Cheers broke out during Al Jazeera’s Teresa Bo’s live report as a Syrian military convoy reached the town square of Tel Brak in northern Syria. It’s part of the nationwide unification of Syria after the central government reached a deal with the Kurdish-led Syrian Democratic Forces.
Published On 3 Feb 2026
Sir Keir Starmer and the Labour high command may be relieved that Peter Mandelson has quit the House of Lords.
But for both the prime minister and the soon-to-be ex-peer, their humiliation and torment may be about to get even worse.
Mr Mandelson faces a full-blown probe by the Met’s specialist crime team into allegations of misconduct in public office, for which the maximum penalty is life imprisonment.
Jeffrey Epstein scandal – latest
Yes, really! It’s that serious.
In an interview with The Times carried out last week but published on Monday, Mandelson referred to a “handful of misguided historical emails, which I deeply regret sending”.
On other claims, Lord Mandelson questioned the authenticity of the documents, citing false claims he had a US social security number, questionable US-dollar cheque payments into UK banks, incorrect beneficiary details, and multiple basic errors in dates, spelling and formatting.
The police investigation, no doubt extremely complex, could last several months, and if he’s prosecuted, Mr Mandelson’s agony could last years, even if he’s acquitted.
The torment for the prime minister is more immediate.
He faces a potentially painful onslaught from Kemi Badenoch at Wednesday’s Prime Minister’s Questions, followed by a bruising Commons debate.
The PM must be cursing the parliamentary calendar, because Wednesday is an opposition day in the Commons, which means the Conservatives choose the business.
And this time the Tories are using a tactic used by Labour in opposition.
In the parliamentary jargon, it’s called a humble address, which means the Tory motion demands publication of all the papers relating to Sir Keir’s appointment of Mr Mandelson as ambassador to the US.
Yes, all of them! In theory, at least. A paper trail, in other words.
It’s a device Labour employed with some success during the endless Commons debates on Brexit a few years back when Sir Keir was opposition leader.
This time, though, the prime minister could face a major rebellion from Labour backbenchers if he whips his MPs to vote against the Tory motion. But will he?
“I’ll vote for a paper trail to be released,” left-wing serial rebel Richard Burgon told Sky News. “But there shouldn’t be a vote. They shouldn’t be opposing the motion.
“It would be crazy to do so. We can’t have a situation where the government is dragged kicking and screaming to do the right thing.”
The government is not falling into the Tory trap, however. It will commit to publishing documents about the Mandelson appointment.
But ministers have tabled an amendment to the Conservative motion proposing an exemption for papers affecting national security.
The PM’s amendment adds: “Except papers prejudicial to UK national security of international relations.”
Which could, of course, mean there are a large number of exemptions. Too many, the Conservatives may claim.
Kemi Badenoch claims the normal procedures were “waived away” so the prime minister could appoint Mr Mandelson as ambassador, despite his close relationship with a convicted paedophile.
“Let’s see all the correspondence, emails, mobile phone records,” she said. “We want to see everything.”
The Tories also plan to turn up the heat on the PM’s controversial chief of staff, Morgan McSweeney, a man who’s already the pantomime villain of Labour’s woes and blunders.
“Morgan McSweeney, a close protégé of Peter Mandelson, was involved in the vetting,” said the Tory leader. “Morgan McSweeney is a man whose fingerprints are all over this embarrassment.”
Read more on Sky News:
Mandelson quits Labour Party over Epstein links
Mandelson ‘has no recollection’ of $75,000
Scandal-tainted career is over
For the PM, the Mandelson nightmare couldn’t have come at a worse time. His poll ratings are through the floor, he faces a horrible by-election on 26 February and horrendous local and national elections in May.
The mavericks and malcontents on the Labour benches claim the only question about Sir Keir’s survival is when his mutineers move to oust him: after the by-election or after the May elections.
McSweeney, therefore, could be a convenient scapegoat, sacrificed to save an embattled prime minister.
A No 10 svengali dumped just like Alastair Campbell, Andy Coulson and Dominic Cummings were before him.
The only winners from the Mandelson fiasco are Westminster’s opposition parties. Not just the Conservatives, either. The Liberal Democrats and Scottish National party led demands for the police investigation.
