CyberHappenings

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

News Summary

Last updated: 20:30 26/02/2026 UTC
  • Scarcruft (APT37) Ransomware Campaign Targets South Korea The Contagious Interview campaign has expanded its tactics with three new execution paths for delivering in-memory JavaScript malware via malicious Next.js repositories, as detailed in a February 2026 Microsoft report. The campaign now uses (1) auto-execution via VS Code’s `tasks.json` (triggered by `runOn: "folderOpen"`), (2) build-time payloads embedded in modified libraries (e.g., `jquery.min.js`) activated during `npm run dev`, and (3) server startup scripts that exfiltrate environment variables and fetch attacker-controlled code. These methods converge on a memory-resident JavaScript payload that profiles hosts, registers with a C2 server for a unique `instanceId`, and deploys a second-stage controller for persistent access, discovery, and exfiltration—all while minimizing disk traces. This evolution follows earlier waves, including malicious VS Code projects (January 2026) and EtherRAT’s exploitation of React2Shell (December 2025), but introduces greater operational resilience through alternative staging infrastructure (GitHub gists, URL shorteners, blockchain-based NFT contracts) and multi-platform payloads (Node.js, Python, and npm dependencies like `eslint-validator`). The campaign continues to target cryptocurrency/Web3 developers and global tech sectors, leveraging job-themed lures, fraudulent IT worker networks (WageMole), and collaboration with North Korea’s financial fraud ecosystem. GitLab’s recent ban of 131 accounts tied to the campaign—along with the discovery of a $1.64M revenue-tracking project—highlights the operation’s structured, enterprise-scale coordination, blending espionage, financial theft, and persistent access brokerage.
  • UNC2814 Campaign Targeting Telecom and Government Networks A suspected Chinese threat actor, tracked as UNC2814, has conducted a global espionage campaign since at least 2017, targeting telecom and government networks. The campaign has impacted 53 organizations in 42 countries, with suspected infections in at least 20 more. The actor deployed a new C-based backdoor named GRIDTIDE, which abuses the Google Sheets API for command-and-control (C2) operations. The initial access vector is unknown, but previous exploits involved flaws in web servers and edge systems. GRIDTIDE performs host reconnaissance and supports commands for executing bash commands, uploading, and downloading files. Google, Mandiant, and partners disrupted the campaign by terminating associated Google Cloud projects and disabling known infrastructure. Organizations impacted by GRIDTIDE were notified, and support was offered to clean the infections. Google expects UNC2814 to resume activity using new infrastructure in the near future.
  • Trend Micro Apex One Management Console 0-Day Exploited Trend Micro has disclosed and patched two critical vulnerabilities, CVE-2025-71210 and CVE-2025-71211, in its on-premise Apex One Management Console. These vulnerabilities allow for remote code execution (RCE) on vulnerable Windows systems. Trend Micro has released Critical Patch Build 14136 to address these vulnerabilities, which also fixes two high-severity privilege escalation flaws in the Windows agent and four more affecting the macOS agent. The vulnerabilities are due to path traversal weaknesses in the management console and require attackers to have access to it. Previously, Trend Micro disclosed two other critical vulnerabilities, CVE-2025-54948 and CVE-2025-54987, which were actively exploited in the wild. These vulnerabilities allowed for command injection and remote code execution. Trend Micro has released temporary mitigations and is urging users to apply them immediately to protect against potential attacks.
  • Ransomware Payment Rate Declines Amid Rising Attacks The percentage of ransomware victims paying threat actors dropped to 28% in 2025, the lowest recorded, despite a 50% increase in attacks. Total on-chain payments reached $820 million, with projections exceeding $900 million. Factors like improved incident response, regulatory scrutiny, and law enforcement actions contributed to the decline. The median ransom payment surged by 368%, indicating larger payouts from fewer victims. The number of active extortion groups rose to 85, with notable attacks on Jaguar Land Rover, Marks & Spencer, and DaVita Inc. The U.S. remained the most targeted country. The ransomware payment rate has been declining for four consecutive years, and the average price for network access declined from $1,427 in Q1 2023 to $439 in Q1 2026.
  • Microsoft Rolls Out Windows Backup for Organizations Microsoft has expanded the Windows Backup for Organizations feature to support more enterprise devices. The first sign-in restore experience now allows users to restore settings and Microsoft Store apps on first login to a new or reimaged Windows 11 device, extending support to hybrid-managed environments, multi-user device setups, and Windows 365 Cloud PCs. Originally announced in October 2025, Windows Backup for Organizations is designed to simplify backups and facilitate the transition to Windows 11. The feature is available for Entra-joined devices after installing the September 2025 Windows Monthly Cumulative Update. It backs up Windows settings, preferences, and Microsoft Store-installed apps on Windows 10 and Windows 11 systems, and restores them on Windows 11 PCs during device setup. Data is stored in the Exchange Online cloud, with encryption and strict access controls. The feature must be enabled by IT administrators via backup and restore policy settings.
  • ManoMano Data Breach Affects 38 Million Customers via Third-Party Service Provider ManoMano, a European DIY e-commerce platform, disclosed a data breach impacting 38 million customers. The breach occurred in January 2026 due to unauthorized access to a third-party customer service provider. Exposed data includes full names, email addresses, phone numbers, and customer service communications. No account passwords were compromised. The company has taken steps to secure its environment and notified relevant authorities and affected customers. The breach was claimed by an individual using the alias 'Indra' on a hacker forum, alleging the theft of 37.8 million user accounts and thousands of support tickets. The compromised service provider is reportedly a Tunis-based customer support firm that suffered a Zendesk breach.
