Welcome to your biweekly digest of curated cybersecurity intelligence.

Every two weeks, we bring you expert insights and handpicked articles covering the latest threats, threat actor activity, vulnerabilities, incident trends, and defensive strategies. Whether you’re on the front lines or shaping your organization’s security posture, Security Signals delivers the information you need to stay informed and ready.

For more articles, check out our #onpatrol4malware blog.

February 2026 Edition

Key stats from real-world telemetry and live attack observations over the past month – a concise look at what we’re seeing across malware, phishing, ransomware, C2s, and domain abuse.

This Edition’s Articles

Early March 2026 Cyber Threat Reports highlights fast-moving threats shaping the current landscape, from Agent Tesla, LockBit, MuddyWater, and APT37 to attacks targeting AWS credentials, Android devices, AI development tools, and enterprise SaaS access. This roundup reflects the real-world pace of phishing, credential theft, supply chain compromise, exposed infrastructure abuse, and ransomware-driven operations affecting defenders right now.

Punchbowl Phishing Attack Explained: How Digital Invites Are Used to Steal Credentials

Source: Cofense
(Published: 24 February 2026)
In today’s digital age, receiving online invitations to events has become commonplace. Read more.


Open Redirects: A Forgotten Vulnerability

Source: SANS Internet Storm Center
(Published: 24 February 2026)
Open redirect vulnerabilities often receive less attention than other web security issues, but they can still be abused in phishing campaigns and malware delivery chains. Read more.


Abusing Windows File Explorer and WebDAV for Malware Delivery

Source: Cofense
(Published: 25 February 2026)
Cofense Intelligence has been tracking how threat actors are abusing Windows File Explorer’s ability to retrieve remote files over Web-based Distributed Authoring and Versioning (WebDAV), an HTTP-based file management protocol, to trick victims into downloading malware. Read more.


Contagious Interview: Evolution of VS Code and Cursor Tasks Infection Chains – Part 1

Source: Abstract Security
(Published: 25 February 2026)
The ASTRO team has been actively tracking Contagious Interview techniques that abuse task auto-execution in integrated development environments (IDEs) such as Microsoft Visual Studio Code (VSCode) and Cursor to deliver malware. Read more.


Exposing the Undercurrent: Disrupting the GRIDTIDE Global Cyber Espionage Campaign

Source: Google Cloud Blog
(Published: 25 February 2026)
Last week, Google Threat Intelligence Group (GTIG), Mandiant, and partners took action to disrupt a global espionage campaign targeting telecommunications and government organizations in dozens of nations across four continents. Read more.


OCRFix: Botnet Trojan delivered through ClickFix and EtherHiding

Source: CYJAX
(Published: 25 February 2026)
During routine analysis, CYJAX identified a typosquatting phishing campaign which impersonated the Optical Character Recognition (OCR) tool Tesseract OCR. Read more.


Reynolds Ransomware: BYOVD Evasion & NSecKrnl Abuse

Source: Brandefense
(Published: 25 February 2026)
A new ransomware group tracked as “Reynolds” emerged in February 2026 and is reported to use the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security controls before encryption, thereby significantly increasing its chances of success even in well-equipped environments. Read more.


Unmasking Agent Tesla: A Deep Dive Into a Multi-Stage Campaign

Source: Fortinet
(Published: 25 February 2026)
Agent Tesla remains one of the most persistent threats in the cyber landscape today, continuing to evolve through multi-stage delivery chains and stealthy credential theft techniques. Read more.


[Op Report] Velvet Tempest linked to ClickFix campaigns for Termite Ransomware, HoK Activity Observed

Source: Deception.Pro
(Published: 26 February 2026)
During a 12-day Deception.Pro operation, researchers observed a high-severity, multi-stage intrusion chain that began with malvertising and a ClickFix-style fake CAPTCHA. Read more.


Free Games, Costly Consequences

Source: G DATA Security Blog
(Published: 26 February 2026)
PiviGames, a popular Spanish gaming platform, is well-known in the gaming community for providing download links to pirated PC games. Read more.


GTFire Phishing Scheme Targets Organizations

Source: Group-IB
(Published: 26 February 2026)
Researchers uncovered a phishing campaign dubbed GTFire that leverages convincing login pages and infrastructure designed to harvest credentials from targeted organizations. Read more.


