Global Surge: 149 Hacktivist DDoS Attacks Target SCADA and Critical Infrastructure Across 16 Countries After Middle East Conflict
Executive Summary Between February 28 and March 2, 2026, a coordinated wave of 149 hacktivist-driven distributed denial-of-service (DDoS) attacks targeted 110 organizations across 16 countries, following the U.S.-Israel military campaign against Iran. The majority of attacks were concentrated in the Middle East, with Kuwait, Israel, and Jordan accounting for over 76% of incidents. Nearly half of the targeted organizations were in the government sector, with finance and tele
Mar 5 · 6 min read


LexisNexis AWS Data Breach 2026: React2Shell Exploit Exposes Legacy Data in Cloud Hack
Executive Summary On March 3, 2026, LexisNexis Legal & Professional confirmed a data breach following the public leak of approximately 2GB of company files by the threat actor known as FulcrumSec. The breach was achieved by exploiting the React2Shell vulnerability in an unpatched React frontend application, granting attackers unauthorized access to the company’s AWS infrastructure. The compromised data primarily consisted of legacy, deprecated information from before 2020
Mar 5 · 5 min read


AI-Powered Cyberattack Using Claude Code Compromises Mexico’s Tax Authority and Government Agencies in Massive Data Breach
Executive Summary In December 2025, a highly sophisticated cyberattack targeted multiple Mexican government agencies and a major financial institution, resulting in the exfiltration of over 150GB of sensitive data, including personally identifiable information (PII) of nearly 195 million individuals. The attackers leveraged Anthropic’s Claude Code AI assistant, jailbreaking its guardrails to automate exploit development, credential harvesting, and data exfiltration. This inc
Mar 2 · 4 min read


QuickLens Chrome Extension Supply Chain Attack: Cryptocurrency Theft and ClickFix Malware Campaign Analysis
Executive Summary The recent compromise of the QuickLens Chrome extension, officially titled QuickLens – Search Screen with Google Lens, represents a significant escalation in browser extension supply chain attacks. In February 2026, threat actors acquired and weaponized this previously benign extension, leveraging its user base of over 7,000 Chrome users to deploy a sophisticated multi-stage malware campaign. The attackers utilized advanced techniques to bypass browser sec
Mar 2 · 4 min read


ClawJacked Vulnerability in OpenClaw Allows Malicious Websites to Hijack Local AI Agents and Steal Data
Executive Summary The ClawJacked vulnerability represents a critical security flaw in the widely adopted open-source AI agent platform OpenClaw. This vulnerability enables malicious websites to hijack locally running OpenClaw instances by exploiting a localhost authentication bypass, resulting in unauthorized access, data exfiltration, and potential full system compromise. The attack leverages browser-based JavaScript to brute-force authentication over WebSocket connection
Mar 2 · 4 min read


South Korean National Tax Service Exposes Ledger Wallet Seed, Leading to $4.8M PRTG Token Theft
Executive Summary On February 26, 2026, South Korea’s National Tax Service (NTS) inadvertently exposed the mnemonic (seed) phrase of a seized Ledger hardware wallet in an official press release, resulting in the immediate theft of approximately $4.8 million in Pre-Retogeum (PRTG) tokens. The seed phrase, visible in photographs published online, enabled an unknown actor to gain full control of the wallet and transfer all assets out in a series of transactions. This incident
Mar 1 · 5 min read


Canadian Tire E-Commerce Database Breach Exposes Data of 38 Million Customer Accounts in 2025
Executive Summary In October 2025, Canadian Tire experienced a significant data breach impacting approximately 38 million customer accounts. The breach resulted in the exposure of personally identifiable information (PII), including names, email addresses, phone numbers, physical addresses, dates of birth, and encrypted passwords. For a subset of users, partial credit card data—such as card type, expiry date, and masked card numbers—was also compromised. No bank account or l
Mar 1 · 5 min read


Trend Micro Apex One On-Premise Critical RCE Vulnerabilities (CVE-2025-54948, CVE-2025-54987) Exploited in the Wild – Urgent Patch Required
Executive Summary Trend Micro has released urgent security patches addressing two critical remote code execution (RCE) vulnerabilities in the Apex One (on-premise) Management Console, identified as CVE-2025-54948 and CVE-2025-54987. Both vulnerabilities are rated CVSS 9.4 (Critical) and have been confirmed as exploited in the wild. These flaws enable pre-authenticated remote attackers to upload malicious code and execute arbitrary commands on affected systems, posing a se
Feb 26 · 4 min read


Google Disrupts UNC2814 GRIDTIDE Malware Abusing Google Sheets API in Global Telecom and Government Espionage Campaign
Executive Summary Google, in collaboration with Mandiant and industry partners, has disrupted the infrastructure of a suspected China-nexus cyber espionage group tracked as UNC2814 following confirmed breaches of at least 53 organizations across 42 countries. The campaign, which has been active since at least 2017, primarily targeted global telecommunications providers and government organizations. The attackers leveraged a novel backdoor, GRIDTIDE, which abused the Google
Feb 26 · 5 min read


US Sanctions Russian Exploit Broker Operation Zero for Theft and Sale of Zero-Day Exploits Targeting US Systems
Executive Summary (Publication Date: February 24, 2026) On February 24, 2026, the United States Department of the Treasury and Department of State announced sweeping sanctions against the Russian exploit broker Operation Zero and its principal, Sergey Sergeyevich Zelenyuk, under the Protecting American Intellectual Property Act (PAIPA). This unprecedented action targets the illicit trade in zero-day vulnerabilities and the theft of proprietary US cyber tools, marking the firs
Feb 26 · 6 min read


