Daily Digest

Microsoft Rushes to Patch Six Zero-Days as CISA Warns of Actively Exploited Flaws in SolarWinds and BeyondTrust

Microsoft Rushes to Patch Six Zero-Days as CISA Warns of Actively Exploited Flaws in SolarWinds and BeyondTrust

February 11, 2026
12 articles (10 new, 2 updated)
36 min read

Summary

This edition covers a critical Microsoft Patch Tuesday on February 11, 2026, which addressed 58 vulnerabilities, including six actively exploited zero-days impacting Windows Shell, Office, and Remote Desktop Services. CISA has also been active, adding a critical SolarWinds flaw to its KEV catalog and issuing new guidance on the BRICKSTORM malware used by Chinese state-sponsored actors. Other major incidents include a critical BeyondTrust vulnerability being used in ransomware attacks, a large-scale data breach at Dutch telecom Odido, and new reports on sophisticated tax-themed phishing campaigns and the evolution of AI-targeted attacks.

Filter by Category

New Articles (10)

Microsoft Scrambles to Fix Six Actively Exploited Zero-Days in February 2026 Patch Tuesday

CRITICAL

Microsoft's February 2026 Patch Tuesday Addresses 58 Flaws, Including Six Actively Exploited Zero-Days

Microsoft's February 2026 Patch Tuesday release is a critical one, addressing 58 vulnerabilities across its product ecosystem. Most alarmingly, the update includes patches for six zero-day vulnerabilities that were already being actively exploited by attackers in the wild. Three of these flaws were publicly disclosed before a fix was available, escalating the urgency for administrators to deploy these updates. The zero-days include severe security feature bypasses in Windows Shell (CVE-2026-21510) and the MSHTML engine (CVE-2026-21513), both rated with a CVSS of 8.8, which could allow for silent code execution. Additionally, three elevation of privilege (EoP) flaws in Desktop Window Manager (CVE-2026-21519) and Remote Desktop Services (CVE-2026-21533) grant attackers SYSTEM-level access. The sheer number of in-the-wild exploits makes this one of the most critical patch cycles in recent memory, requiring immediate action from all organizations to prevent compromise.

February 11, 2026
7 min read
Patch TuesdayZero-DayVulnerabilityWindowsPrivilege Escalation +2 more
Microsoft Scrambles to Fix Six Actively Exploited Zero-Days in February 2026 Patch Tuesday
Patch Management
Vulnerability
Cyberattack

CISA, NSA, and Canada Warn of New BRICKSTORM Malware Variant Used by Chinese Hackers

HIGH

US and Canadian Agencies Update Advisory on BRICKSTORM Backdoor Used by PRC State-Sponsored Actors

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and the Canadian Centre for Cyber Security (Cyber Centre) have jointly released an updated Malware Analysis Report (MAR) for the BRICKSTORM backdoor. This new advisory, published February 11, 2026, details a new variant of the malware discovered during an incident response engagement. The investigation revealed that state-sponsored actors from the People's Republic of China (PRC) deployed BRICKSTORM on a VMware vCenter server to maintain long-term persistence within a victim network, having first gained access in April 2024. The agencies have released new YARA and Sigma rules to help organizations hunt for this threat and are urging government and critical infrastructure entities to immediately search their networks for signs of compromise.

February 11, 2026
6 min read
BRICKSTORMMalwareBackdoorChinaAPT +3 more
CISA, NSA, and Canada Warn of New BRICKSTORM Malware Variant Used by Chinese Hackers
Malware
Threat Actor
Threat Intelligence

Tax Season Phishing Frenzy: Microsoft Details Campaigns Abusing ScreenConnect and QR Codes

HIGH

Microsoft Threat Intelligence Exposes Multiple Large-Scale Phishing Campaigns Leveraging Tax Season Lures

Microsoft has uncovered several large-scale, sophisticated phishing campaigns exploiting the U.S. tax season. In a report on February 10, 2026, the company detailed one massive campaign targeting over 29,000 users that aimed to install the legitimate remote access tool ScreenConnect for malicious use. This campaign broadly targeted organizations in financial services, technology, and retail. Another concurrent campaign used QR codes embedded in Word documents with 'W-2' themes to redirect victims to a credential harvesting site running the 'SneakyLog' phishing kit. A third attack wave leveraged lures impersonating CPAs to deliver the 'Energy365' Phishing-as-a-Service (PhaaS) kit. These multi-faceted campaigns demonstrate attackers' increasing sophistication in social engineering and their abuse of legitimate tools to bypass security.

