Weekly Scan: Cloud, Cybersecurity, AI News — Feb 25, 2026

This week's critical security updates and vulnerability disclosures:

• CVE-2025-59536 (10 mentions)
• CVE-2026-2680 | A3factura Web Platform 4.111.2-rev.1 salesDeliveryNotes customerVATNumber cross site scripting (EUVD-2026-8852) (4 mentions)
• CVE-2026-26935 | Elastic Kibana up to 8.19.11/9.2.5/9.3.0 Internal Content Connectors Search Endpoint denial of service (3 mentions)

The maximum-severity vulnerability CVE-2026-20127 was exploited by an unknown but sophisticated threat actor who left very little evidence behind.

Qrator Research Lab has identified Aeternum C2, a botnet that uses the Polygon blockchain for commands, making it nearly impossible to shut down.

The North Korean threat group also leveraged Comebacker backdoor, Blindingcan RAT, and info stealer Infohook in its recent attacks.

There is a certain poetic justice in a cybersecurity-related story that has emerged from Moscow this week: A man has been accused of trying to extort money... from a notorious Russian ransomware gang. Read more in my article on the Hot for Securit...

UNC2814 hit 53 victims in 42 countries with novel backdoor in decade long cyber espionage operation

Marquis Software Solutions has filed a lawsuit against SonicWall, accusing the cybersecurity company of gross negligence and misrepresentation that allegedly led to a ransomware attack disrupting operations at 74 U.S. banks. [...]

Large Language Models (LLMs) can be adapted to extend their text capabilities to speech inputs. However, these speech-adapted LLMs consistently underperform their text-based counterparts—and even cascaded pipelines—on language understanding tasks. We term this shortfall the text-speech understand...

AI is accelerating every aspect of healthcare — from radiology and drug discovery to medical device manufacturing and new treatment methods enabled by digital twins of the human body. NVIDIA’s second annual “State of AI in Healthcare and Life Sciences” survey report reveals how the industry is mo...

One of the first pre-processing steps for constructing web-scale LLM pretraining datasets involves extracting text from HTML. Despite the immense diversity of web content, existing open-source datasets predominantly apply a single fixed extractor to all webpages. In this work, we investigate whet...

Recent multimodal large language models (MLLMs) such as GPT-4o and Qwen3-Omni show strong perception but struggle in multi-speaker, dialogue-centric settings that demand agentic reasoning tracking who speaks, maintaining roles, and grounding events across time. These scenarios are central to mult...

Welcome to Import AI, a newsletter about AI research. Import AI runs on arXiv and feedback from readers. If you’d like to support this, please subscribe. Subscribe now Want to make AI go better? Figure out how to measure it:…One simple policy intervention that works well…Jacob Steinhardt, an AI r...

Today, AWS WAF announced a new AI activity dashboard that provides centralized visibility into AI bot and agent traffic reaching your applications. With this launch, AWS WAF Bot Control expands its detection coverage to track more than 650 unique bots and agents, offering one of the most comprehe...

As autonomous AI systems transform business, a new profession is emerging to protect them: the AI Security Engineer. Discover why this specialized discipline is becoming a survival imperative for organizations in an AI-native world.

Today, AWS announces the general availability of Amazon Q Developer artifacts in the AWS Management Console. Amazon Q artifacts is a generative AI-based user experience that enables customers to visualize resource data in tables and cost data in charts. The launch also moves the Q icon to the nav...

Detect pharmaceutical IP theft, ransomware campaigns, and supply chain breaches in real time with Morpheus AI SOC. The post Your Drug Formulas, Clinical Trials, and Manufacturing Lines Are Under Attack. Here’s How to Fight Back. appeared first on D3 Security . The post Your Drug Formulas, Clinica...

LLM-driven vuln finding has reached an inflection

GPS attacks trigger revisiting threat models

What if we think about LLM coding as if it’s a compiler stage?

