The Cyber Byte - 24 February 2026
This edition highlights the use of Artificial Intelligence by threat actors, ranging from less-skilled operators using commercial AI to achieve mass compromise of network devices to sophisticated malware deploying generative AI for dynamic attacks [8][9][10]. As these AI-driven threats grow, the cybersecurity industry is responding with its own AI-powered defensive tools and specialized training programs to address the workforce skills gap [2][3]. Concurrently, high-impact ransomware attacks continue to disrupt critical sectors, with a major semiconductor supplier and a university medical center facing significant operational shutdowns, highlighting persistent vulnerabilities in global supply chains and healthcare [1][5].
Significant Cyber Incidents and Articles of Interest
Advantest Ransomware Attack: Advantest Corporation, a leading Japanese supplier of semiconductor test equipment, disclosed a ransomware attack detected on February 15, 2026. The incident has disrupted multiple systems within the company’s network. While Advantest has not confirmed ransom details or if production has been halted, the attack highlights the potential threat to the global chip supply chain, potentially causing delays for major fabs like TSMC and Intel that rely on its test equipment for AI chips, 5G components, and IoT devices. This event underscores the fragility of the technology supply chain and how threat actors are targeting critical manufacturing hubs [1].
University of Mississippi Medical Center (UMMC) Ransomware Attack: UMMC, one of Mississippi's largest employers, was forced to close all its statewide clinics on February 20, 2026, following a ransomware attack. The attack disabled numerous IT systems and blocked access to electronic medical records, prompting the activation of its Emergency Operations Plan. Hospital services are continuing under downtime procedures, but outpatient appointments and surgeries have been canceled. UMMC officials confirmed they are in communication with the attackers and are working with the FBI and CISA, highlighting the severe, immediate impact of ransomware on patient care and healthcare operations [5].
AI-Augmented FortiGate Compromise: A Russian-speaking, financially motivated threat actor compromised over 600 FortiGate devices in more than 55 countries between January and February 2026. The campaign did not exploit vulnerabilities but instead used commercial generative AI services to scale attacks against internet-exposed management interfaces with weak, single-factor authentication credentials. The actor, assessed as having low-to-medium skill, leveraged AI for every stage of the operation, from generating attack plans and custom tooling to conducting post-exploitation activities, including Active Directory compromise and targeting backup infrastructure. This incident demonstrates how AI is lowering the barrier to entry, enabling less sophisticated actors to conduct large-scale campaigns by exploiting fundamental security weaknesses [10].
Rapid Weaponization of SmarterMail Flaws: Recently disclosed critical vulnerabilities in SmarterMail email servers, including an unauthenticated remote code execution flaw (CVE-2026-24423), are being rapidly weaponized. Within days of disclosure, threat actors were observed on underground Telegram channels sharing proof-of-concept exploits, offensive tools, and stolen administrator credentials. CISA has confirmed active exploitation in ransomware campaigns, where attackers use the vulnerabilities to gain initial access before moving laterally. This trend highlights the shrinking timeline from disclosure to mass exploitation and reinforces the status of email servers as high-value targets for compromising enterprise identity infrastructure [7].
Defensive and Industry Developments
Anthropic Launches AI-Powered Code Security Tool: Anthropic has released a limited research preview of Claude Code Security, a new capability designed to empower cybersecurity defenders. Unlike traditional rule-based scanners, this tool uses AI to reason about code like a human researcher, enabling it to find complex, context-dependent vulnerabilities such as business logic flaws and broken access controls. The system scans codebases, identifies potential issues, suggests targeted software patches for human review, and provides severity and confidence ratings to help teams prioritize fixes. The initiative aims to put powerful defensive AI capabilities into the hands of security teams to counter the growing threat of AI-enabled attacks [2].
EC-Council Expands AI Certifications to Address Workforce Gap: The EC-Council has launched a new Enterprise AI Credential Suite featuring four role-based certifications to address the growing gap between AI adoption and workforce readiness. Citing a potential $5.5 trillion in global AI risk and a 700,000-person reskilling gap in the U.S., the new certifications are designed to provide practical capabilities across AI adoption, security, and governance. The initiative aligns with U.S. government priorities on workforce development and aims to equip professionals and cybersecurity leaders with the skills needed to scale AI confidently and manage its associated risks securely [3].
