⚠️ Russian users hit by a new phishing chain delivering Amnesia RAT and ransomware.

Fake business docs and LNK files do the work — no exploits. Payloads are split across GitHub and Dropbox, then Microsoft Defender is disabled using defendnot.

🔗Full attack chain and defenses → https://thehackernews.com/2026/01/multi-stage-phishing-campaign-targets.html

🧑‍💻 North Korea’s Konni group is using AI-assisted PowerShell malware to target blockchain developers.

Campaigns hit Japan, Australia, and India via Google ad–style phishing links that bypass filters and drop EndRAT.

🔗 Inside the full attack chain → https://thehackernews.com/2026/01/konni-hackers-deploy-ai-generated.html

🛑 Attackers now use 🤖 AI to write, hide, and mutate malware in real time. Google and Anthropic confirm AI-orchestrated attacks running autonomously end to end.

They bypass EDR by looking normal on each endpoint. The tell is in network behavior.

🔗 How network signals expose what endpoints miss → https://thehackernews.com/2026/01/winning-against-ai-based-attacks.html

🚨 Two popular VS Code AI assistant extensions were caught spying on developers.

They looked normal but quietly sent opened files and code edits to servers in 🇨🇳 China.

Koi Security says 1.5M installs were exposed without consent.

🔗Read → https://thehackernews.com/2026/01/malicious-vs-code-ai-extensions-with-15.html

🚨 Weekly Cybersecurity Recap

⚠️ Old flaws, new attacks
🧠 AI writing malware
🧩 Trusted software abused
⏱️ Exploits moving fast

🔐 Read the full recap. Stay alert → https://thehackernews.com/2026/01/weekly-recap-firewall-flaws-ai-built.html

🚨 ALERT: Indian users are being hit by a cyber-espionage campaign posing as Income Tax emails.

Opening the attachment installs a stealth backdoor that disguises itself as Windows Explorer, bypasses UAC, and stays hidden.

🔗 Inside the attack chain and payloads → https://thehackernews.com/2026/01/indian-users-targeted-in-tax-phishing.html

Google Project Zero revealed a working zero-click exploit chain against Pixel 9 phones.

A bug in the Dolby audio decoder let Google Messages process a malicious audio file in the background, gaining code execution, then a kernel bug completed the takeover. Pixel patches shipped in early Jan 2026.

🔗 Read → https://thehackernews.com/2026/01/threatsday-bulletin-pixel-zero-click.html#zero-click-chain-hits-pixel

🛑 URGENT: Microsoft rushed out out-of-band fixes for an actively exploited Office zero-day.

CVE-2026-21509 (CVSS 7.8) lets attackers bypass Office security using a malicious file that must be opened by the victim.

🔗 Details → https://thehackernews.com/2026/01/microsoft-issues-emergency-patch-for.html

⚠️ Most OT incidents don’t start in OT. They start with routine IT gaps reaching operations.

Sygnia found risk centered on remote access, management systems, identity, and recovery—not the process network. ~60% of OT access came via trusted management paths.

🔗 Why this pattern keeps repeating across industries → https://thehackernews.com/expert-insights/2026/01/ot-security-in-practice-4-crossindustry.html

🇨🇳 China-aligned APTs are using PeckBirdy, a JScript-based C2 framework active since 2023, to move quietly across browsers, Windows tools, and servers.

🕵️‍♂️ It relies on LOLBins to deliver modular backdoors and steal data, leaving little trace on disk.

🔗 See how PeckBirdy works → https://thehackernews.com/2026/01/china-linked-hackers-have-used.html

⚠️ A single spreadsheet formula can now lead to full server takeover in Grist-Core.

The flaw, CVE-2026-24002 (CVSS 9.1), breaks out of the Pyodide sandbox, letting attackers run OS commands and access files and secrets.

🔗 Read → https://thehackernews.com/2026/01/critical-grist-core-vulnerability.html

⚠️ Update: Alma Security calls CVE-2026-1245 ParserPoison.

binary-parser drops unvalidated field names and encodings into new Function(). Untrusted schemas = JavaScript execution.

🔗 How ParserPoison works under the hood → https://thehackernews.com/2026/01/certcc-warns-binary-parser-bug-allows.html

🚨 ClickFix attacks are evolving fast.

🧩 Fake CAPTCHAs trick users into running commands that abuse signed Windows App-V scripts to proxy PowerShell.

☁️ Malware like Amatera Stealer is staged via trusted services, runs in memory, and mainly hits enterprise systems—staying under EDR radar.

🔗 Inside the new ClickFix playbook → https://thehackernews.com/2026/01/clickfix-attacks-expand-using-fake.html

🇮🇳 Indian government networks were targeted in two cyber campaigns linked to a Pakistan-based actor.

Tracked by Zscaler as Gopher Strike and Sheet Attack, the key tactic was India-only malware delivery, filtered by IP and Windows systems to evade analysis.

🔗 Attack chain and tools explained → https://thehackernews.com/2026/01/experts-detect-pakistan-linked-cyber.html

🔒 WhatsApp is adding a lockdown-style security mode for high-risk users, including journalists and public figures.

It blocks media from unknown senders, silences unknown calls, and locks risky settings to reduce spyware exposure.

🔗 How it works → https://thehackernews.com/2026/01/whatsapp-rolls-out-lockdown-style.html

⚡ WEBINAR ALERT — AI is redefining how MSSPs scale in 2026.

This session breaks down how one MSSP cut manual work, delivered CISO-grade services, and grew recurring revenue -- without adding headcount. The advantage came from automation, not expansion.

🔗 Register now to see how it works → https://thehacker.news/ai-security-management

🔧 Fortinet issues patch update for actively exploited FortiOS SSO flaw.

The fix addresses CVE-2026-24858 (CVSS 9.4), an SSO authentication bypass that can allow cross-tenant device access when FortiCloud SSO is enabled. CISA has added the issue to its KEV list, setting a Jan 30 remediation deadline.

🔗 Details → https://thehackernews.com/2026/01/fortinet-patches-cve-2026-24858-after.html

🛑 A WinRAR bug fixed in July 2025 is still being exploited.

Researchers at Google ties CVE-2025-8088 to Russia- and China-linked actors, plus cybercrime groups deploying RATs and stealers, showing how quickly n-days get reused.

🔗 Read → https://thehackernews.com/2026/01/google-warns-of-active-exploitation-of.html

China-linked Mustang Panda is using an updated COOLCLIENT backdoor in 2025 espionage attacks on government networks across Asia and Russia.

🗂️ Enables file theft
⌨️ keylogging
📋 clipboard monitoring
🌐 proxy credential theft

🔗 Read → https://thehackernews.com/2026/01/mustang-panda-deploys-updated.html

⚠️ n8n disclosed two sandbox escape flaws that let authenticated users seize control of automation servers.

One issue is rated CVSS 9.9 and enables full RCE. Risk is higher in internal execution mode, which n8n already advises against.

🔗 Details → https://thehackernews.com/2026/01/two-high-severity-n8n-flaws-allow.html

🚨 A critical flaw in the vm2 Node.js library lets attackers escape the sandbox and run code on the host system.

Tracked as CVE-2026-22709 (CVSS 9.8), the issue stems from improper Promise handler sanitization.

🔗 How the flaw works → https://thehackernews.com/2026/01/critical-vm2-nodejs-flaw-allows-sandbox.html