Notepad++ Hijacked by State-Sponsored Hackers
https://notepad-plus-plus.org/news/hijacked-incident-info-update/
https://notepad-plus-plus.org/news/hijacked-incident-info-update/
LookOut: Discovering RCE and Internal Access on Looker (Google Cloud & On-Prem)
https://www.tenable.com/blog/google-looker-vulnerabilities-rce-internal-access-lookout
https://www.tenable.com/blog/google-looker-vulnerabilities-rce-internal-access-lookout
Tenable®
LookOut: Discovering RCE and Internal Access on Looker (Google Cloud & On-Prem)
Tenable Research discovered two novel vulnerabilities in Google Looker that could allow an attacker to completely compromise a Looker instance. Google moved swiftly to patch these issues. Organizations running Looker on-prem should verify they have upgraded…
Web Traffic Hijacking: When Your Nginx Configuration Turns Malicious
https://securitylabs.datadoghq.com/articles/web-traffic-hijacking-nginx-configuration-malicious/
https://securitylabs.datadoghq.com/articles/web-traffic-hijacking-nginx-configuration-malicious/
Datadoghq
Web Traffic Hijacking: When Your Nginx Configuration Turns Malicious
Datadog Security Research has identified an active web traffic hijacking campaign that targets NGINX installations and management panels like Baota (BT). In this post, we provide our analysis of the techniques this campaign uses and share indicators of compromise…
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Fake 7-Zip downloads are turning home PCs into proxy nodes
https://www.malwarebytes.com/blog/threat-intel/2026/02/fake-7-zip-downloads-are-turning-home-pcs-into-proxy-nodes
https://www.malwarebytes.com/blog/threat-intel/2026/02/fake-7-zip-downloads-are-turning-home-pcs-into-proxy-nodes
Malwarebytes
Fake 7-Zip downloads are turning home PCs into proxy nodes
A convincing lookalike of the popular 7-Zip archiver site has been silently turning victims’ machines into residential proxy nodes.
Old-School IRC, New Victims: Inside The Newly Discovered SSHStalker Linux Botnet
https://flare.io/learn/resources/blog/old-school-irc-new-victims-inside-the-newly-discovered-sshstalker-linux-botnet
https://flare.io/learn/resources/blog/old-school-irc-new-victims-inside-the-newly-discovered-sshstalker-linux-botnet
Flare | Threat Exposure Management | Unmatched Visibility into Cybercrime
Old-School IRC, New Victims: Inside the Newly Discovered SSHStalker Linux Botnet
Flare’s research team has uncovered a previously undocumented Linux botnet operation we’re calling SSHStalker. To the best of our knowledge, no other research team has reported on this threat actor. Our SSH honeypot captured multiple attacks over two months…
AI in the Middle: Turning Web-Based AI Services into C2 Proxies & The Future Of AI Driven Attacks
https://research.checkpoint.com/2026/ai-in-the-middle-turning-web-based-ai-services-into-c2-proxies-the-future-of-ai-driven-attacks/
https://research.checkpoint.com/2026/ai-in-the-middle-turning-web-based-ai-services-into-c2-proxies-the-future-of-ai-driven-attacks/
Check Point Research
AI in the Middle: Turning Web-Based AI Services into C2 Proxies & The Future Of AI Driven Attacks - Check Point Research
Key Points Introduction AI is rapidly becoming embedded in day-to-day enterprise workflows, inside browsers, collaboration suites, and developer tooling. As a result, AI service domains increasingly blend into normal corporate traffic, often allowed by default…
PromptSpy ushers in the era of Android threats using GenAI
https://www.welivesecurity.com/en/eset-research/promptspy-ushers-in-era-android-threats-using-genai/
https://www.welivesecurity.com/en/eset-research/promptspy-ushers-in-era-android-threats-using-genai/
Welivesecurity
PromptSpy ushers in the era of Android threats using GenAI
ESET researchers discover PromptSpy, the first known Android malware to abuse generative AI in its execution flow.