Despite the PM’s tough talk and his claim that Mandelson “let his country down”, a damning verdict of his bad judgement in him could mean he ends up being as big a loser as the Prince of Darkness himself.
NEWYou can now listen to Fox News articles!
Leaked documents from the Iranian regime reveal a coordinated plan by its security apparatus, approved by Supreme Leader Ayatollah Ali Khamenei, to violently suppress nationwide protests using force, surveillance and internet shutdowns.
Excerpts of the documents, reviewed by Fox News Digital, show that Iran’s Supreme National Security Council developed the strategy after the 2019 nationwide protests that came amid fuel price hikes and economic collapse.
At a National Council of Resistance of Iran (NCRI) press briefing Tuesday covering the regime’s pre-planned orders behind the protests and mass killings, Alireza Jafarzadeh, deputy director of the Washington office, said the documents “were obtained from within the regime” and later cited The People’s Mojahedin Organization of Iran (MEK) as having gained access to them.
“This Directive by the National Security Council was obtained by the network in Iran of the MEK, which has access to sources within the regime,” he confirmed to Fox News Digital.
Iranian security forces escalated from pellet guns to live ammunition during protests. (Getty)
“These documents show the regime’s efforts to prevent the resurgence of the uprising and, if it occurred, to suppress it,” Jafarzadeh added before stating that there are “clear operational plans allocated to the IRGC to use lethal force to kill as many people as needed to stay in power.”
The first document, classified “top secret,” was issued Mar. 3, 2021, with the regime codifying four escalating law enforcement and security conditions. The regime defined how unrest would be handled and which authorities would be in command at each stage.
Initial law enforcement and non-armed security situations placed command authority with Iran’s national police force, with support from the Islamic Revolutionary Guard Corps (IRGC) and the Intelligence Ministry (VAJA).
In the most severe category, designated an “armed security situation,” full command authority rapidly shifted to the IRGC.
“For now, this compilation should be communicated for two years,” Khamenei wrote before ordering the blueprint implemented nationwide.
Iran’s Supreme Leader, Ayatollah Ali Khamenei, approved a detailed plan for protest suppression. (Getty Images)
The secret guidelines became the blueprint for crushing the January 2026 protests, which erupted amid soaring inflation, currency collapse and anger toward clerical rule.
According to the Human Rights Activists News Agency (HRANA), at least 6,854 people have been killed during the protests, with 11,280 cases under investigation.
Internal regime assessments cited in other leaked files describe three phases of the 2026 uprising: an initial law enforcement phase, followed by a non-armed security phase and finally an armed security situation beginning Jan. 8 when authority shifted fully to the IRGC that played the command role and carried out armed killings.
The documents specify that during armed security situations, the IRGC operated with support from other security bodies, while Iran’s Ministry of Communications was ordered to impose internet restrictions, including full shutdowns.
At a press briefing, NCRI Deputy Director, Washington office, Alireza Jafarzadeh outlined how Iranian regime documents showed the regime’s crackdown strategy. (National Council of Resistance of Iran (NCRI))
A second classified document, compiled in 2024 by the IRGC’s Sarallah Headquarters, reveals how far the regime went to prepare for dissent.
The 129-page “Comprehensive Security Plan of Tehran” details extensive surveillance and repression measures, identifying members of the opposition MEK and family members of executed dissidents as “level number one” enemies subject to monitoring and control.
CLICK HERE TO DOWNLOAD THE FOX NEWS APP
“It also shows how far the regime is prepared to go to kill as many people as needed, which they did in January 2026. However, these killings further convinced the people that there is only one way to end the killings, and that is to overthrow the regime,” Jafarzadeh added.
“There are more people, especially young ones, who have joined the ranks of the organized force to confront the IRGC and liberate the nation,” he said.
The Russia-linked state-sponsored threat actor known as APT28 (aka UAC-0001) has been attributed to attacks exploiting a newly disclosed security flaw in Microsoft Office as part of a campaign codenamed Operation Neusploit.
Zscaler ThreatLabz said it observed the hacking group weaponizing the shortcoming on January 29, 2026, in attacks targeting users in Ukraine, Slovakia, and Romania, three days after Microsoft publicly disclosed the existence of the bug.
