Abu Dhabi Finance Week (ADFW) organizers inadvertently exposed passport details and other identity information of approximately 700 attendees, including former British Prime Minister David Cameron and former White House communications director Anthony Scaramucci. The data was found unprotected on a cloud storage system associated with ADFW, accessible via off-the-shelf scanning software. The leak included passports, ID cards, and thousands of other documents, potentially exposed for at least two months. ADFW secured the server after being notified by the Financial Times, which reported the incident. The exposure poses reputational risks for Abu Dhabi as it seeks to establish itself as a global financial center.

A new Android malware named PromptSpy abuses Google's Gemini AI to maintain persistence by keeping itself pinned in the recent apps list. The malware captures lockscreen data, blocks uninstallation, gathers device information, takes screenshots, and records screen activity. It communicates with a command-and-control (C2) server and is distributed via a dedicated website targeting users in Argentina. The malware is an advanced version of VNCSpy and is likely financially motivated.

Operation Serengeti 2.0, an INTERPOL-led international operation, resulted in the arrest of 1,209 cybercriminals across Africa. The operation targeted cross-border cybercrime gangs involved in ransomware, online scams, and business email compromise (BEC). The operation, conducted from June to August 2025, involved law enforcement from 18 African countries and the UK. Authorities seized $97.4 million and dismantled 11,432 malicious infrastructures linked to attacks on 88,000 victims worldwide. Following this, Operation Sentinel, conducted between October 27 and November 27, 2025, led to the arrest of 574 individuals and the recovery of $3 million linked to business email compromise, extortion, and ransomware incidents. The operation took down more than 6,000 malicious links and decrypted six distinct ransomware variants. The cybercrime cases investigated are connected to more than $21 million in financial losses. Most recently, Operation Red Card 2.0, conducted between December 8, 2025, and January 30, 2026, resulted in the arrest of 651 suspects and the recovery of over $4.3 million. The operation targeted investment fraud, mobile money scams, and fake loan applications, identifying 1,247 victims and seizing 2,341 devices and 1,442 malicious websites, domains, and servers. The operation involved law enforcement agencies from 16 African countries: Angola, Benin, Cameroon, Côte d'Ivoire, Chad, Gabon, Gambia, Ghana, Kenya, Namibia, Nigeria, Rwanda, Senegal, Uganda, Zambia, and Zimbabwe. The operations were supported by data from private sector partners, including Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, The Shadowserver Foundation, Team Cymru, Trend Micro, TRM Labs, and Uppsala Security. Cybercrime now accounts for 30% of all reported crime in Western and Eastern Africa and is increasing rapidly elsewhere on the continent. Interpol's 2025 Africa Cyberthreat Assessment Report noted that two-thirds of African member countries claim cyber-related offenses now account for a 'medium-to-high' (i.e., 10-30% or 30%+) share of all crimes. Interpol director of cybercrime, Neal Jetton, warned that the scale and sophistication of cyber-attacks across Africa are accelerating, especially against critical sectors like finance and energy.

Microsoft has patched a high-severity privilege escalation vulnerability (CVE-2026-26119) in Windows Admin Center, a browser-based management tool. The flaw, with a CVSS score of 8.8, could allow authenticated attackers to escalate privileges over a network. The vulnerability was discovered by Semperis researcher Andrea Pierini and was addressed in version 2511 released in December 2025. While not confirmed to be exploited in the wild, it has been assessed as 'Exploitation More Likely'.

A critical vulnerability (CVE-2026-2329) in Grandstream GXP1600 series VoIP phones allows unauthenticated remote code execution (RCE) with root privileges. The flaw, a stack-based buffer overflow, stems from the device's web-based API service. The vulnerability affects multiple GXP1600 models and has been addressed in firmware version 1.0.7.81. Exploiting this flaw could enable attackers to extract stored credentials, intercept phone calls, and eavesdrop on VoIP conversations. The issue was discovered by Rapid7 researcher Stephen Fewer and demonstrated via a Metasploit exploit module. The exploitation process involves writing multiple null bytes to construct a return-oriented programming (ROP) chain, allowing attackers to silently eavesdrop on communications.