Refund scam impersonates Avast to harvest credit card details
https://www.malwarebytes.com/blog/threat-intel/2026/02/refund-scam-impersonates-avast-to-harvest-credit-card-details
https://www.malwarebytes.com/blog/threat-intel/2026/02/refund-scam-impersonates-avast-to-harvest-credit-card-details
Malwarebytes
Refund scam impersonates Avast to harvest credit card details
A convincing fake Avast site displays a €499.99 charge and promises a refund. Instead, it harvests your name, address, and full credit card details.
Taming Agentic Browsers: Vulnerability in Chrome Allowed Extensions to Hijack New Gemini Panel
https://unit42.paloaltonetworks.com/gemini-live-in-chrome-hijacking/
https://unit42.paloaltonetworks.com/gemini-live-in-chrome-hijacking/
Unit 42
Taming Agentic Browsers: Vulnerability in Chrome Allowed Extensions to Hijack New Gemini Panel
A high-severity CVE-2026-0628 in Chrome's Gemini allowed local file access and privacy invasion. Google quickly patched the flaw.
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
The Forgotten Bug: How a Node.js Core Design Flaw Enables HTTP Request Splitting
https://r3verii.github.io/cve/2026/02/27/nodejs-toctou.html
https://r3verii.github.io/cve/2026/02/27/nodejs-toctou.html
CyberSec Notes
The Forgotten Bug: How a Node.js Core Design Flaw Enables HTTP Request Splitting
Deep dive into a TOCTOU vulnerability in Node.js’s ClientRequest.path that bypasses CRLF validation and enables Header Injection and HTTP Request Splitting across 7+ major HTTP libraries totaling 160M+ weekly downloads.
New A0Backdoor Linked to Teams Impersonation and Quick Assist Social Engineering
https://www.bluevoyant.com/blog/new-a0backdoor-linked-to-teams-impersonation-and-quick-assist-social-engineering
https://www.bluevoyant.com/blog/new-a0backdoor-linked-to-teams-impersonation-and-quick-assist-social-engineering
BlueVoyant
New A0Backdoor Linked to Teams Impersonation and Quick Assist Social…
BlueVoyant's Security Operations Center (SOC) recently uncovered a new A0Backdoor delivered through Teams impersonation.
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
blacksanta-edr-killer-threat-report.pdf
13.7 MB
BlackSanta EDR-Killer
A Silent Threat Targeting Recruitment Workflows. Aryaka Threat Labs has uncovered a sophisticated malware campaign:
The malware performs system reconnaissance and conducts environment checks to detect sandboxes, virtual machines, and debugging tools to evade analysis. A key component, BlackSanta, acts as an EDR-killer, disabling security solutions to ensure malicious payloads run undetected.
Once established, the malware communicates with command-and-control servers over encrypted HTTPS to exfiltrate sensitive data, demonstrating a persistent and highly sophisticated cyber threat..
A Silent Threat Targeting Recruitment Workflows. Aryaka Threat Labs has uncovered a sophisticated malware campaign:
The malware performs system reconnaissance and conducts environment checks to detect sandboxes, virtual machines, and debugging tools to evade analysis. A key component, BlackSanta, acts as an EDR-killer, disabling security solutions to ensure malicious payloads run undetected.
Once established, the malware communicates with command-and-control servers over encrypted HTTPS to exfiltrate sensitive data, demonstrating a persistent and highly sophisticated cyber threat..
Inside DarkSword: A New iOS Exploit Kit Delivered Via Compromised Legitimate Websites
https://iverify.io/blog/darksword-ios-exploit-kit-explained
https://iverify.io/blog/darksword-ios-exploit-kit-explained
iverify.io
Inside DarkSword: A New iOS Exploit Kit Delivered Via Compromised Legitimate Websites
Shortly after our publication on the Coruna exploit kit, a collaborating researcher at Lookout flagged a suspicious-looking URL possibly related to the threat actor from Russia linked with Coruna.
