← Back to Security Blog
Security Briefing 6 min read

Microsoft's Six Zero-Days + 2M-Device Botnet Chaos

Microsoft's February Patch Tuesday brings six actively exploited zero-days. Meanwhile, a 2-million-device botnet accidentally crashed the I2P anonymity network, and a new extortion gang is swatting executives' families.


Critical: Microsoft Patch Tuesday — 6 Zero-Days

All Currently Supported Windows Versions Affected

Microsoft released patches for 50+ vulnerabilities including six actively exploited zero-days. Patch immediately — all are under active attack.

CVE Impact Severity
CVE-2026-21510 Windows Shell bypass — single click runs attacker code Critical
CVE-2026-21513 MSHTML browser bypass High
CVE-2026-21514 Microsoft Word security bypass High
CVE-2026-21533 Windows RDP privilege escalation to SYSTEM High
CVE-2026-21519 Desktop Window Manager escalation High
CVE-2026-21525 VPN disruption via RASMAN DoS Medium

BeyondTrust RCE — Exploited in 24 Hours

CVE-2026-1731: Critical pre-authentication RCE in BeyondTrust Remote Support and Privileged Remote Access. PoC was released and active exploitation began within 24 hours.

Recommended Actions

  1. Patch immediately if using BeyondTrust PRA
  2. Isolate exposed appliances until patched
  3. Review logs for unauthorized access

Ivanti EPMM — Single Actor Behind 83%

Security researchers have identified that one threat actor is responsible for 83% of all Ivanti EPMM exploitation attempts. CVE-2026-1281 and CVE-2026-1340 are being actively exploited.

This is a high-value target for attackers — patch urgently.


Major Breaches This Week

Organization Records Sector
Odido (Dutch telecom) 6.2M customers Telecom
Louis Vuitton/Dior/Tiffany 5.5M ($25M fine) Retail
ApolloMD Healthcare 626K patients Healthcare
Conpet (Romania) Qilin ransomware Energy/Critical Infrastructure

Kimwolf Botnet — 2 Million Devices

A massive botnet of 2+ million infected IoT devices (streaming boxes, routers, picture frames) accidentally crashed the I2P anonymity network by attempting to join 700,000 bots as nodes — a "Sybil attack" that overwhelmed the decentralized network.

The botnet operators have now compromised the Badbox 2.0 control panel (China-based Android TV botnet). Both FBI and Google are actively hunting the operators.


SLSH Extortion Gang — Extreme Tactics

Expert Advice: DO NOT PAY

A new English-language extortion gang called SLSH (Scattered Lapsus ShinyHunters) is using extreme harassment tactics including swatting executives and their families, threatening children, DDoS attacks, and notifying journalists/regulators.

Unit 221B strongly advises: Do not engage or pay. The group has no track record of honoring promises and paying only encourages escalation.

Intrusions typically begin via employee phone phishing claiming to be IT updates.


ClickFix Attack Evolution

ClickFix social engineering campaigns are now using DNS queries (nslookup) to retrieve PowerShell payloads — the first known use of DNS as a payload delivery channel for this attack type.

Also observed: Claude LLM artifacts being abused in ClickFix campaigns targeting macOS users with infostealers.


State Actors Using AI for Malware

Multiple threat actors (VoidLink, CANFAIL) are confirmed using LLMs for malware development. Google's GTIG report notes that AI-assisted attacks are becoming standard practice for nation-state actors.

Actor Target Focus
Russia Ukraine war technology deployments
North Korea Employee recruitment exploitation
Iran Supply chain and hiring process infiltration
China Edge device initial access

Today's Priorities

  1. PATCH NOW: Microsoft's 6 zero-days + BeyondTrust + Ivanti
  2. MONITOR: DNS-based payload delivery (ClickFix evolution)
  3. BRIEF: Executives on SLSH extortion tactics
  4. AUDIT: Chrome extensions (300+ malicious identified with 37M downloads)
  5. REVIEW: Employee security training on phone-based social engineering

Protect Your Organization with KENSAI

AI-powered vulnerability management with 332,660+ CVEs indexed.

Start Free Scan

Stay secure. Stay vigilant.

🗡️ KENSAI Security Team

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →

📚 Related Articles