HOT NEWS 2026 FEBRUARY
| DATE | NAME | INFO | CATEGORY | SUBCATE |
| 28.2.26 | SURXRAT | Cyble uncovers SURXRAT’s evolution across versions, built on ArsinkRAT code, and now downloading large LLM modules signaling an expansion of its operational capabilities. | MALWARE | AI |
| 27.2.26 | APT37 | APT37 Adds New Capabilities for Air-Gapped Networks | GROUP | GROUP |
| 27.2.26 | Rekoobe Backdoor | Malicious Go “crypto” Module Steals Passwords and Deploys Rekoobe Backdoor | MALWARE | BACKDOOR |
| 27.2.26 | CISCO SD-WAN THREAT HUNT GUIDE | The authors are aware that since 2023, at least one malicious cyber actor compromised Cisco SD-WANs via a previously unknown vulnerability, identified in late 2025 to be a zero-day exploit. This vulnerability is now patched in the latest updates from the vendor. | REPORT | REPORT |
| 27.2.26 | CVE-2026-20127 | an authentication bypass vulnerability that allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. | ||
| 27.2.26 | CVE-2022-20775 | a path traversal vulnerability that allows an authenticated, local attacker to gain elevated privileges and execute arbitrary commands as root. | ||
| 27.2.26 | Emergency Directive 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems | CISA is directing Federal Civilian Executive Branch (FCEB) agencies to inventory Cisco Software-Defined Wide-Area Networking (SD-WAN) systems, apply updates, and assess potential compromise following CISA-provided procedures and guidance. | DIRECTION | DIRECTION |
| 27.2.26 | Supplemental Direction ED 26-03: Hunt and Hardening Guidance for Cisco SD-WAN Systems | Emergency Directive 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems directs Federal Civilian Executive Branch (FCEB) agencies to identify, update, and assess potential compromises to in-scope Cisco SD-WAN systems. | DIRECTION | DIRECTION |
| 27.2.26 | Steaelite RAT | Steaelite is a newly emerged remote access trojan (RAT) that grants attackers extensive, browser-based command over compromised Windows computers. | VIRUS | |
| 27.2.26 | Open-source payloads spread via malicious npm packages | Tenable researchers recently identified a dangerous npm package named “ambar-src” that underscores the increase in modern supply chain threats targeting the npm landscape. Within just a few days of its release, the package amassed approximately 50,000 downloads before being removed from the public registry. | VIRUS | |
| 27.2.26 | Fake Microsoft 365 Admin Center Loading Screen Stages Iframe-Delivered Credential Phishing | Symantec has observed a credential-phishing campaign using the urgent email subject “Immediate Action Required: Account Lockout [ID: <6-char>-2026]” to pressure recipients into acting quickly. | PHISHING | |
| 27.2.26 | Operation MacroMaze Targets Europe | Operation MacroMaze is a campaign attributed to the Swallowtail threat group (a.k.a. APT28 or Fancy Bear). Over several months, this campaign targeted entities in Central and Western Europe to exfiltrate data. | OPERATION | |
| 27.2.26 | Mercenary Akula Threat Group Targets European Financial Institution with RMM Payload | A report by researchers at BlueVoyant shares insights into recent activity that targeted a European financial institution. The campaign leveraged socially engineered spearphishing and multiple archive files to deliver a legitimate remote administration tool, Remote Manipulator System (RMS). | GROUP | |
| 27.2.26 | UnsolicitedBooker threat group deploys LuciDoor and MarsSnake backdoor variants | The UnsolicitedBooker threat group has recently shifted its crosshairs from Saudi Arabian organizations to telecommunications providers in Kyrgyzstan and Tajikistan. According to a recent Positive Technologies report, the threat actor employs two distinct C++ backdoors called LuciDoor and MarsSnake. | GROUP | |
| 27.2.26 | XMRig delivery campaign leverages BYOVD techniques | An advanced cryptojacking operation that relies on distribution of counterfeit software packages to infect computers with an XMRig cryptocurrency miner has been reported by cybersecurity researchers from Trellix. Once installed, the malware acts as a complex, multi-stage threat. | CAMPAIGN | |
| 27.2.26 | NetSupport RAT delivery attributed to the GrayCharlie threat actor | GrayCharlie is a financially motivated threat actor that overlaps significantly with the cybercriminal group SmartApeSG. According to a newly published intelligence report by Insikt Group researchers, GrayCharlie specializes in breaching vulnerable WordPress websites and injecting malicious JavaScripts. | VIRUS | |
