Cline CLI 2.3.0 Supply Chain Attack: OpenClaw Unauthorized Installation on Developer and CI/CD Systems
Executive Summary On February 17, 2026, a supply chain attack targeted the Cline CLI open-source package, resulting in the unauthorized installation of OpenClaw, an autonomous AI agent, on developer and CI/CD systems. The attack was executed by publishing a malicious version (cline@2.3.0) to the npm registry using a compromised publish token. This version included a post-install script that silently installed OpenClaw globally on affected machines. The incident window las
Feb 22 · 6 min read


Advantest Corporation Ransomware Attack: 2026 Cyber Incident Impacting Internal IT Systems and Supply Chain Security
Executive Summary On February 15, 2026, Advantest Corporation, a leading Japanese supplier of semiconductor test equipment, detected unusual activity within its IT environment. The company immediately activated its incident response protocols, isolated affected systems, and engaged third-party cybersecurity experts. On February 19, 2026, Advantest publicly disclosed that it was responding to a ransomware attack that may have impacted certain systems within its network. As o
Feb 22 · 4 min read


ClickFix Campaign Exploits Compromised Websites to Deliver MIMICRAT Remote Access Trojan Targeting Windows Systems
Executive Summary The ClickFix campaign represents a significant escalation in the abuse of compromised legitimate websites to deliver advanced malware, culminating in the deployment of the custom MIMICRAT Remote Access Trojan. First identified by Elastic Security Labs and corroborated by multiple open-source intelligence channels, this campaign leverages a multi-stage infection chain, sophisticated defense evasion, and post-exploitation techniques that enable persistent a
Feb 22 · 5 min read


AI-Assisted Attack Compromises 600 Fortinet FortiGate Firewalls Worldwide in Five-Week Campaign
Executive Summary Between January 11 and February 18, 2026, a Russian-speaking, financially motivated threat actor leveraged multiple commercial generative AI services to compromise over 600 Fortinet FortiGate firewalls across more than 55 countries. The campaign did not exploit any known FortiGate vulnerabilities; instead, it targeted exposed management interfaces and weak credentials lacking multi-factor authentication. The attacker used AI-assisted tools to automate scan
Feb 22 · 5 min read


French FICOBA Bank Account Database Breach Exposes Data of 1.2 Million Accounts: February 2026 Incident Analysis
Executive Summary On February 18, 2026, the French Ministry of Economy publicly disclosed a significant data breach affecting approximately 1.2 million bank accounts in France. The breach was enabled by the compromise of an official’s credentials, which allowed a malicious actor to access the FICOBA national bank account database. The exposed data includes bank account numbers, account holder names, addresses, and, in some cases, tax identification numbers. No access to acc
Feb 19 · 5 min read


Figure Technology Solutions Data Breach: Nearly 1 Million User Records Exposed in 2026 Social Engineering Attack
Executive Summary Figure Technology Solutions, a prominent blockchain-based financial technology company, experienced a significant data breach in February 2026, resulting in the compromise of nearly 1 million user records. The breach was executed through a sophisticated social engineering attack, specifically a voice phishing (vishing) campaign, which enabled attackers to obtain an employee’s credentials and multi-factor authentication codes. This access allowed the threat a
Feb 19 · 5 min read


PromptSpy Android Malware Exploits Gemini AI for Advanced Persistence on Android Devices
Executive Summary Publication Date: February 19, 2026 The emergence of PromptSpy marks a pivotal moment in the evolution of Android malware, as it is the first known threat to leverage generative AI—specifically Google’s Gemini model—to automate persistence and evade removal. Discovered by ESET researchers, PromptSpy demonstrates how attackers can harness advanced AI capabilities to adapt to diverse device environments, automate complex UI interactions, and resist traditi
Feb 19 · 4 min read


Massiv Android Banking Trojan Campaign Exploits Fake IPTV Apps to Target Mobile Users in Southern Europe
Executive Summary A sophisticated Android banking malware campaign is currently propagating through fake IPTV applications, distributing the Massiv banking trojan and targeting mobile banking users across Southern Europe, with a particular focus on Spain, Portugal, France, and Turkey. The attackers exploit the widespread demand for unofficial IPTV streaming services, enticing users to sideload malicious APKs from untrusted sources. Once installed, these counterfeit IPTV app
Feb 19 · 5 min read


CRESCENTHARVEST: Iranian APT Targets Farsi-Speaking Activists via Chrome Software Reporter Tool Exploit and RAT Malware
Executive Summary The CRESCENTHARVEST campaign represents a highly targeted and technically advanced cyber-espionage operation, focusing on supporters of the ongoing protests in Iran. This campaign utilizes sophisticated social engineering, protest-themed lures, and a custom Remote Access Trojan (RAT) to achieve persistent surveillance, credential theft, and exfiltration of sensitive data. The threat actors behind CRESCENTHARVEST employ advanced tactics such as DLL sidelo
Feb 19 · 5 min read


Ivanti Connect Secure, Policy Secure, and Neurons Zero-Day Exploitation Surge: CVE-2025-0282 and CVE-2025-0283 Threat Analysis and Mitigation
Executive Summary Since July 2025, exploitation of zero-day vulnerabilities in Ivanti products has surged, with sophisticated threat actors targeting Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA Gateways. These attacks leverage previously unknown flaws to achieve remote code execution, persistent access, and lateral movement within enterprise environments. The campaign has been traced to multiple high-profile incidents across Europe, affecting c
Feb 19 · 5 min read