February 11, 2026
6 min read
PhishingTax SeasonScreenConnectQR CodeQuishing +2 more
Tax Season Phishing Frenzy: Microsoft Details Campaigns Abusing ScreenConnect and QR Codes
Phishing
Malware
Threat Intelligence

Healthcare Provider's Ransomware Attack Traced to Compromised SonicWall Cloud Backups

HIGH

Marquis Health Services Discloses Ransomware Incident Stemming from Compromised SonicWall Cloud Backup System

Marquis Health Services, a major provider of skilled nursing care, has reported a disruptive ransomware attack that it attributes to a compromise of its SonicWall cloud backup systems. The incident, reported on February 10, 2026, allowed attackers to encrypt critical data, causing operational issues across its healthcare facilities. By targeting the backup system directly, the threat actors not only deployed ransomware but also aimed to sabotage the company's ability to recover, a tactic known as double extortion. This attack serves as a critical reminder of the security risks inherent in the third-party supply chain and the need to secure backup and recovery environments with the same rigor as primary production systems.

February 11, 2026
6 min read
RansomwareHealthcareData BreachSupply Chain AttackSonicWall +2 more
Healthcare Provider's Ransomware Attack Traced to Compromised SonicWall Cloud Backups
Ransomware
Supply Chain Attack
Data Breach

Dutch Telecom Odido Suffers Massive Data Breach; 6 Million Customers Potentially Exposed

HIGH

Odido Confirms Major Data Breach via Third-Party Supplier, Up to Six Million Customers Affected

Dutch telecommunications provider Odido announced a major data breach on February 11, 2026, after a third-party supplier's system was compromised. The incident may have exposed the personal information of as many as six million customers. The compromised data reportedly includes sensitive details such as names, addresses, phone numbers, and in some cases, bank account and passport numbers. While Odido's core network was not affected, the breach originated from a supplier managing a customer data environment, highlighting significant third-party risk. The company has launched a full investigation and is notifying affected individuals and regulatory authorities under GDPR, with significant fines and legal action expected.

February 11, 2026
5 min read
Data BreachSupply Chain AttackGDPRTelecommunicationsNetherlands +1 more
Dutch Telecom Odido Suffers Massive Data Breach; 6 Million Customers Potentially Exposed
Data Breach
Supply Chain Attack
Regulatory

Boggy Serpens (MuddyWater) APT Targets UAE Energy Firm in Sustained Espionage Campaign

HIGH

Palo Alto Networks' Unit 42 Uncovers Sustained Campaign by Boggy Serpens APT Against UAE Marine and Energy Company

Researchers from Palo Alto Networks' Unit 42 have detailed a long-running cyber-espionage campaign targeting a national marine and energy company in the United Arab Emirates. The campaign, attributed to the APT group Boggy Serpens (also known as MuddyWater), was active from August 2025 through February 11, 2026. The threat actor conducted four distinct attack waves, using hijacked email accounts from legitimate government and corporate entities for its spear-phishing operations. The campaign deployed a diverse arsenal of malware, including GhostBackDoor, Nuso (HTTP_VIP), UDPGangster, and LampoRAT, showcasing the group's maturing and persistent operational methodology aimed at long-term intelligence gathering.

February 11, 2026
6 min read
APTBoggy SerpensMuddyWaterCyber EspionageThreat Actor +3 more
Boggy Serpens (MuddyWater) APT Targets UAE Energy Firm in Sustained Espionage Campaign
Threat Actor
Cyberattack
Threat Intelligence

Undetected Go-Based Malware Emerge: GREENBLOOD Ransomware and Moonrise RAT

HIGH

Researchers Discover New Go-Based GREENBLOOD Ransomware and Fully Undetected Moonrise RAT

Security researchers have identified two new and dangerous malware families written in the Go programming language. The discoveries, reported on February 11, 2026, include a ransomware variant named GREENBLOOD and a remote access trojan (RAT) called Moonrise RAT. GREENBLOOD is designed for high-speed encryption and evidence removal, maximizing damage before detection. More alarmingly, the Moonrise RAT was found to be fully-featured, with extensive credential theft capabilities, and had zero detections on VirusTotal at the time of its analysis. The emergence of these potent Go-based threats highlights a trend of attackers using less common languages to develop malware that evades traditional signature-based antivirus and security tools, posing a significant challenge for defenders.

February 11, 2026
6 min read
MalwareGoGolangRansomwareRAT +3 more
Undetected Go-Based Malware Emerge: GREENBLOOD Ransomware and Moonrise RAT
Malware
Ransomware
Threat Intelligence

EU Greenlights Google's $32 Billion Acquisition of Cybersecurity Firm Wiz

INFORMATIONAL

European Commission Grants Unconditional Antitrust Approval for Google's $32B Acquisition of Wiz

The European Commission has granted unconditional antitrust approval for Google's proposed $32 billion acquisition of cybersecurity firm Wiz. The decision, announced on February 10, 2026, allows Google to move forward with its largest-ever deal, significantly bolstering its cloud security portfolio. EU regulators concluded that the acquisition would not harm competition in the cloud infrastructure market. They reasoned that Google remains a smaller player compared to Amazon and Microsoft, and customers will continue to have credible alternative security solutions and the ability to switch cloud providers. This approval from a major regulatory body signals a significant consolidation in the cybersecurity industry as cloud hyperscalers aim to deeply integrate security into their platforms.

