DigitalXRAID

Threat Pulse – February 2026

Each month, DigitalXRAID’s Security Operations Centre (SOC) analysts share the top threats affecting businesses globally. Take action to protect your organisation against these prolific threats.

If you’ve been affected by any of these threats, we’re here to help. You can call our Cyber Emergency line any time of the day or night for help with active cyberattacks.

DigitalXRAID’s SOC analysts constantly monitor for zero-day threats and update our signature databases using the most comprehensive Threat Intelligence and Open Threat Exchange databases available worldwide.

Cyber Incidents in February

VMware ESXi Vulnerability Exploited 

In early February 2026, cybercriminals began exploiting a critical vulnerability affecting VMware ESXi servers. Attackers used the flaw to escape restricted environments and gain deeper access to enterprise systems. This allowed them to deploy ransomware and compromise sensitive infrastructure.  

The incident highlighted the ongoing risks associated with unpatched software and the importance of regularly updating virtualisation systems used by many organisations. 

Odido Telecom Data Breach 

In February 2026, Dutch telecommunications provider Odido experienced a major data breach attributed to the hacking group ShinyHunters. Approximately six million customers had their personal information stolen, including names, phone numbers, email addresses and in some cases sensitive identification documents.  

The attackers later began leaking the stolen data online in an attempt to pressure the company, raising concerns about identity theft and customer privacy. 

Advantest Cyberattack 

On 19 February 2026, semiconductor testing company Advantest reported a cyberattack involving unauthorised access to parts of its internal network. The company quickly launched an investigation and implemented security measures to contain the incident.  

Early reports suggested ransomware activity may have been involved, although the full extent of the breach and whether sensitive customer data was accessed remained under investigation. 

Cloud Data Exposure at Abu Dhabi Finance Week 

During February 2026, a major data exposure occurred related to Abu Dhabi Finance Week when an unsecured cloud server was discovered online. The database contained sensitive documents such as passports and identification details belonging to hundreds of individuals, including high-profile attendees.  

The leak was caused by a misconfigured cloud storage system, highlighting the ongoing cyber security risks associated with poor cloud security practices.  

Increase in Global Ransomware Activity 

Cyber security researchers reported a significant rise in ransomware attacks worldwide during February 2026. Around 82 publicly disclosed ransomware incidents were recorded during the month, with healthcare organisations being the most frequently targeted sector.  

Several ransomware groups, including Qilin, CL0P, Play and Akira, were particularly active. This trend shows that ransomware continues to be one of the most serious and widespread cyber threats facing organisations globally. 

AI-Assisted Compromise of FortiGate Firewalls 

In February 2026, a notable offensive campaign saw a Russian-speaking, financially motivated threat actor use commercial generative AI tools to automate attacks against exposed FortiGate devices, successfully compromising 600+ firewall appliances across 55 countries.

Rather than exploiting any published FortiGate software vulnerability, the attacker scanned for exposed management interfaces with weak or default credentials, then leveraged AI-generated tooling and scripts to orchestrate large-scale credential stuffing, automated reconnaissance, and dynamic attack plans, effectively lowering the barrier for a low-skill operator to conduct widespread intrusion.  

Once access was gained, the actor harvested credentials, pulled configuration data, and used extracted information to pivot into internal networks, potentially enabling further exploitation such as lateral movement or ransomware deployment. This activity illustrates how AI can amplify existing TTPs like brute-force and automated recon, transforming them into high-impact, high-scale operations. 

PromptSpy: First Generative AI-Embedded Android Malware 

Researchers in February 2026 identified PromptSpy, the first known Android malware to embed generative AI (Google Gemini) within its execution flow to adapt its behaviour dynamically on compromised devices.  

Instead of relying on static instructions, PromptSpy sends screen UI snapshots and context to the AI model to receive step-by-step guidance on how to interact with the device interface, particularly to ensure persistence by locking itself into the recent-apps list and preventing easy uninstallation. The malware also deploys a VNC module for remote device control, captures lockscreen credentials, takes screenshots, and records video activity.  

This represents a significant evolution in mobile threat TTPs by integrating AI into runtime persistence and evasion mechanisms, making detection and static analysis harder. 

Exploitation of Cisco SD-WAN Authentication Bypass 

Throughout late February and into March, technical advisories highlighted active exploitation of a critical authentication bypass vulnerability in Cisco SD-WAN infrastructure (affecting SD-WAN Controller and Manager), allowing unauthenticated attackers to gain administrative access and manipulate configuration.

While the vulnerability was reported earlier, continued exploitation highlighted that attackers were successfully bypassing authentication to compromise orchestration components, enabling access to backend management interfaces and configuration layers.  

These tactics are typical of network device compromise where excessive trust in exposed services and inadequate access controls lead to privilege escalation and lateral movement. 

Phishing Campaign Using Purchase Order Attachment to Gain Passwords

A phishing campaign is distributing an attachment titled “New PO 500PCS.pdf.htm”, masquerading as a purchase order but actually delivering a credential-harvesting HTML page.

Upon execution, the file opens a browser-based phishing form pre-filled with the recipient’s email address and prompts for account credentials under the guise of document verification. The script covertly captures submitted usernames and passwords along with IP address, geolocation, and user-agent data, transmitting the information to an attacker-controlled Telegram bot for command-and-control.  

Victims are shown a staged authentication failure to induce multiple password submissions before being redirected to a decoy invoice image hosted on ImgBB (ibb[.]co) to reduce suspicion and delay reporting. The attack leverages double file extensions (.pdf.htm), social engineering targeting finance and operations personnel, and encrypted Telegram channels to evade detection.  

Impact includes credential compromise, account takeover, and potential downstream exploitation or resale. Recommended mitigations include blocking HTML attachments with double extensions, enforcing MFA, monitoring outbound Telegram traffic, and strengthening email filtering and user awareness controls. 
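The two mitigations above (blocking double-extension HTML attachments and monitoring outbound Telegram traffic) as a small triage script, added here as an example and not code from DigitalXRAID. The extension lists, the proxy log format and the sample inputs are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple

# Extensions that render as active content when a user opens them (assumed list).
ACTIVE_SUFFIXES = {".htm", ".html", ".shtml", ".hta"}
# Document types an attacker mimics with the inner extension (assumed list).
DECOY_SUFFIXES = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Telegram Bot API calls take the form https://api.telegram.org/bot<token>/<method>.
TELEGRAM_BOT_API = re.compile(r"https?://api\.telegram\.org/bot[^/\s]+/\w+", re.I)

def split_suffixes(filename: str) -> List[str]:
    """Return every dotted extension of the file name, lower-cased."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return ["." + part.lower() for part in name.split(".")[1:] if part]

def classify_attachment(filename: str) -> Optional[str]:
    """Verdict for a suspicious attachment name, or None if nothing stands out."""
    suffixes = split_suffixes(filename)
    if not suffixes or suffixes[-1] not in ACTIVE_SUFFIXES:
        return None
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_SUFFIXES:
        return "block: decoy double extension"   # e.g. New PO 500PCS.pdf.htm
    return "review: HTML attachment"

def telegram_bot_egress(log_line: str) -> bool:
    """True when a proxy log line records a call to the Telegram Bot API."""
    return TELEGRAM_BOT_API.search(log_line) is not None

# Constructed sample inputs, not data from a real incident.
SAMPLE_ATTACHMENTS = ["New PO 500PCS.pdf.htm", "Q1-forecast.xlsx",
                      "newsletter.html", "photo.jpeg"]
SAMPLE_PROXY_LOG = """\
2026-02-20T09:14:02Z 10.1.2.34 GET https://www.example.com/ 200
2026-02-20T09:14:09Z 10.1.2.34 POST https://api.telegram.org/bot<redacted>/sendMessage 200
2026-02-20T09:14:11Z 10.1.2.34 GET https://www.example.org/invoice.png 200
"""

def triage(attachments: List[str], proxy_log: str) -> List[Tuple[str, str]]:
    """Combine both checks into one alert list of (indicator, verdict)."""
    alerts = [(n, v) for n in attachments if (v := classify_attachment(n))]
    for line in proxy_log.splitlines():
        if telegram_bot_egress(line):
            alerts.append((line.split()[1], "alert: outbound Telegram Bot API call"))
    return alerts

if __name__ == "__main__":
    for indicator, verdict in triage(SAMPLE_ATTACHMENTS, SAMPLE_PROXY_LOG):
        print(f"{verdict:40} {indicator}")
```

The same checks can be wired into a mail gateway rule (on the attachment name) and a proxy or DNS alert (on the host), which is where they belong in production.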

ZeroDayRAT malware grants full access to Android, iOS devices 

ZeroDayRAT is a new mobile spyware platform advertised via Telegram that provides full remote control over infected Android and iOS devices. The malware reportedly targets Android versions 5 through 16 and iOS devices up to iOS 26, significantly broadening its potential victim base across both legacy and current mobile systems.  

Once deployed, it enables screen recording, keylogging, live camera and microphone access, SMS and notification interception, call monitoring, GPS tracking, file exfiltration, and credential harvesting from banking and cryptocurrency applications, including the capture of one-time passwords to bypass multi-factor authentication.  

Organisations should enforce mobile device management (MDM) controls, restrict sideloading and installation from untrusted sources, mandate OS updates and patching, enable strong MFA resistant to OTP interception (e.g., hardware-backed or phishing-resistant MFA), and monitor for anomalous mobile device behaviour and unauthorised accessibility service abuse. Users should install apps only from official app stores, review app permissions regularly, and deploy reputable mobile threat defence solutions where possible. 

Multiple Adobe Bulletins Issued 

Adobe issued multiple security bulletins in February 2026 covering critical and important issues (generally memory corruption, arbitrary code execution, information exposure or denial of service in the affected desktop applications).

Examples include InDesign (APSB26-17), Substance 3D Designer (APSB26-19), Substance 3D Stager (APSB26-20), Bridge (APSB26-21), and DNG SDK (APSB26-23); Adobe noted it was not aware of in-the-wild exploitation for those updates at time of publication. 

Medical Device Maker UFP Technologies Warns of Data Stolen in Cyberattack 

UFP Technologies, an American manufacturer of medical devices, has disclosed that a cyber security incident has compromised its IT systems and data. UFP Technologies is a publicly traded medical engineering and manufacturing company that produces a broad range of devices and components used in surgery, wound care, implants, orthopedic applications, and healthcare wearables.

In a filing submitted yesterday with the US Securities and Exchange Commission (SEC), UFP Technologies disclosed that it detected suspicious activity on its IT systems on February 14. The firm immediately deployed isolation and remediation measures and engaged external cyber security advisors to help with the investigation.  

At the time of publishing, no ransomware group has publicly claimed the attack on UFP Technologies. UFP Technologies mentioned that, at this time, it has not determined whether personal information has been exfiltrated.  

The company stated that, despite the cyber security incident, its primary IT systems remain operational. Based on current evidence and assessments, UFP Technologies states it is unlikely that the incident will have a material impact on its operations or financials. 

Suspected Ransomware Attempt at a London Housing Association

In late February 2026, a significant London housing association, which manages property portfolios, tenant records, and rental payment data, publicly acknowledged it was investigating a suspected ransomware attack after detecting anomalous administrative activity.  

Systems were taken offline proactively, remote access credentials were reset, and external cyber security specialists were engaged to contain the incident. While no data exfiltration was confirmed at the time of reporting, the pattern (suspicious admin activity leading to locked systems and credential resets) strongly matches ransomware discovery and containment TTPs.

Coordinated AI-Driven Cyberattack Attempts on Financial Institutions 

In February 2026, authorities in the United Arab Emirates (UAE) disclosed that they had successfully thwarted a coordinated wave of sophisticated cyberattacks targeting government networks and the financial sector as part of a broader campaign.  

According to official briefings, attackers employed artificial intelligence across the attack lifecycle, from automated reconnaissance to adaptive phishing, to probe and attempt infiltration into national payment systems, banks, and digital financial services platforms.  

The UAE Cyber Security Council described the activity as a “qualitative shift” in adversary tactics, noting that defensive systems detected and neutralised intrusion attempts before major operational impacts could occur. These attacks included network infiltration attempts, ransomware deployment efforts, and precision phishing campaigns, with financial institutions specifically identified as a primary target due to their role in systemic digital finance infrastructure. 

Microsoft Patch Tuesday  

Microsoft’s February 2026 Patch Tuesday addressed more than fifty vulnerabilities, including multiple security feature bypasses, spoofing issues, privilege escalation flaws, and Office-related weaknesses. Several were added to known exploited vulnerability tracking lists due to confirmed in-the-wild exploitation, making rapid patch deployment and endpoint monitoring especially critical for Microsoft 365 tenants during that period. 

Cyber Incident at Ireland’s Health Research Board

A cyberattack disrupted operations at Ireland’s Health Research Board (HRB), a public agency responsible for funding and coordinating health research. Staff were instructed not to use laptops or professional phones while IT teams isolated systems and contained the incident, indicating a suspected breach affecting internal networks, possibly ransomware or unauthorised access. Details about data exfiltration remain unconfirmed, but investigations were ongoing at the end of February.

Supply-Chain API Token Theft Campaign 

In the last week of February 2026, threat intelligence summaries identified a software supply chain attack focused on a malicious NuGet package purporting to be related to Stripe’s API library. This malicious library was used to steal API tokens, which can grant attackers access to payment workflows or financial service APIs if not properly scoped and rotated.  

Although this was not a direct compromise of a bank system, such token theft poses severe risks when embedded into the DevOps pipelines or CI/CD workflows of fintech platforms and financial services. 

DigitalXRAID exists to ensure that the bad guys don’t win. We’re driven and motivated to protect customers. Our expertise and unrivalled service means we can take care of your security, while you take care of business.

Talk to the team to see how you can start protecting your business against cyberattacks today.

Protect Your Business & Your Reputation.

With a continued focus on security, you can rest assured that breaches and exploits won't be holding you back.
