Daily Recap: today’s briefing covers a surge of mobile threats led by PromptSpy leveraging Google Gemini for Android phishing in Argentina, along with the Massiv banking malware and Keenadu infections spanning Russia, Japan, Germany, Brazil and the Netherlands. The update also highlights critical CVEs in Dell RecoverPoint for VMs, several VS Code extensions, Grandstream GXP1600 and Honeywell CCTV, notable incidents such as the Figure breach and ScreenConnect hijacks, the evolving use of surveillance tools, and recent enforcement actions such as Red Card 2.0, with AI governance and security funding developments shaping the broader cyber landscape. #PromptSpy #Gemini #Argentina #Massiv #ChaveMovelDigital #Keenadu #Russia #Japan #Germany #Brazil #Netherlands #BRICKSTORM #GRIMBOLT #DellRecoverPointForVMs #VSCode #Grandstream #Honeywell #SmarterMail #Figure #ScreenConnect #VoltTyphoon #Cellebrite #Predator #TPLink #EX1227432 #Copilot #Grok #RedCard2
Mobile Threats
- PromptSpy embeds Google Gemini for context-aware UI automation and persistence in Android phishing campaigns targeting Argentina. – PromptSpy AI
- New Android banking malware Massiv poses as an IPTV app and uses overlays, keylogging and Accessibility-service abuse to steal identities and bypass protections, with Portugal's Chave Móvel Digital among its targets. – Massiv Banking
- Firmware backdoor Keenadu is preinstalled or delivered via OTA, linked to ad‑fraud botnets and ~13,000 infections across Russia, Japan, Germany, Brazil and the Netherlands, often requiring clean firmware or device replacement. – Keenadu Infections, Keenadu Firmware
Vulnerabilities & Patches
- Chinese state‑linked actors exploited CVE-2026-22769 in Dell RecoverPoint for VMs (used to deploy BRICKSTORM and GRIMBOLT), prompting CISA to order federal patching. – Dell Bug
- Critical flaws in four popular VS Code extensions (Live Server, Code Runner, Markdown Preview Enhanced, Microsoft Live Preview), with a combined >125–128 million installs, could enable RCE, file exfiltration and lateral movement from developer machines. – VS Code Flaws, VS Code Report
- Unauthenticated stack‑based overflow CVE-2026-2329 in Grandstream GXP1600 VoIP phones allows root RCE; vendor patched in firmware 1.0.7.81. – Grandstream RCE
- Critical auth‑bypass CVE-2026-1670 in Honeywell CCTV products (CVSS 9.8) lets unauthenticated attackers change recovery emails and take over camera accounts. – Honeywell CCTV
- Flaws in SmarterMail (CVE-2026-24423, CVE-2026-23760) were rapidly weaponized via Telegram, with PoCs and stolen credentials leading to mass exploitation and ransomware activity. – SmarterMail Flaws
- Vulnerabilities in popular PDF platforms allowed account takeover and data exfiltration, prompting urgent patches and mitigations. – PDF Flaws
Breaches & Campaigns
- Fintech Figure suffered a breach exposing ~967,200 accounts (personal/contact data) after a social‑engineering attack; extortion group ShinyHunters claimed responsibility and posted ~2.5GB of loan applicant data. – Figure Breach
- Attackers impersonated the US Social Security Administration to trick users into running a .cmd script that disables defenses and installs ConnectWise ScreenConnect as a persistent RAT across the US, UK, Canada and Northern Ireland. – ScreenConnect Hijack
Nation-state & Surveillance
- Dragos warned a Beijing‑linked crew remains embedded in US electric, oil and gas networks (noting long‑term Voltzite activity, Sierra Wireless AirLink abuse and the JDY botnet) as new OT groups emerge. – VoltTyphoon Report
- Citizen Lab found indicators that Kenyan authorities used Cellebrite forensic tools on an activist’s phone while in custody, and separate probes confirmed Intellexa’s Predator spyware was used against a journalist, highlighting abuse of commercial surveillance tools. – Cellebrite Findings
- Texas filed suit alleging TP‑Link products allow unauthorized access by China, escalating legal pressure on networking vendors amid national‑security concerns. – TP‑Link Lawsuit
Microsoft Platform Issues
- An Exchange Online heuristic logic error (tracked as EX1227432) caused anti‑phishing rules to mistakenly block thousands of legitimate URLs in emails and Microsoft Teams between Feb 5–12, triggering removals and misleading alerts. – Anti‑phishing Error
- Microsoft confirmed a Copilot “work tab” bug was summarizing confidential emails from Sent Items and Drafts—bypassing sensitivity labels and DLP controls—and is rolling out fixes while notifying affected users. – Copilot Bug
AI & Industry
- Researchers showed AI assistants with web‑fetching (e.g., Grok, Microsoft Copilot) can be abused as stealthy C2 relays by malware using WebView2 to fetch attacker URLs and parse chat outputs. – AI C2 Abuse
- At the India AI Impact Summit, leaders urged action to scale AI in classrooms responsibly—calling for teacher training, transparent policies, interoperable infrastructure and strong governance—and warned that cyber readiness must accompany AI deployment. – AI Education, Responsible AI
- Cogent Security raised $42 million in Series A to build agentic AI for autonomous vulnerability remediation and workflow integration, bringing total funding to $53 million. – Cogent Funding
Law Enforcement & Crackdowns
- INTERPOL‑coordinated Operation Red Card 2.0 led to 651 arrests across 16 countries, recovery of >$4.3M, identification of 1,247 victims, seizure of 2,341 devices and takedown of 1,442 malicious sites linked to >$45M in losses. – Operation Red Card 2.0