Showing 12 / 2365 threat reports
Impact (HIGH)
South Korea Tax Agency's Data Exposure Results in $4.8M Crypto Theft
In February 2026, South Korea's National Tax Service (NTS) inadvertently exposed the mnemonic recovery phrase of a seized cryptocurrency wallet in an official press release. This oversight allowed unauthorized individuals to access the wallet and transfer approximately 4 million Pre-Retogeum (PRTG) tokens, valued at $4.8 million, out of it. The incident reveals significant lapses in how a governmental body handled digital assets, and it shows why stringent operational security is needed whenever information about such assets is managed or disclosed: exposing sensitive material such as a wallet recovery phrase can cause substantial financial loss and erode public trust in institutional competence.

9 hours ago

Kill Chain at a Glance: IC · PE · LM · C&C · E · I
Impact (HIGH)
QuickLens Chrome Extension Compromised: A Cautionary Tale for Browser Security
In February 2026, the 'QuickLens - Search Screen with Google Lens' Chrome extension, initially a legitimate tool with approximately 7,000 users, was compromised following a change in ownership. The new version 5.8 introduced malicious scripts that stripped browser security headers and executed arbitrary JavaScript, enabling the theft of cryptocurrency wallets and sensitive user data. This incident underscores the risks associated with browser extensions, particularly those that undergo ownership changes, and highlights the need for vigilant monitoring of software supply chains to prevent similar attacks.

9 hours ago

Impact (HIGH)
ClawJacked Vulnerability Exposes Critical Flaw in OpenClaw AI Agents
In February 2026, a critical security vulnerability, dubbed 'ClawJacked,' was discovered in OpenClaw, an open-source AI agent platform. The flaw let a malicious website hijack a locally running OpenClaw agent over WebSocket by brute-forcing the gateway password, giving the site unauthorized control of the agent. The attack sequence involved the malicious site opening a WebSocket connection to the local OpenClaw gateway and bypassing its security checks because the gateway trusted local connections. The vulnerability was promptly addressed in version 2026.2.25, released on February 26, 2026. ([thehackernews.com](https://thehackernews.com/2026/02/clawjacked-flaw-lets-malicious-sites.html?utm_source=openai)) The ClawJacked incident underscores the escalating security challenges associated with AI agent platforms. As these agents gain deeper integration into enterprise environments, they become attractive targets for cyber threats. This event highlights the necessity for robust security measures, including stringent authentication protocols and vigilant monitoring, to safeguard against emerging vulnerabilities in AI systems.

9 hours ago

Impact (HIGH)
Google Cloud API Keys Exposed with Gemini Access - 2026
In February 2026, security researchers discovered that thousands of Google Cloud API keys, previously used only as non-sensitive billing identifiers, were publicly exposed and could be used to reach sensitive Gemini AI endpoints. The exposure arose when the Gemini API was enabled on existing projects, which silently turned those keys into authentication credentials without notifying developers. Attackers could use such a key to access private data and run up significant charges on the victim's account. This incident underscores the evolving risks of API key management and the importance of regularly auditing and securing API credentials. Organizations must be vigilant in monitoring their API configurations to prevent unauthorized access and potential financial losses.

9 hours ago

Impact (MEDIUM)
Kimwolf Botnet's 2026 Rampage: A Wake-Up Call for IoT Security
In late 2025, the Kimwolf botnet emerged as a significant cybersecurity threat, infecting over 2 million Android devices worldwide, primarily targeting off-brand smart TVs and set-top boxes. Exploiting vulnerabilities in residential proxy networks and exposed Android Debug Bridge (ADB) services, Kimwolf transformed these devices into nodes for large-scale distributed denial-of-service (DDoS) attacks. Notably, in November 2025, the botnet launched a record-setting DDoS attack peaking at 31.4 terabits per second, underscoring its unprecedented scale and impact. ([thehackernews.com](https://thehackernews.com/2026/02/aisurukimwolf-botnet-launches-record.html?utm_source=openai)) The rapid proliferation and sophistication of Kimwolf highlight the escalating threat posed by botnets leveraging IoT devices. This incident underscores the urgent need for enhanced security measures in consumer electronics and the importance of proactive defense strategies to mitigate the risks associated with large-scale botnet attacks.

13 hours ago

Impact (CRITICAL)
Cisco Catalyst SD-WAN Authentication Bypass Vulnerability Exploited Since 2023
In February 2026, Cisco disclosed a critical authentication bypass vulnerability (CVE-2026-20127) in its Catalyst SD-WAN Controller and Manager, rated with a CVSS score of 10.0. This flaw allows unauthenticated, remote attackers to gain high-privileged access by exploiting a malfunctioning peering authentication mechanism. The threat actor group UAT-8616 has been actively exploiting this vulnerability since at least 2023, enabling them to manipulate SD-WAN fabric configurations via the NETCONF protocol. The exploitation involves downgrading the SD-WAN system to a vulnerable version, achieving root access, and restoring the original firmware to evade detection. ([cisco.com](https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-sdwan-rpa-EHchtZk.html?utm_source=openai)) The urgency of this issue is underscored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) adding CVE-2026-20127 to its Known Exploited Vulnerabilities catalog, mandating immediate remediation by federal agencies. This incident highlights the persistent threat posed by sophisticated actors targeting critical infrastructure components, emphasizing the need for organizations to promptly apply patches, monitor for unauthorized access, and implement robust network segmentation to mitigate potential impacts. ([cisco.com](https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-sdwan-rpa-EHchtZk.html?utm_source=openai))

16 hours ago

Impact (HIGH)
AI-Powered Fake ID Operation Dismantled: Ukrainian Operator Pleads Guilty
In February 2026, Ukrainian national Yurii Nazarenko pleaded guilty to operating OnlyFake, an AI-driven website that generated and sold over 10,000 counterfeit identification documents globally. The platform allowed users to create realistic digital versions of passports, driver's licenses, and Social Security cards, which were primarily used to bypass Know Your Customer (KYC) verification processes at financial institutions and cryptocurrency exchanges. Nazarenko was extradited from Romania in September 2025, agreed to forfeit $1.2 million, and faces a maximum sentence of 15 years in prison, with sentencing scheduled for June 26, 2026. This case underscores the growing misuse of artificial intelligence in facilitating sophisticated cybercrimes, particularly in identity fraud. The incident highlights the urgent need for enhanced security measures and regulatory frameworks to address AI-powered threats in the digital landscape.

