BLOG - February 2026
| 28.2.26 | Cisco SD-WAN vulnerabilities (CVE-2026-20127, CVE-2022-20775) in active exploitation | On February 25, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and UK National Cyber Security Centre warned that vulnerabilities affecting Cisco software-defined wide-area network (SD-WAN) systems (CVE-2026-20127 and CVE-2022-20775) are actively being exploited. | Vulnerability blog | SOPHOS |
| 28.2.26 | Nowhere, man: The 2026 Active Adversary Report | AI headline hype didn’t deliver a sea change for practical defense — but one below-the-radar development should | Cyber blog | SOPHOS |
| 28.2.26 | | Our report on adversarial misuse of AI highlights model extraction, augmented attacks, and new AI-enabled malware. | AI blog | GTI |
| 28.2.26 | From BRICKSTORM to GRIMBOLT: UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day | Mandiant and Google Threat Intelligence Group (GTIG) have identified the zero-day exploitation of a high-risk vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769, with a CVSSv3.1 score of 10.0. | Vulnerability blog | GTI |
| 28.2.26 | Counterfeit Network Gear Creates Cyber Risk in Critical Infrastructure | As the supply chain for information technology components and raw materials is squeezed by the AI boom, the secondary market is heating up, and introducing new cyber risk into the IT supply chain. | Cyber blog | Eclypsium |
| 28.2.26 | ENISA’s Updated Cybersecurity Methodology Aligns with NIS2 and EU Cybersecurity Act | ENISA’s Cybersecurity Exercise Methodology helps organizations align with NIS2 and the EU Cybersecurity Act while improving readiness and resilience. | BigBrother blog | Cyble |
| 28.2.26 | The Week in Vulnerabilities: WordPress, BeyondTrust, and Critical ICS Bugs | Critical WordPress, BeyondTrust, Honeywell CCTV, and PUSR router vulnerabilities surfaced on underground forums, while CISA issued 8 ICS advisories impacting critical manufacturing sectors. | Vulnerability blog | Cyble |
| 28.2.26 | SURXRAT: From ArsinkRAT roots to LLM Module Downloads Signaling Capability Expansion | Cyble uncovers SURXRAT’s evolution across versions, built on ArsinkRAT code, and now downloading large LLM modules signaling an expansion of its operational capabilities. | Malware blog | Cyble |
| 28.2.26 | North Korean Lazarus Group Now Working With Medusa Ransomware | North Korean attackers continue to mount extortion attacks against the U.S. healthcare sector despite indictment. | APT blog | SECURITY.COM |
| 28.2.26 | From Token Theft to Full System Takeover: Breaking OpenClaw’s RCE Flaw (CVE-2026-25253) | The SonicWall Capture Labs threat research team became aware of an authentication token theft vulnerability in OpenClaw, assessed its impact and developed mitigation measures. OpenClaw is a widely used open-source AI assistant platform that integrates with numerous messaging services and provides deep system-level capabilities. | Vulnerability blog | SonicWall |
| 28.2.26 | Inside a New VioletRAT Campaign: Multi Staged Delivery and Stealthy Payload Execution | Recently, the SonicWall Capture Labs threat research team observed a new campaign spreading Violet RAT using a multistage Python-based APC injection technique. The campaign employs a multi-stage delivery chain that involves archives, batch scripts, and a Python loader to deploy the final payload via shellcode injection. The complete infection chain can be visualized in the following figure 1. | Malware blog | SonicWall |
| 28.2.26 | Bring the Fight to the Edge: Turning Time Into an Advantage in OT Security | Industrial organizations are facing a growing paradox in cybersecurity. While operational technology (OT) environments are increasingly connected, most security strategies still assume threats will only materialize once attackers reach the plant floor. | Security blog | Palo Alto |
| 28.2.26 | Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files (CVE-2025-59536, CVE-2026-21852) | Check Point Research has discovered critical vulnerabilities in Anthropic’s Claude Code that allow attackers to achieve remote code execution and steal API credentials through malicious project configurations. | Vulnerability blog | CHECKPOINT |
| 28.2.26 | 2025: The Untold Stories of Check Point Research | Check Point Research (CPR) continuously tracks threats, following the clues that lead to major players and incidents in the threat landscape. Whether it’s high-end financially-motivated campaigns or state-sponsored activity, our focus is to figure out what the threat is, report our findings to the relevant parties, and make sure Check Point customers stay protected. | Cyber blog | CHECKPOINT |
