Category: Cybersecurity

Cybersecurity researchers have called attention to a “massive campaign” that has systematically targeted cloud native environments to set up malicious infrastructure for follow-on exploitation.

The activity, observed around December 25, 2025, and described as “worm-driven,” leveraged exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers, along with the recently disclosed React2Shell (CVE-2025-55182, CVSS score: 10.0) vulnerability. The campaign has been attributed to a threat cluster known as TeamPCP (aka DeadCatx3, PCPcat, PersyPCP, and ShellForce).

TeamPCP is known to be active since at least November 2025, with the first instance of Telegram activity dating back to July 30, 2025. The TeamPCP Telegram channel currently has over 700 members, where the group publishes stolen data from diverse victims across Canada, Serbia, South Korea, the U.A.E., and the U.S. Details of the threat actor were first documented by Beelzebub in December 2025 under the name Operation PCPcat.

“The operation’s goals were to build a distributed proxy and scanning infrastructure at scale, then compromise servers to exfiltrate data, deploy ransomware, conduct extortion, and mine cryptocurrency,” Flare security researcher Assaf Morag said in a report published last week.

TeamPCP is said to function as a cloud-native cybercrime platform, leveraging misconfigured Docker APIs, Kubernetes APIs, Ray dashboards, Redis servers, and vulnerable React/Next.js applications as main infection pathways to breach modern cloud infrastructure to facilitate data theft and extortion.

“Notably, proxy.sh performs environment fingerprinting at execution time,” Morag said. “Early in its runtime, it checks whether it is running inside a Kubernetes cluster.”

“If a Kubernetes environment is detected, the script branches into a separate execution path and drops a cluster-specific secondary payload, indicating that TeamPCP maintains distinct tooling and tradecraft for cloud-native targets rather than relying on generic Linux malware alone.”

A brief description of the other payloads is as follows –

• scanner.py, which is designed to find misconfigured Docker APIs and Ray dashboards by downloading Classless Inter-Domain Routing (CIDR) lists from a GitHub account named “DeadCatx3,” while also featuring options to run a cryptocurrency miner (“mine.sh”).
• kube.py, which includes Kubernetes-specific functionality to conduct cluster credential harvesting and API-based discovery of resources such as pods and namespaces, followed by dropping “proxy.sh” into accessible pods for broader propagation and setting up a persistent backdoor by deploying a privileged pod on every node that mounts the host.
• react.py, which is designed to exploit the React flaw (CVE-2025-29927) to achieve remote command execution at scale.
• pcpcat.py, which is designed to discover exposed Docker APIs and Ray dashboards across large IP address ranges and automatically deploy a malicious container or job that executes a Base64-encoded payload.

Flare said the C2 server node located at 67.217.57[.]240 has also been linked to the operation of Sliver, an open-source C2 framework that’s known to be abused by threat actors for post-exploitation purposes.

Data from the cybersecurity company shows that the threat actors mainly single out Amazon Web Services (AWS) and Microsoft Azure environments. The attacks are assessed to be opportunistic in nature, primarily targeting infrastructure that supports its goals rather than going after specific industries. The result is that organizations that run such infrastructure become “collateral victims” in the process. 

“The PCPcat campaign demonstrates a full lifecycle of scanning, exploitation, persistence, tunneling, data theft, and monetization built specifically for modern cloud infrastructure,” Morag said. “What makes TeamPCP dangerous is not technical novelty, but their operational integration and scale. Deeper analysis shows that most of their exploits and malware are based on well-known vulnerabilities and lightly modified open-source tools.”

“At the same time, TeamPCP blends infrastructure exploitation with data theft and extortion. Leaked CV databases, identity records, and corporate data are published through ShellForce to fuel ransomware, fraud, and cybercrime reputation building. This hybrid model allows the group to monetize both compute and information, giving it multiple revenue streams and resilience against takedowns.”

Ravie LakshmananFeb 09, 2026Threat Intelligence / Cyber Espionage

The threat actor known as Bloody Wolf has been linked to a campaign targeting Uzbekistan and Russia to infect systems with a remote access trojan known as NetSupport RAT.

Cybersecurity vendor Kaspersky is tracking the activity under the moniker Stan Ghouls. The threat actor is known to be active since at least 2023, orchestrating spear-phishing attacks against manufacturing, finance, and IT sectors in Russia, Kyrgyzstan, Kazakhstan, and Uzbekistan.

The campaign is estimated to have claimed about 50 victims in Uzbekistan, with 10 devices in Russia also impacted. Other infections have been identified to a lesser degree in Kazakhstan, Turkey, Serbia, and Belarus. Infection attempts have also been recorded on devices within government organizations, logistics companies, medical facilities, and educational institutions.

“Given Stan Ghouls’ targeting of financial institutions, we believe their primary motive is financial gain,” Kaspersky noted. “That said, their heavy use of RATs may also hint at cyber espionage.”

The misuse of NetSupport, a legitimate remote administration tool, is a departure for the threat actor, which previously leveraged STRRAT (aka Strigoi Master) in its attacks. In November 2025, Group-IB documented phishing attacks aimed at entities in Kyrgyzstan to distribute the tool.

The attack chains are fairly straightforward in that phishing emails loaded with malicious PDF attachments are used as a launchpad to trigger the infection. The PDF documents embed links that, when clicked, lead to the download of a malicious loader that handles multiple tasks –

Kaspersky said it also identified Mirai botnet payloads staged on infrastructure associated with Bloody Wolf, raising the possibility that the threat actor may have expanded its malware arsenal to target IoT devices.

