{"id":264,"date":"2026-03-16T17:03:58","date_gmt":"2026-03-16T17:03:58","guid":{"rendered":"https:\/\/cybercolombia.co\/index.php\/2026\/03\/16\/chrome-0-days-router-botnets-aws-breach-rogue-ai-agents-more-cyberdefensa-mx\/"},"modified":"2026-03-16T17:03:58","modified_gmt":"2026-03-16T17:03:58","slug":"chrome-0-days-router-botnets-aws-breach-rogue-ai-agents-more-cyberdefensa-mx","status":"publish","type":"post","link":"https:\/\/cybercolombia.co\/index.php\/2026\/03\/16\/chrome-0-days-router-botnets-aws-breach-rogue-ai-agents-more-cyberdefensa-mx\/","title":{"rendered":"Chrome 0-Days, Router Botnets, AWS Breach, Rogue AI Agents &#038; More \u2013 CYBERDEFENSA.MX"},"content":{"rendered":"<div id=\"articlebody\">\n<p>Some weeks in security feel normal. Then you read a few tabs and get that immediate \u201cah, great, we\u2019re doing this now\u201d feeling.<\/p>\n<p>This week has that energy. Fresh messes, old problems getting sharper, and research that stops feeling theoretical real fast. A few bits hit a little too close to real life, too. There\u2019s a good mix here: weird abuse of trusted stuff, quiet infrastructure ugliness, sketchy chatter, and the usual reminder that attackers will use anything that works.<\/p>\n<p>Scroll on. You\u2019ll see what I mean.<\/p>\n<h2 style=\"text-align: left;\"><strong>\u26a1 Threat of the Week<\/strong><\/h2>\n<p><strong>Google Patches 2 Actively Exploited Chrome 0-Days <\/strong>\u2014 Google released security updates for its Chrome web browser to address two high-severity vulnerabilities that it said have been exploited in the wild. The vulnerabilities related to an out-of-bounds write vulnerability in the Skia 2D graphics library (CVE-2026-3909) and an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine (CVE-2026-3910) that could result in out-of-bounds memory access or code execution, respectively. 
Google did not share additional details about the flaws, but acknowledged that there exist exploits for both of them. The issues were addressed in Chrome versions 146.0.7680.75\/76 for Windows and Apple macOS, and 146.0.7680.75 for Linux.\u00a0<\/p>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udd14 Top News<\/strong><\/h2>\n<ul>\n<li><strong><a href=\"https:\/\/thehackernews.com\/2026\/03\/meta-to-shut-down-instagram-end-to-end.html\" rel=\"noopener\" target=\"_blank\">Meta to Discontinue Instagram E2EE in May 2026 <\/a><\/strong>\u2014 Meta announced plans to discontinue support for end-to-end encryption (E2EE) for chats on Instagram after May 8, 2026. In a statement shared with The Hacker News, a Meta spokesperson said, \u00abVery few people were opting in to end-to-end encrypted messaging in DMs, so we\u2019re removing this option from Instagram in the coming months. Anyone who wants to keep messaging with end-to-end encryption can easily do that on WhatsApp.\u00bb<\/li>\n<li><strong>Authorities Disrupt SocksEscort Service <\/strong>\u2014 A court-authorized international law enforcement operation dismantled a criminal proxy service named SocksEscort that enslaved thousands of residential routers worldwide into a botnet for committing large-scale fraud. \u00abThe malware allowed SocksEscort to direct internet traffic through the infected routers. SocksEscort sold this access to its customers,\u00bb the U.S. Justice Department said. The main thing to note here is that SocksEscort was powered by AVrecon, a malware written in C to explicitly target MIPS and ARM architectures via known security flaws in edge network devices. 
