Cybersecurity Headlines – Episode Summary

Date: February 9, 2026
Host: Steve Prentiss, CISO Series
Main Theme:
This episode provides a rapid-fire overview of vital information security news, including updates on malware threats leveraging AI assistant platforms, federal cybersecurity directives, escalating nation-state cyberattacks, major ransomware incidents, and evolving phishing campaigns targeting digital communication platforms.

Key Discussion Points & Insights

1. OpenClaw Embraces VirusTotal to Thwart Malicious AI Skills

Background: OpenClaw, formerly Claudebot and Multbot, has been facing abuses where its AI assistant is being used to distribute malware via its “skills” marketplace (Clawhub).
New Partnership:
- OpenClaw now partners with Google-owned VirusTotal to scan all uploaded skills before release.
- Each skill is hashed (SHA256) and compared to VirusTotal’s database for threats.
- Not a perfect solution: "VirusTotal scanning is not a silver bullet and...some malicious skills that use a cleverly concealed prompt injection payload may slip through." (Steve Prentiss, 00:33)
Implication: New security layers, but sophisticated attacks remain a risk.

2. CISA’s One-Year Deadline to Remove End-of-Life Devices

Directive Overview:
- CISA gives federal agencies one year to remove end-of-life (EOL) infrastructure (load balancers, firewalls, routers, IoT edge devices) due to ongoing exploitation.
- Focus on devices vulnerable to sophisticated, nation-state-backed hackers.
- Not reactionary:
  
  "This directive is not a response to any one incident or compromise."
  (Nick Anderson, CISA Executive Assistant Director for Cybersecurity, 01:15)
Significance: A preemptive attempt to minimize the federal attack surface.

3. Russia’s APT28 Targets European Maritime and Transport Sectors

Attack Pattern:
- Russian group APT28 (Fancy Bear) uses a Microsoft Office exploit.
- Targets: Maritime and diplomatic bodies in Poland, Slovenia, Turkey, Greece, UAE.
- Method:
  - Phishing emails with malicious Office documents themed as urgent military/diplomatic correspondence.
  - Example lures: Weapons smuggling alerts, military training notices, emergency bulletins.
Notable:
- State-backed attacks expanding into critical international infrastructure.
- Derived from “CERT UA, Zscaler, and Trellix” reporting. (01:44)

4. Salt Typhoon: Chinese Espionage in Norway

Incident:
- Norwegian officials accuse Chinese-linked group Salt Typhoon of multiple espionage attacks.
- Labeled “an epoch defining threat” due to the group’s global reach into critical infrastructure.
Quoted:
- "[Salt Typhoon] has for years stealthily hacked into the networks of critical infrastructure organizations around the world." (Steve Prentiss citing US national security officials, 02:18)

5. Chinese ‘Dknife’ Malware on Chinese Routers and Edge Devices

Discovery:
- Cisco Talos finds “Dknife,” a Chinese-nexus adversary-in-the-middle Linux malware.
- Targets: Chinese-speaking users, operational since at least 2019.
- Capabilities: Gateway monitoring, network traffic hijacking.
Details:
- “It is a Linux-based framework designed for gateway-level attacks, enabling operators to monitor, manipulate and hijack network traffic..." (03:31)

6. BridgePay Ransomware Attack Disrupts Nationwide Payments

Incident:
- U.S. payment platform BridgePay hit by ransomware; outage affects merchants nationwide.
- Some could only accept cash, with systems knocked offline from Friday.
- No ransomware group claimed (as of episode time).
Context:
- Ongoing vulnerabilities in critical financial infrastructure. (04:03)

7. AWS Intrusion: Admin Privileges Gained in Minutes with AI

Finding:
- A reported attack saw an intruder go from initial access to AWS admin privileges in under 10 minutes—helped by AI automation.
- Source: Sysdig Threat Research, observed November 28.
- Attack details:
  - Used large language models (LLMs) to script and speed up each breach phase: recon, privilege escalation, lateral movement, code writing.
  - Gained entry via credentials found in public S3 buckets.
Quote:

"...stood out not only for its speed, but also for the multiple indicators suggesting the criminals used large language models to automate most phases of the attack..."
(Steve Prentiss, 05:05)

8. German Agencies Warn of ‘Signal’ Phishing

Target:
- High-ranking political, military, diplomatic, and journalistic figures in Germany/EU.
- Attack vector: No malware or Signal exploit. Instead, attackers use Signal’s legitimate features to gain covert chat and contact access, pretending to be Signal support or bots.
Insight:
- Adversaries increasingly weaponize trust in communications platforms. (06:02)

