Cybersecurity News | Daily Recap [16 Feb 2026]

Daily Recap: researchers report a live ClawdBot infection that exfiltrates OpenClaw configurations (including private keys), enabling AI‑agent impersonation, while CTM360 warns of a global campaign distributing Lumma Stealer and a trojanized Ninja Browser via Google Groups and weaponized ad fraud. Patch alerts follow: BeyondTrust CVE-2026-1731 requires patching within 3 days, Google Chrome’s high‑severity zero‑day CVE-2026-2441 is fixed across platforms, Windows 11 boot issues are addressed by KB5077181, Lotus Blossom hijacks Notepad++ updates to deploy Chrysalis and Cobalt Strike in high‑value targets, and VoidLink campaigns affect the technology and financial sectors alongside ShinyHunters’ Canada Goose data leak. #ClawdBot #OpenClaw #LummaStealer #NinjaBrowser #ModeloRAT #NotepadPlusPlus #Chrysalis #CobaltStrike #LotusBlossom #VoidLink #ShinyHunters #CanadaGoose #BeyondTrust #ChromeZeroDay

Cybersecurity News | Daily Recap [16 Feb 2026]

Daily Recap: fake recruiters distribute a modular RAT named Graphalgo, attributed to Lazarus (North Korea), that enables MetaMask theft, token-protected C2, remote command execution and data exfiltration across 192 packages. MacSync is promoted via ClickFix campaigns that abuse Claude artifacts and Google Ads to coax macOS users into pasting shell commands that install the MacSync infostealer, with multiple variants sharing C2 infrastructure, while Louis Vuitton, Christian Dior Couture, and Tiffany were fined $25 million for breaches tied to ShinyHunters exploiting Salesforce SaaS access. #Graphalgo #ShinyHunters

Threat Research | Weekly Recap [08 Feb 2026]

Cybersecurity Threat Research ‘Weekly’ Recap: the report surveys supply-chain compromises, ransomware/defense evasion, infostealers, targeted espionage, cloud and identity threats, phishing, vulnerabilities and detection, labs automation and resilience guidance. It highlights notable campaigns and families such as the Notepad++ supply-chain attack, GlassWorm on Open VSX, dYdX npm/PyPI abuse, DYNOWIPER in Polish energy, Black Basta kernel-driver evasion, SonicWall SSLVPN intrusion, APT28 and Shadow Campaigns, Amaranth-Dragon, Transparent Tribe, Stan Ghouls, Prometei, ShinyHunters, NGOSS and ZHGUI breaches, plus attempts at web-infra abuse (Quest KACE, NGINX hijacking, CrashFix/ClickFix) and AI-assisted cloud intrusion via Amazon Bedrock. #NotepadPlusPlus #GlassWorm #OpenVSX #dYdX #DYNOWIPER #BlackBasta #SonicWall #APT28 #ShadowCampaigns #AmaranthDragon #TransparentTribe #StanGhouls #Prometei #ShinyHunters #NGOSS #ZHGUI #QuestKACE #CrashFix #ClickFix #GOAD #NGINX #Baota #AmazonBedrock #DetectionsAsCode

Cybersecurity News | Daily Recap [16 Feb 2026]

Daily Recap: BridgePay confirms a ransomware attack that knocked core payment systems offline, causing a nationwide outage and forcing some merchants to accept cash while the FBI and other agencies investigate. Attacks span academia and government, including Spain’s Ministry of Science data leaks linked to GordonFreeman and the BabLock/Femwar02 attack that took La Sapienza offline, affecting about 112,500 students, plus AI-enabled threat discussions and privacy concerns around surveillance tools. #BridgePay #BabLock

Cybersecurity News | Daily Recap [16 Feb 2026]

Daily Recap: exposed test credentials in a public S3 bucket allowed an attacker to gain full admin control of an AWS environment in 8 minutes via Lambda code injection and privilege escalation, while Google Looker vulnerabilities enabled RCE and data exfiltration in cloud instances and self-hosted deployments. The recap also covers the Harvard Alumni data breach tied to ShinyHunters, the Panera data exposure, the Incognito Market operator’s 30-year sentence, rising ransomware activity from Qilin and CL0P, and notable nation-state and cyberespionage campaigns such as Lotus Blossom and Amaranth Dragon. #ShinyHunters #HarvardAlumni #PaneraBread #IncognitoMarket #Qilin #CL0P #LotusBlossom #AmaranthDragon #TRMLabs #AWS #Looker

