NCSA Webboard

    Cyber Threat Intelligence 24 February 2026

    Cyber Security News
    • NCSA_THAICERT

      New Tooling

      • Coroot: Open-Source Observability And APM Tool
        "Coroot is an open-source observability and application performance monitoring tool. The core software, published in Go and accompanied by companion repositories such as coroot-node-agent, focuses on collecting telemetry data across systems. It uses extended Berkeley Packet Filter (eBPF) technology to gather metrics and trace inter-service communications without manual instrumentation of application code. Coroot collects standard observability signals that engineering teams rely on. The software aggregates metrics, logs, traces, and continuous profiling data and makes them available in dashboards and structured views. Users can track service health, follow request paths through service maps, and examine performance profiles down to CPU and memory behavior over time."
        https://www.helpnetsecurity.com/2026/02/23/coroot-open-source-observability-apm-tool/
        https://github.com/coroot/coroot

      Vulnerabilities

      • Android Mental Health Apps With 14.7M Installs Filled With Security Flaws
        "Several mental health mobile apps with millions of downloads on Google Play contain security vulnerabilities that could expose users’ sensitive medical information. In one of the apps, security researchers discovered more than 85 medium- and high-severity vulnerabilities that could be exploited to compromise users’ therapy data and privacy. Some of the products are AI companions designed to help people suffering from clinical depression, multiple forms of anxiety, panic attacks, stress, and bipolar disorder."
        https://www.bleepingcomputer.com/news/security/android-mental-health-apps-with-147m-installs-filled-with-security-flaws/

