

South Korean National Tax Service Exposes Ledger Wallet Seed, Leading to $4.8M PRTG Token Theft
Executive Summary On February 26, 2026, South Korea’s National Tax Service (NTS) inadvertently exposed the mnemonic (seed) phrase of a seized Ledger hardware wallet in an official press release, resulting in the immediate theft of approximately $4.8 million in Pre-Retogeum (PRTG) tokens. The seed phrase, visible in photographs published online, enabled an unknown actor to gain full control of the wallet and transfer all assets out in a series of transactions. This incident
Mar 1 · 5 min read


Malicious Go Module github.com/xinfeisoft/crypto Targets Ubuntu and CI/CD Environments With Rekoobe Backdoor and Credential Theft
Executive Summary A highly sophisticated supply chain attack has been identified involving a malicious Go module, github.com/xinfeisoft/crypto , which masquerades as the legitimate golang.org/x/crypto library. This module is engineered to covertly exfiltrate sensitive credentials entered via terminal prompts, establish persistent SSH access, and deploy the advanced Rekoobe Linux backdoor. The campaign leverages namespace confusion, GitHub-hosted staging, and multi-stage pay
Mar 1 · 4 min read


Ongoing Cyberattack Exploits Sangoma FreePBX CVE-2025-64328: Over 900 Instances Compromised by Web Shells
Executive Summary A significant and ongoing cyberattack campaign has resulted in the compromise of over 900 instances of Sangoma FreePBX , a widely deployed open-source VoIP PBX platform. Attackers are exploiting a critical post-authentication command injection vulnerability, CVE-2025-64328 , to deploy persistent PHP-based web shells, most notably EncystPHP , on vulnerable systems. This campaign, tracked by organizations such as Shadowserver and Fortinet , is global in scope
Mar 1 · 5 min read


ScarCruft Exploits Zoho WorkDrive and USB Malware to Compromise Air-Gapped Government and Defense Networks
Executive Summary The North Korean state-sponsored threat actor ScarCruft (also known as APT37 ) has recently executed a highly sophisticated cyber-espionage campaign that leverages both cloud-based and removable media vectors to compromise even the most isolated, air-gapped networks. This campaign, tracked as Ruby Jumper , is notable for its abuse of Zoho WorkDrive as a command-and-control (C2) channel and the deployment of advanced USB malware to bridge the gap between in
Mar 1 · 5 min read


Critical CVE-2026-21902 Vulnerability in Juniper Networks PTX Series Routers Running Junos OS Evolved: Full Device Takeover Risk and Mitigation Steps
Executive Summary A critical vulnerability, CVE-2026-21902 , has been discovered in Juniper Networks PTX Series Routers running Junos OS Evolved . This flaw enables unauthenticated, remote attackers to execute arbitrary code as root, potentially resulting in a complete device takeover. The vulnerability stems from incorrect permission assignment in the On-Box Anomaly Detection framework, which is externally exposed by default. This exposure creates a significant risk for org
Mar 1 · 4 min read


APT37’s Ruby Jumper Malware Targets Air-Gapped Windows Networks with USB-Based Attacks
Executive Summary In late 2025, the North Korean advanced persistent threat group APT37 (also known as ScarCruft , Ruby Sleet , and Velvet Chollima ) was observed deploying a new, highly sophisticated malware campaign targeting air-gapped networks. This campaign, referred to as Ruby Jumper by Zscaler ThreatLabz, leverages a multi-stage infection chain and novel malware families to bridge the security gap between isolated, high-value environments and the internet. The attack
Mar 1 · 5 min read


ManoMano Zendesk Data Breach Exposes 38 Million Customers Across Europe: Incident Analysis and Security Implications
Executive Summary In January 2026, ManoMano , a leading European e-commerce platform specializing in DIY, home improvement, and gardening products, detected unauthorized access to customer data via a third-party customer support service provider. The breach, which was publicly disclosed in late February 2026, impacted approximately 38 million individuals across France, Belgium, Spain, Italy, Germany, and the United Kingdom. The compromised data includes full names, email addr
Mar 1 · 5 min read


