Week in review: Firmware-level Android backdoor found on tablets, Dell zero-day exploited since 2024
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos:

Security at AI speed: The new CISO reality
The CISO role has changed significantly over the past decade, but according to John White, EMEA Field CISO, Torq, the most disruptive shift is accountability driven by agentic AI. In this Help Net Security interview, White explains how security leaders must design and govern hybrid workforces where humans and AI agents operate side by side, making decisions and acting at scale. He notes that automation is moving beyond simple task execution into real-time insight and response.
REMnux v8 brings AI integration to the Linux malware analysis toolkit
REMnux, a specialized Linux distribution for malware analysis, has released version 8 with a rebuilt platform based on Ubuntu 24.04 and a new capability aimed at connecting AI agents directly to its toolset.
Your encrypted data is already being stolen
Quantum computing is often treated as a distant, theoretical cybersecurity issue. According to Ronit Ghose, Global Head, Future of Finance of Citi Institute, that mindset is already putting financial institutions at risk. The biggest misconception, he says, is that quantum threats begin on a single future Q-day, when quantum machines suddenly crack encryption. In reality, adversaries can harvest encrypted data today and decrypt it later, creating long-term exposure for banks handling sensitive identity and transaction data.
SecureClaw: Dual stack open-source security plugin and skill for OpenClaw
SecureClaw is an open-source project that adds security auditing and rule-based controls to OpenClaw agent environments. The tool is published by Adversa AI and is designed to work with OpenClaw and related agents such as Moltbot and Clawdbot.
Everyone uses open source, but patching still moves too slowly
Enterprise security teams rely on open source across infrastructure, development pipelines, and production applications, even when they do not track it as a separate category of technology. Open source has become a default building block in many environments, and the operational risks now look like standard enterprise security problems: patch delays, version sprawl, and aging platforms that stay online longer than planned.
The defense industrial base is a prime target for cyber disruption
Cyber threats against the defense industrial base (DIB) are intensifying, with adversaries shifting from traditional espionage toward operations designed to disrupt production capacity and compromise supply chains. In this Help Net Security interview, Luke McNamara, Deputy Chief Analyst, Google Threat Intelligence Group, explains how attackers target the broader defense ecosystem and why identity has become the new security boundary.
One stolen credential is all it takes to compromise everything
Attackers often gain access through routine workflows like email logins, browser sessions, and SaaS integrations. A single stolen credential can give them a quick path to move across systems when access permissions are broad and visibility is fragmented. That pattern appears across more than 750 incident response engagements covered in Unit 42’s Global Incident Response Report 2026.
The CISO view of fraud risk across the retail payment ecosystem
In this Help Net Security interview, Paul Suarez, VP and CISO at Casey’s, explains how his team manages patching and upgrades for fuel payment systems with long hardware lifecycles. He also discusses risks tied to QR code payments and outlines why loyalty abuse can be hard to spot. Suarez shares how Casey’s monitors payment systems across stores, corporate networks, and third-party processors.
Google patches Chrome vulnerability with in-the-wild exploit (CVE-2026-2441)
Google released a security update for Chrome to address a high-severity zero‑day vulnerability (CVE-2026-2441) on Friday. CVE-2026-2441 is a use-after-free bug in the CSS processing component of Google Chrome, which allows a remote attacker “to execute arbitrary code inside a sandbox via a crafted HTML page.”
OpenClaw creator Peter Steinberger joins OpenAI
Peter Steinberger, the Austrian software developer who vibe coded the popular OpenClaw autonomous AI agent, has joined OpenAI. His stated reason for choosing OpenAI is his lack of interest in building a company and his wish to “change the world” – and do it quickly.
Firmware-level Android backdoor found on tablets from multiple manufacturers
A new Android backdoor embedded directly in device firmware can quietly take control of apps and harvest data, Kaspersky researchers found. The malware, named Keenadu, was discovered during an investigation into earlier Android threats and appears to have been inserted during the firmware build process, not after devices reached users. 
Design weaknesses in major password managers enable vault attacks, researchers say
Can cloud-based password managers that claim “zero-knowledge encryption” keep users’ passwords safe even if their encrypted-vault servers are compromised? Researchers at ETH Zurich and Università della Svizzera italiana set out to answer that question, and the answer is (unfortunately) no.
Notepad++ secures update channel in wake of supply chain compromise
Notepad++, the popular text and source code editor for Windows whose update mechanism was hijacked last year, has been updated to prevent similar attacks in the future. The hijacking of the update mechanism was confirmed earlier this month by Notepad++ maintainer Don Ho.