The vulnerability in question is CVE-2026-21509 (CVSS score: 7.8), a security feature bypass in Microsoft Office that could allow an unauthorized attacker to send a specially crafted Office file and trigger it.
The Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), and Office Product Group Security Team, along with Google Threat Intelligence Group (GTIG), have been credited with discovering and reporting the flaw.
“Social engineering lures were crafted in both English and localized languages (Romanian, Slovak, and Ukrainian) to target the users in the respective countries,” security researchers Sudeep Singh and Roy Tay said. “The threat actor employed server-side evasion techniques, responding with the malicious DLL only when requests originated from the targeted geographic region and included the correct User-Agent HTTP header.”
The attack chains, in a nutshell, entail the exploitation of the security hole by means of a malicious RTF file to deliver two different versions of a dropper, one that’s designed to drop an Outlook email stealer called MiniDoor, and another, referred to as PixyNetLoader, that’s responsible for the deployment of a Covenant Grunt implant.
The first dropper acts as a pathway for serving MiniDoor, a C++-based DLL file that steals a user’s emails in various folders (Inbox, Junk, and Drafts) and forwards them to two hard-coded threat actor email addresses: ahmeclaw2002@outlook[.]com and ahmeclaw@proton[.]me. MiniDoor is assessed to be a stripped-down version of NotDoor (aka GONEPOSTAL), which was documented by S2 Grupo LAB52 in September 2025.
In contrast, the second dropper, i.e., PixyNetLoader, is used to initiate a much more elaborate attack chain that involves delivering additional components embedded into it and setting up persistence on the host using COM object hijacking. Among the extracted payloads are a shellcode loader (“EhStoreShell.dll”) and a PNG image (“SplashScreen.png”).
The primary responsibility of the loader is to parse shellcode concealed using steganography within the image and execute it. That said, the loader only activates its malicious logic if the infected machine is not an analysis environment and when the host process that launched the DLL is “explorer.exe.” The malware stays dormant if the conditions are not met.
The extracted shellcode, ultimately, is used to load an embedded .NET assembly, which is nothing but a Grunt implant associated with the open source .NET COVENANT command-and-control (C2) framework. It’s worth noting that APT28’s use of the Grunt Stager was highlighted by Sekoia in September 2025 in connection with a campaign named Operation Phantom Net Voxel.
“The PixyNetLoader infection chain shares notable overlap with Operation Phantom Net Voxel,” Zscaler said. “Although the earlier campaign used a VBA macro, this activity replaces it with a DLL while retaining similar techniques, including (1) COM hijacking for execution, (2) DLL proxying, (3) XOR string encryption techniques, and (4) Covenant Grunt and its shellcode loader embedded in a PNG via steganography.”
The disclosure coincides with a report from the Computer Emergency Response Team of Ukraine (CERT-UA) that also warned of APT28’s abuse of CVE-2026-21509 using Word documents to target more than 60 email addresses associated with central executive authorities in the country. Metadata analysis reveals that one of the lure documents was created on January 27, 2026.
“During the investigation, it was found that opening the document using Microsoft Office leads to establishing a network connection to an external resource using the WebDAV protocol, followed by downloading a file with a shortcut file name containing program code designed to download and run an executable file,” CERT-UA said.
This, in turn, triggers an attack chain that’s identical to PixyNetLoader, resulting in the deployment of the COVENANT framework’s Grunt implant.
Omar Shakir, who has worked for the rights group for more than 10 years, says he has lost faith in the organisation.
The Israel-Palestine director of Human Rights Watch (HRW) has resigned in protest, saying the organisation’s new chief blocked a report accusing Israel of committing “crimes against humanity” in its denial of Palestinian refugees’ right of return.
Omar Shakir, who has worked for the rights group for more than 10 years, told Al Jazeera on Tuesday that the report “sought to connect the erasure of camps in Gaza with the emptying of camps in the West Bank, with the full assault led by the Israeli government against UNRWA, the [United Nations] aid agency for Palestinian refugees and underscoring how in the midst of this Nakba 2.0 that we’re seeing unfold beyond us, it’s critical that we learn the lessons from Nakba 1.0”.
