
RadioCSIRT - English Edition

Marc Frédéric GOMEZ

Latest episode

73 episodes

  • RadioCSIRT - English Edition

    RadioCSIRT English Version - Your Cyber Security Podcast, Feb 29th, 2026 (Ep.71)

    28/02/2026 | 31 min
    We open this recap with the Winter Olympic Games in Milano Cortina, facing a wave of cyberattacks attributed to Russia. According to The Register, Italy’s Minister of Foreign Affairs confirmed the targeting of diplomatic offices and Olympic infrastructure. The defensive posture is further strained by supply chain tensions, as Cloudflare’s CEO threatened to withdraw pro bono protection services following a regulatory dispute with Italian authorities.

    In France, ZDNet reported an espionage case in Gironde involving a clandestine interception station operated from a rented Airbnb property. Two Chinese nationals were charged. The seized equipment was designed for sniffing Starlink communications and intercepting military frequencies, illustrating direct risk at the physical communications layer.

    We then move to active exploitation and emergency response requirements around Cisco Catalyst SD-WAN. Australia’s cyber authorities published an alert on exploitation of Cisco SD-WAN appliances. CISA added CVE-2026-20127 and CVE-2022-20775 to the Known Exploited Vulnerabilities catalog and issued Emergency Directive 26-03, requiring immediate inventory, forensic artifact collection, patching, and compromise assessment, with a deadline of February 27, 2026. CERT-FR confirmed active exploitation through alert CERTFR-2026-ALE-002, and BleepingComputer reported exploitation activity dating back to 2023.

    On the malware front, multiple campaigns highlight attacker focus on routers, developers, and stealth tooling. Cisco Talos detailed the dismantling of the DKnife interception framework used since 2019. Talos also documented the Dohdoor backdoor campaign using DNS over HTTPS through Cloudflare, delivered via DLL sideloading and process hollowing, with EDR bypass techniques involving syscall unhooking in ntdll.dll. Kaspersky GReAT reported Arkanix Stealer operating as Malware-as-a-Service, with both Python and C++ implementations, AES-GCM communications, and indications of LLM-assisted development.

    Developer ecosystems remain a key battleground. Microsoft warned of fake Next.js repositories used as job interview lures delivering in-memory JavaScript payloads, and GitLab banned 131 accounts linked to the Contagious Interview operation and the Wagemole scheme. Socket identified the SANDWORM_MODE campaign abusing at least 19 malicious npm packages through typosquatting, including a module targeting AI coding assistants via malicious MCP server injection combined with prompt injection.

    We also cover phishing at industrial scale. As reported by KrebsOnSecurity, the Starkiller phishing as a service platform dynamically loads real login pages and acts as a reverse proxy, relaying keystrokes, form submissions, and session tokens through attacker infrastructure, effectively defeating multi-factor authentication by capturing the full authentication flow.

    Finally, critical vulnerabilities affected AI development environments. Check Point Research documented vulnerabilities in Anthropic’s Claude Code enabling command execution via project hooks, MCP consent bypass through project configuration, and clear-text exfiltration of Anthropic API keys by redirecting the ANTHROPIC_BASE_URL variable to an attacker-controlled endpoint. In parallel, Linux ecosystem updates included Linux 7.0 entering release candidate status, while incident response and law enforcement actions included Eurojust’s takedown of a fraudulent call centre in Dnipro.

    All sources are available on https://www.radiocsirt.com/podcast/your-cybersecurity-news-for-saturday-february-28-2026-ep-71/

    Don’t think, patch!

    Your feedback is welcome.
    Email: [email protected]
    Website: https://www.radiocsirt.com
    Weekly Newsletter: https://radiocsirtenglishedition.substack.com/
  • RadioCSIRT - English Edition

    Ep. 70 - RadioCSIRT English Edition – Your Cybersecurity News: Jan 31 – Feb 6, 2026