Cybersecurity News | Daily Recap [16 Feb 2026]

Daily Recap: patches and active exploitation are underway for several critical flaws, including the Metro4Shell vulnerability (CVE-2025-11953) delivering PowerShell loaders, the vLLM RCE via malicious video URLs affecting millions of AI servers, and Foxit PDF Editor XSS bugs requiring immediate updates and mitigations. Additionally, Iran-linked APT42 used social engineering to deploy the fileless TAMECAT backdoor; Mountain View shut down Flock Safety ALPR cameras after unauthorized searches; Lakelands Health disclosed a cyberattack with no patient data exposure; Grok investigations in France prompted a raid; and RADICL and RapidFort secured funding to boost threat detection and software supply-chain security. #Metro4Shell #vLLMRCE #FoxitXSS #APT42 #TAMECAT #MountainView #FlockSafety #LakelandsHealth #Grok #Europol #FranceBan #RADICL #RapidFort

Cybersecurity News | Daily Recap [16 Feb 2026]

Daily Recap: attackers hijacked an OpenVSX publisher to push the GlassWorm macOS infostealer via malicious extension updates and Notepad++ update tampering, while researchers uncovered 341 ClawHub skills, an OpenClaw one-click RCE stemming from a critical token-exfiltration bug (CVE-2026-25253), and MoltBot being used to push password-stealing malware across developer ecosystems. The Microsoft section notes APT28 exploiting CVE-2026-21509 to deploy the Covenant loader, NTLM being phased out in favor of Kerberos, and a Windows shutdown bug affecting Windows 11 and 10 with a temporary workaround. ShinyHunters expanded extortion to vishing and MFA-credential harvesting alongside the PaneraBread breach, and destructive attacks hit Polish energy sites via Fortinet devices, while Mozilla adds an AI controls panel in Firefox and policy moves toward stronger age verification and platform oversight. #GlassWorm #OpenVSX #Notepad++ #ClawHub #OpenClaw #MoltBot #AtomicStealer #CVE-2026-25253 #CVE-2026-21509 #APT28 #CovenantLoader #NTLM #Kerberos #PaneraBread #ShinyHunters #Sandworm #PolandGrid #Fortinet #Firefox #VirtualSecureMode

Cybersecurity News | Daily Recap [16 Feb 2026]

Daily Recap: Britain and Japan agreed to deepen a cyber strategic partnership to boost cybersecurity and secure critical mineral supply chains, while India unveiled a long-term digital strategy in Union Budget 2026–27 prioritizing AI, cloud, semiconductors, data centers and integrated cybersecurity, including a tax holiday until 2047 to attract foreign cloud providers. The roundup also highlights a spate of incidents, from piracy takedowns in Bulgaria to MongoDB data extortion involving over 1,400 databases, the OpenVSX supply-chain attack delivering the GlassWorm loader that exfiltrates macOS credentials, a multi-stage eScan compromise, UAT-8099 region-locked BadIIS campaigns, the NationStates data breach, Microsoft planning NTLM deprecation in favor of Kerberos, and the rise of autonomous threat tooling led by OpenClaw, Moltbook and Molt Road. #GlassWorm #OpenVSX #eScan #UAT-8099 #BadIIS #NationStates #NTLM #Kerberos #OpenClaw #Moltbook #MoltRoad #MongoDB #macOS #Solana #EtherHiding

Threat Research | Weekly Recap [08 Feb 2026]

Cybersecurity Threat Research ‘Weekly’ Recap: a sweeping roundup covers ransomware, Android threats, fileless tools, nation-state campaigns, cloud abuse, browser extension hijacks, supply-chain incidents, AI governance risks, and defensive improvements. It highlights actor-tool pairs and campaigns such as LockBit5.0, BravoX, Amnesia RAT, Arsink RAT, PlayCloak, PureRAT, PyRAT, GOGITTER, GITSHELLPAD, SheetCreep, VSCode tunnel, DarkSpectre, PayTool, SquarePhish2 and Graphish, among others. #LockBit5_0 #BravoX #AmnesiaRAT #ArsinkRAT #PlayCloak #PureRAT #PyRAT #GOGITTER #GITSHELLPAD #SheetCreep #VSCodeTunnel #DarkSpectre #PayTool #SquarePhish2 #Graphish

Cybersecurity News | Daily Recap [16 Feb 2026]

