2026-02-04 AI创业新闻

Docker Fixes Critical Ask Gordon AI Flaw Allowing Code Execution via Image Metadata

Cybersecurity researchers have disclosed details of a now-patched security flaw impacting Ask Gordon , an artificial intelligence (AI) assistant built into Docker Desktop and the Docker Command-Line Interface (CLI), that could be exploited to execute code and exfiltrate sensitive data. The critical vulnerability has been codenamed DockerDash by cybersecurity company Noma Labs. It was addressed by Docker with the release of version 4.50.0 in November 2025. “In DockerDash, a single malicious metadata label in a Docker image can be used to compromise your Docker environment through a simple three-stage attack: Gordon AI reads and interprets the malicious instruction, forwards it to the MCP [Model Context Protocol] Gateway, which then executes it through MCP tools,” Sasi Levi, security research lead at Noma, said in a report shared with The Hacker News.

“Every stage happens with zero validation, taking advantage of current agents and MCP Gateway architecture.” Successful exploitation of the vulnerability could result in critical-impact remote code execution for cloud and CLI systems, or high-impact data exfiltration for desktop applications. The problem, Noma Security said, stems from the fact that the AI assistant treats unverified metadata as executable commands, allowing it to propagate through different layers sans any validation, allowing an attacker to sidestep security boundaries. The result is that a simple AI query opens the door for tool execution. With MCP acting as a connective tissue between a large language model (LLM) and the local environment, the issue is a failure of contextual trust.

The problem has been characterized as a case of Meta-Context Injection. “MCP Gateway cannot distinguish between informational metadata (like a standard Docker LABEL) and a pre-authorized, runnable internal instruction,” Levi said. “By embedding malicious instructions in these metadata fields, an attacker can hijack the AI’s reasoning process.” In a hypothetical attack scenario, a threat actor can exploit a critical trust boundary violation in how Ask Gordon parses container metadata. To accomplish this, the attacker crafts a malicious Docker image with embedded instructions in Dockerfile LABEL fields.

While the metadata fields may seem innocuous, they become vectors for injection when processed by Ask Gordon AI. The code execution attack chain is as follows - The attacker publishes a Docker image containing weaponized LABEL instructions in the Dockerfile When a victim queries Ask Gordon AI about the image, Gordon reads the image metadata, including all LABEL fields, taking advantage of Ask Gordon’s inability to differentiate between legitimate metadata descriptions and embedded malicious instructions Ask Gordon to forward the parsed instructions to the MCP gateway, a middleware layer that sits between AI agents and MCP servers. MCP Gateway interprets it as a standard request from a trusted source and invokes the specified MCP tools without any additional validation MCP tool executes the command with the victim’s Docker privileges, achieving code execution The data exfiltration vulnerability weaponizes the same prompt injection flaw but takes aim at Ask Gordon’s Docker Desktop implementation to capture sensitive internal data about the victim’s environment using MCP tools by taking advantage of the assistant’s read-only permissions. The gathered information can include details about installed tools, container details, Docker configuration, mounted directories, and network topology.

It’s worth noting that Ask Gordon version 4.50.0 also resolves a prompt injection vulnerability discovered by Pillar Security that could have allowed attackers to hijack the assistant and exfiltrate sensitive data by tampering with the Docker Hub repository metadata with malicious instructions. “The DockerDash vulnerability underscores your need to treat AI Supply Chain Risk as a current core threat,” Levi said. “It proves that your trusted input sources can be used to hide malicious payloads that easily manipulate AI’s execution path. Mitigating this new class of attacks requires implementing zero-trust validation on all contextual data provided to the AI model.” Found this article interesting?

[Webinar] The Smarter SOC Blueprint: Learn What to Build, Buy, and Automate

Most security teams today are buried under tools. Too many dashboards. Too much noise. Not enough real progress.

Every vendor promises “complete coverage” or “AI-powered automation,” but inside most SOCs, teams are still overwhelmed, stretched thin, and unsure which tools are truly pulling their weight. The result? Bloated stacks, missed signals, and mounting pressure to do more with less. This live session, “ Breaking Down the Modern SOC: What to Build vs Buy vs Automate ,” with Kumar Saurabh (CEO, AirMDR) and Francis Odum (CEO, SACR) , clears the fog.

No jargon. Just real answers to the question every security leader faces: What should we build, what should we buy, and what should we automate? Secure your spot for the live session ➜ You’ll see what a healthy modern SOC looks like today—how top-performing teams decide where to build, when to buy, and how to automate without losing control. The session goes beyond theory: expect a real customer case study, a side-by-side look at common SOC models, and a practical checklist you can use right away to simplify operations and improve results.

If your SOC feels overloaded, underfunded, or always one step behind, this session is your reset point. You’ll leave with clarity, not buzzwords—a grounded view of how to strengthen your SOC with the people, tools, and budget you already have. Budgets are shrinking. Threats are scaling.

The noise is deafening. It’s time to pause, rethink, and rebuild smarter. Register for the Webinar ➜ Register Free Now — and learn how to simplify your SOC, cut the clutter, and make every decision count. Found this article interesting?

This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Hackers Exploit Metro4Shell RCE Flaw in React Native CLI npm Package

Threat actors have been observed exploiting a critical security flaw impacting the Metro Development Server in the popular “@react-native-community/cli” npm package. Cybersecurity company VulnCheck said it first observed exploitation of CVE-2025-11953 (aka Metro4Shell) on December 21, 2025. With a CVSS score of 9.8, the vulnerability allows remote unauthenticated attackers to execute arbitrary operating system commands on the underlying host. Details of the flaw were first documented by JFrog in November 2025.

Despite more than a month after initial exploitation in the wild, the “activity has yet to see broad public acknowledgment,” it added. In the attack detected against its honeypot network, the threat actors have weaponized the flaw to deliver a Base64-encoded PowerShell script that, once parsed, is configured to perform a series of actions, including Microsoft Defender Antivirus exclusions for the current working directory and the temporary folder (“C:\Users<Username>\AppData\Local\Temp”). The PowerShell script also establishes a raw TCP connection to an attacker-controlled host and port (“8.218.43[.]248:60124”) and sends a request to retrieve data, write it to a file in the temporary directory, and execute it. The downloaded binary is based in Rust, and features anti-analysis checks to hinder static inspection.

The attacks have been found to originate from the following IP addresses - 5.109.182[.]231 223.6.249[.]141 134.209.69[.]155 Describing the activity as neither experimental nor exploratory, VulnCheck said the delivered payloads were “consistent across multiple weeks of exploitation, indicating operational use rather than vulnerability probing or proof-of-concept testing.” “CVE-2025-11953 is not remarkable because it exists. It is remarkable because it reinforces a pattern defenders continue to relearn. Development infrastructure becomes production infrastructure the moment it is reachable, regardless of intent.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

When Cloud Outages Ripple Across the Internet

Recent major cloud service outages have been hard to miss. High-profile incidents affecting providers such as AWS, Azure, and Cloudflare have disrupted large parts of the internet, taking down websites and services that many other systems depend on. The resulting ripple effects have halted applications and workflows that many organizations rely on every day. For consumers, these outages are often experienced as an inconvenience, such as being unable to order food, stream content, or access online services.

For businesses, however, the impact is far more severe. When an airline’s booking system goes offline, lost availability translates directly into lost revenue, reputational damage, and operational disruption. These incidents highlight that cloud outages affect far more than compute or networking. One of the most critical and impactful areas is identity.

When authentication and authorization are disrupted, the result is not just downtime; it is a core operational and security incident. Cloud Infrastructure, a Shared Point of Failure Cloud providers are not identity systems. But modern identity architectures are deeply dependent on cloud-hosted infrastructure and shared services. Even when an authentication service itself remains functional, failures elsewhere in the dependency chain can render identity flows unusable.

Most organizations rely on cloud infrastructure for critical identity-related components, such as: Datastores holding identity attributes and directory information Policy and authorization data Load balancers, control planes, and DNS These shared dependencies introduce risk in the system. A failure in any one of them can block authentication or authorization entirely, even if the identity provider is technically still running. The result is a hidden single point of failure that many organizations, unfortunately, only discover during an outage. Identity, the Gatekeeper for Everything Authentication and authorization aren’t isolated functions used only during login - they are continuous gatekeepers for every system, API, and service.