  • Critical Juniper Networks PTX Router Vulnerability (CVE-2026-21902) A critical vulnerability (CVE-2026-21902) in Juniper Networks' Junos OS Evolved, affecting PTX Series routers, allows unauthenticated remote code execution with root privileges. The flaw stems from incorrect permission assignment in the 'On-Box Anomaly Detection' framework, which is exposed over an external port by default. Successful exploitation could lead to full router takeover. The issue impacts versions before 25.4R1-S1-EVO and 25.4R2-EVO, with fixes available in newer versions. Juniper Networks has not observed active exploitation as of the advisory's publication.
Last updated: 16:00 26/02/2026 UTC
  • US Charges 87 in ATM Jackpotting Conspiracy Linked to Venezuelan Crime Syndicate The US has charged 87 individuals in a conspiracy involving ATM jackpotting fraud, linked to the Venezuelan crime syndicate Tren de Aragua. The defendants allegedly used Ploutus malware to hack ATMs, causing $40.73 million in losses by August 2025. The conspiracy involved surveillance, malware deployment, and money laundering to fund further criminal activities. In July 2025, the U.S. government sanctioned key members of Tren de Aragua, including Hector Rusthenford Guerrero Flores, for their involvement in various criminal activities. Two Venezuelan nationals, Luz Granados and Johan Gonzalez-Jimenez, were convicted of stealing hundreds of thousands of dollars from U.S. banks using ATM jackpotting and will be deported after serving their sentences. The FBI reported 1,900 ATM jackpotting incidents since 2020, with 700 occurring in 2025, and losses of more than $20 million in 2025 due to these incidents. Threat actors exploit the eXtensions for Financial Services (XFS) API to bypass bank authorization and control ATMs. Ploutus malware interacts directly with ATM hardware, bypassing the original ATM software's security. The FBI recommends physical security measures, hardware security, logging, auditing, IP whitelisting, endpoint detection and response, threat intelligence sharing, and updated security awareness training to mitigate jackpotting risks.
  • Unauthenticated Remote Code Execution in Grandstream GXP1600 VoIP Phones A critical vulnerability (CVE-2026-2329) in Grandstream GXP1600 series VoIP phones allows unauthenticated remote code execution (RCE) with root privileges. The flaw, a stack-based buffer overflow, stems from the device's web-based API service. The vulnerability affects multiple GXP1600 models and has been addressed in firmware version 1.0.7.81. Exploiting this flaw could enable attackers to extract stored credentials, intercept phone calls, and eavesdrop on VoIP conversations. The issue was discovered by Rapid7 researcher Stephen Fewer and demonstrated via a Metasploit exploit module. The exploitation process involves writing multiple null bytes to construct a return-oriented programming (ROP) chain, allowing attackers to silently eavesdrop on communications.
  • Starkiller Phishing Kit Bypasses MFA via Proxy-Based Attacks A new phishing kit called Starkiller has emerged, allowing attackers to bypass multi-factor authentication (MFA) by proxying legitimate login pages. The kit is distributed as a subscription-based service on the dark web, offering real-time session monitoring and keylogging capabilities. It mimics login pages of major services like Google, Microsoft, and banks, routing traffic through attacker-controlled infrastructure to steal credentials and authentication tokens. Starkiller uses Docker containers running headless Chrome instances to serve genuine page content, making it difficult for security vendors to detect or block. The toolkit is sold with updates and customer support, posing a significant escalation in phishing infrastructure. The service is part of a broader cybercrime offering by a threat group called Jinkusu, which provides additional features such as email harvesting and campaign analytics.
  • Silver Fox Exploits Microsoft-Signed WatchDog Driver to Deploy ValleyRAT Malware The threat actor Silver Fox has been exploiting a previously unknown vulnerable driver associated with WatchDog Anti-malware to deploy ValleyRAT malware. The driver, 'amsdk.sys' (version 1.0.600), is a validly signed Windows kernel device driver built on the Zemana Anti-Malware SDK. This driver allows arbitrary process termination and local privilege escalation, enabling the attackers to neutralize endpoint protection products and deploy the ValleyRAT remote access trojan. The campaign, first observed in late May 2025, targets Chinese-speaking victims using various social engineering techniques and trojanized software. The WatchDog driver has been patched, but attackers have adapted by modifying the driver to bypass hash-based blocklists. Silver Fox, also known as SwimSnake and UTG-Q-1000, is highly active and organized, targeting domestic users and companies to steal secrets and defraud victims.
    A newly identified cryptojacking campaign has been uncovered, spreading through pirated software installers. This campaign deploys system-level malware using a customised XMRig miner and a controller component for persistence. The controller, named Explorer.exe, functions as a state-driven orchestrator. The malware includes a hardcoded expiration date of December 23, 2025, for self-removal. The campaign uses a vulnerable signed driver, WinRing0x64.sys, to gain kernel-level access and modifies CPU registers to disable hardware prefetchers, boosting mining performance. The campaign connects to the Kryptex mining pool at xmr-sg.kryptex.network:8029. The cryptojacking campaign uses pirated software bundles as lures to deploy a bespoke XMRig miner program on compromised hosts. The malware exhibits worm-like capabilities, spreading across external storage devices, enabling lateral movement even in air-gapped environments.
    The binary acts as the central nervous system of the infection, serving different roles as an installer, watchdog, payload manager, and cleaner. The malware features a modular design that separates the monitoring features from the core payloads responsible for cryptocurrency mining, privilege escalation, and persistence. The malware includes a logic bomb that operates by retrieving the local system time and comparing it against a predefined timestamp. The hard deadline of December 23, 2025, indicates that the campaign was designed to run indefinitely on compromised systems. The malware uses a legitimate Windows Telemetry service executable to sideload the miner DLL. The malware uses a legitimate but flawed driver (WinRing0x64.sys) as part of a technique called bring your own vulnerable driver (BYOVD). The driver is susceptible to a vulnerability tracked as CVE-2020-14979 (CVSS score: 7.8) that allows privilege escalation. The integration of this exploit into the XMRig miner is to have greater control over the CPU's low-level configuration and boost the mining performance by 15% to 50%. The mining activity took place, albeit sporadically, throughout November 2025, before spiking on December 8, 2025.