| 28.2.26 | New Dohdoor malware campaign targets education and health care | Cisco Talos discovered an ongoing malicious campaign since at least as early as December 2025 by a threat actor we track as “UAT-10027,” delivering a previously undisclosed backdoor dubbed “Dohdoor.” | Malware blog | CISCO TALOS |
| 28.2.26 | Henry IV, Hotspur, Hal, and hallucinations | | Cyber blog | CISCO TALOS |
| 28.2.26 | Active exploitation of Cisco Catalyst SD-WAN by UAT-8616 | Cisco Talos is tracking the active exploitation of CVE-2026-20127, a vulnerability in Cisco Catalyst SD-WAN Controller, formerly vSmart, that allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges. | Vulnerability blog | CISCO TALOS |
| 28.2.26 | “Good enough” emulation: Fuzzing a single thread to uncover vulnerabilities | A Talos researcher used targeted emulation of the Socomec DIRIS M-70 gateway’s Modbus thread to uncover six patched vulnerabilities, showcasing efficient tools and methods for IoT security testing. | Vulnerability blog | CISCO TALOS |
| 28.2.26 | Mobile app permissions (still) matter more than you may think | Start using a new app and you’ll often be asked to grant it permissions. But blindly accepting them could expose you to serious privacy and security risks. | Cyber blog | Eset |
| 28.2.26 | Faking it on the phone: How to tell if a voice call is AI or not | Can you believe your ears? Increasingly, the answer is no. Here’s what’s at stake for your business, and how to beat the deepfakers. | Cyber blog | Eset |
| 21.2.26 | Counterfeit Network Gear Creates Cyber Risk in Critical Infrastructure | As the supply chain for information technology components and raw materials is squeezed by the AI boom, the secondary market is heating up, and introducing new cyber risk into the IT supply chain. | AI blog | Eclypsium |
| 21.2.26 | The Week in Vulnerabilities: SolarWinds, Ivanti, and Critical ICS Exposure | Critical SolarWinds, Ivanti EPMM, Microsoft Office, and Siemens ICS vulnerabilities are being discussed on underground forums, while 15 CISA ICS advisories impacted Energy and Critical Manufacturing sectors. | Vulnerability blog | Cyble |
| 21.2.26 | India’s AI Revolution: Why This Is India’s Most Significant Moment | Beenu Arora outlines India’s AI moment, rising deepfake and phishing threats, and why AI security must evolve alongside innovation and scale. | AI blog | Cyble |
| 21.2.26 | How the Protective Security Policy Framework Shapes Australia’s Commonwealth Cyber Security Strategy | The 2025 Commonwealth Cyber Security report outlines Essential Eight progress, compliance results, and key resilience challenges. | Cyber blog | Cyble |
| 21.2.26 | Strategic AI for Preemptive Cyber Defense and Attacker Cost Imposition | Modern AI security tools are heavily focused on reducing operational bottlenecks. It might help analysts clear an alert queue faster or prioritize which fires to put out first. While these efforts are valuable for efficiency, they don’t fundamentally change the game; they just help teams react more effectively to attacks that have already breached the perimeter. | AI blog | Silent Push |
| 21.2.26 | U.S. Public Sector Under Siege | Discover why Government and Education must prioritize Cyber Risk Management. | Cyber blog | Trend Micro |
| 21.2.26 | Spam Campaign Abuses Atlassian Jira, Targets Government and Corporate Entities | We uncover how a campaign used Atlassian Jira Cloud to launch automated and targeted spam campaigns, exploiting trusted SaaS workflows to bypass security controls. | Hacking blog | Trend Micro |
| 21.2.26 | Viral AI, Invisible Risks: What OpenClaw Reveals About Agentic Assistants | OpenClaw (aka Clawdbot or Moltbot) represents a new frontier in agentic AI: powerful, highly autonomous, and surprisingly easy to use. In this research, we examine how its capabilities compare to its predecessors’ and highlight the security risks inherent to the agentic AI paradigm. | AI blog | Trend Micro |
| 21.2.26 | Uncovering a Recent Pulsar RAT Sample in the Wild | This week, the SonicWall Capture Labs Threat Research Team analyzed an obfuscated .NET trojan frequently used in malicious campaigns. Pulsar RAT is an open-source remote access tool derived from another open-source RAT named Quasar. Pulsar adds updated capabilities such as hooking clipboard changes, capturing webcam images, UAC bypass, and sending results back to attackers. | Malware blog | SonicWall |
| 21.2.26 | VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731) | On Feb. 6, 2026, BeyondTrust released a security advisory regarding CVE-2026-1731. BeyondTrust is an identity and access management platform. This specific vulnerability involves a pre-authentication remote code execution (RCE) issue within BeyondTrust remote support software. | Vulnerability blog | Palo Alto |
