
News Summary

Last updated: 18:30 19/02/2026 UTC
  • Silver Fox Exploits Microsoft-Signed WatchDog Driver to Deploy ValleyRAT Malware The threat actor Silver Fox has been exploiting a previously unknown vulnerable driver associated with WatchDog Anti-malware to deploy ValleyRAT malware. The driver, 'amsdk.sys' (version 1.0.600), is a validly signed Windows kernel device driver built on the Zemana Anti-Malware SDK. This driver allows arbitrary process termination and local privilege escalation, enabling the attackers to neutralize endpoint protection products and deploy the ValleyRAT remote access trojan. The campaign, first observed in late May 2025, targets Chinese-speaking victims using various social engineering techniques and trojanized software. The WatchDog driver has been patched, but attackers have adapted by modifying the driver to bypass hash-based blocklists. Silver Fox, also known as SwimSnake and UTG-Q-1000, is highly active and organized, targeting domestic users and companies to steal secrets and defraud victims. Recently, a newly identified cryptojacking campaign has been uncovered, spreading through pirated software installers. This campaign deploys system-level malware using a customised XMRig miner and a controller component for persistence. The controller, named Explorer.exe, functions as a state-driven orchestrator. The malware includes a hardcoded expiration date of December 23, 2025, for self-removal. The campaign uses a vulnerable signed driver, WinRing0x64.sys, to gain kernel-level access and modifies CPU registers to disable hardware prefetchers, boosting mining performance. The campaign connects to the Kryptex mining pool at xmr-sg.kryptex.network:8029.
  • Large-scale Africa-wide cybercrime crackdown arrests over 1,200 suspects Operation Serengeti 2.0, an INTERPOL-led international operation, resulted in the arrest of 1,209 cybercriminals across Africa. The operation targeted cross-border cybercrime gangs involved in ransomware, online scams, and business email compromise (BEC). The operation, conducted from June to August 2025, involved law enforcement from 18 African countries and the UK. Authorities seized $97.4 million and dismantled 11,432 malicious infrastructures linked to attacks on 88,000 victims worldwide. Following this, Operation Sentinel, conducted between October 27 and November 27, 2025, led to the arrest of 574 individuals and the recovery of $3 million linked to business email compromise, extortion, and ransomware incidents. The operation took down more than 6,000 malicious links and decrypted six distinct ransomware variants. The cybercrime cases investigated are connected to more than $21 million in financial losses. Most recently, Operation Red Card 2.0, conducted between December 8 and January 30, 2026, resulted in the arrest of 651 suspects and the recovery of over $4.3 million. The operation targeted investment fraud, mobile money scams, and fake loan applications, identifying 1,247 victims and seizing 2,341 devices and 1,442 malicious websites, domains, and servers. The operations were supported by data from private sector partners, including Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, The Shadowserver Foundation, Team Cymru, Trend Micro, TRM Labs, and Uppsala Security. Cybercrime now accounts for 30% of all reported crime in Western and Eastern Africa and is increasing rapidly elsewhere on the continent. Interpol's 2025 Africa Cyberthreat Assessment Report noted that two-thirds of African member countries claim cyber-related offenses now account for a 'medium-to-high' (i.e., 10-30% or 30%+) share of all crimes. 
Interpol director of cybercrime, Neal Jetton, warned that the scale and sophistication of cyber-attacks across Africa are accelerating, especially against critical sectors like finance and energy.
  • Unauthenticated Remote Code Execution in Grandstream GXP1600 VoIP Phones A critical vulnerability (CVE-2026-2329) in Grandstream GXP1600 series VoIP phones allows unauthenticated remote code execution (RCE) with root privileges. The flaw, a stack-based buffer overflow, stems from the device's web-based API service. The vulnerability affects multiple GXP1600 models and has been addressed in firmware version 1.0.7.81. Exploiting this flaw could enable attackers to extract stored credentials, intercept phone calls, and eavesdrop on VoIP conversations. The issue was discovered by Rapid7 researcher Stephen Fewer and demonstrated via a Metasploit exploit module. The exploitation process involves writing multiple null bytes to construct a return-oriented programming (ROP) chain, allowing attackers to silently eavesdrop on communications.
  • Spanish Court Orders NordVPN and ProtonVPN to Block LaLiga Piracy Streams A Spanish court has ordered NordVPN and ProtonVPN to block 16 websites facilitating piracy of LaLiga football matches. The order applies to a dynamic list of IP addresses in Spain and was issued without a hearing. LaLiga and Telefónica must preserve digital evidence of unlawful transmissions. The ruling aligns with similar decisions in France and recognizes VPN providers' liability for piracy. Both VPN providers have questioned the decision's validity and process. LaLiga has previously targeted Cloudflare for facilitating illegal sports streaming and demonstrated that VPN providers fall under the EU Digital Services Regulation. NordVPN criticized the blocking approach, suggesting that hosting providers should be targeted instead, and noted that free VPN services remain a loophole for piracy.
  • Remcos RAT Enhances Real-Time Surveillance and Evasion Techniques A new variant of Remcos RAT has been observed with expanded real-time surveillance capabilities and improved evasion techniques. This version establishes direct online communication with attacker-controlled servers, enabling immediate monitoring and data theft. The malware now streams webcam footage in real time and transmits captured keystrokes instantly, reducing forensic traces on infected Windows systems. Researchers from Point Wild's Lat61 Threat Intelligence team detailed the changes, noting the malware's use of dynamic API loading and runtime decryption to avoid detection.
  • OAuth Device Code Phishing Campaigns Target Microsoft 365 Accounts A surge in phishing campaigns exploiting Microsoft’s OAuth device code authorization flow has been observed, targeting Microsoft 365 accounts. Both state-aligned and financially motivated actors are using social engineering to trick users into approving malicious applications, leading to account takeover and data theft. The attacks leverage the OAuth 2.0 device authorization grant, a legitimate process designed for devices with limited input capabilities. Once victims enter a device code generated by an attacker-controlled application, the threat actor receives a valid access token, granting control over the compromised account. The campaigns use QR codes, embedded buttons, and hyperlinked text to initiate the attack chain, often claiming to involve document sharing, token reauthorization, or security verification. The growth of these campaigns is linked to readily available phishing tools like SquarePhish2 and Graphish, which simplify device code abuse and require limited technical skill. Proofpoint observed financially motivated actor TA2723 and Russia-linked group UNK_AcademicFlare adopting this technique, targeting various sectors in the US and Europe. The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare. The attacks involve using compromised email addresses belonging to government and military organizations to strike entities within government, think tanks, higher education, and transportation sectors in the U.S. and Europe. The adversary claims to share a link to a document that includes questions or topics for the email recipient to review before the meeting. The URL points to a Cloudflare Worker URL that mimics the compromised sender's Microsoft OneDrive account and instructs the victim to copy the provided code and click 'Next' to access the supposed document. 
Device code phishing was documented in detail by both Microsoft and Volexity in February 2025, attributing the use of the attack method to Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307. The October 2025 campaign is assessed to have been fueled by the ready availability of crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish. To counter the risk posed by device code phishing, the best option is to create a Conditional Access policy using the Authentication Flows condition to block device code flow for all users. If that's not feasible, it's advised to use a policy that uses an allow-list approach to allow device code authentication for approved users, operating systems, or IP ranges. Threat actors are now targeting technology, manufacturing, and financial organizations in campaigns that combine device code phishing and voice phishing (vishing) to abuse the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts. Unlike previous attacks that utilized malicious OAuth applications to compromise accounts, these campaigns instead leverage legitimate Microsoft OAuth client IDs and the device authorization flow to trick victims into authenticating. This provides attackers with valid authentication tokens that can be used to access the victim's account without relying on regular phishing sites that steal passwords or intercept multi-factor authentication codes.
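As an added defensive example that is not part of the original post or of any vendor's tooling: the allow-list mitigation described above (approved users, operating systems and IP ranges for device code authentication) applied as a detection over constructed sign-in events. The event field names and the 'deviceCode' protocol value are assumptions modelled on Entra sign-in log exports and should be checked against the real export schema before use.

```python
"""Flag OAuth device code flow sign-ins that fall outside an allow-list.

Added example, not code from the original post. Field names and the
'deviceCode' value of 'authenticationProtocol' are assumptions loosely
modelled on Entra sign-in log exports; verify them against your tenant.
"""
import ipaddress
import json

# Constructed sample export, one JSON object per line (not real log data).
SAMPLE_SIGNINS_JSONL = """\
{"userPrincipalName": "build-runner@example.org", "ipAddress": "203.0.113.10", "operatingSystem": "Linux", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI"}
{"userPrincipalName": "alice@example.org", "ipAddress": "198.51.100.77", "operatingSystem": "Windows 10", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office"}
{"userPrincipalName": "alice@example.org", "ipAddress": "198.51.100.77", "operatingSystem": "Windows 10", "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Office"}
{"userPrincipalName": "bob@example.org", "ipAddress": "203.0.113.22", "operatingSystem": "Windows 11", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office"}
"""

# Allow-list (constructed values): the only principals, platforms and source
# ranges that should ever complete a device code sign-in in this tenant.
POLICY = {
    "users": {"build-runner@example.org"},
    "os_prefixes": ("Linux",),
    "ip_ranges": [ipaddress.ip_network("203.0.113.0/24")],
}


def parse_jsonl(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_device_code(event):
    """Assumed marker for sign-ins completed via the device authorization grant."""
    return event.get("authenticationProtocol") == "deviceCode"


def policy_violations(event, policy=POLICY):
    """Return the allow-list dimensions this event fails (empty list = allowed)."""
    reasons = []
    if event.get("userPrincipalName") not in policy["users"]:
        reasons.append("user")
    if not str(event.get("operatingSystem", "")).startswith(policy["os_prefixes"]):
        reasons.append("os")
    try:
        ip = ipaddress.ip_address(event.get("ipAddress", ""))
        if not any(ip in net for net in policy["ip_ranges"]):
            reasons.append("ip")
    except ValueError:
        reasons.append("ip")  # a missing or malformed address is not trusted
    return reasons


def flag_device_code_signins(events, policy=POLICY):
    """Device code sign-ins outside the allow-list, with the reasons they failed.

    The application name is deliberately not a criterion: the campaigns above
    use legitimate Microsoft client IDs, so a trusted-looking app is no signal.
    """
    findings = []
    for event in events:
        if not is_device_code(event):
            continue
        reasons = policy_violations(event, policy)
        if reasons:
            findings.append({
                "user": event.get("userPrincipalName"),
                "ip": event.get("ipAddress"),
                "app": event.get("appDisplayName"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in flag_device_code_signins(parse_jsonl(SAMPLE_SIGNINS_JSONL)):
        print(f"device code sign-in outside allow-list: {finding}")
```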
  • Klopatra Android Trojan Conducts Nighttime Bank Transfers A new Android banking malware, Massiv, is posing as an IPTV app to steal digital identities and access online banking accounts. The malware targets users in Spain, Portugal, France, and Turkey, with a particular focus on a Portuguese government app connected to Chave Móvel Digital. Massiv uses screen overlays, keylogging, SMS interception, and remote control to obtain sensitive data and can open new accounts in the victim's name for money laundering and loans. The malware provides two remote control modes: screen live-streaming and UI-tree mode, which extracts structured data from the Accessibility Service. This trend of using IPTV apps as lures for Android malware infections has increased over the past eight months. Previously, the Klopatra Android Trojan was identified, capable of performing unauthorized bank transfers while the device is inactive. Klopatra targets users in Italy and Spain, with over 3,000 devices infected. It disguises itself as the Mobdro streaming app and IPTV applications, leveraging their popularity to bypass security measures. The malware employs advanced techniques to evade detection and analysis, including anti-sandboxing methods, a commercial packer, and Hidden Virtual Network Computing (VNC) for remote control. Klopatra operates during nighttime hours, draining victims' bank accounts without alerting them.
Last updated: 16:15 19/02/2026 UTC
  • Critical Pre-Auth RCE Vulnerability in BeyondTrust Remote Support and PRA BeyondTrust has patched a critical pre-authentication remote code execution (RCE) vulnerability (CVE-2026-1731, CVSS 9.9) in Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw could allow unauthenticated attackers to execute OS commands in the context of the site user, leading to unauthorized access, data exfiltration, and service disruption. The vulnerability affects RS versions 25.3.1 and prior, and PRA versions 24.3.4 and prior. Patches are available in RS versions 25.3.2 and later, and PRA versions 25.1.1 and later. Self-hosted customers must manually apply updates if not subscribed to automatic updates. The vulnerability was discovered on January 31, 2026, with approximately 11,000 exposed instances identified, including around 8,500 on-prem deployments. BeyondTrust secured all RS/PRA cloud systems by February 2, 2026. The flaw was discovered by Harsh Jaiswal and the Hacktron AI team. Threat actors can exploit the flaw through maliciously crafted client requests in low-complexity attacks that do not require user interaction. In June 2025, BeyondTrust fixed a high-severity RS/PRA Server-Side Template Injection vulnerability. Attackers have begun actively exploiting the CVE-2026-1731 vulnerability in the wild, abusing the get_portal_info endpoint to extract the x-ns-company value before establishing a WebSocket channel. A proof-of-concept exploit targeting the /get_portal_info endpoint was published on GitHub. CISA has added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) catalog and ordered U.S. government agencies to secure their systems against the flaw by February 16, 2026. CISA also added four other vulnerabilities to its KEV catalog, including CVE-2026-2441, CVE-2024-7694, CVE-2020-7796, and CVE-2008-0015. CVE-2026-2441 is a use-after-free vulnerability in Google Chrome with a CVSS score of 8.8. 
CVE-2024-7694 is an arbitrary file upload vulnerability in TeamT5 ThreatSonar Anti-Ransomware versions 3.4.5 and earlier with a CVSS score of 7.2. CVE-2020-7796 is a server-side request forgery (SSRF) vulnerability in Synacor Zimbra Collaboration Suite (ZCS) with a CVSS score of 9.8. CVE-2008-0015 is a stack-based buffer overflow vulnerability in Microsoft Windows Video ActiveX Control with a CVSS score of 8.8. Google acknowledged that an exploit for CVE-2026-2441 exists in the wild. A report published by threat intelligence firm GreyNoise in March 2025 revealed that a cluster of about 400 IP addresses was actively exploiting multiple SSRF vulnerabilities, including CVE-2020-7796, to target susceptible instances in the U.S., Germany, Singapore, India, Lithuania, and Japan. The exploit for CVE-2008-0015 may connect to a remote server and download other malware, including the Dogkild worm. Federal Civilian Executive Branch (FCEB) agencies are recommended to apply the necessary fixes by March 10, 2026, for optimal protection.
  • Zscaler Acquires SquareX to Enhance Browser Security Zscaler has acquired SquareX, a browser security firm, to integrate its Browser Detection and Response (BDR) solution into its Zero Trust Exchange platform. The acquisition aims to extend security to unmanaged devices, allowing organizations to secure users within their preferred browsers like Google Chrome and Microsoft Edge without needing a full agent or a separate enterprise browser. The deal closed on February 5, 2026, and is part of Zscaler's strategy to enhance its security capabilities. SquareX's technology provides real-time threat detection and response directly within the browser, addressing threats like malicious extensions, phishing, and data leakage. Zscaler plans to complete the integration within the next few months, anticipating rapid demand despite SquareX's relatively small installed base.
  • VoidLink Malware Framework Targets Cloud and Container Environments VoidLink is a Linux-based command-and-control (C2) framework capable of long-term intrusion across cloud and enterprise environments. The malware generates implant binaries designed for credential theft, data exfiltration, and stealthy persistence on compromised systems. VoidLink combines multi-cloud targeting with container and kernel awareness in a single Linux implant, fingerprinting environments across major cloud providers and adjusting its behavior based on what it finds. The implant harvests credentials from environment variables, configuration files, and metadata APIs, and profiles security controls, kernel versions, and container runtimes before activating additional modules. VoidLink employs a modular plugin-based architecture that loads functionality as needed, including credential harvesting, environment fingerprinting, container escape, Kubernetes privilege escalation, and kernel-level stealth. The malware uses AES-256-GCM over HTTPS for encrypted C2 traffic, designed to resemble normal web activity. VoidLink stands out for its apparent development using a large language model (LLM) coding agent with limited human review, as indicated by unusual development artifacts such as structured "Phase X:" labels, verbose debug logs, and documentation left inside the production binary. The research concludes that VoidLink is not a proof-of-concept but an operational implant with live infrastructure, highlighting how AI-assisted development is lowering the barrier to producing functional, modular, and hard-to-detect malware. A previously unknown threat actor tracked as UAT-9921 has been observed leveraging VoidLink in campaigns targeting the technology and financial services sectors. UAT-9921 has been active since 2019, although they have not necessarily used VoidLink over the duration of their activity. 
The threat actor uses compromised hosts to install VoidLink command-and-control (C2), which are then used to launch scanning activities both internal and external to the network. VoidLink is deployed as a post-compromise tool, allowing the adversary to sidestep detection. The threat actor has been observed deploying a SOCKS proxy on compromised servers to launch scans for internal reconnaissance and lateral movement using open-source tools like Fscan. VoidLink uses three different programming languages: ZigLang for the implant, C for the plugins, and GoLang for the backend. The framework supports compilation on demand for plugins, providing support for the different Linux distributions that might be targeted. The plugins allow for gathering information, lateral movement, and anti-forensics. VoidLink comes fitted with a wide range of stealth mechanisms to hinder analysis, prevent its removal from the infected hosts, and even detect endpoint detection and response (EDR) solutions and devise an evasion strategy on the fly. VoidLink has an auditability feature and a role-based access control (RBAC) mechanism, which consists of three role levels: SuperAdmin, Operator, and Viewer. There are signs that there exists a main implant that has been compiled for Windows and can load plugins via a technique called DLL side-loading.
  • UNC5518 Access-as-a-Service Campaign via ClickFix and Fake CAPTCHA Pages Microsoft and Malwarebytes have disclosed a DNS-based ClickFix variant that marks the first documented use of the `nslookup` command to stage and deliver malicious payloads. This technique abuses DNS queries to retrieve a PowerShell script embedded in the `NAME:` field of a DNS response from an attacker-controlled server (84[.]21.189[.]20), which then deploys ModeloRAT via a Python runtime and VBScript persistence mechanism. The attack chain begins with fake CAPTCHA lures, followed by social engineering tactics (e.g., fake system alerts, browser crashes, or instructional videos) to coerce victims into executing the `nslookup` command, which downloads a ZIP archive containing the final payload. This evolution builds on earlier ClickFix tactics, including ConsentFix (Azure CLI OAuth abuse), CrashFix (malicious Chrome extensions triggering browser crashes), and SyncAppvPublishingServer.vbs (Google Calendar dead drops). The latest DNS-based approach demonstrates the campaign’s adaptability, leveraging trusted native tools (`nslookup`), DNS as a C2 channel, and psychological manipulation (urgency tactics) to bypass security controls. Concurrently, ClickFix campaigns continue to expand with cross-platform targeting (Windows/Linux/macOS), AI platform abuse (ChatGPT, Grok, Claude), and weaponized SaaS infrastructure (Google Groups, Pastebin) to distribute payloads like Lumma Stealer and Odyssey Stealer. The integration of DNS staging, browser-native execution, and multi-stage loaders underscores the campaign’s resilience despite 2025 law enforcement disruptions, with actors refining tradecraft to maximize evasion via social engineering, steganography, and legitimate service abuse.
  • Russian Threat Actors Target Ukrainian and Polish Organizations with Data-Wiping Malware and LotL Tactics Russian threat actors, specifically the Sandworm group, have targeted Ukrainian organizations and Poland's power sector using living-off-the-land (LotL) tactics and deploying data-wiping malware. The attacks, which began in June 2025, involved minimal malware to reduce detection and included the use of web shells and legitimate tools for reconnaissance and data theft. The threat actors exploited unpatched vulnerabilities to deploy web shells on public-facing servers, gaining initial access. They then used various tactics, including PowerShell commands, scheduled tasks, and legitimate software, to evade detection and perform reconnaissance. The attacks were characterized by the use of legitimate tools and minimal malware, demonstrating the actors' deep knowledge of Windows native tools. In addition to LotL tactics, Sandworm deployed multiple data-wiping malware families in June and September 2025, targeting Ukraine's education, government, and grain sectors. The grain sector, a vital economic sector, was targeted to disrupt Ukraine's war economy. The data-wiping malware used included ZeroLot and Sting, with initial access achieved by UAC-0099, who then transferred access to APT44 for wiper deployment. The activity is confirmed to be of Russian origin, with specific attribution to the Sandworm group. In December 2025, Sandworm targeted Poland's power sector with a new wiper malware called DynoWiper, aiming to disrupt the energy infrastructure. The attack, which occurred on December 29 and 30, 2025, targeted two combined heat and power (CHP) plants and a system managing renewable energy sources. The attack was unsuccessful in causing disruption, and Polish authorities attributed it to Russian services. The attack coincided with the tenth anniversary of Sandworm's 2015 attack on Ukraine's power grid. 
A new Russia-aligned threat activity cluster, InedibleOchotense, impersonated ESET in phishing attacks targeting Ukrainian entities starting in May 2025. This campaign involved sending spear-phishing emails and Signal text messages containing links to trojanized ESET installers, which delivered the Kalambur backdoor. InedibleOchotense is linked to the Sandworm (APT44) hacking group and has been observed conducting destructive campaigns in Ukraine, including the deployment of wiper malware ZEROLOT and Sting. Another Russia-aligned threat actor, RomCom, launched spear-phishing campaigns in mid-July 2025 exploiting a WinRAR vulnerability (CVE-2025-8088) targeting various sectors in Europe and Canada. RomCom also targeted a U.S.-based civil engineering company via a JavaScript loader dubbed SocGholish to deliver the Mythic Agent. The activity has been attributed with medium-to-high confidence to Unit 29155 of Russia's Main Directorate of the General Staff of the Armed Forces of the Russian Federation, also known as GRU. The targeted entity had worked for a city with close ties to Ukraine in the past. The ESET report noted that other Russian-aligned APT groups also maintained their focus on Ukraine and countries with strategic ties to Ukraine, while also expanding their operations to European entities. Gamaredon remained the most active APT group targeting Ukraine, with a noticeable increase in intensity and frequency of its operations during the reported period. Gamaredon selectively deployed one of Turla’s backdoors, indicating a rare instance of cooperation between Russia-aligned APT groups. Gamaredon’s toolset continued to evolve, incorporating new file stealers or tunneling services. The cyber attack on the Polish power grid in December 2025 was attributed with medium confidence to a Russian state-sponsored hacking group known as ELECTRUM. 
The attack targeted distributed energy resources (DERs) and affected communication and control systems at combined heat and power (CHP) facilities and systems managing renewable energy sources. ELECTRUM and KAMACITE share overlaps with the Sandworm cluster, with KAMACITE focusing on initial access and ELECTRUM conducting operations that bridge IT and OT environments. The attackers gained access to operational technology systems critical to grid operations and disabled key equipment beyond repair at the site. The attack was opportunistic and rushed, with the hackers attempting to inflict as much damage as possible by wiping Windows-based devices and resetting configurations. The majority of the equipment targeted was related to grid safety and stability monitoring. The coordinated attack on Poland's power grid in late December targeted multiple distributed energy resource (DER) sites across the country, including combined heat and power (CHP) facilities and wind and solar dispatch systems. Although the attacker compromised operational technology (OT) systems, damaging "key equipment beyond repair," they failed to disrupt power at the affected sites, which together total 1.2 GW, or 5% of Poland’s energy supply. Based on public reports, there are at least 12 confirmed affected sites. However, researchers at Dragos, an operational technology (OT) and industrial control systems (ICS) security company, say that the number is approximately 30. Dragos attributes the attack with moderate confidence to a Russian threat actor it tracks as Electrum; although Electrum overlaps with Sandworm (APT44), the researchers underline that it is a distinct activity cluster. Electrum targeted exposed and vulnerable systems involved in dispatch and grid-facing communication, remote terminal units (RTUs), network edge devices, monitoring and control systems, and Windows-based machines at DER sites.
Electrum successfully disabled communications equipment at multiple sites, resulting in a loss of remote monitoring and control, but power generation on the units continued without interruption. Certain OT/ICS devices were disabled, and their configurations were corrupted beyond recovery, while Windows systems at the sites were wiped. Even if the attacks had been successful in cutting the power, the relatively narrow targeting scope wouldn’t have been enough to cause a nationwide blackout in Poland. However, they could have caused significant destabilization of the system frequency. "Such frequency deviations have caused cascading failures in other electrical systems, including the 2025 Iberian grid collapse," the researchers say. CERT Polska revealed that coordinated cyber attacks targeted more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power plant (CHP) in Poland on December 29, 2025. The attacks were attributed to a threat cluster dubbed Static Tundra, which is linked to Russia's Federal Security Service's (FSB) Center 16 unit. The attacks had a purely destructive objective but did not affect the ongoing production of electricity or the heat supply to end users. The attackers gained access to the internal network of power substations associated with a renewable energy facility to carry out reconnaissance and disruptive activities, including damaging the firmware of controllers, deleting system files, or launching custom-built wiper malware codenamed DynoWiper. In the intrusion aimed at the CHP, the adversary engaged in long-term data theft dating back to March 2025, enabling them to escalate privileges and move laterally across the network. The attackers' attempts to detonate the wiper malware were unsuccessful. The targeting of the manufacturing sector company is believed to be opportunistic, with the threat actor gaining initial access via a vulnerable Fortinet perimeter device. 
At least four different versions of DynoWiper have been discovered to date. The wiper's functionality involves initializing a pseudorandom number generator (PRNG) called Mersenne Twister, enumerating files and corrupting them using the PRNG, and deleting files. The malware does not have a persistence mechanism, a way to communicate with a command-and-control (C2) server, or execute shell commands, and it does not attempt to hide the activity from security programs. The attack targeting the manufacturing sector company involved the use of a PowerShell-based wiper dubbed LazyWiper, a script that overwrites files on the system with pseudorandom 32-byte sequences to render them unrecoverable. The malware used in the incident involving renewable energy farms was executed directly on the HMI machine. In the CHP plant and the manufacturing sector company, the malware was distributed within the Active Directory domain via a PowerShell script executed on a domain controller. The attacker used credentials obtained from the on-premises environment in attempts to gain access to cloud services, downloading selected data from services such as Exchange, Teams, and SharePoint. The attacker was particularly interested in files and email messages related to OT network modernization, SCADA systems, and technical work carried out within the organizations. The attack on Poland's energy sector in December 2025 was the first large-scale attack against decentralized energy resources (DERs) like wind turbines and solar farms. The attack occurred during a period when Poland was struggling with low temperatures and snowstorms just before the New Year. Dragos assessed with moderate confidence that the activity reflects tradecraft and objectives in line with the Electrum threat group, which overlaps with Sandworm. Electrum has worked alongside another threat actor, tracked as Kamacite, to conduct destructive attacks against Ukrainian ISPs and persistent scanning of industrial devices in the US.
Kamacite gained initial access and persistence against organizations, and Electrum executed follow-on activity. Dragos has tracked Kamacite activities against the European ICS/OT supply chain since late 2024. The attack on Poland's energy sector was significant because it was the first major attack against decentralized energy resources (DERs). There was no evidence that the adversary had full control of the DERs, and there was no attempt to mis-operate these resources. Poland was fortunate because DERs make up a smaller portion of its energy portfolio than some other countries. If this same style of attack happened in the US, Australia, or certain parts of Europe where DERs are more prevalent, it could have been potentially catastrophic for the system. The attack highlighted the ongoing threat faced by the energy sector, with threat actors gaining initial access through vulnerable Internet-facing edge devices before deploying wipers that damaged remote terminal units (RTUs). CISA advised OT operators to prioritize updates that allow firmware verification and to immediately change default passwords on things like edge devices. Dragos recommended that organizations ensure architecture is defensible through methods like strict authorization practices, OT/IT segmentation, strict vendor access governance, secure remote access, and ICS network visibility and monitoring.
  • PhantomCaptcha Campaign and CANFAIL Malware Attacks Targeting Ukraine Aid and Government Groups A coordinated spear-phishing campaign, dubbed PhantomCaptcha, targeted organizations involved in Ukraine's war relief efforts. The campaign delivered a remote access trojan (RAT) using a WebSocket for command-and-control (C2). The attack took place on October 8, 2025, and impersonated the Ukrainian President's Office, using weaponized PDFs and fake Zoom meetings to trick victims into executing malicious PowerShell commands. The malware performed reconnaissance and enabled remote command execution and data exfiltration. The campaign targeted members of the International Red Cross, Norwegian Refugee Council, UNICEF Ukraine, Council of Europe's Register of Damage for Ukraine, and Ukrainian regional government administrations. The malware was hosted on Russian-owned infrastructure and connected to a remote WebSocket server for C2 operations. The campaign took six months to prepare and involved a sophisticated multi-stage spear-phishing operation, with the weaponized PDF appearing as a legitimate governmental communique. The attack chain included a heavily obfuscated PowerShell downloader to bypass signature-based defenses and hinder analysis. The second-stage payload collected various user data, which was XOR-encrypted and sent to the C2 server. The final payload was a lightweight PowerShell backdoor that repeatedly reconnected to the remote WebSocket server. The campaign demonstrated extensive operational planning, compartmentalized infrastructure, and deliberate exposure control, with the infrastructure active only for a single day. Attacks targeting Ukrainian organizations with malware known as CANFAIL have been attributed to a previously undocumented threat actor. Google Threat Intelligence Group (GTIG) described the group as possibly affiliated with Russian intelligence services.
The threat actor is assessed to have targeted defense, military, government, and energy organizations within the Ukrainian regional and national governments. The group has also exhibited growing interest in aerospace organizations, manufacturing companies with military and drone ties, nuclear and chemical research organizations, and international organizations involved in conflict monitoring and humanitarian aid in Ukraine.

Latest updates

Abu Dhabi Finance Week Cloud Storage Leak Exposes VIP Attendee Data

Updated: · First: 19.02.2026 22:50 · 📰 1 src / 1 articles

Abu Dhabi Finance Week (ADFW) organizers inadvertently exposed passport details and other identity information of approximately 700 attendees, including former British Prime Minister David Cameron and former White House communications director Anthony Scaramucci. The data was found unprotected on a cloud storage system associated with ADFW, accessible via off-the-shelf scanning software. The leak included passports, ID cards, and thousands of other documents, potentially exposed for at least two months. ADFW secured the server after being notified by the Financial Times, which reported the incident. The exposure poses reputational risks for Abu Dhabi as it seeks to establish itself as a global financial center.

PromptSpy Android Malware Uses Gemini AI for Persistence

Updated: · First: 19.02.2026 19:52 · 📰 1 src / 1 articles

A new Android malware named PromptSpy abuses Google's Gemini AI to maintain persistence by keeping itself pinned in the recent apps list. The malware captures lockscreen data, blocks uninstallation, gathers device information, takes screenshots, and records screen activity. It communicates with a command-and-control (C2) server and is distributed via a dedicated website targeting users in Argentina. The malware is an advanced version of VNCSpy and is likely financially motivated.

Large-scale Africa-wide cybercrime crackdown arrests over 1,200 suspects

Updated: 19.02.2026 19:50 · First: 22.08.2025 13:08 · 📰 9 src / 12 articles

Operation Serengeti 2.0, an INTERPOL-led international operation, resulted in the arrest of 1,209 cybercriminals across Africa. The operation targeted cross-border cybercrime gangs involved in ransomware, online scams, and business email compromise (BEC). The operation, conducted from June to August 2025, involved law enforcement from 18 African countries and the UK. Authorities seized $97.4 million and dismantled 11,432 malicious infrastructures linked to attacks on 88,000 victims worldwide. Following this, Operation Sentinel, conducted between October 27 and November 27, 2025, led to the arrest of 574 individuals and the recovery of $3 million linked to business email compromise, extortion, and ransomware incidents. The operation took down more than 6,000 malicious links and decrypted six distinct ransomware variants. The cybercrime cases investigated are connected to more than $21 million in financial losses. Most recently, Operation Red Card 2.0, conducted between December 8, 2025, and January 30, 2026, resulted in the arrest of 651 suspects and the recovery of over $4.3 million. The operation targeted investment fraud, mobile money scams, and fake loan applications, identifying 1,247 victims and seizing 2,341 devices and 1,442 malicious websites, domains, and servers. The operation involved law enforcement agencies from 16 African countries: Angola, Benin, Cameroon, Côte d'Ivoire, Chad, Gabon, Gambia, Ghana, Kenya, Namibia, Nigeria, Rwanda, Senegal, Uganda, Zambia, and Zimbabwe. The operations were supported by data from private sector partners, including Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, The Shadowserver Foundation, Team Cymru, Trend Micro, TRM Labs, and Uppsala Security. Cybercrime now accounts for 30% of all reported crime in Western and Eastern Africa and is increasing rapidly elsewhere on the continent. 
Interpol's 2025 Africa Cyberthreat Assessment Report noted that two-thirds of African member countries claim cyber-related offenses now account for a 'medium-to-high' (i.e., 10-30% or 30%+) share of all crimes. Interpol director of cybercrime, Neal Jetton, warned that the scale and sophistication of cyber-attacks across Africa are accelerating, especially against critical sectors like finance and energy.

Privilege Escalation Flaw in Windows Admin Center Patched

Updated: · First: 19.02.2026 19:40 · 📰 1 src / 1 articles

Microsoft has patched a high-severity privilege escalation vulnerability (CVE-2026-26119) in Windows Admin Center, a browser-based management tool. The flaw, with a CVSS score of 8.8, could allow authenticated attackers to escalate privileges over a network. The vulnerability was discovered by Semperis researcher Andrea Pierini and was addressed in version 2511 released in December 2025. While not confirmed to be exploited in the wild, it has been assessed as 'Exploitation More Likely'.

Unauthenticated Remote Code Execution in Grandstream GXP1600 VoIP Phones

Updated: 19.02.2026 19:16 · First: 18.02.2026 18:35 · 📰 2 src / 2 articles

A critical vulnerability (CVE-2026-2329) in Grandstream GXP1600 series VoIP phones allows unauthenticated remote code execution (RCE) with root privileges. The flaw, a stack-based buffer overflow, stems from the device's web-based API service. The vulnerability affects multiple GXP1600 models and has been addressed in firmware version 1.0.7.81. Exploiting this flaw could enable attackers to extract stored credentials, intercept phone calls, and eavesdrop on VoIP conversations. The issue was discovered by Rapid7 researcher Stephen Fewer and demonstrated via a Metasploit exploit module. The exploitation process involves writing multiple null bytes to construct a return-oriented programming (ROP) chain, allowing attackers to silently eavesdrop on communications.

Google Play Security Measures Block 1.75 Million App Submissions in 2025

Updated: · First: 19.02.2026 19:00 · 📰 1 src / 1 articles

In 2025, Google blocked over 1.75 million app submissions to the Google Play Store due to policy violations and rejected 255,000 apps from accessing sensitive user data. The company implemented over 10,000 safety checks and integrated AI models to enhance detection capabilities. Additionally, Google banned 80,000 bad developer accounts and blocked 160 million spam ratings to protect user perception. Play Protect identified 27 million malicious sideloaded apps and blocked 266 million installation attempts from risky apps. The Play Integrity API now processes over 20 billion checks daily, and Android 16 introduced protections against tapjacking attacks.

Remcos RAT Enhances Real-Time Surveillance and Evasion Techniques

Updated: · First: 19.02.2026 18:30 · 📰 1 src / 1 articles

A new variant of Remcos RAT has been observed with expanded real-time surveillance capabilities and improved evasion techniques. This version establishes direct online communication with attacker-controlled servers, enabling immediate monitoring and data theft. The malware now streams webcam footage in real time and transmits captured keystrokes instantly, reducing forensic traces on infected Windows systems. Researchers from Point Wild's Lat61 Threat Intelligence team detailed the changes, noting the malware's use of dynamic API loading and runtime decryption to avoid detection.

Chinese APT Group Exploits Dell Zero-Day for Two Years

Updated: 19.02.2026 17:30 · First: 18.02.2026 12:10 · 📰 2 src / 3 articles

A Chinese APT group, identified as UNC6201, has been exploiting a critical zero-day vulnerability (CVE-2026-22769) in Dell's RecoverPoint for Virtual Machines since mid-2024. The flaw, a hardcoded credential bug with a CVSS score of 10.0, allows unauthenticated attackers to gain root-level access and maintain persistence. The group has used this vulnerability to deploy malware, including Slaystyle, Brickstorm, and a new backdoor called Grimbolt. Mandiant has also observed novel tactics such as creating ghost NICs and using iptables for single packet authorization (SPA). CISA has ordered federal agencies to patch the vulnerability within three days, highlighting its active exploitation and significant risk to federal systems.

GoldFactory Deploys Modified Banking Apps in Southeast Asia

Updated: 19.02.2026 17:30 · First: 04.12.2025 11:27 · 📰 2 src / 3 articles

GoldFactory, a financially motivated cybercrime group, has been targeting mobile users in Indonesia, Thailand, and Vietnam since October 2024. The group distributes modified banking applications that act as conduits for Android malware, leading to over 11,000 infections. The malware impersonates government services and trusted local brands to trick victims into installing the malicious apps, which then abuse Android's accessibility services for remote control and data theft. In July 2025, GoldFactory launched a sophisticated fraud campaign targeting Indonesia's Coretax tax platform, intensifying in January 2026. This campaign impersonated Coretax to trick users into installing malicious mobile applications, resulting in an estimated $1.5m to $2m in financial impact. The operation involved phishing websites, WhatsApp impersonation, and vishing calls to direct victims to download fraudulent APK files, deploying multiple malware families including Gigabud.RAT and MMRat.

Infostealers Exploit Stolen Credentials to Construct Real Identities

Updated: · First: 19.02.2026 17:05 · 📰 1 src / 1 articles

Infostealers are increasingly targeting both personal and corporate users, harvesting credentials, session data, and user activity. Researchers analyzed 90,000 leaked infostealer dumps containing over 800 million rows of data, revealing how attackers associate technical data with real users, organizations, and behavioral patterns. This convergence collapses the boundary between personal and professional identities, escalating enterprise-level risks. The datasets included credentials, browser cookies, browsing history, and system-level files, enabling attackers to identify individuals, their employers, and roles within organizations. This data is used for targeted phishing, social engineering, and extortion, with significant implications for both personal and corporate security.

OpenSSL RCE Vulnerability Patched

Updated: · First: 19.02.2026 16:35 · 📰 1 src / 1 articles

The OpenSSL project has addressed a critical stack buffer overflow flaw (CVE-2025-15467) that could lead to remote code execution (RCE) under specific conditions. This vulnerability resides in the processing of Cryptographic Message Syntax (CMS) data with maliciously crafted AEAD parameters. The flaw is part of a broader set of 12 vulnerabilities disclosed by AISLE, including another high-severity issue (CVE-2025-11187) that could trigger a stack-based buffer overflow due to missing validation. The OpenSSL team has released patches to mitigate these vulnerabilities, urging users to update their systems to prevent potential exploitation. This development highlights the ongoing need for vigilance in securing cryptographic libraries, which are fundamental to many digital security protocols.

Nigerian National Sentenced for Tax Firm Hacking and Fraudulent Refunds

Updated: · First: 19.02.2026 15:51 · 📰 1 src / 1 articles

Matthew Abiodun Akande, a 37-year-old Nigerian national, was sentenced to eight years in prison for hacking multiple tax preparation firms in Massachusetts. He stole clients' personal information to file over 1,000 fraudulent tax returns, seeking $8.1 million in refunds and successfully obtaining $1.3 million between June 2016 and June 2021. Akande used Warzone RAT malware and phishing emails to gain access to the firms' systems. Akande was arrested in October 2024 at London's Heathrow Airport and extradited to the United States in March 2025. He was indicted by a federal grand jury in July 2022 while living in Mexico.

Record High in Industrial Control System Vulnerabilities Reported in 2025

Updated: · First: 19.02.2026 15:00 · 📰 1 src / 1 articles

In 2025, the number of industrial control system (ICS) security advisories exceeded 500 for the first time, with a significant increase in the severity of vulnerabilities. The total number of CVEs published reached 2155 across 508 advisories, up from 103 CVEs in 67 advisories in 2011. The average CVSS score of advisories also climbed to above 8.0 in 2024 and 2025, indicating more severe vulnerabilities. The most affected asset types included Purdue Level 1 devices, Level 3 operations systems, Level 2 control systems, and industrial network infrastructure. Critical manufacturing and energy sectors were the most impacted, with transportation and healthcare also experiencing notable increases in vulnerabilities.

U.S. Proposed Ban on TP-Link Networking Gear

Updated: 19.02.2026 14:36 · First: 09.11.2025 20:14 · 📰 2 src / 2 articles

The U.S. government is considering a ban on the sale of TP-Link networking devices due to national security concerns over the company's ties to China. TP-Link denies these allegations, maintaining it operates independently and manufactures its products in Vietnam. Texas has sued TP-Link for deceptive marketing and allowing Chinese state-backed hackers to exploit firmware vulnerabilities. The ban is supported by multiple federal agencies and follows reports of Chinese state-sponsored hacking groups exploiting vulnerabilities in TP-Link routers. The proposed ban highlights broader issues with the security of consumer-grade routers, which often ship with outdated firmware and default settings that can be easily compromised.

OAuth Device Code Phishing Campaigns Target Microsoft 365 Accounts

Updated: 19.02.2026 14:30 · First: 18.12.2025 18:00 · 📰 4 src / 5 articles

A surge in phishing campaigns exploiting Microsoft’s OAuth device code authorization flow has been observed, targeting Microsoft 365 accounts. Both state-aligned and financially motivated actors are using social engineering to trick users into approving malicious applications, leading to account takeover and data theft. The attacks leverage the OAuth 2.0 device authorization grant, a legitimate process designed for devices with limited input capabilities. Once victims enter a device code generated by an attacker-controlled application, the threat actor receives a valid access token, granting control over the compromised account. The campaigns use QR codes, embedded buttons, and hyperlinked text to initiate the attack chain, often claiming to involve document sharing, token reauthorization, or security verification. The growth of these campaigns is linked to readily available phishing tools like SquarePhish2 and Graphish, which simplify device code abuse and require limited technical skill. Proofpoint observed financially motivated actor TA2723 and Russia-linked group UNK_AcademicFlare adopting this technique, targeting various sectors in the US and Europe. The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare. The attacks involve using compromised email addresses belonging to government and military organizations to strike entities within government, think tanks, higher education, and transportation sectors in the U.S. and Europe. The adversary claims to share a link to a document that includes questions or topics for the email recipient to review before the meeting. The link points to a Cloudflare Worker URL that mimics the compromised sender's Microsoft OneDrive account and instructs the victim to copy the provided code and click 'Next' to access the supposed document.
Device code phishing was documented in detail by both Microsoft and Volexity in February 2025, attributing the use of the attack method to Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307. The October 2025 campaign is assessed to have been fueled by the ready availability of crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish. To counter the risk posed by device code phishing, the best option is to create a Conditional Access policy using the Authentication Flows condition to block device code flow for all users. If that is not feasible, it is advised to use a policy that takes an allow-list approach, permitting device code authentication only for approved users, operating systems, or IP ranges. Threat actors are now targeting technology, manufacturing, and financial organizations in campaigns that combine device code phishing and voice phishing (vishing) to abuse the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts. Unlike previous attacks that utilized malicious OAuth applications to compromise accounts, these campaigns instead leverage legitimate Microsoft OAuth client IDs and the device authorization flow to trick victims into authenticating. This provides attackers with valid authentication tokens that can be used to access the victim's account without relying on regular phishing sites that steal passwords or intercept multi-factor authentication codes.

Starkiller Phishing Kit Bypasses MFA via Proxy-Based Attacks

Updated: · First: 19.02.2026 14:00 · 📰 1 src / 1 articles

A new phishing kit called Starkiller has emerged, allowing attackers to bypass multi-factor authentication (MFA) by proxying legitimate login pages. The kit is distributed as a subscription-based service on the dark web, offering real-time session monitoring and keylogging capabilities. It mimics login pages of major services like Google, Microsoft, and banks, routing traffic through attacker-controlled infrastructure to steal credentials and authentication tokens. Starkiller uses a headless Chrome instance to serve genuine page content, making it difficult for security vendors to detect or block. The toolkit is sold with updates and customer support, posing a significant escalation in phishing infrastructure.

AI-Driven Attack Acceleration and New Attack Surfaces

Updated: · First: 19.02.2026 13:55 · 📰 1 src / 1 articles

AI-powered adversarial systems are significantly reducing the time between exposure and exploitation, leveraging machine speed and scale to identify and exploit vulnerabilities faster than traditional security teams can respond. This acceleration is driven by AI's ability to automate reconnaissance, simulate attack sequences, and prioritize exploitable vulnerabilities. Additionally, AI adoption introduces new attack surfaces, including Model Context Protocol (MCP) vulnerabilities and supply chain hallucinations.

Critical vulnerabilities in popular VSCode extensions enable RCE and file theft

Updated: 19.02.2026 12:45 · First: 17.02.2026 23:27 · 📰 3 src / 3 articles

Multiple high-to-critical severity vulnerabilities in popular VSCode extensions, collectively downloaded over 128 million times, expose developers to remote code execution (RCE) and file theft. The affected extensions include Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview. Researchers at Ox Security discovered these flaws in June 2025 but received no response from maintainers. Exploitation could lead to lateral movement, data exfiltration, and system takeover in corporate environments. Microsoft silently fixed the Live Preview vulnerability in version 0.4.16 released in September 2025. The vulnerabilities also affect AI-powered IDEs Cursor and Windsurf.

Klopatra Android Trojan Conducts Nighttime Bank Transfers

Updated: 19.02.2026 12:24 · First: 30.09.2025 23:28 · 📰 5 src / 5 articles

A new Android banking malware, Massiv, is posing as an IPTV app to steal digital identities and access online banking accounts. The malware targets users in Spain, Portugal, France, and Turkey, with a particular focus on a Portuguese government app connected to Chave Móvel Digital. Massiv uses screen overlays, keylogging, SMS interception, and remote control to obtain sensitive data and can open new accounts in the victim's name for money laundering and loans. The malware provides two remote control modes: screen live-streaming and UI-tree mode, which extracts structured data from the Accessibility Service. This trend of using IPTV apps as lures for Android malware infections has increased over the past eight months. Previously, the Klopatra Android Trojan was identified, capable of performing unauthorized bank transfers while the device is inactive. Klopatra targets users in Italy and Spain, with over 3,000 devices infected. It disguises itself as the Mobdro streaming app and IPTV applications, leveraging their popularity to bypass security measures. The malware employs advanced techniques to evade detection and analysis, including anti-sandboxing methods, a commercial packer, and Hidden Virtual Network Computing (VNC) for remote control. Klopatra operates during nighttime hours, draining victims' bank accounts without alerting them.

Six New OpenClaw Vulnerabilities Patched

Updated: · First: 19.02.2026 12:00 · 📰 1 src / 1 articles

OpenClaw has patched six new vulnerabilities in its agentic AI assistant, including server-side request forgery (SSRF), missing authentication, and path traversal bugs. The vulnerabilities range from moderate to high severity, with some lacking CVE IDs. The flaws affect various components, including the Gateway tool, Telnyx webhook authentication, and browser upload functionality. Endor Labs highlighted the importance of data flow analysis and defense-in-depth validation for AI agent infrastructure. The research also revealed ongoing security concerns, such as misconfigured instances exposed to the public internet and the risk of indirect prompt injection. One additional vulnerability remains unpatched, and major security concerns persist over OpenClaw's undocumented enterprise use.

CRESCENTHARVEST Campaign Targets Iran Protest Supporters with RAT Malware

Updated: · First: 19.02.2026 10:13 · 📰 1 src / 1 articles

A new campaign, CRESCENTHARVEST, targets supporters of Iran's ongoing protests to conduct information theft and long-term espionage. The campaign delivers a remote access trojan (RAT) and information stealer to execute commands, log keystrokes, and exfiltrate sensitive data. The attacks exploit geopolitical developments to lure victims into opening malicious .LNK files disguised as protest-related images or videos. The campaign is believed to be the work of an Iran-aligned threat group and is the second such campaign identified targeting individuals involved in the nationwide protests in Iran that began towards the end of 2025.

Gemini Chatbot Abused in Fake Crypto Scam

Updated: · First: 18.02.2026 23:47 · 📰 1 src / 1 articles

Cybercriminals have created a fake cryptocurrency called 'Google Coin' and used a Gemini chatbot to convince people to buy it. The scam involves a professional-looking presale site mimicking Google's branding and a chatbot impersonating Google's AI assistant. The chatbot provides a polished sales pitch, ultimately leading victims to send irreversible crypto payments to attackers. This scam demonstrates the evolving use of AI by malicious actors to amplify financially motivated campaigns.

Critical Authentication Bypass Flaw in Honeywell CCTV Systems

Updated: · First: 18.02.2026 22:58 · 📰 1 src / 1 articles

A critical vulnerability (CVE-2026-1670) in multiple Honeywell CCTV products allows unauthenticated attackers to change recovery email addresses, enabling account takeover and unauthorized access to camera feeds. The flaw, rated 9.8 in severity, affects mid-level surveillance products used in commercial, industrial, and critical infrastructure settings. As of February 17, 2026, no public exploitation has been reported, but CISA advises mitigations to reduce risk.

Email Bombing Exploits Cognitive Overload for Fraud and Harassment

Updated: · First: 18.02.2026 22:56 · 📰 1 src / 1 articles

Email bombing, a technique used to overwhelm inboxes, is exploited for both fraud and harassment by targeting cognitive overload. This method buries critical information under a deluge of emails, making it difficult for victims to process important messages. The same tactic is employed in harassment to silence victims and in fraud to hide evidence, highlighting a shared attack surface. This reveals a blind spot in threat intelligence, where defenses are organized around adversary types rather than human vulnerabilities.

AI Assistants Abused as Command-and-Control Proxies

Updated: 18.02.2026 22:18 · First: 17.02.2026 20:08 · 📰 3 src / 3 articles

Researchers have demonstrated that AI assistants like Microsoft Copilot and xAI Grok can be exploited as command-and-control (C2) proxies. This technique leverages the AI's web-browsing capabilities to create a bidirectional communication channel for malware operations, enabling attackers to blend into legitimate enterprise communications and evade detection. The method, codenamed AI as a C2 proxy, allows attackers to generate reconnaissance workflows, script actions, and dynamically decide the next steps during an intrusion. The attack requires prior compromise of a machine and installation of malware, which then uses the AI assistant as a C2 channel through specially crafted prompts. This approach bypasses traditional defenses like API key revocation or account suspension. According to new findings from Check Point Research (CPR), platforms including Grok and Microsoft Copilot can be manipulated through their public web interfaces to fetch attacker-controlled URLs and return responses. The AI service acts as a proxy, relaying commands to infected machines and sending stolen data back out, without requiring an API key or even a registered account. The method relies on AI assistants that support URL fetching and content summarization, allowing attackers to tunnel encoded data through query parameters and receive embedded commands in the AI's reply. Malware can interact with the AI interface invisibly using a WebView2 browser component inside a C++ program. The research also outlined a broader trend: malware that integrates AI into its runtime decision-making, sending host information to a model and receiving guidance on actions to prioritize.

Predator Spyware Exploits Zero-Click Infection Vector via Malicious Ads

Updated: 18.02.2026 19:30 · First: 04.12.2025 22:47 · 📰 4 src / 5 articles

Predator spyware, developed by Intellexa, has been using a zero-click infection mechanism called Aladdin, which infects targets by displaying malicious advertisements. This vector is hidden behind shell companies across multiple countries and leverages the commercial mobile advertising system to deliver malware. The spyware is still operational and actively developed, with additional delivery vectors like Triton targeting Samsung Exynos devices. The infection occurs when a target views a malicious ad, which triggers a redirection to Intellexa’s exploit delivery servers. The ads are served through a complex network of advertising firms, making defense measures challenging. Despite sanctions and investigations, including fines from the Greek Data Protection Authority, Intellexa remains active and prolific in zero-day exploitation. Recent leaks reveal that Intellexa's Predator spyware has been marketed under various names, including Helios, Nova, Green Arrow, and Red Arrow. The spyware exploits multiple zero-day vulnerabilities in Android and iOS devices, and uses frameworks like JSKit for native code execution. Intellexa also has the capability to remotely access the surveillance systems of its customers using TeamViewer. The spyware collects extensive data from targeted devices, including messaging apps, calls, emails, device locations, screenshots, passwords, and other on-device information. New research has confirmed that Predator spyware was used to target an Angolan journalist, Teixeira Cândido, in May 2024 via a WhatsApp link. The infection lasted less than one day and was removed when the device was restarted. Attackers made 11 additional attempts to re-infect the device, all of which failed. Predator spyware incorporates advanced anti-analysis mechanisms and has explicit checks to avoid running in U.S. and Israeli locales.

SmarterMail Authentication Bypass Exploited Post-Patch

Updated: 18.02.2026 18:27 · First: 22.01.2026 11:46 · 📰 4 src / 4 articles

A critical authentication bypass vulnerability in SmarterMail email software (WT-2026-0001, CVE-2026-23760) has been actively exploited in the wild just two days after a patch was released. The flaw allows attackers to reset the system administrator password via a crafted HTTP request, leading to remote code execution (RCE) on the underlying operating system. The vulnerability was patched on January 15, 2026, but attackers reverse-engineered the patch to exploit it. Over 6,000 SmarterMail servers were found exposed online and likely vulnerable to attacks exploiting the flaw. Shadowserver is tracking these servers, with more than 4,200 in North America and nearly 1,000 in Asia. Macnica threat researcher Yutaka Sejiyama found over 8,550 SmarterMail instances still vulnerable. CISA added the vulnerability to its list of actively exploited vulnerabilities, ordering U.S. government agencies to secure their servers by February 16. Threat actors rapidly shared proof-of-concept exploits, offensive tools, and stolen administrator credentials related to SmarterMail vulnerabilities on underground Telegram channels and cybercrime forums. SmarterTools was breached in January 2026 after attackers exploited an unpatched SmarterMail server running on an internal VM. Ransomware operators gained initial access through SmarterMail vulnerabilities and waited before triggering encryption payloads. Over 34,000 servers were found on Shodan with indications of running SmarterMail, with 1,185 vulnerable to authentication bypass or RCE flaws. CISA added CVE-2026-24423 to the Known Exploited Vulnerabilities catalog in February 2026, confirming active ransomware exploitation.

Microsoft Anti-Spam Service Misidentifies Safe URLs in Exchange Online and Teams

Updated: 18.02.2026 18:26 · First: 09.09.2025 16:40 · 📰 3 src / 4 articles

Microsoft is addressing a bug in its anti-spam service that wrongly blocks URLs in Exchange Online and Microsoft Teams, sending some legitimate emails to quarantine. The issue began on September 5, 2025, with users receiving false alerts about malicious URLs. Over 6,000 URLs were identified as affected; Microsoft is unblocking them and recovering the incorrectly flagged messages. The root cause was the anti-spam engine tagging URLs embedded inside other URLs (for example, a link carried in a redirector's query string) as potentially malicious. Microsoft deployed a partial fix and continued to work through the remaining impact. The incident was classified as an event with noticeable user impact, although the number of affected customers and regions was not disclosed. A second incident began on February 5, 2026, when Exchange Online started flagging legitimate emails as phishing and quarantining them. This one was caused by a new URL rule that misclassified some URLs as malicious; Microsoft worked to release the quarantined messages and confirm that legitimate URLs were unblocked. The incident, tracked by Microsoft as EX1227432, was not fully resolved until February 12. Its root cause was a logic error in a detection system built to identify new credential-phishing attacks, which also generated false positive alerts. Other tools in Microsoft's detection infrastructure amplified the impact, and a separate bug in the company's security signature systems delayed the rollback of the flawed rules. Microsoft will issue a final report within five business days of full resolution. Similar issues occurred earlier in the year, including a May 2025 incident in which a machine learning model wrongly flagged Gmail messages as spam in Exchange Online.
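The failure mode above is a URL nested inside another URL being judged as if nesting itself were suspicious. The following is an added example, not Microsoft's code or anything from the incident reports, of how a URL filter can pull embedded links out of a query string (including double-encoded ones) and evaluate the outer host and each embedded host separately against a blocklist, so a clean redirector wrapping a clean destination stays clean while a clean redirector wrapping a blocklisted destination is still caught. The blocklist entries and the sample URLs are constructed for the demonstration.

```python
"""Evaluate nested URLs by host rather than by nesting.

Added example with a constructed blocklist; the hostnames below are
placeholders, not indicators from the Microsoft incidents."""
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed blocklist of hosts treated as known-bad for this example.
BLOCKLIST = {"phish.example.net"}

SCHEMES = ("http://", "https://")


def embedded_urls(url: str, max_depth: int = 3) -> list[str]:
    """Return every URL carried in the query string of `url`, recursively.

    parse_qsl percent-decodes each value once; a second unquote() is applied
    only when the value does not yet look like a URL, so double-encoded
    redirect targets are still found without altering already-decoded ones.
    Note: an embedded URL that is *not* percent-encoded and itself contains
    '&' will be truncated at that '&' by parse_qsl, as it would be by any
    client following the link.
    """
    found: list[str] = []

    def walk(u: str, depth: int) -> None:
        if depth > max_depth:  # guard against pathological self-referential chains
            return
        for _, value in parse_qsl(urlsplit(u).query, keep_blank_values=True):
            candidate = value
            if not candidate.lower().startswith(SCHEMES):
                candidate = unquote(candidate)  # handle double-encoded values
            if candidate.lower().startswith(SCHEMES):
                found.append(candidate)
                walk(candidate, depth + 1)

    walk(url, 0)
    return found


def classify(url: str) -> tuple[str, str]:
    """Return (verdict, reason).

    Only a blocklisted host, whether outer or embedded, yields 'malicious'.
    A URL is never flagged merely because it contains another URL.
    """
    outer = urlsplit(url).hostname or ""
    if outer in BLOCKLIST:
        return ("malicious", f"outer host {outer} is blocklisted")
    inner_urls = embedded_urls(url)
    for inner in inner_urls:
        host = urlsplit(inner).hostname or ""
        if host in BLOCKLIST:
            return ("malicious", f"embedded host {host} is blocklisted")
    if inner_urls:
        return ("clean", "nested URL, all hosts clean")
    return ("clean", "no embedded URL, host not blocklisted")


if __name__ == "__main__":
    # Constructed sample links: a benign redirector wrapping a benign
    # document, the same redirector wrapping a blocklisted login page
    # (double-encoded), and a plain link.
    for sample in (
        "https://safelinks.example.com/?url=https%3A%2F%2Fdocs.example.org%2Freport.pdf",
        "https://safelinks.example.com/?url=https%253A%252F%252Fphish.example.net%252Flogin",
        "https://docs.example.org/report.pdf",
    ):
        print(sample, "->", classify(sample))
```

The point of the separation is that a redirector or link-wrapping service is a single outer host with many different inner destinations; a rule that keys on the presence of a second `http` inside the query string flags every one of them, which is the kind of false positive the incident produced.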

Silver Fox Exploits Microsoft-Signed WatchDog Driver to Deploy ValleyRAT Malware

Updated: 18.02.2026 18:00 · First: 02.09.2025 11:39 · 📰 4 src / 8 articles

The threat actor Silver Fox has been exploiting a previously unknown vulnerable driver associated with WatchDog Anti-malware to deploy ValleyRAT. The driver, amsdk.sys (version 1.0.600), is a validly signed Windows kernel device driver built on the Zemana Anti-Malware SDK. It exposes arbitrary process termination and local privilege escalation, which the attackers use to kill endpoint protection processes before dropping the ValleyRAT remote access trojan. The campaign, first observed in late May 2025, targets Chinese-speaking victims through social engineering and trojanized software. WatchDog has since patched the driver, but the attackers adapted by altering the driver file so that its hash no longer matches hash-based blocklists while the driver still loads. Silver Fox, also tracked as SwimSnake and UTG-Q-1000, is highly active and organized, targeting Chinese users and companies to steal secrets and defraud victims. Separately, a newly identified cryptojacking campaign spreading through pirated software installers deploys system-level malware built around a customised XMRig miner and a controller component for persistence. The controller, named Explorer.exe, works as a state-driven orchestrator. The malware carries a hardcoded expiration date of December 23, 2025, after which it removes itself. It loads the vulnerable signed driver WinRing0x64.sys for kernel-level access and uses it to modify CPU registers that disable the hardware prefetchers, boosting mining throughput. The miner connects to the Kryptex pool at xmr-sg.kryptex.network:8029.
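Both campaigns above rely on bring-your-own-vulnerable-driver, and the Silver Fox detail that matters to defenders is that a hash-based blocklist was defeated by editing the file. The following is an added example, not code from any of the vendors or reports involved, that runs a constructed driver inventory through two policies side by side: a hash-only blocklist, and a rule keyed on the signer plus the PE `OriginalFilename`. It assumes the modified copy still carries a valid Authenticode signature, since on 64-bit Windows with Driver Signature Enforcement an invalidly signed driver would not load at all. Every hash, signer name and path in the block is a placeholder, not the real amsdk.sys or WinRing0x64.sys values.

```python
"""Hash-only blocklist versus signer + OriginalFilename rule for abusable
signed drivers.

Added example with a constructed inventory; hashes and signer subjects are
placeholders, not real indicators."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoadedDriver:
    path: str              # on-disk path of the loaded driver
    original_name: str     # OriginalFilename from the PE version resource
    sha256: str            # file hash (constructed placeholder)
    signer: str            # Authenticode leaf certificate subject (placeholder)
    signature_valid: bool  # whether the Authenticode signature still verifies


# Constructed hash blocklist: lists only the build that was originally abused.
HASH_BLOCKLIST = {"a" * 64}

# Constructed signer rules: any validly signed file presenting this
# OriginalFilename from this signer is blocked, whatever its hash.
SIGNER_RULES = {
    ("amsdk.sys", "CN=Constructed AV Vendor Signer"),
    ("winring0x64.sys", "CN=Constructed Hardware-Monitor Signer"),
}


def hash_only_verdict(d: LoadedDriver) -> bool:
    """True if the exact file hash is on the blocklist."""
    return d.sha256.lower() in HASH_BLOCKLIST


def signer_name_verdict(d: LoadedDriver) -> bool:
    """True if a validly signed file matches a (OriginalFilename, signer) rule.

    The signature check is deliberate: a tampered copy that broke its
    signature would be refused by Driver Signature Enforcement anyway, so the
    interesting case is a copy whose signature still verifies but whose hash
    changed.
    """
    return d.signature_valid and (d.original_name.lower(), d.signer) in SIGNER_RULES


def triage(drivers: list[LoadedDriver]) -> dict[str, tuple[bool, bool]]:
    """Map each driver path to (hash_hit, signer_rule_hit) for comparison."""
    return {d.path: (hash_only_verdict(d), signer_name_verdict(d)) for d in drivers}


def sample_inventory() -> list[LoadedDriver]:
    """Constructed records: the originally abused build, a byte-tweaked copy
    that keeps a valid signature but has a new hash, the WinRing0 driver, and
    a benign driver."""
    av_signer = "CN=Constructed AV Vendor Signer"
    hw_signer = "CN=Constructed Hardware-Monitor Signer"
    return [
        LoadedDriver(r"C:\Windows\System32\drivers\amsdk.sys", "amsdk.sys", "a" * 64, av_signer, True),
        LoadedDriver(r"C:\ProgramData\upd\amsdk.sys", "amsdk.sys", "b" * 64, av_signer, True),
        LoadedDriver(r"C:\Users\Public\WinRing0x64.sys", "WinRing0x64.sys", "c" * 64, hw_signer, True),
        LoadedDriver(r"C:\Windows\System32\drivers\benign.sys", "benign.sys", "d" * 64, "CN=Constructed OS Signer", True),
    ]


if __name__ == "__main__":
    for path, (by_hash, by_rule) in triage(sample_inventory()).items():
        print(f"{path}: hash-blocklist={by_hash} signer+name-rule={by_rule}")
```

The modified amsdk.sys copy is the case to watch: it evades the hash list and is caught only by the signer+name rule. In a WDAC policy this second form is a Deny rule combining a signer with a file attribute, which is why vendor and platform driver blocklists pair hashes with signer-based rules rather than relying on hashes alone.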

Cogent Security Secures $42M for AI-Driven Vulnerability Management

Updated: · First: 18.02.2026 16:47 · 📰 1 src / 1 articles

Cogent Security has raised $42 million in Series A funding to build autonomous AI agents for vulnerability remediation. The money will go toward its agentic AI platform, which automates investigation, prioritization, and remediation tasks in vulnerability management. The platform aggregates vulnerability data across environments, reduces scanner noise, and adds business context so that risk is prioritized beyond standard severity scores. The company says the goal is to take coordination work off security teams so they can focus on the most critical threats.