Cybersecurity Headlines – February 3, 2026
Host: Sarah Lane
Podcast: CISO Series
Episode Overview
This episode provides a rapid-fire summary of major cybersecurity incidents from the last 24 hours. Key topics include new malware threats, nation-state attacks exploiting software supply chains, record-setting DDoS activity, and growing sophistication among both state and cybercriminal groups. The tone is urgent but clear, with Sarah Lane emphasizing both technical details and the broader significance of each story.
Key Discussion Points and Insights
1. OpenClaw Malware Campaign on ClawHub
- Summary:
The OpenClaw AI assistant (formerly Claudebot/Multbot) is being exploited to distribute malware via malicious “skills” that impersonate crypto trading and wallet tools.
- Details:
- At least 14 malware-laden skills uploaded late January.
- Both Windows and macOS users targeted — malware installed via obfuscated commands.
- The open, un-sandboxed nature of OpenClaw’s skills platform and its rapid rebranding facilitate social engineering.
- Notable Quote:
“The incident highlights how OpenClaw’s unsandboxed skills model and rapid rebranding have made it an easy target for social engineering.” (00:32, Sarah Lane)
2. Notepad++ Update Mechanism Compromised
- Summary:
Attackers hijacked the Notepad++ update process via the hosting provider, redirecting downloads and infecting targeted users with malware.
- Details:
- Attack did not alter Notepad++ code; compromise occurred at the hosting provider.
- Linked to China-nexus group “Violet Typhoon”.
- Primary victims: Telecom and financial organizations in East Asia.
- Notepad++ has switched hosting providers and tightened update security.
- Notable Quote:
“The compromise occurred at the hosting provider level, not in Notepad code, and involved targeted redirection of update traffic starting as early as last June.” (01:07, Sarah Lane)
3. APT28 (Fancy Bear) Abuses New Microsoft Office Zero-Day
- Summary:
Russian APT28 is actively exploiting a just-disclosed Microsoft Office zero-day vulnerability, targeting Ukrainian and broader EU government networks.
- Details:
- Attacks initiated within days of vulnerability disclosure.
- Initial infection via phishing emails with malicious Word docs.
- Payload downloads malware and deploys the “Covenant” post-exploitation framework.
- Patches are out, but CERT-UA warns of continued risk due to slow user updates.
- Notable Quote:
“Microsoft has released patches, but CERT-UA warns attacks are likely to increase as many users delay or are unable to update.” (01:42, Sarah Lane)
4. Windows Shutdown Bug Widens Impact
- Summary:
Microsoft’s January updates introduced a shutdown bug now known to impact not just Windows 11, but also Windows 10 machines with Virtual Secure Mode enabled.
- Details:
- Devices may restart instead of shutting down or hibernating.
- Microsoft recommends manual shutdowns via command line for now.
- Notable Quote:
“Microsoft has issued out-of-band fixes for some Windows 11 systems and advises impacted users to manually shut down via command line while it works on a broader fix.” (02:21, Sarah Lane)
5. Polish Energy Infrastructure Attack — Security Failures Exposed
- Summary:
Russian threat actors breached wind, solar, and heating plants in Poland in December, with attacks attributed by various researchers to GRU-linked “Sandworm” or “Berserk Bear.”
- Details:
- No power outages occurred, but operators had severe basic security lapses (no MFA, default credentials, unpatched devices).
- First recorded destructive activity linked to Berserk Bear/Dragonfly.
- Notable Quote:
“The agency claims the affected operators had basic security failures, including default credentials, unpatched perimeter devices and no multi-factor authentication.” (03:23, Sarah Lane)
6. Shiny Hunters Extortion Campaign Expands
- Summary:
Shiny Hunters, initially focused on Salesforce, now targets Microsoft 365, SharePoint, Slack, and Okta using advanced phishing, vishing, and credential harvesting to enable SaaS extortion.
- Details:
- Steals SSO creds, MFA codes, and exfiltrates SaaS data.
- Uses ransom, doxing/data leak threats, and DDoS.
- Notable Quote:
“Researchers warn the activity shows a clear escalation in both targeting and tactics, despite earlier law enforcement takedowns.” (04:14, Sarah Lane)
7. Largest DDoS Attack on Record — Isuru Botnet
- Summary:
Cloudflare reports a December DDoS attack by the Isuru botnet, which peaked at 31.4 Tbps and 200 million requests per second.
- Details:
- Targets: Telecoms.
- Botnet size: 1–4 million devices (routers, CCTV, Android TVs, etc.).
- Available as a “botnet for hire”; also used for credential stuffing/phishing.
- Highlights poor household device security.
- Notable Quote:
“The scale highlights how poorly secured consumer devices are increasingly being weaponized for internet-wide attacks.” (05:08, Sarah Lane)
8. Stop ICE Hacked — Blame Cast on US Agent
- Summary:
Stop ICE, a US immigration enforcement tracking service, suffered an attempted hack and disinformation campaign; the service alleges a US CBP agent was involved.
- Details:
- Fake texts falsely warned users their data was shared with authorities.
- No evidence that sensitive user data was stored.
- Server attack quickly contained; pattern of DDoS and harassment continues.
- Notable Quote:
“Stop ICE says the attempted server attack was quickly contained and describes the incident as part of frequent DDoS and harassment campaigns against the service.” (06:03, Sarah Lane)
Memorable Moments & Quotes
- “OpenClaw’s unsandboxed skills model and rapid rebranding have made it an easy target for social engineering.” (00:32, Sarah Lane)
- “The compromise occurred at the hosting provider level, not in Notepad code...” (01:07, Sarah Lane)
- “Microsoft has released patches, but CERT-UA warns attacks are likely to increase as many users delay or are unable to update.” (01:42, Sarah Lane)
- “The agency claims the affected operators had basic security failures...” (03:23, Sarah Lane)
- “The scale highlights how poorly secured consumer devices are increasingly being weaponized for internet-wide attacks.” (05:08, Sarah Lane)
Timestamps for Major Segments
- OpenClaw Malware on ClawHub: 00:12–00:52
- Notepad++ Update Compromise: 00:52–01:28
- APT28 Office Zero-Day: 01:28–02:10
- Windows Shutdown Bug: 02:10–02:50
- Polish Energy Attack: 03:22–03:55
- Shiny Hunters SaaS Attacks: 03:55–04:42
- Isuru DDoS Attack: 04:43–05:19
- Stop ICE Hack: 05:48–06:21
Closing Note
Sarah Lane wraps up by promoting the deeper-dive CISO Series podcast and inviting listener feedback, underscoring the show’s commitment to ongoing relevance and dialogue.
