End-of-Day report
Timeframe: Dienstag 24-02-2026 18:00 - Mittwoch 25-02-2026 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
News
1Campaign platform helps malicious Google ads evade detection
A newly identified cybercrime service known as 1Campaign is enabling threat actors to run malicious Google Ads that remain online for extended periods while evading scrutiny from security researchers.
https://www.bleepingcomputer.com/news/security/1campaign-platform-helps-malicious-google-ads-evade-detection/
Phishing campaign targets freight and logistics orgs in the US, Europe
A financially motivated threat group dubbed "Diesel Vortex" is stealing credentials from freight and logistics operators in the U.S. and Europe in phishing attacks using 52 domains.
https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-freight-and-logistics-orgs-in-the-us-europe/
The OpenClaw Hype: Analysis of Chatter from Open-Source Deep and Dark Web
OpenClaw has sparked heavy Telegram and dark web chatter, but Flares data shows more research hype than mass exploitation. Flare explains how its telemetry found real supply-chain risk in the skills marketplace, yet limited signs of large-scale criminal operationalization.
https://www.bleepingcomputer.com/news/security/the-openclaw-hype-analysis-of-chatter-from-open-source-deep-and-dark-web/
Marquis sues SonicWall over backup breach that led to ransomware attack
Marquis Software Solutions has filed a lawsuit against SonicWall, accusing the cybersecurity company of gross negligence and misrepresentation that allegedly led to a ransomware attack disrupting operations at 74 U.S. banks.
https://www.bleepingcomputer.com/news/security/marquis-sues-sonicwall-over-backup-breach-that-led-to-ransomware-attack/
Chinese cyberspies breached dozens of telecom firms, govt agencies
Googles Threat Intelligence Group (GTIG), Mandiant, and partners disrupted a global espionage campaign attributed to a suspected Chinese threat actor that used SaaS API calls to hide malicious traffic in attacks targeting telecom and government networks.
https://www.bleepingcomputer.com/news/security/chinese-cyberspies-breached-dozens-of-telecom-firms-govt-agencies/
UAC-0050 Targets European Financial Institution With Spoofed Domain and RMS Malware
A Russia-aligned threat actor has been observed targeting a European financial institution as part of a social engineering attack to likely facilitate intelligence gathering or financial theft, signaling a possible expansion of the threat actors targeting beyond Ukraine and into entities supporting the war-torn nation.
https://thehackernews.com/2026/02/uac-0050-targets-european-financial.html
RoguePilot Flaw in GitHub Codespaces Enabled Copilot to Leak GITHUB_TOKEN
A vulnerability in GitHub Codespaces could have been exploited by bad actors to seize control of repositories by injecting malicious Copilot instructions in a GitHub issue. The artificial intelligence (AI)-driven vulnerability has been codenamed RoguePilot by Orca Security. It has since been patched by Microsoft following responsible disclosure.
https://thehackernews.com/2026/02/roguepilot-flaw-in-github-codespaces.html
Malicious NuGet Packages Stole ASP.NET Data; npm Package Dropped Malware
Cybersecurity researchers have discovered four malicious NuGet packages that are designed to target ASP.NET web application developers to steal sensitive data. The campaign, discovered by Socket, exfiltrates ASP.NET Identity data, including user accounts, role assignments, and permission mappings, as well as manipulates authorization rules to create persistent backdoors in victim applications.
https://thehackernews.com/2026/02/malicious-nuget-packages-stole-aspnet.html
Spyware kann Kamera- und Mikrofonanzeige beim iPhone abdrehen
Eigentlich sollte man bei jeder iOS-App sehen können, dass Kamera- oder Mikrofonaufzeichnung laufen. Predator, ein Spionageprogramm, hackt diese aber.
https://www.heise.de/news/Spyware-kann-Kamera-und-Mikrofonanzeige-beim-iPhone-abdrehen-11188076.html
Best Western Hotels warnt vor Phishing-Attacken
Betrüger haben offenbar Zugang zu aktuellen Buchungsdaten von Best Western Hotels. Das Unternehmen warnt vor einer Phishingwelle.
https://www.heise.de/news/Best-Western-Hotels-warnt-vor-Phishing-Attacken-11188923.html
Der Cloudspeicher ist voll?! Was sich wirklich hinter den Warnungen verbirgt
Wenn dubiose E-Mails und hartnäckige PopUp-Fenster vor einem vollen Cloudspeicher warnen, ist allerhöchste Vorsicht angebracht. Während in manchen Fällen real existierende Softwareanbieter ein kostspieliges Abo unter die Leute bringen wollen, verstecken sich hinter anderen Varianten Kriminelle, die es auf die Kontodaten ihrer Opfer abgesehen haben.
