< Back
Abst

Tags:

Threat intelligence
05 February 2026

Weekly Summary Cyberattacks 29 jan-04 feb

DockerDash: Two Attack Paths, One AI Supply Chain Crisis 

Security researchers disclosed a critical AI supply-chain vulnerability dubbed DockerDash affecting Docker’s Ask Gordon AI assistant (beta), revealing how a single malicious metadata label embedded in a Docker image can compromise Docker environments through a fully automated execution chain. The flaw exploits a cascading trust failure in the Ask Gordon AI → MCP Gateway → MCP Tools workflow, where unverified Docker image metadata is interpreted as executable instructions and passed through each layer without validation. 

Fake Dropbox Phishing Campaign via PDF and Cloud Storage  

An active phishing campaign that uses a multi-stage delivery chain combining PDF attachments, trusted cloud storage, and brand impersonation to harvest user credentials while evading traditional email and content security controls was identified. The campaign begins with a procurement-themed phishing email that appears to be part of a legitimate tender or request-for-quotation process and contains a PDF attachment rather than a direct malicious link. The email content is minimal and professional, allowing it to bypass common detection mechanisms and standard authentication checks such as SPF, DKIM, and DMARC, while the sender address is likely spoofed or tied to a compromised account.

DynoWiper Update: Technical Analysis and Attribution  

Cybersecurity researchers disclosed new technical details regarding a destructive cyberattack involving previously undocumented data-wiping malware, named DynoWiper, that targeted an energy company in Poland in late December 2025. The incident represents a rare case of destructive malware deployment against Polish critical infrastructure and is attributed with medium confidence to the threat actor Sandworm. DynoWiper operates in multiple phases, including recursive file wiping across removable and fixed drives, selective directory exclusions, partial overwriting of larger files to accelerate destruction, and a forced system reboot to finalize system damage. The attackers rebuilt and redeployed the malware several times within the same day, indicating active troubleshooting during the operation. 

Hugging Face Abused to Spread Thousands of Android Malware Variants  

Cybersecurity researchers have identified a large-scale Android remote access trojan (RAT) campaign that abuses the legitimate infrastructure of Hugging Face to host and distribute malicious APK payloads. The operation combines social engineering, a two-stage infection chain, extensive abuse of Android Accessibility Services, and aggressive server-side polymorphism to evade detection. The infection chain begins with a malicious Android application named TrustBastion, distributed via deceptive advertisements or scareware-style prompts claiming that the victim’s device is infected and requires a security solution.

TA584 Innovates Initial Access  

TA584, one of the most active cybercriminal initial access brokers tracked since 2020, significantly innovated its initial access operations throughout 2025 by rapidly rotating attack chains, expanding geographic targeting, adopting ClickFix social engineering, and introducing a new malware payload known as Tsundere Bot. TA584, which overlaps with a cluster tracked as Storm-0900, increased its operational tempo dramatically in 2025, with monthly campaign volume tripling between March and December, and campaigns often lasting only hours or days before being replaced or modified.