CyberHappenings

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

News Summary

Last updated: 17:45 16/03/2026 UTC
  • Windows 11 Access Denied Issue on Samsung Laptops Microsoft is investigating an issue affecting Samsung laptops running Windows 11 after the February 2026 security updates. Users lose access to the C:\ drive and cannot launch applications, encountering 'C:\ is not accessible – Access denied' errors. The problem impacts Windows 11 versions 25H2 and 24H2, primarily affecting Samsung Galaxy Book 4 and desktop models in Brazil, Portugal, South Korea, and India. The issue has been attributed to the Samsung Galaxy Connect app, which has been temporarily removed from the Microsoft Store. Samsung has republished a stable previous version of the app to stop recurrence on additional devices. Microsoft and Samsung are still working on a fix for affected devices.
  • Shamos Infostealer Targeting Mac Devices via ClickFix Attacks A new infostealer malware named Shamos is targeting Mac devices through ClickFix attacks. The malware, developed by the COOKIE SPIDER group, steals data and credentials from web browsers, Keychain, Apple Notes, and cryptocurrency wallets. The attacks use malvertising and fake GitHub repositories to lure victims into executing shell commands that download and install the malware. Since June 2025, Shamos has attempted infections in over three hundred environments monitored by CrowdStrike. The malware uses anti-VM commands, AppleScript for reconnaissance, and creates persistence through a Plist file. Users are advised to avoid executing unknown commands and to seek help from trusted sources. A new variant of the MacSync stealer, related to Shamos, is distributed through a digitally signed, notarized Swift application, bypassing macOS Gatekeeper checks. This variant uses evasion techniques such as inflating the DMG file with decoy PDFs and performing internet connectivity checks. The malware runs largely in memory and cleans up temporary files after execution, leaving minimal traces behind. The associated developer certificate has been revoked. Three distinct ClickFix campaigns have been identified distributing the MacSync infostealer via fake AI tool installers. The campaigns use various lures, including OpenAI Atlas browser and ChatGPT conversations, to trick users into executing malicious commands. The latest variant of MacSync supports dynamic AppleScript payloads and in-memory execution to evade detection. The shell script retrieves the AppleScript infostealer payload from a hard-coded server and removes evidence of data theft. The malware harvests credentials, files, keychain databases, and cryptocurrency wallet seed phrases.
  • PluggyApe Backdoor Targets Ukraine's Defense Forces in Charity-Themed Campaign Ukraine's Defense Forces were targeted in a charity-themed malware campaign between October and December 2025, delivering the PluggyApe backdoor, likely deployed by the Russian threat group Void Blizzard (Laundry Bear). The attacks began with instant messages over Signal or WhatsApp, directing recipients to malicious websites posing as charitable foundations. These sites distributed password-protected archives containing PluggyApe payloads. The malware profiles the host, sends victim information to attackers, and waits for further commands. In February 2026, a new campaign targeting Ukrainian entities was observed, employing judicial and charity-themed lures to deploy a JavaScript-based backdoor codenamed DRILLAPP. This campaign is likely orchestrated by threat actors linked to Russia and shares overlaps with the prior PluggyApe campaign. The malware is capable of uploading and downloading files, leveraging the microphone, and capturing images through the webcam. The threat actor is believed to be active since at least April 2024.
  • OpenAI Confirms ChatGPT Ads Limited to US Despite Global Privacy Policy Updates OpenAI has clarified that ChatGPT advertisements are currently only available in the United States, despite recent updates to the privacy policy that mentioned ads, sparking speculation about a global rollout. OpenAI is taking a phased approach to ad deployment, focusing on learning from real-world use in the US before expanding further. The ads are personalized and appear below answers for logged-in users on Free and Go plans, with strict privacy measures in place to prevent data sharing with advertisers.
  • Nudge Security Introduces AI Governance and Monitoring Solution Nudge Security has launched a solution to help organizations discover, monitor, and govern the use of AI tools within their environments. The tool provides continuous discovery, real-time monitoring, and proactive governance to mitigate risks associated with shadow AI usage. The solution integrates with identity providers (IdP) like Microsoft 365 and Google Workspace to detect AI tool adoption and monitor sensitive data sharing. It also offers alerts for risky activities and enforces AI usage policies. This development addresses the growing challenge of managing AI tools that are often adopted without IT oversight, posing potential security and compliance risks.
  • Google Patches Two Actively Exploited Chrome Zero-Day Vulnerabilities Google has released security updates for Chrome to address two high-severity zero-day vulnerabilities (CVE-2026-3909 and CVE-2026-3910) that are being actively exploited in the wild. The vulnerabilities involve an out-of-bounds write in the Skia 2D graphics library and an inappropriate implementation in the V8 JavaScript and WebAssembly engine, potentially leading to out-of-bounds memory access or code execution. The patches are available in Chrome versions 146.0.7680.75/76 for Windows and macOS, and 146.0.7680.75 for Linux. These vulnerabilities highlight the ongoing threat of zero-day exploits in widely used software, emphasizing the importance of timely updates and patches to mitigate potential security risks.
  • DNS Exfiltration in AWS Bedrock Code Interpreter Security researchers demonstrated a method to exfiltrate sensitive data from AWS Bedrock AgentCore Code Interpreter using DNS queries, bypassing network restrictions in Sandbox Mode. The technique involves embedding malicious instructions in files to create a covert command-and-control (C2) channel via DNS queries. The findings highlight architectural challenges in sandbox isolation and the risks of overly permissive IAM roles. AWS confirmed the behavior as intended and updated documentation, recommending migration to VPC mode for sensitive workloads.
Last updated: 13:00 16/03/2026 UTC
  • Windows 11 KB5070311 Update Addresses File Explorer and Search Issues Microsoft has released the KB5070311 optional preview cumulative update for Windows 11, addressing File Explorer freezes, search issues, and other bugs. The update includes 49 changes and is part of the monthly preview updates that precede Patch Tuesday releases. It fixes issues with explorer.exe process responsiveness, SMB share search problems, and LSASS instability. However, the update also introduced a new bug causing bright white flashes when launching File Explorer in dark mode. Microsoft has since fixed this issue with the December KB5072033 Patch Tuesday cumulative update. The update is available for manual installation and updates Windows 11 25H2 and 24H2 devices to builds 26200.7309 and 26100.7309, respectively. Additionally, Microsoft announced there will be no preview update in December 2025 due to minimal operations during the Western holidays, with normal updates resuming in January 2026. Microsoft is still working to fully address the File Explorer white flash issue in dark mode, with the bug fix rolling out to all Windows Insiders in the Beta and Dev channels who install the Windows 11 Build 26220.7961 (KB5079382) and Windows 11 Build 26300.7965 (KB5079385) preview builds. The latest Windows 11 preview builds also add support for voice typing (Windows key plus H) when renaming files in File Explorer and improve reliability when unblocking files downloaded from the internet to preview them in File Explorer. Starting in November, Microsoft began testing an optional Windows 11 feature that preloads File Explorer in the background to improve performance and speed up launch times.
