Daily Digest

Global Espionage 'Shadow Campaign' Breaches 37 Nations; CISA Warns of Actively Exploited Flaws in SmarterMail and VMware

Global Espionage 'Shadow Campaign' Breaches 37 Nations; CISA Warns of Actively Exploited Flaws in SmarterMail and VMware

February 6, 2026
8 articles (8 new)
24 min read

Summary

This week in cybersecurity, a massive state-aligned espionage operation dubbed the 'Shadow Campaign' was uncovered, having compromised government and critical infrastructure entities in 37 countries. Meanwhile, CISA issued urgent warnings about actively exploited vulnerabilities in SmarterMail and VMware ESXi, both being used in ransomware attacks. Major data breaches also came to light, with an unsecured server exposing 8.7 billion records on Chinese citizens and social engineering attacks hitting investment platform Betterment and newsletter service Substack, affecting millions of users. In policy news, CISA mandated the removal of all unsupported edge devices from federal networks to combat nation-state threats.

Filter by Category

New Articles (8)

CISA: Critical SmarterMail RCE Flaw Actively Exploited in Ransomware Attacks

CRITICAL

CISA Adds Critical SmarterMail RCE Vulnerability (CVE-2026-24423) to KEV Catalog Amid Ransomware Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical remote code execution (RCE) vulnerability in SmarterTools' SmarterMail, CVE-2026-24423, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, which has a CVSS score of 9.3, allows an unauthenticated attacker to take full control of a mail server by abusing an API method with a missing authentication check. CISA confirms the vulnerability is being actively used in ransomware campaigns and has mandated that federal agencies patch by February 26, 2026. All organizations using the affected email server software are strongly urged to update to build 9511 or later immediately.

February 6, 2026
5 min read
CVE-2026-24423RCEKEVSmarterMailRansomware +1 more
CISA: Critical SmarterMail RCE Flaw Actively Exploited in Ransomware Attacks

CISA Issues Directive Forcing Removal of Unsupported Edge Devices from Federal Networks

HIGH

CISA Mandates Removal of End-of-Life Edge Devices with Binding Operational Directive 26-02

In response to increasing exploitation by nation-state actors, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive (BOD) 26-02. The directive mandates that all Federal Civilian Executive Branch (FCEB) agencies inventory and remove all unsupported network edge devices, such as firewalls and routers, within one year. Devices that are end-of-life (EOL) or end-of-support (EOS) no longer receive security updates and represent a significant risk. The order requires agencies to replace unsupported hardware and software, report their inventory to CISA, and establish a mature lifecycle management process to prevent future risks from technical debt.

February 6, 2026
5 min read
CISABOD 26-02federal governmentEOLEOS +2 more
CISA Issues Directive Forcing Removal of Unsupported Edge Devices from Federal Networks

Betterment Data Breach Exposes 1.4M Customers After Social Engineering Attack

HIGH

Investment Platform Betterment Discloses Breach of 1.4 Million Accounts Following Voice Phishing Attack

Automated investment platform Betterment has disclosed a data breach affecting 1.4 million customers, originating from a sophisticated social engineering attack. Threat actors, claiming to be the 'ShinyHunters' group, used voice phishing (vishing) to manipulate employees and steal Okta single sign-on codes, gaining access to third-party marketing and support systems. The compromised data includes names, email addresses, phone numbers, and physical addresses. While core financial accounts were not compromised, the attackers used the stolen contact information to launch a fraudulent cryptocurrency scam targeting Betterment's customers. The incident highlights the growing threat of social engineering targeting employees to bypass technical security controls.

February 6, 2026
6 min read
BettermentShinyHuntersvishingsocial engineeringOkta +1 more
Betterment Data Breach Exposes 1.4M Customers After Social Engineering Attack

Financial Sector Cyberattacks Doubled in 2025, Fueled by Geopolitical Hacktivism

HIGH

Report: Cyberattacks on Financial Sector Doubled in 2025, Driven by 105% Surge in DDoS Attacks

A new report from Check Point Software reveals a dramatic escalation in cyber threats targeting the global financial sector, with incidents more than doubling in 2025. The primary driver was a 105% increase in Distributed Denial-of-Service (DDoS) attacks, which were largely motivated by geopolitically-driven hacktivism rather than direct financial gain. Hacktivist campaigns aimed to disrupt banking portals and payment systems in countries involved in geopolitical conflicts, including Israel, the U.S., and Ukraine. The report also highlights a 73% jump in data breaches and the persistent threat of multi-extortion ransomware, indicating a complex and evolving threat landscape for financial institutions.