In 2025, Google blocked over 1.75 million app submissions to the Google Play Store due to policy violations and rejected 255,000 apps from accessing sensitive user data. The company implemented over 10,000 safety checks and integrated AI models to enhance detection capabilities. Additionally, Google banned 80,000 bad developer accounts and blocked 160 million spam ratings to protect user perception. Play Protect identified 27 million malicious sideloaded apps and blocked 266 million installation attempts from risky apps. The Play Integrity API now processes over 20 billion checks daily, and Android 16 introduced protections against tapjacking attacks.

A new variant of Remcos RAT has been observed with expanded real-time surveillance capabilities and improved evasion techniques. This version establishes direct online communication with attacker-controlled servers, enabling immediate monitoring and data theft. The malware now streams webcam footage in real time and transmits captured keystrokes instantly, reducing forensic traces on infected Windows systems. Researchers from Point Wild's Lat61 Threat Intelligence team detailed the changes, noting the malware's use of dynamic API loading and runtime decryption to avoid detection.

A Chinese APT group, identified as UNC6201, has been exploiting a critical zero-day vulnerability (CVE-2026-22769) in Dell's RecoverPoint for Virtual Machines since mid-2024. The flaw, a hardcoded credential bug with a CVSS score of 10.0, allows unauthenticated attackers to gain root-level access and maintain persistence. The group has used this vulnerability to deploy malware, including Slaystyle, Brickstorm, and a new backdoor called Grimbolt. Mandiant has also observed novel tactics such as creating ghost NICs and using iptables for single packet authorization (SPA). CISA has ordered federal agencies to patch the vulnerability within three days, highlighting its active exploitation and significant risk to federal systems.

GoldFactory, a financially motivated cybercrime group, has been targeting mobile users in Indonesia, Thailand, and Vietnam since October 2024. The group distributes modified banking applications that act as conduits for Android malware, leading to over 11,000 infections. The malware impersonates government services and trusted local brands to trick victims into installing the malicious apps, which then abuse Android's accessibility services for remote control and data theft. In July 2025, GoldFactory launched a sophisticated fraud campaign targeting Indonesia's Coretax tax platform, intensifying in January 2026. This campaign impersonated Coretax to trick users into installing malicious mobile applications, resulting in an estimated $1.5m to $2m in financial impact. The operation involved phishing websites, WhatsApp impersonation, and vishing calls to direct victims to download fraudulent APK files, deploying multiple malware families including Gigabud.RAT and MMRat.

Infostealers are increasingly targeting both personal and corporate users, harvesting credentials, session data, and user activity. Researchers analyzed 90,000 leaked infostealer dumps containing over 800 million rows of data, revealing how attackers associate technical data with real users, organizations, and behavioral patterns. This convergence collapses the boundary between personal and professional identities, escalating enterprise-level risks. The datasets included credentials, browser cookies, browsing history, and system-level files, enabling attackers to identify individuals, their employers, and roles within organizations. This data is used for targeted phishing, social engineering, and extortion, with significant implications for both personal and corporate security.

The OpenSSL project has addressed a critical stack buffer overflow flaw (CVE-2025-15467) that could lead to remote code execution (RCE) under specific conditions. This vulnerability resides in the processing of Cryptographic Message Syntax (CMS) data with maliciously crafted AEAD parameters. The flaw is part of a broader set of 12 vulnerabilities disclosed by AISLE, including another high-severity issue (CVE-2025-11187) that could trigger a stack-based buffer overflow due to missing validation. The OpenSSL team has released patches to mitigate these vulnerabilities, urging users to update their systems to prevent potential exploitation. This development highlights the ongoing need for vigilance in securing cryptographic libraries, which are fundamental to many digital security protocols.

Matthew Abiodun Akande, a 37-year-old Nigerian national, was sentenced to eight years in prison for hacking multiple tax preparation firms in Massachusetts. He stole clients' personal information to file over 1,000 fraudulent tax returns, seeking $8.1 million in refunds and successfully obtaining $1.3 million between June 2016 and June 2021. Akande used Warzone RAT malware and phishing emails to gain access to the firms' systems. Akande was arrested in October 2024 at London's Heathrow Airport and extradited to the United States in March 2025. He was indicted by a federal grand jury in July 2022 while living in Mexico.

