ClickFix attacks are evolving fast.
Fake CAPTCHAs trick users into running commands that abuse signed Windows App-V scripts to proxy PowerShell.
Malware like Amatera Stealer is staged via trusted services, runs in memory, and mainly hits enterprise systems, staying under EDR radar.
Inside the new ClickFix playbook → https://thehackernews.com/2026/01/clickfix-attacks-expand-using-fake.html
Indian government networks were targeted in two cyber campaigns linked to a Pakistan-based actor.
Zscaler tracks the campaigns as Gopher Strike and Sheet Attack; the key tactic was India-only malware delivery, filtered by IP and Windows systems to evade analysis.
Attack chain and tools explained → https://thehackernews.com/2026/01/experts-detect-pakistan-linked-cyber.html
WhatsApp is adding a lockdown-style security mode for high-risk users, including journalists and public figures.
It blocks media from unknown senders, silences unknown calls, and locks risky settings to reduce spyware exposure.
How it works → https://thehackernews.com/2026/01/whatsapp-rolls-out-lockdown-style.html
WEBINAR ALERT: AI is redefining how MSSPs scale in 2026.
This session breaks down how one MSSP cut manual work, delivered CISO-grade services, and grew recurring revenue -- without adding headcount. The advantage came from automation, not expansion.
Register now to see how it works → https://thehacker.news/ai-security-management
Fortinet issues patch update for actively exploited FortiOS SSO flaw.
The fix addresses CVE-2026-24858 (CVSS 9.4), an SSO authentication bypass that can allow cross-tenant device access when FortiCloud SSO is enabled. CISA has added the issue to its KEV list, setting a Jan 30 remediation deadline.
Details → https://thehackernews.com/2026/01/fortinet-patches-cve-2026-24858-after.html
A WinRAR bug fixed in July 2025 is still being exploited.
Researchers at Google tie CVE-2025-8088 to Russia- and China-linked actors, plus cybercrime groups deploying RATs and stealers, showing how quickly n-days get reused.
Read → https://thehackernews.com/2026/01/google-warns-of-active-exploitation-of.html
China-linked Mustang Panda is using an updated COOLCLIENT backdoor in 2025 espionage attacks on government networks across Asia and Russia.
It enables:
- file theft
- keylogging
- clipboard monitoring
- proxy credential theft
Read → https://thehackernews.com/2026/01/mustang-panda-deploys-updated.html
⚠️ n8n disclosed two sandbox escape flaws that let authenticated users seize control of automation servers.
One issue is rated CVSS 9.9 and enables full RCE. Risk is higher in internal execution mode, which n8n already advises against.
Details → https://thehackernews.com/2026/01/two-high-severity-n8n-flaws-allow.html
A critical flaw in the vm2 Node.js library lets attackers escape the sandbox and run code on the host system.
Tracked as CVE-2026-22709 (CVSS 9.8), the issue stems from improper Promise handler sanitization.
How the flaw works → https://thehackernews.com/2026/01/critical-vm2-nodejs-flaw-allows-sandbox.html
AI didn't replace SOC analysts. It fixed the scale gap.
Agentic AI investigates every alert first, then hands a verdict to humans.
No sampling. No skipped signals.
Full context by default.
How triage really changes → https://thehackernews.com/2026/01/from-triage-to-threat-hunts-how-ai.html
Researchers find Russian-linked ELECTRUM targeted Poland's ⚡ power infrastructure in December.
The coordinated attack hit wind, solar, and CHP sites, breaching OT systems and damaging some equipment beyond repair.
Read → https://thehackernews.com/2026/01/russian-electrum-tied-to-december-2025.html
Fake VS Code extension abused #Moltbot's name to deliver remote access malware.
It posed as an AI assistant, despite Moltbot having no official VS Code plugin. Once installed, it auto-ran on IDE launch and dropped ScreenConnect for persistent remote control.
Read → https://thehackernews.com/2026/01/fake-moltbot-ai-coding-assistant-on-vs.html
Container adoption has outpaced security.
82% of organizations suffered a container breach last year, and most now assume one will happen every year. Fast-moving containers and unchecked public images keep adding risk faster than teams can fix it.
Why container security prevention is failing in 2026 → https://thehackernews.com/expert-insights/2026/01/the-great-container-disconnect-security.html
Google dismantles IPIDEA, a major residential proxy network.
GTIG says 550+ threat groups used it this month to hide espionage, cybercrime, and password-spray attacks by routing traffic through hijacked home devices worldwide.
Read → https://thehackernews.com/2026/01/google-disrupts-ipidea-one-of-worlds.html
SolarWinds patches unauthenticated RCE paths → https://thehackernews.com/2026/01/solarwinds-fixes-four-critical-web-help.html
Four critical Web Help Desk bugs let attackers skip login and run code.
Deserialization + auth bypass chained. Update closes it.
Fake ChatGPT Chrome add-on stole 459+ API keys: https://thehackernews.com/2026/01/weekly-recap-firewall-flaws-ai-built.html#:~:text=Malicious%20Chrome%20Extensions%20Steal%20OpenAI%20API%20Keys%20and%20User%20Prompts
Keys sent to Telegram after logout or chat delete.
Hidden Google access raised the real stakes.
Poor threat intel drives downtime and analyst burnout in modern SOCs.
Fresh, validated feeds shorten MTTD/MTTR and reduce false positives at scale.
Full details: https://thehackernews.com/2026/01/3-decisions-cisos-need-to-make-to.html
This week's ThreatsDay tracks exploits, ransomware trends, crypto laundering, and phishing operations.
Patterns point to scale and repetition, not one-off incidents, across platforms teams already trust.
Full details ➡️ https://thehackernews.com/2026/01/threatsday-bulletin-new-rces-darknet.html