Forwarded from ANY.RUN
Update Your Detection Rules: New Remote Access Trojan
We caught a Go-based RAT and named it #Moonrise. At the time of the analysis, the sample had not yet been submitted to VirusTotal.
The level of access enables credential harvesting, sensitive data collection, and preparation for further compromise without triggering static detections, leaving SOCs with no clear signals to act on.
Observed capabilities include:
• Privilege-related functions and persistence mechanisms
• Data theft and credential harvesting
• Process control and command execution
• File upload and execution
• User activity monitoring: screen capture and streaming, webcam and microphone access, keystroke logging, clipboard monitoring
One compromised endpoint can disrupt operations and lead to financial and reputational damage.
See sample execution in a live analysis session.
Behavior-first triage in #ANYRUN Sandbox lets security teams confirm attacker actions, like remote command execution, UAC bypass attempts, and persistence-related activity, within minutes. Security teams reduce Tier-1 overload and unnecessary escalations, while containing incidents earlier.
Equip your SOC with faster decisions and lower workload. See how ANY.RUN fits your workflows.
#ExploreWithANYRUN
IOCs:
193[.]23[.]199[.]88
c7fd265b23b2255729eed688a211f8c3bd2192834c00e4959d1f17a0b697cd5e
8a422b8c4c6f9a183848f8d3d95ace69abb870549b593c080946eaed9e5457ad
7609c7ab10f9ecc08824db6e3c3fa5cbdd0dff2555276e216abe9eebfb80f59b
Ed5471d42bef6b32253e9c1aba49b01b8282fd096ad0957abcf1a1e27e8f7551
082fdd964976afa6f9c5d8239f74990b24df3dfa0c95329c6e9f75d33681b9f4
8d7c1bbdb6a8bf074db7fc1185ffd59af0faffb08e0eb46a373c948147787268
Researchers uncovered a cryptojacking campaign hiding in pirated software bundles. It drops a custom XMRig miner and abuses a flawed driver (CVE-2020-14979) to boost hashrate by 15-50%.
It can spread via USB drives, even into air-gapped systems.
Details: https://thehackernews.com/2026/02/wormable-xmrig-campaign-uses-byovd.html
Russia-linked APT28 ran a campaign across Europe from Sept 2025 to Jan 2026.
A Word doc acted as a silent beacon: opening it pinged a webhook, confirming the target engaged. From there, basic VBScript and batch files set persistence and funneled command output back via Edge.
Read: https://thehackernews.com/2026/02/apt28-targeted-european-entities-using.html
Anthropic says it blocked 16 million+ exchanges tied to model distillation campaigns targeting Claude.
The activity used 24,000 fake accounts and proxy networks to extract coding, reasoning, and tool-use capabilities. Three China-based AI labs were attributed.
Anthropic warns stripped safeguards could pose national security risks.
Read: https://thehackernews.com/2026/02/anthropic-says-chinese-ai-firms-used-16.html
Most Microsoft 365 breaches won't start with zero-days. They'll start with security settings left in "report only."
Conditional Access not enforced. Legacy auth still on. High-privilege app registrations untouched. AI attackers automate what teams keep postponing.
Learn more: https://thehackernews.com/expert-insights/2026/02/ai-wont-break-microsoft-365-your.html
China-aligned group UnsolicitedBooker has shifted to telecom firms in Central Asia, deploying LuciDoor and MarsSnake backdoors via phishing docs.
Campaigns in Kyrgyzstan and Tajikistan used macro-laced Office files and loaders to gain remote control and steal data.
Details: https://thehackernews.com/2026/02/unsolicitedbooker-targets-central-asian.html
Sensitive data now spans cloud, SaaS, on-prem & AI pipelines.
The challenge isn't storage, it's knowing what's sensitive and who can access it.
This new guide compares leading data classification tools of 2026.
Read more: https://thn.news/data-tools-li
Lazarus used Medusa ransomware in a Middle East attack, Symantec reports.
The group also targeted a U.S. healthcare org. Medusa claims 366+ victims, with recent U.S. ransoms averaging $260K. Analysts see a shift to off-the-shelf RaaS over custom code.
Details: https://thehackernews.com/2026/02/lazarus-group-uses-medusa-ransomware-in.html
Most IAM teams still chase ticket volume. Real risk rises when weaknesses align into a toxic combination.
An orphan account without MFA isn't minor. Add recent activity or elevated privileges and exposure increases sharply. Identity risk isn't a checklist. It's contextual.
How toxic combinations create real-world exposure: https://thehackernews.com/2026/02/identity-prioritization-isnt-backlog.html
TOMORROW: Infosec Compliance Now 2026!