In 2025, the number of industrial control system (ICS) security advisories exceeded 500 for the first time, with a significant increase in the severity of vulnerabilities. The total number of CVEs published reached 2155 across 508 advisories, up from 103 CVEs in 67 advisories in 2011. The average CVSS score of advisories also climbed to above 8.0 in 2024 and 2025, indicating more severe vulnerabilities. The most affected asset types included Purdue Level 1 devices, Level 3 operation systems, Level 2 control systems, and industrial network infrastructure. Critical manufacturing and energy sectors were the most impacted, with transportation and healthcare also experiencing notable increases in vulnerabilities.

The U.S. government is considering a ban on the sale of TP-Link networking devices due to national security concerns over the company's ties to China. TP-Link denies these allegations, maintaining it operates independently and manufactures its products in Vietnam. Texas has sued TP-Link for deceptive marketing and allowing Chinese state-backed hackers to exploit firmware vulnerabilities. The ban is supported by multiple federal agencies and follows reports of Chinese state-sponsored hacking groups exploiting vulnerabilities in TP-Link routers. The proposed ban highlights broader issues with the security of consumer-grade routers, which often ship with outdated firmware and default settings that can be easily compromised.

A surge in phishing campaigns exploiting Microsoft’s OAuth device code authorization flow has been observed, targeting Microsoft 365 accounts. Both state-aligned and financially motivated actors are using social engineering to trick users into approving malicious applications, leading to account takeover and data theft. The attacks leverage the OAuth 2.0 device authorization grant, a legitimate process designed for devices with limited input capabilities. Once victims enter a device code generated by an attacker-controlled application, the threat actor receives a valid access token, granting control over the compromised account. The campaigns use QR codes, embedded buttons, and hyperlinked text to initiate the attack chain, often claiming to involve document sharing, token reauthorization, or security verification. The growth of these campaigns is linked to readily available phishing tools like SquarePhish2 and Graphish, which simplify device code abuse and require limited technical skill. Proofpoint observed financially motivated actor TA2723 and Russia-linked group UNK_AcademicFlare adopting this technique, targeting various sectors in the US and Europe. The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare. The attacks involve using compromised email addresses belonging to government and military organizations to strike entities within government, think tanks, higher education, and transportation sectors in the U.S. and Europe. The adversary claims to share a link to a document that includes questions or topics for the email recipient to review before the meeting. The URL points to a Cloudflare Worker URL that mimics the compromised sender's Microsoft OneDrive account and instructs the victim to copy the provided code and click 'Next' to access the supposed document. Device code phishing was documented in detail by both Microsoft and Volexity in February 2025, attributing the use of the attack method to Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307. The October 2025 campaign is assessed to have been fueled by the ready availability of crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish. To counter the risk posed by device code phishing, the best option is to create a Conditional Access policy using the Authentication Flows condition to block device code flow for all users. If that's not feasible, it's advised to use a policy that uses an allow-list approach to allow device code authentication for approved users, operating systems, or IP ranges. Threat actors are now targeting technology, manufacturing, and financial organizations in campaigns that combine device code phishing and voice phishing (vishing) to abuse the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts. Unlike previous attacks that utilized malicious OAuth applications to compromise accounts, these campaigns instead leverage legitimate Microsoft OAuth client IDs and the device authorization flow to trick victims into authenticating. This provides attackers with valid authentication tokens that can be used to access the victim's account without relying on regular phishing sites that steal passwords or intercept multi-factor authentication codes.

A new phishing kit called Starkiller has emerged, allowing attackers to bypass multi-factor authentication (MFA) by proxying legitimate login pages. The kit is distributed as a subscription-based service on the dark web, offering real-time session monitoring and keylogging capabilities. It mimics login pages of major services like Google, Microsoft, and banks, routing traffic through attacker-controlled infrastructure to steal credentials and authentication tokens. Starkiller uses a headless Chrome instance to serve genuine page content, making it difficult for security vendors to detect or block. The toolkit is sold with updates and customer support, posing a significant escalation in phishing infrastructure.