The Nakba, which means “catastrophe”, refers to the forced displacement of 750,000 Palestinians expelled from their homes and land by Zionist armed groups and then the newly created state of Israel in 1948. Thousands of Palestinians were also killed during the Nakba.
Shakir said the report documented how the denial of return “amounts to a crime against humanity”.
He said he had been told that Executive Director Philippe Bolopion, who took the helm of HRW late last year, was worried the report would be misread by “detractors” as a call to “demographically extinguish the Jewishness of the Israeli state”, according to his resignation letter seen by Al Jazeera and dated January 15.
Shakir wrote: “Through this process, I have lost my faith in the integrity of how we do our work and our commitment to principled reporting on the facts and application of the law.”
The report was slated to be published on December 4 and had been given the greenlight by others in HRW during an internal review, Shakir said.
In a statement to Al Jazeera, HRW said it had received the resignations of two people working on Israel-Palestine after “a decision to pause the publication of a draft report on the right of return of Palestinian refugees”.
“The report in question raised complex and consequential issues. In our review process, we concluded that aspects of the research and the factual basis for our legal conclusions needed to be strengthened to meet Human Rights Watch’s high standards,” the group said.
“For that reason, the publication of the report was paused pending further analysis and research. This process is ongoing.”
In his letter, Shakir said he has received criticism from those in Israel as well as Palestine throughout his time at HRW.
“My strongest defense has been saying with full conviction that we hold our Israel/Palestine work to the same standard as the other 100 countries we cover,” he wrote.
But his stint had its challenges, he added.
“At times, some in the organization, driven by bias, pressure, politics or cowardice, have tried to manipulate our findings on Israel/Palestine to arrive at their preferred outcomes, but, throughout my tenure, the review process ensured we published the facts as we documented them and the findings that derived from our principled and consistent application of the law.”
At HRW, Shakir investigated rights abuses in Israel, the occupied West Bank and Gaza and documented how Israel instituted an apartheid system and persecuted Palestinians.
In 2019, the Israeli government deported him due to his advocacy.
In a report in late 2024, HRW said Israel had “deliberately inflicted conditions of life calculated to bring about the destruction of part of the population in Gaza by intentionally depriving Palestinian civilians there of adequate access to water, most likely resulting in thousands of deaths”.
That, the group said at the time, made the Israeli authorities “responsible for the crime against humanity of extermination and for acts of genocide”.
Andrew Mountbatten-Windsor has moved out of Royal Lodge, as police assess claims that a woman was sent to the former duke by Jeffrey Epstein in 2010.
The former duke’s move is part of a permanent move to Norfolk, which may take some time, according to Sky’s royal correspondent Rhiannon Mills.
Andrew is now living in a house on Sandringham Estate in Norfolk, which is seen as temporary accommodation.
There will be a further move in the coming months once final arrangements have been made.
The Palace had announced last October that the King had started the process of removing the style, title and honours of the former prince after the Epstein-linked allegations against him had started to “distract” from the Royal Family’s work.
It comes as Thames Valley Police said it is assessing a claim that a woman was sent by Epstein to Andrew at Royal Lodge in 2010.
The encounter allegedly took place when the woman was in her 20s, her lawyer told the BBC earlier this week.
A Thames Valley Police spokesperson said: “We are aware of reports about a woman said to have been taken to an address in Windsor in 2010 for sexual purposes.
“We are assessing the information in line with our established procedures. We take any reports of sexual crimes extremely seriously and encourage anyone with information to come forward.
“At this time, these allegations have not been reported to Thames Valley Police by either the lawyer or their client.”
Read more:
Epstein survivors condemn US government’s handling of files
Epstein files: The key findings so far
Andrew has not commented on the latest claims but has previously denied any wrongdoing related to Epstein.
NEWYou can now listen to Fox News articles!
Royal experts warned that Crown Princess Mette-Marit’s attempt to frame her ties to Jeffrey Epstein as an “incidental brush with a bad guy” is unraveling, after newly unsealed documents reignited scrutiny of her judgment and credibility.
Mette-Marit was mentioned in over 1,000 files recently released from multiple investigations into the late-financier. Mette-Marit was involved in “contact and meetings” with Epstein between 2011 and 2013 and continued communication with him into 2014, according to the Norwegian outlet VG.
