2026-02-03 AI创业新闻

Researchers Find 341 Malicious ClawHub Skills Stealing Data from OpenClaw Users

A security audit of 2,857 skills on ClawHub has found 341 malicious skills across multiple campaigns, according to new findings from Koi Security, exposing users to new supply chain risks. ClawHub is a marketplace designed to make it easy for OpenClaw users to find and install third-party skills. It’s an extension to the OpenClaw project, a self-hosted artificial intelligence (AI) assistant formerly known as both Clawdbot and Moltbot. The analysis, which Koi conducted with the help of an OpenClaw bot named Alex, found that 335 skills use fake pre-requisites to install an Apple macOS stealer named Atomic Stealer (AMOS).

This activity set has been codenamed ClawHavoc . “You install what looks like a legitimate skill – maybe solana-wallet-tracker or youtube-summarize-pro,” Koi researcher Oren Yomtov said. “The skill’s documentation looks professional. But there’s a ‘Prerequisites’ section that says you need to install something first.” This step involves instructions for both Windows and macOS systems: On Windows, users are asked to download a file called “openclaw-agent.zip” from a GitHub repository.

On macOS, the documentation tells them to copy an installation script hosted at glot[.]io and paste it into the Terminal app. The targeting of macOS is no coincidence, as reports have emerged of people buying Mac Minis to run the AI assistant 24x7. Present within the password-protected archive is a trojan with keylogging functionality to capture API keys, credentials, and other sensitive data on the machine, including those that the bot already has access to. On the other hand, the glot[.]io script contains obfuscated shell commands to fetch next-stage payloads from an attacker-controlled infrastructure.

This, in turn, entails reaching out to another IP address (“91.92.242[.]30”) to retrieve another shell script, which is configured to contact the same server to obtain a universal Mach-O binary that exhibits traits consistent with Atomic Stealer, a commodity stealer available for $500-1000/month that can harvest data from macOS hosts. According to Koi, the malicious skills masquerade as ClawHub typosquats (e.g., clawhub, clawhub1, clawhubb, clawhubcli, clawwhub, cllawhub) Cryptocurrency tools like Solana wallets and wallet trackers Polymarket bots (e.g., polymarket-trader, polymarket-pro, polytrading) YouTube utilities (e.g., youtube-summarize, youtube-thumbnail-grabber, youtube-video-downloader) Auto-updaters (e.g., auto-updater-agent, update, updater) Finance and social media tools (e.g., yahoo-finance-pro, x-trends-tracker) Google Workspace tools claiming integrations with Gmail, Calendar, Sheets, and Drive Ethereum gas trackers Lost Bitcoin finders In addition, the cybersecurity company said it identified skills that hide reverse shell backdoors inside functional code (e.g., better-polymarket and polymarket-all-in-one), or exfiltrate bot credentials present in “~/.clawdbot/.env” to a webhook[.]site (e.g., rankaj). The development coincides with a report from OpenSourceMalware, which also flagged the same ClawHavoc campaign targeting OpenClaw users. “The skills masquerade as cryptocurrency trading automation tools and deliver information-stealing malware to macOS and Windows systems,” a security researcher who goes by the online alias 6mile said .

“All these skills share the same command-and-control infrastructure (91.92.242[.]30) and use sophisticated social engineering to convince users to execute malicious commands, which then steal crypto assets like exchange API keys, wallet private keys, SSH credentials, and browser passwords.” OpenClaw Adds a Reporting Option The problem stems from the fact that ClawHub is open by default and allows anyone to upload skills. The only restriction at this stage is that a publisher must have a GitHub account that’s at least one week old. The issue with malicious skills hasn’t gone unnoticed by OpenClaw’s creator Peter Steinberger, who has since rolled out a reporting feature that allows signed-in users to flag a skill. “Each user can have up to 20 active reports at a time,” the documentation states .

“Skills with more than 3 unique reports are auto-hidden by default.” The findings underscore how open-source ecosystems continue to be abused by threat actors, who are now piggybacking on OpenClaw’s sudden popularity to orchestrate malicious campaigns and distribute malware at scale. In a report last week, Palo Alto Networks warned that OpenClaw represents what British programmer Simon Willison, who coined the term prompt injection, describes as a “ lethal trifecta “ that renders AI agents vulnerable by design due to their access to private data, exposure to untrusted content, and the ability to communicate externally. The intersection of these three capabilities, combined with OpenClaw’s persistent memory, “acts as an accelerant” and amplifies the risks, the cybersecurity company added. “With persistent memory, attacks are no longer just point-in-time exploits.

They become stateful, delayed-execution attacks,” researchers Sailesh Mishra and Sean P. Morgan said . “Malicious payloads no longer need to trigger immediate execution on delivery. Instead, they can be fragmented, untrusted inputs that appear benign in isolation, are written into long-term agent memory, and later assembled into an executable set of instructions.” “This enables time-shifted prompt injection, memory poisoning, and logic bomb–style activation, where the exploit is created at ingestion but detonates only when the agent’s internal state, goals, or tool availability align.” Found this article interesting?

OpenClaw Bug Enables One-Click Remote Code Execution via Malicious Link

A high-severity security flaw has been disclosed in OpenClaw (formerly referred to as Clawdbot and Moltbot) that could allow remote code execution (RCE) through a crafted malicious link. The issue, which is tracked as CVE-2026-25253 (CVSS score: 8.8), has been addressed in version 2026.1.29 released on January 30, 2026. It has been described as a token exfiltration vulnerability that leads to full gateway compromise. “The Control UI trusts gatewayUrl from the query string without validation and auto-connects on load, sending the stored gateway token in the WebSocket connect payload,” OpenClaw’s creator and maintainer Peter Steinberger said in an advisory.

“Clicking a crafted link or visiting a malicious site can send the token to an attacker-controlled server. The attacker can then connect to the victim’s local gateway, modify config (sandbox, tool policies), and invoke privileged actions, achieving 1-click RCE.” OpenClaw is an open-source autonomous artificial intelligence (AI) personal assistant that runs locally on user devices and integrates with a wide range of messaging platforms. Although initially released in November 2025, the project has gained rapid popularity in recent weeks, with its GitHub repository crossing 149,000 stars as of writing. “OpenClaw is an open agent platform that runs on your machine and works from the chat apps you already use,” Steinberger said .

“Unlike SaaS assistants where your data lives on someone else’s servers, OpenClaw runs where you choose – laptop, homelab, or VPS. Your infrastructure. Your keys. Your data.” Mav Levin, founding security researcher at depthfirst who is credited with discovering the shortcoming, said it can be exploited to create a one-click RCE exploit chain that takes only milliseconds after a victim visits a single malicious web page.

The problem is that clicking on the link to that web page is enough to trigger a cross-site WebSocket hijacking attack because OpenClaw’s server doesn’t validate the WebSocket origin header. This causes the server to accept requests from any website, effectively getting around localhost network restrictions. A malicious web page can take advantage of the issue to execute client-side JavaScript on the victim’s browser that can retrieve an authentication token, establish a WebSocket connection to the server, and use the stolen token to bypass authentication and log in to the victim’s OpenClaw instance. To make matters worse, by leveraging the token’s privileged operator.admin and operator.approvals scopes, the attacker can use the API to disable user confirmation by setting “exec.approvals.set” to “off” and escape the container used to run shell tools by setting “tools.exec.host” to “gateway.” “This forces the agent to run commands directly on the host machine, not inside a Docker container,” Levin said.

“Finally, to achieve arbitrary command execution, the attacker JavaScript executes a node.invoke request.” When asked whether OpenClaw’s use of the API to manage the safety features constitutes an architectural limitation, Levin told The Hacker News in an emailed response that, “I would say the problem is those defenses (sandbox and safety guardrails) were designed to contain malicious actions of an LLM, as a result of prompt injection, for example. And users might think these defenses would protect from this vulnerability (or limit the blast radius), but they don’t.” Steinberger noted in the advisory that “the vulnerability is exploitable even on instances configured to listen on loopback only, since the victim’s browser initiates the outbound connection.” “It impacts any Moltbot deployment where a user has authenticated to the Control UI. The attacker gains operator-level access to the gateway API, enabling arbitrary config changes and code execution on the gateway host. The attack works even when the gateway binds to loopback because the victim’s browser acts as the bridge.” Found this article interesting?

Microsoft Begins NTLM Phase-Out With Three-Stage Plan to Move Windows to Kerberos

Microsoft has announced a three-phase approach to phase out New Technology LAN Manager (NTLM) as part of its efforts to shift Windows environments toward stronger, Kerberos-based options. The development comes more than two years after the tech giant revealed its plans to deprecate the legacy technology, citing its susceptibility to weaknesses that could facilitate relay attacks and allow bad actors to gain unauthorized access to network resources. NTLM was formally deprecated in June 2024 and no longer receives updates. “NTLM consists of security protocols originally designed to provide authentication, integrity, and confidentiality to users,” Mariam Gewida, Technical Program Manager II at Microsoft, explained.

“However, as security threats have evolved, so have our standards to meet modern security expectations. Today, NTLM is susceptible to various attacks, including replay and man-in-the-middle attacks, due to its use of weak cryptography.” Despite the deprecated status, Microsoft said it continues to find the use of NTLM prevalent in enterprise environments where modern protocols like Kerberos cannot be implemented due to legacy dependencies, network limitations, or ingrained application logic. This, in turn, exposes organizations to security risks, such as replay, relay, and pass-the-hash attacks. To mitigate this problem in a secure manner, the company has adopted a three-phase strategy that paves the way for NTLM to be disabled by default - Phase 1: Building visibility and control using enhanced NTLM auditing to better understand where and why NTLM is still being used (Available now) Phase 2: Addressing common roadblocks that prevent a migration to NTLM through features like IAKerb and local Key Distribution Center (KDC) (pre-release), as well as updating core Windows components to prioritize Kerberos authentication (Expected in H2 2026) Phase 3: Disabling NTLM in the next version of Windows Server and associated Windows client, and requiring explicit re-enablement through new policy controls Microsoft has positioned the transition as a major step toward a passwordless, phishing-resistant future.

