InfoSec Briefing - February 23, 2026

🎧 Audio Briefing

Playback Speed:

Good morning. This is your security briefing for Sunday, February 22, 2026, covering 12 articles analyzed overnight. All attribution is by the article authors. All article analysis is automated.

AdGuard VPN has released TrustTunnel, an open-source VPN protocol designed to obfuscate traffic as regular HTTPS to bypass deep-packet inspection and throttling. The protocol includes server endpoint software, CLI and library clients, and GUI applications available across Linux, macOS, Windows, Android, and iOS platforms.

fksvs has released Siper, an open-source XDP-based firewall that drops malicious traffic at the network driver level using eBPF programs. The tool is designed to mitigate DDoS attacks by blocking traffic before it reaches the Linux networking stack, reducing CPU overhead compared to traditional firewalls.

Ajay Kumar Dhyani at Kubefront published a technical comparison of eBPF Ring Buffer and Perf Buffer mechanisms for transferring data from Linux kernel to user space. The article recommends Ring Buffer for new eBPF development due to its efficiency and modern design.

ODCrawler is a search engine that indexes and makes searchable publicly available files hosted in open directories across the internet. The platform may surface improperly secured data including sensitive information that organizations have inadvertently left accessible.

The United States Department of Justice reports that Romanian national Catalin Dragomir pleaded guilty to gaining unauthorized access to an Oregon state government office network in June 2021 and selling that access to buyers, along with stolen PII samples. He also sold access to numerous other U.S. victim networks, causing losses exceeding $250,000.

La Repubblica reports that Chinese state-sponsored hackers conducted a sophisticated cyberattack against Italy's Ministry of Interior, stealing identities of approximately 5,000 Digos agents. The primary objective was intelligence gathering to map dissidents within Italy, indicating targeted espionage operations against individuals of interest to the Chinese government.

Cyber&Ramen reports on a sophisticated intrusion campaign active since December 2025 that leveraged Large Language Models to automate attacks against FortiGate devices across 106 countries. The operation used a custom Model Context Protocol server called ARXON and orchestrator called CHECKER2 to enable LLMs like DeepSeek and Claude to generate attack plans, analyze reconnaissance data, and automate backdoor creation, representing a significant shift toward AI-augmented cyberattacks.

dazzyddos has released LSA Whisperer BOF, a Cobalt Strike Beacon Object File tool that enables attackers to extract Windows authentication material including DPAPI credential keys, cloud SSO tokens, and Kerberos tickets. The technique bypasses traditional LSASS memory protection mechanisms like Protected Process Light and Credential Guard by communicating directly with LSA authentication packages instead of accessing LSASS process memory.

The Cofense Phishing Defense Center reports that threat actors are conducting phishing campaigns using fake Microsoft and Google Calendar invitations to steal employee credentials. The attacks employ email spoofing techniques with altered sender addresses and urgent-themed calendar invites that redirect victims to fake login pages designed to harvest credentials.

Security researcher Thomas Roccia critiques the current approach to building AI-powered Cyber Threat Intelligence agents, arguing the industry over-emphasizes AI capabilities while neglecting user interface design and threat visualization. Roccia advocates for better visual representations to help threat analysts understand complex security landscapes and make AI CTI tools more effective.

The U.S. Department of the Treasury concluded a public-private initiative to enhance cybersecurity and risk management for AI in financial services. The initiative developed practical resources covering AI governance, data management, transparency, fraud prevention, and digital identity, with six resources to be released throughout February to help financial institutions manage AI-specific cybersecurity risks.

The Sequence reports on a macOS malware campaign distributing information stealers, Odyssey and MacSyncStealer, through cracked music plugin DMG files. The attack employs a multistage loader-as-a-service model with ClickFix social engineering tactics, targeting Intel-based Macs through unsigned DMG files containing bash scripts and Mach-O binaries that communicate with command and control domains.

That concludes today's briefing.

📰 Articles Covered

TrustTunnel: Modern, fast and obfuscated VPN protocol - TrustTunnel

TrustTunnel is an open-source VPN protocol developed by AdGuard VPN, designed to provide fast, secure, and reliable connections that are indistinguishable from regular HTTPS traffic. This allows it to bypass throttling and deep-packet inspection while maintaining privacy. The project includes a VPN endpoint (server), a library and CLI client, and a GUI application.

### What Happened

The provided article describes the TrustTunnel VPN protocol and its implementation. It details how to set up both the server (endpoint) and the client, covering installation, configuration, and operation.

