Chinese APT exploited a Dell zero-day for 18+ months undetected. Check Point demonstrates Microsoft Copilot and Grok as malware C2 proxies. Keenadu firmware backdoor discovered in Android tablets. Password managers have 25 attack variants undermining zero-knowledge promises.
Chinese state-backed hackers have been exploiting a critical Dell vulnerability since mid-2024 — over 18 months before detection. Zero-day attacks started before any patch was available.
This prolonged dwell time highlights the sophistication of nation-state actors and the need for robust detection beyond just patching.
Check Point researchers have demonstrated that AI assistants can serve as command-and-control proxies for malware operations.
| AI Platform | Abuse Vector |
|---|---|
| Microsoft Copilot | Web browsing + URL fetching enables reconnaissance |
| xAI Grok | Same capabilities exploited for dynamic attack decisions |
The technique enables:
Organizations using enterprise AI tools should monitor for anomalous request patterns.
Kaspersky discovered sophisticated Android malware embedded in device firmware — compromised during the build phase, not after.
Key findings:
This represents a supply chain compromise at the hardware level — extremely difficult to detect or remediate.
Researchers identified 25 attack variants against cloud password managers including Bitwarden, LastPass, and Dashlane.
Attack severity ranges from integrity violations to complete vault compromise. The research assumes a malicious server scenario, questioning whether "zero-knowledge encryption" truly protects users if the server is compromised.
Yesterday's 6 zero-days remain critical. If you haven't patched yet:
| CVE | Impact |
|---|---|
| CVE-2026-21510 | Windows Shell bypass — single click executes attacker code |
| CVE-2026-21513 | MSHTML browser bypass |
| CVE-2026-21514 | Microsoft Word security bypass |
| CVE-2026-21533 | RDP privilege escalation to SYSTEM |
| CVE-2026-21519 | Desktop Window Manager escalation |
| CVE-2026-21525 | VPN disruption via RASMAN DoS |
Critical-to-high severity flaws discovered in popular VSCode extensions with 128 million+ total downloads:
ClickFix attacks now use DNS queries (nslookup) to retrieve PowerShell payloads — first known use of DNS as a payload delivery channel. Delivers "ModeloRAT" malware.
| Target | Impact | Actor |
|---|---|---|
| Eurail B.V. | Traveler data on dark web | Unknown |
| Canada Goose | 600K customer records | ShinyHunters |
| LVMH brands | $25M fine (South Korea) | Scattered LAPSUS$ |
| Washington Hotel (Japan) | Business data exposed | Ransomware |
Positive news: A 47-year-old Phobos ransomware suspect was arrested in Poland with devices containing stolen credentials and credit card data.
The DHS shutdown continues — CISA operating with 888 of 2,341 staff. Federal cybersecurity response capability remains degraded. Organizations should increase internal monitoring.
| Metric | Value |
|---|---|
| Dell zero-day dwell time | 18+ months |
| Password manager attack variants | 25 |
| VSCode extension downloads affected | 128M+ |
| Malicious Google Groups | 4,000+ |
| Active Microsoft zero-days | 6 |
| CISA capacity | 38% |
AI-powered vulnerability management with 333,000+ CVEs indexed.
Start Free ScanStay secure. Stay vigilant.
🗡️ KENSAI Security Team