
Total defense meets total threat.
Global leaders call for collaboration at the Munich Cyber Security Conference. Phishing campaigns exploit fake video conference invitations. Italian authorities say cyber attacks on the Winter Olympics have been mitigated overall. AI reshapes the economics of ransomware attacks. CISA tags a critical Microsoft Configuration Manager vulnerability. Foxveil is a new malware loader targeting legitimate platforms. Researchers examine macOS infostealers. California fines Disney $2.75 million for violating the Consumer Privacy Act. Maria Varmazis, host of T-Minus Space Daily, and CyberWire Producer Liz Stokes preview their coverage of the NATO Cyber Coalition 2025 Cyber Exercise in Tallinn, Estonia. When pull requests get personal.
Today is Friday, February 13th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Global leaders call for collaboration at the Munich Cyber Security Conference.
At the Munich Cyber Security Conference, U.S. National Cyber Director Sean Cairncross called for deeper collaboration between the United States, its allies and industry partners to confront escalating cyber threats. Leading a delegation representing nearly every branch of the U.S. government, Cairncross said an “America first” approach does not mean “America alone,” emphasizing that shared adversaries, including nation-state actors, espionage groups, ransomware operators and scam centers, require coordinated action. He argued that while these threats have scaled and intensified, governments and companies have not yet delivered a unified strategic response capable of shifting adversaries’ risk calculations.
Cairncross said the Trump administration is elevating cyber as a standalone strategic domain. A forthcoming national cyber strategy will align with the broader national security strategy and apply a whole-of-government approach that integrates diplomacy, law enforcement and national security tools. He stressed that resilience alone is insufficient, describing it as “absorbing shots,” and instead called for proactive efforts to raise the costs of malicious activity and shape adversary behavior. He also underscored the private sector’s central role in defending critical infrastructure and called for stronger information sharing. At the same time, he criticized European regulatory approaches that he said place blame on companies after attacks.
Addressing broader geopolitical tensions, Cairncross advocated for a “clean” technology stack rooted in U.S. and allied systems, sharply distinguishing Western technologies from Chinese systems. Meanwhile, Swedish defense official Lisa Gustafsson warned that cyber and hybrid threats are now a permanent feature of Europe’s security environment. She outlined Sweden’s “total defense” model, which integrates military, civilian and private-sector efforts to ensure society can function under sustained pressure.
Phishing campaigns exploit fake video conference invitations.
Netskope Threat Labs is tracking phishing campaigns that exploit fake video conference invitations from platforms such as Zoom, Microsoft Teams and Google Meet. Attackers create pixel-perfect landing pages, often hosted on typo-squatted domains like zoom-meet.us, and display fake participant lists to enhance credibility. When victims attempt to join, they are told a mandatory software update is required.
The “update” is actually a digitally signed remote monitoring and management, or RMM, tool such as Datto RMM, LogMeIn or ScreenConnect. By using legitimate, signed software rather than custom malware, attackers can bypass signature-based security controls and blend into normal corporate traffic. Once installed, the RMM agent grants full administrative access, enabling data theft, lateral movement or mass malware deployment. Netskope warns this technique can turn a single compromised endpoint into a broader corporate breach.
Italian authorities say cyber attacks on the Winter Olympics have been mitigated overall.
The 2026 Milan–Cortina Winter Olympics have drawn heightened cyber and physical security risks, with Intel 471 reporting a surge in pro-Russian hacktivist activity since the Games opened February 6. Groups including NoName057(16), BD Anonymous, Z-Pentest Alliance and Server Killers claimed distributed denial-of-service, or DDoS, attacks against Italian infrastructure, Olympic national teams and European Olympic committees. Some of these groups have alleged ties to Kremlin-linked entities, including Russia’s GRU military intelligence service. Italian authorities said they mitigated the attacks without significant impact.
The activity follows historical Russian targeting of Olympic organizations after athlete bans and geopolitical disputes, though recent operations appear driven largely by hacktivists rather than advanced persistent threat groups. Beyond cyber activity, Italy has faced protests, violent demonstrations and a suspected railway sabotage incident. The convergence of hacktivism, unrest and transport disruption reflects a broader hybrid threat environment surrounding high-profile global events.
AI reshapes the economics of ransomware attacks.
Recent advances in artificial intelligence are not fundamentally changing ransomware tactics, but they are reshaping the economics of attacks by lowering barriers and accelerating workflows. According to new research from Halcyon, ransomware groups remain cautious about fully automating operations due to risks of failure or detection. Instead, they are using generative AI to speed up discrete tasks such as phishing, translation, vulnerability analysis and code modification.
