Google Disrupts Global Chinese Spy Campaign; Lazarus Group Adopts Medusa Ransomware; Massive Data Breaches Rock Corporations

Google and Mandiant Disrupt Long-Running Chinese Espionage Campaign by UNC2814 Leveraging Google Sheets for C2

On February 25, 2026, Google and Mandiant revealed they had disrupted a massive, multi-year cyber espionage campaign attributed to UNC2814, a suspected China-nexus threat actor. The operation compromised at least 53 organizations in 42 countries, primarily in the telecommunications and government sectors. The attackers utilized a novel C-based backdoor named GRIDTIDE, which cleverly abused the legitimate Google Sheets API for command and control, allowing its traffic to blend in with normal cloud activity. The joint disruption effort involved terminating the actor's cloud projects, disabling accounts, and taking down associated infrastructure, marking a significant blow to a prolific and distinct espionage group.

UNC2814GRIDTIDECyber EspionageAPTGoogle Sheets +3 more

Google & Mandiant Dismantle Global Chinese Spy Network Using Novel "GRIDTIDE" Backdoor

North Korea's Lazarus Group Adopts Medusa Ransomware, Targeting Healthcare

Lazarus Group Observed Using Medusa Ransomware-as-a-Service in Attacks on U.S. Healthcare and Middle East

In a notable strategic shift, North Korea's state-sponsored Lazarus Group has been observed deploying Medusa ransomware in its financially motivated campaigns. Security researchers reported on February 24, 2026, that the prolific APT group used the ransomware-as-a-service (RaaS) offering in a successful attack in the Middle East and a failed attempt against a U.S. healthcare organization. This adoption of an off-the-shelf ransomware platform, rather than their custom tools, suggests Lazarus is industrializing its cybercrime efforts. The attacks leveraged a familiar toolkit, including the Comebacker backdoor and BLINDINGCAN RAT, indicating a blend of sophisticated espionage tradecraft with mainstream criminal tactics.

Lazarus GroupMedusaRansomwareRaaSHealthcare +3 more

North Korea's Lazarus Group Adopts Medusa Ransomware, Targeting Healthcare

ShinyHunters Leaks 12.4 Million CarGurus Records After Failed Extortion

ShinyHunters Leaks 12.4 Million User Records from CarGurus, Including Finance Application Data

The extortion group ShinyHunters has leaked a massive 6.1GB database containing 12.4 million user records allegedly stolen from the automotive marketplace CarGurus. The data, which includes full names, emails, phone numbers, and highly sensitive auto finance pre-qualification details, was published on February 21, 2026, after an extortion attempt failed. The breach tracking service 'Have I Been Pwned' has integrated the data, noting that it introduced 3.7 million new email addresses to its database. The incident places millions of users at significant risk of targeted phishing, identity theft, and financial fraud.

ShinyHuntersCarGurusData BreachData LeakExtortion +2 more

ShinyHunters Leaks 12.4 Million CarGurus Records After Failed Extortion

Wynn Resorts Confirms ShinyHunters Stole Data of 800,000 Employees, May Have Paid Ransom

Wynn Resorts Confirms Employee Data Breach by ShinyHunters After $1.5M Ransom Demand

Wynn Resorts confirmed on February 24, 2026, that it was the victim of a data breach by the ShinyHunters extortion group, resulting in the theft of sensitive data for approximately 800,000 employees. The stolen information includes Social Security numbers, names, and contact details. The initial intrusion reportedly occurred in September 2025 via a vulnerability in the company's Oracle PeopleSoft platform. ShinyHunters demanded a $1.5 million ransom and later removed Wynn from its leak site, strongly suggesting a payment was made. Wynn is now facing a class-action lawsuit and is offering identity protection services to affected employees.

ShinyHuntersWynn ResortsData BreachExtortionOracle PeopleSoft +3 more

Wynn Resorts Confirms ShinyHunters Stole Data of 800,000 Employees, May Have Paid Ransom

Medical Device Maker UFP Technologies Hit by Ransomware, Data Stolen and Destroyed

UFP Technologies Discloses Ransomware Attack Resulting in Data Theft and Operational Disruption

UFP Technologies, a U.S.-based manufacturer of medical devices, disclosed in a February 24 SEC filing that it suffered a ransomware attack on February 14, 2026. The company's CFO described it as a 'classic ransomware attack' where data was both stolen and destroyed. The incident caused significant disruption to IT systems, impacting billing, shipping, and other functions, leading to short-term shipment delays. While the company believes the threat actor has been removed and systems will be restored, an investigation is ongoing to determine the scope of the compromised data. No specific ransomware group has claimed responsibility.