This also requires organizations relying on NTLM to conduct audits, map dependencies, migrate to Kerberos, test NTLM-off configurations in non-production environments, and enable Kerberos upgrades. “Disabling NTLM by default does not mean completely removing NTLM from Windows yet,” Gewida said. “Instead, it means that Windows will be delivered in a secure-by-default state where network NTLM authentication is blocked and no longer used automatically.” “The OS will prefer modern, more secure Kerberos-based alternatives. At the same time, common legacy scenarios will be addressed through new upcoming capabilities such as Local KDC and IAKerb (pre-release).” Found this article interesting?

⚡ Weekly Recap: Proxy Botnet, Office Zero-Day, MongoDB Ransoms, AI Hijacks & New Threats

Every week brings new discoveries, attacks, and defenses that shape the state of cybersecurity. Some threats are stopped quickly, while others go unseen until they cause real damage. Sometimes a single update, exploit, or mistake changes how we think about risk and protection. Every incident shows how defenders adapt — and how fast attackers try to stay ahead.

This week’s recap brings you the key moments that matter most, in one place, so you can stay informed and ready for what’s next. ⚡ Threat of the Week Google Disrupts IPIDEA Residential Proxy Network — Google has crippled IPIDEA, a massive residential proxy network consisting of user devices that are being used as the last-mile link in cyberattack chains. According to the tech giant, not only do these networks permit bad actors to conceal their malicious traffic, but they also open up users who enroll their devices to further attacks. Residential IP addresses in the U.S., Canada, and Europe were seen as the most desirable.

Google pursued legal measures to seize or sinkhole domains used as command‑and‑control (C2) for devices enrolled in the IPIDEA proxy network, cutting off operators’ ability to route traffic through compromised systems. The disruption is assessed to have reduced IPIDEA’s available pool of devices by millions. The proxy software is either pre-installed on devices or may be willingly installed by users, lured by the promise of monetizing their available internet bandwidth. Once devices are registered in the residential proxy network, operators sell access to it to their customers.

Numerous proxy and VPN brands, marketed as separate businesses, were controlled by the same actors behind IPIDEA. The proxy network also promoted several SDKs as app monetization tools, quietly turning user devices into proxy exit nodes without their knowledge or consent once embedded. IPIDEA has also been linked to large-scale brute-forcing attacks targeting VPN and SSH services as far back as early 2024. The team from Device and Browser Info has since released a list of all IPIDEA-linked proxy exit IPs.

New Insights From 1800+ Security Leaders and Practitioners 99% of SOCs are already using AI, yet 81% say workloads increased in the past year. Teams have yet to unlock AI’s full impact. To find out why, Tines surveyed 1,800+ security leaders and practitioners worldwide for their biggest Voice of Security report yet. Get the Report ➝ 🔔 Top News Microsoft Patches Exploited Office Flaw — Microsoft issued out-of-band security patches for a high-severity Microsoft Office zero-day vulnerability exploited in attacks.

The vulnerability, tracked as CVE-2026-21509, carries a CVSS score of 7.8 out of 10.0. It has been described as a security feature bypass in Microsoft Office. “Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally,” the tech giant said in an advisory. “This update addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office, which protect users from vulnerable COM/OLE controls.” Microsoft has not shared any details about the nature and the scope of attacks exploiting CVE-2026-21509.

Ivanti Patches Exploited EPMM Flaws — Ivanti rolled out security updates to address two security flaws impacting Ivanti Endpoint Manager Mobile (EPMM) that have been exploited in zero-day attacks. The vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, relate to code injection, allowing attackers to achieve unauthenticated remote code execution. “We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,” Ivanti said in an advisory, adding it does not have enough information about the threat actor tactics to provide “reliable atomic indicators.” As of January 30, 2026, a public working proof-of-concept exploit is available. “As EPMM is an endpoint management solution for mobile devices, the impact of an attacker compromising the EPMM server is significant,” Rapid7 said .

“An attacker may be able to access Personally Identifiable Information (PII) regarding mobile device users, such as their names and email addresses, but also their mobile device information, such as their phone numbers, GPS information, and other sensitive unique identification information.” Poland Links Cyber Attack on Power System to Static Tundra — The Polish computer emergency response team revealed that coordinated cyber attacks targeted more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power plant (CHP) supplying heat to almost half a million customers in the country. CERT Polska said the incident took place on December 29, 2025, describing the attacks as destructive. The agency attributed the attacks to a threat cluster dubbed Static Tundra, which is also tracked as Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, Energetic Bear, Ghost Blizzard (formerly Bromine), and Havex. Static Tundra is assessed to be linked to Russia’s Federal Security Service’s (FSB) Center 16 unit.

Prior reports from ESET and Dragos linked the attack with moderate confidence to a group that shares tactical overlaps with a cluster referred to as Sandworm. The group exhibits a deep understanding of electrical grid equipment and operations, strong proficiency in the industrial protocols used in power systems, and the ability to develop custom malware and wiper tools across IT and OT environments. The activity also reflects the adversary’s grasp of substation operations and the operational dependencies within electrical systems. “Taking over these devices requires capabilities beyond simply understanding their technical flaws,” Dragos said.

“It requires knowledge of their specific implementation. The adversaries demonstrated this by successfully compromising RTUs at approximately 30 sites, suggesting they had mapped common configurations and operational patterns to exploit systematically.” LLMJacking Campaign Targets Exposed AI Endpoints — Cybercriminals are searching for, hijacking, and monetizing exposed LLM and MCP endpoints at scale. The campaign, dubbed Operation Bizarre Bazaar, targets exposed or unprotected AI endpoints to hijack system resources, resell API access, exfiltrate data, and move laterally to internal systems. “The threat differs from traditional API abuse because compromised LLM endpoints can generate significant costs (inference is expensive), expose sensitive organizational data, and provide lateral movement opportunities,” Pillar Security said.

Organizations running self-hosted LLM infrastructure (Ollama, vLLM, local AI implementations) or deploying MCP servers for AI integrations face active targeting. Common misconfigurations that are under active exploitation include Ollama running on port 11434 without authentication, OpenAI-compatible APIs on port 8000, MCP servers accessible without access controls, development/staging AI infrastructure with public IPs, and production chatbot endpoints that lack authentication or rate limits. Access to the infrastructure is advertised on a marketplace that offers access to over 30 LLMs. Called silver[.]inc, it is hosted on bulletproof infrastructure in the Netherlands, and marketed on Discord and Telegram, with payments made via cryptocurrency or PayPal.

Chinese Threat Actors Use PeckBirdy Framework — China-aligned threat actors have been using a cross-platform, multifunction JScript framework called PeckBirdy to conduct cyber espionage attacks since 2023, augmenting their activities with modular backdoors in two separate campaigns targeting gambling sites and government entities. The command-and-control (C2) framework, written in Microsoft’s JScript legacy language, is aimed at flexible deployment by enabling execution across multiple environments, including web browsers, MSHTA, WScript, Classic ASP, Node JS, and .NET (ScriptControl). ‎️‍🔥 Trending CVEs New vulnerabilities surface daily, and attackers move fast. Reviewing and patching early keeps your systems resilient.

Here are this week’s most critical flaws to check first — CVE-2026-24423 (SmarterTools SmarterMail), CVE-2026-1281, CVE-2026-1340 (Ivanti Endpoint Manager Mobile), CVE-2025-40536, CVE-2025-40537, CVE-2025-40551, CVE-2025-40552, CVE-2025-40553 (SolarWinds Web Help Desk), CVE-2026-22709 (vm2), CVE-2026-1470, CVE-2026-0863 (n8n), CVE-2026-24858 (Fortinet FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb), CVE-2026-21509 (Microsoft Office), CVE-2025-30248 , CVE-2025-26465 (Western Digital), CVE-2025-56005 (PLY), CVE-2026-23864 (React Server Components), CVE-2025-14756 (TP-Link), CVE‑2026‑0755 (Google gemini-mcp-tool), CVE-2025-9142 (Check Point Harmony SASE), CVE-2026-1504 (Google Chrome), CVE-2025-12556 (IDIS IP cameras), CVE-2026-0818 (Mozilla Thunderbird), CCVE-2025-52598, CVE-2025-52599, CVE-2025-52600, CVE-2025-52601, CVE-2025-8075 (Hanwha Wisenet cameras), CVE-2025-33217, CVE-2025-33218, CVE-2025-33219, CVE-2025-33220 (NVIDIA GPU Display Drivers), CVE-2025-0921 (Iconics Suite), CVE-2025-26385 (Johnson Controls), and SRC-2025-0001, SRC-2025-0002 , SRC-2025-0003, SRC-2025-0004 (Samsung MagicINFO 9 Server). 📰 Around the Cyber World Exposed C2 Server Reveals BYOB Infrastructure — Cybersecurity researchers have discovered an open directory on a command-and-control (C2) server at IP address 38.255.43[.]60 on port 8081, which has been found serving malicious payloads associated with the Build Your Own Botnet ( BYOB ) framework. “The open directory contained a complete deployment of the BYOB post-exploitation framework, including droppers, stagers, payloads, and multiple post-exploitation modules,” Hunt.io said . “Analysis of the captured samples reveals a modular multi-stage infection chain designed to establish persistent remote access across Windows, Linux, and macOS platforms.” The first stage is a dropper that implements multiple layers of obfuscation to evade signature-based detection, while fetching and executing an intermediate loader, which performs a series of security checks of its own before deploying the main remote access trojan (RAT) payload for reconnaissance and persistence.

