SIGNALS WEEKLY: Teams QR/callback phishing beats patching

KEV speedrun of the week 🏁: Office CVE-2026-21509 + WinRAR CVE-2025-8088. Patch anyway… then protect sessions 🍪 (Teams QR/callback lures 📱, SSO/SAML token abuse)

War room’s on fire. The attacker’s using the front door you forgot existed.

TL;DR

  • [Vulnerabilities] Several newly exploited CVEs (Office CVE-2026-21509, Cisco UC, vCenter, WinRAR CVE-2025-8088, dev-tooling and webmail bugs) are giving attackers fast, opportunistic footholds on both end-user endpoints and admin-facing infrastructure.
  • [Identity] Attackers increasingly favor “session-first” techniques—SSO/SAML abuse, QR/callback/Teams phishing, and post-login admin creation—making patched infrastructure insufficient without strong identity boundaries.
  • [Threat Actors/ICS] Activity ranges from new ransomware (Osiris with BYOVD) to Sandworm’s DynoWiper operations against Poland’s grid, underscoring continued convergence of financially motivated and geopolitical threats.



Current Stories

TL;DR

  • [Vulnerabilities] Patch/mitigate a fast-moving exploitation wave: Microsoft Office CVE-2026-21509 (exploited) plus multiple CISA KEV adds (Cisco UC CVE-2026-20045, VMware vCenter CVE-2024-37079, and Vite/Prettier/Zimbra CVEs).

  • [Identity/Edge] Fortinet reports FortiCloud SSO abuse impacting even fully patched devices; observed rogue SSO logins and follow-on local admin creation (persistence) reinforce a “session-first” attacker focus.

  • [Threat Actors] Multiple actor types continue exploiting WinRAR CVE-2025-8088 (n-day), a path traversal in how WinRAR writes alternate data streams (ADS): a stream name containing `..\` segments lets the archive drop its payload into the user's Startup folder, so the payload runs at next logon without any further user action. Update WinRAR to a fixed build on every endpoint (WinRAR does not update itself), and treat any ADS name containing path separators as hostile.

  • [Geopolitics/ICS] ESET attributes the late-2025 attempted disruption of Poland’s power grid to Sandworm, using newly analyzed wiper malware DynoWiper.

  • [Data Breach] Nike is investigating a potential incident after WorldLeaks claimed a large internal data leak; authenticity and customer-data exposure remain unverified in public reporting.
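The WinRAR item above is a detection problem as much as a patching one: the traversal lives in the archive, so it can be caught before extraction. As an added example (not from the newsletter, from WinRAR, or from any reported sample), the block below walks RAR5 headers in Python and flags any file name or NTFS stream (ADS) name that would escape the extraction directory. It assumes the RAR5 layout from rarlab's technote and that the stream name for an `STM` service header sits in the type-7 (service data) extra record; the sample archive is constructed by the block itself and carries no packed data.

```python
# Added example, not WinRAR's code: walk RAR5 headers and flag entry or ADS names that escape the extraction dir.
import struct
import zlib
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
HEAD_MAIN, HEAD_FILE, HEAD_SERVICE, HEAD_END = 1, 2, 3, 5
HFL_EXTRA, HFL_DATA, FFL_MTIME, FFL_CRC = 0x01, 0x02, 0x02, 0x04  # header flags / file flags
EXTRA_SUBDATA = 7  # extra record type 7 (service data): assumed to hold the stream name for 'STM' headers

def vint_encode(n):  # RAR5 vint: 7 data bits per byte, high bit set while more bytes follow
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(out) + bytes([n])

def vint_decode(buf, pos):  # returns (value, position after the vint)
    n = shift = 0
    while buf[pos] & 0x80:
        n |= (buf[pos] & 0x7F) << shift
        shift, pos = shift + 7, pos + 1
    return n | buf[pos] << shift, pos + 1

def build_header(htype, body, extra=b""):
    """CRC32 | size | type | flags | [extra size] | body | extra; CRC covers size onward."""
    fields = vint_encode(htype) + vint_encode(HFL_EXTRA if extra else 0)
    fields += (vint_encode(len(extra)) if extra else b"") + body + extra
    sized = vint_encode(len(fields)) + fields
    return struct.pack("<I", zlib.crc32(sized)) + sized

def entry_body(name):  # file flags, unpacked size, attributes, compression info, host OS, name
    return b"\x00" * 5 + vint_encode(len(name)) + name

def build_archive(entries):  # entries: [(file name, [ADS names])]; constructed sample, no packed data
    out = RAR5_SIG + build_header(HEAD_MAIN, vint_encode(0))
    for name, streams in entries:
        out += build_header(HEAD_FILE, entry_body(name.encode()))
        for stream in streams:  # each ADS is an 'STM' service header with a type-7 record
            record = vint_encode(EXTRA_SUBDATA) + stream.encode()
            out += build_header(HEAD_SERVICE, entry_body(b"STM"), vint_encode(len(record)) + record)
    return out + build_header(HEAD_END, vint_encode(0))

def ads_name(extra):  # stream name from the type-7 record in a list of (size | type | data) records
    p = 0
    while p < len(extra):
        rsize, p = vint_decode(extra, p)
        rtype, q = vint_decode(extra, p)
        if rtype == EXTRA_SUBDATA:
            return extra[q:p + rsize].decode("utf-8", "replace")
        p += rsize
    return ""

def escape_reasons(name, label):  # why this name would land outside the extraction directory
    parts = name.replace("\\", "/").split("/")
    reasons = [f"'..' segment in {label}"] if ".." in parts else []
    if name[:1] in ("/", "\\") or name[1:2] == ":":
        reasons.append(f"absolute {label}")
    if label == "stream name" and len(parts) > 1:  # a legitimate ADS name never needs a separator
        reasons.append("path separator in stream name")
    return reasons

def scan_rar5(data):
    """Walk every header; return [(file name, stream name or None, reasons)]."""
    if not data.startswith(RAR5_SIG):
        raise ValueError("not a RAR5 archive")
    pos, current, findings = len(RAR5_SIG), None, []
    while pos < len(data):
        size, p = vint_decode(data, pos + 4)  # the 4-byte header CRC32 comes first
        end = p + size
        htype, p = vint_decode(data, p)
        hflags, p = vint_decode(data, p)
        extra_size, p = vint_decode(data, p) if hflags & HFL_EXTRA else (0, p)
        data_size, p = vint_decode(data, p) if hflags & HFL_DATA else (0, p)
        if htype in (HEAD_FILE, HEAD_SERVICE):
            fflags, p = vint_decode(data, p)
            for _ in range(2):  # skip unpacked size, attributes
                _, p = vint_decode(data, p)
            p += 4 * bool(fflags & FFL_MTIME) + 4 * bool(fflags & FFL_CRC)
            for _ in range(2):  # skip compression info, host OS
                _, p = vint_decode(data, p)
            nlen, p = vint_decode(data, p)
            name = data[p:p + nlen].decode("utf-8", "replace")
            if htype == HEAD_FILE:
                current, reasons = name, escape_reasons(name, "file name")
                if reasons:
                    findings.append((name, None, reasons))
            elif name == "STM":  # NTFS stream attached to the preceding file entry
                stream = ads_name(data[end - extra_size:end])
                reasons = escape_reasons(stream, "stream name")
                if reasons:
                    findings.append((current, stream, reasons))
        pos = end + data_size  # packed data, if any, follows the header
    return findings

# Constructed sample: a benign mark-of-the-web ADS, an ADS that climbs into Startup, a traversal in a file name.
STARTUP_LNK = "..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.lnk"
SAMPLE = build_archive([("report.docx", ["Zone.Identifier"]), ("invoice.pdf", [STARTUP_LNK]), ("../../evil.exe", [])])
if __name__ == "__main__":
    print(*scan_rar5(SAMPLE), sep="\n")
```

Running the block prints two findings: the `invoice.pdf` entry whose stream name walks up into the Startup folder, and the bare `../../evil.exe` traversal; the `Zone.Identifier` stream on `report.docx` is left alone. To run it over real mail attachments, pass `open(path, "rb").read()` to `scan_rar5`; archives with encrypted headers will not parse, which is itself worth flagging at a mail gateway.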


Emerging Stories, Forecasts, Detection Ideas and Suggested Pivots