“With over 60 targets hit, this is a remarkably high volume for a sophisticated targeted campaign,” the company concluded. “It points to the significant resources these actors are willing to pour into their operations.”

The disclosure coincides with a number of cyber campaigns targeting Russian organizations, including those conducted by ExCobalt, which has leveraged known security flaws and credentials stolen from contractors to obtain initial access to target networks. Positive Technologies described the adversary as one of the “most dangerous groups” attacking Russian entities.

The attacks are characterized by the use of various tools, along with attempts to siphon Telegram credentials and message history from the compromised hosts and Outlook Web Access credentials by injecting malicious code into the login page –

• CobInt, a known backdoor used by the group.
• Lockers such as Babuk and LockBit.
• PUMAKIT, a kernel rootkit to escalate privileges, hide files and directories, and conceal itself from system tools, along with prior iterations known as Facefish (February 2021), Kitsune (February 2022), and Megatsune (November 2023). The use of Kitsune was also linked to a threat cluster known as Sneaky Wolf (aka Sneaking Leprechaun) by BI.ZONE.
• Octopus, a Rust-based toolkit that’s used to elevate privileges in a compromised Linux system.

“The group changed the tactics of initial access, shifting the focus of attention from the exploitation of 1-day vulnerabilities in corporate services available from the internet (e.g., Microsoft Exchange) to the penetration of the infrastructure of the main target through contractors,” Positive Technologies said.

State institutions, scientific enterprises, and IT organizations in Russia have also been targeted by a previously unknown threat actor known as Punishing Owl that has resorted to stealing and leaking data on the dark web. The group, suspected to be a politically motivated hacktivist entity, has been active since December 2025, with one of its social media accounts administered from Kazakhstan.

The attacks utilize phishing emails with a password-protected ZIP archive, which, when opened, contains a Windows shortcut (LNK) masquerading as a PDF document. Opening the LNK file results in the execution of a PowerShell command to download a stealer named ZipWhisper from a remote server to harvest sensitive data and upload it to the same server.

Another threat cluster that has trained its sights on Russia and Belarus is Vortex Werewolf. The end goal of the attacks is to deploy Tor and OpenSSH so as to facilitate persistent remote access. The campaign was previously exposed in November 2025 by Cyble and Seqrite Labs, with the latter calling the campaign Operation SkyCloak.

OpenClaw (formerly Moltbot and Clawdbot) has announced that it’s partnering with Google-owned VirusTotal to scan skills that are being uploaded to ClawHub, its skill marketplace, as part of broader efforts to bolster the security of the agentic ecosystem.

“All skills published to ClawHub are now scanned using VirusTotal’s threat intelligence, including their new Code Insight capability,” OpenClaw’s founder Peter Steinberger, along with Jamieson O’Reilly and Bernardo Quintero said. “This provides an additional layer of security for the OpenClaw community.”

The process essentially entails creating a unique SHA-256 hash for every skill and cross checking it against VirusTotal’s database for a match. If it’s not found, the skill bundle is uploaded to the malware scanning tool for further analysis using VirusTotal Code Insight.

Skills that have a “benign” Code Insight verdict are automatically approved by ClawHub, while those marked suspicious are flagged with a warning. Any skill that’s deemed malicious is blocked from download. OpenClaw also said all active skills are re-scanned on a daily basis to detect scenarios where a previously clean skill becomes malicious.

That said, OpenClaw maintainers also cautioned that VirusTotal scanning is “not a silver bullet” and that there is a possibility that some malicious skills that use a cleverly concealed prompt injection payload may slip through the cracks.

In addition to the VirusTotal partnership, the platform is expected to publish a comprehensive threat model, public security roadmap, formal security reporting process, as well as details about the security audit of its entire codebase.

The development comes in the aftermath of reports that found hundreds of malicious skills on ClawHub, prompting OpenClaw to add a reporting option that allows signed-in users to flag a suspicious skill. Multiple analyses have uncovered that these skills masquerade as legitimate tools, but, under the hood, they harbor malicious functionality to exfiltrate data, inject backdoors for remote access, or install stealer malware.

“AI agents with system access can become covert data-leak channels that bypass traditional data loss prevention, proxies, and endpoint monitoring,” Cisco noted last week. “Second, models can also become an execution orchestrator, wherein the prompt itself becomes the instruction and is difficult to catch using traditional security tooling.”

The recent viral popularity of OpenClaw, the open-source agentic artificial intelligence (AI) assistant, and Moltbook, an adjacent social network where autonomous AI agents built atop OpenClaw interact with each other in a Reddit-style platform, has raised security concerns.

In other words, the integrations, while convenient, significantly broaden the attack surface and expand the set of untrusted inputs the agent consumes, turning it into an “agentic trojan horse” for data exfiltration and other malicious actions. Backslash Security has described OpenClaw as an “AI With Hands.”

“Unlike traditional software that does exactly what code tells it to do, AI agents interpret natural language and make decisions about actions,” OpenClaw noted. “They blur the boundary between user intent and machine execution. They can be manipulated through language itself.”

OpenClaw also acknowledged that the power wielded by skills – which are used to extend the capabilities of an AI agent, such as controlling smart home devices to managing finances – can be abused by bad actors, who can leverage the agent’s access to tools and data to exfiltrate sensitive information, execute unauthorized commands, send messages on the victim’s behalf, and even download and run additional payloads without their knowledge or consent.

