InfoSec Briefing - February 10, 2026

🎧 Audio Briefing

Playback Speed:

Good morning. This is your security briefing for Monday, February 09, 2026, covering four critical developments in the threat landscape. All attribution is by the article authors. All article analysis is automated.

Microsoft reports that threat actors are actively exploiting internet-exposed SolarWinds Web Help Desk instances to achieve unauthenticated remote code execution. The exploitation enables initial access to victim networks, lateral movement, and potential complete domain compromise, placing organizations running unpatched WHD instances at severe risk.

Defused Cyber has identified a sophisticated attack campaign where attackers are exploiting two CVEs in Ivanti Endpoint Manager Mobile to plant dormant in-memory backdoors. Active since February 4th, the campaign uses a Java class loader technique that remains inactive until triggered by a specific parameter, suggesting Initial Access Broker tactics for establishing persistent footholds.

Mandiant reports that North Korean threat actor UNC1069 has targeted the cryptocurrency and DeFi sectors using AI-generated video lures and compromised Telegram accounts for sophisticated social engineering. The group deployed seven unique malware families designed to harvest credentials, browser data, and session tokens, targeting cryptocurrency startups, software developers, venture capital firms, and centralized exchanges.

The Cyber Security Agency of Singapore and Infocomm Media Development Authority report that Advanced Persistent Threat actor UNC3886 targeted Singapore's four major telecommunications operators using zero-day exploits and rootkits. Operation CYBER GUARDIAN, an 11-month multi-agency response involving over 100 cyber defenders, successfully detected and disrupted the attacks, with unauthorized access confirmed but no evidence of sensitive customer data exfiltration found.

That concludes today's briefing.

📰 Articles Covered

Analysis of active exploitation of SolarWinds Web Help Desk - Microsoft

A sophisticated intrusion campaign has been identified where threat actors actively exploited internet-exposed **SolarWinds Web Help Desk (WHD)** instances to gain initial access to victim networks 【1】. This exploitation enabled them to achieve **unauthenticated remote code execution**, which then facilitated lateral movement and the potential for a complete domain compromise 【1】.

**Who is Affected:**
Organizations that are using **unpatched SolarWinds Web Help Desk instances** are vulnerable to these attacks 【1】.

**Security Implications:**
The security implications are significant, as a single exploited vulnerability in the WHD software can lead to extensive compromise of an organization's network 【1】. The attackers demonstrated a high level of sophistication by employing "living-off-the-land" techniques, utilizing legitimate administrative tools, and implementing low-noise persistence mechanisms to evade detection 【1】.

**Technical Details:**
The campaign, which occurred in December 2025, leveraged several vulnerabilities, including **CVE-2025-40551, CVE-2025-40536, and CVE-2025-26399** 【1】.
- Attackers used **PowerShell** in conjunction with **BITS (Background Intelligent Transfer Service)** to download payloads 【1】.
- They installed **Zoho ManageEngine** to establish remote control capabilities 【1】.
- The actors performed extensive **enumeration of sensitive domain users and groups** 【1】.
- Persistence was established through **reverse SSH and RDP access** 【1】.
- **DLL sideloading** was used via `wab.exe` to abuse `sspicli.dll` for credential theft 【1】.
- In some instances, the activity escalated to **DCSync** attacks, which are used to replicate password hashes from a domain controller 【1】.

**What Defenders Should Know:**
Defenders need to take immediate action to protect their environments 【1】:
- **Prioritize patching** all SolarWinds WHD instances 【1】.
- **Restrict external exposure** of WHD servers 【1】.
- **Remove any unauthorized remote monitoring and management (RMM) solutions**, such as Zoho ManageEngine, if found 【1】.
- **Reset credentials and isolate** any hosts suspected of being compromised 【1】.
Microsoft Defender XDR offers protection against these threats through various alerts and provides hunting queries to help detect exploitation activities, including suspicious command executions, potential `ntds.dit` theft, and the identification of vulnerable WHD servers 【1】.
Sleeper Shells: How Attackers Are Planting Dormant Backdoors in Ivanti EPMM - Defused Cyber

A recent cybersecurity campaign, beginning on February 4th, 2026, has been observed targeting **Ivanti Endpoint Manager Mobile (EPMM)**. Attackers are exploiting two critical vulnerabilities: **CVE-2026-1281** (authentication bypass) and **CVE-2026-1340** (remote code execution) 【1】.

