A fake 7-Zip website distributes a malicious installer that turns infected computers into residential proxy nodes. The campaign uses a trojanized version of the 7-Zip tool, which includes legitimate functionality but also installs proxy malware. The malware communicates with command-and-control (C2) servers using obfuscated messages and avoids detection by checking for virtualization and debuggers. The threat actor registered the domain 7zip[.]com, mimicking the legitimate 7-Zip website. The malware modifies firewall rules to allow inbound and outbound connections and collects system information, which is sent to a remote server. The campaign also involves trojanized installers for other popular applications like HolaVPN, TikTok, WhatsApp, and Wire VPN.

Microsoft has released the Windows 10 KB5075912 extended security update to address vulnerabilities, including six zero-days, and to continue rolling out replacements for expiring Secure Boot certificates. This update is available for Windows 10 Enterprise LTSC and ESU program participants. It fixes several known issues, including a problem preventing devices from shutting down or hibernating if System Guard Secure Launch is enabled. The update also includes changes to Chinese fonts to meet GB18030-2022A compliance and addresses a stability issue affecting certain GPU configurations. Microsoft has been warning about the expiration of multiple Windows Secure Boot certificates since June 2025, which could allow threat actors to bypass security protections if not updated. This update continues the phased rollout of new Secure Boot certificates to targeted systems.

Microsoft's February 2026 Patch Tuesday addresses 58 vulnerabilities, including 6 actively exploited zero-days and 3 publicly disclosed flaws. The updates also include fixes for 5 critical vulnerabilities and the rollout of updated Secure Boot certificates. The zero-days span various components, including Windows Shell, MSHTML Framework, Microsoft Word, Desktop Window Manager, Windows Remote Access Connection Manager, and Windows Remote Desktop Services. The updates also cover a range of other vulnerabilities, including elevation of privilege, security feature bypass, remote code execution, information disclosure, denial of service, and spoofing flaws. Additionally, Microsoft has begun rolling out updated Secure Boot certificates to replace expiring 2011 certificates. Other vendors, including Adobe, BeyondTrust, CISA, Cisco, Fortinet, Google, n8n, and SAP, have also released security updates or advisories.

Microsoft has released cumulative updates KB5077181 and KB5075941 for Windows 11. These updates address various issues and introduce new features, including enhancements to Secure Boot, Cross-Device Resume, MIDI services, Narrator, and Smart App Control. The updates also improve gaming, networking, and voice accessibility features.

North Korean state actors have been using fake or stolen identities to secure IT jobs in various companies, particularly in the blockchain and technology sectors. These actors have stolen virtual currency and funneled money to North Korea's weapons program. The practice has escalated with the rise of remote work and AI, enabling fraudsters to impersonate employees and gain privileged access to company networks. Labyrinth Chollima, a prolific North Korean-linked cyber threat group, has recently evolved into three distinct hacking groups: Labyrinth Chollima, Golden Chollima, and Pressure Chollima. Labyrinth Chollima continues to focus on cyber espionage, targeting industrial, logistics, and defense companies, while Golden Chollima and Pressure Chollima have shifted towards targeting cryptocurrency entities. Each group uses distinct toolsets in their malware campaigns, all evolutions of the same malware framework used by Labyrinth Chollima in the 2000s and 2010s. A joint investigation led by Mauro Eldritch, founder of BCA LTD, conducted together with threat-intel initiative NorthScan and ANY.RUN, uncovered a network of remote IT workers tied to Lazarus Group's Famous Chollima division. Researchers captured live activity of Lazarus operators on what they believed were real developer laptops, which were actually fully controlled, long-running sandbox environments created by ANY.RUN. Thousands of North Korean IT workers have infiltrated the job market over the past two years, exploiting vulnerabilities in hiring processes and remote work environments. Over 320 cases of North Korean operatives infiltrating companies by posing as remote IT workers were identified in August 2025. The Justice Department has shut down several laptop farms used by these actors, but the problem persists, with security experts warning of significant security risks and financial losses for affected companies. The U.S. Treasury's Office of Foreign Assets Control (OFAC) has recently sanctioned two individuals and two entities for their role in these schemes, identifying financial transfers worth nearly $600,000 and over $1 million in profits generated since 2021. Japan, South Korea, and the United States are collaborating to combat North Korean IT worker schemes. The three countries held a joint forum on August 26, 2025, in Tokyo to improve collaboration, with both Japan and South Korea issuing updated advisories on the threat. The United States sanctioned four entities for their roles in the IT worker fraud schemes, accusing them of working to help the Democratic People's Republic of Korea (DPRK) to generate revenue. Recently, five U.S. citizens pleaded guilty to assisting North Korea's illicit revenue generation schemes by enabling IT worker fraud. The scheme impacted more than 136 U.S. victim companies, generated more than $2.2 million in revenue for the DPRK regime, and compromised the identities of more than 18 U.S. persons. The US government has seized $15m worth of gains in Tether (USDT) from APT38 actors, seeking to return the funds to their rightful owners. North Korean IT recruiters target and lure developers into renting their identities for illicit fundraising. Famous Chollima, part of North Korea’s state-sponsored Lazarus group, uses deep fake videos and avoids appearing on camera during interviews. Legitimate engineers are recruited to act as figureheads in DPRK agents’ operations to secure remote jobs at targeted companies. Compromised engineers receive a percentage of the salary, between 20% and 35%, for the duration of the contract. DPRK agents use compromised engineers' computers as proxies for malicious activities to hide their location and traces. North Korean recruiters use AI-powered tools like AIApply, Simplify Copilot, Final Round AI, and Saved Prompts to autofill job applications and create resumes. The threat actor used Astrill VPN, a popular service among North Korean fake IT workers, for remote connections. The Famous Chollima team involved in this operation consisted of six members, who used the names Mateo, Julián, Aaron, Jesús, Sebastián, and Alfredo. The DPRK IT worker scheme is also tracked as Jasper Sleet, PurpleDelta, and Wagemole. The scheme aims to generate revenue, conduct espionage, and in some cases, demand ransoms. DPRK IT workers transfer cryptocurrency through various money laundering techniques, including chain-hopping and token swapping. Norwegian businesses have been impacted by IT worker schemes, with salaries likely funding North Korea's weapons and nuclear programs. A campaign dubbed Contagious Interview uses fake hiring flows to lure targets into executing malicious code. The campaign employs EtherHiding, a technique using blockchain smart contracts to host and retrieve command-and-control infrastructure. New variants of the Contagious Interview campaign use malicious Microsoft VS Code task files to execute JavaScript malware. The Koalemos RAT campaign involves malicious npm packages to deploy a modular JavaScript remote access trojan (RAT) framework.

