Weekly Report: New Hacking Techniques and Critical CVEs 3 Feb- 9 Feb 2026

The week of February 3–9, 2026 saw threat actors increasingly abusing trusted platforms-cloud workloads, Linux‑on‑Windows via WSL, and enterprise‑grade ITSM appliances-to execute stealthy, AI‑accelerated operations. This report highlights four critical CVEs, two new offensive techniques, one national‑level breach, and key darkweb chatter that directly impact modern attack‑surface planning.

>>Outpace Attackers With AI-Based Automated Penetration Testing

NEW HACKING TECHNIQUES

1. AI‑Assisted Cloud Intrusion in Under 8 Minutes

Threat Actor Context: Probing adversaries using LLMs as offensive copilots.
Campaign Date: February 3, 2026 (first public case documented)

Attackers no longer treat AWS cloud environments as a target layer they “explore”; now they feed telemetry into LLMs and get back nearly working escalation scripts within seconds. In a 2026‑documented scenario:

• They started from leaked AWS keys in public S3 buckets.
• Then asked an LLM to generate optimized IAM‑enumeration, Lambda‑overwrite, and Secrets‑dumping logic.
• The attacker injected this code into an existing Lambda function, then stole compute from Amazon Bedrock (GPU clusters) for additional offensive homework.

What took hours manually now runs in 8–10 minutes end‑to‑end:
initial token → IAM‑sprawl → Lambda takeover → Secrets exfiltration → Bedrock abuse.

Why this matters
Security teams can’t only rely on “manual‑cloud‑hacking‑detection patterns” anymore. AI lets attackers test, iterate, and compose novel flows at machine speed.

2. Ransomware That Runs Inside WSL on Windows

Threat Family: Qilin / Agenda ransomware ecosystem
Technique Date: Early‑February 2026‑observed WSL‑loadout usage

Qilin‑affiliated operators began delivering Linux‑executable encryptors via Windows Subsystem for Linux (WSL). Instead of classic Windows PE‑based ransomware scanners, defenders now see Linux binaries running on Windows hosts.

Flow:

• Initial compromise: Remote‑access tools / RDP‑style access.
• Activate or provision WSL (often on developer machines).
• Upload a Linux‑ELF encryptor and execute it inside Linux, using namespaces that map Windows directories.
• Files are encrypted with a payload that looks less like ransomware and more like “legitimate dev tooling,” bypassing several EDR rules.

This technique is not just evasion-it’s a cross‑OS pivot strategy buried in a platform most teams assume is “safe to use.”

CRITICAL CVEs & ATTACK TECHNIQUES

1. SolarWinds Web Help Desk – Unauthenticated Deserialization RCE (CVE‑2025‑40551)

CVE ID: CVE‑2025‑40551
CVSS: 9.8 (Critical)
Exploitation Noted: February 4, 2026‑observed exploitation campaigns

Attackers send crafted serialized objects over HTTP to SolarWinds WHD endpoints. WHD deserializes them without proper gadget‑chain validation, enabling unauthenticated remote code execution under the WHD app context.

Shortly after a recorded intrusion on Feb 4:

• Attacker achieves shell within seconds.
• Pulls internal user and ticket data that help them pivot deeper.

CISA lists this as Known‑Exploited (KEV); any organization running internet‑facing WHD must urgently patch to 2026.1 or later and segment WHD behind a tight web layer.

CISO takeaway:

• Inventory all WHD instances and confirm they’re not exposed to the open internet unless absolutely required.
• Add WAF rules that flag suspicious serialization‑like payloads to /handler‑style routes.

2. Cisco AsyncOS – Maximum‑Severity Email Gateway RCE (CVE‑2025‑20393)

CVE ID: CVE‑2025‑20393
CVSS: 10.0
Affected Platform: Cisco Secure Email Gateway (SEG) & related AsyncOS‑based appliances
Exploitation Frame: Exploited by China‑linked APT group UAT‑9686 since late 2025, ongoing into Feb 2026

Misconfigured Spam‑Quarantine web interfaces in AsyncOS allow an attacker to inject OS‑command strings via HTTP parameters, getting root‑level code execution against email‑gateway hardware.

Attack impact:

• Attacker drops AquaShell-a lightweight backdoor-via the gateway.
• Uses SEG assets to copy and monitor all email traffic, including credential‑bearing messages.

CISO takeaway:

• Disable internet access to Spam Quarantine except via VPN.
• Lock down admin‑interface exposure and log all anomalous outbound connections from SEG gear.

INCIDENT 1: European Commission Breach via Ivanti EPMM Zero‑Days

Organization: European Commission
Date of Breach Detection: January 30, 2026 (exfiltration window), February 9, 2026 (official public disclosure)
Vulnerabilities Used: CVE‑2026‑1281 & CVE‑2026‑1340 (Ivanti EPMM)
Severity: Critical (Zero‑days)

Overview
The central MDM (mobile‑device) infrastructure of the European Commission was breached by actors exploiting CVE‑2026‑1281 (code‑injection) and CVE‑2026‑1340 (authentication‑bypass‑leading‑to‑RCE). The attackers achieved unauthorized access to staff data-names and mobile phone numbers-but could not demonstrate mobile‑device‑level compromise.