| 21.2.26 | Phishing on the Edge of the Web and Mobile Using QR Codes | This article explores the misuse of QR codes in today's threat landscape, covering three areas of concern: | Phishing blog | Palo Alto |
| 21.2.26 | Critical Vulnerabilities in Ivanti EPMM Exploited | Two critical zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) affecting Ivanti Endpoint Manager Mobile (EPMM) are being actively exploited in the wild, affecting enterprise mobile fleets and corporate networks. These vulnerabilities allow unauthenticated attackers to remotely execute arbitrary code on target servers, granting them full control over mobile device management (MDM) infrastructure without requiring user interaction or credentials. | Vulnerability blog | Palo Alto |
| 21.2.26 | AI in the Middle: Turning Web-Based AI Services into C2 Proxies & The Future Of AI Driven Attacks | Check Point Research (CPR) has discovered that certain AI assistants that support web browsing or URL fetching can be abused as covert command-and-control relays (“AI as a proxy”), allowing attacker traffic to blend seamlessly into legitimate, commonly permitted enterprise communications. | AI blog | CHECKPOINT |
| 21.2.26 | Using AI to defeat AI | In this week’s newsletter Martin considers how defenders can turn offensive AI tools against themselves. | AI blog | CISCO TALOS |
| 21.2.26 | “Good enough” emulation: Fuzzing a single thread to uncover vulnerabilities | A Talos researcher used targeted emulation of the Socomec DIRIS M-70 gateway’s Modbus thread to uncover six patched vulnerabilities, showcasing efficient tools and methods for IoT security testing. | Hacking blog | CISCO TALOS |
| 21.2.26 | PromptSpy ushers in the era of Android threats using GenAI | ESET researchers discover PromptSpy, the first known Android malware to abuse generative AI in its execution flow | Malware blog | Eset |
| 21.2.26 | Is Poshmark safe? How to buy and sell without getting scammed | Like any other marketplace, the social commerce platform has its share of red flags. It pays to know what to look for so you can shop or sell without headaches. | Spam blog | Eset |
| 21.2.26 | Is it OK to let your children post selfies online? | When it comes to our children’s digital lives, prohibition rarely works. It’s our responsibility to help them build a healthy relationship with tech. | Security blog | Eset |
| 21.2.26 | Turf Wars vs. Supply Chains: The Great Divergence in State Cyber Threats | Russia uses proxies; the PRC uses assembly lines. Discover how the Quartermaster, Breacher, and Specialist layers redefine 2026 threats. | BigBrother blog | Trellix |
| 21.2.26 | Technical Deep Dive: The Monero Mining Campaign | In the contemporary threat landscape, while ransomware grabs headlines with high-impact disruptions, cryptojacking operations have quietly evolved into sophisticated, persistent threats. | Cryptocurrency blog | Trellix |
| 18.2.26 | From BRICKSTORM to GRIMBOLT: UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day | Mandiant and Google Threat Intelligence Group (GTIG) have identified the zero-day exploitation of a high-risk vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769, with a CVSSv3.1 score of 10.0. | APT blog | GTI |
| 18.2.26 | Notepad++ v8.9.2 release - Double-Lock Update Security | “the XML returned by the update server is now signed (XMLDSig), and the certificate & signature verification will be enforced starting with upcoming v8.9.2, expected in about one month.“ | Security blog | NOTEPAD |
| 18.2.26 | AI in the Middle: Turning Web-Based AI Services into C2 Proxies & The Future Of AI Driven Attacks | Check Point Research (CPR) has discovered that certain AI assistants that support web browsing or URL fetching can be abused as covert command-and-control relays (“AI as a proxy”), allowing attacker traffic to blend seamlessly into legitimate, commonly permitted enterprise communications. | AI blog | CHECKPOINT |
| 14.2.26 | When AI Secrets Go Public: The Rising Risk of Exposed ChatGPT API Keys | Cyble’s research reveals the exposure of ChatGPT API keys online, potentially enabling large-scale abuse and hidden AI risk. | AI blog | Cyble |
| 14.2.26 | The US False Claims Act Becomes a Cybersecurity Enforcement Engine | DOJ recovered $52M in False Claims Act for cyber settlements, signaling tougher enforcement over contractor cybersecurity representations. | Cyber blog | Cyble |
| 14.2.26 | SMS & OTP Bombing Campaigns: Evolving API Abuse Targeting Multiple Regions | Cyble analyzes expanding OTP/SMS bombing ecosystems using high-speed APIs, SSL bypass, and cross-platform automation. | Security blog | Cyble |