Scammers exploit trust in Atlassian Jira to target organizations
Threat actors have leveraged the legitimate email notification feature of Atlassian Jira to deliver localized scam emails at scale. From late December 2025 through late January 2026, victims were targeted with spam emails sent from legitimate-looking Atlassian Jira Cloud addresses.
China-linked hackers exploited Dell zero-day since 2024 (CVE-2026-22769)
A suspected China-linked cyberespionage group has been covertly exploiting a critical zero-day flaw (CVE-2026-22769) in Dell’s RecoverPoint for Virtual Machines software since at least mid-2024, according to new research from Google’s threat intelligence team and Mandiant. The attackers deployed stealthy backdoors (BRICKSTORM and GRIMBOLT), a webshell (SLAYSTYLE) and maintained long-term access inside targeted networks.
Bug in widely used VoIP phones allows stealthy network footholds, call interception (CVE-2026-2329)
A critical security vulnerability (CVE-2026-2329) in Grandstream VoIP phones could let hackers remotely take full control of the devices and even intercept calls, Rapid7 researchers discovered.
Data on 1.2 million French bank accounts accessed in registry breach
In late January 2026, a malicious intruder accessed France’s national bank account registry, FICOBA, enabling them to view information tied to 1.2 million accounts, the Ministry of the Economy and Finance disclosed on Wednesday. TV5 Monde reported that the perpetrator (or perpetrators) obtained login credentials belonging to a civil servant authorized to use the database and then used those credentials to explore its contents.
Microsoft reveals critical Windows Admin Center vulnerability (CVE-2026-26119)
Microsoft has disclosed a privilege-escalation vulnerability in Windows Admin Center (WAC), a browser-based platform widely used by IT administrators and infrastructure teams to manage Windows clients, servers, clusters, Hyper-V hosts and virtual machines, as well as Active Directory-joined systems.
Criminals create business website to sell RAT disguised as RMM tool
A RAT masquerading as legitimate remote monitoring and management (RMM) software is being sold to cybercriminals as a service, Proofpoint researchers recently discovered. The fake RMM tool, called TrustConnect, was being marketed via an LLM-created website parked on trustconnectsoftware[.]com, supposedly belonging to “TrustConnect Software PTY LTD”.
LockBit 5.0 ransomware expands its reach across Windows, Linux, and ESXi
The Acronis Threat Research Unit (TRU) has identified a new and significantly enhanced version of the LockBit ransomware, LockBit 5.0, currently being deployed in active campaigns. The latest variant demonstrates expanded cross-platform capabilities, enabling attackers to target Windows, Linux, and VMware ESXi systems within a single coordinated attack.
Don’t panic over CISA’s KEV list, use it smarter
In this Help Net Security video, Tod Beardsley, VP of Security Research at runZero, explains what CISA’s Known Exploited Vulnerabilities (KEV) Catalog is and how security teams should use it. He shares his perspective as a former section chief for KEV at CISA and breaks down common misunderstandings about what the list represents.
Cybersecurity in cross-border logistics operations
In this Help Net Security video, Dieter Van Putte, CTO at Landmark Global, discusses how cybersecurity has become a core part of global supply chain operations. He explains that logistics is now also about data moving between carriers, customs authorities, warehouses, brokers, and customers. That constant flow increases risk and expands the attack surface.
In GitHub’s advisory pipeline, some advisories move faster than others
GitHub Security Advisories are used to distribute vulnerability information in open-source projects and security tools. A new study finds that only a portion of those advisories ever pass through GitHub’s formal review process.
Android 17 beta brings privacy, security, and performance changes
Google has released the first beta of Android 17, giving developers an early view of changes to core app behavior, platform tooling, performance, media handling, and connectivity. The company plans to move quickly from this beta toward the Platform Stability milestone, targeted for March, where final APIs and behavior definitions for apps will be delivered.
UK sets course for stricter AI chatbot regulation
The UK government has announced immediate action to force AI chatbot providers to comply with laws requiring online platforms to protect children from illegal and harmful content. Providers that fail to meet these duties will face legal consequences.
Microsoft equips CISOs and AI risk leaders with a new security tool
Microsoft released Security Dashboard for AI in public preview for enterprise environments. The dashboard aggregates posture and real-time risk signals from Microsoft Defender, Microsoft Entra, and Microsoft Purview into a single view within security tools.
Phobos ransomware affiliate arrested in Poland
Officers from Poland’s Central Bureau for Combating Cybercrime (CBZC) detained a 47-year-old man suspected of creating, acquiring, and sharing computer programs used to unlawfully obtain information stored in computer systems. He faces a potential prison sentence of up to five years.
