Daily Recap, China-linked APT UAT-9244 targets South American telcos, deploying new malware families TernDoor, PeerTime, and BruteEntry across Windows, Linux and edge devices. Iranian-nexus actors weaponize exposed IP cameras (Hikvision, Dahua) for real-time reconnaissance supporting missile operations and battle-damage assessment, while a multi-stage BadPaw campaign targets Ukraine with ZIP/HTA delivery and the MeowMeowProgram backdoor. #UAT-9244 #TernDoor #PeerTime #BruteEntry #Hikvision #Dahua #MeowMeowProgram #BadPaw #Ukraine #IPCamera #Tycoon #LastPass #Phobos #OpenClaw #LeakBase #HungerRush
Category: Daily Recap
Daily Recap, a multi-vector campaign by state-aligned actors and hacktivists is escalating after allied strikes, with claimed intrusions and a plunge in Iranian connectivity to 1–4% that raises supply-chain and high-value target risks. In notable developments, SloppyLemming targeted Pakistan, Bangladesh and Sri Lanka with BurrowShell and Excel keyloggers; APT28 is linked to the CVE-2026-21513 MSHTML zero-day; breaches at the University of Hawaiʻi Cancer Center and Madison Square Garden were disclosed, while TPMS privacy tracking and Singapore router security efforts illustrate broader defensive trends. #SloppyLemming #BurrowShell #APT28 #MSHTML #CVE2026-21513 #UH #MSG #TPMS #SingaporeRouters #MerkleTreeCerts #GTA
Daily Recap, North Korean actors published 26 steganographic npm packages (StegaBin) that pull Vercel-hosted C2s from Pastebin to deploy credential stealers and a RAT, while APT37 expanded tooling with LNKs and implants (Restleaf, ThumbSBD, VirusTask, FootWine) to bridge air-gapped systems via USB and Zoho WorkDrive C2s. CISA warns RESURGE remains dormant on Ivanti Connect Secure devices (CVE-2025-0282) with ECC encryption, forged TLS certs, SSH tunnels and traffic fingerprinting for covert persistence. A separate malicious campaign delivers a RAT via trojanized gaming utilities (Xeno.exe, RobloxPlayerBeta.exe) connecting to C2 79.110.49.15 for data theft and follow-up payloads, and ClawJacked fixes tighten WebSocket checks to block localhost brute-force abuse. #StegaBin #APT37 #RESURGE #IvantiConnectSecure #CVE20250282 #XenoExe #RobloxPlayerBetaExe #ClawJacked #OpenClaw #VAL4K
Cybersecurity Threat Research ‘Weekly’ Recap highlights burgeoning risks from agentic AI in SOCs, OpenClaw backdoors, and AI‑augmented malware experiments, spanning supply‑chain abuse, developer‑targeting campaigns, phishing, and OT/edge security implications. It catalogs notable actors and families—OpenClaw, SURXRAT, Moonrise, Winos 4.0, Lazarus/Medusa, APT36, APT37, GRIDTIDE, UNC2814, MuddyWater—and techniques from StegaBin steganography to Go module backdoors and AI‑assisted detection engineering. #OpenClaw #AMOS #SURXRAT #Moonrise #Winos4.0 #Lazarus #Medusa #APT36 #APT37 #GRIDTIDE #MuddyWater #StegaBin #XWorm #DcRAT
Daily Recap, North Korea-linked operators use removable drives and Zoho WorkDrive C2 in the Ruby Jumper campaign to deploy RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK and FOOTWINE to bridge air-gapped networks and exfiltrate data. The recap also covers MuddyWater’s Rust-based payload for patient espionage, RESURGE on Ivanti Connect Secure with CVE-2025-0282, widespread FreePBX web shells after CVE-2025-64328, Apex One RCE patches, and policy actions around Anthropic, EU youth safeguards, Samsung ACR privacy, and other related incidents. #RubyJumper #ZohoWorkDrive #RESTLEAF #SNAKEDROPPER #THUMBSBD #VIRUSTASK #FOOTWINE #ScarCruftUSB #MuddyWater #nomercys_it #RESURGE #IvantiConnectSecure #CVE-2025-0282 #FreePBX #CVE-2025-64328 #SangomaFreePBX #ApexOne #ApexOneRCE #TrendMicro #Anthropic #Trump #EUYouthRules #SamsungACR #ManoManoBreach #OnlyFake #Predator #Oblivion #InsiktGroup #OperationZero
