Category: Cybersecurity

  • Fake Moltbot AI Coding Assistant on VS Code Marketplace Drops Malware

    Cybersecurity researchers have flagged a new malicious Microsoft Visual Studio Code (VS Code) extension for Moltbot (formerly Clawdbot) on the official Extension Marketplace that claims to be a free artificial intelligence (AI) coding assistant, but stealthily drops a malicious payload on compromised hosts.

    The extension, named “ClawdBot Agent – AI Coding Assistant” (“clawdbot.clawdbot-agent”), has since been taken down by Microsoft. It was published by a user named “clawdbot” on January 27, 2026.

    Moltbot has taken off in a big way, crossing more than 85,000 stars on GitHub as of writing. The open-source project, created by Austrian developer Peter Steinberger, allows users to run a personal AI assistant powered by a large language model (LLM) locally on their own devices and interact with it over already established communication platforms like WhatsApp, Telegram, Slack, Discord, Google Chat, Signal, iMessage, Microsoft Teams, and WebChat.

    The most important aspect to note here is that Moltbot does not have a legitimate VS Code extension, meaning the threat actors behind the activity capitalized on the rising popularity of the tool to trick unsuspecting developers into installing it.

    The malicious extension is designed such that it’s automatically executed every time the integrated development environment (IDE) is launched, stealthily retrieving a file named “config.json” from an external server (“clawdbot.getintwopc[.]site”) to execute a binary named “Code.exe” that deploys a legitimate remote desktop program like ConnectWise ScreenConnect.

    The application then connects to the URL “meeting.bulletmailer[.]net:8041,” granting the attacker persistent remote access to the compromised host.

    “The attackers set up their own ScreenConnect relay server, generated a pre-configured client installer, and distributed it through the VS Code extension,” Aikido researcher Charlie Eriksen said. “When victims install the extension, they get a fully functional ScreenConnect client that immediately phones home to the attacker’s infrastructure.”

    What’s more, the extension incorporates a fallback mechanism that retrieves a DLL listed in “config.json” and sideloads it to obtain the same payload from Dropbox. The DLL (“DWrite.dll”), written in Rust, ensures that the ScreenConnect client is delivered even if the command-and-control (C2) infrastructure becomes inaccessible.

    This is not the only backup mechanism incorporated into the extension for payload delivery. The fake Moltbot extension also embeds hard-coded URLs to get the executable and the DLL to be sideloaded. A second alternative method involves using a batch script to obtain the payloads from a different domain (“darkgptprivate[.]com”).

    The Security Risks with Moltbot

    The disclosure comes as security researcher and Dvuln founder Jamieson O’Reilly found hundreds of unauthenticated Moltbot instances online, exposing configuration data, API keys, OAuth credentials, and conversation histories from private chats to unauthorized parties.

    “The real problem is that Clawdbot agents have agency,” O’Reilly explained. “They can send messages on behalf of users across Telegram, Slack, Discord, Signal, and WhatsApp. They can execute tools and run commands.”

    This, in turn, opens the door to a scenario where an attacker can impersonate the operator to their contacts, inject messages into ongoing conversations, modify agent responses, and exfiltrate sensitive data without their knowledge. More critically, an attacker could distribute a backdoored Moltbot “skill” via MoltHub (formerly ClawdHub) to stage supply chain attacks and siphon sensitive data.

    Intruder, in a similar analysis, said it has observed widespread misconfigurations leading to credential exposure, prompt injection vulnerabilities, and compromised instances across multiple cloud providers.

    “The core issue is architectural: Clawdbot prioritizes ease of deployment over secure-by-default configuration,” Benjamin Marr, security engineer at Intruder, said in a statement. “Non-technical users can spin up instances and integrate sensitive services without encountering any security friction or validation. There are no enforced firewall requirements, no credential validation, and no sandboxing of untrusted plugins.”

    Users who are running Clawdbot with default configurations are recommended to audit their configuration, revoke all connected service integrations, review exposed credentials, implement network controls, and monitor for signs of compromise.


    Source: thehackernews.com…

  • Fortinet Patches CVE-2026-24858 After Active FortiOS SSO Exploitation Detected

    Ravie Lakshmanan · Jan 28, 2026 · Network Security / Zero-Day

    Fortinet has begun releasing security updates to address a critical flaw impacting FortiOS that has come under active exploitation in the wild.

    The vulnerability, assigned the CVE identifier CVE-2026-24858 (CVSS score: 9.4), has been described as an authentication bypass related to FortiOS single sign-on (SSO). The flaw also affects FortiManager and FortiAnalyzer. The company said it’s continuing to investigate if other products, including FortiWeb and FortiSwitch Manager, are impacted by the flaw.

    “An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in FortiOS, FortiManager, FortiAnalyzer may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices,” Fortinet said in an advisory released Tuesday.

    It’s worth noting that the FortiCloud SSO login feature is not enabled in the default factory settings. It’s only turned on in scenarios where an administrator registers the device to FortiCare from the device’s GUI, unless they have taken steps to explicitly toggle the “Allow administrative login using FortiCloud SSO” switch.

    The development comes days after Fortinet confirmed that unidentified threat actors were abusing a “new attack path” to achieve SSO logins without requiring any authentication. The access was abused to create local admin accounts for persistence, make configuration changes granting VPN access to those accounts, and exfiltrate those firewall configurations.

    Over the past week, the network security vendor said it has taken the following steps –

    • Locked out two malicious FortiCloud accounts (cloud-noc@mail.io and cloud-init@mail.io) on January 22, 2026
    • Disabled FortiCloud SSO on the FortiCloud side on January 26, 2026
    • Re-enabled FortiCloud SSO on January 27, 2026, while disabling the option to log in from devices running vulnerable versions

    In other words, customers are required to upgrade to the latest versions of the software for the FortiCloud SSO authentication to function. Fortinet is also urging users who detect signs of compromise to treat their devices as breached and recommends the following actions –

    • Ensure the device is running the latest firmware version
    • Restore configuration with a known clean version or audit for any unauthorized changes
    • Rotate credentials, including any LDAP/AD accounts that may be connected to the FortiGate devices

    The development has led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) catalog, mandating Federal Civilian Executive Branch (FCEB) agencies to remediate the issues by January 30, 2026.


    Source: thehackernews.com…

  • Fake Python Spellchecker Packages on PyPI Delivered Hidden Remote Access Trojan

    Ravie Lakshmanan · Jan 28, 2026 · Supply Chain Security / Malware

    Cybersecurity researchers have discovered two malicious packages in the Python Package Index (PyPI) repository that masquerade as spellcheckers but contain functionality to deliver a remote access trojan (RAT).

    The packages, named spellcheckerpy and spellcheckpy, are no longer available on PyPI, but not before they were collectively downloaded a little over 1,000 times.

    “Hidden inside the Basque language dictionary file was a base64-encoded payload that downloads a full-featured Python RAT,” Aikido researcher Charlie Eriksen said. “The attacker published three ‘dormant’ versions first, payload present, trigger absent, then flipped the switch with spellcheckpy v1.2.0, adding an obfuscated execution trigger that fires the moment you import SpellChecker.”

    Unlike other packages that conceal the malicious functionality within “__init__.py” scripts, the threat actor behind the campaign has been found to add the payload inside a file named “resources/eu.json.gz” that contains Basque word frequencies from the legitimate pyspellchecker package.

    While the package appears harmless at first glance, the malicious behavior is triggered when the archive file is extracted using the test_file() function with the parameters: test_file("eu", "utf-8", "spellchecker"), causing it to retrieve a Base64-encoded downloader hidden in the dictionary under a key called “spellchecker.”

    Interestingly, the first three versions of the package only fetched and decoded the payload, but never executed it. However, that changed with the release of spellcheckpy version 1.2.0, published on January 21, 2026, when it gained the ability to run the payload as well.
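
    A defender can audit bundled dictionary resources for this kind of hidden entry. The following is an added example, not code from the article, Aikido, or pyspellchecker: it assumes a legitimate word-frequency file is a gzipped JSON object mapping words to numbers, and the function names, the 40-character threshold, and the sample data are constructed for illustration.

```python
import base64
import binascii
import gzip
import io
import json
import re

# Assumption: a legitimate word-frequency dictionary maps each word to a number.
B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_BLOB_LEN = 40  # assumption: shorter strings are not worth flagging as blobs


def looks_like_base64(value, min_len=MIN_BLOB_LEN):
    """True if value is a long string that decodes cleanly as Base64."""
    if not isinstance(value, str):
        return False
    # Accept the URL-safe alphabet too by mapping it onto the standard one.
    compact = "".join(value.split()).replace("-", "+").replace("_", "/")
    if len(compact) < min_len or not B64_ALPHABET.match(compact):
        return False
    try:
        base64.b64decode(compact + "=" * (-len(compact) % 4), validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def audit_frequency_dict(gz_bytes):
    """Return findings for entries that are not plain word -> count pairs."""
    with gzip.open(io.BytesIO(gz_bytes), "rt", encoding="utf-8") as fh:
        data = json.load(fh)
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object of word -> frequency")
    findings = []
    for key, value in data.items():
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, (int, float)) and not isinstance(value, bool):
            continue
        reason = "base64-blob" if looks_like_base64(value) else "non-numeric-value"
        size = len(value) if isinstance(value, (str, list, dict)) else 0
        findings.append({"key": key, "reason": reason,
                         "type": type(value).__name__, "size": size})
    return findings


def build_sample(extra=None):
    """Constructed sample: a few Basque words with made-up counts."""
    words = {"eta": 1203, "bat": 950, "da": 800, "ez": 610}
    words.update(extra or {})
    return gzip.compress(json.dumps(words).encode("utf-8"))


# Constructed, harmless stand-in for an embedded blob (not the real payload).
PLACEHOLDER_BLOB = base64.b64encode(
    b"constructed placeholder text standing in for a hidden blob"
).decode("ascii")

if __name__ == "__main__":
    sample = build_sample({"spellchecker": PLACEHOLDER_BLOB})
    for finding in audit_frequency_dict(sample):
        print(finding)
```

    The check reports the key, type, and size of each anomalous entry without decoding or executing it, so it can run in CI against every data file a dependency ships.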

    The first stage is a downloader that’s designed to retrieve a Python-based RAT from an external domain (“updatenet[.]work”). It’s capable of fingerprinting the compromised host, parsing incoming commands, and executing them. The domain, registered in late October 2025, is associated with 172.86.73[.]139, an IP address managed by RouterHosting LLC (aka Cloudzy), a hosting provider that has a history of offering its services to nation-state groups.

    This is not the first time fake Python spell-checking tools have been detected in PyPI. In November 2025, HelixGuard said it discovered a malicious package named “spellcheckers” that featured the ability to retrieve and execute a RAT payload. It’s suspected that these two sets of attacks are the work of the same threat actor.

    The development coincides with the discovery of several malicious npm packages to facilitate data theft and target cryptocurrency wallets –

    • flockiali (1.2.3-1.2.6), opresc (1.0.0), prndn (1.0.0), oprnm (1.0.0), and operni, which contain a single JavaScript file that, when loaded, serves a fake Microsoft-branded login screen as part of a targeted spear-phishing campaign hitting employees at specific industrial and energy companies located in France, Germany, Spain, the U.A.E, and the U.S. with malicious links
    • ansi-universal-ui (1.3.5, 1.3.6, 1.3.7, 1.4.0, 1.4.1), which masquerades as a UI component library but deploys a Python-based stealer dubbed G_Wagon that exfiltrates web browser credentials, cryptocurrency wallets, cloud credentials, and Discord tokens to an Appwrite storage bucket

    The disclosure also comes as Aikido highlighted the threat associated with slopsquatting, wherein artificial intelligence (AI)-powered agents can hallucinate non-existent packages that could then be claimed by a threat actor to push malicious code to downstream users.

    In one case highlighted by the supply chain security company, a fictitious npm package named “react-codeshift” has been referenced by 237 GitHub repositories since it was made up by a large language model in mid-October 2025, with some of them even instructing AI agents to install it.

    “How did it spread to 237 repos? Agent skill files. Copy-pasted, forked, translated into Japanese, never once verified,” Eriksen said. “Skills are the new code. They don’t look like it. They’re Markdown and YAML and friendly instructions. But they’re executable. AI agents follow them without asking, ‘Does this package actually exist?’”


    Source: thehackernews.com…

  • Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088

    Ravie Lakshmanan · Jan 28, 2026 · Vulnerability / Threat Intelligence

    Google on Tuesday revealed that multiple threat actors, including nation-state adversaries and financially motivated groups, are exploiting a now-patched critical security flaw in RARLAB WinRAR to establish initial access and deploy a diverse array of payloads.

    “Discovered and patched in July 2025, government-backed threat actors linked to Russia and China as well as financially motivated threat actors continue to exploit this n-day across disparate operations,” the Google Threat Intelligence Group (GTIG) said.

    “The consistent exploitation method, a path traversal flaw allowing files to be dropped into the Windows Startup folder for persistence, underscores a defensive gap in fundamental application security and user awareness.”

    The vulnerability in question is CVE-2025-8088 (CVSS score: 8.8), which was patched by WinRAR version 7.13 released on July 30, 2025. Successful exploitation of the flaw could allow an attacker to obtain arbitrary code execution by crafting malicious archive files that are opened by a vulnerable version of the program.

    ESET, which discovered and reported the security defect, said it observed the dual financial and espionage-motivated threat group known as RomCom (aka CIGAR or UNC4895) exploiting the flaw as a zero-day as far back as July 18, 2025, to deliver a variant of the SnipBot (aka NESTPACKER) malware. It’s worth noting that Google is tracking the threat cluster behind the deployment of Cuba Ransomware under the moniker UNC2596.

    Since then, the vulnerability has come under widespread exploitation, with attack chains typically concealing the malicious file, such as a Windows shortcut (LNK), within the alternate data streams (ADS) of a decoy file inside the archive, causing the payload to be extracted to a specific path (e.g., the Windows Startup folder) and automatically executing it once the user logs in to the machine after a restart.

    Some of the other Russian threat actors who have joined the exploitation bandwagon are listed below –

    • Sandworm (aka APT44 and FROZENBARENTS), which has leveraged the flaw to drop a decoy file with a Ukrainian filename and a malicious LNK file that attempts further downloads
    • Gamaredon (aka CARPATHIAN), which has leveraged the flaw to strike Ukrainian government agencies with malicious RAR archives containing HTML Application (HTA) files that act as a downloader for a second stage
    • Turla (aka SUMMIT), which has leveraged the flaw to deliver the STOCKSTAY malware suite using lures centred around Ukrainian military activities and drone operations

    GTIG said it also identified a China-based actor weaponizing CVE-2025-8088 to deliver Poison Ivy via a batch script dropped into the Windows Startup folder that’s then configured to download a dropper.

    “Financially motivated threat actors also quickly adopted the vulnerability to deploy commodity RATs and information stealers against commercial targets,” it added. Some of these attacks have led to the deployment of Telegram bot-controlled backdoors and malware families like AsyncRAT and XWorm.

    In another case highlighted by Google’s threat intelligence team, a cybercrime group known for targeting Brazilian users via banking websites is said to have delivered a malicious Chrome extension that’s capable of injecting JavaScript into the pages of two Brazilian banking sites to serve phishing content and steal credentials.

    The broad exploitation of the flaw is assessed to have been the result of a thriving underground economy, where WinRAR exploits have been advertised for thousands of dollars. One such supplier, “zeroplayer,” marketed a WinRAR exploit around the same time in the weeks leading to the public disclosure of CVE-2025-8088.

    “Zeroplayer’s continued activity as an upstream supplier of exploits highlights the continued commoditization of the attack lifecycle,” GTIG said. “By providing ready-to-use capabilities, actors such as zeroplayer reduce the technical complexity and resource demands for threat actors, allowing groups with diverse motivations […] to leverage a diverse set of capabilities.”

    The development comes as another WinRAR vulnerability (CVE-2025-6218, CVSS score: 7.8) has also witnessed exploitation efforts from multiple threat actors, including GOFFEE, Bitter, and Gamaredon, underscoring the threat posed by N-day vulnerabilities.


    Source: thehackernews.com…

  • Password Reuse in Disguise: An Often-Missed Risky Workaround

    When security teams discuss credential-related risk, the focus typically falls on threats such as phishing, malware, or ransomware. These attack methods continue to evolve and rightly command attention. However, one of the most persistent and underestimated risks to organizational security remains far more ordinary.

    Near-identical password reuse continues to slip past security controls, often unnoticed, even in environments with established password policies.

    Why password reuse still persists despite strong policies

    Most organizations understand that using the exact same password across multiple systems introduces risk. Security policies, regulatory frameworks, and user awareness training consistently discourage this behavior, and many employees make a genuine effort to comply. On the surface, this suggests that password reuse should be a diminishing problem.

    In reality, attackers continue to gain access through credentials that technically meet policy requirements. The reason is not always blatant password reuse, but a subtler workaround known as near-identical password reuse.

    What is near-identical password reuse?

    Near-identical password reuse occurs when users make small, predictable changes to an existing password rather than creating a completely new one.

    While these changes satisfy formal password rules, they do little to reduce real-world exposure. Here are some classic examples:

    • Adding or changing a number
      • Summer2023! → Summer2024!
    • Appending a character
    • Swapping symbols or capitalization
      • Welcome! → Welcome?
      • AdminPass → adminpass

    Another common scenario occurs when organizations issue a standard starter password to new employees, and instead of replacing it entirely, users make incremental changes over time to remain compliant. In both cases, the password changes appear legitimate, but the underlying structure remains largely intact.

    When poor user experience leads to risky workarounds

    These small variations are easy to remember, which is precisely why they are so common. The average employee is expected to manage dozens of credentials across work and personal systems, often with different and sometimes conflicting requirements. As organizations increasingly rely on software-as-a-service applications, this burden continues to grow.

    Specops research found that a 250-person organization may collectively manage an estimated 47,750 passwords, significantly expanding the attack surface. Under these conditions, near-identical password reuse becomes a practical workaround rather than an act of negligence.

    From a user’s perspective, a tweaked password feels different enough to meet compliance expectations while remaining memorable. These micro-changes satisfy password history rules and complexity requirements, and in the user’s mind, the requirement to change a password has been fulfilled.

    Predictability is exactly what attackers exploit

    From an attacker’s perspective, the situation looks very different. These passwords represent a clear and repeatable pattern.

    Modern credential-based attacks are built on an understanding of how people modify passwords under pressure, and near-identical password reuse is assumed rather than treated as an edge case. This is why most contemporary password cracking and credential stuffing tools are designed to exploit predictable variations at scale.

    How attackers weaponize password patterns

    Rather than guessing passwords randomly, attackers typically begin with credentials exposed in previous data breaches. These breached passwords are aggregated into large datasets and used as a foundation for further attacks.

    Automated tools then apply common transformations such as:

    • Adding characters
    • Changing symbols
    • Incrementing numbers

    When users rely on near-identical password reuse, these tools can move quickly and efficiently from one compromised account to another.

    Importantly, password modification patterns tend to be highly consistent across different user demographics. Specops password analysis has repeatedly shown that people follow similar rules when adjusting passwords, regardless of role, industry, or technical ability.

    This consistency makes password reuse, including near-identical variants, highly predictable and therefore easier for attackers to exploit. In many cases, a modified password is also reused across multiple accounts, further amplifying the risk.

    Why traditional password policies fail to stop near-identical reuse

    Many organizations believe they are protected because they already enforce password complexity rules. These often include minimum length requirements, a mix of uppercase and lowercase letters, numbers, symbols, and restrictions on reusing previous passwords. Some organizations also mandate regular password rotation to reduce exposure.

    While these measures can block the weakest passwords, they are poorly suited to addressing near-identical password reuse. A password such as FinanceTeam!2023 followed by FinanceTeam!2024 would pass all complexity and history checks, yet once one version is known, the next is trivial for an attacker to infer. With a well-placed symbol or a capitalized letter, users can remain compliant while still relying on the same underlying password.

    Another challenge is the lack of uniformity in how password policies are enforced across an organization’s broader digital environment. Employees may encounter different requirements across corporate systems, cloud platforms, and personal devices that still have access to organizational data. These inconsistencies further encourage predictable workarounds that technically comply with policy while weakening security overall.

    Recommended steps to reduce password risk

    Reducing the risk associated with near-identical password reuse requires moving beyond basic complexity rules. Security starts with understanding the state of credentials within the environment. Organizations need visibility into whether passwords have appeared in known breaches and whether users are relying on predictable similarity patterns.

    This requires continuous monitoring against breach data combined with intelligent similarity analysis, not static or one-time checks. It also means reviewing and updating password policies to explicitly block passwords that are too similar to previous ones, preventing common workarounds before they become entrenched behavior.
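
    One way to implement a "too similar to the previous password" rule at change time is sketched below. This is an added example, not code from the article or from any Specops product: it assumes the change form supplies the current password in plaintext alongside the new one, and the function names, the minimum base-word length of 4, and the edit threshold of 3 are hypothetical choices.

```python
MIN_BASE_LEN = 4   # assumption: ignore base words shorter than this
MAX_EDITS = 3      # assumption: reject if this few edits turn old into new


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def base_word(password):
    """Case-folded letters only: the part users tend to keep between changes."""
    return "".join(ch for ch in password.casefold() if ch.isalpha())


def similarity_verdict(old, new, max_edits=MAX_EDITS):
    """Return (allowed, reason) for a proposed password change."""
    old_base, new_base = base_word(old), base_word(new)

    # Same letters once digits, symbols and case are ignored,
    # e.g. Summer2023! -> Summer2024! or AdminPass -> adminpass.
    if len(old_base) >= MIN_BASE_LEN and old_base == new_base:
        return (False, "same-base-word")

    # One base word wrapped in extra letters, e.g. Welcome! -> MyWelcome!2.
    shorter, longer = sorted((old_base, new_base), key=len)
    if len(shorter) >= MIN_BASE_LEN and shorter in longer:
        return (False, "base-word-contained")

    # Catches all-digit or symbol-heavy passwords with no usable base word.
    if levenshtein(old.casefold(), new.casefold()) <= max_edits:
        return (False, "small-edit")

    return (True, "ok")


# Pairs taken from the article's examples, plus constructed ones.
SAMPLE_CHANGES = [
    ("Summer2023!", "Summer2024!"),
    ("Welcome!", "Welcome?"),
    ("AdminPass", "adminpass"),
    ("FinanceTeam!2023", "FinanceTeam!2024"),
    ("12345678", "12345679"),                  # constructed
    ("Summer2023!", "correct-horse-battery"),  # constructed
]

if __name__ == "__main__":
    for old, new in SAMPLE_CHANGES:
        print(f"{old!r} -> {new!r}: {similarity_verdict(old, new)}")
```

    Because only the current password is available in plaintext, this check covers the most recent change; comparing against older history entries would require a different design.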

    Closing the gap with smarter password controls

    Organizations that miss this basic aspect of password policy leave themselves unnecessarily exposed. Specops Password Policy consolidates these capabilities in a single solution, allowing organizations to manage password security in a more structured and transparent way.

    Specops Password Policy

    Specops Password Policy enables centralized policy management, making it easier to define, update, and enforce password rules across Active Directory as requirements evolve. It also provides clear, easy-to-understand reports that help security teams assess password risk and demonstrate compliance. In addition, this tool continuously scans Active Directory passwords against a database of more than 4.5 billion known breached passwords.

    Interested in understanding which Specops tools apply to your organization’s environment? Book a live demo of Specops Password Policy today.


    Source: thehackernews.com…

  • Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks

    Threat actors with ties to China have been observed using an updated version of a backdoor called COOLCLIENT in cyber espionage attacks in 2025 to facilitate comprehensive data theft from infected endpoints.

    The activity has been attributed to Mustang Panda (aka Earth Preta, Fireant, HoneyMyte, Polaris, and Twill Typhoon), with the intrusions primarily directed against government entities across Myanmar, Mongolia, Malaysia, and Russia.

    Kaspersky, which disclosed details of the updated malware, said it’s deployed as a secondary backdoor along with PlugX and LuminousMoth infections.

    “COOLCLIENT was typically delivered alongside encrypted loader files containing encrypted configuration data, shellcode, and in-memory next-stage DLL modules,” the Russian cybersecurity company said. “These modules relied on DLL side-loading as their primary execution method, which required a legitimate signed executable to load a malicious DLL.”

    Between 2021 and 2025, Mustang Panda is said to have leveraged signed binaries from various software products, including Bitdefender (“qutppy.exe”), VLC Media Player (“vlc.exe” renamed as “googleupdate.exe”), Ulead PhotoImpact (“olreg.exe”), and Sangfor (“sang.exe”) for this purpose.

    Campaigns observed in 2024 and 2025 have been found to abuse legitimate software developed by Sangfor, with one such wave targeting Pakistan and Myanmar using it to deliver a COOLCLIENT variant that drops and executes a previously unseen rootkit.

    COOLCLIENT was first documented by Sophos in November 2022 in a report detailing the widespread use of DLL side-loading by China-based APT groups. A subsequent analysis from Trend Micro officially attributed the backdoor to Mustang Panda and highlighted its ability to read/delete files, as well as monitor the clipboard and active windows.

    The malware has also been put to use in attacks targeting multiple telecom operators in a single Asian country in a long-running espionage campaign that may have commenced in 2021, Broadcom’s Symantec and Carbon Black Threat Hunter Team revealed in June 2024.

    COOLCLIENT is designed for collecting system and user information, such as keystrokes, clipboard contents, files, and HTTP proxy credentials from the host’s HTTP traffic packets based on instructions sent from a command-and-control (C2) server over TCP. It can also set up a reverse tunnel or proxy, and receive and execute additional plugins in memory.

    Some of the supported plugins are listed below –

    • ServiceMgrS.dll, a service management plugin to oversee all services on the victim host
    • FileMgrS.dll, a file management plugin to enumerate, create, move, read, compress, search, or delete files and folders
    • RemoteShellS.dll, a remote shell plugin that spawns a “cmd.exe” process to allow the operator to issue commands and capture the resulting output

    Mustang Panda has also been observed deploying three different stealer programs in order to extract saved login credentials from Google Chrome, Microsoft Edge, and other Chromium-based browsers. In at least one case, the adversary ran a cURL command to exfiltrate the Mozilla Firefox browser cookie file (“cookies.sqlite”) to Google Drive.

    These stealers, detected in attacks against the government sector in Myanmar, Malaysia, and Thailand, are suspected to be used as part of broader post-exploitation efforts.

    Furthermore, the attacks are characterized by the use of a known malware called TONESHELL (aka TOnePipeShell), which has been employed with varying levels of capabilities to establish persistence and drop additional payloads like QReverse, a remote access trojan with remote shell, file management, screenshot capture, and information gathering features, and a USB worm codenamed TONEDISK.

    Kaspersky’s analysis of the browser credential stealer has also uncovered code-level similarities with a cookie stealer used by LuminousMoth, suggesting some level of tool sharing between the two clusters. On top of that, Mustang Panda has been identified as using batch and PowerShell scripts to gather system information, conduct document theft activities, and steal browser login data.

    “With capabilities such as keylogging, clipboard monitoring, proxy credential theft, document exfiltration, browser credential harvesting, and large-scale file theft, HoneyMyte’s campaigns appear to go far beyond traditional espionage goals like document theft and persistence,” the company said.

    “These tools indicate a shift toward the active surveillance of user activity that includes capturing keystrokes, collecting clipboard data, and harvesting proxy credentials.”


    Source: thehackernews.com…

  • From Triage to Threat Hunts: How AI Accelerates SecOps

    If you work in security operations, the concept of the AI SOC agent is likely familiar. Early narratives promised total autonomy. Vendors seized on the idea of the “Autonomous SOC” and suggested a future where algorithms replaced analysts.

    That future has not arrived. We have not seen mass layoffs or empty security operations centers. We have instead seen the emergence of a practical reality. The deployment of AI in the SOC has not removed the human element. It has instead redefined how analysts spend their time.

    We now understand that the value of AI is not in replacing the operator. It is in solving the math problem of defense. Infrastructure complexity scales exponentially while headcount scales linearly. This mismatch previously forced teams to make statistical compromises and sample alerts rather than solving them. Agentic AI corrects this imbalance. It decouples investigation capacity from human availability and fundamentally alters the daily workflow of the security operations team.

    Redefining Triage and Investigation: Automated Context at Scale

    Alert triage currently functions as a filter. SOC analysts review basic telemetry to decide if an alert warrants a full investigation. This manual gatekeeping creates a bottleneck where low-fidelity signals are ignored to preserve bandwidth. Now imagine if an alert that comes in as low severity and is pushed down the priority queue ends up being a real threat. This is where missed alerts lead to breaches.

    Agentic AI changes triage by adding a machine layer that investigates every alert, regardless of severity, with human-level accuracy before it reaches the analyst. It pulls disjointed telemetry from EDR, identity, email, cloud, SaaS, and network tools into a unified context. The system performs the initial analysis and correlation and redetermines the severity, instantly pushing that low-severity alert to the top. This enables the analyst to concentrate on detecting malicious actors concealed within the noise.

    The human operator no longer spends time gathering IP reputation or verifying user locations. Their role shifts to reviewing the verdict provided by the system. This ensures that 100% of alerts receive a full investigation as soon as they arrive. Zero dwell time for every alert. The forced tradeoff of ignoring low-fidelity signals disappears because the cost of investigation is significantly lower with AI SOC agents.

    Impact on Detection Engineering: Visualizing the Noise

    Effective detection engineering requires feedback loops that manual SOCs struggle to provide. Analysts often close false positives without detailed documentation, which leaves detection engineers blind to which rules generate the most operational waste.

    An AI-driven architecture creates a structured feedback loop for detection logic. Because the system investigates every alert, it aggregates data on which rules consistently produce false positives. It identifies specific detection logic that requires tuning and provides the evidence needed to modify it.

    This visibility allows engineers to surgically prune noisy alerts. They can retire or adjust low-value rules based on empirical data rather than anecdotal complaints. The SOC becomes cleaner over time as the AI highlights exactly where the noise lives.

    Accelerating Threat Hunting: Hypothesis-Driven Defense

    Threat hunting is often limited by the technical barrier of query languages. Analysts must translate a hypothesis into complex syntax like SPL or KQL. This friction reduces the frequency of proactive hunts.

    AI removes this syntax barrier. It enables natural language interaction with security data. An analyst can ask semantic questions about the environment. A query such as “show me all lateral movement attempts from unmanaged devices in the last 24 hours” translates instantly into the necessary database queries.

    This capability democratizes threat hunting. Senior analysts can execute complex hypotheses faster. Junior analysts can participate in hunting operations without needing years of query language experience. The focus remains on the investigative theory rather than the mechanics of data retrieval.

    Why Organizations Choose Prophet Security

    What we’ve found from Prophet Security customers is that successful deployment of Agentic AI in a live environment hinges on several critical standards: Depth, Accuracy, Transparency, Adaptability, and Workflow Integration. These are the foundational pillars essential for human operators to trust the AI system’s judgment and operationalize it. Without excelling in these areas, AI adoption will falter, as the human team will lack confidence in its verdicts.

    Depth requires the system to replicate the cognitive workflow of a Tier 1-3 analyst. Basic automation checks a file hash and stops. Agentic AI must go further. It must pivot across identity providers, EDR, and network logs to build a complete picture. It must understand the nuance of internal business logic to investigate with the same breadth and rigor as a human expert.

    Accuracy is the measure of utility. The system must reliably distinguish between benign administrative tasks and genuine threats. High fidelity ensures that analysts can rely on the system’s verdicts without constant re-verification. Not surprisingly, depth of investigation and accuracy go hand-in-hand. Prophet Security’s accuracy is consistently above 98%, including where it counts the most: identifying true positives.

    Transparency and explainability are the ultimate test of trust. AI builds trust by providing transparency into its operations, detailing the queries run against data sources, the specific data retrieved, and the logical conclusions drawn. Prophet Security enforces a “Glass Box” standard that meticulously documents and exposes every query, data point, and logic step used to determine whether the alert is a true positive or benign.

    Adaptability refers to how well the AI system ingests feedback and guidance, and other organizational-specific context to improve its accuracy. The AI system should effectively mold around your environment and its unique security needs and risk tolerance. Prophet Security has built a Guidance system that enables a human-on-the-loop model where analysts provide feedback and organizational context to customize the AI’s investigation and response logic to their needs.

    Workflow Integration is crucial. Tools must not only integrate with your existing technology stack but also seamlessly fit into your current security operations workflows. A solution that demands a complete overhaul of existing systems or clashes with your established security tool implementation will be unusable from the start. Prophet Security understands this necessity, as the platform was developed by former SOC analysts from leading firms like Mandiant, Red Canary, and Expel. We’ve prioritized integration quality to ensure a seamless experience and immediate value for every security team.

    To learn more about Prophet Security and see why teams trust Prophet AI to triage, investigate, and respond to all of their alerts, request a demo today.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • Two High-Severity n8n Flaws Allow Authenticated Remote Code Execution

    Ravie Lakshmanan | Jan 28, 2026 | Vulnerability / Workflow Automation

    Cybersecurity researchers have disclosed two new security flaws in the n8n workflow automation platform, including a critical vulnerability that could result in remote code execution.

    The weaknesses, discovered by the JFrog Security Research team, are listed below –

    • CVE-2026-1470 (CVSS score: 9.9) – An eval injection vulnerability that could allow an authenticated user to bypass the Expression sandbox mechanism and achieve full remote code execution on n8n’s main node by passing specially crafted JavaScript code
    • CVE-2026-0863 (CVSS score: 8.5) – An eval injection vulnerability that could allow an authenticated user to bypass n8n’s python-task-executor sandbox restrictions and run arbitrary Python code on the underlying operating system

    Successful exploitation of the flaws could permit an attacker to hijack an entire n8n instance, including under scenarios where it’s operating under “internal” execution mode. In its documentation, n8n notes that using internal mode in production environments can pose a security risk, urging users to switch to external mode to ensure proper isolation between n8n and task runner processes.

    “As n8n spans an entire organization to automate AI workflows, it holds the keys to core tools, functions, and data from infrastructure, including LLM APIs, sales data, and internal IAM systems, among others,” JFrog said in a statement shared with The Hacker News. “This results in escapes giving a hacker an effective “skeleton key” to the entire corporation.”

    To address the flaws, users are advised to update to the following versions –

    • CVE-2026-1470 – 1.123.17, 2.4.5, or 2.5.1
    • CVE-2026-0863 – 1.123.14, 2.3.5, or 2.4.2

    The development comes merely weeks after Cyera Research Labs detailed a maximum-severity security flaw in n8n (CVE-2026-21858 aka Ni8mare) that allows an unauthenticated remote attacker to gain complete control over susceptible instances.

    “These vulnerabilities highlight how difficult it is to safely sandbox dynamic, high‑level languages such as JavaScript and Python,” researcher Nathan Nehorai said. “Even with multiple validation layers, deny lists, and AST‑based controls in place, subtle language features and runtime behaviors can be leveraged to bypass security assumptions.”

    “In this case, deprecated or rarely used constructs, combined with interpreter changes and exception handling behavior, were enough to break out of otherwise restrictive sandboxes and achieve remote code execution.”


    Source: thehackernews.com…

  • Experts Detect Pakistan-Linked Cyber Campaigns Aimed at Indian Government Entities

    Ravie Lakshmanan | Jan 27, 2026 | Threat Intelligence / Cyber Espionage

    Indian government entities have been targeted in two campaigns undertaken by a threat actor that operates in Pakistan using previously undocumented tradecraft.

    The campaigns have been codenamed Gopher Strike and Sheet Attack by Zscaler ThreatLabz, which identified them in September 2025.

    “While these campaigns share some similarities with the Pakistan-linked Advanced Persistent Threat (APT) group, APT36, we assess with medium confidence that the activity identified during this analysis might originate from a new subgroup or another Pakistan-linked group operating in parallel,” researchers Sudeep Singh and Yin Hong Chang said.

    Sheet Attack gets its name from the use of legitimate services like Google Sheets, Firebase, and email for command-and-control (C2). On the other hand, Gopher Strike is assessed to have leveraged phishing emails as a starting point to deliver PDF documents containing a blurred image that’s superimposed by a seemingly harmless pop-up instructing the recipient to download an update for Adobe Acrobat Reader DC.

    The main purpose of the image is to give the users an impression that it’s necessary to install the update in order to access the document’s contents. Clicking the “Download and Install” button in the fake update dialog triggers the download of an ISO image file only when the requests originate from IP addresses located in India and the User-Agent string corresponds to Windows.

    “These server-side checks prevent automated URL analysis tools from fetching the ISO file, ensuring that the malicious file is only delivered to intended targets,” Zscaler said.

    The malicious payload embedded within the ISO image is a Golang-based downloader dubbed GOGITTER that’s responsible for creating a Visual Basic Script (VBScript) file if it does not already exist in the following locations: “C:\Users\Public\Downloads,” “C:\Users\Public\Pictures,” and “%APPDATA%.” The script is designed to fetch VBScript commands every 30 seconds from two pre-configured C2 servers.

    GOGITTER also sets up persistence using a scheduled task that’s configured to run the aforementioned VBScript file every 50 minutes. In addition, it ascertains the presence of another file named “adobe_update.zip” in the same three folders. If the ZIP file is not present, it pulls the archive from a private GitHub repository (“github[.]com/jaishankai/sockv6”). The GitHub account was created on June 7, 2025.

    Once the download is successful, the attack chain sends an HTTP GET request to the domain “adobe-acrobat[.]in” likely to signal the threat actors that the endpoint has been infected. GOGITTER then extracts and executes “edgehost.exe” from the ZIP file. A lightweight Golang-based backdoor, GITSHELLPAD, leverages threat actor-controlled private GitHub repositories for C2.

    Specifically, it polls the C2 server every 15 seconds by means of a GET request to access the contents of a file named “command.txt.” It supports six different commands –

    • cd .., to change working directory to the parent directory
    • cd, to change directory to the specified path
    • run, to run a command in the background without capturing the output
    • upload, to upload a local file specified by the path to the GitHub repository
    • download, to download a file to the specified path
    • default case, to run a command using cmd /c and capture the output

    The results of the command execution are stored in a file called “result.txt” and uploaded to the GitHub account via an HTTP PUT request. The “command.txt” is then deleted from the GitHub repository once the command is successfully executed.
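
    The polling pattern described above (a GET for “command.txt” every 15 seconds, followed by a PUT of “result.txt”) can be hunted for in web proxy logs. The following is an added example, not code from Zscaler or from the article; the log layout, URL shape, host names, and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit

POLL_FILE = "command.txt"     # file the backdoor polls, per the report
RESULT_FILE = "result.txt"    # file it uploads output to, per the report
EXPECTED_GAP = 15             # seconds between polls, per the report
TOLERANCE = 3                 # assumption: allowed drift in the median gap
MIN_POLLS = 5                 # assumption: polls required before flagging

# Constructed proxy log lines: timestamp, source host, method, URL.
# Owner and repository names are placeholders; the URL layout is an assumption.
REPO = "https://api.github.com/repos/EXAMPLE-OWNER/EXAMPLE-REPO/contents"
SAMPLE_LOG = f"""\
2026-01-27T10:00:00 WS-014 GET {REPO}/command.txt
2026-01-27T10:00:15 WS-014 GET {REPO}/command.txt
2026-01-27T10:00:20 DEV-02 GET {REPO}/README.md
2026-01-27T10:00:30 WS-014 GET {REPO}/command.txt
2026-01-27T10:00:46 WS-014 GET {REPO}/command.txt
2026-01-27T10:00:47 WS-014 PUT {REPO}/result.txt
2026-01-27T10:01:00 WS-014 GET {REPO}/command.txt
2026-01-27T10:01:15 WS-014 GET {REPO}/command.txt
2026-01-27T10:03:10 DEV-02 GET {REPO}/command.txt
2026-01-27T10:09:42 DEV-02 GET {REPO}/command.txt
""".splitlines()


def parse(line):
    """Split one log line into (time, host, method, repo location, file name)."""
    stamp, host, method, url = line.split()
    parts = urlsplit(url)
    folder, _, name = parts.path.rpartition("/")
    return datetime.fromisoformat(stamp), host, method, parts.netloc + folder, name


def find_pollers(lines):
    """Return hosts that fetch command.txt on a steady ~15 s cadence."""
    polls = defaultdict(list)    # (host, repo) -> GET times for command.txt
    uploads = defaultdict(int)   # (host, repo) -> PUT count for result.txt
    for line in lines:
        if not line.strip():
            continue
        when, host, method, repo, name = parse(line)
        if method == "GET" and name == POLL_FILE:
            polls[(host, repo)].append(when)
        elif method == "PUT" and name == RESULT_FILE:
            uploads[(host, repo)] += 1

    findings = []
    for (host, repo), times in polls.items():
        if len(times) < MIN_POLLS:
            continue  # too few samples to judge cadence
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if abs(median(gaps) - EXPECTED_GAP) <= TOLERANCE:
            findings.append({
                "host": host,
                "repo": repo,
                "polls": len(times),
                "median_gap": median(gaps),
                "result_uploads": uploads[(host, repo)],
            })
    return findings


if __name__ == "__main__":
    for hit in find_pollers(SAMPLE_LOG):
        print(hit)
```

    Using the median gap rather than the mean keeps a single delayed request from hiding an otherwise regular cadence; a non-zero upload count alongside it indicates that commands were executed, not just polled for.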

    Zscaler said it observed the threat actor also downloading RAR archives using cURL commands after gaining access to the victim’s machine. The archives include utilities to gather system information and drop GOSHELL, a bespoke Golang-based loader used to deliver Cobalt Strike Beacon after multiple rounds of decoding. The tools are wiped from the machine after use.

    “GOSHELL’s size was artificially inflated to approximately 1 gigabyte by adding junk bytes to the Portable Executable (PE) overlay, likely to evade detection by antivirus software,” the cybersecurity company said. “GOSHELL only executes on specific hostnames by comparing the victim’s hostname against a hard-coded list.”


    Source: thehackernews.com…

  • ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services

    Cybersecurity researchers have disclosed details of a new campaign that combines ClickFix-style fake CAPTCHAs with a signed Microsoft Application Virtualization (App-V) script to distribute an information stealer called Amatera.

    “Instead of launching PowerShell directly, the attacker uses this script to control how execution begins and to avoid more common, easily recognized execution paths,” Blackpoint researchers Jack Patrick and Sam Decker said in a report published last week.

    In doing so, the idea is to transform the App-V script into a living-off-the-land (LotL) binary that proxies the execution of PowerShell through a trusted Microsoft component to conceal the malicious activity.

    The starting point of the attack is a fake CAPTCHA verification prompt that seeks to trick users into pasting and executing a malicious command on the Windows Run dialog. But here is where the attack diverges from traditional ClickFix attacks.

    The supplied command, rather than invoking PowerShell directly, abuses “SyncAppvPublishingServer.vbs,” a signed Visual Basic Script associated with App-V to retrieve and execute an in-memory loader from an external server using “wscript.exe.”

    It’s worth noting that the misuse of “SyncAppvPublishingServer.vbs” is not new. In 2022, two different threat actors from China and North Korea, tracked as DarkHotel and BlueNoroff, were observed leveraging the LOLBin exploit to stealthily execute a PowerShell script. But this is the first time it has been observed in ClickFix attacks.

    “Adversaries may abuse SyncAppvPublishingServer.vbs to bypass PowerShell execution restrictions and evade defensive counter measures by ‘living off the land,’” MITRE notes in its ATT&CK framework. “Proxying execution may function as a trusted/signed alternative to directly invoking ‘powershell.exe.’”

    The use of an App-V script is also significant as the virtualization solution is built only into Enterprise and Education editions of Windows 10 and Windows 11, along with modern Windows Server versions. It’s not available for Windows Home or Pro installations.

    In Windows operating systems where App-V is either absent or not enabled, the execution of the command fails outright. This also indicates that enterprise managed systems are likely the primary targets of the campaign.
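
    Because the signed script legitimately launches PowerShell, the useful signal is where the invocation comes from. The following added example (not Blackpoint’s code or part of the article) triages process-creation telemetry for “SyncAppvPublishingServer.vbs” started from explorer.exe, the parent of commands typed into the Run dialog; the event fields, host names, and severity labels are assumptions, and the events are constructed.

```python
import ntpath
from collections import defaultdict

SCRIPT = "syncappvpublishingserver.vbs"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RUN_DIALOG_PARENT = "explorer.exe"   # commands typed into Run are spawned by Explorer

# Constructed process-creation events (fields modelled on EDR-style telemetry).
# Script arguments are deliberately replaced by a placeholder.
SYS32 = r"C:\Windows\System32"
VBS_CMD = "wscript.exe " + SYS32 + r"\SyncAppvPublishingServer.vbs <ARGS-PLACEHOLDER>"
PS_IMAGE = SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"host": "HR-LT-07", "pid": 1200, "ppid": 900,
     "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"host": "HR-LT-07", "pid": 4100, "ppid": 1200,
     "image": SYS32 + r"\wscript.exe", "cmd": VBS_CMD},
    {"host": "HR-LT-07", "pid": 4188, "ppid": 4100,
     "image": PS_IMAGE, "cmd": "powershell.exe <ARGS-PLACEHOLDER>"},
    {"host": "HR-LT-07", "pid": 5000, "ppid": 1200,
     "image": SYS32 + r"\wscript.exe", "cmd": r"wscript.exe C:\Tools\inventory.vbs"},
    {"host": "APPV-SRV-1", "pid": 700, "ppid": 4,
     "image": SYS32 + r"\svchost.exe", "cmd": "svchost.exe -k netsvcs"},
    {"host": "APPV-SRV-1", "pid": 3020, "ppid": 700,
     "image": SYS32 + r"\wscript.exe", "cmd": VBS_CMD},
    {"host": "APPV-SRV-1", "pid": 3044, "ppid": 3020,
     "image": PS_IMAGE, "cmd": "powershell.exe <ARGS-PLACEHOLDER>"},
]


def exe(event):
    """Lower-cased executable name from a Windows image path."""
    return ntpath.basename(event["image"]).lower()


def triage(events):
    """Rate every script-host launch of SyncAppvPublishingServer.vbs."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    children = defaultdict(list)
    for e in events:
        children[(e["host"], e["ppid"])].append(e)

    findings = []
    for e in events:
        if exe(e) not in SCRIPT_HOSTS or SCRIPT not in e["cmd"].lower():
            continue
        parent = by_pid.get((e["host"], e["ppid"]))
        from_run = parent is not None and exe(parent) == RUN_DIALOG_PARENT
        spawned_ps = any(exe(c) == "powershell.exe"
                         for c in children[(e["host"], e["pid"])])
        # A PowerShell child alone is expected behaviour for this script,
        # so severity is driven by the interactive parent.
        if from_run and spawned_ps:
            severity = "high"
        elif from_run:
            severity = "medium"
        else:
            severity = "baseline"
        findings.append({"host": e["host"], "pid": e["pid"],
                         "parent": exe(parent) if parent else None,
                         "spawned_powershell": spawned_ps,
                         "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

    The “baseline” results are worth keeping: they show which hosts actually use App-V publishing, which makes an invocation on any other machine stand out.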

    The obfuscated loader runs checks to ensure that it’s not run within sandboxed environments, and then proceeds to fetch configuration data from a public Google Calendar (ICS) file, essentially turning a trusted third-party service into a dead drop resolver.

    “By externalizing configuration in this way, the actor can rapidly rotate infrastructure or adjust delivery parameters without redeploying earlier stages of the chain, reducing operational friction and extending the lifespan of the initial infection vector,” the researchers pointed out.

    Parsing the calendar event file leads to the retrieval of additional loader stages, including a PowerShell script that functions as an intermediate loader to execute the next stage, another PowerShell script, directly in memory. This step, in turn, results in the retrieval of a PNG image from domains like “gcdnb.pbrd[.]co” and “iili[.]io” via WinINet APIs that conceals an encrypted and compressed PowerShell payload.

    The resulting script is decrypted, GZip decompressed in memory, and run using Invoke-Expression, ultimately culminating in the execution of a shellcode loader that’s designed to launch Amatera Stealer.

    “What makes this campaign interesting isn’t any single trick, but how carefully thought-out everything is when chained together,” Blackpoint concluded. “Each stage reinforces the last, from requiring manual user interaction, to validating clipboard state, to pulling live configuration from a trusted third-party service.”

    “The result is an execution flow that only progresses when it unfolds (almost) exactly as the attacker expects, which makes both automated detonation and casual analysis significantly harder.”

    The Evolution of ClickFix: JackFix, CrashFix, and GlitchFix

    The disclosure comes as ClickFix has become one of the most widely used initial access methods in the last year, accounting for 47% of the attacks observed by Microsoft.

    Recent ClickFix campaigns have targeted social media content creators by claiming they are eligible for free verified badges, instructing them via videos to copy authentication tokens from their browser cookies into a fake form to complete the supposed verification process. The embedded video also informs the user to “not log out for at least 24 hours” to keep the authentication tokens valid.

    The campaign, active since at least September 2025, is estimated to have used 115 web pages across the attack chain and eight exfiltration endpoints, per Hunt.io. The main targets of the activity include creators, monetized pages, and businesses seeking verification, with the end goal being to facilitate account takeover following token theft.

    “Defending against the ClickFix technique is uniquely challenging because the attack chain is built almost entirely on legitimate user actions and the abuse of trusted system tools,” Martin Zugec, technical solutions director at Bitdefender, said in a report last month. “Unlike traditional malware, ClickFix turns the user into the initial access vector, making the attack look benign from an endpoint defense perspective.”

    ClickFix is also constantly evolving, utilizing variants like JackFix and CrashFix to deceive victims into infecting their own machines. While operators use several methods to attempt to convince a target to perform command execution, the growing popularity of the social engineering technique has paved the way for ClickFix builders that are advertised on hacker forums for anywhere between $200 and $1,500 per month.

    The latest entrant to this threat landscape is ErrTraffic, a traffic distribution system (TDS) that’s specifically designed for ClickFix-like campaigns by causing compromised websites injected with malicious JavaScript to glitch and then suggesting a fix to address the non-existent problem. This technique has been codenamed GlitchFix.

    The malware-as-a-service (MaaS) supports three different file distribution modes that involve using fake browser update alerts, fake “system font required” dialogs, and bogus missing system font errors to trigger the execution of malicious commands. ErrTraffic is explicitly blocked from running on machines located in the Commonwealth of Independent States (CIS) countries.

    “ErrTraffic doesn’t just show a fake update prompt, it actively corrupts the underlying page to make victims believe something is genuinely wrong,” Censys said. “It also applies CSS transformations that make everything look broken.”

    ClickFix has also been adopted by threat actors behind the ClearFake campaign, which is known to infect compromised WordPress sites with fake web browser update decoys to distribute malware. ClearFake’s use of ClickFix was first recorded in May 2024, leveraging CAPTCHA challenges for delivering Emmenhtal Loader (aka PEAKLIGHT), which then drops Lumma Stealer.

    The attack chain also makes use of another known technique referred to as EtherHiding to retrieve the next-stage JavaScript code using smart contracts on Binance’s BNB Smart Chain (BSC) and eventually inject the ClickFix fake CAPTCHA obtained from a different smart contract into the web page. At the same time, the final stage avoids re-infecting already infected victims.

    Like in the case of the Amatera Stealer attack, the ClickFix command copied to the clipboard abuses “SyncAppvPublishingServer.vbs” to obtain the final payload hosted on the jsDelivr content delivery network (CDN). Expel’s analysis of the ClearFake campaign shows that as many as 147,521 systems have likely been infected since late August 2025.

    “One of many factors security products use to decide if behavior is malicious or not is whether said behavior is being performed by a trusted application,” security researcher Marcus Hutchins said. “In this case, ‘SyncAppvPublishingServer.vbs’ is a default Windows component, and the file can only be modified by TrustedInstaller (a highly privileged system account used internally by the operating system). Therefore, the file and its behavior alone would not normally be suspect.”

    “Organizations and EDR are unlikely to outright block ‘SyncAppvPublishingServer.vbs’ from launching PowerShell in hidden mode, as it would prevent the component from being used for its intended purpose. Consequently, by abusing the command line injection bug in ‘SyncAppvPublishingServer.vbs,’ attackers can execute arbitrary code via a trusted system component.”

    Expel also characterized the campaign as highly sophisticated and very evasive, owing to the use of in-memory PowerShell code execution, coupled with its reliance on blockchain and popular CDNs, thus ensuring that it does not communicate with any infrastructure that’s not a legitimate service.

    Censys has described the broader fake CAPTCHA ecosystem as a “fragmented, fast-changing abuse pattern that uses trusted web infrastructure as the delivery surface,” wherein Cloudflare-style challenges act as a conduit for clipboard-driven execution of PowerShell commands, VB Scripts, MSI installers, and even hand-offs to browser-native frameworks like Matrix Push C2.

    “This aligns with a broader shift toward Living Off the Web: systematic reuse of security-themed interfaces, platform-sanctioned workflows, and conditioned user behavior to deliver malware,” the attack surface management firm said. “Attackers do not need to compromise trusted services; they inherit trust by operating inside familiar verification and browser workflows that users and tooling are trained to accept.”


    Source: thehackernews.com…