Friday, March 13 2026
DFM News Roundup
Digital Forensics Magazine — 48h News Roundup
Window: 16-02-2026 11:00 to 18-02-2026 11:00 (UTC)

Snapshot Summary

Sector / Section             Headline Highlights                                                 Count
---------------------------  ------------------------------------------------------------------  -----
DFIR & Incident Response     HTA-to-PowerShell chain decoded; IR trends                              2
Cyber Investigations         Court data offshore access; Predator spyware victim                     2
Major Cyber Incidents        YouX leak claim; Conduent disruption; Abu Dhabi ID docs                 3
Exploits & Threat Intel      Dell RecoverPoint 0day; Chrome KEV; OT advisory                         3
Law Enforcement              Phobos arrest; Spoof insurance apps; Tech-support fraud                 3
Policy                       UK cyber hygiene push; Temu probe; Vehicle sensor bans                  3
Standards & Compliance       ENISA exercise method; Court-backed cyber governance                    2
Consumer App Data Leaks      Canada Goose leak; Adidas Extranet claim; Eurail data sale              3

Digital Forensics & Incident Response

HTA-to-PowerShell chain ends in DLL payload
A SANS Internet Storm Center analyst dissected a multi-stage HTA-to-PowerShell infection chain, documenting the deobfuscation steps and the infrastructure used to fetch follow-on payloads. [AMER] The diary is DFIR-ready tradecraft, helping responders spot similar lures, extract network and host indicators quickly, and tune proxy, EDR, DNS, and email controls before the technique scales across larger campaigns. (Source: SANS ISC, 18-02-2026)

Unit 42 publishes 2026 Global Incident Response Report
Palo Alto Networks Unit 42 released its 2026 Global Incident Response Report, analysing 750 investigations across 50 countries and attributing most breaches to basic security gaps and misconfigurations. [AMER] The data strengthens the case for hardening identity, cloud and third-party exposure, because attackers are compressing the lifecycle and converting small control failures into rapid, high-impact extortion and data theft. (Source: Palo Alto Networks, 17-02-2026)

Cyber Investigations

Court transcript subcontracting exposes offshore access risk
An ABC investigation found that a court transcription provider subcontracted work to an India-based firm, resulting in sensitive Australian Federal Court files being accessed offshore in breach of contractual terms. [APAC] The case highlights supply-chain and data-sovereignty risks in justice systems, and it will likely drive stronger oversight, audit logging, and contractual controls for transcription, eDiscovery, and other outsourced casework services. (Source: ABC News, 17-02-2026)

Amnesty documents Predator spyware infection in Angola
Amnesty International reported that an Angolan journalist’s phone was briefly infected with Intellexa’s Predator spyware, adding another documented victim to the commercial surveillance ecosystem. [AFR/EMEA] Confirmed infections provide investigators with forensic IOCs and legal context to pursue attribution and procurement trails, while reinforcing why journalists, civil society, and governments need stronger controls, export enforcement, and transparency around spyware deployment. (Source: Reuters, 18-02-2026)

Major Cyber Incidents

YouX breach claim escalates after dataset release
Australian fintech YouX reported that a threat actor released a large dataset after claiming access to hundreds of thousands of customers’ loan files, identity documents, and personal information. [APAC] Large-scale identity exposure typically triggers secondary fraud waves, so organisations should monitor for credential stuffing and synthetic-identity abuse, while affected individuals should prioritise account hardening, credit monitoring, and scam awareness. (Source: 9News Australia, 18-02-2026)

Conduent incident triggers wider downstream disruption
Business services provider Conduent disclosed that a security incident is having wider downstream impact, as its back-office and document-processing services touch multiple organisations and public-sector workflows. [AMER] Third-party concentration risk means one compromise can cascade into many notification and operational failures, so customers should validate segmentation, access logs, and data-sharing scope, and treat vendor incidents as active response triggers, not passive advisories. (Source: Security Magazine, 18-02-2026)

Abu Dhabi Finance Week attendee documents exposed online
A Reuters report cited the Financial Times saying passport scans and other identity documents for more than 700 attendees of Abu Dhabi Finance Week were exposed online via an unsecured cloud server linked to a third-party vendor. [EMEA] Identity-document leakage enables targeted fraud and high-grade social engineering, and it underlines why event organisers must apply vendor risk management, least-privilege access, and continuous cloud exposure monitoring for temporary data stores. (Source: Reuters, 17-02-2026)

Exploits & Threat Intelligence

China-linked actor exploited Dell RecoverPoint zero-day
Google’s Threat Intelligence Group and Mandiant reported that a China-linked actor exploited a zero-day in Dell RecoverPoint for Virtual Machines for roughly 18 months, using the foothold to persist inside targeted networks. [AMER] Long-lived exploitation of niche enterprise components is hard to detect, so defenders should inventory RecoverPoint deployments, prioritise patching and credential rotation, and hunt for lateral movement and abnormal management traffic associated with backup and recovery tooling. (Source: CyberScoop, 17-02-2026)

CISA flags exploited Chrome vulnerability in KEV catalog
CISA added Google Chrome’s CVE-2026-1731 to its Known Exploited Vulnerabilities catalog, indicating active exploitation and setting a remediation deadline for U.S. federal civilian agencies. [AMER] KEV additions are a high-signal prioritisation cue for everyone, so organisations should patch immediately, verify browser update compliance at scale, and monitor for post-exploitation artefacts that often follow drive-by compromise chains, especially where unmanaged endpoints exist. (Source: CISA, 17-02-2026)
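One way to turn a KEV addition into the "verify update compliance at scale" step above is to cross-check an endpoint inventory against the catalog entry and the vendor's first fixed build. The script below is an added illustration, not code from the page, from CISA or from Google: the record's field names follow the public CISA KEV JSON feed, but apart from the CVE id and the date it was added, the values (due date, product label, the fixed Chrome version and the host inventory) are constructed placeholders that must be replaced with the real catalog entry, release notes and MDM/EDR export.

```python
import json
from datetime import date

# Constructed KEV-style record (not the real catalog entry). Field names
# follow the public CISA KEV JSON feed; only the CVE id and dateAdded come
# from the news item, the dueDate and product label are placeholders.
KEV_JSON = """{
  "vulnerabilities": [
    {
      "cveID": "CVE-2026-1731",
      "vendorProject": "Google",
      "product": "Chrome",
      "vulnerabilityName": "PLACEHOLDER - take from the catalog entry",
      "dateAdded": "2026-02-17",
      "dueDate": "2026-03-10",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}"""

# Hypothetical mapping from KEV entry to the first fixed build; the real
# value must be taken from the vendor's release notes.
FIXED_VERSIONS = {"CVE-2026-1731": ("Chrome", "144.0.0.0")}

# Constructed endpoint inventory, e.g. an export from the MDM or EDR console.
INVENTORY = [
    {"host": "ws-001", "product": "Chrome", "version": "143.0.7499.10"},
    {"host": "ws-002", "product": "Chrome", "version": "144.0.0.0"},
    {"host": "ws-003", "product": "Chrome", "version": "144.0.1.0"},
    {"host": "srv-01", "product": "Firefox", "version": "135.0"},
    {"host": "ws-004", "product": "Chrome", "version": "unknown"},
]


def parse_version(text):
    """Turn '143.0.7499.10' into (143, 0, 7499, 10); None if unparseable."""
    try:
        return tuple(int(p) for p in text.split("."))
    except ValueError:
        return None


def load_kev(text):
    """Index a KEV JSON document by CVE id."""
    return {e["cveID"]: e for e in json.loads(text)["vulnerabilities"]}


def check_inventory(inventory, kev, fixed_versions, today_iso):
    """Return hosts still below the fixed build, soonest KEV due date first.

    Hosts whose version cannot be parsed are reported too: an unknown
    version is not evidence of compliance and needs a manual check.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for cve_id, entry in kev.items():
        if cve_id not in fixed_versions:
            continue  # no fixed build known yet; nothing to compare against
        product, fixed = fixed_versions[cve_id]
        fixed_tuple = parse_version(fixed)
        due = date.fromisoformat(entry["dueDate"])
        for item in inventory:
            if item["product"] != product:
                continue
            ver = parse_version(item["version"])
            if ver is None or ver < fixed_tuple:
                findings.append({
                    "host": item["host"],
                    "cve": cve_id,
                    "version": item["version"],
                    "reason": "unparseable version" if ver is None else "below fixed build",
                    "days_to_due": (due - today).days,
                })
    # Tightest deadline first, then by host name for a stable report.
    findings.sort(key=lambda f: (f["days_to_due"], f["host"]))
    return findings


def demo_report(today_iso="2026-02-18"):
    """Run the check over the constructed data as of the roundup window."""
    return check_inventory(INVENTORY, load_kev(KEV_JSON), FIXED_VERSIONS, today_iso)


if __name__ == "__main__":
    for f in demo_report():
        print(f"{f['host']}: {f['cve']} ({f['reason']}, version {f['version']}), "
              f"{f['days_to_due']} days to KEV due date")
```

Version strings are compared as integer tuples rather than as text, so "143.0.7499.10" correctly sorts below "144.0.0.0"; with the constructed data the report flags ws-001 as below the fixed build and ws-004 as unparseable, with the patched hosts and the non-Chrome server omitted.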

CISA issues ICS advisory for Delta Electronics ASDA-Soft
CISA issued an ICS advisory for Delta Electronics ASDA-Soft, summarising vulnerabilities and mitigations relevant to industrial environments where the software is deployed for drive configuration and control. [AMER] OT patching often lags, so actionable advisories help defenders plan compensating controls, restrict engineering-station access, and coordinate vendor updates without disrupting production, reducing the chance that IT-origin intrusions pivot into safety and availability impacts. (Source: CISA, 18-02-2026)

Law Enforcement

Phobos ransomware suspect arrested in Poland
Polish cybercrime police arrested a 47-year-old suspect linked to the Phobos ransomware operation, seizing devices that reportedly contained stolen credentials and access data used to support intrusions. [EMEA] Ransomware affiliate arrests disrupt the access-broker layer, and the seized artefacts can feed victim notification, infrastructure takedowns, and new detection signatures that help defenders block the same initial-access paths. (Source: BleepingComputer, 17-02-2026)

Five arrested over spoof motor insurance apps
City of London Police and IFED arrested five people in a crackdown on spoof motor insurance apps, warning that tens of thousands of motorists may have been affected by counterfeit cover tools. [EMEA] Fraud ecosystems increasingly rely on malicious mobile distribution and identity laundering, so the case is a reminder to verify app provenance, harden KYC processes, and treat financial-app telemetry as a key investigative lead in wider cyber-enabled crime. (Source: City of London Police, 17-02-2026)

DoJ: sentences in international tech-support fraud scheme
U.S. prosecutors said three men were sentenced for an international technical support fraud scheme, describing how victims were pressured into paying for bogus repairs and services after being directed to fake support channels. [AMER] The sentencing reinforces a common investigative pattern, where call-centre style operations blend social engineering, remote access tooling, and payment laundering, so defenders should prioritise user education, block known scam domains, and preserve remote-session artefacts for reporting. (Source: U.S. Department of Justice, 18-02-2026)

Policy

UK launches “lock the door” cyber campaign for business
The UK government and NCSC launched a “lock the door” campaign urging organisations to adopt baseline cyber hygiene, promoting Cyber Essentials and practical steps to reduce common online threats. [EMEA] Policy-led awareness drives matter because SMEs remain high-volume targets, and even modest uptake of MFA, patching discipline, and secure configuration can reduce insurance losses and incident-response demand at national scale. (Source: GOV.UK, 17-02-2026)

Nigeria opens probe into Temu over suspected data-law breaches
Nigeria’s Data Protection Commission opened a probe into Temu over suspected breaches of national data protection requirements, citing concerns around transparency, cross-border transfers, and data-minimisation practices. [AFR] Regulatory investigations can quickly become operational risk, as enforcement actions may force changes to app telemetry, third-party sharing, and hosting arrangements, and they signal that consumer-platform compliance scrutiny is tightening globally. (Source: Reuters, 17-02-2026)

Poland restricts Chinese-made cars from military sites
Poland barred Chinese-made vehicles from military sites, warning that onboard sensors and connectivity could enable sensitive data collection, and also restricted connecting official phones to vehicle infotainment systems. [EMEA] This reflects a growing policy trend of treating modern vehicles as rolling IoT platforms, and it will influence procurement, fleet management, and security architecture for defence and critical infrastructure organisations. (Source: Reuters, 18-02-2026)

Standards & Compliance

ENISA releases Cybersecurity Exercise Methodology
ENISA published an updated methodology for cyber exercises, outlining how organisations can design scenarios, measure performance, and improve coordination across technical and leadership teams. [EMEA] Repeatable exercise standards help incident response mature from ad-hoc playbooks to tested capabilities, enabling comparable lessons learned across sectors and supporting audit and assurance requirements that increasingly expect evidence of operational readiness. (Source: ENISA, 18-02-2026)

Federal Court warning on cybersecurity underinvestment
An Australian legal analysis highlighted Federal Court reasoning in an ASIC case against FIIG Securities, signalling that underinvestment in cybersecurity controls can translate into regulatory and licence risk for financial services firms. [APAC] Court-backed expectations raise the bar for governance, risk assessment, and security resourcing, and they provide compliance teams with concrete precedent to justify uplift programmes, logging, and third-party oversight. (Source: MinterEllison, 16-02-2026)

Consumer App Data Leaks

Canada Goose confirms customer data leak
Canada Goose confirmed a customer data leak affecting roughly 600,000 people, with the ShinyHunters group claiming responsibility and the company suggesting the dataset may relate to historical transactions rather than a live compromise of its own systems. [AMER] Even “legacy” e-commerce exports enable targeted phishing, delivery-scam fraud, and account takeover, so brands should strengthen third-party controls and customers should treat emails and calls referencing orders as high-risk. (Source: TechRadar, 17-02-2026)

Adidas Extranet data leak claim published with samples
Cybernews reported that the Lapsus$ group claimed access to Adidas Extranet data and published samples, alleging exposure of hundreds of thousands of rows from a partner portal environment. [EMEA] Extranet breaches often start with reused credentials or weak partner access, so suppliers and retailers should rotate credentials, enforce MFA, and monitor for abnormal portal logins, because compromised partner identities can rapidly propagate into broader business networks. (Source: Cybernews, 17-02-2026)

Eurail says stolen traveller data is for sale
Eurail disclosed that traveller data was stolen in a security breach and is now being sold on dark web forums, prompting the company to investigate and assess the scope of exposed records. [EMEA] Travel and mobility datasets are rich for identity fraud, and confirmed underground listings should trigger rapid notification workflows, credential resets, and monitoring for account misuse, while partners review API access and data-sharing minimisation. (Source: Security Affairs, 17-02-2026)

Editorial Perspective

This cycle reinforces a familiar truth: attackers keep winning time, not sophistication, by exploiting overlooked estate, from browsers to backup-and-recovery components. The Dell RecoverPoint case is a reminder that “secondary” infrastructure, often outside normal patch focus, becomes a primary target when it can anchor persistence.

At the same time, enforcement and regulation are tightening around the human and supply-chain edges, whether that is spoofed consumer apps, outsourced justice workflows, or platform data-handling practices.

For security leaders, the practical play is to treat vendor access and identity controls as incident-response fuel, exercising the plan to prove readiness, rather than assuming a policy banner, or a SOC dashboard, equals resilience.

Tags

DFIR, Incident Response, Cyber Investigations, Ransomware, Vulnerability Management, Supply Chain Security, Data Breach, OT Security, Privacy, Cyber Policy, Compliance
