#pentesting

2026-02-04

So, one of my resolutions this year was to write more code.
I love to break stuff, but last year I reignited my passion for coding and I would really love to contribute to the community that has given me so much and continues to do so.
And contributing works a lot better by creating, rather than breaking.

So I created a codeberg account. And I already have a first repo published!
I called it Axmar.
Axmar is a C# implementation of the SilentHarvest technique that was published last year.
It uses backup access and rarely used APIs to (mostly) stealthily read the local credentials database on Windows systems.

Enjoy!

codeberg.org/Ti-Kallisti/Axmar

#foss #coding #infosec #malware #pentesting #redteaming #codeberg #windows #csharp

2026-02-03

Alright team, it's been a busy 24 hours in the cyber world with significant updates on supply chain attacks, actively exploited zero-days, evolving threat actor tactics, and a few stark reminders about fundamental security hygiene. Let's dive in:

Recent Cyber Attacks & Breaches ⚠️

Notepad++, eScan, and Open VSX Hit by Supply Chain Attacks
- The popular Notepad++ text editor's update mechanism was hijacked for six months by a suspected Chinese state-sponsored group (Lotus Blossom/Billbug), redirecting select users to malicious servers to deliver custom backdoors.
- eScan Antivirus update servers were compromised, distributing multi-stage malware globally by replacing a legitimate 'Reload.exe' with a rogue, unsigned version that disabled updates and fetched further payloads.
- A supply chain attack on the Open VSX Registry saw a legitimate developer's account compromised to push malicious updates embedding the GlassWorm malware loader, designed to steal macOS credentials and crypto wallet data, notably avoiding Russian locales.

๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th
๐Ÿ“ฐ The Hacker News | thehackernews.com/2026/02/note
๐Ÿคซ CyberScoop | cyberscoop.com/china-espionage
๐Ÿ“ฐ The Hacker News | thehackernews.com/2026/02/esca
๐Ÿ“ฐ The Hacker News | thehackernews.com/2026/02/open

NationStates, Panera Bread, and a Belgian School Suffer Breaches
- The browser game NationStates confirmed a data breach after a player exploited an RCE vulnerability in a new feature, gaining access to the production server and copying user data including email addresses and MD5 password hashes.
- Panera Bread's data breach, attributed to the ShinyHunters extortion gang via a vishing campaign targeting Microsoft Entra SSO, impacted 5.1 million unique accounts, exposing names, phone numbers, and physical addresses.
- A high school in Antwerp, Belgium, OLV Pulhof, was hit by cybercriminals (falsely claiming to be LockBit) who attempted to extort the school for €15,000, and upon refusal, directly targeted parents for €50 per child, threatening data leaks.
- The anti-ICE alert service StopICE reported a server attack, blaming a US Customs and Border Protection agent for sending alarming text messages to users, though admins state no personal data (names, addresses, GPS) was stored or compromised.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/hackers-attemp
🕵🏼 The Register | go.theregister.com/feed/www.th

Vulnerabilities & Active Exploitation 💥

APT28 Actively Exploiting New Microsoft Office Zero-Day
- Russia-linked APT28 (UAC-0001/Fancy Bear) is actively abusing CVE-2026-21509, a Microsoft Office security feature bypass zero-day, targeting Ukrainian government agencies and EU organisations.
- The attack chain involves malicious DOC attachments that, when opened, initiate a WebDAV connection to download a shortcut file, leading to DLL sideloading, shellcode deployment, and persistence via COM hijacking and scheduled tasks.
- The campaign deploys the COVENANT post-exploitation framework, routing traffic through legitimate cloud storage to evade detection, with CERT-UA urging monitoring or blocking of Filen-related traffic.

๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th

OpenClaw/Moltbot RCE and Database Exposure Patched
- A one-click RCE exploit chain was discovered in OpenClaw (formerly Moltbot/ClawdBot), allowing attackers to gain control by exploiting a cross-site WebSocket hijacking vulnerability due to a lack of origin header validation.
- The exploit, which takes milliseconds, could allow an attacker to retrieve authentication tokens, disable sandboxing, and execute privileged operations via node.invoke requests after a user visits a malicious webpage.
- Separately, the Moltbook social media network for AI agents, associated with OpenClaw, had its database exposed, making secret API keys freely accessible and potentially allowing attackers to post as high-profile AI agents.

๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th

New Threat Research on Threat Actors/Malware 🕵🏼

North Korean Labyrinth Chollima Splits into Specialised Entities
- The prolific North Korean cyber threat group Labyrinth Chollima has evolved into three distinct, coordinated entities: Golden Chollima, Pressure Chollima, and the original Labyrinth Chollima.
- Golden Chollima focuses on small-value cryptocurrency and fintech thefts in regions like the US, Europe, and South Korea, while Pressure Chollima handles high-profile financial and crypto heists, showcasing advanced technical capabilities.
- The original Labyrinth Chollima now exclusively targets malware-driven espionage against defence and manufacturing sectors, with CrowdStrike warning organisations in these sectors to be vigilant against DPRK social engineering, especially employment-themed lures and trojanised software.

๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th

Malicious OpenClaw/Moltbot Skills Deliver NovaStealer
- Over 230 malicious "skills" (plugins) for the OpenClaw AI assistant were published on its official registry and GitHub, impersonating legitimate utilities to deliver information-stealing malware.
- The infection occurs when users follow documentation instructions to run a fake 'AuthTool,' which on macOS is a base64-encoded shell command downloading NovaStealer, and on Windows, a password-protected ZIP archive.
- NovaStealer targets a wide array of sensitive data, including cryptocurrency exchange API keys, wallet files, seed phrases, browser wallet extensions, macOS Keychain data, browser passwords, SSH keys, and cloud credentials.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Threat Landscape & Industry Commentary 📈

Open-Source AI: A Global Security Monoculture
- Researchers warn that open-source AI deployments, particularly Ollama instances, are forming a global monoculture, with 175,108 hosts found exposed across 130 countries, largely running similar models and configurations.
- This homogeneity means a single vulnerability in how specific quantized models handle tokens could simultaneously affect a substantial portion of the exposed ecosystem, leading to widespread exploitation.
- Many exposed instances have tool-calling capabilities via API, vision capabilities, and uncensored prompt templates lacking safety guardrails, posing risks of resource hijacking, remote execution, and identity laundering if not treated as critical infrastructure with proper authentication, monitoring, and network controls.

๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th

Infrastructure Cyberattacks Are on the Rise
- Cyberattacks on critical infrastructure are becoming more prevalent and integrated into military strategies, as seen in attempts to disrupt the Polish grid and the US-attributed power outages in Caracas during a military operation.
- The "democratisation" of attack technologies, with open-source tools like Shodan and resources like MITRE ATT&CK, has made infrastructure attacks more accessible beyond nation-state specialisation.
- While such attacks can cause short-term disruption and confusion, their effectiveness for political extortion or as singular game-changers is limited, highlighting the need for increased awareness, spending on resilience, and clear national policies on responses.

๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th

"Move Fast and Break Things" Culture Undermines Supply Chain Security
- The "move fast and break things" development culture has led to vulnerable applications and services, making supply chain attacks a primary concern, as demonstrated by incidents like the Microsoft SharePoint and Ivanti VPN exploits, and the Trust Wallet breach.
- Attackers increasingly target older applications with legacy code vulnerabilities and complex cloud platforms by compromising third-party integrations, software dependencies, and poorly managed APIs.
- To counter this, software publishers must prioritise security by adopting "zero vulnerability" goals, testing compiled binaries, and embracing transparency through Software Bills of Materials (SBOMs, MLBOMs, SaaSBOMs) to ensure secure and resilient technology.

