TTPwire Vol. 1 · MITRE ATT&CK·Tagged


F5 Labs

Weekly Threat Bulletin – February 4th, 2026

2026-02-03

ATT&CK techniques detected

21 predictions
T1059.001 PowerShell · 99%
“security systems, deploy PowerShell in Constrained Language Mode. - Use a tool like Windows Defender Application Control (WDAC) or AppLocker to create and enforce policies that restrict the execution of script files, such as VBScript (.vbs), for standard users. - Use Group Po…”
T1059.001 PowerShell · 99%
“signed PowerShell execution policies, and monitoring for anomalous browser debugging activities. Severity: Critical. Threat details and IOCs. Mitigation advice - Block the domains `tebi[.]io` and `accurate-sprout-porpoise[.]glitch[.]me` in your web proxy, DNS sink…”
T1059.001 PowerShell · 99%
“your EDR or SIEM to generate a high-priority alert for any process creation event where the Windows Script Host (`wscript.exe` or `cscript.exe`) is the parent process of a PowerShell (`powershell.exe`) process. - In your Network Detection and Response (NDR) or SI…”
T1190 Exploit Public-Facing Application · 98%
“day vulnerability, CVE-2025-54236, identified as "SessionReaper," is being actively exploited across Magento e-commerce platforms, enabling attackers to bypass authentication and achieve full server compromise. This flaw facilitates session hijacking and remote code execu…”
T1071.001 Web Protocols · 98%
“…82b6e8acb3977497c59c3ac79f973f96c395e7f0ca97f8`), utilizes AES-encrypted payloads with the key `t2r0y1m1e1n1o0w1` and establishes C2 communication via Telegram bots, Discord, and HTTPS to domains such as `accurate-sprout-porpoise[.]glitch[.]me` and Cloudflare …”
T1190 Exploit Public-Facing Application · 97%
“2026-1340, in Ivanti Endpoint Manager Mobile (EPMM), both actively exploited and rated with a CVSS score of 9.8. These code injection flaws enable unauthenticated remote code execution, allowing attackers to execute arbitrary commands, access sensitive data, and achieve pers…”
T1190 Exploit Public-Facing Application · 87%
“the same IP, or other anomalous session-related activities. Compliance best practices - Review and harden your platform's session management policies by enforcing strict session invalidation on logout, reducing session timeout periods, and implementing token binding to user i…”
T1190 Exploit Public-Facing Application · 86%
“and implementing Web Application Firewall (WAF) rules to block exploitation patterns. Severity: Critical. Threat details and IOCs. Mitigation advice - Apply the security patch for CVE-2025-54236 to all Magento Commerce instances immediately using the Composer update process …”
T1190 Exploit Public-Facing Application · 78%
“…hackernews.com/2026/01/two-ivanti-epmm-zero-day-rce-flaws.html https://www.hendryadrian.com/ivanti-warns-of-two-epmm-flaws-exploited-in-zero-day-attacks/ https://www.thehackerwire.com/ivanti-emm-unauthenticated-rce …”
T1190 Exploit Public-Facing Application · 68%
“-2025-15467-openssl-pre-auth-rce/ https://research.jfrog.com/post/potential-rce-vulnerabilityin-openssl-cve-2025-15467/ https://socprime.com/blog/cve-2025-15467-vulnerability/ https://sploitus.com/exploit?id=11a67196-…”
T1555.003 Credentials from Web Browsers · 68%
“over POST requests with a custom `Content-DPR` header. Credential theft is achieved by suspending Chrome processes using PsSuspend and leveraging browser debugging protocols (e.g., `--remote-debugging-port=9222`) to dump saved logins without disk writes, creating…”
T1003 OS Credential Dumping · 56%
“over POST requests with a custom `Content-DPR` header. Credential theft is achieved by suspending Chrome processes using PsSuspend and leveraging browser debugging protocols (e.g., `--remote-debugging-port=9222`) to dump saved logins without disk writes, creating…”
T1595.002 Vulnerability Scanning · 48%
“parsing external CMS or PKCS#7 content, including S/MIME email processing and applications utilizing the affected APIs. Discovered by Aisle using AI-driven vulnerability discovery and reported on December 14, 2025, this issue is one of 12 vulnerabilities found by the organi…”
T1071.001 Web Protocols · 42%
“over POST requests with a custom `Content-DPR` header. Credential theft is achieved by suspending Chrome processes using PsSuspend and leveraging browser debugging protocols (e.g., `--remote-debugging-port=9222`) to dump saved logins without disk writes, creating…”
T1190 Exploit Public-Facing Application · 39%
“:d+.*$).*?/mifs/c/(aft|app)store/fob/.*?404`, and by monitoring for unusual administrator account activity, authentication setting changes, unexpected application pushes, network configuration alterations, or abnormal outbound network traffic. Remediation i…”
T1190 Exploit Public-Facing Application · 36%
“critical internal networks. Restrict outbound connections from the appliance to only known-required destinations to prevent lateral movement. - Review and test the backup and recovery procedures for critical appliances like Ivanti EPMM to ensure you can restore the system from …”
T1190 Exploit Public-Facing Application · 35%
“0-3.0.18, 3.3.0-3.3.5, 3.4.0-3.4.3, 3.5.0-3.5.4, and 3.6.0, with fixes available in 3.0.19, 3.3.6, 3.4.4, 3.5.5, and 3.6.1, respectively; OpenSSL 1.1.1, 1.0.2, and FIPS modules are not affected. This stack buffer overflow occurs in the CMS m…”
T1190 Exploit Public-Facing Application · 34%
“potential exploitation attempts. - Audit all Ivanti EPMM appliances for any newly created or modified administrator accounts and review for unexpected changes to SSO, LDAP, or authentication settings. - Review Ivanti EPMM configurations for any unexpected pushed applications, pol…”
T1555.003 Credentials from Web Browsers · 33%
“Weekly Threat Bulletin – February 4th, 2026. TAMECAT PowerShell backdoor targets Edge and Chrome: login credentials at risk. TAMECAT is a sophisticated PowerShell-based backdoor attributed to APT42, an Iranian state-sponsored hacking group, designed to steal login credentials …”
T1059.001 PowerShell · 32%
“Weekly Threat Bulletin – February 4th, 2026. TAMECAT PowerShell backdoor targets Edge and Chrome: login credentials at risk. TAMECAT is a sophisticated PowerShell-based backdoor attributed to APT42, an Iranian state-sponsored hacking group, designed to steal login credentials …”
T1547.001 Registry Run Keys / Startup Folder · 30%
“over POST requests with a custom `Content-DPR` header. Credential theft is achieved by suspending Chrome processes using PsSuspend and leveraging browser debugging protocols (e.g., `--remote-debugging-port=9222`) to dump saved logins without disk writes, creating…”

Summary

These are the top threats you should know about this week.