NCSA Webboard
    Cyber Threat Intelligence 27 February 2026

    Cyber Security News
    Posted by NCSA_THAICERT

      Vulnerabilities

      • Trend Micro Patches Critical Apex One Vulnerabilities
        "TrendAI, the new name of Trend Micro’s enterprise business, on Wednesday announced patches for several critical and high-severity vulnerabilities found in the Windows and macOS versions of the Apex One endpoint security solution. A total of eight vulnerabilities have been addressed, including two with a critical severity rating based on their CVSS scores. The critical flaws both impact the Trend Micro Apex One management console and “could allow a remote attacker to upload malicious code and execute commands on affected installations”"
        https://www.securityweek.com/trend-micro-patches-critical-apex-one-vulnerabilities/
        https://success.trendmicro.com/en-US/solution/KA-0022458
        https://www.bleepingcomputer.com/news/security/trend-micro-warns-of-critical-apex-one-rce-vulnerabilities/
        https://securityaffairs.com/188572/security/trend-micro-fixes-two-critical-flaws-in-apex-one.html
      • Critical Juniper Networks PTX Flaw Allows Full Router Takeover
        "A critical vulnerability in the Junos OS Evolved network operating system running on PTX Series routers from Juniper Networks could allow an unauthenticated attacker to execute code remotely with root privileges. PTX Series routers are high-performance core and peering routers built for high throughput, low latency, and scale. They are commonly used by internet service providers, telecommunication services, and cloud network applications. The security issue is identified as CVE-2026-21902 and is caused by incorrect permission assignment in the ‘On-Box Anomaly Detection’ framework, which should be exposed to internal processes only over the internal routing interface."
        https://www.bleepingcomputer.com/news/security/critical-juniper-networks-ptx-flaw-allows-full-router-takeover/
        https://supportportal.juniper.net/s/article/2026-02-Out-of-Cycle-Security-Bulletin-Junos-OS-Evolved-PTX-Series-A-vulnerability-allows-a-unauthenticated-network-based-attacker-to-execute-code-as-root-CVE-2026-21902
      • Google API Keys Weren't Secrets. But Then Gemini Changed The Rules.
        "Google spent over a decade telling developers that Google API keys (like those used in Maps, Firebase, etc.) are not secrets. But that's no longer true: Gemini accepts the same keys to access your private data. We scanned millions of websites and found nearly 3,000 Google API keys, originally deployed for public services like Google Maps, that now also authenticate to Gemini even though they were never intended for it. With a valid key, an attacker can access uploaded files, cached data, and charge LLM-usage to your account. Even Google themselves had old public API keys, which they thought were non-sensitive, that we could use to access Google’s internal Gemini."
        https://trufflesecurity.com/blog/google-api-keys-werent-secrets-but-then-gemini-changed-the-rules
        https://www.bleepingcomputer.com/news/security/previously-harmless-google-api-keys-now-expose-gemini-ai-data/
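      The practical question behind the Truffle Security item is whether a key you deployed for Maps or Firebase years ago now also authenticates to Gemini. The following is an added example, not code from Truffle Security or Google: it pulls Google API keys out of page content using Google's documented "AIza" plus 35-character format, builds (but does not send) the read-only Gemini request a tester would use on keys they own, and maps the response to a triage verdict. The sample page, the key values, and the error-reason strings in classify() are constructed for the demo; the reason strings are what restricted keys have returned in my own testing and should be confirmed against your keys.

```python
"""Find Google API keys in page content and decide whether each one can reach Gemini.

Added example; not code from the Truffle Security post. The "AIza" + 35-character
key format is Google's documented public key shape. The sample page, key values
and the error-reason strings in classify() are constructed for the demo (the
reasons are what a key restricted to other services has returned in my testing;
confirm against your own keys).
"""
import re

# A Google API key is 39 characters: the literal "AIza" plus 35 of [0-9A-Za-z_-].
# The look-around keeps longer or shorter look-alike strings from matching.
GOOGLE_KEY_RE = re.compile(r"(?<![0-9A-Za-z_\-])AIza[0-9A-Za-z_\-]{35}(?![0-9A-Za-z_\-])")

# Constructed sample: a Maps key in a <script src>, a Firebase config blob, and a
# decoy that is too short to be a key.
SAMPLE_PAGE = """
<script src="https://maps.googleapis.com/maps/api/js?key=AIzaSyABCDEFGHIJKLMNOPQRSTUVWXYZ0123456&callback=initMap"></script>
<script>
  const firebaseConfig = { apiKey: "AIzaSyabcdefghijklmnopqrstuvwxyz-_01234", projectId: "demo" };
  const notAKey = "AIzaTooShort";
</script>
"""

GEMINI_MODELS_URL = "https://generativelanguage.googleapis.com/v1beta/models"


def find_keys(text: str) -> list[str]:
    """Return the unique keys in first-seen order."""
    keys: list[str] = []
    for m in GOOGLE_KEY_RE.finditer(text):
        if m.group(0) not in keys:
            keys.append(m.group(0))
    return keys


def probe_request(key: str) -> dict:
    """Build, without sending, the read-only request that shows whether Gemini honours a key.

    Listing models succeeds only if the key's API restrictions (or lack of them)
    admit the Generative Language API. Send this only for keys you own; probing
    someone else's key is unauthorised access.
    """
    return {
        "method": "GET",
        "url": GEMINI_MODELS_URL,
        # Header form keeps the key out of proxy and server URL logs.
        "headers": {"x-goog-api-key": key},
    }


def classify(status: int, body: dict) -> str:
    """Turn a probe response into a triage verdict."""
    if status == 200:
        return "EXPOSED: Gemini accepts this key; rotate it and add an API restriction"
    reason = ""
    for detail in body.get("error", {}).get("details", []):
        reason = detail.get("reason", reason)
    if status == 403 and reason == "API_KEY_SERVICE_BLOCKED":
        return "RESTRICTED: the key's API restriction excludes Gemini"
    if status == 403 and reason == "SERVICE_DISABLED":
        return "NOT_ENABLED: Gemini is off in this project; still restrict the key"
    if status in (400, 403):
        return "REJECTED: invalid key or other block"
    return f"UNKNOWN: HTTP {status}"


if __name__ == "__main__":
    for key in find_keys(SAMPLE_PAGE):
        req = probe_request(key)
        print(f"{key[:10]}... -> {req['method']} {req['url']}")
    # A 200 from the same request against /v1beta/files would list uploaded
    # content, which is the data exposure the post describes.
```

      The durable fix is not secrecy (a Maps key must ship to the browser) but an API restriction on each key limiting it to the services it was issued for, plus HTTP-referrer or app restrictions; a key that classify() reports as EXPOSED should be rotated and restricted rather than merely hidden.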

      Malware

      • GTFire Phishing Scheme: Avoiding Detection Using Google Services
        "Over the past several years, phishing campaigns have evolved beyond simple spoofed emails and low-effort fake login pages. Modern threat actors increasingly rely on legitimate cloud services, trusted domains, and well-known technology platforms to blend malicious activity into normal internet traffic. One such campaign, tracked as GTFire, demonstrates how attackers can systematically abuse Google-owned infrastructure to distribute phishing pages, evade security controls, and harvest credentials from thousands of victims worldwide."
        https://www.group-ib.com/blog/gtfire-phishing-scheme/
      • New Dohdoor Malware Campaign Targets Education And Health Care
        "Talos discovered a multi-stage attack campaign targeting victims in the education and health care sectors, predominantly in the United States. The campaign involves a multi-stage attack chain, where initial access is likely achieved through social engineering phishing techniques. The infection chain executes a PowerShell script that downloads and runs a Windows batch script from a remote staging server through a URL. Subsequently, the batch script facilitates the download of a malicious Windows dynamic-link library (DLL), which is disguised as a legitimate Windows DLL file. The batch script then executes the malicious DLL, dubbed Dohdoor, by sideloading it into a legitimate Windows executable."
        https://blog.talosintelligence.com/new-dohdoor-malware-campaign/
        https://thehackernews.com/2026/02/uat-10027-targets-us-education-and.html
        https://securityaffairs.com/188558/apt/uat-10027-campaign-hits-u-s-education-and-healthcare-with-stealthy-dohdoor-backdoor.html
      • Exploring Aeternum C2: a New Botnet That Lives On The Blockchain
        "Botnets have always had an Achilles’ heel. Find the command-and-control server, seize the domain, or sinkhole the traffic, and the entire network goes dark. Law enforcement agencies and security vendors have relied on this weakness for years, dismantling operations like Emotet, TrickBot, and QakBot by targeting their centralized infrastructure. While monitoring cybercrime networks, Qrator Research Lab identified a new botnet loader called Aeternum C2 that appears to remove that weakness entirely."
        https://qrator.net/blog/details/Exploring-Aeternum-C2/
        https://thehackernews.com/2026/02/aeternum-c2-botnet-stores-encrypted.html
        https://hackread.com/aeternum-c2-botnet-polygon-blockchain/
        https://www.infosecurity-magazine.com/news/aeternum-botnet-c2-polygon/
      • ChatGPT In Your Inbox? Investigating Entra Apps That Request Unexpected Permissions
        "As Red Canary continues to observe OAuth application attacks in the wild, our Threat Research team is pivoting off real-world tradecraft to anticipate new innovations in attack techniques. The following research breaks down a hypothetical OAuth attack in Entra ID that leverages ChatGPT to ultimately gain access to a user’s email account. Using the framework we apply when analyzing data sources for detection, we’ll investigate detection and remediation strategies that can be applied more generally to OAuth consent attacks."
        https://redcanary.com/blog/threat-detection/entra-id-oauth-attacks/
        https://hackread.com/entra-id-oauth-consent-chatgpt-emails-access/
      • Fake Zoom And Google Meet Scams Install Teramind: A Technical Deep Dive
        "On February 24, 2026, we published an article about how a fake Zoom meeting “update” silently installs monitoring software, documenting a campaign that used a convincing fake Zoom waiting room to push a legitimate Teramind installer abused for unauthorized surveillance onto Windows machines. Teramind has stated they are not affiliated with the threat actors described, did not deploy the software referenced, and condemn any unauthorized misuse of commercial monitoring technologies."
        https://www.malwarebytes.com/blog/threat-intel/2026/02/fake-zoom-and-google-meet-scams-install-teramind-a-technical-deep-dive
      • APT37 Adds New Capabilities For Air-Gapped Networks
        "In December 2025, Zscaler ThreatLabz discovered a campaign linked to APT37 (also known as ScarCruft, Ruby Sleet, and Velvet Chollima), which is a DPRK-backed threat group. In this campaign, tracked as Ruby Jumper by ThreatLabz, APT37 uses Windows shortcut (LNK) files to initiate an attack that utilizes a set of newly discovered tools. These tools, RESTLEAF, SNAKEDROPPER, THUMBSBD, and VIRUSTASK, download a payload that delivers FOOTWINE and BLUELIGHT, which enable surveillance on a victim’s system."
        https://www.zscaler.com/blogs/security-research/apt37-adds-new-capabilities-air-gapped-networks
      • Variations Of The ClickFix
        "About a year ago, we published a post about the ClickFix technique, which was gaining popularity among attackers. The essence of attacks using ClickFix boils down to convincing the victim, under various pretexts, to run a malicious command on their computer. That is, from the cybersecurity solutions point of view, it’s run on behalf of the active user and with their privileges. In early uses of this technique, cybercriminals tried to convince victims that they need to execute a command to fix some problem or to pass a captcha, and in the vast majority of cases, the malicious command was a PowerShell script."
        https://www.kaspersky.com/blog/clickfix-attack-variations/55340/

      Breaches/Hacks/Leaks

      • European DIY Chain ManoMano Data Breach Impacts 38 Million Customers
        "DIY store chain ManoMano is notifying customers of a data breach that was caused by hackers compromising a third-party service provider. The company confirmed to BleepingComputer that it learned of the hack in January 2026. An investigation into the incident determined that 38 million individuals are affected. “We can confirm that ManoMano has recently notified customers about a security incident involving one of our third-party customer service providers (a subcontractor),” the company told BleepingComputer."
        https://www.bleepingcomputer.com/news/security/european-dyi-chain-manomano-data-breach-impacts-38-million-customers/
      • Olympique Marseille Confirms 'attempted' Cyberattack After Data Leak
        "French professional football club Olympique de Marseille has confirmed a cyberattack after a threat actor claimed on Monday that it breached the club's systems earlier this month. Founded 126 years ago, Olympique Marseille competes in the Ligue 1, the top tier of the French football league system, and was the first French club to win the UEFA Champions League in 1993. On Tuesday, Olympique Marseille issued a statement confirming that it had been hit by a cyberattack, following claims by a threat actor that they had breached some of its servers."
        https://www.bleepingcomputer.com/news/security/olympique-marseille-football-club-confirms-cyberattack-after-data-leak/

      General News

      • The ENISA Cybersecurity Exercise Methodology
        "The methodology offers an end-to-end theoretical framework for planning, running and evaluating cybersecurity exercises. It ensures the right profiles and stakeholders are involved at the right time. It provides theoretical material based on lessons identified, industry best practices and cybersecurity expertise, and is designed to be used alongside a support toolkit, including a set of templates and guiding material to empower planners to organise effective exercises."
        https://www.enisa.europa.eu/publications/the-enisa-cybersecurity-exercise-methodology
        https://www.enisa.europa.eu/sites/default/files/2026-02/The ENISA Cybersecurity Exercise Methodology.pdf
        https://cyble.com/blog/enisa-cybersecurity-exercise-methodology/
      • The $19.5 Million Insider Risk Problem
        "Routine employee activity across corporate systems carries an average annual cost of $19.5 million per organization. That figure comes from the 2026 Cost of Insider Risks Global Report, conducted by the Ponemon Institute and based on data from 354 organizations that experienced one or more material insider-related incidents over the past year."
        https://www.helpnetsecurity.com/2026/02/26/insider-risk-costs-2026/
      • Open-Source Security Debt Grows Across Commercial Software
        "Open source code sits inside nearly every commercial application, and development teams continue to add new dependencies. Black Duck’s 2026 Open Source Security and Risk Analysis Report data shows that nearly all audited codebases contain open source components, with average component counts rising sharply over the past year. That growth brings a parallel increase in exposure. Mean vulnerabilities per codebase climbed from 280 to 581 in one year, more than doubling. Median vulnerabilities also rose. The spread between mean and median points to a long tail of heavily burdened applications, including extreme outliers with tens of thousands of findings."
        https://www.helpnetsecurity.com/2026/02/26/open-source-vulnerability-surge-risk-analysis/
      • Total Ransomware Payments Stagnate For Second Consecutive Year, While Attacks Escalate
        "Ransomware today is best understood not as isolated attacks, but rather as an interconnected marketplace of access, infrastructure, and monetization services. In 2025, total on-chain payments remained relatively stagnant even as claimed attacks increased and median ransom sizes rose. At the same time, coordinated law enforcement actions and sanctions increasingly targeted the infrastructure layer — including bulletproof hosting providers — increasing costs across both cybercrime syndicates and state-linked actors."
        https://www.chainalysis.com/blog/crypto-ransomware-2026/
        https://www.bleepingcomputer.com/news/security/ransomware-payment-rate-drops-to-record-low-as-attacks-surge/
        https://therecord.media/ransomware-payments-chainalysis-cybercrime
      • National Cyber Resilience In The AI Era
        "Cyber security is no longer something that happens quietly in server rooms or security operations centers. It now affects fuel availability, hospital operations, elections, financial markets, and public trust. What has changed is not just the volume of cyber attacks, but their intent. Adversaries are no longer satisfied with stealing data. They are embedding themselves into systems, waiting patiently, and positioning for disruption at moments of national stress. Cloud platforms, AI systems, and operational technology have dramatically expanded the attack surface, turning digital risk into national risk."
        https://blog.checkpoint.com/executive-insights/national-cyber-resilience-in-the-ai-era/
      • Project Compass: First Operational Results Against The Com Network
        "In its first year of operation, Project Compass has delivered concrete operational results against “The Com”, a decentralised extremist network targeting minors and vulnerable individuals both online and offline. Coordinated by Europol’s European Counter Terrorism Centre, the initiative brings together law enforcement authorities from EU Member States, as well as Norway, Switzerland, the United Kingdom, the United States, Canada, Australia, and New Zealand. The project strengthens cross-border cooperation to prevent, detect and investigate the criminal activities linked to this network."
        https://www.europol.europa.eu/media-press/newsroom/news/project-compass-first-operational-results-against-com-network
        https://www.bankinfosecurity.com/police-target-violent-online-predators-incubated-by-com-a-30856
        https://cyberscoop.com/project-compass-the-com-europol/
      • Fraudsters Integrate ChatGPT Into Global Scam Campaigns
        "AI models are being folded into fraud and influence operations that follow long-standing tactics. A February 2026 update to OpenAI’s Disrupting Malicious Uses of Our Models report details how ChatGPT and related API access were used in romance scams, fake legal services, coordinated influence campaigns, and a state-linked harassment effort."
        https://www.helpnetsecurity.com/2026/02/26/openai-malicious-chatgpt-use-report/
      • Telegram Rises To Top Spot In Job Scam Activity
        "Encrypted messaging platforms are becoming a primary channel for Authorised Push Payment (APP) fraud, with Telegram representing a growing share of reported cases, according to the Revolut report. The platform generates over 20% of authorised fraud origination, surpassing WhatsApp and posting growth of more than 30% in its share of scam cases compared to 2024."
        https://www.helpnetsecurity.com/2026/02/26/telegram-job-scams-activity/
        https://assets.revolut.com/pdf/Revolut_Consumer_Security_and_FinCrime_Report_compressed.pdf
      • Darktrace Flags 32 Million Phishing Emails In 2025 As Identity Attacks Intensify
        "More than 32 million high-confidence phishing emails were detected by Darktrace in 2025, showcasing a substantial escalation in identity-driven cyber threats. The data was collected by Darktrace from incidents across its global customer base and points to a year defined by automation, convergence and accelerating attacker speed. Over 8.2 million phishing emails targeted VIPs, accounting for more than 25% of all observed phishing attempts."
        https://www.infosecurity-magazine.com/news/32m-phishing-emails-detected-2025/
        https://www.darktrace.com/resource/annual-threat-report-2026
        https://cdn.prod.website-files.com/626ff19cdd07d1258d49238d/699db1ba8d377a68f7d697b7_Threat Report 2026 v4.pdf
      • Exploitable Vulnerabilities Present In 87% Of Organizations
        "Eighty-seven percent of organizations have at least one exploitable software vulnerability in production, affecting 40% of all services, a new report from Datadog has revealed. The observability and security specialist revealed the findings in its State of DevSecOps Report, which is based on telemetry from tens of thousands of applications and additional datasets. It noted that vulnerabilities are most common in Java services (59%), followed by .NET (47%) and Rust (40%)."
        https://www.infosecurity-magazine.com/news/exploitable-vulnerabilities-in-87/
      • Four Risks Boards Cannot Treat As Background Noise
        "The year 2025 redefined the cyber threat landscape, as attacks escalated from data breaches to crippling business-wide disruptions. Last year’s cyberattack on Jaguar Land Rover halted production lines for five weeks, prompting the British government to step in with a $2 billion bailout. This episode captures what changed in 2025: Rather than stolen data making headlines, it was business stoppage that triggered attention. Moving into 2026, the board’s focus should be on ensuring business continuity and building resilience in the face of emerging risks generated by AI usage and attack vectors, quantum computing and geopolitics."
        https://www.securityweek.com/four-risks-boards-cannot-treat-as-background-noise/
      • Expert Recommends: Prepare For PQC Right Now
        "Digital evolution is unstoppable, and though the pace may vary, things tend to fall into place sooner rather than later. That, of course, applies to adversaries as well. The rise of ransomware and cyber extortion generated funding for a complex and highly professional criminal ecosystem. The era of the cloud brought general availability of almost infinite amounts of storage. So there is literally nothing that stops criminals from stealing and trafficking heaps of data, be it encrypted or not."
        https://thehackernews.com/2026/02/expert-recommends-prepare-for-pqc-right.html
      • 2026 State Of Software Security: Risky Debt Is Rising, But Your Strategy Starts Here
        "You can’t fix what you ignore. For years, organizations have raced to deploy software faster, often leaving a trail of unresolved vulnerabilities in their wake. We call this trail security debt, or flaws that are left unresolved over a year since being discovered, and it isn’t just a technical metric. It’s a compounding business risk that is growing harder to manage every year. Today, we are releasing the 2026 State of Software Security (SoSS) report. The data is clear: the volume of risky code lingering in codebases is expanding, and high-severity flaws are becoming more common. But this year’s report offers more than just a warning. It provides a structured, data-backed strategy to regain control."
        https://www.veracode.com/blog/2026-state-of-software-security-report-risky-security-debt/
        https://www.theregister.com/2026/02/26/veracode_security_ai/
      • Preparing For Russia’s New Generation Warfare In Europe
        "Since its full-scale invasion of Ukraine in February 2022, Russia has waged what we assess is largely opportunistic, though increasingly aggressive, hybrid warfare in NATO territory. Moscow has very likely not yet leveraged its full capability to integrate cyber, political, and sabotage tools into a full-scale campaign. Over the next two years, Russian President Vladimir Putin will likely escalate Russia’s hybrid warfare campaign against NATO members into a full-fledged campaign likely consistent with a Russian military doctrine called New Generation Warfare (NGW)."
        https://www.recordedfuture.com/research/preparing-for-russias-new-generation-warfare-in-europe

      Reference
      Electronic Transactions Development Agency (ETDA)
