
Cybersecurity Shenanigans #021: Zero-days, VS Code extensions, and AI-speed ransomware 🫠

Read this month's cybersecurity scoop.

👋 Hey friend,

I think hackers looked at the calendar and said, “Oh sh*t, this is a short month. Better wreak all the havoc we can in those 28 days.” 😅

Between Microsoft shipping an emergency Office fix because a zero-day is already being exploited in the wild, dev tooling catching fire with VS Code extension bugs, and ransomware groups using AI to work smarter, not harder…this has been an insanely busy month. Not sure who’s been busier, to be honest: hackers or defenders?

Anyway, in this edition of Shenanigans, I pulled some highlights (lowlights?) of news headlines and broke down some of the big stuff happening in cyberspace.

So grab your drink of choice, and let’s dig in.

— JH

News & Commentary

Just dropped on YouTube: Russia is hacking zero-days (again) 🥲

Hot off the press on my YouTube channel: Microsoft recently released an emergency out-of-band fix for CVE-2026-21509 following January’s Patch Tuesday. Yay.

This one’s an MS Office security feature bypass vulnerability. And while Microsoft doesn’t provide too many details in their security bulletin (Shocked? Me neither!), here’s what I’ve gathered.

It boils down to “reliance on untrusted inputs,” letting an attacker bypass a local security feature. Still, the severity isn’t anything to shake a stick at: This one clocks in around a 7.8 CVSS and, more importantly, it’s not theoretical. It’s actively being exploited.

What’s especially gnarly is the execution chain. The malicious document leverages OLE / COM object behavior to reach out over WebDAV to an external resource, pulling down a file (often a Windows shortcut / LNK), which then kicks off additional downloads and execution. The whole point is to turn “I opened a document” into “I just ran untrusted code from the internet,” while sidestepping the protections you’d expect to stop that.

And the post-exploitation story? We’ve seen it before many times: staged payloads disguised as normal files (even things like splashscreen.png), COM hijacking by changing a CLSID registry path, scheduled task persistence, and even behavior that restarts Explorer to make sure the hijack triggers reliably. There’s also mention of adversaries leaning on legitimate third-party infrastructure (including cloud storage) as part of their control plane: the classic “living off trusted services” move that makes network filtering harder if you’re not already thinking about it.

You might be able to guess the guidance here: patch. Mitigations like registry blocks can help as a stopgap, but the real fix is updating Office. If you want to go one step further, there are community scripts (built around tools like oletools) that can help scan Office documents for the specific OLE object / CLSID patterns associated with this technique.
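The document-scanning idea above, as an added example that is not the newsletter's code and not one of the community oletools scripts it mentions: a standalone Python check that opens an OOXML (.docx) package and flags OLE object relationships whose target is an external resource, the hook a document would use to reach out over WebDAV. It assumes the standard OOXML package layout, runs against a constructed sample rather than a real document, and does not know the specific CLSIDs tied to this CVE (the page does not list them).

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML relationship namespace and the relationship type used for embedded or linked OLE objects.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# Targets that point off the box: http(s)/file URLs and UNC paths (\\host\share), which Windows can fetch over WebDAV.
REMOTE = re.compile(r"^(https?:|file:|\\\\)", re.IGNORECASE)


def find_external_ole_links(docx_bytes: bytes) -> list[dict]:
    """Walk every .rels part in the package and return OLE object relationships
    that are marked External or whose Target looks remote."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                if rel.get("Type") == OLE_REL and (external or REMOTE.match(target)):
                    findings.append({"part": name, "id": rel.get("Id"), "target": target})
    return findings


def build_sample_docx(rels_xml: str) -> bytes:
    """Build a skeletal .docx (constructed fixture, not a real document) around the given rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed rels parts: one linked OLE object pulled from a WebDAV-style URL (TEST-NET address), one benign embedded object.
SUSPICIOUS_RELS = f"""<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OLE_REL}" Target="http://203.0.113.10/dav/x.lnk" TargetMode="External"/>
</Relationships>"""
CLEAN_RELS = f"""<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OLE_REL}" Target="embeddings/oleObject1.bin"/>
</Relationships>"""

if __name__ == "__main__":
    for label, rels in (("suspicious", SUSPICIOUS_RELS), ("clean", CLEAN_RELS)):
        hits = find_external_ole_links(build_sample_docx(rels))
        print(f"{label}: {len(hits)} external OLE link(s)", hits)
```

A hit is a triage signal, not a verdict: legitimate documents can link external objects, so the finding should feed a review or a sandbox detonation rather than an automatic block.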

Here’s the video I just posted if you’d like to dig deeper:

Four popular VS Code extensions shown to have critical flaws 🫠

If you’re one of the 125 million VS Code users who’s downloaded the Live Server, Code Runner, Markdown Preview Enhanced, or Microsoft Live Preview extensions, I’m sorry for what I’m about to say. 😅

These extensions contain vulnerabilities that could let an attacker steal local files and potentially even execute code on remote machines. Ugh.

The Hacker News does a great job of breaking down the technical details of what’s going on for each extension:

  • a Live Server flaw (CVE-2025-65717) that can exfiltrate files if a developer is tricked into visiting a malicious site while the local server is running on localhost:5500

  • a Markdown Preview Enhanced bug (CVE-2025-65716) that enables arbitrary JavaScript via a crafted markdown file

  • a Code Runner issue (CVE-2025-65715) that can lead to code execution if someone can socially engineer changes to settings.json

  • a Microsoft Live Preview issue that could expose sensitive local files via malicious web content while the extension is running, which Microsoft reportedly fixed in version 0.4.16 back in September 2025 (without a CVE)

TL;DR: Dev tooling is part of your attack surface. Extensions are luxuries of convenience, but at the end of the day, they sit right next to your code, your terminals, and your browser. And that…can be a spicy combo when vulnerabilities surface. 😅

If you’ve downloaded any of these extensions, update what you can and consider uninstalling any extensions (for any program, really) that you don’t really need.

Ransomware groups are speeding up attacks thanks to AI 🤖

I’m back on my AI soapbox again. 😁

In last month’s Shenanigans, I talked about a discovery from Check Point Research: a single dev used AI to generate 88,000 lines of code to form a new Linux malware framework called VoidLink.

A new research report from Palo Alto Networks shows that ransomware groups are now moving four times faster than they were ONE year ago. For example, some of the fastest intrusions are resulting in data exfiltration within 72 minutes of initial access.

I don’t even chug my morning Monster that fast.

This is being made possible by AI. It’s helping threat actors with reconnaissance, phishing, scripting, and operational execution. In other words, threat actors are wisely turning to AI to help with the boring, repetitive stuff so they can focus their efforts elsewhere. And that results in more sophisticated attacks.

One important trend I want to touch on: Attackers are more frequently abusing trusted integrations to compromise SaaS apps. (Sound familiar?) These integrations already have legitimate, privileged access, which means attackers are less often brute-forcing their way through the door and more often just…walking through the door you unintentionally built for them.

That means we have to be vigilant with making sure we trust and monitor the extensions, applications, and integrations we use.

Sponsor

Get insights from 1800+ security pros in Voice of Security 2026

AI is everywhere in security, but workloads keep climbing.

To find out why, Tines surveyed 1,800+ security leaders and practitioners worldwide for their largest Voice of Security report to date. The data shows that while AI adoption and enthusiasm are high, teams have yet to unlock its full impact. A few key stats:

  • 81% saw workloads increase in the past year.

  • Teams still spend 44% of their time on manual or repetitive work.

  • 76% report burnout, driven primarily by heavy workloads.

Learn how security teams are responding in the full Voice of Security 2026 report.

Email being clipped?

Here’s some actually helpful advice: You can view the email in your browser: https://johnhammond.beehiiv.com/p/cybersecurity-shenanigans-021.

(And as always, thanks for nothing, Clippy. 💙)

Latest Content

YouTube Videos

// One of the world’s most popular social media platforms has been sitting on an open redirect vulnerability for over a year. It’s fine, everything’s fine. 🫠

// In this video, I cover who the “Krabby Wrathbun” AI agent is, how it got into a Matplotlib PR, and the chaos that followed: a bot-fueled meltdown, prompt-injection trolling, and a fake “security audit” pile-on. 🦀

// One word: “Whoops!”

Just Hacking Training 🤓
February Announcements

Dark Web 2 is Here – 20% Off ALL Month!

Sorry it took so long, but I think you’ll be pleased with the end result. DW2 – CTI Researcher is ready for your hoodie and your hacker mindset with real links, more exposure of criminal activity, and hands-on exercises in cloud-based VMs for you to hunt from a protected environment.

See for yourself with 3 Free Preview Lessons:

📋 Index Sites and Aggregators
🥷 Overview of Infostealer Malware
💼 Career Opportunities (I highly recommend this one!)

20% Launch Discount Expires Midnight ET on Feb 28

Opportunity to Save 25% on Dark Web Path

The Dark Web Path consists of DW1, Dark Web and Cybercrime Investigations ($125), and Dark Web 2 – CTI Researcher ($175). Both are 20% off if purchased individually, $100 and $140 respectively.

Get 25% off when you buy them together in the Dark Web Bundle (just $225)!

New Free Upskill Challenges!

New series with Dean Macris and James Campbell on the expansive world of Maritime Cybersecurity. James starts us off with this first UC on ship security. Look for future UCs and even a full, hands-on course!

2nd Free Upskill Challenge by Andrew Pla, MS MVP and Host of The PowerShell Podcast. Learn to parse APIs in PS7 to open new automation ideas.

Continuing Series of Free Upskill Challenges on "Pentesting for the Masses" exploring common hacking tools for the job. This time G1zm0 tackles Nessus.

San Francisco…Here We Come!

I’ll be in San Francisco as part of JHT’s Annual Sponsorship of the IoT Village. Come say hi at BSidesSF March 21 – 22 and also at RSAC March 23 – 26. Get some swag and play with brand new, hands-on mini workshops!

We’re also supporting WiCyS (Women in CyberSecurity) as a Strategic Partner for 2026. This includes their presence at RSAC as well as several special events and contests throughout the year. Stay tuned for some big announcements!

Save Big with Bundles!

• The ā€œMishaalā€ Bundle: Get EVERYTHING Mishaal Khan has on JHT for only $345 (25% Off)! At a fraction of what he charges for a single in-person course, you get 4 courses (3 OSINT, 1 OpSec) & 2 geoINT Hack-Alongs.
• Mastering Active Directory Security (MADS) Volumes 1 – 3: (20% Off)
• WMD Intro Path includes courses 1 – 3: (46% Off)
• 7 CTF Bundle: 50% Off
• 7 Hack-Along Bundle: 75% Off

Forget the Noise. Get to Just Hacking!

Social

ContinuumCon is back! 🎉

Kind of!! As “back” as you can get for a cybersecurity conference that doesn’t end. 😆

ContinuumCon is a virtual, hands-on cybersecurity conference running June 12–14, 2026. It’s built around practical workshops and interactive labs across core blue-team and reverse-engineering domains. It’s hosted by Level Effect and my team at Just Hacking Training, with community happening in Discord and content organized by tracks like DFIR, Detection Engineering, Reverse Engineering, Threat Hunting, Malware Analysis, CTI, SecOps, Tactical GRC, and AI/ML.

If you want the best parts of a con (learning by doing, labs that actually work, and content you can come back to when your brain is ready), that’s the vibe we strive for at ContinuumCon. Show up live for the energy, then keep the workshops for when it’s 2AM and you’ve decided today is the day you finally learn detection engineering. 😅

Got feedback?

Are you loving this thing? Can it be improved? Either way, I want to know.

Please reply to this email and let me know what you’re loving — and what you’d love to see in the next edition.

Thank you!