Modern security models, specifically Zero Trust, are built on the principle of “never trust, always verify” . That verification depends entirely on the availability of identity systems. This applies equally to human users and machine identities . Applications authenticate constantly.

APIs authorize every request. Services obtain tokens to call other services. When identity systems are unavailable, nothing works. Because of this, identity outages directly threaten business continuity.

They should trigger the highest level of incident response, with proactive monitoring and alerting across all dependent services. Treating identity downtime as a secondary or purely technical issue significantly underestimates its impact. The Hidden Complexity of Authentication Flows Authentication involves far more than verifying a username and password, or a passkey, as organizations increasingly move toward passwordless models. A single authentication event typically triggers a complex chain of operations behind the scenes.

Identity systems are commonly: Resolve user attributes from directories or databases Store session state Issue access tokens containing scopes, claims, and attributes Perform fine-grained authorization decisions using policy engines Authorization checks may occur both during token issuance and at runtime when APIs are accessed. In many cases, APIs must authenticate themselves and obtain tokens before calling other services. Each of these steps depends on the underlying infrastructure. Datastores, policy engines, token stores, and external services all become part of the authentication flow.

A failure in any one of these components can fully block access, impacting users, applications, and business processes. Why Traditional High Availability Isn’t Enough High availability is widely implemented and absolutely necessary, but it is often insufficient for identity systems. Most high-availability designs focus on regional failover: a primary deployment in one region with a secondary in another. If one region fails, traffic shifts to the backup.

This approach breaks down when failures affect shared or global services. If identity systems in multiple regions depend on the same cloud control plane, DNS provider, or managed database service, regional failover provides little protection. In these scenarios, the backup system fails for the same reasons as the primary. The result is an identity architecture that appears resilient on paper but collapses under large-scale cloud or platform-wide outages.

Designing Resilience for Identity Systems True resilience must be deliberately designed. For identity systems, this often means reducing dependency on a single provider or failure domain. Approaches may include multi-cloud strategies or controlled on-premises alternatives that remain accessible even when cloud services are degraded. Equally important is planning for degraded operation.

Fully denying access during an outage has the highest possible business impact. Allowing limited access, based on cached attributes, precomputed authorization decisions, or reduced functionality, can dramatically reduce operational and reputational damage. Not all identity-related data needs the same level of availability. Some attributes or authorization sources may be less fault-tolerant than others, and that may be acceptable.

What matters is making these trade-offs deliberately, based on business risk rather than architectural convenience. Identity systems must be engineered to fail gracefully. When infrastructure outages are inevitable, access control should degrade predictably, not completely collapse. Ready to get started with a robust identity management solution?

Try the Curity Identity Server for free . Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

APT28 Uses Microsoft Office CVE-2026-21509 in Espionage-Focused Malware Attacks

The Russia-linked state-sponsored threat actor known as APT28 (aka UAC-0001) has been attributed to attacks exploiting a newly disclosed security flaw in Microsoft Office as part of a campaign codenamed Operation Neusploit . Zscaler ThreatLabz said it observed the hacking group weaponizing the shortcoming on January 29, 2026, in attacks targeting users in Ukraine, Slovakia, and Romania, three days after Microsoft publicly disclosed the existence of the bug. The vulnerability in question is CVE-2026-21509 (CVSS score: 7.8), a security feature bypass in Microsoft Office that could allow an unauthorized attacker to send a specially crafted Office file and trigger it. The Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), and Office Product Group Security Team, along with Google Threat Intelligence Group (GTIG), have been credited with discovering and reporting the flaw.

“Social engineering lures were crafted in both English and localized languages (Romanian, Slovak, and Ukrainian) to target the users in the respective countries,” security researchers Sudeep Singh and Roy Tay said. “The threat actor employed server-side evasion techniques, responding with the malicious DLL only when requests originated from the targeted geographic region and included the correct User-Agent HTTP header.” The attack chains, in a nutshell, entail the exploitation of the security hole by means of a malicious RTF file to deliver two different versions of a dropper, one that’s designed to drop an Outlook email stealer called MiniDoor , and another, referred to as PixyNetLoader , that’s responsible for the deployment of a Covenant Grunt implant. The first dropper acts as a pathway for serving MiniDoor, a C++-based DLL file that steals a user’s emails in various folders (Inbox, Junk, and Drafts) and forwards them to two hard-coded threat actor email addresses: ahmeclaw2002@outlook[.]com and ahmeclaw@proton[.]me. MiniDoor is assessed to be a stripped-down version of NotDoor (aka GONEPOSTAL), which was documented by S2 Grupo LAB52 in September 2025.

In contrast, the second dropper, i.e., PixyNetLoader, is used to initiate a much more elaborate attack chain that involves delivering additional components embedded into it and setting up persistence on the host using COM object hijacking . Among the extracted payloads are a shellcode loader (“EhStoreShell.dll”) and a PNG image (“SplashScreen.png”). The primary responsibility of the loader is to parse shellcode concealed using steganography within the image and execute it. That said, the loader only activates its malicious logic if the infected machine is not an analysis environment and when the host process that launched the DLL is “explorer.exe.” The malware stays dormant if the conditions are not met.

The extracted shellcode, ultimately, is used to load an embedded .NET assembly, which is nothing but a Grunt implant associated with the open source .NET COVENANT command-and-control (C2) framework. It’s worth noting that APT28’s use of the Grunt Stager was highlighted by Sekoia in September 2025 in connection with a campaign named Operation Phantom Net Voxel. “The PixyNetLoader infection chain shares notable overlap with Operation Phantom Net Voxel,” Zscaler said. “Although the earlier campaign used a VBA macro, this activity replaces it with a DLL while retaining similar techniques, including (1) COM hijacking for execution, (2) DLL proxying, (3) XOR string encryption techniques, and (4) Covenant Grunt and its shellcode loader embedded in a PNG via steganography.” The disclosure coincides with a report from the Computer Emergency Response Team of Ukraine (CERT-UA) that also warned of APT28’s abuse of CVE-2026-21509 using Word documents to target more than 60 email addresses associated with central executive authorities in the country.

Metadata analysis reveals that one of the lure documents was created on January 27, 2026. “During the investigation, it was found that opening the document using Microsoft Office leads to establishing a network connection to an external resource using the WebDAV protocol, followed by downloading a file with a shortcut file name containing program code designed to download and run an executable file,” CERT-UA said. This, in turn, triggers an attack chain that’s identical to PixyNetLoader, resulting in the deployment of the COVENANT framework’s Grunt implant. Found this article interesting?

Mozilla Adds One-Click Option to Disable Generative AI Features in Firefox

Mozilla on Monday announced a new controls section in its Firefox desktop browser settings that allows users to completely turn off generative artificial intelligence (GenAI) features. “It provides a single place to block current and future generative AI features in Firefox,” Ajit Varma, head of Firefox, said . “You can also review and manage individual AI features if you choose to use them. This lets you use Firefox without AI while we continue to build AI features for those who want them.” Mozilla first announced its plans to integrate AI into Firefox in November 2025, stating it’s fully opt-in and that it’s incorporating the technology while placing users in the driver’s seat.

The new feature is expected to be rolled out with Firefox 148, which is scheduled to be released on February 24, 2026. At the outset, AI controls will allow users to manage the following settings individually - Translations Alt text in PDFs (adding accessibility descriptions to images in PDF pages) AI-enhanced tab grouping (suggestions for related tabs and group names) Link previews (show key points before a link is opened) AI chatbot in the sidebar (Using well-known chatbots like Anthropic Claude, OpenAI ChatGPT, Microsoft Copilot, Google Gemini, and Le Chat Mistral while navigating the web) Mozilla said user choice is crucial as more AI features are baked into web browsers, adding that it believes in giving people control regardless of how they feel about the technology. “If you don’t want to use AI features from Firefox at all, you can turn on the Block AI enhancements toggle,” Varma said. “When it’s toggled on, you won’t see pop-ups or reminders to use existing or upcoming AI features.” Last month, Mozilla’s new CEO, Anthony Enzor-DeMeo, said the company’s focus will be on becoming a trusted software company that gives users agency in how its products work.

