Daily Brief

Total articles found: 12589

2026-02-03 12:42:56 | theregister | DDOS | Polish Authorities Arrest 20-Year-Old Linked to Global DDoS Attacks
Polish police arrested a 20-year-old suspect for orchestrating DDoS attacks on numerous websites, including those of strategic importance, disrupting essential services globally. The Central Bureau for Combating Cybercrime (CBCZ) claims the individual used a multi-layered botnet, employing "C2 stresser" and "Command and Control Node" machines. The suspect faces six charges related to disrupting IT systems, with a potential maximum sentence of five years in prison. Authorities dismantled the IT infrastructure used for the attacks, seizing computer equipment from the suspect's apartment. The suspect admitted to most charges and was released on bail under non-custodial police supervision pending sentencing. The CBCZ's efforts are part of broader European operations, including Operation PowerOFF, which has seen increased arrests and cybercrime charges. Poland's cybercrime unit has expanded significantly, reflecting a strategic focus on combating cyber threats across Europe.

2026-02-03 11:01:56 | thehackernews | MISCELLANEOUS | Cloud Outages Reveal Critical Vulnerabilities in Identity Systems
Recent outages at major cloud providers like AWS, Azure, and Cloudflare have disrupted essential services, affecting both consumer convenience and business operations significantly. Businesses experience severe impacts, including revenue loss and reputational damage, when critical systems like airline booking platforms go offline due to cloud outages. Identity systems, integral to security and operations, face hidden vulnerabilities as they depend heavily on cloud-hosted infrastructure, creating single points of failure. Authentication and authorization are continuous processes vital to Zero Trust models, requiring constant availability of identity systems to maintain business continuity. Traditional high-availability strategies are insufficient for identity systems, as they often fail during large-scale cloud outages affecting shared services. Designing resilience in identity systems involves reducing reliance on single providers and planning for degraded operations to minimize business impact during outages. Organizations are encouraged to adopt multi-cloud strategies and consider on-premises alternatives to ensure identity systems remain functional even when cloud services falter.

2026-02-03 10:22:12 | theregister | VULNERABILITIES | OpenClaw AI Bot Farm Faces Critical Security and Cost Challenges
OpenClaw, an AI-powered personal assistant, has been found to have significant security vulnerabilities, including remote code execution and command injection flaws. The project, initially launched as Clawdbot and later renamed Moltbot, has rapidly gained popularity, attracting attention from prominent developers and researchers. Security advisories have been issued for OpenClaw, with 341 malicious extensions identified, posing risks of unauthorized access and data theft. Researchers have discovered cryptocurrency theft capabilities within OpenClaw skills, raising concerns about financial security for users. The Mauritius-based security firm Cyberstorm.MU has contributed to improving OpenClaw's security by implementing TLS 1.3 as the default cryptographic protocol. The exposed database for the related Moltbook project and unregulated cryptocurrency activities further amplify the security concerns surrounding OpenClaw. Users have reported unexpected high costs associated with running OpenClaw, with inefficiencies leading to substantial API token expenses. Despite these issues, the intrigue surrounding autonomous LLM networks continues, though caution is advised due to ongoing security and operational risks.

2026-02-03 09:31:58 | theregister | MISCELLANEOUS | UK Armed Forces Empowered to Counter Drone Threats Near Bases
The UK Armed Forces will gain new legal powers to neutralize drones threatening military bases, as outlined in the Armed Forces Bill currently in Parliament. Reports of drone intrusions near sensitive UK military sites surged in 2025, with 266 incidents, up from 126 in 2024, prompting legislative action. The new measures will allow defense personnel to counter aerial, land, and underwater drones using technologies like radio frequency jammers. Recent demonstrations showcased the use of Radio Frequency Directed Energy Weapons and high-energy lasers for disabling drone electronics. The Ministry of Defence has allocated over £200 million ($273 million) in 2025 for counter-drone technologies, reflecting a significant increase in investment. Enhanced security measures include restricted airspace at 40 sites, deployment of guard drones, and advanced CCTV systems to address broader security challenges. The Armed Forces Bill also provides an opportunity to update the Armed Forces Act 2006, last renewed in 2021, to address evolving security threats.

2026-02-03 09:15:27 | thehackernews | NATION STATE ACTIVITY | APT28 Exploits Microsoft Office Flaw in Espionage Campaign
APT28, a Russian state-sponsored group, launched Operation Neusploit exploiting CVE-2026-21509, a Microsoft Office vulnerability, targeting Ukraine, Slovakia, and Romania. The flaw, with a CVSS score of 7.8, allows attackers to send specially crafted Office files, bypassing security features to execute malicious payloads. Attack vectors included social engineering tactics, using localized language lures to entice victims into opening the malicious documents. The campaign delivered two droppers: MiniDoor, an Outlook email stealer, and PixyNetLoader, which deploys a Covenant Grunt implant. PixyNetLoader employs advanced techniques like COM object hijacking and steganography to evade detection and establish persistence. CERT-UA reported over 60 Ukrainian government email addresses targeted, with lure documents initiating network connections to download malicious executables. This activity shares tactics with the previous Operation Phantom Net Voxel, indicating a pattern in APT28's espionage strategies. Organizations are advised to apply Microsoft patches promptly and enhance email security measures to mitigate such threats.

