⚡ Weekly Recap: Proxy Botnet, Office Zero-Day, MongoDB Ransoms, AI Hijacks & New Threats  Ravie Lakshmanan  Feb 02, 2026 Hacking News / Cybersecurity Every week brings new discoveries, attacks, and defenses that shape the state of cybersecurity. Some threats are stopped quickly, while others go unseen until they cause real damage. Sometimes a single update, exploit, or mistake changes how we think about risk and protection. Every incident shows how defenders adapt — and how fast attackers try to stay ahead. This week’s recap brings you the key moments that matter most, in one place, so you can stay informed and ready for what’s next. ⚡ Threat of the Week Google Disrupts IPIDEA Residential Proxy Network — Google has crippled IPIDEA, a massive residential proxy network consisting of user devices that are being used as the last-mile link in cyberattack chains. According to the tech giant, not only do these networks permit bad actors to conceal their malicious traffic, but they also open up users who enroll their devices to further attacks. Residential IP addresses in the U.S., Canada, and Europe were seen as the most desirable. Google pursued legal measures to seize or sinkhole domains used as command‑and‑control (C2) for devices enrolled in the IPIDEA proxy network, cutting off operators' ability to route traffic through compromised systems. The disruption is assessed to have reduced IPIDEA's available pool of devices by millions. The proxy software is either pre-installed on devices or may be willingly installed by users, lured by the promise of monetizing their available internet bandwidth. Once devices are registered in the residential proxy network, operators sell access to it to their customers. Numerous proxy and VPN brands, marketed as separate businesses, were controlled by the same actors behind IPIDEA. The proxy network also promoted several SDKs as app monetization tools, quietly turning user devices into proxy exit nodes without their knowledge or consent once embedded. IPIDEA has also been linked to large-scale brute-forcing attacks targeting VPN and SSH services as far back as early 2024. The team from Device and Browser Info has since released a list of all IPIDEA-linked proxy exit IPs. New Insights From 1800+ Security Leaders and Practitioners 99% of SOCs are already using AI, yet 81% say workloads increased in the past year. Teams have yet to unlock AI’s full impact. To find out why, Tines surveyed 1,800+ security leaders and practitioners worldwide for their biggest Voice of Security report yet. Get the Report ➝ 🔔 Top News Microsoft Patches Exploited Office Flaw — Microsoft issued out-of-band security patches for a high-severity Microsoft Office zero-day vulnerability exploited in attacks. The vulnerability, tracked as CVE-2026-21509, carries a CVSS score of 7.8 out of 10.0. It has been described as a security feature bypass in Microsoft Office. "Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally," the tech giant said in an advisory. "This update addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office, which protect users from vulnerable COM/OLE controls." Microsoft has not shared any details about the nature and the scope of attacks exploiting CVE-2026-21509. Ivanti Patches Exploited EPMM Flaws — Ivanti rolled out security updates to address two security flaws impacting Ivanti Endpoint Manager Mobile (EPMM) that have been exploited in zero-day attacks. The vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, relate to code injection, allowing attackers to achieve unauthenticated remote code execution. "We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure," Ivanti said in an advisory, adding it does not have enough information about the threat actor tactics to provide "reliable atomic indicators." As of January 30, 2026, a public working proof-of-concept exploit is available. "As EPMM is an endpoint management solution for mobile devices, the impact of an attacker compromising the EPMM server is significant," Rapid7 said . "An attacker may be able to access Personally Identifiable Information (PII) regarding mobile device users, such as their names and email addresses, but also their mobile device information, such as their phone numbers, GPS information, and other sensitive unique identification information." Poland Links Cyber Attack on Power System to Static Tundra — The Polish computer emergency response team revealed that coordinated cyber attacks targeted more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power plant (CHP) supplying heat to almost half a million customers in the country. CERT Polska said the incident took place on December 29, 2025, describing the attacks as destructive. The agency attributed the attacks to a threat cluster dubbed Static Tundra, which is also tracked as Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, Energetic