🤫 CyberScoop | cyberscoop.com/move-fast-break

Data Privacy & Best Practices 🔒

Booz Allen Hamilton Loses Treasury Contracts Over Data Leak
- The US Treasury Department has terminated 31 contracts with consulting firm Booz Allen Hamilton, totaling $4.8 million annually, citing the company's failure to implement adequate safeguards for sensitive taxpayer data.
- This decision follows a former BAH employee, Charles Littlejohn, pleading guilty to stealing and leaking confidential tax returns of high-profile US citizens, including Donald Trump and Elon Musk, between 2018 and 2020.
- The incident underscores the severe consequences for contractors who fail to protect sensitive government data, highlighting the critical need for robust internal security controls and data handling policies.

๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th

McDonald's Urges Better Password Hygiene
- McDonald's Netherlands used "Change Your Password Day" to highlight poor password practices, noting that terms like "bigmac" and its leetspeak variants appear over 110,000 times in compromised password corpuses.
- The campaign, including public advertisements, warns against using easily guessable product names or simple character substitutions (e.g., Ch!ck3nMcN4gg€t$) as these are easily brute-forced by attackers.
- This serves as a reminder for all users, not just "normies," to adopt stronger password practices, such as long passphrases, randomised passwords, password managers, and multi-factor authentication, to counter widespread cybercriminal reliance on weak credentials.

๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th

Regulatory & Policy Changes 📜

Microsoft Begins NTLM Phase-Out to Kerberos
- Microsoft has initiated a three-phase plan to phase out the legacy NTLM authentication protocol in Windows environments, aiming to shift towards more secure, Kerberos-based options.
- NTLM, deprecated in June 2024 due to its susceptibility to replay, relay, and man-in-the-middle attacks, is still prevalent in enterprise environments due to legacy dependencies, posing significant security risks.
- The transition involves enhanced NTLM auditing (Phase 1, available now), addressing migration roadblocks with features like IAKerb and local KDC (Phase 2, H2 2026), and finally disabling NTLM by default in future Windows Server and client versions (Phase 3), requiring explicit re-enablement.

📰 The Hacker News | thehackernews.com/2026/02/micr

#CyberSecurity #ThreatIntelligence #SupplyChainAttack #ZeroDay #RCE #APT #Malware #Ransomware #DataBreach #InfoSec #IncidentResponse #Vulnerability #AI #CriticalInfrastructure #PasswordSecurity #NTLM #Kerberos #Pentesting

Six hundred grand for a pen test? Yeah, ok, the accommodations weren't great, but picky picky.

darkreading.com/cybersecurity-

#pentesting #legal

2026-02-01

I decided to dust off some of my dormant pentesting skills. I picked up some Hack The Box, and after several rooted boxes I've now reached the Hacker rank.

labs.hackthebox.com/achievemen

#hackthebox #hacking #pentesting #ctf

Obtained the Hacker rank on HTB
Rubén Santos García (rsgbengi@infosec.exchange)
2026-02-01

WiFi hacking isn't magic. It's fundamentals and proper hardware.

I wrote a practical guide on WiFi security testing.

Part 1 👇
kayssel.com/newsletter/issue-3

#infosec #cybersecurity #pentesting

2026-02-01

Burp Suite: A Comprehensive Web Security Testing Tool for Beginners
Burp Suite is a powerful web application security testing tool primarily used by ethical hackers, penetration testers, and cybersecurity students. It intercepts, analyzes, and modifies HTTP/HTTPS traffic between the browser and a website to identify security vulnerabilities such as weak login systems, input validation issues, and authentication problems. The main components of Burp Suite include Proxy, Target, Repeater, Intruder, Scanner (Pro Version), Decoder, and Comparer. By intercepting and manipulating HTTPS traffic with its CA Certificate, users can safely analyze secure websites for learning and testing purposes. A real-life example involves testing a login page, intercepting the request using Burp Proxy, modifying parameters, and checking the server's response to discover potential security flaws. Key lesson: Burp Suite is an essential tool for beginners looking to learn web security testing and discover vulnerabilities in applications. #BugBounty #Cybersecurity #WebSecurity #PenTesting #EthicalHacking

shadowattackers.medium.com/bur

2026-01-31

I couldn't resist! Say hello to my little RF hacking toy. Took out this Christmas gift for a test spin today, and it worked like a charm.