  • Veeam Patches Multiple Critical RCE Vulnerabilities in Backup & Replication Veeam has released security updates to address multiple critical vulnerabilities in its Backup & Replication software, including seven new RCE flaws. The latest updates patch vulnerabilities (CVE-2026-21666, CVE-2026-21667, CVE-2026-21668, CVE-2026-21669, CVE-2026-21671, CVE-2026-21672, and CVE-2026-21708) that allow low-privileged domain users and Backup Viewers to execute remote code on vulnerable backup servers. Additionally, several high-severity bugs were addressed, which could be exploited to escalate privileges, extract SSH credentials, and manipulate files on Backup Repositories. All vulnerabilities affect earlier versions and have been fixed in versions 12.3.2.4465 and 13.0.1.2067. Veeam has warned admins to upgrade to the latest release promptly, as threat actors often develop exploits post-patch release. Ransomware gangs, including FIN7 and the Cuba ransomware gang, have targeted VBR servers to simplify data theft and block restoration efforts.
  • Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data Salesforce is warning customers of an escalating mass-scanning campaign targeting misconfigured Experience Cloud instances, now linked to ShinyHunters (UNC6240), which claims to have breached hundreds of companies—including 100 high-profile organizations—by exploiting overly permissive guest user permissions. The attackers are using a modified AuraInspector tool to extract data directly via the /s/sfsites/aura API endpoint, bypassing authentication for CRM objects. Salesforce emphasizes that this stems from customer misconfigurations, not a platform flaw, and urges immediate mitigation: auditing guest user permissions, setting org-wide defaults to Private, disabling public API access for guests, and reviewing Aura Event Monitoring logs for anomalies. This follows the August 2025 Salesloft Drift OAuth breach, where UNC6395/GRUB1 stole tokens to access Salesforce customer data, impacting over 700 organizations (e.g., Zscaler, Palo Alto Networks, Cloudflare). While earlier waves relied on stolen OAuth tokens, the latest campaign marks a shift to exploiting misconfigured guest access—though ShinyHunters is implicated in both. Salesforce and partners have revoked compromised tokens and disabled vulnerable integrations, but the new Aura/Experience Cloud attacks highlight persistent risks from improperly secured public-facing portals. The harvested data (e.g., names, phone numbers) is repurposed for follow-on vishing and social engineering, aligning with broader identity-based targeting trends.
  • Russian FSB-linked Hackers Exploit Cisco Smart Install Vulnerability for Cyber Espionage Static Tundra, a Russian state-sponsored cyber espionage group linked to the FSB's Center 16 unit, has been actively exploiting a seven-year-old vulnerability in Cisco IOS and IOS XE software (CVE-2018-0171) to gain persistent access to target networks. The group has been targeting organizations in telecommunications, higher education, manufacturing, and critical infrastructure sectors across multiple continents. The attacks involve collecting configuration files, deploying custom tools like SYNful Knock, and modifying TACACS+ configurations to achieve long-term access and information gathering. The FBI and Cisco Talos have issued advisories warning about the ongoing campaign, which has been active for over a year and has targeted critical infrastructure sectors in the US and abroad. The group has also increased attacks on Ukraine since the start of the war. The vulnerability allows unauthenticated, remote attackers to execute arbitrary code or trigger DoS conditions. Cisco has advised customers to apply the patch for CVE-2018-0171 or disable Smart Install to mitigate the risk. The group has also targeted networks of US state, local, territorial, and tribal (SLTT) government organizations and aviation entities over the last decade. The threat extends beyond Russia's operations—other state-sponsored actors are likely conducting similar network device compromise campaigns. Additionally, the INC ransomware operation has been targeting healthcare organizations in Oceania, including Australia, New Zealand, and Tonga. The Australian Cyber Security Centre (ACSC), CERT Tonga, and New Zealand's National Cyber Security Centre (NCSC) issued a joint advisory on March 6, 2026, about INC's targeting of critical networks in the region. INC initially focused on the US and the UK but expanded to Australia in the summer of 2024, targeting professional services and healthcare industries. The ACSC responded to 11 INC ransomware attacks in Australia between July 2024 and December 2025, predominantly affecting healthcare or professional services companies.
  • Ransomware extortion totals $2.1B from 2022 to 2024, FinCEN reports FinCEN's report reveals that ransomware gangs extorted over $2.1 billion from 2022 to 2024, with a peak in 2023 followed by a decline in 2024 due to law enforcement actions against major gangs like ALPHV/BlackCat and LockBit. The report details 4,194 ransomware incidents, with manufacturing, financial services, and healthcare being the most targeted industries. The top ransomware families, including Akira, ALPHV/BlackCat, and LockBit, were responsible for the majority of attacks and ransom payments, with Bitcoin being the primary payment method. Recently, the U.S. Department of Justice charged Angelo Martino, a former DigitalMint employee, for his involvement in a scheme with the BlackCat (ALPHV) ransomware operation. Martino shared confidential information with BlackCat operators and was directly involved in ransomware attacks alongside accomplices Kevin Tyler Martin and Ryan Goldberg. The defendants operated as BlackCat affiliates, demanding ransom payments and threatening to leak data stolen from victims' networks.
  • Privilege Escalation Vulnerability in Linux Kernel Exploited in Ransomware Attacks A high-severity privilege escalation flaw in the Linux kernel (CVE-2024-1086) is being exploited in ransomware attacks. Disclosed in January 2024, the vulnerability allows attackers with local access to escalate privileges to root level. It affects multiple major Linux distributions, including Debian, Ubuntu, Fedora, and Red Hat. The flaw was introduced in February 2014 and fixed in January 2024. Additionally, nine confused deputy vulnerabilities, codenamed CrackArmor, have been discovered in the Linux kernel's AppArmor module. These flaws, existing since 2017, allow unprivileged users to bypass kernel protections, escalate to root, and undermine container isolation guarantees. The vulnerabilities affect Linux kernels since version 4.11 and impact major distributions like Ubuntu, Debian, and SUSE. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed the exploitation of the initial flaw in ransomware campaigns and added it to its Known Exploited Vulnerabilities (KEV) catalog in May 2024. Federal agencies were ordered to secure their systems by June 20, 2024. Mitigations include blocking the 'nf_tables' kernel module, restricting access to user namespaces, or loading the Linux Kernel Runtime Guard (LKRG) module.

