
Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

News Summary

Last updated: 19:15 27/02/2026 UTC
  • ScarCruft (APT37) Expands Tactics with Ruby Jumper Campaign Targeting Air-Gapped Networks The ScarCruft (APT37) Ruby Jumper campaign, first discovered in December 2025 and detailed in February 2026, represents a significant expansion of tactics to breach air-gapped networks and abuse legitimate cloud services for command-and-control (C2). The campaign deploys a multi-stage infection chain beginning with a malicious LNK file that drops a decoy document (e.g., an article on the Palestine-Israel conflict translated into Arabic), an executable payload (RESTLEAF), a PowerShell script, and a batch file. RESTLEAF leverages Zoho WorkDrive for C2—the first known instance of ScarCruft using this service—to fetch shellcode, which then deploys SNAKEDROPPER. This implant installs a Ruby runtime, establishes persistence, and drops THUMBSBD and VIRUSTASK, both designed to weaponize removable media (USB drives) for lateral movement into air-gapped systems. THUMBSBD supports keylogging, audio/video surveillance, and file exfiltration, while VIRUSTASK focuses on initial access propagation via USB drives. The campaign also delivers FOOTWINE, a newly documented reconnaissance tool that harvests documents and monitors removable drive activity, and BLUELIGHT, a backdoor that adapts its C2 mode based on network connectivity (direct cloud communication or USB-based staging). This follows earlier ScarCruft operations, including ransomware attacks (July 2025), Operation HanKook Phantom (September 2025), and the Contagious Interview campaign (February 2026), which targeted developers via malicious repositories and job-themed lures. The Ruby Jumper campaign underscores ScarCruft’s expanded focus on air-gapped infiltration, combining cloud abuse with physical media exploitation to evade network isolation and achieve persistent surveillance with minimal forensic traces. Zscaler ThreatLabz confirmed the use of six distinct tools in this campaign, five of which were previously undocumented. 
  • Visibility Gaps in Patch Management and Vulnerability Remediation Organizations face significant challenges in patch management due to visibility gaps and lack of centralized control, particularly with third-party software. These gaps lead to unpatched vulnerabilities, compliance drift, and increased risk exposure. Modern solutions like Action1 aim to streamline detection, prioritization, and oversight of patch management processes, including third-party applications. Effective vulnerability management requires knowing what needs attention, acting quickly with proper tools, and confirming success. Centralized visibility and control are crucial for maintaining shorter remediation timelines, reducing repeat vulnerabilities, and demonstrating stronger audit readiness. Action1 offers a cloud-native platform that connects all endpoints, identifies missing updates, and provides granular control over patch deployment. It incorporates intelligence for prioritization and ensures visibility and accountability through detailed reporting and compliance dashboards.
  • Trend Micro Apex One Management Console 0-Day Exploited Trend Micro has disclosed and patched two critical vulnerabilities, CVE-2025-71210 and CVE-2025-71211, in its on-premise Apex One Management Console. These vulnerabilities allow for remote code execution (RCE) on vulnerable Windows systems. Trend Micro has released Critical Patch Build 14136 to address these vulnerabilities, which also fixes two high-severity privilege escalation flaws in the Windows agent and four more affecting the macOS agent. The vulnerabilities are due to path traversal weaknesses in the management console and require attackers to have access to it. Previously, Trend Micro disclosed two other critical vulnerabilities, CVE-2025-54948 and CVE-2025-54987, which were actively exploited in the wild. These vulnerabilities allowed for command injection and remote code execution. Trend Micro has released temporary mitigations and is urging users to apply them immediately to protect against potential attacks.
  • Ransomware Payment Rate Declines Amid Rising Attacks The percentage of ransomware victims paying threat actors dropped to 28% in 2025, the lowest recorded, despite a 50% increase in attacks. Total on-chain payments reached $820 million, with projections exceeding $900 million. Factors like improved incident response, regulatory scrutiny, and law enforcement actions contributed to the decline. The median ransom payment surged by 368%, indicating larger payouts from fewer victims. The number of active extortion groups rose to 85, with notable attacks on Jaguar Land Rover, Marks & Spencer, and DaVita Inc. The U.S. remained the most targeted country. The ransomware payment rate has been declining for four consecutive years, and the average price for network access declined from $1,427 in Q1 2023 to $439 in Q1 2026.
  • Microsoft Rolls Out Windows Backup for Organizations Microsoft has expanded the Windows Backup for Organizations feature to support more enterprise devices. The first sign-in restore experience now allows users to restore settings and Microsoft Store apps on first login to a new or reimaged Windows 11 device, extending support to hybrid-managed environments, multi-user device setups, and Windows 365 Cloud PCs. Originally announced in October 2025, Windows Backup for Organizations is designed to simplify backups and facilitate the transition to Windows 11. The feature is available for Entra-joined devices after installing the September 2025 Windows Monthly Cumulative Update. It backs up Windows settings, preferences, and Microsoft Store-installed apps on Windows 10 and Windows 11 systems, and restores them on Windows 11 PCs during device setup. Data is stored in the Exchange Online cloud, with encryption and strict access controls. The feature must be enabled by IT administrators via backup and restore policy settings.
  • ManoMano Data Breach Affects 38 Million Customers via Third-Party Service Provider ManoMano, a European DIY e-commerce platform, disclosed a data breach impacting 38 million customers. The breach occurred in January 2026 due to unauthorized access to a third-party customer service provider. Exposed data includes full names, email addresses, phone numbers, and customer service communications. The stolen data includes information associated with 37.8 million ManoMano user accounts, over 900,000 service tickets, and over 13,000 attachments, pertaining to users across France, Germany, Italy, Spain, and the United Kingdom. No account passwords were compromised. The company has taken steps to secure its environment and notified relevant authorities and affected customers. The breach was claimed by an individual using the alias 'Indra' on a hacker forum, alleging the theft of 37.8 million user accounts and thousands of support tickets. The compromised service provider is reportedly a Tunis-based customer support firm that suffered a Zendesk breach.
  • Global Law Enforcement Disrupts 'The Com' Cybercrime Collective A coordinated international operation, Project Compass, has arrested 30 members of 'The Com,' a cybercrime group linked to ransomware attacks, extortion, violent activities, and the production of child sexual exploitation material (CSAM). The group, primarily composed of young individuals, has targeted high-profile entities and engaged in phishing, vishing, and SIM swapping. Project Compass, led by Europol's European Counter Terrorism Centre, involves multiple countries and aims to disrupt the group's operations and safeguard victims. The Com has been connected to Russian cybercriminal gangs and has expanded its activities to include physical violence, extremist links, and the exploitation of minors.
Last updated: 17:00 27/02/2026 UTC
  • US Charges 87 in ATM Jackpotting Conspiracy Linked to Venezuelan Crime Syndicate The US has charged 87 individuals in a conspiracy involving ATM jackpotting fraud, linked to the Venezuelan crime syndicate Tren de Aragua. The defendants allegedly used Ploutus malware to hack ATMs, causing $40.73 million in losses by August 2025. The conspiracy involved surveillance, malware deployment, and money laundering to fund further criminal activities. In July 2025, the U.S. government sanctioned key members of Tren de Aragua, including Hector Rusthenford Guerrero Flores, for their involvement in various criminal activities. Two Venezuelan nationals, Luz Granados and Johan Gonzalez-Jimenez, were convicted of stealing hundreds of thousands of dollars from U.S. banks using ATM jackpotting and will be deported after serving their sentences. The FBI reported 1,900 ATM jackpotting incidents since 2020, with 700 occurring in 2025, and losses of more than $20 million in 2025 due to these incidents. Threat actors exploit the eXtensions for Financial Services (XFS) API to bypass bank authorization and control ATMs. Ploutus malware interacts directly with ATM hardware, bypassing the original ATM software's security. The FBI recommends physical security measures, hardware security, logging, auditing, IP whitelisting, endpoint detection and response, threat intelligence sharing, and updated security awareness training to mitigate jackpotting risks.
  • Starkiller Phishing Kit Bypasses MFA via Proxy-Based Attacks A new phishing kit called Starkiller has emerged, allowing attackers to bypass multi-factor authentication (MFA) by proxying legitimate login pages. The kit is distributed as a subscription-based service on the dark web, offering real-time session monitoring and keylogging capabilities. It mimics login pages of major services like Google, Microsoft, and banks, routing traffic through attacker-controlled infrastructure to steal credentials and authentication tokens. Starkiller uses Docker containers running headless Chrome instances to serve genuine page content, making it difficult for security vendors to detect or block. The toolkit is sold with updates and customer support, posing a significant escalation in phishing infrastructure. The service is part of a broader cybercrime offering by a threat group called Jinkusu, which provides additional features such as email harvesting and campaign analytics.
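A reverse-proxy kit of the kind described above relays the genuine login page, so password and one-time code both pass straight through it. What it cannot relay is a WebAuthn assertion, because the browser signs for the origin it is actually on (the proxy's hostname) and the relying party checks that origin and the RP ID hash. The following is an added example written for this page, not Starkiller code or any vendor's detection logic: a relying-party check of `clientDataJSON` and `authenticatorData` that rejects the proxied case. `RP_ID`, `EXPECTED_ORIGIN` and the two fixtures are constructed; signature verification against the stored public key, which would follow these checks, is omitted.

```python
"""Relying-party WebAuthn assertion checks that an AitM proxy cannot satisfy.

Added example, not Starkiller code. RP_ID / EXPECTED_ORIGIN are assumed, and
the clientDataJSON and authenticatorData bytes are constructed fixtures.
"""
import base64
import hashlib
import json
import secrets

RP_ID = "login.example.com"                 # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"
FLAG_UP, FLAG_UV = 0x01, 0x04               # user present / user verified bits


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: bytes, require_uv: bool = True) -> list:
    """Return the failed checks (an empty list means the assertion passes)."""
    problems = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        problems.append("type")
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        problems.append("challenge")
    if cd.get("origin") != EXPECTED_ORIGIN:   # proxy hostname fails here
        problems.append(f"origin {cd.get('origin')!r}")
    if len(authenticator_data) < 37:          # rpIdHash(32) flags(1) signCount(4)
        return problems + ["authenticatorData too short"]
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("rpIdHash")
    if not flags & FLAG_UP:
        problems.append("user presence")
    if require_uv and not flags & FLAG_UV:
        problems.append("user verification")
    return problems


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON as a browser produces it for `origin`."""
    chal = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": chal,
                       "origin": origin}).encode()


def make_auth_data(rp_id: str, flags: int = FLAG_UP | FLAG_UV) -> bytes:
    """Constructed authenticatorData: rpIdHash || flags || signCount."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + (0).to_bytes(4, "big"))


def demo() -> dict:
    challenge = secrets.token_bytes(32)
    genuine = check_assertion(make_client_data(EXPECTED_ORIGIN, challenge),
                              make_auth_data(RP_ID), challenge)
    # The victim signed while on the proxy's hostname: the browser only lets a
    # page use an RP ID that is a suffix of its own origin, so both differ.
    phished = check_assertion(make_client_data("https://login-example.com", challenge),
                              make_auth_data("login-example.com"), challenge)
    return {"genuine": genuine, "phished": phished}
```

The proxied assertion fails on two independent checks (origin and rpIdHash), and in practice would never be produced at all, since the authenticator holds no credential for the proxy's RP ID. TOTP and push approvals have no such origin binding, which is why the kit works against them.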
  • SonicWall MySonicWall Breach Exposes Firewall Configuration Files Marquis Software Solutions has filed a lawsuit against SonicWall, alleging gross negligence and misrepresentation in the handling of its MySonicWall cloud backup breach, which directly enabled a ransomware attack disrupting 780,000+ individuals across 700+ U.S. banks and credit unions in August 2025. The lawsuit reveals that SonicWall introduced a security gap via an API code change in February 2025, allowing unauthorized access to firewall configuration backups—including AES-256-encrypted credentials and MFA scratch codes. Marquis, whose firewall was fully patched and MFA-enabled, confirms attackers exploited this stolen data to bypass defenses, contradicting earlier assumptions about unpatched devices. The breach exposed personal and financial data of Marquis’s clients, triggering over 36 consumer class-action lawsuits and prompting Marquis to seek damages, indemnification, and legal fees. The SonicWall incident began as a targeted compromise of its MySonicWall portal, initially reported in September 2025 as affecting fewer than 5% of customers but later revised to confirm all cloud backup users were impacted. Stolen configuration files—containing credentials, network topology, and encrypted secrets—fueled follow-on attacks, including the Marquis ransomware breach (January 2026 disclosure) and Akira ransomware campaigns abusing OTP seeds to bypass MFA. SonicWall collaborated with Mandiant to attribute the breach to state-sponsored actors and released remediation tools, but the Marquis lawsuit underscores the long-tail risks of exposed backup data, even post-containment. Over 950 unpatched SMA1000 appliances remain exposed online, while CISA and SonicWall urge firmware updates, credential resets, and MFA enforcement. Legal experts note the case could set a precedent for vendor liability, as enterprises increasingly sue cybersecurity providers for contribution or negligence. 
The lawsuit also highlights the need for robust vendor due diligence and SLAs that address worst-case scenarios, including vendor-caused breaches. SonicWall may face further legal challenges from Marquis’s clients or regulatory actions if found liable for the downstream impact.
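The item above turns on one property of TOTP: the seed is the whole secret, so whoever copies it from a configuration backup generates the same codes as the user's token, fully patched firewall or not. The following added example (written for this page, not SonicWall's code or the attackers' tooling) implements RFC 4226 HOTP and RFC 6238 TOTP from scratch, shows the stolen-seed code being accepted by a server-side verifier with a drift window, and shows that only re-enrolling a fresh seed invalidates it. The seeds are the published RFC test-vector secret and two constructed strings; nothing is taken from a real appliance.

```python
"""Why a leaked OTP seed defeats TOTP MFA, and why rotation is the fix.

Added example, not SonicWall or attacker code. Seeds are the RFC 6238
test-vector secret and constructed fixtures.
"""
import hashlib
import hmac
import struct
import time

RFC6238_SEED = b"12345678901234567890"      # published RFC 4226/6238 test secret


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over floor(unix_time / step)."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Server-side check accepting +/- `window` steps of clock drift."""
    ctr = at // 30
    return any(hmac.compare_digest(hotp(secret, ctr + d), code)
               for d in range(-window, window + 1))


def demo(now: int = 1_700_000_000) -> dict:
    user_seed = b"constructed-seed-from-backup-file"   # fixture, not real
    # 1. The attacker reads the seed out of the stolen backup and computes a
    #    code for the current time, exactly as the user's token does.
    attacker_code = totp(user_seed, now)
    # 2. The appliance, still enrolled on that seed, accepts it: MFA "bypassed".
    accepted = verify_totp(user_seed, attacker_code, now)
    # 3. After forced re-enrolment on a fresh seed the stolen one is useless.
    new_seed = b"fresh-seed-after-rotation"            # fixture, not real
    still_accepted = verify_totp(new_seed, attacker_code, now)
    return {"attacker_code_accepted": accepted, "after_rotation": still_accepted}
```

Two practical consequences follow. Resetting passwords after a backup leak is not enough; every TOTP enrolment and every static scratch code in the backup has to be re-issued, because scratch codes are simply stored values and need no computation at all. And the `window` parameter matters for detection: a stolen seed lets an attacker pre-compute codes, so two successful OTP logins for one account from different addresses inside one 30-second step is a signal worth alerting on.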
  • Silver Fox Exploits Microsoft-Signed WatchDog Driver to Deploy ValleyRAT Malware The threat actor Silver Fox has been exploiting a previously unknown vulnerable driver associated with WatchDog Anti-malware to deploy ValleyRAT malware. The driver, 'amsdk.sys' (version 1.0.600), is a validly signed Windows kernel device driver built on the Zemana Anti-Malware SDK. It allows arbitrary process termination and local privilege escalation, enabling the attackers to neutralize endpoint protection products and deploy the ValleyRAT remote access trojan. The campaign, first observed in late May 2025, targets Chinese-speaking victims using various social engineering techniques and trojanized software. The WatchDog driver has been patched, but attackers have adapted by modifying the driver to bypass hash-based blocklists. Silver Fox, also known as SwimSnake and UTG-Q-1000, is highly active and organized, targeting domestic users and companies to steal secrets and defraud victims.
Separately, a newly identified cryptojacking campaign spreads through pirated software bundles and deploys a customised XMRig miner with a controller component for persistence. The controller, named Explorer.exe, functions as a state-driven orchestrator: the binary acts as installer, watchdog, payload manager, and cleaner, with a modular design that separates the monitoring features from the core payloads responsible for cryptocurrency mining, privilege escalation, and persistence. The malware exhibits worm-like capabilities, spreading across external storage devices and so reaching even air-gapped hosts. It uses a legitimate Windows Telemetry service executable to sideload the miner DLL, and the legitimate but flawed driver WinRing0x64.sys in a bring-your-own-vulnerable-driver (BYOVD) technique: the driver is susceptible to CVE-2020-14979 (CVSS score: 7.8), which allows privilege escalation, and the exploit integrated into the miner uses the resulting kernel-level access to write CPU model-specific registers that disable hardware prefetchers, boosting mining performance by 15% to 50%. The miner connects to the Kryptex mining pool at xmr-sg.kryptex.network:8029. A logic bomb retrieves the local system time and compares it against a hardcoded date of December 23, 2025, after which the malware removes itself, so the campaign was not designed to run indefinitely on compromised systems. Mining activity took place, albeit sporadically, throughout November 2025 before spiking on December 8, 2025.

Latest updates


Windows 11 Batch File Security Enhancements in Insider Preview

Updated: · First: 27.02.2026 22:00 · 📰 1 src / 1 articles

Microsoft is introducing a change in Windows 11 Insider Preview builds that prevents batch files from being modified while they are executing. Because cmd.exe reads a batch file incrementally as it runs, a file altered mid-execution changes what actually runs; the new behaviour is meant to improve performance and security in enterprise environments by validating the file's signature once, up front, rather than re-reading a possibly changed file line by line. Additionally, Microsoft has improved the Shared Audio feature, allowing individual volume control for each listener and expanding support for more Bluetooth LE Audio accessories.

ScarCruft (APT37) Expands Tactics with Ruby Jumper Campaign Targeting Air-Gapped Networks

Updated: 27.02.2026 21:21 · First: 14.08.2025 03:00 · 📰 23 src / 26 articles

The **ScarCruft (APT37) Ruby Jumper campaign**, first discovered in **December 2025** and detailed in **February 2026**, marks a **significant expansion of tactics** to breach air-gapped networks and abuse legitimate cloud services for command-and-control (C2). The campaign deploys a **multi-stage infection chain** beginning with a malicious LNK file that drops a decoy document (e.g., an Arabic translation of a North Korean article on the Palestine-Israel conflict), an executable payload (**RESTLEAF**), a PowerShell script, and a batch file. RESTLEAF leverages **Zoho WorkDrive for C2**—the first known instance of ScarCruft using this service—to fetch shellcode, which then deploys **SNAKEDROPPER**. This implant installs a Ruby runtime, establishes persistence via a **scheduled task (`rubyupdatecheck`)** that replaces the RubyGems default file `operating_system.rb`, and drops **THUMBSBD** and **VIRUSTASK**, both designed to **weaponize removable media (USB drives)** for lateral movement into air-gapped systems. THUMBSBD supports **keylogging, audio/video surveillance, and file exfiltration**, while also creating **hidden directories on USB drives** to stage operator commands or store execution output. VIRUSTASK focuses on **initial access propagation** via USB drives, replacing legitimate files with malicious shortcuts that execute the Ruby interpreter when opened. The campaign also delivers **FOOTWINE**, a reconnaissance tool disguised as an APK file that harvests documents and monitors removable drive activity, and **BLUELIGHT**, a backdoor that adapts its C2 mode based on network connectivity (direct cloud communication or USB-based staging). This follows earlier ScarCruft operations, including **ransomware attacks (July 2025)**, **Operation HanKook Phantom (September 2025)**, and the **Contagious Interview campaign (February 2026)**, which targeted developers via malicious repositories and job-themed lures. 
The Ruby Jumper campaign underscores ScarCruft’s **expanded focus on air-gapped infiltration**, combining **cloud abuse with physical media exploitation** to evade network isolation and achieve persistent surveillance with minimal forensic traces. Zscaler ThreatLabz confirmed the use of **six distinct tools** in this campaign, five of which were previously undocumented.
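Two of the mechanisms in the entry above are easy to hunt for on a quarantined USB drive or a suspect host: a document replaced by a `.lnk` that launches an interpreter, and a `rubygems/defaults/operating_system.rb` dropped into a Ruby installation (RubyGems loads that file on start-up if it exists, which is what makes it a quiet persistence hook). The script below is an added example written for this page, not ScarCruft tooling and not Zscaler ThreatLabz's detection logic. It parses `.lnk` files with a minimal MS-SHLLINK reader and flags document-style double extensions (`report.docx.lnk`) and shortcuts whose target is a script interpreter; the interpreter list beyond `ruby`/`rubyw` is an assumption, since the entry names only the Ruby interpreter. The fixture shortcuts and directory tree are constructed in `demo()` so it runs offline.

```python
"""Triage a removable drive and a Ruby tree for Ruby Jumper style artefacts.

Added example, not ScarCruft or Zscaler code. Fixtures are constructed.
"""
import os
import struct
import tempfile
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))
INTERPRETERS = {"ruby", "rubyw", "powershell", "cmd", "wscript", "mshta"}  # assumed
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".hwp", ".txt"}


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link (MS-SHLLINK 2.1-2.4)."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                  # end of the fixed ShellLinkHeader
    if flags & HAS_IDLIST:                    # LinkTargetIDList: u16 size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                  # LinkInfo: u32 size includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, key in STRING_FIELDS:            # fixed order, u16 count, no terminator
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                fields[key] = data[pos:pos + 2 * n].decode("utf-16-le")
                pos += 2 * n
            else:
                fields[key] = data[pos:pos + n].decode("cp1252")
                pos += n
    return fields


def lnk_findings(path: str, data: bytes) -> list:
    """Heuristics for a shortcut standing in for a document on a USB drive."""
    stem = os.path.basename(path).lower()[:-4]          # drop ".lnk"
    hits = []
    if os.path.splitext(stem)[1] in DOC_EXTS:
        hits.append("document double extension")
    try:
        fields = parse_lnk(data)
    except ValueError:
        return hits + ["unparseable .lnk"]
    exe = os.path.basename(fields.get("relative_path", "").replace("\\", "/")).lower()
    if exe.rsplit(".", 1)[0] in INTERPRETERS:
        hits.append(f"launches interpreter {exe} {fields.get('arguments', '')}".strip())
    return hits


def triage_volume(root: str) -> dict:
    """Map each suspicious .lnk under root (relative path) to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".lnk"):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    hits = lnk_findings(full, fh.read())
                if hits:
                    report[os.path.relpath(full, root)] = hits
    return report


def find_rubygems_defaults(ruby_root: str) -> list:
    """Paths of rubygems/defaults/operating_system.rb under a Ruby install.
    Some distributions ship one, so diff any hit against a known-good copy."""
    found = []
    for dirpath, _dirs, files in os.walk(ruby_root):
        if dirpath.replace("\\", "/").endswith("rubygems/defaults") \
                and "operating_system.rb" in files:
            found.append(os.path.join(dirpath, "operating_system.rb"))
    return found


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal unicode .lnk, used only as a test fixture."""
    flags = HAS_RELPATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                       for s in (relative_path, arguments))
    return header + strings


def demo() -> dict:
    """Fake USB root: one weaponised shortcut, one benign one, a Ruby tree."""
    root = tempfile.mkdtemp(prefix="usb_")
    defaults = os.path.join(root, "Ruby", "lib", "ruby", "3.3.0", "rubygems", "defaults")
    os.makedirs(defaults)
    with open(os.path.join(defaults, "operating_system.rb"), "w") as fh:
        fh.write("# constructed fixture\n")
    with open(os.path.join(root, "report.docx.lnk"), "wb") as fh:
        fh.write(build_lnk("..\\Ruby\\bin\\rubyw.exe", "-e \"load '.sys/m.rb'\""))
    with open(os.path.join(root, "Manual.lnk"), "wb") as fh:
        fh.write(build_lnk("Manual.pdf", ""))
    return {"lnk": triage_volume(root), "rubygems_defaults": find_rubygems_defaults(root)}
```

Run it against a mounted drive from a Linux analysis box to avoid executing anything, and pair the `.lnk` hits with a scheduled-task export from the host (the entry names the task `rubyupdatecheck`). The parser deliberately stops at StringData; ExtraData blocks that follow are not needed for this triage.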

Global Law Enforcement Disrupts 'The Com' Cybercrime Collective

Updated: 27.02.2026 20:20 · First: 27.02.2026 13:00 · 📰 2 src / 3 articles

A coordinated international operation, Project Compass, has arrested 30 members of 'The Com,' a cybercrime group linked to ransomware attacks, extortion, violent activities, and the production of child sexual exploitation material (CSAM). The group, primarily composed of young individuals, has targeted high-profile entities and engaged in phishing, vishing, and SIM swapping. Project Compass, led by Europol's European Counter Terrorism Centre, involves multiple countries and aims to disrupt the group's operations and safeguard victims. The Com has been connected to Russian cybercriminal gangs and has expanded its activities to include physical violence, extremist links, and the exploitation of minors.

U.S. sanctions cyber scam operations in Southeast Asia

Updated: 27.02.2026 20:11 · First: 09.09.2025 23:25 · 📰 4 src / 7 articles

The U.S. Department of the Treasury has sanctioned several large cyber scam networks in Southeast Asia, primarily in Burma and Cambodia. These operations, which used forced labor and human trafficking, stole over $10 billion from Americans in 2024, a 66% increase from the previous year. The scams included romance baiting and fake cryptocurrency investments. The sanctions target individuals and entities linked to the Karen National Army (KNA) and various organized crime networks. The U.S. has established a new task force, the Scam Center Strike Force, to disrupt Chinese cryptocurrency scam networks. This task force, supported by the U.S. Attorney's Office, the Department of Justice, the FBI, and the Secret Service, has already seized over $401 million in cryptocurrency and filed forfeiture proceedings for an additional $80 million in stolen funds. The Treasury Department’s Office of Foreign Assets Control has imposed additional sanctions on the Democratic Karen Benevolent Army (DKBA) and related entities. In a recent development, the U.S. Department of Justice (DoJ) seized $61 million worth of Tether linked to pig butchering crypto scams. The confiscated funds were traced to cryptocurrency addresses used for laundering proceeds from cryptocurrency investment scams. Threat actors target individuals by cultivating romantic relationships on dating and social media messaging apps, coercing victims into investing in fraudulent platforms that display fake high returns. Scammers route stolen money through multiple wallets to hide its nature and source. Tether has frozen around $4.2 billion in assets linked to illicit activity, including $250 million related to scam networks since June 2025.

Ongoing Web Shell Attacks on Sangoma FreePBX Instances via CVE-2025-64328

Updated: · First: 27.02.2026 19:59 · 📰 1 src / 1 articles

Over 900 Sangoma FreePBX instances remain compromised with web shells due to the exploitation of CVE-2025-64328, a high-severity command injection vulnerability. The attacks, ongoing since December 2025, have affected instances globally, with the highest concentrations in the U.S., Brazil, Canada, Germany, and France. The vulnerability allows post-authentication command injection, enabling remote access as the asterisk user. The U.S. CISA has added this vulnerability to its KEV catalog, and Fortinet has linked the attacks to the threat actor INJ3CTOR3, who uses a web shell named EncystPHP.

CISA Updates RESURGE Malware Analysis, Reveals Advanced Evasion Techniques

Updated: 27.02.2026 17:57 · First: 26.02.2026 14:00 · 📰 2 src / 2 articles

CISA has released an updated Malware Analysis Report (MAR) on RESURGE, a sophisticated malware that exploits vulnerabilities to establish stealthy SSH-based command-and-control access. The malware can remain dormant on compromised Ivanti Connect Secure devices, evading routine detection. The updated analysis highlights RESURGE's advanced network-level evasion techniques, including forged TLS certificates and cryptographic methods, posing an ongoing threat to affected networks. CISA emphasizes the importance of using the provided indicators of compromise (IOCs) and detection signatures to identify and mitigate RESURGE, urging organizations to implement the recommended actions. The malware is linked to a threat actor tracked as UNC5221, which exploited the CVE-2025-0282 vulnerability as a zero-day since mid-December 2024.

Malicious Go Crypto Module Exploits Namespace Confusion to Deploy Rekoobe Backdoor

Updated: · First: 27.02.2026 17:33 · 📰 1 src / 1 articles

A malicious Go module named github[.]com/xinfeisoft/crypto impersonates the legitimate "golang.org/x/crypto" codebase to steal passwords and deploy the Rekoobe Linux backdoor. The module exploits namespace confusion to inject malicious code that exfiltrates secrets entered via terminal password prompts and executes a shell script that creates persistent access via SSH and loosens firewall restrictions. The campaign targets high-value boundaries like ReadPassword() and uses GitHub Raw as a rotating pointer for infrastructure rotation. The package remains listed on pkg.go.dev but has been blocked by the Go security team. The Rekoobe backdoor, known since 2015, is capable of receiving commands to download more payloads, steal files, and execute a reverse shell. It has been used by Chinese nation-state groups like APT31.
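The lookalike in the entry above works because `github.com/xinfeisoft/crypto` ends in the same repository name as `golang.org/x/crypto`, and a developer reading an import block sees `.../crypto/ssh/terminal` and assumes the real one. A cheap pre-merge check is to flag any dependency or import whose repository segment matches a `golang.org/x` name but whose path is not under a trusted prefix. The following is an added example written for this page, not the Go security team's tooling and not the analysis the entry summarises; `GOLANG_X` and `TRUSTED_PREFIXES` are assumed subsets, and the `go.mod` and Go source fixtures (including the `v1.0.0` version) are constructed.

```python
"""Flag Go dependencies and imports whose path mimics a golang.org/x module.

Added example, not Go project tooling. Name sets and fixtures are assumed.
"""
import re

GOLANG_X = {"crypto", "net", "sys", "text", "term", "oauth2", "sync", "tools", "time", "mod"}
TRUSTED_PREFIXES = ("golang.org/x/", "google.golang.org/", "cloud.google.com/")
REQ_LINE = re.compile(r"^\s*(?:require\s+)?([^\s()]+)\s+(v\S+)(\s*//.*)?$")
QUOTED = re.compile(r'"([^"]+)"')


def _block_lines(text: str, opener: str, single: str):
    """Yield lines inside `opener ( ... )` groups plus single-line `single ...` forms."""
    in_block = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith(opener):
            in_block = True
        elif in_block and s == ")":
            in_block = False
        elif in_block or s.startswith(single):
            yield s


def parse_requires(gomod: str) -> list:
    """(module, version, indirect) tuples from a go.mod file."""
    deps = []
    for s in _block_lines(gomod, "require (", "require "):
        m = REQ_LINE.match(s)
        if m:
            deps.append((m.group(1), m.group(2), "indirect" in (m.group(3) or "")))
    return deps


def parse_imports(go_src: str) -> list:
    """Import paths from Go source, grouped or single-line form."""
    paths = []
    for s in _block_lines(go_src, "import (", "import "):
        m = QUOTED.search(s)
        if m:
            paths.append(m.group(1))
    return paths


def repo_segment(path: str) -> str:
    """host/owner/REPO/... -> REPO; standard-library paths return themselves."""
    parts = path.split("/")
    return parts[2] if len(parts) >= 3 else parts[-1]


def lookalikes(paths) -> list:
    """Paths that borrow a golang.org/x repository name from an untrusted host."""
    return [p for p in paths
            if repo_segment(p) in GOLANG_X and not p.startswith(TRUSTED_PREFIXES)]


def audit(gomod: str, go_src: str) -> dict:
    mods = [m for m, _v, _ind in parse_requires(gomod)]
    return {"modules": lookalikes(mods), "imports": lookalikes(parse_imports(go_src))}


# Constructed fixtures: the version is made up, only the module path is the
# one named in the entry.
SAMPLE_GOMOD = """module example.com/app

go 1.22

require (
\tgithub.com/xinfeisoft/crypto v1.0.0
\tgolang.org/x/crypto v0.31.0
\tgithub.com/spf13/cobra v1.8.0 // indirect
)
"""

SAMPLE_GO = """package main

import (
\t"fmt"
\t"github.com/xinfeisoft/crypto/ssh/terminal"
)
"""
```

Hits are review prompts, not verdicts: a legitimate fork of `x/crypto` trips the same rule. Wire `audit()` into CI over every `go.mod` and `*.go` in the tree and fail the build on any hit that is not on an explicit allow-list, and keep `GOPROXY`/`GONOSUMDB` settings such that the module still has to pass the checksum database.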

Visibility Gaps in Patch Management and Vulnerability Remediation

Updated: 27.02.2026 17:00 · First: 29.10.2025 16:02 · 📰 2 src / 3 articles

Organizations face significant challenges in patch management due to visibility gaps and lack of centralized control, particularly with third-party software. These gaps lead to unpatched vulnerabilities, compliance drift, and increased risk exposure. Modern solutions like Action1 aim to streamline detection, prioritization, and oversight of patch management processes, including third-party applications. Effective vulnerability management requires knowing what needs attention, acting quickly with proper tools, and confirming success. Centralized visibility and control are crucial for maintaining shorter remediation timelines, reducing repeat vulnerabilities, and demonstrating stronger audit readiness. Action1 offers a cloud-native platform that connects all endpoints, identifies missing updates, and provides granular control over patch deployment. It incorporates intelligence for prioritization and ensures visibility and accountability through detailed reporting and compliance dashboards.

Claude Code Security Reviews Introduced for AI-Assisted Development

Updated: 27.02.2026 16:00 · First: 22.08.2025 16:05 · 📰 3 src / 3 articles

Anthropic has introduced security review features in its Claude Code platform, designed to integrate security checks into AI-assisted development workflows. The new capabilities, now available in a limited research preview, automate the detection and remediation of common vulnerabilities in codebases, leveraging AI to enhance application security. These features are part of a broader trend toward embedding security directly into development tools and pipelines, addressing the challenges posed by AI-assisted coding and 'vibe coding.' The security review function allows developers to run ad hoc checks for vulnerabilities and implement fixes, with the option to integrate these checks into continuous integration/continuous deployment (CI/CD) pipelines. While the initial focus is on classic security issues like SQL injection and cross-site scripting, the tool is expected to evolve, though it is not intended to replace existing security measures. Security experts emphasize the need for a comprehensive approach to application security, combining AI-assisted tools with traditional methods and human oversight to ensure robust protection against emerging threats. The debut of Claude Code Security has impacted share prices of several security companies, highlighting the potential disruptive nature of AI-assisted security tools.

ManoMano Data Breach Affects 38 Million Customers via Third-Party Service Provider

Updated: 27.02.2026 15:41 · First: 26.02.2026 19:35 · 📰 2 src / 2 articles

ManoMano, a European DIY e-commerce platform, disclosed a data breach impacting 38 million customers. The breach occurred in January 2026 due to unauthorized access to a third-party customer service provider. Exposed data includes full names, email addresses, phone numbers, and customer service communications. The stolen data includes information associated with 37.8 million ManoMano user accounts, over 900,000 service tickets, and over 13,000 attachments, pertaining to users across France, Germany, Italy, Spain, and the United Kingdom. No account passwords were compromised. The company has taken steps to secure its environment and notified relevant authorities and affected customers. The breach was claimed by an individual using the alias 'Indra' on a hacker forum, alleging the theft of 37.8 million user accounts and thousands of support tickets. The compromised service provider is reportedly a Tunis-based customer support firm that suffered a Zendesk breach.

AI-Powered Fake ID Service OnlyFake Disrupted

First: 27.02.2026 14:30 · 📰 1 src / 1 article

Yurii Nazarenko, a 27-year-old Ukrainian man, pleaded guilty to operating OnlyFake, an AI-powered platform that generated and sold over 10,000 fake identification documents. The service created realistic counterfeit passports, driver's licenses, and Social Security cards for customers worldwide, primarily to bypass Know Your Customer (KYC) verification requirements at banks and cryptocurrency exchanges. Nazarenko accepted cryptocurrency payments and attempted to cover his tracks by routing payments through multiple wallets. He was extradited from Romania in September 2025 and faces up to 15 years in prison, with sentencing scheduled for June 26, 2026.

UK VMS Reduces Critical Vulnerability Backlog by 75%

First: 27.02.2026 13:45 · 📰 1 src / 1 article

The UK government's Vulnerability Monitoring Service (VMS) has reduced its backlog of critical vulnerabilities by 75% and cut cyber-attack fix times by 87%. The service, introduced as part of the blueprint for modern digital government, uses commercial and proprietary scanning tools to identify and address DNS-related vulnerabilities in public sector internet-facing assets. The VMS scans 6,000 UK public sector bodies, detecting around 1,000 different types of cyber vulnerabilities. Additionally, the government launched the Cyber Profession initiative to attract and develop cyber talent.

Trojanized Gaming Tools Distribute Java-Based RAT via Browser and Chat Platforms

First: 27.02.2026 12:06 · 📰 1 src / 1 article

Threat actors are distributing a Java-based remote access trojan (RAT) through trojanized gaming utilities spread via browsers and chat platforms. The malware uses PowerShell and living-off-the-land binaries (LOLBins) for stealthy execution and evades detection by deleting the initial downloader and configuring Microsoft Defender exclusions. The RAT connects to a command-and-control (C2) server for data exfiltration and additional payload deployment. The disclosure coincides with the emergence of Steaelite, a new Windows RAT malware family advertised on criminal forums, which combines data theft and ransomware capabilities in a single web panel. Additionally, two new RAT families, DesckVB RAT and KazakRAT, have been discovered, enabling comprehensive remote control over infected hosts.

Meta Files Lawsuits Against Advertisers Involved in Celeb-Bait Scams

First: 27.02.2026 09:56 · 📰 1 src / 1 article

Meta has filed lawsuits against advertisers based in Brazil, China, and Vietnam for engaging in deceptive advertising practices, including celeb-bait scams and cloaking techniques. The company has also issued cease and desist letters to marketing consultants offering services to bypass ad policy enforcement systems. The scams involved misusing celebrity images to promote fraudulent healthcare products, investment schemes, and other malicious activities. Meta has taken steps to suspend payment methods, disable related accounts, and block domain names used in these scams. The company has also developed protections for celebrities whose images are frequently used in such schemes. Additionally, Meta's actions come in the wake of reports indicating a significant portion of its ad sales in China were linked to scams, illegal gambling, and other banned content.

SonicWall MySonicWall Breach Exposes Firewall Configuration Files

Updated: 27.02.2026 00:02 · First: 17.09.2025 19:23 · 📰 15 src / 25 articles

Marquis Software Solutions has filed a lawsuit against SonicWall, alleging gross negligence and misrepresentation in the handling of its MySonicWall cloud backup breach, which directly enabled a ransomware attack disrupting 780,000+ individuals across 700+ U.S. banks and credit unions in August 2025. The lawsuit reveals that SonicWall introduced a security gap via an API code change in February 2025, allowing unauthorized access to firewall configuration backups, including AES-256-encrypted credentials and MFA scratch codes. Marquis, whose firewall was fully patched and MFA-enabled, confirms attackers exploited this stolen data to bypass defenses, contradicting earlier assumptions about unpatched devices. The breach exposed personal and financial data of Marquis's clients, triggering over 36 consumer class-action lawsuits and prompting Marquis to seek damages, indemnification, and legal fees. The SonicWall incident began as a targeted compromise of its MySonicWall portal, initially reported in September 2025 as affecting fewer than 5% of customers but later revised to confirm that all cloud backup users were impacted. Stolen configuration files, containing credentials, network topology, and encrypted secrets, fueled follow-on attacks, including the Marquis ransomware breach (disclosed in January 2026) and Akira ransomware campaigns abusing OTP seeds to bypass MFA. SonicWall collaborated with Mandiant to attribute the breach to state-sponsored actors and released remediation tools, but the Marquis lawsuit underscores the long-tail risks of exposed backup data, even after containment. Over 950 unpatched SMA1000 appliances remain exposed online, while CISA and SonicWall urge firmware updates, credential resets, and MFA enforcement. Legal experts note the case could set a precedent for vendor liability, as enterprises increasingly sue cybersecurity providers for contribution or negligence.
The lawsuit also highlights the need for robust vendor due diligence and SLAs that address worst-case scenarios, including vendor-caused breaches. SonicWall may face further legal challenges from Marquis's clients, or regulatory action, if found liable for the downstream impact.

Google API Keys Expose Gemini AI Data

First: 26.02.2026 22:55 · 📰 1 src / 1 article

Google API keys that were previously considered low-risk can now be used to reach Gemini AI data, effectively a privilege escalation for any key that leaks. Researchers found nearly 3,000 exposed keys across various sectors, including at Google itself. These keys can authenticate to Gemini AI and access private data, potentially leading to significant financial losses for the organizations that own them.

Aeternum Botnet Adopts Polygon Blockchain for Command and Control

Updated: 26.02.2026 20:00 · First: 26.02.2026 18:00 · 📰 2 src / 3 articles

The Aeternum botnet loader has shifted its command-and-control (C2) operations to the Polygon blockchain, eliminating traditional central servers. This makes it harder for authorities and security firms to disrupt the botnet by seizing infrastructure. The botnet uses smart contracts on the blockchain to issue commands, which are publicly recorded and immutable. Aeternum is a native C++ loader available in x32 and x64 builds. Operators manage infections via a web dashboard that lets them select a smart contract, choose a command type, and specify a payload URL. Commands are written to the blockchain as transactions and are accessible to bots querying more than 50 remote procedure call (RPC) endpoints. Blockchain-based C2 complicates traditional takedown strategies, as there is no central infrastructure to seize. Commands stored on-chain are permanent and globally accessible, making proactive DDoS mitigation more critical. The threat actor LenAI has attempted to sell the entire Aeternum toolkit for $10,000, citing a lack of time for support and involvement in another project. LenAI is also behind a second crimeware solution called ErrTraffic.

Trend Micro Apex One Management Console 0-Day Exploited

Updated: 26.02.2026 19:58 · First: 11.08.2025 14:53 · 📰 2 src / 3 articles

Trend Micro has disclosed and patched two critical vulnerabilities, CVE-2025-71210 and CVE-2025-71211, in its on-premise Apex One Management Console. The vulnerabilities allow remote code execution (RCE) on vulnerable Windows systems. Trend Micro has released Critical Patch Build 14136 to address them; the build also fixes two high-severity privilege escalation flaws in the Windows agent and four more affecting the macOS agent. The vulnerabilities stem from path traversal weaknesses in the management console and require attackers to already have access to it. Previously, Trend Micro disclosed two other critical vulnerabilities, CVE-2025-54948 and CVE-2025-54987, which were actively exploited in the wild and allowed command injection and remote code execution. For those earlier flaws, Trend Micro released temporary mitigations and urged users to apply them immediately to protect against attacks.

Critical Juniper Networks PTX Router Vulnerability (CVE-2026-21902)

First: 26.02.2026 18:42 · 📰 1 src / 1 article

A critical vulnerability (CVE-2026-21902) in Juniper Networks' Junos OS Evolved, affecting PTX Series routers, allows unauthenticated remote code execution with root privileges. The flaw stems from incorrect permission assignment in the 'On-Box Anomaly Detection' framework, which is exposed over an external port by default. Successful exploitation could lead to full router takeover. The issue impacts versions before 25.4R1-S1-EVO and 25.4R2-EVO, with fixes available in newer versions. Juniper Networks has not observed active exploitation as of the advisory's publication.

Olympique Marseille confirms cyberattack after data leak

First: 26.02.2026 18:11 · 📰 1 src / 1 article

Olympique de Marseille, a French football club, confirmed an attempted cyberattack after a threat actor claimed to have breached the club's systems earlier in February 2026. The attacker leaked a sample of allegedly stolen data, including information on 400,000 individuals, on a hacking forum. The club reassured that no banking details or passwords were compromised and advised fans to remain vigilant against phishing attempts. The threat actor claims the stolen database contains names, addresses, email addresses, mobile phone numbers, and order information, as well as details on 2,050 Drupal CMS accounts, including 34 staff members and 1,770 contributors and moderators. The club has reported the incident to the French data protection authority (CNIL) and filed a complaint.

UAT-10027 Campaign Targets U.S. Education and Healthcare with Dohdoor Backdoor

First: 26.02.2026 17:17 · 📰 1 src / 1 article

A previously undocumented threat activity cluster, tracked as UAT-10027, has been targeting U.S. education and healthcare sectors since at least December 2025. The campaign delivers a new backdoor named Dohdoor, which uses DNS-over-HTTPS (DoH) for command-and-control (C2) communications. The initial access vector is suspected to involve social engineering phishing techniques, leading to the execution of a PowerShell script that downloads and runs a malicious DLL. The backdoor is launched via DLL side-loading using legitimate Windows executables. The threat actor hides C2 servers behind Cloudflare infrastructure to evade detection. Dohdoor also unhooks system calls to bypass endpoint detection and response (EDR) solutions. While there are tactical similarities to Lazarus Group malware, the victimology differs from typical Lazarus targets.

Darktrace Detects 32 Million Phishing Emails in 2025 as Identity Attacks Surge

First: 26.02.2026 17:00 · 📰 1 src / 1 article

Darktrace detected over 32 million high-confidence phishing emails in 2025, indicating a significant rise in identity-driven cyber threats. The report highlights the increasing sophistication of phishing tactics, including the use of newly created domains, malicious QR codes, and novel social engineering techniques. Identity compromise has overtaken vulnerability exploitation as the primary entry vector, with attackers leveraging stolen credentials and hijacked tokens to gain access. The report also reveals regional and sector-specific trends, with the Americas accounting for 47% of global security events and manufacturing being a major target for ransomware.

Increased Speed and Sophistication in Cyber Threats

First: 26.02.2026 16:28 · 📰 1 src / 1 article

Cyber threats are evolving with increased speed and sophistication, blending into everyday activities such as ads, meeting invites, and software updates. Attackers are exploiting small gaps, delayed patches, misplaced trust, and rushed clicks to establish control more quickly and make cleanup harder.

Ransomware Payment Rate Declines Amid Rising Attacks

Updated: 26.02.2026 16:00 · First: 26.02.2026 16:00 · 📰 2 src / 2 articles

The percentage of ransomware victims paying threat actors dropped to 28% in 2025, the lowest recorded, despite a 50% increase in attacks. Total on-chain payments reached $820 million, with projections exceeding $900 million. Factors like improved incident response, regulatory scrutiny, and law enforcement actions contributed to the decline. The median ransom payment surged by 368%, indicating larger payouts from fewer victims. The number of active extortion groups rose to 85, with notable attacks on Jaguar Land Rover, Marks & Spencer, and DaVita Inc. The U.S. remained the most targeted country. The ransomware payment rate has been declining for four consecutive years, and the average price for network access declined from $1,427 in Q1 2023 to $439 in Q1 2026.

87% of Organizations Have Exploitable Software Vulnerabilities in Production

First: 26.02.2026 16:00 · 📰 1 src / 1 article

A report by Datadog reveals that 87% of organizations have at least one exploitable software vulnerability in production, affecting 40% of all services. Vulnerabilities are most common in Java (59%), .NET (47%), and Rust (40%) services. Only 18% of critical dependency vulnerabilities remain critical after their severity scores are adjusted with runtime and CVE context. The report also highlights risks at both ends of the software lifecycle: outdated dependencies on one side and the rapid adoption of newly released library versions on the other.

UK ICO Transitions to Board-Run Model Under Data (Use and Access) Act 2025

First: 26.02.2026 16:00 · 📰 1 src / 1 article

The UK Information Commissioner's Office (ICO) is transitioning from a single-leader model to a board-run structure under the Data (Use and Access) Act 2025 (DUAA). The change aims to meet the agency's growing workload and bring diverse expertise to data protection. The shift will introduce new governance, investigatory powers, and secondary duties, including promoting innovation and competition. The ICO will also expand its Data Essentials training scheme for SMEs. Paul Arnold, the first CEO of the new ICO structure, and John Edwards, the current Information Commissioner, announced the changes at the IAPP Intensive London event on February 25, 2026. The transition is expected to be fully in place within the next few weeks.

Microsoft Rolls Out Windows Backup for Organizations

Updated: 26.02.2026 15:04 · First: 09.10.2025 17:56 · 📰 2 src / 3 articles

Microsoft has expanded the Windows Backup for Organizations feature to support more enterprise devices. The first sign-in restore experience now allows users to restore settings and Microsoft Store apps on first login to a new or reimaged Windows 11 device, extending support to hybrid-managed environments, multi-user device setups, and Windows 365 Cloud PCs. Originally announced in October 2025, Windows Backup for Organizations is designed to simplify backups and facilitate the transition to Windows 11. The feature is available for Entra-joined devices after installing the September 2025 Windows Monthly Cumulative Update. It backs up Windows settings, preferences, and Microsoft Store-installed apps on Windows 10 and Windows 11 systems, and restores them on Windows 11 PCs during device setup. Data is stored in the Exchange Online cloud, with encryption and strict access controls. The feature must be enabled by IT administrators via backup and restore policy settings.

UNC2814 Campaign Targeting Telecom and Government Networks

Updated: 26.02.2026 14:09 · First: 25.02.2026 19:00 · 📰 3 src / 3 articles

A suspected Chinese threat actor, tracked as UNC2814, has conducted a global espionage campaign since at least 2017, targeting telecom and government networks. The campaign has impacted 53 organizations in 42 countries, with suspected infections in at least 20 more. The actor deployed a new C-based backdoor named GRIDTIDE, which abuses the Google Sheets API for command-and-control (C2) operations. The initial access vector is unknown, but previous intrusions involved flaws in web servers and edge systems. GRIDTIDE performs host reconnaissance and supports commands for executing bash commands and for uploading and downloading files. Google, Mandiant, and partners disrupted the campaign by terminating the associated Google Cloud projects and disabling known infrastructure. Organizations impacted by GRIDTIDE were notified and offered support to clean up the infections. Google expects UNC2814 to resume activity on new infrastructure in the near future.

Harvest Now, Decrypt Later: Urgent Need for Post-Quantum Cryptography Migration

First: 26.02.2026 14:06 · 📰 1 src / 1 article

Organizations are urged to prepare for the imminent threat of quantum computing by adopting Post-Quantum Cryptography (PQC) to secure long-term sensitive data. The 'Harvest Now, Decrypt Later' (HNDL) strategy employed by adversaries highlights the vulnerability of current encryption methods against future quantum-enabled decryption attacks. A structured approach to PQC migration is outlined, emphasizing the need for immediate action, strategic planning, and continuous monitoring to ensure data security against evolving threats.

New York sues Valve over illegal gambling via game loot boxes

First: 26.02.2026 13:44 · 📰 1 src / 1 article

New York Attorney General Letitia James has filed a lawsuit against Valve Corporation, alleging that the company promotes illegal gambling through loot boxes in its games. The lawsuit claims that Valve's loot box features violate state gambling laws by offering random virtual prizes that can be exchanged for real money, similar to slot machines. The lawsuit targets loot box features in Counter-Strike 2, Team Fortress 2, and Dota 2, which allow players to pay for virtual containers with randomly selected items. The lawsuit highlights the potential harm to children, as they may be drawn into loot box purchases to win rare items and boost social status within gaming communities. The market for Counter-Strike weapon skins has ballooned into a multibillion-dollar economy, with individual items sometimes fetching prices over $1 million. Valve is accused of skewing the odds of winning rare items to make them more valuable, and the lawsuit seeks to permanently bar Valve from operating loot box features in New York, require Valve to return all profits generated by the practice, and impose fines for the alleged violations.