  • Odido Data Breach Exposes 6.2 Million Customer Records Dutch telecommunications provider Odido suffered a cyberattack that exposed personal data of 6.2 million customers. The breach occurred in their customer contact system, but no passwords, call logs, or billing information were affected. The company detected the incident on February 7 and has since taken steps to secure their systems and notify affected customers. The exposed data includes full names, addresses, mobile numbers, customer numbers, email addresses, IBANs, dates of birth, and identification data. Odido has reported the breach to the Dutch Data Protection Authority and is working with external cybersecurity experts to mitigate the incident. The ShinyHunters extortion gang has claimed responsibility for the breach, stating they have stolen nearly 21 million records, including internal corporate data and plaintext passwords. Odido has denied these claims, asserting that no passwords or sensitive data were compromised.
  • North Korean State Actors Exploit Fake Employee Schemes to Infiltrate Companies North Korean state actors have been using fake or stolen identities to secure IT jobs in various companies, particularly in the blockchain and technology sectors. These actors have stolen virtual currency and funneled money to North Korea's weapons program. The practice has escalated with the rise of remote work and AI, enabling fraudsters to impersonate employees and gain privileged access to company networks. Labyrinth Chollima, a prolific North Korean-linked cyber threat group, has recently evolved into three distinct hacking groups: Labyrinth Chollima, Golden Chollima, and Pressure Chollima. Labyrinth Chollima continues to focus on cyber espionage, targeting industrial, logistics, and defense companies, while Golden Chollima and Pressure Chollima have shifted towards targeting cryptocurrency entities. Each group uses distinct toolsets in their malware campaigns, all evolutions of the same malware framework used by Labyrinth Chollima in the 2000s and 2010s. A joint investigation led by Mauro Eldritch, founder of BCA LTD, conducted together with threat-intel initiative NorthScan and ANY.RUN, uncovered a network of remote IT workers tied to Lazarus Group's Famous Chollima division. Researchers captured live activity of Lazarus operators on what they believed were real developer laptops, which were actually fully controlled, long-running sandbox environments created by ANY.RUN. Thousands of North Korean IT workers have infiltrated the job market over the past two years, exploiting vulnerabilities in hiring processes and remote work environments. Over 320 cases of North Korean operatives infiltrating companies by posing as remote IT workers were identified in August 2025. The Justice Department has shut down several laptop farms used by these actors, but the problem persists, with security experts warning of significant security risks and financial losses for affected companies.
    The U.S. Treasury's Office of Foreign Assets Control (OFAC) has recently sanctioned two individuals and two entities for their role in these schemes, identifying financial transfers worth nearly $600,000 and over $1 million in profits generated since 2021. Japan, South Korea, and the United States are collaborating to combat North Korean IT worker schemes. The three countries held a joint forum on August 26, 2025, in Tokyo to improve collaboration, with both Japan and South Korea issuing updated advisories on the threat. The United States sanctioned four entities for their roles in the IT worker fraud schemes, accusing them of working to help the Democratic People's Republic of Korea (DPRK) to generate revenue. Recently, five U.S. citizens pleaded guilty to assisting North Korea's illicit revenue generation schemes by enabling IT worker fraud. The scheme impacted more than 136 U.S. victim companies, generated more than $2.2 million in revenue for the DPRK regime, and compromised the identities of more than 18 U.S. persons. The US government has seized $15m worth of gains in Tether (USDT) from APT38 actors, seeking to return the funds to their rightful owners. North Korean IT recruiters target and lure developers into renting their identities for illicit fundraising. Famous Chollima, part of North Korea’s state-sponsored Lazarus group, uses deep fake videos and avoids appearing on camera during interviews. Legitimate engineers are recruited to act as figureheads in DPRK agents’ operations to secure remote jobs at targeted companies. Compromised engineers receive a percentage of the salary, between 20% and 35%, for the duration of the contract. DPRK agents use compromised engineers' computers as proxies for malicious activities to hide their location and traces. North Korean recruiters use AI-powered tools like AIApply, Simplify Copilot, Final Round AI, and Saved Prompts to autofill job applications and create resumes.
    The threat actor used Astrill VPN, a popular service among North Korean fake IT workers, for remote connections. The Famous Chollima team involved in this operation consisted of six members, who used the names Mateo, Julián, Aaron, Jesús, Sebastián, and Alfredo. The DPRK IT worker scheme is also tracked as Jasper Sleet, PurpleDelta, and Wagemole. The scheme aims to generate revenue, conduct espionage, and in some cases, demand ransoms. DPRK IT workers transfer cryptocurrency through various money laundering techniques, including chain-hopping and token swapping. Norwegian businesses have been impacted by IT worker schemes, with salaries likely funding North Korea's weapons and nuclear programs. A campaign dubbed Contagious Interview uses fake hiring flows to lure targets into executing malicious code. The campaign employs EtherHiding, a technique using blockchain smart contracts to host and retrieve command-and-control infrastructure. New variants of the Contagious Interview campaign use malicious Microsoft VS Code task files to execute JavaScript malware. The Koalemos RAT campaign involves malicious npm packages to deploy a modular JavaScript remote access trojan (RAT) framework. Oleksandr Didenko, a 39-year-old Ukrainian national, was sentenced to five years in prison for providing North Korean IT workers with stolen identities to infiltrate U.S. companies. Didenko pleaded guilty to aggravated identity theft and wire fraud conspiracy in November 2025 and was arrested in Poland in May 2024. Didenko provided North Korean remote workers with at least 871 proxy identities and proxy accounts on three freelance IT hiring platforms. Didenko facilitated the operation of at least eight 'laptop farms' in Virginia, Tennessee, California, Florida, Ecuador, Poland, and Ukraine. Christina Marie Chapman, a 50-year-old woman from Arizona, was sentenced to 102 months in prison for running a 'laptop farm' from her home between October 2020 and October 2023.

