In today’s cybersecurity news…
Arkanix Stealer – the new AI info-stealer experiment
Researchers from Kaspersky now say that an information-stealing malware operation named Arkanix Stealer, which appeared on dark web forums towards the end of last year, was “likely developed as an AI-assisted experiment.” It included a control panel and a Discord server for communication with users, but has since been removed by its developer. Although it consisted of many standard data-stealing features that cybercriminals are already using, along with a modular architecture and anti-analysis features, the Kaspersky researchers said the clues that indicated LLM-assisted development “might have drastically reduced development time and costs.”
AI-assisted hacker breached 600 Fortinet firewalls in 5 weeks
Following up on a story we covered exactly one month ago, Amazon is warning that “a Russian-speaking hacker used multiple generative AI services as part of a campaign that breached more than 600 FortiGate firewalls across 55 countries in five weeks.” As reported by CJ Moses, CISO of Amazon Integrated Security, the January hacking campaign did not rely on exploits; instead, the threat actor “targeted exposed management interfaces and weak credentials that lacked MFA protection, brute-forcing with common passwords, then used AI to help automate access to other devices on the breached network.”
Russia stepping up hybrid attacks, preparing for confrontation with West
This warning comes from Dutch intelligence services, who said that the “intensifying cyberattacks, sabotage and covert influence operations across Europe show the Kremlin is preparing for a prolonged confrontation with the West.” Two Dutch intelligence agencies, one general and the other military, said “the Russian armed forces are preparing for the possibility of a conflict with NATO and are carrying out various activities to test the West’s willingness to escalate.” Their term “hybrid” refers to a blend of “cyberattacks, sabotage, disinformation, covert political influence and espionage designed to stay below the threshold of open war.”
Japanese semiconductor supplier suffers ransomware attack
Tokyo-based Advantest, a supplier of semiconductor test equipment, said the attack occurred last Sunday and has impacted several company systems. “Advantest is one of the largest manufacturers of test and measurement equipment used in the design and production of semiconductors for machine learning, autonomous vehicles, 5G systems and more.” Its tools have become “critical assets in the production process of semiconductors globally.” No group has yet claimed responsibility for this attack.
Huge thanks to our sponsor, Adaptive Security

Anthropic announces embedded security scanning for Claude
This new feature can scan a user’s software codebases for vulnerabilities and suggest patching solutions. Claude Code Security, as it is called, will initially be available to a limited number of enterprise and team customers for testing. This is after a year of internal stress-testing conducted by and for the company. Anthropic says that as “vibe coding” becomes more widespread, the demand for automated vulnerability scanning will exceed the capacity of manual security reviews.
New ClickFix campaign deploys MIMICRAT malware
A new report from cybersecurity research company Elastic Security Labs describes a new ClickFix campaign that delivers a previously undocumented remote access trojan called MIMICRAT. The sophisticated operation uses compromised sites in diverse industries and geographies to drop a Lua-scripted shellcode loader. The final implant “communicates over HTTPS…using profiles that resemble legitimate web analytics traffic.” Elastic added that “the campaign supports 17 languages, with the lure content dynamically localized based on the victim’s browser language settings to broaden its effective reach.”
ShinyHunters beats the house in Vegas
Wynn Resorts appears to be the latest victim of the ShinyHunters extortion gang. The group posted the company on its blog last Friday, claiming to have stolen “more than 800,000 records containing employees’ Social Security numbers and other private details.” Wynn has until today, February 23, to reach out; otherwise a data leak and – in the words of the gang – “other annoying (digital) problems” will occur. A spokesperson for the crime group told The Register that they gained initial access to Wynn’s systems in September 2025 “via an Oracle PeopleSoft vulnerability using an employee’s credentials.”
PayPal’s small data incident has a long tail
PayPal is alerting customers of a small data incident following a software error in a small business loan application process, which exposed sensitive PII including Social Security numbers. Although the number of people affected was very small (100 customers), the data remained exposed for nearly 6 months last year, between July 1 and the date of discovery, December 12. PayPal has emphasized that this was not a breach, and its systems were not compromised. The erroneous code was quickly rolled back.