Explanation

• Vulnerable EPMM instance: internet‑facing endpoint for managing staff phones and tablets across EU institutions.
• Attackers exploit EPMM APIs and ad‑hoc code‑paths, gaining RCE and running queries on the mobile‑device database.
• Data: targeted employee identity and contact details rather than full access to each personal device.

Impact/Risk

• Loss of centralized mobile‑staff roster across EU‑governance teams.
• Increased risk of follow‑on spear‑phishing / SIM‑swap / MDM credential‑reuse attacks.
• Reputational and fiduciary damage to one of Europe’s largest public institutions.

CISO Takeaway

• Treat Ivanti EPMM and similar MDM platforms as critical‑asset tier.
• Follow Ivanti’s advisory; patch immediately, or perform strict isolation if patching is delayed.
• Lock down MDM‑admin access to fixed, logged jump‑boxes and apply MFA across all interfaces.

INCIDENT 2: Open VSX Registry Supply‑Chain Compromise (GlassWorm)

Attack Surface: Open VSX Registry (open‑source alternative to Microsoft VS Code Marketplace)
Attacker Technique: Stolen Open VSX Personal Access Token (OVSX_PAT) → Mass‑extension poisoning
Date: Malicious versions pushed around January 30, 2026; public disclosure drawn out into early February 4–6, 2026

Overview
Attackers used a leaked OVSX_PAT token from a GitHub codebase to push curated malicious updates to 49 popular VS Code extensions hosted on Open VSX. Each update includes GlassWorm, a core‑loader that exfiltrates SSH keys, cloud credentials, and cryptocurrency‑wallet data.

Explanation

• Developer accidentally commits OVSX_PAT (signed, long‑lived) into a public repo.
• Attacker reads and clones the token, authenticating to Open VSX API as that dev.
• For 49 extensions, authors’ benign‑version numbers are forcibly updated with GlassWorm‑backdoored versions.
• When VS Code checks for updates, it auto‑installs the backdoored extension-often without user notification.

GlassWorm uses Unicode steganography (zero‑width spaces and similar) to hide orchestrating logic. Once executed, it:

• Reads ~/.aws/credentials, ~/.ssh/id_rsa, CODE‑settings.json (often containing GitHub tokens), and browser wallet databases.
• Exfiltrates this data to attacker C2 servers, opening direct paths into cloud and Git infrastructures.

Impact/Risk

• Credential theft at scale across dev‑ecosystems (GitHub tokens, IAM access keys, SSH‑private keys).
• Realistic code‑repository compromise and later pivots into corporate cloud environments.
• Loss of sensitive cryptocurrency funds from wallet‑holdings exposed in browser‑extension‑style storage.

CISO Takeaway

• Immediately audit and rotate AWS keys, SSH keys, and API tokens for all development‑centric users.
• Enable code‑scan and secrets‑detection tools (e.g., pre‑commit hooks, CI‑enforced scanning) and never hard‑code OVSX_PAT.
• Implement strict extension‑allow‑lists in VS Code (push signed‑extension policies).

DARKWEB CHATTER & THREAT OUTLOOK (FEB 3–9, 2026)

BreachForums XSS‑Driven User‑Data Haul

Date: February 4, 2026 (abuse of MyBB‑powered XSS; screenshots then shared internally and on darkweb‑adjacent channels)

A stored/reflected XSS flaw on BreachForums allowed an attacker (allegedly “Nicotine”) to capture:

• Browser‑level fingerprinting (version, screen resolution, plugins)
• Session cookies and persistent auth tokens
• Network‑stack info (local IP, public IP, location hints)
• Wallet‑configurations (Phantom‑ or Trust‑Wallet‑style crumbs and associated keys)

Because BreachForums hosts thousands of frequent users in the criminal‑research and defsec circles, the XSS became a master‑collection operation: attackers gathered rich telemetry on other threat actors, enabling direction‑targeting (both as research‑targets and as scam‑victims).

Ransomware‑Ecosystem Coordination

• The Qilin / Agenda combo strengthened its pipeline, combining WSL‑enabled Linux encryptors with classic Windows‑target binaries.
• Darkweb forums show more templates for “Devops‑friendly” ransomware-not just click‑once‑install payloads but scripts designed to operate inside devops and CI/CD contexts.
• One forum thread reportedly hosted a lightweight “Cisco AsyncOS‑lambda‑ship,” implying that CVE‑2025‑20393 was weaponized before the canonical patches landed everywhere.

Such chatter, paired with glass‑worm‑type supply‑chain payloads, indicates that 2026 will be a year where developerto‑infrastructure paths are prime targets.

Outpace Attackers With AI-Based Automate Penetration Testing With FireCompass:

FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management

>>FireCompass Free Trial