It also comes with capabilities to escalate privileges, log keystrokes, terminate processes, harvest emails, and inspect network traffic. Additional infrastructure linked to the threat actor has been found to host cryptocurrency mining payloads, indicating a two-pronged approach to compromising endpoints with different payloads. Phantom Enigma Resurfaces with New Tactics — The threat actors behind the Operation Phantom Enigma campaign, which targeted Brazilian users in order to steal bank accounts in early 2025, resurfaced with similar attacks in fall 2025. The attacks, per Positive Technologies, involve sending phishing emails bearing invoice-related themes to trick ordinary users into clicking on malicious links to download a malicious MSI installer that installs a malicious Google Chrome extension dubbed EnigmaBanker on the victim’s browser to collect credentials and transmit them to the attacker’s server.

The malware is designed to execute JavaScript code that imports a malicious extension via Chrome DevTools Protocol ( CDP ) after launching the browser in debugging mode. On the other hand, the attacks aimed at enterprises drop an installer for legitimate remote access software like PDQ Connect, MeshAgent, ScreenConnect, or Syncro RMM. The threat actors behind the campaign are suspected to be operating out of Latin America. Attackers Exploit Stolen AWS Credentials to Target AWS WorkMail — Threat actors are leveraging compromised Amazon Web Services (AWS) credentials to deploy phishing and spam infrastructure using AWS WorkMail, bypassing the anti-abuse controls normally enforced by AWS Simple Email Service (SES).

“This allows the threat actor to leverage Amazon’s high sender reputation to masquerade as a valid business entity, with the ability to send email directly from victim-owned AWS infrastructure,” Rapid7 said . “Generating minimal service-attributed telemetry also makes threat actor activity difficult to distinguish from routine activity. Any organization with exposed AWS credentials and permissive Identity and Access Management (IAM) policies is potentially at risk, particularly those without guardrails or monitoring around WorkMail and SES configuration.” Malicious VS Code Extension Delivers Stealer Malware — A malicious Visual Studio Code (VS Code) extension has been identified in Open VSX (“Angular-studio.ng-angular-extension”) masquerading as a tool for the Angular web development framework, but harbors functionality that’s activated when any HTML or TypeScript file is opened. It’s designed to run encrypted JavaScript responsible for fetching the next-stage payload from a URL embedded into the memo field of a Solana wallet using a technique called EtherHiding by constructing an RPC request to the Solana mainnet.

The infection chain is also engineered such that execution is skipped on systems matching Russian locale indicators. “This pattern is commonly observed in malware originating from or affiliated with Russian-speaking threat actors, implemented to avoid domestic prosecution,” Secure Annex said . This architecture offers several advantages: blockchain immutability ensures configuration data persists indefinitely, and attackers can update payload URLs without modifying the published extension. The final payload deployed as part of the attack is a stealer malware that can siphon credentials from developer machines, conduct cryptocurrency theft, establish persistence, and exfiltrate the data to a server retrieved from a Google Calendar event.

Threat Actors Exploit Critical Adobe Commerce Flaw — Threat actors are continuing to exploit a critical flaw in Adobe Commerce and Magento Open Source platforms ( CVE-2025-54236 , CVSS score: 9.1) to compromise 216 websites worldwide in one campaign, and deploy web shells on Magento sites in Canada and Japan to enable persistent access in another. “While the cases are not assessed to be part of a single coordinated campaign, all incidents demonstrate that the vulnerability is being actively abused for authentication bypass, full system compromise, and, in some cases, web shell deployment and persistent access,” Oasis Security said . Malicious Google Ads Leads to Stealer Malware — Sponsored ads on Google when searching for “Mac cleaner” or “clear cache macOS” are being used to redirect unsuspecting users to sketchy sites hosted on Google Docs and Medium to trick them into following ClickFix-style instructions to deliver stealer malware. In a related development, DHL-themed phishing emails containing ZIP archives are being used to launch XLoader using DLL side-loading, which then uses process hollowing techniques to load Phantom Stealer.

U.S. Authorities Investigated Meta Contractors’ Claims that WhatsApp Chats Aren’t Private — U.S. law enforcement has been investigating allegations by former Meta contractors that employees at the company can access WhatsApp messages, despite the company’s statements that the chat service is private and encrypted. The contractors claimed that some Meta staff had “unfettered” access to WhatsApp messages, content that should be off-limits, Bloomberg reported .

The report stands in stark contrast to WhatsApp encryption foundations, which prevent third parties, including the company, from accessing the chat contents. “What these individuals claim is not possible because WhatsApp, its employees, and its contractors, cannot access people’s encrypted communications,” Meta was quoted as saying to Bloomberg. It’s worth noting that when a user reports a user or group , WhatsApp receives up to five of the last messages sent to them, along with their metadata. This is akin to taking a screenshot of the last few messages, as they are already on the device and in a decrypted state because the device has the “key” to read them.

However, these allegations suggest much broader access to the platform. New PyRAT Malware Spotted — A new Python-based remote access trojan (RAT) called PyRAT has been found to demonstrate cross-platform capabilities, persistent infection methods, and extensive remote access features. It supports features like system command execution, file system operations, file enumeration, file upload/download, and archive creation to facilitate bulk exfiltration of stolen data. The malware also comes fitted with self-cleanup capabilities to uninstall itself from the victim machine and wipe all persistence components.

“This Python‑based RAT poses a notable risk to organizations because of its cross‑platform capability, broad functionality, and ease of deployment,” K7 Security Labs said . “Even though it is not associated with highly sophisticated threat actors, its effectiveness in real‑world attacks and observed detection rates indicate that it is actively used by cybercriminals and deserves attention.” It’s currently not known how it’s distributed. New Exfil Out&Look Attack Technique Detailed — Cybersecurity researchers have discovered a new technique named Exfil Out&Look that abuses Outlook add-ins to steal data from organizations. “An add-in installed via OWA [Outlook Web Access can be abused to silently extract email data without generating audit logs or leaving any forensic footprint — a stark contrast to the behavior observed in Outlook Desktop,” Varonis said .

“In organizations that rely heavily on Unified Audit Logs for detection and investigation, this blind spot can allow malicious or overly permissive add-ins to operate undetected for extended periods of time.” An attacker could exploit this behavior to trigger an add-in’s core functionality when a victim sends an email, allowing it to intercept outgoing messages and send the data to a third-party server. Following responsible disclosure to Microsoft on September 30, 2025, the company categorized the issue as low-severity with no immediate fix. Exposed MongoDB Servers Exploited for Extortion Attacks — Almost half of all internet-exposed MongoDB servers have been compromised and are being held for ransom. An unidentified threat actor has targeted misconfigured instances to drop ransom notes on more than 1,400 databases demanding a Bitcoin payment to restore the data.

Flare’s analysis found more than 208,500 publicly exposed MongoDB servers, out of which 100,000 expose operational information, and 3,100 could be accessed without authentication. What’s more, nearly half (95,000) of all internet-exposed MongoDB servers run older versions that are vulnerable to N-day flaws. “Threat actors demand payment in Bitcoin (often around 0.005 BTC, equivalent today to $500-600 USD) to a specified wallet address, promising to restore the data,” the cybersecurity company said . “However, there is no guarantee the attackers have the data, or will provide a working decryption key if paid.” Deep Dive into Dark Web Forums — Positive Technologies has taken a deep-dive look into modern dark web forums, noting how they are in a constant state of flux due to ramping up of law enforcement operations, even as they embrace anonymity and protection technologies like Tor, I2P, coupled with anti-bot guardrails, anti-scraping mechanisms, closed moderation, and a strict trust system to escape scrutiny and block suspicious activity.

“However, the results of these interventions are rarely final: the elimination of one forum usually becomes the starting point for the emergence of a new, more sustainable and secure one,” it said . “And an important feature of such forums is the high level of development of technical means of protection. If the early generations of dark web forums were primitive web platforms that often existed in the public part of the internet, modern forums are complex distributed systems with multi-level infrastructure, APIs, moderator bots, built-in verification tools and a multi-stage access system.” TA584 Campaign Drops XWorm and Tsundere Bot — A prolific initial access broker known as TA584 (aka Storm-0900 ) has been observed using the Tsundere Bot alongside XWorm remote access trojan to gain network access for likely follow-on ransomware attacks. The XWorm malware uses a configuration called “P0WER” to enable its execution.

“In the second half of 2025, TA584 demonstrated multiple attack chain changes, including adopting ClickFix social engineering, expanded targeting to more consistently target specific geographies and languages, and recently delivering a new malware called Tsundere Bot,” Proofpoint said . The threat actor is assessed to be active since at least 2020, but has exhibited an increased operational tempo since March 2025. Organizations in North America, the U.K., Ireland, and Germany are the main targets. Emails sent by TA584 impersonate various organizations associated with healthcare and government entities, as well as leverage well-designed and believable lures to get people to engage with malicious content.

