Issues

Russia-linked Attackers Abuse New Microsoft Office Zero-day

,

Russia-linked APT28 hackers exploit latest Microsoft Office zero-day, targeting Ukrainian government and EU organizations. Ukraine's CERT reports rapid weaponization of the CVE-2026-21509 vulnerability, leading to phishing campaigns and malware deployment via malicious DOC files. Microsoft has issued patches, but concerns about increasing cyberattacks persist due to slow user updates.

https://www.theregister.com/2026/02/02/russialinked_apt28_microsoft_office_bug/

Spyware Maker Is Hijacking Diplomatic Efforts to Limit Commercial Hacking, Civil Society Warns

, , ,

Civil society alleges NSO Group, a spyware manufacturer with a history of human rights violations, is using diplomatic initiatives like the Pall Mall Process to rehabilitate its image despite reports of abuses. While NSO claims engagement in reining in spyware misuse, officials from France and the UK affirm they did not invite NSO's participation. Critics stress that NSO's history, including targeting journalists and activists, undermines its claims of responsible governance, while calls for exclusion from future negotiations are growing amid concerns over accountability and transparency.

https://therecord.media/spyware-maker-pall-mall-process-reputation

Malicious MoltBot Skills Used to Push Password-stealing Malware

,

Over 230 malicious packages, dubbed “skills,” targeting the OpenClaw AI assistant have been released in a week, posing as legitimate tools to distribute malware that steals sensitive information like API keys and passwords. The malware exploits misconfigurations in OpenClaw's admin interface and employs social engineering tactics to infect users' systems, using a seemingly crucial tool called ‘AuthTool' to deliver payloads. To mitigate risks, users are advised to carefully verify the safety of skills before use and adopt security measures such as isolating the AI assistant in a virtual environment.

https://www.bleepingcomputer.com/news/security/malicious-moltbot-skills-used-to-push-password-stealing-malware/

How Fake Party Invitations Are Being Used to Install Remote Access Tools

,

Fake party invitations are being used in a scam to trick victims into installing ScreenConnect, a remote access tool, on their Windows computers. Victims receive emails that appear friendly and informal, leading to a seemingly innocent invitation link. Clicking the link downloads an MSI file disguised as an invitation, which silently installs ScreenConnect, allowing attackers full control of the victim's computer. The scam exploits human curiosity and urgency, often going unnoticed until suspicious behavior occurs on the system. To protect against this scam, users should be wary of unsolicited invitations, avoid running unknown MSI files, and verify invitations through other channels.

https://www.malwarebytes.com/blog/threat-intel/2026/02/how-fake-party-invitations-are-being-used-to-install-remote-access-tools

Notepad Hijacked

, ,

Notepad++ update servers were compromised by a likely Chinese state-sponsored group from June to December 2025. Attackers intercepted update traffic, redirecting users to malicious binaries due to inadequate validation of update packages. Following the breach, Notepad++ enhanced security measures, including stricter validation processes and plans to implement XMLDSig in future updates to prevent such incidents.

https://cybersecuritynews.com/notepad-hijacked/

175K Exposed Ollama Hosts Allow Remote Code Execution

,

175,000 exposed Ollama AI servers across 130 countries present significant remote code execution risks due to insufficient security. Researchers found 7.23 million observations and highlighted a core of 23,000 persistent hosts, with many capable of executing code and interacting with external systems, heightening threat levels. Security risks include resource hijacking, spam, and prompt injection attacks, particularly as many hosts lack adequate monitoring. The global infrastructure complicates traditional governance, necessitating improved security measures for edge-deployed AI models.

https://cyberpress.org/175k-exposed-ollama-hosts-allow-remote-code-execution/

OpenSourceMalware.com

, , , ,

Extreme TLDR:
14 malicious ClawdBot skills, posing as crypto trading tools, distribute malware targeting ByBit, Polymarket, and others. Skills leverage social engineering for credential theft on macOS and Windows. They exploit a lack of security in ClawHub, using deceptive documentation to trick users into executing harmful commands. The campaign relies on a centralized C2 infrastructure for data theft, with multiple skills still available online.

https://opensourcemalware.com/blog/clawdbot-skills-ganked-your-crypto

Can’t Stop, Won’t Stop: TA584 Innovates Initial Access

,

TA584 Cyber Threat Overview: TA584 is a prominent threat actor monitored by Proofpoint, known for rapid innovation in attack strategies. In 2025, it evolved its tactics, employing ClickFix social engineering, targeting various regions, and introducing new malware (Tsundere Bot). This actor showed a significant increase in campaign frequency, tripling monthly attacks by year's end, with a focus on quick campaign turnover and a variety of delivery methods. Its recent approach contrasts earlier patterns, highlighting its adaptability to cybersecurity defenses.