The document release has compounded pressure on Norway’s royal family as questions mount over her past and her future role.
“Jeffrey Epstein is solely responsible for his actions. I must take responsibility for not having investigated Epstein’s background more thoroughly, and for not realizing sooner what kind of person he was,” Mette-Marit said in a statement provided to Fox News Digital.
PRINCESS SOFIA OF SWEDEN MET JEFFREY EPSTEIN A FEW TIMES BUT DENIES ANY TIES, PALACE SAYS
Crown Princess Mette-Marit is facing renewed scrutiny over her ties to the late Jeffrey Epstein. (Per Ole Hagen / Getty Images)
“I deeply regret this, and it is a responsibility I must bear. I showed poor judgment and regret having had any contact with Epstein at all. It is simply embarrassing. I wish to express my deep sympathy and solidarity with the victims of the abuse committed by Jeffrey Epstein.”
The never-before-seen communications between Mette-Marit and Epstein surfaced in the latest batch of documents released by the Department of Justice (DOJ). The DOJ released more than three million Epstein records, including his personal emails, Friday.
Mette-Marit’s apology likely will “deepen the crisis” because it draws attention to the timeline of her contact with Epstein, royal commentator Amanda Matta told Fox News Digital.
“This is actually her second time apologizing for her relationship with him, and it will now be ten times harder to file this away as an incidental brush with a bad guy,” Matta explained. “The newly released emails, more extensive than what the public previously understood, open many, many channels to question the Crown Princess’s judgment. Why did she keep contact going? Why didn’t she ‘understand more quickly’ what Epstein was, and that he was not the sort of person she would want to be publicly associated with?”
Jeffrey Epstein and Mette-Marit continued communication into 2014, despite the palace claiming correspondence ended in 2013. (Rick Friedman/Rick Friedman Photography/Corbis via Getty Images)
LIKE WHAT YOU’RE READING? CLICK HERE FOR MORE ENTERTAINMENT NEWS
Crown Princess Mette-Marit of Norway is married to Crown Prince Haakon of Norway. (Michael Campanella / Getty Images)
Experts specifically questioned Mette-Marit’s timeline of contact after she previously claimed contact with Epstein ceased in 2013.
“And then we also have to investigate whether the palace’s previous framing was incomplete,” she said. “They previously stated that MM’s last contact with JE was in 2013, and we now see that it was actually 2014. The public now knows that they weren’t told the whole truth the first time, and palace officials are painting this as a ‘mistake’ or ‘accident.’ But trust is being eroded in the process. Even if there was no wrongdoing, that will leave a bad taste in people’s mouths.”
Multiple royals have been tied to Epstein, including former Prince Andrew and Sweden’s Princess Sofia. The Royal Court of Sweden admitted that Princess Sofia did meet with Epstein on multiple occasions but had no ties to the convicted sex offender.
“Sofia was introduced a few times around 2005, didn’t accept an invite to gatherings with him, and hasn’t had contact for 20 years,” Matta said. “Mette Marit was voluntarily and enthusiastically close with Epstein.”
Mette-Marit’s Epstein ties create a different situation for the crown princess than Princess Sofia, according to a royal commentator. (Michael Campanella/Getty Images)
The email drop including Mette-Marit couldn’t have come “at a worse time,” royal commentator Meredith Constant told Fox News Digital.
“That’s on top of the fact that her son was just arrested on another charge ahead of his trial,” she added. “This crisis with The Crown Princess makes Princess Märtha Louis and Shaman Durek’s documentary last year look quaint.”
The son of Norway’s crown princess pleaded not guilty to rape charges as he went on trial Tuesday for multiple alleged offenses, opening weeks of proceedings in a case that has cast a shadow on the royal family’s image.
CLICK HERE TO SIGN UP FOR THE ENTERTAINMENT NEWSLETTER
Crown Princess Mette-Marit’s son, Marius Borg Hoiby, is on trial. (Julian Parker / UK Press)
Marius Borg Høiby, 29, is the eldest son of Crown Princess Mette-Marit from a previous relationship and the stepson of the heir to the throne, Crown Prince Haakon. Høiby has no royal title or official duties.