Latest updates


Wing FTP Server Vulnerability Exploited in Attacks

First: 16.03.2026 20:00 · 📰 1 src / 1 article

CISA has flagged an actively exploited vulnerability (CVE-2025-47813) in Wing FTP Server, which allows low-privilege attackers to discover the full local installation path of the application. This flaw can be chained with a critical remote code execution (RCE) bug (CVE-2025-47812) for further exploitation. The vulnerabilities were patched in May 2025, but attackers continue to exploit them in the wild. CISA has given federal agencies two weeks to secure their systems and encourages private sector organizations to apply mitigations immediately.

Companies House WebFiling Dashboard Vulnerability Exploited for Fraud

Updated: 16.03.2026 19:07 · First: 16.03.2026 12:30 · 📰 2 src / 2 articles

The UK's Companies House suspended its WebFiling dashboard after a security flaw allowed unauthorized access to corporate and personal details of directors. The vulnerability, introduced during an update in October 2025, enabled attackers to view and potentially modify registration details of around five million companies, exposing them to phishing and fraud. The flaw was discovered by Dan Neidle and John Hewitt, who demonstrated how easy it was to exploit. Companies House has taken the dashboard offline for investigation and has since restored the service. The agency confirmed that the flaw could only be exploited by logged-in users and that no user passwords or identity verification data were compromised. The extent of the impact and whether modifications were made remains unclear, and the agency is investigating further.

Microsoft Exchange Online Outage Affecting Multiple Connection Methods Due to Authentication Misconfiguration

Updated: 16.03.2026 18:05 · First: 08.01.2026 14:45 · 📰 2 src / 2 articles

Microsoft is addressing an ongoing Exchange Online outage affecting multiple connection methods, including Outlook on the web, Outlook desktop, and Exchange ActiveSync. The issue, tracked under incident ID EX1253275, stems from a code conflict in a recent deployment related to authentication support. The misconfiguration causes intermittent access problems for some users. Microsoft has identified a section of service infrastructure that is not processing traffic efficiently and is making configuration changes to remediate the impact. The company expects the issue to be fully resolved by the next scheduled update. Other connection methods remain unaffected. Microsoft first acknowledged the incident at 06:42 UTC on the day of the report. While the exact number of users and regions impacted is not specified, the issue has been flagged as critical in the Microsoft 365 admin center. Additionally, Microsoft is investigating a separate outage affecting the Microsoft 365 Copilot web sign-in page and Copilot web clients.

Google Patches Two Actively Exploited Chrome Zero-Day Vulnerabilities

First: 16.03.2026 16:17 · 📰 1 src / 1 article

Google has released security updates for Chrome to address two high-severity zero-day vulnerabilities (CVE-2026-3909 and CVE-2026-3910) that are being actively exploited in the wild. The vulnerabilities involve an out-of-bounds write in the Skia 2D graphics library and an inappropriate implementation in the V8 JavaScript and WebAssembly engine, potentially leading to out-of-bounds memory access or code execution. The patches are available in Chrome versions 146.0.7680.75/76 for Windows and macOS, and 146.0.7680.75 for Linux. These vulnerabilities highlight the ongoing threat of zero-day exploits in widely used software, emphasizing the importance of timely updates and patches to mitigate potential security risks.

Nudge Security Introduces AI Governance and Monitoring Solution

First: 16.03.2026 16:01 · 📰 1 src / 1 article

Nudge Security has launched a solution to help organizations discover, monitor, and govern the use of AI tools within their environments. The tool provides continuous discovery, real-time monitoring, and proactive governance to mitigate risks associated with shadow AI usage. The solution integrates with identity providers (IdP) like Microsoft 365 and Google Workspace to detect AI tool adoption and monitor sensitive data sharing. It also offers alerts for risky activities and enforces AI usage policies. This development addresses the growing challenge of managing AI tools that are often adopted without IT oversight, posing potential security and compliance risks.

Privilege Escalation Vulnerability in Linux Kernel Exploited in Ransomware Attacks

Updated: 16.03.2026 16:00 · First: 31.10.2025 15:05 · 📰 3 src / 3 articles

A high-severity privilege escalation flaw in the Linux kernel (CVE-2024-1086) is being exploited in ransomware attacks. Disclosed in January 2024, the vulnerability allows attackers with local access to escalate privileges to root level. It affects multiple major Linux distributions, including Debian, Ubuntu, Fedora, and Red Hat. The flaw was introduced in February 2014 and fixed in January 2024. Additionally, nine confused deputy vulnerabilities, codenamed CrackArmor, have been discovered in the Linux kernel's AppArmor module. These flaws, existing since 2017, allow unprivileged users to bypass kernel protections, escalate to root, and undermine container isolation guarantees. The vulnerabilities affect Linux kernels since version 4.11 and impact major distributions like Ubuntu, Debian, and SUSE. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed the exploitation of the initial flaw in ransomware campaigns and added it to its Known Exploited Vulnerabilities (KEV) catalog in May 2024. Federal agencies were ordered to secure their systems by June 20, 2024. Mitigations include blocking the 'nf_tables' kernel module, restricting access to user namespaces, or loading the Linux Kernel Runtime Guard (LKRG) module. The CrackArmor flaws were discovered by the Qualys Threat Research Unit; the underlying 'confused deputy' condition lets unprivileged local users manipulate AppArmor security profiles. Over 12.6 million enterprise Linux systems are affected, and the flaws enable local privilege escalation, denial-of-service attacks, and container isolation bypass. Qualys has developed proof-of-concept exploits but has not publicly released them.

