AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

Reducing the number of super admins in Google Workspaces

Apple fixes dangerous zero-day flaw affecting macOS, iOS and more, update now to avoid ‘extremely sophisticated attack’

Apple pushed updates across iOS, iPadOS, macOS, tvOS, watchOS, and visionOS to fix a critical dyld memory corruption bug (CVE-2026-20700) that can enable arbitrary code execution. Apple says it may have been used in an “extremely sophisticated” targeted attack. The issue was reported by Google’s Threat Analysis Group, which often tracks state-linked activity. If you have Apple devices in scope, prioritize patching anything that can be updated today.


Microsoft Addresses 6 Actively Exploited Zero-Days in February’s Patch Tuesday

Microsoft’s February Patch Tuesday includes fixes for 58 vulnerabilities, including six zero-days reported as actively exploited. The exploited set spans Windows Shell and MSHTML security feature bypasses, plus elevation-of-privilege issues in components such as Desktop Window Manager and Remote Desktop Services. The common theme is attackers chaining initial access with local privilege escalation to reach SYSTEM. Treat this as “patch now,” especially on endpoints and servers exposed to untrusted content and RDP.


Microsoft Warns of ClickFix Attack Abusing DNS Lookups

Microsoft reported a ClickFix variant that uses DNS lookups (for example, via nslookup) to retrieve a malicious payload, then executes it, blending into normal network behavior. The chain includes a Python-based reconnaissance step and ultimately deploys the ModeloRAT remote access trojan. The social engineering angle is the same: trick the user into running “fix” commands that do the attacker’s work. If you are tuning detections, look for unusual nslookup usage from interactive shells followed by script execution and outbound beaconing.
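As an added illustration that is not part of the original post or Microsoft’s report, the Python below sketches the detection idea described above: flag nslookup launched from an interactive shell when a script host starts in the same host and session shortly afterwards. The event fields, process lists, sample log lines and the 120-second window are all assumptions chosen for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample process-creation events (JSON lines), not real telemetry.
SAMPLE_LOG = """
{"ts": "2026-02-11T10:00:01", "host": "ws01", "session": 2, "proc": "powershell.exe", "parent": "explorer.exe"}
{"ts": "2026-02-11T10:00:05", "host": "ws01", "session": 2, "proc": "nslookup.exe", "parent": "powershell.exe"}
{"ts": "2026-02-11T10:00:40", "host": "ws01", "session": 2, "proc": "python.exe", "parent": "powershell.exe"}
{"ts": "2026-02-11T10:01:00", "host": "srv02", "session": 0, "proc": "nslookup.exe", "parent": "svchost.exe"}
{"ts": "2026-02-11T10:02:00", "host": "ws03", "session": 1, "proc": "nslookup.exe", "parent": "cmd.exe"}
{"ts": "2026-02-11T10:02:30", "host": "ws03", "session": 1, "proc": "notepad.exe", "parent": "cmd.exe"}
"""

# Assumed process lists; tune to your environment.
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"python.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def parse_events(text):
    """Parse JSON-lines process events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def find_clickfix_chains(events, window_seconds=120):
    """One alert per nslookup spawned by an interactive shell that is followed,
    in the same host/session and within the window, by a script host start.
    nslookup from a service (srv02) or with no follow-on script (ws03) is not flagged."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["proc"].lower() != "nslookup.exe" or ev["parent"].lower() not in INTERACTIVE_SHELLS:
            continue
        deadline = ev["ts"] + timedelta(seconds=window_seconds)
        for later in events[i + 1:]:
            if later["ts"] > deadline:
                break  # events are sorted, so nothing further can be in the window
            same_session = later["host"] == ev["host"] and later["session"] == ev["session"]
            if same_session and later["proc"].lower() in SCRIPT_HOSTS:
                alerts.append({"host": ev["host"], "session": ev["session"],
                               "nslookup_at": ev["ts"].isoformat(), "follow_on": later["proc"]})
                break
    return alerts

if __name__ == "__main__":
    for alert in find_clickfix_chains(parse_events(SAMPLE_LOG)):
        print(alert)
```

Outbound beaconing after the script start is a third signal worth joining in from network telemetry; the chain above is deliberately limited to process events so it runs on a single log source.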


Password managers less secure than promised

ETH Zurich researchers report serious issues in the security architecture of three popular cloud-based password managers, including scenarios where they could view or even change stored passwords during testing. The key takeaway is that “zero-knowledge” marketing does not automatically mean the provider has no practical way to influence or compromise vault contents. This is a good prompt to validate your password manager’s threat model, client integrity controls, and recovery flows. For high-risk accounts, pair password managers with phishing-resistant MFA and strong device security controls.


Snail mail letters target Trezor and Ledger users in crypto-theft attacks

Attackers are sending physical letters impersonating Trezor and Ledger, pushing “mandatory checks” with QR codes that lead to phishing sites. The pages try to steal wallet recovery phrases, which is effectively total account takeover for crypto wallets. The tactic is simple but effective because it bypasses email controls and creates urgency with deadlines. If you support execs or employees who hold crypto, consider a short internal alert: no vendor will ever ask for a seed phrase, and QR codes in unsolicited mail should be treated as hostile.