The malware also featured a novel persistence mechanism that involved flashing custom firmware, which intentionally disables future updates, permanently transforming SOHO routers into SocksEscort proxy nodes to blindside corporate monitoring.<\/li>\n<li><strong>UNC6426 Exploits nx npm Supply Chain Attack to Gain AWS Admin Access in 72 Hours <\/strong>\u2014 A threat actor known as UNC6426 leveraged keys stolen following the supply chain compromise of the nx npm package in August 2025 to completely breach a victim\u2019s AWS environment within 72 hours. UNC6426 used the access to abuse the GitHub-to-AWS OpenID Connect (OIDC) trust and create a new administrator role in the cloud environment, Google said. Subsequently, this role was abused to exfiltrate files from the client\u2019s Amazon Web Services (AWS) Simple Storage Service (S3) buckets and perform data destruction in their production cloud environments.<\/li>\n<li><strong>KadNap Enslaves Network Devices to Fuel Illegal Proxy <\/strong>\u2014 A takedown-resistant botnet comprising more than 14,000 routers and other network devices has been conscripted into a proxy network that anonymously ferries traffic used for cybercrime. The botnet, named KadNap, exploits known vulnerabilities in Asus routers (among others), leveraging the initial access to drop shell scripts that reach out to a peer-to-peer network based on Kademlia for decentralized control. Infected devices are being used to fuel a proxy service named Doppelganger that, for a fee, tunnels customers\u2019 internet traffic through residential IP addresses, offering a way for attackers to blend in and make it harder to differentiate malicious traffic from legitimate activity.<\/li>\n<li><strong>APT28 Strikes with Sophisticated Toolkit <\/strong>\u2014 The Russian threat actor known as APT28 has been observed using a bespoke toolkit in recent cyber espionage campaigns targeting Ukrainian cyber assets. 
The primary components of the toolkit are two implants, one of which employs techniques from a malware framework the threat actor used in 2010s, while the other is a heavily modified version of the COVENANT framework for long-term spying. COVENANT is used in concert with BEARDSHELL to facilitate data exfiltration, lateral movement, and execution of PowerShell commands. Also alongside these tools is a malware named SLIMAGENT that shares overlaps with XAgent.<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><strong>\u200e\ufe0f\u200d\ud83d\udd25 Trending CVEs<\/strong><\/h2>\n<p>New vulnerabilities show up every week, and the window between disclosure and exploitation keeps getting shorter. The flaws below are this week\u2019s most critical \u2014 high-severity, widely used software, or already drawing attention from the security community.<\/p>\n<p>Check these first, patch what applies, and don\u2019t wait on the ones marked urgent \u2014 CVE-2026-3909, CVE-2026-3910, <a href=\"https:\/\/chromereleases.googleblog.com\/2026\/03\/stable-channel-update-for-desktop_10.html\" rel=\"noopener\" target=\"_blank\">CVE-2026-3913<\/a> (Google Chrome), CVE-2026-21666, CVE-2026-21667, CVE-2026-21668, CVE-2026-21672, CVE-2026-21708, CVE-2026-21669, CVE-2026-21671 (Veeam Backup &amp; Replication), CVE-2026-27577, CVE-2026-27493, CVE-2026-27495, CVE-2026-27497 (n8n), CVE-2026-26127, CVE-2026-21262 (Microsoft Windows), CVE-2019-17571, CVE-2026-27685 (SAP), <a href=\"https:\/\/www.kaspersky.com\/blog\/exiftool-macos-picture-vulnerability-mitigation-cve-2026-3102\/55362\/\" rel=\"noopener\" target=\"_blank\">CVE-2026-3102<\/a> (ExifTool for macOS), <a href=\"https:\/\/github.com\/0xJacky\/nginx-ui\/security\/advisories\/GHSA-g9w5-qffc-6762\" rel=\"noopener\" target=\"_blank\">CVE-2026-27944<\/a> (Nginx UI), <a href=\"https:\/\/blog.quarkslab.com\/k7-antivirus-named-pipe-abuse-registry-manipulation-and-privilege-escalation.html\" rel=\"noopener\" target=\"_blank\">CVE-2025-67826<\/a> (K7 
