Everything is dumb again. This week feels broken in a very familiar way. Old tricks are back. New tools are doing shady crap. Supply chains got hit. Fake help desks worked. Weird research showed how easy some attacks still are.

Most of it feels like stuff we should have fixed years ago. Bad extensions. Stolen creds. Remote tools are getting abused. Malware hides in places people trust. Same mess, cleaner packaging.

Coffee is cold. The vuln list is ugly. Let’s get into it.

⚡ Threat of the Week

New fast16 Malware Was Developed Years Before Stuxnet—A new Lua-based malware called fast16, created years before the notorious Stuxnet worm, is designed to primarily target high-precision calculation software to tamper with results. The framework dates back to 2005. Analysis suggests that fast16 was active at least five years before the emergence of Stuxnet. Widely regarded as a joint U.S.-Israeli project, Stuxnet marked a turning point in cyber warfare as the first disruptive digital weapon and eventually served as the blueprint for the Duqu information-stealing rootkit. Fast16, however, establishes a much earlier timeline for such sophisticated operations. The development places its origin well before Stuxnet came into being. Although it’s currently not known if it was ever deployed in the wild, the investigation found three potential types of physical simulation software that the malware might have been designed to tamper with. «It focuses on making slight alterations to these calculations so that they lead to failures – very subtle ones, perhaps not immediately apparent,» security researcher Vitaly Kamluk told WIRED. «Systems might wear out faster, collapse, or crash, and scientific research could yield incorrect conclusions, potentially causing serious harm.»

🔔 Top News

• UNC6692 Resorts to Teams Help Desk Impersonation—A new threat group tracked as UNC6692 uses social engineering to deploy a new, custom malware suite named Snow, which consists of a browser extension, a tunneler, and a backdoor. The end goal is to steal sensitive data after network compromise through credential theft and domain takeover. «This component is where active reconnaissance and mission completion occur,» Google Mandiant noted. «Attacker commands (such as whoami or net user) are sent through the SnowGlaze tunnel, intercepted by the SnowBelt extension, and then proxied to the SnowBasin local server via HTTP POST requests. SnowBasin executes these commands and relays the results back through the same pipeline to the attacker.»
• U.S. Federal Agency Targeted by FIRESTARTER Backdoor—The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that an unnamed federal civilian agency’s Cisco Firepower device running Adaptive Security Appliance (ASA) software was compromised in September 2025 with a new malware called FIRESTARTER. FIRESTARTER is assessed to be a backdoor designed for remote access and control. It’s believed to be deployed as part of a «widespread» campaign orchestrated by an advanced persistent threat (APT) actor to obtain access to Cisco Adaptive Security Appliance (ASA) firmware by exploiting now-patched security flaws such as CVE-2025-20333 and CVE-2025-20362. Given the backdoor’s ability to survive patches and system reboots, Cisco is recommending users reimage and update to the latest fixed versions.
• Lotus Wiper Malware Targets Venezuelan Energy Systems—A previously undocumented data wiper codenamed Lotus Wiper has been used in attacks targeting the energy and utilities sector in Venezuela at the end of last year and the start of 2026. «Two batch scripts are responsible for initiating the destructive phase of the attack and preparing the environment for executing the final wiper payload,» Kaspersky said. «These scripts coordinate the start of the operation across the network, weaken system defenses, and disrupt normal operations before retrieving, deobfuscating, and executing a previously unknown wiper.» Once deployed, the wiper erases recovery mechanisms, overwrites the content of physical drives, and systematically deletes files across affected volumes, effectively leaving the system in an inoperable state.
• The Gentlemen Deploys SystemBC Malware—Threat actors associated with The Gentlemen ransomware‑as‑a‑service (RaaS) operation have been observed attempting to deploy a known proxy malware called SystemBC. The ransomware group has quickly made a name for itself in a matter of months, claiming more than 320 victims on its data leak site since its emergence in July 2025. According to Comparitech, the group claimed 202 attacks last quarter, second only to Qilin’s 353 claims. NCC Group found The Gentlemen was responsible for 34 attacks in January and 67 in February 2026, making it a prominent player alongside other established groups like Qilin, Akira, and Cl0p. «The emergence of The Gentlemen group among the top three most active threat actors is notable as it demonstrates how a relatively new group can scale operations rapidly,» NCC Group said. The development comes as another nascent ransomware group called Kyber has attracted attention for becoming the first RaaS crew to adopt the Kyber1024 (aka ML-KEM) post-quantum encryption algorithm for its Windows variant of the locker. In related news, the threat actors linked to the Trigona ransomware, dubbed Rhantus, have been observed using a custom data exfiltration tool that’s designed to provide attackers with more control over what files to choose (or ignore) and facilitate rapid data transfer by opening five parallel connections per file. The attacks were detected in March 2026. It’s not known why the threat actors shifted from readily available tools like Rclone. The use of custom tooling in the ransomware landscape is something of a rarity, even as it’s a double-edged sword for attackers. «While it requires development resources and time, these tools can provide a level of stealth that generic tools cannot match, at least until they’re discovered,» the Symantec and Carbon Black Threat Hunter Team said. 
• Bitwarden CLI Compromised in Supply Chain Campaign—Bitwarden CLI, the command-line interface for the password manager Bitwarden, was compromised as part of a new supply chain attack that targeted Checkmarx’s Docker images, Visual Studio Code extensions, and GitHub Actions workflow. The affected package, @bitwarden/cli@2026.4.0, contained malicious code to steal sensitive data from developer systems. The malware also features self-propagation capabilities, using stolen npm credentials to identify packages the victim can modify and inject them with malicious code to expand its reach. Bitwarden has since addressed the issue. The attack appears to be the work of a threat actor known as TeamPCP, although references to the string «Shai-Hulud: The Third Coming» have complicated attribution.