Latest updates


Google API Keys Expose Gemini AI Data

First: 26.02.2026 22:55 · 📰 1 src / 1 article

Google API keys, previously considered harmless, now expose Gemini AI data due to a privilege escalation. Researchers found nearly 3,000 exposed keys across various sectors, including Google itself. These keys can authenticate to Gemini AI and access private data, potentially leading to significant financial losses for victims.

Aeternum Botnet Adopts Polygon Blockchain for Command and Control

Updated: 26.02.2026 20:00 · First: 26.02.2026 18:00 · 📰 2 src / 3 articles

The Aeternum botnet loader has shifted its command-and-control (C2) operations to the Polygon blockchain, eliminating traditional central servers. This move makes it harder for authorities and security firms to disrupt the botnet by seizing infrastructure. The botnet uses smart contracts on the blockchain to issue commands, which are publicly recorded and immutable. Aeternum is a native C++ loader available in x32 and x64 builds. Operators manage infections via a web dashboard that allows them to select a smart contract, choose a command type, and specify a payload URL. Commands are written to the blockchain as transactions and are accessible to bots querying over 50 remote procedure call endpoints. The botnet's use of blockchain-based C2 complicates traditional takedown strategies, as there is no central infrastructure to seize. Commands stored on-chain are permanent and globally accessible, making proactive DDoS mitigation more critical. The threat actor LenAI has attempted to sell the entire Aeternum toolkit for $10,000, claiming a lack of time for support and involvement in another project. LenAI is also behind a second crimeware solution called ErrTraffic.

Trend Micro Apex One Management Console 0-Day Exploited

Updated: 26.02.2026 19:58 · First: 11.08.2025 14:53 · 📰 2 src / 3 articles

Trend Micro has disclosed and patched two critical vulnerabilities, CVE-2025-71210 and CVE-2025-71211, in its on-premise Apex One Management Console. These vulnerabilities allow for remote code execution (RCE) on vulnerable Windows systems. Trend Micro has released Critical Patch Build 14136 to address these vulnerabilities, which also fixes two high-severity privilege escalation flaws in the Windows agent and four more affecting the macOS agent. The vulnerabilities are due to path traversal weaknesses in the management console and require attackers to have access to it. Previously, Trend Micro disclosed two other critical vulnerabilities, CVE-2025-54948 and CVE-2025-54987, which were actively exploited in the wild. These vulnerabilities allowed for command injection and remote code execution. Trend Micro has released temporary mitigations and is urging users to apply them immediately to protect against potential attacks.

ManoMano Data Breach Affects 38 Million Customers via Third-Party Service Provider

First: 26.02.2026 19:35 · 📰 1 src / 1 article

ManoMano, a European DIY e-commerce platform, disclosed a data breach impacting 38 million customers. The breach occurred in January 2026 due to unauthorized access to a third-party customer service provider. Exposed data includes full names, email addresses, phone numbers, and customer service communications. No account passwords were compromised. The company has taken steps to secure its environment and notified relevant authorities and affected customers. The breach was claimed by an individual using the alias 'Indra' on a hacker forum, alleging the theft of 37.8 million user accounts and thousands of support tickets. The compromised service provider is reportedly a Tunis-based customer support firm that suffered a Zendesk breach.

Critical Juniper Networks PTX Router Vulnerability (CVE-2026-21902)

First: 26.02.2026 18:42 · 📰 1 src / 1 article

A critical vulnerability (CVE-2026-21902) in Juniper Networks' Junos OS Evolved, affecting PTX Series routers, allows unauthenticated remote code execution with root privileges. The flaw stems from incorrect permission assignment in the 'On-Box Anomaly Detection' framework, which is exposed over an external port by default. Successful exploitation could lead to full router takeover. The issue impacts versions before 25.4R1-S1-EVO and 25.4R2-EVO, with fixes available in newer versions. Juniper Networks has not observed active exploitation as of the advisory's publication.