Canadian Tire E-Commerce Database Breach Exposes Data of 38 Million Customer Accounts in 2025
Executive Summary In October 2025, Canadian Tire experienced a significant data breach impacting approximately 38 million customer accounts. The breach resulted in the exposure of personally identifiable information (PII), including names, email addresses, phone numbers, physical addresses, dates of birth, and encrypted passwords. For a subset of users, partial credit card data—such as card type, expiry date, and masked card numbers—was also compromised. No bank account or l
Mar 1 · 5 min read


Trend Micro Apex One On-Premise Critical RCE Vulnerabilities (CVE-2025-54948, CVE-2025-54987) Exploited in the Wild – Urgent Patch Required
Executive Summary Trend Micro has released urgent security patches addressing two critical remote code execution (RCE) vulnerabilities in the Apex One (on-premise) Management Console, identified as CVE-2025-54948 and CVE-2025-54987 . Both vulnerabilities are rated CVSS 9.4 (Critical) and have been confirmed as exploited in the wild. These flaws enable pre-authenticated remote attackers to upload malicious code and execute arbitrary commands on affected systems, posing a se
Feb 26 · 4 min read


Google Disrupts UNC2814 GRIDTIDE Malware Abusing Google Sheets API in Global Telecom and Government Espionage Campaign
Executive Summary Google, in collaboration with Mandiant and industry partners, has disrupted the infrastructure of a suspected China-nexus cyber espionage group tracked as UNC2814 following confirmed breaches of at least 53 organizations across 42 countries. The campaign, which has been active since at least 2017, primarily targeted global telecommunications providers and government organizations. The attackers leveraged a novel backdoor, GRIDTIDE , which abused the Google
Feb 26 · 5 min read


US Sanctions Russian Exploit Broker Operation Zero for Theft and Sale of Zero-Day Exploits Targeting US Systems
Executive Summary Publication Date: February 24, 2026 On February 24, 2026, the United States Department of the Treasury and Department of State announced sweeping sanctions against the Russian exploit broker Operation Zero and its principal, Sergey Sergeyevich Zelenyuk , under the Protecting American Intellectual Property Act (PAIPA). This unprecedented action targets the illicit trade in zero-day vulnerabilities and the theft of proprietary US cyber tools, marking the firs
Feb 26 · 6 min read


CVE-2026-20127: Critical Zero-Day Exploited in Cisco Catalyst SD-WAN Controller and Manager by Advanced Hackers
Executive Summary A critical zero-day vulnerability, CVE-2026-20127 , has been discovered and actively exploited in the wild, targeting Cisco Catalyst SD-WAN Controller (formerly vSmart ) and Cisco Catalyst SD-WAN Manager (formerly vManage ). This vulnerability, rated with a maximum CVSS score of 10.0, enables unauthenticated remote attackers to bypass authentication and obtain administrative privileges, granting them full control over affected SD-WAN environments. The expl
Feb 26 · 5 min read


Critical Cisco SD-WAN Zero-Day (CVE-2026-20127) Enables Remote Admin Access: Active Exploitation and Mitigation Guidance
Executive Summary CVE-2026-20127 is a critical zero-day authentication bypass vulnerability (CVSS 10.0) affecting Cisco 's flagship SD-WAN products, specifically Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). This vulnerability has been actively exploited in the wild since at least 2023 by a highly sophisticated threat actor tracked as UAT-8616 . Successful exploitation allows unauthenticated remote attackers to ga
Feb 26 · 4 min read


