The Hacker News

@thehackernews

Technologies

⭐ Official THN Telegram Channel — A trusted, widely read, independent source for breaking news and tech coverage about cybersecurity and hacking. 📨 Contact: [email protected] 🌐 Website: https://thehackernews.com

Subscribers: 163,000 (current channel subscribers)
Tracked posts: 1,016 (indexed post count)
Recent reach: 110,460 (sum of recent post views)
Recent posts

Posted Feb 24

🛑 China-aligned group UnsolicitedBooker has shifted to telecom firms in Central Asia, deploying LuciDoor and MarsSnake backdoors via phishing docs. Campaigns in Kyrgyzstan and Tajikistan used macro-laced Office files and loaders to gain remote control and steal data. 🔗 Details → https://thehackernews.com/2026/02/unsolicitedbooker-targets-central-asian.html

8,600 views

Posted Feb 24

⚠️ Most Microsoft 365 breaches won’t start with zero-days. They’ll start with security settings left in “report only.” Conditional Access not enforced. Legacy auth still on. High-privilege app registrations untouched. AI attackers automate what teams keep postponing. 🔗 Learn more → https://thehackernews.com/expert-insights/2026/02/ai-wont-break-microsoft-365-your.html

8,850 views

Posted Feb 24

⚠️ Anthropic says it blocked 16 million+ exchanges tied to model distillation campaigns targeting Claude. The activity used 24,000 fake accounts and proxy networks to extract coding, reasoning, and tool-use capabilities. Three China-based AI labs were attributed. Anthropic warns stripped safeguards could pose national security risks. 🔗 Read → https://thehackernews.com/2026/02/anthropic-says-chinese-ai-firms-used-16.html

9,550 views

Posted Feb 23

Russia-linked APT28 ran a campaign across Europe from Sept 2025 to Jan 2026. A Word doc acted as a silent beacon — opening it pinged a webhook, confirming the target engaged 📄📡 From there, basic VBScript and batch files set persistence and funneled command output back via Edge. 🔗 Read → https://thehackernews.com/2026/02/apt28-targeted-european-entities-using.html

9,990 views

Posted Feb 23

⚠️ Researchers uncovered a cryptojacking campaign hiding in pirated software bundles 🏴‍☠️ It drops a custom XMRig miner and abuses a flawed driver (CVE-2020-14979) to boost hashrate by 15–50%. It can spread via USB drives, even into air-gapped systems. 🔗 Details → https://thehackernews.com/2026/02/wormable-xmrig-campaign-uses-byovd.html

9,630 views

Posted Feb 23

🚨 Update Your Detection Rules: New Remote Access Trojan

We caught a Go-based RAT and named it #Moonrise. At the time of the analysis, the sample had not yet been submitted to VirusTotal ❗️

The level of access enables credential harvesting, sensitive data collection, and preparation for further compromise without triggering static detections, leaving SOCs with no clear signals to act on.

⚠️ Observed capabilities include:
🔹 Privilege-related functions and persistence mechanisms
🔹 Data theft and credential harvesting
🔹 Process control and command execution
🔹 File upload and execution
🔹 User activity monitoring: screen capture and streaming, webcam and microphone access, keystroke logging, clipboard monitoring

One compromised endpoint can disrupt operations and lead to financial and reputational damage.

👾 See sample execution in a live analysis session

✅ Behavior-first triage in #ANYRUN Sandbox lets security teams confirm attacker actions, like remote command execution, UAC bypass attempts, and persistence-related activity, within minutes. Security teams reduce Tier-1 overload and unnecessary escalations, while containing incidents earlier.

👨‍💻 Equip your SOC with faster decisions and lower workload. See how ANY.RUN fits your workflows #ExploreWithANYRUN

9,080 views

Posted Feb 23

🚨 WARNING: A new Go-based RAT, #Moonrise, evades AVs and escalates from one infected endpoint to network-wide compromise. The impact includes credential theft and hidden audio/video surveillance. Protect your company with strong early detection: https://thn.news/enterprise-sec

8,020 views

Posted Feb 23

The threat curve keeps climbing. 🛒 Store skimmers 🧠 WP RAT chains 🏭 508 ICS alerts 🌐 30Tbps DDoS 🤖 Bot surge 📦 2.5K Docker malware 📢 1T scam ads 🎰 NPM gambling backdoor 📱 Samsung fingerprinting ☎️ Teams spoof shield 🔗 Full Weekly Recap live: https://thehackernews.com/2026/02/weekly-recap-double-tap-skimmers.html

8,150 views

Posted Feb 23

⚠️ The real risk in enterprise AI isn’t the model — it’s the endpoint. Every new LLM API, dashboard, or connector expands the attack surface. Many were built fast, not secure. Exposed endpoints can leak data or inherit powerful service account access. 🔗 Why endpoint privilege now matters in LLM stacks → https://thehackernews.com/2026/02/how-exposed-endpoints-increase-risk.html

8,450 views

Posted Feb 23

🤖 Researchers found 19 malicious npm packages spreading SANDWORM_MODE. The worm 🐛 steals npm/GitHub tokens, SSH keys, API secrets, and crypto keys, then propagates using stolen identities. It also injects into AI coding tools to harvest LLM API keys. 🔗 Read → https://thehackernews.com/2026/02/malicious-npm-packages-harvest-crypto.html

9,680 views

Posted Feb 23

Microsoft says a Copilot bug (CW1226324) let Microsoft 365 Copilot summarize confidential emails, bypassing DLP policies. Since Jan 21, 2026, emails in Sent Items and Drafts with sensitivity labels were processed in Copilot Chat without permission. Microsoft fixed the issue on Feb 3 but hasn’t disclosed impact. 🔗 Details → https://thehackernews.com/2026/02/threatsday-bulletin-openssl-rce-foxit-0.html#copilot-bypassed-dlp-safeguards

9,760 views

Posted Feb 23

Iran’s MuddyWater launched Operation Olalampo on Jan 26, 2026, targeting organizations across MENA. Group-IB says phishing Office macros drop new malware—GhostFetch, GhostBackDoor, HTTP_VIP, and the Rust backdoor CHAR. Some variants use Telegram for control, with signs of AI-assisted development. 🔗 Read → https://thehackernews.com/2026/02/muddywater-targets-mena-organizations.html

10,700 views