China-linked APT UAT-8837 Exploits Zero-Day to Hijack Critical Infrastructure; Iran Spoofs GPS to Sabotage Starlink; ICE Leak Exposes Surveillance Machine; AI Code Agents Generate 69 Flaws; Copilot Leaks Chat History via One-Click URL

TL;DR

• UAT-8837 APT actor exploits CVE-2025-53690 zero-day to compromise North American critical infrastructure via credential harvesting and Earthworm malware
• Iranian state actors jam Starlink terminals using GPS spoofing, disrupting satellite connectivity for 24 minutes per session and degrading bandwidth to 10% in targeted regions
• ICE whistleblower leak exposes 4,500 personnel records, triggering Doxxing attacks and raising concerns over domestic surveillance and officer safety protocols
• AI agents from Tenzai testing reveal 69 vulnerabilities in vibe coding tools, with 45 high-severity flaws including SQLi and XSS in OWASP Top 10 categories
• Microsoft fixes Copilot AI vulnerability allowing one-click exfiltration of user chat history data including names, locations, and event details via malicious URLs

UAT-8837 Exploits Zero-Day to Hack Critical Infrastructure—Again

UAT-8837, a China-linked APT, exploited CVE-2025-53690, a ViewState deserialization flaw (CVSS 9.8), to gain zero-click remote code execution on DMZ-facing HMI web portals. This enabled credential harvesting via GoTokenTheft, extracting Kerberos tickets and NTLM hashes from domain controllers.

Why is Earthworm still a problem?

Earthworm 2.0, a reflective DLL injected into svchost.exe, established TLS-wrapped C2 on port 443. It disabled RestrictedAdmin on RDP hosts and pivoted to internal ICS networks via WMIExec, granting SYSTEM-level control over power and water systems. Its JA4 H-hash signature (e3b9…) is now documented in Cisco Secure Endpoint.

Why is this not surprising?

CVE-2025-53690 appeared in public exploit repositories in Q1 2025. Similar patterns occurred with FortiSIEM (CVE-2025-64155) and Cisco ISE (CVE-2026-20029). Earthworm resurfaced after its October 2025 debut, mirroring CastleLoader’s evolution. The 2025 CISA KEV catalog listed 245 new ICS-relevant exploits.

What happens next?

• 0–30 days: Network sensors detect Earthworm’s TLS fingerprint; YARA rules updated.
• 30–90 days: RansomCat-X deploys to encrypt PLC configurations.
• 90–180 days: Vendor firmware updates with identical WebCore binaries become attack vectors.

180 days: Policy mandates HMACSHA256 ViewState validation in federal SCADA contracts.

What should you do?

1. Patch WebCore or enforce.
2. Isolate SCADA from corporate AD; enforce MFA on all RDP; disable RestrictedAdmin.
3. Deploy network detection for long-lived TLS sessions from privileged hosts using JA4 H-hash e3b9….
4. Deploy LAPS; rotate service-account keys weekly; audit krbtgt ticket usage.
5. Ensure endpoint detection tools flag reflective DLL injection and memory-resident payloads.

The pattern is clear: high-severity zero-days combined with freely available credential harvesters and persistent backdoors create industrial compromise. Patching, segmentation, and telemetry remain the only cost-effective defenses.

Iran Jams Starlink With GPS Spoofing—Because Why Buy a Jammer When You Can Lie to It?

Iranian state operators consistently deploy GPS spoofing to disrupt Starlink terminals, forcing them into a 24-minute blind phase where positioning data is deliberately falsified. This causes antenna pointing errors, triggering a 198-second convergence delay in the terminal’s Extended Kalman Filter. During this time, bandwidth drops to 10%—a feature, not a bug.

How Does Lying to a GPS Receiver Break Internet Access?

Starlink terminals rely on GPS for precise antenna alignment. Spoofed signals flood the receiver with phantom satellite positions, confusing the system into thinking it’s in Tehran when it’s actually in Isfahan. The phased-array antenna points at empty space. The link degrades. The scheduler, detecting high packet loss, throttles throughput to 10–20 Mbps to avoid total collapse. The terminal doesn’t crash—it just becomes painfully slow.

