Daily Digest

Ivanti Zero-Days Under Active Attack as Polish Energy Grid Hit by Destructive Wiper Malware

February 1, 2026

9 articles (8 new, 1 updated)

27 min read

Summary

This edition covers the critical cybersecurity landscape for February 1, 2026. Dominating the headlines are two actively exploited zero-day vulnerabilities in Ivanti's EPMM, prompting an emergency CISA directive. Simultaneously, a sophisticated wiper malware attack, potentially linked to Russian state-actors like Sandworm, targeted over 30 energy facilities in Poland, aiming to disrupt critical infrastructure. Other major events include an FBI takedown of the RAMP ransomware forum, a supply chain attack compromising eScan antivirus, and an advanced vishing campaign mimicking ShinyHunters to breach SaaS platforms. These incidents highlight escalating threats against enterprise software, critical infrastructure, and the software supply chain.

Filter by Category

New Articles (8)

FBI Shuts Down RAMP, a Notorious Ransomware Recruitment and Trading Hub

HIGH

FBI Takes Control of RAMP (Russian Anonymous MarketPlace) Forum in Law Enforcement Takedown

In a significant blow to the ransomware ecosystem, the U.S. Federal Bureau of Investigation (FBI) has seized the RAMP (Russian Anonymous MarketPlace) forum. The Russian-language site, which operated on both the clear and dark web, was a central hub for ransomware-as-a-service (RaaS) operations. It served as a recruitment ground for affiliates for major gangs like ALPHV/BlackCat and Qilin, a marketplace for initial access brokers, and a trading post for stolen data. The takedown, conducted with the DOJ, disrupts a key piece of infrastructure that enabled numerous high-profile cyberattacks.

February 1, 2026

4 min read

FBIRAMPTakedownRansomwareCybercrime +3 more

Security Operations

Ransomware

Threat Actor

Supply Chain Attack: eScan Antivirus Update Server Compromised to Distribute Malware

HIGH

eScan Antivirus Becomes Malware Vector After Regional Update Server is Breached in Supply Chain Attack

Indian antivirus provider eScan, a product of MicroWorld Technologies, has suffered a supply chain attack. On January 20, 2026, a regional update server was compromised, causing it to push a malicious file named 'Reload.exe' to enterprise and consumer customers. According to security firm Morphisec, the malware disables the antivirus product by modifying the local HOSTS file to block future updates and then proceeds with a multi-stage infection to download additional payloads. While MicroWorld Technologies acknowledged the breach and isolated the server, it has disputed the 'supply chain attack' label. Affected users require a manual cleaning utility from eScan support for remediation.

February 1, 2026

6 min read

Supply Chain AttackeScanAntivirusMalwareReload.exe +1 more

Supply Chain Attack

Malware

Incident Response

New Iran-Linked 'RedKitten' Group Targets Human Rights NGOs with AI-Suspected Malware

MEDIUM

Farsi-Speaking Threat Actor 'RedKitten' Uses Sophisticated Malware in Espionage Campaign Against Human Rights Activists

A new cyber-espionage campaign by a Farsi-speaking threat actor dubbed 'RedKitten' is targeting human rights NGOs and activists documenting abuses in Iran. The campaign, observed by HarfangLab in January 2026, uses phishing emails with macro-laced Excel files as an initial vector. The malware is notable for its modularity and its use of legitimate public services like GitHub, Google Drive, and Telegram for C2 and payload delivery, a technique to evade detection. Researchers suspect the attackers may have used Large Language Models (LLMs) to assist in the development of their sophisticated tooling, marking a potential new trend in malware creation.

February 1, 2026

5 min read

RedKittenIranEspionageMalwarePhishing +3 more

Threat Actor

Malware

Phishing

'WhisperPair' Bluetooth Flaw Exposes Millions of Headphones and Speakers to Eavesdropping

MEDIUM

Widespread 'WhisperPair' Vulnerability in Bluetooth Devices Allows Pairing Bypass and Audio Interception

A newly discovered vulnerability named 'WhisperPair' affects millions of Bluetooth audio devices from major brands, including Sony, JBL, and Logitech. The flaw allows a nearby attacker to bypass standard Bluetooth pairing security protocols. Successful exploitation could enable an attacker to eavesdrop on private audio streams or inject malicious audio commands into the connected device. This discovery highlights significant security and privacy risks in widely used consumer electronics and the persistent challenges of securing wireless communication protocols.

