A new phishing kit called Starkiller has emerged, allowing attackers to bypass multi-factor authentication (MFA) by proxying legitimate login pages. The kit is distributed as a subscription-based service on the dark web, offering real-time session monitoring and keylogging capabilities. It mimics login pages of major services like Google, Microsoft, and banks, routing traffic through attacker-controlled infrastructure to steal credentials and authentication tokens. Starkiller uses Docker containers running headless Chrome instances to serve genuine page content, making it difficult for security vendors to detect or block. The toolkit is sold with updates and customer support, posing a significant escalation in phishing infrastructure. The service is part of a broader cybercrime offering by a threat group called Jinkusu, which provides additional features such as email harvesting and campaign analytics.

Advantest Corporation, a major supplier of automatic test equipment for the semiconductor industry, detected a ransomware attack on February 15, 2026. The company confirmed an IT network intrusion and activated incident response protocols. Preliminary findings suggest unauthorized access and ransomware deployment, but the extent of data exfiltration remains unclear. No ransomware group has claimed responsibility yet. Advantest employs 7,600 people, has an annual revenue of more than $5 billion, and a market capitalization of $120 billion. The company serves key chipmakers like Intel, Samsung, and TSMC. The attack follows recent ransomware incidents in the semiconductor sector and new Japanese government OT security guidelines for semiconductor factories.

BeyondTrust has patched a critical pre-authentication remote code execution (RCE) vulnerability (CVE-2026-1731, CVSS 9.9) in Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw could allow unauthenticated attackers to execute OS commands in the context of the site user, leading to unauthorized access, data exfiltration, and service disruption. The vulnerability affects RS versions 25.3.1 and prior, and PRA versions 24.3.4 and prior. Patches are available in RS versions 25.3.2 and later, and PRA versions 25.1.1 and later. Self-hosted customers must manually apply updates if not subscribed to automatic updates. The vulnerability was discovered on January 31, 2026, with approximately 11,000 exposed instances identified, including around 8,500 on-prem deployments. BeyondTrust secured all RS/PRA cloud systems by February 2, 2026. The flaw was discovered by Harsh Jaiswal and the Hacktron AI team. Threat actors can exploit the flaw through maliciously crafted client requests in low-complexity attacks that do not require user interaction. In June 2025, BeyondTrust fixed a high-severity RS/PRA Server-Side Template Injection vulnerability. Attackers have begun actively exploiting the CVE-2026-1731 vulnerability in the wild, abusing the get_portal_info endpoint to extract the x-ns-company value before establishing a WebSocket channel. A proof-of-concept exploit targeting the /get_portal_info endpoint was published on GitHub. Threat actors have been observed exploiting CVE-2026-1731 to conduct network reconnaissance, deploy web shells, establish command-and-control (C2) channels, install backdoors and remote management tools, perform lateral movement, and exfiltrate data. The attacks have targeted financial services, legal services, high technology, higher education, wholesale and retail, and healthcare sectors across the U.S., France, Germany, Australia, and Canada. The vulnerability enables attackers to inject and execute arbitrary shell commands via the affected 'thin-scc-wrapper' script through the WebSocket interface. Attackers have deployed multiple web shells, including a PHP backdoor and a bash dropper, to maintain persistent access. Malware such as VShell and Spark RAT have been deployed as part of the exploitation. Out-of-band application security testing (OAST) techniques have been used to validate successful code execution and fingerprint compromised systems. Sensitive data, including configuration files, internal system databases, and a full PostgreSQL dump, have been exfiltrated to an external server. CVE-2026-1731 and CVE-2024-12356 share a common issue with input validation within distinct execution pathways. CVE-2026-1731 could be a target for sophisticated threat actors, similar to CVE-2024-12356 which was exploited by China-nexus threat actors like Silk Typhoon. CISA has confirmed that CVE-2026-1731 has been exploited in ransomware campaigns. CISA added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) catalog on February 13 and gave federal agencies three days to apply the patch or stop using the product. Proof-of-concept (PoC) exploits for CVE-2026-1731 became available shortly after the initial disclosure, and exploitation was detected on January 31, making it a zero-day vulnerability for at least a week. CISA has activated the 'Known To Be Used in Ransomware Campaigns?' indicator in the KEV catalog for CVE-2026-1731. Customers of the cloud-based application (SaaS) had the patch applied automatically on February 2. Self-hosted instance customers need to either enable automatic updates or manually install the patch. For Remote Support, the recommended version is 25.3.2. For Privileged Remote Access, the recommended version is 25.1.1 or newer. Customers still using RS v21.3 and PRA v22.1 are recommended to upgrade to a newer version before applying the patch.

