The Cybersecurity and Infrastructure Security Agency (CISA) has added six security vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. One of them is a recently patched remote code execution (RCE) vulnerability (CVE-2025-40551) in SolarWinds Web Help Desk. The other five exploited issues are CVE-2026-24423, a missing authentication vulnerability in SmarterTools SmarterMail; CVE-2025-11953, an OS command injection flaw in the React Native Community CLI; CVE-2019-19006 and CVE-2025-64328, both affecting Sangoma FreePBX; and CVE-2021-39935, an SSRF in GitLab Community and Enterprise Editions.
A Russia-linked state-sponsored hacking group known as APT28 (also tracked as UAC-0001) has been linked to a new wave of cyberattacks exploiting a recently disclosed vulnerability in Microsoft Office, according to findings from Zscaler ThreatLabz. The report follows a security alert from Ukraine’s cybersecurity authorities detailing likely the same campaign. The campaign, dubbed Operation Neusploit, was observed on January 29, 2026, just three days after Microsoft revealed the flaw. The vulnerability, tracked as CVE-2026-21509, is a security feature bypass that allows attackers to trigger malicious behavior using specially crafted Office files.
A separate report from Trellix details some additional findings. The researchers said that the activity targeted maritime, transportation, and diplomatic organizations across several countries, including Poland, Turkey, Greece, and the UAE. The campaign involved a multi-stage infection chain and novel payloads, including a simple initial loader, an Outlook VBA backdoor (NotDoor), and a custom C++ implant dubbed “BeardShell.”
Hackers are actively targeting software developers by exploiting a critical vulnerability in the Metro server for React Native, tracked as CVE-2025-11953, to deliver malicious payloads on Windows and Linux systems.
Rapid7 Labs has detailed a cyber-espionage campaign involving a Notepad++ supply-chain attack attributed with moderate confidence to the Chinese advanced persistent threat (APT) group Lotus Blossom. On February 2, the Notepad++ maintainer revealed that state-sponsored attackers compromised the project’s update infrastructure, redirecting some users to malicious servers. Rapid7 said that the attackers abused the compromised infrastructure to deliver a previously undocumented backdoor called 'Chrysalis,' along with custom loaders such as ConsoleApplication2.exe that use Microsoft’s Warbird protection framework to hide malicious activity.
A China-aligned threat actor known as “Amaranth Dragon” has conducted cyber-espionage campaigns targeting government and law enforcement agencies in Southeast Asia. The group exploited a critical WinRAR zero-day vulnerability (CVE-2025-8088) that abuses Windows Alternate Data Streams to write malicious files to arbitrary locations, achieving persistence by placing malware in the Windows Startup folder.
A coordinated reconnaissance campaign has targeted Citrix NetScaler infrastructure, using tens of thousands of residential proxy IPs to locate exposed login panels and enumerate product versions, GreyNoise warned. Observed between January 28 and February 2, the activity appears deliberate and systematic, suggesting pre-exploitation infrastructure mapping likely aimed at preparing or validating version-specific exploits against known Citrix ADC vulnerabilities.
In a separate report, GreyNoise noted that threat actors are exploiting the CVE-2025-55182 (React2Shell) vulnerability to deploy web shells and cryptocurrency miners.
A threat actor is compromising NGINX servers to hijack user traffic and reroute it through attacker-controlled infrastructure. The activity, uncovered by DataDog Security Labs, targets NGINX installations and Chinese Baota hosting management panels. The attackers modify legitimate NGINX configuration files by injecting malicious “location” blocks. The blocks capture requests for specific URL paths and forward them via the standard proxy_pass directive to backend servers controlled by the attackers.
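One way to audit a deployment for the kind of injected block described above, as an added example that is not part of the original reporting or of Datadog’s tooling: it extracts every location block from an NGINX config and flags any proxy_pass target that is not in an allowlist of known backends. The sample config, the allowlist and the 203.0.113.45 upstream are constructed for the example.

```python
import re

# Constructed sample config: a legitimate site with one expected API backend
# and one attacker-style location block proxying a path to an external host.
SAMPLE_NGINX_CONF = """
server {
    listen 80;
    server_name example.test;
    root /var/www/html;

    location / {
        try_files $uri $uri/ =404;
    }

    location /api/ {
        proxy_pass http://127.0.0.1:8080;
    }

    location /checkout {
        proxy_pass http://203.0.113.45:8443;
    }
}
"""

# Backends this deployment is expected to proxy to (an allowlist you maintain).
KNOWN_UPSTREAMS = {"127.0.0.1:8080"}

# Matches "location [modifier] <path> { ... }" for blocks without nested braces;
# locations containing nested if/limit_except blocks are not handled here.
LOCATION_RE = re.compile(r"location\s+(?:[=~*^]+\s+)?([^\s{]+)\s*\{([^{}]*)\}", re.S)
PROXY_RE = re.compile(r"proxy_pass\s+(\S+?);")

def proxied_locations(conf):
    """Return (path, upstream host:port) for every location that uses proxy_pass."""
    results = []
    for path, body in LOCATION_RE.findall(conf):
        for target in PROXY_RE.findall(body):
            host = re.sub(r"^\w+://", "", target).split("/", 1)[0]  # drop scheme and URI part
            results.append((path, host))
    return results

def suspicious_locations(conf, known=KNOWN_UPSTREAMS):
    """Flag location blocks whose proxy_pass host is not in the known-upstream set."""
    return [(p, h) for p, h in proxied_locations(conf) if h not in known]

if __name__ == "__main__":
    for path, host in suspicious_locations(SAMPLE_NGINX_CONF):
        print(f"unexpected proxy_pass in location {path!r} -> {host}")
```

Run it against the files under /etc/nginx (including anything pulled in via include) and compare the flagged upstreams with what your deployment is supposed to talk to.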
SafeBreach published the second part (following part 1) of its in-depth analysis of the Iranian state-sponsored threat actor known as “Infy” or “Prince of Persia.”
Threat hunters have uncovered a malware campaign dubbed DEAD#VAX that delivers the AsyncRAT malware via IPFS-hosted VHD files, heavy script obfuscation, runtime decryption, and in-memory injection into trusted processes. Securonix researchers note that it never writes a decrypted payload to disk; instead, the final payload is delivered as encrypted x64 shellcode, injected directly into trusted Windows processes and executed entirely in memory.
The US FBI, CISA, and the UK’s NCSC issued a joint advisory detailing how threat actors linked to hostile nation-states exploit unsupported edge devices to gain access to networks and compromise data.
Cloudflare detected a record-breaking DDoS attack, which it attributed to the AISURU/Kimwolf botnet. The attack, which took place in November 2025, peaked at 31.4 Tbps and lasted 35 seconds. The botnet has driven a surge in hyper-volumetric HTTP DDoS attacks in late 2025, including the “Night Before Christmas” campaign, which saw sustained attacks reaching up to 24 Tbps, 9 billion packets per second, and 205 million requests per second.
A long-running malware operation known as SystemBC has been linked to more than 10,000 infected IP addresses worldwide. First spotted in 2019, SystemBC (aka Coroxy or DroxiDat) is a multi-platform proxy malware that turns compromised systems into SOCKS5 relays. The relays allow threat actors to route malicious traffic through victim machines, masking their own infrastructure while maintaining persistent access to internal networks. In some cases, SystemBC infections have also been observed deploying additional malware.
More than three hundred malicious packages targeting the personal AI assistant OpenClaw (formerly known as ClawdBot and Moltbot) were published in less than a week on the project’s official registry ClawHub and on GitHub. Masquerading as legitimate cryptocurrency trading automation tools, the packages, known as “skills,” deliver data-stealing malware.
Recorded Future’s Insikt Group has uncovered Rublevka Team, a large-scale cybercriminal operation focused on cryptocurrency theft. Active since 2023, the group has made over $10 million through affiliate-driven wallet-draining campaigns. Operating as a “traffer team,” Rublevka Team relies on thousands of social engineering specialists to funnel victims to spoofed crypto websites. Rublevka Team uses custom JavaScript on fake landing pages to trick users into connecting wallets and approving fraudulent transactions.
The Sysdig Threat Research Team (TRT) said it observed a swift attack on an AWS cloud environment, where a hacker went from initial access to full admin rights in under 10 minutes. The attack was unusual for its speed and for using large language models (LLMs) to help automate tasks, write malicious code, and make decisions in real time. The hacker gained access using exposed credentials in public S3 buckets, quickly escalated privileges by injecting code into Lambda functions, moved across 19 AWS accounts, exploited Amazon Bedrock for LLM misuse, and launched GPU instances for model training.
Ransomware operators are exploiting virtual machines (VMs) provided by ISPsystem to host and distribute malware at scale. Sophos researchers, investigating recent ‘WantToCry’ ransomware attacks, found attackers using Windows VMs with identical hostnames, likely from ISPsystem’s default VM templates. The hostnames appeared across multiple ransomware groups, including LockBit, Qilin, Conti, BlackCat/ALPHV, Ursnif, and malware campaigns like the RedLine and Lumma info-stealers.
A threat actor is actively exploiting misconfigured MongoDB databases exposed to the internet, wiping the contents and demanding low ransoms to restore access. According to researchers at cybersecurity firm Flare, around 1,400 MongoDB servers have already been compromised in automated attacks that typically demand about $500 in Bitcoin from victims.
Socket researchers have uncovered a supply chain attack targeting the Open VSX Registry, where threat actors hijacked a legitimate developer’s account to distribute malicious updates through trusted extensions. The malicious extensions were designed to deploy GlassWorm, a loader capable of decrypting and executing payloads at runtime while using the EtherHiding technique to retrieve command-and-control (C&C) infrastructure.
As part of Operation Vicentius, Spain’s Guardia Civil has identified 12 suspects linked to fraud, money laundering, and unauthorized access to computer systems. Authorities allege the group ran fraudulent cryptocurrency investment platforms and used remote access software to empty victims’ bank accounts and take out loans in their names, resulting in estimated losses of €442,650. The stolen funds were allegedly transferred to accounts in Denmark, Lithuania, the United Kingdom, and China.
A Taiwanese national, Rui-Siang Lin, was sentenced to 30 years in US prison for operating one of the major Dark Web drug marketplaces, Incognito Market, that facilitated hundreds of thousands of drug transactions. Lin, who pleaded guilty in December 2024, oversaw the platform’s vendors, customers, and staff, earning commissions and fees that helped generate millions in illegal sales. He was also ordered to forfeit over $105 million and serve five years of supervised release.
Authorities from several countries, along with Eurojust and Europol, dismantled multiple illegal streaming services. Investigations traced an international criminal group of 31 suspects responsible for distributing pay-TV content without authorization, committing computer fraud, and laundering millions of euros through cryptocurrency and shell companies. In parallel, the US authorities seized the internet domains for three major piracy sites (Zamunda.net, ArenaBG.com, and Zelka.org) operated from Bulgaria that provided pirated copies of movies, TV shows, and video games.
Substack, a popular publishing platform for academics, journalists, and experts, experienced a data breach affecting an unknown number of creators and subscribers. The company discovered on February 3 that a third party exploited a system vulnerability in October 2025, accessing email addresses, phone numbers, and other internal metadata. No financial information, passwords, or credit card data were exposed, and there is no evidence of misuse, the company said. The statement comes after a threat actor on a cybercrime forum claimed to have stolen nearly 700,000 records.
Coinbase has confirmed an insider data breach after a contractor improperly accessed customer information affecting approximately 30 users. The incident occurred in December 2025 and was detected by Coinbase’s security team last year. The company said the contractor no longer performs services for Coinbase, affected users were notified, and identity theft protection and additional guidance were provided.