TL;DR

• [Vulnerabilities] Internet-exposed “utility” apps (SolarWinds WHD, SmarterMail, React Native dev servers) are being reliably weaponized for initial access, then leveraged for domain replication abuse (DCSync), RMM deployment, tunneling, and stealthy Linux persistence (eBPF rootkits).
• [Threat Actors] State-aligned and DPRK-linked operators are scaling high-touch tradecraft—recruitment/personal-email lures against the DIB, compromised messaging (Telegram) and staged video calls—to deliver multi-platform malware (including macOS) targeting credentials, sessions, and DeFi infrastructure.
• [AI/Cloud] AI assistants and cloud logs are now core battlegrounds: large-scale “memory/recommendation poisoning” via pre-filled AI links is emerging, while cloud-telemetry-based fingerprinting is proving effective at distinguishing nation-state from cybercrime operations across multi-tenant environments.

AlphaHunt

Stop doomscrolling, start decisioning. We chewed through the muck so your team doesn’t have to. → Subscribe!

Like this? Forward this to a friend!

(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))

Current Stories

TL;DR

• [Vulnerabilities] Internet-exposed SolarWinds Web Help Desk (WHD) exploitation is being used as initial access followed by “hands-on” ops: PowerShell+BITS, Zoho ManageEngine RMM, reverse SSH/RDP, credential theft, and DCSync.

• [Geopolitics] Defense industrial base targeting is increasingly personnel-driven (recruitment + personal email) and edge-device heavy: GTIG cites Russia-linked UAS themes tied to Ukraine and China-linked edge/appliance access as the dominant volume driver.

• [Threat Actors] DPRK-nexus UNC1069 continues to scale crypto/DeFi intrusions using compromised Telegram accounts + fake Zoom meetings to deliver ClickFix payloads, then deploys multiple macOS malware families for credential/cookie/session theft.

• [Breach] Conduent’s 2025 ransomware data theft impact continues to expand: disclosures point to 15.4M affected in Texas and 10.5M in Oregon, with exposed data including SSNs and medical/insurance information.

• [Intrusion Sets] Unit 42’s “Shadow Campaigns” describe state-aligned espionage (TGR-STA-1030) at scale: compromises across 37 countries and reconnaissance spanning 155, plus novel Linux stealth tooling (eBPF rootkit “ShadowGuard”).

References

• (2026-02-06) Analysis of active exploitation of SolarWinds Web Help Desk

• (2026-02-03) Known Exploited Vulnerabilities Catalog

• (2026-02-10) Beyond the Battlefield: Threats to the Defense Industrial Base

• (2026-02-09) UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering

• (2026-02-05) Data breach at govtech giant Conduent balloons, affecting millions more Americans

• (2026-02-05) The Shadow Campaigns: Uncovering Global Espionage

AlphaHunt Converge - Plug in your Flight Crew

Get intelligence where it counts. No dashboards. No detours. AlphaHunt Converge teases out your intent, reviews the results and delivers actionable intel right inside Slack. We turn noise into signal and analysts into force multipliers.

Anticipate, Don’t Chase.

Plug it In!

Emerging Stories, Forecasts, Suggested Pivots and Detection Opportunities..