End-of-Day report
Timeframe: Wednesday 04-02-2026 18:00 - Thursday 05-02-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
News
Zendesk spam wave returns, floods users with Activate account emails
A fresh wave of spam is hitting inboxes worldwide, with users reporting that they are once again being bombarded by automated emails generated through companies' unsecured Zendesk support systems. Some recipients say they are receiving hundreds of messages with strange or alarming subject lines.
https://www.bleepingcomputer.com/news/security/zendesk-spam-wave-returns-floods-users-with-activate-account-emails/
CISA: VMware ESXi flaw now exploited in ransomware attacks
CISA confirmed on Wednesday that ransomware gangs have begun exploiting a high-severity VMware ESXi sandbox escape vulnerability that was used in zero-day attacks since at least February 2024. Broadcom patched this ESXi arbitrary-write vulnerability (tracked as CVE-2025-22225) almost one year ago, in March 2025, alongside a memory leak (CVE-2025-22226) and a TOCTOU flaw (CVE-2025-22224), and tagged them all as actively exploited zero-days.
https://www.bleepingcomputer.com/news/security/cisa-vmware-esxi-flaw-now-exploited-in-ransomware-attacks/
Broken Phishing URLs, (Thu, Feb 5th)
For a few days, many phishing emails that landed in my mailbox contain strange URLs. [..] But the format of the URLs is broken! In a URL, parameters are extra pieces of information added after a question mark (?) to tell a website more details about a request; they are written as name=value pairs (for example "email=user@domain"), and multiple parameters are separated by an ampersand (&). [..] Threat actors implement this to break security controls.
https://isc.sans.edu/diary/rss/32686
Three clues that your LLM may be poisoned with a sleeper-agent back door
The threat sees an attacker embed a hidden backdoor into the model's weights - the importance assigned to the relationship between pieces of information - during its training. Attackers can activate the backdoor using a predefined phrase. [..] In a research paper [PDF] published this week, Kumar and coauthors detailed a lightweight scanner to help enterprises detect backdoored models.
https://go.theregister.com/feed/www.theregister.com/2026/02/05/llm_poisoned_how_to_tell/
Technical Analysis of Marco Stealer
Zscaler ThreatLabz has discovered an information stealer that we named Marco Stealer, which was first observed in June 2025. Marco Stealer primarily targets browser data, cryptocurrency wallet information, files from popular cloud services like Dropbox and Google Drive, and other sensitive files stored on the victim's system. Marco Stealer implements several anti-analysis techniques including string encryption and terminating security tools.
https://www.zscaler.com/blogs/security-research/technical-analysis-marco-stealer
The Shadow Campaigns: Uncovering Global Espionage
This investigation unveils a new cyberespionage group that Unit 42 tracks as TGR-STA-1030. We refer to the group's activity as the Shadow Campaigns. [..] Over the past year, this group has compromised government and critical infrastructure organizations across 37 countries. This means that approximately one out of every five countries has experienced a critical breach from this group in the past year.
https://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage/
Black Basta: Defense Evasion Capability Embedded in Ransomware Payload
Normally the BYOVD defense evasion component of an attack would involve a distinct tool that would be deployed on the system prior to the ransomware payload in order to disable security software. However, in this attack, the vulnerable driver (an NsecSoft NSecKrnl driver) was bundled with the ransomware itself.
https://www.security.com/threat-intelligence/black-basta-ransomware-byovd
Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework
Cisco Talos uncovered "DKnife," a fully featured gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants that perform deep-packet inspection, manipulate traffic, and deliver malware via routers and edge devices. [..] DKnife's attacks target a wide range of devices, including PCs, mobile devices, and Internet of Things (IoT) devices. It delivers and interacts with the ShadowPad and DarkNimbus backdoors by hijacking binary downloads and Android application updates.
https://blog.talosintelligence.com/knife-cutting-the-edge/
Sanctioned Bulletproof Host Linked to Hijacking of Old Home Routers
Compromised home routers in 30+ countries had DNS traffic redirected, sending users to malicious sites while normal browsing appeared unaffected. [..] According to Infoblox, the manipulated DNS traffic was routed to resolvers hosted by Aeza International, a Russian bulletproof hosting provider sanctioned by the US government in July 2025.
https://hackread.com/sanctioned-bulletproof-host-hijack-old-home-routers/
How to write your first obfuscator of Java Bytecode
In this article I describe Java bytecode obfuscation, using one of the challenges I did in 2023 as part of the interviews with Quarkslab for the position of Java compiler engineer in QShield.
http://blog.quarkslab.com/how-to-write-your-first-obfuscator-of-java-bytecode.html
Vulnerabilities
Cisco Security Advisories 05.02.2026
Cisco Meeting Management, Cisco Secure Web Appliance, Cisco TelePresence Collaboration Endpoint Software and RoomOS, Cisco Prime Infrastructure, Cisco Evolved Programmable Network Manager and Cisco Prime Infrastructure
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2026%2F02%2F04&firstPublishedEndDate=2026%2F02%2F05&pageNum=1&isRenderingBugList=false&isRenderingCveList=false&isRenderingCveAdvisoryList=false
Security updates for Thursday
Security updates have been issued by AlmaLinux (brotli, curl, kernel, python-wheel, and python3.12), Debian (containerd), Fedora (gnupg2, pgadmin4, phpunit10, phpunit11, phpunit12, phpunit8, phpunit9, and yarnpkg), Mageia (expat), Oracle (qemu-kvm and util-linux), Red Hat (kernel, kernel-rt, opentelemetry-collector, and python3.12-wheel), SUSE (abseil-cpp, dpdk, freerdp, glib2, ImageMagick, java-11-openj9, java-17-openj9, java-1_8_0-ibm, java-1_8_0-openj9, java-1_8_0-openjdk, java-21-openj9, kernel, libsoup, libsoup-3_0-0, openssl-3, patch, python-Django, rekor, rizin, udisks2, and xrdp), and Ubuntu (gh, linux, linux-aws, linux-azure, linux-azure-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-oracle, linux-raspi, linux, linux-aws, linux-azure, linux-gcp, linux-oem-6.17, linux-oracle, linux-raspi, linux-realtime, linux, linux-gke, linux-gkeop, linux-hwe-6.8, linux-oracle, linux-oracle-6.8, linux-raspi, linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-realtime, linux-intel-iot-realtime, and linux-realtime, linux-realtime-6.8, linux-raspi-realtime).
https://lwn.net/Articles/1057381/
Automation tool n8n: further critical vulnerabilities patched
The developers of the automation tool n8n have patched further security vulnerabilities. Updating to the latest release is recommended. [..] A list of the new CVE entries sorted by severity nevertheless gives an overview; details can be found on the n8n security page.
https://heise.de/-11165845
Splunk: SVD-2026-0201: Third-Party Package Updates in Splunk SOAR - February 2026
https://advisory.splunk.com//advisories/SVD-2026-0201
Splunk: SVD-2025-1205: Incorrect permissions assignment on Splunk Enterprise for Windows during new installation or upgrade
https://advisory.splunk.com//advisories/SVD-2025-1205
Zyxel security advisory for post-authentication command injection vulnerability in the DDNS configuration CLI command of ZLD firewalls
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerability-in-the-ddns-configuration-cli-command-of-zld-firewalls-02-05-2026
Android Patchday: driver vulnerability endangers Pixel smartphones
https://heise.de/-11165905