“Privacy, data use, and AI must be clear and understandable,” Enzor-DeMeo said. “Controls must be simple. AI should always be a choice – something people can easily turn off.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom Hacking Group

A China-linked threat actor known as Lotus Blossom has been attributed with medium confidence to the recently discovered compromise of the infrastructure hosting Notepad++. The attack enabled the state-sponsored hacking group to deliver a previously undocumented backdoor codenamed Chrysalis to users of the open-source editor, according to new findings from Rapid7. The development comes shortly after Notepad++ maintainer Don Ho said that a compromise at the hosting provider level allowed threat actors to hijack update traffic starting June 2025 and selectively redirect such requests from certain users to malicious servers to serve a tampered update by exploiting insufficient update verification controls that existed in older versions of the utility. The weakness was plugged in December 2025 with the release of version 8.8.9.

It has since emerged that the hosting provider for the software was breached to perform targeted traffic redirections until December 2, 2025, when the attacker’s access was terminated. Notepad++ has since migrated to a new hosting provider with stronger security and rotated all credentials. Rapid7’s analysis of the incident has uncovered no evidence or artifacts to suggest that the site’s plugin or updater-related mechanisms were exploited to distribute malware. “The only confirmed behavior is that execution of ‘notepad++.exe’ and subsequently ‘GUP.exe’ preceded the execution of a suspicious process ‘update.exe’ which was downloaded from 95.179.213.0,” security researcher Ivan Feigl said.

“Update.exe” is a Nullsoft Scriptable Install System (NSIS) installer that contains multiple files - An NSIS installation script BluetoothService.exe, a renamed version of Bitdefender Submission Wizard that’s used for DLL side-loading (a technique widely used by Chinese hacking groups) BluetoothService, encrypted shellcode (aka Chrysalis) log.dll, a malicious DLL that’s sideloaded to decrypt and execute the shellcode Chrysalis is a bespoke, feature-rich implant that gathers system information and contacts an external server (“api.skycloudcenter[.]com”) to likely receive additional commands for execution on the infected host. The command-and-control (C2) server is currently offline. However, a deeper examination of the obfuscated artifact has revealed that it’s capable of processing incoming HTTP responses to spawn an interactive shell, create processes, perform file operations, upload/download files, and uninstall itself. “Overall, the sample looks like something that has been actively developed over time,” Rapid7 said, adding it also identified a file named “conf.c” that’s designed to retrieve a Cobalt Strike beacon by means of a custom loader that embeds Metasploit block API shellcode.

One such loader, “ConsoleApplication2.exe” is noteworthy for its use of Microsoft Warbird , an undocumented internal code protection and obfuscation framework, to execute shellcode. The threat actor has been found to copy and modify an already existing proof-of-concept (PoC) published by German cybersecurity company Cirosec in September 2024. Rapid7’s attribution of Chrysalis to Lotus Blossom (aka Billbug, Bronze Elgin, Lotus Panda, Raspberry Typhoon, Spring Dragon, and Thrip) based on similarities with prior campaigns undertaken by the threat actor, including one documented by Broadcom-owned Symantec in April 2025 that involved the use of legitimate executables from Trend Micro and Bitdefender to sideload malicious DLLs. “While the group continues to rely on proven techniques like DLL side-loading and service persistence, their multi-layered shellcode loader and integration of undocumented system calls (NtQuerySystemInformation) mark a clear shift toward more resilient and stealth tradecraft,” the company said.

“What stands out is the mix of tools: the deployment of custom malware (Chrysalis) alongside commodity frameworks like Metasploit and Cobalt Strike, together with the rapid adaptation of public research (specifically the abuse of Microsoft Warbird). This demonstrates that Billbug is actively updating its playbook to stay ahead of modern detection.” Kaspersky Observes 3 Infection Chains Kaspersky, in its own breakdown of the Notepad++ incident, said it observed three different infection chains that were designed to target about a dozen machines belonging to individuals located in Vietnam, El Salvador, and Australia, a government organization located in the Philippines, a financial organization located in El Salvador, and an IT service provider organization located in Vietnam. “Over the course of four months, from July to October 2025, attackers who have compromised Notepad++ have been constantly rotating C2 server addresses used for distributing malicious updates, the downloaders used for implant delivery, as well as the final payloads,” security researchers Georgy Kucherin and Anton Kargin said . The company said it did not detect any payloads being deployed starting from November 2025.

The details of the three infection sequences are below - Chain #1 (Between late July and early August 2025) Attackers were found to deploy a malicious Notepad++ update hosted at “45.76.155[.]202/update/update.exe,” which was then launched by the legitimate Notepad++ updater process WinGUp (“gup.exe”). The executable, an NSIS installer, was used to send system information to a temp[.]sh URL by executing a series of shell commands (whoami and tasklist). This behavior was described by a user named “soft-parsley” on the Notepad++ community forums in October 2025. Like in the case of “update.exe” documented by Rapid7, the “update.exe” used in this chain leveraged DLL side-loading by abusing a legitimate binary associated with ProShow software (“ProShow.exe”) to deploy two shellcodes: one that’s not meant to be executed and functioned as a distraction mechanism, while the second shellcode decrypted a Metasploit downloader payload that retrieves a Cobalt Strike beacon shellcode from a remote URL.

Chain #2 (Between the middle and the end of September 2025) The malicious update continued to be delivered via “45.76.155[.]202/update/update.exe,” while the “update.exe” NSIS installer featured slight tweaks to collect more system information (whoami, tasklist, and netstat) and deliver a completely different set of payloads, including a Lua script that’s engineered to execute shellcode. The launched shellcode was a Metasploit downloader that drops a Cobalt Strike beacon. A subsequently observed “update.exe” variant towards the end of September 2025 also harvested the results of the systeminfo shell command alongside whoami, tasklist, and netstat. Another version of the binary changed the system information upload URL to self-dns.it[.]com/list, along with the URL used by the Metasploit downloader and Cobalt Strike Beacon C2 server.

Chain #3 (October 2025) This infection chain altered the NSIS installer distribution URL to “45.32.144[.]255/update/update.exe” and initiated the same sequence of events described by Rapid7 above. What’s common to all three sets of attacks is the fact that the Beacons are loaded through a Metasploit downloader shellcode. Then, starting mid-October 2025, the attackers began to propagate the installer via three different URLs to launch a combination of both #2 and #3 execution chains - 95.179.213[.]0/update/update.exe 95.179.213[.]0/update/install.exe 95.179.213[.]0/update/AutoUpdater.exe The compromise of Notepad++’s update infrastructure is the latest example of how the software ecosystem has increasingly become the target of supply chain attacks in recent years. In breaching the mechanism used to distribute updates, it enabled the attackers to selectively break into machines of high-profile organizations across the world, the Russian cybersecurity vendor noted.

“The variety of infection chains makes detection of the Notepad++ supply chain attack quite a difficult and at the same time creative task,” Kaspersky said. “The attackers made an effort to avoid losing access to this infection vector — they were spreading the malicious implants in a targeted manner, and they were skilled enough to drastically change the infection chains about once a month.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Researchers Find 341 Malicious ClawHub Skills Stealing Data from OpenClaw Users

A security audit of 2,857 skills on ClawHub has found 341 malicious skills across multiple campaigns, according to new findings from Koi Security, exposing users to new supply chain risks. ClawHub is a marketplace designed to make it easy for OpenClaw users to find and install third-party skills. It’s an extension to the OpenClaw project, a self-hosted artificial intelligence (AI) assistant formerly known as both Clawdbot and Moltbot. The analysis, which Koi conducted with the help of an OpenClaw bot named Alex, found that 335 skills use fake pre-requisites to install an Apple macOS stealer named Atomic Stealer (AMOS).

