Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, January 20, 2026

DTI_Jan20_2501692583

A Fortune 100 financial giant has been hit by a malware strain that looks less like a typical ransomware tool and more like an instrument of espionage. Attackers combined fake tech support calls with legitimate software to deploy PDFSider, a stealthy new threat delivered via DLL side-loading.

A malicious ad-blocker is forcing users into a trap by literally breaking their web browsers. The NexShield extension intentionally crashes Chrome and Edge to create a DoS condition. When the browser restarts, it presents a fake security warning that tricks frustrated users into running commands that install ModeloRAT.

Your daily schedule could be weaponized against your own AI assistant. A vulnerability in Google Gemini allowed attackers to use "indirect prompt injection" to bypass privacy controls in Google Calendar. By simply embedding a hidden command in a calendar invite, hackers could trick the AI into leaking private meeting details or planting deceptive events on a user's schedule without them ever realizing it.

Top Malware Reported in the Last 24 Hours

New PDFSider malware targets Fortune 100 firm

A new strain of malware known as PDFSider has been deployed in ransomware attacks against a Fortune 100 company in the finance sector. Attackers utilized social engineering tactics, impersonating technical support to trick employees into installing Microsoft’s Quick Assist tool. PDFSider is delivered via spearphishing emails containing a legitimate executable for the PDF24 Creator, alongside a malicious DLL that is loaded through DLL side-loading. Because the malicious code runs inside a trusted, legitimately signed process, this method lets the malware slip past security controls that trust the host executable. PDFSider operates stealthily, with minimal disk artifacts, and exfiltrates system information over DNS. It employs AES-256-GCM encryption for secure communication, making it more akin to espionage tools than typical financially motivated malware, and includes anti-analysis features to evade detection in sandbox environments.

Fake ad blocker crashes browsers, spreads malware

A malicious ad-blocker extension called NexShield has been discovered, targeting Chrome and Edge users through a malvertising campaign. This extension creates a denial-of-service condition by opening an unbounded number of connections, leading to browser crashes and unresponsiveness. Once the browser restarts, NexShield displays a deceptive pop-up warning users of security issues and instructs them to execute malicious commands in the Windows command prompt. These commands trigger an obfuscated PowerShell script that downloads a remote access tool known as ModeloRAT, which can perform various malicious activities within corporate environments. Researchers attribute this evolving threat to a group named KongTuke, which has been increasingly focusing on enterprise networks since early 2025.
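A defender-side check for the execution chain described above, added here as an example and not part of the briefing or the researchers' material: it walks process-creation events and flags PowerShell launched from cmd.exe with obfuscation or download switches, the pattern a user-pasted "fix" command produces. The event layout and every sample command line are constructed assumptions.

```python
import re
from collections import namedtuple

# Constructed process-creation event layout (assumed, not from any real log source).
Event = namedtuple("Event", "pid ppid image cmdline")

# Switches and cmdlets typical of a pasted, obfuscated PowerShell one-liner.
SUSPICIOUS_PS = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|"
    r"\biex\b|invoke-expression|downloadstring|invoke-webrequest|\biwr\b)",
    re.IGNORECASE,
)

def flag_pasted_powershell(events):
    """Return PIDs of PowerShell processes whose parent is cmd.exe and whose
    command line carries obfuscation or download indicators."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith(("powershell.exe", "pwsh.exe")):
            continue
        parent = by_pid.get(e.ppid)
        # Require the cmd.exe parent: that is the "run this in the command
        # prompt" step from the fake security pop-up.
        if parent is None or not parent.image.lower().endswith("cmd.exe"):
            continue
        if SUSPICIOUS_PS.search(e.cmdline):
            hits.append(e.pid)
    return hits

# Constructed sample events: one malicious chain, two benign processes.
SAMPLE = [
    Event(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(200, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    Event(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -nop -w hidden -enc <base64-placeholder>"),
    Event(400, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell.exe -File C:\scripts\backup.ps1"),
    Event(500, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    print("flagged PIDs:", flag_pasted_powershell(SAMPLE))
```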

Top Vulnerabilities Reported in the Last 24 Hours

Google Gemini vulnerability exposes calendar data

A vulnerability in Google Gemini has been uncovered, allowing attackers to exploit indirect prompt injection to bypass Google Calendar's privacy controls. By embedding a malicious prompt within a calendar invite, threat actors could access private meeting data and create deceptive calendar events without user interaction. This attack was triggered when users queried their schedules, leading Gemini to process the harmful prompt and generate new events containing sensitive information. Although the flaw has been addressed, it underscores the risks associated with AI-native features, which can inadvertently broaden the attack surface.

AMD StackWarp flaw affects Zen processors

A new hardware vulnerability, named StackWarp, has been identified in AMD processors, specifically affecting Zen 1 through Zen 5 models. This flaw allows attackers with privileged control over host servers to execute malicious code within confidential virtual machines (CVMs), compromising the integrity of AMD's Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP). Researchers from the CISPA Helmholtz Center for Information Security revealed that the vulnerability enables malicious VM hosts to manipulate the stack pointer of guest VMs, facilitating remote code execution and privilege escalation. The vulnerability can be exploited to recover sensitive information, such as RSA-2048 private keys, and bypass authentication mechanisms. AMD has acknowledged the issue, tracking it as CVE-2025-29943, and has released microcode updates to address the flaw.