Daily Digest

Critical Zero-Days in Confluence & Exchange, "MidasTouch" Ransomware Hits Hospitals, and "SandViper" APT Targets US Defense

Critical Zero-Days in Confluence & Exchange, "MidasTouch" Ransomware Hits Hospitals, and "SandViper" APT Targets US Defense

February 23, 2026
9 articles (9 new)
27 min read

Summary

This cybersecurity brief for February 22-23, 2026, covers a wave of critical threats. Atlassian and Microsoft rushed patches for actively exploited zero-days in Confluence (CVE-2026-22515) and a critical flaw in Exchange Server (CVE-2026-21445). A new ransomware strain, "MidasTouch," crippled a major US hospital chain, while CISA warned of the "SandViper" APT targeting the defense sector. Other major incidents include a supply chain attack on the "EasyUtil-JS" NPM package and a massive data breach at payment processor "GlobalPay" exposing 20 million credit cards.

Filter by Category

New Articles (9)

Critical Confluence Zero-Day (CVE-2026-22515) Actively Exploited to Deploy LockBit Ransomware

CRITICAL

Atlassian Patches Critical RCE Zero-Day CVE-2026-22515 in Confluence Under Active Exploitation

Atlassian has issued an emergency patch for a critical remote code execution (RCE) zero-day, CVE-2026-22515 (CVSS 9.8), affecting Confluence Data Center and Server. The vulnerability is being actively exploited by threat actors, including a group named 'Cerberus', to gain initial access, deploy web shells, and ultimately deliver LockBit 3.0 ransomware. The flaw stems from an authentication bypass in the attachment upload process, allowing unauthenticated attackers to take full control of vulnerable instances.

February 23, 2026
5 min read
Zero-DayRCEConfluenceAtlassianLockBit +2 more
Critical Confluence Zero-Day (CVE-2026-22515) Actively Exploited to Deploy LockBit Ransomware

CISA Warns of North Korean "SandViper" APT Espionage Campaign Targeting US Defense Sector

HIGH

CISA, FBI, and NSA Expose "SandViper" APT Campaign Targeting U.S. Defense Industrial Base with Custom Malware

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI and NSA, has issued a joint advisory detailing a sophisticated cyber-espionage campaign by "SandViper," a North Korean state-sponsored APT group. The campaign targets the U.S. Defense Industrial Base (DIB) to steal military and aerospace secrets. Attackers use spear-phishing and exploit CVE-2025-41890, deploying custom malware like the "DuneDrifter" backdoor and "SandHauler" exfiltration tool.

February 23, 2026
4 min read
APTSandViperCISACyber-espionageDefense Industrial Base +2 more
CISA Warns of North Korean "SandViper" APT Espionage Campaign Targeting US Defense Sector

GlobalPay Supply Chain Attack Exposes 20 Million Credit Cards; ShinyHunters Claims Responsibility

CRITICAL

Payment Processor GlobalPay Discloses Massive Data Breach Affecting 20 Million Customers via Supply Chain Attack

GlobalPay, a major payment processor, has suffered a massive data breach exposing the credit card details and personal information of approximately 20 million individuals. The breach was the result of a supply chain attack, where a compromised third-party software update allowed attackers to access GlobalPay's network. The notorious cybercrime group ShinyHunters has claimed responsibility, demanding a $5 million ransom to prevent the data from being sold.

February 23, 2026
4 min read
Data BreachSupply Chain AttackShinyHuntersGlobalPayCredit Card +1 more
GlobalPay Supply Chain Attack Exposes 20 Million Credit Cards; ShinyHunters Claims Responsibility

New "ChronoLeap" Infostealer Bypasses MFA Using System Time Manipulation

HIGH

"ChronoLeap" Malware Bypasses MFA with Novel Time Desynchronization and Session Cookie Theft Technique

Security researchers at Zscaler have discovered "ChronoLeap," a new information-stealing malware with a novel technique to bypass multi-factor authentication (MFA). The malware uses a Browser-in-the-Browser (BitB) attack to steal credentials, then manipulates the victim's system clock to extend the validity window of the MFA token. Combined with session cookie theft, this allows attackers to gain full access to protected accounts. ChronoLeap is being offered as a Malware-as-a-Service (MaaS), indicating it could see widespread use.

