This week’s security updates weren’t defined by one major “headline hack.” Instead, they revealed something more dangerous in the long run: small missteps and quiet shifts that attackers are learning to exploit over and over.
Most of the stories have one thing in common: normal, trusted systems are being turned into entry points. In many cases, the problem isn’t a brand-new tool. It’s a familiar platform, an overlooked configuration, or a process that was never designed to handle today’s threat level.
There’s no single trend behind everything, but the pressure is clear. Access, data, money, and trust are all being attacked at the same time — often without obvious red flags until damage has already started.
Below is a fast breakdown of the biggest signals from this week.
🔻 Major Cybercrime Forum Disrupted: FBI Seizes RAMP
The FBI has taken down the well-known RAMP cybercrime forum, seizing both its Tor presence and the clearnet domain ramp4u[.]io. Visitors now see a seizure notice referencing coordination with the U.S. Attorney’s Office for the Southern District of Florida and the DOJ’s Computer Crime and Intellectual Property Section.
RAMP’s admin reportedly confirmed the takedown on underground forums, calling it the end of years of work. RAMP had become a major alternative after other forums began banning ransomware-related promotions. Even so, researchers say the underground scene is already shifting, with groups moving activity to other platforms — proving again that criminal communities rebuild fast when they lose territory.

🔻 WhatsApp Under Fire: Lawsuit Challenges Meta’s Privacy Claims
Meta is facing a new lawsuit in the U.S. accusing the company of misleading users about WhatsApp privacy. Plaintiffs allege that Meta and WhatsApp can store, analyze, and access user communications, despite WhatsApp being marketed as end-to-end encrypted.
Meta strongly rejected the claims, calling the case baseless and stating it will seek sanctions. WhatsApp leadership repeated the argument that encryption keys remain on the user’s device, meaning WhatsApp cannot read messages.
The bigger issue here isn’t just the legal fight. It’s the question users keep asking: Is WhatsApp security a hard technical lock, or a policy-based lock that insiders could override?
🔻 Post-Quantum Cryptography Moves From “Someday” to Procurement Planning
CISA released a new early-stage guide listing hardware and software product categories that support (or are expected to support) post-quantum cryptography (PQC).
The guidance includes major areas such as:
- cloud services
- collaboration/web software
- endpoint security
- networking equipment
CISA’s message is direct: quantum computing is moving toward a point where today’s public-key algorithms (RSA, elliptic-curve Diffie-Hellman, ECDSA) will no longer be safe. And attackers may already be recording encrypted traffic now, intending to decrypt it once a capable quantum computer exists — a strategy widely known as “harvest now, decrypt later.” Symmetric encryption (AES) is far less affected; the key exchange that protects the session key is what breaks, which is why the guide centers on products that can negotiate post-quantum (or hybrid) key exchange.
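The first practical step CISA’s guidance implies is an inventory: how much of your own traffic is still protected only by classical key exchange? The script below is an added example (not from CISA or this article) that classifies TLS sessions from a proxy log by key-exchange type. The log line format is assumed, constructed here for the demo, and would need adjusting to whatever your proxy or load balancer actually emits; the group names are the IANA names for the ML-KEM hybrids.

```python
import re
from collections import Counter

# Constructed sample lines in the shape a TLS-terminating proxy could log if its
# log format includes the negotiated protocol, cipher and key-exchange group.
# Assumed format for this example, not any specific product's output.
SAMPLE_LOG = """\
2026-01-28T10:00:01Z client=203.0.113.5 tls=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 group=X25519MLKEM768
2026-01-28T10:00:02Z client=203.0.113.6 tls=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 group=X25519
2026-01-28T10:00:03Z client=198.51.100.7 tls=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 group=prime256v1
2026-01-28T10:00:04Z client=198.51.100.8 tls=TLSv1.2 cipher=AES256-SHA group=-
2026-01-28T10:00:05Z client=192.0.2.9 tls=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256 group=SecP256r1MLKEM768
"""

LINE_RE = re.compile(r"tls=(?P<tls>\S+)\s+cipher=(?P<cipher>\S+)\s+group=(?P<group>\S+)")

# Hybrid groups: a classical ECDH share plus an ML-KEM share; the session key is
# safe unless BOTH are broken.
PQ_HYBRID_GROUPS = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024"}
# Classical (EC)DH: forward secret today, but exactly what harvest-now-decrypt-later targets.
CLASSICAL_ECDH_GROUPS = {
    "X25519", "X448", "prime256v1", "secp256r1", "secp384r1", "secp521r1",
    "P-256", "P-384", "P-521",
}
LEGACY_VERSIONS = {"TLSv1", "TLSv1.1", "TLSv1.2"}


def classify(tls, cipher, group):
    """Map one negotiated session to a key-exchange class."""
    if group in PQ_HYBRID_GROUPS:
        return "pq-hybrid"
    if group in CLASSICAL_ECDH_GROUPS or cipher.startswith(("ECDHE", "DHE", "TLS_ECDHE", "TLS_DHE")):
        return "classical-fs"
    if tls in LEGACY_VERSIONS:
        # No (EC)DHE and pre-1.3: RSA key transport. Not forward secret at all:
        # a recorded session is decryptable by anyone who later gets the RSA key,
        # quantum computer or not.
        return "rsa-key-transport"
    return "unknown"


def parse_line(line):
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.groupdict()


def inventory(log_text):
    """Count sessions per key-exchange class."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[classify(rec["tls"], rec["cipher"], rec["group"])] += 1
    return counts


def hndl_exposed_fraction(counts):
    """Share of sessions whose recorded ciphertext is at risk from a future
    quantum attack on the key exchange (everything that is not PQ hybrid)."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    exposed = counts["classical-fs"] + counts["rsa-key-transport"]
    return exposed / total


if __name__ == "__main__":
    c = inventory(SAMPLE_LOG)
    print(dict(c))
    print(f"HNDL-exposed: {hndl_exposed_fraction(c):.0%}")
```

Running this over a week of real logs gives the number procurement conversations need: which fraction of sessions would a quantum adversary be able to read from a capture made today. The `rsa-key-transport` bucket is the one to kill first, since it is already decryptable by anyone who obtains the server key.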
🔻 Physical Security Risk: Dormakaba Access Control Systems Hit With 20+ Vulnerabilities
Researchers disclosed more than 20 security flaws affecting Dormakaba physical access control systems. The issues include dangerous weaknesses like:
- hard-coded credentials and encryption keys
- weak/default passwords
- missing authentication
- insecure password generation
- privilege escalation
- command injection, path traversal, data exposure
The most alarming part is what could be possible: in some cases, attackers could potentially unlock doors remotely, reconfigure controllers, or manipulate connected peripherals.
So far, there’s no sign of exploitation, but the severity speaks for itself: when digital flaws affect physical access, the stakes rise instantly.
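“Insecure password generation” is the most reusable lesson in this list, because it keeps reappearing in embedded products. The page does not describe how Dormakaba’s generator works, so the snippet below is an added, generic illustration (not Dormakaba’s code) of the usual anti-pattern: seeding a non-cryptographic PRNG with a timestamp and calling the output a random default password. The attacker model, window sizes and function names are assumptions for the demo.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def weak_default_password(commission_ts, length=12):
    """Anti-pattern (illustrative, not any vendor's code): seed Mersenne Twister
    with the second the unit was commissioned and draw the 'random' default
    password from it. The output is a pure function of the timestamp."""
    rng = random.Random(commission_ts)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def recover_seed(password, window_start, window_end, length=12):
    """Attacker (assumed model): holds one unit's default password, e.g. from a
    label photo or an installer PDF, and knows the commissioning day from the
    maintenance log. Enumerates every second in that window."""
    for ts in range(window_start, window_end):
        if weak_default_password(ts, length) == password:
            return ts
    return None


def batch_passwords(seed, count):
    """Once one seed is known, units commissioned in the same batch (seconds
    apart) have passwords that can simply be enumerated around it."""
    return [weak_default_password(seed + i) for i in range(count)]


def nominal_entropy_bits(length, alphabet=ALPHABET):
    """What a 12-character alphanumeric password looks like on paper."""
    return length * math.log2(len(alphabet))


def effective_entropy_bits(window_seconds):
    """What it actually is when the seed is a timestamp in a known window."""
    return math.log2(window_seconds)


def strong_default_password(length=16):
    """The fix: draw from the OS CSPRNG. No seed to recover, no batch to enumerate."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    true_ts = 1_700_000_000 + 1234          # constructed commissioning time
    pw = weak_default_password(true_ts)
    found = recover_seed(pw, 1_700_000_000, 1_700_000_000 + 3600)
    print("recovered seed:", found, "->", weak_default_password(found))
    print("nominal bits:", round(nominal_entropy_bits(12), 1),
          "effective bits (one day window):", round(effective_entropy_bits(86400), 1))
    print("strong:", strong_default_password())
```

A 12-character alphanumeric password is nominally about 71 bits; with a timestamp seed and a one-day window it is under 17 bits, and a one-hour window falls to under 12. The same logic applies to keys, tokens and session IDs: if the generator is `random`, `rand()`, or anything seeded from the clock, treat the output as guessable.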
🔻 Credential Theft Returns With a Classic Theme: Fake Hiring Emails
A phishing wave is using recruitment-style emails to lure victims with job offers, interviews, and “easy work from home” promises. The campaign is multilingual (English, Spanish, Italian, French), and targets multiple countries including the U.S., U.K., France, Italy, and Spain.
Victims who click the “confirmation” link are redirected to fake pages built to:
- harvest login credentials
- collect personal details
- push malware
It’s a reminder that attackers don’t always need advanced malware. They just need the right emotional hook.

🔻 Trusted Cloud Domains Abused: Vercel Used to Deliver GoTo Resolve RAT
A campaign is abusing the trust people place in *.vercel.app domains to bypass filters and push phishing lures related to invoices, delivery notices, and payment claims.
The operation reportedly includes Telegram-based gating — designed to avoid researchers and automated sandbox tools — before delivering a legitimate remote access tool: GoTo Resolve.
This is a growing pattern: threat actors are increasingly using trusted hosting infrastructure to make malicious activity look harmless.
🔻 Apple Adds Cellular Privacy Feature: “Limit Precise Location”
Apple is testing a feature in iOS 26.3 called “Limit Precise Location.” The goal is to reduce how accurately cellular networks can pinpoint a device location.
Apple says it may limit location precision to broader areas such as neighborhoods instead of exact addresses. Early reports suggest availability may depend on country and carrier support.
🔻 Apple Extends Legacy Device Support With iOS 12 + iOS 15 Updates
Apple pushed out security updates for older iOS versions (iOS 12.5.8 and iOS 15.8.6) to renew the digital certificates that iMessage, FaceTime, and device activation depend on, so those services keep working beyond January 2027.
🔻 “SEO Poisoning for Hire”: Backlink Marketplace Helps Criminals Rank Phishing Pages
Researchers uncovered a shady marketplace where threat actors sell backlinks placed on compromised websites to manipulate search rankings.
The operation, linked to a group calling itself Haxor (HxSEO / HaxorSEO), reportedly:
- compromises old trusted domains (often 15–20 years old)
- installs web shells
- injects backlinks into the compromised pages
- sells backlinks cheaply (around $6 per listing)
The result is “SEO poisoning” that pushes phishing sites higher in search results, making fake logins appear before real ones.
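If you run a long-lived domain, the question is whether your own pages are already carrying someone else’s backlinks. Injected links are usually hidden from visitors (so the owner does not notice) while remaining in the HTML for crawlers. The scanner below is an added example, not part of the article or the researchers’ tooling: it walks a page with the standard-library HTML parser and flags off-site links that are hidden by inline style or the `hidden` attribute. The sample page is constructed for the demo; the `.example` hosts are reserved names, not real sites.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Inline styles commonly used to keep injected links invisible to humans while
# crawlers still index them.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px|\b)|"
    r"(?:left|top|text-indent)\s*:\s*-\d{3,}px",
    re.I,
)
# Elements with no closing tag; they must not be pushed on the open-element stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


class InjectedLinkFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []      # (tag, hidden) for every open non-void element
        self.findings = []   # (href, reason)

    def _inside_hidden(self):
        return any(hidden for _, hidden in self.stack)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        hidden = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style", "")))
        if tag == "a":
            self._check_anchor(a.get("href", ""), hidden or self._inside_hidden())
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open element; tolerate sloppy markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def _check_anchor(self, href, hidden):
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https"):
            return                      # relative, mailto:, javascript: etc.
        host = (parts.hostname or "").lower()
        if host == self.site_host or host.endswith("." + self.site_host):
            return                      # our own site
        if hidden:
            self.findings.append((href, "hidden external link"))


def find_injected_links(html, site_host):
    """Return (href, reason) for every off-site link that a visitor cannot see."""
    p = InjectedLinkFinder(site_host)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample page for example.com: one legitimate visible partner link
# and four injected ones hidden in the ways SEO-spam injections typically use.
SAMPLE_HTML = """
<html><body>
<a href="https://example.com/about">About us</a>
<a href="https://partner.example.net">Our partner</a><br>
<div style="display:none">
  <a href="http://cheap-pills.example/">buy now</a>
  <a href="https://login-bank.example/verify">bank login</a>
</div>
<a style="position:absolute; left:-9999px" href="https://casino.example/">casino</a>
<p hidden><a href="https://crypto-wallet.example/">wallet</a></p>
</body></html>
"""

if __name__ == "__main__":
    for href, reason in find_injected_links(SAMPLE_HTML, "example.com"):
        print(f"{reason}: {href}")
```

Run it over every page of the site (or a crawl of your own domain) and diff the result against a known-good baseline; any new hidden outbound link is a strong sign the site has been compromised. Since the same operation plants web shells, a hit here should trigger a file-integrity check of the web root, not just link removal.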
🔻 Meta Business Accounts Targeted: Phishing Leads to Ad Account Hijacks
Threat actors are targeting Meta business accounts used by agencies and social media managers. The bait usually mimics official Meta warnings about:
- policy violations
- IP claims
- suspicious activity
Once attackers steal credentials, they may:
- change billing info
- add stolen/virtual cards
- run scam ads (crypto/investment fraud)
- remove legitimate admins
This is less about hacking and more about turning trusted advertising accounts into criminal infrastructure.
🔻 Linux Kernel Vulnerability Added to CISA KEV
CISA added a Linux kernel flaw (CVE-2018-14634) to the Known Exploited Vulnerabilities (KEV) catalog, meaning U.S. federal civilian agencies must patch by Feb 16, 2026.
The flaw, disclosed in 2018 under the name “Mutagen Astronomy,” is an integer overflow in the kernel’s ELF loader (create_elf_tables) that lets a local, unprivileged user gain root by executing a SUID binary on an unpatched 64-bit system. It is old, but a KEV listing means it is being exploited now, so it belongs on the patch list for any long-lived Linux hosts that never received the 2018 fix.
🔻 France Moves Away From U.S. Video Platforms
France announced plans to reduce reliance on U.S. video conferencing platforms like Zoom, Teams, Meet, Webex — replacing them with a state-controlled solution called Visio.
Their reasoning centers on:
- sovereignty
- reduced external dependence
- security of government communications
🔻 Microsoft Ordered to Stop Tracking Students (Austria)
Austria’s data protection authority ordered Microsoft to stop tracking practices involving cookies in Microsoft 365 Education, after it found tracking cookies were installed on a minor’s device without valid consent.

🔻 Cross-Border Swatting Operation: Teens Arrested in Hungary and Romania
Authorities arrested four suspects connected to swatting attacks involving bomb threats and false emergency calls. Investigators say the suspects used Discord to collect victim data, then weaponized it to trigger emergency responses.
🔻 Check Point Report: Latin America Sees the Sharpest Growth
In December 2025, organizations experienced an average of 2,027 attacks per organization per week, with Latin America seeing the biggest jump — averaging 3,065 weekly attacks (+26% year-over-year).
Education remained the most targeted sector.
🔻 DOJ Sentencing: Crypto Scam Money Laundering
A Chinese national, Jingliang Su, was sentenced to 46 months in prison for laundering more than $36.9 million tied to a digital asset investment scam reportedly run out of scam centers in Cambodia.
🔻 Dark Web Market Operators Admit Guilt
Two notable cases this week:
- Empire Market operator pleaded guilty, linked to over $430M in transactions
- a Slovak national pleaded guilty to involvement with Kingdom Market, including crypto handling and domain operations
🔻 Google Expands Android Theft Protection
Google introduced expanded theft-protection measures for Android (Android 16+), including stronger lockout controls, improved remote lock protections, and identity verification expansions.
🔻 Malware Campaign Shows Signs of AI Assistance
A PureRAT campaign targeting job seekers used malicious ZIPs and Dropbox links, with scripts showing signs of AI generation — including unusually detailed comments and structured steps.
🔻 Human-in-the-Loop MFA Bypass: Live Phishing Panels
Mandiant and Silent Push warned about vishing attacks targeting SSO providers using “live phishing panels,” where attackers actively monitor sessions in real time to intercept credentials and bypass MFA.
This isn’t spray-and-pray phishing — it’s interactive, human-driven credential theft.
🔻 React2Shell Exploited for Crypto Mining + Botnets
Attackers exploited a React Server Components flaw (React2Shell / CVE-2025-55182) to deploy XMRig cryptominers and other payloads against Russian organizations.
🔻 Sonatype: 454K Malware Packages Detected in 2025
Sonatype reported blocking 454,600 open-source malware packages in 2025, pushing the known total beyond 1.233 million.
A major concern: AI coding assistants sometimes recommend malicious or non-existent packages. Attackers register the hallucinated names (“slopsquatting”), so a developer who installs what the assistant suggested pulls in attacker-controlled code, adding a new path for supply chain abuse.
🔻 Ransomware Keeps Growing Despite Takedowns
Emsisoft reports ransomware groups claimed 8,100 to 8,800 victims in 2025, up sharply from 2023. Group counts also doubled, showing ransomware is becoming more competitive and decentralized.
🔻 ATM Jackpotting Crackdown Expands
U.S. authorities announced additional charges against 31 individuals in an ATM jackpotting operation tied to Ploutus malware. The ring allegedly stole $5.4 million from 63 ATMs.
🔻 DeadLock Ransomware Uses Blockchain Smart Contracts
DeadLock ransomware operators are reportedly using Polygon smart contracts to rotate proxy server addresses and evade detection. The ransomware also uses AnyDesk and BYOVD techniques to disable security defenses.

🔻 Chainalysis: Chinese Money Laundering Networks Dominate Crypto Crime
Chainalysis reports Chinese-language laundering networks processed:
- $16.1B in 2025
- across 1,799+ active wallets
- estimated $44M per day
The report says illicit laundering ecosystems have grown from $10B in 2020 to over $82B in 2025.
🔻 SMS Fraud Surges in Canada
Fraudsters are impersonating government services and national brands using SMS scams and malicious ads. CloudSEK links much of this to the PayTool phishing ecosystem, commonly tied to fine/traffic payment scams.
Final Takeaway
The biggest lesson from this week is simple: cyber risk isn’t always a single explosive event.
It’s often a slow build — repeated weaknesses being exploited until they become normal. The patterns are clear:
- trust is being weaponized
- identity remains the main battlefield
- attackers are scaling operations like businesses
- and even “routine” platforms can become attack highways
The sooner defenders recognize these shifts, the easier it becomes to reduce damage before it spreads further.