| 27.2.26 | Moonrise RAT | Security researchers at ANY.RUN have identified Moonrise, a newly developed Go-based Remote Access Trojan (RAT) that aims at traditional static detection evasion. The malware provides the threat actors with comprehensive remote control over infected endpoints. | VIRUS | |
| 27.2.26 | Medusa Ransomware distributed by the Lazarus threat group | North Korean state-backed attackers are now using the Medusa ransomware and are continuing to mount extortion attacks on the U.S. healthcare sector. | RANSOM | |
| 27.2.26 | Financial Lures Leveraged to Spread Winos 4.0 to Taiwan | Phishing campaigns delivering Winos 4.0 (ValleyRAT) malware to targets in Taiwan are attributed to the Monarch (aka Silver Fox) threat group. The campaigns leveraged financial lures, specifically tax- and invoice-related documents, to deliver their payloads. | VIRUS | |
| 27.2.26 | PromptSpy Android malware | PromptSpy is a new Android malware variant utilizing generative AI to manipulate user interfaces dynamically. As reported by researchers from ESET, the malware leverages Google’s Gemini AI specifically to maintain a persistent presence on the infected devices. | VIRUS | |
| 27.2.26 | KazakRAT | While hunting for C2 infrastructure on Censys, we uncovered a suspected state-affiliated cluster targeting Kazakh and Afghan entities in a persistent campaign, with C2 servers active at the time of writing (20th Jan 2026) that have been operating unreported since at least August 2022. | MALWARE | RAT |
| 27.2.26 | DesckVB_RAT | This repository accompanies a full technical report documenting an active malware ecosystem centered around DesckVB RAT, a modular .NET Remote Access Trojan observed in live campaigns in early 2026. | MALWARE | RAT |
| 27.2.26 | Steaelite RAT | Steaelite RAT Enables Double Extortion Attacks from a Single Panel | MALWARE | RAT |
| 27.2.26 | Aeternum C2 | Exploring Aeternum C2: a new botnet that lives on the blockchain | BOTNET | BOTNET |
| 27.2.26 | Dohdoor | New Dohdoor malware campaign targets education and health care | MALWARE | BACKDOOR |
| 27.2.26 | CVE-2026-20127 | Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability | ||
| 26.2.26 | Claude Code Vulnerable to Arbitrary Code Execution Due to Insufficient Startup Warning | When Claude Code was started in a new directory, it displayed a warning asking, "Do you trust the files in this folder?". This warning did not properly document that selecting "Yes, proceed" would allow Claude Code to execute files in the folder without additional confirmation. This may not have been clear to a user so we have updated the warning to clarify this functionality. | ||
| 26.2.26 | CVE-2025-59536 | (CVSS score: 8.7) - A code injection vulnerability that allows execution of arbitrary shell commands automatically upon tool initialization when a user starts Claude Code in an untrusted directory. (Fixed in version 1.0.111 in October 2025) | ||
| 26.2.26 | CVE-2026-21852 | (CVSS score: 5.3) - An information disclosure vulnerability in Claude Code's project-load flow that allows a malicious repository to exfiltrate data, including Anthropic API keys. (Fixed in version 2.0.65 in January 2026) | ||
| 26.2.26 | Scattered LAPSUS$ Hunters | Cyber Intel Brief: Scattered Lapsus$ Hunters (SLH) Kicks Off Campaign to Recruit Women | GROUP | GROUP |
| 26.2.26 | GRIDTIDE | GRIDTIDE Global Cyber Espionage Campaign | CAMPAIGN | CAMPAIGN |
| 26.2.26 | UNC2814 | Exposing the Undercurrent: Disrupting the GRIDTIDE Global Cyber Espionage Campaign | GROUP | GROUP |
| 26.2.26 | CVE-2025-40538 | A broken access control vulnerability that allows an attacker to create a system admin user and execute arbitrary code as root via domain admin or group admin privileges. | ||
| 26.2.26 | CVE-2025-40539 | A type confusion vulnerability that allows an attacker to execute arbitrary native code as root. | ||
| 26.2.26 | CVE-2025-40540 | A type confusion vulnerability that allows an attacker to execute arbitrary native code as root. | ||
| 26.2.26 | CVE-2025-40541 | An insecure direct object reference (IDOR) vulnerability that allows an attacker to execute native code as root. | ||
| 26.2.26 | RoguePilot | RoguePilot: Exploiting GitHub Copilot for a Repository Takeover | EXPLOIT | EXPLOIT |
| 24.2.26 | UAC-0050 | Mercenary Akula Hits Ukraine-Supporting Financial Institution | GROUP | GROUP |
| 24.2.26 | UnsolicitedBooker | Poisonous Mars, or how LuciDoor knocks on the doors of the CIS | GROUP | GROUP |
| 24.2.26 | Detecting and preventing distillation attacks | We have identified industrial-scale campaigns by three AI laboratories—DeepSeek, Moonshot, and MiniMax—to illicitly extract Claude’s capabilities to improve their own models. These labs generated over 16 million exchanges with Claude through approximately 24,000 fraudulent accounts, in violation of our terms of service and regional access restrictions. | ATTACK | AI |
