#APT

2026-02-04

Hm, I cannot find this and I cannot imagine this is not possible: on Debian, how can you upgrade only packages present in a certain repository? Something like apt-get upgrade -t bookworm-security comes close, but -t still only sets a default pin, not an exclusive pin. If you were installing packages, you could use apt-get install package/bookworm-security, which will exclusively limit installed packages to that source. I would need something like that for apt-get upgrade.

#Debian #apt
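One way to get the behaviour asked for above, as an added example that is not part of the original post: parse `apt-cache policy` output and keep only the upgradable packages whose candidate version is served by the named suite, then hand those names, with the `pkg/suite` suffix the post mentions, to `apt-get install --only-upgrade`. The policy text below is constructed for the demonstration, and `upgrade_only_from` is a hypothetical helper that is the only part needing a real Debian host.

```shell
#!/bin/sh
# Constructed `apt-cache policy` output for three packages (not captured
# from a real host): vim's candidate comes from bookworm-security, curl's
# from the bookworm point release, bash is already at its candidate.
SAMPLE_POLICY='vim:
  Installed: 2:9.0.1378-2
  Candidate: 2:9.0.1378-2+deb12u2
  Version table:
     2:9.0.1378-2+deb12u2 500
        500 http://security.debian.org/debian-security bookworm-security/main amd64 Packages
 *** 2:9.0.1378-2 500
        500 http://deb.debian.org/debian bookworm/main amd64 Packages
        100 /var/lib/dpkg/status
curl:
  Installed: 7.88.1-10+deb12u5
  Candidate: 7.88.1-10+deb12u8
  Version table:
     7.88.1-10+deb12u8 500
        500 http://deb.debian.org/debian bookworm/main amd64 Packages
 *** 7.88.1-10+deb12u5 100
        100 /var/lib/dpkg/status
bash:
  Installed: 5.2.15-2+b2
  Candidate: 5.2.15-2+b2
  Version table:
 *** 5.2.15-2+b2 500
        500 http://deb.debian.org/debian bookworm/main amd64 Packages
        100 /var/lib/dpkg/status'

# Read `apt-cache policy` text on stdin; print each package whose candidate
# version differs from the installed one AND is served by suite $1. The
# suite is matched exactly against the "suite/component" field, so
# "bookworm" does not accidentally match "bookworm-security".
upgradable_from() {
  awk -v suite="$1" '
    function flush() {
      if (pkg != "" && inst != "(none)" && inst != cand && hit) print pkg
      pkg = ""; inst = ""; cand = ""; hit = 0; incand = 0
    }
    /^[^ ]+:$/      { flush(); pkg = substr($1, 1, length($1) - 1); next }
    /^  Installed:/ { inst = $2; next }
    /^  Candidate:/ { cand = $2; next }
    # source rows: "<prio> <url-or-path> <suite>/<component> <arch> Packages"
    /^ +[0-9]+ +(\/|[a-z]+:\/\/)/ {
      if (incand && index($3, suite "/") == 1) hit = 1
      next
    }
    # version rows; "***" marks the installed version
    /^ +\*\*\* /    { incand = ($2 == cand); next }
    NF == 2 && $2 ~ /^[0-9]+$/ { incand = ($1 == cand); next }
    END             { flush() }
  '
}

# Real use on a Debian host (hypothetical helper, not exercised here): take
# every upgradable package, keep those whose candidate is served by the
# suite, and upgrade them in the pkg/suite form so apt resolves each one
# only from that suite. stderr is dropped because `apt list` warns that its
# CLI is not stable for scripts.
upgrade_only_from() {
  suite=$1
  pkgs=$(apt list --upgradable 2>/dev/null | sed -n 's#^\([^/]*\)/.*#\1#p')
  [ -n "$pkgs" ] || return 0
  # shellcheck disable=SC2086
  apt-cache policy $pkgs | upgradable_from "$suite" \
    | sed "s#\$#/$suite#" | xargs -r apt-get install --only-upgrade
}

# Stand-alone demonstration over the constructed sample.
echo "From bookworm-security: $(printf '%s\n' "$SAMPLE_POLICY" | upgradable_from bookworm-security)"
echo "From bookworm:          $(printf '%s\n' "$SAMPLE_POLICY" | upgradable_from bookworm)"
```

Run it with no arguments to see the filter applied to the sample; on a real host, `upgrade_only_from bookworm-security` does the actual work. Restricting by suite this way is stricter than `-t`, because a package whose candidate is only in the main suite is never touched, and the `pkg/suite` form keeps apt from pulling dependencies from elsewhere unless they are already satisfiable.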

2026-02-04

Russia-linked APT28 is exploiting a Microsoft Office flaw to deliver malware — old file formats, new espionage. Patch fast and lock down document workflows. 📄⚠️ #APT #OfficeSecurity

theregister.com/2026/02/02/rus

2026-02-04

Every now and then, when I come back to use my daily driver running #Debian #Linux, I am surprised that #apt still does not provide short-form commands like #pkg in #FreeBSD and #pkgin in #NetBSD do, such as:

# FreeBSD
pkg ins vim # same as pkg install vim
pkg sea vim # same as pkg search vim

# NetBSD
pkgin in vim # same as pkgin install vim
pkgin se vim # same as pkgin search vim

# while in Debian
apt search vim # no apt se/sea
apt install vim # no apt in/ins
#Unix #BSD #FOSS

2026-02-04

Quote:
#DreamSecurity determined that this wave of attacks was launched by the Chinese cyber-espionage group #MustangPanda. The group uses headline news or major issues from various countries as bait in order to steal state secrets and lurk inside US government agencies.

#APT

#中國 #駭客 (Chinese hackers) target diplomats worldwide with fake US policy documents; opening the file leads to compromise
cna.com.tw/news/aopl/202602040

VulDB (vuldb@infosec.exchange)
2026-02-03

We have added indicators: Phorpiex (+3), VShell (+2), NjRAT (+1), Eye Pyramid (+1), Gafgyt (+1), zgRAT (+2) and Interlock (+9). vuldb.com/?actor #apt #cti #ioc

2026-02-03

Morning, cyber pros! ☕ It's been a busy 24 hours with several critical vulnerabilities under active exploitation, new insights into nation-state tradecraft, and some important shifts in government cyber policy. Let's dive in:

Actively Exploited Vulnerabilities & Reconnaissance ⚠️
- Russian APT28 (Fancy Bear) is actively exploiting a recently patched Microsoft Office zero-day (CVE-2026-21509) in attacks against Ukrainian government entities and other EU organisations. They're using themed malicious DOC files to install COVENANT malware, and sometimes MiniDoor or PixyNetLoader. Patching immediately is crucial; if not, implement registry-based mitigations.
- A critical RCE flaw (CVE-2025-11953) in React Native's Metro development server is under active exploitation, delivering Rust-based malware to Windows and Linux dev systems. Attackers are using the /open-url HTTP endpoint for arbitrary OS command execution, often disabling Microsoft Defender first. With ~3,500 exposed servers, developers should patch to version 20.0.0 or later immediately.
- CISA has flagged a critical SolarWinds Web Help Desk untrusted data deserialisation RCE flaw (CVE-2025-40551) as actively exploited, mandating federal agencies patch within three days. This allows unauthenticated attackers to execute commands remotely. Admins should update to Web Help Desk 2026.1 without delay, as these products are frequent targets.
- A widespread reconnaissance campaign is targeting Citrix NetScaler infrastructure, using over 63,000 residential proxies to scan for login panels and enumerate product versions. This activity, observed between January 28 and February 2, suggests pre-exploitation mapping for known Citrix ADC weaknesses. Monitor for specific user agents, unusual access to /epa/scripts/win/nsepa_setup.exe, and outdated browser fingerprints.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/russian-state-
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

New Threat Research & Malware 🕵🏼
- Chinese state-linked APT group Lotus Blossom (aka Billbug) has been attributed with "moderate confidence" to the Notepad++ update hijacking. They exploited update infrastructure to deliver a new, sophisticated backdoor dubbed Chrysalis, using DLL sideloading, custom API hashing, and obfuscation.
- Users who downloaded suspicious Notepad++ updates between June and December 2025 should check for compromise and rotate credentials.
- A new GlassWorm malware campaign is targeting macOS systems via compromised OpenVSX extensions, stealing passwords, crypto-wallet data, and developer credentials. The threat actor compromised a legitimate developer's account to push malicious updates. Users of affected extensions should clean systems and rotate all secrets.
🕵🏼 The Register | go.theregister.com/feed/www.th
📰 The Hacker News | thehackernews.com/2026/02/note
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Recent Cyber Attacks & Breaches 🚨
- Data storage giant Iron Mountain has confirmed a breach claimed by the Everest extortion gang, but states it was mostly limited to marketing materials. Attackers used a single compromised credential to access one folder on a public-facing file-sharing server, with no ransomware deployed or other systems breached.
- Separately, a new phishing scheme is harvesting Dropbox logins using multi-stage obfuscation, with fake PDF lures hosted on legitimate cloud services. The campaign is notable for its lack of conventional malware, focusing purely on credential theft and bypassing email authentication checks.
- This highlights the importance of strong credential management and user awareness, as sophisticated social engineering can bypass technical controls.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🚨 Dark Reading | darkreading.com/cloud-security

Regulatory Issues & Changes ⚖️
- The UK's Office of Financial Sanctions Implementation (OFSI) has opened its first investigation into suspected breaches of the country's cyber sanctions regime, involving up to five financial services firms. This follows expanded monitoring and investment in crypto investigation tools.
- This underscores increased scrutiny on compliance with sanctions against state-backed and financially motivated cyber actors, with potential civil penalties up to £1 million or 50% of the breach value.
- Microsoft Azure Storage has officially stopped supporting TLS 1.0 and 1.1, with TLS 1.2 now the minimum requirement, effective February 3, 2026. Organisations still relying on these deprecated, less secure protocols for legacy systems connecting to Azure Storage will no longer be able to connect.
🗞️ The Record | therecord.media/uk-investing-f
🕵🏼 The Register | go.theregister.com/feed/www.th

Government Cyber Policy & Staffing 🏛️
- The Trump administration's second term has seen CISA scale back its election security support, leading states to seek internal funding and resources. Cuts to CISA's budget and staff, combined with a lack of dedicated congressional funding, have left states feeling isolated.
- This shift necessitates states developing more self-reliant strategies for election cybersecurity, despite CISA's claims of continued support.
- National Cyber Director Sean Cairncross is advocating for reduced cybersecurity regulatory burdens on industry and increased cooperation, urging industry feedback on friction points. He also called for industry support to pass a 10-year extension of the Cybersecurity Information Sharing Act of 2015.
🤫 CyberScoop | cyberscoop.com/cisa-election-s
🤫 CyberScoop | cyberscoop.com/sean-cairncross

Everything Else 🌐
- The AI-powered personal assistant project OpenClaw (formerly Clawdbot/Moltbot) is being described as a "security dumpster fire" due to multiple high-impact vulnerabilities, including one-click RCE and command injection flaws. Hundreds of malicious "skills" have been found, some stealing cryptocurrency.
- Users are warned against running OpenClaw on their machines due to significant security risks and unexpectedly high API costs from inefficient operations.
- Polish authorities have arrested a 20-year-old man suspected of operating a multi-layered botnet to conduct DDoS attacks on "numerous popular websites," including those of strategic importance globally.
- Recent major cloud outages underscore the critical impact on identity systems, which act as "gatekeepers" for all modern applications and services. Traditional regional high availability is often insufficient, necessitating multi-cloud strategies or on-premises alternatives and graceful degradation planning for identity architectures.
🕵🏼 The Register | go.theregister.com/feed/www.th
🕵🏼 The Register | go.theregister.com/feed/www.th
📰 The Hacker News | thehackernews.com/2026/02/when

#CyberSecurity #ThreatIntelligence #APT #Ransomware #Vulnerability #ZeroDay #RCE #SupplyChainAttack #Malware #InfoSec #IncidentResponse #CloudSecurity #ElectionSecurity #CyberPolicy #AI #DDoS
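The Citrix NetScaler reconnaissance item above suggests watching for access to `/epa/scripts/win/nsepa_setup.exe` and for unusual user agents. As an added example, not part of the digest or of any linked article, here is a small POSIX shell check over combined-format web access logs that counts distinct clients requesting that path and summarises their user agents. The log lines are constructed, the alert threshold is an assumption to tune per site, and a NetScaler's own log layout may differ, so adapt the field positions.

```shell
#!/bin/sh
# Constructed combined-log-format access lines; the 203.0.113.0/24 and
# 198.51.100.0/24 addresses are documentation ranges, not real clients.
EPA_PATH='/epa/scripts/win/nsepa_setup.exe'
SAMPLE_LOG='203.0.113.10 - - [29/Jan/2026:08:01:02 +0000] "GET /epa/scripts/win/nsepa_setup.exe HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
203.0.113.11 - - [29/Jan/2026:08:01:05 +0000] "GET /epa/scripts/win/nsepa_setup.exe HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
198.51.100.7 - - [29/Jan/2026:08:02:41 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
203.0.113.12 - - [29/Jan/2026:08:03:17 +0000] "GET /epa/scripts/win/nsepa_setup.exe HTTP/1.1" 404 0 "-" "curl/7.88.1"
203.0.113.10 - - [29/Jan/2026:08:03:20 +0000] "GET /epa/scripts/win/nsepa_setup.exe HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"'

# Log lines whose request line targets the EPA installer path (stdin -> stdout).
# Splitting on double quotes puts the request line in $2 and the UA in $6.
epa_requests() {
  awk -F'"' -v p="$EPA_PATH" 'index($2, " " p " ") { print }'
}

# Distinct client addresses that requested it, one per line, sorted.
epa_sources() {
  epa_requests | awk '{ print $1 }' | sort -u
}

epa_source_count() {
  epa_sources | wc -l | tr -d ' '
}

# User-agent strings seen on those requests, most frequent first; a single
# stale browser string repeated across many clients is the pattern to look for.
epa_user_agents() {
  epa_requests | awk -F'"' '{ print $6 }' | sort | uniq -c | sort -rn
}

# Succeeds (exit 0) when at least $1 distinct clients requested the path in
# the window covered by the log; the threshold is a tuning assumption.
epa_alert() {
  n=$(epa_source_count)
  [ "$n" -ge "$1" ]
}

# Stand-alone run over the constructed sample.
if printf '%s\n' "$SAMPLE_LOG" | epa_alert 3; then
  echo "ALERT: $(printf '%s\n' "$SAMPLE_LOG" | epa_source_count) distinct clients fetched $EPA_PATH"
fi
printf '%s\n' "$SAMPLE_LOG" | epa_user_agents
```

On a live system, replace the `printf` of the sample with `tail -n 100000 /path/to/access.log` or a `journalctl` pipe; the functions only read stdin. Because the digest describes the scanning as coming through tens of thousands of residential proxies, counting distinct sources per path over a time window is a better signal than any single address or rate limit.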

Christoffer S. (nopatience@swecyb.com)
2026-02-03

If you have not already read this multi-article deep dive into a recent Lazarus campaign, you probably should.

It's technical, it's liberal on sharing indicators, and just an overall great read.

Part IV: redasgard.com/blog/hunting-laz

Part III: redasgard.com/blog/hunting-laz

Part II: redasgard.com/blog/hunting-laz

Part I: redasgard.com/blog/hunting-laz

#Cybersecurity #ThreatIntel #Lazarus #APT #NorthKorea

2026-02-03

Anatomy of the attack on Notepad++. See the details of the attack and the methods for detection and removal

Yesterday we published an article referring to the official Notepad++ announcement about a serious and unusual supply-chain attack on the tool. The first analyses, already confirmed, have now appeared. TLDR: The modern cybersecurity landscape is undergoing a fundamental transformation in which trust in software vendors is becoming one of the most sensitive attack vectors. The incident involving the breach...

#Aktualności #Teksty #Apt #Chiny #Chrysalis #Lotusblossom #Notepad++ #Supplychain #Windows

sekurak.pl/anatomia-ataku-na-n

2026-02-03

#Rapid7 published some analysis of #malware likely dropped through the Notepad++ issue.
One of the loaders used by the malware is built with #Microsoft Warbird, a kernel-level code protection framework used by Windows. @cirosec blogged about how this framework could be abused a while back and also published a PoC on GitHub.
I'm one of the authors of that research. We included some thoughts on detection in the article, but if there are any further questions about the technique or anything, ask away :)

#notepad #chrysalis #ioc #apt #warbird

2026-02-03

Alright team, it's been a busy 24 hours in the cyber world with significant updates on supply chain attacks, actively exploited zero-days, evolving threat actor tactics, and a few stark reminders about fundamental security hygiene. Let's dive in:

Recent Cyber Attacks & Breaches ⚠️

Notepad++, eScan, and Open VSX Hit by Supply Chain Attacks
- The popular Notepad++ text editor's update mechanism was hijacked for six months by a suspected Chinese state-sponsored group (Lotus Blossom/Billbug), redirecting select users to malicious servers to deliver custom backdoors.
- eScan Antivirus update servers were compromised, distributing multi-stage malware globally by replacing a legitimate 'Reload.exe' with a rogue, unsigned version that disabled updates and fetched further payloads.
- A supply chain attack on the Open VSX Registry saw a legitimate developer's account compromised to push malicious updates embedding the GlassWorm malware loader, designed to steal macOS credentials and crypto wallet data, notably avoiding Russian locales.

🕵🏼 The Register | go.theregister.com/feed/www.th
📰 The Hacker News | thehackernews.com/2026/02/note
🤫 CyberScoop | cyberscoop.com/china-espionage
📰 The Hacker News | thehackernews.com/2026/02/esca
📰 The Hacker News | thehackernews.com/2026/02/open

NationStates, Panera Bread, and a Belgian School Suffer Breaches
- The browser game NationStates confirmed a data breach after a player exploited an RCE vulnerability in a new feature, gaining access to the production server and copying user data including email addresses and MD5 password hashes.
- Panera Bread's data breach, attributed to the ShinyHunters extortion gang via a vishing campaign targeting Microsoft Entra SSO, impacted 5.1 million unique accounts, exposing names, phone numbers, and physical addresses.
- A high school in Antwerp, Belgium, OLV Pulhof, was hit by cybercriminals (falsely claiming to be LockBit) who attempted to extort the school for €15,000, and upon refusal, directly targeted parents for €50 per child, threatening data leaks.
- The anti-ICE alert service StopICE reported a server attack, blaming a US Customs and Border Protection agent for sending alarming text messages to users, though admins state no personal data (names, addresses, GPS) was stored or compromised.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/hackers-attemp
🕵🏼 The Register | go.theregister.com/feed/www.th

Vulnerabilities & Active Exploitation 💥

APT28 Actively Exploiting New Microsoft Office Zero-Day
- Russia-linked APT28 (UAC-0001/Fancy Bear) is actively abusing CVE-2026-21509, a Microsoft Office security feature bypass zero-day, targeting Ukrainian government agencies and EU organisations.
- The attack chain involves malicious DOC attachments that, when opened, initiate a WebDAV connection to download a shortcut file, leading to DLL sideloading, shellcode deployment, and persistence via COM hijacking and scheduled tasks.
- The campaign deploys the COVENANT post-exploitation framework, routing traffic through legitimate cloud storage to evade detection, with CERT-UA urging monitoring or blocking of Filen-related traffic.

🕵🏼 The Register | go.theregister.com/feed/www.th

OpenClaw/Moltbot RCE and Database Exposure Patched
- A one-click RCE exploit chain was discovered in OpenClaw (formerly Moltbot/ClawdBot), allowing attackers to gain control by exploiting a cross-site WebSocket hijacking vulnerability due to a lack of origin header validation.
- The exploit, which takes milliseconds, could allow an attacker to retrieve authentication tokens, disable sandboxing, and execute privileged operations via node.invoke requests after a user visits a malicious webpage.
- Separately, the Moltbook social media network for AI agents, associated with OpenClaw, had its database exposed, making secret API keys freely accessible and potentially allowing attackers to post as high-profile AI agents.

🕵🏼 The Register | go.theregister.com/feed/www.th

New Threat Research on Threat Actors/Malware 🕵🏼

North Korean Labyrinth Chollima Splits into Specialised Entities
- The prolific North Korean cyber threat group Labyrinth Chollima has evolved into three distinct, coordinated entities: Golden Chollima, Pressure Chollima, and the original Labyrinth Chollima.
- Golden Chollima focuses on small-value cryptocurrency and fintech thefts in regions like the US, Europe, and South Korea, while Pressure Chollima handles high-profile financial and crypto heists, showcasing advanced technical capabilities.
- The original Labyrinth Chollima now exclusively targets malware-driven espionage against defence and manufacturing sectors, with CrowdStrike warning organisations in these sectors to be vigilant against DPRK social engineering, especially employment-themed lures and trojanised software.

🕵🏼 The Register | go.theregister.com/feed/www.th

Malicious OpenClaw/Moltbot Skills Deliver NovaStealer
- Over 230 malicious "skills" (plugins) for the OpenClaw AI assistant were published on its official registry and GitHub, impersonating legitimate utilities to deliver information-stealing malware.
- The infection occurs when users follow documentation instructions to run a fake 'AuthTool,' which on macOS is a base64-encoded shell command downloading NovaStealer, and on Windows, a password-protected ZIP archive.
- NovaStealer targets a wide array of sensitive data, including cryptocurrency exchange API keys, wallet files, seed phrases, browser wallet extensions, macOS Keychain data, browser passwords, SSH keys, and cloud credentials.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Threat Landscape & Industry Commentary 📈

Open-Source AI: A Global Security Monoculture
- Researchers warn that open-source AI deployments, particularly Ollama instances, are forming a global monoculture, with 175,108 hosts found exposed across 130 countries, largely running similar models and configurations.
- This homogeneity means a single vulnerability in how specific quantized models handle tokens could simultaneously affect a substantial portion of the exposed ecosystem, leading to widespread exploitation.
- Many exposed instances have tool-calling capabilities via API, vision capabilities, and uncensored prompt templates lacking safety guardrails, posing risks of resource hijacking, remote execution, and identity laundering if not treated as critical infrastructure with proper authentication, monitoring, and network controls.

🕵🏼 The Register | go.theregister.com/feed/www.th

Infrastructure Cyberattacks Are on the Rise
- Cyberattacks on critical infrastructure are becoming more prevalent and integrated into military strategies, as seen in attempts to disrupt the Polish grid and the US-attributed power outages in Caracas during a military operation.
- The "democratisation" of attack technologies, with open-source tools like Shodan and resources like MITRE ATT&CK, has made infrastructure attacks more accessible beyond nation-state specialisation.
- While such attacks can cause short-term disruption and confusion, their effectiveness for political extortion or as singular game-changers is limited, highlighting the need for increased awareness, spending on resilience, and clear national policies on responses.

🕵🏼 The Register | go.theregister.com/feed/www.th

"Move Fast and Break Things" Culture Undermines Supply Chain Security
- The "move fast and break things" development culture has led to vulnerable applications and services, making supply chain attacks a primary concern, as demonstrated by incidents like Microsoft SharePoint and Ivanti VPN exploits, and the Trust Wallet breach.
- Attackers increasingly target older applications with legacy code vulnerabilities and complex cloud platforms by compromising third-party integrations, software dependencies, and poorly managed APIs.
- To counter this, software publishers must prioritise security by adopting "zero vulnerability" goals, testing compiled binaries, and embracing transparency through Software Bills of Materials (SBOMs, MLBOMs, SaaSBOMs) to ensure secure and resilient technology.

🤫 CyberScoop | cyberscoop.com/move-fast-break

Data Privacy & Best Practices 🔒

Booz Allen Hamilton Loses Treasury Contracts Over Data Leak
- The US Treasury Department has terminated 31 contracts with consulting firm Booz Allen Hamilton, totaling $4.8 million annually, citing the company's failure to implement adequate safeguards for sensitive taxpayer data.
- This decision follows a former BAH employee, Charles Littlejohn, pleading guilty to stealing and leaking confidential tax returns of high-profile US citizens, including Donald Trump and Elon Musk, between 2018 and 2020.
- The incident underscores the severe consequences for contractors who fail to protect sensitive government data, highlighting the critical need for robust internal security controls and data handling policies.

🕵🏼 The Register | go.theregister.com/feed/www.th

McDonald's Urges Better Password Hygiene
- McDonald's Netherlands used "Change Your Password Day" to highlight poor password practices, noting that terms like "bigmac" and its leetspeak variants appear over 110,000 times in compromised password corpuses.
- The campaign, including public advertisements, warns against using easily guessable product names or simple character substitutions (e.g., Ch!ck3nMcN4gg€t$) as these are easily brute-forced by attackers.
- This serves as a reminder for all users, not just "normies," to adopt stronger password practices, such as long passphrases, randomised passwords, password managers, and multi-factor authentication, to counter widespread cybercriminal reliance on weak credentials.

🕵🏼 The Register | go.theregister.com/feed/www.th

Regulatory & Policy Changes 📜

Microsoft Begins NTLM Phase-Out to Kerberos
- Microsoft has initiated a three-phase plan to phase out the legacy NTLM authentication protocol in Windows environments, aiming to shift towards more secure, Kerberos-based options.
- NTLM, deprecated in June 2024 due to its susceptibility to replay, relay, and man-in-the-middle attacks, is still prevalent in enterprise environments due to legacy dependencies, posing significant security risks.
- The transition involves enhanced NTLM auditing (Phase 1, available now), addressing migration roadblocks with features like IAKerb and local KDC (Phase 2, H2 2026), and finally disabling NTLM by default in future Windows Server and client versions (Phase 3), requiring explicit re-enablement.

📰 The Hacker News | thehackernews.com/2026/02/micr

#CyberSecurity #ThreatIntelligence #SupplyChainAttack #ZeroDay #RCE #APT #Malware #Ransomware #DataBreach #InfoSec #IncidentResponse #Vulnerability #AI #CriticalInfrastructure #PasswordSecurity #NTLM #Kerberos #Pentesting

VulDB (vuldb@infosec.exchange)
2026-02-02

We have updated indicators: Gh0stnet (+2), MintsLoader (+1), Vidar (+1), Empire Downloader (+1), Bashlite (+2), Chaos (+1) and Amadey (+2). vuldb.com/?actor #apt #cti #ioc

Sikorski Arkadiusz (sikorski@ublog.tech)
2026-02-02

Warning: Failed to fetch apt.llvm.org/trixie/dists/llvm Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 6084F3CF814B57C1CF12EFD515CF4D18AF4F7421 is not bound: No binding signature at time 2025-08-09T21:49:56Z because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
#llvm #programing #linux #sha1 #apt
--> github.com/llvm/llvm-project/i

Gauff 🇪🇺 (gaufff@piaille.fr)
2026-02-02

#IT #admin friends, I'm stuck. I'm pushing a #linux #debian config to some computers in my school after forcing it to #apt install what I need, and then copying a skeleton of config files. Systems are in French (FR-BE) set during installation.

For some reason, #Firefox (available without an extra install), stays in English. I want to avoid requiring manual work to switch all instances to French.

I have tried tweaking prefs.js, user.js, policies, ... But nothing works. At best, a prompt shows up in the options, which requires a click.

Any idea how to natively have Firefox in French, or if in English, to switch it to English in an automated way?

Thank you!

2026-02-02

🚨 RedKitten runs AI-accelerated malware campaign tied to Iranian protests
Weaponized Excel lures deploy SloppyMIO using GitHub, Google Drive & Telegram C2.

technadu.com/state-aligned-act

#InfoSec #ThreatIntel #Iran #AIThreats #APT

State-Aligned Actors Exploit Unrest with RedKitten AI-Accelerated Campaign Targeting Iranian Protests
2026-02-02

Serious Notepad++ supply-chain breach: the updates were malicious

As the official N++ announcement states, the Notepad++ update server was taken over at the level of the hosting provider's infrastructure, which allowed the attackers to intercept and redirect update traffic to a server under their control without having to break into the Notepad++ code repository. The attackers impersonated the official update mechanism and, for selected, "interesting" victims, returned malicious...

#WBiegu #Aktualizacje #Apt #Hacking #Notepad++ #SupplyChain #Wyciek

sekurak.pl/powazne-naruszenie-

VulDB (vuldb@infosec.exchange)
2026-02-01

We have updated these actors: Kaiji (+1), AdaptixC2 (+1), Havoc (+1), SVCStealer (+1), Odyssey Stealer (+1), GhostSocks (+1) and ValleyRAT (+2). vuldb.com/?actor #apt #cti #ioc

Client Info

Server: https://mastodon.social
Version: 2025.07
Repository: https://github.com/cyevgeniy/lmst