February 11, 2026
4 min read
GoogleWizAcquisitionEUAntitrust +2 more
EU Greenlights Google's $32 Billion Acquisition of Cybersecurity Firm Wiz
Policy and Compliance
Cloud Security
Other

Critical BeyondTrust Flaw Actively Exploited in Ransomware Attacks

CRITICAL

Active Exploitation of Critical BeyondTrust Vulnerability Linked to Ransomware Intrusions

A critical vulnerability in BeyondTrust's remote access solutions is being actively exploited by threat actors, with security firm Darktrace reporting anomalous activity linked to the flaw starting on February 10, 2026. Attackers are leveraging the vulnerability to gain unauthorized control of systems, which then serves as an entry point for follow-on attacks, including ransomware intrusions. Observed malicious activity includes compromised devices making suspicious outbound connections to Out-of-Band Application Security Testing (OAST) services, a technique used to validate successful exploitation. The active exploitation has prompted urgent calls for all BeyondTrust customers to apply patches immediately and hunt for signs of compromise within their networks.

February 11, 2026
6 min read
BeyondTrustVulnerabilityActive ExploitationRansomwareOAST +1 more
Critical BeyondTrust Flaw Actively Exploited in Ransomware Attacks
Vulnerability
Ransomware
Cyberattack

Supply Chain Attacks Now a Dominant 'Ecosystem' of Crime, Warns Group-IB

INFORMATIONAL

Group-IB Report: Supply Chain Attacks Evolving from Isolated Incidents into a Top Global Threat Ecosystem

A new report from cybersecurity firm Group-IB warns that supply chain attacks have evolved from being a specific attack type into a dominant 'ecosystem' of interconnected criminal activity. The 'High-Tech Crime Trends Report,' released on February 11, 2026, states that attackers are increasingly targeting upstream software vendors and managed service providers (MSPs) to compromise thousands of downstream victims in a single stroke. According to the report, 68% of major global incidents in the last year were linked to supply chain compromises. The firm's CEO highlights that phishing, ransomware, and data breaches are often just different stages of a larger campaign built on exploiting trusted third-party relationships, fueled by a booming dark web market for initial access credentials.

February 11, 2026
4 min read
Supply Chain AttackThreat IntelligenceGroup-IBCybercrimeMSP +1 more
Supply Chain Attacks Now a Dominant 'Ecosystem' of Crime, Warns Group-IB
Supply Chain Attack
Threat Intelligence
Policy and Compliance

Updated Articles (2)

Hackers Expand Attacks on ICS/OT and Enterprise AI Systems

HIGH

Research Shows Rising Threat Convergence as Adversaries Target Both Industrial Control Systems and AI Workflows

Update:

A new report from HiddenLayer (Feb 11, 2026) reveals 'tool chain escalation' as the leading attack against AI agents, accounting for 11.7% of malicious activity. This advanced technique involves attackers using benign tools to map an agent's capabilities, then crafting prompts to chain them with dangerous tools (e.g., code execution, file writing) for privilege escalation. This goes beyond traditional prompt injection, targeting the AI's reasoning. The report warns of severe impacts including remote code execution, data exfiltration, and internal network attacks, emphasizing the need for new security measures beyond input sanitization.

January 21, 2026
Updated: February 11, 2026
6 min read
ICSOTSCADAHMIAI Security +4 more
Hackers Expand Attacks on ICS/OT and Enterprise AI Systems
Industrial Control Systems
Threat Intelligence
Cloud Security

CISA Adds Actively Exploited SolarWinds RCE Flaw to KEV Catalog

CRITICAL

CISA KEV Catalog Updated with Actively Exploited SolarWinds Web Help Desk RCE Flaw (CVE-2025-40551)

Update:

New intelligence indicates that threat actors exploiting the SolarWinds Web Help Desk RCE vulnerability are deploying the legitimate forensic tool Velociraptor for post-exploitation activities. This includes using it for discovery (T1082), lateral movement (T1021), and persistence (T1219), effectively 'Living Off the Land' to evade detection. Specific observables for detection include the presence of 'velociraptor.exe', unusual outbound connections from the WHD server, encoded PowerShell commands, and executables in temporary directories. This sophisticated tactic highlights the need for enhanced monitoring beyond initial compromise.

February 5, 2026
Updated: February 11, 2026
4 min read
CISAKEVSolarWindsCVE-2025-40551RCE +2 more
CISA Adds Actively Exploited SolarWinds RCE Flaw to KEV Catalog
Vulnerability
Patch Management
Regulatory

📢 Share This Publication

Help others stay informed about cybersecurity threats