CYBERSECURITY WEEKLY RECAP: Feb. 7 to 13, 2026

By Ṣọ Email Security | 11 min read

Your weekly roundup of the biggest cybersecurity stories from February 7 to 13, 2026. Covering Microsoft Patch Tuesday zero-days, Apple's first 2026 zero-day fix, ZeroDayRAT mobile spyware, Google's Gemini AI abuse report, the Odido telecom breach, BridgePay ransomware, and more.

Tags: weekly recap, cybersecurity news, zero-day, ransomware, data breach, spyware, phishing, AI security, Patch Tuesday, email security, supply chain attacks, nation-state threats


Another dense week in cybersecurity. From a record batch of actively exploited zero-days across Microsoft and Apple, to a commercial spyware toolkit sold openly on Telegram, to state-backed hackers weaponizing AI models at every stage of the attack chain, the stories from this week paint a clear picture: threats are accelerating in speed, scale, and accessibility.

Here is what you need to know.

Zero-days dominated the week

Microsoft patches 58 flaws, six zero-days actively exploited

Microsoft's February 2026 Patch Tuesday landed on February 10 with fixes for 58 vulnerabilities, including six that were already being exploited in the wild. Three of the exploited flaws were publicly disclosed before patches were available.

The most critical zero-days include CVE-2026-21510, a Windows Shell security feature bypass that allows attackers to dodge SmartScreen prompts via crafted shortcut files. CVE-2026-21513 targets the MSHTML/Trident rendering engine and can be triggered when a user opens a malicious HTML or .lnk file. CVE-2026-21514 bypasses Object Linking and Embedding (OLE) mitigations in Microsoft Word through a specially crafted Office document.

On the privilege escalation side, CVE-2026-21533 affects Windows Remote Desktop Services and was reported by CrowdStrike, which found exploit binaries targeting U.S. and Canadian organizations since at least December 2025. CVE-2026-21519 targets the Desktop Window Manager and allows local attackers to escalate to SYSTEM privileges.

CrowdStrike warned that the public disclosure of CVE-2026-21533 will almost certainly accelerate attempts by threat actors to weaponize the exploit. Microsoft also began rolling out updated Secure Boot certificates to replace the 2011 certificates expiring in June 2026.

Sources: BleepingComputer, The Hacker News, Dark Reading, CrowdStrike

Apple fixes first zero-day of 2026

Apple released emergency security updates on February 11 to address CVE-2026-20700, a memory corruption vulnerability in dyld, the Dynamic Link Editor responsible for loading dynamic libraries across all Apple operating systems. An attacker with memory write capability can achieve arbitrary code execution. Apple described the exploitation as part of an "extremely sophisticated attack against specific targeted individuals" on iOS versions before iOS 26.

The flaw was discovered by Google's Threat Analysis Group (TAG), which is often an indicator of nation-state or commercial spyware activity. Apple also linked CVE-2026-20700 to two WebKit zero-days (CVE-2025-14174 and CVE-2025-43529) patched in December 2025, suggesting the same exploit chain was used across all three vulnerabilities. Tenable assigned a severity score of 9.8 (critical). Patches are available across iOS 26.3, iPadOS 26.3, macOS Tahoe 26.3, watchOS 26.3, tvOS 26.3, and visionOS 26.3.

Sources: BleepingComputer, The Hacker News, SecurityWeek

Malware and spyware

ZeroDayRAT: Nation-State spyware capabilities, now available on Telegram

Mobile security firm iVerify published research this week on ZeroDayRAT, a commercial spyware toolkit being sold openly on Telegram. The tool provides full remote access to both Android and iOS devices, including live camera streaming, screen recording, microphone access, GPS tracking, keylogging, and direct financial theft from banking and cryptocurrency wallet apps.

ZeroDayRAT supports Android 5 through 16 and iOS up to version 26. Its capabilities, once exclusive to nation-state spyware operations, are now packaged for mass-market criminals who need only a Telegram account and funds to purchase access. The developer provides buyer support through dedicated channels for sales, support, and updates.

