Podcast Detail

SANS Stormcast Tuesday, February 17th, 2026: 64Bit Malware; Password Manager Weaknesses; OpenClaw Config Theft;

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9812.mp3


2026 64-Bits Malware Trend
https://isc.sans.edu/diary/2026%2064-Bits%20Malware%20Trend/32718


A Comparative Security Analysis of Three Cloud-based Password Managers
https://zkae.io

Infostealer Infection Targeting OpenClaw Configurations
https://www.infostealers.com/article/hudson-rock-identifies-real-world-infostealer-infection-targeting-openclaw-configurations/

Podcast Transcript

Hello and welcome to the Tuesday, February 17th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu undergraduate certificate program in Applied Cybersecurity.

Xavier today took a look at, well, some of the malware evolution over the last few years, in particular when it comes to 32-bit versus 64-bit malware. Backwards compatibility can always be a little bit sort of an innovation hurdle in the sense that, well, if it still works, why change it? And that has been very true for malware in that most malware has for many years now been 32-bit, even though after 64-bit systems have become sort of commonly available and pretty much the default. But what Xavier noted was that lately there is about an even split between 64-bit and 32-bit malware. So it looks like there's a little bit of a tipping point happening here where we will have more 64-bit malware than 32-bit. A little bit about the methodology here. Xavier used Malware Bazaar. Malware Bazaar offers a real nice sort of downloadable malware repository with daily files. And Xavier looked at a terabyte worth of compressed malware in order to compile the statistics. So it should be pretty good here and cover a pretty good percentage of the malware ecosystem.

And well, I've mentioned before that password managers are pretty much a must that you have to implement these days. The problem being that pretty much all of the big password managers, they opt for a cloud-based synchronization scheme, in part, well, for economic reasons, to be able to charge subscription fees. But the problem now becomes, well, how secure are those keys in the cloud? And of course, there's a lot of transparency as to how these keys are exactly stored. Now, given how you have to authenticate to the cloud and such, you can draw some conclusions. But now we have a real nice comprehensive paper by researchers at ETH Zurich and the Università della Svizzera italiana, sorry for mispronouncing that, likely. The problem is, of course, that when you're dealing with cloud-based storage, you must store the keys somewhere. And in the case of these password managers, the keys themselves are then encrypted with secrets only known to the user. But there are still a couple of issues, and some of them pretty much unfixable. 1Password sort of has an older document, paper, blog post where they talk a little bit about this. But for example, where it can be difficult to authenticate, in particular when you're sharing passwords within this password manager ecosystem, whether or not you're authenticating or whether you're sharing these keys with the correct individual. That's sort of one of the issues they're pointing out here. They looked at a number of different attacks and looked at sort of the four, I think, biggest vendors of password managers. So, really a nice document, and hopefully some of these issues can be fixed. And well, that may be down the road. There will eventually be a non-cloud-based option, which I think only one or two of the sort of commonly used password managers offer right now.

So, without solid credential management, like provided by some of those password managers, well, you often end up with simple text-based configuration files that contain secrets like API keys. And of course, they're ripe for the taking. The latest example is an infostealer that was discovered that goes specifically after OpenClaw configurations. OpenClaw, the current sort of viral agentic AI tool, that of course does interface with lots and lots of different APIs, in particular some of these AI systems like, you know, Claude and OpenAI, that these agents often have substantial access to credits that the user bought for them to use. So, no surprise here. Yes, the configuration file is easily found. It's in a standard location. I do believe that OpenClaw, at least as an option, adds support for things like 1Password that can serve as a more secure storage for these credentials.

Well, and that's it for today. So, thanks for listening. Thanks for liking and thanks for subscribing to this podcast. Did I miss a story? Well, please let me know. And thanks and talk to you again tomorrow. Bye. So, for now, thank you.
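The first story counts how much of a malware corpus is 32-bit versus 64-bit. The following Python is an added example, not code from the ISC diary or from Malware Bazaar: it classifies a Windows PE file by reading the COFF header's Machine field together with the optional header's Magic field (PE32 versus PE32+), requires the two to agree, and tallies the split over a set of files. The sample inputs are constructed header-only stubs built by `build_stub_pe`, not real samples; on a real corpus you would feed it the bytes of each downloaded file.

```python
"""Count 32-bit vs 64-bit Windows executables in a sample set.

Added example (not the diary's code): classify each file from its PE headers
and tally the split. The inputs used below are constructed header-only stubs.
"""
import struct
from collections import Counter
from typing import Dict, Iterable

# COFF header Machine values (from winnt.h).
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_MACHINE_ARM64 = 0xAA64
# Optional header Magic values: PE32 (32-bit) and PE32+ (64-bit).
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_bitness(data: bytes) -> str:
    """Return '32-bit', '64-bit', 'other' or 'not-pe' for a file's bytes.

    Both header fields must agree; a mismatch is reported as 'other' so that
    tampered or unusual headers show up in the count instead of being guessed.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need: PE signature (4) + COFF header (20) + optional header Magic (2).
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    if opt_size < 2:
        return "other"  # no optional header: object file or damaged image
    (opt_magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    if machine == IMAGE_FILE_MACHINE_I386 and opt_magic == PE32_MAGIC:
        return "32-bit"
    if machine in (IMAGE_FILE_MACHINE_AMD64, IMAGE_FILE_MACHINE_ARM64) and opt_magic == PE32PLUS_MAGIC:
        return "64-bit"
    return "other"


def tally(samples: Iterable[bytes]) -> Dict[str, int]:
    """Count classifications over a collection of file contents."""
    return dict(Counter(pe_bitness(s) for s in samples))


def split_percent(counts: Dict[str, int]) -> Dict[str, float]:
    """32-bit vs 64-bit share among the PE files only (others are excluded)."""
    n32, n64 = counts.get("32-bit", 0), counts.get("64-bit", 0)
    total = n32 + n64
    if total == 0:
        return {"32-bit": 0.0, "64-bit": 0.0}
    return {"32-bit": 100.0 * n32 / total, "64-bit": 100.0 * n64 / total}


def build_stub_pe(machine: int, opt_magic: int) -> bytes:
    """Constructed, non-runnable header-only PE image used as sample input."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    coff_header = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xF0, 0x0102)
    optional_header = struct.pack("<H", opt_magic) + b"\0" * (0xF0 - 2)
    return dos_header + b"PE\0\0" + coff_header + optional_header


if __name__ == "__main__":
    # Constructed corpus: two 32-bit, two 64-bit, one non-PE file.
    corpus = [
        build_stub_pe(IMAGE_FILE_MACHINE_I386, PE32_MAGIC),
        build_stub_pe(IMAGE_FILE_MACHINE_I386, PE32_MAGIC),
        build_stub_pe(IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC),
        build_stub_pe(IMAGE_FILE_MACHINE_ARM64, PE32PLUS_MAGIC),
        b"#!/bin/sh\necho not a PE file\n",
    ]
    counts = tally(corpus)
    print(counts)  # {'32-bit': 2, '64-bit': 2, 'not-pe': 1}
    print(split_percent(counts))  # {'32-bit': 50.0, '64-bit': 50.0}
```

Only the first few hundred bytes of each file are needed, so on a terabyte-scale corpus you can read a fixed-size prefix per file instead of loading whole samples into memory. Keeping the "other" bucket visible matters: a run of samples whose Machine and Magic disagree is itself a signal worth triaging rather than noise to drop.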
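The third story is about API keys sitting in plaintext in an agent's configuration file. The Python below is an added example, not OpenClaw's code and not the infostealer report's: it audits a JSON config from the defender's side, reporting which secret-looking fields hold literal values, which ones already point at an external store (environment placeholders or 1Password-style `op://` references, an assumption about how the audited tool resolves them), and whether the file is readable by other local users. The config layout, key names and the sample values are constructed for the demo and are not OpenClaw's real format.

```python
"""Audit an agent config file for credentials stored in plaintext.

Added example (not OpenClaw's code). The config structure and values below are
constructed; the reference syntax it recognises is an assumption.
"""
import json
import os
import re
import stat
import tempfile
from typing import Any, Dict, List, Tuple

# Key names that usually hold credentials.
SECRET_KEY_RE = re.compile(r"(api[_-]?key|secret|token|password|credential)", re.I)
# Values that point at a secret store instead of holding the secret itself:
# ${ENV_VAR} placeholders and 1Password-style op:// references. Assumption:
# the tool being audited resolves these at runtime.
REFERENCE_RE = re.compile(r"^(\$\{[A-Z0-9_]+\}|op://.+)$")


def walk_secret_fields(obj: Any, path: str = "") -> List[Tuple[str, str]]:
    """Return (json_path, value) for every string stored under a secret-looking key."""
    hits: List[Tuple[str, str]] = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            here = f"{path}.{key}" if path else key
            if isinstance(val, (dict, list)):
                hits.extend(walk_secret_fields(val, here))
            elif isinstance(val, str) and val and SECRET_KEY_RE.search(key):
                hits.append((here, val))
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            hits.extend(walk_secret_fields(val, f"{path}[{idx}]"))
    return hits


def redact(value: str) -> str:
    """Keep a recognisable prefix only; the report must never echo the secret."""
    return f"{value[:4]}...{value[-2:]}" if len(value) > 8 else "***"


def audit_config(path: str) -> Dict[str, Any]:
    """Classify secret fields as plaintext or store references and check file mode."""
    with open(path, "r", encoding="utf-8") as fh:
        data = json.load(fh)
    plaintext: List[Tuple[str, str]] = []
    references: List[str] = []
    for json_path, value in walk_secret_fields(data):
        if REFERENCE_RE.match(value):
            references.append(json_path)
        else:
            plaintext.append((json_path, redact(value)))
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "file": path,
        "plaintext": plaintext,
        "references": references,
        "world_readable": bool(mode & stat.S_IROTH),
    }


# Constructed sample config; the key values are placeholders, not real credentials.
SAMPLE_CONFIG = {
    "model": "example-model",
    "providers": {
        "openai": {"api_key": "sk-EXAMPLE0123456789abcdef"},
        "claude": {"api_key": "${CLAUDE_API_KEY}"},
        "other": {"api_key": "op://Vault/Item/credential"},
    },
    "tools": [{"name": "search", "token": "tok_EXAMPLE_abcdef12345"}],
}


def demo() -> Dict[str, Any]:
    """Write the constructed config with loose permissions and audit it."""
    tmpdir = tempfile.mkdtemp()
    cfg = os.path.join(tmpdir, "agent-config.json")
    with open(cfg, "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_CONFIG, fh)
    os.chmod(cfg, 0o644)  # readable by every local user: one of the findings
    return audit_config(cfg)


if __name__ == "__main__":
    report = demo()
    for json_path, shown in report["plaintext"]:
        print(f"PLAINTEXT  {json_path} = {shown}")
    for json_path in report["references"]:
        print(f"REFERENCE  {json_path}")
    print("world-readable:", report["world_readable"])
```

Each plaintext hit is a candidate for moving into the password manager or environment the tool supports, after which the audit should report it under `references`; the permission check catches the case where the secrets were moved but the old file, still readable by other accounts, was left behind.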