Welcome to your biweekly digest of curated cybersecurity intelligence.
Every two weeks, we bring you expert insights and handpicked articles covering the latest threats, threat actor activity, vulnerabilities, incident trends, and defensive strategies. Whether you’re on the front lines or shaping your organization’s security posture, Security Signals delivers the information you need to stay informed and ready.
For more articles, check out our #onpatrol4malware blog.
Turn Insights Into Action with Free Threat Intel
Security Signals gives you the insights, and our Risk Indicators OSINT feeds help you apply them.
This Edition’s Articles
These early January 2026 cyber threat reports showcase how attackers are actively abusing trusted software, exposed infrastructure, and popular platforms to reach victims at scale. This roundup highlights GoBruteforcer server attacks, UAT-7290 telecom targeting, fake WinRAR installers delivering malware, malicious Chrome extensions abusing AI tools, and ongoing MacSync stealer campaigns impacting macOS users.
APT36: Multi-Stage LNK Malware Campaign Targeting Indian Government Entities
Source: CYFIRMA
(Published: 30 December 2025)
CYFIRMA has identified a targeted malware campaign attributed to APT36 (Transparent Tribe), a Pakistan-aligned threat actor actively engaged in cyber espionage operations against Indian governmental, academic, and strategic entities. Read more.
From Victim to Vector: How Infostealers Turn Legitimate Businesses into Malware Hosts
Source: InfoStealers
(Published: 30 December 2025)
This entry in the Hudson Rock database means that a computer – likely belonging to a developer or admin at jrqsistemas.com – was infected by an Infostealer. Read more.
2 Security Experts Plead Guilty In BlackCat Ransomware Case
Source: The Cyber Express
(Published: 30 December 2025)
Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, were indicted in the BlackCat ransomware case in October. Read more.
Knownsec Data Breach: A Trove of Espionage Tradecraft with an Insider Narrative
Source: Resecurity
(Published: 31 December 2025)
The Knownsec leak is a pivotal incident of 2025 because it exposed the inner workings of a major state-linked Chinese cybersecurity firm, revealed espionage tools and global targets, internal documentation, and evidence of ongoing cyber operations targeting other countries. Read more.
VVS Discord Stealer Using Pyarmor for Obfuscation and Detection Evasion
Source: Unit 42 (Palo Alto Networks)
(Published: 2 January 2026)
This article details our technical analysis of VVS stealer, also styled VVS $tealer, including its distributors’ use of obfuscation and detection evasion. Read more.
Resurgence of Scattered Lapsus$ Hunters
Source: CYFIRMA
(Published: 3 January 2026)
Recent monitoring of underground forums and Telegram communities has identified the resurgence of the Scattered Lapsus$ collective. Read more.
D-Link DSL/DIR/DNS Command Injection via DNS Configuration Endpoint
Source: VulnCheck
(Published: 5 January 2026)
Severity: critical. Read more.
NordVPN Denies Breach After Hacker Leaks Data
Source: SecurityWeek
(Published: 6 January 2026)
The VPN company has conducted an investigation after a threat actor claimed to have hacked its systems. Read more.
Phishing actors exploit complex routing and misconfigurations to spoof domains
Source: Microsoft Security Blog
(Published: 6 January 2026)
Any third-party connectors – such as a spam filtering service, security solution, or archiving service – must be configured properly or spoof detections cannot be calculated correctly, allowing phishing emails such as the examples below to be delivered. Read more.
The Great VM Escape: ESXi Exploitation in the Wild
Source: Huntress
(Published: 7 January 2026)
In December 2025, Huntress observed an intrusion leading to the deployment of VMware ESXi exploits. Read more.
Malicious NPM Packages Deliver NodeCordRAT
Source: Zscaler ThreatLabz
(Published: 7 January 2026)
Zscaler ThreatLabz regularly monitors the `npm` database for suspicious packages. Read more.
Researchers rush to warn defenders of max-severity defect in n8n
Source: CyberScoop
(Published: 7 January 2026)
Roughly 100,000 servers running the automated workflow platform for AI and other enterprise tools are potentially exposed to exploitation. Read more.