Windows 11 Access Denied Issue on Samsung Laptops

Updated: 16.03.2026 15:14 · First: 14.03.2026 00:11 · 📰 2 src / 3 articles

Microsoft is investigating an issue affecting Samsung laptops running Windows 11 after the February 2026 security updates. Users lose access to the C:\ drive and cannot launch applications, encountering 'C:\ is not accessible – Access denied' errors. The problem impacts Windows 11 versions 25H2 and 24H2, primarily affecting Samsung Galaxy Book 4 and desktop models in Brazil, Portugal, South Korea, and India. The issue has been attributed to the Samsung Galaxy Connect app, which has been temporarily removed from the Microsoft Store. Samsung has republished a stable previous version of the app to stop recurrence on additional devices. Microsoft and Samsung are still working on a fix for affected devices.

DNS Exfiltration in AWS Bedrock Code Interpreter

First: 16.03.2026 15:00 · 📰 1 src / 1 article

Security researchers demonstrated a method to exfiltrate sensitive data from AWS Bedrock AgentCore Code Interpreter using DNS queries, bypassing network restrictions in Sandbox Mode. The technique involves embedding malicious instructions in files to create a covert command-and-control (C2) channel via DNS queries. The findings highlight architectural challenges in sandbox isolation and the risks of overly permissive IAM roles. AWS confirmed the behavior as intended and updated documentation, recommending migration to VPC mode for sensitive workloads.

Agentic AI Transforming Security Validation

First: 16.03.2026 13:58 · 📰 1 src / 1 article

Security validation is evolving towards agentic AI-driven approaches to address the fragmented nature of current validation tools. Traditional methods rely on disparate tools like BAS, pentesting, and vulnerability scanners, which do not integrate well and fail to reflect the interconnected nature of real-world attacks. Agentic AI promises continuous, context-aware validation that autonomously plans, executes, and reasons across complex workflows, providing a more holistic view of security posture. The shift involves three perspectives: adversarial (identifying attack paths), defensive (validating security controls), and risk (prioritizing exposures). Agentic AI can compress validation workflows from days to minutes by autonomously analyzing threats, mapping them to the environment, and surfacing critical insights. The effectiveness of agentic AI depends on a unified security data layer, or Security Data Fabric, which includes asset intelligence, exposure intelligence, and security control effectiveness. This fabric provides the context needed for AI to tailor validation to specific environments and threats.

Shamos Infostealer Targeting Mac Devices via ClickFix Attacks

Updated: 16.03.2026 13:41 · First: 22.08.2025 18:44 · 📰 5 src / 7 articles

A new infostealer malware named Shamos is targeting Mac devices through ClickFix attacks. The malware, developed by the COOKIE SPIDER group, steals data and credentials from web browsers, Keychain, Apple Notes, and cryptocurrency wallets. The attacks use malvertising and fake GitHub repositories to lure victims into executing shell commands that download and install the malware. Since June 2025, Shamos has attempted infections in over three hundred environments monitored by CrowdStrike. The malware uses anti-VM commands, AppleScript for reconnaissance, and creates persistence through a Plist file. Users are advised to avoid executing unknown commands and to seek help from trusted sources. A new variant of the MacSync stealer, related to Shamos, is distributed through a digitally signed, notarized Swift application, bypassing macOS Gatekeeper checks. This variant uses evasion techniques such as inflating the DMG file with decoy PDFs and performing internet connectivity checks. The malware runs largely in memory and cleans up temporary files after execution, leaving minimal traces behind. The associated developer certificate has been revoked. Three distinct ClickFix campaigns have been identified distributing the MacSync infostealer via fake AI tool installers. The campaigns use various lures, including OpenAI Atlas browser and ChatGPT conversations, to trick users into executing malicious commands. The latest variant of MacSync supports dynamic AppleScript payloads and in-memory execution to evade detection. The shell script retrieves the AppleScript infostealer payload from a hard-coded server and removes evidence of data theft. The malware harvests credentials, files, keychain databases, and cryptocurrency wallet seed phrases.

Cryptocurrency theft via Steam game BlockBlasters

Updated: 16.03.2026 13:15 · First: 22.09.2025 12:28 · 📰 3 src / 4 articles

A verified game on Steam, BlockBlasters, was compromised to steal cryptocurrency from users. The malware was added to the game on August 30, 2025, and was active until September 21, 2025. The game targeted users with significant cryptocurrency holdings, leading to the theft of $150,000 from 261 to 478 Steam accounts. The attacker's operational security failure exposed their Telegram bot code and tokens. One victim, a gamer seeking funds for cancer treatment, lost $32,000. The community has since rallied to cover the loss. Similar incidents involving other Steam games have occurred this year. The FBI is now investigating eight malicious Steam games, including BlockBlasters, and is seeking victims who installed these games between May 2024 and January 2026. The investigation focuses on cryptocurrency theft and account hijacks. The FBI is asking for screenshots of communications with individuals who promoted the games and is legally mandated to identify victims of federal crimes it investigates, offering potential services, restitution, and rights under federal and/or state law.