#RF #hacking #pentesting #chameleonultra #NFC #RFID #gadgets

Chameleon Ultra device
Kevin Karhan (kkarhan@infosec.space)
2026-01-30

@BrideOfLinux THIS is why one has explicit comms prepared to get released immediately.

#RedTeam #RedTeaming #Pentesting #PhysicalSecurity #Itsec #InfoSec #OpSec #ComSec

From pentesting tips to cloud defense, today's curated cyber playlist has it all. 🎥 youtube.com/playlist?list=PLXq
#PenTesting #AppSec #CyberSecurity #ThreatIntelligence #IncidentResponse

2026-01-29

TaskHound hunts privileged Windows scheduled tasks and exports them for BloodHound attack path analysis.

github.com/1r0BIT/TaskHound

#infosec #pentesting #redteam

2026-01-28

🚀 RF Swift v0.7.1!
New "--realtime" mode and associated features ⚡ Killing SDR buffer underruns!
rfswift run -i <image> -n sdr --realtime
📡 rfswift.io
#SDR #HamRadio #RF #pentesting #realtime

2026-01-28

I once talked about bug bounty platforms and warned the community about them.

There are deeper issues with these platforms:

linkedin.com/pulse/transparenc

Platforms are paid by vendors, so they listen to vendors. A lot of these vendors abuse the platform to silence offensive researchers and the platforms don't care.

โžก๏ธ My recommendation remains โฌ…๏ธ

  • contact vendors directly via email
  • use your national CERT for escalations

If you're in Europe: you're in luck, from 2027 the Cyber Resilience Act (CRA) will make it mandatory to have a responsible disclosure process, so European vendors have to answer to the national CERT (or get fined).

#PenetrationTesting #pentesting #responsibledisclosure #infosec #cybersecurity #CRA #CyberResilienceAct

dan_nanni
2026-01-27

My top GitHub list for cybersecurity projects is updated for this month 😎👇

Explore top-ranked FOSS projects spanning both the defensive and offensive sides of cybersecurity.

Find a high-res pdf book with all my cybersecurity related infographics from study-notes.org

Chema Alonso (chemaalonso@ioc.exchange)
2026-01-27

El lado del mal - Prompt Injection with Adversarial Preprocessing Attacks on Images using Anamorpher elladodelmal.com/2026/01/promp #PromptInjection #Gemini #AdversarialAttacks #ImageScaling #IA #AI #Hacking #Pentesting

2026-01-25

New blog post!
This is the longest one in quite a while.

Last year, I held a presentation about the basics of Active Directory pentesting, focusing on "quick wins", easy to exploit vulnerabilities with huge impact.
I turned that presentation into a blog post.

The result is a surface-level overview of some of the most severe Active Directory vulnerabilities.

I hope it can be useful for aspiring pentesters and Active Directory admins alike.

ti-kallisti.com/general/ms/ad-

#redteam #pentesting #infosec #ActiveDirectory #sysadmin #Microsoft #Windows

2026-01-25

@cR0w The ATMs rebooted every day at 5:00am. The AUTOEXEC.BAT had like 5 instances of HIDESTART.EXE trying to hide the start menu during boot.

These machines had dozens of plaintext files with the full, raw, magnetic stripe track data from every card it had handled in the last 30 days.

My contact told me that one day, some drunk was walking past one of these and saw it reboot. He caught the start menu and started exploring. Did he open notepad and start perusing credit card and debit card data?

No. He opened up MS paint, made it full screen, drew a crude penis using the touch screen, and walked off.

@RickiTarr

#pentesting #pentest

2026-01-24

NetExec Lab is a set of hands-on labs used in the NetExec workshop and CTF to help you master NetExec for your next pentest engagement.

github.com/Pennyw0rth/NetExec-

#infosec #pentesting
