Daily Digest

APT28 Exploits Office Zero-Day in Hours; Critical N8N Flaw Exposes 100K Servers; ShinyHunters Breaches Harvard

APT28 Exploits Office Zero-Day in Hours; Critical N8N Flaw Exposes 100K Servers; ShinyHunters Breaches Harvard

February 5, 2026
8 articles (6 new, 2 updated)
24 min read

Summary

In the period of February 4-5, 2026, the cybersecurity landscape was dominated by rapid state-sponsored exploitation and critical vulnerability disclosures. The Russian APT28 group weaponized a Microsoft Office zero-day (CVE-2026-21509) within 24 hours to target European governments. Concurrently, a CVSS 10.0 RCE flaw (CVE-2026-21858) in the N8N automation platform left over 100,000 servers vulnerable to takeover. Adding to the incidents, the ShinyHunters collective claimed a major data breach at Harvard University, exposing 115,000 donor records through a sophisticated vishing campaign. Other significant events include patches from Cisco and F5, and CISA adding a SolarWinds flaw to its KEV catalog.

Filter by Category

New Articles (6)

Cisco and F5 Release Urgent Patches for High-Severity DoS and RCE Vulnerabilities

HIGH

Cisco and F5 Address Multiple High-Severity Flaws in TelePresence, BIG-IP, and NGINX Products

Networking giants Cisco and F5 have released a wave of security updates to address multiple high-severity vulnerabilities across their product lines. Cisco patched five flaws, including a remote DoS bug in TelePresence/RoomOS (CVE-2026-20119) and a root-level command execution flaw in Meeting Management software (CVE-2026-20098). Concurrently, F5 addressed five vulnerabilities in its BIG-IP and NGINX products, two of which are rated high-severity: a DoS flaw in BIG-IP (CVE-2026-22548) and a man-in-the-middle vulnerability in NGINX (CVE-2026-1642). Customers are strongly advised to apply the patches promptly to mitigate risks of service disruption and system compromise.

February 5, 2026
4 min read
CiscoF5Patch ManagementVulnerabilityDoS +6 more
Cisco and F5 Release Urgent Patches for High-Severity DoS and RCE Vulnerabilities
Patch Management
Vulnerability

Chinese APT 'Amaranth-Dragon' Hits Southeast Asian Governments with WinRAR Exploit

HIGH

China-Linked Amaranth-Dragon Exploits WinRAR Flaw CVE-2025-8088 in Espionage Campaigns

A newly identified China-linked APT group, dubbed 'Amaranth-Dragon,' is conducting targeted cyber espionage campaigns against government and law enforcement agencies in Southeast Asia. The group, believed to be affiliated with the broader APT41 ecosystem, is exploiting a known WinRAR vulnerability (CVE-2025-8088) for initial access. Amaranth-Dragon demonstrates a high degree of stealth, using custom tools like 'Amaranth Loader' and a new 'TGAmaranth RAT' that leverages Telegram for command-and-control. The campaigns are tightly scoped, targeting countries like Cambodia, Thailand, and the Philippines, and appear to be motivated by geopolitical intelligence gathering.

February 5, 2026
5 min read
Amaranth-DragonAPTChinaEspionageCVE-2025-8088 +3 more
Chinese APT 'Amaranth-Dragon' Hits Southeast Asian Governments with WinRAR Exploit
Threat Actor
Cyberattack
Vulnerability

Voicemail-Themed Phishing Campaign Deploys Legitimate RMM Tools for Backdoor Access

MEDIUM

New Phishing Lure Uses Fake Voicemails to Install Remote Management Tools

A widespread social engineering campaign is using convincing voicemail-themed lures to trick victims into installing legitimate remote monitoring and management (RMM) software. The attack begins with an email, often from a bank-themed subdomain, leading to a webpage that prompts the user to 'listen to your message.' Instead of playing a message, the page guides the user through a series of installation steps for a legitimate tool called 'Remotely RMM.' Once installed, the software enrolls the device into an attacker-controlled environment, providing them with persistent remote access for data theft and further malware deployment.

February 5, 2026
4 min read
PhishingSocial EngineeringRMMBackdoorLiving off the Land
Voicemail-Themed Phishing Campaign Deploys Legitimate RMM Tools for Backdoor Access
Phishing
Malware
Security Operations

Microsoft Mandates TLS 1.2 for Azure Blob Storage, Sunsetting Older Versions

INFORMATIONAL

Microsoft Enforces TLS 1.2 as Minimum Standard for Azure Blob Storage

Microsoft has officially deprecated support for Transport Layer Security (TLS) versions 1.0 and 1.1 for its Azure Blob Storage service, effective February 3, 2026. TLS 1.2 is now the minimum required version for all new and existing blob storage accounts across all Azure clouds. This mandatory security enhancement aims to protect data in transit from known cryptographic vulnerabilities present in the older protocols. Customers with applications or clients still relying on TLS 1.0 or 1.1 must update them to ensure continued connectivity and avoid service disruptions.