AI-powered adversarial systems are significantly reducing the time between exposure and exploitation, leveraging machine speed and scale to identify and exploit vulnerabilities faster than traditional security teams can respond. This acceleration is driven by AI's ability to automate reconnaissance, simulate attack sequences, and prioritize exploitable vulnerabilities. Additionally, AI adoption introduces new attack surfaces, including model context protocol vulnerabilities and supply chain hallucinations.

Multiple high-to-critical severity vulnerabilities in popular VSCode extensions, collectively downloaded over 128 million times, expose developers to remote code execution (RCE) and file theft. The affected extensions include Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview. Researchers at Ox Security discovered these flaws in June 2025 but received no response from maintainers. Exploitation could lead to lateral movement, data exfiltration, and system takeover in corporate environments. Microsoft silently fixed the Live Preview vulnerability in version 0.4.16 released in September 2025. The vulnerabilities also affect AI-powered IDEs Cursor and Windsurf.

A new Android banking malware, Massiv, is posing as an IPTV app to steal digital identities and access online banking accounts. The malware targets users in Spain, Portugal, France, and Turkey, with a particular focus on a Portuguese government app connected to Chave Móvel Digital. Massiv uses screen overlays, keylogging, SMS interception, and remote control to obtain sensitive data and can open new accounts in the victim's name for money laundering and loans. The malware provides two remote control modes: screen live-streaming and UI-tree mode, which extracts structured data from the Accessibility Service. This trend of using IPTV apps as lures for Android malware infections has increased over the past eight months. Previously, the Klopatra Android Trojan was identified, capable of performing unauthorized bank transfers while the device is inactive. Klopatra targets users in Italy and Spain, with over 3,000 devices infected. It disguises itself as the Mobdro streaming app and IPTV applications, leveraging their popularity to bypass security measures. The malware employs advanced techniques to evade detection and analysis, including anti-sandboxing methods, a commercial packer, and Hidden Virtual Network Computing (VNC) for remote control. Klopatra operates during nighttime hours, draining victims' bank accounts without alerting them.

OpenClaw has patched six new vulnerabilities in its agentic AI assistant, including server-side request forgery (SSRF), missing authentication, and path traversal bugs. The vulnerabilities range from moderate to high severity, with some lacking CVE IDs. The flaws affect various components, including the Gateway tool, Telnyx webhook authentication, and browser upload functionality. Endor Labs highlighted the importance of data flow analysis and defense-in-depth validation for AI agent infrastructure. The research also revealed ongoing security concerns, such as misconfigured instances exposed to the public internet and the risk of indirect prompt injection. One additional vulnerability remains unpatched, and major security concerns persist over OpenClaw's undocumented enterprise use.

A new campaign, CRESCENTHARVEST, targets supporters of Iran's ongoing protests to conduct information theft and long-term espionage. The campaign delivers a remote access trojan (RAT) and information stealer to execute commands, log keystrokes, and exfiltrate sensitive data. The attacks exploit geopolitical developments to lure victims into opening malicious .LNK files disguised as protest-related images or videos. The campaign is believed to be the work of an Iran-aligned threat group and is the second such campaign identified targeting individuals involved in the nationwide protests in Iran that began towards the end of 2025.

Cybercriminals have created a fake cryptocurrency called 'Google Coin' and used a Gemini chatbot to convince people to buy it. The scam involves a professional-looking presale site mimicking Google's branding and a chatbot impersonating Google's AI assistant. The chatbot provides a polished sales pitch, ultimately leading victims to send irreversible crypto payments to attackers. This scam demonstrates the evolving use of AI by malicious actors to amplify financially motivated campaigns.

