Details emerged regarding a significant ransomware campaign orchestrated by the Warlock group (also tracked as Storm-2603 or Gold Salem), which successfully breached the network of software vendor SmarterTools.
In February 2026, the Symantec and Carbon Black Threat Hunter Team identified a sophisticated ransomware campaign initially misattributed to the Black Basta operation due to shared TTPs.
The Cyber Security Agency of Singapore (CSA) and the Infocomm Media Development Authority (IMDA) recently disclosed the conclusion of "Operation CYBER GUARDIAN," a massive 11-month multi-agency effort to counter a sophisticated campaign by the China-nexus APT group UNC3886.
ZeroDayRAT is a newly identified mobile spyware platform being sold openly on Telegram, with activity first observed in early February. Marketed as a fully managed service, it provides buyers with a centralized web-based control panel, dedicated support channels, and regular updates, allowing even non-technical operators to conduct advanced mobile surveillance and theft.
In early 2026, a sophisticated malware campaign was identified targeting users of the popular open-source archiver 7-Zip by utilizing a highly convincing lookalike website, 7zip[.]com.
Unit 42 researchers have developed a novel detection methodology that leverages cloud-based logging to "fingerprint" and identify specific threat actor groups based on their unique operational techniques.
Threat activity across the Asia-Pacific region is continuing to intensify, with more than 510 advanced persistent threat (APT) operations recorded globally in 2025, according to TeamT5.
According to researchers at Truesec, the December 2025 cyberattack on the Polish electrical grid marks a significant shift in Russian cyber warfare, specifically attributed to the threat actor DragonFly.
In early February 2026, a coordinated disclosure from Microsoft and Huntress alerted the security community to the active exploitation of CVE-2025-26399 (CVSS 9.8), a critical unauthenticated remote code execution (RCE) vulnerability in SolarWinds Web Help Desk (WHD).
A new threat actor identified as TeamPCP (also known as PCPcat, ShellForce, or DeadCatx3) has launched a sophisticated, worm-driven campaign targeting cloud-native infrastructure.
In February 2026, the Norwegian Police Security Service (PST) officially disclosed that Norway has been targeted by "Salt Typhoon," a sophisticated Chinese state-sponsored cyber espionage campaign.
ReliaQuest identified a spear-phishing campaign that uses Windows screensaver (.scr) files disguised as business documents to silently install legitimate remote monitoring and management (RMM) software and give attackers persistent, interactive remote access.
Bitdefender Labs has uncovered a coordinated supply chain campaign, dubbed ClawHavoc, targeting the OpenClaw (formerly Moltbot/Clawdbot) AI agent framework.
In January 2026, Microsoft Defender Experts identified a significant escalation in "ClickFix" activity that utilizes a new social engineering lure, which Huntress has attributed to the threat actor "KongTuke" in their blog post from mid-January on the same campaign.
Watchtowr Labs researchers identified a series of critical vulnerabilities in SmarterTools' SmarterMail email and collaboration server, most notably CVE-2026-24423 and an authentication bypass (tracked by watchTowr as WT-2026-0001).
Ransomware operators and malware developers are increasingly abusing virtual machines (VMs) provisioned through ISPsystem, a legitimate virtualization management platform, to deliver stealthy payloads.
The Sophos Counter Threat Unit (CTU) has identified a critical trend where Bulletproof Hosting (BPH) providers are leveraging legitimate ISPsystem VMmanager infrastructure to mass-provision virtual machines for cybercriminal operations.
The Iranian-linked Advanced Persistent Threat (APT) group known as Infy (or Prince of Persia) has demonstrated remarkable resilience, transitioning from a period of relative obscurity to a sophisticated, multi-stage operational model.
Researchers at Pillar Security recently disclosed two maximum-severity sandbox escape vulnerabilities tracked as CVE-2026-25049 in n8n, a leading open-source workflow automation platform.
SystemBC, also known as Coroxy or DroxiDat, remains a formidable and persistent threat in the cyber landscape.
TGR-STA-1030 (aka UNC6619) is a highly active, state-aligned cyber-espionage group assessed with high confidence to operate out of Asia.
On November 28, 2025, a threat actor executed a highly automated cloud intrusion against an AWS environment, escalating from initial access to administrative privileges in less than 10 minutes.
