Weekly threat intelligence roundup covering breaches, ransomware, and emerging AI-enabled tradecraft
Reporting during the week of Feb. 23 highlighted multiple unrelated security incidents and research findings rather than a single cohesive event. France’s Ministry of Economy disclosed unauthorized access to the national bank account registry FICOBA, exposing data tied to ~1.2 million accounts (e.g., names, addresses, account identifiers, and in some cases tax-related identifiers), with officials attributing access to compromised government credentials. Separately, Advantest reported a ransomware intrusion following third-party unauthorized access, University of Mississippi Medical Center experienced a ransomware event that disrupted clinics and electronic medical records, and Ukraine’s National Bank reported a supply-chain exposure at a contractor supporting its collectible coin online store (customer registration data exposed; payment data reportedly unaffected). In Taiwan, Taipei Grand Hotel said a third party accessed internal systems without authorization during the Lunar New Year period; the hotel took networks offline for forensics and warned customers to be cautious of suspicious messages.
Threat-actor and technique reporting also described ongoing campaigns and emerging tradecraft. MuddyWater (Iran-aligned) was reported targeting MENA organizations in “Operation Olalampo,” using phishing lures with malicious Office documents/macros to deploy tooling including GhostFetch, HTTP_VIP, a Rust backdoor CHAR, and an implant dubbed GhostBackDoor, with one chain also deploying AnyDesk for remote access. Separately, reporting on DPRK-linked crypto operations described sustained, social-engineering-led targeting of the crypto ecosystem following the Bybit theft, including AI-assisted persona and communication crafting and laundering via mixing/OTC pathways. Additional research noted internet-wide scanning telemetry involving OAST/Interactsh callback domains and shifts toward cookie-based injection, while another item profiled PRC-attributed Lotus Blossom as an espionage actor (including discussion of the Notepad++ ecosystem incident) and a separate post provided general reconnaissance methodology rather than incident-specific intelligence.
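The OAST/Interactsh telemetry item above concerns attackers planting callback domains in request fields, increasingly in cookies. As an added example (not code from any of the cited reports), the Python below scans raw HTTP requests for well-known out-of-band callback domains, including URL-encoded values and the Cookie header, and groups hits per source IP; the domain list is a starting sample and the request samples are constructed.

```python
import re
from urllib.parse import unquote

# Sample of widely used OAST callback domains (Interactsh defaults, Burp Collaborator).
# Extend this list from your own threat-intel feeds; it is not exhaustive.
OAST_DOMAINS = ("oast.fun", "oast.pro", "oast.live", "oast.site", "oast.online",
                "oast.me", "interact.sh", "burpcollaborator.net", "oastify.com")

# Matches optional subdomain labels followed by one of the listed callback domains.
DOMAIN_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)*(?:"
                       + "|".join(re.escape(d) for d in OAST_DOMAINS) + r"))\b")

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers-dict with lower-case keys)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers

def find_oast_callbacks(raw):
    """Return [(location, hostname)] for every OAST domain found in the target or any header."""
    _method, target, headers = parse_request(raw)
    fields = [("target", target)] + [(f"header:{k}", v) for k, v in headers.items()]
    hits = []
    for location, value in fields:
        decoded = unquote(value)  # catch %XX-obfuscated hostnames as well
        for match in DOMAIN_RE.finditer(decoded):
            hits.append((location, match.group(1).lower()))
    return hits

def summarize(events):
    """Group callback hostnames by source IP: {src_ip: sorted unique hostnames}."""
    per_ip = {}
    for src_ip, raw in events:
        for _location, host in find_oast_callbacks(raw):
            per_ip.setdefault(src_ip, set()).add(host)
    return {ip: sorted(hosts) for ip, hosts in per_ip.items()}

# Constructed sample traffic: cookie-based injection, URL-encoded Referer injection, and a benign request.
SAMPLE_EVENTS = [
    ("203.0.113.7", "GET /?q=test HTTP/1.1\r\nHost: app.example.test\r\n"
                    "Cookie: session=abc; tracker=http://c4f2e1.oast.fun/x\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    ("203.0.113.7", "GET / HTTP/1.1\r\nHost: app.example.test\r\nReferer: http://%61bc.oastify.com/\r\n\r\n"),
    ("198.51.100.5", "GET /login HTTP/1.1\r\nHost: app.example.test\r\nCookie: session=xyz\r\n\r\n"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
```

A hit on a Cookie or Referer header from an unauthenticated source is a reliable scanner signature, since legitimate clients never carry these domains.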

How this story unfolded
22 events from the most recent confirmed update back to the earliest known activity.
Wynn breach details emerge with 800,000 records allegedly stolen
Sherpa Intelligence reported that ShinyHunters allegedly stole more than 800,000 Wynn records and demanded $1.5 million to prevent the data from being leaked.
Chrome zero-day CVE-2026-2441 is reported as exploited in the wild
Check Point reported that Chrome zero-day CVE-2026-2441 was being exploited in the wild, marking a notable active exploitation event.
Grandstream VoIP RCE vulnerability is publicly highlighted
Check Point's bulletin highlighted critical Grandstream VoIP remote code execution flaw CVE-2026-2329 as a significant newly reported vulnerability.
Researchers detail npm typosquatting worm targeting developer and AI secrets
Check Point summarized a supply-chain campaign in which an npm worm spread via typosquatting, stole developer and CI secrets, and targeted AI coding assistants to harvest LLM API keys.
Researchers report genAI-assisted FortiGate credential abuse campaign
A Russian-speaking actor was reported using commercial generative AI to scale credential abuse against FortiGate devices and then pivot to target Veeam servers.
Researchers show AI assistants can be abused as covert C2 proxies
Check Point researchers demonstrated that AI assistants such as Grok and Microsoft Copilot can be misused as covert command-and-control channels, highlighting a new AI-enabled threat technique.
National Bank of Ukraine contractor exposes coin store customer data
Check Point reported a supply-chain exposure at a contractor supporting the National Bank of Ukraine's collectible coin store, leaking customer registration data but not payment information.
Advantest reports ransomware after unauthorized network access
Advantest disclosed that an unauthorized party accessed parts of its network and that the incident involved ransomware, according to the Check Point bulletin and Sherpa roundup.
France discloses FICOBA registry breach affecting 1.2 million accounts
French authorities disclosed that attackers used stolen credentials to access the FICOBA national bank-account registry and exfiltrated data tied to 1.2 million accounts.
Taipei Grand Hotel is reported targeted in a cyberattack
Taiwan News published reporting that Taipei Grand Hotel had been targeted in a cyberattack, indicating a newly disclosed victim in Taiwan's hospitality sector.
University of Mississippi Medical Center detects ransomware attack
On February 19, 2026, the University of Mississippi Medical Center detected a ransomware attack that disrupted network and IT systems, including its Epic electronic medical record environment.
GreyNoise observes concentrated OAST scanning activity
Between February 14 and February 20, 2026, GreyNoise recorded 5,695 OAST domain occurrences across 3,882 sessions from 24 source IPs, with increased cookie-based injection and heavy Nuclei/loopback usage.
MuddyWater's Operation Olalampo is first observed
Group-IB said a new MuddyWater campaign dubbed Operation Olalampo was first observed on January 26, 2026, targeting organizations and individuals across the Middle East and North Africa with phishing and malware delivery.
DPRK social-engineering campaigns steal $37.5 million in early 2026
From January 1 to mid-February 2026, the DangerousPassword and Contagious Interview campaigns allegedly generated $37.5 million by tricking victims into installing malware that steals keys, seed phrases, and credentials.
DPRK-linked thefts reach a record $2 billion in 2025
The reporting states that DPRK-linked operators stole a record $2 billion in 2025, bringing cumulative known cryptocurrency thefts attributed to North Korea to more than $6 billion.
Cheyenne and Arapaho Tribes suffer disruptive intrusion
On December 8, 2025, the Cheyenne and Arapaho Tribes experienced an intrusion that disrupted schools and government operations; Rhysida later claimed responsibility according to the roundup.
Wynn breach reportedly begins with PeopleSoft access and employee credentials
Sherpa Intelligence reported that the ShinyHunters-linked breach of Wynn involved initial access in September 2025 through an Oracle PeopleSoft vulnerability and an employee's credentials.
DPRK-linked actors steal $1.46 billion from Bybit
On February 21, 2025, North Korea-linked operators allegedly stole about $1.46 billion in cryptoassets from Dubai-based exchange Bybit, in what the report describes as the largest confirmed crypto theft to date.
Lotus Blossom launches Notepad++ supply-chain operation
The group allegedly began a 2025-2026 supply-chain campaign targeting Notepad++ by manipulating update infrastructure to distribute trojanized updater components and deliver the Chrysalis backdoor via DLL sideloading.
Lotus Blossom targets a national certificate authority
In 2022, Lotus Blossom reportedly escalated from traditional intrusion methods to compromising a national certificate authority, marking a shift toward attacks on mechanisms of trust.
UNC6201 exploits Dell RecoverPoint zero-day in the wild
Check Point reported that suspected Chinese threat actor UNC6201 has exploited Dell RecoverPoint for VMs zero-day CVE-2026-22769 since mid-2024, indicating a prolonged real-world exploitation window before public reporting.
Lotus Blossom begins long-running cyber-espionage activity
Lotus Blossom is described as an APT active since at least 2009, conducting cyber-espionage operations primarily against government, military, and strategic-sector targets in the Asia-Pacific region.
Sources
23rd February - Threat Intelligence Report - Check Point Research (research.checkpoint.com)
DPRK Linked Operators Sustain Aggressive Crypto Targeting 12 Months After Bybit Breach (cybersecuritynews.com)
MuddyWater Targets MENA Organizations with GhostFetch, CHAR, and HTTP_VIP (thehackernews.com)
Information Security & Data Privacy Weekend News Roundup: February 20-22, 2026 (sherpaintelligence.substack.com)
GreyNoise Labs Weekly OAST (Well-known Out-of-band Interaction Domains) Report, Week Ending 2026-02-20 - GreyNoise Labs (labs.greynoise.io)
Taipei Grand Hotel targeted in cyber attack | Taiwan News | Feb. 22, 2026 15:10 (taiwannews.com.tw)
Dark Web Profile: Lotus Blossom (socradar.io)