Henry IV, Hotspur, Hal, and hallucinations

Source: Cisco Talos
(Published: 26 February 2026)
Welcome to this week’s edition of the Threat Source newsletter. Read more.


Malicious Go “crypto” Module Steals Passwords and Deploys Rekoobe Backdoor

Source: Socket
(Published: 26 February 2026)
Socket’s Threat Research Team uncovered a malicious Go module, github[.]com/xinfeisoft/crypto, that imitates the legitimate golang[.]org/x/crypto codebase but inserts a backdoor in ssh/terminal/terminal.go. Read more.


New Dohdoor malware campaign targets education and health care

Source: Cisco Talos
(Published: 26 February 2026)
Cisco Talos discovered an ongoing malicious campaign, active since at least as early as December 2025, by a threat actor we track as “UAT-10027,” delivering a previously undisclosed backdoor dubbed “Dohdoor.” Read more.


Novel DPRK stager using Pastebin and text steganography

Source: kmsec.uk
(Published: 26 February 2026)
This is a quick one as FAMOUS CHOLLIMA has been keeping me busy this week by testing Google Drive as a stager and my longer write-up on tracking their IP addresses through temporary mailboxes. Read more.


PlugX Meeting Invitation via MSBuild and GDATA

Source: LAB52
(Published: 26 February 2026)
In relation to the latest variant of the PlugX RAT executed by STATICPLUGIN analyzed by IIJ-SECT, LAB52 aims to complement this information with additional observed deployment activity and encryption characteristics in samples analyzed by this team. Read more.


ShinyHunters Fast-Tracks SaaS Access With Subdomain Impersonation

Source: ReliaQuest
(Published: 26 February 2026)
Researchers observed threat actor ShinyHunters leveraging subdomain impersonation techniques to accelerate access to SaaS environments and improve the credibility of phishing lures. Read more.


VEN0m Ransomware: DFIR Analysis, Detection Engineering & Key Recovery

Source: Ransom-ISAC
(Published: 26 February 2026)
On February 23, 2026, Tammy Harper alerted the Ransom-ISAC community to a new ransomware payload utilising User Access Control (UAC) bypass and Bring Your Own Vulnerable Driver (BYOVD) techniques. Read more.


APT36: Multi-Vector Execution Malware Campaign Targeting Indian Government Entities

Source: CYFIRMA
(Published: 27 February 2026)
CYFIRMA has identified a targeted malware campaign attributed to the Pakistan-aligned threat actor Transparent Tribe (also known as APT36). Read more.


Contagious Interview Campaign Abusing VSCode Distributed on GitHub

Source: ENKI WhiteHat
(Published: 27 February 2026)
We recently identified multiple instances of malware on GitHub that abuse VS Code automation features. Read more.


Fake Zoom and Google Meet Scams Install Teramind

Source: Malwarebytes
(Published: 27 February 2026)
Researchers identified a campaign using fake Zoom and Google Meet downloads that silently install the Teramind monitoring tool to spy on victims. Read more.


Hook, line, and vault: A technical deep dive into the 1Phish kit

Source: Datadog Security Labs
(Published: 27 February 2026)
The 1Phish kit evolved between September 2025 and February 2026 from a basic credential harvester into an MFA-aware, multi-stage phishing kit targeting 1Password users. Read more.


Inside a Fake Google Security Check That Becomes a Browser RAT

Source: Malwarebytes
(Published: 27 February 2026)
A website disguised as a Google Account security check is distributing a browser-based remote access tool capable of surveillance and credential theft. Read more.


StegaBin: 26 Malicious npm Packages Use Pastebin Steganography to Deploy Multi-Stage Credential Stealer

Source: Socket
(Published: 27 February 2026)
Socket’s AI-powered threat detection systems identified 26 malicious npm packages published over a two-day period that deploy a multi-stage credential and secret harvesting operation targeting developers. Read more.


The ClawHavoc Campaign

Source: PolySwarm
(Published: 27 February 2026)
The ClawHavoc campaign exploited the permissive nature of ClawHub, the official marketplace for OpenClaw Skills, which are plugin packages that extend the open-source AI agent’s capabilities across automation, cryptocurrency monitoring, social media assistance, and productivity tasks. Read more.


