
A
From the CISO series, it's Cybersecurity Headlines
B
These are the Cybersecurity Headlines for Monday, February 23, 2026. I'm Steve Prentice.

Arkanix, the new AI infostealer experiment. Researchers from Kaspersky now say that an information-stealing malware operation named Arkanix Stealer, that is A-R-K-A-N-I-X, which appeared on dark web forums towards the end of last year, was likely developed as an AI-assisted experiment. It included a control panel and a Discord server for communication with users, but has since been removed by its developer. Although it consisted of many standard data-stealing features that cybercriminals are already using, along with a modular architecture and anti-analysis features, the Kaspersky researchers said "the clues that indicated LLM-assisted development might have drastically reduced development time and costs."

AI-assisted hacker breached 600 Fortinet firewalls in five weeks. Following up on a story we covered exactly one month ago, Amazon is warning that a Russian-speaking hacker used multiple generative AI services as part of a campaign that breached more than 600 FortiGate firewalls across 55 countries in five weeks. As reported by CJ Moses, CISO of Amazon Integrated Security, the January hacking campaign "did not rely on exploits. Instead, the threat actor targeted exposed management interfaces and weak credentials that lacked MFA protection, brute forcing with common passwords and then using AI to help automate access to other devices on the breached network."

Russia stepping up hybrid attacks, preparing for confrontation with the West. This dire warning comes from Dutch intelligence services, who said that "the intensifying cyber attacks, sabotage and covert influence operations across Europe show the Kremlin is preparing for a prolonged confrontation with the West." Two Dutch intelligence agencies, one general and the other military, said the Russian armed forces are preparing for the possibility of a conflict with NATO and are carrying out various activities to test the West's willingness to escalate. Their term "hybrid" refers to a blend of cyber attacks, sabotage, disinformation, covert political influence and espionage designed to stay below the threshold of open war.

Japanese semiconductor supplier suffers ransomware attack. Tokyo-based Advantest, that is Advantage, a supplier of semiconductor test equipment, said the attack occurred last Sunday and has impacted several company systems. Advantest is one of the largest manufacturers of test and measurement equipment used in the design and production of semiconductors for machine learning, autonomous vehicles, 5G systems and more. Its tools have become critical assets in the production process of semiconductors globally. No group has yet claimed responsibility for this attack.

Huge thanks to our sponsor, Adaptive Security. This episode is brought to you by Adaptive Security, the first security awareness platform built to stop AI-powered social engineering. Deepfakes aren't science fiction anymore; they are a daily threat. So here's a quick tip: if your voicemail greeting is your real voice, switch it to the default robot voice. A few seconds of audio can be enough to clone you. Adaptive helps teams spot and stop these AI-powered social engineering attacks, and you can learn more at adaptivesecurity.com, that is the two words adaptive security together, dot com.

Anthropic announces embedded security scanning for Claude. This new feature can scan a user's software code bases for vulnerabilities and suggest patching solutions. Claude Code Security, as it's called, will initially be available to a limited number of enterprise and team customers for testing, and this is after a year of internal stress testing conducted for the company. Anthropic says that as vibe coding becomes more widespread, the demand for automated vulnerability scanning will exceed the capacity of manual security reviews.

New ClickFix campaign deploys MimicRAT malware. A new report from cybersecurity research company Elastic Security Labs describes a new ClickFix campaign that delivers a previously undocumented remote access Trojan called MimicRAT. The sophisticated operation attacks compromised sites in diverse industries and geographies to drop a Lua-scripted shellcode loader. The final implant communicates over HTTPS using profiles that resemble legitimate web analytics traffic. The researchers added that the campaign supports 17 languages, with the lure content dynamically localized based on the victim's browser language settings to broaden its effective reach.

ShinyHunters beats the house in Vegas. Wynn Resorts appears to be the latest victim of the ShinyHunters extortion gang. The group posted the company on its blog last Friday, claiming possession of more than 800,000 records containing employees' Social Security numbers and other private details. Wynn has until today, February 23rd, to reach out; otherwise a data leak and, in the words of the gang, "other annoying digital problems" will occur. A spokesperson for the crime group told The Register that its members gained initial access to Wynn's systems in September 2025 via an Oracle PeopleSoft vulnerability, using an employee's credentials.

PayPal's small data incident has a long tail. PayPal is alerting customers of a data incident following a software error in a small business loan application system which exposed sensitive PII, including Social Security numbers. Although the number of people affected was very small, around 100 customers, the data remained exposed for nearly six months last year, between July 1 and the date of discovery, December 12. PayPal has emphasized that this was not a breach and its systems were not compromised. The erroneous code has since been rolled back.

Are you planning to be in San Francisco for RSA Conference next month? Then you need to join us for a live CISO Series Podcast recording on March 21st. We will be recording an episode at BSides SF, just ahead of RSAC. If you have never been to one of our recordings, expect the same great conversations around the hottest cybersecurity topics with respected security leaders, but we also throw in a few games and audience Q&A. For more information on how to register, head on over to the Events page at CISO Series. And if you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentice, reporting for the CISO Series.
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Podcast: Cybersecurity Headlines
Host: Steve Prentice (CISO Series)
Episode Date: February 23, 2026
Theme:
This episode delivers concise updates on significant cybersecurity incidents and trends, including major breaches, the growing role of AI in cyber attacks, evolving geopolitical tensions, and notable vulnerabilities. The focus is on actionable intelligence and broader trends affecting organizations and individuals.
[00:06–01:15] Arkanix Stealer: an AI-assisted infostealer experiment (Kaspersky)
Overview:
Researchers from Kaspersky say Arkanix Stealer, an information-stealing malware operation that appeared on dark web forums in late 2025, was likely developed as an AI-assisted experiment.
AI Innovation:
Clues in the code pointed to LLM-assisted development, suggesting that large language models helped accelerate and cheapen the work.
Features:
Modular architecture, standard data-stealing capabilities, anti-analysis features, a control panel, and a Discord server for communicating with users.
Status:
The operation, including its control panel and Discord server, has since been removed by its developer.
“The clues that indicated LLM-assisted development might have drastically reduced development time and costs.” (Kaspersky researchers, [00:28])
[01:15–02:15] AI-assisted attacker breached 600+ FortiGate firewalls in five weeks (Amazon)
Scale:
More than 600 FortiGate firewalls across 55 countries were compromised in five weeks in January; Amazon attributes the campaign to a Russian-speaking actor who used multiple generative AI services.
Tactics:
No exploits. The attacker targeted exposed management interfaces and weak credentials that lacked MFA, brute-forcing with common passwords.
AI’s Role:
Generative AI services helped automate access to other devices on each breached network. Because the entry point was password guessing against internet-reachable admin interfaces rather than a vulnerability, MFA on administrative logins and keeping management interfaces off the internet are the controls that would have blunted it; patching alone would not.
“The January hacking campaign did not rely on exploits. Instead, the threat actor targeted exposed management interfaces and weak credentials… using AI to help automate access to other devices.” — Steve Prentice, summarizing CJ Moses (CISO, Amazon Integrated Security), [01:55]
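As an added example, not taken from the podcast, from Amazon's report or from Fortinet, here is the detection logic a SOC could run over FortiGate event logs to catch the pattern described above: repeated admin login failures from one source, a success right after them (the password was guessed), and the same source fanning out across many devices. The FortiOS key=value syslog layout and the event log IDs 0100032001 (admin login successful) and 0100032002 (admin login failed) are assumptions to check against the log reference for your firmware; every sample line is constructed for the example.

```python
"""
Flag password guessing against FortiGate admin interfaces from event logs.

Added example, not from the podcast or from Amazon's report. It assumes the
FortiOS key=value syslog layout and the event log IDs 0100032001 (admin login
successful) and 0100032002 (admin login failed); adjust them for your firmware.
All log lines below are constructed for the example, not real captures.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_OK = "0100032001"    # assumed FortiOS event: administrator login successful
LOGIN_FAIL = "0100032002"  # assumed FortiOS event: administrator login failed

# key=value pairs; quoted values may contain spaces and parentheses.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortigate_line(line):
    """Turn one FortiOS log line into a dict, stripping the quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def event_time(rec):
    return datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")


def find_admin_bruteforce(lines, window=timedelta(minutes=10), threshold=5,
                          min_failures_before_success=3):
    """Sliding-window count of failed admin logins per (source IP, device).

    Two signals are raised, keyed by (srcip, devname):
      * `threshold` or more failures inside `window`  -> active guessing
      * a success preceded by >= `min_failures_before_success` recent failures
        -> the password was guessed (the compromise, not just the attempt)
    Lines are expected in time order, as they arrive from syslog.
    """
    recent = defaultdict(deque)   # (srcip, devname) -> failure timestamps in window
    alerts = {}
    for line in lines:
        rec = parse_fortigate_line(line)
        if rec.get("type") != "event" or rec.get("logid") not in (LOGIN_OK, LOGIN_FAIL):
            continue                        # traffic/UTM logs and other events
        key = (rec["srcip"], rec["devname"])
        ts = event_time(rec)
        q = recent[key]
        while q and ts - q[0] > window:     # drop failures that fell out of the window
            q.popleft()
        if rec["logid"] == LOGIN_FAIL:
            q.append(ts)
            if len(q) >= threshold:
                a = alerts.setdefault(key, {"failures": 0, "first": q[0],
                                            "last": ts, "succeeded_as": None})
                a["failures"], a["last"] = len(q), ts
        elif len(q) >= min_failures_before_success:
            a = alerts.setdefault(key, {"failures": len(q), "first": q[0],
                                        "last": ts, "succeeded_as": None})
            a["succeeded_as"], a["last"] = rec.get("user"), ts
            q.clear()
    return alerts


def compromised_devices_by_source(alerts):
    """Devices each source logged into after guessing: one IP across many firewalls is the campaign shape."""
    out = defaultdict(set)
    for (srcip, devname), a in alerts.items():
        if a["succeeded_as"]:
            out[srcip].add(devname)
    return dict(out)


def _line(ts, dev, logid, user, src, status, reason=""):
    """Build a constructed sample line in the assumed FortiOS key=value shape."""
    desc = "Admin login successful" if logid == LOGIN_OK else "Admin login failed"
    return (f'date={ts:%Y-%m-%d} time={ts:%H:%M:%S} devname="{dev}" logid="{logid}" '
            f'type="event" subtype="system" logdesc="{desc}" user="{user}" '
            f'ui="https({src})" method="https" srcip={src} action="login" '
            f'status="{status}" reason="{reason}"')


T0 = datetime(2026, 1, 12, 3, 14, 0)
ATTACKER = "203.0.113.45"      # documentation range; constructed
SAMPLE_LOGS = (
    # six wrong passwords in 40 s, then the right one: guessed
    [_line(T0 + timedelta(seconds=8 * i), "FGT-BRANCH-01", LOGIN_FAIL,
           "admin", ATTACKER, "failed", "passwd_invalid") for i in range(6)]
    + [_line(T0 + timedelta(seconds=70), "FGT-BRANCH-01", LOGIN_OK, "admin", ATTACKER, "success")]
    # same source moves to a second firewall; only four failures, below threshold,
    # but the success after them still raises the compromise signal
    + [_line(T0 + timedelta(minutes=3, seconds=5 * i), "FGT-BRANCH-02", LOGIN_FAIL,
             "admin", ATTACKER, "failed", "passwd_invalid") for i in range(4)]
    + [_line(T0 + timedelta(minutes=3, seconds=30), "FGT-BRANCH-02", LOGIN_OK, "admin", ATTACKER, "success")]
    # a real admin mistypes once and then logs in: must not be flagged
    + [_line(T0 + timedelta(hours=5), "FGT-HQ-01", LOGIN_FAIL, "jdoe", "198.51.100.23", "failed", "passwd_invalid"),
       _line(T0 + timedelta(hours=5, seconds=20), "FGT-HQ-01", LOGIN_OK, "jdoe", "198.51.100.23", "success")]
    # unrelated traffic log, skipped by the type/logid filter
    + ['date=2026-01-12 time=08:14:30 devname="FGT-HQ-01" logid="0000000013" type="traffic" '
       'subtype="forward" srcip=10.0.0.5 dstip=10.0.0.9 action="accept"']
)

if __name__ == "__main__":
    found = find_admin_bruteforce(SAMPLE_LOGS)
    for (src, dev), a in found.items():
        print(f"{src} -> {dev}: {a['failures']} failures, logged in as {a['succeeded_as']!r}")
    print("fan-out:", compromised_devices_by_source(found))
```

Two design points: the success-after-failures signal matters more than the raw threshold, because an actor pacing guesses under the lockout limit never trips the count but does eventually log in; and the fan-out view (one source, many devices) is what distinguishes a campaign like this one from a single mistyped password. Detection does not replace the fix: enforce MFA on admin accounts, restrict which source addresses may reach the management interface, and use the firewall's own admin lockout settings.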
[02:15–03:12] Russia stepping up hybrid attacks (Dutch intelligence)
Source:
Two Dutch intelligence agencies, one general and one military, warn that intensifying cyber attacks, sabotage and covert influence operations across Europe show the Kremlin preparing for a prolonged confrontation with the West, and that the Russian armed forces are preparing for the possibility of a conflict with NATO.
Hybrid Definition:
A blend of cyber attacks, sabotage, disinformation, covert political influence and espionage designed to stay below the threshold of open war.
Goal:
Test the West’s willingness to escalate.
“Hybrid refers to a blend of cyber attacks, sabotage, disinformation, covert political influence and espionage designed to stay below the threshold of open war.” — Steve Prentice, [02:56]
[03:12–03:52] Japanese semiconductor supplier Advantest hit by ransomware
Overview:
Tokyo-based Advantest, one of the largest makers of test and measurement equipment used in producing semiconductors for machine learning, autonomous vehicles and 5G, said the attack occurred last Sunday and has impacted several company systems.
Status:
No group has yet claimed responsibility.
[04:43–05:08] Anthropic announces Claude Code Security
Feature:
Scans a user’s code bases for vulnerabilities and suggests patches.
Availability:
Initially limited to a small number of enterprise and team customers for testing, after a year of internal stress testing.
Trend:
Anthropic expects demand for automated vulnerability scanning to exceed the capacity of manual security reviews as vibe coding spreads.
“As vibe coding becomes more widespread, the demand for automated vulnerability scanning will exceed the capacity of manual security reviews.” — Steve Prentice, [05:03]
[05:08–05:53] ClickFix campaign delivers MimicRAT (Elastic Security Labs)
Overview:
A new ClickFix campaign delivers a previously undocumented remote access Trojan, MimicRAT, using compromised sites across diverse industries and geographies to drop a Lua-scripted shellcode loader.
Evasion:
The final implant communicates over HTTPS using profiles that resemble legitimate web analytics traffic.
Reach:
Lure content is dynamically localized in 17 languages based on the victim’s browser language settings.
[05:53–06:38] ShinyHunters claims Wynn Resorts
Claim:
ShinyHunters posted Wynn Resorts on its blog last Friday, claiming possession of more than 800,000 records including employees’ Social Security numbers and other private details.
Access Vector:
The gang told The Register its members gained initial access to Wynn’s systems in September 2025 via an Oracle PeopleSoft vulnerability, using an employee’s credentials.
Threat:
Company has until February 23, 2026, to negotiate or face a public data leak and “other annoying digital problems.”
“Otherwise, a data leak and, in the words of the gang, ‘other annoying digital problems’ will occur.” — Steve Prentice, [06:23]
[06:38–07:13] PayPal’s small data incident has a long tail
Overview:
A software error in a small business loan application system exposed sensitive PII, including Social Security numbers, of around 100 customers.
Duration:
The data remained exposed for nearly six months in 2025, from July 1 until discovery on December 12; the erroneous code has since been rolled back.
Status:
PayPal says this was not a breach and its systems were not compromised.
On accelerating malware development:
“LLM-assisted development might have drastically reduced development time and costs.” — Steve Prentice (citing Kaspersky), [00:28]
On AI in offensive cyber operations:
“Using AI to help automate access to other devices on the breached network.” — Steve Prentice, [02:01]
On the scope of Russian hybrid activity:
“Designed to stay below the threshold of open war.” — Steve Prentice, [02:56]
On automation in security:
“The demand for automated vulnerability scanning will exceed the capacity of manual security reviews.” — Steve Prentice, [05:03]
Steve Prentice delivers the updates in a matter-of-fact tone, emphasizing practical implications and urgency, particularly where AI and geopolitics intersect with cybersecurity. Context is consistently provided for why each story matters, keeping the focus on emerging trends and actionable awareness for the security professionals in the audience.