CVE-2026-20127: Critical Zero-Day Exploited in Cisco Catalyst SD-WAN Controller and Manager by Advanced Hackers
Executive Summary A critical zero-day vulnerability, CVE-2026-20127, has been discovered and actively exploited in the wild, targeting Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). This vulnerability, rated with a maximum CVSS score of 10.0, enables unauthenticated remote attackers to bypass authentication and obtain administrative privileges, granting them full control over affected SD-WAN environments. The expl
Feb 26 · 5 min read


Critical Cisco SD-WAN Zero-Day (CVE-2026-20127) Enables Remote Admin Access: Active Exploitation and Mitigation Guidance
Executive Summary CVE-2026-20127 is a critical zero-day authentication bypass vulnerability (CVSS 10.0) affecting Cisco's flagship SD-WAN products, specifically Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). This vulnerability has been actively exploited in the wild since at least 2023 by a highly sophisticated threat actor tracked as UAT-8616. Successful exploitation allows unauthenticated remote attackers to ga
Feb 26 · 4 min read


Dohdoor Backdoor Attack: UAT-10027 Targets Windows Systems in U.S. Education and Healthcare Sectors
Executive Summary The threat actor UAT-10027 has launched a sophisticated cyber campaign targeting the U.S. education and healthcare sectors, deploying a novel backdoor known as Dohdoor. This malware leverages DNS-over-HTTPS (DoH) for covert command-and-control (C2) communications, enabling it to bypass traditional network monitoring and security controls. The campaign, active since at least December 2025, utilizes advanced evasion techniques such as DLL sideloading, proces
Feb 26 · 4 min read


Olympique Marseille Cyberattack 2026: Club Confirms Attempted Website Breach Amid Supporter Data Leak Claims
Executive Summary On February 23, 2026, Olympique Marseille became the subject of a public cyberattack claim, with a hacker alleging possession and intent to sell a database containing information on approximately 400,000 supporters. The club responded promptly, issuing an official statement on February 24, 2026, confirming an attempted cyber intrusion but disputing the scale of the breach. Olympique Marseille emphasized that no banking data or passwords were compromised and
Feb 26 · 5 min read
Operation MacroMaze: APT28 Exploits Microsoft Office Macros and Webhook[.]site for Spear-Phishing Attacks Against European Critical Infrastructure
Executive Summary Between late 2025 and early 2026, the Russian state-sponsored threat group APT28 (also known as Fancy Bear, STRONTIUM, Sofacy, and Sednit) orchestrated a sophisticated spear-phishing campaign targeting governmental, diplomatic, and critical infrastructure organizations across Western and Central Europe. This operation, widely referred to as Operation MacroMaze, leveraged macro-enabled Microsoft Office documents that exploited webhook-based infrastructu
Feb 24 · 4 min read


RustyWater: Iranian MuddyWater APT Targets Israeli Government and Infrastructure With Advanced Rust-Based Malware Amid Rising Tensions
Executive Summary The Iranian state-sponsored advanced persistent threat group MuddyWater (also tracked as Mango Sandstorm, TA450, Seedworm, and G0069) has escalated its cyber-espionage operations in early 2026, deploying a sophisticated new malware family as geopolitical tensions in the Middle East intensify. The latest campaign is characterized by the use of a Rust-based remote access trojan, RustyWater, which demonstrates significant advancements in stealth, persiste
Feb 24 · 4 min read


UnsolicitedBooker APT Targets Kyrgyzstan and Tajikistan Telecoms With LuciDoor and MarsSnake Backdoors
Executive Summary The China-aligned advanced persistent threat (APT) group UnsolicitedBooker has recently intensified its cyber-espionage operations against telecommunications providers in Central Asia, specifically targeting organizations in Kyrgyzstan and Tajikistan. Leveraging highly tailored spear-phishing campaigns, the group deploys two rare and technically sophisticated backdoors, LuciDoor and MarsSnake, both written in C++. These campaigns demonstrate a significant
Feb 24 · 4 min read


Reynolds Ransomware Exploits CVE-2025-68947 in NsecSoft NSecKrnl Driver to Disable Windows EDR Security Tools
Executive Summary The emergence of the Reynolds ransomware family marks a significant escalation in adversarial tradecraft, leveraging the Bring Your Own Vulnerable Driver (BYOVD) technique to systematically neutralize Endpoint Detection and Response (EDR) security tools. By embedding a vulnerable kernel-mode driver directly within its payload, Reynolds achieves a high degree of stealth and operational efficiency, enabling the ransomware to disable security controls and
Feb 11 · 5 min read


UNC1069 Targets Cryptocurrency Organizations with AI Deepfake Lures and Multi-Stage Malware on Windows and macOS
Executive Summary The North Korea-linked threat actor UNC1069 has escalated its offensive operations against cryptocurrency organizations by integrating advanced artificial intelligence (AI) lures and multi-stage malware into its attack arsenal. Recent campaigns have demonstrated the use of AI-generated deepfake videos, sophisticated social engineering, and a modular malware framework targeting both Windows and macOS environments. The primary objective of these attacks is th
Feb 11 · 5 min read


Shields Up Initiative: How AI, Zero Trust, and Cloud-Native Security Are Transforming Cyber Defenses
Executive Summary The Shields Up initiative, spearheaded by the Cybersecurity and Infrastructure Security Agency (CISA), marks a pivotal shift in how organizations approach cybersecurity. As the threat landscape evolves with the proliferation of generative AI, cloud-native security platforms, and increasingly complex supply chains, both public and private sectors are urged to adopt advanced technologies and best practices. This report explores the technical and practical as
Feb 11 · 5 min read