This activity set has been codenamed ClawHavoc . “You install what looks like a legitimate skill – maybe solana-wallet-tracker or youtube-summarize-pro,” Koi researcher Oren Yomtov said. “The skill’s documentation looks professional. But there’s a ‘Prerequisites’ section that says you need to install something first.” This step involves instructions for both Windows and macOS systems: On Windows, users are asked to download a file called “openclaw-agent.zip” from a GitHub repository.

On macOS, the documentation tells them to copy an installation script hosted at glot[.]io and paste it into the Terminal app. The targeting of macOS is no coincidence, as reports have emerged of people buying Mac Minis to run the AI assistant 24x7. Present within the password-protected archive is a trojan with keylogging functionality to capture API keys, credentials, and other sensitive data on the machine, including those that the bot already has access to. On the other hand, the glot[.]io script contains obfuscated shell commands to fetch next-stage payloads from an attacker-controlled infrastructure.

This, in turn, entails reaching out to another IP address (“91.92.242[.]30”) to retrieve another shell script, which is configured to contact the same server to obtain a universal Mach-O binary that exhibits traits consistent with Atomic Stealer, a commodity stealer available for $500-1000/month that can harvest data from macOS hosts. According to Koi, the malicious skills masquerade as ClawHub typosquats (e.g., clawhub, clawhub1, clawhubb, clawhubcli, clawwhub, cllawhub) Cryptocurrency tools like Solana wallets and wallet trackers Polymarket bots (e.g., polymarket-trader, polymarket-pro, polytrading) YouTube utilities (e.g., youtube-summarize, youtube-thumbnail-grabber, youtube-video-downloader) Auto-updaters (e.g., auto-updater-agent, update, updater) Finance and social media tools (e.g., yahoo-finance-pro, x-trends-tracker) Google Workspace tools claiming integrations with Gmail, Calendar, Sheets, and Drive Ethereum gas trackers Lost Bitcoin finders In addition, the cybersecurity company said it identified skills that hide reverse shell backdoors inside functional code (e.g., better-polymarket and polymarket-all-in-one), or exfiltrate bot credentials present in “~/.clawdbot/.env” to a webhook[.]site (e.g., rankaj). The development coincides with a report from OpenSourceMalware, which also flagged the same ClawHavoc campaign targeting OpenClaw users. “The skills masquerade as cryptocurrency trading automation tools and deliver information-stealing malware to macOS and Windows systems,” a security researcher who goes by the online alias 6mile said .

“All these skills share the same command-and-control infrastructure (91.92.242[.]30) and use sophisticated social engineering to convince users to execute malicious commands, which then steal crypto assets like exchange API keys, wallet private keys, SSH credentials, and browser passwords.” OpenClaw Adds a Reporting Option The problem stems from the fact that ClawHub is open by default and allows anyone to upload skills. The only restriction at this stage is that a publisher must have a GitHub account that’s at least one week old. The issue with malicious skills hasn’t gone unnoticed by OpenClaw’s creator Peter Steinberger, who has since rolled out a reporting feature that allows signed-in users to flag a skill. “Each user can have up to 20 active reports at a time,” the documentation states .

“Skills with more than 3 unique reports are auto-hidden by default.” The findings underscore how open-source ecosystems continue to be abused by threat actors, who are now piggybacking on OpenClaw’s sudden popularity to orchestrate malicious campaigns and distribute malware at scale. In a report last week, Palo Alto Networks warned that OpenClaw represents what British programmer Simon Willison, who coined the term prompt injection, describes as a “ lethal trifecta “ that renders AI agents vulnerable by design due to their access to private data, exposure to untrusted content, and the ability to communicate externally. The intersection of these three capabilities, combined with OpenClaw’s persistent memory, “acts as an accelerant” and amplifies the risks, the cybersecurity company added. “With persistent memory, attacks are no longer just point-in-time exploits.

They become stateful, delayed-execution attacks,” researchers Sailesh Mishra and Sean P. Morgan said . “Malicious payloads no longer need to trigger immediate execution on delivery. Instead, they can be fragmented, untrusted inputs that appear benign in isolation, are written into long-term agent memory, and later assembled into an executable set of instructions.” “This enables time-shifted prompt injection, memory poisoning, and logic bomb–style activation, where the exploit is created at ingestion but detonates only when the agent’s internal state, goals, or tool availability align.” Found this article interesting?

OpenClaw Bug Enables One-Click Remote Code Execution via Malicious Link

A high-severity security flaw has been disclosed in OpenClaw (formerly referred to as Clawdbot and Moltbot) that could allow remote code execution (RCE) through a crafted malicious link. The issue, which is tracked as CVE-2026-25253 (CVSS score: 8.8), has been addressed in version 2026.1.29 released on January 30, 2026. It has been described as a token exfiltration vulnerability that leads to full gateway compromise. “The Control UI trusts gatewayUrl from the query string without validation and auto-connects on load, sending the stored gateway token in the WebSocket connect payload,” OpenClaw’s creator and maintainer Peter Steinberger said in an advisory.

“Clicking a crafted link or visiting a malicious site can send the token to an attacker-controlled server. The attacker can then connect to the victim’s local gateway, modify config (sandbox, tool policies), and invoke privileged actions, achieving 1-click RCE.” OpenClaw is an open-source autonomous artificial intelligence (AI) personal assistant that runs locally on user devices and integrates with a wide range of messaging platforms. Although initially released in November 2025, the project has gained rapid popularity in recent weeks, with its GitHub repository crossing 149,000 stars as of writing. “OpenClaw is an open agent platform that runs on your machine and works from the chat apps you already use,” Steinberger said .

“Unlike SaaS assistants where your data lives on someone else’s servers, OpenClaw runs where you choose – laptop, homelab, or VPS. Your infrastructure. Your keys. Your data.” Mav Levin, founding security researcher at depthfirst who is credited with discovering the shortcoming, said it can be exploited to create a one-click RCE exploit chain that takes only milliseconds after a victim visits a single malicious web page.

The problem is that clicking on the link to that web page is enough to trigger a cross-site WebSocket hijacking attack because OpenClaw’s server doesn’t validate the WebSocket origin header. This causes the server to accept requests from any website, effectively getting around localhost network restrictions. A malicious web page can take advantage of the issue to execute client-side JavaScript on the victim’s browser that can retrieve an authentication token, establish a WebSocket connection to the server, and use the stolen token to bypass authentication and log in to the victim’s OpenClaw instance. To make matters worse, by leveraging the token’s privileged operator.admin and operator.approvals scopes, the attacker can use the API to disable user confirmation by setting “exec.approvals.set” to “off” and escape the container used to run shell tools by setting “tools.exec.host” to “gateway.” “This forces the agent to run commands directly on the host machine, not inside a Docker container,” Levin said.

“Finally, to achieve arbitrary command execution, the attacker JavaScript executes a node.invoke request.” When asked whether OpenClaw’s use of the API to manage the safety features constitutes an architectural limitation, Levin told The Hacker News in an emailed response that, “I would say the problem is those defenses (sandbox and safety guardrails) were designed to contain malicious actions of an LLM, as a result of prompt injection, for example. And users might think these defenses would protect from this vulnerability (or limit the blast radius), but they don’t.” Steinberger noted in the advisory that “the vulnerability is exploitable even on instances configured to listen on loopback only, since the victim’s browser initiates the outbound connection.” “It impacts any Moltbot deployment where a user has authenticated to the Control UI. The attacker gains operator-level access to the gateway API, enabling arbitrary config changes and code execution on the gateway host. The attack works even when the gateway binds to loopback because the victim’s browser acts as the bridge.” Found this article interesting?

Microsoft Begins NTLM Phase-Out With Three-Stage Plan to Move Windows to Kerberos

Microsoft has announced a three-phase approach to phase out New Technology LAN Manager (NTLM) as part of its efforts to shift Windows environments toward stronger, Kerberos-based options. The development comes more than two years after the tech giant revealed its plans to deprecate the legacy technology, citing its susceptibility to weaknesses that could facilitate relay attacks and allow bad actors to gain unauthorized access to network resources. NTLM was formally deprecated in June 2024 and no longer receives updates. “NTLM consists of security protocols originally designed to provide authentication, integrity, and confidentiality to users,” Mariam Gewida, Technical Program Manager II at Microsoft, explained.

