{"id":50,"date":"2026-02-26T07:25:27","date_gmt":"2026-02-26T07:25:27","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=50"},"modified":"2026-02-26T07:25:27","modified_gmt":"2026-02-26T07:25:27","slug":"double-tap-skimmers-promptspy-ai-30tbps-ddos-docker-malware-more","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=50","title":{"rendered":"Double-Tap Skimmers, PromptSpy AI, 30Tbps DDoS, Docker Malware &#038; More"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\"><\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\"><\/i><span class=\"author\">Feb 23, 2026<\/span><\/span><span class=\"p-tags\">Cybersecurity \/ Hacking<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>Security news rarely moves in a straight line. This week, it feels more like a series of sharp turns, some happening quietly in the background, others playing out in public view. The details are different, but the pressure points are familiar.<\/p>\n<p>Across devices, cloud services, research labs, and even everyday apps, the line between normal behavior and hidden risk keeps getting thinner. Tools meant to protect, update, or improve systems are also becoming pathways when something goes wrong.<\/p>\n<p>This recap gathers the signals in one place. 
Quick reads, real impact, and developments that deserve a closer look before they become next week\u2019s bigger problem.<\/p>\n<h2 style=\"text-align: left;\"><strong>\u26a1 Threat of the Week<\/strong><\/h2>\n<p><strong>Dell RecoverPoint for VMs Zero-Day Exploited <\/strong>\u2014 A maximum severity security vulnerability in Dell RecoverPoint for Virtual Machines has been exploited as a zero-day by a suspected China-nexus threat cluster dubbed UNC6201 since mid-2024. The activity involves the exploitation of CVE-2026-22769 (CVSS score: 10.0), a case of hard-coded credentials affecting versions prior to 6.0.3.1 HF1. Per Google, the hard-coded credential relates to an \u00abadmin\u00bb user for the Apache Tomcat Manager instance that could be used to authenticate to the Dell RecoverPoint Tomcat Manager, upload a web shell named SLAYSTYLE via the \u00ab\/manager\/text\/deploy\u00bb endpoint, and execute commands as root on the appliance to drop the BRICKSTORM backdoor and its newer version dubbed GRIMBOLT.<\/p>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udd14 Top News<\/strong><\/h2>\n<ul>\n<li><strong><a href=\"https:\/\/thehackernews.com\/2026\/02\/three-former-google-engineers-indicted.html\" rel=\"noopener\" target=\"_blank\">Former Google Engineers Indicted Over Alleged Trade Secret Theft <\/a><\/strong>\u2014 Two former Google engineers and one of their husbands have been indicted in the U.S. for allegedly committing trade secret theft from the search giant and other tech firms and transferring the information to unauthorized locations, including Iran. Samaneh Ghandali, 41, and her husband Mohammadjavad Khosravi (aka Mohammad Khosravi), 40, along with her sister Soroor Ghandali, 32, were accused of conspiring to commit trade secret theft from Google and other leading technology companies, theft and attempted theft of trade secrets, and obstruction of justice. 
The defendants are said to have transferred hundreds of sensitive files to a third-party communications platform and then accessed them from Iran after Samaneh Ghandali and Khosravi traveled to Iran in December 2023.<\/li>\n<li><strong>PromptSpy Android Malware Abuses Gemini for Persistence <\/strong>\u2014 Researchers at ESET analyzed what they described as the first Android malware to leverage generative artificial intelligence (AI) during its execution to set up persistence. Called PromptSpy, the malware uses Google Gemini to analyze the current screen and provide step-by-step instructions on how to ensure the malicious app remains pinned in the recent apps list by taking advantage of the operating system&#8217;s accessibility services. There are signs that the campaign is likely targeting users in Argentina. Google told The Hacker News that it did not find any apps containing the malware being distributed via Google Play.<\/li>\n<li><strong>Kenyan Dissident&#8217;s Phone Cracked Using Cellebrite&#8217;s Tool <\/strong>\u2014 Evidence has emerged that Kenyan authorities used a commercial forensic extraction tool manufactured by Israeli company Cellebrite to break into a prominent dissident&#8217;s phone. The Citizen Lab said it found the indicators on a personal phone belonging to Boniface Mwangi, a Kenyan pro-democracy activist who has announced plans to run for president in 2027. In a related development, Amnesty International found that the iPhone belonging to Teixeira C\u00e2ndido, an Angolan journalist and press freedom advocate, was successfully targeted by Intellexa&#8217;s Predator spyware in May 2024 after he opened an infected link received via WhatsApp.<\/li>\n<li><strong>New Pre-Installed Android Malware Keenadu Detected in the Wild <\/strong>\u2014 A new Android backdoor that&#8217;s embedded deep into the device firmware can silently harvest data and remotely control its behavior, Kaspersky said. 
