
Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

News Summary

Last updated: 20:30 05/03/2026 UTC
  • VMware Aria Operations RCE Flaw Exploited in Attacks: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a VMware Aria Operations vulnerability, CVE-2026-22719, to its Known Exploited Vulnerabilities catalog, indicating it is being exploited in attacks. The flaw, patched on February 24, 2026, allows unauthenticated attackers to execute arbitrary commands on vulnerable systems. Federal agencies must remediate it by March 24, 2026. Affected products are VMware Cloud Foundation and VMware vSphere Foundation 9.x.x.x (fixed in 9.0.2.0) and VMware Aria Operations 8.x (fixed in 8.18.6). Broadcom has acknowledged reports of exploitation but says it cannot confirm them independently. Organizations unable to patch immediately can apply the temporary workaround script 'aria-ops-rce-workaround.sh' in the meantime.
  • Tycoon2FA Phishing-as-a-Service Takedown: A global operation led by Microsoft and Europol, supported by multiple industry partners, seized infrastructure linked to the Tycoon2FA phishing-as-a-service (PhaaS) operation. Tycoon2FA sold subscription access to adversary-in-the-middle phishing pages that relayed live authentication sessions, capturing credentials and session tokens and thereby bypassing multi-factor authentication (MFA) for large-scale attacks on corporate inboxes. More than 300 domains associated with Tycoon2FA were seized; the service had around 2,000 users and had used more than 24,000 domains since its launch in August 2023. The primary operator, who used the online identities 'SaaadFridi' and 'Mr_Xaad', remains at large. By mid-2025 Tycoon2FA was generating tens of millions of phishing emails each month and accounted for more than 60% of all blocked phishing attempts. Access was sold through Telegram at $120 for 10 days or $350 for a month of access to a web-based administration panel, lowering the barrier for low-skilled criminals to launch MFA-bypassing attacks at scale. The platform was linked to over 64,000 phishing incidents and facilitated unauthorized access to nearly 100,000 organizations globally.
  • Ransomware attack disrupts University of Mississippi Medical Center operations: The University of Mississippi Medical Center (UMMC) has resumed normal operations nine days after a ransomware attack disrupted IT systems and blocked access to electronic medical records. All clinics statewide have reopened, and UMMC is working to reschedule missed appointments. The attack forced the cancellation of outpatient procedures, ambulatory surgeries, and imaging appointments, but hospital operations continued under downtime procedures. UMMC is investigating with assistance from CISA, the FBI, and the Department of Homeland Security. The attackers have communicated with UMMC, but no ransomware group has claimed responsibility. UMMC operates seven hospitals, 35 clinics, and over 200 telehealth sites statewide, including the state's only organ and bone marrow transplant program, its only children's hospital, its only Level I trauma center, and one of two Telehealth Centers of Excellence in the United States.
  • Phobos Ransomware Suspect Arrested in Poland: Polish authorities have arrested a 47-year-old man suspected of ties to the Phobos ransomware group. The arrest is part of 'Operation Aether', a broader international effort coordinated by Europol. The suspect was found in possession of stolen credentials, credit card numbers, and server access data of the kind used to stage ransomware attacks. He faces charges under Article 269b of Poland's Criminal Code, which carries a maximum prison sentence of five years. Operation Aether has targeted Phobos-linked individuals at multiple levels, including backend infrastructure operators and the affiliates who carry out network intrusions and data encryption; it has also led to the extradition of a key Phobos administrator to the United States and the seizure of 27 servers in Thailand. A Russian national, Evgenii Ptitsyn, extradited from South Korea in November 2024, pleaded guilty to a wire fraud conspiracy charge for his role in administering the Phobos operation and faces up to 20 years in prison. The Phobos ransomware gang has collected over $39 million from more than 1,000 victims worldwide.
  • Microsoft October 2025 Updates Disable USB Input in Windows Recovery Environment: Microsoft's October 2025 security update KB5066835 disabled USB mice and keyboards in the Windows Recovery Environment (WinRE) on both client (Windows 11 24H2 and 25H2) and server (Windows Server 2025) platforms, leaving WinRE unusable for troubleshooting or repairing the OS unless users switched to Bluetooth or PS/2 input devices. Microsoft released an emergency update, KB5070773, which began rolling out on October 21, 2025 and restores USB input in WinRE so users can navigate the recovery options. Touchscreens, PS/2 devices, or a USB recovery drive also work around the issue. OEMs and enterprises can deploy the update via PXE in Configuration Manager, and IT administrators can rebuild push-button reset media using the Windows ADK and the WinPE add-on. In February 2026 Microsoft confirmed that the October 2025 KB5068164 update for Windows 10 broke WinRE as well; the fix, KB5075039, requires the WinRE partition to be at least 256 MB.
  • FBI Seizes RAMP Cybercrime Forum: The FBI has seized the RAMP cybercrime forum, a hub where ransomware gangs advertised their operations and recruited affiliates. Both the forum's Tor site and its clearnet domain, ramp4u[.]io, now display a seizure notice. The seizure gives law enforcement access to a large body of user data, including email addresses, IP addresses, and private messages, which could identify threat actors who failed to follow proper operational security (opsec). RAMP was created in 2021 by individuals linked to the now-defunct Babuk ransomware group and was administered by operators including Mikhail Matveev (also known as Orange, Wazawaka, and BorisElcin) and Stallman. Groups active on the forum included LockBit, ALPHV/BlackCat, Conti, DragonForce, Qilin, Nova, Radiant, and RansomHub. Stallman has since confirmed there are no plans to rebuild the forum. Separately, the FBI seized the LeakBase cybercrime forum, a major marketplace for hacking tools and stolen data, as part of 'Operation Leak', an international joint operation coordinated by Europol and involving law enforcement agencies in 14 countries. LeakBase had been active since 2021 and, as of December 2025, had over 142,000 members and more than 215,000 messages between them; it offered access to databases, a market for leaks and exploits, other cybercrime services, and an escrow payment system. The operation shut down LeakBase's domains, posted seizure banners (the domain nameservers now point to ns1.fbi.seized.gov and ns2.fbi.seized.gov), and warned members that the forum's database, including IP logs and private messages, will be used as evidence in future investigations. Around 100 enforcement actions were carried out worldwide, including search warrants, arrests, and interviews in multiple countries and measures against 37 of the most active users of the platforms.
  • Critical Zero-Click RCE Vulnerability in FreeScout Helpdesk Platform: A critical zero-click remote code execution (RCE) vulnerability, CVE-2026-28289, in the FreeScout helpdesk platform lets an unauthenticated attacker execute commands on the server simply by sending it a crafted email. The flaw bypasses the fix for an earlier RCE issue, CVE-2026-27636: Ox Security found that a zero-width space (Unicode U+200B) slips past the patched security checks, allowing a malicious file upload and subsequent exploitation, reproduced the same RCE on freshly updated servers, and then escalated the chain to zero-click. FreeScout versions up to 1.8.206 are affected; upgrade to 1.8.207 immediately. Over 1,100 publicly exposed FreeScout instances are at risk, with potential impacts including full server compromise, data breaches, and lateral movement. FreeScout is built on the PHP-based Laravel framework, which has over 83,000 GitHub stars and around 13,000 publicly exposed servers.
Last updated: 16:00 05/03/2026 UTC
  • Visibility Gaps in Patch Management and Vulnerability Remediation: Organizations face significant challenges in patch management because of visibility gaps and a lack of centralized control, particularly for third-party software. These gaps lead to unpatched vulnerabilities, compliance drift, and increased risk exposure. Effective vulnerability management requires knowing what needs attention, acting quickly with the right tooling, and confirming that the fix landed; centralized visibility and control are what keep remediation timelines short, reduce repeat vulnerabilities, and demonstrate audit readiness. The piece presents Action1's cloud-native platform, which connects all endpoints, identifies missing updates (including for third-party applications), provides granular control over patch deployment, prioritizes using built-in intelligence, and supports accountability through detailed reporting and compliance dashboards.
  • U.S. sanctions cyber scam operations in Southeast Asia: The U.S. Department of the Treasury has sanctioned several large cyber scam networks in Southeast Asia, primarily in Burma and Cambodia. These operations, which relied on forced labor and human trafficking, stole over $10 billion from Americans in 2024, a 66% increase over the previous year, through romance baiting and fake cryptocurrency investments. The sanctions target individuals and entities linked to the Karen National Army (KNA) and various organized crime networks; the Treasury Department's Office of Foreign Assets Control has also imposed additional sanctions on the Democratic Karen Benevolent Army (DKBA) and related entities. The U.S. has established a new task force, the Scam Center Strike Force, to disrupt Chinese cryptocurrency scam networks. Supported by the U.S. Attorney's Office, the Department of Justice, the FBI, and the Secret Service, it has already seized over $401 million in cryptocurrency and filed forfeiture proceedings for an additional $80 million in stolen funds. Most recently, the U.S. Department of Justice (DoJ) seized $61 million worth of Tether linked to pig butchering crypto scams, traced to cryptocurrency addresses used to launder proceeds of cryptocurrency investment fraud. In these scams, threat actors cultivate romantic relationships on dating and social media messaging apps, coerce victims into investing in fraudulent platforms that display fake high returns, and then route the stolen money through multiple wallets to hide its nature and source. Tether has frozen around $4.2 billion in assets linked to illicit activity, including $250 million related to scam networks since June 2025.
  • Trend Micro Apex One Management Console 0-Day Exploited: Trend Micro has disclosed and patched two critical vulnerabilities, CVE-2025-71210 and CVE-2025-71211, in its on-premise Apex One Management Console that allow remote code execution (RCE) on vulnerable Windows systems. Both stem from path traversal weaknesses in the management console and require the attacker to already have access to it. Critical Patch Build 14136 addresses them and also fixes two high-severity privilege escalation flaws in the Windows agent and four more in the macOS agent. Trend Micro had previously disclosed two other critical Apex One vulnerabilities, CVE-2025-54948 and CVE-2025-54987, command injection flaws allowing remote code execution that were actively exploited in the wild. Trend Micro has released temporary mitigations and is urging users to apply them immediately to protect against potential attacks.
  • Texas Sues TV Manufacturers for Alleged Unauthorized Data Collection via ACR Technology: Texas Attorney General Ken Paxton has filed lawsuits against Sony, Samsung, LG, Hisense, and TCL Technology Group Corporation for allegedly using Automated Content Recognition (ACR) technology to secretly capture screenshots of users' viewing activity every 500 milliseconds and sell the data to third parties for ad targeting without consent, violating users' privacy rights. The suits also raise concerns about data access by Chinese companies under China's National Security Law. A Texas court initially issued a temporary restraining order (TRO), set to run until January 19, prohibiting Samsung from collecting audio and visual data from Texas consumers' smart TVs, but vacated it the following day, allowing Samsung to continue its data collection. The TRO followed allegations that Samsung's ACR enrollment practices are deceptive and violate the Texas Deceptive Trade Practices Act (DTPA), and the court noted that users are pressured into consenting through dark patterns that make it difficult to fully opt out. The case follows a similar 2017 action against Vizio, which settled for $2.2 million over the same practices. Samsung and the State of Texas have since reached a settlement: Samsung will revise its privacy disclosures to clearly explain its data collection and processing practices, halt any collection or processing of ACR viewing data without Texas consumers' express consent, and update its smart TVs with clear and conspicuous disclosures and consent screens.
  • Starkiller Phishing Kit Bypasses MFA via Proxy-Based Attacks: A new phishing kit called Starkiller lets attackers bypass multi-factor authentication (MFA) by proxying legitimate login pages. It is sold on the dark web as a subscription service with updates and customer support, and offers real-time session monitoring and keylogging. Starkiller mimics the login pages of major services such as Google, Microsoft, and banks by running a headless Chrome instance inside a Docker container as a reverse proxy between the victim and the legitimate site: the victim sees genuine page content while credentials and authentication tokens pass through attacker-controlled infrastructure, which makes the pages hard for security vendors to detect or block. The kit integrates URL shorteners such as TinyURL to obscure the destination URL, and its control panel centralizes infrastructure management, phishing page deployment, and session monitoring, combining URL masking, session hijacking, and MFA bypass in one place. Starkiller is part of a broader cybercrime offering by a threat group called Jinkusu, which also provides email harvesting and campaign analytics.
  • ScarCruft (APT37) Expands Tactics with Ruby Jumper Campaign Targeting Air-Gapped Networks: The ScarCruft (APT37) Ruby Jumper campaign, first discovered in December 2025 and detailed in February 2026, marks a significant expansion of the group's tactics: breaching air-gapped networks and abusing legitimate cloud services for command-and-control (C2). The multi-stage infection chain begins with a malicious LNK file that drops a decoy document (e.g., an Arabic translation of a North Korean article on the Palestine-Israel conflict), an executable payload (RESTLEAF), a PowerShell script, and a batch file. RESTLEAF uses Zoho WorkDrive for C2, the first known instance of ScarCruft using this service, to fetch shellcode that deploys SNAKEDROPPER. SNAKEDROPPER installs a Ruby runtime, establishes persistence via a scheduled task (`rubyupdatecheck`) that replaces the RubyGems default file `operating_system.rb`, and drops THUMBSBD and VIRUSTASK, both of which weaponize removable media (USB drives) for lateral movement into air-gapped systems. THUMBSBD supports keylogging, audio/video surveillance, and file exfiltration, and creates hidden directories on USB drives to stage operator commands or store execution output. VIRUSTASK handles propagation: it replaces legitimate files on USB drives with malicious shortcuts that execute the Ruby interpreter when opened. The campaign also delivers FOOTWINE, a reconnaissance tool disguised as an APK file that harvests documents and monitors removable drive activity, and BLUELIGHT, a backdoor that switches its C2 mode based on network connectivity (direct cloud communication or USB-based staging). This follows earlier ScarCruft operations, including ransomware attacks (July 2025), Operation HanKook Phantom (September 2025), and the Contagious Interview campaign (February 2026), which targeted developers via malicious repositories and job-themed lures. Ruby Jumper underscores ScarCruft's expanded focus on air-gapped infiltration, combining cloud abuse with physical media to evade network isolation and maintain persistent surveillance with minimal forensic traces. Zscaler ThreatLabz documented six distinct tools in this campaign, five of them previously undocumented.
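Both the Tycoon2FA and Starkiller items above describe the same mechanism: a reverse proxy relays the real login page, so one-time codes and push approvals pass straight through. What such a proxy cannot forge is the origin the browser writes into a WebAuthn assertion, or the rpIdHash the authenticator binds it to. The block below is an added example, not code from Microsoft, Europol, or the kits' authors; the relying-party ID `login.example.com`, the allowed origins, the proxy hostname and the challenge bytes are assumptions. It performs the relying party's structural checks on an assertion and shows a proxied login failing on origin; the signature check over authenticatorData || SHA-256(clientDataJSON) is left out so the block runs on the standard library alone and must be added in a real verifier.

```python
"""Why a reverse-proxy phishing kit relays OTP/push MFA but not a WebAuthn assertion.

Added example (not from Tycoon2FA, Starkiller, or any vendor). RP ID, origins and the
challenge are assumptions. Signature verification is deliberately omitted: a real verifier
must also check the ECDSA/RSA signature over authenticatorData || SHA-256(clientDataJSON).
"""
import base64
import hashlib
import json

RP_ID = "login.example.com"                       # assumed relying-party ID
ALLOWED_ORIGINS = {"https://login.example.com"}   # assumed exact origins the RP accepts


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_client_data(challenge: bytes, page_origin: str) -> bytes:
    """What the victim's browser produces. The browser fills `origin` from the page the
    user is actually on; neither the page script nor a proxy in front of it can alter it."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": page_origin,
        "crossOrigin": False,
    }).encode()


def authenticator_data(rp_id: str, flags: int = 0x01, sign_count: int = 1) -> bytes:
    """First 37 bytes the authenticator returns: SHA-256(rpId) || flags || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes):
    """Relying-party checks from the WebAuthn assertion verification steps (minus the
    signature). Returns (accepted, reason)."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replayed or stale assertion)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not the relying party (phishing proxy?)"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "accepted (signature check still required)"


def demo() -> dict:
    """Constructed scenario: one user on the real site, one on an AitM proxy, one replay."""
    challenge = bytes(range(32))          # constructed; real servers use random bytes
    stale = bytes(32)                     # a challenge issued for an earlier ceremony
    genuine = verify_assertion(browser_client_data(challenge, "https://login.example.com"),
                               authenticator_data(RP_ID), challenge)
    # AitM kit: the proxy relays the real challenge, but the victim's browser is on the
    # proxy's hostname, so the origin it records is the proxy's, not the RP's.
    phished = verify_assertion(
        browser_client_data(challenge, "https://login.example.com.evil-proxy.test"),
        authenticator_data(RP_ID), challenge)
    replayed = verify_assertion(browser_client_data(stale, "https://login.example.com"),
                                authenticator_data(RP_ID), challenge)
    return {"genuine": genuine, "phished": phished, "replayed": replayed}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:8s} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

The order of checks mirrors the specification's verification steps, and the origin check is the one that defeats a proxy kit: even a proxy that copies the real page byte for byte is serving it from its own hostname, and that is the value the browser signs over. Session-cookie theft after a successful WebAuthn login is a separate problem (token binding, short-lived sessions, sign-in IP consistency), which is why the kits above still monetize sessions rather than credentials.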
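The Ruby Jumper item above says VIRUSTASK swaps documents on a USB drive for shortcuts that launch the Ruby interpreter, and THUMBSBD stages commands in hidden directories on the same media. A first-pass triage of a suspect drive only needs the StringData of each `.lnk` (relative path, working directory, arguments), which the MS-SHLLINK layout lets you read with a few offsets. The block below is an added example, not Zscaler's or the campaign's tooling: it parses that part of the shell-link format, flags shortcuts that reference a Ruby interpreter or pose as documents, and flags hidden directories. The indicator strings (`RUBY_MARKERS`, `DOC_EXTS`) and the sample drive it builds in a temp directory are assumptions, not indicators from the report.

```python
"""Triage a removable drive for document-disguised shortcuts and hidden staging dirs.

Added example, not Zscaler ThreatLabz's or ScarCruft's tooling. RUBY_MARKERS, DOC_EXTS and
the constructed sample drive are assumptions for illustration.
"""
import os
import struct
import tempfile

# MS-SHLLINK 2.1.1 LinkFlags bits used below
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
# HeaderSize (0x4C) followed by the ShellLink CLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

RUBY_MARKERS = ("ruby.exe", "rubyw.exe", "\\ruby\\")            # assumed indicators
DOC_EXTS = (".docx", ".doc", ".pdf", ".xlsx", ".pptx", ".txt")  # lure extensions (assumed)


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .lnk, skipping the IDList and LinkInfo blocks."""
    if len(data) < 76 or data[:20] != LNK_MAGIC:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 76                                              # fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]      # LinkInfoSize includes itself
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]     # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le", "replace")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Minimal Unicode .lnk with only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS (demo data)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = LNK_MAGIC + struct.pack("<I", flags) + bytes(76 - 24)  # rest of header zeroed

    def sd(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + sd(relative_path) + sd(arguments)


def is_hidden(path: str) -> bool:
    attrs = getattr(os.stat(path), "st_file_attributes", 0)  # FILE_ATTRIBUTE_HIDDEN on Windows
    return bool(attrs & 0x02) or os.path.basename(path).startswith(".")


def scan_drive(root: str) -> list:
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            p = os.path.join(dirpath, d)
            if is_hidden(p):
                findings.append({"path": p, "kind": "hidden_dir",
                                 "reasons": ["hidden directory on removable media"]})
        for f in filenames:
            if not f.lower().endswith(".lnk"):
                continue
            p = os.path.join(dirpath, f)
            with open(p, "rb") as fh:
                try:
                    s = parse_lnk_strings(fh.read())
                except ValueError:
                    continue
            target = " ".join(s.get(k, "") for k in ("relative_path", "working_dir", "arguments")).lower()
            reasons = []
            if any(m in target for m in RUBY_MARKERS):
                reasons.append("shortcut launches a Ruby interpreter")
            if f[:-4].lower().endswith(DOC_EXTS):
                reasons.append("shortcut disguised as a document")
            if reasons:
                findings.append({"path": p, "kind": "lnk", "reasons": reasons, "strings": s})
    return findings


def demo_scan() -> list:
    """Build a constructed sample drive in a temp dir and scan it (not real samples)."""
    root = tempfile.mkdtemp(prefix="usb_")
    os.makedirs(os.path.join(root, ".cache"))
    with open(os.path.join(root, "Quarterly Report.docx.lnk"), "wb") as fh:
        fh.write(build_lnk("..\\.cache\\rubyw.exe", "update.rb"))
    with open(os.path.join(root, "Notes.lnk"), "wb") as fh:   # benign shortcut, not flagged
        fh.write(build_lnk("C:\\Windows\\notepad.exe", ""))
    return scan_drive(root)


if __name__ == "__main__":
    for item in demo_scan():
        print(item["kind"], item["path"], "; ".join(item["reasons"]))
```

Run `scan_drive("E:\\")` (or the mount point on a Linux analysis box) against the real drive. The parser reads only the StringData section; the ExtraData blocks at the end of a shortcut (which can carry an absolute target path and machine ID) are left to a full LNK parser, and a sample that sets neither RELATIVE_PATH nor ARGUMENTS will only be caught by the document-extension heuristic.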

Latest updates


Self-propagating JavaScript worm targets Wikimedia projects

Updated: · First: 05.03.2026 22:42 · 📰 1 src / 1 articles

A self-propagating JavaScript worm spread from a malicious script on Russian Wikipedia across multiple Wikimedia projects, vandalizing pages. The worm modified user scripts and global JavaScript files, affecting approximately 3,996 pages and 85 user accounts. Wikimedia temporarily restricted editing to contain the attack and revert the changes. The incident began when a Wikimedia employee account executed a dormant script, which then propagated through user sessions and global scripts. Its persistence mechanism was the modified user-level and site-wide JavaScript, which caused it to spread automatically whenever those scripts ran; the injected code also edited random pages to insert hidden JavaScript loaders. Wikimedia has not yet released a detailed post-incident report.

Critical Vulnerability in WordPress User Registration & Membership Plugin Exploited

Updated: · First: 05.03.2026 20:44 · 📰 1 src / 1 articles

A critical vulnerability (CVE-2026-1492, CVSS 9.8) in the WordPress User Registration & Membership plugin, installed on over 60,000 sites, allows unauthenticated attackers to create administrator accounts, giving them full site control and the ability to steal data and distribute malware. The developer fixed the flaw in version 5.1.3; the latest version is 5.1.4. Exploitation attempts have already been observed, with over 200 attacks in the past 24 hours. Website administrators are urged to update the plugin immediately or disable it if updating is not possible.

U.S. Marshals Service Contractor's Son Arrested for $46M Crypto Theft

Updated: · First: 05.03.2026 20:36 · 📰 1 src / 1 articles

John Daghita, son of a U.S. government contractor and president of Command Services & Support (CMDSS), was arrested on Saint Martin for allegedly stealing $46 million in cryptocurrency from the U.S. Marshals Service (USMS). The arrest followed a joint operation by the FBI and France's Groupe d'Intervention de la Gendarmerie Nationale. Daghita, known online as "Lick," was linked to the theft through blockchain analysis by investigator ZachXBT, who traced funds to wallets associated with Daghita. The stolen funds included assets tied to the 2016 Bitfinex hack. Daghita was reportedly taunting ZachXBT via Telegram, even sending small amounts of stolen funds to the investigator's public wallet address in a "dust attack." Law enforcement seized multiple hard drives, security keys, and an undisclosed amount of U.S. dollars during the arrest.

Rise in AI-Driven Insider Threats Classified as Critical Business Risk

Updated: · First: 05.03.2026 18:00 · 📰 1 src / 1 articles

Mimecast's State of Human Risk Report 2026 highlights a significant increase in insider threats, driven by AI misuse and employee negligence. The report identifies both malicious insiders and negligent employees as critical risks, with 42% of organizations reporting an uptick in such threats. AI tools are being exploited to enhance phishing attacks and facilitate data exfiltration, making insider risk a growing concern for cybersecurity leaders.

Critical Authentication Bypass in Cisco Catalyst SD-WAN Exploited Since 2023

Updated: 05.03.2026 17:22 · First: 25.02.2026 20:01 · 📰 5 src / 6 articles

A critical authentication bypass vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN has been exploited in zero-day attacks since at least 2023. The flaw, a defect in the peering authentication mechanism, allows remote attackers to log in as high-privileged users, compromise controllers, add malicious rogue peers to targeted networks, and manipulate network configurations. Cisco has released software updates, and CISA issued an emergency directive requiring federal agencies to patch affected systems by February 27, 2026. Attackers have used the built-in update mechanism to stage a software version downgrade, escalated to root by exploiting CVE-2022-20775, and purged logs and command history to cover their tracks. Cisco has also flagged two more Catalyst SD-WAN Manager flaws as exploited in the wild: CVE-2026-20128, an information disclosure issue in the Data Collection Agent (DCA) feature that lets an authenticated, local attacker gain DCA user privileges, and CVE-2026-20122, an arbitrary file overwrite bug in the API that lets a remote, authenticated attacker overwrite arbitrary files and gain elevated privileges; administrators are urged to upgrade vulnerable devices. Cisco Talos attributes the CVE-2026-20127 attacks to UAT-8616, a highly sophisticated threat actor active since at least 2023. Separately, Cisco has released updates for two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software, CVE-2026-20079 and CVE-2026-20131.

Increase in Zero-Day Exploits in 2025

Updated: · First: 05.03.2026 17:03 · 📰 1 src / 1 articles

Google Threat Intelligence Group (GTIG) reported tracking 90 zero-day vulnerabilities exploited in 2025, a 15% increase from 2024. Nearly half targeted enterprise software and appliances. Memory safety issues accounted for 35% of these exploits. Commercial spyware vendors were the largest users of zero-days, surpassing state-sponsored groups. China-linked espionage groups remained the most active among state actors, while financially motivated actors also increased their use of zero-days. The most targeted enterprise systems included security appliances, networking infrastructure, VPNs, and virtualization platforms. Google recommends reducing attack surfaces, continuous monitoring, and rapid patching to mitigate risks.

2026 Browser Security Report Highlights Enterprise Blind Spots

Updated: · First: 05.03.2026 17:01 · 📰 1 src / 1 articles

The 2026 State of Browser Security Report reveals that browsers have become the most critical yet least protected control point in enterprises. AI-native browsers have shifted from experimental tools to mainstream business platforms, creating significant security blind spots. The report highlights the rapid evolution of browser capabilities, including AI copilots and generative AI tools, which are now integral to daily work tasks. However, enterprise security architectures have not kept pace, leaving a growing gap in visibility and control over sensitive data and user activities. The report also details the widespread use of AI tools within browser sessions, the exposure of sensitive data in 'trusted' apps, and the increasing prevalence of browser-based attacks that bypass traditional security controls.

Latin American Organizations Struggle with Cybersecurity Defenses and Skills Shortage

Updated: 05.03.2026 16:00 · First: 22.01.2026 18:05 · 📰 2 src / 2 articles

Latin American organizations report low confidence in their nations' cyber defenses, with only 13% confident in their country's ability to protect critical infrastructure. The region faces a significant cybersecurity skills gap, with 69% lacking critical personnel and capabilities. Cyberattacks have surged by 53% year-over-year, driven by cybercrime syndicates from Southeast Asia and China. Latin American organizations now face an average of around 3,100 cyber threats per week, nearly double the 1,500 threats faced by US organizations. The lack of skilled professionals and investment in cyber resilience infrastructure hampers the region's digital progress, making it vulnerable to systemic risks. Phishing campaigns are particularly effective, and the healthcare and financial services sectors are heavily targeted.

ContextCrush Vulnerability in Context7 MCP Server

Updated: · First: 05.03.2026 16:00 · 📰 1 src / 1 articles

A critical vulnerability, dubbed ContextCrush, in the Context7 MCP Server allows attackers to inject malicious instructions into AI development tools through trusted documentation channels. The flaw stems from unfiltered 'Custom Rules' that are delivered to AI agents without sanitization. The vulnerability could enable attackers to compromise development environments by executing harmful actions using the permissions of AI coding assistants. The issue was discovered by Noma Labs researchers and patched by Upstash on February 23, 2026.

ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine & More

Updated: · First: 05.03.2026 15:44 · 📰 1 src / 1 articles

This week's ThreatsDay Bulletin highlights several significant developments in the cybersecurity landscape. Researchers uncovered new bot scalping tactics targeting DDR5 memory, Samsung TV tracking capabilities, and a substantial privacy fine imposed on Reddit. These updates reflect the evolving threat landscape and the continuous shifts in cybersecurity dynamics.

Preparing for Quantum Computing Threats with Post-Quantum Cryptography

Updated: · First: 05.03.2026 15:13 · 📰 1 src / 1 articles

Organizations are urged to prepare for the future threat of quantum computing, which could break current encryption standards. The 'harvest now, decrypt later' tactic involves attackers collecting encrypted data today to decrypt it later using quantum computers. Security leaders are encouraged to adopt post-quantum cryptography to protect long-term sensitive data. A webinar will discuss practical steps, including hybrid cryptography, to mitigate this emerging risk.

Online gambling ring exploiting Ukrainian women dismantled

Updated: · First: 05.03.2026 14:39 · 📰 1 src / 1 articles

A criminal ring exploited war-displaced Ukrainian women to run an online gambling scheme, laundering nearly €4.75 million. The group targeted vulnerable women from war-torn areas, bringing them to Spain to open bank accounts and credit cards under their names. These accounts were used to place low-odds bets on online gambling platforms, generating steady profits. The operation involved stolen identities from over 5,000 citizens across 17 nationalities. Spanish and Ukrainian authorities arrested 12 suspects, seized numerous devices and vehicles, froze properties worth over €2 million, and blocked accounts holding more than €470,000.

Coruna iOS Exploit Kit Targets iOS 13–17.2.1 with 23 Exploits

Updated: 05.03.2026 14:15 · First: 04.03.2026 15:28 · 📰 3 src / 3 articles

Google's Threat Intelligence Group identified the Coruna exploit kit, which targets iOS 13.0 through 17.2.1 with five exploit chains and 23 exploits, some using non-public techniques. First observed in February 2025, it has been used by multiple threat actors, including government-backed groups and financially motivated actors, and has been linked to campaigns by Russian and Chinese actors. The kit exploits vulnerabilities in WebKit and other components, some of which Apple had patched but which remained undocumented until later. It fingerprints the device and delivers the exploit chain matching the iOS version, avoids running on devices in Lockdown Mode or in private browsing, and uses custom encryption and compression to deliver its payloads; it is ineffective against the latest iOS versions. After the initial browser exploit succeeds, a binary loader deploys the final stage. Coruna marks a shift from targeted spyware attacks to broader exploitation of iOS devices, including crypto theft: a stager loader called PlasmaGrid targets cryptocurrency wallet apps such as MetaMask, Phantom, Exodus, BitKeep, and Uniswap. The kit was used in watering hole attacks on iPhone users visiting compromised Ukrainian websites in summer 2025 and on fake Chinese gambling and crypto websites in late 2025.

Iran-linked Dust Specter Targets Iraqi Officials with AI-Assisted Malware

Updated: 05.03.2026 14:01 · First: 03.03.2026 12:30 · 📰 2 src / 2 articles

An Iran-linked cyber threat actor, Dust Specter, has been targeting Iraqi government officials using AI-powered tools and previously undocumented malware. The campaign, detected in January 2026, involves impersonating the Iraqi Ministry of Foreign Affairs and compromising government infrastructure to host malicious payloads. The attack chains include the use of SplitDrop, TwinTask, TwinTalk, and GhostForm malware, with TwinTalk also linked to a previous campaign in July 2025. The campaign employs advanced techniques such as randomly generated URI paths for C2 communication, geofencing, and User-Agent verification. The use of compromised Iraqi government infrastructure and AI-assisted malware development highlights the sophistication of the attack.

Critical Zero-Click RCE Vulnerability in FreeScout Helpdesk Platform

Updated: 05.03.2026 13:00 · First: 04.03.2026 23:51 · 📰 2 src / 2 articles

A critical zero-click remote code execution (RCE) vulnerability (CVE-2026-28289) in the FreeScout helpdesk platform allows attackers to hijack mail servers by sending a crafted email. The flaw bypasses a previous fix for another RCE issue (CVE-2026-27636) and enables unauthenticated command execution on the server. FreeScout versions up to 1.8.206 are affected, and immediate patching to version 1.8.207 is recommended. The vulnerability leverages a zero-width space (Unicode U+200B) to bypass security checks, allowing malicious file uploads and subsequent exploitation. Over 1,100 publicly exposed FreeScout instances are at risk, with potential impacts including full server compromise, data breaches, and lateral movement. Ox Security discovered a patch bypass that allowed reproduction of the same RCE on newly updated servers and escalated the attack chain to a zero-click RCE. The PHP-based Laravel framework, on which FreeScout is built, has over 83,000 GitHub stars and around 13,000 publicly exposed servers.
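The summary above says only that a zero-width space (U+200B) defeated a security check on uploaded files; it does not describe the exact check. The following added example (not FreeScout code, and not a reproduction of the reported bug) shows the general class of defect on a constructed filename filter: a denylist comparison on the raw extension is blind to an appended invisible character, while a check that rejects Unicode format/control characters and then applies an allowlist is not. The extension sets are constructed for illustration.

```python
import os
import unicodedata

# Constructed, illustrative extension sets (not FreeScout's own configuration).
BLOCKED_EXTENSIONS = {"php", "phtml", "phar", "sh"}
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "txt"}

# Unicode general categories that render as nothing: Cf (format, includes
# U+200B ZERO WIDTH SPACE) and Cc (control characters).
INVISIBLE_CATEGORIES = {"Cf", "Cc"}


def naive_extension_check(filename: str) -> bool:
    """Weak pattern: denylist on the raw extension.

    'shell.php' is rejected, but 'shell.php\u200b' yields the extension
    'php\u200b', which is not in the denylist, so the file is accepted.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in BLOCKED_EXTENSIONS


def find_invisible_chars(filename: str) -> list[tuple[int, str]]:
    """Return (index, Unicode name) for every invisible character found.

    Useful for logging why an upload was refused and for hunting over
    historical upload records.
    """
    hits = []
    for i, ch in enumerate(filename):
        if unicodedata.category(ch) in INVISIBLE_CATEGORIES:
            hits.append((i, unicodedata.name(ch, f"U+{ord(ch):04X}")))
    return hits


def hardened_extension_check(filename: str) -> bool:
    """Hardened pattern: reject invisible and compatibility characters
    outright, then allowlist the extension of the basename.

    Rejecting (rather than silently stripping) keeps the stored name
    identical to the validated name, so no later component sees a
    different string than the filter did.
    """
    # NFKC folds compatibility forms (e.g. fullwidth letters) so that the
    # comparison below also catches look-alike extensions.
    normalized = unicodedata.normalize("NFKC", filename)
    if normalized != filename or find_invisible_chars(filename):
        return False
    base = os.path.basename(filename)
    if "." not in base or base.startswith("."):
        return False
    ext = base.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXTENSIONS


def audit_filenames(filenames: list[str]) -> list[dict]:
    """Evaluate a batch of constructed upload names with both checks."""
    return [
        {
            "name": name,
            "naive_accepts": naive_extension_check(name),
            "hardened_accepts": hardened_extension_check(name),
            "invisible": find_invisible_chars(name),
        }
        for name in filenames
    ]


if __name__ == "__main__":
    # Constructed sample filenames, including one with a trailing U+200B.
    samples = ["report.pdf", "shell.php", "shell.php\u200b", "notes.txt"]
    for row in audit_filenames(samples):
        print(row)
```

The audit helper is the part a defender would reuse: run it over a dump of historical upload names and any row where `naive_accepts` is true while `invisible` is non-empty is a candidate for review.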

Credential Abuse in Windows Environments Despite MFA

First: 05.03.2026 13:00 · 📰 1 src / 1 article

Organizations often assume multi-factor authentication (MFA) prevents credential-based attacks in Windows environments. However, attackers continue to exploit valid credentials through multiple authentication paths that bypass MFA. These paths include interactive Windows logons, direct RDP access, NTLM authentication, Kerberos ticket abuse, local administrator accounts, SMB authentication, and service accounts. Security teams must address these gaps to reduce credential abuse risks. Tools like Specops Secure Access can enforce MFA for Windows logons, VPN, and RDP connections, while Specops Password Policy helps enforce strong password policies and block compromised passwords.

Critical RADIUS Authentication Flaw in Cisco Secure Firewall Management Center

Updated: 05.03.2026 12:30 · First: 15.08.2025 09:49 · 📰 4 src / 7 articles

Cisco has disclosed and patched a critical vulnerability in the RADIUS subsystem of Secure Firewall Management Center (FMC) Software. The flaw, CVE-2025-20265, allows unauthenticated, remote attackers to execute arbitrary shell commands on affected systems. This vulnerability affects FMC Software versions 7.0.7 and 7.7.0 when RADIUS authentication is enabled for web-based management or SSH. Additionally, Cisco has released security updates to patch two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software: an authentication bypass flaw (CVE-2026-20079) that allows attackers to gain root access to the underlying operating system, and a remote code execution (RCE) vulnerability (CVE-2026-20131) that lets attackers execute arbitrary Java code as root on unpatched devices. Cisco's Product Security Incident Response Team (PSIRT) has no evidence that these flaws are exploited in attacks or that proof-of-concept (PoC) exploit code has been published online. In March 2026, Cisco released a bundled publication containing 25 security advisories detailing vulnerabilities in enterprise networking products, including nine high-severity vulnerabilities in the ASA Firewall, Secure FMC, and Secure FTD appliances. Cisco is not aware of any of these vulnerabilities being exploited in the wild.

FBI Seizes RAMP Cybercrime Forum

Updated: 05.03.2026 11:45 · First: 28.01.2026 19:38 · 📰 5 src / 7 articles

The FBI has seized the RAMP cybercrime forum, a platform known for facilitating ransomware operations and other cybercriminal activities. The seizure includes both the forum's Tor site and its clearnet domain, ramp4u[.]io, which now display a seizure notice. The forum was a hub for ransomware gangs to advertise their operations and recruit affiliates. The seizure provides law enforcement with access to a significant amount of data tied to the forum's users, including email addresses, IP addresses, and private messages. This could lead to the identification and potential arrest of threat actors who failed to follow proper operational security (opsec). RAMP was created in 2021 by individuals linked to the now-defunct Babuk ransomware group and was administered by key operators such as Mikhail Matveev (also known as Orange, Wazawaka, and BorisElcin) and Stallman. The forum was a prime hub for various ransomware groups, including LockBit, ALPHV/BlackCat, Conti, DragonForce, Qilin, Nova, Radiant, and RansomHub. Following the seizure, Stallman confirmed there were no plans to rebuild the forum, indicating a significant disruption to the cybercriminal ecosystem. Additionally, the FBI has seized the LeakBase cybercrime forum, a major online forum used by cybercriminals to buy and sell hacking tools and stolen data. The forum had over 142,000 members and more than 215,000 messages between members as of December 2025. The seizure is part of an international joint operation coordinated by Europol, known as 'Operation Leak,' involving law enforcement agencies in 14 countries. The operation included the shutdown of LeakBase's domains, posting seizure banners, and warning members of the seizure. Law enforcement executed search warrants, made arrests, and conducted interviews in multiple countries. The seizure banner notes that the forum's database and all its contents, including IP logs and private messages, will be used for evidentiary purposes in future investigations. The domain nameservers have been switched to ns1.fbi.seized.gov and ns2.fbi.seized.gov. The operation involved around 100 enforcement actions worldwide, including measures against 37 of the most active users of the platforms. LeakBase, active since 2021, offered access to databases, a market for selling leaks, exploits, and other cybercrime services, and an escrow payment system.

Phobos Ransomware Suspect Arrested in Poland

Updated: 05.03.2026 10:34 · First: 17.02.2026 13:31 · 📰 2 src / 3 articles

Polish authorities have arrested a 47-year-old man suspected of ties to the Phobos ransomware group. The arrest is part of "Operation Aether," a broader international effort coordinated by Europol. The suspect was found with stolen credentials, credit card numbers, and server access data, which could facilitate ransomware attacks. The suspect faces charges under Article 269b of Poland's Criminal Code, with a maximum prison sentence of five years if found guilty. Operation Aether has targeted Phobos-linked individuals at multiple levels, including backend infrastructure operators and affiliates involved in network intrusions and data encryption. The operation has led to the extradition of a key Phobos administrator to the United States and the seizure of 27 servers in Thailand. A Russian national, Evgenii Ptitsyn, pleaded guilty to a wire fraud conspiracy charge related to his role in administering the Phobos ransomware operation. Ptitsyn was extradited from South Korea in November 2024 and is facing up to 20 years in prison. The Phobos ransomware gang has collected over $39 million from more than 1,000 victims worldwide.

Tycoon2FA Phishing-as-a-Service Takedown

Updated: 05.03.2026 08:51 · First: 04.03.2026 18:00 · 📰 3 src / 3 articles

A global operation led by Microsoft and Europol, supported by multiple industry partners, seized infrastructure linked to the Tycoon2FA phishing-as-a-service (PhaaS) operation. Tycoon2FA offered subscription-based services that intercepted live authentication sessions, bypassing multi-factor authentication (MFA) and enabling large-scale attacks on corporate inboxes. The operation resulted in the seizure of over 300 domains associated with Tycoon2FA, which had around 2000 users and used more than 24,000 domains since its launch in August 2023. The primary operator, identified as using the online identities 'SaaadFridi' and 'Mr_Xaad,' remains at large. Tycoon2FA was generating tens of millions of phishing emails each month by mid-2025, reaching more than 60% of all blocked phishing attempts. The platform was sold through Telegram for $120 for 10 days of access or $350 for a month of access to a web-based administration panel, lowering the barrier for low-skilled criminals to launch sophisticated, MFA-bypassing attacks at scale. The platform was linked to over 64,000 phishing incidents and facilitated unauthorized access to nearly 100,000 organizations globally.

Bitwarden adds passkey login support for Windows 11

First: 05.03.2026 00:34 · 📰 1 src / 1 article

Bitwarden has introduced support for logging into Windows 11 using passkeys stored in its encrypted vault. This feature enables phishing-resistant authentication by allowing users to log in via a security key option and QR code scan from a mobile device. The feature is available across all Bitwarden plans, including the free tier. To use the feature, users must have Entra ID-joined devices, FIDO2 security key sign-in enabled, and a registered Entra ID passkey stored in their Bitwarden vault. Bitwarden acts as the passkey provider, storing credentials in the user’s synced vault rather than binding them to a single device. This approach enhances security by reducing the risk of credential exposure to phishing attacks.

Microsoft October 2025 Updates Disable USB Input in Windows Recovery Environment

Updated: 04.03.2026 23:03 · First: 20.10.2025 22:06 · 📰 3 src / 6 articles

Microsoft's October 2025 security updates (KB5066835) initially disabled USB mice and keyboards in the Windows Recovery Environment (WinRE), affecting both client (Windows 11 24H2 and 25H2) and server (Windows Server 2025) platforms. This issue made WinRE unusable for troubleshooting or repairing the OS, prompting users to switch to Bluetooth or PS/2 input devices as a workaround. Microsoft has since released an emergency update (KB5070773) to resolve the issue, which started rolling out on October 21, 2025. This update restores USB functionality in WinRE, allowing users to navigate recovery options. Affected customers can also use touchscreen, PS/2 devices, or USB recovery drives as workarounds. OEMs and enterprises can use PXE in Configuration Manager to install the update, while IT administrators can deploy push-button reset features using Windows ADK and WinPE add-on. Additionally, Microsoft confirmed in February 2026 that the October 2025 KB5068164 update for Windows 10 also broke WinRE. A new update (KB5075039) was released to fix this issue, requiring the WinRE partition to be at least 256MB in size.

HungerRush extortion campaign targets restaurant customers

First: 04.03.2026 20:44 · 📰 1 src / 1 article

A threat actor is mass-emailing patrons of restaurants that use the HungerRush POS platform, claiming to have access to customer and restaurant data. The attacker demands a response from HungerRush and threatens to expose the data otherwise. The emails were sent using Twilio SendGrid, a service previously used by HungerRush for legitimate communications. The attacker claims to have access to millions of customer records, including names, emails, passwords, addresses, phone numbers, dates of birth, and credit card information. HungerRush has not confirmed a breach, but customers are advised to be vigilant for potential phishing attempts.

Iranian Cyber Threat Activity Against U.S. Critical Infrastructure and Kinetic Targeting

Updated: 04.03.2026 19:21 · First: 30.06.2025 15:00 · 📰 15 src / 20 articles

Iranian state-sponsored and affiliated cyber threat actors have escalated retaliatory campaigns following the February 28, 2026, joint Israeli-US military strikes (codenamed Epic Fury and Roaring Lion), with a documented surge of 149 hacktivist DDoS attacks targeting 110 organizations across 16 countries, primarily Kuwait (28%), Israel (27.1%), and Jordan (21.5%). Over 70% of this activity was driven by just two groups, Keymous+ and DieNet, while pro-Russian actors (Cardinal, Russian Legion) claimed breaches of Israeli military networks, including the Iron Dome system. Concurrently, Iran's IRGC launched disruptive strikes against Saudi Aramco and an AWS data center in the U.A.E., aiming to inflict global economic pain, and revived old personas (e.g., Cotton Sandstorm's Altoufan Team) to target Bahraini infrastructure. The campaign aligns with Iran's established playbook of blending espionage, disruption, and psychological operations, leveraging ransomware as a smokescreen, destructive wipers, and multi-actor obfuscation. UNC1549 (Nimbus Manticore/Subtle Snail) remained the fourth most active threat actor in H2 2025, focusing on defense, aerospace, and telecommunications sectors, while SMS phishing campaigns exploited wartime urgency to deploy mobile surveillance malware via fake RedAlert app updates. The UK NCSC and Google's Threat Intelligence Group (GTIG) continue to warn of heightened risks for organizations with Middle East exposure, emphasizing DDoS resilience, ICS segmentation, and supply-chain hardening as critical mitigations. Iranian cryptocurrency exchanges, meanwhile, adjusted operations to manage volatility under sanctions and connectivity constraints, signaling the regime's reliance on shadow economic infrastructure during conflict.

AI-Enabled Cyberattacks and Hive Mind Analogies in Cybersecurity

First: 04.03.2026 19:09 · 📰 1 src / 1 article

The article draws parallels between the Netflix show Stranger Things and modern cybersecurity threats, highlighting the risks of botnets, APTs, and AI-enabled cyberattacks. It emphasizes the importance of telemetry data, early warning insights, and agentic workflows in defending against these threats. The narrative underscores the need for unified visibility and control to protect enterprise networks from sophisticated attacks.

Global Coalition on Telecoms (GCOT) Publishes 6G Cybersecurity and Resilience Principles

First: 04.03.2026 18:30 · 📰 1 src / 1 article

A coalition of seven governments (Australia, Canada, Finland, Japan, Sweden, the UK, and the US) has launched voluntary cybersecurity and cyber resilience principles for 6G networks. The Global Coalition on Telecoms (GCOT) aims to guide the development of secure and resilient 6G infrastructure, targeting initial commercial rollouts in 2029-2030. The guidelines emphasize containment, confidentiality, integrity, resilience, and regulatory compliance, with support from industry partners like AT&T, BT, Ericsson, and NVIDIA.

Ransomware attack disrupts University of Mississippi Medical Center operations

Updated: 04.03.2026 17:28 · First: 20.02.2026 13:50 · 📰 3 src / 4 articles

The University of Mississippi Medical Center (UMMC) has resumed normal operations nine days after a ransomware attack disrupted IT systems and blocked access to electronic medical records. All clinics statewide have reopened, and UMMC is working to reschedule missed appointments. The attack led to the cancellation of outpatient procedures, ambulatory surgeries, and imaging appointments, but hospital operations continued using downtime procedures. UMMC is investigating with assistance from CISA, the FBI, and the Department of Homeland Security. The attackers have communicated with UMMC, but no ransomware group has claimed responsibility. UMMC operates seven hospitals, 35 clinics, and over 200 telehealth sites statewide, including the state's only organ and bone marrow transplant program, the only children's hospital, the only Level I trauma center, and one of two Telehealth Centers of Excellence in the United States.

Brute Force Attack Reveals Ransomware Infrastructure Network

First: 04.03.2026 17:02 · 📰 1 src / 1 article

A brute force attack on an exposed RDP server led to the discovery of a ransomware infrastructure network. The attack, initially dismissed as routine, uncovered unusual credential-hunting behavior, a web of geo-distributed infrastructure, and a shady VPN service linked to ransomware-as-a-service operations. The investigation revealed a sophisticated network of IP addresses and domain names associated with Hive ransomware and BlackSuit, highlighting the need for thorough incident response beyond traditional methods.

RFP Guide for AI Usage Control and Governance Released

First: 04.03.2026 13:30 · 📰 1 src / 1 article

A new RFP Guide for Evaluating AI Usage Control (AUC) and AI Governance Solutions has been released to help organizations structure their AI security requirements. The guide shifts focus from app proliferation to interaction-level inspection, emphasizing measurable criteria over vague goals. It includes an 8-pillar framework to assess vendor capabilities in AI discovery, contextual awareness, policy governance, real-time enforcement, auditability, architecture fit, deployment, and future-proofing. The guide aims to prevent feature-washing by legacy vendors and ensures enforceable, measurable controls for AI governance.

Lack of Digital Estate Standards Poses Posthumous Deepfake Fraud Risks

First: 04.03.2026 12:45 · 📰 1 src / 1 article

The OpenID Foundation warns of systemic gaps in handling digital accounts of the deceased, which could lead to fraud and exploitation. The absence of global standards for managing devices, email, social media, cryptocurrency, and other accounts after death could be exploited using AI deepfakes for manipulation, disinformation, or profit. The report calls for a coordinated framework to ensure proper access and protection of digital assets post-mortem.