    08/02/2026 | 7 min
    We open this weekly recap with a critical alert regarding the active exploitation of a Microsoft Office Zero-Day, CVE-2026-21509. According to CERT-UA, the Russian-linked group APT28 has integrated this flaw into phishing campaigns targeting Ukrainian administrations and several EU nations, utilizing a complex infection chain involving WebDAV and the Covenant post-exploitation framework. In a simultaneous blow to software supply chains, the official update mechanism for Notepad++ was hijacked by the state-sponsored actor Violet Typhoon to distribute malware. While threats against productivity tools rise, Mozilla is pivoting toward privacy by announcing that Firefox 148 will allow users to centrally disable all generative AI features.
    The infrastructure landscape faced significant pressure this week as the CISA issued a binding operational directive requiring federal agencies to retire all End-of-Life (EoL) equipment within 12 months, citing their role as persistent entry points for Edge-based attacks. Meanwhile, the AISURU botnet shattered global records by launching a hyper-volumetric DDoS attack peaking at 31.4 Tbps, fueled by 2 million compromised Android devices. On the regulatory front, the European Commission warned TikTok of potential fines reaching 6% of its global turnover for violating the Digital Services Act (DSA) through "addictive by design" features, while U.S. authorities successfully seized major piracy domains operated from Bulgaria.
    Regarding cyber-extortion, the group Scattered Lapsus ShinyHunters continues to defy traditional ransomware models by combining data theft with physical harassment and social engineering. In Germany, authorities warned of Signal account takeovers targeting high-profile individuals via fraudulent QR code pairing. To counter evolving threats, Microsoft unveiled a new scanner designed to detect backdoors within Large Language Models (LLMs), and the UK’s NCSC provided a strategic reality check on Cloud Security Posture Management (CSPM), emphasizing that while vital, these tools are only one piece of the broader cloud security puzzle.
    Sources
    Saturday, January 31, 2026
    Clubic – https://www.clubic.com/actualite-598390-data-centers-ce-que-revele-la-premiere-reunion-a-bercy-sur-les-projets-en-cours-et-a-venir-en-france.html
    The Record – https://therecord.media/bulgaria-piracy-sites-streaming-gaming-seized-us
    Unit 42 – https://unit42.paloaltonetworks.com/russian-cyberthreat-2026-winter-olympics/
    CERT Santé – https://cyberveille.esante.gouv.fr/alertes/grafana-cve-2026-21720-2026-01-29
    SANS ISC – https://isc.sans.edu/diary/rss/32668
    Sunday, February 1, 2026
    Google TAG – https://blog.google/threat-analysis-group/tag-bulletin-q4-2025/
    CERT-FR – https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0102/
    BleepingComputer – https://www.bleepingcomputer.com/news/security/mandiant-details-how-shinyhunters-abuse-sso-to-steal-cloud-data/
    The Hacker News – https://thehackernews.com/2026/01/iran-linked-redkitten-cyber-campaign.html
    Monday, February 2, 2026
    The Register – https://www.theregister.com/2026/02/02/russialinked_apt28_microsoft_office_bug/
    The Hacker News – https://thehackernews.com/2026/02/notepad-official-update-mechanism.html
    BleepingComputer – https://www.bleepingcomputer.com/news/software/mozilla-will-let-you-turn-off-all-firefox-ai-features/
    SANS ISC – https://isc.sans.edu/diary/rss/32674
    Tuesday, February 3, 2026
    Zscaler ThreatLabz – https://www.zscaler.com/blogs/security-research/technical-analysis-anatsa-campaigns-android-banking-malware-active-google
    EFF – https://www.encryptitalready.org/
    Centre canadien pour la cybersécurité – https://www.cyber.gc.ca/fr/alertes-avis/bulletin-securite-kubernetes-av26-078
    Wednesday, February 4, 2026
    CERT-FR – https://www.cert.ssi.gouv.fr/cti/CERTFR-2026-CTI-001/
    NCSC – https://www.ncsc.gov.uk/blog-post/cspm-silver-bullet-or-another-piece-in-the-cloud-puzzle
    The Hacker News – https://thehackernews.com/2026/02/microsoft-develops-scanner-to-detect.html
    CISA – https://www.cisa.gov/news-events/alerts/2026/02/03/cisa-adds-four-known-exploited-vulnerabilities-catalog
    Thursday, February 5, 2026
    The Record – https://therecord.media/cisa-gives-federal-agencies-one-year-end-of-life-devices
    The Hacker News – https://thehackernews.com/2026/02/aisurukimwolf-botnet-launches-record.html
    The Register – https://www.theregister.com/2026/02/05/asia_government_spies_hacked_37_critical_networks/
    BleepingComputer – https://www.bleepingcomputer.com/news/security/hackers-compromise-nginx-servers-to-redirect-user-traffic/
    Friday, February 6, 2026
    KrebsOnSecurity – https://krebsonsecurity.com/2026/02/please-dont-feed-the-scattered-lapsus-shiny-hunters/
    BleepingComputer – https://www.bleepingcomputer.com/news/security/european-commission-says-tiktok-facing-fine-over-addictive-design/
    BleepingComputer – https://www.bleepingcomputer.com/news/security/germany-warns-of-signal-account-hijacking-targeting-senior-figures/
    CISA – https://www.cisa.gov/news-events/alerts/2026/02/05/cisa-adds-two-known-exploited-vulnerabilities-catalog
    Don’t think, patch!
    Your feedback is welcome.
    Email: [email protected]
    Website: https://www.radiocsirt.com
    Weekly Newsletter: https://radiocsirtenglishedition.substack.com/
  • RadioCSIRT - English Edition