The malware, codenamed Keenadu, is said to have been delivered by means of compromised firmware through an over-the-air (OTA) update. This method allows it to run with high privileges from the moment the device is activated, providing attackers with extensive control over the device. It can also infect other installed apps, deploy additional software from APK files, and grant those apps any permission available on the system. Once active, Keenadu inherits elevated permissions and operates with minimal visibility. The malware triggers only under specific conditions, remaining dormant on devices set to Chinese languages or time zones and on those that lack the Google Play Store and Google Play Services. However, Keenadu&#8217;s distribution is not limited to pre-installed system components. In some cases, the malware has also been observed embedded within applications distributed through Android app stores. That said, there is very little a user can do when a piece of malware comes pre-installed on their brand new Android tablet. Because the malicious components are present in firmware rather than installed later as apps, affected users may have limited ability to detect or remove them through conventional methods. The activity has not been attributed to a specific threat actor, but Kaspersky said the developers demonstrated \u00aba deep understanding of the Android architecture, the app startup process, and the core security principles of the operating system.\u00bb<\/li>\n<li><strong>Password Managers&#8217; Zero Knowledge Claims Put to Test <\/strong>\u2014 A new study undertaken by researchers from ETH Zurich and Universit\u00e0 della Svizzera italiana has undermined claims from Bitwarden, Dashlane, and LastPass that the password managers guarantee \u00abzero knowledge\u00bb &#8212; an assurance that states there is no way for a malicious insider or a threat actor that has compromised the cloud infrastructure to access the vault data. 
Specifically, it found that these claims are not true under all circumstances, particularly when account recovery is in place, or password managers are set to share vaults or organize users into groups. The most severe of the attacks, targeting Bitwarden and LastPass, could allow an insider or attacker to read or write to the contents of entire vaults. Other attacks enable reading and modification of shared vaults. \u00abAttacks on the provider server infrastructure can be prevented by carefully designed operational security measures, but it is well within the bounds of reason to assume that these services are targeted by sophisticated nation-state-level adversaries, for example via software supply-chain attacks or spear-phishing,\u00bb the researchers said.<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udd25 Trending CVEs<\/strong><\/h2>\n<p>New vulnerabilities surface daily, and attackers move fast. Reviewing and patching early keeps your systems resilient.<\/p>\n<p>Here are this week\u2019s most critical flaws to check first \u2014 CVE-2026-22769 (Dell RecoverPoint for Virtual Machines), CVE-2026-25926 (Notepad++), CVE-2026-26119 (Microsoft Windows Admin Center), CVE-2026-2329 (Grandstream GXP1600 series), CVE-2025-65717 (Live Server), <a href=\"https:\/\/www.cisa.gov\/news-events\/ics-advisories\/icsa-26-043-10\" rel=\"noopener\" target=\"_blank\">CVE-2026-1358<\/a> (Airleader Master), <a href=\"https:\/\/jvn.jp\/en\/jp\/JVN84622767\/\" rel=\"noopener\" target=\"_blank\">CVE-2026-25108<\/a> (FileZen), <a href=\"https:\/\/www.cisa.gov\/news-events\/ics-advisories\/icsa-26-041-02\" rel=\"noopener\" target=\"_blank\">CVE-2026-25084, CVE-2026-24789<\/a> (ZLAN), <a href=\"https:\/\/www.tenable.com\/security\/research\/tra-2026-09\" rel=\"noopener\" target=\"_blank\">CVE-2026-2577<\/a> (Nanobot), <a href=\"https:\/\/nifi.apache.org\/documentation\/security\/\" rel=\"noopener\" target=\"_blank\">CVE-2026-25903<\/a> (Apache NiFi), <a 