These messages are sent via compromised accounts or third-party services like SendGrid and Amazon Simple Email Service (SES). “The emails usually contain unique links for each target that perform geofencing and IP filtering,” Proofpoint said. “If these checks were passed, the recipient is redirected to a landing page aligning with the lure in the email.” Early iterations of the campaign delivered macro-enabled Excel documents dubbed EtterSilent to facilitate malware installation. The end goal of the attack is to initiate a redirect chain involving third-party traffic direction systems (TDS) like Keitaro to a CAPTCHA page, followed by a ClickFix page that instructs the victim to run a PowerShell command on their system.

Some of the other payloads distributed by TA584 in the past include Ursine, TA584, WARMCOOKIE, Xeno RAT, Cobalt Strike, and DCRat. South Korea to Notify Citizens of Data Leaks — The South Korean government will notify citizens when their data was exposed in a security breach. The new notification system will cover confirmed breaches, but also alert people who may be involved in a data breach, even if the case has not been confirmed. These alerts will also include information on how to seek compensation for damages.

Details About Critical Apache bRPC Flaw — CyberArk has published details about a recently patched critical vulnerability in Apache bRPC (CVE-2025-60021, CVSS score: 9.8) that could allow an attacker to inject remote commands. The problem resides in the “/pprof/heap” profiler endpoint. “The heap profiler service /pprof/heap did not validate the user-provided extra_options parameter before incorporating it into the jeprof command line,’ CyberArk said . “Prior to the fix, extra_options was appended directly to the command string as –.

Because this command is later executed to generate the profiling output, shell special characters in attacker-controlled input could alter the executed command, resulting in command injection.” As a result, an attacker could exploit a reachable “/pprof/heap” endpoint to execute arbitrary commands with the privileges of the Apache bRPC process, resulting in remote code execution. There are about 181 publicly reachable /pprof/heap endpoints and 790 /pprof/* endpoints, although it’s not known how many of them are susceptible to this flaw. Threat Actors Use New Unicode Trick to Evade Detection — Threat actors are using the Unicode character for math division (∕) instead of a standard forward slash (/) in malicious links to evade detection. “The barely noticeable difference between the divisional and forward slashes causes traditional automated security systems and filters to fail, allowing the links to bypass detection,” email security firm Barracuda said .

“As a result, victims are redirected to default or random pages.” China Executes 11 Members of Myanmar Scam Mafia — The Chinese government has executed 11 members of the Ming family who ran cyber scam compounds in Myanmar. The suspects were sentenced in September 2025 following their arrest in 2023. In November 2025, five members of a Myanmar crime syndicate were sentenced to death for their roles in running industrial-scale scamming compounds near the border with China. The Ming mafia’s scam operations and gambling dens brought in more than $1.4 billion between 2015 and 2023, BBC News reported , citing China’s highest court.

FBI Urges Organizations to Improve Cybersecurity — The U.S. Federal Bureau of Investigation (FBI) launched Operation Winter SHIELD (short for “Securing Homeland Infrastructure by Enhancing Layered Defense”), outlining ten actions which organizations should implement to improve cyber resilience. This includes adopting phishing-resistant authentication, implementing a risk-based vulnerability management program, retiring end-of-life technology, managing third-party risk, preserving security logs, maintaining offline backups, inventorying internet-facing systems and services, strengthening email authentication, reducing administrator privileges, and executing incident response plans with all stakeholders. “Winter SHIELD provides industry with a practical roadmap to better secure information technology (IT) and operational technology (OT) environments, hardening the nation’s digital infrastructure and reducing the attack surface,” the FBI said .

“Our goal is simple: to move the needle on resilience across industry by helping organizations understand where adversaries are focused and what concrete steps they can take now (and build toward in the future) to make exploitation harder.” Only 26% of Vulnerability Attacks Blocked by Hosts — A new study by website security firm PatchStack has revealed that a significant majority of common WordPress-specific vulnerabilities are not mitigated by hosting service providers. In a test using 30 vulnerabilities that were known to be exploited in real-world attacks, the company found that 74% of all attacks resulted in a successful site takeover. “Of the high-impact vulnerabilities, Privilege Escalation attacks were blocked only 12% of the time,” Patchstack said . “The biggest problem isn’t that hosts don’t care about vulnerability attacks – it’s that they think their existing solutions have got them covered.” Cyber Attacks Became More Distributed in 2025 — Forescout’s Threat Roundup report for 2025 has found that cyber attacks became more globally distributed and cloud-enabled.

“In 2025, the top 10 countries accounted for 61% of malicious traffic - a 22% decrease compared to 2024 – and a reversal of a trend observed since 2022, when that figure was 73%,” Forescout said . “In other words, attacks are more distributed and attackers are using IP addresses from less common countries more frequently.” The U.S., India, and Germany were the most targeted countries, with 59% of the attacks originating from ISP-managed IPs, 17% from business and government networks, and 24% from hosting or cloud providers. The vast majority of the attacks originated from China, Russia, and Iran. Attacks using OT protocols surged by 84%, led by Modbus.

The development comes as Cisco Talos revealed that threat actors are increasingly exploiting public-facing applications, overtaking phishing in the last quarter of 2025. Google Agrees to Settle Privacy Lawsuit for $68M — Google has agreed to pay $68 million to settle a class-action lawsuit alleging its voice-activated assistant illegally recorded and shared the private conversations with third parties without their consent. The case revolved around “false accepts,” where Google Assistant is said to have activated and recorded the user’s communications even in scenarios where the actual trigger word, “Ok Google,” was not used. Google has denied any wrongdoing.

Apple reached a similar $95 million settlement in December 2024 over Siri recordings. Separately, Google has agreed to pay $135 million to settle a proposed class-action lawsuit that accused the company of illegally using users’ cellular data to transmit system information to its servers without the user’s knowledge or consent since November 12, 2017. As part of the settlement, Google will not transfer data without obtaining consent from Android users when they set up their phones. It will also make it easier for users to stop the transfers, and will disclose the transfers in its Google Play terms of service.

The development follows a U.S. Supreme Court decision to hear a case stemming from the use of a Facebook tracking pixel to monitor the streaming habits of users of a sports website. Security Flaws in Google Fast Pair protocol — More than a dozen headphone and speaker models have been found vulnerable to a new vulnerability (CVE-2025-36911, CVSS score: 7.1) in the Google Fast Pair protocol. Called WhisperPair , the attack allows threat actors to hijack a user’s accessories without user interaction.

In certain scenarios, the attackers can also register as the owners of those accessories and track the movement of the real owners via the Google Find Hub. Google awarded the researchers $15,000 following responsible disclosure in August 2025. “WhisperPair enables attackers to forcibly pair a vulnerable Fast Pair accessory (e.g., wireless headphones or earbuds) with an attacker-controlled device (e.g., a laptop) without user consent,” researchers at the COSIC group of KU Leuven said. “This gives an attacker complete control over the accessory, allowing them to play audio at high volumes or record conversations using the microphone.

This attack succeeds within seconds (a median of 10 seconds) at realistic ranges (tested up to 14 metres) and does not require physical access to the vulnerable device.” In related news, an information leak vulnerability (CVE-2025-13834) and a denial-of-service (DoS) vulnerability (CVE-2025-13328) have been uncovered in Xiaomi Redmi Buds versions 3 Pro through 6 Pro. “An attacker within Bluetooth radio range can send specially crafted RFCOMM protocol interactions to the device’s internal channels without prior pairing or authentication, enabling the exposure of sensitive call-related data or triggering repeatable firmware crashes,” CERT Coordination Center (CERT/CC) said . 🎥 Cybersecurity Webinars Your SOC Stack Is Broken — Here’s How to Fix It Fast : Modern SOC teams are drowning in tools, alerts, and complexity. This live session with AirMDR CEO Kumar Saurabh and SACR CEO Francis Odum cuts through the noise—showing what to build, what to buy, and what to automate for real results.

Learn how top teams design efficient, cost-effective SOCs that actually work. Join now to make smarter security decisions. AI Is Rewriting Cloud Forensics — Learn How to Investigate Faster : Cloud investigations are getting harder as evidence disappears fast and systems change by the minute. Traditional forensics can’t keep up.

Join Wiz’s experts to see how AI and context-aware forensics are transforming cloud incident response—helping teams capture the right data automatically, connect the dots faster, and uncover what really happened in minutes instead of days. Build Your Quantum-Safe Defense: Get Guidance for IT Leaders : Quantum computers could soon break the encryption that protects today’s data. Hackers are already stealing encrypted information now to decrypt it later. Join this Zscaler webinar to learn how post-quantum cryptography keeps your business safe—using hybrid encryption, zero trust, and quantum-ready security tools built for the future.

🔧 Cybersecurity Tools
Vulnhalla: CyberArk open-sources a new tool that automates vulnerability triage by combining CodeQL analysis with AI models like GPT-4 or Gemini. It scans public code repositories, runs CodeQL queries to find potential issues, and then uses AI to decide which ones are real security flaws versus false positives. This helps developers and security teams quickly focus on genuine risks instead of wasting time sorting through noisy scan results. OpenClaw; A personal AI assistant running in Cloudflare Workers, connecting to Telegram, Discord, and Slack with secure device pairing.

It uses Claude via Anthropic API and optional R2 storage for persistence—showcasing how AI agents can run safely in a sandboxed, serverless Cloudflare setup. Disclaimer: These tools are provided for research and educational use only. They are not security-audited and may cause harm if misused. Review the code, test in controlled environments, and comply with all applicable laws and policies.

Conclusion Cybersecurity keeps moving fast. This week’s stories show how attacks, defenses, and discoveries keep shifting the balance. Staying secure now means staying alert, reacting fast, and knowing what’s changing around you. The past few days proved that no one is too small to be a target and no system is ever fully safe.

