Daily Digest

Chinese APT Exploits Dell Zero-Day in Espionage Campaign; Major Data Breaches Hit Figure, Betterment

Chinese APT Exploits Dell Zero-Day in Espionage Campaign; Major Data Breaches Hit Figure, Betterment

February 18, 2026
10 articles (8 new, 2 updated)
30 min read

Summary

This edition for February 18, 2026, covers a critical cyberespionage campaign by a Chinese APT group (UNC6201) exploiting a Dell RecoverPoint zero-day (CVE-2026-22769) to target VMware infrastructure. Additionally, major data breaches impacted nearly one million customers each at fintech firms Figure and Betterment, with the ShinyHunters group claiming responsibility. Other significant events include a critical RCE flaw in Grandstream VoIP phones, a breach of a French government database exposing 1.2 million bank accounts, and an actively exploited zero-day in Google Chrome.

Filter by Category

New Articles (8)

Metasploit Module Released for Critical RCE Flaw in Grandstream VoIP Phones (CVE-2026-2329)

CRITICAL

Critical Unauthenticated RCE Vulnerability (CVE-2026-2329) Disclosed in Grandstream GXP1600 Series VoIP Phones

Researchers at Rapid7 have disclosed a critical, unauthenticated remote code execution (RCE) vulnerability, CVE-2026-2329, affecting Grandstream GXP1600 series VoIP phones. The flaw is a stack-based buffer overflow in the phone's web API, allowing a remote attacker to gain root privileges on devices with default configurations. To demonstrate the severity, Rapid7 has released a Metasploit exploit module and a post-exploitation module for credential theft. Grandstream has issued firmware version 1.0.7.81 to patch the vulnerability. Given the availability of a public exploit, users are urged to update their devices immediately or apply network-level mitigations.

February 18, 2026
4 min read
RCEVulnerabilityVoIPGrandstreamMetasploit +2 more
Metasploit Module Released for Critical RCE Flaw in Grandstream VoIP Phones (CVE-2026-2329)
Vulnerability
Patch Management
Industrial Control Systems

French Government Database Breach Exposes 1.2 Million Bank Accounts via Stolen Credentials

HIGH

Hacker Breaches French Economy Ministry Database, Accessing Data on 1.2 Million Bank Accounts

The French Economy Ministry has confirmed a data breach affecting its FICOBA national bank account database. An unauthorized individual gained access to the system using credentials stolen from a government official, exposing the personal and banking information of 1.2 million account holders. The breach, which occurred in late January 2026, exposed names, addresses, bank account numbers, and tax IDs. However, the ministry clarified that the attacker could not view account balances or conduct transactions. The government has blocked the malicious access, filed a criminal complaint, and is in the process of notifying affected individuals.

February 18, 2026
4 min read
Data BreachGovernmentFranceStolen CredentialsPII +1 more
French Government Database Breach Exposes 1.2 Million Bank Accounts via Stolen Credentials
Data Breach
Cyberattack
Regulatory

Betterment Breach Escalates: ShinyHunters Leaks Detailed Financial and Personal Data of 1.4M Customers

CRITICAL

Betterment Data Breach Reveals Exposure of Highly Detailed Customer Financial and Personal Information

The data breach at investment advisor Betterment LLC, first disclosed in January 2026, is now understood to be far more severe. The incident stemmed from a social engineering attack that gave an attacker access to a third-party communications platform. The ShinyHunters ransomware group has since claimed responsibility and published a massive trove of data allegedly belonging to 1.4 million customers after Betterment refused to pay a ransom. Analysis of the leak shows it contains not just contact information but highly sensitive details including employer information, job titles, retirement plan data, and internal company notes, creating a significant risk of sophisticated, targeted fraud for affected individuals.

February 18, 2026
5 min read
Data BreachSocial EngineeringShinyHuntersFinanceInvestment +1 more
Betterment Breach Escalates: ShinyHunters Leaks Detailed Financial and Personal Data of 1.4M Customers
Data Breach
Threat Actor
Phishing

Cybercrime Goes Corporate: Huntress Report Finds Attackers Industrializing Tactics for Scale and Profit

INFORMATIONAL

Huntress 2026 Cyber Threat Report Reveals Industrialization of Cybercrime with Focus on Scalable Attacks

The Huntress 2026 Cyber Threat Report, released February 18, 2026, details a major shift in the cybercrime landscape towards an industrialized, business-like model. Analyzing data from millions of endpoints, the report finds that threat actors are prioritizing scalable, low-effort attacks that abuse trusted tools and identities over complex zero-days. This 'living off the land' approach maximizes profitability. The report highlights a significant 88% year-over-year increase in attacks targeting the manufacturing sector. It also warns of the growing use of AI in tradecraft, including deepfakes for impersonation and manipulation of AI chat tools to trick employees, lowering the barrier to entry for less skilled attackers.

February 18, 2026
5 min read
Threat IntelligenceCybercrimeLiving off the LandAIDeepfake +1 more
Cybercrime Goes Corporate: Huntress Report Finds Attackers Industrializing Tactics for Scale and Profit
Threat Intelligence
Threat Actor
Malware

Attackers Abuse Atlassian Jira Notifications in Large-Scale Phishing Campaign to Bypass Email Filters

HIGH

Large-Scale Phishing Campaign Abuses Atlassian Jira Notification System as a 'Digital Trojan Horse'

A widespread and ongoing phishing campaign is abusing the legitimate notification features of Atlassian's Jira platform to deliver malicious links to government and corporate targets worldwide. By creating tasks or comments in Jira, attackers trigger legitimate notification emails sent from Atlassian's own servers. These emails, bearing valid digital signatures, bypass most email security filters and appear trustworthy to recipients. The 'low and slow' campaign aims to harvest credentials and deliver malware by luring users to click on links within the seemingly benign project updates. The tactic highlights a growing trend of threat actors abusing trusted SaaS platforms to conduct their attacks.

