Cisco Talos exposed DKnife — a China-linked AitM framework active since 2019 on compromised routers and edge devices.

It monitors traffic, steals credentials, and hijacks app/software updates to deploy ShadowPad and DarkNimbus on PCs and phones.

🔗 Modules and infection chain → https://thehackernews.com/2026/02/china-linked-dknife-aitm-framework.html

German authorities warn of a state-linked phishing campaign abusing Signal account features to hijack chats.

Actors pose as support, steal PINs or trick targets into device linking—enabling message interception and impersonation across political, military, and media networks.

🔗 Read → https://thehackernews.com/2026/02/german-agencies-warn-of-signal-phishing.html

🔥 OpenClaw now scans every ClawHub skill using 🛡️ VirusTotal threat intel.

Uploads are hashed, analyzed via Code Insight, then auto-approved, flagged, or blocked. Daily rescans 🔍 check if clean skills turn malicious later.

⚠️ Hundreds of risky skills had slipped through earlier.

🔗 Read → https://thehackernews.com/2026/02/openclaw-integrates-virustotal-scanning.html

⚡ BeyondTrust patched pre-auth RCE (CVE-2026-1731) in Remote Support and PRA.

Attackers could run OS commands via crafted requests.~11K exposed instances found. Patches released.

🔗 Versions affected, fixes → https://thehackernews.com/2026/02/beyondtrust-fixes-critical-pre-auth-rce.html

🛑 Cloud worm malware campaign is systematically taking over cloud infrastructure.

TeamPCP exploits exposed Docker, Kubernetes, Redis, and React2Shell to mass-deploy proxies, scanners, crypto miners & ransomware across compromised clusters.

🔗 Read → https://thehackernews.com/2026/02/teampcp-worm-exploits-cloud.html

🛠️ Bloody Wolf tied to a spear-phishing campaign deploying NetSupport RAT across Central Asia and Russia.

~60 victims across government, finance, manufacturing. Malicious PDFs drop loaders that persist via scripts + scheduled tasks.

🔗 Details → https://thehackernews.com/2026/02/bloody-wolf-targets-uzbekistan-russia.html

🧪⚡ SOC teams aren’t failing on tools — they’re overloaded by triage. Constant validation loops are fueling burnout and SLA drift.

CISOs are moving to sandbox-first workflows, exposing live behavior early and reducing escalations, MTTR, and senior drag.

🔗 How evidence replaces guesswork → https://thehackernews.com/2026/02/how-top-cisos-solve-burnout-and-speed.html

⚠️ AI tools, supply chains, and trusted platforms are now attack paths.

Malicious AI skills, Signal phishing, Docker AI RCE, update hijacks — plus a record 31.4 Tbps DDoS. All in one week.

🔎 Read the full recap here: https://thehackernews.com/2026/02/weekly-recap-ai-skill-malware-31tbps.html

🚨 Microsoft traced a multi-stage intrusion to exposed SolarWinds Web Help Desk servers.

Attackers used unauthenticated RCE, moved laterally, and abused legit RMM tools for persistence — plus credential dumping and DCSync.

🔗 Tradecraft, CVEs, and lateral movement chain → https://thehackernews.com/2026/02/solarwinds-web-help-desk-exploited-for.html

⚠️ Singapore’s cyber agency says China-linked UNC3886 targeted all four national telecom operators.

Attackers used a firewall zero-day and rootkits to access parts of critical systems. Espionage activity was contained. No service disruption or customer data theft found.

🔗 Read → https://thehackernews.com/2026/02/china-linked-unc3886-targets-singapore.html

🚨🛡️ Fortinet Fixes Critical FortiClientEMS RCE (CVE-2026-21643, CVSS 9.1).

SQL injection flaw enables unauthenticated remote command execution via crafted requests. Affects EMS 7.4.4 (patch available).

Separate FortiCloud SSO bug is actively exploited for admin persistence and firewall config theft.