**What Happened:**
The attackers are using a sophisticated method to establish a dormant backdoor. Instead of immediately executing commands, they upload an in-memory Java class loader to the `/mifs/403.jsp` endpoint. This "sleeper shell" remains inactive until triggered, a tactic often employed by Initial Access Brokers (IABs) who establish a foothold for later sale or use 【1】.

**Who is Affected:**
**Ivanti EPMM** instances are vulnerable to this attack. The campaign's deliberate nature suggests a targeted approach rather than a widespread, indiscriminate exploit 【1】.

**Security Implications:**
The primary security concern is the creation of a **hidden, in-memory backdoor** that is difficult to detect because it does not write to disk. This dormant presence allows attackers to maintain access without immediate signs of compromise, making it a significant threat 【1】.

**Technical Details:**
The exploit involves uploading a Java class named `base.Info` to `/mifs/403.jsp`. This class acts as a loader for a second-stage Java class, which is activated by a specific trigger parameter, `k0f53cf964d387` 【1】. The payload is designed to operate entirely in memory, evading traditional file-based detection methods 【1】.

**What Defenders Should Know:**
Defenders need to be aware that the **absence of immediate exploitation does not guarantee system safety**; the access may simply be waiting for activation 【1】. Recommended actions include:
- **Patching Ivanti EPMM** immediately 【1】.
- **Restarting affected application servers** to clear any in-memory implants 【1】.
- **Reviewing access logs** for suspicious activity, such as:
- Requests to `/mifs/403.jsp` 【1】.
- Large Base64 encoded parameters that begin with `yv66vg` 【1】.
- The presence of the parameter name `k0f53cf964d387` 【1】.
- Response bodies containing `3cd3d` or `e60537` 【1】.
- Any response containing `ERROR://` 【1】.

The article stresses that these "quiet compromises" can be more dangerous than those causing immediate damage, as they allow attackers to establish a persistent presence undetected 【1】.
UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering - Mandiant

A North Korean threat actor known as **UNC1069** has been observed targeting the **cryptocurrency and decentralized finance (DeFi)** sectors with sophisticated new tools and AI-driven social engineering tactics. This group, active since at least 2018, has evolved its methods to focus on Web3 industries, including cryptocurrency startups, software developers, and venture capital firms.

**What Happened:**
UNC1069 orchestrated a targeted intrusion by compromising a legitimate executive's Telegram account. They then initiated contact with a victim, building rapport before sending a Calendly link to schedule a meeting. This link led to a spoofed Zoom meeting hosted on the attacker's infrastructure. During the fake meeting, the victim was presented with what appeared to be an AI-generated video of a CEO from another cryptocurrency company, used as a lure to deceive the victim into believing there were audio issues. This ruse was employed to trick the victim into running malicious commands disguised as troubleshooting steps. These commands initiated an infection chain that deployed seven unique malware families, including new tools designed to capture host and victim data.

**Who is Affected:**
The primary targets of UNC1069 are entities and individuals within the **cryptocurrency and DeFi sectors**. This includes:
- Cryptocurrency startups
- Software developers in financial institutions
- Venture capital firms and their employees/executives
- Centralized exchanges (CEX)

**Security Implications:**
The attack demonstrates a significant escalation in UNC1069's capabilities, marked by the deployment of multiple new malware families. The extensive tooling used indicates a determined effort to harvest credentials, browser data, and session tokens for financial theft. The use of AI-generated content and sophisticated social engineering highlights the increasing sophistication of financially motivated threat actors. The ability to bypass macOS privacy features like the TCC database and steal sensitive user data poses a severe risk to individuals and organizations in the targeted sectors.