Will you be joining us tomorrow? Register for Infosec Compliance Now to learn about AI governance, global regulations, and audit readiness from industry experts.
Bonus: Earn up to 4 CPE credits.
Register Now: https://thn.news/cyber-risk-2026
Kremlin-linked cyber hit on Ukraine aid.
Spoofed court email tricked European reconstruction bank into installing malware via nested archives, then RMS remote control. Classic Ukraine playbook, new Western targets.
Read: https://thehackernews.com/2026/02/uac-0050-targets-european-financial.html
A flaw in #GitHub Codespaces let attackers hide malicious Copilot instructions inside a GitHub issue.
When a developer opened a Codespace from that issue, Copilot could silently run the injected prompt and leak a privileged GITHUB_TOKEN.
The research also warns of "promptware" attacks built entirely through prompts.
Exploit Details: https://thehackernews.com/2026/02/roguepilot-flaw-in-github-codespaces.html
CISA added CVE-2026-25108 to its KEV list after active exploitation. The FileZen bug allows an authenticated user to execute OS commands via crafted HTTP requests.
Impacts versions 4.2.1-4.2.8 and 5.0.0-5.0.10 when Antivirus Check is enabled. At least one incident confirmed.
Read: https://thehackernews.com/2026/02/cisa-confirms-active-exploitation-of.html
ALERT: SolarWinds patched four critical 9.1 CVSS flaws in Serv-U that can lead to remote code execution as root.
SolarWinds says there's no sign of active attacks, but earlier Serv-U flaws were used by Storm-0322.
Details: https://thehackernews.com/2026/02/solarwinds-patches-4-critical-serv-u.html
Most breaches start with low-severity alerts no one owns.
SolarWinds had DNS quirks, odd Azure AD auth, strange SAML tokens. Each looked minor. Together, they meant compromise.
SOCs are built for volume and speed. Rare, cross-domain signals fall outside playbooks and KPIs.
Why long-tail alerts slip through SOCs: https://thehackernews.com/expert-insights/2026/02/the-riskiest-alert-types-and-why.html
Microsoft just open-sourced LiteBox, a Rust-based sandboxing library OS.
Developed via the LVBS project, it shrinks attack surfaces by stripping the interface between apps and the host. It enables unmodified Linux programs to run securely on Windows or within isolated Linux environments.
Read: https://thehackernews.com/2026/02/weekly-recap-double-tap-skimmers.html#:~:text=Microsoft%20Unveils%20LiteBox
A former L3Harris employee was sentenced to just over 7 years for selling 8 zero-day exploits to Russian broker Operation Zero.
Prosecutors say he received up to $4M in crypto, and the theft is estimated to have cost L3Harris $35M.
Washington has sanctioned the broker and related entities.
Full story here: https://thehackernews.com/2026/02/defense-contractor-employee-jailed-for.html
53% of national security orgs still rely on manual data transfers, inviting human error as attacks surge 25%.
The Everfox CYBER360 report calls for a "Cybersecurity Trinity": Zero Trust + Data-Centric Security + Cross-Domain Solutions.
The framework for mission-speed security: https://thehackernews.com/2026/02/manual-processes-are-putting-national.html
Over 50,000 npm and 4,500 NuGet users were hit by malicious packages before they were pulled.
The NuGet attack rewrote ASP.NET authorization for instant admin access, while the npm variant used preinstall hooks to deploy OS-specific malware and exfiltrate data.
Read: https://thehackernews.com/2026/02/malicious-nuget-packages-stole-aspnet.html
AI agents aren't taking over humanity... yet. But they are accessing your corporate data in ways you probably can't see.
The Model Context Protocol (MCP) is unlocking agentic AI, and your employees are already using it to connect AI tools to SaaS apps, working smarter and faster with tools they already know. But each MCP connection creates a new data highway with expansive permissions and scopes.
Which is why Nudge Security built automatic discovery for risky MCP connections. Now you can see:
• Which MCP server connections exist in your environment
• Which apps and data they're accessing
• Their full permissions and scopes
With clear visibility into every connection, you can stay ahead of emerging risks and start governing your agent workforce.
Learn more about AI governance with Nudge: https://thn.news/nudge-ai-risk
Cybercriminals linked to Scattered LAPSUS$ Hunters are paying women $500-$1,000 per call to do vishing attacks.
They supply scripts, target IT help desks to reset passwords, bypass MFA & drop remote tools.
Help desk attack chain: https://thehackernews.com/2026/02/slh-offers-5001000-per-call-to-recruit.html