The CRA is coming and it's going to be a dramatic change for technology producers

Thinking of threat modeling with a knob helps you get more out of it.

Thoughts on the CVE funding crisis

Grateful to introduce the Hackers' Almanack!

A group of us have urged HHS to require better handling of security reports

Some thoughts on the Voyager Episode ‘Inside Man’

The most important stories around threat modeling, appsec and secure by design for June, 2024.

Why is it hard to count lockbit infections?

Making an LLM forget is harder than it seems

The CSRB has released its report into an intrusion at Microsoft, and...it’s a doozy.

The NVD is in crisis, and so is patch management. It’s time to modernize.

Solving hallucinations in legal briefs is playing on easy mode —— and still too hard

My latest at Dark Reading draws attention to how Microsoft can fix ransomware tomorrow.

Phishing behaviors, as observed in the wild.

Pointer to Adam’s latest Darkreading article

Text captured from GPT-3

What happened when Microsoft tried to buy climate abatements

Arbitrarily powerful software -- applications, operating systems -- is a problem, as is preventing it from running on enterprise systems.

The Colonial Pipeline shutdown story is interesting in all sorts of ways, and I can't delve into all of it.I did want to talk about one small aspect, which is the way responders talk about Darkside.

The timing of updates is not coincidental.

Thoughts on the issues with the Ever Given blocking the Suez Canal.

For Data Breach Today, I spoke with Anna Delaney about threat modeling for issues that are in the news right now.

You may have noticed that my end of the year posts are all science focused. Today, a set of resources on the COVID vaccines.

Sharing for you, bookmarking for me.

Today is the last Star Wars Day before Episode 9 comes out, and brings the Skywalker saga to its end.

Over-inflated numbers won't scare me into buying your ‘solution’.

Discussing the value of Security Advisory Boards

[no description provided]

[no description provided]

[no description provided]

[no description provided]

[no description provided]

[no description provided]

[no description provided]

[no description provided]

[no description provided]

[no description provided]

There are a number of reports out recently, breathlessly presenting their analysis of one threatening group of baddies or another. Most readers should, at most, skim their analysis of the perpetrators. Read on for why.

Officials said 30 perpetrators have been arrested in the past year, and global law enforcement cooperation is closing the gap. The post Project Compass is Europol’s new playbook for taking on The Com appeared first on CyberScoop .

UAT-10027 campaign is targeting U.S. education and healthcare sectors to deploy a new Dohdoor backdoor. Cisco Talos has identified a new threat cluster, tracked as UAT-10027, targeting U.S. education and healthcare organizations since at least December 2025 to deploy a previously unseen backdoor ...

Trend Micro has patched two critical Apex One vulnerabilities that allow attackers to gain remote code execution (RCE) on vulnerable Windows systems. [...]

DIY store chain ManoMano is notifying customers of a data breach personal data, which was caused by hackers compromising a third-party service provider. [...]

Fraudsters clone Avast’s website to target French users with a €499 phishing scam, using urgency tactics, live chat, and card validation to steal payment data.

A critical vulnerability in the Junos OS Evolved network operating system running on PTX Series routers from Juniper Networks could allow an unauthenticated attacker to execute code remotely with root privileges. [...]

A decade-old threat actor is up to some new shenanigans, but Google is having none of it.

A cyberespionage campaign carried out by a China-linked threat actor affected at least 53 government and telecom organizations across 42 countries, Google said.

French professional football club Olympique de Marseille has confirmed a cyberattack after a threat actor claimed on Monday that it breached the club's systems earlier this month. [...]

New botnet Aeternum shifted C2 operations to Polygon blockchain, complicating takedown efforts

As AI gets integrated, attacks speed up and grow in severity, so buisnesses should shape up.

2025 saw 32M phishing emails, with identity threats surpassing vulnerabilities

The number of ransomware victims paying threat actors has dropped to 28% last year, an all-time low, despite a significant increase in the number of claimed attacks. [...]