PluggyApe Backdoor Targets Ukraine's Defense Forces in Charity-Themed Campaign

Updated: 16.03.2026 11:07 · First: 14.01.2026 01:03 · 📰 3 src / 4 articles

Ukraine's Defense Forces were targeted in a charity-themed malware campaign between October and December 2025, delivering the PluggyApe backdoor, likely deployed by the Russian threat group Void Blizzard (Laundry Bear). The attacks began with instant messages over Signal or WhatsApp, directing recipients to malicious websites posing as charitable foundations. These sites distributed password-protected archives containing PluggyApe payloads. The malware profiles the host, sends victim information to attackers, and waits for further commands. In February 2026, a new campaign targeting Ukrainian entities was observed, employing judicial and charity-themed lures to deploy a JavaScript-based backdoor codenamed DRILLAPP. This campaign is likely orchestrated by threat actors linked to Russia and shares overlaps with the prior PluggyApe campaign. The malware is capable of uploading and downloading files, leveraging the microphone, and capturing images through the webcam. The threat actor is believed to be active since at least April 2024.

Android 17 Restricts Accessibility API to Prevent Malware Abuse

First: 16.03.2026 07:43 · 📰 1 src / 1 article

Google is testing a new security feature in Android 17 Beta 2 that prevents non-accessibility apps from using the Accessibility API when Advanced Protection Mode (AAPM) is enabled. This change aims to mitigate malware abuse of the API, which has been exploited to steal sensitive data. Only verified accessibility tools, such as screen readers and Braille-based access programs, are exempt from this restriction. The update also introduces a new contacts picker for granular control over contact data access.

OpenAI Confirms ChatGPT Ads Limited to US Despite Global Privacy Policy Updates

First: 16.03.2026 01:13 · 📰 1 src / 1 article

OpenAI has clarified that ChatGPT advertisements are currently only available in the United States, despite recent updates to the privacy policy that mentioned ads, sparking speculation about a global rollout. OpenAI is taking a phased approach to ad deployment, focusing on learning from real-world use in the US before expanding further. The ads are personalized and appear below answers for logged-in users on Free and Go plans, with strict privacy measures in place to prevent data sharing with advertisers.

Betterleaks: Advanced Secrets Scanner Released as Gitleaks Successor

Updated: · First: 15.03.2026 16:17 · 📰 1 src / 1 articles

Betterleaks, a new open-source secrets scanner, has been introduced as an advanced successor to Gitleaks. Developed by Zach Rice and supported by Aikido Security, the tool scans directories, files, and git repositories for valid secrets using default or customized rules. Betterleaks aims to identify sensitive information such as credentials, API keys, and tokens before threat actors can exploit them. The tool features improved token efficiency scanning, parallelized Git scanning, and support for doubly/triply encoded secrets. Future updates plan to include LLM-assisted analysis, automatic secret revocation, and performance optimizations.

Microsoft releases OOB hotpatch for Windows 11 RRAS RCE vulnerabilities

Updated: · First: 14.03.2026 23:48 · 📰 1 src / 1 articles

Microsoft has released an out-of-band (OOB) hotpatch update (KB5084597) for Windows 11 Enterprise devices to address critical remote code execution (RCE) vulnerabilities in the Routing and Remote Access Service (RRAS) management tool. The vulnerabilities, tracked as CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111, could allow remote code execution when connecting to a malicious server. The hotpatch update is designed for devices using hotpatch updates instead of regular Patch Tuesday cumulative updates, ensuring no reboot is required for mission-critical systems.

Malicious OpenClaw AI Coding Assistant Extension on VS Code Marketplace

Updated: 14.03.2026 18:17 · First: 28.01.2026 19:46 · 📰 8 src / 17 articles

A malicious Microsoft Visual Studio Code (VS Code) extension named "ClawdBot Agent - AI Coding Assistant" was discovered on the official Extension Marketplace. The extension, which posed as a free AI coding assistant, stealthily dropped a malicious payload on compromised hosts, and Microsoft took it down after cybersecurity researchers reported it. The extension executed a binary named "Code.exe" that deployed a legitimate remote desktop program, granting attackers persistent remote access to compromised hosts. It also incorporated multiple fallback mechanisms to ensure payload delivery, including retrieving a DLL from Dropbox and using hard-coded URLs to obtain the payloads.

Separately, security researchers found hundreds of unauthenticated Moltbot instances online, exposing sensitive data and credentials. Moltbot, an open-source personal AI assistant, can run 24/7 locally, maintaining a persistent memory and executing scheduled tasks, but insecure deployments can lead to sensitive data leaks, corporate data exposure, credential theft, and command execution. Hundreds of Clawdbot Control admin interfaces are exposed online due to reverse proxy misconfiguration, allowing unauthenticated access and root-level system access.

More than 230 malicious packages for OpenClaw (formerly Moltbot and ClawdBot) have been published in less than a week on the tool's official registry and on GitHub. These malicious skills impersonate legitimate utilities and inject information-stealing malware payloads onto users' systems, targeting sensitive data like API keys, wallet private keys, SSH credentials, and browser passwords. Users are advised to audit their configurations, revoke connected service integrations, and implement network controls to mitigate potential risks.

Moltbook, a self-styled social networking platform built for AI agents, contained a misconfigured database that allowed full read and write access to all data. The exposure was due to a Supabase API key exposed in client-side JavaScript, granting unauthenticated access to the entire production database. Researchers accessed 1.5 million API authentication tokens, 30,000 email addresses, and thousands of private messages between agents. The API key exposure allowed attackers to impersonate any agent on the platform, post content, send messages, and interact as that agent, and unauthenticated users could edit existing posts, inject malicious content or prompt injection payloads, and deface the site.

SecurityScorecard found 40,214 exposed OpenClaw instances associated with 28,663 unique IP addresses. Of the observed deployments, 63% are vulnerable, with 12,812 instances exploitable via remote code execution (RCE) attacks. SecurityScorecard correlated 549 instances with prior breach activity and 1,493 with known vulnerabilities. Three high-severity CVEs in OpenClaw have been discovered, with public exploit code available. OpenClaw instances are at risk of indirect prompt injection and API key leaks, with most exposures located in China, the US, and Singapore.

A supply chain attack via the Cline npm package version 2.3.0 installed OpenClaw on users' systems, exploiting a prompt injection vulnerability in Cline's Claude Issue Triage workflow. The compromised Cline package was downloaded approximately 4,000 times over an eight-hour stretch. The attack affected all users who installed the Cline CLI package version 2.3.0 during that eight-hour window on February 17, 2026, but did not impact Cline's Visual Studio Code (VS Code) extension or JetBrains plugin. OpenClaw has broad permissions and full disk access, making it a high-value implant for attackers. Cline maintainers released version 2.4.0 to mitigate the unauthorized publication and revoked the compromised token. Microsoft Threat Intelligence observed a small but noticeable uptick in OpenClaw installations on February 17, 2026, due to the supply chain compromise. Users are advised to update to the latest version, check their environment for any unexpected installation of OpenClaw, and remove it if not required.