Notable Quotes & Memorable Moments

"VirusTotal scanning is not a silver bullet..."
- Steve Prentiss, 00:33
"This directive is not a response to any one incident or compromise."
- Nick Anderson (CISA), 01:15
"[Salt Typhoon]...an epoch defining threat..."
- US national security officials via Steve Prentiss, 02:18
"...stood out not only for its speed, but also for the multiple indicators suggesting the criminals used large language models..."
- Steve Prentiss, 05:05

Important Segment Timestamps

00:07 — Episode and headlines opening
00:33 — OpenClaw & VirusTotal partnership
01:07 — CISA directive on EOL devices
01:44 — APT28’s Microsoft Office campaign
02:18 — Salt Typhoon in Norway
03:31 — “Dknife” malware in China
04:03 — BridgePay ransomware attack
05:05 — AWS admin breach with AI
06:02 — German Signal phishing campaign

Recap & Closing

This episode spotlights the relentless pace and innovation in cyber threats, from state-backed espionage to the use of AI in rapid-fire cloud attacks. Also prominent are the proactive efforts by organizations like CISA and OpenClaw to anticipate and counter these evolving tactics, underscoring how security is increasingly a race against both creativity and speed in the cyber domain.

Transcript

A (0:00)

From the CISO series, it's Cybersecurity Headlines.

B (0:07)

These are the cybersecurity headlines for Monday, February 9, 2026. I'm Steve Prentiss. Openclaw turns to virus Total to boost security following up on a story we have been covering this past week regarding openclaw, the self hosted AI assistant formerly known as Claudebot and Multbot, now being abused to distribute malware. Its founders have now announced that they are partnering with Google owned VirusTotal to scan skills that are being uploaded to Clawhub, its skill marketplace. End quote by essentially Creating a unique SHA256 hash for every skill and cross checking it against VirusTotal's database for a match, the company warns that VirusTotal scanning is not a silver bullet and that there is a possibility that some malicious skills that use a cleverly concealed prompt injection payload may slip through the cracks. End quote CISA gives federal agencies one year to rip out end of life devices this operational directive issued on Thursday is in response to ongoing and widespread exploitation campaigns from sophisticated hackers. The devices such as load balancers, firewalls, routers, IoT edge devices and many more remain vulnerable, especially to those with ties to nation states, said CISA Executive Assistant Director for Cybersecurity Nick Anderson. He clarified that this directive is not a response to any one incident or compromise Microsoft Office Exploit Attacks European Maritime and transport organizations following up on a story we covered midweek, Ukraine's Computer Emergency Response Team Cert UA and cybersecurity firms Zscaler and Trellix have reported that the exploitation of a newly disclosed Microsoft Office vulnerability linked to Russ. Russia's APT28 Fancy Bear group is additionally focusing on maritime transportation and diplomatic entities in Poland, Slovenia, Turkey, Greece and the United Arab Emirates. The campaign consists of phishing emails with malicious Microsoft Office documents mentioning weapons smuggling alerts, diplomatic invitations, military training notices and emergency weather bulletins that resemble legitimate government correspondence. Salt Typhoon hacks Norwegian Companies the Norwegian Police Security Service on Friday accused the Chinese backed hacking group of breaking into several organizations in the country to conduct espionage. Their report did not provide many details about this campaign, but the SALT Typhoon organization was described recently by senior US national security officials as an epoch defining threat which has for years stealthily hacked into the networks of critical infrastructure organizations around the world. Huge thanks to our sponsor ThreatLocker. Want real zero trust training? Zero Trust World 2026 delivers hands on labs and workshops that show CISOs exactly how to implement and maintain zero trust in real environments. Join us March 4 through 6 in Orlando plus a live CISO series episode on March 6 and you can get $200 off with code ZTWCISO26@ZTW.com Chinese malware targets Chinese based routers and edge devices Researchers at Cisco Thales made the discovery, which they describe as a fully featured gateway monitoring and adversary in the middle framework, and published their report on Thursday. In use since at least 2019 and still active, Dknife, I.e. dknife targets Chinese speaking users and the researchers express high confidence that it was made by Chinese nexus threat actors. It is a Linux based framework designed for gateway level attacks, enabling operators to monitor, manipulate and hijack network traffic on compromised routers or edge devices. A link to the report is available in the show notes to this episode Payments platform bridgepay confirms ransomware attack the US Payment gateway and solutions provider says a ransomware attack has knocked key systems offline, triggering a widespread outage affecting multiple services. This incident started on Friday and spread nationwide across its platform. The company confirmed late Friday that the incident was caused by ransomware. During the incident, some US Merchants and organizations were only able to accept cash from their customers, and BridgePay has not yet named the ransomware actor. AWS Intruder becomes admin in under 10 minutes with AI assistance a digital intruder broke into an AWS cloud environment and in just under 10 minutes went from initial access to administrative privileges thanks to an AI speed assist. End quote. This is according to a research team from Sysdig Threat Research who observed the break in on November 28 and noted it stood out not only for its speed, but also for the multiple indicators suggesting the criminals used large language models to automate most phases of the attack, from reconnaissance and privilege escalation to lateral movement, malicious code writing and LLM jacking. Using a compromised cloud account to Access Cloud hosted LLMs, the attackers initially gained access by stealing valid test credentials from public Amazon S3 buckets. German agencies warn of unusual signal phishing Campaign Federal officials in Germany have issued a joint advisory warning. This attack focuses on high ranking targets in politics, the military and diplomacy, as well as investigative journalists in Germany and Europe. Interestingly, this campaign does not involve the distribution of malware or the exploitation of any security vulnerability within Signal, but the end goal is to weaponize its legitimate features to obtain covert access to a victim's chats along with their contact lists. And this is done largely by masquerading as signal support or a signal support chatbot. Do you want to know more about the most pressing stories of the last few days? In time for your weekly stand up. Well join us today at 4:00pm Eastern time for the Department of no Where. Our guests will sort out the priority stories and do a deep dive on the ones that matter most. And of course, we will actively involve you in the conversation. Just go to YouTube, search for CISO series and look for the Department of no under upcoming live streams. And if you have some thoughts on the news from today or about this show in general, please be sure to reach out to us@feedbackisoseries.com we would love to hear from you. I'm Steve Prentiss reporting for the CISO series.