The Scattered Lapsus$ Hunters (SLH) hacking collective has launched a recruitment push aimed specifically at women, offering cash payments for participating in voice-phishing (vishing) attacks. A few days ago, threat intelligence firm Dataminr detected posts on a public Telegram channel advertisi...

Der Einsatz von KI-Tools macht Cyberangriffe nicht nur schneller, sondern erhöht auch die Taktzahl. Color4260 / Shutterstock Crowdstrike hat die aktuelle Ausgabe seines Global Threat Report veröffentlicht – mit mehreren bemerkenswerten Erkenntnissen. So benötigte ein Angreifer im Jahr 2025 im Sch...

The issue impacts the UPnP function of multiple device models and could be exploited for remote code execution. The post Zyxel Patches Critical Vulnerability in Many Device Models appeared first on SecurityWeek .

LLMs are bad at generating passwords: There are strong noticeable patterns among these 50 passwords that can be seen easily: All of the passwords start with a letter, usually uppercase G, almost always followed by the digit 7. Character choices are highly uneven ­ for example, L , 9, m, 2, $ and ...

Google has disrupted a China-linked espionage group that used Google’s spreadsheet application as a covert spy tool to compromise telecom providers and government agencies across 42 countries, sending commands and receiving stolen data through it, Google’s Threat Intelligence Group (GTIG) said on...

Packet inspection remains a routine activity across enterprise networks, incident response workflows, and malware investigations. Continuous use places long-term stability and parsing accuracy at the center of daily operations. Wireshark version 4.6.4 addresses two vulnerabilities affecting proto...

Google and partners disrupted UNC2814, a suspected China-linked group that hacked 53 organizations across 42 countries. Google, with industry partners, disrupted the infrastructure of UNC2814, a suspected China-linked cyber espionage group that breached at least 53 organizations in 42 countries. ...

Diese Open-Source-Tools adressieren spezifische Security-Probleme – mit minimalem Footprint. Foto: N Universe | shutterstock.com Cybersicherheitsexperten verlassen sich in diversen Bereichen auf Open-Source-Lösungen – nicht zuletzt weil diese im Regelfall von einer lebendigen und nutzwertigen Com...

Tom Uren and Amberleigh Jack talk about the argy-bargy between the Pentagon and AI company Anthropic. US Defense Secretary Pete Hegseth is demanding that all safeguards are lifted from Claude, while Anthropic CEO Dario Amodei is insisting on protections against mass surveillance of Americans and ...

When the mysterious operator of an internet archiving-service decided to silence a curious Finnish blogger, they didn’t just send a stroppy email - they allegedly weaponised their own CAPTCHA page to launch a DDoS attack, threatened to invent an entirely new genre of AI porn, and tampered with pa...

It’s bad enough that threat actors are leveraging AI for their attacks, but now they can also access a new remote access trojan (RAT) that makes it easy to launch data theft and ransomware attacks on Windows computers from a single management pane. The tool is called Steaelite, and according to r...

The global campaign marks the second series of multiple actively exploited zero-day vulnerabilities in Cisco edge technology since last spring. The similarities don’t end there. The post Governments issue warning over Cisco zero-day attacks dating back to 2023 appeared first on CyberScoop .

Researchers suggest defenders monitor how these malicious groups re-form and leverage the useful threat intel to guide their next moves.

Cisco is warning that a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20127, was actively exploited in zero-day attacks that allowed remote attackers to compromise controllers and add malicious rogue peers to targeted networks. [...]

Google's Threat Intelligence Group (GTIG), Mandiant, and partners disrupted a global espionage campaign attributed to a suspected Chinese threat actor that used SaaS API calls to hide malicious traffic in attacks targeting telecom and government networks. [...]

ShinyHunters claims 21 million records stolen in Odido NL and Ben.nl data breach as telecom company confirms cyberattack impacting customer contact system data.

