Information Security News | AI Aggregator

Please be mindful of possible hallucinations. Verify information prior to taking action.
Google: China's APT31 used Gemini to plan cyberattacks against US orgs
Date: 2026-02-12 | Source: The Register
A Chinese hacking group, APT31, has reportedly used Google's AI chatbot, Gemini, to analyze vulnerabilities and plan cyberattacks against U.S. organizations. Google’s Threat Intelligence Group noted that APT31 employed a structured approach to automate vulnerability analysis. The group exploited Microsoft SharePoint bugs and has faced U.S. sanctions. The report highlights concerns over adversaries automating attacks and the widening patch gap, urging security professionals to leverage AI for faster defense responses.
2026-02-12 | Infosecurity Magazine: Nation-State Hackers Embrace Gemini AI for Malicious Campaigns, Google Finds
A Google report published on February 12 reveals that nation-state hackers, including groups from Iran, China, and North Korea, are increasingly using AI, particularly Google’s Gemini, for malicious activities such as reconnaissance and social engineering. APT42 and UNC2970 have used AI for target profiling and operational data collection. Additionally, model extraction attacks have surged: attackers query a model at scale and train a copy on its responses (knowledge distillation) in order to replicate its capabilities for their own use.
2026-02-12 | TechRadar: AI malware, Gemini lures and more: Google reveals how hackers are actually using AI
The Google Threat Intelligence Group report reveals that threat actors are increasingly utilizing AI for malicious purposes. They employ distillation attacks to clone large language models, enabling them to create custom models for phishing and social engineering. State-sponsored groups, such as those from Iran and North Korea, leverage AI for intelligence gathering and crafting convincing phishing kits. Additionally, AI is integrated into malware, like HONESTCUE, to adapt and evade detection. Security solutions are countering this threat with AI tools for real-time threat analysis and phishing detection.
2026-02-12 | Times Now: Google Blocked Over 100000 Prompts Used By Hackers To Create Gemini Clone
Google reported blocking over 100,000 prompts utilized by hackers to create clones of its Gemini AI. An identified attack directed Gemini to ensure that the language in its output matched the user's input language. Google highlighted that government-backed threat actors are increasingly using large language models (LLMs) for technical research, targeting, and generating sophisticated phishing attempts.
2026-02-12 | Recorded Future: Nation-state hackers ramping up use of Gemini for target reconnaissance, malware coding, Google says
Nation-state hackers from China, North Korea, and Iran are leveraging Google's Gemini AI tool for reconnaissance and malware development. Google’s Threat Intelligence Group reported that APT groups are using Gemini for target profiling, phishing email crafting, and automating vulnerability analysis. Notably, the Iranian group APT42 used Gemini for reconnaissance and to accelerate malware development. Additionally, a new malware family, HONESTCUE, integrates Gemini's API for code generation, enhancing obfuscation and evading detection.
2026-02-12 | DIGIT: Threat Actors Turn to LLMs to Enhance Attacks, Google Says
Threat actors are increasingly utilizing large language models (LLMs) like Google's Gemini for cyber-attacks, according to research from Google Threat Intelligence Group. These models assist in target research, vulnerability investigation, and phishing lure creation. Notable activities include model extraction attacks and the use of AI for reconnaissance by state-backed groups. While AI-generated malware is still experimental, tools like HONESTCUE and COINBAIT indicate evolving tactics. Researchers warn of the potential for future AI-enhanced threats.
2026-02-12 | The Hacker News: Google Reports State-Backed Hackers Using Gemini AI for Recon and Attack Support
Google reported that the North Korea-linked group UNC2970 is using its Gemini AI for reconnaissance and attack support, synthesizing OSINT to profile high-value targets, particularly in cybersecurity and defense sectors. Other threat actors, including various Chinese groups, are also leveraging Gemini for intelligence gathering and malware development. Notably, malware HONESTCUE uses Gemini's API for code generation, while AI-generated phishing kit COINBAIT targets cryptocurrency users. Google identified model extraction attacks against Gemini, highlighting vulnerabilities in AI model security.
2026-02-12 | Ars Technica: Attackers prompted Gemini over 100,000 times while trying to clone it, Google says
Attackers have attempted to clone Google's Gemini AI chatbot over 100,000 times, using prompts in various languages to extract knowledge for a cheaper copy. Google labels this practice as "model extraction," equating it to intellectual property theft. The company asserts that such activities are primarily conducted by private firms seeking competitive advantages. Google's terms of service prohibit this data extraction, and while it has faced similar accusations, it denies any wrongdoing regarding its own data sourcing practices.
2026-02-12 | Cyberscoop: Google finds state-sponsored hackers use AI at ‘all stages’ of attack cycle
A Google report reveals state-sponsored hackers are utilizing the AI tool Gemini at various stages of the cyber attack cycle. While no fully automated attacks have been reported, Gemini aids in tasks such as reconnaissance, malware generation, and creating fake personas. Countries like North Korea, Iran, China, and Russia are experimenting with AI for espionage and information operations. The report indicates that smaller cybercriminal groups may benefit more from these advancements than state actors, though this could evolve.
Apple 0-Day Vulnerability Actively Exploited in Sophisticated Attack to Target Individuals
Date: 2026-02-12 | Source: Cyber Security News
Apple released iOS 26.3 and iPadOS 26.3 on February 11, 2026, addressing over 40 vulnerabilities, including a critical zero-day (CVE-2026-20700) in the dyld dynamic linker that was exploited in targeted attacks against high-profile individuals. The flaw, a memory corruption issue rooted in improper state management, allows arbitrary code execution, but only for an attacker who already has memory-write capability on the device; it is therefore one link in an exploit chain that begins with an earlier compromise (phishing is one plausible entry point). Apple fixed it by improving state management in dyld. Users should update immediately; enterprises should enforce the update through MDM policies and monitor for anomalies.
2026-02-12 | The Hacker News: Apple Fixes Exploited Zero-Day Affecting iOS, macOS, and Other Devices
Apple released updates for iOS, iPadOS, macOS Tahoe, tvOS, watchOS, and visionOS to fix a zero-day vulnerability (CVE-2026-20700) exploited in sophisticated cyber attacks. This memory corruption issue in dyld could allow arbitrary code execution. Google TAG discovered the flaw. Apple also addressed CVE-2025-14174 and CVE-2025-43529, both with CVSS scores of 8.8, related to memory access and WebKit vulnerabilities. Updates are available for various Apple devices and operating systems.
2026-02-12 | Security Affairs: Apple fixed first actively exploited zero-day in 2026
Apple addressed an actively exploited zero-day vulnerability, CVE-2026-20700, affecting iOS, macOS, and other devices, allowing code execution via a memory flaw in the Dynamic Link Editor (dyld). Discovered by Google’s Threat Analysis Group, it may have been used in sophisticated attacks. Apple also fixed CVE-2025-14174 and CVE-2025-43529, related to memory access issues in Google Chrome and WebKit. Security updates are available for supported devices running the latest OS versions.
2026-02-12 | Help Net Security: Apple fixes zero-day flaw exploited in targeted attacks (CVE-2026-20700)
Apple has addressed a zero-day vulnerability (CVE-2026-20700) in dyld, exploited in targeted attacks against specific individuals on older iOS versions. This memory corruption issue allows arbitrary code execution. Additional vulnerabilities, CVE-2025-14174 and CVE-2025-43529, affecting WebKit, were also reported by Google's Threat Analysis Group. Fixes are available for the latest OS versions, while users on older branches must await backporting. All users are urged to update their devices promptly.
2026-02-12 | Malwarebytes Labs: Apple patches zero-day flaw that could let attackers take control of devices
Apple has released security updates for various devices, addressing a zero-day vulnerability (CVE-2026-20700) that allows attackers to execute arbitrary code. This memory corruption issue affects watchOS, tvOS, macOS, visionOS, iOS, and iPadOS 26.3. The flaw was exploited in targeted attacks alongside two previously patched vulnerabilities. Users are urged to update their devices promptly to safeguard personal information and follow best practices for security, including avoiding unsolicited links.
2026-02-12 | The Register: Apple patches decade-old iOS zero-day, possibly exploited by commercial spyware
Apple patched CVE-2026-20700, a zero-day vulnerability in dyld affecting all iOS versions since 1.0, exploited in a sophisticated attack against targeted individuals. The flaw allows arbitrary code execution for attackers with memory write capability. This vulnerability, part of an exploit chain with WebKit flaws, enables a "zero-click" path to control devices. The iOS 26.3 update also addresses other bugs, but CVE-2026-20700 is the only one confirmed to be exploited in the wild.
2026-02-12 | TechRadar: Apple fixes dangerous zero-day flaw affecting macOS, iOS and more - update now to avoid 'extremely sophisticated attack'
Apple has patched a critical zero-day vulnerability, CVE-2026-20700, in the Dynamic Link Editor (dyld), which allowed arbitrary code execution and was exploited in sophisticated attacks against targeted individuals. The flaw affects devices including iPhone 11 and later, various iPad models, and Macs running macOS Tahoe. Updates were released in iOS 18.7.5, iPadOS 18.7.5, macOS Tahoe 26.3, tvOS 26.3, watchOS 26.3, and visionOS 26.3. Users are urged to update immediately.
2026-02-12 | Cyberscoop: Apple discloses first actively exploited zero-day of 2026
Apple disclosed its first actively exploited zero-day of 2026, a memory-corruption vulnerability (CVE-2026-20700) affecting iPhones and iPads running iOS versions prior to iOS 26. The Cybersecurity and Infrastructure Security Agency added it to its catalog of known exploited vulnerabilities. Exploited by sophisticated attackers targeting specific individuals, it allows arbitrary code execution. Apple also addressed two related WebKit vulnerabilities (CVE-2025-14174, CVE-2025-43529) in its security updates for iOS 26.3 and iPadOS 26.3.
First Malicious Outlook Add-In Found Stealing 4,000+ Microsoft Credentials
Date: 2026-02-11 | Source: The Hacker News
Cybersecurity researchers have identified what they describe as the first malicious Microsoft Outlook add-in, AgreeTo, which has stolen over 4,000 Microsoft credentials. The add-in was originally legitimate; after its developer abandoned it, the backend domain lapsed, an attacker claimed it, and the still-listed add-in began serving a phishing page from that domain. The case highlights a structural weakness in Office add-ins: the content an approved add-in loads from its backend URL is not monitored after the initial review. Koi Security recommends that Microsoft re-review add-ins when their URLs change, verify domain ownership, and flag outdated add-ins.
2026-02-12 | Cyber Security News: Microsoft Outlook Add-in Stolen 4,000 Microsoft account Credentials and Credit Card Numbers
A malicious Microsoft Outlook add-in named AgreeTo, initially a legitimate tool, was exploited to steal over 4,000 Microsoft account credentials, credit card numbers, and banking security answers. After the original developer abandoned the project, an attacker registered the orphaned URL and deployed a phishing kit. The add-in's architecture allowed the attacker to serve a fake login page without triggering a security review. Microsoft has since removed the add-in, highlighting significant supply chain risks.
2026-02-12 | Malwarebytes Labs: Outlook add-in goes rogue and steals 4,000 credentials and payment data
A malicious Microsoft Outlook add-in named AgreeTo, originally a meeting scheduling tool, was exploited to steal over 4,000 Microsoft account credentials, credit card numbers, and banking security answers. After the original developer abandoned it, an attacker claimed its expired backend URL, deploying a phishing kit that mimicked Microsoft’s login interface. Users unknowingly entered their credentials, which were sent to the attacker via Telegram. Affected users should uninstall the add-in, change passwords, and monitor account activity.
2026-02-12 | TechRadar: A popular Microsoft Outlook add-in has been hijacked to try and steal user accounts - here's how to stay safe
A hijacked Microsoft Outlook add-in, AgreeTo, has been turned into a phishing kit, stealing credentials for over 4,000 Microsoft accounts along with credit card data and banking security answers. The add-in, abandoned since December 2022, was exploited to present users with a fake Microsoft login page. Microsoft has since removed it from their repository. Users are advised to uninstall the add-in, reset passwords, and monitor financial activity for suspicious transactions. This incident marks the first malware found on the official Microsoft Marketplace.
2026-02-12 | CSO Online: ‘Dead’ Outlook add-in hijacked to phish 4,000 Microsoft Office Store users
A gap in Microsoft’s app marketplace review process allowed a hacker to hijack the abandoned Outlook add-in AgreeTo, a meeting scheduling tool, to execute phishing attacks on 4,000 users. The add-in, which had a 4.71-star rating, was still listed despite being abandoned. Koi Security, the company that uncovered the attack, reported that the phishing campaign successfully compromised thousands of Microsoft account credentials.
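The controls the researchers ask for, checking who currently owns the domains an add-in manifest points at and re-reviewing the add-in when its URLs change, can be scripted against the manifest itself. The following is an added example written for this page, not Koi Security's or Microsoft's code; the manifest, the publisher's verified-domain list, the registration dates (standing in for RDAP/WHOIS lookups) and the last-review date are all constructed for illustration:

```python
"""Review an Office add-in manifest for the orphaned-backend failure mode
described above. Added example, not Koi Security's or Microsoft's code; the
manifest, domain list and registration dates are constructed."""
import xml.etree.ElementTree as ET
from datetime import date
from urllib.parse import urlsplit

# Constructed manifest in the OfficeApp XML format; "{src}" is filled in below.
MANIFEST_TEMPLATE = """\
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <Id>11111111-2222-3333-4444-555555555555</Id>
  <Version>1.0.0.0</Version>
  <ProviderName>Example Scheduler Ltd</ProviderName>
  <DisplayName DefaultValue="Example Scheduler"/>
  <IconUrl DefaultValue="https://app.example-addin.com/icon.png"/>
  <SupportUrl DefaultValue="https://www.example-addin.com/support"/>
  <AppDomains><AppDomain>https://app.example-addin.com</AppDomain></AppDomains>
  <FormSettings><Form xsi:type="ItemRead"><DesktopSettings>
    <SourceLocation DefaultValue="{src}"/>
    <RequestedHeight>250</RequestedHeight>
  </DesktopSettings></Form></FormSettings>
</OfficeApp>
"""
APPROVED_MANIFEST = MANIFEST_TEMPLATE.replace("{src}", "https://app.example-addin.com/taskpane.html")
SUBMITTED_MANIFEST = MANIFEST_TEMPLATE.replace("{src}", "https://app.example-addin.com/v2/taskpane.html")

# Stand-in for RDAP/WHOIS data (assumption): registrable domain -> creation date
# of the *current* registration. A missing key means the name is unregistered.
REGISTRATIONS = {"example-addin.com": date(2025, 11, 3)}
VERIFIED_DOMAINS = {"example-addin.com"}   # domains the publisher proved control of at review
LAST_REVIEWED = date(2022, 12, 15)         # when the marketplace last reviewed this add-in


def extract_urls(manifest_xml):
    """Every absolute http(s) URL the manifest points at: DefaultValue attributes
    (SourceLocation, IconUrl, SupportUrl, bt:Url in VersionOverrides) plus
    AppDomain entries. Namespace prefixes are stripped so any schema version works."""
    urls = set()
    for el in ET.fromstring(manifest_xml).iter():
        value = el.get("DefaultValue", "")
        if value.lower().startswith(("http://", "https://")):
            urls.add(value)
        if el.tag.rsplit("}", 1)[-1] == "AppDomain" and el.text and el.text.strip():
            urls.add(el.text.strip())
    return urls


def registrable_domain(host):
    # Simplification: the last two labels. A production check would consult the
    # Public Suffix List so that names like "example.co.uk" are handled correctly.
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def review_manifest(manifest_xml, verified_domains, registrations, last_reviewed):
    """Sorted (domain, reason) findings. The key signal for the AgreeTo case is a
    domain whose current registration is newer than the last marketplace review:
    the name lapsed and someone else picked it up, so the listing now points at
    content the original developer no longer controls."""
    findings = set()
    for url in extract_urls(manifest_xml):
        parts = urlsplit(url)
        domain = registrable_domain(parts.hostname or "")
        if parts.scheme != "https":
            findings.add((domain, "plain-http resource"))
        if domain not in verified_domains:
            findings.add((domain, "not on publisher's verified-domain list"))
        created = registrations.get(domain)
        if created is None:
            findings.add((domain, "unregistered: anyone can claim it"))
        elif created > last_reviewed:
            findings.add((domain, "registered after last review: lapsed name re-registered"))
    return sorted(findings)


def url_changes(approved_xml, submitted_xml):
    """(added, removed) URLs between the approved manifest and a new submission;
    any non-empty result should send the add-in back for re-review."""
    before, after = extract_urls(approved_xml), extract_urls(submitted_xml)
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    for domain, reason in review_manifest(APPROVED_MANIFEST, VERIFIED_DOMAINS, REGISTRATIONS, LAST_REVIEWED):
        print(f"FINDING {domain}: {reason}")
    added, removed = url_changes(APPROVED_MANIFEST, SUBMITTED_MANIFEST)
    print("re-review needed:", bool(added or removed), added, removed)
```

Run against the constructed data, the approved manifest is flagged because the only domain it depends on was registered three years after the add-in was last reviewed, which is exactly the "someone else now owns the backend" condition, and the resubmitted manifest trips the URL-change check even though the new URL sits on the same domain.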
SSHStalker botnet targets Linux servers with legacy exploits and SSH scanning
Date: 2026-02-11 | Source: Security Affairs
A new Linux botnet named SSHStalker has infected approximately 7,000 systems using outdated 2009-era exploits and automated SSH scanning techniques. Detected by Flare researchers, it employs IRC for command-and-control, maintaining persistent access without immediate monetization. The botnet utilizes cron jobs for malware persistence and targets legacy Linux 2.6.x kernels. Despite its capabilities for DDoS and cryptomining, it focuses on long-term access. Indicators of compromise (IoCs) are provided for detection and mitigation.
2026-02-11 | The Hacker News: SSHStalker Botnet Uses IRC C2 to Control Linux Systems via Legacy Kernel Exploits
SSHStalker is a newly identified botnet that utilizes IRC for command-and-control, targeting Linux systems through legacy kernel exploits. It employs an SSH scanner to compromise systems and maintain persistent access without immediate post-exploitation actions. The botnet leverages a catalog of 16 vulnerabilities, including CVE-2009-2692 and CVE-2010-3849. The threat actor, suspected to be Romanian, demonstrates operational control through established tools rather than novel exploits, focusing on mass compromise and persistence.
2026-02-11 | Cyber Security News: Legacy IRC Botnet Campaign Uses Automated SSH Compromise Pipeline to Enroll Linux Hosts at Scale
A newly discovered Linux botnet, SSHStalker, enrolls hosts through automated SSH compromise, guessing weak passwords at scale. It deploys IRC bots and helper tools through a build-and-run pipeline that compiles components on the victim. The botnet exhibits "dormant persistence," quickly restoring control if disrupted. Recommendations include disabling SSH password authentication, enforcing key-based access, and monitoring for unexpected GCC runs. Published indicators of compromise support removing the malicious cron jobs and hunting for added services so the operator cannot re-enter.
2026-02-12 | CSO Online: SSHStalker botnet brute-forces its way onto 7,000 Linux machines
A botnet named SSHStalker has compromised approximately 7,000 Linux machines through brute-force attacks. Currently, it maintains persistence without monetizing its access, indicating potential staging or testing by its operator. To mitigate this threat, cybersecurity experts recommend disabling SSH password authentication in favor of SSH-key based authentication, implementing brute-force rate limiting, monitoring access attempts, and restricting remote access to specific IP ranges.
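The mitigations repeated across this coverage (key-only SSH, brute-force detection, hunting cron persistence and unexpected compiler runs) are straightforward to check mechanically. What follows is an added example for this page, not Flare's tooling or any published detection for SSHStalker; the sshd_config snippets, auth.log lines and crontab entries are constructed, and the log format assumed is the standard OpenSSH syslog format:

```python
"""Audit sshd_config for the weak settings SSHStalker relies on and hunt for the
brute-force and persistence signals the reports describe. Added example, not
Flare's tooling; every input below is constructed."""
import re
from collections import Counter

WEAK_SSHD_CONFIG = """\
Port 22
PasswordAuthentication yes
PermitRootLogin yes
"""
HARDENED_SSHD_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
MaxAuthTries 3
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""
SAMPLE_AUTH_LOG = [  # constructed OpenSSH syslog lines
    "Feb 11 03:12:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Feb 11 03:12:03 web1 sshd[2212]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2",
    "Feb 11 03:12:05 web1 sshd[2213]: Failed password for root from 203.0.113.7 port 51251 ssh2",
    "Feb 11 03:12:07 web1 sshd[2214]: Failed password for root from 203.0.113.7 port 51263 ssh2",
    "Feb 11 03:12:09 web1 sshd[2215]: Failed password for root from 203.0.113.7 port 51270 ssh2",
    "Feb 11 03:12:11 web1 sshd[2216]: Accepted password for root from 203.0.113.7 port 51277 ssh2",
    "Feb 11 03:16:02 web1 sshd[2301]: Failed password for invalid user test from 198.51.100.9 port 33001 ssh2",
]
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * /tmp/.x/run.sh >/dev/null 2>&1
@reboot cd /dev/shm/.c && gcc -o bot bot.c && ./bot
"""

def parse_sshd_config(text):
    """{option: value}, honouring sshd's rule that the FIRST occurrence of a
    directive wins. Parsing stops at the first Match block, whose directives are
    conditional and deserve a separate review."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        opts.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    return opts

def audit_sshd_config(text):
    """Findings against the hardening the coverage recommends. Where a directive
    is absent, OpenSSH's own default is assumed (PasswordAuthentication yes,
    KbdInteractiveAuthentication yes, PermitRootLogin prohibit-password, MaxAuthTries 6)."""
    o = parse_sshd_config(text)
    findings = []
    if o.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication not 'no': password guessing over SSH is possible")
    kbd = o.get("kbdinteractiveauthentication", o.get("challengeresponseauthentication", "yes"))
    if kbd != "no":
        findings.append("keyboard-interactive auth enabled: PAM password prompts remain reachable")
    if o.get("permitrootlogin", "prohibit-password") not in {"no", "prohibit-password", "without-password"}:
        findings.append("PermitRootLogin permits root password login")
    if o.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication disabled: key-based access cannot be enforced")
    tries = o.get("maxauthtries", "6")
    if not tries.isdigit() or int(tries) > 3:
        findings.append("MaxAuthTries above 3: too many guesses per connection")
    return findings

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted (password|publickey) for (\S+) from (\S+) port")

def hunt_auth_log(lines, threshold=5):
    """Return (IPs at or above `threshold` failed password attempts,
    [(ip, user)] for password logins that SUCCEEDED after failures from the
    same IP, i.e. a credential that was guessed rather than known)."""
    failures = Counter()
    guessed = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m and m.group(1) == "password" and failures[m.group(3)]:
            guessed.append((m.group(3), m.group(2)))
    return sorted(ip for ip, n in failures.items() if n >= threshold), guessed

SUSPICIOUS_CRON = re.compile(r"\b(wget|curl|gcc|perl)\b|/tmp/|/dev/shm/|/var/tmp/")

def hunt_crontab(text):
    """Cron lines that fetch, compile, or run from world-writable directories:
    the shape of SSHStalker's cron persistence and its build-and-run pipeline."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#") and SUSPICIOUS_CRON.search(l)]

if __name__ == "__main__":
    print("weak:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened:", audit_sshd_config(HARDENED_SSHD_CONFIG) or "ok")
    print(hunt_auth_log(SAMPLE_AUTH_LOG), hunt_crontab(SAMPLE_CRONTAB))
```

Point `audit_sshd_config` at the real `/etc/sshd_config` contents and `hunt_auth_log` at `/var/log/auth.log` (or `journalctl -u ssh` output) to use it on a host; the "accepted password after failures from the same IP" pair is the line that turns a noisy brute-force alert into a confirmed compromise, and the crontab hunt should be run for every user's crontab and `/etc/cron.d`, not just root's.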
Windows Notepad Vulnerability Allows Attackers to Execute Malicious Code Remotely
Date: 2026-02-11 | Source: Cyber Security News
Microsoft has patched a remote code execution vulnerability in the Windows Notepad app, tracked as CVE-2026-20841 and disclosed on February 10, 2026. The flaw lets an attacker execute code if a user is tricked into opening a crafted Markdown file and following a link in it. It carries a CVSS score of 8.8/10 (high severity, not critical) and affects the modern Notepad app distributed through the Microsoft Store. Users are advised to update Notepad, enable auto-updates, and avoid Markdown files from untrusted sources.
2026-02-11 | The Register: Notepad's new Markdown powers served with a side of remote code execution
CVE-2026-20841, a vulnerability in Notepad's new Markdown feature, allows remote code execution (RCE) through social engineering tactics, such as tricking users into opening malicious Markdown files. Microsoft addressed this flaw in its latest Patch Tuesday updates. Although it requires user interaction, the risk is significant due to Notepad's widespread installation on Windows PCs. No known exploits have been reported in the wild. The Markdown feature was introduced in May 2025, alongside other updates.
2026-02-11 | Windows Latest: Microsoft confirms 8.8-rated security issue in Windows 11 Notepad due to modernization efforts, Patch Tuesday fix rolling out
Microsoft has confirmed a Remote Code Execution vulnerability in Windows 11 Notepad, tracked as CVE-2026-20841, rated 8.8 on the CVSS scale. The flaw allows remote attackers to execute code if a user opens a malicious Markdown file and clicks a link. The vulnerability arises from improper command handling in the modern Notepad app. Microsoft has not observed active exploitation, but user interaction is required, making it a potential risk in enterprise environments. A fix is included in the February 2026 Patch Tuesday update.
2026-02-12 | TechRadar: Microsoft patches concerning Windows 11 Notepad security flaw - Markdown issues could have let hackers slip in malware without warning
Microsoft has patched a remote code execution (RCE) flaw in Windows 11 Notepad, tracked as CVE-2026-20841, with a CVSS score of 8.8/10. The vulnerability abused Markdown links: a crafted link could launch a command when followed, without the warning a user would expect. Affected versions are 11.2510 and earlier. Users are advised to avoid clicking suspicious links in Notepad until the Patch Tuesday update is applied; the fix addresses improper neutralization of special elements in a command (command injection).
2026-02-12 | Help Net Security: Windows Notepad Markdown feature opens door to RCE (CVE-2026-20841)
On the February 2026 Patch Tuesday, Microsoft addressed CVE-2026-20841, a command injection vulnerability in Windows Notepad that could allow remote code execution. The flaw arises from insufficient handling of links in Markdown files, enabling attackers to execute malicious code if a user interacts with a crafted link. Affected versions are Notepad 11.0.0 to 11.2510. The fix includes a warning for non-standard links, though users can still proceed at their own risk. No active exploitation has been reported.
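The coverage agrees on the shape of the bug (a Markdown link target reaching a command) and of the fix (warn before following a non-standard link). Below is an added example of that class of check, written for this page; it is not Microsoft's code and does not describe how Notepad dispatches links internally, which the reports do not detail. The sample document and the set of schemes treated as safe are assumptions:

```python
"""Scan Markdown for link targets and flag the non-standard schemes a viewer
should warn about before handing them to the OS. Added example illustrating
the class of check the Notepad fix is described as adding; not Microsoft's
code. The sample document and SAFE_SCHEMES are assumptions."""
import re
from urllib.parse import urlsplit

# CommonMark link forms: inline [text](target "title"), reference definitions
# [label]: target, and autolinks <scheme:...>. Deliberately simple regexes.
INLINE_LINK = re.compile(r'\[([^\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)')
REF_DEF = re.compile(r'^ {0,3}\[([^\]]+)\]:\s*<?(\S+)>?', re.MULTILINE)
AUTOLINK = re.compile(r'<([A-Za-z][A-Za-z0-9+.-]*:[^\s<>]+)>')

# Schemes a document viewer can reasonably open without an extra prompt (assumption).
SAFE_SCHEMES = {"http", "https", "mailto"}

SAMPLE_MD = r"""# Release notes
See the [project page](https://example.org/project) or [email us](mailto:sec@example.org).
Local copy: [readme](docs/readme.md), [install section](#install).
Open the [report](file:///C:/Users/Public/report.html) or the [helper](C:\Users\Public\run.bat).
[updates]: ms-settings:windowsupdate
Autolink: <javascript:alert(1)>
"""


def classify(target):
    """'allowed', 'relative' (anchor or path the viewer resolves itself) or
    'non-standard' (file:, javascript:, custom protocol handlers, drive-letter
    paths, which urlsplit reports as a one-letter scheme)."""
    scheme = urlsplit(target.strip()).scheme.lower()
    if not scheme:
        return "relative"
    return "allowed" if scheme in SAFE_SCHEMES else "non-standard"


def extract_targets(markdown):
    targets = [m.group(2) for m in INLINE_LINK.finditer(markdown)]
    targets += [m.group(2) for m in REF_DEF.finditer(markdown)]
    targets += [m.group(1) for m in AUTOLINK.finditer(markdown)]
    return targets


def scan_markdown(markdown):
    """{target: verdict} for every link found in the document."""
    return {t: classify(t) for t in extract_targets(markdown)}


def needs_warning(markdown):
    """Targets the viewer must not open silently. The safe dispatch rule is an
    allowlist on the parsed scheme, not a denylist of known-bad ones, and the
    target string must never be interpolated into a command line."""
    return sorted(t for t, v in scan_markdown(markdown).items() if v == "non-standard")


if __name__ == "__main__":
    for target, verdict in scan_markdown(SAMPLE_MD).items():
        print(f"{verdict:13} {target}")
```

Two details matter for a viewer that renders Markdown: the decision is made on the parsed scheme after trimming whitespace, so `  javascript:` and `JAVASCRIPT:` do not slip past a naive prefix comparison, and anything that is not on the allowlist is treated as needing a prompt, so a new protocol handler or a bare drive path is caught without having to know about it in advance.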
Microsoft Patch Tuesday February 2026 – 54 Vulnerabilities Fixed, Including 6 Zero-days
Date: 2026-02-10 | Source: Cyber Security News
Microsoft's February 2026 Patch Tuesday, released on February 10, addresses 54 vulnerabilities, including six zero-days across various products. Key vulnerabilities include two Critical flaws in Azure Compute Gallery, allowing data leaks and privilege escalation. Notable zero-days involve security feature bypasses in Microsoft Office and Windows Shell, and an elevation of privilege in Windows Remote Desktop Services. Immediate patching is recommended for all CVEs, with emphasis on the critical and zero-day vulnerabilities to mitigate the risk of exploitation.
2026-02-10 | Cyberscoop: Microsoft Patch Tuesday matches last year’s zero-day high with six actively exploited vulnerabilities
Microsoft's February Patch Tuesday update addressed 59 vulnerabilities, including six actively exploited zero-days, matching last year's high. Notable vulnerabilities include CVE-2026-21510 and CVE-2026-21513 (CVSS 8.8), which allow code execution via user interaction. CVE-2026-21531 and CVE-2026-24300 are critical (CVSS 9.8) affecting Azure SDK and Azure Front Door. The Cybersecurity and Infrastructure Security Agency added all six zero-days to its catalog, highlighting the increased risk due to security feature bypasses.
2026-02-10 | Krebs on Security: Patch Tuesday, February 2026 Edition
Microsoft's February 2026 Patch Tuesday addressed over 50 security vulnerabilities, including six zero-day flaws. Key vulnerabilities include CVE-2026-21510 (Windows Shell bypass), CVE-2026-21513 (MSHTML bypass), CVE-2026-21514 (Microsoft Word bypass), CVE-2026-21533 (privilege escalation in Remote Desktop Services), CVE-2026-21519 (DWM elevation of privilege), and CVE-2026-21525 (denial-of-service in Remote Access Connection Manager). Additional fixes target remote code execution vulnerabilities in GitHub Copilot and IDEs.
2026-02-10 | The Register: Microsoft's Valentine's gift to admins: 6 exploited zero-day fixes
On February's Patch Tuesday, Microsoft addressed six zero-day vulnerabilities, including CVE-2026-21510, CVE-2026-21513, and CVE-2026-21514, all rated 8.8 and publicly disclosed, allowing remote code execution via malicious links or files. CVE-2026-21519 (7.8) enables SYSTEM privilege escalation, while CVE-2026-21525 (6.2) allows denial of service. CVE-2026-21533 (7.8) permits local privilege elevation in Remote Desktop Services. Immediate patching is recommended.
2026-02-10 | Security Affairs: Microsoft Patch Tuesday security updates for February 2026 fix six actively exploited zero-days
Microsoft's February 2026 Patch Tuesday updates address six actively exploited zero-day vulnerabilities, part of a total of 58 security flaws across various products. The zero-days include CVE-2026-21510 (7.5), CVE-2026-21513 (8.8), CVE-2026-21514 (8.1), CVE-2026-21519 (7.8), CVE-2026-21525 (6.5), and CVE-2026-21533 (8.8). Notably, CVE-2026-21510, CVE-2026-21514, and CVE-2026-21513 are publicly disclosed. Microsoft credited multiple sources for their discovery.
2026-02-10 | Cisco Talos: Microsoft Patch Tuesday for February 2026 — Snort rules and prominent vulnerabilities
Microsoft's February 2026 Patch Tuesday addresses 59 vulnerabilities, including two critical ones: CVE-2026-21522 (elevation of privilege in ACI Confidential Containers) and CVE-2026-23655 (information disclosure in ACI Confidential Containers). Active exploitation is reported for five "Important" vulnerabilities, including CVE-2026-21510 (Windows Shell bypass) and CVE-2026-21519 (Desktop Window Manager privilege escalation). Talos released Snort rules to detect exploitation attempts. Full details are available on Microsoft's update page.
2026-02-11 | CSO Online: February 2026 Patch Tuesday: Six new and actively exploited Microsoft vulnerabilities addressed
Microsoft's February 2026 Patch Tuesday addressed six new actively exploited vulnerabilities among 60 total fixes. Tyler Reguly from Fortra noted that these issues can be easily resolved with standard Microsoft patches for Windows and Office, with no additional configuration needed post-patch. Notably, three of the six vulnerabilities involve a security feature bypass, which should be a point of concern for Chief Security Officers.
2026-02-11 | Rapid7: Patch Tuesday - February 2026
Microsoft's February 2026 Patch Tuesday addresses 55 vulnerabilities, including six exploited in the wild. Key zero-day vulnerabilities include CVE-2026-21510 (Windows Shell bypass), CVE-2026-21513 (MSHTML bypass), and CVE-2026-21514 (OLE bypass in Word). Additionally, CVE-2026-21519 (DWM elevation of privilege) and CVE-2026-21533 (RDP elevation of privilege) are noted. CVE-2026-21525 is a local denial of service in RasMan. Patches are available for various Windows Server products.
2026-02-11 | Cyber Security News: Windows Remote Desktop Services 0-Day Vulnerability Exploited in the Wild to Escalate Privileges
Microsoft has patched CVE-2026-21533, a zero-day elevation of privilege vulnerability in Windows Remote Desktop Services (RDS) exploited for SYSTEM-level access. The flaw, due to improper privilege management, was addressed in the February 2026 Patch Tuesday updates. It affects multiple Windows versions, primarily servers with RDS enabled, and has a CVSS score of 7.8. Microsoft recommends immediate patch deployment, disabling RDS if unused, and monitoring registry changes to mitigate risks.
2026-02-11 | Cyber Security News: Windows Shell Security Feature 0-Day Vulnerability Let Attackers Bypass Authentication
Microsoft released a patch for a zero-day vulnerability in Windows Shell, tracked as CVE-2026-21510, that lets attackers bypass a Windows security feature (other coverage below describes it as a SmartScreen-style warning bypass); despite the headline, it is not an authentication bypass. The flaw, with a CVSS score of 8.8, affects various Windows versions, including Windows 10 (1607, 1809, 21H2, 22H2) and Windows 11 (23H2-26H1). If a victim opens a malicious link or file, the bypass lets attacker-controlled code run without the warning prompt the user would normally see. Users are urged to update their systems immediately and exercise caution with links from unknown sources.
2026-02-11 | Security Affairs: U.S. CISA adds Microsoft Office and Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog
On February 11, 2026, CISA added several Microsoft vulnerabilities to its Known Exploited Vulnerabilities catalog, including CVE-2026-21510, CVE-2026-21513, CVE-2026-21514, CVE-2026-21519, CVE-2026-21525, and CVE-2026-21533. These flaws, with CVSS scores ranging from 6.5 to 8.8, involve issues like security feature bypasses and privilege escalation. Federal agencies must remediate these vulnerabilities by March 3, 2026, while private organizations are advised to review and address them.
2026-02-11 | Cyber Security News: Windows Remote Access Connection Manager 0-Day Vulnerability Let Attackers Trigger DoS Attack
Microsoft has patched a zero-day vulnerability in the Windows Remote Access Connection Manager (RasMan), tracked as CVE-2026-21525, allowing denial-of-service (DoS) attacks on unpatched systems. The flaw, due to a NULL pointer dereference, was actively exploited before disclosure. The February 2026 Patch Tuesday addresses the issue across various Windows versions. Immediate patching is recommended, as no workarounds exist without disabling RasMan, which disrupts remote access.
2026-02-11 | Infosecurity Magazine: Microsoft Fixes Six Zero Day Vulnerabilities in February Patch Tuesday
Microsoft's February Patch Tuesday addressed six zero-day vulnerabilities, including CVE-2026-21510, a Windows Shell bypass; CVE-2026-21513, a MSHTML Framework bypass; and CVE-2026-21514, a Word bypass. Additionally, CVE-2026-21519 and CVE-2026-21533 are elevation of privilege flaws, while CVE-2026-21525 is a denial-of-service vulnerability. SAP also released 26 security notes, with CVE-2026-0509 (CVSS 9.6) and CVE-2026-0488 (CVSS 9.9) being critical vulnerabilities affecting NetWeaver and CRM systems.
2026-02-11 | Cyber Security News: CISA Adds Six Microsoft 0-Day Vulnerabilities to KEV Catalog Following Active Exploitation
CISA has added six Microsoft zero-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog due to active exploitation. Key vulnerabilities include CVE-2026-21510 (Windows Shell security feature bypass), CVE-2026-21513 (MSHTML security feature bypass), and CVE-2026-21519 (local privilege escalation). Patches were released in February 2026. Organizations must prioritize remediation, especially Federal Civilian Executive Branch agencies under BOD 22-01. Immediate actions include applying patches and enhancing detection and mitigation strategies.
2026-02-11 | The Hacker News: Microsoft Patches 59 Vulnerabilities Including Six Actively Exploited Zero-Days
Microsoft released security updates addressing 59 vulnerabilities, including six actively exploited zero-days. Key vulnerabilities include CVE-2026-21510, CVE-2026-21513, CVE-2026-21514 (all CVSS 8.8), and CVE-2026-21519, CVE-2026-21525, CVE-2026-21533 (CVSS 6.2-7.8). CISA added these to its Known Exploited Vulnerabilities catalog, requiring fixes by March 3, 2026. Microsoft also announced updates to Secure Boot certificates and new security initiatives to enhance Windows protections.
2026-02-11 | Help Net Security: Microsoft Patch Tuesday: 6 exploited zero-days fixed in February 2026
Microsoft's February 2026 Patch Tuesday addressed over 50 security vulnerabilities, including six actively exploited zero-days. Key vulnerabilities include CVE-2026-21513 and CVE-2026-21514, which allow security feature bypasses in MSHTML (the legacy Internet Explorer engine) and Microsoft Word, respectively. CVE-2026-21519 enables privilege escalation, while CVE-2026-21525 poses a DoS risk to Windows Remote Access Connection Manager. CVE-2026-21533 allows privilege escalation in Remote Desktop Services and has been used against U.S. and Canadian entities since late December 2025. Prompt patching is advised.
2026-02-11 | Malwarebytes Labs: February 2026 Patch Tuesday includes six actively exploited zero-days
February 2026 Patch Tuesday addresses 59 Microsoft CVEs, including six zero-days. Key vulnerabilities include: CVE-2026-21510 (Windows Shell bypass, CVSS 8.8), CVE-2026-21513 (MSHTML bypass, CVSS 8.8), CVE-2026-21514 (Word bypass, CVSS 5.5), CVE-2026-21519 (Desktop Window Manager privilege escalation, CVSS 7.8), CVE-2026-21525 (Remote Access DoS, CVSS 6.2), and CVE-2026-21533 (Remote Desktop privilege escalation, CVSS 7.8). Azure users should note CVE-2026-21531 and CVE-2026-24300 (both CVSS 9.8).
2026-02-11 | Cyber Security News: Microsoft Office Word 0-day Vulnerability Actively Exploited in the Wild
A zero-day vulnerability in Microsoft Word, tracked as CVE-2026-21514, was disclosed on February 10, 2026, allowing attackers to bypass security protections. It has a CVSS score of 7.8 and stems from weak handling of untrusted input. Attackers can craft malicious documents that trigger the exploit without the usual user warnings. It affects multiple Office versions; Microsoft has released fixes. CISA mandates that federal agencies patch by March 3, 2026. Recommendations include deploying the updates and educating users.
2026-02-11 | The Hacker News: Over 60 Software Vendors Issue Security Fixes Across OS, Cloud, and Network Platforms
Over 60 software vendors released security patches on Patch Tuesday. Microsoft addressed 59 vulnerabilities, including six zero-days that could bypass security features and trigger DoS conditions. Adobe updated multiple products without known exploitation. SAP fixed two critical vulnerabilities: a code injection flaw (CVE-2026-0488, CVSS 9.9) and a missing authorization check (CVE-2026-0509, CVSS 9.6). Intel and Google identified five vulnerabilities in Intel TDX 1.5, highlighting increased complexity in the Trusted Computing Base.
2026-02-11 | Cyber Security News: MSHTML Framework 0-Day Vulnerability Let Attackers Bypass Security Feature over Network
Microsoft released a critical security patch for a zero-day vulnerability (CVE-2026-21513) in the MSHTML Framework, actively exploited before the fix. This security feature bypass allows attackers to circumvent Windows security without elevated privileges, affecting all supported Windows versions. Exploitation requires social engineering to open malicious files, leading to unauthorized code execution and potential data breaches. CISA mandates federal agencies to apply fixes by March 3, 2026. Patching is urgent due to real-world attacks.
2026-02-11 | TechCrunch: Microsoft says hackers are exploiting critical zero-day bugs to target Windows and Office users
Microsoft has addressed critical zero-day vulnerabilities in Windows and Office being actively exploited by hackers. The flaws, including CVE-2026-21510 in the Windows shell and CVE-2026-21513 in MSHTML, allow one-click attacks to plant malware or gain access to systems. These vulnerabilities bypass security features like SmartScreen. Microsoft acknowledged the role of Google’s Threat Intelligence Group in their discovery and noted that other zero-day bugs were also patched.
2026-02-12 | Times Now: Microsoft Windows And Office Users Are At Risk, Here's What You Should Do Right Now
Microsoft has patched over 50 vulnerabilities in Windows and Office, including several zero-day vulnerabilities. Users are advised to download the latest updates immediately. Zero-day attacks can occur when victims click on malicious links, so it is crucial to avoid clicking on links from unknown sources. Additionally, maintaining an active spam or phishing filter on devices is recommended to enhance security.
Microsoft tightens Windows security with app transparency and user consent
Date: 2026-02-10 | Source: Help Net Security
Microsoft is enhancing Windows security with two initiatives: User Transparency and Consent, which prompts users before apps access sensitive resources and records their permission decisions, and Windows Baseline Security Mode, which by default allows only properly signed applications to run. These updates are part of the Secure Future Initiative, aiming to improve system integrity and support organizations in managing security incidents. The rollout will be phased, involving collaboration with developers and enterprises.
2026-02-11 | DIGIT: Microsoft Locks Down Rogue Apps With ‘Consent-First’ Security
Microsoft is implementing a “consent-first model” with its new Windows Baseline Security Mode to enhance user control and security. This model restricts automated systems to approved capabilities, ensuring users are notified when apps access sensitive resources or install additional software. Runtime integrity protection will be enabled by default, allowing only trusted software to run. Microsoft is collaborating with partners like Adobe and OpenAI to improve transparency and security for users and IT administrators.
2026-02-11 | Windows Latest: Microsoft wants Windows 11 “secure by default,” could allow only properly signed apps and drivers by default
Microsoft plans to enhance Windows 11 security by introducing a "Baseline Security Mode," which will only allow properly signed apps and drivers to run by default. This shift aims to reduce malware vulnerabilities while maintaining user control. The new "User Transparency and Consent" model will provide clear permission prompts for sensitive resource access, similar to mobile OSes. Microsoft emphasizes a gradual rollout, ensuring compatibility with existing software and offering developers tools to adapt.
2026-02-12 | TechRadar: 'These updates raise the bar for security and privacy on Windows': Microsoft has a plan to toughen up Windows 11's defenses
Microsoft plans to enhance Windows 11 security with a 'Windows Baseline Security Mode' that will allow only properly signed apps and drivers to run. A new app permissions system will require user consent for accessing hardware features and installing additional software, similar to mobile platforms. These changes aim to improve user trust and security, addressing concerns over unauthorized app behaviors. The rollout will occur in phases, with user feedback considered for refinements.
NCSC Issues Warning Over “Severe” Cyber-Attacks Targeting Critical National Infrastructure
Date: 2026-02-10 | Source: Infosecurity Magazine
The NCSC has issued a warning to critical national infrastructure (CNI) providers in the UK about severe cyber threats following coordinated attacks on Poland's energy sector in December. Jonathan Ellison emphasized the need for immediate action to enhance cyber defenses, including monitoring threats, hardening networks, and implementing best practices like patching vulnerabilities and using multi-factor authentication. The Cyber Security and Resilience Bill is highlighted as a key measure to bolster security against such threats.
2026-02-10 | Cyberscoop: After major Poland energy grid cyberattack, CISA issues warning to U.S. audience
A cyberattack on Poland's power grid has led CISA to warn U.S. critical infrastructure operators. The December attack, linked to a Russian hacking group, targeted 30 renewable energy facilities, deploying wiper malware that damaged operational technology systems. CISA emphasized the need for enhanced cybersecurity for vulnerable edge devices. The attack, described as having a "purely destructive objective," marks a significant threat to distributed energy resources, highlighting their increasing vulnerability.
2026-02-10 | Cybersecurity Dive: Polish power grid hack offers lessons for critical infrastructure operators, CISA says
A cyberattack on Poland’s energy grid in December exploited vulnerable internet-facing edge devices, leading to significant operational disruptions. Hackers accessed FortiGate devices lacking multifactor authentication and used default credentials to compromise OT control devices from various manufacturers. The attack, attributed to Russian hackers, resulted in loss of control over renewable energy systems. CISA emphasized the need for critical infrastructure operators to change default passwords and enhance cybersecurity measures for edge devices.
2026-02-11 | DIGIT: NCSC Warns Critical National Infrastructure to Strengthen Cyber Defences
The NCSC warns critical national infrastructure (CNI) providers in the UK to enhance cyber defenses following a malware attack on Poland's energy sector. Jonathan Ellison emphasized the urgency of strengthening resilience against severe cyber threats, highlighting the potential for disruptive attacks on vital services. He urged adherence to the NCSC's Cyber Assessment Framework, focusing on risk management, identity controls, threat hunting, and basic cyber hygiene practices like patching vulnerabilities and implementing multi-factor authentication.
Hackers Deliver Global Group Ransomware Offline via Phishing Emails
Date: 2026-02-09 | Source: Hack Read
Researchers at Forcepoint X-Labs uncovered a phishing campaign using Phorpiex malware to deliver Global Group ransomware. Active in 2024-2025, the attack employs deceptive Windows shortcut files (.lnk) to execute commands via legitimate programs, downloading the ransomware locally. This version operates in "mute" mode, encrypting files without internet access using ChaCha20-Poly1305. It also deletes backups and evidence post-attack, leaving files with a .Reco extension and a ransom note as wallpaper.
2026-02-10 | Cyber Security News: Attackers Weaponizing Windows Shortcut File to Deliver Global Group Ransomware
Attackers are leveraging the Phorpiex botnet to distribute Global Group ransomware through phishing emails with deceptive attachments. These emails contain Windows Shortcut (LNK) files disguised as documents, exploiting social engineering tactics. Once clicked, the shortcut executes commands to download the ransomware using PowerShell, operating autonomously without network communication. To mitigate risks, organizations should block LNK files at email gateways and implement behavior-based detection to prevent data loss.
2026-02-10 | CSO Online: Windows shortcut weaponized in Phorpiex-linked ransomware campaign
A phishing campaign linked to the Phorpiex botnet has been identified, utilizing weaponized Windows shortcut files to deploy Global Group ransomware. Observed from late 2024 into 2026, the campaign employs a common email lure with the subject “Your Document” to entice users to open a malicious LNK attachment. The technique combines social engineering and stealthy execution, allowing the shortcut file to silently retrieve and execute a second-stage payload without raising suspicion.
2026-02-10 | Infosecurity Magazine: Phorpiex Phishing Delivers Low-Noise Global Group Ransomware
A phishing campaign delivering Phorpiex malware has been observed, using emails with the subject "Your Document" to distribute a weaponized Windows Shortcut file. This initiates a multi-stage infection leading to Global Group ransomware, which operates offline, generating encryption keys locally without contacting a C2 server. The ransomware encrypts files with the ChaCha20-Poly1305 algorithm, appending the .Reco extension, and drops a ransom note. The campaign highlights the effectiveness of using familiar file types for initial access.
Discord to Age-Restrict User Access to Key Features Starting Next Month
Date: 2026-02-09 | Source: Cyber Security News
Discord will implement global "teen-by-default" safety controls and an expanded age assurance system in March. Users will verify their age only when accessing age-restricted content, with defaults set to protect younger users from sensitive media and unsolicited messages. The system includes content blurring and limits on interactions for unverified accounts. Discord will use various verification methods, including age inference and facial age estimation, while emphasizing privacy protections. A Teen Council will gather feedback on safety features.
2026-02-09 | Recorded Future: Discord to require video selfies or government IDs to verify all users’ ages
Discord will require global users to verify their ages via video selfies or government IDs, starting in early March. The data collected will be deleted post-verification. This policy aims to enhance safety for minors amid increasing age verification laws. Critics highlight concerns over a previous data breach affecting 70,000 users' ID images. New settings will restrict access to age-restricted content and direct messages for unverified users. Discord emphasizes the importance of safety for teen users in its approach.
2026-02-10 | DIGIT: Discord to Make Age Verification Mandatory In “Teen-by-default” Move
Discord will implement mandatory age verification globally for users accessing adult content, transitioning to a "teen-by-default" model. Users must verify their age via facial recognition or ID uploads. This follows a UK requirement and aims to enhance safety for teen users. Concerns arise from a previous data breach involving 70,000 user IDs, prompting Discord to assure that verification images will be deleted post-confirmation. AI will assist in age verification, but users may face challenges with ID submissions and appeals.
2026-02-10 | Malwarebytes Labs: Discord will limit profiles to teen-appropriate mode until you verify your age
Discord will implement a default teen-appropriate profile mode for all users starting in early March, requiring age verification for full access. This change aims to enhance safety for teens amid increasing regulatory pressure regarding age verification. Current methods include facial scans and government IDs, which have reliability concerns. Critics argue that strict verification may not eliminate risks, as minors can bypass these measures. Discord emphasizes user safety while navigating these challenges.
2026-02-11 | 404 Media: Free Tool Says it Can Bypass Discord's Age Verification Check With a 3D Model
A new tool, the Discord ID Bypass Tool, claims to circumvent Discord's age verification by using a 3D model controlled by users instead of their real faces. This follows Discord's global rollout of teen-by-default settings, requiring age verification through identity documents or selfies. The tool mimics user movements to pass verification checks. Discord's age verification is part of compliance with laws in the UK and several U.S. states, amid concerns following a recent data breach involving user verification data.
UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering
Date: 2026-02-09 | Source: Google Cloud
North Korean threat actor UNC1069 has targeted the cryptocurrency sector using advanced social engineering and AI-enabled tactics. Mandiant's investigation revealed an intrusion involving seven malware families, including SILENCELIFT and DEEPBREATH. The attack began with a compromised Telegram account leading to a fake Zoom meeting featuring a deepfake video. Victims were manipulated into executing commands that initiated malware infections. UNC1069's evolving techniques indicate a significant threat to cryptocurrency startups and related entities.
2026-02-10 | Cyber Security News: UNC1069 Hackers Attacking Finance Sector with New Tools and AI-Enabled Social Engineering
North Korean hackers UNC1069 are targeting the finance and cryptocurrency sectors using advanced malware and AI-driven social engineering. They initiate contact via platforms like Telegram, posing as recruiters, and use deepfake videos in spoofed calls to build trust. Their tactics include the "ClickFix" method, tricking victims into executing commands that install malware like WAVESHAPER and SUGARLOADER. This allows persistent access to steal credentials and drain cryptocurrency wallets, employing multiple malware families to maintain control.
2026-02-10 | Recorded Future: North Korean hackers targeted crypto exec with fake Zoom meeting, ClickFix scam
North Korean hackers, identified as UNC1069, targeted a cryptocurrency executive using a fake Zoom meeting and ClickFix scam. The attack involved malware installation through a ruse of technical issues during the call. The malware, including backdoors WAVESHAPER and HYPERCALL, allowed data theft via tools DEEPBREATH and CHROMEPUSH. Mandiant noted this attack was highly tailored, aimed at cryptocurrency theft and future social engineering. UNC1069 has been active since 2018, focusing on financial services and cryptocurrency sectors.
2026-02-11 | The Hacker News: North Korea-Linked UNC1069 Uses AI Lures to Attack Cryptocurrency Organizations
The North Korea-linked group UNC1069 targets cryptocurrency organizations using social engineering tactics, including a compromised Telegram account and fake Zoom meetings. They deploy multiple malware families, such as SILENCELIFT and DEEPBREATH, to steal sensitive data from Windows and macOS systems. The attacks involve deepfake videos and phishing links that lead victims to download malicious software. The group has shifted focus to the Web3 industry, indicating an expansion in their operational capabilities.
2026-02-11 | CSO Online: North Korean actors blend ClickFix with new macOS backdoors in Crypto campaign
A financially motivated threat actor, UNC1069, is using a ClickFix-style social engineering campaign to deploy macOS malware against crypto-focused organizations. Research from Google Cloud’s Mandiant reveals that UNC1069 targeted an employee in the cryptocurrency sector using a hijacked Telegram account, a fake Zoom meeting, and AI-generated video to deceive the victim into executing malicious terminal commands on their macOS system.
2026-02-11 | TechRadar: North Korean hackers use AI-generated video to deliver malware for macOS and Windows
North Korean hackers, identified as UNC1069, are employing AI-generated deepfake videos and compromised Telegram accounts to deliver malware targeting cryptocurrency firms. The attack involves spoofed Zoom calls where victims are shown a deepfake of a CEO, leading to the installation of malware including WAVESHAPER, HYPERCALL, and SUGARLOADER. This multi-stage infection enables credential harvesting and long-term access. The report highlights the ongoing state-sponsored theft campaigns linked to North Korea's funding efforts.
2026-02-11 | Infosecurity Magazine: North Korean Hackers Use Deepfake Video Calls to Target Crypto Firms
A North Korean hacking campaign, attributed to the group UNC1069, targets cryptocurrency firms using deepfake video calls and macOS malware. The attack begins with a hijacked Telegram account of a crypto executive, leading to a fake meeting where a deepfake impersonates the executive. Victims are tricked into running commands, allowing attackers to install backdoors (WAVESHAPER, HYPERCALL) and information stealers (DEEPBREATH, CHROMEPUSH) to harvest credentials and browser data for financial theft.
EU, Dutch government announce hacks following Ivanti zero-days
Date: 2026-02-09 | Source: Recorded Future
A wave of cyberattacks linked to critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) has prompted emergency warnings globally. The vulnerabilities, CVE-2026-1281 and CVE-2026-1340, allow unauthorized control over devices. Ivanti issued patches in January, urging customers to treat exposed systems as compromised. The Dutch Data Protection Authority confirmed a hack, with unauthorized access to work-related data. The European Commission reported a similar incident. National agencies in the U.S., Canada, and Singapore have issued alerts regarding exploitation of these flaws.
2026-02-09 | The Register: Dutch data watchdog snitches on itself after getting caught in Ivanti zero-day attacks
The Dutch Data Protection Authority (AP) confirmed it was affected by zero-day attacks exploiting Ivanti Endpoint Manager Mobile vulnerabilities (CVE-2026-1281 and CVE-2026-1340) on January 29. Personal data of AP and Council for the Judiciary employees may have been accessed. The US CISA added CVE-2026-1281 to its Known Exploited Vulnerability list. The UK's NHS warned that EPMM devices are internet-facing and attractive targets, urging organizations to consider compromised instances and initiate incident response.
2026-02-09 | Cyber Security News: Hackers Exploiting Ivanti EPMM Devices to Deploy Dormant Backdoors
Hackers are exploiting Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities, CVE-2026-1281 and CVE-2026-1340, to deploy dormant backdoors. These backdoors allow unauthenticated access to application endpoints. The attackers deliver a Base64-encoded Java class file that acts as a loader, waiting for an activation request. Evidence of compromise includes requests to /mifs/403.jsp with specific parameters. Ivanti recommends immediate patching and server restarts to mitigate risks.
2026-02-09 | Cyberscoop: Fallout from latest Ivanti zero-days spreads to nearly 100 victims
Ivanti disclosed two critical zero-day vulnerabilities, CVE-2026-1281 and CVE-2026-1340, with a CVSS rating of 9.8, allowing remote code execution. Major government agencies in the Netherlands and the European Commission were impacted. As of Monday, 86 compromised instances were identified, with nearly 1,300 still exposed online. Rapid7 reported significant malicious activity targeting these vulnerabilities. Ivanti has released detection scripts and is collaborating with security partners, but has not updated the victim count.
2026-02-10 | The Hacker News: Dutch Authorities Confirm Ivanti Zero-Day Exploit Exposed Employee Contact Data
The Dutch Data Protection Authority and the Council for the Judiciary confirmed that their systems were compromised due to vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), exposing employee contact data. The European Commission also reported traces of a cyber attack affecting staff names and mobile numbers, contained within nine hours. Finland's Valtori disclosed a breach impacting 50,000 government employees, linked to zero-day vulnerabilities CVE-2026-1281 and CVE-2026-1340, which allowed unauthorized access to sensitive information.
2026-02-10 | Infosecurity Magazine: European Governments Breached in Zero-Day Attacks Targeting Ivanti
Several European government institutions, including the European Commission, Finnish government, and Dutch agencies, were targeted in zero-day attacks exploiting Ivanti Endpoint Manager Mobile (EPMM). The breaches, discovered on January 30, exposed personal details of tens of thousands of users. Ivanti had released patches for two critical vulnerabilities (CVE-2026-1281, CVE-2026-1340) on January 29. Experts warn of potential follow-on spearphishing attacks and emphasize the need for organizations to reassess access controls and restore trust post-breach.
2026-02-10 | Security Affairs: Dutch agencies hit by Ivanti EPMM exploit exposing employee contact data
Dutch agencies, including the Data Protection Authority and the Council for the Judiciary, were attacked due to vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), exposing employee contact data. The National Cyber Security Center was alerted on January 29. Attackers accessed names, work emails, and phone numbers of staff. The European Commission also reported a cyberattack on its mobile device management system on January 30, with potential access to staff data but no device compromise. Investigations are ongoing.
2026-02-10 | CSO Online: Cyberattack on the EU Commission
The European Commission was the target of a cyberattack at the end of January that was aimed at its Mobile Device Management (MDM) system. Cybercriminals may have obtained the names and phone numbers of some staff, but there is no evidence that mobile devices were compromised. The incident was contained within nine hours. It is suspected that the attack may have been carried out through a vulnerability in Ivanti Endpoint Manager Mobile (EPMM).
2026-02-10 | Cybersecurity Dive: Ivanti EPMM exploitation widespread as governments, others targeted
European authorities are investigating cyberattacks exploiting critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-1281 and CVE-2026-1340, enabling remote code execution. The European Commission reported a Jan. 30 attack affecting staff data, contained within nine hours. Dutch authorities confirmed impacts on their Data Protection Authority and Judicial Council. Threat activity is accelerating, with over 600 IPs detected exploiting the vulnerabilities. Ivanti is collaborating with partners to address the threat and has released indicators of compromise.
2026-02-11 | DIGIT: European Governments Targeted in Zero-Day Attacks
The European Commission is investigating a potential data breach in its mobile device management infrastructure, which occurred on January 30 and was contained within nine hours. The breach may have exposed personal details of thousands of users. Similar incidents were reported by Dutch authorities on January 29, linked to vulnerabilities in Ivanti's Endpoint Manager Mobile (EPMM). Ivanti released zero-day patches but has not provided comprehensive fixes, raising concerns about security for affected organizations.
2026-02-11 | Help Net Security: Ivanti EPMM exploitation: Researchers warn of “sleeper” webshells
A wave of exploitation attempts has emerged following the disclosure of CVE-2026-1281, a critical vulnerability in Ivanti EPMM. Researchers noted the deployment of "sleeper" webshells for future exploitation. Confirmed breaches include the Dutch Data Protection Authority and Valtori, Finland's ICT service center. Ivanti released a detection script and urged organizations to assume compromise, patch their systems, and conduct forensic investigations. Recommendations include reviewing access logs and restarting application servers.
2026-02-11 | Cybersecurity Dive: Majority of Ivanti EPMM threat activity linked to hidden IP
More than 80% of exploitation activity targeting critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) is linked to a single IP address using bulletproof hosting, as reported by GreyNoise. Key vulnerabilities include CVE-2026-1281 and CVE-2026-1340, allowing remote code execution. Threat activity surged recently, with 269 sessions recorded on a single day. Breaches involving Ivanti EPMM affected the Dutch Data Protection Authority and the European Commission, with potential data leaks under investigation.
2026-02-11 | Cyber Security News: Massive Spike in Attacks Exploiting Ivanti EPMM Systems 0-day Vulnerability
A significant increase in exploitation attempts of CVE-2026-1281, a critical vulnerability in Ivanti Endpoint Manager Mobile (EPMM), was reported on February 9, 2026, with over 28,300 unique IP addresses involved. This pre-authentication code injection flaw allows unauthenticated remote code execution. The U.S. accounted for 72% of attack sources. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog, urging immediate remediation. Ivanti has issued temporary patches, with a permanent fix expected in Q1 2026.
2026-02-12 | The Hacker News: 83% of Ivanti EPMM Exploits Linked to Single IP on Bulletproof Hosting Infrastructure
A significant portion of exploitation attempts targeting a newly disclosed flaw in Ivanti Endpoint Manager Mobile (EPMM) is traced to a single IP on PROSPERO's bulletproof hosting. Between February 1 and 9, 2026, 83% of 417 sessions originated from this IP, exploiting CVE-2026-1281 (CVSS 9.8) for unauthenticated remote code execution. Multiple European agencies were targeted. Users are advised to apply patches, audit MDM infrastructure, and monitor for specific indicators of compromise.
Singapore says China-linked hackers targeted telecom providers in major spying campaign
Date: 2026-02-09 | Source: Recorded Future
Singapore's Cyber Security Agency reported that the China-linked group UNC3886 targeted all four major telecom operators (M1, SIMBA Telecom, Singtel, and StarHub) in a sophisticated espionage campaign. The attackers gained unauthorized access to telecom networks, exploiting a previously unknown vulnerability. No customer data was accessed, and services remained uninterrupted. Singapore initiated a large-scale response operation, Cyber Guardian, involving over 100 cyber defenders, emphasizing the need for preparedness against future threats.
2026-02-09 | The Hacker News: China-Linked UNC3886 Targets Singapore Telecom Sector in Cyber Espionage Campaign
The Cyber Security Agency of Singapore reported that the China-linked cyber espionage group UNC3886 targeted all four major telecommunications operators in Singapore: M1, SIMBA Telecom, Singtel, and StarHub. The group used sophisticated tools, including a zero-day exploit and rootkits, to gain access to telco systems without causing service disruptions. In response, CSA launched operation CYBER GUARDIAN to limit the threat and enhance monitoring, confirming no personal data was exfiltrated.
2026-02-10 | Cyber Security News: Chinese Hackers Attacking Singapore’s Telecommunications Sector to Compromise Edge Devices
Chinese APT group UNC3886 targeted Singapore's telecommunications sector in a sophisticated cyber espionage campaign, disclosed after Operation CYBER GUARDIAN. The breach affected Singtel, M1, StarHub, and SIMBA Telecom, utilizing a zero-day exploit to bypass firewalls and infiltrate networks. The attackers aimed to exfiltrate technical data without disrupting services. Advanced evasion techniques, including rootkits, were employed for persistence. Swift collaboration between government and telcos was crucial in containing the threat.
2026-02-10 | Security Affairs: China-linked APT UNC3886 targets Singapore telcos
China-linked APT UNC3886 targeted Singapore's telecom sector in a cyber espionage campaign, as revealed by the Cyber Security Agency of Singapore on February 10, 2026. Since July 2025, UNC3886 attacked all four major telcos: M1, SIMBA Telecom, Singtel, and StarHub, using zero-day exploits to access networks and exfiltrate data. Operation CYBER GUARDIAN was initiated to counter the threat, involving over 100 cyber experts. While partial access was gained, no data theft or service disruption occurred. Authorities are enhancing defenses and monitoring for future threats.
2026-02-10 | Infosecurity Magazine: Singapore Takes Down Chinese Hackers Targeting Telco Networks
The Singapore government disrupted cyber-attacks by the Chinese cyber threat group UNC3886 targeting its four telecommunications operators through Operation Cyber Guardian, conducted from July 2025 to early 2026. The Cyber Security Agency (CSA) reported that UNC3886 used a zero-day exploit and rootkits to infiltrate networks and maintain access. While some unauthorized access occurred, no significant damage or data exfiltration was reported. Remediation measures have been implemented, but vigilance against future attacks is advised.
2026-02-10 | The Register: Singapore spent 11 months booting China-linked snoops out of telco networks
Singapore's Cyber Security Agency conducted "Operation Cyber Guardian," an 11-month effort to remove the China-linked advanced persistent threat UNC3886 from its telecom networks. The operation involved over 100 personnel and targeted all four major telecom providers. UNC3886 exploited a previously unknown flaw and used custom rootkits to remain undetected. The focus was on gathering technical network information rather than customer data. Singapore emphasized the ongoing risk to telecom networks and the need for heightened defenses.
2026-02-10 | Help Net Security: Singapore telcos breached in China-linked cyber espionage campaign
Singapore's four major telcos—M1, SIMBA Telecom, Singtel, and StarHub—were targeted by the cyber espionage group UNC3886 last year. The Cyber Security Agency (CSA) reported that the group used advanced hacking tools, including a zero-day vulnerability, to infiltrate networks and exfiltrate technical data. Operation Cyber Guardian was launched to mitigate the threat, and while the attack did not disrupt services or compromise personal data, it highlighted the need for enhanced public-private cybersecurity collaboration.
2026-02-10 | TechCrunch: Singapore says China-backed hackers targeted its four largest phone companies
Singapore's government has attributed a months-long cyber-espionage campaign against its four largest telecom companies—Singtel, StarHub, M1, and Simba Telecom—to the Chinese hacking group UNC3886. Although the hackers accessed some systems using advanced tools like rootkits, they did not disrupt services or access personal information. The attack is part of a broader pattern of cyber-espionage linked to China, with UNC3886 known for exploiting zero-day vulnerabilities in critical infrastructure.
2026-02-11 | Risky.Biz: Risky Bulletin: Chinese cyber-spies breached all of Singapore's telcos
Chinese cyber-espionage group UNC3886 breached all four major telecom providers in Singapore—M1, SIMBA Telecom, Singtel, and StarHub—last year, according to the Cyber Security Agency of Singapore. The attackers stole a small amount of technical data but did not access customer details. The breaches involved zero-day vulnerabilities in firewalls and rootkits for persistence. UNC3886 is noted for exploiting networking gear from vendors like Fortinet and VMware.
2026-02-11 | TechRadar: Singapore says its four largest phone companies were hit by Chinese hackers
Singapore's government reported that its four major telecommunications providers—M1, SIMBA Telecom, Singtel, and StarHub—were targeted by the Chinese state-sponsored group UNC3886. The attacks, which began in mid-July 2025, involved advanced techniques like rootkits and zero-day firewall exploits. However, no sensitive data was stolen, and there was no disruption to services. The investigation revealed unauthorized access but no significant damage or exfiltration of personal information.
Fake 7-Zip downloads are turning home PCs into proxy nodes
Date: 2026-02-09 | Source: Malwarebytes Labs
A trojanized installer masquerading as 7-Zip from the lookalike domain 7zip[.]com has been converting victims' PCs into residential proxy nodes. The malware, signed with a revoked certificate, installs components in C:\Windows\SysWOW64\ and establishes persistence via Windows services. It manipulates firewall rules and communicates with command-and-control domains. Users are advised to verify software sources, monitor for unauthorized services, and use Malwarebytes for detection and removal.
2026-02-10 | Help Net Security: Trojanized 7-Zip downloads turn home computers into proxy nodes
A trojanized version of 7-Zip is turning home computers into proxy nodes, as reported by Malwarebytes. Users downloading from 7zip[.]com instead of the legitimate 7-zip.org are at risk. The malware functions as proxyware, routing traffic through victims' IP addresses, and employs evasion techniques to avoid detection. Users are advised to verify software sources and bookmark official domains. Enterprises should monitor for unauthorized services and block known command-and-control domains.
2026-02-10 | Cyber Security News: Hackers Weaponizing 7-Zip Downloads to Turn Your Home Computers into Proxy Nodes
A counterfeit version of 7-Zip is being used by hackers to turn home computers into residential proxy nodes. Users are misled into downloading from the fraudulent domain 7zip[.]com, and the download installs malware alongside the legitimate software. The malware, including Uphero.exe and hero.exe, registers as Windows services, manipulates firewall rules, and collects system data. Users should treat affected systems as compromised and consider OS reinstallation. Security measures include verifying software sources and blocking known malicious domains.
2026-02-11 | TechRadar: Beware, this fake site offers up a malicious 7-Zip installer laced with malware
A fake website, 7zip.com, is distributing a malicious installer for the legitimate 7-Zip archiver, embedding malware that integrates victims' devices into a residential proxy network. This network is exploited by cybercriminals for various illegal activities, including phishing and data breaches. The site mimics the legitimate 7-zip.org, making it easy for users to be deceived. Digital squatting incidents have surged by 68% over five years, with 6,200 disputes recorded in 2025.
European Commission probes intrusion into staff mobile management backend
Date: 2026-02-09 | Source: The Register
The European Commission is investigating a cyber intrusion into its mobile device management systems, detected on January 30 by CERT-EU. The breach may have exposed staff names and mobile numbers. The Commission initiated an internal response and forensic investigation, containing the incident within nine hours without compromising mobile devices. This incident occurs amid ongoing cybersecurity reforms, including the NIS2 directive and Cyber Resilience Act. Details on the number of affected employees and breach methods remain undisclosed.
2026-02-09 | Cyber Security News: European Commission Contains Cyber-Attack Targeting Staff Mobile Data
The European Commission detected and contained a cyber-attack on January 30, affecting its staff mobile device management infrastructure. Unauthorized access to limited Personally Identifiable Information (PII) occurred, but no mobile endpoints were compromised. The incident was resolved in approximately nine hours, with systems isolated and cleaned. A post-incident review is underway, and the Commission's cybersecurity efforts are supported by CERT-EU, focusing on preemptive vulnerability management amid a high-threat environment.
2026-02-09 | Security Affairs: European Commission probes cyberattack on mobile device management system
The European Commission is investigating a cyberattack on its mobile device management system detected on January 30, 2026. Attackers may have accessed staff names and phone numbers, but no devices were compromised. The Commission contained the incident within nine hours and is enhancing cybersecurity measures. The European Computer Emergency Response Team (CERT-EU) is involved in the investigation. The stolen data could facilitate targeted phishing attacks, posing risks of GDPR violations and reputational damage.
2026-02-09 | Help Net Security: European Commission hit by cyberattackers targeting mobile management platform
On January 30, 2026, the European Commission's mobile device management platform was hacked, but no mobile devices were compromised. CERT-EU detected the intrusion, and the Commission contained the incident within 9 hours. Speculation points to Ivanti Endpoint Manager Mobile (EPMM) as the affected platform. The Dutch NCSC warned of active exploitation of CVE-2026-1281, advising users to assume compromise and change passwords. The investigation is ongoing, with previous zero-day exploits linked to a suspected China-nexus threat actor.
2026-02-09 | Hack Read: Cyber Attack Hits European Commission Staff Mobile Systems
On 30 January 2026, the European Commission detected a cyber attack targeting its mobile device management systems, potentially exposing staff personal details. The breach was linked to critical Ivanti software flaws (CVE-2026-1281, CVE-2026-1340), allowing remote server control. CERT-EU contained the breach within nine hours, with no compromise of mobile devices reported. Experts raised concerns over Ivanti's patching approach, emphasizing the need for immediate updates to mitigate risks for affected organizations.
BridgePay Payment Gateway Hit by Ransomware, Causing Nationwide Outages
Date: 2026-02-07 | Source: Cyber Security News
On February 6, 2026, BridgePay Network Solutions experienced a ransomware attack, causing nationwide outages in card processing. The incident began at 3:29 a.m. EST, with systems down by 5:48 a.m. EST. By 7:08 p.m. EST, ransomware was confirmed as the cause, but no payment card data was compromised. The attack affected various services, forcing merchants to operate cash-only. BridgePay is collaborating with the FBI and Secret Service for recovery, with no estimated restoration timeframe provided.
2026-02-09 | Infosecurity Magazine: BridgePay Confirms Ransomware Attack, No Card Data Compromised
On February 6, BridgePay, a US payments platform, confirmed a ransomware attack causing a system-wide service disruption. The company is collaborating with cybersecurity experts and authorities, including the FBI, to investigate. Initial findings indicate no payment card data was compromised, as any accessed data was encrypted. Recovery timelines are uncertain, and the incident has affected various organizations, including restaurants and retailers, which can no longer accept card payments.
2026-02-09 | Recorded Future: Payment tech provider for Texas, Florida governments working with FBI to resolve ransomware attack
A ransomware attack on BridgePay Network Solutions has disrupted payment processing systems for several local governments in Florida and Texas. The company is collaborating with the FBI and U.S. Secret Service to address the issue, but has not provided a restoration timeline. No payment card data is believed to have been stolen. Affected cities, including Palm Bay and Frisco, advised residents to use alternative payment methods. No group has claimed responsibility for the attack as of the latest updates.
2026-02-09 | TechRadar: BridgePay payments system knocked offline by ransomware attack
BridgePay, a major US payment gateway, suffered a ransomware attack that took its services offline, impacting merchants nationwide and forcing many to accept cash only. The company stated that no payment card data was compromised and that any accessed files were encrypted. An investigation is ongoing with forensic teams, including the US Secret Service. The identity of the attackers remains unknown, and the company is working on remediation efforts.
BeyondTrust Remote Access Products 0-Day Vulnerability Allows Remote Code Execution
Date: 2026-02-07 | Source: Cyber Security News
BeyondTrust disclosed a critical pre-authentication remote code execution vulnerability (CVE-2026-1731) affecting its Remote Support and Privileged Remote Access platforms, allowing unauthenticated attackers to execute OS commands. Vulnerable versions include Remote Support 25.3.1 and earlier, and Privileged Remote Access 24.3.4 and prior. Automatic patches were issued on February 2, 2026, for SaaS customers, while self-hosted users must apply patches BT26-02-RS or BT26-02-PRA. Immediate action is required to mitigate risks.
2026-02-09 | The Hacker News: BeyondTrust Fixes Critical Pre-Auth RCE Vulnerability in Remote Support and PRA
BeyondTrust has addressed a critical pre-authentication remote code execution vulnerability (CVE-2026-1731) in Remote Support and Privileged Remote Access products, rated 9.9 on the CVSS scale. Exploitation could allow unauthorized access and data exfiltration. Affected versions include Remote Support 25.3.1 and prior, and PRA 24.3.4 and prior. Patches are available in Remote Support 25.3.2 and PRA 25.1.1. Users are urged to apply patches manually if not on automatic updates.
2026-02-09 | Help Net Security: BeyondTrust fixes easy-to-exploit pre-auth RCE vulnerability in remote access tools (CVE-2026-1731)
BeyondTrust has addressed a critical remote code execution vulnerability (CVE-2026-1731) in its Remote Support and Privileged Remote Access solutions, urging self-hosted customers to apply the patch immediately. The flaw allows unauthenticated attackers to execute OS commands, potentially leading to system compromise. Affected versions include Remote Support 25.3.1 and prior, and Privileged Remote Access 24.3.4 and prior. The patch was applied for SaaS customers on February 2, 2026.
2026-02-09 | Rapid7: CVE-2026-1731: Critical Unauthenticated Remote Code Execution in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)
On February 6, 2026, BeyondTrust disclosed CVE-2026-1731, a critical unauthenticated RCE vulnerability in Remote Support (RS) versions 25.3.1 and prior, and Privileged Remote Access (PRA) versions 24.3.4 and prior, with a CVSSv4 score of 9.9. While SaaS instances were patched on February 2, self-hosted customers remain at risk. Approximately 8,500 on-premises instances are exposed. Patches are available for remediation. Rapid7 customers can assess exposure using new checks available on February 9.
2026-02-09 | Security Affairs: BeyondTrust fixes critical pre-auth bug allowing remote code execution
BeyondTrust patched a critical pre-authentication vulnerability (CVE-2026-1731, CVSS 9.9) in Remote Support and older Privileged Remote Access products, allowing unauthenticated remote code execution. The flaw, disclosed on February 6, 2026, affects Remote Support versions 25.3.1 and prior and Privileged Remote Access versions 24.3.4 and prior. SaaS customers received automatic updates on February 2, 2026, while self-hosted users must manually apply patches. Approximately 11,000 instances are exposed, primarily in large organizations.
2026-02-10 | TechRadar: BeyondTrust RCE flaw lets hackers run code without logging in
BeyondTrust has identified a critical remote code execution vulnerability (CVE-2026-1731) in its Remote Support and older Privileged Remote Access products, allowing unauthenticated OS command execution. The flaw, with a severity score of 9.9/10, affects versions 25.3.1 and earlier for Remote Support and 24.3.4 and earlier for PRA. A patch was released on February 2, 2026, but approximately 11,000 instances, primarily on-prem, remain exposed if not updated. No evidence of exploitation has been found.
2026-02-10 | CSO Online: BeyondTrust fixes critical RCE flaw in remote access tools
BeyondTrust has addressed a critical remote code execution (RCE) vulnerability in its Remote Support (RS) and Privileged Remote Access (PRA) tools. The flaw allows attackers to execute OS commands without authentication, potentially leading to system compromise, unauthorized access, data exfiltration, and service disruption. Users of self-hosted versions are urged to apply Patch BT26-02-RS for RS versions 21.3 to 25.3.1 and Patch BT26-02-PRA for PRA versions 22.1 to 24.X.
Analysis of active exploitation of SolarWinds Web Help Desk
Date: 2026-02-07 | Source: Microsoft Security
The Microsoft Defender Research Team reported active exploitation of SolarWinds Web Help Desk (WHD) instances, allowing attackers to gain unauthenticated remote code execution. The attacks, occurring in December 2025, may involve CVEs disclosed on January 28, 2026, including CVE-2025-40551 and CVE-2025-40536. Recommendations include patching vulnerabilities, restricting public access, and rotating credentials. Microsoft Defender provides detection capabilities for these threats, including alerts for suspicious activities and potential exploitation indicators.
2026-02-09 | Cyber Security News: Hackers Actively Exploiting SolarWinds Web Help Desk RCE Vulnerability to Deploy Custom Tools
Active exploitation of a remote code execution (RCE) vulnerability in SolarWinds Web Help Desk (WHD) is ongoing, affecting 84 endpoints across 78 organizations. Attackers deploy tools like Zoho ManageEngine RMM for persistent access and Velociraptor for command-and-control. The campaign utilizes outdated software with known vulnerabilities and exfiltrates data to attacker-controlled infrastructure. Organizations are urged to update to WHD version 2026.1 or later and secure administrative interfaces.
2026-02-09 | Security Affairs: Attackers abuse SolarWinds Web Help Desk to install Zoho agents and Velociraptor
On February 7, 2026, Huntress reported active exploitation of SolarWinds Web Help Desk vulnerabilities, specifically CVE-2025-40551 and CVE-2025-26399. Attackers installed Zoho ManageEngine tools for persistent access and used Velociraptor for control. They executed reconnaissance commands and collected system data sent to an attacker-controlled Elastic Cloud instance. Mitigations include updating to version 2026.1, restricting WHD access, resetting service account passwords, and reviewing for unauthorized tools.
2026-02-09 | The Hacker News: SolarWinds Web Help Desk Exploited for RCE in Multi-Stage Attacks on Exposed Servers
Microsoft reported a multi-stage attack exploiting exposed SolarWinds Web Help Desk (WHD) instances, allowing remote code execution (RCE) and lateral movement within networks. The attackers may have leveraged CVE-2025-40551, CVE-2025-40536, or CVE-2025-26399. CISA added CVE-2025-40551 to its Known Exploited Vulnerabilities catalog, mandating fixes by February 6, 2026. Recommendations include updating WHD instances, removing unauthorized tools, and rotating accounts to mitigate risks.
2026-02-09 | Cybersecurity Dive: Threat actors target SolarWinds Web Help Desk flaw
A critical vulnerability in SolarWinds Web Help Desk, tracked as CVE-2025-40551, allows remote code execution through deserialization of untrusted data. Huntress Labs reported that three enterprise customers were compromised, with hackers using remote assist tools. SolarWinds issued a patch on January 28, and the Cybersecurity and Infrastructure Security Agency added the flaw to its Known Exploited Vulnerabilities catalog. Researchers suspect threat group Storm-2603 is behind the attacks, focusing on reconnaissance rather than deploying ransomware.
2026-02-09 | The Register: Someone's attacking SolarWinds WHD to steal high-privilege credentials - but we don't know who or how
Digital intruders exploited vulnerabilities in SolarWinds Web Help Desk (WHD) in December 2025 to steal high-privilege credentials. Microsoft researchers are investigating which specific CVE was used, noting potential links to CVE-2025-40551, CVE-2025-40536, and CVE-2025-26399. Attackers utilized PowerShell and Background Intelligent Transfer Service (BITS) for malware execution and installed Zoho ManageEngine for remote control. Recommendations include applying WHD patches, removing public admin access, and rotating credentials.
2026-02-10 | Help Net Security: Unpatched SolarWinds WHD instances under active attack
Unpatched SolarWinds Web Help Desk (WHD) instances are under active attack, with threat actors exploiting vulnerabilities to gain network access. Attackers deploy legitimate tools like Zoho Assist and Velociraptor for data theft and system control. The exact CVE exploited remains unknown. Attacks began in mid-January, affecting at least three customers. Recommendations include applying the latest WHD patch, rotating credentials, and removing public access to admin paths.
2026-02-10 | TechRadar: SolarWinds WHD flaws exploited in attacks targeting servers and credentials
Hackers are exploiting two critical vulnerabilities in SolarWinds Web Help Desk: CVE-2025-40551 and CVE-2025-26399, both scoring 9.8/10 for severity. The campaign, ongoing since January, involves disabling security tools to deploy legitimate software like Zoho ManageEngine and Velociraptor for persistence and control. The identities of the attackers and victims remain unknown, and the ultimate goal of the attacks is unclear. Microsoft has also noted the abuse of SolarWinds WHD in attacks.
2026-02-10 | CSO Online: SolarWinds WHD zero-days from January are under attack
SolarWinds Web Help Desk (WHD) is currently under attack, with vulnerabilities exploited dating back to late 2025. Security firm Huntress analyzed customer reports revealing a series of compromises first identified in December. On January 28, SolarWinds issued an advisory detailing six CVEs rated as ‘critical’ or ‘high,’ including two zero-days: CVE-2025-40551, a deserialization flaw enabling remote code execution (RCE), and CVE-2025-40536, which allows authentication bypass, both with a CVSS score of 9.8.
State-backed phishing attacks targeting military officials and journalists on Signal
Date: 2026-02-06 | Source: Help Net Security
German security authorities warn of state-backed phishing attacks targeting military officials and journalists via Signal. Attackers impersonate Signal support, urging victims to provide security PINs or scan QR codes, leading to account takeover. Successful access allows attackers to monitor private chats and group conversations, compromising sensitive information. Users are advised to avoid responding to suspicious messages, enable account protection features, and report any incidents to authorities.
2026-02-07 | The Hacker News: German Agencies Warn of Signal Phishing Targeting Politicians, Military, Journalists
Germany's BfV and BSI issued a warning about state-sponsored phishing attacks targeting politicians, military, and journalists via the Signal app. Attackers impersonate "Signal Support" to obtain PINs or verification codes, allowing access to victims' accounts and messages. The campaign can also extend to WhatsApp. Users are advised to avoid engaging with support accounts, enable Registration Lock, and review linked devices. Similar tactics have been noted in past campaigns by Russia-aligned groups.
2026-02-07 | Cyber Security News: Hackers Linked to State Actors Target Signal Messages of Military Officials and Journalists
Germany's security agencies warned of a cyber espionage campaign targeting military officials and journalists, revealed on February 6. State-sponsored hackers are hijacking Signal accounts using social engineering tactics. The "Fake Support" method involves impersonating Signal support to obtain PIN codes, locking users out. The "Silent QR Code Spy" tricks users into linking devices, allowing attackers to read messages. Authorities suspect a state-controlled actor aiming for espionage, urging users to check linked devices and safeguard PINs.
2026-02-09 | CSO Online: Authorities warn of hacker attacks on politicians and the military
Cybercriminals are targeting Signal accounts of high-ranking German politicians, soldiers, diplomats, and journalists, as warned by the Federal Office for the Protection of the Constitution and the Federal Office for Information Security. The attackers impersonate Signal's support team, sending fake security alerts to obtain users' security PINs, allowing them to take control of accounts. No malware or vulnerabilities are exploited; the attacks rely solely on user naivety. Users are advised not to share their PIN via text.
2026-02-09 | Hack Read: Hackers Use Signal QR Codes to Spy on Military and Political Leaders
Security experts in Germany warn of state-backed hackers targeting military and political leaders using social engineering tactics via the Signal messaging app. Attackers impersonate Signal support to trick users into revealing their Security PIN, allowing account takeover. Another method involves victims scanning QR codes that link the hacker's device to their account, granting access to chat history and new messages. Experts recommend ignoring unsolicited support messages, checking linked devices, and enabling Registration Lock for protection.
2026-02-10 | Recorded Future: Germany warns of state-linked phishing campaign targeting journalists, government officials
German authorities warn of a state-linked phishing campaign targeting journalists and officials via messaging apps like Signal. The BfV and BSI report attackers use social engineering to gain access to private accounts, focusing on impersonating support teams or exploiting device-linking features. Victims are tricked into sharing security PINs or scanning QR codes, allowing attackers to control communications. The campaign highlights Signal's vulnerability due to its use by high-profile targets, with potential implications for other messaging platforms.
17% of 3rd-Party Add-Ons for OpenClaw Used in Crypto Theft and macOS Malware
Date: 2026-02-06 | Source: Hack Read
Bitdefender Labs found that 17% of OpenClaw AI skills analyzed in February 2026 are malicious, targeting crypto keys and installing macOS malware. Attackers disguise harmful tools as legitimate utilities, with 54% of threats related to crypto. A user linked to 199 malicious scripts sought to steal private wallet keys and deploy the AMOS Stealer malware. Bitdefender advises treating new skills as full software installations and offers the Bitdefender AI Skills Checker to assess safety.
2026-02-07 | Cyber Security News: OpenClaw Partners with VirusTotal to Secure AI Agent Skill Marketplace
OpenClaw has partnered with VirusTotal to enhance security for its AI agent marketplace, ClawHub. Skills published will undergo automated scanning using VirusTotal's threat intelligence and Code Insight tools. Malicious skills will be blocked, while suspicious ones receive warnings. The system evaluates skills for risky behaviors, with daily re-scans for active skills. OpenClaw emphasizes this as one layer of defense, alongside a broader security program, including a threat model and security roadmap.
2026-02-07 | Cyber Security News: OpenClaw v2026.2.6 Released With Support for Opus 4.6, GPT-5.3-Codex and Safety Scanner
OpenClaw v2026.2.6, released on February 7, 2026, enhances security with a code safety scanner and partnerships for automated scanning. It addresses security issues, including reports of 283-341 malicious skills in its marketplace. Key features include support for Opus 4.6 and GPT-5.3-Codex, authentication for hosts, and redaction of sensitive data. Security firms recommend isolating instances and auditing code due to risks from misconfigurations and plugin ecosystems. The update aims to improve marketplace integrity and user safety.
2026-02-08 | The Hacker News: OpenClaw Integrates VirusTotal Scanning to Detect Malicious ClawHub Skills
OpenClaw has partnered with VirusTotal to enhance security for its ClawHub skill marketplace by scanning uploaded skills for malware. Each skill is hashed and checked against VirusTotal's database, with benign skills auto-approved and suspicious ones flagged. Active skills are re-scanned daily. Despite these measures, OpenClaw warns that some malicious skills may evade detection. The platform plans to release a threat model and security roadmap following reports of malicious skills that can exfiltrate data and execute unauthorized commands.
2026-02-09 | Cyber Security News: OpenClaw Becomes New Target in Rising Wave of Supply Chain Poisoning Attacks
OpenClaw's ClawHub plugin marketplace is under threat from supply chain attacks, with security firms identifying 341 malicious extensions, representing a 12% infection rate. Attackers use Base64-obfuscated commands to deploy infostealers like Atomic Stealer, which exfiltrates sensitive data. The permissive upload process of ClawHub mirrors vulnerabilities seen in other marketplaces. Key IOCs include domains and IPs linked to the attacks, with specific malicious files identified.
2026-02-09 | Cyber Security News: Hackers Exploiting ClawHub Skills to Bypass VirusTotal Detections via Social Engineering
Threat actors are exploiting the ClawHub ecosystem by using social engineering to bypass VirusTotal detections. They host malicious payloads on external websites, utilizing SKILL.md files that appear benign. Over 40 trojanized skills were identified, luring users to install a tool named “OpenClawCLI,” which executes an obfuscated payload from a remote IP (91.92.242.30). Users are advised to verify installation commands and security teams should block related command-and-control IPs to prevent data exfiltration.
2026-02-09 | CSO Online: OpenClaw integrates VirusTotal malware scanning as security firms flag enterprise risks
OpenClaw has integrated VirusTotal's malware scanning into its ClawHub skills marketplace to enhance security amid concerns over its vulnerabilities. This integration automatically scans all published skills, approving those deemed "benign," warning on suspicious ones, and blocking malicious skills. Daily re-scanning of active skills is also implemented. The initiative responds to documented cases of malicious actors targeting AI agent platforms, aiming to mitigate risks as the ecosystem expands.
Flickr Confirms Data Breach – 35 Million Users' Data at Risk
Date: 2026-02-06 | Source: Cyber Security News
Flickr reported a potential data breach on February 5, 2026, affecting its 35 million users due to a vulnerability in a third-party email service. Exposed data may include usernames, email addresses, and IP addresses, but not passwords or financial details. Flickr has disabled the vulnerable endpoint and is investigating with the provider. Users are advised to update passwords, enable two-factor authentication, and be vigilant against phishing attempts. The incident highlights third-party risks in data security.
2026-02-06 | Hack Read: Flickr Notifies Users of Data Breach After External Partner Security Flaw
On February 5, 2026, Flickr reported a data breach due to a flaw in a third-party email vendor, potentially exposing user names, emails, IP addresses, and activity logs, while passwords and payment information remained secure. Flickr has notified data protection authorities and is enhancing oversight of external partners. Users are advised to be cautious of phishing attempts, change passwords if reused elsewhere, and review account settings for unauthorized changes. The number of affected accounts is unspecified.
2026-02-06 | The Register: Flickr emails users about data breach, pins it on third party
On February 5, Flickr experienced a data breach linked to a third-party email service provider. The breach potentially exposed users' personally identifiable information (PII), including names, email addresses, usernames, IP addresses, and general locations. Flickr has disabled access to the affected system and is reviewing its security practices. Users are advised to be cautious of phishing attempts and to review their account settings. No passwords or financial information were compromised.
2026-02-09 | Security Affairs: Flickr moves to contain data exposure, warns users of phishing
Flickr reported a potential data breach due to a flaw in a third-party email provider, exposing users' names, email addresses, IPs, and account activity, but not passwords or payment data. The issue was identified on February 5, 2026, and Flickr quickly shut down the affected system. They are conducting a security review and have notified data protection authorities. Users are advised to be cautious of phishing attempts and to check for unusual account activity.
2026-02-09 | TechRadar: Flickr confirms data breach, tells customers their private info may have been affected - here's what we know
Flickr confirmed a data breach on February 5, 2026, due to a third-party email provider, exposing customer PII including names, emails, usernames, account types, IP addresses, and locations. Passwords and financial information were not compromised. The company warned users of potential phishing risks and is reviewing security practices with third-party providers. The breach affects a global user base of over 35 million across 190 countries, and relevant authorities have been notified.
Ransomware attackers are exploiting critical SmarterMail vulnerability (CVE-2026-24423)
Date: 2026-02-06 | Source: Help Net Security
Ransomware attackers are exploiting the SmarterMail vulnerability CVE-2026-24423, which allows unauthenticated remote code execution via the ConnectToHub API in versions prior to v100.0.9511. CISA added this vulnerability to its Known Exploited Vulnerabilities catalog, following earlier listings for CVE-2025-52691 and CVE-2026-23760. Users are advised to update to the latest version and monitor logs for suspicious activity. Federal agencies must address this by February 26, 2026.
2026-02-09 | Risky.Biz: Risky Bulletin: SmarterTools hacked via its own product
SmarterTools was hacked on January 29 via a vulnerability in its SmarterMail product, exploited by the Warlock ransomware group. The breach affected 30 email servers, facilitated by an unpatched virtual machine. SentinelOne blocked the ransomware during the attack, and network segmentation limited the damage. SmarterTools had disclosed three vulnerabilities, including CVE-2026-24423, which is likely the exploited flaw. The group, tracked as Gold Salem, is believed to operate from China.
2026-02-09 | Help Net Security: Ransomware group breached SmarterTools via flaw in its SmarterMail deployment
SmarterTools was breached on January 29, 2026, through a vulnerability in its SmarterMail deployment, most likely CVE-2026-24423. An unpatched VM led to the compromise, affecting the company's office and data center networks. The Warlock ransomware group executed the attack, employing double extortion tactics. SmarterTools has since eliminated Windows from its networks and changed all passwords. The breach did not compromise business applications or account data, and Linux servers remained unaffected.
2026-02-10 | The Hacker News: Warlock Ransomware Breaches SmarterTools Through Unpatched SmarterMail Server
On January 29, 2026, the Warlock ransomware gang breached SmarterTools by exploiting an unpatched SmarterMail server. The attack affected 12 Windows servers and hosted customers using SmarterTrack. Key vulnerabilities include CVE-2025-52691 and CVE-2026-23760, which were actively exploited. SmarterTools has released an update (Build 9526) to address these issues. Users are advised to upgrade immediately and isolate mail servers to prevent lateral movement of ransomware.
2026-02-10 | TechRadar: SmarterTools network breached using auth-bypass attack against single unpatched virtual machine
SmarterTools experienced a ransomware attack attributed to the Warlock gang, exploiting CVE-2026-23760, an authentication bypass flaw in SmarterMail. The breach affected the office network and data center, but business applications and account data remained secure. The company has since patched the vulnerability, eliminated Windows servers, and discontinued Active Directory usage to prevent future incidents. Users are advised to upgrade to SmarterMail Build 9518 to address the vulnerability.
Claude Opus 4.6 Finds 500+ High-Severity Flaws Across Major Open-Source Libraries
Date: 2026-02-06 | Source: The Hacker News
Anthropic's Claude Opus 4.6 has identified over 500 high-severity security flaws in major open-source libraries, including Ghostscript, OpenSC, and CGIF. The model, launched on Thursday, excels in discovering vulnerabilities without specialized tools. Notable flaws include a crash vulnerability in Ghostscript due to a missing bounds check, a buffer overflow in OpenSC, and a complex heap buffer overflow in CGIF. All identified vulnerabilities have been patched. Anthropic emphasizes the need for prompt patching of known vulnerabilities.
Claude Opus 4.6 Finds 500+ High-Severity Flaws Across Major Open-Source Libraries
2026-02-06 | Help Net Security: Claude Opus 4.6 improves agentic performance and model safety
Claude Opus 4.6 enhances coding performance and model safety, excelling in identifying vulnerabilities in codebases. It features improved task execution, error correction, and supports complex workflows in financial analyses and document creation. Safety evaluations indicate low rates of misaligned behavior and extensive testing for harmful actions. The model aids in cyber defense by identifying and patching vulnerabilities in open-source software, demonstrating effectiveness in complex coding tasks.
2026-02-06 | CSO Online: Claude AI finds 500 high-severity software vulnerabilities
Anthropic's Claude Opus 4.6 identified 500 high-severity software vulnerabilities in open-source projects during a trial. The model operated within a virtual machine with access to the latest software versions and standard vulnerability analysis tools, without specific instructions. Anthropic is currently validating these findings to confirm their accuracy before reporting them to the respective developers.
2026-02-06 | TechRadar: Anthropic says its new Opus 4.6 platform found over 500 previously unknown high-severity security flaws in open-source libraries during testing
Anthropic's Claude Opus 4.6 has identified over 500 high-severity security vulnerabilities in open-source libraries, outperforming traditional fuzzing methods. The model analyzes code like a human researcher, detecting flaws in well-tested codebases that had evaded detection for decades. The company emphasizes the urgency of patching these vulnerabilities, as many open-source projects are maintained by limited resources. Initial patches have been reported, and collaboration with maintainers is ongoing to address remaining issues.
2026-02-07 | Cyber Security News: Claude Opus 4.6 Released with Improved Cybersecurity, Validating 500+ high-severity Vulnerabilities
Anthropic released Claude Opus 4.6 on February 5, 2026, enhancing cybersecurity by autonomously identifying over 500 high-severity vulnerabilities in open-source software. The AI model used human-like reasoning to discover flaws in codebases, including Ghostscript and OpenSC, without specialized tools. Validation procedures confirmed all vulnerabilities as genuine, with patches being developed. Anthropic introduced new detection layers to mitigate misuse risks and emphasized the need for rapid security responses to AI-discovered vulnerabilities.
CISA tells agencies to stop using unsupported edge devices
Date: 2026-02-05 | Source: Cyberscoop
CISA has ordered federal agencies to cease using unsupported edge devices, such as firewalls and routers, due to their vulnerability to cyberattacks. Agencies must inventory these devices within three months and replace them within one year. CISA emphasizes the substantial risk posed by unsupported devices, which can facilitate hacker access. The directive also mandates agencies to establish a process for regularly identifying unsupported devices within two years. CISA will provide a list of end-of-service devices to assist compliance.
CISA tells agencies to stop using unsupported edge devices
2026-02-05 | Recorded Future: CISA gives federal agencies one year to rip out end-of-life devices
CISA has mandated that federal civilian agencies remove end-of-life devices within one year due to exploitation risks by sophisticated hackers. The directive requires agencies to inventory unsupported devices within three months and decommission them within a year. Agencies must also ensure devices can receive security updates. CISA highlighted the persistent cyber threats posed by unsupported edge devices, which are often targeted by nation-state actors. The EOS Edge Device List will not be publicly published.
2026-02-05 | Cybersecurity Dive: CISA orders feds to disconnect unsupported network edge devices
The Cybersecurity and Infrastructure Security Agency (CISA) has mandated federal agencies to cease using unsupported edge devices within one year due to significant security risks. The directive requires immediate updates to outdated devices, a report on current usage within three months, and a complete decommissioning of listed devices within 12 months. Agencies must also inventory all edge devices losing support in the next year. CISA aims to enhance security amid rising exploitation campaigns targeting these devices.
2026-02-06 | CSO Online: CISA gives federal agencies 18 months to purge unsupported edge devices
CISA has mandated that federal agencies remove unsupported edge devices within 18 months, addressing a shift in nation-state attack strategies that target network infrastructure. The directive, BOD 26-02, requires agencies to inventory, update, and replace outdated firewalls, routers, VPN gateways, and other network security appliances lacking vendor security patches. CISA emphasizes the significant risk these unsupported devices pose to federal systems, urging immediate action to enhance security.
2026-02-06 | Help Net Security: CISA orders US federal agencies to replace unsupported edge devices
CISA issued a binding operational directive mandating US federal agencies to replace unsupported edge devices, which pose significant cyber risks. Agencies must patch immediately where possible, inventory devices on the end-of-service list within three months, and replace unsupported devices within one year. By 18 months, all identified devices must be removed, and a continuous discovery process implemented within two years. CISA emphasizes the heightened risk of exploitation from advanced threat actors targeting these devices.
2026-02-06 | The Hacker News: CISA Orders Removal of Unsupported Edge Devices to Reduce Federal Network Risk
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated Federal Civilian Executive Branch agencies to remove unsupported edge network devices within 12 to 18 months to mitigate risks from state-sponsored threat actors. CISA's Binding Operational Directive 26-02 outlines actions including updating vendor-supported devices, cataloging end-of-support devices, and establishing a lifecycle management process. An end-of-support edge device list will assist agencies in identifying vulnerable devices.
2026-02-06 | Cyber Security News: CISA Orders Removal of Unsupported Active Network Edge Devices to Reduce Security Risks
CISA has issued Binding Operational Directive (BOD) 26-02, mandating Federal Civilian Executive Branch agencies to remove unsupported edge devices from their networks due to security risks. Agencies must update EOS devices, inventory them within 3 months, decommission identified devices within 12 months, and remove all remaining EOS devices within 18 months. A continuous lifecycle management process must be established within 24 months. This directive aims to enhance security and align with Zero Trust architecture goals.
2026-02-06 | TechRadar: CISA tells federal agencies to replace at-risk end-of-life edge devices
CISA has mandated federal agencies to replace unsupported edge devices, citing significant security risks due to lack of vendor updates. Agencies have one year to remove these devices, which include firewalls and IoT devices, and should enhance lifecycle management practices for timely replacements. CISA also emphasizes adopting Zero Trust principles, including multi-factor authentication and data encryption, to bolster security. All organizations are encouraged to heed this guidance amid rising cyber threats.
2026-02-07 | Security Affairs: CISA pushes Federal agencies to retire end-of-support edge devices
CISA has mandated U.S. federal agencies to replace end-of-support edge devices within 12–18 months to enhance cybersecurity. Under Binding Operational Directive 26-02, agencies must inventory edge devices, report unsupported ones, and adopt robust lifecycle management. CISA warns that unsupported devices are prime targets for cyber threats. The directive emphasizes the importance of removing such devices to improve resilience and encourages non-federal organizations to follow suit.
2026-02-09 | Infosecurity Magazine: US Agencies Told to Scrap End of Support Edge Devices
On February 5, 2023, CISA issued Binding Operational Directive 26-02, mandating US federal agencies to decommission end-of-support (EOS) edge devices within 12 months due to significant exploitation risks. Agencies must identify EOS devices within three months, decommission those already at EOS within 12 months, and maintain an inventory of EOS devices. By 18 months, agencies must replace EOS devices with vendor-supported alternatives and establish a continuous discovery process within two years.
Substack confirms data breach affects users’ email addresses and phone numbers
Date: 2026-02-05 | Source: TechCrunch
Substack confirmed a data breach affecting users' email addresses and phone numbers, discovered in February but linked to an incident in October. The breach did not compromise sensitive data like credit card numbers or passwords. CEO Chris Best apologized, stating the company has fixed the issue and initiated an investigation. The number of affected users remains undisclosed, and while there is no evidence of data misuse, users are advised to be cautious with unsolicited communications.
Substack confirms data breach affects users’ email addresses and phone numbers
2026-02-05 | Recorded Future: Substack warns customers of data breach following hacker’s dark web claims
Substack confirmed a data breach on February 3, 2025, where unauthorized access led to the exposure of customer email addresses, phone numbers, and other metadata. CEO Chris Best stated that credit card numbers and passwords were not compromised. An unidentified hacker claimed to have stolen data from approximately 700,000 users, including emails and user IDs. Substack is investigating the incident and has implemented fixes to prevent future breaches, advising customers to be cautious of potential phishing attempts.
2026-02-05 | The Register: Substack says intruder lifted emails, phone numbers in months-old breach
Substack reported a security breach where an unauthorized party accessed user contact details, including email addresses and phone numbers, in October 2025, but it was not detected until February 3. The company confirmed that passwords and financial data were not compromised. Following the incident, Substack has patched the vulnerability and is conducting an internal investigation. Users are advised to remain vigilant against phishing attempts. The breach may impact trust in Substack's platform.
2026-02-05 | Security Affairs: Hacker claims theft of data from 700,000 Substack users; Company confirms breach
Substack confirmed a data breach affecting nearly 700,000 users, with email addresses and phone numbers leaked. The breach, discovered on February 3, 2026, occurred in October 2025. CEO Chris Best stated that passwords and financial data were not compromised. A threat actor claimed responsibility on a cybercrime forum. Substack is investigating the incident and has implemented security enhancements. Users are advised to remain vigilant against suspicious communications.
2026-02-05 | CSO Online: Substack data breach leaks users’ email addresses and phone numbers
Substack experienced a data breach in October 2025, affecting an unknown number of creators and subscribers. The breach was identified on February 3, revealing that a third party exploited a vulnerability to access user email addresses, phone numbers, and other internal metadata. Substack confirmed that no credit card numbers, passwords, or financial information were compromised. The exposure of this data lasted for up to four months.
2026-02-05 | Hack Read: Substack Breach: 662,752 User Records Leaked on Cybercrime Forum
On February 2, 2026, a user on BreachForums claimed to have scraped 662,752 Substack user records. Substack confirmed unauthorized access on February 5, tracing it back to October 2025. Exposed data includes email addresses, phone numbers, and internal metadata, but not passwords or financial info. The dataset contains details of active publishers, linking accounts to Stripe customer IDs. Substack reported no evidence of data misuse but warned users of potential targeted phishing attempts.
2026-02-06 | TechRadar: Substack data breach confirmed: user phone numbers, email addresses all stolen in attack, here's what we know
Substack confirmed a data breach in October 2025, exposing user emails, phone numbers, and metadata. CEO Chris Best stated that no financial data or credentials were accessed, and the vulnerability has been patched. An investigation is ongoing. A thread on BreachForums claims nearly 700,000 records were stolen, although Substack reports no evidence of data abuse. The breach was identified on February 3, prompting notifications to affected users.
2026-02-06 | Infosecurity Magazine: Substack Confirms Data Breach, "Limited User Data" Compromised
Substack confirmed a data breach affecting users' email addresses and phone numbers, detected on February 3, 2025, but occurring in October 2025. CEO Chris Best stated no financial information or passwords were compromised. The breach was addressed, and additional safeguards implemented. Experts criticized the vague details provided, emphasizing the risk of phishing and social engineering. Substack is conducting a full investigation to enhance security measures. No specifics on the number of affected users were disclosed.
Italy blames Russia-linked hackers for cyberattacks ahead of Winter Olympics
Date: 2026-02-05 | Source: Recorded Future
Italy's Foreign Minister Antonio Tajani reported thwarted cyberattacks of "Russian origin" targeting diplomatic missions and sites linked to the 2026 Winter Olympics, affecting around 120 targets, including consulates in Sydney, Toronto, and Paris. The pro-Russian group NoName057(16) claimed responsibility, framing the attacks as retaliation for Italy's support of Ukraine. The attacks, primarily DDoS in nature, did not cause significant disruption. The Winter Olympics are scheduled for February 6-22, 2026.
Italy blames Russia-linked hackers for cyberattacks ahead of Winter Olympics
2026-02-05 | Security Affairs: Pro-Russian group Noname057(16) launched DDoS attacks on Milano Cortina 2026 Winter Olympics
Pro-Russian group Noname057(16) launched DDoS attacks targeting the Milano Cortina 2026 Winter Olympics, including Foreign Ministry offices and hotels. Italy's Foreign Minister Antonio Tajani confirmed the thwarting of these cyberattacks, which were retaliation for Italy's pro-Ukraine stance. The attacks had limited impact due to the efforts of Italian authorities and the National Cybersecurity Agency. Italy plans to deploy 6,000 security officers for the event, including specialized units.
2026-02-05 | Flashpoint: Cyber and Physical Risks Targeting the 2026 Winter Olympics
The Milano-Cortina 2026 Winter Olympics face significant cyber and physical security challenges due to their expansive geographic footprint. Italy has thwarted cyberattacks attributed to Russian sources targeting government offices and event-related websites. Common threats include phishing and DDoS attacks. Protests against U.S. security roles and environmental activism are anticipated, alongside potential labor strikes. Attendees are advised to use official apps, avoid public Wi-Fi, and remain vigilant against protests and digital threats.
2026-02-06 | TechRadar: Winter Olympics hit by suspected 'Russian origin' cyberattack - as one of Europe's largest universities also reports major cybersecurity incident
A series of cyberattacks, attributed to Russian-linked hackers, targeted the 2026 Winter Olympics in Italy and La Sapienza University in Rome. The Italian government reported that attacks on Olympic facilities, including hotels in Cortina d’Ampezzo, were blocked, causing no significant disruption. The pro-Russian group NoName057(16) claimed responsibility, framing the attacks as retaliation for Italy's support of Ukraine. La Sapienza University shut down its systems due to a suspected ransomware attack and is restoring access from backups.
2026-02-07 | Security Affairs: Italian university La Sapienza still offline to mitigate recent cyber attack
Rome’s La Sapienza University has been offline since February 2, 2026, due to a ransomware attack attributed to the Russian cybercrime group Femwar02, utilizing the Bablock strain. The attack disrupted IT systems, preventing students from accessing essential services. The university shut down its infrastructure to mitigate the threat and is coordinating with law enforcement and the Italian National Cybersecurity Agency. Investigations are ongoing to assess the breach's scope and the integrity of backup data.
Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework
Date: 2026-02-05 | Source: Cisco Talos
Cisco Talos has identified "DKnife," a sophisticated gateway-monitoring and adversary-in-the-middle (AitM) framework used since at least 2019, targeting primarily Chinese-speaking users. It employs seven Linux-based implants for deep packet inspection, traffic manipulation, and malware delivery, including ShadowPad and DarkNimbus backdoors. The framework hijacks Android application updates and binary downloads, exfiltrates user data, and disrupts antivirus traffic. Active command and control (C2) servers are still operational as of January 2026.
Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework
2026-02-06 | Cyber Security News: China-Nexus Hackers Hijacking Linux-Based Devices to Manipulate Traffic and Deploy Malware
A new surveillance framework named “DKnife,” attributed to China-nexus threat actors, targets Linux-based routers and edge devices, allowing attackers to manipulate network traffic and deploy malware. Active since 2019, DKnife hijacks legitimate requests, enabling backdoor installations on connected devices. It uses deep packet inspection to intercept updates, redirecting users to malicious URLs. The malware can disrupt antivirus traffic and harvest sensitive data, turning compromised routers into espionage tools.
2026-02-06 | The Hacker News: China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking, Malware Delivery
Cybersecurity researchers have unveiled the DKnife framework, operated by China-linked threat actors since 2019, targeting routers for traffic hijacking and malware delivery. Comprising seven Linux-based implants, DKnife performs deep packet inspection and manipulates traffic, primarily aimed at Chinese-speaking users. It can harvest credentials from Chinese email services and hijack Android app updates. The framework's core component, dknife.bin, enables covert monitoring and malicious payload delivery, highlighting advanced AitM threat capabilities.
2026-02-06 | Infosecurity Magazine: Chinese-Made Malware Kit Targets Chinese-Based Routers and Edge Devices
A malware framework named DKnife, discovered by Cisco Talos, targets Chinese-speaking users and has been active since at least 2019. It is linked to the MOONSHINE exploit kit and is used for gateway-level attacks, enabling traffic manipulation on compromised routers. The framework consists of seven ELF binaries for deep packet inspection and malicious payload delivery. Researchers assess it was developed by Chinese-nexus threat actors based on code language and overlaps with other malware campaigns.
2026-02-08 | Security Affairs: DKnife toolkit abuses routers to spy and deliver malware since 2019
DKnife is a Linux toolkit identified by Cisco Talos, used since 2019 for cyber-espionage by hijacking router traffic to deliver malware. It performs deep packet inspection, alters data, and installs ShadowPad and DarkNimbus backdoors, primarily targeting Chinese-speaking users. The toolkit disrupts security tools and monitors user activity, while its components include traffic inspection and malicious update delivery. Active as of January 2026, it highlights the evolving threat landscape of adversary-in-the-middle attacks.
2026-02-09 | Hack Read: China-Linked DKnife Spyware Hijacking Internet Routers Since 2019
Researchers at Cisco Talos revealed that the DKnife spyware, linked to Chinese threat actors, has been compromising internet routers since 2019. This toolkit employs an Adversary-in-the-Middle attack to intercept legitimate app updates, using seven specialized implants to monitor and manipulate data. It targets both Android and Windows devices, tracking activities on apps like WeChat and Signal. Users are advised to keep router firmware updated and disable Remote Management to mitigate risks.
2026-02-09 | CSO Online: DKnife targets network gateways in long running AitM campaign
The AitM framework “DKnife,” linked to a China-based adversary, targets network gateways to intercept and manipulate in-transit traffic. Active since at least 2019 and still operational as of early 2026, DKnife operates at the network edge, allowing control over traffic through compromised devices. It is a modular Linux-based system capable of deep packet inspection, credential interception, and malicious content injection, as reported by Cisco Talos.
The Shadow Campaigns: Uncovering Global Espionage
Date: 2026-02-05 | Source: Palo Alto
TGR-STA-1030, a state-aligned cyberespionage group, has compromised government and critical infrastructure organizations in 37 countries over the past year. Their tactics include phishing campaigns and exploiting known vulnerabilities, such as CVE-2019-11580. The group employs sophisticated tools, including a unique Linux kernel rootkit named ShadowGuard. They primarily target ministries related to finance, trade, and natural resources, with significant activity observed in Europe, Asia, and the Americas.
The Shadow Campaigns: Uncovering Global Espionage
2026-02-05 | Cybersecurity Dive: Asian government’s espionage campaign breached critical infrastructure in 37 countries
Hackers linked to an Asian government breached 70 agencies and critical infrastructure in 37 countries, targeting information on rare earth minerals and trade deals, according to a Palo Alto Networks report. The group, TGR-STA-1030, conducted reconnaissance in 155 countries and exploited vulnerabilities in Microsoft Exchange and SAP. Their toolkit includes a phishing-delivered malware loader and a unique rootkit, ShadowGuard, operating within the Linux kernel. The group poses an ongoing threat to global security.
2026-02-05 | The Register: Asia-based government spies quietly broke into critical networks across 37 countries
A state-aligned cyber group, TGR-STA-1030, has compromised at least 70 organizations across 37 countries, including national police, parliaments, and telecommunications entities. They exfiltrated sensitive data, including financial and military information, using phishing and exploiting vulnerabilities in Microsoft Exchange, SAP, and Atlassian products. A unique Linux kernel rootkit, ShadowGuard, was discovered. The Cybersecurity and Infrastructure Security Agency is monitoring this ongoing threat, which poses risks to national security.
2026-02-05 | CSO Online: New APT group breached gov and critical infrastructure orgs in 37 countries
A new cyberespionage group, TGR-STA-1030 (UNC6619), has breached 70 government and critical infrastructure organizations across 37 countries over the past year. Utilizing phishing, exploitation kits, custom malware, and other tools, the group is believed to be expanding its operations. Between November and December 2025, they conducted reconnaissance on government infrastructure in 155 countries. Researchers from Palo Alto Networks suggest the group is based in Asia and has potential ties to a nation state.
2026-02-06 | The Hacker News: Asian State-Backed Group TGR-STA-1030 Breaches 70 Government, Infrastructure Entities
A previously undocumented cyber espionage group, TGR-STA-1030, has breached 70 government and critical infrastructure entities across 37 countries since January 2024. The group employs phishing tactics to deploy malware, including Diaoyu Loader, and exploits N-day vulnerabilities in software from Microsoft, SAP, and others. Tools used include Cobalt Strike and various web shells. The group targets ministries for espionage, maintaining access for months, posing significant risks to national security and infrastructure.
Detecting backdoored language models at scale
Date: 2026-02-04 | Source: Microsoft Security
Research on detecting backdoors in open-weight language models reveals three key signatures indicating backdoored models: 1) A "double triangle" attention pattern where trigger tokens hijack model attention; 2) Backdoored models leak their own poisoning data, allowing extraction of backdoor training examples; 3) Fuzzy trigger activation, where variations of the trigger can still activate the backdoor. A practical scanner has been developed to identify these signatures efficiently, though it requires access to model files and has limitations.
Detecting backdoored language models at scale
2026-02-04 | The Hacker News: Microsoft Develops Scanner to Detect Backdoors in Open-Weight Large Language Models
Microsoft has developed a scanner to detect backdoors in open-weight large language models (LLMs), enhancing trust in AI systems. The scanner identifies three signals indicating model poisoning: a "double triangle" attention pattern, memorization of poisoning data, and activation by fuzzy triggers. It requires no additional training and works across common GPT-style models, though it has limitations, such as not functioning on proprietary models. This initiative is part of Microsoft's broader effort to address AI-specific security concerns.
2026-02-05 | The Register: Three clues that your LLM may be poisoned with a sleeper-agent back door
A recent study by Ram Shankar Siva Kumar and colleagues highlights the security risks of backdoored AI large language models (LLMs). They identified three indicators of model poisoning: 1) a "double triangle" attention pattern where the model focuses excessively on a trigger word; 2) models leaking their own poisoned training data; and 3) "fuzzy" backdoors that can be activated by partial trigger phrases. A lightweight scanner has been developed to help enterprises detect these vulnerabilities in LLMs.
2026-02-05 | CSO Online: Microsoft develops a new scanner to detect hidden backdoors in LLMs
Microsoft has developed a scanner to detect hidden backdoors in open-weight AI models, targeting a significant vulnerability for enterprises using third-party LLMs. The scanner identifies hidden triggers and malicious behaviors that may be embedded during the training or fine-tuning of these models. Such backdoors can enable attackers to subtly alter model behavior, potentially leading to data exposure or allowing malicious activities to bypass standard security measures.
China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns
Date: 2026-02-04 | Source: The Hacker News
China-linked cyber espionage group Amaranth-Dragon has targeted Southeast Asian government and law enforcement agencies in 2025, exploiting CVE-2025-8088 in WinRAR for arbitrary code execution. The group uses spear-phishing with tailored lures and malicious RAR files to maintain persistence. Their tactics include DLL side-loading and deploying the Havoc C2 framework. The campaign is linked to APT41, showcasing advanced operational techniques and a focus on geopolitical intelligence collection.
China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns
2026-02-05 | Cyber Security News: Amaranth-Dragon Exploiting WinRAR Vulnerability to Gain Persistence on Victim Systems
A cyber-espionage group, Amaranth-Dragon, is exploiting the WinRAR vulnerability (CVE-2025-8088) to target Southeast Asian government agencies. This path traversal flaw allows arbitrary code execution via malicious RAR files, enabling attackers to establish persistence by placing scripts in the Startup folder. The group uses the Amaranth Loader to retrieve payloads and deploy the Havoc Framework for remote control. Immediate patching of WinRAR and enhanced monitoring of archive files are recommended defenses.
2026-02-05 | Security Affairs: China-linked Amaranth-Dragon hackers target Southeast Asian governments in 2025
China-linked hackers, identified as Amaranth-Dragon, targeted Southeast Asian government and law enforcement agencies in 2025, utilizing cyber-espionage tactics linked to APT41. They exploited a newly disclosed WinRAR vulnerability (CVE-2025-8088) for arbitrary code execution, beginning their attacks shortly after the flaw's public disclosure. Victims were likely lured via spear-phishing emails. The group's operations demonstrate advanced technical capabilities and highlight the need for effective vulnerability management and user awareness.
2026-02-05 | Infosecurity Magazine: New Hacking Campaign Exploits Microsoft Windows WinRAR Vulnerability
A hacking campaign exploited the CVE-2025-8088 vulnerability in WinRAR, disclosed in August 2025. Attackers targeted government and law enforcement in Southeast Asia, using tailored phishing emails to deliver malicious files. The campaign, linked to the group Amaranth-Dragon, used the Havoc Framework for persistence and data collection. Check Point emphasizes the need for timely vulnerability management and recommends organizations prioritize patching and monitoring for suspicious archive files.
2026-02-05 | TechRadar: Dangerous new malware exploits WinRAR flaw - here's what we know
Amaranth Dragon, linked to APT41, is exploiting the WinRAR vulnerability CVE-2025-8088, affecting versions 7.12 and older, with a severity score of 8.4/10. This flaw allows arbitrary code execution and has been abused since mid-2025 by various state actors targeting organizations in Southeast Asia. The group uses custom loaders and Cloudflare-masked servers, hiding malware in Alternate Data Streams within archives. Other actors like RomCom and APT44 have also exploited this vulnerability.
Two Critical Flaws in n8n AI Workflow Automation Platform Allow Complete Takeover
Date: 2026-02-04 | Source: Infosecurity Magazine
Researchers at Pillar Security identified two critical vulnerabilities (CVSS 10.0) in n8n, an open-source workflow automation platform. These sandbox escape flaws allow authenticated users to gain complete server control and access sensitive credentials. A patch was released for the first flaw, but a second was discovered shortly after. n8n version 2.4.0, released in January 2026, addresses both issues. Immediate mitigation steps include upgrading, rotating encryption keys, and auditing workflows for suspicious activity.
2026-02-05 | The Hacker News: Critical n8n Flaw CVE-2026-25049 Enables System Command Execution via Malicious Workflows
A critical vulnerability in the n8n workflow automation platform, tracked as CVE-2026-25049 (CVSS score: 9.4), allows for arbitrary system command execution via malicious workflows. This flaw affects versions <1.123.17 and <2.5.2, and arises from inadequate sanitization, bypassing previous security measures. Exploitation could lead to server compromise and data exfiltration. Users are advised to restrict workflow permissions and deploy n8n in a hardened environment. Immediate patching is recommended.
2026-02-05 | The Register: n8n security woes roll on as new critical flaws bypass December fix
Multiple newly disclosed vulnerabilities in the workflow automation tool n8n, tracked as CVE-2026-25049, could allow attackers to hijack servers and steal credentials. These flaws, with a CVSS rating of 9.4, exploit weaknesses in expression sanitization, enabling authenticated users to execute malicious commands. The risks are heightened for n8n Cloud users due to its multi-tenant architecture. Patches have been released, and users are urged to update, review permissions, and rotate sensitive credentials.
2026-02-05 | Cyber Security News: Critical n8n Vulnerability Enables System Command Execution Via Weaponized Workflows
A critical remote code execution (RCE) vulnerability in n8n allows authenticated attackers to execute arbitrary system commands via weaponized workflows. This flaw, an expansion of CVE-2025-68613, affects how n8n processes dynamic expressions, enabling malicious payload injection. Successful exploitation can lead to full server compromise and sensitive data exfiltration. Emergency patches are available in versions v1.123.17 and v2.5.2. Organizations are urged to upgrade or implement defense-in-depth strategies.
2026-02-05 | TechRadar: Critical n8n flaws discovered - here's how to stay safe
A critical vulnerability in n8n, tracked as CVE-2026-25049, allows unauthenticated users to execute arbitrary commands on servers, risking theft of sensitive data like API keys and OAuth tokens. The flaw enables cross-tenant data exposure. A patch (v2.4.0) was released on January 13, 2026, following the discovery of the issue. Users are urged to update immediately, as a Proof of Concept is publicly available. Temporary workarounds include restricting workflow permissions and deploying n8n in a hardened environment.
2026-02-06 | CSO Online: Six more vulnerabilities found in n8n automation platform
Six vulnerabilities have been identified in the n8n automation platform, with four rated critical (CVSS 9.4). They include remote code execution, command injection, arbitrary file access, and cross-site scripting. These vulnerabilities pose risks as n8n is often deployed with access to sensitive information. Security experts highlighted issues with the sandboxing of user processes and the protection of the host from users with n8n access.
Hackers Exploiting React Server Components Vulnerability in the Wild to Deploy Malicious Payloads
Date: 2026-02-04 | Source: Cyber Security News
Hackers are exploiting CVE-2025-55182, a critical deserialization vulnerability in React Server Components, to deploy cryptominers and establish remote access. Between January 26 and February 2, 2026, over 1,083 unique sources targeted this flaw, with two IPs accounting for 56% of traffic. The vulnerability allows unauthenticated remote code execution. Affected versions include React 19.0.0 to 19.2.0; patched versions are 19.0.1, 19.1.2, and 19.2.1. Security teams are urged to patch or restrict access to development ports.
2026-02-04 | Cybersecurity Dive: React2Shell exploitation undergoes significant change in threat activity
A significant change in threat activity targeting the React2Shell vulnerability (CVE-2025-55182) has been observed, with over 1.4 million exploitation attempts detected in a week. Initially, attacks came from 1,083 unique sources, but now over half originate from just two IP addresses. The focus is on software development servers, posing risks to organizations exposing their infrastructure online. GreyNoise warns that unpatched organizations should assume they have been targeted. Additionally, new denial of service vulnerabilities (CVE-2026-23864) were disclosed.
2026-02-04 | CSO Online: Threat actors hijack web traffic after exploiting React2Shell vulnerability: Report
Threat actors are exploiting the React2Shell vulnerability in React server components to hijack web traffic, primarily targeting sites using the NGINX web server managed with Baota Panel. Researchers at Datadog Security Labs reported that affected organizations include those with top-level domains like .in, .id, .pe, .bd, .edu, .gov, and .th, as well as Chinese hosting infrastructure. The exploitation allows hackers to fingerprint web traffic, insert malware, or redirect users to phishing pages.
2026-02-04 | CSO Online: Threat actors hijack web traffic after exploiting React2Shell vulnerability
Threat actors are exploiting the React2Shell vulnerability in React server components to hijack web traffic. Researchers at Datadog Security Labs identified that the primary targets are sites using the NGINX web server managed with Baota Panel, particularly in Asia and Chinese hosting infrastructure. The exploitation allows hackers to fingerprint web traffic, insert malware, or redirect users to malicious landing pages to steal credentials.
2026-02-05 | The Hacker News: Malicious NGINX Configurations Enable Large-Scale Web Traffic Hijacking Campaign
Cybersecurity researchers revealed a web traffic hijacking campaign exploiting React2Shell (CVE-2025-55182, CVSS 10.0) targeting NGINX servers and Baota management panels. Attackers use malicious configurations to intercept traffic, redirecting it through their servers. The toolkit includes scripts for persistence and configuration manipulation, focusing on Asian TLDs and government domains. GreyNoise reported two IPs responsible for 56% of exploitation attempts, with distinct post-exploitation payloads indicating varied attack objectives.
2026-02-05 | Cyber Security News: Threat Actors Hacking NGINX Servers to Redirect Web Traffic to Malicious Servers
Threat actors are compromising NGINX servers, particularly those using the Baota management panel, to redirect web traffic to malicious sites. They modify legitimate configuration files, using the proxy_pass directive to route traffic through attacker-controlled servers. The campaign targets Asian TLDs and government/educational sites. Administrators are advised to check for unexpected proxy_pass directives pointing to known malicious domains, including xzz.pier46[.]com and ide.hashbank8[.]com.
2026-02-05 | TechRadar: NGINX servers hijacked in global campaign to redirect traffic
Attackers are hijacking NGINX server configurations, primarily targeting Asian government and education sectors, to reroute traffic through malicious infrastructure. This five-stage attack involves modifying configuration files to capture session tokens, cookies, and credentials without exploiting vulnerabilities. The stolen data can be used for phishing, malware injection, ad fraud, and proxying further attacks. Compromised servers can also be monetized or used to mask the origins of attacks against other targets.
CISA orders federal agencies to patch exploited SolarWinds bug by Friday
Date: 2026-02-03 | Source: Recorded Future
CISA has mandated that federal agencies patch the critical vulnerability CVE-2025-40551 in SolarWinds Web Help Desk by Friday. Discovered by Horizon3.ai, this vulnerability has a severity score of 9.8 and allows exploitation of the IT service management tool. It is linked to a previous vulnerability, CVE-2024-28986. SolarWinds released an update in version 2026.1 to address this and other security issues. CISA has included it in the Known Exploited Vulnerabilities list for urgent remediation.
2026-02-03 | Security Affairs: U.S. CISA adds SolarWinds Web Help Desk, Sangoma FreePBX, and GitLab flaws to its Known Exploited Vulnerabilities catalog
U.S. CISA has added vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2019-19006 (Sangoma FreePBX, improper authentication, CVSS 9.8), CVE-2021-39935 (GitLab, SSRF, CVSS 7.5), CVE-2025-40551 (SolarWinds Web Help Desk, deserialization, CVSS 9.8), and CVE-2025-64328 (Sangoma FreePBX, OS command injection, CVSS 8.6). Federal agencies must remediate these by February 24, 2026, with the SolarWinds flaw due by February 6, 2026.
2026-02-04 | The Hacker News: CISA Adds Actively Exploited SolarWinds Web Help Desk RCE to KEV Catalog
CISA added the critical vulnerability CVE-2025-40551 (CVSS 9.8) in SolarWinds Web Help Desk to its KEV catalog, noting it is actively exploited. This untrusted data deserialization flaw allows remote code execution without authentication. SolarWinds released fixes for this and other vulnerabilities (CVE-2025-40536, CVE-2025-40537, CVE-2025-40552, CVE-2025-40553, CVE-2025-40554). Federal agencies must address CVE-2025-40551 by February 6, 2026, under BOD 22-01.
2026-02-04 | Cyber Security News: CISA Warns of SolarWinds Web Help Desk RCE Vulnerability Exploited in Attacks
CISA issued an urgent warning about a critical remote code execution (RCE) vulnerability in SolarWinds Web Help Desk, tracked as CVE-2025-40551. This flaw allows attackers to execute arbitrary commands without authentication, posing significant risks. Organizations must apply patches by February 6, 2026, isolate affected systems, and monitor logs for unauthorized access. Successful exploitation could lead to data compromise, malware deployment, and persistent access. Immediate action is essential to mitigate risks.
2026-02-04 | Infosecurity Magazine: SolarWinds Web Help Desk Vulnerability Actively Exploited
A remote code execution vulnerability (CVE-2025-40551) in SolarWinds Web Help Desk is being actively exploited, as warned by CISA. It has a CVSS score of 9.8, allowing unauthenticated access to help-desk systems. CISA has mandated federal agencies to patch it by Friday. Three additional critical vulnerabilities (CVE-2025-40552, CVE-2025-40553, CVE-2025-40554) were also identified, all with CVSS scores of 9.8. Users are advised to update to Web Help Desk 2026.1 immediately.
2026-02-04 | The Register: Critical SolarWinds Web Help Desk bug under attack
Attackers are exploiting a critical vulnerability in SolarWinds Web Help Desk, CVE-2025-40551, which allows remote code execution. The flaw was disclosed and patched in version 2026.1 on January 28. CISA set a three-day deadline for federal agencies to apply the patch due to the serious threat. Previous vulnerabilities in the product have been targets for real-world attackers. No details on the attackers or their methods have been disclosed.
2026-02-05 | Cyber Security News: 170+ SolarWinds Help Desk Installations Vulnerable to RCE Attacks Exposed Online
Over 170 SolarWinds Web Help Desk installations are vulnerable to CVE-2025-40551, a critical RCE flaw with a CVSS score of 9.8, allowing unauthenticated remote code execution. Discovered by Horizon3.ai, the vulnerability affects versions prior to 2026.1 and has been added to CISA's Known Exploited Vulnerabilities catalog due to active exploitation. Organizations must update to version 2026.1 to mitigate risks, as the flaw enables complete system compromise without user interaction.
2026-02-05 | Cybersecurity Dive: Critical flaw in SolarWinds Web Help Desk under exploitation
A critical vulnerability in SolarWinds Web Help Desk, tracked as CVE-2025-40551, allows remote code execution due to unsafe deserialization of untrusted data, with a severity score of 9.8. Exploitation activity has been reported shortly after disclosure. The Cybersecurity and Infrastructure Security Agency added it to its Known Exploited Vulnerabilities catalog. SolarWinds advised users to upgrade to a patched version following the identification of about 170 vulnerable IPs.
From credentials to cloud admin in 8 minutes: AI supercharges AWS attack chain
Date: 2026-02-03 | Source: CSO Online
Threat actors exploited an exposed credential in a public S3 bucket to gain full administrative control of an AWS environment in under eight minutes, utilizing AI-assisted automation. This rapid attack, observed in November 2025, involved credential theft, privilege escalation, lateral movement, and GPU resource abuse, showcasing how AI has significantly shortened the cloud attack lifecycle, allowing defenders little time to respond. Findings were reported by Sysdig’s Threat Research Team.
2026-02-04 | Hack Read: Exposed AWS Credentials Lead to AI-Assisted Cloud Breach in 8 Minutes
On 28 November 2025, a cloud breach occurred within eight minutes due to exposed AWS credentials in a public S3 bucket. The attacker, utilizing AI tools, gained administrative access by exploiting a ReadOnlyAccess policy and injecting code into Lambda functions. They compromised 19 AWS principals and attempted to run costly AI models. Sysdig recommends preventing such breaches by avoiding public access keys and monitoring for unusual enumeration activities. The incident highlights the need for AI-aware cybersecurity defenses.
2026-02-04 | Cyber Security News: Hackers Using AI to Get AWS Admin Access Within 10 Minutes
In November 2025, threat actors exploited valid AWS credentials from publicly accessible S3 buckets, escalating to full administrative privileges in under 10 minutes using AI tools. They injected malicious code into AWS Lambda, compromised multiple IAM users, and provisioned costly EC2 instances. The attackers employed sophisticated evasion tactics and created a backdoor user. Recommendations include enforcing least privilege, restricting permissions, and enabling logging to mitigate such threats.
2026-02-04 | The Register: AWS intruder achieved admin access in under 10 minutes thanks to AI assist, researchers say
On November 28, a digital intruder accessed an AWS environment, escalating privileges to admin in under 10 minutes using AI tools. The attacker stole valid IAM credentials from public S3 buckets and exploited Lambda function code injection to gain access to 19 AWS identities. They invoked multiple AI models via Amazon Bedrock and accessed sensitive data. Recommendations include applying least privilege principles, restricting Lambda permissions, and ensuring S3 buckets are not publicly accessible.
Hackers Exploit Metro4Shell RCE Flaw in React Native CLI npm Package
Date: 2026-02-03 | Source: The Hacker News
Hackers are exploiting a critical RCE vulnerability (CVE-2025-11953, known as Metro4Shell) in the "@react-native-community/cli" npm package, first observed on December 21, 2025. With a CVSS score of 9.8, it allows remote unauthenticated command execution. Exploits involve a Base64-encoded PowerShell script that modifies Microsoft Defender settings and establishes a TCP connection to an attacker-controlled host. The attacks have been consistent, indicating operational use.
2026-02-03 | Security Affairs: Hackers abused React Native CLI flaw to deploy Rust malware before public disclosure
Hackers exploited a critical flaw in the React Native CLI Metro server (CVE-2025-11953) to deploy Rust malware before its public disclosure. This command injection vulnerability allows unauthenticated attackers to execute arbitrary commands via POST requests. Real-world exploitation was observed by VulnCheck starting December 21, 2025, with attackers using a multi-stage PowerShell loader to disable defenses and fetch payloads. The flaw remains underreported, posing risks to unprepared defenders.
2026-02-03 | Cyber Security News: Hackers Exploiting React Native’s Metro Server in the Wild to Attack Developers
Threat actors are exploiting CVE-2025-11953, a critical remote code execution vulnerability in React Native’s Metro Development Server, first detected on December 21, 2025. This vulnerability allows unauthenticated attackers to execute arbitrary commands on Windows and Linux systems. Organizations must upgrade to @react-native-community/cli version 20.0.0 or later. The vulnerability has a CVSS score of 9.8, yet remains under-discussed in public security discourse, highlighting a gap in vulnerability management awareness.
2026-02-03 | The Register: Critical React Native Metro dev server bug under attack as researchers scream into the void
A critical vulnerability in React Native's Metro development server, tracked as CVE-2025-11953, allows unauthenticated attackers to execute malicious commands on Windows and Linux systems. Discovered by JFrog researchers, it has a CVSS severity rating of 9.8. Exploitation attempts began in December, using a PowerShell loader that disables Microsoft Defender. Attacks originated from specific IP addresses, with payloads hosted on designated servers. The vulnerability remains underacknowledged despite active exploitation.
Paris prosecutors raid X offices in probe into child abuse images and deepfakes
Date: 2026-02-03 | Source: ABC News
French prosecutors raided the offices of X on October 16, 2023, as part of an investigation into alleged offenses, including the dissemination of child sexual abuse images and deepfakes. The inquiry, initiated in January 2022, involves charges of complicity in possession and distribution of pornographic images of minors and manipulation of automated data processing systems. Europol is assisting in the investigation, which was expanded after X's AI chatbot Grok generated Holocaust denial content.
2026-02-03 | The Guardian: French headquarters of Elon Musk’s X raided by Paris cybercrime unit
Prosecutors raided the French headquarters of Elon Musk’s platform X as part of a cybercrime investigation into alleged complicity in spreading child abuse images, deepfakes, and manipulating data processing systems. Musk and former CEO Linda Yaccarino were summoned for questioning. The investigation, initiated after a complaint about biased algorithms, expanded due to concerns over X's AI chatbot, Grok. X has rejected the allegations, calling the inquiry politically motivated and a distortion of French law.
2026-02-03 | Infosecurity Magazine: Cybercrime Unit of Paris Prosecutors Raid Elon Musk’s X Offices in France
On February 3, 2026, the Paris Prosecutor’s Office raided Elon Musk’s X offices as part of a preliminary investigation into alleged offenses, including operating an illegal online platform and fraudulent data extraction. The investigation, initiated in January 2025 after complaints regarding algorithm changes, expanded due to reports of X’s AI chatbot inappropriately handling images. Prosecutors noted an 81.4% drop in CSAM reports to NCMEC, leading to additional allegations of complicity in CSAM distribution. Musk and CEO Linda Yaccarino are scheduled for interviews on April 20, 2026.
2026-02-03 | The Guardian: UK privacy watchdog opens inquiry into X over Grok AI sexual deepfakes
The UK Information Commissioner’s Office (ICO) has launched investigations into X and xAI regarding compliance with data protection laws after Grok AI generated sexual deepfake images without consent. Concerns were raised about safeguards in Grok's design. ICO's William Malcolm highlighted the potential harm from unauthorized use of personal data, especially involving children. Ofcom is gathering evidence on X but is not investigating xAI, focusing instead on age verification for pornographic content.
2026-02-03 | The Register: X marks the raid: French cops swoop on Musk's Paris ops
French police raided X's Paris office as part of a criminal investigation into alleged algorithmic manipulation by foreign powers. The probe, initiated in January 2025, follows complaints from a French parliament member and a senior official. Investigators are examining claims of organized disruption of data processing systems and fraudulent data extraction. Potential charges include possession of child pornography and dissemination of deepfakes. Elon Musk and former CEO Linda Yaccarino are summoned for interviews in April 2026.
2026-02-03 | ABC News: Paris prosecutors raid X offices in probe into child abuse images and deepfakes
French prosecutors raided X's offices on October 16, 2023, as part of an investigation into alleged offenses, including the distribution of child sexual abuse images and deepfakes. The inquiry, initiated in January 2022, examines potential complicity in these activities and manipulation of data processing systems. Europol is assisting in the investigation. The probe was expanded after reports of biased algorithms and antisemitic content generated by Musk's AI chatbot, Grok, which has faced scrutiny for Holocaust denial.
2026-02-03 | Cyber Security News: French Authorities Raid X Office Following Cybercrime Allegations
French authorities raided X's Paris headquarters on February 3, 2026, as part of a cybercrime investigation into algorithmic manipulation and illicit content distribution. The probe, initiated on January 5, 2025, expanded due to allegations involving X's AI chatbot Grok disseminating harmful content. Investigators are examining fraudulent data extraction and the amplification of harmful content. X has not commented on the raid, which may lead to fines or operational restrictions in the EU.
2026-02-03 | Recorded Future: French police raid X offices in Paris and summon Musk for interview over child abuse material
French prosecutors raided the Paris offices of X on Tuesday as part of a criminal investigation into allegations that the platform facilitated the spread of child sexual abuse material. Elon Musk and CEO Linda Yaccarino have been summoned for voluntary interviews. The investigation includes concerns over nonconsensual sexualized images generated by X's chatbot Grok. Britain's ICO is also investigating the lawful processing of personal data and safeguards against harmful content. No charges have been filed yet.
2026-02-03 | Infosecurity Magazine: UK ICO Launches Investigation into X Over AI Generated Non-Consensual Sexual Imagery
The UK ICO has initiated an investigation into X (formerly Twitter) regarding AI-generated non-consensual sexual imagery produced by Grok, its AI assistant. Announced on February 3, the inquiry focuses on compliance with UK data protection laws and the potential risks to public safety. The ICO seeks urgent information from X about the use of personal data in generating harmful images. Legal experts emphasize the ICO's authority to enforce compliance and protect users' rights, especially concerning manipulated images.
2026-02-03 | DIGIT: ICO Opens Investigations Into X and xAI
The ICO has launched investigations into X and xAI regarding the processing of personal data linked to Grok's generation of non-consensual sexualized deepfake images. Concerns focus on compliance with UK data protection law and the adequacy of safeguards to prevent harm, especially to children. The ICO aims to assess whether XIUC and X.AI met their obligations in developing Grok. Ofcom is also investigating X for potential breaches of the Online Safety Act but is not examining xAI, as it does not fall under its regulatory scope.
2026-02-03 | CNET: French Police Search X Offices in Paris as UK Launches Investigation Into Grok
French police searched X's Paris offices as part of an investigation into the distribution of sexually explicit deepfakes and Holocaust denial content. Prosecutors summoned Elon Musk and former CEO Linda Yaccarino for questioning in April. Concurrently, the UK's Information Commissioner's Office launched an investigation into the xAI chatbot Grok for generating non-consensual sexual imagery, including of minors. This follows scrutiny from multiple countries regarding Grok's content.
2026-02-04 | Security Affairs: Paris raid on X focuses on child abuse material allegations
French prosecutors raided X's Paris offices on February 4, 2026, as part of a criminal investigation into allegations of facilitating child sexual abuse material. The probe, initiated in January, involves claims of illegal content and unauthorized data extraction. Elon Musk and CEO Linda Yaccarino are summoned for voluntary interviews in April. X denies wrongdoing, labeling the investigation as politically motivated. UK authorities are also examining sexual deepfakes generated by X's AI, Grok.