🔗 See affected versions and patch guidance → https://thehackernews.com/2026/02/fortinet-patches-critical-sqli-flaw.html

🚨 Ivanti EPMM Zero-Day Exploits Breach Dutch Regulators, Linked to Wider 🇪🇺 EU Government Intrusions.

Attackers exploited CVSS 9.8 unauthenticated RCE flaws to access employee work contact data.
Related activity also impacted the European Commission and Finland’s Valtori systems.

🔗 Details → https://thehackernews.com/2026/02/dutch-authorities-confirm-ivanti-zero.html

Three practical questions security teams should answer before selecting an SSE platform:

⚙️ Deployment complexity
👁️ In-session visibility
🛡️ Real session risk coverage

🔗 Framework, tradeoffs, rollout risks → https://thehackernews.com/expert-insights/2026/02/3-questions-to-ask-before-your-next-sse.html

⚠️🛠️ Warlock ransomware breached SmarterTools via unpatched SmarterMail VM.

Attackers entered Jan 29, moved laterally, seized Active Directory, and staged Velociraptor pre-encryption. ~12 servers and a QC data center were hit; core apps and customer data stayed unaffected.

🔗 See exploited CVEs → https://thehackernews.com/2026/02/warlock-ransomware-breaches.html

Earn and learn at Infosec Compliance Now 2026!

Registration for the 6th annual Infosec Compliance Now virtual event is live! Attend and earn up to 4 free CPE credits while learning about AI-powered GRC, cyber resilience, continuous control monitoring using automation, and more.

Register Now ➜ https://thn.news/infosec-risk-summit

🕵️‍♂️⚠️ Ransomware Persists — But Encryption Is No Longer the Main Signal of Attack!

Picus reviewed 1.1M malware samples and found a shift toward stealth access over disruption. Encryption attacks fell 38% YoY as extortion moves to data theft and credential abuse.

🔗 Explore the full stealth-attack dataset → https://thehackernews.com/2026/02/from-ransomware-to-residency-inside.html

⚠️🛠️ Reynolds ransomware embeds its own BYOVD evasion, bundling a vulnerable driver to disable EDR before encryption.

It drops the NSecKrnl driver (CVE-2025-68947) to kill security tools, reducing detection and affiliate effort.

🔗 Read full attack chain and defense insights → https://thehackernews.com/2026/02/reynolds-ransomware-embeds-byovd-driver.html

🧑‍💻💻 North Korean operatives are using real LinkedIn accounts to land remote IT jobs in Western firms.

With impersonated profiles and verified emails, DPRK actors secure roles to fund weapons programs and conduct espionage—some gain admin access, steal data, and maintain persistence.

🔍 Read the full investigation → https://thehackernews.com/2026/02/dprk-operatives-impersonate.html

🕵️‍♂️💰 North Korea-linked UNC1069 used deepfake Zoom calls to hack crypto firms.

Posing via Telegram, attackers lured victims into fake meetings, triggering ClickFix commands that deployed multi-stage malware on macOS & Windows to steal wallets and credentials.

🔗 Read → https://thehackernews.com/2026/02/north-korea-linked-unc1069-uses-ai.html

Security startup @zast_ai secured new backing to scale AI-driven vulnerability validation.

Its research led to 119 CVE assignments after uncovering hundreds of zero-days. Affected targets included Azure SDK, Apache Struts, and Alibaba Nacos.

🔗 Funding, research scope, enterprise impact → https://thehackernews.com/2026/02/zastai-raises-6m-pre-to-scale-zero.html

🐧 Researchers uncovered SSHStalker, a Linux botnet using IRC for control and mass SSH compromise.

It exploits 16 legacy kernel flaws to infect unpatched systems, wipes logs, and maintains silent persistence.

🔗 Details → https://thehackernews.com/2026/02/sshstalker-botnet-uses-irc-c2-to.html