Pressure builds on Grok AI, Ireland launches investigation
The Irish Data Protection Commission (DPC) opened an investigation into X over concerns that its Grok AI chatbot was used to generate sexualized deepfakes. The investigation focuses on the apparent creation and publication of potentially harmful, non-consensual intimate or sexualised images on X using generative AI tools linked to the platform’s Grok LLM.
Claude Sonnet 4.6 launches with improved coding and expanded developer tools
Anthropic released Claude Sonnet 4.6, marking its second major AI launch in less than two weeks. According to Anthropic, Sonnet 4.6 delivers improved coding skills to more users. Tasks that once required an Opus-class model, including economically valuable office work, are handled by Sonnet 4.6. The model also brings improvements in computer use capabilities compared to earlier Sonnet versions.
Attackers keep finding the same gaps in security programs
Attackers keep getting in, often through the same predictable weak spots: identity systems, third-party access, and poorly secured perimeter devices. A new threat report from Barracuda based on Managed XDR telemetry from 2025 shows that many successful incidents still start with basic access and configuration failures, not advanced malware.
Microsoft signals breakthrough in data storage that can last for generations
Microsoft announced progress on Project Silica, its research initiative focused on developing durable, long-term quartz glass-based data storage technology. Rising global data volumes increase the need for storage that can last for generations. Researchers believe this technology could preserve information for up to 10,000 years.
UK sounds alarm on rising cyber risks to businesses
The UK government launched a national campaign urging businesses to strengthen basic cyber defenses. The initiative follows new figures highlighting the scale of the threat. Serious cyber incidents cost businesses an average of £195,000, with about half of small firms experiencing one in the past 12 months, officials say.
Open-source benchmark EVMbench tests how well AI agents handle smart contract exploits
EVMbench is a new open-source benchmark designed to test AI agents on practical smart contract security tasks. The benchmark was developed by OpenAI and Paradigm, and it focuses on real-world vulnerability patterns drawn from audited codebases and contest reports.
Adidas investigates alleged data breach affecting 815,000 records
Adidas confirmed it is investigating a possible data breach involving one of its third-party customer service providers. The company stated that there is no indication its IT infrastructure, e-commerce platforms, or consumer data were impacted by the incident.
Poland restricts Chinese-made cars at protected military sites
Poland’s military leadership has decided that cars manufactured in the People’s Republic of China will no longer cross the gates of sensitive military bases. The decision follows a risk analysis focused on the growing integration of digital systems in cars and the potential for uncontrolled acquisition and use of data by those systems.
651 arrested, $4.3 million recovered in African cybercrime sweep
Operation Red Card 2.0, supported by INTERPOL and involving law enforcement agencies from 16 African countries, led to 651 arrests and the recovery of more than $4.3 million from online scams. Running from 8 December 2025 to 30 January 2026, the operation targeted networks behind high-yield investment fraud, mobile money scams and fraudulent loan applications that caused more than $45 million in losses.
Man gets five years for aiding North Korean IT employment scam
Ukrainian national Oleksandr Didenko, 29, was sentenced in U.S. District Court to 5 years in prison for an identity theft scheme that enabled North Korean workers to secure fraudulent employment.
Ex-Google engineers charged with orchestrating high-tech secrets extraction
A federal grand jury has indicted three Silicon Valley engineers on charges in a scheme to steal trade secrets from Google and other leading technology companies.
MOS: Open-source modular OS for servers and homelabs
A growing number of homelab builders and small server operators are testing an open source operating system that combines basic server management, storage control, and container services under a web interface. MOS is a free modular OS built on a Devuan base that provides a web UI and API for system monitoring, storage pooling, container orchestration, and virtualization.
Apple privacy labels often don’t match what Chinese smart home apps do
Smart home devices in many homes collect audio, video, and location data. The apps that control those devices often focus on the account owner, even when the technology also captures guests, neighbors, and other people who never agreed to be monitored. New research examined whether Chinese smart home apps provide privacy protections for these bystanders.
Vim 9.2 adds scripting updates, diff improvements, and experimental Wayland support
Vim 9.2 adds a range of incremental changes focused on scripting, usability, and cross-platform support. The update includes improvements to completion behavior, expanded Vim9 language features, and new options for diff mode.
ChatGPT gets new security feature to fight prompt injection attacks
OpenAI has introduced Lockdown Mode and Elevated Risk labels in ChatGPT to help users and organizations reduce the risk of prompt injection attacks and other advanced security threats, particularly when using features that interact with external systems.
