Category: Cybersecurity

Ravie LakshmananFeb 03, 2026Vulnerability / Malware

The Russia-linked state-sponsored threat actor known as APT28 (aka UAC-0001) has been attributed to attacks exploiting a newly disclosed security flaw in Microsoft Office as part of a campaign codenamed Operation Neusploit.

Zscaler ThreatLabz said it observed the hacking group weaponizing the shortcoming on January 29, 2026, in attacks targeting users in Ukraine, Slovakia, and Romania, three days after Microsoft publicly disclosed the existence of the bug.

The vulnerability in question is CVE-2026-21509 (CVSS score: 7.8), a security feature bypass in Microsoft Office that could allow an unauthorized attacker to send a specially crafted Office file and trigger it.

“Social engineering lures were crafted in both English and localized languages (Romanian, Slovak, and Ukrainian) to target the users in the respective countries,” security researchers Sudeep Singh and Roy Tay said. “The threat actor employed server-side evasion techniques, responding with the malicious DLL only when requests originated from the targeted geographic region and included the correct User-Agent HTTP header.”

The attack chains, in a nutshell, entail the exploitation of the security hole by means of a malicious RTF file to deliver two different versions of a dropper, one that’s designed to drop an Outlook email stealer called MiniDoor, and another, referred to as PixyNetLoader, that’s responsible for the deployment of a Covenant Grunt implant.

The first dropper acts as a pathway for serving MiniDoor, a C++-based DLL file that steals a user’s emails in various folders (Inbox, Junk, and Drafts) and forwards them to two hard-coded threat actor email addresses: ahmeclaw2002@outlook[.]com and ahmeclaw@proton[.]me. MiniDoor is assessed to be a stripped-down version of NotDoor (aka GONEPOSTAL), which was documented by S2 Grupo LAB52 in September 2025.

In contrast, the second dropper, i.e., PixyNetLoader, is used to initiate a much more elaborate attack chain that involves delivering additional components embedded into it and setting up persistence on the host using COM object hijacking. Among the extracted payloads are a shellcode loader (“EhStoreShell.dll”) and a PNG image (“SplashScreen.png”).

The primary responsibility of the loader is to parse shellcode concealed using steganography within the image and execute it. That said, the loader only activates its malicious logic if the infected machine is not an analysis environment and when the host process that launched the DLL is “explorer.exe.” The malware stays dormant if the conditions are not met.

The extracted shellcode, ultimately, is used to load an embedded .NET assembly, which is nothing but a Grunt implant associated with the open source .NET COVENANT command-and-control (C2) framework. It’s worth noting that APT28’s use of the Grunt Stager was highlighted by Sekoia in September 2025 in connection with a campaign named Operation Phantom Net Voxel.

“The PixyNetLoader infection chain shares notable overlap with Operation Phantom Net Voxel,” Zscaler said. “Although the earlier campaign used a VBA macro, this activity replaces it with a DLL while retaining similar techniques, including (1) COM hijacking for execution, (2) DLL proxying, (3) XOR string encryption techniques, and (4) Covenant Grunt and its shellcode loader embedded in a PNG via steganography.”

The disclosure coincides with a report from the Computer Emergency Response Team of Ukraine (CERT-UA) that also warned of APT28’s abuse of CVE-2026-21509 using Word documents to target more than 60 email addresses associated with central executive authorities in the country. Metadata analysis reveals that one of the lure documents was created on January 27, 2026.

“During the investigation, it was found that opening the document using Microsoft Office leads to establishing a network connection to an external resource using the WebDAV protocol, followed by downloading a file with a shortcut file name containing program code designed to download and run an executable file,” CERT-UA said.

This, in turn, triggers an attack chain that’s identical to PixyNetLoader, resulting in the deployment of the COVENANT framework’s Grunt implant.

The Hacker NewsFeb 02, 2026Threat Detection / Endpoint Security

For mid-market organizations, cybersecurity is a constant balancing act. Proactive, preventative security measures are essential to protect an expanding attack surface. Combined with effective protection that blocks threats, they play a critical role in stopping cyberattacks before damage is done.

The challenge is that many security tools add complexity and cost that most mid-market businesses can’t absorb. With limited budgets and lean IT and security teams, organizations often focus on detection and response. While necessary, this places a significant operational burden on teams already stretched thin.

A more sustainable approach is security across the complete threat lifecycle—combining prevention, protection, detection, and response in a way that reduces risk without increasing cost or complexity.

Why Mid-Market Security Often Feels Stuck

Most mid-market organizations rely on a small set of foundational tools, such as endpoint protection, email security, and network firewalls. However, limited staff and resources often leave these tools operating as isolated point solutions, preventing teams from extracting their full value.

Solutions such as Bitdefender GravityZone consolidate critical security capabilities into a single platform, enabling centralized management, visibility, and reporting across the security program. This approach allows mid-market organizations to achieve broader coverage without increasing operational overhead.

Extending Coverage with MDR

Managed Detection and Response (MDR) services offer another way to strengthen security quickly. MDR provides 24/7 monitoring, proactive threat hunting, and incident response, effectively extending internal teams without adding headcount.

By combining a unified platform with MDR, mid-market organizations can close coverage gaps and focus internal resources on strategic priorities.

Takeaway: Security Across the Threat Lifecycle

Improving mid-market cybersecurity isn’t about adding more tools—it’s about using the right tools more effectively. Integrating prevention, protection, detection, and response across the threat lifecycle enables stronger security outcomes with less complexity.

Platforms like Bitdefender GravityZone help mid-market organizations strengthen resilience while reducing the operational burden on lean teams.

To explore this approach further, read How to Secure Your Mid-Market Business Across the Complete Threat Lifecycle or the Buyer’s Guide for Mid-Market Businesses: Choosing the Right Security Platform.

Ravie LakshmananFeb 02, 2026Threat Intelligence / Malware

The maintainer of Notepad++ has revealed that state-sponsored attackers hijacked the utility’s update mechanism to redirect update traffic to malicious servers instead.

“The attack involved [an] infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org,” developer Don Ho said. “The compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself.”

The exact mechanism through which this was realized is currently being investigated, Ho added.

The development comes a little over a month after Notepad++ released version 8.8.9 to address an issue that resulted in traffic from WinGUp, the Notepad++ updater, being “occasionally” redirected to malicious domains, resulting in the download of poisoned executables.

Specifically, the problem stemmed from the way the updater verified the integrity and authenticity of the downloaded update file, allowing an attacker who is able to intercept network traffic between the updater client and the update server to trick the tool into downloading a different binary instead.

It’s believed this redirection was highly targeted, with traffic originating from only certain users routed to the rogue servers and fetching the malicious components. The incident is assessed to have commenced in June 2025, more than six months before it came to light.

Independent security researcher Kevin Beaumont revealed that the flaw was being exploited by threat actors in China to hijack networks and deceive targets into downloading malware. The attacks, attributed to a nation-state threat actor known as Violet Typhoon (aka APT31), targeted telecommunications and financial services organizations in East Asia.