What’s more, with OpenClaw being increasingly deployed on employee endpoints without formal IT or security approval, the elevated privileges of these agents can further enable shell access, data movement, and network connectivity outside standard security controls, creating a new class of Shadow AI risk for enterprises.

“OpenClaw and tools like it will show up in your organization whether you approve them or not,” Astrix Security researcher Tomer Yahalom said. “Employees will install them because they’re genuinely useful. The only question is whether you’ll know about it.”

Some of the glaring security issues that have come to the fore in recent days are below –

• A now-fixed issue identified in earlier versions that could cause proxied traffic to be misclassified as local, bypassing authentication for some internet-exposed instances.
• “OpenClaw stores credentials in cleartext, uses insecure coding patterns including direct eval with user input, and has no privacy policy or clear accountability,” OX Security’s Moshe Siman Tov Bustan and Nir Zadok said. “Common uninstall methods leave sensitive data behind – and fully revoking access is far harder than most users realize.”
• A zero-click attack that abuses OpenClaw’s integrations to plant a backdoor on a victim’s endpoint for persistent control when a seemingly harmless document is processed by the AI agent, resulting in the execution of an indirect prompt injection payload that allows it to respond to messages from an attacker-controlled Telegram bot.
• An indirect prompt injection embedded in a web page, which, when parsed as part of an innocuous prompt asking the large language model (LLM) to summarize the page’s contents, causes OpenClaw to append an attacker-controlled set of instructions to the ~/.openclaw/workspace/HEARTBEAT.md file and silently await further commands from an external server.
• A security analysis of 3,984 skills on the ClawHub marketplace has found that 283 skills, about 7.1% of the entire registry, contain critical security flaws that expose sensitive credentials in plaintext through the LLM’s context window and output logs.
• A report from Bitdefender has revealed that malicious skills are often cloned and re-published at scale using small name variations, and that payloads are staged through paste services such as glot.io and public GitHub repositories.
• A now-patched one-click remote code execution vulnerability affecting OpenClaw that could have allowed an attacker to trick a user into visiting a malicious web page that could cause the Gateway Control UI to leak the OpenClaw authentication token over a WebSocket channel and subsequently use it to execute arbitrary commands on the host.
• OpenClaw’s gateway binds to 0.0.0.0:18789 by default, exposing the full API to any network interface. Per data from Censys, there are over 30,000 exposed instances accessible over the internet as of February 8, 2026, although most require a token value in order to view and interact with them.
• In a hypothetical attack scenario, a prompt injection payload embedded within a specifically crafted WhatsApp message can be used to exfiltrate “.env” and “creds.json” files, which store credentials, API keys, and session tokens for connected messaging platforms from an exposed OpenClaw instance.
• An misconfigured Supabase database belonging to Moltbook that was left exposed in client-side JavaScript, making secret API keys of every agent registered on the site freely accessible, and allowing full read and write access to platform data. According to Wiz, the exposure included 1.5 million API authentication tokens, 35,000 email addresses, and private messages between agents.
• Threat actors have been found exploiting Moltbook’s platform mechanics to amplify reach and funnel other agents toward malicious threads that contain prompt injections to manipulate their behavior and extract sensitive data or steal cryptocurrency.
• “Moltbook may have inadvertently also created a laboratory in which agents, which can be high-value targets, are constantly processing and engaging with untrusted data, and in which guardrails aren’t set into the platform – all by design,” Zenity Labs said.

“The first, and perhaps most egregious, issue is that OpenClaw relies on the configured language model for many security-critical decisions,” HiddenLayer researchers Conor McCauley, Kasimir Schulz, Ryan Tracey, and Jason Martin noted. “Unless the user proactively enables OpenClaw’s Docker-based tool sandboxing feature, full system-wide access remains the default.”

Among other architectural and design problems identified by the AI security company are OpenClaw’s failure to filter out untrusted content containing control sequences, ineffective guardrails against indirect prompt injections, modifiable memories and system prompts that persist into future chat sessions, plaintext storage of API keys and session tokens, and no explicit user approval before executing tool calls.

In a report published last week, Persmiso Security argued that the security of the OpenClaw ecosystem is much more crucial than app stores and browser extension marketplaces owing to the agents’ extensive access to user data.

“AI agents get credentials to your entire digital life,” security researcher Ian Ahl pointed out. “And unlike browser extensions that run in a sandbox with some level of isolation, these agents operate with the full privileges you grant them.”

“The skills marketplace compounds this. When you install a malicious browser extension, you’re compromising one system. When you install a malicious agent skill, you’re potentially compromising every system that agent has credentials for.”

The long list of security issues associated with OpenClaw has prompted China’s Ministry of Industry and Information Technology to issue an alert about misconfigured instances, urging users to implement protections to secure against cyber attacks and data breaches, Reuters reported.

“When agent platforms go viral faster than security practices mature, misconfiguration becomes the primary attack surface,” Ensar Seker, CISO at SOCRadar, told The Hacker News via email. “The risk isn’t the agent itself; it’s exposing autonomous tooling to public networks without hardened identity, access control, and execution boundaries.”