What makes this particularly dangerous for businesses: a compromised employee phone becomes a vector for credential theft, account takeover, and data exfiltration. iVerify describes it as a "complete mobile compromise toolkit" and warns that its decentralized infrastructure (every operator runs their own server) makes takedown extremely difficult.

Sources: Dark Reading, BleepingComputer

Fake AI Chrome Extensions steal credentials from 300,000+ users

Researchers at LayerX uncovered a campaign they named "AiFrame" consisting of 30 malicious Chrome extensions masquerading as AI assistants. Collectively, the extensions were installed by over 300,000 users. The most popular, called "Gemini AI Sidebar," had 80,000 installs before removal.

All analyzed extensions communicated with infrastructure under a single domain (tapnetic[.]pro) and were designed to steal credentials, email content, and browsing activity. Some extensions specifically targeted Gmail users with scripts designed to extract full email threads. This follows a pattern: just a month earlier, 16 similar extensions were caught stealing session tokens from ChatGPT accounts, affecting 900,000 users.

The takeaway for anyone relying on browser extensions: audit your installed extensions regularly. Navigate to chrome://extensions and remove anything you don't recognize or no longer use. Enable two-factor authentication on all sensitive accounts.

Sources: BleepingComputer

Lazarus group poisons npm and PyPI with fake job campaign

North Korea's Lazarus Group is running a sophisticated supply chain attack codenamed "Graphalgo," targeting developers through fake recruitment campaigns tied to a fabricated company called "Veltrix Capital." The campaign has been active since May 2025 and uses LinkedIn, Facebook, and Reddit to lure developers into running malicious coding test assignments.

The malicious packages are distributed through npm and PyPI, with one package (bigmathutils) accumulating over 10,000 downloads before a weaponized version was pushed. The final payload is a remote access trojan (RAT) that supports file exfiltration, system reconnaissance, and checks for the MetaMask browser extension, signaling an intent to steal cryptocurrency funds. The RAT uses token-protected C2 communication, a technique seen in previous Lazarus campaigns.

Sources: The Hacker News

LummaStealer infections surge via CastleLoader campaigns

A fresh wave of LummaStealer infections was observed this week, driven by CastleLoader malware campaigns. LummaStealer remains one of the most active information-stealing malware families, targeting browser-stored credentials, cryptocurrency wallets, and session tokens.

Sources: BleepingComputer

AI as an attack tool

Google: State-backed hackers using Gemini AI across the entire attack chain

Google's Threat Intelligence Group (GTIG) published a report this week revealing that state-sponsored hackers from China, Iran, North Korea, and Russia are actively using Google's Gemini AI model to support cyberattacks at every stage, from reconnaissance to post-compromise operations.

Chinese threat group APT31 used Gemini alongside the Hexstrike open-source hacking tool to automate vulnerability analysis and generate targeted testing plans against specific U.S. organizations. Iranian APT42 leveraged Gemini for social engineering campaigns and rapid development of tailored malware. North Korean UNC2970 used it for OSINT gathering on job roles and salary data at cybersecurity companies. Russian actors used it for coding, translation, and information operations.

Google also reported on two notable malware families built with AI assistance: HonestCue, a downloader that calls the Gemini API to generate second-stage C# payloads and executes them directly in memory, and CoinBait, a phishing kit masquerading as a cryptocurrency exchange that was likely built using the Lovable AI development platform.

Additionally, GTIG flagged a rise in "distillation attacks," where adversaries systematically query Gemini to extract insights about the model's reasoning. One operation alone sent over 100,000 queries attempting to replicate Gemini's decision-making patterns.

Sources: BleepingComputer, The Hacker News

Those "summarize with AI" buttons may be lying to you

Dark Reading reported on growing concerns that AI summarization features embedded in apps and browsers may be producing inaccurate or misleading outputs. These tools condense emails, documents, and web pages into short summaries, but users often trust the output without verifying it against the source material. In a security context, this creates risk: a poorly summarized phishing warning could strip away the critical details that help someone recognize a threat.