href=\"https:\/\/github.com\/advisories\/GHSA-gf3v-fwqg-4vh7\" rel=\"noopener\" target=\"_blank\">CVE-2026-26019<\/a> (@langchain\/community), <a href=\"https:\/\/www.cisa.gov\/news-events\/ics-advisories\/icsa-26-048-04\" rel=\"noopener\" target=\"_blank\">CVE-2026-1670<\/a> (Honeywell CCTV), <a href=\"https:\/\/www.cisa.gov\/news-events\/ics-advisories\/icsa-26-043-09\" rel=\"noopener\" target=\"_blank\">CVE-2025-7740<\/a> (Hitachi Energy SuprOS), <a href=\"https:\/\/github.com\/better-auth\/better-auth\/security\/advisories\/GHSA-99h5-pjcv-gr6v\" rel=\"noopener\" target=\"_blank\">CVE-2025-61928<\/a> (better-auth), <a href=\"https:\/\/op-c.net\/blog\/cve-2026-20140-splunk-windows-privilege-escalation-dll-hijacking\/\" rel=\"noopener\" target=\"_blank\">CVE-2026-20140<\/a> (Splunk Enterprise for Windows), <a href=\"https:\/\/www.aikido.dev\/blog\/sveltespill-cache-deception-sveltekit-vercel\" rel=\"noopener\" target=\"_blank\">CVE-2026-27118<\/a> (<a href=\"https:\/\/github.com\/sveltejs\/kit\/security\/advisories\/GHSA-9pq4-5hcf-288c\" rel=\"noopener\" target=\"_blank\">@sveltejs\/adapter-vercel<\/a>), <a href=\"https:\/\/www.jenkins.io\/security\/advisory\/2026-02-18\/\" rel=\"noopener\" target=\"_blank\">CVE-2026-27099, CVE-2026-27100<\/a> (Jenkins), <a href=\"https:\/\/lists.apache.org\/thread\/6xk3t65qpn1myp618krtfotbjn1qt90f\" rel=\"noopener\" target=\"_blank\">CVE-2026-24733<\/a> (Apache Tomcat), <a href=\"https:\/\/chromereleases.googleblog.com\/2026\/02\/stable-channel-update-for-desktop_18.html\" rel=\"noopener\" target=\"_blank\">CVE-2026-2648, CVE-2026-2649, CVE-2026-2650<\/a> (Google Chrome), <a href=\"https:\/\/www.safebreach.com\/blog\/safebreach_labs_discovers_cve-2025-29969\/\" rel=\"noopener\" target=\"_blank\">CVE-2025-29969<\/a> (Windows Fundamentals), CVE-2025-64127, CVE-2025-64128, CVE-2025-64129, CVE-2025-64130 (Zenitel), <a 
href=\"https:\/\/www.rcesecurity.com\/2026\/02\/when-audits-fail-from-pre-auth-ssrf-to-rce-in-trufusion-enterprise\/\" rel=\"noopener\" target=\"_blank\">CVE-2025-32355, CVE-2025-59793<\/a> (TRUfusion Enterprise), <a href=\"https:\/\/www.wordfence.com\/blog\/2026\/02\/800000-wordpress-sites-affected-by-arbitrary-file-upload-vulnerability-in-wpvivid-backup-wordpress-plugin\/\" rel=\"noopener\" target=\"_blank\">CVE-2026-1357<\/a> (WPvivid Backup plugin), <a href=\"https:\/\/www.rcesecurity.com\/2025\/11\/exploiting-a-pre-auth-rce-in-w3-total-cache-for-wordpress-cve-2025-9501\/\" rel=\"noopener\" target=\"_blank\">CVE-2025-9501<\/a> (W3 Total Cache plugin), <a href=\"https:\/\/support.eset.com\/en\/ca8913-eset-customer-advisory-local-privilege-escalation-via-insecure-temporary-batch-file-execution-in-eset-management-agent-for-windows-fixed\" rel=\"noopener\" target=\"_blank\">CVE-2025-13818<\/a> (ESET Management Agent for Windows), <a href=\"https:\/\/rainpwn.blog\/blog\/cve-2025-11730\/\" rel=\"noopener\" target=\"_blank\">CVE-2025-11730<\/a> (ZYXEL ATP\/USG series), <a href=\"https:\/\/xlab.tencent.com\/en\/2026\/01\/06\/xlab-26-001\/\" rel=\"noopener\" target=\"_blank\">CVE-2025-67303<\/a> (ComfyUI), and <a href=\"https:\/\/ssd-disclosure.com\/joomla-novarain-tassos-framework-vulnerabilities\/\" rel=\"noopener\" target=\"_blank\">Joomla! unauthenticated file read, unauthenticated file deletion, and SQL injection vulnerabilities<\/a> in Novarain\/Tassos Framework (no CVEs).<\/p>\n<h2 style=\"text-align: left;\"><strong>\ud83c\udfa5 Cybersecurity Webinars<\/strong><\/h2>\n<ul>\n<li><a href=\"https:\/\/thehacker.news\/post-quantum-cryptography?source=recap\" rel=\"noopener\" target=\"_blank\">Learn How to Future-Proof Your Encryption Before Quantum Breaks It<\/a> \u2192 Quantum computing is accelerating, and attackers are harvesting encrypted data for future decryption. 
