Security Digest

Eight Minutes to Admin

APT28 zero-day, 149M credential leak, AI breaches AWS in 8 minutes, PST warns of worst security since WWII, Epstein political fallout, and more.

Threat Level: ELEVATED


🔒 ITsec This Week

APT28 Exploits Microsoft Office Zero-Day (CVE-2026-21509)

Russia’s APT28 weaponized a critical Office vulnerability within days of disclosure, deploying RTF-based infection chains carrying MiniDoor and PixyNetLoader backdoors across Central and Eastern European targets. Microsoft’s emergency patch dropped Jan 26, but the speed of exploitation (days, not weeks) signals APT28 has streamlined their zero-day pipeline. If your org runs Office and didn’t patch by now, assume compromise and hunt accordingly.

149 Million Passwords Exposed in Massive Credential Leak

Researcher Jeremiah Fowler discovered an unprotected 96GB database holding 149 million stolen credentials, including roughly 48 million Gmail accounts. The dataset bears all the hallmarks of infostealer malware aggregation: structured dumps from Raccoon, RedLine, and similar commodity stealers. This is fuel for credential stuffing at industrial scale; check your exposure on breach notification services immediately.

Chinese State Group Amaranth Dragon Exploits WinRAR Flaw

APT41-linked Amaranth Dragon exploited CVE-2025-8088 in WinRAR to target government and law enforcement agencies across Southeast Asia. The group deployed a custom Amaranth Loader hidden behind Cloudflare infrastructure, making network-level detection significantly harder. This continues the pattern of Chinese state groups leveraging file-archiver vulnerabilities as initial access vectors against government targets.

AI Breached AWS Environment in 8 Minutes

Attackers leveraged AI to escalate from discovered credentials to full admin access in an AWS environment in just eight minutes. This is the clearest real-world demonstration yet of AI accelerating offensive operations. What used to take hours of manual enumeration now happens faster than most SOCs can triage an alert. Defenders need to rethink response timelines; the old playbooks assume human-speed attackers.

Conduent Data Breach Balloons to Millions

The ransomware attack on Conduent, a govtech contractor handling data for 100M+ Americans, proved far worse than initially disclosed. Sensitive personal, financial, and health data was exfiltrated at scale. The drip-feed disclosure pattern is textbook: minimize, delay, then quietly revise the numbers upward once the news cycle moves on.

Chinese Hackers Compromised Notepad++ Updates for Months

State-sponsored actors hijacked Notepad++’s auto-update mechanism starting June 2025, distributing malware through the official domain for roughly six months before discovery in December. Supply chain attacks via trusted developer tools remain one of the highest-impact vectors available. The dwell time here is alarming. Half a year of silent distribution through a tool installed on millions of developer machines.

TGR-STA-1030 Breaches 70 Government Entities

Palo Alto’s Unit 42 exposed a massive campaign by Asian state group TGR-STA-1030, compromising government and critical infrastructure organizations across 37 countries with active reconnaissance against 155. The breadth of targeting, spanning continents and sectors, suggests a strategic intelligence collection operation rather than opportunistic hacking. This is nation-state espionage operating at genuine global scale.


🌍 World Watch

US-Iran Standoff Intensifies

Indirect talks are under way in Oman, with US Central Command present and the USS Abraham Lincoln positioned nearby. Iran has declared key demands “off the table,” Saudi Arabia publicly opposes military action, and regional allies are quietly repositioning. The combination of military posturing and diplomatic deadlock makes this the most volatile the Persian Gulf has been since 2020.

Ukraine: June Deadline for Peace Deal

Zelenskyy revealed a US-imposed June deadline for a peace framework, with two rounds of Abu Dhabi talks producing a prisoner swap agreement. Meanwhile, Russia continued demolishing energy infrastructure, striking a maternity hospital, a miners’ bus, and a passenger train. Actions that make “ceasefire” a purely rhetorical concept. The gap between diplomatic timelines and battlefield reality continues to widen.

Gaza Ceasefire Failing

Over 556 Palestinians killed since the October ceasefire began. The Rafah crossing reopened but violence persists on multiple fronts. Trump’s “Board of Peace” convenes Feb 19, and Israel acknowledged Palestinian casualty figures for the first time. A small rhetorical shift against a backdrop of continued killing.

GRU Deputy Chief Shot in Moscow

Lt. Gen. Vladimir Alexeyev, sanctioned over the Skripal poisoning, was shot multiple times near his Moscow residence. He’s the latest high-ranking Russian military official targeted since the Ukraine war began. Whether this was Ukrainian intelligence, internal faction warfare, or something else entirely, senior Russian military leadership is demonstrably not safe even in Moscow.

EU’s 20th Sanctions Package Against Russia

The EU adopted its 20th sanctions package: a full ban on maritime services for Russian crude, 43 additional shadow fleet vessels targeted, new import bans on metals and minerals, and tightened export controls. The shadow fleet crackdown is the most consequential element. Russia’s ability to circumvent oil price caps depends on those vessels. Enforcement remains the open question.


🇳🇴 Norway Focus

PST: Norway Faces Most Serious Security Situation Since WWII

The Norwegian Police Security Service (PST) released its National Threat Assessment 2026 on February 6, with Director General Beate Gangås delivering a stark warning. Foreign states are conducting intelligence operations and employing hybrid means inside Norway to undermine national resilience. PST highlights that state actors may now attempt terrorist attacks through proxy actors, making detection significantly harder. The threat landscape is described as more fragmented and complex than ever, with radicalisation of minors continuing to accelerate online.


πŸ” Coming From FTRCRP

Investigation: The .md TLD Namespace Collision Threat

FTRCRP is investigating a novel attack surface: Moldova’s .md country-code TLD collides with the ubiquitous .md markdown file extension. Notably, Moldova is pro-EU and cooperating with Western institutions. That means there is a realistic path to registrar cooperation and takedown enforcement if malicious actors are found abusing the namespace. This is a significantly better position than dealing with hostile-state TLDs. Our research found that 57% of tested domains actively detect AI agents via user-agent and referrer headers, serving different content to automated systems than to human visitors. The infrastructure for large-scale prompt injection through this namespace collision is already in place, and most developers and AI systems are completely unaware. Full article coming soon.
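The 57% figure above comes from testing whether a site serves different content depending on the User-Agent and Referer headers it sees. The following is an added example, not code from this newsletter or from the FTRCRP investigation, showing how a defender can run that same check: fetch one URL under several header profiles, normalize the bodies, and compare fingerprints. The fetch function is injected so the block runs offline against a constructed response table (the hostnames, header strings and page bodies are all constructed); in practice you would pass a real HTTP client with the same signature.

```python
"""Detect header-based content cloaking (User-Agent / Referer).

Added example, not code from the FTRCRP newsletter or its investigation.
It checks one thing the digest reports: whether a site serves different
content to requests that look like AI agents than to browser-like requests.
The fetch function is injected so the block runs offline against a
constructed response table; header profiles and URLs are constructed.
"""
import hashlib
import re
from typing import Callable, Dict, Mapping, Sequence

# Header profiles to compare. Constructed values; a real study would use
# the exact strings its agents send.
PROFILES: Dict[str, Dict[str, str]] = {
    "browser": {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/128.0",
        "Referer": "https://www.example.org/",
    },
    "browser-no-referrer": {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/128.0",
    },
    "agent-like": {
        "User-Agent": "ExampleAIAgent/1.0 (+https://example.org/bot)",
    },
}

Fetcher = Callable[[str, Mapping[str, str]], str]


def normalize(body: str) -> str:
    """Drop HTML comments and collapse whitespace so benign per-request
    noise (timestamps in comments, layout whitespace) is not flagged."""
    body = re.sub(r"<!--.*?-->", "", body, flags=re.S)
    body = re.sub(r"\s+", " ", body)
    return body.strip()


def fingerprint(body: str) -> str:
    """SHA-256 of the normalized body; equal hashes mean equal content."""
    return hashlib.sha256(normalize(body).encode("utf-8")).hexdigest()


def check_cloaking(fetch: Fetcher, url: str) -> Dict[str, object]:
    """Fetch `url` under every profile and report whether content differs.

    `fetch(url, headers)` must return the response body as text."""
    fingerprints = {name: fingerprint(fetch(url, headers))
                    for name, headers in PROFILES.items()}
    distinct = set(fingerprints.values())
    return {
        "url": url,
        "cloaked": len(distinct) > 1,
        "variants": len(distinct),
        "fingerprints": fingerprints,
    }


def cloaking_rate(fetch: Fetcher, urls: Sequence[str]) -> float:
    """Fraction of `urls` that serve profile-dependent content."""
    if not urls:
        return 0.0
    flagged = sum(1 for u in urls if check_cloaking(fetch, u)["cloaked"])
    return flagged / len(urls)


# --- Constructed offline stand-in for a real HTTP client ---------------
# One host adds a block only for requests that do not look like a browser
# with a referrer; the other serves the same page (modulo whitespace and
# a comment) to everyone.
SAMPLE_PAGES: Dict[str, Dict[str, str]] = {
    "https://cloaked.example": {
        "human": "<html><body><h1>Docs</h1><p>Welcome.</p></body></html>",
        "agent": ("<html><body><h1>Docs</h1><p>Welcome.</p>"
                  "<div hidden>extra block served only to non-browsers</div>"
                  "</body></html>"),
    },
    "https://honest.example": {
        "human": "<html><body><h1>Docs</h1>\n<p>Welcome.</p></body></html>",
        "agent": "<html><body><h1>Docs</h1> <p>Welcome.</p><!-- generated --></body></html>",
    },
}


def fake_fetch(url: str, headers: Mapping[str, str]) -> str:
    """Mimic a server that keys its response on User-Agent and Referer."""
    page = SAMPLE_PAGES[url]
    ua = headers.get("User-Agent", "")
    looks_like_browser = ua.startswith("Mozilla/") and "Referer" in headers
    return page["human"] if looks_like_browser else page["agent"]


if __name__ == "__main__":
    for target in SAMPLE_PAGES:
        result = check_cloaking(fake_fetch, target)
        print(f"{target}: cloaked={result['cloaked']} variants={result['variants']}")
    print(f"cloaking rate: {cloaking_rate(fake_fetch, list(SAMPLE_PAGES)):.0%}")
```

The normalization step matters: without it, a page that embeds a request timestamp in an HTML comment would be counted as cloaked, inflating the rate. Conversely, a site that varies content on something the profiles do not exercise (IP reputation, TLS fingerprint) will not be caught by header-only probing, so a result of "not cloaked" is only as strong as the profile set.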


πŸ•΅οΈ Political & Intelligence Unrest

Epstein Files Shake Political Establishment

The DOJ’s release of 3.5 million pages of Epstein documents has triggered a political firestorm. The current US president is mentioned over 1,000 times, while Elon Musk’s emails requesting details about “the wildest party” on Epstein’s island surfaced publicly. Congressional leaders accuse the DOJ of incomplete compliance with the Epstein Files Transparency Act, and questions about prosecutions have been met with nonanswers. The fallout extends beyond the US. Slovakia’s national security adviser resigned after dinner invitations from Epstein emerged, and the British PM suggested Prince Andrew cooperate with investigators. This is shaping up as one of the largest intelligence and political trust crises in recent memory.


⚑ Quick Hits

  • Starlink: Ukraine deactivated 63 of 80 Russian-used Starlink terminals. Battlefield comms disruption at scale.
  • Japan: Building underground missile facilities in preparation for potential China conflict.
  • Russia: Warns of “nuclear winter” if Western forces enter Ukraine. Escalatory rhetoric continues.
  • Sudan: Famine expanding. US/UAE pledge $700M in humanitarian aid.
  • Thailand: Seizes disputed Cambodian border territory. Southeast Asian tensions flaring.
  • India: Operation Sindoor. Repair efforts underway at Pakistan’s Bholari base.
  • Finland: Expanding army reserves to 1M soldiers by 2031. Largest Nordic military buildup in decades.
  • Ransomware: Gangs now recruiting insiders. Employees and contractors targeted as an alternative to technical exploitation.

FTRCRP | Future Trust & Responsible Computing Practice · Curated by SCR1B3 · Reviewed by Mr0