Sources: Dark Reading

Data breaches

Odido telecom breach exposes 6.2 million customers

Dutch telecommunications provider Odido, the country's largest mobile network operator, disclosed a breach affecting 6.2 million customers. The attack was detected over the weekend of February 7 to 8 after attackers accessed a customer contact system and downloaded personal data including full names, addresses, phone numbers, email addresses, dates of birth, bank account numbers, and passport or driver's license numbers.

Odido confirmed that no passwords, call records, location data, or billing information were compromised. The company has blocked unauthorized access, engaged external cybersecurity experts, and reported the incident to the Dutch Data Protection Authority. No ransomware group has claimed responsibility, and the stolen data has not appeared publicly as of this writing.

Sources: BleepingComputer

European Commission discloses staff data breach

The European Commission confirmed a breach that exposed personal data belonging to staff members. Details remain limited, but the disclosure adds to a pattern of government and institutional targets being hit in the early weeks of 2026.

Sources: BleepingComputer

Romania's Conpet oil pipeline operator confirms data stolen

Romania's Conpet, the national oil pipeline transport operator, confirmed that data was stolen in a cyberattack. The company acknowledged the breach but provided limited details about the scope or the threat actor involved.

Sources: BleepingComputer

Volvo Group North America customer data exposed in Conduent hack

Volvo Group North America confirmed that customer data was exposed through a breach at its third-party service provider, Conduent. The incident highlights the persistent risk of supply chain compromises, where an organization's data security depends on the security posture of every vendor in its ecosystem.

Sources: BleepingComputer

Hackers breach Senegal's national biometric database

Attackers breached Senegal's national biometric identification database, raising serious concerns about the security of government-held identity data in countries building out digital ID infrastructure. The breach underscores the high-value target that centralized biometric systems represent.

Sources: Dark Reading

Flickr data breach via external partner flaw

Flickr disclosed a data breach stemming from a security vulnerability in an external partner's systems. This is another reminder that third-party risk management is not optional.

Sources: Hackread

Ransomware and extortion

BridgePay ransomware attack triggers nationwide payment outages

U.S. payment gateway provider BridgePay Network Solutions confirmed that a ransomware attack on February 6 knocked its entire payment processing infrastructure offline. Core systems including the BridgePay Gateway API, PayGuardian Cloud API, virtual terminal, hosted payment pages, and boarding portals were all rendered unavailable.

The outage forced merchants and municipalities across the United States to revert to cash-only operations. The City of Palm Bay, Florida and the City of Frisco, Texas both reported their online billing portals were affected. BridgePay engaged the FBI, U.S. Secret Service, and external forensic teams. Initial analysis indicates no payment card data was compromised. As of February 12, the company reported "positive progress" in recovery efforts and expressed hope that services could be restored within the following week.

Sources: BleepingComputer

Crazy ransomware gang abuses employee monitoring tool

A ransomware operation dubbed "Crazy" was observed abusing a legitimate employee monitoring tool to maintain persistence and conduct surveillance inside compromised networks before deploying its payload. Using legitimate software as cover is a tactic that continues to challenge detection.

Sources: BleepingComputer

Reynolds ransomware embeds BYOVD driver in payload

The Reynolds ransomware variant was caught embedding a Bring Your Own Vulnerable Driver (BYOVD) component directly into its payload. By loading a legitimate but vulnerable signed driver, the ransomware can disable endpoint protection software before encrypting files. This technique continues to grow in popularity across ransomware families.

Sources: The Hacker News

Black Basta bundles BYOVD with ransomware payload

In a parallel development, the Black Basta ransomware gang was also observed bundling BYOVD techniques into its payloads. Two major ransomware families adopting the same driver-abuse technique in the same week signals that BYOVD is becoming a standard feature in the ransomware playbook.

