🛠️⚠️ Attackers are abusing trusted IT tools, not deploying malware.

A new campaign steals email logins, then installs legitimate RMM software for silent, long-term access.
Because the tools are signed and allowed, many security controls don’t trigger.

🔗 Details → https://thehackernews.com/2026/01/phishing-attack-uses-stolen-credentials.html

🇺🇸  TikTok confirmed a new U.S. joint venture to stay operational in the country.

ByteDance will reduce its stake to 19.9%, giving majority control to U.S. investors.

U.S. user data and algorithms will move to Oracle’s U.S. cloud with third-party security audits.

🔗 Read → https://thehackernews.com/2026/01/tiktok-forms-us-joint-venture-to.html

🚨 Fortinet confirms active exploitation of CVE-2025-59718 / 59719, allowing FortiGate FortiCloud SSO bypass — even on fully patched devices.

Attackers abuse crafted SAML logins to gain admin access, add persistent accounts, enable VPN, and steal configs. Disabling FortiCloud SSO is advised.

🔗 Details → https://thehackernews.com/2026/01/fortinet-confirms-active-forticloud-sso.html

🚨 CISA added four exploited vulnerabilities to its KEV list, impacting Zimbra, Versa SD-WAN, Vite, and a compromised npm package linked to a supply-chain attack.

⏳ U.S. federal agencies must apply fixes by Feb 12 under BOD 22-01.

🔗 CVEs, fixes, and deadlines → https://thehackernews.com/2026/01/cisa-updates-kev-catalog-with-four.html

🚨 CISA confirms active exploitation of a critical VMware vCenter Server flaw.

CVE-2024-37079 allows remote code execution via a DCE/RPC heap overflow if an attacker has network access.

🔗 Details → https://thehackernews.com/2026/01/cisa-adds-actively-exploited-vmware.html

🇵🇱 Poland blocked what officials described as its strongest cyberattack on the energy sector in years.

ESET links it to Russia-aligned Sandworm, which used a new DynoWiper malware to target ⚡ power plants and renewable energy systems in late Dec 2025.

🔗Details → https://thehackernews.com/2026/01/new-dynowiper-malware-used-in-attempted.html

🤖 AI agents now move faster than IAM can see.

Shared agents quietly gain broad, long-lived access across systems, often with no clear owner. That’s how access drift begins.

The risk isn’t stolen creds—it’s valid access used in unsafe ways that never trigger alerts.

🔗 Read → https://thehackernews.com/2026/01/who-approved-this-agent-rethinking.html

⚠️ Russian users hit by a new phishing chain delivering Amnesia RAT and ransomware.

Fake business docs and LNK files do the work — no exploits. Payloads are split across GitHub and Dropbox, then Microsoft Defender is disabled using defendnot.

🔗Full attack chain and defenses → https://thehackernews.com/2026/01/multi-stage-phishing-campaign-targets.html

🧑‍💻 North Korea’s Konni group is using AI-assisted PowerShell malware to target blockchain developers.

Campaigns hit Japan, Australia, and India via Google ad–style phishing links that bypass filters and drop EndRAT.

🔗 Inside the full attack chain → https://thehackernews.com/2026/01/konni-hackers-deploy-ai-generated.html

🛑 Attackers now use 🤖 AI to write, hide, and mutate malware in real time. Google and Anthropic confirm AI-orchestrated attacks running autonomously end to end.

They bypass EDR by looking normal on each endpoint. The tell is in network behavior.

🔗 How network signals expose what endpoints miss → https://thehackernews.com/2026/01/winning-against-ai-based-attacks.html

🚨 Two popular VS Code AI assistant extensions were caught spying on developers.

They looked normal but quietly sent opened files and code edits to servers in 🇨🇳 China.

Koi Security says 1.5M installs were exposed without consent.

🔗Read → https://thehackernews.com/2026/01/malicious-vs-code-ai-extensions-with-15.html

🚨 Weekly Cybersecurity Recap

⚠️ Old flaws, new attacks
🧠 AI writing malware
🧩 Trusted software abused
⏱️ Exploits moving fast

🔐 Read the full recap. Stay alert → https://thehackernews.com/2026/01/weekly-recap-firewall-flaws-ai-built.html

🚨 ALERT: Indian users are being hit by a cyber-espionage campaign posing as Income Tax emails.

Opening the attachment installs a stealth backdoor that disguises itself as Windows Explorer, bypasses UAC, and stays hidden.

🔗 Inside the attack chain and payloads → https://thehackernews.com/2026/01/indian-users-targeted-in-tax-phishing.html

Google Project Zero revealed a working zero-click exploit chain against Pixel 9 phones.

A bug in the Dolby audio decoder let Google Messages process a malicious audio file in the background, gaining code execution, then a kernel bug completed the takeover. Pixel patches shipped in early Jan 2026.

🔗 Read → https://thehackernews.com/2026/01/threatsday-bulletin-pixel-zero-click.html#zero-click-chain-hits-pixel

🛑 URGENT: Microsoft rushed out out-of-band fixes for an actively exploited Office zero-day.

CVE-2026-21509 (CVSS 7.8) lets attackers bypass Office security using a malicious file that must be opened by the victim.

🔗 Details → https://thehackernews.com/2026/01/microsoft-issues-emergency-patch-for.html

⚠️ Most OT incidents don’t start in OT. They start with routine IT gaps reaching operations.

Sygnia found risk centered on remote access, management systems, identity, and recovery—not the process network. ~60% of OT access came via trusted management paths.

🔗 Why this pattern keeps repeating across industries → https://thehackernews.com/expert-insights/2026/01/ot-security-in-practice-4-crossindustry.html

🇨🇳 China-aligned APTs are using PeckBirdy, a JScript-based C2 framework active since 2023, to move quietly across browsers, Windows tools, and servers.

🕵️‍♂️ It relies on LOLBins to deliver modular backdoors and steal data, leaving little trace on disk.

🔗 See how PeckBirdy works → https://thehackernews.com/2026/01/china-linked-hackers-have-used.html

⚠️ A single spreadsheet formula can now lead to full server takeover in Grist-Core.

The flaw, CVE-2026-24002 (CVSS 9.1), breaks out of the Pyodide sandbox, letting attackers run OS commands and access files and secrets.

🔗 Read → https://thehackernews.com/2026/01/critical-grist-core-vulnerability.html

⚠️ Update: Alma Security calls CVE-2026-1245 ParserPoison.

binary-parser drops unvalidated field names and encodings into new Function(). Untrusted schemas = JavaScript execution.

🔗 How ParserPoison works under the hood → https://thehackernews.com/2026/01/certcc-warns-binary-parser-bug-allows.html

🚨 ClickFix attacks are evolving fast.

🧩 Fake CAPTCHAs trick users into running commands that abuse signed Windows App-V scripts to proxy PowerShell.

☁️ Malware like Amatera Stealer is staged via trusted services, runs in memory, and mainly hits enterprise systems—staying under EDR radar.

🔗 Inside the new ClickFix playbook → https://thehackernews.com/2026/01/clickfix-attacks-expand-using-fake.html

🇮🇳 Indian government networks were targeted in two cyber campaigns linked to a Pakistan-based actor.

Tracked by Zscaler as Gopher Strike and Sheet Attack, the key tactic was India-only malware delivery, filtered by IP and Windows systems to evade analysis.

🔗 Attack chain and tools explained → https://thehackernews.com/2026/01/experts-detect-pakistan-linked-cyber.html