| 14.2.26 | The Week in Vulnerabilities: SolarWinds, AI Fixes Urged by Cyble | SolarWinds Web Help Desk and OpenClaw flaws are among the vulnerabilities drawing significant interest from threat actors. | Vulnerability blog | Cyble |
| 14.2.26 | A Peek Into Muddled Libra’s Operational Playbook | During a September 2025 incident response investigation, Unit 42 discovered a rogue virtual machine (VM) which we believe with high confidence to be used by the cybercrime group Muddled Libra (aka Scattered Spider, UNC3944). The contents of this rogue VM and activity from the attack provide valuable insight into the operational playbook of this threat actor. | APT blog | Palo Alto |
| 14.2.26 | New threat actor, UAT-9921, leverages VoidLink framework in campaigns | Cisco Talos recently discovered a new threat actor, UAT-9221, leveraging VoidLink in campaigns. Their activities may go as far back as 2019, even without VoidLink. | Malware blog | CISCO TALOS |
| 14.2.26 | Hand over the keys for Shannon’s shenanigans | In this week’s newsletter, Amy examines the rise of Shannon, an autonomous AI penetration testing tool, and what it means for security teams and risk management. | AI blog | CISCO TALOS |
| 14.2.26 | Ryan Liles, master of technical diplomacy | Ryan Liles reveals how he bridges the gap between Cisco’s product teams and third-party testing labs, mastering the art of technical diplomacy while driving industry standards forward and keeping the internet’s defenders ahead of the game. | Cyber blog | CISCO TALOS |
| 14.2.26 | Microsoft Patch Tuesday for February 2026 — Snort rules and prominent vulnerabilities | Microsoft has released its monthly security update for February 2026, which includes 55 vulnerabilities affecting a range of products, including one (CVE-2025-59498) that Microsoft marked as “Critical”. | OS Blog | CISCO TALOS |
| 14.2.26 | Naming and shaming: How ransomware groups tighten the screws on victims | When corporate data is exposed on a dedicated leak site, the consequences linger long after the attack fades from the news cycle | Ransom blog | Eset |
| 14.2.26 | Taxing times: Top IRS scams to look out for in 2026 | It’s time to file your tax return. And cybercriminals are lurking to make an already stressful period even more edgy. | Spam blog | Eset |
| 14.2.26 | The Bug Report - January 2026 Edition | New Year, new exploits! We break down critical January CVEs in Microsoft Office, n8n, and AI tools. Don't let your resolution be a breach—read the report. | Vulnerability blog | Trellix |
| 14.2.26 | Dark Web Roast - January 2026 Edition | Welcome to January 2026's underground intelligence roundup, where criminal masterminds continue to demonstrate that the phrase "honour among thieves" remains the greatest oxymoron in cybercrime. | Hacking blog | Trellix |
| 14.2.26 | When SPNs Go Rogue: Detection and Remediation with Trellix NDR | To address this detection gap, the blog shows how Trellix Network Detection and Response (NDR) detects Kerberoasting activity by analyzing deviations in identity behavior and comparing network-level telemetry. | Security blog | Trellix |
| 13.2.26 | Malicious Chrome Extension Steals Meta Business Manager Exports and TOTP 2FA Seeds | Chrome extension CL Suite by @CLMasters neutralizes 2FA for Facebook and Meta Business accounts while exfiltrating Business Manager contact and analytics data. | Social blog | SOCKET |
| 13.2.26 | Lotus Blossom (G0030) and the Notepad++ Supply-Chain Espionage Campaign | In late 2025 and early 2026, a series of independent disclosures by software maintainers, security researchers, and national cyber authorities converged on an unsettling conclusion: for months, the update mechanism of one of the world’s most widely used open-source text editors had been quietly subverted. | APT blog | DomainTools Investigation |
| 13.2.26 | GTIG AI Threat Tracker: Distillation, Experimentation, and (Continued) Integration of AI for Adversarial Use | In the final quarter of 2025, Google Threat Intelligence Group (GTIG) observed threat actors increasingly integrating artificial intelligence (AI) to accelerate the attack lifecycle, achieving productivity gains in reconnaissance, social engineering, and malware development. This report serves as an update to our November 2025 findings regarding the advances in threat actor usage of AI tools. | AI blog | GTI |
| 10.2.26 | Reynolds: Defense Evasion Capability Embedded in Ransomware Payload | BYOVD component included in ransomware payload itself, rather than as a separate tool. | Ransom blog | SECURITY.COM |
| 10.2.26 | Understanding BYOVD Attacks and Mitigation Strategies | In recent years, the cybersecurity community has observed a notable increase in attacks leveraging the Bring Your Own Vulnerable Driver (BYOVD) technique. | Mobil | Halcyon |
