
Facing a slow-burn confrontation.
Dutch authorities warn Russia is escalating hybrid operations across Europe. Ransomware shuts down the University of Mississippi Medical Center. PayPal notifies customers of a data breach. The FBI says ATM jackpotting is on the rise. An FBI confidential informant had a hand in online fentanyl sales. TrustConnect malware masquerades as a legitimate remote monitoring and management tool. Researchers uncover the first Android malware to integrate generative AI. A critical zero-day hits Grandstream VoIP phones. The IRS slashes IT staff and technology executives. Our guest is James Turgal, a 22-year FBI vet and VP of global cyber risk and board relations at Optiv, discussing the latest wave of tax scams and IRS fraud. DOGE dudes deliver DEI deathblows.
Today is Friday February 20th 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Dutch authorities warn Russia is escalating hybrid operations across Europe.
Russia is escalating hybrid operations across Europe as it prepares for a prolonged confrontation with the West, according to a new joint assessment from the Netherlands’ General Intelligence and Security Service and Military Intelligence and Security Service.
The Dutch agencies report a sharp rise since late 2023 in cyberattacks, sabotage, disinformation, espionage and covert political influence designed to remain below the threshold of open war. While a direct Russia-NATO conflict remains unlikely, it is no longer unthinkable, they warn. The Netherlands has faced distributed denial-of-service attacks, espionage targeting police systems and activity probing critical infrastructure. Moscow is also mapping seabed infrastructure and relying more on low-level agents recruited online. Dutch officials say Russia’s risk tolerance has increased, and the campaign is likely to continue in waves.
The report urges stronger national resilience and closer public-private cooperation to counter a sustained, asymmetric threat.
Ransomware shuts down the University of Mississippi Medical Center.
A ransomware attack struck the University of Mississippi Medical Center on Thursday, shutting down its IT network, electronic medical records system, and clinics statewide.
University leaders confirmed the attack forced widespread cancellations of appointments and elective surgeries, with emergency services continuing under downtime protocols. The electronic medical records platform, EPIC, was among the affected systems. Mississippi MED-COM, which coordinates hospital transfers, was also disrupted but continues operating through redundancies. An FBI official said it is too early to identify the ransomware variant or origin. The full scope of potential data exposure remains unclear. Patients reported canceled procedures, including chemotherapy, and difficulty contacting providers.
Experts warn ransomware can significantly worsen patient outcomes and prolong disruptions for weeks or months. Hospital leadership said reducing clinical volume is necessary to stabilize operations while the investigation continues.
PayPal notifies customers of a data breach.
PayPal is notifying customers after a software error in its PayPal Working Capital loan application exposed sensitive data for nearly six months in 2025.
The company says names, contact details, Social Security numbers, and dates of birth were accessible from July 1 to December 13, before the issue was discovered and fixed. A small number of accounts saw unauthorized transactions, which PayPal says have been refunded. The company reset affected passwords and is offering two years of credit monitoring through Equifax. PayPal has not disclosed how many customers were impacted.
The FBI says ATM jackpotting is on the rise.
The FBI says Americans lost more than 20 million dollars last year in a sharp rise in ATM jackpotting attacks.
In a recent flash alert, the bureau reported more than 700 incidents in 2025 alone, compared to about 1,900 total since 2020. These attacks use malware such as Ploutus to bypass bank authorization by exploiting the eXtensions for Financial Services, or XFS, software layer inside ATMs. Criminals typically gain physical access with generic keys, install the malware on the machine’s hard drive, and trigger cash withdrawals without a card or account. The FBI advises financial institutions to audit for unauthorized storage use and suspicious processes. The warning follows Justice Department charges against 87 alleged Tren de Aragua members tied to jackpotting schemes.
An FBI confidential informant had a hand in online fentanyl sales.
In a Manhattan courtroom, Arkansas doctor David Churchill described discovering his 27-year-old son Reed dead from fentanyl-laced pills purchased on the dark web marketplace Incognito. The site’s administrator, 25-year-old Lin Rui-Siang of Taiwan, was sentenced to 30 years in prison for running the platform, which facilitated more than $100 million in drug sales before shutting down in 2024.
At sentencing, Lin’s defense revealed that an FBI confidential informant had helped moderate the marketplace for nearly two years, according to Wired. Court filings allege the informant had authority to remove fentanyl sellers but at times allowed flagged vendors to continue operating. Prosecutors argued the informant acted as Lin’s subordinate and that Lin knowingly enabled opioid sales. The judge expressed skepticism about the FBI’s prolonged involvement but ruled that any government role did not diminish Lin’s responsibility. Lin has filed an appeal.
