Ankura CTIX FLASH Update – February 6, 2026

Malware Activity

Understanding Recent Cyber Threats Targeting Servers and Security Systems

Recent cybersecurity reports reveal that hackers are cleverly exploiting vulnerabilities in popular server management tools like NGINX and Baota Panel to redirect website traffic without detection. They inject malicious configurations into server files, especially targeting sites with Asian domains and government or educational sites, allowing them to secretly gather data or gain control over traffic. These attackers often use sophisticated scripts to maintain long-term access, making their activities hard to spot with regular security checks. Additionally, cybercriminals are exploiting outdated drivers, such as a revoked EnCase kernel driver, to disable security tools and bypass endpoint protections. They use fake updates and stolen VPN credentials to gain deep system access, aiming to kill security processes and stay hidden.  CTIX analysts will continue to report on the latest malware strains and attack methodologies.

• BleepingComputer: Hackers Compromise NGINX Servers To Redirect User Traffic article
• TheHackerNews: Malicious NGINX Configurations Enable Large-Scale Web Traffic Hijacking Campaign article
• BleepingComputer: EDR Killer Tool Uses Signed Kernel Driver from Forensic Software article

---

Threat Actor Activity

Asia State-Sponsored Cyberespionage Shadow Campaign Targets Critical Infrastructure Globally

Palo Alto Networks has identified a state-sponsored cyberespionage group, labeled TGR-STA-1030, conducting what is being dubbed as the Shadow Campaign against government and critical infrastructure across thirty-seven (37) countries. The group is believed to operate out of Asia, aligning with the GMT+8 time zone, and fits the profile of a Chinese threat actor, as reported by Palo Alto Networks. Since early 2025, TGR-STA-1030 has compromised at least seventy (70) organizations and targeted government infrastructure in 155 countries. Their targets include national law enforcement, border control agencies, finance ministries, and departments of trade, natural resources, and diplomacy. The group employs sophisticated email phishing to gain initial access, deploying a malware loader that only checks for five (5) security products to evade detection. Among their tools is ShadowGuard, a Linux kernel rootkit that allows for undetected data modification. Although they have not exploited zero-day vulnerabilities, the group attempts to exploit known flaws in products from Microsoft, SAP, Atlassian, D-Link, Apache, Commvault, and others. The scale and methods of TGR-STA-1030 pose significant long-term threats to national security and key services. CTIX Analyst will continue to monitor the latest emerging threat actor activities and campaigns.

• Security Week: TGR-STA-1030 Article
• Palo Alto Networks: Shadow Campaign Report

---

Vulnerabilities

Patch Bypass in n8n Enables Remote Code Execution and Full Server Compromise Risk

Multiple critical vulnerabilities in the n8n workflow automation platform expose organizations to severe compromise scenarios by allowing authenticated users with workflow permissions to escape the application sandbox and execute arbitrary system commands on the host server. The flaw attack chain, collectively tracked as

, stems from inadequate sanitization and incomplete AST-based sandboxing of user-written JavaScript expressions, effectively bypassing protections introduced for the earlier and highlighting a deeper mismatch between TypeScript’s compile-time checks and JavaScript’s runtime behavior that attackers can exploit to evade security controls. Researchers demonstrated that successful exploitation could grant filesystem access, enable credential and API key theft, facilitate lateral movement into internal and cloud environments, hijack AI workflows, and potentially expose data across tenants in multi-tenant deployments (particularly when combined with publicly accessible webhooks that allow remote triggering of malicious workflows). Security experts state that “if you can create a workflow, you can own the server,” underscoring the low barrier to exploitation once privileges are obtained. Additional critical flaws (including command injection in the Git node, arbitrary file write via the Merge node, stored cross-site scripting enabling session hijacking, and a path traversal bug that could lead to RCE on downstream systems) further expand the attack surface and reinforce concerns about systemic input validation weaknesses within automation features. Although there are no confirmed reports of widespread exploitation, researchers caution that workflow automation platforms increasingly represent high-value infrastructure targets due to their deep integrations with sensitive systems and credentials. CTIX analysts strongly advise organizations to upgrade to patched versions (1.123.17 and 2.5.2 or later), rotate encryption keys and stored secrets, audit workflows for suspicious expressions, restrict workflow creation to trusted users, and deploy hardened environments to reduce the likelihood and impact of compromise.

• Bleeping Computer: CVE-2026-25049 Article
• The Hacker News: CVE-2026-25049 Article

📧 Never Miss a Briefing

Stay informed and secure. Subscribe to Ankura’s Cyber Flash Update, a bi-weekly briefing curated by our top cybersecurity experts. Receive timely insights on emerging threats, vulnerabilities and malicious actors to keep your systems secure. 

Join the Cyber Flash Update community today.

^{© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.}