{"id":53,"date":"2026-02-26T18:49:07","date_gmt":"2026-02-26T18:49:07","guid":{"rendered":"https:\/\/cybercolombia.co\/index.php\/2026\/02\/26\/kali-linux-claude-chrome-crash-traps-winrar-flaws-lockbit-15-stories-cyberdefensa-mx\/"},"modified":"2026-02-26T18:49:07","modified_gmt":"2026-02-26T18:49:07","slug":"kali-linux-claude-chrome-crash-traps-winrar-flaws-lockbit-15-stories-cyberdefensa-mx","status":"publish","type":"post","link":"https:\/\/cybercolombia.co\/index.php\/2026\/02\/26\/kali-linux-claude-chrome-crash-traps-winrar-flaws-lockbit-15-stories-cyberdefensa-mx\/","title":{"rendered":"Kali Linux + Claude, Chrome Crash Traps, WinRAR Flaws, LockBit &#038; 15+ Stories \u2013 CYBERDEFENSA.MX"},"content":{"rendered":"<div id=\"articlebody\">\n<p>Nothing here looks dramatic at first glance. That\u2019s the point. Many of this week\u2019s threats begin with something ordinary, like an ad, a meeting invite, or a software update.<\/p>\n<p>Behind the scenes, the tactics are sharper. Access happens faster. Control is established sooner. 
Cleanup becomes harder.<\/p>\n<p>Here is a quick look at the signals worth paying attention to.<\/p>\n<div class=\"td-wrap\">\n<section aria-labelledby=\"threatsday-title\" class=\"td-section\">\n<ol class=\"td-timeline\" role=\"list\">\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">AI-powered command execution<\/span><\/p>\n<p class=\"td-desc\">\n      Kali Linux, an advanced penetration testing Linux distribution used for ethical hacking and network security assessments, has <a href=\"https:\/\/www.kali.org\/blog\/kali-llm-claude-desktop\/\" rel=\"noopener\" target=\"_blank\">added<\/a> an integration with Anthropic\u2019s Claude large language model through the Model Context Protocol (MCP) to issue commands in natural language and translate them into technical commands.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Belarus-linked Android spyware<\/span><\/p>\n<p class=\"td-desc\">\n      ResidentBat is an Android spyware implant used by Belarusian authorities for surveillance operations against journalists and civil society. Once installed, it provides operators with access to call logs, microphone recordings, SMS, encrypted messenger traffic, screen captures, and locally stored files. The malware, although first documented in December 2025, is assessed to date back to 2021. 
According to Censys, ResidentBat-associated infrastructure is <a href=\"https:\/\/censys.com\/blog\/residentbat-belarusian-kgb-android-spyware\/\" rel=\"noopener\" target=\"_blank\">concentrated<\/a> in Europe and Russia: the Netherlands (5 hosts), Germany (2 hosts), Switzerland (2 hosts), and Russia (1 host) in a recent Platform view, using a narrow port range (7000-7257) for control traffic.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Crypto phishing wave<\/span><\/p>\n<p class=\"td-desc\">\n      Phishing campaigns are impersonating cryptocurrency brokerage services like Bitpanda to harvest sensitive data under the pretext that users must reconfirm their information or risk having their accounts blocked. \u00abAttempting to get multiple forms of information and identification, the attackers used tactics that would seem legitimate to the everyday user,\u00bb Cofense <a href=\"https:\/\/cofense.com\/blog\/pii-pillage-how-attackers-use-bitpanda-to-plunder-credentials\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abUser information such as name verification, email, and password credentials, and location were all used in this attempt to harvest information under the guise of a multi-factor authentication process.\u00bb\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Breakout times shrink<\/span><\/p>\n<p class=\"td-desc\">\n      In its 2026 Global Threat Report, CrowdStrike said adversaries became faster than ever before in 2025. 
