AI-Generated Rootkit VoidLink Evades EDRs, Exfiltrates via DNS—89% of Cloud Orgs Still Vulnerable
TL;DR
- AI-Generated Malware Framework 'VoidLink' Emerges as First Fully AI-Authored Threat
- Crypto Laundering Shifts to Chinese-Language Networks, Moving $16B Daily Since 2020
- 149 Million Stolen Credentials Exposed in Public Database, Researchers Warn of Widespread Account Takeovers
- 16 Malicious Chrome Extensions Target ChatGPT Users, Steal Session Tokens via Browser Hooking
🚨 AI-Generated Rootkit VoidLink Evades EDRs—Here’s How to Stop It Before It’s Too Late
TRAE SOLO's VoidLink AI rootkit morphs kernel modules every 92s, hides in cgroups, & exfiltrates via DNS-over-HTTPS TXT records—evading all traditional EDRs. 1.3MB payload. 22min to generate. 0 human code. eBPF blocks 94% of variants. 89% of cloud orgs still allow unmonitored DoH. 73% of IAM keys rotate >24h. Act now.
Wednesday, 28-Jan-26. Your coffee’s still scalding, yet Linux boxes in the cloud already hemorrhage from an AI-authored rootkit that writes itself better malware than your overpaid vendor reps write press releases.
Welcome to the post-lullaby era, kids.
How Did a Model Learn to Be a Better Hacker Than You?
TRAE SOLO—an open-weight LLM fine-tuned on leaked red-team notes—spat out VoidLink after a 22-minute prompt binge.
No human C2. No hand-coded dropper. Just a 1.3 MB payload that:
- Morphs kernel modules on the fly (SHA-256 changes every 92 s).
- Hides in cgroups so hard that even `lsmod` begs for mercy.
- Phones home via DNS-over-HTTPS TXT records laced with steganographic JWTs.
If that reads like Greek, congrats—you’re the target audience.
Why Your Shiny EDR Is Now Expensive Confetti
Traditional heuristics? Dead on arrival.
VoidLink’s code path mutates faster than your GRC team can spell “compliance.” The only detections firing are the ones drowning in false positives—because, oops, AI-generated noise looks exactly like AI-generated threats.
Zero-Cost Mitigation That Won’t Make Vendors Rich
- Drop any outbound DoH resolver you don’t own. DNS logs ≠ optional.
- Rotate cloud metadata creds every 300 s via systemd-timer; AWS won’t bill you extra, but the bot herders will cry.
Slap eBPF on every node with a short bpftrace script (`override()` is the bpftrace builtin for this and needs a kernel built with CONFIG_BPF_KPROBE_OVERRIDE):

```bpftrace
// Refuse kernel module loads that do not come from the normal loader.
// bpf_override_return(VOID) is not a bpftrace builtin and the
// `arg1 & 0xdeadbeef` marker test matches nothing at this probe, so the
// filter keys on the loading process instead.
kprobe:do_init_module
/comm != "modprobe" && comm != "insmod"/
{
    printf("denied module load by pid %d (%s)\n", pid, comm);
    override(-1);   // the caller receives -EPERM
}
```

Open-source, zero license, runs in 30 min.
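The two DNS-side checks from the list above (outbound DoH to resolvers you don't own, and TXT queries that look like an exfil channel) as an added example; this is not code from the newsletter or any vendor, and the log format, allowlist and thresholds are constructed for the demo:

```python
"""Flag DoH to unmanaged resolvers and high-entropy TXT queries in DNS logs."""
import math
from collections import defaultdict

# Resolvers the org actually operates (assumption for this example)
ALLOWED_DOH = {"doh.corp.example"}
ENTROPY_THRESHOLD = 3.5   # bits per char; base32/base64 labels sit well above this
LONG_LABEL = 30           # encoded exfil chunks are long; _dmarc/_acme labels are not


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse(line: str) -> dict:
    # Constructed format: "<ts> <src> <transport> <resolver> <qtype> <qname>"
    ts, src, transport, resolver, qtype, qname = line.split()
    return {"ts": ts, "src": src, "transport": transport,
            "resolver": resolver, "qtype": qtype, "qname": qname}


def find_findings(lines):
    """Return (src, rule, detail) tuples for every suspicious log line."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec["transport"] == "doh" and rec["resolver"] not in ALLOWED_DOH:
            findings.append((rec["src"], "doh-to-unmanaged-resolver", rec["resolver"]))
        if rec["qtype"] == "TXT":
            first = rec["qname"].split(".")[0]   # the leftmost label carries the payload
            if len(first) >= LONG_LABEL and shannon_entropy(first) >= ENTROPY_THRESHOLD:
                findings.append((rec["src"], "high-entropy-txt-query", rec["qname"]))
    return findings


# Constructed sample log: one clean host, one host talking DoH to a public
# resolver and asking for a 32-char base32-looking TXT label.
SAMPLE_LOG = [
    "2026-01-28T07:01:02Z 10.0.4.17 udp ns1.corp.example A updates.example.org",
    "2026-01-28T07:01:05Z 10.0.4.17 doh dns.google TXT abcdefghijklmnopqrstuvwxyz234567.c2.example.net",
    "2026-01-28T07:01:09Z 10.0.4.22 udp ns1.corp.example TXT _dmarc.example.com",
    "2026-01-28T07:01:11Z 10.0.4.17 doh doh.corp.example A www.example.com",
]

if __name__ == "__main__":
    for src, rule, detail in find_findings(SAMPLE_LOG):
        print(f"{src} {rule} {detail}")
```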
Vendor-Speak Translation Corner
Sales rep: “Our AI-powered platform delivers autonomous threat neutralization—”
Translation: “We’ll auto-bill you quarterly while humans frantically hot-patch.”
VoidLink isn’t coming. It’s inside, ordering latte art with your IAM keys.
Patch CVE-2026-20045 now, spin up eBPF, and kill the next AI brat before it writes its sequel.
🫠 US Banks Ignore $16B Daily Crypto Laundering as Stablecoins Crash and Gold Soars
US banks pump $16B/day into crypto via Tether & DeFi mixers—60% still fund Bitcoin ETFs for pensions while stablecoins lose $2.25B in 10 days. Zero-day exploits weaponized in hours. SOC teams ignore Mandarin-language flows. Free Etherscan alerts + Google Translate CN→EN can expose 89% of laundered USDT. Risk: AI-trained scams now write your incident reports.
Why Are We Still Acting Surprised?
- Stablecoins just lost $2.25B in ten days—capital sprinting for the exit like it’s on fire.
- Gold surged 20%+ because nothing says “I’m over crypto drama” like a literal chunk of metal.
- Meanwhile, 60% of top-tier US banks keep spoon-feeding Bitcoin ETFs to pension funds, pretending the laundering elephant isn’t in the room.
The $16B Flow: A Quick Anatomy
- Chinese-language networks pivot faster than your vendor patch cycles.
- DeFi mixers + cross-chain bridges = instant on-chain laundromat.
- Zero-day exploits get weaponized within hours, not weeks—because who waits for disclosure when you can mint clean USDT?
What Your CSO Won’t Say Out Loud
- Human-rights audits in Southeast Asia scam farms? Sure—after the next quarterly bonus.
- WhatsApp’s “end-to-end” denial tour needs an independent audit, but that costs actual money.
- AI-powered scam detection is great—until attackers train GPT-7 to write your incident reports for you.
Cheat-Sheet for the Budget-Crunched
| Quick Hack | Cost | ROI Snark |
|---|---|---|
| Monitor Tether flows via free Etherscan APIs | $0 | Spot $16B/day—priceless. |
| Route SOC alerts through Google Translate CN→EN | $0 | Instant Mandarin metadata. |
| Gold ETF allocation for execs | Cheap | Sleep > crypto volatility. |
Last Rites
Regulators meet Jan-29 to issue toothless guidance. Place your bets:
- “Enhanced due diligence” = another checkbox.
- Actual enforcement = the day after never.
Meanwhile, the launderers upgraded to Unicode 15.0 emoji obfuscation. 🫠
🔥 149M Passwords Dumped as Critical CVEs Exploited—Are You Patched?
GitLab & FortiCloud hit by critical CVEs (CVE-2025-13927, CVE-2026-24061) enabling 2FA/SSO bypasses—149M credentials dumped online. 87% of orgs delay patches >30 days. 62% still use SMS 2FA. ClawdBot AI phishing rising 300% YoY. Patch now, rotate keys, ditch SMS. 🔥
(Spoiler: nobody laughed except the hackers)
So Your Password's on Neon-Sale for $0.00—Who TF Cares, Right?
Wrong. That “public database” is basically a flea-market of phished Gmail, Netflix, and Binance cookies, tagged 2-for-1. Researchers politely call it “account-takeover potential.” I call it digital organ harvesting.
GitLab vs FortiCloud: The CVE Cage Match
- CVE-2025-13927 (GitLab 2FA bypass): patch or get pwned by script-kiddies running `curl` in mom’s basement.
- CVE-2026-24061 (FortiCloud SSO bypass): because paying for firewalls to burn down is peak 2026 energy.
AI Phishing—Now With 100% More ClawdBot
Meet ClawdBot, the new local-first AI agent that writes love letters to your employees… with malware attached. Microsoft’s PR team calls it “innovation.” I call it weaponized LinkedIn creepiness 😈.
Patch or Perish: A Hacker’s Christmas Wishlist
| Attack Vector | Lazy Fix | Actually Works |
|---|---|---|
| SQLi | Hope developers care | Parameterized queries |
| Prompt injection | “Don’t be evil” prompt | Sandboxed LLM output |
| Cache poisoning | Clear CDN cache | Signed HTTP headers |
| IoT default creds | Sticky note on router | Firmware + unique PW |
Zero-Cost, Zero-Bullshit Defense Starter Pack
- Hashicorp Vault: free, open-source, stops plaintext dumps.
- 1Password + WebAuthn: because SMS 2FA is just asking for SIM-swap cuddles.
- AI-driven anomaly detection (open-source models): catch the bots before they slide into DMs.
Bottom Line
149 million passwords didn’t “leak”—they were dumped like expired milk. Patch your CVEs, rotate your keys, and maybe—just maybe—we’ll survive the next hype-cycle without turning the internet into a dumpster fire 🔥.
🚨 Chrome Extensions Stole ChatGPT Sessions, Sold on Darknet; Microsoft’s Copilot Bug Exposes More
Chrome extensions stole 840K+ users' ChatGPT session tokens via steganographic PNGs & sold them on darknet—84% of affected tokens remained active 24h post-breach. Microsoft’s Reprompt bug let Copilot replay prompts to attackers. 3M+ users exposed. Patch now or risk credential resale in <12h. Risk: session hijacking, AI-driven phishing, Monero theft.
Chrome just handed 16 extensions a VIP key to your ChatGPT brain-dump—then acted shocked when they sold it on the darknet like last year’s GPUs.
🪝 Hook, line, sinker. 🪝
How Did a Few Crappy Add-ons Empty the Cookie Jar?
- “Browser hooking” = invisible JavaScript that grabs your `__Secure-next-auth.session-token` the millisecond you open ChatGPT.
- Stanley Seller’s “guaranteed Chrome Web Store approval” kit ships with steganographic PNGs—because nothing says “totally legit” like hiding code inside cat memes.
- GhostPoster gang racked up 840 k installs by promising “productivity hacks.” Translation: productivity for their Monero wallets.
VS Code Joins the Party—Bring Your Own Malware
MaliciousCorgi (cute name, evil payload) sneaks into VS Code, syphons secrets straight to a server in China, and still rates ⭐⭐⭐☆☆ from confused devs.
Microsoft’s January patch fixes Reprompt—a bug that lets Copilot Personal replay your last prompt to the attacker. AI pair-programming with a side of identity theft. Neat.
Patch Now or Cry Later—Pick One
| Do This | Why You’ll Regret Not Doing It |
|---|---|
| Nuke every extension you didn’t personally vet. | Your ChatGPT threads are tomorrow’s spear-phish templates. |
| Roll session tokens and API keys. | Stanley already sold the old ones—buyer’s remorse arrives in <24 h. |
| MFA everywhere. Yes, even that throwaway crypto wallet. | Because “we lost $3 M” looks terrible on a résumé. |
Bottom Line, Minus the Kumbaya
The store gates failed. The AI guardrails failed. Your trust settings failed.
Only thing standing between you and a Russian Excel sheet full of your secrets is you.
Update Chrome, audit VS Code, and treat every extension like it owes you money—because sooner or later, it’ll try to collect.
In Other News
- NPM Malicious Packages Surge 100% in 2025 to 10,819, with Shai-Hulud Worm Targeting Developer Tooling and AI Coding Tools
- GitHub exploited in malware campaign targeting developers with fake Desktop installers in Europe and Japan
- VM2 Node.js Sandbox Library Discontinued After Repeated Remote Code Execution Vulnerabilities
- Chinese State-Sponsored Hackers Targeted UK Downing Street Phones in 2021–2024 Cyber-Espionage Campaign
- Clawdbot/Moltbot AI Agent Exposes Critical Security Risks via Shell Access and Local Data Theft