February 18, 2026
4 min read
PhishingAtlassianJiraSaaS SecurityCredential Harvesting +1 more
Attackers Abuse Atlassian Jira Notifications in Large-Scale Phishing Campaign to Bypass Email Filters
Phishing
Cyberattack
Cloud Security

New 'Contagious Interview' and 'CrescentHarvest' Campaigns Target Crypto Wallets and Iranian Dissidents

HIGH

Stealthy 'Contagious Interview' and 'CrescentHarvest' Campaigns Emerge with Targeted Attacks

Two distinct and sophisticated cyber threat campaigns were reported on February 18, 2026. The first, dubbed 'Contagious Interview,' is a financially motivated operation targeting MetaMask browser wallets. It uses injected malicious code to surgically alter transaction data in real-time, redirecting cryptocurrency to attacker-controlled wallets. The second campaign, 'CrescentHarvest,' is attributed to an Iranian threat actor and focuses on cyber-espionage against political dissidents and protestors. This campaign uses phishing to deploy surveillance malware designed to harvest sensitive communications. Both campaigns highlight a trend towards precision-targeted, stealthy attacks for financial gain and political suppression.

February 18, 2026
5 min read
CryptocurrencyMetaMaskCyberespionageIranMalware +1 more
New 'Contagious Interview' and 'CrescentHarvest' Campaigns Target Crypto Wallets and Iranian Dissidents
Threat Actor
Malware
Phishing

Malicious GitHub Fork of 'Triton' macOS App Used to Distribute Windows Malware

MEDIUM

Malicious GitHub Fork of 'Triton' App Discovered Delivering Windows Malware in Supply Chain Attack

A malicious supply chain attack was identified on GitHub on February 17, 2026, targeting users through a deceptive fork of a legitimate open-source application. Attackers cloned 'Triton,' a macOS client for the omg.lol service, and created a malicious repository under the account name 'JaoAureliano.' The repository's README file lured users into downloading a trojanized ZIP file, `Software_3.1.zip`. While the original project is for macOS, the malicious payload was designed to infect Windows systems. This incident highlights the ongoing threat of software supply chain attacks that abuse the trust inherent in the open-source ecosystem.

February 18, 2026
4 min read
Supply Chain AttackGitHubMalwareOpen SourceTrojan
Malicious GitHub Fork of 'Triton' macOS App Used to Distribute Windows Malware
Supply Chain Attack
Malware
Threat Actor

UC Berkeley to Host Regional Summits to Strengthen Cyber Civil Defense

INFORMATIONAL

UC Berkeley Announces Regional Summits to Bolster Cyber Civil Defense

The UC Berkeley Center for Long-Term Cybersecurity (CLTC) announced on February 17, 2026, that it will host three regional Cyber Civil Defense Summits in 2026. The initiative aims to build collaboration between volunteer cyber defenders, government officials, researchers, and emergency responders to better protect under-resourced community organizations like schools and local critical infrastructure. The summits will be co-hosted with partner states, including New Jersey and Louisiana, and will build on the CLTC's previous work to create replicable models for community-based cyber defense and resilience.

February 18, 2026
3 min read
Cyber Civil DefensePolicyCommunityPublic-Private PartnershipCybersecurity
UC Berkeley to Host Regional Summits to Strengthen Cyber Civil Defense
Policy and Compliance
Security Operations

Updated Articles (2)

Fintech Firm Figure Technologies Breached by ShinyHunters; 1 Million Customer Records Leaked

HIGH

Figure Technologies Confirms Data Breach After Employee Targeted in Phishing Attack, ShinyHunters Leaks 2.5GB of Customer Data

Update:

The Figure Technology Solutions data breach, involving the leak of nearly one million customer records by ShinyHunters, has been independently confirmed by the data breach notification service 'Have I Been Pwned'. The service added 967,000 unique email addresses to its database, validating the scope of the incident. Additionally, new reports indicate the breach occurred while Figure was managing a secondary stock offering, adding a layer of financial sensitivity to the timing of the attack. Figure's security team reportedly blocked compromised access quickly and engaged an external digital forensics firm for investigation.

February 15, 2026
Updated: February 18, 2026
5 min read
ShinyHuntersData BreachPhishingSocial EngineeringFintech +2 more
Fintech Firm Figure Technologies Breached by ShinyHunters; 1 Million Customer Records Leaked
Data Breach
Threat Actor
Phishing

Google Scrambles to Patch First Actively Exploited Chrome Zero-Day of 2026

CRITICAL

Google Releases Emergency Patch for Actively Exploited Chrome Zero-Day CVE-2026-2441

Update:

Further details regarding the actively exploited Chrome zero-day, CVE-2026-2441, confirm that the critical patch was released on February 13, 2026. This update also explicitly identifies Vivaldi and Opera as additional Chromium-based browsers impacted by the use-after-free vulnerability, alongside Microsoft Edge and Brave. Remediation efforts continue to emphasize immediate software updates, aligning with the D3FEND technique D3-SU - Software Update, to protect against ongoing exploitation. Users are urged to ensure all Chromium-based browsers are updated and restarted.

February 17, 2026
Updated: February 18, 2026
4 min read
zero-dayuse-after-freebrowser securitychromiumGoogle Chrome
Google Scrambles to Patch First Actively Exploited Chrome Zero-Day of 2026
Vulnerability
Patch Management

📢 Share This Publication

Help others stay informed about cybersecurity threats