This blog is part of an ongoing series examining the findings in the February 2026 Cyber Threat Intel Report from Cyops. Read the full report here.
The February 2026 cyber threat landscape was loud, fast-moving, and unforgiving. From self-propagating supply chain worms and pre-authentication remote code execution vulnerabilities scoring a perfect 10.0, to 701 ransomware victims in a single month and a major FBI enforcement action against one of the dark web’s most notorious forums, there was no shortage of threat actor news to absorb, on top of huge shifts in international markets and geopolitical activity that will have long-term impacts on the cyber threat landscape.
We’ve been deep in the data. Our February 2026 Cyber Threat Intelligence Report is now available, and over the coming weeks we’ll be publishing a series of in-depth blogs breaking down the month’s most significant threats in detail, with technical analysis, attacker TTPs, and actionable guidance your team can put to work immediately.
Here’s a preview of what we’ll cover:
Two separate NPM-based campaigns made headlines in February. The buildrunner-dev malicious package used steganography to hide malware components inside PNG image files hosted on public platforms, ultimately delivering the Pulsar RAT through process hollowing. Meanwhile, a self-propagating worm dubbed SANDWORMMODE was observed stealing NPM and GitHub tokens and using them to poison additional repositories, turning each compromised developer environment into a new attack vector.
State-sponsored threat actors also got in on supply chain targeting: the Lotus Blossom group was found to have compromised Notepad++’s shared hosting infrastructure between June and December 2025, silently delivering Cobalt Strike beacons through the application’s update mechanism to users across multiple critical sectors worldwide.
If your team is shipping code or consuming open-source dependencies, this is one to watch.
February’s phishing activity raised the bar on adversarial sophistication. The Diesel Vortex group ran an industrial-scale Phishing-as-a-Service operation targeting US and European logistics companies for five months straight, harvesting over 1,600 credentials and intercepting MFA codes in real time, then using that access to redirect freight shipments and commit financial fraud. Standard MFA didn’t cut it when it came to defending against these sophisticated attacks.
Elsewhere, a fake Google Forms site targeted job seekers via LinkedIn, and a multi-stage campaign hitting Italian companies chained together obfuscated JavaScript, AES-encrypted PowerShell, reflective DLL loading, and process injection to deliver a TeslaAgent RAT variant, all while leaving minimal forensic trace.
February’s ransomware numbers are stark: 701 confirmed victims, with the United States the most targeted country and the technology sector absorbing the most damage. Qilin led all groups with 113 claimed victims, followed by TheGentlemen (83) and Clop (79). This number likely represents a small fraction of the organizations that fell victim to ransomware last month and either didn’t yet know (ouch), or chose not to report it.
Two newly analyzed ransomware families are worth putting on your radar now. Green Blood Group is a technically mature Golang-based double-extortion operation that disables VSS, wipes backup catalogs, kills the Windows Recovery Environment, and self-destructs post-encryption to limit forensic recovery. 0APT surfaced in late January promoting a RaaS model with aggressive victim claims. While researchers have flagged credibility concerns around the volume of those claims, the group possesses functional ransomware and demonstrates that extortion pressure doesn’t require a confirmed breach to cause organizational damage.
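The anti-recovery behaviours described above (shadow copy deletion, backup catalog wiping, disabling the Windows Recovery Environment) are visible in process-creation telemetry. The following is an added example, not code from the report or from Cynet: a small triage routine that runs command-line rules over constructed Sysmon-style events and alerts only when several distinct techniques appear together, which is far more specific than any single command. The event format and the rule names are assumptions.

```python
import re

# Constructed sample process-creation events in a hypothetical
# (pid, image, command_line) shape; not taken from the report.
SAMPLE_EVENTS = [
    (4120, "C:\\Windows\\System32\\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (4131, "C:\\Windows\\System32\\wbadmin.exe", "wbadmin delete catalog -quiet"),
    (4140, "C:\\Windows\\System32\\bcdedit.exe", "bcdedit /set {default} recoveryenabled No"),
    (4152, "C:\\Windows\\System32\\reagentc.exe", "reagentc /disable"),
    (4160, "C:\\Windows\\System32\\notepad.exe", "notepad C:\\Users\\alice\\notes.txt"),
]

# One rule per anti-recovery technique named in the post (assumed names).
RULES = {
    "vss_shadow_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "backup_catalog_wipe": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "winre_disabled": re.compile(
        r"(bcdedit.*recoveryenabled\s+no|reagentc(\.exe)?\s+/disable)", re.I),
}


def classify(command_line):
    """Return the rule names matched by a single command line."""
    return [name for name, rx in RULES.items() if rx.search(command_line)]


def triage(events, min_distinct=2):
    """Score a batch of events. A lone vssadmin call can be legitimate
    admin work; two or more distinct techniques in one batch is the
    pattern worth paging on."""
    hits = []
    seen = set()
    for pid, _image, cmd in events:
        for rule in classify(cmd):
            hits.append((pid, rule))
            seen.add(rule)
    return {"hits": hits, "distinct": sorted(seen), "alert": len(seen) >= min_distinct}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for pid, rule in result["hits"]:
        print(f"pid {pid}: {rule}")
    print("ALERT" if result["alert"] else "no alert", result["distinct"])
```

Post-encryption self-deletion is not covered here; it is better caught by file-deletion telemetry on the encryptor binary than by command-line patterns.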
The monthly vulnerability review surfaced several items that should already be in your patching queue. Highlights include:
If any of these assets are in your environment and unpatched, they need to move to the top of the queue today.
The FBI’s seizure of RAMP, one of the few underground forums that openly permitted ransomware promotion and affiliate recruitment, was one of February’s most significant law enforcement actions. Groups including LockBit, ALPHV, Conti, DragonForce, and Qilin all maintained a presence on the platform at various points.
The forum operator publicly confirmed the takedown. But history tells us what comes next: fragmentation, migration to alternative platforms, and eventual reconsolidation. Early signs already point to groups like DragonForce increasing activity on platforms such as ReHub. The seizure is not a structural end to ransomware operations, but hopefully causes enough disruption to buy security teams more time to strengthen operations.
This roundup is just the starting point. Throughout the month, we’ll be publishing dedicated in-depth blogs covering:
Each post will go deeper on attacker TTPs, detection opportunities, and prioritized defensive actions drawn directly from the intelligence.
The blogs in this series will cover the highlights, but the full report goes much further, including complete static and dynamic malware analysis for Green Blood Group, Morbius Stealer, and 0APT, a full phishing campaign breakdown with IOCs, the complete high-score vulnerability review with patch guidance, and our Cynet Lighthouse darknet intelligence section.