Dohdoor Backdoor Attack: UAT-10027 Targets Windows Systems in U.S. Education and Healthcare Sectors
Executive Summary The threat actor UAT-10027 has launched a sophisticated cyber campaign targeting the U.S. education and healthcare sectors, deploying a novel backdoor known as Dohdoor . This malware leverages DNS-over-HTTPS (DoH) for covert command-and-control (C2) communications, enabling it to bypass traditional network monitoring and security controls. The campaign, active since at least December 2025, utilizes advanced evasion techniques such as DLL sideloading, proces
Feb 26 · 4 min read


Olympique Marseille Cyberattack 2026: Club Confirms Attempted Website Breach Amid Supporter Data Leak Claims
Executive Summary On February 23, 2026, Olympique Marseille became the subject of a public cyberattack claim, with a hacker alleging possession and intent to sell a database containing information on approximately 400,000 supporters. The club responded promptly, issuing an official statement on February 24, 2026, confirming an attempted cyber intrusion but disputing the scale of the breach. Olympique Marseille emphasized that no banking data or passwords were compromised and
Feb 26 · 5 min read
Operation MacroMaze: APT28 Exploits Microsoft Office Macros and Webhook[.]site for Spear-Phishing Attacks Against European Critical Infrastructure
Executive Summary Between late 2025 and early 2026, the Russian state-sponsored threat group APT28 (also known as Fancy Bear , STRONTIUM , Sofacy , and Sednit ) orchestrated a sophisticated spear-phishing campaign targeting governmental, diplomatic, and critical infrastructure organizations across Western and Central Europe. This operation, widely referred to as Operation MacroMaze , leveraged macro-enabled Microsoft Office documents that exploited webhook-based infrastructu
Feb 24 · 4 min read


RustyWater: Iranian MuddyWater APT Targets Israeli Government and Infrastructure With Advanced Rust-Based Malware Amid Rising Tensions
Executive Summary The Iranian state-sponsored advanced persistent threat group MuddyWater (also tracked as Mango Sandstorm , TA450 , Seedworm , and G0069 ) has escalated its cyber-espionage operations in early 2026, deploying a sophisticated new malware family as geopolitical tensions in the Middle East intensify. The latest campaign is characterized by the use of a Rust-based remote access trojan, RustyWater , which demonstrates significant advancements in stealth, persiste
Feb 24 · 4 min read


UnsolicitedBooker APT Targets Kyrgyzstan and Tajikistan Telecoms With LuciDoor and MarsSnake Backdoors
Executive Summary The China-aligned advanced persistent threat (APT) group UnsolicitedBooker has recently intensified its cyber-espionage operations against telecommunications providers in Central Asia, specifically targeting organizations in Kyrgyzstan and Tajikistan. Leveraging highly tailored spear-phishing campaigns, the group deploys two rare and technically sophisticated backdoors, LuciDoor and MarsSnake , both written in C++. These campaigns demonstrate a significant
Feb 24 · 4 min read


Critical CVE-2026-2329 Vulnerability in Grandstream GXP1600 VoIP Phones Enables Remote Code Execution and Call Interception
Executive Summary A critical vulnerability, CVE-2026-2329 , has been identified in the Grandstream GXP1600 series of VoIP phones, exposing organizations to severe risks including remote code execution, credential theft, and real-time call interception. This stack-based buffer overflow flaw, rated CVSS 9.3, allows unauthenticated attackers to gain root-level access to affected devices over the network. The vulnerability is trivial to exploit, with public Metasploit modules an
Feb 22 · 4 min read


AI-Powered Cyberattack Compromises 600+ FortiGate Devices Across 55 Countries: Detailed Threat Analysis and Mitigation Strategies
Executive Summary A sophisticated, AI-assisted threat campaign has compromised over 600 FortiGate devices in 55 countries, marking a significant escalation in the use of artificial intelligence by cybercriminals. The campaign, first identified by Amazon Threat Intelligence , did not exploit any inherent vulnerabilities in FortiGate software. Instead, the attackers leveraged exposed management interfaces and weak, single-factor credentials, automating reconnaissance and expl
Feb 22 · 4 min read