Critical OpenSSL RCE, Foxit 0-Day Exploits, AI Security Flaws & More: ThreatsDay Bulletin


Cybersecurity Threats Continue to Evolve and Multiply

The ever-changing landscape of cybersecurity threats shows no signs of slowing down. New vulnerabilities, tactics, and techniques are emerging across various platforms, tools, and industries, making it essential for defenders to stay informed and adapt their strategies.

Google Enhances Android Security

Google has released the first beta version of Android 17, which includes two significant security enhancements: the deprecation of the cleartext traffic attribute and the introduction of HPKE (hybrid public key encryption), which combines public-key and symmetric encryption to secure communication. Developers are encouraged to migrate to Network Security Configuration files for more granular control over cleartext traffic.

Ransomware-as-a-Service Expands Reach

A new analysis of LockBit 5.0 ransomware reveals its use of various defense evasion and anti-analysis techniques, including packing, DLL unhooking, and process hollowing. This Windows version also employs nested obfuscation to target Mac users. Additionally, a new variant of the ClickFix social engineering tactic has been detected, using a fake installation flow to trick victims into executing malicious Terminal commands.

Industrial Ransomware Attacks on the Rise

There has been a significant increase in ransomware attacks targeting industrial organizations, with 119 groups tracked in 2025, a 49% rise from the previous year. Dragos warns that cybercriminals are exploiting vulnerabilities in operational technology (OT) and industrial control systems (ICS). The manufacturing sector was the most targeted, followed by transportation.

Microsoft 365 Copilot Bug Exposes Confidential Emails

A bug in Microsoft 365 Copilot has been discovered, allowing the AI-powered tool to summarize confidential emails from Sent Items and Drafts folders without users’ permission. The issue, which has been ongoing since January 21, 2026, bypasses data loss prevention safeguards.

Atlassian Jira Exploited in Spam Campaigns

Threat actors are abusing the trust associated with Atlassian Jira Cloud to run automated spam campaigns and bypass traditional security. The attackers create trial accounts with randomized naming conventions, generating disposable Jira Cloud instances at scale.

Phobos Affiliate Detained in Europe

A 47-year-old man with alleged links to the Phobos ransomware group has been detained in Poland. The suspect faces a potential prison sentence of up to five years. The arrest is part of Europol’s Operation Aether, targeting the 8Base ransomware group, believed to be linked to Phobos.

GitLab SSRF Vulnerability Added to CISA’s KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2021-22175 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch agencies to apply the patch by March 11, 2026.

Telegram Bots Used in Fortune 500 Phishing Campaign

A financially motivated threat actor, dubbed GS7, has been targeting Fortune 500 companies in a phishing campaign that leverages trusted company branding and lookalike websites to harvest credentials via Telegram bots.

Remcos RAT Variant Spotted

A new variant of the Remcos RAT has been discovered, which establishes direct online command-and-control communication, enabling real-time access and control. The malware also leverages the webcam to capture live video streams, allowing attackers to monitor targets remotely.

China-Made Vehicles Restricted on Polish Military Bases

Poland’s Ministry of Defence has banned Chinese cars and other motor vehicles equipped with technology to record position, images, or sound from entering protected military facilities due to national security concerns.

DKIM Replay Attack Abuses Legitimate Invoices

Bad actors are abusing legitimate invoices and dispute notifications from trusted vendors to bypass security controls. The attackers insert scam instructions and a phone number into user-controlled fields, so that the vendor's own legitimately signed notification is delivered to an address they control.
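The bulletin does not describe how receivers can spot a replayed vendor message, so the following is an added example (not code from the original article or from any vendor): a set of defensive heuristics over a raw message. It assumes a constructed sample notification with placeholder signature values, and it flags three things a replay tends to show: a signature whose h= tag does not cover the To header, an envelope recipient that does not appear in To/Cc, and a DKIM signature value that has already been seen. The function and sample names are this example's own.

```python
"""Defensive heuristics for spotting DKIM replay of legitimate vendor mail.

Added example; the message below is constructed and its bh=/b= values are
placeholders, not real hashes or signatures.
"""
import email
from email.utils import getaddresses

# Constructed sample: a vendor dispute notification whose signature covers
# From/Subject/Date/Message-ID but not To.
SAMPLE_RAW = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=vendor.example;
 s=sel2026; h=from:subject:date:message-id; bh=PLACEHOLDER_BODY_HASH=;
 b=PLACEHOLDER_SIGNATURE_VALUE=
From: Billing <billing@vendor.example>
To: accounts@customer.example
Subject: Invoice 4471 dispute notification
Date: Tue, 10 Feb 2026 09:12:00 +0000
Message-ID: <4471.dispute@vendor.example>

Your invoice is on hold. Call +1-555-0100 (constructed sample) to resolve.
"""


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag list).

    Folding whitespace inside values is removed, so a folded header parses the
    same as a single-line one.
    """
    tags = {}
    for item in header_value.split(";"):
        if "=" not in item:
            continue
        name, value = item.split("=", 1)
        tags[name.strip().lower()] = "".join(value.split())
    return tags


def signed_headers(tags: dict) -> set:
    """Header names covered by the signature, taken from the h= tag."""
    return {h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()}


def listed_recipients(msg) -> set:
    """Lower-cased addresses found in the To and Cc headers."""
    values = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def replay_findings(raw_message: str, envelope_rcpt: str, seen_signatures: set) -> list:
    """Return replay indicators for one delivery of a message.

    envelope_rcpt is the SMTP RCPT TO address; seen_signatures is a cache of
    b= values already delivered (updated here when a new one is seen).
    """
    msg = email.message_from_string(raw_message)
    findings = []
    dkim = msg.get("DKIM-Signature")
    if dkim is None:
        return ["no DKIM-Signature header present"]
    tags = parse_dkim_tags(dkim)

    # 1. A signature that does not cover To lets the recipient list change
    #    without invalidating DKIM.
    if "to" not in signed_headers(tags):
        findings.append("To header is not covered by the signature (h=): "
                        "recipients can be changed without breaking DKIM")

    # 2. A delivery to someone the message itself does not address is the
    #    typical shape of a replay to new targets.
    if envelope_rcpt.lower() not in listed_recipients(msg):
        findings.append(f"envelope recipient {envelope_rcpt} is not listed in "
                        "To/Cc: possible replay to a new target")

    # 3. The same signed bytes arriving again is a replay by definition.
    sig = tags.get("b", "")
    if sig and sig in seen_signatures:
        findings.append("DKIM signature value seen before: same signed message "
                        "delivered again")
    elif sig:
        seen_signatures.add(sig)
    return findings


if __name__ == "__main__":
    cache = set()
    print("first delivery:", replay_findings(SAMPLE_RAW, "accounts@customer.example", cache))
    print("replayed copy: ", replay_findings(SAMPLE_RAW, "victim@other.example", cache))
```

In practice the signature cache would be keyed on the b= value (or a hash of it) with a bounded lifetime, and the envelope/header mismatch check should be weighed against legitimate Bcc and mailing-list deliveries before it is used to quarantine anything.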

RMM Abuse Surges 277%

The abuse of Remote Monitoring and Management (RMM) software has surged 277% year-over-year, accounting for 24% of all observed incidents. Threat actors favor these tools due to their ubiquity in enterprise environments and the trusted nature of the RMM software.

Texas Sues TP-Link and Anzu Robotics over China Links

Texas Attorney General Ken Paxton has sued TP-Link and Anzu Robotics for allegedly deceiving consumers about the “origin, data practices, and security risks” of their products.

MetaMask Backdoor Expands DPRK Campaign

A North Korea-linked campaign, known as Contagious Interview, has expanded its data theft capabilities by tampering with the MetaMask wallet extension through a lightweight JavaScript backdoor.

Booking.com Phishing Campaign Targets Hotel and Retail Sector

A phishing campaign has been detected, targeting the hotel and retail sector, with the primary motivation being financial fraud. The threat actor utilizes impersonation of the Booking.com platform to harvest credentials and banking information from victims.

EPMM Flaws Exploited to Drop Reverse Shells and Malware

Security flaws in Ivanti Endpoint Manager Mobile (EPMM) have been exploited by bad actors to establish a reverse shell, deliver JSP web shells, and conduct reconnaissance.

LLM-Generated Passwords Lack True Randomness

Research has found that passwords generated directly by a large language model (LLM) may appear strong but are fundamentally insecure. LLMs are designed to predict tokens, which is incompatible with secure password generation.
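To make the point concrete, here is an added example (not code from the research the bulletin summarises): a password generator that draws from the operating system's CSPRNG via Python's secrets module, an entropy estimate for the result, and, beside it, a deliberately reproducible generator standing in for any source whose output is a function of known state. Both pass a naive symbol-frequency check, which is the sense in which an LLM-produced password can "appear strong"; only the CSPRNG version is actually unpredictable. All function names and the 80-bit target are this example's own choices.

```python
"""CSPRNG password generation versus predictable-but-balanced generation.

Added example. It contrasts secrets (unpredictable) with a seeded PRNG that
stands in for any generator whose output is determined by known state.
"""
import math
import random
import secrets
import string

# 94 printable ASCII symbols: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a string whose symbols are drawn uniformly and independently."""
    return length * math.log2(alphabet_size)


def recommended_length(target_bits: float, alphabet_size: int) -> int:
    """Smallest length that reaches target_bits of entropy over the alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """Draw each symbol from the OS CSPRNG (secrets.choice is os.urandom-backed)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def predictable_password(seed: int, length: int, alphabet: str = ALPHABET) -> str:
    """Looks random and is symbol-balanced, yet is fully determined by the seed.

    This is the failure mode the research describes: anyone who can reproduce
    the generator's state (a PRNG seed here; a model plus prompt for an LLM)
    reproduces the password.
    """
    rng = random.Random(seed)
    return "".join(rng.choice(alphabet) for _ in range(length))


def symbol_balance(text: str, alphabet: str = ALPHABET) -> float:
    """Ratio of most- to least-frequent symbol; near 1.0 'looks random'.

    A frequency check cannot detect predictability, which is why it passes for
    both generators above.
    """
    counts = {c: 0 for c in alphabet}
    for c in text:
        counts[c] += 1
    lowest = min(counts.values())
    if lowest == 0:
        return math.inf
    return max(counts.values()) / lowest


if __name__ == "__main__":
    n = recommended_length(80, len(ALPHABET))
    print(f"{n} symbols from {len(ALPHABET)} give {entropy_bits(n, len(ALPHABET)):.1f} bits")
    print("CSPRNG password:      ", generate_password(n))
    print("seeded password (42): ", predictable_password(42, n))
    print("seeded password (42): ", predictable_password(42, n), "<- identical, reproducible")
    print("balance, CSPRNG:   ", round(symbol_balance(generate_password(50000)), 2))
    print("balance, seeded:   ", round(symbol_balance(predictable_password(42, 50000)), 2))
```

The entropy figure only holds when the symbols really are uniform and independent draws from a secret source; the seeded generator has the same length and the same balance but effectively zero entropy once the seed is known, which is the distinction the research draws.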

PDF Engine Flaws Enable Account Takeover

Vulnerabilities have been discovered in popular PDF platforms from Foxit and Apryse, potentially allowing attackers to

