Zero Day Wire - Zero Day Wire (Page 3)

Threats

Single Bulletproof Hosting IP Behind 83% of Ivanti EPMM Exploitation as Sleeper Shells Target MDM Infrastructure

A single IP address on bulletproof hosting infrastructure is responsible for 83% of all exploitation attempts targeting the critical Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities that have already compromised multiple European government agencies. Threat intelligence firm GreyNoise recorded 417 exploitation sessions from 8 unique source IPs between February 1-9, with

Breaches

First Malicious Outlook Add-In Discovered in the Wild After Abandoned Domain Hijack Steals 4,000 Credentials

Researchers at Koi Security have discovered what they describe as the first known malicious Microsoft Outlook add-in detected in the wild — a supply chain attack that exploited an abandoned developer domain to serve a phishing kit directly inside Outlook, stealing over 4,000 Microsoft credentials. The campaign, codenamed AgreeToSteal, targeted

Alerts

Apple Patches First Zero-Day of 2026 After Google TAG Discovers Exploitation in Targeted Attacks

Apple has released security updates across its entire product ecosystem to address a zero-day vulnerability that the company says has been exploited in "extremely sophisticated" attacks targeting specific individuals. The vulnerability, tracked as CVE-2026-20700, is a memory corruption flaw in dyld — Apple's Dynamic Link Editor responsible

Threats

Crazy Ransomware Operator Weaponizes Employee Monitoring Software for Stealth Persistence

A Crazy ransomware affiliate is abusing legitimate employee monitoring software and remote support tools to maintain stealth persistence inside corporate networks, blending malicious activity with normal administrative operations before deploying ransomware. Researchers at Huntress investigated multiple intrusions where the threat actor deployed Net Monitor for Employees Professional alongside the SimpleHelp

Breaches

Dutch Police Arrest Third Suspect Behind JokerOTP Phishing Platform That Caused $10M in Losses

Netherlands police have arrested a 21-year-old man from Dordrecht suspected of selling access to the JokerOTP phishing automation platform — a tool designed to intercept one-time passwords through automated voice calls that tricked victims into handing over their MFA codes. The arrest is the third in a three-year investigation that dismantled

Threats

North Korean UNC1069 Deploys AI-Generated Deepfakes and Seven Malware Families to Target Crypto Sector

Google Mandiant has detailed a sophisticated North Korean intrusion campaign in which the threat group UNC1069 used AI-generated deepfake video calls, compromised Telegram accounts, and ClickFix social engineering to deploy seven unique malware families against cryptocurrency sector targets. UNC1069 — also tracked as CryptoCore and MASAN — has been active since at

Threats

LummaStealer Rebounds With CastleLoader Campaigns as ClickFix Infections Surge Globally

LummaStealer — the prolific infostealer-as-a-service operation that law enforcement disrupted in May 2025 — has staged a significant comeback, with Bitdefender researchers documenting a major surge in infections between December 2025 and January 2026. The resurgence is powered by CastleLoader, a modular malware loader that uses ClickFix social engineering to trick users

Threats

Kimwolf IoT Botnet Disrupts I2P Anonymity Network in Massive Sybil Attack

The massive IoT botnet known as Kimwolf has spent the past week disrupting the Invisible Internet Project (I2P), a decentralized anonymity network, after its operators attempted to join approximately 700,000 infected devices as nodes on the network. The incident represents one of the largest Sybil attacks ever observed against

Alerts

Microsoft February 2026 Patch Tuesday Fixes Six Actively Exploited Zero-Days Across Windows, Office, and Remote Desktop

Microsoft's February 2026 Patch Tuesday addresses 59 vulnerabilities across Windows, Office, Azure, Edge, Exchange, and Hyper-V — including six zero-day flaws already being exploited in the wild. All six have been added to CISA's Known Exploited Vulnerabilities catalog with a March 3 federal patching deadline. Of the

Alerts

Fortinet Patches Two Critical Flaws — FortiClientEMS SQLi and Actively Exploited FortiCloud SSO Bypass

Fortinet has released security updates addressing two critical vulnerabilities, including an unauthenticated SQL injection in FortiClientEMS and a FortiCloud SSO authentication bypass that is already being exploited in the wild. CVE-2026-21643 — FortiClientEMS SQL Injection (CVSS 9.1) The first flaw, tracked as CVE-2026-21643, is a SQL injection vulnerability in FortiClientEMS

Alerts

BeyondTrust Patches Critical Unauthenticated RCE in Remote Support and Privileged Remote Access (CVE-2026-1731)

BeyondTrust has issued patches for a critical pre-authentication remote code execution vulnerability in its Remote Support (RS) and Privileged Remote Access (PRA) products — the same software previously exploited as zero-days in the 2024 breach of the U.S. Treasury Department. Tracked as CVE-2026-1731, the flaw is an OS command injection

Threats

Chinese APT UNC3886 Targeted All Four Singapore Telecoms in Espionage Campaign

Singapore's Cyber Security Agency (CSA) has disclosed that the China-linked cyber espionage group UNC3886 conducted a deliberate campaign against the country's entire telecommunications sector, targeting all four major operators — M1, SIMBA Telecom, Singtel, and StarHub. The disclosure follows comments made over six months ago by Singapore&