“However, as security threats have evolved, so have our standards to meet modern security expectations. Today, NTLM is susceptible to various attacks, including replay and man-in-the-middle attacks, due to its use of weak cryptography.” Despite the deprecated status, Microsoft said it continues to find the use of NTLM prevalent in enterprise environments where modern protocols like Kerberos cannot be implemented due to legacy dependencies, network limitations, or ingrained application logic. This, in turn, exposes organizations to security risks, such as replay, relay, and pass-the-hash attacks. To mitigate this problem in a secure manner, the company has adopted a three-phase strategy that paves the way for NTLM to be disabled by default - Phase 1: Building visibility and control using enhanced NTLM auditing to better understand where and why NTLM is still being used (Available now) Phase 2: Addressing common roadblocks that prevent a migration to NTLM through features like IAKerb and local Key Distribution Center (KDC) (pre-release), as well as updating core Windows components to prioritize Kerberos authentication (Expected in H2 2026) Phase 3: Disabling NTLM in the next version of Windows Server and associated Windows client, and requiring explicit re-enablement through new policy controls Microsoft has positioned the transition as a major step toward a passwordless, phishing-resistant future.

This also requires organizations relying on NTLM to conduct audits, map dependencies, migrate to Kerberos, test NTLM-off configurations in non-production environments, and enable Kerberos upgrades. “Disabling NTLM by default does not mean completely removing NTLM from Windows yet,” Gewida said. “Instead, it means that Windows will be delivered in a secure-by-default state where network NTLM authentication is blocked and no longer used automatically.” “The OS will prefer modern, more secure Kerberos-based alternatives. At the same time, common legacy scenarios will be addressed through new upcoming capabilities such as Local KDC and IAKerb (pre-release).” Found this article interesting?

⚡ Weekly Recap: Proxy Botnet, Office Zero-Day, MongoDB Ransoms, AI Hijacks & New Threats

Every week brings new discoveries, attacks, and defenses that shape the state of cybersecurity. Some threats are stopped quickly, while others go unseen until they cause real damage. Sometimes a single update, exploit, or mistake changes how we think about risk and protection. Every incident shows how defenders adapt — and how fast attackers try to stay ahead.

This week’s recap brings you the key moments that matter most, in one place, so you can stay informed and ready for what’s next. ⚡ Threat of the Week Google Disrupts IPIDEA Residential Proxy Network — Google has crippled IPIDEA, a massive residential proxy network consisting of user devices that are being used as the last-mile link in cyberattack chains. According to the tech giant, not only do these networks permit bad actors to conceal their malicious traffic, but they also open up users who enroll their devices to further attacks. Residential IP addresses in the U.S., Canada, and Europe were seen as the most desirable.

Google pursued legal measures to seize or sinkhole domains used as command‑and‑control (C2) for devices enrolled in the IPIDEA proxy network, cutting off operators’ ability to route traffic through compromised systems. The disruption is assessed to have reduced IPIDEA’s available pool of devices by millions. The proxy software is either pre-installed on devices or may be willingly installed by users, lured by the promise of monetizing their available internet bandwidth. Once devices are registered in the residential proxy network, operators sell access to it to their customers.

Numerous proxy and VPN brands, marketed as separate businesses, were controlled by the same actors behind IPIDEA. The proxy network also promoted several SDKs as app monetization tools, quietly turning user devices into proxy exit nodes without their knowledge or consent once embedded. IPIDEA has also been linked to large-scale brute-forcing attacks targeting VPN and SSH services as far back as early 2024. The team from Device and Browser Info has since released a list of all IPIDEA-linked proxy exit IPs.

New Insights From 1800+ Security Leaders and Practitioners 99% of SOCs are already using AI, yet 81% say workloads increased in the past year. Teams have yet to unlock AI’s full impact. To find out why, Tines surveyed 1,800+ security leaders and practitioners worldwide for their biggest Voice of Security report yet. Get the Report ➝ 🔔 Top News Microsoft Patches Exploited Office Flaw — Microsoft issued out-of-band security patches for a high-severity Microsoft Office zero-day vulnerability exploited in attacks.

The vulnerability, tracked as CVE-2026-21509, carries a CVSS score of 7.8 out of 10.0. It has been described as a security feature bypass in Microsoft Office. “Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally,” the tech giant said in an advisory. “This update addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office, which protect users from vulnerable COM/OLE controls.” Microsoft has not shared any details about the nature and the scope of attacks exploiting CVE-2026-21509.

Ivanti Patches Exploited EPMM Flaws — Ivanti rolled out security updates to address two security flaws impacting Ivanti Endpoint Manager Mobile (EPMM) that have been exploited in zero-day attacks. The vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, relate to code injection, allowing attackers to achieve unauthenticated remote code execution. “We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,” Ivanti said in an advisory, adding it does not have enough information about the threat actor tactics to provide “reliable atomic indicators.” As of January 30, 2026, a public working proof-of-concept exploit is available. “As EPMM is an endpoint management solution for mobile devices, the impact of an attacker compromising the EPMM server is significant,” Rapid7 said .

“An attacker may be able to access Personally Identifiable Information (PII) regarding mobile device users, such as their names and email addresses, but also their mobile device information, such as their phone numbers, GPS information, and other sensitive unique identification information.” Poland Links Cyber Attack on Power System to Static Tundra — The Polish computer emergency response team revealed that coordinated cyber attacks targeted more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power plant (CHP) supplying heat to almost half a million customers in the country. CERT Polska said the incident took place on December 29, 2025, describing the attacks as destructive. The agency attributed the attacks to a threat cluster dubbed Static Tundra, which is also tracked as Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, Energetic Bear, Ghost Blizzard (formerly Bromine), and Havex. Static Tundra is assessed to be linked to Russia’s Federal Security Service’s (FSB) Center 16 unit.

Prior reports from ESET and Dragos linked the attack with moderate confidence to a group that shares tactical overlaps with a cluster referred to as Sandworm. The group exhibits a deep understanding of electrical grid equipment and operations, strong proficiency in the industrial protocols used in power systems, and the ability to develop custom malware and wiper tools across IT and OT environments. The activity also reflects the adversary’s grasp of substation operations and the operational dependencies within electrical systems. “Taking over these devices requires capabilities beyond simply understanding their technical flaws,” Dragos said.

“It requires knowledge of their specific implementation. The adversaries demonstrated this by successfully compromising RTUs at approximately 30 sites, suggesting they had mapped common configurations and operational patterns to exploit systematically.” LLMJacking Campaign Targets Exposed AI Endpoints — Cybercriminals are searching for, hijacking, and monetizing exposed LLM and MCP endpoints at scale. The campaign, dubbed Operation Bizarre Bazaar, targets exposed or unprotected AI endpoints to hijack system resources, resell API access, exfiltrate data, and move laterally to internal systems. “The threat differs from traditional API abuse because compromised LLM endpoints can generate significant costs (inference is expensive), expose sensitive organizational data, and provide lateral movement opportunities,” Pillar Security said.

Organizations running self-hosted LLM infrastructure (Ollama, vLLM, local AI implementations) or deploying MCP servers for AI integrations face active targeting. Common misconfigurations that are under active exploitation include Ollama running on port 11434 without authentication, OpenAI-compatible APIs on port 8000, MCP servers accessible without access controls, development/staging AI infrastructure with public IPs, and production chatbot endpoints that lack authentication or rate limits. Access to the infrastructure is advertised on a marketplace that offers access to over 30 LLMs. Called silver[.]inc, it is hosted on bulletproof infrastructure in the Netherlands, and marketed on Discord and Telegram, with payments made via cryptocurrency or PayPal.

Chinese Threat Actors Use PeckBirdy Framework — China-aligned threat actors have been using a cross-platform, multifunction JScript framework called PeckBirdy to conduct cyber espionage attacks since 2023, augmenting their activities with modular backdoors in two separate campaigns targeting gambling sites and government entities. The command-and-control (C2) framework, written in Microsoft’s JScript legacy language, is aimed at flexible deployment by enabling execution across multiple environments, including web browsers, MSHTA, WScript, Classic ASP, Node JS, and .NET (ScriptControl). ‎️‍🔥 Trending CVEs New vulnerabilities surface daily, and attackers move fast. Reviewing and patching early keeps your systems resilient.

