2nd February – Threat Intelligence Report

2ND FEBRUARY – THREAT INTELLIGENCE REPORT February 2, 2026 For the latest discoveries in cyber research for the week of 2nd February, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES MicroWorld Technologies, maker of eScan antivirus, has suffered a supply-chain compromise. Malicious updates were pushed via the legitimate eScan updater, delivering multi-stage malware that establishes persistence, enables remote access, and blocks automatic updates. In response, eScan shut down its global update service for more than eight hours. Crunchbase, a private company intelligence platform, has confirmed a data breach of over 2 million records claimed by ShinyHunters threat group after a ransom demand was refused. The published files were stolen from its corporate network and include customer names, contact details, partner contracts and other internal documents. Crunchbase said that their operations were not disrupted. Qilin ransomware group has leaked an alleged database belonging to Tulsa International Airport in Oklahoma. The database include financial records, internal emails, and employee identification data. The airport authority has not yet confirmed compromise, and operations reportedly continue. Check Point Threat Emulation provides protection against this threat (Ransomware.Wins.Qilin.ta.*; Ransomware.Wins.Qilin) WorldLeaks extortion group has claimed responsibility for a data breach on the sportswear giant Nike. The threat group allegedly exposed samples totaling 1.4 terabytes of internal data including documents and archives related to the company’s supply chain and manufacturing operations. AI THREATS Clawdbot, an open source AI agent gateway, has more than 900 publicly exposed and often unauthenticated instances due to localhost auto approval behind reverse proxies. It enables credential theft, access to chat histories, and remote code execution. Researchers uncovered RedKitten, a 2026 campaign with LLM-assisted development indicators targeting Iranian activists and NGOs. The campaign uses password-protected Excel lures to deliver SloppyMIO, a C# implant that uses Telegram for C2 and GitHub/Google Drive for payloads, with steganographic configuration, AppDomain Manager injection, and scheduled task persistence. Researchers identified 16 malicious Chrome extensions for ChatGPT that exfiltrate authorization details and session tokens. The extensions inject scripts into the ChatGPT web application to monitor outbound requests, allowing attackers to hijack sessions and access chat histories. Researchers analyzed publicly accessible open-source LLM deployments via Ollama and revealed many with disabled guardrails and exposed system prompts, enabling spam, phishing, disinformation, and other abuse. VULNERABILITIES AND PATCHES A critical path traversal vulnerability (CVE-2025-8088) in WinRAR is actively exploited by government backed threat actors linked to Russia and China as well as financially motivated threat actors. Weaponized phishing forces WinRAR to write malware into the Windows Startup folder, enabling automatic execution for ransomware and credential theft. A patch is available on WinRAR 7.13. Check Point IPS provides protection against this threat (RARLAB WinRAR Directory Traversal (CVE-2025-8088)) SmarterTools addressed two critical SmarterMail flaws, including CVE-2026-24423 enabling remote code execution and CVE-2026-23760 allowing unauthenticated admin account takeover. The second flaw is actively exploited, and over 6,000 exposed SmarterMail servers are reportedly vulnerable. Check Point IPS provides protection against this threat (SmarterTools SmarterMail Remote Code Execution (CVE-2026-24423); SmarterTools SmarterMail Authentication Bypass (CVE-2026-23760)) Fortinet has fixed CVE-2026-24858, an authentication bypass in FortiCloud single sign on which allowed unauthorized access and admin creation on downstream devices. The flaw carries CVSS 9.4 and is actively exploited via FortiCloud SSO. THREAT INTELLIGENCE REPORTS Check Point Research