Daily Brief

2026-02-05 19:27:21 | theregister | NATION STATE ACTIVITY | Asian Cyber Group Targets Global Governments with Advanced Espionage Tools
An Asian state-aligned cyber group infiltrated networks in 37 countries, targeting government and critical infrastructure organizations in an extensive espionage campaign. The group, tracked as TGR-STA-1030, compromised at least 70 organizations, maintaining prolonged access to sensitive systems and data. Key targets included national police, parliaments, telecommunications, and finance ministries, with data exfiltration involving financial and military information. The group employs phishing emails and exploits known vulnerabilities in Microsoft Exchange, SAP, and Atlassian products to gain initial access. A newly discovered Linux kernel rootkit, ShadowGuard, facilitates stealthy operations by hiding process information at the kernel level. The Cybersecurity and Infrastructure Security Agency (CISA) and international partners are actively working to detect and mitigate the threats posed by this group. TGR-STA-1030 times its attacks around geopolitical events, with notable campaigns against Germany and the Czech Republic that exploited global political tensions. The ongoing threat from this group underscores the need for enhanced cybersecurity measures and international collaboration to protect critical infrastructure.
2026-02-05 17:31:50 | thehackernews | DDOS | AISURU/Kimwolf Botnet Executes Record-Breaking 31.4 Tbps DDoS Attack
The AISURU/Kimwolf botnet launched a massive DDoS attack in November 2025, peaking at 31.4 Tbps and lasting 35 seconds, marking a new record in attack scale. Cloudflare successfully detected and mitigated the attack, which is part of a series of hyper-volumetric DDoS campaigns by the botnet during Q4 2025. The botnet has compromised over 2 million Android devices, primarily off-brand Android TVs, using residential proxy networks like IPIDEA. Google intervened by disrupting IPIDEA's network, initiating legal actions, and collaborating with Cloudflare to dismantle the domain infrastructure controlling the botnet. In 2025, DDoS attacks surged by 121%, with Cloudflare mitigating 34.4 million network-layer attacks, highlighting a significant increase in both frequency and scale. The sophistication and size of DDoS attacks are evolving rapidly, challenging organizations to reassess their defense strategies beyond traditional on-premise solutions. IPIDEA's operations involve at least 600 trojanized Android apps and over 3,000 Windows binaries, turning devices into proxy exit nodes without user consent.
2026-02-05 17:08:00 | bleepingcomputer | CYBERCRIME | Cyberattack Disrupts Operations at Italy's La Sapienza University
La Sapienza University in Rome experienced a cyberattack, leading to significant IT system disruptions and operational challenges for its 112,500 students. The university proactively shut down its network systems to protect data integrity and has been updating the community via social media. Italian newspaper reports suggest the attack involved ransomware, linked to the pro-Russian group Femwar02, using the Bablock/Rorschach strain. The ransomware, known for its fast encryption and customization, is believed to be built from leaked sources of Babuk, LockBit v2.0, and DarkSide. Authorities, including Italian CSIRT and the national cybersecurity agency, are collaborating with university technicians to restore systems from unaffected backups. The university has not opened the ransom note, to avoid triggering its 72-hour countdown, and the ransom amount remains undisclosed. Students and staff are advised to be vigilant against phishing attempts and monitor for any suspicious account activity.
2026-02-05 16:28:55 | theregister | DATA BREACH | Betterment Data Breach Exposes 1.4 Million Users' Personal Information
Betterment experienced a security breach in January, exposing personal data of approximately 1.4 million users, as revealed by Have I Been Pwned. The breach involved unauthorized access via a social engineering attack, exploiting third-party marketing and operations tools. Attackers used impersonation techniques to distribute fraudulent cryptocurrency promotions to Betterment customers. Betterment confirmed that no customer accounts, passwords, or login credentials were compromised in the breach. Exposed data includes names, email addresses, and for some users, physical addresses, phone numbers, and dates of birth. The ShinyHunters group claimed responsibility, allegedly obtaining Okta single sign-on codes through voice phishing to access the systems. Betterment is collaborating with a data analytics provider to assess the breach's impact and advises vigilance against unsolicited communications. The incident underscores the importance of safeguarding personal data, especially in financial services, to mitigate phishing and account takeover risks.
2026-02-05 15:17:12 | bleepingcomputer | CYBERCRIME | Romanian Oil Pipeline Operator Conpet Hit by Ransomware Attack
Conpet, Romania's national oil pipeline operator, experienced a cyberattack that disrupted its business systems and took down its website, though operational technologies remained unaffected. The attack did not impact Conpet's ability to transport crude oil and gasoline, ensuring continuity in fulfilling contractual obligations. The Qilin ransomware group claimed responsibility, alleging the theft of nearly 1TB of documents, including sensitive financial and personal data. Conpet is collaborating with national cybersecurity authorities to investigate and restore affected systems, and has filed a criminal complaint with DIICOT. This incident is part of a series of ransomware attacks targeting Romanian infrastructure, following breaches in the water management and energy sectors. The Qilin group, operating as a Ransomware-as-a-Service, has previously targeted major organizations globally, raising concerns over its expanding threat. The attack underscores the importance of robust cybersecurity measures to protect critical infrastructure from increasingly sophisticated ransomware operations.
