News Week: January 19th to January 25th, 2026

January 26, 2026

Spear-phishing via advertising infrastructure

A recently uncovered spear-phishing operation shows how attackers abuse online advertising mechanisms to deliver advanced malware. In the campaign, tracked as Operation Poseidon, carefully crafted phishing emails send victims through legitimate Google Ads tracking domains before redirecting them to compromised websites hosting malicious payloads. By embedding the harmful destination in the URL parameters of a trusted advertising domain, the attackers reduce suspicion and bypass common email security controls, which see only a reputable advertising host. The activity has been attributed to the Konni APT group, which primarily targets South Korean organizations using socially engineered lures disguised as financial or official documents. Once opened, the compressed archives trigger shortcut (LNK)-based execution chains that ultimately load the EndRAT remote access trojan directly into memory. This approach avoids traditional file-based detection and lets the attackers maintain stealthy persistence while rapidly rotating infrastructure across hacked WordPress sites.
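The redirect trick described above only works because scanners look at the visible host. A practical countermeasure is to unwrap the embedded destination before judging the link. The following is an added example (not code from the article or from any vendor): it follows redirect-carrying query parameters to the final landing host. The parameter names (`adurl`, `url`, and so on) and the tracker host list are assumptions based on common click-tracker patterns; the article does not state which parameter the campaign used. Sample URLs are constructed.

```python
"""Unwrap redirect destinations hidden in ad-tracking URLs (added example)."""
from urllib.parse import urlparse, parse_qs

# Assumption: common Google Ads click-tracking hosts; extend for your environment.
AD_TRACKER_HOSTS = {
    "www.googleadservices.com",
    "googleadservices.com",
    "ad.doubleclick.net",
}
# Assumption: query parameters commonly used to carry a redirect target.
REDIRECT_PARAMS = ("adurl", "url", "dest", "redirect", "u")


def unwrap_redirects(url: str, max_depth: int = 5) -> list[str]:
    """Follow redirect parameters nested inside the URL, returning the chain.

    parse_qs percent-decodes each value once, so a single-encoded inner URL
    comes back intact with its own query string; a double-encoded second hop
    is handled on the next iteration.
    """
    chain = [url]
    current = url
    for _ in range(max_depth):
        params = parse_qs(urlparse(current).query)
        nxt = None
        for name in REDIRECT_PARAMS:
            values = params.get(name)
            if values and values[0].lower().startswith(("http://", "https://")):
                nxt = values[0]
                break
        if nxt is None:
            break
        chain.append(nxt)
        current = nxt
    return chain


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def assess(url: str) -> dict:
    """Flag a link whose visible host is an ad tracker but whose true
    destination is somewhere else entirely."""
    chain = unwrap_redirects(url)
    first, last = host_of(chain[0]), host_of(chain[-1])
    suspicious = first in AD_TRACKER_HOSTS and len(chain) > 1 and last != first
    return {"chain": chain, "final_host": last, "suspicious": suspicious}


# Constructed sample links (not real campaign indicators).
SAMPLE_URLS = [
    "https://www.googleadservices.com/pagead/aclk?sa=L&ai=abc"
    "&adurl=https%3A%2F%2Fcompromised-blog.example%2Fwp-content%2Finvoice.zip",
    # two hops: tracker -> intermediate redirector -> payload host
    "https://www.googleadservices.com/pagead/aclk?sa=L"
    "&adurl=https%3A%2F%2Ft.example%2Fr%3Furl%3Dhttps%253A%252F%252Fevil.example%252Fa.zip",
    "https://www.googleadservices.com/pagead/aclk?sa=L&ai=abc",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = assess(u)
        print(("SUSPICIOUS " if r["suspicious"] else "ok         "), r["final_host"], "<-", " -> ".join(r["chain"]))
```

Run the final host, not the tracker host, through reputation and sandboxing; a link whose chain ends on a site unrelated to the advertiser is the case worth blocking.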

Stealthy backdoor deployed during ransomware intrusion

A ransomware incident at a major financial institution has revealed a previously undocumented Windows backdoor designed for covert, long-term access. The malware, named PDFSider, was uncovered during forensic analysis and appears to function as an initial foothold for broader compromise. The intrusion relied heavily on social engineering, with attackers impersonating IT staff and convincing employees to install Microsoft Quick Assist, a legitimate remote-support tool. Once access was established, PDFSider was delivered via phishing emails containing ZIP archives that abused DLL side-loading through a signed PDF24 Creator application. The backdoor operates largely in memory, gathers system fingerprints, and communicates with attacker infrastructure using encrypted DNS traffic. While PDFSider has been linked to campaigns involving the Qilin ransomware, researchers note that its adoption is spreading across multiple threat actors, highlighting its value for persistent, low-noise access within high-value networks.
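Both the Konni campaign (ZIP archives carrying shortcut-based execution chains) and the PDFSider delivery (ZIP archives pairing a signed executable with a malicious DLL for side-loading) arrive as e-mailed archives, so a single triage step at the mail gateway covers both. The following is an added example, not code from the article or from any of the vendors it cites: it inspects the member list of a ZIP for shortcut files, script files, double extensions, and EXE-plus-DLL bundles in one folder. The archives and file names below are constructed for illustration; the page does not name the DLL used.

```python
"""Triage e-mailed ZIP archives for LNK chains and DLL side-loading bundles."""
import io
import posixpath
import zipfile
from collections import defaultdict

LNK_EXT = ".lnk"
EXEC_EXTS = {".exe", ".com", ".scr"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".ps1", ".bat", ".cmd", ".hta", ".wsf"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def triage_zip(data: bytes) -> dict:
    """Return member names, human-readable findings and an overall verdict."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]

    findings = []
    by_dir: dict[str, list[str]] = defaultdict(list)
    for name in names:
        directory, base = posixpath.split(name.lower())
        by_dir[directory].append(base)
        stem, ext = posixpath.splitext(base)
        if ext == LNK_EXT:
            findings.append(f"shortcut file: {name}")
        elif ext in SCRIPT_EXTS:
            findings.append(f"script file: {name}")
        # e.g. Invoice.pdf.lnk or Statement.docx.exe
        if posixpath.splitext(stem)[1] in DOCUMENT_EXTS and ext in EXEC_EXTS | SCRIPT_EXTS | {LNK_EXT}:
            findings.append(f"double extension: {name}")

    # Side-loading candidate: an executable shipped with DLLs in the same folder.
    for directory, files in by_dir.items():
        exes = [f for f in files if posixpath.splitext(f)[1] in EXEC_EXTS]
        dlls = [f for f in files if f.endswith(".dll")]
        if exes and dlls:
            findings.append(f"side-loading candidate in '{directory or '.'}': {exes} with {dlls}")

    return {"members": names, "findings": findings, "suspicious": bool(findings)}


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (contents are placeholders, not real malware).
SAMPLE_LNK_ARCHIVE = build_zip({
    "Payment_Notice_2026.pdf.lnk": b"L\x00\x00\x00placeholder",
    "docs/readme.txt": b"please open the attached notice",
})
SAMPLE_SIDELOAD_ARCHIVE = build_zip({
    # stands in for a legitimately signed installer; the DLL name is invented
    "PDF24/PDF24Creator.exe": b"MZplaceholder",
    "PDF24/helper.dll": b"MZplaceholder",
})
SAMPLE_BENIGN_ARCHIVE = build_zip({
    "report/Q4_summary.pdf": b"%PDF-1.7 placeholder",
    "report/notes.txt": b"nothing to see",
})

if __name__ == "__main__":
    for label, blob in [("lnk", SAMPLE_LNK_ARCHIVE), ("sideload", SAMPLE_SIDELOAD_ARCHIVE), ("benign", SAMPLE_BENIGN_ARCHIVE)]:
        result = triage_zip(blob)
        print(label, "->", "SUSPICIOUS" if result["suspicious"] else "clean", result["findings"])
```

The EXE-plus-DLL heuristic is deliberately broad: legitimate portable software also ships that way, so treat a hit as a reason to detonate or hold the archive, not as a block on its own. Signature verification of the DLL (which the signed host binary would normally not perform) is the decisive follow-up check on the endpoint.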

Backdoor targeting virtualized infrastructure

A recent malware analysis published by CISA details an advanced backdoor designed to operate deep inside virtualized enterprise environments. The threat, tracked as BRICKSTORM, specifically targets VMware vSphere components such as vCenter servers and ESXi hosts, allowing attackers to retain covert, long-term access. Active since at least 2024, the malware was observed during an extended intrusion in which adversaries quietly expanded control, accessed domain controllers, and extracted sensitive cryptographic material from identity infrastructure. BRICKSTORM is engineered for persistence, reinstalling itself automatically if disrupted and remaining largely invisible to traditional monitoring tools. Multiple variants have been identified, built in both Go and Rust, highlighting ongoing development. Its ability to blend encrypted command-and-control traffic into normal DNS-over-HTTPS activity makes BRICKSTORM particularly effective at evading detection while enabling data theft and lateral movement.
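Blending command-and-control into DNS-over-HTTPS defeats payload inspection, but it does not change who is talking. vCenter and ESXi hosts resolve names through their configured DNS servers on port 53; an HTTPS session from one of them to a public DoH resolver is anomalous whatever it carries. The following is an added example, not part of the CISA analysis: it scans flow records for DoH sessions originating from an inventory of virtualization hosts. The resolver list is a small subset of real public DoH services; the host inventory, flow records and volume threshold are constructed assumptions.

```python
"""Flag DNS-over-HTTPS sessions from virtualization infrastructure (added example)."""
import csv
import io

# Real public DoH endpoints (subset); extend with the resolvers you see in the wild.
DOH_RESOLVER_HOSTS = {
    "dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com",
    "dns.quad9.net", "doh.opendns.com",
}
DOH_RESOLVER_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9", "149.112.112.112"}

# Assumption: constructed inventory of hosts that must only use internal DNS.
INFRA_HOSTS = {"10.10.1.5": "vcenter01", "10.10.1.21": "esxi-a01", "10.10.1.22": "esxi-a02"}

# Assumption: a genuine DoH lookup is a few hundred bytes; sustained kilobytes
# outbound over a resolver session is more consistent with tunnelling.
HIGH_VOLUME_BYTES = 4096

# Constructed flow export (ts, source, destination, dest port, TLS SNI, bytes out).
FLOWS_CSV = """ts,src,dst,dport,sni,bytes_out
2026-01-20T03:14:01Z,10.10.1.21,8.8.8.8,443,dns.google,18240
2026-01-20T03:14:05Z,10.10.1.21,10.10.0.53,53,,212
2026-01-20T03:15:11Z,10.10.1.5,1.1.1.1,443,cloudflare-dns.com,9732
2026-01-20T03:16:40Z,10.10.5.77,1.1.1.1,443,cloudflare-dns.com,1520
2026-01-20T03:17:02Z,10.10.1.22,203.0.113.10,443,updates.example,4096
"""


def is_doh(dst: str, dport: int, sni: str) -> bool:
    """DoH is HTTPS to a known resolver, identified by SNI or by destination IP."""
    return dport == 443 and (dst in DOH_RESOLVER_IPS or sni.lower() in DOH_RESOLVER_HOSTS)


def find_infra_doh(csv_text: str) -> list[dict]:
    """Return one alert per DoH session whose source is an infrastructure host."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        src = row["src"]
        if src not in INFRA_HOSTS:
            continue  # workstations using DoH are a policy matter, not this detection
        if not is_doh(row["dst"], int(row["dport"]), row["sni"]):
            continue
        bytes_out = int(row["bytes_out"])
        alerts.append({
            "ts": row["ts"],
            "host": INFRA_HOSTS[src],
            "src": src,
            "resolver": row["sni"] or row["dst"],
            "bytes_out": bytes_out,
            "high_volume": bytes_out > HIGH_VOLUME_BYTES,
        })
    return alerts


if __name__ == "__main__":
    for a in find_infra_doh(FLOWS_CSV):
        flag = "HIGH-VOLUME " if a["high_volume"] else ""
        print(f"{a['ts']} {a['host']} ({a['src']}) -> {a['resolver']} {a['bytes_out']}B {flag}")
```

The check is resolver-agnostic by design: it does not need a BRICKSTORM sample or C2 domain, only the invariant that management-plane hosts never need third-party DoH. Pair it with an egress rule that denies port 443 from ESXi/vCenter to anything outside the vendor update endpoints, so the alert becomes a blocked connection.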

Leaked panel reveals ongoing ransomware operations

Newly exposed materials from the LockBit 5.0 affiliate panel provide rare insight into how a major ransomware-as-a-service (RaaS) operation continues to function despite sustained law-enforcement pressure. The leaked dashboard shows a mature backend used by affiliates to manage campaigns, negotiate payments, and coordinate attacks at scale, indicating that LockBit’s core workflows remain largely unchanged. While cosmetic updates suggest active maintenance, the bigger development is the release of four new encryption variants: LB_Black_14_01_2026 for Windows environments, LB_Linux_14_01_2026 targeting Linux systems, LB_ESXi_14_01_2026 aimed at VMware ESXi, and the specialized LB_ChuongDong_14_01_2026 variant. This multi-platform expansion underscores how the RaaS model enables rapid adaptation across diverse infrastructures. Despite waning trust among affiliates, LockBit leadership appears focused on maintaining operational reach rather than restructuring its ecosystem.

BYOVD-driven ransomware highlights shifting threat landscape

A newly identified ransomware strain named Osiris illustrates how attackers are combining bespoke drivers and familiar tooling to evade defenses. In this case, threat actors used the malicious POORTRY driver in a bring your own vulnerable driver (BYOVD) attack to disable endpoint protection before deploying Osiris, an encryption payload designed for precise control and per-file keys. Investigators observed data exfiltration via Rclone to Wasabi buckets and tooling overlaps that suggest possible links to INC ransomware. This activity emerges amid a broader ecosystem where ransomware variants such as Akira, Qilin, Play, SafePay, RansomHub, DragonForce, Rhysida, CACTUS, Makop, Lynx, 01flip, LockBit 5.0, and newer RaaS-style operations like Sicarii continue to evolve. Together, these developments show how ransomware actors are refining privilege escalation, persistence, and cross-platform targeting to maintain pressure on enterprise environments.

Conclusion

The emergence of Osiris and the broader surge in advanced ransomware activity highlight how quickly threat actors are refining their techniques, from BYOVD-based defense evasion to cross-platform targeting and data exfiltration. These developments underline the importance of rapid detection, expert response, and well-prepared recovery strategies when facing modern ransomware incidents.

As ransomware and cybersecurity specialists, we support organizations before, during, and after an attack through dedicated Ransomware Recovery Services, professional Ransomware Negotiation Services, and proactive protection via an Incident Response Retainer. If your organization needs expert help with ransomware decryption, incident containment, or long-term resilience, reach out to discuss how we can support your recovery and security goals.