
Snapshot Summary
| Sector / Section | Headline Highlights | Count |
|---|---|---|
| Digital Forensics & Incident Response | Azul malware tooling; Patch Tuesday prioritization | 2 |
| Cyber Investigations | Fraud sentencing; AI code prompt injection | 2 |
| Major Cyber Incidents | Employee data extortion; vishing compromise | 3 |
| Exploits & Threat Intelligence | VMware RCE risk; NPM worm supply chain | 3 |
| Law Enforcement | Spain DDoS arrests; sanctions pressure | 2 |
| Policy | AI regulator action; OFAC sanctions | 2 |
| Standards & Compliance | NIST CSF 2.0 anniversary; profiles | 2 |
| Consumer App Data Leaks | Auto shopper leak; PayPal app exposure | 2 |
Digital Forensics & Incident Response
ASD’s ACSC open-sources “Azul” malware analysis tool — [APAC] Australia’s ACSC announced “Azul,” an open-source tool (hosted on GitHub) designed to help defenders explore, analyze, and correlate malware at scale, positioning it as a practical capability boost for threat investigation workflows. For DFIR teams, open tooling with a government-backed lineage can accelerate triage, enable repeatable lab analysis, and support evidence capture/annotation pipelines when incidents involve commodity loaders or rapidly mutating malware families. (Source: Australian Cyber Security Centre, 24-02-2026)
February 2026 Patch Tuesday analysis highlights multiple actively exploited issues — [AMER] CrowdStrike summarized Microsoft’s February 2026 security updates, noting a cluster of actively exploited vulnerabilities among dozens of patched CVEs and urging organizations to prioritize remediation based on exploitation status and technique. For incident responders, this is a cue to align hunting and scoping with known exploited classes (EoP/RCE chains), validate patch telemetry, and preserve endpoint and event-log artefacts to distinguish pre-patch compromise from benign post-update noise. (Source: CrowdStrike, 10-02-2026)
Cyber Investigations
BTP: “SMS blaster” fraud gang sentenced after London Tube plot — [EMEA] British Transport Police said a group that used “SMS blasters” to push scam texts at commuters in London has been sentenced following an investigation that began after the activity was spotted and disrupted in a Tube station. DFIR and fraud investigators can map this pattern to local RF/telecom artefacts, handset telemetry, and mule-account flows, helping organizations tune detection for proximity-based smishing and preserve mobile and payment evidence when victim reporting is delayed. (Source: British Transport Police, 24-02-2026)
Research describes “RoguePilot” chain abusing GitHub Issues + Copilot in Codespaces — [AMER] Orca Security’s findings (reported by SecurityWeek) describe how a crafted GitHub Issue could be ingested by an in-environment Copilot assistant when launching Codespaces, enabling prompt injection paths that can leak privileged tokens and pivot into repository takeover. For investigators, this expands the evidence surface to include issue content, Codespaces workspace logs, schema-fetch URLs, and token-scoped actions, making it essential to retain CI/CD artefacts and review AI-assistant usage paths during supply-chain and insider-assisted inquiries. (Source: SecurityWeek, 24-02-2026)
Major Cyber Incidents
Wynn Resorts confirms employee data breach following extortion listing — [AMER] Wynn confirmed an attacker stole employee-related data and threatened release after the company was posted on an extortion group’s leak site, indicating a data-theft-and-pressure play rather than a purely disruptive event. For DFIR teams, the case reinforces rapid identity exposure assessment (HR/benefits data), targeted phishing risk mitigation, and the need to preserve access logs and endpoint artefacts to reconstruct initial access and any lateral movement tied to data staging. (Source: BleepingComputer, 24-02-2026)
Air Côte d’Ivoire reportedly hit by Cicada3301 ransomware — [EMEA] Reporting indicates Air Côte d’Ivoire was added to a ransomware leak site, suggesting potential data exfiltration and negotiation pressure alongside any operational disruption to airline back-office systems. For responders, aviation incidents demand careful containment with minimal downtime, clear evidence handling for passenger/employee PII exposure determinations, and disciplined third-party coordination (airport/booking/IT providers) to ensure logs and backups remain forensically sound. (Source: BleepingComputer, 24-02-2026)
Optimizely confirms cyberattack via sophisticated voice-phishing — [AMER] Optimizely told SecurityWeek that attackers used a vishing approach to access certain internal business systems (including Zendesk and Salesforce records), and the company contained the incident while notifying customers and law enforcement. For DFIR and security operations, this underscores how social-engineering initial access can bypass technical controls, making call-verification procedures, CRM audit logging, and rapid review of token/session issuance essential to prove whether access was limited or escalated. (Source: SecurityWeek, 25-02-2026)
Exploits & Threat Intelligence
Broadcom patches VMware Aria Operations command injection with RCE potential — [AMER] Broadcom released fixes for multiple VMware Aria Operations issues, including an unauthenticated command-injection vulnerability that SecurityWeek reports could enable remote code execution in certain migration contexts. For threat intel and vulnerability teams, VMware-facing platforms remain high-value targets, so prioritizing patching, validating external exposure, and monitoring for post-exploit indicators (new processes, webshell traces, anomalous admin sessions) can shorten dwell time if exploitation begins. (Source: SecurityWeek, 24-02-2026)
“Sandworm_Mode” NPM supply-chain campaign uses worm-like propagation and AI poisoning — [AMER] Researchers described a supply-chain attack delivered via typosquatted NPM packages that propagated using stolen credentials, targeted CI secrets, and attempted to poison AI coding assistants via rogue MCP server behavior and prompt-injection techniques. For defenders, this is an urgent reminder to lock down package provenance, rotate CI/CD tokens, review workflow changes, and add detection for unusual dependency updates and outbound exfil paths that originate from build runners rather than endpoints. (Source: SecurityWeek, 24-02-2026)
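An added example (not code from the SecurityWeek report or the campaign analysis): a Node.js check a build pipeline could run over a package-lock.json change to surface the signals the item above names, namely new dependencies whose names sit one or two edits from a package the project already uses, dependencies that run lifecycle scripts at install time (npm records this in the real lockfile field `hasInstallScript`), tarballs resolved from somewhere other than the expected registry, and version changes. The two lockfiles, the allow-list and the package names in them are constructed for the demonstration.

```javascript
'use strict';

// Added example: review a package-lock.json change for the signals the
// Sandworm_Mode write-up points at (look-alike names, new dependencies,
// install scripts, non-registry sources). Not code from the campaign analysis;
// the two lockfiles and the allow-list below are constructed.

// Levenshtein distance: flags names one or two edits away from a package the
// project deliberately uses (e.g. "lodahs" vs "lodash").
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const subst = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + subst);
    }
  }
  return dp[a.length][b.length];
}

// Lockfile v2/v3 keys are install paths such as "node_modules/foo" or
// "node_modules/foo/node_modules/@scope/bar"; the name follows the last
// "node_modules/" segment.
function packageName(lockKey) {
  const marker = 'node_modules/';
  const idx = lockKey.lastIndexOf(marker);
  return idx === -1 ? lockKey : lockKey.slice(idx + marker.length);
}

// Index a lockfile as name -> {version, resolved, hasInstallScript}.
// hasInstallScript is the field npm writes when a package declares
// preinstall/install/postinstall scripts.
function indexLock(lock) {
  const out = new Map();
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // the root project entry
    out.set(packageName(key), {
      version: meta.version,
      resolved: meta.resolved || '',
      hasInstallScript: Boolean(meta.hasInstallScript),
    });
  }
  return out;
}

function hostOf(url) {
  try { return new URL(url).host; } catch { return ''; }
}

// Compare before/after lockfiles. knownGood lists the names the project
// intends to depend on. Returns findings {name, kind, detail} for a reviewer
// or a CI gate to act on.
function reviewLockfileChange(oldLock, newLock, knownGood, registryHost = 'registry.npmjs.org') {
  const before = indexLock(oldLock);
  const after = indexLock(newLock);
  const findings = [];
  for (const [name, meta] of after) {
    const prev = before.get(name);
    if (!prev) {
      findings.push({ name, kind: 'new-dependency', detail: meta.version });
      for (const good of knownGood) {
        const d = editDistance(name, good);
        if (d > 0 && d <= 2) {
          findings.push({ name, kind: 'typosquat-candidate', detail: `resembles ${good} (distance ${d})` });
        }
      }
      if (meta.hasInstallScript) {
        findings.push({ name, kind: 'install-script', detail: 'new dependency runs a lifecycle script at install time' });
      }
    } else {
      if (prev.version !== meta.version) {
        findings.push({ name, kind: 'version-change', detail: `${prev.version} -> ${meta.version}` });
      }
      if (meta.hasInstallScript && !prev.hasInstallScript) {
        findings.push({ name, kind: 'install-script', detail: 'existing dependency gained a lifecycle script' });
      }
    }
    if (meta.resolved && hostOf(meta.resolved) !== registryHost) {
      findings.push({ name, kind: 'non-registry-source', detail: meta.resolved });
    }
  }
  for (const [name, prev] of before) {
    if (!after.has(name)) findings.push({ name, kind: 'removed-dependency', detail: prev.version });
  }
  return findings;
}

// Constructed lockfiles: the "after" state adds a look-alike package with an
// install script and a package fetched from a non-registry host.
const LOCK_BEFORE = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/lodash': { version: '4.17.21', resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz' },
  'node_modules/chalk': { version: '5.3.0', resolved: 'https://registry.npmjs.org/chalk/-/chalk-5.3.0.tgz' },
} };
const LOCK_AFTER = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/lodash': { version: '4.17.21', resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz' },
  'node_modules/chalk': { version: '5.3.1', resolved: 'https://registry.npmjs.org/chalk/-/chalk-5.3.1.tgz' },
  'node_modules/lodahs': { version: '4.17.22', resolved: 'https://registry.npmjs.org/lodahs/-/lodahs-4.17.22.tgz', hasInstallScript: true },
  'node_modules/color-util': { version: '1.0.0', resolved: 'https://pkg.example.invalid/color-util-1.0.0.tgz' },
} };
const KNOWN_GOOD = ['lodash', 'chalk']; // constructed allow-list

console.log(JSON.stringify(reviewLockfileChange(LOCK_BEFORE, LOCK_AFTER, KNOWN_GOOD), null, 2));
```

Run on the constructed pair this reports six findings: a version change for chalk, and for the two new packages a new-dependency entry each plus a typosquat candidate and an install script for `lodahs` and a non-registry source for `color-util`. The distance threshold of two is a starting point, not a rule; scoped packages and short names will need a tighter threshold or an explicit allow-list to keep false positives down.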
ShinyHunters claims breach of Dutch carrier Odido affecting millions — [EMEA] BleepingComputer reports that ShinyHunters claimed responsibility for a breach at Dutch telecom Odido, alleging theft of customer data at large scale and using that claim to drive extortion pressure. For threat intel consumers, carrier-scale breaches tend to fuel downstream SIM-swap, targeted phishing, and identity fraud, so organizations should proactively tighten customer verification, watch for credential-stuffing spikes, and use breach-derived IOCs to harden mail and auth controls. (Source: BleepingComputer, 25-02-2026)
Law Enforcement
Spain arrests Anonymous Fénix members tied to DDoS activity — [EMEA] Spanish authorities announced arrests of four people linked to the “Anonymous Fénix” group for alleged DDoS attacks against government, political, and public-entity websites, with SecurityWeek noting earlier related arrests and account seizures. For defenders and investigators, the case highlights how even “volunteer” hacktivist operations leave exploitable digital trails (infrastructure reuse, comms channels, crypto accounts), supporting attribution and takedown strategies alongside improved DDoS telemetry retention. (Source: SecurityWeek, 24-02-2026)
U.S. Treasury sanctions a Russia-based bulletproof hosting provider linked to cybercrime — [AMER] The U.S. Treasury announced sanctions targeting a Russia-based bulletproof hosting provider and associated actors, citing its role in enabling malicious cyber activity by providing resilient infrastructure and services. For DFIR and threat intel teams, sanctions can rapidly change infrastructure availability and TTPs, so monitoring for migration to new ASNs/domains, refreshing blocklists, and capturing updated infrastructure pivot points can improve containment and long-term tracking. (Source: U.S. Department of the Treasury, 24-02-2026)
Policy
Canada summons OpenAI in probe focused on AI risks — [AMER] Reuters reported that Canada’s privacy regulator summoned OpenAI as part of an ongoing probe, reflecting growing regulator scrutiny of AI systems’ handling of personal data and downstream harms. For cyber and DFIR leaders, the policy direction matters because investigations increasingly require audit-ready data lineage, model-access governance, and defensible retention/response processes for AI-assisted workflows that touch regulated or sensitive information. (Source: Reuters, 23-02-2026)
Sanctions raise the cost of cybercrime infrastructure operations — [AMER] The Treasury action against bulletproof hosting explicitly targets the enabling layer that many ransomware, infostealer, and fraud operations rely on for resilience and rapid redeployments. For practitioners, policy tools like sanctions can create short windows of disruption that help sinkhole, seize, or block infrastructure, so aligning IR playbooks with sanctions-driven indicators and law-enforcement coordination can materially improve takedown and recovery outcomes. (Source: U.S. Department of the Treasury, 24-02-2026)
Standards & Compliance
NIST marks CSF 2.0 milestone and continues profile expansion — [AMER] NIST’s Cybersecurity Framework updates archive notes a February 24 entry marking CSF 2.0’s progress two years after its February 2024 release, while highlighting ongoing work on sector/community profiles and implementation guidance. For compliance and assurance teams, CSF 2.0 alignment is increasingly used as a common language across audits and third-party risk, so tracking profile updates and mapping them to control libraries (e.g., 800-53/ISO) can reduce evidence friction during investigations and post-incident reviews. (Source: NIST, 24-02-2026)
NIST highlights draft “Transit Cybersecurity Framework Community Profile” availability — [AMER] NIST’s CSF updates also reference a Transit Cybersecurity Framework Community Profile initial public draft (NIST IR 8576) being available for comment, signaling continued CSF-driven specialization for critical services. For DFIR and governance teams supporting transit or adjacent supply chains, sector profiles help define expected logging, response, and recovery outcomes—useful for tabletop exercises, contractual requirements, and after-action evidence packaging. (Source: NIST, 24-02-2026)
Consumer App Data Leaks
CarGurus confirms breach tied to third-party vendor incident — [AMER] Car shopping platform CarGurus said data was exposed following a security incident at a third-party vendor, underscoring how consumer services can be impacted even when core platforms are not directly compromised. For responders and privacy teams, vendor-driven exposure raises the priority of contractually enforced logging/notification SLAs, rapid identity-risk communications, and ensuring evidence collection spans vendor systems to validate scope and reduce uncertainty in customer-facing disclosures. (Source: BleepingComputer, 24-02-2026)
PayPal says coding error exposed some customer data and led to unauthorized transactions — [AMER] TechRadar reports PayPal disclosed that a bug in a loan/working-capital application exposed sensitive data for months and was associated with a small number of unauthorized transactions, after which PayPal took remediation and notification steps. For DFIR practitioners, “app logic exposure” incidents often require deeper review of access logs, object-level authorization paths, and transaction integrity checks, plus strong preservation of application telemetry to prove whether the issue was exploitation or misconfiguration. (Source: TechRadar, 23-02-2026)
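An added example of the access-log review the item above calls for, not a description of PayPal’s application or of the defect it disclosed (the source does not detail it): a Node.js triage over an application’s object-access log that separates successful cross-account reads from denied attempts and groups the successes by actor to show whether the object IDs touched are sequential, the pattern of an enumeration rather than a one-off. The JSON-lines log format, its field names (`actor`, `role`, `object`, `owner`, `status`) and the entries themselves are constructed for the demonstration.

```javascript
'use strict';

// Added example: triage an application's object-access log for cross-account
// reads, the object-level authorization review the paragraph describes.
// The log schema and entries are constructed; this is not PayPal's log format
// or a description of the defect PayPal disclosed.

// Constructed log, one JSON object per line: a customer (u1001) reading three
// other customers' loan records in sequence, a legitimate self-read, a
// privileged service read, and one denied cross-account attempt.
const ACCESS_LOG = `
{"ts":"2026-02-20T10:00:01Z","actor":"u1001","role":"customer","object":"loan/5001","owner":"u1001","status":200}
{"ts":"2026-02-20T10:00:05Z","actor":"u1001","role":"customer","object":"loan/5002","owner":"u1002","status":200}
{"ts":"2026-02-20T10:00:06Z","actor":"u1001","role":"customer","object":"loan/5003","owner":"u1003","status":200}
{"ts":"2026-02-20T10:00:07Z","actor":"u1001","role":"customer","object":"loan/5004","owner":"u1004","status":200}
{"ts":"2026-02-20T10:02:00Z","actor":"u2002","role":"customer","object":"loan/6010","owner":"u2002","status":200}
{"ts":"2026-02-20T10:03:00Z","actor":"svc-risk","role":"service","object":"loan/6010","owner":"u2002","status":200}
{"ts":"2026-02-20T10:04:00Z","actor":"u3003","role":"customer","object":"loan/7001","owner":"u3004","status":403}
`.trim();

function parseLog(text) {
  return text.split('\n').filter(Boolean).map(line => JSON.parse(line));
}

// A cross-account access is a non-privileged actor touching an object owned by
// someone else. Successful ones are violations of object-level authorization;
// denied ones show the control working but still reveal probing.
function findCrossAccountAccess(entries, privilegedRoles = new Set(['service', 'admin'])) {
  const violations = [];
  const denied = [];
  for (const e of entries) {
    if (e.actor === e.owner || privilegedRoles.has(e.role)) continue;
    if (e.status >= 200 && e.status < 300) violations.push(e);
    else denied.push(e);
  }
  return { violations, denied };
}

// Group violations by actor, count distinct victims and test whether the
// object IDs form a consecutive run (three or more, step of one).
function summarizeByActor(violations) {
  const byActor = new Map();
  for (const v of violations) {
    const id = Number(v.object.split('/').pop());
    if (!byActor.has(v.actor)) byActor.set(v.actor, { ids: [], owners: new Set() });
    const rec = byActor.get(v.actor);
    rec.ids.push(id);
    rec.owners.add(v.owner);
  }
  const summary = [];
  for (const [actor, rec] of byActor) {
    const ids = [...rec.ids].sort((a, b) => a - b);
    const sequential = ids.length >= 3 && ids.every((id, i) => i === 0 || id - ids[i - 1] === 1);
    summary.push({ actor, count: ids.length, victims: rec.owners.size, sequential });
  }
  return summary;
}

const result = findCrossAccountAccess(parseLog(ACCESS_LOG));
console.log(JSON.stringify({
  violations: result.violations.length,
  denied: result.denied.length,
  actors: summarizeByActor(result.violations),
}, null, 2));
```

On the constructed log this yields three violations, all by u1001 against three distinct owners with consecutive object IDs, and one denied attempt by u3003. The privileged-role bypass is deliberate and is also the first thing to scrutinize in a real review: a service or admin role that is over-broadly assigned turns every read it makes into a blind spot for this check, so the role assignment list should be pulled alongside the log.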
Editorial Perspective
This window reinforces a practical truth for DFIR: the “front door” is increasingly a human (vishing) or the software supply chain, and the blast radius often lands in identity and customer trust rather than pure uptime.
Open tooling like ACSC’s Azul and sharper Patch Tuesday prioritization guidance are welcome, but they only pay off when organizations keep audit-ready telemetry—especially across SaaS, CRMs, and CI runners where modern intrusions unfold.
Finally, enforcement and policy moves (arrests and sanctions) can create short disruption windows, and the teams that can rapidly pivot infrastructure intelligence and preserve evidence cleanly are best positioned to turn that disruption into durable risk reduction.
Reference Reading
- ACSC: Azul open-source malware analysis tooling
- SecurityWeek: Sandworm_Mode NPM supply-chain analysis
- SecurityWeek: VMware Aria Operations command injection/RCE risk
- U.S. Treasury: sanctions targeting cybercrime enabling infrastructure
- NIST: Cybersecurity Framework updates archive (CSF 2.0 milestones)
- BleepingComputer: Wynn Resorts employee data extortion case
Tags
DFIR, Incident Response, Ransomware, Vishing, Supply Chain Security, VMware, GitHub Copilot, NPM, Sanctions, NIST CSF 2.0, Data Breach, Malware Analysis
