Ankura CTIX FLASH Update – January 23, 2026

Malware Activity

Rising Threats of AI-Generated Malware and Stealthy Cyber AttacksRecent reports highlight a concerning trend where individual hackers are using artificial intelligence (AI) to develop sophisticated malware rapidly and with minimal resources. For example, the Linux malware framework VoidLink was almost entirely created by a single person with AI assistance in less than a week, enabling the quick production of a tool designed to secretly access cloud systems. Similarly, a new malware called PDFSider has been used in targeted attacks, employing advanced techniques to evade detection and maintain covert control over infected systems. These tools can establish hidden backdoors, support encrypted communication, and bypass traditional security defenses, making cyber threats more scalable and harder to detect. Experts warn that as AI becomes more accessible, even lone actors and smaller groups can now produce malware that rivals the capabilities of large cybercriminal organizations, posing significant challenges for cybersecurity defenses worldwide.

• BleepingComputer: VoidLink Cloud Malware Shows Clear Signs of Being AI Generated article
• TheHackerNews: VoidLink Linux Malware Framework Built article
• TheRegister: VoidLink AI Developed article
• SecurityWeek: APT Grade PDFSider Malware Used by Ransomware Groups article
• BleepingComputer: New PDFSider Windows Malware Deployed on Fortune 100 Firms Network article

---

Threat Actor Activity

North Korean Hackers, PurpleBravo, Target Global IT Supply Chains in New Phishing Campaign

The Contagious Interview campaign, tracked by Recorded Future’s Insikt Group under the alias PurpleBravo, has potentially targeted 3,136 IP addresses across sectors like AI, cryptocurrency, and IT services in regions including Europe, South Asia, and Central America. First identified in late 2023, this North Korean threat operation aims at cyber espionage and financial theft, notably utilizing malicious Microsoft Visual Studio Code projects to distribute backdoors. Recorded Future’s Insikt Group attributed PurpleBravo as being linked to deceptive LinkedIn personas and GitHub repositories delivering malware such as BeaverTail and GolangGhost, with command-and-control (C2) servers managed via Astrill VPN, where the North Korean threat actors will obfuscate their C2 traffic to appear from IP ranges coming out of China. These tactics overlap with those of a parallel campaign, Wagemole (or PurpleDelta), where North Korean IT workers seek unauthorized employment using false identities for espionage and financial gain. The campaign has seen jobseekers inadvertently executing malicious code on company devices, exposing organizations beyond individual targets. This underscores vulnerabilities in the IT software supply chain, as companies outsourcing work to these regions face significant risks of infiltration. Based on the acute supply-chain risks posed by PurpleBravo, CTIX analysts recommend organizations bolster defenses against potential data leaks to North Korean actors and train employees on relevant phishing campaigns. Follow CTIX Flash publications to stay up-to-date with the latest emerging threat actor activities and campaigns and check out our previous one-pager on past, advanced North Korean phishing campaigns: Ankura: North Korean Laptop Farm Report.

• The Hacker News: North Korean PurpleBravo Article
• Ankura: North Korean Laptop Farm Report

---

Vulnerabilities

Ongoing FortiGate SSO Exploitation Campaign Persists Despite Patching

Beginning in mid-January 2026, security researchers observed a sustained and likely automated exploitation campaign targeting FortiGate firewalls via FortiCloud SSO, characterized by unauthorized administrative logins, rapid configuration exports, and the creation of generic super-admin accounts for persistence. The campaign closely aligns with exploitation of the critical FortiCloud SSO authentication bypass vulnerability tracked as

(and the related ), originally disclosed in December 2025, with attackers leveraging crafted SAML messages to bypass authentication when SSO is enabled. Notably, follow-on reporting indicates the vulnerability can still be exploited on systems running FortiOS 7.4.9 and 7.4.10, suggesting a patch bypass or incomplete remediation, a finding reportedly acknowledged internally by Fortinet, which is planning additional FortiOS releases to fully resolve the issue. Observed intrusions consistently show malicious SSO logins (often using accounts such as “cloud-init@mail.io”) followed within seconds by configuration downloads and the creation of new administrator users, strongly indicating automation. In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added to its Known Exploited Vulnerabilities (KEV) catalog, while Shadowserver continues to track thousands of internet-exposed Fortinet devices with FortiCloud SSO enabled. Until a fully effective patch is released, CTIX analysts urge administrators and defenders to disable FortiCloud SSO where possible, restrict management interface access, monitor for suspicious SSO logins and rapid admin changes, and reset credentials on any potentially affected devices.

• Arctic Wolf:
  CVE-2025-59718
  Article
• Bleeping Computer:
  CVE-2025-59718
  Article
• CISA:
  CVE-2025-59718
  Advisory

📧 Never Miss a Briefing

Stay informed and secure. Subscribe to Ankura’s Cyber Flash Update, a bi-weekly briefing curated by our top cybersecurity experts. Receive timely insights on emerging threats, vulnerabilities and malicious actors to keep your systems secure. 

Join the Cyber Flash Update community today.

^{© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.}