Daily Recap: a December 2025 campaign used default credentials to expose FortiGate VPNs and misconfigured OT devices, compromising about 30 Polish wind and solar sites, exfiltrating credentials, and deploying wipers linked to Static Tundra and DynoWiper with ties to Electrum and Sandworm. The recap also covers Ivanti EPMM zero-days (including CVE-2026-1281) exploited in the wild, SolarWinds Web Help Desk patches, Windows 11 boot failures after the December 2025 update, exposure of Ollama hosts and Hugging Face abuse, and notable disruptions and breaches such as the IPIDEA takedown, the Match Group leak, the Marquis/SonicWall incident, and CNIL’s €5 million fine. #FortiGate #StaticTundra #DynoWiper #Electrum #Sandworm #Ivanti #CVE-2026-1281 #WebHelpDesk #Windows11 #Ollama #HuggingFace #IPIDEA #MatchGroup #SonicWall #Marquis #CNIL

Cybersecurity News | Daily Recap [16 Feb 2026]

Daily Recap: a wave of critical flaws, including n8n CVE-2026-1470/0863 enabling authenticated remote code execution and extensive updates across builds, alongside KEV catalog additions (Microsoft Office CVE-2026-21509, GNU InetUtils, SmarterMail, Linux kernel), highlights widespread risk across software, networks and OT. In parallel, state-backed and criminal groups continue weaponizing legacy flaws (WinRAR CVE-2025-8088 with UNC4895/RomCom, APT44, Turla), LLM/MCP abuses (Operation Bizarre Bazaar), C2 abuse (Sheet Attack), exposed AI tools (Bondu Panel, ChatGPT) and infrastructure attacks (IPIDEA takedown, Poland grid disruption), underscoring the need for resilient, AI-assisted defenses. #n8n #OperationBizarreBazaar

Cybersecurity News | Daily Recap [16 Feb 2026]

Daily Recap: the day’s cybersecurity news shows ongoing exploitation of the WinRAR CVE-2025-8088 by nation-state and criminal groups to drop silent payloads into Windows Startup folders. It also highlights high-severity flaws such as Grist Core RCE in Pyodide, React2Shell deserialization, and a Fortinet FortiOS SSO bypass, among other attacks, underscoring urgent patching and proactive defense. #WinRAR #React2Shell

Cybersecurity News | Daily Recap [16 Feb 2026]

Daily Recap: emergency fixes have been issued for Microsoft’s Office zero-day CVE-2026-21509 and a critical VMware vCenter DCERPC flaw (CVE-2024-37079) that attackers are already exploiting, with patches and mitigations urging rapid remediation. The roundup also highlights Dormakaba Exos flaws enabling remote door access, the Stanley malware-as-a-service for Chrome extensions, the Amatera infostealer delivered via in-memory PowerShell with the ClickFix method, extortion-linked data breaches at Nike and by ShinyHunters, a Sandworm-linked DynoWiper attempt against Poland’s power grid, a Cloudflare BGP leak, and regulatory actions around Grok, AI privacy and platform governance. #OfficeZeroDay #CVE-2026-21509 #VMwareVCenter #CVE-2024-37079 #DormakabaExos #StanleyService #Amatera #DynoWiper #Sandworm #PolandPowerGrid #Nike #WorldLeaks #ShinyHunters #Cloudflare #BGPLeak #Grok #X

Cybersecurity News | Daily Recap [16 Feb 2026]

Daily Recap: VMware’s critical vCenter remote code execution flaw (CVE-2024-37079) is actively exploited, with federal agencies ordered to patch within three weeks after a June 2024 DCERPC heap-overflow fix. 1Password adds auto-enabled phishing warnings to curb credential theft amid rising AI-amplified phishing risks, while Microsoft investigates Windows 11 boot failures due to UNMOUNTABLE_BOOT_VOLUME in KB5074109 affecting 25H2 and 24H2, with separate OOB fixes for Outlook PST cloud freezes, and HendryAdrian’s daily threat recap provides a weekly summary. #VMware #CVE-2024-37079

Threat Research | Weekly Recap [08 Feb 2026]

Cybersecurity Threat Research ‘Weekly’ Recap: the report highlights AI‑generated malware frameworks like VoidLink, AI‑driven KONNI backdoors, real‑time LLM‑assembled phishing, and evolving ransomware such as AnubisRaaS and Osiris, alongside supply‑chain and watering‑hole compromises across multiple industries. It also covers state‑sponsored espionage, credential theft campaigns, and defensive insights for detection, telemetry, and incident response. #VoidLink #KONNI #AnubisRaaS #Osiris #CharmingKitten #APT28 #PurpleBravo #Evelyn
