Zero Day Wire - Zero Day Wire (Page 5)

Threats

Interlock Ransomware Deploys Zero-Day Anti-Cheat Driver Exploit to Kill EDR Processes

FortiGuard Incident Response has documented a new tool in Interlock ransomware's arsenal — a bring-your-own-vulnerable-driver (BYOVD) process killer that abuses a zero-day vulnerability in a gaming anti-cheat kernel driver to terminate EDR and AV processes before ransomware deployment. The activity was observed during an intrusion against a North American

Threats

AI-Assisted Cloud Intrusion Achieves AWS Admin Access in 8 Minutes

Sysdig's Threat Research Team has published a detailed analysis of a cloud intrusion in which a threat actor went from stolen credentials to full AWS administrative access in under 10 minutes — with strong indicators that large language models were used throughout the operation to automate reconnaissance, generate exploitation

Alerts

Django Patches Three High-Severity SQL Injection Flaws Across All Supported Versions

The Django project has issued security releases across all supported versions — Django 6.0.2, 5.2.11, and 4.2.28 — addressing six vulnerabilities, three of which are high-severity SQL injection flaws that could allow attackers to execute arbitrary SQL commands against backend databases. All three SQL injection CVEs

Breaches

Step Finance Loses $40M in Crypto After Executive Devices Compromised

Step Finance, one of the most widely used DeFi dashboard and analytics platforms on Solana, has disclosed that attackers stole approximately $40 million in digital assets after compromising devices belonging to company executives. The breach was detected on January 31 during APAC hours. Step Finance described the attacker as a

Threats

BlueNoroff Weaponizes Microsoft Teams Calls to Steal macOS Credentials in Real-Time

Daylight Security has published findings from a real-world intrusion in which BlueNoroff — the financially motivated subgroup of North Korea's Lazarus Group — used live social engineering over Microsoft Teams to compromise a macOS endpoint, steal Keychain credentials, and stage data for exfiltration. The entire attack was operator-driven in real

Alerts

Critical 1-Click RCE in OpenClaw Gives Attackers Full Control of Developer Machines (CVE-2026-25253)

A critical vulnerability in OpenClaw — the viral open-source AI assistant trusted by over 100,000 developers — allows attackers to achieve full remote code execution on a victim's machine through a single webpage visit. No user interaction beyond loading the page is required. CVE-2026-25253 (CVSS 8.8) affects all

Threats

Inside the Lazarus Group's Contagious Interview Machine: 857 Developers Compromised, 241,000 Credentials Stolen

A months-long offensive investigation by Red Asgard's threat research team has produced one of the most detailed public examinations of North Korea's Contagious Interview campaign infrastructure ever published. The findings — spanning four malware families, approximately 20 previously undocumented C2 servers, a novel binary protocol, and unauthenticated

Alerts

APT28 Weaponizes Microsoft Office Zero-Day Within 24 Hours, Targets Ukraine and EU with Covenant Backdoor

Russian state-sponsored hacking group APT28 weaponized a critical Microsoft Office zero-day vulnerability within 24 hours of public disclosure, launching targeted attacks against Ukrainian government agencies and European Union institutions. Ukraine's Computer Emergency Response Team (CERT-UA) detected exploitation attempts beginning January 27 — just one day after Microsoft published details

Threats

Chinese APT Lotus Blossom Hijacked Notepad++ Updates for Six Months, Deploying New Chrysalis Backdoor

Chinese state-sponsored threat actors compromised the update infrastructure for Notepad++, the popular open-source text editor with tens of millions of Windows users, and maintained access for nearly six months while selectively targeting victims with malicious updates. The Notepad++ development team confirmed the breach today, stating that attackers intercepted update requests

Threats

ShinyHunters Escalates SaaS Data Theft with Vishing and MFA Manipulation

Mandiant has published a detailed analysis of an escalation in threat activity linked to ShinyHunters-branded extortion operations. The campaigns leverage evolved voice phishing (vishing) techniques and victim-branded credential harvesting pages to compromise single sign-on credentials and enroll unauthorized devices into victim MFA solutions — enabling access to cloud SaaS environments for

Threats

GhostChat Spyware Uses Romance Scams and WhatsApp Hijacking to Target Pakistani Android Users

Security researchers have uncovered a coordinated espionage campaign targeting Android users in Pakistan through a spyware operation that combines romance-themed social engineering, mobile surveillance, and WhatsApp account hijacking. ESET researchers track the Android component as GhostChat, a spyware that masquerades as a dating application while exfiltrating sensitive data and enabling

Threats

ShadowHS: Fileless Linux Framework Executes Entirely from Memory for Long-Term Intrusion Operations

Security researchers have uncovered a sophisticated Linux post-exploitation framework that operates entirely in memory, leaving no persistent artifacts on disk while providing operators with extensive capabilities for long-term intrusion operations. Cyble Research & Intelligence Labs tracks the activity as ShadowHS, reflecting its fileless execution model and lineage from the original