Pajemploi, a French social security service for parents and home-based childcare providers, reported a data breach on November 14, 2025, potentially exposing personal information of 1.2 million individuals. The breach affected registered professional caregivers working for private employers. The stolen data includes full names, places of birth, postal addresses, social security numbers, banking institution names, Pajemploi numbers, and accreditation numbers. The agency assured that bank account numbers, email addresses, phone numbers, and account passwords were not compromised. Pajemploi took immediate action to stop the attack and notified the French Data Protection Authority (CNIL) and the National Agency for the Security of Information Systems (ANSSI). In late January 2026, a cybersecurity incident impacted data associated with 1.2 million user accounts at the national bank account registry (FICOBA). Hackers gained access using stolen credentials from a civil servant, exfiltrating sensitive information including bank account details, account holder identity, physical address, and taxpayer identification number. The Ministry took immediate action to restrict access and is working to restore the system with enhanced security. Affected users will be notified individually, and banking institutions have been informed to raise awareness among customers. Numerous scam attempts are circulating, and users are advised to be vigilant.

The 'shift left' security strategy, which aims to integrate security earlier in the software development lifecycle (SDLC), has failed to deliver its promised benefits. Developers are overwhelmed with cognitive load, and businesses prioritize speed over security, leading to increased risks. A study by Qualys found that 7.3% of container images from public repositories were malicious, with 70% containing cryptomining software. The strategy has shifted the burden onto developers without adequate support, resulting in security being bypassed or ignored. To address these issues, experts recommend a 'shift down' approach, where security is embedded into the infrastructure layer, managed by specialized teams. This approach automates security checks and fixes, reducing the cognitive load on developers and making secure deployment the path of least resistance.

