Top stories.
- Ransomware activity against the industrial sector surges.
- Infostealer malware extracts OpenClaw configuration files.
- Poland arrests a man suspected of links to the Phobos ransomware operation.
Ransomware activity against the industrial sector surges.
119 ransomware groups targeted industrial organizations in 2025, a 49% increase from the 80 groups that were tracked in 2024, according to Dragos's OT Cybersecurity Year in Review for 2026. Dragos observed 3,300 industrial organizations hit by ransomware last year, with the manufacturing sector accounting for two-thirds of these attacks. The researchers note that the real number of attacks is likely much higher, since many are mislabeled as "IT incidents."
The researchers note, "During 2025, affiliates increasingly relied on credential logs sourced from infostealers, password reuse across OT and IT systems, cloud-synchronized identities, and compromised vendor accounts sold through IAB marketplaces. This approach allowed adversaries to bypass perimeter detections entirely by authenticating legitimately into VPN portals, remote desktop infrastructure, and cloud identity providers used across IT–OT boundaries."
Infostealer malware extracts OpenClaw configuration files.
Researchers have observed the first known instance of an infostealer extracting sensitive files used by the popular agentic AI assistant OpenClaw (formerly ClawdBot and MoltBot). Hudson Rock saw the malware successfully exfiltrating a victim's OpenClaw configuration environment, which contained secrets such as API keys and authentication tokens.
The researchers note, "[T]his data was not captured by a specialized 'OpenClaw module' within the malware. Instead, the infostealer utilized a broad file-grabbing routine designed to sweep for sensitive file extensions and specific directory names (like .openclaw). While the malware may have been looking for standard 'secrets,' it inadvertently struck gold by capturing the entire operational context of the user’s AI assistant." Hudson Rock expects malware developers to quickly jump on this opportunity and release dedicated modules designed to target AI assistants.
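A defender-side check for the exposure described above, added here as an example rather than code from Hudson Rock or the OpenClaw project: it walks a home directory for assistant config directories (`.openclaw` is the name cited in the write-up), flags files that other local accounts can read, and flags files holding plaintext key-like values, so they can be tightened to owner-only or moved into a secret store. The function names, the key regex, the file layout and the fixture contents are assumptions, not OpenClaw's real configuration format.

```python
import re
import stat
import tempfile
from pathlib import Path

# Directory names to inspect; ".openclaw" is the one named in the report.
SENSITIVE_DIRS = {".openclaw"}
# Heuristic for a plaintext credential: a key-ish label followed by a long
# token. Assumed pattern, not any vendor's documented key format.
SECRET_RE = re.compile(
    r'(?i)(api[_-]?key|token|secret)["\']?\s*[:=]\s*["\']?([A-Za-z0-9_\-]{16,})'
)

def audit_secret_dirs(home):
    """One finding per file under a sensitive dir that other local accounts
    can read or that holds a secret-looking value. Checks POSIX mode bits
    only; Windows ACLs are not inspected."""
    findings = []
    for d in Path(home).rglob("*"):
        if not (d.is_dir() and d.name in SENSITIVE_DIRS):
            continue
        for f in d.rglob("*"):
            if not f.is_file():
                continue
            issues = []
            if f.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH):
                issues.append("readable by group/others")
            try:
                text = f.read_text(errors="replace")
            except OSError:
                continue
            if SECRET_RE.search(text):
                issues.append("contains plaintext secret-like value")
            if issues:
                findings.append({"path": str(f), "issues": issues})
    return findings

def build_fixture(base=None):
    """Constructed sample layout under base (a fresh temp dir if None):
    one leaky config file and one harmless file."""
    base = Path(base) if base else Path(tempfile.mkdtemp())
    cfg_dir = base / ".openclaw"
    cfg_dir.mkdir(parents=True, exist_ok=True)
    leaky = cfg_dir / "config.json"
    leaky.write_text('{"api_key": "sk-CONSTRUCTED-EXAMPLE-KEY-000000000"}\n')
    leaky.chmod(0o644)  # group/world-readable: the exposure described above
    clean = cfg_dir / "notes.txt"
    clean.write_text("no credentials here\n")
    clean.chmod(0o600)  # owner-only: the mitigation
    return cfg_dir
```

Run `audit_secret_dirs(Path.home())` on a real workstation to list config files that need their permissions tightened or their secrets relocated.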
Government shutdown leaves CISA at reduced capacity.
The US Cybersecurity and Infrastructure Security Agency (CISA) will remain operational during the Department of Homeland Security shutdown that began on February 14th, but at reduced capacity, SecurityWeek reports. Under the Antideficiency Act, staff cannot be paid and are technically furloughed, though 888 of CISA's 2,341 employees are required to continue working in "excepted" roles without pay. Others can be recalled if needed to address threats to life, property, or national security, such as major ransomware attacks or widespread exploitation of a critical vulnerability.
Poland arrests a man suspected of links to the Phobos ransomware operation.
Polish authorities have arrested a 47-year-old man suspected of involvement with the Phobos ransomware-as-a-service gang, BleepingComputer reports. The arrest was part of Europol's "Operation Aether," which is targeting Phobos and its affiliates.
Poland's Central Bureau of Cybercrime Control (CBZC) said in a statement, "Officers secured files on the man's computer containing digital data, such as logins, passwords, credit card numbers, and server IP addresses. This data could have been used to launch various attacks, including ransomware. Furthermore, the 47-year-old used encrypted messaging to contact the Phobos criminal group, known for its ransomware attacks."