Top stories.
- Chinese threat actor exploits maximum-severity Dell zero-day.
- Infostealer malware extracts OpenClaw configuration files.
- Malware campaign targets Iranian protesters and dissidents.
- Spanish court orders NordVPN and ProtonVPN to block illegal football streamers.
- New phishing toolkit proxies live websites.
- Ransomware activity against the industrial sector surges.
Chinese threat actor exploits maximum-severity Dell zero-day.
A suspected Chinese APT has been exploiting a maximum-severity zero-day in Dell RecoverPoint for Virtual Machines since at least mid-2024, according to researchers at Mandiant and the Google Threat Intelligence Group. The vulnerability (CVE-2026-22769) is a hardcoded credential flaw that can allow an unauthenticated remote attacker to gain "unauthorized access to the underlying operating system and root-level persistence." The PRC-nexus threat actor tracked by Google as "UNC6201" has used the flaw to move laterally, maintain persistence, and deploy malware.
Dell released remediation guidance for the flaw on Tuesday, and Google has outlined steps to help incident responders determine if an organization has been compromised.
The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered Federal Civilian Executive Branch (FCEB) agencies to patch the flaw by the end of the day on Saturday, February 21st.
Infostealer malware extracts OpenClaw configuration files.
Researchers have observed the first known instance of an infostealer extracting sensitive files used by the popular agentic AI assistant OpenClaw (formerly ClawdBot and MoltBot). Hudson Rock saw the malware successfully exfiltrating a victim's OpenClaw configuration environment, which contained secrets such as API keys and authentication tokens.
The researchers note, "[T]his data was not captured by a specialized 'OpenClaw module' within the malware. Instead, the infostealer utilized a broad file-grabbing routine designed to sweep for sensitive file extensions and specific directory names (like .openclaw). While the malware may have been looking for standard 'secrets,' it inadvertently struck gold by capturing the entire operational context of the user’s AI assistant." Hudson Rock expects malware developers to quickly jump on this opportunity and release dedicated modules designed to target AI assistants.
Malware campaign targets Iranian protesters and dissidents.
Acronis has published a report on a new malware campaign dubbed "CRESCENTHARVEST" that appears to be targeting supporters of the ongoing protests in Iran. The malware is distributed via malicious .LNK files posing as protest-related images or videos, bundled with a Farsi-language report providing news about the protests.
Acronis notes, "While the attacker remains unidentified, analysis of methodology, code, and C2 infrastructure points to an Iranian-aligned threat group. Amid ongoing political turmoil, this campaign appears specifically crafted to target Farsi-speaking Iranians sympathetic to the protests, though activists, journalists, and others seeking reliable information from within Iran may also be at risk."
Spanish court orders NordVPN and ProtonVPN to block illegal football streamers.
A Spanish court has ordered Proton VPN and NordVPN to block sixteen websites accused of illegally streaming football (soccer) matches, Tom's Guide reports. The ruling requires the VPN companies to immediately block certain IP addresses that are confirmed to be broadcasting illegal streams.
The orders, requested by the Spanish football league LaLiga and its broadcaster Telefónica, were issued without a hearing for the VPN providers and allow no opportunity for appeal. Proton VPN and NordVPN say they were not notified of the proceedings and have questioned the lack of due process. NordVPN also criticized the method of blocking domains, telling Tom's Guide that this is "ultimately ineffective in combating piracy."
New phishing toolkit proxies live websites.
A new phishing framework called "Starkiller" (no relation to the legitimate red-teaming tool of the same name) represents a significant escalation in phishing infrastructure, according to researchers at Abnormal. The platform operates as a proxy that serves genuine login pages through attacker-controlled infrastructure.
The researchers note, "By proxying real websites live instead of serving static clones, it bypasses the primary detection mechanism most security tools rely on: page fingerprinting. Combined with URL masking, session hijacking, and MFA bypass, it gives low-skill cybercriminals access to attack capabilities that were previously out of reach."
Ransomware activity against the industrial sector surges.
A total of 119 ransomware groups targeted industrial organizations in 2025, a 49% increase over the 80 groups tracked in 2024, according to Dragos's OT Cybersecurity Year in Review for 2026. Dragos observed 3,300 industrial organizations hit by ransomware last year, with the manufacturing sector accounting for two-thirds of these attacks. The researchers note that the real number of attacks is likely much higher, since many are mislabeled as "IT incidents."
The researchers note, "During 2025, affiliates increasingly relied on credential logs sourced from infostealers, password reuse across OT and IT systems, cloud-synchronized identities, and compromised vendor accounts sold through IAB marketplaces. This approach allowed adversaries to bypass perimeter detections entirely by authenticating legitimately into VPN portals, remote desktop infrastructure, and cloud identity providers used across IT–OT boundaries."