Major telecom breaches π±, BeyondTrust RCE exploitation π¨, macOS Claude AI malware π, Turla DLL sideloading π―, Critical software vulnerabilities π§
Daily Threat Intel Digest - 2026-02-14
π΄ Critical Threats & Active Exploitation
[NEW] Dutch telecom giant Odido confirms breach affecting 6.2M customers
Unidentified hackers accessed Odido’s customer contact system and exfiltrated personal information from over 6.2 million subscribers, representing one of the largest telecommunications breaches in recent Dutch history. The company acknowledged the incident after covert data downloads were discovered, though specific data types and timeline remain unclear. [DataBreaches.Net]
[NEW] Healthcare sector hit as Guernsey medical practice sanctioned after phishing breach
First Contact Health was sanctioned by Guernsey’s Data Protection Authority after failing to implement adequate security measures, allowing attackers to access confidential patient data through a compromised employee email account. The breach highlights continued healthcare targeting through credential theft and underscores regulatory consequences for insufficient security controls in medical practices. [DataBreaches.Net]
[NEW] South Korean officials blame Coupang data breach on management failures
A massive data breach at e-commerce giant Coupang was attributed to security management failures rather than sophisticated attacks, according to South Korean government investigators. The probe revealed systemic vulnerabilities in Coupang’s security infrastructure, prompting calls for comprehensive remediation. The breach scale and affected user count were not disclosed, but the investigation suggests preventable security gaps rather than advanced intrusion techniques. [DataBreaches.Net]
π― Threat Actor Activity & Campaigns
[UPDATE] BeyondTrust Remote Support actively exploited following CVE-2026-1731 PoC release
Arctic Wolf has detected malicious activity targeting self-hosted BeyondTrust Remote Support and Privileged Remote Access deployments after proof-of-concept code for CVE-2026-1731 became publicly available. The critical vulnerability allows unauthenticated remote code execution, with attackers already leveraging it in the wild. Organizations using affected BeyondTrust products should implement vendor patches immediately if available, or isolate vulnerable systems from network exposure. [Arctic Wolf]
[NEW] Sophisticated macOS campaign hijacks Claude AI artifacts and Google ads
A multi-stage malware distribution campaign is exploiting Claude AI’s public artifact feature and Google sponsored search results to deliver the MacSync information stealer to macOS users. The campaign uses two variants: one via Google ads for “Online dns resolver” queries directing to fake Claude artifacts, and another through fraudulent Medium articles impersonating Apple support. Both variants employ ClickFix social engineering to trick users into executing malicious commands, with over 15,000 users potentially exposed to malicious content. [CyberPress]
[NEW] Kimsuky group impersonates research institute in latest attack
North Korean threat actors Kimsuky are distributing malware through spear-phishing emails impersonating the Unification Research Institute. The attack uses a malicious LNK file (2026_0212_1281232903482939_μ°Έκ³ μλ£.lnk) targeting Korean-speaking users, continuing the group’s focus on think tanks and research organizations for intelligence gathering. The campaign demonstrates Kimsuky’s persistent interest in Korean Peninsula affairs and their evolving social engineering tactics. [wezard4u]
[NEW] Turla’s Kazuar V3 employs novel satellite DLL sideloading technique
Russian state-sponsored actors Turla have enhanced their Kazuar .NET backdoor with sophisticated DLL sideloading targeting Microsoft Foundation Class (MFC) binaries. The technique exploits insecure satellite DLL loading in MFC applications compiled between Visual Studio .NET 2002 and 2010, allowing malicious DLLs with LOC.dll extensions to execute code. The attack chain begins with VBScript droppers creating HP printer driver directories in user-writable paths, then loading legitimate HP binaries that subsequently execute malicious DLLs. [Detect FYI]
β οΈ Vulnerabilities & Patches
[NEW] Critical Chrome security update addresses multiple vulnerabilities
Google released Chrome 145.0.7632.68 (Windows/Mac) and 144.0.7559.67 (Linux) to patch multiple security vulnerabilities, though specific CVE details were not disclosed in the advisory. Users should update immediately as Chrome updates typically include fixes for exploited vulnerabilities. [Canadian Centre for Cyber Security]
