The global cybersecurity landscape continues to evolve at a rapid pace, with emerging threats and sophisticated attack tactics demanding constant vigilance from defenders. This week’s developments highlight a multifaceted threat environment, encompassing advancements in ransomware, innovative social engineering schemes targeting specific platforms, and critical vulnerabilities within widely used software. Organizations must remain informed to effectively manage their exposure and strengthen their security postures against these evolving digital risks.
This comprehensive overview details the latest cybersecurity news, focusing on the persistent threat of ransomware expansion, new social engineering tactics, and crucial security updates across various platforms. From evolving ransomware-as-a-service (RaaS) operations to novel malware delivery pipelines and the exploitation of software vulnerabilities, the cyber threat space shows no signs of slowing down, underscoring the critical need for continuous adaptation in cybersecurity strategies.
Ransomware Evolves, Expanding Cross-Platform Reach
New analysis of LockBit 5.0 ransomware reveals a sophisticated version packed with defense evasion and anti-analysis techniques. These include packing, DLL unhooking, process hollowing, patching Event Tracing for Windows (ETW) functions, and log clearing. What stands out is its proclaimed capability to operate on all versions of Proxmox, an open-source virtualization platform increasingly adopted by enterprises as a commercial hypervisor alternative. This makes Proxmox a prime target for future ransomware attacks.
The latest ransomware version also introduces dedicated builds tailored for enterprise environments, signifying the continued evolution of ransomware-as-a-service (RaaS) operations. Acronis noted the multifaceted systems support, highlighting the group’s ambition to broaden its attack surface across diverse infrastructure.
macOS Users Targeted by Sophisticated Social Engineering Tactics
Cybersecurity researchers have detailed a new evolution of the ClickFix social engineering tactic specifically targeting macOS users. Dubbed “Matryoshka” due to its nested obfuscation layers, this variant employs a deceptive installation/fix flow to trick victims into executing malicious Terminal commands. Intego reported that while the ClickFix tactic itself is not new, this campaign incorporates enhanced evasion techniques. These include an in-memory, compressed wrapper and API-gated network communications, designed to thwart static analysis and automated sandboxes.
This campaign primarily targets users attempting to visit software review sites. Threat actors leverage typosquatting in URLs, redirecting unsuspecting users to fake sites that initiate the infection chain. This sophisticated approach underscores the growing trend of social engineering adapting to target specific operating systems with intricate malware delivery mechanisms.
Loader Pipelines Facilitate Rapid Domain Takeover and Data Exfiltration
A recent ClickFix campaign observed in February 2026 has been delivering a malware-as-a-service (MaaS) loader known as Matanbuchus 3.0. Huntress dissected the attack chain, revealing the threat actors’ objective of deploying ransomware or exfiltrating data. The attackers rapidly progressed from initial access to lateral movement, gaining control of domain controllers via PsExec, rogue account creation, and Microsoft Defender exclusion staging.
The attack also resulted in the deployment of a custom implant named AstarionRAT, which supports 24 commands facilitating credential theft, SOCKS5 proxy, port scanning, reflective code loading, and shell execution. Data from cybersecurity firms indicates that ClickFix fueled a significant portion of malware loader activity in 2025, emphasizing its role as a critical component in modern cybercriminal operations.
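The Defender exclusion staging mentioned above leaves a footprint in the endpoint's own logs: Microsoft Defender records every configuration change as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational channel, and a new exclusion appears there as a "New value:" line naming a key under Exclusions\Paths, \Extensions or \Processes. The following is an added example, not code from Huntress or the original article, that pulls those entries out of exported event text and rates them; the event records are constructed samples, and the PsExec.exe/stage path values are illustrative only.

```python
import re
from typing import Dict, List, Tuple

# Defender logs configuration changes as Event ID 5007 in the
# "Microsoft-Windows-Windows Defender/Operational" channel. Exclusion changes
# show up as a "New value:" line naming a key under ...\Exclusions\.
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Extensions|Processes)\\(?P<value>.+?)\s*=\s*0x0",
    re.IGNORECASE,
)

# Locations a low-privileged process can write to; an exclusion there is far
# more suspicious than one on a vendor's install directory.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")

# Constructed sample records (event_id, message); not real telemetry.
SAMPLE_EVENTS: List[Tuple[int, str]] = [
    (5007,
     "Windows Defender Antivirus Configuration has changed.\n"
     "Old value: \n"
     "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public\\stage = 0x0"),
    (5007,
     "Windows Defender Antivirus Configuration has changed.\n"
     "Old value: \n"
     "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\PsExec.exe = 0x0"),
    (5007,  # a configuration change that is not an exclusion: must not be reported
     "Windows Defender Antivirus Configuration has changed.\n"
     "Old value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\DisableRemovableDriveScanning = 0x1\n"
     "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\DisableRemovableDriveScanning = 0x0"),
    (1116, "Windows Defender Antivirus has detected malware or other potentially unwanted software."),
]


def classify_risk(kind: str, value: str) -> str:
    """Process exclusions hide anything running under that image name, and path
    exclusions in user-writable directories describe a staging area; both rate high."""
    if kind.lower() == "processes":
        return "high"
    if any(marker in value.lower() for marker in USER_WRITABLE_MARKERS):
        return "high"
    return "medium"


def extract_exclusions(events: List[Tuple[int, str]]) -> List[Dict[str, str]]:
    """Return one finding per newly added exclusion found in 5007 event text."""
    findings = []
    for event_id, message in events:
        if event_id != 5007:
            continue
        for match in EXCLUSION_RE.finditer(message):
            kind, value = match.group("kind"), match.group("value")
            findings.append({"kind": kind, "value": value, "risk": classify_risk(kind, value)})
    return findings


if __name__ == "__main__":
    for finding in extract_exclusions(SAMPLE_EVENTS):
        print(f"[{finding['risk']}] exclusion added: {finding['kind']} -> {finding['value']}")
```

In production the same regex can be applied to the EventData message field exported from a SIEM; correlating a high-risk hit with a PsExec service installation (Event ID 7045) or new account creation (4720) from the same host within minutes is the pattern the campaign above would produce.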
Typosquatting Campaigns Target macOS Credentials
In yet another ClickFix campaign, threat actors are exploiting the “reliable trick” of typosquatting. Malicious instructions are hosted on fake websites disguised as legitimate Homebrew domains. The objective is to trick users into pasting these commands into the Terminal app under the pretense of installing the macOS package manager. Hunt.io documented an attack chain where commands from the typosquatted domain deliver a credential-harvesting loader and a second-stage macOS infostealer dubbed Cuckoo Stealer.
The injected installer loops on password prompts using ‘dscl . -authonly’, ensuring the attacker obtains valid credentials before deploying the second stage. Cuckoo Stealer is a comprehensive macOS infostealer and RAT. It establishes LaunchAgent persistence, removes quarantine attributes, and maintains encrypted command-and-control communications. It collects browser credentials, session tokens, macOS Keychain data, Apple Notes, messaging sessions, VPN and FTP configurations, and data from over 20 cryptocurrency wallet applications. The use of ‘dscl . -authonly’ has been previously observed in attacks deploying Atomic Stealer.
Law Enforcement Action Against Ransomware Affiliates
Authorities in Poland have detained a 47-year-old man suspected of ties to the Phobos ransomware group. The suspect faces a potential prison sentence of up to five years. The Central Bureau for Combating Cybercrime (CBZC) stated that the individual used encrypted messaging to contact the Phobos criminal group, known for conducting ransomware attacks. The suspect’s devices allegedly contained logins, passwords, credit card numbers, and server IP addresses that could have been used for various attacks, including ransomware.
This arrest is part of Europol’s Operation Aether, which targets the 8Base ransomware group, believed to be linked to Phobos. Phobos ransomware attacks have targeted over 1,000 organizations globally, with cybercriminals reportedly obtaining over $16 million in ransom payments. This action highlights ongoing international efforts to dismantle ransomware operations.
Industrial Sector Faces Accelerating Ransomware Surge
There has been a sharp increase in ransomware groups targeting industrial organizations, as cybercriminals exploit vulnerabilities in operational technology (OT) and industrial control systems (ICS). Dragos reported that 119 ransomware groups targeted industrial organizations in 2025, a 49% increase from 80 in 2024. In 2025, 3,300 industrial organizations worldwide were hit by ransomware, compared with 1,693 in 2024. The manufacturing sector was the most targeted, followed by transportation.
Additionally, the hacking group Pyroxene has been observed conducting supply chain-leveraged attacks targeting defense, critical infrastructure, and industrial sectors, with operations expanding from the Middle East into North America and Western Europe. Pyroxene often leverages initial access provided by PARISITE to move from IT into OT networks. This activity overlaps with efforts attributed to Imperial Kitten (aka APT35), a threat actor affiliated with the cyber arm of the Islamic Revolutionary Guard Corps (IRGC).
Microsoft Copilot Vulnerability Bypassed Data Loss Prevention
Microsoft confirmed a bug where Microsoft 365 Copilot could summarize confidential emails from Sent Items and Drafts folders without user permission, bypassing data loss prevention (DLP) policies. The issue, identified as CW1226324, affected users since January 21, 2026, and a fix was deployed on February 3, 2026. Microsoft did not disclose the number of affected users or organizations.
Microsoft stated that Copilot chat was incorrectly processing email messages with a confidential label, summarizing them despite DLP policies being configured. A code issue allowed Copilot to access items in sent and draft folders even when confidential labels were in place. This vulnerability highlights the challenges in securing AI-powered tools that interact with sensitive organizational data.
Jira Trials Weaponized for Spam Campaigns
Threat actors are exploiting the trust and reputation of Atlassian Jira Cloud and its email system to conduct automated spam campaigns and bypass traditional email security. Operators created Atlassian Cloud trial accounts using randomized naming conventions, enabling the generation of disposable Jira Cloud instances at scale. Trend Micro reported that these emails were tailored to specific language groups, including English, French, German, Italian, Portuguese, and Russian speakers.
These campaigns distributed generic spam and specifically targeted sectors such as government and corporate entities. Active from late December 2025 through late January 2026, the attacks primarily targeted organizations using Atlassian Jira. The goal was to prompt recipients to click malicious links, initiating a redirect chain powered by the Keitaro Traffic Distribution System (TDS) leading to investment scams and online casino landing sites, suggesting financial gain was the primary objective.
GitLab SSRF Vulnerability Mandated Patch for Federal Agencies
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2021-22175, a GitLab Server-Side Request Forgery (SSRF) vulnerability, to its Known Exploited Vulnerabilities (KEV) catalog. This mandates Federal Civilian Executive Branch (FCEB) agencies to apply the patch by March 11, 2026. The vulnerability exists when requests to the internal network for webhooks are enabled.
In March 2025, GreyNoise revealed that a cluster of approximately 400 IP addresses was actively exploiting multiple SSRF vulnerabilities, including CVE-2021-22175, targeting susceptible instances in the U.S., Germany, Singapore, India, Lithuania, and Japan. This directive underscores the potential impact of this vulnerability on critical government infrastructure.
Telegram Bots Fuel Fortune 500 Phishing Campaigns
An elusive, financially motivated threat actor codenamed GS7 has been targeting Fortune 500 companies in a new phishing campaign. This campaign leverages trusted company branding with lookalike websites to harvest credentials via Telegram bots. Operation DoppelBrand targets top financial institutions like Wells Fargo, USAA, Navy Federal Credit Union, Fidelity Investments, and Citibank, as well as technology, healthcare, and telecommunications firms globally.
Victims are lured through phishing emails and redirected to counterfeit pages where credentials are harvested and transmitted to Telegram bots controlled by the attacker. SOCRadar indicates the group has a history dating back to 2022. GS7 has registered over 150 malicious domains recently, using registrars like NameCheap and OwnRegistrar and routing traffic through Cloudflare to evade detection. The group’s end goals include harvesting credentials and downloading remote management and monitoring (RMM) tools like LogMeIn Resolve to enable remote access or malware deployment, potentially positioning them as an initial access broker.
Remcos RAT Shifts to Live Command and Control Surveillance
Phishing emails disguised as invoices, job offers, or government notices are being used to distribute a new variant of the Remcos Remote Access Trojan (RAT). This variant facilitates comprehensive surveillance and control over infected systems. Point Wild reported a significant behavioral change in the latest Remcos variant; instead of stealing and storing data locally, it establishes direct online command-and-control (C2) communication for real-time access and control.
Specifically, it leverages the webcam to capture live video streams, enabling attackers to monitor targets remotely. This shift from local data exfiltration to live, online surveillance represents an evolution in Remcos’ capabilities, increasing the risk of immediate espionage and persistent monitoring.
Poland Restricts Chinese Vehicles on Military Bases
Poland’s Ministry of Defence has banned Chinese cars and other motor vehicles equipped with technology to record position, images, or sound from entering protected military facilities. This decision is attributed to national security concerns and aims to “limit the risk of access to sensitive data.” The ban also extends to connecting work phones to infotainment systems in motor vehicles produced in China.
The ban is not permanent; the Defence Ministry has called for a vetting process where carmakers can undergo a security assessment to allow their vehicles entry. Modern vehicles with advanced communication systems and sensors can collect and transmit data, necessitating appropriate safety regulations in protected zones. These measures align with NATO countries’ practices for critical infrastructure protection.
DKIM Replay Attacks Fuel Invoice Scams
Malicious actors are abusing legitimate invoices and dispute notifications from trusted vendors like PayPal, Apple, DocuSign, and Dropbox Sign to bypass email security controls. INKY reported that these platforms allow users to enter a ‘seller name’ or add a custom note when creating invoices or notifications. Attackers exploit this by inserting scam instructions and a phone number into these user-controlled fields.
The resulting invoice or dispute notice is sent to an email address controlled by the attacker, embedding malicious content within a legitimate, vendor-generated message. Because these emails originate from trusted companies, they bypass checks such as Domain-based Message Authentication, Reporting, and Conformance (DMARC). The attacker then forwards the “authentic-looking” message to intended targets, making it more likely to land in victims’ inboxes. This attack method is known as a DKIM replay attack.
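Because the replayed message carries the vendor's own valid DKIM signature, DMARC will pass; what a gateway can still see is that the signed To: header names the attacker's drop mailbox rather than the person the message was actually delivered to, and that the signature is older than a freshly generated notice would be. The following added example (not INKY's code or part of the original article) applies those two heuristics to a message after signature verification. It does not verify the signature itself; the sample messages, the vendor.example/mailer.example/corp.example domains, and the DKIM tag values are constructed placeholders.

```python
import time
from email import message_from_string
from email.utils import getaddresses


def parse_dkim_tags(signature_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag list).
    Folding whitespace inside values (common in b= and h=) is removed."""
    tags = {}
    for part in signature_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = "".join(value.split())
    return tags


def assess_replay(raw_message: str, envelope_rcpt: str, now=None, max_age_s=48 * 3600) -> dict:
    """Heuristic replay assessment for a message whose DKIM signature already verified.

    envelope_rcpt is the SMTP RCPT TO address the message was delivered to. A replayed
    vendor notice was signed with the attacker's mailbox in To:, so the real recipient
    is absent from the signed header; an old t= timestamp is the second tell."""
    now = time.time() if now is None else now
    msg = message_from_string(raw_message)
    signature = msg.get("DKIM-Signature")
    if signature is None:
        return {"suspicious": False, "reasons": [], "notes": ["no DKIM-Signature header to analyse"]}
    tags = parse_dkim_tags(signature)
    reasons, notes = [], []

    signed_headers = {h.strip().lower() for h in tags.get("h", "").split(":")}
    if "to" not in signed_headers:
        notes.append("To: not covered by h=, so the recipient check is not signature-backed")

    signed_to = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    if envelope_rcpt.lower() not in signed_to:
        reasons.append(f"envelope recipient {envelope_rcpt} is not in the signed To: {sorted(signed_to)}")

    if "t" in tags and now - int(tags["t"]) > max_age_s:
        reasons.append(f"signature timestamp is {int((now - int(tags['t'])) // 3600)}h old")
    if "x" not in tags:
        notes.append("no x= expiry, so a captured message stays valid indefinitely")

    return {"suspicious": bool(reasons), "reasons": reasons, "notes": notes}


def build_vendor_notice(to_addr: str) -> str:
    """Constructed vendor-style invoice notice with a placeholder DKIM-Signature
    (bh=/b= are not real values). t=1767225600 is 2026-01-01T00:00:00Z."""
    return "\n".join([
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=vendor.example; s=sel1;",
        " h=from:to:subject:date; t=1767225600; bh=CONSTRUCTED; b=CONSTRUCTED",
        "From: Vendor Billing <billing@vendor.example>",
        f"To: {to_addr}",
        "Subject: Invoice 000123 from Example Seller",
        "Date: Thu, 01 Jan 2026 00:00:00 +0000",
        "",
        "Seller note: questions about this charge? Call +1-555-0100.",
        "",
    ])


# The replay: the vendor signed a notice addressed to the attacker's own mailbox,
# which was then forwarded to victim@corp.example. The direct case is the control.
REPLAYED_MESSAGE = build_vendor_notice("drop-box@mailer.example")
DIRECT_MESSAGE = build_vendor_notice("victim@corp.example")

if __name__ == "__main__":
    five_days_later = 1767225600 + 5 * 86400
    print(assess_replay(REPLAYED_MESSAGE, "victim@corp.example", now=five_days_later))
    print(assess_replay(DIRECT_MESSAGE, "victim@corp.example", now=1767225600 + 600))
```

Legitimate forwarding and distribution-list aliases trigger the recipient mismatch too, so the result is a scoring input rather than a block decision; scoping the rule to the handful of vendor d= domains whose notices are being abused keeps the false-positive rate manageable.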
Remote Monitoring and Management Software Abuse Surges
A new report from Huntress reveals a 277% year-over-year surge in the abuse of Remote Monitoring and Management (RMM) software, accounting for 24% of all observed incidents. Threat actors increasingly favor these tools due to their ubiquity in enterprise environments and their trusted nature, allowing malicious activity to blend with legitimate usage, thus evading detection.
RMM tools also offer enhanced stealth, persistence, and operational efficiency. Cybercriminals have developed playbooks around these legitimate tools for dropping malware, stealing credentials, and executing commands. This has led to a 53% drop in the use of traditional hacking tools, while remote access trojans and malicious scripts saw decreases of 20% and 11.7%, respectively.
Texas Targets China-Linked Tech Firms
Texas Attorney General Ken Paxton has sued TP-Link, alleging deceptive marketing of its networking devices and allowing the Chinese Communist Party (CCP) access to American consumers’ data. The lawsuit claims TP-Link products have been used by Chinese hacking groups for cyberattacks against the U.S. and that the company is subject to Chinese data laws requiring support for intelligence services.
In a separate lawsuit, Paxton accused Anzu Robotics of misleading Texas consumers about the origin, data practices, and security risks of its drones, describing the company’s products as “21st-century Trojan horses linked to the CCP.” These actions reflect growing governmental scrutiny of technology firms with alleged ties to foreign governments.
MetaMask Backdoor Expands North Korea-Linked Campaign
The North Korea-linked campaign known as Contagious Interview targets IT professionals in the cryptocurrency, Web3, and artificial intelligence sectors to steal sensitive data and financial information using malware such as BeaverTail and InvisibleFerret. Recent iterations of the campaign have expanded data theft capabilities by tampering with the MetaMask wallet extension. Security researcher Seongsu Park reported that a lightweight JavaScript backdoor, sharing functionality with InvisibleFerret, is used for this purpose.
Through the backdoor, attackers instruct the infected system to download and install a fake MetaMask extension with a dynamically generated configuration file to appear legitimate. Once installed, the compromised extension captures the victim’s wallet unlock password and transmits it to the attacker’s C2 server, granting them full access to cryptocurrency funds. This highlights the sophisticated methods threat actors use to infiltrate and exploit users in niche technological sectors.
Booking.com Kits Target Hotels and Guests
Bridewell has warned of a resurgence in malicious activity targeting the hotel and retail sectors, primarily driven by financial fraud. The threat actors impersonate the Booking.com platform using two distinct phishing kits designed to harvest credentials and banking information from both hotel businesses and guests sequentially. This activity shares overlaps with a prior wave of activity disclosed in November 2025, but the use of a dedicated phishing kit represents a new approach.
This resurgence underscores the ongoing threats to the hospitality industry and highlights the need for enhanced security measures for both businesses and consumers interacting with online booking platforms.
EPMM Exploits Enable Persistent Access in Critical Sectors
Recently disclosed security flaws in Ivanti Endpoint Manager Mobile (EPMM) have been exploited by attackers to establish reverse shells, deliver JSP web shells, conduct reconnaissance, and download malware, including Nezha, cryptocurrency miners, and backdoors for remote access. The two critical vulnerabilities, CVE-2026-1281 and CVE-2026-1340, allow unauthenticated attackers to remotely execute arbitrary code on target servers, providing full control over mobile device management (MDM) infrastructure.
Palo Alto Networks Unit 42 reports that the campaign has affected state and local government, healthcare, manufacturing, professional and legal services, and high-technology sectors in the U.S., Germany, Australia, and Canada. Threat actors are accelerating operations, deploying dormant backdoors designed to maintain long-term access even after patches are applied. Germany’s Federal Office for Information Security (BSI) has reported evidence of exploitation since the summer of 2025, urging organizations to audit their systems.
AI-Generated Passwords Lack True Randomness
New research from Irregular indicates that passwords generated directly by large language models (LLMs) may appear strong but are fundamentally insecure. LLMs are designed to predict tokens, which is the opposite of securely and uniformly sampling random characters. The AI security company detected LLM-generated passwords in real-world code development tasks, rather than users relying on traditional secure password generation methods.
The company advises against using LLMs for password generation, as they produce predictable outputs incompatible with secure generation. AI coding agents should be directed to use secure password generation methods instead. Developers using AI coding assistants should review generated code for hardcoded credentials and ensure agents utilize cryptographically secure methods or established password managers.
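What "cryptographically secure" generation means in practice, and how the two recommendations above can be checked in code, is shown by the following added example (not Irregular's code or part of the original article). Passwords are drawn from the operating system's CSPRNG with the standard-library secrets module, the entropy figure only applies because sampling is uniform, and a small scanner picks out quoted literals assigned to credential-looking variable names in generated source. The source snippet is constructed; the regex and variable names are the example's own.

```python
import math
import re
import secrets
import string

# 94 printable ASCII symbols; each uniformly sampled character adds log2(94), about 6.55 bits.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Uniform sampling from the OS CSPRNG via secrets.choice; every character is
    independent of the ones before it, which is exactly what next-token prediction
    does not provide."""
    if length < 1:
        raise ValueError("length must be positive")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols sampled uniformly from `alphabet_size` choices.
    Valid only for uniform sampling: an LLM output of the same shape does not earn
    this figure, since its characters are correlated and drawn from a skewed distribution."""
    return length * math.log2(alphabet_size)


# Assignments of a quoted literal to a credential-looking variable name: the kind of
# line an assistant emits when asked to "fill in" a password instead of generating one.
HARDCODED_RE = re.compile(
    r"^\s*(?P<name>\w*(?:password|passwd|secret|api_key|apikey|token)\w*)\s*=\s*"
    r"(?P<q>[\"'])(?P<value>.+?)(?P=q)",
    re.IGNORECASE | re.MULTILINE,
)


def find_hardcoded_credentials(source: str):
    """Return (variable, literal) pairs for string literals assigned to credential names.
    Reads from the environment or a secret store do not match because no quote follows '='."""
    return [(m.group("name"), m.group("value")) for m in HARDCODED_RE.finditer(source)]


# Constructed snippet standing in for assistant-generated code.
SAMPLE_SOURCE = '''
DB_PASSWORD = "Tr0ub4dor&3"
api_key = 'sk-CONSTRUCTED-EXAMPLE-KEY'
password = os.environ["DB_PASSWORD"]
token_ttl = 3600
'''

if __name__ == "__main__":
    pw = generate_password(20)
    print(f"{pw}  ({entropy_bits(20, len(DEFAULT_ALPHABET)):.1f} bits)")
    for name, literal in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"hardcoded credential: {name} = {literal!r}")
```

The scanner is deliberately narrow (one assignment shape, a fixed list of name fragments); it is a review aid for the code an agent hands back, not a replacement for a secret-scanning hook in CI.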
PDF Engine Flaws Lead to Account Takeover Risk
Cybersecurity researchers have discovered over a dozen vulnerabilities in popular PDF platforms from Foxit and Apryse. These flaws, including CVE-2025-70401, CVE-2025-70402, and CVE-2025-66500, could allow attackers to achieve account takeover, session hijacking, data exfiltration, and arbitrary JavaScript execution. Novee Security researchers noted that these issues stem from recurring architectural failures in how PDF platforms handle untrusted input across layers.
Several vulnerabilities were exploitable with a single request and affected trusted domains commonly embedded within enterprise applications. Both Apryse and Foxit have addressed these issues through product updates, highlighting the ongoing need for vigilance in software supply chain security.
Training Labs Expose Cloud Backdoors
A “widespread” security issue has been identified where security vendors inadvertently expose deliberately vulnerable training applications, such as OWASP Juice Shop, DVWA, bWAPP, and Hackazon, to the public internet. This can expose organizations to severe security risks when these applications are executed from a privileged cloud account. Pentera Labs reported that these applications were frequently left accessible in their default or misconfigured states, primarily deployed for internal testing and demonstrations.
These critical flaws not only allowed attackers full control over the compromised compute engine but also provided pathways for lateral movement into sensitive internal systems. Violations of the principle of least privilege and inadequate sandboxing measures facilitated privilege escalation, endangering critical infrastructure and sensitive organizational data. Threat actors are exploiting this blind spot to plant web shells, cryptocurrency miners, and persistence mechanisms.
Evasion Loader Refines Command and Control Stealth
The malware loader known as Oyster (also referred to as Broomstick or CleanUpLoader) has continued to evolve into early 2026, refining its C2 infrastructure and obfuscation methods. Sekoia findings indicate the malware is primarily distributed through fake websites offering installers for legitimate software like Microsoft Teams, with the core payload often deployed as a DLL. The initial stage employs excessive legitimate API call hammering and simple anti-debugging traps to thwart static analysis.
The core payload is delivered in a highly obfuscated manner. The final stage implements a robust C2 communication protocol featuring a dual-layer server infrastructure and highly customized data encoding. This evolution highlights the persistent efforts by malware developers to maintain stealth and evade detection.
Information Stealer Taunts Researchers in Code
Noodlophile, an information-stealing malware distributed via fake AI tools promoted on Facebook, is assessed to be the work of a threat actor based in Vietnam. First documented in May 2025, subsequent reports detailed campaigns like UNC6229 and PXA Stealer orchestrated by Vietnamese cybercriminals. Morphisec’s latest analysis of Noodlophile revealed that the threat actor padded the malware with millions of repetitions of a Vietnamese phrase translating to “f*** you, Morphisec,” suggesting displeasure at being exposed.
Security researcher Michael Gorelik noted this wasn’t just to vent frustration but also to bloat the file and crash AI-based analysis tools reliant on the Python disassemble library. This act of defiance underlines the cat-and-mouse game between malware developers and security researchers.
Crypto Library RCE Vulnerability Patched
The OpenSSL project has patched a stack buffer overflow flaw that could lead to remote code execution under specific conditions. The vulnerability, tracked as CVE-2025-15467, resides in how the library processes Cryptographic Message Syntax data. Threat actors can use CMS packets with maliciously crafted AEAD parameters to crash OpenSSL and execute malicious code. CVE-2025-15467 is one of 12 issues disclosed by AISLE late last month. Another high-severity vulnerability, CVE-2025-11187, could trigger a stack-based buffer overflow due to missing validation.
The patching of this critical vulnerability in a widely used cryptographic library is a vital step in securing systems that rely on robust encryption and secure communication protocols.
Machine Accounts Expand Delegation Risk
New research from Silverfort has demonstrated that Kerberos delegation, which allows a service to request resources or perform actions on behalf of a user, also applies to machine accounts. This means a computer account can be delegated on behalf of highly privileged machine identities, such as domain controllers. Silverfort researcher Dor Segal explained that if an adversary can leverage delegation, they can act on behalf of sensitive machine accounts, which often hold privileges equivalent to Domain Administrator.
To mitigate this risk, it is advised to run “Set-ADAccountControl -Identity "HOST01$" -AccountNotDelegated $true” for each sensitive machine account. This research highlights a critical, often overlooked, threat vector related to machine identity management within Active Directory environments.
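The mitigation above sets the NOT_DELEGATED bit (0x100000, "Account is sensitive and cannot be delegated") in the account's userAccountControl attribute. The following added example (not Silverfort's code or part of the original article) audits exported computer objects offline for that bit and for the delegation settings that make an account usable as a delegation hop: it flags domain controller accounts (SERVER_TRUST_ACCOUNT bit) that lack NOT_DELEGATED and emits the Set-ADAccountControl command from the text for each, and reports unconstrained, constrained and resource-based constrained delegation on the rest. The attribute dictionaries are constructed samples; DC01$, DC02$, WEB01$, WS042$ and corp.example are placeholder names.

```python
from typing import Dict, Iterable, List

# userAccountControl bits (ADS_USER_FLAG_ENUM).
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000          # member server / workstation account
UF_SERVER_TRUST_ACCOUNT = 0x2000               # domain controller account
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition


def remediation_command(sam_account_name: str) -> str:
    """The mitigation quoted above, rendered for one account."""
    return f'Set-ADAccountControl -Identity "{sam_account_name}" -AccountNotDelegated $true'


def audit_delegation(computers: Iterable[dict], extra_sensitive: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Return {sAMAccountName: [findings]} for computer objects with delegation exposure.

    Each object is a dict of LDAP attributes as exported from the directory. Domain
    controllers are treated as sensitive automatically; extra_sensitive names other
    high-value machine accounts (PKI, ADFS, backup hosts) to hold to the same bar."""
    findings: Dict[str, List[str]] = {}
    sensitive_names = {n.lower() for n in extra_sensitive}
    for obj in computers:
        name = obj["sAMAccountName"]
        uac = int(obj.get("userAccountControl", 0))
        is_dc = bool(uac & UF_SERVER_TRUST_ACCOUNT)
        sensitive = is_dc or name.lower() in sensitive_names
        issues = []
        if sensitive and not uac & UF_NOT_DELEGATED:
            issues.append("sensitive machine account lacks NOT_DELEGATED; fix: " + remediation_command(name))
        # Unconstrained delegation is the default on DCs; on anything else it is a finding.
        if not is_dc and uac & UF_TRUSTED_FOR_DELEGATION:
            issues.append("unconstrained delegation enabled on a non-DC")
        targets = obj.get("msDS-AllowedToDelegateTo") or []
        if targets:
            mode = "with protocol transition" if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION else "Kerberos-only"
            issues.append(f"constrained delegation {mode} to {sorted(targets)}")
        if obj.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
            issues.append("resource-based constrained delegation configured on this account")
        if issues:
            findings[name] = issues
    return findings


# Constructed sample export. 532480 (0x82000) is the default DC value:
# SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION. 4096 is the default for workstations.
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 532480},
    {"sAMAccountName": "DC02$", "userAccountControl": 532480 | UF_NOT_DELEGATED},
    {"sAMAccountName": "WEB01$",
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/FILE01.corp.example"]},
    {"sAMAccountName": "WS042$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT},
]

if __name__ == "__main__":
    for account, issues in audit_delegation(SAMPLE_COMPUTERS).items():
        for issue in issues:
            print(f"{account}: {issue}")
```

Feeding the audit from a scheduled export (Get-ADComputer with the four attributes above, or an ldapsearch of objectClass=computer) turns the one-off command from the text into a recurring control, and the same bit check doubles as a detection when NOT_DELEGATED disappears from an account that previously had it.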
The continuous stream of cybersecurity news underscores the dynamic nature of threats and the adaptive strategies employed by cybercriminals. As new vulnerabilities are discovered and patched, and as threat actors refine their techniques, organizations must remain proactive. The upcoming weeks will likely see further analysis of these trends, focusing on how defenders can integrate these evolving threats into their risk management frameworks. The mandated patching deadlines and ongoing investigations into ransomware groups indicate a concerted effort to improve overall digital security, though the constant emergence of novel attack vectors suggests this will remain a challenging landscape.