Cisco has warned about two actively exploited flaws in Catalyst SD-WAN Manager (formerly vManage). One flaw (CVE-2026-20122) allows an authenticated attacker with read-only API access to overwrite files on the system. The other (CVE-2026-20128) could let an attacker with valid credentials gain Data Collection Agent (DCA) user privileges. Cisco also released patches for multiple vulnerabilities affecting Secure Firewall Management Center, including two high-risk issues (CVE-2026-20079 and CVE-2026-20131) that could let unauthenticated remote attackers bypass authentication and execute arbitrary Java code as root.
CISA has added a Broadcom VMware Aria Operations command injection flaw (CVE-2026-22719) and an integer overflow issue (CVE-2026-21385) in Qualcomm products to its list of actively exploited vulnerabilities. Users are strongly recommended to update to the patched VMware Aria Operations versions (8.18.6, 9.0.2, VCF 5.2.3, VCF 9.0.2) or implement a workaround provided by Broadcom. Two further additions to the KEV are security issues affecting Hikvision and Rockwell Automation products (CVE-2017-7921, CVE-2017-7921).
The agency has also updated its security advisory on Resurge, a sophisticated malicious implant used in zero-day attacks exploiting the critical vulnerability (CVE-2025-0282) to compromise Ivanti Connect Secure devices.
A GTIG report found that 90 zero-day vulnerabilities were exploited in 2025, of which 47 targeted end-user platforms and 43 targeted enterprise products. Common flaw types included remote code execution, privilege escalation, injection, deserialization bugs, authorization bypasses, and memory corruption. Memory safety issues made up 35% of all exploited zero-days. The most targeted enterprise systems were security appliances, networking infrastructure, VPNs, and virtualization platforms, likely because they provide privileged network access and often lack strong monitoring.
Operating systems were the most exploited category, with 24 desktop OS zero-days and 15 mobile ones. Web browser zero-days dropped to eight, much fewer than in previous years. Microsoft was the most targeted vendor (25 flaws), followed by Google (11) and Apple (8). For the first time, commercial spyware vendors used more zero-day exploits than state-sponsored groups, suggesting a shift in the zero-day threat landscape.
Security researchers at GreyNoise have observed a coordinated reconnaissance campaign targeting SonicWall SonicOS infrastructure, logging 84,142 scanning sessions between February 22 and February 25, 2026. The activity originated from 4,305 unique IP addresses spanning 20 autonomous systems and focused on VPN enumeration and credential testing endpoints.
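The signal GreyNoise describes above (many source IPs across many autonomous systems hitting the same VPN endpoints in a short window) is something a defender can approximate from their own access logs. The following is an added example, not GreyNoise's tooling or data: the log format, the IP addresses, the ASN labels and the endpoint paths (`/vpn/login`, `/vpn/enumerate`) are constructed placeholders, not real SonicOS paths, and the thresholds are assumptions to tune per environment.

```python
"""Flag coordinated VPN-endpoint reconnaissance in access logs.

Added example; not GreyNoise's tooling. Log format, addresses, ASNs and the
endpoint paths are constructed placeholders (not real SonicOS endpoints).
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log: one "timestamp src_ip asn path status" record per line.
SAMPLE_LOG = """\
2026-02-22T10:01:05Z 203.0.113.10 AS64500 /vpn/login 401
2026-02-22T10:01:07Z 203.0.113.11 AS64500 /vpn/login 401
2026-02-22T10:02:15Z 198.51.100.7 AS64501 /vpn/enumerate 403
2026-02-22T10:03:40Z 198.51.100.8 AS64501 /vpn/enumerate 403
2026-02-22T10:04:02Z 192.0.2.5 AS64502 /vpn/login 401
2026-02-22T10:05:30Z 192.0.2.9 AS64503 /vpn/login 401
2026-02-22T10:06:00Z 203.0.113.10 AS64500 /vpn/login 401
2026-02-22T10:06:30Z 10.0.0.5 AS64999 /index.html 200
"""

# Placeholder endpoint names standing in for the appliance's VPN enumeration
# and credential-testing paths; substitute the real ones for your device.
WATCHED_PATHS = {"/vpn/login", "/vpn/enumerate"}


def parse_line(line):
    """Split one constructed log record into a typed event dict."""
    ts, ip, asn, path, status = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "asn": asn, "path": path, "status": int(status)}


def detect_recon(log_text, watched_paths=WATCHED_PATHS, min_ips=3, min_asns=2,
                 window=timedelta(hours=1)):
    """Summarise hits on watched endpoints and decide whether they look coordinated.

    "Coordinated" here means many distinct source IPs, spread across several
    autonomous systems, all inside a short window. One noisy host or a single
    misbehaving ASN does not trip the rule, which keeps ordinary scanner
    background noise from paging anyone.
    """
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    hits = [e for e in events if e["path"] in watched_paths]
    if not hits:
        return {"sessions": 0, "unique_ips": 0, "unique_asns": 0,
                "span_minutes": 0.0, "top_asns": [], "campaign": False}
    ips = {e["ip"] for e in hits}
    asns = Counter(e["asn"] for e in hits)
    span = max(e["ts"] for e in hits) - min(e["ts"] for e in hits)
    campaign = len(ips) >= min_ips and len(asns) >= min_asns and span <= window
    return {"sessions": len(hits),
            "unique_ips": len(ips),
            "unique_asns": len(asns),
            "span_minutes": span.total_seconds() / 60,
            "top_asns": asns.most_common(3),
            "campaign": campaign}


if __name__ == "__main__":
    print(detect_recon(SAMPLE_LOG))
```

On the sample above the rule fires: seven sessions from six addresses in four autonomous systems within five minutes. Raising `min_asns` above the number of ASNs seen, or widening the per-IP view to a single source, drops it back to "noise", which is the distinction between a scanner and a campaign that the report draws.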
A new iOS exploit kit called Coruna has been leveraged by both a suspected Russian espionage group and a Chinese cybercrime gang. The toolkit contains 23 exploits grouped into five exploit chains and can target iPhones running iOS 13.0 through iOS 17.2.1. In one case, the toolkit was used in watering hole attacks against Ukrainian users. The activity was linked to UNC6353, a suspected Russian state-backed group. The malicious code was hidden inside compromised Ukrainian websites and delivered through a hidden iFrame.
CERT-UA said it has observed multiple cases of phishing emails starting in January 2026, allegedly sent on behalf of central executive authorities and regional administrations. During January–February 2026, CERT-UA observed several malware tools, including SHADOWSNIFF (a stealer distributed via GitHub), SALATSTEALER (a malware-as-a-service stealer), and DEAFTICK (a primitive backdoor written in Go).
A China-linked hacking group, tracked as ‘UAT-9244,’ has been targeting telecommunications companies in South America since 2024, infiltrating Windows, Linux, and network devices. Researchers from Cisco Talos say the group is connected to the FamousSparrow and Tropic Trooper hacker groups, but appears to be a separate operation. The attackers used three new malware tools called TernDoor (a Windows backdoor), PeerTime (a Linux backdoor that uses BitTorrent), and BruteEntry (a tool that scans passwords and builds proxy networks).
Cybersecurity researchers at ClearSky have uncovered a targeted Russian campaign against Ukrainian entities leveraging two previously undocumented malware strains, dubbed ‘BadPaw’ and ‘MeowMeow.’ The malware features remote shell access, allowing attackers to execute PowerShell commands and perform file system operations, including reading, writing, verifying, and deleting files on compromised systems.
An alleged India-linked cyber-espionage campaign targeted government agencies and critical infrastructure operators in Pakistan, Bangladesh and Sri Lanka over the past year. The activity was attributed to an India-nexus threat actor tracked as SloppyLemming (aka Outrider Tiger and Fishing Elephant). The operation ran from January 2025 for nearly a year and used a malicious PDF containing the BurrowShell backdoor, and an Excel document with malware capable of keylogging and reconnaissance.
Ctrl-Alt-Intel researchers discovered a Netherlands-hosted virtual private server they attribute to the Iranian-linked MuddyWater cyber-espionage group. Due to opsec mistakes made by the threat actor, researchers were able to analyze the group’s TTPs, including custom C&C frameworks, a Tsundere botnet using Ethereum smart contracts, and targeting, which included organizations in Israel, Jordan, Egypt, the UAE, Portugal, and the United States.
Microsoft detected a phishing attack that misuses OAuth’s normal redirection feature to target government and public-sector organizations. Attackers create a fake application with a redirect link that points to a malicious website hosting malware. They then send phishing links that ask victims to sign in. After the victim authenticates, the OAuth process redirects them to the attacker’s site using silent authentication and invalid scopes without stealing the user’s tokens.
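Because the technique above relies on an attacker-registered application whose redirect URI points off-tenant, the practical control is to audit the redirect URIs of every registered app against the hosts the organization actually owns. The following is an added example, not Microsoft's code or a real tenant export: the registration JSON, app identifiers and host names are constructed, and the allow-list is an assumption standing in for the organization's own domains.

```python
"""Audit OAuth app registrations for redirect URIs that leave the organization.

Added example with a constructed registration export; the allow-listed hosts
and app records are placeholders, not data from any real tenant.
"""
import json
from urllib.parse import urlsplit

# Assumed: the only hosts this organization lets an OAuth flow redirect to.
ALLOWED_HOSTS = {"login.example.gov", "portal.example.gov"}

# Constructed export of app registrations (shape chosen for this example).
SAMPLE_REGISTRATIONS = json.dumps([
    {"app_id": "app-001", "display_name": "HR Portal",
     "redirect_uris": ["https://portal.example.gov/auth/callback"]},
    {"app_id": "app-002", "display_name": "Document Viewer",
     "redirect_uris": ["https://docs-update.example-cdn.net/signin",
                       "https://portal.example.gov/cb"]},
    {"app_id": "app-003", "display_name": "Legacy Tool",
     "redirect_uris": ["http://portal.example.gov/callback"]},
])


def audit_redirect_uri(uri, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of problems with one redirect URI (empty list means clean)."""
    parts = urlsplit(uri)
    issues = []
    if parts.scheme != "https":
        issues.append("non-https scheme")
    host = parts.hostname or ""
    if host not in allowed_hosts:
        issues.append(f"host not allow-listed: {host}")
    if "*" in uri:
        issues.append("wildcard in redirect URI")
    if parts.fragment:
        issues.append("fragment in redirect URI")
    return issues


def audit_registrations(json_text, allowed_hosts=ALLOWED_HOSTS):
    """Walk every registration and collect the redirect URIs that fail the audit.

    After the user authenticates, the authorization server sends the browser to
    whichever registered URI the app named, so any URI pointing at a host the
    organization does not control is a landing page the attacker chooses.
    """
    findings = []
    for app in json.loads(json_text):
        for uri in app["redirect_uris"]:
            issues = audit_redirect_uri(uri, allowed_hosts)
            if issues:
                findings.append({"app_id": app["app_id"],
                                 "display_name": app["display_name"],
                                 "uri": uri, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_registrations(SAMPLE_REGISTRATIONS):
        print(f["app_id"], f["uri"], ", ".join(f["issues"]))
```

Run against the sample export, the audit flags the Document Viewer app for a redirect to a host outside the allow-list and the Legacy Tool for a plain-http callback, while the HR Portal passes. Feeding it a real export from the identity provider's app-registration API is the only change needed to turn it into a recurring control.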
A trojanized version of FileZilla 3.69.5 is being circulated online, MalwareBytes warns. It looks like the normal program but includes a hidden malicious DLL file. When a user installs and opens FileZilla, Windows loads this malicious file first. The malware then runs inside the program, allowing attackers to steal saved FTP credentials, connect to a command-and-control server, and potentially stay active on the system.
A separate report from MalwareBytes details a sophisticated phishing campaign that is leveraging a website disguised as a Google Account security page to distribute one of the most fully featured browser-based surveillance toolkits observed in the wild.
Intrinsec released a technical report detailing an emerging infostealer called ‘AuraStealer,’ developed by a group of Russian-speaking actors.
Socket’s threat research team discovered malicious packages on Packagist disguised as helpful Laravel utilities. When installed through Composer, the apps downloaded an encrypted PHP remote access trojan (RAT). The malware allowed attackers to remotely control infected systems and send data back to a command-and-control (C&C) server.
Socket has also observed a new wave of malicious activity linked to North Korea’s long-running “Contagious Interview” campaign, with the threat actor publishing 26 malicious packages to the npm registry. The new operation has been attributed to a North Korean threat cluster known as Famous Chollima.
Another North Korea-linked operation has been caught deploying a previously undocumented malware toolkit designed to infiltrate air-gapped systems and move data between isolated and internet-connected networks. The campaign, dubbed ‘Ruby Jumper,’ has been attributed to APT37 aka ScarCruft, Ricochet Chollima, and InkySquid.
A Chinese-affiliated state-backed threat actor, tracked as ‘Silver Dragon,’ has been linked to a wave of cyberattacks targeting government and enterprise entities across Europe and Southeast Asia since at least mid-2024. Silver Dragon gains initial access by exploiting vulnerable public-facing servers and distributing phishing emails with malicious attachments. To maintain persistence, the group hijacks legitimate Windows services, enabling its malware to blend in with normal system processes and evade detection.
A suspected Iran-linked threat actor, tracked by Zscaler ThreatLabz as Dust Specter, has been targeting Iraqi government officials by impersonating Iraq’s Ministry of Foreign Affairs. Observed in January 2026, the campaign employs two distinct infection chains and delivers previously undocumented malware families, including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM.
South Korea’s National Tax Service (NTS) accidentally revealed the recovery phrase to a seized cryptocurrency wallet, allowing someone to steal millions of dollars in digital assets. The wallet was taken during raids on 124 wealthy tax evaders. In total, authorities confiscated digital assets worth 8.1 billion won (about $5.6 million).
An international law enforcement operation coordinated by Europol has dismantled key infrastructure behind Tycoon2FA, a large phishing-as-a-service (PhaaS) platform responsible for sending tens of millions of phishing messages each month. Authorities seized and took offline 330 domains used by the criminal service, including control panels and phishing websites. In a separate action, the FBI seized two domains used by the cybercrime forum LeakBase as part of an international effort codenamed “Operation Leak.”
A former US Air Force officer has been arrested for allegedly working with a Chinese hacker to train China’s military pilots. Gerald Eddie Brown, 65, was arrested in Jeffersonville, Indiana. Authorities say he spent almost three years living in China, where he trained pilots connected to the People’s Liberation Army Air Force (PLAAF).
John Daghita, son of Dean Daghita, CEO of Virginia-based Command Services & Support (CMDSS), was arrested on Saint Martin for allegedly stealing over $46 million in cryptocurrency from the US Marshals Service (USMS). Authorities seized cash, hard drives, and security keys during the arrest. CMDSS has managed and disposed of USMS digital assets since October 2024, including funds linked to the 2016 Bitfinex hack, one of the largest crypto thefts in history. Blockchain investigator ZachXBT traced $23 million from USMS wallets to Daghita after he exposed himself during a dispute with another hacker in a private Telegram chat, demonstrating the ability to move large sums between wallets in real time.
Evgenii Ptitsyn, a Russian national, 43, pled guilty in a US court to a wire fraud conspiracy charge linked to a ransomware operation. Ptitsyn managed the sale, distribution, and operation of Phobos ransomware, which targeted over 1,000 public and private entities globally, extorting more than $39 million in ransom payments. He was extradited from South Korea in November 2024 to face US charges.
Spain’s National Police have dismantled a Ukrainian criminal network operating in Alicante and Valencia. The group allegedly was involved in human trafficking, identity theft, document forgery, computer fraud, swindling, and money laundering. They used stolen identities from more than 5,000 people of 17 nationalities to create multiple accounts on online gambling platforms and placed thousands of automated bets using bots. The scheme generated about €4.75 million in illegal profits. The organization also recruited vulnerable Ukrainian women from war-affected areas and opened bank accounts in their names to move the money. Police arrested 12 suspects and solved 240 related complaints.
An American woman was sentenced to 22 months in US prison and ordered to pay a $50,000 fine after being convicted of conspiring to traffic in illicit Microsoft certificate of authenticity (COA) labels. Heidi Richards, 52, purchased thousands of genuine COA labels from co-conspirators at well below retail prices, extracted the product key codes, and sold them in bulk. Of note, US law prohibits the sale of standalone COA labels separate from their associated software.