| 7.2.26 | Malicious use of virtual machine infrastructure | Bulletproof hosting providers are abusing the legitimate ISPsystem infrastructure to supply virtual machines to cybercriminals | Malware blog | SOPHOS |
| 7.2.26 | Inside a Multi-Stage Android Malware Campaign Leveraging RTO-Themed Social Engineering | In recent years, Android malware campaigns in India have increasingly abused the trust associated with government services and official digital platforms. By imitating well-known portals and leveraging social engineering through messaging applications, threat actors exploit user urgency and lack... | Malware blog | Seqrite |
| 7.2.26 | France’s Cybersecurity Roadmap: Talent, Deterrence, and European Digital Sovereignty | France’s 2026-2030 cybersecurity strategy prioritizes talent, aiming to build Europe’s largest cyber workforce and strengthen national resilience. | BigBrother blog | Cyble |
| 7.2.26 | Ransomware Attacks Have Surged 30% Since Q4 2025 | Ransomware groups have averaged nearly 700 victims a month in the last four months, and many attacks have posed supply chain risks. | Ransom blog | Cyble |
| 7.2.26 | The Week in Vulnerabilities: Open-Source Fixes Urged by Cyble | Vulnerabilities affecting n8n, OpenSSL and GNU Inetutils are among the flaws being noticed by threat actors and security researchers alike. | Vulnerability blog | Cyble |
| 7.2.26 | Desperate Perth Renters Targeted by Rising Australian Housing Scam | | Spam blog | Cyble |
| 7.2.26 | Black Basta: Defense Evasion Capability Embedded in Ransomware Payload | A recent Black Basta attack campaign was notable because the ransomware contained a bring-your-own-vulnerable-driver (BYOVD) defense evasion component embedded within the ransomware payload itself. | Ransom blog | SECURITY.COM |
| 7.2.26 | Viral AI, Invisible Risks: What OpenClaw Reveals About Agentic Assistants | OpenClaw (aka Clawdbot or Moltbot) represents a new frontier in agentic AI: powerful, highly autonomous, and surprisingly easy to use. In this research, we examine how its capabilities compare to its predecessors’ and highlight the security risks inherent to the agentic AI paradigm. | AI blog | Trend Micro |
| 7.2.26 | Living Off Legit Tools: Stealthy Installation of Remote Monitoring Agents Using SmartScreen Bypass | Recently, the SonicWall Capture Labs threat research team has observed a new campaign delivering batch files that lead to the unwanted installation of remote access software such as ScreenConnect or Action1 Agent. Once installed, a service is created so that threat actors can take control of the infected system. | Vulnerability blog | SonicWall |
| 7.2.26 | FlowiseAI Custom MCP Node Remote Code Execution | SonicWall Capture Labs threat research team became aware of the threat CVE-2025-59528, assessed its impact, and developed mitigation measures for this vulnerability. CVE-2025-59528, also known as Flowise CustomMCP Code Injection, is a critical remote code execution vulnerability affecting FlowiseAI Flowise in versions >= 2.2.7-patch.1 and < 3.0.6. | AI blog | SonicWall |
| 7.2.26 | Novel Technique to Detect Cloud Threat Actor Operations | Cloud-based alerting systems often struggle to distinguish between normal cloud activity and targeted malicious operations by known threat actors. The difficulty doesn’t lie in an inability to identify complex alerting operations across thousands of cloud resources or in a failure to follow identity resources; the problem lies in the accurate detection of known persistent threat actor group techniques specifically within cloud environments. | Hacking blog | Palo Alto |
| 7.2.26 | Why Smart People Fall For Phishing Attacks | The cybersecurity landscape of 2026 is stronger than ever with countless security resources and protective tools. Despite robust defenses at anyone’s fingertips, common phishing scams and spoofing attacks remain an ongoing issue. Unfortunately, the reality is that these attacks aren’t disappearing; they’re simply evolving. | Phishing blog | Palo Alto |
| 7.2.26 | The Shadow Campaigns: Uncovering Global Espionage | This investigation unveils a new cyberespionage group that Unit 42 tracks as TGR-STA-1030. We refer to the group’s activity as the Shadow Campaigns. We assess with high confidence that TGR-STA-1030 is a state-aligned group that operates out of Asia. Over the past year, this group has compromised government and critical infrastructure organizations across 37 countries. | APT blog | Palo Alto |
| 7.2.26 | Amaranth-Dragon: Weaponizing CVE-2025-8088 for Targeted Espionage in Southeast Asia | Check Point Research (CPR) has been tracking Amaranth-Dragon, a nexus of APT-41, previously aligned with Chinese interests. The group launched highly targeted cyber-espionage campaigns throughout 2025 against government and law enforcement agencies in Southeast Asia. | APT blog | CHECKPOINT |
