
Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

News Summary

Last updated: 20:00 16/02/2026 UTC
  • UNC5518 Access-as-a-Service Campaign via ClickFix and Fake CAPTCHA Pages: Microsoft has disclosed a DNS-based ClickFix variant that marks the first use of DNS queries to stage and deliver malicious payloads. This new technique abuses the `nslookup` command to retrieve a PowerShell script embedded in the `NAME:` field of a DNS response from an attacker-controlled server (84[.]21.189[.]20), which then deploys ModeloRAT via a Python runtime and VBScript persistence mechanism. Concurrently, ClickFix campaigns continue to evolve with expanded tactics: ConsentFix abuses Azure CLI OAuth to bypass MFA, CrashFix uses malicious Chrome extensions to trigger browser crashes, and SyncAppvPublishingServer.vbs is repurposed to fetch in-memory loaders from Google Calendar dead drops. Threat actors are also exploiting AI platforms (ChatGPT, Grok, Claude) and Pastebin to distribute browser-based JavaScript payloads, targeting cryptocurrency transactions directly. Earlier phases of this ecosystem included FileFix (abusing File Explorer’s address bar), MetaStealer (fake Cloudflare Turnstile lures), and CastleLoader-driven Lumma Stealer surges. The latest developments highlight a shift toward DNS staging, trusted platform abuse (Google Groups, Azure CLI, SaaS infrastructure), and cross-platform targeting (Windows/Linux/macOS) with multi-stage loaders (AutoIt, Python, PowerShell) to maximize evasion. The integration of DNS as a C2 channel, browser-native execution, and AI-driven distribution underscores the campaign’s resilience despite 2025 law enforcement disruptions, with actors refining tradecraft to bypass security controls via social engineering, steganography, and legitimate service abuse. Read
  • Microsoft Releases November and December 2025 Patch Tuesday Updates for Windows 11: Microsoft has fully resolved the Windows 11 'UNMOUNTABLE_BOOT_VOLUME' boot failure issue in the February 2026 Patch Tuesday security update (KB5077181), addressing a problem that left commercial systems unbootable after failed December 2025 updates. The issue, which affected Windows 11 versions 25H2 and 24H2, was initially mitigated by the optional KB5074105 preview update but is now considered fully resolved. Devices that became unbootable before the fix may still require manual recovery or enterprise support. Earlier, Microsoft linked the January 2026 boot failures to failed attempts to install the December 2025 security update, which left systems in an unstable state. The company had also released emergency out-of-band updates to fix an unrelated issue causing Microsoft Outlook to freeze when PST files were stored in cloud services. Prior updates included fixes for gaming performance issues, broken localhost HTTP connections, and Windows Recovery Environment (WinRE) problems, alongside cumulative updates for November and December 2025 introducing new features and addressing security vulnerabilities across Windows 11 versions 25H2/24H2 and 23H2. Read
  • Vulnerabilities in Cloud-Based Password Managers Enable Full Vault Compromise: Researchers from ETH Zurich and USI discovered 27 vulnerabilities in Bitwarden, LastPass, Dashlane, and 1Password that could allow attackers to view and modify stored passwords. The flaws challenge the 'zero-knowledge encryption' claims of these services, with attacks ranging from integrity violations to complete vault compromise. The vulnerabilities were disclosed to the vendors, and remediation is underway. The researchers developed attack scenarios exploiting key escrow, vault encryption, sharing, and backwards compatibility features. Bitwarden was found to have a critical flaw in its organization onboarding process, allowing malicious auto-enrolment attacks. 1Password's use of a high-entropy cryptographic key provides it with a security advantage. Dashlane patched a downgrade attack vulnerability in November 2025. Bitwarden is addressing seven issues and accepting three as intentional design decisions. LastPass is working to enhance integrity guarantees. Read
  • Oyster Malware Distributed via Fake Microsoft Teams Installers: A new malvertising campaign uses SEO poisoning to distribute fake Microsoft Teams installers that deploy the Oyster backdoor on Windows devices. The malware, known as OysterLoader, provides attackers with remote access to corporate networks, enabling command execution, payload deployment, and file transfers. The campaign targets users searching for 'Teams download,' leading them to a fake site that mimics Microsoft's official download page. The malicious installer, signed with legitimate certificates, drops a DLL into the %APPDATA%\Roaming folder and creates a scheduled task for persistence. Microsoft revoked over 200 certificates used to sign malicious Teams installers in a wave of Rhysida ransomware attacks in October 2025. The threat group Vanilla Tempest, also tracked as VICE SPIDER and Vice Society, is a financially motivated actor that focuses on deploying ransomware and exfiltrating data for extortion. The Oyster malware, also known as Broomstick and CleanUpLoader, has been linked to multiple campaigns and ransomware operations, such as Rhysida. The campaign was first disclosed by Blackpoint Cyber in September 2025, highlighting how users searching for Teams online were redirected to bogus download pages, where they were offered a malicious MSTeamsSetup.exe instead of the legitimate client. The threat actor used Trusted Signing, SSL.com, DigiCert, and GlobalSign code signing services to sign the malicious installers and other post-compromise tools. In early 2026, OysterLoader evolved with new C2 infrastructure and obfuscation methods, including a multi-stage infection chain and dynamic API resolution to hinder detection and analysis. Read
  • Operation DoppelBrand Phishing Campaign Targets Fortune 500 Firms: A phishing campaign named Operation DoppelBrand has been targeting Fortune 500 companies, including Wells Fargo and USAA, between December 2025 and January 2026. The campaign, attributed to a financially motivated threat actor known as GS7, uses lookalike domains and cloned login portals to harvest credentials. The operation also deploys remote management tools for persistent access and monetizes compromised accounts. The infrastructure is highly automated, with over 150 domains identified, and targets major US financial institutions, investment firms, and technology brands. Read
  • Infostealer Malware Targets OpenClaw Configuration Files: Infostealer malware has been observed stealing OpenClaw configuration files containing API keys, authentication tokens, and other sensitive secrets. This marks the first known instance of such attacks targeting the popular AI assistant framework. The stolen data includes configuration details, authentication tokens, and persistent memory files, which could enable full compromise of the victim's digital identity. The malware, identified as a variant of the Vidar infostealer, executed a broad file-stealing routine that scanned for sensitive keywords. Researchers predict increased targeting of OpenClaw as it becomes more integrated into professional workflows. Additionally, security issues with OpenClaw have prompted the maintainers to partner with VirusTotal to scan for malicious skills uploaded to ClawHub, establish a threat model, and add the ability to audit for potential misconfigurations. Read
  • Increased Use of ClickFix Attacks by Threat Actors: ClickFix attacks, where users are tricked into running malicious commands by copying code from a webpage, have become a significant source of security breaches. These attacks are used by various threat actors, including the Interlock ransomware group and state-sponsored APTs. Recent data breaches at Kettering Health, DaVita, City of St. Paul, and Texas Tech University Health Sciences Centers have been linked to ClickFix-style tactics. A new variant of ClickFix attacks has emerged, targeting cryptocurrency users by abusing Pastebin comments to distribute malicious JavaScript. This attack tricks users into executing code that hijacks Bitcoin swap transactions, redirecting funds to attacker-controlled wallets. The campaign relies on social engineering that promises large profits from a supposed Swapzone.io arbitrage exploit, but instead runs malicious code that modifies the swap process directly within the victim's browser. The attacks exploit user behavior and technical gaps in detection to evade security measures and are delivered through SEO poisoning, malvertising, and other non-email vectors, making them harder to detect and prevent. Effective defense against ClickFix attacks requires browser-based detection and blocking to intercept these threats at the earliest opportunity. Read
Last updated: 20:30 16/02/2026 UTC
  • Lazarus Group Expands Operations with AI-Generated Video, Malware, and Malicious Packages in Cryptocurrency and Defense Sectors: The Lazarus Group, a North Korea-linked threat actor, has expanded its operations to target European defense companies in 2025, leveraging a coordinated Operation DreamJob campaign. The attack involved fake recruitment lures and the deployment of various malware, including the ScoringMathTea RAT. This campaign follows earlier attacks on a decentralized finance (DeFi) organization in 2024, where the group deployed multiple cross-platform malware variants, including PondRAT, ThemeForestRAT, and RemotePE. In 2026, North Korean hackers have been observed using AI-generated video and the ClickFix technique to deliver malware for macOS and Windows to targets in the cryptocurrency sector. The threat actor's goal is financial, as suggested by the role of the tools used in an attack on a fintech company investigated by Google's Mandiant researchers. The attack had a strong social engineering component, with the victim being contacted over Telegram from a compromised executive account. The hackers used a Calendly link to a spoofed Zoom meeting page and showed a deepfake video of a CEO to facilitate the attack. Mandiant researchers found seven distinct macOS malware families attributed to UNC1069, a threat group they've been tracking since 2018. UNC1069 has been active since at least April 2018 and is also tracked under the monikers CryptoCore and MASAN. The group has used generative AI tools like Gemini to produce lure material and other messaging related to cryptocurrency. They have attempted to misuse Gemini to develop code to steal cryptocurrency and have leveraged deepfake images and video lures mimicking individuals in the cryptocurrency industry. 
The group has shifted from spear-phishing techniques and traditional finance (TradFi) targeting towards the Web3 industry since at least 2023, targeting centralized exchanges (CEX), software developers at financial institutions, high-technology companies, and individuals at venture capital funds. In the latest intrusion documented by Google's threat intelligence division, UNC1069 deployed as many as seven unique malware families, including several new malware families such as SILENCELIFT, DEEPBREATH, and CHROMEPUSH. The attack involved a social engineering scheme using a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive the victim. The group used a fake website masquerading as Zoom to deceive victims and reused videos of previous victims to deceive new victims. The attack proceeded with a ClickFix-style troubleshooting command to deliver malware, leading to the deployment of various malicious components designed to gather system information, provide hands-on keyboard access, and steal sensitive data. Additionally, the Lazarus Group has been active since May 2025 with a campaign codenamed graphalgo, involving malicious packages in npm and PyPI repositories. Developers are targeted via social platforms like LinkedIn, Facebook, and Reddit. The campaign includes a fake company named Veltrix Capital in the blockchain and cryptocurrency trading space. Malicious packages are used to deploy a remote access trojan (RAT) that fetches and executes commands from an external server. The RAT supports commands to gather system information, enumerate files and directories, list running processes, create folders, rename files, delete files, and upload/download files. The command-and-control (C2) communication is protected by a token-based mechanism. The campaign checks for the MetaMask browser extension, indicating a focus on cryptocurrency theft. 
A malicious npm package called "duer-js" was found to harbor a Windows information stealer called Bada Stealer, capable of gathering Discord tokens, passwords, cookies, autofill data, cryptocurrency wallet details, and system information. Another malware campaign weaponizes npm to extort cryptocurrency payments from developers during package installation, blocking installation until victims pay 0.1 USDC/ETH to the attacker's wallet. The campaign has been ongoing since at least May 2025 and is characterized by modularity, allowing the threat actor to quickly resume it in case of partial compromise. The threat actor relies on packages published on the npm and PyPI registries that act as downloaders for a remote access trojan (RAT). Researchers found 192 malicious packages related to this campaign, which they dubbed 'Graphalgo'. The threat actor creates fake companies in the blockchain and crypto-trading sectors and publishes job offerings on various platforms, like LinkedIn, Facebook, and Reddit. Developers applying for the job are required to show their skills by running, debugging, and improving a given project, which causes a malicious dependency from a legitimate repository to be installed and executed. The package named 'bigmathutils,' with 10,000 downloads, was benign until it reached version 1.1.0, which introduced malicious payloads. The package was later removed and marked as deprecated. The Graphalgo name of the campaign is derived from packages that have 'graph' in their name, typically impersonating legitimate, popular libraries like graphlib. From December 2025 onward, the North Korean actor shifted to packages with 'big' in their name. The actor uses GitHub Organizations, which are shared accounts for collaboration across multiple projects. Malicious code is introduced indirectly via dependencies hosted on npm and PyPI. 
The RAT can list the running processes on the host, execute arbitrary commands per instructions from the command-and-control (C2) server, and exfiltrate files or drop additional payloads. The RAT checks whether the MetaMask cryptocurrency extension is installed on the victim’s browser, indicating its money-stealing goals. The RAT's C2 communication is token-protected to lock out unauthorized observers, a common tactic for North Korean hackers. ReversingLabs has found multiple variants written in JavaScript, Python, and VBS, showing an intention to cover all possible targets. ReversingLabs attributes the Graphalgo fake recruiter campaign to the Lazarus group with medium-to-high confidence based on the approach, the use of coding tests as an infection vector, and the cryptocurrency-focused targeting, all of which align with previous activity associated with the North Korean threat actor. The delayed activation of malicious code in the packages is consistent with Lazarus' patience displayed in other attacks. The Git commits show the GMT +9 time zone, matching North Korea time. Read
  • Exploitation of Ivanti EPMM Vulnerabilities (CVE-2025-4427, CVE-2025-4428) Leads to Malware Deployment: Two malware strains were discovered in an organization's network after attackers exploited two zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). The vulnerabilities, CVE-2025-4427 and CVE-2025-4428, allow for authentication bypass and remote code execution, respectively. Attackers used these flaws to gain access to the EPMM server, execute arbitrary code, and maintain persistence. The attack began around May 15, 2025, following the publication of a proof-of-concept exploit. The malware sets include loaders that enable arbitrary code execution and data exfiltration. The vulnerabilities affect Ivanti EPMM development branches 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0 and their earlier releases. A China-nexus espionage group was leveraging the vulnerabilities since at least May 15, 2025. The threat actor targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests and used the ?format= parameter to send malicious remote commands. The malware sets include distinct loaders with the same name, and malicious listeners that allow injecting and running arbitrary code on the compromised system. The threat actor delivered the malware through separate HTTP GET requests in segmented, Base64-encoded chunks. Organizations are advised to update their EPMM instances, monitor for suspicious activity, and implement access restrictions to prevent unauthorized access to mobile device management systems. Ivanti has disclosed two additional critical vulnerabilities, CVE-2026-1281 and CVE-2026-1340, which were exploited in zero-day attacks. These code-injection vulnerabilities allow remote attackers to execute arbitrary code on vulnerable devices without authentication. Ivanti has released RPM scripts to mitigate the vulnerabilities and advises applying them as soon as possible. 
The vulnerabilities will be permanently fixed in EPMM version 12.8.0.0, scheduled for release later in Q1 2026. CISA has added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation. The vulnerabilities affect EPMM versions 12.5.0.0 and prior, 12.6.0.0 and prior, and 12.7.0.0 and prior (Fixed in RPM 12.x.0.x), and EPMM 12.5.1.0 and prior and 12.6.1.0 and prior (Fixed in RPM 12.x.1.x). The RPM patch does not survive a version upgrade and must be reapplied if the appliance is upgraded to a new version. The vulnerabilities affect the In-House Application Distribution and the Android File Transfer Configuration features and do not affect other products, including Ivanti Neurons for MDM, Ivanti Endpoint Manager (EPM), or Ivanti Sentry. Successful exploitation of the EPMM appliance will enable arbitrary code execution on the appliance and allow lateral movement to the connected environment. EPMM contains sensitive information about devices managed by the appliance. Legitimate use of the capabilities will result in 200 HTTP response codes in the Apache Access Log, whereas successful or attempted exploitation will cause 404 HTTP response codes. Customers are advised to review EPMM administrators for new or recently changed administrators, authentication configuration, new push applications for mobile devices, configuration changes to applications, new or recently modified policies, and network configuration changes. In the event of compromise, users are advised to restore the EPMM device from a known good backup or build a replacement EPMM and then migrate data to the device. After restoring, users should reset the password of any local EPMM accounts, reset the password for the LDAP and/or KDC service accounts, revoke and replace the public certificate used for EPMM, and reset the password for any other internal or external service accounts configured with the EPMM solution. 
The Dutch Data Protection Authority (AP) and the Council for the Judiciary confirmed that their systems were impacted by cyber attacks exploiting Ivanti EPMM vulnerabilities. Work-related data of AP employees, including names, business email addresses, and telephone numbers, were accessed by unauthorized persons. The European Commission identified traces of a cyber attack that may have resulted in access to names and mobile numbers of some of its staff members. Finland's state information and communications technology provider, Valtori, disclosed a breach that exposed work-related details of up to 50,000 government employees. The attacker gained access to information used in operating the service, including names, work email addresses, phone numbers, and device details. Investigations showed that the management system did not permanently delete removed data but only marked it as deleted, potentially compromising device and user data belonging to all organizations that have used the service during its lifecycle. The European Commission's central infrastructure managing mobile devices discovered signs of a breach on January 30, 2026, which may have resulted in access to staff names and mobile numbers. The Dutch justice and security secretary confirmed that the Council for the Judiciary (Rvdr) and the Dutch Data Protection Authority (AP) were breached, with unauthorized access to work-related data of AP employees, including names, business email addresses, and telephone numbers. Finnish government ICT center Valtori discovered a breach on January 30, 2026, affecting its mobile device management service, potentially exposing details of up to 50,000 government workers. Ivanti released patches for two critical (CVSS 9.8) zero-day bugs in EPMM on January 29, 2026, noting that a very limited number of customers had been exploited at the time of disclosure. 
CVE-2026-1281 and CVE-2026-1340 are code injection flaws that could allow attackers to achieve unauthenticated remote code execution. A significant chunk of the exploitation attempts targeting a newly disclosed security flaw in Ivanti Endpoint Manager Mobile (EPMM) can be traced back to a single IP address on bulletproof hosting infrastructure offered by PROSPERO. GreyNoise recorded 417 exploitation sessions from 8 unique source IP addresses between February 1 and 9, 2026, with 83% originating from 193.24.123[.]42. The same IP address exploited three other CVEs across unrelated software, indicating the use of automated tooling. 85% of the exploitation sessions beaconed home via DNS to confirm target exploitability without deploying malware or exfiltrating data. PROSPERO is linked to another autonomous system called Proton66, which has a history of distributing desktop and Android malware. Defused Cyber reported a "sleeper shell" campaign that deployed a dormant in-memory Java class loader to compromised EPMM instances, indicative of initial access broker tradecraft. Organizations are advised to apply patches, audit internet-facing MDM infrastructure, review DNS logs for OAST-pattern callbacks, monitor for the /mifs/403.jsp path on EPMM instances, and block PROSPERO's autonomous system (AS200593) at the network perimeter level. The European Commission's central infrastructure managing mobile devices was breached on January 30, 2026, resulting in the compromise of staff names and mobile numbers. Valtori, the public managed services provider for Finland's government, was breached on January 30, 2026, affecting around 50,000 individuals associated with the central government. The Dutch Data Protection Authority (AP) and the Council for the Judiciary confirmed breaches on February 6, 2026, naming Ivanti EPMM as the culprit. 
Shadowserver tracked a voluminous wave of attempted attacks concentrated around February 9, 2026, with 83% of exploitation attempts traced to a single IP address on bulletproof hosting infrastructure offered by PROSPERO. The IP address linked to the exploitation attempts was still active as of February 12, 2026. Threat intelligence observations show that a single threat actor is responsible for most of the active exploitation of two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-21962 and CVE-2026-24061. The security issues have been flagged as actively exploited in zero-day attacks in Ivanti's security advisory, where the company also announced hotfixes. Both flaws received a critical severity rating and allow an attacker to inject code without authentication, leading to remote code execution (RCE) on vulnerable systems. A single IP address hosted on bulletproof infrastructure is responsible for over 83% of exploitation activity related to the two vulnerabilities. Between February 1st and 9th, the monitoring platform observed 417 exploitation sessions originating from 8 unique source IP addresses, and centered on CVE-2026-21962 and CVE-2026-24061. The highest volume, 83%, comes from 193[.]24[.]123[.]42, hosted by PROSPERO OOO (AS200593), which Censys analysts marked as a bulletproof autonomous system used to target various software products. A sharp spike occurred on February 8, with 269 recorded sessions in a single day, almost 13 times the daily average of 22 sessions. Of the 417 exploitation sessions, 354 (85%) used OAST-style DNS callbacks to verify command execution capability, pointing to initial access broker activity. The PROSPERO OOO IP address is not limited to Ivanti targeting, as it simultaneously exploited three more vulnerabilities: CVE-2026-21962 in Oracle WebLogic, CVE-2026-24061 in GNU Inetutils Telnetd, and CVE-2025-24799 in GLPI. 
The Oracle WebLogic flaw had the lion’s share in session volumes, dwarfing the rest with 2,902 sessions, followed by the Telnetd issue with 497 sessions. Exploitation activity appears fully automated, rotating between three hundred user agents. Ivanti's fixes for CVE-2026-1281 and CVE-2026-1340 are not permanent. The company promised to release complete patches in the first quarter of this year, with the release of EPMM version 12.8.0.0. Until then, it is recommended to use RPM packages 12.x.0.x for EPMM versions 12.5.0.x, 12.6.0.x, and 12.7.0.x, and RPM 12.x.1.x for EPMM versions 12.5.1.0 and 12.6.1.0. Read
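The item above gives three concrete log-review signals for EPMM appliances: the /mifs/rs/api/v2/ endpoint queried with a ?format= parameter, hits on the /mifs/403.jsp path, and 404 responses where legitimate use of the affected features returns 200. The script below is an added example written for this page, not Ivanti's or any vendor's tooling. It assumes the appliance's Apache access log is in the standard combined format, the sample log lines are constructed (TEST-NET addresses, and the resource name under /mifs/rs/api/v2/ is a placeholder), and it treats each signal as a triage flag to be reviewed alongside the administrator, policy and configuration checks the advisory recommends rather than as proof of compromise.

```python
"""Triage an EPMM Apache access log for the request patterns named in the
Ivanti EPMM advisories summarised above. Added example, not vendor code."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format (assumption: the appliance writes this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample lines. 198.51.100.7 plays the scanner; 203.0.113.5 is a
# legitimate administrator. "example-resource" is a placeholder path segment.
SAMPLE_LOG = """\
198.51.100.7 - - [09/Feb/2026:10:01:12 +0000] "GET /mifs/rs/api/v2/example-resource?format=json HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Feb/2026:10:01:13 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Feb/2026:10:02:40 +0000] "GET /mifs/rs/api/v2/example-resource HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Feb/2026:10:03:01 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 3072 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Feb/2026:10:05:00 +0000] "GET /mifs/rs/api/v2/example-resource?format=xml HTTP/1.1" 404 512 "-" "curl/8.0"
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of advisory-derived reasons this request deserves review."""
    parts = urlsplit(entry["target"])
    path, query = parts.path, parse_qs(parts.query)
    reasons = []
    if path == "/mifs/403.jsp":
        reasons.append("hit on /mifs/403.jsp")
    if path.startswith("/mifs/rs/api/v2/") and "format" in query:
        reasons.append("format= parameter on /mifs/rs/api/v2/")
    # Legitimate use of the affected features returns 200; attempted or
    # successful exploitation was reported to leave 404s in the access log.
    if path.startswith("/mifs/") and entry["status"] == "404":
        reasons.append("404 on /mifs/ path")
    return reasons


def scan(lines):
    """Parse every line and keep those that match at least one signal."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: skip rather than guess
        reasons = classify(entry)
        if reasons:
            findings.append({"ip": entry["ip"], "target": entry["target"],
                             "status": entry["status"], "reasons": reasons})
    return findings


def top_sources(findings):
    """Count flagged requests per source address to spot automated sources."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f'{f["ip"]} {f["status"]} {f["target"]} <- {", ".join(f["reasons"])}')
    print("flagged requests per source:", dict(top_sources(hits)))
```

Run against a real appliance log with `scan(open(path).readlines())`; a source that dominates `top_sources` across many 404s and `format=` probes matches the automated, single-source pattern GreyNoise and Shadowserver describe in the item, and is the first thing to cross-check against the administrator, policy and network-configuration review list above.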
  • Zscaler Acquires SquareX to Enhance Browser Security: Zscaler has acquired SquareX, a browser security firm, to integrate its Browser Detection and Response (BDR) solution into its Zero Trust Exchange platform. The acquisition aims to extend security to unmanaged devices, allowing organizations to secure users within their preferred browsers like Google Chrome and Microsoft Edge without needing a full agent or a separate enterprise browser. The deal closed on February 5, 2026, and is part of Zscaler's strategy to enhance its security capabilities. SquareX's technology provides real-time threat detection and response directly within the browser, addressing threats like malicious extensions, phishing, and data leakage. Zscaler plans to complete the integration within the next few months, anticipating rapid demand despite SquareX's relatively small installed base. Read
  • VoidLink Malware Framework Targets Cloud and Container Environments: VoidLink is a Linux-based command-and-control (C2) framework capable of long-term intrusion across cloud and enterprise environments. The malware generates implant binaries designed for credential theft, data exfiltration, and stealthy persistence on compromised systems. VoidLink combines multi-cloud targeting with container and kernel awareness in a single Linux implant, fingerprinting environments across major cloud providers and adjusting its behavior based on what it finds. The implant harvests credentials from environment variables, configuration files, and metadata APIs, and profiles security controls, kernel versions, and container runtimes before activating additional modules. VoidLink employs a modular plugin-based architecture that loads functionality as needed, including credential harvesting, environment fingerprinting, container escape, Kubernetes privilege escalation, and kernel-level stealth. The malware uses AES-256-GCM over HTTPS for encrypted C2 traffic, designed to resemble normal web activity. VoidLink stands out for its apparent development using a large language model (LLM) coding agent with limited human review, as indicated by unusual development artifacts such as structured "Phase X:" labels, verbose debug logs, and documentation left inside the production binary. The research concludes that VoidLink is not a proof-of-concept but an operational implant with live infrastructure, highlighting how AI-assisted development is lowering the barrier to producing functional, modular, and hard-to-detect malware. A previously unknown threat actor tracked as UAT-9921 has been observed leveraging VoidLink in campaigns targeting the technology and financial services sectors. UAT-9921 has been active since 2019, although they have not necessarily used VoidLink over the duration of their activity. 
The threat actor uses compromised hosts to install VoidLink command-and-control (C2), which are then used to launch scanning activities both internal and external to the network. VoidLink is deployed as a post-compromise tool, allowing the adversary to sidestep detection. The threat actor has been observed deploying a SOCKS proxy on compromised servers to launch scans for internal reconnaissance and lateral movement using open-source tools like Fscan. VoidLink uses three different programming languages: ZigLang for the implant, C for the plugins, and GoLang for the backend. The framework supports compilation on demand for plugins, providing support for the different Linux distributions that might be targeted. The plugins allow for gathering information, lateral movement, and anti-forensics. VoidLink comes fitted with a wide range of stealth mechanisms to hinder analysis, prevent its removal from the infected hosts, and even detect endpoint detection and response (EDR) solutions and devise an evasion strategy on the fly. VoidLink has an auditability feature and a role-based access control (RBAC) mechanism, which consists of three role levels: SuperAdmin, Operator, and Viewer. There are signs that there exists a main implant that has been compiled for Windows and can load plugins via a technique called DLL side-loading. Read
  • Transparent Tribe Targets Indian Government with Dual-Platform Malware Campaign: APT36, also known as Transparent Tribe, is targeting both Windows and BOSS Linux systems in ongoing attacks against Indian government and defense entities. The campaign, active since June 2025, involves phishing emails delivering malicious .desktop files disguised as PDFs. The malware facilitates data exfiltration, persistent espionage access, and includes anti-debugging and anti-sandbox checks. The malware also targets the Kavach 2FA solution used by Indian government agencies. The attack leverages the .desktop file's 'Exec=' field to execute a sequence of shell commands that download and run a Go-based ELF payload. The payload establishes persistence through cron jobs and systemd services, and communicates with a C2 server via a WebSocket channel. The technique allows APT36 to evade detection by abusing a legitimate Linux feature that is not typically monitored for threats. The campaign demonstrates APT36's evolving tactics, becoming more evasive and sophisticated. The campaign uses dedicated staging servers for malware distribution, transitioning from cloud storage platforms. The malware includes multiple persistence methods and supports commands for file browsing, collection, and remote execution. The campaign is part of a broader trend of targeted activity by South and East Asian threat actors, reflecting a trend toward purpose-built malware and infrastructure. Indian government entities have been targeted in two campaigns codenamed Gopher Strike and Sheet Attack. Gopher Strike leveraged phishing emails to deliver PDF documents with a blurred image and a fake Adobe Acrobat Reader DC update dialog. The campaign uses server-side checks to prevent automated URL analysis tools from fetching the ISO file, ensuring delivery only to intended targets in India. 
The malicious payload is a Golang-based downloader called GOGITTER, which creates a VBScript file to fetch commands from C2 servers. GOGITTER sets up persistence using a scheduled task to run the VBScript file every 50 minutes. GOGITTER downloads a ZIP file from a private GitHub repository and executes a lightweight Golang-based backdoor called GITSHELLPAD. GITSHELLPAD polls the C2 server every 15 seconds for commands and supports six different commands including cd, run, upload, and download. The results of command execution are stored in a file called "result.txt" and uploaded to the GitHub account. The threat actor also downloads RAR archives containing utilities to gather system information and drop GOSHELL, a bespoke Golang-based loader. GOSHELL's size was artificially inflated to approximately 1 gigabyte to evade detection by antivirus software. GOSHELL only executes on specific hostnames by comparing the victim's hostname against a hard-coded list. APT36 and SideCopy are launching cross-platform RAT campaigns against Indian entities using malware families like Geta RAT, Ares RAT, and DeskRAT. The campaigns use phishing emails with malicious attachments or download links to deliver the malware, which provides persistent remote access, system reconnaissance, data collection, and command execution. Geta RAT supports various commands including system information collection, process enumeration, credential gathering, and file operations. Ares RAT is a Python-based RAT that can run commands issued by the threat actor. DeskRAT is delivered via a rogue PowerPoint Add-In file with embedded macros. The campaigns target Indian defense, government, and strategic sectors, demonstrating a well-resourced, espionage-focused threat actor deliberately targeting these sectors through defense-themed lures, impersonated official documents, and regionally trusted infrastructure. Read
  • State-Backed Hackers Abuse AI Models for Advanced Cyber Attacks Google's Threat Intelligence Group (GTIG) has identified new malware families that leverage artificial intelligence (AI) and large language models (LLMs) for dynamic self-modification during execution. These malware families, including PromptFlux, PromptSteal, FruitShell, QuietVault, and PromptLock, demonstrate advanced capabilities for evading detection and maintaining persistence. PromptFlux, an experimental VBScript dropper, uses Google's LLM Gemini to generate obfuscated VBScript variants and evade antivirus software. It attempts persistence via Startup folder entries and spreads laterally on removable drives and mapped network shares. The malware is in a development or testing phase and is assessed to be financially motivated. PromptSteal is a data miner written in Python that queries the LLM Qwen2.5-Coder-32B-Instruct to generate one-line Windows commands to collect information and documents in specific folders and send the data to a command-and-control (C2) server. It is used by the Russian state-sponsored actor APT28 in attacks targeting Ukraine. State-backed hackers from China (APT31, Temp.HEX), Iran (APT42), North Korea (UNC2970), and Russia have used Gemini AI for all stages of an attack, including reconnaissance, phishing lure creation, C2 development, and data exfiltration. Chinese threat actors used Gemini to automate vulnerability analysis and provide targeted testing plans against specific US-based targets. Iranian adversary APT42 leveraged Gemini for social engineering campaigns and to speed up the creation of tailored malicious tools. The use of AI in malware enables adversaries to create more versatile and adaptive threats, posing significant challenges for cybersecurity defenses. The underground market for AI-powered cybercrime tools is also growing, with offerings ranging from deepfake generation to malware development and vulnerability exploitation.

Latest updates

Eurail Data Breach: Stolen Customer Data Sold on Dark Web

Updated: · First: 16.02.2026 21:19 · 📰 1 src / 1 articles

Eurail B.V., the operator of Eurail and Interrail passes, confirmed that data stolen in a breach earlier this year is now being sold on the dark web. The stolen data includes full names, passport details, ID numbers, bank account IBANs, health information, and contact details. Eurail is still investigating the extent of the data compromise and the number of affected customers. The company has notified data protection authorities and advised customers to update passwords and monitor bank accounts for suspicious activity.

Dutch man arrested for refusing to delete accidentally leaked police data

Updated: · First: 16.02.2026 21:13 · 📰 1 src / 1 articles

A 40-year-old man in the Netherlands was arrested for downloading and refusing to delete confidential police documents that were accidentally shared with him. The man demanded a reward in exchange for deleting the files, leading to his arrest for computer trespassing. The incident began when a police officer mistakenly sent a download link instead of an upload link, and the man downloaded the files despite knowing the error. The Dutch police emphasized the legal obligation to report and refrain from accessing misdirected confidential materials.

Infostealer Malware Targets OpenClaw Configuration Files

Updated: 16.02.2026 20:43 · First: 16.02.2026 19:32 · 📰 2 src / 3 articles

Infostealer malware has been observed stealing OpenClaw configuration files containing API keys, authentication tokens, and other sensitive secrets. This marks the first known instance of such attacks targeting the popular AI assistant framework. The stolen data includes configuration details, authentication tokens, and persistent memory files, which could enable full compromise of the victim's digital identity. The malware, identified as a variant of the Vidar infostealer, executed a broad file-stealing routine that scanned for sensitive keywords. Researchers predict increased targeting of OpenClaw as it becomes more integrated into professional workflows. Additionally, security issues with OpenClaw have prompted the maintainers to partner with VirusTotal to scan for malicious skills uploaded to ClawHub, establish a threat model, and add the ability to audit for potential misconfigurations.

Vulnerabilities in Cloud-Based Password Managers Enable Full Vault Compromise

Updated: 16.02.2026 20:06 · First: 16.02.2026 19:15 · 📰 2 src / 3 articles

Researchers from ETH Zurich and USI discovered 27 vulnerabilities in Bitwarden, LastPass, Dashlane, and 1Password that could allow attackers to view and modify stored passwords. The flaws challenge the 'zero-knowledge encryption' claims of these services, with attacks ranging from integrity violations to complete vault compromise. The vulnerabilities were disclosed to the vendors, and remediation is underway. The researchers developed attack scenarios exploiting key escrow, vault encryption, sharing, and backwards compatibility features. Bitwarden was found to have a critical flaw in its organization onboarding process, allowing malicious auto-enrolment attacks. 1Password's use of a high-entropy cryptographic key provides it with a security advantage. Dashlane patched a downgrade attack vulnerability in November 2025. Bitwarden is addressing seven issues and accepting three as intentional design decisions. LastPass is working to enhance integrity guarantees.

UK NCSC Reports Significant Increase in Nationally Significant Cyber Incidents

Updated: 16.02.2026 18:30 · First: 14.10.2025 11:45 · 📰 4 src / 4 articles

The UK’s National Cyber Security Centre (NCSC) reported 204 nationally significant cyber incidents between September 2024 and August 2025, a 130% increase from the previous year. Recent high-profile attacks on Marks & Spencer, the Co-op Group, and Jaguar Land Rover highlighted the real-world impact of cyber threats. The NCSC emphasized the need for urgent action from business leaders to enhance cybersecurity defenses. The NCSC's 2025 Annual Review included a letter from the CEO of the Co-op Group, emphasizing the responsibility of senior leaders in protecting their businesses. The NCSC launched the Cyber Action Toolkit to help small organizations improve their cyber defenses. Additionally, the NCSC issued an alert to critical national infrastructure (CNI) providers about severe cyber threats targeting CNI, following coordinated cyber-attacks on Poland's energy infrastructure in December. NCSC CEO Richard Horne warned that SMEs are wrong to assume they won't be targeted by cyber-attacks and urged them to adopt Cyber Essentials certification to protect against common cybersecurity threats.

Oyster Malware Distributed via Fake Microsoft Teams Installers

Updated: 16.02.2026 18:15 · First: 27.09.2025 22:49 · 📰 5 src / 6 articles

A new malvertising campaign uses SEO poisoning to distribute fake Microsoft Teams installers that deploy the Oyster backdoor on Windows devices. The malware, known as OysterLoader, provides attackers with remote access to corporate networks, enabling command execution, payload deployment, and file transfers. The campaign targets users searching for 'Teams download,' leading them to a fake site that mimics Microsoft's official download page. The malicious installer, signed with legitimate certificates, drops a DLL into the %APPDATA%\Roaming folder and creates a scheduled task for persistence. Microsoft revoked over 200 certificates used to sign malicious Teams installers in a wave of Rhysida ransomware attacks in October 2025. The threat group Vanilla Tempest, also tracked as VICE SPIDER and Vice Society, is a financially motivated actor that focuses on deploying ransomware and exfiltrating data for extortion. The Oyster malware, also known as Broomstick and CleanUpLoader, has been linked to multiple campaigns and ransomware operations, such as Rhysida. The campaign was first disclosed by Blackpoint Cyber in September 2025, highlighting how users searching for Teams online were redirected to bogus download pages, where they were offered a malicious MSTeamsSetup.exe instead of the legitimate client. The threat actor used Trusted Signing, SSL.com, DigiCert, and GlobalSign code signing services to sign the malicious installers and other post-compromise tools. In early 2026, OysterLoader evolved with new C2 infrastructure and obfuscation methods, including a multi-stage infection chain and dynamic API resolution to hinder detection and analysis.

Operation DoppelBrand Phishing Campaign Targets Fortune 500 Firms

Updated: · First: 16.02.2026 17:45 · 📰 1 src / 1 articles

A phishing campaign named Operation DoppelBrand has been targeting Fortune 500 companies, including Wells Fargo and USAA, between December 2025 and January 2026. The campaign, attributed to a financially motivated threat actor known as GS7, uses lookalike domains and cloned login portals to harvest credentials. The operation also deploys remote management tools for persistent access and monetizes compromised accounts. The infrastructure is highly automated, with over 150 domains identified, and targets major US financial institutions, investment firms, and technology brands.

ISO/IEC 27001 Compliance with Passkey Authentication

Updated: · First: 16.02.2026 17:02 · 📰 1 src / 1 articles

Organizations transitioning from password-based authentication to passkeys must align with ISO/IEC 27001 compliance requirements. Passkeys, built on FIDO2 and WebAuthn standards, offer significant security improvements by eliminating password-related vulnerabilities. The transition involves mapping passkey adoption to specific ISO/IEC 27001 controls, assessing risks, and documenting procedures to meet compliance standards. Real-world implementations show reduced help desk calls and improved authentication success rates, but challenges such as downgrade attacks and account recovery complexity remain.

Fake AI Assistant Extensions in Google Chrome Web Store Exfiltrate Credentials and Monitor Emails

Updated: 16.02.2026 16:00 · First: 13.02.2026 13:25 · 📰 3 src / 6 articles

Over 260,000 Google Chrome users downloaded fake AI assistant extensions that steal login credentials, monitor emails, and enable remote access. Researchers at LayerX identified over 30 malicious extensions as part of a coordinated campaign called AiFrame. The extensions mimicked popular AI assistants like Claude AI, ChatGPT, Grok, and Google Gemini. The campaign used extension spraying to evade takedowns, directing users to remote infrastructure to avoid detection. The extensions exfiltrate data from Chrome and Gmail to attacker-controlled servers. LayerX warns that these extensions act as general-purpose access brokers, capable of harvesting data and monitoring user behavior. Many extensions have been removed from the Chrome Web Store, but users who downloaded them remain at risk. Additionally, cybersecurity researchers have discovered a malicious Google Chrome extension named CL Suite by @CLMasters (ID: jkphinfhmfkckkcnifhjiplhfoiefffl) that steals TOTP codes for Facebook and Meta Business accounts, Business Manager contact lists, and analytics data. The extension exfiltrates data to infrastructure controlled by the threat actor, including a backend at getauth[.]pro and a Telegram channel. The extension has 33 users as of writing and was first uploaded to the Chrome Web Store on March 1, 2025. About 500,000 VKontakte users have had their accounts silently hijacked through Chrome extensions masquerading as VK customization tools. The large-scale campaign has been codenamed VK Styles. The malware embedded in the extensions is designed to engage in active account manipulation by automatically subscribing users to the attacker's VK groups, resetting account settings every 30 days to override user preferences, manipulating CSRF tokens to bypass VK's security protections, and maintaining persistent control. A report published by Q Continuum found a huge collection of 287 Chrome extensions that exfiltrate browsing history to data brokers. These extensions have 37.4 million installations, representing roughly 1% of the global Chrome userbase.

Malicious Outlook Add-in Hijacked to Steal 4,000 Microsoft Credentials

Updated: · First: 16.02.2026 14:55 · 📰 1 src / 1 articles

A legitimate AgreeTo Outlook add-in was hijacked and turned into a phishing kit, stealing over 4,000 Microsoft account credentials. The attackers seized control of an abandoned domain associated with the add-in to serve a fake Microsoft login page. This incident highlights how overlooked and abandoned assets can become attack vectors. The add-in, distributed through Microsoft's store, ran inside Outlook, where users handle sensitive communications. It could request permissions to read and modify emails, exploiting the implicit trust in Microsoft's store. Microsoft has since removed the add-in from its store.

Critical Pre-Auth RCE Vulnerability in BeyondTrust Remote Support and PRA

Updated: 16.02.2026 14:33 · First: 09.02.2026 10:03 · 📰 6 src / 10 articles

BeyondTrust has patched a critical pre-authentication remote code execution (RCE) vulnerability (CVE-2026-1731, CVSS 9.9) in Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw could allow unauthenticated attackers to execute OS commands in the context of the site user, leading to unauthorized access, data exfiltration, and service disruption. The vulnerability affects RS versions 25.3.1 and prior, and PRA versions 24.3.4 and prior. Patches are available in RS versions 25.3.2 and later, and PRA versions 25.1.1 and later. Self-hosted customers must manually apply updates if not subscribed to automatic updates. The vulnerability was discovered on January 31, 2026, with approximately 11,000 exposed instances identified, including around 8,500 on-prem deployments. BeyondTrust secured all RS/PRA cloud systems by February 2, 2026. The flaw was discovered by Harsh Jaiswal and the Hacktron AI team. Threat actors can exploit the flaw through maliciously crafted client requests in low-complexity attacks that do not require user interaction. In June 2025, BeyondTrust fixed a high-severity RS/PRA Server-Side Template Injection vulnerability. Attackers have begun actively exploiting the CVE-2026-1731 vulnerability in the wild, abusing the get_portal_info endpoint to extract the x-ns-company value before establishing a WebSocket channel. A proof-of-concept exploit targeting the /get_portal_info endpoint was published on GitHub. CISA has added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) catalog and ordered U.S. government agencies to secure their systems against the flaw by February 16, 2026. CISA also added four other vulnerabilities to its KEV catalog, including CVE-2026-20700, CVE-2025-15556, CVE-2025-40536, and CVE-2024-43468. CVE-2024-43468 was patched by Microsoft in October 2024 but is still being exploited in real-world attacks. CISA ordered U.S. government agencies to secure their systems against CVE-2024-43468 by March 5, 2026. CVE-2026-20700 was acknowledged by Apple to have been exploited in sophisticated attacks against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-15556 exploitation has been attributed to the China-linked state-sponsored threat actor Lotus Blossom, delivering a previously undocumented backdoor called Chrysalis.

Lithuania's AI-Driven Cyber Fraud Defense Initiatives

Updated: · First: 16.02.2026 13:55 · 📰 1 src / 1 articles

Lithuania is advancing its cybersecurity capabilities through the 'Safe and Inclusive E-Society' mission, focusing on AI-driven fraud defense and digital resilience. The initiative, coordinated by Kaunas University of Technology (KTU) and funded by the government, aims to protect citizens and critical infrastructure from evolving cyber threats, including AI-generated fraud. The mission involves collaboration between universities, cybersecurity firms, and industry associations to develop adaptive, self-learning security solutions. The project addresses the rise of Generative AI (GenAI) and Large Language Models (LLMs) in cybercrime, which enable highly personalized and realistic phishing attacks. Traditional detection methods are becoming ineffective against these advanced threats. Lithuania's efforts include developing AI-powered defense systems for FinTech, critical infrastructure, and public safety, as well as combating disinformation and enhancing cyber threat intelligence.

CVE-2026-2441: Chrome Zero-Day Exploited in the Wild

Updated: 16.02.2026 13:30 · First: 16.02.2026 08:38 · 📰 4 src / 4 articles

Google has released a patch for a high-severity use-after-free vulnerability (CVE-2026-2441) in Chrome's CSSFontFeatureValuesMap, which is actively being exploited. The flaw, discovered by Shaheen Fazim, allows remote attackers to execute arbitrary code within a sandbox via crafted HTML pages. Users are advised to update to versions 145.0.7632.75/76 for Windows and macOS, and 144.0.7559.75 for Linux. This is the first actively exploited zero-day in Chrome for 2026, highlighting the ongoing threat of browser-based vulnerabilities. The vulnerability was disclosed to the vendor on February 11, 2026, only two days before it was patched. The flaw can likely be exploited for arbitrary code execution by getting the targeted user to visit a malicious website, although an additional vulnerability is likely needed to escape the sandbox and achieve complete system takeover. The patch was tagged as "cherry-picked" (or backported) across multiple commits, indicating its importance and urgency. The commit message notes that the patch addresses "the immediate problem" but indicates there's "remaining work" tracked in bug 483936078, suggesting this might be a temporary fix or that related issues still need to be addressed. The update was published on February 13, 2026, and accompanied by an advisory on CVE-2026-2441. Google has restricted access to bug details and links until a majority of users are updated with a fix. Google released eight emergency patches for Chrome in 2025 to protect against actively exploited vulnerabilities.

85% Increase in Crypto Payments to Human Traffickers

Updated: · First: 16.02.2026 12:30 · 📰 1 src / 1 articles

Cryptocurrency inflows to human trafficking operations surged 85% annually, totaling hundreds of millions of dollars. The growth is linked to Southeast Asian scam compounds, online casinos, and Chinese-language money laundering networks on Telegram. The trafficking activities are categorized into international escort services, labor placement agents, prostitution networks, and child sexual abuse material (CSAM) vendors. CSAM networks show increasing overlap with sadistic online extremism (SOE) communities, targeting minors through sextortion schemes. One dark web CSAM site used 5800 crypto addresses, generating over $530,000 since July 2022.

ZeroDayRAT Malware Targets Android and iOS Devices

Updated: 16.02.2026 12:24 · First: 10.02.2026 15:00 · 📰 4 src / 4 articles

A new commercial spyware platform, ZeroDayRAT, is being advertised on Telegram, offering full remote control over compromised Android (versions 5–16) and iOS (up to version 26) devices. The malware provides extensive surveillance capabilities, including real-time tracking, data theft, and financial fraud. It can log app usage, SMS messages, and notifications, activate cameras and microphones, and steal cryptocurrency and banking credentials. Infections are initiated by persuading victims to install malicious binaries via smishing, phishing emails, counterfeit app stores, and links shared through WhatsApp or Telegram. The malware includes a dedicated web-based dashboard that gives a complete overview of the phone's makeup, including device model, SIM, location data, carrier info, app usage, a live activity timeline, and recent SMS messages. Its feature set includes SMS control, a keylogger, microphone feed, screen recorder, bank stealer, and crypto stealer, and it targets online banking apps, UPI platforms, and payment services like Apple Pay and PayPal. The malware is sold openly on Telegram with access to a panel featuring sales, customer support, and platform updates channels. ZeroDayRAT is priced at $2,000, indicating higher-than-average ambitions and the targeting of specific individuals or enterprises. The malware represents a convergence of nation-state-level capabilities with criminal economics, widening the target market for surveillance malware.

Odido Data Breach Exposes 6.2 Million Customer Records

Updated: 16.02.2026 11:30 · First: 12.02.2026 20:18 · 📰 2 src / 2 articles

Dutch telecommunications provider Odido suffered a cyberattack that exposed personal data of 6.2 million customers. The breach occurred in their customer contact system, but no passwords, call logs, or billing information were affected. The company detected the incident on February 7 and has since taken steps to secure their systems and notify affected customers. The exposed data includes full names, addresses, mobile numbers, customer numbers, email addresses, IBANs, dates of birth, and identification data. Odido has reported the breach to the Dutch Data Protection Authority and is working with external cybersecurity experts to mitigate the incident.

ShinyHunters Leak 600K Canada Goose Customer Records

Updated: · First: 16.02.2026 06:45 · 📰 1 src / 1 articles

ShinyHunters, a data extortion group, claims to have stolen over 600,000 Canada Goose customer records containing personal and payment-related data. Canada Goose has not found evidence of a breach in its own systems but is investigating the dataset, which includes customer names, email addresses, phone numbers, billing and shipping addresses, IP addresses, and partial payment card information. The data could be used for targeted phishing, social engineering, and fraud. ShinyHunters denies any link to recent SSO attacks, claiming the data originated from a third-party payment processor breach in August 2025.

UNC5518 Access-as-a-Service Campaign via ClickFix and Fake CAPTCHA Pages

Updated: 16.02.2026 02:29 · First: 21.08.2025 19:25 · 📰 26 src / 34 articles

Microsoft has disclosed a **DNS-based ClickFix variant** that marks the first use of DNS queries to stage and deliver malicious payloads. This new technique abuses the `nslookup` command to retrieve a PowerShell script embedded in the `NAME:` field of a DNS response from an attacker-controlled server (84[.]21.189[.]20), which then deploys **ModeloRAT** via a Python runtime and VBScript persistence mechanism. Concurrently, ClickFix campaigns continue to evolve with expanded tactics: **ConsentFix** abuses Azure CLI OAuth to bypass MFA, **CrashFix** uses malicious Chrome extensions to trigger browser crashes, and **SyncAppvPublishingServer.vbs** is repurposed to fetch in-memory loaders from Google Calendar dead drops. Threat actors are also exploiting AI platforms (ChatGPT, Grok, Claude) and Pastebin to distribute browser-based JavaScript payloads, targeting cryptocurrency transactions directly. Earlier phases of this ecosystem included **FileFix** (abusing File Explorer’s address bar), **MetaStealer** (fake Cloudflare Turnstile lures), and **CastleLoader**-driven Lumma Stealer surges. The latest developments highlight a shift toward **DNS staging**, **trusted platform abuse** (Google Groups, Azure CLI, SaaS infrastructure), and **cross-platform targeting** (Windows/Linux/macOS) with multi-stage loaders (AutoIt, Python, PowerShell) to maximize evasion. The integration of **DNS as a C2 channel**, **browser-native execution**, and **AI-driven distribution** underscores the campaign’s resilience despite 2025 law enforcement disruptions, with actors refining tradecraft to bypass security controls via social engineering, steganography, and legitimate service abuse.

Microsoft Releases November and December 2025 Patch Tuesday Updates for Windows 11

Updated: 16.02.2026 00:08 · First: 14.10.2025 20:46 · 📰 11 src / 16 articles

Microsoft has fully resolved the Windows 11 'UNMOUNTABLE_BOOT_VOLUME' boot failure issue in the February 2026 Patch Tuesday security update (KB5077181), addressing a problem that left commercial systems unbootable after failed December 2025 updates. The issue, which affected Windows 11 versions 25H2 and 24H2, was initially mitigated by the optional KB5074105 preview update but is now considered fully resolved. Devices that became unbootable before the fix may still require manual recovery or enterprise support. Earlier, Microsoft linked the January 2026 boot failures to failed attempts to install the December 2025 security update, which left systems in an unstable state. The company had also released emergency out-of-band updates to fix an unrelated issue causing Microsoft Outlook to freeze when PST files were stored in cloud services. Prior updates included fixes for gaming performance issues, broken localhost HTTP connections, and Windows Recovery Environment (WinRE) problems, alongside cumulative updates for November and December 2025 introducing new features and addressing security vulnerabilities across Windows 11 versions 25H2/24H2 and 23H2.

Increased Use of ClickFix Attacks by Threat Actors

Updated: 15.02.2026 17:17 · First: 20.10.2025 14:55 · 📰 2 src / 3 articles

ClickFix attacks, where users are tricked into running malicious commands by copying code from a webpage, have become a significant source of security breaches. These attacks are used by various threat actors, including the Interlock ransomware group and state-sponsored APTs. Recent data breaches at Kettering Health, DaVita, City of St. Paul, and Texas Tech University Health Sciences Centers have been linked to ClickFix-style tactics. A new variant of ClickFix attacks has emerged, targeting cryptocurrency users by abusing Pastebin comments to distribute malicious JavaScript. This attack tricks users into executing code that hijacks Bitcoin swap transactions, redirecting funds to attacker-controlled wallets. The campaign relies on social engineering that promises large profits from a supposed Swapzone.io arbitrage exploit, but instead runs malicious code that modifies the swap process directly within the victim's browser. The attacks exploit user behavior and technical gaps in detection to evade security measures and are delivered through SEO poisoning, malvertising, and other non-email vectors, making them harder to detect and prevent. Effective defense against ClickFix attacks requires browser-based detection and blocking to intercept these threats at the earliest opportunity.

Exploitation of Ivanti EPMM Vulnerabilities (CVE-2025-4427, CVE-2025-4428) Leads to Malware Deployment

Updated: 14.02.2026 18:02 · First: 19.09.2025 07:10 · 📰 9 src / 13 articles

Two malware strains were discovered in an organization's network after attackers exploited two zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). The vulnerabilities, CVE-2025-4427 and CVE-2025-4428, allow for authentication bypass and remote code execution, respectively. Attackers used these flaws to gain access to the EPMM server, execute arbitrary code, and maintain persistence. The attack began around May 15, 2025, following the publication of a proof-of-concept exploit. The malware sets include loaders that enable arbitrary code execution and data exfiltration. The vulnerabilities affect Ivanti EPMM development branches 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0 and their earlier releases. A China-nexus espionage group was leveraging the vulnerabilities since at least May 15, 2025. The threat actor targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests and used the ?format= parameter to send malicious remote commands. The malware sets include distinct loaders with the same name, and malicious listeners that allow injecting and running arbitrary code on the compromised system. The threat actor delivered the malware through separate HTTP GET requests in segmented, Base64-encoded chunks. Organizations are advised to update their EPMM instances, monitor for suspicious activity, and implement access restrictions to prevent unauthorized access to mobile device management systems. Ivanti has disclosed two additional critical vulnerabilities, CVE-2026-1281 and CVE-2026-1340, which were exploited in zero-day attacks. These code-injection vulnerabilities allow remote attackers to execute arbitrary code on vulnerable devices without authentication. Ivanti has released RPM scripts to mitigate the vulnerabilities and advises applying them as soon as possible. The vulnerabilities will be permanently fixed in EPMM version 12.8.0.0, scheduled for release later in Q1 2026. 
CISA has added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation. The vulnerabilities affect EPMM versions 12.5.0.0 and prior, 12.6.0.0 and prior, and 12.7.0.0 and prior (Fixed in RPM 12.x.0.x), and EPMM 12.5.1.0 and prior and 12.6.1.0 and prior (Fixed in RPM 12.x.1.x). The RPM patch does not survive a version upgrade and must be reapplied if the appliance is upgraded to a new version. The vulnerabilities affect the In-House Application Distribution and the Android File Transfer Configuration features and do not affect other products, including Ivanti Neurons for MDM, Ivanti Endpoint Manager (EPM), or Ivanti Sentry. Successful exploitation of the EPMM appliance will enable arbitrary code execution on the appliance and allow lateral movement to the connected environment. EPMM contains sensitive information about devices managed by the appliance. Legitimate use of the capabilities will result in 200 HTTP response codes in the Apache Access Log, whereas successful or attempted exploitation will cause 404 HTTP response codes. Customers are advised to review EPMM administrators for new or recently changed administrators, authentication configuration, new push applications for mobile devices, configuration changes to applications, new or recently modified policies, and network configuration changes. In the event of compromise, users are advised to restore the EPMM device from a known good backup or build a replacement EPMM and then migrate data to the device. After restoring, users should reset the password of any local EPMM accounts, reset the password for the LDAP and/or KDC service accounts, revoke and replace the public certificate used for EPMM, and reset the password for any other internal or external service accounts configured with the EPMM solution. 
The Dutch Data Protection Authority (AP) and the Council for the Judiciary (Rvdr) confirmed that their systems were impacted by cyber attacks exploiting Ivanti EPMM vulnerabilities; the Dutch justice and security secretary confirmed the breaches, in which work-related data of AP employees, including names, business email addresses, and telephone numbers, was accessed by unauthorized persons. The European Commission's central infrastructure managing mobile devices discovered signs of a breach on January 30, 2026, which may have resulted in access to names and mobile numbers of some of its staff members. Finland's state information and communications technology provider, Valtori, discovered a breach of its mobile device management service on January 30, 2026, potentially exposing work-related details of up to 50,000 government employees. The attacker gained access to information used in operating the service, including names, work email addresses, phone numbers, and device details. Investigations showed that the management system did not permanently delete removed data but only marked it as deleted, potentially compromising device and user data belonging to all organizations that have used the service during its lifecycle. Ivanti released patches for two critical (CVSS 9.8) zero-day bugs in EPMM on January 29, 2026, noting that a very limited number of customers had been exploited at the time of disclosure.
CVE-2026-1281 and CVE-2026-1340 are code injection flaws that could allow attackers to achieve unauthenticated remote code execution. A significant chunk of the exploitation attempts targeting a newly disclosed security flaw in Ivanti Endpoint Manager Mobile (EPMM) can be traced back to a single IP address on bulletproof hosting infrastructure offered by PROSPERO. GreyNoise recorded 417 exploitation sessions from 8 unique source IP addresses between February 1 and 9, 2026, with 83% originating from 193.24.123[.]42. The same IP address exploited three other CVEs across unrelated software, indicating the use of automated tooling. 85% of the exploitation sessions beaconed home via DNS to confirm target exploitability without deploying malware or exfiltrating data. PROSPERO is linked to another autonomous system called Proton66, which has a history of distributing desktop and Android malware. Defused Cyber reported a "sleeper shell" campaign that deployed a dormant in-memory Java class loader to compromised EPMM instances, indicative of initial access broker tradecraft. Organizations are advised to apply patches, audit internet-facing MDM infrastructure, review DNS logs for OAST-pattern callbacks, monitor for the /mifs/403.jsp path on EPMM instances, and block PROSPERO's autonomous system (AS200593) at the network perimeter level. The European Commission's central infrastructure managing mobile devices was breached on January 30, 2026, resulting in the compromise of staff names and mobile numbers. Valtori, the public managed services provider for Finland's government, was breached on January 30, 2026, affecting around 50,000 individuals associated with the central government. The Dutch Data Protection Authority (AP) and the Council for the Judiciary confirmed breaches on February 6, 2026, naming Ivanti EPMM as the culprit. 
Shadowserver tracked a voluminous wave of attempted attacks concentrated around February 9, 2026, with 83% of exploitation attempts traced to a single IP address on bulletproof hosting infrastructure offered by PROSPERO. The IP address linked to the exploitation attempts was still active as of February 12, 2026. Threat intelligence observations show that a single threat actor is responsible for most of the active exploitation of two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-21962 and CVE-2026-24061. The security issues have been flagged as actively exploited in zero-day attacks in Ivanti's security advisory, where the company also announced hotfixes. Both flaws received a critical severity rating and allow an attacker to inject code without authentication, leading to remote code execution (RCE) on vulnerable systems. A single IP address hosted on bulletproof infrastructure is responsible for over 83% of exploitation activity related to the two vulnerabilities. Between February 1st and 9th, the monitoring platform observed 417 exploitation sessions originating from 8 unique source IP addresses, and centered on CVE-2026-21962 and CVE-2026-24061. The highest volume, 83%, comes from 193[.]24[.]123[.]42, hosted by PROSPERO OOO (AS200593), which Censys analysts marked as a bulletproof autonomous system used to target various software products. A sharp spike occurred on February 8, with 269 recorded sessions in a single day, almost 13 times the daily average of 22 sessions. Of the 417 exploitation sessions, 354 (85%) used OAST-style DNS callbacks to verify command execution capability, pointing to initial access broker activity. The PROSPERO OOO IP address is not limited to Ivanti targeting, as it simultaneously exploited three more vulnerabilities: CVE-2026-21962 in Oracle WebLogic, CVE-2026-24061 in GNU Inetutils Telnetd, and CVE-2025-24799 in GLPI. 
The Oracle WebLogic flaw had the lion’s share in session volumes, dwarfing the rest with 2,902 sessions, followed by the Telnetd issue with 497 sessions. Exploitation activity appears fully automated, rotating between three hundred user agents. Ivanti's fixes for CVE-2026-1281 and CVE-2026-1340 are not permanent. The company promised to release complete patches in the first quarter of this year, with the release of EPMM version 12.8.0.0. Until then, it is recommended to use RPM packages 12.x.0.x for EPMM versions 12.5.0.x, 12.6.0.x, and 12.7.0.x, and RPM 12.x.1.x for EPMM versions 12.5.1.0 and 12.6.1.0.
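As an added defender-side example (not code from Ivanti, GreyNoise or any of the cited reports), the following Python triages Apache access-log lines from an EPMM appliance for the request patterns described above: GET requests to /mifs/rs/api/v2/ carrying a format= parameter that return 404, Base64-shaped parameter values arriving in repeated requests from one source (the segmented chunk delivery), and hits on /mifs/403.jsp. The log lines, IP addresses, user agents and the chunk threshold are constructed assumptions.

```python
"""Triage EPMM Apache access-log lines for the request patterns described in the
reporting above. Added example; SAMPLE_LOG is constructed, not a real capture."""
import re
from collections import Counter, defaultdict

# Apache combined log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)
API_PREFIX = "/mifs/rs/api/v2/"   # endpoint named in the reporting
PROBE_PATH = "/mifs/403.jsp"      # path the reporting advises monitoring
B64_RE = re.compile(r"^[A-Za-z0-9+/=]{16,}$")  # loose shape check for Base64 chunks

# Constructed sample: one legitimate API call (200), three chunked requests from one
# source (404), one probe of 403.jsp, one ordinary login page hit, one junk line.
SAMPLE_LOG = """\
192.0.2.10 - - [15/May/2025:09:58:01 +0000] "GET /mifs/rs/api/v2/?format=json HTTP/1.1" 200 2048 "-" "EPMM-admin-console"
198.51.100.7 - - [15/May/2025:10:02:11 +0000] "GET /mifs/rs/api/v2/?format=QUFBQUFBQUFBQUFBQUFBQQ== HTTP/1.1" 404 1170 "-" "python-requests/2.31"
198.51.100.7 - - [15/May/2025:10:02:12 +0000] "GET /mifs/rs/api/v2/?format=QkJCQkJCQkJCQkJCQkJCQg== HTTP/1.1" 404 1170 "-" "python-requests/2.31"
198.51.100.7 - - [15/May/2025:10:02:13 +0000] "GET /mifs/rs/api/v2/?format=Q0NDQ0NDQ0NDQ0NDQ0NDQw== HTTP/1.1" 404 1170 "-" "python-requests/2.31"
203.0.113.5 - - [15/May/2025:10:30:00 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 310 "-" "curl/8.4.0"
192.0.2.10 - - [15/May/2025:10:31:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 900 "-" "Mozilla/5.0"
not a log line
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    rec["params"] = dict(
        p.split("=", 1) if "=" in p else (p, "") for p in query.split("&") if p
    )
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Label one parsed request; returns a list of reasons (empty means nothing notable)."""
    reasons = []
    if rec["path"] == PROBE_PATH:
        reasons.append("probe-403jsp")
    if rec["path"].startswith(API_PREFIX) and "format" in rec["params"]:
        # Per the advisory: legitimate use of the API returns 200, exploitation attempts 404.
        if rec["status"] == 404:
            reasons.append("api-format-404")
        if B64_RE.match(rec["params"]["format"]):
            reasons.append("format-base64-shaped")
    return reasons


def triage(lines, chunk_threshold=3):
    """Parse all lines; return per-host findings and the hosts whose flagged request
    count reaches chunk_threshold (the segmented, chunked delivery pattern)."""
    findings = defaultdict(list)
    flagged = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        reasons = classify(rec)
        if reasons:
            findings[rec["host"]].append((rec["time"], rec["target"], rec["status"], reasons))
            flagged[rec["host"]] += 1
    chunked = sorted(h for h, n in flagged.items() if n >= chunk_threshold)
    return dict(findings), chunked


if __name__ == "__main__":
    found, chunk_hosts = triage(SAMPLE_LOG.splitlines())
    for host, hits in found.items():
        for when, target, status, why in hits:
            print(f"{host} {when} {status} {target} -> {', '.join(why)}")
    print("hosts showing chunked delivery:", chunk_hosts)
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; a 200 on the API endpoint with an ordinary format value is left unflagged, so the output is a shortlist to review rather than a verdict.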

Lazarus Group Expands Operations with AI-Generated Video, Malware, and Malicious Packages in Cryptocurrency and Defense Sectors

Updated: 14.02.2026 00:35 · First: 02.09.2025 19:39 · 📰 11 src / 14 articles

The Lazarus Group, a North Korea-linked threat actor, has expanded its operations to target European defense companies in 2025, leveraging a coordinated Operation DreamJob campaign. The attack involved fake recruitment lures and the deployment of various malware, including the ScoringMathTea RAT. This campaign follows earlier attacks on a decentralized finance (DeFi) organization in 2024, where the group deployed multiple cross-platform malware variants, including PondRAT, ThemeForestRAT, and RemotePE. In 2026, North Korean hackers have been observed using AI-generated video and the ClickFix technique to deliver malware for macOS and Windows to targets in the cryptocurrency sector. The threat actor's goal is financial, as suggested by the role of the tools used in an attack on a fintech company investigated by Google's Mandiant researchers. The attack had a strong social engineering component, with the victim being contacted over Telegram from a compromised executive account. The hackers used a Calendly link to a spoofed Zoom meeting page and showed a deepfake video of a CEO to facilitate the attack. Mandiant researchers found seven distinct macOS malware families attributed to UNC1069, a threat group they've been tracking since 2018. UNC1069 has been active since at least April 2018 and is also tracked under the monikers CryptoCore and MASAN. The group has used generative AI tools like Gemini to produce lure material and other messaging related to cryptocurrency. They have attempted to misuse Gemini to develop code to steal cryptocurrency and have leveraged deepfake images and video lures mimicking individuals in the cryptocurrency industry. The group has shifted from spear-phishing techniques and traditional finance (TradFi) targeting towards the Web3 industry since at least 2023, targeting centralized exchanges (CEX), software developers at financial institutions, high-technology companies, and individuals at venture capital funds. 
In the latest intrusion documented by Google's threat intelligence division, UNC1069 deployed as many as seven unique malware families, including several new malware families such as SILENCELIFT, DEEPBREATH, and CHROMEPUSH. The attack involved a social engineering scheme using a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive the victim. The group used a fake website masquerading as Zoom to deceive victims and reused videos of previous victims to deceive new victims. The attack proceeded with a ClickFix-style troubleshooting command to deliver malware, leading to the deployment of various malicious components designed to gather system information, provide hands-on keyboard access, and steal sensitive data. Additionally, the Lazarus Group has been active since May 2025 with a campaign codenamed graphalgo, involving malicious packages in npm and PyPI repositories. Developers are targeted via social platforms like LinkedIn, Facebook, and Reddit. The campaign includes a fake company named Veltrix Capital in the blockchain and cryptocurrency trading space. Malicious packages are used to deploy a remote access trojan (RAT) that fetches and executes commands from an external server. The RAT supports commands to gather system information, enumerate files and directories, list running processes, create folders, rename files, delete files, and upload/download files. The command-and-control (C2) communication is protected by a token-based mechanism. The campaign checks for the MetaMask browser extension, indicating a focus on cryptocurrency theft. A malicious npm package called "duer-js" was found to harbor a Windows information stealer called Bada Stealer, capable of gathering Discord tokens, passwords, cookies, autofill data, cryptocurrency wallet details, and system information. 
Another malware campaign weaponizes npm to extort cryptocurrency payments from developers during package installation, blocking installation until victims pay 0.1 USDC/ETH to the attacker's wallet. The campaign has been ongoing since at least May 2025 and is characterized by modularity, allowing the threat actor to quickly resume it in case of partial compromise. The threat actor relies on packages published on the npm and PyPI registries that act as downloaders for a remote access trojan (RAT). Researchers found 192 malicious packages related to this campaign, which they dubbed 'Graphalgo'. The threat actor creates fake companies in the blockchain and crypto-trading sectors and publishes job offerings on various platforms, like LinkedIn, Facebook, and Reddit. Developers applying for the job are required to show their skills by running, debugging, and improving a given project, which causes a malicious dependency from a legitimate repository to be installed and executed. The package named 'bigmathutils,' with 10,000 downloads, was benign until it reached version 1.1.0, which introduced malicious payloads. The package was later removed and marked as deprecated. The Graphalgo name of the campaign is derived from packages that have 'graph' in their name, typically impersonating legitimate, popular libraries like graphlib. From December 2025 onward, the North Korean actor shifted to packages with 'big' in their name. The actor uses GitHub Organizations, which are shared accounts for collaboration across multiple projects. Malicious code is introduced indirectly via dependencies hosted on npm and PyPI. The RAT can list the running processes on the host, execute arbitrary commands per instructions from the command-and-control (C2) server, and exfiltrate files or drop additional payloads. The RAT checks whether the MetaMask cryptocurrency extension is installed in the victim's browser, indicating its money-stealing goals.
The RAT's C2 communication is token-protected to lock out unauthorized observers, a common tactic for North Korean hackers. ReversingLabs has found multiple variants written in JavaScript, Python, and VBS, showing an intention to cover all possible targets. ReversingLabs attributes the Graphalgo fake recruiter campaign to the Lazarus group with medium-to-high confidence based on the approach, the use of coding tests as an infection vector, and the cryptocurrency-focused targeting, all of which align with previous activity associated with the North Korean threat actor. The delayed activation of malicious code in the packages is consistent with Lazarus' patience displayed in other attacks. The Git commits show the GMT +9 time zone, matching North Korea time.

Zscaler Acquires SquareX to Enhance Browser Security

Updated: 13.02.2026 23:58 · First: 06.02.2026 04:48 · 📰 2 src / 3 articles

Zscaler has acquired SquareX, a browser security firm, to integrate its Browser Detection and Response (BDR) solution into its Zero Trust Exchange platform. The acquisition aims to extend security to unmanaged devices, allowing organizations to secure users within their preferred browsers like Google Chrome and Microsoft Edge without needing a full agent or a separate enterprise browser. The deal closed on February 5, 2026, and is part of Zscaler's strategy to enhance its security capabilities. SquareX's technology provides real-time threat detection and response directly within the browser, addressing threats like malicious extensions, phishing, and data leakage. Zscaler plans to complete the integration within the next few months, anticipating rapid demand despite SquareX's relatively small installed base.

GPUGate Malware Campaign Targets IT Firms in Western Europe

Updated: 13.02.2026 22:21 · First: 08.09.2025 18:02 · 📰 9 src / 22 articles

The **GPUGate malware campaign** continues to evolve, now leveraging **Claude AI artifacts and Google Ads** to distribute **MacSync and AMOS infostealers** via **ClickFix attacks**. Over **15,600 users** have accessed malicious Claude-generated guides, which instruct victims to execute Terminal commands fetching malware payloads. This follows earlier waves abusing **ChatGPT/Grok chats, fake GitHub repositories, and malvertising** to deploy stealers targeting credentials, crypto wallets, and system data. The campaign, active since **April 2023**, has expanded from traditional phishing to **abusing AI ecosystems, supply-chain weaknesses, and trusted platforms** (e.g., Homebrew, LogMeIn, AI assistants). Russian-speaking actors operate **AMOS as a Malware-as-a-Service (MaaS)**, with stolen logs sold in underground markets to fuel fraud, ransomware, and account takeovers. The latest **Claude artifact abuse** underscores the shift toward **high-impact, scalable distribution channels**, exploiting weak platform vetting and user trust in AI-generated content. Organizations should monitor for **suspicious Terminal activity, C2 traffic to domains like `a2abotnet[.]com`, and unauthorized data egress** while educating users on **ClickFix-style lures** and unverified AI tool instructions.

LVMH Brands Fined $25 Million for Inadequate Data Security

Updated: · First: 13.02.2026 20:35 · 📰 1 src / 1 articles

South Korea's Personal Information Protection Commission (PIPC) fined Louis Vuitton, Christian Dior Couture, and Tiffany a total of $25 million for failing to implement adequate security measures, leading to data breaches that exposed over 5.5 million customers' personal information. The breaches occurred due to malware infection, phishing attacks, and inadequate access controls on cloud-based customer management services. The fines were imposed for violations such as not restricting access rights to IP addresses, failing to apply secure authentication methods, and delaying breach notifications beyond the legally required 72-hour window.

PhantomCaptcha Campaign and CANFAIL Malware Attacks Targeting Ukraine Aid and Government Groups

Updated: 13.02.2026 19:27 · First: 22.10.2025 19:55 · 📰 3 src / 4 articles

A coordinated spear-phishing campaign, dubbed PhantomCaptcha, targeted organizations involved in Ukraine's war relief efforts. The campaign delivered a remote access trojan (RAT) using a WebSocket for command-and-control (C2). The attack took place on October 8, 2025, and impersonated the Ukrainian President's Office, using weaponized PDFs and fake Zoom meetings to trick victims into executing malicious PowerShell commands. The malware performed reconnaissance and enabled remote command execution and data exfiltration. The campaign targeted members of the International Red Cross, Norwegian Refugee Council, UNICEF Ukraine, Council of Europe's Register of Damage for Ukraine, and Ukrainian regional government administrations. The malware was hosted on Russian-owned infrastructure and connected to a remote WebSocket server for C2 operations. The campaign took six months to prepare and involved a sophisticated multi-stage spear-phishing operation, with the weaponized PDF appearing as a legitimate governmental communique. The attack chain included a heavily obfuscated PowerShell downloader to bypass signature-based defenses and hinder analysis. The second-stage payload collected various user data, which was XOR-encrypted and sent to the C2 server. The final payload was a lightweight PowerShell backdoor that repeatedly reconnected to the remote WebSocket server. The campaign demonstrated extensive operational planning, compartmentalized infrastructure, and deliberate exposure control, with the infrastructure active only for a single day. A previously undocumented threat actor has been attributed to attacks targeting Ukrainian organizations with malware known as CANFAIL. Google Threat Intelligence Group (GTIG) described the hack group as possibly affiliated with Russian intelligence services. The threat actor is assessed to have targeted defense, military, government, and energy organizations within the Ukrainian regional and national governments. 
The group has also exhibited growing interest in aerospace organizations, manufacturing companies with military and drone ties, nuclear and chemical research organizations, and international organizations involved in conflict monitoring and humanitarian aid in Ukraine.

State-Sponsored Actors Target Defense Industrial Base with Multi-Vector Cyber Operations

Updated: · First: 13.02.2026 18:23 · 📰 1 src / 1 articles

State-sponsored actors from China, Iran, North Korea, and Russia have intensified cyber operations against the defense industrial base (DIB) sector. The attacks focus on defense entities involved in the Russia-Ukraine War, exploitation of hiring processes, use of edge devices for initial access, and supply chain risks from breaches in the manufacturing sector. The campaigns involve sophisticated malware, phishing, and social engineering tactics to evade detection and exfiltrate sensitive data.

VoidLink Malware Framework Targets Cloud and Container Environments

Updated: 13.02.2026 17:23 · First: 13.01.2026 13:57 · 📰 8 src / 14 articles

VoidLink is a Linux-based command-and-control (C2) framework capable of long-term intrusion across cloud and enterprise environments. The malware generates implant binaries designed for credential theft, data exfiltration, and stealthy persistence on compromised systems. VoidLink combines multi-cloud targeting with container and kernel awareness in a single Linux implant, fingerprinting environments across major cloud providers and adjusting its behavior based on what it finds. The implant harvests credentials from environment variables, configuration files, and metadata APIs, and profiles security controls, kernel versions, and container runtimes before activating additional modules. VoidLink employs a modular plugin-based architecture that loads functionality as needed, including credential harvesting, environment fingerprinting, container escape, Kubernetes privilege escalation, and kernel-level stealth. The malware uses AES-256-GCM over HTTPS for encrypted C2 traffic, designed to resemble normal web activity. VoidLink stands out for its apparent development using a large language model (LLM) coding agent with limited human review, as indicated by unusual development artifacts such as structured "Phase X:" labels, verbose debug logs, and documentation left inside the production binary. The research concludes that VoidLink is not a proof-of-concept but an operational implant with live infrastructure, highlighting how AI-assisted development is lowering the barrier to producing functional, modular, and hard-to-detect malware. A previously unknown threat actor tracked as UAT-9921 has been observed leveraging VoidLink in campaigns targeting the technology and financial services sectors. UAT-9921 has been active since 2019, although they have not necessarily used VoidLink over the duration of their activity. 
The threat actor uses compromised hosts to install VoidLink command-and-control (C2) servers, which are then used to launch scanning activities both internal and external to the network. VoidLink is deployed as a post-compromise tool, allowing the adversary to sidestep detection. The threat actor has been observed deploying a SOCKS proxy on compromised servers to launch scans for internal reconnaissance and lateral movement using open-source tools like Fscan. VoidLink uses three different programming languages: Zig for the implant, C for the plugins, and Go for the backend. The framework supports on-demand compilation of plugins, providing support for the different Linux distributions that might be targeted. The plugins allow for gathering information, lateral movement, and anti-forensics. VoidLink comes fitted with a wide range of stealth mechanisms to hinder analysis, prevent its removal from infected hosts, and even detect endpoint detection and response (EDR) solutions and devise an evasion strategy on the fly. VoidLink has an auditability feature and a role-based access control (RBAC) mechanism with three role levels: SuperAdmin, Operator, and Viewer. There are signs of a main implant compiled for Windows that can load plugins via a technique called DLL side-loading.

Criminal IP Integrates with IBM QRadar for Enhanced Threat Intelligence

Updated: · First: 13.02.2026 17:05 · 📰 1 src / 1 articles

Criminal IP has integrated its threat intelligence platform with IBM QRadar SIEM and QRadar SOAR. This integration enables security teams to leverage external IP-based threat intelligence directly within QRadar's detection, investigation, and response workflows. The integration enhances real-time threat visibility, supports interactive investigations, and extends intelligence into automated SOAR workflows, improving detection accuracy and response efficiency.

G7 Nations Rank Cyber Threats as Top Security Risk for Second Consecutive Year

Updated: · First: 13.02.2026 14:30 · 📰 1 src / 1 articles

The Munich Security Index (MSI) 2026 report highlights that G7 nations have identified cyber threats as their most significant risk for the second consecutive year. Cyber-attacks were ranked as the top concern in 2025, followed by economic or financial crises and disinformation campaigns. This trend contrasts with the BICS nations, where cyber threats have fallen to eighth place, with climate change now seen as the most urgent risk. In the UK, US, and India, concerns over various threats have grown, particularly in the US, where economic and political instability is a major concern. The report is based on surveys conducted in November 2025, with a margin of error of 3.1 percent.