16th February – Threat Intelligence Report

16TH FEBRUARY – THREAT INTELLIGENCE REPORT February 16, 2026 For the latest discoveries in cyber research for the week of 16th February, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Dutch telecom provider Odido was hit by a data breach following unauthorized access to its customer management system. Attackers extracted personal data of 6.2 million customers, including names, addresses, phone numbers, email addresses, bank account details, dates of birth, and passport or ID numbers. BridgePay Network Solutions, a US payment gateway, has confirmed a ransomware attack that forced it to take core systems offline. The outage disrupted portals for municipalities and merchants nationwide, though initial findings indicate no payment card data exposure and accessed files were encrypted. No ransomware group claimed responsibility for the attack. Flickr, a photo sharing platform, has experienced a security incident at a third-party email service provider on February 5. The exposure may include names, usernames, email addresses, IP addresses, location data, and more. Passwords and payment card numbers were not affected. ApolloMD, a US physician and practice management services firm, has disclosed a breach impacting 626,000 individuals. The incident occurred during May 2025, while the attackers accessed patient information from affiliated practices, exposing data such as names, addresses, and medical details. AI THREATS Google has released an analysis of adversarial AI misuse, detailing model extraction “distillation” attacks, AI-augmented phishing, and malware experimentation in late 2025. The report identified attempts to coerce disclosure of internal reasoning, AI-assisted reconnaissance by DPRK, PRC, Iranian, and Russian actors, and AI-integrated malware such as HONESTCUE leveraging Gemini’s API for second-stage payload generation. Researchers have investigated a UNC1069 intrusion targeting a cryptocurrency FinTech through AI-enabled social engineering and a fake Zoom ClickFix lure. The attack deployed seven malware families enabling TCC bypass, credential and browser data theft, keystroke logging, and C2 communications over RC4-encrypted configurations. Check Point Threat Emulation provides protection against this threat (Trojan.Wins.SugarLoader) Researchers have detailed the abuse of AI website builders to clone major brands for phishing and fraud. They analyzed a Malwarebytes lookalike site created using Vercel’s v0 tool, which replicated branding and integrated opaque PayPal payment flows. The domain leveraged SEO poisoning and spam links, with registration data indicating links to India. VULNERABILITIES AND PATCHES Microsoft has released its February 2026 Patch Tuesday updates. The release addresses 58 vulnerabilities, including six zero days under active exploitation, among them CVE-2026-21510, a Windows Shell Security Feature Bypass vulnerability that can be triggered by opening a specially crafted link or shortcut file. Successful exploitation requires convincing a user to open a malicious link or shortcut file. Google has patched 11 vulnerabilities in Chrome 145 for Windows, macOS, and Linux, including CVE-2026-2313, a use-after-free vulnerability in CSS. This high-severity flaw could allow remote code execution. Two additional high severity bugs in Codecs (CVE-2026-2314) and WebGPU (CVE-2026-2315) also enable code execution. BeyondTrust has addressed CVE-2026-1731, a CVSS 9.9 pre-authentication remote code execution flaw in Remote Support and older Privileged Remote Access versions. Shortly after a proof of concept was published, threat actors began exploiting exposed instances, prompting urgent upgrades for self-hosted deployments. Check Point IPS provides protection against this threat (BeyondTrust Multiple Products Command Injection (CVE-2026-1731)) THREAT INTELLIGENCE REPORTS Check Point Research analyzed global cyber-attacks in January averaging 2,090 per organization per week, up 3% from December and 17% year over year. Education remained the most targeted sector with 4,364 attacks per organization, ransomware recorded 678 incidents with 52% in North America, and 1 in 30 GenAI prompts posed high data leak risk. Check Point Research identified a sharp increase in Valentine-themed phishing websites, fraudulent stores, and fake dating platforms designed to steal personal data and payment information. Valentine-related domain registrations rose 44% in January 2026, with 97.5% unclassified, while 710 Tinder-impersonating domains were detected. A Phorpiex-driven phishing campaign has been observed delivering Global Group ransomware via ZIP attachments with double-extension LNK files, using CMD and PowerShell to execute the payload. The ransomware runs offline with locally generated ChaCha20-Poly1305 keys, deletes shadow copies and itself, and terminates analysis and database processes. Researchers have analyzed the latest GuLoader (aka CloudEye) downloader, which delivers Remcos, Vidar, and Raccoon, and now evades detection by leveraging encrypted payloads hosted on Google Drive and OneDrive. The malware uses polymorphic code to generate constants via XOR and ADD/SUB operations, along with anti-analysis techniques such as sandbox checks and exception handlers. Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Trojan.Wins.GuLoader; InfoStealer.Win.GuLoader; Dropper.Wins.GuLoader.ta.*; Dropper.Win.CloudEyE; RAT.Wins.Remcos; InfoStealer.Win.Vidar; InfoStealer.Win.Raccoon; InfoStealer.Wins.Raccoon) GO UP BACK TO ALL POSTS POPULAR POSTS CHECK POINT RESEARCH PUBLICATIONS GLOBAL CYBER ATTACK REPORTS THREAT RESEARCH “The Turkish Rat” Evolved Adwind in a Massive Ongoing Phishing Campaign CHECK POINT RESEARCH PUBLICATIONS GLOBAL CYBER ATTACK REPORTS SECURITY REPORT THREAT RESEARCH 2024’s Cyber Battleground Unveiled: Escalating Ransomware Epidemic, the Evolution of Cyber Warfare Tactics and strategic use of AI in defense – Insights from Check Point’s Latest Security Report GLOBAL CYBER ATTACK REPORTS 8th May – Threat Intelligence Report BLOGS AND PUBLICATIONS CHECK POINT RESEARCH PUBLICATIONS GLOBAL CYBER ATTACK REPORTS THREAT RESEARCH January 22, 2020 THE 2020 CYBER SECURITY REPORT GLOBAL CYBER ATTACK REPORTS December 15, 2021 STEALTHLOADER MALWARE LEVERAGING LOG4SHELL CHECK POINT RESEARCH PUBLICATIONS GLOBAL CYBER ATTACK REPORTS THREAT RESEARCH February 17, 2020 “THE TURKISH RAT” EVOLVED ADWIND IN A MASSIVE ONGOING PHISHING CAMPAIGN CHECK POINT RESEARCH PUBLICATIONS GLOBAL CYBER ATTACK REPORTS THREAT RESEARCH January 22, 2020 THE 2020 CYBER SECURITY REPORT GLOBAL CYBER ATTACK REPORTS December 15, 2021 STEALTHLOADER MALWARE LEVERAGING LOG4SHELL CHECK POINT RESEARCH PUBLICATIONS GLOBAL CYBER ATTACK REPORTS THREAT RESEARCH February 17, 2020 “THE TURKISH RAT” EVOLVED ADWIND IN A MASSIVE ONGOING PHISHING CAMPAIGN CHECK POINT RESEARCH PUBLICATIONS GLOBAL CYBER ATTACK REPORTS THREAT RESEARCH January 22, 2020 THE 2020 CYBER SECURITY REPORT 123 This website uses cookies in order to optimize your user experience as well as for advertising and analytics.  For further information, please read our Privacy Policy and ourCookie Notice. 404 Not Found nginx When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer. More information Allow All Manage Consent Preferences Functional Cookies Functional Cookies These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly. Strictly Necessary Cookies Always Active These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information. Performance Cookies Performance Cookies These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance. Targeting Cookies Targeting Cookies These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising. Performance Cookies Clear checkbox label label Apply Cancel Consent Leg.Interest checkbox label label checkbox label label checkbox label label Reject All Confirm My Choices