

Europol Dismantles Tycoon 2FA: Inside the Takedown of a 64,000-Attack Phishing-as-a-Service Platform
Executive Summary: On March 4, 2026, a Europol-led coalition of law enforcement and private sector partners dismantled the Tycoon 2FA phishing-as-a-service (PhaaS) platform, which had enabled over 64,000 large-scale phishing attacks globally since its emergence in 2023. Tycoon 2FA specialized in adversary-in-the-middle (AiTM) phishing, allowing threat actors to bypass multifactor authentication (MFA) and compromise accounts across sectors including education, healthcar
Mar 5 · 6 min read


Global Surge: 149 Hacktivist DDoS Attacks Target SCADA and Critical Infrastructure Across 16 Countries After Middle East Conflict
Executive Summary: Between February 28 and March 2, 2026, a coordinated wave of 149 hacktivist-driven distributed denial-of-service (DDoS) attacks targeted 110 organizations across 16 countries, following the U.S.-Israel military campaign against Iran. The majority of attacks were concentrated in the Middle East, with Kuwait, Israel, and Jordan accounting for over 76% of incidents. Nearly half of the targeted organizations were in the government sector, with finance and tele
Mar 5 · 6 min read


LexisNexis AWS Data Breach 2026: React2Shell Exploit Exposes Legacy Data in Cloud Hack
Executive Summary: On March 3, 2026, LexisNexis Legal & Professional confirmed a data breach following the public leak of approximately 2GB of company files by the threat actor known as FulcrumSec. The breach was achieved by exploiting the React2Shell vulnerability in an unpatched React frontend application, granting attackers unauthorized access to the company’s AWS infrastructure. The compromised data primarily consisted of legacy, deprecated information from before 2020
Mar 5 · 5 min read


Iran’s Cyberwar Has Begun: Targeted Attacks on Israeli and Unitronics ICS/OT Systems, Threat Intelligence and Mitigation Insights (2026)
Executive Summary: Publication Date: March 2, 2026. The Register’s March 2, 2026 report, “Iran’s cyberwar has begun,” marks a significant escalation in Iranian state-sponsored cyber operations following recent US and Israeli missile strikes. Iranian Advanced Persistent Threat (APT) groups have launched a coordinated campaign targeting Israel, Persian Gulf states, and organizations with US or Israeli ties. The campaign leverages advanced reconnaissance, custom malware, ransomwa
Mar 4 · 5 min read


AI-Powered Cyberattack Using Claude Code Compromises Mexico’s Tax Authority and Government Agencies in Massive Data Breach
Executive Summary: In December 2025, a highly sophisticated cyberattack targeted multiple Mexican government agencies and a major financial institution, resulting in the exfiltration of over 150GB of sensitive data, including personally identifiable information (PII) of nearly 195 million individuals. The attackers leveraged Anthropic’s Claude Code AI assistant, jailbreaking its guardrails to automate exploit development, credential harvesting, and data exfiltration. This inc
Mar 2 · 4 min read


QuickLens Chrome Extension Supply Chain Attack: Cryptocurrency Theft and ClickFix Malware Campaign Analysis
Executive Summary: The recent compromise of the QuickLens Chrome extension, officially titled QuickLens – Search Screen with Google Lens, represents a significant escalation in browser extension supply chain attacks. In February 2026, threat actors acquired and weaponized this previously benign extension, leveraging its user base of over 7,000 Chrome users to deploy a sophisticated multi-stage malware campaign. The attackers utilized advanced techniques to bypass browser sec
Mar 2 · 4 min read


ClawJacked Vulnerability in OpenClaw Allows Malicious Websites to Hijack Local AI Agents and Steal Data
Executive Summary: The ClawJacked vulnerability represents a critical security flaw in the widely adopted open-source AI agent platform OpenClaw. This vulnerability enables malicious websites to hijack locally running OpenClaw instances by exploiting a localhost authentication bypass, resulting in unauthorized access, data exfiltration, and potential full system compromise. The attack leverages browser-based JavaScript to brute-force authentication over WebSocket connection
Mar 2 · 4 min read


South Korean National Tax Service Exposes Ledger Wallet Seed, Leading to $4.8M PRTG Token Theft
Executive Summary: On February 26, 2026, South Korea’s National Tax Service (NTS) inadvertently exposed the mnemonic (seed) phrase of a seized Ledger hardware wallet in an official press release, resulting in the immediate theft of approximately $4.8 million in Pre-Retogeum (PRTG) tokens. The seed phrase, visible in photographs published online, enabled an unknown actor to gain full control of the wallet and transfer all assets out in a series of transactions. This incident
Mar 1 · 5 min read


Malicious Go Module github.com/xinfeisoft/crypto Targets Ubuntu and CI/CD Environments With Rekoobe Backdoor and Credential Theft
Executive Summary: A highly sophisticated supply chain attack has been identified involving a malicious Go module, github.com/xinfeisoft/crypto, which masquerades as the legitimate golang.org/x/crypto library. This module is engineered to covertly exfiltrate sensitive credentials entered via terminal prompts, establish persistent SSH access, and deploy the advanced Rekoobe Linux backdoor. The campaign leverages namespace confusion, GitHub-hosted staging, and multi-stage pay
Mar 1 · 4 min read


Ongoing Cyberattack Exploits Sangoma FreePBX CVE-2025-64328: Over 900 Instances Compromised by Web Shells
Executive Summary: A significant and ongoing cyberattack campaign has resulted in the compromise of over 900 instances of Sangoma FreePBX, a widely deployed open-source VoIP PBX platform. Attackers are exploiting a critical post-authentication command injection vulnerability, CVE-2025-64328, to deploy persistent PHP-based web shells, most notably EncystPHP, on vulnerable systems. This campaign, tracked by organizations such as Shadowserver and Fortinet, is global in scope
Mar 1 · 5 min read