A critical vulnerability (CVE-2026-1670) in multiple Honeywell CCTV products allows unauthenticated attackers to change recovery email addresses, enabling account takeover and unauthorized access to camera feeds. The flaw, rated 9.8 in severity, affects mid-level surveillance products used in commercial, industrial, and critical infrastructure settings. As of February 17, 2026, no public exploitation has been reported, but CISA advises mitigations to reduce risk.

Email bombing, a technique used to overwhelm inboxes, is exploited for both fraud and harassment by targeting cognitive overload. This method buries critical information under a deluge of emails, making it difficult for victims to process important messages. The same tactic is employed in harassment to silence victims and in fraud to hide evidence, highlighting a shared attack surface. This reveals a blind spot in threat intelligence, where defenses are organized around adversary types rather than human vulnerabilities.

Researchers have demonstrated that AI assistants like Microsoft Copilot and xAI Grok can be exploited as command-and-control (C2) proxies. This technique leverages the AI's web-browsing capabilities to create a bidirectional communication channel for malware operations, enabling attackers to blend into legitimate enterprise communications and evade detection. The method, codenamed AI as a C2 proxy, allows attackers to generate reconnaissance workflows, script actions, and dynamically decide the next steps during an intrusion. The attack requires prior compromise of a machine and installation of malware, which then uses the AI assistant as a C2 channel through specially crafted prompts. This approach bypasses traditional defenses like API key revocation or account suspension. According to new findings from Check Point Research (CPR), platforms including Grok and Microsoft Copilot can be manipulated through their public web interfaces to fetch attacker-controlled URLs and return responses. The AI service acts as a proxy, relaying commands to infected machines and sending stolen data back out, without requiring an API key or even a registered account. The method relies on AI assistants that support URL fetching and content summarization, allowing attackers to tunnel encoded data through query parameters and receive embedded commands in the AI's reply. Malware can interact with the AI interface invisibly using a WebView2 browser component inside a C++ program. The research also outlined a broader trend: malware that integrates AI into its runtime decision-making, sending host information to a model and receiving guidance on actions to prioritize.

Predator spyware, developed by Intellexa, has been using a zero-click infection mechanism called Aladdin, which infects targets by displaying malicious advertisements. This vector is hidden behind shell companies across multiple countries and leverages the commercial mobile advertising system to deliver malware. The spyware is still operational and actively developed, with additional delivery vectors like Triton targeting Samsung Exynos devices. The infection occurs when a target views a malicious ad, which triggers a redirection to Intellexa’s exploit delivery servers. The ads are served through a complex network of advertising firms, making defense measures challenging. Despite sanctions and investigations, including fines from the Greek Data Protection Authority, Intellexa remains active and prolific in zero-day exploitation. Recent leaks reveal that Intellexa's Predator spyware has been marketed under various names, including Helios, Nova, Green Arrow, and Red Arrow. The spyware exploits multiple zero-day vulnerabilities in Android and iOS devices, and uses frameworks like JSKit for native code execution. Intellexa also has the capability to remotely access the surveillance systems of its customers using TeamViewer. The spyware collects extensive data from targeted devices, including messaging apps, calls, emails, device locations, screenshots, passwords, and other on-device information. New research has confirmed that Predator spyware was used to target an Angolan journalist, Teixeira Cândido, in May 2024 via a WhatsApp link. The infection lasted less than one day and was removed when the device was restarted. Attackers made 11 additional attempts to re-infect the device, all of which failed. Predator spyware incorporates advanced anti-analysis mechanisms and has explicit checks to avoid running in U.S. and Israeli locales.

