The FBI has seized the RAMP cybercrime forum, shutting down its Tor site and clearnet domain with DOJ coordination.

Threat actors are already migrating to other platforms, underscoring how fast the underground re-forms after takedowns.

🔗 Read → https://thehackernews.com/2026/01/threatsday-bulletin-new-rces-darknet.html#major-cybercrime-forum-takedown

🌍 Cybercrime enforcement follows clear patterns. A new analysis maps 418 confirmed actions worldwide from 2021–2025, showing where arrests, takedowns, and sanctions are focused.

The U.S. and Europe lead, with private companies playing a growing support role.

🔗 How cybercrime is being targeted worldwide → https://thehackernews.com/2026/01/badges-bytes-and-blackmail.html

China-linked UAT-8099 targets IIS servers in Asia using BadIIS SEO malware.

The group broke into vulnerable IIS servers, mainly in Thailand and Vietnam, using web shells and PowerShell. The aim remains SEO fraud, now tuned by region.

🔗 Read → https://thehackernews.com/2026/01/china-linked-uat-8099-targets-iis.html

🛑 Chrome extensions are being abused at scale.

Researchers uncovered tools that hijack affiliate links, scrape shopping data, steal ChatGPT login tokens, and even deliver phishing pages—while passing official store reviews.

🔗 Learn more about the affiliate fraud, AI token theft, and the browser as attack surface → https://thehackernews.com/2026/01/researchers-uncover-chrome-extensions.html

⚠️ Poland confirms coordinated cyber attacks on 30+ renewable energy sites and a major CHP plant.

CERT Polska says the campaign was destructive, using wiper malware, but failed to disrupt power or heat supply. Access came via vulnerable Fortinet devices.

🔗 Read → https://thehackernews.com/2026/01/poland-attributes-december-cyber.html

🧑‍💻 Google Mandiant says ShinyHunters-linked crews are expanding extortion attacks by abusing vishing and fake login pages.

The goal is cloud SaaS access, not endpoints. Once inside, attackers steal data and escalate pressure with harassment.

🔗 Read → https://thehackernews.com/2026/01/mandiant-finds-shinyhunters-using.html

🛑 A suspected Iran-aligned campaign targets NGOs and individuals documenting human rights abuses.

HarfangLab tracks the activity as RedKitten, using Excel files themed around deceased protesters to deliver malware.

The tooling relies on GitHub, Google Drive, and Telegram for configuration and control, with indicators suggesting parts of the code may be LLM-assisted.

🔗 Read → https://thehackernews.com/2026/01/iran-linked-redkitten-cyber-campaign.html

📱 Apple is testing a new iOS setting that reduces how precisely cellular networks can 📍 locate your device.

Limit Precise Location restricts location data to a broad area instead of an exact address.

🔗 Learn how the setting works and where it’s available → https://thehackernews.com/2026/01/threatsday-bulletin-new-rces-darknet.html#cellular-location-precision-reduced

⚠️ WARNING: A supply chain attack spread malware via trusted VS Code extensions on Open VSX.

Attackers hijacked a real developer account and pushed GlassWorm through four existing tools.

22,000+ installs happened before removal.

🔗 Read → https://thehackernews.com/2026/02/open-vsx-supply-chain-attack-used.html

⚠️ ALERT — eScan antivirus delivered a malicious update after its update system was compromised.

During a two-hour window, attackers swapped a trusted file to stop updates and 🛠️ cleanup. The malware hid by faking update status and downloading more payloads.

🔗 Details → https://thehackernews.com/2026/02/escan-antivirus-update-servers.html

🛑 WARNING - Notepad++ confirmed state-sponsored attackers hijacked its update traffic via a compromised hosting provider. Selected users were redirected to malicious update servers.

The activity ran for months.

🔗 Learn more → https://thehackernews.com/2026/02/notepad-official-update-mechanism.html

Experts at CTM360 report brand impersonation has become a scaled fraud operation.

Its findings show 30,000+ fake fashion stores across 80+ countries, using ads and real payment flows before disappearing.

🔗 How the FraudWear network operates at scale → https://thehackernews.com/expert-insights/2026/02/ctm360-research-reveals-30000-fake.html

🛡️⚙️ Mid-market security fails when siloed tools drive up cost and alerts faster than teams can cope.

Endpoint, email, and firewall tools run in isolation, weakening protection. The shift is toward single platforms across the full threat lifecycle to cut risk without extra overhead.

🔗 How lifecycle security works in practice → https://thehackernews.com/2026/02/securing-mid-market-across-complete.html

What if the hardest vulnerability to patch… is self-doubt?

ICS environments are unforgiving. Responders can’t afford hesitation—but they also can't ignore it. In ICS410, Justin Searle helps practitioners move from doubt to decisive action, grounded in technical precision and OT situational awareness.

Register for ICS410 at SANS Surge 2026 (Feb 23–28) and train live with Justin: https://thn.news/sans-surge-26

Latest edition of Cybersecurity recap worth reading:

🌐 Proxy botnet disrupted
🪟 Office zero-day exploited
🤖 AI endpoints hijacked
⚡ Power systems targeted
🧩 Malware in dev tools
📧 AWS creds abused
🗄️ Databases extorted
🔐 Enterprise flaws exploited

🔗 Full RECAP → https://thehackernews.com/2026/02/weekly-recap-proxy-botnet-office-zero.html

⚡ Microsoft will phase out NTLM in Windows through a three-step plan.

Deprecated in June 2024, NTLM remains widely used despite known security flaws. NTLM will be disabled by default in a future Windows release, with Kerberos becoming the standard.

🔗 dtails → https://thehackernews.com/2026/02/microsoft-begins-ntlm-phase-out-with.html

🔥 A high-severity RCE flaw in OpenClaw lets attackers take over the local agent with a single click.

A crafted link can steal a gateway token via unvalidated WebSocket origins, enabling full command execution even on localhost-only setups through the user’s browser.

🔗 Details and attack chain → https://thehackernews.com/2026/02/openclaw-bug-enables-one-click-remote.html

⚡🤖 Researchers find 341 malicious ClawHub skills targeting OpenClaw users via fake install steps.

The skills deploy Atomic Stealer on macOS and keylogging malware on Windows, abusing OpenClaw’s open marketplace model.

🔗 Read → https://thehackernews.com/2026/02/researchers-find-341-malicious-clawhub.html

🚨 China-linked Lotus Blossom compromised Notepad++ hosting infrastructure to hijack update traffic and deliver the Chrysalis backdoor, Rapid7 reports.

The issue affected older versions and was fixed with version 8.8.9 in December 2025.

🔗 Read → https://thehackernews.com/2026/02/notepad-hosting-breach-attributed-to.html

🤖 Mozilla will add 1-click Firefox setting to fully disable generative AI features.

With Firefox 148, users can block all current and future AI features or manage them individually, keeping AI strictly opt-in as browsers add more automation.

🔗 Read → https://thehackernews.com/2026/02/mozilla-adds-one-click-option-to.html