A malicious Microsoft Visual Studio Code (VS Code) extension named "ClawdBot Agent - AI Coding Assistant" was discovered on the official Extension Marketplace. The extension, which posed as a free AI coding assistant, stealthily dropped a malicious payload on compromised hosts. The extension was taken down by Microsoft after being reported by cybersecurity researchers. The malicious extension executed a binary named "Code.exe" that deployed a legitimate remote desktop program, granting attackers persistent remote access to compromised hosts. The extension also incorporated multiple fallback mechanisms to ensure payload delivery, including retrieving a DLL from Dropbox and using hard-coded URLs to obtain the payloads. Additionally, security researchers found hundreds of unauthenticated Moltbot instances online, exposing sensitive data and credentials. Moltbot, an open-source personal AI assistant, can run 24/7 locally, maintaining a persistent memory and executing scheduled tasks. However, insecure deployments can lead to sensitive data leaks, corporate data exposure, credential theft, and command execution. Hundreds of Clawdbot Control admin interfaces are exposed online due to reverse proxy misconfiguration, allowing unauthenticated access and root-level system access. More than 230 malicious packages for OpenClaw (formerly Moltbot and ClawdBot) have been published in less than a week on the tool's official registry and on GitHub. These malicious skills impersonate legitimate utilities and inject information-stealing malware payloads onto users' systems, targeting sensitive data like API keys, wallet private keys, SSH credentials, and browser passwords. Users are advised to audit their configurations, revoke connected service integrations, and implement network controls to mitigate potential risks. A self-styled social networking platform built for AI agents, Moltbook, contained a misconfigured database that allowed full read and write access to all data. The exposure was due to a Supabase API key exposed in client-side JavaScript, granting unauthenticated access to the entire production database. Researchers accessed 1.5 million API authentication tokens, 30,000 email addresses, and thousands of private messages between agents. The API key exposure allowed attackers to impersonate any agent on the platform, post content, send messages, and interact as that agent. Unauthenticated users could edit existing posts, inject malicious content or prompt injection payloads, and deface the site. SecurityScorecard found 40,214 exposed OpenClaw instances associated with 28,663 unique IP addresses. 63% of observed deployments are vulnerable, with 12,812 instances exploitable via remote code execution (RCE) attacks. SecurityScorecard correlated 549 instances with prior breach activity and 1493 with known vulnerabilities. Three high-severity CVEs in OpenClaw have been discovered, with public exploit code available. OpenClaw instances are at risk of indirect prompt injection and API key leaks, with most exposures located in China, the US, and Singapore. A supply chain attack via the Cline npm package version 2.3.0 installed OpenClaw on users' systems, exploiting a prompt injection vulnerability in Cline's Claude Issue Triage workflow. The compromised Cline package was downloaded approximately 4,000 times over an eight-hour stretch. OpenClaw has broad permissions and full disk access, making it a high-value implant for attackers. Cline released version 2.4.0 to address the issue and revoked the compromised token. The attack affected all users who installed the Cline CLI package version 2.3.0 during an eight-hour window on February 17, 2026. The attack did not impact Cline's Visual Studio Code (VS Code) extension and JetBrains plugin. Cline maintainers released version 2.4.0 to mitigate the unauthorized publication and revoked the compromised token. Microsoft Threat Intelligence observed a small but noticeable uptick in OpenClaw installations on February 17, 2026, due to the supply chain compromise. Users are advised to update to the latest version, check their environment for any unexpected installation of OpenClaw, and remove it if not required.

A software error in PayPal's Working Capital loan application exposed sensitive personal information of users, including Social Security numbers, for nearly six months in 2025. The breach was discovered on December 12, 2025, and PayPal reversed the code change the following day. Affected users are offered credit monitoring and identity restoration services, and some experienced unauthorized transactions.

The frequency and power of Distributed Denial-of-Service (DDoS) attacks have escalated dramatically in 2025, with a 168% increase compared to 2024. The average Radware customer faced over 25,351 attempted DDoS attacks, equivalent to 139 incidents per day. The technology, telecommunications, and financial services sectors were the most targeted. Attacks have become faster, stronger, and harder to stop, with high-impact web DDoS attacks lasting less than 60 seconds. Hacktivism remains the primary driver behind these campaigns, coordinated through Telegram channels. The most targeted countries were Israel, the US, and Ukraine, with pro-Russian groups responsible for the highest number of campaigns.

A sophisticated ClickFix campaign abuses compromised legitimate websites to deliver MIMICRAT (AstarionRAT), a custom C++ remote access trojan (RAT). The campaign uses a multi-stage PowerShell chain to bypass security mechanisms and deploy the RAT, which supports Windows token impersonation, SOCKS5 tunneling, and 22 post-exploitation commands. The campaign targets victims across multiple geographies and languages, with suspected goals of ransomware deployment or data exfiltration.

The University of Mississippi Medical Center (UMMC) closed all its clinics statewide after a ransomware attack disrupted IT systems and blocked access to electronic medical records. The attack affected outpatient services, but hospital operations continue using downtime procedures. UMMC is investigating with assistance from CISA and the FBI. The attackers have communicated with UMMC, but no ransomware group has claimed responsibility. UMMC has shut down all network systems for risk assessment, and the impact on patient data remains uncertain.