🔥 Trending CVEs

Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild.

Check the list, patch what you have, and hit the ones marked urgent first — CVE-2026-40372 (Microsoft ASP.NET Core), CVE-2026-33626 (LMDeploy), CVE-2026-5760 (SGLang), CVE-2026-5752 (Cohere AI Terrarium), CVE-2026-3517, CVE-2026-3518, CVE-2026-3519, CVE-2026-4048 (Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager, and MOVEit WAF), CVE-2026-21876 (Progress MOVEit WAF), CVE-2026-32173 (Microsoft Azure SRE Agent), CVE-2026-25262 (Qualcomm), CVE-2025-24371 (CometBFT), CVE-2026-5754 (Radware Alteon), CVE-2026-40872 (Mailcow), CVE-2026-27654 (Nginx), CVE-2026-5756 (DRC INSIGHT), CVE-2026-5757 (Ollama), CVE-2026-41651 aka Pack2TheRoot (Linux PackageKit), CVE-2026-33824 (Microsoft Windows IKEv2), CVE-2026-21571, CVE-2026-33871 (Atlassian Bamboo Data Center), CVE-2026-40050 (CrowdStrike LogScale), CVE-2026-32604, CVE-2026-32613 (Spinnaker), CVE-2026-33694 (Tenable Nessus Agent on Windows), TRA-2026-30 (Windows-driver-samples), TRA-2026-35 (Yuma AI), and a remote code execution flaw in Slippi (no CVE).

🎥 Cybersecurity Webinars

• Stop Testing, Start Validating: Outsmart Hackers with Agentic AI → Stop guessing which security gaps matter most while hackers use AI to find them for you. Most tools just follow a static checklist, but «Agentic Exposure Validation» actually thinks like an attacker, uncovering hidden paths into your network that traditional scans miss. Join this webinar to see how autonomous AI agents can test your defenses 24/7 and help you fix the risks that truly matter before they are exploited.
• Stop the Spread: How to Kill «Patient Zero» Before Your Network Goes Down → It only takes one «Patient Zero» to bring down your entire company. While traditional tools look for old threats, modern hackers are using AI-powered tricks to slip past your defenses undetected. Join this webinar to see how these new attacks work and learn simple «Zero Trust» steps to stop a breach before it spreads. Don’t wait for a crisis—learn how to lock down your network today.
• Connect the Dots: Stop Attackers Before They Reach Your Data → Hackers aren’t just looking for one big bug; they are chaining small, hidden gaps in your code and cloud to create a direct path to your data. Most security tools only see these issues in isolation, leaving you blind to the «big picture» thatan attacker sees. Join this webinar to learn how to map these complex attack paths and fix the real risks before they are exploited.