RansomwareUFP TechnologiesMedical DeviceManufacturingData Breach +1 more

Medical Device Maker UFP Technologies Hit by Ransomware, Data Stolen and Destroyed

CISA Orders Patching for Two Actively Exploited Cisco SD-WAN Flaws

CRITICAL

CISA Adds Two Actively Exploited Cisco SD-WAN Vulnerabilities to KEV Catalog

On February 25, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities affecting Cisco Catalyst SD-WAN products to its Known Exploited Vulnerabilities (KEV) catalog, signaling they are under active attack. The flaws are CVE-2026-20127, a critical authentication bypass, and CVE-2022-20775, a path traversal vulnerability. Under Binding Operational Directive (BOD) 22-01, federal agencies are now mandated to apply the necessary patches by a specified deadline to protect their networks from these significant risks.

CISAKEVCiscoSD-WANVulnerability +3 more

4 min read

CISA Orders Patching for Two Actively Exploited Cisco SD-WAN Flaws

CISA Warns of Actively Exploited RCE Flaw in Soliton FileZen Appliance

CRITICAL

CISA Adds Actively Exploited Soliton FileZen RCE Vulnerability to KEV Catalog

On February 24, 2026, CISA added a critical OS command injection vulnerability in the FileZen file transfer appliance to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, CVE-2026-25108, affects products from the Japanese firm Soliton Systems K.K. and is confirmed to be under active exploitation. Command injection flaws can allow for remote code execution, leading to full system compromise. CISA has mandated that federal agencies patch the vulnerability by the specified deadline and strongly urges all organizations using FileZen to do the same.

CISAKEVSolitonFileZenVulnerability +3 more

4 min read

CISA Warns of Actively Exploited RCE Flaw in Soliton FileZen Appliance

Predator Spyware Defeats iPhone Privacy Indicators for Covert Recording

CRITICAL

Intellexa's Predator Spyware Can Secretly Record iPhone Users by Disabling Camera and Mic Indicators

Research published on February 24, 2026, has revealed a sophisticated and stealthy capability of the Predator spyware, sold by commercial surveillance vendor Intellexa. The spyware can secretly record audio and video on a compromised iPhone by programmatically disabling the green and orange dot indicators in the iOS status bar. This is achieved by hooking into a core system process called SpringBoard. By defeating this key, user-facing privacy feature, Predator can conduct surveillance that is completely invisible to the victim, undermining the security assurances provided by the operating system.

PredatorIntellexaSpywareiOSiPhone +3 more

Predator Spyware Defeats iPhone Privacy Indicators for Covert Recording

LockBit Attackers Exploit Apache ActiveMQ Flaw, Return After Eviction

LockBit Ransomware Deployed via Apache ActiveMQ Flaw (CVE-2023-46604) in Persistent Attack

A threat intelligence report from February 25, 2026, details a persistent LockBit ransomware attack where threat actors demonstrated significant determination. The attackers initially gained access by exploiting CVE-2023-46604, a known RCE vulnerability in Apache ActiveMQ. Although the victim organization detected and evicted the intruders, the attackers returned 18 days later, this time using credentials stolen during the initial breach to regain access via RDP. They then used tools like Metasploit and AnyDesk to move laterally and successfully deploy the LockBit ransomware, highlighting the critical need for comprehensive remediation, including credential resets, after a security incident.

LockBitRansomwareApache ActiveMQCVE-2023-46604Persistence +2 more

LockBit Attackers Exploit Apache ActiveMQ Flaw, Return After Eviction

SOCs Pivot to Autonomous Defense to Counter Machine-Speed AI Attacks

INFORMATIONAL

Analysis: Security Operations Centers Must Adopt Autonomous Strategies to Counter AI-Driven Threats

A February 24, 2026 analysis argues that the modern Security Operations Center (SOC) is at a tipping point, forced to pivot towards autonomous, AI-driven defense strategies. This shift is a direct response to the crisis of scale created by adversaries who are already using AI and automation to launch attacks at machine speed. With threat actors leveraging LLMs for flawless phishing and scripts to scan thousands of targets, manual human-led defense is no longer viable. The report frames autonomous security not as a replacement for human analysts, but as a necessary augmentation to handle high-volume tasks, reduce burnout, and free up experts for strategic threat hunting and response.

SOCAutonomous SecurityAIMachine LearningSOAR +2 more

SOCs Pivot to Autonomous Defense to Counter Machine-Speed AI Attacks

Updated Articles (1)

Conduent Data Breach Victim Count Skyrockets to 25 Million, Triggering Texas AG Investigation

Updated: February 25, 2026

Massive Conduent Breach Now Affects 25 Million Americans, Potentially Largest U.S. Healthcare Breach

Update:

The Safepay ransomware group has claimed responsibility for the Conduent data breach, confirming a double-extortion model. In addition to names, SSNs, and medical information, physical addresses were also explicitly stolen. The new report provides a deeper technical analysis, detailing potential initial access vectors (e.g., T1190, T1566) and exfiltration methods (T1537), framing the incident as a significant supply chain attack. Mitigation strategies now include D3FEND techniques like User Data Transfer Analysis (D3-UDTA) and Network Isolation (D3-NI).

February 14, 2026