Cyware Daily Threat Intelligence, January 14, 2026

What looks like an ordinary Linux process in the cloud may be hiding a far more dangerous agenda. Security researchers have uncovered VoidLink, a sophisticated, actively developed Linux malware framework that targets cloud environments and adapts its behavior to Kubernetes and Docker deployments.
Void Blizzard is targeting Ukrainian defense forces with PLUGGYAPE malware spread through fake charity links on Signal and WhatsApp, relying on legitimate Ukrainian accounts, dynamically updated C2 infrastructure, and parallel phishing campaigns.
Microsoft has warned of an actively exploited zero-day flaw in the Windows Desktop Window Manager (CVE-2026-20805) that allows low-privileged local attackers to access sensitive data such as credentials and encryption keys.
Top Malware Reported in the Last 24 Hours
VoidLink targets Linux cloud servers
VoidLink is a newly discovered Linux malware framework targeting cloud environments. It bundles custom loaders, implants, rootkits, and plugins for post-compromise operations. Written in Zig, Go, and C, it is under active development, and several signs point to it being sold or licensed to customers as a commercial product. The implant adapts its behavior to Kubernetes or Docker environments and fingerprints the host it lands on, collecting the cloud provider, kernel version, running processes, and installed security tools. Its traffic is carried over a custom encrypted protocol, 'VoidStream,' designed to blend in with legitimate traffic, and its plugins cover reconnaissance, credential harvesting, lateral movement, persistence, and anti-forensics.
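The paragraph above says the implant tailors its behavior to Kubernetes or Docker and inventories the kernel and security tooling. The following Python is an added illustration, not VoidLink's code and not part of the Cyware digest, of what that kind of runtime fingerprinting typically reads from a Linux host: the cgroup of PID 1, the /.dockerenv marker, the KUBERNETES_SERVICE_HOST variable that Kubernetes injects into every pod, /proc/version, and the process list. Those are standard Linux and Kubernetes conventions, not indicators from the VoidLink report; the sample file contents, process names, and the security-tool watchlist are constructed for the example. Knowing which artifacts a fingerprinting routine touches tells defenders where file-access auditing on a container host pays off.

```python
"""Added illustration of container/orchestrator fingerprinting on Linux.

Not VoidLink code and not from the Cyware digest. Inputs are passed in as
arguments so the constructed samples below can be checked offline; the
live_fingerprint() helper reads the same artifacts from the running host.
"""
import os
import re
from typing import Iterable, Mapping, Optional

# Illustrative watchlist of process names for common Linux security agents
# (assumption for this example, not a list attributed to any malware family).
DEFAULT_SECURITY_WATCHLIST = ("falco", "auditd", "osqueryd")


def classify_runtime(cgroup_text: str, dockerenv_present: bool,
                     env: Mapping[str, str]) -> str:
    """Classify the execution context as 'kubernetes', 'docker', or 'host'.

    A pod is also a container, so the Kubernetes tell-tales (the service
    environment injected into every pod, or a 'kubepods' cgroup slice) are
    checked before the generic Docker ones.
    """
    if "KUBERNETES_SERVICE_HOST" in env or "kubepods" in cgroup_text:
        return "kubernetes"
    if dockerenv_present or "/docker/" in cgroup_text or "docker-" in cgroup_text:
        return "docker"
    return "host"


def kernel_version(proc_version_text: str) -> Optional[str]:
    """Extract the release string from a /proc/version line, e.g. '6.8.0-45-generic'."""
    match = re.match(r"Linux version (\S+)", proc_version_text)
    return match.group(1) if match else None


def security_tools_present(process_names: Iterable[str],
                           watchlist: Iterable[str] = DEFAULT_SECURITY_WATCHLIST) -> list:
    """Return the watchlisted process names that appear in the process list."""
    running = set(process_names)
    return sorted(name for name in watchlist if name in running)


def fingerprint(cgroup_text: str, dockerenv_present: bool, env: Mapping[str, str],
                proc_version_text: str, process_names: Iterable[str]) -> dict:
    """Combine the individual checks into one environment summary."""
    return {
        "runtime": classify_runtime(cgroup_text, dockerenv_present, env),
        "kernel": kernel_version(proc_version_text),
        "security_tools": security_tools_present(process_names),
    }


# Constructed samples (not captured from a real host).
SAMPLE_CGROUP_K8S = ("0::/kubepods.slice/kubepods-burstable.slice/"
                     "kubepods-burstable-pod1234.slice/cri-containerd-abcd.scope\n")
SAMPLE_CGROUP_DOCKER = "0::/system.slice/docker-0123456789abcdef.scope\n"
SAMPLE_CGROUP_HOST = "0::/init.scope\n"
SAMPLE_PROC_VERSION = ("Linux version 6.8.0-45-generic (buildd@example) "
                       "(gcc (Ubuntu 13.2.0) 13.2.0) #45-Ubuntu SMP\n")
SAMPLE_PROCESSES = ["systemd", "sshd", "auditd", "falco", "bash"]


def live_fingerprint() -> dict:
    """Read the same artifacts from the host this script runs on (Linux only)."""
    def read(path: str) -> str:
        try:
            with open(path) as fh:
                return fh.read()
        except OSError:
            return ""

    procs = []
    if os.path.isdir("/proc"):
        for entry in os.listdir("/proc"):
            if entry.isdigit():
                comm = read(f"/proc/{entry}/comm").strip()
                if comm:
                    procs.append(comm)
    return fingerprint(read("/proc/1/cgroup"), os.path.exists("/.dockerenv"),
                       os.environ, read("/proc/version"), procs)


if __name__ == "__main__":
    print(fingerprint(SAMPLE_CGROUP_K8S, False, {"KUBERNETES_SERVICE_HOST": "10.96.0.1"},
                      SAMPLE_PROC_VERSION, SAMPLE_PROCESSES))
    print(live_fingerprint())
```

Each check is deliberately cheap and read-only, which is also why such fingerprinting rarely trips alerts on its own; reads of /proc/1/cgroup or /.dockerenv by a process that is not a known agent are the kind of low-volume signal worth correlating with later credential-access or persistence activity.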
Void Blizzard deploys PLUGGYAPE against Ukraine
The Russian threat group tracked as Void Blizzard is deploying PLUGGYAPE malware against Ukrainian defense forces via Signal and WhatsApp, distributing it through fake charity links. PLUGGYAPE is written in Python and communicates over WebSocket and MQTT, with its C2 addresses updated dynamically through external paste services. The attackers operate from legitimate Ukrainian accounts and tailor lures to individual targets to build credibility. Parallel campaigns use phishing emails to deliver the Go-based FILEMESS stealer, the OrcaC2 framework, and the LaZagne credential-recovery tool, and Ukrainian institutions face spear-phishing that relies on malicious ZIP archives and LNK files.
Top Vulnerabilities Reported in the Last 24 Hours
Critical zero-day vulnerability in Microsoft Desktop Window Manager
Microsoft disclosed a critical zero-day vulnerability (CVE-2026-20805) in the Desktop Window Manager that is being actively exploited. It lets a local attacker with low privileges read sensitive system information, such as authentication credentials and encryption keys, without user interaction. Because the flaw is already being used in targeted attacks, it poses a significant risk to both enterprise and consumer environments. Organizations are advised to prioritize Microsoft's security update for this flaw and to monitor for suspicious local activity.
Critical vulnerability disclosed in FortiOS
Fortinet disclosed a critical vulnerability (CVE-2025-25249) in FortiOS and FortiSwitchManager that enables remote code execution. The flaw is a heap-based buffer overflow in the cw_acd daemon, the CAPWAP access-controller process that manages connections from fabric devices such as FortiAP and FortiSwitch. Fortinet recommends upgrading affected FortiOS releases (the 7.6, 7.4, 7.2, 7.0, and 6.4 branches) and affected FortiSwitchManager versions immediately. As temporary workarounds, disable fabric access on exposed interfaces and restrict CAPWAP-CONTROL (UDP 5246) access via firewall policies until the update is applied.