Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, January 22, 2026


Smartphone malware just got smarter, leveraging artificial intelligence to commit fraud with frightening efficiency. A new Android threat family is using TensorFlow machine learning models to intelligently interact with hidden ads, operating in a "phantom" mode that mimics human behavior or a "signalling" mode that streams live video to attackers.

Cybercriminals are turning the very tools designed to protect us into weapons of mass disruption. In a campaign dubbed TrueSightKiller, attackers are exploiting the legitimate TrueSight.sys security driver to blind antivirus defenses. By weaponizing over 2,500 variants of this driver, hackers can terminate endpoint security processes before deploying ransomware.

Cisco administrators face a critical deadline this week as a dangerous flaw in the company's communication tools comes under active fire. Cisco has patched an RCE vulnerability in its Unified Communications and Webex Calling software that allows attackers to gain root access via simple HTTP requests.

Top Malware Reported in the Last 24 Hours

New Android malware uses AI for click fraud

A new family of Android malware employs AI-driven TensorFlow models to execute click fraud by interacting with hidden browser advertisements. This malware, distributed through Xiaomi’s GetApps and third-party APK sites, operates in two modes: 'phantom,' which utilizes a hidden WebView browser to automate ad interactions, and 'signalling,' which streams live video feeds of the browser screen to attackers for real-time manipulation. Researchers discovered that the trojans often masquerade as legitimate apps, reducing user suspicion while executing covert operations. Infected applications include popular games and modified versions of well-known services like Spotify and YouTube. 

TrueSightKiller exploits legitimate security driver

TrueSightKiller is a campaign in which attackers abuse the TrueSight.sys driver, a legitimate security tool from Adlice Software, to bypass antivirus protections. Over 2,500 variants of this driver have been weaponized, allowing threat actors to terminate endpoint security processes before deploying malware such as ransomware and remote access trojans. The technique takes advantage of a weakness in the driver's design that lets attackers manipulate its digital signature while the signature still validates as genuine. The attack chain typically begins with phishing or compromised websites, leading to multi-stage deployments that install the EDR killer module. This module targets numerous security products, effectively rendering traditional defenses obsolete. The combination of valid signatures and the ability to create polymorphic variants allows attackers to evade detection.
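Because the briefing notes that the weaponized variants keep a valid signature, a valid Adlice signature on its own cannot be the trust decision. The triage below is an added defender-side illustration (not code from the briefing or from Adlice): it flags kernel-driver loads that carry the TrueSight vendor signer or file name but a file hash outside an approved allowlist. The log format, paths, hashes and the signer string "Some Other Publisher" are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed placeholders (not real TrueSight.sys hashes): builds the
# organisation has approved. Anything else signed by the vendor is reviewed.
KNOWN_GOOD_HASHES = {"sha256:PLACEHOLDER-approved-truesight-build-0001"}
WATCHED_SIGNER = "Adlice Software"
WATCHED_NAME = "truesight.sys"

@dataclass
class DriverLoad:
    host: str
    image: str        # full path of the loaded driver
    signer: str       # subject of the Authenticode signature
    sha256: str

def parse_event(line: str) -> DriverLoad:
    """Parse one constructed 'key=value|key=value' driver-load record."""
    f = dict(kv.split("=", 1) for kv in line.split("|"))
    return DriverLoad(f["host"], f["image"], f["signer"], f["sha256"])

def is_suspicious(ev: DriverLoad) -> bool:
    """A valid vendor signature alone is not trusted: the hash must be known."""
    name = ev.image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if ev.signer != WATCHED_SIGNER and name != WATCHED_NAME:
        return False                        # unrelated driver
    # Vendor-signed or vendor-named driver: approved build, or flag it.
    return ev.sha256 not in KNOWN_GOOD_HASHES

def triage(lines):
    """Return (host, image, sha256) for each load that needs analyst review."""
    events = (parse_event(line) for line in lines)
    return [(e.host, e.image, e.sha256) for e in events if is_suspicious(e)]

# Constructed sample telemetry: one approved build, two renamed/unknown variants.
SAMPLE_EVENTS = [
    "host=ws01|image=C:\\PLACEHOLDER\\approved\\truesight.sys"
    "|signer=Adlice Software|sha256=sha256:PLACEHOLDER-approved-truesight-build-0001",
    "host=ws02|image=C:\\Windows\\Temp\\ts.sys"
    "|signer=Adlice Software|sha256=sha256:PLACEHOLDER-unknown-variant-7f3a",
    "host=ws03|image=C:\\Users\\Public\\truesight.sys"
    "|signer=Some Other Publisher|sha256=sha256:PLACEHOLDER-unknown-variant-0c9e",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("review:", hit)
```

The same allowlist logic applies to any driver-load telemetry source; the record format here is only a stand-in.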

Top Vulnerabilities Reported in the Last 24 Hours

Cisco patches Unified Communications 0-day 

Cisco has addressed a critical RCE vulnerability (CVE-2026-20045) in its Unified Communications and Webex Calling software, which has been actively exploited in attacks. This flaw arises from improper validation of user-supplied input in HTTP requests, enabling attackers to send crafted requests to the affected devices' management interface. Successful exploitation could grant attackers user-level access to the underlying operating system, allowing them to escalate privileges to root. Cisco assigned a Critical severity rating to this vulnerability, which has a CVSS score of 8.2. The company released specific software updates and patch files for various affected products, urging users to review the README before applying these patches. CISA has added this vulnerability to its KEV catalog.

Zoom and GitLab issue security updates

Zoom and GitLab have released critical security updates to address several vulnerabilities that could lead to RCE, DoS, and 2FA bypass. The most severe issue, tracked as CVE-2026-22844, affects Zoom Node Multimedia Routers (MMRs) and carries a CVSS score of 9.9, allowing potential RCE attacks via network access. GitLab's updates tackle multiple high-severity vulnerabilities, including CVE-2025-13927 and CVE-2025-13928, which could enable unauthenticated users to create DoS conditions. Additionally, CVE-2026-0723 allows bypassing two-factor authentication protections. GitLab also remediated two medium-severity issues that could trigger DoS conditions.