### Who is Affected

* **Users seeking privacy and security:** Individuals who want to protect their online activity from surveillance, censorship, or throttling.
* **System administrators:** Those responsible for setting up and managing VPN infrastructure for their organizations or personal use.
* **Developers:** Individuals interested in contributing to or building upon the TrustTunnel protocol.

The TrustTunnel client is available for **Linux, macOS, Windows, Android, and iOS**. The server is compatible with **Linux and macOS**.

### Security Implications

* **Traffic Obfuscation:** TrustTunnel traffic is designed to mimic regular HTTPS traffic, making it difficult to detect and block by network providers or firewalls.
* **Privacy Protection:** The protocol aims to provide strong privacy protections by masking user activity.
* **Open-Source Nature:** Being open-source allows for community auditing, which can help identify and fix vulnerabilities.
* **Certificate Management:** The use of Let's Encrypt certificates for the Flutter client is recommended for secure connections, as self-signed certificates are not yet supported by that client.

### Technical Details

* **Protocol:** Compatible with HTTP/1.1, HTTP/2, and QUIC.
* **Traffic Tunneling:** Supports TCP, UDP, and ICMP traffic.
* **Client Features:**
* System-wide tunnel or SOCKS5 proxy.
* Split tunneling (excluding or including specific domains/hosts).
* Custom DNS upstream support.
* **Endpoint Setup:**
* Installation script available for Linux.
* Configuration wizard (`setup_wizard`) for generating necessary files.
* Supports Let's Encrypt certificates, self-signed certificates, or existing certificates.
* Can be run as a systemd service.
* **Client Setup:**
* CLI client and Flutter-based GUI client available.
* Installation scripts for Linux/macOS, and release archives for Windows.
* Client configuration wizard for importing endpoint configurations.
* Supports TUN device or SOCKS5 proxy listener types.
* **Client Configuration Export:** The endpoint can export client configurations in a deep-link format (`tt://`) or TOML format.

### What Defenders Should Know

* **Endpoint Security:** Securely manage the endpoint's TLS certificates. If using Let's Encrypt, ensure automatic renewal is configured and tested.
* **Firewall Rules:** If the endpoint is exposed to the internet, ensure appropriate firewall rules are in place to restrict access to necessary ports (e.g., 443 for HTTPS).
* **User Credentials:** Securely manage user credentials used for authorization with the endpoint.
* **Client Configuration:** When distributing client configurations, ensure they are protected, especially if they contain sensitive information or are intended for specific users.
* **Vulnerability Monitoring:** As an open-source project, defenders should stay informed about any security advisories or updates released for TrustTunnel.
* **Flutter Client Limitations:** Be aware that the TrustTunnel Flutter Client currently does not support self-signed certificates, requiring a valid, publicly trusted certificate for connections.
siper: XDP Based Lightweight and Fast Firewall - fksvs

Siper is a high-performance, XDP-based IP blacklist firewall designed to **drop malicious traffic at the network driver level** 【1】. This approach significantly reduces CPU overhead compared to traditional firewalls like iptables or nftables 【1】.

**What Happened:**
Siper acts as a firewall that intercepts incoming network packets. It checks these packets against a blacklist of IP addresses or ranges. If a packet's source IP matches an entry in the blacklist, Siper drops the packet before it can be processed by the main Linux networking stack 【1】.

**Who is Affected:**
The primary beneficiaries of Siper are **system administrators and network defenders** looking to protect their servers from malicious traffic, particularly during Distributed Denial of Service (DDoS) attacks 【1】. The tool is designed for Linux systems with specific kernel and software prerequisites 【1】.

**Security Implications:**
The main security implication is the **enhanced ability to mitigate and block malicious traffic at the earliest possible stage** 【1】. By dropping traffic at the network driver level using XDP_DROP, Siper can handle high volumes of traffic, making it effective against DDoS attacks and other IP-based threats 【1】. This prevents the malicious traffic from consuming valuable system resources.