2026-02-03 05:47:18 | thehackernews | MISCELLANEOUS | Mozilla Introduces AI Control Options in Firefox Browser Settings
Mozilla has announced a new feature in Firefox allowing users to disable generative AI capabilities with a single click, enhancing user control over AI functionalities. The feature is part of Firefox 148, set for release on February 24, 2026, and aims to provide a centralized location for managing AI settings. Users can opt out of AI features entirely or manage them individually, ensuring flexibility and user preference in AI integration. Mozilla emphasizes user autonomy, stating that AI features will remain fully opt-in, aligning with its commitment to user privacy and control. The initiative reflects Mozilla's broader strategy under CEO Anthony Enzor-DeMeo to prioritize transparency in privacy, data use, and AI functionalities. This development marks Mozilla's continued focus on becoming a trusted software provider, reinforcing its reputation for prioritizing user agency.

2026-02-03 05:02:03 | thehackernews | NATION STATE ACTIVITY | Lotus Blossom Group Breaches Notepad++ Hosting Infrastructure
Rapid7 attributes the Notepad++ hosting breach to the China-linked Lotus Blossom group, exploiting update traffic to deliver a new backdoor named Chrysalis. The breach occurred at the hosting provider level, allowing targeted redirection of update requests to malicious servers from June to December 2025. Affected users received tampered updates due to insufficient verification controls in older Notepad++ versions, prompting a security patch in version 8.8.9. Notepad++ has since migrated to a more secure hosting provider and rotated credentials, terminating the attacker's access by December 2, 2025. Chrysalis, a feature-rich implant, gathers system data and communicates with external servers, capable of executing commands and file operations. Analysis found no evidence of malware distribution through the updater mechanism, but identified sophisticated use of Metasploit and Cobalt Strike frameworks. The incident reflects Lotus Blossom's evolving tactics, integrating custom malware with known frameworks to enhance stealth and resilience against detection.

2026-02-02 23:24:38 | theregister | NATION STATE ACTIVITY | Chinese APT Group Hijacks Notepad++ Updates to Deploy Chrysalis Backdoor
Security researchers attribute a Notepad++ update hijacking to the Chinese espionage group Lotus Blossom, targeting high-value sectors such as telecoms and critical infrastructure. The attackers exploited vulnerabilities in the update infrastructure, redirecting some update traffic to a malicious site where victims downloaded a compromised software update. The hijacked update delivered a newly identified backdoor, Chrysalis, using a trojanized NSIS installer to deploy the malware via DLL sideloading techniques. Chrysalis employs advanced techniques, including API hashing and multiple layers of obfuscation, to evade detection while maintaining persistent access to compromised systems. Rapid7's analysis links the attack to Lotus Blossom with moderate confidence, based on similarities with past campaigns and the use of specific tools and tactics. The incident highlights ongoing cyber-espionage threats from state-sponsored actors, emphasizing the importance of securing software distribution channels against such intrusions. Rapid7 has released indicators of compromise to aid organizations in detecting and mitigating potential infections from this campaign.

2026-02-02 22:12:50 | bleepingcomputer | MALWARE | GlassWorm Malware Exploits OpenVSX Extensions to Target macOS Systems
GlassWorm malware has been detected infiltrating macOS systems via compromised OpenVSX extensions, focusing on stealing sensitive data, including passwords and crypto-wallet information. The threat actor accessed a legitimate developer's account, oorzc, to distribute malicious updates across four extensions, impacting 22,000 downloads. GlassWorm utilizes "invisible" Unicode characters to conceal its code, enabling it to steal cryptocurrency wallet and developer account details. The malware facilitates VNC-based remote access and SOCKS proxying, establishing persistence through a LaunchAgent for execution at login. The campaign specifically targets macOS systems, excluding Russian-locale systems, and exfiltrates data to an identified attacker infrastructure. Socket's security team reported the breach to the Eclipse Foundation, leading to revoked tokens and removal of malicious releases from OpenVSX. Developers affected by the malicious updates are advised to conduct a comprehensive system clean-up and rotate all credentials and passwords.

2026-02-02 21:08:46 | bleepingcomputer | NATION STATE ACTIVITY | Russian APT28 Exploits Microsoft Office Flaw in Ukraine Attacks
Ukrainian CERT reported Russian APT28 exploiting CVE-2026-21509, a zero-day flaw in Microsoft Office, targeting government-related entities. The attacks involved malicious DOC files themed around EU COREPER consultations, with emails impersonating the Ukrainian Hydrometeorological Center. The exploit chain uses WebDAV, COM hijacking, and malicious DLLs to deploy COVENANT malware, leveraging cloud storage for command-and-control. CERT-UA linked this activity to previous APT28 campaigns, which used similar tactics to target Ukrainian government organizations. The campaign has expanded beyond Ukraine, targeting EU-based organizations, with attack domains registered concurrently. Organizations are advised to apply Microsoft's latest security updates and consider registry-based mitigations if immediate patching is not feasible. Microsoft's Defender Protected View can block malicious Office files from the Internet unless explicitly trusted, providing an additional security layer.