\u00abThe average e-crime breakout time \u2014 the period between initial access and lateral movement onto another system \u2014 dropped to 29 minutes, a 65% increase in speed from 2024,\u00bb the company <a href=\"https:\/\/www.crowdstrike.com\/en-us\/blog\/crowdstrike-2026-global-threat-report-findings\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. One such intrusion undertaken by Luna Moth (aka Chatty Spider) targeting a law firm moved from initial access to data exfiltration in four minutes. Chief among the factors fueling this dramatic acceleration was the widespread abuse of legitimate credentials, which allowed attackers to blend into normal network traffic and bypass many traditional security controls. This was coupled with threat actors of varied motivations utilizing AI technology to accelerate and optimize their existing techniques. Some of the threat actors that have leveraged AI in their operations include Fancy Bear, Punk Spider (aka Akira), Blind Spider (aka Blind Eagle), Odyssey Spider (aka TA558), and an India-nexus hacking group called Frantic Tiger that has used Netlify and Cloudflare pages for credential-harvesting operations. The cybersecurity company said it observed an 89% increase in the number of attacks by AI-enabled adversaries compared to 2024 and a 42% year-over-year increase in zero-days exploited prior to public disclosure. In tandem, 67% of vulnerabilities exploited by China-nexus adversaries provided immediate system access, and 40% targeted edge devices that typically lack comprehensive monitoring. 
The vast majority of attacks, 82%, were free of malware \u2014 highlighting attackers\u2019 enduring shift toward hands-on-keyboard operations and the abuse of legitimate tools and credentials.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">4-minute lateral movement<\/span><\/p>\n<p class=\"td-desc\">\n      In a similar report, ReliaQuest said the fastest intrusions reached lateral movement in just 4 minutes, an 85% acceleration from last year, with data exfiltration taking place in 6 minutes. The statistic is fueled by attackers increasingly weaving AI and automation into their tradecraft. \u00abAs attackers increasingly secure valid credentials with elevated privileges, the time to react has drastically dropped,\u00bb ReliaQuest <a href=\"https:\/\/reliaquest.com\/blog\/2026-annual-cyber-threat-report\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abIn 2025, the average breakout time (initial access to lateral movement) dropped to 34 minutes. In 47% of incidents, they secured high privileges before ever touching the network. 
This allows them to skip escalation, blend into traffic, and repurpose legitimate tools.\u00bb\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">ClickFix fuels Mac stealers<\/span><\/p>\n<p class=\"td-desc\">\n      Mac users searching for popular software like Homebrew, 7-Zip, Notepad++, LibreOffice, and Final Cut Pro are the target of an <a href=\"https:\/\/www.bitdefender.com\/en-us\/blog\/hotforsecurity\/hijacked-google-ads-push-fake-7-zip-notepad-and-office-downloads-to-mac-users-via-evernote-pages\" rel=\"noopener\" target=\"_blank\">active malvertising campaign<\/a> powered by at least 35 hijacked Google advertiser accounts originating from countries including the U.S., Canada, Italy, Poland, Brazil, India, Saudi Arabia, Japan, China, Romania, Malta, Slovenia, Germany, the U.K., and the U.A.E. More than 200 malicious advertisements impersonating legitimate macOS software have been found. The end goal of these efforts is to direct users to fake pages that contain ClickFix-like instructions to deliver MacSync stealer. Another ClickFix campaign has been <a href=\"https:\/\/www.cyberproof.com\/blog\/fake-captcha-attack-uncovered-clickfix-infostealer-campaign\/\" rel=\"noopener\" target=\"_blank\">observed<\/a> using fake CAPTCHA verification lures on bogus phishing pages to distribute stealer malware that can harvest data from web browsers, gaming apps like Steam, cryptocurrency wallets, and VPN apps. 
According to ReliaQuest data, a quarter of attacks used social engineering for initial access last year, with ClickFix <a href=\"https:\/\/reliaquest.com\/campaigns\/annual-threat-report-2026\/executive-summary-2025-vs-2024-at-a-glance\" rel=\"noopener\" target=\"_blank\">responsible<\/a> for delivering 59% of the top malware families.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Encryption debate resurfaces<\/span><\/p>\n<p class=\"td-desc\">\n      Meta went ahead with a plan to encrypt the messaging services connected to its Facebook and Instagram apps despite internal warnings that it would hinder the social media giant\u2019s ability to flag child-exploitation cases to law enforcement, Reuters <a href=\"https:\/\/www.reuters.com\/legal\/government\/meta-executive-warned-facebook-messenger-encryption-plan-was-so-irresponsible-2026-02-24\/\" rel=\"noopener\" target=\"_blank\">reported<\/a>. The internal chat exchange dated March 2019 was filed <a href=\"https:\/\/www.reuters.com\/legal\/government\/meta-faces-new-mexico-trial-over-child-exploitation-claims-2026-01-30\/\" rel=\"noopener\" target=\"_blank\">in connection with a lawsuit<\/a> brought by the U.S. state of New Mexico, accusing it of exposing children and teens to sexual exploitation on its platforms and profiting from it. In response to the concerns raised, Meta said it worked on additional safety features before it launched encrypted messaging on Facebook and Instagram in 2023.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">ActiveMQ flaw aids LockBit<\/span><\/p>\n<p class=\"td-desc\">\n      Threat actors are exploiting a now-patched security flaw in internet-facing Apache ActiveMQ servers (CVE-2023-46604) to deploy LockBit ransomware. 
