Weekly Threat Landscape Digest – Week 7

1. Windows Notepad Vulnerability Allows Attackers to Execute Malicious Code Remotely
   A critical remote code execution vulnerability (CVE-2026-20841) has been identified in the Microsoft Store version of Windows Notepad that allows attackers to execute arbitrary code by convincing users to open a specially crafted Markdown file and click a malicious link. The flaw stems from improper neutralization of special elements in commands (CWE-77: Command Injection) and enables command injection through unvalidated protocol handlers embedded in Markdown hyperlinks, executing under the logged-in user’s security context.

Details:

• CVE: CVE-2026-20841
• CVSS v3.1 Base Score: 8.8 (Important)
• Improper validation of protocol handlers in Markdown hyperlinks
• Processes unverified or custom URI schemes
• Fetches and executes remote content without proper sanitization
• Command injection leading to arbitrary code execution
• Executes under the security context of the logged-in user
• Does not affect legacy Notepad.exe bundled with Windows
• Credited researchers: Delta Obscura (delta.cyberm.ca) and “chen”

Affected Versions:

• Microsoft Store version of Windows Notepad builds prior to 11.2510

Fixed Version:

• Microsoft Store Notepad version 11.2510 and later

Impact:

• Arbitrary command execution
• Access, modification, or deletion of files
• Malware installation
• Potential privilege escalation if user has administrative rights

Recommendations:

• Update Notepad immediately via Microsoft Store
• Enable automatic app updates in Windows Settings
• Avoid opening untrusted Markdown files or clicking embedded links
• Use antivirus solutions with behavior-based detection

Reference:
https://cybersecuritynews.com/windows-notepad-rce-vulnerability/

1. VMware ESXi Ransomware Exploitation
   A high-severity vulnerability in VMware ESXi (CVE-2025-22225) is being actively exploited by ransomware operators to break hypervisor isolation boundaries, enabling arbitrary file write and sandbox escape conditions. Attackers are leveraging unpatched ESXi environments to compromise the hypervisor and deploy ransomware across multiple hosted virtual machines, significantly amplifying operational and business impact.

Details:

• CVE: CVE-2025-22225
• Type: Sandbox Escape / Arbitrary File Write
• Exploitation targets ESXi hypervisor components
• Bypasses isolation controls and writes arbitrary files to the host
• Enables ransomware deployment across multiple virtual machines simultaneously

Affected Versions:

• VMware ESXi environments not patched since the March 2025 security updates

Fixed Version:

• VMware security updates released in March 2025 addressing CVE-2025-22225
• Systems updated to the latest ESXi build after March 2025

Impact:

• Hypervisor compromise
• Rapid ransomware propagation across virtual machines
• Significant operational disruption and business impact

Recommendations:

• Urgently patch all ESXi hosts, prioritizing internet-facing or management-accessible systems
• Implement network segmentation or micro-segmentation
• Restrict direct SSH access to ESXi hosts

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-22225
https://www.cve.org/CVERecord?id=CVE-2025-22225

1. Chromium / Google Chrome – High-Risk Code Execution & Crash Vulnerabilities
   Google has released Chrome Stable Channel updates addressing high-severity memory safety vulnerabilities (CVE-2026-1861 and CVE-2026-1862) that could lead to browser crashes, heap corruption, and potential arbitrary code execution. The vulnerabilities affect multiple desktop platforms, and detailed exploit information remains limited pending widespread user patch adoption.

Details:

• CVEs: CVE-2026-1861, CVE-2026-1862
• Severity: High
• Heap Buffer Overflow / Memory Corruption
• Type Confusion / Execution Bugs
• May cause browser crash or denial of service
• Potential code execution within browser context depending on exploit chaining

Affected Versions:

• Google Chrome prior to 144.0.7559.132/.133 (Windows/Mac)
• Google Chrome prior to 144.0.7559.132 (Linux)

Fixed Version:

• Windows/Mac: 144.0.7559.132 / 144.0.7559.133
• Linux: 144.0.7559.132

Recommendations:

• Upgrade Chrome immediately to fixed versions
• Enforce automatic updates across managed endpoints
• Validate updated build deployment across the fleet

Reference:
https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop.html
https://nvd.nist.gov/vuln/detail/CVE-2026-1861

1. Microsoft February 2026 Patch – 59 Vulnerabilities, 6 Actively Exploited Zero-Days
   Microsoft’s February 2026 Patch Tuesday addresses 59 vulnerabilities, including six zero-days actively exploited in the wild. Several of the exploited flaws enable security feature bypass and local privilege escalation, which can be chained post-initial access to obtain SYSTEM-level privileges and disable security controls, making rapid patching critical.