OT teams are losing the time advantage against industrial threat actors
In many industrial environments, internet-facing gateways, remote access appliances, and boundary systems sit close enough to production networks that attackers can move from IT intrusion to operational disruption with limited resistance. Dragos’ 2026 OT/ICS Year in Review describes a threat landscape where adversaries are spending more time learning how physical processes work and less time treating OT access as a passive foothold.
AWS coding agents gain new plugin support across development tools
AI coding assistants have become a routine part of many development workflows, helping engineers write, test, and deploy code from IDEs or command line interfaces. One recent change in this ecosystem makes it possible for those agents to interact with AWS in a broader set of ways by adding a library of plugins that give agents specific AWS knowledge and actions.
Microsoft Defender update lets SOC teams manage, vet response tools
Microsoft introduced library management in Microsoft Defender to help security analysts working with live response manage scripts and tools they use to triage, investigate and remediate threats. The library management interface allows analysts to organize their investigation tools and manage everything without waiting for an active session.
Consumers feel less judged by AI debt collectors
Debt collection agencies are starting to use automated voice systems and AI-driven messaging to handle consumer calls. These systems help scale outreach, reduce call center staffing demands, and offer 24/7 service. A new study covering 11 European countries found that this shift changes how consumers emotionally experience debt collection, especially around stigma and empathy.
Man sentenced to 8 years in $1.3 million computer intrusion and tax fraud scheme
Matthew A. Akande, a Nigerian national, was sentenced by a U.S. District Court to eight years in prison, followed by three years of supervised release, for his role in a scheme to break into Massachusetts tax preparation firms’ computer networks and file fraudulent tax returns. The operation generated over $1.3 million in fraudulent tax refunds.
Public mobile networks are being weaponized for combat drone operations
On June 1, 2025, Ukraine launched drone strikes on five Russian airfields, damaging or destroying aircraft. More than 100 explosive drones used mobile networks to transmit data, receive instructions, and send images. Enea researchers analyzed the growing use of mobile-connected drones in conflict and the implications for national infrastructure.
PromptSpy: First Android malware to use generative AI in its execution flow
ESET researchers have discovered PromptSpy, the first known Android malware to abuse generative AI as part of its execution flow in order to achieve persistence. This marks the first time generative AI has been deployed in this way.
Uptime Kuma: Open-source monitoring tool
Service availability monitoring remains a daily operational requirement across IT teams, SaaS providers, and internal infrastructure groups. Many environments rely on automated checks and alerting to track outages, latency issues, and service degradation across web applications and network endpoints. Uptime Kuma is an open-source uptime monitoring project that supports this type of operational monitoring through a self-hosted deployment model.
Quantum security is turning into a supply chain problem
Supplier onboarding, invoice processing, and procurement platforms run on encrypted data flows that were built for long-term trust. In many organizations, that trust still depends on cryptographic standards like RSA and elliptic curve cryptography (ECC), even as security teams begin planning for a post-quantum world. A recent apexanalytix research report argues that supply chain leaders are already operating inside a quantum risk window, even though large-scale quantum computing remains years away.
Google cleans house, bans 80,000 developer accounts from the Play Store
Google prevented more than 1.75 million policy-violating apps from being published on Google Play and banned over 80,000 developer accounts that attempted to publish harmful apps in 2025. Developer verification, mandatory pre-review checks, and testing requirements in the Google Play ecosystem have reduced entry points for bad actors.
LLMs change their answers based on who’s asking
AI chatbots may deliver unequal answers depending on who is asking the question. A new study from the MIT Center for Constructive Communication finds that LLMs provide less accurate information, increase refusal rates, and sometimes adopt a different tone when users appear less educated, less fluent in English, or from particular countries.
Applying green energy tax policies to improve cybersecurity
For years, governments have focused only on the stick of compliance when they could also leverage the carrot of tax incentives. In theory, compliance fines and penalties should act as a deterrent that improves accountability and reduces data breaches. In practice, many vendors simply accept the compliance risk rather than securing data effectively.
The era of the Digital Parasite: Why stealth has replaced ransomware
For years, ransomware encryption signaled a breach. When systems locked up, defenders knew an attack had occurred. Data from Picus Security’s Red Report 2026 shows attackers shifting their strategy from disruption to persistence.
Cybersecurity jobs available right now: February 17, 2026
We’ve scoured the market to bring you a selection of roles that span various skill levels within the cybersecurity field. Check out this weekly selection of cybersecurity jobs available right now.
New infosec products of the week: February 20, 2026
Here’s a look at the most interesting products from the past week, featuring releases from Compliance Scorecard, Impart Security, Redpanda, and Virtana.