The European Commission has opened a formal investigation under the Digital Services Act into X over its AI chatbot Grok, amid allegations that Grok’s image-generation and recommender features exposed EU users to manipulated sexually explicit images and possible CSAM. The probe, which extends earlier December 2023 proceedings, will examine whether X…
Tag: SSO
Validin has added support for JA4X fingerprints from the JA4+ suite to its platform to detect structural anomalies in X.509 certificates and improve hunting for malicious infrastructure. The post demonstrates using JA4X to uncover and narrow C2 infrastructure associated with BianLian and QuasarRAT, including example fingerprints and an advanced search combining a JA4X value with cert.not_after="9999-12-31T23:59:59Z". #BianLian #QuasarRAT
Modern IDEs like VS Code and Cursor rely on a trust-based model that grants extensions and trusted workspaces full user-level privileges, enabling malicious extensions or workspace files to execute arbitrary code and spawn hidden network connections. IDE-SHEPHERD is an open-source extension that injects into the extension-host Node.js runtime to intercept dangerous APIs (child_process, http, https), block malicious operations (PowerShell execution, remote downloads, auto-run tasks), and provide runtime and heuristic defenses to mitigate attacks such as the “Contagious Interview” campaign and marketplace-based compromises. #IDE-SHEPHERD #ContagiousInterview
Microsoft released emergency out-of-band updates to address a high-severity Microsoft Office zero-day vulnerability tracked as CVE-2026-21509 that bypasses OLE/COM mitigations. The flaw affects multiple Office editions (including Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps for Enterprise), with patches for Office 2016 and 2019 not yet available and registry-based mitigations and a service-side fix provided for other versions. #CVE-2026-21509 #MicrosoftOffice
A new malware-as-a-service called Stanley offers malicious Chrome extensions that overlay full-screen iframes to carry out phishing while leaving the browser address bar displaying a legitimate site. Stanley advertises silent auto-installation on Chrome, Edge, and Brave, subscription tiers (including a Luxe Plan that assists in publishing extensions to the Chrome Web Store), persistent C2 polling, geo-targeting, and an operator web panel for controlling hijacks and notifications. #Stanley #ChromeWebStore
Nike is investigating a potential security breach after the WorldLeaks cybercrime group claimed it accessed and stole data from the company’s systems. WorldLeaks published 1.4TB of data and has shifted to extortion-focused data theft after rebranding from Hunters International, while Under Armour faces a separate large exposure linked to the Everest…
ShinyHunters claim to have leaked tens of millions of records from SoundCloud, Crunchbase, and Betterment after failed extortion attempts, publishing alleged partial databases on a new dark web .onion leak site. The group has also claimed responsibility for an Okta SSO vishing campaign, and researchers and the affected companies are investigating…
FortiGuard Labs describes a multi-stage Windows-focused campaign that uses social-engineered archives and LNK-triggered PowerShell to deploy staged loaders, abuse Defendnot to disable Microsoft Defender, install Amnesia RAT for extensive data theft and surveillance, and finally deliver Hakuna Matata–derived ransomware and a WinLocker to encrypt and lock victims’ systems. The operation leverages GitHub and Dropbox for modular hosting and the Telegram Bot API for C2 and exfiltration, while using registry and policy manipulation to suppress defenses and destroy recovery options. #Defendnot #AmnesiaRAT
Daily Recap: phishing activity escalates with an AiTM campaign abusing SharePoint to steal Microsoft credentials, compromise inboxes, and bypass MFA in the energy sector, while vishing kits synchronize fake login pages with live calls targeting Google, Microsoft, and Okta. Ransomware and exploits dominate the headlines, from Osiris using POORTRY to disable protections and exfiltrate data to Wasabi, to INC recovery of encrypted data and Ploutus ATM jackpotting linked to Tren de Aragua, alongside critical vulnerabilities in FortiCloud SSO, SmarterMail, InetUtils telnetd, and widespread security updates from GitLab, Outlook iOS, curl, and Teams. #SharePoint #AiTM #Microsoft #Google #Okta #Osiris #POORTRY #Wasabi #INC #Ploutus #TrenDeAragua #FortiCloudSSO #FortiOS #SmarterMail #InetUtils #telnetd #GitLab #Outlook #curl #Teams #Pwn2OwnAuto #FALSECUB #TamperedChef #NetNTLMv1 #MnCHOICES #ActiveDirectory
North Korean-linked group Konni (Opal Sleet, TA406) is deploying AI-generated PowerShell backdoors to target developers and engineers in the blockchain sector across the Asia-Pacific region. The campaign uses Discord-hosted lures, LNK/DOCX/CAB loaders, UAC bypasses, scheduled tasks, and XOR-encrypted in-memory execution to maintain persistence and execute C2-issued code. #Konni #PowerShell
ESET has attributed a December 29–30, 2025 attempted disruptive attack on Poland’s energy sector, which used a previously undocumented wiper called DynoWiper, to the Russian nation-state hacking group Sandworm. Polish officials, including Energy Minister Milosz Motyka and Prime Minister Donald Tusk, said the attack failed and the government is preparing…
A multi-stage phishing campaign targeting Russian users delivers Amnesia RAT and a Hakuna Matata–derived ransomware via business-themed decoy documents and malicious LNK files that fetch loaders from a GitHub repository and binaries from Dropbox. The attackers abuse defendnot to disable Microsoft Defender, communicate and exfiltrate data via Telegram Bot APIs, and…
Check Point Research identified a KONNI-linked phishing campaign targeting blockchain developers across the APAC region that uses Discord-hosted lures and weaponized LNK shortcuts to deploy a multi-stage infection chain. The operation deploys an AI-generated, obfuscated PowerShell backdoor, leverages UAC bypass and scheduled-task persistence, and communicates with a PHP-based C2 protected by a JavaScript/AES challenge. #KONNI #SimpleHelp
The ShinyHunters extortion group says it is conducting vishing campaigns that impersonate IT support to phish SSO credentials and MFA codes for Okta, Microsoft Entra, and Google accounts, enabling attackers to access corporate SaaS platforms. Compromised SSO dashboards let intruders pivot into services like Salesforce, Microsoft 365, Google Workspace and other connected apps to harvest data and issue extortion demands, with ShinyHunters claiming responsibility and posting breaches on its Tor leak site. #ShinyHunters #Okta #MicrosoftEntra #Google #Salesforce #Crunchbase #SoundCloud #Betterment
A coordinated campaign is exploiting CVE-2026-24061, a critical authentication-bypass flaw in GNU InetUtils’ telnetd that allows attackers to gain root by injecting a crafted USER environment variable. Although observed exploitation is limited so far, affected systems should upgrade to GNU InetUtils 2.8 or disable telnetd/block TCP port 23 to prevent compromise. #CVE-2026-24061 #GNUInetUtils