      Malware

      • PII Pillage: How Attackers Use BitPanda To Plunder Credentials
        "Given cryptocurrency’s rise in popularity, it has slowly worked its way into the mainstream economy. Coins such as Bitcoin, Ethereum, Sol, and other digital currencies are commonly used in place of traditional currencies to complete transactions. To help manage transactions, an individual will need brokerage apps and services to ensure a safe, smooth, and secure money flow. But what happens when a new method of payment becomes mainstream? Attackers will try to find a way to exploit these systems and take advantage of individuals."
        https://cofense.com/blog/pii-pillage-how-attackers-use-bitpanda-to-plunder-credentials
      • New Large-Scale OpenClaw Malware Campaign Spreading On ClawHub
        "OpenGuardrails has identified a new, rapidly spreading malware campaign targeting the OpenClaw ecosystem through the ClawHub skill community."
        https://openguardrails.com/blog/clawhub-trojan-liucomment-malware-campaign
        https://www.helpnetsecurity.com/2026/02/23/clawhub-malicious-comment-infostealer/
      • From ‘svchoss’ To P(a)yday
        "Alertness and vigilance are crucial in cybersecurity. When repeating this truism, most of us think about social engineering attacks and educating the user how to recognize a phishing mail or a scam call. However, an attentive user can also provide valuable insights on a more technical aspect. A recent incident response case was started when the user noticed "strange black windows" on the desktop and took screenshots of them. This was accompanied by PayPal transfers from the user’s account, not authorized by the user."
        https://www.secuinfra.com/en/techtalk/from-svchoss-to-payday/
        https://www.infosecurity-magazine.com/news/fraud-investigation-python-malware/
      • Fake Huorong Security Site Infects Users With ValleyRAT
        "A convincing lookalike of the popular Huorong Security antivirus has been used to deliver ValleyRAT, a sophisticated Remote Access Trojan (RAT) built on the Winos4.0 framework, to users who believed they were improving their security. The campaign, attributed to the Silver Fox APT group—a Chinese-speaking threat group known for distributing trojanized versions of popular Chinese software—uses a typosquatted domain to serve a trojanized NSIS installer that deploys a full-featured backdoor with advanced user-mode stealth and injection capabilities."
        https://www.malwarebytes.com/blog/scams/2026/02/huorong
      • Built On ClawHub, Spread On Moltbook: The New Agent-To-Agent Attack Chain
        "Claude Skills have rapidly emerged as one of the most powerful ways to extend Claude's capabilities, enabling users to automate workflows, interact with external services, and build custom tooling directly within the Claude ecosystem. Platforms like clawhub.ai have accelerated this adoption by providing a centralized marketplace for discovering, sharing, and deploying community-built skills. However, our research at Straiker reveals a darker reality lurking beneath the surface. Through systematic analysis of publicly available skills on clawhub.ai, we uncovered a significant number of malicious, deceptive, and high-risk skills actively being distributed to unsuspecting users."
        https://www.straiker.ai/blog/built-on-clawhub-spread-on-moltbook-the-new-agent-to-agent-attack-chain
        https://www.securityweek.com/autonomous-ai-agents-provide-new-class-of-supply-chain-attack/
      • APT28 Targeted European Entities Using Webhook-Based Macro Malware
        "The Russia-linked state-sponsored threat actor tracked as APT28 has been attributed to a new campaign targeting specific entities in Western and Central Europe. The activity, per S2 Grupo's LAB52 threat intelligence team, was active between September 2025 and January 2026. It has been codenamed Operation MacroMaze. "The campaign relies on basic tooling and the exploitation of legitimate services for infrastructure and data exfiltration," the cybersecurity company said."
        https://thehackernews.com/2026/02/apt28-targeted-european-entities-using.html
      • SANDWORM_MODE: Shai-Hulud-Style Npm Worm Hijacks CI Workflows And Poisons AI Toolchains
        "An active Shai-Hulud-like supply chain worm campaign spreads via typosquatting and AI toolchain poisoning, across at least 19 malicious npm packages and linked to two npm aliases. The sample retains Shai-Hulud hallmarks and adds GitHub API exfiltration with DNS fallback, hook-based persistence, SSH propagation fallback, MCP server injection with embedded prompt injection targeting AI coding assistants, and LLM API Key harvesting."
        https://socket.dev/blog/sandworm-mode-npm-worm-ai-toolchain-poisoning
        https://thehackernews.com/2026/02/malicious-npm-packages-harvest-crypto.html
        https://www.infosecurity-magazine.com/news/shai-hulud-like-worm-devs-npm-ai/
      • Would You Click ‘Accept’? Automatically Detecting Malicious Azure OAuth Applications Using LLMs
        "OAuth applications in Microsoft Entra ID are a common persistence and privilege escalation mechanism used by attackers. Because OAuth apps are frequently created, modified, and forgotten, malicious applications often blend in with legitimate business integrations. By analyzing known OAuth attack campaigns across multiple environments, we developed OAuth Apps Scout - a proactive detection pipeline that automatically surfaces emerging malicious OAuth applications, and has so far helped us identify many malicious apps across dozens of affected organizations."
        https://www.wiz.io/blog/detecting-malicious-oauth-applications
      • Malicious OpenClaw Skills Used To Distribute Atomic MacOS Stealer
        "TrendAI™ Research observed an evolution in how Atomic Stealer (AMOS) is being distributed. Historically spread via “cracked” macOS software, a trend we documented in September 2025, we found the malware being delivered under the guise of OpenClaw skills. This campaign represents a critical evolution in supply chain attacks: the attacker has shifted from deceiving humans into manipulating AI agentic workflows into installing the first stage of the malware. This is an old malware trying to use “social engineering” on AI agents, marking a shift from prompt injection to using the AI itself as a trusted intermediary to trick humans."
        https://www.trendmicro.com/en_us/research/26/b/openclaw-skills-used-to-distribute-atomic-macos-stealer.html