| 7.2.26 | All gas, no brakes: Time to come to AI church | This week, Joe cautions against the rush to adopt AI tools rife with truly awful security vulnerabilities. | AI blog | CISCO TALOS |
| 7.2.26 | Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework | Cisco Talos uncovered “DKnife,” a fully featured gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants. | Hacking blog | CISCO TALOS |
| 7.2.26 | OfferUp scammers are out in force: Here’s what you should know | The mobile marketplace app has a growing number of users, but not all of them are genuine. Watch out for these common scams. | Spam blog | Eset |
| 7.2.26 | A slippery slope: Beware of Winter Olympics scams and other cyberthreats | It’s snow joke – sporting events are a big draw for cybercriminals. Make sure you’re not on the losing side by following these best practices. | Spam blog | Eset |
| 7.2.26 | Cybereason TTP Briefing Q4 2025: Diverse Phishing Tactics and RATs on the Rise | Explore the most effective trends, techniques, and procedures used by threat actors in Q4 2025, with frontline threat intelligence from our incident response experts. | Phishing blog | Cybereason |
| 7.2.26 | Fake Installer: Ultimately, ValleyRAT infection | In this Threat Analysis Report, Cybereason explores the fake installer, ValleyRAT | Malware blog | Cybereason |
| 7.2.26 | APT28’s Stealthy Multi-Stage Campaign Leveraging CVE-2026-21509 and Cloud C2 Infrastructure | Russian state-sponsored threat group APT28 (aka Fancy Bear or UAC-0001) has launched a sophisticated espionage campaign targeting European military and government entities, specifically targeting maritime and transport organizations across Poland, Slovenia, Turkey, Greece, the UAE, and Ukraine. | APT blog | Trellix |
| 7.2.26 | The Crown Jewels of Active Directory: How Trellix Helix Detects NTDS.dit Theft | This blog from the Trellix Advanced Research Center examines a security incident where adversaries infiltrated a system, extracted the NTDS.dit database, and worked to remove it from the environment while circumventing standard security measures. | Hacking blog | Trellix |
| 1.2.26 | Eeny, meeny, miny, moe? How ransomware operators choose victims | Most ransomware attacks are opportunistic, not targeted at a specific sector or region | Ransom blog | SOPHOS |
| 1.2.26 | Generative AI and cybersecurity: What Sophos experts expect in 2026 | AI has dominated cybersecurity headlines for years, but as we enter 2026, the conversation is shifting from hype to hard realities. Across incident response, threat intelligence, and security operations, Sophos experts see clearer signals of where AI is truly making an impact. For IT teams already stretched thin, this isn’t theoretical — it’s reshaping daily decisions. | AI blog | SOPHOS |
| 1.2.26 | Beyond MFA: Building true resilience against identity-based attacks | As identity-driven attacks continue to rise, organizations must go beyond MFA to build resilience. Sophos experts and recent Gartner research agree: It’s time for an identity-first security strategy backed by continuous detection and response. For many organizations, keeping pace with identity threats feels overwhelming, especially as hybrid environments expand. But there’s a clear path forward. | Hacking blog | SOPHOS |
| 1.2.26 | Microsoft Office vulnerability (CVE-2026-21509) in active exploitation | On January 26, 2026, Microsoft released an out-of-band update to address a high-severity (CVSS score of 7.8) vulnerability affecting multiple Microsoft Office products. This vulnerability, tracked as CVE-2026-21509, is being actively exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog. | Vulnerability blog | SOPHOS |
| 1.2.26 | | This week Google and partners took action to disrupt what we believe is one of the largest residential proxy networks in the world, the IPIDEA proxy network. IPIDEA’s proxy infrastructure is a little-known component of the digital ecosystem leveraged by a wide array of bad actors. | Cyber blog | GTI |
| 1.2.26 | Fortinet Under Fire: Why Your Network Edge Remains Attackers' Favorite Entry Point | Fortinet’s January patch for CVE-2025-59718 didn’t hold. On January 21, FortiGate admins began reporting that patched systems were still being exploited. Two days later, Fortinet confirmed the patch had failed to fully remediate the vulnerability. As reported by BleepingComputer, Fortinet is now recommending that admins restrict administrative access and disable FortiCloud SSO while they work on a follow-up fix. | Vulnerebility blog | Eclypsium |
