ThreatsDay Bulletin: Kali Linux + Claude, Chrome Crash Traps, WinRAR Flaws, LockBit & 15+ Stories
Ravie Lakshmanan
Feb 26, 2026
Cybersecurity / Hacking News

Nothing here looks dramatic at first glance. That’s the point. Many of this week’s threats begin with something ordinary, like an ad, a meeting invite, or a software update. Behind the scenes, the tactics are sharper. Access happens faster. Control is established sooner. Cleanup becomes harder. Here is a quick look at the signals worth paying attention to.

AI-powered command execution
Kali Linux Integrates Claude AI Assistant via MCP

Kali Linux, an advanced penetration testing Linux distribution used for ethical hacking and network security assessments, has added an integration with Anthropic's Claude large language model through the Model Context Protocol (MCP). The integration lets users issue instructions in natural language and translates them into the corresponding tool commands.

Belarus-linked Android spyware
ResidentBat Infrastructure Analyzed

ResidentBat is an Android spyware implant used by Belarusian authorities for surveillance operations against journalists and civil society. Once installed, it provides operators with access to call logs, microphone recordings, SMS, encrypted messenger traffic, screen captures, and locally stored files. The malware, although first documented in December 2025, is assessed to date back to 2021. According to Censys, ResidentBat-associated infrastructure is concentrated in Europe and Russia: the Netherlands (5 hosts), Germany (2 hosts), Switzerland (2 hosts), and Russia (1 host) in a recent Censys Platform view, using a narrow port range (7000-7257) for control traffic.

Crypto phishing wave
Phishing Campaigns Impersonate Bitpanda

Phishing campaigns are impersonating cryptocurrency brokerage services like Bitpanda to harvest sensitive data under the pretext that users must reconfirm their information or risk having their accounts blocked.
"Attempting to get multiple forms of information and identification, the attackers used tactics that would seem legitimate to the everyday user," Cofense said. "User information such as name verification, email, and password credentials, and location were all used in this attempt to harvest information under the guise of a multi-factor authentication process."

Breakout times shrink
Adversaries Get Faster in 2025

In its 2026 Global Threat Report, CrowdStrike said adversaries became faster than ever before in 2025. "The average e-crime breakout time — the period between initial access and lateral movement onto another system — dropped to 29 minutes, a 65% increase in speed from 2024," the company said. One such intrusion undertaken by Luna Moth (aka Chatty Spider) targeting a law firm moved from initial access to data exfiltration in four minutes.

Chief among the factors fueling this dramatic acceleration was the widespread abuse of legitimate credentials, which allowed attackers to blend into normal network traffic and bypass many traditional security controls. This was coupled with threat actors of varied motivations utilizing AI technology to accelerate and optimize their existing techniques. Some of the threat actors that have leveraged AI in their operations include Fancy Bear, Punk Spider (aka Akira), Blind Spider (aka Blind Eagle), Odyssey Spider (aka TA558), and an India-nexus hacking group called Frantic Tiger that has used Netlify and Cloudflare pages for credential-harvesting operations.

The cybersecurity company said it observed an 89% increase in the number of attacks by AI-enabled adversaries compared to 2024 and a 42% year-over-year increase in zero-days exploited prior to public disclosure. In tandem, 67% of vulnerabilities exploited by China-nexus adversaries provided immediate system access, and 40% targeted edge devices that typically lack comprehensive monitoring.
The vast majority of attacks, 82%, were free of malware — highlighting attackers' enduring shift toward hands-on-keyboard operations and the abuse of legitimate tools and credentials.

4-minute lateral movement
Fastest Attacker Breakout Time Drops to 4 Minutes

In a similar report, ReliaQuest said the fastest intrusions reached lateral movement in just 4 minutes, an 85% acceleration from last year, with data exfiltration taking place in 6 minutes. The statistic is fueled by attackers increasingly weaving AI and automation into their tradecraft. "As attackers increasingly secure valid credentials with elevated privileges, the time to react has drastically dropped," ReliaQuest said. "In 2025, the average breakout time (initial access to lateral movement) dropped to 34 minutes. In 47% of incidents, they secured high privileges before ever touching the network. This allows them to skip escalation, blend into traffic, and repurpose legitimate tools."

ClickFix fuels Mac stealers
Mac Users Targeted by Stealer Malware Using ClickFix

Mac users searching for popular software like Homebrew, 7-Zip, Notepad++, LibreOffice, and Final Cut Pro are the target of an active malvertising campaign powered by at least 35 hijacked Google advertiser accounts originating from countries including the U.S., Canada, Italy, Poland, Brazil, India, Saudi Arabia, Japan, China, Romania, Malta, Slovenia, Germany, the U.K., and the U.A.E. More than 200 malicious advertisements impersonating legitimate macOS software have been found. The end goal of these efforts is to direct users to fake pages that contain ClickFix-like instructions to deliver MacSync stealer. Another ClickFix campaign has been observed using fake CAPTCHA verification lures on bogus phishing pages to distribute stealer malware that can harvest data from web browsers, gaming apps like Steam, cryptocurrency wallets, and VPN apps.
According to ReliaQuest data, a quarter of attacks used social engineering for initial access last year, with ClickFix responsible for delivering 59% of the top malware families.

Encryption debate resurfaces
Meta Executive Warned Against Encryption in Messenger and Instagram

Meta went ahead with a plan to encrypt the messaging services connected to its Facebook and Instagram apps despite internal warnings that it would hinder the social media giant's ability to flag child-exploitation cases to law enforcement, Reuters reported. The internal chat exchange dated March 2019 was filed in connection with a lawsuit brought by the U.S. state of New Mexico, accusing it of exposing children and teens to sexual exploitation on its platforms and profiting from it. In response to the concerns raised, Meta said it worked on additional safety features before it launched encrypted messaging on Facebook and Instagram in 2023.

ActiveMQ flaw aids LockBit
Apache ActiveMQ Exploit Leads to LockBit Ransomware

Threat actors are exploiting a now-patched security flaw in internet-facing Apache ActiveMQ servers (CVE-2023-46604) to deploy LockBit ransomware. "Despite being evicted after the initial intrusion, they successfully breached the same server on a second occasion 18 days later," The DFIR Report said. "After compromising the server, the threat actor used Metasploit, possibly along with Meterpreter, to perform post-exploitation activities. These activities included escalating privileges, accessing LSASS process memory, and moving laterally across the network. After regaining access following their eviction, the threat actor swiftly transitioned to deploying ransomware. They leveraged credentials extracted during their previous breach to deploy LockBit ransomware via RDP." The ransomware is suspected to be crafted using the leaked LockBit builder.
Chrome crash-to-command trick
CrashFix Variants Detailed

Two newly flagged Google Chrome extensions, Pixel Shield - Block Ads (ID: nlogodaofdghipmbdclajkkpheneldjd) and PageGuard - Phishing Protection (ID: mlaonedihngoginmmlaacpihnojcoocl), have been found to adopt the same playbook as CrashFix, where the browser is deliberately crashed and the user is tricked into running a malicious command à la ClickFix. The most concerning aspect of this campaign is that the extensions actually work and offer the advertised functionality. "The original NexShield DoS created a billion chrome.runtime.connect() calls," Annex Security's John Tuckner said. "These variants use a different technique I'm calling the Promise Bomb because it crashes the browser by flooding Chrome's message passing system with millions of unresolvable promises." While the original NexShield used timer-based activation, the new variants have evolved to push notification-based command-and-control (C2), causing the denial-of-service to be triggered only when the C2 server sends a push notification containing a "newVersion" value ending in "2." This, in turn, gives the attacker selective remote control over when the crashes happen.

WinRAR patch lag persists
Widespread Exposure to CVE-2025-8088

Cybersecurity firm Stairwell said more than 80% of the IT networks it monitors run versions of WinRAR vulnerable to CVE-2025-8088, a vulnerability that has been widely exploited by cybercrime and cyber espionage groups. "This finding underscores a persistent challenge in enterprise security when widely deployed, trusted software quietly falls out of date and becomes a high-value target for attackers," Alex Hegyi said.

Crypto IV reuse risk
Open-Source Projects Use Crypto Libraries with Insecure Defaults

A new analysis from Trail of Bits has revealed that more than 723,000 open-source projects use cryptographic libraries with insecure defaults.
The aes-js and pyaes libraries have been found to provide a default initialization vector (IV) in their AES-CTR API, leading to a large number of key/IV reuse bugs. "Reusing a key/IV pair leads to serious security issues: if you encrypt two messages in CTR mode or GCM with the same key and IV, then anybody with access to the ciphertexts can recover the XOR of the plaintexts, and that’s a very bad thing," Trail of Bits said. While neither library has been updated in years, stro
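Added example, not from the Trail of Bits analysis or from either library: a minimal CTR-mode toy that shows why a library-supplied constant IV is dangerous and what the per-message fix looks like. It assumes HMAC-SHA256 as a stand-in for the AES block function (the XOR leak is identical for real AES-CTR, since the mode is just XOR with a keystream), and the two messages, key and zero IV are constructed sample values.

```python
import hmac
import hashlib
import os

# Assumption: HMAC-SHA256(key, iv || counter) stands in for the AES block
# encryption that aes-js / pyaes would use. CTR mode is plaintext XOR
# keystream, so the key/IV reuse flaw behaves exactly the same way.


def ctr_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Generate `length` bytes of CTR keystream for a (key, iv) pair."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block_input = iv + counter.to_bytes(16, "big")
        out += hmac.new(key, block_input, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def ctr_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CTR encryption; the same call decrypts, since XOR is its own inverse."""
    ks = ctr_keystream(key, iv, len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed sample: two same-length messages under one key and a fixed
# all-zero IV, the analogue of a constant default IV supplied by a library.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
DEFAULT_IV = bytes(16)
MSG1 = b"transfer 100 EUR to account 4711"
MSG2 = b"transfer 900 EUR to account 9999"


def leaked_xor_with_fixed_iv() -> bytes:
    """With a reused (key, IV), C1 XOR C2 equals P1 XOR P2: no key needed."""
    c1 = ctr_encrypt(KEY, DEFAULT_IV, MSG1)
    c2 = ctr_encrypt(KEY, DEFAULT_IV, MSG2)
    return xor_bytes(c1, c2)


def recover_second_plaintext(known_first: bytes) -> bytes:
    """If P1 is predictable (a template message), an observer reads P2."""
    return xor_bytes(leaked_xor_with_fixed_iv(), known_first)


def encrypt_with_fresh_iv(key: bytes, data: bytes) -> tuple:
    """Fix: a random IV per message, transmitted alongside the ciphertext."""
    iv = os.urandom(16)
    return iv, ctr_encrypt(key, iv, data)
```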