Conduent, a business services provider, has confirmed that a data breach in 2024 impacted over 10.5 million individuals. The breach, initially disclosed in January 2025, affected government agencies in multiple US states. The attackers accessed Conduent's network on October 21, 2024, and were evicted on January 13, 2025. The compromised data includes names, addresses, dates of birth, Social Security numbers, health insurance details, and medical information. Conduent serves over 600 government and transportation organizations, and roughly half of Fortune 100 companies. The company has not provided an exact number of affected individuals, but breach notices indicate at least 10.5 million people were impacted, with the largest number in Oregon (10.5 million) and over 4 million in Texas. The Safepay ransomware group claimed responsibility for the attack in February 2025 and claimed to have stolen 8.5TB of data. Conduent provides services to several other states where specific data breach figures aren't published, potentially increasing the actual impact. As of October 24, 2025, there is no evidence that the stolen data has been misused. Additionally, Volvo Group North America disclosed that nearly 17,000 customers and/or staff had their personal details exposed in the Conduent data breach. Conduent is sending notifications to impacted parties, offering free membership to identity monitoring services for at least a year, along with credit and dark web monitoring, and identity restoration. Volvo Group North America has recently suffered a new data breach caused by a third-party supplier, Miljödata, exposing staff data such as full names and Social Security Numbers. The breach at Miljödata in August 2025 exposed the information of 1.5 million people, including Volvo Group employees in Sweden and the U.S. Ingram Micro, a major IT services provider, revealed a ransomware attack in July 2025 that affected over 42,000 individuals. The SafePay ransomware group was behind this attack, claiming to have stolen 3.5TB of documents. The attack triggered a massive outage and highlighted SafePay's growing activity as a significant ransomware threat.

Microsoft has started rolling out new Secure Boot certificates through monthly Windows updates to replace the original 2011 certificates that will expire in late June 2026. These certificates are crucial for ensuring that only trusted bootloaders can load on UEFI firmware, preventing malicious software like rootkits from executing during system startup. The update process involves firmware updates across millions of device configurations from various hardware manufacturers and OEMs. Devices that do not receive the updated certificates will enter a 'degraded security state' with limited boot-level protections. Microsoft advises customers to upgrade to Windows 11, as unsupported versions like Windows 10 will not receive the new certificates.

A high-volume phishing campaign using the Phorpiex malware has been observed delivering Global Group ransomware. The campaign employs emails with the subject line "Your Document" and weaponized Windows Shortcut (.lnk) files to initiate a multi-stage infection chain. The ransomware operates offline, generating encryption keys locally and avoiding command-and-control (C2) server communication, making it effective in isolated environments. The malware uses the ChaCha20-Poly1305 algorithm, appends the .Reco extension to encrypted files, and deletes itself after execution, complicating forensic analysis and recovery.