| 24.2.26 | Monero Mining Campaign | Technical Deep Dive: The Monero Mining Campaign | CAMPAIGN | CAMPAIGN |
| 24.2.26 | Operation MacroMaze | Operation MacroMaze: new APT28 campaign using basic tooling and legit infrastructure | OPERATION | OPERATION |
| 23.2.26 | Massiv Android Trojan | Cybersecurity experts from Threat Fabric have identified a new Android banking trojan dubbed Massiv. | VIRUS | |
| 23.2.26 | New deployment campaign of the CastleLoader and LummaStealer malware | A resurgence in LummaStealer activity has been observed by the researchers from Bitdefender. | CAMPAIGN | |
| 23.2.26 | CrescentHarvest cyberespionage campaign | Acronis Threat Research Unit has identified a cyberespionage operation dubbed CrescentHarvest, which aims at surveillance and data theft and is targeted at supporters of ongoing protests in Iran. | CAMPAIGN | |
| 23.2.26 | CVE-2026-1281 and CVE-2026-1340 - Ivanti EPMM RCE Vulnerabilities | In late January, Ivanti released updates to address two critical vulnerabilities affecting Endpoint Manager Mobile (EPMM). | VULNERABILITY | |
| 23.2.26 | Cuckoo infostealer spread via ClickFix techniques | A recent malware delivery campaign discovered by the researchers from Hunt.io involves attackers leveraging social engineering and typosquatted domains - specifically mimicking the popular Homebrew package manager - to deceive users into execution of malicious binaries. | VIRUS | |
| 23.2.26 | An Invitation to Phishing | Calendar invite spam is an increasingly observed tactic used by threat actors to steal credentials. Socially engineered emails designed to entice a recipient to accept a calendar invite direct potential victims to unwittingly share their login information. | PHISHING | |
| 23.2.26 | Interlock Ransomware: Activity Continues Into 2026 | Recent leak-site activity indicates Interlock operations continued into early 2026, with multiple newly listed alleged victims appearing in January–February. | RANSOM | |
| 23.2.26 | Prometei botnet deployment campaign | Researchers from eSentire’s Threat Response Unit recently identified an attempt to deploy the Prometei botnet on a Windows Server within the construction sector. | BOTNET | |
| 23.2.26 | SANDWORM_MODE | SANDWORM_MODE: Shai-Hulud-Style npm Worm Hijacks CI Workflows and Poisons AI Toolchains | MALWARE | WORM |
| 23.2.26 | Operation Olalampo | MuddyWater APT has launched a new cyber offensive operation, dubbed Operation Olalampo, deploying new malware variants and leveraging Telegram bots for command-and-control. | OPERATION | OPERATION |
| 22.2.26 | 7777 Botnet | Solving the 7777 Botnet enigma: A cybersecurity quest | BOTNET | BOTNET |
| 21.2.26 | CVE-2026-22769 | Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability. | ||
| 21.2.26 | Android.Phantom | Android.Phantom trojans are bundled with modded games and popular apps to infiltrate smartphones. They use machine learning and video broadcasts to engage in click fraud. | MALWARE | ANDROID |
| 21.2.26 | CVE-2025-49113 | A deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php. (Fixed in June 2025) | ||
| 21.2.26 | CVE-2025-68461 | A cross-site scripting vulnerability via the animate tag in an SVG document. (Fixed in December 2025) | ||
| 21.2.26 | Pulsar RAT | Uncovering a Recent Pulsar RAT Sample in the Wild | MALWARE | RAT |
| 21.2.26 | Monero Mining Campaign | In the contemporary threat landscape, while ransomware grabs headlines with high-impact disruptions, cryptojacking operations have quietly evolved into sophisticated, persistent threats. | CAMPAIGN | CAMPAIGN |
| 20.2.26 | MIMICRAT | MIMICRAT: ClickFix Campaign Delivers Custom RAT via Compromised Legitimate Websites | MALWARE | RAT |
| 20.2.26 | AgreeToSteal | AgreeToSteal: The First Malicious Outlook Add-In Leads to 4,000 Stolen Credentials | HACKING | HACKING |
| 20.2.26 | AiFrame | “AiFrame”- Fake AI Assistant Extensions Targeting 260,000 Chrome Users via injected iframes | CAMPAIGN | CAMPAIGN |
| 20.2.26 | Ninja Browser & Lumma Infostealer | CTM360 has identified a large-scale malware campaign exploiting trusted Google services — including Google Groups, Google Docs, and Google Drive — to distribute Lumma Stealer and a trojanized Chromium-based “Ninja Browser.” | REPORT | REPORT |
| 20.2.26 | PromptSpy | PromptSpy ushers in the era of Android threats using GenAI | MALWARE | ANDROID |
| 20.2.26 | CVE-2026-26119 | Windows Admin Center Elevation of Privilege Vulnerability | ||
