=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 24-02-2026 18:00 - Wednesday 25-02-2026 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ 1Campaign platform helps malicious Google ads evade detection ∗∗∗
---------------------------------------------
A newly identified cybercrime service known as 1Campaign is enabling threat actors to run malicious Google Ads that remain online for extended periods while evading scrutiny from security researchers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/1campaign-platform-helps-mali...
∗∗∗ Phishing campaign targets freight and logistics orgs in the US, Europe ∗∗∗
---------------------------------------------
A financially motivated threat group dubbed "Diesel Vortex" is stealing credentials from freight and logistics operators in the U.S. and Europe in phishing attacks using 52 domains.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-fre...
∗∗∗ The OpenClaw Hype: Analysis of Chatter from Open-Source Deep and Dark Web ∗∗∗
---------------------------------------------
OpenClaw has sparked heavy Telegram and dark web chatter, but Flare's data shows more research hype than mass exploitation. Flare explains how its telemetry found real supply-chain risk in the skills marketplace, yet limited signs of large-scale criminal operationalization.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/the-openclaw-hype-analysis-of...
∗∗∗ Marquis sues SonicWall over backup breach that led to ransomware attack ∗∗∗
---------------------------------------------
Marquis Software Solutions has filed a lawsuit against SonicWall, accusing the cybersecurity company of gross negligence and misrepresentation that allegedly led to a ransomware attack disrupting operations at 74 U.S. banks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/marquis-sues-sonicwall-over-b...
∗∗∗ Chinese cyberspies breached dozens of telecom firms, govt agencies ∗∗∗
---------------------------------------------
Google's Threat Intelligence Group (GTIG), Mandiant, and partners disrupted a global espionage campaign attributed to a suspected Chinese threat actor that used SaaS API calls to hide malicious traffic in attacks targeting telecom and government networks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/chinese-cyberspies-breached-d...
∗∗∗ UAC-0050 Targets European Financial Institution With Spoofed Domain and RMS Malware ∗∗∗
---------------------------------------------
A Russia-aligned threat actor has been observed targeting a European financial institution as part of a social engineering attack, likely to facilitate intelligence gathering or financial theft. This signals a possible expansion of the threat actor's targeting beyond Ukraine to entities supporting the war-torn nation.
---------------------------------------------
https://thehackernews.com/2026/02/uac-0050-targets-european-financial.html
∗∗∗ RoguePilot Flaw in GitHub Codespaces Enabled Copilot to Leak GITHUB_TOKEN ∗∗∗
---------------------------------------------
A vulnerability in GitHub Codespaces could have been exploited by bad actors to seize control of repositories by injecting malicious Copilot instructions in a GitHub issue. The artificial intelligence (AI)-driven vulnerability has been codenamed RoguePilot by Orca Security. It has since been patched by Microsoft following responsible disclosure.
---------------------------------------------
https://thehackernews.com/2026/02/roguepilot-flaw-in-github-codespaces.html
∗∗∗ Malicious NuGet Packages Stole ASP.NET Data; npm Package Dropped Malware ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered four malicious NuGet packages that are designed to target ASP.NET web application developers to steal sensitive data. The campaign, discovered by Socket, exfiltrates ASP.NET Identity data, including user accounts, role assignments, and permission mappings, and also manipulates authorization rules to create persistent backdoors in victim applications.
---------------------------------------------
https://thehackernews.com/2026/02/malicious-nuget-packages-stole-aspnet.html
∗∗∗ Spyware can switch off the camera and microphone indicator on the iPhone ∗∗∗
---------------------------------------------
Every iOS app is supposed to make it visible when the camera or microphone is recording. Predator, a piece of spyware, subverts this indicator.
---------------------------------------------
https://www.heise.de/news/Spyware-kann-Kamera-und-Mikrofonanzeige-beim-iPhon...
∗∗∗ Best Western Hotels warns of phishing attacks ∗∗∗
---------------------------------------------
Scammers apparently have access to current booking data from Best Western Hotels. The company is warning of a wave of phishing.
---------------------------------------------
https://www.heise.de/news/Best-Western-Hotels-warnt-vor-Phishing-Attacken-11...
∗∗∗ Your cloud storage is full?! What is really behind the warnings ∗∗∗
---------------------------------------------
When dubious e-mails and persistent pop-up windows warn of full cloud storage, the utmost caution is called for. In some cases real software vendors are trying to push a costly subscription; behind other variants are criminals who are after their victims' account credentials.