[NEW] Tenable fixes vulnerability in Nessus Agent
Tenable addressed a vulnerability (CVE-2026-2026) affecting Nessus Agent versions 11.1.0 to 11.1.1 and 11.0.3 and prior. Users should upgrade to versions 11.1.2 or 11.0.4 respectively to mitigate potential security risks. The advisory did not disclose vulnerability specifics or exploitation potential. [Canadian Centre for Cyber Security]
[NEW] Juniper resolves multiple vulnerabilities in Secure Analytics
Juniper Networks released security updates for Juniper Secure Analytics (JSA) 7.5.0, addressing multiple vulnerabilities in versions prior to 7.5.0 UP14 IF01. The advisory did not specify vulnerability counts or severity ratings, but organizations using affected JSA deployments should apply the update immediately. [Canadian Centre for Cyber Security]
[NEW] HPE addresses multiple firmware vulnerabilities in SimpliVity servers
HPE released security updates for SimpliVity 380 Gen11 and Gen10 Plus servers to address multiple Intel processor vulnerabilities (INTEL-SA-01280, INTEL-SA-01313, INTEL-SA-01312). The vulnerabilities could allow privilege escalation or information disclosure in specific attack scenarios. Organizations should update to the respective 2026_0116 support packs to mitigate risks. [Canadian Centre for Cyber Security]
[NEW] Microsoft patches Windows 11 Notepad RCE vulnerability
Microsoft fixed a remote code execution vulnerability in Windows 11 Notepad that could be triggered through specially crafted Markdown links, potentially allowing attackers to execute code without security warnings. The vulnerability demonstrates continued risks in seemingly benign system utilities. [wezard4u]
π‘οΈ Defense & Detection
[NEW] REMnux v8 released with AI integration and modernized platform
The REMnux malware analysis toolkit version 8 introduces AI agent integration via a new MCP server, updates to Ubuntu 24.04, and over 200 pre-configured tools. Key additions include YARA-X for pattern matching, GoReSym for Go binary analysis, and OpenCode for AI-assisted coding. The release significantly enhances malware analysis capabilities with AI-assisted workflows while maintaining the free, open-source model valued by security researchers. [CyberPress]
[NEW] Italian CERT details adaptive phishing campaign using Telegram for exfiltration
CERT-AGID analyzed an adaptive phishing technique combining domain spoofing with HTML attachments that harvest credentials and send them to attacker-controlled Telegram channels via Bot API. The campaign demonstrates attackers’ use of legitimate messaging platforms for data exfiltration, complicating detection and blocking efforts. [CERT-AGID]
[NEW] Over 300 malicious Chrome extensions discovered stealing user data
Security researchers identified more than 300 malicious Chrome extensions engaging in data theft or leakage, though specific extension names and distribution vectors were not disclosed. The discovery highlights ongoing challenges with browser extension security and the need for careful vetting of third-party extensions. [SecurityWeek]
π Policy & Industry News
[NEW] CISA faces potential furloughs amid DHS shutdown threat
The Cybersecurity and Infrastructure Security Agency warned that a potential DHS shutdown would furlough approximately two-thirds of its workforce, severely limiting cyber response capabilities, vulnerability scanning, and critical infrastructure protection. Only one-third of staff would remain to address imminent threats, potentially hindering the agency’s ability to implement the CIRCIA reporting rule scheduled for May. [Nextgov/FCW]
[NEW] “Kurd Hackers Forum” emerges as new cybercrime marketplace
A new forum called “Kurd Hackers Forum” appeared on the clearnet, focusing on data breaches and leaks targeting Iran, Syria, and Turkey. The domain was registered January 28, 2026, and the platform resembles BreachForums with similar sections and functionality. This emergence indicates continued fragmentation and regionalization of cybercrime marketplaces. [DataBreaches.Net]
[NEW] Education ransomware attacks plateaued in 2025 but data exposure increased
According to Comparitech’s analysis, ransomware attacks against educational institutions held relatively steady in 2025 with 251 claimed attacks globally, but the scale of data exposure rose sharply. This increase was driven by third-party software vulnerabilities and several significant higher education breaches, suggesting attackers are focusing on high-impact targets rather than sheer volume. [DataBreaches.Net]