
Global Espionage Campaigns & Record DDoS Attacks 🌍🚀. AI‑driven Threat Detection & Ransomware Evolution 🤖🛡️.

Hello, here is your daily cybersecurity and AI threat intelligence roundup for February 10, 2026.

Today's headlines

  • Shadow campaigns exploited over 15 high‑profile software vulnerabilities.
  • Amaranth‑Dragon leverages new CVE‑2025‑8088 for espionage in Southeast Asia.
  • Critical infrastructure hit: Romania’s Conpet pipeline suffered a disruptive cyberattack.
  • Cloud‑based threat‑actor tracking gains a novel detection technique using logging data.
  • Record‑breaking 31.4 Tbps DDoS attack underscores growing volumetric threats.

1ļøāƒ£ Shadow Campaigns Reveal Global Espionage Ops
Key Points:

  • Detected exploitation attempts on SAP Solution Manager, Microsoft Exchange, D‑Link, and other enterprise products.
  • Attacks used public and zero‑day flaws such as XXE, remote code execution, and SQL injection.
  • Unit42's Advanced Threat Prevention blocked the malicious activity across multiple regions.
  • Threat actor demonstrated persistent targeting of supply‑chain and email systems.
  • Continuous monitoring uncovered over a dozen distinct vulnerability classes.

Description:

Unit42’s Shadow Campaigns report details a worldwide espionage operation that has leveraged a broad set of vulnerabilities, from SAP privilege escalation to Microsoft Exchange remote code execution, to infiltrate organizations and exfiltrate data, with the service’s prevention tools stopping many attempts in real time.

Why It Matters:

The breadth of exploited flaws shows that threat actors are actively hunting for unpatched software across industries, highlighting the urgent need for comprehensive vulnerability management and continuous threat monitoring to protect sensitive information from state‑aligned espionage campaigns.

2ļøāƒ£ Amaranth‑Dragon Exploits CVE‑2025‑8088 in SE Asia
Key Points:

  • Amaranth‑Dragon weaponizes the newly disclosed CVE‑2025‑8088 for targeted attacks.
  • Campaign focuses on organizations in Southeast Asian governments and telecoms.
  • Malware employs advanced evasion techniques and custom implants.
  • Check Point observed rapid post‑exploit credential dumping and data exfiltration.
  • Attribution points to a nexus linked to known APT‑41 activity.

Description:

Check Point researchers identified Amaranth‑Dragon as a sophisticated threat group that has adopted the recently disclosed CVE‑2025‑8088 to conduct targeted espionage operations against critical infrastructure and government entities across Southeast Asia, using custom tools to maintain persistence and evade detection.

Why It Matters:

The rapid weaponization of a fresh vulnerability underscores the importance of swift patch deployment and threat‑intel sharing, as state‑aligned actors can quickly turn new exploits into operational capabilities that threaten regional stability and data confidentiality.

 3ļøāƒ£ Conpet Oil Pipeline Disruption Highlights Critical Infrastructure Risk
Key Points:

  • Romania’s national oil pipeline operator, Conpet, experienced a cyberattack that took its website offline.
  • Attack disrupted internal IT systems but did not affect physical oil flow.
  • Preliminary analysis points to a credential‑theft based intrusion.
  • Threat actors leveraged publicly available tools to move laterally.
  • Incident emphasizes the vulnerability of energy sector IT assets.

Description:

Check Point’s Threat Intelligence Report of 9 February details a cyber incident against Conpet, Romania’s national oil pipeline operator, in which attackers compromised IT services, resulting in website downtime and highlighting the broader threat to energy infrastructure.

Why It Matters:

Even when physical operations remain unaffected, cyber disruptions can damage reputation, incur financial loss, and expose critical supply‑chain data, reinforcing the need for hardened perimeter defenses and incident‑response readiness in the energy sector.

 4ļøāƒ£ New Cloud Logging Method Tracks Threat Actors Across Platforms
Key Points:

  • Introduces a technique that correlates cloud‑provider logs to uncover actor behavior.
  • Successfully identified activities of Scattered Spider, Halcyon Silk Typhoon, and HAFNIUM.
  • Method reduces detection latency by leveraging API‑level audit trails.
  • Demonstrates increased visibility into multi‑cloud lateral movement.
  • Provides actionable indicators for SOCs to hunt across Azure, AWS, and GCP.

Description:

Unit42 presents a novel detection approach that uses comprehensive cloud logging data to monitor and attribute malicious activities across major cloud platforms, revealing the tactics of several advanced threat groups operating in a multi‑cloud environment.

Why It Matters:

As enterprises migrate workloads to the cloud, traditional perimeter defenses lose efficacy; this logging‑based technique offers a scalable way to spot covert actor behavior early, enabling faster containment and reducing breach impact.
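One way to do the kind of cross‑provider log correlation described above, as an added example that is not part of the original roundup or of Unit42’s published method: normalize constructed CloudTrail, Azure Activity Log and GCP audit records into one schema, then flag any source IP that acts on two or more clouds inside a short window. The sample records, the 30‑minute window and the two‑cloud threshold are assumptions.

```python
from datetime import datetime, timedelta
# Constructed sample records, trimmed to the fields read below (provider field names).
AWS_EVENTS = [
    {"eventTime": "2026-02-09T10:00:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/svc-backup"}},
]
AZURE_EVENTS = [
    {"eventTimestamp": "2026-02-09T10:04:00Z", "caller": "svc-backup@example.com",
     "operationName": "Microsoft.Authorization/roleAssignments/write",
     "callerIpAddress": "203.0.113.7"},
]
GCP_EVENTS = [
    {"timestamp": "2026-02-09T10:09:00Z", "protoPayload": {
        "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
        "authenticationInfo": {"principalEmail": "svc-backup@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.7"}}},
]

def normalize(provider, ev):
    """Map a provider-specific audit record onto one common schema."""
    if provider == "aws":
        return {"cloud": "aws", "ts": ev["eventTime"], "ip": ev["sourceIPAddress"],
                "actor": ev["userIdentity"]["arn"], "action": ev["eventName"]}
    if provider == "azure":
        return {"cloud": "azure", "ts": ev["eventTimestamp"], "ip": ev["callerIpAddress"],
                "actor": ev["caller"], "action": ev["operationName"]}
    p = ev["protoPayload"]
    return {"cloud": "gcp", "ts": ev["timestamp"], "ip": p["requestMetadata"]["callerIp"],
            "actor": p["authenticationInfo"]["principalEmail"], "action": p["methodName"]}

def cross_cloud_pivots(events, window=timedelta(minutes=30), min_clouds=2):
    """Flag source IPs active on >= min_clouds providers inside one window.
    Returns {ip: ["cloud:action", ...]} for the first qualifying burst per IP."""
    by_ip, hits = {}, {}
    for e in events:
        by_ip.setdefault(e["ip"], []).append(e)
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])  # ISO-8601 UTC strings sort chronologically
        times = [datetime.fromisoformat(e["ts"].replace("Z", "+00:00")) for e in evs]
        for i, t0 in enumerate(times):
            burst = [e for e, t in zip(evs[i:], times[i:]) if t - t0 <= window]
            if len({e["cloud"] for e in burst}) >= min_clouds:
                hits[ip] = [f'{e["cloud"]}:{e["action"]}' for e in burst]
                break
    return hits

def run():
    events = [normalize(c, e) for c, lst in (("aws", AWS_EVENTS),
              ("azure", AZURE_EVENTS), ("gcp", GCP_EVENTS)) for e in lst]
    return cross_cloud_pivots(events)
```

In practice the source IP is only one pivot key; the same grouping by normalized actor (the `actor` field) catches a shared identity moving between clouds from different addresses.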

 5ļøāƒ£ CISA Report Highlights Abuse of Open‑Source Tools in Cyber Intrusions

Key Points:

  • Publicly available scanning and exploitation tools were used in recent incidents.
  • Adversaries combined these tools with custom scripts to achieve persistence.
  • Report urges organizations to monitor tool usage and enforce strict access controls.
  • Recommendations include inventorying legitimate admin tools and logging their execution.
  • Collaboration with NCCIC encouraged for reporting suspicious activity.

Description:

The CISA advisory outlines how threat actors are leveraging widely‑available open‑source utilities to conduct reconnaissance, exploit vulnerabilities, and maintain footholds within victim networks, stressing the need for heightened awareness and governance.

Why It Matters:

Open‑source tools lower the entry barrier for attackers, making it essential for defenders to differentiate benign usage from malicious activity, thereby preventing tool misuse from escalating into full‑scale compromises.

 6ļøāƒ£ Record‑Setting 31.4 Tbps DDoS Attack Marks 2025 Surge
Key Points:

  • A 31.4 Tbps volumetric attack set a new record for the year.
  • Attack leveraged amplification of UDP‑based protocols and mis‑configured DNS servers.
  • Cloudflare mitigated the traffic using its global Anycast network.
  • Report notes a 42% increase in multi‑vector DDoS campaigns versus Q3 2025.
  • Recommendations include scrubbing services and upstream traffic filtering.

Description:

Cloudflare’s Q4 2025 DDoS Threat Report documents a historic 31.4 Tbps attack that overwhelmed targeted networks, demonstrating the scale of modern volumetric threats and the effectiveness of large‑scale mitigation infrastructure.

Why It Matters:

The unprecedented size of the attack highlights the growing capability of adversaries to disrupt services, urging organizations to adopt robust DDoS protection strategies and ensure upstream providers can handle extreme traffic spikes.

 7ļøāƒ£ Rise of the Digital Parasite Extends Ransomware Dwell Time
Key Points:

  • Ransomware groups are shifting toward long‑term persistence, termed the “Digital Parasite”.
  • Red Report 2026 shows increased use of legitimate admin tools for stealth.
  • Victims experience longer undetected dwell times before ransom demand.
  • Emphasis on moving laterally and exfiltrating data before encryption.
  • Security teams advised to adopt continuous monitoring and endpoint detection.

Description:

The Hacker News reports on the emerging “Digital Parasite” model where ransomware operators maintain footholds within networks for extended periods, blending traditional ransomware tactics with sophisticated espionage techniques to maximize impact.

Why It Matters:

Extended dwell allows attackers to gather valuable data and impair recovery, making early detection and comprehensive threat hunting vital to limit damage and avoid costly ransom payments.

 8ļøāƒ£ CrowdStrike Linux Sensor Enhances Web‑Shell Detection
Key Points:

  • New Linux sensor leverages behavioral analytics to spot malicious web shells.
  • Detection covers fileless techniques and obfuscated scripts.
  • Integration with Falcon platform provides real‑time alerts and automated response.
  • Field tests show a 68% reduction in false positives compared to signature‑only methods.
  • Supports remediation actions such as quarantine and process termination.

Description:

CrowdStrike’s latest blog details the advanced capabilities of its Linux sensor, which now incorporates sophisticated web‑shell detection mechanisms that identify anomalous file activity and command execution patterns across containerized environments.

Why It Matters:

Web shells remain a common persistence mechanism for attackers targeting Linux servers; enhanced detection reduces the window of exposure and helps organizations secure critical infrastructure against stealthy compromise.

 9ļøāƒ£ CrowdStrike Recognized as Gartner’s Sole Customers’ Choice for EASM

Key Points:

  • Gartner’s 2025 Voice of the Customer named CrowdStrike the only vendor achieving Customers’ Choice for External Attack Surface Management.
  • Award reflects high satisfaction with Falcon’s exposure management and asset discovery.
  • Customers cite rapid detection of shadow IT and streamlined remediation workflows.
  • Recognition boosts market confidence in cloud‑native EASM solutions.
  • CrowdStrike plans further AI‑driven enhancements for surface monitoring.

Description:

CrowdStrike announced its distinction as the exclusive Customers’ Choice award holder in Gartner’s 2025 EASM category, underscoring the platform’s effectiveness in identifying and managing external attack surfaces for enterprise clients.

Why It Matters:

Strong customer endorsement validates the importance of continuous external surface monitoring, encouraging organizations to adopt EASM tools that can proactively reduce attack vectors before they are exploited.

🔟 VMware vDefend Advances Zero‑Trust Lateral Security
Key Points:

  • vDefend introduces micro‑segmentation and identity‑based policies for lateral movement control.
  • Solution integrates with VMware Cloud Foundation to provide continuous risk assessment.
  • Early adopters report a 73% reduction in successful lateral attacks.
  • Supports AI‑driven anomaly detection across private and hybrid clouds.
  • Provides automated policy enforcement and incident response playbooks.

Description:

VMware’s security blog outlines the capabilities of vDefend, a new zero‑trust solution that enforces granular lateral security controls within private cloud environments, leveraging AI to detect anomalous behavior and automatically remediate threats.

Why It Matters:

As attackers increasingly target east‑west traffic within data centers, adopting zero‑trust architectures like vDefend is critical for limiting breach impact and maintaining compliance across modern multi‑cloud deployments.


Stay vigilant and keep your defenses updated.