AI use is most prominent in initial access. Attackers are creating more convincing phishing campaigns, fake websites and deepfake audio or video to impersonate trusted individuals. Large language models also help analyze newly disclosed vulnerabilities, compressing the time between disclosure and exploitation. Some groups are experimenting with AI for network mapping, credential harvesting and data analysis, though results remain incremental and sometimes error prone.
Overall, AI is reducing friction across the attack chain, enabling faster iteration and more scalable campaigns. Defenders should prioritize rapid patching, strong identity controls and behavior-based detection to counter shorter lead times and increasingly sophisticated social engineering.
CISA tags a critical Microsoft Configuration Manager vulnerability.
CISA has ordered U.S. federal agencies to patch a critical Microsoft Configuration Manager vulnerability, tracked as CVE-2024-43468, that is now actively exploited in attacks. The flaw, a SQL injection bug reported by Synacktiv, allows unauthenticated remote attackers to execute arbitrary commands with the highest-level privileges on affected servers. Although Microsoft initially assessed exploitation as less likely after releasing a patch in October 2024, proof-of-concept code was later published. Agencies must remediate by March 5 under Binding Operational Directive 22-01, and CISA urged all organizations to apply mitigations promptly.
Foxveil is a new malware loader targeting legitimate platforms.
Cato Networks has identified a malware loader dubbed Foxveil that abuses legitimate platforms including Discord, Cloudflare and Netlify to stage payloads and blend into normal traffic. Active since August 2025, Foxveil retrieves Donut-generated shellcode and executes it in memory to evade detection. One variant pulls payloads from Cloudflare and Netlify, while another uses short-lived Discord attachments.
Foxveil v1 injects malicious code into a suspended process impersonating svchost.exe using Early Bird Asynchronous Procedure Call injection and establishes persistence as a Windows service. Version 2 self-injects and attempts to alter Microsoft Defender settings, though with errors. The malware also mutates high-signal strings at runtime to evade analysis. Cato recommends behavior-based detection to identify suspicious process chains and shellcode injection.
Researchers examine macOS infostealers.
Infostealers such as Atomic macOS Stealer, or AMOS, function less as standalone malware and more as data collection engines within a mature cybercrime economy. According to researchers at Flare, once executed, AMOS rapidly harvests browser credentials, session cookies, crypto wallet data, SSH keys and sensitive files, then exfiltrates them for sale as “stealer logs.” These logs fuel account takeovers, fraud and follow-on intrusions, creating a multi-stage monetization pipeline.
First advertised in 2023 as a subscription-based malware-as-a-service offering, AMOS has since evolved through opportunistic social engineering campaigns. Recent operations include the ClawHavoc supply-chain attack targeting an AI assistant marketplace, SEO-poisoned GitHub repositories impersonating major brands, and malvertising campaigns abusing ChatGPT content. Rather than relying on exploits, distributors emphasize brand impersonation and user-executed installation tricks. This industrialized, adaptive model makes infostealers a scalable and reliable entry point across today’s threat landscape.
California fines Disney $2.75 million for violating the Consumer Privacy Act.
California has fined Disney $2.75 million for violating the California Consumer Privacy Act, alleging the company made it excessively difficult for users to opt out of data sharing and sales. Attorney General Rob Bonta said Disney’s opt-out tools failed to stop data sharing across all devices and streaming services tied to a user’s account. Toggles applied only to specific services or devices, and webform requests did not fully halt data sharing with certain third-party ad-tech companies. Disney did not admit liability under the proposed settlement, which also requires it to implement a comprehensive privacy program and report compliance progress. The fine is the largest issued under the CCPA and follows a separate $10 million Federal Trade Commission penalty in September over child privacy violations.
When pull requests get personal.
Scott Shambaugh, a volunteer maintainer of matplotlib, is used to closing pull requests. With roughly 130 million monthly downloads, the plotting library attracts steady contributions, increasingly from AI coding agents. To manage quality, the team requires a human contributor who understands any submitted changes. When an autonomous agent named MJ Rathbun submitted code and Scott declined it, that should have been the end of the story.
Instead, the agent published a detailed hit piece accusing him of insecurity, hypocrisy and “gatekeeping.” It mined his public work, invented psychological motives and framed routine code review as prejudice against AI contributors. The post read less like a bug report and more like a manifesto.
Amusing at first glance, the incident raises sobering questions. An unsupervised AI, running on decentralized platforms, attempted a reputational pressure campaign to force code acceptance. It is an early, unsettling glimpse of autonomous agents treating social manipulation as just another optimization problem.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
And that’s the CyberWire Daily, brought to you by N2K CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