Every patch, every update, every fix counts — because threats don’t wait. Keep learning, stay cautious, and keep your guard up. The next wave of attacks is already forming. Found this article interesting?

Securing the Mid-Market Across the Complete Threat Lifecycle

For mid-market organizations, cybersecurity is a constant balancing act. Proactive, preventative security measures are essential to protect an expanding attack surface. Combined with effective protection that blocks threats, they play a critical role in stopping cyberattacks before damage is done. The challenge is that many security tools add complexity and cost that most mid-market businesses can’t absorb.

With limited budgets and lean IT and security teams, organizations often focus on detection and response. While necessary, this places a significant operational burden on teams already stretched thin. A more sustainable approach is security across the complete threat lifecycle—combining prevention, protection, detection, and response in a way that reduces risk without increasing cost or complexity. Why Mid-Market Security Often Feels Stuck Most mid-market organizations rely on a small set of foundational tools, such as endpoint protection, email security, and network firewalls.

However, limited staff and resources often leave these tools operating as isolated point solutions, preventing teams from extracting their full value. Endpoint Detection and Response (EDR) is a common example. Although EDR is included in most Endpoint Protection Platforms (EPP), many organizations struggle to use it effectively. EDR was designed for enterprises with dedicated security operations teams, and using it well requires time and specialized expertise to configure, monitor, and respond to alerts.

With teams focused on firefighting, there is little time for proactive improvements that strengthen overall security. Unlocking more value from existing tools is often the fastest way to improve coverage without adding complexity. Making Advanced Security Accessible with Platforms Security platforms extend the value of EDR by providing visibility across the broader attack surface. By correlating signals from endpoints, cloud, identities, and networks, platforms turn fragmented insights into a unified view through Extended Detection and Response (XDR).

Many platforms are also shifting beyond reactive detection and response to include proactive prevention. Preventative controls help stop attackers before they gain a foothold, reducing pressure on already lean teams. Solutions such as Bitdefender GravityZone consolidate critical security capabilities into a single platform, enabling centralized management, visibility, and reporting across the security program. This approach allows mid-market organizations to achieve broader coverage without increasing operational overhead.

Extending Coverage with MDR Managed Detection and Response (MDR) services offer another way to strengthen security quickly. MDR provides 24/7 monitoring, proactive threat hunting, and incident response, effectively extending internal teams without adding headcount. By combining a unified platform with MDR, mid-market organizations can close coverage gaps and focus internal resources on strategic priorities. Takeaway: Security Across the Threat Lifecycle Improving mid-market cybersecurity isn’t about adding more tools—it’s about using the right tools more effectively.

Integrating prevention, protection, detection, and response across the threat lifecycle enables stronger security outcomes with less complexity. Platforms like Bitdefender GravityZone help mid-market organizations strengthen resilience while reducing the operational burden on lean teams. To explore this approach further, read How to Secure Your Mid-Market Business Across the Complete Threat Lifecycle or the Buyer’s Guide for Mid-Market Businesses: Choosing the Right Security Platform . Found this article interesting?

This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Users

The maintainer of Notepad++ has revealed that state-sponsored attackers hijacked the utility’s update mechanism to redirect update traffic to malicious servers instead. “The attack involved [an] infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org,” developer Don Ho said . “The compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself.” The exact mechanism through which this was realized is currently being investigated, Ho added. The development comes a little over a month after Notepad++ released version 8.8.9 to address an issue that resulted in traffic from WinGUp, the Notepad++ updater, being “occasionally” redirected to malicious domains, resulting in the download of poisoned executables.

Specifically, the problem stemmed from the way the updater verified the integrity and authenticity of the downloaded update file, allowing an attacker who is able to intercept network traffic between the updater client and the update server to trick the tool into downloading a different binary instead. It’s believed this redirection was highly targeted, with traffic originating from only certain users routed to the rogue servers and fetching the malicious components. The incident is assessed to have commenced in June 2025, more than six months before it came to light. Independent security researcher Kevin Beaumont revealed that the flaw was being exploited by threat actors in China to hijack networks and deceive targets into downloading malware.

The attacks, attributed to a nation-state threat actor known as Violet Typhoon (aka APT31), targeted telecommunications and financial services organizations in East Asia. In response to the security incident, the Notepad++ website has been migrated to a new hosting provider with “significantly strong practices,” and the update process has been hardened with additional guardrails to ensure its integrity. “According to the former hosting provider, the shared hosting server was compromised until September 2, 2025,” Ho explained. “Even after losing server access, attackers maintained credentials to internal services until December 2, 2025, which allowed them to continue redirecting Notepad++ update traffic to malicious servers.” Found this article interesting?

eScan Antivirus Update Servers Compromised to Deliver Multi-Stage Malware

The update infrastructure for eScan antivirus, a security solution developed by Indian cybersecurity company MicroWorld Technologies, has been compromised by unknown attackers to deliver a persistent downloader to enterprise and consumer systems. “Malicious updates were distributed through eScan’s legitimate update infrastructure, resulting in the deployment of multi-stage malware to enterprise and consumer endpoints globally,” Morphisec researcher Michael Gorelik said . MicroWorld Technologies has revealed that it detected unauthorized access to its infrastructure and immediately isolated the impacted update servers, which remained offline for over eight hours. It has also released a patch that reverts the changes introduced as part of the malicious update.

Impacted organizations are recommended to contact MicroWorld Technologies to obtain the fix. It also pinned the attack as resulting from unauthorized access to one of its regional update server configurations, which enabled the threat actors to distribute a “corrupt” update to customers during a “limited timeframe” of about two hours on January 20, 2026. “eScan experienced a temporary update service disruption starting January 20, 2026, affecting a subset of customers whose systems automatically download updates during a specific timeframe, from a specific update cluster,” the company said in an advisory issued on January 22, 2026. “The issue resulted from unauthorized access to the regional update server infrastructure.

The incident has been identified and resolved. Comprehensive remediation is available that addresses all observed scenarios.” Morphisec, which identified the incident on January 20, 2026, said the malicious payload interferes with the regular functionality of the product, effectively preventing automatic remediation. This specifically involves delivering a malicious “ Reload.exe “ file that’s designed to drop a downloader, which contains functionality to establish persistence, block remote updates, and contact an external server to fetch additional payloads, including “ CONSCTLX.exe .” According to details shared by Kaspersky, “Reload.exe” – a legitimate file located in “C:\Program Files (x86)\escan\reload.exe” – is replaced with a rogue counterpart that can prevent further antivirus product updates by modifying the HOSTS file. It’s signed with a fake, invalid digital signature.

“When started, this reload.exe file checks whether it is launched from the Program Files folder, and exits if not,” the Russian cybersecurity company said . “This executable is based on the UnmanagedPowerShell tool, which allows executing PowerShell code in any process. Attackers have modified the source code of this project by adding an AMSI bypass capability to it, and used it to execute a malicious PowerShell script inside the reload.exe process.” The primary responsibility of the binary is to launch three Base64-encoded PowerShell payloads, which are designed to - Tamper with the installed eScan solution to prevent it from receiving updates and detecting the installed malicious components Bypass Windows Antimalware Scan Interface (AMSI) Check whether the victim machine should be further infected, and if yes, deliver a PowerShell-based payload to it The victim validation step examines the list of installed software, running processes, and services against a hard-coded blocklist that includes analysis tools and security solutions, including those from Kaspersky. If they are detected, no further payloads are delivered.

The PowerShell payload, once executed, contacts an external server to receive two payloads in return: “CONSCTLX.exe” and a second PowerShell-based malware that’s launched by means of a scheduled task. It’s worth noting that the first of the three aforementioned PowerShell scripts also replaces the “C:\Program Files (x86)\eScan\CONSCTLX.exe” component with the malicious file. “CONSCTLX.exe” works by launching the PowerShell-based malware, alongside changing the last update time of the eScan product to the current time by writing the current date to the “C:\Program Files (x86)\eScan\Eupdate.ini” file so as to give the impression that the tool is working as expected. The PowerShell malware, for its part, performs the same validation procedures as before and sends an HTTP request to the attacker-controlled infrastructure to receive more PowerShell payloads from the server for subsequent execution.

The eScan bulletin does not say which regional update server was affected, but Kaspersky’s analysis of telemetry data has revealed “hundreds of machines belonging to both individuals and organizations” that encountered infection attempts with payloads related to the supply chain attack. These machines are mainly located in India, Bangladesh, Sri Lanka, and the Philippines. The security outfit also noted that the attackers had to have studied the internals of eScan in detail to understand how its update mechanism worked and how it could be tampered with to distribute malicious updates. It’s currently not known how the threat actors managed to secure access to the update server.

“Notably, it is quite unique to see malware being deployed through a security solution update,” it said. “Supply chain attacks are a rare occurrence in general, let alone the ones orchestrated through antivirus products.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Open VSX Supply Chain Attack Used Compromised Dev Account to Spread GlassWorm

Cybersecurity researchers have disclosed details of a supply chain attack targeting the Open VSX Registry in which unidentified threat actors compromised a legitimate developer’s resources to push malicious updates to downstream users. “On January 30, 2026, four established Open VSX extensions published by the oorzc author had malicious versions published to Open VSX that embed the GlassWorm malware loader,” Socket security researcher Kirill Boychenko said in a Saturday report. “These extensions had previously been presented as legitimate developer utilities (some first published more than two years ago) and collectively accumulated over 22,000 Open VSX downloads prior to the malicious releases.” The supply chain security company said that the supply chain attack involved the compromise of the developer’s publishing credentials, with the Open VSX security team assessing the incident as involving the use of either a leaked token or other unauthorized access. The malicious versions have since been removed from the Open VSX.

