
Showing 12 / 2363 threat reports
Impact (HIGH)
ClawJacked Vulnerability Exposes Critical Flaw in OpenClaw AI Agents
In February 2026, a critical security vulnerability, dubbed 'ClawJacked,' was discovered in OpenClaw, an open-source AI agent platform. This flaw allowed malicious websites to exploit the WebSocket protocol to hijack locally running OpenClaw agents by brute-forcing the gateway password, leading to unauthorized control over the AI agent. The attack sequence involved a malicious site initiating a WebSocket connection to the local OpenClaw gateway, bypassing security mechanisms due to the gateway's trust in local connections. This vulnerability was promptly addressed in version 2026.2.25, released on February 26, 2026. ([thehackernews.com](https://thehackernews.com/2026/02/clawjacked-flaw-lets-malicious-sites.html?utm_source=openai)) The ClawJacked incident underscores the escalating security challenges associated with AI agent platforms. As these agents gain deeper integration into enterprise environments, they become attractive targets for cyber threats. This event highlights the necessity for robust security measures, including stringent authentication protocols and vigilant monitoring, to safeguard against emerging vulnerabilities in AI systems.

2 minutes ago

Kill Chain at a Glance: IC, PE, LM, C&C, E, I
Impact (HIGH)
Google Cloud API Keys Exposed with Gemini Access - 2026
In February 2026, security researchers discovered that thousands of Google Cloud API keys, previously used as non-sensitive billing identifiers, were publicly exposed and could be exploited to access sensitive Gemini AI endpoints. This exposure occurred when the Gemini API was enabled on existing projects, inadvertently granting these keys authentication capabilities without notifying developers. Attackers could leverage these keys to access private data and incur significant charges on victims' accounts. This incident underscores the evolving risks associated with API key management and the importance of regularly auditing and securing API credentials. Organizations must be vigilant in monitoring their API configurations to prevent unauthorized access and potential financial losses.

2 minutes ago

Impact (MEDIUM)
Kimwolf Botnet's 2026 Rampage: A Wake-Up Call for IoT Security
In late 2025, the Kimwolf botnet emerged as a significant cybersecurity threat, infecting over 2 million Android devices worldwide, primarily targeting off-brand smart TVs and set-top boxes. Exploiting vulnerabilities in residential proxy networks and exposed Android Debug Bridge (ADB) services, Kimwolf transformed these devices into nodes for large-scale distributed denial-of-service (DDoS) attacks. Notably, in November 2025, the botnet launched a record-setting DDoS attack peaking at 31.4 terabits per second, underscoring its unprecedented scale and impact. ([thehackernews.com](https://thehackernews.com/2026/02/aisurukimwolf-botnet-launches-record.html?utm_source=openai)) The rapid proliferation and sophistication of Kimwolf highlight the escalating threat posed by botnets leveraging IoT devices. This incident underscores the urgent need for enhanced security measures in consumer electronics and the importance of proactive defense strategies to mitigate the risks associated with large-scale botnet attacks.

4 hours ago

Impact (CRITICAL)
Cisco Catalyst SD-WAN Authentication Bypass Vulnerability Exploited Since 2023
In February 2026, Cisco disclosed a critical authentication bypass vulnerability (CVE-2026-20127) in its Catalyst SD-WAN Controller and Manager, rated with a CVSS score of 10.0. This flaw allows unauthenticated, remote attackers to gain high-privileged access by exploiting a malfunctioning peering authentication mechanism. The threat actor group UAT-8616 has been actively exploiting this vulnerability since at least 2023, enabling them to manipulate SD-WAN fabric configurations via the NETCONF protocol. The exploitation involves downgrading the SD-WAN system to a vulnerable version, achieving root access, and restoring the original firmware to evade detection. ([cisco.com](https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-sdwan-rpa-EHchtZk.html?utm_source=openai)) The urgency of this issue is underscored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) adding CVE-2026-20127 to its Known Exploited Vulnerabilities catalog, mandating immediate remediation by federal agencies. This incident highlights the persistent threat posed by sophisticated actors targeting critical infrastructure components, emphasizing the need for organizations to promptly apply patches, monitor for unauthorized access, and implement robust network segmentation to mitigate potential impacts. ([cisco.com](https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-sdwan-rpa-EHchtZk.html?utm_source=openai))