“Coupled with her son’s ongoing trial and new arrests, I honestly don’t know what the path forward looks like for Mette-Marit,” Matta said.
“Norwegians are already openly questioning whether she is fit to be queen after this,” the royal expert added. “25 years ago, the same questions were being asked about her prior to her wedding. If the royal house isn’t treating this as a full-blown crisis, they should be.”
CLICK HERE TO DOWNLOAD THE FOX NEWS APP
The Associated Press contributed to this report.
KrebsOnSecurity.com celebrates its 16th anniversary today! A huge “thank you” to all of our readers — newcomers, long-timers and drive-by critics alike. Your engagement this past year here has been tremendous and truly a salve on a handful of dark days. Happily, comeuppance was a strong theme running through our coverage in 2025, with a primary focus on entities that enabled complex and globally-dispersed cybercrime services.
Image: Shutterstock, Younes Stiller Kraske.
In May 2024, we scrutinized the history and ownership of Stark Industries Solutions Ltd., a “bulletproof hosting” provider that came online just two weeks before Russia invaded Ukraine and served as a primary staging ground for repeated Kremlin cyberattacks and disinformation efforts. A year later, Stark and its two co-owners were sanctioned by the European Union, but our analysis showed those penalties have done little to stop the Stark proprietors from rebranding and transferring considerable network assets to other entities they control.
In December 2024, KrebsOnSecurity profiled Cryptomus, a financial firm registered in Canada that emerged as the payment processor of choice for dozens of Russian cryptocurrency exchanges and websites hawking cybercrime services aimed at Russian-speaking customers. In October 2025, Canadian financial regulators ruled that Cryptomus had grossly violated its anti-money laundering laws, and levied a record $176 million fine against the platform.
In September 2023, KrebsOnSecurity published findings from researchers who concluded that a series of six-figure cyberheists across dozens of victims resulted from thieves cracking master passwords stolen from the password manager service LastPass in 2022. In a court filing in March 2025, U.S. federal agents investigating a spectacular $150 million cryptocurrency heist said they had reached the same conclusion.
Phishing was a major theme of this year’s coverage, which peered inside the day-to-day operations of several voice phishing gangs that routinely carried out elaborate, convincing, and financially devastating cryptocurrency thefts. A Day in the Life of a Prolific Voice Phishing Crew examined how one cybercrime gang abused legitimate services at Apple and Google to force a variety of outbound communications to their users, including emails, automated phone calls and system-level messages sent to all signed-in devices.
Nearly a half-dozen stories in 2025 dissected the incessant SMS phishing or “smishing” coming from China-based phishing kit vendors, who make it easy for customers to convert phished payment card data into mobile wallets from Apple and Google. In an effort to wrest control over this phishing syndicate’s online resources, Google has since filed at least two John Doe lawsuits targeting these groups and dozens of unnamed defendants.
In January, we highlighted research into a dodgy and sprawling content delivery network called Funnull that specialized in helping China-based gambling and money laundering websites distribute their operations across multiple U.S.-based cloud providers. Five months later, the U.S. government sanctioned Funnull, identifying it as a top source of investment/romance scams known as “pig butchering.”
Image: Shutterstock, ArtHead.
In May, Pakistan arrested 21 people alleged to be working for Heartsender, a phishing and malware dissemination service that KrebsOnSecurity first profiled back in 2015. The arrests came shortly after the FBI and the Dutch police seized dozens of servers and domains for the group. Many of those arrested were first publicly identified in a 2021 story here about how they’d inadvertently infected their computers with malware that gave away their real-life identities.
In April, the U.S. Department of Justice indicted the proprietors of a Pakistan-based e-commerce company for conspiring to distribute synthetic opioids in the United States. The following month, KrebsOnSecurity detailed how the proprietors of the sanctioned entity are perhaps better known for operating an elaborate and lengthy scheme to scam westerners seeking help with trademarks, book writing, mobile app development and logo designs.
Earlier this month, we examined an academic cheating empire turbocharged by Google Ads that earned tens of millions of dollars in revenue and has curious ties to a Kremlin-connected oligarch whose Russian university builds drones for Russia’s war against Ukraine.
