
A
From the CISO series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Wednesday, February 18, 2026. I'm Rich Stroffelino.

Hackers target anti-government protesters. Researchers at Acronis discovered a cyber espionage campaign targeting supporters of recent anti-government protests in Iran since early January. The threat actors distributed malicious files bundled with authentic protest footage and reports that deploy a previously undocumented malware dubbed Crescent Harvest. This operated as both an infostealer and remote access trojan, obtaining credentials, browsing histories, Telegram information and executing commands. Given the intended targets and the sophistication in avoiding detection, the researchers suggested it shows links to Iranian-aligned threat actors. Given ongoing Internet blackouts in the country, the spike in peer-to-peer sharing of protest-related media has made this an effective distribution channel.

UK launches Lock the Door cybersecurity campaign. The UK government recently released a cybersecurity longitudinal survey showing that 82% of businesses experience some form of cyber incident within the past year. This comes as 30% of businesses admit to following the government's Cyber Essentials frameworks. In response, the UK will run a campaign across social media, business networks, radio and podcasts to directly encourage SMEs to adopt the cybersecurity basics, which focus on patching software and maintaining strict access controls. The campaign will also point organizations to free online separate readiness checks, a 30-minute chat with NCSC advisors and preview certification questions for Cyber Essentials.

Cellebrite linked to phone hack on Kenyan politician. Citizen Lab released a report claiming that it found signs that Kenyan authorities used Cellebrite's phone cracking software against human rights activist and presidential candidate Boniface Mwangi following his arrest in July. Mwangi was alerted to this intrusion when his phone no longer required a password to unlock. The researchers found evidence of data exfiltration from the phone, including plans for his presidential run. In response, Cellebrite said it maintains a rigorous process for reviewing allegations of technology misuse.

Pentagon is considering Anthropic as a supply chain risk. According to Pentagon sources speaking to Axios, the Department of War is considering naming Anthropic as a supply chain risk, a category usually reserved for foreign adversaries. Currently, Anthropic's LLMs are the only ones approved for use on classified information and have been verified as used in active military operations. The ban seems to be a response to continued negotiations with Anthropic on how the LLMs can be used by the Pentagon, with Anthropic holding a hard line against using it for mass surveillance of US citizens and for unmanned weapons development. Naming Anthropic a supply chain risk would cut it off from government contracts, and government suppliers could not use Anthropic in their own workflows.

And now, thanks to today's episode sponsor, Conveyor. Most of what Conveyor automates is boring. Like, really boring. Security questionnaires, customer requests for things like your SOC 2, all of their follow-up questions, answering tickets from your sales team. You know what's not boring? Alteryx using Conveyor to support over half a billion dollars in enterprise deals with a small four-person team. All they did was set up an AI Trust center and use Conveyor's AI agent to complete questionnaires. Learn more at conveyor.com. That's C-O-N-V-E-Y-O-R.com.

Identity abuse behind most attacks. As is quickly becoming cliche, threat actors aren't breaking in, they're logging in. A new report from Palo Alto's Unit 42 found that identity-based techniques were behind roughly 2/3 of all initial network access in 2025 that they responded to. Social engineering was the most common method, but compromised credentials, poor identity policies, insider threats and good old brute force attacks were all in the mix. Vulnerability exploits accounted for roughly 22% of initial intrusions in the report. Most of the attacks Unit 42 responded to were financially motivated, with median payments up 87% on the year to US$500,000.

Man arrested for not deleting files. Last week, a 40-year-old Dutch man contacted police saying he had an image that could be related to an ongoing investigation. An officer responded intending to send a secure upload link, but actually sending a download link to confidential documents. After realizing the error, police told the man to delete any documents. The man refused, saying he would do so only if he received something in return. In true mess around with it and find out energy, the police arrested the man, seized his data storage devices and searched his home. No word on whether any charges will be filed, but a police statement said such behavior could constitute any computer trespassing.

