We open the new year with a Microsoft Office CVE dating back to 2009 (CVE-2009-0556) finally being added to the CISA Known Exploited Vulnerabilities (KEV) catalog on 7 January. A 17-year-old vulnerability confirmed under active exploitation only now underscores the need to keep software up to date and to retire unsupported versions. On the ransomware front, we start the year with Qilin once again taking the top spot. Double extortion continues to gain ground: good backup and disaster-recovery processes mitigate the impact of encryption, but threat actors have learned that there is little a victim can do once its data has already been stolen.
Report Links
Download Threat Brief For January 1-15 2026
Byer-Nichols Threat Brief Podcast 01-15-2026
Ransomware Actors
| Ransomware | Percentage | Last Period (rank) | Two Periods Ago (rank) |
|---|---|---|---|
| Qilin | 20.07% | 1 | 1 |
| Akira | 14.80% | 5 | 2 |
| Sinobi | 9.54% | 4 | 4 |
| Lynx | 7.57% | 12 | 24 |
| INC Ransom | 6.58% | 6 | 7 |
Qilin, Akira, Sinobi, Lynx and INC Ransom topped ransomware activity in early January 2026, with Qilin remaining the single most active actor over the past year. Manufacturing again tops the target list, joined by critical infrastructure, supply-chain vendors and mid-market enterprises. Recent campaigns feature much shorter intrusion-to-encryption windows, routine double-extortion data theft backed by public leak sites, opportunistic exploitation of exposed RDP and unpatched edge appliances, growing use of affiliate models and commodity tooling to scale operations, and tighter ransom demands with accelerated negotiation timelines.
Victim Sector
| Sector | Percentage | Last Period (rank) | Movement |
|---|---|---|---|
| Manufacturing | 21.71% | 4 | 4 -> 1 |
| Retail | 13.82% | 5 | 5 -> 2 |
| Construction | 13.16% | 1 | 1 -> 3 |
| Financial services | 10.86% | 2 | 2 -> 4 |
| Technology | 7.89% | 3 | 3 -> 5 |
Victim Location
| Country | Percentage | Last Period (rank) | Movement |
|---|---|---|---|
| USA | 56.25% | 1 | Unchanged |
| Canada | 4.61% | 2 | Unchanged |
| UK | 3.29% | 4 | 4 -> 3 |
| Italy | 3.29% | New | New entry |
| Germany | 2.96% | 5 | Unchanged |
Victim Org Size
| Size | Percentage | Last Period | Change (percentage points) |
|---|---|---|---|
| Small Business (500 or fewer employees) | 80.79% | 81.37% | −0.58 |
| Mid-Market (501-5,000 employees) | 15.89% | 15.20% | +0.69 |
| Large Enterprise (5,000+ employees) | 3.31% | 3.43% | −0.12 |
Trending Adversaries
Trending adversaries, namely APT41, Black Axe, Kimsuky, UAT-7290, UNC3886 and Zestix, are converging on the same playbook: phishing and supply-chain lures, third-party compromise, living-off-the-land (LOTL) tooling, modular implants and stealthy C2 (proxying and FakeTLS) to harvest credentials, move laterally and quietly exfiltrate high-value data. APT41 is the standout risk for its scale and its dual espionage/crime tradecraft. Defenders should patch fast, enforce MFA and credential rotation, segment networks, tune EDR for LOTL behaviors and proactively hunt anomalous admin and proxy traffic.
- APT41
- Black Axe
- Kimsuky
- UAT-7290
- UNC3886
- Zestix
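The "tune EDR for LOTL behaviors" advice above, in working form: an added example that is not part of the original brief. It runs three hunting rules over process-creation telemetry: a Windows script host executing a script from a user-writable path and then spawning PowerShell (the chain the Trending Malware table below attributes to Gootloader), shadow-copy deletion, and scheduled-task creation whose action points into a user-writable path (the persistence and anti-recovery steps the table attributes to Ripper). The events are constructed to resemble Sysmon Event ID 1 or an EDR equivalent; the field names, paths, flag patterns and the base64 placeholder are assumptions, not indicators from the brief.

```python
"""Hunt living-off-the-land process chains in process-creation telemetry."""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Locations an unprivileged user can write to, where a ZIP-delivered script lands.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData)\\|\\Temp\\", re.I)
ENCODED_FLAG = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.I)
HIDDEN_FLAG = re.compile(r"(^|\s)-(w|window|windowstyle)\s+hidden", re.I)
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|win32_shadowcopy.*\bdelete\b", re.I)
TASK_ACTION = re.compile(r"/tr\s+\"?([^\"]+)", re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    severity: str


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def script_host_to_powershell(ev, by_pid):
    """Script host running a script from a user-writable path spawns PowerShell.
    A hidden window or an encoded command on the child raises the severity."""
    if _base(ev.image) != "powershell.exe":
        return None
    parent = by_pid.get(ev.ppid)
    if parent is None or _base(parent.image) not in SCRIPT_HOSTS:
        return None
    if not USER_WRITABLE.search(parent.cmdline):
        return None
    covert = ENCODED_FLAG.search(ev.cmdline) or HIDDEN_FLAG.search(ev.cmdline)
    return Finding("script_host_to_powershell", ev.pid, "high" if covert else "medium")


def shadow_copy_deletion(ev, by_pid):
    """Shadow-copy deletion via vssadmin, wmic or WMI from PowerShell."""
    if _base(ev.image) not in {"vssadmin.exe", "wmic.exe", "powershell.exe"}:
        return None
    if not SHADOW_DELETE.search(ev.cmdline):
        return None
    return Finding("shadow_copy_deletion", ev.pid, "high")


def persistence_task_from_script(ev, by_pid):
    """schtasks /create from a script host or PowerShell whose task action lives
    in a user-writable path. Tasks pointing under Program Files are left alone."""
    if _base(ev.image) != "schtasks.exe" or "/create" not in ev.cmdline.lower():
        return None
    parent = by_pid.get(ev.ppid)
    if parent is None or _base(parent.image) not in SCRIPT_HOSTS | {"powershell.exe"}:
        return None
    m = TASK_ACTION.search(ev.cmdline)
    if not m or not USER_WRITABLE.search(m.group(1)):
        return None
    return Finding("persistence_task_from_script", ev.pid, "high")


RULES = (script_host_to_powershell, shadow_copy_deletion, persistence_task_from_script)


def hunt(events):
    """Run every rule over every event; parent lookups go through a pid index."""
    by_pid = {ev.pid: ev for ev in events}
    findings = []
    for ev in events:
        for rule in RULES:
            f = rule(ev, by_pid)
            if f is not None:
                findings.append(f)
    return sorted(findings, key=lambda f: f.pid)


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SYS32 = r"C:\Windows\System32"
# Constructed events (not real telemetry): one script-host chain, one shadow-copy
# wipe, one persistence task, and two benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, SYS32 + r"\wscript.exe",
              r'wscript.exe "C:\Users\alice\Downloads\agreement\agreement.js"'),
    ProcEvent(300, 200, PS, "powershell.exe -w hidden -nop -enc QUFBQQ=="),  # placeholder base64
    ProcEvent(500, 1, SYS32 + r"\cmd.exe", "cmd.exe"),
    ProcEvent(400, 500, SYS32 + r"\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(600, 300, SYS32 + r"\schtasks.exe",
              r'schtasks.exe /create /tn Updater /sc onlogon /tr "C:\Users\alice\AppData\Roaming\upd.exe"'),
    ProcEvent(700, 100, PS, "powershell.exe -NoProfile"),  # benign: launched from Explorer
    ProcEvent(800, 700, SYS32 + r"\schtasks.exe",
              r'schtasks.exe /create /tn Backup /sc daily /tr "C:\Program Files\Backup\run.exe"'),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.rule:30} pid={f.pid}")
```

The parent check is what keeps the first rule quiet on ordinary admin PowerShell use: the script host must itself have been launched with a script argument under Downloads, AppData or Temp. Against the sample set the three malicious events fire and the two benign ones do not.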
Trending & Actively Exploited Vulnerabilities
Active exploits in early January 2026 span a broad stack: Windows (CVE-2026-20805), Office (CVE-2009-0556), PAN-OS/Prisma Access, FortiSIEM, Trend Micro Apex Central, HPE OneView, D-Link DSL routers, n8n, Gogs and jsPDF. Attackers are chaining appliance and router flaws with web-application and document exploits to gain footholds and move laterally. Defenders should patch and update firmware and EDR content now, segment and isolate exposed systems, tighten IDS/IPS rules (watch for FakeTLS and other outbound TLS look-alike traffic), rotate credentials, hunt for IOCs and monitor administrative activity.
| CVE | Vendor | Product |
|---|---|---|
| CVE-2025-69258 | Trend Micro | Apex Central |
| CVE-2026-0625 | D-Link | DSL Gateway Routers |
| CVE-2025-64155 | Fortinet | FortiSIEM |
| CVE-2025-8110 | Gogs | Gogs |
| CVE-2025-68428 | Parallax | jsPDF |
| CVE-2026-21858 | n8n.io | n8n |
| CVE-2009-0556 | Microsoft | Office |
| CVE-2025-37164 | Hewlett Packard Enterprise (HPE) | OneView |
| CVE-2026-0227 | Palo Alto | PAN-OS and Prisma Access |
| CVE-2026-20805 | Microsoft | Windows |
Trending Malware
| Trending Malware | Description |
|---|---|
| Gootloader | Gootloader is a JScript‑based malware that tricks users through SEO‑poisoned search results and compromised websites offering fake legal or financial documents. When someone downloads the ZIP file it presents, the malware checks whether the system is part of an Active Directory domain and then launches multiple stages of JScript and PowerShell payloads. Those payloads can ultimately deploy tools like Cobalt Strike or even ransomware. Because it targets anyone searching for common terms like “contract” or “agreement,” it’s an opportunistic threat that can hit any organization. If it isn’t removed quickly, it can escalate into major data theft or full‑scale ransomware incidents. |
| Kimwolf | Kimwolf is a fast‑growing botnet that spreads by abusing residential proxy networks, turning everyday consumer devices into entry points for large‑scale attacks. It bypasses proxy restrictions by manipulating DNS records to access internal IP addresses, then uses unsecured Android Debug Bridge ports on devices like cheap Android TV boxes to gain full control. Once inside a home network, it moves laterally and installs malware across multiple devices, enabling DDoS attacks, ad fraud, account takeovers, and large‑scale data scraping. The real risk is that a single exposed device can quietly give attackers a foothold into millions of networks, amplifying the impact far beyond the initial infection. |
| Ripper Ransomware | Ripper is a Windows‑focused ransomware strain that encrypts a wide range of files using RSA and AES, renames them with a .ripper12 extension, and drops a ransom note demanding payment. It also changes the victim’s desktop wallpaper, deletes shadow copies to block easy recovery, and sets up scheduled tasks so it can relaunch even after a reboot. The operators claim to steal data before encryption and threaten to leak or sell it if the victim doesn’t engage within 72 hours. Because it combines encryption, persistence, and data‑extortion tactics, Ripper can quickly escalate into a major business‑disrupting incident if not contained early. |
| Sicarii | Sicarii is a new ransomware‑as‑a‑service threat, claiming Israeli affiliation, that targets exposed RDP services and vulnerable devices, using geo‑fencing and anti‑analysis checks to avoid detection. Once inside a network, it steals credentials and sensitive data before encrypting files with a .sicarii extension. It also deploys destructive scripts that corrupt bootloader files, making recovery much harder. The risk is significant because Sicarii blends data theft, lateral movement, and system‑breaking behavior, turning a single intrusion into a major outage. |
| VoidLink | VoidLink is a highly advanced, cloud‑native Linux malware framework built to maintain long‑term, stealthy access across modern cloud and container environments. It adapts to its surroundings by detecting whether it’s running in AWS, Azure, GCP, Docker, or Kubernetes, then loads custom plugins for credential theft, lateral movement, persistence, and rootkit‑level hiding. Its modular design—over 30 plugins plus a full operator dashboard—lets attackers tailor capabilities on the fly, much like a cloud‑era equivalent of Cobalt Strike. The real risk is that VoidLink can quietly blend into legitimate cloud operations, evade monitoring, and turn any compromised Linux system into a launchpad for deeper cloud, container, or supply‑chain attacks. |
| VVS Stealer | VVS Stealer is a Python‑based info‑stealing malware that targets Discord users by grabbing their tokens, account details, and browser data. It hides behind heavy PyArmor obfuscation, making it harder for security tools to detect or analyze, and it can hijack active Discord sessions by injecting malicious JavaScript into the app. The stealer also collects browser passwords, cookies, and autofill data, then quietly exfiltrates everything through attacker‑controlled webhooks. Because it installs itself for persistence and displays fake error messages to distract victims, it can continue harvesting sensitive data long after the initial infection. A single compromise can lead to full account takeover, credential theft, and broader identity abuse across multiple platforms. |
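The Kimwolf entry above describes steering a proxied request onto an internal address. As an added example, not from the brief or from any Kimwolf analysis, here is the destination vetting an egress or residential-proxy node needs so that a request cannot be pointed at the node's own LAN: resolve once, refuse any non-public answer, and dial the address that was vetted rather than resolving a second time. The resolver is scripted so the rebinding sequence (a public answer first, a LAN answer on the next query) replays offline; the hostnames, the addresses and the use of port 5555 (ADB) in the sample are constructed. The vulnerable variant that resolves twice is shown beside the pinned one.

```python
"""Egress destination vetting: resolve once, reject non-public answers, pin the address."""
import ipaddress


def is_internal(addr: str) -> bool:
    """True for any address an egress proxy must never dial on a client's behalf:
    RFC 1918, loopback, link-local, CGNAT (100.64/10), multicast, reserved,
    unspecified, and the IPv4-mapped IPv6 spellings of the same."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:192.168.1.20 is still 192.168.1.20
    return (not ip.is_global) or ip.is_multicast or ip.is_reserved or ip.is_unspecified


def resolve_and_vet(host: str, resolver) -> list:
    """Resolve once and vet every answer. A mixed answer set is rejected outright,
    because a client that retries across answers would eventually hit the bad one."""
    try:
        ipaddress.ip_address(host)
        addrs = [host]               # IP literal: nothing to resolve
    except ValueError:
        addrs = list(resolver(host))
    if not addrs:
        raise LookupError(f"no addresses for {host}")
    internal = [a for a in addrs if is_internal(a)]
    if internal:
        raise PermissionError(f"{host} resolves to non-public address(es): {internal}")
    return addrs


def is_allowed_destination(host: str, resolver) -> bool:
    try:
        resolve_and_vet(host, resolver)
        return True
    except (PermissionError, LookupError):
        return False


def connect_pinned(host: str, port: int, resolver, connector):
    """Hardened path: the socket is opened to the very address that was vetted."""
    addrs = resolve_and_vet(host, resolver)
    return connector(addrs[0], port)


def connect_naive(host: str, port: int, resolver, connector):
    """Vulnerable path: vet one lookup, then let the connect step resolve again.
    A rebinding resolver answers the first query with a public IP and the second
    with a LAN one, so the check passes and the LAN device gets dialled."""
    resolve_and_vet(host, resolver)
    return connector(resolver(host)[0], port)


class ScriptedResolver:
    """Stand-in for DNS (no network): each host maps to a list of successive
    answers; the last answer repeats once the script runs out."""

    def __init__(self, script):
        self._script = {h: list(answers) for h, answers in script.items()}

    def __call__(self, host):
        answers = self._script.get(host, [])
        if not answers:
            return []
        return answers.pop(0) if len(answers) > 1 else answers[0]


def record_connector(ip, port):
    """Test double for socket.create_connection: returns what would be dialled."""
    return (ip, port)


# Constructed DNS script. 8.8.8.8 stands in for any ordinary public address.
REBIND_SCRIPT = {
    "cdn.example": [["8.8.8.8"]],                        # honest host
    "adb.example": [["192.168.1.20"]],                   # points straight at a LAN device
    "rebind.example": [["8.8.8.8"], ["192.168.1.20"]],   # passes the check, then flips
}

if __name__ == "__main__":
    naive = connect_naive("rebind.example", 5555, ScriptedResolver(REBIND_SCRIPT), record_connector)
    pinned = connect_pinned("rebind.example", 5555, ScriptedResolver(REBIND_SCRIPT), record_connector)
    print("naive dials", naive)    # the LAN address, despite the check
    print("pinned dials", pinned)  # the vetted public address
```

The point of the comparison is that a destination allow-check alone is not enough: the answer that was checked has to be the one that gets connected to, or the attacker simply makes the second lookup return something different. Blocking port 5555 would stop this particular abuse but not the next one; validating the address family and scope stops the class.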
Top News
- BreachForums hacking forum database leaked, exposing 324,000 accounts
- Cloud file-sharing sites targeted for corporate data theft attacks
- Hackers target misconfigured proxies to access paid LLM services
- Max severity Ni8mare flaw impacts nearly 60,000 n8n instances
- Microsoft disrupts massive RedVDS cybercrime virtual desktop service
- Spain arrests 34 suspects linked to Black Axe cyber crime
- Taiwan says China's attacks on its energy sector increased tenfold
- Trust Wallet links $8.5 million crypto theft to Shai-Hulud NPM attack; several other crypto thefts traced to 2022 LastPass breach
Contributors
Written by Jeremy Nichols, former Director Of The Global Threat Intelligence Center
Executive Summaries & Adversary Bios by Geoff Rehmet, Cybersecurity Architect
Produced & Distributed By Phish Tank Digital