PromptSpy, an advanced Android malware, uses Google's Gemini AI to maintain persistence by pinning itself in the recent apps list. The malware captures lockscreen data, blocks uninstallation, gathers device information, takes screenshots, and records screen activity. It communicates with a hard-coded C2 server and is distributed via a dedicated website targeting users in Argentina. PromptSpy is the first known Android malware to use generative AI in its execution flow, sending screen data to Gemini to receive instructions for maintaining persistence. The malware is an advanced version of VNCSpy and is likely financially motivated. Researchers have discovered that PromptSpy was first found in February 2026, with initial samples uploaded to VirusTotal from Hong Kong and Argentina. ESET has not observed the malware in its telemetry, suggesting it may be a proof-of-concept. ESET attributed PromptSpy to Chinese developers with medium confidence, but has not linked it to any known threat actor. PromptSpy deploys a VNC module on compromised systems, enabling operators to view the victim’s screen and take full control of the Android device. The malware saves both its previous prompts and Gemini’s responses, allowing Gemini to understand context and coordinate multistep interactions.

In 2026, cyber insurance underwriting increasingly focuses on identity posture, driven by the rising prevalence of credential compromise in cyber-attacks. Insurers and regulators prioritize factors like password hygiene, privileged access management, and multi-factor authentication (MFA) coverage to assess cyber risk and determine insurance costs. Organizations must demonstrate strong identity controls to secure favorable terms, as credential compromise remains a critical attack vector.

The US has charged 87 individuals in a conspiracy involving ATM jackpotting fraud, linked to the Venezuelan crime syndicate Tren de Aragua. The defendants allegedly used Ploutus malware to hack ATMs, causing $40.73 million in losses by August 2025. The conspiracy involved surveillance, malware deployment, and money laundering to fund further criminal activities. In July 2025, the U.S. government sanctioned key members of Tren de Aragua, including Hector Rusthenford Guerrero Flores, for their involvement in various criminal activities. Two Venezuelan nationals, Luz Granados and Johan Gonzalez-Jimenez, were convicted of stealing hundreds of thousands of dollars from U.S. banks using ATM jackpotting and will be deported after serving their sentences. The FBI reported 1,900 ATM jackpotting incidents since 2020, with 700 occurring in 2025, and losses of more than $20 million in 2025 due to these incidents.

