
A
From the CISO Series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Wednesday, January 21, 2026. I'm Rich Stroffolino.

UK and China try to ease cyberattack tensions
Bloomberg sources say the UK and Chinese governments created a forum called Cyber Dialogue to discuss cyberattack allegations, believed to be the first of its kind with China. This will provide a single mechanism for senior-level discussions of cyber incidents directly, rather than working through back channels or more diffuse methods. Sources previously reported on Chinese threat actors infiltrating UK government servers and critical infrastructure for over a decade. This comes as China is in the midst of negotiations to build a new "super embassy" in London and as the UK government announced a total reset of its national cybersecurity policy.

Iranian state TV hijacked
Multiple media reports claim that Iranian state TV was temporarily interrupted on January 18. Impacted channels were transmitted through the Badr satellite, which delivered content to provincial stations. Impacted channels began sending messages urging protesters to continue their demonstrations and included a call from Reza Pahlavi, the son of the last Shah of Iran. While only lasting about 10 minutes, the move comes as Iran continues to impose a two-week near-total shutdown of the Internet and mobile phones in the country.

AI-generated malware touches the VoidLink
Last week we covered an advanced Linux malware framework called VoidLink, which offers some sophisticated cloud-focused tooling like custom loaders, rootkits, and modules for evasion across cloud providers. Initially, researchers at Check Point believed this to be the work of Chinese developers due to its sophistication. However, in a follow-up report they now say it shows clear evidence that the malware was produced predominantly through AI-driven development, believed to be the work of a single person iterating on it for about a week. That's because the dev accidentally exposed source code, documentation, and internal product structure in an open directory on their server. It shows development started in November 2025 using an AI assistant in the IDE tray. This developer initially used the AI to generate a multi-team development plan, then used that as a roadmap for further work. The AI initially estimated this would take about 16 to 30 weeks for a human team, but timestamps show VoidLink functional by early December 2025.

Telegram fraud front shuts down
The blockchain analytics company Elliptic disclosed that the scam marketplace Tudou Guarantee will shutter its operation on Telegram. Since launching in 2023, Tudou Guarantee processed an estimated $12 billion in transactions and has become a staple of the Southeast Asian scam economy. It provided crypto money laundering services, served as a PII clearinghouse, and provided fraud-as-a-service infrastructure. The move comes after the US and UK imposed sanctions on the operation, designating it a transnational criminal organization. It's unclear if the group is shuttering all operations, as Elliptic found its gambling business still up and running.

And now a huge thanks to our sponsor, Dropzone AI. Remember yesterday's 2am alert? Here's how it ends differently with Dropzone AI: the alert fires within minutes, not hours. Their AI SOC agents have already correlated logs across your entire security stack, built a complete evidence chain, and delivered a verdict: false positive, or escalate immediately. Your analyst wakes up to answers, not a queue. That's autonomous investigation at enterprise scale. Experience it for yourself at Dropzone AI. That's D-R-O-P-Z-O-N-E.

Flaws found in Anthropic Git server
Researchers at Cyata disclosed three vulnerabilities in Anthropic's Git Model Context Protocol, or MCP, server. This server provides tools for accessing Git repos through LLMs. The researchers discovered two path traversal and one argument injection vulnerability that could be chained to allow someone to turn any system directory into a Git repository, opening the door to remote code execution through a prompt injection. In response, Anthropic removed the git init tool from the package and added additional validation against path traversal primitives.

Pen testing tools used in LinkedIn phishing
Researchers at ReliaQuest detailed a phishing campaign that targeted high-value individuals on LinkedIn. These used industry-related lures to establish trust, first to gain a connection with the target and then to send them a direct message. From there, the attackers send a carefully named malicious WinRAR archive that extracts a legit PDF reader and a malicious DLL. This is all pretty standard stuff, but the researchers noted the campaign used an open source Python pen testing script with a registry run key to achieve persistence on systems, something they hadn't observed in other similar attacks.