\u00abDespite being evicted after the initial intrusion, they successfully breached the same server on a second occasion 18 days later,\u00bb The DFIR Report <a href=\"https:\/\/thedfirreport.com\/2026\/02\/23\/apache-activemq-exploit-leads-to-lockbit-ransomware\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abAfter compromising the server, the threat actor used Metasploit, possibly along with Meterpreter, to perform post-exploitation activities. These activities included escalating privileges, accessing LSASS process memory, and moving laterally across the network. After regaining access following their eviction, the threat actor swiftly transitioned to deploying ransomware. They leveraged credentials extracted during their previous breach to deploy LockBit ransomware via RDP.\u00bb The ransomware is suspected to be crafted using the leaked LockBit builder.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Chrome crash-to-command trick<\/span><\/p>\n<p class=\"td-desc\">\n      Two newly flagged Google Chrome extensions, Pixel Shield \u2013 Block Ads (ID: nlogodaofdghipmbdclajkkpheneldjd) and PageGuard \u2013 Phishing Protection (ID: mlaonedihngoginmmlaacpihnojcoocl), have been found to adopt the same playbook as CrashFix, where the browser is deliberately crashed, and the user is tricked into running a malicious command \u00e0 la ClickFix. The most concerning aspect of this campaign is that the extensions actually work and offer the advertised functionality. \u00abThe original NexShield DoS created a billion chrome.runtime.connect() calls,\u00bb Annex Security\u2019s John Tuckner <a href=\"https:\/\/annex.security\/blog\/promise-bomb\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. 
\u00abThese variants use a different technique I\u2019m calling the Promise Bomb because it crashes the browser by flooding Chrome\u2019s message passing system with millions of unresolvable promises.\u00bb While the original NexShield used timer-based activation, the new variants have evolved to push notification-based command-and-control (C2), causing the denial-of-service to be triggered only when the C2 server sends a push notification containing a \u00abnewVersion\u00bb value ending in \u00ab2.\u00bb This, in turn, gives the attacker selective remote control over when the crashes happen.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">WinRAR patch lag persists<\/span><\/p>\n<p class=\"td-desc\">\n      Cybersecurity firm Stairwell said more than 80% of the IT networks it monitors run versions of WinRAR vulnerable to CVE-2025-8088, a vulnerability that has been widely exploited by cybercrime and cyber espionage groups. \u00abThis finding underscores a persistent challenge in enterprise security when widely deployed, trusted software that quietly falls out of date and becomes a high-value target for attackers,\u00bb Alex Hegyi <a href=\"https:\/\/stairwell.com\/resources\/stairwell-detects-widespread-exposure-to-critical-winrar-vulnerability-across-customer-environments\/\" rel=\"noopener\" target=\"_blank\">said<\/a>.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Crypto IV reuse risk<\/span><\/p>\n<p class=\"td-desc\">\n      A new analysis from Trail of Bits has revealed that more than 723,000 open-source projects use cryptographic libraries with insecure defaults. The aes-js and pyaes libraries have been found to provide a default initialization vector (IV) in their AES-CTR API, leading to a large number of key\/IV reuse bugs. 
\u00abReusing a key\/IV pair leads to serious security issues: if you encrypt two messages in CTR mode or GCM with the same key and IV, then anybody with access to the ciphertexts can recover the XOR of the plaintexts, and that\u2019s a very bad thing,\u00bb Trail of Bits <a href=\"https:\/\/blog.trailofbits.com\/2026\/02\/18\/carelessness-versus-craftsmanship-in-cryptography\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. While neither library has been updated in years, strongSwan has released an update to address the problem in strongMan (<a href=\"https:\/\/github.com\/strongswan\/strongMan\/security\/advisories\/GHSA-88w4-jv97-c8xr\" rel=\"noopener\" target=\"_blank\">CVE-2026-25998<\/a>).\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">AI audits smart contracts<\/span><\/p>\n<p class=\"td-desc\">\n      OpenAI and Paradigm have jointly announced EVMbench, a benchmark that measures how well AI agents can detect, exploit, and patch high-severity smart contract vulnerabilities. \u00abEVMbench draws on 120 curated vulnerabilities from 40 audits, with most sourced from open code audit competitions,\u00bb OpenAI <a href=\"https:\/\/openai.com\/index\/introducing-evmbench\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abEVMbench is intended both as a measurement tool and as a call to action. 