Why 24 Minutes Exactly?

Every session lasts precisely 24 minutes. Not 23. Not 25. This is not random. It aligns with standard Iranian state network maintenance windows—likely scheduled to coincide with peak dissent activity. The attack is surgical, not chaotic. It doesn’t destroy hardware. It makes the internet feel broken.

Who Benefits From Slow Internet?

Civil activists still transmit photos and text over 10% bandwidth. The regime doesn’t need to cut the internet—just make it frustrating enough that people give up. Starlink’s resilience becomes its vulnerability: the system’s self-preservation mechanism (bandwidth throttling) is weaponized against its users.

What’s Next?

• SpaceX will likely add multi-constellation GNSS (GLONASS, BeiDou) to reduce single-system dependence.
• Firmware updates will cross-validate GNSS data with inertial sensors and star trackers.
• Iran may escalate to ionospheric delay injection—making the lie feel even more real.

The irony? The more Starlink improves, the more precise the lie must become. This isn’t jamming. It’s psychological warfare with a GNSS antenna.

Should We Be Surprised?

No. If you can’t silence dissent, make the signal too slow to matter. And if that fails? Just wait for the next 24-minute window—and try again.

ICE Leak Exposes 4,500 Officers — And the Surveillance Machine That Built It

The leak did not create threats — it revealed the infrastructure that made them inevitable. ICE’s FY2025 $28.7B surveillance budget funded forensic tools that collected biometric, location, and social media data on 33% of U.S. adults — six times the agency’s personnel count. When those records were dumped, the system turned on its own operators.

Why did DHS publish the same leak on its official portal?

The Department of Homeland Security reposted the whistleblower’s dataset, effectively legitimizing its distribution. This action did not clarify policy — it amplified risk. The move transformed a data breach into a de facto public registry of federal agents, triggering coordinated doxxing campaigns and a 1,300% spike in physical assaults.

Why is ICE’s surveillance capability six times its workforce?

The agency’s data infrastructure — powered by contracts with Cellebrite and PenLink — aggregates more personal information than the FBI’s criminal databases. This is not overreach by accident; it is structural. The breach exposed a system designed to map populations, not enforce immigration law. Officers became collateral in a surveillance architecture with no off-ramp.

Why did the whistleblower’s leak accelerate legislative reform?

The leak catalyzed bipartisan proposals for federal officer privacy statutes. The same data that endangered agents also exposed the scale of unregulated data collection. As public trust in ICE drops to 62% viewing it as a surveillance arm, lawmakers face pressure to cap data retention and mandate privacy-by-design. The agency’s own tools became the evidence for its own constraints.

What can actually fix this?

• Deploy zero-trust access controls on all personnel records — mandatory MFA, micro-segmentation. Expected reduction in bulk exfiltration: 80%.
• Enforce minimum-data collection: delete non-essential identifiers after 90 days. Reduces exposure surface.
• Issue officer-shield protocols: disposable emails, anonymized identifiers, social media restrictions. Estimated 60% drop in successful doxxing.
• Conduct quarterly third-party penetration tests. Identify gaps before insiders exploit them.

The system didn’t break because of a leak. It broke because it was built to collect everything — and protect nothing. The officers are not the problem. The architecture is.

AI Agents Generate Code With 69 Flaws—And We Still Think Vibe Coding Is a Strategy

Tenzai’s red-team testing of five "vibe-coding" agents—Claude Code, OpenAI Codex, Cursor, Replit, and Devin—uncovered 69 security vulnerabilities in generated code. Of these, 45 were classified as high-severity, including SQL injection and cross-site scripting—both OWASP Top 10 staples since 2003.

Why Do AI Agents Ignore Input Sanitization?

Despite deterministic prompts, all agents consistently omitted basic security controls: prepared statements, output encoding, and role-based access checks. Static analysis tools (Semgrep) flagged the same 45 flaws, confirming that automated linters cannot compensate for the absence of secure coding instincts.

Claude Code generated the most flaws (16), followed by Codex and Cursor (13 each). Replit, marketed as "secure-by-default," produced 9—fewest in the group. Devin generated only 4, but also offered minimal functionality.