February 23, 2026
5 min read
MalwareInfostealerMFA BypassChronoLeapZscaler +1 more
New "ChronoLeap" Infostealer Bypasses MFA Using System Time Manipulation

Scattered Spider Launches Massive Tax-Season Phishing Campaign Impersonating IRS, HMRC, and CRA

HIGH

Widespread Phishing Campaign by "Scattered Spider" Targets Taxpayers in US, UK, and Canada

A large-scale phishing campaign attributed to the cybercrime group "Scattered Spider" is targeting taxpayers in the United States, United Kingdom, and Canada. The attackers are using convincing emails and SMS messages that impersonate the IRS, HMRC, and CRA, luring victims with fake tax refund notifications. The goal is to steal a wide range of personal and financial information through high-quality, geo-targeted phishing portals.

February 23, 2026
4 min read
PhishingSmishingScattered SpiderIRSHMRC +2 more
Scattered Spider Launches Massive Tax-Season Phishing Campaign Impersonating IRS, HMRC, and CRA

Microsoft Issues Emergency Patch for Critical Exchange Privilege Escalation Flaw (CVE-2026-21445)

CRITICAL

Microsoft Releases Out-of-Band Patch for Critical Exchange Server Vulnerability CVE-2026-21445

Microsoft has released an emergency, out-of-band security update for a critical privilege escalation vulnerability in Microsoft Exchange Server 2016 and 2019. The flaw, tracked as CVE-2026-21445 with a CVSS score of 9.1, could allow an attacker with a standard user's credentials to escalate their privileges to Domain Administrator, effectively compromising the entire Active Directory environment. Microsoft urges immediate patching.

February 23, 2026
3 min read
VulnerabilityMicrosoft ExchangePatch ManagementPrivilege EscalationCVE-2026-21445 +1 more
Microsoft Issues Emergency Patch for Critical Exchange Privilege Escalation Flaw (CVE-2026-21445)

Global Police Operation "Cyber-Surge" Dismantles "LabHost" Phishing-as-a-Service Empire

INFORMATIONAL

International Law Enforcement Takedown "Cyber-Surge" Shuts Down LabHost Phishing Platform

A massive international law enforcement operation, codenamed "Cyber-Surge," has successfully dismantled "LabHost," a notorious Phishing-as-a-Service (PhaaS) platform. Led by Europol and involving 19 countries, the operation resulted in 37 arrests and the seizure of the platform's infrastructure. LabHost provided subscription-based phishing kits to over 2,000 criminals, enabling at least 40,000 successful attacks worldwide by targeting banks, government services, and tech companies.

February 23, 2026
3 min read
PhishingPhaaSLabHostEuropolTakedown +1 more
Global Police Operation "Cyber-Surge" Dismantles "LabHost" Phishing-as-a-Service Empire

US Treasury Sanctions Crypto Mixers VortexCash and Cyclone for Laundering Ransomware Proceeds

INFORMATIONAL

U.S. Treasury Sanctions Cryptocurrency Mixers VortexCash and Cyclone

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has sanctioned two major cryptocurrency mixing services, VortexCash and Cyclone. The action was taken due to their extensive use by threat actors, including the North Korean Lazarus Group and the Conti and Ryuk ransomware gangs, to launder the proceeds of cybercrime. The sanctions make it illegal for U.S. persons to transact with these services, aiming to disrupt the financial infrastructure of ransomware operations.

February 23, 2026
4 min read
SanctionsOFACCryptocurrencyMixerRansomware +3 more
US Treasury Sanctions Crypto Mixers VortexCash and Cyclone for Laundering Ransomware Proceeds

"VoltSchemer" Attack Can Manipulate EV Charging and Destabilize Power Grids

MEDIUM

Researchers Reveal "VoltSchemer" Attack Method Targeting Electric Vehicle Charging Stations

Researchers have demonstrated a new attack method, "VoltSchemer," that exploits vulnerabilities in the Combined Charging System (CCS) standard for electric vehicles (EVs). By injecting malicious signals into the communication line between the vehicle and charger, an attacker can disrupt charging, overcharge batteries, and potentially create instability in local power grids. The attack can be carried out wirelessly from a nearby device.

February 23, 2026
4 min read
ICSIoTElectric VehicleEVVulnerability +2 more
"VoltSchemer" Attack Can Manipulate EV Charging and Destabilize Power Grids

📢 Share This Publication

Help others stay informed about cybersecurity threats

📅 Daily Edition

Curated and deduplicated every day from dozens of trusted sources — giving you one clean, consolidated view of what matters in cybersecurity.

🔢 Deduplication Applied

Related stories are merged into a single evolving article rather than repeated as separate entries — cutting through noise so you only read what's new.

🔗 Full Articles Linked

Every entry links to its full enriched article — complete with MITRE ATT&CK mappings, extracted IOCs, and actionable detection and mitigation guidance.