    RadioCSIRT English Version - Ep. 69: CISA's KEV Surge, Sandworm Returns & The ChatGPT Leak

    31/01/2026 | 9 min
    This week, the vulnerability floodgates opened. From an 11-year-old Telnet flaw to critical VMware exploits, the CISA KEV catalog is overflowing. But the biggest shocker? Operational security failures at the highest levels of government.
    In this episode of RadioCSIRT English Edition:
    🚨 Critical Patch Overload: A massive week for the CISA KEV catalog, featuring Oracle, VMware vCenter (CVSS 9.8), and a critical bypass in Fortinet.
    🦖 The Return of Sandworm: ESET uncovers "DynoWiper," a new malware targeting the Polish energy sector, marking the 10th anniversary of the Ukraine grid attack.
    🤖 OpSec Failures: The CISA Acting Director leaks classified docs to ChatGPT, and why your BitLocker keys might not be safe with Microsoft.
    🕸️ Botnet Consolidation: The Kimwolf botnet grows, potentially merging with Badbox 2.0 to control millions of Android devices.
    🇫🇷 Digital Sovereignty: France bids farewell to Teams and Zoom, deploying its sovereign "Visio" platform government-wide.
    Tune in for your weekly dose of critical cybersecurity intelligence.
    🔗 Links & Resources: https://www.radiocsirt.com/podcast/ep-69-cisas-kev-surge-sandworm-returns-the-chatgpt-leak/
  • RadioCSIRT - English Edition

    RadioCSIRT English Version - Your Weekly Cybersecurity News for Sunday, January 18, 2026 (Ep. 68)

    18/01/2026 | 15 min
    We open this weekly recap with a massive Patch Tuesday from Microsoft, which addressed 114 vulnerabilities, including three zero-days; notably, CVE-2026-20805 is actively exploited in the wild. Infrastructure concerns continued as Cisco patched a critical AsyncOS zero-day exploited by Chinese APT actors, and AWS remediated a "CodeBreach" supply chain flaw in its console CI pipelines.

    In data privacy and regulation, France’s CNIL imposed a combined $48 million fine on Free and Free Mobile for security failures affecting 24 million subscribers. Meanwhile, Spanish energy giant Endesa disclosed a breach exposing the data of 22 million customers, and a massive scraping incident affected 17.5 million Instagram users.

    On the threat landscape, Check Point Research analyzed "Sicarii," a new ransomware operation likely acting as a false flag with confused ideological messaging. Physical "Quishing" (QR code phishing) campaigns are surging in France, and the infamous BreachForums hacking community suffered a taste of its own medicine with a leak of its user database. Finally, strategic cooperation strengthens as the UK unveils its Government Cyber Action Plan and Germany partners with Israel to build a "Cyber Dome" defense system.

    OSINT Sources:

    📊 Reports, Studies & Strategies

    Kaspersky Security Bulletin 2025 : https://www.kasbersky.com/about/press-releases/2025_kaspersky-financial-sector-faced-ai-blockchain-and-organized-crime-threats-in-2025
    SecurityScorecard (via KnowBe4) : https://www.knowbe4.com/hubfs/Financial-Sector-Threats-The-Shifting-Landscape.pdf
    ENISA Threat Landscape 2025 : https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025
    FS-ISAC : https://www.fsisac.com/knowledge/annual-navigating-cyber-2025-report
    RESCO Courtage : https://www.resco-courtage.com/dora-reglementation-guide-complet-2025
    NCSC UK : https://www.ncsc.gov.uk/blog-post/government-cyber-action-plan-strengthening-resilience-across-uk