February 1, 2026

5 min read

BluetoothVulnerabilityWhisperPairIoTEavesdropping +4 more

'WhisperPair' Bluetooth Flaw Exposes Millions of Headphones and Speakers to Eavesdropping

Vulnerability

IoT Security

Mobile Security

UStrive Mentoring Platform Exposes Data of 238,000 Users, Including Minors, via Leaky API

MEDIUM

Misconfigured GraphQL Endpoint at Non-Profit UStrive Leads to Exposure of Over 238,000 Users' Data

The non-profit mentoring platform UStrive has inadvertently exposed the sensitive personal data of over 238,000 users due to a misconfigured GraphQL API endpoint. A significant portion of the exposed user base includes minors, elevating the severity and privacy implications of the incident. The leaky API could have allowed unauthorized individuals to query and retrieve vast amounts of user data. This breach highlights the critical need for robust cybersecurity practices and secure API implementation, particularly for organizations in the non-profit sector that handle sensitive information, including that of children.

February 1, 2026

4 min read

Data BreachUStriveGraphQLAPI SecurityNon-profit +1 more

UStrive Mentoring Platform Exposes Data of 238,000 Users, Including Minors, via Leaky API

Data Breach

Policy and Compliance

Cloud Security

Automated Attacks Wipe Exposed MongoDB Databases, Demanding $500 Ransom

MEDIUM

Ongoing Extortion Campaign Targets Thousands of Misconfigured MongoDB Servers

An automated data extortion campaign is actively targeting publicly exposed and misconfigured MongoDB databases. A threat actor is systematically wiping data from these unsecured servers and leaving a ransom note demanding approximately $500 in Bitcoin for its return. Research from Flare identified over 3,100 MongoDB instances accessible without authentication, with nearly half (1,400) already compromised by this attacker. This campaign highlights the persistent threat of automated scanning and exploitation of basic security misconfigurations, demonstrating that even with lower ransom demands, such attacks remain a profitable venture for criminals preying on low-hanging fruit.

February 1, 2026

5 min read

MongoDBData BreachExtortionMisconfigurationDatabase Security

Automated Attacks Wipe Exposed MongoDB Databases, Demanding $500 Ransom

Cyberattack

Data Breach

Cloud Security

Air Conditioning Giant Blue Star Discloses Data Breach Affecting Product Installation Data

LOW

Blue Star Reports Unauthorized Access to Product Data in Security Incident

Blue Star, a major Indian multinational specializing in air conditioning and commercial refrigeration, has announced it experienced a data security incident. The company reported unauthorized access to its product installation data. The breach was reported to its Compliance Officer on January 31, 2026. Blue Star has engaged external cybersecurity experts to investigate the incident's scope, perform a root cause analysis, and strengthen its security posture. Further details on the extent of the compromise and the responsible party have not yet been released as the investigation is ongoing.

February 1, 2026

4 min read

Data BreachBlue StarManufacturingIncident Response

Data Breach

Incident Response

Industrial Control Systems

Cybersecurity Risks Mount as Partial US Government Shutdown Begins

INFORMATIONAL

Partial US Government Shutdown Raises Concerns Over Weakened Federal Cyber Defenses

A partial U.S. government shutdown began at midnight on January 31, 2026, after funding for several federal agencies, including the Department of Homeland Security (DHS), lapsed. Security experts are warning that such shutdowns create a period of heightened cybersecurity risk for the nation. With reduced staffing and coordination at key agencies like CISA, the government's ability to detect, respond to, and share intelligence about threats is diminished. Threat actors, both criminal and nation-state, are known to exploit these periods of disruption to launch targeted phishing, credential harvesting, and ransomware campaigns against government agencies and adjacent sectors.

February 1, 2026

4 min read

Government ShutdownCybersecurity RiskDHSCISAPhishing +1 more

Cybersecurity Risks Mount as Partial US Government Shutdown Begins

Policy and Compliance

Regulatory

Threat Intelligence

Updated Articles (1)

Cognizant Sued in Class-Action Lawsuits After TriZetto Data Breach

MEDIUM

Cognizant and Subsidiary TriZetto Face Multiple Class-Action Lawsuits Over Healthcare Data Breach

Update:

New information reveals the TriZetto data breach, which began in November 2024, was not discovered until approximately October 2025, nearly a year after the initial intrusion. This significant delay has prolonged the risk of identity theft and fraud for affected individuals. The consequences continue to expand, with thousands of residents in Oregon now receiving notification letters regarding their exposed Protected Health Information (PHI). This update underscores the long-term impact and challenges of supply chain breaches in healthcare.

January 4, 2026

Updated: February 1, 2026

4 min read

Data BreachHealthcareHIPAAClass Action LawsuitCognizant +1 more

Data Breach

Regulatory

Security Operations

📢 Share This Publication

Help others stay informed about cybersecurity threats