North Korean state actors have been using fake or stolen identities to secure IT jobs in various companies, particularly in the blockchain and technology sectors. These actors have stolen virtual currency and funneled money to North Korea's weapons program. The practice has escalated with the rise of remote work and AI, enabling fraudsters to impersonate employees and gain privileged access to company networks. Labyrinth Chollima, a prolific North Korean-linked cyber threat group, has recently evolved into three distinct hacking groups: Labyrinth Chollima, Golden Chollima, and Pressure Chollima. Labyrinth Chollima continues to focus on cyber espionage, targeting industrial, logistics, and defense companies, while Golden Chollima and Pressure Chollima have shifted towards targeting cryptocurrency entities. Each group uses distinct toolsets in their malware campaigns, all evolutions of the same malware framework used by Labyrinth Chollima in the 2000s and 2010s. A joint investigation led by Mauro Eldritch, founder of BCA LTD, conducted together with threat-intel initiative NorthScan and ANY.RUN, uncovered a network of remote IT workers tied to Lazarus Group's Famous Chollima division. Researchers captured live activity of Lazarus operators on what they believed were real developer laptops, which were actually fully controlled, long-running sandbox environments created by ANY.RUN. Thousands of North Korean IT workers have infiltrated the job market over the past two years, exploiting vulnerabilities in hiring processes and remote work environments. Over 320 cases of North Korean operatives infiltrating companies by posing as remote IT workers were identified in August 2025. The Justice Department has shut down several laptop farms used by these actors, but the problem persists, with security experts warning of significant security risks and financial losses for affected companies. The U.S. Treasury's Office of Foreign Assets Control (OFAC) has recently sanctioned two individuals and two entities for their role in these schemes, identifying financial transfers worth nearly $600,000 and over $1 million in profits generated since 2021. Japan, South Korea, and the United States are collaborating to combat North Korean IT worker schemes. The three countries held a joint forum on August 26, 2025, in Tokyo to improve collaboration, with both Japan and South Korea issuing updated advisories on the threat. The United States sanctioned four entities for their roles in the IT worker fraud schemes, accusing them of working to help the Democratic People's Republic of Korea (DPRK) to generate revenue. Recently, five U.S. citizens pleaded guilty to assisting North Korea's illicit revenue generation schemes by enabling IT worker fraud. The scheme impacted more than 136 U.S. victim companies, generated more than $2.2 million in revenue for the DPRK regime, and compromised the identities of more than 18 U.S. persons. The US government has seized $15m worth of gains in Tether (USDT) from APT38 actors, seeking to return the funds to their rightful owners. North Korean IT recruiters target and lure developers into renting their identities for illicit fundraising. Famous Chollima, part of North Korea’s state-sponsored Lazarus group, uses deep fake videos and avoids appearing on camera during interviews. Legitimate engineers are recruited to act as figureheads in DPRK agents’ operations to secure remote jobs at targeted companies. Compromised engineers receive a percentage of the salary, between 20% and 35%, for the duration of the contract. DPRK agents use compromised engineers' computers as proxies for malicious activities to hide their location and traces. North Korean recruiters use AI-powered tools like AIApply, Simplify Copilot, Final Round AI, and Saved Prompts to autofill job applications and create resumes. The threat actor used Astrill VPN, a popular service among North Korean fake IT workers, for remote connections. The Famous Chollima team involved in this operation consisted of six members, who used the names Mateo, Julián, Aaron, Jesús, Sebastián, and Alfredo. The DPRK IT worker scheme is also tracked as Jasper Sleet, PurpleDelta, and Wagemole. The scheme aims to generate revenue, conduct espionage, and in some cases, demand ransoms. DPRK IT workers transfer cryptocurrency through various money laundering techniques, including chain-hopping and token swapping. Norwegian businesses have been impacted by IT worker schemes, with salaries likely funding North Korea's weapons and nuclear programs. A campaign dubbed Contagious Interview uses fake hiring flows to lure targets into executing malicious code. The campaign employs EtherHiding, a technique using blockchain smart contracts to host and retrieve command-and-control infrastructure. New variants of the Contagious Interview campaign use malicious Microsoft VS Code task files to execute JavaScript malware. The Koalemos RAT campaign involves malicious npm packages to deploy a modular JavaScript remote access trojan (RAT) framework. Oleksandr Didenko, a 39-year-old Ukrainian national, was sentenced to five years in prison for providing North Korean IT workers with stolen identities to infiltrate U.S. companies. Didenko pleaded guilty to aggravated identity theft and wire fraud conspiracy in November 2025 and was arrested in Poland in May 2024. Didenko provided North Korean remote workers with at least 871 proxy identities and proxy accounts on three freelance IT hiring platforms. Didenko facilitated the operation of at least eight 'laptop farms' in Virginia, Tennessee, California, Florida, Ecuador, Poland, and Ukraine. Christina Marie Chapman, a 50-year-old woman from Arizona, was sentenced to 102 months in prison for running a 'laptop farm' from her home between October 2020 and October 2023.

Linwei Ding, a former Google engineer, has been convicted of stealing over 2,000 confidential documents containing AI-related trade secrets to benefit China. The theft occurred between May 2022 and April 2023, involving sensitive information about Google's supercomputing infrastructure, AI models, and custom hardware. Ding was found guilty on seven counts of economic espionage and seven counts of theft of trade secrets. Additionally, three former Google engineers and one of their husbands have been indicted in the U.S. for allegedly committing trade secret theft from Google and other tech firms and transferring the information to unauthorized locations, including Iran. The stolen data included details about Google's Tensor Processing Unit chips, Cluster Management System software, and other proprietary technologies. Ding used deceitful methods to cover up the theft, including transferring data to his personal Google Cloud account and using an accomplice to fake his presence at work. He also applied to a Shanghai-based talent program sponsored by Beijing, aiming to enhance China's AI capabilities. Ding was originally indicted in March 2024 after lying and not cooperating with Google's internal investigation. He was secretly affiliated with two China-based technology companies and negotiated a role as CTO at one of them. Ding founded his own AI company in China (Shanghai Zhisuan Technology Co.) and served as its CEO, intending to benefit entities controlled by the government of China. Ding faces a maximum sentence of 10 years for each theft count and 15 years for each espionage count.

