Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, January 29, 2026


In Pakistan, a digital honey-trap dubbed GhostChat has turned the search for connection into a conduit for espionage. The malicious app uses the psychological lure of "exclusive" access, presenting victims with locked female profiles that supposedly require hardcoded passcodes to view. This charade of scarcity masks a powerful surveillance tool that, once installed, quietly harvests contacts and documents in the background.

The cybercriminal group TA584 has hit a high-speed stride, deploying a relentless attack chain that pairs the new Tsundere Bot with the versatile XWorm RAT. By leveraging compromised email accounts and manipulative ClickFix prompts, the group guides users through a maze of CAPTCHAs and PowerShell commands to deliver their payload.

SolarWinds is racing to close several dangerous backdoors in its Web Help Desk software before attackers can walk through them. A series of critical flaws has revealed that untrusted data can be "deserialized" to grant unauthenticated users full command over a host system. These vulnerabilities turn the very platform meant to manage IT service requests into a launchpad for remote code execution.

Top Malware Reported in the Last 24 Hours

ESET uncovers spyware campaign in Pakistan

ESET researchers have identified a sophisticated spyware campaign in Pakistan that uses a fake dating app called GhostChat to lure victims. Posing as a chat platform, the app features locked female profiles and requires users to enter hardcoded access codes, creating an illusion of exclusivity. Once installed, GhostChat covertly monitors device activity and exfiltrates sensitive data, including contacts and documents. The campaign is linked to broader espionage activities, including ClickFix attacks that compromise victims’ computers and a WhatsApp hijacking technique called GhostPairing, which allows attackers to access users' chat histories. This coordinated effort employs social engineering tactics and impersonates governmental organizations to distribute malware.

Initial access hackers use Tsundere Bot

A prolific initial access broker known as TA584 has recently adopted the Tsundere Bot alongside the XWorm RAT to facilitate ransomware attacks. Active since 2020, TA584 has significantly increased its operations, employing a sophisticated attack chain that evades static detection methods. The Tsundere Bot, attributed to a Russian-speaking operator and linked to the 123 Stealer malware, can gather information, exfiltrate data, and install additional payloads. This attack chain begins with emails from compromised accounts, leading targets through a series of redirects and CAPTCHA pages to execute a PowerShell command that loads the malware. TA584's activity has expanded beyond North America and the U.K. to include Germany and Australia, indicating a broader targeting strategy. The malware operates as a service, utilizing the Ethereum blockchain for C2 communication and featuring capabilities to profile infected systems and execute arbitrary code.

Top Vulnerabilities Reported in the Last 24 Hours

SolarWinds patches four critical vulnerabilities

SolarWinds has issued critical security updates for its Web Help Desk software, addressing multiple vulnerabilities that could lead to authentication bypass and remote code execution (RCE). Among the identified flaws are CVE-2025-40536, which allows unauthenticated access to restricted functionalities, and CVE-2025-40551 and CVE-2025-40553, both of which involve untrusted data deserialization, enabling attackers to execute arbitrary commands on the host system. Additional vulnerabilities, CVE-2025-40552 and CVE-2025-40554, also permit authentication bypass, potentially allowing unauthorized actions within the Web Help Desk. 
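The briefing states that deserializing untrusted data lets an unauthenticated client run commands on the host, which is the general failure mode behind CVE-2025-40551 and CVE-2025-40553. The following added example (written for this page, not SolarWinds code, and not modelling Web Help Desk's own deserialization format) shows why in Python's pickle format: a serialized object can instruct the loader to call a function of the sender's choosing, and the mitigation is an unpickler that only resolves classes the application expects. The `Gadget`, `side_effect` and `AllowlistUnpickler` names, and the ticket-like sample data, are constructed for the illustration.

```python
"""Untrusted deserialization as code execution, beside the allowlist mitigation.

Constructed illustration using Python's pickle format. It is not the
Web Help Desk code base and is not tied to any specific CVE; the same
principle applies to Java object streams and other self-describing formats.
"""
import io
import pickle
from collections import OrderedDict

# Observable marker: set when deserialization ran sender-chosen code.
SIDE_EFFECT = {"called": False}


def side_effect():
    """Stand-in for 'arbitrary command on the host'; it only flips a flag."""
    SIDE_EFFECT["called"] = True
    return "executed"


class Gadget:
    """Object whose serialized form tells the loader to call a function.

    pickle invokes callable(*args) for any object whose __reduce__ returns
    (callable, args). The bytes, not the application, decide what code runs.
    """

    def __reduce__(self):
        return (side_effect, ())


def untrusted_bytes() -> bytes:
    """Constructed input resembling what a client could send to an endpoint
    that deserializes request data without authentication."""
    return pickle.dumps(Gadget())


def trusted_bytes() -> bytes:
    """Constructed benign input: the kind of record the application expects."""
    return pickle.dumps(OrderedDict([("ticket", 42), ("status", "open")]))


def vulnerable_load(data: bytes):
    """Loads whatever it is given; equivalent to eval() over the network."""
    return pickle.loads(data)


class AllowlistUnpickler(pickle.Unpickler):
    """Resolves only classes the application knows it needs.

    Plain data (dict, list, str, int) never triggers find_class, so the
    allowlist can stay tiny; each (module, name) pair is a deliberate choice.
    """

    ALLOWED = frozenset({("collections", "OrderedDict")})

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def hardened_load(data: bytes):
    """Deserializes through the allowlist; unexpected classes abort the load."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


def hardened_rejects(data: bytes) -> bool:
    """True if the hardened loader refused the input."""
    try:
        hardened_load(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", vulnerable_load(untrusted_bytes()), SIDE_EFFECT)
    print("hardened rejects gadget:", hardened_rejects(untrusted_bytes()))
    print("hardened loads record:", hardened_load(trusted_bytes()))
```

The allowlist is the part worth copying: the defensive move is to deny class resolution by default rather than to block known-bad classes, because the set of usable gadget classes in any large runtime is open-ended. Where the wire format must stay compatible with existing clients, a deserialization filter of this shape is the usual interim control until the endpoint is moved to a data-only format such as JSON.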

High-severity vulnerabilities found in n8n

Two critical vulnerabilities in the n8n workflow automation platform have been disclosed, allowing authenticated users to execute remote code. The first vulnerability, CVE-2026-1470, has a CVSS score of 9.9 and enables users to bypass the Expression sandbox mechanism by injecting malicious JavaScript code, leading to full remote code execution. The second flaw, CVE-2026-0863, with a CVSS score of 8.5, permits users to evade sandbox restrictions in the Python task executor, allowing arbitrary Python code execution on the underlying operating system. Exploiting these vulnerabilities could grant attackers complete control over n8n instances, posing significant risks, especially in internal execution modes.