Microsoft 365 applications are experiencing an outage preventing some users, particularly administrators with business or enterprise subscriptions, from accessing the Microsoft 365 admin center in North America and Canada regions. The incident was acknowledged by Microsoft, which is reviewing telemetry data to identify the root cause and develop a remediation plan. The disruption follows two other major incidents last week that impacted Microsoft 365 services due to MFA issues and Azure Front Door CDN problems. Previous outages in September were caused by an Exchange Online coding bug.

A pre-built Tines workflow automates AWS incident investigation by integrating CLI data retrieval directly into the case management system. This eliminates manual data gathering, reduces Mean Time to Resolution (MTTR), and mitigates security risks associated with broad read-access to production environments. The workflow uses Tines agents to execute CLI commands securely and efficiently, providing analysts with immediate, formatted insights.

A new ransomware family, Reynolds, has been discovered with a built-in Bring Your Own Vulnerable Driver (BYOVD) component designed to disable Endpoint Detection and Response (EDR) security tools. The ransomware embeds the NsecSoft NSecKrnl driver, which is vulnerable to a known flaw (CVE-2025-68947), to terminate processes associated with various security programs. This integration allows the ransomware to evade detection and maintain persistence on compromised systems. The Reynolds ransomware campaign also involved the deployment of a suspicious side-loaded loader and the GotoHTTP remote access program, indicating a sophisticated attack strategy.

A new commercial spyware platform, ZeroDayRAT, is being advertised on Telegram, offering full remote control over compromised Android (versions 5–16) and iOS (up to version 26) devices. The malware provides extensive surveillance capabilities, including real-time tracking, data theft, and financial fraud. It can log app usage, SMS messages, and notifications, activate cameras and microphones, and steal cryptocurrency and banking credentials. ZeroDayRAT is marketed through Telegram channels and infections are initiated by persuading victims to install malicious binaries via smishing, phishing emails, counterfeit app stores, and links shared through WhatsApp or Telegram. The malware includes a dedicated web-based dashboard displaying device details, app usage, SMS messages, and live activity timeline. It also includes a crypto stealer and targets online banking apps, UPI platforms, and payment services like Apple Pay and PayPal. The malware is marketed as a complete mobile compromise toolkit, posing significant risks to both individuals and enterprises.

Threat actors are increasingly favoring stealthy persistence and evasion techniques to silently exfiltrate data for extortion. According to Picus Security's Red Report 2026, attackers are blending in with legitimate traffic and operating through trusted processes to stay hidden from network defenders. Process injection remains the top malicious technique, enabling attackers to hide malicious code inside legitimate applications. Additionally, attackers are routing command-and-control (C2) traffic through high-reputation services like OpenAI and AWS to evade detection. The use of 'data encrypted for impact' has dropped by 38% annually, indicating a shift towards silent data exfiltration. The report also highlights sophisticated evasion techniques such as LummaC2 infostealer malware, which uses trigonometry to detect sandbox environments and avoid detonation. Virtualization/sandbox evasion is now the fourth most prevalent MITRE ATT&CK technique observed.

Picus Labs' Red Report 2026 reveals a strategic shift in cyberattacks from disruptive ransomware to stealthy, long-term access. Analyzing 1.1 million malicious files and 15.5 million adversarial actions, the report highlights a decline in ransomware encryption and an increase in techniques focused on evasion, persistence, and credential theft. Attackers now prioritize remaining undetected, exploiting identities and trusted infrastructure for extended periods. The report underscores the rise of 'Digital Parasites'—malware that operates quietly, avoids detection, and maintains access without causing immediate disruption. This shift signifies a change in attacker success metrics, from immediate impact to prolonged dwell time. Credential theft, process injection, and evasion techniques are now dominant, with 80% of top ATT&CK techniques favoring stealth. The report also notes the limited impact of AI in malware, emphasizing that attackers are winning through stealth and patience rather than advanced AI techniques.

