This is a monthly newsletter I put together for an internal security awareness program. Feel free to grab and use it for your own program.
Sophisticated ClickFix Campaign Targeting the Hospitality Sector
A recent phishing campaign has been observed targeting the hospitality industry with a refined version of the ClickFix social-engineering technique. In this variant, victims are presented with what appears to be a routine human-verification prompt or CAPTCHA, but the displayed “fix” instructions lead them to execute commands on their systems. Once executed, these commands deploy remote-access malware that gives attackers control over endpoints, enabling credential theft, data exfiltration, or further malicious activity. Because the campaign leverages familiar prompts and trusted branding, users may be more likely to follow the steps without suspecting foul play.
Key Insights
Attackers are tailoring ClickFix lures to the hospitality sector’s workflows and terminology.
The campaign uses fake verification prompts that instruct victims to run benign-looking commands.
Executing these commands installs remote-access malware that compromises devices.
Social engineering remains a powerful vector when paired with familiar user interactions.
Further Reading: SecurityWeek
Analyzing PhaltBlyx: Fake BSODs and Trusted Build Tools Used to Construct a Malware Infection
Researchers have dissected a malware campaign involving PhaltBlyx, a deceptive infection method that combines social engineering with abuse of trusted development tools and fake system prompts. In this technique, victims encounter what appears to be a Blue Screen of Death (BSOD) or other alarming system error. Instead of indicating a real crash, the fake BSOD is used to convince the user to run repair or diagnostic tools — including legitimate build tools — that have been co-opted to execute malicious scripts. Once launched, these components pull additional payloads and establish persistence, often evading traditional security defenses because they’re routed through trusted binaries.
Key Insights
Fake system errors like bogus BSODs are used to create urgency and lower user skepticism.
Attackers abuse trusted development/build tools to execute malicious scripts, making detection harder.
Once executed, these scripts fetch and deploy additional malware components.
Using legitimate tools helps the infection evade security controls that trust known binaries.
Further Reading: Securonix
The Truman Show Scam: Trapped in an AI-Generated Reality
Researchers describe a mobile-focused scam dubbed The Truman Show Scam in which attackers use AI-generated audio and video to create highly convincing fake scenarios that manipulate victims. The scam leverages generative media to simulate trusted individuals or realistic situations — for example, mimicking a friend, coworker, or service agent — in order to extract sensitive information, push fraudulent transactions, or coerce victims into risky actions. The use of AI increases the believability of the bait, making traditional skepticism and simple heuristics less effective.
Key Insights
Attackers leverage AI-generated audio/video to simulate real people or situations with high fidelity.
The convincing nature of generative media reduces user suspicion and increases interaction rates.
Scams may involve spoofed identities of friends, colleagues, or service representatives.
AI media can be used to pressure victims into disclosing credentials, payment details, or other sensitive data.
Further Reading: Check Point Mobile Security Blog
Cyber Criminal Ecosystem Analysis
Researchers have mapped the modern cyber criminal ecosystem, revealing how threat actors operate with increasing organization and specialization. Instead of lone attackers working in isolation, today’s underground economy functions more like a service industry — with distinct roles and marketplaces for phishing kits, malware, access brokers, and human-based attack services. This division of labor allows even low-skilled attackers to launch sophisticated campaigns by purchasing tools, infrastructure, or privileged access from others. Understanding this ecosystem helps defenders anticipate how capabilities and services evolve and how attacks scale.
Key Insights
The cyber criminal ecosystem now resembles a service economy with specialized roles and offerings.
Tool-and-infrastructure marketplaces lower the barrier to entry for new attackers.
Access brokers sell privileged access and footholds, enabling rapid exploitation.
Services like phishing-as-a-service and malware distribution are commoditized.
Human-based services (e.g., social-engineering or insider collaboration) are part of the overall attack chain.
Further Reading: Push Security
CrashFix Browser Extension Campaign Delivers ModeloRAT
Researchers identified a campaign linked to the threat actor KongTuke that uses a malicious browser extension to compromise systems. The extension poses as a legitimate utility, such as an ad blocker, but is designed to intentionally destabilize the browser. Victims are then presented with fake error messages that guide them into executing attacker-controlled commands, ultimately leading to the installation of a remote-access Trojan.
Key Insights
The attack relies on a malicious browser extension disguised as a legitimate tool.
The extension deliberately crashes the browser to prompt user interaction.
Victims are socially engineered into running commands that install additional malware.
Corporate, domain-joined systems are targeted with more advanced payloads.
The technique combines social engineering with browser abuse rather than traditional phishing links.
Further Reading: Huntress
Microsoft Remains the Most Imitated Brand in Phishing Attacks in Q4 2025 (Check Point Research)
Check Point Research reports that Microsoft continued to be the most frequently impersonated brand in phishing attacks during Q4 2025. Attackers consistently leverage trusted, widely used brands to increase the likelihood of user interaction and credential compromise, particularly for access to email, cloud services, and productivity platforms. Technology companies remain the most attractive targets due to the value of associated identities and accounts.
Key Insights
Microsoft accounted for the largest share of brand-based phishing attempts in Q4 2025.
Technology brands dominate phishing campaigns due to their broad user bases and access value.
Other commonly impersonated brands included Google, Amazon, Apple, and Meta.
Phishing lures often rely on realistic branding and subtle impersonation techniques to appear legitimate.
Further Reading: Check Point Research
Hackers Use LinkedIn Messages to Spread Malware via Job Scams
Attackers are leveraging LinkedIn messaging to distribute malware through seemingly legitimate job opportunities and recruitment outreach. The campaign involves sending direct messages that appear to come from real LinkedIn contacts or credible recruiters, offering job details and enticing users to download attachments or click links that lead to malware. Because the messages originate from within LinkedIn — a trusted professional network — users may be more likely to engage, making this a potent vector for social engineering and malware distribution.
Key Insights
LinkedIn is being abused as a delivery channel for malware via direct messages tied to job offers or recruitment.
Messages mimic legitimate recruiters or contacts, increasing the chances that recipients will engage.
Malicious attachments or links in the message lead to malware downloads.
Trust in professional networking platforms lowers skepticism and can bypass some security filters.
Further Reading: The Hacker News
Phishing Emails Impersonating LastPass
A new phishing campaign is targeting LastPass users with emails that appear to come from the company. The messages claim that LastPass is performing maintenance and urge recipients to take urgent action, such as creating a backup of their password vault. These emails are designed to trick people into visiting fake websites where attackers attempt to steal login information.
Key Points
The emails falsely warn about upcoming account or system changes to create a sense of urgency.
Recipients are directed to click links that lead to look-alike websites pretending to be LastPass.
The fake sites are used to capture master passwords, which could expose all stored accounts.
The messages use familiar branding and language to appear legitimate.
Password manager users are being singled out because access to one account can unlock many others.
Further Reading: LastPass
Spam Emails Sent From Hijacked Support Systems
A large wave of spam emails has been sent after attackers abused customer support systems that rely on automated responses. By submitting fake support tickets, the attackers triggered confirmation messages to be sent to large numbers of people. Because these emails came from real company support systems, many appeared legitimate and were delivered successfully.
Key Points
Fake support tickets were submitted to trigger automatic email responses.
The resulting emails were sent from real company support addresses, making them look trustworthy.
Subject lines were often strange or alarming, causing confusion for recipients.
The spam affected many organizations at the same time, not just one company.
The issue highlights how automated systems can be misused at scale.
Further Reading: BleepingComputer
Fake CAPTCHA Pop-Ups Used to Trick Website Visitors
A campaign known as ClearFake is using compromised websites to display fake verification pop-ups that look like routine security checks. These prompts guide visitors through simple steps that appear harmless but actually trigger hidden commands on their computers. Because the scam appears on real, trusted websites, it can be difficult for everyday users to recognize what’s happening.
Key Points
Legitimate websites are being altered to display fake verification messages.
The pop-ups instruct users to perform basic actions that quietly run harmful commands.
Familiar technology and services are used to make the activity seem normal.
Once the commands run, additional unwanted software can be installed without clear warning.
The use of trusted websites and common prompts increases the likelihood of user interaction.
Further Reading: Expel
Disinformation Campaigns Exploit European Online Conversations
Misleading stories linked to Russian sources are spreading across websites and social media by tapping into real concerns and debates within European countries. These narratives often take familiar topics—such as politics, the economy, or public safety—and reshape them in ways that blur facts and fiction. By blending false claims with real issues people already care about, the content is more likely to be shared and believed.
Key Points
False or misleading stories are tailored to specific European audiences rather than using one-size-fits-all messaging.
Real events or concerns are often used as a starting point, then distorted to push a misleading narrative.
The origin and intent of the content can be difficult to identify, making it harder to judge credibility.
Social media and lesser-known websites play a major role in spreading these narratives.
The mix of truth and falsehood can make misleading information feel more convincing to everyday readers.
Further Reading: NewsGuard Reality Check
2026 Threat Forecast: Top Cyberattacks Set to Increase Enterprise Exposure
Email remains the primary entry point for attackers, and emerging campaigns are increasingly focused on exploiting trust, identity, and routine workflows to bypass defenses. Threat actors are layering social engineering techniques with technical evasion methods to increase success rates and reduce detection, signaling a continued shift toward human-centric attack vectors.
Key Insights
Attackers are refining multi-stage phishing workflows (e.g., QR codes and vendor impersonation) to condition targets and evade security controls.
Social engineering remains central, with threat actors embedding themselves in legitimate communication threads to increase credibility.
Look-alike domains, branding mimicry, and personalized phishing pages are becoming more common to improve credential theft success.
Email continues to be the most reliable initial access vector due to its ubiquity and reliance on human interaction.
Further Reading: Abnormal AI
Phishing Messages Masquerade as Collaboration Platform Invites
A phishing campaign is abusing trusted collaboration platform notifications to deliver scam messages that look like legitimate invitations. By using real platform features, the messages appear routine and familiar, increasing the chances that recipients engage without questioning them. Instead of pushing malicious links, the messages often steer people toward fake support interactions.
Key Points
Legitimate collaboration platform features are being used to send deceptive invitations.
Messages are designed to look like normal work notifications, such as billing or subscription alerts.
Some scams avoid links entirely and instead prompt users to contact fraudulent support numbers.
The volume of messages is high, affecting users across many organizations.
Familiar workplace tools are being leveraged to make scams feel routine and trustworthy.
Further Reading: Check Point
Phishing Kits Now Work Hand-in-Hand With Phone Scams
Attackers are using specialized phishing tools designed to support phone-based scams. During these calls, the scammer can control what the victim sees in their browser in real time, matching on-screen prompts to the caller’s script. This coordination makes fake login pages and security checks appear more believable, increasing the chances that victims unknowingly hand over account access.
Key Points
Phishing tools are being built to support live phone scams, not just fake emails or websites.
Scammers can change what appears on a victim’s screen while talking to them.
Real-time control helps attackers react immediately to login or verification steps.
The combination of phone calls and on-screen prompts makes scams feel more legitimate.
Common security checks can be misused when attackers guide victims step by step.
Further Reading: Okta
Password Manager Adds Pop-Up Warnings for Fake Websites
1Password has introduced a new safety feature designed to stop people from accidentally entering their login details on fake websites. When someone tries to paste saved credentials into a site that doesn’t match the correct web address, a warning pop-up appears. This pause is meant to help users notice suspicious sites before sensitive information is shared.
Key Points
A warning appears when login details are pasted into a site that doesn’t match the saved address.
The feature helps catch look-alike websites that imitate real brands and services.
It adds an extra moment of pause before sensitive information is entered.
Existing protections that block automatic filling on suspicious sites are reinforced.
Many users will receive this protection automatically through their password manager.
Further Reading: BleepingComputer
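The origin check behind a warning like this, as an added illustration (not 1Password's code): the saved login is compared against the page it is about to be pasted into, and a warning is raised for look-alike hosts, a different registrable domain, punycode hostnames, or a downgrade from HTTPS. The short public-suffix set is a constructed subset of the real Public Suffix List.

```python
"""Decide whether a password manager should warn before a saved login is
pasted into the page currently open. Added example; the suffix set below
is a constructed subset (assumption) of the full Public Suffix List."""
from urllib.parse import urlsplit

# Constructed subset of multi-label public suffixes; a real implementation
# ships the complete Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of a host, e.g. 'accounts.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def should_warn(saved_url: str, current_url: str) -> tuple:
    """Return (warn, reason). Warn when the current page is not the site the
    credential was saved for, or when the connection is weaker than saved."""
    saved, cur = urlsplit(saved_url), urlsplit(current_url)
    saved_host, cur_host = (saved.hostname or ""), (cur.hostname or "")
    if not saved_host or not cur_host:
        return True, "could not parse a hostname"
    # Internationalised (punycode) host where the saved site had none: classic homograph.
    if "xn--" in cur_host and "xn--" not in saved_host:
        return True, "punycode hostname differs from saved site"
    # Different registrable domain covers both 'example-login.com' and
    # 'example.com.evil.net'; a subdomain of the saved site is still allowed.
    if registrable_domain(cur_host) != registrable_domain(saved_host):
        return True, f"site {cur_host} does not match saved {saved_host}"
    if saved.scheme == "https" and cur.scheme != "https":
        return True, "saved login was for HTTPS but this page is not HTTPS"
    return False, "same site"


if __name__ == "__main__":
    saved = "https://login.example.com/signin"   # constructed saved entry
    for page in ["https://login.example.com/signin",
                 "https://accounts.example.com/",
                 "https://example.com.login-verify.net/",
                 "https://example-login.com/",
                 "http://login.example.com/signin",
                 "https://xn--exmple-cua.com/"]:
        print(page, should_warn(saved, page))
```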
Fake CAPTCHA Prompts Used to Trick Users Into Installing Malware
Researchers have identified a scam that uses fake “CAPTCHA” verification screens to deceive users into installing malicious software. Instead of a simple checkbox, these prompts instruct people to copy and run a command on their own device, which secretly launches malware designed to steal sensitive information. Because the steps look like a normal verification process, many users don’t realize anything is wrong until after their system is compromised.
Key Points
Fake CAPTCHA pages instruct users to manually run commands as part of a supposed verification step.
Following these instructions can silently install malware on the device.
The malware is designed to collect sensitive data such as saved passwords and browser information.
Trusted system tools are abused to make the activity look legitimate.
The attack relies heavily on user interaction, making it harder to spot at first glance.
Further Reading: Blackpoint Cyber
Scam Emails Abuse a Real Microsoft Address
Scammers are sending fraudulent emails that appear to come from a legitimate Microsoft notification address, making the messages look trustworthy at first glance. Because these emails originate from a real Microsoft service that some organizations allow by default, they can slip past spam filters and land directly in inboxes. The messages often claim an urgent issue, such as an unexpected charge, and push recipients to take immediate action.
Key Points
Scam messages are being sent from a real Microsoft notification address.
The emails are designed to look authentic and bypass some email filters.
Messages often create urgency by claiming billing or account problems.
Recipients may be directed to call a phone number controlled by scammers.
Trusted services can be abused to make scams more convincing.
Further Reading: Ars Technica
Exposed AI Bot Gateways Leak Chats and Sensitive Data
Security researchers found that numerous publicly accessible control panels tied to an AI bot framework known as Clawdbot (also called OpenClaw or Moltbot) were left exposed online without proper protection. These misconfigured gateways made it possible for outsiders to view private chat histories and sensitive technical details, raising concerns about how easily personal or organizational data can be leaked through poorly secured tools.
Key Points
Many AI bot gateways were publicly accessible with no authentication required.
Exposed interfaces allowed access to private chat logs and conversation history.
Sensitive information such as API keys and access tokens was also visible.
The bots integrate with messaging platforms, increasing the potential impact of exposure.
The issue highlights risks tied to insecure configurations and default settings.
Further Reading: CybersecurityNews
Fake Dropbox Emails Used to Steal Login Details
Attackers are circulating phishing emails that impersonate Dropbox and attempt to trick recipients into handing over their account credentials. The messages often look like routine business communications and include a PDF attachment. When opened, the document directs the user to a fake Dropbox login page designed to capture usernames and passwords.
Key Points
Phishing emails are crafted to look like legitimate Dropbox notifications or file-sharing messages.
PDF attachments are used to make the email appear business-related and trustworthy.
Links inside the document lead to counterfeit login pages.
Entered credentials are captured by attackers and can be reused to access other accounts.
The technique relies on familiar brands and file formats to lower suspicion.
Further Reading: CybersecurityNews
