NCSA Webboard

    Cyber Threat Intelligence 05 February 2026

    Cyber Security News
    • NCSA_THAICERT

      New Tooling

      • Global Threat Map: Open-Source Real-Time Situational Awareness Platform
        "Global Threat Map is an open-source project offering security teams a live view of reported cyber activity across the globe, pulling together open data feeds into a single interactive map. It visualizes indicators such as malware distribution, phishing activity, and attack traffic by geographic region. Global threat maps have long been used by security vendors to illustrate attack volumes and regional trends. This project takes a different path by relying on open feeds and community-maintained code, making its data sources and logic visible to users."
        https://www.helpnetsecurity.com/2026/02/04/global-threat-map-open-source-osint/
        https://github.com/unicodeveloper/globalthreatmap

      Vulnerabilities

      • n8n Sandbox Escape: Critical Vulnerabilities In n8n Exposes Hundreds Of Thousands Of Enterprise AI Systems To Complete Takeover
        "Pillar Security researchers uncovered critical vulnerabilities in n8n, a popular open-source workflow automation platform powering numerous enterprise deployments. The vulnerabilities allowed any authenticated user to seize complete control of the server, stealing every stored credential, API key, and secret on both self hosted and cloud instances. On n8n Cloud, the shared multi-tenant architecture meant a single malicious user could potentially breach the entire platform, accessing data belonging to all other customers."
        https://www.pillar.security/blog/n8n-sandbox-escape-critical-vulnerabilities-in-n8n-exposes-hundreds-of-thousands-of-enterprise-ai-systems-to-complete-takeover
        https://www.bleepingcomputer.com/news/security/critical-n8n-flaws-disclosed-along-with-public-exploits/
        https://www.infosecurity-magazine.com/news/two-critical-flaws-in-n8n-ai/
      • LookOut: Discovering RCE And Internal Access On Looker (Google Cloud & On-Prem)
        "Tenable Research discovered two novel vulnerabilities in Google Looker that could allow an attacker to completely compromise a Looker instance. Google moved swiftly to patch these issues. Organizations running Looker on-prem should verify they have upgraded to the patched versions."
        https://www.tenable.com/blog/google-looker-vulnerabilities-rce-internal-access-lookout
        https://www.darkreading.com/application-security/google-looker-bugs-cross-tenant-rce-data-exfil
        https://www.securityweek.com/vulnerabilities-allowed-full-compromise-of-google-looker-instances/
        https://www.helpnetsecurity.com/2026/02/04/google-looker-vulnerabilities-cve-2025-12743/

