In today’s cybersecurity news…
OpenClaw turns to VirusTotal to boost security
Following up on a story we have been covering this past week regarding OpenClaw, the self-hosted AI assistant formerly known as Clawdbot and Moltbot, now being abused to distribute malware, its founders have now announced that they are partnering with Google-owned VirusTotal to “scan skills that are being uploaded to ClawHub, its skill marketplace,” by essentially creating a unique SHA-256 hash for every skill and cross-checking it against VirusTotal’s database for a match. The company warns that VirusTotal scanning “is not a silver bullet and that there is a possibility that some malicious skills that use a cleverly concealed prompt injection payload may slip through the cracks.”
CISA gives federal agencies one year to rip out end-of-life devices
This operational directive issued on Thursday is in response to ongoing and widespread exploitation campaigns from sophisticated hackers. The devices, such as load balancers, firewalls, routers, IoT edge devices and many more, remain vulnerable, especially to those with ties to nation-states, said CISA Executive Assistant Director for Cybersecurity Nick Andersen. He clarified that this directive is not a response to any one incident or compromise.
Microsoft Office exploit attacks European maritime and transport organizations
Following up on a story we covered mid-week, Ukraine’s computer emergency response team, CERT-UA, and cybersecurity firms Zscaler and Trellix, have reported that the exploitation of a newly disclosed Microsoft Office vulnerability (CVE-2026-21509), linked to Russia’s APT28 Fancy Bear group, is additionally focusing on maritime, transportation, and diplomatic entities in Poland, Slovenia, Turkey, Greece and the United Arab Emirates. The campaign consists of phishing emails with malicious Microsoft Office documents mentioning weapons-smuggling alerts, diplomatic invitations, military training notices and emergency weather bulletins that resembled legitimate government correspondence.
Salt Typhoon hacks Norwegian companies
The Norwegian Police Security Service on Friday accused the Chinese-backed hacking group of breaking into several organizations in the country to conduct espionage. Their report did not provide many details about this campaign, but the Salt Typhoon organization was described recently by senior U.S. national security officials as “ an epoch-defining threat,” which has “for years stealthily hacked into the networks of critical infrastructure organizations around the world.”
Huge thanks to our episode sponsor, ThreatLocker
Chinese malware targets Chinese-based routers and edge devices
Researchers at Cisco Talos made the discovery, which they describe as a fully featured gateway-monitoring and adversary-in-the-middle (AitM) framework, and published their report on Thursday. In use since at least 2019 and still active, DKnife targets Chinese-speaking users, and the researchers express high confidence that it was made by Chinese-nexus threat actors. It is a Linux-based framework designed for “gateway-level attacks, enabling operators to monitor, manipulate and hijack network traffic on compromised routers or edge devices.” A link to the report is available in the show notes to this episode.
Payments platform BridgePay confirms ransomware attack
The U.S. payment gateway and solutions provider says “a ransomware attack has knocked key systems offline, triggering a widespread outage affecting multiple services.” This incident started on Friday spread and nationwide across its platform. The company confirmed late Friday that the incident was caused by ransomware. During the incident, some U.S. merchants and organizations were only able to accept cash from their customers. The company has not yet named the ransomware actor.
AWS intruder becomes admin in under 10 minutes with AI assistance
A digital intruder “broke into an AWS cloud environment and in just under 10 minutes went from initial access to administrative privileges, thanks to an AI speed assist.” This is according to a research team from Sysdig Threat Research who observed the break-in on November 28, and noted it stood out “not only for its speed, but also for the multiple indicators suggesting the criminals used large language models to automate most phases of the attack, from reconnaissance and privilege escalation to lateral movement, malicious code writing, and LLMjacking – using a compromised cloud account to access cloud-hosted LLMs.” The attackers initially gained access by stealing valid test credentials from public Amazon S3 buckets.
German agencies warn of unusual Signal phishing campaign
Federal officials in Germany have issued a joint advisory warning, stating it focuses on “high-ranking targets in politics, the military, and diplomacy, as well as investigative journalists in Germany and Europe.” Interestingly, the campaign “does not involve distribution of malware or the exploitation of any security vulnerability” within Signal, but the end goal is to “weaponize its legitimate features to obtain covert access to a victim’s chats, along with their contact lists,” largely by masquerading as “Signal Support” chatbot.