      Breaches/Hacks/Leaks

      • Ad Tech Firm Optimizely Confirms Data Breach After Vishing Attack
        "New York-based ad tech company Optimizely has notified an undisclosed number of customers of a data breach after threat actors compromised some of its systems in a voice phishing attack. Optimizely has nearly 1,500 employees across 21 global offices, and its customer list includes over 10,000 businesses, including high-profile brands like H&M, PayPal, Zoom, Toyota, Vodafone, Shell, Salesforce, and Nike. In breach notification letters sent to affected customers, the company said the threat actors reached out on February 11, claiming they had access to its systems."
        https://www.bleepingcomputer.com/news/security/ad-tech-firm-optimizely-confirms-data-breach-after-vishing-attack/
      • US Healthcare Diagnostic Firm Says 140,000 Affected By Data Breach
        "Nearly 140,000 people are affected by a data breach disclosed by healthcare diagnostic company Vikor Scientific. The number of affected individuals came to light in recent days on the healthcare data breach tracker maintained by the US Department of Health and Human Services (HHS). However, the narrative is not straightforward."
        https://www.securityweek.com/us-healthcare-diagnostic-firm-says-140000-affected-by-data-breach/
      • Air Côte d'Ivoire Confirms Cyberattack Following Ransomware Claims
        "The main airline serving the West African nation of Côte d'Ivoire was hit with a cyberattack earlier this month that forced it to institute business continuity plans. Air Côte d'Ivoire did not respond to requests for comment but released a statement on Friday confirming reports that hackers had breached its systems on February 8. Last week, the INC ransomware gang claimed it stole 208 GB of data from the airline. In its statement, the airline said the cyberattack “affected parts of its information system” and it had to call in technical teams to assist with flights and other operations."
        https://therecord.media/air-cote-divoire-confirms-cyberattack

      General News

      • The Hidden Security Cost Of Treating Labs Like Data Centers
        "In this Help Net Security interview, Rich Kellen, VP, CISO at IFF, explains why security teams should not treat OT labs like IT environments. He discusses how compromise can damage scientific integrity and create safety risks that backups cannot fix. Kellen also outlines what “good enough” OT visibility looks like, why compensating controls can backfire, and how partnering with scientists improves security outcomes."
        https://www.helpnetsecurity.com/2026/02/23/rich-kellen-iff-ot-lab-cybersecurity/
      • Enterprises Are Racing To Secure Agentic AI Deployments
        "AI assistants are tied into ticketing systems, source code repositories, chat platforms, and cloud dashboards across many enterprises. In some environments, these systems can open pull requests, query internal databases, book services, and trigger automated workflows with limited human involvement. The State of AI Security 2026 from Cisco places this level of access inside a growing pattern of AI-driven operations that connect directly to core business systems."
        https://www.helpnetsecurity.com/2026/02/23/ai-agent-security-risks-enterprise/
      • Identity Verification Systems Are Struggling With Synthetic Fraud
        "Fake and expired IDs keep showing up in routine customer transactions, from alcohol purchases to credit card applications. The problem shows up most often in industries that depend on fast onboarding and remote transactions, where identity checks rely heavily on scanned documents and automated workflows. Intellicheck analyzed nearly 100 million identity verification transactions collected through its cloud-based verification service during 2025. The company said the dataset covers about half of the adult population in the U.S. and Canada."
        https://www.helpnetsecurity.com/2026/02/23/analysis-identity-verification-fraud-report/
      • Spain Arrests Suspected Hacktivists For DDoSing Govt Sites
        "Spanish authorities have arrested four alleged members of a hacktivist group believed to have carried out cyberattacks targeting government ministries, political parties, and various public institutions. The group, which called itself "Anonymous Fénix" and claimed they were affiliated with the Anonymous hacker collective, conducted distributed denial-of-service (DDoS) attacks against targets in Spain and several South American countries, according to the Spanish Civil Guard."
        https://www.bleepingcomputer.com/news/security/spain-arrests-suspected-anonymous-fenix-hacktivists-for-ddosing-govt-sites/
        https://www.theregister.com/2026/02/23/anonymous_arrests_spain/
        https://www.helpnetsecurity.com/2026/02/23/spain-guardia-civil-arrests-anonymous-fenix-ddos-attacks/
      • Enigma Cipher Device Still Holds Secrets For Cyber Pros
        "Enigma cipher machines have endured in the minds of history buffs and cryptography hobbyists for more than a century, still discovered at dusty French flea markets and dredged up from under beach sludge by treasure hunters. And a dive at this year's upcoming RSAC Conference into lessons the Enigma can teach today's defenders suggests cybersecurity professionals should keep the history of the Nazis' hubris and failure of imagination in mind."
        https://www.darkreading.com/threat-intelligence/enigma-cipher-device-secrets-cyber-pros

      References
      Electronic Transactions Development Agency (ETDA)