“What’s notable here is that the Chinese regulator is explicitly calling out configuration risk rather than banning the technology. That aligns with what defenders already know: agent frameworks amplify both productivity and blast radius. A single exposed endpoint or overly permissive plugin can turn an AI agent into an unintentional automation layer for attackers.”

Germany’s Federal Office for the Protection of the Constitution (aka Bundesamt für Verfassungsschutz or BfV) and Federal Office for Information Security (BSI) have issued a joint advisory warning of a malicious cyber campaign undertaken by a likely state-sponsored threat actor that involves carrying out phishing attacks over the Signal messaging app.

“The focus is on high-ranking targets in politics, the military, and diplomacy, as well as investigative journalists in Germany and Europe,” the agencies said. “Unauthorized access to messenger accounts not only allows access to confidential private communications but also potentially compromises entire networks.”

A noteworthy aspect of the campaign is that it does not involve the distribution of malware or the exploitation of any security vulnerability in the privacy-focused messaging platform. Rather, the end goal is to weaponize its legitimate features to obtain covert access to a victim’s chats, along with their contact lists.

The attack chain is as follows: the threat actors masquerade as “Signal Support” or a support chatbot named “Signal Security ChatBot” to initiate direct contact with prospective targets, urging them to provide a PIN or verification code received via SMS, or risk facing data loss.

Should the victim comply, the attackers can register the account and gain access to the victim’s profile, settings, contacts, and block list through a device and mobile phone number under their control. While the stolen PIN does not enable access to the victim’s past conversations, a threat actor can use it to capture incoming messages and send messages posing as the victim.

That target user, who has by now lost access to their account, is then instructed by the threat actor disguised as the support chatbot to register for a new account.

There also exists an alternative infection sequence that takes advantage of the device linking option to trick victims into scanning a QR code, thereby granting the attackers access to the victim’s account, including their messages for the last 45 days, on a device managed by them.

In this case, however, the targeted individuals continue to have access to their account, little realizing that their chats and contact lists are now also exposed to the threat actors. 

The security authorities warned that while the current focus of the campaign appears to be Signal, the attack can also be extended to WhatsApp since it also incorporates similar device linking and PIN features as part of two-step verification.

“Successful access to messenger accounts not only allows confidential individual communications to be viewed, but also potentially compromises entire networks via group chats,” BfV and BSI said.

While it’s not known who is behind the activity, similar attacks have been orchestrated by multiple Russia-aligned threat clusters tracked as Star Blizzard, UNC5792 (aka UAC-0195), and UNC4221 (aka UAC-0185), per reports from Microsoft and Google Threat Intelligence Group early last year.

In December 2025, Gen Digital also detailed another campaign codenamed GhostPairing, where cybercriminals have resorted to the device linking feature on WhatsApp to seize control of accounts to likely impersonate users or commit fraud.

To stay protected against the threat, users are advised to refrain from engaging with support accounts and entering their Signal PIN as a text message. A crucial line of defense is to enable Registration Lock, which prevents unauthorized users from registering a phone number on another device. It’s also advised to periodically review the list of linked devices and remove any unknown devices.

The development comes as the Norwegian government accused the Chinese-backed hacking groups, including Salt Typhoon, of breaking into several organizations in the country by exploiting vulnerable network devices, while also calling out Russia for closely monitoring military targets and allied activities, and Iran for keeping tabs on dissidents.

Stating that Chinese intelligence services attempt to recruit Norwegian nationals to gain access to classified data, the Norwegian Police Security Service (PST) noted that these sources are then encouraged to establish their own “human source” networks by advertising part-time positions on job boards or approaching them via LinkedIn.

The agency further warned that China is “systematically” exploiting collaborative research and development efforts to strengthen its own security and intelligence capabilities. It’s worth noting that Chinese law requires software vulnerabilities identified by Chinese researchers to be reported to the authorities no later than two days after discovery.

“Iranian cyber threat actors compromise email accounts, social media profiles, and private computers belonging to dissidents to collect information about them and their networks,” PST said. “These actors have advanced capabilities and will continue to develop their methods to conduct increasingly targeted and intrusive operations against individuals in Norway.”

The disclosure follows an advisory from CERT Polska, which assessed that a Russian nation-state hacking group called Static Tundra is likely behind coordinated cyber attacks targeted at more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power plant (CHP) supplying heat to almost half a million customers in the country.

“In each affected facility, a FortiGate device was present, serving as both a VPN concentrator and a firewall,” it said. “In every case, the VPN interface was exposed to the internet and allowed authentication to accounts defined in the configuration without multi‑factor authentication.”

Ravie LakshmananFeb 06, 2026Cyber Espionage / Malware

A previously undocumented cyber espionage group operating from Asia broke into the networks of at least 70 government and critical infrastructure organizations across 37 countries over the past year, according to new findings from Palo Alto Networks Unit 42.

In addition, the hacking crew has been observed conducting active reconnaissance against government infrastructure associated with 155 countries between November and December 2025. Some of the entities that have been successfully compromised include five national-level law enforcement/border control entities, three ministries of finance and other government ministries, and departments that align with economic, trade, natural resources, and diplomatic functions.

The activity is being tracked by the cybersecurity company under the moniker TGR-STA-1030, where “TGR” stands for temporary threat group and “STA” refers to state-backed motivation. Evidence shows that the threat actor has been active since January 2024.

While the hackers’ country of origin remains unclear, they are assessed to be of Asian origin, given the use of regional tooling and services, language setting preferences, targeting that’s consistent with events and intelligence of interest to the region, and its GMT+8 operating hours.