| 19.2.26 | Massiv | Massiv: When your IPTV app terminates your savings | CAMPAIGN | CAMPAIGN |
| 19.2.26 | CRESCENTHARVEST | CRESCENTHARVEST: Iranian protestors and dissidents targeted in cyberespionage campaign | CAMPAIGN | CAMPAIGN |
| 19.2.26 | CVE-2026-2329 | CVE-2026-2329: Critical Unauthenticated Stack Buffer Overflow in Grandstream GXP1600 VoIP Phones (FIXED) | ||
| 18.2.26 | CVE-2026-2441 | (CVSS score: 8.8) - A use-after-free vulnerability in Google Chrome that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. | ||
| 18.2.26 | CVE-2024-7694 | (CVSS score: 7.2) - An arbitrary file upload vulnerability in TeamT5 ThreatSonar Anti-Ransomware versions 3.4.5 and earlier that could allow an attacker to upload malicious files and achieve arbitrary system command execution on the server. | ||
| 18.2.26 | CVE-2020-7796 | (CVSS score: 9.8) - A server-side request forgery (SSRF) vulnerability in Synacor Zimbra Collaboration Suite (ZCS) that could allow an attacker to send a crafted HTTP request to a remote host and obtain unauthorized access to sensitive information. | ||
| 18.2.26 | CVE-2008-0015 | (CVSS score: 8.8) - A stack-based buffer overflow vulnerability in Microsoft Windows Video ActiveX Control that could allow an attacker to achieve remote code execution by setting up a specially crafted web page. | ||
| 18.2.26 | CVE-2025-65717 | An issue in Visual Studio Code Extensions Live Server v5.7.9 allows attackers to exfiltrate files via user interaction with a crafted HTML page. | ||
| 18.2.26 | CVE-2025-65715 | An issue in the code-runner.executorMap setting of Visual Studio Code Extensions Code Runner v0.12.2 allows attackers to execute arbitrary code when opening a crafted workspace. | ||
| 18.2.26 | CVE-2025-65716 | An issue in Visual Studio Code Extensions Markdown Preview Enhanced v0.8.18 allows attackers to execute arbitrary code via uploading a crafted .Md file. | ||
| 18.2.26 | Keenadu | Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets | MALWARE | BACKDOOR |
| 17.2.26 | OpenClaw | Hudson Rock Identifies Real-World Infostealer Infection Targeting OpenClaw Configurations | MALWARE | AI AGENT |
| 17.2.26 | Zero Knowledge (About) Encryption: A Comparative Security Analysis of Three Cloud-based Password Managers | Zero Knowledge Encryption is a term widely used by vendors of cloud-based password managers. Although it has no strict technical meaning, the term conveys the idea that the server, who stores encrypted password vaults on behalf of users, is unable to learn anything about the contents of those vaults. | PAPERS | PAPERS |
| 17.2.26 | SmartLoader | SmartLoader Clones Oura Ring MCP to Deploy Supply Chain Attack | MALWARE | LOADER |
| 16.2.26 | SSHStalker Linux botnet variant | Flare’s research team has identified "SSHStalker," a previously unreported Linux botnet operation. Rather than employing complex modern Command and Control (C2) servers, SSHStalker utilizes a resilient IRC infrastructure to manage various bot variants, including Tsunami and Keiten. | BOTNET | |
| 16.2.26 | Threat Actors Increasingly Integrate GenAI into Active Campaigns | A report by researchers of the Google Threat Intelligence Group highlights recent activity related to artificial intelligence as used by malicious actors. | CAMPAIGN | |
| 16.2.26 | IIS Servers Targeted in Long Term SEO Poisoning Campaigns | China-linked threat actors have been targeting IIS servers in ongoing SEO poisoning campaigns. According to a report by researchers at Elastic, these actors primarily compromise servers in Asian countries to push content directing visitors to illegal gambling or other illicit websites. | CAMPAIGN | |
| 16.2.26 | Japan-Targeted iCloud+ Payment Failure Scam Uses JavaScript-Driven Phishing Kit | A phishing campaign targeting Japanese users abuses a familiar iCloud+ “payment failed” theme to steal Apple Account credentials and, in a second step, harvest payment card details. | SPAM | |
| 16.2.26 | RenEngine | The game is over: when “free” comes at too high a price. What we know about RenEngine | MALWARE | ENGINE |
| 16.2.26 | CVE-2026-2441 | Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | ||
| 15.2.26 | Storm-2603 | Storm-2603 Exploits CVE-2026-23760 to Stage Warlock Ransomware | GROUP | GROUP |
| 15.2.26 | ZeroDayRAT | ZeroDayRAT - New Spyware Targeting Android and iOS | MALWARE | OS |
| 15.2.26 | WAVESHAPER | C++ backdoor that runs as a background daemon, collects host system information, communicates with C2 over HTTP/HTTPS using curl, and downloads and executes follow-on payloads. | MALWARE | BACKDOOR |