Daily Recap, governance and policy shifts are tightening security posture in the UK with a Vulnerability Monitoring Service and a refreshed Cyber Profession that cut fix times from ~50 days to 8 and reduced critical backlog by 75%, alongside DNS risk management, while EU NIS2 and Ireland’s National Cyber Security Bill push senior-management accountability under Article 20. Threat trends point to AI-driven attacks, ransomware evolution, phishing surges, and cloud misconfigurations, with 32 million high-confidence phishing emails detected in 2025 and identity-focused breaches via Microsoft 365, alongside targeted developer attacks using Claude Code flaws and Gambit Security-funded campaigns, and high-impact network exploits like Cisco SD-WAN CVE-2026-20127 and MFA bypass through Infostealer-driven SSO campaigns. Notable incidents affect Hazeldenes and UFP Technologies, and Valve faces legal action over loot boxes in Counter-Strike 2, Team Fortress 2, and Dota 2. #UAT-8616 #CiscoSD-WAN #CVE2026-20127 #Microsoft365 #ClaudeCode #GambitSecurity #Valve #CounterStrike2 #TeamFortress2 #Dota2 #Hazeldenes #UFPTechnologies #Infostealer #F5BIGIP #SSO #MFA
Daily Recap, U.S. sanctions target Operation Zero and its owner Sergey Zelenyuk after investigators found the broker bought stolen zero‑day exploits from a jailed ex-L3Harris exec, Peter Williams, whose theft caused $35 million in losses and asset forfeiture. The update also covers evolving threats like SURXRAT and ArsinkRAT with OpenClaw’s hype around a plugin market that could enable poisoned modules, plus recent breaches involving Marquis and SonicWall’s cloud backups and UFP Technologies, alongside fixes for Zyxel CVE-2025-13942 and Microsoft Windows 11 KB5077241. #OperationZero #SergeyZelenyuk #PeterWilliams #ZeroDayTheft #SURXRAT #ArsinkRAT #OpenClaw #CVE-2026-25253 #SonicWall #Marquis #UFPTechnologies #Zyxel #CVE-2025-13942 #KB5077241 #Windows11
Daily Recap, Arkanix Stealer surfaced in October 2025 and disappeared by December 2025, packing infostealing capabilities and post-exploit tools like ChromElevator to harvest system, credentials, VPN, and crypto-wallet data. The rest of the recap covers a VMware Aria Operations patch for CVE-2026-22719, Copilot data controls via Purview DLP, a CarGurus breach claimed by ShinyHunters, Reddit’s ICO fine, FBI actions against Southeast Asia scam networks, and Tim Youngblood’s CISO‑in‑residence advisory work. #ArkanixStealer #ChromElevator #VMwareAriaOperations #CVE-2026-22719 #Microsoft365Copilot #PurviewDLP #AugLoop #CarGurus #ShinyHunters #Reddit #FBI #TimothyYoungblood
Daily Recap, CISA warns that two patched Roundcube Webmail flaws (CVE-2025-49113 and CVE-2025-68461) are actively exploited, prompting federal agencies to patch within three weeks and exposing tens of thousands of internet-facing instances tied to Winter Vivern (TA473) and APT28. Arkanix Stealer has emerged as a short-lived, AI-assisted info-stealer with modular Python and protected C++ builds that exfiltrated data from browsers, wallets, messengers, and games; researchers have published IoCs, and a threat-research hub tracks the Weekly Recap for 22 Feb 2026. #WinterVivern #ArkanixStealer
Daily Recap, the week highlighted active exploitation of Roundcube vulnerabilities (CVE-2025-49113, CVE-2025-68461) and a BeyondTrust CVE-2026-1731 pre-auth RCE used in ransomware campaigns delivering SparkRAT and VShell, along with IoT and other critical flaws affecting devices like Jinan USR IOT PUSR USR-W610 and Welker OdorEyes controllers. Data breaches and fraud surged with PayPal exposing user data for about six months and the FICOBA breach impacting roughly 1.2 million accounts, while AI and security research advanced with Claude Code Security and NIST’s quantum-chip progress. #Roundcube #BeyondTrust #SparkRAT #VShell #USR_W610 #WelkerOdorEyes #PayPal #FICOBA #Advantest #ClaudeCodeSecurity #ECCouncil #NIST #QuantumChip #Coretax #GigabudRAT #MMRat #RemcosRAT #NKLaptopScheme #OregonBreach #ShiftNightmare