Attack chains have been found to leverage phishing emails as a starting point to trick recipients into clicking on a link pointing to New Zealand-based file hosting service MEGA. The link hosts a ZIP archive that contains an executable dubbed Diaoyu Loader and a zero-byte file named “pic1.png.”

“The malware employs a dual-stage execution guardrail to thwart automated sandbox analysis,” Unit 42 said. “Beyond the hardware requirement of a horizontal screen resolution greater than or equal to 1440, the sample performs an environmental dependency check for a specific file (pic1.png) in its execution directory.”

The PNG image acts as a file-based integrity check that causes the malware artifact to terminate before unleashing its nefarious behavior in the event it’s not present in the same location. It’s only after this condition is satisfied that the malware checks for the presence of specific cybersecurity programs from Avira (“SentryEye.exe”), Bitdefender (“EPSecurityService.exe”), Kaspersky (“Avp.exe”), Sentinel One (“SentinelUI.exe”), and Symantec (“NortonSecurity.exe”).

Countries targeted by TGR-STA-1030 reconnaissance between November and December 2025

It’s currently not known why the threat actors have opted to look for only a narrow selection of products. The end goal of the loader is to download three images (“admin-bar-sprite.png,” “Linux.jpg,” and “Windows.jpg”) from a GitHub repository named “WordPress,” which serve as a conduit for the deployment of a Cobalt Strike payload. The associated GitHub account (“github[.]com/padeqav”) is no longer available.

TGR-STA-1030 has also been observed attempting to exploit various kinds of N-day vulnerabilities impacting a large number of software products from Microsoft, SAP, Atlassian, Ruijieyi Networks, Commvault, and Eyou Email System to gain initial access to target networks. There is no evidence indicating the group has developed or leveraged any zero-day exploit in their attacks.

Among the tools put to use by the threat actor are command-and-control (C2) frameworks, web shells, and tunneling utilities –

It’s worth noting that the use of the aforementioned web shells is frequently linked to Chinese hacking groups. Another tool of note is a Linux kernel rootkit codenamed ShadowGuard that utilizes the Extended Berkeley Packet Filter (eBPF) technology to conceal process information details, intercept critical system calls to hide specific processes from user-space analysis tools like ps, and conceal directories and files named “swsecret.”

“The group routinely leases and configures its C2 servers on infrastructure owned by a variety of legitimate and commonly known VPS providers,” Unit 42 said. “To connect to the C2 infrastructure, the group leases additional VPS infrastructure that it uses to relay traffic through.”

The cybersecurity vendor said the adversary managed to maintain access to several of the impacted entities for months, indicating efforts to collect intelligence over extended periods of time.

“TGR-STA-1030 remains an active threat to government and critical infrastructure worldwide. The group primarily targets government ministries and departments for espionage purposes,” it concluded. “We assess that it prioritizes efforts against countries that have established or are exploring certain economic partnerships.”

“While this group might be pursuing espionage objectives, its methods, targets, and scale of operations are alarming, with potential long-term consequences for national security and key services.”

Ravie LakshmananFeb 06, 2026Federal Security / Infrastructure Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered Federal Civilian Executive Branch (FCEB) agencies to strengthen asset lifecycle management for edge network devices and remove those that no longer receive security updates from original equipment manufacturers (OEMs) over the next 12 to 18 months.

The agency said the move is to drive down technical debt and minimize the risk of compromise, as state-sponsored threat actors turn such devices as a preferred access pathway for breaking into target networks.

Edge devices is an umbrella term that encompasses load balancers, firewalls, routers, switches, wireless access points, network security appliances, Internet of Things (IoT) edge devices, software-defined networks, and other physical or virtual networking components that route network traffic and hold privileged access.

“Persistent cyber threat actors are increasingly exploiting unsupported edge devices — hardware and software that no longer receive vendor updates to firmware or other security patches,” CISA said. “Positioned at the network perimeter, these devices are especially vulnerable to persistent cyber threat actors exploiting a new or known vulnerability.”

To assist FCEB agencies in this regard, CISA said it has developed an end-of-support edge device list that acts as a preliminary repository with information about devices that have already reached end-of-support or are expected to lose support. This list will include the product name, version number, and end-of-support date.

The newly issued Binding Operational Directive 26-02, Mitigating Risk From End-of-Support Edge Devices, requires FCEB agencies to undertake the following actions –

• Update each vendor-supported-edge device running end-of-support software to a vendor-supported software version (With immediate effect)
• Catalog all devices to identify those that are end-of-support and report to CISA (Within three months)
• Decommission all edge devices that  are end-of-support and listed in the edge device list from agency networks and replace them with vendor-supported devices that can receive security updates (Within 12 months)
• Decommission all other identified edge devices from agency networks and replace with vendor-supported devices that can receive security updates (Within 18 months)
• Establish a lifecycle management process to enable continuous discovery of all edge devices and maintain an inventory of those that are/will reach  end-of-support (Within 24 months)

“Unsupported devices pose a serious risk to federal systems and should never remain on enterprise networks,” said CISA Acting Director Madhu Gottumukkala. “By proactively managing asset lifecycles and removing end-of-support technology, we can collectively strengthen resilience and protect the global digital ecosystem.”

