Dagelijkse cyberbeveiligingsbriefing: OpenAI Codex Security scant 1,2M commits en vindt 10.561 kwetsbaarheden, Irans MuddyWater richt zich op VS met Dindoor-backdoor, Termite-ransomware zet CastleRAT in via ClickFix, Microsoft waarschuwt voor AI-aanvallen in elke fase, en meer.
OpenAI has launched Codex Security, an AI-powered security agent that autonomously reviews code commits for vulnerabilities. In its first week of general availability, it scanned 1.2 million commits and identified 10,561 high-severity vulnerabilities — including SQL injection, authenticatie-omzeilinges, and hardcoded secrets.
| Milestone | Date | Details |
|---|---|---|
| Aardvark private beta | October 2025 | Internal testing with select enterprise partners |
| Codex Security launch | March 2026 | General availability for ChatGPT Pro/Enterprise/Business users |
| First week results | 8 maart 2026 | 1.2M commits scanned, 10,561 high-severity findings |
Codex Security represents a significant shift in application security — moving from periodic scanning to continuous AI-powered code review. The 10,561 high-severity findings in just one week suggest many vulnerabilities slip through traditional SAST/DAST tooling. Available to ChatGPT Pro, Enterprise, and Business subscribers at no additional cost.
The Velvet Tempest threat actor group is deploying Termite ransomware using a ClickFix social engineering technique combined with legitimate Windows utilities to deliver DonutLoader malware and the CastleRAT backdoor.
Block ClickFix-style attacks by training users to never execute commands from pop-up error messages. Implement application whitelisting to prevent unauthorized use of mshta.exe and certutil. Monitor for DonutLoader indicators and unusual PowerShell execution patterns.
Microsoft's latest threat intelligence report confirms that dreigingsactoren are increasingly using AI across all stages of de aanval lifecycle — from reconnaissance and social engineering to malware development and evasion.
| Attack Stage | AI Application | Impact |
|---|---|---|
| Reconnaissance | AI-powered OSINT gathering, target profiling | Faster, more thorough target analysis |
| Social Engineering | Deepfake voice/video, AI-written phishing | Higher success rates, multilingual campaigns |
| Malware Development | AI-generated code, polymorphic malware | Faster development cycles, evasion of signatures |
| Credential Attacks | AI-optimized password spraying, CAPTCHA solving | Higher throughput, bypass of protections |
| Evasion | AI-modified payloads to bypass EDR/AV | Lower detection rates |
Microsoft emphasizes that AI is lowering the barrier to entry for cybercrime — less skilled actors can now execute sophisticated attacks. Organizations must adopt AI-powered defenses to keep pace with AI-powered offense. Traditional signature-based detection is increasingly inadequate.
MuddyWater (also tracked as Seedworm), affiliated with Iran's Ministry of Intelligence and Security (MOIS), is actively embedding in US company networks including banks, airports, and nonprofits using a new backdoor called Dindoor.
| Date | Event |
|---|---|
| February 2026 | Initial campaign activity detected targeting US organizations |
| Late February 2026 | Campaign intensifies following US/Israeli strikes on Iranian nuclear facilities |
| March 2026 | Dindoor backdoor identified in multiple US financial and transportation networks |
The intensification of this campaign directly correlates with escalating US-Iran tensions following military strikes. MuddyWater's targeting of banks and airports suggests both intelligence collection and potential pre-positioning for disruptive attacks. US CISA has issued an advisory urging kritieke infrastructuur operators to hunt for Dindoor indicators.
CISA has ordered all federal agencies to patch three Apple iOS security flaws actief misbruikt by the Coruna exploit kit in cyberespionage and cryptocurrency theft campaigns.
The Coruna exploit kit chains these three vulnerabilities together for a zero-click exploit capable of fully compromising iOS devices. It has been observed in two distinct campaigns:
Update all iOS devices to the latest version immediately. Federal agencies have a mandatory deadline to comply. Organizations should verify all corporate-managed iOS devices are patched and monitor for indicators of compromise associated with the Coruna exploit kit.
The FBI heeft bevestigd it is investigating a breach of systems used for surveillance and wiretap warrant management — potentially exposing details of ongoing investigations and surveillance targets.
While details remain limited due to the sensitivity of the investigation, key concerns include:
This breach follows a pattern of attacks targeting law enforcement and intelligence community systems. The compromise of wiretap management systems is particularly sensitive — it could undermine active criminal and national security investigations and erode public trust in the government's ability to secure its most sensitive operations.
A new ClickFix variant called InstallFix is targeting developers by creating fake installation guides for popular CLI tools — including Claude Code by Anthropic — that trick users into running malicious commands.
curl | bash one-liner that fetches malwareAlways install developer tools only from official sources. For Claude Code, use Anthropic's official documentation at docs.anthropic.com. Never run curl | bash commands from unofficial websites. Verify package checksums and use package managers (npm, pip) rather than raw shell scripts.
Transparent Tribe (APT36), a Pakistan-aligned APT group, is using AI coding tools to mass-produce malware in uncommon languages like Nim, Zig, and Crystal — creating what researchers are calling "Vibeware": vibe-coded malware produced at industrial scale.
| Aspect | Traditional Malware | Vibeware |
|---|---|---|
| Development time | Weeks to months | Hours to days |
| Languages | C/C++, Python, C# | Nim, Zig, Crystal, V, Odin |
| Signature evasion | Manual obfuscation | Inherent — uncommon language binaries evade most AV |
| Scale | Dozens of variants | Hundreds of unique binaries per day |
| Disposability | Reused across campaigns | Single-use, discarded after detection |
Vibeware represents a fundamental shift in the malware economy. Transparent Tribe's use of AI to industrialize malware production means defenders must move beyond signature-based detection toward behavioral analysis, memory forensics, and AI-powered threat detection. The concept of "known malware" becomes less relevant when attackers can generate unique variants on demand.
| Threat | Actor | Severity | Action Required |
|---|---|---|---|
| OpenAI Codex Security launch | N/A (Defensive) | 🟢 Info | Evaluate for CI/CD integration |
| Termite ransomware + CastleRAT | Velvet Tempest | 🔴 Critical | Block ClickFix, monitor DonutLoader IOCs |
| AI abuse across attack stages | Multiple | 🔴 Critical | Deploy AI-powered defenses, update threat models |
| MuddyWater Dindoor backdoor | Iran (MOIS) | 🔴 Critical | Hunt for DoH anomalies, audit kritieke infrastructuur |
| Coruna iOS exploit kit | Unknown (espionage) | 🔴 Critical | Patch all iOS devices immediately |
| FBI wiretap system breach | Unknown | 🔴 Critical | Audit law enforcement system access controls |
| InstallFix fake install guides | Cybercriminals | 🟠 High | Verify all tool installations from official sources |
| Transparent Tribe Vibeware | Pakistan-aligned APT | 🟠 High | Deploy behavioral detection, move beyond signatures |
KENSAI's automated security scanning detects vulnerabilities, misconfigurations, and indicators of compromise across your entire aanvalsoppervlak — before attackers exploit them.
Start Free Security ScanStay vigilant. Stay protected.
🗡️ KENSAI Dreigingsinformatie Team