Between January 28 and February 2, 2026, security firm GreyNoise observed a coordinated reconnaissance campaign targeting Citrix ADC and NetScaler Gateway infrastructure, employing a combination of 63,000+ residential proxies and AWS-hosted IP addresses to conduct large-scale mapping and version enumeration.
A critical "EDR Killer" technique utilizes a legitimate but vulnerable driver associated with OpenText's EnCase forensic software to systematically dismantle system defenses.
In early February 2026, Microsoft Threat Intelligence released a comprehensive analysis of the evolving threat landscape for macOS systems, specifically focusing on the rise of Python-based infostealers.
CISA has updated its Known Exploited Vulnerabilities (KEV) catalog to reflect that ransomware groups are now actively chaining three VMware vulnerabilities originally patched in early 2025.
X-Labs recently uncovered a multi-stage credential-phishing campaign designed to evade email and content scanning by utilizing harmless-looking PDF files and layered redirection.
On January 29, 2026, Ivanti disclosed two critical zero-day vulnerabilities, CVE-2026-1281 and CVE-2026-1340, affecting Ivanti Endpoint Manager Mobile (EPMM).
A sophisticated supply chain attack has targeted the Open VSX Registry, leveraging compromised developer credentials to distribute a malware loader known as "Glassworm."
Security researchers have identified a sophisticated new Ransomware-as-a-Service (RaaS) operation dubbed "Vect."
Metro4Shell (CVE-2025-11953) is a critical remote code execution (RCE) vulnerability with a CVSS score of 9.8, affecting the Metro Development Server within the widely used @react-native-community/cli npm package.
In mid-2025, the official update mechanism for the widely used open-source text editor Notepad++ was compromised in a supply chain attack that persisted for roughly six months.
CrowdStrike has re-evaluated the activity of LABYRINTH CHOLLIMA (historically associated with the "Lazarus Group") and determined that the entity has fractured into three distinct operational subgroups: GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and a refined core LABYRINTH CHOLLIMA.
GTIG researchers have identified a significant expansion in the tradecraft used by the financially motivated threat group ShinyHunters (tracked under various clusters including UNC6240, UNC6661, and UNC6671).
The vulnerability, CVE-2026-21509 (CVSS 7.8), involves an over-reliance on untrusted inputs that allows attackers to bypass Object Linking and Embedding (OLE) mitigations.
CVE-2025-0921 is a medium-severity vulnerability (CVSS 6.5) involving "Execution with Unnecessary Privileges" within the ICONICS Suite and various Mitsubishi Electric industrial software products, including GENESIS64 and MC Works64.
Sekoia.io researchers have identified a widespread malicious framework dubbed "IClickFix," which automates the deployment of the "ClickFix" social engineering tactic across compromised WordPress websites.
The Department of Justice (DOJ) published a press release yesterday, announcing the indictment of a former Google software engineer, Linwei Ding, on seven counts of economic espionage and seven counts of theft of trade secrets.
A recent investigation by FortiGuard Labs highlights the evolving tactics of the Interlock ransomware group, a non-Ransomware-as-a-Service (RaaS) entity that maintains exclusive control over its malware development and operations.
SmarterTools has released urgent security updates to address two critical vulnerabilities in its SmarterMail email server software, most notably CVE-2026-24423 and CVE-2026-23760.
In January 2026, the Google Threat Intelligence Group (GTIG) led a major operation to disrupt IPIDEA, identified as one of the world's largest residential proxy networks.
The Blackpoint SOC has identified a novel threat campaign delivering the Amatera Stealer through a sophisticated Fake CAPTCHA social engineering chain.
A novel phishing technique has been identified that leverages the legitimate infrastructure of Zoom to deliver Telephone-Oriented Attack Delivery (TOAD) payloads.
TA584, a prolific initial access broker (IAB) also tracked as Storm-0900, has significantly evolved its tactics throughout 2025 to bypass modern security controls.
A critical supply chain attack was identified by security firm Morphisec affecting MicroWorld Technologies' eScan antivirus product.
n late 2025, the Aisuru botnet (also known as Kimwolf) launched a series of massive distributed denial-of-service (DDoS) attacks, culminating in a record-breaking peak of 31.4 Terabits per second (Tbps) and 200 million requests per second (rps).
The JFrog Security Research team identified two significant vulnerabilities in the n8n workflow automation platform, CVE-2026-1470 and CVE-2026-0863, that allow attackers to bypass sandboxing mechanisms and achieve Remote Code Execution (RCE).