Here are this week’s most critical flaws to check first — CVE-2026-24423 (SmarterTools SmarterMail), CVE-2026-1281, CVE-2026-1340 (Ivanti Endpoint Manager Mobile), CVE-2025-40536, CVE-2025-40537, CVE-2025-40551, CVE-2025-40552, CVE-2025-40553 (SolarWinds Web Help Desk), CVE-2026-22709 (vm2), CVE-2026-1470, CVE-2026-0863 (n8n), CVE-2026-24858 (Fortinet FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb), CVE-2026-21509 (Microsoft Office), CVE-2025-30248 , CVE-2025-26465 (Western Digital), CVE-2025-56005 (PLY), CVE-2026-23864 (React Server Components), CVE-2025-14756 (TP-Link), CVE‑2026‑0755 (Google gemini-mcp-tool), CVE-2025-9142 (Check Point Harmony SASE), CVE-2026-1504 (Google Chrome), CVE-2025-12556 (IDIS IP cameras), CVE-2026-0818 (Mozilla Thunderbird), CCVE-2025-52598, CVE-2025-52599, CVE-2025-52600, CVE-2025-52601, CVE-2025-8075 (Hanwha Wisenet cameras), CVE-2025-33217, CVE-2025-33218, CVE-2025-33219, CVE-2025-33220 (NVIDIA GPU Display Drivers), CVE-2025-0921 (Iconics Suite), CVE-2025-26385 (Johnson Controls), and SRC-2025-0001, SRC-2025-0002 , SRC-2025-0003, SRC-2025-0004 (Samsung MagicINFO 9 Server). 📰 Around the Cyber World Exposed C2 Server Reveals BYOB Infrastructure — Cybersecurity researchers have discovered an open directory on a command-and-control (C2) server at IP address 38.255.43[.]60 on port 8081, which has been found serving malicious payloads associated with the Build Your Own Botnet ( BYOB ) framework. “The open directory contained a complete deployment of the BYOB post-exploitation framework, including droppers, stagers, payloads, and multiple post-exploitation modules,” Hunt.io said . “Analysis of the captured samples reveals a modular multi-stage infection chain designed to establish persistent remote access across Windows, Linux, and macOS platforms.” The first stage is a dropper that implements multiple layers of obfuscation to evade signature-based detection, while fetching and executing an intermediate loader, which performs a series of security checks of its own before deploying the main remote access trojan (RAT) payload for reconnaissance and persistence.

It also comes with capabilities to escalate privileges, log keystrokes, terminate processes, harvest emails, and inspect network traffic. Additional infrastructure linked to the threat actor has been found to host cryptocurrency mining payloads, indicating a two-pronged approach to compromising endpoints with different payloads. Phantom Enigma Resurfaces with New Tactics — The threat actors behind the Operation Phantom Enigma campaign, which targeted Brazilian users in order to steal bank accounts in early 2025, resurfaced with similar attacks in fall 2025. The attacks, per Positive Technologies, involve sending phishing emails bearing invoice-related themes to trick ordinary users into clicking on malicious links to download a malicious MSI installer that installs a malicious Google Chrome extension dubbed EnigmaBanker on the victim’s browser to collect credentials and transmit them to the attacker’s server.

The malware is designed to execute JavaScript code that imports a malicious extension via Chrome DevTools Protocol ( CDP ) after launching the browser in debugging mode. On the other hand, the attacks aimed at enterprises drop an installer for legitimate remote access software like PDQ Connect, MeshAgent, ScreenConnect, or Syncro RMM. The threat actors behind the campaign are suspected to be operating out of Latin America. Attackers Exploit Stolen AWS Credentials to Target AWS WorkMail — Threat actors are leveraging compromised Amazon Web Services (AWS) credentials to deploy phishing and spam infrastructure using AWS WorkMail, bypassing the anti-abuse controls normally enforced by AWS Simple Email Service (SES).

“This allows the threat actor to leverage Amazon’s high sender reputation to masquerade as a valid business entity, with the ability to send email directly from victim-owned AWS infrastructure,” Rapid7 said . “Generating minimal service-attributed telemetry also makes threat actor activity difficult to distinguish from routine activity. Any organization with exposed AWS credentials and permissive Identity and Access Management (IAM) policies is potentially at risk, particularly those without guardrails or monitoring around WorkMail and SES configuration.” Malicious VS Code Extension Delivers Stealer Malware — A malicious Visual Studio Code (VS Code) extension has been identified in Open VSX (“Angular-studio.ng-angular-extension”) masquerading as a tool for the Angular web development framework, but harbors functionality that’s activated when any HTML or TypeScript file is opened. It’s designed to run encrypted JavaScript responsible for fetching the next-stage payload from a URL embedded into the memo field of a Solana wallet using a technique called EtherHiding by constructing an RPC request to the Solana mainnet.

The infection chain is also engineered such that execution is skipped on systems matching Russian locale indicators. “This pattern is commonly observed in malware originating from or affiliated with Russian-speaking threat actors, implemented to avoid domestic prosecution,” Secure Annex said . This architecture offers several advantages: blockchain immutability ensures configuration data persists indefinitely, and attackers can update payload URLs without modifying the published extension. The final payload deployed as part of the attack is a stealer malware that can siphon credentials from developer machines, conduct cryptocurrency theft, establish persistence, and exfiltrate the data to a server retrieved from a Google Calendar event.

Threat Actors Exploit Critical Adobe Commerce Flaw — Threat actors are continuing to exploit a critical flaw in Adobe Commerce and Magento Open Source platforms ( CVE-2025-54236 , CVSS score: 9.1) to compromise 216 websites worldwide in one campaign, and deploy web shells on Magento sites in Canada and Japan to enable persistent access in another. “While the cases are not assessed to be part of a single coordinated campaign, all incidents demonstrate that the vulnerability is being actively abused for authentication bypass, full system compromise, and, in some cases, web shell deployment and persistent access,” Oasis Security said . Malicious Google Ads Leads to Stealer Malware — Sponsored ads on Google when searching for “Mac cleaner” or “clear cache macOS” are being used to redirect unsuspecting users to sketchy sites hosted on Google Docs and Medium to trick them into following ClickFix-style instructions to deliver stealer malware. In a related development, DHL-themed phishing emails containing ZIP archives are being used to launch XLoader using DLL side-loading, which then uses process hollowing techniques to load Phantom Stealer.

U.S. Authorities Investigated Meta Contractors’ Claims that WhatsApp Chats Aren’t Private — U.S. law enforcement has been investigating allegations by former Meta contractors that employees at the company can access WhatsApp messages, despite the company’s statements that the chat service is private and encrypted. The contractors claimed that some Meta staff had “unfettered” access to WhatsApp messages, content that should be off-limits, Bloomberg reported .

The report stands in stark contrast to WhatsApp encryption foundations, which prevent third parties, including the company, from accessing the chat contents. “What these individuals claim is not possible because WhatsApp, its employees, and its contractors, cannot access people’s encrypted communications,” Meta was quoted as saying to Bloomberg. It’s worth noting that when a user reports a user or group , WhatsApp receives up to five of the last messages sent to them, along with their metadata. This is akin to taking a screenshot of the last few messages, as they are already on the device and in a decrypted state because the device has the “key” to read them.

However, these allegations suggest much broader access to the platform. New PyRAT Malware Spotted — A new Python-based remote access trojan (RAT) called PyRAT has been found to demonstrate cross-platform capabilities, persistent infection methods, and extensive remote access features. It supports features like system command execution, file system operations, file enumeration, file upload/download, and archive creation to facilitate bulk exfiltration of stolen data. The malware also comes fitted with self-cleanup capabilities to uninstall itself from the victim machine and wipe all persistence components.