An attack drone advertised on a website hosted in the same network as Russia’s largest private education company — Synergy University.
As ever, KrebsOnSecurity endeavored to keep close tabs on the world’s biggest and most disruptive botnets, which pummeled the Internet this year with distributed denial-of-service (DDoS) assaults that were two to three times the size and impact of previous record DDoS attacks.
In June, KrebsOnSecurity.com was hit by the largest DDoS attack that Google had ever mitigated at the time (we are a grateful guest of Google’s excellent Project Shield offering). Experts blamed that attack on an Internet-of-Things botnet called Aisuru that had rapidly grown in size and firepower since its debut in late 2024. Another Aisuru attack on Cloudflare just days later practically doubled the size of the June attack against this website. Not long after that, Aisuru was blamed for a DDoS that again doubled the previous record.
In October, it appeared the cybercriminals in control of Aisuru had shifted the botnet’s focus from DDoS to a more sustainable and profitable use: Renting hundreds of thousands of infected Internet of Things (IoT) devices to proxy services that help cybercriminals anonymize their traffic.
However, it has recently become clear that at least some of the disruptive botnet and residential proxy activity attributed to Aisuru last year likely was the work of people responsible for building and testing a powerful botnet known as Kimwolf. Chinese security firm XLab, which was the first to chronicle Aisuru’s rise in 2024, recently profiled Kimwolf as easily the world’s biggest and most dangerous collection of compromised machines — with approximately 1.83 million devices under its thumb as of December 17.
XLab noted that the Kimwolf author “shows an almost ‘obsessive’ fixation on the well-known cybersecurity investigative journalist Brian Krebs, leaving easter eggs related to him in multiple places.”
Image: XLab, Kimwolf Botnet Exposed: The Massive Android Botnet with 1.8 million infected devices.
I am happy to report that the first KrebsOnSecurity stories of 2026 will go deep into the origins of Kimwolf, and examine the botnet’s unique and highly invasive means of spreading digital disease far and wide. The first in that series will include a somewhat sobering and global security notification concerning the devices and residential proxy services that are inadvertently helping to power Kimwolf’s rapid growth.
Thank you once again for your continued readership, encouragement and support. If you like the content we publish at KrebsOnSecurity.com, please consider making an exception for our domain in your ad blocker. The ads we run are limited to a handful of static images that are all served in-house and vetted by me (there is no third-party content on this site, period). Doing so would help further support the work you see here almost every week.
And if you haven’t done so yet, sign up for our email newsletter! (62,000 other subscribers can’t be wrong, right?). The newsletter is just a plain text email that goes out the moment a new story is published. We send between one and two emails a week, we never share our email list, and we don’t run surveys or promotions.
Thanks again, and Happy New Year everyone! Be safe out there.
The legislation heads to US President Donald Trump’s desk for signature.
Published On 3 Feb 2026
The United States House of Representatives has approved a $1.2 trillion spending package to end a partial government shutdown.
The bipartisan legislation, passed on Tuesday, restores lapsed funding for key federal programmes, including those within the Departments of Labor and Education. The bill passed with 217 voting for it and 214 voting against in the Republican-controlled House.
Twenty-one Republicans voted against the bill, while 21 Democrats ended up voting for the legislation, which is now headed to President Donald Trump’s desk, where he will sign it into law.
Immigration was a major point of contention. The bill temporarily extends funding to the Department of Homeland Security (DHS) but leaves room for lawmakers to negotiate changes and reforms to immigration enforcement in the wake of federal agents killing two US citizens, Renee Good and Alex Pretti, last month.
The spending package only funds DHS for two weeks, through February 13. Otherwise, Congress wrapped up 11 annual appropriations bills that fund government agencies and programmes through September 30.
Democrats are also demanding new restraints for the Immigration and Customs Enforcement (ICE) agency.
“Democrats are united in our commitment to compel substantial reform at the Department of Homeland Security. Dramatic changes such as a mask ban, judicial warrant requirement, independent investigations when agents break the law, use of force protocols, mandatory body cameras and an end to the targeting of sensitive locations like houses of worship, schools and hospitals must be part of any full-year appropriations bill,” Democratic leader Hakeem Jeffries said in a statement after the vote.