Bear, Ghost Blizzard (formerly Bromine), and Havex. Static Tundra is assessed to be linked to Russia's Federal Security Service's (FSB) Center 16 unit. Prior reports from ESET and Dragos linked the attack with moderate confidence to a group that shares tactical overlaps with a cluster referred to as Sandworm. The group exhibits a deep understanding of electrical grid equipment and operations, strong proficiency in the industrial protocols used in power systems, and the ability to develop custom malware and wiper tools across IT and OT environments. The activity also reflects the adversary's grasp of substation operations and the operational dependencies within electrical systems. "Taking over these devices requires capabilities beyond simply understanding their technical flaws," Dragos said. "It requires knowledge of their specific implementation. The adversaries demonstrated this by successfully compromising RTUs at approximately 30 sites, suggesting they had mapped common configurations and operational patterns to exploit systematically." LLMJacking Campaign Targets Exposed AI Endpoints — Cybercriminals are searching for, hijacking, and monetizing exposed LLM and MCP endpoints at scale. The campaign, dubbed Operation Bizarre Bazaar, targets exposed or unprotected AI endpoints to hijack system resources, resell API access, exfiltrate data, and move laterally to internal systems. "The threat differs from traditional API abuse because compromised LLM endpoints can generate significant costs (inference is expensive), expose sensitive organizational data, and provide lateral movement opportunities," Pillar Security said. Organizations running self-hosted LLM infrastructure (Ollama, vLLM, local AI implementations) or deploying MCP servers for AI integrations face active targeting. Common misconfigurations that are under active exploitation include Ollama running on port 11434 without authentication, OpenAI-compatible APIs on port 8000, MCP servers accessible without access controls, development/staging AI infrastructure with public IPs, and production chatbot endpoints that lack authentication or rate limits. Access to the infrastructure is advertised on a marketplace that offers access to over 30 LLMs. Called silver[.]inc, it is hosted on bulletproof infrastructure in the Netherlands, and marketed on Discord and Telegram, with payments made via cryptocurrency or PayPal. Chinese Threat Actors Use PeckBirdy Framework — China-aligned threat actors have been using a cross-platform, multifunction JScript framework called PeckBirdy to conduct cyber espionage attacks since 2023, augmenting their activities with modular backdoors in two separate campaigns targeting gambling sites and government entities. The command-and-control (C2) framework, written in Microsoft's JScript legacy language, is aimed at flexible deployment by enabling execution across multiple environments, including web browsers, MSHTA, WScript, Classic ASP, Node JS, and .NET (ScriptControl). ‎️‍🔥 Trending CVEs New vulnerabilities surface daily, and attackers move fast. Reviewing and patching early keeps your systems resilient. Here are this week’s most critical flaws to check first — CVE-2026-24423 (SmarterTools SmarterMail), CVE-2026-1281, CVE-2026-1340 (Ivanti Endpoint Manager Mobile), CVE-2025-40536, CVE-2025-40537, CVE-2025-40551, CVE-2025-40552, CVE-2025-40553 (SolarWinds Web Help Desk), CVE-2026-22709 (vm2), CVE-2026-1470, CVE-2026-0863 (n8n), CVE-2026-24858 (Fortinet FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb), CVE-2026-21509 (Microsoft Office), CVE-2025-30248 , CVE-2025-26465 (Western Digital), CVE-2025-56005 (PLY), CVE-2026-23864 (React Server Components), CVE-2025-14756 (TP-Link), CVE‑2026‑0755 (Google gemini-mcp-tool), CVE-2025-9142 (Check Point Harmony SASE), CVE-2026-1504 (Google Chrome), CVE-2025-12556 (IDIS IP cameras), CVE-2026-0818 (Mozilla Thunderbird), CCVE-2025-52598, CVE-2025-52599, CVE-2025-52600, CVE-2025-52601, CVE-2025-8075 (Hanwha Wisenet cameras), CVE-2025-33217, CVE-2025-33218, CVE-2025-33219, CVE-2025-33220 (NVIDIA GPU Display Drivers), CVE-2025-0921 (Iconics Suite), CVE-2025-26385 (Johnson Controls), and SRC-2025-0001, SRC-2025-0002 , SRC-2025-0003, SRC-2025-0004 (Samsung MagicINFO 9 Server). 📰 Around the Cyber World Exposed C2 Server Reveals BYOB Infrastructure — Cybersecurity researchers have discovered an open directory on a command-and-control (C2) server at IP address 38.255.43[.]60 on port 8081, which has been found serving malicious payloads associated with the Build Your Own Botnet ( BYOB ) framework. "The open directory contained a complete deployment of the BYOB post-exploitation framework, including droppers, stagers, payloads, and multiple post-exploitation modules," Hunt.io said . "Analysis of the captured samples reveals a modular multi-stage infection chain des