
Cyber Threat Weekly – #112

Derek Krein
4 min read

The week of January 12th through January 18th, around 389 cyber news articles were reviewed. A light-ish amount of cyber threat trends and adversarial behavior news to share.  Been thinkin about social engineering and the attack on trust.

Social engineering ranges from credential harvesting and impersonation attacks against help desks and employees to funds transfer fraud via business email compromise.  It is happening across SMS text, email, voice, and social platforms.  Pretexting is the social engineering technique used to build trust and look legitimate.  Now add in AI to help with messaging, deepfakes for voice and video impersonation, and phishing-as-a-service kits to automate much of it.  Are you prepared for these types of attacks?

Let’s start with a malware variant deployed through DLL side-loading.  Supply chain attacks on browser extensions.  Social engineering attacks continue to grow.  Fortinet FortiSIEM bug exploited after exploit code released.

Interesting defense evasion technique by GootLoader malware.  The U.S. and allies release principle-based security guidance for OT connectivity.  Annual Threat Landscape Report.  Cloud-first modular framework targeting Linux.

Why agentic AI governance is so important.  Adversaries are targeting trust, this time LinkedIn.  An interesting reconnaissance campaign targeting large language models.


Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!

Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months.  We continue to share n-day vulnerabilities being actively exploited.  Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs.  If it’s in the catalog, it should be patched.

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for actively exploited and weaponized PoC code available vulnerabilities.

VPN gateways from all vendors are under constant attack.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.


CISA Known Exploited Vulnerabilities – January 12th to January 18th:

CVE-2025-8110 – Gogs Path Traversal Vulnerability:
Could allow for code execution.

CVE-2026-20805 – Microsoft Windows Information Disclosure Vulnerability:
Allows an authorized attacker to disclose information locally.


DLL Side-Loading Malware PDFSIDER

The name of the malware isn’t that important, what is crucial is how it works.  This technique is used by nation-states and cyber criminals.  It’s designed to bypass anti-virus and EDR.  In particular this variant uses authenticated encryption to secure its command-and-control traffic.  It’s designed to evade defenses.

https://www.resecurity.com/blog/article/pdfsider-malware-exploitation-of-dll-side-loading-for-av-and-edr-evasion


Browser Extension Supply Chain Attacks

Like npm, PyPI, and other code repositories, we're seeing browser extension supply chain attacks trending.  Seems like every week we see these types of attacks.  This one involves Chrome browser extensions; researchers found them exfiltrating cookies, blocking security admin pages, and hijacking sessions directly via bidirectional cookie injection.

https://www.bleepingcomputer.com/news/security/credential-stealing-chrome-extensions-target-enterprise-hr-platforms/

https://socket.dev/blog/5-malicious-chrome-extensions-enable-session-hijacking


Researchers Share a Social Engineering Investigation

Funds transfer fraud is picking up speed; this is a case investigated with lessons learned.  In the investigation, it was discovered that social engineering kicked off the attack: the adversary impersonated employees and manipulated multiple help desks into performing password resets and MFA re-enrollment, compromising multiple employee accounts.

https://unit42.paloaltonetworks.com/social-engineering-payroll-pirates/


Fortinet’s SIEM Product Bug Exploited After Exploit Release

Honestly, this is frustrating.  Researchers know that adversaries abuse exploit code, yet release it quickly after bugs are discovered and / or fixed.  This leads to active exploitation causing harm to those vendors' customers.  When are we going to stop marketing this way?  Totally understand it was 151 days since initial reporting, but how about thinking about customers for a change.

https://www.darkreading.com/vulnerabilities-threats/fortinet-critical-fortisiem-flaw-exploited

https://horizon3.ai/attack-research/disclosures/cve-2025-64155-three-years-of-remotely-rooting-the-fortinet-fortisiem/


Concatenated ZIP Archives Used by GootLoader

Researchers share a deep dive into how GootLoader abuses zip archives to bypass security controls.  They also share detection opportunities.  Security operations practitioners may find the breakdown and detection opportunities useful. 

https://thehackernews.com/2026/01/gootloader-malware-uses-5001000.html

https://expel.com/blog/gootloaders-malformed-zip/

https://expel.com/blog/gootloaders-malformed-zip/#defense-summary
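As an added example (not code from Expel's write-up or from the original post): a small Python structural check for the concatenated-archive trick, which flags a ZIP that carries more than one End of Central Directory record, or whose local file header count disagrees with the entry count in the final central directory, and shows which of the two glued archives Python's own zipfile parser sees.  Both archives are constructed in the block and contain only harmless text.

```python
import io
import struct
import zipfile

LOCAL_HDR = b"PK\x03\x04"  # local file header signature
EOCD_SIG = b"PK\x05\x06"   # End of Central Directory (EOCD) signature

def find_all(data: bytes, sig: bytes) -> list:
    """Return every offset at which the signature occurs."""
    offsets, pos = [], data.find(sig)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(sig, pos + 1)
    return offsets

def analyse_zip(data: bytes) -> dict:
    """Flag a ZIP with more than one EOCD, or whose local file header
    count disagrees with the entry count in the final central directory:
    both are symptoms of two archives glued together."""
    eocds = find_all(data, EOCD_SIG)
    local_headers = find_all(data, LOCAL_HDR)
    if not eocds:  # no EOCD at all: truncated or not a ZIP
        return {"eocd_count": 0, "local_headers": len(local_headers),
                "entries_in_last_cd": 0, "suspicious": True}
    # EOCD layout: sig(4) disk(2) cd_disk(2) entries_this_disk(2)
    #              total_entries(2) cd_size(4) cd_offset(4) comment_len(2)
    total_entries = struct.unpack_from("<H", data, eocds[-1] + 10)[0]
    return {"eocd_count": len(eocds),
            "local_headers": len(local_headers),
            "entries_in_last_cd": total_entries,
            "suspicious": len(eocds) > 1 or len(local_headers) != total_entries}

def names_seen_by_zipfile(data: bytes) -> list:
    """Python's zipfile trusts the last EOCD, so it lists only the tail archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

def build_zip(files: dict) -> bytes:
    """Build a small stored (uncompressed) archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample input: two harmless archives appended back to back.
FIRST = build_zip({"first.txt": b"hello from archive one"})
SECOND = build_zip({"second.txt": b"hello from archive two"})
CONCATENATED = FIRST + SECOND
```

Different unzip tools pick different EOCD records, so a scanner and an end user can extract different contents from the same file; counting signatures across the whole byte stream sidesteps that disagreement.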


Secure Connectivity Guidance for Operational Technology (OT)

Principle-based secure connectivity guidance for OT environments released by the U.S. and allies.  The guide uses a common-sense, threat-informed approach and, let's face it, principles stand the test of time when implemented properly.

https://www.cybersecuritydive.com/news/operational-technology-security-international-guidance/809851/

https://www.ncsc.gov.uk/files/ncsc-secure-connectivity-for-operational-technology.pdf


Annual Threat Landscape Report 2025

Cyble released their annual report covering threat trends.  Both supply chain attacks and ransomware attacks claimed by threat groups broke volume records.  Supply chain attacks nearly doubled while ransomware groups increased by 57 and extortion groups increased by 27.


Researchers Discover VoidLink, a Modular Linux Framework

It is designed to be cloud-focused and to maintain long-term access to Linux systems.  This stealthy framework includes multiple operational security mechanisms, loaders, rootkits, and plugins.  The flexibility comes from a custom Plugin API.

https://www.bleepingcomputer.com/news/security/new-voidlink-malware-framework-targets-linux-cloud-servers/

https://research.checkpoint.com/2026/voidlink-the-cloud-native-malware-framework/


ServiceNow Agentic AI Abused by Researchers

First, we're lucky this was researchers and not threat actors.  A legacy chatbot essentially had agentic AI bolted on.  This allowed for bot-to-bot and agent-to-agent communications through providers such as Slack.  The researcher was able to create platform-wide admin credentials using the chatbot.  AI, data, and identity and access management governance is critical when deploying agentic AI.

https://www.darkreading.com/remote-workforce/ai-vulnerability-servicenow

https://appomni.com/ao-labs/bodysnatcher-agentic-ai-security-vulnerability-in-servicenow/


Comment-Reply Phishing Impersonating LinkedIn

The attackers impersonate the platform with bot-like comment replies using messages such as ‘your account is temporarily restricted’.  The message provides a link, sometimes using LinkedIn’s own URL shortener.  This is a persistent attack on trust via social engineering.

https://www.bleepingcomputer.com/news/security/convincing-linkedin-comment-reply-tactic-used-in-new-phishing/


Reconnaissance Campaign Targeting Large Language Models (LLMs)

Researchers observe a widespread campaign scanning for misconfigured proxy servers, looking for exposed LLM endpoints.  The test queries were likely attempting to fingerprint which model responds. 

https://thecyberexpress.com/attackers-targeting-llms-widespread-campaign/

https://www.greynoise.io/blog/threat-actors-actively-targeting-llms