China's National Computer Network Emergency Response Technical Team (CNCERT) has issued a warning about the security risks stemming from the use of OpenClaw, an open-source and self-hosted autonomous AI agent. OpenClaw's inherently weak default security configurations and privileged access to the system could be exploited by bad actors to seize control of the endpoint. Prompt injections in OpenClaw can cause the agent to leak sensitive information if it is tricked into accessing and consuming malicious content; indirect prompt injection (IDPI) or cross-domain prompt injection (XPIA) attacks can manipulate benign AI features like web page summarization or content analysis into running manipulated instructions. Researchers at PromptArmor found that the link preview feature in messaging apps like Telegram or Discord can be turned into a data exfiltration pathway when communicating with OpenClaw. OpenClaw may also inadvertently and irrevocably delete critical information due to its misinterpretation of user instructions. Threat actors can upload malicious skills to repositories like ClawHub that, when installed, run arbitrary commands or deploy malware, and attackers can exploit recently disclosed security vulnerabilities in OpenClaw to compromise the system and leak sensitive data. Chinese authorities have moved to restrict state-run enterprises and government agencies from running OpenClaw AI apps on office computers. Threat actors have also distributed malicious GitHub repositories posing as OpenClaw installers to deploy information stealers like Atomic and Vidar Stealer, and a Golang-based proxy malware known as GhostSocks.

Cryptocurrency Stealer via AppsFlyer Web SDK

Updated: · First: 14.03.2026 16:36 · 📰 1 src / 1 articles

Malicious JavaScript code delivered through the AppsFlyer Web SDK intercepted cryptocurrency wallet addresses on websites, replacing them with attacker-controlled addresses to divert funds. The payload was served from the official domain 'websdk.appsflyer.com' and targeted Bitcoin, Ethereum, Solana, Ripple, and TRON addresses. The incident impacted thousands of applications and end users, with the exposure window likely between March 9 and March 11, 2026. AppsFlyer confirmed unauthorized code delivery but stated the mobile SDK was unaffected and the issue has been resolved.

GlassWorm malware targets OpenVSX, VS Code registries

Updated: 14.03.2026 14:55 · First: 20.10.2025 19:13 · 📰 12 src / 27 articles

The GlassWorm malware campaign has resurfaced with a significant escalation, adding at least 72 new malicious Open VSX extensions since January 31, 2026. The malware uses invisible Unicode characters to hide malicious code and targets GitHub, NPM, and OpenVSX account credentials, as well as cryptocurrency wallet data. The campaign initially impacted 49 extensions, with an estimated 35,800 downloads, though this figure includes inflated numbers due to bots and visibility-boosting tactics. The Eclipse Foundation has revoked leaked tokens and introduced security measures, but the threat actors pivoted to GitHub and have now returned to OpenVSX with updated command-and-control endpoints, posting a fresh transaction to the Solana blockchain that provides an updated C2 endpoint for downloading the next-stage payload. The attacker's server was inadvertently exposed, revealing a partial list of victims spanning the United States, South America, Europe, and Asia, including a major government entity in the Middle East; Koi Security accessed the server and shared victim data with law enforcement. The threat actor is assessed to be Russian-speaking and uses the open-source browser extension C2 framework named RedExt as part of their infrastructure. The third wave of GlassWorm uses Rust-based implants packaged inside the extensions and targets popular tools and developer frameworks like Flutter, Vim, Yaml, Tailwind, Svelte, React Native, and Vue.

Additionally, a malicious Rust package named "evm-units" was discovered, targeting Windows, macOS, and Linux systems. This package, uploaded to crates.io in mid-April 2025, attracted over 7,000 downloads and was designed to stealthily execute on developer machines by masquerading as an Ethereum Virtual Machine (EVM) unit helper tool. The package checks for the presence of Qihoo 360 antivirus and alters its execution flow accordingly. The references to EVM and Uniswap indicate that the supply chain incident is designed to target developers in the Web3 space.

GlassWorm attacks first appeared in late October, hiding the malicious code using "invisible" Unicode characters to steal cryptocurrency wallet and developer account details. The malware also supports VNC-based remote access and SOCKS proxying. Over time and across multiple attack waves, GlassWorm impacted both Microsoft's official Visual Studio Code marketplace and its open-source alternative for unsupported IDEs, OpenVSX. In a previous campaign, GlassWorm showed signs of evolution, targeting macOS systems, and its developers were working to add a replacement mechanism for the Trezor and Ledger apps.

A further wave involved the compromise of a legitimate developer's resources to push malicious updates to downstream users. The threat actor gained access to the account of the developer oorzc and pushed updates carrying the GlassWorm payload to four extensions that had previously been presented as legitimate developer utilities and had collectively accumulated over 22,000 Open VSX downloads prior to the malicious releases. This attack focuses on stealing passwords, crypto-wallet data, and developer credentials and configurations from macOS systems. A report from Socket's security team describes the campaign as trojanizing the following extensions: oorzc.ssh-tools v0.5.1, oorzc.i18n-tools-plus v1.6.8, oorzc.mind-map v1.0.61, and oorzc.scss-to-css-compile v1.3.4. The malicious updates were pushed on January 30, and Socket reports that the extensions had been innocuous for two years, which suggests that the oorzc account was most likely compromised by GlassWorm operators.