The UNC2814 threat actor has been active since at least 2017, targeting organizations across 42 countries. The post Google Disrupts Chinese Hackers Targeting Telecoms, Governments appeared first on SecurityWeek .

1Campaign has been around for three years and comes with a fancy dashboard.

OpenClaw has sparked heavy Telegram and dark web chatter, but Flare's data shows more research hype than mass exploitation. Flare explains how its telemetry found real supply-chain risk in the skills marketplace, yet limited signs of large-scale criminal operationalization. [...]

Too many defenders and researchers are paying attention to defects and unsubstantiated exploit concepts that aren’t worth their time, VulnCheck’s Caitlin Condon said. The post Vulnerabilities grew like weeds in 2025, but only 1% were weaponized in attacks appeared first on CyberScoop .

Taiwan networking provider Zyxel has released security updates to address a critical vulnerability affecting over a dozen router models that can allow unauthenticated attackers to gain remote command execution on unpatched devices. [...]

The agency lost a third of its people in a year. Now industry and lawmakers on both sides say it's unprepared for a potential crisis. The post Across party lines and industry, the verdict is the same: CISA is in trouble appeared first on CyberScoop .

Four critical flaws were addressed, all of which could lead to remote code execution.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Soliton Systems K.K FileZen to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Soliton Systems K.K FileZen flaw, tracked as CVE-2026-25108 (CVSS v4...

In the latest operation targeting cybercrime groups, African law enforcement agencies cooperated with Interpol and cybersecurity firms to recover more than $4.3 million.

Rob Schultz / Shutterstock Da Unternehmen Cybersicherheit in ihre GRC ( Governance, Risk & Compliance )-Prozesse integrieren, müssen bestehende Programme überarbeitet werden. Nur so lässt sich sicherstellen, dass der zunehmende Einsatz und die Risiken von Generative und Agentic AI Berücksichtigun...

VMware has released patches for several high- and medium-risk vulnerabilities that impact its Aria Operations, Cloud Foundation, Telco Cloud Platform, and Telco Cloud Infrastructure products. The most serious of these flaws allows unauthenticated attackers to execute arbitrary commands on the und...

Business email compromise (BEC) is the digital con dressed to impress. It’s clean, calculated, and ready to fool even the sharpest eyes. These scammers don’t tell on themselves with sloppy hacks. They whisper in familiar voices, posing as your CEO, HR, or a trusted vendor. And, unlike phishing , ...

Automotive marketplace CarGurus was the target of a data breach in which the names, email addresses, phone numbers, and physical addresses of millions of customers were stolen.

Researchers found 1,500 vulnerabilities in 10 popular apps, including dozens of high-severity flaws.

Fintech giant Marquis is suing its firewall provider SonicWall, claiming that an earlier breach with SonicWall allowed hackers to deploy ransomware on Marquis' network.

Attack points to another breach by ShinyHunters, but the group has not yet claimed responsibility.

Phishing attack mimicking Bitpanda targets users, harvesting credentials and personal information

APT28 resurfaces once again, targeting Western organizations with spear-phishing lures.

Ransomware Medusa linked to North Korean hackers targets US healthcare amid ongoing attacks

The number of people affected by a data breach at government contractor giant Conduent is growing, as millions of people continue to receive notices warning them that hackers stole their personal data.

Qilin hits the Local 100 of TWA, leaking sensitive member data to the dark web.

Scam ads create millions of impressions every month, tricking users into downloading malware, and more.

The average time from intrusion to network movement in 2025 was 29 minutes, a 65% increase in speed from the year prior. The post CrowdStrike says attackers are moving through networks in under 30 minutes appeared first on CyberScoop .

[](/images/why-you-should-hate-anthropic.webp) All the best influencers hate Anthropic right now, and for good reason. They ruined everything, and they're worthy of every bit of hate they get. Quick recap: - T...

In this edition of Between Two Nerds Tom Uren and The Grugq talk about how ‘professional’ Five Eyes cyber espionage agencies like NSA will use AI. These agencies place a premium on stealth and won’t yolo AI. This episode is available on Youtube.