https://www.watchlist-internet.at/news/cloudspeicher-ist-voll/
Phishing operation with links to Russia, Armenia compromised Western cargo companies, researchers find
Over a five-month period, the group, dubbed Diesel Vortex, stole more than 1,600 login credentials from accounts at logistics platforms, which allowed thieves to intercept and divert freight shipments and commit check fraud.
https://therecord.media/phishing-operation-russia-armenia-targeting-us-european-cargo
Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files | CVE-2025-59536 | CVE-2026-21852
Check Point Research has discovered critical vulnerabilities in Anthropic-s Claude Code that allow attackers to achieve remote code execution and steal API credentials through malicious project configurations. The vulnerabilities exploit various configuration mechanisms including Hooks, Model Context Protocol (MCP) servers, and environment variables -executing arbitrary shell commands and exfiltrating Anthropic API keys when users clone and open untrusted repositories.
https://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536/
2026 GreyNoise State of the Edge Report: Where Attacks Concentrate and Defenses Fall Short
GreyNoise analyzed 2.97 billion malicious sessions over 162 days - and the patterns challenge assumptions about where edge defenses are strongest. From VPN targeting to infrastructure concentration to attackers rapidly rotating through fresh IPs, new research quantifies where the gaps are and what to do about it. Read the full findings.
https://www.greynoise.io/blog/2026-greynoise-state-of-the-edge-report-where-attacks-concentrate-defenses-fall-short
Unmasking Agent Tesla: A Deep Dive into a Multi-Stage Campaign
Agent Tesla remains one of the most persistent threats in the cyber landscape today. It allows even low-skilled threat actors to harvest sensitive data through a highly sophisticated delivery pipeline. This research blog breaks down a recent multi-stage infection chain that utilizes a blend of phishing, obfuscated and encrypted scripts, and advanced in-memory execution and evasion techniques.
https://www.fortinet.com/blog/threat-research/unmasking-agent-tesla-deep-dive-into-multi-stage-campaign
CVE-2025-59201 - Network Connection Status Indicator (NCSI) EoP
It-s been a while since I last dug into a Patch Tuesday release. With an extraordinarily high number of 177 CVEs, including 6 that were either already public or exploited in the wild, the October 2025 one seemed like a good opportunity to get back at it. The one I ended up investigating in depth was CVE-2025-59201, an elevation of privilege in the -Network Connection Status Indicator-.
https://itm4n.github.io/cve-2025-59201-ncsi-eop/
Vulnerabilities
Cisco Catalyst SD-WAN Vulnerabilities
Multiple vulnerabilities in Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an attacker to access an affected system, elevate privileges to root, gain access to sensitive information, and overwrite arbitrary files. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. This advisory is available at
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v
CISA and Partners Release Guidance for Ongoing Global Exploitation of Cisco SD-WAN Systems
The purpose of this Alert is to provide resources for organizations with Cisco Software-Defined Wide-Area Networking (SD-WAN) systems, including Federal Civilian Executive Branch (FCEB) agencies, to address ongoing exploitation of multiple vulnerabilities. Notably, the Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20127 and CVE-2022-20775 to its Known Exploited Vulnerabilities (KEV) Catalog on Feb. 25, 2026.
https://www.cisa.gov/news-events/alerts/2026/02/25/cisa-and-partners-release-guidance-ongoing-global-exploitation-cisco-sd-wan-systems
Zyxel warns of critical RCE flaw affecting over a dozen routers
Taiwan networking provider Zyxel has released security updates to address a critical vulnerability affecting over a dozen router models that can allow unauthenticated attackers to gain remote command execution on unpatched devices.
https://www.bleepingcomputer.com/news/security/zyxel-warns-of-critical-rce-flaw-affecting-over-a-dozen-routers/
Schadcode-Lücken in Dell Repository Manager, Wyse Management Suite geschlossen
Dells Fernwartungstools Repository Manager und Wyse Management Suite sind verwundbar. Sicherheitsupdates schließen mehrere Lücken.
https://www.heise.de/news/Schadcode-Luecken-in-Dell-Repository-Manager-Wyse-Management-Suite-geschlossen-11188796.html
Drupal UI Icons - Critical - Cross-site Scripting - SA-CONTRIB-2026-010
https://www.drupal.org/sa-contrib-2026-010
LWN: Security updates for Wednesday
https://lwn.net/Articles/1060185/