**Technical Details:**
- **XDP (Express Data Path):** Siper leverages XDP to process packets directly in the network driver, bypassing much of the kernel's networking stack 【1】.
- **eBPF (extended Berkeley Packet Filter):** The firewall logic is implemented using eBPF programs, allowing for safe and efficient execution within the kernel 【1】.
- **Longest Prefix Match (LPM):** Siper uses LPM with specialized BPF LPM Trie maps to efficiently look up IP ranges specified in CIDR notation (e.g., 192.168.1.0/24) 【1】.
- **Packet Flow:** When a packet arrives, the XDP program checks if its source IP is in the `block_list` map. If a match is found, the packet is dropped (XDP_DROP); otherwise, it's passed to the kernel (XDP_PASS) 【1】.
- **Prerequisites:** Requires Linux Kernel 5.4+, Go 1.21+, Clang/LLVM, and root or specific capabilities (CAP_NET_ADMIN/CAP_BPF) 【1】.

**What Defenders Should Know:**
- **Management:** Defenders can manage the blacklist by adding or removing IP ranges (CIDRs) using simple CLI commands. These rules are stored in a local JSON configuration file 【1】.
- **Deployment:** The firewall can be attached to a specific network interface (e.g., `eth0`) using the `run` command and detached using the `stop` command 【1】.
- **Monitoring:** Siper provides tools to monitor its activity, including viewing active keys in the BPF map and tracking drop/pass statistics 【1】.
- **Licensing:** The project is licensed under the GPLv3 license 【1】.
eBPF Ring Buffer vs Perf Buffer - The content posted at `https://kubefront.net/system/ebpf/ring-buffer-vs-perf-buffer/` is controlled by **Ajay Kumar Dhyani** . He is a Senior Software Engineer with expertise in cloud-native environments and works at SingleStore .

The article discusses the differences between **eBPF Ring Buffer** and **Perf Buffer**, two mechanisms used for sending data from the Linux kernel (where eBPF programs run) to user space applications. The primary recommendation is to **use Ring Buffer for new development** due to its efficiency and modern design.

### What Happened

The article explains the technical underpinnings of both Perf Buffer and Ring Buffer. It details how each mechanism works, including the specific eBPF helper functions and map types involved. The core difference highlighted is that Perf Buffer is an older system built on the Linux perf events subsystem, operating at a per-CPU level and involving more complex data copying. In contrast, Ring Buffer is a newer system (introduced in Linux 5.8) specifically designed for eBPF, utilizing a single, shared circular buffer across all CPUs for more efficient data streaming.

### Who is Affected

* **eBPF Developers:** Those writing eBPF programs in C and user-space applications (e.g., in Go) that consume data from these eBPF programs. The article provides code examples for both kernel-side eBPF and user-space consumers.
* **System Administrators and Security Professionals:** Anyone managing or monitoring Linux systems where eBPF is used for tracing, security, or networking. Understanding these mechanisms can help in optimizing performance and troubleshooting.

### Security Implications

While the article focuses on the technical and performance aspects, the choice between these buffers has indirect security implications:

* **Performance Overhead:** Inefficient data transfer mechanisms can lead to higher system overhead, potentially impacting the performance of security monitoring tools. A less performant system might miss critical events or introduce latency, which could be exploited.
* **Data Integrity and Timeliness:** The efficiency of data transfer is crucial for real-time security analysis. Ring Buffers, being more modern and efficient, are likely to provide more timely and potentially more reliable data streams for security event monitoring compared to the older Perf Buffer.
* **Resource Consumption:** Older or less efficient mechanisms like Perf Buffer might consume more CPU and memory resources, which could be a factor in resource-constrained environments or during high-load scenarios.

### Technical Details

* **Perf Buffer:**
* Built on the **Linux perf events subsystem**.
* Operates at a **per-CPU level**.
* Uses `bpf_perf_event_output()` to send data.
* Data is written into a per-CPU buffer.
* User-space consumers read using `perf_event_open`.
* Involves metadata-heavy mmaped pages.
* Can have higher latency due to data copying between BPF, the perf subsystem, and user space.
* Complex setup and cross-CPU event ordering can increase overhead.
* Example C code uses `BPF_MAP_TYPE_PERF_EVENT_ARRAY` and `bpf_perf_event_output`.

* **Ring Buffer:**
* Introduced in **Linux 5.8**, specifically for eBPF.
* Uses a **single shared circular buffer** among all CPUs.
* Uses `bpf_ringbuf_submit()` to send data.
* User-space consumers read using `ring_buffer_new()`.
* Designed for **general high-throughput structured event streaming** and building tracing tools.
* More efficient data transfer with lower latency.
* Example C code uses `BPF_MAP_TYPE_RINGBUF` and `bpf_ringbuf_reserve`/`bpf_ringbuf_submit`.
* User-space consumers (e.g., in Go using `cilium/ebpf`) read from the `ringbuf.Reader`.

