Cybersecurity News | Daily Recap [28 Feb 2026]

Daily Recap: North Korea-linked operators use removable drives and Zoho WorkDrive C2 in the Ruby Jumper campaign to deploy RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK and FOOTWINE, bridging air-gapped networks and exfiltrating data. The recap also covers MuddyWater’s Rust-based payload for patient espionage, RESURGE on Ivanti Connect Secure with CVE-2025-0282, widespread FreePBX web shells after CVE-2025-64328, Apex One RCE patches, and policy actions around Anthropic, EU youth safeguards, Samsung ACR privacy, and other related incidents. #RubyJumper #ZohoWorkDrive #RESTLEAF #SNAKEDROPPER #THUMBSBD #VIRUSTASK #FOOTWINE #ScarCruftUSB #MuddyWater #nomercys_it #RESURGE #IvantiConnectSecure #CVE-2025-0282 #FreePBX #CVE-2025-64328 #SangomaFreePBX #ApexOne #ApexOneRCE #TrendMicro #Anthropic #Trump #EUYouthRules #SamsungACR #ManoManoBreach #OnlyFake #Predator #Oblivion #InsiktGroup #OperationZero

State-backed APTs

  • North Korea-linked operators use removable drives and Zoho WorkDrive C2 in the Ruby Jumper campaign, deploying RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK and FOOTWINE to bridge air-gapped networks and exfiltrate data – Ruby Jumper, ScarCruft USB
  • MuddyWater conducts patient espionage by abusing RMM and macros to deliver a Rust-based payload disguised as legitimate files (e.g., Certificationkit.ini/reddit.exe) that phones home to nomercys.it – MuddyWater Rust

Exploits & Implants

  • CISA warns that the RESURGE implant, which exploited CVE-2025-0282 in Ivanti Connect Secure, can remain dormant until it receives a crafted TLS handshake, and includes components such as libdsupgrade.so and a SpawnSloth variant – RESURGE Alert
  • Over 900 Sangoma FreePBX instances remain infected with web shells (EncystPHP) after exploitation of CVE-2025-64328, with intrusions linked to INJ3CTOR3; vendors urge updates and restricted admin access – FreePBX Webshells, FreePBX Webshells
  • Trend Micro released patches for two critical RCEs in Apex One’s management console caused by path traversal flaws and urges immediate updates (Critical Patch Build 14136) – Apex One RCE

Ransomware & Access

  • The current SMB ransomware wave is being fueled by Initial Access Brokers and infostealers, requiring proactive intelligence to surface compromised credentials before they’re weaponized – SMB Ransomware
  • Trojanized gaming tools are spreading a Java-based RAT that stages a portable Java runtime, runs a malicious jd-gui.jar, disables defenses, establishes persistence, and exfiltrates to 79.110.49.15 – Java RAT

Policy & Privacy

  • President Trump ordered federal agencies to phase out Anthropic tech amid a Pentagon supply-chain risk designation and threats of contract and DPA action over AI military use and safety – Anthropic Ban, Anthropic Supply
  • EU lawmakers recommend barring under-16s from social media without parental consent and Instagram will alert parents when teens repeatedly search for self-harm terms as platforms expand safeguards internationally – EU Youth Rules, Instagram Alerts
  • Samsung agreed to stop collecting ACR viewing data from Texas consumers without consent and will add clear consent screens after suit by the state AG – Samsung ACR

Crime & Fraud

  • The DoJ seized $61 million in Tether tied to pig-butchering scams run from Southeast Asia, part of laundering networks that coerce operators and route stolen funds through multiple wallets – Tether Seizure
  • Ukrainian operator Yurii Nazarenko pleaded guilty to running OnlyFake, an AI-driven site that generated over 10,000 fake IDs used to bypass KYC; he agreed to forfeit $1.2 million and faces prison time – OnlyFake Guilty
  • Meta filed lawsuits against advertisers in Brazil, China and Vietnam linked to celeb-bait scams, while suspending payments and blocking scam infrastructures and domains – Meta Lawsuits

Breaches & Data Theft

  • A January compromise of a third-party support provider exposed data for roughly 38 million ManoMano customers (names, emails, phones, tickets, attachments); the company revoked access and notified authorities – ManoMano Breach, ManoMano Breach

Insider & Espionage

  • Former USAF Major Gerald Eddie Brown was arrested for conspiring to provide combat flight training to the People’s Liberation Army Air Force with convicted hacker Stephen Su Bin, in violation of ITAR – Air Force Arrest
  • A Greek court sentenced Intellexa founder Tal Dilian and associates over unlawful use of Predator spyware in mass surveillance cases, delivering combined terms capped at 8 years under Greek law – Intellexa Verdict

Cloud & API Security

  • Exposed client-side Google API keys can authenticate to Gemini, with researchers finding nearly 3,000 live keys that could leak private AI data and incur costly API calls; Google and TruffleSecurity have issued mitigations – Gemini Keys

Patching & Third-Party Risk

  • Common third-party software (PDF readers, office suites, email clients, RMM) significantly enlarges the enterprise attack surface; continuous patching of and visibility into third-party software are critical to reducing risk that scales with every installed product – Third-Party Patching

Threat Intel & Geopolitics

  • Insikt Group warns Russia may escalate to coordinated “New Generation Warfare,” combining cyber operations, sabotage and influence campaigns against NATO partners over the coming years – Russia Warfare
  • The U.S. Treasury sanctioned Sergey Zelenyuk and Matrix LLC (Operation Zero) for brokering stolen U.S. exploits to unauthorized customers and intelligence buyers – Operation Zero
  • Weekly roundups synthesize developments from space security and AI-agent vulnerabilities to malware like Predator and Oblivion, underscoring growing interconnections between tech, policy and threat actors – SecurityWeek Roundup, Cyber Express

Cybersecurity News | Daily Recap – hendryadrian.com