Playbook for the Secure Enterprise

MikeGPT Daily Threat Rundown

Thu, Feb 5, 2026 • 7-minute read

Industry Watch

EU Critical Infrastructure (NIS2) STEADY

EU Organizations (GDPR) STEADY

CyberSecurity Latest Rundown

Heroes, here's your curated threat landscape for Feb 05, 2026.

CRITICAL ITEMS

• Russian State Hackers Exploit Microsoft Office in Global Campaign

  Date & Time: 2026-02-04T23:08:04

  APT28 (Russian state-sponsored actors) is actively exploiting a critical Microsoft Office vulnerability to compromise diplomatic, maritime, and transport organizations globally. The attack vector relies on malicious documents that blend into standard business workflows.

  Business impact

  Successful exploitation grants state-level actors access to sensitive corporate strategy, intellectual property, and logistics data, potentially leading to geopolitical sanctions exposure or competitive disadvantage.
  Recommended action

  Ask your IT Security team: "Have we prioritized the latest Microsoft Office patches for all users, and are we blocking macro-enabled documents from external sources?"

  CVE: n/a | Compliance: SOX | Source: Ars Technica ↗ ↗

• Critical RCE Vulnerabilities Discovered in Google Looker

  Date & Time: 2026-02-04T11:00:00

  Tenable Research identified two novel vulnerabilities in Google Looker (both Cloud and On-Prem) that allow attackers to achieve Remote Code Execution (RCE) and completely compromise the instance. Google has released patches which must be applied immediately.

  Business impact

  An attacker could gain full control over business intelligence data, leading to the theft of proprietary analytics, customer data exposure, and potential manipulation of financial reporting metrics.
  Recommended action

  Ask your Data Engineering team: "If we run Looker on-premise, have we upgraded to the patched version released by Google this week?"

  CVE: n/a | Compliance: SOX, FISMA | Source: Tenable ↗ ↗

HIGH SEVERITY ITEMS

• Amaranth-Dragon Targets SE Asian Governments

  Date & Time: 2026-02-05T10:09:16

  A China-linked threat group tracked as Amaranth-Dragon (associated with APT41/Havoc) is conducting cyber-espionage campaigns targeting government and law enforcement agencies. They utilize malware such as Havoc and Amaranth to maintain persistence.

  Business impact

  Organizations with government contracts or operations in SE Asia face heightened risk of intellectual property theft and surveillance of communications.
  Recommended action

  Ask your SOC team: "Are we scanning for the 'Amaranth' and 'Havoc' malware signatures in our endpoint detection systems?"

  CVE: n/a | Compliance: SOX, HIPAA | Source: Security Affairs ↗ ↗

• 'Stan Ghouls' Group Targets Manufacturing with NetSupport RAT

  Date & Time: 2026-02-05T09:00:11

  The cybercriminal group "Stan Ghouls" (aka Bloody Wolf) is targeting manufacturing, finance, and IT sectors in Russia and Central Asia. They abuse the legitimate NetSupport remote administration tool to maintain unauthorized access.

  Business impact

  Unchecked remote access tools can lead to ransomware deployment or operational sabotage in manufacturing environments, causing significant downtime.
  Recommended action

  Ask your Security Operations team: "Do we have a policy to block or alert on the presence of NetSupport RAT binaries that are not authorized by IT?"

  CVE: n/a | Compliance: SOX, HIPAA | Source: Kaspersky ↗ ↗

OTHER NOTEWORTHY ITEMS

• Detecting Backdoored Language Models at Scale

  Date & Time: 2026-02-04T17:00:00

  Microsoft has released new research on detecting backdoors in open-weight language models, providing a framework to scan for malicious triggers in AI systems. This is crucial as organizations increasingly adopt open-source LLMs.

  CVE: n/a | Compliance: SOX | Source: Microsoft ↗ ↗

• Cyberspy Group Hacked Governments in 37 Countries

  Date & Time: 2026-02-05T11:00:00

  Palo Alto Networks reports a massive cyber-espionage campaign affecting critical infrastructure in 37 countries. While attribution is not definitive, evidence points toward Chinese threat actors.

  CVE: n/a | Compliance: SOX | Source: SecurityWeek ↗ ↗

EXECUTIVE INSIGHTS

• France’s Cybersecurity Roadmap: Digital Sovereignty

  Date & Time: 2026-02-05T11:42:40 Summary & Significance: France has unveiled a new national cybersecurity strategy focusing on talent development, deterrence, and European digital sovereignty. This may influence regulatory requirements for companies operating in the EU. Source: Cyble ↗

  The Buyer’s Guide to AI Usage Control

  Date & Time: 2026-02-05T11:30:00 Summary & Significance: As "AI everywhere" becomes reality, organizations are struggling with shadow AI tools embedded in SaaS and browsers. This guide discusses moving beyond legacy controls to manage AI usage risk effectively. Source: The Hacker News ↗

VENDOR SPOTLIGHT

• Votiro (Specialized Vendor)

  Specialization: Content Disarm and Reconstruction (CDR) / Zero Trust Content Security

  Why Votiro Today: Votiro is specifically relevant to the threat involving Russian-state hackers exploiting a Microsoft Office vulnerability, as their Content Disarm and Reconstruction (CDR) technology neutralizes weaponized documents by stripping out exploit code before it reaches the user. This capability also mitigates risks from actors like Stan Ghouls who deliver malware (such as NetSupport RAT) via malicious file attachments.