February 6, 2026
5 min read
DDoShacktivismfinancial servicesCheck Pointcyberattack trends +1 more
Financial Sector Cyberattacks Doubled in 2025, Fueled by Geopolitical Hacktivism

Critical RCE Flaw in n8n Automation Platform Allows Full Server Takeover

CRITICAL

Critical Sandbox Escape Vulnerability (CVE-2026-25049) in n8n Allows Remote Code Execution

A critical sandbox escape vulnerability, CVE-2026-25049, has been discovered in the popular n8n workflow automation platform. The flaw, rated 9.4 on the CVSS scale, allows an authenticated user with permission to edit workflows to bypass security controls and execute arbitrary system commands on the host server. This could lead to a full server compromise, exposing sensitive credentials, API keys, and OAuth tokens stored in the environment. The vulnerability is a bypass for a previously patched RCE flaw, and administrators are urged to update to n8n versions 1.123.17 or 2.5.2 immediately to prevent potential hijacking of connected cloud services and AI pipelines.

February 6, 2026
5 min read
CVE-2026-25049n8nRCEsandbox escapeworkflow automation +1 more
Critical RCE Flaw in n8n Automation Platform Allows Full Server Takeover

New 'Milkyway' Ransomware Strain Surfaces with Aggressive Extortion Tactics

MEDIUM

Researchers Detail Emerging 'Milkyway' Ransomware Variant Threatening Data Leaks and Reporting Victims to Authorities

A new Windows-based ransomware strain named 'Milkyway' has been identified by researchers at CYFIRMA. Currently in a developing state, the malware encrypts files and appends a '.milkyway' extension. It employs aggressive extortion tactics via a full-screen ransom note, threatening not only to leak or sell stolen data but also to report victims to tax authorities and law enforcement if the ransom is not paid. The operators also threaten to contact the victim's clients and partners. Experts warn that Milkyway could evolve into a more sophisticated threat, potentially adopting a Ransomware-as-a-Service (RaaS) model, which would significantly broaden its impact.

February 6, 2026
5 min read
MilkywayRansomwaremalwareCYFIRMARaaS +1 more
New 'Milkyway' Ransomware Strain Surfaces with Aggressive Extortion Tactics

Everest Ransomware Group Claims Attack on Japanese Manufacturer Hosokawa Micron

HIGH

Everest Ransomware Lists Japanese Tech Firm Hosokawa Micron as Victim, Threatens to Leak 30 GB of Data

The Everest ransomware group has claimed responsibility for a cyberattack against Hosokawa Micron Corporation, a leading Japanese manufacturer of industrial processing technology. The group announced the breach on an underground forum, threatening to publish approximately 30 GB of exfiltrated confidential company data if their ransom demands are not met. This incident aligns with Everest's typical double-extortion strategy. The group is known for targeting organizations in manufacturing, finance, and IT across the U.S., Europe, and Asia, and also acts as an initial access broker, selling network access to other threat actors.

February 6, 2026
5 min read
EverestRansomwaredouble extortionmanufacturingHosokawa Micron
Everest Ransomware Group Claims Attack on Japanese Manufacturer Hosokawa Micron

Substack Discloses Data Breach Exposing User Contact Information

MEDIUM

Newsletter Platform Substack Confirms Data Breach Exposing User PII

The newsletter platform Substack has announced it suffered a data breach after discovering on February 3, 2026, that an unauthorized party had gained access to a database containing user information. The exposed data includes names, email addresses, phone numbers, and Stripe IDs, though the company stated that financial data like credit card numbers and passwords were not compromised. The data exposure may date back to October 2025. With over 20 million active users, Substack is warning customers to be wary of suspicious emails and text messages, as a hacker has claimed to have stolen data from 700,000 users and posted it on the dark web.

February 6, 2026
5 min read
Substackdata breachPIIphishingprivacy
Substack Discloses Data Breach Exposing User Contact Information

📢 Share This Publication

Help others stay informed about cybersecurity threats

📅 Daily Edition

Curated and deduplicated every day from dozens of trusted sources — giving you one clean, consolidated view of what matters in cybersecurity.

🔢 Deduplication Applied

Related stories are merged into a single evolving article rather than repeated as separate entries — cutting through noise so you only read what's new.

🔗 Full Articles Linked

Every entry links to its full enriched article — complete with MITRE ATT&CK mappings, extracted IOCs, and actionable detection and mitigation guidance.