### What Defenders Should Know

* **Prioritize Ring Buffer:** For new eBPF deployments, especially for tracing and event streaming, **Ring Buffer is the recommended mechanism** due to its superior performance and efficiency over Perf Buffer 【1】.
* **Understand Performance Trade-offs:** Be aware that older systems like Perf Buffer can introduce higher latency and overhead. If performance is critical for security monitoring, ensure your eBPF tools are using Ring Buffers.
* **Resource Monitoring:** Monitor the resource consumption (CPU, memory) of eBPF applications, as inefficient data transfer mechanisms can impact overall system stability and performance.
* **Data Consistency:** While both mechanisms aim to transfer data, the shared nature of the Ring Buffer might simplify certain aspects of data consumption and ordering compared to the per-CPU nature of Perf Buffers.
ODCrawler - A search engine for open directories. - ODCrawler

The provided article describes **ODCrawler**, a search engine designed to find publicly available files hosted on open directories across the internet 【1】.

**What happened:** ODCrawler was launched as a tool to aggregate links to files from various online sources, making them searchable through its platform 【1】.

**Who is affected:** The article does not specify any particular group of people or organizations affected by ODCrawler. It is a tool for users to find publicly available files 【1】.

**Security implications:** The article mentions that "Illegal Content might be linked, but is in no way promoted or endorsed" 【1】. This suggests a potential security implication where users might inadvertently access or download illegal or malicious content through the search engine. ODCrawler's disclaimer directs users to contact the hosting website owner if they have issues with a link 【1】.

**Technical details:** The article provides minimal technical details. It states that links are "automatically aggregated from all over the Internet" 【1】. It also mentions a search functionality with an "Advanced Search" option 【1】.

**What defenders should know:** Defenders should be aware that tools like ODCrawler exist, which can index and make publicly accessible files easily discoverable. This could include sensitive information that has been inadvertently exposed or intentionally placed in open directories. Organizations should ensure their data is not accessible through such open directories and implement robust security measures to prevent unauthorized access to their files. Monitoring for exposed data and understanding how search engines like ODCrawler operate can help in mitigating potential risks.
Romanian National Pleads Guilty to Selling Access to Networks of Oregon State Government Office and Other U.S. Victims - United States Department of Justice

A Romanian national, **Catalin Dragomir**, has pleaded guilty to charges related to selling access to compromised computer networks, including those of an **Oregon state government office** and other U.S. victims 【1】.

**What Happened:**
In June 2021, Dragomir gained unauthorized access to an Oregon state government office's network. He subsequently sold access to a computer on this network to a buyer, providing samples of personal identifying information (PII) obtained from the compromised system. He also sold access to the networks of numerous other U.S. victims, resulting in losses exceeding $250,000 【1】.

**Who is Affected:**
The primary victims include an **Oregon state government office** and **numerous other U.S. entities** whose networks were compromised and accessed 【1】. The broader impact extends to individuals whose PII may have been exposed.

**Security Implications:**
This case highlights the severe implications of **unauthorized network access and the subsequent sale of that access**. It demonstrates how attackers can monetize their intrusions by providing a marketplace for stolen network credentials and data. The compromise of government networks raises concerns about the security of sensitive public data and critical infrastructure. The theft and potential misuse of PII also pose significant risks to individuals 【1】.

**Technical Details:**
Dragomir pleaded guilty to **obtaining information from a protected computer** and **aggravated identity theft** 【1】. The technical details involve gaining unauthorized access to computer networks, likely through methods such as exploiting vulnerabilities or using stolen credentials, and then facilitating further access for malicious actors. The provision of PII samples indicates a data exfiltration component to the intrusion 【1】.

**What Defenders Should Know:**
Defenders should be aware that **network access is a commodity** that cybercriminals actively trade. This underscores the importance of robust network segmentation, access controls, and continuous monitoring to detect and prevent unauthorized access. The case also emphasizes the need for **vigilant protection of personal identifying information** and the critical role of **international cooperation** in investigating and prosecuting cybercrimes that cross borders. Agencies like the FBI, in coordination with international law enforcement and specialized units like the Criminal Division's Computer Crime and Intellectual Property Section (CCIPS), are actively pursuing these threats 【1】.
Chinese hackers steal the identities of five thousand Digos agents. - The Ministry of the Interior's computer network has been hacked: it's in the crosshairs the police who also investigate dissidents - **La Repubblica** is controlled by **GEDI Gruppo Editoriale**. The Agnelli family previously owned La Repubblica, having bought it in 2019 from Carlo De Benedetti. In December 2025, GEDI Gruppo Editoriale, which owns La Repubblica, was reportedly set to be sold to a Greek buyer.