A Russian-speaking hacker used generative AI to compromise the FortiGate firewalls, targeting credentials and backups for possible follow-on ransomware attacks.

Advantest confirms being hit by ransomware, but says investigation is currently ongoing.

ShinyHunters claim to have hit Wynn Resorts, stealing 800,000 recors.

A low-skilled threat actor was able to do a lot with the help of AI, Amazon researchers warn.

A low-skilled Russian-speaking attacker has used GenAI tools to help deploy a successful attack workflow targeting FortiGate instances

Advantest, a Japanese specialist in testing computer chips for major semiconductor manufacturers, has deployed incident response protocols following a cybersecurity incident

University of Mississippi Medical Center is still scrambling to respond to a ransomware attack last Thursday

Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms. But a stealthy new phishing-as-a-service offering lets customers sidestep both of these pitfalls: It uses cle...

After two years of finding flaws in AI infrastructure, two Wiz researchers advise security pros to worry less about prompt injection and more about vulnerabilities.

Understanding the risks now emerging at every layer of the AI stack.

The slower pace of upgrades has the unintended impact of creating a haven for attackers, especially for initial access brokers and ransomware gangs.

RPKI relies on vulnerable servers, the French Ministry of Economy discloses a data breach, the UK gives tech platforms 48 hours to remove revenge porn, and ClickFix-attacks are responsible for 50% of malware infections.

CarGurus reportedly hit by ShinyHunters - with devastating effect.

As scaled-down circuits with limited functions redefine computing for AI systems and autonomous vehicles, their flexibility demands new approaches to safeguard critical infrastructure.

The malicious version of Cline's npm package — 2.3.0 — was downloaded more than 4,000 times before it was removed.

A user-friendly PhaaS tool beats standard methods for detecting phishing attacks by live-proxying legitimate login sites.

Guardicore Labs uncovers a Ransomware detection campaign targeting MySQL servers. Attackers use Double Extortion and publish data to pressure victims.

Guardicore security researchers describe and uncover a full analysis of a cryptomining attack, which hid a cryptominer inside WAV files. The report includes the full attack vectors, from detection, infection, network propagation and malware analysis and recommendations for optimizing incident res...

Pretending the software is sentient makes it sound more powerful As with any piece of obsolete software, you might expect an outdated AI model to just be switched off. Anthropic, however, argues that simply pulling the plug has downsides. After “retirement” interviews, Claude Opus 3 said it wante...

Google's new image model replaces the previous versions immediately.

Anthropic fixed the flaws – but the AI-enabled attack surfaces remain Security vulnerabilities in Claude Code could have allowed attackers to remotely execute code on users' machines and steal API keys by injecting malicious configurations into repositories, and then waiting for a developer to cl...

The US government has ordered its diplomats to actively oppose other countries’ attempts to introduce so-called data sovereignty laws that restrict how and where foreign technology companies can store and handle citizens’ data, according to Reuters . In an internal memo from Secretary of State Ma...

Does anyone remember when Apple was about to collapse because it didn’t offer 5G iPhones? Well, things have changed since then and as we make our way toward the 6G network transition expected in 2030 or so, Apple is ready to take part. How do I know this? Because Apple will have a presence at thi...

Choosing a secure password isn’t always easy. That’s why some people are turning to “artificial intelligence” (e.g., chatbots like ChatGPT and Google Gemini) to create secure passwords for them. But security experts at Irregular warn against this approach. After some tests, they’ve discovered tha...

AI doesn’t always give accurate answers—much less specific. Meanwhile, security software sometimes gets outright ignored. You wouldn’t think combining the two would make for a solid match, but Malwarebytes is proving me wrong. Recently, the venerable security software maker launched a ChatGPT int...