Ravie LakshmananFeb 06, 2026Malware / IoT Security

Cybersecurity researchers have taken the wraps off a gateway-monitoring and adversary-in-the-middle (AitM) framework dubbed DKnife that’s operated by China-nexus threat actors since at least 2019.

The framework comprises seven Linux-based implants that are designed to perform deep packet inspection, manipulate traffic, and deliver malware via routers and edge devices. Its primary targets seem to be Chinese-speaking users, an assessment based on the presence of credential harvesting phishing pages for Chinese email services, exfiltration modules for popular Chinese mobile applications like WeChat, and code references to Chinese media domains.

“DKnife’s attacks target a wide range of devices, including PCs, mobile devices, and Internet of Things (IoT) devices,” Cisco Talos researcher Ashley Shen noted in a Thursday report. “It delivers and interacts with the ShadowPad and DarkNimbus backdoors by hijacking binary downloads and Android application updates.”

The cybersecurity company said it discovered DKnife as part of its ongoing monitoring of another Chinese threat activity cluster codenamed Earth Minotaur that’s linked to tools like the MOONSHINE exploit kit and the DarkNimbus (aka DarkNights) backdoor. Interestingly, the backdoor has also been put to use by a third China-aligned advanced persistent threat (APT) group called TheWizards.

An analysis of DKnife’s infrastructure has uncovered an IP address hosting WizardNet, a Windows implant deployed by TheWizards via an AitM framework referred to as Spellbinder. Details of the toolkit were documented by ESET in April 2025.

The targeting of Chinese-speaking users, Cisco said, hinges on the discovery of configuration files obtained from a single command-and-control (C2) server, raising the possibility that there could be other servers hosting similar configurations for different regional targeting.

This is significant in light of infrastructural connections between DKnife and WizardNet, as TheWizards is known to target individuals and the gambling sector across Cambodia, Hong Kong, Mainland China, the Philippines, and the United Arab Emirates.

Functions of seven DKnife components

Unlike WizardNet, DKnife is engineered to be run on Linux-based devices. Its modular architecture enables operators to serve a wide range of functions, ranging from packet analysis to traffic manipulation. Delivered by means of an ELF downloader, it contains seven different components –

• dknife.bin – The central nervous system of the framework responsible for deep packet inspection, user activities reporting, binary download hijacking, and DNS hijacking
• postapi.bin – A data reporter module that acts as a relay by receiving traffic from DKnife and reporting to remote C2
• sslmm.bin – A reverse proxy module modified from HAProxy that performs TLS termination, email decryption, and URL rerouting
• mmdown.bin – An updater module that connects to a hard-coded C2 server to download APKs used for the attack
• yitiji.bin – A packet forwarder module that creates a bridged TAP interface on the router to host and route attacker-injected LAN traffic
• remote.bin – A peer-to-peer (P2P) VPN client module that creates a communication channel to remote C2
• dkupdate.bin – An updater and watchdog module that keeps the various components alive

“DKnife can harvest credentials from a major Chinese email provider and host phishing pages for other services,” Talos said. “For harvesting email credentials, the sslmm.bin component presents its own TLS certificate to clients, terminates and decrypts POP3/IMAP connections, and inspects the plaintext stream to extract usernames and passwords.”

“Extracted credentials are tagged with ‘PASSWORD,’ forwarded to the postapi.bin component, and ultimately relayed to remote C2 servers.”

The core component of the framework is “dknife.bin,” which takes care of deep packet inspection, allowing operators to conduct traffic monitoring campaigns ranging from “covert monitoring of user activity to active in-line attacks that replace legitimate downloads with malicious payloads.” This includes –

• Serving updated C2 to Android and Windows variants of DarkNimbus malware
• Conducting Domain Name System (DNS)-based hijacking over IPv4 and IPv6 to facilitate malicious redirects for JD.com-related domains
• Hijacking and replacing Android application updates associated with Chinese news media, video streaming, image editing apps, e-commerce platforms, taxi-service platforms, gaming, and pornography video streaming apps by intercepting their update manifest requests
• Hijacking Windows and other binary downloads based on certain pre-configured rules to deliver via DLL side-loading the ShadowPad backdoor, which then loads DarkNimbus
• Interfering with communications from antivirus and PC-management products, including 360 Total Security and Tencent services
• Monitoring user activity in real-time and reporting it back to the C2 server

“Routers and edge devices remain prime targets in sophisticated targeted attack campaigns,” Talos said. “As threat actors intensify their efforts to compromise this infrastructure, understanding the tools and TTPs they employ is critical. The discovery of the DKnife framework highlights the advanced capabilities of modern AitM threats, which blend deep‑packet inspection, traffic manipulation, and customized malware delivery across a wide range of device types.”

Ravie LakshmananFeb 06, 2026Artificial Intelligence / Vulnerability

Artificial intelligence (AI) company Anthropic revealed that its latest large language model (LLM), Claude Opus 4.6, has found more than 500 previously unknown high-severity security flaws in open-source libraries, including Ghostscript, OpenSC, and CGIF.

Claude Opus 4.6, which was launched Thursday, comes with improved coding skills, including code review and debugging capabilities, along with enhancements to tasks like financial analyses, research, and document creation.

Stating that the model is “notably better” at discovering high-severity vulnerabilities without requiring any task-specific tooling, custom scaffolding, or specialized prompting, Anthropic said it is putting it to use to find and help fix vulnerabilities in open-source software.