The list of identified extensions is below - FTP/SFTP/SSH Sync Tool (oorzc.ssh-tools — version 0.5.1) I18n Tools (oorzc.i18n-tools-plus — version 1.6.8) vscode mindmap (oorzc.mind-map — version 1.0.61) scss to css (oorzc.scss-to-css-compile — version 1.3.4) The poisoned versions, Socket noted, are designed to deliver a loader malware associated with a known campaign called GlassWorm . The loader is equipped to decrypt and run embedded at runtime, uses an increasingly weaponized technique called EtherHiding to fetch command-and-control (C2) endpoints, and ultimately run code designed to steal Apple macOS credentials and cryptocurrency wallet data. At the same time, the malware is detonated only after the compromised machine has been profiled, and it has been determined that it does not correspond to a Russian locale, a pattern commonly observed in malicious programs originating from or affiliated with Russian-speaking threat actors to avoid domestic prosecution. The kinds of information harvested by the malware include - Data from Mozilla Firefox and Chromium-based browsers (logins, cookies, internet history, and wallet extensions like MetaMask) Cryptocurrency wallet files (Electrum, Exodus, Atomic, Ledger Live, Trezor Suite, Binance, and TonKeeper) iCloud Keychain database Safari cookies Data from Apple Notes user documents from Desktop, Documents, and Downloads folders FortiClient VPN configuration files Developer credentials (e.g., ~/.aws and ~/.ssh) The targeting of developer information poses severe risks as it exposes enterprise environments to potential cloud account compromise and lateral movement attacks.

“The payload includes routines to locate and extract authentication material used in common workflows, including inspecting npm configuration for _authToken and referencing GitHub authentication artifacts, which can provide access to private repositories, CI secrets, and release automation,” Boychenko said. A significant aspect of the attack is that it diverges from previously observed GlassWorm indicators in that it makes use of a compromised account belonging to a legitimate developer to distribute the malware. In prior instances, the threat actors behind the campaign have leveraged typosquatting and brandjacking to upload fraudulent extensions for subsequent propagation. “The threat actor blends into normal developer workflows, hides execution behind encrypted, runtime-decrypted loaders, and uses Solana memos as a dynamic dead drop to rotate staging infrastructure without republishing extensions,” Socket said.

“These design choices reduce the value of static indicators and shift defender advantage toward behavioral detection and rapid response.” Update Secure Annex researcher John Tuckner told The Hacker News that three of the aforementioned extensions were still available for download as of February 2, 2026, 6:30 a.m. UTC. They have since been removed from Open VSX as of writing - oorzc.mind-map@1.0.61 oorzc.i18n-tools-plus@1.6.8 oorzc.scss-to-css-compile@1.3.4 “This is also tricky because victims will have to wait until the real developer publishes a new higher version in order for an auto update to be triggered,” Tuckner said. “Even if the extensions are removed from the marketplace, they won’t uninstall from editors.” (The story was updated after publication to include details of the extension status.) Found this article interesting?

Iran-Linked RedKitten Cyber Campaign Targets Human Rights NGOs and Activists

A Farsi-speaking threat actor aligned with Iranian state interests is suspected to be behind a new campaign targeting non-governmental organizations and individuals involved in documenting recent human rights abuses. The activity , observed by HarfangLab in January 2026, has been codenamed RedKitten . It’s said to coincide with the nationwide unrest in Iran that began towards the end of 2025, protesting soaring inflation, rising food prices, and currency depreciation. The ensuing crackdown has resulted in mass casualties and an internet blackout .

“The malware relies on GitHub and Google Drive for configuration and modular payload retrieval, and uses Telegram for command-and-control,” the French cybersecurity company said. What makes the campaign noteworthy is the threat actor’s likely reliance on large language models (LLMs) to build and orchestrate the necessary tooling. The starting point of the attack is a 7-Zip archive with a Farsi filename that contains macro-laced Microsoft Excel documents. The XLSM spreadsheets claim to include details about protesters who died in Tehran between December 22, 2025, and January 20, 2026.

But embedded within each of them is a malicious VBA macro, which, when enabled, functions as a dropper for a C#-based implant (“AppVStreamingUX_Multi_User.dll”) by means of a technique called AppDomainManager injection . The VBA macro, for its part, shows signs of being generated by an LLM due to the “overall style of the VBA code, the variable names and methods” used, as well as the presence of comments like “PART 5: Report the result and schedule if successful.” The attack is likely an effort to target individuals who are looking for information about missing persons, exploiting their emotional distress to provoke a false sense of urgency and trigger the infection chain. Analysis of the spreadsheet data, such as mismatched ages and birthdates, suggests it’s fabricated. The backdoor, dubbed SloppyMIO, uses GitHub as a dead drop resolver to retrieve Google Drive URLs that host images from which its configuration is steganographically obtained, including details of the Telegram bot token, Telegram chat ID, and links staging various modules.

As many as five different modules are supported - cm, to execute commands using “cmd.exe” do, to collect files on the compromised host and create a ZIP archive for each file that fits in the Telegram API file size limits up, to write a file to “%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\NativeImages\,” with the file data encoded within an image fetched via the Telegram API pr, to create a scheduled task for persistence to run an executable every two hours ra, to start a process In addition, the malware is capable of contacting a command-and-control (C2) server to beacon to the configured Telegram chat ID, receiving additional instructions and sending the results back to the operator: download, which runs the do module cmd, which runs the cm module runapp, to launch a process “The malware can fetch and cache multiple modules from remote storage, run arbitrary commands, collect and exfiltrate files and deploy further malware with persistence via scheduled tasks,” HarfangLab said. “SloppyMIO beacons status messages, polls for commands and sends exfiltrated files over to a specified operator leveraging the Telegram Bot API for command-and-control.” As for attribution, the links to Iranian actors are based on the presence of Farsi artifacts, the lure themes, and tactical similarities with prior campaigns, including that of Tortoiseshell , which has leveraged malicious Excel documents to deliver IMAPLoader using AppDomainManager injection. The attackers’ choice of GitHub as a dead drop resolver is also not without precedent. In late 2022, Secureworks (now part of Sophos) detailed a campaign undertaken by a sub-cluster of an Iranian nation-state group known as Nemesis Kitten that used GitHub as a conduit to deliver a backdoor referred to as Drokbk.

Complicating matters further is the growing adoption of artificial intelligence (AI) tools by adversaries, making it harder for defenders to distinguish one actor from the other. “The threat actor’s reliance on commoditized infrastructure (GitHub, Google Drive, and Telegram) hinders traditional infrastructure-based tracking but paradoxically exposes useful metadata and poses other operational security challenges to the threat actor,” HarfangLab said. The development comes a couple of weeks after U.K.-based Iranian activist and independent cyber espionage investigator Nariman Gharib revealed details of a phishing link (“whatsapp-meeting.duckdns[.]org”) that’s distributed via WhatsApp and captures victims’ credentials by displaying a fake WhatsApp Web login page. “The page polls the attacker’s server every second via /api/p/{victim_id}/,” Gharib explained .

“This lets the attacker serve a live QR code from their own WhatsApp Web session directly to the victim. When the target scans it with their phone, thinking they’re joining a ‘meeting,’ they’re actually authenticating the attacker’s browser session. Attacker gets full access to the victim’s WhatsApp account.” The phishing page is also designed to request browser permissions to access the device camera, microphone, and geolocation, effectively turning it into a surveillance kit that can capture victims’ photos, audio, and current whereabouts. It’s currently not known who is behind the campaign, or what was the motivation was behind it.

TechCrunch’s Zack Whittaker, who uncovered more specifics about the activity, said it’s also aimed at stealing Gmail credentials by serving a bogus Gmail login page that gathers a victim’s password and two-factor authentication (2FA) code. About 50 individuals have been found to be impacted. This includes ordinary people across the Kurdish community, academics, government officials, business leaders, and other senior figures. The findings also come in the aftermath of a major leak suffered by the Iranian hacking group Charming Kitten that laid bare its inner workings, organizational structure, and the key personnel involved.

The leaks also shed light on a surveillance platform named Kashef (aka Discoverer or Revealer ) for tracking Iranian citizens and foreign nationals by aggregating data collected by different departments associated with the Islamic Revolutionary Guard Corps (IRGC). In October 2025, Gharib also made available a database containing 1,051 individuals who enrolled in various training programs offered by Ravin Academy, a cybersecurity school founded in 2019 by two operatives of Iran’s Ministry of Intelligence and Security (MOIS), Seyed Mojtaba Mostafavi and Farzin Karimi. The entity was sanctioned by the U.S. Department of the Treasury in October 2022 for supporting and enabling MOIS’s operations.

This includes assisting MOIS with information security training, threat hunting, cybersecurity, red teaming, digital forensics, malware analysis, security auditing, penetration testing, network defense, incident response, vulnerability analysis, mobile penetration testing, reverse engineering, and security research. In a post shared on its Telegram channel on October 22, 2025, Ravin Academy confirmed the breach, stating one of its online systems, which was hosted outside its network, was the target of a cyber attack that led to the leak of usernames and phone numbers of some of the training participants. It also claimed the attack was carried out with an aim to undermine its reputation, and that a significant portion of the leaked information is invalid. “The model allows MOIS to outsource initial recruitment and vetting while maintaining operational control through the founders’ direct relationship with the intelligence service,” Gharib said.