Ultimate Security), <a href=\"https:\/\/blog.quarkslab.com\/intego_lpe_macos_1.html\" rel=\"noopener\" target=\"_blank\">CVE-2026-26224<\/a>, <a href=\"https:\/\/blog.quarkslab.com\/intego_lpe_macos_2.html\" rel=\"noopener\" target=\"_blank\">CVE-2026-26225<\/a> (Intego X9), <a href=\"https:\/\/www.codeant.ai\/security-research\/pac4j-jwt-authentication-bypass-public-key\" rel=\"noopener\" target=\"_blank\">CVE-2026-29000<\/a> (<a href=\"https:\/\/www.pac4j.org\/blog\/security-advisory-pac4j-jwt-jwtauthenticator.html\" rel=\"noopener\" target=\"_blank\">pac4j-jwt<\/a>), <a href=\"https:\/\/support.hpe.com\/hpesc\/public\/docDisplay?docId=hpesbnw05027en_us&amp;docLocale=en_US\" rel=\"noopener\" target=\"_blank\">CVE-2026-23813<\/a> (HPE Aruba Networking AOS-CX), <a href=\"https:\/\/swarm.ptsecurity.com\/attack-arithmetic-how-an-integer-overflow-in-postgresql-libpq-leads-to-denial-of-service\/\" rel=\"noopener\" target=\"_blank\">CVE-2025-12818<\/a> (<a href=\"https:\/\/www.postgresql.org\/support\/security\/CVE-2025-12818\/\" rel=\"noopener\" target=\"_blank\">PostgreSQL<\/a>), <a href=\"https:\/\/www.wordfence.com\/blog\/2026\/03\/400000-wordpress-sites-affected-by-unauthenticated-sql-injection-vulnerability-in-ally-wordpress-plugin\/\" rel=\"noopener\" target=\"_blank\">CVE-2026-2413<\/a> (Ally WordPress plugin), <a href=\"https:\/\/www.wordfence.com\/blog\/2026\/03\/30000-wordpress-sites-affected-by-authentication-bypass-vulnerability-in-tutor-lms-pro-wordpress-plugin\/\" rel=\"noopener\" target=\"_blank\">CVE-2026-0953<\/a> (Tutor LMS Pro WordPress plugin), <a href=\"https:\/\/github.com\/gogs\/gogs\/security\/advisories\/GHSA-cj4v-437j-jq4c\" rel=\"noopener\" target=\"_blank\">CVE-2026-25921<\/a> (Gogs), <a href=\"https:\/\/blog.cloudflare.com\/pingora-oss-smuggling-vulnerabilities\/\" rel=\"noopener\" target=\"_blank\">CVE-2026-2833, CVE-2026-2835, CVE-2026-2836<\/a> (Cloudflare Pingora), <a href=\"https:\/\/zookeeper.apache.org\/security.html\" 
rel=\"noopener\" target=\"_blank\">CVE-2026-24308<\/a> (Apache ZooKeeper), <a href=\"https:\/\/kb.cert.org\/vuls\/id\/665416\" rel=\"noopener\" target=\"_blank\">CVE-2026-3059, CVE-2026-3060, CVE-2026-3989<\/a> (SGLang), <a href=\"https:\/\/security.paloaltonetworks.com\/CVE-2026-0231\" rel=\"noopener\" target=\"_blank\">CVE-2026-0231<\/a> (Palo Alto Networks Cortex XDR Broker VM), <a href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-iosxr-privesc-bF8D5U4W\" rel=\"noopener\" target=\"_blank\">CVE-2026-20040, CVE-2026-20046<\/a> (Cisco IOS XR Software), <a href=\"https:\/\/kb.cert.org\/vuls\/id\/907705\" rel=\"noopener\" target=\"_blank\">CVE-2025-65587<\/a> (graphql-upload-minimal), <a href=\"https:\/\/seclists.org\/oss-sec\/2026\/q1\/299\" rel=\"noopener\" target=\"_blank\">CVE-2026-3497<\/a> (OpenSSH), <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2026-26123\" rel=\"noopener\" target=\"_blank\">CVE-2026-26123<\/a> (Microsoft Authenticator for Android and iOS), and <a href=\"https:\/\/www.levelblue.com\/blogs\/spiderlabs-blog\/cve-2025-61915-buffer-underflow-vulnerability-leads-to-memory-corruption-in-cups\" rel=\"noopener\" target=\"_blank\">CVE-2025-61915<\/a> (CUPS).<\/p>\n<h2 style=\"text-align: left;\"><strong>\ud83c\udfa5 Cybersecurity Webinars<\/strong><\/h2>\n<ul>\n<li><a href=\"https:\/\/thehacker.news\/automate-testing-security-posture?source=recap\" rel=\"noopener\" target=\"_blank\">Stop Guessing: Automate Your Defense Against Real-World Attacks<\/a> \u2192 Learn how to move beyond basic security checklists by using automation to test your defenses against real-world attacks. Experts will show you why traditional testing often fails and how to use continuous, data-driven tools to find and fix gaps in your protection. 