📰 Around the Cyber World

• Turning the Web Into a Trap for LLMs —Google has revealed that indirect prompt injections (IPI) are a top security priority, calling it a «primary attack vector for adversaries to target and compromise AI agents.» Unlike regular prompt injection that seeks to manipulate a chatbot into executing malicious instructions, IPI occurs when an AI system processes content, like a website, email, or document, that contains nefarious commands. As this content is processed by the AI, it may end up following the attacker’s commands instead of the user’s original intent. This is complicated by the fact that attackers use a gaggle of tricks to hide malicious instructions from human eyes while keeping them fully visible to AI. This often involves making the text invisible through CSS, encoding it in various formats, or stashing it in unexpected locations. In at least one malicious scenario, Google flagged a number of websites that attempt to vandalize the machines of anyone using AI assistants. If executed, the commands in this example would try to delete all files on the user’s machine. Some websites include prompt injections for the purpose of SEO, trying to manipulate AI assistants into promoting their business over others. «Additionally, even though sophistication was low, we observed an uptick in detections over time: We saw a relative increase of 32% in the malicious category between November 2025 and February 2026, repeating the scan on multiple versions of the [CommonCrawl] archive,» Google said. «This upward trend indicates growing interest in IPI attacks.»
• Meta Debuts Improved Meta Account —Meta has introduced an improved Meta Account as a centralized way to sign in and manage Meta apps and devices like Facebook, Instagram, and AI glasses. Besides adding support for passkeys, Meta also allows users to «optionally set up a single password to log into your apps and devices so you no longer have to remember multiple passwords.»
• X Launches XChat —X launched XChat as a standalone app for iOS, allowing users on the platform to connect with others for messaging, file sharing, audio and video calls, as well as group chats. The company claims all messages are end-to-end encrypted and PIN-protected — though security experts have previously disputed the company’s encryption claims when an early version was teased last year. XChat’s app listing page shows that it can collect location, contacts, search history, usage data, identifiers, and device diagnostics, and link that information to a user’s identity directly.
• Meta Plans to Track Employee Mouse Movements, Keystrokes for AI Model Training —Meta is installing tracking software on the systems of U.S. employees to capture mouse movements, clicks, and keystrokes, per a report from Reuters. Meta said the data will be used to train its artificial intelligence (AI) models and will not be used for employee reviews. In a similar development, GitHub notified users that the GitHub CLI now collects anonymous usage telemetry by default and that they should disable the feature if they do not want to share such information.
• Surge in Attacks Involving Compromised Bomgar Instances —Huntress has recorded an uptick in incidents involving compromised Bomgar remote monitoring and management (RMM) instances. «The surge follows intermittent waves of exploitation we have seen over the past two months, after BeyondTrust first disclosed a critical-severity flaw (CVE-2026-1731) in Bomgar in February,» the company said. «On February 6, 2026, BeyondTrust issued fixes for the flaw in Bomgar (rebranded as BeyondTrust Remote Support), which could be exploited by an unauthenticated attacker to remotely execute code.» The specific root cause behind these attacks is not clear, but the incidents likely stem from the exploitation of CVE-2026-1731. Fortra has also spotted phishing campaigns trying to lure victims into installing Datto’s CentraStage remote monitoring and management tool, which attackers are then using to connect back into the victim’s internal network. The findings demonstrate threat actors’ continued shift toward exploiting RMMs rather than using traditional malware.
• Over 1.2K C2 Servers Linked to Russian Infrastructure Providers —A large-scale study of the Russian web hosting space has found more than 1,250 malicious command-and-control servers hosted inside Russia this year. Most of the servers are linked to malware families and IoT botnets, such as Keitaro, Hajime, Cobalt Strike, Sliver, Mozi, and Mirai, according to Hunt.io.
• Tether Freezes $344M —Tether announced that it supported the U.S. Government in freezing $344 million USD₮ across two addresses. «The freeze was executed after the addresses were identified, preventing further movement of funds,» the company said. «The freeze follows information shared with Tether by several U.S. authorities about activity tied to unlawful conduct. When wallets are identified as connected to sanctions evasion, criminal networks, or other illicit activity, Tether can move to restrict those assets.»
• Malicious Chrome Extension Masquerades as Google Authenticator —A malicious Chrome extension posing as the official Google Authenticator app was identified in the official extension marketplace as part of an ongoing malicious campaign codenamed AIFrame, active since at least early 2026. «The extension appears to use Chrome’s localization system and skeleton code to bypass security reviews,» DomainTools said. «Despite its functional appearance, it requests broad, unnecessary permissions and contains ‘dormant infrastructure.’ This extension is linked to at least six others through a shared developer front, two of which already carry fully operational malicious payloads. These extensions utilize hidden iframes to inject attacker-controlled content into every webpage, deploy fraudulent paywalls for free services, and maintain bidirectional communication with C2 servers.»
• Compromised WordPress Sites Push ClickFix Schemes —Multiple websites have been compromised by a ClickFix clipboard hijacker that aims to trick users into pasting malicious commands into the Windows Run dialog or the macOS Terminal app to deliver malware. The kill chain is assessed to share overlaps with a known traffic distribution system (TDS) named KongTuke.
• New Phishing Toolkits Discovered —A number of new phishing-as-a-service toolkits have been spotted in the wild: OLUOMO, ATHR, VENOM, p1bot, TMoscow Bot, REFUNDEE, and UPMI.