The provided article from Repubblica.it discusses a cybersecurity incident where Chinese hackers allegedly stole the identities of approximately 5,000 agents from Italy's Digos (General Directorate for the Prevention of Terrorism) 【1】.

**What Happened:**
The incident involved a sophisticated cyberattack attributed to Chinese hackers. The primary goal of the attackers was to **map dissidents within Italy** 【1】. This suggests a motive related to intelligence gathering and surveillance of individuals deemed undesirable by the Chinese government.

**Who is Affected:**
The direct victims of this data breach are **approximately 5,000 agents of the Digos**, an Italian intelligence agency focused on counter-terrorism 【1】. The broader implication is that individuals who have had contact with these agents, or who are subjects of Digos investigations, could also be indirectly affected if their information was compromised through the agents' data.

**Security Implications:**
The security implications are significant. The theft of Digos agents' identities could compromise ongoing investigations, endanger agents and their sources, and undermine Italy's national security efforts. The ability of hackers to infiltrate such a sensitive agency highlights vulnerabilities in the protection of critical government data. Furthermore, the use of stolen identities could facilitate further espionage or disinformation campaigns.

**Technical Details:**
The article does not provide extensive technical details about the attack. However, it implies a **sophisticated operation** by attributing it to Chinese hackers, suggesting advanced capabilities. The objective of mapping dissidents indicates a focus on **data exfiltration and analysis** to build profiles of individuals.

**What Defenders Should Know:**
Defenders should be aware of the **advanced capabilities of state-sponsored hacking groups**, particularly those originating from China, which are known for their intelligence-gathering operations. The incident underscores the critical need for robust cybersecurity measures within intelligence agencies, including:
- **Enhanced data protection protocols** for sensitive personal information.
- **Advanced threat detection and response systems** capable of identifying sophisticated intrusion attempts.
- **Regular security audits and penetration testing** to identify and remediate vulnerabilities.
- **Strong access controls and multi-factor authentication** to prevent unauthorized access.
- **Awareness training for personnel** on phishing and social engineering tactics that could be used to gain initial access.
- **Proactive threat intelligence gathering** to stay ahead of evolving attack vectors and actor tactics, techniques, and procedures (TTPs) 【1】.
LLMs in the Kill Chain: Inside a Custom MCP Targeting FortiGate Devices Across Continents - Cyber&Ramen

In early February 2026, a misconfigured server exposed a sophisticated intrusion campaign that leveraged **Large Language Models (LLMs)** to automate and accelerate attacks against **FortiGate devices** across multiple continents 【1】. The operation, active since at least December 2025, demonstrated a significant advancement in cyber warfare by integrating LLMs into various stages of the cyber kill chain 【1】.

**What Happened:**
The core of the incident involved a custom software pipeline that used LLMs for tasks such as triaging compromised targets and generating attack plans 【1】. A misconfigured server revealed stolen firewall configurations, network maps, credentials, and detailed attack strategies 【1】. The attackers automated the creation of backdoors on compromised Fortinet appliances, mapped internal networks, and fed this reconnaissance data to LLMs for analysis and further exploitation 【1】. A custom **Model Context Protocol (MCP)** server, named ARXON, acted as a bridge to the LLMs, maintaining a growing knowledge base of targets 【1】. Another custom tool, CHECKER2, served as a Docker-based orchestrator for parallel VPN scanning and target processing 【1】.

**Who is Affected:**
Confirmed victims include an **industrial gas company in the Asia-Pacific region**, a **telecom provider in Turkey**, and a **media company in Asia** 【1】. Additional reconnaissance targeted entities in **South Korea, Egypt, Vietnam, and Kenya**, as well as a **medical equipment manufacturer** 【1】. The operation was designed to run in parallel, with scans identifying over 2,500 targets across 106 countries 【1】.

