Today’s roundup
APT28 Uses Microsoft Office CVE-2026-21509 in Espionage-Focused Malware Attacks
OpenClaw Bug Enables One-Click Remote Code Execution via Malicious Link
Microsoft Begins NTLM Phase-Out With Three-Stage Plan to Move Windows to Kerberos
Vibe-Coded Moltbook Exposes User Data, API Keys and More
NSA Publishes New Zero Trust Implementation Guidelines
Please Don’t Feed the Scattered Lapsus ShinyHunters
Notepad++ infrastructure hack likely tied to China-nexus APT Lotus Blossom
MoltBot Skills exploited to distribute 400+ malware packages in days
Panera Bread breach affected 5.1 Million accounts, HIBP Confirms
Hackers exploit unsecured MongoDB instances to wipe data and demand ransom
Summary
Russian-linked APT28 (UAC-0001) is exploiting the recently patched Microsoft Office vulnerability CVE-2026-21509 in an espionage campaign, "Operation Neusploit." Zscaler observed weaponization since January 29, 2026, targeting Ukraine, Slovakia, and Romania.
A high-severity remote code execution (RCE) flaw, CVE-2026-25253 (CVSS 8.8), was disclosed in the OpenClaw AI assistant (formerly Moltbot/Clawdbot). The vulnerability enables one-click RCE via a malicious link and was patched in version 2026.1.29 on January 30, 2026.
Microsoft has begun a three-phase plan to retire NTLM, moving Windows authentication to more secure Kerberos-based options. The move addresses NTLM's susceptibility to relay attacks and other known weaknesses.
A misconfiguration in the Moltbook AI-powered assistant led to exposed user data, including API keys, granting full read and write access. Wiz Security identified this critical vulnerability, highlighting the need for rigorous secure configuration.
The National Security Agency (NSA) has released new guidelines to help organizations achieve target-level maturity in Zero Trust architecture implementation, providing essential strategic guidance for cybersecurity professionals.
The Scattered Lapsus ShinyHunters (SLSH) data ransom group employs aggressive tactics like harassing and swatting executives, alongside media notification. Unit 221B's research, cited by Brian Krebs, advises against paying SLSH due to their unreliable conduct and use of psychological extortion.
Rapid7 linked the Notepad++ hosting infrastructure compromise to the China-nexus APT Lotus Blossom. This supply chain attack, from June to December 2025, redirected update traffic to malicious servers, deploying the "Chrysalis" backdoor through DLL sideloading and Microsoft Warbird abuse.
Over 400 malicious OpenClaw/MoltBot skills, disguised as crypto trading tools, were published on ClawHub and GitHub to distribute info-stealing malware to Windows and macOS. OpenSourceMalware reported that the attackers relied on social engineering, exposing weak security controls in AI skill registries.
Have I Been Pwned confirmed the Panera Bread data breach affected 5.1 million accounts (not 14 million), exposing emails, names, phone numbers, and addresses. The breach is attributed to a ShinyHunters vishing campaign targeting SSO accounts.
Cybersecurity firm Flare reported that 1,416 of 3,100 exposed MongoDB instances were compromised, their data wiped, and ransoms of roughly $500 in Bitcoin demanded. Misconfiguration, not zero-day exploits, remains the primary risk for these public-facing databases.
Cyber Groups
| Group | Aliases |
| --- | --- |
| APT28 | IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Forest Blizzard, FROZENLAKE, GruesomeLarch |
| Lotus Blossom | DRAGONFISH, Spring Dragon, RADIUM, Raspberry Typhoon, Bilbug, Thrip |