
CISO Weekly Brief: AI Threats, Zero-Days, Credential Theft & Ransomware (Feb 12, 2026)

As the cybersecurity landscape evolves, CISOs must remain vigilant against emerging threats and vulnerabilities. This week’s briefing highlights critical developments in AI security, zero-day exploits, credential theft, and ransomware tactics. The following summary provides actionable insights and executive-level talking points to help guide your organization’s response.

Top Items CISOs Should Care About (Priority)

ThreatsDay Bulletin: AI Prompt RCE, Claude 0-Click, RenEngine Loader, Auto 0-Days & 25+ Stories

  • What happened: Multiple critical AI-related zero-days and exploits have been reported, including prompt-based remote code execution and zero-click vulnerabilities.
  • Why it matters: These issues highlight the growing risk and enterprise impact of AI-driven attacks.
  • What to verify internally:
    • Inventory of AI tools and platforms in use
    • Patch and update status of AI-related software
    • Access controls and monitoring on AI systems
    • Incident response readiness for AI-specific threats
  • Exec questions to prepare for:
    • Are our AI deployments exposed to these vulnerabilities?
    • What controls are in place to detect AI-driven attacks?
    • How quickly can we patch or mitigate AI-related risks?
    • What is our plan if an AI system is compromised?
  • Sample CISO response: We are reviewing all AI deployments for exposure, accelerating patching, and updating monitoring to address these specific AI threats.

Apple Fixes Exploited Zero-Day Affecting iOS, macOS, and Apple Devices

  • What happened: Apple released a patch for a zero-day vulnerability actively exploited on iOS, macOS, and other Apple devices.
  • Why it matters: Widespread use of Apple devices in the enterprise makes this a high-priority patching event.
  • What to verify internally:
    • Current patch status of all Apple devices
    • Inventory of unmanaged or BYOD Apple endpoints
    • Monitoring for signs of exploitation
    • User communication regarding urgent updates
  • Exec questions to prepare for:
    • Have all Apple devices been patched?
    • Are we seeing any signs of compromise?
    • How are we communicating with users about this?
  • Sample CISO response: We have prioritized patching across all Apple devices and are monitoring for any indicators of compromise related to this vulnerability.

83% of Ivanti EPMM Exploits Linked to Single IP on Bulletproof Hosting Infrastructure

  • What happened: The majority of recent exploits targeting Ivanti EPMM have been traced to a single IP address using bulletproof hosting.
  • Why it matters: Concentrated attacks on enterprise mobility management software increase the risk of compromise.
  • What to verify internally:
    • Exposure of Ivanti EPMM systems to the internet
    • Patch and update status of Ivanti EPMM
    • Monitoring for connections to known malicious IPs
    • Review of remote access and authentication controls
  • Exec questions to prepare for:
    • Are our Ivanti systems patched and monitored?
    • Have we detected any suspicious activity?
    • What is our response plan if an exploit is detected?
  • Sample CISO response: We have reviewed our Ivanti deployments, ensured patching, and are actively monitoring for any signs of targeted exploitation.
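The "monitoring for connections to known malicious IPs" check above is concrete enough to script. The following is an added example written for this brief, not code from the original article or from Ivanti: it parses a pipe-delimited firewall export, matches destinations against a blocklist, and groups the hits by internal source host. The log format, the sample lines and the blocklist entries are constructed (the addresses are from the RFC 5737 documentation range and stand in for the IP named in the report).

```python
"""Flag connections to a blocklist of known-malicious IPs in firewall logs.

Added example for this brief, not code from the original. The pipe-delimited
log format and the sample lines are constructed; the blocklist entries are
placeholders from the RFC 5737 documentation range, not the IP named in the
Ivanti EPMM report.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed firewall export: timestamp|src|dst|dport|action
SAMPLE_LOG = """\
2026-02-10T08:01:12Z|10.20.5.17|203.0.113.10|443|allow
2026-02-10T08:01:15Z|10.20.5.17|198.51.100.4|443|allow
2026-02-10T08:02:03Z|10.20.5.42|203.0.113.10|8443|allow
2026-02-10T08:02:40Z|10.20.9.9|203.0.113.77|443|deny
2026-02-10T08:03:00Z|10.20.5.42|192.0.2.8|443|allow
this line is not a log record
"""

# Placeholder blocklist: the reported host plus the hosting range around it.
BLOCKLIST = [
    ipaddress.ip_network("203.0.113.10/32"),
    ipaddress.ip_network("203.0.113.0/24"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\|(?P<src>[\d.]+)\|(?P<dst>[\d.]+)\|(?P<dport>\d+)\|(?P<action>\w+)$"
)


def parse_line(line):
    """Return a dict with parsed IP objects, or None for lines that are not records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        return {
            "ts": m["ts"],
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]),
            "action": m["action"],
        }
    except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
        return None


def is_blocklisted(addr, blocklist=BLOCKLIST):
    """True when the address falls inside any blocklisted network."""
    return any(addr in net for net in blocklist)


def find_hits(log_text, blocklist=BLOCKLIST):
    """Group every record whose destination is blocklisted by internal source host.

    Denied attempts are kept too: a host repeatedly trying to reach the range is
    worth a look even when the firewall stopped it.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_blocklisted(rec["dst"], blocklist):
            continue
        hits[str(rec["src"])].append(
            (rec["ts"], str(rec["dst"]), rec["dport"], rec["action"])
        )
    return dict(hits)


if __name__ == "__main__":
    for src, events in sorted(find_hits(SAMPLE_LOG).items()):
        print(f"{src}: {len(events)} connection(s) to blocklisted destinations")
        for ts, dst, port, action in events:
            print(f"    {ts} -> {dst}:{port} ({action})")
```

Replace `SAMPLE_LOG` with a real export and `BLOCKLIST` with the indicators from the report; matching on networks rather than single addresses catches neighbouring hosts on the same bulletproof hosting range, which is why the /24 is included alongside the /32.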

Apple fixes zero-day flaw used in 'extremely sophisticated' attacks

  • What happened: Apple addressed a zero-day vulnerability exploited in advanced attacks targeting Apple devices.
  • Why it matters: The sophistication of these attacks increases the urgency for immediate patching and review.
  • What to verify internally:
    • Patch status of all Apple endpoints
    • Review of endpoint detection and response (EDR) alerts
    • Communication to users about the importance of updates
    • Assessment of potential exposure to targeted attacks
  • Exec questions to prepare for:
    • Are we at risk from these sophisticated attacks?
    • How quickly are we patching Apple devices?
    • What additional monitoring is in place?
  • Sample CISO response: We have expedited patching for all Apple devices and increased monitoring for indicators of sophisticated attack activity.

Google says hackers are abusing Gemini AI for all attack stages

  • What happened: Google reported that threat actors are leveraging Gemini AI across multiple stages of cyberattacks.
  • Why it matters: The use of AI in attack chains increases threat sophistication and detection challenges.
  • What to verify internally:
    • Use of Gemini AI or similar platforms within the organization
    • Security controls and monitoring for AI-driven activity
    • Employee awareness of AI-related threats
    • Review of incident response plans for AI abuse scenarios
  • Exec questions to prepare for:
    • Are we using Gemini AI or similar tools?
    • How are we detecting AI-driven attacks?
    • What is our response plan for AI abuse?
  • Sample CISO response: We are evaluating our use of AI platforms and enhancing monitoring to address the increased risk of AI-driven attack techniques.

Crazy ransomware gang abuses employee monitoring tool in attacks

  • What happened: A ransomware group has been observed using employee monitoring tools to increase the stealth and impact of their attacks.
  • Why it matters: Abuse of legitimate tools complicates detection and response efforts.
  • What to verify internally:
    • Inventory and monitoring of employee monitoring tools
    • Review of access controls and permissions
    • Detection rules for unusual tool usage
    • Incident response playbooks for tool abuse
  • Exec questions to prepare for:
    • Do we use employee monitoring tools?
    • How do we detect misuse of legitimate software?
    • What is our response plan for ransomware incidents?
  • Sample CISO response: We are reviewing our use of monitoring tools and updating detection and response protocols to address this evolving ransomware tactic.

Fake AI Chrome extensions with 300K users steal credentials, emails

  • What happened: Malicious Chrome extensions posing as AI tools have stolen credentials and emails from over 300,000 users.
  • Why it matters: Large-scale credential theft via browser extensions threatens enterprise identity security.
  • What to verify internally:
    • Inventory of browser extensions in use
    • Restrictions on extension installation
    • User awareness training on extension risks
    • Monitoring for suspicious browser activity
  • Exec questions to prepare for:
    • Are employees using unauthorized browser extensions?
    • How do we detect and block malicious extensions?
    • What is our process for responding to credential theft?
  • Sample CISO response: We are auditing browser extension usage and reinforcing controls to prevent installation of unapproved or malicious extensions.
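The extension inventory and allowlist check above can be automated from the browser's own profile data. The following is an added example written for this brief, not code from the original article or from Google: it reads the extension entries from a Chrome profile's preferences JSON, builds an inventory, and reports enabled extensions that are off the allowlist, sideloaded, or carrying permissions that would let them read cookies, mail pages or every site. It assumes Chrome keeps installed extensions under `extensions.settings` (keyed by extension ID, with `manifest`, `from_webstore` and `state`, where 1 means enabled) in the per-profile `Preferences` or `Secure Preferences` file; the extension IDs, names and allowlist are constructed.

```python
"""Inventory Chrome extensions from a profile's preferences JSON and flag anything
outside an allowlist or carrying credential-reading permissions.

Added example for this brief, not code from the original. It assumes Chrome's
per-profile "Preferences" (or "Secure Preferences") file keeps installed
extensions under extensions.settings keyed by extension ID, with a "manifest"
sub-object, "from_webstore" and "state" (1 = enabled). The extension IDs,
names and the allowlist below are constructed.
"""
import json

# Constructed excerpt in the shape of Chrome's extensions.settings.
SAMPLE_PREFS = json.dumps({
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True, "state": 1,
                "manifest": {"name": "Corporate SSO Helper", "version": "2.1.0",
                             "permissions": ["storage"]},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": True, "state": 1,
                "manifest": {"name": "AI Writing Assistant", "version": "1.0.3",
                             "permissions": ["cookies", "webRequest", "tabs"],
                             "host_permissions": ["<all_urls>"]},
            },
            "cccccccccccccccccccccccccccccccc": {
                "from_webstore": False, "state": 1,
                "path": "C:\\Users\\dev\\sideloaded-ext",
                "manifest": {"name": "Dev Tool", "version": "0.1",
                             "permissions": ["tabs"]},
            },
            "dddddddddddddddddddddddddddddddd": {
                "from_webstore": True, "state": 0,
                "manifest": {"name": "Old Theme", "version": "3.0",
                             "permissions": []},
            },
        }
    }
})

# Constructed allowlist of approved extension IDs.
ALLOWLIST = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}

# Permissions that let an extension read session cookies, page content or every site.
HIGH_RISK = {"cookies", "webRequest", "webRequestBlocking", "history",
             "clipboardRead", "<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def extension_inventory(prefs_text):
    """Return one record per extension entry in the preferences document."""
    settings = json.loads(prefs_text).get("extensions", {}).get("settings", {})
    inventory = []
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest") or {}
        # MV2 lists host patterns under permissions, MV3 under host_permissions.
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        inventory.append({
            "id": ext_id,
            "name": manifest.get("name", "<unknown>"),
            "version": manifest.get("version", "?"),
            "enabled": entry.get("state") == 1,
            "from_webstore": bool(entry.get("from_webstore", False)),
            "risky_permissions": sorted(perms & HIGH_RISK),
        })
    return inventory


def audit(prefs_text, allowlist=ALLOWLIST):
    """Return findings for enabled extensions that are unapproved, sideloaded or over-privileged."""
    findings = []
    for ext in extension_inventory(prefs_text):
        if not ext["enabled"]:
            continue  # disabled entries cannot run; report them separately if needed
        reasons = []
        if ext["id"] not in allowlist:
            reasons.append("not on allowlist")
        if not ext["from_webstore"]:
            reasons.append("sideloaded (not from Web Store)")
        if ext["risky_permissions"]:
            reasons.append("high-risk permissions: " + ", ".join(ext["risky_permissions"]))
        if reasons:
            findings.append({"id": ext["id"], "name": ext["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PREFS):
        print(f"{f['id']}  {f['name']}")
        for r in f["reasons"]:
            print("    -", r)
```

Run against the `Preferences` file under each user profile (for example `User Data\Default` on Windows) and the output is a per-endpoint list of extensions to remove or approve; the same allowlist can then be enforced through Chrome's enterprise extension install policies rather than left to users.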

Windows 11 Notepad flaw let files execute silently via Markdown links

  • What happened: A vulnerability in Windows 11 Notepad allowed silent execution of files through malicious Markdown links.
  • Why it matters: This flaw poses a significant risk to endpoint security and user safety.
  • What to verify internally:
    • Patch status of Windows 11 endpoints
    • Monitoring for suspicious file execution events
    • User guidance on safe file handling
    • Review of endpoint protection configurations
  • Exec questions to prepare for:
    • Are all Windows 11 devices patched?
    • How do we detect silent file execution?
    • What user training is in place for file safety?
  • Sample CISO response: We have prioritized patching for Windows 11 devices and are monitoring for any unusual file execution activity.
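"How do we detect silent file execution?" has a practical answer in process-creation telemetry: an editor such as Notepad has little reason to launch other programs, so any child process of notepad.exe is a useful signal. The following is an added example written for this brief, not code from the original article or from Microsoft: it scores process-creation events exported as JSON lines (the field names follow Sysmon Event ID 1: `Image`, `ParentImage`, `CommandLine`, `User`, `UtcTime`) and ranks children of Notepad higher when the child is a script interpreter or lives in a user-writable path. The sample events and the interpreter list are constructed assumptions, and the heuristic is a starting point for tuning rather than a signature for this specific flaw.

```python
"""Heuristic detection: processes spawned by Notepad.

Added example for this brief, not code from the original. Assumes
process-creation telemetry (e.g. Sysmon Event ID 1) exported as JSON lines with
Image, ParentImage, CommandLine, User and UtcTime fields. The sample records
and the interpreter list are constructed assumptions.
"""
import json
from pathlib import PureWindowsPath

# Constructed JSON-lines export; the last line is deliberately malformed.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"UtcTime": "2026-02-11 09:14:02.110", "User": "CORP\\alice",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\alice\\Downloads\\notes.md"},
    {"UtcTime": "2026-02-11 09:14:40.512", "User": "CORP\\alice",
     "ParentImage": "C:\\Windows\\System32\\notepad.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Users\\alice\\Downloads\\update.ps1"},
    {"UtcTime": "2026-02-11 10:02:17.004", "User": "CORP\\bob",
     "ParentImage": "C:\\Windows\\System32\\notepad.exe",
     "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\setup.exe",
     "CommandLine": "setup.exe"},
    {"UtcTime": "2026-02-11 10:05:00.000", "User": "CORP\\bob",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe"},
]) + "\nthis is not a json record\n"

# Children that turn "Notepad opened a file" into "Notepad ran code" (assumed list).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe"}

# Path fragments typical of locations a standard user can write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\downloads\\", "\\appdata\\")


def basename(path):
    """Lower-cased file name of a Windows path ('' for missing values)."""
    return PureWindowsPath(path or "").name.lower()


def score_event(ev):
    """Return (score, reasons); score is 0 for events that are not children of Notepad."""
    if basename(ev.get("ParentImage")) != "notepad.exe":
        return 0, []
    score, reasons = 50, ["child process of notepad.exe"]
    child = basename(ev.get("Image"))
    if child in INTERPRETERS:
        score += 40
        reasons.append(f"interpreter child: {child}")
    if any(m in (ev.get("Image") or "").lower() for m in USER_WRITABLE_MARKERS):
        score += 20
        reasons.append("child image in user-writable path")
    return score, reasons


def find_notepad_children(jsonl_text):
    """Parse JSON lines, skip malformed ones, and return scored findings, highest first."""
    findings = []
    for line in jsonl_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        score, reasons = score_event(ev)
        if score:
            findings.append({
                "time": ev.get("UtcTime"), "user": ev.get("User"),
                "image": ev.get("Image"), "cmdline": ev.get("CommandLine"),
                "score": score, "reasons": reasons,
            })
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in find_notepad_children(SAMPLE_EVENTS):
        print(f"[{f['score']}] {f['time']} {f['user']} {f['image']}")
        for r in f["reasons"]:
            print("    -", r)
```

The same parent/child rule translates directly into an EDR or SIEM query (parent image ends with `notepad.exe`, child image anything); the scoring here only decides which of those hits an analyst looks at first.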

AMOS infostealer targets macOS through a popular AI app

  • What happened: The AMOS infostealer is targeting macOS endpoints via a widely used AI application, risking sensitive data exposure.
  • Why it matters: This attack vector increases risk for organizations with Apple endpoints and AI adoption.
  • What to verify internally:
    • Inventory of AI apps on macOS devices
    • Monitoring for infostealer indicators
    • Patch and update status of AI apps
    • User education on app download sources
  • Exec questions to prepare for:
    • Are our macOS devices exposed to this threat?
    • What controls are in place for app downloads?
    • How do we detect infostealer activity?
  • Sample CISO response: We are reviewing AI app usage on macOS devices and enhancing monitoring for infostealer threats.

First Malicious Outlook Add-In Found Stealing 4,000+ Microsoft Credentials

  • What happened: A malicious Outlook add-in was discovered stealing credentials from over 4,000 Microsoft accounts.
  • Why it matters: This compromises enterprise email security and user trust.
  • What to verify internally:
    • Inventory of Outlook add-ins in use
    • Monitoring for suspicious add-in activity
    • User awareness on add-in risks
    • Review of compromised accounts
  • Exec questions to prepare for:
    • Are any employees using this malicious add-in?
    • How do we detect and block malicious add-ins?
    • What is our process for credential reset and recovery?
  • Sample CISO response: We are auditing Outlook add-ins and have implemented controls to detect and block malicious add-in activity.

Microsoft Store Outlook add-in hijacked to steal 4,000 Microsoft accounts

  • What happened: Attackers hijacked a Microsoft Store Outlook add-in to steal credentials from thousands of accounts.
  • Why it matters: This further highlights the risk of third-party add-ins in enterprise environments.
  • What to verify internally:
    • Review of all Outlook add-ins installed via Microsoft Store
    • Monitoring for unusual account activity
    • Communication to users about add-in risks
    • Credential reset procedures for affected users
  • Exec questions to prepare for:
    • Are we exposed to this hijacked add-in?
    • How do we control third-party add-in installations?
    • What remediation steps are in place for affected users?
  • Sample CISO response: We are reviewing Outlook add-in usage and have implemented additional controls to prevent unauthorized installations.

LummaStealer infections surge after CastleLoader malware campaigns

  • What happened: There has been a surge in LummaStealer infections following recent CastleLoader malware campaigns.
  • Why it matters: Increased info-stealing malware activity raises the risk to enterprise credentials and data.
  • What to verify internally:
    • Endpoint protection coverage and updates
    • Monitoring for LummaStealer indicators
    • User awareness on phishing and malware risks
    • Incident response readiness for credential theft
  • Exec questions to prepare for:
    • Are we seeing any LummaStealer activity?
    • How do we detect and respond to info-stealer malware?
    • What is our credential reset process?
  • Sample CISO response: We are monitoring for LummaStealer activity and have reinforced endpoint protection and user awareness measures.

Notable Items

CISO Action Checklist Today

  • Verify patch status for all Apple and Windows endpoints, prioritizing zero-day vulnerabilities.
  • Audit AI tools and platforms for exposure to recent exploits.
  • Review and restrict browser extension installations across the enterprise.
  • Monitor for suspicious Outlook add-in activity and remove unauthorized add-ins.
  • Assess use and security of employee monitoring tools.
  • Update endpoint protection and detection rules for info-stealer and ransomware threats.
  • Communicate with users about urgent updates and risks related to AI apps and browser extensions.
  • Review incident response plans for AI-driven and sophisticated attack scenarios.
  • Monitor for connections to known malicious IPs, especially related to Ivanti EPMM.
  • Reinforce user awareness on phishing, malware, and credential theft tactics.
