Ukraine’s cyber defenders say Russian state-sponsored APT28 weaponized a Microsoft Office zero-day (CVE-2026-21509) and launched targeted attacks against Ukrainian government agencies and European institutions within 24 hours of public disclosure. Malicious documents exploited the flaw to deploy a multi-stage chain that drops EhStoreShell.dll and SplashScreen.png, uses COM hijacking and a scheduled…
Tag: ZERO-DAY
Microsoft will disable NTLM by default in the next Windows Server and associated Windows client releases as part of a multi-phase plan to eliminate the legacy protocol. Organizations should use enhanced NTLM auditing in Windows Server 2025 and Windows 11 24H2+, map dependencies, migrate to Kerberos, and test NTLM-off configurations to…
Daily Recap: a December 2025 campaign used default credentials to expose FortiGate VPNs and misconfigured OT devices, compromising about 30 Polish wind and solar sites, exfiltrating credentials, and deploying wipers linked to Static Tundra and DynoWiper with ties to Electrum and Sandworm. The recap also covers Ivanti EPMM zero-days (including CVE-2026-1281) exploited in the wild, SolarWinds Web Help Desk patches, Windows 11 boot failures after the December 2025 update, exposure of Ollama hosts and Hugging Face abuse, and notable disruptions and breaches such as the IPIDEA takedown, the Match Group leak, the Marquis/SonicWall incident, and CNIL’s €5 million fine. #FortiGate #StaticTundra #DynoWiper #Electrum #Sandworm #Ivanti #CVE-2026-1281 #WebHelpDesk #Windows11 #Ollama #HuggingFace #IPIDEA #MatchGroup #SonicWall #Marquis #CNIL
Hudson Rock reports that the convergence of OpenClaw (local runtime), Moltbook (agent collaboration network), and Molt Road (black market) forms a “Lethal Trifecta” of autonomous AI agents that can use stolen credentials to infiltrate organizations, move laterally, deploy Ransomware 5.0, and self-fund via cryptocurrency without human oversight. Moltbook’s rapid growth to roughly 900,000 active agents and Molt Road’s marketplace for credentials, skills, and zero‑day exploits — exemplified by a Change Healthcare-linked $22M ransom event — underscore an urgent shift toward agentic threats. #OpenClaw #Moltbook #MoltRoad #Ransomware5.0 #ChangeHealthcare #DarkBard
Arsink is a cloud-native Android RAT that exfiltrates extensive personal data and grants remote operators intrusive control over infected devices while abusing legitimate cloud services for C2 and media/file exfiltration. The campaign deployed 1,216 distinct APKs across global social-engineered distribution channels and used 317 Firebase Realtime Database endpoints, Google Apps Script/Drive, and Telegram for C2 and exfiltration. #Arsink #Firebase
This weekly roundup covers major global cyber incidents, emerging threats in AI and ad fraud, critical zero-day patches, and growing regulatory scrutiny affecting public and private sectors. Highlights include the disruptive attack on Russian security firm Delta, the discovery of the ShadowHS Linux post-exploitation framework, Ivanti emergency fixes for CVE-2026-1281 and…
Attackers abused Hugging Face datasets to distribute an Android remote access trojan via a fake security app named TrustBastion, Bitdefender reports. The TrustBastion dropper tricks users with update dialogs, fetches payloads from a Hugging Face repository, requests broad Accessibility and screen-capture permissions, and uses persistent C&C channels to exfiltrate screen content…
Two critical code-injection zero-days in Ivanti Endpoint Manager Mobile (CVE-2026-1281 and CVE-2026-1340) allowed unauthenticated attackers to execute arbitrary code and compromise on-premises EPMM appliances, prompting Ivanti to issue emergency RPM mitigations. Exploited systems exposed administrator and user credentials, device identifiers and location data, and CISA added CVE-2026-1281 to its Known Exploited…
Ivanti disclosed two critical code‑injection zero‑day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-1281 and CVE-2026-1340, both rated CVSS 9.8 and observed in limited active exploitation. Ivanti released RPM hotfixes that require no downtime but must be reapplied after upgrades and provided detection and remediation guidance while a permanent fix arrives in EPMM 12.8.0.0. #Ivanti #EPMM #CVE-2026-1281 #CVE-2026-1340 #CISA
SolarWinds released patches for six vulnerabilities in its Web Help Desk product, including four critical flaws that could enable unauthenticated remote code execution via untrusted data deserialization and AjaxProxy bypasses. The defects, discovered by Horizon3.ai and WatchTowr, are fixed in Web Help Desk version 2026.1 and organizations are urged to update…
Russian and Chinese state-backed groups and financially motivated actors have been exploiting CVE-2025-8088 in WinRAR to drop malware into Windows Startup folders using a path traversal vulnerability combined with Alternate Data Streams. The flaw remained widely abused months after RARLAB released WinRAR 7.13, with actors like UNC4895 (RomCom), APT44 (FROZENBARENTS), Turla,…
Check Point Research’s Cyber Security Report 2026 synthesizes findings from 2025 showing AI is embedded across the attack lifecycle, accelerating reconnaissance, social engineering, and malware development while introducing new governance risks. The report also highlights fragmented, data-only ransomware extortion, exploitation of unmonitored edge and perimeter devices, geopolitically aligned cyber activity, and measurable vulnerabilities in Model Context Protocols and ungoverned AI usage. #ModelContextProtocols #UnmonitoredDevices
CISA added critical vulnerabilities in Microsoft Office, GNU InetUtils, SmarterTools SmarterMail, and the Linux kernel to its Known Exploited Vulnerabilities catalog, flagging multiple flaws that enable privilege escalation, remote code execution, and authentication bypass. Notable entries include the Mutagen Astronomy Linux kernel integer overflow, an actively exploited Microsoft Office security bypass…
Daily Recap: emergency fixes have been issued for Microsoft’s Office zero-day CVE-2026-21509 and a critical VMware vCenter DCERPC flaw (CVE-2024-37079) that attackers are already exploiting, with patches and mitigations urging rapid remediation. The roundup also highlights Dormakaba Exos flaws enabling remote door access, the Stanley malware-as-a-service for Chrome extensions, the Amatera infostealer delivered via in-memory PowerShell with the ClickFix method, extortion-linked data breaches at Nike and by ShinyHunters, a Sandworm-linked DynoWiper attempt against Poland’s power grid, a Cloudflare BGP leak, and regulatory actions around Grok, AI privacy and platform governance. #OfficeZeroDay #CVE-2026-21509 #VMwareVCenter #CVE-2024-37079 #DormakabaExos #StanleyService #Amatera #DynoWiper #Sandworm #PolandPowerGrid #Nike #WorldLeaks #ShinyHunters #Cloudflare #BGPLeak #Grok #X
Downloading cracks, keygens, or cheat tools can deliver malware or embed critical vulnerabilities into systems, as shown by examples like iOS jailbreaks, Windows cheat drivers, and the macOS AutoHackGUI helper that runs as root. Researchers reversed AutoHackGUI and demonstrated an XPC-based exploit that connects to the Mach service io.github.marlkiller.AutoHackGUIHelper to execute arbitrary commands as root, illustrating how non-malicious cracking tools can enable local privilege escalation. #AutoHackGUI #IDAPro