2026-02-05 15:00:32 | bleepingcomputer | VULNERABILITIES | Enhancing Cloud Security Through Network-Layer Telemetry and Visibility
Cloud migrations often lead to security blind spots due to dynamic infrastructure and multi-cloud architectures, necessitating real-time network visibility for effective cyber defense. Network-layer telemetry is crucial for overcoming inconsistencies in cloud logs, providing a consistent signal across diverse environments and enhancing threat detection. Corelight's Network Detection & Response (NDR) platform offers deep visibility and advanced anomaly detection to protect sensitive cloud environments from adversarial threats. Effective cloud security involves monitoring east-west and north-south traffic, container deviations, and TLS metadata to detect suspicious activities and potential breaches. Key threats visible in cloud network traffic include supply-chain compromises, infostealer-led intrusions, misuse of managed services, and cryptomining activities. Organizations are advised to implement traffic mirroring, standardize network telemetry, and establish baselines to improve detection accuracy and reduce noise. Continuous validation through adversary emulation is recommended to ensure detection capabilities for infostealers, cryptomining, and suspicious admin behavior. Applying traditional network security principles to modern cloud architectures is essential as attackers increasingly utilize AI to bypass existing controls.
2026-02-05 13:00:46 | thehackernews | NATION STATE ACTIVITY | APT36 Expands Targeting to Indian Startups with Crimson RAT
APT36, linked to Pakistan, is now targeting India's startup ecosystem, marking a shift from its usual focus on government and defense sectors. The group employs spear-phishing emails with ISO images to deliver Crimson RAT, facilitating surveillance and data exfiltration. The attack chain includes malicious LNK shortcuts and batch scripts for persistence, disguised as legitimate files to deceive targets. This campaign suggests startups may be targeted for their connections to government or security operations, expanding the threat landscape. The operation aligns with Transparent Tribe's historical patterns, indicating a strategic expansion rather than a deviation from established objectives. Organizations in proximity to government sectors should reassess their security posture to mitigate potential risks from such targeted campaigns.
2026-02-05 13:00:45 | bleepingcomputer | DATA BREACH | Substack Data Breach Exposes User Emails and Phone Numbers
Substack has informed users of a data breach impacting email addresses and phone numbers, with the incident dating back to October 2025. CEO Chris Best confirmed that while personal data was accessed, credentials and financial information remained secure. The breach was discovered on February 3rd, with attackers exploiting a system flaw to access user data, which has since been patched. A database containing 697,313 records was leaked on BreachForums, though the exact number of affected users remains undisclosed. Substack warned users of potential phishing threats using the stolen information, urging caution with suspicious communications. The breach adds to Substack's security challenges, following a previous incident in 2020 where user emails were inadvertently exposed. Substack continues to be a popular platform for independent journalists, boasting five million paid subscriptions as of March 2025.
2026-02-05 11:52:19 | theregister | NATION STATE ACTIVITY | Italy Thwarts Russian-Origin Cyberattacks Targeting Winter Olympics
Italy's foreign minister reported thwarting cyberattacks from Russia targeting the Milano Cortina Winter Olympics and foreign ministry sites, including those in Washington, D.C. The attacks aimed at disrupting the Winter Olympics infrastructure, including hotels in Cortina, though specifics on the nature of the attacks were not disclosed. The UK's cybersecurity agency had previously cautioned against underestimating pro-Russia hacktivists, known for targeting global sporting events. Cloudflare's CEO threatened to withdraw free services to the Games and Italian citizens following a €14 million fine by Italy's telecom regulator for anti-piracy violations. Historical context shows Russia's long-standing use of global sporting events for political leverage, with past cyberattacks linked to the 2018 and 2024 Games. The International Olympic Committee has imposed an indefinite ban on Russian athletes competing under their national flag due to geopolitical tensions and past doping scandals. The ongoing geopolitical tensions and cyber activities underscore the need for robust cybersecurity measures during international events.
2026-02-05 11:44:05 | theregister | VULNERABILITIES | Critical Vulnerabilities in n8n Automation Platform Threaten Server Security
Recent vulnerabilities in the n8n automation tool, tracked as CVE-2026-25049, allow attackers to hijack servers and steal credentials, affecting AI-driven business processes. These flaws, with a CVSS rating of 9.4, arise from inadequate expression sanitization, enabling malicious code execution despite previous patch efforts. Authenticated users with workflow access can exploit these vulnerabilities to execute unintended commands on host systems, posing significant security risks. Pillar Security and SecureLayer 7 researchers disclosed these vulnerabilities, emphasizing the ease of exploitation and the high-value targets exposed. Successful exploitation could grant attackers access to sensitive credentials, including API keys and tokens for cloud and AI services, threatening broader organizational security. n8n has released patches and advises immediate updates, alongside reviewing user permissions and rotating sensitive credentials to mitigate potential breaches. The incident underscores the growing attractiveness of automation platforms as targets, given their integral role in organizational operations and data handling.