6 hours ago

Impact (HIGH)
AI-Powered Fake ID Operation Dismantled: Ukrainian Operator Pleads Guilty
In February 2026, Ukrainian national Yurii Nazarenko pleaded guilty to operating OnlyFake, an AI-driven website that generated and sold over 10,000 counterfeit identification documents globally. The platform allowed users to create realistic digital versions of passports, driver's licenses, and Social Security cards, which were primarily used to bypass Know Your Customer (KYC) verification processes at financial institutions and cryptocurrency exchanges. Nazarenko was extradited from Romania in September 2025, agreed to forfeit $1.2 million, and faces a maximum sentence of 15 years in prison, with sentencing scheduled for June 26, 2026. This case underscores the growing misuse of artificial intelligence in facilitating sophisticated cybercrimes, particularly in identity fraud. The incident highlights the urgent need for enhanced security measures and regulatory frameworks to address AI-powered threats in the digital landscape.

23 hours ago

Impact (CRITICAL)
Understanding the RESURGE Malware: A 2025 Cybersecurity Threat
In early 2025, the Cybersecurity and Infrastructure Security Agency (CISA) identified a sophisticated malware variant named RESURGE, which exploited the critical vulnerability CVE-2025-0282 in Ivanti Connect Secure appliances. This vulnerability allowed unauthenticated remote code execution, enabling attackers to deploy RESURGE to establish persistent access, create web shells, harvest credentials, and escalate privileges. The malware's advanced evasion techniques, including network-level stealth and boot-level persistence, posed significant challenges for detection and remediation. The emergence of RESURGE underscores a growing trend of advanced persistent threats targeting critical infrastructure through zero-day vulnerabilities. Organizations must prioritize timely patching, implement robust monitoring systems, and adopt a zero-trust security model to mitigate such sophisticated attacks.

23 hours ago

Impact (LOW)
Europol's Project Compass Dismantles The Com Cybercriminal Network
In January 2025, Europol initiated 'Project Compass,' a collaborative effort involving law enforcement agencies from 28 countries, including the United States, to dismantle 'The Com,' a decentralized cybercriminal network notorious for targeting minors through cyberattacks, extortion, and exploitation. Over the course of a year, this operation led to the arrest of 30 individuals and the identification of 179 suspects associated with The Com. Authorities also identified 62 victims, directly safeguarding four of them from further harm. The Com's activities encompassed a range of cybercrimes, including ransomware attacks on prominent organizations and the coercion of minors into producing explicit content. ([cyberscoop.com](https://cyberscoop.com/project-compass-the-com-europol/?utm_source=openai)) The significance of this operation lies in its demonstration of the effectiveness of international cooperation in combating complex cybercriminal networks. The Com's exploitation of digital platforms to recruit and victimize young individuals underscores the urgent need for enhanced cybersecurity measures and public awareness to protect vulnerable populations from such threats. ([infosecurity-magazine.com](https://www.infosecurity-magazine.com/news/project-compass-com-arrests/?utm_source=openai))

23 hours ago

Impact (HIGH)
APT37's Ruby Jumper Campaign: A New Threat to Air-Gapped Networks
In December 2025, the North Korean state-sponsored group APT37, also known as ScarCruft, launched the 'Ruby Jumper' campaign targeting air-gapped networks. The attack began with victims opening malicious Windows shortcut (LNK) files, which executed PowerShell scripts to deploy a series of malware tools: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE. These tools facilitated initial infection, established command-and-control via Zoho WorkDrive, and enabled lateral movement through removable media, ultimately compromising isolated systems. The campaign underscores the evolving tactics of APT37 in breaching highly secure environments. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/apt37-hackers-use-new-malware-to-breach-air-gapped-networks/?utm_source=openai)) This incident highlights a significant advancement in cyber-espionage techniques, demonstrating the capability to infiltrate air-gapped systems. Organizations with critical infrastructure should reassess their security protocols to mitigate such sophisticated threats.

