NightSpire Ransomware Dominates February Attacks as Microsoft Issues Urgent Patch

Microsoft’s February 2026 Patch Tuesday, released February 10, addresses 54 vulnerabilities across Windows, Office, Exchange, Azure, and developer tools. The standout issue is six zero-day vulnerabilities already under active attack in the wild, meaning attackers began exploiting them before a patch was available.

Federal agencies have until March 3, 2026, to patch their systems. This deadline is critical given that Microsoft disclosed 41 zero-days across all of 2025—a significant increase from previous years. The breadth of affected products suggests widespread exposure for organizations that haven’t maintained current patching practices.

Action Items:

  • Prioritize patching of all Windows systems, Office applications, and Exchange servers immediately
  • Verify patch deployment across Azure environments and developer tools
  • Conduct a risk assessment of systems that cannot be patched within the federal deadline
  • Review patch management processes to identify gaps that contributed to delayed deployment

NightSpire Ransomware: Dominating February 2026 Attack Landscape

The NightSpire ransomware group has emerged as the most active ransomware operator on February 15, 2026, claiming 26 new victims—accounting for 86% of all new victim disclosures. This represents a dramatic escalation in the group’s activity, which initially surfaced in February 2025.

NightSpire distinguishes itself through sophisticated double-extortion tactics, combining targeted encryption with public data leaks. The group has targeted professional services and manufacturing sectors, which together account for over 63% of observed victims. Recent attacks include the February 14, 2026, breach of Adirondack Networks, where attackers exfiltrated 48.5GB of sensitive data including internal financial records.

Action Items:

  • Assess exposure of professional services and manufacturing networks to NightSpire’s tactics
  • Review backup and recovery procedures, particularly for critical business systems
  • Implement monitoring for indicators of compromise associated with NightSpire’s infrastructure
  • Prepare for potential data publication campaigns as the group escalates public shaming tactics

ClickFix Evolution: DNS-Based Payload Delivery

Microsoft has disclosed details of a new evolution in the ClickFix social engineering campaign. Attackers now trick users into executing commands that perform Domain Name System (DNS) lookups to retrieve the next-stage payload. Specifically, the technique has the user launch the nslookup command from the Windows Run dialog, and the DNS responses deliver the malicious payload.

The attack relies on user disruption combined with social engineering to increase execution success while reducing reliance on traditional exploit techniques. ClickFix attacks surged 517% in the first half of 2025, accounting for 8% of all blocked attacks. The new DNS-based delivery method represents a notable escalation in tradecraft, allowing attackers to bypass traditional detection methods by blending malicious activity with legitimate DNS queries.

Action Items:

  • Train users to recognize and avoid ClickFix-style social engineering attempts
  • Implement controls to prevent unauthorized execution of nslookup commands from untrusted sources
  • Review browser extension management policies, as variants include browser extension components
  • Enhance endpoint detection capabilities to identify unusual DNS query patterns associated with this attack
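One way to act on the last two items, as an added example that is not part of the original post: a small detection pass over constructed, simplified process-creation events (Sysmon Event ID 1 style) that flags nslookup launched from the Run dialog (explorer.exe parent), TXT-record query flags, and unusually long hex-like DNS labels. The event format, field names and domains are assumptions made for the example.

```python
import re

# Constructed sample process-creation events in a simplified Sysmon Event ID 1
# style (field=value, pipe-separated). These are illustrative records, not log
# data from the original post; domains are placeholders.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\nslookup.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=nslookup -type=txt stage.example.invalid",
    "Image=C:\\Windows\\System32\\nslookup.exe|ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=nslookup mail.example.invalid",
    "Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=notepad",
    "Image=C:\\Windows\\System32\\nslookup.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=nslookup -q=txt a3f9c1b2d4e5f6a7b8c9d0e1f2a3b4c5.d.example.invalid",
]

# nslookup accepts -type=, -querytype= and -q= to select the record type.
TXT_QUERY = re.compile(r"-(?:type|querytype|q)=txt\b", re.IGNORECASE)
# Heuristic (assumption, not from the post): a DNS label this long and hex-like
# is unusual for hostnames a person types by hand.
LONG_LABEL = re.compile(r"\b[0-9a-f]{24,}\b", re.IGNORECASE)

def parse_event(line: str) -> dict:
    """Split 'k=v|k=v' into a dict; values may themselves contain '='."""
    return dict(field.split("=", 1) for field in line.split("|"))

def analyze(line: str) -> list:
    """Return the indicators that make an nslookup event look like ClickFix delivery."""
    ev = parse_event(line)
    if not ev.get("Image", "").lower().endswith("\\nslookup.exe"):
        return []
    reasons = []
    # The Run dialog is hosted by explorer.exe; admins normally use a console.
    if ev.get("ParentImage", "").lower().endswith("\\explorer.exe"):
        reasons.append("parent_explorer")
    cmd = ev.get("CommandLine", "")
    if TXT_QUERY.search(cmd):
        reasons.append("txt_query")
    if LONG_LABEL.search(cmd):
        reasons.append("long_label")
    return reasons

def find_suspicious(events: list) -> list:
    """Return (index, reasons) for events carrying at least two indicators."""
    return [(i, r) for i, r in enumerate(map(analyze, events)) if len(r) >= 2]

if __name__ == "__main__":
    for i, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(reasons)}")
```

Requiring two indicators keeps a lone legitimate TXT lookup from a console out of the alert; tune the threshold and the label heuristic to your environment.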

CIRCIA Town Halls: Critical Infrastructure Reporting Feedback

CISA is hosting seven town hall meetings to gather feedback from critical infrastructure sectors as it works to finalize the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). The agency seeks “specific, actionable improvements” to clarify or reduce the burden of the planned reporting requirement while still providing the government with adequate information about the cyber-threat landscape.

The Act directs CISA to issue a final rule defining “covered cyber incident” to include any substantial cyber incident actually experienced by covered entities, rather than mere threats or failed attacks. These town halls represent an important opportunity for organizations to influence how incident reporting requirements will be implemented in practice.

Action Items:

  • Participate in upcoming CIRCIA town hall meetings if your organization is in a critical infrastructure sector
  • Begin preparing for incident reporting requirements by documenting current incident response processes
  • Review existing incident documentation practices to identify gaps that will need to be addressed
  • Engage with industry associations to coordinate feedback and ensure consistent messaging

Defense Priorities for the Week

The cybersecurity landscape this week demands immediate attention to patch management, ransomware preparedness, and user awareness training. The combination of actively exploited zero-days, a dominant ransomware group, and evolving social engineering tactics creates a challenging environment for defenders.

Organizations should focus on:

  1. Patch Management: Prioritize the February Patch Tuesday updates, especially for systems with active exploitation
  2. Ransomware Resilience: Review backup strategies and conduct ransomware simulation exercises
  3. User Awareness: Reinforce training on recognizing social engineering attempts like ClickFix
  4. Incident Readiness: Prepare for new reporting requirements under CIRCIA

The convergence of these threats underscores the importance of a layered defense approach that addresses technical vulnerabilities, user behavior, and organizational processes simultaneously.