| 15.2.26 | HYPERCALL | Golang-based downloader that reads an RC4-encrypted configuration file, connects to C2 over WebSockets on TCP 443, downloads malicious dynamic libraries, and reflectively loads them into memory. | MALWARE | DOWNLOADER |
| 15.2.26 | HIDDENCALL | Golang-based backdoor reflectively injected by HYPERCALL that provides hands-on keyboard access, supports command execution and file operations, and deploys additional malware. | MALWARE | BACKDOOR |
| 15.2.26 | SILENCELIFT | Minimal C/C++ backdoor that beacons host information and lock screen status to a hard-coded C2 server and can interrupt Telegram communications when executed with root privileges. | MALWARE | BACKDOOR |
| 15.2.26 | DEEPBREATH | Swift-based data miner deployed via HIDDENCALL that bypasses macOS TCC protections by modifying the TCC database to gain broad filesystem access and steals keychain credentials, browser data, Telegram data, and Apple Notes data. | MALWARE | MINER |
| 15.2.26 | SUGARLOADER | C++ downloader that uses an RC4-encrypted configuration to retrieve next-stage payloads and was made persistent via a manually created launch daemon. | MALWARE | DAEMON |
| 15.2.26 | CHROMEPUSH | C++ browser data miner deployed by SUGARLOADER that installs as a Chromium native messaging host masquerading as a Google Docs Offline extension and collects keystrokes, credentials, cookies, and optionally screenshots. | MALWARE | MINER |
| 15.2.26 | LummaStealer | LummaStealer Is Getting a Second Life Alongside CastleLoader | MALWARE | STEALER |
| 15.2.26 | CastleLoader | GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries | MALWARE | LOADER |
| 14.2.26 | UAT-9921 | New threat actor, UAT-9921, leverages VoidLink framework in campaigns | GROUP | GROUP |
| 13.2.26 | MOONSHINE Exploit Kit | MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur’s Multi-Platform Attacks | EXPLOIT | EXPLOIT KIT |
| 13.2.26 | PyMuPDF path traversal and arbitrary file write vulnerabilities | A path traversal vulnerability leading to arbitrary file write exists in PyMuPDF version 1.26.5, within the ‘embedded_get’ function in ‘main.py’. This vulnerability is caused by improper handling of untrusted embedded file metadata, which is used directly as an output path, enabling attackers to write files to arbitrary locations on the local system. | ALERT | ALERT |
| 13.2.26 | CVE-2026-1731 | BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user. | ||
| 13.2.26 | Fake recruiter campaign | A new branch of a fake job recruitment campaign, dubbed "graphalgo," is targeting developers with a RAT. | CAMPAIGN | CAMPAIGN |
| 12.2.26 | HTM Phishing Across Private and Public Sectors: Targeted Filenames + Telegram Exfil | Over the past few days Symantec has observed a lightweight credential-harvesting campaign that delivers an HTML/HTM attachment directly via email (EMAIL → HTM). The HTM filename pattern (recipient_company_domain_quote.htm) strongly suggests the actor is generating lures per target organization. | PHISHING | |
| 12.2.26 | Dating App Masquerade: SpyMax Targets Minglers in France | Android SpyMax has been observed in France, targeting minglers by posing as a dating app (“France Social: Rencontre, Chat”). If downloaded and installed, the app (France social.apk) quickly pivots from “dating” to privilege acquisition, prompting the victim to enable a custom Accessibility Service and grant Device Administrator rights. | VIRUS | |
| 12.2.26 | Guloader is Always Evolving | GuLoader is a sophisticated malware downloader primarily used to deliver Remote Access Trojans and information stealers. Active since 2019, the malware is known for its use of anti-analysis techniques which allow it to conceal its functionality from automated tools and security researchers. | VIRUS | |
| 12.2.26 | NetSupport RAT deployed in latest campaign attributed to the Stan Ghouls threat group | Stan Ghouls threat group (aka Bloody Wolf) has been launching targeted attacks against organizations within Russia, Kyrgyzstan, Kazakhstan, and Uzbekistan since at least 2023. These attacks are characterized by utilizing campaign-specific infrastructure and leveraging custom Java-based malware loaders. | VIRUS | |
| 12.2.26 | PCHunter tool abused by ransomware actors | PCHunter is a Windows system analysis and security tool designed for in-depth inspection and malware removal. It is often used by security professionals for deep detection of malicious activity, including rootkits, hidden processes, and unauthorized kernel drivers. | RANSOM | |
| 12.2.26 | DKnife - an Adversary-in-the-Middle (AitM) framework | DKnife is a sophisticated Adversary-in-the-Middle (AitM) framework designed to monitor gateways and manipulate network traffic. | HACKING | |