You will learn how to prove your security actually works without increasing your manual workload.<\/li>\n<li><a href=\"https:\/\/thehacker.news\/identity-maturity-2026?source=recap\" rel=\"noopener\" target=\"_blank\">Fix Your Identity Security: Closing the Gaps Before Hackers Find Them<\/a> \u2192 This webinar covers a new study about why many companies are struggling to keep their user accounts and digital identities safe. Experts share findings from the Ponemon Institute on the biggest security gaps, such as disconnected apps and the new risks created by AI. You will learn simple, practical steps to fix these problems and get better control over who has access to your company\u2019s data.<\/li>\n<li><a href=\"https:\/\/thehacker.news\/ghost-in-the-machine?source=recap\" rel=\"noopener\" target=\"_blank\">The Ghost in the Machine: Securing the Secret Identities of Your AI Agents<\/a> \u2192 As artificial intelligence (AI) begins to act on its own, businesses face a new challenge: how to give these \u00abAI agents\u00bb the right digital IDs. This webinar explains why current security for humans doesn\u2019t work for autonomous bots and how to build a better system to track what they do. You will learn simple, real-world steps to give AI agents secure identities and clear rules, ensuring they don\u2019t accidentally expose your private company data.<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udcf0 Around the Cyber World<\/strong><\/h2>\n<ul>\n<li><strong>Fake Google Security Check Drops Browser RAT <\/strong>\u2014 A web page mimicking a Google Account security page has been spotted delivering a fully featured browser-based surveillance toolkit that takes the form of a Progressive Web App (PWA). 
\u00abDisguised as a routine security checkup, it walks victims through a four-step flow that grants the attacker push notification access, the device\u2019s contact list, real-time GPS location, and clipboard contents\u2014all without installing a traditional app,\u00bb Malwarebytes <a href=\"https:\/\/www.malwarebytes.com\/blog\/privacy\/2026\/02\/inside-a-fake-google-security-check-that-becomes-a-browser-rat\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abFor victims who follow every prompt, the site also delivers an Android companion package introducing a native implant that includes a custom keyboard (enabling keystroke capture), accessibility-based screen reading capabilities, and permissions consistent with call log access and microphone recording.\u00bb<\/li>\n<li><strong>Forbidden Hyena Delivers BlackReaperRAT <\/strong>\u2014 A hacktivist group known as <a href=\"https:\/\/bi.zone\/eng\/expertise\/blog\/forbidden-hyena-atakuet-s-novym-troyanom-udalennogo-dostupa-blackreaperrat\/\" rel=\"noopener\" target=\"_blank\">Forbidden Hyena<\/a> (aka 4B1D) has distributed RAR archives in December 2025 and January 2026 in attacks targeting Russia that led to the deployment of a previously undocumented remote access trojan called BlackReaperRAT and an updated version of the Blackout Locker ransomware, referred to as <a href=\"https:\/\/securelist.ru\/sovmestnye-ataki-4bid-bo-team-red-likho\/114124\/\" rel=\"noopener\" target=\"_blank\">Milkyway<\/a> by the threat actors. BlackReaperRAT is capable of running commands via \u00abcmd.exe,\u00bb uploading\/downloading files, spawning an HTTP shell to receive commands, and spreading the malware to connected removable media. \u00abIt carries out destructive attacks against organizations across various sectors located within the Russian Federation,\u00bb BI.ZONE said. \u00abThe group publishes information regarding successful attacks on its Telegram channel. 
