Cybersecurity News | Daily Recap [02 Mar 2026]

Daily Recap: North Korean actors published 26 steganographic npm packages (StegaBin) that pull Vercel-hosted C2s from Pastebin to deploy credential stealers and a RAT, while APT37 expanded its tooling with malicious LNK files and implants (Restleaf, ThumbSBD, VirusTask, FootWine) to bridge air-gapped systems via USB and Zoho WorkDrive C2s. CISA warns that RESURGE can remain dormant on Ivanti Connect Secure devices (CVE-2025-0282), using ECC encryption, forged TLS certificates, SSH tunnels and traffic fingerprinting for covert persistence. A malicious campaign delivers a RAT via trojanized gaming utilities (Xeno.exe, RobloxPlayerBeta.exe) that connect to the C2 at 79.110.49.15 for data theft and follow-up payloads, and the ClawJacked fix tightens WebSocket checks to block localhost brute-force abuse. #StegaBin #APT37 #RESURGE #IvantiConnectSecure #CVE20250282 #XenoExe #RobloxPlayerBetaExe #ClawJacked #OpenClaw #VAL4K

Nation-state campaigns

  • North Korean actors published 26 malicious npm packages that use a steganographic loader (StegaBin) to pull Vercel-hosted C2 addresses from Pastebin and deploy cross-platform credential stealers and a RAT – StegaBin Packages
  • APT37 ran the Ruby Jumper campaign, using malicious LNK shortcut files and implants (Restleaf, ThumbSBD, VirusTask, FootWine) to bridge air-gapped systems via USB and Zoho WorkDrive C2s – APT37 Tools

Threat alerts & vulnerabilities

  • CISA warns that the RESURGE malware can remain dormant on compromised Ivanti Connect Secure devices (CVE-2025-0282), using ECC encryption, forged TLS certificates, SSH tunnels and traffic fingerprinting for covert persistence; patching and threat hunting are recommended – RESURGE Alert
  • A malicious campaign delivers a RAT via trojanized gaming utilities (Xeno.exe, RobloxPlayerBeta.exe), using a portable Java runtime, PowerShell and LOLBins, and connecting to the C2 at 79.110.49.15 for data theft and follow-up payloads – Gaming RAT
  • A high-severity ClawJacked flaw allowed malicious websites to brute-force a localhost gateway and hijack OpenClaw; it was fixed in version 2026.2.26, which tightened WebSocket checks and blocked localhost brute-force abuse – ClawJacked Bug

Cybercrime & enforcement

  • A Chilean national, VAL4K, was extradited to the U.S. and arraigned over Telegram carding channels (MacacoCC Collective, Novato Carding) that allegedly sold more than 26,000 stolen payment cards – Carding Extradition

Leadership & industry

  • Nick Andersen was appointed acting director of CISA after Madhu Gottumukkala's departure amid polygraph and data-sharing reports, leaving the agency without a permanent director – CISA Acting Director
  • AWS launched Security Hub Extended to unify Inspector, GuardDuty and curated third-party vendors using OCSF for pre-normalized findings and consolidated billing to form a cross-domain mini-SOC – AWS Security Hub

Privacy & consumer

  • Ring's Super Bowl ad triggered U.S. backlash, subscription cancellations, threatened lawsuits and the end of its partnership with automated license plate recognition (ALPR) firm Flock, reigniting concerns about pervasive surveillance and law-enforcement ties – Ring Backlash
  • Samsung agreed to stop collecting Automated Content Recognition (ACR) viewing data from Texans without express consent and to update privacy disclosures under a Texas settlement addressing alleged “dark patterns” – Samsung Settlement

Misc

  • Daily and weekly threat roundups and recaps from Hendry Adrian – Weekly Recap

Cybersecurity News | Daily Recap – hendryadrian.com