Sources: Dark Reading

Warlock ransomware breaches SmarterTools via its own software

The Warlock ransomware gang exploited vulnerabilities in SmarterTools' own SmarterMail product to breach the company's network. Turning a vendor's own software against it is a particularly ironic and effective attack vector.

Sources: The Hacker News, Dark Reading, BleepingComputer

Nation-State threats

Chinese cyberspies breach all four of Singapore's largest telcos

Singapore's Cyber Security Agency (CSA) revealed that the Chinese-linked APT group UNC3886 conducted a targeted espionage campaign against all four of Singapore's major telecommunications providers: Singtel, StarHub, M1, and SIMBA Telecom. The campaign, detected last year, used a zero-day exploit to bypass a perimeter firewall and deployed rootkits for persistent access.

In response, Singapore launched Operation Cyber Guardian, its largest coordinated cybersecurity response to date, involving over 100 cyber defenders across six government agencies over an 11-month period. While the attackers accessed some critical systems, no services were disrupted and no customer data was confirmed stolen.

Sources: BleepingComputer

DPRK operatives impersonate IT professionals

North Korean operatives continued their campaign of posing as legitimate IT workers to gain employment at Western companies. Once inside, these operatives exfiltrate data and generate revenue for the North Korean regime. The FBI has repeatedly warned about this tactic, which exploits remote hiring processes.

Sources: The Hacker News

North Korean hackers deploy new macOS malware for crypto theft

A separate North Korean campaign was caught using previously unseen macOS malware to target cryptocurrency firms. The malware was delivered through social engineering and is designed to steal wallet credentials and private keys from Apple devices.

Sources: BleepingComputer

China's dKnife spyware hijacked internet routers since 2019

Hackread reported on research revealing that a Chinese-linked spyware framework called dKnife has been compromising internet routers since 2019. The long-running campaign highlights the persistent threat to network edge devices.

Sources: Hackread

State actor targets 155 countries in espionage operation

BleepingComputer reported on an espionage campaign attributed to a state-level actor that has targeted organizations across 155 countries. The breadth of targeting suggests a well-resourced intelligence operation with global reach.

Sources: BleepingComputer

Exploited vulnerabilities

BeyondTrust critical RCE flaw now exploited in attacks

A critical remote code execution vulnerability in BeyondTrust's Remote Support (RS) and Privileged Remote Access (PRA) software is now being actively exploited. Organizations using BeyondTrust should patch immediately.

Sources: BleepingComputer

Ivanti EPMM zero-day bugs under active exploit

Ivanti disclosed zero-day vulnerabilities in its Endpoint Manager Mobile (EPMM) product that are being actively exploited. Dutch authorities confirmed they were among those impacted.

Sources: Dark Reading, The Hacker News

SolarWinds Web Help Desk flaws lead to Velociraptor deployment

Attackers exploited vulnerabilities in SolarWinds Web Help Desk to deploy the Velociraptor forensic tool and Zoho agents on target networks. This is another case of legitimate security tools being repurposed for malicious operations.

Sources: Dark Reading, BleepingComputer

Windows 11 Notepad flaw allowed silent file execution

A vulnerability in Windows 11's Notepad application allowed files to execute silently through Markdown links. The flaw meant that simply clicking a link within a Notepad document could trigger code execution without any warning to the user. Microsoft has patched the issue.

Sources: BleepingComputer

WordPress Plugin with 900K installs vulnerable to critical RCE

A widely used WordPress plugin with 900,000 active installations was found to contain a critical remote code execution vulnerability. WordPress administrators should check for and apply the patch immediately.

Sources: BleepingComputer

Fraud, phishing, and social engineering

Malicious Outlook add-in hijacks 4,000 Microsoft accounts

Researchers discovered a malicious Outlook add-in distributed through the Microsoft Store that was used to hijack approximately 4,000 Microsoft accounts. The add-in appeared legitimate but was designed to steal credentials. This is notable as the first reported case of a malicious Outlook add-in used for credential theft at this scale.