UK's Report Fraud service does what it says on the tin
The City of London Police formally launched the Report Fraud service, which provides a single reporting portal for fraud and cybercrime across the UK. This follows a soft launch of the service late last year. Unlike the UK's previous Action Fraud service, Report Fraud will actively keep people reporting scams in the loop as an investigation progresses, and is built on top of a new real-time analytics platform that will integrate with telco operators to actively disrupt malicious activity. The UK's minister for tackling fraud, Lord Hanson, said the government planned to follow this with the launch of its new fraud strategy next month.

Fake ad blocker leads to real ClickFix attacks
A browser extension causing a crash usually isn't a feature, but it is in the case of NextShield, available for Chrome and Edge. It was listed as being created by uBlock Origin creator Raymond Hill to give it added veracity. This supposed ad blocker intentionally creates a denial-of-service condition by exhausting memory resources, causing the browser to either hang or just flat out crash. Upon restart, the extension shows a pop-up suggesting a system scan to solve the issue. This scan, of course, reveals a supposed security issue, which conveniently requires you to input a series of commands in the Windows command prompt that actually executes a malicious script. The extension has a 60-day timer to help avoid suspicion, and downloads a more specialized ModeloRAT payload if it detects that it's on a corporate network. The extension is no longer available on the Chrome Web Store.

Remember to subscribe to the CISO Series YouTube channel. We host live streams every week, post daily videos as well as demos, and we have podcast clips and original interviews. Just search for the CISO Series on YouTube and subscribe. And if you have some thoughts on the news from today or about the show in general, reach out to us at feedback@cisoseries.com; we'd love to hear from you. Reporting for the CISO Series, I'm Rich Stroffolino, reminding you to have a super sparkly day.
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Podcast: CISO Series
Host: Rich Stroffolino
Main Topics: UK-China cyber dialogue, Iranian TV hack, AI-developed malware, Telegram fraud front, UK’s “Report Fraud”, phishing tools, fake ad blocker
This episode delivers the latest critical updates in cybersecurity across the globe, highlighting government-level cyber dialogues, incidents of media hijacking, the disruptive potentials (and rapid development) of AI-generated malware, targeted phishing attacks, law enforcement advances, and the evolution of malicious browser extensions. The host maintains an urgent, informational tone, emphasizing both the technical sophistication and the real-world impact of each story.
“This will provide a single mechanism for senior level discussions of cyber incidents directly, rather than working through back channels or more diffuse methods.”
— Rich Stroffolino (00:38)
“Impacted channels began sending messages urging protesters to continue their demonstrations and included a call from Reza Pahlavi, the son of the last Shah of Iran.”
— Rich Stroffolino (01:13)
“The AI initially estimated this would take about 16 to 30 weeks for a human team, but timestamps show Void Link functional by early December 2025.”
— Rich Stroffolino (02:16)
“It provided crypto money laundering services, served as a PII clearinghouse, and provided fraud as a service infrastructure.”
— Rich Stroffolino (02:50)
“…could be chained to allow someone to turn any system directory into a git repository, opening the door to remote code execution through a prompt injection.”
— Rich Stroffolino (04:04)
“…the campaign used an open source Python pen testing script with a registry run key to achieve persistence on systems, something they hadn’t observed in other similar attacks.”
— Rich Stroffolino (04:32)
“Unlike the UK’s previous Action Fraud service, Report Fraud will actively keep people reporting scams in the loop as an investigation progresses…”
— Rich Stroffolino (04:57)
“Upon restart, the extension shows a pop up suggesting a system scan to solve the issue… a supposed security issue, which conveniently requires you to input a series of commands…that actually executes a malicious script.”
— Rich Stroffolino (05:41)
This episode underscores growing nation-state tension (and attempts to resolve it), the dangers and promise of AI in cyber offense, the ongoing evolution of attack vectors (social engineering, browser, supply chain), and significant improvements in defensive infrastructures. Listeners are provided up-to-the-minute insights and practical takeaways for defending against today’s most sophisticated threats.