1 day ago

Impact (CRITICAL)
Understanding the RESURGE Malware: A 2025 Cybersecurity Threat
In early 2025, the Cybersecurity and Infrastructure Security Agency (CISA) identified a sophisticated malware variant named RESURGE, which exploited the critical vulnerability CVE-2025-0282 in Ivanti Connect Secure appliances. This vulnerability allowed unauthenticated remote code execution, enabling attackers to deploy RESURGE to establish persistent access, create web shells, harvest credentials, and escalate privileges. The malware's advanced evasion techniques, including network-level stealth and boot-level persistence, posed significant challenges for detection and remediation. The emergence of RESURGE underscores a growing trend of advanced persistent threats targeting critical infrastructure through zero-day vulnerabilities. Organizations must prioritize timely patching, implement robust monitoring systems, and adopt a zero-trust security model to mitigate such sophisticated attacks.

1 day ago

Impact (LOW)
Europol's Project Compass Dismantles The Com Cybercriminal Network
In January 2025, Europol initiated 'Project Compass,' a collaborative effort involving law enforcement agencies from 28 countries, including the United States, to dismantle 'The Com,' a decentralized cybercriminal network notorious for targeting minors through cyberattacks, extortion, and exploitation. Over the course of a year, this operation led to the arrest of 30 individuals and the identification of 179 suspects associated with The Com. Authorities also identified 62 victims, directly safeguarding four of them from further harm. The Com's activities encompassed a range of cybercrimes, including ransomware attacks on prominent organizations and the coercion of minors into producing explicit content. ([cyberscoop.com](https://cyberscoop.com/project-compass-the-com-europol/?utm_source=openai)) The significance of this operation lies in its demonstration of the effectiveness of international cooperation in combating complex cybercriminal networks. The Com's exploitation of digital platforms to recruit and victimize young individuals underscores the urgent need for enhanced cybersecurity measures and public awareness to protect vulnerable populations from such threats. ([infosecurity-magazine.com](https://www.infosecurity-magazine.com/news/project-compass-com-arrests/?utm_source=openai))

1 day ago

Impact (HIGH)
APT37's Ruby Jumper Campaign: A New Threat to Air-Gapped Networks
In December 2025, the North Korean state-sponsored group APT37, also known as ScarCruft, launched the 'Ruby Jumper' campaign targeting air-gapped networks. The attack began with victims opening malicious Windows shortcut (LNK) files, which executed PowerShell scripts to deploy a series of malware tools: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE. These tools facilitated initial infection, established command-and-control via Zoho WorkDrive, and enabled lateral movement through removable media, ultimately compromising isolated systems. The campaign underscores the evolving tactics of APT37 in breaching highly secure environments. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/apt37-hackers-use-new-malware-to-breach-air-gapped-networks/?utm_source=openai)) This incident highlights a significant advancement in cyber-espionage techniques, demonstrating the capability to infiltrate air-gapped systems. Organizations with critical infrastructure should reassess their security protocols to mitigate such sophisticated threats.

1 day ago

Impact (HIGH)
Malicious Go Module Exploits Open-Source Ecosystem to Steal Credentials and Deploy Backdoor
In February 2026, cybersecurity researchers uncovered a malicious Go module named 'github.com/xinfeisoft/crypto' that impersonated the legitimate 'golang.org/x/crypto' library. The module was designed to harvest passwords entered at terminal prompts and to deploy a Linux backdoor known as Rekoobe. Upon execution, it exfiltrated the captured credentials to a remote server and ran a shell script that installed the backdoor, giving the attackers persistent access to compromised systems. The campaign used GitHub's infrastructure to host and distribute the malicious code, highlighting the supply chain risk in open-source ecosystems. This incident underscores the growing trend of supply chain attacks targeting developers and the open-source community: by abusing trusted platforms and repositories, attackers can distribute malicious code to a wide audience, which is why software development and distribution processes need stronger vigilance and security controls.

1 day ago

Impact (MEDIUM)
Trojanized Gaming Tools Deploy Java-Based RAT via Browsers and Chat Platforms
In February 2026, threat actors distributed trojanized gaming utilities via browsers and chat platforms, deploying a Java-based Remote Access Trojan (RAT). The attack utilized a malicious downloader to stage a portable Java runtime and execute a JAR file named jd-gui.jar, employing PowerShell and living-off-the-land binaries like cmstp.exe for stealthy execution. The malware established persistence through scheduled tasks and startup scripts, connecting to an external server for command-and-control communications, enabling data exfiltration and deployment of additional payloads. ([thehackernews.com](https://thehackernews.com/2026/02/trojanized-gaming-tools-spread-java.html?utm_source=openai)) This incident underscores the evolving tactics of cybercriminals, highlighting the increasing use of legitimate tools for malicious purposes and the targeting of gaming communities. Organizations must remain vigilant against such sophisticated attack vectors to protect sensitive data and maintain operational integrity.

1 day ago
