#apt

VulDB (verified) vuldb@infosec.exchange
2026-02-09

Added more indicators for: RedLine Stealer (+1), DCRat (+1), Eye Pyramid (+1), AsyncRAT (+2), NjRAT (+1), m0yv (+1) and Metamorfo (+1). vuldb.com/?actor #apt #cti #ioc

2026-02-09

UNC3886 targeted Singapore’s telecom infrastructure, impacting Singtel, StarHub, M1 & Simba.

Limited access, small technical data exfiltration, no customer data exposed.

technadu.com/unc3886-cyber-esp

What lessons should telecoms take from this?

#Infosec #APT #TelecomSecurity

UNC3886 Cyber Espionage Group Linked to Singapore Telecom Infrastructure Cyberattacks: Singtel, StarHub, M1, Simba Telecom

VulDB (verified) vuldb@infosec.exchange
2026-02-08

Added some indicators for: Coinminer (+1), neshta (+1), DarkComet (+1), SHEETCREEP (+1), Gafgyt (+1), PureLogs Stealer (+1) and VShell (+2). vuldb.com/?actor #apt #cti #ioc

2026-02-08

This thread about #apt is so bizarre I can't help but share it. reddit.com/r/Crostini/comments

VulDB (verified) vuldb@infosec.exchange
2026-02-07

Added indicators for: zgRAT (+1), Hook (+1), DeimosC2 (+1), Vidar (+3), DCRat (+2), Gafgyt (+1) and Empire Downloader (+2). vuldb.com/?actor #apt #cti #ioc

2026-02-07

Hello everyone! It's been a pretty active 24 hours in the cyber world, with a significant ransomware incident, a deep dive into a global state-sponsored espionage campaign, and some critical warnings about social engineering on messaging apps. We're also seeing more scrutiny on biometric data and AI surveillance. Let's get into it:

Payment Gateway Hit by Ransomware ⚠️
- BridgePay Network Solutions, a major US payment gateway, has confirmed a ransomware attack caused widespread outages across its core production systems.
- The incident, which began on Friday, led to merchants nationwide being unable to process card payments, forcing some to go cash-only.
- While initial forensics suggest no payment card data was compromised, the attack encrypted files and highlights the critical impact of ransomware on payment infrastructure.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Global Espionage Operation 'Shadow Campaigns' Uncovered 🕵️
- Palo Alto Networks' Unit 42 has detailed "Shadow Campaigns," a global espionage operation by an Asia-based state-sponsored actor (tracked as TGR-STA-1030/UNC6619) active since January 2024.
- The group has compromised at least 70 government and critical infrastructure organisations in 37 countries, with reconnaissance efforts targeting 155 nations.
- Initial access methods include tailored phishing with a custom 'Diaoyu' loader and exploitation of 15 known vulnerabilities, alongside the deployment of 'ShadowGuard', a custom Linux kernel eBPF rootkit designed for stealthy persistence.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu

State-Sponsored Signal Phishing Targets High-Value Individuals 📱
- German intelligence agencies (BfV and BSI) are warning of state-sponsored phishing attacks via the Signal messaging app, targeting politicians, military personnel, diplomats, and journalists.
- Attackers impersonate "Signal Support" to trick victims into revealing their Signal PIN or scanning a malicious QR code, gaining access to contacts, profile information, and potentially message history.
- This campaign doesn't exploit Signal vulnerabilities but weaponises its legitimate features; similar tactics could extend to WhatsApp, underscoring the need for Registration Lock and vigilance against social engineering.

📰 The Hacker News | thehackernews.com/2026/02/germ

Biometric Surveillance Under Scrutiny 🔒
- New York City's MTA is trialling AI-powered cameras in subway gates to detect fare evasion, generating physical descriptions of suspected individuals and raising significant privacy concerns.
- This initiative is part of a broader trend of increasing biometric surveillance in NYC by both government and retailers, prompting warnings about "sleepwalking into a surveillance state."
- Separately, the DHS Inspector General has launched an audit into the Department of Homeland Security's privacy practices, specifically focusing on the collection and management of biometric data by ICE and OBIM amid allegations of civil liberties violations.

🗞️ The Record | therecord.media/nyc-explores-a
🤫 CyberScoop | cyberscoop.com/dhs-ig-audit-ic

#CyberSecurity #Ransomware #Espionage #APT #StateSponsored #Phishing #SocialEngineering #SignalApp #DataPrivacy #BiometricSurveillance #AI #InfoSec #ThreatIntelligence #IncidentResponse

2026-02-07

Traceback errors with add-apt-repository on 24.04 #apt #2404 #ppa

askubuntu.com/q/1563710/612

2026-02-07

Chapelle Sainte-Catherine in #Apt (#Vaucluse). Built in the second half of the 17th century. Chapelle Sainte-Catherine (cadastral parcel AW 210): listed as a historic monument by order of 31 December 1984.
More 👉 https://monumentum.fr/monument-historique/pa00081802/apt-chapelle-sainte-catherine
#Patrimoine #MonumentHistorique
Photo CC-BY-SA 4.0: Véronique PAGNIER

2026-02-07

Is there a tool for #Linux / #Debian that reliably notifies me about #Updates (by mail, but ideally via #Matrix)?
I would like to be notified automatically about updates to a defined set of packages (#Pakete, #apt), #GitHub etc. and #Docker (*ugh*).