**Security Implications:**
This operation highlights a critical shift towards **AI-augmented cyberattacks**, enabling a single operator to manage multiple simultaneous intrusions 【1】. The LLMs were not used for discovering new vulnerabilities but for efficiently processing information and strategizing attacks, significantly reducing the time and skill required for complex operations 【1】. The use of LLMs like **DeepSeek** for generating attack plans and **Claude's coding agent** for vulnerability assessments and executing offensive tools demonstrates a new frontier in automated cyber threats 【1】. The progression from publicly available tools like HexStrike to custom-built, private tools like ARXON and CHECKER2 signifies an evolving threat landscape where sophisticated automation is becoming more accessible 【1】.

**Technical Details:**
The attack chain often began with the extraction of full FortiGate appliance configurations, even from read-only accounts 【1】. These configurations provided detailed network topology, user accounts, and credentials 【1】. Python scripts, likely exploiting CVE-2019-6693, were used to decrypt encrypted passwords from the backups 【1】.

Once inside the network, LLMs were employed for internal reconnaissance and automated strategy. Reconnaissance data was fed into the ARXON MCP server, which then queried LLMs. For instance, a Claude Task file showed prompts requesting attack vectors, credential locations, methods to identify IT staff, and a prioritized path to Domain Admin 【1】.

Claude Code was also used for active exploitation, generating vulnerability assessment reports and executing offensive tools like Metasploit modules and Impacket scripts (e.g., ntlmrelayx.py) 【1】. The attackers also utilized a dual-model approach, leveraging different LLMs based on their capabilities for specific tasks 【1】.

**What Defenders Should Know:**
Defenders must recognize the growing integration of AI into offensive operations and the potential for a single actor to manage widespread attacks 【1】. Key defensive measures include:
- **Patching edge devices** promptly to mitigate known vulnerabilities 【1】.
- **Auditing VPN accounts** regularly for unauthorized or unexpected activity 【1】.
- Monitoring for **unexpected SSH access** and unapproved policy changes 【1】.
- Understanding that LLMs can significantly lower the barrier to entry for sophisticated attacks, enabling less skilled actors to conduct complex operations 【1】.
- Staying vigilant against the use of LLMs for automated reconnaissance, attack planning, and direct exploitation 【1】.
lsawhisper-bof: A Beacon Object File (BOF) that talks directly to Windows authentication packages through the LSA untrusted/trusted client interface, without touching LSASS process memory. - dazzyddos

The cybersecurity article details **LSA Whisperer BOF**, a tool that brings the functionalities of LSA Whisperer into Cobalt Strike Beacon Object Files (BOFs) 【1】.

**What Happened:**
LSA Whisperer BOF allows attackers to interact with Windows authentication packages via the LSA untrusted/trusted client interface. Crucially, it achieves this **without directly accessing LSASS process memory**, which is a common target for credential theft 【1】. This bypasses security measures like Protected Process Light (PPL) and Credential Guard 【1】.

**Who is Affected:**
The tool primarily affects **Windows systems**, particularly those with enhanced security features like PPL and Credential Guard enabled, as it's designed to circumvent these protections 【1】. While SYSTEM privileges are needed to target arbitrary logon sessions, unprivileged users can still access information related to their own session 【1】.

**Security Implications:**
The primary security implication is the **ability for attackers to exfiltrate sensitive authentication material**, including DPAPI credential keys, cloud Single Sign-On (SSO) tokens (from Entra ID, device, and AD FS), and Kerberos tickets 【1】. This bypasses traditional memory protection mechanisms, posing a significant threat to credential security and system integrity.

**Technical Details:**
LSA Whisperer BOF operates by interacting with the LSA (Local Security Authority) through its client interface, avoiding direct memory reads of the LSASS process 【1】. Key commands and their functions include:
- `lsa-credkey`: Recovers DPAPI credential keys 【1】.
- `lsa-ntlmv1`: Extracts NTLMv1 responses (though this specific command is blocked by Credential Guard) 【1】.
- `lsa-klist` and `lsa-dump`: Interact with Kerberos tickets 【1】.
- `lsa-ssocookie`: Extracts cloud SSO tokens 【1】.
- `lsa-strongcredkey`: Works through Credential Guard 【1】.
Modules for cloud authentication (CloudAP) require an Entra ID/Azure AD joined device with an active cloud logon session 【1】.