23 hours ago

Impact (HIGH)
Malicious Go Module Exploits Open-Source Ecosystem to Steal Credentials and Deploy Backdoor
In February 2026, cybersecurity researchers uncovered a malicious Go module named 'github.com/xinfeisoft/crypto' that impersonated the legitimate 'golang.org/x/crypto' library. This module was designed to harvest passwords entered via terminal prompts and deploy a Linux backdoor known as Rekoobe. Upon execution, the module exfiltrated captured credentials to a remote server and executed a shell script that installed the backdoor, granting attackers persistent access to compromised systems. The campaign exploited GitHub's infrastructure to host and distribute the malicious code, highlighting the risks associated with supply chain attacks in open-source ecosystems. This incident underscores the growing trend of supply chain attacks targeting developers and the open-source community. By leveraging trusted platforms and repositories, attackers can distribute malicious code to a wide audience, emphasizing the need for enhanced vigilance and security measures in software development and distribution processes.

23 hours ago

Impact (MEDIUM)
Trojanized Gaming Tools Deploy Java-Based RAT via Browsers and Chat Platforms
In February 2026, threat actors distributed trojanized gaming utilities via browsers and chat platforms, deploying a Java-based Remote Access Trojan (RAT). The attack utilized a malicious downloader to stage a portable Java runtime and execute a JAR file named jd-gui.jar, employing PowerShell and living-off-the-land binaries like cmstp.exe for stealthy execution. The malware established persistence through scheduled tasks and startup scripts, connecting to an external server for command-and-control communications, enabling data exfiltration and deployment of additional payloads. ([thehackernews.com](https://thehackernews.com/2026/02/trojanized-gaming-tools-spread-java.html?utm_source=openai)) This incident underscores the evolving tactics of cybercriminals, highlighting the increasing use of legitimate tools for malicious purposes and the targeting of gaming communities. Organizations must remain vigilant against such sophisticated attack vectors to protect sensitive data and maintain operational integrity.

23 hours ago

Impact (HIGH)
ScarCruft's 'Ruby Jumper' Campaign: A New Era in Air-Gapped Network Breaches
In December 2025, the North Korean state-sponsored group ScarCruft (APT37) launched the 'Ruby Jumper' campaign, deploying sophisticated malware to infiltrate air-gapped networks. The attack began with malicious LNK files that, when executed, initiated a multi-stage infection chain. This chain utilized Zoho WorkDrive for command-and-control communications and leveraged removable media to bridge air-gapped systems, enabling data exfiltration and command execution. The campaign introduced new malware tools, including RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE, each designed to facilitate various stages of the attack, from initial compromise to surveillance and data theft. ([thehackernews.com](https://thehackernews.com/2026/02/scarcruft-uses-zoho-workdrive-and-usb.html?utm_source=openai)) This incident underscores the evolving tactics of nation-state actors in targeting isolated networks, highlighting the need for enhanced security measures to protect sensitive environments. The use of legitimate cloud services for C2 communications and the exploitation of removable media to breach air-gapped systems represent significant advancements in cyber-espionage techniques, posing increased risks to critical infrastructure and sensitive data repositories. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/apt37-hackers-use-new-malware-to-breach-air-gapped-networks/?utm_source=openai))

23 hours ago

Impact (HIGH)
DoJ Seizes $61 Million in Tether Linked to Pig Butchering Crypto Scams
In February 2026, the U.S. Department of Justice (DoJ) seized over $61 million in Tether (USDT) linked to 'pig butchering' cryptocurrency scams. These schemes involved fraudsters building trust with victims through fake romantic relationships, then persuading them to invest in fraudulent cryptocurrency platforms that displayed fabricated high returns. When victims attempted to withdraw funds, they were met with demands for additional fees, leading to further financial loss. The seized funds were traced to cryptocurrency addresses used to launder proceeds from these scams. ([justice.gov](https://www.justice.gov/usao-ednc/pr/us-attorneys-office-ednc-announces-seizure-61-million-dollars-worth-cryptocurrency?utm_source=openai)) This incident underscores the growing prevalence of sophisticated social engineering tactics in financial fraud, particularly within the cryptocurrency sector. It highlights the need for increased vigilance and regulatory measures to protect individuals from such deceptive practices.

1 day ago