Abu Dhabi Finance Week (ADFW) organizers inadvertently exposed passport details and other identity information of approximately 700 attendees, including former British Prime Minister David Cameron and former White House communications director Anthony Scaramucci. The data was found unprotected on a cloud storage system associated with ADFW, accessible via off-the-shelf scanning software. The leak included passports, ID cards, and thousands of other documents, potentially exposed for at least two months. ADFW secured the server after being notified by the Financial Times, which reported the incident. The exposure poses reputational risks for Abu Dhabi as it seeks to establish itself as a global financial center.

Operation Serengeti 2.0, an INTERPOL-led international operation, resulted in the arrest of 1,209 cybercriminals across Africa. The operation targeted cross-border cybercrime gangs involved in ransomware, online scams, and business email compromise (BEC). The operation, conducted from June to August 2025, involved law enforcement from 18 African countries and the UK. Authorities seized $97.4 million and dismantled 11,432 malicious infrastructures linked to attacks on 88,000 victims worldwide. Following this, Operation Sentinel, conducted between October 27 and November 27, 2025, led to the arrest of 574 individuals and the recovery of $3 million linked to business email compromise, extortion, and ransomware incidents. The operation took down more than 6,000 malicious links and decrypted six distinct ransomware variants. The cybercrime cases investigated are connected to more than $21 million in financial losses. Most recently, Operation Red Card 2.0, conducted between December 8, 2025, and January 30, 2026, resulted in the arrest of 651 suspects and the recovery of over $4.3 million. The operation targeted investment fraud, mobile money scams, and fake loan applications, identifying 1,247 victims and seizing 2,341 devices and 1,442 malicious websites, domains, and servers. The operation involved law enforcement agencies from 16 African countries: Angola, Benin, Cameroon, Côte d'Ivoire, Chad, Gabon, Gambia, Ghana, Kenya, Namibia, Nigeria, Rwanda, Senegal, Uganda, Zambia, and Zimbabwe. The operations were supported by data from private sector partners, including Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, The Shadowserver Foundation, Team Cymru, Trend Micro, TRM Labs, and Uppsala Security. Cybercrime now accounts for 30% of all reported crime in Western and Eastern Africa and is increasing rapidly elsewhere on the continent. Interpol's 2025 Africa Cyberthreat Assessment Report noted that two-thirds of African member countries claim cyber-related offenses now account for a 'medium-to-high' (i.e., 10-30% or 30%+) share of all crimes. Interpol director of cybercrime, Neal Jetton, warned that the scale and sophistication of cyber-attacks across Africa are accelerating, especially against critical sectors like finance and energy.

Microsoft has patched a high-severity privilege escalation vulnerability (CVE-2026-26119) in Windows Admin Center, a browser-based management tool. The flaw, with a CVSS score of 8.8, could allow authenticated attackers to escalate privileges over a network. The vulnerability was discovered by Semperis researcher Andrea Pierini and was addressed in version 2511 released in December 2025. While not confirmed to be exploited in the wild, it has been assessed as 'Exploitation More Likely'.

A critical vulnerability (CVE-2026-2329) in Grandstream GXP1600 series VoIP phones allows unauthenticated remote code execution (RCE) with root privileges. The flaw, a stack-based buffer overflow, stems from the device's web-based API service. The vulnerability affects multiple GXP1600 models and has been addressed in firmware version 1.0.7.81. Exploiting this flaw could enable attackers to extract stored credentials, intercept phone calls, and eavesdrop on VoIP conversations. The issue was discovered by Rapid7 researcher Stephen Fewer and demonstrated via a Metasploit exploit module. The exploitation process involves writing multiple null bytes to construct a return-oriented programming (ROP) chain, allowing attackers to silently eavesdrop on communications.