This webinar covers practical post-quantum cryptography, hybrid encryption, and Zero Trust strategies to protect sensitive data before quantum threats become real.<\/li>\n<li><a href=\"https:\/\/thehacker.news\/ai-agents-attack-surface?source=recap\" rel=\"noopener\" target=\"_blank\">Beyond the Model: Securing AI Agents in Real-World Systems<\/a> \u2192 As organizations deploy autonomous AI agents with tool access and system permissions, the attack surface shifts beyond the model itself. This session explores indirect prompt injection, privilege escalation, multi-agent risk, and practical strategies to secure real-world AI systems without breaking workflows.<\/li>\n<li><a href=\"https:\/\/thehacker.news\/automate-testing-security-posture?source=recap\" rel=\"noopener\" target=\"_blank\">Pressure-Test Your Controls With Continuous CTI-Driven Validation<\/a> \u2192 Security budgets are rising, yet breaches continue. This session shows how to move beyond assumption-based testing to continuous, CTI-driven exposure validation\u2014pressure-testing controls against real attacker behavior, automating security checks, and building measurable resilience without overspending.<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udcf0 Around the Cyber World<\/strong><\/h2>\n<ul>\n<li><strong>Online Store Infected with Skimmer <\/strong>\u2014 The online store of a top-10 global supermarket chain has been infected with skimmer malware that scans for admin users of WordPress, Magento, PrestaShop, and OpenCart to evade detection. \u00abThe attack combines two components: a seemingly off-the-shelf skimmer framework with integrations for four popular e-commerce platforms, and a carefully localized fake payment form,\u00bb Sansec <a href=\"https:\/\/sansec.io\/research\/global-retailer-prestashop-hacked\" rel=\"noopener\" target=\"_blank\">said<\/a>. 
\u00abThis fraud is called &#8216;double-tap skimming&#8217;: customers enter their card details into the fake form first, then see the real payment form where they have to enter their data again. Most people just accept that and complete the order, unaware their data was just stolen.\u00bb The breach coincides with a broader wave of attacks targeting PrestaShop stores. In January 2026, PrestaShop <a href=\"https:\/\/help-center.prestashop.com\/hc\/en-us\/articles\/33259937046034-Security-Alert-Recommended-Check-of-Your-Stores\" rel=\"noopener\" target=\"_blank\">urged<\/a> merchants to check their stores for skimmers injected into theme template files.<\/li>\n<li><strong>Nigeria Arrests 7 for Running Scam Center <\/strong>\u2014 Nigerian authorities arrested seven suspects who ran a cyber scam center in the city of Agbor. The group used social media ads to lure U.K. victims to bogus crypto investment portals. Hundreds of fake Facebook accounts were potentially used to target victims. \u00abUsing these bogus social media accounts to impersonate cryptocurrency traders, they targeted people who used legitimate investment platforms, sharing false positive reviews to lure people into sending money to the fraudsters,\u00bb the U.K. National Crime Agency (NCA) <a href=\"https:\/\/www.nationalcrimeagency.gov.uk\/news\/fraudsters-arrested-in-nigeria-following-nca-intelligence-sharing\" rel=\"noopener\" target=\"_blank\">said<\/a>. Meta said it&#8217;s working with law enforcement to identify and remove all accounts used in these operations. 
\u00abThe group used fake social media accounts impersonating cryptocurrency traders, along with fraudulent Facebook groups featuring fabricated testimonials, to target individuals engaging with legitimate investment platforms,\u00bb it <a href=\"https:\/\/about.fb.com\/news\/2026\/02\/meta-works-with-the-uk-national-crime-agency-and-the-nigerian-police-force-to-disrupt-alleged-online-scams-centre-in-nigeria\/\" rel=\"noopener\" target=\"_blank\">added<\/a>. In the first half of 2025, the company noted it took down 12 million accounts across Facebook, Instagram, and WhatsApp associated with criminal scam centers.<\/li>\n<li><strong>LonTalk Protocol Analyzed <\/strong>\u2014 Claroty has called attention to security risks posed by the LonTalk proprietary protocol that&#8217;s used for device-to-device communication in building management and automation systems (BMS and BAS). \u00abLonTalk should not be underestimated as an attack vector for hacktivists and criminal entities, especially as BMS is enabled over IP networks,\u00bb the company <a href=\"https:\/\/claroty.com\/team82\/research\/examining-the-legacy-bms-lontalk-protocol\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abLonTalk is certainly still relevant to BMS cybersecurity discussions, especially as BMS finds its way online for a number of strategic and bottom-line reasons. Commercial real estate, retail, hospitality, and data center sectors rely on BMS systems such as HVAC (heating, ventilation, and air conditioning), lighting, energy management, and security. 