Cybersecurity Headlines – Episode Summary

Key Discussion Points & Insights

1. OpenClaw Embraces VirusTotal to Thwart Malicious AI Skills

Background: OpenClaw, formerly Claudebot and Multbot, has been facing abuses where its AI assistant is being used to distribute malware via its “skills” marketplace (Clawhub).
New Partnership:
- OpenClaw now partners with Google-owned VirusTotal to scan all uploaded skills before release.
- Each skill is hashed (SHA256) and compared to VirusTotal’s database for threats.
- Not a perfect solution: "VirusTotal scanning is not a silver bullet and...some malicious skills that use a cleverly concealed prompt injection payload may slip through." (Steve Prentiss, 00:33)
Implication: New security layers, but sophisticated attacks remain a risk.

2. CISA’s One-Year Deadline to Remove End-of-Life Devices

Directive Overview:
- CISA gives federal agencies one year to remove end-of-life (EOL) infrastructure (load balancers, firewalls, routers, IoT edge devices) due to ongoing exploitation.
- Focus on devices vulnerable to sophisticated, nation-state-backed hackers.
- Not reactionary:
  
  "This directive is not a response to any one incident or compromise."
  (Nick Anderson, CISA Executive Assistant Director for Cybersecurity, 01:15)
Significance: A preemptive attempt to minimize the federal attack surface.

3. Russia’s APT28 Targets European Maritime and Transport Sectors

Attack Pattern:
- Russian group APT28 (Fancy Bear) uses a Microsoft Office exploit.
- Targets: Maritime and diplomatic bodies in Poland, Slovenia, Turkey, Greece, UAE.
- Method:
  - Phishing emails with malicious Office documents themed as urgent military/diplomatic correspondence.
  - Example lures: Weapons smuggling alerts, military training notices, emergency bulletins.
Notable:
- State-backed attacks expanding into critical international infrastructure.
- Derived from “CERT UA, Zscaler, and Trellix” reporting. (01:44)

4. Salt Typhoon: Chinese Espionage in Norway

Incident:
- Norwegian officials accuse Chinese-linked group Salt Typhoon of multiple espionage attacks.
- Labeled “an epoch defining threat” due to the group’s global reach into critical infrastructure.
Quoted:
- "[Salt Typhoon] has for years stealthily hacked into the networks of critical infrastructure organizations around the world." (Steve Prentiss citing US national security officials, 02:18)