Olympique Marseille confirms cyberattack after data leak

First: 26.02.2026 18:11 · 📰 1 src / 1 article

Olympique de Marseille, a French football club, confirmed an attempted cyberattack after a threat actor claimed to have breached the club's systems earlier in February 2026. The attacker leaked a sample of allegedly stolen data, including information on 400,000 individuals, on a hacking forum. The club reassured that no banking details or passwords were compromised and advised fans to remain vigilant against phishing attempts. The threat actor claims the stolen database contains names, addresses, email addresses, mobile phone numbers, and order information, as well as details on 2,050 Drupal CMS accounts, including 34 staff members and 1,770 contributors and moderators. The club has reported the incident to the French data protection authority (CNIL) and filed a complaint.

UAT-10027 Campaign Targets U.S. Education and Healthcare with Dohdoor Backdoor

First: 26.02.2026 17:17 · 📰 1 src / 1 article

A previously undocumented threat activity cluster, tracked as UAT-10027, has been targeting U.S. education and healthcare sectors since at least December 2025. The campaign delivers a new backdoor named Dohdoor, which uses DNS-over-HTTPS (DoH) for command-and-control (C2) communications. The initial access vector is suspected to involve social engineering phishing techniques, leading to the execution of a PowerShell script that downloads and runs a malicious DLL. The backdoor is launched via DLL side-loading using legitimate Windows executables. The threat actor hides C2 servers behind Cloudflare infrastructure to evade detection. Dohdoor also unhooks system calls to bypass endpoint detection and response (EDR) solutions. While there are tactical similarities to Lazarus Group malware, the victimology differs from typical Lazarus targets.

Darktrace Detects 32 Million Phishing Emails in 2025 as Identity Attacks Surge

First: 26.02.2026 17:00 · 📰 1 src / 1 article

Darktrace detected over 32 million high-confidence phishing emails in 2025, indicating a significant rise in identity-driven cyber threats. The report highlights the increasing sophistication of phishing tactics, including the use of newly created domains, malicious QR codes, and novel social engineering techniques. Identity compromise has overtaken vulnerability exploitation as the primary entry vector, with attackers leveraging stolen credentials and hijacked tokens to gain access. The report also reveals regional and sector-specific trends, with the Americas accounting for 47% of global security events and manufacturing being a major target for ransomware.

Increased Speed and Sophistication in Cyber Threats

First: 26.02.2026 16:28 · 📰 1 src / 1 article

Cyber threats are evolving with increased speed and sophistication, blending into everyday activities such as ads, meeting invites, and software updates. Attackers are exploiting small gaps, delayed patches, misplaced trust, and rushed clicks to establish control more quickly and make cleanup harder.

Ransomware Payment Rate Declines Amid Rising Attacks

Updated: 26.02.2026 16:00 · First: 26.02.2026 16:00 · 📰 2 src / 2 articles

The percentage of ransomware victims paying threat actors dropped to 28% in 2025, the lowest recorded, despite a 50% increase in attacks. Total on-chain payments reached $820 million, with projections exceeding $900 million. Factors like improved incident response, regulatory scrutiny, and law enforcement actions contributed to the decline. The median ransom payment surged by 368%, indicating larger payouts from fewer victims. The number of active extortion groups rose to 85, with notable attacks on Jaguar Land Rover, Marks & Spencer, and DaVita Inc. The U.S. remained the most targeted country. The ransomware payment rate has been declining for four consecutive years, and the average price for network access declined from $1,427 in Q1 2023 to $439 in Q1 2026.

87% of Organizations Have Exploitable Software Vulnerabilities in Production

First: 26.02.2026 16:00 · 📰 1 src / 1 article

A report by Datadog reveals that 87% of organizations have at least one exploitable software vulnerability in production, affecting 40% of all services. Vulnerabilities are most common in Java (59%), .NET (47%), and Rust (40%) services. Only 18% of critical dependency vulnerabilities remain critical after adjusting severity scores with runtime and CVE context. The report also highlights risks at both ends of the software lifecycle, including outdated dependencies and rapid adoption of new library versions.

UK ICO Transitions to Board-Run Model Under Data (Use and Access) Act 2025

First: 26.02.2026 16:00 · 📰 1 src / 1 article

The UK Information Commissioner's Office (ICO) is transitioning from a single-leader model to a board-run structure under the Data (Use and Access) Act 2025 (DUAA). This change aims to meet the agency's growing workload and bring diverse expertise to data protection. The shift will introduce new governance, investigatory powers, and secondary duties, including promoting innovation and competition. The ICO will also expand its Data Essentials training scheme for SMEs. Paul Arnold, the first CEO of the new ICO structure, and John Edwards, the current Information Commissioner, announced the changes at the IAPP Intensive London event on February 25, 2026. The transition is expected to be complete within the next few weeks.

