ALL POSTS

Key Findings China-linked hacking group UNC6201 has been exploiting a zero-day vulnerability (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines since at least 2024. The vulnerability is a hardcoded credential flaw that allows unauthenticated remote attackers to gain administrator-level access to affected systems. Hackers have used this access to deploy a novel backdoor malware called GrimBolt, which is more advanced and harder to detect than the previously used Bricks

Key Findings A suspected China-linked APT group, UNC6201, has been exploiting a critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines since mid-2024. The vulnerability, tracked as CVE-2026-22769, has a CVSS score of 10.0 and involves hardcoded credentials that can be abused to gain unauthorized access and root-level persistence. The group has used the flaw to move laterally, maintain persistence, and deploy malware including SLAYSTYLE, BRICKSTORM, and a no

Key Findings Cybersecurity researchers have demonstrated that AI assistants with web browsing or URL fetching capabilities, such as Microsoft Copilot and xAI Grok, can be abused as covert command-and-control (C2) relays by attackers. This technique allows attackers to blend their malicious communications into legitimate-looking AI assistant traffic, making detection and blocking significantly more challenging. The attack method, dubbed "AI as a C2 proxy," leverages the web ac

Key Findings SmartLoader hackers cloned a legitimate Oura MCP (Model Context Protocol) server and built a deceptive infrastructure of fake forks and contributors to make the project appear credible. The trojanized version of the Oura MCP server delivers the StealC information stealer, targeting developer credentials, browser passwords, and cryptocurrency wallets. This campaign signals a significant shift in the threat landscape, with traditional supply chain attackers now piv

Key Findings Cybersecurity researchers have uncovered a new information stealer that exfiltrated a victim's OpenClaw configuration environment. The incident marks a significant evolution in infostealer behavior, transitioning from stealing browser credentials to targeting the identities, settings, and "digital souls" of personal AI agents. The stolen files included openclaw.json with gateway tokens, device.json containing private cryptographic keys, and "soul" and memory file

Key Findings Microsoft warns of a new ClickFix variant that tricks users into running a malicious nslookup command through the Windows Run dialog to retrieve a second-stage payload via DNS. Attackers use cmd.exe to perform a DNS lookup against a hard-coded external server, and the `Name:` response is extracted and executed as the second-stage payload. This DNS-based approach allows attackers to signal and deliver payloads via their own infrastructure, reducing reliance on web

Key Findings Microsoft has disclosed details of a new version of the ClickFix social engineering tactic that uses DNS lookups to retrieve malware payloads. The attack tricks users into running commands through the Windows Run dialog that perform a DNS lookup to an external server controlled by the attackers. The DNS response is then executed as the second-stage payload, allowing the threat actors to reach infrastructure under their control and establish a new validation layer

Key Findings Google Threat Intelligence Group (GTIG) has identified a previously undocumented threat actor, possibly affiliated with Russian intelligence services, that has been targeting Ukrainian organizations with the CANFAIL malware. The threat actor has primarily targeted defense, military, government, and energy organizations within the Ukrainian regional and national governments, but has also shown growing interest in aerospace, manufacturing with military/drone ties,

Key Findings DKnife is a Linux-based toolkit used since 2019 to hijack router traffic and deliver malware in cyber-espionage attacks The toolkit is designed for deep packet inspection, traffic manipulation, credential harvesting, and malware delivery DKnife has been linked to China-nexus threat actors with high confidence The toolkit targets Chinese-speaking users, stealing credentials from Chinese services and popular Chinese apps DKnife hijacks software downloads and Androi

Key Findings DKnife is a gateway-monitoring and adversary-in-the-middle (AitM) framework operated by China-nexus threat actors since at least 2019 It comprises seven Linux-based implants designed for deep packet inspection, traffic manipulation, and malware delivery via routers and edge devices The framework's primary targets appear to be Chinese-speaking users, based on the presence of credential harvesting phishing pages for Chinese email services and exfiltration modules f