Chrome Extensions Impersonate AI Tools to Steal ChatGPT & DeepSeek Chats
Source: SOCRadar
(Published: 7 January 2026)
A recently uncovered malware campaign involving Chrome extensions demonstrates how seemingly legitimate AI-focused add-ons can be abused to quietly collect sensitive user data at scale. Read more.
Inside GoBruteforcer: AI-Generated Server Defaults, Weak Passwords, and Crypto-Focused Campaigns
Source: Check Point Research
(Published: 7 January 2026)
GoBruteforcer is a botnet that turns compromised Linux servers into scanning and password brute-force nodes. Read more.
UAT-7290 targets high value telecommunications infrastructure in South Asia
Source: Cisco Talos
(Published: 8 January 2026)
Cisco Talos is disclosing a sophisticated threat actor we track as UAT-7290, who has been active since at least 2022. Read more.
Fake WinRAR downloads hide malware behind a real installer
Source: Malwarebytes
(Published: 8 January 2026)
A member of our web research team pointed me to a fake WinRAR installer that was linked from various Chinese websites. Read more.
Maduro Arrest Used as a Lure to Deliver Backdoor
Source: Darktrace
(Published: 9 January 2026)
Darktrace researchers observed threat actors exploiting reports of Venezuelan President Maduro’s arrest to deliver backdoor malware. Read more.
MacSync stealer is using a notarized app to bypass Mac defenses
Source: Moonlock
(Published: 9 January 2026)
MacSync, the new macOS stealer in town, is back with new tricks. Read more.
Boto-Cor-de-Rosa campaign reveals Astaroth WhatsApp-based worm activity in Brazil
Source: Acronis Threat Research Unit
(Published: 8 January 2026)
In a newly identified campaign, internally referred to as Boto Cor-de-Rosa, our researchers discovered that Astaroth now exploits WhatsApp Web as part of its propagation strategy. Read more.
Under Medusa’s Gaze: How Darktrace Uncovers RMM Abuse in Ransomware Campaigns
Source: Darktrace
(Published: 8 January 2026)
Medusa ransomware increasingly exploits remote monitoring and management (RMM) tools for persistence, lateral movement, and data exfiltration. Read more.
Reborn in Rust: Muddy Water Evolves Tooling with RustyWater Implant
Source: CloudSEK
(Published: 8 January 2026)
CloudSEK’s TRIAD recently identified a spear-phishing campaign attributed to the Muddy Water APT group targeting multiple sectors across the Middle East, including diplomatic, maritime, financial, and telecom entities. Read more.
North Korean Kimsuky Actors Leverage Malicious QR Codes in Spearphishing Campaigns Targeting U.S. Entities
Source: FBI IC3 (FLASH)
(Published: 8 January 2026)
The Federal Bureau of Investigation (FBI) is releasing this FLASH to alert NGOs, think tanks, academia, and other foreign policy experts with a nexus to North Korea of evolving tactics employed by the North Korean state-sponsored cyber threat group Kimsuky and to provide mitigation recommendations. Read more.
Iran Implements Nationwide Military Jamming to Cripple Starlink and Enforce Digital Blackout
Source: Reclaim The Net
(Published: 12 January 2026)
Iran’s government has expanded its control over digital communication, deploying military jamming systems that have largely disabled Starlink satellite access. Read more.
Stealthy malware masking its activity, deploying infostealer
Source: Kaspersky
(Published: 12 January 2026)
Our experts have detected a new wave of malicious emails targeting Russian private-sector organizations. Read more.
Hunting Lazarus: Inside the Contagious Interview C2 Infrastructure
Source: Red Asgard
(Published: 12 January 2026)
We found North Korean malware in a client’s Upwork project. Read more.
Unmasking the DPRK Remote Worker Problem
Source: Silent Push
(Published: 12 January 2026)
For decades, the “insider threat” was synonymous with the disgruntled staffer or the negligent contractor. Read more.
Want more articles? Check out the previous edition of Security Signals here.