**Technical Details:**
The intrusion involved a multi-stage infection chain:
- **Initial Vector:** A compromised Telegram account and a spoofed Zoom meeting link.
- **Social Engineering:** Use of AI-generated video (deepfake) and a "ClickFix" attack, where victims are tricked into running malicious commands for "troubleshooting."
- **Malware Deployment:**
- **WAVESHAPER:** A backdoor that downloads and executes further payloads.
- **HYPERCALL:** A downloader that loads malicious dynamic libraries.
- **HIDDENCALL:** A backdoor providing hands-on keyboard access.
- **SUGARLOADER:** A downloader used to deploy other malware.
- **SILENCELIFT:** A backdoor that beacons host information and can interrupt Telegram communications.
- **DEEPBREATH:** A data miner that manipulates the macOS TCC database to steal credentials, browser data, and user data from Telegram and Apple Notes.
- **CHROMEPUSH:** A data miner that installs as a browser extension to log keystrokes, capture credentials, and steal browser cookies.
- **Persistence:** Achieved through mechanisms like launch daemons for SUGARLOADER.
- **Data Harvesting:** DEEPBREATH and CHROMEPUSH are designed to exfiltrate sensitive user information.

**What Defenders Should Know:**
- **AI-Enabled Social Engineering:** Be aware of increasingly sophisticated social engineering tactics that may involve AI-generated content, such as deepfake videos, to deceive victims.
- **Targeted Attacks:** The cryptocurrency and DeFi sectors are prime targets for financially motivated threat actors like UNC1069.
- **Evolving Tooling:** UNC1069 is actively developing and deploying new malware families, indicating a continuous effort to enhance their capabilities.
- **macOS Vulnerabilities:** Defenders should be particularly vigilant about macOS security, as UNC1069 has developed tools like DEEPBREATH that can bypass native privacy controls.
- **Comprehensive Detection:** Implement robust security measures that can detect a wide range of malware and advanced persistent threats, including those that leverage novel infection vectors and data exfiltration techniques.
- **Indicators of Compromise (IOCs):** Utilize provided network and host-based IOCs, including domain names, file hashes, and YARA rules, to hunt for and detect UNC1069 activity.
- **Security Operations:** Leverage security solutions that offer detection rules for the specific tactics, techniques, and procedures employed by UNC1069, such as those available in Google SecOps.
Largest Multi-Agency Cyber Operation Mounted to Counter Threat Posed by Advanced Persistent Threat (APT) Actor UNC3886 to Singapore’s Telecommunications Sector - Cyber Security Agency of Singapore (CSA) and Infocomm Media Development Authority (IMDA)

A significant, multi-agency cybersecurity operation, named **Operation CYBER GUARDIAN**, was conducted to combat the threat posed by the **Advanced Persistent Threat (APT) actor UNC3886** to Singapore's telecommunications sector. This operation, which lasted over eleven months, involved more than 100 cyber defenders from various government agencies and telecommunications operators.

**What Happened:**
Operation CYBER GUARDIAN was a coordinated, whole-of-government response to a sophisticated cyber threat actor targeting critical infrastructure. The operation aimed to detect, disrupt, and defend against UNC3886's activities within Singapore's telecommunications networks.

**Who is Affected:**
The primary targets of APT actor UNC3886 were **Singapore's four major telecommunications operators**: M1, SIMBA Telecom, Singtel, and StarHub. These organizations are crucial as they underpin the nation's digital economy and handle vast amounts of sensitive data.

**Security Implications:**
The implications of a successful attack on telecommunications companies are severe, as they are **strategic targets that power the digital economy**. Compromises could potentially **undermine national security and the economy**. While the operation has largely contained the attacks, there was **unauthorized access into some parts of telco networks and systems**. However, **no evidence of sensitive customer data exfiltration or disruption of telecommunications services** has been found so far.

**Technical Details:**
APT actor UNC3886 employed advanced techniques, including the use of a **zero-day exploit to bypass firewalls** and **rootkits to maintain persistent access and evade detection**. The actor was observed **exfiltrating a small amount of technical, network-related data**.

**What Defenders Should Know:**
The threat is ongoing, and future attacks are anticipated. Defenders must be prepared for **state-sponsored actors targeting telecommunications companies**. Key actions include:
- **Strengthening cyber defenses**.
- **Enhancing detection capabilities**.
- **Deploying active monitoring systems**.
- **Conducting joint threat hunting and penetration testing**.
- **Leveling up capabilities across the cyber ecosystem** to ensure timely and effective responses against sophisticated adversaries 【1】.