
Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

News Summary

Last updated: 22:00 06/03/2026 UTC
  • MuddyWater Expands Global Campaigns with New Backdoors Targeting US and Israeli Entities
    The MuddyWater threat actor, linked to Iran and also known as Static Kitten, Mercury, and Seedworm, has conducted a global phishing campaign targeting over 100 organizations, including government entities, embassies, diplomatic missions, foreign affairs ministries, consulates, international organizations, and telecommunications firms in the Middle East and North Africa (MENA) region. The campaign used compromised email accounts to send phishing emails with malicious Microsoft Word documents containing macros that dropped and launched the Phoenix backdoor, version 4. This backdoor provided remote control over infected systems. The campaign was active starting August 19, 2025, and used a command-and-control (C2) server registered under the domain screenai[.]online. The attackers employed three remote monitoring and management (RMM) tools and a custom browser credential stealer, Chromium_Stealer. The malware and tools were hosted on a temporary Python-based HTTP service linked to NameCheap's servers. The campaign highlights the ongoing use of trusted communication channels by state-backed threat actors to evade defenses and infiltrate high-value targets. The server and server-side command-and-control (C2) component were taken down on August 24, 2025, likely indicating a new stage of the attack. The MuddyWater threat actor has also targeted Israeli entities spanning the academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors. The hacking group has delivered a previously undocumented backdoor called MuddyViper. The attacks also singled out one technology company based in Egypt. The attack chains involve spear-phishing and the exploitation of known vulnerabilities in VPN infrastructure to infiltrate networks and deploy legitimate remote management tools.
    The campaign uses a loader named Fooder that decrypts and executes the C/C++-based MuddyViper backdoor. The MuddyViper backdoor enables the attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data. Additionally, the MuddyWater threat actor has deployed a new backdoor called UDPGangster that uses the User Datagram Protocol (UDP) for command-and-control (C2) purposes. The attack chain involves using spear-phishing tactics to distribute booby-trapped Microsoft Word documents that trigger the execution of a malicious payload once macros are enabled. The phishing messages impersonate the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs and purport to invite recipients to an online seminar titled "Presidential Elections and Results." The VBA script in the dropper file is equipped to conceal any sign of malicious activity by displaying a Hebrew-language decoy image from Israeli telecommunications provider Bezeq about supposed disconnection periods in the first week of November 2025 across various cities in the country. UDPGangster establishes persistence through Windows Registry modifications and includes various anti-analysis checks to resist efforts by security researchers to take it apart. UDPGangster connects to an external server ("157.20.182[.]75") over UDP port 1269 to exfiltrate collected data, run commands using "cmd.exe," transmit files, update the C2 server, and drop and execute additional payloads. The MuddyWater threat actor has launched a new campaign targeting diplomatic, maritime, financial, and telecom entities in the Middle East with a Rust-based implant codenamed RustyWater. The campaign uses icon spoofing and malicious Word documents to deliver Rust-based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion.
    The RustyWater implant gathers victim machine information, detects installed security software, sets up persistence by means of a Windows Registry key, and establishes contact with a command-and-control (C2) server (nomercys.it[.]com) to facilitate file operations and command execution. The RustyWater implant is also referred to as Archer RAT and RUSTRIC. The use of RUSTRIC was previously flagged by Seqrite Labs as part of attacks targeting IT, MSPs, human resources, and software development companies in Israel. Historically, MuddyWater has relied on PowerShell and VBS loaders for initial access and post-compromise operations, but the introduction of Rust-based implants represents a notable tooling evolution toward more structured, modular, and low-noise RAT capabilities. The MuddyWater threat actor has launched a new campaign codenamed Operation Olalampo targeting organizations and individuals in the Middle East and North Africa (MENA) region. The campaign involves the deployment of new malware families including GhostFetch, HTTP_VIP, CHAR, and GhostBackDoor. GhostFetch is a first-stage downloader that profiles the system, validates mouse movements, checks screen resolution, and fetches and executes secondary payloads directly in memory. GhostBackDoor is a second-stage backdoor delivered by GhostFetch that supports an interactive shell, file read/write, and re-running GhostFetch. HTTP_VIP is a native downloader that conducts system reconnaissance and deploys AnyDesk from the C2 server. CHAR is a Rust backdoor controlled by a Telegram bot (username "stager_51_bot") that executes cmd.exe or PowerShell commands. The PowerShell command executed by CHAR is designed to execute a SOCKS5 reverse proxy or another backdoor named Kalim, upload data stolen from web browsers, and run unknown executables referred to as "sh.exe" and "gshdoc_release_X64_GUI.exe."
    The MuddyWater threat actor has been observed exploiting recently disclosed vulnerabilities on public-facing servers to obtain initial access to target networks. The MuddyWater APT group remains an active threat, with this operation primarily targeting organizations in the MENA region. The MuddyWater threat actor has targeted US companies in a new campaign that started in early February 2026. The campaign involves a previously unknown backdoor dubbed 'Dindoor' by cyber threat researchers. The Dindoor backdoor leverages Deno, the secure runtime for JavaScript and TypeScript, to execute. The backdoor was signed with a certificate issued to 'Amy Cherne'. An attempt to exfiltrate data from a software company using Rclone to a Wasabi cloud storage bucket was observed. A different, Python backdoor called Fakeset was found on the networks of a US airport. The Fakeset backdoor was signed by certificates issued to 'Amy Cherne' and 'Donald Gay'. The Donald Gay certificate has been used previously to sign malware linked to MuddyWater. The Donald Gay certificate was also used to sign a sample from the malware family tracked as 'Stagecomp', which downloads the Darkcomp backdoor. The Stagecomp and Darkcomp malware have been linked to MuddyWater by security vendors including Google, Microsoft, and Kaspersky.
  • 341 Malicious ClawHub Skills Target OpenClaw Users with Atomic Stealer
    A security audit by Koi Security identified 341 malicious skills on ClawHub, a marketplace for OpenClaw users, which distribute Atomic Stealer malware to steal sensitive data from macOS and Windows systems. The campaign, codenamed ClawHavoc, uses social engineering tactics to trick users into installing malicious prerequisites. The skills masquerade as legitimate tools, including cryptocurrency utilities, YouTube tools, and finance applications. OpenClaw has added a reporting feature and partnered with VirusTotal to scan skills uploaded to ClawHub, providing an additional layer of security for the OpenClaw community. The malware targets API keys, credentials, and other sensitive data, exploiting the open-source ecosystem's vulnerabilities. The campaign coincides with a report from OpenSourceMalware, highlighting the same threat. The intersection of AI agent capabilities and persistent memory amplifies the risks, enabling stateful, delayed-execution attacks. New findings reveal almost 400 fake crypto trading add-ons in the project behind the viral Moltbot/OpenClaw AI assistant tool can lead users to install information-stealing malware. These add-ons, called skills, masquerade as cryptocurrency trading automation tools and target ByBit, Polymarket, Axiom, Reddit, and LinkedIn. The malicious skills share the same command-and-control (C2) infrastructure, 91.92.242.30, and use sophisticated social engineering to convince users to execute malicious commands which then steal crypto assets such as exchange API keys, wallet private keys, SSH credentials, and browser passwords. Additionally, fake OpenClaw installers hosted on GitHub and promoted by Bing AI instructed users to run commands that deployed information stealers and proxy malware. Threat actors set up malicious GitHub repositories posing as OpenClaw installers, which were recommended by Bing in its AI-powered search results.
    The malicious repositories contained shell scripts paired with Mach-O executables identified as Atomic Stealer malware for macOS users. For Windows users, the threat actor delivered OpenClaw_x64.exe, which deployed multiple malicious executables, including Rust-based malware loaders and the Vidar stealer. Another Windows executable delivered was the GhostSocks backconnect proxy malware, designed to convert users' machines into proxy nodes.
  • U.S. Secret Service Seizes SIM Servers and Cards Near UN General Assembly
    The U.S. Secret Service has seized 300 SIM servers and 100,000 SIM cards in the New York tri-state area, which were used to threaten U.S. government officials and posed an imminent threat to national security. The seizure occurred near the United Nations General Assembly, and the devices could be weaponized for various attacks on telecommunications infrastructure. The FBI is also investigating a breach affecting systems used to manage surveillance and wiretap warrants, which was addressed but details on scope and impact remain undisclosed. Early evidence suggests involvement of nation-state threat actors, including the Chinese hacker group Salt Typhoon, which compromised U.S. federal government systems for court-authorized network wiretapping requests in 2024.
  • TriZetto Healthcare Data Breach Exposes 3.4 Million Patient Records
    TriZetto Provider Solutions, a healthcare IT company under Cognizant, suffered a data breach that exposed sensitive health data of over 3.4 million individuals. The breach began on November 19, 2024, and was detected on October 2, 2025. The exposed data includes names, addresses, Social Security numbers, and health insurance details. Affected providers were notified in December 2025, and customer notifications started in February 2026. TriZetto has enhanced its cybersecurity measures and offered free credit monitoring services to affected individuals. No financial data was compromised, and no misuse of the data has been reported.
  • Phobos Ransomware Suspect Arrested in Poland
    Polish authorities have arrested a 47-year-old man suspected of ties to the Phobos ransomware group. The arrest is part of "Operation Aether," a broader international effort coordinated by Europol. The suspect was found with stolen credentials, credit card numbers, and server access data, which could facilitate ransomware attacks. The suspect faces charges under Article 269b of Poland's Criminal Code, with a maximum prison sentence of five years if found guilty. Operation Aether has targeted Phobos-linked individuals at multiple levels, including backend infrastructure operators and affiliates involved in network intrusions and data encryption. The operation has led to the extradition of a key Phobos administrator to the United States and the seizure of 27 servers in Thailand. A Russian national, Evgenii Ptitsyn, pleaded guilty to a wire fraud conspiracy charge related to his role in administering the Phobos ransomware operation. Ptitsyn was extradited from South Korea in November 2024 and is facing up to 20 years in prison. The Phobos ransomware gang has collected over $39 million from more than 1,000 victims worldwide.
  • North Korean APTs Leverage AI to Enhance IT Worker Scams
    North Korean threat actors, specifically the clusters Jasper Sleet and Coral Sleet, are using AI to enhance their IT worker scams. These groups employ AI to fabricate identities, maintain digital personas, and socially engineer potential employers. The AI tools help them research job postings, generate fake resumes, and create convincing digital identities. Once employed, they use AI to perform job tasks, generate code snippets, and develop web infrastructure for malicious purposes. The use of AI complicates detection and response efforts, making these scams more effective and harder to detect.
  • Increase in Zero-Day Exploits in 2025
    Google Threat Intelligence Group (GTIG) reported tracking 90 zero-day vulnerabilities exploited in 2025, a 15% increase from 2024. Nearly half targeted enterprise software and appliances, with 43 (48%) zero-days identified, up from 36 (46%) in 2024. Memory safety issues accounted for 35% of these exploits. Commercial spyware vendors were the largest users of zero-days, surpassing state-sponsored groups. China-linked espionage groups remained the most active among state actors, while financially motivated actors also increased their use of zero-days. The most targeted enterprise systems included security appliances, networking infrastructure, VPNs, and virtualization platforms. Google recommends reducing attack surfaces, continuous monitoring, and rapid patching to mitigate risks.
Last updated: 23:15 06/03/2026 UTC
  • Texas Sues TV Manufacturers for Alleged Unauthorized Data Collection via ACR Technology
    Texas Attorney General Ken Paxton has filed lawsuits against Sony, Samsung, LG, Hisense, and TCL Technology Group Corporation for allegedly using Automated Content Recognition (ACR) technology to secretly capture screenshots of users' viewing activity every 500 milliseconds and sell the data without consent. The suits highlight concerns about data access by Chinese companies under China's National Security Law. A Texas court initially issued a temporary restraining order (TRO) against Samsung, prohibiting the company from collecting audio and visual data from Texas consumers' smart TVs. However, the court vacated the TRO the following day, allowing Samsung to continue its data collection practices. The TRO, which was set to extend until January 19, followed allegations that Samsung's ACR enrollment practices are deceptive and violate the Texas Deceptive Trade Practices Act (DTPA). The court also noted that users are pressured into consenting to data collection through dark patterns, making it difficult to fully opt out. The lawsuits allege that the collected data is sold to third parties for ad targeting, violating users' privacy rights. This follows a similar 2017 case against Vizio, which settled for $2.2 million for similar practices. Samsung and the State of Texas have reached a settlement agreement over the alleged unlawful collection of content-viewing information through its smart TVs. As part of the agreement, Samsung will revise its privacy disclosures to clearly explain its data collection and processing practices to consumers. Samsung must halt any collection or processing of ACR viewing data without obtaining Texas consumers' express consent and update its smart TVs to implement clear and conspicuous disclosures and consent screens.
  • Starkiller Phishing Kit Bypasses MFA via Proxy-Based Attacks
    A new phishing kit called Starkiller has emerged, allowing attackers to bypass multi-factor authentication (MFA) by proxying legitimate login pages. The kit is distributed as a subscription-based service on the dark web, offering real-time session monitoring and keylogging capabilities. It mimics login pages of major services like Google, Microsoft, and banks, routing traffic through attacker-controlled infrastructure to steal credentials and authentication tokens. Starkiller uses Docker containers running headless Chrome instances to serve genuine page content, making it difficult for security vendors to detect or block. The toolkit is sold with updates and customer support, posing a significant escalation in phishing infrastructure. The service is part of a broader cybercrime offering by a threat group called Jinkusu, which provides additional features such as email harvesting and campaign analytics. Starkiller integrates URL shorteners such as TinyURL to obscure the destination URL. It uses a headless Chrome instance inside a Docker container to act as a reverse proxy between the target and the legitimate site. The platform centralizes infrastructure management, phishing page deployment, and session monitoring within a single control panel, combining URL masking, session hijacking, and MFA bypass to streamline phishing operations.
  • Ransomware attack disrupts University of Mississippi Medical Center operations
    The University of Mississippi Medical Center (UMMC) has resumed normal operations nine days after a ransomware attack disrupted IT systems and blocked access to electronic medical records. All clinics statewide have reopened, and UMMC is working to reschedule missed appointments. The attack led to the cancellation of outpatient procedures, ambulatory surgeries, and imaging appointments, but hospital operations continued using downtime procedures. UMMC is investigating with assistance from CISA, the FBI, and the Department of Homeland Security. The attackers have communicated with UMMC, but no ransomware group has claimed responsibility. UMMC operates seven hospitals, 35 clinics, and over 200 telehealth sites statewide, including the state's only organ and bone marrow transplant program, the only children's hospital, the only Level I trauma center, and one of two Telehealth Centers of Excellence in the United States.
  • Ransomware Payment Rate Declines Amid Rising Attacks
    The percentage of ransomware victims paying threat actors dropped to 28% in 2025, the lowest recorded, despite a 50% increase in attacks. Total on-chain payments reached $820 million, with projections exceeding $900 million. Factors like improved incident response, regulatory scrutiny, and law enforcement actions contributed to the decline. The median ransom payment surged by 368%, indicating larger payouts from fewer victims. The number of active extortion groups rose to 85, with notable attacks on Jaguar Land Rover, Marks & Spencer, and DaVita Inc. The U.S. remained the most targeted country. The ransomware payment rate has been declining for four consecutive years, and the average price for network access declined from $1,427 in Q1 2023 to $439 in Q1 2026. Ransomware actors are extorting bigger payments from a smaller number of victims, and the median payment increased 368%, from $12,738 in 2024 to $59,556 in 2025. The US was the most heavily targeted country, followed by Canada, Germany, the UK, and other parts of Europe. Manufacturing and finance/professional services were the most heavily hit in most of these countries, although Canada and Germany had a high compromise rate in supply chains, logistics, and critical infrastructure.
  • OAuth Device Code Phishing Campaigns Target Microsoft 365 Accounts
    A surge in phishing campaigns exploiting Microsoft's OAuth device code authorization flow has been observed, targeting Microsoft 365 accounts. Both state-aligned and financially motivated actors are using social engineering to trick users into approving malicious applications, leading to account takeover and data theft. The attacks leverage the OAuth 2.0 device authorization grant, a legitimate process designed for devices with limited input capabilities. Once victims enter a device code generated by an attacker-controlled application, the threat actor receives a valid access token, granting control over the compromised account. The campaigns use QR codes, embedded buttons, and hyperlinked text to initiate the attack chain, often claiming to involve document sharing, token reauthorization, or security verification. The growth of these campaigns is linked to readily available phishing tools like SquarePhish2 and Graphish, which simplify device code abuse and require limited technical skill. Proofpoint observed the financially motivated actor TA2723 and the Russia-linked group UNK_AcademicFlare adopting this technique, targeting various sectors in the US and Europe. Microsoft recently warned of phishing campaigns using OAuth URL redirection mechanisms to bypass conventional phishing defenses. These campaigns target government and public-sector organizations, redirecting victims to attacker-controlled infrastructure without stealing their tokens. Attackers abuse OAuth's standard behavior by crafting URLs with manipulated parameters or associated malicious applications to redirect users to malicious destinations. The attack starts with a malicious application created by the threat actor, configured with a redirect URL pointing to a rogue domain hosting malware.
    The malicious payloads are distributed as ZIP archives, leading to PowerShell execution, DLL side-loading, and pre-ransom or hands-on-keyboard activity. The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare. The attacks involve using compromised email addresses belonging to government and military organizations to strike entities within the government, think tank, higher education, and transportation sectors in the U.S. and Europe. The adversary claims to share a link to a document that includes questions or topics for the email recipient to review before the meeting. The URL points to a Cloudflare Worker URL that mimics the compromised sender's Microsoft OneDrive account and instructs the victim to copy the provided code and click 'Next' to access the supposed document. Device code phishing was documented in detail by both Microsoft and Volexity in February 2025, attributing the use of the attack method to Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307. The October 2025 campaign is assessed to have been fueled by the ready availability of crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish. To counter the risk posed by device code phishing, the best option is to create a Conditional Access policy using the Authentication Flows condition to block device code flow for all users. If that's not feasible, it's advised to use a policy that takes an allow-list approach, permitting device code authentication only for approved users, operating systems, or IP ranges. Threat actors are now targeting technology, manufacturing, and financial organizations in campaigns that combine device code phishing and voice phishing (vishing) to abuse the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts.
    Unlike previous attacks that utilized malicious OAuth applications to compromise accounts, these campaigns instead leverage legitimate Microsoft OAuth client IDs and the device authorization flow to trick victims into authenticating. This provides attackers with valid authentication tokens that can be used to access the victim's account without relying on regular phishing sites that steal passwords or intercept multi-factor authentication codes. Hackers are abusing the legitimate OAuth redirection mechanism to bypass phishing protections in email and browsers to take users to malicious pages. The attacks target government and public-sector organizations with phishing links that prompt users to authenticate to a malicious application. The malicious OAuth applications are registered with an identity provider, such as Microsoft Entra ID, and leverage the OAuth 2.0 protocol to obtain delegated or application-level access to user data and resources. The attackers create malicious OAuth applications in a tenant they control and configure them with a redirect URI pointing to their infrastructure. The researchers say that even if the URLs for Entra ID look like legitimate authorization requests, the endpoint is invoked with parameters for silent authentication without an interactive login and an invalid scope that triggers authentication errors. This forces the identity provider to redirect users to the redirect URI configured by the attacker. In some cases, the victims are redirected to phishing pages powered by attacker-in-the-middle frameworks such as EvilProxy, which can intercept valid session cookies to bypass multi-factor authentication (MFA) protections. Microsoft found that the 'state' parameter was misused to auto-fill the victim's email address in the credentials box on the phishing page, increasing the perceived sense of legitimacy.
    In other instances, the victims are redirected to a 'download' path that automatically delivers a ZIP file with malicious shortcut (.LNK) files and HTML smuggling tools. Opening the .LNK launches PowerShell, which performs reconnaissance on the compromised host and extracts the components required for the next step, DLL side-loading. A malicious DLL (crashhandler.dll) decrypts and loads the final payload (crashlog.dat) into memory, while a legitimate executable (stream_monitor.exe) loads a decoy to distract the victim. Microsoft suggests that organizations should tighten permissions for OAuth applications, enforce strong identity protections and Conditional Access policies, and use cross-domain detection across email, identity, and endpoints.
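The allow-list mitigation described above, as an added triage script (not code from the original page, Microsoft, or Proofpoint): it parses a constructed batch of Entra ID sign-in records, keeps only device code flow sign-ins, and reports those that fall outside an approved user, operating system, or IP range list. The field names (authenticationProtocol, userPrincipalName, ipAddress, deviceDetail.operatingSystem, appDisplayName, status.errorCode) are assumed to follow the Microsoft Graph signIn schema, and the allow-list values are placeholders.

```python
"""Triage Entra ID sign-in records for OAuth 2.0 device code flow usage.

Added example, not code from the original page, Microsoft or Proofpoint.
It applies the allow-list approach the article describes: device code
sign-ins are acceptable only for approved users, operating systems or IP
ranges; every other device code sign-in is reported for review.
Assumption: field names follow the Microsoft Graph signIn schema
(authenticationProtocol, userPrincipalName, ipAddress,
deviceDetail.operatingSystem, appDisplayName, status.errorCode).
"""
from __future__ import annotations

import ipaddress
import json
from dataclasses import dataclass

# Constructed sample records (documentation-range IPs, placeholder tenant).
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.9", "deviceDetail": {"operatingSystem": "Linux"},
     "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77", "deviceDetail": {"operatingSystem": "Windows"},
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.78", "deviceDetail": {"operatingSystem": "Windows"},
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.5", "deviceDetail": {"operatingSystem": "Linux"},
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}},
    {"userPrincipalName": "erin@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.40", "deviceDetail": {"operatingSystem": "Windows"},
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
])


@dataclass(frozen=True)
class AllowList:
    """Who may legitimately use the device code flow (placeholder values)."""
    users: frozenset[str]
    operating_systems: frozenset[str]
    networks: tuple[ipaddress.IPv4Network | ipaddress.IPv6Network, ...]


# Placeholder policy: one approved admin account, no blanket OS approval,
# one approved corporate egress range. Tune to the tenant's real exceptions.
DEFAULT_ALLOW = AllowList(
    users=frozenset({"alice@example.com"}),
    operating_systems=frozenset(),
    networks=(ipaddress.ip_network("203.0.113.0/24"),),
)


def parse_signins(raw: str) -> list[dict]:
    """Parse a JSON array of sign-in records (e.g. the Graph API 'value' list)."""
    records = json.loads(raw)
    if not isinstance(records, list):
        raise ValueError("expected a JSON array of sign-in records")
    return records


def is_device_code(record: dict) -> bool:
    """True when the sign-in used the OAuth 2.0 device authorization grant."""
    return record.get("authenticationProtocol") == "deviceCode"


def permitted(record: dict, allow: AllowList) -> bool:
    """Any one allow-list match (user, OS, or source network) permits the sign-in."""
    upn = (record.get("userPrincipalName") or "").lower()
    if upn in allow.users:
        return True
    os_name = (record.get("deviceDetail") or {}).get("operatingSystem") or ""
    if os_name in allow.operating_systems:
        return True
    try:
        ip = ipaddress.ip_address(record.get("ipAddress") or "")
    except ValueError:
        return False  # missing or malformed IP: never silently permit
    return any(ip in net for net in allow.networks)


def triage(raw: str, allow: AllowList = DEFAULT_ALLOW) -> list[dict]:
    """Return device code sign-ins that fall outside the allow-list."""
    findings = []
    for rec in parse_signins(raw):
        if not is_device_code(rec) or permitted(rec, allow):
            continue
        error_code = (rec.get("status") or {}).get("errorCode", 0)
        findings.append({
            "user": rec.get("userPrincipalName"),
            "ip": rec.get("ipAddress"),
            "app": rec.get("appDisplayName"),
            # A granted token means the account is already in the attacker's
            # hands if the user was tricked; a failed attempt is still worth noting.
            "succeeded": error_code == 0,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SIGNINS):
        state = "GRANTED" if f["succeeded"] else "failed "
        print(f"{state} device code sign-in: {f['user']} from {f['ip']} via {f['app']}")
```

Records where the device code flow succeeded outside the allow-list are the ones to treat as probable account compromise and revoke sessions for; the failed ones show who is being targeted.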

Latest updates


TriZetto Healthcare Data Breach Exposes 3.4 Million Patient Records

First: 06.03.2026 21:50 · 📰 1 source / 1 article


North Korean APTs Leverage AI to Enhance IT Worker Scams

First: 06.03.2026 19:49 · 📰 1 source / 1 article


Coruna iOS Exploit Kit Targets iOS 13–17.2.1 with 23 Exploits

Updated: 06.03.2026 17:57 · First: 04.03.2026 15:28 · 📰 4 sources / 4 articles

Google's Threat Intelligence Group identified the Coruna exploit kit, targeting iOS versions 13.0 to 17.2.1. The kit includes five exploit chains and 23 exploits, some using non-public techniques. It has been used by multiple threat actors, including government-backed groups and financially motivated actors. The kit was first observed in February 2025 and has since been linked to campaigns involving Russian and Chinese actors. The exploit kit leverages vulnerabilities in WebKit and other components, some of which were patched by Apple but remained undocumented until later. The kit is designed to fingerprint devices and deliver appropriate exploits based on the iOS version. It avoids execution on devices in Lockdown Mode or private browsing. The Coruna exploit kit marks a shift from targeted spyware attacks to broader exploitation of iOS devices, including crypto theft attacks. The kit includes a stager loader called PlasmaGrid, which targets cryptocurrency wallet apps such as MetaMask, Phantom, Exodus, BitKeep, and Uniswap. The exploit kit was used in watering hole attacks targeting iPhone users visiting compromised Ukrainian websites in summer 2025 and on fake Chinese gambling and crypto websites in late 2025. The exploit kit includes a binary loader that deploys the final stage of the attack after the initial browser exploit succeeds. It uses custom encryption and compression methods to deliver payloads and is ineffective against the latest iOS versions. CISA added three of the 23 Coruna vulnerabilities to its catalog of Known Exploited Vulnerabilities, ordering federal agencies to patch the vulnerabilities by March 26, 2026. CISA also urged all organizations to prioritize patching these flaws to secure their devices against attacks.

MuddyWater Expands Global Campaigns with New Backdoors Targeting US and Israeli Entities

Updated: 06.03.2026 17:15 · First: 22.10.2025 18:00 · 📰 8 sources / 16 articles

The MuddyWater threat actor, linked to Iran and also known as Static Kitten, Mercury, and Seedworm, has conducted a global phishing campaign targeting over 100 organizations, including government entities, embassies, diplomatic missions, foreign affairs ministries, consulates, international organizations, and telecommunications firms in the Middle East and North Africa (MENA) region. The campaign used compromised email accounts to send phishing emails with malicious Microsoft Word documents containing macros that dropped and launched the Phoenix backdoor, version 4. This backdoor provided remote control over infected systems. The campaign was active starting August 19, 2025, and used a command-and-control (C2) server registered under the domain screenai[.]online. The attackers employed three remote monitoring and management (RMM) tools and a custom browser credential stealer, Chromium_Stealer. The malware and tools were hosted on a temporary Python-based HTTP service linked to NameCheap's servers. The campaign highlights the ongoing use of trusted communication channels by state-backed threat actors to evade defenses and infiltrate high-value targets. The server and server-side command-and-control (C2) component were taken down on August 24, 2025, likely indicating a new stage of the attack. The MuddyWater threat actor has also targeted Israeli entities spanning academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors. The hacking group has delivered a previously undocumented backdoor called MuddyViper. The attacks also singled out one technology company based in Egypt. The attack chains involve spear-phishing and the exploitation of known vulnerabilities in VPN infrastructure to infiltrate networks and deploy legitimate remote management tools. The campaign uses a loader named Fooder that decrypts and executes the C/C++-based MuddyViper backdoor. 
The MuddyViper backdoor enables the attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data. Additionally, the MuddyWater threat actor has deployed a new backdoor called UDPGangster that uses the User Datagram Protocol (UDP) for command-and-control (C2) purposes. The attack chain involves using spear-phishing tactics to distribute booby-trapped Microsoft Word documents that trigger the execution of a malicious payload once macros are enabled. The phishing messages impersonate the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs and purport to invite recipients to an online seminar titled "Presidential Elections and Results." The VBA script in the dropper file conceals any sign of malicious activity by displaying a Hebrew-language decoy image from Israeli telecommunications provider Bezeq about supposed disconnection periods in the first week of November 2025 across various cities in the country. UDPGangster establishes persistence through Windows Registry modifications and includes various anti-analysis checks to hinder reverse engineering by security researchers. UDPGangster connects to an external server ("157.20.182[.]75") over UDP port 1269 to exfiltrate collected data, run commands using "cmd.exe," transmit files, update the C2 server, and drop and execute additional payloads. The MuddyWater threat actor has launched a new campaign targeting diplomatic, maritime, financial, and telecom entities in the Middle East with a Rust-based implant codenamed RustyWater. The campaign uses icon spoofing and malicious Word documents to deliver Rust-based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion.
The RustyWater implant gathers victim machine information, detects installed security software, sets up persistence by means of a Windows Registry key, and establishes contact with a command-and-control (C2) server (nomercys.it[.]com) to facilitate file operations and command execution. The RustyWater implant is also referred to as Archer RAT and RUSTRIC. The use of RUSTRIC was previously flagged by Seqrite Labs as part of attacks targeting IT, MSPs, human resources, and software development companies in Israel. Historically, MuddyWater has relied on PowerShell and VBS loaders for initial access and post-compromise operations, but the introduction of Rust-based implants represents a notable tooling evolution toward more structured, modular, and low-noise RAT capabilities. The MuddyWater threat actor has launched a new campaign codenamed Operation Olalampo targeting organizations and individuals in the Middle East and North Africa (MENA) region. The campaign involves the deployment of new malware families including GhostFetch, HTTP_VIP, CHAR, and GhostBackDoor. GhostFetch is a first-stage downloader that profiles the system, validates mouse movements, checks screen resolution, and fetches and executes secondary payloads directly in memory. GhostBackDoor is a second-stage backdoor delivered by GhostFetch that supports an interactive shell, file read/write, and re-running GhostFetch. HTTP_VIP is a native downloader that conducts system reconnaissance and deploys AnyDesk from the C2 server. CHAR is a Rust backdoor controlled by a Telegram bot (username "stager_51_bot") that executes cmd.exe or PowerShell commands. The PowerShell command executed by CHAR is designed to execute a SOCKS5 reverse proxy or another backdoor named Kalim, upload data stolen from web browsers, and run unknown executables referred to as "sh.exe" and "gshdoc_release_X64_GUI.exe."
The MuddyWater threat actor has been observed exploiting recently disclosed vulnerabilities on public-facing servers to obtain initial access to target networks. The MuddyWater APT group remains an active threat within the MENA region, where this operation primarily targets organizations. The MuddyWater threat actor has targeted US companies in a new campaign that started in early February 2026. The campaign involves a previously unknown backdoor dubbed 'Dindoor' by cyber threat researchers. The Dindoor backdoor uses Deno, the JavaScript and TypeScript runtime, to execute. The backdoor was signed with a certificate issued to 'Amy Cherne'. An attempt to exfiltrate data from a software company using Rclone to a Wasabi cloud storage bucket was observed. A different, Python-based backdoor called Fakeset was found on the networks of a US airport. The Fakeset backdoor was signed by certificates issued to 'Amy Cherne' and 'Donald Gay'. The Donald Gay certificate has been used previously to sign malware linked to MuddyWater. The Donald Gay certificate was also used to sign a sample from the malware family tracked as 'Stagecomp', which downloads the Darkcomp backdoor. The Stagecomp and Darkcomp malware have been linked to MuddyWater by security vendors including Google, Microsoft, and Kaspersky.

EC-Council Launches Enterprise AI Credential Suite to Address Workforce Gaps

Updated: 06.03.2026 17:00 · First: 21.02.2026 06:30 · 📰 2 src / 2 articles

EC-Council has expanded its certification portfolio with the launch of the Enterprise AI Credential Suite, introducing four new AI-focused certifications alongside the updated Certified CISO v4. This initiative aims to address the growing gap between AI adoption and workforce readiness, particularly in the U.S., where 700,000 workers need reskilling. The new certifications cover various aspects of AI adoption, security, and governance, aligning with U.S. priorities on workforce development and AI education. The launch is driven by the urgent need to prepare professionals for AI-driven risk environments, as AI adoption accelerates and attack surfaces expand. The certifications are designed to provide practical capabilities across AI adoption, security, and governance, helping organizations scale AI with confidence. The launch marks the largest single expansion of EC-Council's portfolio in its 25-year history, with the certifications structured around the Adopt. Defend. Govern. (ADG) framework. The International Monetary Fund (IMF) and the World Economic Forum (WEF) have highlighted workforce readiness as a primary constraint on AI-driven productivity and growth, with 67 percent of AI talent located in just 15 U.S. cities and women representing only 28 percent of the AI workforce.

InstallFix Attacks Distribute Amatera Infostealer via Fake Claude Code Install Guides

Updated: · First: 06.03.2026 17:00 · 📰 1 src / 1 articles

Threat actors are using a new social engineering technique called InstallFix to trick users into executing malicious commands under the guise of installing legitimate CLI tools, such as Claude Code. The attackers create cloned installation pages with malicious commands that deliver the Amatera infostealer. The campaigns are promoted through malvertising on Google Ads, targeting users searching for installation guides. The Amatera infostealer steals browser credentials, cookies, and session tokens while evading detection.

Microsoft 365 Backup Introduces File-Level Restore for Faster Recovery

Updated: · First: 06.03.2026 16:21 · 📰 1 src / 1 articles

Microsoft is rolling out an upgrade to Microsoft 365 Backup that enables file-level restore capabilities. This enhancement allows administrators to restore individual files and folders, reducing recovery time and improving efficiency. The feature is currently in public preview and is expected to reach general availability by late April or early May 2026. The upgrade is designed to protect against data loss from ransomware, accidental deletion, or data corruption, and is available exclusively to tenants with Microsoft 365 Backup already enabled. Admins with the SharePoint Backup Administrator role can use this feature to browse and search existing restore points for SharePoint sites and OneDrive accounts.

Iranian Cyber Threat Activity Against U.S. Critical Infrastructure and Kinetic Targeting

Updated: 06.03.2026 16:01 · First: 30.06.2025 15:00 · 📰 16 src / 21 articles

Iranian state-sponsored and affiliated cyber threat actors have **formalized a cyber-kinetic war doctrine**, integrating digital reconnaissance with physical strikes following the February 28, 2026, joint US-Israel military operation (*Epic Fury*). New research confirms Iran’s systematic compromise of **Hikvision and Dahua IP cameras** across Israel, Qatar, Bahrain, Kuwait, the UAE, Cyprus, and Lebanon, exploiting **five vulnerabilities that have vendor patches but remain widely unpatched in the field** (CVE-2017-7921, CVE-2021-36260, CVE-2023-6895, CVE-2025-34067, CVE-2021-33044) to enable **real-time battle damage assessment and missile-targeting support**. Check Point Research assesses this activity as a **predictive indicator of kinetic strikes**, mirroring tactics used during the June 2025 Israel-Iran conflict, such as the Weizmann Institute attack. The campaign extends beyond surveillance: **pro-Iranian actors breached Jordan’s Silos and Supply General Company via phishing**, while IRGC-linked groups conducted **limited but targeted ICS/SCADA attacks** and **DDoS campaigns against UAE/Bahrain government entities**. CrowdStrike and Flashpoint warn of escalating hybrid tactics, including **propaganda operations, data center missile strikes, and hacktivist proxies** (e.g., Russian Legion) expanding targets to US-based critical infrastructure. Analysts emphasize that Iran’s strategy blends **cyber-enabled kinetic warfare, economic coercion, and psychological operations** to stretch adversary defenses, with **low-cost, high-impact cyber operations** becoming standard doctrine. Organizations are urged to **segment ICS networks, eliminate public WAN exposure for cameras, and monitor for unusual CCTV login patterns** as early warnings of physical threats. Prior waves included **149 hacktivist DDoS attacks** (70% by Keymous+/DieNet) against **110 organizations in 16 countries**, IRGC strikes on **Saudi Aramco and a U.A.E. AWS data center**, and **SMS phishing** via fake *RedAlert* app updates.
UNC1549 (Nimbus Manticore) remains a top-tier threat, while Iranian cryptocurrency exchanges adjust operations amid sanctions-induced connectivity blackouts (internet at ~4% capacity). The UK NCSC and GTIG reiterate calls for **DDoS resilience, ICS segmentation, and supply-chain hardening**, with warnings that Iran’s **ransomware-as-smokescreen** and **wiper attacks** may intensify as the conflict progresses.

Hacktivists Use AI to Compromise Mexican Government Agencies

Updated: · First: 06.03.2026 15:37 · 📰 1 src / 1 articles

A small group of hacktivists exploited AI platforms to infiltrate at least nine Mexican government agencies, stealing over 195 million identities, 2.2 million property records, and other sensitive data. The attackers used Anthropic's Claude and OpenAI's ChatGPT to bypass security measures, find vulnerabilities, and build attack tools. The breach lasted over a month, with backdoors left in compromised systems. The attackers masqueraded as legitimate penetration testers to bypass AI guardrails within 40 minutes. They had no clear financial motive and showed significant technical proficiency in co-opting AI for their operations.

Increase in Zero-Day Exploits in 2025

Updated: 06.03.2026 14:29 · First: 05.03.2026 17:03 · 📰 2 src / 2 articles

Google Threat Intelligence Group (GTIG) reported tracking 90 zero-day vulnerabilities exploited in 2025, a 15% increase from 2024. Nearly half targeted enterprise software and appliances, with 43 (48%) zero-days identified, up from 36 (46%) in 2024. Memory safety issues accounted for 35% of these exploits. Commercial spyware vendors were the largest users of zero-days, surpassing state-sponsored groups. China-linked espionage groups remained the most active among state actors, while financially motivated actors also increased their use of zero-days. The most targeted enterprise systems included security appliances, networking infrastructure, VPNs, and virtualization platforms. Google recommends reducing attack surfaces, continuous monitoring, and rapid patching to mitigate risks.

AI-Powered Risk Management for MSP Cybersecurity Scaling

Updated: · First: 06.03.2026 12:30 · 📰 1 src / 1 articles

Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) are leveraging AI-powered risk management to scale their cybersecurity services. This approach helps them deliver measurable value, build client trust, and drive recurring revenue. The guide outlines the challenges MSPs face and how AI-powered risk management can solve these issues, enabling scalable and efficient service delivery.

Ghanaian Fraud Ring Member Pleads Guilty to $100 Million Scam

Updated: · First: 06.03.2026 12:08 · 📰 1 src / 1 articles

Derrick Van Yeboah, a Ghanaian national, pleaded guilty to his role in a fraud ring that stole over $100 million from U.S. victims through business email compromise (BEC) attacks and romance scams. The operation, active from 2016 to May 2023, involved multiple accomplices and targeted vulnerable individuals and businesses. Van Yeboah, a high-ranking member, is set to pay over $10 million in restitution and faces up to 20 years in prison.

U.S. Secret Service Seizes SIM Servers and Cards Near UN General Assembly

Updated: 06.03.2026 10:44 · First: 23.09.2025 18:48 · 📰 2 src / 3 articles

The U.S. Secret Service has seized 300 SIM servers and 100,000 SIM cards in the New York tri-state area, which were used to threaten U.S. government officials and posed an imminent threat to national security. The seizure occurred near the United Nations General Assembly, and the devices could be weaponized for various attacks on telecommunications infrastructure. The FBI is also investigating a breach affecting systems used to manage surveillance and wiretap warrants, which was addressed but details on scope and impact remain undisclosed. Early evidence suggests involvement of nation-state threat actors, including the Chinese hacker group Salt Typhoon, which compromised U.S. federal government systems for court-authorized network wiretapping requests in 2024.

China-Linked UAT-9244 Targets Telecoms with New Malware and ORB Nodes

Updated: 06.03.2026 10:22 · First: 08.01.2026 16:54 · 📰 4 src / 5 articles

China-nexus threat actor UAT-9244 has been targeting telecommunications providers in South America since at least 2024. The group conducts extensive reconnaissance before deploying malware families like TernDoor, PeerTime, and BruteEntry. UAT-9244 also establishes Operational Relay Box (ORB) nodes, which other China-nexus actors may use, indicating a dual role in espionage and initial access provision. The group uses a mix of open-source malware, custom tooling, and 1-day vulnerabilities in edge networking products. Recent activity shows overlaps with FamousSparrow and Tropic Trooper, suggesting a broader China-linked operation. UAT-9244 has been active since at least November 2024, deploying TernDoor through DLL side-loading, PeerTime using BitTorrent for C2 communications, and BruteEntry to build proxy infrastructure (ORBs).

CISA Adds Hikvision and Rockwell Automation Flaws to KEV Catalog

Updated: · First: 06.03.2026 08:30 · 📰 1 src / 1 articles

CISA has added two critical vulnerabilities (CVE-2017-7921 and CVE-2021-22681) affecting Hikvision and Rockwell Automation products to its KEV catalog due to evidence of active exploitation. The flaws, both with a CVSS score of 9.8, could allow privilege escalation and unauthorized access. Federal agencies are urged to patch by March 26, 2026. CVE-2017-7921 impacts multiple Hikvision products, enabling privilege escalation and access to sensitive information. CVE-2021-22681 affects Rockwell Automation Studio 5000 Logix Designer, RSLogix 5000, and Logix Controllers, allowing unauthorized users to bypass authentication and alter configurations.

341 Malicious ClawHub Skills Target OpenClaw Users with Atomic Stealer

Updated: 06.03.2026 00:37 · First: 02.02.2026 19:49 · 📰 4 src / 8 articles

A security audit by Koi Security identified 341 malicious skills on ClawHub, a marketplace for OpenClaw users, which distribute Atomic Stealer malware to steal sensitive data from macOS and Windows systems. The campaign, codenamed ClawHavoc, uses social engineering tactics to trick users into installing malicious prerequisites. The skills masquerade as legitimate tools, including cryptocurrency utilities, YouTube tools, and finance applications. OpenClaw has added a reporting feature and partnered with VirusTotal to scan skills uploaded to ClawHub, providing an additional layer of security for the OpenClaw community. The malware targets API keys, credentials, and other sensitive data, exploiting the open-source ecosystem's vulnerabilities. The campaign coincides with a report from OpenSourceMalware, highlighting the same threat. The intersection of AI agent capabilities and persistent memory amplifies the risks, enabling stateful, delayed-execution attacks. New findings reveal that almost 400 fake crypto trading add-ons in the project behind the viral Moltbot/OpenClaw AI assistant tool can lead users to install information-stealing malware. These add-ons, called skills, masquerade as cryptocurrency trading automation tools and target ByBit, Polymarket, Axiom, Reddit, and LinkedIn. The malicious skills share the same command-and-control (C2) infrastructure, 91.92.242.30, and use sophisticated social engineering to convince users to execute malicious commands, which then steal crypto assets such as exchange API keys, wallet private keys, SSH credentials, and browser passwords. Additionally, fake OpenClaw installers hosted on GitHub and promoted by Bing AI instructed users to run commands that deployed information stealers and proxy malware. Threat actors set up malicious GitHub repositories posing as OpenClaw installers, which were recommended by Bing in its AI-powered search results.
The malicious repositories contained shell scripts paired with Mach-O executables identified as Atomic Stealer malware for macOS users. For Windows users, the threat actor delivered OpenClaw_x64.exe, which deployed multiple malicious executables, including Rust-based malware loaders and Vidar stealer. Another Windows executable delivered was the GhostSocks backconnect proxy malware, designed to convert users' machines into proxy nodes.

Self-propagating JavaScript worm targets Wikimedia projects

Updated: · First: 05.03.2026 22:42 · 📰 1 src / 1 articles

A self-propagating JavaScript worm exploited a malicious script on Russian Wikipedia, spreading across multiple Wikimedia projects and vandalizing pages. The worm modified user scripts and global JavaScript files, affecting approximately 3,996 pages and 85 user accounts. Wikimedia temporarily restricted editing to contain the attack and revert changes. The incident began when a Wikimedia employee account executed a dormant script, which then propagated through user sessions and global scripts. The worm's persistence mechanisms included modifying user-level and site-wide JavaScript files, allowing it to spread automatically. The injected code also edited random pages to insert hidden JavaScript loaders. Wikimedia has not yet released a detailed post-incident report.

Critical Vulnerability in WordPress User Registration & Membership Plugin Exploited

Updated: · First: 05.03.2026 20:44 · 📰 1 src / 1 articles

A critical vulnerability (CVE-2026-1492) in the WordPress User Registration & Membership plugin, installed on over 60,000 sites, allows attackers to create admin accounts without authentication. This flaw, rated 9.8 in severity, enables full site control, data theft, and malware distribution. The developer has released a patch in version 5.1.3, with the latest version being 5.1.4. Hackers have already attempted to exploit this vulnerability in over 200 attacks in the past 24 hours. Website administrators are urged to update the plugin immediately or disable it if updating is not possible.

U.S. Marshals Service Contractor's Son Arrested for $46M Crypto Theft

Updated: · First: 05.03.2026 20:36 · 📰 1 src / 1 articles

John Daghita, son of a U.S. government contractor and president of Command Services & Support (CMDSS), was arrested on Saint Martin for allegedly stealing $46 million in cryptocurrency from the U.S. Marshals Service (USMS). The arrest followed a joint operation by the FBI and France's Groupe d'Intervention de la Gendarmerie Nationale. Daghita, known online as "Lick," was linked to the theft through blockchain analysis by investigator ZachXBT, who traced funds to wallets associated with Daghita. The stolen funds included assets tied to the 2016 Bitfinex hack. Daghita was reportedly taunting ZachXBT via Telegram, even sending small amounts of stolen funds to the investigator's public wallet address in a "dust attack." Law enforcement seized multiple hard drives, security keys, and an undisclosed amount of U.S. dollars during the arrest.

Rise in AI-Driven Insider Threats Classified as Critical Business Risk

Updated: · First: 05.03.2026 18:00 · 📰 1 src / 1 articles

Mimecast's State of Human Risk Report 2026 highlights a significant increase in insider threats, driven by AI misuse and employee negligence. The report identifies both malicious insiders and negligent employees as critical risks, with 42% of organizations reporting an uptick in such threats. AI tools are being exploited to enhance phishing attacks and facilitate data exfiltration, making insider risk a growing concern for cybersecurity leaders.

Critical Authentication Bypass in Cisco Catalyst SD-WAN Exploited Since 2023

Updated: 05.03.2026 17:22 · First: 25.02.2026 20:01 · 📰 5 src / 6 articles

A critical authentication bypass vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN has been actively exploited in zero-day attacks since at least 2023. The flaw allows remote attackers to compromise controllers and add malicious rogue peers to targeted networks. The vulnerability stems from a defective peering authentication mechanism, enabling attackers to log in as high-privileged users and manipulate network configurations. Cisco has released specific software updates to address the issue, and CISA has issued an emergency directive requiring federal agencies to patch affected systems by February 27, 2026. Attackers have been found to leverage the built-in update mechanism to stage a software version downgrade and escalate to the root user by exploiting CVE-2022-20775, and have taken steps to clear evidence of the intrusion by purging logs and command history. Additionally, Cisco has flagged two more Catalyst SD-WAN Manager security flaws (CVE-2026-20128 and CVE-2026-20122) as actively exploited in the wild, urging administrators to upgrade vulnerable devices. CVE-2026-20128 is an information disclosure issue affecting the Data Collection Agent (DCA) feature, allowing an authenticated, local attacker to gain DCA user privileges. CVE-2026-20122 is an arbitrary file overwrite bug affecting the API, allowing a remote, authenticated attacker to overwrite arbitrary files and gain elevated privileges. Cisco Talos has linked the attacks exploiting CVE-2026-20127 to UAT-8616, a highly sophisticated threat actor active since at least 2023. Cisco has also released updates to address two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software: CVE-2026-20079 and CVE-2026-20131.

2026 Browser Security Report Highlights Enterprise Blind Spots

Updated: · First: 05.03.2026 17:01 · 📰 1 src / 1 articles

The 2026 State of Browser Security Report reveals that browsers have become the most critical yet least protected control point in enterprises. AI-native browsers have shifted from experimental tools to mainstream business platforms, creating significant security blind spots. The report highlights the rapid evolution of browser capabilities, including AI copilots and generative AI tools, which are now integral to daily work tasks. However, enterprise security architectures have not kept pace, leaving a growing gap in visibility and control over sensitive data and user activities. The report also details the widespread use of AI tools within browser sessions, the exposure of sensitive data in 'trusted' apps, and the increasing prevalence of browser-based attacks that bypass traditional security controls.

Latin American Organizations Struggle with Cybersecurity Defenses and Skills Shortage

Updated: 05.03.2026 16:00 · First: 22.01.2026 18:05 · 📰 2 src / 2 articles

Latin American organizations report low confidence in their nations' cyber defenses, with only 13% confident in their country's ability to protect critical infrastructure. The region faces a significant cybersecurity skills gap, with 69% lacking critical personnel and capabilities. Cyberattacks have surged by 53% year-over-year, driven by cybercrime syndicates from Southeast Asia and China. Latin American organizations now face an average of around 3,100 cyber threats per week, nearly double the 1,500 threats faced by US organizations. The lack of skilled professionals and investment in cyber resilience infrastructure hampers the region's digital progress, making it vulnerable to systemic risks. Phishing campaigns are particularly effective, and the healthcare and financial services sectors are heavily targeted.

ContextCrush Vulnerability in Context7 MCP Server

Updated: · First: 05.03.2026 16:00 · 📰 1 src / 1 articles

A critical vulnerability, dubbed ContextCrush, in the Context7 MCP Server allows attackers to inject malicious instructions into AI development tools through trusted documentation channels. The flaw stems from unfiltered 'Custom Rules' that are delivered to AI agents without sanitization. The vulnerability could enable attackers to compromise development environments by executing harmful actions using the permissions of AI coding assistants. The issue was discovered by Noma Labs researchers and patched by Upstash on February 23, 2026.

ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine & More

Updated: · First: 05.03.2026 15:44 · 📰 1 src / 1 articles

This week's ThreatsDay Bulletin highlights several significant developments in the cybersecurity landscape. It covers newly uncovered bot scalping tactics targeting DDR5 memory, Samsung TV tracking capabilities, and a substantial privacy fine imposed on Reddit. These updates reflect the evolving threat landscape and the continuous shifts in cybersecurity dynamics.

Preparing for Quantum Computing Threats with Post-Quantum Cryptography

Updated: · First: 05.03.2026 15:13 · 📰 1 src / 1 articles

Organizations are urged to prepare for the future threat of quantum computing, which could break current encryption standards. The 'harvest now, decrypt later' tactic involves attackers collecting encrypted data today to decrypt it later using quantum computers. Security leaders are encouraged to adopt post-quantum cryptography to protect long-term sensitive data. A webinar will discuss practical steps, including hybrid cryptography, to mitigate this emerging risk.

Online gambling ring exploiting Ukrainian women dismantled

Updated: · First: 05.03.2026 14:39 · 📰 1 src / 1 articles

A criminal ring exploited war-displaced Ukrainian women to run an online gambling scheme, laundering nearly €4.75 million. The group targeted vulnerable women from war-torn areas, bringing them to Spain to open bank accounts and credit cards under their names. These accounts were used to place low-odds bets on online gambling platforms, generating steady profits. The operation involved stolen identities from over 5,000 citizens across 17 nationalities. Spanish and Ukrainian authorities arrested 12 suspects, seized numerous devices and vehicles, froze properties worth over €2 million, and blocked accounts holding more than €470,000.

Iran-linked Dust Specter Targets Iraqi Officials with AI-Assisted Malware

Updated: 05.03.2026 14:01 · First: 03.03.2026 12:30 · 📰 2 src / 2 articles

An Iran-linked cyber threat actor, Dust Specter, has been targeting Iraqi government officials using AI-powered tools and previously undocumented malware. The campaign, detected in January 2026, involves impersonating the Iraqi Ministry of Foreign Affairs and compromising government infrastructure to host malicious payloads. The attack chains include the use of SplitDrop, TwinTask, TwinTalk, and GhostForm malware, with TwinTalk also linked to a previous campaign in July 2025. The campaign employs advanced techniques such as randomly generated URI paths for C2 communication, geofencing, and User-Agent verification. The use of compromised Iraqi government infrastructure and AI-assisted malware development highlights the sophistication of the attack.

Critical Zero-Click RCE Vulnerability in FreeScout Helpdesk Platform

Updated: 05.03.2026 13:00 · First: 04.03.2026 23:51 · 📰 2 src / 2 articles

A critical zero-click remote code execution (RCE) vulnerability (CVE-2026-28289) in the FreeScout helpdesk platform allows attackers to hijack mail servers by sending a crafted email. The flaw bypasses a previous fix for another RCE issue (CVE-2026-27636) and enables unauthenticated command execution on the server. FreeScout versions up to 1.8.206 are affected, and immediate patching to version 1.8.207 is recommended. The vulnerability leverages a zero-width space (Unicode U+200B) to bypass security checks, allowing malicious file uploads and subsequent exploitation. Over 1,100 publicly exposed FreeScout instances are at risk, with potential impacts including full server compromise, data breaches, and lateral movement. Ox Security discovered a patch bypass that allowed reproduction of the same RCE on newly updated servers and escalated the attack chain to a zero-click RCE. The PHP-based Laravel framework, on which FreeScout is built, has over 83,000 GitHub stars and around 13,000 publicly exposed servers.

Credential Abuse in Windows Environments Despite MFA

Updated: · First: 05.03.2026 13:00 · 📰 1 src / 1 articles

Organizations often assume multi-factor authentication (MFA) prevents credential-based attacks in Windows environments. However, attackers continue to exploit valid credentials through multiple authentication paths that bypass MFA. These paths include interactive Windows logons, direct RDP access, NTLM authentication, Kerberos ticket abuse, local administrator accounts, SMB authentication, and service accounts. Security teams must address these gaps to reduce credential abuse risks. Tools like Specops Secure Access can enforce MFA for Windows logons, VPN, and RDP connections, while Specops Password Policy helps enforce strong password policies and block compromised passwords.