![Threat Research | Weekly Recap [22 Feb 2026]](https://www.hendryadrian.com/tweet/image/WeeklyRecap.png "Threat Research | Weekly Recap [22 Feb 2026]")
Cybersecurity Threat Research ‘Weekly’ Recap: This overview highlights infostealers, RATs, supply-chain and CI/AI toolchain compromises, vulnerabilities, ransomware activity, and phishing campaigns, featuring notable actors and families such as CharlieKirk, XWorm, SANDWORM_MODE, QakBot, and Lynx. It also emphasizes trends like AI-driven C2 abuse, adaptive phishing via Telegram, firmware and mobile backdoors, and notable incidents involving Dell RecoverPoint, Ivanti EPMM, BeyondTrust, and SolarWinds WHD. #CharlieKirk #ArkanixStealer #MIMICRAT #ClickFix #LunarApplication #XWorm #TrustConnect #DocConnect #Foxveil #GrayCharlie #AtlassianJira #SANDWORM_MODE #Notepad++ #LotusBlossom #Chrysalis #UNC6201 #DellRecoverPoint #BeyondTrust #IvantiEPMM #SolarWindsWHD #IngressNGINX #QakBot #SinobiRansomware #LynxRansomware #Keenadu #Velociraptor #Cloudflared #DaisyCloud #Redline
Tag: SSO
Arkanix Stealer, an information‑stealing operation promoted on dark web forums in late 2025, offered modular Python and premium C++ builds with VMProtect and extensive data‑theft capabilities across browsers, wallets, messengers, and gaming platforms. Kaspersky researchers found indicators of LLM‑assisted development, a short‑lived Discord community and referral program, and published IoCs while the operator abruptly took down the project two months after launch. #ArkanixStealer #Kaspersky
Thegentlemen claim to have compromised Line Up Korea Co., Ltd., a South Korean IT consulting company, encrypting systems and exfiltrating data. They threaten to leak the stolen information unless a ransom is paid. #SouthKorea
A ransomware claim alleges that thegentlemen targeted Sasin Colleges & Universities in Thailand, threatening to encrypt systems and leak data. The claim ties the incident to Sasin School of Management, Thailand’s first internationally accredited business school established in 1982, which offers MBA, Executive MBA, DBA, and custom executive education. #Thailand
Pollo Cibao, a Dominican Republic-based poultry producer and processor with over 1,800 direct employees, is identified as the victim in a ransomware claim attributed to thegentlemen. The claim notes Pollo Cibao’s involvement in incubation, raising, fattening, processing of poultry and manufacturing of animal feed, with the Dominican Republic identified as the impacted country. #DominicanRepublic
Intellexa’s Predator spyware can suppress iOS recording indicators to secretly stream camera and microphone feeds from infected devices. Jamf’s analysis shows Predator hooks SpringBoard’s sensor update path (HiddenDot::setupHook) to nullify SBSensorActivityDataProvider and prevent the green/orange dots from appearing, while using ARM64 pattern matching and PAC redirection to enable camera access. #Predator #Intellexa
A Russian-speaking, financially motivated actor used commercial generative AI to automate scanning and brute-force attacks against exposed FortiGate management interfaces, compromising over 600 devices in 55 countries. Amazon Threat Intelligence found the campaign leveraged multiple AI tools to scale credential harvesting, Active Directory compromise, and targeting of backup infrastructure consistent with…
Socket’s Threat Research Team discovered a Shai-Hulud-like supply chain worm campaign tracked as SANDWORM_MODE that spread through at least 19 typosquatting npm packages and a malicious GitHub Action, harvesting developer and CI secrets, exfiltrating via HTTPS/GitHub API/DNS, and persisting via git hooks and MCP server injection targeting AI coding assistants. npm, GitHub, and Cloudflare removed related infrastructure, but defenders must treat the identified packages and injected workflows as active compromise risks and rotate/revoke affected tokens, audit global git templates, and inspect AI assistant configs for rogue MCP servers. #SANDWORM_MODE #suport-color
CharlieKirk Grabber is a Python-based Windows infostealer that performs rapid “smash-and-grab” credential harvesting, system reconnaissance, and immediate exfiltration using legitimate Windows utilities and multithreading to minimize runtime. It stages browser credentials, Discord tokens, Wi‑Fi and game session artifacts, compresses them, uploads the archive to GoFile, and sends the download link via Discord or Telegram for attacker retrieval. #CharlieKirk #GoFile
Thieves stole over $20 million from compromised ATMs last year using ATM jackpotting, a malware-assisted technique that forces machines to dispense cash without bank authorization. The FBI warns of more than 1,900 incidents since 2020 (700+ in 2025), noting Ploutus exploits the XFS API and listing digital and physical indicators for…
Multiple critical vulnerabilities (CVE-2026-25715, CVE-2026-24455, CVE-2026-26049, CVE-2026-26048) in the Jinan USR IOT PUSR USR-W610 (…
FortiGuard Labs observed a phishing campaign delivering a new XWorm RAT variant via malicious Excel attachments that exploit CVE-2018-0802 to execute an HTA which runs JScript/PowerShell, loads a fileless .NET module, and deploys XWorm into Msbuild.exe via process hollowing. XWorm v7.2 communicates with AES-encrypted C2 servers (example: berlin101.com:6000), supports a modular plugin architecture and extensive control commands enabling full remote control, data exfiltration, DDoS, and ransomware capabilities. #XWorm #MicrosoftWindows
![Cybersecurity News | Daily Recap [20 Feb 2026]](https://www.hendryadrian.com/tweet/image/DailyRecap.png "Cybersecurity News | Daily Recap [20 Feb 2026]")
Daily Recap, Android and AI malware like PromptSpy are using Gemini at runtime to control UI actions, deploy a VNC module, steal unlock credentials, and prevent uninstallation. Infostealers are becoming key entry points linked to Bitter APT, Volt Typhoon remains embedded in US utilities, and ransomware incidents target Advantest and tribal services, highlighting ongoing risks to critical infrastructure and government services. #PromptSpy #VoltTyphoon
Elastic Security Labs discovered a multi-stage ClickFix campaign that compromises legitimate websites to deliver a five-stage chain culminating in a custom native RAT called MIMICRAT. The attack uses an obfuscated PowerShell downloader with ETW and AMSI bypass, a Lua-based in-memory loader and Meterpreter-like shellcode, and a C++ implant with token impersonation and SOCKS5 tunneling. #MIMICRAT #ClickFix
Advantest disclosed a ransomware attack that may have affected customer or employee data after an intruder gained access to parts of its corporate network on February 15. The company isolated affected systems, engaged third-party cybersecurity specialists, and says the investigation is ongoing while it prepares to notify any impacted individuals. #Advantest #NTT