In response to the security incident, the Notepad++ website has been migrated to a new hosting provider with “significantly strong practices,” and the update process has been hardened with additional guardrails to ensure its integrity.

“According to the former hosting provider, the shared hosting server was compromised until September 2, 2025,” Ho explained. “Even after losing server access, attackers maintained credentials to internal services until December 2, 2025, which allowed them to continue redirecting Notepad++ update traffic to malicious servers.”

Ravie LakshmananFeb 02, 2026Hacking News / Cybersecurity

Every week brings new discoveries, attacks, and defenses that shape the state of cybersecurity. Some threats are stopped quickly, while others go unseen until they cause real damage.

Sometimes a single update, exploit, or mistake changes how we think about risk and protection. Every incident shows how defenders adapt — and how fast attackers try to stay ahead.

This week’s recap brings you the key moments that matter most, in one place, so you can stay informed and ready for what’s next.

⚡ Threat of the Week

Google Disrupts IPIDEA Residential Proxy Network — Google has crippled IPIDEA, a massive residential proxy network consisting of user devices that are being used as the last-mile link in cyberattack chains. According to the tech giant, not only do these networks permit bad actors to conceal their malicious traffic, but they also open up users who enroll their devices to further attacks. Residential IP addresses in the U.S., Canada, and Europe were seen as the most desirable. Google pursued legal measures to seize or sinkhole domains used as command‑and‑control (C2) for devices enrolled in the IPIDEA proxy network, cutting off operators’ ability to route traffic through compromised systems. The disruption is assessed to have reduced IPIDEA’s available pool of devices by millions. The proxy software is either pre-installed on devices or may be willingly installed by users, lured by the promise of monetizing their available internet bandwidth. Once devices are registered in the residential proxy network, operators sell access to it to their customers. Numerous proxy and VPN brands, marketed as separate businesses, were controlled by the same actors behind IPIDEA. The proxy network also promoted several SDKs as app monetization tools, quietly turning user devices into proxy exit nodes without their knowledge or consent once embedded. IPIDEA has also been linked to large-scale brute-forcing attacks targeting VPN and SSH services as far back as early 2024. The team from Device and Browser Info has since released a list of all IPIDEA-linked proxy exit IPs.

• Microsoft Patches Exploited Office Flaw — Microsoft issued out-of-band security patches for a high-severity Microsoft Office zero-day vulnerability exploited in attacks. The vulnerability, tracked as CVE-2026-21509, carries a CVSS score of 7.8 out of 10.0. It has been described as a security feature bypass in Microsoft Office. “Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally,” the tech giant said in an advisory. “This update addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office, which protect users from vulnerable COM/OLE controls.” Microsoft has not shared any details about the nature and the scope of attacks exploiting CVE-2026-21509.
• Ivanti Patches Exploited EPMM Flaws — Ivanti rolled out security updates to address two security flaws impacting Ivanti Endpoint Manager Mobile (EPMM) that have been exploited in zero-day attacks. The vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, relate to code injection, allowing attackers to achieve unauthenticated remote code execution. “We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,” Ivanti said in an advisory, adding it does not have enough information about the threat actor tactics to provide “reliable atomic indicators.” As of January 30, 2026, a public working proof-of-concept exploit is available. “As EPMM is an endpoint management solution for mobile devices, the impact of an attacker compromising the EPMM server is significant,” Rapid7 said. “An attacker may be able to access Personally Identifiable Information (PII) regarding mobile device users, such as their names and email addresses, but also their mobile device information, such as their phone numbers, GPS information, and other sensitive unique identification information.”
• Poland Links Cyber Attack on Power System to Static Tundra — The Polish computer emergency response team revealed that coordinated cyber attacks targeted more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power plant (CHP) supplying heat to almost half a million customers in the country. CERT Polska said the incident took place on December 29, 2025, describing the attacks as destructive. The agency attributed the attacks to a threat cluster dubbed Static Tundra, which is also tracked as Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, Energetic Bear, Ghost Blizzard (formerly Bromine), and Havex. Static Tundra is assessed to be linked to Russia’s Federal Security Service’s (FSB) Center 16 unit. Prior reports from ESET and Dragos linked the attack with moderate confidence to a group that shares tactical overlaps with a cluster referred to as Sandworm. The group exhibits a deep understanding of electrical grid equipment and operations, strong proficiency in the industrial protocols used in power systems, and the ability to develop custom malware and wiper tools across IT and OT environments. The activity also reflects the adversary’s grasp of substation operations and the operational dependencies within electrical systems. “Taking over these devices requires capabilities beyond simply understanding their technical flaws,” Dragos said. “It requires knowledge of their specific implementation. The adversaries demonstrated this by successfully compromising RTUs at approximately 30 sites, suggesting they had mapped common configurations and operational patterns to exploit systematically.”
• LLMJacking Campaign Targets Exposed AI Endpoints — Cybercriminals are searching for, hijacking, and monetizing exposed LLM and MCP endpoints at scale. The campaign, dubbed Operation Bizarre Bazaar, targets exposed or unprotected AI endpoints to hijack system resources, resell API access, exfiltrate data, and move laterally to internal systems. “The threat differs from traditional API abuse because compromised LLM endpoints can generate significant costs (inference is expensive), expose sensitive organizational data, and provide lateral movement opportunities,” Pillar Security said. Organizations running self-hosted LLM infrastructure (Ollama, vLLM, local AI implementations) or deploying MCP servers for AI integrations face active targeting. Common misconfigurations that are under active exploitation include Ollama running on port 11434 without authentication, OpenAI-compatible APIs on port 8000, MCP servers accessible without access controls, development/staging AI infrastructure with public IPs, and production chatbot endpoints that lack authentication or rate limits. Access to the infrastructure is advertised on a marketplace that offers access to over 30 LLMs. Called silver[.]inc, it is hosted on bulletproof infrastructure in the Netherlands, and marketed on Discord and Telegram, with payments made via cryptocurrency or PayPal.
• Chinese Threat Actors Use PeckBirdy Framework — China-aligned threat actors have been using a cross-platform, multifunction JScript framework called PeckBirdy to conduct cyber espionage attacks since 2023, augmenting their activities with modular backdoors in two separate campaigns targeting gambling sites and government entities. The command-and-control (C2) framework, written in Microsoft’s JScript legacy language, is aimed at flexible deployment by enabling execution across multiple environments, including web browsers, MSHTA, WScript, Classic ASP, Node JS, and .NET (ScriptControl).

‎️‍🔥 Trending CVEs

New vulnerabilities surface daily, and attackers move fast. Reviewing and patching early keeps your systems resilient.