“This dual-purpose structure enables MOIS to develop human capital for cyber operations while maintaining a layer of separation from direct government attribution.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Mandiant Finds ShinyHunters-Style Vishing Attacks Stealing MFA to Breach SaaS Platforms

Google-owned Mandiant on Friday said it identified an “expansion in threat activity” that uses tradecraft consistent with extortion-themed attacks orchestrated by a financially motivated hacking group known as ShinyHunters. The attacks leverage advanced voice phishing (aka vishing) and bogus credential harvesting sites mimicking targeted companies to gain unauthorized access to victim environments by collecting sign-on (SSO) credentials and multi-factor authentication (MFA) codes. The end goal of the attacks is to target cloud-based software-as-a-service (SaaS) applications to siphon sensitive data and internal communications and extort victims. The tech giant’s threat intelligence team said it’s tracking the activity under multiple clusters, including UNC6661, UNC6671, and UNC6240 (aka ShinyHunters), so as to account for the possibility that these groups could be evolving their modus operandi or mimicking previously observed tactics.

“While this methodology of targeting identity providers and SaaS platforms is consistent with our prior observations of threat activity preceding ShinyHunters-branded extortion, the breadth of targeted cloud platforms continues to expand as these threat actors seek more sensitive data for extortion,” Mandiant noted. “Further, they appear to be escalating their extortion tactics with recent incidents, including harassment of victim personnel, among other tactics.” Details of the vishing and credential theft activity are as follows - UNC6661 has been observed pretending to be IT staff in calls to employees at targeted victim organizations, directing them to credential harvesting links under the guise of instructing them to update their multi-factor authentication (MFA) settings. The activity was recorded between early and mid-January 2026. The stolen credentials are then used to register their own device for MFA and then move laterally across the network to exfiltrate data from SaaS platforms.

In at least one case, the threat actor weaponized their access to compromised email accounts to send more phishing emails to contacts at cryptocurrency-focused companies. The emails were subsequently deleted to cover up the tracks. This is followed by extortion activity conducted by UNC6240. UNC6671 has also been identified as impersonating IT staff to deceive victims as part of efforts to obtain their credentials and MFA authentication codes on victim-branded credential harvesting sites since early January 2026.

In at least some instances, the threat actors gained access to Okta customer accounts. UNC6671 has also leveraged PowerShell to download sensitive data from SharePoint and OneDrive. The differences between UNC6661 and UNC6671 relate to the use of different domain registrars for registering the credential harvesting domains (NICENIC for UNC6661 and Tucows for UNC6671), as well as the fact that an extortion email sent following UNC6671 activity did not overlap with known UNC6240 indicators. This indicates that different sets of people may be involved, illustrating the amorphous nature of these cybercrime groups.

What’s more, the targeting of cryptocurrency firms suggests that the threat actors may also be looking to explore further avenues for financial gain. To counter the threat posed to SaaS platforms, Google has outlined a long list of hardening, logging, and detection recommendations - Improve help desk processes, including requiring personnel to require a live video call to verify their identity Limit access to trusted egress points and physical locations; enforce strong passwords; and remove SMS, phone call, and email as authentication methods Restrict management-plane access, audit for exposed secrets and enforce device access controls Implement logging to increase visibility into identity actions, authorizations, and SaaS export behaviors Detect MFA device enrollment and MFA life cycle changes; look for OAuth/app authorization events that suggest mailbox manipulation activity using utilities like ToogleBox Email Recall , or identity events occurring outside normal business hours “This activity is not the result of a security vulnerability in vendors’ products or infrastructure,” Google said. “Instead, it continues to highlight the effectiveness of social engineering and underscores the importance of organizations moving towards phishing-resistant MFA where possible. Methods such as FIDO2 security keys or passkeys are resistant to social engineering in ways that push-based, or SMS authentication are not.” Found this article interesting?

CERT Polska Details Coordinated Cyber Attacks on 30+ Wind and Solar Farms

CERT Polska, the Polish computer emergency response team, revealed that coordinated cyber attacks targeted more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power plant (CHP) supplying heat to almost half a million customers in the country. The incident took place on December 29, 2025. The agency has attributed the attacks to a threat cluster dubbed Static Tundra , which is also tracked as Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, Energetic Bear, Ghost Blizzard (formerly Bromine), and Havex. Static Tundra is assessed to be linked to Russia’s Federal Security Service’s (FSB) Center 16 unit.

It’s worth noting that recent reports from ESET and Dragos attributed the activity with moderate confidence to a different Russian state-sponsored hacking group known as Sandworm. “All attacks had a purely destructive objective,” CERT Polska said in a report published Friday. “Although attacks on renewable energy farms disrupted communication between these facilities and the distribution system operator, they did not affect the ongoing production of electricity. Similarly, the attack on the combined heat and power plant did not achieve the attacker’s intended effect of disrupting heat supply to end users.” The attackers are said to have gained access to the internal network of power substations associated with a renewable energy facility to carry out reconnaissance and disruptive activities, including damaging the firmware of controllers, deleting system files, or launching custom-built wiper malware codenamed DynoWiper by ESET.

In the intrusion aimed at the CHP, the adversary engaged in long-term data theft dating all the way back to March 2025 that enabled them to escalate privileges and move laterally across the network. The attackers’ attempts to detonate the wiper malware were unsuccessful, CERT Polska noted. On the other hand, the targeting of the manufacturing sector company is believed to be opportunistic, with the threat actor gaining initial access via a vulnerable Fortinet perimeter device. The attack targeting the grid connection point is also likely to have involved the exploitation of a vulnerable FortiGate appliance.

At least four different versions of DynoWiper have been discovered to date. These variants were deployed on Mikronika HMI Computers used by the energy facility and on a network share within the CHP after securing access through the SSL‑VPN portal service of a FortiGate device. “The attacker gained access to the infrastructure using multiple accounts that were statically defined in the device configuration and did not have two‑factor authentication enabled,” CERT Polska said, detailing the actor’s modus operandi targeting the CHP. “The attacker connected using Tor nodes, as well as Polish and foreign IP addresses, which were often associated with compromised infrastructure.” The wiper’s functionality is fairly straightforward - Initialization that involves seeding a pseudorandom number generator (PRNG) called Mersenne Twister Enumerate files and corrupt them using the PRNG Delete files It’s worth mentioning here that the malware does not have a persistence mechanism, a way to communicate with a command‑and‑control (C2) server, or execute shell commands.

Nor does it attempt to hide the activity from security programs. CERT Polska said the attack targeting the manufacturing sector company involved the use of a PowerShell-based wiper dubbed LazyWiper that scripts overwrites files on the system with pseudorandom 32‑byte sequences to render them unrecoverable. It’s suspected that the core wiping functionality was developed using a large language model (LLM). “The malware used in the incident involving renewable energy farms was executed directly on the HMI machine,” CERT Polska pointed out.

“In contrast, in the CHP plant (DynoWiper) and the manufacturing sector company (LazyWiper), the malware was distributed within the Active Directory domain via a PowerShell script executed on a domain controller.” The agency also described some of the code-level similarities between DynoWiper and other wipers built by Sandworm as “general” in nature and does not offer any concrete evidence as to whether the threat actor participated in the attack. “The attacker used credentials obtained from the on‑premises environment in attempts to gain access to cloud services,” CERT Polska said. “After identifying credentials for which corresponding accounts existed in the M365 service, the attacker downloaded selected data from services such as Exchange, Teams, and SharePoint.” “The attacker was particularly interested in files and email messages related to OT network modernization, SCADA systems, and technical work carried out within the organizations.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Researchers Uncover Chrome Extensions Abusing Affiliate Links and Stealing ChatGPT Access

Cybersecurity researchers have discovered malicious Google Chrome extensions that come with capabilities to hijack affiliate links, steal data, and collect OpenAI ChatGPT authentication tokens. One of the extensions in question is Amazon Ads Blocker (ID: pnpchphmplpdimbllknjoiopmfphellj), which claims to be a tool to browse Amazon without any sponsored content. It was uploaded to the Chrome Web Store by a publisher named “10Xprofit” on January 19, 2026. “The extension does block ads as advertised, but its primary function is hidden: it automatically injects the developer’s affiliate tag (10xprofit-20) into every Amazon product link and replaces existing affiliate codes from content creators,” Socket security researcher Kush Pandya said .