Previously, these systems were operated independently by facility management, but they are now increasingly connected and integrated through advanced BMS and BAS capabilities.\u00bb<\/li>\n<li><strong>GrayCharlie Uses Compromised WordPress Sites to Deliver RATs <\/strong>\u2014 A threat actor known as GrayCharlie (aka HANEYMANEY, SmartApeSG, and ZPHP) has been observed compromising WordPress sites and injecting them with links to externally hosted JavaScript that redirects visitors to NetSupport RAT payloads delivered via fake browser update pages or ClickFix mechanisms. The threat first emerged in mid-2023. \u00abThese infections often progress to the deployment of StealC and SectopRAT,\u00bb Recorded Future <a href=\"https:\/\/www.recordedfuture.com\/research\/graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack\" rel=\"noopener\" target=\"_blank\">said<\/a>. While most compromised websites appear to be opportunistic and span numerous industries, the cybersecurity company said it identified a cluster of U.S. law firm sites that were likely compromised around November 2025, likely through a supply chain attack involving a shared IT provider.<\/li>\n<li><strong>Why Patch Everything is a Recipe for Burnout <\/strong>\u2014 Dataminr&#8217;s 2026 Cyber Threat Landscape Report has revealed that the \u00abpatching treadmill is broken,\u00bb driven by reliance on CVSS scores and a surge in patch bypasses, where vendors don&#8217;t address the root causes of issues, thereby opening the door to re-exploitation by threat actors days or weeks after the initial patch was released. \u00abWith thousands of CVEs disclosed every year, security teams can\u2019t just rely on the common vulnerability severity score (CVSS) to decide what to patch,\u00bb Dataminr <a href=\"https:\/\/www.dataminr.com\/resources\/blog\/reflections-on-2026-cyber-threat-landscape-report\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. 
\u00abThese scores focus on the technical impacts of a vulnerability, but tell you very little about actual risk to your organization. There has to be a balance between the CVSS, potential economic impact, exposure, and likelihood of being targeted. The focus has to shift from &#8216;is this a critical CVE?&#8217; to &#8216;is this specific flaw being targeted in my sector, and can the attacker actually reach my crown jewels through it?&#8217;\u00bb<\/li>\n<li><strong>Phishing Campaigns in Taiwan Deliver Winos 4.0 <\/strong>\u2014 Phishing campaigns have targeted Taiwan with themes designed to exploit local business processes and ultimately deliver a known remote access trojan called Winos 4.0 (aka ValleyRAT) and malicious plugins through weaponized attachments or embedded links. \u00abThe lures mimic official communications, such as tax audit notifications, tax filing software installers, and cloud-based e-invoice downloads,\u00bb Fortinet FortiGuard Labs <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/massive-winos-40-campaigns-target-taiwan\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abOver the past two months, we have identified various delivery techniques, including malicious LNK files used for a downloader, DLL side-loading via legitimate executables to load shellcode, and BYOVD (Bring Your Own Vulnerable Driver) attacks using &#8216;wsftprm.sys.&#8217;\u00bb The driver is used to terminate processes associated with a hard-coded list of security products. The use of Winos 4.0 is unique to a Chinese cybercrime group known as <a href=\"https:\/\/bbs.kafan.cn\/thread-2288675-1-1.html\" rel=\"noopener\" target=\"_blank\">Silver Fox<\/a>.<\/li>\n<li><strong>Teams Gets Brand Impersonation Protection <\/strong>\u2014 Microsoft said it will roll out Brand Impersonation Protection for Teams Calling starting mid-March 2026 to detect and warn users of suspicious external calls and reduce fraud risks. 
\u00abIt will be enabled by default, requires no admin action, and aims to enhance security without changing existing policies,\u00bb Microsoft <a href=\"https:\/\/mc.merill.net\/message\/MC1219793\" rel=\"noopener\" target=\"_blank\">said<\/a>. The tech giant is also planning to <a href=\"https:\/\/mc.merill.net\/message\/MC1223828\" rel=\"noopener\" target=\"_blank\">introduce<\/a> a \u00abReport a Call\u00bb feature by mid-March 2026 to let users flag suspicious one-to-one calls.<\/li>\n<li><strong>2025 Records 508 ICS Advisories from CISA <\/strong>\u2014 Between March 2010 and January 31, 2026, CISA\/ICS-CERT published 3,637 ICS advisories about 12,174 vulnerabilities affecting 2,783 products from 689 vendors, Forescout <a href=\"https:\/\/www.forescout.com\/blog\/ics-cybersecurity-in-2026-vulnerabilities-and-the-path-forward\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. 2025 recorded a high of 508 ICS advisories, covering 2,155 vulnerabilities across various products and vendors. It is the first year to exceed 500 advisories. The average severity rose to a CVSS score of 8.07, and 82% of advisories were classified as high or critical. 
