
A
From the CISO series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Tuesday, February 3, 2026. I'm Sarah Lane.

OpenClaw targets crypto users on ClawHub
Security researchers warn that OpenClaw, the self-hosted AI assistant formerly known as Clawdbot and Moltbot, is being abused to distribute malware. Open Source Malware says at least 14 malicious skills posing as crypto trading or wallet tools were uploaded to ClawHub in late January, tricking Windows and macOS users into running obfuscated commands that fetch malware. The incident highlights how OpenClaw's unsandboxed skills model and rapid rebranding have made it an easy target for social engineering.

Notepad++ update delivers malware
State-sponsored attackers hijacked the Notepad++ update mechanism, redirecting some users to malicious servers that delivered malware, according to the project's maintainer. The compromise occurred at the hosting provider level, not in Notepad++ code, and involved targeted redirection of update traffic starting as early as last June. Security researchers link the activity to the China-nexus group Violet Typhoon, which targeted telecom and financial organizations in East Asia. Notepad++ has since moved hosting providers and hardened its update process.

APT28 attackers abuse Microsoft Office zero-day
CERT-UA says Russia-linked APT28, also known as Fancy Bear, is already exploiting a newly disclosed Microsoft Office zero-day to target Ukrainian government agencies and organizations across the EU. The bug went from disclosure to active exploitation in days, with phishing emails delivering malicious Word documents that quietly pull down malware and deploy the Covenant post-exploitation framework. Microsoft has released patches, but CERT-UA warns attacks are likely to increase as many users delay or are unable to update.

January update affects more Windows PCs
Microsoft says a shutdown bug introduced by January updates affects more PCs than previously known, extending beyond Windows 11 to Windows 10 systems with Virtual Secure Mode enabled. The issue causes affected devices to restart instead of shutting down or entering hibernation after installing recent updates, including Secure Launch-capable machines. Microsoft has issued out-of-band fixes for some Windows 11 systems and advises impacted users to manually shut down via the command line while it works on a broader fix.

Huge thanks to our sponsor, Strike48. It's no secret that AI is only as good as the data available to it. Strike48 unifies agentic AI with unmatched log visibility while avoiding the typical hefty price tag. Build and deploy agents for phishing detection, alert triage, threat correlation and more. Query existing logs where they currently live so you can keep the technology you already have. Learn more at strike48.com.

Poland's energy infrastructure lacked security measures
CERT Polska says a December cyber attack linked to Russian threat actors compromised wind and solar farms and a heat and power plant in Poland, though it didn't disrupt electricity supplies. The agency claims the affected operators had basic security failures, including default credentials, unpatched perimeter devices and no multi-factor authentication. While ESET and Dragos attribute the activity to the GRU-linked Sandworm group, CERT Polska ties it to a separate Russian cluster known as Berserk Bear or Dragonfly. This marks the first publicly described destructive activity linked to that group.

ShinyHunters expands scope of attacks
Mandiant says the ShinyHunters cybercrime group has expanded its software-as-a-service extortion campaign beyond Salesforce to platforms including Microsoft 365, SharePoint, Slack and Okta, using vishing and branded credential-harvesting sites to steal SSO credentials and MFA codes. Google tracks multiple ShinyHunters-linked clusters that exfiltrate sensitive SaaS data and use it for aggressive extortion, including ransomware demands backed by data leaks and DDoS threats. Researchers warn the activity shows a clear escalation in both targeting and tactics, despite earlier law enforcement takedowns.

Massive attack breaks records (and no, I'm not talking about the band)
Cloudflare reports that the Aisuru botnet set a new DDoS record in December with an attack peaking at 31.4 terabits per second and 200 million requests per second, primarily targeting telecom providers. The botnet, estimated to control 1 to 4 million compromised devices, including home routers, CCTV systems and Android TV devices, is sold as a botnet for hire and can also be used for credential stuffing, scraping and phishing. The scale highlights how poorly secured consumer devices are increasingly being weaponized for Internet-wide attacks.

Stop ICE hacked, admins accuse sabotage
Stop ICE says it was targeted in an attack that sent fake text messages warning users their data had been sent to the authorities, which the group claims is false. The ICE tracking service says it doesn't store users' names, addresses or GPS data, and alleges the attack originated from a personal server linked to a US Customs and Border Protection agent, an accusation that, as of this recording, CBP has not yet commented on. Stop ICE says the attempted server attack was quickly contained and describes the incident as part of frequent DDoS and harassment campaigns against the service.

Have you checked out the CISO Series podcast yet? If you enjoy getting the daily news from us, you will also enjoy our deeper-dive discussions into wider topics in cybersecurity. This week we're digging into the challenges of trying to secure systems in a healthcare setting, where creating any kind of user friction can mean impacting health outcomes. Look for the episode "Take Two-Factor Authentication and Call Me in the Morning" wherever you get your podcasts, and check it out. If you have some thoughts on the news from today or about our show in general, be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Sarah Lane, reporting for the CISO Series. Thank you for listening. We'll talk to you tomorrow.
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: Sarah Lane
Podcast: CISO Series
This episode provides a rapid-fire summary of major cybersecurity incidents from the last 24 hours. Key topics include new malware threats, nation-state attacks exploiting software supply chains, record-setting DDoS activity, and growing sophistication among both state and cybercriminal groups. The tone is urgent but clear, with Sarah Lane covering both the technical details and the broader significance of each story.
Sarah Lane wraps up by promoting the deeper-dive CISO Series podcast and inviting listener feedback, underscoring the show’s commitment to ongoing relevance and dialogue.