TIGR Threat Watch

Threat Watch Feed

🚩 – IOCs Added

The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.

🚩 Asia-Based Cyberespionage Group Expands Global Campaign Against Government and Critical Infrastructure

Security researchers at Palo Alto Networks track an Asia-based nation-state cyberespionage group designated TGR-STA-1030 that has successfully compromised 70 government and critical infrastructure organizations across 37 countries over the past year. The group initiates attacks through targeted phishing campaigns that deliver a custom malware loader called Diaoyu, which performs anti-detection checks before deploying Cobalt Strike from GitHub repositories. Attackers exploit known vulnerabilities in widely deployed enterprise software, including SAP Solution Manager, Microsoft Exchange Server, Atlassian Crowd, and various networking devices to gain initial network access. Once inside victim networks, the group deploys multiple command-and-control frameworks, including VShell, Havoc, SparkRat, and Sliver, alongside web shells such as Behinder and Godzilla. On Linux systems, attackers install ShadowGuard, an Extended Berkeley Packet Filter rootkit that operates within kernel space to hide processes, files, and directories from detection tools. The group obscures outbound traffic using tunneling software, including GO Simple Tunnel, Fast Reverse Proxy Server, and IOX, while routing communications through virtual private servers located in the United States, the United Kingdom, and Singapore. Researchers attribute the group to Asia based on language settings, regional tooling preferences, GMT+8 operating hours, and targeting patterns that correlate with geopolitical events in the region.

Impact: The activity described represents sustained espionage risk to government ministries and departments and to critical infrastructure operators, with potential for long-duration access and intelligence collection. Unit 42’s reporting indicates a blend of phishing, exploitation attempts, and post-compromise tooling that supports persistent access, lateral movement, and stealth, including web shell deployment and kernel-level concealment on Linux via eBPF. The scale of targeting and the breadth of affected regions increase the likelihood that organizations with Internet-facing services and government-adjacent exposure could encounter reconnaissance, credential theft, or follow-on exploitation attempts associated with this activity.

Recommendation: Organizations should prioritize patching all known vulnerabilities in the software products, operating systems, and libraries that this group actively exploits, including SAP Solution Manager, Microsoft Exchange Server, Microsoft Open Management Infrastructure, Atlassian Crowd, and networking equipment from multiple vendors. Security teams should strengthen phishing defenses through user awareness training, email filtering, and verification procedures for messages claiming to originate from official institutions. Network defenders should deploy enhanced monitoring for Linux systems to detect potential eBPF-based rootkits, though detection remains challenging due to the kernel-level operation of these tools. Network monitoring should focus on detecting unusual outbound connections, tunneling activity, and the use of administrative tools in unexpected contexts.

CISA Orders Federal Agencies to Patch Actively Exploited SolarWinds Web Help Desk Vulnerability

CISA added CVE-2025-40551 to the Known Exploited Vulnerabilities catalog on February 3, 2026, ordering federal civilian agencies to patch by Friday. The critical vulnerability, with a severity score of 9.8, affects SolarWinds Web Help Desk, an IT service management platform used for ticketing and asset tracking. Horizon3.ai researcher Jimi Sebree discovered and reported the vulnerability to SolarWinds on December 5, 2025. The flaw bypasses fixes implemented for CVE-2024-28986, a 2024 vulnerability that was also added to CISA’s KEV catalog. SolarWinds released patches in Web Help Desk version 2026.1 addressing CVE-2025-40551 and several other recently discovered security bugs.

Impact: The vulnerability enables unauthenticated remote code execution on systems running vulnerable Web Help Desk versions. Active exploitation allows attackers to compromise IT service management platforms handling sensitive support tickets, asset inventories, and internal helpdesk operations. Organizations using Web Help Desk for centralized IT support face risks of unauthorized access to ticketing systems containing employee information, system configurations, and corporate infrastructure details. The bypass of previous security fixes demonstrates persistent attacker interest in this platform as an entry point into enterprise networks.

Recommendation: Organizations running SolarWinds Web Help Desk should upgrade to version 2026.1 or later. Federal civilian agencies must complete patching by February 7, 2026 per the CISA directive. Audit Web Help Desk installations for signs of compromise, including unauthorized user accounts, configuration changes, or suspicious access patterns. Review Web Help Desk access logs for unauthorized authentication attempts or unusual administrative activity occurring before patch deployment.

ShinyHunters Breaches Harvard University Alumni Database Exposing 115,000 Donor Records

Hudson Rock researchers disclosed a data breach affecting Harvard University’s Alumni Affairs and Development department on February 4, 2026, attributed to the ShinyHunters cybercriminal group operating as part of the “Scattered LAPSUS$ Hunters” collective. The breach exposed approximately 115,000 sensitive records containing detailed donor information, wealth classifications, and admissions coordination data. The exposed database included comprehensive tracking of alumni, spouses, parents, and current students, with entries categorized by relationship type and financial contribution levels. The leak revealed “Lifetime Recognition” donation amounts for high-profile donors including Mark Zuckerberg ($603 million), Michael Bloomberg ($421 million), and Steven Ballmer ($102 million), along with home addresses, private email addresses, and family member tracking. Documents showed coordination between fundraising and admissions departments through “Admissions Holds” that pause donor solicitation when family members apply to the university. The attack likely used voice phishing targeting administrative staff with access to the alumni database. Security analysts assess that ShinyHunters employed deepfake voice technology to impersonate IT support staff, directing victims to fake Single Sign-On portals that captured credentials in real time through man-in-the-middle techniques. Attackers convinced victims to approve multi-factor authentication push notifications or provide one-time passwords, allowing session token hijacking that bypassed security controls without triggering alerts. Once inside the university’s systems, the group moved laterally across Microsoft 365, SharePoint, and Salesforce platforms, searching for files containing terms like “confidential,” “stewardship,” and “proposal.”

Impact: The breach exposes the private financial relationships and personal details of the world’s most influential academic donor base, creating a high-value target environment for extortion, social engineering, and identity theft. The consolidated database provides attackers with wealth classifications, residential addresses, private contact information, and family relationship mapping for ultra-high-net-worth individuals. The leak enables granular profiling of donor cultivation strategies and relationship management approaches, potentially compromising ongoing fundraising campaigns and donor relationships. The centralization of sensitive data in cloud platforms demonstrates a systemic vulnerability affecting higher education institutions managing major donor portfolios.

Recommendation: Higher education institutions should implement phishing-resistant multi-factor authentication for all administrative staff accessing donor databases and development systems. Deploy Zero Trust architecture requiring continuous verification for access to sensitive alumni and development data. Conduct security awareness training focused on voice phishing detection for administrative personnel. Segment alumni and development databases from general institutional systems to limit lateral movement following credential compromise. Implement data loss prevention controls monitoring for bulk exfiltration of sensitive files.

🚩 Notepad++ Supply Chain Attack Deployed Three Distinct Infection Chains Over Four Months

Kaspersky researchers disclosed a supply chain attack targeting the Notepad++ text editor’s update infrastructure that operated from July through October 2025. On February 2, 2026, Notepad++ developers announced their update infrastructure had been compromised due to a hosting provider breach from June to September 2025, with attackers maintaining access until December 2025. The campaign targeted approximately a dozen machines belonging to individuals in Vietnam, El Salvador, and Australia, along with government, financial, and IT service provider organizations. Attackers continuously changed their attack methods, server addresses, and malware throughout the operation. Three infection chains were identified: Chain 1 ran from late July through early August using fake update files that collected system information and uploaded it to temp[.]sh before deploying a Cobalt Strike backdoor through exploitation of old ProShow software vulnerabilities. Chain 2 operated from mid-September through late September with modified update files that expanded information collection and used legitimate Lua interpreter software to load and execute malicious code, also delivering Cobalt Strike. Chain 3 was deployed in October using standard malware installation techniques to drop the Chrysalis backdoor, with Rapid7 observing additional Cobalt Strike deployment. Attackers rotated between different domains, including cdncheck.it[.]com, self-dns.it[.]com, safe-dns.it[.]com, and api.wiresguard[.]com, throughout the campaign.

Impact: The compromise of Notepad++ update infrastructure enabled targeted attacks against high-profile organizations worldwide through a trusted software distribution channel. Attackers demonstrated sophistication by drastically changing infection chains monthly to evade detection while spreading implants in a targeted manner. The deployment of multiple payloads including Cobalt Strike Beacon and Chrysalis backdoor provided persistent remote access for espionage and data theft operations. Chain 3’s execution techniques match patterns associated with Chinese-speaking threat actors. The targeted nature of infections affecting government, financial, and IT service provider organizations suggests intelligence collection objectives.

Recommendation: Organizations using Notepad++ should verify software integrity and investigate systems for compromise indicators. Review network traffic for DNS resolutions to the temp[.]sh domain and HTTP requests with temp[.]sh URLs embedded in User-Agent headers. Hunt for suspicious command sequences, including whoami, tasklist, systeminfo, and netstat -ano executed in rapid succession. Block identified malicious domains. Search for files dropped to the %appdata%\ProShow, %APPDATA%\Adobe\Scripts, and %appdata%\Bluetooth directories. Monitor for LOLC2 service connections, local reconnaissance command sequences, and persistence through Windows Registry Run keys.
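The hunts in the recommendation above, turned into detection logic over a small set of constructed endpoint telemetry records (an added example, not code from Kaspersky, Rapid7 or the Notepad++ project; the event schema, host names and timestamps are assumptions made for illustration). The recon-burst check flags a host only when several distinct reconnaissance commands run inside a short window, which separates the campaign's rapid-succession pattern from an administrator running one of them in isolation.

```python
from datetime import datetime

# Indicators quoted in the bulletin's recommendation for the Notepad++ campaign.
RECON_CMDS = {"whoami", "tasklist", "systeminfo", "netstat"}
DROP_DIRS = (r"\appdata\roaming\proshow",        # %appdata%\ProShow
             r"\appdata\roaming\adobe\scripts",  # %APPDATA%\Adobe\Scripts
             r"\appdata\roaming\bluetooth")      # %appdata%\Bluetooth
TEMP_SH = "temp.sh"  # written defanged as temp[.]sh in the bulletin

# Constructed sample telemetry (assumed schema: ts, host, type + type-specific fields).
SAMPLE_EVENTS = [
    {"ts": "2025-08-01T10:00:00", "host": "ws01", "type": "process", "cmdline": "whoami"},
    {"ts": "2025-08-01T10:00:03", "host": "ws01", "type": "process", "cmdline": "tasklist"},
    {"ts": "2025-08-01T10:00:05", "host": "ws01", "type": "process", "cmdline": "systeminfo"},
    {"ts": "2025-08-01T10:00:09", "host": "ws01", "type": "process", "cmdline": "netstat -ano"},
    {"ts": "2025-08-01T10:01:00", "host": "ws01", "type": "http",
     "user_agent": "Mozilla/5.0 https://temp.sh/abc123"},
    {"ts": "2025-08-01T10:01:30", "host": "ws01", "type": "file",
     "path": r"C:\Users\alice\AppData\Roaming\ProShow\loader.dll"},
    # ws02: isolated admin commands hours apart, benign DNS lookup -> should not fire
    {"ts": "2025-08-01T12:00:00", "host": "ws02", "type": "process", "cmdline": "whoami"},
    {"ts": "2025-08-01T14:30:00", "host": "ws02", "type": "process", "cmdline": "netstat -ano"},
    {"ts": "2025-08-01T14:31:00", "host": "ws02", "type": "dns", "query": "updates.example.com"},
]

def recon_bursts(events, window_sec=60, min_distinct=3):
    """Hosts where >= min_distinct recon commands ran within window_sec of each other."""
    per_host = {}
    for e in events:
        if e["type"] != "process":
            continue
        cmd = e["cmdline"].split()[0].lower()
        cmd = cmd[:-4] if cmd.endswith(".exe") else cmd  # normalise netstat.exe -> netstat
        if cmd in RECON_CMDS:
            per_host.setdefault(e["host"], []).append((datetime.fromisoformat(e["ts"]), cmd))
    hits = []
    for host, runs in per_host.items():
        runs.sort()
        for i, (t0, _) in enumerate(runs):  # slide the window from each command
            seen = {c for t, c in runs[i:] if (t - t0).total_seconds() <= window_sec}
            if len(seen) >= min_distinct:
                hits.append((host, t0.isoformat(), sorted(seen)))
                break  # one alert per host is enough for triage
    return hits

def tempsh_indicators(events):
    """DNS resolutions of temp.sh and HTTP requests carrying a temp.sh URL in the User-Agent."""
    return [e for e in events
            if (e["type"] == "dns" and e["query"].lower().endswith(TEMP_SH))
            or (e["type"] == "http" and TEMP_SH in e.get("user_agent", "").lower())]

def suspicious_drops(events):
    """File events under the drop directories named in the bulletin (case-insensitive)."""
    def norm(p):
        return p.lower().replace("/", "\\").replace("%appdata%", r"\appdata\roaming")
    return [e for e in events if e["type"] == "file" and any(d in norm(e["path"]) for d in DROP_DIRS)]
```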

CISA Warns of Actively Exploited Five-Year-Old GitLab SSRF Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2021-39935 to its Known Exploited Vulnerabilities Catalog on February 3, 2026, warning that threat actors are actively exploiting this server-side request forgery (SSRF) flaw in GitLab Community and Enterprise Editions. Originally patched by GitLab in December 2021, the vulnerability allows unauthenticated attackers to access the CI Lint API and force GitLab servers to make unauthorized requests to internal or external resources. Despite being addressed over three years ago, recent reports indicate renewed exploitation activity targeting unpatched GitLab instances exposed to the internet. The flaw stems from improper validation of user-supplied URLs during continuous integration configuration checks. Attackers can craft malicious API requests without authentication to conduct internal network scanning, expose sensitive metadata services in cloud environments, leak credentials, or exploit secondary vulnerabilities in connected systems. With over 49,000 GitLab instances currently exposed online (according to Shodan), and GitLab’s platform serving more than 30 million registered users, including 50% of Fortune 100 organizations, the attack surface remains significant for organizations running outdated versions.

Impact: Unauthenticated SSRF exploitation in GitLab poses severe risks to development and CI/CD pipeline environments. Successful attacks can expose cloud metadata services containing authentication tokens and configuration secrets, enable lateral movement into internal networks, facilitate supply chain compromises, and serve as initial intrusion vectors for ransomware or cryptomining campaigns. The vulnerability’s exploitation in DevOps infrastructure creates downstream risks affecting source code repositories, build systems, and production deployment pipelines across affected organizations.

Recommendation: Apply GitLab’s security patches to the latest fixed versions as specified in GitLab’s official security advisory addressing CVE-2021-39935. Review and limit access to the CI Lint API, especially for GitLab instances accessible from public networks. Implement authentication requirements and IP whitelisting where possible.

🚩 Microsoft Reports Infostealer Campaigns Expanding Beyond Windows, with macOS-Targeted Stealers

Microsoft published research reporting that infostealer threats are increasingly targeting macOS environments, leveraging cross-platform languages like Python, and abusing trusted platforms and utilities to deliver credential-stealing malware. Microsoft Defender Experts observed macOS-targeted campaigns since late 2025 using social engineering, including ClickFix-style prompts and malicious DMG installers, to deploy macOS stealers such as DigitStealer, MacSync, and Atomic macOS Stealer (AMOS). Microsoft reports these campaigns commonly use fileless execution, native macOS utilities, and AppleScript automation to collect credentials, session data, and secrets from browsers, keychains, and developer environments, then exfiltrate and attempt to remove traces. In parallel, Microsoft observed Python-based stealer campaigns distributed via phishing that collect credentials, cookies, authentication tokens, payment data, and crypto wallet data, with examples including PXA Stealer activity in October and December 2025 that used persistence via registry Run keys or scheduled tasks and exfiltration via Telegram. Microsoft also describes platform abuse campaigns, including WhatsApp abuse in November 2025 to propagate malware and ultimately deliver Eternidade Stealer, and a September 2025 malvertising and SEO poisoning campaign using a fake Crystal PDF installer that establishes persistence via scheduled tasks and steals browser data.

Impact: These activity patterns increase the likelihood of credential theft and session hijacking across email, banking, social media, and corporate cloud services, and can create direct financial exposure through cryptocurrency wallet theft. Microsoft notes that compromise of developer credentials can enable access to source code, cloud infrastructure, and potentially customer data, and that broader infostealer compromise can lead to follow-on outcomes including unauthorized internal access, data breaches, business email compromise, supply chain abuse, and ransomware activity.

Recommendation: Recommendations include strengthening user awareness against malvertising redirect chains, fake installers, and ClickFix-style copy-and-paste prompts, and discouraging installation of unsigned DMGs or unofficial “terminal-fix” utilities. Teams should monitor for suspicious macOS Terminal activity and fileless execution patterns involving the utilities and flows called out by Microsoft, including curl, Base64 decoding, gunzip, osascript, and JXA, and alert on abnormal access to Keychain, browser credential stores, and developer and cloud artifacts (for example SSH keys and cloud credentials). Where Microsoft Defender is in use, enable cloud-delivered protection, run EDR in block mode, enable network and web protection, enable tamper protection, and consider Microsoft’s recommended attack surface reduction rules, such as blocking potentially obfuscated scripts and blocking downloaded JS or VBScript from launching executable content.


About TIGR Threat Watch

Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc critical vulnerability notifications in case of critical and time-sensitive vulnerabilities or threats. These notifications include details and recommendations for mitigation/remediation.