“This Python‑based RAT poses a notable risk to organizations because of its cross‑platform capability, broad functionality, and ease of deployment,” K7 Security Labs said . “Even though it is not associated with highly sophisticated threat actors, its effectiveness in real‑world attacks and observed detection rates indicate that it is actively used by cybercriminals and deserves attention.” It’s currently not known how it’s distributed. New Exfil Out&Look Attack Technique Detailed — Cybersecurity researchers have discovered a new technique named Exfil Out&Look that abuses Outlook add-ins to steal data from organizations. “An add-in installed via OWA [Outlook Web Access can be abused to silently extract email data without generating audit logs or leaving any forensic footprint — a stark contrast to the behavior observed in Outlook Desktop,” Varonis said .

“In organizations that rely heavily on Unified Audit Logs for detection and investigation, this blind spot can allow malicious or overly permissive add-ins to operate undetected for extended periods of time.” An attacker could exploit this behavior to trigger an add-in’s core functionality when a victim sends an email, allowing it to intercept outgoing messages and send the data to a third-party server. Following responsible disclosure to Microsoft on September 30, 2025, the company categorized the issue as low-severity with no immediate fix. Exposed MongoDB Servers Exploited for Extortion Attacks — Almost half of all internet-exposed MongoDB servers have been compromised and are being held for ransom. An unidentified threat actor has targeted misconfigured instances to drop ransom notes on more than 1,400 databases demanding a Bitcoin payment to restore the data.

Flare’s analysis found more than 208,500 publicly exposed MongoDB servers, out of which 100,000 expose operational information, and 3,100 could be accessed without authentication. What’s more, nearly half (95,000) of all internet-exposed MongoDB servers run older versions that are vulnerable to N-day flaws. “Threat actors demand payment in Bitcoin (often around 0.005 BTC, equivalent today to $500-600 USD) to a specified wallet address, promising to restore the data,” the cybersecurity company said . “However, there is no guarantee the attackers have the data, or will provide a working decryption key if paid.” Deep Dive into Dark Web Forums — Positive Technologies has taken a deep-dive look into modern dark web forums, noting how they are in a constant state of flux due to ramping up of law enforcement operations, even as they embrace anonymity and protection technologies like Tor, I2P, coupled with anti-bot guardrails, anti-scraping mechanisms, closed moderation, and a strict trust system to escape scrutiny and block suspicious activity.

“However, the results of these interventions are rarely final: the elimination of one forum usually becomes the starting point for the emergence of a new, more sustainable and secure one,” it said . “And an important feature of such forums is the high level of development of technical means of protection. If the early generations of dark web forums were primitive web platforms that often existed in the public part of the internet, modern forums are complex distributed systems with multi-level infrastructure, APIs, moderator bots, built-in verification tools and a multi-stage access system.” TA584 Campaign Drops XWorm and Tsundere Bot — A prolific initial access broker known as TA584 (aka Storm-0900 ) has been observed using the Tsundere Bot alongside XWorm remote access trojan to gain network access for likely follow-on ransomware attacks. The XWorm malware uses a configuration called “P0WER” to enable its execution.

“In the second half of 2025, TA584 demonstrated multiple attack chain changes, including adopting ClickFix social engineering, expanded targeting to more consistently target specific geographies and languages, and recently delivering a new malware called Tsundere Bot,” Proofpoint said . The threat actor is assessed to be active since at least 2020, but has exhibited an increased operational tempo since March 2025. Organizations in North America, the U.K., Ireland, and Germany are the main targets. Emails sent by TA584 impersonate various organizations associated with healthcare and government entities, as well as leverage well-designed and believable lures to get people to engage with malicious content.

These messages are sent via compromised accounts or third-party services like SendGrid and Amazon Simple Email Service (SES). “The emails usually contain unique links for each target that perform geofencing and IP filtering,” Proofpoint said. “If these checks were passed, the recipient is redirected to a landing page aligning with the lure in the email.” Early iterations of the campaign delivered macro-enabled Excel documents dubbed EtterSilent to facilitate malware installation. The end goal of the attack is to initiate a redirect chain involving third-party traffic direction systems (TDS) like Keitaro to a CAPTCHA page, followed by a ClickFix page that instructs the victim to run a PowerShell command on their system.

Some of the other payloads distributed by TA584 in the past include Ursine, TA584, WARMCOOKIE, Xeno RAT, Cobalt Strike, and DCRat. South Korea to Notify Citizens of Data Leaks — The South Korean government will notify citizens when their data was exposed in a security breach. The new notification system will cover confirmed breaches, but also alert people who may be involved in a data breach, even if the case has not been confirmed. These alerts will also include information on how to seek compensation for damages.

Details About Critical Apache bRPC Flaw — CyberArk has published details about a recently patched critical vulnerability in Apache bRPC (CVE-2025-60021, CVSS score: 9.8) that could allow an attacker to inject remote commands. The problem resides in the “/pprof/heap” profiler endpoint. “The heap profiler service /pprof/heap did not validate the user-provided extra_options parameter before incorporating it into the jeprof command line,’ CyberArk said . “Prior to the fix, extra_options was appended directly to the command string as –.

Because this command is later executed to generate the profiling output, shell special characters in attacker-controlled input could alter the executed command, resulting in command injection.” As a result, an attacker could exploit a reachable “/pprof/heap” endpoint to execute arbitrary commands with the privileges of the Apache bRPC process, resulting in remote code execution. There are about 181 publicly reachable /pprof/heap endpoints and 790 /pprof/* endpoints, although it’s not known how many of them are susceptible to this flaw. Threat Actors Use New Unicode Trick to Evade Detection — Threat actors are using the Unicode character for math division (∕) instead of a standard forward slash (/) in malicious links to evade detection. “The barely noticeable difference between the divisional and forward slashes causes traditional automated security systems and filters to fail, allowing the links to bypass detection,” email security firm Barracuda said .

“As a result, victims are redirected to default or random pages.” China Executes 11 Members of Myanmar Scam Mafia — The Chinese government has executed 11 members of the Ming family who ran cyber scam compounds in Myanmar. The suspects were sentenced in September 2025 following their arrest in 2023. In November 2025, five members of a Myanmar crime syndicate were sentenced to death for their roles in running industrial-scale scamming compounds near the border with China. The Ming mafia’s scam operations and gambling dens brought in more than $1.4 billion between 2015 and 2023, BBC News reported , citing China’s highest court.

FBI Urges Organizations to Improve Cybersecurity — The U.S. Federal Bureau of Investigation (FBI) launched Operation Winter SHIELD (short for “Securing Homeland Infrastructure by Enhancing Layered Defense”), outlining ten actions which organizations should implement to improve cyber resilience. This includes adopting phishing-resistant authentication, implementing a risk-based vulnerability management program, retiring end-of-life technology, managing third-party risk, preserving security logs, maintaining offline backups, inventorying internet-facing systems and services, strengthening email authentication, reducing administrator privileges, and executing incident response plans with all stakeholders. “Winter SHIELD provides industry with a practical roadmap to better secure information technology (IT) and operational technology (OT) environments, hardening the nation’s digital infrastructure and reducing the attack surface,” the FBI said .

“Our goal is simple: to move the needle on resilience across industry by helping organizations understand where adversaries are focused and what concrete steps they can take now (and build toward in the future) to make exploitation harder.” Only 26% of Vulnerability Attacks Blocked by Hosts — A new study by website security firm PatchStack has revealed that a significant majority of common WordPress-specific vulnerabilities are not mitigated by hosting service providers. In a test using 30 vulnerabilities that were known to be exploited in real-world attacks, the company found that 74% of all attacks resulted in a successful site takeover. “Of the high-impact vulnerabilities, Privilege Escalation attacks were blocked only 12% of the time,” Patchstack said . “The biggest problem isn’t that hosts don’t care about vulnerability attacks – it’s that they think their existing solutions have got them covered.” Cyber Attacks Became More Distributed in 2025 — Forescout’s Threat Roundup report for 2025 has found that cyber attacks became more globally distributed and cloud-enabled.

“In 2025, the top 10 countries accounted for 61% of malicious traffic - a 22% decrease compared to 2024 – and a reversal of a trend observed since 2022, when that figure was 73%,” Forescout said . “In other words, attacks are more distributed and attackers are using IP addresses from less common countries more frequently.” The U.S., India, and Germany were the most targeted countries, with 59% of the attacks originating from ISP-managed IPs, 17% from business and government networks, and 24% from hosting or cloud providers. The vast majority of the attacks originated from China, Russia, and Iran. Attacks using OT protocols surged by 84%, led by Modbus.

