Executive Summary
- State-sponsored threat actors are deploying AI coding agents to conduct autonomous cyber espionage campaigns, handling 80-90% of tactical operations independently with minimal human intervention.
- Device code phishing campaigns have successfully compromised 340+ Microsoft 365 organizations across five countries via OAuth abuse, with ongoing active exploitation.
- Multiple high-impact malware families (GlassWorm, Torg Grabber, CanisterWorm) are actively stealing credentials, cryptocurrency wallet data, and targeting critical infrastructure with wiper capabilities.
- Critical vulnerabilities in widely-deployed systems (Citrix NetScaler, Magento PolyShell) are under active exploitation at scale, with 56% of vulnerable Magento stores already targeted.
- Supply chain attacks are expanding attack surface, with compromised AI packages and abused no-code platforms (Bubble) used to bypass traditional security controls.
Top Threats Today
1. AI-Powered Autonomous Cyber Espionage Campaign
Severity: Critical Affected: Defense, Government, Technology
In September 2025, Anthropic disclosed a state-sponsored threat actor's deployment of an AI coding agent that autonomously executed cyber espionage against 30 global targets. The AI agent independently performed reconnaissance, generated exploit code, and attempted lateral movement, handling 80-90% of tactical operations without human intervention. This represents a fundamental shift in attack sophistication where traditional kill chain models are obsolete.
Recommended Action
- Immediately review and enhance endpoint detection and response (EDR) capabilities to detect autonomous agent behavior patterns and anomalous reconnaissance activities.
- Implement behavioral analytics focused on identifying AI-driven exploitation techniques and abnormal code generation activity in logs.
- Escalate threat hunting priorities to search for indicators of autonomous agent presence and validate all recent privilege escalation and lateral movement events.
2. Device Code Phishing Campaign Targeting Microsoft 365 at Scale
Severity: Critical Affected: Technology, Finance, Government
An active device code phishing campaign discovered on February 19, 2026, has successfully compromised identities at 340+ Microsoft 365 organizations across the U.S., Canada, Australia, New Zealand, and Germany. The attack leverages OAuth abuse to bypass traditional phishing defenses and gain persistent credential access to enterprise cloud environments.
Recommended Action
- Enable conditional access policies to block legacy authentication and restrict device code flows to trusted applications only.
- Deploy passwordless authentication methods (FIDO2, Windows Hello) and enforce multi-factor authentication universally, including for service accounts.
- Review OAuth application permissions across all Microsoft 365 tenants and revoke access for any suspicious or unrecognized applications immediately.
3. GlassWorm Multi-Stage Malware with Cryptocurrency Targeting
Severity: Critical Affected: Finance, Technology
The GlassWorm campaign has evolved to deliver a multi-stage framework capable of comprehensive data theft and remote access trojan (RAT) installation. The malware deploys a malicious Google Chrome extension masquerading as an offline browser version and uses Solana blockchain dead drops for command and control communication, enabling cryptocurrency wallet theft and stealer functionality.
Recommended Action
- Block execution of unauthorized Chrome extensions via Group Policy and monitor for suspicious extension installations across all endpoints.
- Monitor for network traffic to known Solana blockchain addresses and implement DNS/IP-based filtering for command and control infrastructure.
- Conduct immediate browser extension audit across all systems and implement application whitelisting for Chrome extensions.
4. Critical Citrix NetScaler Vulnerabilities Under Active Exploitation
Severity: Critical Affected: Finance, Healthcare, Government
Citrix has released patches for two NetScaler ADC and NetScaler Gateway vulnerabilities, with one being similar to previously exploited CitrixBleed flaws. These vulnerabilities provide direct access to critical infrastructure and have been weaponized in past zero-day campaigns targeting thousands of organizations.
Recommended Action
- Apply Citrix security patches to all NetScaler ADC and Gateway instances immediately, prioritizing internet-facing deployments.
- Implement network segmentation to restrict NetScaler access and enable comprehensive logging and monitoring of all administrative access.
- Scan for indicators of prior exploitation in NetScaler logs dating back 90 days and validate integrity of all configurations.
5. PolyShell Magento Vulnerability Exploited Against 56% of Vulnerable Stores
Severity: High Affected: Retail, Finance
Active exploitation campaigns targeting the PolyShell vulnerability in Magento 2 Open Source and Adobe Commerce installations have compromised more than half of all vulnerable store instances. The widespread nature of Magento deployments in retail and e-commerce creates significant credential and payment data theft risk.
Recommended Action
- Apply security patches for PolyShell vulnerability (CVE-2024-XXXXX) to all Magento 2 installations immediately.
- Review access logs for the past 90 days to identify any indicators of prior exploitation or unauthorized shell access.
- Implement Web Application Firewall (WAF) rules to block exploitation attempts and monitor for suspicious file uploads to vulnerable paths.
Today’s Action Checklist
- ☐ URGENT: Patch all Citrix NetScaler instances and validate no prior exploitation in logs.
- ☐ URGENT: Review and restrict OAuth application permissions in Microsoft 365 tenants; block legacy authentication.
- ☐ URGENT: Apply Magento PolyShell patch to all e-commerce instances and scan for shell access indicators.
- ☐ Conduct threat hunt for AI agent activity patterns and autonomous reconnaissance behaviors in EDR/SIEM logs.
- ☐ Review and revoke Chrome browser extensions organization-wide; implement extension whitelisting policies.
- ☐ Enable multi-factor authentication universally, including service accounts and privileged access.
- ☐ Monitor for Solana blockchain command and control communications and implement filtering rules.
- ☐ Increase monitoring of critical infrastructure for device code phishing indicators and anomalous authentication patterns.