Ivanti EPMM zero-days 🔴, Match Group breach 📱, ShadowHS Linux framework 💻, OpenSSL vulnerability 🔐

Daily Threat Intel Digest - January 30, 2026

🔴 Critical Threats & Active Exploitation

[NEW] Ivanti EPMM zero-days exploited in wild with unauthenticated RCE
Attackers are actively exploiting two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) tracked as CVE-2026-1281 and CVE-2026-1340, both with CVSS 9.8 scores that allow remote code execution without authentication. Successful exploitation gives attackers complete control over the mobile device management appliance, exposing sensitive data including device identifiers, location information, and authentication credentials. CISA has added CVE-2026-1281 to the KEV catalog with a February 1 remediation deadline for federal agencies, while Ivanti reports “very limited” but confirmed exploitation in customer environments. The vulnerabilities affect EPMM versions 12.5.0.0, 12.6.0.0, and 12.7.0.0 and earlier, with temporary RPM patches available that don’t survive version upgrades [BleepingComputer; SOCRadar]. Detection requires examining Apache access logs for external requests to /mifs/c/(aft|app)store/fob/ returning 404 errors, using the regex ^(?!127.0.0.1:\d+ .*$).*?/mifs/c/(aft|app)store/fob/.*?404 (the negative lookahead excludes requests originating from the loopback address 127.0.0.1) [BleepingComputer].

[NEW] Match Group breach exposes data from Tinder, Hinge, OkCupid after Okta SSO compromise
Match Group confirmed attackers stole user data from multiple dating platforms including Tinder, Hinge, OkCupid, and Match.com after compromising an Okta single sign-on account through a sophisticated voice phishing campaign by the ShinyHunters group. The breach leveraged a phishing domain at ‘matchinternal.com’ to gain access to AppsFlyer marketing analytics, Google Drive, and Dropbox storage, exposing 1.7GB of compressed files containing approximately 10 million user records. While Match Group claims no financial information or private communications were accessed, the incident represents one of the largest dating platform breaches to date, affecting their 80+ million active user base [BleepingComputer].

🎯 Threat Actor Activity & Campaigns

[NEW] ShadowHS Linux post-exploitation framework emerges with fileless execution capabilities
A sophisticated fileless Linux intrusion chain deploying a weaponized variant of hackshell has been identified, tracked as ShadowHS. The framework operates entirely in memory using AES-256-CBC encrypted payloads that reconstruct and execute via /proc//fd/ without touching disk, making detection extremely difficult. ShadowHS demonstrates aggressive EDR/AV fingerprinting covering dozens of commercial platforms, implements anti-competition logic to terminate rival malware, and includes dormant modules for credential theft, lateral movement via SSH brute-forcing, cryptomining, and covert data exfiltration using user-space tunnels. The framework’s design prioritizes stealth, operator safety, and interactive control over automated monetization, suggesting use by advanced intrusion operators rather than commodity attackers [Cyble].

[UPDATE] Google disrupts IPIDEA residential proxy network fueling global attacks
Google Threat Intelligence Group, in collaboration with industry partners, has taken down domains and infrastructure associated with IPIDEA, one of the largest residential proxy networks used by threat actors. The operation disrupted at least 19 proxy brands and over 7,400 servers that routed traffic through approximately 600 trojanized Android apps and 3,000 compromised Windows binaries. IPIDEA facilitated attacks by more than 550 distinct threat groups in a single week, including account takeovers, credential theft, and large-scale DDoS attacks. Google Play Protect now automatically detects and blocks applications containing IPIDEA-related SDKs, though the operators may attempt to rebuild infrastructure [BleepingComputer].

⚠️ Vulnerabilities & Patches

[UPDATE] Windows 11 boot failures linked to failed December 2025 update attempts
Microsoft has confirmed that recent Windows 11 boot failures after installing January 2026 updates are linked to systems that previously failed to install the December 2025 security update, leaving them in an “improper state” after rollback attempts. The issue causes BSOD crashes with “UNMOUNTABLE_BOOT_VOLUME” errors on physical devices, with no virtual machines impacted. Microsoft is developing a partial resolution to prevent additional no-boot scenarios but warns this fix won’t repair already-bricked systems or prevent the initial improper state. Organizations experiencing boot failures should review update history for December failures and consider system restoration from clean backups [BleepingComputer].

[NEW] OpenSSL vulnerability CVE-2025-15467 enables DoS and potential RCE
A high-severity stack buffer overflow in OpenSSL versions 3.0 through 3.6 allows denial-of-service and, under specific conditions, remote code execution when processing maliciously crafted CMS AuthEnvelopedData structures with AEAD ciphers like AES-GCM. The vulnerability occurs before authentication checks, meaning attackers don’t need valid keys to exploit it. Users should update to patched versions 3.6.1, 3.5.5, 3.4.4, 3.3.6, or 3.0.19 depending on their current version. OpenSSL 1.1.1 and 1.0.2 remain unaffected [SOC Prime].
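For fleet triage, here is an added example (not from the OpenSSL project or SOC Prime) that parses the banner printed by `openssl version` and classifies it against exactly the ranges and fixed releases the digest lists. Branches 3.1 and 3.2 fall inside the affected 3.0 through 3.6 range but have no fixed release in the digest, so the function reports them separately instead of assuming a fix; the banner format and the decision to treat anything outside 3.0 through 3.6 as outside the affected range are this example's assumptions.

```python
import re
import subprocess

# Fixed releases as the digest lists them for CVE-2025-15467, keyed by branch.
# 3.1 and 3.2 are in the affected range but have no fixed release listed here.
FIXED_RELEASE = {
    (3, 0): (3, 0, 19),
    (3, 3): (3, 3, 6),
    (3, 4): (3, 4, 4),
    (3, 5): (3, 5, 5),
    (3, 6): (3, 6, 1),
}

# Matches e.g. "OpenSSL 3.0.13 30 Jan 2024"; a letter suffix such as 1.1.1w is ignored.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from the output of `openssl version`."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no OpenSSL version found in: {banner!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess_cve_2025_15467(version: tuple[int, int, int]) -> str:
    """Classify a version against the digest's ranges.

    Returns "unaffected" (1.1.1, 1.0.2, or anything outside 3.0-3.6),
    "patched", "vulnerable", or "vulnerable-no-fix-listed" (3.1 / 3.2).
    """
    major, minor, _ = version
    if major != 3 or not (0 <= minor <= 6):
        return "unaffected"
    fixed = FIXED_RELEASE.get((major, minor))
    if fixed is None:
        return "vulnerable-no-fix-listed"
    return "patched" if version >= fixed else "vulnerable"


def assess_local_openssl() -> str:
    """Run the local `openssl` binary and classify the version it reports."""
    out = subprocess.run(
        ["openssl", "version"], capture_output=True, text=True, check=True
    ).stdout
    return assess_cve_2025_15467(parse_openssl_version(out))


if __name__ == "__main__":
    print(assess_local_openssl())
```

Note that this checks the `openssl` command on PATH only; applications that bundle their own libcrypto (static builds, language runtimes, containers) need the same comparison run against the library version they actually load.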

πŸ›‘οΈ Defense & Detection

[NEW] Google rolls out enhanced Android theft protection with biometric verification
Google has released comprehensive theft protection updates for Android 10+ devices, expanding security-by-default configurations. The updates strengthen authentication safeguards with Failed Authentication Lock that increases lockout periods after incorrect attempts, Identity Check requiring biometric verification for sensitive actions outside trusted locations, and enhanced Remote Lock functionality with additional verification challenges. Notably, Brazil is the first region where Theft Detection Lock and Remote Lock are enabled by default on new devices, using on-device machine learning to detect “snatch-and-run” scenarios. Identity Check now extends to all applications using Android’s Biometric Prompt API, automatically securing third-party banking and credential management apps [Cyberpress].

[NEW] NIST releases draft cybersecurity framework for transportation systems
The National Institute of Standards and Technology published a draft Transit Cybersecurity Framework Community Profile targeting the transportation sector’s unique risks. The framework addresses sprawling operational networks including signaling equipment, fare collection, and vehicle telemetry systems that rely heavily on wireless connectivity and legacy technology. Key recommendations prioritize securing functions threatening passenger safety or service continuity, emphasizing collaboration between suppliers, vendors, and internal stakeholders. The voluntary framework is scalable from small municipal bus fleets to multi-modal regional systems and is open for public comment through February 23, 2026 [Nextgov/FCW].

📋 Policy & Industry News

[NEW] Android malware campaign abuses Hugging Face AI platform for distribution
A sophisticated Android malware campaign is using Hugging Face’s trusted AI platform to host thousands of polymorphic malware variants. The attack begins with the TrustBastion dropper app that uses scareware tactics to lure users, then fetches payloads from Hugging Face dataset repositories via server-side polymorphism generating new variants every 15 minutes. The final payload is a remote access tool that abuses Android Accessibility Services to capture credentials, display phishing overlays for financial services like Alipay and WeChat, and maintain persistent C2 connections. Hugging Face removed the malicious repositories after notification from researchers [BleepingComputer].