https://www.proofpoint.com/us/blog/threat-insight/cant-stop-wont-stop-ta584-innovates-initial-access

Aisuru Botnet Sets New Record With 31.4 Tbps DDoS Attack

,

Aisuru botnet set a record with a 31.4 Tbps DDoS attack, targeting telecoms and IT firms. Cloudflare mitigated this “Night Before Christmas” attack, which peaked at 200 million requests per second. The botnet, leveraging compromised devices, continues to increase DDoS incidents, with a 121% rise in attacks over 2025.

https://www.bleepingcomputer.com/news/security/aisuru-botnet-sets-new-record-with-314-tbps-ddos-attack/

Clawdbot’s Rename to Moltbot Sparks Impersonation Campaign

,

AI assistant Clawdbot was renamed Moltbot due to trademark issues, leading to impersonation campaigns. Attackers exploited the transition by creating typosquat domains and a cloned, clean code GitHub repository to mislead users, aiming for potential supply-chain attacks. Despite no immediate malware, the impersonation strategy relies on trust, risking users' API keys and data over time. Users are advised to verify sources and maintain scrutiny during transitions, while maintainers should preemptively secure domains and manage renames carefully.

https://www.malwarebytes.com/blog/threat-intel/2026/01/clawdbots-rename-to-moltbot-sparks-impersonation-campaign

Operation Bizarre Bazaar: First Attributed LLMjacking Campaign With Commercial Marketplace Monetization

,

Pillar Security introduces RedGraph, the first attack surface mapping and continuous testing platform for AI agents, providing visibility and security for AI infrastructures. The platform addresses rising threats identified in “Operation Bizarre Bazaar,” an orchestrated campaign focused on exploiting exposed AI systems for unauthorized access and resale on digital marketplaces. Key risks include compute theft, data exfiltration, and lateral movement within networks. Recommendations for mitigation involve enabling authentication, auditing server exposure, and implementing strict security controls. The ongoing threat necessitates transparency and proactive defense measures in AI environments.

https://www.pillar.security/blog/operation-bizarre-bazaar-first-attributed-llmjacking-campaign-with-commercial-marketplace-monetization

Two High-Severity N8n Flaws Allow Authenticated Remote Code Execution

Two high-severity vulnerabilities in the n8n workflow automation platform could lead to remote code execution by authenticated users. Discovered by JFrog Security Research, these vulnerabilities include CVE-2026-1470 (eval injection, CVSS 9.9) and CVE-2026-0863 (Python task executor bypass, CVSS 8.5). Exploiting these flaws may allow attackers to gain full control of n8n instances, especially in internal execution mode. Users are advised to update to specific safe versions to mitigate these risks.

https://thehackernews.com/2026/01/two-high-severity-n8n-flaws-allow.html

Cyberattack on Poland’s Power Grid Hit Around 30 Facilities, New Report Says

Cyberattack on Poland's power grid affected ~30 facilities. Attributed to Russian group Sandworm, the attack compromised control systems but did not disrupt power supply. Researchers noted hackers accessed key operational tech but clarity on intent is lacking. This highlights vulnerabilities in distributed energy systems, which are now targeted by sophisticated adversaries.

https://therecord.media/poland-electrical-grid-cyberattack-30-facilities-affected

Malicious PyPI Packages Spellcheckpy and Spellcheckerpy Deliver Python RAT

, , ,

Malicious PyPI packages spellcheckpy and spellcheckerpy impersonated the legitimate pyspellchecker, embedding a base64-encoded payload that executes a Python Remote Access Trojan (RAT) when imported. Initially dormant, the payload would extract and execute upon the new version's trigger. This RAT, with dual-layer XOR encryption, facilitates remote control, evading detection, and employs a command and control server historically linked to malicious activity. Connections to earlier similar attacks suggest a recurring threat actor.

https://www.aikido.dev/blog/malicious-pypi-packages-spellcheckpy-and-spellcheckerpy-deliver-python-rat

FBI Seizes RAMP Cybercrime Forum Used by Ransomware Gangs

,

FBI seized RAMP, a cybercrime forum used by ransomware gangs, displaying a seizure notice on its Tor and clearnet sites. The action, coordinated with the Justice Department, provides access to user data, potentially identifying criminals. The forum, launched in 2021 after restrictions on ransomware promotion elsewhere, was managed by Mikhail Matveev, linked to multiple ransomware operations. Forum operators lamented the loss, and this seizure reflects ongoing law enforcement efforts against cybercrime.

https://www.bleepingcomputer.com/news/security/fbi-seizes-ramp-cybercrime-forum-used-by-ransomware-gangs/

Scroll to Top