As agents improve, it becomes increasingly important for developers and security researchers to incorporate AI-assisted auditing into their workflows.\u00bb\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Fake FSB extortion plot<\/span><\/p>\n<p class=\"td-desc\">\n      A Russian national has been accused of trying to extort money from the notorious Conti ransomware group by posing as an officer of Russia\u2019s Federal Security Service (FSB), according to local media reports. RBC <a href=\"https:\/\/www.rbc.ru\/society\/25\/02\/2026\/699d8a1b9a794762555ca146?\" rel=\"noopener\" target=\"_blank\">reported<\/a> that the suspect, Ruslan Satuchin, posed as an FSB officer and demanded a large payment from Conti. Although an investigation was formally launched in September 2025, the incident allegedly began in September 2022 when Satuchin contacted one of the members of the hacker group and extorted them to avoid criminal liability. Once a prolific ransomware gang, Conti shut down its operations in mid-2022 after splintering into small groups.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Ad cloaking service exposed<\/span><\/p>\n<p class=\"td-desc\">\n      Varonis has disclosed details of a newly identified cybercrime service known as 1Campaign that enables threat actors to run malicious Google Ads for extended periods of time while evading scrutiny. The cloaking platform \u00abpasses Google\u2019s screening, filters out security researchers, and keeps phishing and crypto drainer pages online for as long as possible, funneling real users to attacker-controlled sites,\u00bb Varonis security researcher Daniel Kelley <a href=\"https:\/\/www.varonis.com\/blog\/1campaign\" rel=\"noopener\" target=\"_blank\">said<\/a>. 
\u00abIt combines real-time visitor filtering, fraud scoring, geographic targeting, and a bot guard script generator into a single dashboard.\u00bb It has been developed and maintained for over three years by a threat actor named DuppyMeister, who also offers Telegram channels for support. Traffic linked to 1Campaign has been distributed across the U.S., Canada, the Netherlands, China, Germany, France, Japan, Hungary, and Albania.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Teams call drops macOS malware<\/span><\/p>\n<p class=\"td-desc\">\n      A social engineering campaign has been observed using Microsoft Teams meetings to trick attendees into installing macOS malware. Daylight Security has assessed that the activity is consistent with an ongoing attack campaign orchestrated by North Korean threat actors under the name GhostCall. \u00abDuring the call, the attacker claimed audio issues and coached the victim into running terminal commands that downloaded and executed malicious binaries,\u00bb Daylight researchers Kyle Henson and Oren Biderman <a href=\"https:\/\/daylight.ai\/blog\/prospect-call-microsoft-teams-meetings\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abAnalysts observed staged downloads and execution from macOS cache and temporary paths, Keychain credential access, and outbound connections to newly created attacker-controlled domains.\u00bb\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">RAMP fallout reshapes underground<\/span><\/p>\n<p class=\"td-desc\">\n      Last month, law enforcement authorities from the U.S. seized the notorious RAMP cybercrime forum. The event has had a cascading impact, destabilising trust and accelerating fragmentation across the underground cybercrime ecosystem. 
There are also speculations that RAMP may have functioned as a honeypot or had been compromised long before its seizure. \u00abRather than consolidating around a single successor, ransomware actors are redistributing across both gated platforms like T1erOne and accessible forums such as Rehub,\u00bb Rapid7 <a href=\"https:\/\/www.rapid7.com\/blog\/post\/tr-post-ramp-allegations-fragmentation-ransomware-underground-rebuild\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abThis shift reflects adaptation, not decline. Disruption fractures trust and redistributes coordination across multiple platforms.\u00bb\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Anonymous F\u00e9nix members detained<\/span><\/p>\n<p class=\"td-desc\">\n      Spanish authorities have <a href=\"https:\/\/web.guardiacivil.es\/es\/destacados\/noticias\/Detenidos-los-cuatro-principales-integrantes-del-grupo-hacktivista-Anonymous-Fenix-por-ciberataques-contra-organismos-publicos\/\" rel=\"noopener\" target=\"_blank\">announced<\/a> the arrest of four members of the Anonymous F\u00e9nix group for their involvement in distributed denial-of-service (DDoS) attacks. The suspects, whose names were not disclosed, targeted the websites of government ministries, political parties, and public institutions. Two of the group leaders were arrested in May 2025. The first attacks occurred in April 2023. 
