Lotus Blossom has resurfaced with a sophisticated supply chain attack against the Notepad++ infrastructure and deployed a new custom backdoor called Chrysalis to spy on targets in Southeast Asia and Central America. The campaign uses a Warbird-protected loader, DLL side‑loading, commodity tools like Cobalt Strike, and undocumented system calls to evade…
Tag: CRITICAL INFRASTRUCTURE
Unit 42 attributes a large-scale, state-aligned cyberespionage campaign — tracked as TGR-STA-1030 and called the Shadow Campaigns — to an Asia-based actor that has compromised government and critical infrastructure across 37 countries using phishing, exploitation, C2 frameworks and a novel eBPF rootkit. The group used tools including Diaoyu Loader, Cobalt Strike,…
Italy says it foiled a series of cyberattacks that targeted some of its foreign ministry offices, including one in Washington, as well as Winter Olympics websites and hotels in Cortina d’Ampezzo. Foreign Minister Antonio Tajani attributed the attempted attacks to Russia, and Interior Minister Matteo Piantedosi said 6,000 security officers are…
Phonesack Group, a major mining and energy conglomerate in Laos, appears to have been breached, with a threat actor claiming to sell approximately 4 GB (81 documents) of internal files related to the Xekong 1800 MW thermal power plant project. The leaked materials reportedly cover 2020–2021 project development and include confidential…
Amaranth-Dragon (a nexus linked to APT-41) ran highly targeted 2025 espionage campaigns across Southeast Asia using weaponized archives that exploited WinRAR CVE-2025-8088, custom Amaranth Loader, Havoc C2, and a new Telegram-based TGAmaranth RAT. The campaigns used geo-restricted Cloudflare-protected C2s, legitimate hosting (Dropbox, Pastebin), DLL sideloading, and payload encryption to maximize stealth and persistence. #Amaranth-Dragon #TGAmaranth
Security researchers attribute the Notepad++ update hijacking to the Chinese state-linked APT Lotus Blossom, which abused the project’s update infrastructure to deliver a newly identified backdoor called Chrysalis to targeted victims. The trojanized NSIS installer sideloaded a renamed Bitdefender Submission Wizard (BluetoothService.exe) to load encrypted shellcode and a malicious DLL, using…
CERT Polska reports a sustained campaign of destructive attacks against Poland’s energy sector that targeted renewable facilities, a large CHP plant, and a manufacturing supplier, using wiper malware to disrupt OT and distribution connections. Investigators identified two bespoke destructive families, DynoWiper and LazyWiper, and traced infrastructure overlap to the state-linked cluster…
SecurityWeek’s Cyber Insights 2026 gathers experts who warn that cyberwarfare – driven by nation-state pre-positioning, AI-enabled operations, and rising geopolitical tensions – will escalate faster than criminal cybercrime in 2026. The report highlights blurred lines between criminal and state actors, the difficulty of attribution, and the need for improved detection, resilience,…
![Cybersecurity News | Daily Recap [03 Feb 2026]](https://www.hendryadrian.com/tweet/image/DailyRecap.png "Cybersecurity News | Daily Recap [03 Feb 2026]")
Daily Recap, attackers hijacked an OpenVSX publisher to push the GlassWorm macOS infostealer via malicious extension updates and Notepad++ update tampering, while researchers uncovered 341 ClawHub skills, OpenClaw one-click RCE from a critical token-exfiltration bug (CVE-2026-25253), and MoltBot used to push password-stealing malware across developer ecosystems. The Microsoft section notes APT28 exploiting CVE-2026-21509 to deploy the Covenant loader, NTLM is being phased out in favor of Kerberos, a Windows shutdown bug affects Windows 11 and 10 with a temporary workaround, ShinyHunters expanded extortion to vishing and MFA-credential harvesting alongside the PaneraBread breach, and destructive attacks on Polish energy sites via Fortinet devices, with Mozilla adding an AI controls panel in Firefox and policy moves toward stronger age verification and platform oversight. #GlassWorm #OpenVSX #Notepad++ #ClawHub #OpenClaw #MoltBot #AtomicStealer #CVE-2026-25253 #CVE-2026-21509 #APT28 #CovenantLoader #NTLM #Kerberos #PaneraBread #ShinyHunters #Sandworm #PolandGrid #Fortinet #Firefox #VirtualSecureMode
Write 2 sentences summarizing the content. At the end, add hashtags for specific keywords mentioned in the article—such as names of malware, threat actors, or affected organizations/systems. Avoid general terms like #malware, #ransomware, or #cybersecurity. Use this format: #Keyword1 #Keyword2…
Identity security is rapidly evolving from simple username/password models into AI-driven governance, liveness biometrics, decentralized identity, passwordless passkeys, and machine identities that will define access in 2026. Organizations must treat identity as the central control plane for digital trust and adopt technologies like self-sovereign identity and post-quantum cryptography to stay ahead of sophisticated threats. #SailPoint #SelfSovereignIdentity
Daily Recap, a wave of critical flaws including n8n CVE-2026-1470/0863 enabling authenticated remote code execution and extensive updates across builds, alongside KEV catalog additions (Microsoft Office CVE-2026-21509, GNU InetUtils, SmarterMail, Linux kernel) highlight widespread risk across software, networks and OT. In parallel, state-backed and criminal groups continue weaponizing legacy flaws (WinRAR CVE-2025-8088 with UNC4895/RomCom, APT44, Turla), LLM/MCP abuses (Operation Bizarre Bazaar), C2 abuse (Sheet Attack), exposed AI tools (Bondu Panel, ChatGPT) and infrastructure attacks (IPIDEA takedown, Poland grid disruption), underscoring the need for resilient, AI-assisted defenses. #n8n #OperationBizarreBazaar
SecurityWeek’s weekly roundup condenses noteworthy but smaller cybersecurity stories into a single briefing covering acquisitions, legal settlements, threat disruptions, policy updates, and technical guidance. This week’s highlights include Mitsubishi Electric’s acquisition of Nozomi Networks, a fresh phishing wave targeting LastPass users, CISA’s RSA withdrawal and post-quantum cryptography guidance, the alleged upload…
A December 2025 campaign compromised at least 30 Polish wind and solar farms by exploiting default credentials, lack of multi‑factor authentication, and outdated or misconfigured OT and network devices. CERT Polska attributed the incident to Static Tundra while noting DynoWiper similarities to Sandworm-linked wipers, and reported attackers abused exposed FortiGate VPNs,…
This weekly roundup covers major global cyber incidents, emerging threats in AI and ad fraud, critical zero-day patches, and growing regulatory scrutiny affecting public and private sectors. Highlights include the disruptive attack on Russian security firm Delta, the discovery of the ShadowHS Linux post-exploitation framework, Ivanti emergency fixes for CVE-2026-1281 and…