InfoSec News 09MAR2026

General

According to the researchers, the threat actor set up malicious GitHub repositories posing as OpenClaw installers, which were recommended by Bing in its AI-powered search results for the Windows version of the tool.
...
A fake OpenClaw repository that Huntress analyzed appeared legitimate at a quick look, as the threat actor tied it to a GitHub organization named openclaw-installer. This may also have carried some weight in Bing's AI recommendation.
The GitHub accounts publishing these repositories were newly created, but attempted to increase their legitimacy by copying real code from the Cloudflare moltworker project.
...
"The repository contained a number of files that followed a theme of containing a shell script paired with a Mach-O executable," which Huntress identified as the Atomic Stealer malware.
...
Most of the executables were Rust-based malware loaders that executed information stealers in memory, the researchers said, adding that one of the payloads was the Vidar stealer, which contacted Telegram and Steam user profiles to get command-and-control (C2) data.
The attacker's approach is straightforward. They clone the Claude Code installation page (layout, branding, documentation sidebar, and all), hosting it on a lookalike domain. The page is a near-pixel-perfect replica of the real thing. The only meaningful difference is in the installation commands themselves: instead of fetching the install script from claude.ai, the commands point to an attacker-controlled server that serves malware instead.
...
The fake install pages are distributed exclusively through Google Ads, specifically through sponsored search results that appear when users search for terms like "Claude Code", "Claude Code install", or "Claude Code CLI."
...
Another common theme we see across pretty much every phishing site these days is the abuse of legitimate domains for hosting malicious content. This allows attackers to blend in with normal web traffic and is a core detection evasion technique.
In this case, we observed Cloudflare Pages (pages.dev), Squarespace, and Tencent EdgeOne being used.
Since 2024, UAT-9244 has targeted critical telecommunications infrastructure, including Windows and Linux-based endpoints and edge devices in South America, proliferating access via three malware implants.
...
Although UAT-9244 and Salt Typhoon both target telecommunications service providers, Talos has not been able to verify or establish a solid connection between the two clusters.
...
The TernDoor infection chain is persisted on the system using either a scheduled task or the Registry Run key.
...
Infrastructure used by UAT-9244 also hosts another set of shell scripts and payloads designed to establish compromised Linux-based systems including edge devices as operational relay boxes (ORBs) that scan and brute force Tomcat, Postgres, and SSH servers.
Svelto said that, in the last week, Mozilla received about 470,000 crash reports from Firefox users, which just covers those who opted in to crash reporting. About 25,000, he said, look to be potential bit flips.
...
And, he said, if he subtracts crashes caused by resource exhaustion, like running out of memory, the proportion of crashes attributable to hardware goes up to about 15 percent.
...
This is not the first time people have been taken aback by hardware error rates. Google researchers looked at DRAM errors in its data centers back in 2009 and were surprised to find that DRAM error rates "are orders of magnitude higher than previously reported, with 25,000 to 70,000 errors per billion device hours per Mbit and more than 8 percent of DIMMs affected by errors per year."
40-year-old Derrick Van Yeboah pleaded guilty to conspiracy to commit wire fraud on Thursday and agreed to pay more than $10 million in restitution.
...
According to court documents, the scammers (who called themselves "game boys" or "sakawa boys") deceived vulnerable older women and men across the U.S. who lived alone into believing they were in romantic relationships online and tricked them into depositing money into the bank accounts of U.S. middlemen after gaining their trust.
...
Van Yeboah is scheduled to be sentenced by U.S. District Judge Arun Subramanian on June 3 and is facing up to 20 years in prison.

Getting Techy

  • PAN's Unit 42 looks at another China-aligned threat actor. An interesting point was the use of 'certutil -encode' to Base64-encode data and then stream it out through the web shell, so nothing ever leaves the host as a file transfer.
The initial access to environments targeted in CL-UNK-1068 activity is achieved by deploying and utilizing various web shells. We observed the attackers deploying the GodZilla web shell, and a variation of AntSword, both of which are written in a combination of English and Simplified Chinese. After gaining an initial foothold, the attackers use these web shells to move laterally to additional hosts and SQL servers.
...
By encoding the archives as text and printing them to their screen, the attackers were able to exfiltrate data without actually uploading any files. The attackers likely chose this method because the shell on the host allowed them to run commands and view output, but not to directly transfer files. Figure 3 shows the alert triggered by the data exfiltration activity.
...
We assess with high confidence that CL-UNK-1068 represents activity from a threat group that communicates in Chinese. The group behind this activity cluster has been targeting high-value sectors across South, Southeast and East Asia since at least 2020. Using primarily open-source tools, community-shared malware and batch scripts, the group has successfully maintained stealthy operations while infiltrating critical organizations.
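As an added illustration of the defensive side of the certutil trick (not code from the Unit 42 report), a small detector that flags certutil -encode launched beneath a web server worker and records whether the encoded text is being printed to the shell's output. The event field names, the worker-process list and the sample events are assumptions constructed for this example.

```python
import re

# Constructed process-creation events, loosely modelled on Sysmon Event ID 1 fields;
# field names and values are assumptions for this example, not Unit 42's telemetry.
SAMPLE_EVENTS = [
    {"host": "web01", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "command_line": r"cmd.exe /c certutil -encode C:\Windows\Temp\db.rar C:\Windows\Temp\db.txt & type C:\Windows\Temp\db.txt"},
    {"host": "admin01", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"certutil -verify C:\certs\server.cer"},
    {"host": "admin01", "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"certutil.exe -encode C:\Reports\q1.pdf C:\Reports\q1.b64"},
    {"host": "web01", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "command_line": "cmd.exe /c whoami"},
]

# Web server worker processes that have no business launching certutil (assumed list).
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "php-cgi.exe", "tomcat9.exe"}
# certutil with an -encode or /encode switch in the same command segment (no & or | between)
CERTUTIL_ENCODE = re.compile(r"\bcertutil(?:\.exe)?\b[^&|]*?[-/]encode\b", re.IGNORECASE)
# the encoded text being printed to the shell's output rather than transferred as a file
DISPLAY_CMDS = re.compile(r"\b(type|more|findstr)\b", re.IGNORECASE)

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """Return a finding for a certutil -encode event, or None when the rule does not fire."""
    cmd = event.get("command_line", "")
    if not CERTUTIL_ENCODE.search(cmd):
        return None
    parent = basename(event.get("parent_image", ""))
    finding = {"host": event["host"], "parent": parent, "rule": "certutil-encode",
               "severity": "medium", "displayed": bool(DISPLAY_CMDS.search(cmd))}
    if parent in WEB_WORKERS:
        # certutil spawned beneath a web worker is the web-shell read-out pattern
        finding.update(rule="certutil-encode-under-web-worker", severity="high")
    return finding

def scan(events):
    """Run the rule over a batch of events and keep only the hits, in input order."""
    return [f for f in map(classify, events) if f is not None]
```

Real telemetry usually only gives the immediate parent, so cmd.exe sitting between the worker and certutil needs either the full command line (as here) or ancestry from the EDR.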
Mutational grammar fuzzing is a fuzzing technique in which the fuzzer uses a predefined grammar that describes the structure of the samples. When a sample gets mutated, the mutations happen in such a way that any resulting samples still adhere to the grammar rules, thus the structure of the samples gets maintained by the mutation process. In case of coverage-guided grammar fuzzing, if the resulting sample (after the mutation) triggers previously unseen code coverage, this sample is saved to the sample corpus and used as a basis for future mutations.
...
However, despite the approach being effective, it is not without its flaws which, for a casual fuzzer user, might not be obvious. In this blogpost I will introduce what I perceive to be the flaws of the mutational coverage-guided grammar fuzzing approach. I will also describe a very simple but effective technique I use in my fuzzing runs to counter these flaws.
...
Although the trick described in this blogpost is very simple, it nevertheless worked surprisingly well and helped discover issues in libxslt quicker than I would likely be able to find using default settings. It also underlines the benefits of experimenting with different fuzzing setups according to the target specifics, rather than relying on tooling out-of-the-box.
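An added toy illustration of the structure-preserving mutation described above (not code from the blog post): a mutation regenerates one subtree of a derivation tree for a tiny arithmetic grammar, so every mutant stays grammatical, and a separate parser-based oracle confirms it. The grammar, depth budget and oracle are assumptions constructed for this example, and coverage measurement is left out.

```python
import ast, random

# Constructed toy grammar (assumption; the post's libxslt grammar is not on the page).
GRAMMAR = {  # nonterminal -> alternatives, each alternative a sequence of symbols
    "<expr>": [["<term>"], ["<expr>", "+", "<term>"]],
    "<term>": [["<num>"], ["(", "<expr>", ")"]],
    "<num>": [[d] for d in "0123456789"],
}

def generate(sym, rng, depth=0):
    """Derivation tree (symbol, children); terminals carry children=None."""
    if sym not in GRAMMAR:
        return (sym, None)
    # past the depth budget take the shortest alternative so generation terminates
    options = GRAMMAR[sym] if depth < 4 else [min(GRAMMAR[sym], key=len)]
    return (sym, [generate(s, rng, depth + 1) for s in rng.choice(options)])

def serialize(tree):
    return tree[0] if tree[1] is None else "".join(map(serialize, tree[1]))

def nonterminals(tree):  # count of nonterminal nodes, used to pick a mutation point
    return 0 if tree[1] is None else 1 + sum(map(nonterminals, tree[1]))

def mutate(tree, rng):
    """Swap one random nonterminal subtree for a fresh derivation of the same symbol."""
    target, seen = rng.randrange(nonterminals(tree)), [0]
    def walk(node):
        if node[1] is None:
            return node
        seen[0] += 1
        if seen[0] - 1 == target:
            return generate(node[0], rng)  # mutant stays in GRAMMAR by construction
        return (node[0], [walk(k) for k in node[1]])
    return walk(tree)

def accepts(text):
    """Oracle: parses as a Python expression of int literals and '+' only, i.e. is in GRAMMAR."""
    try:
        node = ast.parse(text, mode="eval")
    except SyntaxError:
        return False
    return all(isinstance(n, (ast.Expression, ast.BinOp, ast.Add, ast.Constant))
               and (not isinstance(n, ast.Constant) or isinstance(n.value, int))
               for n in ast.walk(node))

def campaign(seed, rounds):
    """Seed one sample, then mutate repeatedly, each mutant becoming the next base."""
    rng, samples = random.Random(seed), []
    tree = generate("<expr>", rng)
    for _ in range(rounds):
        samples.append(serialize(tree))
        tree = mutate(tree, rng)
    return samples
```

In a real coverage-guided run a mutant would only be kept as a future base when it triggers new coverage; here every mutant is kept, which is the point the post argues needs adjusting.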

Geo-Politics

  • [US] In some positive security news, for a change, a bill to fund electricity-grid security has passed the House.
The House Energy and Commerce committee unanimously passed a package of bipartisan cybersecurity bills Thursday targeting the energy sector, including legislation that would reauthorize and fund a critical federal cybersecurity assistance program for rural electric utilities across the country.
...
The program was created through the 2022 Infrastructure Investment and Jobs Act and is widely viewed in the energy sector as a cybersecurity lifeline for badly underfunded electric utilities that would otherwise be a weak link in the nation’s energy cybersecurity or reliability.

AI

  • OpenAI has updated GPT and GPT Pro to version 5.4. Prices have risen, and there is now a higher rate for context lengths over 272k tokens.
    • Input: $1.75 (5.2) -> $2.50 (5.4 <= 272k) or $5.00 (5.4 > 272k)
    • Output: $14 (5.2) -> $15 (5.4 <= 272k) or $22.50 (5.4 > 272k)
    • Input: $21 (5.2 Pro) -> $30 (5.4 Pro <= 272k) or $60 (5.4 Pro > 272k)
    • Output: $168 (5.2 Pro) -> $180 (5.4 Pro <= 272k) or $270 (5.4 Pro > 272k)
In ChatGPT, GPT‑5.4 Thinking can now provide an upfront plan of its thinking, so you can adjust course mid-response while it’s working, and arrive at a final output that’s more closely aligned with what you need without additional turns. GPT‑5.4
What I had not realized is that extremely short exposures to a relatively simple computer program could induce powerful delusional thinking in quite normal people.
