Weekly Threat Briefing
Cyware Weekly Threat Intelligence, January 05–09, 2026

The Good

  • The U.K. has launched a new cybersecurity strategy with an investment of over £210 million to enhance defenses across government departments and the public sector. This initiative includes establishing a Government Cyber Unit to coordinate risk management and incident response, aiming to secure online public services for citizens. Key measures involve setting minimum security standards, increasing visibility of cyber risks, and ensuring robust incident response capabilities. Additionally, a Software Security Ambassador Scheme will involve major firms promoting best practices in cybersecurity. This strategy follows recent legislation designed to protect critical infrastructure and public services from cyber threats, addressing prior incidents that disrupted essential services, including the NHS and Ministry of Defence systems.

The Bad

Telecommunications networks in South Asia and Southeastern Europe are being systematically mapped by a patient and calculated adversary: a China-linked threat actor known as UAT-7290 has been conducting deep espionage operations since 2022. Ghost Tap is redefining card fraud by enabling remote NFC tap-to-pay transactions without ever touching a victim's physical card; it is disguised as legitimate banking apps and spread via smishing and vishing. Two malicious Chrome extensions masqueraded as helpful tools for ChatGPT and DeepSeek. Using a tactic dubbed "Prompt Poaching," these extensions harvested complete conversation logs and browsing history every 30 minutes.

  • UAT-7290, a China-linked threat actor, has been conducting espionage-focused attacks against telecommunications entities in South Asia and Southeastern Europe since at least 2022. This group specializes in extensive reconnaissance of target organizations before launching their attacks, employing malware such as RushDrop, DriveSwitch, and SilentRaid. UAT-7290 not only infiltrates networks but also establishes Operational Relay Box (ORB) nodes, which can be utilized by other Chinese cyber actors for malicious operations. Their tactics include exploiting one-day vulnerabilities and using SSH brute force methods to compromise public-facing devices. The threat actor relies on a mix of open-source malware and custom tools, and their operations exhibit overlaps with other Chinese hacking groups like Stone Panda and RedFoxtrot.

  • An Android malware, known as Ghost Tap, is enabling cybercriminals to perform unauthorized remote NFC tap-to-pay transactions without physical access to victims' bank cards. The malware disguises itself as legitimate financial apps and is distributed via smishing and vishing campaigns. Criminals use two coordinated apps: one to capture NFC card data from victims and another to complete fraudulent transactions. Mule networks are also utilizing compromised cards for in-store purchases globally.

  • Two malicious Chrome extensions, affecting over 900,000 users, have been discovered exfiltrating sensitive data from OpenAI ChatGPT and DeepSeek conversations. Named "Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI" and "AI Sidebar with Deepseek, ChatGPT, Claude, and more," these extensions impersonated legitimate tools to gain user trust. Once installed, they requested permissions to collect anonymized analytics but instead harvested complete conversation data and browsing activity, sending this information to remote servers every 30 minutes. This tactic, referred to as "Prompt Poaching," poses significant risks, as the stolen data can be weaponized for corporate espionage and identity theft. Additionally, legitimate extensions like Similarweb have also been implicated in similar data collection practices, raising concerns about privacy and security in browser extensions.

  • A sophisticated cyberattack campaign by the Black Cat hacker group has been revealed, utilizing fake Notepad++ download websites to distribute malware and steal sensitive data. By exploiting search engine optimization techniques, these phishing sites rank prominently in search results, deceiving users into downloading malicious software. The malware employs advanced tactics, including a multi-layered execution chain and DLL side-loading, to establish persistence and evade detection. Once installed, it creates shortcuts that lead to backdoor components, enabling the theft of browser credentials, keylogging, and sensitive data exfiltration. 

  • The Kimwolf botnet has infected over 2 million Android devices by exploiting exposed Android Debug Bridge (ADB) services and residential proxy networks. Active since at least August 2025, this botnet is identified as an Android variant of AISURU and is linked to record-breaking DDoS attacks. Most infections are concentrated in Vietnam, Brazil, India, and Saudi Arabia, with approximately 67% of the compromised devices having ADB enabled by default. Many of these devices are thought to be pre-infected with software development kits (SDKs) from proxy providers. The botnet monetizes its operations by selling residential proxy bandwidth and utilizing the Byteconnect SDK for bandwidth monetization, allowing compromised devices to execute proxy tasks. 

New Threats

The popular messaging app on your phone has become the latest vector for a notorious banking trojan. A new campaign dubbed Boto Cor-de-Rosa is using WhatsApp to aggressively spread the Astaroth malware. A new ClickFix campaign is targeting European hotels with phishing emails. When victims visit the fraudulent site, they are hit with a realistic fake BSOD. A critical vulnerability (CVE-2025-68668) in the open-source n8n platform allows authenticated users to execute arbitrary system commands, earning it a severity score of 9.9.

  • A new campaign has emerged that utilizes WhatsApp to distribute the Astaroth banking trojan, primarily targeting users in Brazil. This malware, known for its data theft capabilities, retrieves victims' WhatsApp contact lists and automatically sends malicious messages to spread the infection. Codenamed Boto Cor-de-Rosa, the campaign features a multi-language approach, incorporating a Python-based worm module alongside a Visual Basic script installer. Astaroth has been active since 2015 and has recently adapted its tactics by leveraging WhatsApp, a widely used messaging platform in Brazil. The malware propagates through ZIP files containing downloader scripts that install further malicious components. Additionally, it includes a banking module that monitors web activity to harvest credentials, while tracking its propagation metrics in real time.

  • A new wave of GoBruteforcer botnet malware is targeting cryptocurrency and blockchain projects by exploiting weak server configurations and default credentials. The malware, written in Golang, uses brute-force attacks on exposed FTP, MySQL, PostgreSQL, and phpMyAdmin services. Many vulnerabilities arise from AI-generated server configurations that use predictable usernames and passwords, as well as outdated software stacks like XAMPP. Attackers are also using compromised hosts to scan and drain cryptocurrency wallets. Admins are advised to avoid default credentials, strengthen security configurations, and update software to mitigate risks.
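The GoBruteforcer item above comes down to two hardening checks: whether a database service is listening on every interface, and whether any account still carries a default or empty credential. The following Python audit, added here as an illustration and not code from the briefing or from any vendor, applies both checks to a constructed MySQL-style option file and a constructed account export. The list of "default" usernames and passwords is an assumption for demonstration, not a list taken from the page.

```python
"""Audit a database listener and its accounts for the weak settings that
brute-force campaigns against exposed MySQL/PostgreSQL/FTP services rely on.

Added example (not the briefing's or any project's code). Config text,
account rows and default-credential sets below are constructed/assumed.
"""
import re

# Constructed: an option file that exposes the listener to every interface.
WEAK_CONFIG = """
[mysqld]
bind-address = 0.0.0.0
port = 3306
"""

# Constructed: the same file with the listener restricted to loopback.
HARDENED_CONFIG = """
[mysqld]
bind-address = 127.0.0.1
port = 3306
"""

# Constructed: (user, host, password) rows as an admin might export them.
WEAK_ACCOUNTS = [
    ("root", "%", ""),
    ("admin", "%", "admin"),
    ("app", "10.0.0.5", "Xk3$v9Qm!2Lp7Rz"),
]

# Assumed: account names and passwords commonly left in place by templates.
DEFAULT_USERS = {"root", "admin", "user", "test", "pma"}
DEFAULT_PASSWORDS = {"", "root", "admin", "password", "123456", "test"}

# Hosts that mean "reachable from anywhere" in a MySQL-style grant table.
ANY_HOST = {"%", "0.0.0.0", ""}


def parse_bind_address(config_text):
    """Return the bind-address value, or None if the option is absent."""
    m = re.search(r"^\s*bind-address\s*=\s*(\S+)", config_text, re.MULTILINE)
    return m.group(1) if m else None


def audit_config(config_text):
    """Flag a listener bound to all interfaces.

    An absent bind-address is treated as all interfaces (assumption: that is
    the conservative reading when the server default is not known).
    """
    findings = []
    addr = parse_bind_address(config_text)
    if addr is None or addr in ("0.0.0.0", "::", "*"):
        findings.append("listener bound to all interfaces")
    return findings


def audit_accounts(accounts, min_len=12):
    """Flag default/empty/short passwords and default accounts open to any host."""
    findings = []
    for user, host, password in accounts:
        if password in DEFAULT_PASSWORDS:
            findings.append(f"{user}@{host}: default or empty password")
        elif len(password) < min_len:
            findings.append(f"{user}@{host}: short password")
        if host in ANY_HOST and user in DEFAULT_USERS:
            findings.append(f"{user}@{host}: default account reachable from any host")
    return findings


if __name__ == "__main__":
    for line in audit_config(WEAK_CONFIG) + audit_accounts(WEAK_ACCOUNTS):
        print("WEAK:", line)
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

The two checks are deliberately independent: a loopback-only listener still leaves a default `root@%` account exploitable from any host that can reach the database through another path, and a strong password does not help if the service is exposed to brute force with no rate limiting, so both findings lists should be empty before a host is considered hardened.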

  • A new ClickFix social engineering campaign targets the hospitality sector in Europe, utilizing fake Windows Blue Screen of Death (BSOD) screens to deceive users into executing malware. The attack begins with phishing emails impersonating Booking[.]com, claiming a significant refund due to a guest's reservation cancellation, which creates urgency. Victims are directed to a counterfeit Booking.com website that mimics the original and displays a fake error message. Clicking the refresh button triggers a full-screen fake BSOD, prompting users to run a malicious PowerShell command. This command downloads and compiles DCRAT, allowing attackers to gain control over the infected systems. Once established, the malware can steal data, spread throughout networks, and deploy additional payloads, such as cryptocurrency miners, further compromising the target's security.

  • A critical security vulnerability has been discovered in n8n, an open-source workflow automation platform, allowing authenticated users to execute arbitrary system commands on the host machine. This vulnerability, tracked as CVE-2025-68668 and rated 9.9 on the CVSS scoring system, affects versions from 1.0.0 to 1.111.0. It arises from a failure in the protection mechanism of the Python Code Node that utilizes Pyodide. The issue enables users with permissions to create or modify workflows to exploit the flaw and run commands with the same privileges as the n8n process. The vulnerability has been addressed in n8n version 2.0.0, which introduces a task runner-based native Python implementation for enhanced security. 

  • A new wave of GlassWorm malware is specifically targeting macOS developers through malicious VSCode and OpenVSX extensions that deliver trojanized crypto wallet applications. This campaign marks a shift from previous attacks that focused on Windows systems. The malware employs AES-256-CBC-encrypted payloads embedded in JavaScript, executing its malicious logic after a 15-minute delay to evade detection. It utilizes AppleScript for persistence and LaunchAgents instead of modifying the Registry. Additionally, GlassWorm attempts to replace legitimate hardware wallet applications like Ledger Live and Trezor Suite with compromised versions, although this feature is currently malfunctioning. Despite the increased defenses against it, the malware continues to steal credentials and sensitive data, including Keychain passwords, and has recorded over 33,000 installations, with figures that may be artificially inflated to enhance trustworthiness.