“Opus 4.6 reads and reasons about code the way a human researcher would—looking at past fixes to find similar bugs that weren’t addressed, spotting patterns that tend to cause problems, or understanding a piece of logic well enough to know exactly what input would break it,” it added.

Prior to its debut, Anthropic’s Frontier Red Team put the model to test inside a virtualized environment and gave it the necessary tools, such as debuggers and fuzzers, to find flaws in open-source projects. The idea, it said, was to assess the model’s out-of-the-box capabilities without providing any instructions on how to use these tools or providing information that could help it better flag the vulnerabilities.

The company also said it validated every discovered flaw to make sure that it was not made up (i.e., hallucinated), and that the LLM was used as a tool to prioritize the most severe memory corruption vulnerabilities that were identified.

Some of the security defects that were flagged by Claude Opus 4.6 are listed below. They have since been patched by the respective maintainers.

• Parsing the Git commit history to identify a vulnerability in Ghostscript that could result in a crash by taking advantage of a missing bounds check
• Searching for function calls like strrchr() and strcat() to identify a buffer overflow vulnerability in OpenSC
• A heap buffer overflow vulnerability in CGIF (Fixed in version 0.5.1)

“This vulnerability is particularly interesting because triggering it requires a conceptual understanding of the LZW algorithm and how it relates to the GIF file format,” Anthropic said of the CGIF bug. “Traditional fuzzers (and even coverage-guided fuzzers) struggle to trigger vulnerabilities of this nature because they require making a particular choice of branches.”

“In fact, even if CGIF had 100% line- and branch-coverage, this vulnerability could still remain undetected: it requires a very specific sequence of operations.”

The company has pitched AI models like Claude as a critical tool for defenders to “level the playing field.” But it also emphasized that it will adjust and update its safeguards as potential threats are discovered and put in place additional guardrails to prevent misuse.

The disclosure comes weeks after Anthropic said its current Claude models can succeed at multi-stage attacks on networks with dozens of hosts using only standard, open-source tools by finding and exploiting known security flaws.

“This illustrates how barriers to the use of AI in relatively autonomous cyber workflows are rapidly coming down, and highlights the importance of security fundamentals like promptly patching known vulnerabilities,” it said.

Cybersecurity researchers have discovered a new supply chain attack in which legitimate packages on npm and the Python Package Index (PyPI) repository have been compromised to push malicious versions to facilitate wallet credential theft and remote code execution.

The compromised versions of the two packages are listed below –

“The @dydxprotocol/v4-client-js (npm) and dydx-v4-client (PyPI) packages provide developers with tools to interact with the dYdX v4 protocol, including transaction signing, order placement, and wallet management,” Socket security researcher Kush Pandya noted. “Applications using these packages handle sensitive cryptocurrency operations.”

dYdX is a non-custodial, decentralized cryptocurrency exchange for trading margin and perpetual swaps, while allowing users to retain full control over their assets. On its website, the DeFi exchange says it has surpassed $1.5 trillion in cumulative trading volume.

While it’s currently how these poisoned updates were pushed, it’s suspected to be a case of developer account compromise, as the rogue versions were published using legitimate publishing credentials.

The changes introduced by the threat actors have been found to target both the JavaScript and Python ecosystems with different payloads. In the case of npm, the malicious code acts as a cryptocurrency wallet stealer that siphons seed phrases and device information. The Python package, on the other hand, also incorporates a remote access trojan (RAT) along with the wallet stealer functionality.

The RAT component, which is run as soon as the package is imported, contacts an external server (“dydx.priceoracle[.]site/py”) to retrieve commands for subsequent execution on the host. On Windows systems, it makes use of the “CREATE_NO_WINDOW” flag to ensure that it’s executed without a console window.

“The threat actor demonstrated detailed knowledge of the package internals, inserting malicious code into core registry files (registry.ts, registry.js, account.py) that would execute during normal package usage,” Pandya said.

Following responsible disclosure on January 28, 2026, dYdX acknowledged the incident in a series of posts on X, and urged users who may have downloaded the compromised versions to isolate affected machines, move funds to a new wallet from a clean system, and rotate all API keys and credentials.

“The versions of dydx-v4-clients hosted in the dydxprotocol Github do not contain the malware,” it added.

This is not the first time the dYdX ecosystem has been the target of supply chain attacks. In September 2022, Mend and Bleeping Computer reported a similar case where the npm account of a dYdX staff member was hijacked to publish new versions of multiple npm packages that contained code to steal credentials and other sensitive data. 

Two years later, the exchange also divulged that the website associated with its now-discontinued dYdX v3 platform was compromised to redirect users to a phishing site with the goal of draining their wallets.

“Viewed alongside the 2022 npm supply chain compromise and the 2024 DNS hijacking incident, this attack highlights a persistent pattern of adversaries targeting dYdX-related assets through trusted distribution channels,” Socket said.

“The nearly identical credential theft implementations across languages indicate deliberate planning. The threat actor maintained consistent exfiltration endpoints, API keys, and device fingerprinting logic while deploying ecosystem-specific attack vectors. The npm version focuses on credential theft, while the PyPI version adds persistent system access.”

Supply Chain Risks with Non-Existent Packages

The disclosure comes as Aikido detailed how npm packages referenced in README files and scripts but never actually published pose an attractive supply chain attack vector, allowing a threat actor to publish packages under those names to distribute malware.

The discovery is the latest manifestation of the growing sophistication of software supply chain threats, allowing bad actors to compromise several users at once by exploiting the trust associated with open-source repositories.

