Cyber (In)Security and Surveillance (12 February 2026)

(Pierluigi Paganini – Security Affairs) Bitdefender observed renewed LummaStealer activity, showing that the malware-as-a-service (MaaS) infostealer has recovered from the 2025 takedowns. Active since 2022, it relies on affiliates, social engineering, fake cracked software, and fake CAPTCHA “ClickFix” lures. CastleLoader plays a key role in spreading it, and shared infrastructure suggests coordination between the two operations. In May 2025, a US court order, together with Europol and Japan’s JC3, dismantled the Lumma Stealer operation, seizing 2,300 domains used for command-and-control along with its control panels, and blocking dark web markets offering the infostealer. Microsoft’s Digital Crimes Unit sinkholed over 1,300 domains to reroute victims to safe servers for analysis and cleanup. – LummaStealer activity spikes post-law enforcement disruption

(Pierluigi Paganini – Security Affairs) A data breach at business services provider Conduent has impacted at least 25 million people, far more than initially reported. Volvo Group North America confirmed that the breach exposed data of nearly 17,000 of its employees, making it one of several major companies affected by the large-scale incident. SecurityWeek reports that the breach now affects far more people than first thought: Texas sees 15 million impacted (up from 4 million), and over 10 million individuals in Oregon are also affected. In November 2025, the company confirmed that the January 2025 breach exposed the personal data of over 10 million people, including names, addresses, dates of birth, SSNs, and health and insurance information. – Volvo Group hit in massive Conduent data breach

(Pierluigi Paganini – Security Affairs) Researchers found a new ransomware, named Reynolds, that implements the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security tools and evade detection before encrypting systems. Broadcom’s cybersecurity researchers initially attributed the attack to Black Basta due to similar tactics, but further analysis confirmed the payload was Reynolds, a new ransomware family. The campaign stands out because it embeds the BYOVD component directly inside the ransomware: instead of deploying a separate tool to disable security software, Reynolds bundles the vulnerable NsecSoft driver within its payload. – Reynolds ransomware uses BYOVD to disable security before encryption

(Danny Palmer – Infosecurity Magazine) World Leaks, the cyber-criminal data extortion group which has targeted some of the world’s biggest companies, has added a novel, never-before-seen malware to its arsenal, research by Accenture Cybersecurity has revealed. Accenture has named the malware ‘RustyRocket’. It allows World Leaks to stealthily maintain persistence on networks and forms a key part of the extortion group’s attacks. “The sophisticated toolset is a critical component of World Leaks’ operations and has functioned entirely under the radar, enabling affiliates to stealthily exfiltrate data and proxy traffic across victim environments,” T. Ryan Whelan, MD and global head of Accenture cyber intelligence, said in a LinkedIn post which revealed the research. – World Leaks Ransomware Adds Custom Malware ‘RustyRocket’ to Attacks – Infosecurity Magazine

(Kevin Poireault – Infosecurity Magazine) Many government-backed cyber threat actors now use AI throughout the attack lifecycle, especially for reconnaissance and social engineering, a new Google study found. In a report published on February 12, ahead of the Munich Security Conference, Google Threat Intelligence Group (GTIG) and Google DeepMind shared new findings on how cybercriminals and nation-state groups used AI for malicious purposes during the last quarter of 2025. The researchers observed a wide range of AI misuse by advanced persistent threat (APT) groups, who used AI for tasks including coding and scripting, gathering information about potential targets, researching publicly known vulnerabilities, and enabling post-compromise activities. – Nation-State Hackers Embrace Gemini AI for Malicious Campaigns – Infosecurity Magazine

(Phil Muncaster – Infosecurity Magazine) The so-called “AI skills” used to scale and execute AI operations are dangerously exposed to data theft, sabotage and disruption, TrendAI has warned. The newly named business unit of Trend Micro explained in a report published this week that AI skills are artifacts combining human-readable text with instructions that large language models (LLMs) can read and execute. “AI skills encapsulate everything, from elements like human expertise, workflows, and operational constraints, to decision logic,” the report explained. “By capturing this knowledge into something executable, AI skills enable organizations to achieve scalability and knowledge transfer at previously unattainable levels.” – AI Skills Represent Dangerous New Attack Surface, Says TrendAI – Infosecurity Magazine

(Danny Palmer – Infosecurity Magazine) A North Korean hacking campaign is targeting financial technology and cryptocurrency firms with attacks that combine social engineering, deepfakes and macOS malware. The attacks have been detailed by Google Cloud’s Mandiant Threat Intelligence, which has attributed the campaign to UNC1069, a financially motivated threat group operating out of North Korea. The end goal of the attacks is to steal cryptocurrency. Researchers identified one campaign which began with a hijacked Telegram profile of a cryptocurrency executive whose account had previously been compromised. – North Korean Hackers Use Deepfake Video Calls to Target Crypto Firms – Infosecurity Magazine