| 12.2.26 | CVE-2026-21858 - n8n Workflow vulnerability | CVE-2026-21858 is a recently disclosed critical (CVSS score 10.0) Arbitrary File Read vulnerability affecting n8n, which is a workflow automation tool. If successfully exploited, the flaw might allow attackers to access files on the underlying vulnerable server through execution of certain form-based workflows. The vulnerability has already been patched in product version 1.121.0 or newer. | VULNERABILITY | |
| 12.2.26 | From Spreadsheet to Control: How XWorm RAT Infiltrates Systems | XWorm is a well-established, highly modular Remote Access Trojan (RAT). Features available in this RAT include data exfiltration, encrypted C2 communications, full system control, and surveillance. Researchers at Fortinet have published details about recent phishing campaigns attempting to deliver this payload through various financial or business-themed lures. | VIRUS | |
| 12.2.26 | CVE-2025-69200 - phpMyFAQ vulnerability | CVE-2025-69200 is a recently disclosed high severity (CVSS score 7.5) Information Disclosure vulnerability affecting phpMyFAQ, which is an open-source, database-driven FAQ (Frequently Asked Questions) web application. | VULNERABILITY | |
| 12.2.26 | PowerTool abused by ransomware actors | PowerTool is a Windows security utility used to detect and analyze rootkits, bootkits, hidden processes, and other kernel-level threats. Recent threat intelligence indicates that multiple ransomware operators are abusing PowerTool in an attempt to disable security products. | RANSOM | |
| 12.2.26 | Malicious ClawHub Skills | Researchers from Koi Security have recently audited the ClawHub “skills” marketplace and found 341 malicious skills—most attributed to a coordinated campaign they call “ClawHavoc.” | VIRUS | |
| 12.2.26 | Opportunistic MassLogger campaign: .Z archives and PDF-lookalike executables | Symantec has observed a MassLogger malspam campaign that used routine “business workflow” themes—procurement, invoices, shipping paperwork, and document transmittals—while impersonating two legitimate organizations. | CAMPAIGN | |
| 12.2.26 | CVE-2026-24061 - GNU InetUtils vulnerability | CVE-2026-24061 is a recently disclosed critical (CVSS score 9.8) Argument Injection vulnerability affecting the GNU InetUtils telnetd service in versions from 1.9.3 through 2.7. | VULNERABILITY | |
| 12.2.26 | CVE-2026-20700 | A memory corruption issue was addressed with improved state management. This issue is fixed in watchOS 26.3, tvOS 26.3, macOS Tahoe 26.3, visionOS 26.3, iOS 26.3 and iPadOS 26.3. | ||
| 11.2.26 | SideCopy Launches Cross-Platform RAT Campaigns | Espionage Without Noise: Understanding APT36’s Enduring Campaigns | CAMPAIGN | CAMPAIGN |
| 11.2.26 | CASL Ability contains a prototype pollution vulnerability | A prototype pollution vulnerability present in CASL Ability versions 2.4.0 through 6.7.4 is triggered through the rulesToFields() function in the extra module. The program’s library contains a method called setByPath() that does not properly sanitize property names, allowing attackers to add or modify properties on an object’s prototype. | ALERT | ALERT |
| 11.2.26 | | (CVSS score: 7.8) - An improper privilege management in Windows Remote Desktop that allows an authorized attacker to elevate privileges locally. | | |
| 11.2.26 | | (CVSS score: 6.2) - A null pointer dereference in Windows Remote Access Connection Manager that allows an unauthorized attacker to deny service locally. | | |
| 11.2.26 | | (CVSS score: 7.8) - An access of resource using incompatible type ('type confusion') in the Desktop Window Manager that allows an authorized attacker to elevate privileges locally. | | |
| 11.2.26 | | (CVSS score: 7.8) - A reliance on untrusted inputs in a security decision in Microsoft Office Word that allows an unauthorized attacker to bypass a security feature locally. | | |
| 11.2.26 | | (CVSS score: 8.8) - A protection mechanism failure in MSHTML Framework that allows an unauthorized attacker to bypass a security feature over a network. | | |
| 11.2.26 | | (CVSS score: 8.8) - A protection mechanism failure in Windows Shell that allows an unauthorized attacker to bypass a security feature over a network. | | |
| 11.2.26 | | Old-School IRC, New Victims: Inside the Newly Discovered SSHStalker Linux Botnet | | |
| 11.2.26 | | UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering | | |
| 11.2.26 | | LABYRINTH CHOLLIMA Evolves into Three Adversaries | CLUSTER | |
| 11.2.26 | | No Fool's Errand: The Koalemos RAT Campaign | RAT | |
| 10.2.26 | | Largest Multi-Agency Cyber Operation Mounted to Counter Threat Posed by Advanced Persistent Threat (APT) Actor UNC3886 to Singapore’s Telecommunications Sector | | |