    🛡️ Vulnerabilities, Patch Tuesday & Security Advisories

    Microsoft Security Update Guide : https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-0628
    CISA (CVE-2025-8110) : https://www.cisa.gov/news-events/alerts/2026/01/12/cisa-adds-one-known-exploited-vulnerability-catalog
    CISA (CVE-2026-20805) : https://www.cisa.gov/news-events/alerts/2026/01/13/cisa-adds-one-known-exploited-vulnerability-catalog
    CERT-FR (MISP) : https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0030/
    CERT-FR (VMware) : https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0029/
    CERT-FR (MariaDB) : https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0028/
    CERT-FR (NetApp) : https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0027/
    CERT-FR (Google Pixel) : https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0026/
    Krebs on Security : https://krebsonsecurity.com/2026/01/patch-tuesday-january-2026-edition/
    Cisco Talos Intelligence : https://blog.talosintelligence.com/microsoft-patch-tuesday-january-2026/
    CERT Santé : https://cyberveille.esante.gouv.fr/alertes/palo-alto-cve-2026-0227-2026-01-15
    BleepingComputer (Cisco AsyncOS) : https://www.bleepingcomputer.com/news/security/cisco-finally-fixes-asyncos-zero-day-exploited-since-november/
    CyberPress (AWS Console) : https://cyberpress.org/aws-console-supply-chain-attack-github-hijackingcyber/

    ⚠️ Data Leaks, Incidents & Attacks

    BleepingComputer (BreachForums) : https://www.bleepingcomputer.com/news/security/breachforums-hacking-forum-database-leaked-exposing-324-000-accounts/
    CyberPress (Instagram) : https://cyberpress.org/instagram-data-leak/
    Cybersecurity Dive (SitusAMC) : https://www.cybersecuritydive.com/news/hackers-steal-sensitive-data-major-banking-industry-vendor-situsamc/
    BleepingComputer (Endesa) : https://www.bleepingcomputer.com/news/security/spanish-energy-giant-endesa-discloses-data-breach-affecting-customers/
    BleepingComputer (Pax8) : https://www.bleepingcomputer.com/news/security/cloud-marketplace-pax8-accidentally-exposes-data-on-1-800-msp-partners/
    The Record (Anchorage Police) : https://therecord.media/anchorage-police-takes-servers-offline-after-third-party-attack
    🕵️ Threat Intelligence (APT, Ransomware, Phishing)

    Planet.fr (Quishing Scam) : https://www.planet.fr/societe-arnaque-a-la-fausse-carte-bancaire-par-courrier-le-mecanisme-du-quishing-qui-vise-vos-coordonnees.2992374.29336.html
    Check Point Research (Sicarii) : https://research.checkpoint.com/2026/sicarii-ransomware-truth-vs-myth/
    Cisco Talos Intelligence (UAT-8837) : https://blog.talosintelligence.com/uat-8837/
    Malwarebytes (LinkedIn Phishing) : https://www.malwarebytes.com/blog/news/2026/01/phishing-scammers-are-posting-fake-account-restricted-comments-on-linkedin

    ⚖️ Regulations, Sanctions & International Cooperation

    The Record (CNIL/Free Fine) : https://therecord.media/france-data-regulator-fine
    Malwarebytes (Datamasters Fine) : https://www.malwarebytes.com/blog/news/2026/01/data-broker-fined-after-selling-alzheimers-patient-info-and-millions-of-sensitive-profiles
    The Record (Germany-Israel Deal) : https://therecord.media/germany-cyber-dome-israel

    🏛️ Institutional: AMSN / Monaco Special

    AMSN : https://amsn.gouv.mc/decouvrir-l-amsn/presentation
    CERT-MC : https://amsn.gouv.mc/cert-mc
    Prince's Government (Directory) : https://www.gouv.mc/Gouvernement-et-Institutions/Le-Gouvernement/Ministere-d-Etat/Agence-Monegasque-de-Securite-Numerique
    Légimonaco : https://legimonaco.mc/tnc/ordonnance/2015/12-23-5.664/
    ANSSI / cyber.gouv.fr : https://cyber.gouv.fr/actualites/signature-dun-nouveau-programme-de-cooperation-entre-lagence-monegasque-de-securite
    Prince's Government (FIRST Conference) : https://www.gouv.mc/Action-Gouvernementale/La-Securite/Actualites/L-Agence-Monegasque-de-Securite-Numerique-participe-a-la-36eme-conference-annuelle-du-Forum-of-Incident-Response-and-Security-Teams

    Don’t think, just patch!

