
## Snapshot Summary

| Sector / Section | Headline Highlights | Count |
|---|---|---|
| DFIR & Incident Response | UK DDoS resilience checklist; Chainlit secrets exposure fixes | 2 |
| Cyber Investigations | LinkedIn DM malware chain; Gemini Calendar prompt-injection leak | 2 |
| Major Cyber Incidents | Ingram Micro ransomware notices; Iranian TV feed hijack | 2 |
| Exploits & Threat Intelligence | PDFSider backdoor in ransomware; Chainlit file-read/SSRF risk | 2 |
| Law Enforcement | UK “Report Fraud” rollout; Ghana cybercrime hub raids | 2 |
| Policy | EU cybersecurity resilience package; UK Parliament ransomware response | 2 |
| Standards & Compliance | Singapore bulletin updates; PAN-OS high-severity guidance | 2 |
| Consumer App Data Leaks | No credible consumer app leak updates | 0 |
## Digital Forensics & Incident Response

UK warns of ongoing Russia-aligned hacktivist DDoS activity — The UK NCSC warned that Russia-aligned hacktivists continue disruptive denial-of-service attacks against UK critical infrastructure and local government online services, urging defenders to harden exposed services and DDoS controls (19-01-2026) [EMEA]. For DFIR teams, this provides an immediate triage playbook—review upstream mitigation, log and preserve edge telemetry, validate failover paths, and rehearse communications—because availability incidents still create forensic blind spots and can mask follow-on intrusion attempts. (Source: BleepingComputer, 19-01-2026).
Chainlit vulnerabilities could expose sensitive data in AI app deployments — SecurityWeek reported two Chainlit flaws—an arbitrary file read and an SSRF issue—that can be exploited without user interaction to leak credentials, databases, and other sensitive information from affected deployments (20-01-2026) [AMER]. Incident responders should treat this as an “assume exposure” scenario: inventory internet-facing Chainlit instances, rotate secrets, pull access logs for suspicious fetches, and validate containment, because SSRF/file-read artifacts can be subtle yet high-impact in cloud-hosted evidence trails. (Source: SecurityWeek, 20-01-2026).
## Cyber Investigations

Phishing campaign abuses LinkedIn messages and DLL sideloading to deploy a RAT — Researchers detailed a campaign that used private LinkedIn messages to build trust, then delivered weaponized archives that relied on DLL sideloading to execute a remote access trojan on targeted systems (20-01-2026) [AMER]. For investigators, this shifts key evidence sources to social-platform messaging, archive execution chains, and signed-binary side-loading artifacts, making endpoint timeline reconstruction and user-interaction proof (DMs, downloads, execution) central to attribution and containment decisions. (Source: SC Media / SCWorld, 20-01-2026).
Researchers show prompt-injection can trick Google Gemini into leaking Calendar data — Researchers demonstrated that a crafted Google Calendar invite can plant instructions that Gemini later follows, causing summaries of private meetings to be written into new events and exposed to an attacker through shared visibility (20-01-2026) [AMER]. This matters to investigative and security teams because it reframes “content” as an execution surface—requiring audit of agent actions, event-field provenance, and cross-app data flows—while providing a concrete pattern for reproducing and validating AI-assisted data exfiltration claims. (Source: BleepingComputer, 20-01-2026).
## Major Cyber Incidents

Ingram Micro says ransomware attack exposed personal data of ~42,000 people — Ingram Micro began notifying roughly 42,000 individuals that personal information was compromised in a ransomware incident, with affected data including identifiers such as dates of birth, Social Security numbers, and employment-related details (19-01-2026) [AMER]. For DFIR and risk leaders, the notification scope signals downstream identity-fraud exposure and extended remediation timelines, so responders should prioritize full scoping of the data stores touched, preserve extortion communications, and validate whether access paths overlap supplier or customer environments. (Source: SecurityWeek, 19-01-2026).
Iranian state TV channels reportedly hijacked to air anti-regime messages — Multiple Iranian state television channels were reportedly hijacked briefly via satellite delivery, interrupting programming for about 10 minutes to broadcast protest footage and opposition messaging, with attribution not immediately known (19-01-2026) [EMEA]. For incident handlers, broadcast/satellite compromises are high-signal availability and integrity events that demand rapid evidence capture (uplink logs, encoder configs, satellite chain telemetry) and crisis comms coordination, because short intrusions can still indicate deeper footholds in media OT/IT convergence. (Source: The Record (Recorded Future News), 19-01-2026).
## Exploits & Threat Intelligence