2026-02-02 19:18:43 | theregister | CYBERCRIME | StopICE App Sabotaged, Blames CBP Agent for Text Message Attack
StopICE, an ICE-tracking service, experienced a cyberattack resulting in alarming text messages falsely claiming user data was compromised and shared with authorities. The attack allegedly originated from a personal server linked to a U.S. Customs and Border Protection agent in Southern California. StopICE maintains it does not store user names or addresses, countering claims that such data was leaked during the breach. Administrators quickly isolated and neutralized the attack, which involved sending false alerts through their platform's downstream carrier. The app's maintainers used decoy data to trace the attackers, identifying their locations, names, phone numbers, and network information. StopICE has over half a million subscribers and routinely faces over 500 DDoS attacks daily, highlighting ongoing threats to its operations. Users are advised to use secure communication methods, such as end-to-end encrypted email and messaging apps, to protect their privacy.

2026-02-02 19:18:42 | bleepingcomputer | MALWARE | Malicious Packages Target OpenClaw Users with Info-Stealing Malware
Over 230 malicious packages, known as skills, were discovered in OpenClaw's official registry and GitHub, distributing malware that steals sensitive data from users. The packages masquerade as legitimate tools, including cryptocurrency trading and financial utilities, but secretly deploy information-stealing payloads. The malware targets various sensitive data, such as API keys, wallet private keys, SSH credentials, and browser passwords, posing significant security risks. Security researcher Jamieson O’Reilly identified numerous exposed OpenClaw admin interfaces, increasing the vulnerability to these malicious skills. A variant of NovaStealer malware was found on macOS, capable of bypassing Gatekeeper and accessing system services, highlighting the technical sophistication of the threat. OpenClaw's creator acknowledged the challenge in reviewing skill submissions, urging users to verify skill safety and implement security measures like virtual machine isolation. Koi Security reported 341 malicious skills and provided a free online scanner for users to check the safety of skills, promoting proactive security practices. The incident underscores the importance of a multi-layered security approach, including restricted permissions and secure remote access, to protect against such threats.

2026-02-02 18:28:42 | theregister | NATION STATE ACTIVITY | APT28 Exploits Microsoft Office Zero-Day Targeting Ukraine and EU
Ukraine's CERT identified Russia-linked APT28 exploiting a new Microsoft Office zero-day, CVE-2026-21509, targeting government agencies in Ukraine and the EU. The vulnerability, a security feature bypass in Microsoft Office, was disclosed by Microsoft just days before active exploitation began. Attackers utilized weaponized documents themed around EU-Ukraine discussions, with metadata indicating rapid preparation for exploitation. The attack chain involves phishing emails with malicious DOC attachments, initiating a WebDAV connection to download further malware. APT28 employs COM hijacking and scheduled tasks to maintain persistence, deploying the COVENANT post-exploitation framework. CERT-UA advises monitoring or blocking Filen-related traffic and notes rapid infrastructure cycling by attackers. Despite Microsoft's release of patches, CERT-UA warns of potential delays in user adoption, increasing the risk of further attacks.

2026-02-02 17:55:25 | thehackernews | MALWARE | Koi Security Uncovers Malicious Skills on ClawHub Marketplace
Koi Security identified 341 malicious skills on ClawHub, exposing OpenClaw users to supply chain risks through deceptive installation processes. The ClawHavoc campaign involves fake prerequisites leading to the installation of Atomic Stealer, a macOS-focused data-harvesting trojan. Attackers use social engineering tactics, presenting skills as legitimate tools like cryptocurrency trackers, to deploy malware on Windows and macOS systems. Malicious skills share a command-and-control infrastructure, facilitating the theft of sensitive data such as API keys and SSH credentials. OpenClaw's open nature allows easy skill uploads, prompting the introduction of a reporting feature to flag suspicious activities. The persistent memory feature of OpenClaw agents increases the risk of delayed-execution attacks, amplifying the threat landscape. The findings emphasize the ongoing exploitation of open-source platforms by cybercriminals, leveraging their popularity to distribute malware effectively.

2026-02-02 17:11:31 | theregister | MISCELLANEOUS | McDonald's Advocates for Stronger Passwords Amid Security Concerns
McDonald's Netherlands urges customers to avoid using product names like "bigmac" as passwords, citing their frequent appearance in compromised password databases. Data from Have I Been Pwned reveals "bigmac" and its variants were found over 110,922 times, highlighting the risk of using easily guessable passwords. Advertisements in Dutch public spaces warn against simple character substitutions, as these are easily cracked by modern brute-force methods. The campaign coincides with Change Your Password Day, promoting better cybersecurity hygiene among users still relying on outdated password practices. Despite advancements in security tools, many users continue to rely solely on weak passwords, increasing vulnerability to cyber threats. McDonald's initiative emphasizes the importance of adopting comprehensive security measures, including long passphrases, biometrics, and multi-factor authentication. The effort aims to raise awareness and encourage users to implement robust security practices beyond just changing passwords.