“Sophisticated attackers are moving upstream into the software supply chain because it provides a deep, low-noise initial access path into downstream environments,” Sygnia’s Omer Kidron said.

“The same approach supports both precision compromise (a specific vendor, maintainer, or build identity) and opportunistic attacks at scale (‘spray’) through widely trusted ecosystems — making it relevant to all organizations, regardless of whether they see themselves as primary targets.”

Aikido’s analysis found that the 128 phantom packages collectively racked up 121,539 downloads between July 2025 and January 2026, averaging 3,903 downloads per week and scaling a peak of 4,236 downloads last month. The packages with the most downloads are listed below –

• openapi-generator-cli (48,356 downloads), which mimics @openapitools/openapi-generator-cli
• cucumber-js (32,110 downloads), which mimics @cucumber/cucumber
• depcruise (15,637 downloads), which mimics dependency-cruiser
• jsdoc2md (4,641 downloads)
• grpc_tools_node_protoc (4,518 downloads)
• vue-demi-switch (1,166 downloads)

“Openapi-generator-cli saw 3,994 downloads in just the last seven days,” security researcher Charlie Eriksen said. “That’s nearly 4,000 times someone tried to run a command that doesn’t exist. In one week.”

The findings highlight a blind spot in npm’s typosquatting protections, which, while actively blocking attempts to claim names with similar spelling to that of existing packages, doesn’t prevent a user from creating packages with names that were never registered in the first place, as there is nothing to compare against.

To mitigate this risk with npx confusion, Aikido recommends taking the following steps –

• Use “npx –no-install” to block registry fallback, causing an installation to fail if a package is not found locally
• Install CLI tools explicitly
• Verify a package exists if the documentation asks users to run it
• Register obvious aliases and misspellings to prevent a bad actor from claiming them

“The npm ecosystem has millions of packages,” Eriksen said. “Developers run npx commands thousands of times daily. The gap between ‘convenient default’ and ‘arbitrary code execution’ is one unclaimed package name.”

As you know, enterprise network security has undergone significant evolution over the past decade. Firewalls have become more intelligent, threat detection methods have advanced, and access controls are now more detailed. However (and it’s a big “however”), the increasing use of mobile devices in business operations necessitates network security measures that are specifically tailored to their unique operating patterns.

Yes, enterprises have invested heavily in robust network security such as firewalls, intrusion detection, and threat intelligence platforms. And yes, these controls work exceptionally well for traditional endpoints—but mobile devices operate differently! They connect to corporate Wi-Fi and public networks interchangeably. They run dozens of apps with varying trust levels. They process sensitive data in coffee shops, airports, and home offices.

The challenge isn’t that organizations lack security—it’s that mobile devices need security controls that adapt to their unique usage patterns.

Samsung Knox is specifically designed to address this reality. Let’s find out how.

Samsung Knox Firewall offers granular control

Change my mind: Most mobile firewalls are blunt instruments. Traffic is either allowed or blocked, with little visibility into what’s happening—or why. That makes it hard to enforce meaningful policies or investigate issues when something goes wrong.

Knox Firewall takes a more precise approach. It gives IT admins granular, per-app network controls and the transparency security teams expect.

Instead of defaulting to “allow all” or “block everything,” rules are tailored to individual applications. A confidential document viewer can be restricted to specific IP addresses. Collaboration tools can be limited to approved domains. Each app gets network access based on its risk profile—not lumped in with everything else on the device.

Perimeter security isn’t enough anymore. Access decisions need to consider device health, user identity, and context—and they need to do it continuously, not just at login.

That’s where the Samsung Knox Zero Trust Network Access (ZTNA) framework comes in. It supports Zero Trust principles while working alongside your existing VPN investments, not replacing them.

By using host-based micro-segmentation, the Samsung Knox ZTNA framework isolates network traffic by app and domain. The result? A smaller attack surface and far less room for lateral movement if a device or app is compromised.

Key features include:

• split DNS tunneling to balance security and performance
• context-rich metadata (such as app package name, signature, version) to enable precise access policies
• dynamic policy evaluation at access time based on device and application context
• privacy-aware traffic handling that respects enterprise and user boundaries

Most importantly, the Samsung Knox ZTNA framework is built for real-world environments. It works alongside the VPN and mobile threat defense tools organizations already use—no rip-and-replace required!

For organizations with existing VPN infrastructure, the Samsung Knox ZTNA framework enables a gradual migration path. That’s Zero Trust in practice—precise access control, reduced attack surface, and the flexibility to evolve security architecture at your own pace.

Key takeaway: The Samsung Knox ZTNA framework brings practical Zero Trust to life, working with the tools teams already trust while locking down mobile access.

The integration advantage

Samsung Knox isn’t just a collection of tools—it’s a system. Threat signals flow across the device, adapting protections in real time. A phishing alert? That can trigger new firewall rules or even a hardware-backed lockdown. Device health, user context, and threat intelligence all work together—Zero Trust, in practice, not just on paper.

Because Samsung Knox is built into Samsung Galaxy devices, you skip the chaos of multiple agents, vendors, and integrations. SOC 2 certified, GDPR-ready, and fully compatible with leading MDM, UEM, and SIEM platforms—it just works.

Mobile devices aren’t endpoints anymore—they’re entry points. And if your network security doesn’t protect them, it’s not just incomplete. It’s useless.