In 2025, Google blocked over 1.75 million app submissions to the Google Play Store due to policy violations and rejected 255,000 apps from accessing sensitive user data. The company implemented over 10,000 safety checks and integrated AI models to enhance detection capabilities. Additionally, Google banned 80,000 bad developer accounts and blocked 160 million spam ratings to protect user perception. Play Protect identified 27 million malicious sideloaded apps and blocked 266 million installation attempts from risky apps. The Play Integrity API now processes over 20 billion checks daily, and Android 16 introduced protections against tapjacking attacks.

A new variant of Remcos RAT has been observed with expanded real-time surveillance capabilities and improved evasion techniques. This version establishes direct online communication with attacker-controlled servers, enabling immediate monitoring and data theft. The malware now streams webcam footage in real time and transmits captured keystrokes instantly, reducing forensic traces on infected Windows systems. Researchers from Point Wild's Lat61 Threat Intelligence team detailed the changes, noting the malware's use of dynamic API loading and runtime decryption to avoid detection.

A Chinese APT group, identified as UNC6201, has been exploiting a critical zero-day vulnerability (CVE-2026-22769) in Dell's RecoverPoint for Virtual Machines since mid-2024. The flaw, a hardcoded credential bug with a CVSS score of 10.0, allows unauthenticated attackers to gain root-level access and maintain persistence. The group has used this vulnerability to deploy malware, including Slaystyle, Brickstorm, and a new backdoor called Grimbolt. Mandiant has also observed novel tactics such as creating ghost NICs and using iptables for single packet authorization (SPA). CISA has ordered federal agencies to patch the vulnerability within three days, highlighting its active exploitation and significant risk to federal systems.

GoldFactory, a financially motivated cybercrime group, has been targeting mobile users in Indonesia, Thailand, and Vietnam since October 2024. The group distributes modified banking applications that act as conduits for Android malware, leading to over 11,000 infections. The malware impersonates government services and trusted local brands to trick victims into installing the malicious apps, which then abuse Android's accessibility services for remote control and data theft. In July 2025, GoldFactory launched a sophisticated fraud campaign targeting Indonesia's Coretax tax platform, intensifying in January 2026. This campaign impersonated Coretax to trick users into installing malicious mobile applications, resulting in an estimated $1.5m to $2m in financial impact. The operation involved phishing websites, WhatsApp impersonation, and vishing calls to direct victims to download fraudulent APK files, deploying multiple malware families including Gigabud.RAT and MMRat.

Infostealers are increasingly targeting both personal and corporate users, harvesting credentials, session data, and user activity. Researchers analyzed 90,000 leaked infostealer dumps containing over 800 million rows of data, revealing how attackers associate technical data with real users, organizations, and behavioral patterns. This convergence collapses the boundary between personal and professional identities, escalating enterprise-level risks. The datasets included credentials, browser cookies, browsing history, and system-level files, enabling attackers to identify individuals, their employers, and roles within organizations. This data is used for targeted phishing, social engineering, and extortion, with significant implications for both personal and corporate security.

The OpenSSL project has addressed a critical stack buffer overflow flaw (CVE-2025-15467) that could lead to remote code execution (RCE) under specific conditions. This vulnerability resides in the processing of Cryptographic Message Syntax (CMS) data with maliciously crafted AEAD parameters. The flaw is part of a broader set of 12 vulnerabilities disclosed by AISLE, including another high-severity issue (CVE-2025-11187) that could trigger a stack-based buffer overflow due to missing validation. The OpenSSL team has released patches to mitigate these vulnerabilities, urging users to update their systems to prevent potential exploitation. This development highlights the ongoing need for vigilance in securing cryptographic libraries, which are fundamental to many digital security protocols.

Matthew Abiodun Akande, a 37-year-old Nigerian national, was sentenced to eight years in prison for hacking multiple tax preparation firms in Massachusetts. He stole clients' personal information to file over 1,000 fraudulent tax returns, seeking $8.1 million in refunds and successfully obtaining $1.3 million between June 2016 and June 2021. Akande used Warzone RAT malware and phishing emails to gain access to the firms' systems. Akande was arrested in October 2024 at London's Heathrow Airport and extradited to the United States in March 2025. He was indicted by a federal grand jury in July 2022 while living in Mexico.