According to Socket's researchers, this campaign targets macOS systems exclusively, pulling instructions from Solana transaction memos. Notably, Russian-locale systems are excluded, which may hint at the origin of the attacker. GlassWorm loads a macOS information stealer that establishes persistence on infected systems via a LaunchAgent, enabling execution at login. It harvests browser data across Firefox and Chromium, wallet extensions and wallet apps, macOS keychain data, Apple Notes databases, Safari cookies, developer secrets, and documents from the local filesystem, and exfiltrates everything to the attacker's infrastructure at 45.32.150[.]251. Socket reported the packages to the Eclipse Foundation, the operator of the Open VSX platform, whose security team confirmed unauthorized publishing access, revoked tokens, and removed the malicious releases. The only exception is oorzc.ssh-tools, which was removed completely from Open VSX after multiple malicious releases were discovered. Currently, the versions of the affected extensions on the marketplace are clean, but developers who downloaded the malicious releases should perform a full system clean-up and rotate all their secrets and passwords.

China-Linked APT Targets Southeast Asian Militaries with AppleChris and MemFun Malware

Updated: · First: 13.03.2026 19:33 · 📰 1 src / 1 articles

A China-linked cyber espionage operation, tracked as CL-STA-1087, has targeted Southeast Asian military organizations since at least 2020. The campaign, characterized by strategic patience and precision intelligence collection, uses custom malware like AppleChris and MemFun to maintain persistent access and evade detection. The attackers focus on military capabilities, organizational structures, and collaborative efforts with Western forces. The malware employs advanced techniques such as DLL hijacking, process hollowing, and sandbox evasion to avoid detection. The campaign includes the use of Pastebin and Dropbox for command-and-control (C2) communication, with some variants using Pastebin as a fallback. The threat actors also utilize a custom version of Mimikatz, named Getpass, to extract credentials and escalate privileges.

Cyberattack on Poland's National Centre for Nuclear Research Thwarted

Updated: · First: 13.03.2026 19:11 · 📰 1 src / 1 articles

Poland's National Centre for Nuclear Research (NCBJ) reported a cyberattack on its IT infrastructure. The attack was detected and blocked by security systems before causing any impact. The MARIA reactor, used for scientific experiments and medical isotope production, was not affected. The attack has been attributed to potential Iranian involvement, though false flags are being considered. Poland's power grid was previously targeted by the Russian threat group APT44 in January 2026.

Meta to Discontinue Instagram End-to-End Encryption Support by May 2026

Updated: · First: 13.03.2026 19:09 · 📰 1 src / 1 articles

Meta has announced it will discontinue end-to-end encryption (E2EE) support for Instagram chats starting May 8, 2026. Users with affected chats will receive instructions to download media or messages they wish to retain. This decision follows Meta's initial rollout of E2EE for Instagram direct messages in 2021, which was later expanded to all adult users in Ukraine and Russia during the Russo-Ukrainian war. The move comes amid ongoing debates over encryption's impact on privacy and law enforcement capabilities. Meta's decision aligns with TikTok's recent stance against implementing E2EE, citing concerns over user safety, particularly for young people. Despite internal warnings in 2019 about the challenges E2EE poses for detecting illegal activities like CSAM and terrorist propaganda, Meta has proceeded with encryption plans for Facebook and Instagram.

Microsoft Investigates Multiple Issues in Classic Outlook

Updated: 13.03.2026 18:53 · First: 23.02.2026 21:40 · 📰 2 src / 3 articles

Microsoft is investigating multiple issues affecting the classic Outlook desktop email client, including a bug that causes the mouse pointer to disappear, making the app unusable. Additionally, Microsoft is addressing email synchronization and connection problems, such as "Can't connect to the server" errors when creating groups and sync issues with Gmail and Yahoo accounts. The company has acknowledged these problems and provided temporary workarounds while continuing their investigation.

Hypervisor Migration Risks and Data Protection Challenges

Updated: · First: 13.03.2026 16:15 · 📰 1 src / 1 articles

Broadcom's acquisition of VMware in 2023 has triggered widespread migrations to alternative hypervisors, introducing significant technical and operational risks. IT teams face challenges such as price hikes, licensing changes, and operational issues, including VMware Workstation auto-update failures. Gartner predicts VMware will lose 35% of its workloads by 2028, with migrations to platforms like Microsoft Hyper-V, Azure Stack HCI, Nutanix AHV, Proxmox VE, or KVM. These migrations are high-stakes, requiring careful planning to ensure data integrity and availability. The process of migrating hypervisors is technically risky due to incompatibilities in disk formats, hardware abstractions, driver stacks, and networking models. Backup and recovery are critical, with a need for full-image, application-consistent backups that can be restored to dissimilar hardware or virtualization platforms. IT teams must perform recovery drills before migration and maintain parallel protection during transitions. Key risks include underestimating downtime, backup and recovery gaps, and an expanding attack surface. Teams must plan for worst-case scenarios, validate backups, and protect backup images against ransomware. A unified cyber protection platform can simplify the migration process and reduce complexity.

Storm-2561 Distributes Fake Enterprise VPN Clients to Steal Credentials

Updated: 13.03.2026 15:38 · First: 13.03.2026 15:23 · 📰 2 src / 2 articles

Threat actor Storm-2561 is distributing fake enterprise VPN clients for Ivanti, Cisco, and Fortinet to steal VPN credentials. The attackers use SEO poisoning to redirect victims to spoofed sites mimicking legitimate VPN vendors. The fake VPN clients install a loader and the Hyrax infostealer, capturing and exfiltrating credentials while displaying a legitimate-looking login interface. The malware also steals VPN configuration data and creates persistence via the Windows RunOnce registry key. Microsoft researchers discovered the campaign involved domains related to multiple VPN vendors and provided IoCs and hunting guidance to mitigate the threat. The campaign was first documented by Cyjax in May 2025 and later by Zscaler in October 2025. Microsoft observed the activity in mid-January 2026 and has since taken down the attacker-controlled GitHub repositories and revoked the legitimate certificate to neutralize the operation.

Large-scale Africa-wide cybercrime crackdown arrests over 1,200 suspects

Updated: 13.03.2026 15:28 · First: 22.08.2025 13:08 · 📰 10 src / 14 articles

Operation Serengeti 2.0, an INTERPOL-led international operation, resulted in the arrest of 1,209 cybercriminals across Africa. The operation targeted cross-border cybercrime gangs involved in ransomware, online scams, and business email compromise (BEC). Conducted from June to August 2025, it involved law enforcement from 18 African countries and the UK. Authorities seized $97.4 million and dismantled 11,432 malicious infrastructures linked to attacks on 88,000 victims worldwide.