has published the 2026 Cyber Security Report, highlighting AI as a force multiplier across attacks, fragmentation in ransomware with data only extortion, and multi-channel social engineering attacks. It maps threat activity to geopolitics and identity driven paths, quantifies risky AI usage, and provides sector and regional breakouts. Polish CERT detailed coordinated destructive attacks on Polish energy and manufacturing sectors, attributed to Static Tundra, using FortiGate SSL VPN access. The attackers conducted reconnaissance, firmware damage, lateral movement, and deployed DynoWiper and LazyWiper that corrupt files. Researchers have uncovered renewed Matanbuchus downloader campaigns using Microsoft Installer files disguised as legitimate installers, with frequent component changes to evade antivirus and machine learning detection. In many cases, the loader is used for further ransomware deployment. Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Trojan-Downloader.Wins.Matanbuchus.ta.*; Trojan-Downloader.Wins.Matanbuchus; Trojan-Downloader.Win.Matanbuchus) Researchers have identified PyRAT, a Python based cross platform RAT for Windows and Linux, using unencrypted HTTP POST C2, fingerprinting victims, and file and screenshot exfiltration. Persistence uses a deceptive autostart on Linux and a user Run key on Windows, with semi persistent identifiers. Researchers have found an Android campaign distributing a RAT via fake security alerts installing TrustBastion, which retrieves a second-stage payload from Hugging Face. The malware abuses Accessibility Services, deploys credential-stealing overlays, and uses server-side polymorphism to regenerate payloads every 15 minutes. GO UP BACK TO ALL POSTS POPULAR POSTS CHECK POINT RESEARCH PUBLICATIONS GLOBAL CYBER ATTACK REPORTS THREAT RESEARCH “The Turkish Rat” Evolved Adwind in a Massive Ongoing Phishing Campaign CHECK POINT RESEARCH PUBLICATIONS GLOBAL CYBER ATTACK REPORTS SECURITY REPORT THREAT RESEARCH 2024’s Cyber Battleground Unveiled: Escalating Ransomware Epidemic, the Evolution of Cyber Warfare Tactics and strategic use of AI in defense – Insights from Check Point’s Latest Security Report GLOBAL CYBER ATTACK REPORTS 8th May – Threat Intelligence Report BLOGS AND PUBLICATIONS CHECK POINT RESEARCH PUBLICATIONS GLOBAL CYBER ATTACK REPORTS THREAT RESEARCH January 22, 2020 THE 2020 CYBER SECURITY REPORT GLOBAL CYBER ATTACK REPORTS December 15, 2021 STEALTHLOADER MALWARE LEVERAGING LOG4SHELL CHECK POINT RESEARCH PUBLICATIONS GLOBAL CYBER ATTACK REPORTS THREAT RESEARCH February 17, 2020 “THE TURKISH RAT” EVOLVED ADWIND IN A MASSIVE ONGOING PHISHING CAMPAIGN CHECK POINT RESEARCH PUBLICATIONS GLOBAL CYBER ATTACK REPORTS THREAT RESEARCH January 22, 2020 THE 2020 CYBER SECURITY REPORT GLOBAL CYBER ATTACK REPORTS December 15, 2021 STEALTHLOADER MALWARE LEVERAGING LOG4SHELL CHECK POINT RESEARCH PUBLICATIONS GLOBAL CYBER ATTACK REPORTS THREAT RESEARCH February 17, 2020 “THE TURKISH RAT” EVOLVED ADWIND IN A MASSIVE ONGOING PHISHING CAMPAIGN CHECK POINT RESEARCH PUBLICATIONS GLOBAL CYBER ATTACK REPORTS THREAT RESEARCH January 22, 2020 THE 2020 CYBER SECURITY REPORT 123 This website uses cookies in order to optimize your user experience as well as for advertising and analytics.  For further information, please read our Privacy Policy and ourCookie Notice. 404 Not Found nginx When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer. More information Allow All Manage Consent Preferences Functional Cookies Functional Cookies These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly. Strictly Necessary Cookies Always Active These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information. Performance Cookies Performance Cookies These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance. Targeting Cookies Targeting Cookies These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising. Performance Cookies Clear checkbox label label Apply Cancel Consent Leg.Interest checkbox label label checkbox label label checkbox label label Reject All Confirm My Choices