In contrast, back in 2010, the average was 6.44, which is classified as medium severity.<\/li>\n<li><strong>Microsoft Unveils LiteBox <\/strong>\u2014 Microsoft has released <a href=\"https:\/\/github.com\/microsoft\/litebox\" rel=\"noopener\" target=\"_blank\">LiteBox<\/a>, a Rust-based project described as a \u00absandboxing library OS that drastically cuts down the interface to the host, thereby reducing attack surface.\u00bb Developed in collaboration with the Linux Virtualization Based Security (<a href=\"https:\/\/kernel-recipes.org\/en\/2025\/schedule\/linux-virtualization-based-security-why-what-and-how\/\" rel=\"noopener\" target=\"_blank\">LVBS<\/a>) project, it aims to sandbox applications by minimizing host system interactions, supporting use cases such as running Linux programs on Windows or sandboxing Linux applications.<\/li>\n<li><strong>ChainedShark Targets Chinese Research Sector <\/strong>\u2014 A new APT group codenamed ChainedShark is targeting China&#8217;s academic and scientific research sector. Active since May 2024, the group has focused mainly on collecting intelligence on Chinese diplomacy and marine technology. Past victims include universities and research institutions specializing in international relations. Its arsenal integrates N-day vulnerability exploits and highly complex custom trojans such as LinkedShell. \u00abChainedShark exhibits clear geopolitical motivations, focusing its attacks on experts and scholars in international relations and marine sciences within Chinese academic and research institutions,\u00bb NSFOCUS <a href=\"https:\/\/nsfocusglobal.com\/top-security-incidents-of-2025-the-emergence-of-the-chainedshark-apt-group\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abThe group demonstrates strong social engineering capabilities, crafting fluent, natural, and high-quality Chinese-language lures. 
It skillfully exploits professional scenarios\u2014such as conference invitations and academic call-for-papers\u2014to create deceptive attack vectors, effectively lowering targets&#8217; guard.\u00bb<\/li>\n<li><strong>Samsung Weather App Used for User Fingerprinting <\/strong>\u2014 New research has uncovered that Samsung&#8217;s pre-installed weather app is fingerprinting its users by means of a \u00abplaceid\u00bb parameter that&#8217;s trivially observable by the weather API provider. A test conducted on 42 Samsung devices found that the fingerprints were unique per device and survived IP changes across providers and VPN use. \u00abAnalysis of 9,211 weather API requests from 42 Samsung device owners over five days demonstrates that placeid combinations produce unique user identifiers in 96.4% of cases,\u00bb Buchodi&#8217;s Threat Intel <a href=\"https:\/\/www.buchodi.com\/your-samsung-weather-app-is-a-fingerprint\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abEvery user with two or more saved locations had a fingerprint shared by no one else in the dataset.\u00bb This effectively turns saved locations into a persistent cross-session tracking identifier, as each placeid identifies a unique location. The fingerprint represents an aggregate of all placeid values associated with a device&#8217;s saved locations. In other words, a user tracking a combination of more than two or three locations can be uniquely identified.<\/li>\n<li><strong>DDoS Attacks Jump 168% in 2025 <\/strong>\u2014 A <a href=\"https:\/\/www.radware.com\/threat-analysis-report\/\" rel=\"noopener\" target=\"_blank\">new analysis<\/a> released by Radware has revealed that the number of web DDoS attacks climbed 101.4% in 2025 compared to 2024, and bad bot activity increased 91.8%, fueled by generative AI tools. Malicious web application and API transactions rose 128% year over year. 
Network-layer DDoS attacks increased 168.2% year over year, with peak attack volumes reaching almost 30 terabits per second (Tbps). \u00abTechnology, telecommunications, and financial services were the most targeted sectors, together accounting for the majority of large-scale network DDoS campaigns,\u00bb Radware said. \u00abThe technology sector alone represented 45% of all network-layer DDoS attacks, up sharply from 8.77% in 2024.\u00bb Hacktivism, fueled by geopolitical and ideological conflict, remained a primary driver of DDoS activity.<\/li>\n<li><strong>Over 2,500 Malicious Images Flagged on Docker Hub <\/strong>\u2014 Qualys said it discovered more than 2,500 malicious images hosted on the Docker Hub. Of these, around 70% of them contained a hidden cryptominer. Others included backdoors, exploits, ransomware, keyloggers, and proxy infrastructure. \u00abPulling container images from public registries is no longer a neutral operational step,\u00bb the company <a href=\"https:\/\/blog.qualys.com\/product-tech\/2026\/01\/22\/public-container-registry-security-risks-malicious-images\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abIt is a trust decision that directly affects infrastructure stability, cloud costs, and security risk.\u00bb<\/li>\n<li><strong>Nearly 1T Scam Ads Served on Social Media in 2025 <\/strong>\u2014 According to <a href=\"https:\/\/www.juniperresearch.com\/resources\/free-research\/protecting-users-from-scam-ads-a-call-for-social-media-platform-accountability\/\" rel=\"noopener\" target=\"_blank\">new findings<\/a> from Juniper Research, online tech platforms made \u00a33.8 billion ($5.2 billion) in revenue from malicious or scam ads in Europe alone. Nearly 1 trillion scam ads were served to social media users in 2025. 
