2026-02-02

Every week brings new discoveries, attacks, and defenses that shape the state of cybersecurity. Some threats are stopped quickly, while others go unseen until they cause real damage.

Sometimes a single update, exploit, or mistake changes how we think about risk and protection. Every incident shows how defenders adapt — and how fast attackers try to stay ahead.

This week's recap brings you the key moments that matter most, in one place, so you can stay informed and ready for what's next.

⚡ Threat of the Week

Google Disrupts IPIDEA Residential Proxy Network — Google has crippled IPIDEA, a massive residential proxy network consisting of user devices that are being used as the last-mile link in cyberattack chains. According to the tech giant, not only do these networks permit bad actors to conceal their malicious traffic, but they also open up users who enroll their devices to further attacks. Residential IP addresses in the U.S., Canada, and Europe were seen as the most desirable. Google pursued legal measures to seize or sinkhole domains used as command-and-control (C2) for devices enrolled in the IPIDEA proxy network, cutting off operators' ability to route traffic through compromised systems. The disruption is assessed to have reduced IPIDEA's available pool of devices by millions. The proxy software is either pre-installed on devices or may be willingly installed by users, lured by the promise of monetizing their available internet bandwidth. Once devices are registered in the residential proxy network, operators sell access to it to their customers. Numerous proxy and VPN brands, marketed as separate businesses, were controlled by the same actors behind IPIDEA. The proxy network also promoted several SDKs as app monetization tools, quietly turning user devices into proxy exit nodes without their knowledge or consent once embedded. IPIDEA has also been linked to large-scale brute-forcing attacks targeting VPN and SSH services as far back as early 2024. The team from Device and Browser Info has since released a list of all IPIDEA-linked proxy exit IPs.
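Since the story notes that IPIDEA exits have been used for SSH brute-forcing and that a list of proxy exit IPs is now published, a defender's first use of such a list is to cross-reference it with authentication logs. The script below is an added example, not code from the article or from Device and Browser Info; the log lines and the exit list are constructed placeholders (RFC 5737 documentation ranges), not real IPIDEA indicators.

```python
import ipaddress
import re
from collections import Counter

# Constructed sshd log sample; the addresses are documentation-range placeholders.
SAMPLE_AUTH_LOG = """\
Jan 29 10:01:02 bastion sshd[4121]: Failed password for invalid user admin from 203.0.113.10 port 51022 ssh2
Jan 29 10:01:03 bastion sshd[4121]: Failed password for invalid user admin from 203.0.113.10 port 51023 ssh2
Jan 29 10:01:05 bastion sshd[4125]: Failed password for root from 203.0.113.10 port 51030 ssh2
Jan 29 10:02:11 bastion sshd[4130]: Accepted publickey for deploy from 198.51.100.7 port 40122 ssh2
Jan 29 10:03:40 bastion sshd[4140]: Failed password for root from 192.0.2.55 port 33010 ssh2
Jan 29 10:03:41 bastion sshd[4140]: Failed password for root from 192.0.2.55 port 33011 ssh2
"""

# Constructed stand-in for a published proxy exit list (CIDR blocks and single hosts).
PROXY_EXIT_LIST = ["203.0.113.0/24", "198.51.100.7"]

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")


def load_exit_networks(entries):
    """Parse CIDR or bare-IP entries; strict=False tolerates host bits in a prefix."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_proxy_exit(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def find_proxy_bruteforce(log_text, exit_entries, threshold=2):
    """Return {source_ip: failed_logins} for listed exits at or above the threshold."""
    networks = load_exit_networks(exit_entries)
    failures = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(1)] += 1
    return {ip: n for ip, n in failures.items()
            if n >= threshold and is_proxy_exit(ip, networks)}


def find_proxy_logins(log_text, exit_entries):
    """Successful logins from a listed exit deserve review even without prior failures."""
    networks = load_exit_networks(exit_entries)
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m and is_proxy_exit(m.group(2), networks):
            hits.append((m.group(1), m.group(2)))
    return hits
```

In a real deployment the list would be fetched and refreshed periodically, and the matches forwarded to a SIEM rather than printed.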

🔔 Top News

Microsoft Patches Exploited Office Flaw — Microsoft issued out-of-band security patches for a high-severity Microsoft Office zero-day vulnerability exploited in attacks. The vulnerability, tracked as CVE-2026-21509, carries a CVSS score of 7.8 out of 10.0. It has been described as a security feature bypass in Microsoft Office. "Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally," the tech giant said in an advisory. "This update addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office, which protect users from vulnerable COM/OLE controls." Microsoft has not shared any details about the nature and the scope of attacks exploiting CVE-2026-21509.

🔥 Trending CVEs

New vulnerabilities surface daily, and attackers move fast. Reviewing and patching early keeps your systems resilient.

Here are this week's most critical flaws to check first — CVE-2026-24423 (SmarterTools SmarterMail), CVE-2026-1281, CVE-2026-1340 (Ivanti Endpoint Manager Mobile), CVE-2025-40536, CVE-2025-40537, CVE-2025-40551, CVE-2025-40552, CVE-2025-40553 (SolarWinds Web Help Desk), CVE-2026-22709 (vm2), CVE-2026-1470, CVE-2026-0863 (n8n), CVE-2026-24858 (Fortinet FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb), CVE-2026-21509 (Microsoft Office), CVE-2025-30248, CVE-2025-26465 (Western Digital), CVE-2025-56005 (PLY), CVE-2026-23864 (React Server Components), CVE-2025-14756 (TP-Link), CVE-2026-0755 (Google gemini-mcp-tool), CVE-2025-9142 (Check Point Harmony SASE), CVE-2026-1504 (Google Chrome), CVE-2025-12556 (IDIS IP cameras), CVE-2026-0818 (Mozilla Thunderbird), CVE-2025-52598, CVE-2025-52599, CVE-2025-52600, CVE-2025-52601, CVE-2025-8075 (Hanwha Wisenet cameras), CVE-2025-33217, CVE-2025-33218, CVE-2025-33219, CVE-2025-33220 (NVIDIA GPU Display Drivers), CVE-2025-0921 (Iconics Suite), CVE-2025-26385 (Johnson Controls), and SRC-2025-0001, SRC-2025-0002, SRC-2025-0003, SRC-2025-0004 (Samsung MagicINFO 9 Server).

📰 Around the Cyber World

Exposed C2 Server Reveals BYOB Infrastructure — Cybersecurity researchers have discovered an open directory on a command-and-control (C2) server at IP address 38.255.43[.]60 on port 8081, which has been found serving malicious payloads associated with the Build Your Own Botnet (BYOB) framework. "The open directory contained a complete deployment of the BYOB post-exploitation framework, including droppers, stagers, payloads, and multiple post-exploitation modules," Hunt.io said. "Analysis of the captured samples reveals a modular multi-stage infection chain designed to establish persistent remote access across Windows, Linux, and macOS platforms." The first stage is a dropper that implements multiple layers of obfuscation to evade signature-based detection, while fetching and executing an intermediate loader, which performs a series of security checks of its own before deploying the main remote access trojan (RAT) payload for reconnaissance and persistence. It also comes with capabilities to escalate privileges, log keystrokes, terminate processes, harvest emails, and inspect network traffic. Additional infrastructure linked to the threat actor has been found to host cryptocurrency mining payloads, indicating a two-pronged approach to compromising endpoints with different payloads.

🔧 Cybersecurity Tools

Vulnhalla: CyberArk open-sources a new tool that automates vulnerability triage by combining CodeQL analysis with AI models like GPT-4 or Gemini. It scans public code repositories, runs CodeQL queries to find potential issues, and then uses AI to decide which ones are real security flaws versus false positives. This helps developers and security teams quickly focus on genuine risks instead of wasting time sorting through noisy scan results.

OpenClaw: A personal AI assistant running in Cloudflare Workers, connecting to Telegram, Discord, and Slack with secure device pairing. It uses Claude via Anthropic API and optional R2 storage for persistence—showcasing how AI agents can run safely in a sandboxed, serverless Cloudflare setup.

Disclaimer: These tools are provided for research and educational use only. They are not security-audited and may cause harm if misused. Review the code, test in controlled environments, and comply with all applicable laws and policies.

Conclusion

Cybersecurity keeps moving fast. This week's stories show how attacks, defenses, and discoveries keep shifting the balance. Staying secure now means staying alert, reacting fast, and knowing what's changing around you.

The past few days proved that no one is too small to be a target and no system is ever fully safe. Every patch, every update, every fix counts — because threats don't wait.

Keep learning, stay cautious, and keep your guard up. The next wave of attacks is already forming.