TECHZONE™

APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday https://thehackernews.com/2026/03/apt28-tied-to-cve-2026-21513-mshtml-0.html A recently disclosed security flaw patched by Microsoft may have been exploited by the Russia-linked state-sponsored threat actor known as APT28, according to new findings from Akamai. The vulnerability in question is CVE-2026-21513 (CVSS score: 8.8), a high-severity security feature bypass affecting the MSHTML Framework. "Protection mechanism failure in MSHTML Framework allows an unauthorized

North Korean Hackers Publish 26 npm Packages Hiding Pastebin C2 for Cross-Platform RAT https://thehackernews.com/2026/03/north-korean-hackers-publish-26-npm.html Cybersecurity researchers have disclosed a new iteration of the ongoing Contagious Interview campaign, where the North Korean threat actors have published a set of 26 malicious packages to the npm registry. The packages masquerade as developer tools, but contain functionality to extract the actual command-and-control (C2) by using seemingly harmless Pastebin content as a dead drop resolver and

This month in security with Tony Anscombe – February 2026 edition https://www.welivesecurity.com/en/videos/month-security-tony-anscombe-february-2026/ In this roundup, Tony looks at how opportunistic threat actors are taking advantage of weak authentication, unmanaged exposure, and popular AI tools

ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket https://thehackernews.com/2026/02/clawjacked-flaw-lets-malicious-sites.html OpenClaw has fixed a high-severity security issue that, if successfully exploited, could have allowed a malicious website to connect to a locally running artificial intelligence (AI) agent and take over control. "Our vulnerability lives in the core system itself – no plugins, no marketplace, no user-installed extensions – just the bare OpenClaw gateway, running exactly as documented," Oasis

Thousands of Public Google Cloud API Keys Exposed with Gemini Access After API Enablement https://thehackernews.com/2026/02/thousands-of-public-google-cloud-api.html New research has found that Google Cloud API keys, typically designated as project identifiers for billing purposes, could be abused to authenticate to sensitive Gemini endpoints and access private data. The findings come from Truffle Security, which discovered nearly 3,000 Google API keys (identified by the prefix "AIza") embedded in client-side code to provide Google-related services like

Mobile app permissions (still) matter more than you may think https://www.welivesecurity.com/en/mobile-security/mobile-app-permissions-still-matter-more-think/ Start using a new app and you’ll often be asked to grant it permissions. But blindly accepting them could expose you to serious privacy and security risks.

Pentagon Designates Anthropic Supply Chain Risk Over AI Military Dispute https://thehackernews.com/2026/02/pentagon-designates-anthropic-supply.html Anthropic on Friday hit back after U.S. Secretary of Defense Pete Hegseth directed the Pentagon to designate the artificial intelligence (AI) upstart as a "supply chain risk." "This action follows months of negotiations that reached an impasse over two exceptions we requested to the lawful use of our AI model, Claude: the mass domestic surveillance of Americans and fully autonomous weapons," the

DoJ Seizes $61 Million in Tether Linked to Pig Butchering Crypto Scams https://thehackernews.com/2026/02/doj-seizes-61-million-in-tether-linked.html The U.S. Department of Justice (DoJ) this week announced the seizure of $61 million worth of Tether that were allegedly associated with bogus cryptocurrency schemes known as pig butchering. The confiscated funds were traced to cryptocurrency addresses used for the laundering of criminally derived proceeds stolen from victims of cryptocurrency investment scams, the department added. "Criminal

900+ Sangoma FreePBX Instances Compromised in Ongoing Web Shell Attacks https://thehackernews.com/2026/02/900-sangoma-freepbx-instances.html The Shadowserver Foundation has revealed that over 900 Sangoma FreePBX instances still remain infected with web shells as part of attacks that exploited a command injection vulnerability starting in December 2025. Of these, 401 instances are located in the U.S., followed by 51 in Brazil, 43 in Canada, 40 in Germany, and 36 in France. The non-profit entity said the compromises are likely

Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor https://thehackernews.com/2026/02/malicious-go-crypto-module-steals.html Cybersecurity researchers have disclosed details of a malicious Go module that's designed to harvest passwords, create persistent access via SSH, and deliver a Linux backdoor named Rekoobe. The Go module, github[.]com/xinfeisoft/crypto, impersonates the legitimate "golang.org/x/crypto" codebase, but injects malicious code that's responsible for exfiltrating secrets entered via terminal password