Key Findings: Microsoft warns that info-stealing attacks are "rapidly expanding" beyond Windows to target Apple macOS environments. Attackers are leveraging cross-platform languages like Python and abusing trusted platforms to distribute infostealer malware at scale. Background Since late 2025, Microsoft has observed macOS-targeted infostealer campaigns using social engineering techniques such as ClickFix-style prompts and malicious DMG installers. These campaigns deploy macO

Key Findings Notepad++ update infrastructure was compromised from June to December 2025 Attackers rotated C2 server addresses, downloaders, and final payloads over 4 months Attacks targeted individuals, government, financial, and IT organizations in various countries Kaspersky solutions were able to block the identified attacks as they occurred Background On February 2, 2026, the developers of Notepad++, a popular text editor among developers, published a statement claiming t

Key Findings Threat actors have been observed exploiting a critical security flaw, CVE-2025-11953, impacting the Metro Development Server in the popular "@react-native-community/cli" npm package. The vulnerability, also known as "Metro4Shell," allows remote unauthenticated attackers to execute arbitrary operating system commands on the underlying host. VulnCheck, a cybersecurity company, first observed the exploitation of this flaw on December 21, 2025, with a CVSS score of 9

Key Findings China-based espionage group Lotus Blossom compromised the internal systems of Notepad++, a popular open-source code editor, for nearly six months starting in June 2025. The group deployed various payloads, including a custom backdoor, to selectively spy on a limited set of Notepad++ users' activities. The campaign showcased resilience and stealth tradecraft, but did not result in a mass compromise of all Notepad++ users. The attackers exploited "insufficient upda

Key Findings The maintainer of Notepad++ has revealed that state-sponsored attackers hijacked the utility's update mechanism to redirect update traffic to malicious servers. The attack involved an infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org. The compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself. The incident is assessed to

Arsink Spyware Posing as WhatsApp, YouTube, Instagram, TikTok Hits 143 Countries Key Findings Arsink is a dangerous Android Trojan that impersonates over 50 popular brands, including WhatsApp, YouTube, Instagram, and TikTok The malware has infected over 45,000 devices across 143 countries, with major clusters in Egypt, Indonesia, and Iraq Arsink grants hackers complete remote control, allowing them to record audio, read text messages, and wipe devices Background A massive new

Key Findings A malicious Microsoft Visual Studio Code (VS Code) extension named "ClawdBot Agent - AI Coding Assistant" has been discovered on the official Extension Marketplace. The extension claims to be a free artificial intelligence (AI) coding assistant for the popular open-source project Moltbot, but it stealthily drops a malicious payload on compromised hosts. The extension was published by a user named "clawdbot" on January 27, 2026 and has since been taken down by Mic

Key Findings Android game mods bundled with "Android.Phantom" malware hijack devices for covert ad fraud Malware operates in two modes - "phantom" mode for automated ad interaction and remote control mode for real-time device control Uses machine learning techniques to mimic user behavior and avoid detection Spreads through unofficial app stores and third-party sources, not the official Google Play Store Affects popular game titles with high download counts, making it difficu

Key Findings: Ongoing campaign targeting Indian users with a multi-stage backdoor as part of a suspected cyber espionage operation Phishing emails impersonating the Income Tax Department of India to trick victims into downloading a malicious archive Malware known as Blackmoon (aka KRBanker) and a legitimate enterprise tool called SyncFuture TSM used as the final payload Sophisticated attack involving anti-analysis, privilege escalation, DLL sideloading, commercial-tool repurp

Key Findings Symantec and VMware Carbon Black researchers have uncovered a new ransomware strain called Osiris, used in a November 2025 attack against a major Southeast Asian food service franchise operator. Osiris leverages the POORTRY driver in a bring-your-own-vulnerable-driver (BYOVD) attack to disable security software on targeted systems. The new ransomware has full-featured capabilities, including the ability to stop services and processes, select files and folders to