2026-02-09 AI Startup News
OpenClaw Integrates VirusTotal Scanning to Detect Malicious ClawHub Skills
OpenClaw (formerly Moltbot and Clawdbot) has announced that it’s partnering with Google-owned VirusTotal to scan skills that are being uploaded to ClawHub, its skill marketplace, as part of broader efforts to bolster the security of the agentic ecosystem. “All skills published to ClawHub are now scanned using VirusTotal’s threat intelligence, including their new Code Insight capability,” OpenClaw’s founder Peter Steinberger, along with Jamieson O’Reilly and Bernardo Quintero, said. “This provides an additional layer of security for the OpenClaw community.” The process essentially entails computing a SHA-256 hash of every skill bundle and cross-checking it against VirusTotal’s database for a match. If no match is found, the skill bundle is uploaded to the malware scanning service for further analysis using VirusTotal Code Insight.
Skills that have a “benign” Code Insight verdict are automatically approved by ClawHub, while those marked suspicious are flagged with a warning. Any skill that’s deemed malicious is blocked from download. OpenClaw also said all active skills are re-scanned on a daily basis to detect scenarios where a previously clean skill becomes malicious. That said, OpenClaw maintainers also cautioned that VirusTotal scanning is “not a silver bullet” and that there is a possibility that some malicious skills that use a cleverly concealed prompt injection payload may slip through the cracks.
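The hash-then-submit flow and the verdict policy described above (benign approved, suspicious flagged, malicious blocked, plus the daily re-scan), as an added example that is not OpenClaw’s or VirusTotal’s code. The scanner client is a stand-in interface whose `lookup`/`submit` methods, the marker-based toy analysis, and the sample bundles are all assumptions made so the script runs offline; the real VirusTotal API is not modelled.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Verdict -> marketplace decision, as the article describes the policy.
DECISIONS = {"benign": "approved", "suspicious": "flagged", "malicious": "blocked"}


def bundle_sha256(bundle: bytes) -> str:
    """Identity used for the hash lookup: the digest of the exact uploaded bytes.
    Any change to the archive (even re-packing) yields a new digest, so a hash
    hit proves nothing about a modified bundle and a miss forces a full scan."""
    return hashlib.sha256(bundle).hexdigest()


class ScannerClient:
    """Assumed shape of a scanner: a hash lookup and a full submission.
    The real VirusTotal client is not modelled here."""

    def lookup(self, sha256: str) -> Optional[str]:
        raise NotImplementedError

    def submit(self, bundle: bytes) -> str:
        raise NotImplementedError


class OfflineScanner(ScannerClient):
    """Stand-in so the example runs without network access. Known verdicts are
    keyed by digest; the 'analysis' of an unknown bundle is a toy marker check
    (assumption), which is exactly the kind of check a carefully worded prompt
    injection would not trip."""

    def __init__(self, known: Optional[Dict[str, str]] = None) -> None:
        self.known: Dict[str, str] = dict(known or {})
        self.submissions = 0

    def lookup(self, sha256: str) -> Optional[str]:
        return self.known.get(sha256)

    def submit(self, bundle: bytes) -> str:
        self.submissions += 1
        if b"exfiltrate" in bundle:
            verdict = "malicious"
        elif b"eval(" in bundle:
            verdict = "suspicious"
        else:
            verdict = "benign"
        self.known[bundle_sha256(bundle)] = verdict
        return verdict


@dataclass
class Registry:
    """Skills the marketplace currently serves: name -> (digest, verdict)."""

    scanner: ScannerClient
    skills: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def publish(self, name: str, bundle: bytes) -> str:
        digest = bundle_sha256(bundle)
        verdict = self.scanner.lookup(digest)
        if verdict is None:  # unseen digest: upload for full analysis
            verdict = self.scanner.submit(bundle)
        decision = DECISIONS[verdict]
        if decision != "blocked":  # benign and suspicious stay listed (warned)
            self.skills[name] = (digest, verdict)
        return decision

    def rescan(self) -> Dict[str, str]:
        """Daily re-check: look each stored digest up again. A skill whose
        verdict changed is reported, and one reclassified as malicious is
        pulled, which is how a previously clean skill gets caught later."""
        changed: Dict[str, str] = {}
        for name, (digest, old) in list(self.skills.items()):
            new = self.scanner.lookup(digest) or old
            if new == old:
                continue
            changed[name] = DECISIONS[new]
            if new == "malicious":
                del self.skills[name]
            else:
                self.skills[name] = (digest, new)
        return changed


if __name__ == "__main__":
    # Constructed sample bundles (not real ClawHub skills).
    clean = b"name: weather\nrun: fetch the forecast\n"
    shady = b"name: helper\nrun: eval(user_input)\n"
    evil = b"name: backup\nrun: exfiltrate ~/.openclaw/creds.json\n"
    scanner = OfflineScanner()
    reg = Registry(scanner)
    for label, bundle in (("weather", clean), ("helper", shady), ("backup", evil)):
        print(label, "->", reg.publish(label, bundle))
    # Same bytes again: answered from the hash lookup, no second submission.
    print("weather-copy ->", reg.publish("weather-copy", clean), "submissions:", scanner.submissions)
    # Threat intel later reclassifies the digest; the daily re-scan catches it.
    scanner.known[bundle_sha256(clean)] = "malicious"
    print("rescan ->", reg.rescan())
```

Two things the flow makes visible: the hash lookup is an identity check on bytes, so any re-packed or slightly edited clone (the name-variation cloning Bitdefender describes later on this page) is a cache miss and must go through full analysis; and the re-scan only helps if the marketplace actually acts on a changed verdict by pulling the listing, not just re-querying.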
In addition to the VirusTotal partnership, the platform is expected to publish a comprehensive threat model, a public security roadmap, a formal security reporting process, as well as details about the security audit of its entire codebase. The development comes in the aftermath of reports that found hundreds of malicious skills on ClawHub, prompting OpenClaw to add a reporting option that allows signed-in users to flag a suspicious skill. Multiple analyses have uncovered that these skills masquerade as legitimate tools, but, under the hood, they harbor malicious functionality to exfiltrate data, inject backdoors for remote access, or install stealer malware. “AI agents with system access can become covert data-leak channels that bypass traditional data loss prevention, proxies, and endpoint monitoring,” Cisco noted last week.
“Second, models can also become an execution orchestrator, wherein the prompt itself becomes the instruction and is difficult to catch using traditional security tooling.” The recent viral popularity of OpenClaw, the open-source agentic artificial intelligence (AI) assistant, and Moltbook, an adjacent social network where autonomous AI agents built atop OpenClaw interact with each other in a Reddit-style platform, has raised security concerns. While OpenClaw functions as an automation engine to trigger workflows, interact with online services, and operate across devices, the entrenched access given to skills, coupled with the fact that they can process data from untrusted sources, can open the door to risks like malware and prompt injection. In other words, the integrations, while convenient, significantly broaden the attack surface and expand the set of untrusted inputs the agent consumes, turning it into an “agentic trojan horse” for data exfiltration and other malicious actions. Backslash Security has described OpenClaw as an “AI With Hands.” “Unlike traditional software that does exactly what code tells it to do, AI agents interpret natural language and make decisions about actions,” OpenClaw noted.
“They blur the boundary between user intent and machine execution. They can be manipulated through language itself.” OpenClaw also acknowledged that the power wielded by skills – which extend the capabilities of an AI agent to tasks ranging from controlling smart home devices to managing finances – can be abused by bad actors, who can leverage the agent’s access to tools and data to exfiltrate sensitive information, execute unauthorized commands, send messages on the victim’s behalf, and even download and run additional payloads without the victim’s knowledge or consent. What’s more, with OpenClaw increasingly deployed on employee endpoints without formal IT or security approval, the elevated privileges of these agents can further enable shell access, data movement, and network connectivity outside standard security controls, creating a new class of shadow AI risk for enterprises. “OpenClaw and tools like it will show up in your organization whether you approve them or not,” Astrix Security researcher Tomer Yahalom said.
“Employees will install them because they’re genuinely useful. The only question is whether you’ll know about it.”

Some of the glaring security issues that have come to the fore in recent days are below:

- A now-fixed issue identified in earlier versions that could cause proxied traffic to be misclassified as local, bypassing authentication for some internet-exposed instances.
- “OpenClaw stores credentials in cleartext, uses insecure coding patterns including direct eval with user input, and has no privacy policy or clear accountability,” OX Security’s Moshe Siman Tov Bustan and Nir Zadok said. “Common uninstall methods leave sensitive data behind – and fully revoking access is far harder than most users realize.”
- A zero-click attack that abuses OpenClaw’s integrations to plant a backdoor on a victim’s endpoint for persistent control when a seemingly harmless document is processed by the AI agent, resulting in the execution of an indirect prompt injection payload that allows it to respond to messages from an attacker-controlled Telegram bot.
- An indirect prompt injection embedded in a web page, which, when parsed as part of an innocuous prompt asking the large language model (LLM) to summarize the page’s contents, causes OpenClaw to append an attacker-controlled set of instructions to the ~/.openclaw/workspace/HEARTBEAT.md file and silently await further commands from an external server.
- A security analysis of 3,984 skills on the ClawHub marketplace that found 283 skills, about 7.1% of the entire registry, contain critical security flaws that expose sensitive credentials in plaintext through the LLM’s context window and output logs.
- A report from Bitdefender revealing that malicious skills are often cloned and re-published at scale using small name variations, and that payloads are staged through paste services such as glot.io and public GitHub repositories.
- A now-patched one-click remote code execution vulnerability affecting OpenClaw that could have allowed an attacker to trick a user into visiting a malicious web page, causing the Gateway Control UI to leak the OpenClaw authentication token over a WebSocket channel; the token could then be used to execute arbitrary commands on the host.
- OpenClaw’s gateway binds to 0.0.0.0:18789 by default, exposing the full API on every network interface. Per data from Censys, there are over 30,000 exposed instances accessible over the internet as of February 8, 2026, although most require a token value in order to view and interact with them.
- In a hypothetical attack scenario, a prompt injection payload embedded within a specifically crafted WhatsApp message can be used to exfiltrate “.env” and “creds.json” files, which store credentials, API keys, and session tokens for connected messaging platforms, from an exposed OpenClaw instance.
- A misconfigured Supabase database belonging to Moltbook that was left exposed via client-side JavaScript, making the secret API keys of every agent registered on the site freely accessible and allowing full read and write access to platform data. According to Wiz, the exposure included 1.5 million API authentication tokens, 35,000 email addresses, and private messages between agents.
- Threat actors have been found exploiting Moltbook’s platform mechanics to amplify reach and funnel other agents toward malicious threads that contain prompt injections to manipulate their behavior and extract sensitive data or steal cryptocurrency. “Moltbook may have inadvertently also created a laboratory in which agents, which can be high-value targets, are constantly processing and engaging with untrusted data, and in which guardrails aren’t set into the platform – all by design,” Zenity Labs said.
- “The first, and perhaps most egregious, issue is that OpenClaw relies on the configured language model for many security-critical decisions,” HiddenLayer researchers Conor McCauley, Kasimir Schulz, Ryan Tracey, and Jason Martin noted. “Unless the user proactively enables OpenClaw’s Docker-based tool sandboxing feature, full system-wide access remains the default.” Among other architectural and design problems identified by the AI security company are OpenClaw’s failure to filter out untrusted content containing control sequences, ineffective guardrails against indirect prompt injections, modifiable memories and system prompts that persist into future chat sessions, plaintext storage of API keys and session tokens, and no explicit user approval before executing tool calls.
- In a report published last week, Permiso Security argued that the security of the OpenClaw ecosystem is much more crucial than that of app stores and browser extension marketplaces owing to the agents’ extensive access to user data. “AI agents get credentials to your entire digital life,” security researcher Ian Ahl pointed out. “And unlike browser extensions that run in a sandbox with some level of isolation, these agents operate with the full privileges you grant them.” “The skills marketplace compounds this. When you install a malicious browser extension, you’re compromising one system. When you install a malicious agent skill, you’re potentially compromising every system that agent has credentials for.”

The long list of security issues associated with OpenClaw has prompted China’s Ministry of Industry and Information Technology to issue an alert about misconfigured instances, urging users to implement protections to secure against cyber attacks and data breaches, Reuters reported. “When agent platforms go viral faster than security practices mature, misconfiguration becomes the primary attack surface,” Ensar Seker, CISO at SOCRadar, told The Hacker News via email. “The risk isn’t the agent itself; it’s exposing autonomous tooling to public networks without hardened identity, access control, and execution boundaries.” “What’s notable here is that the Chinese regulator is explicitly calling out configuration risk rather than banning the technology.
That aligns with what defenders already know: agent frameworks amplify both productivity and blast radius. A single exposed endpoint or overly permissive plugin can turn an AI agent into an unintentional automation layer for attackers.”

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
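A check for the default 0.0.0.0:18789 bind called out in the list above, as an added example rather than OpenClaw’s own tooling. It reads the kernel’s socket tables (/proc/net/tcp and tcp6, the same data `ss -ltn` shows) and reports any listener on the gateway port that is bound to something other than loopback. The port number comes from the article; the sample table excerpts are constructed, not captured from a real host.

```python
import socket
import struct

GATEWAY_PORT = 18789          # OpenClaw gateway default from the article
TCP_LISTEN = "0A"             # state column value for LISTEN in /proc/net/tcp{,6}


def _decode_addr(hexaddr: str) -> str:
    """Decode the kernel's hex address form: IPv4 is one host-order 32-bit
    word, IPv6 is four host-order 32-bit words (little-endian on x86/arm64)."""
    raw = bytes.fromhex(hexaddr)
    if len(raw) == 4:
        return socket.inet_ntop(socket.AF_INET, raw[::-1])
    words = struct.unpack("<4I", raw)
    return socket.inet_ntop(socket.AF_INET6, struct.pack(">4I", *words))


def parse_listeners(table: str):
    """(address, port) for every LISTEN socket in a /proc/net/tcp or tcp6 dump."""
    listeners = []
    for line in table.splitlines()[1:]:          # first line is the header
        cols = line.split()
        if len(cols) < 4 or cols[3] != TCP_LISTEN:
            continue
        addr_hex, port_hex = cols[1].split(":")
        listeners.append((_decode_addr(addr_hex), int(port_hex, 16)))
    return listeners


def exposed_listeners(table: str, port: int = GATEWAY_PORT):
    """Listeners on `port` bound to anything other than loopback: 0.0.0.0 and ::
    (every interface) as well as a specific LAN address both count as exposed."""
    return [(addr, p) for addr, p in parse_listeners(table)
            if p == port and not (addr.startswith("127.") or addr == "::1")]


def _read_table(path: str) -> str:
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:              # e.g. IPv6 disabled: no /proc/net/tcp6
        return ""


def check_host(port: int = GATEWAY_PORT):
    """Live check of this host's socket tables (empty list off Linux)."""
    return (exposed_listeners(_read_table("/proc/net/tcp"), port)
            + exposed_listeners(_read_table("/proc/net/tcp6"), port))


# Constructed /proc/net/tcp and tcp6 excerpts (not captured from a real host):
# a gateway on 0.0.0.0:18789 and on [::]:18789 (exposed), one on 127.0.0.1:18789
# (loopback only), an established connection, and an unrelated ::1 listener.
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:4965 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 21001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:4965 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 21002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:4965 0100007F:D3A4 01 00000000:00000000 00:00000000 00000000  1000        0 21003 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_TCP6 = """  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:4965 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 21004 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000001000000:0050 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21005 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE_TCP) + exposed_listeners(SAMPLE_TCP6):
        print(f"sample: port {port} exposed on {addr}")
    live = check_host()
    print("this host:", live or f"no non-loopback listener on {GATEWAY_PORT}")
```

A loopback-only bind is the fix this check is looking for, but note the caveat from the list above: if a reverse proxy on the same host forwards internet traffic to that loopback listener, and the gateway treats loopback peers as trusted, the proxied traffic can be misclassified as local (the now-fixed issue described earlier), so the proxy must enforce authentication itself rather than rely on the bind address.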
German Agencies Warn of Signal Phishing Targeting Politicians, Military, Journalists
Germany’s Federal Office for the Protection of the Constitution (aka Bundesamt für Verfassungsschutz or BfV) and Federal Office for Information Security (BSI) have issued a joint advisory warning of a malicious cyber campaign undertaken by a likely state-sponsored threat actor that involves carrying out phishing attacks over the Signal messaging app. “The focus is on high-ranking targets in politics, the military, and diplomacy, as well as investigative journalists in Germany and Europe,” the agencies said. “Unauthorized access to messenger accounts not only allows access to confidential private communications but also potentially compromises entire networks.” A noteworthy aspect of the campaign is that it does not involve the distribution of malware or the exploitation of any security vulnerability in the privacy-focused messaging platform. Rather, the end goal is to weaponize its legitimate features to obtain covert access to a victim’s chats, along with their contact lists.
The attack chain is as follows: the threat actors masquerade as “Signal Support” or a support chatbot named “Signal Security ChatBot” to initiate direct contact with prospective targets, urging them to provide a PIN or verification code received via SMS, or risk facing data loss. Should the victim comply, the attackers can register the account and gain access to the victim’s profile, settings, contacts, and block list through a device and mobile phone number under their control. While the stolen PIN does not enable access to the victim’s past conversations, a threat actor can use it to capture incoming messages and send messages posing as the victim. That target user, who has by now lost access to their account, is then instructed by the threat actor disguised as the support chatbot to register for a new account.
There also exists an alternative infection sequence that takes advantage of the device linking option to trick victims into scanning a QR code, thereby granting the attackers access to the victim’s account, including their messages for the last 45 days, on a device managed by them. In this case, however, the targeted individuals continue to have access to their account, little realizing that their chats and contact lists are now also exposed to the threat actors. The security authorities warned that while the current focus of the campaign appears to be Signal, the attack can also be extended to WhatsApp since it also incorporates similar device linking and PIN features as part of two-step verification. “Successful access to messenger accounts not only allows confidential individual communications to be viewed, but also potentially compromises entire networks via group chats,” BfV and BSI said.
While it’s not known who is behind the activity, similar attacks have been orchestrated by multiple Russia-aligned threat clusters tracked as Star Blizzard, UNC5792 (aka UAC-0195), and UNC4221 (aka UAC-0185), per reports from Microsoft and Google Threat Intelligence Group early last year. In December 2025, Gen Digital also detailed another campaign codenamed GhostPairing, where cybercriminals have resorted to the device linking feature on WhatsApp to seize control of accounts to likely impersonate users or commit fraud. To stay protected against the threat, users are advised to refrain from engaging with support accounts and entering their Signal PIN as a text message. A crucial line of defense is to enable Registration Lock, which prevents unauthorized users from registering a phone number on another device.
It’s also advised to periodically review the list of linked devices and remove any unknown devices. The development comes as the Norwegian government accused Chinese state-backed hacking groups, including Salt Typhoon, of breaking into several organizations in the country by exploiting vulnerable network devices, while also calling out Russia for closely monitoring military targets and allied activities, and Iran for keeping tabs on dissidents. Stating that Chinese intelligence services attempt to recruit Norwegian nationals to gain access to classified data, the Norwegian Police Security Service (PST) noted that these sources are then encouraged to establish their own “human source” networks by advertising part-time positions on job boards or approaching them via LinkedIn. The agency further warned that China is “systematically” exploiting collaborative research and development efforts to strengthen its own security and intelligence capabilities.
It’s worth noting that Chinese law requires software vulnerabilities identified by Chinese researchers to be reported to the authorities no later than two days after discovery. “Iranian cyber threat actors compromise email accounts, social media profiles, and private computers belonging to dissidents to collect information about them and their networks,” PST said. “These actors have advanced capabilities and will continue to develop their methods to conduct increasingly targeted and intrusive operations against individuals in Norway.” The disclosures also follow an advisory from CERT Polska, which assessed that a Russian nation-state hacking group called Static Tundra is likely behind coordinated cyber attacks targeted at more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power plant (CHP) supplying heat to almost half a million customers in the country. “In each affected facility, a FortiGate device was present, serving as both a VPN concentrator and a firewall,” it said.
“In every case, the VPN interface was exposed to the internet and allowed authentication to accounts defined in the configuration without multi‑factor authentication.”
China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking, Malware Delivery
Cybersecurity researchers have taken the wraps off a gateway-monitoring and adversary-in-the-middle (AitM) framework dubbed DKnife that’s operated by China-nexus threat actors since at least 2019. The framework comprises seven Linux-based implants that are designed to perform deep packet inspection, manipulate traffic, and deliver malware via routers and edge devices. Its primary targets seem to be Chinese-speaking users, an assessment based on the presence of credential harvesting phishing pages for Chinese email services, exfiltration modules for popular Chinese mobile applications like WeChat, and code references to Chinese media domains. “DKnife’s attacks target a wide range of devices, including PCs, mobile devices, and Internet of Things (IoT) devices,” Cisco Talos researcher Ashley Shen noted in a Thursday report.
“It delivers and interacts with the ShadowPad and DarkNimbus backdoors by hijacking binary downloads and Android application updates.” The cybersecurity company said it discovered DKnife as part of its ongoing monitoring of another Chinese threat activity cluster codenamed Earth Minotaur that’s linked to tools like the MOONSHINE exploit kit and the DarkNimbus (aka DarkNights) backdoor. Interestingly, the backdoor has also been put to use by a third China-aligned advanced persistent threat (APT) group called TheWizards. An analysis of DKnife’s infrastructure has uncovered an IP address hosting WizardNet, a Windows implant deployed by TheWizards via an AitM framework referred to as Spellbinder. Details of the toolkit were documented by ESET in April 2025.
The targeting of Chinese-speaking users, Cisco said, hinges on the discovery of configuration files obtained from a single command-and-control (C2) server, raising the possibility that there could be other servers hosting similar configurations for different regional targeting. This is significant in light of infrastructural connections between DKnife and WizardNet, as TheWizards is known to target individuals and the gambling sector across Cambodia, Hong Kong, Mainland China, the Philippines, and the United Arab Emirates.

Functions of seven DKnife components

Unlike WizardNet, DKnife is engineered to be run on Linux-based devices. Its modular architecture enables operators to serve a wide range of functions, ranging from packet analysis to traffic manipulation.
Delivered by means of an ELF downloader, it contains seven different components:

- dknife.bin - The central nervous system of the framework, responsible for deep packet inspection, user activity reporting, binary download hijacking, and DNS hijacking
- postapi.bin - A data reporter module that acts as a relay, receiving traffic from DKnife and reporting to the remote C2
- sslmm.bin - A reverse proxy module modified from HAProxy that performs TLS termination, email decryption, and URL rerouting
- mmdown.bin - An updater module that connects to a hard-coded C2 server to download the APKs used in the attack
- yitiji.bin - A packet forwarder module that creates a bridged TAP interface on the router to host and route attacker-injected LAN traffic
- remote.bin - A peer-to-peer (P2P) VPN client module that creates a communication channel to the remote C2
- dkupdate.bin - An updater and watchdog module that keeps the various components alive

“DKnife can harvest credentials from a major Chinese email provider and host phishing pages for other services,” Talos said.
“For harvesting email credentials, the sslmm.bin component presents its own TLS certificate to clients, terminates and decrypts POP3/IMAP connections, and inspects the plaintext stream to extract usernames and passwords.” “Extracted credentials are tagged with ‘PASSWORD,’ forwarded to the postapi.bin component, and ultimately relayed to remote C2 servers.”

The core component of the framework is “dknife.bin,” which takes care of deep packet inspection, allowing operators to conduct traffic monitoring campaigns ranging from “covert monitoring of user activity to active in-line attacks that replace legitimate downloads with malicious payloads.” This includes:

- Serving updated C2 to Android and Windows variants of DarkNimbus malware
- Conducting Domain Name System (DNS)-based hijacking over IPv4 and IPv6 to facilitate malicious redirects for JD.com-related domains
- Hijacking and replacing Android application updates associated with Chinese news media, video streaming, image editing apps, e-commerce platforms, taxi-service platforms, gaming, and pornography video streaming apps by intercepting their update manifest requests
- Hijacking Windows and other binary downloads based on certain pre-configured rules to deliver the ShadowPad backdoor via DLL side-loading, which then loads DarkNimbus
- Interfering with communications from antivirus and PC-management products, including 360 Total Security and Tencent services
- Monitoring user activity in real time and reporting it back to the C2 server, grouped into broad categories such as messaging (including voice/video calls, sent texts, received images, and in-app article views on Signal and WeChat), shopping, news consumption, map searches, video streaming, gaming, dating, taxi and rideshare requests, and email checking

“Routers and edge devices remain prime targets in sophisticated targeted attack campaigns,” Talos said.
“As threat actors intensify their efforts to compromise this infrastructure, understanding the tools and TTPs they employ is critical.
The discovery of the DKnife framework highlights the advanced capabilities of modern AitM threats, which blend deep‑packet inspection, traffic manipulation, and customized malware delivery across a wide range of device types.”
CISA Orders Removal of Unsupported Edge Devices to Reduce Federal Network Risk
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered Federal Civilian Executive Branch (FCEB) agencies to strengthen asset lifecycle management for edge network devices and remove those that no longer receive security updates from original equipment manufacturers (OEMs) over the next 12 to 18 months. The agency said the move is intended to drive down technical debt and minimize the risk of compromise, as state-sponsored threat actors turn to such devices as a preferred access pathway for breaking into target networks. “Edge devices” is an umbrella term that encompasses load balancers, firewalls, routers, switches, wireless access points, network security appliances, Internet of Things (IoT) edge devices, software-defined networks, and other physical or virtual networking components that route network traffic and hold privileged access.
“Persistent cyber threat actors are increasingly exploiting unsupported edge devices – hardware and software that no longer receive vendor updates to firmware or other security patches,” CISA said. “Positioned at the network perimeter, these devices are especially vulnerable to persistent cyber threat actors exploiting a new or known vulnerability.” To assist FCEB agencies in this regard, CISA said it has developed an end-of-support edge device list that acts as a preliminary repository with information about devices that have already reached end-of-support or are expected to lose support. This list will include the product name, version number, and end-of-support date.

The newly issued Binding Operational Directive 26-02, Mitigating Risk From End-of-Support Edge Devices, requires FCEB agencies to undertake the following actions:

- Update each vendor-supported edge device running end-of-support software to a vendor-supported software version (with immediate effect)
- Catalog all devices to identify those that are end-of-support and report to CISA (within three months)
- Decommission all edge devices that are end-of-support and listed in the edge device list from agency networks and replace them with vendor-supported devices that can receive security updates (within 12 months)
- Decommission all other identified end-of-support edge devices from agency networks and replace them with vendor-supported devices that can receive security updates (within 18 months)
- Establish a lifecycle management process to enable continuous discovery of all edge devices and maintain an inventory of those that have reached or will reach end-of-support (within 24 months)

“Unsupported devices pose a serious risk to federal systems and should never remain on enterprise networks,” said CISA Acting Director Madhu Gottumukkala.
“By proactively managing asset lifecycles and removing end-of-support technology, we can collectively strengthen resilience and protect the global digital ecosystem.”
Asian State-Backed Group TGR-STA-1030 Breaches 70 Government, Infrastructure Entities
A previously undocumented cyber espionage group operating from Asia broke into the networks of at least 70 government and critical infrastructure organizations across 37 countries over the past year, according to new findings from Palo Alto Networks Unit 42. In addition, the hacking crew has been observed conducting active reconnaissance against government infrastructure associated with 155 countries between November and December 2025. Some of the entities that have been successfully compromised include five national-level law enforcement/border control entities, three ministries of finance and other government ministries, and departments that align with economic, trade, natural resources, and diplomatic functions. The activity is being tracked by the cybersecurity company under the moniker TGR-STA-1030, where “TGR” stands for temporary threat group and “STA” refers to state-backed motivation.
Evidence shows that the threat actor has been active since January 2024. While the hackers’ country of origin remains unclear, they are assessed to be of Asian origin, given the use of regional tooling and services, language setting preferences, targeting that’s consistent with events and intelligence of interest to the region, and its GMT+8 operating hours. Pete Renals, director of National Security Programs for Unit 42 at Palo Alto Networks, told The Hacker News over email that “the threat actor successfully accessed and exfiltrated sensitive data from victim email servers.” The siphoned information included financial negotiations and contracts, banking and account information, and critical military-related operational updates. Attack chains have been found to leverage phishing emails as a starting point to trick recipients into clicking on a link pointing to New Zealand-based file hosting service MEGA.
The link hosts a ZIP archive that contains an executable dubbed Diaoyu Loader and a zero-byte file named “pic1.png.” “The malware employs a dual-stage execution guardrail to thwart automated sandbox analysis,” Unit 42 said. “Beyond the hardware requirement of a horizontal screen resolution greater than or equal to 1440, the sample performs an environmental dependency check for a specific file (pic1.png) in its execution directory.” The empty PNG file acts as a file-based execution guardrail: if it’s not present in the same directory, the loader terminates before unleashing its malicious behavior. It’s only after this condition is satisfied that the malware checks for the presence of specific security products from Avira (“SentryEye.exe”), Bitdefender (“EPSecurityService.exe”), Kaspersky (“Avp.exe”), SentinelOne (“SentinelUI.exe”), and Symantec (“NortonSecurity.exe”). It’s currently not known why the threat actors have opted to look for only a narrow selection of products.

Countries targeted by TGR-STA-1030 reconnaissance between November and December 2025
The end goal of the loader is to download three images (“admin-bar-sprite.png,” “Linux.jpg,” and “Windows.jpg”) from a GitHub repository named “WordPress,” which serve as a conduit for the deployment of a Cobalt Strike payload. The associated GitHub account (“github[.]com/padeqav”) is no longer available. TGR-STA-1030 has also been observed attempting to exploit various kinds of N-day vulnerabilities impacting a large number of software products from Microsoft, SAP, Atlassian, Ruijieyi Networks, Commvault, and Eyou Email System to gain initial access to target networks. There is no evidence indicating the group has developed or leveraged any zero-day exploit in their attacks.
Among the tools put to use by the threat actor are command-and-control (C2) frameworks, web shells, and tunneling utilities:

- C2 frameworks - Cobalt Strike, VShell, Havoc, Sliver, and SparkRAT
- Web shells - Behinder, neo-reGeorg, and Godzilla
- Tunnelers - GO Simple Tunnel (GOST), Fast Reverse Proxy Server (FRPS), and IOX

It’s worth noting that the use of the aforementioned web shells is frequently linked to Chinese hacking groups. Another tool of note is a Linux kernel rootkit codenamed ShadowGuard that uses Extended Berkeley Packet Filter (eBPF) technology to conceal process information, intercept critical system calls to hide specific processes from user-space analysis tools like ps, and conceal directories and files named “swsecret.” “The group routinely leases and configures its C2 servers on infrastructure owned by a variety of legitimate and commonly known VPS providers,” Unit 42 said. “To connect to the C2 infrastructure, the group leases additional VPS infrastructure that it uses to relay traffic through.” The cybersecurity vendor said the adversary managed to maintain access to several of the impacted entities for months, indicating efforts to collect intelligence over extended periods of time. “TGR-STA-1030 remains an active threat to government and critical infrastructure worldwide.
The group primarily targets government ministries and departments for espionage purposes,” it concluded. “We assess that it prioritizes efforts against countries that have established or are exploring certain economic partnerships.” “While this group might be pursuing espionage objectives, its methods, targets, and scale of operations are alarming, with potential long-term consequences for national security and key services.”
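A cross-view check for the kind of hiding ShadowGuard does, as an added example rather than Unit 42’s tooling. An eBPF rootkit that hides a process from ps typically does so by filtering the directory-listing syscall (getdents64) that ps and `ls /proc` rely on; the check below compares that listing against a direct stat() of every candidate /proc/<pid>, which takes a different path, and applies the same trick to a directory entry named “swsecret.” The assumption, stated in the code, is that the implant filters listings but not stat; the comparison logic takes injectable functions so it can be exercised with constructed data.

```python
import os

PID_MAX_FALLBACK = 4194304   # Linux default for /proc/sys/kernel/pid_max


def listed_pids(proc: str = "/proc"):
    """PIDs as a directory listing reports them: the view ps and ls get,
    and the one an eBPF hook on getdents64 can filter."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probed_pids(proc: str = "/proc", pid_max: int = None):
    """PIDs found by asking the kernel about each candidate directly. stat()
    does not go through the directory-listing path, so an implant that only
    filters listings leaves these visible. (Assumption: the rootkit hooks
    getdents64 and not stat/newfstatat as well.)"""
    if pid_max is None:
        try:
            with open(os.path.join(proc, "sys/kernel/pid_max")) as fh:
                pid_max = int(fh.read())
        except OSError:
            pid_max = PID_MAX_FALLBACK
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.stat(os.path.join(proc, str(pid)))
        except (FileNotFoundError, ProcessLookupError):
            continue
        found.add(pid)
    return found


def pid_alive(pid: int, proc: str = "/proc") -> bool:
    return os.path.exists(os.path.join(proc, str(pid)))


def hidden_pids(list_fn=listed_pids, probe_fn=probed_pids, alive_fn=pid_alive):
    """PIDs the probe sees but the listing omits. Candidates are re-confirmed
    against a fresh listing and an existence check so a process that merely
    exited between the two views is not reported. The OS calls are injectable
    so the comparison can be tested with constructed data."""
    candidates = probe_fn() - list_fn()
    fresh = list_fn()
    return sorted(pid for pid in candidates if alive_fn(pid) and pid not in fresh)


def hidden_entry(directory: str, name: str) -> bool:
    """Same cross-view trick for files: `name` resolves, yet the directory
    listing does not show it (ShadowGuard hides entries named 'swsecret')."""
    if not os.path.exists(os.path.join(directory, name)):
        return False
    try:
        return name not in os.listdir(directory)
    except OSError:          # directory not readable by this user
        return False


if __name__ == "__main__":
    # Full-range probe is a few million stat() calls; expect it to take a while.
    hidden = hidden_pids()
    print("hidden pids:", hidden or "none")
    for directory in ("/", "/tmp", os.path.expanduser("~")):
        if os.path.isdir(directory) and hidden_entry(directory, "swsecret"):
            print("hidden entry:", os.path.join(directory, "swsecret"))
```

This only catches an implant that lies to one syscall and not the other; a rootkit that also filters stat results would pass it. A complementary check on a live host is to list the loaded eBPF programs with `bpftool prog show` and account for every one of them, since a hiding hook has to be loaded somewhere.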
How Samsung Knox Helps Stop Your Network Security Breach
As you know, enterprise network security has undergone significant evolution over the past decade. Firewalls have become more intelligent, threat detection methods have advanced, and access controls are now more detailed. However (and it’s a big “however”), the increasing use of mobile devices in business operations necessitates network security measures that are specifically tailored to their unique operating patterns. Yes, enterprises have invested heavily in robust network security such as firewalls, intrusion detection, and threat intelligence platforms.
And yes, these controls work exceptionally well for traditional endpoints—but mobile devices operate differently! They connect to corporate Wi-Fi and public networks interchangeably. They run dozens of apps with varying trust levels. They process sensitive data in coffee shops, airports, and home offices.
The challenge isn’t that organizations lack security—it’s that mobile devices need security controls that adapt to their unique usage patterns. Samsung Knox is specifically designed to address this reality. Let’s find out how.
Samsung Knox Firewall offers granular control
Change my mind: Most mobile firewalls are blunt instruments.
Traffic is either allowed or blocked, with little visibility into what’s happening—or why. That makes it hard to enforce meaningful policies or investigate issues when something goes wrong. Knox Firewall takes a more precise approach. It gives IT admins granular, per-app network controls and the transparency security teams expect.
Instead of defaulting to “allow all” or “block everything,” rules are tailored to individual applications. A confidential document viewer can be restricted to specific IP addresses. Collaboration tools can be limited to approved domains. Each app gets network access based on its risk profile—not lumped in with everything else on the device.
I think visibility is where this layer really stands out. When a user attempts to access a blocked domain, Knox Firewall logs the event with detailed context, including:
- the app package name
- the blocked domain/IP
- a timestamp
For threat hunting and incident response, this level of insight can shrink investigations from days to hours! Knox Firewall also supports IPv4 and IPv6 filtering, domain and sub-domain controls, and both per-app and device-wide modes. Because it’s built into the device architecture, it avoids the performance overhead and deployment complexity common with third-party firewalls.
Key takeaway: Knox Firewall gives IT teams granular control and complete visibility, turning a “block or allow” firewall into a proactive, investigative tool.
Zero Trust Network Access that works alongside your VPN
Perimeter security isn’t enough anymore. Access decisions need to consider device health, user identity, and context—and they need to do it continuously, not just at login. That’s where the Samsung Knox Zero Trust Network Access (ZTNA) framework comes in.
It supports Zero Trust principles while working alongside your existing VPN investments, not replacing them. By using host-based micro-segmentation, the Samsung Knox ZTNA framework isolates network traffic by app and domain. The result? A smaller attack surface and far less room for lateral movement if a device or app is compromised.
Key features include:
- split DNS tunneling to balance security and performance
- context-rich metadata (such as app package name, signature, version) to enable precise access policies
- dynamic policy evaluation at access time based on device and application context
- privacy-aware traffic handling that respects enterprise and user boundaries
Most importantly, the Samsung Knox ZTNA framework is built for real-world environments. It works alongside the VPN and mobile threat defense tools organizations already use—no rip-and-replace required! For organizations with existing VPN infrastructure, the Samsung Knox ZTNA framework enables a gradual migration path. That’s Zero Trust in practice—precise access control, reduced attack surface, and the flexibility to evolve security architecture at your own pace.
Key takeaway: The Samsung Knox ZTNA framework brings practical Zero Trust to life, working with the tools teams already trust while locking down mobile access.
The integration advantage
Samsung Knox isn’t just a collection of tools—it’s a system. Threat signals flow across the device, adapting protections in real time. A phishing alert?
That can trigger new firewall rules or even a hardware-backed lockdown. Device health, user context, and threat intelligence all work together—Zero Trust, in practice, not just on paper. Because Samsung Knox is built into Samsung Galaxy devices, you skip the chaos of multiple agents, vendors, and integrations. SOC 2 certified, GDPR-ready, and fully compatible with leading MDM, UEM, and SIEM platforms—it just works.
Mobile devices aren’t endpoints anymore—they’re entry points. And if your network security doesn’t protect them, it’s not just incomplete. It’s useless.
This article is a contributed piece from one of our valued partners.
Compromised dYdX npm and PyPI Packages Deliver Wallet Stealers and RAT Malware
Cybersecurity researchers have discovered a new supply chain attack in which legitimate packages on npm and the Python Package Index (PyPI) repository have been compromised to push malicious versions to facilitate wallet credential theft and remote code execution. The compromised versions of the two packages are listed below:
- @dydxprotocol/v4-client-js (npm): 3.4.1, 1.22.1, 1.15.2, 1.0.31
- dydx-v4-client (PyPI): 1.1.5post1
“The @dydxprotocol/v4-client-js (npm) and dydx-v4-client (PyPI) packages provide developers with tools to interact with the dYdX v4 protocol, including transaction signing, order placement, and wallet management,” Socket security researcher Kush Pandya noted. “Applications using these packages handle sensitive cryptocurrency operations.” dYdX is a non-custodial, decentralized cryptocurrency exchange for trading margin and perpetual swaps, while allowing users to retain full control over their assets. On its website, the DeFi exchange says it has surpassed $1.5 trillion in cumulative trading volume.
While it’s currently not known how these poisoned updates were pushed, it’s suspected to be a case of developer account compromise, as the rogue versions were published using legitimate publishing credentials. The changes introduced by the threat actors have been found to target both the JavaScript and Python ecosystems with different payloads. In the case of npm, the malicious code acts as a cryptocurrency wallet stealer that siphons seed phrases and device information. The Python package, on the other hand, also incorporates a remote access trojan (RAT) along with the wallet stealer functionality.
The RAT component, which is run as soon as the package is imported, contacts an external server (“dydx.priceoracle[.]site/py”) to retrieve commands for subsequent execution on the host. On Windows systems, it makes use of the “CREATE_NO_WINDOW” flag to ensure that it’s executed without a console window. “The threat actor demonstrated detailed knowledge of the package internals, inserting malicious code into core registry files (registry.ts, registry.js, account.py) that would execute during normal package usage,” Pandya said. “The 100-iteration obfuscation in the PyPI version and the coordinated cross-ecosystem deployment suggest the threat actor had direct access to publishing infrastructure rather than exploiting a technical vulnerability in the registries themselves.” Following responsible disclosure on January 28, 2026, dYdX acknowledged the incident in a series of posts on X, and urged users who may have downloaded the compromised versions to isolate affected machines, move funds to a new wallet from a clean system, and rotate all API keys and credentials.
“The versions of dydx-v4-clients hosted in the dydxprotocol Github do not contain the malware,” it added. This is not the first time the dYdX ecosystem has been the target of supply chain attacks. In September 2022, Mend and Bleeping Computer reported a similar case where the npm account of a dYdX staff member was hijacked to publish new versions of multiple npm packages that contained code to steal credentials and other sensitive data. Two years later, the exchange also divulged that the website associated with its now-discontinued dYdX v3 platform was compromised to redirect users to a phishing site with the goal of draining their wallets.
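The compromised version list from the article, checked against a project's lockfiles, as an added example (not Socket's or dYdX's code); the package-lock.json and requirements samples are constructed, and the PEP 440/503 normalisation is there because pip treats "1.1.5post1" and "1.1.5.post1" as the same release.

```python
"""Audit lockfiles for the compromised dYdX client versions named in the article.

Added example (not Socket's or dYdX's code). The version lists below are copied
from the article; the lockfile and requirements samples are constructed inline.
"""
import json
import re

# Compromised releases reported by Socket (from the article).
COMPROMISED = {
    "npm": {"@dydxprotocol/v4-client-js": {"3.4.1", "1.22.1", "1.15.2", "1.0.31"}},
    "pypi": {"dydx-v4-client": {"1.1.5post1"}},
}


def normalize_pypi_name(name):
    """PEP 503 normalisation: case-insensitive, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def normalize_pypi_version(version):
    """Fold PEP 440 post-release spellings ('1.1.5post1', '1.1.5-POST1') into '1.1.5.post1'.

    pip and PyPI treat these as the same release, so a naive string compare
    against '1.1.5post1' would miss a pinned '1.1.5.post1'.
    """
    return re.sub(r"[-_.]?post", ".post", version.strip().lower())


def find_npm_hits(lockfile_text):
    """Return (name, version, lock_path) for every compromised entry in a package-lock.json.

    Handles the lockfileVersion 2/3 'packages' map (including nested node_modules
    paths) and falls back to the v1 nested 'dependencies' tree.
    """
    lock = json.loads(lockfile_text)
    bad = COMPROMISED["npm"]
    hits = []
    packages = lock.get("packages")
    if packages is not None:
        for path, meta in packages.items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            if meta.get("version") in bad.get(name, ()):
                hits.append((name, meta["version"], path))
        return hits

    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if meta.get("version") in bad.get(name, ()):
                hits.append((name, meta["version"], path))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return hits


# Matches pinned lines such as 'dydx-v4-client==1.1.5post1 ; python_version >= "3.9"'.
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def find_pypi_hits(requirements_text):
    """Return (name, version) as written for every compromised pin in requirements/pip-freeze text."""
    bad = {normalize_pypi_name(n): {normalize_pypi_version(v) for v in vs}
           for n, vs in COMPROMISED["pypi"].items()}
    hits = []
    for line in requirements_text.splitlines():
        m = REQ_LINE.match(line)
        if not m:
            continue
        name, version = m.group(1), m.group(2)
        if normalize_pypi_version(version) in bad.get(normalize_pypi_name(name), ()):
            hits.append((name, version))
    return hits


# Constructed sample inputs (not real project files).
SAMPLE_LOCK = json.dumps({
    "name": "trading-bot", "lockfileVersion": 3,
    "packages": {
        "": {"name": "trading-bot", "version": "0.1.0"},
        "node_modules/@dydxprotocol/v4-client-js": {"version": "1.22.1"},
        "node_modules/@dydxprotocol/v4-proto": {"version": "4.0.0"},
        "node_modules/some-sdk/node_modules/@dydxprotocol/v4-client-js": {"version": "3.4.0"},
    },
})
SAMPLE_REQUIREMENTS = """\
# constructed pip freeze output
requests==2.32.3
dydx-v4-client==1.1.5.post1
Dydx_V4_Client == 1.1.5post1 ; python_version >= "3.9"
"""

if __name__ == "__main__":
    for hit in find_npm_hits(SAMPLE_LOCK):
        print("npm  COMPROMISED:", hit)
    for hit in find_pypi_hits(SAMPLE_REQUIREMENTS):
        print("pypi COMPROMISED:", hit)
```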
“Viewed alongside the 2022 npm supply chain compromise and the 2024 DNS hijacking incident, this attack highlights a persistent pattern of adversaries targeting dYdX-related assets through trusted distribution channels,” Socket said. “The nearly identical credential theft implementations across languages indicate deliberate planning. The threat actor maintained consistent exfiltration endpoints, API keys, and device fingerprinting logic while deploying ecosystem-specific attack vectors. The npm version focuses on credential theft, while the PyPI version adds persistent system access.”
Supply Chain Risks with Non-Existent Packages
The disclosure comes as Aikido detailed how npm packages referenced in README files and scripts but never actually published pose an attractive supply chain attack vector, allowing a threat actor to publish packages under those names to distribute malware.
The discovery is the latest manifestation of the growing sophistication of software supply chain threats, allowing bad actors to compromise several users at once by exploiting the trust associated with open-source repositories. “Sophisticated attackers are moving upstream into the software supply chain because it provides a deep, low-noise initial access path into downstream environments,” Sygnia’s Omer Kidron said. “The same approach supports both precision compromise (a specific vendor, maintainer, or build identity) and opportunistic attacks at scale (‘spray’) through widely trusted ecosystems – making it relevant to all organizations, regardless of whether they see themselves as primary targets.” Aikido’s analysis found that the 128 phantom packages collectively racked up 121,539 downloads between July 2025 and January 2026, averaging 3,903 downloads per week and reaching a peak of 4,236 downloads last month. The packages with the most downloads are listed below:
- openapi-generator-cli (48,356 downloads), which mimics @openapitools/openapi-generator-cli
- cucumber-js (32,110 downloads), which mimics @cucumber/cucumber
- depcruise (15,637 downloads), which mimics dependency-cruiser
- jsdoc2md (4,641 downloads)
- grpc_tools_node_protoc (4,518 downloads)
- vue-demi-switch (1,166 downloads)
“Openapi-generator-cli saw 3,994 downloads in just the last seven days,” security researcher Charlie Eriksen said.
“That’s nearly 4,000 times someone tried to run a command that doesn’t exist. In one week.” The findings highlight a blind spot in npm’s typosquatting protections, which, while actively blocking attempts to claim names with similar spelling to that of existing packages, don’t prevent a user from creating packages with names that were never registered in the first place, as there is nothing to compare against. To mitigate the risk of npx confusion, Aikido recommends taking the following steps:
- Use “npx --no-install” to block registry fallback, causing an installation to fail if a package is not found locally
- Install CLI tools explicitly
- Verify a package exists if the documentation asks users to run it
- Register obvious aliases and misspellings to prevent a bad actor from claiming them
“The npm ecosystem has millions of packages,” Eriksen said. “Developers run npx commands thousands of times daily.
The gap between ‘convenient default’ and ‘arbitrary code execution’ is one unclaimed package name.”
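A small audit of the npx confusion described above, as an added example rather than Aikido's or npm's code: it pulls every `npx <name>` invocation out of a README, reports the ones that would not resolve locally (and so would fall back to the registry), and rewrites commands with the `--no-install` mitigation; the README text and the set of locally resolvable names are constructed.

```python
"""Flag `npx <name>` invocations in docs/scripts that would fall back to the npm registry.

Added example, not Aikido's or npm's code. It models npx's resolution rule as:
a target is safe to invoke only if it resolves locally (an installed package
name or a node_modules/.bin entry); anything else is a registry fetch of a name
that may be unclaimed. The README and the locally-resolvable set are constructed.
"""
import re
import shlex

# An `npx ...` command up to end of line or a shell/markdown delimiter.
NPX_CMD = re.compile(r"\bnpx\s+([^\n`|&;]+)")


def package_name(spec):
    """Strip a version/tag suffix: '@scope/name@1.2.3' -> '@scope/name', 'name@latest' -> 'name'."""
    if spec.startswith("@"):
        scope, _, rest = spec[1:].partition("/")
        return "@" + scope + "/" + rest.split("@", 1)[0]
    return spec.split("@", 1)[0]


def invoked_package(args):
    """Which package an npx argument list resolves: -p/--package wins, else the first positional."""
    i = 0
    while i < len(args):
        tok = args[i]
        if tok in ("-p", "--package") and i + 1 < len(args):
            return package_name(args[i + 1])
        if tok.startswith("--package="):
            return package_name(tok.split("=", 1)[1])
        if tok.startswith("-"):  # other flags such as -y / --yes
            i += 1
            continue
        return package_name(tok)
    return None


def phantom_invocations(doc_text, locally_resolvable):
    """Return, in order of first appearance, npx targets that are not resolvable locally."""
    found = []
    for m in NPX_CMD.finditer(doc_text):
        try:
            args = shlex.split(m.group(1))
        except ValueError:  # unbalanced quotes in prose; skip rather than guess
            continue
        name = invoked_package(args)
        if name and name not in locally_resolvable and name not in found:
            found.append(name)
    return found


def harden_npx_commands(doc_text):
    """Insert --no-install (the article's mitigation) so a missing package fails instead of fetching."""
    return re.sub(r"\bnpx\s+(?!--no-install\b)", "npx --no-install ", doc_text)


# Constructed sample README and project state.
SAMPLE_README = """\
## Usage (constructed sample README)
Generate the client:

    npx openapi-generator-cli generate -i spec.yaml -g typescript-axios

Run the tests with `npx -y cucumber-js --tags @smoke` and check the
dependency graph with `npx depcruise src`.
Lint via `npx --package=eslint@9 eslint .`.
"""
# Constructed: package names from package.json plus node_modules/.bin entries.
LOCALLY_RESOLVABLE = {"@openapitools/openapi-generator-cli", "openapi-generator-cli", "eslint"}

if __name__ == "__main__":
    for name in phantom_invocations(SAMPLE_README, LOCALLY_RESOLVABLE):
        print("would fall back to the registry:", name)
    print(harden_npx_commands("npx cucumber-js"))
```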
Claude Opus 4.6 Finds 500+ High-Severity Flaws Across Major Open-Source Libraries
Artificial intelligence (AI) company Anthropic revealed that its latest large language model (LLM), Claude Opus 4.6, has found more than 500 previously unknown high-severity security flaws in open-source libraries, including Ghostscript, OpenSC, and CGIF. Claude Opus 4.6, which was launched Thursday, comes with improved coding skills, including code review and debugging capabilities, along with enhancements to tasks like financial analyses, research, and document creation. Stating that the model is “notably better” at discovering high-severity vulnerabilities without requiring any task-specific tooling, custom scaffolding, or specialized prompting, Anthropic said it is putting it to use to find and help fix vulnerabilities in open-source software. “Opus 4.6 reads and reasons about code the way a human researcher would—looking at past fixes to find similar bugs that weren’t addressed, spotting patterns that tend to cause problems, or understanding a piece of logic well enough to know exactly what input would break it,” it added.
Prior to its debut, Anthropic’s Frontier Red Team put the model to test inside a virtualized environment and gave it the necessary tools, such as debuggers and fuzzers, to find flaws in open-source projects. The idea, it said, was to assess the model’s out-of-the-box capabilities without providing any instructions on how to use these tools or providing information that could help it better flag the vulnerabilities. The company also said it validated every discovered flaw to make sure that it was not made up (i.e., hallucinated), and that the LLM was used as a tool to prioritize the most severe memory corruption vulnerabilities that were identified. Some of the security defects that were flagged by Claude Opus 4.6 are listed below.
They have since been patched by the respective maintainers.
- Parsing the Git commit history to identify a vulnerability in Ghostscript that could result in a crash by taking advantage of a missing bounds check
- Searching for function calls like strrchr() and strcat() to identify a buffer overflow vulnerability in OpenSC
- A heap buffer overflow vulnerability in CGIF (fixed in version 0.5.1)
“This vulnerability is particularly interesting because triggering it requires a conceptual understanding of the LZW algorithm and how it relates to the GIF file format,” Anthropic said of the CGIF bug. “Traditional fuzzers (and even coverage-guided fuzzers) struggle to trigger vulnerabilities of this nature because they require making a particular choice of branches.” “In fact, even if CGIF had 100% line- and branch-coverage, this vulnerability could still remain undetected: it requires a very specific sequence of operations.” The company has pitched AI models like Claude as a critical tool for defenders to “level the playing field.” But it also emphasized that it will adjust and update its safeguards as potential threats are discovered and put in place additional guardrails to prevent misuse. The disclosure comes weeks after Anthropic said its current Claude models can succeed at multi-stage attacks on networks with dozens of hosts using only standard, open-source tools by finding and exploiting known security flaws.
“This illustrates how barriers to the use of AI in relatively autonomous cyber workflows are rapidly coming down, and highlights the importance of security fundamentals like promptly patching known vulnerabilities,” it said.
AISURU/Kimwolf Botnet Launches Record-Setting 31.4 Tbps DDoS Attack
The distributed denial-of-service ( DDoS ) botnet known as AISURU/Kimwolf has been attributed to a record-setting attack that peaked at 31.4 Terabits per second (Tbps) and lasted only 35 seconds. Cloudflare, which automatically detected and mitigated the activity, said it’s part of a growing number of hyper-volumetric HTTP DDoS attacks mounted by the botnet in the fourth quarter of 2025. The attack took place in November 2025. AISURU/Kimwolf has also been linked to another DDoS campaign codenamed The Night Before Christmas that commenced on December 19, 2025.
Per Cloudflare, the average size of the hyper-volumetric DDoS attacks during the campaign was 3 billion packets per second (Bpps), 4 Tbps, and 54 million requests per second (Mrps), with the maximum rates touching 9 Bpps, 24 Tbps, and 205 Mrps. “DDoS attacks surged by 121% in 2025, reaching an average of 5,376 attacks automatically mitigated every hour,” Cloudflare’s Omer Yoachimik and Jorge Pacheco said. “In 2025, the total number of DDoS attacks more than doubled to an incredible 47.1 million.” The web infrastructure company noted that it mitigated 34.4 million network-layer DDoS attacks in 2025, compared to 11.4 million in 2024. In Q4 2025 alone, network-layer DDoS attacks accounted for 78% of all DDoS attacks.
Put together, the number of DDoS attacks surged by 31% over the previous quarter and 58% over 2024. In 2025 Q4, hyper-volumetric attacks increased by 40% compared to the previous quarter, witnessing a jump from 1,304 to 1,824. A total of 717 attacks were recorded in Q1 2025. The spike in the number of attacks has been complemented by an uptick in the size of these attacks, growing by over 700% compared to the large attacks seen in late 2024.
AISURU/Kimwolf has ensnared more than 2 million Android devices, most of which are compromised, off-brand Android TVs, into its botnet, often by tunneling through residential proxy networks like IPIDEA. Last month, Google disrupted the proxy network and initiated legal action to take down dozens of domains used to control devices and proxy traffic through them. It also partnered with Cloudflare to disrupt IPIDEA’s domain resolution, impacting their ability to command and control infected devices and market their products. “As part of the Google-led disruption effort, Cloudflare participated by suspending access to many accounts and domains that were misusing its infrastructure,” Cloudflare told The Hacker News over email.
“Threat actors were attempting to distribute malware and provide markets for people seeking access to the network of illicit residential proxies.” IPIDEA is assessed to have enrolled devices using at least 600 trojanized Android apps that embedded various proxy software development kits (SDKs), and over 3,000 trojanized Windows binaries posing as OneDriveSync or Windows updates. Furthermore, the Beijing-based company has advertised several VPN and proxy apps that silently turned users’ Android devices into proxy exit nodes without their knowledge or consent. What’s more, the operators have been found to run at least a dozen residential proxy businesses that masquerade as legitimate services. Behind the scenes, all these offerings are connected to a centralized infrastructure that’s under the control of IPIDEA.
Some of the other noteworthy trends observed by Cloudflare during Q4 2025 are as follows:
- Telecommunications, service providers, and carriers emerged as the most attacked sector, followed by information technology, gambling, gaming, and computer software verticals.
- China, Hong Kong, Germany, Brazil, the U.S., the U.K., Vietnam, Azerbaijan, India, and Singapore were the most attacked countries.
- Bangladesh surpassed Indonesia to become the largest source of DDoS attacks. Other top sources included Ecuador, Indonesia, Argentina, Hong Kong, Ukraine, Vietnam, Taiwan, Singapore, and Peru.
“DDoS attacks are rapidly growing in sophistication and size, surpassing what was previously imaginable,” Cloudflare said. “This evolving threat landscape presents a significant challenge for many organizations to keep pace. Organizations currently relying on on-premise mitigation appliances or on-demand scrubbing centers may benefit from re-evaluating their defense strategy.”
ThreatsDay Bulletin: Codespaces RCE, AsyncRAT C2, BYOVD Abuse, AI Cloud Intrusions & 15+ Stories
This week didn’t produce one big headline. It produced many small signals — the kind that quietly shape what attacks will look like next. Researchers tracked intrusions that start in ordinary places: developer workflows, remote tools, cloud access, identity paths, and even routine user actions. Nothing looked dramatic on the surface.
That’s the point. Entry is becoming less visible while impact scales later. Several findings also show how attackers are industrializing their work — shared infrastructure, repeatable playbooks, rented access, and affiliate-style ecosystems. Operations are no longer isolated campaigns.
They run more like services. This edition pulls those fragments together — short, precise updates that show where techniques are maturing, where exposure is widening, and what patterns are forming behind the noise.
Startup espionage expansion
Operation Nomad Leopard Targets Afghanistan
In a sign that the threat actor has moved beyond government targets, the Pakistan-aligned APT36 threat actor has been observed targeting India’s startup ecosystem, using ISO files and malicious LNK shortcuts with sensitive, startup-themed lures to deliver Crimson RAT, enabling comprehensive surveillance, data exfiltration, and system reconnaissance. The initial access vector is a spear-phishing email carrying an ISO image.
Once executed, the ISO contains a malicious shortcut file and a folder holding three files: a decoy document, a batch script that acts as the persistence mechanism, and the final Crimson RAT payload, disguised as an executable named Excel. “Despite this expansion, the campaign remains closely aligned with Transparent Tribe’s historical focus on Indian government and defense-adjacent intelligence collection, with overlap suggesting that startup-linked individuals may be targeted for their proximity to government, law enforcement, or security operations,” Acronis said.
Shared cybercrime infrastructure
ShadowSyndicate Levels Up with New Tactics
The threat activity cluster known as ShadowSyndicate has been linked to two additional SSH markers that connect dozens of servers to the same cybercrime operator. These hosts are then used for a wide range of malicious activities by various threat clusters linked to Cl0p, BlackCat, Ryuk, Malsmoke, and Black Basta.
A notable finding is that the threat actor tends to transfer servers between their SSH clusters. ShadowSyndicate continues to be associated with toolkits including Cobalt Strike, Metasploit, Havoc, Mythic, Sliver, AsyncRAT, MeshAgent, and Brute Ratel. “The threat actor tends to reuse previously employed infrastructure, sometimes rotating various SSH keys across their servers,” Group-IB said. “If such a technique is performed correctly, the infrastructure is transferred subsequently, much like in a legitimate scenario, when a server goes to a new user.”
Ransomware KEV expansion
CISA Marks 59 CVEs as Exploited in Ransomware Attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has tweaked 59 actively exploited vulnerability notices in 2025 to reflect their use by ransomware groups. That list includes 16 entries for Microsoft, six for Ivanti, five for Fortinet, three for Palo Alto Networks, and three for Zimbra. “When it flips from ‘Unknown’ to ‘Known,’ reassess, especially if you’ve been deprioritizing that patch because ‘it’s not ransomware-related yet,’” GreyNoise’s Glenn Thorpe said.
Espionage and DDoS arrests
Polish Authorities Detain Two People
Polish authorities have detained a 60-year-old employee of the country’s defense ministry on suspicion of spying for a foreign intelligence agency.
The suspect worked in the Ministry of National Defense’s strategy and planning department, including on military modernization projects, officials said. While the name of the country was not revealed, Polish state officials told local media that the suspect had worked with Russian and Belarusian intelligence services. In a related development, Poland’s Central Bureau for Combating Cybercrime (CBZC) said a 20-year-old man has been arrested for allegedly conducting distributed denial-of-service (DDoS) attacks on high-profile websites, including those of strategic importance. The individual faces six charges and a potential five-year prison sentence.
Codespaces RCE vectors
Supply-Chain Attack Vectors in GitHub Codespaces
Multiple attack vectors have been disclosed in GitHub Codespaces that allow remote code execution simply by opening a malicious repository or pull request. The identified vectors include: (1) .vscode/settings.json with PROMPT_COMMAND injection, (2) .devcontainer/devcontainer.json with postCreateCommand injection, and (3) .vscode/tasks.json with folderOpen auto-run tasks. “By abusing VS Code-integrated configuration files that Codespaces automatically respects, an adversary can execute arbitrary commands, exfiltrate GitHub tokens and secrets, and even abuse hidden APIs to access premium Copilot models,” Orca Security researcher Roi Nisimi said. Microsoft has deemed the behavior to be by design.
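A pre-open check for the three configuration vectors listed above, as an added example (not Orca's or GitHub's code): it parses the VS Code JSONC files in a checkout and reports every setting that would run a command when the workspace opens; it goes slightly beyond the article by also flagging BASH_ENV and ENV in the terminal environment, and the sample repository it scans is constructed in a temporary directory.

```python
"""Scan a checkout for VS Code / devcontainer settings that execute commands on open.

Added example, not Orca's or GitHub's code. Covers the article's three vectors
(PROMPT_COMMAND via terminal env in .vscode/settings.json, lifecycle commands in
devcontainer.json, folderOpen tasks in .vscode/tasks.json); beyond the article it
also flags BASH_ENV and ENV, which bash/sh source at startup the same way.
"""
import json
import re
import tempfile
from pathlib import Path

LIFECYCLE_KEYS = ("initializeCommand", "onCreateCommand", "updateContentCommand",
                  "postCreateCommand", "postStartCommand", "postAttachCommand")
SHELL_HOOK_VARS = ("PROMPT_COMMAND", "BASH_ENV", "ENV")


def strip_jsonc(text):
    """Drop // and /* */ comments and trailing commas outside strings (VS Code JSONC -> JSON)."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:  # copy the escaped character verbatim
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j < 0 else j  # keep the newline itself
            continue
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
            continue
        else:
            out.append(c)
        i += 1
    # Trailing-comma removal; it could also hit a ", }" inside a string value, which stays parseable.
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def load_jsonc(path):
    return json.loads(strip_jsonc(path.read_text(encoding="utf-8")))


def scan_repo(root):
    """Return (file, key, command) for every auto-executing hook found under root."""
    root, findings = Path(root), []
    settings = root / ".vscode/settings.json"
    if settings.is_file():
        for key, val in load_jsonc(settings).items():
            if key.startswith("terminal.integrated.env.") and isinstance(val, dict):
                for var, cmd in val.items():
                    if var in SHELL_HOOK_VARS:
                        findings.append((".vscode/settings.json", f"{key}.{var}", str(cmd)))
    for rel in (".devcontainer/devcontainer.json", ".devcontainer.json"):
        dc = root / rel
        if dc.is_file():
            data = load_jsonc(dc)
            for key in LIFECYCLE_KEYS:
                if key in data:
                    findings.append((rel, key, json.dumps(data[key])))
    tasks = root / ".vscode/tasks.json"
    if tasks.is_file():
        for task in load_jsonc(tasks).get("tasks", []):
            if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
                label = task.get("label", "?")
                findings.append((".vscode/tasks.json", f"tasks[{label}].runOptions.runOn", str(task.get("command"))))
    return findings


def build_sample_repo(root):
    """Write a constructed repository with one benign-looking instance of each vector (JSONC syntax included)."""
    root = Path(root)
    (root / ".vscode").mkdir(parents=True, exist_ok=True)
    (root / ".devcontainer").mkdir(exist_ok=True)
    (root / ".vscode/settings.json").write_text(
        '{\n  // editor prefs\n  "editor.tabSize": 2,\n'
        '  "terminal.integrated.env.linux": { "PROMPT_COMMAND": "echo constructed-sample", },\n}\n')
    (root / ".devcontainer/devcontainer.json").write_text(
        '{ "image": "mcr.microsoft.com/devcontainers/base", /* runs after create */\n'
        '  "postCreateCommand": ["npm", "ci"] }\n')
    (root / ".vscode/tasks.json").write_text(
        '{ "version": "2.0.0", "tasks": [\n'
        '  { "label": "build", "type": "shell", "command": "make", "runOptions": { "runOn": "folderOpen" } },\n'
        '  { "label": "test", "type": "shell", "command": "make test" }\n] }\n')


def scan_sample():
    """Build the constructed repository in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        return scan_repo(tmp)

if __name__ == "__main__":
    for finding in scan_sample():
        print("REVIEW before opening:", finding)
```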
Nordic finance targeting
Lazarus Group Linked to New Campaign Targeting the Nordics
The financial sector in the Nordics has been targeted by the North Korea-linked Lazarus Group as part of a long-running campaign dubbed Contagious Interview that drops a stealer and downloads a payload named BeaverTail. “BeaverTail contains functionality that will automatically search the victim’s machine for cryptocurrency-related data, but can also be used as a remote access tool for further attacks,” TRUESEC said.
Volunteer DDoS force
NoName057(16) and DDoSia Project Detailed
In a new analysis, SOCRadar said the pro-Russian hacktivist outfit known as NoName057(16) is using a volunteer-distributed DDoS weapon called DDoSia Project to disrupt government, media, and institutional websites tied to Ukraine and Western political interests. Through active Telegram channels with over 20,000 followers, the group frames the disruptive (but non-destructive) attacks as “self-defense” against Western aggression and provides real-time evidence of successful disruptions.
Its ideologically driven campaigns often coincide with major geopolitical events, countering sanctions and military aid announcements with retaliatory cyber attacks. “Unlike traditional botnets that compromise systems without user knowledge, DDoSia operates on a disturbing premise: thousands of willing participants knowingly install the tool and coordinate attacks against targets designated by the group’s operators,” SOCRadar said. “Through propaganda, gamification, and cryptocurrency rewards, NoName057(16) has built a distributed attack force that requires minimal technical skill to join, yet demonstrates remarkable operational sophistication.” According to Censys, targeting of the purpose-built tool is heavily focused on Ukraine, European allies, and NATO states in government, military, transportation, public utilities, financial, and tourism sectors.
Affiliate crypto drainers
Rublevka Team, a Russian Crypto Drainer Operation
A major cybercriminal operation dubbed Rublevka Team has specialized in large-scale cryptocurrency theft since its inception in 2023, generating over $10 million through affiliate-driven wallet draining campaigns.
“Rublevka Team is an example of a ‘traffer team,’ composed of a network of thousands of social engineering specialists tasked with directing victim traffic to malicious pages,” Recorded Future said. “Unlike traditional malware-based approaches such as those used by the trafficker teams Markopolo and Crazy Evil, Rublevka Team deploys custom JavaScript scripts via spoofed landing pages that impersonate legitimate crypto services, tricking victims into connecting their wallets and authorizing fraudulent transactions.” Rublevka Team offers affiliates access to fully automated Telegram bots, landing page generators, evasion features, and support for over 90 wallet types. This further lowers the technical barrier to entry, allowing the threat actors to build an extensive ecosystem of global affiliates capable of launching high-volume scams with minimal oversight. Rublevka Team’s primary Telegram channel has approximately 7,000 members to date.
TLS deprecation deadline
Microsoft Urges Migration to TLS 1.2 for Azure Blob Storage
Microsoft is urging customers to secure their infrastructure with Transport Layer Security (TLS) version 1.2 for Azure Blob Storage, and remove dependencies on TLS version 1.0 and 1.1. “On February 3, 2026, Azure Blob Storage will stop supporting versions 1.0 and 1.1 of Transport Layer Security (TLS),” Microsoft said. “TLS 1.2 will become the new minimum TLS version. This change impacts all existing and new blob storage accounts, using TLS 1.0 and 1.1 in all clouds.
Storage accounts already using TLS 1.2 aren’t impacted by this change.”
Voicemail social engineering
German-Language Voicemail Lure Leads to Remote Access
In a new campaign, fake voicemail messages with bank-themed subdomains have been found to direct targets to a convincing “listen to your message” experience that’s designed to look routine and trustworthy. In reality, the attack leads to the deployment of Remotely RMM, a legitimate remote access software, that enrolls the victim system into an attacker-controlled environment to enable persistent remote access and management. “The flow relies on social engineering rather than exploits, using lures to persuade users to approve installation steps,” Censys said. “The end goal is installation of an RMM (remote monitoring and management) tool, enrolling the device into an attacker-controlled environment.”
Global proxy botnet
SystemBC Botnet Has Over 10K Infected IPs
A long-running malware operation known as SystemBC (aka Coroxy or DroxiDat) has been tied to more than 10,000 infected IP addresses globally, including systems associated with sensitive government infrastructure in Burkina Faso and Vietnam.
The highest concentration of infected IP addresses has been observed in the U.S., followed by Germany, France, Singapore, and India, per Silent Push. Known to be active since at least 2019, the malware is commonly used to proxy traffic through compromised systems, to maintain persistent access to internal networks, or deploy additional malware. “SystemBC-associated infrastructure presents a sustained risk due to its role early in intrusion chains and its use across multiple threat actors,” Silent Push said. “Proactive monitoring is critical, as activity tied to SystemBC is often a precursor to ransomware deployment and other follow-on abuse.”
Screensaver initial access
Windows Screensavers Lead to RMM Deployment
A new spear-phishing campaign using business-themed lures has been observed luring users into running a Windows screensaver (.SCR) file that discreetly installs a legitimate RMM tool like SimpleHelp, giving attackers interactive remote control.
“The delivery chain is built to evade reputation-based defenses by hiding behind trusted services,” ReliaQuest said. “This reduces attacker-owned infrastructure and makes takedown and containment slower and less straightforward. SCR files are a reliable initial-access vector because they’re executables that don’t always receive executable-level controls. When users download and run them from email or cloud links, attackers can trigger code execution while bypassing policies tuned primarily for EXE and MSI files.”
Driver abuse escalation
BYOVD Attacks Become the Norm in Ransomware Playbook
Threat actors are abusing a legitimate but revoked Guidance Software (EnCase) kernel driver as part of a bring your own vulnerable driver (BYOVD) attack to elevate privileges and attempt to disarm 59 security tools.
In an attack observed earlier this month, attackers leveraged compromised SonicWall SSL-VPN credentials to gain initial access to a victim network and deployed an EDR-killing tool that abused the driver (“EnPortv.sys”) to terminate security processes from kernel mode. “The attack was disrupted before ransomware deployment, but the case highlights a growing trend: threat actors weaponizing signed, legitimate drivers to blind endpoint security,” Huntress researchers Anna Pham and Dray Agha said. “The EnCase driver’s certificate expired in 2010 and was subsequently revoked, yet Windows still loads it, a gap in Driver Signature Enforcement that attackers continue to exploit.”
Ransomware crypto bug
Flaw in Nitrogen Ransomware’s VMware ESXi Variant
Security researchers have discovered a coding mistake in Nitrogen ransomware that causes it to encrypt all the files with the wrong public key, irrevocably corrupting them. “This means that even the threat actor is incapable of decrypting them, and that victims that are without viable backups have no ability to recover their ESXi encrypted servers,” Coveware said.
“Paying a ransom will not assist these victims, as the decryption key/tool will not work.”

AI cloud escalation
AI-Assisted Cloud Intrusion Achieves Admin Access in Less Than 10 Minutes
An offensive cloud operation targeting an Amazon Web Services (AWS) environment went from initial access to administrative privileges in eight minutes. The speed of the attack notwithstanding, Sysdig said the activity bears hallmarks of large language model (LLM) use to automate reconnaissance, generate malicious code, and make real-time decisions. “The threat actor gained initial access to the victim’s AWS account through credentials discovered in public Simple Storage Service (S3) buckets,” Sysdig said. “Then, they rapidly escalated privileges through Lambda function code injection, moved laterally across 19 unique AWS principals, abused Amazon Bedrock for LLMjacking, and launched GPU instances for model training.”

Cloud phishing chain
Fake Dropbox Phishing Campaign Conducts Credential Theft
A phishing scheme has utilized phishing emails themed around procurements and tenders to distribute PDF attachments that initiate a multi-stage attack chain to steal users’ Dropbox credentials and send them to a Telegram bot.
Once the data is transmitted, the page simulates a login process using a 5-second delay and is configured to display an “Invalid email or password” error message. “The malicious chain relies on seemingly legitimate cloud infrastructure, such as Vercel Blob storage, to host a PDF that ultimately redirects victims to a Dropbox-impersonation page designed to harvest credentials,” Forcepoint said. “Because Dropbox is a familiar and trusted brand, the request for credentials appeared reasonable to the unsuspecting users. It’s here that the campaign moves from deception to impact.”

Sandbox escape flaw
Critical Flaw in Sandboxie
A critical-rated security flaw in Sandboxie (CVE-2025-64721, CVSS score: 9.9) has been disclosed that, if successfully exploited, could allow sandboxed processes to execute arbitrary code as SYSTEM, fully compromising the host.
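The root cause described in this item, a bounds check on a client-supplied message length that can wrap because no integer overflow check is done, shown as an added C illustration that is not Sandboxie's or depthfirst's code: the message header format is constructed for the example, and the vulnerable check sits beside a hardened parser that validates the length without any arithmetic that can overflow.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for illustration (not Sandboxie's real IPC layout):
 * an 8-byte header followed by payload_len bytes of payload, all supplied by
 * the client and therefore untrusted. */
typedef struct {
    uint32_t msg_id;
    uint32_t payload_len;   /* client-controlled, must be validated */
} msg_header_t;

#define MAX_PAYLOAD 4096u

/* The defect class: the bounds check is done with a 32-bit sum, so a
 * payload_len close to UINT32_MAX wraps the sum to a small number and the
 * check passes even though the claimed payload runs far past the buffer. */
bool length_ok_unsafe(uint32_t hdr_len, uint32_t payload_len, uint32_t buf_len)
{
    uint32_t end = hdr_len + payload_len;    /* may wrap around */
    return end <= buf_len;
}

/* Hardened check: compare against the remaining space instead of summing,
 * so no intermediate value can overflow; also cap the payload at a sane
 * maximum regardless of what the client claims. */
bool length_ok_safe(uint32_t hdr_len, uint32_t payload_len, uint32_t buf_len)
{
    if (hdr_len > buf_len)
        return false;                        /* header alone does not fit */
    if (payload_len > MAX_PAYLOAD)
        return false;                        /* implausible claim, reject */
    return payload_len <= buf_len - hdr_len; /* subtraction cannot wrap here */
}

/* Builds a message into buf; payload_len_field is written into the header
 * independently of the actual payload bytes so a test can forge a lying
 * header. Returns bytes written. Caller guarantees buf is large enough. */
uint32_t make_message(uint8_t *buf, uint32_t msg_id, uint32_t payload_len_field,
                      const uint8_t *payload, uint32_t payload_bytes)
{
    msg_header_t hdr = { msg_id, payload_len_field };
    memcpy(buf, &hdr, sizeof hdr);           /* host byte order, as in local IPC */
    memcpy(buf + sizeof hdr, payload, payload_bytes);
    return (uint32_t)sizeof hdr + payload_bytes;
}

/* Copies the payload of a received message into out. Returns the payload
 * length, or -1 if the header lies about the length or it will not fit. */
int parse_message_safe(const uint8_t *buf, uint32_t buf_len,
                       uint8_t *out, uint32_t out_cap)
{
    msg_header_t hdr;
    if (buf_len < sizeof hdr)
        return -1;
    memcpy(&hdr, buf, sizeof hdr);           /* no pointer cast into the buffer */
    if (!length_ok_safe((uint32_t)sizeof hdr, hdr.payload_len, buf_len))
        return -1;
    if (hdr.payload_len > out_cap)
        return -1;                           /* destination too small */
    memcpy(out, buf + sizeof hdr, hdr.payload_len);
    return (int)hdr.payload_len;
}

int main(void)
{
    uint8_t buf[64], out[64];
    uint32_t n = make_message(buf, 2, UINT32_MAX - 3, (const uint8_t *)"hi", 2);
    printf("unsafe check accepts forged length: %d\n", length_ok_unsafe(8, UINT32_MAX - 3, n));
    printf("safe parser result (expect -1): %d\n", parse_message_safe(buf, n, out, sizeof out));
    return 0;
}
```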
The problem is rooted in a service named “SboxSvc.exe,” which runs with SYSTEM permissions and functions as the “Responsible Adult” between sandboxed processes and the real computer resources. The issue has been addressed in version 1.16.7. “In this case, the reliance on manual C-style pointer arithmetic over a safe interface definition (like IDL) left a gap,” depthfirst researcher Mav Levin, who discovered the vulnerability, said. “A single missing integer overflow check, coupled with implicit trust in client-provided message lengths, turned the Responsible Adult into a victim.”

AsyncRAT infrastructure exposed
AsyncRAT C2 Activity Mapped
Attack surface management platform Censys said it’s tracking 57 active AsyncRAT-associated hosts exposed on the public internet as of January 2026.
First released in 2019, AsyncRAT enables long-term unauthorized access and post-compromise control, making it a reliable tool for credential theft, lateral movement staging, and follow-on payload delivery. Out of the 57 total assets, the majority are hosted on APIVERSA (13% of hosts), Contabo networks (11% combined), and AS-COLOCROSSING (5.5%), indicating operators prioritize low-cost, abuse-tolerant hosting over major cloud providers. “These hosts are primarily concentrated within a small number of VPS-focused autonomous systems and frequently reuse a distinctive self-signed TLS certificate identifying the service as an ‘AsyncRAT Server,’ enabling scalable discovery of related infrastructure beyond sample-based detection,” Censys said.

Typhoon tradecraft overlap
Overlapping Tactics Between Violet Typhoon and Volt Typhoon
An analysis of various campaigns mounted by Chinese hacking groups Violet Typhoon and Volt Typhoon has revealed the use of some common tactics: exploiting zero-day flaws in edge devices, living-off-the-land (LotL) techniques to traverse networks and hide within normal network activity, and Operational Relay Box (ORB) networks to conceal espionage operations.
“Not only will Chinese nation-state threat actors almost certainly continue to pursue high-value targets, but it is probable they will scale up their operations to conduct global campaigns and target as many entities in each region or sector as possible to maximize their gains at every exploitation,” Intel471 said. “The acceleration of improvements in the cybersecurity posture of numerous key targeted countries has compelled Chinese state-sponsored intelligence forces to become more innovative with their attack strategies.”

ClickFix distribution surge
From ErrTraffic to IClickFix
Threat actors are using a framework named IClickFix that can be used to build ClickFix pages on hacked WordPress sites. According to security firm Sekoia, the framework has been live on more than 3,800 sites since December 2024. “This cluster uses a malicious JavaScript framework injected into compromised WordPress sites to display the ClickFix lure and deliver NetSupport RAT,” the French cybersecurity company said.
The malware distribution campaign leverages the ClickFix social engineering tactic through a Traffic Distribution System (TDS). It’s suspected that the attacker abuses the open-source URL shortener YOURLS as the TDS. In recent months, threat actors have also been found using another TDS called ErrTraffic to inject malicious JavaScript into compromised websites so as to make them appear to glitch and then suggest a fix for the non-existent problem.

Across these updates, the common thread is operational efficiency.
Attackers are cutting time between access and impact, removing friction from tooling, and relying more on automation, prebuilt frameworks, and reusable infrastructure. Speed is no longer a byproduct — it’s a design goal. Another shift sits on the defensive side. Several cases show how security gaps are forming not from unknown threats, but from known behaviors — legacy configurations, trusted integrations, overlooked exposure, and assumptions about how tools should behave.
Taken together, the signals point to a threat environment that is scaling quietly rather than loudly — broader reach, lower visibility, and faster execution cycles. The fragments in this bulletin map that direction.
The Buyer’s Guide to AI Usage Control
Today’s “AI everywhere” reality is woven into everyday workflows across the enterprise, embedded in SaaS platforms, browsers, copilots, extensions, and a rapidly expanding universe of shadow tools that appear faster than security teams can track. Yet most organizations still rely on legacy controls that operate far away from where AI interactions actually occur. The result is a widening governance gap where AI usage grows exponentially, but visibility and control do not. With AI becoming central to productivity, enterprises face a new challenge: enabling the business to innovate while maintaining governance, compliance, and security.
A new Buyer’s Guide for AI Usage Control argues that enterprises have fundamentally misunderstood where AI risk lives. Discovering AI Usage and Eliminating ‘Shadow’ AI will also be discussed in an upcoming virtual lunch and learn. The surprising truth is that AI security isn’t a data problem or an app problem. It’s an interaction problem.
And legacy tools aren’t built for it.
AI Everywhere, Visibility Nowhere
If you ask a typical security leader how many AI tools their workforce uses, you’ll get an answer. Ask how they know, and the room goes quiet. The guide surfaces an uncomfortable truth: AI adoption has outpaced AI security visibility and control by years, not months.
AI is embedded in SaaS platforms, productivity suites, email clients, CRMs, browsers, extensions, and even in employee side projects. Users jump between corporate and personal AI identities, often in the same session. Agentic workflows chain actions across multiple tools without clear attribution. And yet the average enterprise has no reliable inventory of AI usage, let alone control over how prompts, uploads, identities, and automated actions are flowing across the environment.
This isn’t a tooling issue, it’s an architectural one. Traditional security controls don’t operate at the point where AI interactions actually occur. This gap is exactly why AI Usage Control has emerged as a new category built specifically to govern real-time AI behavior.
AI Usage Control Lets You Govern AI Interactions
AI Usage Control (AUC) is not an enhancement to traditional security but a fundamentally different layer of governance at the point of AI interaction.
Effective AUC requires both discovery and enforcement at the moment of interaction, powered by contextual risk signals, not static allowlists or network flows. In short, AUC doesn’t just answer “What data left the AI tool?” It answers “Who is using AI? How? Through what tool? In what session? With what identity? Under what conditions? And what happened next?” This shift from tool-centric control to interaction-centric governance is where the security industry needs to catch up.
Why Most AI “Controls” Aren’t Really Controls
Security teams consistently fall into the same traps when trying to secure AI usage:
- Treating AUC as a checkbox feature inside CASB or SSE
- Relying purely on network visibility (which misses most AI interactions)
- Over-indexing on detection without enforcement
- Ignoring browser extensions and AI-native apps
- Assuming data loss prevention alone is enough
Each of these creates a dangerously incomplete security posture. The industry has been trying to retrofit old controls onto an entirely new interaction model, and it simply doesn’t work. AUC exists because no legacy tool was built for this.
AI Usage Control Is More Than Just Visibility
In AI usage control, visibility is only the first checkpoint, not the destination.
Knowing where AI is being used matters, but the real differentiation lies in how a solution understands, governs, and controls AI interactions at the moment they happen. Security leaders typically move through four stages:
- Discovery: Identify all AI touchpoints: sanctioned apps, desktop apps, copilots, browser-based interactions, AI extensions, agents and shadow AI tools. Many assume discovery defines the full scope of risk. In reality, visibility without interaction context often leads to inflated risk perceptions and crude responses like broad AI bans.
- Interaction Awareness: AI risk occurs in real time, while a prompt is being typed, a file is being auto-summarized, or an agent runs an automated workflow. It’s necessary to move beyond “which tools are being used” to “what users are actually doing.” Not every AI interaction is risky, and most are benign. Understanding prompts, actions, uploads, and outputs in real time is what separates harmless usage from true exposure.
- Identity & Context: AI interactions often bypass traditional identity frameworks, happening through personal AI accounts, unauthenticated browser sessions, or unmanaged extensions. Since legacy tools assume identity equals control, they miss most of this activity. Modern AUC must tie interactions to real identities (corporate or personal), evaluate session context (device posture, location, risk), and enforce adaptive, risk-based policies. This enables nuanced controls such as: “Allow marketing summaries from non-SSO accounts, but block financial model uploads from non-corporate identities.”
- Real-Time Control: This is where traditional models break down. AI interactions don’t fit allow/block thinking. The strongest AUC solutions operate in the nuance: redaction, real-time user warnings, bypass, and guardrails that protect data without shutting down workflows.
- Architectural Fit: The most underestimated but decisive stage. Many solutions require agents, proxies, traffic rerouting, or changes to the SaaS stack. These deployments often stall or get bypassed.
Buyers quickly learn that the winning architecture is the one that fits seamlessly into existing workflows and enforces policy at the actual point of AI interaction.
Technical Considerations: Guide the Head, But Ease of Use Drives the Heart
While technical fit is paramount, non-technical factors often decide whether an AI security solution succeeds or fails:
- Operational Overhead – Can it be deployed in hours, or does it require weeks of endpoint configuration?
- User Experience – Are controls transparent and minimally disruptive, or do they generate workarounds?
- Futureproofing – Does the vendor have a roadmap for adapting to emerging AI tools, agentic AI, autonomous workflows, and compliance regimes, or are you buying a static product in a dynamic field?
These considerations are less about “checklists” and more about sustainability, ensuring the solution can scale with both organizational adoption and the broader AI landscape.
The Future: Interaction-centric Governance Is the New Security Frontier
AI isn’t going away, and security teams need to evolve from perimeter control to interaction-centric governance. The Buyer’s Guide for AI Usage Control offers a practical, vendor-agnostic framework for evaluating this emerging category. For CISOs, security architects, and technical practitioners, it lays out:
- What capabilities truly matter
- How to distinguish marketing from substance
- And why real-time, contextual control is the only scalable path forward
AI Usage Control isn’t just a new category; it’s the next phase of secure AI adoption.
It reframes the problem from data loss prevention to usage governance, aligning security with business productivity and enterprise risk frameworks. Enterprises that master AI usage governance will unlock the full potential of AI with confidence. Download the Buyer’s Guide for AI Usage Control to explore the criteria, capabilities, and evaluation frameworks that will define secure AI adoption in 2026 and beyond. Join the virtual lunch and learn Discovering AI Usage and Eliminating ‘Shadow’ AI.
This article is a contributed piece from one of our valued partners.
Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends
The elusive Iranian threat group known as Infy (aka Prince of Persia) has evolved its tactics as part of efforts to hide its tracks, even as it readied new command-and-control (C2) infrastructure coinciding with the end of the widespread internet blackout the regime imposed at the start of January 2026. “The threat actor stopped maintaining its C2 servers on January 8 for the first time since we began monitoring their activities,” Tomer Bar, vice president of security research at SafeBreach, said in a report shared with The Hacker News. “This was the same day a country-wide internet shutdown was imposed by Iranian authorities in response to recent protests, which likely suggests that even government-affiliated cyber units did not have the ability or motivation to carry out malicious activities within Iran.” The cybersecurity company said it observed renewed activity on January 26, 2026, as the hacking crew set up new C2 servers, one day before the Iranian government relaxed internet restrictions within the country. The development is significant, not least because it offers concrete evidence that the adversary is state-sponsored and backed by Iran.
Infy is just one of many state-sponsored hacking groups operating out of Iran that conduct espionage, sabotage, and influence operations aligned with Tehran’s strategic interests. But it’s also one of the oldest and lesser-known groups that has managed to stay under the radar, not attracting attention and operating quietly since 2004 through “laser-focused” attacks aimed at individuals for intelligence gathering. In a report published in December 2025, SafeBreach disclosed new tradecraft associated with the threat actor, including the use of updated versions of Foudre and Tonnerre, with the latter employing a Telegram bot likely for issuing commands and collecting data. The latest version of Tonnerre (version 50) has been codenamed Tornado.
Continued visibility into the threat actor’s operations between December 19, 2025, and February 3, 2026, has uncovered that the attackers have taken the step of replacing the C2 infrastructure for all versions of Foudre and Tonnerre, along with introducing Tornado version 51 that uses both HTTP and Telegram for C2. “It uses two different methods to generate C2 domain names: first, a new DGA algorithm and then fixed names using blockchain data de-obfuscation,” Bar said. “This is a unique approach that we assume is being used to provide greater flexibility in registering C2 domain names without the need to update the Tornado version.” There are also signs that Infy has weaponized a 1-day security flaw in WinRAR (either CVE-2025-8088 or CVE-2025-6218) to extract the Tornado payload on a compromised host. The change in attack vector is seen as a way to increase the success rate of its campaigns.
The specially-crafted RAR archives were uploaded to the VirusTotal platform from Germany and India in mid-December 2025, suggesting the two countries may have been targeted. Present within the RAR file is a self-extracting archive (SFX) that contains two files:
- AuthFWSnapin.dll, the main Tornado version 51 DLL
- reg7989.dll, an installer that first checks that Avast antivirus software is not installed and, if it is absent, creates a scheduled task for persistence and executes the Tornado DLL
Tornado establishes communication with the C2 server over HTTP to download and execute the main backdoor and harvest system information. If Telegram is chosen as the C2 method, Tornado uses the bot API to exfiltrate system data and receive more commands. It’s worth noting that version 50 of the malware used a Telegram group named سرافراز (literally “sarafraz,” meaning proudly) that featured the Telegram bot “@ttestro1bot” and a user with the handle “@ehsan8999100.” In the latest version, a different user called “@Ehsan66442” has been added in place of the latter.
“As before, the bot member of the Telegram group still doesn’t have permissions to read the group’s chat messages,” Bar said. “On December 21, the original user @ehsan8999100 was added to a new Telegram channel named Test that had three subscribers. The goal of this channel is still unknown, but we assume it is being used for command and control over the victim’s machines.” SafeBreach said it managed to extract all messages within the private Telegram group, enabling access to all exfiltrated Foudre and Tonnerre files since February 16, 2025, including 118 files and 14 shared links containing encoded commands sent to Tonnerre by the threat actor. An analysis of this data has led to two crucial discoveries:
- A malicious ZIP file that drops ZZ Stealer, which loads a custom variant of the StormKitty infostealer
- A “very strong correlation” between the ZZ Stealer attack chain and a campaign targeting the Python Package Index (PyPI) repository with a package named “testfiwldsd21233s” that’s designed to drop a previous iteration of ZZ Stealer and exfiltrate the data through the Telegram bot API
- A “weaker potential correlation” between Infy and Charming Kitten (aka Educated Manticore) owing to the use of ZIP and Windows Shortcut (LNK) files, and a PowerShell loader technique
“ZZ Stealer appears to be a first-stage malware (like Foudre) that first collects environmental data, screenshots, and exfiltrates all desktop files,” SafeBreach explained.
“In addition, upon receiving the command ‘8==3’ from the C2 server, it will download and execute the second-stage malware also named by the threat actor as ‘8==3.’”