🔧 Cybersecurity Tools

• Malfixer → Stop wasting hours manually repairing broken malware just to see how it works. Malfixer does the heavy lifting by automatically rebuilding corrupted or «packed» files so they are ready for analysis in seconds. It is a simple, effective way to bypass the tricks hackers use to hide their code, letting you get straight to your investigation.
• SmokedMeat → Most developers have no idea how many «shadow» tools and scripts are hidden inside their software build pipelines. Smokedmeat shines a light on these forgotten GitHub Actions and third-party tools by quickly scanning your environment to show you exactly what is running. It is a simple way to find hidden back doors and security risks before attackers do.

Disclaimer: This is strictly for research and learning. It hasn’t been through a formal security audit, so don’t just blindly drop it into production. Read the code, break it in a sandbox first, and make sure whatever you’re doing stays on the right side of the law.

Conclusion

Same pattern, new mess. Patch the obvious stuff first. Check the weird logins. Look hard at browser extensions, remote tools, and anything that touches your build chain. The boring checks are boring until they save prod.

That’s it for this week. Keep backups clean, MFA tight, and your trust budget low.

Investigadores de ciberseguridad han descubierto un nuevo malware basado en Lua creado años antes que el notorio gusano Stuxnet que tenía como objetivo sabotear el programa nuclear de Irán destruyendo centrifugadoras de enriquecimiento de uranio.

Según un nuevo informe publicado por SentinelOne, el marco de cibersabotaje no documentado anteriormente se remonta a 2005 y apunta principalmente a software de cálculo de alta precisión para alterar los resultados. ha sido nombrado en clave rápido16.

«Al combinar esta carga útil con mecanismos de autopropagación, los atacantes pretenden producir cálculos inexactos equivalentes en toda una instalación», investigadores Vitaly Kamluk y Juan Andrés Guerrero-Saade dicho en un informe exhaustivo publicado esta semana.

Se considera que Fast16 es anterior Stuxnetla primera arma digital conocida diseñada para acciones disruptivasy cual sirvió de base para el duqu rootkit ladrón de información, por al menos cinco años. Se cree ampliamente que Stuxnet fue desarrollado por Estados Unidos e Israel.

También precede a las primeras muestras conocidas de Llama (también conocido como Flamer y Skywiper), otro malware sofisticado descubierto en 2012, que incorpora una máquina virtual Lua para lograr sus objetivos. El descubrimiento convierte a fast16 en la primera cepa de malware de Windows que incorpora un motor Lua.

