InfoSec News 12FEB2026
General
- Brian Krebs is continuing his series on the Kimwolf botnet. The botnet has now added I2P (The Invisible Internet Project) support, however it's overwhelming the I2P network.
“I don’t think their goal is to take I2P down,” he said. “It’s more they’re looking for an alternative to keep the botnet stable in the face of takedown attempts.”
...
Meanwhile, Brundage said the good news is Kimwolf’s overlords appear to have quite recently alienated some of their more competent developers and operators, leading to a rookie mistake this past week that caused the botnet’s overall numbers to drop by more than 600,000 infected systems.
“It seems like they’re just testing stuff, like running experiments in production,” he said. “But the botnet’s numbers are dropping significantly now, and they don’t seem to know what they’re doing.”
- https://krebsonsecurity.com/2026/02/kimwolf-botnet-swamps-anonymity-network-i2p/
- https://i2p.net/en/
- https://en.wikipedia.org/wiki/I2P
- Another arrest after JokerOTP/JockerPhone OTP was taken down in April 2025. This time it's the seller - a 21-year-old from the Netherlands (following on from arrests of the main developer and co-developer).
Typically, cybercriminals would use stolen credentials, either collected from malware infections or purchased on the dark web, and try to log into a target account. The legitimate owner would receive the OTP required for completing the login process.
At the same time, JokerOTP automated calls to targets, posing as representatives of the legitimate service the attackers were attempting to access, and requesting the one-time password (OTP).
Because the calls coincided with the delivery of the authentication code, many users failed to recognize the scam.
- Movie-plot security threats - this is not the stuff you should be worrying about.
An Instagram template is currently doing the rounds instructing users to go to ChatGPT and use the following prompt: “Create a caricature of me and my job based on everything you know about me.” In some instances, the LLM may ask for more context, but in many this prompt alone is enough to generate concerningly detailed images.
While fun, the AI work caricature trend poses a huge risk to individuals and their employers and highlights just how many people use AI, or more specifically large language models (LLMs), to talk about and support their work.
- https://www.fortra.com/blog/what-can-ai-work-caricature-trend-teach-us-about-risks-shadow-ai
- https://www.theregister.com/2026/02/11/ai_caricatures_social_media_bad_security/
- In the battle of the computers, a tool uses a 3D model of a humanoid to pass Discord's on-device age estimation. It's pretty lightweight: a single HTML file, JavaScript assets pulled in via CDN, and a bring-your-own 3D model (a demo model is supplied). The model can be manipulated in real time to meet the verification prompts, such as turning the head or opening the mouth.
- See if you can detect the problem with this process. An add-in retrieves all of its content (assets) from a remote, developer-controlled server; the add-in is reviewed and added to the store; the developer can now update/maintain the software without further review. Hmm, sounds like a classic TOCTOU (Time of Check/Time of Use) bug: when it was checked, everything was fine; by the time it was used, it was bad.
In this case, an Outlook add-in developer abandoned the project and let the file hosting lapse; a threat actor re-registered the hosting and could then compromise the add-in's users.
In 2022, a developer built a meeting scheduling tool called AgreeTo and published it to the Microsoft Office Add-in Store. It worked. People liked it. Then the developer moved on, and the project died.
The add-in stayed listed in Microsoft's store. The URL it pointed to - hosted on Vercel - became claimable. An attacker claimed it, deployed a phishing kit, and Microsoft's own infrastructure started serving it inside Outlook's sidebar. By gaining access to the attacker's exfiltration channel, we were able to recover the full scope of the operation: over 4,000 stolen Microsoft account credentials, credit card numbers, and banking security answers. The attacker was actively testing stolen credentials yesterday. The infrastructure is live as you read this.
- https://www.koi.ai/blog/agreetosteal-the-first-malicious-outlook-add-in-leads-to-4-000-stolen-credentials
- https://www.bleepingcomputer.com/news/security/microsoft-store-outlook-add-in-hijacked-to-steal-4-000-microsoft-accounts/
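The defender's check the story above calls for is an inventory of every remote host a published add-in loads content from, re-run periodically rather than only at review time. Below is an added example (not Koi's, Microsoft's or the AgreeTo project's code) that pulls the hostnames out of an XML add-in manifest and flags any that no longer resolve. The manifest and the `.invalid` hostnames are constructed for the example; the element names follow the SourceLocation/AppDomain layout of Office add-in manifests, but nothing else about a real add-in is assumed.

```python
"""Inventory the remote hosts an add-in manifest points at and flag hosts that
no longer resolve. Added example; the manifest below is constructed."""
import re
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample manifest: the add-in loads all of its UI from remote hosts.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <DisplayName DefaultValue="Example Scheduler"/>
  <IconUrl DefaultValue="https://example-addin.invalid/icon.png"/>
  <AppDomains>
    <AppDomain>https://cdn.example.invalid</AppDomain>
  </AppDomains>
  <FormSettings>
    <Form>
      <DesktopSettings>
        <SourceLocation DefaultValue="https://example-addin.invalid/index.html"/>
        <RequestedHeight>250</RequestedHeight>
      </DesktopSettings>
    </Form>
  </FormSettings>
</OfficeApp>
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_hosts(manifest_xml: str) -> set:
    """Return every hostname referenced by a URL anywhere in the manifest,
    whether it appears in an attribute (DefaultValue) or in element text."""
    root = ET.fromstring(manifest_xml)
    hosts = set()
    for el in root.iter():
        candidates = list(el.attrib.values())
        if el.text:
            candidates.append(el.text)
        for value in candidates:
            for url in URL_RE.findall(value):
                host = urlparse(url).hostname
                if host:
                    hosts.add(host.lower())
    return hosts


def resolves(host: str) -> bool:
    """Default resolver: True when DNS returns at least one address."""
    try:
        socket.getaddrinfo(host, 443)
        return True
    except socket.gaierror:
        return False


def find_dangling_hosts(manifest_xml: str, resolver=resolves) -> dict:
    """Map each referenced host to whether it still resolves.
    Hosts mapped to False are takeover candidates and the listing should be
    pulled (or the host re-registered by the legitimate owner) before anyone
    else claims it. `resolver` is injectable so the check can run offline."""
    return {h: resolver(h) for h in sorted(extract_hosts(manifest_xml))}


if __name__ == "__main__":
    for host, alive in find_dangling_hosts(SAMPLE_MANIFEST).items():
        print(f"{host}: {'ok' if alive else 'DOES NOT RESOLVE - takeover candidate'}")
```

A host that still resolves is not proof of safety: on hosting platforms that answer for every subdomain with a wildcard record, the name resolves whether or not a deployment is still claimed, so for those hosts an HTTP fetch of the SourceLocation URL (checking that the expected content, not a platform "not found" page, comes back) is the second check to add.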
- [RU] In a move that's going to annoy a bunch of cybercriminals, Roskomnadzor (Federal Service for Supervision of Communications, Information Technology and Mass Media - the Russians are known for their snappy organisational titles! Also has a very snazzy HQ) is throttling Telegram. The move is designed to push users onto the government's own 'Max' messenger, styled on the Chinese domestic-market version of WeChat, Weixin. Max is likewise being positioned as a 'superapp', containing mini-apps for functions like transferring money and interacting with government agencies.
Russian users began reporting widespread Telegram disruptions earlier this week, according to data from internet monitoring service Downdetector. Nearly 15 Russian regions have experienced significant slowdowns over the past two days, local internet analysts said.
...
More recently, in August, Roskomnadzor announced restrictions on calls via Telegram and WhatsApp, saying the services were frequently used by fraudsters to recruit Russian citizens into “sabotage and terrorist activities.”
To replace these apps, Russian officials are promoting a national messaging platform called Max, a government-backed service modeled on China’s WeChat and developed by the creator of the social network VKontakte.
Getting Techy
- Flare have found a very retro worm: brute-force SSH for initial access, IRC for command and control, cron jobs for persistence, and 16-year-old CVEs for privilege escalation.
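The initial-access stage of a worm like this is the easiest one to see in host logs. Below is an added example (not Flare's code) of the detection logic: it parses syslog-format sshd lines, counts password failures per source address inside a sliding window, and notes whether a successful password login from the same source followed the burst, which is the signal that turns "being scanned" into "probably compromised". The log lines and addresses are constructed; the threshold and window are assumptions to tune per environment.

```python
"""Flag SSH password-guessing sources in sshd auth logs and whether a guess
eventually succeeded. Added example; the log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in classic syslog format (no year, as in /var/log/auth.log).
SAMPLE_LOG = """\
Feb 12 03:14:01 host1 sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 41022 ssh2
Feb 12 03:14:02 host1 sshd[2103]: Failed password for root from 198.51.100.23 port 41030 ssh2
Feb 12 03:14:03 host1 sshd[2105]: Failed password for invalid user oracle from 198.51.100.23 port 41041 ssh2
Feb 12 03:14:04 host1 sshd[2107]: Failed password for invalid user test from 198.51.100.23 port 41052 ssh2
Feb 12 03:14:05 host1 sshd[2109]: Failed password for root from 198.51.100.23 port 41060 ssh2
Feb 12 03:14:09 host1 sshd[2111]: Accepted password for root from 198.51.100.23 port 41077 ssh2
Feb 12 03:20:15 host1 sshd[2200]: Failed password for alice from 203.0.113.8 port 50211 ssh2
Feb 12 03:20:40 host1 sshd[2202]: Accepted publickey for alice from 203.0.113.8 port 50212 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(line, year=2026):
    """Parse one sshd line into a dict, or None if it is not a login result.
    Syslog omits the year, so the caller supplies it (assumed 2026 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: finding} for every source with >= threshold password
    failures inside one window. The finding records the guessed usernames and
    whether an 'Accepted password' from that source followed the burst."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        fails = sorted(e["ts"] for e in evs if e["result"] == "Failed")
        burst_start = None
        # Sliding window: for each failure, count failures within `window` after it.
        for i, start in enumerate(fails):
            j = i
            while j < len(fails) and fails[j] - start <= window:
                j += 1
            if j - i >= threshold:
                burst_start = start
                break
        if burst_start is None:
            continue
        success_after = any(
            e["result"] == "Accepted" and e["method"] == "password" and e["ts"] >= burst_start
            for e in evs
        )
        findings[ip] = {
            "failures": len(fails),
            "first_seen": burst_start,
            "users": sorted({e["user"] for e in evs if e["result"] == "Failed"}),
            "success_after": success_after,
        }
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(SAMPLE_LOG).items():
        verdict = "COMPROMISED (password accepted)" if f["success_after"] else "scanning"
        print(f"{ip}: {f['failures']} failures, users {f['users']} -> {verdict}")
```

The single failed login from 203.0.113.8 followed by a public-key success is normal user behaviour and stays below the threshold; the burst from 198.51.100.23 against `root` and the usual dictionary usernames, followed by an accepted password, is the case to page on. Where key-only authentication is enforced the "Accepted password" branch should never fire at all, which makes it a cheap policy-violation alert in its own right.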
- Huntress have attributed some attacks to the Crazy ransomware gang, installing legitimate support (SimpleHelp) and employee monitoring (Network Monitor for Employees) tools for system access. It also looks as though they're exploring other options for monetisation - searching machines for use of crypto-currency wallets.
Geo-Politics
- [US] In an unintentionally ironic move the acting head of the Cybersecurity and Infrastructure Security Agency (CISA) has warned of the impacts of a partial government shutdown, as Department of Homeland Security (DHS) funding is set to expire on Friday. CISA has already lost roughly a third of its staff, some through forced transfers to other agencies - not necessarily even in the same state.
A shutdown would “degrade our capacity to provide timely and actionable guidance to help partners defend their networks,” acting CISA Director Madhu Gottumukkala told the House Appropriations Homeland Security subcommittee.
...
“I want to be clear: when the government shuts down, cyber threats do not,” Gottumukkala, who testified alongside the heads of four other DHS elements, told the panel.
...
Gottumukkala said CISA has transferred about 70 employees to other DHS components using reassignment authorities and has taken in more than 30 employees from other components. He noted a “handful” of personnel have been moved to ICE. CISA has lost about one-third of its staff since the start of the second Trump administration.
...
Rep. Rosa DeLauro (CT), the top Democrat on the full Appropriations Committee, on Wednesday introduced legislation that would fund all DHS components except for ICE and CBP.
Privacy
- [AU] Another Digital ID project - this time it's Service NSW.
The new system will give NSW residents who decide to participate in the program the ability to use their smartphone camera to verify their biometric facial features against a mix of conventional identity documents such as drivers’ licences, passports and birth certificates to create the new digital ID.
...
The new NSW Digital ID will sit within residents’ existing MyServiceNSW Account.
AI
- Z.ai have released the latest version of their MIT-licensed GLM model, up from 368b (32b active) parameters in 4.5/4.5, to a massive 754b (40b active) parameters in the new version 5. "targeting complex systems engineering and long-horizon agentic tasks". Benchmark results are compared to older Claude 4.5 (not current 4.6) and GPT-5.2 (not Codex variant). For an open-weight model, it's pretty impressive - just unclear who has sufficient hardware to run it!