Cyware Daily Threat Intelligence, January 09, 2026

The popular messaging app on your phone has become the latest vector for a notorious banking trojan. A new campaign dubbed Boto Cor-de-Rosa is using WhatsApp to aggressively spread the Astaroth malware. The campaign pairs a self-propagating worm module with a banking module that harvests financial credentials.
Telecommunications networks in South Asia and Southeastern Europe are being systematically mapped by a patient and calculated adversary. A China-linked threat actor known as UAT-7290 has been conducting deep espionage operations since 2022, spending months on reconnaissance before deploying custom malware like SilentRaid.
Cisco administrators need to be on alert for cracks in their network identity systems. The company has released updates to fix vulnerabilities in its Identity Services Engine that could allow attackers to access sensitive files via improper XML parsing.

Top Malware Reported in the Last 24 Hours

WhatsApp used to spread Astaroth trojan
A new campaign has emerged that utilizes WhatsApp to distribute the Astaroth banking trojan, primarily targeting users in Brazil. This malware, known for its data theft capabilities, retrieves victims' WhatsApp contact lists and automatically sends malicious messages to spread the infection. Codenamed Boto Cor-de-Rosa, the campaign features a multi-language approach, incorporating a Python-based worm module alongside a Visual Basic script installer. Astaroth has been active since 2015 and has recently adapted its tactics by leveraging WhatsApp, a widely used messaging platform in Brazil. The malware propagates through ZIP files containing downloader scripts that install further malicious components. Additionally, it includes a banking module that monitors web activity to harvest credentials, while tracking its propagation metrics in real time.

UAT-7290 targets telecoms with malware
UAT-7290, a China-linked threat actor, has been conducting espionage-focused attacks against telecommunications entities in South Asia and Southeastern Europe since at least 2022. The group specializes in extensive reconnaissance of target organizations before launching its attacks, employing malware such as RushDrop, DriveSwitch, and SilentRaid. UAT-7290 not only infiltrates networks but also establishes Operational Relay Box (ORB) nodes, which can be utilized by other Chinese cyber actors for malicious operations. Its tactics include exploiting one-day vulnerabilities and using SSH brute-force methods to compromise public-facing devices. The threat actor relies on a mix of open-source malware and custom tools, and its operations exhibit overlaps with other Chinese hacking groups such as Stone Panda and RedFoxtrot.

Top Vulnerabilities Reported in the Last 24 Hours

Cisco patches ISE flaw
Cisco has released updates to address medium-severity vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). One notable flaw, tracked as CVE-2026-20029, arises from improper XML parsing, allowing authenticated remote attackers with administrative privileges to access sensitive information by uploading malicious files. Additionally, two other vulnerabilities related to the Snort 3 Detection Engine, CVE-2026-20026 and CVE-2026-20027, could enable unauthenticated attackers to cause denial-of-service incidents or leak sensitive data. These vulnerabilities impact several Cisco products, including specific versions of ISE and Snort 3.

Coolify discloses 11 critical vulnerabilities
Cybersecurity researchers have identified 11 critical vulnerabilities in Coolify, an open-source self-hosting platform, which could lead to severe security risks such as authentication bypass and remote code execution. Key issues include command injection vulnerabilities that allow authenticated users to execute arbitrary commands on the host server, potentially resulting in full server compromise. The vulnerabilities include CVE-2025-66209, CVE-2025-66210, and others, some of which carry the maximum CVSS score of 10.0. As of January 8, approximately 52,890 Coolify instances are exposed globally, primarily in Germany, the U.S., and France.