Here are this week’s most critical flaws to check first — CVE-2026-24423 (SmarterTools SmarterMail), CVE-2026-1281, CVE-2026-1340 (Ivanti Endpoint Manager Mobile), CVE-2025-40536, CVE-2025-40537, CVE-2025-40551, CVE-2025-40552, CVE-2025-40553 (SolarWinds Web Help Desk), CVE-2026-22709 (vm2), CVE-2026-1470, CVE-2026-0863 (n8n), CVE-2026-24858 (Fortinet FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb), CVE-2026-21509 (Microsoft Office), CVE-2025-30248, CVE-2025-26465 (Western Digital), CVE-2025-56005 (PLY), CVE-2026-23864 (React Server Components), CVE-2025-14756 (TP-Link), CVE‑2026‑0755 (Google gemini-mcp-tool), CVE-2025-9142 (Check Point Harmony SASE), CVE-2026-1504 (Google Chrome), CVE-2025-12556 (IDIS IP cameras), CVE-2026-0818 (Mozilla Thunderbird), CCVE-2025-52598, CVE-2025-52599, CVE-2025-52600, CVE-2025-52601, CVE-2025-8075 (Hanwha Wisenet cameras), CVE-2025-33217, CVE-2025-33218, CVE-2025-33219, CVE-2025-33220 (NVIDIA GPU Display Drivers), CVE-2025-0921 (Iconics Suite), CVE-2025-26385 (Johnson Controls), and SRC-2025-0001, SRC-2025-0002, SRC-2025-0003, SRC-2025-0004 (Samsung MagicINFO 9 Server).