| 10.2.26 | | An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests. | | |
| 9.2.26 | | CVE-2026-23760 is a recently disclosed critical (CVSS score 9.3) Authentication Bypass vulnerability affecting SmarterTools SmarterMail software, which is an email, groupware, and collaboration server designed as an alternative to enterprise collaboration solutions such as Microsoft Exchange. | | |
| 9.2.26 | | Darktrace reports a multi-stage macOS phishing campaign where a lure email delivers an AppleScript file disguised as a Microsoft document (for example, “.docx.scpt”) and depends on a user click to execute. | | |
|
9.2.26 |
Recent reports exposed a campaign targeting Kazakh and Afghan organizations with the KazakRAT remote access trojan in January 2026. The actors behind it may have been operating since August 2022. |
|||
|
9.2.26 |
WinRAR CVE-2025-8088 Drives Targeted Espionage in Southeast Asia |
Check Point Research ties espionage campaigns in Southeast Asia to a China-nexus actor dubbed Amaranth-Dragon, targeting government and law enforcement. |
||
|
9.2.26 |
Billbug Threat Actor Compromised Notepadd++ Update Infrastructure |
Notepad++, a popular text editor for Windows, was the victim of a supply-chain attack by Chinese state-linked hackers identified as Billbug (aka Lotus Blossom, Spring Dragon). |
||
|
9.2.26 |
Recent Black Basta Ransomware Campaign Embeds Vulnerable Driver in Payload |
A recent Black Basta attack campaign was notable because the ransomware contained a bring-your-own-vulnerable-driver (BYOVD) defense evasion component embedded within the ransomware payload itself |
||
|
9.2.26 |
Operation Neusploit: Swallowtail Exploits CVE-2026-21509 to Deliver Backdoors |
Swallowtail (aka APT28 or Fancy Bear) is a Russian espionage group observed exploiting a recently disclosed Microsoft Office Security Feature Bypass Vulnerability, identified as CVE-2026-21509. In a campaign tagged "Operation Neusploit" by researchers at Zscaler, the group distributes specially crafted Office documents in RTF format. |
||
|
9.2.26 |
CVE-2026-21509: Microsoft Office Security Feature Bypass Vulnerability |
Microsoft has issued an emergency fix for a high-severity Microsoft Office zero‑day flaw, tracked as CVE-2026-21509 (CVSS Score: 7.8). Attackers are reported to be actively exploiting it to bypass security features via malicious documents that are distributed together with social engineering lures to trick users into opening them. |
||
| 9.2.26 | | Researchers have published a deeper technical breakdown of DynoWiper, a new data-wiping malware used in a December 2025 attack on a Polish energy company’s IT systems, expanding on earlier reporting and identifying similarities to the ZOV wiper observed in Ukraine earlier in the year. DynoWiper overwrites data and forces reboots; it targeted the IT environment rather than industrial control systems. | | |
| 9.2.26 | | Infostealers are a commonly observed payload in malware campaigns. They are often distributed through social engineering tactics such as the popular ClickFix method, malvertising, or disguised as installers for popular software. A recent Microsoft report highlights this activity, specifically focusing on macOS and Python-based stealers. | | |
| 9.2.26 | TeamPCP | Threat Alert: TeamPCP, An Emerging Force in the Cloud Native and Ransomware Landscape | CAMPAIGN | CAMPAIGN |
| 9.2.26 | TeamPCP | Threat Alert: TeamPCP, An Emerging Force in the Cloud Native and Ransomware Landscape | HACKING | CLUSTER |
| 9.2.26 | Vortex Werewolf (SkyCloak) | A new cluster is distributing malware via phishing. We demonstrate how the attack works through fake pages simulating file downloads from Telegram. | HACKING | CLUSTER |
| 9.2.26 | Stan Ghouls | Stan Ghouls targeting Russia and Uzbekistan with NetSupport RAT | GROUP | GROUP |
| 9.2.26 | CVE-2026-1731 | BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user. | VULNERABILITY | VULNERABILITY |
| 8.2.26 | CVE-2025-11953 | The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments. | VULNERABILITY | VULNERABILITY |
| 6.2.26 | DKnife | Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework | HACKING | HACKING |
| 6.2.26 | Shadow Campaigns | The Shadow Campaigns: Uncovering Global Espionage | CAMPAIGN | CAMPAIGN |
| 6.2.26 | Evaluating and mitigating the growing risk of LLM-discovered 0-days | Claude Opus 4.6, released today, continues a trajectory of meaningful improvements in AI models’ cybersecurity capabilities. Last fall, we wrote that we believed we were at an inflection point for AI's impact on cybersecurity: progress could become quite fast, and now was the moment to accelerate defensive use of AI. | VULNERABILITY | VULNERABILITY |
