Daily Brief

Articles are listed below, each followed by a generated summary

Total articles found: 12586

Checks for new stories every ~15 minutes

2026-02-10 22:18:48 bleepingcomputer NATION STATE ACTIVITY North Korean Hackers Employ New macOS Malware in Crypto Attacks
North Korean threat group UNC1069 targets cryptocurrency sector using new macOS malware, focusing on financial theft and data collection for future campaigns. Mandiant researchers identified seven distinct macOS malware families in the attack, with SUGARLOADER and WAVESHAPER being the most detected. The attack involved sophisticated social engineering, utilizing AI-generated videos and compromised accounts to engage victims via Telegram. Victims were lured into a fake Zoom meeting, where deepfake videos and fake audio issues facilitated malware installation instructions. The malware deployment aimed to collect extensive data, potentially leveraging victim identities for further social engineering efforts. UNC1069 has adapted its tactics since 2018, now focusing on Web3 and cryptocurrency industries, highlighting the evolving threat landscape. This incident underscores the need for enhanced vigilance and robust security measures in the cryptocurrency sector against state-sponsored threats.
2026-02-10 22:11:34 theregister VULNERABILITIES Microsoft Patches Six Actively Exploited Zero-Day Vulnerabilities
Microsoft released fixes for six zero-day vulnerabilities actively exploited before February's Patch Tuesday, addressing critical security concerns for Windows users. These vulnerabilities include security feature bypasses in Windows Shell, Internet Explorer, and Microsoft Word, with potential for remote code execution. Exploitation of these flaws typically requires convincing users to open malicious links or files, a common attack vector that relies on user interaction. The vulnerabilities received high CVSS ratings, with three publicly disclosed, suggesting potential widespread exploitation and availability of proof-of-concept exploits. Microsoft has not provided specific details on the attackers or the extent of exploitation, leaving some uncertainty about the threat landscape. Organizations are urged to prioritize testing and deploying these patches to mitigate risks, especially given the potential for privilege escalation and denial of service. The repeated appearance of certain vulnerabilities, such as those in Desktop Window Manager, indicates previous patches may not have fully resolved the issues. These updates highlight the ongoing need for robust patch management processes to protect against evolving threats.
2026-02-10 19:13:23 bleepingcomputer MALWARE Fake 7-Zip Site Distributes Trojanized Installer as Proxy Tool
A fraudulent website impersonating 7-Zip is distributing a compromised installer that transforms user devices into residential proxy nodes, facilitating malicious activities like credential stuffing and phishing. The malicious site, 7zip[.]com, mimics the legitimate 7-Zip website, tricking users into downloading the installer, which retains normal functionality while deploying malicious files. Researchers at Malwarebytes identified that the installer is digitally signed with a revoked certificate and drops files in the system directory, creating an auto-start service for malicious executables. The malware modifies firewall settings to allow network connections and profiles the host system using Windows Management Instrumentation and APIs, sending data to iplogger[.]org. The campaign extends beyond 7-Zip, using trojanized installers for other popular applications like HolaVPN and TikTok, leveraging a rotating C2 infrastructure with encrypted communications. Security experts recommend avoiding URLs from unverified sources and bookmarking official download portals to prevent exposure to such threats. The discovery was supported by independent researchers who reverse-engineered the malware, confirming its primary function as proxyware and identifying its broader campaign scope.
2026-02-10 19:07:35 bleepingcomputer VULNERABILITIES Microsoft Releases Critical Security Update for Windows 10 Systems
Microsoft issued the KB5075912 update for Windows 10, addressing 58 vulnerabilities, including six actively exploited zero-day vulnerabilities, as part of the February 2026 Patch Tuesday. The update is available for Windows 10 Enterprise LTSC users and those in the Extended Security Updates (ESU) program, ensuring continued protection against emerging threats. A key component of the update is the replacement of expiring Secure Boot certificates, crucial for maintaining system integrity and preventing security breaches. Another significant fix resolves an issue that previously hindered Windows 10 devices from shutting down or hibernating when System Guard Secure Launch was enabled. Microsoft has been proactive in warning users about the expiration of Secure Boot certificates, emphasizing the importance of timely updates to uphold security protocols. The update process is streamlined via the Windows Update settings, with no reported issues, facilitating a smooth transition for enterprise users. Organizations are encouraged to regularly apply these updates to mitigate risks and ensure robust security postures in their IT environments.