📰 Around the Cyber World

• Exposed C2 Server Reveals BYOB Infrastructure — Cybersecurity researchers have discovered an open directory on a command-and-control (C2) server at IP address 38.255.43[.]60 on port 8081, which has been found serving malicious payloads associated with the Build Your Own Botnet (BYOB) framework. “The open directory contained a complete deployment of the BYOB post-exploitation framework, including droppers, stagers, payloads, and multiple post-exploitation modules,” Hunt.io said. “Analysis of the captured samples reveals a modular multi-stage infection chain designed to establish persistent remote access across Windows, Linux, and macOS platforms.” The first stage is a dropper that implements multiple layers of obfuscation to evade signature-based detection, while fetching and executing an intermediate loader, which performs a series of security checks of its own before deploying the main remote access trojan (RAT) payload for reconnaissance and persistence. It also comes with capabilities to escalate privileges, log keystrokes, terminate processes, harvest emails, and inspect network traffic. Additional infrastructure linked to the threat actor has been found to host cryptocurrency mining payloads, indicating a two-pronged approach to compromising endpoints with different payloads.
• Phantom Enigma Resurfaces with New Tactics — The threat actors behind the Operation Phantom Enigma campaign, which targeted Brazilian users in order to steal bank accounts in early 2025, resurfaced with similar attacks in fall 2025. The attacks, per Positive Technologies, involve sending phishing emails bearing invoice-related themes to trick ordinary users into clicking on malicious links to download a malicious MSI installer that installs a malicious Google Chrome extension dubbed EnigmaBanker on the victim’s browser to collect credentials and transmit them to the attacker’s server. The malware is designed to execute JavaScript code that imports a malicious extension via Chrome DevTools Protocol (CDP) after launching the browser in debugging mode. On the other hand, the attacks aimed at enterprises drop an installer for legitimate remote access software like PDQ Connect, MeshAgent, ScreenConnect, or Syncro RMM. The threat actors behind the campaign are suspected to be operating out of Latin America.
• Attackers Exploit Stolen AWS Credentials to Target AWS WorkMail — Threat actors are leveraging compromised Amazon Web Services (AWS) credentials to deploy phishing and spam infrastructure using AWS WorkMail, bypassing the anti-abuse controls normally enforced by AWS Simple Email Service (SES). “This allows the threat actor to leverage Amazon’s high sender reputation to masquerade as a valid business entity, with the ability to send email directly from victim-owned AWS infrastructure,” Rapid7 said. “Generating minimal service-attributed telemetry also makes threat actor activity difficult to distinguish from routine activity. Any organization with exposed AWS credentials and permissive Identity and Access Management (IAM) policies is potentially at risk, particularly those without guardrails or monitoring around WorkMail and SES configuration.”
• Malicious VS Code Extension Delivers Stealer Malware — A malicious Visual Studio Code (VS Code) extension has been identified in Open VSX (“Angular-studio.ng-angular-extension”) masquerading as a tool for the Angular web development framework, but harbors functionality that’s activated when any HTML or TypeScript file is opened. It’s designed to run encrypted JavaScript responsible for fetching the next-stage payload from a URL embedded into the memo field of a Solana wallet using a technique called EtherHiding by constructing an RPC request to the Solana mainnet. The infection chain is also engineered such that execution is skipped on systems matching Russian locale indicators. “This pattern is commonly observed in malware originating from or affiliated with Russian-speaking threat actors, implemented to avoid domestic prosecution,” Secure Annex said. This architecture offers several advantages: blockchain immutability ensures configuration data persists indefinitely, and attackers can update payload URLs without modifying the published extension. The final payload deployed as part of the attack is a stealer malware that can siphon credentials from developer machines, conduct cryptocurrency theft, establish persistence, and exfiltrate the data to a server retrieved from a Google Calendar event.
• Threat Actors Exploit Critical Adobe Commerce Flaw — Threat actors are continuing to exploit a critical flaw in Adobe Commerce and Magento Open Source platforms (CVE-2025-54236, CVSS score: 9.1) to compromise 216 websites worldwide in one campaign, and deploy web shells on Magento sites in Canada and Japan to enable persistent access in another. “While the cases are not assessed to be part of a single coordinated campaign, all incidents demonstrate that the vulnerability is being actively abused for authentication bypass, full system compromise, and, in some cases, web shell deployment and persistent access,” Oasis Security said.
• Malicious Google Ads Leads to Stealer Malware — Sponsored ads on Google when searching for “Mac cleaner” or “clear cache macOS” are being used to redirect unsuspecting users to sketchy sites hosted on Google Docs and Medium to trick them into following ClickFix-style instructions to deliver stealer malware. In a related development, DHL-themed phishing emails containing ZIP archives are being used to launch XLoader using DLL side-loading, which then uses process hollowing techniques to load Phantom Stealer.
• U.S. Authorities Investigated Meta Contractors’ Claims that WhatsApp Chats Aren’t Private — U.S. law enforcement has been investigating allegations by former Meta contractors that employees at the company can access WhatsApp messages, despite the company’s statements that the chat service is private and encrypted. The contractors claimed that some Meta staff had “unfettered” access to WhatsApp messages, content that should be off-limits, Bloomberg reported. The report stands in stark contrast to WhatsApp encryption foundations, which prevent third parties, including the company, from accessing the chat contents. “What these individuals claim is not possible because WhatsApp, its employees, and its contractors, cannot access people’s encrypted communications,” Meta was quoted as saying to Bloomberg. It’s worth noting that when a user reports a user or group, WhatsApp receives up to five of the last messages sent to them, along with their metadata. This is akin to taking a screenshot of the last few messages, as they are already on the device and in a decrypted state because the device has the “key” to read them. However, these allegations suggest much broader access to the platform.
• New PyRAT Malware Spotted — A new Python-based remote access trojan (RAT) called PyRAT has been found to demonstrate cross-platform capabilities, persistent infection methods, and extensive remote access features. It supports features like system command execution, file system operations, file enumeration, file upload/download, and archive creation to facilitate bulk exfiltration of stolen data. The malware also comes fitted with self-cleanup capabilities to uninstall itself from the victim machine and wipe all persistence components. “This Python‑based RAT poses a notable risk to organizations because of its cross‑platform capability, broad functionality, and ease of deployment,” K7 Security Labs said. “Even though it is not associated with highly sophisticated threat actors, its effectiveness in real‑world attacks and observed detection rates indicate that it is actively used by cybercriminals and deserves attention.” It’s currently not known how it’s distributed.
• New Exfil Out&Look Attack Technique Detailed — Cybersecurity researchers have discovered a new technique named Exfil Out&Look that abuses Outlook add-ins to steal data from organizations. “An add-in installed via OWA [Outlook Web Access can be abused to silently extract email data without generating audit logs or leaving any forensic footprint — a stark contrast to the behavior observed in Outlook Desktop,” Varonis said. “In organizations that rely heavily on Unified Audit Logs for detection and investigation, this blind spot can allow malicious or overly permissive add-ins to operate undetected for extended periods of time.” An attacker could exploit this behavior to trigger an add-in’s core functionality when a victim sends an email, allowing it to intercept outgoing messages and send the data to a third-party server. Following responsible disclosure to Microsoft on September 30, 2025, the company categorized the issue as low-severity with no immediate fix.
• Exposed MongoDB Servers Exploited for Extortion Attacks — Almost half of all internet-exposed MongoDB servers have been compromised and are being held for ransom. An unidentified threat actor has targeted misconfigured instances to drop ransom notes on more than 1,400 databases demanding a Bitcoin payment to restore the data. Flare’s analysis found more than 208,500 publicly exposed MongoDB servers, out of which 100,000 expose operational information, and 3,100 could be accessed without authentication. What’s more, nearly half (95,000) of all internet-exposed MongoDB servers run older versions that are vulnerable to N-day flaws. “Threat actors demand payment in Bitcoin (often around 0.005 BTC, equivalent today to $500-600 USD) to a specified wallet address, promising to restore the data,” the cybersecurity company said. “However, there is no guarantee the attackers have the data, or will provide a working decryption key if paid.”
• Deep Dive into Dark Web Forums — Positive Technologies has taken a deep-dive look into modern dark web forums, noting how they are in a constant state of flux due to ramping up of law enforcement operations, even as they embrace anonymity and protection technologies like Tor, I2P, coupled with anti-bot guardrails, anti-scraping mechanisms, closed moderation, and a strict trust system to escape scrutiny and block suspicious activity. “However, the results of these interventions are rarely final: the elimination of one forum usually becomes the starting point for the emergence of a new, more sustainable and secure one,” it said. “And an important feature of such forums is the high level of development of technical means of protection. If the early generations of dark web forums were primitive web platforms that often existed in the public part of the internet, modern forums are complex distributed systems with multi-level infrastructure, APIs, moderator bots, built-in verification tools and a multi-stage access system.”
• TA584 Campaign Drops XWorm and Tsundere Bot — A prolific initial access broker known as TA584 (aka Storm-0900) has been observed using the Tsundere Bot alongside XWorm remote access trojan to gain network access for likely follow-on ransomware attacks. The XWorm malware uses a configuration called “P0WER” to enable its execution. “In the second half of 2025, TA584 demonstrated multiple attack chain changes, including adopting ClickFix social engineering, expanded targeting to more consistently target specific geographies and languages, and recently delivering a new malware called Tsundere Bot,” Proofpoint said. The threat actor is assessed to be active since at least 2020, but has exhibited an increased operational tempo since March 2025. Organizations in North America, the U.K., Ireland, and Germany are the main targets. Emails sent by TA584 impersonate various organizations associated with healthcare and government entities, as well as leverage well-designed and believable lures to get people to engage with malicious content. These messages are sent via compromised accounts or third-party services like SendGrid and Amazon Simple Email Service (SES). “The emails usually contain unique links for each target that perform geofencing and IP filtering,” Proofpoint said. “If these checks were passed, the recipient is redirected to a landing page aligning with the lure in the email.” Early iterations of the campaign delivered macro-enabled Excel documents dubbed EtterSilent to facilitate malware installation. The end goal of the attack is to initiate a redirect chain involving third-party traffic direction systems (TDS) like Keitaro to a CAPTCHA page, followed by a ClickFix page that instructs the victim to run a PowerShell command on their system. Some of the other payloads distributed by TA584 in the past include Ursine, TA584, WARMCOOKIE, Xeno RAT, Cobalt Strike, and DCRat.
• South Korea to Notify Citizens of Data Leaks — The South Korean government will notify citizens when their data was exposed in a security breach. The new notification system will cover confirmed breaches, but also alert people who may be involved in a data breach, even if the case has not been confirmed. These alerts will also include information on how to seek compensation for damages.
• Details About Critical Apache bRPC Flaw — CyberArk has published details about a recently patched critical vulnerability in Apache bRPC (CVE-2025-60021, CVSS score: 9.8) that could allow an attacker to inject remote commands. The problem resides in the “/pprof/heap” profiler endpoint. “The heap profiler service /pprof/heap did not validate the user-provided extra_options parameter before incorporating it into the jeprof command line,’ CyberArk said. “Prior to the fix, extra_options was appended directly to the command string as –<user_input>. Because this command is later executed to generate the profiling output, shell special characters in attacker-controlled input could alter the executed command, resulting in command injection.” As a result, an attacker could exploit a reachable “/pprof/heap” endpoint to execute arbitrary commands with the privileges of the Apache bRPC process, resulting in remote code execution. There are about 181 publicly reachable /pprof/heap endpoints and 790 /pprof/* endpoints, although it’s not known how many of them are susceptible to this flaw.
• Threat Actors Use New Unicode Trick to Evade Detection — Threat actors are using the Unicode character for math division (∕) instead of a standard forward slash (/) in malicious links to evade detection. “The barely noticeable difference between the divisional and forward slashes causes traditional automated security systems and filters to fail, allowing the links to bypass detection,” email security firm Barracuda said. “As a result, victims are redirected to default or random pages.”
• China Executes 11 Members of Myanmar Scam Mafia — The Chinese government has executed 11 members of the Ming family who ran cyber scam compounds in Myanmar. The suspects were sentenced in September 2025 following their arrest in 2023. In November 2025, five members of a Myanmar crime syndicate were sentenced to death for their roles in running industrial-scale scamming compounds near the border with China. The Ming mafia’s scam operations and gambling dens brought in more than $1.4 billion between 2015 and 2023, BBC News reported, citing China’s highest court.
• FBI Urges Organizations to Improve Cybersecurity — The U.S. Federal Bureau of Investigation (FBI) launched Operation Winter SHIELD (short for “Securing Homeland Infrastructure by Enhancing Layered Defense”), outlining ten actions which organizations should implement to improve cyber resilience. This includes adopting phishing-resistant authentication, implementing a risk-based vulnerability management program, retiring end-of-life technology, managing third-party risk, preserving security logs, maintaining offline backups, inventorying internet-facing systems and services, strengthening email authentication, reducing administrator privileges, and executing incident response plans with all stakeholders. “Winter SHIELD provides industry with a practical roadmap to better secure information technology (IT) and operational technology (OT) environments, hardening the nation’s digital infrastructure and reducing the attack surface,” the FBI said. “Our goal is simple: to move the needle on resilience across industry by helping organizations understand where adversaries are focused and what concrete steps they can take now (and build toward in the future) to make exploitation harder.”
• Only 26% of Vulnerability Attacks Blocked by Hosts — A new study by website security firm PatchStack has revealed that a significant majority of common WordPress-specific vulnerabilities are not mitigated by hosting service providers. In a test using 30 vulnerabilities that were known to be exploited in real-world attacks, the company found that 74% of all attacks resulted in a successful site takeover. “Of the high-impact vulnerabilities, Privilege Escalation attacks were blocked only 12% of the time,” Patchstack said. “The biggest problem isn’t that hosts don’t care about vulnerability attacks – it’s that they think their existing solutions have got them covered.”
• Cyber Attacks Became More Distributed in 2025 — Forescout’s Threat Roundup report for 2025 has found that cyber attacks became more globally distributed and cloud-enabled. “In 2025, the top 10 countries accounted for 61% of malicious traffic – a 22% decrease compared to 2024 – and a reversal of a trend observed since 2022, when that figure was 73%,” Forescout said. “In other words, attacks are more distributed and attackers are using IP addresses from less common countries more frequently.” The U.S., India, and Germany were the most targeted countries, with 59% of the attacks originating from ISP-managed IPs, 17% from business and government networks, and 24% from hosting or cloud providers. The vast majority of the attacks originated from China, Russia, and Iran. Attacks using OT protocols surged by 84%, led by Modbus. The development comes as Cisco Talos revealed that threat actors are increasingly exploiting public-facing applications, overtaking phishing in the last quarter of 2025.
• Google Agrees to Settle Privacy Lawsuit for $68M — Google has agreed to pay $68 million to settle a class-action lawsuit alleging its voice-activated assistant illegally recorded and shared the private conversations with third parties without their consent. The case revolved around “false accepts,” where Google Assistant is said to have activated and recorded the user’s communications even in scenarios where the actual trigger word, “Ok Google,” was not used. Google has denied any wrongdoing. Apple reached a similar $95 million settlement in December 2024 over Siri recordings. Separately, Google has agreed to pay $135 million to settle a proposed class-action lawsuit that accused the company of illegally using users’ cellular data to transmit system information to its servers without the user’s knowledge or consent since November 12, 2017. As part of the settlement, Google will not transfer data without obtaining consent from Android users when they set up their phones. It will also make it easier for users to stop the transfers, and will disclose the transfers in its Google Play terms of service. The development follows a U.S. Supreme Court decision to hear a case stemming from the use of a Facebook tracking pixel to monitor the streaming habits of users of a sports website.
• Security Flaws in Google Fast Pair protocol — More than a dozen headphone and speaker models have been found vulnerable to a new vulnerability (CVE-2025-36911, CVSS score: 7.1) in the Google Fast Pair protocol. Called WhisperPair, the attack allows threat actors to hijack a user’s accessories without user interaction. In certain scenarios, the attackers can also register as the owners of those accessories and track the movement of the real owners via the Google Find Hub. Google awarded the researchers $15,000 following responsible disclosure in August 2025. “WhisperPair enables attackers to forcibly pair a vulnerable Fast Pair accessory (e.g., wireless headphones or earbuds) with an attacker-controlled device (e.g., a laptop) without user consent,” researchers at the COSIC group of KU Leuven said. “This gives an attacker complete control over the accessory, allowing them to play audio at high volumes or record conversations using the microphone. This attack succeeds within seconds (a median of 10 seconds) at realistic ranges (tested up to 14 metres) and does not require physical access to the vulnerable device.” In related news, an information leak vulnerability (CVE-2025-13834) and a denial-of-service (DoS) vulnerability (CVE-2025-13328) have been uncovered in Xiaomi Redmi Buds versions 3 Pro through 6 Pro. “An attacker within Bluetooth radio range can send specially crafted RFCOMM protocol interactions to the device’s internal channels without prior pairing or authentication, enabling the exposure of sensitive call-related data or triggering repeatable firmware crashes,” CERT Coordination Center (CERT/CC) said.