CVE-2026-26119: Critical Privilege Escalation Vulnerability in Microsoft Windows Admin Center – Patch Now to Prevent Domain Compromise
Executive Summary CVE-2026-26119 is a critical privilege escalation vulnerability affecting Microsoft Windows Admin Center, a browser-based management platform for Windows servers, clusters, and hybrid environments. This vulnerability, discovered by Andrea Pierini of Semperis and patched by Microsoft in version 2511 (December 2025), enables an authenticated attacker to escalate privileges over a network, potentially resulting in full domain compromise. Microsoft has clas
Feb 19 · 4 min read


Washington Hotel Japan Ransomware Attack: Impact, Response, and Cybersecurity Lessons for the Hospitality Sector
Executive Summary On February 13, 2026, at 22:00 local time, the Washington Hotel chain in Japan experienced a ransomware attack that resulted in the compromise of various business data and temporary disruption of operations across multiple properties. The incident was publicly disclosed between February 16 and 17, 2026. Immediate containment actions included disconnecting affected servers from the internet and engaging both law enforcement and external cybersecurity experts
Feb 17 · 6 min read


Canada Goose Data Breach: ShinyHunters Leak Exposes 600,000 Customer Records via Third-Party Payment Processor
Executive Summary In February 2026, the data extortion group ShinyHunters published a dataset containing over 600,000 customer records associated with the luxury outerwear brand Canada Goose. The dataset, totaling 1.67 GB in JSON format, includes customer names, email addresses, phone numbers, billing and shipping addresses, IP addresses, order histories, partial payment card data (including card brand, last four digits, and in some cases the first six digits/BIN), payment
Feb 17 · 6 min read


Google Chrome Zero-Day Vulnerability CVE-2026-2441 Actively Exploited: Patch Now to Mitigate Risk
Executive Summary A critical zero-day vulnerability, CVE-2026-2441, has been identified in the Google Chrome web browser, specifically within its CSS engine. This vulnerability is currently being actively exploited in the wild, allowing remote attackers to execute arbitrary code within the browser sandbox by enticing users to visit malicious or compromised websites. Google has responded by releasing emergency security patches for all major platforms, including Windows, mac
Feb 17 · 4 min read


Microsoft Warns of ClickFix Attack: Sophisticated DNS Lookup Abuse Targets Windows Systems
Executive Summary Microsoft has issued a critical advisory regarding a sophisticated social engineering campaign known as the ClickFix attack, which leverages DNS lookups as a covert channel to deliver and execute malware. This attack is notable for its abuse of legitimate Windows utilities, particularly nslookup, to bypass traditional security controls and deliver multi-stage payloads. The campaign is highly effective due to its reliance on user interaction, typically tri
Feb 17 · 4 min read


Louis Vuitton, Dior, and Tiffany Fined $25 Million in South Korea Over SaaS Customer Management System Data Breaches
Executive Summary South Korea’s Personal Information Protection Commission (PIPC) has imposed a combined fine of approximately KRW 36 billion (US$25 million) on the Korean subsidiaries of Louis Vuitton, Christian Dior Couture, and Tiffany following significant data breaches that exposed the personal information of over 5.5 million customers. The breaches, which occurred between June and September 2025, were facilitated by inadequate security controls in the companies’ clou
Feb 17 · 6 min read


Trezor and Ledger Users Targeted by Sophisticated Snail Mail Phishing Attacks: Cryptocurrency Wallet Security Alert
Executive Summary A sophisticated phishing campaign is actively targeting users of Trezor and Ledger cryptocurrency hardware wallets through physical mail, a method rarely seen in the sector. Attackers are sending convincing letters that impersonate official communications from Trezor and Ledger, urging recipients to complete urgent "Authentication Check" or "Transaction Check" procedures by scanning QR codes. These QR codes direct users to phishing websites that closely
Feb 15 · 6 min read


UAT-9921 Targets Technology and Financial Sectors with VoidLink Malware via Apache Dubbo Vulnerabilities
Executive Summary A newly identified threat actor, UAT-9921, has launched a sophisticated campaign leveraging the modular VoidLink malware framework to target organizations in the technology and financial sectors. This campaign, first observed in September 2025, demonstrates advanced capabilities in cloud-native environments, with a focus on Linux-based infrastructure, Kubernetes, and Docker. VoidLink is engineered for stealth, persistence, and lateral movement, utilizing
Feb 15 · 4 min read


Coordinated State-Sponsored Cyber Attacks Target Battlefield Management and Defense Supply Chains: Google Links China, Iran, Russia, North Korea
Executive Summary Google’s Threat Analysis Group (TAG) and Mandiant have recently attributed a series of highly coordinated cyber operations targeting the global defense sector to state-sponsored actors from China, Iran, Russia, and North Korea. These campaigns are characterized by advanced, persistent, and multi-vector attacks leveraging sophisticated tactics, techniques, and procedures (TTPs) to compromise defense contractors, supply chain partners, and critical battlef
Feb 15 · 4 min read


Louis Vuitton, Dior, and Tiffany Fined $25 Million for SaaS Customer Management Data Breaches in South Korea
Executive Summary South Korea’s Personal Information Protection Commission (PIPC) has imposed a combined fine of approximately $25 million on the Korean subsidiaries of Louis Vuitton, Christian Dior Couture, and Tiffany for significant data breaches that exposed the personal information of more than 5.5 million customers. The breaches, which occurred between June 2025 and early 2026, were facilitated by inadequate security controls in the companies’ cloud-based customer ma
Feb 15 · 6 min read