2026-02-10 18:52:50 bleepingcomputer VULNERABILITIES Microsoft February 2026 Patch Tuesday Addresses Six Zero-Day Threats
Microsoft released security updates for 58 vulnerabilities, including six zero-day threats, in its February 2026 Patch Tuesday, aiming to enhance system defenses across multiple platforms. Three of the six zero-day vulnerabilities were publicly disclosed, posing an immediate risk to users until patches are applied. Critical vulnerabilities fixed include elevation of privilege and information disclosure flaws, potentially allowing unauthorized access or data leaks. Notable zero-day vulnerabilities involve bypasses in Windows Shell, MSHTML Framework, and Microsoft Word, which could be exploited via malicious links or files. Microsoft collaborated with its Threat Intelligence Center, Security Response Center, and external researchers to identify and address these security gaps. Organizations are urged to prioritize these updates to mitigate potential exploitation risks and ensure continued operational security. The update also introduces built-in Sysmon functionality in Windows 11 insider builds, enhancing monitoring capabilities for system administrators.
2026-02-10 18:04:33 theregister VULNERABILITIES AI Agents in Messaging Apps Pose Data Exfiltration Risks
Researchers at PromptArmor identified a vulnerability where AI agents in messaging apps can be exploited to leak sensitive data via link previews. This zero-click prompt injection flaw allows attackers to exfiltrate data without user interaction, affecting platforms like Slack, Telegram, and Microsoft Teams. AI agents can be tricked into appending sensitive information, such as API keys, to URLs that are automatically fetched by link previews. PromptArmor suggests that the responsibility lies with messaging apps to allow developers to customize link preview settings to mitigate this risk. Vulnerable combinations include Microsoft Teams with Copilot Studio and Discord with OpenClaw, while safer setups involve Claude in Slack and OpenClaw via Signal in Docker. Organizations using AI agents in messaging environments should reassess their configurations to prevent unintended data exposure. The report serves as a caution against deploying AI agents in sensitive environments until messaging apps enhance their security frameworks.
2026-02-10 17:47:34 thehackernews NATION STATE ACTIVITY North Korean Operatives Exploit LinkedIn for Cyber Espionage and Revenue
North Korean IT operatives are impersonating professionals on LinkedIn to secure remote jobs, using verified profiles to enhance credibility and infiltrate Western companies. This operation, tracked as Jasper Sleet and PurpleDelta, aims to fund DPRK's weapons programs and conduct espionage by accessing sensitive data and demanding ransoms. The Norwegian Police Security Service has reported multiple cases of Norwegian businesses hiring North Korean IT workers, inadvertently supporting the regime's financial goals. Cybersecurity firms have identified tactics such as chain-hopping and token swapping to obscure cryptocurrency transactions linked to these operations. A parallel campaign, Contagious Interview, uses fake job offers to execute malicious code, leveraging blockchain smart contracts for command-and-control resilience. Recent techniques include deploying JavaScript malware via Microsoft VS Code task files, leading to persistent access and theft of digital assets. CrowdStrike reports the evolution of Labyrinth Chollima into specialized units, maintaining centralized coordination within DPRK's cyber apparatus for targeted operations. Organizations are advised to verify candidate identities through direct LinkedIn connections and monitor for suspicious hiring practices to mitigate infiltration risks.