The development comes as Cisco Talos revealed that threat actors are increasingly exploiting public-facing applications, overtaking phishing in the last quarter of 2025. Google Agrees to Settle Privacy Lawsuit for $68M — Google has agreed to pay $68 million to settle a class-action lawsuit alleging its voice-activated assistant illegally recorded and shared the private conversations with third parties without their consent. The case revolved around “false accepts,” where Google Assistant is said to have activated and recorded the user’s communications even in scenarios where the actual trigger word, “Ok Google,” was not used. Google has denied any wrongdoing.

Apple reached a similar $95 million settlement in December 2024 over Siri recordings. Separately, Google has agreed to pay $135 million to settle a proposed class-action lawsuit that accused the company of illegally using users’ cellular data to transmit system information to its servers without the user’s knowledge or consent since November 12, 2017. As part of the settlement, Google will not transfer data without obtaining consent from Android users when they set up their phones. It will also make it easier for users to stop the transfers, and will disclose the transfers in its Google Play terms of service.

The development follows a U.S. Supreme Court decision to hear a case stemming from the use of a Facebook tracking pixel to monitor the streaming habits of users of a sports website. Security Flaws in Google Fast Pair protocol — More than a dozen headphone and speaker models have been found vulnerable to a new vulnerability (CVE-2025-36911, CVSS score: 7.1) in the Google Fast Pair protocol. Called WhisperPair , the attack allows threat actors to hijack a user’s accessories without user interaction.

In certain scenarios, the attackers can also register as the owners of those accessories and track the movement of the real owners via the Google Find Hub. Google awarded the researchers $15,000 following responsible disclosure in August 2025. “WhisperPair enables attackers to forcibly pair a vulnerable Fast Pair accessory (e.g., wireless headphones or earbuds) with an attacker-controlled device (e.g., a laptop) without user consent,” researchers at the COSIC group of KU Leuven said. “This gives an attacker complete control over the accessory, allowing them to play audio at high volumes or record conversations using the microphone.

This attack succeeds within seconds (a median of 10 seconds) at realistic ranges (tested up to 14 metres) and does not require physical access to the vulnerable device.” In related news, an information leak vulnerability (CVE-2025-13834) and a denial-of-service (DoS) vulnerability (CVE-2025-13328) have been uncovered in Xiaomi Redmi Buds versions 3 Pro through 6 Pro. “An attacker within Bluetooth radio range can send specially crafted RFCOMM protocol interactions to the device’s internal channels without prior pairing or authentication, enabling the exposure of sensitive call-related data or triggering repeatable firmware crashes,” CERT Coordination Center (CERT/CC) said . 🎥 Cybersecurity Webinars Your SOC Stack Is Broken — Here’s How to Fix It Fast : Modern SOC teams are drowning in tools, alerts, and complexity. This live session with AirMDR CEO Kumar Saurabh and SACR CEO Francis Odum cuts through the noise—showing what to build, what to buy, and what to automate for real results.

Learn how top teams design efficient, cost-effective SOCs that actually work. Join now to make smarter security decisions. AI Is Rewriting Cloud Forensics — Learn How to Investigate Faster : Cloud investigations are getting harder as evidence disappears fast and systems change by the minute. Traditional forensics can’t keep up.

Join Wiz’s experts to see how AI and context-aware forensics are transforming cloud incident response—helping teams capture the right data automatically, connect the dots faster, and uncover what really happened in minutes instead of days. Build Your Quantum-Safe Defense: Get Guidance for IT Leaders : Quantum computers could soon break the encryption that protects today’s data. Hackers are already stealing encrypted information now to decrypt it later. Join this Zscaler webinar to learn how post-quantum cryptography keeps your business safe—using hybrid encryption, zero trust, and quantum-ready security tools built for the future.

🔧 Cybersecurity Tools
Vulnhalla: CyberArk open-sources a new tool that automates vulnerability triage by combining CodeQL analysis with AI models like GPT-4 or Gemini. It scans public code repositories, runs CodeQL queries to find potential issues, and then uses AI to decide which ones are real security flaws versus false positives. This helps developers and security teams quickly focus on genuine risks instead of wasting time sorting through noisy scan results. OpenClaw; A personal AI assistant running in Cloudflare Workers, connecting to Telegram, Discord, and Slack with secure device pairing.

It uses Claude via Anthropic API and optional R2 storage for persistence—showcasing how AI agents can run safely in a sandboxed, serverless Cloudflare setup. Disclaimer: These tools are provided for research and educational use only. They are not security-audited and may cause harm if misused. Review the code, test in controlled environments, and comply with all applicable laws and policies.

Conclusion Cybersecurity keeps moving fast. This week’s stories show how attacks, defenses, and discoveries keep shifting the balance. Staying secure now means staying alert, reacting fast, and knowing what’s changing around you. The past few days proved that no one is too small to be a target and no system is ever fully safe.

Every patch, every update, every fix counts — because threats don’t wait. Keep learning, stay cautious, and keep your guard up. The next wave of attacks is already forming. Found this article interesting?

Securing the Mid-Market Across the Complete Threat Lifecycle

For mid-market organizations, cybersecurity is a constant balancing act. Proactive, preventative security measures are essential to protect an expanding attack surface. Combined with effective protection that blocks threats, they play a critical role in stopping cyberattacks before damage is done. The challenge is that many security tools add complexity and cost that most mid-market businesses can’t absorb.

With limited budgets and lean IT and security teams, organizations often focus on detection and response. While necessary, this places a significant operational burden on teams already stretched thin. A more sustainable approach is security across the complete threat lifecycle—combining prevention, protection, detection, and response in a way that reduces risk without increasing cost or complexity. Why Mid-Market Security Often Feels Stuck Most mid-market organizations rely on a small set of foundational tools, such as endpoint protection, email security, and network firewalls.

However, limited staff and resources often leave these tools operating as isolated point solutions, preventing teams from extracting their full value. Endpoint Detection and Response (EDR) is a common example. Although EDR is included in most Endpoint Protection Platforms (EPP), many organizations struggle to use it effectively. EDR was designed for enterprises with dedicated security operations teams, and using it well requires time and specialized expertise to configure, monitor, and respond to alerts.

With teams focused on firefighting, there is little time for proactive improvements that strengthen overall security. Unlocking more value from existing tools is often the fastest way to improve coverage without adding complexity. Making Advanced Security Accessible with Platforms Security platforms extend the value of EDR by providing visibility across the broader attack surface. By correlating signals from endpoints, cloud, identities, and networks, platforms turn fragmented insights into a unified view through Extended Detection and Response (XDR).

Many platforms are also shifting beyond reactive detection and response to include proactive prevention. Preventative controls help stop attackers before they gain a foothold, reducing pressure on already lean teams. Solutions such as Bitdefender GravityZone consolidate critical security capabilities into a single platform, enabling centralized management, visibility, and reporting across the security program. This approach allows mid-market organizations to achieve broader coverage without increasing operational overhead.

Extending Coverage with MDR Managed Detection and Response (MDR) services offer another way to strengthen security quickly. MDR provides 24/7 monitoring, proactive threat hunting, and incident response, effectively extending internal teams without adding headcount. By combining a unified platform with MDR, mid-market organizations can close coverage gaps and focus internal resources on strategic priorities. Takeaway: Security Across the Threat Lifecycle Improving mid-market cybersecurity isn’t about adding more tools—it’s about using the right tools more effectively.

Integrating prevention, protection, detection, and response across the threat lifecycle enables stronger security outcomes with less complexity. Platforms like Bitdefender GravityZone help mid-market organizations strengthen resilience while reducing the operational burden on lean teams. To explore this approach further, read How to Secure Your Mid-Market Business Across the Complete Threat Lifecycle or the Buyer’s Guide for Mid-Market Businesses: Choosing the Right Security Platform . Found this article interesting?

This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.