Why Digital Squatting Still Works in 2026 – And Why Defense Is So Hard

Source: LastPass
(Published: 27 February 2026)
Digital squatting and phishing are often treated as separate threat vectors, but they are deeply intertwined. Read more.


Zerobot Malware Targets n8n Automation Platform

Source: Akamai
(Published: 27 February 2026)
The Akamai SIRT discovered an ongoing Mirai-based malware campaign, dubbed Zerobot, targeting a variety of recent CVEs, including those affecting Tenda AC1206 routers and the n8n workflow automation platform. Read more.


A Fake FileZilla Site Hosts a Malicious Download

Source: Malwarebytes
(Published: 02 March 2026)
Attackers are distributing malware through a fake FileZilla website designed to trick users into downloading a malicious installer. Read more.


Exorcising Demons: Fake Tech Support Delivers Havoc Command and Control

Source: Huntress
(Published: 02 March 2026)
Fake browser alerts and tech support lures are being used to deliver the Havoc command-and-control framework through deceptive user prompts and staged execution chains. Read more.


Funnull Resurfaces: Exposing RingH23 Arsenal and MacCMS Supply Chain Attacks

Source: QiAnXin X Lab
(Published: 02 March 2026)
Funnull (Funnull Technology Inc.), also known as Fangneng CDN, is a Philippines-registered company that publicly claims to provide CDN services. Read more.


Iranian APT Activity During Geopolitical Escalation

Source: Nozomi Networks
(Published: 02 March 2026)
Researchers observed increased cyber activity linked to Iranian threat groups during escalating geopolitical tensions in the Middle East. Read more.


Oblivion RAT – An Android Spyware Platform With a Built-In APK Factory

Source: iVerify
(Published: 02 March 2026)
Oblivion RAT is a new Android remote access trojan sold as a malware-as-a-service (MaaS) platform on cybercrime networks for $300/month. Read more.


PromptSpy Android Malware Uses Generative AI

Source: PolySwarm
(Published: 02 March 2026)
PromptSpy is the first documented Android malware family to integrate generative AI, specifically Google’s Gemini, into its execution flow for dynamic, context-aware persistence. Read more.


SloppyLemming Deploys BurrowShell and Rust-Based RAT to Target Pakistan and Bangladesh

Source: Arctic Wolf
(Published: 02 March 2026)
Over the last 12 months, Arctic Wolf has been tracking an extensive cyber espionage campaign conducted by SloppyLemming, an India-nexus threat actor, targeting government entities and critical infrastructure operators in Pakistan and Bangladesh. Read more.


Fooling AI Agents: Web-Based Indirect Prompt Injection Observed in the Wild

Source: Unit 42 (Palo Alto Networks)
(Published: 03 March 2026)
Large language models (LLMs) and AI agents are becoming deeply integrated into web browsers, search engines and automated content-processing pipelines. Read more.


Doppelganger RRN Disinformation Infrastructure Ecosystem

Source: DomainTools Intelligence
(Published: 04 March 2026)
Researchers identified a large disinformation infrastructure linked to the Doppelganger campaign that leverages cloned news domains and coordinated social amplification. Read more.


Fake Discount Scams Spread Across E-Commerce Platforms

Source: Guard.io
(Published: 04 March 2026)
Security researchers observed a wave of fake discount campaigns designed to lure users into phishing pages that harvest payment details and login credentials. Read more.


Fake FedEx Email Delivers Donut Malware

Source: SANS Internet Storm Center
(Published: 04 March 2026)
A phishing email impersonating FedEx delivery notifications is distributing malware using malicious attachments designed to trick recipients into executing embedded payloads. Read more.


Malicious NuGet Package Targets Stripe Developers

Source: ReversingLabs
(Published: 04 March 2026)
Researchers discovered a malicious NuGet package designed to target developers working with Stripe integrations and steal sensitive credentials. Read more.


SurxRAT Downloads Large LLM Module From Hugging Face

Source: Cyble
(Published: 04 March 2026)
Security researchers discovered SurxRAT downloading a large language model module from Hugging Face to enhance its command processing and evasion capabilities. Read more.


2026 Ransomware Cartelization: Qilin, LockBit, and Akira Convergence

Source: SecureBlink
(Published: 05 March 2026)
Researchers highlight increasing collaboration between ransomware groups including Qilin, LockBit, and Akira as part of a growing trend of ransomware cartelization. Read more.


