
News Summary

Last updated: 18:15 06/02/2026 UTC
  • Qilin ransomware group targets multiple organizations, including South Korean financial sector and Romanian oil pipeline operator Conpet
    The Qilin ransomware group has been active, targeting multiple organizations, including Inotiv, a U.S.-based pharmaceutical company; Creative Box Inc. (CBI), a subsidiary of Nissan; Mecklenburg County Public Schools (MCPS); Asahi Group; Synnovis, a UK pathology services provider; and Conpet, Romania's national oil pipeline operator. The latest attack was on Conpet, where Qilin claims to have stolen nearly 1TB of documents and leaked over a dozen photos of internal documents containing financial information and passport scans as proof of the breach. The attack caused significant operational disruption, including the temporary takedown of the company's website. The group has also targeted other Japanese companies, including Shinko Plastics and Osaki Medical.
    Qilin operates as a ransomware-as-a-service (RaaS) network, leasing its tools and infrastructure to affiliates (observed since 2023) and taking a 15–20% share of ransom payments. Its malware is custom-built in Rust and C for cross-platform attacks against Windows, Linux, and ESXi systems. The operation first launched as "Agenda" in August 2022 and rebranded to Qilin by September 2022. In 2025 it attacked more than 700 victims across 62 countries and published over 40 new victims per month in the second half of the year. Qilin uses the Windows Subsystem for Linux (WSL) to execute Linux encryptors on Windows systems, evading traditional security tools, and has been observed gaining initial access to corporate networks through unpatched VPN appliances and the absence of multi-factor authentication (MFA). The group targets small-to-medium-sized businesses in the construction, healthcare, and financial sectors, uses new extortion channels including Telegram and public sites such as WikiLeaksV2, collaborates with affiliates of the Scattered Spider group, and publishes victims' data on dark-web leak sites if no ransom is paid.
    Asahi Group Holdings confirmed that the personal data of approximately 1.914 million individuals, including 1.525 million customers, was or may have been exposed in the cyber-attack. The exposed data includes names, genders, dates of birth, postal addresses, email addresses, and phone numbers. Asahi spent two months investigating the breach, conducting root cause analysis and integrity checks, containing the ransomware, restoring systems, and strengthening security. Atsushi Katsuki, President and Group CEO of Asahi Group Holdings, publicly apologized for the difficulties caused by the disruptions, and the company is reviewing the potential impact of the incident on its financial results for fiscal year 2025. Qilin claimed responsibility for the attack. Asahi temporarily suspended its operations in Japan in late September following a system failure caused by the ransomware; the disruptions affected order and shipment operations, call centers, and customer service desks, and the company postponed the launch of a new product scheduled for October. On October 7, Qilin listed Asahi on its data leak site, claiming to have stolen 27 GB of files. Asahi is considering the creation of a dedicated cybersecurity unit within the group, is scrapping the use of virtual private networks (VPNs) in favour of a stricter zero-trust model, and has postponed the disclosure of sales performance due to the ongoing effects of the attack on its systems. It recorded a 20% year-on-year drop in alcohol sales in Japan in November 2025 and has refrained from releasing monthly sales data by category and brand; November marks the third consecutive month it has skipped these disclosures, citing difficulties in accurately compiling the figures.
    Inotiv is notifying 9,542 individuals that their personal information was stolen in the August 2025 ransomware attack and has restored availability and access to the impacted networks and systems. Qilin claimed responsibility for the breach in August 2025, leaked data samples, and said it exfiltrated over 162,000 files totaling 176 GB from Inotiv.
  • Multiple Critical n8n Workflow Automation Vulnerabilities (CVE-2025-68613, CVE-2025-68668, CVE-2026-21877, CVE-2026-21858)
    Multiple critical vulnerabilities in the n8n workflow automation platform continue to pose severe risks. The latest flaw, CVE-2026-25049 (CVSS 9.4), enables authenticated users to execute arbitrary system commands via malicious workflows. It bypasses earlier patches for CVE-2025-68613 and stems from inadequate sanitization in n8n's expression evaluation, which lets attackers exploit mismatches between TypeScript's compile-time type system and JavaScript's runtime behavior. Successful exploitation can lead to server compromise, credential theft, and persistent backdoor installation, with heightened risk when paired with n8n's public webhook feature. The vulnerabilities collectively affect over 105,000 exposed instances, primarily in the U.S. and Europe, across both self-hosted and cloud deployments. Earlier flaws, including CVE-2026-21877 (CVSS 10.0), CVE-2026-21858 (CVSS 10.0), and the sandbox escape vulnerabilities CVE-2026-1470 (CVSS 9.9) and CVE-2026-0863 (CVSS 8.5), have already demonstrated the potential for full server takeover, AI workflow hijacking, and exposure of sensitive credentials (API keys, OAuth tokens, database passwords). Patches are available in versions 1.123.17, 2.4.5, 2.5.1, and 2.5.2; unpatched systems remain at critical risk. Users are urged to upgrade immediately, restrict workflow permissions, and harden deployment environments to mitigate exposure.
  • Aisuru botnet conducts record-breaking DDoS attacks, targeting U.S. ISPs and Microsoft Azure
    The Aisuru/Kimwolf botnet ecosystem has escalated its global threat and is now conducting record-breaking DDoS campaigns, including a 31.4 Tbps attack in November 2025 and a holiday-themed "The Night Before Christmas" campaign (December 19, 2025) with peaks of 24 Tbps, 9 Bpps, and 205 Mrps. This follows the 29.7 Tbps assault in Q3 2025 and the disruption of the IPIDEA proxy network (January 2026), which had enabled the botnets' lateral movement into government, healthcare, and critical infrastructure networks via 33,000+ compromised endpoints in universities and 8,000 in U.S. and foreign government systems. With over 6 million infected devices (1–4M IoT for Aisuru; >2M Android TVs/boxes for Kimwolf), the botnets now blend hyper-volumetric DDoS with residential proxy monetization, targeting sectors beyond gaming, including telecom, IT, finance, and AI companies. Cloudflare reported 47.1 million DDoS attacks mitigated in 2025 (a 100% YoY increase), with hyper-volumetric incidents surging 40% QoQ in Q4, highlighting the botnets' rapid evolution in scale, sophistication, and cross-sector impact. Despite Google's January 2026 takedown of IPIDEA (reducing proxy devices by millions), persistent infections and new attack vectors (e.g., trojanized apps, ENS-based C2) underscore the ongoing systemic risk to global internet stability and enterprise security.
  • Zendesk Platform Abused for Email Flood Attacks
    Cybercriminals have exploited lax authentication settings in Zendesk to flood targeted email inboxes with spam messages. The attacks use hundreds of Zendesk corporate customers simultaneously, sending notifications from customer domain names. Zendesk acknowledged the issue and is investigating additional preventive measures. The abuse involves sending ticket creation notifications from customer accounts that allow anonymous submissions, which lets attackers create support tickets with any chosen subject line, including menacing or insulting messages. Because the notifications appear to come from legitimate customer domains, they are harder to filter out. The spam wave started on January 18th, 2026, with victims reporting receiving hundreds of emails. Companies impacted include Discord, Tinder, Riot Games, Dropbox, CD Projekt (2k.com), Maya Mobile, NordVPN, Tennessee Department of Labor, Tennessee Department of Revenue, Lightspeed, CTL, Kahoot, Headspace, and Lime. Zendesk has introduced new safety features to detect and stop this type of spam in the future. A fresh wave of spam hit inboxes worldwide on February 4th, 2026, with users reporting being bombarded by automated emails generated through companies' unsecured Zendesk support systems. The emails had subject lines such as 'Activate your account' and similar support-style notifications appearing to originate from different companies.
  • DragonForce Cartel Ransomware Emerges with Conti-Derived Encryption
    DragonForce, a Conti-derived ransomware operation, has evolved into a cartel-like structure, recruiting affiliates and partnering with Scattered Spider for sophisticated attacks. The group exploits vulnerable drivers to deactivate security programs and has intensified its operations, publishing details of more compromised entities. DragonForce offers affiliates 80% of profits, customizable encryptors, and infrastructure, lowering the barrier to entry for new cybercriminals. Its partnership with Scattered Spider has enabled high-profile breaches, including the Marks & Spencer incident. DragonForce has also proposed cooperation among major ransomware operations to stabilize the market and increase collective profits. Security experts advise robust backup practices, network segmentation, and consistent patching to defend against such threats.
Last updated: 18:00 06/02/2026 UTC
  • GlassWorm malware targets OpenVSX, VS Code registries
    The GlassWorm malware campaign has resurfaced with a third wave, adding 24 new packages to Open VSX and the Microsoft Visual Studio Marketplace. The malware hides its malicious code with invisible Unicode characters and targets GitHub, NPM, and Open VSX account credentials as well as cryptocurrency wallet data. The campaign initially impacted 49 extensions with an estimated 35,800 downloads, though that figure is inflated by bots and visibility-boosting tactics. The Eclipse Foundation revoked leaked tokens and introduced security measures, but the threat actors pivoted to GitHub and have now returned to Open VSX with updated command-and-control endpoints, posting a fresh transaction to the Solana blockchain that provides the C2 endpoint for downloading the next-stage payload. The attackers' server was inadvertently exposed, revealing a partial victim list spanning the United States, South America, Europe, and Asia, including a major government entity in the Middle East; Koi Security accessed the server and shared victim data with law enforcement. The threat actor is assessed to be Russian-speaking and uses the open-source browser extension C2 framework RedExt as part of its infrastructure. The third wave uses Rust-based implants packaged inside the extensions and targets popular tools and developer frameworks such as Flutter, Vim, YAML, Tailwind, Svelte, React Native, and Vue.
    Additionally, a malicious Rust package named "evm-units" was discovered targeting Windows, macOS, and Linux systems. Uploaded to crates.io in mid-April 2025, it attracted over 7,000 downloads and was designed to execute stealthily on developer machines by masquerading as an Ethereum Virtual Machine (EVM) unit helper tool. The package checks for the presence of Qihoo 360 antivirus and alters its execution flow accordingly; its references to EVM and Uniswap indicate that the supply chain incident targets developers in the Web3 space.
    The latest development is the compromise of a legitimate developer's resources to push malicious updates to downstream users. The threat actor gained access to the account of the developer oorzc and pushed updates carrying the GlassWorm payload to four extensions that had been presented as legitimate developer utilities and had collectively accumulated over 22,000 Open VSX downloads before the malicious releases. This attack focuses on stealing passwords, crypto-wallet data, and developer credentials and configurations from macOS systems. GlassWorm attacks first appeared in late October, hiding the malicious code with "invisible" Unicode characters to steal cryptocurrency wallet and developer account details; the malware also supports VNC-based remote access and SOCKS proxying. Across multiple attack waves, GlassWorm has impacted both Microsoft's official Visual Studio Code marketplace and Open VSX, its open-source alternative for unsupported IDEs. In a previous campaign, GlassWorm showed signs of evolution, targeting macOS systems, and its developers were working to add a replacement mechanism for the Trezor and Ledger apps. A new report from Socket's security team describes a campaign that trojanized the following extensions: oorzc.ssh-tools v0.5.1, oorzc.i18n-tools-plus v1.6.8, oorzc.mind-map v1.0.61, and oorzc.scss-to-css-compile v1.3.4.
    The malicious updates were pushed on January 30, and Socket reports that the extensions had been innocuous for two years, which suggests that the oorzc account was most likely compromised by GlassWorm operators. According to the researchers, the campaign targets macOS systems exclusively and pulls instructions from Solana transaction memos. Notably, Russian-locale systems are excluded, which may hint at the origin of the attacker. GlassWorm loads a macOS information stealer that establishes persistence via a LaunchAgent, enabling execution at login. It harvests browser data from Firefox and Chromium, wallet extensions and wallet apps, macOS keychain data, Apple Notes databases, Safari cookies, developer secrets, and documents from the local filesystem, and exfiltrates everything to the attacker's infrastructure at 45.32.150[.]251. Socket reported the packages to the Eclipse Foundation, the operator of the Open VSX platform; its security team confirmed unauthorized publishing access, revoked tokens, and removed the malicious releases. The only exception is oorzc.ssh-tools, which was removed from Open VSX entirely after multiple malicious releases were discovered. The versions of the affected extensions currently on the marketplace are clean, but developers who downloaded the malicious releases should perform a full system clean-up and rotate all their secrets and passwords.
  • Windows 11 23H2 Shutdown Issue with System Guard Secure Launch
    Windows 11 23H2 devices with System Guard Secure Launch enabled fail to shut down properly after installing the January 13, 2026, cumulative update (KB5073455); affected systems restart instead of shutting down or entering hibernation. The issue impacts Enterprise and IoT editions of Windows 11, version 23H2, as well as Windows 10 22H2, Windows 10 Enterprise LTSC 2021, and Windows 10 Enterprise LTSC 2019 with Virtual Secure Mode (VSM) enabled. Microsoft provided a temporary workaround for shutdown but no solution for hibernation. The company is also addressing a separate bug in the January 2026 KB5074109 update that causes Remote Desktop connection failures. Microsoft has released an out-of-band update (KB5077797) to fix the shutdown issue in Windows 11 23H2.
  • Under Armour Investigates Data Breach After 72 Million Records Allegedly Exposed
    Under Armour is investigating a data breach after 72 million customer records were allegedly exposed online by the Everest ransomware group. The breach reportedly occurred in November 2025, with data including email addresses, personal information, and purchase details being published on a hacking forum in January 2026. Under Armour has confirmed the investigation and stated that there is no evidence the breach affected payment systems or customer passwords. Additionally, Iron Mountain, a data storage and recovery services company, reported a breach by the Everest group that was limited to marketing materials and did not involve customer confidential or sensitive information.
  • ShinyHunters and Scattered Spider Collaboration
    The ShinyHunters and Scattered Spider collaboration, operating under the Scattered Lapsus$ Shiny Hunters (SLSH) alliance, has escalated its extortion tactics in early 2026, combining technical intrusions with psychological harassment, swatting, and media manipulation to coerce payments. A February 2026 analysis by Allison Nixon (Unit 221B) reveals the group's unreliable and fractious nature, rooted in its origins within The Com, a decentralized cybercriminal network prone to internal betrayals and operational instability. Unlike traditional ransomware groups, SLSH does not guarantee data deletion after payment; instead it uses extortion as a pretext for future fraud while deploying DDoS attacks, email floods, and threats of physical violence against executives, their families, and even security researchers. This follows a year of high-impact breaches, including the $107 million loss at the Co-operative Group (U.K.), Jaguar Land Rover's operational shutdown, and attacks on Allianz Life, Farmers Insurance, and PornHub Premium members via the Mixpanel analytics breach. The groups leverage vishing, OAuth token abuse, and AI-enhanced tooling to exploit SaaS platforms (Okta, SharePoint, Salesforce), while law enforcement arrests (e.g., Owen Flowers, Thalha Jubair) and shutdown claims have failed to halt operations. The FBI, U.K. NCA, and Google Threat Intelligence continue tracking their adaptive tactics, now compounded by SLSH's use of harassment as a core extortion lever, which renders traditional negotiation strategies ineffective. Victims are advised to refuse engagement beyond a firm "no payment" stance, as compliance only fuels further escalation. The alliance's latest developments, including the ShinySp1d3r RaaS platform, Zendesk phishing campaigns, and targeted intrusions against financial sectors, demonstrate a multi-pronged expansion in both technical sophistication and psychological warfare, solidifying its status as a high-risk, low-trust threat actor in the cybercrime landscape.
  • React Native CLI Remote Code Execution Vulnerability (CVE-2025-11953)
    A critical security flaw in the React Native CLI package, tracked as CVE-2025-11953, allowed remote, unauthenticated attackers to execute arbitrary OS commands on development servers. The vulnerability affected versions 4.8.0 through 20.0.0-alpha.2 of the @react-native-community/cli-server-api package, impacting millions of developers using the React Native framework, and was patched in version 20.0.0. It is being actively exploited in the wild, with attacks observed on December 21, 2025, January 4, 2026, and January 21, 2026. The attacks deliver base64-encoded PowerShell payloads hidden in the HTTP POST body of malicious requests; the payloads disable endpoint protections, establish a raw TCP connection to attacker-controlled infrastructure, write data to disk, and execute the downloaded binary. Approximately 3,500 exposed React Native Metro servers are still online, according to scans using the ZoomEye search engine. Despite active exploitation being observed for over a month, the vulnerability still carries a low score in the Exploit Prediction Scoring System (EPSS). The flaw affects Windows, Linux, and macOS systems, with varying levels of control over the executed commands. It was discovered by researchers at JFrog, disclosed in early November 2025, and dubbed Metro4Shell by VulnCheck. The Windows payload is a Rust-based UPX-packed binary with basic anti-analysis logic, and the same attacker infrastructure hosts corresponding Linux binaries, indicating cross-platform targeting.

Latest updates


Active Spyware Campaigns Targeting High-Value Signal and WhatsApp Users

Updated: 06.02.2026 22:00 · First: 25.11.2025 08:42 · 📰 3 src / 6 articles

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert warning of active spyware campaigns targeting high-value Signal and WhatsApp users. These campaigns leverage sophisticated social engineering and zero-click exploits to compromise mobile devices and exfiltrate sensitive data. The targets include government officials, military personnel, political figures, and civil society organizations across the U.S., Middle East, and Europe. A new campaign, dubbed GhostPairing, abuses the legitimate device-linking feature to hijack WhatsApp accounts via pairing codes. This campaign was first spotted in Czechia but has the potential to spread to other regions. The attack involves tricking victims into linking an attacker's browser to their WhatsApp device, granting the attacker full access to the account without requiring any authentication. Germany's domestic intelligence agency has also warned of state-sponsored threat actors targeting high-ranking individuals via messaging apps like Signal. These attacks combine social engineering with legitimate features to steal data from politicians, military officers, diplomats, and investigative journalists in Germany and across Europe. The attacks involve impersonating Signal's support service and tricking targets into sharing their Signal PIN or an SMS verification code, leading to account hijacking. The second attack variant involves convincing the target to scan a QR code, abusing Signal’s legitimate linked-device feature to pair the account with the attacker’s device.

China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking and Malware Delivery

Updated: 06.02.2026 20:35 · First: 06.02.2026 16:56 · 📰 3 src / 5 articles

Cybersecurity researchers have uncovered a China-linked adversary-in-the-middle (AitM) framework called DKnife, active since at least 2019. The framework targets routers and edge devices to perform deep packet inspection, manipulate traffic, and deliver malware. It primarily targets Chinese-speaking users, harvesting credentials and delivering malware via popular Chinese services and applications. DKnife comprises seven Linux-based implants that enable a wide range of malicious activities, including DNS hijacking, binary download hijacking, and real-time user activity monitoring. The framework is linked to the Earth Minotaur threat activity cluster and shares infrastructural connections with WizardNet, a Windows implant deployed by the TheWizards APT group; DKnife's infrastructure overlaps with a campaign delivering WizardNet, suggesting a shared development or operational lineage. The framework uses a component called yitiji.bin to create a bridged TAP interface on the router at the private IP address 10.3.3.3, allowing the threat actor to intercept and rewrite network packets in transit to the intended host. DKnife also monitors WeChat activity in detail, tracking voice and video calls, text messages, images sent and received, and articles read on the platform.

Critical Unauthenticated RCE Flaw in SmarterMail Patched

Updated: 06.02.2026 19:16 · First: 30.01.2026 09:09 · 📰 2 src / 3 articles

SmarterTools has addressed a critical unauthenticated remote code execution (RCE) flaw in its SmarterMail email software, tracked as CVE-2026-24423 with a CVSS score of 9.3. The vulnerability allows attackers to execute arbitrary OS commands by pointing SmarterMail to a malicious HTTP server. The flaw was discovered by researchers from watchTowr, CODE WHITE GmbH, and VulnCheck and was patched in Build 9511, released on January 15, 2026. CISA has added CVE-2026-24423 to its KEV catalog, marking it as actively exploited in ransomware campaigns, and has given federal agencies until February 26, 2026, to patch or stop using affected versions. Another critical flaw (CVE-2026-23760) and a medium-severity vulnerability (CVE-2026-25067) were addressed in subsequent updates.

EFF Launches 'Encrypt It Already' Campaign for Big Tech E2EE Adoption

First: 06.02.2026 18:34 · 📰 1 src / 1 article

The Electronic Frontier Foundation (EFF) has launched the 'Encrypt It Already' campaign urging major technology and communications companies to prioritize end-to-end encryption (E2EE) for user data and communications. The initiative focuses on three key areas: releasing promised E2EE features, enabling them by default, and launching data protection capabilities already available from competitors. The campaign highlights companies like Bluesky, Ring, and Google for their delayed or optional E2EE implementations. The EFF emphasizes the importance of E2EE in protecting user privacy from third-party access, including law enforcement and government agencies. The campaign also addresses the growing privacy concerns exacerbated by the rise of artificial intelligence (AI) and its potential for misuse. The EFF aims to hold companies accountable for their privacy promises and empower users to control their data.

Substack Data Breach Exposes User Email Addresses and Phone Numbers

Updated: 06.02.2026 18:22 · First: 05.02.2026 14:54 · 📰 2 src / 2 articles

Substack has confirmed a data breach that occurred in October 2025, during which attackers stole email addresses and phone numbers. The breach was detected on February 3, 2026, and confirmed via an email notification to users on February 5, 2026. Substack assured users that no credentials or financial information were accessed. A threat actor later leaked a database containing 697,313 records on BreachForums, claiming the data was scraped. Substack has patched the vulnerability and warned users about potential phishing attempts. Substack has a history of privacy incidents, including a 2020 email exposure. The platform has grown significantly since its launch in 2017, reaching over 50 million active subscriptions, including five million paid, by March 2025.

Browser Attacks Evade Traditional Security Measures

Updated: · First: 06.02.2026 17:01 · 📰 1 src / 1 articles

Modern enterprise work heavily relies on browsers for accessing SaaS applications, identity providers, and AI tools. However, traditional security architectures focus on endpoints, networks, and email, leaving a significant visibility gap in browser activity. This gap allows a class of browser-only attacks to evade detection and investigation, posing a growing challenge for security teams. In 2026, browser attacks continue to leave little traditional evidence, making them difficult to detect and mitigate. These attacks include ClickFix and other UI-driven social engineering, malicious extensions, man-in-the-browser attacks, and HTML smuggling. Each of these attack types exploits the lack of visibility into browser activity, making them hard to prevent and investigate. The gap in browser-level observability is widening with the increasing use of AI tools and AI-native browsers, which normalize actions such as copying, pasting, and uploading sensitive information. This makes it even more challenging for security teams to evaluate risks and set effective controls.

EU Fines TikTok for Addictive Design Violating Digital Services Act

Updated: · First: 06.02.2026 15:53 · 📰 1 src / 1 articles

The European Commission is imposing a fine on TikTok for violating the Digital Services Act (DSA) due to its addictive design features, including infinite scroll, autoplay, and personalized recommendations. The commission found that TikTok failed to assess the potential harm to users' physical and mental well-being, particularly minors and vulnerable adults. The fine could reach up to 6% of TikTok's global annual turnover if the findings are confirmed. TikTok is required to modify its core service design to include screen time breaks and disable addictive features.

CISA Mandates Replacement of End-of-Life Edge Devices in Federal Networks

Updated: 06.02.2026 15:43 · First: 06.02.2026 10:41 · 📰 2 src / 2 articles

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive (BOD 26-02) requiring federal agencies to identify, remove, and replace end-of-life (EOL) edge devices, including routers, firewalls, and network switches, that no longer receive security updates. The directive aims to mitigate the substantial and constant threat of exploitation by advanced threat actors targeting these vulnerable devices. Agencies must decommission EOL devices within 12 to 18 months and establish continuous discovery processes to identify and manage devices approaching end-of-support status. CISA has also developed an end-of-support edge device list to assist agencies in this effort.

KEV Collider Tool Enhances Vulnerability Triage for Security Teams

Updated: · First: 06.02.2026 14:53 · 📰 1 src / 1 articles

A new tool called KEV Collider has been developed to help security teams better triage the Known Exploited Vulnerabilities (KEV) Catalog maintained by the US Cybersecurity and Infrastructure Security Agency (CISA). The tool allows teams to filter vulnerabilities based on various criteria, making the list more relevant to their environments. The KEV Catalog, while useful, does not always align with the cybersecurity priorities of most organizations, often including vulnerabilities that are low-severity or low-probability for many companies. KEV Collider integrates data from the KEV Catalog with other sources such as CVSS scores, EPSS scores, and Metasploit exploit availability to provide a more comprehensive view. The tool aims to help security teams make better decisions about which vulnerabilities to prioritize, especially as the number of vulnerabilities continues to grow. The creator, Tod Beardsley, emphasizes that the KEV Catalog should not be treated as a must-patch list for all organizations, as it is primarily tailored to the needs of the federal civilian executive branch.

Kyle Svara Pleads Guilty to Hacking 600+ Snapchat Accounts for Exploitative Purposes

Updated: · First: 06.02.2026 14:34 · 📰 1 src / 1 articles

Kyle Svara, a 26-year-old from Illinois, pleaded guilty to hacking nearly 600 women's Snapchat accounts to steal nude photos. He used phishing and social engineering tactics to obtain access codes, then sold or traded the stolen content. Svara also worked with former university coach Steve Waithe, who was convicted of sextortion. Svara faces multiple charges, including aggravated identity theft and wire fraud, with sentencing scheduled for May 18, 2026.

Asian State-Backed Group TGR-STA-1030 Targets 70 Government and Infrastructure Entities

Updated: · First: 06.02.2026 14:07 · 📰 1 src / 1 articles

A previously undocumented cyber espionage group, TGR-STA-1030, has breached at least 70 government and critical infrastructure organizations across 37 countries over the past year. The group, assessed to be of Asian origin, leverages phishing emails and exploits N-day vulnerabilities to deploy malware and maintain long-term access for espionage purposes. Targets include national law enforcement, ministries of finance, and departments responsible for economic, trade, natural-resource, and diplomatic functions. The group uses a variety of tools, including Cobalt Strike, Behinder, and a Linux kernel rootkit named ShadowGuard.

Samsung Knox Enhances Mobile Network Security with Granular Controls and Zero Trust

Updated: · First: 06.02.2026 12:30 · 📰 1 src / 1 articles

Samsung Knox introduces advanced network security features for mobile devices, including granular firewall controls and Zero Trust Network Access (ZTNA). These features address the unique challenges of mobile device security, such as intermittent network connections and diverse app usage. The Knox Firewall provides detailed visibility and control over app-specific network access, while the ZTNA framework integrates with existing VPNs to offer continuous, context-aware access decisions. This approach reduces the attack surface and enhances threat response capabilities. The integration of these features within Samsung Galaxy devices ensures seamless deployment and compatibility with existing security infrastructure, making it a practical solution for enterprise mobile security.

Flickr Data Exposure via Third-Party Email Service Vulnerability

Updated: · First: 06.02.2026 11:43 · 📰 1 src / 1 articles

Flickr disclosed a potential data breach affecting user information after a vulnerability in a third-party email service provider's system. The exposed data includes names, email addresses, IP addresses, and account activity. Flickr shut down the affected system within hours of discovering the issue on February 5, 2026. The company assured that passwords and payment card numbers were not compromised and advised users to review their account settings and update passwords.

Malicious dYdX npm and PyPI Packages Deliver Wallet Stealers and RAT Malware

Updated: · First: 06.02.2026 10:40 · 📰 1 src / 1 articles

Legitimate dYdX-related packages on npm and PyPI have been compromised to distribute malicious versions that steal cryptocurrency wallet credentials and execute remote access trojans (RATs). The compromised packages target JavaScript and Python ecosystems, with different payloads for each. The attack is suspected to involve developer account compromise, allowing threat actors to push malicious updates using legitimate credentials. The affected packages include @dydxprotocol/v4-client-js (npm) versions 3.4.1, 1.22.1, 1.15.2, and 1.0.31, and dydx-v4-client (PyPI) version 1.1.5post1. The malicious code targets core registry files and uses obfuscation techniques to evade detection. Users are advised to isolate affected machines, move funds to new wallets from clean systems, and rotate all API keys and credentials. This incident highlights a persistent pattern of supply chain attacks targeting dYdX-related assets.
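As an added example (not code from the advisory or from the dYdX project), a stdlib-only Python check that scans a package-lock.json and a pip freeze/requirements file for the affected versions listed above. The sample lockfile and requirements text are constructed; the PyPI version is normalised per PEP 440 so that `1.1.5post1` and `1.1.5.post1` are recognised as the same release, which a plain string comparison would miss.

```python
import json
import re

# Affected versions exactly as given in the advisory summarised above.
AFFECTED = {
    "npm": {"@dydxprotocol/v4-client-js": {"3.4.1", "1.22.1", "1.15.2", "1.0.31"}},
    "pypi": {"dydx-v4-client": {"1.1.5post1"}},
}

# PEP 440 post-release spellings: "1.1.5post1", "1.1.5.post1", "1.1.5-post1", "1.1.5r1".
_POST_RE = re.compile(r"[-_.]?(post|rev|r)[-_.]?(\d+)$", re.I)


def normalize_pypi_version(v: str) -> str:
    """Canonicalise the post-release segment to '.postN' (lowercase).
    Only post-releases are handled; other PEP 440 forms are passed through lowercased."""
    v = v.strip().lower()
    m = _POST_RE.search(v)
    if m:
        v = v[: m.start()] + ".post" + str(int(m.group(2)))
    return v


def normalize_pypi_name(name: str) -> str:
    """PEP 503 name normalisation: runs of '-', '_' and '.' collapse to '-', lowercased."""
    return re.sub(r"[-_.]+", "-", name).lower()


def scan_package_lock(lock: dict) -> list:
    """Return sorted (name, version) pairs for every affected npm package found in a
    package-lock.json, covering both the v2/v3 'packages' map and the v1 'dependencies' tree."""
    hits = set()
    affected = AFFECTED["npm"]
    for path, meta in (lock.get("packages") or {}).items():
        # Keys look like "node_modules/@scope/name" or "node_modules/a/node_modules/b".
        name = path.rsplit("node_modules/", 1)[-1]
        if meta.get("version", "") in affected.get(name, ()):
            hits.add((name, meta["version"]))

    def walk(deps):
        for name, meta in (deps or {}).items():
            if meta.get("version", "") in affected.get(name, ()):
                hits.add((name, meta["version"]))
            walk(meta.get("dependencies"))

    walk(lock.get("dependencies"))
    return sorted(hits)


def scan_requirements(text: str) -> list:
    """Return (name, version) pairs for affected pinned ('==') PyPI packages in
    requirements.txt / pip freeze output, comparing normalised names and versions."""
    affected = {normalize_pypi_name(n): {normalize_pypi_version(v) for v in vs}
                for n, vs in AFFECTED["pypi"].items()}
    hits = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*==\s*([^\s;]+)", line)
        if not m:
            continue
        if normalize_pypi_version(m.group(2)) in affected.get(normalize_pypi_name(m.group(1)), ()):
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed sample inputs (not real project files).
SAMPLE_PACKAGE_LOCK = json.loads("""{
  "name": "constructed-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "constructed-app", "version": "0.0.1"},
    "node_modules/@dydxprotocol/v4-client-js": {"version": "1.15.2"},
    "node_modules/left-pad": {"version": "1.3.0"}
  }
}""")
SAMPLE_REQUIREMENTS = """# constructed pip freeze output
requests==2.32.3
dydx-v4-client==1.1.5.post1   # same release as '1.1.5post1' under PEP 440
Dydx_V4_Client==1.1.4
"""

if __name__ == "__main__":
    for name, ver in scan_package_lock(SAMPLE_PACKAGE_LOCK):
        print(f"npm  affected: {name}@{ver}")
    for name, ver in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"pypi affected: {name}=={ver}")
```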

Infosecurity Europe Launches Cyber Startup Programme for 2026

Updated: · First: 06.02.2026 10:30 · 📰 1 src / 1 articles

Infosecurity Europe introduces the Cyber Startup Programme to support emerging cybersecurity innovators. The initiative includes a dedicated exhibition area, tailored conference sessions, and a startup award competition. The program aims to provide visibility, networking opportunities, and growth support for early-stage companies. The Cyber Startup Programme will debut at Infosecurity Europe 2026, featuring a dedicated Cyber Startups Zone and a live award competition on June 2, 2026. The program is delivered in collaboration with UK Cyber Flywheel and the UK Department for Science, Innovation and Technology (DSIT).

Claude Opus 4.6 Identifies 500+ High-Severity Flaws in Open-Source Libraries

Updated: · First: 06.02.2026 07:49 · 📰 1 src / 1 articles

Anthropic's Claude Opus 4.6, a large language model (LLM), discovered over 500 previously unknown high-severity security flaws in major open-source libraries such as Ghostscript, OpenSC, and CGIF. The model, launched on February 6, 2026, demonstrated improved capabilities in code review, debugging, and vulnerability detection. The flaws were identified without requiring task-specific tooling or specialized prompting. Anthropic validated each flaw to ensure they were not hallucinated and prioritized severe memory corruption vulnerabilities. The identified vulnerabilities have since been patched by the respective maintainers.

Zscaler Acquires SquareX to Enhance Browser Security

Updated: · First: 06.02.2026 04:48 · 📰 1 src / 1 articles

Zscaler has acquired SquareX, a browser security firm, to integrate its Browser Detection and Response (BDR) solution into its Zero Trust Exchange platform. The acquisition aims to extend security to unmanaged devices, allowing organizations to secure users within their preferred browsers like Google Chrome and Microsoft Edge without needing a full agent or a separate enterprise browser. The deal closed on February 5, 2026, and is part of Zscaler's strategy to enhance its security capabilities.

Spain's Ministry of Science shuts down systems after IDOR exploit claims

Updated: · First: 05.02.2026 23:23 · 📰 1 src / 1 articles

Spain's Ministry of Science has partially shut down its IT systems following a claimed breach by a threat actor using the alias 'GordonFreeman.' The ministry cited a 'technical incident' and suspended administrative procedures. The attacker claims to have exploited an Insecure Direct Object Reference (IDOR) vulnerability to gain admin-level access and leaked data samples, including personal records and official documents. The authenticity of the leaked data has not been confirmed.

Ransomware operators abuse ISPsystem VMs for stealthy payload delivery

Updated: · First: 05.02.2026 22:57 · 📰 1 src / 1 articles

Ransomware operators are exploiting virtual machines (VMs) provisioned by ISPsystem's VMmanager to host and deliver malicious payloads at scale. Researchers at Sophos observed this tactic during investigations into 'WantToCry' ransomware incidents, noting that attackers used Windows VMs with identical hostnames, suggesting default templates generated by VMmanager. The same hostnames were found in the infrastructure of multiple ransomware groups, including LockBit, Qilin, Conti, BlackCat/ALPHV, and Ursnif, as well as various malware campaigns involving the RedLine and Lumma info-stealers. ISPsystem's VMmanager platform allows malicious actors to spin up VMs for command-and-control (C2) and payload-delivery infrastructure, hiding malicious systems among thousands of innocuous ones. This complicates attribution and makes quick takedowns unlikely. The majority of the malicious VMs were hosted by a small cluster of providers with a bad reputation or under sanctions, including Stark Industries Solutions Ltd., Zomro B.V., First Server Limited, Partner Hosting LTD, and JSC IOT.

Microsoft Announces Phased Retirement of Exchange Web Services (EWS) in Exchange Online

Updated: · First: 05.02.2026 20:07 · 📰 1 src / 1 articles

Microsoft plans to retire Exchange Web Services (EWS) for Exchange Online by April 2027, beginning with a phased disablement starting October 2026. EWS, a cross-platform API for accessing Exchange mailbox items, will no longer be supported in Exchange Online but will remain functional in on-premises Exchange Server installations. Administrators can manage the transition via an application allowlist, and Microsoft will conduct 'scream tests' to identify hidden dependencies. Developers are advised to migrate to the Microsoft Graph API, which offers near-complete feature parity with EWS.

Aisuru botnet conducts record-breaking DDoS attacks, targeting U.S. ISPs and Microsoft Azure

Updated: 05.02.2026 19:25 · First: 02.09.2025 18:52 · 📰 17 src / 32 articles

The **Aisuru/Kimwolf botnet ecosystem** has escalated its global threat, now conducting **record-breaking DDoS campaigns**—including a **31.4 Tbps attack in November 2025** and a **holiday-themed "The Night Before Christmas" campaign** (December 19, 2025) with peaks of **24 Tbps, 9 Bpps, and 205 Mrps**. This follows the **29.7 Tbps assault in Q3 2025** and **disruption of the IPIDEA proxy network** (January 2026), which had enabled the botnets’ **lateral movement into government, healthcare, and critical infrastructure networks** via **33,000+ compromised endpoints** in universities and **8,000 in U.S./foreign government systems**. With **over 6 million infected devices** (1–4M IoT for Aisuru; **>2M Android TVs/boxes** for Kimwolf), the botnets now blend **hyper-volumetric DDoS** with **residential proxy monetization**, targeting sectors beyond gaming to include **telecom, IT, finance, and AI companies**. Cloudflare reported **47.1 million DDoS attacks mitigated in 2025** (100% YoY increase), with **hyper-volumetric incidents surging 40% QoQ in Q4**—highlighting the botnets’ **rapid evolution in scale, sophistication, and cross-sector impact**. Despite **Google’s January 2026 takedown of IPIDEA** (reducing proxy devices by millions), persistent infections and **new attack vectors** (e.g., **trojanized apps, ENS-based C2**) underscore the ongoing systemic risk to **global internet stability and enterprise security**.

Cyberattack Disrupts La Sapienza University IT Systems

Updated: · First: 05.02.2026 19:02 · 📰 1 src / 1 articles

Rome’s La Sapienza University suffered a cyberattack that disrupted its IT systems, causing widespread operational disruptions. The university shut down its network systems as a precautionary measure to ensure data integrity and security. The attack is suspected to be ransomware, attributed to the pro-Russian threat actor Femwar02, with similarities to the Bablock/Rorschach ransomware strain. The university is working with Italian cybersecurity authorities to restore systems from backups. The university has not disclosed the ransom amount, but the risk of data leakage remains significant. Students and staff are advised to remain vigilant against phishing attacks.

Qilin ransomware group targets multiple organizations, including South Korean financial sector and Romanian oil pipeline operator Conpet

Updated: 05.02.2026 17:15 · First: 19.08.2025 17:25 · 📰 19 src / 23 articles

The Qilin ransomware group has been active, targeting multiple organizations, including Inotiv, a U.S.-based pharmaceutical company, Creative Box Inc. (CBI), a subsidiary of Nissan, Mecklenburg County Public Schools (MCPS), Asahi Group, Synnovis, a UK pathology services provider, and Conpet, Romania's national oil pipeline operator. The latest attack was on Conpet, where Qilin claims to have stolen nearly 1TB of documents and leaked over a dozen photos of internal documents containing financial information and passport scans as proof of the breach. The attack caused significant operational disruption, including the temporary takedown of the company's website. The group has also targeted other Japanese companies, including Shinko Plastics and Osaki Medical. The Qilin ransomware group operates as a ransomware-as-a-service (RaaS) network, providing tools and infrastructure to affiliates and taking a 15–20% share of ransom payments. The group's malware is custom-built in Rust and C for cross-platform attacks, including Windows, Linux, and ESXi systems. The Qilin ransomware operation was first launched as "Agenda" in August 2022 and rebranded to Qilin by September 2022. Qilin ransomware operation has attacked more than 700 victims across 62 countries in 2025. The Qilin ransomware operation has published over 40 new victims per month in the second half of 2025. The Qilin ransomware operation uses the Windows Subsystem for Linux (WSL) to execute Linux encryptors on Windows systems, evading traditional security tools. Qilin ransomware group has been observed exploiting unpatched VPN appliances and lack of multi-factor authentication (MFA) to gain initial access to corporate networks. Qilin ransomware group has been observed targeting small-to-medium-sized businesses in the construction, healthcare, and financial sectors. Qilin ransomware group has been observed using new extortion channels, including Telegram and public sites such as WikiLeaksV2. 
Qilin ransomware group has been observed collaborating with affiliates of the Scattered Spider group. Qilin ransomware group has been observed operating as a ransomware-as-a-service (RaaS) group since 2023, leasing its tools and infrastructure to affiliates. Qilin ransomware group has been observed publishing victims' data on dark-web leak sites if no ransom is paid. Asahi Group Holdings confirmed that the personal data of approximately 1.914 million individuals, including 1.525 million customers, was or may have been exposed in the cyber-attack. The exposed data includes names, genders, dates of birth, postal addresses, email addresses, and phone numbers. Asahi Group Holdings spent two months investigating the breach, conducting root cause analysis, integrity checks, containing the ransomware, restoring systems, and strengthening security. Atsushi Katsuki, President and Group CEO of Asahi Group Holdings, publicly apologized for the difficulties caused by the disruptions. Asahi Group Holdings is reviewing the potential impact of the incident on its financial results for fiscal year 2025. The Qilin ransomware group claimed responsibility for the cyber-attack on Asahi Group Holdings. Asahi Group Holdings temporarily suspended its operations in Japan in late September following a system failure due to the ransomware attack. The disruptions included order and shipment operations, call centers, and customer service desks. Asahi Group Holdings postponed the launch of a new product scheduled to be released in October due to the cyber-attack. On October 7, the Qilin ransomware group listed Asahi on its data leak site, claiming to have stolen 27 GB of files from the company. Inotiv is notifying 9,542 individuals that their personal information was stolen in the August 2025 ransomware attack. Inotiv has restored availability and access to impacted networks and systems affected by the August 2025 ransomware attack. 
The Qilin ransomware group claimed responsibility for the breach in August 2025, leaked data samples, and said they exfiltrated over 162,000 files totaling 176 GB from Inotiv. Asahi Group Holdings is considering the creation of a dedicated cybersecurity unit within the group. Asahi Group Holdings is scrapping the use of virtual private networks (VPNs) and is adopting a stricter zero-trust model. Asahi Group Holdings has postponed the disclosure of sales performance for its operating due to the ongoing effects of the cyber-attack on its systems. Asahi Group Holdings recorded a 20% year-on-year drop in alcohol sales in Japan in November 2025 due to the cyber-attack. Asahi Group Holdings has refrained from releasing monthly sales data by category and brand due to the ongoing effects of the cyber-attack on its systems. November marks the third consecutive month Asahi Group Holdings has skipped disclosures of sales data, citing difficulties in accurately compiling the figures.

Cloud Migration Blind Spots Addressed with Network-Layer Telemetry

Updated: · First: 05.02.2026 17:00 · 📰 1 src / 1 articles

Cloud migrations introduce security blind spots due to dynamic infrastructure and overlapping APIs, necessitating real-time visibility for effective cyber defense. Network-layer telemetry provides consistent, provider-agnostic signals for detection and investigation, overcoming the challenges of cloud log standardization. Adversaries exploit cloud environments through supply-chain compromises, infostealer-led intrusions, and misuse of managed services, highlighting the need for comprehensive network monitoring. Effective cloud security involves monitoring east-west and north-south traffic, container traffic, TLS metadata, DNS data, and flow logs. Establishing baselines, alerting on anomalies, and continuous validation are key steps in maintaining robust cloud security.

GitHub Codespaces RCE via Malicious Repository Configurations

Updated: · First: 05.02.2026 16:30 · 📰 1 src / 1 articles

Researchers at Orca Security discovered multiple attack vectors in GitHub Codespaces that allow remote code execution (RCE) by exploiting default behaviors in cloud-based development environments. These vulnerabilities enable attackers to execute arbitrary commands, steal credentials, and access sensitive resources without explicit user approval. The issue arises from the automatic execution of repository-defined configuration files, which can be manipulated to trigger malicious activities upon environment startup or when checking out a pull request.

Smartphones Critical to Police Investigations, Challenges Highlighted

Updated: · First: 05.02.2026 15:30 · 📰 1 src / 1 articles

A report from Cellebrite reveals that smartphones are now a key source of digital evidence in nearly all police investigations. The 2026 Industry Trends Report, based on interviews with 1,200 law enforcement practitioners, shows a significant increase in reliance on digital evidence, with 95% agreeing it is crucial for solving cases. Smartphones are cited as the top source of digital evidence, and agencies are reallocating resources to digital investigations. However, the complexity of digital evidence and challenges such as locked devices and training gaps are increasing workloads.

Increased Operational Efficiency in Cyber Threats

Updated: · First: 05.02.2026 14:57 · 📰 1 src / 1 articles

Recent cyber threat intelligence highlights a trend toward operational efficiency in attacker techniques. Intrusions are starting from ordinary workflows and tools, with attackers industrializing their operations through shared infrastructure, repeatable playbooks, and affiliate-style ecosystems. The focus is on reducing time between access and impact, leveraging automation, and exploiting known security gaps rather than unknown threats.

China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Southeast Asian Espionage Campaigns

Updated: 05.02.2026 13:50 · First: 04.02.2026 16:09 · 📰 2 src / 2 articles

Amaranth-Dragon, a China-linked threat actor, conducted targeted espionage campaigns against government and law enforcement agencies in Southeast Asia throughout 2025. The group exploited CVE-2025-8088, a WinRAR vulnerability, to deliver malicious payloads, including the Havoc C2 framework and the TGAmaranth RAT. The campaigns were timed to coincide with sensitive political and security events, demonstrating a high degree of stealth and operational discipline. The group's tactics, techniques, and procedures (TTPs) show strong links to APT41, suggesting a shared ecosystem or resource pool. The attackers leveraged the vulnerability within days of its disclosure in August 2025 and used the Havoc Framework as the command-and-control (C&C) platform.

Emergence of AI Usage Control as a Critical Security Category

Updated: · First: 05.02.2026 13:30 · 📰 1 src / 1 articles

The rapid proliferation of AI tools in enterprise environments has outpaced traditional security controls, creating a governance gap. AI Usage Control (AUC) has emerged as a new category to address this gap by focusing on real-time interaction governance rather than legacy tool-centric approaches. Enterprises are encouraged to adopt AUC to manage AI risks effectively, ensuring visibility and control over AI interactions across various platforms and tools.

Betterment Data Breach Exposes 1.4 Million Accounts

Updated: · First: 05.02.2026 13:16 · 📰 1 src / 1 articles

A data breach at Betterment, a fintech firm managing $65 billion in assets, exposed personal information of 1.4 million accounts. The breach, occurring in January 2026, involved stolen email addresses, names, geographic data, dates of birth, physical addresses, phone numbers, device information, and employment details. The attackers also sent fraudulent emails attempting to lure customers into a cryptocurrency scam. Betterment confirmed no customer accounts or login information were compromised, but the breach included significant contact information.