Cyware Daily Threat Intelligence, April 23, 2026

The state-backed Harvester espionage group has expanded its cross-platform arsenal with a newly identified Linux variant of the GoGra backdoor. Disguised as legitimate ELF binaries, the malware leverages the Microsoft Graph API for stealthy command-and-control, using a compromised Outlook mailbox as a covert dead drop.
Industrial infrastructure in Venezuela is currently facing a wave of destructive attacks from Lotus Wiper, a novel data-wiping malware that systematically disables energy and utility systems. The malware first blinds system defenses and kills network interfaces before executing “diskpart clean all” to overwrite physical volumes.
Microsoft has issued urgent, out-of-band security updates to fix a critical "broken crypto" flaw in ASP.NET Core. A regression in the Data Protection APIs caused HMAC validation to be ignored on non-Windows systems, allowing unauthenticated attackers to forge authentication cookies and elevate privileges to SYSTEM.
Top Malware Reported in the Last 24 Hours
Linux GoGra malware exploits Microsoft Graph API
A new Linux variant of the GoGra backdoor, attributed to the state-backed Harvester espionage group, utilizes Microsoft Graph API for communication, leveraging legitimate Microsoft infrastructure. This malware gains initial access by deceiving victims into executing ELF binaries disguised as PDF files. Once installed, it employs hardcoded Azure Active Directory credentials to authenticate and obtain OAuth2 tokens, allowing it to interact with Outlook mailboxes. The malware monitors a specific mailbox folder for command emails, processes the encrypted contents, and executes the commands locally. Execution results are then encrypted and sent back to the operator via reply emails, while the original command emails are deleted to minimize forensic visibility. The Linux version shares significant code similarities with its Windows counterpart.
Lotus Wiper malware targets Venezuela's energy sector
A newly discovered data-wiping malware, dubbed "Lotus Wiper," has been targeting Venezuela's energy sector in late 2025 and early 2026. This malware employs two batch scripts to initiate a destructive attack, disabling system defenses and preparing the environment for the wiper payload. Once deployed, Lotus Wiper erases recovery mechanisms, overwrites physical drives, and systematically deletes files, leaving systems inoperable. Notably, the malware was uploaded to a public platform in mid-December 2025, just weeks before U.S. military action in Venezuela, suggesting a potential link between these events. The attack chain begins with a script that checks for network shares and executes further commands to facilitate the wiper's destructive actions.
Top Vulnerabilities Reported in the Last 24 Hours
Microsoft issues emergency patches for ASP.NET flaw
Microsoft has released urgent out-of-band security updates to address a critical vulnerability in ASP.NET Core, identified as CVE-2026-40372. This flaw, found in the Data Protection cryptographic APIs, allows unauthenticated attackers to forge authentication cookies and potentially gain SYSTEM privileges on affected devices. The issue stems from a regression in the Microsoft.AspNetCore.DataProtection NuGet packages, which improperly validated HMAC tags, enabling attackers to create payloads that bypass authenticity checks. Consequently, attackers could decrypt previously protected data and issue legitimate tokens to themselves during the vulnerable period. Although the flaw does not compromise system availability, it poses significant risks, including the potential for data disclosure and modification.
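As an added illustration (not the advisory's text or Microsoft's code), here is a toy encrypt-then-MAC "unprotect" routine in Python that models the bug class: the vulnerable variant parses the HMAC tag but never compares it, so a tampered blob decrypts and is accepted, while the fixed variant rejects it. The SHA-256 counter keystream, the 16-byte nonce, 32-byte keys and the blob layout are assumptions made for this example only; they do not model the real Data Protection key ring or wire format.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Illustrative counter-mode keystream (assumption: stands in for any
    # unauthenticated stream cipher; it is not the cipher ASP.NET Core uses).
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(d ^ s for d, s in zip(data, stream))


def protect(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: tag covers nonce and ciphertext.
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect_vulnerable(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    # Models the regression: the tag is sliced off but never verified, so any
    # modification of the ciphertext is silently accepted and decrypted.
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def unprotect_fixed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    # Correct behaviour: constant-time tag comparison before any decryption.
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication tag mismatch: payload rejected")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def run_demo(enc_key: bytes, mac_key: bytes) -> tuple[bool, bool]:
    # Returns (vulnerable_accepted_tampered, fixed_accepted_tampered).
    blob = bytearray(protect(enc_key, mac_key, b"role=user"))  # constructed sample
    blob[NONCE_LEN] ^= 0x01  # flip one ciphertext bit: a trivial forgery attempt
    vulnerable_ok = unprotect_vulnerable(enc_key, mac_key, bytes(blob)) != b""
    try:
        unprotect_fixed(enc_key, mac_key, bytes(blob))
        fixed_ok = True
    except ValueError:
        fixed_ok = False
    return vulnerable_ok, fixed_ok
```

Run `run_demo(os.urandom(32), os.urandom(32))` to see the flawed path return altered plaintext while the fixed path raises.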
Critical vulnerability discovered in Terrarium sandbox
A critical security vulnerability, tracked as CVE-2026-5752, has been identified in the Terrarium sandbox, a Python-based project developed by Cohere AI. This flaw, rated 9.3 on the CVSS scale, allows for arbitrary code execution with root privileges through JavaScript prototype chain traversal. Terrarium, which operates on Pyodide and is designed to run untrusted code in Docker containers, is at risk of exploitation, enabling attackers to execute system commands and access sensitive files without requiring special privileges. The vulnerability arises from the sandbox's failure to adequately restrict access to parent or global object prototypes, leading to a potential breach of security boundaries. As the project is no longer actively maintained, a patch for this vulnerability is unlikely.