tap malware for NFC payment fraud

Android malware known as Ghost Tap is enabling cybercriminals to perform unauthorized remote NFC tap-to-pay transactions without physical access to victims' bank cards. The malware disguises itself as legitimate financial apps and is distributed via smishing and vishing campaigns. Criminals use two coordinated apps: one to capture NFC card data from victims and another to complete fraudulent transactions. Mule networks are also using the compromised cards for in-store purchases globally.

Top Vulnerabilities Reported in the Last 24 Hours

High-severity flaw in Open WebUI affects AI connections

A high-severity vulnerability (CVE-2025-64496) in Open WebUI's Direct Connections feature can lead to account takeover (ATO) and potentially full server compromise. The flaw stems from a trust failure, allowing attackers to exploit crafted server-sent events to execute malicious JavaScript, stealing authentication tokens and sensitive user data. The vulnerability impacts Open WebUI versions 0.6.34 and older, with risks including session hijacking, data exposure, and remote code execution (RCE) for users with elevated permissions. Open WebUI maintainers addressed the issue in versions 0.6.35 and later, which block malicious events, though further security enhancements are recommended.

Critical Dolby vulnerability patched in Android

The critical vulnerability CVE-2025-54957 in the Dolby Digital Plus (DD+) Unified Decoder was discovered by Google researchers and made public in October 2025. The flaw allows zero-click remote code execution on Android devices via specially crafted media files, making it highly severe. Google released a patch for Pixel devices in December 2025 and rolled out updates for all Android devices in January 2026. No other vulnerabilities were addressed in the January 2026 update.