🎥 Cybersecurity Webinars

• Your SOC Stack Is Broken — Here’s How to Fix It Fast: Modern SOC teams are drowning in tools, alerts, and complexity. This live session with AirMDR CEO Kumar Saurabh and SACR CEO Francis Odum cuts through the noise—showing what to build, what to buy, and what to automate for real results. Learn how top teams design efficient, cost-effective SOCs that actually work. Join now to make smarter security decisions.
• AI Is Rewriting Cloud Forensics — Learn How to Investigate Faster: Cloud investigations are getting harder as evidence disappears fast and systems change by the minute. Traditional forensics can’t keep up. Join Wiz’s experts to see how AI and context-aware forensics are transforming cloud incident response—helping teams capture the right data automatically, connect the dots faster, and uncover what really happened in minutes instead of days.
• Build Your Quantum-Safe Defense: Get Guidance for IT Leaders: Quantum computers could soon break the encryption that protects today’s data. Hackers are already stealing encrypted information now to decrypt it later. Join this Zscaler webinar to learn how post-quantum cryptography keeps your business safe—using hybrid encryption, zero trust, and quantum-ready security tools built for the future.

🔧 Cybersecurity Tools

• Vulnhalla: CyberArk open-sources a new tool that automates vulnerability triage by combining CodeQL analysis with AI models like GPT-4 or Gemini. It scans public code repositories, runs CodeQL queries to find potential issues, and then uses AI to decide which ones are real security flaws versus false positives. This helps developers and security teams quickly focus on genuine risks instead of wasting time sorting through noisy scan results.
• OpenClaw: A personal AI assistant running in Cloudflare Workers, connecting to Telegram, Discord, and Slack with secure device pairing. It uses Claude via Anthropic API and optional R2 storage for persistence—showcasing how AI agents can run safely in a sandboxed, serverless Cloudflare setup.

Disclaimer: These tools are provided for research and educational use only. They are not security-audited and may cause harm if misused. Review the code, test in controlled environments, and comply with all applicable laws and policies.

Conclusion

Cybersecurity keeps moving fast. This week’s stories show how attacks, defenses, and discoveries keep shifting the balance. Staying secure now means staying alert, reacting fast, and knowing what’s changing around you.

The past few days proved that no one is too small to be a target and no system is ever fully safe. Every patch, every update, every fix counts — because threats don’t wait.

Keep learning, stay cautious, and keep your guard up. The next wave of attacks is already forming.

