
News Summary

Last updated: 18:15 02/03/2026 UTC
  • Texas Sues TV Manufacturers for Alleged Unauthorized Data Collection via ACR Technology: Texas Attorney General Ken Paxton has filed lawsuits against Sony, Samsung, LG, Hisense, and TCL Technology Group Corporation for allegedly using Automated Content Recognition (ACR) technology to secretly capture screenshots of users' viewing activity every 500 milliseconds and sell the data without consent. The suits highlight concerns about data access by Chinese companies under China's National Security Law. A Texas court initially issued a temporary restraining order (TRO) against Samsung, prohibiting the company from collecting audio and visual data from Texas consumers' smart TVs. However, the court vacated the TRO the following day, allowing Samsung to continue its data collection practices. The TRO, which was set to extend until January 19, followed allegations that Samsung's ACR enrollment practices are deceptive and violate the Texas Deceptive Trade Practices Act (DTPA). The court also noted that users are pressured into consenting to data collection through dark patterns, making it difficult to fully opt out. The lawsuits allege that the collected data is sold to third parties for ad targeting, violating users' privacy rights. This follows a similar 2017 case against Vizio, which settled for $2.2 million for similar practices. Samsung and the State of Texas have reached a settlement agreement over the alleged unlawful collection of content-viewing information through its smart TVs. As part of the agreement, Samsung will revise its privacy disclosures to clearly explain its data collection and processing practices to consumers. Samsung must halt any collection or processing of ACR viewing data without obtaining Texas consumers’ express consent and update its smart TVs to implement clear and conspicuous disclosures and consent screens.
  • Iranian Cyber Threat Activity Against U.S. Critical Infrastructure and Kinetic Targeting: Iranian state-sponsored and affiliated cyber threat actors are actively escalating retaliatory campaigns following joint Israeli-US military strikes on February 28, 2026, with Google’s Threat Intelligence Group (GTIG) warning of imminent, aggressive cyber-attacks against a broadened target set. While Iran’s digital infrastructure remains severely disrupted (internet connectivity at ~4% of normal), over 150 hacktivist incidents—DDoS attacks, defacements, and unverified breach claims—were recorded within 48 hours, targeting government, banking, aviation, and telecom sectors globally. The UK’s NCSC has now issued an urgent advisory for organizations with Middle East exposure to review cybersecurity postures, warning that Iranian actors maintain operational capability despite the blackout and may exploit supply chains or regional offices as attack vectors. Prior to this surge, Iranian actors conducted long-term espionage and destructive campaigns, including the use of ‘wiper’ malware, spear-phishing against global embassies, and cyber-enabled kinetic targeting—such as maritime AIS reconnaissance to facilitate missile strikes. Groups like APT42, Subtle Snail (UNC1549), and Imperial Kitten deployed tailored malware (e.g., MINIBIKE, TAMECAT) to infiltrate telecommunications, aerospace, and defense sectors, while MuddyWater accessed live CCTV streams for real-time attack planning. U.S. agencies, including CISA, continue to urge critical infrastructure operators to implement multi-factor authentication, maintain offline backups, and report incidents promptly, as Iran’s tactics evolve to combine ransomware-as-a-smokescreen, destructive wipers, and multi-actor obfuscation.
  • Google Gemini AI Vulnerabilities Allowing Prompt Injection and Data Exfiltration: Researchers disclosed multiple vulnerabilities in Google's Gemini AI assistant that could have exposed users to privacy risks and data theft. The flaws, collectively named the Gemini Trifecta, affected Gemini Cloud Assist, the Search Personalization Model, and the Browsing Tool. These vulnerabilities allowed for prompt injection attacks, search-injection attacks, and data exfiltration. Google has since patched the issues and implemented additional security measures. Additionally, a zero-click vulnerability in Gemini Enterprise, dubbed 'GeminiJack', was discovered in June 2025, allowing attackers to exfiltrate corporate data via indirect prompt injection. Google addressed this flaw by separating Vertex AI Search from Gemini Enterprise and updating their interaction with retrieval and indexing systems. A new prompt injection flaw in Google Gemini allowed attackers to bypass authorization guardrails and use Google Calendar as a data extraction mechanism. The flaw enabled unauthorized access to private meeting data and the creation of deceptive calendar events without any direct user interaction. The attack involved a malicious payload hidden within a standard calendar invite, which was activated when a user asked Gemini about their schedule. The flaw allowed Gemini to create a new calendar event and write a full summary of the target user's private meetings in the event's description. The issue was addressed following responsible disclosure, highlighting the need for evaluating large language models across key safety and security dimensions. Additionally, a high-severity flaw in Google's implementation of Gemini AI in the Chrome browser, tracked as CVE-2026-0628, could allow attackers to escalate privileges, violate user privacy, and access sensitive system resources. The flaw was discovered by researchers from Palo Alto Networks' Unit 42 and was patched by Google in early January. The vulnerabilities highlight the potential risks of AI tools being used as attack vectors rather than just targets.
  • SafeLine WAF Deployment for SaaS Bot Protection: SafeLine WAF is a self-hosted web application firewall designed to protect SaaS platforms from bot attacks. It inspects HTTP requests for malicious behavior, including business logic exploitation, and offers features like semantic analysis, anti-bot challenges, rate limiting, and identity controls. The tool is easy to deploy and integrates into existing SaaS stacks, providing detailed attack logs and trend analysis. SafeLine aims to reduce fake sign-ups, credential stuffing, API scraping, and abusive automation, thereby stabilizing server costs and improving user experience. The solution is particularly aimed at SaaS teams without dedicated security personnel, offering a free edition with basic protections and advanced features available through paid licenses.
  • QuickLens Chrome Extension Compromised to Steal Cryptocurrency and Credentials: The QuickLens Chrome extension, initially a legitimate tool for Google Lens searches, was compromised to push malware and steal cryptocurrency and credentials from approximately 7,000 users. The malicious version 5.8, released on February 17, 2026, introduced ClickFix attacks and info-stealing functionality. The extension was removed from the Chrome Web Store by Google after the discovery. The compromised extension stripped browser security headers, communicated with a command-and-control (C2) server, and executed malicious JavaScript scripts on every page load. It targeted various cryptocurrency wallets, login credentials, payment information, and sensitive form data. Users are advised to remove the extension, scan their devices for malware, and reset passwords.
  • Microsoft COA Fraud Scheme Leads to 22-Month Prison Sentence: A Florida woman, Heidi Richards, was sentenced to 22 months in prison for operating a fraud scheme involving the trafficking of thousands of stolen Microsoft Certificate of Authenticity (COA) labels. Richards, who ran Trinity Software Distribution, was ordered to pay a $50,000 fine. The scheme involved buying genuine COA labels at below-retail prices, extracting the product keys, and selling them illegally worldwide, resulting in $5.1 million in payments to the supplier. The COA labels, which authenticate software like Windows and Office, are not legally permitted to be sold separately from the software they accompany. Richards and her accomplices extracted the product keys and sold them in bulk, circumventing Microsoft's licensing requirements. This case highlights the ongoing issue of software piracy and the legal consequences for those involved in trafficking unauthorized license keys.
  • Google Advances Quantum-Resistant HTTPS Certificates with Merkle Tree Certificates: Google is developing Merkle Tree Certificates (MTCs) to enhance the security of Chrome's HTTPS certificates against quantum computing threats. MTCs use compact Merkle Tree proofs to reduce bandwidth usage and improve performance while maintaining strong security. Google plans to integrate MTCs into Chrome's Root Store by 2027, ensuring a smooth transition to quantum-resistant certificates without disrupting existing TLS connections. The deployment will occur in three phases, with feasibility studies underway, public deployment scheduled for Q1 2027, and the introduction of the Chrome Quantum-resistant Root Store in Q3 2027. Chrome will also modernize certificate governance with ACME-only workflows, streamlined revocation systems, and enhanced oversight models. Chrome has no immediate plan to add traditional X.509 certificates containing post-quantum cryptography to the Chrome Root Store. MTCs are being developed in the PLANTS working group and aim to reduce the number of public keys and signatures in the TLS handshake to the bare minimum required.
Last updated: 19:45 02/03/2026 UTC
  • Visibility Gaps in Patch Management and Vulnerability Remediation: Organizations face significant challenges in patch management due to visibility gaps and lack of centralized control, particularly with third-party software. These gaps lead to unpatched vulnerabilities, compliance drift, and increased risk exposure. Modern solutions like Action1 aim to streamline detection, prioritization, and oversight of patch management processes, including third-party applications. Effective vulnerability management requires knowing what needs attention, acting quickly with proper tools, and confirming success. Centralized visibility and control are crucial for maintaining shorter remediation timelines, reducing repeat vulnerabilities, and demonstrating stronger audit readiness. Action1 offers a cloud-native platform that connects all endpoints, identifies missing updates, and provides granular control over patch deployment. It incorporates intelligence for prioritization and ensures visibility and accountability through detailed reporting and compliance dashboards.
  • U.S. sanctions cyber scam operations in Southeast Asia: The U.S. Department of the Treasury has sanctioned several large cyber scam networks in Southeast Asia, primarily in Burma and Cambodia. These operations, which used forced labor and human trafficking, stole over $10 billion from Americans in 2024, a 66% increase from the previous year. The scams included romance baiting and fake cryptocurrency investments. The sanctions target individuals and entities linked to the Karen National Army (KNA) and various organized crime networks. The U.S. has established a new task force, the Scam Center Strike Force, to disrupt Chinese cryptocurrency scam networks. This task force, supported by the U.S. Attorney's Office, the Department of Justice, the FBI, and the Secret Service, has already seized over $401 million in cryptocurrency and filed forfeiture proceedings for an additional $80 million in stolen funds. The Treasury Department’s Office of Foreign Assets Control has imposed additional sanctions on the Democratic Karen Benevolent Army (DKBA) and related entities. In a recent development, the U.S. Department of Justice (DoJ) seized $61 million worth of Tether linked to pig butchering crypto scams. The confiscated funds were traced to cryptocurrency addresses used for laundering proceeds from cryptocurrency investment scams. Threat actors target individuals by cultivating romantic relationships on dating and social media messaging apps, coercing victims into investing in fraudulent platforms that display fake high returns. Scammers route stolen money through multiple wallets to hide its nature and source. Tether has frozen around $4.2 billion in assets linked to illicit activity, including $250 million related to scam networks since June 2025.
  • Trend Micro Apex One Management Console 0-Day Exploited: Trend Micro has disclosed and patched two critical vulnerabilities, CVE-2025-71210 and CVE-2025-71211, in its on-premise Apex One Management Console. These vulnerabilities allow for remote code execution (RCE) on vulnerable Windows systems. Trend Micro has released Critical Patch Build 14136 to address these vulnerabilities, which also fixes two high-severity privilege escalation flaws in the Windows agent and four more affecting the macOS agent. The vulnerabilities are due to path traversal weaknesses in the management console and require attackers to have access to it. Previously, Trend Micro disclosed two other critical vulnerabilities, CVE-2025-54948 and CVE-2025-54987, which were actively exploited in the wild. These vulnerabilities allowed for command injection and remote code execution. Trend Micro has released temporary mitigations and is urging users to apply them immediately to protect against potential attacks.
  • SonicWall MySonicWall Breach Exposes Firewall Configuration Files: Marquis Software Solutions has filed a lawsuit against SonicWall, alleging gross negligence and misrepresentation in the handling of its MySonicWall cloud backup breach, which directly enabled a ransomware attack disrupting 780,000+ individuals across 700+ U.S. banks and credit unions in August 2025. The lawsuit reveals that SonicWall introduced a security gap via an API code change in February 2025, allowing unauthorized access to firewall configuration backups—including AES-256-encrypted credentials and MFA scratch codes. Marquis, whose firewall was fully patched and MFA-enabled, confirms attackers exploited this stolen data to bypass defenses, contradicting earlier assumptions about unpatched devices. The breach exposed personal and financial data of Marquis’s clients, triggering over 36 consumer class-action lawsuits and prompting Marquis to seek damages, indemnification, and legal fees. The SonicWall incident began as a targeted compromise of its MySonicWall portal, initially reported in September 2025 as affecting fewer than 5% of customers but later revised to confirm all cloud backup users were impacted. Stolen configuration files—containing credentials, network topology, and encrypted secrets—fueled follow-on attacks, including the Marquis ransomware breach (January 2026 disclosure) and Akira ransomware campaigns abusing OTP seeds to bypass MFA. SonicWall collaborated with Mandiant to attribute the breach to state-sponsored actors and released remediation tools, but the Marquis lawsuit underscores the long-tail risks of exposed backup data, even post-containment. Over 950 unpatched SMA1000 appliances remain exposed online, while CISA and SonicWall urge firmware updates, credential resets, and MFA enforcement. Legal experts note the case could set a precedent for vendor liability, as enterprises increasingly sue cybersecurity providers for contribution or negligence. The lawsuit also highlights the need for robust vendor due diligence and SLAs that address worst-case scenarios, including vendor-caused breaches. SonicWall may face further legal challenges from Marquis’s clients or regulatory actions if found liable for the downstream impact.
  • ShinyHunters and Scattered Spider Collaboration: The ShinyHunters and Scattered Spider collaboration, operating under the Scattered Lapsus$ Hunters (SLH) alliance, has escalated its extortion and social engineering tactics in early 2026 by recruiting women for vishing attacks targeting IT help desks, offering $500–$1,000 per successful call alongside pre-written scripts. This calculated evolution aims to exploit psychological biases and bypass traditional attacker profiles, increasing the success rate of impersonation and credential harvesting. The group continues to combine technical intrusions with psychological harassment, swatting, and media manipulation to coerce payments, while leveraging legitimate services, residential proxies, and tunneling tools (e.g., Ngrok, Luminati) to evade detection. The alliance’s latest developments include the ShinySp1d3r RaaS platform, Zendesk phishing campaigns, and targeted intrusions against financial sectors, demonstrating a multi-pronged expansion in both technical sophistication and psychological warfare. Their tactics now involve recruiting diverse social engineering operatives, deploying virtual machines for post-exploitation reconnaissance, and exploiting cloud APIs (e.g., Microsoft Graph) to access Azure environments. Despite law enforcement arrests and shutdown claims, SLH remains a high-risk, low-trust threat actor, with no guarantee of data deletion post-payment and a pattern of rebranding to evade pressure. Victims are advised to refuse engagement beyond a firm "no payment" stance, as compliance only fuels further escalation and harassment.
  • ScarCruft (APT37) Expands Tactics with Ruby Jumper Campaign Targeting Air-Gapped Networks: The ScarCruft (APT37) Ruby Jumper campaign, first discovered in December 2025 and detailed in February 2026, marks a significant expansion of tactics to breach air-gapped networks and abuse legitimate cloud services for command-and-control (C2). The campaign deploys a multi-stage infection chain beginning with a malicious LNK file that drops a decoy document (e.g., an Arabic translation of a North Korean article on the Palestine-Israel conflict), an executable payload (RESTLEAF), a PowerShell script, and a batch file. RESTLEAF leverages Zoho WorkDrive for C2—the first known instance of ScarCruft using this service—to fetch shellcode, which then deploys SNAKEDROPPER. This implant installs a Ruby runtime, establishes persistence via a scheduled task (`rubyupdatecheck`) that replaces the RubyGems default file `operating_system.rb`, and drops THUMBSBD and VIRUSTASK, both designed to weaponize removable media (USB drives) for lateral movement into air-gapped systems. THUMBSBD supports keylogging, audio/video surveillance, and file exfiltration, while also creating hidden directories on USB drives to stage operator commands or store execution output. VIRUSTASK focuses on initial access propagation via USB drives, replacing legitimate files with malicious shortcuts that execute the Ruby interpreter when opened. The campaign also delivers FOOTWINE, a reconnaissance tool disguised as an APK file that harvests documents and monitors removable drive activity, and BLUELIGHT, a backdoor that adapts its C2 mode based on network connectivity (direct cloud communication or USB-based staging). This follows earlier ScarCruft operations, including ransomware attacks (July 2025), Operation HanKook Phantom (September 2025), and the Contagious Interview campaign (February 2026), which targeted developers via malicious repositories and job-themed lures. The Ruby Jumper campaign underscores ScarCruft’s expanded focus on air-gapped infiltration, combining cloud abuse with physical media exploitation to evade network isolation and achieve persistent surveillance with minimal forensic traces. Zscaler ThreatLabz confirmed the use of six distinct tools in this campaign, five of which were previously undocumented.

Latest updates


Fake Google Security PWA Campaign Steals Credentials and MFA Codes

Updated: · First: 02.03.2026 22:23 · 📰 1 src / 1 articles

A phishing campaign uses a fake Google Account security page to deliver a Progressive Web App (PWA) that steals one-time passcodes, cryptocurrency wallet addresses, and proxies attacker traffic through victims’ browsers. The attack leverages PWA features and social engineering to deceive users into granting risky permissions and installing the malware. The campaign uses the domain google-prism[.]com and includes an optional Android APK for further device compromise.

Alabama Man Pleads Guilty to Extortion and Cyberstalking of Hundreds of Women

Updated: · First: 02.03.2026 20:54 · 📰 1 src / 1 articles

A 22-year-old Alabama man, Jamarcus Mosley, pleaded guilty to extortion, cyberstalking, and computer fraud charges. Between April 2022 and May 2025, Mosley hijacked the social media accounts of hundreds of young women, including minors, by tricking them into sharing account recovery codes and passwords. He then threatened to release their private images or lock them out of their accounts unless they complied with his demands, which included surrendering additional accounts, sending sexually explicit content, or paying him money. Mosley's actions involved impersonating friends, accessing private images, and posting stolen content online when victims refused his demands. He is scheduled to be sentenced on May 27.

Microsoft COA Fraud Scheme Leads to 22-Month Prison Sentence

Updated: · First: 02.03.2026 19:30 · 📰 1 src / 1 articles


Google Gemini AI Vulnerabilities Allowing Prompt Injection and Data Exfiltration

Updated: 02.03.2026 19:08 · First: 30.09.2025 16:18 · 📰 7 src / 9 articles


Google Advances Quantum-Resistant HTTPS Certificates with Merkle Tree Certificates

Updated: 02.03.2026 18:52 · First: 02.03.2026 13:33 · 📰 3 src / 3 articles


Iranian Cyber Threat Activity Against U.S. Critical Infrastructure and Kinetic Targeting

Updated: 02.03.2026 17:54 · First: 30.06.2025 15:00 · 📰 13 src / 18 articles


Deepfakes and Injection Attacks Compromise Identity Verification Systems

Updated: · First: 02.03.2026 17:01 · 📰 1 src / 1 articles

Deepfakes and injection attacks are increasingly being used to bypass identity verification systems, enabling fraudulent account creation, account takeovers, and unauthorized access to sensitive systems. These attacks target the moment when a system concludes that a user is real, using high-fidelity synthetic media, replayed real footage, automation, and injection attacks to compromise the verification process. Enterprises need full-session validation, including perception, device integrity, and behavioral signals, to detect and prevent these sophisticated attacks.

Cisco SD-WAN Zero-Day Exploited by Highly Sophisticated Threat Actor

Updated: · First: 02.03.2026 15:26 · 📰 1 src / 1 articles

A critical zero-day vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN Controller and Manager is being actively exploited by a sophisticated threat actor tracked as UAT-8616. The flaw allows unauthenticated remote attackers to bypass authentication and gain administrative privileges. Exploitation dates back to 2023, and Cisco has credited the Australian Signals Directorate's Australian Cyber Security Centre (ASD-ACSC) with reporting the vulnerability. The vulnerability has a CVSS score of 10.0, the maximum severity. Cisco is actively tracking the exploitation, which has been ongoing for some time, and the post-compromise activity associated with this flaw.

Anthropic's Claude AI service experiences worldwide outage

Updated: · First: 02.03.2026 14:23 · 📰 1 src / 1 articles

Anthropic's Claude AI service is experiencing a worldwide outage affecting all platforms and regions. The incident began on March 2, 2026, with users reporting elevated errors and failed requests. The investigation is ongoing, and no estimated time of resolution has been provided.

SafeLine WAF Deployment for SaaS Bot Protection

Updated: · First: 02.03.2026 13:55 · 📰 1 src / 1 articles


ClawJacked Flaw in OpenClaw Enables Local AI Agent Hijacking via WebSocket

Updated: 02.03.2026 13:30 · First: 28.02.2026 19:21 · 📰 3 src / 3 articles

A high-severity vulnerability in OpenClaw, codenamed ClawJacked, allows malicious websites to hijack locally running AI agents through WebSocket connections. The flaw exploits missing rate-limiting and auto-approval of trusted devices, enabling attackers to take control of the AI agent. OpenClaw has released a fix in version 2026.2.25, urging users to update immediately and enforce strict governance controls. The vulnerability is caused by the OpenClaw gateway service binding to localhost by default and exposing a WebSocket interface, allowing attackers to brute-force the management password and gain admin-level permissions. Once authenticated, attackers can interact directly with the AI platform, dumping credentials, listing connected nodes, stealing credentials, and reading application logs. The fix tightens WebSocket security checks and adds additional protections to prevent attackers from abusing localhost loopback connections.
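Two weaknesses are named above: no rate limiting on password attempts against the local gateway, and a WebSocket interface that any web page can reach over loopback. As an added illustration (not OpenClaw's code; the port and allowed origins are assumed), the following Python class shows the two controls a local service can apply at the handshake: an Origin allowlist, which works because browsers always attach the requesting page's Origin to a WebSocket handshake, and a sliding-window lockout on failed password attempts per client address.

```python
import time
from collections import defaultdict, deque


class HandshakeGuard:
    """Two checks a local gateway should apply before accepting a WebSocket
    session: an Origin allowlist (browsers always send Origin on WebSocket
    handshakes, so a page on another site cannot avoid revealing itself) and a
    sliding-window limit on failed password attempts per client address."""

    def __init__(self, allowed_origins, max_failures=5, window_seconds=60,
                 clock=time.monotonic):
        self.allowed_origins = set(allowed_origins)
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # client -> timestamps of failures

    def _prune(self, client):
        """Drop failures older than the window; return the remaining deque."""
        cutoff = self.clock() - self.window_seconds
        q = self._failures[client]
        while q and q[0] < cutoff:
            q.popleft()
        return q

    def is_locked(self, client):
        return len(self._prune(client)) >= self.max_failures

    def record_auth_attempt(self, client, success):
        """Call after each password check; returns True if the client is now locked."""
        if success:
            self._failures.pop(client, None)
            return False
        self._prune(client).append(self.clock())
        return self.is_locked(client)

    def evaluate(self, headers, client):
        """Decide on a handshake. Header names are matched case-insensitively."""
        if self.is_locked(client):
            return "reject:locked"
        lowered = {k.lower(): v for k, v in headers.items()}
        origin = lowered.get("origin")
        # A missing Origin indicates a non-browser client (CLI, desktop app);
        # a browser-driven hijack always carries the attacking page's origin,
        # and file:// pages send the literal "null", which is never allowlisted.
        if origin is not None and origin not in self.allowed_origins:
            return "reject:origin"
        return "ok"


class FakeClock:
    """Deterministic clock for the demonstration below."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    # Port 8080 is an assumed value for the local gateway.
    guard = HandshakeGuard({"http://localhost:8080"}, max_failures=3, clock=clock)
    print(guard.evaluate({"Origin": "https://attacker.invalid"}, "127.0.0.1"))  # reject:origin
    print(guard.evaluate({"Origin": "http://localhost:8080"}, "127.0.0.1"))    # ok
    for _ in range(3):
        guard.record_auth_attempt("127.0.0.1", success=False)
    print(guard.evaluate({"Origin": "http://localhost:8080"}, "127.0.0.1"))    # reject:locked
    clock.now += 61
    print(guard.evaluate({"Origin": "http://localhost:8080"}, "127.0.0.1"))    # ok
```

The lockout is keyed by client address; on a loopback-only service every browser tab shares 127.0.0.1, so a stricter deployment would key on the presented session or origin as well, and would additionally require a per-session token rather than relying on a single management password.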

Ransomware Payment Rate Declines Amid Rising Attacks

Updated: 02.03.2026 12:45 · First: 26.02.2026 16:00 · 📰 3 src / 3 articles

The percentage of ransomware victims paying threat actors dropped to 28% in 2025, the lowest recorded and the fourth consecutive yearly decline, despite a 50% increase in attacks. Total on-chain payments reached $820 million, with projections exceeding $900 million. Factors like improved incident response, regulatory scrutiny, and law enforcement actions contributed to the decline. Ransomware actors are extorting bigger payments from a smaller number of victims: the median ransom payment surged by 368%, from $12,738 in 2024 to $59,556 in 2025. The number of active extortion groups rose to 85, with notable attacks on Jaguar Land Rover, Marks & Spencer, and DaVita Inc. The average price for network access declined from $1,427 in Q1 2023 to $439 in Q1 2026. The U.S. remained the most heavily targeted country, followed by Canada, Germany, the UK, and other parts of Europe. Manufacturing and finance/professional services were the most heavily hit in most of these countries, although Canada and Germany had a high compromise rate in supply chains, logistics, and critical infrastructure.

Amazon Disrupts GRU-Affiliated APT44 Campaign Targeting Critical Infrastructure

Updated: 02.03.2026 12:36 · First: 29.08.2025 16:22 · 📰 13 src / 15 articles

Amazon has disrupted a years-long Russian state-sponsored campaign targeting Western critical infrastructure, including energy sector organizations and cloud-hosted network infrastructure. The campaign, attributed to the GRU-affiliated APT44 group, initially leveraged vulnerabilities in WatchGuard Firebox and XTM, Atlassian Confluence, and Veeam to gain initial access. However, starting in 2025, APT44 shifted its tactics to target misconfigured network edge devices, reducing their exposure and resource expenditure. The group targeted enterprise routers, VPN concentrators, network management appliances, and cloud-based project management systems to harvest credentials and establish persistent access. Amazon's intervention led to the disruption of the campaign, highlighting the ongoing threat posed by state-sponsored cyber actors. APT44, also known as FROZENBARENTS, Sandworm, Seashell Blizzard, and Voodoo Bear, has been active since at least 2021. The group exploited vulnerabilities in WatchGuard Firebox and XTM (CVE-2022-26318), Atlassian Confluence (CVE-2021-26084, CVE-2023-22518), and Veeam (CVE-2023-27532) to compromise network edge devices. The campaign involved credential replay attacks and targeted energy, technology/cloud services, and telecom service providers across North America, Western and Eastern Europe, and the Middle East. Amazon's threat intelligence team identified and notified affected customers, disrupting active threat actor operations. Additionally, APT28, another GRU-affiliated group, has been conducting a sustained credential-harvesting campaign targeting users of UKR[.]net, a webmail and news service popular in Ukraine. The campaign, observed between June 2024 and April 2025, involves deploying UKR[.]net-themed login pages on legitimate services like Mocky to entice recipients into entering their credentials and 2FA codes. 
Links to these pages are embedded within PDF documents distributed via phishing emails, often shortened using services like tiny[.]cc or tinyurl[.]com. In some cases, APT28 uses subdomains created on platforms like Blogger (*.blogspot[.]com) to launch a two-tier redirection chain leading to the credential harvesting page. The campaign is part of a broader set of phishing and credential theft operations targeting various institutions in pursuit of Russia's strategic objectives. APT28's recent campaign targeted Turkish renewable energy scientists with a climate change policy document from a real Middle Eastern think tank. The group used phishing emails themed to match their intended targets and written in the targets' native tongues. Victims were redirected to a login page mimicking a legitimate online service after following a link in a phishing email. APT28 used regular hosted services rather than custom tools and infrastructure for their attacks. The targets included an IT integrator based in Uzbekistan, a European think tank, a military organization in North Macedonia, and scientists and researchers associated with a Turkish energy and nuclear research organization. The campaign was highly selective and consistent with GRU collection priorities, aligning with geopolitical, military, or strategic intelligence objectives. APT28 has been targeting organizations associated with energy research, defense collaboration, and government communication in a new credential-harvesting campaign. The group used phishing pages impersonating Microsoft Outlook Web Access (OWA), Google, and Sophos VPN portals. Victims were redirected to legitimate domains after entering their credentials. APT28 relied heavily on free hosting and tunneling services such as Webhook.site, InfinityFree, Byet Internet Services, and Ngrok to host phishing content, capture user data, and manage redirections. 
In February 2025, APT28 deployed a Microsoft OWA phishing page and used the ShortURL link-shortening service for the first-stage redirection. The group employed a webhook relying on HTML to load a PDF lure document in the browser for two seconds before redirecting the victim to a second webhook hosting the spoofed OWA login page. In July, APT28 deployed a spoofed OWA login portal containing Turkish-language text and targeting Turkish scientists and researchers. In June, APT28 deployed a spoofed Sophos VPN password reset page hosted on InfinityFree infrastructure. In September, APT28 hosted two spoofed OWA expired password pages on an InfinityFree domain. In April, Recorded Future discovered a spoofed Google password reset page in Portuguese, hosted on a free apex domain from Byet Internet Services. APT28 abused Ngrok's free service to connect servers behind a firewall to a proxy server and expose that server to the internet without changing firewall rules. APT28's ability to adapt its infrastructure and rebrand credential-harvesting pages suggests it will continue to abuse free hosting, tunneling, and link-shortening services to reduce operational costs and obscure attribution. Recently, APT28 exploited CVE-2026-21509, a recently patched vulnerability in multiple versions of Microsoft Office. The attacks involved malicious DOC files themed around EU COREPER consultations in Ukraine and impersonated the Ukrainian Hydrometeorological Center. The malicious document triggers a WebDAV-based download chain that installs malware via COM hijacking, a malicious DLL (EhStoreShell.dll), shellcode hidden in an image file (SplashScreen.png), and a scheduled task (OneDriveHealth). The scheduled task execution leads to the termination and restart of the explorer.exe process, ensuring the loading of the EhStoreShell.dll file. This DLL executes shellcode from the image file, which launches the COVENANT software (framework) on the computer. 
COVENANT uses the Filen (filen.io) cloud storage service for command-and-control (C2) operations. APT28 used three more documents in attacks against various EU-based organizations, indicating that the campaign extends beyond Ukraine. APT28 has also been linked to the exploitation of CVE-2026-21513, a high-severity security feature bypass in the MSHTML Framework, as a zero-day before it was patched in February 2026. The vulnerability allows an attacker to bypass security features by manipulating browser and Windows Shell handling, leading to potential code execution. The group used a malicious Windows Shortcut (LNK) file that embeds an HTML file to exploit CVE-2026-21513, initiating communication with the domain wellnesscaremed[.]com. The exploit leverages nested iframes and multiple DOM contexts to manipulate trust boundaries, bypassing Mark-of-the-Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC). The technique allows execution of malicious code outside the browser sandbox via ShellExecuteExW. The vulnerable code path can be triggered through any component embedding MSHTML, suggesting additional delivery mechanisms beyond LNK-based phishing should be expected.

Lazarus Group Expands Operations with AI-Generated Video, Malware, and Malicious Packages in Cryptocurrency and Defense Sectors

Updated: 02.03.2026 10:44 · First: 02.09.2025 19:39 · 📰 12 src / 15 articles

The Lazarus Group, a North Korea-linked threat actor, has expanded its operations to target European defense companies in 2025, leveraging a coordinated Operation DreamJob campaign. The attack involved fake recruitment lures and the deployment of various malware, including the ScoringMathTea RAT. This campaign follows earlier attacks on a decentralized finance (DeFi) organization in 2024, where the group deployed multiple cross-platform malware variants, including PondRAT, ThemeForestRAT, and RemotePE. In 2026, North Korean hackers have been observed using AI-generated video and the ClickFix technique to deliver malware for macOS and Windows to targets in the cryptocurrency sector. The threat actor's goal is financial, as suggested by the role of the tools used in an attack on a fintech company investigated by Google's Mandiant researchers. The attack had a strong social engineering component, with the victim being contacted over Telegram from a compromised executive account. The hackers used a Calendly link to a spoofed Zoom meeting page and showed a deepfake video of a CEO to facilitate the attack. Mandiant researchers found seven distinct macOS malware families attributed to UNC1069, a threat group they've been tracking since 2018. UNC1069 has been active since at least April 2018 and is also tracked under the monikers CryptoCore and MASAN. The group has used generative AI tools like Gemini to produce lure material and other messaging related to cryptocurrency. They have attempted to misuse Gemini to develop code to steal cryptocurrency and have leveraged deepfake images and video lures mimicking individuals in the cryptocurrency industry. The group has shifted from spear-phishing techniques and traditional finance (TradFi) targeting towards the Web3 industry since at least 2023, targeting centralized exchanges (CEX), software developers at financial institutions, high-technology companies, and individuals at venture capital funds. 
In the latest intrusion documented by Google's threat intelligence division, UNC1069 deployed as many as seven unique malware families, including several new malware families such as SILENCELIFT, DEEPBREATH, and CHROMEPUSH. The attack involved a social engineering scheme using a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive the victim. The group used a fake website masquerading as Zoom to deceive victims and reused videos of previous victims to deceive new victims. The attack proceeded with a ClickFix-style troubleshooting command to deliver malware, leading to the deployment of various malicious components designed to gather system information, provide hands-on keyboard access, and steal sensitive data. Additionally, the Lazarus Group has been active since May 2025 with a campaign codenamed graphalgo, involving malicious packages in npm and PyPI repositories. Developers are targeted via social platforms like LinkedIn, Facebook, and Reddit. The campaign includes a fake company named Veltrix Capital in the blockchain and cryptocurrency trading space. Malicious packages are used to deploy a remote access trojan (RAT) that fetches and executes commands from an external server. The RAT supports commands to gather system information, enumerate files and directories, list running processes, create folders, rename files, delete files, and upload/download files. The command-and-control (C2) communication is protected by a token-based mechanism. The campaign checks for the MetaMask browser extension, indicating a focus on cryptocurrency theft. A malicious npm package called "duer-js" was found to harbor a Windows information stealer called Bada Stealer, capable of gathering Discord tokens, passwords, cookies, autofill data, cryptocurrency wallet details, and system information. 
Another malware campaign weaponizes npm to extort cryptocurrency payments from developers during package installation, blocking installation until victims pay 0.1 USDC/ETH to the attacker's wallet. The campaign has been ongoing since at least May 2025 and is characterized by modularity, allowing the threat actor to quickly resume it in case of partial compromise. The threat actor relies on packages published on the npm and PyPI registries that act as downloaders for a remote access trojan (RAT). Researchers found 192 malicious packages related to this campaign, which they dubbed 'Graphalgo'. The threat actor creates fake companies in the blockchain and crypto-trading sectors and publishes job offerings on various platforms, like LinkedIn, Facebook, and Reddit. Developers applying for the job are required to show their skills by running, debugging, and improving a given project, which causes a malicious dependency from a legitimate repository to be installed and executed. The package named 'bigmathutils,' with 10,000 downloads, was benign until it reached version 1.1.0, which introduced malicious payloads. The package was later removed and marked as deprecated. The Graphalgo name of the campaign is derived from packages that have 'graph' in their name, typically impersonating legitimate, popular libraries like graphlib. From December 2025 onward, the North Korean actor shifted to packages with 'big' in their name. The actor uses GitHub Organizations, which are shared accounts for collaboration across multiple projects. Malicious code is introduced indirectly via dependencies hosted on npm and PyPI. The RAT can list the running processes on the host, execute arbitrary commands per instructions from the command-and-control (C2) server, and exfiltrate files or drop additional payloads. The RAT checks whether the MetaMask cryptocurrency extension is installed on the victim’s browser, indicating its money-stealing goals.
The RAT's C2 communication is token-protected to lock out unauthorized observers, a common tactic for North Korean hackers. ReversingLabs has found multiple variants written in JavaScript, Python, and VBS, showing an intention to cover all possible targets. ReversingLabs attributes the Graphalgo fake recruiter campaign to the Lazarus group with medium-to-high confidence based on the approach, the use of coding tests as an infection vector, and the cryptocurrency-focused targeting, all of which align with previous activity associated with the North Korean threat actor. The delayed activation of malicious code in the packages is consistent with Lazarus' patience displayed in other attacks. The Git commits show the GMT +9 time zone, matching North Korea time. In a new iteration of the ongoing Contagious Interview campaign, North Korean hackers have published 26 malicious npm packages to the npm registry. These packages masquerade as developer tools but contain functionality to extract the actual command-and-control (C2) by using Pastebin content as a dead drop resolver. The C2 infrastructure is hosted on Vercel across 31 deployments. The campaign is being tracked under the moniker StegaBin. The loader extracts C2 URLs steganographically encoded within three Pastebin pastes, which are innocuous computer science essays. The decoder strips zero-width Unicode characters, reads a 5-digit length marker from the beginning, calculates evenly-spaced character positions throughout the text, and extracts the characters at those positions. The extracted characters are then split on a ||| separator to produce an array of C2 domain names. The malware reaches out to the decoded domain to fetch platform-specific payloads for Windows, macOS, and Linux. The Trojan connects to 103.106.67[.]63:1244 to await further instructions that allow it to change the current directory and execute shell commands. 
The comprehensive intelligence collection suite contains nine modules to facilitate Microsoft Visual Studio Code (VS Code) persistence, keylogging and clipboard theft, browser credential harvesting, TruffleHog secret scanning, and Git repository and SSH key exfiltration. The vs module uses a malicious tasks.json file to contact a Vercel domain every time a project is opened in VS Code. The clip module acts as a keylogger, mouse tracker, and clipboard stealer with support for active window tracking and conducts periodic exfiltration every 10 minutes. The bro module is a Python payload to steal browser credential stores. The j module is a Node.js module used for browser and cryptocurrency theft by targeting Google Chrome, Brave, Firefox, Opera, and Microsoft Edge, and extensions like MetaMask, Phantom, Coinbase Wallet, Binance, Trust, Exodus, and Keplr. The z module enumerates the file system and steals files matching certain predefined patterns. The n module acts as a RAT to grant the attacker the ability to remotely control the infected host in real-time via a persistent WebSocket connection to 103.106.67[.]63:1247 and exfiltrate data of interest over FTP. The truffle module downloads the legitimate TruffleHog secrets scanner from the official GitHub page to discover and exfiltrate developer secrets. The git module collects files from .ssh directories, extracts Git credentials, and scans repositories. The sched module is the same as "vendor/scrypt-js/version.js" and is redeployed as a persistence mechanism. The North Korean actors have also been observed publishing malicious npm packages (e.g., express-core-validator) to fetch a next-stage JavaScript payload hosted on Google Drive. Only a single package has been published with this new technique, indicating that FAMOUS CHOLLIMA will continue to leverage multiple techniques and infrastructure to deliver follow-on payloads.
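The StegaBin dead-drop decoding steps described above (strip zero-width characters, read a 5-digit length marker, sample evenly spaced positions, split on `|||`) are concrete enough to turn into an analyst's IOC-extraction routine. The Python below is an added example, not code from the published research or from the malicious packages; the set of zero-width code points and the exact spacing rule (stride of `len(body) // n` from offset 0) are assumptions, since the summary does not state them. The cover text and the two `.invalid` domains are constructed, and `build_constructed_paste` exists only to produce a test fixture.

```python
import re

# Zero-width code points stripped before decoding. The loader is described as
# removing "zero-width Unicode characters"; this specific set is an assumption.
ZERO_WIDTH_RE = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")
MARKER_LEN = 5        # 5-digit length marker at the start of the cleaned text
SEPARATOR = "|||"     # separator between hidden domain names

# Constructed cover text standing in for the "computer science essay" pastes.
COVER_TEXT = (
    "Turing showed that no general procedure can decide whether an arbitrary "
    "program halts, so every static analyser must approximate. "
) * 2


def count_zero_width(text: str) -> int:
    """Number of zero-width characters present; a non-zero count in a plain-text
    paste or in a package's source file is itself worth flagging."""
    return len(ZERO_WIDTH_RE.findall(text))


def extract_hidden_domains(paste_text: str) -> list[str]:
    """Recover the domain list hidden in a paste using the described steps.

    1. strip zero-width characters
    2. read the 5-digit length marker n
    3. take n evenly spaced positions across the remaining text
    4. split the extracted characters on '|||'
    The spacing rule (stride = len(body) // n, starting at offset 0) is an
    assumption; the summary does not state the exact formula.
    """
    cleaned = ZERO_WIDTH_RE.sub("", paste_text)
    marker = cleaned[:MARKER_LEN]
    if len(marker) < MARKER_LEN or not marker.isdigit():
        return []
    n = int(marker)
    body = cleaned[MARKER_LEN:]
    if n == 0 or n > len(body):
        return []
    stride = len(body) // n
    hidden = "".join(body[i * stride] for i in range(n))
    return [d for d in hidden.split(SEPARATOR) if d]


def build_constructed_paste(domains: list[str], stride: int = 3) -> str:
    """Test fixture only: interleaves a '|||'-joined domain list with cover text
    at the assumed stride and puts a zero-width space between chunks."""
    payload = SEPARATOR.join(domains)
    chunks = [ch + COVER_TEXT[i * (stride - 1):(i + 1) * (stride - 1)]
              for i, ch in enumerate(payload)]
    return f"{len(payload):0{MARKER_LEN}d}" + "\u200b".join(chunks)


# Constructed sample paste with two made-up domains.
SAMPLE_PASTE = build_constructed_paste(["c2-one.invalid", "c2-two.invalid"])

if __name__ == "__main__":
    print("zero-width chars:", count_zero_width(SAMPLE_PASTE))
    print("hidden domains:", extract_hidden_domains(SAMPLE_PASTE))
```

`count_zero_width` is the cheap triage check: legitimate essays and package sources almost never contain U+200B-style characters, so their presence in a fetched paste or in a dependency's `.js` file is a signal on its own, independent of whether the stride assumption matches a given sample.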

Texas Sues TV Manufacturers for Alleged Unauthorized Data Collection via ACR Technology

Updated: 01.03.2026 17:23 · First: 16.12.2025 19:29 · 📰 4 src / 10 articles

Texas Attorney General Ken Paxton has filed lawsuits against Sony, Samsung, LG, Hisense, and TCL Technology Group Corporation for allegedly using Automated Content Recognition (ACR) technology to secretly capture screenshots of users' viewing activity every 500 milliseconds and sell the data without consent. The suits highlight concerns about data access by Chinese companies under China's National Security Law. A Texas court initially issued a temporary restraining order (TRO) against Samsung, prohibiting the company from collecting audio and visual data from Texas consumers' smart TVs. However, the court vacated the TRO the following day, allowing Samsung to continue its data collection practices. The TRO, which was set to extend until January 19, followed allegations that Samsung's ACR enrollment practices are deceptive and violate the Texas Deceptive Trade Practices Act (DTPA). The court also noted that users are pressured into consenting to data collection through dark patterns, making it difficult to fully opt out. The lawsuits allege that the collected data is sold to third parties for ad targeting, violating users' privacy rights. This follows a similar 2017 case against Vizio, which settled for $2.2 million for similar practices. Samsung and the State of Texas have reached a settlement agreement over the alleged unlawful collection of content-viewing information through its smart TVs. As part of the agreement, Samsung will revise its privacy disclosures to clearly explain its data collection and processing practices to consumers. Samsung must halt any collection or processing of ACR viewing data without obtaining Texas consumers’ express consent and update its smart TVs to implement clear and conspicuous disclosures and consent screens.

QuickLens Chrome Extension Compromised to Steal Cryptocurrency and Credentials

Updated: · First: 28.02.2026 21:18 · 📰 1 src / 1 articles

The QuickLens Chrome extension, initially a legitimate tool for Google Lens searches, was compromised to push malware and steal cryptocurrency and credentials from approximately 7,000 users. The malicious version 5.8, released on February 17, 2026, introduced ClickFix attacks and info-stealing functionality. The extension was removed from the Chrome Web Store by Google after the discovery. The compromised extension stripped browser security headers, communicated with a command-and-control (C2) server, and executed malicious JavaScript scripts on every page load. It targeted various cryptocurrency wallets, login credentials, payment information, and sensitive form data. Users are advised to remove the extension, scan their devices for malware, and reset passwords.

South Korean Tax Agency Exposes Wallet Seed, $4.8M in Crypto Stolen

Updated: · First: 28.02.2026 17:17 · 📰 1 src / 1 articles

South Korea’s National Tax Service (NTS) accidentally exposed the mnemonic recovery phrase of a seized cryptocurrency wallet during a press release, leading to the theft of $4.8 million in crypto assets. The funds were stored in a Ledger cold wallet confiscated during raids on tax evaders. The recovery phrase, visible in photos released by the NTS, allowed attackers to transfer 4 million Pre-Retogeum (PRTG) tokens to a new address. The NTS has since removed the press release, and no investigation details have been disclosed. This incident highlights the critical importance of securing wallet seed phrases and the risks of exposing them publicly.

Kimwolf Botmaster 'Dort' Linked to Cybercrime Activities

Updated: · First: 28.02.2026 14:01 · 📰 1 src / 1 articles

A security researcher disclosed a vulnerability in January 2026 that was used to build the Kimwolf botnet, the world's largest and most disruptive botnet. The botmaster, known as 'Dort,' has been linked to various cybercrime activities, including DDoS attacks, doxing, and email flooding. Dort has also been connected to the cybercrime group LAPSUS$ and has used multiple aliases such as 'CPacket' and 'M1ce.' The investigation reveals Dort's involvement in Minecraft cheating software and the development of tools for bypassing CAPTCHA services and creating temporary email addresses. Dort's real identity is suspected to be Jacob Butler, a resident of Ottawa, Canada.

Google API Keys Expose Gemini AI Data

Updated: 28.02.2026 11:56 · First: 26.02.2026 22:55 · 📰 2 src / 2 articles

Google API keys, previously considered harmless, now expose Gemini AI data due to a privilege escalation. Researchers found nearly 3,000 exposed keys across various sectors, including Google itself. These keys can authenticate to Gemini AI and access private data, potentially leading to significant financial losses for victims. New research from Truffle Security and Quokka has revealed the extent of this issue, with thousands of API keys embedded in client-side code and Android apps. Google has implemented measures to block leaked API keys and notify affected parties.
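The finding above rests on keys embedded in shipped client-side code and Android resources, which is exactly what a secret scanner run over a checkout or an unpacked APK would catch before release. As an added example (not Truffle Security's or Quokka's tooling), the Python below matches the public Google API key format, the literal prefix `AIza` followed by 35 characters from `[0-9A-Za-z_-]`, reports each hit with a redacted key and line number, and notes whether the file also references the Gemini API host. The two sample files and both keys are constructed and follow only the length rule.

```python
import re
from pathlib import Path

# Public format of a Google API key: the literal prefix "AIza" followed by
# exactly 35 characters from [0-9A-Za-z_-] (39 characters in total).
GOOGLE_API_KEY_RE = re.compile(
    r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"
)

# Presence of this host in the same file suggests the key is used for Gemini
# rather than, say, Maps; it is a hint for triage, not proof.
GEMINI_HOST = "generativelanguage.googleapis.com"


def redact(key: str) -> str:
    """Keep enough of the key to correlate findings without reproducing it."""
    return key[:8] + "..." + key[-4:]


def find_google_api_keys(text: str) -> list[dict]:
    """Return one finding per key occurrence with its 1-based line number."""
    findings = []
    gemini_hint = GEMINI_HOST in text
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in GOOGLE_API_KEY_RE.finditer(line):
            findings.append({"line": line_no,
                             "redacted": redact(match.group(0)),
                             "gemini_hint": gemini_hint})
    return findings


def scan_sources(files: dict[str, str]) -> list[dict]:
    """Scan in-memory {path: content} pairs (used here with constructed samples)."""
    results = []
    for path, content in files.items():
        for finding in find_google_api_keys(content):
            results.append({"file": path, **finding})
    return results


def scan_tree(root, suffixes=(".js", ".ts", ".json", ".xml", ".html",
                               ".kt", ".java", ".smali")) -> list[dict]:
    """Walk a checkout or an unpacked APK and scan text files by suffix."""
    files = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            files[str(path)] = path.read_text(encoding="utf-8", errors="ignore")
    return scan_sources(files)


# Constructed sample files; both keys are made up and follow only the length rule.
KEY_A = "AIzaSyExampleConstructedKey" + "0" * 12
KEY_B = "AIzaSyAnotherConstructedSample" + "0" * 9
SAMPLE_FILES = {
    "static/app.bundle.js": (
        "// constructed excerpt of a shipped web bundle\n"
        "const cfg = {\n"
        f'  apiKey: "{KEY_A}",\n'
        f'  endpoint: "https://{GEMINI_HOST}/v1beta/models",\n'
        "};\n"
        'const notAKey = "AIzaShort";\n'
    ),
    "res/values/strings.xml": (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<resources>\n"
        f'    <string name="maps_key">{KEY_B}</string>\n'
        "</resources>\n"
    ),
}

if __name__ == "__main__":
    for f in scan_sources(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} {f['redacted']} gemini_hint={f['gemini_hint']}")
```

A match only proves the string has the right shape; whether it is live, and which APIs it can reach, has to be confirmed against the key's configuration in the Google Cloud console. Keys that must ship in a client should be restricted there to the specific APIs and referrers or package signatures they need, so that a leaked key cannot be turned against services it was never meant to call.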

Pentagon Designates Anthropic as Supply Chain Risk Over AI Use Dispute

Updated: · First: 28.02.2026 06:57 · 📰 1 src / 1 articles

The U.S. Department of Defense (DoD) has designated Anthropic as a supply chain risk due to an impasse in negotiations over the use of its AI model, Claude. The Pentagon demands unrestricted use for military applications, including mass domestic surveillance and autonomous weapons, which Anthropic refuses. The DoD has ordered federal agencies and contractors to cease using Anthropic's technology, while Anthropic argues the designation is legally unsound and sets a dangerous precedent. Anthropic's stance aligns with broader concerns about AI ethics, as other tech companies and employees express support for its position.

Claude Code Security Reviews Introduced for AI-Assisted Development

Updated: 27.02.2026 22:16 · First: 22.08.2025 16:05 · 📰 4 src / 4 articles

Anthropic has introduced security review features in its Claude Code platform, designed to integrate security checks into AI-assisted development workflows. The new capabilities, now available in a limited research preview, automate the detection and remediation of common vulnerabilities in codebases, leveraging AI to enhance application security. These features are part of a broader trend toward embedding security directly into development tools and pipelines, addressing the challenges posed by AI-assisted coding and 'vibe coding.' The security review function allows developers to run ad hoc checks for vulnerabilities and implement fixes, with the option to integrate these checks into continuous integration/continuous deployment (CI/CD) pipelines. While the initial focus is on classic security issues like SQL injection and cross-site scripting, the tool is expected to evolve, though it is not intended to replace existing security measures. Security experts emphasize the need for a comprehensive approach to application security, combining AI-assisted tools with traditional methods and human oversight to ensure robust protection against emerging threats. The debut of Claude Code Security has impacted share prices of several security companies, highlighting the potential disruptive nature of AI-assisted security tools. However, the initial iteration of Claude Code Security has faced criticism for being slow and prone to false positives. Tests have shown that the tool takes significantly longer to review code compared to other tools like OpenGrep. Additionally, the tool's reliance on the same foundational AI for both writing and reviewing code has been questioned, with experts arguing that this practice is not ideal for security. The rapid adoption of AI-assisted development platforms has also led to an increase in security debt and high-severity vulnerabilities, with 82% of companies accruing more debt compared to 74% last year.

Windows 11 Batch File Security Enhancements in Insider Preview

Updated: · First: 27.02.2026 22:00 · 📰 1 src / 1 articles

Microsoft is introducing security improvements in Windows 11 Insider Preview builds to prevent batch files from being modified during execution. This change is aimed at enhancing performance and security in enterprise environments by ensuring code integrity through single-time signature validation. Additionally, Microsoft has improved the Shared Audio feature, allowing individual volume control for each listener and expanding support for more Bluetooth LE Audio accessories.

ScarCruft (APT37) Expands Tactics with Ruby Jumper Campaign Targeting Air-Gapped Networks

Updated: 27.02.2026 21:21 · First: 14.08.2025 03:00 · 📰 23 src / 26 articles

The **ScarCruft (APT37) Ruby Jumper campaign**, first discovered in **December 2025** and detailed in **February 2026**, marks a **significant expansion of tactics** to breach air-gapped networks and abuse legitimate cloud services for command-and-control (C2). The campaign deploys a **multi-stage infection chain** beginning with a malicious LNK file that drops a decoy document (e.g., an Arabic translation of a North Korean article on the Palestine-Israel conflict), an executable payload (**RESTLEAF**), a PowerShell script, and a batch file. RESTLEAF leverages **Zoho WorkDrive for C2**—the first known instance of ScarCruft using this service—to fetch shellcode, which then deploys **SNAKEDROPPER**. This implant installs a Ruby runtime, establishes persistence via a **scheduled task (`rubyupdatecheck`)** that replaces the RubyGems default file `operating_system.rb`, and drops **THUMBSBD** and **VIRUSTASK**, both designed to **weaponize removable media (USB drives)** for lateral movement into air-gapped systems. THUMBSBD supports **keylogging, audio/video surveillance, and file exfiltration**, while also creating **hidden directories on USB drives** to stage operator commands or store execution output. VIRUSTASK focuses on **initial access propagation** via USB drives, replacing legitimate files with malicious shortcuts that execute the Ruby interpreter when opened. The campaign also delivers **FOOTWINE**, a reconnaissance tool disguised as an APK file that harvests documents and monitors removable drive activity, and **BLUELIGHT**, a backdoor that adapts its C2 mode based on network connectivity (direct cloud communication or USB-based staging). This follows earlier ScarCruft operations, including **ransomware attacks (July 2025)**, **Operation HanKook Phantom (September 2025)**, and the **Contagious Interview campaign (February 2026)**, which targeted developers via malicious repositories and job-themed lures. 
The Ruby Jumper campaign underscores ScarCruft’s **expanded focus on air-gapped infiltration**, combining **cloud abuse with physical media exploitation** to evade network isolation and achieve persistent surveillance with minimal forensic traces. Zscaler ThreatLabz confirmed the use of **six distinct tools** in this campaign, five of which were previously undocumented.

Global Law Enforcement Disrupts 'The Com' Cybercrime Collective

Updated: 27.02.2026 20:20 · First: 27.02.2026 13:00 · 📰 2 src / 3 articles

A coordinated international operation, Project Compass, has arrested 30 members of 'The Com,' a cybercrime group linked to ransomware attacks, extortion, violent activities, and the production of child sexual exploitation material (CSAM). The group, primarily composed of young individuals, has targeted high-profile entities and engaged in phishing, vishing, and SIM swapping. Project Compass, led by Europol's European Counter Terrorism Centre, involves multiple countries and aims to disrupt the group's operations and safeguard victims. The Com has been connected to Russian cybercriminal gangs and has expanded its activities to include physical violence, extremist links, and the exploitation of minors.

U.S. sanctions cyber scam operations in Southeast Asia

Updated: 27.02.2026 20:11 · First: 09.09.2025 23:25 · 📰 4 src / 7 articles

The U.S. Department of the Treasury has sanctioned several large cyber scam networks in Southeast Asia, primarily in Burma and Cambodia. These operations, which used forced labor and human trafficking, stole over $10 billion from Americans in 2024, a 66% increase from the previous year. The scams included romance baiting and fake cryptocurrency investments. The sanctions target individuals and entities linked to the Karen National Army (KNA) and various organized crime networks. The U.S. has established a new task force, the Scam Center Strike Force, to disrupt Chinese cryptocurrency scam networks. This task force, supported by the U.S. Attorney's Office, the Department of Justice, the FBI, and the Secret Service, has already seized over $401 million in cryptocurrency and filed forfeiture proceedings for an additional $80 million in stolen funds. The Treasury Department’s Office of Foreign Assets Control has imposed additional sanctions on the Democratic Karen Benevolent Army (DKBA) and related entities. In a recent development, the U.S. Department of Justice (DoJ) seized $61 million worth of Tether linked to pig butchering crypto scams. The confiscated funds were traced to cryptocurrency addresses used for laundering proceeds from cryptocurrency investment scams. Threat actors target individuals by cultivating romantic relationships on dating and social media messaging apps, coercing victims into investing in fraudulent platforms that display fake high returns. Scammers route stolen money through multiple wallets to hide its nature and source. Tether has frozen around $4.2 billion in assets linked to illicit activity, including $250 million related to scam networks since June 2025.

Ongoing Web Shell Attacks on Sangoma FreePBX Instances via CVE-2025-64328

Updated: · First: 27.02.2026 19:59 · 📰 1 src / 1 article

Over 900 Sangoma FreePBX instances remain compromised with web shells due to the exploitation of CVE-2025-64328, a high-severity command injection vulnerability. The attacks, ongoing since December 2025, have affected instances globally, with the highest concentrations in the U.S., Brazil, Canada, Germany, and France. The vulnerability allows post-authentication command injection, enabling remote access as the asterisk user. The U.S. CISA has added this vulnerability to its KEV catalog, and Fortinet has linked the attacks to the threat actor INJ3CTOR3, who uses a web shell named EncystPHP.

CISA Updates RESURGE Malware Analysis, Reveals Advanced Evasion Techniques

Updated: 27.02.2026 17:57 · First: 26.02.2026 14:00 · 📰 2 src / 2 articles

CISA has released an updated Malware Analysis Report (MAR) on RESURGE, a sophisticated malware that exploits vulnerabilities to establish stealthy SSH-based command-and-control access. The malware can remain dormant on compromised Ivanti Connect Secure devices, evading routine detection. The updated analysis highlights RESURGE's advanced network-level evasion techniques, including forged TLS certificates and cryptographic methods, posing an ongoing threat to affected networks. CISA emphasizes the importance of using the provided indicators of compromise (IOCs) and detection signatures to identify and mitigate RESURGE, urging organizations to implement the recommended actions. The malware is linked to a threat actor tracked as UNC5221, which exploited the CVE-2025-0282 vulnerability as a zero-day since mid-December 2024.

Malicious Go Crypto Module Exploits Namespace Confusion to Deploy Rekoobe Backdoor

Updated: · First: 27.02.2026 17:33 · 📰 1 src / 1 article

A malicious Go module named github[.]com/xinfeisoft/crypto impersonates the legitimate golang.org/x/crypto codebase to steal passwords and deploy the Rekoobe Linux backdoor. The module exploits namespace confusion to inject malicious code that exfiltrates secrets entered at terminal password prompts and executes a shell script that creates persistent access via SSH and loosens firewall restrictions. The campaign targets high-value boundaries such as ReadPassword() and uses GitHub Raw as a mutable pointer that lets the operators rotate their infrastructure. The package remains listed on pkg.go.dev but has been blocked by the Go security team. The Rekoobe backdoor, known since 2015, can receive commands to download further payloads, steal files, and open a reverse shell. It has been used by Chinese nation-state groups such as APT31.

Visibility Gaps in Patch Management and Vulnerability Remediation

Updated: 27.02.2026 17:00 · First: 29.10.2025 16:02 · 📰 2 src / 3 articles

Organizations face significant challenges in patch management due to visibility gaps and lack of centralized control, particularly with third-party software. These gaps lead to unpatched vulnerabilities, compliance drift, and increased risk exposure. Modern solutions like Action1 aim to streamline detection, prioritization, and oversight of patch management processes, including third-party applications. Effective vulnerability management requires knowing what needs attention, acting quickly with proper tools, and confirming success. Centralized visibility and control are crucial for maintaining shorter remediation timelines, reducing repeat vulnerabilities, and demonstrating stronger audit readiness. Action1 offers a cloud-native platform that connects all endpoints, identifies missing updates, and provides granular control over patch deployment. It incorporates intelligence for prioritization and ensures visibility and accountability through detailed reporting and compliance dashboards.

ManoMano Data Breach Affects 38 Million Customers via Third-Party Service Provider

Updated: 27.02.2026 15:41 · First: 26.02.2026 19:35 · 📰 2 src / 2 articles

ManoMano, a European DIY e-commerce platform, disclosed a data breach impacting 38 million customers. The breach occurred in January 2026 due to unauthorized access to a third-party customer service provider. Exposed data includes full names, email addresses, phone numbers, and customer service communications. The stolen data includes information associated with 37.8 million ManoMano user accounts, over 900,000 service tickets, and over 13,000 attachments, pertaining to users across France, Germany, Italy, Spain, and the United Kingdom. No account passwords were compromised. The company has taken steps to secure its environment and notified relevant authorities and affected customers. The breach was claimed by an individual using the alias 'Indra' on a hacker forum, alleging the theft of 37.8 million user accounts and thousands of support tickets. The compromised service provider is reportedly a Tunis-based customer support firm that suffered a Zendesk breach.