5. Chinese ‘Dknife’ Malware on Chinese Routers and Edge Devices

Discovery:
- Cisco Talos finds “Dknife,” a Chinese-nexus adversary-in-the-middle Linux malware.
- Targets: Chinese-speaking users, operational since at least 2019.
- Capabilities: Gateway monitoring, network traffic hijacking.
Details:
- “It is a Linux-based framework designed for gateway-level attacks, enabling operators to monitor, manipulate and hijack network traffic..." (03:31)

6. BridgePay Ransomware Attack Disrupts Nationwide Payments

Incident:
- U.S. payment platform BridgePay hit by ransomware; outage affects merchants nationwide.
- Some could only accept cash, with systems knocked offline from Friday.
- No ransomware group claimed (as of episode time).
Context:
- Ongoing vulnerabilities in critical financial infrastructure. (04:03)

7. AWS Intrusion: Admin Privileges Gained in Minutes with AI

Finding:
- A reported attack saw an intruder go from initial access to AWS admin privileges in under 10 minutes—helped by AI automation.
- Source: Sysdig Threat Research, observed November 28.
- Attack details:
  - Used large language models (LLMs) to script and speed up each breach phase: recon, privilege escalation, lateral movement, code writing.
  - Gained entry via credentials found in public S3 buckets.
Quote:

"...stood out not only for its speed, but also for the multiple indicators suggesting the criminals used large language models to automate most phases of the attack..."
(Steve Prentiss, 05:05)

8. German Agencies Warn of ‘Signal’ Phishing

Target:
- High-ranking political, military, diplomatic, and journalistic figures in Germany/EU.
- Attack vector: No malware or Signal exploit. Instead, attackers use Signal’s legitimate features to gain covert chat and contact access, pretending to be Signal support or bots.
Insight:
- Adversaries increasingly weaponize trust in communications platforms. (06:02)

Notable Quotes & Memorable Moments

"VirusTotal scanning is not a silver bullet..."
- Steve Prentiss, 00:33
"This directive is not a response to any one incident or compromise."
- Nick Anderson (CISA), 01:15
"[Salt Typhoon]...an epoch defining threat..."
- US national security officials via Steve Prentiss, 02:18
"...stood out not only for its speed, but also for the multiple indicators suggesting the criminals used large language models..."
- Steve Prentiss, 05:05

Important Segment Timestamps

00:07 — Episode and headlines opening
00:33 — OpenClaw & VirusTotal partnership
01:07 — CISA directive on EOL devices
01:44 — APT28’s Microsoft Office campaign
02:18 — Salt Typhoon in Norway
03:31 — “Dknife” malware in China
04:03 — BridgePay ransomware attack
05:05 — AWS admin breach with AI
06:02 — German Signal phishing campaign

wavePod

OpenClaw embraces VirusTotal, CISA EOL Deadline, ransomware hits BridgePay

Summary

Cybersecurity Headlines – Episode Summary

Key Discussion Points & Insights

1. OpenClaw Embraces VirusTotal to Thwart Malicious AI Skills

2. CISA’s One-Year Deadline to Remove End-of-Life Devices

3. Russia’s APT28 Targets European Maritime and Transport Sectors

4. Salt Typhoon: Chinese Espionage in Norway

5. Chinese ‘Dknife’ Malware on Chinese Routers and Edge Devices

6. BridgePay Ransomware Attack Disrupts Nationwide Payments

7. AWS Intrusion: Admin Privileges Gained in Minutes with AI

8. German Agencies Warn of ‘Signal’ Phishing

Notable Quotes & Memorable Moments

Important Segment Timestamps

Recap & Closing

Transcript

Summary

Cybersecurity Headlines – Episode Summary

Key Discussion Points & Insights

1. OpenClaw Embraces VirusTotal to Thwart Malicious AI Skills

2. CISA’s One-Year Deadline to Remove End-of-Life Devices

3. Russia’s APT28 Targets European Maritime and Transport Sectors

4. Salt Typhoon: Chinese Espionage in Norway

5. Chinese ‘Dknife’ Malware on Chinese Routers and Edge Devices

6. BridgePay Ransomware Attack Disrupts Nationwide Payments

7. AWS Intrusion: Admin Privileges Gained in Minutes with AI

8. German Agencies Warn of ‘Signal’ Phishing

Notable Quotes & Memorable Moments

Important Segment Timestamps

Recap & Closing