Ravie LakshmananFeb 02, 2026Kerberos / Enterprise Security

Microsoft has announced a three-phase approach to phase out New Technology LAN Manager (NTLM) as part of its efforts to shift Windows environments toward stronger, Kerberos-based options.

The development comes more than two years after the tech giant revealed its plans to deprecate the legacy technology, citing its susceptibility to weaknesses that could facilitate relay attacks and allow bad actors to gain unauthorized access to network resources. NTLM was formally deprecated in June 2024 and no longer receives updates.

“NTLM consists of security protocols originally designed to provide authentication, integrity, and confidentiality to users,” Mariam Gewida, Technical Program Manager II at Microsoft, explained. “However, as security threats have evolved, so have our standards to meet modern security expectations. Today, NTLM is susceptible to various attacks, including replay and man-in-the-middle attacks, due to its use of weak cryptography.”

Despite the deprecated status, Microsoft said it continues to find the use of NTLM prevalent in enterprise environments where modern protocols like Kerberos cannot be implemented due to legacy dependencies, network limitations, or ingrained application logic. This, in turn, exposes organizations to security risks, such as replay, relay, and pass-the-hash attacks.

To mitigate this problem in a secure manner, the company has adopted a three-phase strategy that paves the way for NTLM to be disabled by default –

• Phase 1: Building visibility and control using enhanced NTLM auditing to better understand where and why NTLM is still being used (Available now)
• Phase 2: Addressing common roadblocks that prevent a migration to NTLM through features like IAKerb and local Key Distribution Center (KDC) (pre-release), as well as updating core Windows components to prioritize Kerberos authentication (Expected in H2 2026)
• Phase 3: Disabling NTLM in the next version of Windows Server and associated Windows client, and requiring explicit re-enablement through new policy controls

Microsoft has positioned the transition as a major step toward a passwordless, phishing-resistant future. This also requires organizations relying on NTLM to conduct audits, map dependencies, migrate to Kerberos, test NTLM-off configurations in non-production environments, and enable Kerberos upgrades.

“Disabling NTLM by default does not mean completely removing NTLM from Windows yet,” Gewida said. “Instead, it means that Windows will be delivered in a secure-by-default state where network NTLM authentication is blocked and no longer used automatically.”

“The OS will prefer modern, more secure Kerberos-based alternatives. At the same time, common legacy scenarios will be addressed through new upcoming capabilities such as Local KDC and IAKerb (pre-release).”

Ravie LakshmananFeb 02, 2026Vulnerability / Artificial Intelligence

A high-severity security flaw has been disclosed in OpenClaw (formerly referred to as Clawdbot and Moltbot) that could allow remote code execution (RCE) through a crafted malicious link.

The issue, which is tracked as CVE-2026-25253 (CVSS score: 8.8), has been addressed in version 2026.1.29 released on January 30, 2026. It has been described as a token exfiltration vulnerability that leads to full gateway compromise.

“The Control UI trusts gatewayUrl from the query string without validation and auto-connects on load, sending the stored gateway token in the WebSocket connect payload,” OpenClaw’s creator and maintainer Peter Steinberger said in an advisory.

“Clicking a crafted link or visiting a malicious site can send the token to an attacker-controlled server. The attacker can then connect to the victim’s local gateway, modify config (sandbox, tool policies), and invoke privileged actions, achieving 1-click RCE.”

“OpenClaw is an open agent platform that runs on your machine and works from the chat apps you already use,” Steinberger said. “Unlike SaaS assistants where your data lives on someone else’s servers, OpenClaw runs where you choose – laptop, homelab, or VPS. Your infrastructure. Your keys. Your data.”

Mav Levin, founding security researcher at depthfirst who is credited with discovering the shortcoming, said it can be exploited to create a one-click RCE exploit chain that takes only milliseconds after a victim visits a single malicious web page.

The problem is that clicking on the link to that web page is enough to trigger a cross-site WebSocket hijacking attack because OpenClaw’s server doesn’t validate the WebSocket origin header. This causes the server to accept requests from any website, effectively getting around localhost network restrictions.

A malicious web page can take advantage of the issue to execute client-side JavaScript on the victim’s browser that can retrieve an authentication token, establish a WebSocket connection to the server, and use the stolen token to bypass authentication and log in to the victim’s OpenClaw instance.

To make matters worse, by leveraging the token’s privileged operator.admin and operator.approvals scopes, the attacker can use the API to disable user confirmation by setting “exec.approvals.set” to “off” and escape the container used to run shell tools by setting “tools.exec.host” to “gateway.”

“This forces the agent to run commands directly on the host machine, not inside a Docker container,” Levin said. “Finally, to achieve arbitrary command execution, the attacker JavaScript executes a node.invoke request.”

When asked whether OpenClaw’s use of the API to manage the safety features constitutes an architectural limitation, Levin told The Hacker News in an emailed response that, “I would say the problem is those defenses (sandbox and safety guardrails) were designed to contain malicious actions of an LLM, as a result of prompt injection, for example. And users might think these defenses would protect from this vulnerability (or limit the blast radius), but they don’t.”

Steinberger noted in the advisory that “the vulnerability is exploitable even on instances configured to listen on loopback only, since the victim’s browser initiates the outbound connection.”

“It impacts any Moltbot deployment where a user has authenticated to the Control UI. The attacker gains operator-level access to the gateway API, enabling arbitrary config changes and code execution on the gateway host. The attack works even when the gateway binds to loopback because the victim’s browser acts as the bridge.”

A security audit of 2,857 skills on ClawHub has found 341 malicious skills across multiple campaigns, according to new findings from Koi Security, exposing users to new supply chain risks.

ClawHub is a marketplace designed to make it easy for OpenClaw users to find and install third-party skills. It’s an extension to the OpenClaw project, a self-hosted artificial intelligence (AI) assistant formerly known as both Clawdbot and Moltbot.

The analysis, which Koi conducted with the help of an OpenClaw bot named Alex, found that 335 skills use fake pre-requisites to install an Apple macOS stealer named Atomic Stealer (AMOS). This set has been codenamed ClawHavoc.

“You install what looks like a legitimate skill – maybe solana-wallet-tracker or youtube-summarize-pro,” Koi researcher Oren Yomtov said. “The skill’s documentation looks professional. But there’s a ‘Prerequisites’ section that says you need to install something first.”

This step involves instructions for both Windows and macOS systems: On Windows, users are asked to download a file called “openclaw-agent.zip” from a GitHub repository. On macOS, the documentation tells them to copy an installation script hosted at glot[.]io and paste it into the Terminal app. The targeting of macOS is no coincidence, as reports have emerged of people buying Mac Minis to run the AI assistant 24×7.

Present within the password-protected archive is a trojan with keylogging functionality to capture API keys, credentials, and other sensitive data on the machine, including those that the bot already has access to. On the other hand, the glot[.]io script contains obfuscated shell commands to fetch next-stage payloads from an attacker-controlled infrastructure.

