
A
From the CISO Series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Thursday, February 12, 2026. I'm Sarah Lane.

Crazy gang abuses employee monitoring tool

Security researchers at Huntress say a member of the Crazy ransomware gang is abusing legitimate employee monitoring software and the SimpleHelp remote support tool to stay inside corporate networks, avoid detection and prepare for ransomware attacks. In observed intrusions, the attackers installed Net Monitor for Employees to watch screens, transfer files and run commands, while also deploying SimpleHelp under disguised file names for backup access and disabling Windows Defender. The attackers monitored systems for cryptocurrency wallets and remote access tools, and Huntress says both incidents likely came from the same operator using stolen SSL VPN credentials.

Nevada unveils new data classification

Nevada's IT agency introduced a statewide data classification policy months after a major cyber attack disrupted state systems. Under the new framework, agencies have to label data as public, sensitive, confidential or restricted, with stricter safeguards applied when classification is unclear. Officials say the policy establishes a shared baseline for protecting information and will underpin future cybersecurity measures, including multi-factor authentication, as lawmakers continue broader reforms such as creating a state security operations center.

Georgia healthcare breach impacts more than 620,000

A 2025 cyber attack on Georgia-based physician group ApolloMD exposed the sensitive data of 626,540 people, according to a new filing with the US Department of Health and Human Services. Hackers were inside the company's systems for two days in May, accessing names, birth dates, addresses, diagnosis, treatment details, insurance data and Social Security numbers. The Qilin ransomware gang claimed responsibility. Cisco Talos says the group published data from about 40 victims per month last year.

Microsoft Store Outlook add-in hijacked to steal accounts

Researchers at Koi Security say a legitimate Outlook scheduling add-in called AgreeTo was hijacked after its developer abandoned the project, letting a threat actor take control of its hosted content and turn it into a phishing kit. The malicious version showed a fake Microsoft login page inside Outlook and stole more than 4,000 account credentials along with credit card details and security answers, sending the data to attackers via Telegram. Microsoft has since removed the add-in from its marketplace, and researchers say it may be the first malicious Outlook add-in discovered there.

Huge thanks to our sponsor ThreatLocker. Want real Zero Trust training? Zero Trust World 2026 delivers hands-on labs and workshops that show CISOs exactly how to implement and maintain zero trust in real environments. Join us March 4th through the 6th in Orlando, plus a live CISO Series episode on March 6th. Get $200 off with ZTW CISO 26 at ztw.com.

0APT ransomware group rises

Researchers at Halcyon and GuidePoint Security say the new 0APT ransomware group likely inflated claims of about 200 victims in its first week, with no evidence confirming most of the breaches. Halcyon says the group's victim list appears to be a publicity stunt to attract affiliates, but warns its ransomware code and infrastructure are real and could pose a genuine threat. GuidePoint says the encryptor itself isn't especially advanced and notes the group still needs proven access and lateral movement capabilities to carry out attacks.

Devilish devs spawn Chrome extensions

Security researcher Q Continuum identified 287 Chrome extensions with about 37.4 million total installs that allegedly exfiltrate users' browsing histories to more than 30 companies, including SimilarWeb, SEMrush, Alibaba and ByteDance. The study used automated testing to link browsing history with outbound data, finding many extensions requested unnecessary history access while disclosing the collection only vaguely in privacy policies. About 20 million installs were tied to unknown collectors.

Windows 11 Notepad flaw lets files execute silently

Microsoft fixed a high-severity Windows 11 Notepad vulnerability that let attackers execute local or remote programs through malicious markdown links. The flaw let specially crafted links launch files without any Windows security warning, giving attackers the same permissions as the user who clicked them. The February Patch Tuesday update now adds warnings for non-standard links, and Notepad will update automatically through the Microsoft Store.

JokerOTP seller arrested

Dutch police arrested a 21-year-old man suspected of selling access to the JokerOTP phishing tool, part of a three-year investigation that dismantled the service last April. Authorities say the phishing-as-a-service platform caused at least $10 million in losses across more than 28,000 attacks in 13 countries by automating calls to victims to capture one-time passcodes. The suspect allegedly sold licenses via Telegram, and police say dozens of buyers have already been identified and will face charges.

Something's wrong with the math in the cybersecurity job market. If there are millions of unfilled jobs out there, why are so many job seekers struggling to even book an interview? That is what we're trying to figure out on the latest episode of Defense in Depth. Look for that episode, "Cybersecurity's Broken Hiring Process," wherever you get your podcasts.

If you have some thoughts on the news from today or about our show in general, be sure to reach out to us at FeedbackSoc. We would love to hear from you. I am Sarah Lane reporting for the CISO Series and we will talk to you tomorrow.
A
Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Main Theme
This episode, hosted by Sarah Lane, delivers a concise roundup of major developments in the cybersecurity landscape. Topics include innovative attack techniques, new state-level security measures, details of recent breaches, software supply chain threats, emerging ransomware operations, privacy issues with browser extensions, critical software vulnerabilities, and the takedown of a major phishing operation.
On attacker innovation:
“Attackers installed Net Monitor for Employees to watch screens, transfer files and run commands...”
— Sarah Lane [00:13]
On the shifting landscape:
“Researchers say it may be the first malicious Outlook add-in discovered there.”
— Sarah Lane [02:51]
On data collection at scale:
“About 20 million installs were tied to unknown collectors.”
— Sarah Lane [05:18]
On law enforcement action:
“Authorities say the phishing-as-a-service platform caused at least $10 million in losses...”
— Sarah Lane [06:20]
| Segment | Timestamp |
|------------------------------------------------|---------------|
| Crazy Gang abuses employee monitoring tools | 00:07–01:10 |
| Nevada introduces data classification | 01:10–01:43 |
| Georgia healthcare breach update | 01:43–02:15 |
| Outlook Add-in hijacked for phishing | 02:15–02:52 |
| 0APT ransomware group emerges | 04:02–04:42 |
| Chrome extensions leak histories | 04:42–05:24 |
| Windows 11 Notepad flaw patched | 05:24–05:56 |
| JokerOTP phishing tool seller arrested | 05:56–06:41 |
The episode adopts a brisk, headline-driven delivery, focusing on actionable intelligence and recent events shaping information security. The stories highlight a mix of attack ingenuity, ongoing threat actor evolution, improvements in defensive posture, risks in software supply chains, and law enforcement successes.
For further details or to explore any headline in depth, listeners are encouraged to visit CISOseries.com.