2026-02-07

Software Updater vs. command line in 24.04 with Ubuntu Pro #apt #updates #updatemanager

askubuntu.com/q/1563682/612

2026-02-07

Software Updater vs Command Line in 24.04 LTS with Ubuntu Pro #apt #updates #updatemanager

askubuntu.com/q/1563682/612

VulDB (verified) vuldb@infosec.exchange
2026-02-06

New indicators for: DoublePulsar (+1), AdWind (+1), Xtreme RAT (+1), Ghost RAT (+1), PureLogs Stealer (+1), NjRAT (+1) and Sliver (+1). vuldb.com/?actor #apt #cti #ioc

2026-02-06

My apt 3.0.3 on Debian does parallel downloads!!
#linux #apt #debian

2026-02-06

Alright team, it's been a pretty packed 24 hours in the cyber world! We've got updates on several significant breaches, some deep dives into nation-state tradecraft, critical actively exploited vulnerabilities, and important regulatory shifts. Let's get stuck in:

Recent Cyber Attacks and Breaches ⚠️

- Spain's Ministry of Science has partially shut down its IT systems following a "technical incident". A threat actor, 'GordonFreeman', claimed responsibility, alleging an Insecure Direct Object Reference (IDOR) vulnerability granted them full admin access and allowed the exfiltration of personal records, emails, and application data.
- Romania's national oil pipeline operator, Conpet, confirmed a cyberattack disrupted parts of its IT infrastructure and took its website offline. While oil transport operations (OT systems) remained functional, the Qilin ransomware group has claimed responsibility, listing Conpet on their leak site and alleging the theft of nearly one terabyte of data.
- Photo-sharing platform Flickr is notifying users of a potential data breach stemming from a vulnerability in a third-party email service provider. The incident may have exposed users' real names, email addresses, Flickr usernames, IP addresses, general location data, and account activity, though passwords and payment card numbers were not compromised.
- An Illinois man, Kyle Svara, pleaded guilty to hacking nearly 600 women's Snapchat accounts between May 2020 and February 2021. He used social engineering to phish access codes, then downloaded private photos, which he kept, sold, or traded online. Svara also admitted to hacking accounts at the request of a former university track coach previously convicted of sextortion.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/romania-conpet
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/illinois-man-p

New Threat Research on Threat Actors, Malware, and Techniques 🛡️

- Palo Alto Networks Unit 42 has uncovered TGR-STA-1030, a previously undocumented Asian state-backed cyber espionage group that has breached at least 70 government and critical infrastructure organisations across 37 countries since January 2024. The group uses phishing to deliver a dual-stage Diaoyu Loader, which then deploys Cobalt Strike, and also exploits N-day vulnerabilities in various software.
- Norway's domestic security agency (PST) confirmed that the Chinese state-sponsored espionage campaign, Salt Typhoon, has compromised network devices within Norwegian organisations. This campaign, known for targeting telecommunications and critical infrastructure, highlights an increasing threat from foreign intelligence services, particularly from China, Russia, and Iran, which are employing hybrid tactics to undermine Norway's resilience.
- Cisco Talos researchers have detailed DKnife, a China-nexus gateway-monitoring and adversary-in-the-middle (AitM) framework active since at least 2019. This Linux-based toolkit, comprising seven implants, performs deep packet inspection, manipulates traffic, and delivers malware like ShadowPad and DarkNimbus via routers and edge devices, primarily targeting Chinese-speaking users.
- Threat actors are weaponising a Windows kernel driver from the legitimate forensic tool EnCase to disable security products, despite its digital certificate being revoked over a decade ago. This bring-your-own-vulnerable-driver (BYOVD) technique exploits gaps in Windows' Driver Signature Enforcement, allowing older, unsigned drivers to load and terminate EDR processes before detection.
- Germany's domestic intelligence agency (BfV) and Federal Office for Information Security (BSI) are warning of suspected state-sponsored threat actors targeting high-ranking individuals in Germany and Europe through Signal account hijacking. These attacks use social engineering, not malware, to trick targets into sharing Signal PINs for full account takeover or scanning QR codes to link attacker-controlled devices for chat monitoring.