2026-02-10 17:06:51 bleepingcomputer DATA BREACH Volvo Group North America Impacted by Conduent Data Breach
Volvo Group North America reports a data breach due to a security incident at Conduent, affecting nearly 17,000 customers and staff with exposed personal details. The breach at Conduent, a business process outsourcing firm, occurred between October 2024 and January 2025, compromising sensitive information such as Social Security Numbers and health insurance details. Conduent's breach has affected a total of 26 million individuals across Oregon and Texas, with ongoing notifications being sent to impacted parties. In response, Volvo Group North America offers free identity monitoring services, credit and dark web monitoring, and identity restoration to affected customers and employees. The breach emphasizes the vulnerability of supply chains, as Volvo Group North America also faced a separate breach from Miljödata, impacting 1.5 million individuals. Organizations are advised to enhance third-party risk management strategies to prevent similar incidents and protect sensitive data effectively.
2026-02-10 17:00:37 bleepingcomputer VULNERABILITIES Microsoft Updates Secure Boot Certificates Ahead of 2026 Expiration
Microsoft is rolling out updated Secure Boot certificates via Windows updates, replacing 2011 certificates set to expire in June 2026, ensuring continued protection against boot-level malware threats. Secure Boot, introduced in 2011, prevents malicious software from executing during startup by verifying bootloaders against trusted digital certificates stored in UEFI firmware. The certificate refresh is a significant security maintenance effort, impacting millions of device configurations across various hardware manufacturers and OEMs. Automatic updates will be applied to devices managed by Microsoft, while others may require manual updates triggered through registry keys or Group Policy settings. Devices failing to update before the June deadline will enter a "degraded security state," in which they can no longer receive new boot-level mitigations and remain exposed to newly discovered vulnerabilities. Microsoft advises upgrading to Windows 11 for continued support, as older versions like Windows 10 will not receive the new certificates unless enrolled in Extended Security Updates. Organizations are encouraged to check OEM support pages for necessary firmware updates to ensure compatibility with the new Secure Boot certificates.
2026-02-10 15:08:44 bleepingcomputer MISCELLANEOUS Enhancing AWS Incident Response with Tines and AI Automation
Tines introduces a workflow that automates AWS incident investigations, reducing manual data gathering and improving efficiency for security analysts. The workflow addresses the "context gap" in incident response by integrating CLI data directly into ticketing systems like Jira and ServiceNow. Tines agents execute AWS CLI commands securely, using read-only credentials, ensuring cloud environments remain protected. Dynamic command generation allows the workflow to adapt to various incident contexts, enhancing flexibility and responsiveness. AI-driven data formatting transforms dense CLI outputs into readable summaries, streamlining information processing for analysts. Implementing this automation can significantly reduce Mean Time to Resolution (MTTR) and alleviate analyst burnout from repetitive tasks. The solution exemplifies how intelligent workflows can fundamentally improve a security operations center's effectiveness and security posture.
2026-02-10 14:37:46 thehackernews CYBERCRIME Reynolds Ransomware Utilizes BYOVD to Evade EDR Detection
Cybersecurity researchers have identified a new ransomware family, Reynolds, which incorporates a bring your own vulnerable driver (BYOVD) tactic to disable Endpoint Detection and Response (EDR) tools. The ransomware deploys a vulnerable NsecSoft NSecKrnl driver, exploiting a known flaw (CVE-2025-68947) to terminate processes of security programs like Avast and CrowdStrike Falcon. This approach allows the ransomware to evade detection more effectively by integrating the defense evasion component directly within the payload, eliminating the need for separate deployment. The campaign also involved a suspicious side-loaded loader and the GotoHTTP remote access program, suggesting efforts to maintain persistent access to compromised systems. The tactic of bundling defense evasion with ransomware is not new, previously seen in Ryuk and Obscura attacks, complicating defensive measures for cybersecurity teams. The rise of new ransomware groups and the resurgence of LockBit 5.0 have contributed to increased ransomware activity, with significant growth in both attacks and average ransom payments in 2025. The trend towards data theft over encryption in ransomware attacks continues, with a notable increase in non-encryption attacks exerting pressure on victims.