SentinelOne dijo que hizo el descubrimiento después de identificar un artefacto llamado «svcmgmt.exe» que, a primera vista, parecía ser un contenedor de servicio genérico en modo consola. La muestra tiene una marca de tiempo de creación de archivo del 30 de agosto de 2005, según VirusTotal, en la que se cargó más de una década después, el 8 de octubre de 2016.

Sin embargo, una investigación más profunda ha revelado una máquina virtual Lua 5.0 integrada y un contenedor de código de bytes cifrado, junto con varios otros módulos que se vinculan directamente al sistema de archivos, registro, control de servicios y API de red de Windows NT.

La lógica central del implante reside en el código de bytes Lua, y el binario también hace referencia a un controlador del kernel («fast16.sys«) a través de una ruta PDB (un archivo con fecha de creación del 19 de julio de 2005) que es responsable de interceptar y modificar el código ejecutable a medida que se lee desde el disco. Dicho esto, vale la pena señalar que el controlador no se ejecutará en sistemas con Windows 7 o posterior.

En lo que es un hallazgo que podría dar una indicación de los orígenes de la herramienta, SentinelOne dijo que descubrió una referencia a la cadena «fast16» en un archivo de texto llamado «drv_list.txt» que incluía una lista de controladores diseñados para su uso en ataques de amenazas persistentes avanzadas (APT). El archivo de casi 250 KB fue filtrado por un misterioso grupo de piratas informáticos hace nueve años.

En 2016 y 2017, el colectivo –llamándose a sí mismo Los corredores de la sombra – publicó grandes cantidades de datos supuestamente robados del Grupo de ecuacionesun grupo de amenaza persistente avanzado con presuntos vínculos con la Agencia de Seguridad Nacional de EE. UU. (NSA). Esto incluía un conjunto de herramientas de piratería y exploits bajo el sobrenombre de «Lost in Translation». El archivo de texto fue uno de ellos.

«La cadena dentro de svcmgmt.exe proporcionó el vínculo forense clave en esta investigación», dijo SentinelOne. «La ruta PDB conecta la filtración de 2017 de firmas de desconflicto utilizadas por los operadores de la NSA con un módulo ‘portador’ multimodal impulsado por Lua compilado en 2005 y, en última instancia, su carga útil sigilosa: un controlador de kernel diseñado para sabotaje de precisión».

«Svcmgmt.exe» ha sido descrito como un «módulo portador altamente adaptable» que puede alterar su comportamiento en función de los argumentos de la línea de comandos que se le pasan, permitiéndole ejecutarse como un servicio de Windows o ejecutar código Lua. Viene con tres cargas útiles distintas: código de bytes Lua para manejar la configuración y la lógica de propagación y coordinación, un ConnotifyDLL auxiliar («svcmgmt.dll«) y el controlador del núcleo «fast16.sys».

Específicamente, está diseñado para analizar la configuración, escalarse como un servicio, implementar opcionalmente el implante del kernel e iniciar un Administrador de control de servicios (SCM) wormlet que busca servidores de red y propaga el malware a otros entornos Windows 2000/XP con credenciales débiles o predeterminadas.

Un aspecto importante que vale la pena mencionar aquí es que la propagación solo ocurre cuando se fuerza manualmente o no se encuentran productos de seguridad comunes en el sistema al escanear la base de datos del Registro de Windows en busca de claves de registro asociadas. Algunas de las herramientas de seguridad que verifica explícitamente pertenecen a Agnitum, F-Secure, Kaspersky, McAfee, Microsoft, Symantec, Sygate Technologies y Trend Micro.

La presencia de Sygate Technologies es otro indicador de que la muestra se desarrolló a mediados de la década de 2000, cuando la empresa fue adquirida por Symantec, ahora parte de Broadcom, en agosto de 2025, y las ventas y el soporte para sus productos se suspendieron formalmente en noviembre.

«Para herramientas de esta época, ese nivel de conciencia ambiental es notable», dijo SentinelOne. «Si bien la lista de productos puede no parecer completa, probablemente refleja los productos que los operadores esperaban que estuvieran presentes en sus redes objetivo cuya tecnología de detección amenazaría el sigilo de una operación encubierta».

