Metro4Shell RCE attacks 🔴, Ivanti zero-day exploitation 🚨, Django SQL injection flaws 💉, Shadow DNS hijacking 🌐, Kubernetes ingress compromise ☸️
Daily Threat Intel Digest - 2026-02-04
🔴 Critical Threats & Active Exploitation
[NEW] Developers targeted in active Metro4Shell RCE attacks
Threat actors are actively exploiting a critical vulnerability in React Native’s Metro development server (CVE-2025-11953, “Metro4Shell”) to deploy sophisticated malware against developers worldwide. The vulnerability allows unauthenticated remote code execution through improper input validation on the /open-url endpoint, with the server binding to 0.0.0.0 by default despite displaying “localhost” to users. Attackers have been observed since December 2025 delivering PowerShell-based loaders that establish TCP connections to attacker infrastructure (8.218.43.248:60124, 47.86.33.195:60130) and execute UPX-packed Rust binaries. Over 3,500 Metro servers remain exposed on the internet, making this an urgent threat to development environments containing source code, credentials, and API keys [VulnCheck; Cyberpress].
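The exposure described above comes down to a development server listening on a wildcard address while telling the user it is on localhost. The following is an added example, not code from the digest or the Metro project: it parses `ss -ltn` output (a constructed sample is embedded) and flags dev-server listeners bound to 0.0.0.0, :: or *; port 8081 as Metro's default is an assumption of the example.

```python
"""Flag development-server listeners bound to all interfaces.

Added example (not from the digest or the Metro project): parses `ss -ltn`
output and reports any socket on a dev-server port that listens on a
wildcard address (0.0.0.0, ::, or *) instead of loopback. The sample output
below is constructed; port 8081 is assumed as Metro's default port.
"""
import subprocess

DEV_SERVER_PORTS = {8081}  # assumed Metro default; extend for other local tooling
WILDCARD_HOSTS = {"0.0.0.0", "::", "[::]", "*"}

# Constructed sample of `ss -ltn` output: one loopback-only Metro listener,
# two bound to every interface (the exposure pattern discussed above), and an
# unrelated loopback IPv6 service that should not be reported.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    127.0.0.1:8081      0.0.0.0:*
LISTEN 0      511    0.0.0.0:8081        0.0.0.0:*
LISTEN 0      128    [::1]:5432          [::]:*
LISTEN 0      511    *:8081              *:*
"""


def split_host_port(addr: str) -> tuple[str, int]:
    """Split 'host:port' where host may be IPv4, bracketed IPv6, or '*'."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def exposed_listeners(ss_output: str, ports=DEV_SERVER_PORTS) -> list[tuple[str, int]]:
    """Return (host, port) for dev-server listeners bound to a wildcard address."""
    exposed = []
    for line in ss_output.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        if int(port) in ports and host in WILDCARD_HOSTS:
            exposed.append((host, int(port)))
    return exposed


def check_live_system() -> list[tuple[str, int]]:
    """Run `ss -ltn` on this (Linux) host and report exposed dev-server listeners."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    return exposed_listeners(out)


if __name__ == "__main__":
    for host, port in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"dev server on port {port} is bound to {host}; restrict it to 127.0.0.1")
```

Run `check_live_system()` on a developer workstation to apply the same test to real listeners; a non-empty result means the bundler is reachable from the network, whatever its console banner says.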
[UPDATE] Ivanti EPMM under mass exploitation as two new zero-days emerge
Attackers are actively exploiting two newly disclosed critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) - CVE-2026-1281 and CVE-2026-1340 (both CVSS 9.8) - allowing unauthenticated remote code execution. This follows a pattern of repeated Ivanti compromises, with over 1,400 EPMM instances still exposed to the internet according to Shadowserver. WatchTowr researchers observed the exploitation evolving from “tightly scoped zero-day exploitation” to “global mass exploitation by a wide mix of opportunistic actors” within days of disclosure. Ivanti has released temporary patches, and CISA has added CVE-2026-1281 to its KEV catalog. Organizations must consider exposed instances compromised and initiate incident response immediately [Cyberscoop].
[UPDATE] SolarWinds Web Help Desk RCE added to CISA KEV catalog
CISA has added SolarWinds Web Help Desk vulnerability CVE-2025-40551 (CVSS 9.8) to its Known Exploited Vulnerabilities catalog due to confirmed active exploitation. The critical deserialization flaw enables unauthenticated remote code execution and has been exploited in attacks alongside the previously disclosed SolarWinds vulnerabilities. This represents another supply chain risk for organizations using SolarWinds products, with attackers leveraging the flaw to gain initial access and potentially move laterally to other systems [GBHackers; Bitsight].
[NEW] Shadow DNS operation hijacks internet traffic via compromised routers
A sophisticated threat operation active since mid-2022 is compromising routers to force devices onto malicious DNS resolvers hosted by sanctioned provider Aeza International (AS210644). The attackers manipulate DNS responses for high-value domains (shopify.com, okta.com) while returning correct IPs for major services (Google, Facebook) to avoid detection. The campaign delivers malicious JavaScript through an HTTP Traffic Distribution System (TDS) that fingerprints devices before redirecting to adtech scams or malware. Key technical indicators include rejection of EDNS0 queries, 20-second TTLs, and resolvers at IPs including 104.238.29.136, 138.124.101.153, and 193.233.232.229. Victims report network glitches, crypto miners, and admin lockouts, with the activity potentially enabling supply chain attacks and credential theft [Infoblox; Cyberpress].
🎯 Threat Actor Activity & Campaigns
[NEW] ValleyRAT campaign spreads via trojanized LINE installers
Silver Fox APT group is distributing a fake LINE messenger installer that delivers ValleyRAT malware targeting Chinese-speaking users. The trojanized installer uses a stolen EV certificate from “Chengdu MODIFENGNIAO Network Technology Co., Ltd.” and employs advanced evasion including PowerShell commands to exclude drives from Windows Defender, PoolParty Variant 7 code injection into Explorer.exe, and disruption of 360 Total Security processes. The malware drops multiple files in %AppData%\TrustAsia including intel.dll, config.ini, and config2.ini, establishing persistence via PowerShell Scheduled Tasks and RPC. Command-and-control servers include 143.92.38[.]217:18852 and 206.238.221[.]165:443, enabling credential theft and surveillance [Cybereason; Cyberpress].
[NEW] Enterprise phishing campaigns abuse legitimate cloud infrastructure
Threat actors are increasingly hosting malicious kits on trusted platforms like Microsoft Azure, Google Firebase, AWS CloudFront, and Cloudflare to bypass traditional security defenses. These AiTM (Adversary-in-the-Middle) kits - particularly Tycoon2FA, Sneaky2FA, and EvilProxy - target enterprise accounts by filtering out personal email addresses and proxying connections to legitimate services. The campaigns leverage CAPTCHA-protected pages and rapid domain swapping to evade detection, with ANY.RUN data showing Tycoon2FA cases on Azure doubling in a week. Cloudflare is popular with these operators because it masks the VPS origin, is hard to block outright, and defeats JA3S server fingerprinting, since TLS is terminated at the edge rather than on the attacker’s host [ANY.RUN; Cyberpress].
[NEW] Coordinated reconnaissance targets exposed Citrix NetScaler infrastructure
A widespread scanning campaign has targeted Citrix ADC (NetScaler) Gateway infrastructure using over 63,000 residential proxy IPs and AWS cloud infrastructure. GreyNoise observed 111,834 sessions between January 28 and February 2, with 79% of traffic specifically targeting authentication interfaces. The campaign focused on enumerating versions via EPA artifacts (/epa/scripts/win/nsepa_setup.exe) and identifying exposed login panels, indicating pre-exploitation preparation for known vulnerabilities like CVE-2025-5777 and CVE-2025-5775. Attackers used Chrome 50 user agents (circa 2016) and employed HEAD requests against Citrix Gateway endpoints for stealth [GreyNoise; BleepingComputer].
[NEW] Medusa ransomware claims attacks on Italian municipality and US company
The Medusa ransomware group has publicly claimed responsibility for attacks on Comune di Battipaglia (Italian municipal government) and Balloons Everywhere (US balloon products distributor). Both attacks occurred on February 3, 2026, with the group threatening to publish stolen data unless ransom demands are met. While Medusa has not specified the attack vectors, these incidents follow the group’s pattern of targeting mid-sized organizations across sectors, potentially leveraging access brokers or exploiting unpatched vulnerabilities for initial entry [DeXpose].
⚠️ Vulnerabilities & Patches
[NEW] Critical Django vulnerabilities enable SQL injection and DoS attacks
The Django Software Foundation has released emergency security patches for six vulnerabilities across all supported release series (fixed in 6.0.2, 5.2.11, and 4.2.28). Three are high-severity SQL injection flaws: CVE-2026-1207 in PostGIS raster lookups, CVE-2026-1287, injection through column aliases used with FilteredRelation, and CVE-2026-1312, injection through QuerySet.order_by() when column aliases contain periods. In addition, CVE-2025-14550 is a denial-of-service via duplicate HTTP headers in ASGI, and CVE-2026-1285 affects HTML truncation. Organizations running Django in production should prioritize patching, particularly for applications that use PostGIS or FilteredRelation queries [Django security releases; Cyberpress].
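Two of the three injection flaws involve column aliases reaching the ORM from user-influenced ordering. Independently of the patches, an application should never pass request parameters straight into order_by(); the following added example (not Django’s code and not from the digest) shows the allowlist-and-syntax check a view can apply first. It is plain Python with no Django dependency; the field names and the ALLOWED_ORDERING set are constructed for illustration.

```python
"""Constrain user-controlled ordering before it reaches QuerySet.order_by().

Added example (not Django's own code or the digest's): ordering terms taken
from request parameters are accepted only if they are syntactically plain
field paths AND appear in an explicit allowlist, so aliases containing
periods, commas or expressions never reach the ORM. Pure Python, no Django.
"""
import re

# Only names a model field path could have: identifiers joined by the
# double-underscore relation separator, optionally prefixed with '-' for
# descending order. A period, comma, quote or space fails this test.
_FIELD_RE = re.compile(r"^-?[A-Za-z_][A-Za-z0-9_]*(__[A-Za-z_][A-Za-z0-9_]*)*$")


def safe_order_by(requested: list[str], allowed: frozenset[str]) -> list[str]:
    """Return the requested ordering terms that are both well-formed and allowlisted.

    The syntax check runs first so that the allowlist only has to name fields,
    not enumerate every malformed variant; duplicates are dropped so a client
    cannot inflate the ORDER BY clause by repeating a term.
    """
    cleaned: list[str] = []
    for term in requested:
        if not _FIELD_RE.match(term):
            continue  # not a plain field path: alias with '.', expression, etc.
        field = term[1:] if term.startswith("-") else term
        if field in allowed and term not in cleaned:
            cleaned.append(term)
    return cleaned


# Constructed allowlist: the fields a hypothetical article listing may sort by.
ALLOWED_ORDERING = frozenset({"created", "title", "author__name"})

if __name__ == "__main__":
    # Constructed ?ordering=... values as a view might receive them.
    params = ["-created", "title", "created.id", "author__name", "title, id", "secret_flag"]
    print(safe_order_by(params, ALLOWED_ORDERING))  # ['-created', 'title', 'author__name']
```

In a view, the result is what gets splatted into `queryset.order_by(*terms)`; an empty list should fall back to the model’s default ordering rather than to whatever the client sent.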
[NEW] Ingress-NGINX vulnerability allows Kubernetes cluster compromise
A high-severity vulnerability (CVE-2026-24512, CVSS 8.8) in the Kubernetes ingress-nginx controller enables attackers to execute arbitrary code by injecting rogue configuration directives through the rules.http.paths.path field. Since the controller typically has broad access to Kubernetes secrets, successful exploitation could lead to full cluster compromise, service disruption, or persistent access. The Kubernetes Security Response Committee has released patched versions v1.13.7 and v1.14.3, with administrators urged to upgrade immediately. Given the ingress-nginx project’s scheduled retirement in March 2026, organizations should also plan migrations to alternative controllers like Contour, Traefik, or HAProxy [Kubernetes security advisory; Cyberpress].