**What Defenders Should Know:**
Defenders need to be aware that **this tool can bypass common LSASS memory protection techniques** 【1】. They should understand that sensitive authentication data, including DPAPI keys and cloud SSO tokens, can be compromised even when PPL and Credential Guard are active 【1】. Monitoring for unusual LSA client interface activity and ensuring robust endpoint detection and response (EDR) solutions are in place to detect the execution of such BOFs are crucial defensive measures 【1】.
Invitation to Trouble: The Rise of Calendar Phishing Attacks - Cofense Phishing Defense Center

The article discusses a new phishing tactic that leverages **calendar invitations** to steal user login credentials 【1】.

**What Happened:**
Threat actors are sending fake Microsoft and Google Calendar invitations that mimic legitimate designs. These invitations often use familiar colors and urgent language to trick recipients into clicking malicious links or buttons, ultimately leading them to fake login pages 【1】.

**Who is Affected:**
The primary targets of these attacks are **employees in business environments** who are accustomed to receiving and responding to routine calendar scheduling 【1】.

**Security Implications:**
The security implications are substantial and include:
- **Credential theft**: Attackers aim to steal users' login credentials 【1】.
- **Data breaches**: Compromised accounts can lead to unauthorized access to sensitive information 【1】.
- **Further attacks**: Attackers can use compromised accounts to launch more sophisticated phishing campaigns within an organization 【1】.

**Technical Details:**
These attacks employ several technical methods:
- **Email spoofing**: Senders may use slightly altered addresses (e.g., "Micr0soft") or randomized "from" addresses to deceive recipients 【1】.
- **Fake meeting invites**: The invitations are crafted to appear as urgent and legitimate calendar events 【1】.
- **Redirection to fake login pages**: Clicking on malicious links within the invites redirects users to convincing but fake login pages that impersonate Microsoft or Google 【1】.

**What Defenders Should Know:**
Defenders need to be **vigilant** and take the following precautions:
- **Carefully check sender details**: Scrutinize the sender's email address for any discrepancies 【1】.
- **Verify authenticity**: Confirm the legitimacy of calendar invites before interacting with them 【1】.
- **Avoid suspicious links**: Do not click on links from unknown or untrusted senders 【1】.
- **Implement expert defense services**: Organizations are advised to utilize defense services capable of keeping pace with evolving threats 【1】.
From GenAI to GenUI: Why Your AI CTI Agent Is Sh*T - Thomas Roccia

The article discusses the current trend of building AI-powered Cyber Threat Intelligence (CTI) agents and argues that the industry is making a mistake by focusing too much on the "AI" (Artificial General Intelligence) aspect and not enough on the "UI" (User Interface) and visualization. The author, Thomas Roccia, emphasizes the importance of visual representations in understanding complex threats and incidents, drawing from his own work in creating security infographics and his book, "Visual Threat Intelligence: An Illustrated Guide for Threat Researchers."

**What Happened:**
The cybersecurity industry is experiencing an "explosion of AI agents" for CTI. However, the article suggests that these agents are being developed with a flawed approach, prioritizing AI capabilities over user-friendly interfaces and effective visualization.

**Who is Affected:**
* **Threat Researchers and Analysts:** Those who rely on CTI to understand and combat threats are affected by the current limitations of AI CTI agents.
* **Security Industry:** The broader security industry is making a mistake in its development strategy for AI CTI tools.

**Security Implications:**
The primary implication is that current AI CTI agents may not be as effective as they could be due to a lack of focus on visualization and user interface design. This could lead to:
* **Difficulty in understanding threats:** Complex threat landscapes might remain difficult to grasp, hindering effective response.
* **Inefficient CTI:** The potential benefits of AI in CTI are not being fully realized because the output is not easily digestible or actionable for human analysts.

**Technical Details:**
The article does not delve into specific technical details of AI algorithms or CTI agent architectures. Instead, it focuses on the **conceptual and design aspects**, specifically:
* **GenAI vs. GenUI:** The author contrasts the focus on "Generative AI" with the need for "Generative User Interface" (GenUI) in the context of CTI.
* **Visualization:** The core technical argument revolves around the power of visual representations (infographics, diagrams) in making CTI understandable and actionable.