Microsoft plans to enhance the security of Entra ID authentication by implementing a strengthened Content Security Policy (CSP) starting in mid-to-late October 2026. This update will allow script downloads only from Microsoft-trusted content delivery network domains and inline script execution only from Microsoft-trusted sources during sign-ins. The policy aims to protect users against cross-site scripting (XSS) attacks, where attackers inject malicious code to steal credentials or compromise systems. The update will apply only to browser-based sign-in experiences at URLs beginning with login.microsoftonline.com, excluding Microsoft Entra External ID. Microsoft urges organizations to test sign-in scenarios before the deadline to identify and address dependencies on code-injection tools. IT administrators can review sign-in flows in the browser developer console to identify violations. Enterprise customers are advised to stop using browser extensions and tools that inject code or scripts into sign-in pages before the change takes effect. This move is part of Microsoft's Secure Future Initiative (SFI), launched in November 2023, following a report by the Cyber Safety Review Board of the U.S. Department of Homeland Security. The initiative also includes updates to Microsoft 365 security defaults to block access to SharePoint, OneDrive, and Office files via legacy authentication protocols, and the disabling of all ActiveX controls in Windows versions of Microsoft 365 and Office 2024 apps. Additionally, Microsoft has expanded its bug bounty program to cover all online services, including third-party and open-source components, if they impact Microsoft online services. The company has paid over $17 million in bounty awards to 344 security researchers over the last 12 months, and another $16.6 million to 343 security researchers during the previous year. Microsoft has deployed over 50 new detections in its infrastructure to target high-priority tactics, techniques, and procedures. The adoption of phishing-resistant multi-factor authentication (MFA) for users and devices has hit 99.6%. Microsoft has enforced Mandatory MFA across all services, including for all Azure service users. The company has also introduced Automatic recovery capabilities via Quick Machine Recovery, expanded passkey and Windows Hello support, and improved memory safety in UEFI firmware and drivers by using Rust. Microsoft has migrated 95% of Microsoft Entra ID signing VMs to Azure Confidential Compute and moved 94.3% of Microsoft Entra ID security token validation to its standard identity Software Development Kit (SDK). The company has discontinued the use of Active Directory Federation Services (ADFS) in its productivity environment and decommissioned 560,000 additional unused and aged tenants and 83,000 unused Microsoft Entra ID apps across Microsoft production and productivity environments. Microsoft has advanced threat hunting by centrally tracking 98% of production infrastructure, achieved complete network device inventory and mature asset lifecycle management, and almost entirely locked code signing to production identities. The company has published 1,096 CVEs, including 53 no-action cloud CVEs, and paid out $17 million in bounties. Microsoft plans to introduce smartphone-style app permission prompts in Windows 11 to request user consent before apps can access sensitive resources such as files, cameras, and microphones. The "Windows Baseline Security Mode" and "User Transparency and Consent" changes will prompt for permission when apps try to install unwanted software or access sensitive resources, allowing users to change their choices at any time. Baseline Security Mode will enable runtime integrity safeguards by default, ensuring that only properly signed apps, services, and drivers can run, but allowing users and IT administrators to override these safeguards for specific apps when needed.

Chinese state-sponsored APT actors have **dramatically escalated cyber operations against Taiwan and expanded into Southeast Asia**, with Taiwan’s National Security Bureau (NSB) reporting **960,620,609 intrusion attempts** in 2025—a **6% year-over-year increase** and **112.5% surge since 2023**. The **energy sector** faced a **tenfold spike in attacks**, while **emergency/hospital systems** saw a **54% rise**, including **ransomware deployments** disrupting operations in at least **20 hospitals** and stolen medical data sold on dark web forums. In **February 2026**, Singapore’s Cyber Security Agency (CSA) confirmed that **UNC3886**—a China-nexus APT group—executed a **deliberate cyber espionage campaign** against all four of Singapore’s major telecommunications operators (**M1, SIMBA Telecom, Singtel, StarHub**). The actors **weaponized a zero-day exploit** to bypass perimeter defenses, deployed **rootkits for persistence**, and exfiltrated **technical network data**, though no personal customer data was compromised. Singapore’s **Operation CYBER GUARDIAN**—the country’s **largest and longest-running anti-cyber threat effort**—successfully disrupted UNC3886’s access, engaged **over 100 investigators from six agencies**, and expanded monitoring to **banking, transport, and healthcare sectors** to prevent lateral movement. This campaign underscores the PRC’s **growing focus on Southeast Asian critical infrastructure** alongside its long-standing operations in Taiwan and North America. The campaigns, attributed to **BlackTech, Flax Typhoon, Mustang Panda, APT41, and UNC3886**, leverage **hardware/software vulnerabilities, DDoS, social engineering, and supply-chain compromises**, often correlating with **PLA military drills, political events, and visits by Taiwanese officials**. Taiwan’s NSB is now collaborating with **30+ countries** on joint investigations, while advisories from **CISA, NSA, and allies** warn of a shift from espionage to **potential disruptive capabilities**. Earlier phases targeted **U.S. government agencies (CBO, Treasury, CFIUS)**, **European telecoms**, and global critical infrastructure via exploits in **Cisco, Ivanti, Palo Alto, and Citrix devices**.

The UK’s National Cyber Security Centre (NCSC) reported 204 nationally significant cyber incidents between September 2024 and August 2025, a 130% increase from the previous year. Recent high-profile attacks on Marks & Spencer, the Co-op Group, and Jaguar Land Rover highlighted the real-world impact of cyber threats. The NCSC emphasized the need for urgent action from business leaders to enhance cybersecurity defenses. The UK government urged senior executives to better prepare for cyber-attacks. The NCSC's 2025 Annual Review included a letter from the CEO of the Co-op Group, emphasizing the responsibility of senior leaders in protecting their businesses. The NCSC launched the Cyber Action Toolkit to help small organizations improve their cyber defenses. Additionally, the NCSC issued an alert to critical national infrastructure (CNI) providers about severe cyber threats targeting CNI, following coordinated cyber-attacks on Poland's energy infrastructure in December.

