Malware Activity
Data Theft, Social Engineering, and Malicious Apps
Recent reports highlight a surge in sophisticated cyberattacks involving data theft, social engineering, and malware. The hacking group ShinyHunters, along with similar threat actors, uses fake phone calls (vishing) and impersonation of IT staff to trick employees into revealing login details and multi-factor authentication codes. These attackers gain access to cloud services like Google Drive and Microsoft 365, then move laterally to steal or delete sensitive information, often engaging in extortion by leaking data. Meanwhile, a new Android malware campaign exploits trusted platforms like Hugging Face to host malicious APK files, which disguise themselves as legitimate security apps. Once installed, these apps use device permissions to monitor activity, capture data, and mimic banking apps to steal financial information. Experts warn users to avoid third-party app stores, scrutinize app permissions, and enable stronger security measures such as hardware security keys and vigilant monitoring to defend against these evolving threats. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- BleepingComputer: Mandiant Details How ShinyHunters Abuse SSO To Steal Cloud Data article
- TheHackerNews: Mandiant Finds ShinyHunters Style Vishing Attacks Stealing MFA to Breach SaaS Platforms article
- BleepingComputer: Hugging Face Abused To Spread Thousands Of Android Malware Variants article
- SecurityWeek: Hugging Face Abused to Deploy Android RAT article
Threat Actor Activity
Notepad++ Supply Chain Attack Targeted Update Feature to Deliver Malware, Suspected State-Sponsored Hackers
State-sponsored attackers, likely linked to Chinese groups as reported by multiple independent researchers, hijacked Notepad++'s update mechanism to redirect traffic to malicious servers. The attack, which compromised the hosting provider's infrastructure rather than Notepad++ code, began in June 2025 and targeted specific users, particularly in telecommunications and financial services in East Asia. The attackers exploited a flaw in the update verification process, allowing them to serve tampered update manifests. Despite temporarily losing server access in September 2025, they maintained control until December by using stolen internal service credentials. The incident was attributed to the Violet Typhoon group (aka APT31) and later linked to the Chinese APT group Lotus Blossom by Rapid7 researchers, who identified a sophisticated backdoor named Chrysalis. This campaign illustrates the exposure software supply chains face, especially those built on open-source projects. The attack followed a pattern similar to previous incidents like ASUS's ShadowHammer campaign, with selective targeting rather than broad exploitation. Notepad++ has since migrated to a new hosting provider, strengthened its update mechanism, and implemented cryptographic signing for updates in version 8.8.9. CTIX analysts advise users to change credentials, update systems, and enable automatic updates. The Notepad++ team plans further security enhancements, including mandatory certificate signature verification in version 8.9.2, expected soon.
- Bleeping Computer: Notepad++ Attack Article
- The Record: Notepad++ Attack Article
- The Hacker News: Notepad++ Attack Article
- SentinelOne: ASUS Supply Chain Attack Article
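The tampered-manifest attack described above worked because the client trusted whatever the download host served. The Go example below, added here and not Notepad++'s own code, shows the kind of check that signed updates make possible: the client verifies the manifest against a key pinned in the application and then checks the fetched installer against the signed hash, so a manifest rewritten by a hijacked host, or a swapped binary, is refused. The manifest layout, key handling and URLs are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a constructed, hypothetical update manifest (not the real Notepad++ format):
// the offered version, where to fetch it, and the SHA-256 the installer must have.
type Manifest struct {
	Version, DownloadURL, InstallerSHA256 string
}

func (m Manifest) bytes() []byte {
	return []byte(m.Version + "\n" + m.DownloadURL + "\n" + m.InstallerSHA256 + "\n")
}

// signManifest runs offline at the publisher; the private key never touches the
// download host, so a hijacked host cannot produce a valid signature.
func signManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.bytes())
}

// verifyUpdate is the client-side gate: the manifest must verify against the key pinned in
// the application and the fetched installer must match the signed hash, else the update is refused.
func verifyUpdate(pinned ed25519.PublicKey, m Manifest, sig, installer []byte) error {
	if !ed25519.Verify(pinned, m.bytes(), sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	if sum := sha256.Sum256(installer); hex.EncodeToString(sum[:]) != m.InstallerSHA256 {
		return errors.New("installer hash does not match signed manifest")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // pub is what the client would ship pinned
	installer := []byte("constructed installer bytes, not a real binary")
	sum := sha256.Sum256(installer)
	m := Manifest{"8.8.9", "https://example.invalid/npp.exe", hex.EncodeToString(sum[:])}
	sig := signManifest(priv, m)
	fmt.Println("genuine update:", verifyUpdate(pub, m, sig, installer))
	hijacked := m // a compromised host rewrites the download location; the signature no longer matches
	hijacked.DownloadURL = "https://hijacked.invalid/npp.exe"
	fmt.Println("tampered manifest:", verifyUpdate(pub, hijacked, sig, installer))
}
```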
Vulnerabilities
Ivanti EPMM Zero-Day RCE Flaws Actively Exploited, Prompting Emergency Mitigations and Federal Action
Ivanti disclosed and patched two (2) critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), CVE-2026-1281 and CVE-2026-1340, both unauthenticated remote code execution (RCE) flaws with CVSS scores of 9.8 that were actively exploited prior to public disclosure. Affecting multiple EPMM 12.5.x–12.7.x releases, the vulnerabilities stem from code-injection issues in the In-House Application Distribution and Android File Transfer Configuration features and allow attackers to execute arbitrary code, access highly sensitive data stored on the appliance (including administrator and user credentials, device identifiers, network details, and potentially location data), and make configuration changes that could facilitate persistence or lateral movement. Ivanti released temporary RPM-based hotfixes that require no downtime but do not persist across version upgrades, with a permanent fix scheduled for EPMM 12.8.0.0 later in Q1 2026, while acknowledging a limited number of confirmed compromises and limited visibility into attacker TTPs. Detection guidance centers on identifying anomalous 404 responses to specific endpoints in Apache access logs, though Ivanti warned attackers may delete local logs post-compromise, recommending off-device log review where possible. Rather than attempting cleanup, Ivanti advises organizations to treat suspected compromises as full incidents, restore from known-good backups or rebuild appliances, reset credentials, and replace certificates, while also reviewing Ivanti Sentry systems for potential downstream impact. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies remediate by no later than February 1, 2026. Independent research by watchTowr Labs confirmed the flaws are exploitable over HTTP via crafted GET requests abusing app store-related Bash scripts, reinforcing warnings that patching alone may be insufficient for internet-exposed EPMM instances. CTIX analysts urge any affected administrators to follow Ivanti's guidance to investigate potential compromises.
- Bleeping Computer: CVE-2026-1281 and CVE-2026-1340 Article
- The Hacker News: CVE-2026-1281 and CVE-2026-1340 Article
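Ivanti's detection guidance above keys on 404 responses to specific endpoints in Apache access logs. The Go example below, added here and not Ivanti's own tooling, parses combined-format log text and flags 404s whose path starts with one of a list of watched prefixes; the prefixes and sample lines are constructed placeholders because this page does not reproduce Ivanti's endpoint list, and the function takes log text as input so it runs equally over copies shipped off the appliance, which matters given the warning that attackers may delete local logs.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Apache combined log format: client, ident, user, [time], "method path proto", status, bytes, "referer", "agent".
var lineRE = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"`)

// Hit is one access-log entry that matched the rule.
type Hit struct {
	Client, Time, Method, Path, UserAgent string
}

// find404sOnWatchedPaths scans combined-format log text (a local file or a copy shipped off-device)
// and returns every 404 whose request path starts with one of the watched prefixes. The prefixes
// are placeholders: Ivanti's advisory lists the real endpoints and this page does not reproduce them.
func find404sOnWatchedPaths(logText string, watched []string) []Hit {
	var hits []Hit
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		m := lineRE.FindStringSubmatch(sc.Text())
		if m == nil || m[5] != "404" {
			continue // unparseable line or not a 404
		}
		for _, prefix := range watched {
			if strings.HasPrefix(m[4], prefix) {
				hits = append(hits, Hit{m[1], m[2], m[3], m[4], m[6]})
				break
			}
		}
	}
	return hits
}

// Constructed sample lines, not real EPMM logs: a benign 404, a 404 on a watched path, and a 200.
const sampleLog = `203.0.113.7 - - [12/Jan/2026:10:01:02 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Jan/2026:10:01:09 +0000] "GET /watched-endpoint-placeholder/x?a=1 HTTP/1.1" 404 196 "-" "curl/8.5.0"
198.51.100.9 - - [12/Jan/2026:10:01:10 +0000] "GET /login HTTP/1.1" 200 5120 "-" "curl/8.5.0"
`

func main() {
	for _, h := range find404sOnWatchedPaths(sampleLog, []string{"/watched-endpoint-placeholder/"}) {
		fmt.Printf("suspicious 404: %s %s %s from %s (%s)\n", h.Time, h.Method, h.Path, h.Client, h.UserAgent)
	}
}
```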