Ransomware stayed hot in late January, with Cl0p jumping to the top after its huge Cleo-linked victim dump, while Qilin, Akira, Sinobi and The Gentlemen kept pressure on manufacturing and mid-market orgs. At the same time, exploitation of vCenter, SmarterMail, Zimbra, Ivanti EPMM and Fortinet gear drove a wave of opportunistic intrusions. Threat actors such as Sandworm, Konni and ShinyHunters leaned on phishing, credential theft and stealthy C2, with Sandworm remaining the most worrying because of its destructive track record.
Report Links
Download Threat Brief For January 16-31 2026
Byer-Nichols Threat Brief Podcast 16-31-2026
Ransomware Actors
| Ransomware | Share of Victims | Rank Last Period | Rank Two Periods Ago |
|---|---|---|---|
| Cl0p | 19.38% | 19 | 39 |
| Qilin | 12.33% | 1 | 1 |
| The Gentlemen | 7.93% | 8 | 11 |
| Akira | 7.05% | 2 | 5 |
| Sinobi | 6.17% | 3 | 4 |
Cl0p surged to the top in late January 2026, driven by a mass posting of victims tied to its exploitation of Cleo file-transfer software. Because those victims were published in bulk, Cl0p's share reflects leak-site cadence rather than fresh intrusions in this period. Qilin, which led the two prior periods, slipped to second while continuing its aggressive targeting of manufacturing and mid-sized enterprises. Akira and Sinobi remain active with fast encryption and double-extortion tactics, and The Gentlemen group is gaining traction through tailored phishing and data-leak threats. The shift toward faster, more surgical campaigns and tighter ransom timelines is a clear trend.
Victim Sector
| Sector | Share of Victims | Rank Last Period | Rank Movement |
|---|---|---|---|
| technology | 14.98% | 5 | 5 -> 1 |
| manufacturing | 14.10% | 1 | 1 -> 2 |
| construction | 13.44% | 3 | unchanged |
| financial-services | 12.56% | 4 | unchanged |
| retail | 12.11% | 2 | 2 -> 5 |
Victim Location
| Country | Share of Victims | Rank Last Period | Rank Movement |
|---|---|---|---|
| USA | 43.83% | 1 | unchanged |
| UK | 7.71% | 3 | 3 -> 2 |
| Canada | 6.39% | 2 | 2 -> 3 |
| Germany | 3.30% | 5 | 5 -> 4 |
| Australia | 2.64% | NEW | new entry |
Victim Org Size
| Size (employees) | Share of Victims | Last Period | Relative Change |
|---|---|---|---|
| Small Business (500 or fewer) | 84.00% | 80.79% | +3.97% |
| Mid-Market (501-5000) | 13.56% | 15.89% | -14.66% |
| Large Enterprise (5000+) | 2.44% | 3.31% | -26.29% |
Trending Adversaries
KongTuke, Konni, NoName057(16), Sandworm, ShinyHunters, and UAT-8837 are trending for their mix of espionage, hacktivism, and data theft. Most are leaning into browser-based lures, credential harvesting, and destructive payloads, often targeting government, telecom, and crypto sectors. Sandworm stands out as the most dangerous: its infrastructure attacks and wiper campaigns pose serious risks to national stability. Common threads include phishing, proxy-based C2, and modular loaders. Defenders should expect stealthy persistence and politically charged targeting.
- KongTuke
- Konni
- NoName057(16)
- Sandworm
- ShinyHunters
- UAT-8837
Trending & Actively Exploited Vulnerabilities
Late January 2026 exploitation hit a nasty mix of edge and core systems: VMware vCenter, Versa Concerto, SmarterMail (two bugs), Zimbra, Ivanti EPMM zero-day RCEs, Cisco Unified Communications Manager, Microsoft Office, GNU InetUtils, and multiple Fortinet products. The big worry is internet-facing management and mail systems being used for initial access and lateral movement. Defenders should fast-track patches and hotfixes, lock down and segment exposed services, enforce MFA on admin access, and monitor logs and IDS closely for new exploit and post-compromise activity.
| CVE | Vendor | Product |
|---|---|---|
| CVE-2024-37079 | Broadcom | VMware vCenter Server |
| CVE-2025-34026 | Versa | Concerto |
| CVE-2025-52691 | SmarterTools | SmarterMail |
| CVE-2025-68645 | Synacor | Zimbra Collaboration Suite (ZCS) |
| CVE-2026-1281 | Ivanti | Endpoint Manager Mobile (EPMM) |
| CVE-2026-20045 | Cisco | Unified Communications Manager |
| CVE-2026-21509 | Microsoft | Office |
| CVE-2026-23760 | SmarterTools | SmarterMail |
| CVE-2026-24061 | GNU | InetUtils |
| CVE-2026-24858 | Fortinet | Multiple Products |
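One way to turn the table above into a patch-priority list is to cross-check it against CISA's Known Exploited Vulnerabilities catalog, which is published as JSON with a `vulnerabilities` array whose entries carry `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate` and `knownRansomwareCampaignUse`. The script below is an added example, not code from the brief or its authors. The CVE list is transcribed from the table; the KEV excerpt is constructed for the demo and uses the real field names but placeholder dates and ransomware flags, not CISA's actual values; the run date is an assumption.

```python
"""Cross-check a threat brief's CVE list against a KEV-style catalog.

Added example (not from the brief). KEV_JSON is a CONSTRUCTED excerpt:
real CISA KEV field names, placeholder values.
"""
import json
from datetime import date

# Assumed run date for the demo (not from the brief).
REPORT_DATE = date(2026, 2, 2)

# CVE -> (vendor, product), transcribed from the brief's table.
BRIEF_CVES = {
    "CVE-2024-37079": ("Broadcom", "VMware vCenter Server"),
    "CVE-2025-34026": ("Versa", "Concerto"),
    "CVE-2025-52691": ("SmarterTools", "SmarterMail"),
    "CVE-2025-68645": ("Synacor", "Zimbra Collaboration Suite (ZCS)"),
    "CVE-2026-1281": ("Ivanti", "Endpoint Manager Mobile (EPMM)"),
    "CVE-2026-20045": ("Cisco", "Unified Communications Manager"),
    "CVE-2026-21509": ("Microsoft", "Office"),
    "CVE-2026-23760": ("SmarterTools", "SmarterMail"),
    "CVE-2026-24061": ("GNU", "InetUtils"),
    "CVE-2026-24858": ("Fortinet", "Multiple Products"),
}

# CONSTRUCTED KEV-style excerpt. Dates and ransomware flags are placeholders
# chosen for the demo; fetch the real catalog before acting on this.
KEV_JSON = """{
  "title": "constructed excerpt, not the real CISA catalog",
  "vulnerabilities": [
    {"cveID": "CVE-2024-37079", "vendorProject": "VMware", "product": "vCenter Server",
     "dateAdded": "2026-01-20", "dueDate": "2026-02-10", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-1281", "vendorProject": "Ivanti", "product": "Endpoint Manager Mobile",
     "dateAdded": "2026-01-23", "dueDate": "2026-01-30", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-24858", "vendorProject": "Fortinet", "product": "Multiple Products",
     "dateAdded": "2026-01-29", "dueDate": "2026-02-12", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-21509", "vendorProject": "Microsoft", "product": "Office",
     "dateAdded": "2026-01-27", "dueDate": "2026-02-17", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2000-0001", "vendorProject": "Example", "product": "Not in the brief",
     "dateAdded": "2026-01-01", "dueDate": "2026-01-15", "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""


def load_kev(raw_json):
    """Parse a KEV catalog and index its entries by CVE ID."""
    catalog = json.loads(raw_json)
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def days_until(due_iso, today):
    """Days until a KEV due date; negative means the deadline has passed."""
    return (date.fromisoformat(due_iso) - today).days


def triage(brief, kev, today):
    """Rank the brief's CVEs: KEV entries first, ransomware-linked first,
    soonest due first; CVEs absent from KEV keep the brief's order at the end."""
    rows = []
    for cve, (vendor, product) in brief.items():
        entry = kev.get(cve)
        row = {"cve": cve, "vendor": vendor, "product": product,
               "in_kev": entry is not None, "ransomware": False, "days_left": None}
        if entry is not None:
            row["ransomware"] = entry.get("knownRansomwareCampaignUse") == "Known"
            row["days_left"] = days_until(entry["dueDate"], today)
        rows.append(row)
    # Sort is stable, so non-KEV rows retain the brief's ordering.
    rows.sort(key=lambda r: (not r["in_kev"], not r["ransomware"],
                             r["days_left"] if r["days_left"] is not None else 10**6))
    return rows


def overdue(rows):
    """CVEs whose KEV remediation due date has already passed."""
    return [r["cve"] for r in rows if r["in_kev"] and r["days_left"] < 0]


def run(today=REPORT_DATE):
    """Build the prioritised list from the brief and the constructed excerpt."""
    return triage(BRIEF_CVES, load_kev(KEV_JSON), today)


if __name__ == "__main__":
    for r in run():
        flag = ("KEV" if r["in_kev"] else "---") + (" RANSOMWARE" if r["ransomware"] else "")
        due = "n/a" if r["days_left"] is None else f"{r['days_left']:+d}d"
        print(f"{r['cve']:<16} {r['vendor']:<13} {r['product']:<36} {flag:<16} due {due}")
```

To use this against live data, replace `KEV_JSON` with the contents of `https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json` and `REPORT_DATE` with today's date; CVEs the script places at the bottom are not absent from exploitation, only absent from the catalog, so they still warrant the exposure-based review the paragraph above describes.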
Trending Malware
| Malware | Details |
|---|---|
| Android.Click.415 | This Android malware uses AI-driven automation to perform ad-click fraud by silently opening browser windows and clicking on ads in the background. It spreads through modified mobile games and pirated streaming apps, including some found on Xiaomi's GetApps store. While it doesn't steal personal data, it drains battery life, slows devices, and generates fraudulent ad revenue at scale. |
| DynoWiper | DynoWiper is a destructive wiper attributed to Russia's Sandworm group, deployed in a failed December 2025 attack on Poland's energy sector. It overwrites files, disables boot processes, and renders systems unbootable, with no ransom demand or recovery path. Its use against critical infrastructure marks a serious escalation in state-aligned cyber sabotage. |
| GhostPoster | GhostPoster is a browser-extension malware campaign that infected over 840,000 users via Chrome, Firefox, and Edge. It hides malicious JavaScript in logo images using steganography, then hijacks affiliate links, monitors browsing, and injects invisible iframes for ad fraud. Its stealthy payload delivery and abuse of trusted extension stores make it especially dangerous. |
| Osiris | Osiris is a newly identified ransomware strain that hit a Southeast Asian food company in late 2025. It uses a "bring your own vulnerable driver" (BYOVD) technique with the POORTRY driver to disable security tools, followed by encryption and data exfiltration. Compared with older ransomware, Osiris shows more advanced operational planning and evasion tactics. |
| PDFSider | PDFSider is a stealthy Windows backdoor used by ransomware groups and APTs, deployed via DLL sideloading and social engineering. It provides encrypted command-and-control, remote shell access, and anti-analysis features, making it well suited to long-term espionage and lateral movement. It was recently used in a ransomware attack on a Fortune 100 financial firm. |
| Ploutus | Ploutus is ATM-targeting malware used in jackpotting schemes to force machines to dispense all of their cash. In late 2025, U.S. authorities linked it to the Tren de Aragua gang, which infected older ATMs across multiple states, stealing millions. It remains one of the most effective tools for physical bank heists via malware. |
Top News
- Black Basta boss makes it onto Interpol's 'Red Notice' list
- Crypto wallets received a record $158 billion in illicit funds last year
- Jordanian pleads guilty to selling access to 50 corporate networks
- Konni hackers target blockchain engineers with AI-built malware
- New ClickFix attacks abuse Windows App-V scripts to push malware
- New malware service Stanley guarantees phishing extensions on Chrome web store
- US convicts ex-Google engineer for sending AI tech data to China
- US to deport Venezuelans who emptied bank ATMs using malware
Contributors
Written by Jeremy Nichols, former Director Of The Global Threat Intelligence Center
Executive Summaries & Adversary Bios by Geoff Rehmet, Cybersecurity Architect
Produced & Distributed By Phish Tank Digital