Sources: BleepingComputer, The Hacker News

Police arrest seller of JokerOTP MFA capture tool

Law enforcement arrested the seller of JokerOTP, a tool designed to capture multi-factor authentication passcodes in real time. The tool intercepted one-time passwords as victims entered them, enabling attackers to bypass MFA protections.

Sources: BleepingComputer

One in two Americans report romance scam exposure

Dark Reading reported that roughly half of American adults have encountered a romance scam. The finding highlights the scale of social engineering targeting individuals through dating platforms and social media.

Sources: Dark Reading

Fugitive behind $73M pig butchering scheme gets 20 years

A fugitive behind a $73 million pig butchering investment fraud scheme received a 20-year prison sentence. Pig butchering scams combine romance fraud with fake investment platforms to drain victims' savings over extended periods.

Sources: BleepingComputer

Pride Month phishing targets employees via trusted email services

Hackread reported on a phishing campaign that exploited Pride Month themes and abused trusted email services to target employees. The campaign used emotionally appealing content to bypass both technical filters and human skepticism.

Sources: Hackread

Signal QR codes used to spy on military and political leaders

Attackers are using QR codes within the Signal messaging app as a vector to target military and political leaders. German agencies also issued warnings about Signal-based phishing campaigns this week.

Sources: Hackread, The Hacker News

Industry and product news

GitGuardian raises $50M series C

GitGuardian raised $50 million in Series C funding to address non-human identities and AI agent security. As organizations deploy more automated systems and API keys, securing machine identities is becoming a critical challenge.

Sources: Hackread

Zast.AI raises $6M for AI-powered code security

Zast.AI secured $6 million in pre-seed funding to scale its zero-trust approach to AI-powered code security analysis.

Sources: The Hacker News

Bitwarden introduces Cupid Vault for secure password sharing

Timed for Valentine's Day, Bitwarden launched Cupid Vault, a feature enabling secure password sharing between partners. The feature addresses a real need: shared streaming accounts, financial logins, and household services often require credential sharing that most people handle insecurely.

Sources: BleepingComputer

Microsoft announces mobile-style Windows security controls

Microsoft announced new security controls for Windows that adopt a mobile-style approach to blocking risky software, tightening runtime rules by default while allowing exceptions when needed.

Sources: BleepingComputer

Firefox users get AI kill switch for better privacy

Firefox introduced a feature allowing users to disable AI-related functionality for improved privacy, giving users explicit control over whether AI features can access their browsing data.

Sources: Hackread

What this week means for email security

Several of this week's stories connect directly to email security.

The malicious Outlook add-in that hijacked 4,000 accounts is a reminder that email threats don't always come in the form of phishing messages. They can also arrive through the tools and extensions people install to enhance their email experience. Similarly, the fake AI Chrome extensions stealing Gmail content show that your inbox is a target even when the attack happens outside the email itself.

The Lazarus Group's recruitment-themed supply chain attacks rely heavily on email and messaging platforms for initial contact. The Pride Month phishing campaign abused trusted email services to bypass filters. And every data breach disclosed this week, from Odido's 6.2 million records to the European Commission's staff data, creates fresh fuel for future business email compromise campaigns.

Protecting email is not just about filtering inbound messages. It requires understanding the full ecosystem of threats: malicious add-ins, compromised credentials, social engineering on adjacent platforms, and the downstream effects of every breach.

Ṣọ Email Security monitors these signals in real time, directly in your browser, with zero data leaving your device.

AI-powered protection, zero data collection. That's the Ṣọ promise. soemailsecurity.com


Sources

This recap draws from reporting by the following publications during the week of February 7 to 13, 2026:

BleepingComputer: bleepingcomputer.com
The Hacker News: thehackernews.com
Dark Reading: darkreading.com
Hackread: hackread.com
SecurityWeek: securityweek.com
CrowdStrike: crowdstrike.com
Help Net Security: helpnetsecurity.com
Tenable: tenable.com
Rapid7: rapid7.com

Individual story links are cited inline throughout the article. All statistics and claims are attributed to their original reporting sources.