      Malware

      • CISA: VMware ESXi Flaw Now Exploited In Ransomware Attacks
        "CISA confirmed on Wednesday that ransomware gangs have begun exploiting a high-severity VMware ESXi sandbox escape vulnerability that was previously used in zero-day attacks. Broadcom patched this ESXi arbitrary-write vulnerability (tracked as CVE-2025-22225) in March 2025 alongside a memory leak (CVE-2025-22226) and a TOCTOU flaw (CVE-2025-22224), and tagged them all as actively exploited zero-days. "A malicious actor with privileges within the VMX process may trigger an arbitrary kernel write leading to an escape of the sandbox," Broadcom said about the CVE-2025-22225 flaw."
        https://www.bleepingcomputer.com/news/security/cisa-vmware-esxi-flaw-now-exploited-in-ransomware-attacks/
        https://securityaffairs.com/187637/security/cve-2025-22225-in-vmware-esxi-now-used-in-active-ransomware-attacks.html
      • Hackers Compromise NGINX Servers To Redirect User Traffic
        "A threat actor is compromising NGINX servers in a campaign that hijacks user traffic and reroutes it through the attacker's backend infrastructure. NGINX is open-source software for web traffic management. It intermediates connections between users and servers and is employed for web serving, load balancing, caching, and reverse proxying. The malicious campaign, discovered by researchers at DataDog Security Labs, targets NGINX installations and Baota hosting management panels used by sites with Asian top-level domains (.in, .id, .pe, .bd, and .th) and government and educational sites (.edu and .gov)."
        https://www.bleepingcomputer.com/news/security/hackers-compromise-nginx-servers-to-redirect-user-traffic/
      • They Got In Through SonicWall. Then They Tried To Kill Every Security Tool
        "In early February 2026, Huntress responded to an intrusion where threat actors leveraged compromised SonicWall SSLVPN credentials to gain initial access to a victim network. Once inside, the attacker deployed an EDR killer that abuses a legitimate Guidance Software (EnCase) forensic driver with a revoked certificate to terminate security processes from kernel mode, a technique known as Bring Your Own Vulnerable Driver (BYOVD). The attack was disrupted before ransomware deployment, but the case highlights a growing trend: threat actors weaponizing signed, legitimate drivers to blind endpoint security. The EnCase driver's certificate expired in 2010 and was subsequently revoked, yet Windows still loads it, a gap in Driver Signature Enforcement that attackers continue to exploit."
        https://www.huntress.com/blog/encase-byovd-edr-killer
        https://www.bleepingcomputer.com/news/security/edr-killer-tool-uses-signed-kernel-driver-from-forensic-software/
      • Amaranth-Dragon: Weaponizing CVE-2025-8088 For Targeted Espionage In The Southeast Asia
        "Check Point Research has identified several campaigns targeting multiple countries in the Southeast Asian region. These related activities have been collectively categorized under the codename “Amaranth-Dragon”. The campaigns demonstrate a clear focus on government entities across the region, suggesting a motivated threat actor with a strong interest in geopolitical intelligence. The campaigns frequently target law enforcement agencies, particularly the police, and often appear to be timed or themed around ongoing local political events."
        https://research.checkpoint.com/2026/amaranth-dragon-weaponizes-cve-2025-8088-for-targeted-espionage/
        https://blog.checkpoint.com/research/amaranth-dragon-targeted-cyber-espionage-campaigns-across-southeast-asia/
        https://thehackernews.com/2026/02/china-linked-amaranth-dragon-exploits.html
      • The Godfather Of Ransomware? Inside DragonForce’s Cartel Ambitions
        "DragonForce employs advanced methodologies, using a dual-extortion strategy in which they not only encrypt critical business data but also exfiltrate sensitive information, threatening to release it on dark web leak sites unless the ransom is paid. DragonForce has targeted a variety of sectors, with a notable focus on manufacturing and construction, and has impacted several high-profile organizations. The group has shown adaptability by continuously refining its tools and tactics, moving from dedicated victim sites to a centralized domain for hosting leaked data. This rapid evolution keeps them a persistent and growing threat to businesses worldwide."
        https://www.levelblue.com/blogs/spiderlabs-blog/the-godfather-of-ransomware-inside-dragonforces-cartel-ambitions
        https://www.darkreading.com/cyber-risk/ransomware-gang-full-godfather-cartel
      • New Campaign Uses Screensavers For RMM-Based Persistence
        "Attackers are abusing Windows screensaver (.scr) files to silently install commonly used remote monitoring and management (RMM) tools to turn trusted software into persistent remote access. Because this activity can blend into normal IT operations and avoid “classic malware” signals, it gives attackers room to escalate into credential theft, data exfiltration, and ransomware deployment. We’ve observed this campaign across multiple ReliaQuest customers. It stands out because, unlike typical attacks, this marks the first time we’ve identified a campaign using business-themed lures to persuade users to download a .scr file—an often-overlooked executable—that then deploys an RMM tool for durable access and follow-on actions with unusual effectiveness."
        https://reliaquest.com/blog/threat-spotlight-new-campaign-uses-screensavers-RMM-based-persistence/
        https://www.darkreading.com/application-security/attackers-use-screensavers-drop-malware-rmm-tools
      • Shaping Shadows: Breaking Down New ShadowSyndicate Methods And Infrastructure
        "ShadowSyndicate is a malicious activity cluster that unites a wide set of campaigns based on infrastructure overlaps. Despite the huge number of servers involved, the threat actor relies on OpenSSH and usually uses one SSH key for all of them. But each pair of SSH keys is unique, so the presence of the public key on the server is usually associated with a specific person or group that has access to it. Because ShadowSyndicate’s SSH fingerprints are known to be used with a large number of servers, it allows researchers to spot the links and analyze such clusters. ShadowSyndicate’s infrastructure is always connected to various malware families and has links to different ransomware groups or affiliate programs."
        https://www.group-ib.com/blog/new-shadowsyndicate-infrastructure/
        https://www.infosecurity-magazine.com/news/shadowsyndicate/
      • PlugX Diplomacy: A Mustang Panda Campaign
        "The campaign commenced with what initially appeared to be a standard diplomatic email. The subject line alluded to a policy update. The attached document was structured as an internal briefing, authored in informal language, and corresponded with actual and current geopolitical developments. For individuals engaged in government or foreign policy, it closely resembled the typical summary produced by the United States that frequently circulates after meetings, forums, or coordination calls. However, it was not authentic."
        https://dreamgroup.com/plugx-diplomacy-mustang-panda-campaign/
        https://hackread.com/chinese-mustang-panda-briefing-spy-diplomat/
      • Silent Push Identifies More Than 10,000 Infected IPs As Part Of SystemBC Botnet Malware Family
        "Using a custom-built SystemBC tracker, Silent Push Preemptive Cyber Defense Analysts identified more than 10,000 unique infected IP addresses as part of this botnet. While we don’t have immediate visibility on any follow-on malware payloads deployed via this current SystemBC botnet, historically, many threat actors have used SystemBC to deploy ransomware on compromised networks, highlighting the importance of remediation. Our analysis shows SystemBC infections are globally distributed at scale, with the highest concentration of infected IP addresses observed in the United States, followed by Germany, France, Singapore, and India."
        https://www.silentpush.com/blog/systembc/
        https://www.infosecurity-magazine.com/news/global-systembc-botnet-10000/
      • React Server Components Exploitation Consolidates As Two IPs Generate Majority Of Attack Traffic
        "Two months after CVE-2025-55182 was disclosed on December 3, 2025, exploitation activity targeting React Server Components has consolidated significantly. GreyNoise telemetry from the past seven days shows that two IP addresses now account for 56% of all observed exploitation attempts, down from 1,083 unique sources. The dominant sources deploy distinct post-exploitation payloads: one retrieves cryptomining binaries from staging servers, while the other opens reverse shells directly to the scanner IP. Whether this represents two separate actors or compartmentalized infrastructure from a single actor remains unclear, but the behavioral distinction is notable."
        https://www.greynoise.io/blog/react2shell-exploitation-consolidates
        https://www.securityweek.com/cryptominers-reverse-shells-dropped-in-recent-react2shell-attacks/
      • Analyzing Dead#Vax: Analyzing Multi-Stage VHD Delivery And Self-Parsing Batch Scripts To Deploy In-Memory Shellcode
        "Securonix Threat Research has been tracking a stealthy malware campaign that uses an uncommon chain of VHD abuse, script-based execution, self-parsing batch logic, fileless PowerShell injections and ultimately dropping RAT. The attack leverages IPFS-hosted VHD files, extreme script obfuscation, runtime decryption, and in-memory shellcode injection into trusted Windows processes, never dropping a decrypted binary to disk. This research breaks down each stage at code level, highlighting modern attacker tradecraft that bypasses traditional detection mechanisms."
        https://www.securonix.com/blog/deadvax-threat-research-security-advisory/
        https://thehackernews.com/2026/02/deadvax-malware-campaign-deploys.html
      • Nitrogen Ransomware: ESXi Malware Has a Bug!
        "Nitrogen ransomware was derived from the previously leaked Conti 2 builder code, and is similar to Nitrogen ransomware, but a coding mistake in the ESXi malware causes it to encrypt all the files with the wrong public key, irrevocably corrupting them. This means that even the threat actor is incapable of decrypting them, and that victims that are without viable backups have no ability to recover their ESXi encrypted servers. Paying a ransom will not assist these victims, as the decryption key/tool will not work."
        https://www.coveware.com/blog/2026/2/2/nitrogen-ransomware-esxi-malware-has-a-bug
        https://www.theregister.com/2026/02/04/nitrogen_ransomware_broken_decryptor/