ZAST.AI, a startup specializing in AI-powered code security, has raised $6 million in Pre-A funding from Hillhouse Capital. The company's technology focuses on eliminating false positives in security alerts by automatically generating and validating Proof-of-Concept (PoC) exploits for vulnerabilities. In 2025, ZAST.AI discovered hundreds of zero-day vulnerabilities in popular open-source projects, leading to 119 CVE assignments. The funding will be used for R&D, product expansion, and global market development.

Threat actors, assessed to be China-based Storm-2603, have started using the Velociraptor digital forensics and incident response (DFIR) tool in ransomware attacks deploying LockBit and Babuk ransomware. The attackers exploited a privilege escalation vulnerability in an outdated version of Velociraptor to gain persistent access and control over virtual machines. The campaign involved creating local admin accounts, disabling security features, and using fileless PowerShell encryptors for data exfiltration and encryption. The ransomware deployed on Windows systems was identified as LockBit, while a Linux binary detected as Babuk ransomware was found on VMware ESXi systems. Storm-2603 initially exploited SharePoint vulnerabilities in July 2025 and deployed Warlock, LockBit, and Babuk ransomware on VMware ESXi servers in August 2025. Sophos CTU researchers first documented Velociraptor abuse by Storm-2603 on August 5, 2025. Storm-2603 used the ToolShell exploit to gain initial access and deployed an outdated version of Velociraptor (version 0.73.4.0) that is susceptible to a privilege escalation vulnerability (CVE-2025-6264) to enable arbitrary command execution and endpoint takeover. The group also used Smbexec to remotely launch programs using the SMB protocol and modified Active Directory (AD) Group Policy Objects (GPOs) to disable real-time protection. Storm-2603 established the infrastructure for the AK47 C2 framework in March 2025 and created the first prototype of the tool the next month. The group pivoted from LockBit-only deployment to dual LockBit/Warlock deployment in April 2025 and used the ToolShell exploit as a zero-day in July 2025. Storm-2603 demonstrated operational flexibility and sophisticated builder expertise using leaked and open-source ransomware frameworks. In a recent breach, SmarterTools confirmed that the Warlock ransomware gang breached its network on January 29, 2026, via a single SmarterMail virtual machine (VM) set up by an employee. The vulnerability exploited in the attack to gain access is CVE-2026-23760, an authentication bypass flaw in SmarterMail before Build 9518, which allows resetting administrator passwords and obtaining full privileges. The attackers moved laterally from that one vulnerable VM via Active Directory, using Windows-centric tooling and persistence methods. The ransomware operators waited roughly a week after gaining initial access, the final stage being encryption of all reachable machines. Sentinel One security products reportedly stopped the final payload from performing encryption, the impacted systems were isolated, and data was restored from fresh backups. Tools used in the attacks include Velociraptor, SimpleHelp, and vulnerable versions of WinRAR, while startup items and scheduled tasks were also used for persistence. ReliaQuest reported that Storm-2603 chains CVE-2026-23760 access with the software’s built-in 'Volume Mount' feature to gain full system control. ReliaQuest also saw probes for CVE-2026-24423, another SmarterMail flaw flagged by CISA as actively exploited by ransomware actors, although the primary vector was CVE-2026-23760.

