{"id":110,"date":"2026-02-27T21:36:34","date_gmt":"2026-02-27T21:36:34","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=110"},"modified":"2026-02-27T21:36:34","modified_gmt":"2026-02-27T21:36:34","slug":"openssl-rce-foxit-0-days-copilot-leak-ai-password-flaws-20-stories","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=110","title":{"rendered":"OpenSSL RCE, Foxit 0-Days, Copilot Leak, AI Password Flaws &#038; 20+ Stories"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Feb 19, 2026<\/span><\/span><span class=\"p-tags\">Cybersecurity \/ Hacking News<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjDev4RfdUfQ-WwS6a7aV2qVZ6Ftgydw2v8Q-0QDbcmjjnfwjMGcDNG5xV_Za_CJ8nyVFFzuMHVZ5wpspAJV48qF6WLVKQ3UhDZEh7r5rJXkM8IekmUtu1Q_ZroATC7mX6ThW14oaVvTuhyPeRT5v4mJNuZX_ZLSuuAb3aZQYlHRrVKkBzLPb4phQuxN2YS\/s1700-e365\/threatsday-feb.jpg\" style=\"clear: left; display: block; float: left;  text-align: center;\"><\/a><\/div>\n<p>The cyber threat space doesn\u2019t pause, and this week makes that clear. New risks, new tactics, and new security gaps are showing up across platforms, tools, and industries \u2014 often all at the same time.<\/p>\n<p>Some developments are headline-level. Others sit in the background but carry long-term impact. Together, they shape how defenders need to think about exposure, response, and preparedness right now.<\/p>\n<p>This edition of ThreatsDay Bulletin brings those signals into one place. 
Scan through the roundup for quick, clear updates on what\u2019s unfolding across the cybersecurity and hacking landscape.<\/p>\n<div class=\"td-wrap\">\n<section aria-labelledby=\"threatsday-title\" class=\"td-section\">\n<ol class=\"td-timeline\" role=\"list\">\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Privacy model hardening<\/span><\/p>\n<p class=\"td-desc\">\n      Google <a href=\"https:\/\/developer.android.com\/about\/versions\/17\/behavior-changes-17\" rel=\"noopener\" target=\"_blank\">announced<\/a> the first beta version of <a href=\"https:\/\/android-developers.googleblog.com\/2026\/02\/the-first-beta-of-android-17.html\" rel=\"noopener\" target=\"_blank\">Android 17<\/a>, which brings two privacy and security changes: the deprecation of the cleartext traffic manifest attribute, and support for Hybrid Public Key Encryption (HPKE), which combines public-key key encapsulation with symmetric authenticated encryption (AEAD) for secure communication. \u00abIf your app targets (Android 17) or higher and relies on <a href=\"https:\/\/developer.android.com\/guide\/topics\/manifest\/application-element#usesCleartextTraffic\" rel=\"noopener\" target=\"_blank\">usesCleartextTraffic<\/a>=&#8217;true&#8217; without a corresponding Network Security Configuration, it will default to disallowing cleartext traffic,\u00bb Google said. 
\u00abYou are encouraged to migrate to <a href=\"https:\/\/developer.android.com\/training\/articles\/security-config\" rel=\"noopener\" target=\"_blank\">Network Security Configuration files<\/a> for granular control.\u00bb\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">RaaS expands cross-platform reach<\/span><\/p>\n<p class=\"td-desc\">\n      A new analysis of the LockBit 5.0 ransomware has revealed that the Windows version packs in various defense evasion and anti-analysis techniques, including packing, DLL unhooking, process hollowing, patching Event Tracing for Windows (ETW) functions, and log clearing. \u00abWhat&#8217;s notable among the multiple systems support is its proclaimed capability to &#8216;work on all versions of Proxmox,'\u00bb Acronis <a href=\"https:\/\/www.acronis.com\/en\/tru\/posts\/lockbit-strikes-with-new-50-version-targeting-windows-linux-and-esxi-systems\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abProxmox is an open-source virtualization platform and is being adopted by enterprises as an alternative to commercial hypervisors, which makes it another prime target of ransomware attacks.\u00bb The latest version also introduces dedicated builds tailored for enterprise environments, highlighting the continued evolution of ransomware-as-a-service (RaaS) operations.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Mac users lured via nested obfuscation<\/span><\/p>\n<p class=\"td-desc\">\n      Cybersecurity researchers have detailed a new evolution of the ClickFix social engineering tactic targeting macOS users. 
\u00abDubbed Matryoshka due to its nested obfuscation layers, this variant uses a fake installation\/fix flow to trick victims into executing a malicious Terminal command,\u00bb Intego <a href=\"https:\/\/www.intego.com\/mac-security-blog\/matryoshka-clickfix-macos-stealer\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abWhile the ClickFix tactic is not new, this campaign introduces stronger evasion techniques \u2014 including an in-memory, compressed wrapper and API-gated network communications \u2014 designed to hinder static analysis and automated sandboxes.\u00bb The campaign primarily targets users attempting to visit software review sites, using typosquatted domains to redirect them to fake sites and start the infection chain.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Loader pipeline drives rapid domain takeover<\/span><\/p>\n<p class=\"td-desc\">\n      Another new <a href=\"https:\/\/thehackernews.com\/2026\/02\/microsoft-discloses-dns-based-clickfix.html\" rel=\"noopener\" target=\"_blank\">ClickFix campaign<\/a> detected in February 2026 has been observed delivering a malware-as-a-service (MaaS) loader known as Matanbuchus 3.0. Huntress, which <a href=\"https:\/\/www.huntress.com\/blog\/clickfix-matanbuchus-astarionrat-analysis\" rel=\"noopener\" target=\"_blank\">dissected<\/a> the attack chain, said the ultimate objective of the intrusion was likely to deploy ransomware or exfiltrate data, judging by how rapidly the threat actor progressed from initial access to lateral movement to domain controllers via PsExec, rogue account creation, and the staging of Microsoft Defender exclusions. The attack also led to the deployment of a custom implant dubbed AstarionRAT that supports 24 commands to facilitate credential theft, SOCKS5 proxying, port scanning, reflective code loading, and shell execution. 
According to data from the cybersecurity company, <a href=\"https:\/\/www.huntress.com\/press-release\/huntress-cyber-threat-report-exposes-the-playbook-for-organized-cybercrime\" rel=\"noopener\" target=\"_blank\">ClickFix fueled 53% of all malware loader activity<\/a> in 2025.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Typosquat chain targets macOS credentials<\/span><\/p>\n<p class=\"td-desc\">\n      In yet another ClickFix campaign, threat actors are relying on the \u00abreliable trick\u00bb to host malicious instructions on fake websites disguised as Homebrew (\u00abhomabrews[.]org\u00bb) to trick users into pasting them on the Terminal app under the pretext of installing the macOS package manager. In the attack chain documented by Hunt.io, the commands in the typosquatted Homebrew domain are used to deliver a credential-harvesting loader and a second-stage macOS infostealer dubbed Cuckoo Stealer. \u00abThe injected installer looped on password prompts using &#8216;<a href=\"https:\/\/ss64.com\/mac\/dscl.html\" rel=\"noopener\" target=\"_blank\">dscl . -authonly<\/a>,&#8217; ensuring the attacker obtained working credentials before deploying the second stage,\u00bb Hunt.io <a href=\"https:\/\/hunt.io\/blog\/fake-homebrew-clickfix-cuckoo-stealer-macos\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abCuckoo Stealer is a full-featured macOS infostealer and RAT: It establishes LaunchAgent persistence, removes quarantine attributes, and maintains encrypted HTTPS command-and-control communications. It collects browser credentials, session tokens, macOS Keychain data, Apple Notes, messaging sessions, VPN and FTP configurations, and over 20 cryptocurrency wallet applications.\u00bb The use of \u00abdscl . 
-authonly\u00bb has been <a href=\"https:\/\/www.cloudsek.com\/blog\/amos-variant-distributed-via-clickfix-in-spectrum-themed-dynamic-delivery-campaign-by-russian-speaking-hackers\" rel=\"noopener\" target=\"_blank\">previously observed<\/a> in attacks deploying Atomic Stealer.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Phobos affiliate detained in Europe<\/span><\/p>\n<p class=\"td-desc\">\n      Authorities from Poland&#8217;s Central Bureau for Combating Cybercrime (CBZC) have detained a 47-year-old man over suspected ties to the Phobos ransomware group. He faces a potential prison sentence of up to five years. The CBZC <a href=\"https:\/\/cbzc.policja.gov.pl\/bzc\/aktualnosci\/823,47-latek-zwiazany-z-grupa-Phobos-zatrzymany-przez-policjantow-CBZC.html\" rel=\"noopener\" target=\"_blank\">said<\/a> the \u00ab47-year-old used encrypted messaging to contact the Phobos criminal group, known for conducting ransomware attacks,\u00bb adding the suspect&#8217;s devices contained logins, passwords, credit card numbers, and server IP addresses that could have been used to launch \u00abvarious attacks, including ransomware.\u00bb The arrest is part of Europol&#8217;s Operation Aether, which targets the 8Base ransomware group, believed to be linked to Phobos. It has been almost exactly a year since international law enforcement dismantled the 8Base crew. 
More than 1,000 organizations around the world have been targeted in Phobos ransomware attacks, and the cybercriminals are believed to have obtained over $16 million in ransom payments.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Industrial ransomware surge accelerates<\/span><\/p>\n<p class=\"td-desc\">\n      There has been a sharp rise in the number of ransomware groups targeting industrial organizations as cybercriminals continue to exploit vulnerabilities in operational technology (OT) and industrial control systems (ICS), Dragos <a href=\"https:\/\/www.dragos.com\/blog\/dragos-2026-ot-cybersecurity-year-in-review\" rel=\"noopener\" target=\"_blank\">warned<\/a>. A total of 119 ransomware groups targeting industrial organizations were tracked during 2025, a 49% increase from the 80 tracked in 2024. Some 3,300 industrial organizations around the world were hit by ransomware in 2025, compared with 1,693 in 2024. The most targeted sector was manufacturing, followed by transportation. In addition, a hacking group tracked as Pyroxene has been observed conducting \u00absupply chain-leveraged attacks targeting defense, critical infrastructure, and industrial sectors, with operations expanding from the Middle East into North America and Western Europe.\u00bb It often leverages initial access provided by PARISITE to enable movement from IT into OT networks. 
Pyroxene overlaps with activity attributed to Imperial Kitten (aka APT35), a threat actor affiliated with the cyber arm of the Islamic Revolutionary Guard Corps (IRGC).\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Copilot bypassed DLP safeguards<\/span><\/p>\n<p class=\"td-desc\">\n      Microsoft <a href=\"https:\/\/admin.microsoft.com\/#\/MessageCenter\/:\/messages\/CW1226324\" rel=\"noopener\" target=\"_blank\">confirmed<\/a> a bug (<a href=\"https:\/\/mailservices.isc.upenn.edu\/computing\/email\/penno365\/alerts\/ms-incidents.html#:~:text=CW1226324%20%2D%20Users%27%20email%20messages%20with%20a%20confidential%20label%20applied%20are%20being%20incorrectly%20processed%20by%20Microsoft%20365%20Copilot%20chat\" rel=\"noopener\" target=\"_blank\">CW1226324<\/a>) that let Microsoft 365 Copilot summarize confidential emails from Sent Items and Drafts folders since January 21, 2026, without users&#8217; permission, bypassing data loss prevention (DLP) policies put in place to safeguard sensitive data. A fix was deployed by the company on February 3, 2026. However, the company did not disclose how many users or organizations were affected. \u00abUsers&#8217; email messages with a confidential label applied are being incorrectly processed by Microsoft 365 Copilot chat,\u00bb Microsoft said. \u00abThe Microsoft 365 Copilot &#8216;work tab&#8217; Chat is summarizing email messages even though these email messages have a sensitivity label applied, and a DLP policy is configured. 
A code issue is allowing items in the sent items and draft folders to be picked up by Copilot even though confidential labels are set in place.\u00bb (Update: As of February 19, 2026, Microsoft said the root cause of this issue has been addressed for most customers, and that it&#8217;s now \u00abcompleting a longer-term, comprehensive sync to apply this fix retroactively to previously affected messages within the Sent and Draft folders to fully remediate the impact.\u00bb)\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Jira trials weaponized for spam<\/span><\/p>\n<p class=\"td-desc\">\n      Threat actors are abusing the trust and reputation associated with Atlassian Jira Cloud and its connected email system to run automated spam campaigns and bypass traditional email security. To accomplish this, the operators created Atlassian Cloud trial accounts using randomized naming conventions, allowing them to generate disposable Jira Cloud instances at scale. \u00abEmails were tailored to target specific language groups, targeting English, French, German, Italian, Portuguese, and Russian speakers \u2014 including highly skilled Russian professionals living abroad,\u00bb Trend Micro <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/26\/b\/spam-campaign-abuses-atlassian-jira.html\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abThese campaigns not only distributed generic spam, but also specifically targeted sectors such as government and corporate entities.\u00bb The attacks, active from late December 2025 through late January 2026, primarily targeted organizations using Atlassian Jira. 
The goal was to get recipients to open the emails and click on malicious links, which would initiate a redirect chain powered by the Keitaro Traffic Distribution System (TDS) and then finally lead them to pages peddling investment scams and online casino landing sites, suggesting that financial gain was likely the main objective.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">GitLab SSRF now federally mandated patch<\/span><\/p>\n<p class=\"td-desc\">\n      The U.S. Cybersecurity and Infrastructure Security Agency (CISA), on February 18, 2026, <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2026\/02\/18\/cisa-adds-two-known-exploited-vulnerabilities-catalog\" rel=\"noopener\" target=\"_blank\">added<\/a> CVE-2021-22175 to its Known Exploited Vulnerabilities (<a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\" rel=\"noopener\" target=\"_blank\">KEV<\/a>) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the patch by March 11, 2026. \u00abGitLab contains a server-side request forgery (SSRF) vulnerability when requests to the internal network for webhooks are enabled,\u00bb CISA said. 
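<p>As an added example for the GitLab webhook SSRF item above (written for this bulletin, not GitLab&#8217;s own code), the following Python validator shows the check a webhook feature needs before it fetches a user-supplied URL: only http\/https on standard ports, no userinfo, and every address the host resolves to must be public, which rules out loopback, RFC 1918, link-local (including the 169.254.169.254 cloud metadata endpoint), CGNAT and IPv4-mapped IPv6 destinations. The hostnames and the FAKE_DNS table are constructed so the example runs offline; in production use the system resolver and connect to the validated address rather than re-resolving the name.<\/p>

```python
"""Outbound-webhook URL validator that refuses internal destinations (SSRF guard).

Added example, not GitLab's code: it shows the kind of check a webhook feature
needs so that user-supplied URLs cannot reach loopback, RFC 1918, link-local
(including the 169.254.169.254 cloud-metadata endpoint), CGNAT or other
non-global addresses. The resolver is injectable so the check runs offline.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def system_resolver(host: str) -> List[str]:
    """Resolve with the OS resolver and return every A/AAAA answer."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_internal(addr: str) -> bool:
    """True for any address an outbound webhook must not reach."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])   # drop IPv6 zone id
    mapped = getattr(ip, "ipv4_mapped", None)          # ::ffff:10.0.0.1 -> 10.0.0.1
    if mapped is not None:
        ip = mapped
    # is_global is False for loopback, private (RFC 1918 / ULA), link-local,
    # CGNAT 100.64/10, multicast, reserved and documentation ranges.
    return not ip.is_global


def validate_webhook_url(url: str, resolver: Resolver = system_resolver) -> List[str]:
    """Return the public IPs the webhook may connect to, or raise ValueError.

    Connect to one of the returned addresses (keeping the Host header set to the
    original hostname) rather than re-resolving later: re-resolution reopens the
    DNS-rebinding window between this check and the actual request.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in webhook URL is not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")

    # A literal address is checked as-is. Anything else goes through the resolver,
    # which also normalises spellings such as 0x7f000001, 2130706433 or 127.1 that
    # ipaddress rejects but libc happily turns into 127.0.0.1.
    try:
        candidates = [str(ipaddress.ip_address(host))]
    except ValueError:
        candidates = list(resolver(host))
    if not candidates:
        raise ValueError(f"host does not resolve: {host!r}")
    for addr in candidates:              # every answer must be public
        if is_internal(addr):
            raise ValueError(f"{host!r} resolves to internal address {addr}")
    return candidates


# Constructed DNS table for offline demonstration; these names are not real hosts.
FAKE_DNS: Dict[str, List[str]] = {
    "hooks.partner.example": ["93.184.216.34"],
    "localhost": ["127.0.0.1", "::1"],
    "imds.attacker.example": ["169.254.169.254"],
    "rebind.attacker.example": ["93.184.216.34", "10.0.0.5"],
    "mapped.attacker.example": ["::ffff:192.168.1.20"],
    "cgnat.attacker.example": ["100.64.1.1"],
}


def fake_resolver(host: str) -> List[str]:
    """Stand-in for system_resolver backed by the constructed table above."""
    return FAKE_DNS.get(host.lower(), [])


if __name__ == "__main__":
    for target in ["https://hooks.partner.example/ci", "http://localhost/",
                   "http://imds.attacker.example/latest/meta-data/",
                   "https://rebind.attacker.example/", "http://10.0.0.1:8080/"]:
        try:
            print(target, "->", validate_webhook_url(target, fake_resolver))
        except ValueError as err:
            print(target, "-> rejected:", err)
```

<p>Two points matter beyond the allow-list itself: every resolved answer is checked, because an attacker-controlled zone can return one public and one private record, and the caller is told to connect to the returned address instead of resolving again, which is the only way the check and the request are guaranteed to see the same destination.<\/p>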
In March 2025, GreyNoise revealed that a cluster of about 400 IP addresses was actively exploiting multiple SSRF vulnerabilities, including CVE-2021-22175, to target susceptible instances in the U.S., Germany, Singapore, India, Lithuania, and Japan.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Telegram bots fuel Fortune 500 phishing<\/span><\/p>\n<p class=\"td-desc\">\n      An elusive, financially motivated threat actor dubbed GS7 has been targeting Fortune 500 companies in a new phishing campaign that leverages trusted company branding with lookalike websites aimed at harvesting credentials via Telegram bots. The campaign, codenamed <a href=\"https:\/\/socradar.io\/resources\/whitepapers\/operation-doppelbrand-fortune-500-access\/\" rel=\"noopener\" target=\"_blank\">Operation DoppelBrand<\/a>, targets top financial institutions, including Wells Fargo, USAA, Navy Federal Credit Union, Fidelity Investments, and Citibank, as well as technology, healthcare, and telecommunications firms worldwide. Victims are lured through phishing emails and redirected to counterfeit pages where credentials are harvested and transmitted to Telegram bots controlled by the attacker. Although the campaign is new, SOCRadar said the group&#8217;s activity stretches back to 2022. The threat actor is said to have registered more than 150 malicious domains in recent months using registrars such as Namecheap and OwnRegistrar, and to route traffic through Cloudflare to evade detection. GS7&#8217;s end goals include not only harvesting credentials, but also downloading remote management and monitoring (RMM) tools like LogMeIn Resolve on victim systems to enable remote access or the deployment of malware. 
This has raised the possibility that the group may even act as an initial access broker (IAB), selling the access to ransomware groups or other affiliates.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Remcos shifts to live C2 surveillance<\/span><\/p>\n<p class=\"td-desc\">\n      Phishing emails disguised as invoices, job offers, or government notices are being used to distribute a new variant of Remcos RAT to facilitate comprehensive surveillance and control over infected systems. \u00abThe latest Remcos variant has been observed exhibiting a significant change in behaviour compared to previous versions,\u00bb Point Wild <a href=\"https:\/\/www.pointwild.com\/threat-intelligence\/remcos-revisited-inside-the-rats-evolving-command-and-control-techniques\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abInstead of stealing and storing data locally on the infected system, this variant establishes direct online command-and-control (C2) communication, enabling real-time access and control. In particular, it leverages the webcam to capture live video streams, allowing attackers to monitor targets remotely. 
This shift from local data exfiltration to live, online surveillance represents an evolution in Remcos\u2019 capabilities, increasing the risk of immediate espionage and persistent monitoring.\u00bb\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">China-made vehicles restricted on bases<\/span><\/p>\n<p class=\"td-desc\">\n      Poland&#8217;s Ministry of Defence has banned Chinese-made cars, and other motor vehicles equipped with technology to record position, images, or sound, from entering protected military facilities due to national security concerns and to \u00ablimit the risk of access to sensitive data.\u00bb The ban also extends to connecting work phones to infotainment systems in motor vehicles produced in China. The ban isn&#8217;t permanent: the Defence Ministry has called for the development of a vetting process to allow carmakers to undergo a security assessment that, if passed, can allow their vehicles to enter protected facilities. \u00abModern vehicles equipped with advanced communication systems and sensors can collect and transmit data, so their presence in protected zones requires appropriate safety regulations,\u00bb the Polish Army <a href=\"https:\/\/www.wojsko-polskie.pl\/sgwp\/articles\/aktualnosci-w\/zakazu-wjazdu-pojazdow-mechanicznych-wyprodukowanych-w-chinskiej-republice-ludowej-na-tereny-chronionych-obiektow-wojskowych\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abThe measures introduced are preventive and comply with the practices of NATO countries and other allies to ensure the highest standards of defense infrastructure protection. 
They are part of a wider process of adapting security procedures to the changing technological environment and current requirements for the protection of critical infrastructure.\u00bb\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">DKIM replay fuels invoice scams<\/span><\/p>\n<p class=\"td-desc\">\n      Bad actors are abusing legitimate invoices and dispute notifications from trusted vendors, such as PayPal, Apple, DocuSign, and Dropbox Sign (formerly HelloSign), to bypass email security controls. \u00abThese platforms often allow users to enter a &#8216;seller name&#8217; or add a custom note when creating an invoice or notification,\u00bb Kaseya-owned INKY <a href=\"https:\/\/www.kaseya.com\/blog\/dkim-replay-attacks-apple-paypal-invoice-abuse\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abAttackers abuse this functionality by inserting scam instructions and a phone number into those user-controlled fields. They then send the resulting invoice or dispute notice to an email address they control, ensuring the malicious content is embedded in a legitimate, vendor-generated message.\u00bb Because the message was genuinely generated and DKIM-signed by the vendor, the signature still verifies when the attacker forwards it unchanged, so it passes DKIM and therefore Domain-based Message Authentication, Reporting and Conformance (DMARC) checks. As soon as the legitimate email is received, the attacker proceeds to forward it to the intended targets, allowing the \u00abauthentic looking\u00bb message to land in the victims&#8217; inboxes. 
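<p>The following Python check, an added example rather than INKY&#8217;s code, shows what a receiving mail system can still look at once a replayed message has passed DKIM. It assumes the MTA has already verified the signature cryptographically and then tests whether the signed message was plausibly meant for the mailbox that received it: it parses the DKIM-Signature tags, requires the To: header to be covered by h=, compares the signed To:\/Cc: recipients with the SMTP envelope recipient, and flags signatures that are old (t=) or expired (x=). The two messages, the vendor.example domain and the timestamps are constructed for the example.<\/p>

```python
"""Heuristic DKIM-replay check for a message that already passed DKIM verification.

Added example, not INKY's or any vendor's code. It assumes the MTA verified the
signature cryptographically (e.g. an upstream dkim=pass); what is checked here is
whether the *signed* message was plausibly addressed to the mailbox that received
it, which a replayed vendor invoice is not.
"""
import email
import email.utils
import re
from typing import Dict, List


def parse_dkim_tags(header_value: str) -> Dict[str, str]:
    """Split a DKIM-Signature value (RFC 6376, tag=value; ...) into a dict.

    Folding whitespace is legal anywhere inside a tag value, so it is removed
    from values; that is correct for the tags used here (h=, d=, t=, x=).
    """
    tags: Dict[str, str] = {}
    for item in header_value.split(";"):
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip().lower()] = re.sub(r"\s+", "", value)
    return tags


def dkim_replay_findings(raw_message: bytes, envelope_rcpt: str, received_at: int,
                         max_age: int = 24 * 3600) -> List[str]:
    """Return replay indicators for one message (empty list: nothing suspicious).

    envelope_rcpt is the SMTP RCPT TO address; received_at is a Unix timestamp.
    """
    msg = email.message_from_bytes(raw_message)   # compat32 policy: headers as str
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return ["no DKIM-Signature header; nothing to replay-check"]
    tags = parse_dkim_tags(sig)
    findings: List[str] = []

    # 1. Recipient headers must be in the signed header list, otherwise the
    #    forwarder can rewrite To:/Cc: without breaking the signature.
    signed_headers = {h.lower() for h in tags.get("h", "").split(":") if h}
    if "to" not in signed_headers:
        findings.append("To: is not covered by h=; recipients are not bound by the signature")

    # 2. The mailbox that received the message should be among the signed recipients.
    recipients = {addr.lower() for _, addr in
                  email.utils.getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if envelope_rcpt.lower() not in recipients:
        findings.append(f"envelope recipient {envelope_rcpt} is not in signed "
                        f"To:/Cc: {sorted(recipients)}")

    # 3. Age: vendor notifications are sent once; a days-old signature arriving
    #    now was stored and re-sent. t= is optional, so only check when present.
    if tags.get("t", "").isdigit():
        age = received_at - int(tags["t"])
        if age > max_age:
            findings.append(f"signature is {age // 3600} hours old (t={tags['t']})")

    # 4. Expiry: a signer can bound replay with x=; honour it when present.
    if tags.get("x", "").isdigit() and received_at > int(tags["x"]):
        findings.append(f"signature expired at x={tags['x']}")

    return findings


# Constructed sample (not a real vendor message): an invoice the attacker had the
# vendor send to a mailbox they control, then forwarded three days later to a victim.
REPLAYED_INVOICE = b"""\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=vendor.example;
 s=mail; t=1771200000; h=From:To:Subject:Date;
 bh=dGVzdA==; b=c2lnbmF0dXJl
From: Vendor Invoices <invoices@vendor.example>
To: dropbox-for-scams@attacker.example
Subject: Invoice #48213 - call +1-555-0100 to dispute
Date: Mon, 16 Feb 2026 00:00:00 +0000

Seller note: Your account was charged $499.99. Call +1-555-0100 immediately.
"""

# Constructed sample: the same vendor's notification delivered to its real recipient.
LEGIT_INVOICE = b"""\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=vendor.example;
 s=mail; t=1771459000; x=1771545400; h=From:To:Subject:Date;
 bh=dGVzdA==; b=c2lnbmF0dXJl
From: Vendor Invoices <invoices@vendor.example>
To: Accounts Payable <ap@corp.example>
Subject: Invoice #48214
Date: Thu, 19 Feb 2026 00:00:00 +0000

Invoice attached.
"""

if __name__ == "__main__":
    now = 1771459200
    print("replayed:", dkim_replay_findings(REPLAYED_INVOICE, "victim@corp.example", now))
    print("legit:   ", dkim_replay_findings(LEGIT_INVOICE, "ap@corp.example", now))
```

<p>These are scoring signals rather than a hard reject: t= is optional, and the recipient check also fires on ordinary mailing-list and alias traffic, so it belongs in a scoring engine next to the vendor-brand and phone-number heuristics. On the sending side, covering To: in h= and setting a short x= expiry is what makes the recipient and expiry checks bite against replay in the first place.<\/p>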
The attack is known as a DKIM replay attack.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">RMM abuse surges 277%<\/span><\/p>\n<p class=\"td-desc\">\n      A new report from Huntress has revealed that the abuse of Remote Monitoring and Management (RMM) software surged 277% year-over-year, accounting for 24% of all observed incidents. Threat actors have begun to increasingly favor these tools because they are ubiquitous in enterprise environments, and the trusted nature of the RMM software allows malicious activity to blend in with legitimate usage, making detection harder for defenders. They also offer increased stealth, persistence, and operational efficiency. \u00abAs cybercriminals built entire playbooks around these legitimate, trusted tools to drop malware, steal credentials, and execute commands, the use of traditional hacking tools plummeted by 53%, while remote access trojans and malicious scripts dropped by 20% and 11.7%, respectively,\u00bb the company <a href=\"https:\/\/www.huntress.com\/press-release\/huntress-cyber-threat-report-exposes-the-playbook-for-organized-cybercrime\" rel=\"noopener\" target=\"_blank\">said<\/a>.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Texas targets China-linked tech firms<\/span><\/p>\n<p class=\"td-desc\">\n      Texas Attorney General Ken Paxton has <a href=\"https:\/\/www.texasattorneygeneral.gov\/news\/releases\/attorney-general-paxton-sues-tp-link-allowing-ccp-access-americans-devices-first-several-lawsuits\" rel=\"noopener\" target=\"_blank\">sued<\/a> TP-Link for \u00abdeceptively marketing its networking devices and allowing the Chinese Communist Party (&#8216;CCP&#8217;) to access American consumers&#8217; devices in their homes.\u00bb Paxton&#8217;s lawsuit alleges that 
TP-Link&#8217;s products have been used by Chinese hacking groups to launch cyber attacks against the U.S. and that the company is subject to Chinese data laws, which the suit says require firms operating in the country to support its intelligence services by \u00abdivulging Americans&#8217; data.\u00bb TP-Link <a href=\"https:\/\/therecord.media\/texas-sues-tp-link-china-allegations\">told<\/a> The Record that these allegations are \u00abwithout merit\u00bb and that neither the Chinese government nor the Chinese Communist Party (CCP) exercises control over the company, its products, or user data. It also added that all U.S. user data is stored on domestic Amazon Web Services (AWS) servers. In a second lawsuit, Paxton also <a href=\"https:\/\/www.texasattorneygeneral.gov\/news\/releases\/attorney-general-paxton-files-second-major-lawsuit-against-ccp-aligned-company-week-new-action\" rel=\"noopener\" target=\"_blank\">accused<\/a> Anzu Robotics of misleading Texas consumers about the \u00aborigin, data practices, and security risks of its drones.\u00bb Paxton&#8217;s office described the company&#8217;s products as a \u00ab21st century Trojan horse linked to the CCP.\u00bb
However, recent iterations of the campaign have expanded their data theft capabilities by tampering with the MetaMask wallet extension (if it&#8217;s installed) through a lightweight JavaScript backdoor that shares the same functionality as InvisibleFerret, according to security researcher Seongsu Park. \u00abThrough the backdoor, attackers instruct the infected system to download and install a fake version of the popular MetaMask cryptocurrency wallet extension, complete with a dynamically generated configuration file that makes it appear legitimate,\u00bb Park <a href=\"https:\/\/sp4rk.medium.com\/beyond-the-backdoor-how-contagious-interview-is-surgically-tampering-with-metamask-wallets-0314ae901d85\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abOnce installed, the compromised MetaMask extension silently captures the victim&#8217;s wallet unlock password and transmits it to the attackers\u2019 command-and-control server, giving them complete access to cryptocurrency funds.\u00bb\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Booking.com kits hit hotels, guests<\/span><\/p>\n<p class=\"td-desc\">\n      Bridewell has warned of a resurgence in malicious activity targeting the hotel and retail sector. \u00abThe primary motivation driving this incident is financial fraud, targeting two victims: hotel businesses and hotel customers, in sequential order,\u00bb security researcher Joshua Penny <a href=\"https:\/\/www.bridewell.com\/insights\/blogs\/detail\/the-booking.com-phishing-campaign-targeting-hotels-and-customers\" rel=\"noopener\" target=\"_blank\">said<\/a>. 
\u00abThe threat actor(s) utilize impersonation of the Booking.com platform through two distinct phishing kits dedicated to harvesting credentials and banking information from each victim, respectively.\u00bb It&#8217;s worth noting that the activity shares overlap with a prior activity wave disclosed by Sekoia in November 2025, although the use of a dedicated phishing kit is a new approach by either the same or new operators.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">EPMM exploits enable persistent access<\/span><\/p>\n<p class=\"td-desc\">\n      The recently disclosed security flaws in Ivanti Endpoint Manager Mobile (EPMM) have been exploited by bad actors to establish a reverse shell, deliver JSP web shells, conduct reconnaissance, and download malware, including Nezha, cryptocurrency miners, and backdoors for remote access. The two critical vulnerabilities, CVE-2026-1281 and CVE-2026-1340, allow unauthenticated attackers to remotely execute arbitrary code on target servers, granting them full control over mobile device management (MDM) infrastructure without requiring user interaction or credentials. According to Palo Alto Networks Unit 42, the campaign has affected state and local government, healthcare, manufacturing, professional and legal services, and high technology sectors in the U.S., Germany, Australia, and Canada. \u00abThreat actors are accelerating operations, moving from initial reconnaissance to deploying dormant backdoors designed to maintain long-term access even after organizations apply patches,\u00bb the cybersecurity company <a href=\"https:\/\/unit42.paloaltonetworks.com\/ivanti-cve-2026-1281-cve-2026-1340\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. 
In a related development, Germany&#8217;s Federal Office for Information Security (BSI) has <a href=\"https:\/\/www.bsi.bund.de\/SharedDocs\/Cybersicherheitswarnungen\/DE\/2026\/2026-221601-1032.pdf\" rel=\"noopener\" target=\"_blank\">reported<\/a> evidence of exploitation since the summer of 2025 and has urged organizations to audit their systems for indicators of compromise (IoCs) as far back as July 2025.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">AI passwords lack true randomness<\/span><\/p>\n<p class=\"td-desc\">\n      New research by Irregular has <a href=\"https:\/\/www.irregular.com\/publications\/vibe-password-generation\" rel=\"noopener\" target=\"_blank\">found<\/a> that passwords generated directly by a large language model (LLM) may appear strong but are fundamentally insecure, as \u00abLLMs are designed to predict tokens \u2013 the opposite of securely and uniformly sampling random characters.\u00bb The artificial intelligence (AI) security company said it detected LLM-generated passwords in the real world as part of code development tasks instead of leaning on traditional secure password generation methods. \u00abPeople and coding agents should not rely on LLMs to generate passwords,\u00bb the company said. \u00abLLMs are optimized to produce predictable, plausible outputs, which is incompatible with secure password generation. AI coding agents should be directed to use secure password generation methods instead of relying on LLM-output passwords. 
Developers using AI coding assistants should review generated code for hardcoded credentials and ensure agents use cryptographically secure methods or established password managers.\u00bb\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">PDF engine flaws enable account takeover<\/span><\/p>\n<p class=\"td-desc\">\n      Cybersecurity researchers have discovered more than a dozen vulnerabilities (<a href=\"https:\/\/novee.security\/blog\/from-pdf-to-pwn-scalable-0day-discovery-in-pdf-engines-and-services-using-multi-agent-llms-2\/\" rel=\"noopener\" target=\"_blank\">CVE-2025-70401, CVE-2025-70402, and CVE-2025-66500<\/a>) in popular PDF platforms from Foxit and Apryse, potentially allowing attackers to exploit them for account takeover, session hijacking, data exfiltration, and arbitrary JavaScript execution. \u00abRather than isolated bugs, the issues cluster around recurring architectural failures in how PDF platforms handle untrusted input across layers,\u00bb Novee Security researchers Lidor Ben Shitrit, Elad Meged, and Avishai Fradlis <a href=\"https:\/\/novee.security\/blog\/hacker-trained-ai-discovers-16-new-0-day-vulnerabilities-in-pdf-engines\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. 
\u00abSeveral vulnerabilities were exploitable with a single request and affected trusted domains commonly embedded inside enterprise applications.\u00bb The issues have been addressed by both Apryse and Foxit through product updates.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Training labs expose cloud backdoors<\/span><\/p>\n<p class=\"td-desc\">\n      A \u00abwidespread\u00bb security issue has been discovered where security vendors inadvertently expose deliberately vulnerable training applications, such as OWASP Juice Shop, DVWA, bWAPP, and Hackazon, to the public internet. This can open organizations to severe security risks when they are executed from a privileged cloud account. \u00abPrimarily deployed for internal testing, product demonstrations, and security training, these applications were frequently left accessible in their default or misconfigured states,\u00bb Pentera Labs <a href=\"https:\/\/pentera.io\/resources\/research\/exposed-cloud-training-apps\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abThese critical flaws not only allowed attackers full control over the compromised compute engine but also provided pathways for lateral movement into sensitive internal systems. 
Violations of the principle of least privilege and inadequate sandboxing measures further facilitated privilege escalation, endangering critical infrastructure and sensitive organizational data.\u00bb Further analysis has determined that threat actors are exploiting this blind spot to plant web shells, cryptocurrency miners, and persistence mechanisms on compromised systems.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Evasion loader refines C2 stealth<\/span><\/p>\n<p class=\"td-desc\">\n      The malware loader known as Oyster (aka Broomstick or CleanUpLoader) has continued to evolve into early 2026, fine-tuning its C2 infrastructure and obfuscation methods, per findings from Sekoia. The malware is distributed mainly through fake websites that distribute installers for legitimate software like Microsoft Teams, with the core payload often deployed as a DLL for persistent execution. \u00abThe initial stage leverages excessive legitimate API call hammering and simple anti-debugging traps to thwart static analysis,\u00bb the company <a href=\"https:\/\/blog.sekoia.io\/oysterloader-unmasked-the-multi-stage-evasion-loader\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abThe core payload is delivered in a highly obfuscated manner. The final stage implements a robust C2 communication protocol that features a dual-layer server infrastructure and highly-customized data encoding.\u00bb\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Stealer taunts researchers in code<\/span><\/p>\n<p class=\"td-desc\">\n      Noodlophile is the name given to an information-stealing malware that has been distributed via fake AI tools promoted on Facebook. 
Assessed to be the work of a threat actor based in Vietnam, it was first documented by Morphisec in May 2025. Since then, there have been other reports detailing various campaigns, such as UNC6229 and PXA Stealer, orchestrated by <a href=\"https:\/\/auteqia.garden\/posts\/malware\/pxastealer\/\" rel=\"noopener\" target=\"_blank\">Vietnamese cybercriminals<\/a>. Morphisec&#8217;s latest analysis of Noodlophile has revealed that the threat actor \u00abpadded the malware with millions of repeats of a colorful Vietnamese phrase translating to &#8216;f*** you, Morphisec,'\u00bb suggesting that the operators were not thrilled about getting exposed. \u00abNot just to vent frustration over disrupted campaigns, but also to bloat the file and crash AI-based analysis tools that are based on the Python disassemble library \u2013 dis.dis(obj),\u00bb security researcher Michael Gorelik <a href=\"https:\/\/www.morphisec.com\/blog\/noodlophile-stealer-when-cybercriminals-get-a-bit-salty\/\" rel=\"noopener\" target=\"_blank\">said<\/a>.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Crypto library RCE risk patched<\/span><\/p>\n<p class=\"td-desc\">\n      The OpenSSL project has patched a stack buffer overflow flaw that can lead to remote code execution attacks under certain conditions. The vulnerability, tracked as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-15467\" rel=\"noopener\" target=\"_blank\">CVE-2025-15467<\/a>, resides in how the library processes Cryptographic Message Syntax data. Threat actors can use CMS packets with maliciously crafted AEAD parameters to crash OpenSSL and run malicious code. CVE-2025-15467 is one of 12 issues that were <a href=\"https:\/\/aisle.com\/blog\/aisle-discovered-12-out-of-12-openssl-vulnerabilities\" rel=\"noopener\" target=\"_blank\">disclosed<\/a> by AISLE late last month. 
Another high-severity vulnerability is <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-11187\" rel=\"noopener\" target=\"_blank\">CVE-2025-11187<\/a>, which could trigger a stack-based buffer overflow due to missing validation.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Machine accounts expand delegation risk<\/span><\/p>\n<p class=\"td-desc\">\n      New research from Silverfort has cleared up a \u00abcommon assumption\u00bb, showing that <a href=\"https:\/\/www.silverfort.com\/glossary\/kerberos-delegation\/\" rel=\"noopener\" target=\"_blank\">Kerberos delegation<\/a> &#8212; which allows a service to request resources or perform actions on behalf of a user &#8212; applies not just to human users but to machine accounts as well. In other words, a service can be delegated to act on behalf of highly privileged machine identities such as domain controllers. \u00abThat means a service trusted for delegation can act not just on behalf of other users, but also on behalf of machine accounts, the most critical non-human identities (NHIs) in any domain,\u00bb Silverfort researcher Dor Segal <a href=\"https:\/\/www.silverfort.com\/blog\/delegation-part-two-insensitive-accounts\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abThe risk is obvious. If an adversary can leverage delegation, it can act on behalf of sensitive machine accounts, which in many environments hold privileges equivalent to Domain Administrator.\u00bb To counter the risk, it&#8217;s advised to run \u00abSet-ADAccountControl -Identity \u201cHOST01$\u201d -AccountNotDelegated $true\u00bb for each sensitive machine account.\n    <\/p>\n<\/p><\/div>\n<\/li>\n<\/ol>\n<\/section>\n<\/div>\n<p>Security news rarely breaks in isolation. One incident leads to another, new research builds on older findings, and attacker playbooks keep adjusting along the way. 
The result is a constant stream of signals that are easy to miss without a structured view.<\/p>\n<p>This roundup pulls those signals together into a single, readable snapshot. Go through the full list to get quick clarity on the developments shaping defender priorities and risk conversations right now.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Feb 19, 2026Cybersecurity \/ Hacking News The cyber threat space doesn\u2019t pause, and this week makes that clear. New risks, new tactics, and new security gaps are showing up&hellip;<\/p>\n","protected":false},"author":1,"featured_media":111,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[318,74,11,317,75,315,319,316,187],"class_list":["post-110","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-0days","tag-copilot","tag-flaws","tag-foxit","tag-leak","tag-openssl","tag-password","tag-rce","tag-stories"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/110","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=110"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/110\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/111"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=110"}],
"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=110"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=110"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}