In today’s cybersecurity news…
CISA orders urgent patch of Dell flaw
Following up on a story we covered yesterday, CISA has now ordered government agencies to “patch their systems within three days against a maximum-severity Dell vulnerability that has been under active exploitation since mid-2024.” The hardcoded-credential vulnerability (CVE-2026-22769) in Dell’s RecoverPoint (a solution used for VMware virtual machine backup and recovery) is being exploited by a suspected Chinese hacking group tracked as UNC6201. It is being used to deploy several malware payloads, including a backdoor called Grimbolt, which uses a compilation technique that makes it harder to analyze than its predecessor, the Brickstorm backdoor.
Android malware uses Gemini to navigate infected devices
According to researchers at ESET, the first Android malware strain that uses generative AI to improve its performance once installed has appeared, though it may be only a proof of concept. The goal of the malware, named PromptSpy, is to “deploy a VNC module that hands hackers remote control of infected devices.” ESET says it can instruct Google’s Gemini chatbot to interpret parts of the device’s user interface using natural-language prompts, which lets the malware examine the screen. That analysis then informs the gestures it executes on the device in order to keep the malicious app pinned to its recent apps list. ESET found versions of PromptSpy uploaded to VirusTotal in January, with the Gemini-assisted strains submitted from Argentina.
Half of all cyberattacks start in the browser, says Palo Alto Networks
According to Palo Alto Networks’ 2026 Global Incident Response report, which analyzed 750 major cyber incidents across 50 countries in 2025, 48% of cybercrime events involved browser activity. The report identifies “phishing, malicious links, credential-harvesting pages, spoofed websites, and even Clickfix” as browser-enabled tools. Among its 10 recommendations: use a password manager and ad blocker, switch to an anonymous search engine like DuckDuckGo, and “be wary of AI browsers.”
(ZDNet)
New commercial-grade phishing kit bypasses MFA
Named Starkiller, but unrelated to the red team penetration testing tool of the same name, this kit is distributed on the dark web in a software-as-a-service (SaaS) model, complete with subscription, updates and customer support. Whereas most other phishing kits use HTML clones of a victim’s login page, Starkiller launches a phishing site through a proxy running on infrastructure it controls, which makes it indistinguishable from the real login portal being used as a template. Because Starkiller proxies the real site live, “there are no template files for security vendors to fingerprint or blocklist.” This also enables it to bypass MFA “because the targeted user is authenticating with the real site through the proxy.”
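Proxy-based kits relay one-time codes because nothing in a password or TOTP ties the login to the site the user is actually on. Origin-bound authenticators (WebAuthn/FIDO2) are the usual mitigation, and the following added example (not code from the original story or from any vendor) shows why on the relying-party side: the browser, not the page, writes the origin into clientDataJSON and the authenticator hashes the relying-party ID into authenticatorData, so an assertion collected on a proxy domain fails the server's binding checks. Domain names, challenge values and the omission of signature verification are assumptions made for the demo.

```python
import base64
import hashlib
import json

# Constructed for the demo: the relying party's real ID and origin.
RP_ID = "login.example-bank.test"
EXPECTED_ORIGIN = "https://login.example-bank.test"


def b64url_decode(data: str) -> bytes:
    """WebAuthn fields are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def verify_assertion_binding(client_data_b64: str, authenticator_data: bytes,
                             expected_challenge: str) -> tuple:
    """Check the ceremony type, challenge, origin and rpIdHash of an assertion.
    Signature verification is deliberately left out; this isolates the binding
    checks that defeat a relay through another domain."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        # A proxy page lives on the attacker's domain, so the browser records
        # that domain here; the relying party sees the mismatch immediately.
        return False, "origin mismatch: " + str(client_data.get("origin"))
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def make_client_data(origin: str, challenge: str) -> str:
    """Build clientDataJSON the way a browser would (constructed sample input)."""
    payload = {"type": "webauthn.get", "challenge": challenge,
               "origin": origin, "crossOrigin": False}
    raw = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    return raw.rstrip("=")


def make_authenticator_data(rp_id: str) -> bytes:
    """Constructed authenticatorData: SHA-256(rpId), flags (UP set), counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")


if __name__ == "__main__":
    chal = "constructed-challenge-1"
    genuine = make_client_data(EXPECTED_ORIGIN, chal)
    relayed = make_client_data("https://login.example-bank.test.proxy-kit.test", chal)
    print(verify_assertion_binding(genuine, make_authenticator_data(RP_ID), chal))
    print(verify_assertion_binding(relayed, make_authenticator_data(RP_ID), chal))
```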
Huge thanks to our sponsor, Conveyor

France’s national bank account database suffers cyberattack
French authorities have confirmed that a malicious actor illegally accessed a portion of the country’s National Bank Accounts File (FICOBA), which records all bank accounts in the country. The database holds the bank account details of more than 80 million individuals; in this attack, it is believed that 1.2 million accounts were impacted. The hacker is said to have “impersonated a civil servant whose credentials allowed access as part of interministerial information exchanges” to query part of the database. A representative said the file contains a list of bank account details, but “does not provide access to the accounts themselves, nor to account balances, nor to transactions.”
Jackpotting on the rise due to malware-stuffed ATMs
The FBI says this technique is on the rise across the United States. ATM jackpotting is a technique where physical and software vulnerabilities in ATMs are exploited to “deploy malware that instructs the machine to dispense cash on demand without bank authorization.” Ploutus malware, “which is commonly used in these attacks, exploits eXtensions for Financial Services (XFS), an open-standard API that ATMs, POS terminals, and similar devices that run banking applications use.”
HHS seeking to learn more about third-party vendors in healthcare
The Department of Health and Human Services said on Thursday that its increased attention to the security of third-party service providers is a result of the 2024 Change Healthcare cyberattack, considered the biggest ever in the sector. The Change Healthcare attack began with hackers exploiting the lack of multifactor authentication on a remote access portal, HHS Cybersecurity Director Charlee Hess said at a recent conference. “We realized there are third-party risks lurking in our health care system, and we don’t even know they’re there,” she said.
Massiv Android banking malware poses as an IPTV app
Researchers at ThreatFabric have named this new Android banking malware Massiv. It poses as an IPTV (Internet Protocol Television) app to steal digital identities and access online banking accounts. The malware “relies on screen overlays and keylogging to obtain sensitive data and can take remote control of a compromised device.” The researchers observed Massiv targeting a Portuguese government app that connects with Portugal’s digital authentication and signature system. Such a procedure could be used to bypass know-your-customer (KYC) verifications or to access banking accounts and other public and private online services.