INTERPOL Operation Synergia III takes down 45,000 malicious IPs and arrests 94 across 72 countries. Google emergency-patches 2 Chrome zero-days exploited in attacks. SocksEscort proxy botnet with 369,000 IPs dismantled. Chinese APT CL-STA-1087 targets Southeast Asian militaries. Starbucks discloses employee data breach. Storm-2561 distributes fake enterprise VPN clients. Poland's nuclear research centre targeted by cyberattack.
INTERPOL has announced the takedown of 45,000 malicious IP addresses and servers used for phishing, malware, and ransomware campaigns as part of Operation Synergia III, the largest coordinated cybercrime crackdown this year.
The operation spanned 72 countries and territories, resulting in 94 arrests with another 110 individuals under active investigation. A total of 212 electronic devices and servers were seized during raids at key locations worldwide.
Notable regional outcomes include:
| Metric | Details |
|---|---|
| IPs/Servers taken down | 45,000+ |
| Countries involved | 72 |
| Arrests | 94 (110 more under investigation) |
| Devices seized | 212 |
| Scope | Phishing, malware, ransomware infrastructure |
Significance: This operation demonstrates the growing effectiveness of international law enforcement coordination against cybercrime infrastructure. However, the sheer scale โ 45,000 IPs โ underscores how vast the criminal infrastructure remains.
Google has released emergency security updates to patch two high-severity Chrome vulnerabilities that were actively exploited as zero-days in real-world attacks before patches were available.
Both vulnerabilities are rated high-severity and were exploited in targeted attacks. Google has withheld specific technical details until a majority of users have updated, following its standard responsible disclosure practice.
This marks Google's continued battle against Chrome zero-day exploitation โ following the trend of 90 zero-days tracked in 2025 alone. Chrome remains the world's most-used browser with over 3 billion users, making any zero-day exploitation extremely high-impact.
Action Required: Update Chrome immediately via chrome://settings/help. Restart browser after update. Enterprise admins should push updates via Group Policy or MDM. Consider enabling Chrome's Enhanced Protection mode for high-risk users.
A court-authorized international operation has dismantled SocksEscort, a criminal proxy service that enslaved thousands of residential routers into a botnet used for large-scale fraud, offering access to 369,000 IP addresses across 163 countries.
SocksEscort infected home and small business internet routers with malware, then sold proxy access through compromised devices to criminals who needed to mask their true location. The service has been operating since summer 2020.
| Detail | Information |
|---|---|
| Total IPs offered | 369,000 across 163 countries |
| Active infected routers | ~8,000 (as of Feb 2026) |
| US-based infections | 2,500 |
| Operating since | Summer 2020 |
| Service claims | "Static residential IPs, unlimited bandwidth" |
Action Required: Check home routers for unusual behavior or unknown firmware modifications. If you suspect compromise, factory-reset and update firmware immediately. SMBs should audit all edge network devices.
A suspected China-linked APT tracked as CL-STA-1087 has targeted Southeast Asian military organizations in a sophisticated cyber espionage campaign running since at least 2020, deploying custom malware dubbed AppleChris and MemFun.
Palo Alto Networks Unit 42 reports the campaign demonstrates "strategic operational patience" โ rather than bulk data theft, attackers focused on highly targeted intelligence collection, specifically searching for files related to:
The campaign exhibits hallmarks of advanced persistent threat operations including carefully crafted delivery methods, defense evasion strategies, highly stable operational infrastructure, and custom tooling that avoids detection by commercial security products.
NIS2 Relevance: This campaign highlights the persistent state-sponsored threat to defense and critical infrastructure sectors. Organizations in the EU defense supply chain must ensure their NIS2 incident reporting capabilities can detect and respond to similar long-dwell campaigns.
Starbucks has disclosed a data breach affecting hundreds of employees after threat actors gained unauthorized access to Starbucks Partner Central accounts โ the company's internal employee portal.
While the full scope of compromised data has not been disclosed, Partner Central typically contains employee personal information, pay details, schedules, and benefits data. Starbucks is notifying affected employees and providing credit monitoring services.
Key Takeaway: Internal employee portals remain high-value targets. Organizations should enforce MFA on all employee-facing systems, implement anomalous login detection, and regularly audit access patterns โ especially for portals containing PII and financial data.
A threat actor tracked as Storm-2561 is distributing fake enterprise VPN clients from Ivanti, Cisco, and Fortinet through convincing lookalike download sites to steal VPN credentials from unsuspecting corporate users.
The campaign targets employees searching for VPN client downloads or troubleshooting connection issues. Fake sites closely mimic legitimate vendor download pages, and the malicious installers function as real VPN clients while simultaneously harvesting credentials in the background.
Action Required:
Poland's National Centre for Nuclear Research (NCBJ) has confirmed that hackers targeted its IT infrastructure in a cyberattack that was detected and blocked before causing any impact. While details are limited, the targeting of nuclear research facilities represents a critical escalation in the threat to European critical infrastructure.
This incident follows a broader pattern of nation-state actors targeting nuclear and energy infrastructure across Europe โ particularly concerning given the current geopolitical climate and NIS2 requirements for critical infrastructure operators.
NIS2 Implication: Nuclear facilities fall under NIS2's "essential entities" classification with the strictest requirements. This incident will likely accelerate compliance enforcement across the EU energy sector.
The FBI is asking gamers who installed Steam titles containing malware to provide information as part of an ongoing investigation into eight malicious games uploaded to the popular gaming platform.
The games were uploaded to Steam's marketplace and contained hidden malware that compromised player systems. While Valve has removed the titles, anyone who installed them may have been compromised. The FBI is building cases against the developers behind these malicious uploads.
Action Required: If you installed any suspicious Steam games recently removed from the platform, run a full malware scan and contact the FBI's IC3 portal. Organizations should ensure gaming platforms are restricted on corporate devices.
| Story | Impact |
|---|---|
| VENON Rust Banking Malware | First Rust-based banking trojan targets 33 Brazilian banks with credential-stealing overlays |
| Microsoft Outlook Sync Issues | Classic Outlook desktop client experiencing email synchronization and connection problems |
| Windows 11 Samsung C: Drive Bug | February 2026 updates cause Samsung laptop users to lose C: drive access |
| Loblaw Customer Data Breach | Canadian retail giant forces all customer account logouts after security incident |
โ Threat Intelligence Feeds โ Correlate your attack surface against INTERPOL-flagged infrastructure and known malicious IPs in real-time
โ Browser Vulnerability Tracking โ Instant alerts for Chrome and browser zero-days affecting your organization's endpoints
โ Edge Device Scanning โ Detect compromised routers and network appliances before they're enrolled in criminal proxy networks
โ VPN Security Validation โ Verify VPN client integrity and detect credential-harvesting lookalike infrastructure
โ NIS2 Compliance Monitoring โ Continuous compliance tracking for critical infrastructure entities including nuclear, energy, and defense sectors
AI-powered vulnerability scanning and continuous security monitoring. Start your free scan today.
Start Free Scan โStay secure. Stay vigilant.
๐ก๏ธ KENSAI Security Team
๐ก๏ธ Is your website secure?
Discover vulnerabilities before attackers do.
Scan your website for free โ