In Other News: Record DDoS, Epstein’s Hacker, ESET Product Vulnerabilities

This roundup condenses notable cybersecurity developments that include espionage, large-scale DDoS activity, AI-driven intrusions, vulnerability disclosures, and consumer data breaches. This week’s highlights include the conviction of former Google engineer Linwei Ding for stealing AI trade secrets, Cloudflare reporting a record 31.4 Tbps DDoS attack, an LLM-assisted AWS admin takeover observed…

Living off the AI: The Next Evolution of Attacker Tradecraft

Attackers are evolving from “living off the land” and “living off the cloud” to “living off the AI,” abusing AI agents, MCP connectors, prompts, and shared vector stores to exfiltrate data, execute actions, and deploy malware through legitimate workflows. Defenders must treat agents as privileged users—apply least privilege, harden prompts and…

Cybersecurity News | Daily Recap [05 Feb 2026]

In this Daily Recap, exposed test credentials in a public S3 bucket allowed an attacker to gain full admin control of an AWS environment in 8 minutes via Lambda code injection and privilege escalation, while Google Looker vulnerabilities enabled RCE and data exfiltration in cloud instances and self-hosted deployments. The recap also covers the Harvard Alumni data breach tied to ShinyHunters, the Panera data exposure, the Incognito Market operator’s 30-year sentence, rising ransomware activity from Qilin and CL0P, and notable nation-state and cyberespionage campaigns such as Lotus Blossom and Amaranth Dragon. #ShinyHunters #HarvardAlumni #PaneraBread #IncognitoMarket #Qilin #CL0P #LotusBlossom #AmaranthDragon #TRMLabs #AWS #Looker

EDR, Email, and SASE Miss This Entire Class of Browser Attacks

Enterprise work now runs primarily in the browser, but existing security stacks lack visibility into in‑browser user interactions, creating a safe haven for attacks like ClickFix, malicious extensions, Man‑in‑the‑Browser, and HTML smuggling. Keep Aware provides browser‑level observability to prevent risky actions, reconstruct incidents, and continuously refine policy. #ClickFix #KeepAware

Tenant from Hell: Prometei’s Unauthorized Stay in Your Windows Server

In January 2026, eSentire’s TRU investigated a Prometei botnet infection on a Windows Server used by a customer in the construction industry and published a technical breakdown of its deployment, unpacking, persistence, C2 communications, and modular components. The report includes decryption recipes, YARA rules, IOCs, and the remediation guidance used to detect, analyze, and contain the intrusion. #Prometei #eSentire

DYNOWIPER: Destructive Malware Targeting Poland’s Energy Sector — Elastic Security Labs

On December 29, 2025, a coordinated destructive campaign using a custom wiper called DYNOWIPER targeted Poland’s energy infrastructure, impacting more than 30 renewable sites and a major CHP plant. CERT Polska attributes the attack infrastructure to clusters tracked as Static Tundra / Berserk Bear / Ghost Blizzard / Dragonfly, and Elastic Defend’s canary-file ransomware protection successfully detected and blocked DYNOWIPER activity. #DYNOWIPER #CERTPolska

Black Basta: Defense Evasion Capability Embedded in Ransomware Payload

Black Basta operators (tracked as the group Cardinal) deployed a ransomware payload that uniquely bundled a vulnerable NsecSoft NSecKrnl kernel driver (CVE-2025-68947) to kill security processes and evade defenses, appending a “.locked” extension to encrypted files. The campaign also included a prior side-loaded loader and post-deployment presence of the GotoHTTP RAT, suggesting long dwell time or attempts to maintain persistence. #BlackBasta #Cardinal

New Clickfix variant CrashFix deploying Python Remote Access Trojan

Microsoft Defender Experts discovered CrashFix, an evolved ClickFix campaign variant that intentionally crashes victims’ browsers and displays fake “CrashFix” pop-ups to socially engineer users into running malicious commands. The attack chain leverages a malicious Chrome extension impersonating uBlock Origin Lite, abuses the native finger.exe (renamed to ct.exe) to fetch obfuscated PowerShell and Python payloads, and uses attacker infrastructure for further delivery and command retrieval. #CrashFix #ClickFix

When cloud logs fall short, the network tells the truth

Cloud migrations often create visibility blind spots, and network-layer telemetry combined with Network Detection and Response (NDR) provides consistent, provider-agnostic visibility for detecting threats in multi- and hybrid-cloud environments. The article recommends enabling flow logs and traffic mirroring, standardizing and enriching telemetry with cloud inventory, and tuning baselines to detect threats such as coinminer beaconing, stolen credentials, and suspicious interactive admin activity. #Corelight #Kubernetes

Technical Analysis of Marco Stealer

Zscaler ThreatLabz discovered Marco Stealer in June 2025, an information stealer that primarily exfiltrates browser data, cryptocurrency wallet data from extensions, and sensitive files from local and cloud storage. The malware uses ARX-based runtime string decryption, anti-analysis checks that terminate tools like x64dbg and Wireshark, named pipes and DLL injection to extract browser and wallet data, and sends AES-256–encrypted data to HTTP C2 endpoints. #MarcoStealer #Zscaler

Cybersecurity News | Daily Recap [05 Feb 2026]

In this Daily Recap, patches and active exploitation are underway for several critical flaws, including the Metro4Shell vulnerability (CVE-2025-11953) delivering PowerShell loaders, the vLLM RCE via malicious video URLs affecting millions of AI servers, and Foxit PDF Editor XSS bugs requiring immediate updates and mitigations. Additionally, Iran-linked APT42 used social engineering to deploy the fileless TAMECAT backdoor; Mountain View shut down Flock Safety ALPR cameras after unauthorized searches; Lakelands Health disclosed a cyberattack with no patient data exposure; Grok investigations in France prompted a raid; and RADICL and RapidFort secured funding to boost threat detection and software supply-chain security. #Metro4Shell #vLLMRCE #FoxitXSS #APT42 #TAMECAT #MountainView #FlockSafety #LakelandsHealth #Grok #Europol #FranceBan #RADICL #RapidFort

New year, new sector: Transparent Tribe targets India’s startup ecosystem

Acronis TRU tracked Transparent Tribe (APT36) shifting from government and defense targets to India’s startup ecosystem, delivering Crimson RAT via startup-themed ISO container files and malicious LNK shortcuts. The campaign reused established APT36 tooling, infrastructure and tradecraft — including spear-phishing ISO attachments, a batch runner for persistence, and C2 servers 93.127.133.9 and sharmaxme11.org — reinforcing attribution overlaps and the targeting of OSINT/cybersecurity startups. #TransparentTribe #CrimsonRAT
