Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
Hackers Exploiting Microsoft Office 0-day Vulnerability to Deploy Malware
(TLP: CLEAR) The Russia-linked threat actor UAC-0001 (APT28) is exploiting a critical Microsoft Office zero-day identified as CVE-2026-21509. Following Microsoft’s disclosure on January 26, 2026, the group began leveraging the vulnerability to compromise Ukrainian government entities and organizations across the European Union. Researchers identified weaponized documents within 24 hours of disclosure, using geopolitically themed lures such as a file referencing EU COREPER discussion on Ukraine. Additionally, a broader phishing campaign impersonated Ukrainian weather bulletins to target more than 60 email addresses at central executive bodies. When opened, these malicious Office documents trigger the exploit to initiate a WebDAV connection to actor-controlled infrastructure, download additional components, and deploy shellcode. The intrusion chain establishes persistence through COM hijacking and a scheduled task named “OneDriveHealth.” The final payload is the COVENANT post-exploitation framework, which uses the legitimate cloud service filen.io for command-and-control to better blend into normal network traffic. CERT-UA warns that this activity is likely to expand due to patching delays and the limited ability of some organizations to update Office environments quickly.
(TLP: CLEAR) Comments: The rapid weaponization of CVE-2026-21509 by UAC-0001, also known as APT28, underscores the group’s operational maturity and its ability to integrate vulnerability intelligence into active campaigns within hours of disclosure. The 24-hour turnaround between Microsoft’s public advisory and confirmed exploitation indicates either prior awareness of the flaw or highly efficient exploit development pipelines. This speed significantly compresses the defensive window for targeted entities, particularly government institutions with complex patch management cycles. The targeting pattern is consistent with APT28’s long-standing focus on Ukrainian government bodies and EU institutions, aligning with broader Russian intelligence objectives tied to the ongoing Russia–Ukraine conflict. The use of COREPER-themed lures and impersonated Ukrainian weather bulletins demonstrates precise social engineering tailored to diplomatic and administrative audiences. This reflects intelligence-driven targeting rather than opportunistic phishing. Technically, the abuse of WebDAV for payload staging and the use of the COVENANT framework over legitimate cloud storage infrastructure such as filen.io show a continued preference for living-off-the-land and cloud-blending techniques. By leveraging trusted services and registry-based COM hijacking for persistence, the operation reduces obvious indicators and complicates network-based detection. Overall, the campaign illustrates how state-aligned actors combine zero-day exploitation, geopolitical context, and evasive C2 methods to maintain strategic access across European government ecosystems.
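Two of the observables described above, a scheduled task named “OneDriveHealth” and an Office process opening a WebDAV connection, are easy to turn into detection logic. The script below is an added example for this report, not code from CERT-UA or the cited article; the key=value log format, the `type`, `task`, `image`, `method` and `dest` field names, and the sample lines are all constructed for the demo, while the task name comes from the report and the WebDAV method names come from RFC 4918.

```python
"""Added example (constructed telemetry): flag the scheduled-task name and the
Office-to-WebDAV pattern described for the CVE-2026-21509 / UAC-0001 chain."""
import re
from dataclasses import dataclass

# Constructed sample events in an assumed key=value export format. Quoted
# values may contain spaces; everything else is whitespace-delimited.
SAMPLE_EVENTS = [
    'ts=2026-01-27T09:12:03Z type=task_created task=\\OneDriveHealth user=CORP\\j.doe image=C:\\Windows\\System32\\svchost.exe',
    'ts=2026-01-27T09:12:05Z type=network image="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" method=PROPFIND dest=203.0.113.10:80',
    'ts=2026-01-27T09:15:00Z type=task_created task="\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan" user=SYSTEM image=C:\\Windows\\System32\\svchost.exe',
    'ts=2026-01-27T09:20:00Z type=network image=C:\\Windows\\explorer.exe method=GET dest=198.51.100.5:443',
]

SUSPECT_TASK_NAMES = {"onedrivehealth"}  # task name reported by CERT-UA for this campaign
OFFICE_IMAGES = ("winword.exe", "excel.exe", "powerpnt.exe")
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "OPTIONS"}  # WebDAV verbs, RFC 4918


@dataclass(frozen=True)
class Finding:
    rule: str
    timestamp: str
    detail: str


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Parse one constructed key=value line into a dict, unquoting values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def evaluate(lines):
    """Run both rules over an iterable of log lines and return the findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        ts = ev.get("ts", "?")
        if ev.get("type") == "task_created":
            # Compare only the leaf of the task path, case-insensitively.
            leaf = ev.get("task", "").rsplit("\\", 1)[-1].lower()
            if leaf in SUSPECT_TASK_NAMES:
                findings.append(Finding("suspicious_scheduled_task", ts, ev["task"]))
        elif ev.get("type") == "network":
            # Office binaries speaking WebDAV to the internet is the staging
            # behaviour the report describes; benign Office traffic rarely does.
            image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
            if image in OFFICE_IMAGES and ev.get("method") in WEBDAV_METHODS:
                findings.append(Finding("office_webdav_egress", ts,
                                        f"{image} {ev['method']} {ev.get('dest')}"))
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.rule}: {f.detail}")
```

In a real deployment the task-name rule would read Security event 4698 (scheduled task created) or the Task Scheduler operational log, and the WebDAV rule would read proxy or EDR network telemetry; the matching logic stays the same.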
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”. By enforcing a content filtering policy that blocks typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that their users unknowingly introduce into the organization. This can be done via a protective DNS or forward web proxy solution with website category feeds.
(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports four distinct detection engines to provide defense in depth against malware, phishing, and other abuses:
- The Lists Engine lets UltraDDR customers bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
- The Categories Engine uses DigiCert-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with a single click.
- The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.
- The Ruleset Engine lets administrators build custom rules to augment and extend the other engines of UltraDDR.
Source: https://cybersecuritynews.com/microsoft-office-0-day-vulnerability-exploited/
Gakido CRLF Injection Vulnerability Lets Attackers Bypass Security Controls
(TLP: CLEAR) A newly disclosed vulnerability in HappyHackingSpace’s Gakido HTTP client library allows HTTP header injection via CRLF sequences, meaning a malicious actor can smuggle additional headers into outbound requests when an application forwards user-controlled header values. The issue is tracked as CVE-2026-24489 under advisory RO-26-005, affects all versions prior to 0.1.1-1bc6019, and is rated medium severity. The root cause is insufficient sanitization in Gakido’s header handling logic, specifically the canonicalize_headers() function in gakido/headers.py. If a caller supplies header values containing carriage-return/line-feed sequences (\r\n), lone line feeds (\n), or null bytes (\x00), the library fails to strip or reject these characters before constructing and sending the HTTP request. This breaks the assumed one-header-per-line structure and permits arbitrary header insertion. In practice, exploitation is straightforward when an application allows user input to influence request headers. The proof of concept shows that embedding \r\n into a User-Agent value results in an additional attacker-chosen header (for example X-Injected) being transmitted as a separate header in the same request. This capability can enable several downstream impacts depending on the deployment path, including bypassing server-side controls that rely on headers, manipulating proxy behavior and response handling, and cache poisoning by injecting Cache-Control or related directives. The article also highlights session-related abuse scenarios, such as introducing or fixing session identifiers via injected headers where intermediaries or backends accept them. The report indicates the vulnerability was privately reported on January 25, 2026, and publicly disclosed on January 27, 2026, with a patch released quickly as version 0.1.1-1bc6019 on GitHub.
Organizations using Gakido are advised to upgrade immediately, with urgency for production services that handle sensitive HTTP communications or that accept user-supplied values used to build outbound request headers.
(TLP: CLEAR) Comments: This vulnerability is best viewed as a trust boundary failure in a networking primitive. By allowing CRLF, LF, or null bytes to survive header canonicalization, the library can convert a single untrusted string into multiple protocol elements. That shifts the risk from “bad data in a header” to “attacker-controlled request shape,” which is more consequential in real deployments. A malicious actor will typically look for application paths where user input can influence outbound headers, even indirectly. Common patterns include webhook forwarders, URL fetchers, scraping and enrichment jobs, SSO and OAuth helpers, and internal microservices that accept “custom headers” for troubleshooting, impersonation, or tenant-specific routing. The practical goal is usually not to inject an arbitrary header for its own sake, but to introduce headers that alter how intermediaries or backends interpret identity, routing, or policy. Exploitation often targets environments with reverse proxies, API gateways, service meshes, or CDNs, where specific headers can influence access controls or request handling. Examples include manipulating forwarded client identity headers to bypass IP-based restrictions, injecting host routing headers that confuse virtual host selection, or adding rewrite-style headers used by certain proxy configurations. Cache poisoning is also plausible if the request traverses shared caches, where injected cache control or cache keying headers can cause content to be stored and served incorrectly to other users. Operationally, defenders should also consider secondary effects in logs and telemetry. Newline-based injection can corrupt structured logging, forge additional fields, and degrade detection logic that assumes one header value maps to one log field.
Mitigation is not only upgrading the library, but also enforcing header allowlists, rejecting control characters at application boundaries, and minimizing any feature that maps user-controlled input into outbound headers.
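The mitigations listed above (reject control characters at the boundary, enforce a header allowlist) are shown below beside the naive serializer shape that the advisory describes. This is an added example written for this report, not Gakido’s own code; the function names `serialize_naive`, `canonicalize_headers_strict` and `serialize_strict` are hypothetical stand-ins for the pattern, and the sample header values are constructed.

```python
"""Added example, not Gakido's code: a naive header serializer beside a
hardened canonicalizer that preserves the one-header-per-line invariant."""
import re


class HeaderInjectionError(ValueError):
    """Raised when a header name or value would break the wire format."""


# Characters permitted in a header *name* (the RFC 9110 "tchar" set).
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# CR, LF and NUL in a *value* are rejected outright rather than stripped,
# so the caller learns that tainted input reached a protocol boundary.
_FORBIDDEN_IN_VALUE = re.compile(r"[\r\n\x00]")


def serialize_naive(headers: dict) -> bytes:
    """The vulnerable shape: every value is trusted and joined with CRLF."""
    body = b"".join(f"{k}: {v}\r\n".encode("latin-1") for k, v in headers.items())
    return body + b"\r\n"


def canonicalize_headers_strict(headers: dict, allowed=None) -> dict:
    """Hardened form: validate names, reject control characters in values,
    and optionally enforce an allowlist of lower-cased header names."""
    out = {}
    for name, value in headers.items():
        if not isinstance(name, str) or not _TOKEN.match(name):
            raise HeaderInjectionError(f"invalid header name: {name!r}")
        if allowed is not None and name.lower() not in allowed:
            raise HeaderInjectionError(f"header not in allowlist: {name!r}")
        value = str(value)
        if _FORBIDDEN_IN_VALUE.search(value):
            raise HeaderInjectionError(f"control character in value of {name!r}")
        out[name] = value.strip(" \t")
    return out


def serialize_strict(headers: dict, allowed=None) -> bytes:
    """Serialize only after the headers have passed canonicalization."""
    return serialize_naive(canonicalize_headers_strict(headers, allowed))


def count_header_lines(wire: bytes) -> int:
    """How many header lines a receiver would actually parse from the bytes."""
    return len([ln for ln in wire.split(b"\r\n") if ln])


if __name__ == "__main__":
    # Constructed tainted value of the kind the advisory's PoC describes.
    tainted = {"User-Agent": "Mozilla/5.0\r\nX-Injected: 1"}
    print("naive serializer emits", count_header_lines(serialize_naive(tainted)), "header lines")
    try:
        serialize_strict(tainted, allowed=frozenset({"user-agent", "accept"}))
    except HeaderInjectionError as exc:
        print("strict serializer rejected input:", exc)
```

Rejecting rather than stripping is deliberate: silently removing the CRLF would hide the fact that an upstream component is passing attacker-influenced data into a header, which is the condition the application owner needs to find and remove.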
(TLP: CLEAR) Recommended best practices/regulations: OWASP Web Application Firewall: “A ‘web application firewall (WAF)’ is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. “While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy. “WAFs may come in the form of an appliance, server plugin, or filter, and may be customized to an application. The effort to perform this customization can be significant and needs to be maintained as the application is modified.”
(TLP: CLEAR) DigiCert: DigiCert’s Web Application Firewall, UltraWAF, equips your company with adaptable security features to counteract the most significant network and application-layer threats, including SQL injection, XSS, and DDoS attacks. Its always-on security posture, combined with cloud-based scalability, ensures comprehensive protection against the OWASP Top 10, advanced bot management, and vulnerability scanning, allowing you to effectively shield your critical and customer-facing applications from emerging threats.
Source: https://cybersecuritynews.com/gakido-crlf-injection-vulnerability/
Google Disrupts Extensive Residential Proxy Networks
(TLP: CLEAR) Google and industry partners have taken coordinated legal and technical action to disrupt IPIDEA, one of the world’s largest residential proxy networks. Residential proxy services allow customers to route traffic through IP addresses assigned to real households and small businesses, helping malicious actors blend activity into legitimate consumer traffic and evade detection. The disruption was led by the Google Threat Intelligence Group, which obtained court orders to seize domains used to manage infected devices and proxy traffic. Google also shared intelligence about IPIDEA software development kits with platform providers, law enforcement, and security researchers. On Android, Google Play Protect was updated to remove applications embedding IPIDEA SDKs, alert users, and block future installations on certified devices. These measures reportedly reduced the proxy pool by millions of devices and are expected to impact affiliated reseller services that relied on shared infrastructure. IPIDEA has been linked to botnets such as BadBox 2.0, Aisuru, and Kimwolf, and was observed supporting more than 550 threat groups in a single week, including actors tied to China, DPRK, Iran, and Russia. Beyond enabling cybercrime and espionage, the network exposed consumers to abuse risks, as infected devices were silently converted into proxy exit nodes.
(TLP: CLEAR) Comments: This disruption highlights how residential proxy ecosystems have matured into a foundational “access layer” for a wide range of malicious activity. By blending hostile traffic into ordinary consumer IP space, services like IPIDEA reduce the visibility that defenders typically gain from data center hosting patterns, and they complicate attribution by creating plausible deniability and geographic noise. The reported linkage to multiple botnets underscores that proxy providers can function as multipliers, not only monetizing bandwidth but also enabling downstream operations such as credential stuffing, password spraying, SaaS session abuse, fraud, and DDoS by masking operator infrastructure behind high-volume, rotating residential egress. The mention of SDK distribution is particularly significant because it reflects an industrialized enrollment model that can scale quietly through “monetization” tooling rather than overt exploitation. That model shifts risk from a traditional compromise-and-control workflow to an ecosystem problem where legitimate app supply chains, resellers, and gray-market partnerships expand the proxy pool and create rapid regeneration after disruption. Observations that many brands are controlled by the same operators also align with common proxy market dynamics, where rebranding and reseller layering sustain continuity even when a single domain or service is degraded, meaning disruption can impose friction without necessarily eliminating the underlying capability.
(TLP: CLEAR) Recommended best practices/regulations: Request for Comments (RFC) 2827/Best Current Practice (BCP) 38: “Ingress traffic filtering at the periphery of Internet connected networks will reduce the effectiveness of source address spoofing denial of service attacks. Network service providers and administrators have already begun implementing this type of filtering on periphery routers, and it is recommended that all service providers do so as soon as possible. In addition to aiding the Internet community to defeat this attack method, it can also assist service providers in locating the source of the attack if service providers can categorically demonstrate that their network already has ingress filtering in place on customer links.”
(TLP: CLEAR) DigiCert: DigiCert UltraDDoS Protect can detect DDoS attacks and scrub your internet traffic through countermeasures, processes, and practices that are built upon more than 20 years of expertise in thwarting threats, delivered through a carrier-grade global infrastructure that has been engineered to provide the highest standards of availability, reliability, and scale.
Source: https://www.infosecurity-magazine.com/news/google-disrupts-proxy-networks/
Russian Hacker Alliance Launches Large-Scale Cyberattack on Denmark
(TLP: CLEAR) A newly formed Russian hacker alliance led by Russian Legion, alongside Inteid and Cardinal, has launched a coordinated cyber campaign against Denmark in response to its 1.5 billion DKK military aid package to Ukraine. The group announced its intentions on Telegram on January 28, 2026, threatening distributed denial-of-service (DDoS) attacks as an initial measure, with more severe cyber operations to follow if their demands are ignored. They claim to have already disrupted Danish company and public sector websites, particularly targeting the energy sector, and scheduled a larger wave of attacks for February 2. The campaign currently centers on DDoS activity, using botnets to overwhelm servers and cause service outages. The group has suggested possible escalation beyond traffic flooding, including destructive or ransomware-style operations. Russian Legion and its allies present themselves as pro-Russian hacktivists aligned with Moscow’s geopolitical objectives, using Telegram to amplify messaging and psychological pressure. While many such campaigns remain limited to disruption rather than destructive impact, similar regional incidents have resulted in financial losses and operational downtime. Danish authorities have not issued detailed public statements, but reports indicate temporary outages across affected sectors as the situation continues to develop.
(TLP: CLEAR) Comments: This campaign reflects a familiar pattern in pro-Russian cyber operations where geopolitical disputes quickly translate into coordinated digital disruption. The alliance led by Russian Legion appears to be leveraging DDoS activity as both a signaling mechanism and a psychological pressure tool. Historically, such groups use traffic floods to generate media visibility and public anxiety rather than cause lasting technical damage. However, the strategic selection of Denmark’s energy sector is notable. Even short-lived outages affecting utilities or government portals can amplify political narratives and undermine public confidence in critical infrastructure resilience. The timing, tied directly to Denmark’s military support for Ukraine, reinforces the hybrid warfare dimension. Since 2022, Russia-aligned collectives have repeatedly targeted NATO member states with similar campaigns following political announcements. While approximately 60% of these operations remain limited to DDoS-level disruption, the real risk lies in follow-on activity. Alliances of loosely coordinated hacktivist groups can escalate by sharing access, reconnaissance data, or vulnerabilities discovered during DDoS phases. Even if destructive payloads are not deployed, sustained volumetric attacks strain defensive resources and create opportunities for secondary intrusion attempts under the cover of noise.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.IR-04: “Adequate resource capacity to ensure availability is maintained.” Businesses, particularly those located within NATO and allies, should maintain constant vigilance and regularly test and enhance their cybersecurity defensive capabilities, specifically DDoS mitigation strategies, architecture, monitoring, and procedures.
(TLP: CLEAR) DigiCert: DigiCert UltraDDoS Protect scrubs malicious traffic away from your infrastructure, defusing the large, complex attacks that make headlines every day and threaten your operational stability. Powerful automation allows you to activate on-demand cloud protection through means that include DNS Redirection, BGP Redirection, and API-triggering. The result is incredibly fast response against DDoS trouble when you need it most.
Source: https://cyberpress.org/russian-hackers-hit-denmark/
SQL Injection Flaw Affects 40,000 WordPress Sites
(TLP: CLEAR) A SQL injection vulnerability has impacted more than 40,000 WordPress sites running the Quiz and Survey Master (QSM) plugin, affecting versions 10.3.1 and earlier. The flaw, tracked as CVE-2025-67987, allowed any authenticated user with Subscriber-level access or higher to manipulate database queries through a vulnerable REST API function. The issue stemmed from improper handling of a parameter named is_linking, which was assumed to be numeric and inserted directly into an SQL query without sanitization or use of prepared statements. This enabled attackers to inject crafted SQL commands, potentially leading to unauthorized data access or extraction from site databases. Notably, administrative privileges were not required, expanding the potential attack surface to lower-privileged accounts. The vulnerability was responsibly disclosed to Patchstack in November 2025 and fixed in version 10.3.2, released in early December 2025. The patch enforces strict integer casting of the affected parameter to prevent injection. While there is no confirmed evidence of active exploitation, the flaw underscores persistent risks associated with insufficient input validation in widely deployed WordPress plugins.
(TLP: CLEAR) Comments: This vulnerability illustrates a recurring structural weakness in the WordPress ecosystem: plugin-level trust assumptions combined with broad authenticated access. Although exploitation required a logged-in account, Subscriber-level access is a low barrier in many environments, particularly sites that allow public registration for quizzes, surveys, or gated content. In such cases, an attacker could self-register and immediately test injection payloads, turning what appears to be a “limited” flaw into a practical entry point. The technical root cause is also significant. The query was constructed without prepared statements and relied on assumed numeric input, reflecting insecure development practices that continue to surface in high-install plugins. Even though the fix forces integer casting, the broader lesson is that type enforcement alone is not a substitute for parameterized queries and strict capability checks within REST endpoints. From a threat perspective, SQL injection in WordPress environments often serves as a pivot. Beyond data extraction, attackers can harvest hashed credentials, enumerate admin accounts, or extract API keys stored in the database. In multi-plugin deployments, database access can expose secrets that enable lateral movement or further exploitation. Given the scale of the install base, even a small percentage of unpatched sites presents an attractive opportunity for automated scanning and credential harvesting campaigns.
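The three layers the comment above calls for (capability check, strict typing of the parameter, parameterized query) are shown below beside the vulnerable shape the report describes, a parameter assumed to be numeric and spliced into the SQL string. This is an added example written for this report, not the QSM plugin’s code: it uses an in-memory SQLite table constructed for the demo, and the table columns, the `view_quiz_results` capability name and the function names are hypothetical. Only the `is_linking` parameter name comes from the report.

```python
"""Added example, not the plugin's code: an interpolated query beside a
validated, parameterized one, over a constructed in-memory SQLite schema."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed demo schema; the rows are sample data, not real results."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE quiz_results (id INTEGER PRIMARY KEY, is_linking INTEGER, quiz_name TEXT);
        INSERT INTO quiz_results VALUES (1, 0, 'Onboarding quiz');
        INSERT INTO quiz_results VALUES (2, 1, 'Linked survey');
    """)
    return conn


def lookup_vulnerable(conn, is_linking):
    """Vulnerable shape: the caller's value is interpolated as if it were an
    integer, so a non-numeric string changes the query's logic."""
    sql = f"SELECT id, quiz_name FROM quiz_results WHERE is_linking = {is_linking}"
    return conn.execute(sql).fetchall()


def validate_is_linking(raw) -> int:
    """Accept only a canonical 0 or 1; anything else is a validation error.
    Stricter than a bare integer cast, which would silently turn junk into 0."""
    if isinstance(raw, bool) or not isinstance(raw, (int, str)):
        raise ValueError("is_linking must be an integer")
    text = str(raw).strip()
    if text not in ("0", "1"):
        raise ValueError("is_linking must be 0 or 1")
    return int(text)


def lookup_hardened(conn, raw_is_linking, user_caps):
    """Hardened shape: capability check first, then strict typing, then a
    parameterized query so the value can never alter the statement."""
    if "view_quiz_results" not in user_caps:  # hypothetical capability name
        raise PermissionError("caller lacks view_quiz_results")
    is_linking = validate_is_linking(raw_is_linking)
    return conn.execute(
        "SELECT id, quiz_name FROM quiz_results WHERE is_linking = ?",
        (is_linking,),
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("expected rows:", lookup_vulnerable(db, 1))
    # A constructed non-numeric value shows how the interpolated query's
    # logic, not just its value, is controlled by the caller.
    print("interpolated query with tainted input:", lookup_vulnerable(db, "0 OR 1=1"))
    try:
        lookup_hardened(db, "0 OR 1=1", {"view_quiz_results"})
    except ValueError as exc:
        print("hardened path rejected input:", exc)
```

The validation step and the parameterized query are independent controls: validation keeps junk out of the application’s own logic, while parameterization guarantees the database never interprets a value as SQL even if validation is later loosened or bypassed.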
(TLP: CLEAR) Recommended best practices/regulations: PCI DSS v4.0 Section 6.4.2: “For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks, with at least the following:
- Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks.
- Actively running and up to date as applicable.
- Generating audit logs.
- Configured to either block web-based attacks or generate an alert that is immediately investigated.”
(TLP: CLEAR) DigiCert: DigiCert’s Web Application Firewall, UltraWAF, sits in front of web applications to protect them against a variety of attacks such as SQLi, XSS, and CSRF. It also integrates bot protections to stop bots and application-layer DDoS attacks.
Source: https://www.infosecurity-magazine.com/news/wordpress-sql-injection-flaw-40000/
SystemBC Botnet Hijacked 10,000 Devices Worldwide to Use for DDoS Attacks
(TLP: CLEAR) SystemBC is a long-running malware family first identified in 2019 that has evolved into a large-scale botnet controlling more than 10,000 compromised devices worldwide. It primarily functions as a SOCKS5 proxy and backdoor, converting infected systems into relay nodes that allow threat actors to route malicious traffic through victim machines. This backconnect architecture helps obscure attacker infrastructure, complicates attribution, and enables long-term persistence within targeted environments. Despite law enforcement efforts such as Europol’s Operation Endgame in May 2024, SystemBC has adapted rather than diminished. Operators have shifted from residential networks to hosting providers, increasing infection longevity, with an average dwell time of 38 days and some compromises lasting over 100 days. The United States hosts the largest number of infected devices, followed by Germany, France, and Singapore. Researchers also identified compromises in sensitive government environments. A newly discovered Perl-based variant, initially undetected by antivirus engines, is delivered via packed ELF droppers. This evolution underscores SystemBC’s continued role as an early-stage access mechanism frequently preceding ransomware and broader intrusion campaigns.
(TLP: CLEAR) Comments: SystemBC’s continued evolution demonstrates how mature criminal infrastructure adapts under sustained disruption pressure. Rather than collapsing after coordinated takedowns such as Operation Endgame, operators shifted tactics by targeting hosting providers instead of residential endpoints. This move materially changes the threat profile. Compromised servers offer higher bandwidth, longer persistence, and more stable uptime than consumer devices, making them more valuable for staging ransomware, data exfiltration, and lateral movement. The discovery of a Perl-based variant with zero initial detections highlights another critical trend: adversaries are prioritizing development paths that evade static signature controls. Use of UPX-packed ELF droppers and multi-payload execution suggests automation and scalability, not opportunistic activity. The presence of Russian-language artifacts may indicate origin, but more importantly reflects operational confidence rather than concealment urgency. SystemBC’s role as a SOCKS5 proxy network is strategically significant. By embedding command-and-control traffic inside legitimate hosting infrastructure, attackers reduce anomaly visibility and complicate blocking efforts. Its correlation with ransomware precursor activity reinforces that detection of SystemBC should be treated as an early intrusion indicator, not a standalone nuisance infection.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity and Infrastructure Security Agency (CISA) publication “Additional DDoS Guidance for Federal Agencies”: “Many ISPs have DDoS protections, but a dedicated DDoS protection service would likely provide more robust protections against larger or more advanced DDoS attacks. Agencies should evaluate current defenses against DDoS, verify DDoS protections are in place, and consider implementing more robust protections if the agency determines its current protections may be lacking.”
(TLP: CLEAR) DigiCert: DigiCert UltraDDoS Protect is operated by our dedicated, 24/7 Security Operations Center that works to mitigate attacks against infrastructure, applications, and supporting services. Their work is backed by industry-leading Service Level Agreements (SLAs) for mitigation timeliness and effectiveness.
Source: https://cybersecuritynews.com/systembc-botnet-hijacked-10000-devices/
Italy blames Russia-linked hackers for cyberattacks ahead of Winter Olympics
(TLP: CLEAR) Italy has blocked a wave of cyberattacks described as being of Russian origin that targeted diplomatic missions abroad and infrastructure connected to the 2026 Winter Olympics. Foreign Minister Antonio Tajani stated that multiple foreign ministry offices, beginning with Washington, were affected, along with sites tied to the Games, including hotels in Cortina d’Ampezzo. Approximately 120 targets were reportedly involved, including consulates in Sydney, Toronto, and Paris, although no significant disruption was reported. The pro-Russian hacktivist group NoName057(16) claimed responsibility, framing the campaign as retaliation for Italy’s support of Ukraine. The group, active since Russia’s 2022 invasion of Ukraine, is known for conducting distributed denial-of-service attacks against European countries backing Kyiv. The incidents occur ahead of the February 2026 Winter Olympics in Milan and Cortina and follow a pattern of Russia-linked cyber activity targeting major sporting events. Past examples include the 2018 Pyeongchang Winter Olympics disruption attributed to the Sandworm group and previous cyber operations linked to Russia in response to doping sanctions and geopolitical tensions.
(TLP: CLEAR) Comments: The attempted disruption of Italian diplomatic infrastructure and Olympic-linked systems reflects a continuation of low-cost, high-visibility cyber pressure aligned with broader geopolitical tensions stemming from the Russia–Ukraine conflict. The claimed involvement of NoName057(16) is consistent with the group’s established pattern of targeting European states that provide political or military support to Ukraine. Their operations typically rely on distributed denial-of-service activity rather than destructive intrusions, emphasizing signaling and psychological impact over long-term technical compromise. The selection of diplomatic missions and Winter Olympics infrastructure is strategically symbolic. Diplomatic networks represent sovereign authority abroad, while Olympic systems carry reputational and economic significance. Even short-lived outages can generate media amplification, reinforcing narratives of vulnerability and retaliation. This aligns with hybrid influence objectives, where cyber disruption complements information operations to create political friction. Historically, Russian-linked actors have leveraged major sporting events for strategic messaging, as seen during the 2018 Pyeongchang Olympics. While current activity appears limited to service disruption, the targeting profile suggests contingency escalation potential, particularly if geopolitical tensions intensify. The primary objective appears to be coercive signaling rather than sustained operational damage.
(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-189: “Distributed denial-of-service (DDoS) is a form of attack where the attack traffic is generated from many distributed sources to achieve a high-volume attack and directed towards an intended victim (i.e., system or server). To conduct a direct DDoS attack, the attacker typically makes use of a few powerful computers or a vast number of unsuspecting, compromised third-party devices (e.g., laptops, tablets, cell phones, Internet of Things (IoT) devices, etc.). The latter scenario is often implemented through botnets. In many DDoS attacks, the IP source addresses in the attack messages are “spoofed” to avoid traceability.”
(TLP: CLEAR) DigiCert: DigiCert UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15 Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources.
Source: https://therecord.media/italy-blames-russia-linked-hackers-winter-games-cyberattack
About Vercara
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please contact us.