      Breaches/Hacks/Leaks

      • Coinbase Confirms Insider Breach Linked To Leaked Support Tool Screenshots
        "Coinbase has confirmed an insider breach after a contractor improperly accessed the data of approximately thirty customers, which BleepingComputer has learned is a new incident that occurred in December. "Last year our security team detected that a single Coinbase contractor improperly accessed customer information, impacting a very small number of users (approximately 30)," a Coinbase spokesperson told BleepingComputer."
        https://www.bleepingcomputer.com/news/security/coinbase-confirms-insider-breach-linked-to-leaked-support-tool-screenshots/
      • Harvard, UPenn Data Leaked In ShinyHunters Shakedown
        "Cyber extortion group ShinyHunters claimed responsibility Wednesday for late 2025 attacks against Harvard University and the University of Pennsylvania, publishing on a darkweb leak site what they claimed were more than 2 million records stolen from the two Ivy League schools. Threat intelligence firm Hudson Rock, which reviewed the leaked Harvard data, said it includes admissions and fundraising information, and details such as "top donors," as well as spouses, widows, parents, current students and family members who are prospective students. This serves not only as a "social graph" revealing "wealth bands" and details of "domestic intimacy," the firm said."
        https://www.bankinfosecurity.com/harvard-upenn-data-leaked-in-shinyhunters-shakedown-a-30677
      • Big Breach Or Smooth Sailing? Mexican Gov't Faces Leak Allegations
        "The information of more than a quarter (28%) of Mexico's population may be at risk following the leak of 2.3TB of data online by a hacktivist group, but Mexico's cybersecurity and digital-technology agency, the Agencia de Transformación Digital y Telecomunicaciones (ATDT), downplayed the significance of any potential compromise."
        https://www.darkreading.com/cyberattacks-data-breaches/big-breach-or-nada-de-nada-mexican-govt-faces-leak-allegations