Cybersecurity Threat Research ‘Weekly’ Recap: This overview highlights infostealers, RATs, supply-chain and CI/AI toolchain compromises, vulnerabilities, ransomware activity, and phishing campaigns, featuring notable actors and families such as CharlieKirk, XWorm, SANDWORM_MODE, QakBot, and Lynx. It also emphasizes trends like AI-driven C2 abuse, adaptive phishing via Telegram, firmware and mobile backdoors, and notable incidents involving Dell RecoverPoint, Ivanti EPMM, BeyondTrust, and SolarWinds WHD. #CharlieKirk #ArkanixStealer #MIMICRAT #ClickFix #LunarApplication #XWorm #TrustConnect #DocConnect #Foxveil #GrayCharlie #AtlassianJira #SANDWORM_MODE #Notepad++ #LotusBlossom #Chrysalis #UNC6201 #DellRecoverPoint #BeyondTrust #IvantiEPMM #SolarWindsWHD #IngressNGINX #QakBot #SinobiRansomware #LynxRansomware #Keenadu #Velociraptor #Cloudflared #DaisyCloud #Redline
Daily Recap, Android and AI malware like PromptSpy are using Gemini at runtime to control UI actions, deploy a VNC module, steal unlock credentials, and prevent uninstallation. Infostealers are becoming key entry points linked to Bitter APT, Volt Typhoon remains embedded in US utilities, and ransomware incidents target Advantest and tribal services, highlighting ongoing risks to critical infrastructure and government services. #PromptSpy #VoltTyphoon
Daily Recap, today’s briefing covers a surge of mobile threats led by PromptSpy leveraging Google Gemini for Android phishing in Argentina, along with Massiv banking malware and Keenadu infections spanning Russia, Japan, Germany, Brazil and the Netherlands. The update also highlights critical CVEs in Dell RecoverPoint for VMs, several VS Code extensions, Grandstream GXP1600 and Honeywell CCTV, notable breaches like Figure and ScreenConnect hijacks, the evolving use of surveillance tools, and recent enforcement actions such as Red Card 2.0, with AI governance and security funding developments shaping the broader cyber landscape. #PromptSpy #Gemini #Argentina #Massiv #ChaveMovelDigital #Keenadu #Russia #Japan #Germany #Brazil #Netherlands #BRICKSTORM #GRIMBOLT #DellRecoverPointForVMs #VSCode #Grandstream #Honeywell #SmarterMail #Figure #ScreenConnect #VoltTyphoon #Cellebrite #Predator #TPLink #EX1227432 #Copilot #Grok #RedCard2
Daily Recap, the latest cyber threats cover exploited zero-days like Dell RecoverPoint CVE-2026-22769 used by UNC6201 to deploy GRIMBOLT/SLAYSTYLE with Ghost NICs, and a spectrum of high-impact flaws, supply-chain breaches, and targeted espionage campaigns. The recap also notes active exploitation of TeamT5 CVE-2024-7694, Ivanti EPMM backdoors bypassing patches, Keenadu firmware backdoors, CrescentHarvest espionage, and AI/Cloud risks including Copilot as C2 and Grok deepfakes, plus notable data leaks and enforcement actions. #UNC6201 #GRIMBOLT #SLAYSTYLE #DellRecoverPoint #TeamT5 #IvantiEPMM #Keenadu #CRESCENTHARVEST #Copilot #Grok #Eurail #Cellebrite #DavaIndia #Notepad++ #Chrysalis #PaloAltoNetworks #Koi #VulnCheck
Daily Recap, the bulletin highlights the Keenadu Android backdoor embedded in firmware and Google Play apps, a Lazarus-linked graphalgo campaign delivering a RAT, and APT28’s MacroMaze operation targeting Western and Central European governments. It also notes Eurail data breaches, Figure’s data exposure after an employee phishing attack, and governance probes like Grok, along with key vulnerabilities such as CVE-2026-2441 and patch guidance for Chrome, as well as passkeys and ISO 27001 considerations. #Keenadu #graphalgo #Lazarus #MacroMaze #Eurail #Figure #Grok #ShinyHunters #CVE20262441 #Phobos #LAPSUS$ #OperationAether #X