📰 The Hacker News | thehackernews.com/2026/02/asia
🗞️ The Record | therecord.media/norawy-intelli
📰 The Hacker News | thehackernews.com/2026/02/chin
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕶️ Dark Reading | darkreading.com/threat-intelli
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Vulnerabilities and Active Exploitation 🚨

- CISA is warning that ransomware actors are actively exploiting CVE-2026-24423, a critical remote code execution (RCE) vulnerability in SmarterMail (versions prior to build 9511). The flaw allows unauthenticated RCE via the ConnectToHub API, and CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch or remove the product by February 26, 2026.
- The experimental AI agent social platform 'Moltbook' publicly exposed its entire user database, including secrets, PII, and API keys, due to an unsecured internal database. Furthermore, the underlying OpenClaw agent platform's 'ClawHub' marketplace was found to contain 283 skills (7.1% of the total) that leak sensitive credentials via prompt injection, and 76 malicious payloads designed for credential theft, backdoor installation, and data exfiltration.
- Indirect prompt injection attacks against OpenClaw agents have been demonstrated, allowing attackers to backdoor user machines and steal sensitive data or perform destructive operations. This is particularly concerning due to AI agents' integrations with productivity tools like Google Workspace and Slack, enabling attackers to deliver malicious prompts that can lead to the deployment of C2 beacons for long-term remote access.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕶️ Dark Reading | darkreading.com/cyber-risk/age
🕵🏼 The Register | go.theregister.com/feed/www.th

Threat Landscape Commentary 🌍

- Cloudflare reported a significant surge in DDoS attacks in Q4 2025, with volumes jumping 31% from the previous quarter and 58% year-over-year, totalling 47.1 million attacks. The UK experienced an unwelcome leap of 36 places to become the world's sixth-most targeted location, with financial services, telecoms, IT, and gambling/gaming sectors being primary targets.
- A new tool, KEV Collider, has been developed by Tod Beardsley (former CISA KEV section chief) to help security teams better triage CISA's Known Exploited Vulnerabilities (KEV) Catalog. The tool combines KEV data with other metrics like CVSS and EPSS scores, and Metasploit automation status, to provide a more relevant and prioritised view of vulnerabilities, acknowledging that the KEV list isn't a universal "must-patch" for all organisations.

🕵🏼 The Register | go.theregister.com/feed/www.th
🕶️ Dark Reading | darkreading.com/threat-intelli

Regulatory Issues and Changes 🏛️

- CISA has issued Binding Operational Directive 26-02, mandating U.S. Federal Civilian Executive Branch (FCEB) agencies to identify and remove end-of-life (EOL) network edge devices that no longer receive security updates from manufacturers. Agencies have three months to inventory these devices and 12-18 months to decommission and replace them, aiming to mitigate significant risks posed by advanced threat actors exploiting unsupported hardware.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
📰 The Hacker News | thehackernews.com/2026/02/cisa

AI for Vulnerability Discovery 🤖

- Anthropic's latest large language model (LLM), Claude Opus 4.6, has demonstrated impressive capabilities by discovering over 500 previously unknown high-severity security flaws in major open-source libraries, including Ghostscript, OpenSC, and CGIF. The model was able to identify these vulnerabilities without task-specific tooling or specialised prompting, showcasing its advanced coding, code review, and debugging skills.

📰 The Hacker News | thehackernews.com/2026/02/clau

#CyberSecurity #ThreatIntelligence #Ransomware #NationState #APT #Vulnerability #RCE #ActiveExploitation #AI #DataBreach #SocialEngineering #DDoS #IncidentResponse #InfoSec #CISA #EDR #BYOVD #SupplyChainSecurity

🐦‍🔥nemo™🐦‍⬛ 🇺🇦🍉 nemo@mas.to
2026-02-06

Lotus Blossom hackers quietly abused Notepad++ updates to deploy a new “Chrysalis” backdoor in a months-long supply-chain cyber‑espionage campaign, researchers warn. 🔍💻 Details: cyberinsider.com/lotus-blossom #cybersecurity #infosec #APT #Newz

2026-02-06

Getting kernel errors when updating, 'make' KERNELVER=6.17.0-14-generic.........................(bad exit status: 2), lubuntu #apt #kernel #2404 #amdgpu

askubuntu.com/q/1563650/612

I have had a strange issue lately with my Debian machines, in that the repos were ignoring that updates existed.

I had to swap from deb.debian.org/debian to
ftp.se.debian.org/debian and only then was I able to get updates.

Suddenly one machine that said 13.2 was latest found out that 13.3 existed.

Strange little bug I suppose.

#debian #apt

VulDB (verified) vuldb@infosec.exchange
2026-02-05

Updated threat actors: PureRAT (+1), Gafgyt (+1), Empire Downloader (+1), MimiKatz (+1), SmartApeSG (+1), Havoc (+4) and P2Pinfect (+8). vuldb.com/?actor #apt #cti #ioc

CyberNetsecIO netsecio
2026-02-05

📰 'Shadow Campaign' Hacks Governments in 37 Countries, China-Linked Group Suspected

MASSIVE ESPIONAGE: A suspected Chinese APT's 'Shadow Campaign' has hacked 70+ government & critical orgs in 37 countries. 🌏 Recon targeted 155 nations. High-value targets include police and parliaments.

🔗 cyber.netsecops.io/articles/sh

CyberNetsecIO netsecio
2026-02-05

📰 Chinese APT 'Amaranth-Dragon' Hits Southeast Asian Governments with WinRAR Exploit

🇨🇳 New Chinese APT 'Amaranth-Dragon' targets Southeast Asian governments. Exploits WinRAR flaw CVE-2025-8088 for initial access. Uses custom 'TGAmaranth RAT' with Telegram for stealthy C2. 🐉

🔗 cyber.netsecops.io/articles/ch