Microsoft Rolls Out Windows Backup for Organizations

Updated: 26.02.2026 15:04 · First: 09.10.2025 17:56 · 📰 2 src / 3 articles

Microsoft has expanded the Windows Backup for Organizations feature to support more enterprise devices. The first sign-in restore experience now allows users to restore settings and Microsoft Store apps on first login to a new or reimaged Windows 11 device, extending support to hybrid-managed environments, multi-user device setups, and Windows 365 Cloud PCs. Originally announced in October 2025, Windows Backup for Organizations is designed to simplify backups and facilitate the transition to Windows 11. The feature is available for Entra-joined devices after installing the September 2025 Windows Monthly Cumulative Update. It backs up Windows settings, preferences, and Microsoft Store-installed apps on Windows 10 and Windows 11 systems, and restores them on Windows 11 PCs during device setup. Data is stored in the Exchange Online cloud, with encryption and strict access controls. The feature must be enabled by IT administrators via backup and restore policy settings.

UNC2814 Campaign Targeting Telecom and Government Networks

Updated: 26.02.2026 14:09 · First: 25.02.2026 19:00 · 📰 3 src / 3 articles

A suspected Chinese threat actor, tracked as UNC2814, has conducted a global espionage campaign since at least 2017, targeting telecom and government networks. The campaign has impacted 53 organizations in 42 countries, with suspected infections in at least 20 more. The actor deployed a new C-based backdoor named GRIDTIDE, which abuses the Google Sheets API for command-and-control (C2) operations. The initial access vector is unknown, but previous exploits involved flaws in web servers and edge systems. GRIDTIDE performs host reconnaissance and supports commands for executing bash commands, uploading, and downloading files. Google, Mandiant, and partners disrupted the campaign by terminating associated Google Cloud projects and disabling known infrastructure. Organizations impacted by GRIDTIDE were notified, and support was offered to clean the infections. Google expects UNC2814 to resume activity using new infrastructure in the near future.

Harvest Now, Decrypt Later: Urgent Need for Post-Quantum Cryptography Migration

First: 26.02.2026 14:06 · 📰 1 src / 1 article

Organizations are urged to prepare for the imminent threat of quantum computing by adopting Post-Quantum Cryptography (PQC) to secure long-term sensitive data. The 'Harvest Now, Decrypt Later' (HNDL) strategy employed by adversaries highlights the vulnerability of current encryption methods against future quantum-enabled decryption attacks. A structured approach to PQC migration is outlined, emphasizing the need for immediate action, strategic planning, and continuous monitoring to ensure data security against evolving threats.

CISA Updates RESURGE Malware Analysis, Reveals Advanced Evasion Techniques

First: 26.02.2026 14:00 · 📰 1 src / 1 article

CISA has released an updated Malware Analysis Report (MAR) on RESURGE, a sophisticated malware that exploits vulnerabilities to establish stealthy SSH-based command-and-control access. The malware can remain dormant on compromised Ivanti Connect Secure devices, evading routine detection. The updated analysis highlights RESURGE's advanced network-level evasion techniques, including forged TLS certificates and cryptographic methods, posing an ongoing threat to affected networks. CISA emphasizes the importance of using the provided indicators of compromise (IOCs) and detection signatures to identify and mitigate RESURGE, urging organizations to implement the recommended actions.

New York sues Valve over illegal gambling via game loot boxes

First: 26.02.2026 13:44 · 📰 1 src / 1 article

New York Attorney General Letitia James has filed a lawsuit against Valve Corporation, alleging that the company promotes illegal gambling through loot boxes in its games. The lawsuit claims that Valve's loot box features violate state gambling laws by offering random virtual prizes that can be exchanged for real money, much like slot machines. It targets loot box features in Counter-Strike 2, Team Fortress 2, and Dota 2, which let players pay for virtual containers holding randomly selected items. The lawsuit highlights the potential harm to children, who may be drawn into loot box purchases to win rare items and boost their social status within gaming communities. The market for Counter-Strike weapon skins has ballooned into a multibillion-dollar economy, with individual items sometimes fetching prices over $1 million. Valve is also accused of skewing the odds of winning rare items to make them more valuable. The lawsuit seeks to permanently bar Valve from operating loot box features in New York, require Valve to return all profits generated by the practice, and impose fines for the alleged violations.

Scarcruft (APT37) Ransomware Campaign Targets South Korea

Updated: 26.02.2026 12:35 · First: 14.08.2025 03:00 · 📰 20 src / 23 articles

The **Contagious Interview campaign** has **expanded its tactics** with **three new execution paths** for delivering in-memory JavaScript malware via **malicious Next.js repositories**, as detailed in a February 2026 Microsoft report. The campaign now uses (1) **auto-execution via VS Code’s `tasks.json`** (triggered by `runOn: "folderOpen"`), (2) **build-time payloads embedded in modified libraries** (e.g., `jquery.min.js`) activated during `npm run dev`, and (3) **server startup scripts** that exfiltrate environment variables and fetch attacker-controlled code. These methods converge on a **memory-resident JavaScript payload** that profiles hosts, registers with a C2 server for a unique `instanceId`, and deploys a **second-stage controller** for persistent access, discovery, and exfiltration—all while minimizing disk traces. This evolution follows earlier waves, including **malicious VS Code projects (January 2026)** and **EtherRAT’s exploitation of React2Shell (December 2025)**, but introduces **greater operational resilience** through **alternative staging infrastructure** (GitHub gists, URL shorteners, blockchain-based NFT contracts) and **multi-platform payloads** (Node.js, Python, and npm dependencies like `eslint-validator`). The campaign continues to target **cryptocurrency/Web3 developers** and **global tech sectors**, leveraging **job-themed lures**, **fraudulent IT worker networks (WageMole)**, and **collaboration with North Korea’s financial fraud ecosystem**. GitLab’s recent ban of **131 accounts** tied to the campaign—along with the discovery of a **$1.64M revenue-tracking project**—highlights the operation’s **structured, enterprise-scale coordination**, blending **espionage, financial theft, and persistent access brokerage**.

