Weekly Threat Briefing
Diamond Trail

Cyware Weekly Threat Intelligence, January 19–23, 2026


The Good

Europe is securing its digital future with a major two-pronged strategy: legislative reform and technical independence. The proposed Cybersecurity Act 2.0 empowers the EU’s cybersecurity agency, ENISA, to enforce mandatory certifications and purge high-risk suppliers from telecom networks. Simultaneously, the launch of the GCVE provides a decentralized, European alternative to the U.S.-led CVE program. Managed by CIRCL, this open-source initiative aims to accelerate vulnerability tracking and bolster digital sovereignty by allowing independent entities to assign security identifiers without relying on a centralized, foreign authority.

  • The EU has proposed significant updates to its Cybersecurity Act, referred to as "Cybersecurity Act 2.0," to enhance cybersecurity across the bloc. The revision addresses earlier criticism of the act's voluntary nature and slow certification processes. Key changes include a trusted ICT supply chain security framework, mandatory de-risking of telecom networks from high-risk suppliers, and streamlined certification schemes that must be developed within 12 months. ENISA's role also expands, with more authority and resources to lead responses to major cyber incidents and to support businesses. The new act aims to better protect critical ICT supply chains and strengthen the EU's overall cybersecurity posture.

  • A new initiative, the Global CVE (GCVE) allocation system, has been launched as a European alternative to the U.S.-led CVE program. This open-source platform decentralizes vulnerability tracking by enabling more than 25 independent entities, known as GCVE Numbering Authorities (GNAs), to allocate and publish vulnerability identifiers. Hosted by CIRCL (the Computer Incident Response Center Luxembourg), GCVE aims to provide a unified reference point for vulnerability intelligence while strengthening digital sovereignty and trust in information sharing. In contrast to the centralized CVE program, which recently faced funding uncertainties, GCVE is intended to speed up vulnerability documentation and so allow quicker responses to emerging threats.

  • A new national fraud reporting service, Report Fraud, has launched in the U.K., aiming to improve how individuals and businesses report economic crime and how law enforcement responds. Replacing the much-criticized Action Fraud service, it is operated by the City of London Police and offers a modern platform with real-time analytics, an interactive portal for tracking reports, and proactive notifications to victims. With fraud and cybercrime accounting for nearly half of all crime in the U.K., the service seeks to improve the identification and disruption of criminal activity.

The Bad

Downloading the wrong text editor could turn your PC into a traffic relay for criminals: threat actor Larva-25012 is bundling a malicious DLL with a legitimate Notepad++ installer to deploy DPLoader. In a campaign dubbed TrueSightKiller, attackers are abusing the legitimate TrueSight.sys security driver to blind antivirus defenses; with more than 2,500 weaponized variants of the driver in circulation, they can terminate endpoint security processes before deploying ransomware. The job interview from hell is now taking place inside your code editor: the Contagious Interview campaign is targeting crypto and fintech developers with malicious Microsoft VS Code projects.

  • AhnLab's ASEC is monitoring proxyjacking attacks involving malware disguised as a Notepad++ installer and deployed by the threat actor Larva-25012. The group has refined its techniques to evade detection, including injecting proxyware into legitimate processes. Larva-25012 distributes several proxyware families, primarily through fake download sites for cracked software. Recent campaigns have shifted from MSI installers to ZIP archives containing both a legitimate Notepad++ installer and a malicious DLL. The loader, known as DPLoader, registers itself in the Windows Task Scheduler for persistence and executes scripts that install proxyware such as Infatica and DigitalPulse, which sell the victim's bandwidth.

  • TrueSightKiller is a significant threat in which attackers abuse TrueSight.sys, a legitimately signed driver from Adlice Software, to bypass antivirus protections. More than 2,500 variants of the driver have been weaponized, allowing threat actors to terminate endpoint security processes before deploying payloads such as ransomware and remote access trojans. The abuse takes advantage of how the driver's signature is verified: the file can be altered so that its hash changes while its digital signature still validates, which is how attackers produce thousands of hash-unique variants that defeat hash-based blocklists. The attack chain typically begins with phishing or compromised websites and leads to a multi-stage deployment that installs the EDR-killer module. The module targets numerous security products, leaving the host without working endpoint protection. The combination of valid signatures and the ability to mint polymorphic variants lets attackers evade detection.

  • North Korean actors associated with the Contagious Interview campaign are targeting developers with malicious Microsoft VS Code projects that deliver backdoor malware. Victims are instructed to clone repositories from platforms such as GitHub and open them in VS Code, where embedded payloads are executed through the project's task configuration files. The malware, disguised as benign files such as spell-check dictionaries, uses obfuscated JavaScript to contact remote servers, enabling remote code execution and persistent access. The attackers specifically target software engineers in the cryptocurrency and fintech sectors to reach sensitive information and digital assets. The campaign has also expanded its delivery methods to include malicious npm dependencies and added modules for keylogging and cryptocurrency mining.

  • A malicious ad-blocker extension called NexShield has been discovered targeting Chrome and Edge users through a malvertising campaign. The extension creates a denial-of-service condition by opening connections in an endless loop, crashing the browser or leaving it unresponsive. Once the browser restarts, NexShield displays a deceptive pop-up warning of security issues and instructs the user to paste and run commands in the Windows command prompt. Those commands launch an obfuscated PowerShell script that downloads a remote access tool known as ModeloRAT, which can carry out a range of malicious activity inside corporate environments. Researchers attribute this evolving threat to a group tracked as KongTuke, which has increasingly focused on enterprise networks since early 2025.

  • Cybersecurity researchers have discovered five malicious Google Chrome extensions that impersonate popular HR and ERP platforms, including Workday and NetSuite, to hijack user accounts. The extensions, such as DataByCloud Access and Tool Access 11, steal authentication tokens and interfere with security responses, enabling full account takeover through session hijacking. They exfiltrate cookies to remote servers and manipulate the Document Object Model (DOM) to keep users away from administrative pages. Notably, Software Access pairs cookie theft with the ability to inject stolen cookies into a browser, enabling direct session replay. All five share similar functionality and code patterns, suggesting a coordinated operation by the same actors or a common toolkit. Most have been removed from the Chrome Web Store, but they remain available on third-party sites.
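The Contagious Interview bullet describes payloads that run through a repository's VS Code task configuration. The scanner below is an added example, not code from the campaign report or from any of the vendors cited on this page. It assumes one documented VS Code behaviour: a task in `.vscode/tasks.json` with `"runOptions": {"runOn": "folderOpen"}` is offered to run as soon as the folder is opened (after the Workspace Trust prompt). The interpreter/download heuristic, the task labels and the sample repository it builds in a temporary directory are all constructed for the demo and are not indicators from the campaign.

```python
"""Audit a cloned repository for VS Code tasks that could run code on open.

Added example (not from the Contagious Interview report). Assumptions:
- VS Code runs a task with "runOptions": {"runOn": "folderOpen"} when the
  folder is opened and the user grants Workspace Trust; that is what we hunt.
- The suspicious-command regex and the demo repository are constructed.
"""
import json
import os
import re
import tempfile
from pathlib import Path

# Constructed heuristic: interpreters and download primitives that rarely
# belong in a build task of a project you have only just cloned.
SUSPICIOUS_CMD = re.compile(
    r"(?:\bnode\b.*\s-e\b|powershell|pwsh|curl|wget|Invoke-WebRequest|"
    r"certutil|base64|\beval\(|\.dic\b)", re.IGNORECASE)


def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments and trailing commas so json.loads accepts the
    JSON-with-comments dialect VS Code uses (comma removal is regex-based and
    would also touch a literal ",]" inside a string; acceptable for a triage tool)."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:          # keep escaped character verbatim
                out.append(text[i + 1]); i += 2; continue
            in_str = c != '"'
            i += 1
        elif c == '"':
            in_str = True; out.append(c); i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i); i = n if j < 0 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2); i = n if j < 0 else j + 2
        else:
            out.append(c); i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def task_command(task: dict) -> str:
    """Flatten command + args, including the per-OS overrides, into one string."""
    parts = []
    for scope in (task, task.get("windows"), task.get("linux"), task.get("osx")):
        if not isinstance(scope, dict):
            continue
        parts.append(str(scope.get("command", "")))
        parts.extend(str(a) for a in scope.get("args", []))
    return " ".join(p for p in parts if p)


def audit_tasks_json(path: Path) -> list:
    data = json.loads(strip_jsonc(path.read_text(encoding="utf-8")))
    findings = []
    for task in data.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        cmd = task_command(task)
        reasons = []
        if run_on == "folderOpen":
            reasons.append("runs automatically on folderOpen")
        if SUSPICIOUS_CMD.search(cmd):
            reasons.append("command matches interpreter/download heuristic")
        if reasons:
            findings.append({"file": str(path), "label": task.get("label"),
                             "runOn": run_on, "command": cmd, "reasons": reasons})
    return findings


def audit_repo(repo: Path) -> list:
    """Walk the clone and audit every .vscode/tasks.json it contains."""
    findings = []
    for root, _dirs, files in os.walk(repo):
        if os.path.basename(root) == ".vscode" and "tasks.json" in files:
            findings.extend(audit_tasks_json(Path(root) / "tasks.json"))
    return findings


# Constructed sample: one honest build task and one that fires on folder open
# and feeds a "dictionary" file to an interpreter.
DEMO_TASKS_JSON = r'''{
  // constructed sample, not from the campaign
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build" },
    {
      "label": "Spell-check setup",
      "type": "shell",
      "command": "node",
      "args": ["-e", "require('./.vscode/en-US.dic')"],
      "runOptions": { "runOn": "folderOpen" },
    },
  ]
}'''


def demo() -> list:
    """Write the constructed tasks.json into a throwaway clone and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        vscode = Path(tmp) / "repo" / ".vscode"
        vscode.mkdir(parents=True)
        (vscode / "tasks.json").write_text(DEMO_TASKS_JSON, encoding="utf-8")
        return audit_repo(Path(tmp) / "repo")


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}: task {f['label']!r}: {', '.join(f['reasons'])}")
```

Run it against a clone before opening the folder in VS Code; a `folderOpen` task in a project you were handed by a recruiter is reason enough to open the folder in Restricted Mode (or not at all) and read the task by hand.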
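The Workday/NetSuite extensions combine cookie access with reach into specific SaaS hosts. The manifest audit below is an added example, not code from the researchers' report. It assumes the Chrome Manifest V3 field names (`permissions`, `host_permissions`, `content_scripts[].matches`) and the standard per-profile `Extensions/<id>/<version>/manifest.json` layout; the watched-host list, the sample manifests and the extension names in them are constructed for the demo and are not the real extensions' identifiers.

```python
"""Flag browser extensions whose manifest pairs session-cookie access with
reach into HR/ERP SaaS hosts.

Added example, not from the researchers' report. Assumptions: Chrome MV3
manifest field names; the WATCHED_HOSTS list and both demo manifests are
constructed (the extension names are fictitious).
"""
import json
import os

# Constructed watch-list: hosts where a replayed session cookie means payroll/ERP takeover.
WATCHED_HOSTS = ("*.myworkday.com", "*.workday.com", "*.netsuite.com")
BROAD_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")
# Permissions that let an extension read/replay sessions or alter server responses.
BLOCKING_PERMS = {"webRequestBlocking", "declarativeNetRequest",
                  "declarativeNetRequestWithHostAccess"}
SENSITIVE_PERMS = {"cookies", "webRequest", "scripting"} | BLOCKING_PERMS


def pattern_host(pattern: str) -> str:
    """Host part of a Chrome match pattern: '*://*.x.com/*' -> '*.x.com'; broad -> '*'."""
    if pattern in BROAD_PATTERNS:
        return "*"
    rest = pattern.split("://", 1)[-1]
    return rest.split("/", 1)[0].lower()


def _base(host: str) -> str:
    return host.lstrip("*.").lower()


def covers(manifest_host: str, watched: str) -> bool:
    """True if the manifest host pattern reaches the watched domain."""
    if manifest_host == "*":
        return True
    h, w = _base(manifest_host), _base(watched)
    return h == w or h.endswith("." + w)


def audit_manifest(manifest: dict) -> dict:
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = [pattern_host(p) for p in manifest.get("host_permissions", [])]
    hosts += [pattern_host(p) for p in perms if "://" in p or p in BROAD_PATTERNS]  # MV2 style
    cs_hosts = [pattern_host(m) for cs in manifest.get("content_scripts", [])
                for m in cs.get("matches", [])]
    reach = sorted({h for h in hosts + cs_hosts if any(covers(h, w) for w in WATCHED_HOSTS)})
    cs_reach = [h for h in cs_hosts if any(covers(h, w) for w in WATCHED_HOSTS)]

    reasons = []
    if "cookies" in perms and reach:
        reasons.append("cookies permission with reach into watched hosts")
    if perms & BLOCKING_PERMS and reach:
        reasons.append("can block or rewrite responses from watched hosts")
    if cs_reach and perms & {"cookies", "scripting"}:
        reasons.append("injects scripts into watched pages and can rewrite their DOM")
    return {"name": manifest.get("name"), "reach": reach,
            "sensitive": sorted(perms & SENSITIVE_PERMS), "reasons": reasons,
            "verdict": "review" if reasons else "ok"}


def scan_profile(extensions_dir: str) -> list:
    """Audit every manifest under a Chrome/Edge profile's Extensions directory, e.g.
    %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Extensions on Windows or
    ~/.config/google-chrome/Default/Extensions on Linux."""
    results = []
    for root, _dirs, files in os.walk(extensions_dir):
        if "manifest.json" in files:
            with open(os.path.join(root, "manifest.json"), encoding="utf-8") as fh:
                r = audit_manifest(json.load(fh))
            r["path"] = root
            results.append(r)
    return results


# Constructed manifests: a cookie-stealing "access tool" shape and a benign dark-mode shape.
DEMO_SUSPICIOUS = {
    "name": "Cloud Data Access Helper (constructed)", "manifest_version": 3,
    "permissions": ["cookies", "declarativeNetRequest", "storage"],
    "host_permissions": ["*://*.myworkday.com/*", "*://*.netsuite.com/*"],
    "content_scripts": [{"matches": ["*://*.myworkday.com/*"], "js": ["inject.js"]}],
}
DEMO_BENIGN = {
    "name": "Dark Mode (constructed)", "manifest_version": 3,
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["<all_urls>"], "css": ["dark.css"]}],
}

if __name__ == "__main__":
    for m in (DEMO_SUSPICIOUS, DEMO_BENIGN):
        r = audit_manifest(m)
        print(f"{r['name']}: {r['verdict']} {r['reasons']}")
```

A content script on `<all_urls>` alone is common and is not flagged here; the combination that matters is cookie or blocking access plus reach into the hosts whose sessions you cannot afford to lose, which is exactly the shape these five extensions share.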

New Threats

A new, sophisticated ransomware named Osiris has surfaced, crippling a major Southeast Asian food service operator; the operation used a BYOVD attack with the malicious Poortry driver to disable defenses. Smartphone malware has become smarter, using machine learning to commit fraud with unsettling efficiency: a new Android threat family relies on TensorFlow models to interact with hidden ads on its own. And a new phishing campaign on LinkedIn is targeting high-value individuals with malicious WinRAR archives that use DLL sideloading to slip a RAT past standard defenses.

  • A new ransomware family named Osiris has emerged, hitting a major food service operator in Southeast Asia in November 2025. It is distinct from the similarly named variant seen in 2016 and is believed to have been developed by experienced attackers. The intruders used a malicious driver called Poortry in a BYOVD attack to disable security tooling, and exfiltrated data with Rclone to Wasabi cloud storage, echoing tactics seen in earlier Inc ransomware attacks. Osiris uses hybrid encryption (AES-128-CTR for file contents, with the symmetric keys protected by ECC), supports encrypting a chosen set of files, and terminates processes and services that would otherwise hold files open. It appends the .Osiris extension to affected files and drops a ransom note directing victims to negotiate with the attackers.

  • A new family of Android malware uses TensorFlow machine-learning models to commit click fraud by interacting with hidden browser advertisements. Distributed through Xiaomi's GetApps store and third-party APK sites, it operates in two modes: 'phantom,' which uses a hidden WebView to automate ad interactions, and 'signalling,' which streams live video of the browser screen to the attackers for real-time manipulation. Researchers found that the trojans usually masquerade as legitimate apps to avoid suspicion while running covertly; infected applications include popular games and modified versions of well-known services such as Spotify and YouTube.

  • A new phishing campaign uses LinkedIn messages to distribute a remote access trojan (RAT) through DLL sideloading. The attackers target high-value individuals with messages that build rapport and then steer the target to download a malicious WinRAR self-extracting archive. The archive contains a legitimate PDF reader application alongside a malicious DLL that is sideloaded when the application runs. The chain installs a Python interpreter and executes Base64-encoded shellcode in memory, giving the attackers persistent remote access to the compromised system. Because the lure arrives over LinkedIn rather than email, it sidesteps controls that are typically focused on the mail channel.

  • A new strain of malware known as PDFSider has been deployed in ransomware attacks against a Fortune 100 company in the finance sector. The attackers used social engineering, impersonating technical support to talk employees into running Microsoft's Quick Assist remote-support tool. PDFSider itself arrives via spearphishing emails carrying a legitimate PDF24 Creator executable alongside a malicious DLL that is loaded through DLL sideloading, which lets the malware run under a trusted, signed process. It operates quietly, leaving minimal disk artifacts and exfiltrating system information over DNS. It protects its communications with AES-256-GCM, making it more reminiscent of espionage tooling than of typical financially motivated malware, and includes anti-analysis features to evade detection in sandbox environments.
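Both the LinkedIn campaign and PDFSider rely on the same primitive: a legitimate, signed executable dropped into a user-writable directory loads an unsigned DLL sitting next to it. The hunt below is an added example, not code from either vendor's report. It runs over Sysmon Event ID 7 (Image loaded) records serialised one JSON object per line, as a SIEM export would do, and assumes Sysmon's field names (`Image`, `ImageLoaded`, `Signed`, `SignatureStatus`, `ProcessGuid`) and that the executable's own module load is also recorded as an Event 7 with `ImageLoaded` equal to `Image`, which is how the script learns whether the host process is signed. The directory lists and every path, file name and user in the sample lines are constructed and are not indicators from either campaign.

```python
"""Hunt for DLL side-loading in Sysmon Event ID 7 (ImageLoad) records.

Added example, not from either vendor report. Assumptions: Sysmon field names,
one JSON record per line, and that the EXE's own module load appears as an
Event 7 with ImageLoaded == Image. All sample data below is constructed.
"""
import json
import ntpath

# Where a freshly extracted archive or a remote-support drop typically lands.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\downloads\\")
# Same-directory DLL loads under these roots are routine and are not flagged.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _dir(path: str) -> str:
    """Normalised directory of a Windows path, with trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def _valid_sig(rec: dict) -> bool:
    return str(rec.get("Signed", "")).lower() == "true" and rec.get("SignatureStatus") == "Valid"


def hunt(lines) -> list:
    """Return side-loading candidates: an unsigned DLL loaded from the same
    user-writable directory as its host EXE. Severity is 'high' when the host
    EXE itself carries a valid signature (the classic sideload shape)."""
    recs = [json.loads(l) for l in lines if l.strip()]
    recs = [r for r in recs if str(r.get("EventID", 7)) == "7"]

    # Pass 1: learn per process whether the main image was validly signed.
    host_signed = {}
    for r in recs:
        if r.get("ImageLoaded", "").lower() == r.get("Image", "").lower():
            host_signed[r.get("ProcessGuid")] = _valid_sig(r)

    # Pass 2: flag co-located unsigned DLLs outside trusted install roots.
    findings = []
    for r in recs:
        image, dll = r.get("Image", ""), r.get("ImageLoaded", "")
        if not image or not dll or image.lower() == dll.lower():
            continue
        d = _dir(image)
        if d != _dir(dll):                       # side-loading needs the DLL beside the EXE
            continue
        if d.startswith(TRUSTED_ROOTS) or not any(t in d for t in USER_WRITABLE):
            continue
        if _valid_sig(r):                        # a validly signed DLL is not the pattern
            continue
        findings.append({
            "severity": "high" if host_signed.get(r.get("ProcessGuid")) else "medium",
            "time": r.get("UtcTime"), "user": r.get("User"),
            "image": image, "dll": ntpath.basename(dll), "directory": d,
        })
    return findings


# Constructed Sysmon export: process A is a signed viewer from a downloaded
# archive loading an unsigned DLL from its own folder; B is a vendor install
# doing the same under Program Files; C is an unsigned tool in Temp.
SAMPLE_LINES = r"""
{"EventID": 7, "UtcTime": "2026-01-20 09:12:01.101", "ProcessGuid": "{A}", "User": "CORP\\alice", "Image": "C:\\Users\\alice\\Downloads\\Offer\\PdfViewer.exe", "ImageLoaded": "C:\\Users\\alice\\Downloads\\Offer\\PdfViewer.exe", "Signed": "true", "SignatureStatus": "Valid", "Signature": "Constructed Software Ltd"}
{"EventID": 7, "UtcTime": "2026-01-20 09:12:01.104", "ProcessGuid": "{A}", "User": "CORP\\alice", "Image": "C:\\Users\\alice\\Downloads\\Offer\\PdfViewer.exe", "ImageLoaded": "C:\\Users\\alice\\Downloads\\Offer\\version.dll", "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""}
{"EventID": 7, "UtcTime": "2026-01-20 09:12:01.105", "ProcessGuid": "{A}", "User": "CORP\\alice", "Image": "C:\\Users\\alice\\Downloads\\Offer\\PdfViewer.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"}
{"EventID": 7, "UtcTime": "2026-01-20 09:13:40.000", "ProcessGuid": "{B}", "User": "CORP\\bob", "Image": "C:\\Program Files\\Vendor\\app.exe", "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll", "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""}
{"EventID": 7, "UtcTime": "2026-01-20 09:15:02.000", "ProcessGuid": "{C}", "User": "CORP\\alice", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe", "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""}
{"EventID": 7, "UtcTime": "2026-01-20 09:15:02.003", "ProcessGuid": "{C}", "User": "CORP\\alice", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\plugin.dll", "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""}
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LINES.splitlines()):
        print(f"[{f['severity']}] {f['time']} {f['user']} {f['image']} loaded {f['dll']} from {f['directory']}")
```

The high-severity finding (signed host, unsigned co-located DLL in Downloads) is the shape both campaigns produce; the Temp case is noisier because unsigned tooling loading its own plugins is common, so it is reported at medium severity for triage rather than alerting. Pair this with a process-creation rule for the Python interpreter spawned by an unexpected parent to catch the LinkedIn chain's next stage.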
