![Threat Research | Weekly Recap [08 Feb 2026]](https://www.hendryadrian.com/tweet/image/WeeklyRecap.png "Threat Research | Weekly Recap [08 Feb 2026]")
Cybersecurity Threat Research ‘Weekly’ Recap: the report surveys supply-chain compromises, ransomware/defense evasion, infostealers, targeted espionage, cloud and identity threats, phishing, vulnerabilities and detection, labs automation and resilience guidance. It highlights notable campaigns and families such as the Notepad++ supply-chain attack, GlassWorm on Open VSX, dYdX npm/PyPI abuse, DYNOWIPER in Polish energy, Black Basta kernel-driver evasion, SonicWall SSLVPN intrusion, APT28 and Shadow Campaigns, Amaranth-Dragon, Transparent Tribe, Stan Ghouls, Prometei, ShinyHunters, NGOSS and ZHGUI breaches, plus attempts at web-infra abuse (Quest KACE, NGINX hijacking, CrashFix/ClickFix) and AI-assisted cloud intrusion via Amazon Bedrock. #NotepadPlusPlus #GlassWorm #OpenVSX #dYdX #DYNOWIPER #BlackBasta #SonicWall #APT28 #ShadowCampaigns #AmaranthDragon #TransparentTribe #StanGhouls #Prometei #ShinyHunters #NGOSS #ZHGUI #QuestKACE #CrashFix #ClickFix #GOAD #NGINX #Baota #AmazonBedrock #DetectionsAsCode
Tag: SSO
OpenClaw has partnered with VirusTotal to scan every skill uploaded to the ClawHub marketplace using SHA-256 hashing and VirusTotal Code Insight, automatically approving benign skills, flagging suspicious ones, and blocking malicious downloads while re-scanning active skills daily. Researchers and vendors warn the measure is not a silver bullet amid widespread misconfigurations,…
Conpet, Romania’s national oil pipeline operator, confirmed a major cyberattack after the Qilin ransomware group claimed to have stolen nearly 1TB of sensitive data. Hudson Rock traced the breach to a single Infostealer infection on an IT employee’s personal computer on January 11, 2026, which leaked credentials (including WSUS and Cacti access) that enabled a likely full network takeover. #Qilin #Infostealer #Conpet #WSUS
CYFIRMA analyzed LTX Stealer, a Windows information stealer delivered via a heavily obfuscated Inno Setup installer that embeds a full Node.js runtime and uses Bytenode JavaScript bytecode to hinder analysis. The malware harvests Chromium-based credentials and cryptocurrency artifacts, stages them for exfiltration to Cloudflareāfronted infrastructure, and uses Supabase for operator authentication. #LTXStealer #Supabase
A state-sponsored threat actor tracked as TGR-STA-1030/UNC6619 conducted global espionage operations called “Shadow Campaigns,” compromising at least 70 government and critical infrastructure organizations across 37 countries and conducting reconnaissance against entities in 155 countries. The group used tailored phishing with Mega.nz-hosted archives, the Diaoyu loader (delivering Cobalt Strike and VShell), multiple exploit chains, and a custom eBPF Linux rootkit named ShadowGuard to evade detection and maintain persistent access. #TGR-STA-1030 #ShadowGuard
Researchers uncovered DKnife, a Linux-based gateway-monitoring and adversary-in-the-middle framework used by China-nexus actors since at least 2019 to perform deep packet inspection, manipulate traffic, and deliver malware via compromised routers and edge devices. The modular toolkit hijacks binary and Android update downloads to deploy backdoors like ShadowPad and DarkNimbus and harvests…
This blog describes an automated, scalable cyber-range that uses Ludus to deploy multi-VM labs (GOAD and XZbot) and instruments every host with Elastic Agent/Defend to validate detections against real attacks. It details safe isolation techniques for running a live CVE-2024-3094 backdoor, shows how Elastic SIEM/XDR (Event Analyzer, Session Viewer) surfaces forensic āsmoking guns,ā and explains AI-driven hunting and response with Attack Discovery, the AI Assistant, and Elastic Workflows. #GOAD #XZbot
The paper by Tod Beardsley provides an insider analysis of CISAās Known Exploited Vulnerability (KEV) catalog and delivers KEV Collider, a web tool and dataset to help teams prioritize vulnerabilities. It uses enrichment signals like CVSS, EPSS, SSVC, Metasploit and Nuclei tooling, and MITRE ATT&CK mappings to show that only about…
![Cybersecurity News | Daily Recap [05 Feb 2026]](https://www.hendryadrian.com/tweet/image/DailyRecap.png "Cybersecurity News | Daily Recap [05 Feb 2026]")
Daily Recap, exposed test credentials in a public S3 bucket allowed an attacker to gain full admin control of an AWS environment in 8 minutes via Lambda code injection and privilege escalation, while Google Looker vulnerabilities enabled RCE and data exfiltration in cloud instances and self-hosted deployments. The recap also covers the Harvard Alumni data breach tied to ShinyHunters, the Panera data exposure, the Incognito Market operator’s 30-year sentence, rising ransomware activity from Qilin and CL0P, and notable nation-state and cyberespionage campaigns like Lotus Blossom and Amaranth Dragon. #ShinyHunters #HarvardAlumni #PaneraBread #IncognitoMarket #Qilin #CL0P #LotusBlossom #AmaranthDragon #TRMLabs #AWS #Looker
Researchers at Cisco Talos uncovered DKnife, an ELF-based post-compromise toolkit used since 2019 to hijack edge devices and perform deep packet inspection, traffic manipulation, and targeted malware delivery. The frameworkās seven Linux components enable DNS and update hijacking, credential harvesting, and delivery of backdoors such as ShadowPad and DarkNimbus, and Talos attributes the activity to a China-nexus threat actor. #DKnife #ShadowPad
In January 2026 eSentire’s TRU investigated a Prometei botnet infection on a Windows Server used by a customer in the Construction industry and published a technical breakdown of its deployment, unpacking, persistence, C2 communications, and modular components. The report includes decryption recipes, Yara rules, IOCs, and remediation guidance used to detect, analyze, and contain the intrusion. #Prometei #eSentire
A ransomware claim targets Logility, a US-based provider of supply chain and retail planning solutions, attributed to the threat actor coinbasecartel. The claim indicates operational disruption and potential data exfiltration affecting Logility’s services.
#UnitedStates
On December 29, 2025, a coordinated destructive campaign using a custom wiper called DYNOWIPER targeted Poland’s energy infrastructure, impacting more than 30 renewable sites and a major CHP plant. CERT Polska attributes the attack infrastructure to clusters tracked as Static Tundra / Berserk Bear / Ghost Blizzard / Dragonfly, and Elastic Defend’s canary-file ransomware protection successfully detected and blocked DYNOWIPER activity. #DYNOWIPER #CERTPolska
The AISURU/Kimwolf botnet launched a record-setting hyper-volumetric HTTP DDoS attack in November 2025 that peaked at 31.4 Tbps for 35 seconds and later ran the “The Night Before Christmas” campaign with wins up to 24 Tbps and 9 Bpps. Cloudflare and Google disrupted the supporting IPIDEA residential proxy infrastructure that had…
Socket Threat Research discovered a coordinated supply chain attack that published malicious versions of the dYdX client libraries to npm and PyPI, embedding wallet-stealing credential exfiltration and, in the PyPI release, a Remote Access Trojan (RAT). The malicious packages exfiltrated seed phrases and device fingerprints to a typosquatting domain and the PyPI release used a 100-iteration obfuscation to deploy a RAT capable of arbitrary code execution and persistent access. #dYdX #priceoracle.site