Weekly Threat Briefing
Diamond Trail

Cyware Weekly Threat Intelligence, January 12–16, 2026


The Good

The U.S. government is overhauling its defense strategy for critical infrastructure to keep pace with rapid technological shifts and evolving threats. CISA, alongside international partners, has released urgent guidelines for integrating Artificial Intelligence into OT sectors, warning that tools like generative AI could create new vulnerabilities in already exposed industrial networks. Simultaneously, the DHS is streamlining its collaboration with the private sector by launching ANCHOR, an agile new council designed to replace the bureaucratic CIPAC model and foster faster, less rigid communication regarding threats to the nation's essential systems.

  • CISA, in collaboration with international cybersecurity agencies, has issued new guidelines addressing the security risks of integrating AI into OT systems, such as power grids and water treatment facilities. These guidelines emphasize the vulnerabilities of OT systems, which have become increasingly exposed due to their connection to the internet and the use of Industrial Internet of Things (IIoT) sensors. The rise of generative AI tools like ChatGPT in these environments raises concerns about potential exploitation by hackers. The guidance outlines four key principles for effectively managing AI integration into OT, focusing on understanding AI risks, assessing its application, establishing governance frameworks, and embedding safety practices to ensure the reliability of critical infrastructure.

  • The DHS is finalizing plans for a new council named ANCHOR (Alliance of National Councils for Homeland Operational Resilience) to replace the disbanded Critical Infrastructure Partnership Advisory Council (CIPAC). ANCHOR aims to enhance communication between government and industry regarding critical infrastructure security, addressing ongoing threats, particularly from cyber attacks. Unlike CIPAC, which was burdened by bureaucratic processes, ANCHOR seeks to facilitate broader discussions without rigid charter requirements.

  • Microsoft, in collaboration with international law enforcement, has successfully dismantled RedVDS, a cybercrime marketplace responsible for facilitating over $40 million in fraud in the U.S. since March 2025. This platform provided cybercriminals with access to disposable virtual machines, enabling widespread attacks such as credential theft, account takeovers, and phishing schemes. The operation involved seizing infrastructure and domains associated with RedVDS, which had been operational since 2019 and used third-party hosting services to evade detection. Microsoft identified the group behind RedVDS as Storm-2470 and is continuing efforts to trace the individuals involved in these cybercrimes.

The Bad

The DeadLock ransomware group is bypassing traditional firewalls by utilizing Polygon smart contracts to dynamically rotate its proxy server addresses. Hackers are exploiting a DLL side-loading vulnerability in the c-ares library by pairing a malicious file with a signed, legitimate GitKraken executable. Void Blizzard is targeting Ukrainian defense forces with PLUGGYAPE malware spread via fake charity links on Signal and WhatsApp, using trusted local accounts, dynamic C2 updates, and parallel phishing campaigns.

  • DeadLock ransomware, identified in July 2025, uses Polygon smart contracts to rotate its proxy server addresses, allowing it to bypass traditional defenses. This ransomware is notable for lacking a Data Leak Site (DLS) and has a low victim count, resulting in limited exposure. Its ransom notes have evolved from simple encryption threats to include data theft and additional services like incident reports. DeadLock primarily uses AnyDesk for remote management and employs a PowerShell script to stop non-whitelisted services and delete backups. The group’s infrastructure leverages decentralized blockchain technology, making it challenging to track their activities.

  • Hackers are exploiting a DLL side-loading vulnerability in the c-ares library to bypass security measures and deploy various malware, including Agent Tesla and CryptBot. This campaign targets employees in finance and supply chain sectors, using deceptive themes in multiple languages to lure victims. The attackers pair a malicious version of the libcares-2.dll with a signed version of GitKraken's ahost.exe, enabling them to execute their code while evading traditional security defenses. Additionally, phishing scams employing the Browser-in-the-Browser technique have emerged, tricking users into entering their Facebook credentials through fake login screens. A multi-stage phishing campaign has also been identified, utilizing Python payloads and cloud services to distribute AsyncRAT.

  • A critical vulnerability, tracked as CVE-2025-25256, has been discovered in Fortinet SIEM, allowing remote, unauthenticated attackers to execute commands or code. This flaw combines two issues that enable arbitrary write with admin permissions and privilege escalation to root access. Identified by Horizon3.ai in August 2025, the vulnerability arises from exposed command handlers in the phMonitor service, which has been a recurring entry point for previous vulnerabilities. Fortinet addressed the issue in November 2025, releasing patches for affected versions, specifically from 6.7 to 7.5. However, older versions, such as 7.0 and 6.7.0, remain unpatched. Horizon3.ai has also published a public exploit and indicators of compromise to assist organizations in detecting potential breaches related to this vulnerability.

  • The Russian hacking group tracked as Void Blizzard is deploying PLUGGYAPE malware against Ukrainian defense forces via Signal and WhatsApp, distributed through fake charity links. The malware employs Python, WebSocket, and MQTT for communication, with dynamic C2 updates using external paste services. Attackers use legitimate Ukrainian accounts and personalized tactics to enhance credibility in their operations. Other campaigns include phishing emails delivering Go-based stealers (FILEMESS), OrcaC2 frameworks, and LaZagne password recovery tools. Ukrainian institutions face spear-phishing campaigns leveraging malicious ZIP archives and LNK files.

  • Cisco has addressed a critical vulnerability, tracked as CVE-2025-20393, affecting its Secure Email Gateway and Secure Email and Web Manager products. This security flaw, disclosed in December 2025, was exploited by a China-linked threat group known as UAT-9686, allowing attackers to execute arbitrary commands with root privileges on compromised appliances. The vulnerability stemmed from insufficient validation of HTTP requests, enabling unauthenticated remote attackers to manipulate affected systems. Cisco reported that the exploitation had been ongoing since at least November 2025, with threat actors deploying the AquaShell backdoor and other malicious tools.

New Threats

The Gootloader malware has returned from a seven-month hiatus with a clever new evasion technique: concatenating up to 1,000 malformed ZIP archives into a single file. A new cyber-espionage campaign attributed to the Chinese state-sponsored group Mustang Panda is using Venezuela-themed spear phishing emails to target American government and policy entities. The first Patch Tuesday of 2026 is a heavy one, requiring immediate attention from administrators. Microsoft has addressed 114 vulnerabilities, including a zero-day flaw in the Desktop Window Manager, which attackers are actively exploiting to steal sensitive information.

  • Gootloader malware has evolved to utilize a sophisticated method of delivery by concatenating up to 1,000 malformed ZIP archives, making it difficult for analysis tools like 7-Zip and WinRAR to process. This technique exploits the way parsers read files, allowing the malware to remain undetected while still being unpacked by the default Windows utility. Since its emergence in 2020, Gootloader has been linked to various cybercriminal activities, including ransomware deployments. After a seven-month hiatus, it returned in November 2025 with enhanced obfuscation strategies, such as truncated End of Central Directory headers and randomized disk fields. These measures complicate detection and analysis, allowing the malware to execute JScript via Windows Script Host and maintain persistence on infected systems through shortcut files that trigger upon startup.
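As an added defender-side example (not code from the briefing or from any vendor it cites), the Python below counts the ZIP structures in a file and flags archives that carry more than one End of Central Directory record or a record that is cut short, the two traits described above. The signatures and record layout come from the ZIP specification; the two-archive sample is constructed in memory.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End of Central Directory record signature
LFH_SIG = b"PK\x03\x04"    # local file header signature
EOCD_MIN_LEN = 22          # fixed part of the EOCD record, before the comment


def find_all(data: bytes, sig: bytes) -> list:
    """Return every offset at which `sig` occurs in `data`."""
    offsets, pos = [], data.find(sig)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(sig, pos + 1)
    return offsets


def analyze_zip(data: bytes) -> dict:
    """Flag a file with several EOCD records, a truncated EOCD, or an entry
    count that disagrees with the local headers actually present.
    Note: signature bytes can also occur inside compressed data, so treat a
    hit as a triage signal, not proof."""
    eocds = find_all(data, EOCD_SIG)
    lfhs = find_all(data, LFH_SIG)
    truncated = [o for o in eocds if o + EOCD_MIN_LEN > len(data)]
    # A strict parser honours only the last complete EOCD; read the total
    # entry count it declares (little-endian uint16 at offset 10).
    declared = None
    if eocds and eocds[-1] not in truncated:
        declared = struct.unpack_from("<H", data, eocds[-1] + 10)[0]
    return {
        "eocd_records": len(eocds),
        "local_headers": len(lfhs),
        "truncated_eocd": len(truncated),
        "declared_entries": declared,
        "suspicious": len(eocds) > 1 or bool(truncated)
        or (declared is not None and declared != len(lfhs)),
    }


def make_zip(name: str, payload: bytes) -> bytes:
    """Constructed sample: a single-file ZIP built in memory (stored, not compressed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def build_concatenated_sample() -> bytes:
    """Constructed sample mimicking the technique: two archives glued together,
    with the final EOCD cut two bytes short (its comment-length field removed)."""
    return make_zip("readme.txt", b"decoy") + make_zip("script.js", b"// js")[:-2]
```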

  • A new cyber-espionage campaign has emerged, targeting U.S. government and policy entities through Venezuela-themed spear phishing tactics to deliver the LOTUSLITE backdoor. Attributed to the Chinese state-sponsored group Mustang Panda, this campaign utilizes DLL side-loading techniques to launch its attacks. The LOTUSLITE backdoor is a custom C++ implant designed for remote command execution and data exfiltration, establishing persistence via Windows Registry modifications.

  • Microsoft's January 2026 security update addresses 114 vulnerabilities, including one actively exploited flaw (CVE-2026-20805) affecting the Desktop Window Manager, which could lead to unauthorized disclosure of sensitive information. Among the vulnerabilities, eight are rated Critical, with many related to privilege escalation and information disclosure. Notably, the update addresses a security feature bypass concerning Secure Boot Certificate Expiration (CVE-2026-21265) and a critical privilege escalation flaw in Windows Virtualization-Based Security (CVE-2026-20876). Microsoft also removed outdated Agere Soft Modem drivers due to a local privilege escalation flaw.

  • VoidLink is a newly discovered advanced Linux malware framework targeting cloud environments, offering custom loaders, implants, rootkits, and plugins for exploitation. Written in Zig, Go, and C, VoidLink is under active development, with signs pointing to its use as a commercial product or framework for customers. The malware adapts its behavior to Kubernetes or Docker environments and gathers details about cloud providers, kernel versions, processes, and security tools. VoidLink uses a custom encrypted communication protocol, 'VoidStream,' to camouflage its traffic and employs multiple plugins for reconnaissance, credential harvesting, lateral movement, persistence, and anti-forensics.