Details:

• CVE-2026-21510 — Windows Shell — Security Feature Bypass
• CVE-2026-21513 — MSHTML Framework — Security Feature Bypass
• CVE-2026-21514 — Microsoft Word — Security Feature Bypass
• CVE-2026-21519 — Desktop Window Manager (DWM) — Elevation of Privilege
• CVE-2026-21525 — Windows Remote Access Connection Manager — Denial of Service
• CVE-2026-21533 — Windows Remote Desktop — Elevation of Privilege
• Six vulnerabilities confirmed exploited in the wild
• Category coverage includes protection mechanism failures and privilege escalation

Affected Versions:

• Windows endpoints and servers (Shell, MSHTML, DWM, Remote Desktop, Remote Access Connection Manager)
• Microsoft Office / Word
• Additional Microsoft products per February 2026 update set

Fixed Version:

• February 2026 Microsoft security updates for supported Windows and Office installations

Impact:

• Security feature bypass
• Local privilege escalation to SYSTEM
• Increased likelihood of successful post-compromise chaining
• Potential service disruption (DoS)

Recommendations:

• Apply February 2026 Microsoft security updates immediately
• Prioritize internet-facing systems and RDP-exposed hosts
• Harden RDP exposure and monitor authentication events
• Strengthen Office document handling and attachment sandboxing controls

Reference:
https://thehackernews.com/2026/02/microsoft-patches-59-vulnerabilities.html
https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-february-2026/

1. FortiClientEMS Critical RCE Vulnerability
   Fortinet has patched a critical remote code execution vulnerability (CVE-2026-21643) in FortiClientEMS caused by an unauthenticated SQL injection flaw that can be escalated to arbitrary command execution. The vulnerability allows remote attackers to compromise EMS infrastructure and potentially pivot to managed corporate endpoints.

Details:

• CVE: CVE-2026-21643
• Severity: Critical (CVSS 9.1)
• Type: SQL Injection leading to Remote Code Execution
• Unauthenticated remote exploitation via crafted input
• SQL injection escalates to backend command execution

Affected Versions:

• FortiClientEMS 7.4.4 and earlier releases in that branch

Fixed Version:

• Vendor-released patched build for FortiClientEMS 7.4.4

Impact:

• Unauthenticated remote code execution on EMS servers
• Compromise of endpoint management infrastructure
• Potential lateral movement to managed corporate endpoints

Recommendations:

• Apply the official Fortinet patch immediately
• Reboot EMS service after patching
• Restrict EMS management interface to trusted admin networks
• Review FortiCloud configuration and enforce multi-factor controls

Reference:
https://thehackernews.com/2026/02/fortinet-patches-critical-sqli-flaw.html

1. Sliver C2 DNS Listener Denial of Service Vulnerability
   A high-severity denial of service vulnerability (CVE-2026-25791) has been disclosed in the Sliver C2 framework’s DNS listener component, allowing unauthenticated attackers to exhaust server resources through specially crafted DNS bootstrap requests. Exploitation can disrupt red-team operations or adversary simulation environments by degrading or completely halting C2 server availability.

Details:

• CVE: CVE-2026-25791
• Severity: High
• Type: Denial of Service via resource exhaustion
• Affects DNS bootstrap handling logic
• Crafted DNS requests create sessions without proper cleanup
• No authentication required

Affected Versions:

• Sliver versions prior to the vendor-patched release with DNS listener fixes

Fixed Version:

• Latest Sliver release containing fix for CVE-2026-25791

Impact:

• Denial of service of Sliver C2 server
• Disruption of red-team and testing operations
• Potential loss of active sessions

Recommendations:

• Upgrade to the latest Sliver version immediately
• Limit DNS listener exposure to controlled environments
• Disable DNS listeners or restrict access if upgrade is delayed

Reference:
https://www.wiz.io/vulnerability-database/cve/cve-2026-25791
https://cveinfo.com/detail.php?id=CVE-2026-25791

1. Researchers Observe In-the-Wild Exploitation of BeyondTrust CVSS 9.9 Vulnerability
   Threat actors have begun exploiting a critical vulnerability (CVE-2026-1731, CVSS 9.9) affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA), with watchTowr reporting in-the-wild exploitation across global sensors. The flaw can enable unauthenticated remote code execution via specially crafted requests, and observed activity includes abusing the get_portal_info function to extract the x-ns-company value before establishing a WebSocket channel, underscoring the narrow window defenders have to patch exposed systems.