Two malware strains were discovered in an organization's network after attackers exploited two zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). The vulnerabilities, CVE-2025-4427 and CVE-2025-4428, allow for authentication bypass and remote code execution, respectively. Attackers used these flaws to gain access to the EPMM server, execute arbitrary code, and maintain persistence. The attack began around May 15, 2025, following the publication of a proof-of-concept exploit. The malware sets include loaders that enable arbitrary code execution and data exfiltration. The vulnerabilities affect Ivanti EPMM development branches 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0 and their earlier releases. A China-nexus espionage group was leveraging the vulnerabilities since at least May 15, 2025. The threat actor targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests and used the ?format= parameter to send malicious remote commands. The malware sets include distinct loaders with the same name, and malicious listeners that allow injecting and running arbitrary code on the compromised system. The threat actor delivered the malware through separate HTTP GET requests in segmented, Base64-encoded chunks. Organizations are advised to update their EPMM instances, monitor for suspicious activity, and implement access restrictions to prevent unauthorized access to mobile device management systems. Ivanti has disclosed two additional critical vulnerabilities, CVE-2026-1281 and CVE-2026-1340, which were exploited in zero-day attacks. These code-injection vulnerabilities allow remote attackers to execute arbitrary code on vulnerable devices without authentication. Ivanti has released RPM scripts to mitigate the vulnerabilities and advises applying them as soon as possible. The vulnerabilities will be permanently fixed in EPMM version 12.8.0.0, scheduled for release later in Q1 2026. CISA has added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation. The vulnerabilities affect EPMM versions 12.5.0.0 and prior, 12.6.0.0 and prior, and 12.7.0.0 and prior (Fixed in RPM 12.x.0.x), and EPMM 12.5.1.0 and prior and 12.6.1.0 and prior (Fixed in RPM 12.x.1.x). The RPM patch does not survive a version upgrade and must be reapplied if the appliance is upgraded to a new version. The vulnerabilities affect the In-House Application Distribution and the Android File Transfer Configuration features and do not affect other products, including Ivanti Neurons for MDM, Ivanti Endpoint Manager (EPM), or Ivanti Sentry. Successful exploitation of the EPMM appliance will enable arbitrary code execution on the appliance and allow lateral movement to the connected environment. EPMM contains sensitive information about devices managed by the appliance. Legitimate use of the capabilities will result in 200 HTTP response codes in the Apache Access Log, whereas successful or attempted exploitation will cause 404 HTTP response codes. Customers are advised to review EPMM administrators for new or recently changed administrators, authentication configuration, new push applications for mobile devices, configuration changes to applications, new or recently modified policies, and network configuration changes. In the event of compromise, users are advised to restore the EPMM device from a known good backup or build a replacement EPMM and then migrate data to the device. After restoring, users should reset the password of any local EPMM accounts, reset the password for the LDAP and/or KDC service accounts, revoke and replace the public certificate used for EPMM, and reset the password for any other internal or external service accounts configured with the EPMM solution. The Dutch Data Protection Authority (AP) and the Council for the Judiciary confirmed that their systems were impacted by cyber attacks exploiting Ivanti EPMM vulnerabilities. Work-related data of AP employees, including names, business email addresses, and telephone numbers, were accessed by unauthorized persons. The European Commission identified traces of a cyber attack that may have resulted in access to names and mobile numbers of some of its staff members. Finland's state information and communications technology provider, Valtori, disclosed a breach that exposed work-related details of up to 50,000 government employees. The attacker gained access to information used in operating the service, including names, work email addresses, phone numbers, and device details. Investigations showed that the management system did not permanently delete removed data but only marked it as deleted, potentially compromising device and user data belonging to all organizations that have used the service during its lifecycle.

Fortinet has released patches for a **new critical SQL injection vulnerability (CVE-2026-21643, CVSS 9.1)** in FortiClientEMS, which allows unauthenticated attackers to execute arbitrary code via crafted HTTP requests. The flaw affects FortiClientEMS 7.4.4 (fixed in 7.4.5) but does not impact versions 7.2 or 8.0. This follows Fortinet’s recent emergency updates for **CVE-2026-24858**, a critical FortiCloud SSO authentication bypass flaw (CVSS 9.4) actively exploited to create admin accounts, modify firewall configurations, and exfiltrate data. Over 25,000 Fortinet devices with FortiCloud SSO enabled remain exposed, with CISA mandating patches for federal agencies by January 30, 2026. Fortinet has also confirmed that CVE-2026-24858 was exploited via malicious FortiCloud accounts ('[email protected]', '[email protected]') to breach fully patched devices, prompting global SSO restrictions until fixes were deployed. The vulnerabilities stem from improper input validation (SQLi in FortiClientEMS; authentication bypass in FortiCloud SSO) and have been linked to automated attacks since January 15, 2026. Fortinet advises disabling FortiCloud SSO until patches are applied, restricting management interface access, and treating compromised systems as fully breached—requiring credential rotation and configuration restoration from clean backups. Patches for CVE-2026-24858 are available in FortiOS 7.4.11, FortiManager 7.4.10, and FortiAnalyzer 7.4.10, with additional fixes planned for older versions.