A critical authentication bypass vulnerability in SmarterMail email software (WT-2026-0001, CVE-2026-23760) has been actively exploited in the wild just two days after a patch was released. The flaw allows attackers to reset the system administrator password via a crafted HTTP request, leading to remote code execution (RCE) on the underlying operating system. The vulnerability was patched on January 15, 2026, but attackers reverse-engineered the patch to exploit it. Over 6,000 SmarterMail servers were found exposed online and likely vulnerable to attacks exploiting the flaw. Shadowserver is tracking these servers, with more than 4,200 in North America and nearly 1,000 in Asia. Macnica threat researcher Yutaka Sejiyama found over 8,550 SmarterMail instances still vulnerable. CISA added the vulnerability to its list of actively exploited vulnerabilities, ordering U.S. government agencies to secure their servers by February 16. Threat actors rapidly shared proof-of-concept exploits, offensive tools, and stolen administrator credentials related to SmarterMail vulnerabilities on underground Telegram channels and cybercrime forums. SmarterTools was breached in January 2026 after attackers exploited an unpatched SmarterMail server running on an internal VM. Ransomware operators gained initial access through SmarterMail vulnerabilities and waited before triggering encryption payloads. Over 34,000 servers were found on Shodan with indications of running SmarterMail, with 1,185 vulnerable to authentication bypass or RCE flaws. CISA added CVE-2026-24423 to the Known Exploited Vulnerabilities catalog in February 2026, confirming active ransomware exploitation.

Microsoft is addressing a bug in its anti-spam service that incorrectly blocks URLs in Exchange Online and Microsoft Teams, causing some emails to be quarantined. The issue began on September 5, 2025, affecting users who received false alerts about malicious URLs. Over 6,000 URLs have been identified as affected, and Microsoft is working to unblock them and recover any incorrectly flagged messages. The bug is due to the anti-spam engine mistakenly tagging URLs within other URLs as potentially malicious. Microsoft has deployed a partial fix and is continuing to address the impact. The incident has been classified as an event with noticeable user impact, although the exact number of affected customers and regions remains undisclosed. In a new development, on February 5, 2026, another incident began where Exchange Online mistakenly flags legitimate emails as phishing and quarantines them. This issue is caused by a new URL rule that incorrectly flags some URLs as malicious. Microsoft is working to release quarantined emails and confirm that legitimate URLs are unblocked. The incident, tracked by Microsoft under EX1227432, was not fully resolved until February 12. The root cause was a logic error in a detection system designed to identify new credential phishing attacks, which also led to false positive alerts. Other security tools within Microsoft's detection infrastructure amplified the incident's impact, and a separate bug in the company's security signature systems further delayed efforts to roll back the flawed detection rules. Microsoft will issue a final report within five business days of full resolution. Similar issues have occurred throughout the year, including a May 2025 incident where a machine learning model incorrectly flagged Gmail emails as spam in Exchange Online.

The threat actor Silver Fox has been exploiting a previously unknown vulnerable driver associated with WatchDog Anti-malware to deploy ValleyRAT malware. The driver, 'amsdk.sys' (version 1.0.600), is a validly signed Windows kernel device driver built on the Zemana Anti-Malware SDK. This driver allows arbitrary process termination and local privilege escalation, enabling the attackers to neutralize endpoint protection products and deploy the ValleyRAT remote access trojan. The campaign, first observed in late May 2025, targets Chinese-speaking victims using various social engineering techniques and trojanized software. The WatchDog driver has been patched, but attackers have adapted by modifying the driver to bypass hash-based blocklists. Silver Fox, also known as SwimSnake and UTG-Q-1000, is highly active and organized, targeting domestic users and companies to steal secrets and defraud victims. Recently, a newly identified cryptojacking campaign has been uncovered, spreading through pirated software installers. This campaign deploys system-level malware using a customised XMRig miner and a controller component for persistence. The controller, named Explorer.exe, functions as a state-driven orchestrator. The malware includes a hardcoded expiration date of December 23, 2025, for self-removal. The campaign uses a vulnerable signed driver, WinRing0x64.sys, to gain kernel-level access and modifies CPU registers to disable hardware prefetchers, boosting mining performance. The campaign connects to the Kryptex mining pool at xmr-sg.kryptex.network:8029.

Cogent Security has raised $42 million in Series A funding to develop autonomous AI agents for vulnerability remediation. The funding will accelerate product development for their agentic AI platform, which automates investigation, prioritization, and remediation tasks in vulnerability management. The platform integrates vulnerability data across environments, reduces scanner noise, and incorporates business context to prioritize risks beyond standard severity scores. The company aims to streamline security operations by automating coordination tasks, allowing security teams to focus on critical threats.