The cyber threat landscape doesn’t pause, and this week makes that clear. New dangers, new techniques, and new security gaps are showing up across platforms, tools, and industries — often all at the same time.
Some developments are headline-level. Others sit in the background but carry long-term impact. Together, they shape how defenders need to think about exposure, response, and preparedness right now.
This edition of ThreatsDay Bulletin brings these signals into one place. Scan through the roundup for quick, clear updates on what’s unfolding across the cybersecurity and hacking landscape.
-
Privacy model hardening
Google announced the first beta version of Android 17, with two privacy and security enhancements: the deprecation of the Cleartext Traffic Attribute and support for HPKE Hybrid Cryptography to enable secure communication using a combination of public key and symmetric encryption (AEAD). “If your app targets (Android 17) or higher and relies on usesCleartextTraffic=’true’ without a corresponding Network Security Configuration, it will default to disallowing cleartext traffic,” Google said. “You are encouraged to migrate to Network Security Configuration files for granular control.”
-
RaaS expands cross-platform reach
A new analysis of the LockBit 5.0 ransomware has revealed that the Windows version packs in various defense evasion and anti-analysis techniques, including packing, DLL unhooking, process hollowing, patching Event Tracing for Windows (ETW) functions, and log clearing. “What’s notable among the multiple systems support is its proclaimed capability to ‘work on all versions of Proxmox,’” Acronis said. “Proxmox is an open-source virtualization platform and is being adopted by enterprises as an alternative to commercial hypervisors, which makes it another prime target of ransomware attacks.” The latest version also introduces dedicated builds tailored for enterprise environments, highlighting the continued evolution of ransomware-as-a-service (RaaS) operations.
-
Mac users lured via nested obfuscation
Cybersecurity researchers have detailed a new evolution of the ClickFix social engineering tactic targeting macOS users. “Dubbed Matryoshka due to its nested obfuscation layers, this variant uses a fake installation/fix flow to trick victims into executing a malicious Terminal command,” Intego said. “While the ClickFix tactic is not new, this campaign introduces stronger evasion techniques — including an in-memory, compressed wrapper and API-gated network communications — designed to hinder static analysis and automated sandboxes.” The campaign primarily targets users attempting to visit software review sites, leveraging typosquatting in the URL name to redirect them to fake sites and activate the infection chain.
-
Loader pipeline drives rapid domain takeover
Another new ClickFix campaign detected in February 2026 has been observed delivering a malware-as-a-service (MaaS) loader known as Matanbuchus 3.0. Huntress, which dissected the attack chain, said the ultimate goal of the intrusion was to deploy ransomware or exfiltrate data, based on the fact that the threat actor quickly progressed from initial access to lateral movement to domain controllers via PsExec, rogue account creation, and Microsoft Defender exclusion staging. The attack also led to the deployment of a custom implant dubbed AstarionRAT that supports 24 commands to facilitate credential theft, SOCKS5 proxying, port scanning, reflective code loading, and shell execution. According to data from the cybersecurity company, ClickFix fueled 53% of all malware loader activity in 2025.
-
Typosquat chain targets macOS credentials
In yet another ClickFix campaign, threat actors are relying on the “reliable trick” of hosting malicious instructions on fake websites disguised as Homebrew (“homabrews[.]org”) to trick users into pasting them into the Terminal app under the pretext of installing the macOS package manager. In the attack chain documented by Hunt.io, the commands on the typosquatted Homebrew domain are used to deliver a credential-harvesting loader and a second-stage macOS infostealer dubbed Cuckoo Stealer. “The injected installer looped on password prompts using ‘dscl . -authonly,’ ensuring the attacker obtained working credentials before deploying the second stage,” Hunt.io said. “Cuckoo Stealer is a full-featured macOS infostealer and RAT: It establishes LaunchAgent persistence, removes quarantine attributes, and maintains encrypted HTTPS command-and-control communications. It collects browser credentials, session tokens, macOS Keychain data, Apple Notes, messaging sessions, VPN and FTP configurations, and over 20 cryptocurrency wallet applications.” The use of “dscl . -authonly” has previously been observed in attacks deploying Atomic Stealer.
-
Phobos affiliate detained in Europe
Authorities from Poland’s Central Bureau for Combating Cybercrime (CBZC) have detained a 47-year-old man over suspected ties to the Phobos ransomware group. He faces a potential prison sentence of up to 5 years. The CBZC said the “47-year-old used encrypted messaging to contact the Phobos criminal group, known for conducting ransomware attacks,” adding that the suspect’s devices contained logins, passwords, credit card numbers, and server IP addresses that could have been used to launch “various attacks, including ransomware.” The arrest is part of Europol’s Operation Aether, which targets the 8Base ransomware group, believed to be linked to Phobos. It has been almost exactly a year since international law enforcement dismantled the 8Base crew. More than 1,000 organizations around the world have been targeted in Phobos ransomware attacks, and the cybercriminals are believed to have received over $16 million in ransom payments.
-
Industrial ransomware surge accelerates
There has been a sharp rise in the number of ransomware groups targeting industrial organizations as cybercriminals continue to exploit vulnerabilities in operational technology (OT) and industrial control systems (ICS), Dragos warned. A total of 119 ransomware groups targeting industrial organizations were tracked throughout 2025, a 49% increase from the 80 tracked in 2024. 2025 saw 3,300 industrial organizations around the world hit by ransomware, compared with 1,693 in 2024. The most targeted sector was manufacturing, followed by transportation. In addition, a hacking group tracked as Pyroxene has been observed conducting “supply chain-leveraged attacks targeting defense, critical infrastructure, and industrial sectors, with operations expanding from the Middle East into North America and Western Europe.” It often leverages initial access provided by PARISITE to enable movement from IT into OT networks. Pyroxene overlaps with activity attributed to Imperial Kitten (aka APT35), a threat actor affiliated with the cyber arm of the Islamic Revolutionary Guard Corps (IRGC).
-
Copilot bypassed DLP safeguards
Microsoft confirmed a bug (CW1226324) that let Microsoft 365 Copilot summarize confidential emails from the Sent Items and Drafts folders since January 21, 2026, without users’ permission, bypassing data loss prevention (DLP) policies put in place to safeguard sensitive data. A fix was deployed by the company on February 3, 2026. However, the company did not disclose how many users or organizations were affected. “Users’ email messages with a confidential label applied are being incorrectly processed by Microsoft 365 Copilot chat,” Microsoft said. “The Microsoft 365 Copilot “work tab” Chat is summarizing email messages even though these email messages have a sensitivity label applied, and a DLP policy is configured. A code issue is allowing items in the sent items and draft folders to be picked up by Copilot even though confidential labels are set in place.”
-
Jira trials weaponized for spam
Threat actors are abusing the trust and reputation associated with Atlassian Jira Cloud and its linked email system to run automated spam campaigns and bypass traditional email security. To accomplish this, the operators created Atlassian Cloud trial accounts using randomized naming conventions, allowing them to generate disposable Jira Cloud instances at scale. “Emails were tailored to target specific language groups, targeting English, French, German, Italian, Portuguese, and Russian speakers — including highly skilled Russian professionals living abroad,” Trend Micro said. “These campaigns not only distributed generic spam, but also specifically targeted sectors such as government and corporate entities.” The attacks, active from late December 2025 through late January 2026, primarily targeted organizations using Atlassian Jira. The goal was to get recipients to open the emails and click on malicious links, which would initiate a redirect chain powered by the Keitaro Traffic Distribution System (TDS) and finally lead them to pages peddling investment scams and online casino landing sites, suggesting that financial gain was likely the main objective.
-
GitLab SSRF now federally mandated patch
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), on February 18, 2026, added CVE-2021-22175 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the patch by March 11, 2026. “GitLab contains a server-side request forgery (SSRF) vulnerability when requests to the internal network for webhooks are enabled,” CISA said. In March 2025, GreyNoise revealed that a cluster of about 400 IP addresses was actively exploiting multiple SSRF vulnerabilities, including CVE-2021-22175, to target vulnerable instances in the U.S., Germany, Singapore, India, Lithuania, and Japan.
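The KEV entry above concerns SSRF through webhooks that are allowed to reach the internal network. The following is an added example, not GitLab's code, of the check an application can apply to a user-supplied webhook URL before dispatching it: resolve the host, reject any answer that is not a globally routable address, and hand back the pinned IPs so the caller connects to what was checked rather than resolving a second time. The hostnames and addresses in `FAKE_DNS` are constructed for the demonstration so it runs offline.

```python
"""Validate outbound webhook targets so a server-side request cannot reach
internal addresses (added example; the resolver table below is constructed)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def default_resolve(host: str) -> list[str]:
    """All A/AAAA answers for host from the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses: loopback, link-local
    (169.254.0.0/16 included), RFC 1918, CGNAT, IPv6 ULA, documentation ranges
    and multicast all return False."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.5 is really 10.0.0.5
    return addr.is_global and not addr.is_multicast


def validate_webhook_url(url: str, resolve=default_resolve) -> list[str]:
    """Return the public IPs the webhook host resolves to, or raise ValueError.

    Connect to one of the returned IPs (keeping the original Host header) instead
    of resolving again: a DNS answer that changes between this check and the
    connection (rebinding) would otherwise bypass the check."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("userinfo in URL is not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        literal = ipaddress.ip_address(host)  # dotted-quad or bracketed IPv6 literal
    except ValueError:
        literal = None  # a name, or an odd spelling the resolver will normalise
    addresses = [str(literal)] if literal is not None else resolve(host)
    if not addresses:
        raise ValueError(f"{host} did not resolve")
    for ip in addresses:  # every answer must be public, not just the first
        if not is_public_address(ip):
            raise ValueError(f"{host} -> {ip} is not a public address")
    return addresses


def is_safe_webhook(url: str, resolve=default_resolve) -> bool:
    try:
        validate_webhook_url(url, resolve)
        return True
    except ValueError:
        return False


# Constructed stand-in for DNS so the example runs offline (93.184.216.34 is
# just a public-range address used as sample data).
FAKE_DNS = {
    "hooks.example.com": ["93.184.216.34"],
    "intranet.example.internal": ["10.0.0.5"],
    "dual.example.com": ["93.184.216.34", "127.0.0.1"],  # one bad answer is enough to reject
}


def fake_resolve(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("https://hooks.example.com/ci", "http://127.0.0.1:8080/",
              "http://intranet.example.internal/", "http://dual.example.com/",
              "http://[::ffff:127.0.0.1]/", "ftp://hooks.example.com/"):
        print(f"{u:40} {'allowed' if is_safe_webhook(u, fake_resolve) else 'rejected'}")
```

The all-or-nothing rule on resolved answers matters: a name that returns one public and one loopback address is rejected outright, because the client library, not the validator, decides which answer it connects to.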
-
Telegram bots fuel Fortune 500 phishing
An elusive, financially motivated threat actor dubbed GS7 has been targeting Fortune 500 companies in a new phishing campaign that leverages trusted company branding with lookalike websites aimed at harvesting credentials via Telegram bots. The campaign, codenamed Operation DoppelBrand, targets top financial institutions, including Wells Fargo, USAA, Navy Federal Credit Union, Fidelity Investments, and Citibank, as well as technology, healthcare, and telecommunications firms worldwide. Victims are lured through phishing emails and redirected to counterfeit pages where credentials are harvested and transmitted to Telegram bots controlled by the attacker. According to SOCRadar, the group itself, however, has a history stretching back to 2022. The threat actor is said to have registered more than 150 malicious domains in recent months using registrars such as NameCheap and OwnRegistrar, and to route traffic through Cloudflare to evade detection. GS7’s end goals include not only harvesting credentials, but also downloading remote management and monitoring (RMM) tools like LogMeIn Resolve onto victim systems to enable remote access or the deployment of malware. This has raised the possibility that the group may even act as an initial access broker (IAB), selling the access to ransomware groups or other affiliates.
-
Remcos shifts to live C2 surveillance
Phishing emails disguised as invoices, job offers, or government notices are being used to distribute a new variant of Remcos RAT to facilitate comprehensive surveillance and control over infected systems. “The latest Remcos variant has been observed exhibiting a significant change in behaviour compared to previous versions,” Point Wild said. “Instead of stealing and storing data locally on the infected system, this variant establishes direct online command-and-control (C2) communication, enabling real-time access and control. In particular, it leverages the webcam to capture live video streams, allowing attackers to monitor targets remotely. This shift from local data exfiltration to live, online surveillance represents an evolution in Remcos’ capabilities, increasing the risk of immediate espionage and persistent monitoring.”
-
China-made vehicles restricted on bases
Poland’s Ministry of Defence has banned Chinese cars, and other motor vehicles equipped with technology to record position, images, or sound, from entering protected military facilities due to national security concerns and to “limit the risk of access to sensitive data.” The ban also extends to connecting work phones to infotainment systems in motor vehicles produced in China. The ban is not permanent: the Defence Ministry has called for the development of a vetting process to allow carmakers to undergo a security assessment that, if passed, can allow their vehicles to enter protected facilities. “Modern vehicles equipped with advanced communication systems and sensors can collect and transmit data, so their presence in protected zones requires appropriate safety regulations,” the Polish Army said. “The measures introduced are preventive and comply with the practices of NATO countries and other allies to ensure the highest standards of defense infrastructure security. They are part of a wider process of adapting security procedures to the changing technological environment and current requirements for the protection of critical infrastructure.”
-
DKIM replay fuels invoice scams
Bad actors are abusing legitimate invoices and dispute notifications from trusted vendors, such as PayPal, Apple, DocuSign, and Dropbox Sign (formerly HelloSign), to bypass email security controls. “These platforms often allow users to enter a ‘seller name’ or add a custom note when creating an invoice or notification,” Casey-owned INKY said. “Attackers abuse this functionality by inserting scam instructions and a phone number into those user-controlled fields. They then send the resulting invoice or dispute notice to an email address they control, ensuring the malicious content is embedded in a legitimate, vendor-generated message.” Because these emails originate from a legitimate company, they pass checks like Domain-based Message Authentication, Reporting and Conformance (DMARC). As soon as the legitimate email is received, the attacker forwards it to the intended targets, allowing the “authentic looking” message to land in the victims’ inboxes. The technique is known as a DKIM replay attack.
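A DKIM replay passes DKIM and DMARC by design: the vendor's signature over the headers and body is still valid when the attacker re-sends the message, so signature verification alone cannot catch it. The following is an added example, not INKY's code, of the checks a mail gateway can layer on top of an already verified signature: does the signed To: header name the mailbox the message was actually delivered to, is that header covered by the signature's h= tag at all, does the signature carry an x= expiry, how old is the message, and has the same signature value already been delivered to other recipients. The sample message, its sender domain and the recipients are constructed, and the bh= and b= values are placeholders, since the point is the post-verification heuristics rather than verification itself.

```python
"""Post-verification heuristics for DKIM replay (added example; the message
below is constructed and its signature values are placeholders)."""
import email
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from email import policy


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag -> value, folding whitespace removed."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


class ReplayDetector:
    """Assumes the MTA has already verified DKIM and DMARC on the message."""

    def __init__(self, max_age: timedelta = timedelta(days=2)):
        self.max_age = max_age
        self.seen = defaultdict(set)  # b= value -> envelope recipients it reached

    def analyze(self, raw: bytes, envelope_rcpt: str, received_at: datetime) -> list[str]:
        msg = email.message_from_bytes(raw, policy=policy.default)
        findings = []
        sig = msg.get("DKIM-Signature")
        if sig is None:
            return ["no DKIM-Signature header"]
        tags = parse_dkim_tags(str(sig))
        signed = {h.strip().lower() for h in tags.get("h", "").split(":")}

        # 1. The vendor signed a To: naming the attacker's own mailbox; a replayed copy
        #    is delivered to someone else, so envelope recipient and signed To: disagree.
        to_addrs = {a.addr_spec.lower() for a in msg["To"].addresses} if msg["To"] else set()
        if envelope_rcpt.lower() not in to_addrs:
            findings.append(f"envelope recipient {envelope_rcpt} not in signed To: {sorted(to_addrs)}")
        if "to" not in signed:
            findings.append("To: header is not covered by the DKIM signature")

        # 2. Without x= the signature validates forever; with it, a replay has a deadline.
        if "x" not in tags:
            findings.append("signature has no x= expiry")
        elif int(tags["x"]) < received_at.timestamp():
            findings.append("signature expired")

        # 3. A genuine vendor notification arrives minutes after it was generated.
        if msg["Date"]:
            age = received_at - msg["Date"].datetime
            if age > self.max_age:
                findings.append(f"message is {age.days} days old")

        # 4. The same b= value landing in many unrelated mailboxes is the replay itself.
        b = tags.get("b", "")
        self.seen[b].add(envelope_rcpt.lower())
        if len(self.seen[b]) > 1:
            findings.append(f"same signature seen for {len(self.seen[b])} recipients")
        return findings


SAMPLE_REPLAYED = b"""\
From: Vendor Billing <billing@vendor.example>
To: drop-box@attacker.example
Subject: Invoice #4471 from Example Seller
Date: Mon, 02 Feb 2026 10:00:00 +0000
Message-ID: <4471@vendor.example>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=vendor.example; s=mail;
 h=from:to:subject:date:message-id; bh=Zm9v; b=YmFy
Content-Type: text/plain

Seller note: call 555-0100 about this invoice.
"""


def run_demo() -> dict:
    """Original delivery to the attacker's mailbox versus two replayed copies."""
    det = ReplayDetector()
    replay_time = datetime(2026, 2, 10, 12, 0, tzinfo=timezone.utc)
    return {
        "original": ReplayDetector().analyze(
            SAMPLE_REPLAYED, "drop-box@attacker.example",
            datetime(2026, 2, 2, 10, 5, tzinfo=timezone.utc)),
        "victim1": det.analyze(SAMPLE_REPLAYED, "victim1@corp.example", replay_time),
        "victim2": det.analyze(SAMPLE_REPLAYED, "victim2@corp.example", replay_time),
    }


if __name__ == "__main__":
    for who, findings in run_demo().items():
        print(who, "->", findings or ["clean"])
```

The original delivery to the attacker's mailbox only trips the missing-expiry check, which is why vendors are the party best placed to close this off (short x= lifetimes, signing To:, and validating the free-text fields); the gateway-side checks catch the forwarded copies.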
-
RMM abuse surges 277%
A new report from Huntress has revealed that the abuse of Remote Monitoring and Management (RMM) software surged 277% year-over-year, accounting for 24% of all observed incidents. Threat actors increasingly favor these tools because they are ubiquitous in enterprise environments, and the trusted nature of RMM software allows malicious activity to blend in with legitimate usage, making detection harder for defenders. They also offer increased stealth, persistence, and operational efficiency. “As cybercriminals built entire playbooks around these legitimate, trusted tools to drop malware, steal credentials, and execute commands, the use of traditional hacking tools plummeted by 53%, while remote access trojans and malicious scripts dropped by 20% and 11.7%, respectively,” the company said.
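Two items above describe activity that endpoint process telemetry exposes quite plainly: the Homebrew-themed ClickFix chain that loops on `dscl . -authonly` until a working password is captured, and the RMM abuse behind the Huntress figures, where the tool itself is legitimate and only its unexpected presence is the signal. The following is an added example, not Huntress's or Hunt.io's code, of two detections over the same process-execution events: a parent process that runs `dscl . -authonly` repeatedly inside a short window, and an RMM product name appearing in a command line when that product is not on the organisation's approved list. The JSON-lines events, their field names, the keyword list and the approved set are constructed for the example.

```python
"""Two detections over process-execution events (added example; the events,
field names, keyword list and approved-RMM set are constructed)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Product names that identify RMM tooling in a command line. Starter list, not exhaustive.
RMM_KEYWORDS = {"anydesk", "teamviewer", "screenconnect", "logmein",
                "atera", "splashtop", "rustdesk", "ninjarmm"}

# Constructed EDR-style events; passwords an agent would log are shown as <redacted>.
SAMPLE_EVENTS = r"""
{"ts":"2026-02-18T09:00:01Z","host":"mac-01","user":"alice","ppid":501,"pid":601,"cmd":"/bin/bash /tmp/install.sh"}
{"ts":"2026-02-18T09:00:05Z","host":"mac-01","user":"alice","ppid":601,"pid":602,"cmd":"dscl . -authonly alice <redacted>"}
{"ts":"2026-02-18T09:00:12Z","host":"mac-01","user":"alice","ppid":601,"pid":603,"cmd":"dscl . -authonly alice <redacted>"}
{"ts":"2026-02-18T09:00:20Z","host":"mac-01","user":"alice","ppid":601,"pid":604,"cmd":"dscl . -authonly alice <redacted>"}
{"ts":"2026-02-18T09:00:31Z","host":"mac-01","user":"alice","ppid":601,"pid":605,"cmd":"dscl . -authonly alice <redacted>"}
{"ts":"2026-02-18T09:05:00Z","host":"mac-02","user":"bob","ppid":700,"pid":701,"cmd":"dscl . -authonly bob <redacted>"}
{"ts":"2026-02-18T09:10:00Z","host":"win-01","user":"svc_it","ppid":4,"pid":3001,"cmd":"C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe"}
{"ts":"2026-02-18T09:12:30Z","host":"win-02","user":"jdoe","ppid":5100,"pid":5120,"cmd":"C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"}
{"ts":"2026-02-18T09:13:02Z","host":"win-02","user":"jdoe","ppid":5100,"pid":5133,"cmd":"msiexec /i C:\\Users\\jdoe\\Downloads\\LogMeInResolve.msi /qn"}
"""


def parse_events(jsonl: str) -> list[dict]:
    events = []
    for line in jsonl.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(event)
    return events


def detect_authonly_loops(events, threshold=3, window=timedelta(seconds=120)) -> list[str]:
    """One parent running `dscl . -authonly` threshold times within window: the
    retry-until-correct pattern of a password-harvesting installer. A single
    check (mac-02 below) is what a legitimate script looks like and is not flagged."""
    recent = defaultdict(deque)  # (host, ppid) -> timestamps inside the window
    flagged, findings = set(), []
    for e in sorted(events, key=lambda e: e["ts"]):
        if "dscl . -authonly" not in e["cmd"]:
            continue
        key = (e["host"], e["ppid"])
        q = recent[key]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged.add(key)
            findings.append(f"{e['host']}: ppid {e['ppid']} ran dscl -authonly "
                            f"{len(q)}x in {window.seconds}s (password-retry loop)")
    return findings


def detect_unapproved_rmm(events, approved) -> list[str]:
    """Any RMM product name in a command line that is not in the approved set."""
    findings = []
    for e in events:
        cmd = e["cmd"].lower()
        for kw in sorted(RMM_KEYWORDS - set(approved)):
            if kw in cmd:
                findings.append(f"{e['host']}: unapproved RMM '{kw}' started by {e['user']}: {e['cmd']}")
    return findings


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for f in detect_authonly_loops(evts) + detect_unapproved_rmm(evts, approved={"screenconnect"}):
        print(f)
```

The RMM rule is deliberately an allow-list rather than a block-list: the Huntress point is that the binaries are legitimate, so the only durable signal is a product the organisation has not sanctioned, which in turn requires the approved set to be maintained.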
-
Texas targets China-linked tech companies
Texas Attorney General Ken Paxton has sued TP-Link for “deceptively marketing its networking devices and allowing the Chinese Communist Party (‘CCP’) to access American consumers’ devices in their homes.” Paxton’s lawsuit alleges that TP-Link’s products have been used by Chinese hacking groups to launch cyber attacks against the U.S. and that the company is subject to Chinese data laws, which it said require companies operating in the country to assist its intelligence agencies by “divulging Americans’ data.” TP-Link told The Record that these allegations are “without merit” and that neither the Chinese government nor the Chinese Communist Party (CCP) exercises control over the company, its products, or user data. It also added that all U.S. user data is stored on domestic Amazon Web Services (AWS) servers. In a second lawsuit, Paxton also accused Anzu Robotics of misleading Texas consumers about the “origin, data practices, and security risks of its drones.” Paxton’s office described the company’s products as a “21st century Trojan horse linked to the CCP.”
-
MetaMask backdoor expands DPRK campaign
The North Korea-linked campaign known as Contagious Interview is designed to target IT professionals working in the cryptocurrency, Web3, and artificial intelligence sectors to steal sensitive data and financial information using malware such as BeaverTail and InvisibleFerret. However, recent iterations of the campaign have expanded their data theft capabilities by tampering with the MetaMask wallet extension (if it is installed) through a lightweight JavaScript backdoor that shares the same functionality as InvisibleFerret, according to security researcher Seongsu Park. “Through the backdoor, attackers instruct the infected system to download and install a fake version of the popular MetaMask cryptocurrency wallet extension, complete with a dynamically generated configuration file that makes it appear legitimate,” Park said. “Once installed, the compromised MetaMask extension silently captures the victim’s wallet unlock password and transmits it to the attackers’ command-and-control server, giving them complete access to cryptocurrency funds.”
-
Booking.com kits hit hotels, guests
Bridewell has warned of a resurgence in malicious activity targeting the hotel and retail sector. “The primary motivation driving this incident is financial fraud, targeting two victims: hotel businesses and hotel customers, in sequential order,” security researcher Joshua Penny said. “The threat actor(s) utilize impersonation of the Booking.com platform through two distinct phishing kits dedicated to harvesting credentials and banking information from each victim, respectively.” It is worth noting that the activity overlaps with a prior wave disclosed by Sekoia in November 2025, although the use of a dedicated phishing kit is a new approach, whether by the same or new operators.
-
EPMM exploits enable persistent access
The recently disclosed security flaws in Ivanti Endpoint Manager Mobile (EPMM) have been exploited by bad actors to establish a reverse shell, deliver JSP web shells, conduct reconnaissance, and download malware, including Nezha, cryptocurrency miners, and backdoors for remote access. The two critical vulnerabilities, CVE-2026-1281 and CVE-2026-1340, allow unauthenticated attackers to remotely execute arbitrary code on target servers, granting them full control over mobile device management (MDM) infrastructure without requiring user interaction or credentials. According to Palo Alto Networks Unit 42, the campaign has affected state and local government, healthcare, manufacturing, professional and legal services, and high technology sectors in the U.S., Germany, Australia, and Canada. “Threat actors are accelerating operations, moving from initial reconnaissance to deploying dormant backdoors designed to maintain long-term access even after organizations apply patches,” the cybersecurity company said. In a related development, Germany’s Federal Office for Information Security (BSI) has reported evidence of exploitation since the summer of 2025 and has urged organizations to audit their systems for indicators of compromise (IoCs) going back as far as July 2025.
-
AI passwords lack true randomness
New research by Irregular has found that passwords generated directly by a large language model (LLM) may appear strong but are fundamentally insecure, as “LLMs are designed to predict tokens – the opposite of securely and uniformly sampling random characters.” The artificial intelligence (AI) security company said it detected LLM-generated passwords in the real world as part of code development tasks, where the model was used instead of a conventional secure password generation method. “People and coding agents should not rely on LLMs to generate passwords,” the company said. “LLMs are optimized to produce predictable, plausible outputs, which is incompatible with secure password generation. AI coding agents should be directed to use secure password generation methods instead of relying on LLM-output passwords. Developers using AI coding assistants should review generated code for hardcoded credentials and ensure agents use cryptographically secure methods or established password managers.”
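The quote above says what not to do. The following is an added example, not Irregular's code, of the two things it recommends instead: a generator that draws every character uniformly from the operating system's CSPRNG through Python's `secrets` module, with the entropy bound that makes "uniformly sampled" a measurable property rather than an impression of strength, and a small review pass that flags string literals assigned to credential-like names in assistant-written code. `SAMPLE_SOURCE` is a constructed snippet of the kind such a review would run over.

```python
"""CSPRNG-based password generation and a hardcoded-credential check for
assistant-written code (added example; the sample source below is constructed)."""
import math
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Each character is drawn independently and uniformly from the OS CSPRNG via
    `secrets`, so every string of this length is equally likely; the class check
    only discards the rare draws a typical policy would reject."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly sampled password: length * log2(alphabet size).
    A 20-character draw from 94 symbols is about 131 bits; an LLM-chosen
    password has no such bound because the model picks likely tokens."""
    return length * math.log2(alphabet_size)


# Credential-like names assigned a string literal. Names are matched anywhere in the
# identifier (DB_PASSWORD, admin_pwd); values read from the environment are not literals.
HARDCODED = re.compile(r"""(?i)(password|passwd|pwd|secret|api_key|token)\s*[:=]\s*['"]([^'"]{4,})['"]""")


def find_hardcoded_credentials(source: str) -> list[tuple[int, str]]:
    """(line number, literal) for every credential-like assignment of a string literal."""
    hits = []
    for number, line in enumerate(source.splitlines(), 1):
        match = HARDCODED.search(line)
        if match:
            hits.append((number, match.group(2)))
    return hits


SAMPLE_SOURCE = '''import os
DB_PASSWORD = "Pa55word!2026"      # literal: flagged
token = os.environ["API_TOKEN"]    # from the environment: not flagged
admin_pwd = 'Summer2026!'          # literal: flagged
'''


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw), len(ALPHABET)):.1f} bits")
    for number, literal in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {number}: hardcoded credential {literal!r}")
```

The entropy figure is the property an LLM-produced password cannot offer: it is a statement about the sampling process, not about how the string looks, which is exactly the distinction the research draws.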
-
PDF engine flaws enable account takeover
Cybersecurity researchers have discovered more than a dozen vulnerabilities (including CVE-2025-70401, CVE-2025-70402, and CVE-2025-66500) in popular PDF platforms from Foxit and Apryse, potentially allowing attackers to exploit them for account takeover, session hijacking, data exfiltration, and arbitrary JavaScript execution. “Rather than isolated bugs, the issues cluster around recurring architectural failures in how PDF platforms handle untrusted input across layers,” Novee Security researchers Lidor Ben Shitrit, Elad Meged, and Avishai Fradlis said. “Several vulnerabilities were exploitable with a single request and affected trusted domains commonly embedded inside enterprise applications.” The issues have been addressed by both Apryse and Foxit through product updates.
-
Training labs expose cloud backdoors
A “widespread” security issue has been discovered in which security vendors inadvertently expose deliberately vulnerable training applications, such as OWASP Juice Shop, DVWA, bWAPP, and Hackazon, to the public internet. This can open organizations to severe security risks when the applications run under a privileged cloud account. “Primarily deployed for internal testing, product demonstrations, and security training, these applications were frequently left accessible in their default or misconfigured states,” Pentera Labs said. “These critical flaws not only allowed attackers full control over the compromised compute engine but also provided pathways for lateral movement into sensitive internal systems. Violations of the principle of least privilege and inadequate sandboxing measures further facilitated privilege escalation, endangering critical infrastructure and sensitive organizational data.” Further analysis has determined that threat actors are exploiting this blind spot to plant web shells, cryptocurrency miners, and persistence mechanisms on compromised systems.
-
Evasion loader refines C2 stealth
The malware loader known as Oyster (aka Broomstick or CleanUpLoader) has continued to evolve into early 2026, fine-tuning its C2 infrastructure and obfuscation methods, per findings from Sekoia. The malware is distributed primarily through fake websites offering installers for legitimate software like Microsoft Teams, with the core payload often deployed as a DLL for persistent execution. “The initial stage leverages excessive legitimate API call hammering and simple anti-debugging traps to thwart static analysis,” the company said. “The core payload is delivered in a highly obfuscated manner. The final stage implements a robust C2 communication protocol that features a dual-layer server infrastructure and highly-customized data encoding.”
-
Stealer taunts researchers in code
Noodlophile is the name given to an information-stealing malware that has been distributed via fake AI tools promoted on Facebook. Assessed to be the work of a threat actor based in Vietnam, it was first documented by Morphisec in May 2025. Since then, there have been other reports detailing various campaigns, such as UNC6229 and PXA Stealer, orchestrated by Vietnamese cybercriminals. Morphisec’s latest analysis of Noodlophile has revealed that the threat actor “padded the malware with millions of repeats of a colorful Vietnamese phrase translating to ‘f*** you, Morphisec,’” suggesting that the operators weren’t thrilled about getting exposed. “Not just to vent frustration over disrupted campaigns, but also to bloat the file and crash AI-based analysis tools that are based on the Python disassemble library – dis.dis(obj),” security researcher Michael Gorelik said.
-
Crypto library RCE risk patched
The OpenSSL project has patched a stack buffer overflow flaw that could lead to remote code execution attacks under certain conditions. The vulnerability, tracked as CVE-2025-15467, resides in how the library processes Cryptographic Message Syntax (CMS) data. Threat actors can use CMS packets with maliciously crafted AEAD parameters to crash OpenSSL and run malicious code. CVE-2025-15467 is one of 12 issues that were disclosed by AISLE late last month. Another high-severity vulnerability is CVE-2025-11187, which could trigger a stack-based buffer overflow due to a missing validation.
-
Machine accounts broaden delegation risk
New research from Silverfort has cleared up a “common assumption” about Kerberos delegation — which allows a service to request resources or perform actions on behalf of a user — by showing that it applies not just to human users, but to machine accounts as well. In other words, a computer account can be delegated on behalf of highly privileged machine identities such as domain controllers. “That means a service trusted for delegation can act not just on behalf of other users, but also on behalf of machine accounts, the most critical non-human identities (NHIs) in any domain,” Silverfort researcher Dor Segal said. “The risk is obvious. If an adversary can leverage delegation, it can act on behalf of sensitive machine accounts, which in many environments hold privileges equivalent to Domain Administrator.” To counter the risk, it is recommended to run “Set-ADAccountControl -Identity “HOST01$” -AccountNotDelegated $true” for each sensitive machine account.
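The recommendation above is applied per account, so the first step is finding which machine accounts still need it. The following is an added example, not Silverfort's code, that audits a CSV export of computer accounts (the shape `Get-ADComputer -Filter * -Properties userAccountControl | Export-Csv` produces; the column names and the rows in `SAMPLE_EXPORT` are constructed) using the documented userAccountControl bit values: domain controllers are recognised by SERVER_TRUST_ACCOUNT, and any DC, or any other account you list as sensitive, that lacks NOT_DELEGATED gets the Set-ADAccountControl command from the item above as its remediation. Non-DC accounts with unconstrained delegation or protocol transition are reported too, since those are the services that would be trusted to act on a machine account's behalf.

```python
"""Audit computer accounts for delegation exposure from a CSV export (added
example; the column names and rows in SAMPLE_EXPORT are constructed)."""
import csv
import io

# userAccountControl bit flags (documented values).
WORKSTATION_TRUST_ACCOUNT = 0x0001000       # member workstation or server
SERVER_TRUST_ACCOUNT = 0x0002000            # set on domain controller computer accounts
TRUSTED_FOR_DELEGATION = 0x0080000          # unconstrained delegation (normal on DCs)
NOT_DELEGATED = 0x0100000                   # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

# Constructed export. Values are sums of the flags above:
#   DC01$   0x2000 | 0x80000             = 532480    DC, can still be delegated
#   DC02$   0x2000 | 0x80000 | 0x100000  = 1581056   DC, hardened
#   WEB01$  0x1000 | 0x80000             = 528384    member server, unconstrained delegation
#   APP01$  0x1000 | 0x1000000           = 16781312  member server, protocol transition
#   FILE01$ 0x1000                       = 4096      plain, but listed as sensitive below
SAMPLE_EXPORT = """SamAccountName,userAccountControl
DC01$,532480
DC02$,1581056
WEB01$,528384
APP01$,16781312
FILE01$,4096
"""


def audit_delegation(export_csv: str, extra_sensitive=()) -> list[tuple[str, str, str]]:
    """(account, finding, action) for every delegation exposure in the export."""
    sensitive = {name.upper() for name in extra_sensitive}
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        name = row["SamAccountName"].upper()
        uac = int(row["userAccountControl"])
        is_dc = bool(uac & SERVER_TRUST_ACCOUNT)
        if (is_dc or name in sensitive) and not uac & NOT_DELEGATED:
            findings.append((name, "sensitive machine account can be delegated",
                             f'Set-ADAccountControl -Identity "{name}" -AccountNotDelegated $true'))
        if uac & TRUSTED_FOR_DELEGATION and not is_dc:
            findings.append((name, "unconstrained delegation on a non-DC",
                             "review; move to constrained or resource-based constrained delegation"))
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append((name, "protocol transition (TrustedToAuthForDelegation) enabled",
                             "review; the service can obtain tickets for users who never authenticated to it"))
    return findings


if __name__ == "__main__":
    for account, finding, action in audit_delegation(SAMPLE_EXPORT, extra_sensitive=("FILE01$",)):
        print(f"{account:8} {finding:60} -> {action}")
```

Domain controllers carry TRUSTED_FOR_DELEGATION by default, which is why the unconstrained-delegation check excludes them; the flag to look for on a DC is the absence of NOT_DELEGATED, the bit the recommended command sets.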
Security news rarely breaks in isolation. One incident leads to another, new research builds on older findings, and attacker playbooks keep adjusting along the way. The result is a constant stream of signals that are easy to miss without a structured view.
This roundup pulls those signals together into a single, readable snapshot. Go through the full list to get quick clarity on the developments shaping defender priorities and risk conversations right now.