ScarCruft Uses Zoho WorkDrive and USB Malware to Breach Air-Gapped Networks https://thehackernews.com/2026/02/scarcruft-uses-zoho-workdrive-and-usb.html The North Korean threat actor known as ScarCruft has been attributed to a fresh set of tools, including a backdoor that uses Zoho WorkDrive for command-and-control (C2) communications to fetch more payloads and an implant that uses removable media to relay commands and breach air-gapped networks. The campaign, codenamed Ruby Jumper by Zscaler ThreatLabz, involves the deployment of malware

Trojanized Gaming Tools Spread Java-Based RAT via Browser and Chat Platforms https://thehackernews.com/2026/02/trojanized-gaming-tools-spread-java.html Threat actors are luring unsuspecting users into running trojanized gaming utilities that are distributed via browsers and chat platforms to distribute a remote access trojan (RAT). "A malicious downloader staged a portable Java runtime and executed a malicious Java archive (JAR) file named jd-gui.jar," the Microsoft Threat Intelligence team said in a post on X. "This downloader used PowerShell

Meta Files Lawsuits Against Brazil, China, Vietnam Advertisers Over Celeb-Bait Scams https://thehackernews.com/2026/02/meta-files-lawsuits-against-brazil.html Meta on Thursday said it's taking legal action to tackle scams on its platforms by filing lawsuits against what it calls deceptive advertisers based in Brazil, China, and Vietnam. As part of the effort, the advertisers' methods of payment have been suspended, related accounts have been disabled, and the website domain names used to pull off the scams have been blocked. Concurrently, the social

Aeternum C2 Botnet Stores Encrypted Commands on Polygon Blockchain to Evade Takedown https://thehackernews.com/2026/02/aeternum-c2-botnet-stores-encrypted.html Cybersecurity researchers have disclosed details of a new botnet loader called Aeternum C2 that uses a blockchain-based command-and-control (C2) infrastructure to make it resilient to takedown efforts. "Instead of relying on traditional servers or domains for command-and-control, Aeternum stores its instructions on the public Polygon blockchain," Qrator Labs said in a report shared with The

UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor https://thehackernews.com/2026/02/uat-10027-targets-us-education-and.html A previously undocumented threat activity cluster has been attributed to an ongoing malicious campaign targeting education and healthcare sectors in the U.S. since at least December 2025. The campaign is being tracked by Cisco Talos under the moniker UAT-10027. The end goal of the attacks is to deliver a never-before-seen backdoor codenamed Dohdoor. "Dohdoor utilizes the DNS-over-HTTPS (DoH)

ThreatsDay Bulletin: Kali Linux + Claude, Chrome Crash Traps, WinRAR Flaws, LockBit & 15+ Stories https://thehackernews.com/2026/02/threatsday-bulletin-kali-linux-claude.html Nothing here looks dramatic at first glance. That’s the point. Many of this week’s threats begin with something ordinary, like an ad, a meeting invite, or a software update. Behind the scenes, the tactics are sharper. Access happens faster. Control is established sooner. Cleanup becomes harder. Here is a quick look at the signals worth paying attention to. AI-powered command

Expert Recommends: Prepare for PQC Right Now https://thehackernews.com/2026/02/expert-recommends-prepare-for-pqc-right.html Introduction: Steal It Today, Break It in a Decade Digital evolution is unstoppable, and though the pace may vary, things tend to fall into place sooner rather than later. That, of course, applies to adversaries as well. The rise of ransomware and cyber extortion generated funding for a complex and highly professional criminal ecosystem. The era of the cloud brought general availability of

Microsoft Warns Developers of Fake Next.js Job Repos Delivering In-Memory Malware https://thehackernews.com/2026/02/fake-nextjs-repos-target-developers.html A "coordinated developer-targeting campaign" is using malicious repositories disguised as legitimate Next.js projects and technical assessments to trick victims into executing them and establish persistent access to compromised machines. "The activity aligns with a broader cluster of threats that use job-themed lures to blend into routine developer workflows and increase the likelihood of code

Malicious StripeApi NuGet Package Mimicked Official Library and Stole API Tokens https://thehackernews.com/2026/02/malicious-stripeapi-nuget-package.html Cybersecurity researchers have disclosed details of a new malicious package discovered on the NuGet Gallery, impersonating a library from financial services firm Stripe in an attempt to target the financial sector. The package, codenamed StripeApi.Net, attempts to masquerade as Stripe.net, a legitimate library from Stripe that has over 75 million downloads. It was uploaded by a user named

Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023 for Admin Access https://thehackernews.com/2026/02/cisco-sd-wan-zero-day-cve-2026-20127.html A newly disclosed maximum-severity security flaw in Cisco Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage) has come under active exploitation in the wild as part of malicious activity that dates back to 2023. The vulnerability, tracked as CVE-2026-20127 (CVSS score: 10.0), allows an unauthenticated remote attacker to bypass authentication and obtain