---------------------------------------------
https://www.watchlist-internet.at/news/cloudspeicher-ist-voll/
∗∗∗ Phishing operation with links to Russia, Armenia compromised Western cargo companies, researchers find ∗∗∗
---------------------------------------------
Over a five-month period, the group, dubbed Diesel Vortex, stole more than 1,600 login credentials from accounts at logistics platforms, which allowed thieves to intercept and divert freight shipments and commit check fraud.
---------------------------------------------
https://therecord.media/phishing-operation-russia-armenia-targeting-us-europ...
∗∗∗ Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files | CVE-2025-59536 | CVE-2026-21852 ∗∗∗
---------------------------------------------
Check Point Research has discovered critical vulnerabilities in Anthropic's Claude Code that allow attackers to achieve remote code execution and steal API credentials through malicious project configurations. The vulnerabilities exploit various configuration mechanisms, including Hooks, Model Context Protocol (MCP) servers, and environment variables, executing arbitrary shell commands and exfiltrating Anthropic API keys when users clone and open untrusted repositories.
---------------------------------------------
https://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through-...
∗∗∗ 2026 GreyNoise State of the Edge Report: Where Attacks Concentrate and Defenses Fall Short ∗∗∗
---------------------------------------------
GreyNoise analyzed 2.97 billion malicious sessions over 162 days, and the patterns challenge assumptions about where edge defenses are strongest. From VPN targeting to infrastructure concentration to attackers rapidly rotating through fresh IPs, new research quantifies where the gaps are and what to do about it. Read the full findings.
---------------------------------------------
https://www.greynoise.io/blog/2026-greynoise-state-of-the-edge-report-where-...
∗∗∗ Unmasking Agent Tesla: A Deep Dive into a Multi-Stage Campaign ∗∗∗
---------------------------------------------
Agent Tesla remains one of the most persistent threats in the cyber landscape today. It allows even low-skilled threat actors to harvest sensitive data through a highly sophisticated delivery pipeline. This research blog breaks down a recent multi-stage infection chain that utilizes a blend of phishing, obfuscated and encrypted scripts, and advanced in-memory execution and evasion techniques.
---------------------------------------------
https://www.fortinet.com/blog/threat-research/unmasking-agent-tesla-deep-div...
∗∗∗ CVE-2025-59201 - Network Connection Status Indicator (NCSI) EoP ∗∗∗
---------------------------------------------
It's been a while since I last dug into a Patch Tuesday release. With an extraordinarily high number of 177 CVEs, including 6 that were either already public or exploited in the wild, the October 2025 one seemed like a good opportunity to get back at it. The one I ended up investigating in depth was CVE-2025-59201, an elevation of privilege in the "Network Connection Status Indicator".
---------------------------------------------
https://itm4n.github.io/cve-2025-59201-ncsi-eop/
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Catalyst SD-WAN Vulnerabilities ∗∗∗
---------------------------------------------
Multiple vulnerabilities in Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an attacker to access an affected system, elevate privileges to root, gain access to sensitive information, and overwrite arbitrary files. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. This advisory is available at
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisor...
∗∗∗ CISA and Partners Release Guidance for Ongoing Global Exploitation of Cisco SD-WAN Systems ∗∗∗
---------------------------------------------
The purpose of this Alert is to provide resources for organizations with Cisco Software-Defined Wide-Area Networking (SD-WAN) systems, including Federal Civilian Executive Branch (FCEB) agencies, to address ongoing exploitation of multiple vulnerabilities. Notably, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20127 and CVE-2022-20775 to its Known Exploited Vulnerabilities (KEV) Catalog on Feb. 25, 2026.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2026/02/25/cisa-and-partners-release...
∗∗∗ Zyxel warns of critical RCE flaw affecting over a dozen routers ∗∗∗
---------------------------------------------
Taiwan networking provider Zyxel has released security updates to address a critical vulnerability affecting over a dozen router models that can allow unauthenticated attackers to gain remote command execution on unpatched devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/zyxel-warns-of-critical-rce-f...
∗∗∗ Malicious-code vulnerabilities in Dell Repository Manager and Wyse Management Suite closed ∗∗∗
---------------------------------------------
Dell's remote management tools Repository Manager and Wyse Management Suite are vulnerable. Security updates close several vulnerabilities.
---------------------------------------------
https://www.heise.de/news/Schadcode-Luecken-in-Dell-Repository-Manager-Wyse-...
∗∗∗ Drupal UI Icons - Critical - Cross-site Scripting - SA-CONTRIB-2026-010 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2026-010
∗∗∗ LWN: Security updates for Wednesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1060185/