ActiveMQ Exploit Deploys LockBit Ransomware

Source: CyberPress
(Published: 05 March 2026)
Threat actors are exploiting vulnerable Apache ActiveMQ servers to deploy LockBit ransomware in targeted intrusion campaigns. Read more.


Agent Tesla Campaign Evolves to Evade Detection

Source: CyberPress
(Published: 05 March 2026)
A new campaign distributing Agent Tesla malware is using updated delivery techniques and obfuscation to evade traditional detection mechanisms. Read more.


ZeroDayRAT Targets Mobile Devices

Source: CyberPress
(Published: 05 March 2026)
Researchers uncovered a new remote access trojan called ZeroDayRAT designed to target mobile devices and steal sensitive data. Read more.


Charming Kitten Activity Escalates in Iran-Israel Cyber Conflict

Source: FalconFeeds
(Published: 06 March 2026)
Researchers observed increased cyber activity linked to the Iranian threat group Charming Kitten amid escalating tensions in the Iran-Israel cyber conflict. Read more.


Inside a New Violetrat Campaign

Source: SonicWall
(Published: 06 March 2026)
Researchers uncovered a multi-stage malware campaign delivering Violetrat through layered payload execution designed to evade security detection. Read more.


Moonrise RAT: Emerging Remote Access Threat

Source: CyberSec Sentinel
(Published: 06 March 2026)
The Moonrise RAT malware family has emerged as a serious threat capable of persistent access, credential theft, and remote command execution. Read more.


TAXISPY RAT: Analysis of TaxiSpy RAT – Russian Banking-Focused Android Malware with Full Remote Control

Source: CYFIRMA
(Published: 06 March 2026)
This report analyzes a highly sophisticated Android Banking Trojan with integrated Remote Access Trojan (RAT) functionality, specifically targeting Russian financial institutions. Read more.


UnsolicitedBooker Deploys MarsSnake Against Telecom Providers

Source: CyberSec Sentinel
(Published: 06 March 2026)
A threat actor tracked as UnsolicitedBooker has been deploying the MarsSnake malware family against telecommunications organizations. Read more.


Hydra-Saiga: Covert Espionage and Infiltration of Critical Utilities

Source: VMRay
(Published: 07 March 2026)
Analysts detail a covert espionage campaign dubbed Hydra-Saiga that targets critical utility infrastructure with stealthy malware implants. Read more.


Iran-Linked Dust Specter Launches Cyberattack on Iraqi Officials

Source: Hive Pro
(Published: 07 March 2026)
Iranian-linked threat group Dust Specter conducted targeted cyber operations against Iraqi officials in a campaign involving credential harvesting and malware delivery. Read more.


Mercenary Akula’s Court-Themed Campaign Hits European Finance

Source: Hive Pro
(Published: 07 March 2026)
A campaign attributed to Mercenary Akula used court-themed lures to target financial institutions across Europe with phishing and malware payloads. Read more.


Operation Olalampo: MuddyWater Expands Campaign Across MENA

Source: Hive Pro
(Published: 08 March 2026)
The MuddyWater threat group expanded its Operation Olalampo campaign targeting organizations across the Middle East and North Africa region. Read more.


APT37 Adds New Capabilities to Target Air-Gapped Networks

Source: Zscaler
(Published: 09 March 2026)
Researchers report that North Korean threat group APT37 has developed new techniques for targeting air-gapped networks and sensitive systems. Read more.


Behind the console: Active phishing campaign targeting AWS console credentials

Source: Datadog Security Labs
(Published: 09 March 2026)
Datadog Security Research identified an active adversary-in-the-middle (AiTM) phishing campaign targeting AWS Console credentials. Read more.


Iranian APT MuddyWater Uses Dindoor Malware to Target U.S. Networks

Source: SOCRadar
(Published: 09 March 2026)
A recently uncovered cyber espionage campaign attributed to the Iranian state-linked threat group MuddyWater has drawn attention from security researchers after several organizations in the United States were compromised using newly observed malware. Read more.


Sandworm_MODE NPM Supply Chain Attack Targets AI Development Tools

Source: Hive Pro
(Published: 09 March 2026)
Researchers uncovered a supply chain attack on the NPM ecosystem targeting AI development tools and attributed to activity consistent with Sandworm operations. Read more.


Want more articles? Check out the previous edition of Security Signals here. 
