Aggregator
Submit #742484: BootDo Web V1.0 CSRF [Accepted]
Minus 60% of tumor mass: how enzyme-driven microrobots destroy bladder cancer
DockerDash Exposes AI Supply Chain Weakness In Docker's Ask Gordon
Russian hackers are exploiting recently patched Microsoft Office vulnerability (CVE-2026-21509)
Russian state-sponsored hackers Fancy Bear (aka APT 28) are exploiting CVE-2026-21509, a Microsoft Office vulnerability for which Microsoft released an emergency fix last week. Exploitation of CVE-2026-21509 allows unauthorized attackers to bypass a security feature (OLE mitigations in Microsoft 365 and Microsoft Office) locally, by creating booby-trapped Office files and tricking targets into opening them. On January 29, 2026 – three days after Microsoft released the aforementioned fix – Zscaler researchers flagged an email phishing campaign …
The post Russian hackers are exploiting recently patched Microsoft Office vulnerability (CVE-2026-21509) appeared first on Help Net Security.
Stronger Incident Prevention Takes Just One CISO Decision
There is a comforting illusion in cybersecurity leadership: when things get noisy, you add more people. More analysts. More shifts. More headcount. It feels decisive. It looks responsible. It even photographs well for internal reports. But SOC inefficiency is rarely a staffing problem. It is a signal problem. When More People Don’t Mean Better Security Across industries, security […]
The post Stronger Incident Prevention Takes Just One CISO Decision appeared first on Cyber Security News.
AI Agent Identity Management: A New Security Control Plane for CISOs
Gremlin launches Disaster Recovery Testing for zone, region, and datacenter failovers
Gremlin, the proactive reliability platform, launched Disaster Recovery Testing: a new product built to safely and efficiently test zone, region, and datacenter evacuations and failovers. These large-scale tests ensure businesses maintain digital resilience and business continuity when faced with cloud migrations, compliance concerns, and catastrophic events. There were multiple high-profile cloud outages in 2025, such as the AWS us-east-1 zone outage in October 2025 impacting 70,000 companies and incurring losses estimated at $581 million, that …
The post Gremlin launches Disaster Recovery Testing for zone, region, and datacenter failovers appeared first on Help Net Security.
UK ICO Launches Investigation into X Over AI Generated Non-Consensual Sexual Imagery
Hello, this is the police. Another world-scale "bank security department" has been shut down in Cambodia
Beware of New Compliance Emails Weaponizing Word/PDF Files to Steal Sensitive Data
A sophisticated phishing campaign targeting macOS users has emerged, using fake compliance emails as a delivery mechanism for advanced malware. Chainbase Lab recently detected this campaign, which impersonates legitimate audit and compliance notifications to deceive users. The attack chain combines social engineering with multi-stage fileless payloads designed to steal credentials and establish persistent remote access […]
The post Beware of New Compliance Emails Weaponizing Word/PDF Files to Steal Sensitive Data appeared first on Cyber Security News.
AI-Powered Ransomware: How Threat Actors Weaponize AI Across the Attack Lifecycle
Kubernetes security advisory (AV26-078)
Ultra-processed foods should be treated as cigarettes, not food
UK privacy watchdog probes Grok over AI-generated sexual images
PDFly Variant Uses Custom PyInstaller Modification, Forcing Analysts to Reverse-Engineer Decryption
A new variant of the PDFly malware has emerged with advanced techniques that challenge traditional analysis methods. The malware uses a modified PyInstaller executable that prevents standard extraction tools from working properly. This makes it difficult for security teams to examine the code and understand how the threat operates. The modified version changes key identifiers […]
The post PDFly Variant Uses Custom PyInstaller Modification, Forcing Analysts to Reverse-Engineer Decryption appeared first on Cyber Security News.
Frequently Asked Questions About Notepad++ Supply Chain Compromise
Threat actors compromised the update infrastructure for Notepad++, redirecting traffic to an attacker-controlled site for targeted espionage purposes.
Change log
Update February 4: This FAQ blog has been updated to note that CVE-2025-15556 was assigned for this security incident.
Key takeaways:
- Beginning in June 2025, threat actors compromised the infrastructure Notepad++ uses to distribute software updates.
- The issue has been addressed: Notepad++ has released version 8.9.1, which now includes XML signature validation (XMLDSig) for security updates.
- Reports suggest that the attack was carried out by a Chinese threat actor known as Lotus Blossom.
Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding the disclosure of a supply chain compromise of Notepad++.
FAQ
What happened with Notepad++?
On February 2, Don Ho, creator of Notepad++, a source code and text editor for Windows, published a blog detailing the investigation into a supply chain security incident.
What kind of security incident is this?
According to the blog post, threat actors compromised the infrastructure by which Notepad++ would distribute software updates. This compromise allowed the attackers to redirect update traffic from its intended destination (notepad-plus-plus dot org) to an attacker-controlled site.
When did this security incident begin?
The security incident began in June 2025.
How long did the security incident last?
Roughly six months. The compromised infrastructure was accessible until September 2, 2025. However, because the attackers possessed valid credentials for the internal services of the infrastructure provider, they were able to continue redirecting Notepad++ update traffic until December 2, 2025.
Was this incident known prior to February 2?
Yes, Ho published a blog post on December 9 regarding the release of version 8.8.9 and noted that security experts “reported incidents of traffic hijacking affecting Notepad++.” The full scope of the security incident wasn’t known at the time as the investigation was ongoing.
Has this attack been linked to a specific threat actor?
Yes, reports suggest that the attack was carried out by a Chinese threat actor known as Lotus Blossom, also known as Bilbug, Raspberry Typhoon or Thrip.
What do we know about Lotus Blossom?
Lotus Blossom has been operating since 2009 and is known for deploying various backdoor malware. Regionally, the group has a penchant for targeting entities across Asia, including government and the defense sector.
How widespread was this Notepad++ attack?
Despite the widespread usage of Notepad++, reports indicate that Lotus Blossom focused more on espionage of certain targets through the deployment of malware rather than financially motivated cybercrime like ransomware or extortion.
Were there any vulnerabilities associated with this security incident?
On February 2, CVE-2025-15556 was assigned for this security incident. CVE-2025-15556 is a "download of code without integrity check" vulnerability: the updater fetched and ran code without verifying its integrity, which is what allowed redirected update traffic to deliver attacker-supplied content.
Are there software updates available for this security incident?
Yes, Notepad++ has released version 8.9.1, which now includes XML signature validation (XMLDSig) for security updates, with additional signing enforcement expected in version 8.9.2.
Affected Product | Affected Versions | Fixed Versions
Notepad++ | 8.9 and lower | 8.9.1 and above
Has Tenable released any product coverage for these vulnerabilities?
Yes, a Tenable plugin to identify vulnerable versions of Notepad++ can be found here.
This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
Get more information
Join Tenable's Research Special Operations (RSO) Team on Tenable Connect and engage with us in the Threat Roundtable group for further discussions on the latest cyber threats.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.