TAMECAT PowerShell Backdoor Targets Edge and Chrome: Login Credentials at Risk

TAMECAT is a PowerShell-based backdoor attributed to APT42, an Iranian state-sponsored group. It steals saved login credentials from Microsoft Edge and Google Chrome while evading detection, and has been deployed in long-running espionage operations against senior defense and government officials, NGOs, media, educational institutions, activists, and legal services in Western and Middle Eastern countries.

The infection chain begins with social engineering, followed by a VBScript downloader (SHA256: `5404e39f2f175a0fc993513ee52be3679a64c69c79e32caa656fbb7645965422`) that checks for installed antivirus products before fetching a loader from `tebi[.]io`. That loader, `nconf.txt` (SHA256: `bd1f0fb085c486e97d82b6e8acb3977497c59c3ac79f973f96c395e7f0ca97f8`), carries AES-encrypted payloads (key `T2r0y1M1e1n1o0w1`) and establishes C2 over Telegram bots, Discord, and HTTPS to domains such as `accurate-sprout-porpoise[.]glitch[.]me` and Cloudflare Workers subdomains such as `darijo-bosanac-dl[.]workers[.]dev`. TAMECAT collects OS details, the computer name, and a hardcoded token (`GILNH9LX6TCZ9V8ZZSUF`); exfiltrated data is encrypted via Borpos (AES-256, key `kNz0CXiP0wEQnhZXYbvraigXvRVYHk1B`) and sent in POST requests that carry a custom `Content-DPR` header.

For credential theft, the backdoor suspends running Chrome processes with PsSuspend, then uses the browser's remote debugging interface (e.g., `--remote-debugging-port=9222`) to dump saved logins without writing them to disk. It creates a Chrome directory under `%LocalAppData%` and uses paths such as `%LocalAppData%\config.txt` for persistence. Obfuscation relies on array fragments, wildcards, and string replacement, mirroring POWERSTAR variants. MITRE ATT&CK techniques observed: PowerShell execution (T1059.001), suspected boot/logon autostart (T1547), credentials from password stores (T1555), web protocols for C2 (T1071.001), and obfuscated files/information (T1027).

Detection and mitigation: monitor for `wscript.exe` spawning PowerShell, enable PowerShell script-block logging, require signed scripts through the execution policy, and alert on anomalous browser debugging activity.

Severity: Critical

Threat Details and IOCs

Malware: BASICSTAR, CharmPower, GORBLE, GorjolEcho, NICECURL, POWERSTAR, TAMECAT
Technologies: Google Chrome, Microsoft Edge, Microsoft PowerShell, Microsoft Windows
Threat Actors: APT35, APT42, Calanque, CharmingCypress, CharmingKitten, CobaltIllusion, Damselfly, EducatedManticore, GreenBravo, GreenCharlie, ITG18, MagicHound, MintSandstorm, Newscaster, OilRig, Phosphorus, TA453, UNC788, YellowGaruda
Attacker Countries: Iran
Attacker Domains: accurate-sprout-porpoise.glitch.me, darijo-bosanac-dl.workers.dev, glitch.me, s3.tebi.io, tebi.io
Attacker URLs: hxxps://accurate-sprout-porpoise.glitch.me, hxxps://s3.tebi.io/icestorage/config/nconf.txt, hxxps://s3.tebi.io/icestorage/df32s.txt
Attacker Hashes: 081419a484bbf99f278ce636d445b9d8, 0ef4f7a8d7b1d34e10faa0bca1dcb76a518dd417, 3fd06c930ddc4b1914151f69454c087a42413a24, 5404e39f2f175a0fc993513ee52be3679a64c69c79e32caa656fbb7645965422, bd1f0fb085c486e97d82b6e8acb3977497c59c3ac79f973f96c395e7f0ca97f8, d7bf138d1aa2b70d6204a2f3c3bc72a7
Victim Industries: Defense, Education, Government, Legal Services, Multimedia, Non-Governmental Organizations (NGOs)
Victim Countries: Australia, Azerbaijan, Germany, Israel, United Arab Emirates, United Kingdom, United States

Mitigation Advice

  • Block the domains `tebi[.]io` and `accurate-sprout-porpoise[.]glitch[.]me` in your web proxy, DNS sinkhole, and perimeter firewall.
  • Add the file hashes `5404e39f2f175a0fc993513ee52be3679a64c69c79e32caa656fbb7645965422` and `bd1f0fb085c486e97d82b6e8acb3977497c59c3ac79f973f96c395e7f0ca97f8` to your Endpoint Detection and Response (EDR) and antivirus (AV) blocklists and initiate a full scan for these indicators.
  • Create a detection rule in your EDR or SIEM to generate a high-priority alert for any process creation event where the Windows Script Host (`wscript.exe` or `cscript.exe`) is the parent process of a PowerShell (`powershell.exe` or `pwsh.exe`) process.
  • In your Network Detection and Response (NDR) or SIEM platform, create a rule to detect and alert on any outbound HTTP/S POST requests that contain the custom header 'Content-DPR'.
  • Use your EDR's live query or system management tools to search all endpoints for the presence of the file path `%LocalAppData%\config.txt`.
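The three detection rules above (script host spawning PowerShell, a browser started with a remote-debugging flag, and outbound POSTs carrying `Content-DPR`) as runnable logic over constructed telemetry. This is an added example, not F5's code and not part of the original advisory; the record shapes are an assumption about how an EDR or proxy log exposes process-creation and HTTP events, so map the field names to your own pipeline.

```python
"""Detection rules for the TAMECAT chain, run over constructed telemetry.

Added example; not F5's code and not part of the original advisory. The
record shapes are an assumption about how an EDR/SIEM exposes
process-creation and proxy events; map the field names to your pipeline.
"""
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
BROWSERS = {"chrome.exe", "msedge.exe"}
# Chromium flags that expose the DevTools protocol to another local process.
DEBUG_FLAGS = ("--remote-debugging-port", "--remote-debugging-pipe")

# Constructed process-creation events (not real telemetry).
SAMPLE_PROCESS_EVENTS = [
    {"pid": 4120, "ppid": 3988, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\a\Downloads\invite.vbs"'},
    {"pid": 4188, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc SQBFAFgA"},
    {"pid": 4200, "ppid": 4188,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'chrome.exe --headless --remote-debugging-port=9222 '
                r'--user-data-dir="C:\Users\a\AppData\Local\Chrome"'},
    {"pid": 5000, "ppid": 880, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 5100, "ppid": 5000,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --profile-directory=Default"},
]

# Constructed outbound HTTP records from a proxy log (not real traffic).
SAMPLE_HTTP_RECORDS = [
    {"src": "10.1.2.3", "method": "POST", "host": "darijo-bosanac-dl.workers.dev",
     "headers": {"Content-Type": "application/octet-stream", "content-dpr": "1"}},
    {"src": "10.1.2.3", "method": "POST", "host": "login.microsoftonline.com",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"}},
    {"src": "10.1.2.9", "method": "GET", "host": "www.example.com",
     "headers": {"Accept": "text/html", "Content-DPR": "2"}},
]


def _basename(image):
    """Lower-cased file name of a Windows image path, e.g. 'wscript.exe'."""
    return ntpath.basename(image).lower()


def script_host_spawned_powershell(events):
    """PIDs of powershell.exe/pwsh.exe whose parent is wscript.exe or cscript.exe."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if (parent and _basename(parent["image"]) in SCRIPT_HOSTS
                and _basename(e["image"]) in POWERSHELL):
            hits.append(e["pid"])
    return hits


def browser_with_remote_debugging(events):
    """PIDs of Chrome/Edge launched with a DevTools remote-debugging flag."""
    return [e["pid"] for e in events
            if _basename(e["image"]) in BROWSERS
            and any(flag in e["cmdline"] for flag in DEBUG_FLAGS)]


def posts_with_content_dpr(records):
    """(src, host) pairs for outbound POSTs carrying a Content-DPR request header.

    Content-DPR is specified as a *response* header (Client Hints), so seeing it
    on an outbound request is anomalous whatever the destination.
    """
    return [(r["src"], r["host"]) for r in records
            if r["method"].upper() == "POST"
            and any(name.lower() == "content-dpr" for name in r["headers"])]


def run_rules(events, records):
    """Combine the three rules into (rule_name, indicator) alerts."""
    alerts = [("wscript_spawned_powershell", pid)
              for pid in script_host_spawned_powershell(events)]
    alerts += [("browser_remote_debugging", pid)
               for pid in browser_with_remote_debugging(events)]
    alerts += [("content_dpr_post", pair) for pair in posts_with_content_dpr(records)]
    return alerts


if __name__ == "__main__":
    for rule, indicator in run_rules(SAMPLE_PROCESS_EVENTS, SAMPLE_HTTP_RECORDS):
        print(f"ALERT {rule}: {indicator}")
```

The process rule keys on image names rather than command-line text so that renamed copies of `wscript.exe` are still caught by the EDR's own hashing, not by this rule; the header rule is case-insensitive because proxies normalise header names differently.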

Compliance Best Practices

  • Enable PowerShell Script Block Logging and Module Logging via Group Policy across all Windows endpoints and ensure the resulting logs (Event ID 4104 and 4103) are forwarded to your SIEM for monitoring and analysis.
  • Implement a restrictive PowerShell execution policy, such as 'AllSigned', via Group Policy to prevent the execution of unsigned scripts. For high-security systems, deploy PowerShell in Constrained Language Mode.
  • Use a tool like Windows Defender Application Control (WDAC) or AppLocker to create and enforce policies that restrict the execution of script files, such as VBScript (.vbs), for standard users.
  • Use Group Policy Objects (GPOs) or a Mobile Device Management (MDM) solution to centrally disable remote debugging in both Google Chrome and Microsoft Edge (the `RemoteDebuggingAllowed` enterprise policy, set to disabled, in each browser).
  • Implement an egress traffic filtering policy on your perimeter firewall and web proxy that denies outbound connections by default and only allows traffic to services and categories that are required for business operations, specifically blocking categories like anonymous proxies and chat services not used by the company.
  • Develop and maintain a continuous security awareness training program that educates users on how to identify and report social engineering and phishing attempts, with periodic simulated phishing campaigns to measure effectiveness.

Over 200 Magento Stores Compromised via CVE-2025-54236 'SessionReaper' Zero-Day Exploit

A critical zero-day vulnerability in Magento, CVE-2025-54236 ("SessionReaper"), is being actively exploited, enabling attackers to bypass authentication and achieve full server compromise. The flaw allows invalid session tokens to be reused, which opens the door to session hijacking and remote code execution. Over 200 Magento stores have suffered root-level compromise: one campaign scanned 1,460 vulnerable Magento Commerce APIs and breached 216 of them, as evidenced by exfiltrated files mimicking `/etc/passwd` listings, using a command-and-control (C2) server at 93.152.230.161 in Finland. Separate webshell attacks against Magento sites in Canada and Japan exploited the same vulnerability through a C2 server at 115.42.60.163 in Hong Kong; their logs record successful shell deployments. Unpatched Magento Commerce instances are affected. Apply Adobe's fixes immediately, monitor for the identified C2 IPs, enforce strict session invalidation, and deploy Web Application Firewall (WAF) rules that block the exploitation pattern.

Severity: Critical

Threat Details and IOCs

CVEs: CVE-2025-54236
Technologies: Adobe Commerce, Linux, PHP
Attacker Countries: Finland
Attacker IPs: 115.42.60.163, 155.117.84.134, 159.89.12.166, 34.227.25.4, 44.212.43.34, 54.205.171.35, 93.152.230.161
Victim Industries: Retail
Victim Countries: Canada, Japan, Vietnam

Mitigation Advice

  • Apply the security patch for CVE-2025-54236 to all Magento Commerce instances immediately using the composer update process as recommended by Adobe.
  • Add the IP addresses 93.152.230.161 and 115.42.60.163 to your firewall's blocklist to prevent communication with known malicious command-and-control servers.
  • Scan web server file systems for the presence of suspicious files, specifically looking for webshells and log files named 'success_api_2025.txt', '404_key.txt', and 'key.txt'.
  • Implement or enable a Web Application Firewall (WAF) rule specifically designed to detect and block HTTP requests attempting to exploit the SessionReaper vulnerability (CVE-2025-54236).
  • Analyze web server and Magento application logs for unusual patterns of session reuse, multiple failed authentication attempts followed by a success from the same IP, or other anomalous session-related activities.
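The two log hunts in the last bullet, written out as an added example (not Adobe's or the page's own code): a stateful search for several authentication failures followed by a success from the same IP, and a check for one session identifier appearing from more than one source address. It assumes the web-server and Magento logs have already been parsed into records with the fields shown; the endpoint list, the failure threshold and the time window are illustrative assumptions, and the records themselves are constructed.

```python
"""Two session-anomaly hunts over constructed Magento access records.

Added example, not Adobe's or the page's code. Assumes each record was
already parsed from the web-server/Magento logs into a dict with these
fields; the auth endpoints, threshold and window are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints that return an authentication result (assumed, illustrative).
AUTH_PATHS = ("/rest/V1/integration/admin/token",
              "/rest/V1/integration/customer/token",
              "/admin/")

# Constructed records (not real logs); `session` is the session cookie value.
SAMPLE_RECORDS = [
    {"ts": "2025-10-22T10:00:01", "ip": "93.152.230.161", "method": "POST",
     "path": "/rest/V1/integration/admin/token", "status": 401, "session": None},
    {"ts": "2025-10-22T10:00:03", "ip": "93.152.230.161", "method": "POST",
     "path": "/rest/V1/integration/admin/token", "status": 401, "session": None},
    {"ts": "2025-10-22T10:00:05", "ip": "93.152.230.161", "method": "POST",
     "path": "/rest/V1/integration/admin/token", "status": 401, "session": None},
    {"ts": "2025-10-22T10:00:09", "ip": "93.152.230.161", "method": "POST",
     "path": "/rest/V1/integration/admin/token", "status": 200, "session": "a1b2c3"},
    {"ts": "2025-10-22T10:05:00", "ip": "198.51.100.7", "method": "GET",
     "path": "/customer/account/", "status": 200, "session": "zz9999"},
    {"ts": "2025-10-22T10:06:00", "ip": "115.42.60.163", "method": "GET",
     "path": "/customer/account/", "status": 200, "session": "zz9999"},
    {"ts": "2025-10-22T11:00:00", "ip": "203.0.113.5", "method": "POST",
     "path": "/rest/V1/integration/customer/token", "status": 401, "session": None},
    {"ts": "2025-10-22T11:30:00", "ip": "203.0.113.5", "method": "POST",
     "path": "/rest/V1/integration/customer/token", "status": 200, "session": "q7q7q7"},
]


def _ts(rec):
    return datetime.fromisoformat(rec["ts"])


def failures_then_success(records, min_failures=3, window=timedelta(minutes=10)):
    """(ip, failure_count, success_ts) where >= min_failures auth failures
    from one IP are followed by a success inside `window`."""
    by_ip = defaultdict(list)
    for rec in sorted(records, key=_ts):
        if rec["path"].startswith(AUTH_PATHS):
            by_ip[rec["ip"]].append(rec)
    hits = []
    for ip, recs in by_ip.items():
        failures = []
        for rec in recs:
            if rec["status"] in (401, 403):
                failures.append(_ts(rec))
            elif rec["status"] == 200:
                recent = [t for t in failures if _ts(rec) - t <= window]
                if len(recent) >= min_failures:
                    hits.append((ip, len(recent), rec["ts"]))
                failures = []          # a success closes the sequence
    return hits


def sessions_shared_across_ips(records):
    """Session identifiers observed from more than one source IP."""
    ips = defaultdict(set)
    for rec in records:
        if rec["session"]:
            ips[rec["session"]].add(rec["ip"])
    return {sess: sorted(v) for sess, v in ips.items() if len(v) > 1}


if __name__ == "__main__":
    for ip, n, when in failures_then_success(SAMPLE_RECORDS):
        print(f"{ip}: {n} auth failures then success at {when}")
    for sess, ips in sessions_shared_across_ips(SAMPLE_RECORDS).items():
        print(f"session {sess} seen from {', '.join(ips)}")
```

The shared-session check is the more valuable of the two for this vulnerability: a token reused from a second address is direct evidence of hijacking, whereas the failure-then-success pattern also fires on ordinary brute forcing and should be triaged against the C2 addresses listed above.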

Compliance Best Practices

  • Review and harden your platform's session management policies by enforcing strict session invalidation on logout, reducing session timeout periods, and implementing token binding to user IP addresses or browser fingerprints.
  • Conduct a comprehensive security audit of all publicly exposed Magento APIs to identify and reduce the attack surface by disabling or restricting access to non-essential endpoints.
  • Establish a formal threat hunting program to proactively search for indicators of compromise and anomalous activity on web-facing assets, rather than relying solely on reactive alerts.
  • Implement a formal vulnerability management program that defines timelines and procedures for testing and deploying security patches for all critical software, including the Magento platform and its extensions.

CVE-2026-1281 CVE-2026-1340: Ivanti EPMM Zero-Day Vulnerabilities Enable Unauthenticated RCE

Ivanti has disclosed two critical zero-day vulnerabilities, CVE-2026-1281 and CVE-2026-1340, in Ivanti Endpoint Manager Mobile (EPMM); both are actively exploited and rated CVSS 9.8. These code injection flaws allow unauthenticated remote code execution, letting attackers run arbitrary commands, access sensitive data, and persist through web or reverse shells. CVE-2026-1281 has been added to CISA's Known Exploited Vulnerabilities catalog, with federal agencies required to remediate by February 1, 2026. Affected versions are EPMM 12.5.0.0, 12.6.0.0 and 12.7.0.0 and earlier, as well as 12.5.1.0 and 12.6.1.0 and earlier. Interim RPM-based patches are available; the permanent fix is slated for EPMM 12.8.0.0 in Q1 2026. To detect compromise, review the Apache access logs for 404 responses on the vulnerable endpoints from non-local clients using the regex `^(?!127.0.0.1:\d+.*$).*?/mifs/c/(aft|app)store/fob/.*?404`, and watch for unusual administrator account activity, authentication setting changes, unexpected application pushes, network configuration changes, or abnormal outbound traffic. Remediation means applying the patches, restoring from a known-good backup or rebuilding the appliance, then resetting credentials and revoking certificates.

Severity: Critical

Threat Details and IOCs

CVEs: CVE-2023-35078, CVE-2023-35081, CVE-2026-1281, CVE-2026-1340
Technologies: Apache HTTP Server, Apple iOS, Apple macOS, Google Android, Ivanti Endpoint Manager Mobile, Kerberos, Linux, Microsoft Active Directory, Microsoft Windows
Threat Actors: UNC5221
Attacker Countries: China, Russia
Victim Industries: Automotive, Defense, Education, Energy, Financial Services, Government, Healthcare, Information Technology, Legal Services, Logistics, Manufacturing, Public Sector, Retail, Supply Chain, Technology Hardware, Telecommunications, Transportation
Victim Countries: Australia, France, Germany, Norway, Singapore, United Kingdom, United States

Mitigation Advice

  • Apply the interim RPM-based patches provided by Ivanti to all affected Endpoint Manager Mobile (EPMM) appliances immediately, as these vulnerabilities are actively exploited zero-days.
  • Scan the Apache access logs at `/var/log/httpd/https-access_log` on all Ivanti EPMM appliances with the regex `^(?!127.0.0.1:\d+.*$).*?/mifs/c/(aft|app)store/fob/.*?404` to identify exploitation attempts; the leading negative lookahead drops the appliance's own loopback requests, and the rest matches 404 responses on the `aftstore`/`appstore` `fob` paths.
  • Audit all Ivanti EPMM appliances for any newly created or modified administrator accounts and review for unexpected changes to SSO, LDAP, or authentication settings.
  • Review Ivanti EPMM configurations for any unexpected pushed applications, policy updates, or changes to network or VPN settings.
  • Monitor and investigate any unusual outbound network connections originating from Ivanti EPMM appliances, as this may indicate a web shell or reverse shell.
  • If compromise is suspected, immediately reset all local EPMM account passwords and rotate all associated LDAP, KDC, and service account credentials.
  • If compromise is suspected, revoke and replace all public certificates used by the affected Ivanti EPMM appliance to invalidate potentially stolen certificates.
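The log review above, as an added example that is not Ivanti's tooling. It applies the advisory regex (with the `\d+` escape written out explicitly, since some renderings drop the backslash) to constructed `https-access_log` lines, and beside it a stricter version that parses the status field instead of matching `404` as a substring. The `client:port` prefix on the sample lines is an assumption about the log format, implied by the advisory's `127.0.0.1:<port>` lookahead; the byte counts and paths are constructed.

```python
"""Apply the EPMM advisory regex to Apache access-log lines, with a stricter variant.

Added example, not Ivanti's tooling. The sample lines are constructed; their
leading `client:port` field is an assumption about the https-access_log
format that the advisory's 127.0.0.1:<port> lookahead implies.
"""
import re

# The advisory pattern with its backslash escapes written out.
ADVISORY_RE = re.compile(
    r"^(?!127\.0\.0\.1:\d+.*$).*?/mifs/c/(aft|app)store/fob/.*?404")

# Minimal parse of a combined-format line: client, request line, status.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
FOB_PATH = re.compile(r"/mifs/c/(aft|app)store/fob/")

# Constructed log excerpt (not from a real appliance).
SAMPLE_LOG = """\
127.0.0.1:44120 - - [20/Jan/2026:09:12:01 +0000] "GET /mifs/c/appstore/fob/health HTTP/1.1" 404 0 "-" "-"
203.0.113.40:51234 - - [20/Jan/2026:09:13:07 +0000] "GET /mifs/c/appstore/fob/test HTTP/1.1" 404 512 "-" "python-requests/2.31"
198.51.100.9:50001 - - [20/Jan/2026:09:14:20 +0000] "POST /mifs/c/aftstore/fob/probe HTTP/1.1" 404 512 "-" "curl/8.4.0"
198.51.100.9:50002 - - [20/Jan/2026:09:14:25 +0000] "GET /mifs/c/appstore/fob/ok HTTP/1.1" 200 4040 "-" "Mozilla/5.0"
192.0.2.10:40404 - - [20/Jan/2026:09:15:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""


def advisory_matches(log_text):
    """Lines flagged by the advisory regex exactly as published."""
    return [line for line in log_text.splitlines() if ADVISORY_RE.search(line)]


def strict_matches(log_text):
    """Same hunt with the status code parsed as a field.

    Returns (client_ip, method, path) for non-loopback requests to the
    aftstore/appstore fob paths that actually received a 404.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["client"].startswith("127.0.0.1:"):
            continue
        if FOB_PATH.search(m["path"]) and m["status"] == "404":
            hits.append((m["client"].split(":")[0], m["method"], m["path"]))
    return hits


if __name__ == "__main__":
    print("advisory regex:", len(advisory_matches(SAMPLE_LOG)), "lines")
    for ip, method, path in strict_matches(SAMPLE_LOG):
        print(f"strict: {ip} {method} {path}")
```

On the sample the published regex also flags the fourth line, a 200 response whose byte count happens to contain `404`, because `.*?404` is not anchored to the status field; the strict variant does not. Use the advisory regex for a fast first pass and the parsed form before escalating, and keep the loopback exclusion in both, since the appliance's own health checks hit the same paths.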

Compliance Best Practices

  • Develop and schedule a plan to upgrade all Ivanti EPMM appliances to version 12.8.0.0 as soon as it is released to ensure the permanent fix for CVE-2026-1281 and CVE-2026-1340 is applied.
  • Implement network segmentation to isolate Ivanti EPMM appliances from critical internal networks. Restrict outbound connections from the appliance to only known-required destinations to prevent lateral movement.
  • Review and test the backup and recovery procedures for critical appliances like Ivanti EPMM to ensure you can restore the system from a known-good, pre-exploitation backup in a timely manner.
  • Configure log forwarding from Ivanti EPMM appliances to a central SIEM and create automated alerts for the indicators of compromise mentioned in the advisory, such as suspicious 404 errors or unauthorized configuration changes.
  • Establish an Attack Surface Management (ASM) program to continuously discover and inventory all internet-facing assets to ensure they are monitored, patched, and properly configured.

CVE-2025-15467: Critical OpenSSL Flaw Enables Pre-Auth Remote Code Execution

A critical pre-authentication remote code execution vulnerability, CVE-2025-15467 (CVSS 9.8), affects the OpenSSL 3.0, 3.3, 3.4, 3.5, and 3.6 branches: versions 3.0.0-3.0.18, 3.3.0-3.3.5, 3.4.0-3.4.3, 3.5.0-3.5.4, and 3.6.0 are vulnerable, with fixes in 3.0.19, 3.3.6, 3.4.4, 3.5.5, and 3.6.1 respectively. OpenSSL 1.1.1, 1.0.2, and the FIPS modules are not affected. The bug is a stack buffer overflow in the CMS module, in `evp_cipher_get_asn1_aead_params()`, triggered when a malformed encrypted message carries an oversized Initialization Vector (IV) for an AEAD cipher such as AES-GCM. Because the overflow happens before any cryptographic validation, an unauthenticated attacker can reach it with a crafted message; the result is at least a denial of service and, depending on the platform's mitigations, potentially remote code execution. Any service that parses externally supplied CMS or PKCS#7 content is exposed, including S/MIME email processing and applications built on the affected APIs. The issue was found by AISLE using AI-driven vulnerability discovery and reported on December 14, 2025; it is one of 12 vulnerabilities the organization has reported.

Severity: Critical

Threat Details and IOCs

Malware: CoolClient, G_Wagon
CVEs: CVE-2025-11187, CVE-2025-15467, CVE-2025-15468, CVE-2025-15469, CVE-2025-66199, CVE-2025-68160, CVE-2025-69418, CVE-2025-69419, CVE-2025-69420, CVE-2025-69421, CVE-2026-22795, CVE-2026-22796
Technologies: Node.js, OpenSSL, Red Hat Enterprise Linux, Ubuntu
Attacker Countries: Russia
Reference Domains: openssl-library.org, sploitus.com
Reference URLs: https://openssl-library.org/news/secadv/20260127.txt, https://sploitus.com/exploit?id=11A67196-5F79-5EB2-A017-85187621830C
Victim Industries: Aerospace, Automotive, Computer and Network Security, Consumer Electronics, Defense, Defense & Space, Education, Financial Services, Government, Healthcare, Industrials, Information Technology, IT Services, Manufacturing, Maritime, Media and Entertainment, Retail, Software, Technology Hardware, Telecommunications
Victim Countries: France, United States

Mitigation Advice

  • Immediately upgrade systems with vulnerable OpenSSL versions (3.0.0-3.0.18, 3.3.0-3.3.5, 3.4.0-3.4.3, 3.5.0-3.5.4, 3.6.0) to the corresponding patched versions (3.0.19, 3.3.6, 3.4.4, 3.5.5, 3.6.1).
  • Use your vulnerability management platform or asset inventory tools to scan the entire environment to identify all assets running any version of OpenSSL 3.x.
  • Prioritize patching for internet-facing systems and internal services that process untrusted data, especially mail servers, web servers, and any application that handles S/MIME or CMS content.
  • Identify all systems running End-of-Life OpenSSL versions 3.1 and 3.2 and create an emergency plan to upgrade them to a supported, patched branch, such as 3.6.1 or higher.
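The version triage in the bullets above as an added example (not OpenSSL project code): it parses `openssl version` output, classifies each version against the affected ranges and fix versions stated in the advisory summary, and treats the end-of-life 3.1 and 3.2 branches as unsupported with no fix, which is an assumption drawn from the last bullet rather than something the advisory states. The host inventory is constructed.

```python
"""Triage OpenSSL versions against the CVE-2025-15467 affected ranges.

Added example, not OpenSSL project code. Ranges and fix versions are those
stated in the summary above; treating EOL 3.1/3.2 as unsupported-and-unfixed
is an assumption. Host output strings are constructed.
"""
import re

# (first affected, last affected, fixed in) for each supported 3.x branch.
AFFECTED = [
    ((3, 0, 0), (3, 0, 18), (3, 0, 19)),
    ((3, 3, 0), (3, 3, 5), (3, 3, 6)),
    ((3, 4, 0), (3, 4, 3), (3, 4, 4)),
    ((3, 5, 0), (3, 5, 4), (3, 5, 5)),
    ((3, 6, 0), (3, 6, 0), (3, 6, 1)),
]
# Branches past end-of-life that received no fix (assumption: treat as affected).
EOL_BRANCHES = {(3, 1), (3, 2)}

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Constructed `openssl version` output per host (not a real inventory).
SAMPLE_HOSTS = {
    "mail01": "OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)",
    "web02": "OpenSSL 3.5.5 1 Jan 2026 (Library: OpenSSL 3.5.5 1 Jan 2026)",
    "legacy03": "OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)",
    "appliance04": "OpenSSL 1.1.1w  11 Sep 2023",
    "build05": "3.6.0",
}


def parse_version(text):
    """(major, minor, patch) from `openssl version` output or a bare version string."""
    m = VERSION_RE.search(text) or re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return tuple(int(x) for x in m.groups()[:3])


def assess(version):
    """(status, advice) for one parsed version tuple."""
    major, minor, _patch = version
    if major < 3:
        return ("not_affected", "1.1.1 and 1.0.2 are listed as not affected")
    if (major, minor) in EOL_BRANCHES:
        return ("unsupported", "EOL branch with no fix; migrate to 3.6.1 or later")
    for first, last, fix in AFFECTED:
        if first <= version <= last:
            return ("vulnerable", "upgrade to %d.%d.%d" % fix)
        if version[:2] == fix[:2] and version >= fix:
            return ("patched", "")
    return ("unknown", "branch not covered by the advisory summary; check the advisory")


def triage(hosts):
    """host -> status for a {host: `openssl version` output} inventory."""
    return {host: assess(parse_version(output))[0] for host, output in hosts.items()}


if __name__ == "__main__":
    for host, output in SAMPLE_HOSTS.items():
        status, advice = assess(parse_version(output))
        print(f"{host:12} {status:13} {advice}")
```

One caveat for the RHEL and Ubuntu systems listed under Technologies: distribution packages keep the upstream version number while backporting fixes, so a package reporting 3.0.2 may already be patched. For distro-managed OpenSSL, check the package changelog or the vendor advisory rather than trusting the version string alone; this classifier is for source builds and vendored copies.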

Compliance Best Practices

  • Implement a Software Bill of Materials (SBOM) program to maintain a continuous and accurate inventory of all software components and their versions, including third-party libraries like OpenSSL, across all systems.
  • Establish and enforce a secure build policy for all operating systems and in-house applications that mandates the use of modern compiler hardening features, such as stack canaries and Address Space Layout Randomization (ASLR).
  • Develop and enforce a technology lifecycle management policy that mandates planning and migrating from software and libraries at least six months before their published End-of-Life (EOL) date.
  • Initiate a research project to evaluate and pilot AI-driven security tools for proactive vulnerability discovery and risk analysis within your own environment.

Safety Broken: PyTorch “Safe” Mode Bypassed by Critical RCE Flaw

A high-severity remote code execution flaw, CVE-2026-24747 (CVSS 8.8), affects PyTorch versions 2.9.1 and earlier and allows arbitrary code execution even when the `weights_only=True` "safe" loading mode is used. The bug is in the `weights_only` unpickler, which did not properly validate pickle opcodes and storage metadata. A crafted checkpoint file (`.pth`) can trigger memory corruption when loaded, either heap corruption through `SETITEM` or `SETITEMS` opcodes applied to non-dictionary objects, or a storage size mismatch, and either path can hijack the loading process. Given how routinely model checkpoints are downloaded from public repositories, this is a significant AI supply-chain risk. The PyTorch team has released the fix in version 2.10.0; update affected environments immediately.

Severity: Critical

Threat Details and IOCs

CVEs: CVE-2026-24747
Technologies: Python, PyTorch
Victim Industries: Information Technology, Scientific Research, Technology Hardware

Mitigation Advice

  • Update all PyTorch installations to version 2.10.0 or later on all developer workstations and servers.
  • Scan all company assets to identify systems running vulnerable PyTorch versions (2.9.1 and earlier) and compile a list for prioritized patching.

Compliance Best Practices

  • Establish a formal policy requiring all externally sourced machine learning models and checkpoint files (e.g., from Hugging Face or GitHub) to be scanned and validated in an isolated sandbox environment before use.
  • Tune Endpoint Detection and Response (EDR) rules to specifically monitor for anomalous process execution, memory corruption, or suspicious file I/O originating from Python processes that are loading machine learning models.
  • Implement a process to generate and maintain a Software Bill of Materials (SBOM) for all AI/ML projects to ensure a current inventory of all libraries and dependencies.
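A pre-flight scan of the kind the sandbox-validation step above calls for, as an added example; it is not PyTorch's unpickler and not a substitute for the 2.10.0 upgrade. It opens a checkpoint's zip container, walks the embedded `data.pkl` with `pickletools` without unpickling anything, and reports any global that is not on a small allowlist, alongside a version gate for `torch.__version__`. The allowlist is an illustrative subset of what `weights_only` loading permits (an assumption), and the checkpoints are constructed in memory. Note what it does and does not cover: it catches the classic callable-smuggling pickles, but the CVE above is a memory-corruption bug inside the unpickler's own opcode handling, which a static global scan cannot rule out, so the version check is the control that matters for that flaw.

```python
"""Static pre-scan of a PyTorch zip checkpoint's pickle stream before torch.load.

Added example; not PyTorch's unpickler and no substitute for upgrading to
2.10.0. Nothing is unpickled: the stream is walked with pickletools and any
global outside a small allowlist is reported. The allowlist is an assumed
subset of the weights_only allowlist; sample checkpoints are constructed.
"""
import io
import pickle
import pickletools
import re
import zipfile

# Globals a plain state_dict needs (assumption: subset of the weights_only allowlist).
ALLOWED_GLOBALS = {
    "collections.OrderedDict",
    "torch._utils._rebuild_tensor_v2",
    "torch.FloatStorage", "torch.HalfStorage", "torch.BFloat16Storage",
    "torch.LongStorage", "torch.IntStorage", "torch.ByteStorage", "torch.BoolStorage",
}
MIN_SAFE_TORCH = (2, 10, 0)  # first release carrying the CVE-2026-24747 fix


def torch_version_is_patched(version_string):
    """True if a torch.__version__ string such as '2.9.1+cu121' is >= 2.10.0."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError(f"unparseable torch version {version_string!r}")
    return tuple(int(x) for x in m.groups()) >= MIN_SAFE_TORCH


def _data_pkl(checkpoint_bytes):
    """Pickle stream from a torch zip checkpoint (stored as <root>/data.pkl)."""
    with zipfile.ZipFile(io.BytesIO(checkpoint_bytes)) as zf:
        names = [n for n in zf.namelist() if n.endswith("/data.pkl")]
        if len(names) != 1:
            raise ValueError(f"expected exactly one data.pkl, found {names!r}")
        return zf.read(names[0])


def suspicious_globals(pickle_bytes):
    """Globals referenced by the stream that are not on the allowlist.

    GLOBAL (protocol < 4) carries 'module name' in its argument; STACK_GLOBAL
    (protocol 4+) takes module and name from the two preceding string pushes.
    """
    recent_strings = []
    found = []
    for op, arg, _pos in pickletools.genops(pickle_bytes):
        if op.name == "GLOBAL":
            found.append(arg.replace(" ", ".", 1))
        elif op.name == "STACK_GLOBAL":
            if len(recent_strings) < 2:
                raise ValueError("STACK_GLOBAL without preceding module/name strings")
            found.append(f"{recent_strings[-2]}.{recent_strings[-1]}")
        elif isinstance(arg, str) and ("UNICODE" in op.name or "STRING" in op.name):
            recent_strings.append(arg)
    return [g for g in found if g not in ALLOWED_GLOBALS]


def scan_checkpoint(checkpoint_bytes):
    """Non-allowlisted globals in the checkpoint; an empty list means none flagged."""
    return suspicious_globals(_data_pkl(checkpoint_bytes))


def build_checkpoint(obj, protocol):
    """Constructed sample: wrap a pickled object in the torch zip layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle.dumps(obj, protocol=protocol))
        zf.writestr("archive/version", "3\n")
    return buf.getvalue()


class _SmuggledCall:
    """Pickles to a call of builtins.eval; the scanner never executes it."""
    def __reduce__(self):
        return (eval, ("1 + 1",))


BENIGN_CKPT = build_checkpoint({"layer.weight": [0.5, -0.25], "layer.bias": [0.0]}, 2)
MALICIOUS_CKPT_P3 = build_checkpoint({"layer.weight": _SmuggledCall()}, 3)  # GLOBAL opcode
MALICIOUS_CKPT_P4 = build_checkpoint({"layer.weight": _SmuggledCall()}, 4)  # STACK_GLOBAL

if __name__ == "__main__":
    for label, ckpt in [("benign", BENIGN_CKPT), ("proto3", MALICIOUS_CKPT_P3),
                        ("proto4", MALICIOUS_CKPT_P4)]:
        print(label, "flagged:", scan_checkpoint(ckpt) or "none")
```

Run the scan in the isolated environment before the file ever reaches a `torch.load` call, and treat any flagged global as grounds to discard the file rather than to extend the allowlist. Real checkpoints also reference tensor-rebuild helpers beyond the subset listed here, so expect to add entries from your own known-good models when deploying this against production artifacts.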

Authors & Contributors

Brian Sayer (Author)

Threat Intelligence Analyst, F5