    Your feedback is welcome.
    Email: [email protected]
    Website: https://www.radiocsirt.com
    Weekly Newsletter: https://radiocsirtenglishedition.substack.com/
  • RadioCSIRT - English Edition

    RadioCSIRT English Edition – Your Cybersecurity News for Sunday, January 11, 2026 (Ep. 67)

    11/01/2026 | 6 min
    We open this episode with a new physical mail scam campaign targeting bank customers in France, according to Planet.fr. The modus operandi begins with the receipt of a letter bearing the letterhead of a financial institution and containing a fake bank card equipped with a chip. The document instructs the recipient to scan a QR code to activate the card. This technique, known as “quishing,” redirects the victim to a malicious website designed to exfiltrate personal data and banking details. The phenomenon, already observed in neighboring European countries, is gaining ground in France. The cards display a high level of counterfeiting, including accurate reproduction of banks’ visual identities. Verifying the URL displayed after scanning the QR code is the first indicator of legitimacy. If information is entered on a fraudulent website, the recommended procedure includes immediately blocking the bank card, changing all passwords, and reporting the incident via the French Interior Ministry’s Perceval platform.
    Microsoft published CVE-2026-0628 in its Security Update Guide, concerning a high-severity vulnerability affecting Chromium’s WebView tag component, according to Neowin. The technical flaw, classified as “Insufficient policy enforcement,” allows an attacker who has convinced a user to install a malicious extension to inject scripts or HTML into a privileged page. Researcher Gal Weizman reported the vulnerability to Google in late November. Chrome version 143.0.7499.192 contains the upstream fix, which was integrated by Microsoft into Edge on January 10, 2026. Microsoft records the CVE in its Security Update Guide to provide authoritative downstream status to Edge customers. Canonical vulnerability trackers confirm that the upstream remediation threshold was set in the Chrome 143 stable release. Inventory and remediation efforts must cover all embedded Chromium runtimes and Electron applications, as updating the host browser does not protect these applications.
    The BreachForums hacking forum suffered a data leak exposing its user database table, according to BleepingComputer. On January 9, 2026, a site named after the ShinyHunters extortion gang published a 7Zip archive named breachedforum.7z. The archive contains the file databoose.sql, a MyBB database table comprising 323,988 member records, including display names, registration dates, IP addresses, and other internal information. Analysis shows that the majority of IP addresses resolve to a local loopback address, but 70,296 records contain public IP addresses. The latest registration date corresponds to August 11, 2025, the day the previous BreachForums was shut down following the arrest of certain alleged operators. The current administrator, known under the pseudonym N/A, acknowledged the leak, stating that a backup of the MyBB users table was temporarily exposed in an unsecured directory and downloaded once.
    Finally, a major data leak compromised the personal information of approximately 17.5 million Instagram users, according to CyberPress. The leak, initially reported by cybersecurity researchers at Malwarebytes, exposes contact information, making millions of users vulnerable to identity theft and targeted phishing attacks. The dataset appeared this week on a hacking forum, published by a threat actor using the pseudonym “Solonik.” The listing titled “INSTAGRAM.COM 17M GLOBAL USERS — 2024 API LEAK” contains 17.5 million records formatted in JSON and TXT files. The data was collected in late 2024 via an API leak that bypassed standard security measures. The exposed database includes full names, usernames, verified email addresses, phone numbers, user identifiers, and partial location data. The leak is classified as scraping, meaning automated data collection via public interfaces. As of January 10, 2026, Meta has not issued a formal statement regarding this leak.
    Sources
    Planet.fr – Bank card scam https://www.planet.fr/societe-arnaque-a-la-fausse-carte-bancaire-par-courrier-le-mecanisme-du-quishing-qui-vise-vos-coordonnees.2992374.29336.html
    Microsoft Security Update Guide – CVE-2026-0628 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-0628
    BleepingComputer – BreachForums database leak https://www.bleepingcomputer.com/news/security/breachforums-hacking-forum-database-leaked-exposing-324-000-accounts/
    CyberPress – Instagram data leak https://cyberpress.org/instagram-data-leak/
    Don’t think, patch!
    Your feedback is welcome.
    Email: [email protected]
    Website: https://www.radiocsirt.com
    Weekly Newsletter: https://radiocsirtenglishedition.substack.com/


About RadioCSIRT - English Edition

🎙 Marc Frédéric Gomez, cybersecurity expert, brings you daily insights into the latest threats, attacks, and defense strategies you need to know.

🔎 On the agenda:
✔️ Analysis of cyberattacks and critical vulnerabilities
✔️ Strategic intelligence for CSIRTs, CERTs, and cybersecurity professionals
✔️ Sources and references to dive deeper into each topic

💡 Why listen to RadioCSIRT?
🚀 Stay up to date in just a few minutes a day
🛡️ Anticipate threats with reliable, technical information
📢 An essential intelligence source for IT and security professionals

🔗 Listen, share, and secure your environment!
📲 Subscribe and leave a ⭐ rating on your favorite platform!
v8.8.6| © 2007-2026 radio.de GmbH