| 1.2.26 | ShadowHS: A Fileless Linux Post-Exploitation Framework Built on a Weaponized hackshell | Cyble uncovers ShadowHS, a stealthy fileless Linux framework running entirely in memory for covert, adaptive post-exploitation control. | Malware blog | Cyble |
| 1.2.26 | The Week in Vulnerabilities: Cyble Urges Oracle, OpenStack Fixes | Oracle, OpenStack, SAP, Salesforce and ServiceNow are among the high-profile enterprise products with vulnerabilities in need of attention by security teams. | Vulnerability blog | Cyble |
| 1.2.26 | Special Alert: SLSH Malicious "Supergroup" Targeting 100+ Organizations via Live Phishing Panels | A massive identity-theft campaign is currently active, targeting Okta Single Sign-On (SSO) and other SSO platform accounts across 100+ high-value enterprises. | Phishing blog | Silent Push |
| 1.2.26 | PureRAT: Attacker Now Using AI to Build Toolset | Vietnam-based cybercrime actor appears to now be using AI to write scripts used in phishing campaigns | Malware blog | SECURITY.COM |
| 1.2.26 | Chrome Extensions: Are you getting more than you bargained for? | Browser extensions can be really useful, but hidden dangers may lurk beyond their marketing. | Hacking blog | SECURITY.COM |
| 1.2.26 | PeckBirdy: A Versatile Script Framework for LOLBins Exploitation Used by China-aligned Threat Groups | PeckBirdy is a sophisticated JScript-based C&C framework used by China-aligned APT groups to exploit LOLBins across multiple environments, delivering advanced backdoors to target gambling industries and Asian government entities. | Exploit blog | Trend Micro |
| 1.2.26 | Embracing Choice in Cybersecurity: TrendAI Vision One™ and SentinelOne Integration | Discover how the TrendAI Vision One and SentinelOne integration exemplifies our commitment to endpoint flexibility. | Cyber blog | Trend Micro |
| 1.2.26 | Pwn2Own: Researchers Earn $1 Million for 76 Zero-Days | Discover how TrendAI Zero Day Initiative (ZDI) identified critical vulnerabilities across connected vehicles, EV chargers, and automotive systems. | Cyber blog | Trend Micro |
| 1.2.26 | "Ni8mare" - RCE Vulnerability in N8n AI Workflow Automation (CVE-2026-21858) | The SonicWall Capture Labs threat research team became aware of a critical unauthenticated file read vulnerability in n8n, a flexible AI workflow automation platform, assessed its impact, and developed mitigation measures. | Vulnerability blog | SonicWall |
| 1.2.26 | njRAT: A Persistent Commodity Threat in the Modern Landscape | The SonicWall Capture Labs threat research team continues to monitor the activity of the infamous njRAT (also known as Bladabindi), a prolific Remote Access Trojan (RAT) that remains a staple in the toolkit of various threat actors. | Malware blog | SonicWall |
| 1.2.26 | Multiple vulnerabilities in SolarWinds Web Help Desk Leading to RCE: CVE-2025-40551 | The SonicWall Capture Labs threat research team became aware of a critical vulnerability chain in SolarWinds Web Help Desk (WHD), assessed its impact and developed mitigation measures. | Vulnerebility blog | SonicWall |
| 1.2.26 | Understanding the Russian Cyber Threat to the 2026 Winter Olympics | The 2026 Winter Games in Milano Cortina extend beyond sport. Tensions between the Russian Federation and the International Olympic Committee (IOC), stemming from disputes over compliance and governance, lie within a broader geopolitical context. | Cyber blog | Palo Alto |
| 1.2.26 | Happy 9th Anniversary, CTA: A Celebration of Collaboration in Cyber Defense | At certain moments in a career, you get the rare opportunity to look back and say, this work mattered. Not because of an individual accomplishment, but because it contributed to something larger — something that changed how an industry thinks and operates. The Cyber Threat Alliance (CTA) is one of those efforts. | Cyber blog | Palo Alto |
| 1.2.26 | The Next Frontier of Runtime Assembly Attacks: Leveraging LLMs to Generate Phishing JavaScript in Real Time | Imagine visiting a webpage that looks perfectly safe. It has no malicious code, no suspicious links. Yet, within seconds, it transforms into a personalized phishing page. | AI blog | Palo Alto |
| 1.2.26 | Privileged File System Vulnerability Present in a SCADA System | This report details a vulnerability we found in the Iconics Suite, tracked as CVE-2025-0921 with a Medium CVSS score of 6.5. Iconics Suite is the name of a supervisory control and data acquisition (SCADA) system. This system is used for controlling and monitoring industrial processes in different industries including automotive, energy and manufacturing. | ICS blog | Palo Alto |
| 1.2.26 | Cyber Security Report 2026 | Check Point Research continuously investigates real-world attacks, vulnerabilities, attackers’ infrastructure, and emerging techniques across global networks and environments. The Cyber Security Report 2026 consolidates our research efforts throughout 2025 to deliver a clear, data-driven view of the current threat landscape and its trajectory in 2026. | Cyber blog | |