Pro-Russia hacktivist groups are conducting opportunistic, low-sophistication cyberattacks against U.S., UK, and global critical infrastructure. These attacks target a wide range of sectors, including water treatment facilities, food production, energy systems, and local government bodies, using easily repeatable methods. The groups exploit minimally secured, internet-facing virtual network computing (VNC) connections to gain unauthorized access to operational technology (OT) control devices. The joint advisory from CISA, FBI, NSA, and global partners, along with a recent warning from the UK National Cyber Security Centre (NCSC), urges immediate action to mitigate these threats. The advisory highlights the use of basic methods to target supervisory control and data acquisition (SCADA) networks, sometimes combined with DDoS attacks. The cumulative impact of these activities poses a persistent and disruptive threat to essential services. According to a new report, groups such as Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), and Sector16 are using simple reconnaissance tools and common password-guessing techniques to reach internet-facing human-machine interfaces. These groups have led to physical impacts in some cases, including temporary loss of view and costly manual recovery efforts. The NCSC warns of continued malicious activity from Russian-aligned hacktivist groups targeting critical infrastructure and local government organizations in the UK with disruptive denial-of-service (DDoS) attacks. The NCSC notes that NoName057(16) operates the DDoSia project, a platform that allows volunteers to contribute computing resources to carry out crowdsourced DDoS attacks and receive monetary rewards or recognition from the community. Operation Eastwood disrupted NoName057(16)'s activity in mid-July 2025 by arresting two members of the group, issuing eight arrest warrants, and taking down 100 servers. Despite these efforts, the group has returned to action, highlighting the evolving threat they pose. Recent developments indicate that attackers are growing more interested in and accustomed to dealing with industrial machines, potentially leading to more sophisticated OT attacks. Ric Derbyshire, principal security engineer at Orange Cyberdefense, will demonstrate 'living-off-the-plant' attacks at the RSA Conference 2026, which require a holistic understanding of the physical process, OT systems, network architecture, security controls, and human interactions.

TeamPCP, a threat cluster active since November 2025, has conducted a worm-driven campaign targeting cloud-native environments to build malicious infrastructure. The campaign, observed around December 25, 2025, leveraged exposed Docker APIs, Kubernetes clusters, Ray dashboards, Redis servers, and the React2Shell vulnerability (CVE-2025-55182) to compromise servers for data exfiltration, ransomware deployment, extortion, and cryptocurrency mining. The group operates as a cloud-native cybercrime platform, using misconfigured cloud services and known vulnerabilities to create a self-propagating criminal ecosystem. TeamPCP's activities include deploying various payloads such as proxy.sh, scanner.py, kube.py, react.py, and pcpcat.py to exploit and expand their reach within cloud environments. The group's operations are opportunistic, targeting AWS, Microsoft Azure, Google, and Oracle cloud environments, and have resulted in data leaks and extortion activities. The group has compromised at least 60,000 servers worldwide and has exfiltrated more than two million records from JobsGO, a recruitment platform in Vietnam.

SolarWinds has released security updates to address multiple critical vulnerabilities in SolarWinds Web Help Desk, including CVE-2025-40536, CVE-2025-40537, CVE-2025-40551, CVE-2025-40552, CVE-2025-40553, and CVE-2025-40554. These vulnerabilities could result in authentication bypass and remote code execution (RCE). CVE-2025-40551 is actively exploited in attacks and has been added to CISA's KEV catalog. SolarWinds Web Help Desk is used by more than 300,000 customers worldwide, including government agencies, large corporations, healthcare organizations, and educational institutions. SolarWinds has previously released a third patch to address a critical deserialization vulnerability (CVE-2025-26399) in Web Help Desk 12.8.7 and earlier versions. This flaw allows unauthenticated remote code execution (RCE) on affected systems. The vulnerability was discovered by an anonymous researcher and reported through Trend Micro's Zero Day Initiative (ZDI). The flaw is a patch bypass for CVE-2024-28988, which itself was a bypass for CVE-2024-28986. The original vulnerability was exploited in the wild and added to the KEV catalog by CISA. SolarWinds advises users to update to version 12.8.7 HF1 to mitigate the risk. SolarWinds Web Help Desk is a help desk and ticketing suite used by medium-to-large organizations for IT support request tracking, workflow automation, asset management, and compliance assurance. The vulnerability affects the AjaxProxy component, and the hotfix requires replacing specific JAR files. Microsoft has revealed that it observed a multi-stage intrusion that involved the threat actors exploiting internet-exposed SolarWinds Web Help Desk (WHD) instances to obtain initial access and move laterally across the organization's network to other high-value assets. The attackers used legitimate components associated with Zoho ManageEngine to enable persistent remote control over the infected system. They enumerated sensitive domain users and groups, established persistence via reverse SSH and RDP access, and conducted a DCSync attack to request password hashes and other sensitive information from an Active Directory (AD) database. Threat actors have been exploiting CVE-2025-40551 and CVE-2025-26399 to deploy legitimate tools for malicious purposes, such as Zoho ManageEngine and Velociraptor. The attackers targeted at least three organizations and leveraged Cloudflare tunnels for persistence. The malicious activity was spotted by researchers at Huntress Security and is believed to be part of a campaign that started on January 16. The attackers used Velociraptor for command and control (C2) and Zoho ManageEngine for remote monitoring and management. The attackers installed the Zoho ManageEngine Assist agent via an MSI file fetched from the Catbox file-hosting platform and configured the tool for unattended access. They registered the compromised host to a Zoho Assist account tied to an anonymous Proton Mail address. The attackers used Velociraptor as a command-and-control (C2) framework that communicates with attackers via Cloudflare Workers. The attackers used an outdated version of Velociraptor (0.73.4), which is vulnerable to a privilege escalation flaw. The attackers installed Cloudflared from Cloudflare's official GitHub repository as a secondary tunnel-based access channel for C2 redundancy. The attackers disabled Windows Defender and Firewall via registry modifications to ensure that fetching additional payloads would not be blocked. The attackers downloaded a fresh copy of the VS Code binary approximately a second after disabling Defender. System administrators are recommended to upgrade SolarWinds Web Help Desk to version 2026.1 or later, remove public internet access to SolarWinds WHD admin interfaces, and reset all credentials associated with the product.

