Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, February 20, 2026


In a groundbreaking shift for mobile threats, PromptSpy has emerged as the first Android malware to outsource its logic to generative AI. By feeding screen data to Google’s Gemini, the malware receives dynamic, step-by-step instructions to navigate the unique UI of any device, ensuring it stays "pinned" in the recent apps list where it can’t be easily closed.

Banking security is facing a "Massiv" new challenge as a deceptive IPTV app lures users into a sophisticated financial trap. Masquerading as a harmless television streaming service, the Massiv trojan targets high-value identity wallets to facilitate identity theft and fraudulent loans.

A massive security hole in Dell RecoverPoint has been transformed into a long-term gateway for state-sponsored espionage, prompting an emergency order from CISA. For nearly two years, the China-linked group UNC6201 has exploited hardcoded administrative credentials to bypass security and deploy a suite of persistent backdoors, including the elusive Grimbolt.

Top Malware Reported in the Last 24 Hours

ESET uncovers new AI-powered Android malware

ESET researchers have discovered PromptSpy, a groundbreaking Android malware that utilizes generative AI to manipulate user interfaces for malicious purposes. By employing Google’s Gemini, PromptSpy can analyze on-screen elements and provide dynamic instructions to maintain its presence in the recent apps list, enhancing its adaptability across various devices and operating systems. This malware features a built-in VNC module, enabling attackers to remotely control compromised devices. Additionally, it exploits the Accessibility Service to block uninstallation, capture sensitive data, and perform automated actions without user consent. PromptSpy is distributed through phishing websites, specifically targeting users in Argentina. 

Massiv - New Android banking malware

A new Android banking malware named Massiv is masquerading as an IPTV app to steal user credentials and access online banking accounts. This malware employs techniques such as screen overlays and keylogging to capture sensitive information and can remotely control compromised devices. Researchers observed Massiv targeting a Portuguese government app linked to Chave Móvel Digital, which contains user data that could facilitate identity theft and financial fraud. The malware operates in two modes: one for live screen streaming and another that extracts structured data using Android’s Accessibility Service, enabling attackers to manipulate the device interface. The trend of using IPTV apps as lures for malware infections has grown significantly, particularly through unofficial channels, affecting users primarily in Spain, Portugal, France, and Turkey.

Top Vulnerabilities Reported in the Last 24 Hours

Patch this Dell flaw now!

CISA has ordered federal agencies to patch a critical Dell RecoverPoint vulnerability (CVE-2026-22769) that is being actively exploited by the suspected Chinese hacking group UNC6201. The vulnerability stems from hardcoded credentials and has been exploited since mid-2024 to deploy malware, including a new backdoor called GRIMBOLT, which is harder to analyze than its predecessor, BRICKSTORM. UNC6201 has used the vulnerability to move laterally, maintain persistent access, and deploy additional malware such as SLAYSTYLE, BRICKSTORM, and GRIMBOLT.

Microsoft patches critical Windows vulnerability

Microsoft has addressed a significant security flaw in Windows Admin Center, tracked as CVE-2026-26119, which could enable attackers to escalate their privileges over a network. Discovered by Semperis researcher Andrea Pierini, this high-severity vulnerability received a CVSS score of 8.8 out of 10. It allows an authorized attacker to gain the same rights as the user running the affected application. Although Microsoft has not reported any active exploitation of this vulnerability, it has been categorized as "Exploitation More Likely." The issue was resolved in Windows Admin Center version 2511, released in December 2025.