| 1.2.26 | KONNI Adopts AI to Generate PowerShell Backdoors | Check Point Research (CPR) identified an ongoing phishing campaign that we associate with KONNI, a North Korean–linked threat actor active since at least 2014. KONNI is best known for targeting organizations and individuals in South Korea, with a focus on diplomatic channels, international relations, NGOs, academia, and government. | Malware blog | |
| 1.2.26 | IR Trends Q4 2025: Exploitation remains dominant, phishing campaign targets Native American tribal organizations | A drop in exploitation and ransomware, but a spike in phishing and credential abuse, show why timely patching and robust MFA matter more than ever. | Cyber blog | CISCO TALOS |
| 1.2.26 | I'm locked in! | Hazel reflects on how to find balance while staying informed, then delivers practical updates and insights on the latest cybersecurity threats. | Cyber blog | CISCO TALOS |
| 1.2.26 | Dissecting UAT-8099: New persistence mechanisms and regional focus | Cisco Talos has identified a new, regionally targeted campaign by UAT-8099 that leverages advanced persistence techniques and custom BadIIS malware variants to compromise IIS servers, particularly in Thailand and Vietnam. | APT blog | CISCO TALOS |
| 1.2.26 | Foxit, Epic Games Store, MedDreams vulnerabilities | Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three vulnerabilities in Foxit PDF Editor, one in the Epic Games Store, and twenty-one in MedDream PACS. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, al | Vulnerebility blog | CISCO TALOS |
| 1.2.26 | Microsoft releases update to address zero-day vulnerability in Microsoft Office | Microsoft has published three out-of-band (OOB) updates so far in January 2026. One of these updates was released to address a vulnerability, CVE-2026-21509, affecting Microsoft Office that has been reportedly exploited in the wild. | Vulnerebility blog | CISCO TALOS |
| 1.2.26 | I scan, you scan, we all scan for... knowledge? | In this week's newsletter, Bill hammers home the old adage, "Know your environment" — even throughout alert fatigue. | Cyber blog | CISCO TALOS |
| 1.2.26 | Predicting 2026 | In this week’s newsletter, Martin examines the evolving landscape for 2026, highlighting key threats, emerging trends like AI-driven risks, and the continued importance of addressing familiar vulnerabilities. | Cyber blog | CISCO TALOS |
| 1.2.26 | This month in security with Tony Anscombe – January 2026 edition | The trends that emerged in January offer useful clues about the risks and priorities that security teams are likely to contend with throughout the year. | Cyber blog | Eset |
| 1.2.26 | DynoWiper update: Technical analysis and attribution | ESET researchers present technical details on a recent data destruction incident affecting a company in Poland’s energy sector. | Malware blog | Eset |
| 1.2.26 | Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan | ESET researchers discover an Android spyware campaign targeting users in Pakistan via romance scam tactics, revealing links to a broader spy operation. | Malware blog | Eset |
| 1.2.26 | Drowning in spam or scam emails? Here’s probably why | Has your inbox recently been deluged with unwanted and even outright malicious messages? Here are 10 possible reasons – and how to stem the tide. | Spam blog | Eset |
| 1.2.26 | ESET Research: Sandworm behind cyberattack on Poland’s power grid in late 2025 | | Malware blog | Eset |
| 1.2.26 | Children and chatbots: What parents should know | As children turn to AI chatbots for answers, advice, and companionship, questions emerge about their safety, privacy, and emotional development. | AI blog | Eset |
| 1.2.26 | Identity & Beyond: 2026 Incident Response Predictions | DFIR expert Jamie Mamroe shares 2026 Incident Response Predictions around Identity and Cloud attacks. | Incident blog | Cybereason |
| 1.2.26 | Bypassing Windows Administrator Protection | A headline feature introduced in the latest release of Windows 11, 25H2, is Administrator Protection. The goal of this feature is to replace User Account Control (UAC) with a more robust and, importantly, securable system that allows a local user to access administrator privileges only when necessary. | Vulnerebility blog | Project Zero |
| 1.2.26 | From Digital Innovation to Patient Harm: Why Healthcare Cybersecurity Is Now a C-Suite Imperative | Healthcare is in the midst of a digital revolution, but without cybersecurity at the center of this transformation, innovation becomes a liability. | Cyber blog | Trelix |