Backdoor discovered in Android firmware. Researchers at Kaspersky detailed a new Android malware called Kinadu. This malware was found distributed through compromised over-the-air firmware updates, embedded in system apps, third-party app stores and through Google Play apps. As this suggests, Kinadu comes in various forms, ranging from a malicious app with elevated privileges to a fully embedded firmware. Kaspersky found over 13,000 infected devices located in Brazil, Germany, Japan, the Netherlands and Russia. Kinadu came preinstalled on devices from multiple OEMs, with one Alldocube tablet showing a malicious firmware dating back to August 2023. While Kinadu can operate as a fully capable backdoor that could completely take over a device, operators are currently using it for ad fraud.

Polish police arrest Phobos suspect. Officers from Poland's Central Bureau of Cybercrime Control arrested a 47-year-old man with suspected ties to the Phobos ransomware-as-a-service organization. This came as part of a larger Europol-led effort to target the group, dubbed Operation Aether. Authorities seized computers and phones and found credentials and server IP addresses linked to recent Phobos attacks. While Phobos isn't in the news too much lately, back in 2024 the US Department of Justice linked Phobos to breaches at more than 1,000 global entities, receiving ransoms of over US$16 million.

Apple expands RCS and memory protections. The latest beta of iOS 26.4 adds limited support for encrypted RCS messages. This is limited to messages between Android devices at the moment, which already have access to end-to-end encrypted iMessage, and there's no word on if and when messages to Android will be supported. The beta also updated Apple's Memory Integrity Enforcement, or MIE, allowing developers to opt into full protections with the features. Since it was announced in September 2025, Apple only allowed for a soft mode for testing. MIE is meant as a defense against typical spyware attack paths, providing always-on memory protection across the kernel and userland processes.

Have you heard of YouTube? You have? Phew. This makes this whole pitch a lot easier. Since you already know where to go to watch your online video content, might I suggest you subscribe to the CISO Series. On there we post daily news shorts, original interviews, demos and the latest updates on our event calendar, as well as clips from all of our fantastic shows. Plus, we stream our Department of Know show every Monday at 4pm Eastern, where you can chat along with security leaders about the news that matters to your security team. If you haven't already, be sure you're following us on YouTube. And if you have some thoughts on the news from today or just about the show in general, be sure to reach out to us: feedback@cisoseries.com. We'd love to hear from you. Reporting for the CISO Series, I'm Rich Stroffelino, reminding you to have a super sparkly day.
A
Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: Rich Stroffelino, CISO Series
This episode delivers rapid-fire updates on key cyber incidents, government campaigns, and notable research findings from the world of information security. Topics include a targeted cyberattack on Iranian protestors, the UK’s effort to boost small business cybersecurity, the controversial use of Cellebrite’s phone hacking technology in Kenya, Pentagon concerns over AI supplier Anthropic, and more.
"Given the intended targets and the sophistication in avoiding detection, the researchers suggested... it shows links to Iranian aligned threat actors." – Rich Stroffelino [00:33]
"82% of businesses experience some form of cyber incident within the past year." – Rich Stroffelino [01:29]
"Mwangi was alerted to this intrusion when his phone no longer required a password to unlock." – Rich Stroffelino [02:27]
"Anthropic holding a hard line against using it for mass surveillance of US citizens and for unmanned weapons development." – Rich Stroffelino [03:31]
"As is quickly becoming cliche, threat actors aren't breaking in, they're logging in." – Rich Stroffelino [05:02]
"In true mess around with it and find out energy, the police arrested the man, seized his data storage devices and searched his home." – Rich Stroffelino [05:37]
"MIE is meant as a defense against typical spyware attack paths, providing always-on memory protection across the kernel and userland processes." – Rich Stroffelino [07:13]
For deep dives and more details: Visit CISOseries.com
Host’s closing note:
“Reminding you to have a super sparkly day.” – Rich Stroffelino