AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 02/24/2026

AI-Augmented Threat Actor Compromises 600+ FortiGate Devices Across 55 Countries 

Amazon Threat Intelligence published findings detailing a Russian-speaking, financially motivated threat actor that used commercial generative AI tools to compromise more than 600 FortiGate devices spread across 55 countries between January 11 and February 18, 2026. Notably, the attackers exploited no FortiGate vulnerabilities — the entire campaign succeeded by targeting exposed management ports and accounts protected only by weak single-factor credentials, with AI services handling everything from tool development to reconnaissance and attack scripting at scale. Amazon CISO CJ Moses described the actor as having limited technical capabilities that were substantially amplified by widely available AI, a signal that the democratization of AI-assisted offensive operations is firmly underway and that the absence of software vulnerabilities is no longer a prerequisite for a high-volume, multi-country campaign. 

New MIMICRAT RAT Delivered via ClickFix Campaign Targeting Compromised Legitimate Sites 

Elastic Security Labs published a detailed analysis of a sophisticated, ongoing ClickFix campaign that compromises legitimate, trusted websites — including a financial BIN validation service and an investment platform — to deliver a previously unknown custom remote access trojan they’ve named MIMICRAT. The five-stage infection chain begins with malicious JavaScript injected into a breached site presenting a fake Cloudflare verification page, which social-engineers victims into pasting and executing a PowerShell command; subsequent stages disable Event Tracing for Windows (ETW) and AMSI (Antimalware Scan Interface) scanning before a Lua-based loader reflectively executes the final MIMICRAT payload entirely in memory. The fully featured C++ implant communicates over HTTPS on port 443 with C2 profiles mimicking web analytics traffic, supports token impersonation, SOCKS5 tunneling, and a 22-command dispatch table for comprehensive post-exploitation — and Elastic notes the campaign remains active as of publication. 

Google Patches First Chrome Zero-Day of 2026, CVE-2026-2441, Actively Exploited in the Wild 

Google issued an out-of-band emergency patch for CVE-2026-2441, a high-severity use-after-free vulnerability in Chrome’s CSS component that constitutes the browser’s first actively exploited zero-day of 2026. The flaw, reported by researcher Shaheen Fazim on February 11 and patched just two days later in Chrome 145.0.7632.75/76 for Windows/macOS and 144.0.7559.75 for Linux, allows a remote attacker to execute arbitrary code inside Chrome’s sandbox simply by getting a target to visit a specially crafted HTML page — no additional user interaction required. Google has declined to share technical specifics or attribute the active exploitation, but SecurityWeek notes the patch was cherry-picked directly into the stable channel rather than waiting for a scheduled release, indicating the seriousness with which Google is treating in-the-wild abuse. Opera and Vivaldi have also shipped fixes for the same CVE in their respective Chromium-based releases. 

CISA Issues BOD 26-02, Ordering Federal Agencies to Purge End-of-Life Edge Devices 

CISA’s Binding Operational Directive 26-02, issued earlier this month, is drawing renewed attention today as the agency released additional guidance explaining what compliance will require: federal civilian agencies must inventory all end-of-support (EOS) edge devices — including firewalls, routers, switches, load balancers, and wireless access points — within three months, begin decommissioning the most critical within 12 months, and replace all of them with vendor-supported hardware within 18 months. The directive was explicitly motivated by what CISA described as “widespread exploitation campaigns by advanced threat actors,” including nation-state groups like Volt Typhoon and Sandworm, who have repeatedly leveraged unpatched legacy devices as their initial foothold into federal networks. Security experts quoted in coverage of the directive cautioned that for many smaller agencies with poor asset visibility and stretched workforces, the inventory phase alone will be a significant operational challenge — and that federal budget cuts will compound the difficulty. 

Microsoft Discloses DNS-Based ClickFix Variant That Uses Nslookup to Stage Malware 

Microsoft’s threat research team has documented a novel variant of the increasingly prevalent ClickFix social engineering technique in which attackers instruct victims to run an nslookup command in the Windows Run dialog to perform a custom DNS lookup — with the DNS response itself serving as the delivery vehicle for the next-stage malware payload. The approach is a meaningful evolution of ClickFix tradecraft: by using a legitimate, built-in Windows tool and the DNS protocol rather than a direct file download or PowerShell web request, attackers can more easily bypass network-based security controls and proxy inspection that flag unusual outbound connections. Microsoft’s disclosure comes as ClickFix continues to proliferate across dozens of parallel threat actor campaigns globally, cementing its status as one of the most widely adopted initial access techniques of 2025-2026 and prompting defenders to reconsider how they monitor clipboard activity and Windows Run dialog usage. 
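A defender-side illustration of the monitoring point raised above, added here and not taken from Microsoft's report: a small triage routine that scans process-creation events for nslookup invocations that look like a Run-dialog launch performing a custom lookup. The log layout, the sample events and the scoring heuristic (explorer.exe parent, explicit record-type flag, explicit resolver argument) are constructed assumptions; adapt the parser to your own EDR or Sysmon export.

```python
import re
import shlex

# Constructed sample process-creation events (not from the Microsoft report);
# the "key=value" layout is an assumption, adapt the parser to your EDR export.
SAMPLE_EVENTS = """\
ts=2026-02-24T09:12:01Z parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\nslookup.exe cmd="nslookup -q=txt update.example.invalid 203.0.113.5"
ts=2026-02-24T09:13:44Z parent=C:\\Windows\\System32\\cmd.exe image=C:\\Windows\\System32\\nslookup.exe cmd="nslookup intranet.corp.example"
ts=2026-02-24T09:15:10Z parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe"
ts=2026-02-24T09:16:30Z parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\nslookup.exe cmd="nslookup -type=txt cfg.example.invalid"
"""

EVENT_RE = re.compile(r'ts=(\S+) parent=(\S+) image=(\S+) cmd="([^"]*)"')
# Windows nslookup spellings of the record-type switch.
TYPE_FLAG_RE = re.compile(r'^-(q|qt|querytype|type)=', re.IGNORECASE)

def analyze_nslookup(cmd, parent):
    """Return the reasons this nslookup invocation resembles the ClickFix
    variant; an empty list means nothing stood out."""
    reasons = []
    argv = shlex.split(cmd)[1:]          # drop the program name
    flags = [a for a in argv if a.startswith("-")]
    positional = [a for a in argv if not a.startswith("-")]
    # Processes started from the Run dialog are children of explorer.exe
    # (so are double-clicked shortcuts, hence this alone is not a verdict).
    if parent.lower().endswith("\\explorer.exe"):
        reasons.append("launched from explorer.exe (consistent with the Run dialog)")
    if any(TYPE_FLAG_RE.match(f) for f in flags):
        reasons.append("explicit record-type flag (custom lookup, not plain name resolution)")
    # A second positional argument is a resolver address, i.e. the query
    # bypasses the corporate DNS path that would normally see it.
    if len(positional) >= 2:
        reasons.append(f"explicit resolver {positional[1]} (bypasses corporate DNS)")
    return reasons

def scan(events):
    """Return (timestamp, reasons) for nslookup runs with two or more reasons."""
    hits = []
    for m in EVENT_RE.finditer(events):
        ts, parent, image, cmd = m.groups()
        if not image.lower().endswith("\\nslookup.exe"):
            continue
        reasons = analyze_nslookup(cmd, parent)
        if len(reasons) >= 2:
            hits.append((ts, reasons))
    return hits

if __name__ == "__main__":
    for ts, reasons in scan(SAMPLE_EVENTS):
        print(ts, "; ".join(reasons))
```

The second sample event (a plain lookup from a cmd.exe shell) is deliberately left unflagged so the threshold shows how the heuristic separates routine troubleshooting from the Run-dialog pattern.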