TrustConnect malware masquerades as a legitimate remote monitoring and management tool.
Proofpoint has identified a new malware-as-a-service platform called TrustConnect that masquerades as a legitimate remote monitoring and management tool. The service, advertised at $300 per month, operates through a fake business website that doubles as its command-and-control server and customer portal. Threat actors distributed the signed malware in late January 2026 using lures such as meeting invites and tax documents, often alongside legitimate remote access tools like ScreenConnect and LogMeIn. TrustConnect provides a web-based dashboard for managing infected devices, executing commands, and deploying additional payloads. Proofpoint coordinated disruption of its infrastructure and revoked a fraudulently obtained Extended Validation certificate used to sign the malware. The operator has since pivoted to new infrastructure promoting a similar tool called DocConnect. Researchers assess with moderate confidence that the actor was previously linked to Redline stealer activity.
Researchers uncover the first Android malware to integrate generative AI.
Researchers at ESET have identified what they say is the first Android malware to integrate generative AI directly into its execution flow.
The malware, dubbed PromptSpy, abuses Google’s Gemini model to adapt how it maintains persistence across different Android devices. Because app pinning methods vary by manufacturer, PromptSpy sends Gemini an XML dump of the screen and receives JSON instructions on how to lock itself in the recent apps list. It then executes those steps using Android’s Accessibility Service in a feedback loop until persistence is achieved. Beyond this AI-driven feature, the malware functions as spyware, enabling remote screen control, credential interception, screenshots, and app monitoring. Although distribution appears limited and may be proof-of-concept, researchers say it demonstrates how generative AI can dynamically guide malware behavior in real time.
A critical zero-day hits Grandstream VoIP phones.
Rapid7 Labs has disclosed a critical zero-day vulnerability, CVE-2026-2329, affecting all Grandstream GXP1600 series VoIP phones.
The flaw is an unauthenticated stack-based buffer overflow in the devices’ web-based API service, accessible in default configurations. With a CVSS score of 9.3, it allows remote code execution with root privileges. Rapid7 demonstrated exploitation using a Metasploit module, showing attackers could extract stored credentials and potentially reconfigure devices to route calls through a malicious SIP proxy. Grandstream has released firmware version 1.0.7.81 to remediate the issue.
The IRS slashes IT staff and technology executives.
The IRS has lost 40 percent of its IT staff and nearly 80 percent of its technology executives, marking its largest tech reorganization in 20 years.
Speaking at an Association of Government Accountants panel, IRS CIO Kaschit Pandya said the cuts followed broader federal workforce reductions in 2025, when the agency lost a quarter of its overall staff. The IT division began the year with roughly 8,500 employees. About 1,000 technologists were reassigned to frontline tax season support, a move that drew internal criticism. Pandya said the shakeup aims to break down silos and create cross-functional teams focused on end-to-end delivery. However, the Treasury Inspector General warned that IT staffing losses could jeopardize implementation of tax law changes for the 2026 filing season. AI is expected to support remaining staff.
DOGE dudes deliver DEI deathblows.
In a newly amended complaint, the Authors Guild alleges that federal humanities grants were terminated not through policy review, but by a pair of DOGE appointees armed with a keyword list and ChatGPT.
According to the filing, Nate Cavanaugh and Justin Fox flagged National Endowment for the Humanities grants by prompting ChatGPT to determine, in under 120 characters, whether a project “relate[d] at all to DEI.” Fox reportedly fed in short descriptions and accepted the chatbot’s verdicts without defining what “DEI” meant. Grants mentioning terms like “LGBTQ,” “tribal,” or “Black” landed on cancellation lists labeled “Craziest Grants” or “Other Bad Grants.” None so identified were moved to “keep,” unless tied to favored initiatives.
Termination emails were then sent from a private server, bearing the acting director’s name, though he later said he neither selected the grants nor drafted the letters. Efficiency, it seems, came with a chatbot and a grudge list.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth.
Alice has been a steady, generous force at N2K CyberWire, someone whose fingerprints are all over the quality and care our work is known for. As a senior producer, she’s been instrumental in shaping T-Minus, bringing clarity, rigor, and calm to a fast-moving beat, while also lending her sharp instincts and production wisdom across the cyber side of the house. She made hard things look easy, and she did it with grace.
More than that, Alice has been a trusted teammate: thoughtful, collaborative, and always focused on making the work, and the people doing it, better. Today is her last day with us here at N2K CyberWire. We’re thrilled for her as she steps into a true dream job, even as we’ll miss her deeply here. Alice, thank you for everything you’ve given this team. We’re cheering you on as you take on new challenges and can’t wait to see what you do next.
Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