Speaker Mike Johnson said he expects the two sides will be able to reach an agreement by the deadline.
“This is no time to play games with that funding. We hope that they will operate in good faith over the next 10 days as we negotiate this,” said Johnson. “The president, again, has reached out.”
Some Republicans on the party’s right flank had sought, unsuccessfully, to modify the bill to include a provision that would tighten voting requirements.
House Republicans have only a 218-214 majority, which means they can lose only one Republican vote in the face of united Democratic opposition.
The last government shutdown lasted a record 43 days in October and November, furloughing hundreds of thousands of federal workers and costing the US economy an estimated $11bn.
A criminal investigation has been launched into allegations that Peter Mandelson leaked market sensitive information from Downing Street to Jeffrey Epstein.
It comes after emails appeared to show conversations between the pair about political matters while Lord Mandelson was serving as business secretary and the de-facto deputy prime minister in 2009, in Gordon Brown’s government.
Politics live: How did we get here with Peter Mandelson?
The SNP, Lib Dems and Plaid Cymru had all called for a formal police inquiry, alleging potential misconduct in public office.
Commander Ella Marriott, of the Metropolitan Police, said: “Following the further release of millions of court documents in relation to Jeffrey Epstein by the United States Department of Justice, the Met received a number of reports into alleged misconduct in public office including a referral from the UK government.
“I can confirm that the Metropolitan Police has now launched an investigation into a 72-year-old man, a former government minister, for misconduct in public office offences.
“The Met will continue to assess all relevant information brought to our attention as part of this investigation and won’t be commenting any further at this time.”
Lord Mandelson is set to step down from the House of Lords following the latest revelations.
Documents released by the US Department of Justice on Monday indicate Epstein was sent internal discussions from the heart of the UK government after the global financial crisis.
That includes emails in which Lord Mandelson appeared to tell Epstein he was “trying hard” to change government policy on bankers’ bonuses, and to confirm an imminent bailout package for the euro the day before it was announced.
The peer also appeared to write to Epstein in June 2009 about an “interesting note that’s gone to the PM”, forwarding an assessment by Mr Brown’s adviser Nick Butler of potential policy measures including an “asset sales plan”.
Downing Street earlier said the Cabinet Office had referred how Lord Mandelson handled sensitive government information while he was a minister to the Metropolitan Police.
Mr Brown also said he had written to the force’s commissioner, Mark Rowley, about Lord Mandelson’s contact with Epstein.
The former PM said the alleged leak was “an inexcusable and unpatriotic act at a time when the whole government and country were attempting to address the global financial crisis that was damaging so many livelihoods”.
Lord Mandelson’s representatives have been contacted for comment.
He has previously said: “I was wrong to believe Epstein following his conviction [in 2008 for procuring a child for prostitution and of soliciting a prostitute] and to continue my association with him afterwards. I apologise unequivocally for doing so to the women and girls who suffered.”
And in an interview with The Times carried out last week but published on Monday, Mandelson referred to a “handful of misguided historical emails, which I deeply regret sending”.
On other claims, Lord Mandelson questioned the authenticity of the documents, citing false claims he had a US social security number, questionable US-dollar cheque payments into UK banks, incorrect beneficiary details, and multiple basic errors in dates, spelling and formatting.
Investigation ‘inevitable’
Conservative leader Kemi Badenoch said the news of the police investigation was “inevitable” and “welcome”.
She added: “We should not let this distract us from the fact the prime minister has his fingerprints all over this.
“He knew all of the allegations, concerns and reports about Peter Mandelson, knew that he was a close friend, an associate, of a convicted paedophile, and he still gave him the biggest job in the Foreign Office, at a time when UK-US relations are at a critical point.
“That’s what he chose to do, and he’s got a lot of questions to answer.”
This is in reference to Lord Mandelson’s public relationship with Epstein at the time he was chosen to be ambassador to the US (December 2024) and then appointed (February 2025).
He quit that position in September after new emails revealed that he sent messages of support to Epstein even as he faced jail for sex offences in 2008.
The revelations that have come out in recent weeks are a result of new documents published by the US Congress, and Downing Street has said it was not aware of these allegations until they were made public in recent days.