How TeamPCP's supply chain attack evolved
The malicious campaign that started with Trivy and Checkmarx has shifted to LiteLLM. Here's how — and what's different this time:
https://www.reversinglabs.com/blog/teampcp-supply-chain-attack-spreads
The malicious campaign that started with Trivy and Checkmarx has shifted to LiteLLM. Here's how — and what's different this time:
https://www.reversinglabs.com/blog/teampcp-supply-chain-attack-spreads
ReversingLabs
Inside the TeamPCP cascading supply chain attack | ReversingLabs
The malicious campaign that started with Trivy and Checkmarx has shifted to LiteLLM. Here's how — and what's different this time.
Operation NoVoice: Rootkit Tells No Tales
WhatsApp under attack *
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-research-operation-novoice-rootkit-malware-android/
WhatsApp under attack *
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-research-operation-novoice-rootkit-malware-android/
McAfee Blog
Operation NoVoice: Rootkit Tells No Tales | McAfee Blog
Authored By: Ahmad Zubair Zahid McAfee’s mobile research team identified and investigated an Android rootkit campaign tracked as Operation Novoice. The
SecuritySnack - OpenAI Anti-Ads Malware
This report details the discovery of a malicious Chrome extension, named "ChatGPT Ad Blocker", found on the Google Chrome Web Store.
https://dti.domaintools.com/securitysnacks/securitysnack-openai-anti-ads-malware
This report details the discovery of a malicious Chrome extension, named "ChatGPT Ad Blocker", found on the Google Chrome Web Store.
https://dti.domaintools.com/securitysnacks/securitysnack-openai-anti-ads-malware
Domaintools
DomainTools Investigations | SecuritySnack - OpenAI Anti-Ads Malware
Stay protected against the "ChatGPT Ad Blocker" malware. This investigation reveals how a malicious Chrome extension uses Discord webhooks to steal private ChatGPT conversations, prompts, and metadata.
MCPwn: A CVSS 9.8 One-Line MCP Bug That Hands Over Your Nginx to Anyone on the Network – Actively Exploited in the Wild
https://pluto.security/blog/mcp-bug-nginx-security-vulnerability-cvss-9-8/
Unauthenticated MCP Endpoint Allows Remote Nginx Takeover PoC:
https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h6c2-x2m2-mwhf
https://pluto.security/blog/mcp-bug-nginx-security-vulnerability-cvss-9-8/
Unauthenticated MCP Endpoint Allows Remote Nginx Takeover PoC:
https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h6c2-x2m2-mwhf
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
www.ietf.org
Internet Protocol Version 8 (IPv8)
Internet Protocol Version 8 (IPv8) is a managed network protocol
suite that transforms how networks of every scale -- from home
networks to the global internet -- are operated, secured, and
monitored. Every manageable element in an IPv8 network is
authorised…
suite that transforms how networks of every scale -- from home
networks to the global internet -- are operated, secured, and
monitored. Every manageable element in an IPv8 network is
authorised…
FakeWallet crypto stealer spreading through iOS apps in the App Store
During our investigation, we identified 26 phishing apps in the App Store mimicking the following major wallets:
• MetaMask
• Ledger
• Trust Wallet
• Coinbase
• TokenPocket
• imToken
• Bitpie
https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/
During our investigation, we identified 26 phishing apps in the App Store mimicking the following major wallets:
• MetaMask
• Ledger
• Trust Wallet
• Coinbase
• TokenPocket
• imToken
• Bitpie
https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/
Kyber Ransomware Double Trouble: Windows and ESXi Attacks Explained
https://www.rapid7.com/blog/post/tr-kyber-ransomware-double-trouble-windows-esxi-attacks-explained/
https://www.rapid7.com/blog/post/tr-kyber-ransomware-double-trouble-windows-esxi-attacks-explained/
Rapid7
Kyber Ransomware Double Trouble: Windows and ESXi Attacks Explained