Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, January 16, 2026


Security analysts are being baffled by a digital puzzle made of a thousand pieces. The Gootloader malware has returned from a seven-month hiatus with a clever new evasion technique: concatenating up to 1,000 malformed ZIP archives into a single file.

The political turmoil in Venezuela is being weaponized to infiltrate the highest levels of U.S. governance. A new cyber-espionage campaign attributed to the Chinese state-sponsored group Mustang Panda is using Venezuela-themed spear phishing emails to target American government and policy entities.

Your wireless headphones might be listening to more than just music; they could be listening to you for someone else. A critical vulnerability in Google's Fast Pair protocol, dubbed WhisperPair, allows attackers to hijack Bluetooth audio devices and eavesdrop on conversations without the user's consent.

Top Malware Reported in the Last 24 Hours

Gootloader uses 1,000-part ZIP archives

Gootloader malware has evolved to utilize a sophisticated delivery method: concatenating up to 1,000 malformed ZIP archives into a single file, which analysis tools like 7-Zip and WinRAR struggle to process. The technique exploits differences in how ZIP parsers handle such files, allowing the malware to remain undetected while still being unpacked by the default Windows utility. Since its emergence in 2020, Gootloader has been linked to various cybercriminal activities, including ransomware deployments. After a seven-month hiatus, it returned in November 2025 with enhanced obfuscation strategies, such as truncated End of Central Directory headers and randomized disk fields. These measures complicate detection and analysis, allowing the malware to execute JScript via Windows Script Host and maintain persistence on infected systems through shortcut files that trigger upon startup.
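As an added illustration of why the concatenation trick splits parsers (example code written for this briefing, not code from the original report or from any Gootloader sample), the following Python scanner counts ZIP structures at the byte level and compares that with what a standard parser reports. The sample data is constructed locally with zipfile; which indicators to flag (extra EOCD records, a short EOCD, nonzero disk fields) is an assumption drawn from the indicators the briefing names.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # End of Central Directory (EOCD) record signature
LFH_SIG = b"PK\x03\x04"   # local file header signature
EOCD_MIN_LEN = 22         # fixed part of an EOCD record, before the comment

def build_sample(parts, truncate_last_eocd=False):
    """Constructed test data (not a Gootloader artifact): `parts` tiny archives
    glued back to back, optionally with the final EOCD record cut short."""
    blobs = []
    for i in range(parts):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(f"part{i}.txt", f"payload {i}")
        blobs.append(buf.getvalue())
    data = b"".join(blobs)
    return data[:-4] if truncate_last_eocd else data

def scan_zip(data):
    """Byte-level scan: count ZIP structures and flag the indicators a clean
    single archive never shows (extra EOCDs, a short EOCD, nonzero disk fields)."""
    tail = data.rfind(EOCD_SIG)
    truncated = tail == -1 or len(data) - tail < EOCD_MIN_LEN
    disks = set()
    pos = data.find(EOCD_SIG)
    while pos != -1 and pos + EOCD_MIN_LEN <= len(data):
        disks.update(struct.unpack_from("<HH", data, pos + 4))  # this disk, CD disk
        pos = data.find(EOCD_SIG, pos + 4)
    eocd = data.count(EOCD_SIG)
    return {
        "eocd_records": eocd,
        "local_headers": data.count(LFH_SIG),
        "truncated_eocd": truncated,
        "nonzero_disk_fields": bool(disks - {0}),
        "suspicious": eocd != 1 or truncated or bool(disks - {0}),
    }

def parser_view(data):
    """Entry names a standard parser reports, or None when it rejects the file.
    Python's zipfile trusts the last EOCD, so it sees only the final archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None
```

On a three-part sample the byte scan reports three local headers and three EOCD records while zipfile lists only the last entry, which is the kind of disagreement between tools worth alerting on at an email or download gateway.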

LOTUSLITE backdoor targets U.S. policy entities

A new cyber-espionage campaign has emerged, targeting U.S. government and policy entities through Venezuela-themed spear phishing tactics to deliver the LOTUSLITE backdoor. Attributed to the Chinese state-sponsored group Mustang Panda, this campaign utilizes DLL side-loading techniques to launch its attacks. The LOTUSLITE backdoor is a custom C++ implant designed for remote command execution and data exfiltration, establishing persistence via Windows Registry modifications.

Top Vulnerabilities Reported in the Last 24 Hours

Cisco patches actively exploited vulnerability

Cisco has addressed a critical vulnerability, tracked as CVE-2025-20393, affecting its Secure Email Gateway and Secure Email and Web Manager products. This security flaw, disclosed in December 2025, was exploited by a China-linked threat group known as UAT-9686, allowing attackers to execute arbitrary commands with root privileges on compromised appliances. The vulnerability stemmed from insufficient validation of HTTP requests, enabling unauthenticated remote attackers to manipulate affected systems. Cisco reported that the exploitation had been ongoing since at least November 2025, with threat actors deploying the AquaShell backdoor and other malicious tools.

Critical Bluetooth flaw exposes user privacy

A critical vulnerability in Google's Fast Pair protocol, known as WhisperPair (CVE-2025-36911), has been discovered, allowing attackers to hijack Bluetooth audio devices and eavesdrop on conversations. This flaw affects a wide range of wireless headphones, earbuds, and speakers from various manufacturers, compromising user privacy regardless of smartphone operating systems. The vulnerability arises from improper implementation of the Fast Pair protocol, enabling unauthorized devices to initiate pairing without user consent. Attackers can exploit this weakness using any Bluetooth-capable device, gaining control over the audio devices to blast sound or listen in on conversations. Additionally, they can track users' locations via Google’s Find Hub network if the accessory has never been paired with an Android device, posing significant privacy risks.
