Daily Recap: the Android malware PromptSpy uses Google's Gemini at runtime to drive UI actions, deploy a VNC module, steal unlock credentials, and block uninstallation. Infostealers are becoming primary entry points, with incidents tied to Bitter APT; Volt Typhoon remains embedded in US utilities; and ransomware hits Advantest and tribal services, underscoring ongoing risk to critical infrastructure and government services. #PromptSpy #VoltTyphoon
Android & AI Malware
- PromptSpy uses Google's Gemini generative AI at runtime: it sends the current screen's UI XML to the model and receives JSON tap/swipe instructions, which it uses to pin itself in Recent Apps, deploy a VNC module, steal unlock credentials, and block uninstallation (removal requires booting into Safe Mode) [Source: PromptSpy AI]
Infostealers & Credential Risks
- Infostealers are evolving into primary entry points: harvested tokens, cookies, AI memories and credentials feed operator pipelines and fuel APT intrusions, sextortion and high-fidelity targeted attacks, with incidents tied to groups such as Bitter APT [Source: Infostealer Trends, Infostealer Identity]
Nation-state & Critical Infrastructure
- Volt Typhoon (Chinese-linked) remained embedded in US utilities through 2025, pre-positioning in OT networks for disruptive strikes, and many breaches of smaller operators in the sector may still be undiscovered [Source: Volt Typhoon]
- Three former Google employees were indicted for allegedly stealing processor security and cryptography trade secrets and transferring them to locations including Iran; they are accused of exfiltration, obstruction, and evidence deletion [Source: Google Engineers]
Ransomware & Targeted Attacks
- Japanese semiconductor test-equipment supplier Advantest is responding to a ransomware incident that impacted multiple systems; it has isolated affected networks and launched an investigation, amid a wider surge in attacks on industrial firms [Source: Advantest Ransom]
- A ransomware gang shut down schools and threatened the Cheyenne and Arapaho Tribes, underscoring ongoing extortion risks to tribal services and education systems [Source: Tribes Threat]
Financial Crime & Law Enforcement
- INTERPOL's Operation Red Card 2.0 across 16 African countries led to 651 arrests, recovery of more than $4.3 million, disruption of scams tied to roughly $45 million in losses, and seizure of devices and infrastructure over eight weeks [Source: Operation Red Card]
- The FBI reports more than 700 ATM jackpotting incidents in 2025 (over $20 million in losses) and roughly 1,900 in total since 2020, with Ploutus-family malware giving attackers direct control of the ATM once they have physical access [Source: ATM Jackpotting]
- A Nigerian national was sentenced to 8 years for hacking Massachusetts tax firms using Warzone RAT, gaining access via CEO-impersonation phishing and filing more than 1,000 fraudulent returns seeking roughly $8.1 million in refunds [Source: Hacker Sentenced]
Data Breaches & Exposures
- France's economy ministry disclosed a breach of the FICOBA registry exposing roughly 1.2 million bank accounts after an official's credentials were stolen; the access has been terminated and notifications issued [Source: FICOBA Breach]
- Blockchain lender Figure Technology suffered a breach in which roughly 967,000 user records (names, dates of birth, addresses, phone numbers) were reportedly leaked following a social-engineering incident; ShinyHunters published a data dump of about 2.4 GB [Source: Figure Breach]
Vulnerabilities & Emergency Patching
- A critical stack-buffer overflow (CVE-2026-2329) in Grandstream GXP1600 VoIP phones allows unauthenticated remote root and silent call eavesdropping; Rapid7 has released exploitation details and Grandstream has published firmware 1.0.7.81, so administrators should update immediately [Source: Grandstream Flaw]
- CISA ordered federal agencies to patch a maximum-severity hardcoded-credential flaw in Dell RecoverPoint (CVE-2026-22769) within three days; the flaw has been actively exploited since mid-2024 by an actor tracked as suspected UNC6201, which deployed payloads including SLAYSTYLE, BRICKSTORM, and GRIMBOLT [Source: Dell Patch Order]
Policy, Platform & Industry
- The UK will require tech firms to remove nonconsensual intimate images within 48 hours, mandate cross-platform takedowns and hashing, and give Ofcom/DSIT powers to fine or block noncompliant services, following nudification incidents linked to Grok [Source: UK Takedown Rule]
- Google blocked more than 1.75 million Play submissions in 2025 and rejected over 255,000 apps for excessive sensitive-data access after expanding AI-assisted reviews, Play Protect, and Android 16 defenses [Source: Play Store Blocks]
- Venice Security (formerly Valkyrie) emerged from stealth with $33M in funding, including a $25M Series A led by IVP, to launch an adaptive privileged access management platform that removes standing privileges across cloud, on-prem and SaaS environments [Source: Venice Security]