February 5, 2026
3 min read
Microsoft AzureTLSCloud SecurityPolicyDeprecation
Microsoft Mandates TLS 1.2 for Azure Blob Storage, Sunsetting Older Versions
Policy and Compliance
Cloud Security

'Shadow Campaign' Hacks Governments in 37 Countries, China-Linked Group Suspected

CRITICAL

'Shadow Campaign' Espionage Operation Compromises Governments and Critical Infrastructure in 37 Countries

Security researchers have uncovered a massive, long-running cyber-espionage operation dubbed 'Shadow Campaign.' The campaign is attributed to a suspected Chinese nation-state group, TGR-STA-1030, and has successfully compromised at least 70 government and critical infrastructure organizations in 37 countries. The group's reconnaissance activities have been even broader, targeting government infrastructure in 155 countries. Targets include high-value entities like national law enforcement, border control, finance ministries, and telecommunications companies. The operational footprint, including tools and timezone activity (GMT+8), strongly points towards a China-based actor.

February 5, 2026
5 min read
Shadow CampaignAPTChinaEspionageTGR-STA-1030 +1 more
'Shadow Campaign' Hacks Governments in 37 Countries, China-Linked Group Suspected
Threat Actor
Cyberattack
Industrial Control Systems

Futile Ransom: Nitrogen Ransomware Contains Fatal Coding Error, Decryption Impossible

MEDIUM

Nitrogen Ransomware's ESXi Encryptor is Fatally Flawed, Rendering Decryption Impossible

In a case of profound operational failure, security researchers have discovered a fatal coding error in the Nitrogen ransomware group's malware that targets VMware ESXi systems. The flaw, found in the encryption routine, causes the malware to use the wrong public key during the encryption process. As a result, the decryptor provided by the gang after a ransom is paid is mathematically incapable of reversing the encryption. This means that any victim who pays the ransom for their encrypted ESXi virtual machines has zero chance of recovering their data, reinforcing law enforcement advice to not pay ransoms.

February 5, 2026
4 min read
NitrogenRansomwareVMware ESXiCryptographyData Recovery +1 more
Futile Ransom: Nitrogen Ransomware Contains Fatal Coding Error, Decryption Impossible
Ransomware
Malware

Updated Articles (2)

UK Advances New Bill to Regulate Managed Service Providers (MSPs)

INFORMATIONAL

UK's Cyber Security and Resilience Bill to Impose Security Duties on MSPs to Mitigate Supply-Chain Risk

Update:

The UK's Cyber Security and Resilience Bill has successfully passed its second reading in the House of Commons, marking a significant step towards becoming law. The Information Commissioner's Office (ICO) has expressed support for the bill's objectives but has called for the final regulations to provide clear, practical guidance, especially for small and medium-sized businesses (SMBs). This ensures SMBs can meet new requirements without undue burden, highlighting ongoing considerations for the bill's implementation and scope.

January 24, 2026
Updated: February 5, 2026
5 min read
UKRegulationPolicyComplianceMSP +3 more
UK Advances New Bill to Regulate Managed Service Providers (MSPs)
Policy and Compliance
Regulatory
Supply Chain Attack

SolarWinds Discloses Five Critical RCE & Auth Bypass Flaws in Web Help Desk

CRITICAL

SolarWinds Reveals Multiple Critical Vulnerabilities in Web Help Desk Platform, Including RCE and Auth Bypass

Update:

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical remote code execution (RCE) vulnerability, CVE-2025-40551, in SolarWinds Web Help Desk (WHD) to its Known Exploited Vulnerabilities (KEV) catalog. This confirms active, in-the-wild exploitation of the deserialization flaw (CVSS 9.8). CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies must patch this vulnerability by February 6, 2026. This development significantly increases the urgency for all organizations using SolarWinds WHD to apply the latest security patches immediately to prevent compromise. The vulnerability allows unauthenticated attackers to execute arbitrary code.

January 28, 2026
Updated: February 5, 2026
5 min read
SolarWindsWeb Help DeskRCEauthentication bypassCVE-2025-40553 +2 more
SolarWinds Discloses Five Critical RCE & Auth Bypass Flaws in Web Help Desk
Vulnerability
Patch Management
Cyberattack

📢 Share This Publication

Help others stay informed about cybersecurity threats