In 2025, the number of industrial control system (ICS) security advisories exceeded 500 for the first time, with a significant increase in the severity of vulnerabilities. The total number of CVEs published reached 2155 across 508 advisories, up from 103 CVEs in 67 advisories in 2011. The average CVSS score of advisories also climbed to above 8.0 in 2024 and 2025, indicating more severe vulnerabilities. The most affected asset types included Purdue Level 1 devices, Level 3 operation systems, Level 2 control systems, and industrial network infrastructure. Critical manufacturing and energy sectors were the most impacted, with transportation and healthcare also experiencing notable increases in vulnerabilities.

The U.S. government is considering a ban on the sale of TP-Link networking devices due to national security concerns over the company's ties to China. TP-Link denies these allegations, maintaining it operates independently and manufactures its products in Vietnam. Texas has sued TP-Link for deceptive marketing and allowing Chinese state-backed hackers to exploit firmware vulnerabilities. The ban is supported by multiple federal agencies and follows reports of Chinese state-sponsored hacking groups exploiting vulnerabilities in TP-Link routers. The proposed ban highlights broader issues with the security of consumer-grade routers, which often ship with outdated firmware and default settings that can be easily compromised.

A surge in phishing campaigns exploiting Microsoft’s OAuth device code authorization flow has been observed, targeting Microsoft 365 accounts. Both state-aligned and financially motivated actors are using social engineering to trick users into approving malicious applications, leading to account takeover and data theft. The attacks leverage the OAuth 2.0 device authorization grant, a legitimate process designed for devices with limited input capabilities. Once victims enter a device code generated by an attacker-controlled application, the threat actor receives a valid access token, granting control over the compromised account. The campaigns use QR codes, embedded buttons, and hyperlinked text to initiate the attack chain, often claiming to involve document sharing, token reauthorization, or security verification. The growth of these campaigns is linked to readily available phishing tools like SquarePhish2 and Graphish, which simplify device code abuse and require limited technical skill. Proofpoint observed financially motivated actor TA2723 and Russia-linked group UNK_AcademicFlare adopting this technique, targeting various sectors in the US and Europe. The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare. The attacks involve using compromised email addresses belonging to government and military organizations to strike entities within government, think tanks, higher education, and transportation sectors in the U.S. and Europe. The adversary claims to share a link to a document that includes questions or topics for the email recipient to review before the meeting. The URL points to a Cloudflare Worker URL that mimics the compromised sender's Microsoft OneDrive account and instructs the victim to copy the provided code and click 'Next' to access the supposed document. Device code phishing was documented in detail by both Microsoft and Volexity in February 2025, attributing the use of the attack method to Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307. The October 2025 campaign is assessed to have been fueled by the ready availability of crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish. To counter the risk posed by device code phishing, the best option is to create a Conditional Access policy using the Authentication Flows condition to block device code flow for all users. If that's not feasible, it's advised to use a policy that uses an allow-list approach to allow device code authentication for approved users, operating systems, or IP ranges. Threat actors are now targeting technology, manufacturing, and financial organizations in campaigns that combine device code phishing and voice phishing (vishing) to abuse the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts. Unlike previous attacks that utilized malicious OAuth applications to compromise accounts, these campaigns instead leverage legitimate Microsoft OAuth client IDs and the device authorization flow to trick victims into authenticating. This provides attackers with valid authentication tokens that can be used to access the victim's account without relying on regular phishing sites that steal passwords or intercept multi-factor authentication codes.

AI-powered adversarial systems are significantly reducing the time between exposure and exploitation, leveraging machine speed and scale to identify and exploit vulnerabilities faster than traditional security teams can respond. This acceleration is driven by AI's ability to automate reconnaissance, simulate attack sequences, and prioritize exploitable vulnerabilities. Additionally, AI adoption introduces new attack surfaces, including model context protocol vulnerabilities and supply chain hallucinations.