January 20, 2026 Cyber Threat Intelligence Briefing
This week’s briefing covers:
00:00 – Intro
00:46 [PATCHING] Microsoft Patch Tuesday Addresses 112 Issues, One Zero-Day
Microsoft has fixed 112 vulnerabilities in January’s patch cycle and Microsoft Edge releases.
The patches address:
- Elevation of privilege vulnerabilities: 57
- Security feature bypass vulnerabilities: 3
- Remote code execution vulnerabilities: 22
- Information disclosure vulnerabilities: 22
- Denial of service vulnerabilities: 2
- Spoofing vulnerabilities: 5
- Edge - Chromium vulnerabilities: 1
01:44 [VULNERABILITY] CVE-2025-64155 Affecting FortiSIEM Exploited in the Wild
On January 14, 2026, Kroll Threat Intelligence released an out-of-band briefing on CVE-2025-64155, a critical vulnerability affecting FortiSIEM. Since then, reports have emerged that unknown threat actors have been observed exploiting this vulnerability against honeypot environments, consistent with the earlier assessment that scanning and exploitation were likely imminent. Organizations running FortiSIEM should confirm their exposure and apply the vendor fix as a priority.
03:24 [MALWARE] New VOIDLINK Malware Framework
Check Point Research released a write-up on a new malware framework it named VOIDLINK.
VOIDLINK is a collection of implants, rootkits and loaders targeting Linux systems, designed to maintain long-term access. It includes capabilities built to operate within cloud infrastructure.
04:52 [THREAT ACTOR] North Korean Actor KTA082 (Kimsuky) Uses QR Code Phishing to Target Government, Education and Think Tanks
KTA082 (also tracked as Kimsuky, APT43, Thallium, and Velvet Chollima) has evolved its espionage operations by adopting QR code phishing (quishing) as an initial access vector.
07:16 [MALWARE] KTA060 Develops RUSTYWATER RAT
KTA060 (aka MuddyWater), a group suspected to be affiliated with Iran, is known for phishing campaigns against diplomatic, financial and telecom entities across the Middle East. RUSTYWATER is a remote access trojan attributed to the group.
10:17 [LEAK] BreachForums User Database Leaked
On January 9, 2026, a database containing records for approximately 324,000 BreachForums users was leaked on shinyhunte[.]rs. The dataset includes display names, email addresses, Argon2i password hashes and IP addresses. Argon2i is a memory-hard hashing function, which makes bulk offline cracking expensive, but weak or reused passwords remain at risk and the email addresses and IP addresses are usable for attribution regardless.
Dive deeper:
Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/cti-spotlight-trends-report
Kroll’s Q4 2024 Cyber Threat Landscape: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/q4-2024-threat-landscape-report-phishing
Kroll’s 2025 Cyber Threat Landscape Report: Cybercrime in the Crypto Era: https://www.kroll.com/Reports/Cyber/Threat-Intelligence-Reports/Threat-Landscape-Report-Lens-on-Crypto
Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: https://www.youtube.com/playlist
Kroll Cyber Blog: https://www.kroll.com/en/insights/cyber
Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber/threat-intelligence-services
Kroll Threat Intelligence Reports: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports
Kroll Responder MDR: https://www.kroll.com/en/services/cyber/kroll-responder
#krollcyber #threatintelligence #cyberthreats