It collaborates with the groups Cobalt Werewolf and Hoody Hyena.\u00bb<\/li>\n<li><strong>Chinese Hackers Target the Persian Gulf region with PlugX <\/strong>\u2014 A China-nexus threat actor, suspected to be Mustang Panda, has targeted countries in the Persian Gulf region. The activity took place within the first 24 hours of the ongoing conflict in the Middle East late last month. The campaign used a multi-stage attack chain that ultimately deployed a PlugX backdoor variant. \u00abThe shellcode and PlugX backdoor used obfuscation techniques such as control flow flattening (CFF) and mixed boolean arithmetic (MBA) to hinder reverse engineering,\u00bb Zscaler <a href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/china-nexus-threat-actor-targets-persian-gulf-region-plugx\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abThe PlugX variant in this campaign supports HTTPS for command-and-control (C2) communication and DNS-over-HTTPS (DOH) for domain resolution.\u00bb<\/li>\n<li><strong>Phishing Campaign Uses SEO Poisoning to Steal Data <\/strong>\u2014 A phishing campaign has employed SEO poisoning to direct search engine results to fake traffic ticket portals that impersonate the Government of Canada and specific provincial agencies. \u00abThe campaign lures victims to a fake \u2018Traffic Ticket Search Portal\u2019 under the pretense of paying outstanding traffic violations,\u00bb Palo Alto Networks Unit 42 <a href=\"https:\/\/github.com\/PaloAltoNetworks\/Unit42-timely-threat-intel\/blob\/main\/2026-01-30-IOCs-for-traffic-ticket-search-portal-themed-phishing.txt\" rel=\"noopener\" target=\"_blank\">said<\/a>. 
\u00abSubmitted data includes license plates, address, date of birth, phone\/email, and credit card numbers.\u00bb The phishing pages utilize a \u00abwaiting room\u00bb tactic where the victim\u2019s browser polls the server every two seconds and triggers redirects based on specific status codes.<\/li>\n<li><strong>Roundcube Exploitation Toolkit Discovered <\/strong>\u2014 Hunt.io said it discovered a Roundcube exploitation toolkit on an internet-exposed directory on 203.161.50[.]145. It\u2019s worth noting that Russian threat actors like APT28, Winter Vivern, and TAG-70 have repeatedly targeted Roundcube vulnerabilities to breach Ukrainian organizations. \u00abThe directory included development and production XSS payloads, a Flask-based command-and-control server, CSS-injection tooling, operator bash history, and a Go-based implant deployed on a compromised Ukrainian web application,\u00bb the company said, attributing it with medium to high confidence to APT28, citing overlaps with Operation RoundPress. The toolkit, dubbed Roundish, supports credential harvesting, persistent mail forwarding, bulk email exfiltration, address book theft, and two-factor authentication (2FA) secret extraction, mirroring a feature present in MDAEMON. One of the primary targets of the attack is mail.dmsu.gov[.]ua, a Roundcube webmail instance associated with Ukraine\u2019s State Migration Service (DMSU). Besides the possibility of a shared development lineage, Roundish introduces four new components not previously documented in APT28 webmail activity, including a CSS-based side-channel module, browser credential stealer, and a Go-based backdoor that provides persistence via cron, systemd, and SELinux. The CSS injection component is designed to progressively extract characters from Roundcube\u2019s document object model (DOM) without injecting any JavaScript into the victim\u2019s page. The technique is likely used for targeting Cross-Site Request Forgery (CSRF) tokens or email UIDs. 
