Welcome to this week’s Cybersecurity Weekly Digest, your curated roundup of the most critical threats, attacks, breaches, and vulnerabilities making headlines from February 16 to 22, 2026.
This week proved to be one of the most eventful of the year so far. Ransomware operators doubled down on enterprise targets, with the Hellcat group breaching Ascom’s ticketing infrastructure and exfiltrating 44GB of sensitive data.
A financially motivated threat actor leveraged multiple AI services to compromise 600+ FortiGate devices in a landmark case of AI-powered offense.
On the vulnerability front, emergency patches landed for critical flaws in BeyondTrust, Ivanti EPMM, Splunk Enterprise, Windows Admin Center, and Google Chrome, several of which are already seeing active exploitation in the wild.
Meanwhile, data breach disclosures from PayPal, SpyX, and California Cryobank exposed millions of users to identity theft risk. Rounding out the week, Cloudflare suffered a six-hour global outage triggered by a cascading password rotation failure, reminding the industry that availability itself remains a core security concern.
Threat Intelligence
The week opened with renewed concern over the Noodlophile information stealer, which has significantly evolved its attack strategy. Operators linked to the Vietnamese group UNC6229 now use fake job postings to target job seekers, students, and digital marketers, deploying multi-stage stealers and RATs via DLL sideloading. The latest variants also incorporate the djb2 hashing algorithm (typically to resolve imported API names by hash rather than by string) and XOR encoding of embedded strings to complicate reverse engineering. → Read More
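The two obfuscation tricks mentioned above are cheap to undo once you know what to look for. The helper below is an added example written for this digest, not code from the Noodlophile report or from the malware; it assumes the classic 32-bit djb2 (seed 5381, h = h*33 + c) over ASCII API names, with the common `h*33 ^ c` variant as a fallback, and single-byte XOR over strings. The hash values, API list, and XOR'd blob are constructed for illustration.

```python
"""djb2 API-hash resolution and single-byte XOR decoding as reversing aids."""
from typing import Dict, Iterable, List, Optional


def djb2(name: str, seed: int = 5381) -> int:
    """Classic djb2: h = h * 33 + c over ASCII bytes, truncated to 32 bits."""
    h = seed
    for c in name.encode("ascii"):
        h = ((h << 5) + h + c) & 0xFFFFFFFF
    return h


def djb2_xor(name: str, seed: int = 5381) -> int:
    """Widely used variant: h = (h * 33) ^ c. Try it when a hash fails to resolve."""
    h = seed
    for c in name.encode("ascii"):
        h = (((h << 5) + h) ^ c) & 0xFFFFFFFF
    return h


def build_hash_table(api_names: Iterable[str], hasher=djb2) -> Dict[int, str]:
    """Precompute hash -> name for every export you expect the sample to resolve."""
    return {hasher(n): n for n in api_names}


def resolve_hashes(hashes: Iterable[int], api_names: List[str]) -> Dict[int, Optional[str]]:
    """Map hashes lifted from a binary back to API names; unknown hashes map to None."""
    tables = [build_hash_table(api_names, h) for h in (djb2, djb2_xor)]
    resolved: Dict[int, Optional[str]] = {}
    for hv in hashes:
        resolved[hv] = next((t[hv] for t in tables if hv in t), None)
    return resolved


def xor_decode(blob: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in blob)


def recover_xor_key(blob: bytes, crib: bytes) -> Optional[int]:
    """Brute-force a single-byte key using a known plaintext prefix (e.g. b"http")."""
    for key in range(1, 256):
        if xor_decode(blob[: len(crib)], key) == crib:
            return key
    return None


# Constructed sample data (not real indicators): a C2-style URL XOR'd with 0x5A
# and a short list of APIs a stealer would plausibly resolve by hash.
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_decode(b"https://example.test/api/upload", SAMPLE_KEY)
KNOWN_APIS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateThread", "WinHttpOpen"]


if __name__ == "__main__":
    key = recover_xor_key(SAMPLE_BLOB, b"http")
    print("xor key:", hex(key), "->", xor_decode(SAMPLE_BLOB, key))
    observed = [djb2("VirtualAlloc"), djb2_xor("WinHttpOpen"), 0xDEADBEEF]
    for hv, name in resolve_hashes(observed, KNOWN_APIS).items():
        print(hex(hv), "->", name or "unresolved")
```

In practice you feed `resolve_hashes` the full export list of the DLLs the sample loads (kernel32, advapi32, winhttp and so on); a hash that resolves under neither variant usually means a different seed or multiplier, which is the next thing to check in the hashing routine itself.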
A sophisticated Linux malware framework known as VoidLink emerged as a concerning example of AI-assisted threat development. Built using an LLM coding agent — evidenced by structured “Phase X:” labels and verbose debug logging left in the production binary — it combines multi-cloud targeting across AWS, GCP, Azure, Alibaba Cloud, and Tencent Cloud with kernel-level rootkit capabilities. → Read More
Researchers also confirmed this week that threat actors are now leveraging Grok and Microsoft Copilot as covert channels for stealthy malware communication, bypassing traditional C2 detection by disguising commands as legitimate AI API calls. → Read More
Security researchers identified 200 unique domains tied to the long-running Raspberry Robin operation, which has been active since 2019 and spreads via infected USB drives. The domains follow three-character patterns under uncommon two-letter TLDs (.wf, .pm, .re) and exhibit fast-flux behaviour, making takedowns and tracking notoriously difficult. → Read More
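Those two traits (the short-label naming scheme and fast flux) can be turned into a triage rule over passive DNS. The script below is an added example for this digest, not part of the research or any published indicator list. It assumes "three-character pattern" means a three-character second-level label, that the TLD set is limited to the three named in the report, and that fast flux can be approximated as four or more distinct A records with TTLs of 300 seconds or less; all of these thresholds are assumptions to tune against your own data, and the passive DNS records are constructed.

```python
"""Triage passive DNS for Raspberry Robin-style domains: short label + rare ccTLD + fast flux."""
import re
from collections import defaultdict
from typing import Dict, List

# Assumption: a 3-character alphanumeric second-level label under one of the TLDs the report names.
RR_TLDS = {"wf", "pm", "re"}
RR_DOMAIN_RE = re.compile(r"^[a-z0-9]{3}\.(" + "|".join(sorted(RR_TLDS)) + r")$")


def normalise(domain: str) -> str:
    return domain.lower().rstrip(".")


def matches_rr_pattern(domain: str) -> bool:
    return bool(RR_DOMAIN_RE.match(normalise(domain)))


def is_fast_flux(records: List[dict], min_ips: int = 4, max_ttl: int = 300) -> bool:
    """Heuristic: many distinct A records, all with short TTLs. Thresholds are assumptions."""
    a_records = [r for r in records if r["type"] == "A"]
    ips = {r["rdata"] for r in a_records}
    return len(ips) >= min_ips and all(r["ttl"] <= max_ttl for r in a_records)


def triage(pdns: List[dict]) -> Dict[str, List[str]]:
    """Group records by name and return domain -> list of reasons it was flagged."""
    by_domain: Dict[str, List[dict]] = defaultdict(list)
    for r in pdns:
        by_domain[normalise(r["qname"])].append(r)
    findings: Dict[str, List[str]] = {}
    for domain, recs in by_domain.items():
        reasons = []
        if matches_rr_pattern(domain):
            reasons.append("rr_pattern")
        if is_fast_flux(recs):
            reasons.append("fast_flux")
        if reasons:
            findings[domain] = reasons
    return findings


def priority(reasons: List[str]) -> str:
    """Both traits together is the strong signal; fast flux alone is common on CDNs."""
    if "rr_pattern" in reasons and "fast_flux" in reasons:
        return "high"
    return "medium" if "rr_pattern" in reasons else "low"


# Constructed passive DNS sample (documentation IP ranges, not real observations).
SAMPLE_PDNS = [
    {"qname": "k7q.wf.", "type": "A", "rdata": "203.0.113.11", "ttl": 60},
    {"qname": "k7q.wf.", "type": "A", "rdata": "203.0.113.12", "ttl": 60},
    {"qname": "k7q.wf.", "type": "A", "rdata": "203.0.113.13", "ttl": 60},
    {"qname": "k7q.wf.", "type": "A", "rdata": "203.0.113.14", "ttl": 60},
    {"qname": "k7q.wf.", "type": "A", "rdata": "203.0.113.15", "ttl": 120},
    {"qname": "x9b.pm", "type": "A", "rdata": "198.51.100.20", "ttl": 86400},
    {"qname": "cdn.example.com", "type": "A", "rdata": "198.51.100.31", "ttl": 30},
    {"qname": "cdn.example.com", "type": "A", "rdata": "198.51.100.32", "ttl": 30},
    {"qname": "cdn.example.com", "type": "A", "rdata": "198.51.100.33", "ttl": 30},
    {"qname": "cdn.example.com", "type": "A", "rdata": "198.51.100.34", "ttl": 30},
    {"qname": "mail.example.org", "type": "A", "rdata": "198.51.100.5", "ttl": 3600},
]


if __name__ == "__main__":
    for domain, reasons in triage(SAMPLE_PDNS).items():
        print(f"{domain:20s} {priority(reasons):6s} {', '.join(reasons)}")
```

The `priority` step matters: fast flux on its own will light up every CDN in your resolver logs, so only the combination with the naming pattern should page anyone.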
Cyber Attack News
The most significant attack story of the week was the active exploitation of a critical RCE vulnerability in BeyondTrust appliances, where threat actors opened WebSocket connections and submitted malformed remoteVersion values to achieve code execution. GreyNoise telemetry revealed that a single IP address — 193[.]24[.]123[.]42 — was responsible for 83% of all exploitation attempts. → Read More
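Two hunting checks fall straight out of that description: look for `remoteVersion` values that are not a plain dotted version string, and see how concentrated the attempts are by source. The script below is an added example for this digest, not BeyondTrust code or GreyNoise tooling; the log line layout is an assumption (a timestamp, a `src=` field, and the `remoteVersion` value as it was submitted), the strict version regex is a deliberately conservative assumption about what a legitimate client sends, and the log lines are constructed. The defanged IP from the story is refanged only so it can be matched against the sample.

```python
"""Hunt WebSocket handshake logs for malformed remoteVersion values and noisy sources."""
import re
from collections import Counter
from typing import List, Tuple

# Assumption: a genuine client sends only digits and dots, at most four components.
VERSION_RE = re.compile(r"^\d{1,4}(\.\d{1,4}){0,3}$")
# Assumption about log layout: ... src=<ip> ... remoteVersion="<value>"
LINE_RE = re.compile(r'src=(?P<src>\S+)\s.*?remoteVersion="(?P<ver>[^"]*)"')


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 193[.]24[.]123[.]42 back into a matchable string."""
    return ioc.replace("[.]", ".")


def is_malformed(ver: str) -> bool:
    return VERSION_RE.fullmatch(ver) is None


def hunt(lines: List[str]) -> Tuple[Counter, List[Tuple[str, str]]]:
    """Return (malformed attempts per source, list of (src, value) hits)."""
    per_src: Counter = Counter()
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # line has no remoteVersion field; nothing to judge
        if is_malformed(m["ver"]):
            per_src[m["src"]] += 1
            hits.append((m["src"], m["ver"][:40]))  # truncate for display
    return per_src, hits


def top_source_share(per_src: Counter) -> Tuple[str, float]:
    """Which source produced the largest fraction of malformed attempts, and how much."""
    total = sum(per_src.values())
    src, n = per_src.most_common(1)[0]
    return src, n / total


# Constructed log lines (not real appliance logs). Documentation IPs plus the story's IOC.
NOISY = refang("193[.]24[.]123[.]42")
SAMPLE_LOGS = [
    '2026-02-18T09:00:01Z src=198.51.100.7 upgrade=websocket remoteVersion="24.3.1"',
    f'2026-02-18T09:00:05Z src={NOISY} upgrade=websocket remoteVersion="24.3.1;id"',
    f'2026-02-18T09:00:06Z src={NOISY} upgrade=websocket remoteVersion="$(id)"',
    f'2026-02-18T09:00:07Z src={NOISY} upgrade=websocket remoteVersion="24.3.1 --x"',
    f'2026-02-18T09:00:08Z src={NOISY} upgrade=websocket remoteVersion="' + "A" * 600 + '"',
    f'2026-02-18T09:00:09Z src={NOISY} upgrade=websocket remoteVersion="24..3"',
    '2026-02-18T09:01:10Z src=203.0.113.9 upgrade=websocket remoteVersion="1.0.0.0.1"',
    '2026-02-18T09:01:11Z src=203.0.113.9 upgrade=websocket remoteVersion="24.4.0"',
    '2026-02-18T09:02:00Z src=198.51.100.7 upgrade=websocket',
]


if __name__ == "__main__":
    per_src, hits = hunt(SAMPLE_LOGS)
    for src, value in hits:
        print(f"malformed remoteVersion from {src}: {value!r}")
    src, share = top_source_share(per_src)
    print(f"top source {src} accounts for {share:.0%} of malformed attempts")
```

A single source dominating the malformed attempts is exactly the shape GreyNoise reported; the same per-source counter is what you would feed an ASN- or IP-level block while the patch rolls out, and the strict version regex is the kind of input validation the handler should have applied in the first place.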
On February 21, a financially motivated threat actor, confirmed to have leveraged multiple commercial generative AI services, compromised over 600 FortiGate devices, marking a landmark case of AI-enabled offensive operations targeting enterprise network infrastructure at scale. → Read More
Cloudflare suffered a six-hour global service outage on February 21, 2026, disrupting customers worldwide. The root cause was traced to a password rotation error that cascaded into widespread service failures across multiple Cloudflare product lines. → Read More
The Hellcat ransomware group continued its aggressive campaign by compromising Ascom's technical ticketing system, exfiltrating approximately 44GB of data that included source code, project details, invoices, and confidential documents. The group's initial access vector was Jira credentials harvested by infostealer malware. → Read More
Data Breach
PayPal disclosed a breach this week exposing customers’ Social Security Numbers (SSNs), dates of birth, and business PII. The combination of SSNs and business contact details creates a high-risk profile for identity theft and financial fraud targeting both consumers and merchants. → Read More
Consumer-grade spyware operation SpyX confirmed a massive breach affecting nearly 2 million users, with roughly 17,000 plaintext Apple Account credentials exposed. Troy Hunt of Have I Been Pwned verified the legitimacy of the leaked records, and Google subsequently removed the associated Chrome extension. → Read More
California Cryobank, one of America's largest sperm donor repositories, confirmed a significant data breach that exposed sensitive customer PII. The attacker used SQL injection to extract customer records and tampered with logging systems to cover their tracks. → Read More
Vulnerabilities
This week was heavy with critical vulnerability disclosures across enterprise and consumer platforms. Below is a consolidated CVE table of the week’s key findings:
| CVE ID | CVSS | Affected Product | Description | Link |
|---|---|---|---|---|
| N/A | Critical | BeyondTrust appliances | RCE actively exploited via malformed remoteVersion values over WebSocket; a single IP behind 83% of observed attempts | Read More |
| CVE-2026-1281 | 9.8 Critical | Ivanti EPMM | RCE, actively exploited | Read More |
| CVE-2026-20140 | High | Splunk Enterprise for Windows | Session hijacking via crafted requests | Read More |
| CVE-2025-26909 | 9.6 Critical | WP Ghost Plugin (200k+ sites) | Unauthenticated LFI → RCE | Read More |
| CVE-2025-26512 | 9.9 Critical | NetApp SnapCenter Server | Authenticated privilege escalation to remote admin | Read More |
| N/A | Critical | Ivanti EPMM (Zero-Day) | Two critical zero-days affecting enterprise MDM infrastructure | Read More |
| N/A | Critical | Windows Admin Center | Privilege escalation enabling full system takeover | Read More |
| N/A | High | OpenClaw AI Framework | Log poisoning flaw injecting malicious data into AI agent logs | Read More |
| N/A | Critical | better-auth API Keys Plugin | Authentication bypass allowing unauthorized privilege escalation | Read More |
| N/A | High | DrayTek Routers | Active exploitation linked to ISP-wide router reboot loops | Read More |
Google issued an emergency Chrome security update this week to address a high-severity heap buffer overflow flaw that could allow attackers to crash the browser or execute code. → Read More
GitLab released patches for Community and Enterprise editions addressing multiple high-severity flaws, including CVE-2025-7659 (CVSS 8.0) in the Web IDE and CVE-2026-0958 (CVSS 7.5), which enables DoS via resource exhaustion. → Read More