
9th February – Threat Intelligence Report

Severity: Medium
Tags: Vulnerability, web
Published: Mon Feb 09 2026 (02/09/2026, 12:50:16 UTC)
Source: Check Point Research

Description

The 9th February 2026 Threat Intelligence Report highlights multiple cyberattacks and vulnerabilities impacting critical infrastructure, educational institutions, and cloud environments. Notably, Romania’s national oil pipeline operator Conpet suffered a ransomware attack by the Qilin group, disrupting IT systems but not operational technology. European educational institutions in Italy and Belgium also faced ransomware attacks with data extortion attempts. Advanced AI-assisted intrusions exploited exposed AWS credentials to escalate privileges and abuse cloud resources. A critical Docker vulnerability (DockerDash) enabled remote code execution via malicious image metadata. Zero-day vulnerabilities in Ivanti Endpoint Manager Mobile and React Native Community CLI allow unauthenticated remote code execution, with active exploitation observed. The report underscores a surge in ransomware, DDoS, and multi-extortion attacks, with threat actors leveraging AI and phishing campaigns abusing trusted SaaS notifications. European organizations face significant risks from ransomware, cloud intrusions, and supply chain vulnerabilities, requiring targeted mitigations beyond standard practices.

AI-Powered Analysis

Last updated: 02/09/2026, 13:01:38 UTC

Technical Analysis

The 9th February 2026 Threat Intelligence Report from Check Point Research details a spectrum of cyber threats affecting diverse sectors, with a focus on ransomware, cloud exploitation, and critical vulnerabilities. The Romanian oil pipeline operator Conpet was targeted by the Qilin ransomware group, which disrupted IT systems and took the company website offline, though operational technology controlling pipeline functions remained unaffected, allowing oil transport to continue. This attack exemplifies the increasing targeting of critical infrastructure by ransomware groups using multi-extortion tactics.

European educational institutions, including La Sapienza University in Rome and a Belgian secondary school, suffered ransomware attacks resulting in prolonged system outages and extortion attempts involving sensitive personal data. The attackers attempted to monetize the data by threatening leaks or charging parents, highlighting the growing trend of ransomware groups targeting schools and exploiting personal data for financial gain.

The report also describes sophisticated AI-assisted cloud intrusions in which threat actors exploited publicly exposed AWS S3 bucket credentials to escalate privileges from read-only to admin within minutes. The attack involved Lambda code injection, IAM role assumptions, and abuse of Amazon Bedrock models for LLMjacking, enabling rapid lateral movement across multiple AWS principals and the provisioning of GPU-based EC2 instances for resource exploitation. Such AI-driven attacks demonstrate the evolving threat landscape in cloud environments and the need for stringent cloud security controls.

A critical vulnerability dubbed “DockerDash” affected Docker’s AI assistant, allowing Meta Context Injection via malicious Docker image LABEL metadata. This flaw enabled remote code execution and data exfiltration across cloud, CLI, and Docker Desktop environments; mitigations were released in Docker Desktop 4.50.0.

Additionally, Ivanti Endpoint Manager Mobile was found vulnerable to two zero-day flaws (CVE-2026-1281 and CVE-2026-1340) enabling unauthenticated code injection and remote code execution, actively exploited in the wild. The React Native Community CLI and Metro development server also suffered an OS command injection vulnerability (CVE-2025-11953) allowing unauthenticated remote code execution with full shell access on Windows systems.

The report highlights an increase in ransomware incidents (451 cases), DDoS attacks (105% surge), and data breaches (73% rise), with ransomware groups such as Qilin, Akira, and Cl0p scaling operations through shared tooling and third-party access. Phishing campaigns abusing legitimate SaaS notifications from major providers have intensified, leveraging trusted messages to bypass defenses and direct victims to attacker-controlled phone numbers. Together these threats illustrate a complex, multi-vector environment targeting European organizations across critical infrastructure, education, cloud services, and software supply chains.

Potential Impact

European organizations face multifaceted impacts from these threats. Critical infrastructure operators like Conpet demonstrate that ransomware can disrupt IT systems and public-facing services, potentially undermining public trust and operational resilience even if OT remains intact. Educational institutions risk prolonged operational disruption, data breaches involving sensitive student and staff information, and reputational damage, as seen in Italy and Belgium. Cloud environments are increasingly targeted by AI-assisted privilege escalation and resource abuse, threatening confidentiality, integrity, and availability of cloud workloads and data. The DockerDash vulnerability exposes a wide range of organizations using containerized environments to remote code execution and data exfiltration risks. Zero-day vulnerabilities in widely used mobile endpoint management and development tools pose risks of full system compromise and credential theft, potentially affecting software supply chains and mobile device fleets. The surge in ransomware, DDoS, and phishing attacks increases operational disruption risks and financial losses across sectors. The abuse of trusted SaaS notifications for phishing campaigns complicates detection and response, increasing the likelihood of successful compromises. For European organizations, these threats can lead to regulatory penalties under GDPR due to data breaches, operational downtime, loss of sensitive data, and erosion of stakeholder confidence. The targeting of critical infrastructure and educational institutions also raises concerns about national security and societal impact within Europe.

Mitigation Recommendations

European organizations should implement a layered defense strategy tailored to these threats. For critical infrastructure, segregate IT and OT networks strictly, ensuring ransomware infections in IT do not propagate to OT systems. Employ advanced endpoint protection solutions like Check Point Harmony Endpoint and Threat Emulation to detect and block ransomware variants such as Qilin. Educational institutions must enforce robust backup and recovery plans, multi-factor authentication (MFA), and network segmentation to limit ransomware impact and prevent lateral movement. Cloud security must be enhanced by auditing and securing AWS S3 buckets to prevent credential exposure, enforcing least privilege IAM roles, and monitoring for anomalous Lambda and EC2 activities. Organizations using Docker should promptly update to Docker Desktop 4.50.0 or later to mitigate the DockerDash vulnerability and apply strict image scanning and metadata validation policies. Mobile endpoint management platforms should be updated immediately to patch zero-day vulnerabilities, and development teams must update React Native CLI tools to secure versions. Phishing defenses should be strengthened by combining user training with advanced email filtering that considers contextual and behavioral indicators, especially for SaaS notification impersonations. Incident response plans must incorporate ransomware and AI-assisted cloud intrusion scenarios, ensuring rapid containment and forensic analysis. Finally, organizations should participate in threat intelligence sharing to stay informed about emerging threats and mitigation techniques.
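As an added defensive example (not code from Check Point or the report), the following detector looks for the AWS escalation chain described in the Technical Analysis (Lambda code change, role assumption, Bedrock model use, GPU EC2 launch) that the recommendations above say should be monitored. It runs over constructed CloudTrail-style events; the GPU instance-family list, the 60-minute window and all ARNs and names are assumptions, while the eventSource and eventName strings follow CloudTrail's naming.

```python
"""Detect the cloud intrusion chain described above in CloudTrail-style events.
Added example, not from the report; all events, ARNs and names are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
# Stage -> (CloudTrail eventSource, eventName prefix), in attack-chain order.
STAGES = {"lambda_code_change": ("lambda.amazonaws.com", "UpdateFunctionCode"),
          "role_assumption": ("sts.amazonaws.com", "AssumeRole"),
          "bedrock_invoke": ("bedrock.amazonaws.com", "InvokeModel"),
          "gpu_instance_launch": ("ec2.amazonaws.com", "RunInstances")}
GPU_FAMILIES = ("p2", "p3", "p4", "p5", "g4", "g5", "g6")  # assumed, partial list
WINDOW = timedelta(minutes=60)  # the report says minutes; tune per account

def _stage(ev):  # map one event to a chain stage, or None if it is not part of it
    for name, (src, prefix) in STAGES.items():
        if ev["eventSource"] == src and ev["eventName"].startswith(prefix):
            itype = ev.get("requestParameters", {}).get("instanceType", "")
            if name == "gpu_instance_launch" and not itype.startswith(GPU_FAMILIES):
                return None  # CPU launches are routine; only GPU launches count
            return name
    return None

def find_escalation_chains(events, min_stages=3):
    """Return {arn: [stages]} for principals hitting >= min_stages stages within WINDOW."""
    by_principal = defaultdict(list)
    for ev in events:
        if stage := _stage(ev):
            ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            by_principal[ev["userIdentity"]["arn"]].append((ts, stage))
    findings = {}
    for arn, hits in by_principal.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - start <= WINDOW}
            if len(stages) >= min_stages:
                findings[arn] = sorted(stages, key=list(STAGES).index)
                break
    return findings

def _ev(t, src, name, arn, **params):  # compact constructor for sample events
    return {"eventTime": t, "eventSource": src, "eventName": name,
            "userIdentity": {"arn": arn}, "requestParameters": params}
READER = "arn:aws:iam::111122223333:user/exposed-reader"  # constructed
ADMIN = "arn:aws:iam::111122223333:user/ops-admin"        # constructed
SAMPLE_EVENTS = [  # the leaked read-only key walks the whole chain in 15 minutes
    _ev("2026-02-08T10:00:00Z", "lambda.amazonaws.com", "UpdateFunctionCode20150331v2", READER, functionName="billing-export"),
    _ev("2026-02-08T10:04:00Z", "sts.amazonaws.com", "AssumeRole", READER, roleArn="arn:aws:iam::111122223333:role/AdminRole"),
    _ev("2026-02-08T10:09:00Z", "bedrock.amazonaws.com", "InvokeModel", READER),
    _ev("2026-02-08T10:15:00Z", "ec2.amazonaws.com", "RunInstances", READER, instanceType="p4d.24xlarge"),
    _ev("2026-02-08T03:00:00Z", "ec2.amazonaws.com", "RunInstances", ADMIN, instanceType="t3.medium"),  # routine
]
```

Calling `find_escalation_chains(SAMPLE_EVENTS)` flags only the exposed reader key with all four stages; in production, feed it CloudTrail records from your log pipeline and alert on any principal whose result is non-empty.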


Technical Details

Article Source: https://research.checkpoint.com/2026/9th-february-threat-intelligence-report/ (fetched 2026-02-09T13:01:16Z, 930 words)

Threat ID: 6989da9c4b57a58fa14eff48

Added to database: 2/9/2026, 1:01:16 PM

Last enriched: 2/9/2026, 1:01:38 PM

Last updated: 2/9/2026, 3:13:54 PM