Alright team, it's been a packed 24 hours in the cyber world! We've got updates on some serious breaches, evolving malware, critical vulnerabilities, and a fair bit of regulatory action. Let's dive in:
Recent Cyber Attacks & Breaches 🚨
- Japanese semiconductor supplier Advantest is responding to a ransomware attack that impacted several company systems, highlighting a trend of increased targeting of industrial organisations.
- Criminals stole over $20 million in 2025 through ATM jackpotting, using malware like Ploutus to force cash dispensing, a cyber-physical attack on the rise.
- Abu Dhabi Finance Week inadvertently exposed passport details and other identity information of approximately 700 VIP attendees, including former British Prime Minister David Cameron, due to an unprotected cloud storage system.
- A supply chain attack on the `cline` npm package (an AI coding tool) silently installed the OpenClaw AI framework on users' systems; the attackers got their payload in by exploiting a prompt injection vulnerability.
- A Ukrainian national was sentenced to five years in prison for facilitating a North Korean scheme to hire remote IT workers at US companies, funnelling funds to North Korea's munitions programs.
- A now-fixed Microsoft 365 Copilot bug allowed it to summarise confidential emails sitting in Sent Items and Drafts, bypassing the Data Loss Prevention (DLP) policies that should have blocked access.
- Polish authorities have detained a 47-year-old man suspected of ties to the Phobos ransomware group, part of Europol's ongoing Operation Aether.
- A Nigerian man was sentenced to eight years for using Warzone RAT to hack Massachusetts tax firms, stealing client data and filing over 1,000 fraudulent returns for $1.3 million.
🗞️ The Record | https://therecord.media/leading-japanese-semiconductor-supplier-ransomware
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/19/crims_atm_jackpotting/
🌑 Dark Reading | https://www.darkreading.com/cyber-risk/abu-dhabi-finance-week-leaked-vip-passport-details
🌑 Dark Reading | https://www.darkreading.com/application-security/supply-chain-attack-openclaw-cline-users
🤫 CyberScoop | https://cyberscoop.com/doj-ukrainian-north-korea-remote-worker-scheme-facilitator-sentenced/
📰 The Hacker News | https://thehackernews.com/2026/02/threatsday-bulletin-openssl-rce-foxit-0.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/nigerian-man-gets-eight-years-in-prison-for-hacking-tax-firms/
New Threat Research & Tradecraft 🔬
- ESET discovered PromptSpy, the first Android malware to use generative AI (Google Gemini) to adapt its persistence across different devices by interpreting UI elements. It functions as spyware, offering remote control, screen recording, and credential interception.
- Proofpoint uncovered "TrustConnect," a fake Remote Monitoring and Management (RMM) vendor selling a Remote Access Trojan (RAT) as a service (RATaaS), using a legitimate code-signing certificate and an AI-generated website to appear credible. RMM abuse surged 277% in 2025.
- "Starkiller" is a sophisticated Phishing-as-a-Service (PhaaS) kit that defeats MFA by reverse-proxying legitimate login pages in real time (adversary-in-the-middle), capturing both the credentials and the authenticated session tokens. Threat actors are also running device code vishing campaigns against Microsoft Entra accounts: the victim is talked through a legitimate Microsoft OAuth device code flow, so the resulting tokens land with the attacker and MFA is satisfied by the victim rather than bypassed.
- Chinese state-backed Volt Typhoon remains active and embedded in US critical infrastructure, aiming to pre-position for destructive attacks. SYLVANITE, another group, gains initial access to OT systems across various sectors before handing off to Volt Typhoon.
- North Korea's "Contagious Interview" campaign now includes a lightweight JavaScript backdoor aimed at MetaMask, used to steal wallet passwords from IT professionals in the cryptocurrency, Web3, and AI sectors.
- LockBit 5.0 ransomware has evolved, now targeting Windows, Linux, ESXi, and Proxmox with advanced evasion techniques. "ClickFix" campaigns continue to use nested obfuscation and typosquatting (e.g., fake Homebrew sites) to deliver info-stealers and RATs like Matanbuchus 3.0, AstarionRAT, and Cuckoo Stealer.
- Kerberos delegation settings apply to machine (computer) accounts as well as user accounts; an adversary who takes over an account trusted for delegation can leverage it towards Domain Administrator-equivalent privileges, so delegation should be audited on both account types.
- Threat actors are weaponising inadvertently exposed vulnerable training applications (e.g., OWASP Juice Shop) in cloud environments to plant web shells and cryptocurrency miners. Atlassian Jira Cloud trials are also being abused for automated spam campaigns.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/19/genai_malware_android/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/promptspy-is-the-first-known-android-malware-to-use-generative-ai-at-runtime/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/19/rmm_rat_trustconnect/
🌑 Dark Reading | https://www.darkreading.com/threat-intelligence/starkiller-phishing-kit-mfa
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/hackers-target-microsoft-entra-accounts-in-device-code-vishing-attacks/
🗞️ The Record | https://therecord.media/researchers-warn-volt-typhoon-still-active-critical-infrastructure
📰 The Hacker News | https://thehackernews.com/2026/02/threatsday-bulletin-openssl-rce-foxit-0.html
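The device code vishing item above is detectable after the fact because Microsoft Entra sign-in events record which OAuth grant was used. The following is an added example (not code from any of the cited articles) that reads sign-in events exported from Microsoft Graph as JSON lines, flags every successful `deviceCode` sign-in, and rates it against the countries the same user normally signs in from. The sample events and the `EXPECTED_DEVICE_CODE_APPS` allowlist are constructed for the demo and should be replaced with your own tenant's data.

```python
"""Flag OAuth device code sign-ins in Microsoft Entra sign-in logs.

Added example, not from the cited articles. Entra sign-in events exported from
Microsoft Graph carry an `authenticationProtocol` field whose value is
"deviceCode" when the token was obtained through the OAuth device
authorisation flow. The sample events below are constructed for this demo.
"""
import json
from collections import defaultdict

# Constructed sample of sign-in events (JSON lines); not real log data.
SAMPLE_SIGNINS = """
{"createdDateTime":"2026-02-19T09:02:11Z","userPrincipalName":"a.lee@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","location":{"countryOrRegion":"GB"},"status":{"errorCode":0}}
{"createdDateTime":"2026-02-19T09:40:45Z","userPrincipalName":"a.lee@example.com","appDisplayName":"Microsoft Authentication Broker","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}}
{"createdDateTime":"2026-02-19T10:15:02Z","userPrincipalName":"b.ng@example.com","appDisplayName":"Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.22","location":{"countryOrRegion":"GB"},"status":{"errorCode":0}}
{"createdDateTime":"2026-02-19T10:16:30Z","userPrincipalName":"b.ng@example.com","appDisplayName":"Azure CLI","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.22","location":{"countryOrRegion":"GB"},"status":{"errorCode":0}}
{"createdDateTime":"2026-02-19T11:05:00Z","userPrincipalName":"c.ruiz@example.com","appDisplayName":"Microsoft Authentication Broker","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.88","location":{"countryOrRegion":"US"},"status":{"errorCode":50126}}
"""

# Assumption: apps this tenant legitimately expects to authenticate with the
# device code flow (CLI tooling on headless hosts). Tune for your environment.
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI"}


def parse_signins(text):
    """Parse JSON-lines sign-in events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def baseline_countries(events):
    """Countries each user has signed in from successfully via a non-device-code flow."""
    seen = defaultdict(set)
    for ev in events:
        if ev.get("authenticationProtocol") != "deviceCode" and ev["status"]["errorCode"] == 0:
            seen[ev["userPrincipalName"]].add(ev["location"]["countryOrRegion"])
    return seen


def detect_device_code_signins(text):
    """Return one finding per successful device code sign-in, rated by context.

    high   - device code sign-in from a country the user has no baseline for
    medium - known country, but the app is not one we expect to use device code
    low    - known country and an allowlisted app (probably a real CLI login)
    Failed attempts (non-zero errorCode) issued no token and are skipped.
    """
    events = parse_signins(text)
    baseline = baseline_countries(events)
    findings = []
    for ev in events:
        if ev.get("authenticationProtocol") != "deviceCode":
            continue
        if ev["status"]["errorCode"] != 0:
            continue
        user = ev["userPrincipalName"]
        country = ev["location"]["countryOrRegion"]
        app = ev["appDisplayName"]
        known_location = country in baseline.get(user, set())
        if known_location and app in EXPECTED_DEVICE_CODE_APPS:
            severity = "low"
        elif known_location:
            severity = "medium"
        else:
            severity = "high"
        findings.append({
            "time": ev["createdDateTime"],
            "user": user,
            "app": app,
            "ip": ev["ipAddress"],
            "country": country,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in detect_device_code_signins(SAMPLE_SIGNINS):
        print(f"[{f['severity'].upper():6}] {f['time']} {f['user']} via {f['app']} from {f['ip']} ({f['country']})")
```

Run against a real export, the high-severity line is the one to chase: a device code sign-in from a country the user has never used, through an app that no admin enrolled for device code, is the footprint the vishing campaign leaves. The same field is exposed as the `AuthenticationProtocol` column of `SigninLogs` in Microsoft Sentinel, so the filter translates directly into a scheduled analytics rule.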
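For the Kerberos delegation item above, the practical check is to read the delegation bits of `userAccountControl` on every account, computers included, rather than only on users. The following is an added example (not code from any of the cited articles) that audits a constructed CSV export of `sAMAccountName`, `userAccountControl` and `msDS-AllowedToDelegateTo`, the attributes you would pull with `Get-ADComputer`/`Get-ADUser` and `Export-Csv`; the flag values are the documented `ADS_USER_FLAG_ENUM` bits, and the sample rows are made up for the demo.

```python
"""Audit Kerberos delegation on user and computer accounts.

Added example, not from the cited articles. Input is a CSV export of
sAMAccountName, userAccountControl and msDS-AllowedToDelegateTo; the rows
below are constructed for the demo.
"""
import csv
import io

# userAccountControl bit flags (ADS_USER_FLAG_ENUM).
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000               # domain controllers
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained + protocol transition

# Constructed export: a DC, a web server with unconstrained delegation, two
# servers with constrained delegation, and a service user with unconstrained.
SAMPLE_EXPORT = """sAMAccountName,userAccountControl,msDS-AllowedToDelegateTo
DC01$,532480,
WEB01$,528384,
SQL01$,16781312,cifs/fs01.corp.example
APP02$,4096,HOST/fs01.corp.example
svc_backup,525312,
"""


def classify(uac, allowed_to):
    """Map the delegation bits and target list to (severity, description).

    Unconstrained delegation lets the account impersonate any user that
    authenticates to it, so it is rated high unless the account is a DC,
    where it is the default. Protocol transition (TrustedToAuthForDelegation)
    lets the account obtain tickets for users without their credentials, so
    it outranks plain Kerberos-only constrained delegation.
    """
    is_dc = bool(uac & UF_SERVER_TRUST_ACCOUNT)
    if uac & UF_TRUSTED_FOR_DELEGATION:
        if is_dc:
            return ("info", "unconstrained (expected on domain controller)")
        return ("high", "unconstrained delegation")
    if allowed_to:
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            return ("medium", "constrained with protocol transition")
        return ("low", "constrained, Kerberos only")
    return None


def audit_delegation(csv_text):
    """Return {account: {type, severity, delegation}} for every delegating account."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        uac = int(row["userAccountControl"])
        result = classify(uac, row["msDS-AllowedToDelegateTo"].strip())
        if result is None:
            continue
        is_computer = bool(uac & (UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT))
        findings[row["sAMAccountName"]] = {
            "type": "computer" if is_computer else "user",
            "severity": result[0],
            "delegation": result[1],
        }
    return findings


if __name__ == "__main__":
    for name, f in audit_delegation(SAMPLE_EXPORT).items():
        print(f"[{f['severity'].upper():6}] {name:12} {f['type']:8} {f['delegation']}")
```

The member server `WEB01$` comes out alongside the service user `svc_backup` as high: a compromised host with unconstrained delegation caches the TGTs of everyone who authenticates to it, which is the path to Domain Admin-equivalent access the item warns about. Run the audit on both account types and treat any non-DC computer in the high bucket as a finding, not a default.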
Vulnerabilities & Active Exploitation ⚠️
- CISA has ordered federal agencies to patch a maximum-severity hardcoded-credential vulnerability (CVE-2026-22769) in Dell RecoverPoint within three days, as it's been actively exploited since mid-2024 by Chinese group UNC6201.
- Critical Ivanti Endpoint Manager Mobile (EPMM) flaws (CVE-2026-1281, CVE-2026-1340) are being actively exploited to deploy reverse shells, web shells, and malware like Nezha and cryptocurrency miners.
- A critical (CVSS 9.3) unauthenticated RCE flaw (CVE-2026-2329) in Grandstream GXP1600 series VoIP phones allows remote attackers to gain root privileges and silently eavesdrop on calls.
- Microsoft patched a high-severity privilege escalation (CVE-2026-26119) in Windows Admin Center, allowing an authenticated attacker to elevate privileges over a network.
- OpenSSL fixed a stack buffer overflow (CVE-2025-15467) in its Cryptographic Message Syntax (CMS) data processing that could lead to Remote Code Execution (RCE) under certain conditions.
- Researchers discovered 16 vulnerabilities in Foxit and Apryse PDF tools, potentially enabling account takeover, session hijacking, data exfiltration, and arbitrary JavaScript execution.
- CISA added an actively exploited GitLab Server-Side Request Forgery (SSRF) vulnerability (CVE-2021-22175) to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch by March 11.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-actively-exploited-dell-flaw-within-3-days/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/flaw-in-grandstream-voip-phones-allows-stealthy-eavesdropping/
📰 The Hacker News | https://thehackernews.com/2026/02/microsoft-patches-cve-2026-26119.html
📰 The Hacker News | https://thehackernews.com/2026/02/threatsday-bulletin-openssl-rce-foxit-0.html
Threat Landscape Commentary 🌐
- MIT CSAIL's 2025 AI Agent Index highlights that AI agents are becoming more capable but lack consensus on behaviour and safety standards. Most developers prioritise features over safety, and many agents ignore `robots.txt`, indicating traditional web protocols are insufficient.
- The proliferation of IoT devices in homes and offices presents significant security risks, with many lacking sufficient security features and storing unencrypted data at rest. Enterprises should segment IoT devices on separate networks and use dedicated accounts to prevent lateral movement.
- Google blocked over 1.75 million app submissions from the Play Store in 2025 for policy violations, leveraging generative AI for improved detection. Separately, new research warns that LLM-generated passwords are fundamentally insecure because their output is predictable.
- Dragos reports a sharp rise in ransomware groups targeting industrial organisations, with a 49% increase in 2025, impacting 3,300 industrial entities globally.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/20/ai_agents_abound_unbound_by/
🌑 Dark Reading | https://www.darkreading.com/iot/connected-compromised-iot-devices-turn-threats
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/google-blocked-over-175-million-play-store-app-submissions-in-2025/
📰 The Hacker News | https://thehackernews.com/2026/02/threatsday-bulletin-openssl-rce-foxit-0.html
Regulatory Issues & National Security ⚖️
- The UK government plans to mandate online platforms remove non-consensual intimate images within 48 hours, treating them with the same severity as child sexual abuse material (CSAM) and terrorism content, with significant fines for non-compliance.
- Texas is suing TP-Link for deceptive marketing and alleged Chinese hacking risks, claiming its products, despite "Made in Vietnam" labels, rely on Chinese components and could be compelled to share user data with the CCP. Poland has also banned Chinese-made vehicles with data-recording technology from military facilities due to similar national security concerns.
- Following the 2024 Change Healthcare attack, HHS is focusing heavily on identifying and mitigating security risks from third-party vendors in the health sector, recognising their potential for outsized impact.
- West Virginia has sued Apple, alleging iCloud facilitates CSAM distribution and storage, citing Apple's decision to abandon CSAM detection tools and its significantly lower reporting numbers compared to other tech giants.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/19/uk_intimate_images_online/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/texas-sues-tp-link-over-chinese-hacking-risks-user-deception/
📰 The Hacker News | https://thehackernews.com/2026/02/threatsday-bulletin-openssl-rce-foxit-0.html
🤫 CyberScoop | https://cyberscoop.com/hhs-burrows-into-identifying-risks-to-health-sector-from-third-party-vendors/
🗞️ The Record | https://therecord.media/apple-csam-west-virginia-lawsuit
Government Cybersecurity Initiatives 🏛️
- The US State Department is pushing for unified public-private sector efforts to transition to quantum-resistant encryption by 2035, emphasising that these long-term plans must outlive political leadership cycles to counter nation-state data harvesting.
- The Trump administration aims to accelerate the secure implementation of AI for cyber defence (detection, diversion, deception) while ensuring it doesn't expand the attack surface. This includes promoting US AI cybersecurity standards and strengthening the cyber workforce by consolidating existing training initiatives.
🤫 CyberScoop | https://cyberscoop.com/post-quantum-state-department-transition-plans-outlive-leadership-cycles/
🤫 CyberScoop | https://cyberscoop.com/trump-administration-ai-cybersecurity-oncd-strategy/
#CyberSecurity #ThreatIntelligence #Ransomware #Malware #Vulnerabilities #ZeroDay #ActiveExploitation #AI #Phishing #MFA #SupplyChainAttack #IoT #CriticalInfrastructure #NationalSecurity #DataPrivacy #RegulatoryCompliance #InfoSec #CyberAttack #IncidentResponse