The group is said to have intensified its activities beginning in September 2024, recruiting volunteers to mount DDoS attacks against targets of interest.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Judicial spear-phish drops RAT<\/span><\/p>\n<p class=\"td-desc\">\n      A spear-phishing campaign targeting Argentina\u2019s judicial sector has been observed delivering a ZIP archive containing a Windows shortcut that, when launched, displays a decoy PDF to the victim while stealthily dropping a Rust-based remote access trojan (RAT). \u00abThe campaign leverages highly authentic judicial decoy documents to exploit trust in court communications, enabling successful delivery of a covert remote access trojan and facilitating long-term access to sensitive legal and institutional data,\u00bb Seqrite Labs <a href=\"https:\/\/www.seqrite.com\/blog\/operation-covert-access-weaponized-lnk-based-spear-phishing-targeting-argentinas-judicial-sector-to-deploy-a-covert-rat\/\" rel=\"noopener\" target=\"_blank\">said<\/a>.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Typosquat spreads ValleyRAT<\/span><\/p>\n<p class=\"td-desc\">\n      A persuasive lookalike website of Huorong Security antivirus (\u00abhuoronga[.]com\u00bb) has been used to deliver a remote access trojan known as ValleyRAT. The campaign is the work of a Chinese cybercrime group called Silver Fox, which has a history of using typosquatted domains to distribute trojanized installers of popular Chinese software and other widely used programs that deploy ValleyRAT. 
\u00abOnce it\u2019s installed, attackers can monitor the victim, steal sensitive information, and remotely control the system,\u00bb Malwarebytes <a href=\"https:\/\/www.malwarebytes.com\/blog\/scams\/2026\/02\/huorong\" rel=\"noopener\" target=\"_blank\">said<\/a>.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Repo-squatting via Google Ads<\/span><\/p>\n<p class=\"td-desc\">\n      Users searching for developer tools have become the target of an ongoing campaign dubbed GPUGate that uses a malicious installer to deliver Hijack Loader and Atomic Stealer. \u00abThe attacker creates a throwaway GitHub account and forks the official GitHub Desktop repository,\u00bb GMO Cybersecurity by Ierae <a href=\"https:\/\/gmo-cybersecurity.com\/blog\/revisiting-gpugate-repo-squatting-and-opencl-deception-to-deliver-hijackloader\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abThe attacker edits the download link in the README to point to their malicious installer and commits the change. Lastly, the attacker used sponsored ads for \u2018GitHub Desktop\u2019 to promote their commit, using an anchor in README.md to skip past GitHub\u2019s cautions.\u00bb Victims who downloaded the malicious Windows installer would execute a multi-stage loader, while Mac victims received Atomic Stealer.\n    <\/p>\n<\/div>\n<\/li>\n<\/ol>\n<\/section>\n<\/div>\n<p>These stories may seem separate, but they point in the same direction. Speed is increasing. Deception is improving. And attackers are finding new ways to blend into everyday activity.<\/p>\n<p>The warning signs are there for those who look closely. Small gaps, delayed patches, misplaced trust, and rushed clicks still make the biggest difference.<\/p>\n<p>Staying aware of these shifts is no longer optional. The details change each week. 
The pressure does not.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Nothing here looks dramatic at first glance. That\u2019s the point. Many of this week\u2019s threats begin with something ordinary, like an ad, a meeting invite, or a software update. Behind the scenes, the tactics are sharper. Access happens faster. Control is established sooner. Cleanup becomes harder. Here is a quick look at the signals worth [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[17,16,18,24,21,14,15,22,23,19,20],"class_list":["post-53","post","type-post","status-publish","format-standard","hentry","category-noticias","tag-chrome","tag-claude","tag-crash","tag-cyberdefensa-mx","tag-flaws","tag-kali","tag-linux","tag-lockbit","tag-stories","tag-traps","tag-winrar"],"_links":{"self":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts\/53","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/comments?post=53"}],"version-history":[{"count":0,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts\/53\/revisions"}],"wp:attachment":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/media?parent=53"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/categories?post=53"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/tags?post=53"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}