Outlook Add-Ins Hijack, 0-Day Patches, Wormable Botnet & AI Malware
Tech Threat Recap: February 16, 2026
🚨 The Week’s Biggest Cyber Shocks
Malicious Outlook Add-in Hijacked for Mass Phishing
The legitimate AgreeTo Outlook add-in was compromised and weaponized to steal over 4,000 Microsoft credentials. Attackers seized control of an abandoned domain to serve fake login pages. “Office add-ins are especially dangerous because they run inside Outlook, where users handle their most sensitive communications,” warned Koi Security’s Idan Dardikman. Microsoft has removed the add-in from its store.
Google Chrome Zero-Day Actively Exploited
Google rushed security patches for CVE-2026-2441, a high-severity use-after-free bug in CSS that enables arbitrary code execution. The company confirmed the exploit exists in the wild but hasn’t disclosed who’s behind it or who’s being targeted. This marks the first actively exploited Chrome vulnerability patched by Google in 2026.
BeyondTrust Flaw Under Active Attack
Less than 24 hours after disclosure, CVE-2026-1731 (CVSS 9.9) in BeyondTrust Remote Support is being actively exploited. The critical vulnerability allows unauthenticated remote code execution through specially crafted requests. GreyNoise data shows a single IP accounted for 86% of reconnaissance activity.
Apple Patches Exploited Zero-Day
Apple released urgent updates for iOS, iPadOS, macOS, tvOS, watchOS, and visionOS to fix CVE-2026-20700, a memory corruption flaw in dyld (Dynamic Link Editor). The vulnerability enables arbitrary code execution for attackers with memory write capability. Google’s Threat Analysis Group discovered and reported the bug.
SSHStalker Botnet Returns with Classic Tactics
A new Linux botnet named SSHStalker uses Internet Relay Chat (IRC) for command-and-control operations. The toolkit spreads through automated SSH scanning and brute forcing, masquerading as nmap. Once compromised, hosts scan for additional SSH targets in worm-like fashion, using 15-year-old CVEs for privilege escalation and deploying cryptocurrency miners.
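The brute-force spread described above leaves a recognisable trail in sshd logs: a burst of failed logins from one source, sometimes followed by a success. As an added example that is not part of the original recap, the following Python snippet parses constructed sshd auth lines and flags that pattern; the log format, thresholds and sample addresses are assumptions, not details from the SSHStalker report.

```python
"""Flag SSH brute-force bursts and any later successful login from the same source."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines (syslog format, year not in the line; assumed 2026).
SAMPLE_LOG = """\
Feb 14 02:11:01 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 51122 ssh2
Feb 14 02:11:03 web1 sshd[2202]: Failed password for root from 198.51.100.7 port 51123 ssh2
Feb 14 02:11:05 web1 sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 51124 ssh2
Feb 14 02:11:07 web1 sshd[2204]: Failed password for root from 198.51.100.7 port 51125 ssh2
Feb 14 02:11:12 web1 sshd[2205]: Accepted password for root from 198.51.100.7 port 51126 ssh2
Feb 14 02:30:40 web1 sshd[2300]: Failed password for alice from 203.0.113.9 port 40001 ssh2
Feb 14 02:45:00 web1 sshd[2310]: Accepted publickey for alice from 203.0.113.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse(log_text, year=2026):
    """Return (timestamp, ip, user, result) tuples for sshd auth lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["result"]))
    return events

def detect_bruteforce(events, threshold=4, window_s=60):
    """Map source IP -> 'bruteforce' when >= threshold failures land inside window_s
    seconds, or 'bruteforce+success' when an Accepted login follows that burst."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    verdicts = {}
    for ip, evs in by_ip.items():
        fails = [ts for ts, _, _, r in evs if r == "Failed"]
        # Sliding window over failure timestamps: first burst of `threshold` within window_s.
        burst_end = next((fails[i + threshold - 1] for i in range(len(fails) - threshold + 1)
                          if (fails[i + threshold - 1] - fails[i]).total_seconds() <= window_s), None)
        if burst_end is None:
            continue
        verdicts[ip] = "bruteforce"
        if any(r == "Accepted" and ts >= burst_end for ts, _, _, r in evs):
            verdicts[ip] = "bruteforce+success"  # credential likely guessed
    return verdicts
```

A "bruteforce+success" verdict is the one worth paging on, since it marks a host that may now be scanning for further SSH targets.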
TeamPCP Hijacks Cloud Infrastructure
The TeamPCP threat cluster systematically targets misconfigured cloud environments—Docker APIs, Kubernetes clusters, Redis servers—to hijack infrastructure for cryptocurrency mining, proxyware, data theft, and extortion. “Kubernetes clusters are not merely breached; they are converted into distributed botnets,” researchers warned.
Nation-State Hackers Weaponize AI
Google revealed evidence of state-sponsored groups using its Gemini AI at nearly every attack stage. Attackers embed Gemini APIs directly into malicious code, including a new malware family called HONESTCUE that generates working code from seemingly benign prompts. “The prompts appear benign in isolation and devoid of any context related to malware, allowing them to bypass Gemini’s safety filters.”
Defense Industrial Base Under Siege
Google Threat Intelligence Group reports the DIB sector faces a “relentless barrage” of cyber operations from Chinese, Iranian, North Korean, and Russian actors. These attacks extend beyond espionage into supply chain compromises and workforce infiltration, with pre-positioning efforts using zero-day vulnerabilities in edge network devices.
🔧 Critical Vulnerabilities to Patch Now
- CVE-2026-2441: Google Chrome (use-after-free bug)
- CVE-2026-20700: Apple iOS/iPadOS/macOS/tvOS/watchOS/visionOS (memory corruption)
- CVE-2026-1731: BeyondTrust Remote Support (RCE, CVSS 9.9)
- CVE-2026-25506: Munge authentication service (heap buffer overflow, CVSS 7.7)
- CVE-2026-25639: Axios JavaScript library
- CVE-2026-25646: libpng library
- CVE-2026-1357: WPvivid Backup & Migration plugin
- CVE-2026-0969: next-mdx-remote library
- CVE-2026-25881: SandboxJS
- CVE-2025-66630: Fiber v2 web framework
🎥 Must-Watch Cybersecurity Webinars
Quantum-Ready Security: Learn how post-quantum cryptography protects against future quantum computing threats that could break today’s encryption.
AI Agents Are Expanding Your Attack Surface: Discover how AI agents browsing the web and accessing company systems create new security risks beyond traditional prompts.
Faster Cloud Breach Analysis: See how context-aware forensics and AI help security teams investigate cloud incidents in minutes instead of days.
🌍 Global Cyber Headlines
DragonForce Ransomware Cartel Expands
The DragonForce ransomware group, active since December 2023, has conducted 363 attacks while operating under a RaaS model. The group affiliates with LockBit and Qilin, maintains the RansomBay service, and recruits pentesters through dark web forums.
AdBlock Filters Expose VPN Users
A new fingerprinting technique called Adbleed uses country-specific adblock filter lists to de-anonymize VPN users. By probing blocked domains unique to each country’s filter list, researchers can identify which lists are active, revealing the user’s likely country or language.
China’s Tianfu Cup Returns Under Government Control
After skipping 2022-2025, China’s Tianfu Cup hacking competition returned under the Ministry of Public Security’s oversight. The contest, launched in 2018 as an alternative to Pwn2Own, now operates under regulations requiring citizens to report zero-day vulnerabilities to the government.
DoD Employee Charged as Money Mule
Samuel D. Marcus, a Department of Defense logistics specialist, was indicted for laundering millions for Nigerian scammers while employed by the government. The indictment alleges he converted fraud victim funds into cryptocurrency and moved them to foreign accounts.
Palo Alto Networks Avoids China Attribution
Palo Alto Networks’ Unit 42 chose not to attribute the TGR-STA-1030 cyber espionage campaign to China, citing concerns about potential retaliation. The campaign targeted 70+ government and critical infrastructure organizations across 37 countries.
Trend Micro’s New Threat Actor Taxonomy
Trend Micro unveiled a new attribution framework with standardized evidence scoring: Earth (espionage), Water (financially motivated), Fire (destructive), Wind (hacktivists), Aether (unknown), and Void (mixed motivation).
Cryptocurrency Flows to Human Trafficking Surge
Cryptocurrency flows to suspected human trafficking services based in Southeast Asia grew 85% in 2025, reaching hundreds of millions. This growth aligns with scam compounds, online casinos, and money laundering networks operating via Telegram.
Disney Fined $2.75M for Privacy Violations
Walt Disney agreed to a $2.75 million fine from California for violating the California Consumer Privacy Act by making it difficult for consumers to opt out of data sharing and sales.
Airport Systems Exposed via Leaked Credentials
Login credentials for a European airport service portal circulated on underground forums, potentially granting unauthorized access to Next Generation Operations Support Systems at approximately 200 airports across multiple countries. The portal lacked Multi-Factor Authentication.
🛠️ Cybersecurity Tools to Watch
SCAM (Security Comprehension Awareness Measure): A benchmark by 1Password testing how safely AI agents handle sensitive information in real workplace situations, measuring whether AI can recognize, avoid, and report risks before damage happens.
Quantickle: A browser-based graph visualization tool that helps analysts map and explore threat intelligence data, turning complex relationships into interactive network graphs to identify patterns and attack paths.
Tags: #cybersecurity #threatintelligence #zeroday #malware #ransomware #cloudsecurity #AIsecurity #nationstate #phishing #vulnerability #patching #infosec #databreach #hacking #technews #cyberattack #securitybreach #digitalthreats #onlineprivacy #cybercrime
Viral Phrases: “small gaps turn into big entry points,” “mixing old and new methods,” “overlooked assets become attack vectors,” “scale-first operation that favors reliability over stealth,” “every compromised system becomes a scanner,” “front lines extend into servers and supply chains,” “quantum computing could break today’s encryption,” “AI agents browsing the web create new risks,” “cryptocurrency flows to human trafficking surge 85%,” “attackers move faster than defenders,” “supply chain attacks infiltrate workforce,” “zero-day vulnerabilities stockpile for cyber espionage,” “browser fingerprinting de-anonymizes VPN users,” “money mules launder millions while employed by government,” “tools we trust become the threat.”