Microsoft's February Patch Tuesday brings six actively exploited zero-days. Meanwhile, a 2-million-device botnet accidentally crashed the I2P anonymity network, and a new extortion gang is swatting executives' families.
Microsoft released patches for 50+ vulnerabilities including six actively exploited zero-days. Patch immediately — all are under active attack.
| CVE | Impact | Severity |
|---|---|---|
| CVE-2026-21510 | Windows Shell bypass — single click runs attacker code | Critical |
| CVE-2026-21513 | MSHTML browser bypass | High |
| CVE-2026-21514 | Microsoft Word security bypass | High |
| CVE-2026-21533 | Windows RDP privilege escalation to SYSTEM | High |
| CVE-2026-21519 | Desktop Window Manager escalation | High |
| CVE-2026-21525 | VPN disruption via RASMAN DoS | Medium |
CVE-2026-1731: Critical pre-authentication RCE in BeyondTrust Remote Support and Privileged Remote Access. PoC was released and active exploitation began within 24 hours.
Security researchers have identified that one threat actor is responsible for 83% of all Ivanti EPMM exploitation attempts. CVE-2026-1281 and CVE-2026-1340 are being actively exploited.
This is a high-value target for attackers — patch urgently.
| Organization | Records | Sector |
|---|---|---|
| Odido (Dutch telecom) | 6.2M customers | Telecom |
| Louis Vuitton/Dior/Tiffany | 5.5M ($25M fine) | Retail |
| ApolloMD Healthcare | 626K patients | Healthcare |
| Conpet (Romania) | Qilin ransomware | Energy/Critical Infrastructure |
A massive botnet of 2+ million infected IoT devices (streaming boxes, routers, picture frames) accidentally crashed the I2P anonymity network by attempting to join 700,000 bots as nodes — a "Sybil attack" that overwhelmed the decentralized network.
The botnet operators have now compromised the Badbox 2.0 control panel (China-based Android TV botnet). Both FBI and Google are actively hunting the operators.
A new English-language extortion gang called SLSH (Scattered Lapsus ShinyHunters) is using extreme harassment tactics including swatting executives and their families, threatening children, DDoS attacks, and notifying journalists/regulators.
Unit 221B strongly advises: Do not engage or pay. The group has no track record of honoring promises and paying only encourages escalation.
Intrusions typically begin via employee phone phishing claiming to be IT updates.
ClickFix social engineering campaigns are now using DNS queries (nslookup) to retrieve PowerShell payloads — the first known use of DNS as a payload delivery channel for this attack type.
Also observed: Claude LLM artifacts being abused in ClickFix campaigns targeting macOS users with infostealers.
Multiple threat actors (VoidLink, CANFAIL) are confirmed using LLMs for malware development. Google's GTIG report notes that AI-assisted attacks are becoming standard practice for nation-state actors.
| Actor | Target Focus |
|---|---|
| Russia | Ukraine war technology deployments |
| North Korea | Employee recruitment exploitation |
| Iran | Supply chain and hiring process infiltration |
| China | Edge device initial access |
AI-powered vulnerability management with 332,660+ CVEs indexed.
Start Free ScanStay secure. Stay vigilant.
🗡️ KENSAI Security Team