Following this, Operation Sentinel, conducted between October 27 and November 27, 2025, led to the arrest of 574 individuals and the recovery of $3 million linked to business email compromise, extortion, and ransomware incidents. The operation took down more than 6,000 malicious links and decrypted six distinct ransomware variants. The cybercrime cases investigated are connected to more than $21 million in financial losses.

Most recently, Operation Red Card 2.0, conducted between December 8, 2025, and January 30, 2026, resulted in the arrest of 651 suspects and the recovery of over $4.3 million. The operation targeted investment fraud, mobile money scams, and fake loan applications, identifying 1,247 victims and seizing 2,341 devices and 1,442 malicious websites, domains, and servers. It involved law enforcement agencies from 16 African countries: Angola, Benin, Cameroon, Côte d'Ivoire, Chad, Gabon, Gambia, Ghana, Kenya, Namibia, Nigeria, Rwanda, Senegal, Uganda, Zambia, and Zimbabwe.

The operations were supported by data from private sector partners, including Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, The Shadowserver Foundation, Team Cymru, Trend Micro, TRM Labs, and Uppsala Security. Cybercrime now accounts for 30% of all reported crime in Western and Eastern Africa and is increasing rapidly elsewhere on the continent. Interpol's 2025 Africa Cyberthreat Assessment Report noted that two-thirds of African member countries claim cyber-related offenses now account for a 'medium-to-high' (i.e., 10-30% or 30%+) share of all crimes. Interpol director of cybercrime, Neal Jetton, warned that the scale and sophistication of cyber-attacks across Africa are accelerating, especially against critical sectors like finance and energy.

Additionally, Operation Synergia III, conducted between July 2025 and January 2026, involved authorities from 72 countries. The operation resulted in 94 arrests and 110 suspects under investigation. Police in Togo arrested 10 suspects operating a fraud ring involving social media hacking, romance scams, and sextortion. Bangladeshi police arrested 40 suspects and seized 134 electronic devices related to loan scams, job scams, identity theft, and credit card fraud. Chinese investigators in Macau identified over 33,000 phishing and fraudulent websites impersonating casinos, banks, government sites, and payment services.

SocksEscort Proxy Network Disrupted by Law Enforcement

Updated: 13.03.2026 12:00 · First: 12.03.2026 18:19 · 📰 3 src / 3 articles

Law enforcement agencies in the U.S. and Europe, along with private partners, have disrupted the SocksEscort cybercrime proxy network. This network relied on edge devices compromised by the AVRecon malware for Linux. The disruption involved taking down multiple servers and domains, freezing cryptocurrency, and disconnecting infected devices. The network had been active for over a decade, offering access to 'clean' IP addresses from major ISPs and facilitating various fraudulent activities. The SocksEscort network had an average of 20,000 infected devices weekly and was used in several high-value fraud cases, including the theft of $1 million in cryptocurrency and losses of $700,000 from a Pennsylvania-based manufacturing business. The network offered access to about 369,000 different IP addresses in 163 countries since summer 2020, with the service listing nearly 8,000 infected routers as of February 2026. The compromised devices were infected through a vulnerability in the residential modems of a specific brand. International law enforcement partners executed Operation Lightning to dismantle the SocksEscort proxy service, which compromised over 360,000 routers and IoT devices in 163 countries since 2020. The operation involved seizing 34 domains and 23 servers in seven countries, freezing $3.5 million in cryptocurrency, and disconnecting all infected devices. The malware enabled various criminal activities, including ransomware, DDoS attacks, and the distribution of child sexual abuse material (CSAM). The payment platform for SocksEscort received almost $6 million from proxy service customers.

Google Chrome Zero-Day Exploits in Skia and V8 Engine

Updated: 13.03.2026 11:17 · First: 13.03.2026 08:56 · 📰 2 src / 2 articles

Google has released emergency updates for Chrome to patch two actively exploited zero-day vulnerabilities (CVE-2026-3909 and CVE-2026-3910). The first is an out-of-bounds write flaw in Skia, a 2D graphics library, which could lead to browser crashes or code execution. The second is an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine. Both vulnerabilities were discovered and patched within two days of reporting, affecting Windows, macOS, and Linux systems. The updates are rolling out to users, though it may take days or weeks to reach all users. Google has not disclosed further details about the attacks exploiting these vulnerabilities. Google has patched a total of three actively weaponized Chrome zero-days since the start of the year.

Starbucks Employee Data Breach via Compromised Partner Central Accounts

Updated: · First: 13.03.2026 10:16 · 📰 1 src / 1 articles

Starbucks disclosed a data breach affecting 889 employee accounts in its Partner Central system. The breach occurred between January 19 and February 11, 2026, after threat actors obtained login credentials through phishing websites impersonating Partner Central. The exposed data includes names, Social Security numbers, dates of birth, and financial account details. Starbucks has notified law enforcement and is offering affected employees two years of free identity theft protection and credit monitoring.

Veeam Patches Multiple Critical RCE Vulnerabilities in Backup & Replication

Updated: 13.03.2026 06:15 · First: 07.01.2026 12:41 · 📰 4 src / 7 articles

Veeam has released security updates to address multiple critical vulnerabilities in its Backup & Replication software, including seven new RCE flaws. The latest updates patch vulnerabilities (CVE-2026-21666, CVE-2026-21667, CVE-2026-21668, CVE-2026-21669, CVE-2026-21671, CVE-2026-21672, and CVE-2026-21708) that allow low-privileged domain users and Backup Viewers to execute remote code on vulnerable backup servers. Additionally, several high-severity bugs were addressed, which could be exploited to escalate privileges, extract SSH credentials, and manipulate files on Backup Repositories. All vulnerabilities affect earlier versions and have been fixed in versions 12.3.2.4465 and 13.0.1.2067. Veeam has warned admins to upgrade to the latest release promptly, as threat actors often develop exploits post-patch release. Ransomware gangs, including FIN7 and the Cuba ransomware gang, have targeted VBR servers to simplify data theft and block restoration efforts.