Central to the Roundish toolkit is an XSS payload that\u2019s engineered to steal the victim\u2019s email address, harvest account credentials, redirect all incoming emails to a Proton Mail address, export mailbox data from the victim\u2019s Inbox and Sent folders, and gather the victim\u2019s complete address book. \u00abThe combination of hidden autofill credential harvesting, server-side mail forwarding persistence, bulk mailbox exfiltration, and browser credential theft reflects a modular approach designed for sustained access,\u00bb Hunt.io <a href=\"https:\/\/hunt.io\/blog\/operation-roundish-apt28-roundcube-exploitation\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abFrom a defensive perspective, password resets alone are not sufficient in cases like this. Mail forwarding rules, Sieve filters, and multi-factor authentication secrets must be audited and reset.\u00bb<\/li>\n<li><strong>Phishing Campaign Targeting AWS Console Credentials <\/strong>\u2014 An active adversary-in-the-middle (AiTM) phishing campaign is using fake security alert emails to steal AWS Console credentials, per Datadog. \u00abThe phishing kit proxies authentication to the legitimate AWS sign-in endpoint in real time, validating credentials before redirecting victims and likely capturing one-time password (OTP) codes,\u00bb the company <a href=\"https:\/\/securitylabs.datadoghq.com\/articles\/behind-the-console-aws-aitm-phishing-campaign\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abThis campaign does not exploit AWS vulnerabilities or abuse AWS infrastructure.\u00bb Post-compromise console access has been observed within 20 minutes of credential submission. 
These efforts originated from Mullvad VPN infrastructure.<\/li>\n<li><strong>Malicious npm Packages Deliver Cipher stealer <\/strong>\u2014 Two new malicious npm packages, bluelite-bot-manager and test-logsmodule-v-zisko, were found to deliver via Dropbox a Windows executable, a stealer named Cipher stealer, designed to siphon sensitive data from compromised hosts, including Discord tokens, credentials from Chrome, Edge, Opera, Brave, and Yandex browsers, and seed files from cryptocurrency wallet apps like Exodus. \u00abThe stealer also uses an embedded Python script and a secondary payload downloaded from GitHub,\u00bb JFrog <a href=\"https:\/\/research.jfrog.com\/post\/solara-cipher-npm\/\" rel=\"noopener\" target=\"_blank\">said<\/a>.<\/li>\n<li><strong>GIBCRYPTO Ransomware Detailed <\/strong>\u2014 A new ransomware called <a href=\"https:\/\/labs.k7computing.com\/index.php\/gibcrypto-the-destructive-ransomware-with-a-snake-keylogger-connection\/\" rel=\"noopener\" target=\"_blank\">GIBCRYPTO<\/a> comes with the ability to capture keystrokes and corrupt the Master Boot Record (MBR) so that any attempt to restart the system will cause the system to run into an error. The ransomware uses the Salsa20 algorithm for encryption. It\u2019s suspected to be part of Snake Keylogger, indicating the malware authors\u2019 attempts to diversify beyond information theft. The development comes as Sygnia highlighted SafePay\u2019s OneDrive-based data exfiltration technique during a ransomware attack after breaching a victim by leveraging a FortiGate firewall flaw and a misconfigured administrative account. \u00abSafePay gained initial access by exploiting a firewall misconfiguration, which enabled them to obtain local administrative credentials,\u00bb the company <a href=\"https:\/\/www.sygnia.co\/blog\/safepay-onedrive-exfiltration-technique\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. 
\u00abThey rapidly escalated discovery and enumeration activities to identify high-value targets for lateral movement, demonstrating a structured and methodical approach to mapping the environment. Within a matter of hours, SafePay escalated to domain administrator access.\u00bb The attack culminated in the deployment of ransomware, encrypting more than 60 servers.<\/li>\n<li><strong>Fraudulent Account Registration Activity Originating from Vietnam <\/strong>\u2014 A sprawling cybercrime ecosystem based in Vietnam has been linked to a cluster of fraudulent account registration activity on platforms like LinkedIn, Instagram, Facebook, and TikTok. In these attacks, attributed to <a href=\"https:\/\/www.okta.com\/blog\/threat-intelligence\/opportunistic-sms-pumping-attacks-target-customer-sign-up-pages\/\" rel=\"noopener\" target=\"_blank\">O-UNC-036<\/a>, the threat actors rely on disposable email addresses in order to execute SMS pumping attacks, also called International Revenue Sharing Fraud (IRSF). \u00abIn this scheme, malicious actors automate the creation of puppet accounts in a targeted service provider,\u00bb Okta <a href=\"https:\/\/www.okta.com\/blog\/threat-intelligence\/vietnamese-cybercrime-operation-enables-fraudulent-account-signups\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abFraudsters use these account registrations to trigger SMS messages to premium rate phone numbers and profit from charges incurred. This activity can prove costly for service providers who use SMS to verify registration information in customer accounts or to send multi-factor authentication (MFA) security codes.\u00bb O-UNC-036 has also been linked to a cybercrime-as-a-service (CaaS) ecosystem that provides paid infrastructure and services to facilitate online fraud. 
