Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, January 15, 2026


Ransomware gangs are finding ingenious new ways to hide their tracks on the blockchain. The DeadLock ransomware group is bypassing traditional firewalls by utilizing Polygon smart contracts to dynamically rotate its proxy server addresses. The group’s use of decentralized infrastructure and evolving ransom tactics makes it a uniquely resilient threat that is difficult to track.

Trusted software is being weaponized to slip past corporate defenses in a new campaign targeting the finance and supply chain sectors. Attackers are abusing a DLL side-loading weakness in how GitKraken's signed, legitimate ahost.exe loads the c-ares library: a malicious libcares-2.dll placed beside the executable runs inside a trusted, signed process.

The first Patch Tuesday of 2026 is a heavy one, requiring immediate attention from administrators. Microsoft has addressed 114 vulnerabilities, including a zero-day flaw in the Desktop Window Manager, which attackers are actively exploiting to steal sensitive information.

Top Malware Reported in the Last 24 Hours

DeadLock ransomware exploits smart contracts

DeadLock ransomware, first identified in July 2025, uses Polygon smart contracts to rotate its proxy server addresses, so static IP and domain blocklists are quickly out of date. The group is notable for operating without a Data Leak Site (DLS) and for a low victim count, which has kept its exposure limited. Its ransom notes have evolved from simple encryption threats to data-theft claims and additional "services" such as incident reports. DeadLock primarily uses AnyDesk for remote management and runs a PowerShell script that stops services not on its whitelist and deletes backups before encryption. Because its command infrastructure is anchored in a public blockchain, takedown and tracking are harder than with conventional hosted proxies.

Hackers exploit DLL flaw, drop malware

Attackers are abusing a DLL side-loading weakness in how GitKraken's ahost.exe loads the c-ares library to deploy various malware, including Agent Tesla and CryptBot. The campaign targets employees in the finance and supply chain sectors, using deceptive lures in multiple languages. The attackers ship a malicious libcares-2.dll alongside a signed, legitimate copy of GitKraken's ahost.exe; the trusted binary loads the rogue DLL from its own directory, so the attackers' code executes inside a signed process and inherits its reputation with allow-listing and endpoint controls. Separately, phishing pages using the Browser-in-the-Browser technique have emerged, tricking users into entering their Facebook credentials into fake login windows, and a multi-stage phishing campaign has been identified that uses Python payloads and cloud services to distribute AsyncRAT.
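Both behaviours above (a trusted, signed host executable loading a rogue DLL from its own directory, and a ransomware pre-encryption script that deletes backups and mass-stops services) leave traces in endpoint telemetry. The script below is an added example, not code from Cyware or any vendor cited here: it runs two detection rules over Sysmon-style events (Event ID 7 ImageLoaded and Event ID 1 ProcessCreate) held as dicts. The ahost.exe / libcares-2.dll pair comes from the report; the GitKraken install-path globs, the known-good hash, the concrete backup-deletion commands and the service-stop burst threshold are assumptions, and the sample events are constructed.

```python
"""Two endpoint detection rules for the behaviours described in the briefing.
Added example; the sample events below are constructed, not real telemetry."""
import re
from collections import Counter
from fnmatch import fnmatch
from pathlib import PureWindowsPath

# --- Rule 1: DLL side-loading by a trusted host executable ------------------
# Host EXE -> DLL it legitimately loads. The pair is from the report; the
# install-path globs and the known-good hash are assumptions for this example.
SIDELOAD_PAIRS = {"ahost.exe": "libcares-2.dll"}
EXPECTED_DIR_GLOBS = ("c:\\program files\\gitkraken*",
                      "c:\\users\\*\\appdata\\local\\gitkraken*")
KNOWN_GOOD_SHA256 = {"libcares-2.dll": {"0" * 64}}  # placeholder hash

def _sha256_of(hashes_field):
    """Extract SHA256 from Sysmon's 'MD5=..,SHA256=..,IMPHASH=..' string."""
    for part in hashes_field.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return None

def check_image_load(ev):
    """Return a finding for a Sysmon Event ID 7 record, or None if benign."""
    if ev.get("EventID") != 7:
        return None
    host, dll = PureWindowsPath(ev["Image"]), PureWindowsPath(ev["ImageLoaded"])
    if SIDELOAD_PAIRS.get(host.name.lower()) != dll.name.lower():
        return None
    reasons = []
    dll_dir = str(dll.parent).lower()
    if not any(fnmatch(dll_dir, g) for g in EXPECTED_DIR_GLOBS):
        reasons.append("DLL loaded from outside the expected install directory")
    if str(ev.get("SignatureStatus", "")).lower() != "valid":
        reasons.append("DLL signature missing or invalid")
    if _sha256_of(ev.get("Hashes", "")) not in KNOWN_GOOD_SHA256.get(dll.name.lower(), set()):
        reasons.append("DLL hash not in the known-good set")
    if not reasons:
        return None
    return {"rule": "dll-sideload", "host": str(host), "dll": str(dll), "reasons": reasons}

# --- Rule 2: backup destruction and mass service stop -----------------------
# The report says the script stops non-whitelisted services and deletes backups;
# the concrete commands matched here are common ways to do that (assumption).
BACKUP_DESTRUCTION = [re.compile(p, re.I) for p in (
    r"vssadmin(\.exe)?\s+delete\s+shadows",
    r"wmic(\.exe)?\s+shadowcopy\s+delete",
    r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)",
    r"bcdedit(\.exe)?\s.*recoveryenabled\s+no",
    r"Get-WmiObject\s+Win32_ShadowCopy.*\.Delete\(\)",
)]
SERVICE_STOP = re.compile(r"\bnet1?(\.exe)?\s+stop\b|\bsc(\.exe)?\s+stop\b|\bStop-Service\b", re.I)
STOP_BURST_THRESHOLD = 5  # stops launched by one parent process (assumption)

def check_process_creates(events):
    """Scan Sysmon Event ID 1 records and return a list of findings."""
    findings, stops_per_parent = [], Counter()
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        cmd = ev.get("CommandLine", "")
        if any(p.search(cmd) for p in BACKUP_DESTRUCTION):
            findings.append({"rule": "backup-destruction", "pid": ev.get("ProcessId"), "cmd": cmd})
        if SERVICE_STOP.search(cmd):
            stops_per_parent[ev.get("ParentProcessGuid")] += 1
    for parent, n in stops_per_parent.items():
        if n >= STOP_BURST_THRESHOLD:
            findings.append({"rule": "service-stop-burst", "parent": parent, "count": n})
    return findings

def run_detections(events):
    findings = [f for f in (check_image_load(ev) for ev in events) if f]
    findings.extend(check_process_creates(events))
    return findings

# Constructed sample telemetry: one benign load, one side-load, one backup wipe,
# and a burst of service stops from the same parent process.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\GitKraken\ahost.exe",
     "ImageLoaded": r"C:\Program Files\GitKraken\libcares-2.dll",
     "Hashes": "SHA256=" + "0" * 64, "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Users\bob\Downloads\Invoice\ahost.exe",
     "ImageLoaded": r"C:\Users\bob\Downloads\Invoice\libcares-2.dll",
     "Hashes": "SHA256=" + "f" * 64, "SignatureStatus": "Unavailable"},
    {"EventID": 1, "ProcessId": 4120, "ParentProcessGuid": "{P1}",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
] + [
    {"EventID": 1, "ProcessId": 4200 + i, "ParentProcessGuid": "{P1}",
     "CommandLine": f"net stop {svc} /y"}
    for i, svc in enumerate(("MSSQLSERVER", "VeeamBackupSvc", "SQLWriter",
                             "MSExchangeIS", "BackupExecAgent"))
]

if __name__ == "__main__":
    for finding in run_detections(SAMPLE_EVENTS):
        print(finding)
```

The side-loading rule deliberately fires on any of three signals (unexpected directory, missing or invalid Authenticode status, unknown hash) so that a rogue DLL dropped into the legitimate install directory is still caught by the hash check, while the burst rule counts service stops per parent process rather than per command line, since a script that iterates over non-whitelisted services produces many short-lived children rather than one long command.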

Top Vulnerabilities Reported in the Last 24 Hours

Critical FortiSIEM bug exposes systems to attack

A critical vulnerability in FortiSIEM, tracked as CVE-2025-25256, allows remote, unauthenticated attackers to execute commands or code. The flaw chains two issues: an arbitrary write performed with admin permissions, followed by privilege escalation to root. Identified by Horizon3.ai in August 2025, it arises from exposed command handlers in the phMonitor service, which has been a recurring entry point for previous FortiSIEM vulnerabilities. Fortinet addressed the issue in November 2025 with patches for affected branches from 6.7 through 7.5; however, some older releases, such as 7.0 and 6.7.0, did not receive a fix and should be migrated to a patched release. Horizon3.ai has also published a public exploit and indicators of compromise to help organizations detect attempts against this vulnerability, which raises the urgency of patching or isolating phMonitor from untrusted networks.

Microsoft patches 114 Windows vulnerabilities

Microsoft's January 2026 security update addresses 114 vulnerabilities, including one actively exploited flaw (CVE-2026-20805) in the Desktop Window Manager that allows unauthorized disclosure of sensitive information. Eight of the vulnerabilities are rated Critical, and many of the remainder concern privilege escalation and information disclosure. Notably, the update addresses a security feature bypass tied to Secure Boot certificate expiration (CVE-2026-21265) and a critical privilege escalation flaw in Windows Virtualization-Based Security (CVE-2026-20876). Microsoft also removed the outdated Agere Soft Modem drivers rather than patching them, because of a local privilege escalation flaw.