The analyst firm also <a href=\"https:\/\/www.juniperresearch.com\/press\/fraudulent-ecommerce-transactions-to-surpass-131bn\/\" rel=\"noopener\" target=\"_blank\">revealed<\/a> earlier this month that e-commerce fraud will rise from $56 billion in 2025 to $131 billion in 2030, posting a 133% increase over the period.<\/li>\n<li><strong>Malicious npm Packages Hijack Gambling Outcomes <\/strong>\u2014 Researchers have discovered malicious npm packages, json-bigint-extend, jsonfx, and jsonfb, that mimic the legitimate json-bigint library, but contain functionality to install two backdoors to execute additional code fetched from an endpoint, run arbitrary SQL commands, download file contents, and list server-side files and directories. \u00abUpon further inspection of the fetched code, it seems to be a complex cashflow-rewriting system used to manipulate a gambling game,\u00bb Aikido <a href=\"https:\/\/www.aikido.dev\/blog\/npm-backdoor-lets-hackers-hijack-gambling-outcomes\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abThe most sophisticated component of this backdoor is the fixFlow function, a balance manipulation engine that retroactively rewrites a user&#8217;s gambling history to achieve a desired balance change while maintaining the appearance of legitimate gameplay.\u00bb It&#8217;s suspected that the malware is designed to target a gambling app named Bappa Rummy. It&#8217;s no longer listed on the official Google Play Store.<\/li>\n<li><strong>Telegram Disputes Claims About Encryption <\/strong>\u2014 The head of Russia&#8217;s FSB security service, Bortnikov, <a href=\"https:\/\/www.reuters.com\/business\/media-telecom\/telegram-dismisses-russian-claims-about-encryption-breaches-by-foreign-2026-02-19\/\" rel=\"noopener\" target=\"_blank\">accused<\/a> Telegram of harboring criminal activity and failing to act on reports from Russian authorities. Bortnikov said Telegram ignored more than 150,000 requests for removal from Russian authorities. 
Russian officials also claimed that foreign intelligence services could read messages sent by Russian soldiers over the app. The messaging platform said \u00abno breaches of Telegram&#8217;s encryption have ever been found.\u00bb The development comes as Russia started blocking and throttling Telegram traffic last week.<\/li>\n<li><strong>Nigerian Man Sentenced to Eight Years in Prison for Bogus Tax Refund Scheme <\/strong>\u2014 A 37-year-old Nigerian man named <a href=\"https:\/\/www.justice.gov\/usao-ma\/pr\/computer-intrusion-and-theft-charges-unsealed-against-two-men\" rel=\"noopener\" target=\"_blank\">Matthew A. Akande<\/a>, who was living in Mexico, was sentenced to eight years in prison in the U.S. for his role in a criminal operation that involved unauthorized access to the computer networks of tax preparation firms in Massachusetts. Between about June 2016 and June 2021, Akande conspired to use stolen taxpayer information to file over 1,000 fraudulent tax returns seeking millions of dollars in tax refunds, the Justice Department said. The defendant was also ordered to pay $1,393,230 in restitution. He was arrested in October 2024 in the U.K. and extradited to the U.S. in March 2025. \u00abTo carry out the scheme, Akande caused fraudulent phishing emails to be sent to five Massachusetts tax preparation firms,\u00bb the department <a href=\"https:\/\/www.justice.gov\/usao-ma\/pr\/nigerian-man-sentenced-eight-years-prison-computer-intrusion-and-theft\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abThe emails purported to be from a prospective client seeking the tax preparation firms\u2019 services, but in truth were used to trick the firms into downloading remote access trojan malicious software (RAT malware), including malware known as Warzone RAT. 
