2026-02-23

Security news rarely moves in a straight line. This week, it feels more like a series of sharp turns, some happening quietly in the background, others playing out in public view. The details are different, but the pressure points are familiar.

Across devices, cloud services, research labs, and even everyday apps, the line between normal behavior and hidden risk keeps getting thinner. Tools meant to protect, update, or improve systems are also becoming pathways when something goes wrong.

This recap gathers the signals in one place. Quick reads, real impact, and developments that deserve a closer look before they become next week’s bigger problem.

⚡ Threat of the Week

Dell RecoverPoint for VMs Zero-Day Exploited — A maximum-severity vulnerability in Dell RecoverPoint for Virtual Machines has been exploited as a zero-day by a suspected China-nexus threat cluster dubbed UNC6201 since mid-2024. The activity involves the exploitation of CVE-2026-22769 (CVSS score: 10.0), a case of hard-coded credentials affecting versions prior to 6.0.3.1 HF1. Per Google, the hard-coded credential relates to an "admin" user for the Apache Tomcat Manager instance that could be used to authenticate to the Dell RecoverPoint Tomcat Manager, upload a web shell named SLAYSTYLE via the "/manager/text/deploy" endpoint, and execute commands as root on the appliance to drop the BRICKSTORM backdoor and its newer version dubbed GRIMBOLT.
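The deployment path described above leaves a trail in the Tomcat access log, so a defender can hunt for it. The following is an added example (not code from Google, Dell, or the report) that parses Tomcat's default "common" access-log format, flags every call to the Manager text interface, and then flags later requests to any context that such a call deployed; the log lines are constructed, and the `admin` user, `/ws` context and `cmd.jsp` name are illustrative assumptions, not indicators from the page.

```python
import re
from typing import Dict, List, Optional

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
MANAGER_TEXT = "/manager/text/"  # Tomcat Manager's scriptable (text) interface

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into named fields; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def deployed_context(target: str) -> Optional[str]:
    """Context path named in a deploy request: '...deploy?path=/ws' -> '/ws'."""
    q = re.search(r"[?&]path=(/[^&\s]*)", target)
    return q.group(1) if q else None

def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Flag Manager text-API calls (success or failure) and later traffic to contexts they deployed."""
    findings: List[Dict[str, str]] = []
    deployed: set = set()
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue
        path = r["target"].split("?", 1)[0]  # drop the query string
        if path.startswith(MANAGER_TEXT):
            action = path[len(MANAGER_TEXT):]
            reason = f"manager text API '{action}' as user {r['user']} -> {r['status']}"
            ctx = deployed_context(r["target"])
            if action == "deploy" and r["status"] == "200" and ctx:
                deployed.add(ctx)  # remember what got installed
        elif any(path == c or path.startswith(c + "/") for c in deployed):
            reason = "request to a context deployed through the manager API"
        else:
            continue
        findings.append({**r, "reason": reason})
    return findings

# Constructed sample log (not from any real incident): normal traffic, a WAR
# deploy as "admin", a hit on the new context, and a rejected list call.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Feb/2026:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '10.0.0.9 - admin [20/Feb/2026:10:02:13 +0000] "PUT /manager/text/deploy?path=/ws HTTP/1.1" 200 41',
    '10.0.0.9 - - [20/Feb/2026:10:02:20 +0000] "POST /ws/cmd.jsp HTTP/1.1" 200 512',
    '10.0.0.7 - admin [20/Feb/2026:10:05:00 +0000] "GET /manager/text/list HTTP/1.1" 401 0',
]
```

Running `scan(SAMPLE_LOG)` returns three findings: the successful deploy, the POST into the freshly deployed context, and the rejected `list` call; the ordinary page view is ignored. On an appliance where the Manager text interface is never used legitimately, any hit on it is worth an alert regardless of status.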

🔔 Top News

Former Google Engineers Indicted Over Alleged Trade Secret Theft — Two former Google engineers and one of their husbands have been indicted in the U.S. for allegedly committing trade secret theft from the search giant and other tech firms and transferring the information to unauthorized locations, including Iran. Samaneh Ghandali, 41, and her husband Mohammadjavad Khosravi (aka Mohammad Khosravi), 40, along with her sister Soroor Ghandali, 32, were accused of conspiring to commit trade secret theft from Google and other leading technology companies, theft and attempted theft of trade secrets, and obstruction of justice. The defendants are said to have transferred hundreds of sensitive files to a third-party communications platform and then accessed them from Iran after Samaneh Ghandali and Khosravi traveled to Iran in December 2023.

— Researchers at ESET analyzed what they described as the first Android malware to leverage generative artificial intelligence (AI) during its execution to set up persistence. Called PromptSpy, the malware uses Google Gemini to analyze the current screen and provide step-by-step instructions on how to ensure the malicious app remains pinned in the recent apps list by taking advantage of the operating system's accessibility services. There are signs that the campaign is likely targeting users in Argentina. Google told The Hacker News that it did not find any apps containing the malware being distributed via Google Play.

Kenyan Dissident's Phone Cracked Using Cellebrite's Tool — Evidence has emerged that Kenyan authorities used a commercial forensic extraction tool manufactured by Israeli company Cellebrite to break into a prominent dissident's phone. The Citizen Lab said it found the indicators on a personal phone belonging to Boniface Mwangi, a Kenyan pro-democracy activist who has announced plans to run for president in 2027. In a related development, Amnesty International found that the iPhone belonging to Teixeira Cândido, an Angolan journalist and press freedom advocate, was successfully targeted by Intellexa's Predator spyware in May 2024 after he opened an infected link received via WhatsApp.

‎️‍🔥 Trending CVEs

New vulnerabilities surface daily, and attackers move fast. Reviewing and patching early keeps your systems resilient.

Here are this week’s most critical flaws to check first — CVE-2026-22769 (Dell RecoverPoint for Virtual Machines), CVE-2026-25926 (Notepad++), CVE-2026-26119 (Microsoft Windows Admin Center), CVE-2026-2329 (Grandstream GXP1600 series), CVE-2025-65717 (Live Server), CVE-2026-1358 (Airleader Master), CVE-2026-25108 (FileZen), CVE-2026-25084, CVE-2026-24789 (ZLAN), CVE-2026-2577 (Nanobot), CVE-2026-25903 (Apache NiFi), CVE-2026-26019 (@langchain/community), CVE-2026-1670 (Honeywell CCTV), CVE-2025-7740 (Hitachi Energy SuprOS), CVE-2025-61928 (better-auth), CVE-2026-20140 (Splunk Enterprise for Windows), CVE-2026-27118 (@sveltejs/adapter-vercel), CVE-2026-27099, CVE-2026-27100 (Jenkins), CVE-2026-24733 (Apache Tomcat), CVE-2026-2648, CVE-2026-2649, CVE-2026-2650 (Google Chrome), CVE-2025-29969 (Windows Fundamentals), CVE-2025-64127, CVE-2025-64128, CVE-2025-64129, CVE-2025-64130 (Zenitel), CVE-2025-32355, CVE-2025-59793 (TRUfusion Enterprise), CVE-2026-1357 (WPvivid Backup plugin), CVE-2025-9501 (W3 Total Cache plugin), CVE-2025-13818 (ESET Management Agent for Windows), CVE-2025-11730 (ZYXEL ATP/USG series), CVE-2025-67303 (ComfyUI), and Joomla! unauthenticated file read, unauthenticated file deletion, and SQL injection vulnerabilities in Novarain/Tassos Framework (no CVEs).

🎥 Cybersecurity Webinars

Learn How to Future-Proof Your Encryption Before Quantum Breaks It → Quantum computing is accelerating, and attackers are harvesting encrypted data for future decryption. This webinar covers practical post-quantum cryptography, hybrid encryption, and Zero Trust strategies to protect sensitive data before quantum threats become real.

Beyond the Model: Securing AI Agents in Real-World Systems → As organizations deploy autonomous AI agents with tool access and system permissions, the attack surface shifts beyond the model itself. This session explores indirect prompt injection, privilege escalation, multi-agent risk, and practical strategies to secure real-world AI systems without breaking workflows.

Pressure-Test Your Controls With Continuous CTI-Driven Validation → Security budgets are rising, yet breaches continue. This session shows how to move beyond assumption-based testing to continuous, CTI-driven exposure validation—pressure-testing controls against real attacker behavior, automating security checks, and building measurable resilience without overspending.

📰 Around the Cyber World

Online Store Infected with Skimmer — The online store of a top-10 global supermarket chain has been infected with skimmer malware that checks for admin users of WordPress, Magento, PrestaShop, and OpenCart in order to evade detection. "The attack combines two components: a seemingly off-the-shelf skimmer framework with integrations for four popular e-commerce platforms, and a carefully localized fake payment form," Sansec said. "This fraud is called 'double-tap skimming': customers enter their card details into the fake form first, then see the real payment form where they have to enter their data again. Most people just accept that and complete the order, unaware their data was just stolen." The breach coincides with a broader wave of attacks targeting PrestaShop stores. In January 2026, PrestaShop urged merchants to check their stores for skimmers injected into theme template files.

— Claroty has called attention to security risks posed by the LonTalk proprietary protocol that's used for device-to-device communication in building management and automation systems (BMS and BAS). "LonTalk should not be underestimated as an attack vector for hacktivists and criminal entities, especially as BMS is enabled over IP networks," the company said. "LonTalk is certainly still relevant to BMS cybersecurity discussions, especially as BMS finds its way online for a number of strategic and bottom-line reasons. Commercial real estate, retail, hospitality, and data center sectors rely on BMS systems such as HVAC (heating, ventilation, and air conditioning), lighting, energy management, and security. Previously, these systems were operated independently by facility management, but they are now increasingly connected and integrated through advanced BMS and BAS capabilities."

GrayCharlie Uses Compromised WordPress Sites to Deliver RATs — A threat actor known as GrayCharlie (aka HANEYMANEY, SmartApeSG, and ZPHP) has been observed compromising WordPress sites and injecting them with links to externally hosted JavaScript that redirects visitors to NetSupport RAT payloads delivered via fake browser update pages or ClickFix mechanisms. The threat first emerged in mid-2023. "These infections often progress to the deployment of StealC and SectopRAT," Recorded Future said. While most compromised websites appear to be opportunistic and span numerous industries, the cybersecurity company said it identified a cluster of U.S. law firm sites that were likely compromised around November 2025, likely through a supply chain attack involving a shared IT provider.

— Microsoft said it will start rolling out Brand Impersonation Protection for Teams Calling starting mid-March 2026 to detect and warn users of suspicious external calls to reduce fraud risks. "It will be enabled by default, requires no admin action, and aims to enhance security without changing existing policies," Microsoft said. The tech giant is also planning to introduce a "Report a Call" feature by mid-March 2026 to let users flag suspicious one-to-one calls.

2025 Records 508 ICS Advisories from CISA — Between March 2010 and January 31, 2026, CISA/ICS-CERT published 3,637 ICS advisories about 12,174 vulnerabilities affecting 2,783 products from 689 vendors, Forescout said. 2025 recorded a high of 508 ICS advisories, covering 2,155 vulnerabilities across various products and vendors. The development marks the first year exceeding 500 advisories. The average severity rose to a CVSS score of 8.07, and 82% of advisories were classified as high or critical. In contrast, back in 2010, the average was 6.44, which falls into the medium severity band.

— New research has uncovered that Samsung's pre-installed weather app is fingerprinting its users by means of a "placeid" parameter that's trivially observable by the weather API provider. A test conducted on 42 Samsung devices found that the fingerprints were unique per device and survived IP changes across providers and VPN use. "Analysis of 9,211 weather API requests from 42 Samsung device owners over five days demonstrates that placeid combinations produce unique user identifiers in 96.4% of cases," Buchodi's Threat Intel said. "Every user with two or more saved locations had a fingerprint shared by no one else in the dataset." This, in turn, turns saved locations into a persistent cross-session tracking identifier, as each placeid identifies a unique location. The fingerprint represents an aggregate of all placeid values associated with a device's saved locations. In other words, a user who tracks a combination of more than two or three locations can be uniquely identified.

DDoS Attacks Jump 168% in 2025 — A new analysis released by Radware has revealed that the number of web DDoS attacks climbed 101.4% in 2025 compared to 2024, and bad bot activity increased 91.8%, fueled by generative AI tools. Malicious web application and API transactions rose 128% year over year. Network-layer DDoS attacks increased 168.2% year over year, with peak attack volumes reaching almost 30 terabits per second (Tbps). "Technology, telecommunications, and financial services were the most targeted sectors, together accounting for the majority of large-scale network DDoS campaigns," Radware said. "The technology sector alone represented 45% of all network-layer DDoS attacks, up sharply from 8.77% in 2024." Hacktivism, fueled by geopolitical and ideological conflict, remained a primary driver of DDoS activity.

— Qualys said it discovered more than 2,500 malicious images hosted on Docker Hub. Of these, around 70% contained a hidden cryptominer. Others included backdoors, exploits, ransomware, keyloggers, and proxy infrastructure. "Pulling container images from public registries is no longer a neutral operational step," the company said. "It is a trust decision that directly affects infrastructure stability, cloud costs, and security risk."

Nearly 1T Scam Ads Served on Social Media in 2025 — According to new findings from Juniper Research, online tech platforms made £3.8 billion ($5.2 billion) in revenue from malicious or scam ads in Europe alone. Nearly 1 trillion scam ads were served to social media users in 2025. The analyst firm also revealed earlier this month that e-commerce fraud will rise from $56 billion in 2025 to $131 billion in 2030, a 133% increase over the period.

— The head of Russia's FSB security service accused Telegram of harboring criminal activity and failing to act on reports from Russian authorities. FSB chief Bortnikov said Telegram ignored more than 150,000 removal requests from Russian authorities. Russian officials also claimed that foreign intelligence services could read messages sent by Russian soldiers over the app. The messaging platform said "no breaches of Telegram's encryption have ever been found." The development comes as Russia started blocking and throttling Telegram traffic last week.

Nigerian Man Sentenced to Eight Years in Prison for Bogus Tax Refund Scheme — A 37-year-old Nigerian man named Matthew A. Akande, who was living in Mexico, was sentenced to eight years in prison in the U.S. for his involvement in a criminal operation that involved unauthorized access to the computer networks of tax preparation firms in Massachusetts. Between about June 2016 and June 2021, Akande conspired to use stolen taxpayer information to file over 1,000 fraudulent tax returns seeking millions of dollars in tax refunds, the Justice Department said. The defendant was also ordered to pay $1,393,230 in restitution. He was arrested in October 2024 in the U.K. and extradited to the U.S. in March 2025. "To carry out the scheme, Akande caused fraudulent phishing emails to be sent to five Massachusetts tax preparation firms," the department said. "The emails purported to be from a prospective client seeking the tax preparation firms’ services, but in truth were used to trick the firms into downloading remote access trojan malicious software (RAT malware), including malware known as Warzone RAT. Akande used the RAT malware to obtain the PII and prior year tax information of the tax preparation firms' clients, which Akande then used to cause fraudulent tax returns to be filed seeking refunds." Warzone RAT's infrastructure was seized by the U.S. Federal Bureau of Investigation in February 2024.

🔧 Cybersecurity Tools

Gixy Next → It is an open-source security analysis tool designed to audit NGINX configurations for common misconfigurations and vulnerabilities. It scans configuration files to detect issues such as unsafe directives, incorrect access controls, and insecure proxy settings that could expose applications to attacks. Built as a successor to the original Gixy project, it aims to provide updated checks and improved rule coverage for modern NGINX deployments.

The-One-WSL-BOF → It is an open-source Cobalt Strike Beacon Object File that lets operators interact with Windows Subsystem for Linux (WSL) directly from a Beacon session. It can list WSL distributions and run commands inside them without launching wsl.exe, reducing visible process activity and some logging artifacts.

Disclaimer: These tools are provided for research and educational use only. They are not security-audited and may cause harm if misused. Review the code, test in controlled environments, and comply with all applicable laws and policies.

Conclusion

If one theme runs through this week, it is quiet exposure. Risk is showing up in routine updates, trusted tools, and features most teams rarely question until something breaks.

The real issue is not a single flaw but the pattern beneath it. Small weaknesses are being chained together and scaled with automation faster than defenders can adjust.

Scan the full list carefully. One of these short updates will likely map closer to your own environment than it first appears.