Further analysis has determined that Amazon Ads Blocker is part of a larger cluster of 29 browser add-ons that target several e-commerce platforms like AliExpress, Amazon, Best Buy, Shein, Shopify, and Walmart. The complete list is as follows - AliExpress Invoice Generator (FREE) - AliInvoice™️ (10+ Templates) (ID: mabbblhhnmlckjbfppkopnccllieeocp) AliExpress Price Tracker - Price History & Alerts (ID: loiofaagnefbonjdjklhacdhfkolcfgi) AliExpress Quick Currency & Price Converter (ID: mcaglpclodnaiimhicpjemhcinjfnjce) AliExpress Deals Countdown - Flash Sale Timer (ID: jmlgkeaofknfmnbpmlmadnfnfajdlehn) 10Xprofit - Amazon Seller Tools (FBA & FBM) (ID: ahlnchhkedmjbdocaamkbmhppnligmoh) Amazon Ads Blocker (ID: pnpchphmplpdimbllknjoiopmfphellj) Amazon ASIN Lookup 10xprofit (ID: ljcgnobemekghgobhlplpehijemdgcgo) Amazon Search Suggestion (ID: dnmfcojgjchpjcmjgpgonmhccibjopnb) Amazon Product Scraper 10xprofit (ID: mnacfoefejolpobogooghoclppjcgfcm) Amazon Quick Brand Search (ID: nigamacoibifjohkmepefofohfedblgg) Amazon Stock Checker 999 (ID: johobikccpnmifjjpephegmfpipfbfme) Amazon Price History Saver (ID: kppfbknppimnoociaomjcdgkebdmenkh) Amazon ASIN Copy (ID: aohfjaadlbiifnnajpobdhokecjokhab) Amazon Keyword Cloud Generator (ID: gfdbbmngalhmegpkejhidhgdpmehlmnd) Amazon Image Downloader (ID: cpcojeeblggnjjgnpiicndnahfhjdobd) Amazon Negative Review Hider (ID: hkkkipfcdagiocekjdhobgmlkhejjfoj) Amazon Listing Score Checker (ID: jaojpdijbaolkhkifpgbjnhfbmckoojh) Amazon Keyword Density Searcher (ID: ekomkpgkmieaaekmaldmaljljahehkoi) Amazon Sticky Notes (ID: hkhmodcdjhcidbcncgmnknjppphcpgmh) Amazon Result Numbering (ID: nipfdfkjnidadibpbflijepbllfkokac) Amazon Profit Calculator Lite (ID: behckapcoohededfbgjgkgefgkpodeho) Amazon Weight Converter (ID: dfnannaibdndmkienngjahldiofjbkmj) Amazon BSR Fast View (ID: nhilffccdbcjcnoopblecppbhalagpaf) Amazon Character Count & Seller Tools (ID: goikoilmhcgfidolicnbgggdpckdcoam) Amazon Global Price Checker (ID: mjcgfimemamogfmekphcfdehfkkbmldn) BestBuy Search By Image (ID: nppjmiadmakeigiagilkfffplihgjlec) SHEIN Search By Image (ID: mpgaodghdhmeljgogbeagpbhgdbfofgb) Shopify Search By Image (ID: gjlbbcimkbncedhofeknicfkhgaocohl) Walmart Search By Image (ID: mcaihdkeijgfhnlfcdehniplmaapadgb) While “Amazon Ads Blocker” offers the advertised functionality, it also embeds malicious code that scans all Amazon product URL patterns for any affiliate tag without requiring any user interaction, and replaces it with “10xprofit-20” (or “_c3pFXV63” for AliExpress). In cases where there are no tags, the attacker’s tag is appended to each URL. Socket also noted that the extension listing page on the Chrome Web Store makes misleading disclosures, claiming that the developers earn a “small commission” every time a user makes use of a coupon code to make a purchase.

Affiliate links are widely used across social media and websites. They refer to URLs containing a specific ID that enables tracking of traffic and sales to a particular marketer. When a user clicks this link to buy the product, the affiliate earns a cut of the sale. Due to the extensions searching for existing tags and replacing them, social media content creators who share Amazon product links with their own affiliate tags lose commissions when users who have installed the add-on click those links.

This amounts to a violation of Chrome Web Store policies , as they require extensions using affiliate links to accurately divulge how the program works, require user action before each injection, and never replace existing affiliate codes. “The disclosure describes a coupon/deal extension with user-triggered reveals. The actual product is an ad blocker with automatic link modification,” Pandya explained. “This mismatch between disclosure and implementation creates false consent.” “The extension also violates the Single Purpose policy by combining two unrelated functions (ad blocking and affiliate injection) that should be separate extensions.” The identified extensions have also been found to scrape product data and exfiltrate it to “app.10xprofit[.]io,” with those focusing on AliExpress serving bogus “LIMITED TIME DEAL” countdown timers on product pages to create a false sense of urgency and rush them into making purchases so as to earn commissions on affiliate links.

“Extensions that combine unrelated functionality (ad blocking, price comparison, coupon finding) with affiliate injection should be treated as high-risk, particularly those with disclosures that don’t match the actual code behavior,” Socket said. The disclosure comes as Broadcom-owned Symantec flagged four different extensions that have a combined user base exceeding 100,000 users and are designed to steal data - Good Tab (ID: glckmpfajbjppappjlnhhlofhdhlcgaj), which grants full clipboard permissions to an external domain (“api.office123456[.]com”) to enable remote clipboard-read and clipboard-write permissions Children Protection (ID: giecgobdmgdamgffeoankaipjkdjbfep), which implements functionality to harvest cookies, inject ads, and execute arbitrary JavaScript by contacting a remote server DPS Websafe (ID: bjoddpbfndnpeohkmpbjfhcppkhgobcg), which changes the default search to one under their control to capture search terms entered by users and potentially route them to malicious websites Stock Informer (ID: beifiidafjobphnbhbbgmgnndjolfcho), which is susceptible to a years-old cross-site (XSS) vulnerability in the Stockdio Historical Chart WordPress plugin ( CVE-2020-28707 , CVSS score: 6.1) that could allow a remote attacker to execute JavaScript code “While browser extensions can provide a wide range of handy tools to help us achieve more online, much care needs to be taken when choosing to install them, even when installing from trusted sources,” researchers Yuanjing Guo and Tommy Dong said . Rounding off the list of malicious extensions is another network of 16 add-ons (15 on the Chrome Web Store and one on the Microsoft Edge Add-ons marketplace) that are designed to intercept and steal ChatGPT authentication tokens by injecting a content script into chatgpt[.]com. Cumulatively, the extensions were downloaded about 900 times, according to LayerX.

The extensions are assessed to be part of a coordinated campaign due to overlaps in source code, icons, branding, and descriptions - ChatGPT folder, voice download, prompt manager, free tools – ChatGPT Mods (ID: lmiigijnefpkjcenfbinhdpafehaddag) ChatGPT voice download, TTS download – ChatGPT Mods (ID: obdobankihdfckkbfnoglefmdgmblcld) ChatGPT pin chat, bookmark – ChatGPT Mods (ID: kefnabicobeigajdngijnnjmljehknjl) ChatGPT message navigator, history scroller – ChatGPT Mods (ID: ifjimhnbnbniiiaihphlclkpfikcdkab) ChatGPT model switch, save advanced model uses – ChatGPT Mods (ID: pfgbcfaiglkcoclichlojeaklcfboieh) ChatGPT export, Markdown, JSON, images – ChatGPT Mods (ID: hljdedgemmmkdalbnmnpoimdedckdkhm) ChatGPT Timestamp Display – ChatGPT Mods (ID: afjenpabhpfodjpncbiiahbknnghabdc) ChatGPT bulk delete, Chat manager – ChatGPT Mods (ID: gbcgjnbccjojicobfimcnfjddhpphaod) ChatGPT search history, locate specific messages – ChatGPT Mods (ID: ipjgfhcjeckaibnohigmbcaonfcjepmb) ChatGPT prompt optimization – ChatGPT Mods (ID: mmjmcfaejolfbenlplfoihnobnggljij) Collapsed message – ChatGPT Mods (ID: lechagcebaneoafonkbfkljmbmaaoaec) Multi-Profile Management & Switching – ChatGPT Mods (ID: nhnfaiiobkpbenbbiblmgncgokeknnno) Search with ChatGPT – ChatGPT Mods (ID: hpcejjllhbalkcmdikecfngkepppoknd) ChatGPT Token counter – ChatGPT Mods (ID: hfdpdgblphooommgcjdnnmhpglleaafj) ChatGPT Prompt Manager, Folder, Library, Auto Send – ChatGPT Mods (ID: ioaeacncbhpmlkediaagefiegegknglc) ChatGPT Mods – Folder Voice Download & More Free Tools (ID: jhohjhmbiakpgedidneeloaoloadlbdj) With artificial intelligence (AI)-related extensions becoming increasingly common in enterprise workflows, the development highlights an emerging attack surface where threat actors weaponize the trust associated with popular AI brands to deceive users into installing them. Because such tools often require elevated execution context within the browser and have access to sensitive data, seemingly harmless extensions can become a lucrative attack vector, permitting adversaries to obtain persistent access without the need for exploiting security flaws or resorting to other methods that may trigger security alarms. “Possession of such tokens provides account-level access equivalent to that of the user, including access to conversation history and metadata,” security researcher Natalie Zargarov said . “As a result, attackers can replicate the users’ access credentials to ChatGPT and impersonate them, allowing them to access all of the user’s ChatGPT conversations, data, or code.” Browsers Become a Lucrative Attack Vector The findings also coincide with the emergence of a new malware-as-a-service toolkit called Stanley that’s being peddled on a Russian cybercrime forum for between $2,000 and $6,000, and allows crooks to generate malicious Chrome browser extensions that can be used to serve phishing pages within an HTML iframe element while still showing the legitimate URL in the address bar.

Customers of the tool gain access to a C2 panel for managing victims, configuring spoofed redirects, and sending fake browser notifications. Those who are willing to spend $6,000 get a guarantee that any extension they create using the kit will pass Google’s vetting process for the Chrome Web Store. These extensions take the form of innocuous note-taking utilities to fly under the radar. But their malicious behavior is activated when the user navigates to a website of interest to the attacker, such as a bank, at which point a full-screen iframe containing the phishing page is overlaid, while leaving the browser’s URL bar intact.

This visual deception creates a defensive blind spot that can dupe even vigilant users into entering their credentials or sensitive information on the page. As of January 27, 2026, the service appears to have vanished – likely prompted by the public disclosure – but it’s very much possible that it can resurface under a different name in the future. “Stanley provides a turnkey website-spoofing operation disguised as a Chrome extension, with its premium tier promising guaranteed publication on the Chrome Web Store,” Varonis researcher Daniel Kelley noted earlier this week. “BYOD policies, SaaS-first environments, and remote work have made the browser the new endpoint.

Attackers have noticed. Malicious browser extensions are now a primary attack vector.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.