ScarCruft Exploits Zoho WorkDrive and USB Malware to Compromise Air-Gapped Government and Defense Networks
Executive Summary: The North Korean state-sponsored threat actor ScarCruft (also known as APT37) has recently executed a highly sophisticated cyber-espionage campaign that leverages both cloud-based and removable media vectors to compromise even the most isolated, air-gapped networks. This campaign, tracked as Ruby Jumper, is notable for its abuse of Zoho WorkDrive as a command-and-control (C2) channel and the deployment of advanced USB malware to bridge the gap between in
Mar 1 · 5 min read


Critical CVE-2026-21902 Vulnerability in Juniper Networks PTX Series Routers Running Junos OS Evolved: Full Device Takeover Risk and Mitigation Steps
Executive Summary: A critical vulnerability, CVE-2026-21902, has been discovered in Juniper Networks PTX Series Routers running Junos OS Evolved. This flaw enables unauthenticated, remote attackers to execute arbitrary code as root, potentially resulting in a complete device takeover. The vulnerability stems from incorrect permission assignment in the On-Box Anomaly Detection framework, which is externally exposed by default. This exposure creates a significant risk for org
Mar 1 · 4 min read


APT37’s Ruby Jumper Malware Targets Air-Gapped Windows Networks with USB-Based Attacks
Executive Summary: In late 2025, the North Korean advanced persistent threat group APT37 (also known as ScarCruft, Ruby Sleet, and Velvet Chollima) was observed deploying a new, highly sophisticated malware campaign targeting air-gapped networks. This campaign, referred to as Ruby Jumper by Zscaler ThreatLabz, leverages a multi-stage infection chain and novel malware families to bridge the security gap between isolated, high-value environments and the internet. The attack
Mar 1 · 5 min read


ManoMano Zendesk Data Breach Exposes 38 Million Customers Across Europe: Incident Analysis and Security Implications
Executive Summary: In January 2026, ManoMano, a leading European e-commerce platform specializing in DIY, home improvement, and gardening products, detected unauthorized access to customer data via a third-party customer support service provider. The breach, which was publicly disclosed in late February 2026, impacted approximately 38 million individuals across France, Belgium, Spain, Italy, Germany, and the United Kingdom. The compromised data includes full names, email addr
Mar 1 · 5 min read


Canadian Tire E-Commerce Database Breach Exposes Data of 38 Million Customer Accounts in 2025
Executive Summary: In October 2025, Canadian Tire experienced a significant data breach impacting approximately 38 million customer accounts. The breach resulted in the exposure of personally identifiable information (PII), including names, email addresses, phone numbers, physical addresses, dates of birth, and encrypted passwords. For a subset of users, partial credit card data—such as card type, expiry date, and masked card numbers—was also compromised. No bank account or l
Mar 1 · 5 min read


Trend Micro Apex One On-Premise Critical RCE Vulnerabilities (CVE-2025-54948, CVE-2025-54987) Exploited in the Wild – Urgent Patch Required
Executive Summary: Trend Micro has released urgent security patches addressing two critical remote code execution (RCE) vulnerabilities in the Apex One (on-premise) Management Console, identified as CVE-2025-54948 and CVE-2025-54987. Both vulnerabilities are rated CVSS 9.4 (Critical) and have been confirmed as exploited in the wild. These flaws enable pre-authenticated remote attackers to upload malicious code and execute arbitrary commands on affected systems, posing a se
Feb 26 · 4 min read


Google Disrupts UNC2814 GRIDTIDE Malware Abusing Google Sheets API in Global Telecom and Government Espionage Campaign
Executive Summary: Google, in collaboration with Mandiant and industry partners, has disrupted the infrastructure of a suspected China-nexus cyber espionage group tracked as UNC2814 following confirmed breaches of at least 53 organizations across 42 countries. The campaign, which has been active since at least 2017, primarily targeted global telecommunications providers and government organizations. The attackers leveraged a novel backdoor, GRIDTIDE, which abused the Google
Feb 26 · 5 min read


US Sanctions Russian Exploit Broker Operation Zero for Theft and Sale of Zero-Day Exploits Targeting US Systems
Executive Summary: Publication Date: February 24, 2026. On February 24, 2026, the United States Department of the Treasury and Department of State announced sweeping sanctions against the Russian exploit broker Operation Zero and its principal, Sergey Sergeyevich Zelenyuk, under the Protecting American Intellectual Property Act (PAIPA). This unprecedented action targets the illicit trade in zero-day vulnerabilities and the theft of proprietary US cyber tools, marking the firs
Feb 26 · 6 min read


CVE-2026-20127: Critical Zero-Day Exploited in Cisco Catalyst SD-WAN Controller and Manager by Advanced Hackers
Executive Summary: A critical zero-day vulnerability, CVE-2026-20127, has been discovered and actively exploited in the wild, targeting Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). This vulnerability, rated with a maximum CVSS score of 10.0, enables unauthenticated remote attackers to bypass authentication and obtain administrative privileges, granting them full control over affected SD-WAN environments. The expl
Feb 26 · 5 min read


Critical Cisco SD-WAN Zero-Day (CVE-2026-20127) Enables Remote Admin Access: Active Exploitation and Mitigation Guidance
Executive Summary: CVE-2026-20127 is a critical zero-day authentication bypass vulnerability (CVSS 10.0) affecting Cisco's flagship SD-WAN products, specifically Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). This vulnerability has been actively exploited in the wild since at least 2023 by a highly sophisticated threat actor tracked as UAT-8616. Successful exploitation allows unauthenticated remote attackers to ga
Feb 26 · 4 min read