According to Koi, the malicious skills masquerade as

• ClawHub typosquats (e.g., clawhub, clawhub1, clawhubb, clawhubcli, clawwhub, cllawhub)
• Cryptocurrency tools like Solana wallets and wallet trackers
• Polymarket bots (e.g., polymarket-trader, polymarket-pro, polytrading)
• YouTube utilities (e.g., youtube-summarize, youtube-thumbnail-grabber, youtube-video-downloader)
• Auto-updaters (e.g., auto-updater-agent, update, updater)
• Finance and social media tools (e.g., yahoo-finance-pro, x-trends-tracker)
• Google Workspace tools claiming integrations with Gmail, Calendar, Sheets, and Drive
• Ethereum gas trackers
• Lost Bitcoin finders

In addition, the cybersecurity company said it identified skills that hide reverse shell backdoors inside functional code (e.g., better-polymarket and polymarket-all-in-one), or exfiltrate bot credentials present in “~/.clawdbot/.env” to a webhook[.]site (e.g., rankaj).

The development coincides with a report from OpenSourceMalware, which also flagged the same ClawHavoc campaign targeting OpenClaw users.

“The skills masquerade as cryptocurrency trading automation tools and deliver information-stealing malware to macOS and Windows systems,” a security researcher who goes by the online alias 6mile said.

“All these skills share the same command-and-control infrastructure (91.92.242[.]30) and use sophisticated social engineering to convince users to execute malicious commands, which then steal crypto assets like exchange API keys, wallet private keys, SSH credentials, and browser passwords.”

OpenClaw Adds a Reporting Option

The problem stems from the fact that ClawHub is open by default and allows anyone to upload skills. The only restriction at this stage is that a publisher must have a GitHub account that’s at least one week old.

The issue with malicious skills hasn’t gone unnoticed by OpenClaw’s creator Peter Steinberger, who has since rolled out a reporting feature that allows signed-in users to flag a skill. “Each user can have up to 20 active reports at a time,” the documentation states. “Skills with more than 3 unique reports are auto-hidden by default.”

The findings underscore how open-source ecosystems continue to be abused by threat actors, who are now piggybacking on OpenClaw’s sudden popularity to orchestrate malicious campaigns and distribute malware at scale.

In a report last week, Palo Alto Networks warned that OpenClaw represents what British programmer Simon Willison, who coined the term prompt injection, describes as a “lethal trifecta” that renders AI agents vulnerable by design due to their access to private data, exposure to untrusted content, and the ability to communicate externally.

The intersection of these three capabilities, combined with OpenClaw’s persistent memory, “acts as an accelerant” and amplifies the risks, the cybersecurity company added.

“With persistent memory, attacks are no longer just point-in-time exploits. They become stateful, delayed-execution attacks,” researchers Sailesh Mishra and Sean P. Morgan said. “Malicious payloads no longer need to trigger immediate execution on delivery. Instead, they can be fragmented, untrusted inputs that appear benign in isolation, are written into long-term agent memory, and later assembled into an executable set of instructions.”

“This enables time-shifted prompt injection, memory poisoning, and logic bomb–style activation, where the exploit is created at ingestion but detonates only when the agent’s internal state, goals, or tool availability align.”

Ravie LakshmananFeb 02, 2026Developer Tools / Malware

Cybersecurity researchers have disclosed details of a supply chain attack targeting the Open VSX Registry in which unidentified threat actors compromised a legitimate developer’s resources to push malicious updates to downstream users.

“On January 30, 2026, four established Open VSX extensions published by the oorzc author had malicious versions published to Open VSX that embed the GlassWorm malware loader,” Socket security researcher Kirill Boychenko said in a Saturday report.

“These extensions had previously been presented as legitimate developer utilities (some first published more than two years ago) and collectively accumulated over 22,000 Open VSX downloads prior to the malicious releases.”

The supply chain security company said that the supply chain attack involved the compromise of the developer’s publishing credentials, with the Open VSX security team assessing the incident as involving the use of either a leaked token or other unauthorized access. The malicious versions have since been removed from the Open VSX.

The list of identified extensions is below –

• FTP/SFTP/SSH Sync Tool (oorzc.ssh-tools — version 0.5.1)
• I18n Tools (oorzc.i18n-tools-plus — version 1.6.8)
• vscode mindmap (oorzc.mind-map — version 1.0.61)
• scss to css (oorzc.scss-to-css-compile — version 1.3.4)

The poisoned versions, Socket noted, are designed to deliver a loader malware associated with a known campaign called GlassWorm. The loader is equipped to decrypt and run embedded at runtime, uses an increasingly weaponized technique called EtherHiding to fetch command-and-control (C2) endpoints, and ultimately run code designed to steal Apple macOS credentials and cryptocurrency wallet data.

At the same time, the malware is detonated only after the compromised machine has been profiled, and it has been determined that it does not correspond to a Russian locale, a pattern commonly observed in malicious programs originating from or affiliated with Russian-speaking threat actors to avoid domestic prosecution.

The kinds of information harvested by the malware include –

• Data from Mozilla Firefox and Chromium-based browsers (logins, cookies, internet history, and wallet extensions like MetaMask)
• Cryptocurrency wallet files (Electrum, Exodus, Atomic, Ledger Live, Trezor Suite, Binance, and TonKeeper)
• iCloud Keychain database
• Safari cookies
• Data from Apple Notes
• user documents from Desktop, Documents, and Downloads folders
• FortiClient VPN configuration files
• Developer credentials (e.g., ~/.aws and ~/.ssh)

The targeting of developer information poses severe risks as it exposes enterprise environments to potential cloud account compromise and lateral movement attacks.

“The payload includes routines to locate and extract authentication material used in common workflows, including inspecting npm configuration for _authToken and referencing GitHub authentication artifacts, which can provide access to private repositories, CI secrets, and release automation,” Boychenko said.

A significant aspect of the attack is that it diverges from previously observed GlassWorm indicators in that it makes use of a compromised account belonging to a legitimate developer to distribute the malware. In prior instances, the threat actors behind the campaign have leveraged typosquatting and brandjacking to upload fraudulent extensions for subsequent propagation.

“The threat actor blends into normal developer workflows, hides execution behind encrypted, runtime-decrypted loaders, and uses Solana memos as a dynamic dead drop to rotate staging infrastructure without republishing extensions,” Socket said. “These design choices reduce the value of static indicators and shift defender advantage toward behavioral detection and rapid response.”

The update infrastructure for eScan antivirus, a security solution developed by Indian cybersecurity company MicroWorld Technologies, has been compromised by unknown attackers to deliver a persistent downloader to enterprise and consumer systems.

“Malicious updates were distributed through eScan’s legitimate update infrastructure, resulting in the deployment of multi-stage malware to enterprise and consumer endpoints globally,” Morphisec researcher Michael Gorelik said.

MicroWorld Technologies has revealed that it detected unauthorized access to its infrastructure and immediately isolated the impacted update servers, which remained offline for over eight hours. It has also released a patch that reverts the changes introduced as part of the malicious update. Impacted organizations are recommended to contact MicroWorld Technologies to obtain the fix.

