News
-
PeckBirdy JScript framework used by China-aligned actors to target gambling and government sites
A JScript C2 framework called PeckBirdy has been used since 2023 to compromise gambling sites and Asian government and private organizations. The framework runs across browsers and common binaries and delivers modular backdoors including HOLODONUT and MKDOOR.
-
Multiple groups exploit WinRAR CVE-2025-8088 using Alternate Data Streams since July 2025
Multiple state-backed and criminal groups have exploited the high-severity WinRAR path traversal vulnerability CVE-2025-8088 since July 18, 2025. Exploits hide payloads in Alternate Data Streams and can drop persistent launchers into Startup folders.
-
WhatsApp adds Strict Account Settings to block media from unknown contacts
Meta announced Strict Account Settings for WhatsApp to lock accounts to restrictive options and block media from unknown contacts. The feature rolls out over weeks and a Rust-based media library will be used to improve memory safety.
-
Pakistan-linked campaigns use new tradecraft to target Indian government in September 2025
Two campaigns codenamed Gopher Strike and Sheet Attack targeted Indian government entities in September 2025 using phishing and legitimate services for command and control. Malware included a Golang downloader, GitHub-based backdoors and a loader for Cobalt Strike.
-
Over 6,000 SmarterMail servers exposed and likely vulnerable to critical auth bypass
Shadowserver found more than 6,000 SmarterMail servers exposed and likely vulnerable to CVE-2026-23760, a critical authentication bypass that can reset admin passwords and allow remote code execution. A vendor fix was released in build 9511.
-
Microsoft issues emergency patch for Office zero-day CVE-2026-21509
Microsoft issued out-of-band patches for Office zero-day CVE-2026-21509, rated 7.8. Service-side protection covers newer builds and a registry workaround is provided for older Office versions. Federal agencies must remediate by February 16, 2026.
-
New MaaS Stanley promises phishing extensions on Chrome Web Store
A technical analysis found the Stanley MaaS offers Chrome extensions that overlay phishing iframes and promises to pass Chrome Web Store review. The service includes auto-install, persistent C2 polling, geotargeting, and a paid Luxe plan.
-
CISA publishes post-quantum procurement guidance but experts warn it lacks operational detail
CISA published guidance on Jan. 23 listing federal products for post-quantum cryptography. Experts warned the document lacks operational detail on inventories, timelines and authentication support, complicating procurement and migration efforts.
-
Phishing campaign in India deploys Blackmoon variant and SyncFuture TSM
Security researchers found a phishing campaign targeting Indian taxpayers that uses fake Income Tax Department notices to deliver a multi-stage backdoor, which installs a Blackmoon variant and SyncFuture TSM for persistent remote access.
-
EU opens DSA investigation into X after Grok generated sexual images
The EU opened DSA proceedings against X after its Grok AI tool produced sexually explicit images, including possible child sexual abuse material. UK and US regulators are also examining the platform while X limited Grok image features to paid subscribers.