Malicious StripeApi.Net NuGet Package Exfiltrates Stripe API Tokens

First: 26.02.2026 12:09 · 📰 1 src / 1 article

A malicious NuGet package named StripeApi.Net was discovered impersonating the legitimate Stripe.net library. The package, uploaded on February 16, 2026, mimicked the official Stripe.net package to steal Stripe API tokens from developers. The package was removed before causing significant damage. This marks a shift in targeting from cryptocurrency to financial services.

Critical Authentication Bypass in Cisco Catalyst SD-WAN Exploited Since 2023

Updated: 26.02.2026 08:13 · First: 25.02.2026 20:01 · 📰 2 src / 2 articles

A critical authentication bypass vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN has been actively exploited in zero-day attacks since at least 2023. The flaw allows remote attackers to compromise controllers and add malicious rogue peers to targeted networks. The vulnerability stems from a peering authentication mechanism that does not work properly, enabling attackers to log in as high-privileged users and manipulate network configurations. Cisco has released specific software updates to address the issue, and CISA has issued an emergency directive requiring federal agencies to patch affected systems by February 27, 2026. Attackers have been found to leverage the built-in update mechanism to stage a software version downgrade and escalate to the root user by exploiting CVE-2022-20775, and have taken steps to clear evidence of the intrusion by purging logs and command history.

ChatGPT Misuse by Nation-State Actors for Malware Development and Influence Operations

Updated: 26.02.2026 02:00 · First: 08.10.2025 10:16 · 📰 2 src / 3 articles

OpenAI has disrupted multiple activity clusters misusing its ChatGPT AI tool for cyberattacks, including nation-state actors from Russia, North Korea, and China. These actors have used ChatGPT to develop malware, conduct phishing campaigns, and engage in influence operations. The Russian threat actor developed a remote access trojan (RAT) and credential stealer, while the North Korean group created malware and command-and-control (C2) infrastructure. The Chinese group, UNK_DropPitch, generated phishing content and tooling for routine tasks. Additionally, Chinese law enforcement used ChatGPT to draft and edit reports on smear campaigns against Chinese dissidents and Japanese Prime Minister Sanae Takaichi. OpenAI also blocked accounts used for scams, influence operations, and surveillance, including networks from Cambodia, Myanmar, Nigeria, and individuals linked to Chinese government entities.

UFP Technologies Cyberattack Results in Data Theft

First: 26.02.2026 01:02 · 📰 1 src / 1 article

UFP Technologies, a medical device manufacturer, disclosed a cyberattack that compromised its IT systems and resulted in data theft. The incident, detected on February 14, affected billing and label-making functions. While the threat actor was removed, some data was stolen or destroyed. The nature of the malware is unclear, but ransomware or a wiper attack is suspected. UFP Technologies has not confirmed the exfiltration of personal information or received ransom demands.

PCI Security Standards Council Highlights Accelerating Threats to Payment Systems

First: 25.02.2026 21:15 · 📰 1 src / 1 article

The PCI Security Standards Council (PCI SSC) released its first annual report, emphasizing the increasing sophistication and speed of threats targeting payment systems. The report underscores the need for global coordination, education, and collaboration to advance payment security across various sectors. Threat actors are increasingly targeting payment cards, point-of-sale systems, and processing systems through methods like skimming, jackpotting, and credential theft. The council's initiatives aim to secure mobile, data, device, software, and card products by updating standards and compliance requirements.

Claude Code Vulnerabilities Enable Remote Code Execution and API Key Theft

First: 25.02.2026 19:00 · 📰 1 src / 1 article

Multiple vulnerabilities in Anthropic's Claude Code AI-powered coding assistant allow remote code execution and API key exfiltration. The flaws exploit configuration mechanisms, including Hooks, Model Context Protocol (MCP) servers, and environment variables. Three vulnerabilities were identified, with fixes released in versions 1.0.87, 1.0.111, and 2.0.65. Exploitation could lead to arbitrary code execution, data exfiltration, and unauthorized access to AI infrastructure. The vulnerabilities highlight the risks associated with AI-powered tools that execute commands and initiate network communication autonomously.

Increased Exploitation of Unauthenticated Vulnerabilities and AI-Enhanced Attack Techniques

First: 25.02.2026 18:16 · 📰 1 src / 1 article

IBM X-Force's 2025 Threat Intelligence Index reveals that 56% of tracked vulnerabilities required no authentication before exploitation. The report highlights the growing threat of infostealer credential theft, with 300,000 ChatGPT credentials discovered on the dark web. AI is being weaponized by attackers to find weak access points, create deepfakes, and exploit agentic AI systems, expanding the blast radius of compromises. Supply chain attacks have quadrupled over the last five years, with criminals and state-sponsored actors adopting advanced techniques, blurring the lines between their tactics.

