Also: EU Bans AI Tools, Notepad++ Secures Updater, Apple Patches iOS Zero-Day

Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week, Cambodia shut down nearly 200 online scam centers and arrested 11,000 foreign nationals. The European Parliament disabled AI tools on lawmakers’ devices. Canada Goose downplayed a ShinyHunters leak. Notepad++ patched a supply-chain-exposed updater flaw. Operation DoppelBrand hit Fortune 500 firms with cloned banking portals. Apple patched a decades-old iOS zero-day exploited in a sophisticated attack chain. BeyondTrust pushed emergency fixes for a critical RCE flaw under active exploitation and Dell addressed a China-linked zero-day quietly exploited since mid-2024.
Cambodia Shuts 190 Scam Centers in Nationwide Fraud Crackdown
Cambodia shut down nearly 200 online scam centers in what the country’s Information Ministry described as an intensified crackdown on transnational fraud.
Police closed 190 centers, arrested 173 senior figures and deported roughly 11,000 foreign nationals in the enforcement action, a senior government official told Reuters. An independent tally of scam compounds raided or emptied during January shows activity concentrated in Phnom Penh and the southern half of the country.
Transnational online criminal gangs have operated on an industrial scale in centers spread throughout the country using trafficked and forced workers to perpetuate romance and investment scams, earning their bosses tens of billions of dollars per year (see: Scam Centers Fueling Thailand’s Border War With Cambodia).
The crackdown’s highest-profile target was Chen Zhi, founder and chairman of the Prince Holding Group. The U.S. Department of Justice indicted Chen in October 2025 on wire fraud conspiracy and money laundering conspiracy charges, alleging he directly oversaw at least 10 scam compounds in Cambodia since 2015 where trafficked laborers were coerced, including through physical violence, into running cryptocurrency and romance fraud operations earning more than $30 million a day (see: Cambodian Conglomerate a ‘Pig Butchering’ Outfit, Says US).
Chen was arrested and extradited to mainland China in January after Cambodia revoked his citizenship (see: Cryptohack Roundup: Alleged Fraud Kingpin Deported to China).
The closures triggered a mass departure of workers, with large groups seen leaving gated facilities carrying luggage. Human rights organizations, including Amnesty International, described the situation as a “humanitarian crisis,” saying victims were “often trafficked into compounds from outside of Cambodia where they are then enslaved, forced to scam or recruit others.”
The sudden exodus has strained Cambodia’s limited support infrastructure. Caritas Cambodia, which operates one of the few shelters dedicated to assisting scam compound escapees, has struggled after cuts to U.S. funding reduced capacity, The Wire reported Thursday.
Cambodia is developing “a legal framework to enhance the effectiveness in the prevention, suppression and crackdown of online scams,” Information Minister Neth Pheaktra told Bloomberg.
European Parliament Suspends AI Tools Amid Privacy Concerns
The European Parliament blocked built-in artificial intelligence tools on lawmakers’ work devices, citing urgent cybersecurity and privacy concerns, according to an internal email seen by Politico.
IT officials determined they could not guarantee the security of data processed by certain AI features, particularly those that send information to external cloud servers – including servers operated by U.S. companies.
The shutdown covers writing assistants, summarizers, enhanced virtual helpers and similar AI functions on tablets and phones issued to members of the European Parliament and staff. Core office tools, such as email, calendars and documents, are unaffected. MEPs were also advised to apply similar precautions on personal devices used for official work, including limiting app permissions and avoiding exposing internal communications to AI systems.
The restriction on AI tools echoes a broader push for digital sovereignty within EU institutions. In November 2025, a group of lawmakers called on parliament to abandon Microsoft software entirely in favor of European alternatives, citing concerns over foreign vendor backdoors and data sovereignty.
Canada Goose Says Leaked Customer Dataset Did Not Come From Its Systems
Luxury outerwear maker Canada Goose is denying that a dataset posted by the ShinyHunters data extortion group originated from its internal systems after purported customer records appeared online.
ShinyHunters posted Sunday what it claims is more than 600,000 Canada Goose customer records on a public leak site. The data reportedly includes names, email addresses, phone numbers, billing and shipping addresses, and partial payment metadata.
Canada Goose in a statement said it is aware of the published dataset but said its preliminary review has found no evidence that its systems were breached or that unmasked financial data was exposed. The retailer attributed the dataset to a historical customer transaction archive, not a live compromise of its platforms.
In a separately reported campaign, ShinyHunters published what it claimed were more than 2 million records tied to Harvard University and the University of Pennsylvania, including donor and admissions-related data, after the institutions allegedly refused to meet extortion demands (see: Harvard, UPenn Data Leaked in ShinyHunters Shakedown).
Notepad++ Secures Updater in v8.9.2
Notepad++ rolled out version 8.9.2, a security-focused release that implements robust protections to close the update-mechanism weaknesses exposed by a prolonged supply-chain hijack incident (see: Compromise of Notepad++ Equals Software Supply Chain Fallout).
The update’s core enhancement is a “double-lock” verification system. The updater now validates the installer’s signature and the integrity and authenticity of the XML update manifest – XMLDSig – returned by the update server before proceeding. Developers say the new design makes the update process “robust and effectively unexploitable.”
The release also strengthens the WinGUp auto-updater by removing unsafe options, eliminating the libcurl.dll dependency and restricting plugin management to signed components. Version 8.9.2 further fixes an untrusted search path vulnerability, tracked as CVE-2026-25926, which could have allowed arbitrary code execution under specific conditions.
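The "double-lock" design described above, as an added illustration that is not Notepad++ or WinGUp code: the client checks the update manifest's signature, checks the installer's signature, and then ties the two together by requiring the installer's hash to match the one the manifest names. Real XMLDSig uses an asymmetric signature over a canonicalised XML document; here an HMAC over the re-serialised manifest element stands in for that signature so the example runs with only the Python standard library. The manifest layout, key values, version numbers and installer bytes are all constructed for the example.

```python
"""Two-lock update verification, modelled on the design described for the
Notepad++ 8.9.2 updater. Added illustration, not vendor code. HMAC stands in
for the XMLDSig signature; re-serialising the <update> element stands in for
XML canonicalisation. All keys, versions and installer bytes are constructed."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed keys. A real updater pins the vendor's public keys in the client;
# separate keys for manifest and installer keep the two locks independent.
MANIFEST_KEY = b"manifest-signing-key-constructed"
INSTALLER_KEY = b"installer-signing-key-constructed"


class UpdateRejected(Exception):
    """Raised when any lock fails; the updater must not proceed."""


def sign(key: bytes, data: bytes) -> str:
    # Stand-in for an asymmetric signature (XMLDSig / Authenticode).
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def parse_version(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


def build_manifest(version: str, installer: bytes) -> bytes:
    """Server side (constructed): manifest names the version and the
    installer's SHA-256, and carries a signature over the <update> element."""
    body = (f"<update><version>{version}</version>"
            f"<sha256>{hashlib.sha256(installer).hexdigest()}</sha256></update>")
    sig = sign(MANIFEST_KEY, body.encode())
    return f"<signed><sig>{sig}</sig>{body}</signed>".encode()


def verify_update(manifest_xml: bytes, installer: bytes, installer_sig: str,
                  current_version: str) -> dict:
    """Client side: apply both locks and the binding between them."""
    root = ET.fromstring(manifest_xml)
    update = root.find("update")
    sig = root.findtext("sig") or ""
    if update is None:
        raise UpdateRejected("manifest missing update element")

    # Lock 1: manifest authenticity and integrity. Re-serialising the element
    # plays the role canonicalisation plays in XMLDSig.
    expected = sign(MANIFEST_KEY, ET.tostring(update))
    if not hmac.compare_digest(expected, sig):
        raise UpdateRejected("manifest signature invalid")

    # Lock 2: the installer itself must carry a valid vendor signature.
    if not hmac.compare_digest(sign(INSTALLER_KEY, installer), installer_sig):
        raise UpdateRejected("installer signature invalid")

    # Binding: a validly signed installer is still rejected unless it is the
    # exact file the signed manifest names (blocks swaps and downgrades).
    if hashlib.sha256(installer).hexdigest() != update.findtext("sha256"):
        raise UpdateRejected("installer does not match manifest")

    version = update.findtext("version") or "0"
    if parse_version(version) <= parse_version(current_version):
        raise UpdateRejected("not an upgrade")
    return {"version": version, "sha256": update.findtext("sha256")}


def run_scenarios() -> dict:
    """Exercise the checks on constructed inputs; returns the outcome per case."""
    new_installer = b"INSTALLER-8.9.2-constructed-bytes"
    old_installer = b"INSTALLER-8.9.1-constructed-bytes"
    manifest = build_manifest("8.9.2", new_installer)
    cases = {
        "genuine": (manifest, new_installer, sign(INSTALLER_KEY, new_installer)),
        # Manifest altered in transit: version bumped, signature no longer matches.
        "tampered_manifest": (manifest.replace(b"8.9.2", b"9.0.0"),
                              new_installer, sign(INSTALLER_KEY, new_installer)),
        # Older but validly signed installer served with the new manifest.
        "swapped_installer": (manifest, old_installer, sign(INSTALLER_KEY, old_installer)),
        # Installer replaced with a file the vendor never signed.
        "unsigned_installer": (manifest, b"not-vendor-bytes", sign(b"other-key", b"not-vendor-bytes")),
    }
    results = {}
    for name, (m, inst, isig) in cases.items():
        try:
            verify_update(m, inst, isig, current_version="8.9.1")
            results[name] = "accepted"
        except UpdateRejected as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for case, outcome in run_scenarios().items():
        print(f"{case:20s} {outcome}")
```

The "swapped_installer" case is the one the binding step exists for: both signatures verify on their own, and only the manifest's hash pins the client to the specific file the vendor intended to ship.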
Operation DoppelBrand Targets Fortune 500 Firms With Phishing, Remote Access Tools
A financially motivated threat actor mounted a sweeping phishing campaign targeting Fortune 500 brands, using cloned banking and technology portals to steal credentials and deploy remote access tools, research by cybersecurity company SOCRadar found.
The campaign, dubbed “Operation DoppelBrand,” is attributed to an actor tracked as GS7. It was active between December 2025 and January 2026, with victims including Wells Fargo, USAA and Navy Federal.
Researchers identified more than 150 domains tied to the operation in recent months. The attacker registered domains in batches and hid infrastructure behind Cloudflare.
The phishing sites closely replicated legitimate login pages, copying logos, CSS files and form structures. GS7 acts as an initial access broker, selling credentials on Telegram channels and underground markets after real-time exfiltration of usernames, IPs, geolocations and device data.
In many cases, victims were prompted to download remote monitoring and management tools such as LogMeIn, AnyDesk or ScreenConnect, giving attackers persistent access to compromised systems. LogMeIn installers were deployed in unattended mode, enabling remote control without raising suspicion.
Researchers said the actor has shown operational continuity since at least 2022, rotating domains and infrastructure while maintaining a consistent playbook.
Apple Discloses, Patches Decades-Old Zero-Day Flaw in iOS
Threat actors exploited a decades-old vulnerability in iOS present since version 1.0 in what Apple called an “extremely sophisticated attack” targeting specific individuals.
The flaw, tracked as CVE-2026-20700, affects Apple’s dynamic link editor, dyld, and could allow an attacker with memory-write capability to execute arbitrary code. A core component of Apple’s operating systems, dyld is present in all the company’s products.
In a Feb. 11 advisory, the tech giant said it is “aware” of the zero-day.
Dyld is an iOS device’s “doorman,” Brian Milbier, deputy CISO at Huntress, told The Register. “Every single app that wants to run must first pass through this doorman to be assembled and given permission to start.”
“Usually, the doorman checks credentials and places apps in a high-security ‘sandbox’ where they can’t touch your private data,” he said. According to Milbier, the exploit chain “allows an attacker to trick the doorman into handing over a master key before security checks even begin.”
By chaining flaws including two December vulnerabilities, attackers create a “one-click path to total control.” With fake credentials, threat actors can bypass a user’s browser security controls and exploit “the doorman” for unrestricted access.
The latest iOS and iPadOS update patches the vulnerability and a host of other flaws. CVE-2026-20700 marks Apple’s first zero-day this year.
BeyondTrust Issues Emergency Patch for Critical RCE Under Active Exploitation
Privileged access management provider BeyondTrust released emergency patches for a critical remote code execution vulnerability in its Remote Support and Privileged Remote Access products under active exploitation.
The flaw, tracked as CVE-2026-1731, carries a CVSS score of 9.9 and allows an unauthenticated attacker to execute operating system commands through specially crafted requests. The U.S. Cybersecurity and Infrastructure Security Agency added the flaw to its Known Exploited Vulnerabilities catalog.
Security firm Hacktron AI, which discovered and disclosed the vulnerability to BeyondTrust, said the flaw was identified using AI-assisted variant analysis. Researchers estimate that approximately 11,000 BeyondTrust instances were exposed online, including roughly 8,500 on-premises deployments.
Dell Fixes China-Linked Zero-Day Exploited Since 2024
Laptop and desktop maker Dell released security updates to fix a critical zero-day vulnerability in RecoverPoint for Virtual Machines. The flaw, tracked as CVE-2026-22769, has been actively exploited since mid-2024 by a suspected Chinese hacking group tracked as UNC6201, Mandiant said Wednesday.
The vulnerability stems from hard-coded credentials in the RecoverPoint appliance that allow unauthenticated attackers to gain root-level access to the underlying system.
Researchers said Chinese hackers used the vulnerability to upload malicious web shells through the Tomcat Manager interface and establish persistent access. Post-exploitation activity included deployment of multiple malware families, including backdoors dubbed Slaystyle, Brickstorm and Grimbolt. The campaign appears focused on maintaining long-term access to compromised environments (see: Brickstorm Malware Hits US Critical Systems, CISA Warns).
Underscoring the severity of the bug, the U.S. Cybersecurity and Infrastructure Security Agency gave federal agencies three days to apply patches.
With reporting from Information Security Media Group’s Gregory Sirico in New Jersey and Poulami Kundu in Bengaluru.
