APT28 Office zero-day 🔴, Notepad++ supply chain 🔄, DynoWiper attacks 💥, GhostChat spyware 📱, GlassWorm malware 🐛

Daily Threat Intel Digest - 2026-02-03

🔴 Critical Threats & Active Exploitation

[NEW] APT28 exploits Microsoft Office zero-day in active espionage campaign
Russian state actors are exploiting CVE-2026-21509, a critical Microsoft Office vulnerability, in attacks targeting Ukraine, Slovakia, Romania, and other European countries. The campaign, dubbed “Operation Neusploit”, uses weaponized RTF files to deliver either the MiniDoor email theft malware or PixyNetLoader, which deploys Covenant Grunt implants hidden in PNG files via steganography. Microsoft issued an out-of-band patch on January 26, but exploitation continued through at least January 29. Attackers employ server-side checks to deliver malicious payloads only to targeted regions with the expected User-Agent headers, using the Filen API for command-and-control communications [Zscaler ThreatLabz; CERT-UA; BleepingComputer].

[UPDATE] Notepad++ supply chain attack reveals sophisticated multi-month operation
Lotus Blossom (China-nexus APT) compromised Notepad++ update infrastructure for six months, deploying multiple attack chains and the previously undocumented Chrysalis backdoor. Researchers identified three distinct infection chains from July to October 2025, each rotating infrastructure and payloads, including Cobalt Strike beacons and custom backdoors whose encrypted traffic mimics Deepseek API traffic. The campaign targeted government organizations in the Philippines, financial entities in El Salvador, and IT providers in Vietnam, with malware deployed via malicious update.exe files served from the compromised update servers [Kaspersky Securelist; CyberPress; CyberScoop].

[NEW] Sandworm deploys DynoWiper against Polish energy company
Russia-linked Sandworm targeted a Polish energy firm with new wiper malware in late December 2025, marking an expansion beyond its traditional Ukrainian focus. DynoWiper overwrites files with random buffers, deletes directory contents, and forces system reboots in three phases, behavior similar to the earlier ZOV wiper but with enhanced evasion techniques. Attackers gained domain admin access via Active Directory, deployed PowerShell scripts through Group Policy, and used Rubeus for Kerberos attacks plus the rsocx SOCKS5 proxy for lateral movement. ESET blocked the attack, limiting the damage to the targeted energy company [ESET WeLiveSecurity; CyberPress].

⚠️ Vulnerabilities & Patches

[NEW] Critical KiloView authentication bypass enables full device takeover
CISA disclosed CVE-2026-1453 (CVSS 9.8) affecting multiple KiloView Encoder Series devices used in critical infrastructure sectors including communications and IT. The vulnerability stems from missing authentication for critical administrative functions, allowing unauthenticated attackers to create or delete administrator accounts and gain complete device control remotely. Eight encoder series variants are affected, with CISA recommending immediate network isolation of devices and restriction of Internet accessibility [CISA Advisory ICSA-26-029-01; CyberPress].

[NEW] Apache Syncope XXE allows session hijacking in IAM platform
Apache Syncope versions 3.0-3.0.15 and 4.0-4.0.3 contain CVE-2026-23795, an XML External Entity vulnerability in the Console component’s Keymaster parameters. Authenticated administrators can craft malicious XML payloads to read sensitive files, access internal system information, and potentially escalate privileges within the identity management infrastructure. The Apache Syncope team released patched versions 3.0.16 and 4.0.4 with hardened XML parsing mechanisms [Apache Mailing List; CyberPress].
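What “hardened XML parsing” means in practice is that the parser refuses to declare or resolve entities before any payload can take effect. The following is an added Python example written for this digest, not Syncope’s code (Syncope is Java; the same configuration there is done on DocumentBuilderFactory). It uses the standard-library expat bindings to reject any DOCTYPE, which is the only place an external (SYSTEM) entity or a recursive internal entity can be declared, and then checks three constructed documents: a benign one, an XXE-style one, and an entity-expansion one. The element names are made up and are not Syncope’s Keymaster schema.

```python
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when untrusted XML carries a DOCTYPE, the only place an
    external (SYSTEM) entity or a recursive internal entity can be declared."""


def parse_untrusted(xml_bytes: bytes) -> dict:
    """Parse an untrusted XML document into a flat {element: text} map.

    Hardening happens inside the parser rather than by regex pre-filtering:
    expat reports the DOCTYPE before anything inside it is processed, so the
    handler aborts the parse before any entity can be declared or resolved.
    """
    parser = xml.parsers.expat.ParserCreate()
    result: dict = {}
    text_stack: list = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE '{name}' rejected (sysid={sysid!r})")

    def on_external_entity(context, base, sysid, pubid):
        # Defense in depth: never fetch an external entity; returning 0 makes
        # expat abort with an error instead of resolving the reference.
        return 0

    def on_start(name, attrs):
        text_stack.append([])

    def on_chars(data):
        if text_stack:
            text_stack[-1].append(data)

    def on_end(name):
        result[name] = "".join(text_stack.pop()).strip()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.EndElementHandler = on_end
    parser.Parse(xml_bytes, True)
    return result


def is_safe(xml_bytes: bytes) -> bool:
    """True if the document parses under the hardened configuration."""
    try:
        parse_untrusted(xml_bytes)
        return True
    except (UnsafeXML, xml.parsers.expat.ExpatError):
        return False


# Constructed sample: a benign parameter document (element names are made up).
BENIGN_DOC = b"""<?xml version="1.0"?>
<parameters>
  <domain>Master</domain>
  <adminUser>admin</adminUser>
</parameters>"""

# Constructed XXE-style test document: declares an external entity that
# points at a local file, the primitive behind "read sensitive files".
XXE_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE parameters [<!ENTITY ext SYSTEM "file:///etc/hostname">]>
<parameters><domain>&ext;</domain></parameters>"""

# Constructed entity-expansion test document (the "billion laughs" shape, kept tiny).
EXPANSION_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE parameters [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>
<parameters><domain>&b;</domain></parameters>"""

if __name__ == "__main__":
    print(parse_untrusted(BENIGN_DOC))
    for label, doc in (("xxe", XXE_DOC), ("expansion", EXPANSION_DOC)):
        print(label, "accepted" if is_safe(doc) else "rejected")
```

Rejecting the DOCTYPE outright is the simplest safe policy for machine-generated configuration documents such as these; if an application genuinely needs a DTD, the weaker alternative is to keep the external-entity handler returning 0 and to cap expansion with a size limit on the parsed output.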

[NEW] Hikvision wireless AP flaw enables authenticated command execution
CVE-2026-0709 affects multiple Hikvision wireless access point models due to insufficient input validation, allowing authenticated attackers to execute arbitrary commands. The vulnerability carries a high severity rating and impacts devices widely deployed in enterprise and critical infrastructure environments. Hikvision released patches on January 30, urging immediate application to prevent potential network compromise [Hikvision Advisory].

🎯 Threat Actor Activity & Campaigns

[NEW] GhostChat spyware targets Pakistani users with romance deception
A sophisticated Android spyware campaign dubbed GhostChat (Android/Spy.GhostChat.A) is targeting Pakistani users through a fake dating app that demands hardcoded “unlock passcodes” for access. The malware steals contacts, files, and real-time data including new photos and documents, uploading everything to a C&C server. ESET linked GhostChat to a broader campaign also using GhostPairing to hijack WhatsApp accounts via QR code scans impersonating Pakistan’s Ministry of Defence. The app is distributed outside official stores, relying on social engineering tactics and hardcoded credentials to appear legitimate [ESET Research; CyberPress].

[NEW] Anatsa banking trojan spreads via Google Play with 50K+ downloads
The notorious Anatsa banking trojan was distributed through “StellarGrid,” a malicious document reader app on Google Play that accumulated over 50,000 downloads. The app functions as a dropper, fetching Anatsa from external servers after installation to overlay fake login screens on banking apps and steal credentials. Anatsa has historically targeted over 100 banks across Europe and the US, employing automated transfer service attacks to move money directly from compromised accounts. The malicious app remains available for download, requiring immediate uninstallation [ThreatLabz; CyberPress].

[NEW] GlassWorm malware delivered through compromised OpenVSX extensions
Attackers compromised the legitimate OpenVSX extension developer account “oorzc” to push malicious updates across four extensions totaling 22,000 downloads. The GlassWorm payload exclusively targets macOS, establishing persistence via LaunchAgents and stealing browser data, cryptocurrency wallets, macOS Keychain data, and developer credentials. The campaign excludes Russian-language systems and exfiltrates data to infrastructure at 45.32.150.251. OpenVSX has removed the malicious releases, but users who installed affected versions must perform full system cleanup and credential rotation [Socket Research; BleepingComputer].
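LaunchAgents persistence is easy to audit because every agent is a plist in a known directory. The following is an added Python example for this digest, not Socket’s or OpenVSX’s tooling: it parses LaunchAgent plists and flags the traits that distinguish a dropped agent from a vendor one (execution from a user-writable or hidden path, a shell interpreter as the agent’s executable at login, or a reference to the exfiltration host named above). The two sample plists are constructed for illustration and are not real GlassWorm artifacts; the path prefixes treated as suspicious are an assumption to tune per fleet.

```python
import plistlib
import re

# IoC quoted in the digest: GlassWorm exfiltration host reported by Socket.
GLASSWORM_EXFIL_IP = "45.32.150.251"

# Assumption (tune per fleet): vendor agents do not execute from these prefixes.
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
# A path component starting with a dot, e.g. /Users/Shared/.cache/agent.
HIDDEN_COMPONENT = re.compile(r"/\.[A-Za-z0-9_]")
# An interpreter as the agent's own executable usually means "run a script from somewhere else".
INTERPRETER_BINS = {"sh", "bash", "zsh", "osascript", "python3", "node", "curl"}


def audit_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return the reasons a LaunchAgent plist looks like malware persistence
    (an empty list means nothing suspicious under these heuristics)."""
    plist = plistlib.loads(plist_bytes)
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    if "Program" in plist:  # launchd accepts Program instead of ProgramArguments[0]
        args.insert(0, str(plist["Program"]))
    reasons = []
    for arg in args:
        if any(prefix in arg for prefix in USER_WRITABLE_PREFIXES):
            reasons.append(f"references user-writable path: {arg}")
        if HIDDEN_COMPONENT.search(arg):
            reasons.append(f"hidden path component: {arg}")
        if GLASSWORM_EXFIL_IP in arg:
            reasons.append(f"references known exfil host {GLASSWORM_EXFIL_IP}")
    if args and args[0].rsplit("/", 1)[-1] in INTERPRETER_BINS and plist.get("RunAtLoad"):
        reasons.append(f"interpreter {args[0]} launched at login (RunAtLoad)")
    return reasons


def scan_launch_agents(agents: dict[str, bytes]) -> dict[str, list[str]]:
    """Audit a {filename: plist bytes} map and keep only the flagged entries.
    On a real host the map is built from ~/Library/LaunchAgents and /Library/LaunchAgents."""
    flagged = {}
    for name, data in agents.items():
        reasons = audit_launch_agent(data)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample plists (illustrative only, not real GlassWorm artifacts).
LEGIT_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/updater</string>
    <string>--check</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPICIOUS_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.system.cache.helper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>/Users/Shared/.cache/node /Users/Shared/.cache/agent.js</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    samples = {"com.example.updater.plist": LEGIT_AGENT,
               "com.system.cache.helper.plist": SUSPICIOUS_AGENT}
    for name, reasons in scan_launch_agents(samples).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Heuristics like these produce a short list for a human to review; the cleanup step the digest recommends still means removing the plist, unloading the agent, deleting the referenced binary, and rotating every credential the stealer component could have read.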

🛡️ Defense & Detection

[NEW] Mozilla introduces global AI controls in Firefox 148
Mozilla will add a “Block AI enhancements” toggle in Firefox 148 (releasing February 24) allowing users to disable all generative AI features or manage them individually. The controls will block current and future AI capabilities including browser translations, alt text generation, AI-enhanced tab grouping, and sidebar chatbot access. The feature responds to user feedback demanding more control over AI integration, with preferences persisting across browser updates [Mozilla Blog; BleepingComputer].

[UPDATE] CISA adds CVE-2018-14634 (Mutagen Astronomy) to Known Exploited Vulnerabilities catalog
The Linux kernel vulnerability CVE-2018-14634, discovered by Qualys in 2018 and nicknamed “Mutagen Astronomy,” was added to CISA’s KEV catalog on January 26, 2026, indicating confirmed active exploitation. The local privilege escalation flaw in create_elf_tables() affects major enterprise distributions including Red Hat Enterprise Linux and CentOS. Despite its age, the vulnerability retains exploitation value for attackers seeking root access on systems where users have shell access [Qualys Blog; CISA KEV].

[NEW] Malicious OpenClaw skills push password-stealing malware
Over 230 malicious “skills” for the personal AI assistant OpenClaw were published between January 27 and February 1, delivering info-stealing malware through fake cryptocurrency, financial, and social media utilities. The campaign tricks users into running “AuthTool,” which on macOS deploys NovaStealer variants that bypass Gatekeeper via xattr commands to steal cryptocurrency keys, SSH credentials, browser data, and .env files. On Windows, it downloads password-protected ZIP archives. The creator of OpenClaw acknowledged being unable to review all submissions, advising users to verify safety before deployment [OpenSourceMalware; BleepingComputer].