A critical zero-click remote code execution (RCE) vulnerability in Claude Desktop Extensions (DXT) allows attackers to compromise systems via malicious Google Calendar events. The flaw, rated CVSS 10.0, affects over 10,000 users. Anthropic, the developer, declined to fix it, stating it falls outside their threat model. The vulnerability arises from the lack of security boundaries in the Model Context Protocol (MCP) used by Claude DXT, which executes with full system privileges.

Printers in enterprise environments often lack proper security measures due to misaligned ownership and budgeting. Despite being significant endpoints, they are frequently managed for cost and uptime rather than security, leaving them vulnerable to exploitation. Leadership must address organizational challenges before implementing technical solutions.

Two Connecticut men, Amitoj Kapoor and Siddharth Lillaney, have been charged with defrauding FanDuel and other online gambling sites of $3 million over several years using stolen identities of approximately 3,000 victims. The scheme involved purchasing stolen personally identifiable information (PII) from darknet markets and Telegram, creating fraudulent accounts, and exploiting promotional bonuses. The defendants used background-check services to verify identities and organized stolen data in a spreadsheet. They transferred winnings to virtual stored-value cards and moved fraudulent proceeds to their bank and investment accounts. The indictment was returned by a federal grand jury in New Haven on February 3, 2026, and the defendants were released on a $300,000 bond each pending further proceedings.

VoidLink is a Linux-based command-and-control (C2) framework capable of long-term intrusion across cloud and enterprise environments. The malware generates implant binaries designed for credential theft, data exfiltration, and stealthy persistence on compromised systems. VoidLink combines multi-cloud targeting with container and kernel awareness in a single Linux implant, fingerprinting environments across major cloud providers and adjusting its behavior based on what it finds. The implant harvests credentials from environment variables, configuration files, and metadata APIs, and profiles security controls, kernel versions, and container runtimes before activating additional modules. VoidLink employs a modular plugin-based architecture that loads functionality as needed, including credential harvesting, environment fingerprinting, container escape, Kubernetes privilege escalation, and kernel-level stealth. The malware uses AES-256-GCM over HTTPS for encrypted C2 traffic, designed to resemble normal web activity. VoidLink stands out for its apparent development using a large language model (LLM) coding agent with limited human review, as indicated by unusual development artifacts such as structured "Phase X:" labels, verbose debug logs, and documentation left inside the production binary. The research concludes that VoidLink is not a proof-of-concept but an operational implant with live infrastructure, highlighting how AI-assisted development is lowering the barrier to producing functional, modular, and hard-to-detect malware.

Attackers are leveraging contextual language from organizations' public-facing content to create targeted password wordlists, significantly improving their success rates in credential attacks. Tools like CeWL, an open-source web crawler, extract relevant terminology from websites, which attackers then transform into plausible password guesses. This method bypasses standard complexity requirements and exploits users' tendency to incorporate familiar organizational language into their passwords. The effectiveness of this approach lies in its relevance to the organization's internal vocabulary, making it more likely to match users' password patterns. Defenders are advised to implement controls that block context-derived and known-compromised passwords, enforce longer passphrases, and enable multi-factor authentication (MFA) to mitigate these attacks.

BeyondTrust has patched a critical pre-authentication remote code execution (RCE) vulnerability (CVE-2026-1731, CVSS 9.9) in Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw could allow unauthenticated attackers to execute OS commands in the context of the site user, leading to unauthorized access, data exfiltration, and service disruption. The vulnerability affects RS versions 25.3.1 and prior, and PRA versions 24.3.4 and prior. Patches are available in RS versions 25.3.2 and later, and PRA versions 25.1.1 and later. Self-hosted customers must manually apply updates if not subscribed to automatic updates. The vulnerability was discovered on January 31, 2026, with approximately 11,000 exposed instances identified, including around 8,500 on-prem deployments. BeyondTrust secured all RS/PRA cloud systems by February 2, 2026. The flaw was discovered by Harsh Jaiswal and the Hacktron AI team. Threat actors can exploit the flaw through maliciously crafted client requests in low-complexity attacks that do not require user interaction. In June 2025, BeyondTrust fixed a high-severity RS/PRA Server-Side Template Injection vulnerability.