ConnotifyDLL, por otro lado, se invoca cada vez que el sistema establece una nueva conexión de red utilizando el Servicio de acceso remoto (RAS) y escribe los nombres de las conexiones locales y remotas en un tubería con nombre («\\.\pipe\p577»).

Sin embargo, es el controlador el responsable del sabotaje de precisión, dirigido a ejecutables compilados con el compilador Intel C/C++ para realizar parches basados ​​en reglas y secuestrar el flujo de ejecución mediante inyecciones de código malicioso. Uno de esos bloques es capaz de corromper los cálculos matemáticos, específicamente atacando herramientas utilizadas en ingeniería civil, física y simulaciones de procesos físicos.

«Al introducir errores pequeños pero sistemáticos en los cálculos del mundo físico, el marco podría socavar o ralentizar los programas de investigación científica, degradar los sistemas diseñados con el tiempo o incluso contribuir a daños catastróficos», explicó SentinelOne.

«Al separar un contenedor de ejecución relativamente estable de cargas útiles cifradas y específicas de tareas, los desarrolladores crearon un marco reutilizable y compartimentado que podían adaptar a diferentes entornos objetivo y objetivos operativos, dejando el binario del operador externo prácticamente sin cambios en todas las campañas».

Basado en un análisis de las 101 reglas definidas en el motor de parches y comparándolas con el software utilizado a mediados de la década de 2000, se evalúa que tres conjuntos de ingeniería y simulación de alta precisión pueden haber sido los objetivos: LS-DYNA 970, PKPM y la plataforma de modelado hidrodinámico MOHID.

LS-DYNAque ahora forma parte de Ansys Suite, es un paquete de software de simulación de física múltiple de uso general que se utiliza para simular choques, impactos y explosiones. En septiembre de 2024, el Instituto para la Ciencia y la Seguridad Internacional (ISIS) liberado un informe que detalla el probable uso por parte de Irán de software de modelado informático como LS-DYNA relacionado con el desarrollo de armas nucleares basado en un examen de 157 publicaciones académicas encontradas en literatura científica y de ingeniería de código abierto.

Esta cadena de pruebas adquiere importancia teniendo en cuenta que se dice que el programa nuclear de Irán ha sufrido daño sustancial después de que su instalación de enriquecimiento de uranio en Natanz fuera atacada por el gusano stuxnet en junio de 2010. Es más, Symantec reveló en febrero de 2013 una versión anterior de Student que se utilizó para atacar el programa nuclear de Irán en noviembre de 2007, con evidencia que indicaba que ya estaba en desarrollo en noviembre de 2005.

«Stuxnet 0.5 es la versión de Stuxnet más antigua conocida que se analizará», Symantec anotado En el momento. «Stuxnet 0.5 contiene una estrategia de ataque alternativa, cerrando válvulas dentro de la instalación de enriquecimiento de uranio en Natanz, Irán, lo que habría causado graves daños a las centrifugadoras y al sistema de enriquecimiento de uranio en su conjunto».

En conjunto, el último hallazgo «obliga a una reevaluación» del cronograma histórico de desarrollo de las operaciones clandestinas de sabotaje cibernético, dijo SentinelOne, añadiendo que muestra que las herramientas de sabotaje cibernético respaldadas por el Estado contra objetivos físicos se habían desarrollado y desplegado por completo a mediados de la década de 2000.

«En el panorama más amplio de la evolución de APT, fast16 cierra la brecha entre los primeros programas de desarrollo, en gran medida invisibles, y los conjuntos de herramientas posteriores, más ampliamente documentados, basados ​​en Lua y LuaJIT», concluyeron los investigadores. «Es un punto de referencia para comprender cómo piensan los actores avanzados sobre los implantes a largo plazo, el sabotaje y la capacidad de un estado para remodelar el mundo físico a través del software. fast16 fue el presagio silencioso de una nueva forma de arte de gobernar, exitosa en su encubrimiento hasta hoy».