2026-02-10 14:03:17 thehackernews MALWARE Picus Labs Reports Shift Toward Stealthy, Persistent Cyber Threats
Picus Labs' Red Report 2026 identifies a strategic shift in cyberattacks, focusing on stealth and persistence rather than disruptive ransomware encryption. Analysis of over 1.1 million malicious files shows a 38% decline in ransomware encryption, indicating a move towards data extortion and prolonged system access. Credential theft has become a dominant tactic, appearing in nearly 25% of attacks, with attackers exploiting saved credentials from browsers and password managers. The report reveals that 80% of top MITRE ATT&CK techniques now prioritize evasion and persistence, challenging traditional detection methods. Advanced malware increasingly employs sandbox evasion techniques, assessing execution environments to avoid detection and remain dormant until reaching real systems. Despite AI discussions, the report finds limited use of AI-driven techniques, with attackers relying on established methods like process injection and scripting. Organizations are encouraged to focus on behavior-based detection and credential hygiene to counter these evolving threats effectively.
2026-02-10 13:52:57 theregister NATION STATE ACTIVITY Singapore's Massive Cyber Operation Expels China-Linked Espionage Group
Singapore's Cyber Security Agency led a major operation to remove the China-linked APT group UNC3886 from telecom networks, marking the country's largest cyber defense effort. Operation Cyber Guardian involved over 100 personnel from government, military, intelligence, and industry, working collaboratively to secure telecom infrastructure. UNC3886 infiltrated all four major telecom providers, using an unknown vulnerability and custom rootkits to maintain a low-profile presence within critical network systems. The group's activities focused on extracting technical network information for long-term intelligence rather than immediate disruptions or data theft. Singapore's response included identifying compromised devices, closing access paths, patching vulnerabilities, and enhancing monitoring to prevent reinfiltration. The incident underscores the vulnerability of telecom networks, which are key targets due to their role in government, enterprise, and consumer communications. Singapore's experience serves as a warning to telecom operators globally to anticipate sophisticated threats and strengthen their defensive measures.
2026-02-10 13:21:19 bleepingcomputer VULNERABILITIES Microsoft Introduces Enhanced Security Controls for Windows 11 Users
Microsoft plans to implement mobile-style app permission prompts in Windows 11, enhancing user control over app access to sensitive resources like files, cameras, and microphones. The "Windows Baseline Security Mode" will enable runtime integrity safeguards by default, ensuring only properly signed apps, services, and drivers can operate. Users will receive clear prompts to grant or deny app permissions, similar to smartphone systems, and can revoke access at any time, increasing transparency and control. This initiative is part of Microsoft's Secure Future Initiative, launched after a U.S. Cyber Safety Review Board report criticized Microsoft's security culture following a breach by Chinese hackers. Microsoft collaborates with developers and enterprises for a phased rollout, adjusting based on feedback, aiming to bolster security and privacy across its ecosystem. Additional security measures include securing Entra ID sign-ins, disabling ActiveX controls in Microsoft 365, and updating security defaults to block legacy authentication protocols. These updates aim to provide users and IT administrators with better visibility and control, raising the security and privacy standards for Windows users.
2026-02-10 13:04:04 bleepingcomputer MALWARE ZeroDayRAT Mobile Malware Threatens Android and iOS Devices
ZeroDayRAT is a new commercial spyware platform targeting Android and iOS devices, offering full remote control to cybercriminals via Telegram. The malware supports Android versions 5 through 16 and iOS up to version 26, allowing comprehensive device management through a detailed control panel. Capabilities include real-time surveillance, data theft, financial fraud, GPS tracking, and activation of cameras and microphones for live feeds. Keylogging and credential theft features pose significant risks, including bypassing two-factor authentication and targeting cryptocurrency and banking apps. The malware's delivery method remains unspecified, but its potential impact on enterprise security and individual privacy is substantial. Researchers recommend downloading apps only from official stores and enabling security features like Lockdown Mode on iOS and Advanced Protection on Android. Organizations should remain vigilant as compromised employee devices could lead to broader security breaches.