APT-grade “PDFSider” backdoor reported in targeted attacks and ransomware activity — Researchers reported a new malware family dubbed PDFSider that delivers APT-like backdoor capabilities and uses DLL sideloading, with multiple ransomware groups observed leveraging it for access and remote command execution (20-01-2026) [AMER]. This matters operationally because DLL sideloading complicates detection and forensics—teams should hunt for legitimate loaders paired with anomalous DLLs, verify persistence and encrypted C2 indicators, and update YARA/EDR detections to prevent the same tradecraft from being reused across sectors. (Source: SecurityWeek, 20-01-2026).
Chainlit file-read and SSRF flaws highlight AI app exposure paths — Two Chainlit vulnerabilities—arbitrary file read and SSRF—were disclosed as enabling attackers to leak credentials, databases, and other sensitive data from exposed deployments without user interaction (20-01-2026) [AMER]. Threat hunters should treat this as a playbook for AI middleware abuse: monitor outbound fetch patterns, flag unexpected local file access, and correlate secret use after suspicious requests, because attackers can pivot from “AI app” footholds into broader cloud identity and data planes. (Source: SecurityWeek, 20-01-2026).
## Law Enforcement

UK launches “Report Fraud” platform to improve cybercrime and fraud reporting — UK authorities rolled out the “Report Fraud” service to replace and modernize the Action Fraud reporting pipeline, aiming to rebuild trust and improve how police triage and respond to fraud and cyber-enabled crime (20-01-2026) [EMEA]. For practitioners, better intake quality can translate into faster disruption and richer investigative artifacts, so organizations should align internal reporting fields (IoCs, victimology, payment rails) with the new workflow to support actionable case linkage and takedown opportunities. (Source: The Record (Recorded Future News), 20-01-2026).
Ghana task force raids alleged cybercrime hubs in Greater Accra — Ghanaian security agencies reported dismantling suspected cybercrime centers across multiple Accra-area locations after intelligence-led operations, citing dozens of arrests and seizure of laptops and phones connected to online fraud activity (18-01-2026) [EMEA]. This is operationally relevant because such raids often surface device images, chat logs, and money-mule networks that can correlate to international victim reports, so DFIR teams should watch for reused lures, infrastructure, and recovery of credential sets that may map to ongoing BEC and scam campaigns. (Source: GBC Ghana Online, 18-01-2026).
## Policy

European Commission proposes new cybersecurity measures and Cybersecurity Act revision — The European Commission announced a cybersecurity package proposing revisions to the 2019 Cybersecurity Act and measures to strengthen EU resilience, including improvements to certification efficiency, supply-chain risk reduction, and enhanced ENISA support (20-01-2026) [EMEA]. For regulated organizations, this signals upcoming compliance and reporting changes—particularly around ransomware data collection and certification scope—so security leaders should track legislative timelines and prepare impact assessments on supplier governance, certification strategy, and incident reporting workflows. (Source: European Commission, 20-01-2026).
UK Parliament debates steps to improve international response to cyber-attacks and ransomware — In the UK House of Commons, ministers were questioned on actions with international partners to strengthen the global response to cyber-attacks and ransomware, reflecting sustained political focus on cross-border disruption (20-01-2026) [EMEA]. For cyber professionals, these debates often precede funding, information-sharing mandates, and operational partnerships, so monitoring outcomes can help anticipate new reporting expectations, expanded taskforce activity, and opportunities for private-sector collaboration on takedowns and victim support. (Source: TheyWorkForYou / UK Parliament (HC Deb), 20-01-2026).
## Standards & Compliance

Singapore CSA publishes Security Bulletin (21 Jan 2026) with updated guidance — The Cyber Security Agency of Singapore listed a new Security Bulletin dated 21 January 2026, consolidating current guidance and references for organizations tracking actionable security updates in its jurisdiction (21-01-2026) [APAC]. Compliance and governance teams can use bulletins as an auditable control input—mapping required patching and mitigation actions to internal SLAs—while SOC/DFIR can tie bulletin-driven changes to evidence of due diligence during post-incident reviews. (Source: Cyber Security Agency of Singapore, 21-01-2026).
Singapore CSA issues alert on high-severity PAN-OS vulnerability — Singapore’s CSA posted an alert advising PAN-OS users to apply vendor updates for a high-severity vulnerability affecting Palo Alto Networks firewall software, emphasizing prompt remediation for exposed environments (19-01-2026) [APAC]. For compliance programs, perimeter control weaknesses are high-risk control failures, so teams should document version checks, patch windows, and compensating controls (rule hardening, admin access restrictions) to demonstrate timely risk management and reduce audit and incident exposure. (Source: Cyber Security Agency of Singapore, 19-01-2026).
## Consumer App Data Leaks

No credible consumer app data leak updates were identified in this cycle.

## Editorial Perspective

This cycle underscores how “low-noise” techniques—DLL sideloading, AI prompt injection, and SSRF/file-read paths—continue to defeat assumptions baked into many defensive stacks.
Availability and integrity incidents are also converging: UK DDoS warnings and Iran’s broadcast hijack both show how fast disruption can become a broader trust and safety problem when telemetry is thin or ownership boundaries are unclear.
Finally, policy and reporting infrastructure are tightening in parallel—EU proposals and the UK’s new reporting platform hint at more structured, auditable cyber response expectations that will reward teams who can link detections, decisions, and remediation evidence end-to-end.
## Tags

DFIR, ransomware, DDoS, DLL sideloading, prompt injection, SSRF, supply chain, critical infrastructure, incident reporting, ENISA, PAN-OS, threat intelligence