It also pinned the attack as resulting from unauthorized access to one of its regional update server configurations, which enabled the threat actors to distribute a “corrupt” update to customers during a “limited timeframe” of about two hours on January 20, 2026.

“eScan experienced a temporary update service disruption starting January 20, 2026, affecting a subset of customers whose systems automatically download updates during a specific timeframe, from a specific update cluster,” the company said in an advisory issued on January 22, 2026.

“The issue resulted from unauthorized access to the regional update server infrastructure. The incident has been identified and resolved. Comprehensive remediation is available that addresses all observed scenarios.”

Morphisec, which identified the incident on January 20, 2026, said the malicious payload interferes with the regular functionality of the product, effectively preventing automatic remediation. This specifically involves delivering a malicious “Reload.exe” file that’s designed to drop a downloader, which contains functionality to establish persistence, block remote updates, and contact an external server to fetch additional payloads, including “CONSCTLX.exe.”

According to details shared by Kaspersky, “Reload.exe” – a legitimate file located in “C:Program Files (x86)escanreload.exe” – is replaced with a rogue counterpart that can prevent further antivirus product updates by modifying the HOSTS file. It’s signed with a fake, invalid digital signature.

“When started, this reload.exe file checks whether it is launched from the Program Files folder, and exits if not,” the Russian cybersecurity company said. “This executable is based on the UnmanagedPowerShell tool, which allows executing PowerShell code in any process. Attackers have modified the source code of this project by adding an AMSI bypass capability to it, and used it to execute a malicious PowerShell script inside the reload.exe process.”

The primary responsibility of the binary is to launch three Base64-encoded PowerShell payloads, which are designed to –

• Tamper with the installed eScan solution to prevent it from receiving updates and detecting the installed malicious components
• Bypass Windows Antimalware Scan Interface (AMSI)
• Check whether the victim machine should be further infected, and if yes, deliver a PowerShell-based payload to it

The victim validation step examines the list of installed software, running processes, and services against a hard-coded blocklist that includes analysis tools and security solutions, including those from Kaspersky. If they are detected, no further payloads are delivered.

The PowerShell payload, once executed, contacts an external server to receive two payloads in return: “CONSCTLX.exe” and a second PowerShell-based malware that’s launched by means of a scheduled task. It’s worth noting that the first of the three aforementioned PowerShell scripts also replaces the “C:Program Files (x86)eScanCONSCTLX.exe” component with the malicious file.

“CONSCTLX.exe” works by launching the PowerShell-based malware, alongside changing the last update time of the eScan product to the current time by writing the current date to the “C:Program Files (x86)eScanEupdate.ini” file so as to give the impression that the tool is working as expected.

The PowerShell malware, for its part, performs the same validation procedures as before and sends an HTTP request to the attacker-controlled infrastructure to receive more PowerShell payloads from the server for subsequent execution.

The eScan bulletin does not say which regional update server was affected, but Kaspersky’s analysis of telemetry data has revealed “hundreds of machines belonging to both individuals and organizations” that encountered infection attempts with payloads related to the supply chain attack. These machines are mainly located in India, Bangladesh, Sri Lanka, and the Philippines.

The security outfit also noted that the attackers had to have studied the internals of eScan in detail to understand how its update mechanism worked and how it could be tampered with to distribute malicious updates. It’s currently not known how the threat actors managed to secure access to the update server.

“Notably, it is quite unique to see malware being deployed through a security solution update,” it said. “Supply chain attacks are a rare occurrence in general, let alone the ones orchestrated through antivirus products.”

Ravie LakshmananJan 28, 2026Critical Infrastructure / Threat Intelligence

The “coordinated” cyber attack targeting multiple sites across the Polish power grid has been attributed with medium confidence to a Russian state-sponsored hacking crew known as ELECTRUM.

Operational technology (OT) cybersecurity company Dragos, in a new intelligence brief published Tuesday, described the late December 2025 activity as the first major cyber attack targeting distributed energy resources (DERs).

“The attack affected communication and control systems at combined heat and power (CHP) facilities and systems managing the dispatch of renewable energy systems from wind and solar sites,” Dragos said. “While the attack did not result in power outages, adversaries gained access to operational technology systems critical to grid operations and disabled key equipment beyond repair at the site.”

It’s worth pointing out that ELECTRUM and KAMACITE share overlaps with a cluster referred to as Sandworm (aka APT44 and Seashell Blizzard). KAMACITE focuses on establishing and maintaining initial access to targeted organizations using spear-phishing, stolen credentials, and exploitation of exposed services.

“Following access enablement, ELECTRUM conducts operations that bridge IT and OT environments, deploying tooling within operational networks, and performs ICS-specific actions that manipulate control systems or disrupt physical processes,” Dragos said. “These actions have included both manual interactions with operator interfaces and the deployment of purpose-built ICS malware, depending on the operational requirements and objectives.”

Put differently, the two clusters have clear separation of roles and responsibilities, enabling flexibility in execution and facilitating sustained OT-focused intrusions when conditions are favourable. As recently as July 2025, KAMACITE is said to have engaged in scanning activity against industrial devices located in the U.S.

Although no follow-on OT disruptions have been publicly reported to date, this highlights an operational model that is not geographically constrained and facilitates early-stage access identification and positioning.

“KAMACITE’s access-oriented operations create the conditions under which OT impact becomes possible, while ELECTRUM applies execution tradecraft when timing, access, and risk tolerance align,” it explained. “This division of labor enables flexibility in execution and allows OT impact to remain an option, even when it is not immediately exercised. This extends risk beyond discrete incidents and into prolonged periods of latent exposure.”

Dragos said the Poland attack targeted systems that facilitate communication and control between grid operators and DER assets, including assets that enable network connectivity, allowing the adversary to successfully disrupt operations at about 30 distributed generation sites.

The threat actors are assessed to have breached Remote Terminal Units (RTUs) and communication infrastructure at the affected sites using exposed network devices and exploited vulnerabilities as initial access vectors. The findings indicate that the attackers possess a deep understanding of electrical grid infrastructure, allowing them to disable communications equipment, including some OT devices.

That said, the full scope of the malicious actions undertaken by ELECTRUM is unknown, with Dragos noting that it’s unclear if the threat actor attempted to issue operational commands to this equipment or focused solely on disabling communications.

The Poland attack is also assessed to be more opportunistic and rushed than a precisely planned operation, allowing the hackers to take advantage of the unauthorized access to inflict as much damage as possible by wiping Windows-based devices to impede recovery, resetting configurations, or attempting to permanently brick equipment. The majority of the equipment is targeted at grid safety and stability monitoring, per Dragos.

“This incident demonstrates that adversaries with OT-specific capabilities are actively targeting systems that monitor and control distributed generation,” it added. “The disabling of certain OT or industrial control system (ICS) equipment beyond repair at the site moved what could have been seen as a pre-positioning attempt by the adversary into an attack.”