2026-02-05 11:34:30 | thehackernews | MISCELLANEOUS | AI Usage Control: A New Frontier in Cybersecurity Governance
The rapid integration of AI into enterprise workflows has outpaced traditional security measures, creating a significant governance gap in AI usage and control. AI tools are embedded across various platforms, including SaaS, CRMs, and personal projects, complicating visibility and management for security teams. Traditional security controls fail to address AI interaction points, necessitating a shift to interaction-centric governance for effective oversight. AI Usage Control (AUC) emerges as a new governance layer, focusing on real-time AI behavior management rather than static data controls. AUC provides comprehensive oversight by answering critical questions about AI usage, identity, and conditions, enhancing security posture. The Buyer’s Guide for AI Usage Control offers a framework for evaluating AI security solutions, emphasizing interaction-centric governance. Organizations mastering AI governance can leverage AI's potential securely, aligning innovation with compliance and risk management strategies.
2026-02-05 11:19:52 | bleepingcomputer | DATA BREACH | Betterment Data Breach Exposes 1.4 Million Customer Accounts
Automated investment platform Betterment suffered a data breach in January, affecting 1.4 million accounts, with personal information such as email addresses and geographic data compromised. The breach involved a social engineering attack, allowing threat actors to send fraudulent emails disguised as Betterment promotions, aiming to deceive customers into a cryptocurrency scam. Betterment confirmed, based on a forensic investigation by cybersecurity firm CrowdStrike, that no customer accounts, passwords, or login information were compromised. The breach primarily impacted customer contact information, including names and emails, with some cases involving additional data like physical addresses and phone numbers. Following the breach, Betterment experienced a DDoS attack, causing intermittent outages on its website and mobile app, though details on any extortion attempts remain undisclosed. Betterment has reassured customers that the unauthorized access has been removed and continues to monitor the situation for any potential threats. This incident underscores the importance of robust security measures and vigilant monitoring to protect customer data and maintain trust in fintech services.
2026-02-05 11:04:22 | theregister | MISCELLANEOUS | Rising Demand for Sovereign Cloud Solutions Amid Geopolitical Shifts
OpenNebula, a cloud management platform, addresses increasing interest in sovereign cloud solutions, driven by geopolitical changes and regulatory pressures, particularly in Europe. Sovereignty in cloud services is interpreted differently across sectors and regions, with public sectors prioritizing control and jurisdiction over cost. In the EU, there is a growing call for businesses to reduce reliance on U.S. hyperscalers, favoring local, sovereign solutions to align with regulatory expectations. The private sector's focus remains cost-driven, but recent geopolitical dynamics and licensing concerns, such as VMware's acquisition by Broadcom, are shifting priorities. OpenNebula's approach to sovereignty includes control over the technology stack and infrastructure, appealing to organizations seeking vendor-neutral alternatives. The European Commission emphasizes reducing dependency on foreign platforms, influencing cloud strategy decisions among businesses and public entities. Companies like SUSE are promoting tools to help organizations align with the EU Cloud Sovereignty Framework, supporting the shift towards sovereign cloud solutions.
2026-02-05 10:27:45 | thehackernews | NATION STATE ACTIVITY | Infy Hackers Revamp C2 Infrastructure Amid Iranian Internet Blackout
Infy, an Iranian state-sponsored group, resumed operations with new C2 servers following Iran's internet blackout, indicating strategic adaptation to governmental actions. SafeBreach identified Infy's cessation of C2 maintenance during the blackout, suggesting limited operational capabilities or motivation during the shutdown. Renewed activity was detected on January 26, 2026, with Infy establishing new C2 infrastructure, coinciding with the easing of internet restrictions in Iran. Infy's updated malware, including Tornado version 51, employs both HTTP and Telegram for command-and-control, enhancing its operational flexibility and stealth. The group has weaponized a 1-day WinRAR vulnerability to deliver payloads, indicating a shift in tactics to improve attack success rates. SafeBreach's analysis of Telegram communications revealed extensive data exfiltration and command activity, providing insights into Infy's operational methods and targets. Infy's continued evolution in tradecraft and infrastructure underscores the persistent threat posed by state-sponsored actors in advancing geopolitical objectives.
2026-02-05 10:27:45 | bleepingcomputer | DDOS | Zendesk Support Systems Targeted in Global Spam Attack
A new spam wave is impacting global users, exploiting unsecured Zendesk support systems to flood inboxes with "Activate account" emails. Attackers are leveraging Zendesk's ticket submission forms to generate automated confirmation emails, bypassing spam filters and overwhelming recipients. The spam campaign mirrors a similar incident from January, where Zendesk's system vulnerabilities were exploited for large-scale spam distribution. Major companies like Dropbox and 2K were previously affected, advising users to disregard the unsolicited emails. Zendesk has implemented enhanced monitoring and activity limits to counter such abuses, but the recent attack suggests vulnerabilities remain. Organizations are advised to restrict ticket creation to verified users and remove email placeholders to mitigate potential abuse. This incident underscores the importance of securing customer support portals to prevent exploitation by threat actors.