Galaxy S25 sheds 63% in 12 months as reseller questions LLM emphasis Smartphone makers love touting AI, but the technology may be quietly destroying resale values.…

Here in the land o’ Android, things are always evolving — and it isn’t only because of big operating system updates. Thanks to the way Google’s for years now been deconstructing Android and pulling OS-level pieces out of the operating system itself — so they exist as regular ol’ apps and can cons...

In the new Chrome versions 145.0.7632.116/117 for Windows and macOS and 145.0.7632.116 for Linux, the developers have fixed 3 newly reported security vulnerabilities. According to Google, none of these vulnerabilities are being exploited for attacks in the wild. In the Chrome Releases blog post ,...

Scams keep coming at us—and they’re getting harder to spot. How? Scammers have begun making them more tailored to their marks. That is… us. Personalized scams, as security experts call them, use details about you in the hope of tricking you more easily. This information comes from illicit sources...

A new Android malware called “Massiv” is on the rise. Security researchers at ThreatFabric uncovered the large-scale campaign, in which hackers disguised and distributed the malware as a harmless IPTV streaming app. Once installed, however, the app was able to read screen inputs to steal password...

Bitwarden, LastPass, and Dashlane are less secure than you might expect, at least if you go by the findings of security researchers at ETH Zurich and the Università della Svizzera italiana (USI) in Lugano. They’ve allegedly discovered serious security vulnerabilities in these popular password man...

In February 2026, the Dutch telco Odido was the victim of a data breach and subsequent extortion attempt . Following the incident, 1M records containing 317k unique email addresses was published publicly, with a threat by the attackers to continue leaking more data in the following days. The data...

Daryna Antoniuk reports: A Moscow resident has been accused of trying to extort money from the notorious Conti ransomware group by posing as an officer of Russia’s Federal Security Service (FSB), according to local media reports. Russian outlet RBC, citing sources familiar with the investigation,...

Cisco Talos discovered an ongoing malicious campaign since at least as early as December 2025 by a threat actor we track as “UAT-10027,” delivering a previously undisclosed backdoor dubbed “Dohdoor.”

Cisco Talos is tracking the active exploitation of CVE-2026-20127, a vulnerability in Cisco Catalyst SD-WAN Controller, formerly vSmart, that allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges.

Jonathan Greig reports: The United Arab Emirates said it stopped a ransomware attack this weekend that allegedly targeted the country’s digital infrastructure. The country’s Cyber Security Council published a statement on Saturday that said they “successfully thwarted organized cyberattacks of a ...

Eduard Kovacs reports that the Wynn Resorts listing on the ShinyHunters leak site, previously noted on this site, has been removed, suggesting that the resort paid an extortion demand to get data deleted. “The unauthorized third party has stated that the stolen data has been deleted,” the company...

Greater Pittsburgh Orthopaedic Associates (GPOA) recently began notifying patients of a breach that occurred on or about August 10, 2025. Although their notification letter to patients does not indicate that this was an incident involving encryption, on August 20, 2025, Ransomhouse had added GPOA...

Anna Ribeiro reports: A joint investigation by the Symantec and Carbon Black Threat Hunter teams details evidence that operators linked to the Lazarus hacker group are deploying Medusa ransomware in ongoing extortion campaigns targeting the U.S. healthcare sector and a Middle East entity, indicat...

Instagram phishing via fake login pages steals passwords and 2FA codes, leading to account takeovers and identity abuse.

A convincing fake Avast site displays a €499.99 charge and promises a refund. Instead, it harvests your name, address, and full credit card details.

In February 2026, the automotive marketplace CarGurus was the target of a data breach attributed to the threat actor ShinyHunters . Following an attempted extortion, the data was published publicly and contained more than 12M email addresses across multiple files including user account ID mapping...

Introduction

Attackers are weaponizing Facebook ads to distribute password-stealing malware masked as a Windows download.

In January 2026, data allegedly sourced from US automotive retailer CarMax was published online following a failed extortion attempt . The data included 431k unique email addresses along with names, phone numbers and physical addresses.