Threat Actor Activity
A variety of threat actor TTPs have been observed, showcasing an increasing reliance on automation, AI, and sophisticated evasion techniques.
Arkanix Stealer: Active since October 2025, this Malware-as-a-Service (MaaS) operation advertised on dark web forums and used a Discord server for customer communication and support, even featuring a referral program. Distributed via phishing, Arkanix has both C++ and Python versions and is designed to steal a wide range of data, including system information, browser credentials, cookies, cryptocurrency wallets, and session data from Telegram, Discord, and numerous gaming platforms. Though the campaign appears to have concluded in December 2025, it exemplifies the professionalization of cybercrime services [6].
Pulsar RAT via NPM Typosquatting: A malicious NPM package named
buildrunner-devwas found typosquatting a legitimate, abandoned package. The malware uses an obfuscated, multi-stage attack chain that downloads a payload hidden within the pixels of a PNG image using steganography. The final payload is the Pulsar Remote Access Trojan (RAT), delivered via a .NET loader that employs advanced evasion techniques, including process hollowing, multiple Anti-Malware Scan Interface (AMSI) bypasses, and specific logic to evade different antivirus products. This TTP highlights the growing threat of software supply chain attacks using novel concealment methods [4].PromptSpy Android Malware: Researchers discovered PromptSpy, the first known Android malware to incorporate generative AI into its execution flow. Believed to be targeting users in Argentina, the malware's primary function is to deploy a VNC module for full remote device control. It uniquely uses Google's Gemini AI to dynamically interpret the device's on-screen UI and generate instructions for automated gestures. This allows it to adaptively perform actions like locking itself in the "recent apps" list for persistence, a task that is difficult to automate with traditional scripts across different Android versions and manufacturer skins [9].
AI as a C2 Proxy: Check Point Research discovered a new technique that has been demonstrated, showing how threat actors can abuse AI web services like Microsoft Copilot and Grok as covert command-and-control (C2) proxies. By sending prompts that instruct the AI to fetch and summarize an attacker-controlled URL, malware can exfiltrate data via URL query parameters and receive commands back in the AI's response. This method allows C2 traffic to blend with legitimate, often-permitted AI service traffic and can be executed without an API key or registered user account, making it difficult to block [8].
Indicators to Watch
New Malware Variants
Arkanix Stealer: A feature-rich MaaS info-stealer with C++ and Python implementations targeting credentials, cryptocurrency wallets, and gaming platform data [6].
Pulsar RAT via Steganography: A .NET RAT delivered through the malicious NPM package
buildrunner-dev, which hides its payload inside PNG images downloaded from free image-hosting services [4].PromptSpy: The first Android malware observed using generative AI (Google Gemini) to achieve persistence by dynamically manipulating the device UI. Its primary payload is a VNC module for remote control [9].
Indicators of Compromise
NPM Package:
buildrunner-dev[4].Arkanix Stealer C2 Domains:
arkanix[.]pw,arkanix[.]ru[6].PromptSpy C2 IP:
54.67.2[.]84[9].FortiGate Campaign Threat Actor IPs:
212[.]11.64.250,185[.]196.11.225[10].
Emerging TTPs and Behavior Patterns
AI as C2 Proxy: Monitor for unusual or automated patterns of communication with AI web services (e.g., Grok, Copilot), particularly requests to fetch or summarize external URLs, which could indicate C2 tunneling [8].
Payloads Hidden in Images: Be suspicious of processes downloading PNG files from public hosting sites like
i.ibb[.]co, as these may be steganographic containers for malware [4].AI-Augmented Attacks: Expect a potential increase in large-scale attacks exploiting fundamental security gaps (e.g., exposed management ports, weak credentials) as less-skilled actors use AI to automate reconnaissance and generate tooling [10].
Typosquatting of Abandoned Packages: Monitor for newly published open-source packages that mimic the names of dormant or abandoned projects, as this is a key vector for supply chain attacks [4].
