Daily Threat Briefing

Cyware Daily Threat Intelligence, January 23, 2026


A new, sophisticated ransomware named Osiris has surfaced, crippling a major Southeast Asian food service operator. Distinct from its 2016 namesake, this operation uses a bring-your-own-vulnerable-driver (BYOVD) attack with the malicious Poortry driver to disable defenses before encrypting files and exfiltrating data to Wasabi cloud storage.

Downloading the wrong text editor could turn your PC into a traffic relay for criminals. Threat actor Larva-25012 is bundling malicious DLLs with legitimate Notepad++ installers to deploy DPLoader. This malware silently installs proxyware like Infatica and DigitalPulse, effectively selling the victim's internet bandwidth to the highest bidder while evading detection.

Hackers are actively exploiting a critical authentication bypass in SmarterMail servers to reset admin passwords and seize control. Although a patch was released for the vulnerable API endpoint, threat actors quickly reverse-engineered the fix to launch fresh attacks.

Top Malware Reported in the Last 24 Hours

New Osiris ransomware targets food service

A new ransomware family named Osiris has emerged, targeting a major food service operator in Southeast Asia in November 2025. This ransomware is distinct from a similarly named variant from 2016 and is believed to be developed by experienced attackers. Utilizing advanced techniques, the attackers employed a malicious driver called Poortry in a BYOVD attack to disable security measures. Data exfiltration was conducted using Rclone to Wasabi cloud storage, echoing tactics seen in previous Inc ransomware attacks. Osiris features hybrid encryption (ECC + AES-128-CTR) and can encrypt specific files while terminating essential processes and services. The ransomware appends the .Osiris extension to affected files and drops a ransom note for victims to negotiate with the attackers.

Proxyware malware disguised as Notepad++

ASEC is monitoring proxyjacking attacks involving malware disguised as a Notepad++ installer, deployed by the threat actor Larva-25012. This group has evolved its techniques to evade detection, including injecting proxyware into legitimate processes. Larva-25012 distributes various proxyware types, primarily through fake download sites for cracked software. Recent campaigns have shifted from MSI installers to ZIP archives containing both a legitimate Notepad++ installer and a malicious DLL. The malware, known as DPLoader, registers itself in the Windows Task Scheduler and executes scripts that install proxyware like Infatica and DigitalPulse, further enhancing the attack's persistence and effectiveness.

Top Vulnerabilities Reported in the Last 24 Hours

Critical Vivotek firmware vulnerability

Akamai has uncovered a significant vulnerability (CVE-2026-22755) in the legacy firmware of Vivotek cameras, enabling remote attackers to execute arbitrary commands as the root user without authentication. This flaw arises from improper handling of user-supplied filenames in the upload_map.cgi script, which allows malicious input to be processed by the system. The team utilized advanced AI-driven reverse engineering tools to identify and validate the exploit, confirming its impact on numerous legacy camera models. The vulnerability poses a serious threat, as it can be exploited by attackers to gain unauthorized access and control over affected devices.

SmarterMail bug exploited to hijack accounts

An authentication bypass vulnerability in SmarterMail, a self-hosted email server by SmarterTools, has been actively exploited, allowing attackers to reset administrator passwords and gain full system privileges. This flaw lies in the exposed ‘force-reset-password’ API endpoint, which accepts JSON input without proper security checks, enabling unauthorized password resets. Researchers identified the issue and reported it on January 8, with SmarterMail releasing a fix shortly after. However, within days of the patch, evidence emerged that threat actors had reverse-engineered it to exploit the vulnerability. This critical flaw affects only admin-level accounts, granting attackers the ability to execute OS commands and achieve remote code execution. The vulnerability has been assigned the identifier CVE-2026-23760, rated critical with a CVSS score of 9.3.
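A defender-side check for the endpoint exposure described above, written as an added example (not code from Cyware or SmarterTools): it scans web-server access logs for POST requests whose path contains the ‘force-reset-password’ endpoint name and tallies attempts and 2xx successes per source address. The combined-log-format regex, the URL prefix in the constructed sample lines and the allowlist are assumptions.

```python
import re

# Constructed sample access-log lines (combined log format); the URL prefix
# before "force-reset-password" is an assumption, not the real product path.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jan/2026:03:14:01 +0000] "POST /api/force-reset-password HTTP/1.1" 200 84
203.0.113.7 - - [22/Jan/2026:03:14:02 +0000] "POST /api/force-reset-password HTTP/1.1" 200 84
198.51.100.4 - - [22/Jan/2026:03:15:10 +0000] "GET /interface/root HTTP/1.1" 200 1204
192.0.2.9 - - [22/Jan/2026:03:20:00 +0000] "POST /api/Force-Reset-Password HTTP/1.1" 403 0
10.0.0.5 - - [22/Jan/2026:03:21:00 +0000] "POST /api/force-reset-password HTTP/1.1" 200 84
"""

# Assumed combined log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_reset_attempts(log_text, keyword="force-reset-password"):
    """Tally POSTs whose path contains the endpoint keyword, per source IP.

    A 2xx on this endpoint is the signal worth alerting on (a reset went through);
    non-2xx hits are still counted because they show the endpoint is being probed.
    """
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if keyword not in rec["path"].lower():  # case-insensitive path match
            continue
        entry = hits.setdefault(rec["ip"], {"attempts": 0, "successes": 0})
        entry["attempts"] += 1
        if rec["status"].startswith("2"):
            entry["successes"] += 1
    return hits


def alerts(log_text, allowlist=frozenset()):
    """Sources outside the admin allowlist (an assumption) that hit the endpoint."""
    return {ip: c for ip, c in find_reset_attempts(log_text).items() if ip not in allowlist}


if __name__ == "__main__":
    for ip, counts in alerts(SAMPLE_LOG, allowlist={"10.0.0.5"}).items():
        print(f"{ip}: {counts['attempts']} attempts, {counts['successes']} successful")
```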
