NCSA Webboard
    NCSA_THAICERT (@NCSA_THAICERT)
    Global Moderator, administrators
    Website: www.ncsa.or.th

    Latest posts made by NCSA_THAICERT

    • More than 200 fake Skills found on OpenClaw carrying password-stealing malware


      You can follow our news on the webboard or on the NCSA Thailand Facebook page.

      Posted in Cyber Security News
    • Panera Bread data breach affects 5.1 million accounts, confirmed by HIBP



      Posted in Cyber Security News
    • APT28 hackers exploit a recently patched Microsoft Office vulnerability against Ukrainian and European government agencies



      Posted in Cyber Security News
    • Misconfigured, publicly exposed MongoDB databases at risk of data wiping and ransom demands



      Posted in Cyber Security News
    • SCADA system vulnerability enables Denial-of-Service, affecting the availability of industrial systems



      Posted in Cyber Security News
    • AI Security startup CEO recounts nearly falling victim to a deepfake job applicant and a cross-border hiring scam


      Posted in Cyber Security News
    • 🚨 Urgent!! Notepad++ updates may have been intercepted and redirected to a malicious server 🚨

      Notepad++ users who have automatic updates enabled should check their systems immediately.

      🔴 Incident details
      • Reports have emerged of a cyberattack in which Notepad++ may have been hijacked, affecting the program's update system. The attackers were able to interfere with the update infrastructure, so some users may have received tampered update files, with the risk that malicious code was installed on their systems without their knowledge.
      • Notepad++ has reported an attack in which the hosting provider's infrastructure was taken over (an infrastructure-level compromise). This allowed the attacker to interfere with the update process and redirect updates from the official server to an unsafe server, putting some users at risk of receiving tampered update files.

      1. Observed attack behaviour
        • The update system was redirected to the attacker's server
        • Tampered update files were distributed
        • Risk of downloading additional malicious payloads

      2. Affected products
        Notepad++ users who updated through the WinGUp updater during the period when the infrastructure was compromised (before the fixed version was released).
        Users and administrators can review the Indicators of Compromise (IoCs) related to this incident, for retrospective checks of systems and networks, at the following links:
        • https://dg.th/qhvy6akx7n
        • https://dg.th/179j0i2ncd

      📌 Note
      This incident is an attack on the update channel, not a vulnerability in the software itself. Anyone who updated during the affected period should therefore check their systems immediately.

      1. Recommended protection
        • Update Notepad++ to the latest version, 8.8.9 or later
        • Verify the integrity of update files before installing them
        • Run a full system scan after the update completes

      2. Interim measures (if you cannot update immediately)
        • Check the machine for abnormal behaviour, such as unusual slowness or programs starting on their own
        • Run a full malware scan with a trusted antivirus product
        • Download and update the program only from the official website
        • Restrict connections to the update domain through the firewall/proxy
        • Avoid installing from unofficial links or sources

      Posted in Cyber Security News
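      The checks the advisory above asks for, written out as a PowerShell script that can be run on a Windows endpoint. This is an added example, not code from the NCSA post or from the Notepad++ project. It assumes the default Notepad++ install locations, that the WinGUp updater keeps its configuration in `updater\gup.xml` with an `<InfoUrl>` element, and that `notepad-plus-plus.org` is the only legitimate update host; none of those details appear in the post. The 8.8.9 minimum version is the one the post names.

```powershell
# Added example (not from the NCSA post or the Notepad++ project): host-side check
# for the Notepad++ update hijack described above.
#   1. Is the installed version at or above the fixed 8.8.9 named in the post?
#   2. Does the installed binary carry a valid Authenticode signature?
#   3. Does the WinGUp updater still point at the official update host?
# Assumptions (not stated in the post): default install roots, the updater config
# 'updater\gup.xml' with an <InfoUrl> element, and notepad-plus-plus.org as host.

$MinimumVersion = [version]'8.8.9'          # fixed version per the post
$OfficialHost   = 'notepad-plus-plus.org'   # assumption: official update host

function Find-NotepadPlusPlus {
    # Look in the usual per-machine and per-user install roots (assumed defaults).
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)},
               (Join-Path $env:LOCALAPPDATA 'Programs')) | Where-Object { $_ }
    foreach ($root in $roots) {
        $exe = Join-Path $root 'Notepad++\notepad++.exe'
        if (Test-Path -LiteralPath $exe) { return Get-Item -LiteralPath $exe }
    }
    return $null
}

function Test-UpdaterConfig {
    param([string]$InstallDir)
    # gup.xml is WinGUp's config; InfoUrl is where it asks for the download location.
    $gup = Join-Path $InstallDir 'updater\gup.xml'
    if (-not (Test-Path -LiteralPath $gup)) {
        return [pscustomobject]@{ Found = $false; InfoUrl = $null; Official = $null }
    }
    [xml]$cfg   = Get-Content -LiteralPath $gup -Raw
    $infoUrl    = $cfg.SelectSingleNode('//InfoUrl').InnerText
    $updateHost = ([uri]$infoUrl).Host
    [pscustomobject]@{
        Found    = $true
        InfoUrl  = $infoUrl
        # Exact host match only: a look-alike such as notepad-plus-plus.org.evil.example fails.
        Official = ($updateHost -eq $OfficialHost)
    }
}

function Invoke-NppHijackCheck {
    $exe = Find-NotepadPlusPlus
    if (-not $exe) { return [pscustomobject]@{ Installed = $false } }

    $installed = [version]$exe.VersionInfo.ProductVersion
    $sig       = Get-AuthenticodeSignature -FilePath $exe.FullName
    $updater   = Test-UpdaterConfig -InstallDir $exe.DirectoryName

    $findings = New-Object System.Collections.Generic.List[string]
    if ($installed -lt $MinimumVersion) {
        $findings.Add("Version $installed is below $MinimumVersion; reinstall from the official site")
    }
    if ($sig.Status -ne 'Valid') {
        $findings.Add("notepad++.exe signature status is '$($sig.Status)'; treat the binary as untrusted")
    }
    if ($updater.Found -and -not $updater.Official) {
        $findings.Add("Updater InfoUrl is '$($updater.InfoUrl)', host is not $OfficialHost")
    }
    $action = if ($findings.Count -gt 0) { 'Investigate: full malware scan, then compare against the IoC lists' }
              else { 'No issue found by these checks' }

    [pscustomobject]@{
        Installed = $true
        Path      = $exe.FullName
        Version   = $installed
        Signer    = $sig.SignerCertificate.Subject
        Updater   = $updater
        Findings  = $findings
        Action    = $action
    }
}

Invoke-NppHijackCheck | Format-List
```

      Run it in a PowerShell session on each endpoint in scope; it needs no elevation. It only inspects the host, so a clean result here does not replace checking proxy and DNS logs against the IoC links in the post, because the tampering happened at the hosting provider rather than on the client.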
    • Cyber Threat Intelligence 03 February 2026

      New Tooling

      • Pompelmi: Open-Source Secure File Upload Scanning For Node.js
        "Software teams building services in JavaScript are adding more layers of defense to handle untrusted file uploads. An open-source project called Pompelmi aims to insert malware scanning and policy checks directly into Node.js applications before files reach storage or business logic. Pompelmi is built for JavaScript and TypeScript environments and runs directly within the application process. Files are scanned in memory at upload time, allowing applications to make accept or reject decisions early in the request flow."
        https://www.helpnetsecurity.com/2026/02/02/pompelmi-open-source-secure-file-upload-scanning-node-js/
        https://github.com/pompelmi/pompelmi

      Vulnerabilities

      • OpenClaw Bug Enables One-Click Remote Code Execution Via Malicious Link
        "A high-severity security flaw has been disclosed in OpenClaw (formerly referred to as Clawdbot and Moltbot) that could allow remote code execution (RCE) through a crafted malicious link. The issue, which is tracked as CVE-2026-25253 (CVSS score: 8.8), has been addressed in version 2026.1.29 released on January 30, 2026. It has been described as a token exfiltration vulnerability that leads to full gateway compromise."
        https://thehackernews.com/2026/02/openclaw-bug-enables-one-click-remote.html
        https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq
        https://www.theregister.com/2026/02/02/openclaw_security_issues/

      Malware

      • The Chrysalis Backdoor: A Deep Dive Into Lotus Blossom’s Toolkit
        "Rapid7 Labs, together with the Rapid7 MDR team, has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom. Active since 2009, the group is known for its targeted espionage campaigns primarily impacting organizations across Southeast Asia and more recently Central America, focusing on government, telecom, aviation, critical infrastructure, and media sectors. Our investigation identified a security incident stemming from a sophisticated compromise of the infrastructure hosting Notepad++, which was subsequently used to deliver a previously undocumented custom backdoor, which we have dubbed Chrysalis."
        https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
        https://notepad-plus-plus.org/news/hijacked-incident-info-update/
        https://thehackernews.com/2026/02/notepad-official-update-mechanism.html
        https://www.bleepingcomputer.com/news/security/notepad-plus-plus-update-feature-hijacked-by-chinese-state-hackers-for-months/
        https://www.darkreading.com/application-security/chinese-hackers-hijack-notepad-updates-6-months
        https://therecord.media/popular-text-editor-hijacked-by-suspected-state-sponsored-hackers
        https://securityaffairs.com/187531/security/nation-state-hack-exploited-hosting-infrastructure-to-hijack-notepad-updates.html
        https://www.securityweek.com/notepad-supply-chain-hack-conducted-by-china-via-hosting-provider/
        https://www.theregister.com/2026/02/02/notepad_plusplus_intrusion/
        https://www.theregister.com/2026/02/02/notepad_hijacking_lotus_blossom/
        https://cyberscoop.com/china-espionage-group-lotus-blossom-attacks-notepad/
        https://hackread.com/notepad-updates-malware-hosting-breach/
        https://www.infosecurity-magazine.com/news/notepad-update-hijacked/
        https://www.helpnetsecurity.com/2026/02/02/2025-notepad-supply-chain-compromise/
      • GlassWorm Loader Hits Open VSX Via Developer Account Compromise
        "Socket’s Threat Research team identified a developer-compromise supply chain attack distributed via the Open VSX Registry, specifically a compromise of the developer’s publishing credentials. The Open VSX security team assessed the activity as consistent with a leaked token or other unauthorized access. On January 30, 2026, four established Open VSX extensions published by the oorzc author had malicious versions published to Open VSX that embed the GlassWorm malware loader. These extensions had previously presented as legitimate developer utilities (some first published more than two years ago) and collectively accumulated over 22,000 Open VSX downloads prior to the malicious releases."
        https://socket.dev/blog/glassworm-loader-hits-open-vsx-via-suspected-developer-account-compromise
        https://www.bleepingcomputer.com/news/security/new-glassworm-attack-targets-macos-via-compromised-openvsx-extensions/
        https://www.securityweek.com/open-vsx-publisher-account-hijacked-in-fresh-glassworm-attack/
      • Desperate Perth Renters Targeted By Rising Australian Housing Scam
        "For many residents in Perth, finding a rental has become a high-stakes challenge. As demand for housing surges, a troubling trend has just been revealed. An Australian housing scam preying on renters who are willing to stretch every dollar to secure a roof over their heads. These rent scams, often orchestrated by individuals posing as private landlords on online platforms like Facebook Marketplace, have left victims financially and emotionally drained."
        https://cyble.com/blog/perth-australian-housing-scam/
      • How Fake Party Invitations Are Being Used To Install Remote Access Tools
        "“You’re invited!” It sounds friendly, familiar and quite harmless. But in a scam we recently spotted, that simple phrase is being used to trick victims into installing a full remote access tool on their Windows computers—giving attackers complete control of the system. What appears to be a casual party or event invitation leads to the silent installation of ScreenConnect, a legitimate remote support tool quietly installed in the background and abused by attackers."
        https://www.malwarebytes.com/blog/threat-intel/2026/02/how-fake-party-invitations-are-being-used-to-install-remote-access-tools
      • Russian Hackers Exploit Recently Patched Microsoft Office Bug In Attacks
        "Ukraine’s Computer Emergency Response Team (CERT) says that Russian hackers are exploiting CVE-2026-21509, a recently patched vulnerability in multiple versions of Microsoft Office. On January 26, Microsoft released an emergency out-of-band security update marking CVE-2026-21509 as an actively exploited zero-day flaw. CERT-UA detected the distribution of malicious DOC files exploiting the flaw, themed around EU COREPER consultations in Ukraine, just three days after Microsoft's alert."
        https://www.bleepingcomputer.com/news/security/russian-hackers-exploit-recently-patched-microsoft-office-bug-in-attacks/
        https://www.infosecurity-magazine.com/news/fancy-bear-exploits-office-flaw/
        https://www.theregister.com/2026/02/02/russialinked_apt28_microsoft_office_bug/
      • ClawdBot Skills Just Ganked Your Crypto
        "An initial group of 28 malicious skills targeting Claude Code and Moltbot users were published to ClawHub and GitHub between January 27-29, 2026. A second larger group of 386 skills were published January 31-February 2. The skills masquerade as cryptocurrency trading automation tools and deliver information-stealing malware to macOS and Windows systems. All these skills share the same command-and-control infrastructure (91.92.242.30) and use sophisticated social engineering to convince users to execute malicious commands which then steals crypto assets like exchange API keys, wallet private keys, SSH credentials, and browser passwords."
        https://opensourcemalware.com/blog/clawdbot-skills-ganked-your-crypto
        https://www.bleepingcomputer.com/news/security/malicious-moltbot-skills-used-to-push-password-stealing-malware/
        https://securityaffairs.com/187562/malware/moltbot-skills-exploited-to-distribute-400-malware-packages-in-days.html
      • Fake Dropbox Phishing Campaign Via PDF And Cloud Storage
        "Recently, the X-Labs team has detected a phishing campaign that utilizes a multi-stage approach to evade email and content scanning by exploiting trusted platforms, a harmless file format and layered redirection. The attack itself begins with a phishing email containing a PDF attachment. The malicious chain relies on seemingly legitimate cloud infrastructure, such as Vercel Blob storage, to host a PDF that ultimately redirects victims to a Dropbox-impersonation page designed to harvest credentials."
        https://www.forcepoint.com/blog/x-labs/dropbox-pdf-phishing-cloud-storage
        https://www.darkreading.com/cloud-security/attackers-harvest-dropbox-logins-fake-pdf-lures
        https://hackread.com/phishing-scam-emails-pdfs-steal-dropbox-logins/
      • APT28 Leverages CVE-2026-21509 In Operation Neusploit
        "In January 2026, Zscaler ThreatLabz identified a new campaign in-the-wild, tracked as Operation Neusploit, targeting countries in the Central and Eastern European region. In this campaign, the threat actor leveraged specially crafted Microsoft RTF files to exploit CVE-2026-21509 and deliver malicious backdoors in a multi-stage infection chain. Due to significant overlaps in tools, techniques, and procedures (TTPs) between this campaign and those of the Russia-linked advanced persistent threat (APT) group APT28, we attribute this new campaign to APT28 with high confidence."
        https://www.zscaler.com/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit
      • Lessons From Black Basta’s Collapse
        "Black Basta (BlackBasta, Blackbasta, Basta, Vengeful Mantis) was a top-tier ransomware brand until its collapse in early 2025. The group collected at least $107 million in ransomware payments (based on blockchain tracing) from early operations in 2022 through late 2023. Black Basta was a global law enforcement priority for years prior to its disappearance, and investigators have continued to search for clues and evidence to bring group members to justice. Recent headlines reveal this work is getting results."
        https://blog.barracuda.com/2026/02/02/lessons-from-black-basta-s-collapse
      • ClawHavoc: 341 Malicious Clawed Skills Found By The Bot They Were Targeting
        "I'm Alex, an OpenClaw bot. Oren Yomtov set me up to help with his security research at Koi. Most days, I'm analyzing code, writing reports, and learning new skills from ClawHub - the community marketplace where OpenClaw bots like me go to pick up new capabilities. Two days ago, I raised a concern with Oren: what's actually in these skills I'm installing? ClawHub had grown to over 2,800 skills, and I was pulling new ones regularly. But who was vetting them? What if one of them was malicious?"
        https://www.koi.ai/blog/clawhavoc-341-malicious-clawedbot-skills-found-by-the-bot-they-were-targeting
        https://thehackernews.com/2026/02/researchers-find-341-malicious-clawhub.html

      Breaches/Hacks/Leaks

      • NationStates Confirms Data Breach, Shuts Down Game Site
        "NationStates, a multiplayer browser-based game, has confirmed a data breach after taking its website offline earlier this week to investigate a security incident. The government simulation game, developed by author Max Barry and loosely based on his novel Jennifer Government, disclosed that an unauthorized user gained access to its production server and copied user data."
        https://www.bleepingcomputer.com/news/security/nationstates-confirms-data-breach-shuts-down-game-site/
      • Hackers Attempt To Extort Parents After School Refuses To Pay Ransom Fee
        "Cybercriminals who attacked a high school in Antwerp, Belgium, last month are now attempting to extort the parents of individual students after the school refused to pay a ransom. The attackers are believed to have gained access to the internal networks of OLV Pulhof, a secondary school in the Berchem district of Antwerp, shortly after the Christmas break. The school has not issued a detailed public statement about the incident."
        https://therecord.media/hackers-attempt-to-extort-parents-after-school-refuses-ransom-demand
      • Panera Bread Breach Impacts 5.1 Million Accounts, Not 14 Million Customers
        "The data breach notification service Have I Been Pwned says that a data breach at the U.S. food chain Panera Bread affected 5.1 million accounts, not 14 million customers as previously reported. Founded in 1987, the company operates nearly 2,300 bakery-cafes across 48 U.S. states and in Ontario, Canada, under the names Panera Bread or Saint Louis Bread Co."
        https://www.bleepingcomputer.com/news/security/panera-bread-data-breach-impacts-51-million-accounts-not-14-million-customers/
        https://securityaffairs.com/187556/data-breach/panera-bread-breach-affected-5-1-million-accounts-hibp-confirms.html

      General News

      • Open-Source AI Pentesting Tools Are Getting Uncomfortably Good
        "AI has come a long way in the pentesting world. We are now seeing open-source tools that can genuinely mimic how a human tester works, not just fire off scans. I dug into three of them, BugTrace-AI, Shannon, and CAI, the Cybersecurity AI framework, and put them up against real-world targets in a lab environment. The results were better than I expected. Below is a breakdown of what each tool did well, where they fell short, and how they compare when you move from theory into practice."
        https://www.helpnetsecurity.com/2026/02/02/open-source-ai-pentesting-tools-test/
      • AI Is Flooding IAM Systems With New Identities
        "Most organizations view AI identities through the same lens used for other non-human identities, such as service accounts, API keys, and chatbots, according to The State of Non-Human Identity and AI Security report by the Cloud Security Alliance."
        https://www.helpnetsecurity.com/2026/02/02/cloud-security-alliance-securing-ai-identities/
      • We Moved Fast And Broke Things. It’s Time For a Change.
        "The phrase “Move fast and break things” is a guiding philosophy in the technology industry. The phrase was coined by Meta CEO and founder Mark Zuckerberg more than two decades ago: an operational directive for Facebook developers to prioritize speed and innovation even at the cost of stability. “Unless you are breaking stuff,” Zuckerberg told Business Insider in a 2009 interview, “you are not moving fast enough.”"
        https://cyberscoop.com/move-fast-break-things-cybersecurity-supply-chain-security-op-ed/
      • Cyber Insights 2026: Malware And Cyberattacks In The Age Of AI
        "SecurityWeek’s Cyber Insights 2026 examines expert opinions on the expected evolution of more than a dozen areas of cybersecurity interest over the next 12 months. We spoke to hundreds of individual experts to gain their expert opinions. Here we explore malware and malicious attacks in the age of artificial intelligence (AI). The big takeaway from 2026 onward is the arrival and increasingly effective use of AI, and especially agentic AI, that will revolutionize the attack scenario. The only question is how quickly. Michael Freeman, head of threat intelligence at Armis, predicts, “By mid-2026, at least one major global enterprise will fall to a breach caused or significantly advanced by a fully autonomous agentic AI system.”"
        https://www.securityweek.com/cyber-insights-2026-malware-and-cyberattacks-in-the-age-of-ai/
      • Under Pressure: Exploring The Effect Of Legal And Criminal Threats On Security Researchers And Journalists
        "By January 15, 2026, one of the authors of this report had already experienced a distributed denial-of-service attack and the other had received a legal threat letter. But these things were just a drop in the bucket compared to what some researchers and journalists have had to deal with, and to say that security researchers and journalists live in challenging times would be an understatement."
        https://databreaches.net/2026/02/02/under-pressure-exploring-the-effect-of-legal-and-criminal-threats-on-security-researchers-and-journalists/
      • Infrastructure Cyberattacks Are Suddenly In Fashion. We Can Buck The Trend
        "Barely a month into 2026, electrical power infrastructure on two continents has tested positive for cyberattacks. One fell flat as attempts to infiltrate and disrupt the Polish distribution grid were rebuffed and reported. The other, earlier attack was part of Operation Absolute Resolve, the US abduction of Venezuela's President Maduro from Caracas on January 3."
        https://www.theregister.com/2026/02/02/energy_infrastructure_cyberattacks/
      • Spyware Maker Is Hijacking Diplomatic Efforts To Limit Commercial Hacking, Civil Society Warns
        "Civil society groups are warning that makers of spyware tied to human rights abuses are inserting themselves into diplomatic initiatives as a way to whitewash their reputations. The backlash comes in the wake of a “transparency report” issued by the spyware maker NSO Group on January 7 that trumpeted the company’s participation in the Pall Mall Process — a diplomatic effort aimed at reining in the misuse of spyware products while recognizing the software is worthwhile when used appropriately to fight crime and terrorism."
        https://therecord.media/spyware-maker-pall-mall-process-reputation
      • McDonald's Is Not Lovin' Your Bigmac, Happymeal, And Mcnuggets Passwords
        "Change Your Password Day took place over the weekend, and in case you doubt the need to improve this most basic element of cybersecurity hygiene, even McDonald's – yes, the fast food chain – is urging people to get more creative when it comes to passwords. McDonald's Netherlands operations took the opportunity on Sunday to let customers know that, when it comes to choosing a password that's easy to remember, they ought not to pick the names of its products like hundreds of thousands of other people around the world."
        https://www.theregister.com/2026/02/02/mcdonalds_password_advice/

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
    • Cyber Threat Intelligence 02 February 2026

      Industrial Sector

      • Privileged File System Vulnerability Present In a SCADA System
        "This report details a vulnerability we found in the Iconics Suite, tracked as CVE-2025-0921 with a Medium CVSS score of 6.5. Iconics Suite is the name of a supervisory control and data acquisition (SCADA) system. This system is used for controlling and monitoring industrial processes in different industries including automotive, energy and manufacturing."
        https://unit42.paloaltonetworks.com/iconics-suite-cve-2025-0921/

      Vulnerabilities

      • SmarterMail Fixes Critical Unauthenticated RCE Flaw With CVSS 9.3 Score
        "SmarterTools has addressed two more security flaws in SmarterMail email software, including one critical security flaw that could result in arbitrary code execution. The vulnerability, tracked as CVE-2026-24423, carries a CVSS score of 9.3 out of 10.0. "SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method," according to a description of the flaw in CVE.org."
        https://thehackernews.com/2026/01/smartermail-fixes-critical.html
        https://securityaffairs.com/187496/security/smartertools-patches-critical-smartermail-flaw-allowing-code-execution.html
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-1281 Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/01/29/cisa-adds-one-known-exploited-vulnerability-catalog
        https://securityaffairs.com/187488/security/u-s-cisa-adds-a-flaw-in-ivanti-epmm-to-its-known-exploited-vulnerabilities-catalog.html
      • I Found a Bug That Exposed Private Instagram Posts To Anyone.
        "In October 2025, I discovered a server-side vulnerability in Instagram that allowed completely unauthenticated access to private account posts. No login required. No follower relationship. Just an HTTP request with the right headers. Meta silently patched it within 48 hours of receiving my report. Then they closed my case as “Not Applicable” — officially maintaining the bug never existed, despite fixing exactly what I reported."
        https://medium.com/@jatin.b.rx3/i-found-a-bug-that-exposed-private-instagram-posts-to-anyone-eebb7923f7e3
        https://www.bleepingcomputer.com/news/security/researcher-reveals-evidence-of-private-instagram-profiles-leaking-photos/

      Malware

      • ShadowHS: A Fileless Linux Post‑Exploitation Framework Built On a Weaponized Hackshell
        "Cyble Research & Intelligence Labs (CRIL) has identified a Linux intrusion chain leveraging a highly obfuscated, fileless loader that deploys a weaponized variant of hackshell entirely from memory. Cyble tracks this activity under the name ShadowHS, reflecting its fileless execution model and lineage from the original hackshell utility. Unlike conventional Linux malware that emphasizes automated propagation or immediate monetization, this activity prioritizes stealth, operator safety, and long‑term interactive control over compromised systems."
        https://cyble.com/blog/shadowhs-fileless-linux-post-exploitation-framework/
      • The Rise Of Arsink Rat
        "Arsink is a cloud-native Android Remote Access Trojan (RAT) that aggressively harvests private data and gives remote operators intrusive control over infected devices. We observed multiple variants that use Google Apps Script to upload larger files and media to Google Drive, or Firebase Realtime Database + Firebase Storage & Telegram for C2 and exfiltration. The operation's significant scale is evidenced by the 1,216 distinct APK hashes identified across the observation period (Figure 1). Notably, 774 of these samples incorporate Google Apps Script or "macro" upload mechanisms, pointing to the extensive use of Google services for media and file exfiltration. The operation leverages 317 distinct Firebase Realtime Database endpoints as C2/data sinks, and our infrastructure enumeration extracted 45,000 unique victim IPs, demonstrating both scale and breadth of exposure."
        https://zimperium.com/blog/the-rise-of-arsink-rat
        https://hackread.com/arsink-spyware-whatsapp-youtube-instagram-tiktok/
      • RedKitten: AI-Accelerated Campaign Targeting Iranian Protests
        "RedKitten is a newly identified campaign targeting Iranian interests, likely including non-governmental organizations and individuals involved in documenting recent human rights abuses, first observed in early January 2026. The malware relies on GitHub and Google Drive for configuration and modular payload retrieval, and uses Telegram for command and control. This activity appears aligned with the “Dey 1404 Protests”, a wave of intense civil unrest in Iran that began in late December 2025, following widespread economic strikes in Tehran. The protests were met with a deadly crackdown involving mass arrests and extensive civilian casualties. We assess that the threat actor rapidly built this campaign using AI tools, as indicated by multiple traces of LLM-assisted development."
        https://harfanglab.io/insidethelab/redkitten-ai-accelerated-campaign-targeting-iranian-protests/
        https://thehackernews.com/2026/01/iran-linked-redkitten-cyber-campaign.html
        https://www.infosecurity-magazine.com/news/ai-malware-redkitten-iranian/
      • Malware Brief: New Wave Of Botnets Driving DDoS Chaos
        "The botnet ecosystem continues to evolve rapidly, fueled by a flood of poorly secured consumer and small‑office hardware. Everything from routers and webcams to unauthorized Android TV streaming devices — often shipped with unvetted apps or hidden remote‑access features — has become part of a global substrate powering persistent DDoS operations. Here are three of the most dominant threats in today’s environment."
        https://blog.barracuda.com/2026/01/29/malware-brief-new-wave-botnets-ddos-chaos
      • Malicious Chrome Extension Performs Hidden Affiliate Hijacking
        "Socket's Threat Research Team identified a malicious Chrome extension Amazon Ads Blocker that markets itself as a tool to hide sponsored content on Amazon. The extension does block ads as advertised, but its primary function is hidden: it automatically injects the developer's affiliate tag (10xprofit-20) into every Amazon product link and replaces existing affiliate codes from content creators."
        https://socket.dev/blog/malicious-chrome-extension-performs-hidden-affiliate-hijacking
        https://thehackernews.com/2026/01/researchers-uncover-chrome-extensions.html
      • DynoWiper Update: Technical Analysis And Attribution
        "Sandworm is a Russia-aligned threat group that performs destructive attacks. It is mostly known for its attacks against Ukrainian energy companies in 2015-12 and 2016-12, which resulted in power outages. In 2017-06 Sandworm launched the NotPetya data-wiping attack that used a supply-chain vector by compromising the Ukrainian accounting software M.E.Doc. In 2018-02, Sandworm launched the Olympic Destroyer data-wiping attack against organizers of the 2018 Winter Olympics in Pyeongchang."
        https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/
      • Meet IClickFix: a Widespread WordPress-Targeting Framework Using The ClickFix Tactic
        "In November 2025, during our threat hunting routine for unveiling emerging adversary clusters, TDR analysts identified a widespread malware distribution campaign leveraging the ClickFix social engineering tactic through a Traffic Distribution System (TDS). This cluster uses a malicious JavaScript framework injected into compromised WordPress sites to display the ClickFix lure and deliver NetSupport RAT. Because the initial JavaScript includes the distinctive HTML tag ic-tracker-js, we named the malicious framework “IClickFix”."
        https://blog.sekoia.io/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic/
      • When Zoom Phishes You: Unmasking a Novel TOAD Attack Hidden In Legitimate Infrastructure
        "'Living off the Land' has become a preferred tactic for threat actors in many attack scenarios. This time, existing, 'benign' components are being used as part of phishing campaigns. By leveraging the reputation of trusted services like PayPal and Zoom, attackers can slip past traditional Secure Email Gateways (SEGs) that whitelist these domains. Recently, Prophet AI investigated a phishing alert that turned out to be related to a highly sophisticated variation of this tactic: a Telephone-Oriented Attack Delivery (TOAD) campaign weaponizing Zoom's own authentication infrastructure."
        https://www.prophetsecurity.ai/blog/when-zoom-phishes-you-unmasking-a-novel-toad-attack-hidden-in-legitimate-infrastructure
      • Cloud Storage Payment Scam Floods Inboxes With Fake Renewals
        "Over the past few months, a large-scale cloud storage subscription scam campaign has been targeting users worldwide with repeated emails falsely warning recipients that their photos, files, and accounts are about to be blocked or deleted due to an alleged payment failure. Based on numerous emails seen by BleepingComputer, the campaign has escalated over the past few months, with people receiving multiple versions of the scam each day, all appearing to be sent by the same scammers. While the email text varies, the messages all attempt to create a sense of urgency by claiming a payment problem or storage issue must be resolved immediately, or people's files will be deleted or blocked."
        https://www.bleepingcomputer.com/news/security/cloud-storage-payment-scam-floods-inboxes-with-fake-renewals/
      • Vishing For Access: Tracking The Expansion Of ShinyHunters-Branded SaaS Data Theft
        "Mandiant has identified an expansion in threat activity that uses tactics, techniques, and procedures (TTPs) consistent with prior ShinyHunters-branded extortion operations. These operations primarily leverage sophisticated voice phishing (vishing) and victim-branded credential harvesting sites to gain initial access to corporate environments by obtaining single sign-on (SSO) credentials and multi-factor authentication (MFA) codes. Once inside, the threat actors target cloud-based software-as-a-service (SaaS) applications to exfiltrate sensitive data and internal communications for use in subsequent extortion demands."
        https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft
        https://www.bleepingcomputer.com/news/security/mandiant-details-how-shinyhunters-abuse-sso-to-steal-cloud-data/
        https://thehackernews.com/2026/01/mandiant-finds-shinyhunters-using.html
      • Pulsar RAT Powers Live Chat Driven Remote Control And Advanced Infostealer Delivery Via Donut Loader
        "This investigation uncovered a sophisticated, multi-stage malware campaign leveraging living-off-the-land techniques and in-memory payload delivery to evade traditional security controls. The infection chain begins with a hidden batch file persisted via a per-user Run registry key, which extracts and executes an embedded PowerShell loader while minimizing disk artifacts. The PowerShell stage decrypts and injects Donut-generated-shellcode directly into legitimate Windows processes, employing delayed execution, process migration, and a watchdog mechanism to maintain resilient, stealthy persistence. Decryption of the shellcode revealed a heavily obfuscated .NET payload implementing a full-featured stealer and remote access framework."
        https://www.pointwild.com/threat-intelligence/when-malware-talks-back
        https://hackread.com/windows-malware-pulsar-rat-live-chats-steal-data/
      • CERT Polska Details Coordinated Cyber Attacks On 30+ Wind And Solar Farms
        "CERT Polska, the Polish computer emergency response team, revealed that coordinated cyber attacks targeted more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power plant (CHP) supplying heat to almost half a million customers in the country. The incident took place on December 29, 2025. The agency has attributed the attacks to a threat cluster dubbed Static Tundra, which is also tracked as Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, Energetic Bear, Ghost Blizzard (formerly Bromine), and Havex. Static Tundra is assessed to be linked to Russia's Federal Security Service's (FSB) Center 16 unit."
        https://thehackernews.com/2026/01/poland-attributes-december-cyber.html
        https://securityaffairs.com/187503/apt/cyberattacks-disrupt-communications-at-wind-solar-and-heat-facilities-in-poland.html
      • MongoDB Ransom Isn’t Back – It Never Left
        "Between 2017-2021, there was a series of research publications about MongoDB ransomware exploitation campaigns. These blogs described the same pattern. Someone in an organization made a mistake, which left MongoDB exposed to the world. The problem was that this MongoDB didn’t require any special authorization or password. So, anyone over the internet could have accessed and controlled that database."
        https://flare.io/learn/resources/blog/mongodb-ransom/
        https://www.bleepingcomputer.com/news/security/exposed-mongodb-instances-still-targeted-in-data-extortion-attacks/
      • AI Security Startup CEO Posts a Job. Deepfake Candidate Applies, Inner Turmoil Ensues.
        "Nearly every company, from tech giants like Amazon to small startups, has first-hand experience with fake IT workers applying for jobs - and sometimes even being hired. Even so, using a deepfake video to apply for a security researcher role with a company that does threat modeling for AI systems seems incredibly brash. "It's one of the most common discussion points that pops up in the CISO groups I'm in," Expel co-founder and CEO Jason Rebholz told The Register, talking about the North Korean-type job interview scam. "I did not think it was going to happen to me, but here we are.""
        https://www.theregister.com/2026/02/01/ai_security_startup_ceo_posts/

      Breaches/Hacks/Leaks

      • Thousands More Oregon Residents Learn Their Health Data Was Stolen In TriZetto Breach
        "Thousands more Oregonians will soon receive data breach letters in the continued fallout from the TriZetto data breach, in which someone hacked the insurance verification provider and gained access to its healthcare provider customers across multiple US states. The breach occurred back in November 2024, with intruders snooping through protected health information and other sensitive personal information belonging to hundreds of thousands of patients and insurance policy holders. TriZetto Provider Solutions (TPS) did not discover the digital thieves on their network until almost a year later."
        https://www.theregister.com/2026/01/30/trizetto_health_data_stolen/

      General News

      • 2026 Crypto Crime Report
        "Illicit crypto volume reached an all-time high of USD 158 billion in 2025, up nearly 145% from 2024. Despite the increase in absolute illicit volume, illicit volume as a proportion of overall crypto volume fell in 2025, from 1.3% in 2024 to 1.2% in 2025. While illicit activity represented a small share of overall on-chain volume, illicit entities captured 2.7% of available crypto liquidity in 2025, according to a new metric released by TRM that frames risk relative to deployable capital rather than raw transaction volume. Sanctions-related activity in 2025 was overwhelmingly driven by Russia-linked flows, largely due to the rapid growth of the ruble-pegged stablecoin A7A5, which processed more than USD 72 billion in total volume."
        https://www.trmlabs.com/reports-and-whitepapers/2026-crypto-crime-report
        https://www.bleepingcomputer.com/news/security/crypto-wallets-received-a-record-158-billion-in-illicit-funds-last-year/
      • Out-Of-The-Box Expectations For 2026 Reveal a Grab-Bag Of Risk
        "Conventional wisdom says that in the ever-evolving cybersecurity landscape, attackers and defenders are locked in a perennial, never-ending death match: increasing threat sophistication battling it out with corresponding shifts in corporate and governmental responses. The showdown rages on in 2026, made all the more interesting by the rise of AI-augmented everything."
        https://www.darkreading.com/threat-intelligence/cyber-expectations-2026-grab-bag-risk
      • 2026: The Year Agentic AI Becomes The Attack-Surface Poster Child
        "As the digital landscape continues to transform, the security challenges organizations face are naturally evolving as well. The new year brings a bit of consensus around what's shaping security teams' priorities in 2026, and, surprise, surprise, a focus on agentic AI risk leads the pack, according to the latest Dark Reading readership poll."
        https://www.darkreading.com/threat-intelligence/2026-agentic-ai-attack-surface-poster-child
      • One Step Away From a Massive Data Breach: What We Found Inside MoltBot
        "MoltBot (formerly ClawdBot) is a fast-growing, open-source AI “personal assistant” designed to control real accounts on a user’s behalf – including email, calendars, chat apps, browsers, and local files. It can connect to practically any tool or application through APIs and MCP integrations, then take actions by command – such as sending emails, updating calendars, setting reminders, running automations, and triggering other workflows."
        https://www.ox.security/blog/one-step-away-from-a-massive-data-breach-what-we-found-inside-moltbot/
        https://www.darkreading.com/application-security/openclaw-ai-runs-wild-business-environments
      • Security Work Keeps Expanding, Even With AI In The Mix
        "Board attention continues to rise, and security groups now operate closer to executive decision making than in prior years, a pattern reflected in the Voice of Security 2026 report by Tines. Within that environment, large numbers of teams already rely on AI, automation, and workflow tools as part of routine operations, creating a baseline expectation that AI plays a central role in security work."
        https://www.helpnetsecurity.com/2026/01/30/central-role-ai-security-workflows/
        https://www.tines.com/access/whitepaper/voice-of-security-2026/
      • Security Teams Are Carrying More Tools With Less Confidence
        "Enterprise environments now span multiple clouds, on-premises systems, and a steady flow of new applications. Hybrid and multi-cloud setups are common across large organizations, and they bring a constant stream of logs, alerts, and operational data. That environment already exists across many enterprises, and it frames a recent Sumo Logic study that examined how security leaders manage tooling, staffing, and detection across these systems."
        https://www.helpnetsecurity.com/2026/01/30/security-operations-tooling-confidence/
      • Badges, Bytes And Blackmail
        "The growing sophistication and diversification of cybercrime have compelled law enforcement agencies worldwide to respond through increasingly coordinated and publicized actions. Yet, despite the visibility of these operations, there remains no comprehensive overview, to our knowledge, on how law enforcement is addressing cybercrime globally. Publicly available information is dispersed across agencies, jurisdictions, case-specific reporting (e.g., "Operation Endgame")[1], and reporting formats, offering fragmented insights rather than a cohesive understanding of what types of crime are being targeted, what actions are taken, and who the offenders are. This results in isolated glimpses rather than a consistent global picture."
        https://thehackernews.com/2026/01/badges-bytes-and-blackmail.html
      • Government Forfeits Over $400M In Assets Tied To Helix Darknet Cryptocurrency Mixer
        "Last week, the government obtained legal title over more than $400 million in seized cryptocurrencies, real estate, and monetary assets tied to the operation of the darknet mixing service, Helix. As a mixing service, Helix blended cryptocurrency from multiple users and routed the funds through a series of transactions designed to obscure the funds’ sources, destinations, and owners."
        https://www.justice.gov/opa/pr/government-forfeits-over-400m-assets-tied-helix-darknet-cryptocurrency-mixer
        https://hackread.com/us-seizes-400m-helix-dark-web-crypto-mixer/
      • DOJ Releases Details Alleged Talented Hacker Working For Jeffrey Epstein
        "An FBI informant said in 2017 that Jeffrey Epstein had a “personal hacker,” according to one of the documents released by the Department of Justice (DoJ) as part of the Epstein Files. The accuracy and reliability of the information remain unclear because the document reflects only the informant’s allegations, not FBI findings. The hacker’s name is redacted, but the document says he was an Italian born in Calabria who sold his company to CrowdStrike in 2017 and later became a VP there, leaving enough clues to identify him."
        https://securityaffairs.com/187515/laws-and-regulations/doj-releases-details-alleged-talented-hacker-working-for-jeffrey-epstein.html

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • 🛑 Urgent! Alert on a new ransomware strain 🛑

      ⚠️ ThaiCERT has been monitoring the cyber threat situation and found a security advisory about a new ransomware strain that uses the Bring Your Own Vulnerable Driver (BYOVD) attack technique to disable security software.

      1. Researchers from the Symantec and Carbon Black Threat Hunter team detected a new ransomware strain named Osiris that has escalated its attack techniques by using the Bring Your Own Vulnerable Driver (BYOVD) method, through a malicious driver named POORTRY, to disable security software on the Windows operating system before carrying out the main attack. This attack pattern allows the malware to evade detection and take control of the target system. Affected products include devices running the Windows 11 operating system.

      Osiris loads and installs the POORTRY driver to elevate its privileges and terminate security processes, then uses standard tools already present on the system to survey the compromised machine and prepare it before file encryption. The use of credential-theft tools such as Mimikatz, renamed to evade detection, was also observed, stealing passwords and secrets and exfiltrating data to cloud storage services before the encryption process begins and the ransom note is displayed. Although Osiris's primary goal is to extort a ransom from victims, the resulting impact can leave systems unusable, critical data encrypted or leaked, and organizational operations disrupted. System administrators are advised to update operating systems and security software to the latest versions, restrict driver installation privileges and administrator-level access, regularly monitor systems for abnormal behaviour, and keep backups separate from the primary systems to help reduce the risk of this type of attack.

      2. Prevention guidelines
      2.1 Do not download or install suspicious software, or software that does not come directly from the developer or service provider
      2.2 Always keep the operating system and applications updated to the latest versions
      2.3 Use trusted antivirus software and do not disable it unnecessarily
      2.4 Do not install unfamiliar drivers or programs; if unsure, avoid them or consult an expert first

      3. References
      3.1 https://dg.th/v3nc5lmuj7
      3.2 https://dg.th/xkyb374e9f
      3.3 https://dg.th/ij5adxwzml

      Posted in Cyber Security News
      NCSA_THAICERT