Threats

Malware, attack campaigns, APT groups

APT UNC6201 Exploited Dell Zero-Day Since Mid-2024, Deploying Novel Grimbolt Backdoor and ESXi Ghost NICs

Mandiant and the Google Threat Intelligence Group (GTIG) have disclosed that a suspected Chinese state-backed threat group tracked as UNC6201 has been exploiting a maximum-severity Dell zero-day vulnerability since mid-2024 — remaining undetected in victim networks for over 18 months. The vulnerability, CVE-2026-22769, is a hardcoded-credential flaw in Dell RecoverPoint for

By Zero Day Wire

Check Point Demonstrates AI Chatbots as Covert C2 Channels — Grok and Copilot Exploited Without Authentication

Check Point Research (CPR) has published findings showing that AI assistants with web-browsing capabilities can be weaponized as covert command-and-control infrastructure — allowing malware to communicate with attacker servers through trusted AI domains that blend seamlessly into normal enterprise traffic. The technique was demonstrated against Grok and Microsoft Copilot, both of

By Zero Day Wire

GS7 Threat Group Targets Fortune 500 Financial Institutions With Near-Perfect Brand Impersonation in Operation DoppelBrand

A financially motivated threat group tracked as GS7 has been running a large-scale phishing operation against Fortune 500 financial institutions, constructing near-perfect replicas of corporate login portals to harvest credentials and deploy remote access tools, according to research published by SOCRadar. The campaign, dubbed Operation DoppelBrand, was first observed between

By Zero Day Wire

Infostealers Begin Targeting OpenClaw AI Agent Configuration Files, Stealing Gateway Tokens and Cryptographic Keys

Information-stealing malware has been caught exfiltrating configuration files from OpenClaw, the rapidly growing open-source AI agent platform, in what researchers describe as the first observed case of infostealers targeting AI agent infrastructure. "This finding marks a significant milestone in the evolution of infostealer behavior: the transition from stealing browser

By Zero Day Wire

Hijacked Google Ads and Fake Claude AI Guides Used to Deliver MacSync Infostealer Through ClickFix Campaign

Attackers are hijacking verified Google Ads accounts and abusing a public Claude AI artifact page to deliver the MacSync infostealer to macOS users through ClickFix social engineering, according to researchers at Moonlock Lab. The campaign combines three distinct social engineering layers — hijacked advertising infrastructure, trusted AI platform content, and Terminal

By Zero Day Wire

Lazarus Group Poisons npm and PyPI With Fake Recruitment Campaign Deploying Token-Based RAT

The North Korea-linked Lazarus Group has been planting malicious packages across both npm and PyPI repositories through an elaborate fake recruitment campaign targeting developers in the blockchain and cryptocurrency space, deploying a modular remote access trojan with a command-and-control mechanism unique to North Korean operations. ReversingLabs researchers discovered the campaign,

By Zero Day Wire

Single Bulletproof Hosting IP Behind 83% of Ivanti EPMM Exploitation as Sleeper Shells Target MDM Infrastructure

A single IP address on bulletproof hosting infrastructure is responsible for 83% of all exploitation attempts targeting the critical Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities that have already compromised multiple European government agencies. Threat intelligence firm GreyNoise recorded 417 exploitation sessions from 8 unique source IPs between February 1-9, with

By Zero Day Wire

Crazy Ransomware Operator Weaponizes Employee Monitoring Software for Stealth Persistence

A Crazy ransomware affiliate is abusing legitimate employee monitoring software and remote support tools to maintain stealth persistence inside corporate networks, blending malicious activity with normal administrative operations before deploying ransomware. Researchers at Huntress investigated multiple intrusions where the threat actor deployed Net Monitor for Employees Professional alongside the SimpleHelp

By Zero Day Wire