The web-based storefronts are hosted in Vietnam and specialize in the sales of web-based accounts.<\/li>\n<li><strong>Hijacked AppsFlyer SDK Distributes Crypto Clipper <\/strong>\u2014 The AppsFlyer Web SDK was briefly hijacked to serve malicious code to steal cryptocurrency in a supply chain attack. The clipper malware payload came with capabilities to intercept cryptocurrency wallet addresses entered on websites and replace them with attacker-controlled addresses to divert funds to the threat actor. \u00abThe AppsFlyer Web SDK was observed serving obfuscated malicious JavaScript instead of the legitimate SDK from websdk.appsflyer[.]com,\u00bb Profero <a href=\"https:\/\/profero.io\/blog\/hijacked-at-the-source-a-trusted-marketing-appsflyers-sdk-distributes-a-crypto-stealer\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abThe malicious payload appears to have been designed for stealth and compatibility, preserving legitimate SDK functionality while adding hidden browser hooks and wallet-hijacking logic.\u00bb The <a href=\"https:\/\/statusfield.com\/services\/appsflyer\/incidents\" rel=\"noopener\" target=\"_blank\">incident<\/a> has since been resolved by AppsFlyer.<\/li>\n<li><strong>Operation CamelClone Targets Government and Defense Entities <\/strong>\u2014 A new cyber espionage campaign dubbed Operation CamelClone has targeted governments and defense entities in Algeria, Mongolia, Ukraine, and Kuwait using malicious ZIP archives that contain a Windows shortcut (LNK) file, which, when executed, delivers a JavaScript loader named HOPPINGANT. The loader then delivers additional payloads for establishing C2 and exfiltrating data to the MEGA cloud storage service. 
\u00abOne interesting aspect of this campaign is that the threat actor does not rely on traditional command-and-control infrastructure,\u00bb Seqrite Labs <a href=\"https:\/\/www.seqrite.com\/blog\/operation-camelclone-multi-region-espionage-campaign-targets-government-and-defense-entities-amidst-regional-tensions\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abInstead, the payloads are hosted on a public file-sharing service, filebulldogs[.]com, while stolen data is uploaded to MEGA storage using the legitimate tool Rclone.\u00bb The activity has not been attributed to any known threat group.<\/li>\n<li><strong>How Threat Actors Exfiltrate Credentials Using Telegram Bots <\/strong>\u2014 Threat actors are abusing the <a href=\"https:\/\/core.telegram.org\/bots\/api\" rel=\"noopener\" target=\"_blank\">Telegram Bot API<\/a> to exfiltrate data via text messages or arbitrary file uploads, highlighting how legitimate services can be weaponized to evade detection. Agent Tesla Keylogger is by far the most prominent example of a malware family that uses Telegram for C2. \u00abIn general, Telegram C2s appear to be most popular among information stealers, possibly due to Telegram\u2019s technically legitimate nature and because information stealers typically only need to exfiltrate data passively rather than provide complex communications beyond simple message or file transfers,\u00bb Cofense <a href=\"https:\/\/cofense.com\/blog\/weaponizing-telegram-bots-how-threat-actors-exfiltrate-credentials\" rel=\"noopener\" target=\"_blank\">said<\/a>.<\/li>\n<li><strong>Microsoft Launches Copilot Health <\/strong>\u2014 Microsoft has become the latest company after OpenAI and Anthropic to launch a dedicated \u00absecure space\u00bb called Copilot Health that integrates medical records, biometric data from wearables, and lab test results to give personalized advice in the U.S. 
