Content
01. News Bites
- 30 sites were impacted in cyber attack against Poland’s energy infrastructure, researchers reveal
- eScan antivirus update infrastructure compromised to push malicious update
- SoundCloud data breach impacts 29.8 million accounts
- Critical SolarWinds Web Help Desk flaws patched
- Microsoft Office zero-day exploited, emergency updates deployed
02. Conclusion
30 sites were impacted in cyber attack against Poland’s energy infrastructure, researchers reveal
In late December, a coordinated cyber attack targeted Poland’s decentralised energy infrastructure, hitting multiple distributed energy resource sites including combined heat and power facilities and wind and solar dispatch systems. While attackers damaged operational technology equipment beyond repair, power delivery was not disrupted. The affected capacity totalled around 1.2 GW, roughly 5 percent of national supply.
Public reporting confirms at least 12 impacted sites, though Dragos researchers believe the true number is closer to 30. Crucially, the absence of blackouts should not be seen as reassurance. Instead, it highlights the growing exposure of decentralised energy systems to targeted OT attacks.
Researchers attributed the activity with moderate confidence to a Russian-linked threat actor known as Electrum, distinct from but overlapping with APT44. The group demonstrated deep operational knowledge, disabling communications, corrupting OT devices, and wiping Windows systems. While a nationwide blackout was unlikely, researchers warn that frequency destabilisation could have triggered cascading failures, echoing previous European grid incidents.
eScan antivirus update infrastructure compromised to push malicious update
MicroWorld Technologies has confirmed that one of its regional eScan update servers was breached and used to distribute a malicious file to a limited number of customers during a two-hour window on 20 January 2026. The incident affected only systems that pulled updates from the impacted regional cluster, with the company stressing that the eScan product itself was not vulnerable.
According to eScan, unauthorised access to update server configuration allowed a corrupt binary to be placed into the update path. The affected infrastructure was isolated within hours, rebuilt, and credentials rotated, with customer notifications and remediation issued shortly afterwards.
Researchers independently analysed the activity, reporting that a modified update component was used to deploy multi-stage malware, disable further updates, and establish command-and-control access. While the two parties dispute the timeline of discovery, both recommend that customers apply the remediation updates and block the associated command-and-control infrastructure to reduce ongoing risk.
SoundCloud data breach impacts 29.8 million accounts
SoundCloud has confirmed a major data breach affecting approximately 29.8 million user accounts, following unauthorised access to one of its ancillary service dashboards in December. Founded in 2007, the audio streaming platform hosts more than 400 million tracks from over 40 million artists worldwide, making the scale of exposure significant.
The company stated that no passwords or financial data were accessed. However, the stolen information included email addresses, names, usernames, profile statistics, avatars and, in some cases, geographic location data. Much of this information was already publicly visible on profiles, but the incident allowed attackers to map it directly to email addresses at scale.
Data breach notification service Have I Been Pwned confirmed the full extent of the exposure this week. SoundCloud has since acknowledged that the ShinyHunters extortion group was responsible, with attackers attempting to extort the company and using email flooding tactics to harass users and staff.
The incident highlights the growing risk of large scale data aggregation attacks, even where only limited datasets are involved.
Critical SolarWinds Web Help Desk flaws patched
SolarWinds has released urgent security updates addressing multiple critical vulnerabilities in its Web Help Desk (WHD) software, including authentication bypass and remote command execution flaws that could be exploited by unauthenticated attackers. The patched issues include two authentication bypass vulnerabilities and two separate remote code execution flaws, all rated critical severity and exploitable in low complexity attacks.
Researchers reported the vulnerabilities, highlighting weaknesses that could allow attackers to execute commands remotely without valid credentials. SolarWinds also fixed a high severity hardcoded credentials issue that, in certain conditions, could grant unauthorised access to administrative functions.
Administrators are being urged to upgrade to Web Help Desk version 2026.1 as soon as possible. The warning is particularly acute given Web Help Desk’s history of active exploitation, with previous flaws added to CISA’s Known Exploited Vulnerabilities catalogue.
With WHD widely deployed across government, healthcare, education and large enterprises, the updates underline the ongoing risk posed by exposed IT management platforms and the importance of rapid patching.
Microsoft Office zero-day exploited, emergency updates deployed
Microsoft has released emergency out-of-band security updates to address CVE-2026-21509, a zero-day vulnerability in Microsoft Office that is being actively exploited in the wild. The flaw allows attackers to bypass key security protections designed to block unsafe COM and OLE controls by abusing how Office handles untrusted input during security decisions.
Rated Important with a CVSS score of 7.8, the vulnerability requires user interaction, typically through phishing or social engineering that convinces a victim to open a malicious Office file. While the attack does not require privileges and is low complexity, successful exploitation can have severe impacts on confidentiality, integrity, and availability.
Microsoft confirmed exploitation through its Threat Intelligence Centre, making this the second actively exploited Office zero-day patched this month. The issue affects both legacy and current Office versions.
Organisations are strongly advised to prioritise patching, ensure automatic updates are enabled, and increase monitoring for suspicious Office attachments and anomalous COM or OLE behaviour.
If you are worried about any of the threats outlined in this bulletin, or need help determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or, alternatively, get in touch to find out how you can protect your organisation.
Disclaimer
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.