Weekly Summary Cyberattacks February 19-25
North Korean Lazarus Group Now Working With Medusa Ransomware
Cybersecurity researchers reported that the North Korean state-linked Lazarus Group has expanded its operational playbook to include Medusa ransomware, a prolific ransomware-as-a-service (RaaS) strain managed by the Spearwing cybercrime operation, in ongoing extortion campaigns targeting critical sectors such as healthcare. Medusa itself has been observed in hundreds of attacks since its emergence as a RaaS offering in 2023, with affiliate actors encrypting victim networks and extorting organizations through a combination of double extortion tactics (encrypting files and threatening to publish exfiltrated data) and more aggressive pressure techniques.
SURXRAT: Android RAT Downloads Large LLM Module from Hugging Face
SURXRAT, a commercial Android Remote Access Trojan (RAT), has been evolving to leverage large language model (LLM) modules hosted on the Hugging Face platform as part of its operational behavior. SURXRAT is actively marketed and distributed through a Telegram-based malware-as-a-service (MaaS) ecosystem under the SURXRAT V5 brand, enabling affiliates and resellers to build and deploy custom malware builds while central operators retain control of infrastructure and updates. This modular malware framework blends traditional Android RAT capabilities with increasingly sophisticated experimentation, including extensive data harvesting and conditional downloads of large AI components from public model repositories. Technically, SURXRAT operates as a full-featured surveillance and device-control platform, collecting sensitive information such as SMS messages, contacts, call logs, location data, browser activity, and more.
AI-Assisted Threat Actor Compromises 600+ Devices in 55 Countries
Researchers discovered a Russian-speaking, financially motivated threat actor who leveraged multiple commercial generative AI services to compromise more than 600 devices across over 55 countries between January 11 and February 18, 2026. The campaign did not exploit any vulnerabilities; instead, it relied on exposed management interfaces and weak, single-factor authentication credentials, demonstrating how AI can enable low-to-medium-skill actors to operate at scale.
Starkiller: New Phishing Framework Proxies Real Login Pages to Bypass MFA
A new commercial phishing framework known as Starkiller has emerged as an enterprise-grade cybercrime platform designed to proxy legitimate login pages in real time and bypass multi-factor authentication (MFA). Marketed by a threat group calling itself Jinkusu and explicitly distinguished from the legitimate BC Security red team tool of the same name, Starkiller is distributed as a SaaS-style product that enables low-skill operators to deploy sophisticated man-in-the-middle phishing campaigns with minimal technical knowledge. Unlike traditional phishing kits that rely on static HTML clones of login pages, Starkiller launches a headless Chrome instance inside a Docker container, loads the authentic website, and operates as a reverse proxy between the victim and the legitimate service. As a result, victims are served genuine HTML, CSS, and JavaScript content directly from the real site through attacker-controlled infrastructure, eliminating outdated templates and reducing the effectiveness of page fingerprinting and blocklisting defenses.
GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack
GrayCharlie, a threat actor active since mid-2023 and overlapping with SmartApeSG (also referred to as ZPHP or HANEYMANEY), is conducting widespread compromises of WordPress websites to distribute remote access malware. The group hijacks legitimate sites by injecting malicious JavaScript that redirects visitors to attacker-controlled infrastructure, ultimately delivering NetSupport RAT via fake browser update pages or ClickFix lures. In several cases, infections have progressed to the deployment of StealC and SectopRAT, suggesting a broader post-compromise toolkit focused on remote access and data theft. GrayCharlie’s activity spans multiple industries globally, but researchers identified a notable cluster of at least fifteen compromised U.S. law firm websites. Investigators assess that this cluster may stem from a supply-chain compromise involving a shared IT provider.