In today’s cybersecurity news…
UK and China try to ease cyberattack tensions
Bloomberg’s sources say the UK and Chinese governments created a forum called Cyber Dialogue to discuss allegations of cyberattacks, believed to be the first of its kind with China. This will provide a single mechanism for senior-level discussions of cyber incidents directly, rather than working through back channels or more diffuse methods. Sources previously reported on Chinese threat actors infiltrating UK government servers and critical infrastructure for over a decade. This comes as China is in the midst of negotiations to build a new “super-embassy” in London, and as the UK government announced a total reset in its national cybersecurity policy.
Iranian state TV hijacked
Multiple media reports claim that Iranian state TV was temporarily interrupted on January 18th. The impacted channels are transmitted via the Badr satellite, which delivers content to provincial stations. They began broadcasting messages urging protesters to continue their demonstrations, along with a call from Reza Pahlavi, the son of the last shah of Iran. While the hijack only lasted about 10 minutes, it comes as Iran continues to impose a two-week near-total shutdown of the internet and mobile phones in the country.
AI-generated malware touches the Void…link
Last week, we covered an advanced Linux malware framework called VoidLink, which offers some sophisticated cloud-focused tooling like custom loaders, rootkits, and modules for evasion across cloud providers. Initially, researchers at Check Point believed it was the work of Chinese developers due to its sophistication. However, in a follow-up report, they now say it shows “clear evidence that the malware was produced predominantly through AI-driven development,” believed to be the work of a single person iterating on it for about a week. That’s because the dev accidentally exposed source code, documentation, and internal product structure in an open directory on their server. It shows development starting in November 2025, using an AI assistant in the IDE TRAE. The developer initially used the AI to generate a multi-team development plan, which served as a roadmap for subsequent development. The AI initially estimated this would take 16-30 weeks for a human team, but timestamps show VoidLink functional by early December 2025.
Telegram fraud front shuts down
The blockchain analytics company Elliptic disclosed that the scam marketplace Tudou Guarantee will shutter its operations on Telegram. Since launching in 2023, Tudou Guarantee processed an estimated $12 billion in transactions and has become a staple of the Southeast Asian scam economy. It provided crypto money laundering services, served as a PII clearinghouse, and provided fraud-as-a-service infrastructure. The move comes after the US and UK imposed sanctions on the operation, designating it a “transnational criminal organization.” It’s unclear if the group is shuttering all operations, as Elliptic found its gambling business still up and running.
Huge thanks to our sponsor, Dropzone AI

The alert fires. Within minutes, not hours, their AI SOC agents have already correlated logs across your entire security stack, built a complete evidence chain, and delivered a verdict. False positive, or escalate immediately.
Your analyst wakes up to answers, not a queue. That’s autonomous investigation at enterprise scale.
Experience it for yourself at dropzone.ai.
Flaws found in Anthropic Git server
Researchers at Cyata disclosed three vulnerabilities in Anthropic’s Git Model Context Protocol (MCP) server, which provides tools for accessing Git repos via LLMs. The researchers discovered two path traversal vulnerabilities and one argument injection vulnerability that could be chained to turn any system directory into a Git repository, opening the door to remote code execution through a prompt injection. In response, Anthropic removed the git_init tool from the package and added additional validation against path-traversal primitives.
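As an added illustration of the two bug classes in that chain (this is example code, not Anthropic’s mcp-server-git code), here are the two input guards an MCP git tool can apply before it touches the filesystem or spawns git: confining model-supplied paths to an allowed root, and refusing option-looking values so they can only ever reach git as pathspecs. The function names, the `--` separator convention and the `classify_requests` batch helper are all assumptions of this example.

```python
# Added example (not Anthropic's mcp-server-git code): two input guards an MCP
# git tool can apply before touching the filesystem or spawning git.
import os
from pathlib import Path


class UnsafeToolInput(ValueError):
    """Raised when a tool argument would escape the allowed root or smuggle a git option."""


def resolve_repo_path(allowed_root: str, requested: str) -> Path:
    """Resolve `requested` under `allowed_root`, rejecting anything that lands outside it.

    Both sides are resolved to real paths first, so '../' segments, absolute
    paths and symlinks that point outside the root all fail the same check.
    """
    root = Path(allowed_root).resolve()
    candidate = (root / requested).resolve()  # an absolute `requested` replaces root here
    try:
        inside = os.path.commonpath([str(root), str(candidate)]) == str(root)
    except ValueError:  # different drives on Windows: cannot be inside the root
        inside = False
    if not inside:
        raise UnsafeToolInput(f"{requested!r} resolves outside {root}")
    return candidate


def build_git_argv(repo: "Path | str", subcommand: str, pathspecs: list[str]) -> list[str]:
    """Build a git argv in which model-supplied values can only ever be pathspecs.

    `subcommand` is chosen by the tool, never by the model. Values starting
    with '-' are refused outright, and the explicit '--' separator stops git
    from reading anything after it as an option.
    """
    for value in pathspecs:
        if value.startswith("-"):
            raise UnsafeToolInput(f"{value!r} looks like a git option, not a path")
    return ["git", "-C", str(repo), subcommand, "--", *pathspecs]


def classify_requests(allowed_root: str, requests: list[str]) -> dict[str, bool]:
    """Return {request: True if accepted, False if rejected} for a batch of paths."""
    verdicts = {}
    for req in requests:
        try:
            resolve_repo_path(allowed_root, req)
            verdicts[req] = True
        except UnsafeToolInput:
            verdicts[req] = False
    return verdicts
```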
Pen testing tools used in LinkedIn phishing
Researchers at ReliaQuest detailed a phishing campaign that targeted “high-value individuals” on LinkedIn. The attackers used industry-related lures to establish trust, first gaining a connection with the target and then sending direct messages. From there, they sent a carefully named malicious WinRAR archive that extracts a legitimate PDF reader and a malicious DLL. This is all pretty standard stuff, but the researchers noted that the campaign used an open-source Python pen-testing script with a registry Run key to achieve persistence on systems, something they hadn’t observed in other attacks.
UK’s “Report Fraud” service does what it says on the tin
The City of London Police formally launched the Report Fraud service, which provides a single reporting portal for fraud and cybercrime across the UK. This follows a soft launch of the service late last year. Unlike its predecessor, Action Fraud, Report Fraud will actively keep people who report scams in the loop as an investigation progresses, and it is built on top of a new real-time analytics platform that will integrate with telco operators to actively disrupt malicious activity. The UK’s minister for tackling fraud, Lord Hanson, said the government planned to follow this with the launch of its new fraud strategy next month.
Fake ad-blocker leads to real ClickFix attacks
A browser extension causing a crash usually isn’t a feature, but it is in the case of NextShield. Available for Chrome and Edge, it was listed as being created by uBlock Origin creator Raymond Hill to give it added credibility. This supposed ad-blocker intentionally creates a denial-of-service condition by exhausting memory, causing the browser to hang or crash. Upon restart, the extension shows a pop-up suggesting a system scan to solve the issue. This scan, of course, reveals a security issue, which conveniently requires the user to enter a series of commands in the Windows command prompt; those commands actually execute a malicious script. The extension waits on a 60-day timer to help avoid suspicion, and downloads a more specialized ModeloRAT payload if it detects it’s on a corporate network. The extension is no longer available on the Chrome Web Store.