Daily Cyber Threat Brief – Ep 1060
February 3, 2026 | Host: Dr. Gerald Auger (Simply Cyber Media Group)
Episode Overview
This episode of the Daily Cyber Threat Brief delivers the top cybersecurity news stories for Feb 3, 2026, unpacking vital threats and industry trends for professionals, analysts, and leaders. Dr. Gerald Auger brings both expertise and humorous commentary, breaking down why these stories matter and how they can impact organizations and careers. The episode covers AI-fueled malware, targeted supply chain threats, geopolitical cyber operations, vulnerability exploits, SaaS extortion, and record-setting DDoS attacks, always with practical advice for defenders.
Key News Stories and Insights
1. OpenClaw/Clawdbot Malicious Skills Spreading Crypto Malware
[11:00-17:48]
- Summary:
Security researchers highlighted how “OpenClaw,” a popular self-hosted, open-source AI assistant (formerly Clawdbot/Moltbot), is being abused by attackers. Over a dozen fake “skills” disguised as crypto trading/wallet tools were uploaded to ClawHub, tricking non-technical users into running malicious code on Windows and macOS.
- Expert Analysis (Gerald):
- The core AI tool is “legit by itself”—attacks arise when users download third-party skills/extensions.
- This is a classic “perfect storm” as a huge, non-expert user base is eager for the newest AI features and blindly follows install guides, making them ripe targets.
- “Threat actors are well aware… You’re getting unsuspecting, unskilled, non-technical users…as a defender you can’t really get better threat insights than this.” [13:00]
- Practical Risk:
- Shadow AI “sprawl” is now coupled with malware risk: installing unvetted skills for these open-source assistants can hand attackers a foothold on the user’s machine and network.
- Detection is hard: users install under their own permissions. “This might be an American thing…but this reminds me…the ripe population of unsuspecting victims.” [16:00]
- Advice: Caution end-users against installing unvetted AI assistants/skills. Incident response and monitoring should anticipate new “shadow AI” infection sources.
2. Notepad++ Targeted in Highly Specific Software Supply Chain Attack
[17:48–24:06]
- Summary:
Nation-state attackers (attributed to China’s “Violet Typhoon”) hijacked the Notepad++ update infrastructure, using it to selectively deliver malware to telecom and financial orgs in East Asia.
- Insights:
- The “compromise occurred at the hosting provider”—classic supply chain manipulation.
- Attack was “super targeted”: only machines of organizations that attackers cared about were redirected to receive a trojanized update.
- “If you had Notepad++ and updated recently, you’re good to go…This was a very specifically targeted [campaign].” [22:00]
- Similar in sophistication to classic SolarWinds and NotPetya supply chain breaches, but at smaller scale.
- Action:
- If you use Notepad++, download updates only from the official site, verify the installer (checksum or code-signing signature) before running it, and confirm you are on a current release.
- For most, risk is low unless you’re a high-value org in targeted geography/sector.
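Verifying an installer before running it, as an added example written for this summary (not the episode’s or the Notepad++ project’s own tooling). It assumes you have obtained the publisher’s SHA-256 for the release through a channel separate from the download itself; the version strings and pinned hashes in run_demo() are placeholders computed from constructed sample bytes so the code runs offline:

```python
"""Verify a downloaded installer against a pinned SHA-256 before running it.

Added example for this summary, not code from the episode or the Notepad++
project. Version strings and pinned hashes in run_demo() are constructed;
in practice you pin the checksum published on the vendor's official release
page, obtained separately from the installer download.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large installer never sits fully in memory


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_version(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


def check_release(path: Path, version: str, pinned: dict, minimum_version: str):
    """Return (ok, reason). Refuse anything unpinned, too old, or mismatching."""
    if version not in pinned:
        return False, "version not in pin list: obtain the published checksum first"
    if parse_version(version) < parse_version(minimum_version):
        return False, "older than the minimum known-good version"
    actual = sha256_file(path)
    # compare_digest is a constant-time comparison; not strictly needed for a
    # public hash, but the right habit wherever an expected digest is checked.
    if not hmac.compare_digest(actual, pinned[version].lower()):
        return False, "SHA-256 mismatch: do not run this installer"
    return True, "ok"


def run_demo() -> dict:
    """Constructed scenario: clean, tampered, too-old and unpinned installers."""
    clean = b"MZ" + b"\x00" * 62 + b"sample installer (constructed, not a real binary)"
    tampered = clean + b"\x90\x90"  # any byte change breaks the pin
    # Placeholder versions; the hashes are derived from the constructed bytes above.
    pinned = {
        "2.0.0": hashlib.sha256(clean).hexdigest(),
        "1.9.0": hashlib.sha256(clean).hexdigest(),
    }
    with tempfile.TemporaryDirectory() as d:
        p_clean = Path(d) / "editor-setup-clean.exe"
        p_clean.write_bytes(clean)
        p_tampered = Path(d) / "editor-setup-tampered.exe"
        p_tampered.write_bytes(tampered)
        return {
            "clean": check_release(p_clean, "2.0.0", pinned, "2.0.0"),
            "tampered": check_release(p_tampered, "2.0.0", pinned, "2.0.0"),
            "too_old": check_release(p_clean, "1.9.0", pinned, "2.0.0"),
            "unpinned": check_release(p_clean, "2.1.0", pinned, "2.0.0"),
        }


if __name__ == "__main__":
    for name, (ok, reason) in run_demo().items():
        print(f"{name:9s} {'PASS' if ok else 'FAIL'}: {reason}")
```

Pinning by version matters because a hijacked update channel can serve a plausible-looking build under a version you have never seen: an unknown version is refused outright rather than hashed and trusted.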
3. Russian APT28 Exploiting New Microsoft Office Zero-Day
[24:06–29:49]
- Summary:
CERT-UA reports Russian APT28 (“Fancy Bear”) is actively exploiting a fresh MS Office zero-day against Ukrainian government and EU targets. Phishing emails carrying malicious Office documents pull down malware and deploy post-exploitation tools.
- Analysis:
- “Microsoft published the details…and within one day there was an exploit chain waiting.” [25:50]
- Concern about how AI may enable even faster vulnerability weaponization: “Turnaround times are blistering fast.” [27:20]
- Exploit delivered via phishing (file: “Consultation Topics Ukraine.doc”), triggers C2 via dropped DLL.
- Advice:
- Patch MS Office immediately—including older builds.
- “Even if you’re not a Ukrainian target, similar techniques can be reused for business email compromise.”
- Educate users and apply defense-in-depth for email/file exploits.
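Defense-in-depth for the document-borne DLL chain described above, as an added example for this summary (not code from the episode or any vendor). It correlates an Office process writing a DLL into a user-writable path with that DLL being loaded or passed to a process shortly afterwards, and separately flags Office spawning a living-off-the-land binary; the Sysmon-style event records, paths and timestamps are constructed, and the rundll32 export name is invented:

```python
"""Correlate an Office process dropping a DLL with that DLL being executed.

Added example for this summary, not code from the episode or from any vendor.
Events are constructed dictionaries modelled loosely on Sysmon's ProcessCreate,
FileCreate and ImageLoad records; every path, timestamp and command line below
is invented for illustration.
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "cmd.exe", "powershell.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
WINDOW = timedelta(minutes=10)  # how long after the drop an execution still correlates


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def detect(events: list) -> list:
    """Return alerts for (1) Office spawning a LOLBin and (2) a DLL written by
    Office to a user-writable path being loaded or referenced soon afterwards."""
    alerts = []
    dropped = {}  # lowercased DLL path -> (time written, Office image that wrote it)
    for e in sorted(events, key=lambda x: x["ts"]):
        image = _basename(e["image"])
        if e["event"] == "file_create":
            target = e["target"].lower()
            if image in OFFICE and target.endswith(".dll") and any(s in target for s in USER_WRITABLE):
                dropped[target] = (e["ts"], e["image"])
            continue
        if e["event"] == "process_create" and _basename(e.get("parent_image", "")) in OFFICE and image in LOLBINS:
            alerts.append({"rule": "office_spawns_lolbin", "ts": e["ts"],
                           "parent": e["parent_image"], "child": e["image"]})
        # Either an ImageLoad naming the DLL, or a process whose command line names it.
        reference = (e.get("image_loaded") or e.get("command_line") or "").lower()
        for dll, (written, office) in dropped.items():
            if dll in reference and timedelta(0) <= e["ts"] - written <= WINDOW:
                alerts.append({"rule": "office_dropped_dll_executed", "ts": e["ts"],
                               "dll": dll, "dropped_by": office, "executed_via": e["image"]})
    return alerts


WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
T0 = datetime(2026, 2, 3, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed for this example
    {"ts": T0, "event": "process_create", "image": WINWORD,
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\agenda.doc"'},
    {"ts": T0 + timedelta(minutes=1), "event": "file_create", "image": WINWORD,
     "target": r"C:\Users\alice\AppData\Local\Temp\update.dll"},
    {"ts": T0 + timedelta(minutes=1), "event": "file_create", "image": WINWORD,
     "target": r"C:\Users\alice\Documents\notes.docx"},  # benign: not a DLL
    {"ts": T0 + timedelta(minutes=2), "event": "process_create",
     "image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dll,Start"},  # export name invented
    {"ts": T0 + timedelta(minutes=3), "event": "process_create",
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": WINWORD,
     "command_line": "cmd.exe /c whoami"},
    {"ts": T0 + timedelta(minutes=30), "event": "image_load",
     "image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\update.dll"},  # outside WINDOW
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The two rules are deliberately independent: the parent-child rule misses a DLL launched later by a scheduled task or another process, which is what the drop-then-execute correlation (keyed on the full lowercased path and bounded by WINDOW) is for. In production the window and the user-writable prefixes are tuning knobs, and the loaded-image check belongs alongside code-signing status of the loaded module.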
4. Windows Update Bug: Affects More PCs, Causes Restart-Lock
[29:49–33:23]
- Summary:
January Windows updates introduced a shutdown bug now known to affect more systems (Windows 10/11 with Virtual Secure Mode enabled). Affected computers may restart instead of shutting down, or fail to hibernate properly.
- Commentary:
- Issue requires manual shutdown or command-line workaround until a full patch lands.
- “Last time I checked, holding the power button on my computer successfully shuts it down. I don’t know if that’s crude…but it works.” [31:51]
- Practical Tips:
- Apply latest Microsoft out-of-band fixes if affected.
- In the interim, run shutdown /s /t 0 from a command prompt, or use the power button, to shut down.
5. Poland: Russian Cyberattack on Energy Infrastructure (Sandworm or Berserk Bear?)
[41:18–45:41]
- Summary:
December attacks (attributed by Dragos to Sandworm, by CERT Polska to Berserk Bear) hit Polish wind, solar, and heat plants. No power outages, but major security lapses exposed (default credentials, unpatched devices, no MFA).
- Key Insight:
- “Dragos attributes to Sandworm, CERT Polska attributes to Berserk Bear—who’s right? This is the headline.” [42:50]
- First destructive activity attributed publicly to Berserk Bear; shows difficulty in attribution and potential for geopolitical confusion.
- Action:
- OT/ICS operators in Europe need to heed these lessons and harden visible infrastructure.
6. ShinyHunters: SaaS Extortion Campaigns Escalate
[45:41–53:33]
- Summary:
Mandiant reports ShinyHunters have shifted from Salesforce breaches to targeting M365, SharePoint, Okta, Slack and more. Vishing and credential harvesting are rampant; attackers use stolen SSO credentials for SaaS extortion and ransomware, backed by data leaks and DDoS.
- Deep Dive:
- “There’s an explosive increase in vishing activity…They have so many people and such a corpus of seed data…it’s all hands on deck.” [47:50]
- Real-world example of how vishing attacks succeed—helpdesk staff giving away sensitive info without robust verification.
- “Executives need to eat their own dog food…you’re going to be the downfall of us.” [51:30]
- Advice:
- Educate helpdesk and workforce about vishing and social engineering.
- Ensure strong procedures for credential resets: no exceptions for “VIPs.”
- Layer MFA and detect SaaS access anomalies.
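Turning the helpdesk and SaaS-anomaly advice above into a check, as an added example for this summary (not from the episode, Mandiant, or any identity provider). It flags reset tickets closed without a strong verification method and sign-ins from an unfamiliar device or country within two hours of a reset; the tickets, sign-ins, baseline, IP addresses and field names are all constructed for this illustration:

```python
"""Flag helpdesk credential resets that precede sign-ins from unfamiliar context.

Added example for this summary; not code from the episode, Mandiant, or any
identity provider. Ticket, sign-in and baseline records are constructed, and
the field names are this example's own rather than a real IdP's log schema.
"""
from datetime import datetime, timedelta

# Verification methods the helpdesk is allowed to accept for a reset. Caller ID,
# urgency, seniority and knowledge of public details are deliberately not on it.
STRONG_VERIFICATION = {"callback_known_number", "manager_confirmation", "in_person"}
WINDOW = timedelta(hours=2)  # sign-ins this soon after a reset get extra scrutiny


def correlate(resets: list, signins: list, baseline: dict) -> list:
    """Return alerts: weakly verified resets, and post-reset sign-ins that do not
    match the user's known devices or countries."""
    alerts = []
    by_user = {}
    for s in signins:
        by_user.setdefault(s["user"], []).append(s)
    for r in resets:
        if r["verification"] not in STRONG_VERIFICATION:
            alerts.append({"rule": "weak_reset_verification", "user": r["user"],
                           "ticket": r["ticket"], "verification": r["verification"]})
        known = baseline.get(r["user"], {"devices": set(), "countries": set()})
        for s in by_user.get(r["user"], []):
            delta = s["ts"] - r["ts"]
            if not (timedelta(0) <= delta <= WINDOW):
                continue  # before the reset, or late enough to be judged on its own
            signals = []
            if s["device_id"] not in known["devices"]:
                signals.append("new_device")
            if s["country"] not in known["countries"]:
                signals.append("new_country")
            if signals:
                alerts.append({"rule": "post_reset_unfamiliar_signin", "user": r["user"],
                               "ticket": r["ticket"],
                               "minutes_after_reset": int(delta.total_seconds() // 60),
                               "ip": s["ip"], "signals": signals})
    return alerts


T0 = datetime(2026, 2, 3, 10, 0)
BASELINE = {  # constructed: devices and countries seen per user over a trailing period
    "c.exec@example.com": {"devices": {"dev-exec-laptop"}, "countries": {"US"}},
    "j.dev@example.com": {"devices": {"dev-j-laptop", "dev-j-phone"}, "countries": {"US"}},
}
RESETS = [  # constructed helpdesk tickets
    {"ticket": "HD-1001", "user": "c.exec@example.com", "ts": T0,
     "channel": "phone", "verification": "caller_id_only"},
    {"ticket": "HD-1002", "user": "j.dev@example.com", "ts": T0 + timedelta(hours=1),
     "channel": "phone", "verification": "callback_known_number"},
]
SIGNINS = [  # constructed SSO sign-in records (documentation IP ranges)
    {"user": "c.exec@example.com", "ts": T0 - timedelta(hours=2), "ip": "203.0.113.5",
     "country": "US", "device_id": "dev-unknown-1"},  # before the reset: out of scope here
    {"user": "c.exec@example.com", "ts": T0 + timedelta(minutes=25), "ip": "198.51.100.77",
     "country": "RO", "device_id": "dev-unknown-2"},
    {"user": "j.dev@example.com", "ts": T0 + timedelta(hours=1, minutes=10), "ip": "192.0.2.10",
     "country": "US", "device_id": "dev-j-laptop"},
]

if __name__ == "__main__":
    for alert in correlate(RESETS, SIGNINS, BASELINE):
        print(alert)
```

The reset-verification rule is the "no exceptions for VIPs" control expressed as data: the helpdesk records how it verified the caller, and anything outside the approved set is an alert regardless of who the caller claimed to be. The sign-in rule then gives the SOC a tight window to look at, instead of a generic impossible-travel alert buried in the day's noise.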
7. Aisuru Botnet Sets DDoS Record (31.4 Tbps Attack)
[53:33–57:35]
- Summary:
Cloudflare logs a historic DDoS (31.4 Tbps, 200M req/sec) by the Aisuru botnet, which commandeers 1–4 million IoT devices (routers, cameras, Android TVs). Sold as a “botnet for hire,” it enables DDoS, credential stuffing, and more.
- Context:
- “This is the equivalent of Tony Stark doing a weapons demonstration…If you want something blown off the Internet, call these guys.” [54:20]
- Underlines IoT insecurity: “You just log in with defaults, and you own it. Internet-facing in a lot of instances.”
- Takeaway:
- For any online service: DDoS protections are essential (Cloudflare remains gold standard).
- Policy changes needed for IoT device security standards and enforcement.
8. Stop ICE App Hacked; Users Targeted with Scare Tactics
[57:35–61:12]
- Summary:
“Stop ICE,” an activist app used to organize around ICE activity, was hacked. Attackers sent fake texts warning users their information was given to authorities. The attack allegedly originated from a US Customs agent’s server.
- Analysis:
- Not necessarily ICE itself; could be a sympathizer.
- “If you’re going to vibe-code or write an app…use good credentials, don’t use default creds.” [59:10]
- Broader Implication:
- Activist and protest organization apps face distinctive cyber risks.
- Draws parallel to protest coordination under oppressive regimes (“This is what you see all the time in China…” [61:12]).
- Advice:
- App developers: enforce security best practices.
- All: be aware of data protection if using activist or crowd-sourced safety apps.
Notable Quotes & Memorable Moments
- “Ain’t nobody got time for that… No cyber professional goes through, reads a bunch of stories, digests it, and then pretends to go through it for the first time with others.” [04:50]
- On targeted supply chain attacks: “Let’s be real…this was a very specifically targeted campaign. China’s wicked good at espionage.” [22:00]
- “This used to be like Microsoft Office every day…Nowadays, they’ve disabled macros, cleaned up…I guess APT28 is highly effective—they’ve gone and done it again.” [25:10]
- “IoT—well known, default security accounts, trivial to compromise, Internet facing, easy to find on Shodan…Finding these devices is absolutely trivial.” [56:00]
- “Executives—get top cover. You’re not allowed to threaten support desk people if they don’t reset your password.” [53:00]
Jawjacking Q&A Session (Eric Taylor, Barricade Cyber)
[66:00–88:54]
- Topics:
- Deep dive into Notepad++ supply chain attack, with live walkthrough of IOC resources.
- Best practices for designing tabletop exercises: “Build out a cut sheet of approved vendors, disaster contacts—don’t wait for an incident to figure this out.” [78:00]
- Open source certificate authorities like Let’s Encrypt: “I don’t know if anyone really cares anymore—Let’s Encrypt is legitimate; just ensure automated renewals.” [85:40]
- Advice on MDR reporting: “Instead of ‘number of threats stopped,’ frame it as ‘here’s what we learned, how MDR helped, and the threats we stopped proactively.’” [86:30]
- Style:
- Eric’s answers were open, candid, and practical—emphasizing real-world strategies over academic perfection.
- Key Quote:
- “People jump at crimes of opportunity—it’s rarely personal unless you’ve attracted state-level threat actors.”
Lighter Moments & Community Vibes
- Community shoutouts throughout: welcoming first-timers, emote sound effects, and invitations to Discord and conference meetups.
- Tidbits Tuesday: Gerald recommends the show Ludwig (on BritBox) for true-crime and puzzle lovers, and shares his affection for Psych, Brooklyn Nine-Nine, and the deep cut Garth Marenghi’s Darkplace.
- As always, the episode blends expert threat coverage with community humor, inside jokes, and audience engagement.
Timestamps for Key Segments
| Segment | Topic | Start Time |
|---------|-------|------------|
| Opening, Community Greetings | CPEs, show structure, engagement tips | 00:01 |
| Story 1 | OpenClaw AI abuse for crypto malware | 11:00 |
| Story 2 | Notepad++ supply chain attack | 17:48 |
| Story 3 | MS Office zero-day exploitation by APT28 | 24:06 |
| Story 4 | Windows shutdown bug | 29:49 |
| Midroll | Sponsors, Tidbits Tuesday, TV recs | 33:57 |
| Story 5 | Poland’s energy cyberattack attribution | 41:18 |
| Story 6 | ShinyHunters SaaS extortion/vishing | 45:41 |
| Story 7 | Aisuru botnet DDoS record | 53:33 |
| Story 8 | "Stop ICE" hack & activist security | 57:35 |
| Jawjacking Q&A | Notepad++ deep dive, tabletops, CAs, MDR metrics | 66:00 |
Final Takeaways
- Be proactive: Patch quickly, monitor emerging SaaS and AI tools, and educate both technical and non-technical staff.
- Security basics matter: default credentials, unpatched devices, missing MFA and unverified helpdesk resets are what enabled or worsened most of the day’s incidents; strong credentials, update hygiene, supply chain vigilance, and user training are the counters.
- Threat actors are always evolving: From sophisticated supply chain attacks to wide-net SaaS extortion and next-gen DDoS, the playbook is ever-changing.
- Community & collaboration: Sharing insights and resources accelerates threat detection and response.
Dr. Gerald Auger closes with appreciation for the community and encouragement to keep learning and leveling up together. More episodes, Q&A, and resources available at simplycyber.io and on Discord.
