For the latest discoveries in cyber research for the week of 16th February, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
- Dutch telecom provider Odido was hit by a data breach following unauthorized access to its customer management system. Attackers extracted personal data of 6.2 million customers, including names, addresses, phone numbers, email addresses, bank account details, dates of birth, and passport or ID numbers.
- BridgePay Network Solutions, a US payment gateway, has confirmed a ransomware attack that forced it to take core systems offline. The outage disrupted portals for municipalities and merchants nationwide, though initial findings indicate no payment card data exposure and accessed files were encrypted. No ransomware group claimed responsibility for the attack.
- Flickr, a photo sharing platform, has experienced a security incident at a third-party email service provider on February 5. The exposure may include names, usernames, email addresses, IP addresses, location data, and more. Passwords and payment card numbers were not affected.
- ApolloMD, a US physician and practice management services firm, has disclosed a breach impacting 626,000 individuals. The incident occurred during May 2025, while the attackers accessed patient information from affiliated practices, exposing data such as names, addresses, and medical details.
AI THREATS
- Google has released an analysis of adversarial AI misuse, detailing model extraction “distillation” attacks, AI-augmented phishing, and malware experimentation in late 2025. The report identified attempts to coerce disclosure of internal reasoning, AI-assisted reconnaissance by DPRK, PRC, Iranian, and Russian actors, and AI-integrated malware such as HONESTCUE leveraging Gemini’s API for second-stage payload generation.
- Researchers have investigated a UNC1069 intrusion targeting a cryptocurrency FinTech through AI-enabled social engineering and a fake Zoom ClickFix lure. The attack deployed seven malware families enabling TCC bypass, credential and browser data theft, keystroke logging, and C2 communications over RC4-encrypted configurations.
Check Point Threat Emulation provides protection against this threat (Trojan.Wins.SugarLoader)
- Researchers have detailed the abuse of AI website builders to clone major brands for phishing and fraud. They analyzed a Malwarebytes lookalike site created using Vercel’s v0 tool, which replicated branding and integrated opaque PayPal payment flows. The domain leveraged SEO poisoning and spam links, with registration data indicating links to India.
VULNERABILITIES AND PATCHES
- Microsoft has released its February 2026 Patch Tuesday updates. The release addresses 58 vulnerabilities, including six zero days under active exploitation, among them CVE-2026-21510, a Windows Shell Security Feature Bypass vulnerability that can be triggered by opening a specially crafted link or shortcut file. Successful exploitation requires convincing a user to open a malicious link or shortcut file.
- Google has patched 11 vulnerabilities in Chrome 145 for Windows, macOS, and Linux, including CVE-2026-2313, a use-after-free vulnerability in CSS. This high-severity flaw could allow remote code execution. Two additional high severity bugs in Codecs (CVE-2026-2314) and WebGPU (CVE-2026-2315) also enable code execution.
- BeyondTrust has addressed CVE-2026-1731, a CVSS 9.9 pre-authentication remote code execution flaw in Remote Support and older Privileged Remote Access versions. Shortly after a proof of concept was published, threat actors began exploiting exposed instances, prompting urgent upgrades for self-hosted deployments.
Check Point IPS provides protection against this threat (BeyondTrust Multiple Products Command Injection (CVE-2026-1731))
THREAT INTELLIGENCE REPORTS
- Check Point Research analyzed global cyber-attacks in January averaging 2,090 per organization per week, up 3% from December and 17% year over year. Education remained the most targeted sector with 4,364 attacks per organization, ransomware recorded 678 incidents with 52% in North America, and 1 in 30 GenAI prompts posed high data leak risk.
- Check Point Research identified a sharp increase in Valentine-themed phishing websites, fraudulent stores, and fake dating platforms designed to steal personal data and payment information. Valentine-related domain registrations rose 44% in January 2026, with 97.5% unclassified, while 710 Tinder-impersonating domains were detected.
- A Phorpiex-driven phishing campaign has been observed delivering Global Group ransomware via ZIP attachments with double-extension LNK files, using CMD and PowerShell to execute the payload. The ransomware runs offline with locally generated ChaCha20-Poly1305 keys, deletes shadow copies and itself, and terminates analysis and database processes.
- Researchers have analyzed the latest GuLoader (aka CloudEye) downloader, which delivers Remcos, Vidar, and Raccoon, and now evades detection by leveraging encrypted payloads hosted on Google Drive and OneDrive. The malware uses polymorphic code to generate constants via XOR and ADD/SUB operations, along with anti-analysis techniques such as sandbox checks and exception handlers.
Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Trojan.Wins.GuLoader; InfoStealer.Win.GuLoader; Dropper.Wins.GuLoader.ta.*; Dropper.Win.CloudEyE; RAT.Wins.Remcos; InfoStealer.Win.Vidar; InfoStealer.Win.Raccoon; InfoStealer.Wins.Raccoon)
The post 16th February – Threat Intelligence Report appeared first on Check Point Research.