  Key Capability: Real-time sanitization of files and email attachments to neutralize hidden zero-day exploits and malware.

  Recommended Actions: 1. Navigate to Votiro Management Console → Policies → [Select Active Email/Web Policy] → File Types → Documents 2. Navigate to Votiro Management Console → Policies → [Select Active Policy] → Archives → Settings 3. Navigate to Votiro Management Console → System Settings → Updates

  Verification Steps: - Navigate to Analytics → Incidents/Traffic Log and filter by 'Sanitized' status for Office documents. - Download a sanitized sample file and inspect properties.

  This guidance is based on general Votiro Cloud and On-Premises platform knowledge. UI paths may vary slightly between Votiro Disarmer versions (e.g., v8 vs v9/Cloud).

  Learn More About Votiro ↗

DETECTION & RESPONSE KIT

• ⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.

  1. Vendor Platform Configuration - Votiro

  TEXT [copy]

  # Actionable Guidance for Votiro
  # Generated: 2026-02-05 14:35:43
  
  # Step 1: Navigate to Votiro Management Console → Policies → [Select Active Email/Web Policy] → File Types → Documents
  #   Purpose: Enforce Positive Selection (CDR) on all Microsoft Office formats to neutralize zero-day exploits used by Russian-state actors.
  #   Expected: Configuration ensures that .doc, .docx, .xls, and .ppt files are set to 'Sanitize' (Reconstruct). This strips embedded macros, OLE objects, and malformed structures while preserving safe content.
  
  # Step 2: Navigate to Votiro Management Console → Policies → [Select Active Policy] → Archives → Settings
  #   Purpose: Mitigate NetSupport RAT delivery via compressed attachments (ZIP/RAR) often used by actors like Stan Ghouls.
  #   Expected: Enable 'Recursive Sanitization' to ensure Votiro unpacks archives, sanitizes the nested files (payloads), and repacks them. Ensure 'Block Password Protected' is enabled if decryption keys are not available.
  
  # Step 3: Navigate to Votiro Management Console → System Settings → Updates
  #   Purpose: Ensure the TrueCDR engine definitions are current to recognize the latest file structure anomalies.
  #   Expected: System confirms 'Latest Engine Version' is active, ensuring the reconstruction process understands the most recent Microsoft Office file specifications.
  
  # Verification Steps:
  #   - Navigate to Analytics → Incidents/Traffic Log and filter by 'Sanitized' status for Office documents.
  #     Expected: Logs should show incoming Office files marked as 'Sanitized'. Drill-down details should indicate 'Macros Removed' or 'Objects Removed' without blocking the file delivery.
  #   - Download a sanitized sample file and inspect properties.
  #     Expected: The file opens in MS Office without triggering 'Enable Content' security warnings (macros stripped), and the file metadata/structure is normalized.
  

  2. YARA Rule for ShadowPad/DKnife

  YARA [copy]

  rule APT_ShadowPad_DKnife_Indicators {
  meta:
      description = "Detects ShadowPad/DKnife artifacts based on Talos reporting"
      author = "Threat Rundown"
      date = "2026-02-05"
      reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad"
      severity = "high"
      tlp = "white"
  strings:
      $s1 = "ShadowPad" ascii wide
      $s2 = "PoisonPlug" ascii wide
      $s3 = "SnappyBee" ascii wide
      $s4 = "XShellGhost" ascii wide
      $s5 = "ShadowRelay" ascii wide
      $s6 = "DracuLoader" ascii wide
  condition:
      any of ($s*)
  }
  

  3. SIEM Query — Amaranth-Dragon Process Detection

  SPLUNK [copy]

  index=security sourcetype="endpoint_process"
  process_name="malware.exe" OR process_name="Havoc" OR user_agent="Amaranth"
  | eval risk_score=case(
      process_name=="malware.exe", 50,
      process_name=="Havoc", 80,
      user_agent=="Amaranth", 90,
      1==1, 25)
  | where risk_score >= 50
  | table _time, src_ip, dest_ip, process_name, user_agent, risk_score
  | sort -_time
  

  4. PowerShell Script — RedTail/XMRig Check

  POWERSHELL [copy]

  $computers = "localhost", "SERVER01", "WKSTN01"
  foreach ($computer in $computers) {
      if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
          # Check for XMRig miner associated with RedTail (Cyble Intelligence)
          Invoke-Command -ComputerName $computer -ScriptBlock {
              $suspect = Get-Process -Name "xmrig" -ErrorAction SilentlyContinue
              if ($suspect) {
                  Write-Host "[ALERT] XMRig process found on $env:COMPUTERNAME" -ForegroundColor Red
              }
              if (Test-Path "C:\Windows\Temp\xmrig.exe") {
                  Write-Host "[ALERT] XMRig file artifact found on $env:COMPUTERNAME" -ForegroundColor Red
              }
          }
      }
  }
  

  This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!