SonicWall MySonicWall Breach Exposes Firewall Configuration Files

Updated: 25.02.2026 17:54 · First: 17.09.2025 19:23 · 📰 14 src / 24 articles

Marquis Software Solutions has **filed a lawsuit** against SonicWall, alleging **gross negligence and misrepresentation** in the handling of its MySonicWall cloud backup breach, which directly enabled a **ransomware attack** disrupting 74 U.S. banks in August 2025. The lawsuit reveals that SonicWall introduced a **security gap via an API code change in February 2025**, allowing unauthorized access to firewall configuration backups—including AES-256-encrypted credentials and MFA scratch codes. Marquis, whose firewall was fully patched and MFA-enabled, confirms attackers exploited this stolen data to bypass defenses, contradicting earlier assumptions about unpatched devices. The breach exposed **personal and financial data** of Marquis’ clients, triggering **over 36 consumer class-action lawsuits** and prompting Marquis to seek damages, indemnification, and legal fees. The SonicWall incident began as a targeted compromise of its MySonicWall portal, initially reported in September 2025 as affecting fewer than 5% of customers but later revised to confirm **all cloud backup users** were impacted. Stolen configuration files—containing credentials, network topology, and encrypted secrets—fueled follow-on attacks, including the **Marquis ransomware breach** (January 2026 disclosure) and Akira ransomware campaigns abusing OTP seeds to bypass MFA. SonicWall collaborated with Mandiant to attribute the breach to **state-sponsored actors** and released remediation tools, but the Marquis lawsuit underscores the **long-tail risks** of exposed backup data, even post-containment. Over **950 unpatched SMA1000 appliances** remain exposed online, while CISA and SonicWall urge firmware updates, credential resets, and MFA enforcement.

ShinyHunters and Scattered Spider Collaboration

Updated: 25.02.2026 17:06 · First: 12.08.2025 15:00 · 📰 27 src / 74 articles

The **ShinyHunters and Scattered Spider collaboration**, operating under the **Scattered Lapsus$ Hunters (SLH) alliance**, has escalated its extortion and social engineering tactics in **early 2026** by **recruiting women for vishing attacks** targeting IT help desks, offering **$500–$1,000 per successful call** alongside pre-written scripts. This calculated evolution aims to exploit psychological biases and bypass traditional attacker profiles, increasing the success rate of impersonation and credential harvesting. The group continues to combine **technical intrusions** with **psychological harassment, swatting, and media manipulation** to coerce payments, while leveraging **legitimate services, residential proxies, and tunneling tools** (e.g., Ngrok, Luminati) to evade detection. The alliance’s latest developments include the **ShinySp1d3r RaaS platform**, **Zendesk phishing campaigns**, and **targeted intrusions against financial sectors**, demonstrating a **multi-pronged expansion** in both **technical sophistication** and **psychological warfare**. Their tactics now involve **recruiting diverse social engineering operatives**, deploying **virtual machines for post-exploitation reconnaissance**, and exploiting **cloud APIs (e.g., Microsoft Graph)** to access Azure environments. Despite law enforcement arrests and shutdown claims, SLH remains a **high-risk, low-trust threat actor**, with **no guarantee of data deletion** post-payment and a pattern of **rebranding to evade pressure**. Victims are advised to **refuse engagement** beyond a firm "no payment" stance, as compliance only fuels further escalation and harassment.

OpenClaw Automation Framework Faces Supply Chain Security Risks

First: 25.02.2026 17:01 · 📰 1 src / 1 article

OpenClaw, an AI-powered automation framework, has gained significant attention due to its potential security risks, particularly in its plugin ecosystem. The framework allows users to manage emails, schedules, and system tasks through modular 'skills' that can be installed from a marketplace called ClawHub. Security researchers have identified critical vulnerabilities, including remote code execution and credential theft, which have led to discussions across security research feeds, Telegram channels, and underground forums. While the framework has not yet been fully weaponized for mass exploitation, the supply chain risks associated with its plugin ecosystem are real and pose a significant threat.

44% Increase in Public-Facing Application Exploits Driven by AI

First: 25.02.2026 16:30 · 📰 1 src / 1 article

IBM X-Force reports a 44% surge in cyberattacks targeting public-facing applications, primarily due to missing authentication controls and AI-enabled vulnerability scanning. Vulnerability exploitation led to 40% of incidents in 2025, while active ransomware and extortion groups grew by 49%, with publicly disclosed victim counts rising by 12%. AI is accelerating attacker operations, including reconnaissance and advanced ransomware attacks.

Broken Triage Processes Increase Security Risks and Operational Costs

First: 25.02.2026 16:30 · 📰 1 src / 1 article

Ineffective triage processes in security operations centers (SOCs) are leading to increased business risks, including missed SLAs, higher costs per case, and more opportunities for real threats to evade detection. Five key issues—lack of real evidence, dependency on analyst seniority, delays in triage, over-escalation, and manual work—are identified as major contributors to these problems. High-performing teams are addressing these issues by leveraging execution evidence early in the triage process, using interactive sandboxes to validate behavior and reduce uncertainty. The use of sandboxes like ANY.RUN allows teams to see the full attack chain quickly, leading to faster, evidence-backed decisions. This approach reduces the cost per case, minimizes missed threats, and ensures consistent triage outcomes across shifts. Additionally, it helps in shrinking the time-to-decision, reducing escalation volumes, and increasing Tier 1 capacity by automating repetitive tasks.