| 5.2.26 | Amaranth-Dragon | Amaranth-Dragon: Weaponizing CVE-2025-8088 for Targeted Espionage in the Southeast Asia | APT | APT |
| 5.2.26 | CVE-2026-25049 | n8n is an open source workflow automation platform. Prior to versions 1.123.17 and 2.5.2, an authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. | VULNERABILITY | VULNERABILITY |
| 5.2.26 | NGINX Configurations Enable Large-Scale Web Traffic Hijacking Campaign | Web Traffic Hijacking: When Your Nginx Configuration Turns Malicious | CAMPAIGN | CAMPAIGN |
| 5.2.26 | The Trigger in the Haystack: Extracting and Reconstructing LLM Backdoor Triggers | Detecting whether a model has been poisoned is a longstanding problem in AI security. In this work, we present a practical scanner for identifying sleeper agent-style backdoors in causal language models. | PAPERS | PAPERS |
| 5.2.26 | Dead#Vax | Analyzing Dead#Vax: Analyzing Multi-Stage VHD Delivery and Self-Parsing Batch Scripts to Deploy In-Memory Shellcode | CAMPAIGN | CAMPAIGN |
| 4.2.26 | Operation Bizarre Bazaar | Operation Bizarre Bazaar: First Attributed LLMjacking Campaign with Commercial Marketplace Monetization | OPERATION | OPERATION |
| 4.2.26 | CVE-2024-37079 | vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet, potentially leading to remote code execution. | VULNERABILITY | VULNERABILITY |
| 4.2.26 | CVE-2026-23760 | SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. | VULNERABILITY | VULNERABILITY |
| 4.2.26 | CVE-2021-39935 | (CVSS score: 7.5/6.8) - A server-side request forgery (SSRF) vulnerability in GitLab Community and Enterprise Editions that could allow unauthorized external users to perform Server Side Requests via the CI Lint API. | VULNERABILITY | VULNERABILITY |
| 4.2.26 | CVE-2025-64328 | (CVSS score: 8.6) - An operating system command injection vulnerability in Sangoma FreePBX that could allow for a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function and potentially obtain remote access to the system as an asterisk user. | VULNERABILITY | VULNERABILITY |
| 4.2.26 | CVE-2019-19006 | (CVSS score: 9.8) - An improper authentication vulnerability in Sangoma FreePBX that potentially allows unauthorized users to bypass password authentication and access services provided by the FreePBX administrator. | VULNERABILITY | VULNERABILITY |
| 4.2.26 | CVE-2025-40551 | SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication. | VULNERABILITY | VULNERABILITY |
| 4.2.26 | DockerDash | DockerDash: Two Attack Paths, One AI Supply Chain Crisis | VULNERABILITY | VULNERABILITY |
| 3.2.26 | Operation Neusploit | APT28 Leverages CVE-2026-21509 in Operation Neusploit | OPERATION | OPERATION |
| 3.2.26 | Metro4Shell | Metro4Shell: Exploitation of React Native’s Metro Server in the Wild | EXPLOIT | EXPLOIT |
| 3.2.26 | APT28 | APT28 Leverages CVE-2026-21509 in Operation Neusploit | APT | APT |
| 3.2.26 | Chrysalis Backdoor | The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit | MALWARE | BACKDOOR |
| 3.2.26 | CVE-2026-25253 | OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value. | VULNERABILITY | VULNERABILITY |
| 2.2.26 | "Danger Bulletin": UAC-0001 (APT28) conducts cyberattacks against Ukraine and EU countries using the CVE-2026-21509 exploit (CERT-UA#19542) | A DOC file, "Consultation_Topics_Ukraine(Final).doc", was detected that contained the CVE-2026-21509 exploit and was devoted to consultations of the Committee of Permanent Representatives to the EU (COREPER) on the situation in Ukraine. | BATTLEFIELD UKRAINE | BATTLEFIELD UKRAINE |
| 2.2.26 | RedKitten | RedKitten: AI-accelerated campaign targeting Iranian protests | CAMPAIGN | CAMPAIGN |
| 2.2.26 | ShinyHunters | Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft | CAMPAIGN | CAMPAIGN |
| 2.2.26 | Energy Sector Incident Report - 29 December 2025 | On 29 December 2025, in the morning and afternoon hours, coordinated attacks took place in Polish cyberspace. They were directed at more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power plant supplying heat to almost half a million customers in Poland. | CERT | CERT |
| 2.2.26 | UAT-8099 | Dissecting UAT-8099: New persistence mechanisms and regional focus | GROUP | GROUP |
| 2.2.26 | Critical eScan Supply Chain Compromise | On January 20, 2026, Morphisec identified an active supply chain compromise affecting MicroWorld Technologies’ eScan antivirus product. | INCIDENT | INCIDENT |
| 2.2.26 | GlassWorm Loader | GlassWorm Loader Hits Open VSX via Developer Account Compromise | MALWARE | LOADER |