      General News

      • Harassment, Scare Tactics, & Why Victims Should Never Pay ShinyHunters
        "There is an unusual wave of ongoing ransomware attacks that involve data theft by members of The Com. This type of ransomware attack threatens to leak the stolen data publicly but does not involve encryption nor does it require the victim to purchase a decryption key. Corporate victims are simultaneously harassed, which is designed to be emotionally triggering and overwhelming. This ransomware campaign is related to a group that calls itself by a number of names, including "ShinyHunters", or "Scattered Lapsus Hunters", or "Scattered Lapsus Shiny Hunters", or "SLSH". This Com group and their activity are distinct from previous iterations of groups that used the moniker "Shiny Hunters" before 2025."
        https://blog.unit221b.com/dont-read-this-blog/harassment-scare-tactics-why-victims-should-never-pay-shinyhunters
        https://www.bankinfosecurity.com/victims-are-rebuffing-ransomware-mass-data-theft-campaigns-a-30676
      • Cofense Report Reveals AI-Powered Phishing Accelerated To One Attack Every 19 Seconds
        "Cofense, the leading provider of intelligence-driven post-perimeter phishing defense, today released its latest threat intelligence report, The New Era of Phishing: Threats Built in the Age of AI, revealing how AI technologies are now central to how threat actors operate, fundamentally transforming the speed, scale, and sophistication of modern phishing attacks."
        https://cofense.com/blog/cofense-report-reveals-ai-powered-phishing-accelerated-to-one-attack-every-19-seconds
        https://www.infosecurity-magazine.com/news/ai-double-volume-phishing-attacks/
      • Ransomware Attacks Have Surged 30% Since Q4 2025
        "Ransomware groups claimed more than 2,000 attacks in the last three months of 2025 – and they’re starting 2026 at the same elevated pace. Cyble recorded 2,018 claimed attacks by ransomware groups in the fourth quarter of 2025, an average of just under 673 a month. The threat groups maintained that pace in January 2026, claiming 679 ransomware victims."
        https://cyble.com/blog/ransomware-groups-q4-2025-cyble-report/
      • AI May Supplant Pen Testers, But Oversight & Trust Are Not There Yet
        "While current artificial intelligence (AI) agents and large language models (LLMs) continue to have significant issues in finding vulnerabilities and conducting penetration tests, they are already augmenting many human pen testers and even supplanting them. Problems such as false positives continue to be significant, and human ingenuity and creativity will remain essential for discovering novel or complex vulnerabilities, such as timing attacks, experts say. However, AI pen-testing tools and services are quickly improving, with the majority of pen testers already augmenting their workflow with AI technologies — a use case that will only increase."
        https://www.darkreading.com/cybersecurity-operations/ai-supplant-pen-testers-oversight-trust-not-there-yet
      • Cyber Insights 2026: Cyberwar And Rising Nation State Threats
        "Entering the cyber world is stepping into a warzone. Cyber is considered a war zone, and what happens there is described as cyberwar. But it’s not that simple. War is conducted by nations (political), not undertaken by criminals (financial). Both are increasing in this war zone we call cyber, but the political threat is growing fast. Cyberwar is a complex subject, and a formal definition is difficult. Opinions vary over whether there is any effective difference between common cybercriminal and nation state aggression – and, if there is, whether defenders need to understand or act upon that difference."
        https://www.securityweek.com/cyber-insights-2026-cyberwar-and-rising-nation-state-threats/
      • Detecting Backdoored Language Models At Scale
        "Today, we are releasing new research on detecting backdoors in open-weight language models. Our research highlights several key properties of language model backdoors, laying the groundwork for a practical scanner designed to detect backdoored models at scale and improve overall trust in AI systems."
        https://www.microsoft.com/en-us/security/blog/2026/02/04/detecting-backdoored-language-models-at-scale/
        https://arxiv.org/pdf/2602.03085
        https://thehackernews.com/2026/02/microsoft-develops-scanner-to-detect.html
      • The First 90 Seconds: How Early Decisions Shape Incident Response Investigations
        "Many incident response failures do not come from a lack of tools, intelligence, or technical skills. They come from what happens immediately after detection, when pressure is high, and information is incomplete. I have seen IR teams recover from sophisticated intrusions with limited telemetry. I have also seen teams lose control of investigations they should have been able to handle. The difference usually appears early. Not hours later, when timelines are built, or reports are written, but in the first moments after a responder realizes something is wrong."
        https://thehackernews.com/2026/02/the-first-90-seconds-how-early.html

      Reference
      Electronic Transactions Development Agency (ETDA)