**What Defenders Should Know:**
Defenders and CTI professionals should be aware that:
* **Visualization is crucial:** The effectiveness of CTI tools, especially those powered by AI, hinges on their ability to present information visually and intuitively.
* **Beware of AI hype:** While AI is powerful, its application in CTI needs to be user-centric. The focus should be on how humans interact with and understand the AI's output, not just the AI's capabilities in isolation.
* **Prioritize user experience:** When evaluating or developing AI CTI tools, consider how well they translate complex data into easily understandable visual formats.
Treasury Announces Public-Private Initiative to Strengthen Cybersecurity and Risk Management for AI - U.S. Department of the Treasury

The U.S. Department of the Treasury has concluded a public-private initiative focused on enhancing **cybersecurity and risk management for artificial intelligence (AI)** within the financial services sector 【1】. This initiative is a component of the President's AI Action Plan and involved the **Artificial Intelligence Executive Oversight Group (AIEOG)**, a collaboration of industry leaders, financial regulators, and other stakeholders 【1】.

**What Happened:**
The initiative culminated in the development of a series of resources designed to facilitate the secure and resilient adoption of AI. These resources are practical in nature, offering guidance on AI governance, data management, transparency, fraud prevention, and digital identity 【1】.

**Who is Affected:**
The primary beneficiaries of this initiative are **financial institutions**, with a particular emphasis on **small and mid-sized organizations** 【1】. The aim is to equip them with the tools to manage AI-specific cybersecurity risks effectively.

**Security Implications:**
The initiative addresses the growing need to strengthen cyber defenses and deploy AI more securely. By promoting best practices, it seeks to increase the overall **resilience of the financial system** against AI-related threats 【1】.

**Technical Details:**
While the article does not delve into highly technical specifics, it highlights that the resources developed focus on practical implementation in areas such as:
- **Governance:** Establishing frameworks for AI oversight.
- **Data Practices:** Ensuring secure and ethical data handling for AI.
- **Transparency:** Methods for understanding and explaining AI decisions.
- **Fraud:** Identifying and mitigating AI-driven fraudulent activities.
- **Digital Identity:** Securing user identification in AI-powered systems 【1】.

**What Defenders Should Know:**
Defenders should be aware that the Treasury is releasing six resources throughout February to aid in the secure adoption of AI. These resources are not prescriptive but offer practical guidance to help financial institutions manage AI-specific cybersecurity risks and improve their defenses. The overarching goal is to promote secure AI deployment and enhance financial system resilience 【1】.
macOS Malware Analysis: Music Plugin DMG Loader - The Sequence

A cybersecurity campaign has been identified where **malware is being distributed through cracked music plugin Disk Image (.DMG) files** targeting macOS users 【1】.

**What Happened:**
Security researchers discovered a widespread distribution of malware disguised as cracked music plugins within DMG files. These files are designed to immediately execute harmful scripts upon opening. The campaign employs a "ClickFix" style attack, using browser pop-ups to trick users into running malicious code 【1】. This operation is believed to be part of the "loader as a service" model within the Pay-Per-Install (PPI) ecosystem 【1】.

**Who is Affected:**
**macOS users** are the primary targets of this campaign, particularly those who download cracked music plugins 【1】.

**Security Implications:**
The malware is designed to deliver multistage payloads, including information stealers like Odyssey and MacSyncStealer 【1】. The use of social engineering tactics, such as "ClickFix" prompts, aims to bypass traditional security measures. The "loader as a service" model indicates a sophisticated and potentially widespread threat that can be easily adapted to deliver various malicious payloads 【1】.

**Technical Details:**
The distribution method involves unsigned DMG files containing a Mach-O binary and a bash script 【1】.
- **Stage 1:** A bash script within the DMG constructs requests to hardcoded command-and-control (C2) domains (e.g., `com.airportsock[.]xyz`) to download and execute further payloads 【1】.
- **Stage 2:** The "Meta Installer" Mach-O binary, specifically targeting Intel-based Macs, retrieves additional payloads. These payloads decode base64-encoded content and execute it, often using domains like `robincompany[.]xyz` or `kuturu[.]com` 【1】.
- **Stage 3:** An information stealer payload, such as Macsync stealer, is downloaded. This payload fetches further malicious content from domains like `kuturu.com` and exfiltrates collected user data 【1】.
- The `Installer.plist` file acts as a hidden configuration script that communicates with remote servers 【1】.

**What Defenders Should Know:**
Defenders need to be aware of the increasing sophistication of macOS threats 【1】. Key points include:
- The **combination of social engineering with deceptive prompts** (like "ClickFix") to trick users into executing malware 【1】.
- The prevalence of the **"loader-as-a-service" model**, which allows for the rapid deployment of various malware types 【1】.
- Endpoint Detection and Response (EDR) solutions can be crucial for **automatically removing threats and monitoring for suspicious behaviors** associated with information stealers 【1】.