\u00abCopilot Health brings together your health records, wearable data, and health history into one place, then applies intelligence to turn them into a coherent story,\u00bb the company <a href=\"https:\/\/microsoft.ai\/news\/introducing-copilot-health\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. Like OpenAI and Anthropic, Microsoft emphasized that Copilot Health isn\u2019t meant to replace professional medical care.<\/li>\n<li><strong>Rogue AI Agents Can Work Together to Engage in Offensive Behaviors <\/strong>\u2014 According to a new report from artificial intelligence (AI) security company Irregular, agents can work together to hack into systems, escalate privileges, disable endpoint protection, and steal sensitive data while evading pattern-matching defenses. What\u2019s notable is that the experiment did not rely on adversarial prompting or deliberately unsafe system design. \u00abIn one case, an agent convinced another agent to carry out an offensive action, a form of inter-agent collusion that emerged with no external manipulation,\u00bb Irregular <a href=\"https:\/\/www.irregular.com\/publications\/emergent-offensive-cyber-behavior-in-ai-agents\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abThis scenario demonstrates two compounding risks: inter-agent persuasion can erode safety boundaries, and agents can independently develop techniques to circumvent security controls. 
When an agent is given access to tools or data, particularly but not exclusively shell or code access, the threat model should assume that the agent will use them, and that it will do so in unexpected and possibly malicious ways.\u00bb<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udd27 Cybersecurity Tools<\/strong><\/h2>\n<ul>\n<li><a href=\"https:\/\/github.com\/step-security\/dev-machine-guard\" rel=\"noopener\" target=\"_blank\">Dev Machine Guard<\/a> \u2192 It is a free, open-source tool that scans your computer to show you exactly what developer tools and scripts are running. It creates a simple list of your AI coding assistants, code editor extensions, and software packages to help you find anything suspicious or outdated. It is a single script that works in seconds to give you better visibility into the security of your local coding environment.<\/li>\n<li><a href=\"https:\/\/github.com\/praetorian-inc\/trajan\" rel=\"noopener\" target=\"_blank\">Trajan<\/a> \u2192 It is an automated security tool designed to find hidden vulnerabilities in \u00abservice meshes,\u00bb which are the systems that manage how different parts of a large software application talk to each other. Because these systems are complex, it is easy for engineers to make small mistakes in the settings that allow hackers to bypass security or steal data. Trajan works by scanning these configurations to spot those specific errors and helping developers fix them before they can be exploited.<\/li>\n<\/ul>\n<p><em>Disclaimer: For research and educational use only. Not security-audited. Review all code before use, test in isolated environments, and ensure compliance with applicable laws.<\/em><\/p>\n<h2 style=\"text-align: left;\"><strong>Conclusion<\/strong><\/h2>\n<p>There\u2019s a lot packed in here, and not in a neat way. 
Some of it is the usual recycled chaos, some of it feels a little more deliberate, and some of it has that nasty \u201cthis is going to show up everywhere by next week\u201d energy.<\/p>\n<p>Anyway \u2014 enough throat-clearing. Here\u2019s the stuff worth your attention.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Some weeks in security feel normal. Then you read a few tabs and get that immediate \u201cah, great, we\u2019re doing this now\u201d feeling. This week has that energy. Fresh messes, old problems getting sharper, and research that stops feeling theoretical real fast. A few bits hit a little too close to real life, too. There\u2019s [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25,5],"tags":[925,930,736,927,928,17,24,929,926],"class_list":["post-264","post","type-post","status-publish","format-standard","hentry","category-noticias","category-trending","tag-0days","tag-agents","tag-aws","tag-botnets","tag-breach","tag-chrome","tag-cyberdefensa-mx","tag-rogue","tag-router"],"_links":{"self":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts\/264","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/comments?post=264"}],"version-history":[{"count":0,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts\/264\/revisions"}],"wp:attachment":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/media?parent=264"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybercolombia.
co\/index.php\/wp-json\/wp\/v2\/categories?post=264"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/tags?post=264"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}