Daily Digest

CISA Warns of Actively Exploited SmarterMail RCE; Asian APT Hits 70 Orgs; 'Shai-Hulud' Worm Automates Supply Chain Attacks

February 7, 2026

7 articles (6 new, 1 updated)

21 min read

Summary

This cybersecurity brief for February 7, 2026, covers multiple critical threats. CISA has added a SmarterMail RCE vulnerability (CVE-2026-24423) to its KEV catalog due to active exploitation in ransomware attacks. A massive year-long cyber-espionage campaign by an Asian APT group, TGR-STA-1030, has compromised at least 70 government and critical infrastructure organizations across 37 nations. Additionally, a new self-propagating worm, 'Shai-Hulud,' is automating software supply chain attacks by stealing developer credentials to infect npm packages. Other major developments include CISA's new directive to remove unsupported edge devices from federal networks and the discovery of new malware strains like Odyssey Stealer, Milkyway Ransomware, and the covert Pulsar RAT.

Filter by Category

New Articles (6)

Transparent Tribe (APT36) Shifts Focus, Targeting Indian Startups with Crimson RAT

HIGH

Pakistan-linked APT Transparent Tribe Pivots from Government to Target India's Startup Ecosystem

The Pakistan-aligned APT group Transparent Tribe (also known as APT36) has strategically shifted its targeting from Indian government and military entities to the country's growing startup sector. A new campaign, identified by researchers, uses the group's signature Crimson RAT malware delivered via malicious ISO files in phishing emails. The lures are themed around startups, with some attacks leveraging scraped personal information of real founders to appear more legitimate. The focus on startups in the cybersecurity and intelligence fields suggests the group aims to steal intellectual property and potentially use compromised companies as a supply chain vector to attack their government clients.

February 7, 2026

5 min read

APTCrimson RATISO filePhishingStartup +2 more

Transparent Tribe (APT36) Shifts Focus, Targeting Indian Startups with Crimson RAT

Threat Actor

Phishing

Cyberattack

Ransomware Gangs Like LockBit and BlackCat Use Legitimate ISP Software for Anonymous Server Provisioning

HIGH

Sophos Uncovers How Bulletproof Hosters Exploit ISPsystem's VMmanager to Power Ransomware Infrastructure

Researchers at Sophos have discovered how bulletproof hosting (BPH) providers are abusing legitimate server management software from ISPsystem to anonymously provision virtual machines for cybercriminals. The software, VMmanager, leaves a default hostname fingerprint (`WIN-J9D866ESIJ2`) that allowed researchers to link thousands of malicious servers to BPH providers like Stark Industries Solutions and MasterRDP. This infrastructure is actively being used to support operations for top-tier ransomware groups, including LockBit, BlackCat (ALPHV), and Conti, highlighting a critical link between legitimate tools and the cybercrime underworld.

February 7, 2026

5 min read

Bulletproof HostingBPHRDPInfrastructureCybercrime +1 more

Threat Intelligence

Ransomware

Cyberattack

Aggressive Odyssey Stealer Malware Campaign Targets macOS Users Globally

HIGH

New Wave of Odyssey Stealer Malware Expands Rapidly, Targeting macOS Users Worldwide with Evasive Variants

A new and aggressive campaign featuring the Odyssey Stealer malware is actively targeting Apple macOS users across the globe. Initially focused on the US and Europe, the attack's reach expanded within 24 hours to South America, Africa, and Asia. Odyssey Stealer is an info-stealer designed to harvest browser credentials, crypto wallets, and system data. This latest variant uses builders to automatically generate unique, obfuscated samples, making it difficult for signature-based antivirus to detect. The malware spreads via social engineering, using fake or cracked software downloads and phishing lures to trick users into installing it.

February 7, 2026

5 min read

macOSInfoStealerCredential TheftCryptocurrencyPolymorphic Malware

Malware

Phishing

Mobile Security

Attackers Abuse Windows Screensaver (.scr) Files to Drop RMM Tools for Persistent Access

MEDIUM

Novel Attack Vector: Threat Actors Use Malicious Windows Screensaver Files to Deploy Remote Management Tools

A novel attack technique has been observed where threat actors are abusing Windows screensaver (.scr) files as droppers for legitimate remote monitoring and management (RMM) tools. By tricking users into executing a malicious screensaver file, attackers can bypass security controls that might block direct RMM installation. Because .scr files are executables, they can be weaponized to install the RMM software, providing the attacker with persistent, stealthy remote access to the compromised machine for data theft, surveillance, or lateral movement. This method highlights the ongoing trend of attackers using living-off-the-land techniques.

February 7, 2026

5 min read

RMMLiving off the LandLoTLScreensaverDropper +1 more

Attackers Abuse Windows Screensaver (.scr) Files to Drop RMM Tools for Persistent Access

Malware

Phishing

Security Operations

Evolving Telegram Phishing Campaign Tricks Users into Approving Account Takeover

MEDIUM

Re-Emerging Telegram Phishing Campaign Abuses Authorization Prompts for Session Hijacking

A sophisticated phishing campaign targeting Telegram users has re-emerged, using the platform's own features to hijack accounts. As reported by CYFIRMA, the attack tricks users with fake security alerts, directing them to a malicious site or bot that mimics an official Telegram service. The core of the attack is manipulating the user into approving a legitimate-looking authorization prompt for a 'new device' within their own Telegram app. Approving this prompt grants the attacker's device full session access, enabling them to take over the account, read private chats, and exfiltrate data. The campaign highlights the effectiveness of social engineering attacks that exploit user trust in a platform's native functions.

February 7, 2026

5 min read

TelegramPhishingSocial EngineeringAccount TakeoverSession Hijacking +1 more

Phishing

Mobile Security

Ransomware Attacks on Education Sector Slowed in 2025, But U.S. Remains Top Target

INFORMATIONAL

Comparitech Report: Ransomware Attacks on Education Sector See Slower Growth in 2025

A 2025 report from Comparitech indicates a slowdown in the growth of ransomware attacks against the global education sector. There were 251 attacks recorded worldwide, a slight 2% increase from the previous year. These incidents resulted in at least 3.96 million breached records. The United States was the most affected country with 130 attacks, though this marked a 9% decrease for the nation year-over-year. High-profile incidents included demands of $400,000 against school districts by the Medusa ransomware gang, highlighting the continued financial and operational strain these attacks place on educational institutions.

February 7, 2026

5 min read

EducationK-12UniversityData BreachStatistics

Ransomware

Threat Intelligence

Data Breach

Updated Articles (1)

CISA: Critical SmarterMail RCE Flaw Actively Exploited in Ransomware Attacks

CRITICAL

CISA Adds Critical SmarterMail RCE Vulnerability (CVE-2026-24423) to KEV Catalog Amid Ransomware Exploitation

Update:

The vulnerable API endpoint for CVE-2026-24423 is more precisely identified as '/api/v1/settings/sysadmin/connect-to-hub', and the vulnerability is classified as CWE-306. This is the third SmarterMail flaw in KEV, following CVE-2025-52691 and CVE-2026-23760. New detection guidance includes monitoring 'MailService.exe' and leveraging D3FEND techniques like Process Analysis (D3-PA) and Network Traffic Analysis (D3-NTA). Mitigation now explicitly advises assuming compromise for unpatched systems and applying Inbound Traffic Filtering (D3-ITF) and Software Update (D3-SU).

February 6, 2026

Updated: February 7, 2026

5 min read

CVE-2026-24423RCEKEVSmarterMailRansomware +1 more

Vulnerability

Ransomware

Patch Management

📢 Share This Publication

Help others stay informed about cybersecurity threats