Akande used the RAT malware to obtain the PII and prior year tax information of the tax preparation firms&#8217; clients, which Akande then used to cause fraudulent tax returns to be filed seeking refunds.\u00bb Warzone RAT&#8217;s infrastructure was seized by the U.S. Federal Bureau of Investigation in February 2024.<\/li>\n<li><strong>New Campaigns Distribute njRAT, Pulsar RAT, XWorm, and Prometei <\/strong>\u2014 In a new campaign, threat actors are <a href=\"https:\/\/www.netresec.com\/?page=Blog&amp;month=2026-02&amp;post=njRAT-runs-MassLogger\" rel=\"noopener\" target=\"_blank\">leveraging<\/a> the njRAT remote access trojan to deliver the MassLogger infostealer. Another campaign has been <a href=\"https:\/\/www.pointwild.com\/threat-intelligence\/when-malware-talks-back\" rel=\"noopener\" target=\"_blank\">found<\/a> to use a Donut loader to distribute Pulsar RAT as part of a sophisticated, multi-stage malware attack. What&#8217;s notable about this activity is that Pulsar RAT is used to actively control a compromised host, allowing an attacker to initiate a real-time chat session with the victim to interact and probe system usage. Also discovered are two campaigns using phishing emails to distribute XWorm: One uses a <a href=\"https:\/\/any.run\/cybersecurity-blog\/xworm-latam-campaign\/\" rel=\"noopener\" target=\"_blank\">JavaScript dropper to target Brazilian users<\/a>, and another begins with phishing emails delivering a <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/deep-dive-into-new-xworm-campaign-utilizing-multiple-themed-phishing-emails\" rel=\"noopener\" target=\"_blank\">malicious Excel attachment<\/a> to targeted users. The Excel file exploits CVE-2018-0802, a memory corruption flaw in Office patched in 2018, to download and execute an HTA file on the victim&#8217;s device, which, in turn, triggers PowerShell to download and run a fileless .NET module directly into memory. 
The module then uses process hollowing to inject and execute the XWorm payload within a newly created MSBuild.exe process. Last but not least, Windows servers are being targeted by threat actors to infect them with a botnet known as Prometei. \u00abIt features extensive capabilities, including remote control functionality, credential harvesting, crypto-mining (Monero), lateral movement, command-and-control (C2) over both the clearweb and TOR network, and self-preservation measures that harden compromised systems against other threat actors, to maintain exclusive access,\u00bb eSentire <a href=\"https:\/\/www.esentire.com\/blog\/tenant-from-hell-prometeis-unauthorized-stay-in-your-windows-server\" rel=\"noopener\" target=\"_blank\">said<\/a>.<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udd27 Cybersecurity Tools<\/strong><\/h2>\n<ul>\n<li><a href=\"https:\/\/github.com\/megamansec\/gixy-next\" rel=\"noopener\" target=\"_blank\">Gixy Next<\/a> \u2192 It is an open-source security analysis tool designed to audit NGINX configurations for common misconfigurations and vulnerabilities. It scans configuration files to detect issues such as unsafe directives, incorrect access controls, and insecure proxy settings that could expose applications to attacks. Built as a successor to the original Gixy project, it aims to provide updated checks and improved rule coverage for modern NGINX deployments.<\/li>\n<li><a href=\"https:\/\/github.com\/MayerDaniel\/the-one-wsl-bof\" rel=\"noopener\" target=\"_blank\">The-One-WSL-BOF<\/a> \u2192 It is an open-source Cobalt Strike Beacon Object File that lets operators interact with Windows Subsystem for Linux (WSL) directly from a Beacon session. It can list WSL distributions and run commands inside them without launching wsl.exe, reducing visible process activity and some logging artifacts.<\/li>\n<\/ul>\n<p><em>Disclaimer: These tools are provided for research and educational use only. 
They are not security-audited and may cause harm if misused. Review the code, test in controlled environments, and comply with all applicable laws and policies.<\/em><\/p>\n<h2 style=\"text-align: left;\"><strong>Conclusion<\/strong><\/h2>\n<p>If one theme runs through this week, it is quiet exposure. Risk is showing up in routine updates, trusted tools, and features most teams rarely question until something breaks.<\/p>\n<p>The real issue is not a single flaw but the pattern beneath it. Small weaknesses are being chained together and scaled with automation faster than defenders can adjust.<\/p>\n<p>Scan the full list carefully. One of these short updates will likely map closer to your own environment than it first appears.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Feb 23, 2026Cybersecurity \/ Hacking Security news rarely moves in a straight line. This week, it feels more like a series of sharp turns, some happening quietly in the&hellip;<\/p>\n","protected":false},"author":1,"featured_media":51,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[134,135,136,131,42,133,132],"class_list":["post-50","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-30tbps","tag-ddos","tag-docker","tag-doubletap","tag-malware","tag-promptspy","tag-skimmers"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/50","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2F
wp%2Fv2%2Fcomments&post=50"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/50\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/51"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=50"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=50"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=50"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}