Security News

Cybersecurity news aggregator

CRITICAL News The Hacker News

⚡ Weekly Recap: Double-Tap Skimmers, PromptSpy AI, 30Tbps DDoS, Docker Malware & More

A critical vulnerability (CVE-2026-22769, CVSS 10.0) in Dell RecoverPoint for Virtual Machines involves hard-coded admin credentials for the Apache Tomcat Manager, allowing unauthenticated attackers to upload a web shell (SLAYSTYLE) and execute commands as root to deploy BRICKSTORM and GRIMBOLT backdoors. According to the NVD, the vulnerability affects versions prior to 6.0, and the fixed version is 6.0. The threat cluster UNC6201 has been exploiting this flaw in zero-day attacks since at least mid-2024.

⚡ Weekly Recap: Double-Tap Skimmers, PromptSpy AI, 30Tbps DDoS, Docker Malware & More
Ravie Lakshmanan, Feb 23, 2026 (Cybersecurity / Hacking)

Security news rarely moves in a straight line. This week, it feels more like a series of sharp turns, some happening quietly in the background, others playing out in public view. The details are different, but the pressure points are familiar. Across devices, cloud services, research labs, and even everyday apps, the line between normal behavior and hidden risk keeps getting thinner. Tools meant to protect, update, or improve systems are also becoming pathways when something goes wrong. This recap gathers the signals in one place. Quick reads, real impact, and developments that deserve a closer look before they become next week's bigger problem.

⚡ Threat of the Week

Dell RecoverPoint for VMs Zero-Day Exploited — A maximum severity security vulnerability in Dell RecoverPoint for Virtual Machines has been exploited as a zero-day by a suspected China-nexus threat cluster dubbed UNC6201 since mid-2024. The activity involves the exploitation of CVE-2026-22769 (CVSS score: 10.0), a case of hard-coded credentials affecting versions prior to 6.0.3.1 HF1. Per Google, the hard-coded credential relates to an "admin" user for the Apache Tomcat Manager instance that could be used to authenticate to the Dell RecoverPoint Tomcat Manager, upload a web shell named SLAYSTYLE via the "/manager/text/deploy" endpoint, and execute commands as root on the appliance to drop the BRICKSTORM backdoor and its newer version dubbed GRIMBOLT.

🔔 Top News

Former Google Engineers Indicted Over Alleged Trade Secret Theft — Two former Google engineers and one of their husbands have been indicted in the U.S. for allegedly committing trade secret theft from the search giant and other tech firms and transferring the information to unauthorized locations, including Iran. Samaneh Ghandali, 41, and her husband Mohammadjavad Khosravi (aka Mohammad Khosravi), 40, along with her sister Soroor Ghandali, 32, were accused of conspiring to commit trade secret theft from Google and other leading technology companies, theft and attempted theft of trade secrets, and obstruction of justice. The defendants are said to have transferred hundreds of sensitive files to a third-party communications platform and then accessed them from Iran after Samaneh Ghandali and Khosravi traveled to Iran in December 2023.

PromptSpy Android Malware Abuses Gemini for Persistence — Researchers at ESET analyzed what they described as the first Android malware to leverage generative artificial intelligence (AI) during its execution to set up persistence. Called PromptSpy, the malware uses Google Gemini to analyze the current screen and provide step-by-step instructions on how to ensure the malicious app remains pinned in the recent apps list by taking advantage of the operating system's accessibility services. There are signs that the campaign is likely targeting users in Argentina. Google told The Hacker News that it did not find any apps containing the malware being distributed via Google Play.

Kenyan Dissident's Phone Cracked Using Cellebrite's Tool — Evidence has emerged that Kenyan authorities used a commercial forensic extraction tool manufactured by Israeli company Cellebrite to break into a prominent dissident's phone. The Citizen Lab said it found the indicators on a personal phone belonging to Boniface Mwangi, a Kenyan pro-democracy activist who has announced plans to run for president in 2027. In a related development, Amnesty International found that the iPhone belonging to Teixeira Cândido, an Angolan journalist and press freedom advocate, was successfully targeted by Intellexa's Predator spyware in May 2024 after he opened an infected link received via WhatsApp.

New Pre-Installed Android Malware Keenadu Detected in the Wild — A new Android backdoor that's embedded deep into the device firmware can silently harvest data and remotely control its behavior, Kaspersky said. The malware, codenamed Keenadu, is said to have been delivered by means of compromised firmware through an over-the-air (OTA) update. This method allows it to run with high privileges from the moment the device is activated, providing attackers with extensive control over the device. It can also infect other installed apps, deploy additional software from APK files, and grant those apps any permission available on the system. Once active, Keenadu inherits elevated permissions and operates with minimal visibility. The malware triggers only under specific conditions, remaining dormant on devices set to Chinese languages or time zones and on those that lack the Google Play Store and Google Play Services. However, Keenadu's distribution is not limited to pre-installed system components. In some cases, the malware has also been observed embedded within applications distributed through Android app stores. That said, there is very little a user can do when a piece of malware comes pre-installed on their brand new Android tablet. Because the malicious components are present in firmware rather than installed later as apps, affected users may have limited ability to detect or remove them through conventional methods. The activity has not been attributed to a specific threat actor, but Kaspersky said the developers demonstrated "a deep understanding of the Android architecture, the app startup process, and the core security principles of the operating system."

Password Managers' Zero Knowledge Claims Put to Test — A new study undertaken by researchers from ETH Zurich and Università della Svizzera italiana has undermined claims from Bitwarden, Dashlane, and LastPass that the password managers guarantee "zero knowledge" -- an assurance that states there is no way for a malicious insider or a threat actor that has compromised the cloud infrastructure to access the vault data. Specifically, it found that these claims are not true under all circumstances, particularly when account recovery is in place, or password managers are set to share vaults or organize users into groups. The most severe of the attacks, targeting Bitwarden and LastPass, could allow an insider or attacker to read or write to the contents of entire vaults. Other attacks enable reading and modification of shared vaults. "Attacks on the provider server infrastructure can be prevented by carefully designed operational security measures, but it is well within the bounds of reason to assume that these services are targeted by sophisticated nation-state-level adversaries, for example via software supply-chain attacks or spear-phishing," the researchers said.

🔥 Trending CVEs

New vulnerabilities surface daily, and attackers move fast. Reviewing and patching early keeps your systems resilient. Here are this week's most critical flaws to check first:

CVE-2026-22769 (Dell RecoverPoint for Virtual Machines)
CVE-2026-25926 (Notepad++)
CVE-2026-26119 (Microsoft Windows Admin Center)
CVE-2026-2329 (Grandstream GXP1600 series)
CVE-2025-65717 (Live Server)
CVE-2026-1358 (Airleader Master)
CVE-2026-25108 (FileZen)
CVE-2026-25084, CVE-2026-24789 (ZLAN)
CVE-2026-2577 (Nanobot)
CVE-2026-25903 (Apache NiFi)
CVE-2026-26019 (@langchain/community)
CVE-2026-1670 (Honeywell CCTV)
CVE-2025-7740 (Hitachi Energy SuprOS)
CVE-2025-61928 (better-auth)
CVE-2026-20140 (Splunk Enterprise for Windows)
CVE-2026-27118 (@sveltejs/adapter-vercel)
CVE-2026-27099, CVE-2026-27100 (Jenkins)
CVE-2026-24733 (Apache Tomcat)
CVE-2026-2648, CVE-2026-2649, CVE-2026-2650 (Google Chrome)
CVE-2025-29969 (Windows Fundamentals)
CVE-2025-64127, CVE-2025-64128, CVE-2025-64129, CVE-2025-64130 (Zenitel)
CVE-2025-32355, CVE-2025-59793 (TRUfusion Enterprise)
CVE-2026-1357 (WPvivid Backup plugin)
CVE-2025-9501 (W3 Total Cache plugin)
CVE-2025-13818 (ESET Management Agent for Windows)
CVE-2025-11730 (ZYXEL ATP/USG series)
CVE-2025-67303 (ComfyUI)
Joomla! unauthenticated file read, unauthenticated file deletion, and SQL injection vulnerabilities in Novarain/Tassos Framework (no CVEs)

🎥 Cybersecurity Webinars

Learn How to Future-Proof Your Encryption Before Quantum Breaks It → Quantum computing is accelerating, and attackers are harvesting encrypted data for future decryption. This webinar covers practical post-quantum cryptography, hybrid encryption, and Zero Trust strategies to protect sensitive data before quantum threats become real.

Beyond the Model: Securing AI Agents in Real-World Systems → As organizations deploy autonomous AI agents with tool access and system permissions, the attack surface shifts beyond the model itself. This session explores indirect prompt injection, privilege escalation, multi-agent risk, and practical strategies to secure real-world AI systems without breaking workflows.

Pressure-Test Your Controls With Continuous CTI-Driven Validation → Security budgets are rising, yet breaches continue. This session shows how to move beyond assumption-based testing to continuous, CTI-driven exposure validation—pressure-testing controls against real attacker behavior, automating security checks, and building measurable resilience without overspending.

📰 Around the Cyber World

Online Store Infected with Skimmer — The online store of a top-10 global supermarket chain has been infected with a skimmer malware that scans for admin users for WordPress, Magento, PrestaShop, and OpenCart to evade detection. "The attack combines two components: a seemingly off-the-shelf skimmer framework with integrations for four popular e-commerce platforms, and a carefully localized fake payment form," Sansec said. "This fraud is called 'double-tap skimming': customers enter their card details into the fake form first, then see the real payment form wh
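The Threat of the Week item above describes a chain that leaves a visible trace on any Tomcat host: a WAR deployment through the Manager application (the "/manager/text/deploy" endpoint), followed by requests into the newly created context. The following hunting script is an added example for defenders, not code from The Hacker News, Google, or Dell. It parses Tomcat AccessLogValve lines in the default "common" format, flags Manager deployments from hosts outside an allow-list, and then flags any later request from the same host into the context that deployment named. The log lines, IP addresses, usernames and context names are constructed for the example; the "/manager/html/upload" path is assumed as the browser-form equivalent of the text-interface deploy endpoint.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Tomcat AccessLogValve "common" pattern:
#   host ident authuser [timestamp] "method target protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)

# Manager endpoints that install a new web application. The text-interface
# deploy endpoint is the one named in the article; the HTML upload form is
# assumed here as its browser equivalent.
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload")

# Constructed sample log (not from a real appliance): an unexpected host
# deploys a context named /ops and then requests a JSP inside it, while a
# known deployment host does routine work.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Feb/2026:03:12:44 +0000] "GET /manager/html HTTP/1.1" 401 2047',
    '203.0.113.7 - admin [18/Feb/2026:03:12:51 +0000] "PUT /manager/text/deploy?path=/ops&update=true HTTP/1.1" 200 52',
    '203.0.113.7 - - [18/Feb/2026:03:13:02 +0000] "GET /ops/index.jsp HTTP/1.1" 200 310',
    '10.0.0.20 - deployer [18/Feb/2026:09:00:00 +0000] "PUT /manager/text/deploy?path=/app&update=true HTTP/1.1" 200 52',
    "not a log line",
]


@dataclass
class Finding:
    kind: str      # "deploy" or "context_hit"
    host: str
    user: str
    ts: str
    path: str
    context: str   # context path named in the deploy request, if any


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hunt_manager_deploys(lines, allowed_sources=frozenset()):
    """Flag Manager deployments from hosts not in allowed_sources, and any
    later request from the same host into the context it deployed.

    The Manager text interface answers 200 for both "OK -" and "FAIL -", so
    the HTTP status is deliberately not used to decide whether a deploy
    succeeded; every attempt from an unexpected host is worth a look."""
    findings = []
    deployed = set()  # (host, context) pairs seen in deploy requests
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real hunt would count these
        url = urlparse(rec["target"])
        if url.path in DEPLOY_PATHS:
            if rec["host"] not in allowed_sources:
                # The text interface names the target context as ?path=/name
                ctx = parse_qs(url.query).get("path", [""])[0]
                findings.append(Finding("deploy", rec["host"], rec["user"],
                                        rec["ts"], url.path, ctx))
                if ctx:
                    deployed.add((rec["host"], ctx))
            continue
        for host, ctx in deployed:
            if rec["host"] == host and (url.path == ctx or url.path.startswith(ctx + "/")):
                findings.append(Finding("context_hit", rec["host"], rec["user"],
                                        rec["ts"], url.path, ctx))
    return findings


if __name__ == "__main__":
    for f in hunt_manager_deploys(SAMPLE_LOG, allowed_sources=frozenset({"10.0.0.20"})):
        print(f"{f.ts} {f.kind:12} host={f.host} user={f.user} path={f.path} context={f.context}")
```

On an appliance where Manager deployments should never originate from outside a known CI or administration host, an empty allow-list is the right starting point: any deploy at all is the alert, and the follow-on "context_hit" finding shows whether the uploaded application was actually exercised. Pair this with the vendor's fixed version and with removing or restricting the Manager application itself where it is not needed.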