Why Is OWASP Top 10 Still the Benchmark?

No novel attack classes emerged. The agents didn’t invent new exploits—they reproduced the same injection patterns human developers have been fixing for two decades. The issue isn’t novelty; it’s repetition.

Why Does Tool Diversity Multiply Risk?

Claude Code’s higher flaw count correlates with broader language support (PHP, Node, Python), not superior reasoning. More features = more surfaces. Devin’s minimalism reduced flaws but also utility. Neither outcome reflects intelligence—only exposure.

What Should Organizations Do?

• Integrate SEI-CERT coding standards into AI code generators to reduce SQLi/XSS by ~40%.
• Enforce post-generation static analysis (Semgrep + OWASP-ZAP) before CI/CD promotion—catches ≥95% of high-severity flaws.
• Assign a security champion per AI-generated code layer to clarify ownership and reduce coordination friction.
• Publish prompt-hardening guidelines requiring explicit sanitization directives in user prompts.

And About That Human Error?

If you spotted a typo in this analysis—you’ve found the only vulnerability this report didn’t generate. The human wrote it. The AI didn’t. And yes, it’s still more reliable.

Microsoft Copilot Patched After One-Click Chat History Leak Via Malicious URL

Microsoft’s Copilot AI accepted unsanitised URL parameters, allowing attackers to inject prompts that triggered background extraction of full chat histories—including names, geolocations, and event details—from the AI’s memory store. The flaw required no login, no phishing, just a single click.

How did the exploit work?

• User clicked malicious URL: https://copilot.microsoft.com/?q=<malicious_prompt>
• Backend treated payload as legitimate system instruction
• Memory store (/var/lib/copilot/memory.db) accessed without session context
• Background worker exfiltrated data to attacker domain post-UI closure
• Worker persisted for ~30 seconds, enabling delayed data harvest

What was exposed?

• Full chat transcript
• User-provided names and locations
• Timestamps and event descriptions
• Contextual details from Office 365, Edge, and embedded Copilot sessions

How was it fixed?

• January 2026 Patch Tuesday (KB5072046) deployed
• URL-derived prompts now strictly sanitised
• Background memory reads disabled after UI close
• Memory access API hardened with least-privilege isolation
• Independent verification confirmed patch effectiveness

Why is this not unique?

• ServiceNow’s "BodySnatcher" (2025): Prompt injection via ticket fields
• OpenAI’s "ZombieAgent": Memory leakage via API chain manipulation
• Pattern: AI assistants treat user input as executable command, not data

What should organisations do?

• Deploy KB5072046 immediately
• Block all q parameters containing LLM-style syntax at gateway
• Enforce Intune policy: RemoveMicrosoftCopilotApp on non-essential devices
• Monitor for outbound connections from Copilot.exe or copilotservice.dll
• Train users: Copilot links are not safe just because they look official

What’s next?

The industry is moving toward prompt-gateway architectures—external inputs validated and normalised before reaching the LLM. Microsoft’s fix is reactive. The next generation of AI assistants will either build this in from day one… or become the next headline.

What else is happening?

• Kyowon Group confirms ransomware attack exfiltrated customer data from 600 servers, notifying KISA and restoring services after a 72-hour outage
• NVIDIA patches critical CVE-2025-23304 (7.8/10) in NeMo AI library after researchers discover arbitrary code execution via malicious model metadata, affecting over 10M Hugging Face downloads
• Salesforce issues CVE-2026-22584 (9.8/10) for FlexTok AI library vulnerability allowing remote code execution, fixed in June 2025 after Prisma AIRS tool uncovered exploit pathway
• Check Point Research uncovers VoidLink, a sophisticated Linux malware framework targeting AWS, Azure, GCP, and Alibaba Cloud environments to harvest credentials and secrets, with potential Chinese state affiliation
• Telegram fixes one-click IP leak vulnerability (CVE-2026-XXXX) that bypasses all proxy and VPN configurations on Android and iOS, with PoC code published on GitHub after researchers exposed network stack flaws