Details:

• CVE: CVE-2026-1731
• CVSS: 9.9
• Unauthenticated remote code execution via specially crafted requests
• Observed in-the-wild exploitation reported by watchTowr
• Technique observed: abuse of get_portal_info to extract x-ns-company value prior to WebSocket channel establishment
• BeyondTrust stated exploitation could result in OS command execution in the context of the site user, enabling unauthorized access, data exfiltration, and service disruption

Fixed Version:

• Remote Support: Patch BT26-02-RS, 25.3.2 and later
• Privileged Remote Access: Patch BT26-02-PRA, 25.1.1 and later

Impact:

• Unauthorized access
• Data exfiltration
• Service disruption
• Remote code execution / operating system command execution in the context of the site user

Recommendations:

• Apply BeyondTrust patches immediately (BT26-02-RS / BT26-02-PRA)
• Prioritize patching internet-exposed RS/PRA instances
• Review external exposure and restrict access where possible until patching is complete

Reference:
https://thehackernews.com/2026/02/researchers-observe-in-wild.html

1. Lazarus Campaign Plants Malicious Packages in npm and PyPI Ecosystems
   Researchers reported a coordinated supply chain campaign linked to the North Korea-associated Lazarus Group that seeded malicious packages across npm and PyPI as part of a fake recruitment operation, assessed active since May 2025. Victims are lured via social platforms and job postings to run “coding assessment” repositories that appear benign, but pull malicious dependencies from public registries, ultimately deploying a RAT capable of executing commands and manipulating files, with additional tooling observed that steals browser data and exfiltrates information to external services.

Details:

• Campaign name: graphalgo
• Initial access vector: fake recruitment outreach and coding assessments
• Malicious delivery via dependencies hosted on npm and PyPI
• npm packages observed: graphalgo, graphorithm, graphstruct, graphlibcore, netstruct, graphnetworkx, terminalcolor256, graphkitx, graphchain, graphflux, graphorbit, graphnet, graphhub, terminal-kleur, graphrix, bignumx, bignumberx, bignumex, bigmathex, bigmathlib, bigmathutils, graphlink, bigmathix, graphflowx
• PyPI packages observed: graphalgo, graphex, graphlibx, graphdict, graphflux, graphnode, graphsync, bigpyx, bignum, bigmathex, bigmathix, bigmathutils
• Payload behavior described: RAT periodically fetches and executes commands; supports system info collection, file/directory enumeration, process listing, file operations, and upload/download
• C2 noted as using a token-based mechanism after initial registration
• Additional malicious npm activity reported: “duer-js” information stealer and an npm install extortion campaign using HTTP 402 behavior

Impact:

• Remote access and command execution on developer endpoints
• Potential theft of sensitive data
• Potential targeting of cryptocurrency assets via checks for MetaMask browser extension

Recommendations:

• Audit developer endpoints for installation of the listed packages and remove if present
• Restrict and monitor dependency installs in build/dev environments
• Use package allowlisting and verify integrity of dependencies before use
• Enhance detection for anomalous outbound connections from dev machines and CI runners

Reference:
https://thehackernews.com/2026/02/lazarus-campaign-plants-malicious.html

1. Apple Fixes Exploited Zero-Day Affecting iOS, macOS, and Other Devices
   Apple released updates for multiple platforms to address an exploited zero-day (CVE-2026-20700, CVSS 7.8) described as a memory corruption issue in dyld (Dynamic Link Editor) that could allow arbitrary code execution for an attacker with memory write capability. Apple stated it is aware of reports indicating exploitation in extremely sophisticated attacks against specific targeted individuals on versions of iOS before iOS 26, and credited Google TAG with discovery and reporting.

Details:

• CVE: CVE-2026-20700
• CVSS: 7.8
• Component: dyld (Dynamic Link Editor)
• Issue type: memory corruption
• Exploitation condition: attacker with memory write capability may execute arbitrary code
• Apple indicated possible exploitation in highly sophisticated targeted attacks on iOS versions before iOS 26
• Reporter credited: Google Threat Analysis Group (TAG)
• Additional CVEs referenced in the advisory context: CVE-2025-14174, CVE-2025-43529

Recommendations:

• Apply the latest Apple OS and Safari updates across supported fleets
• Prioritize devices running versions of iOS prior to iOS 26 where applicable

Reference:
https://thehackernews.com/2026/02/apple-fixes-exploited-zero-day.html

1. First Malicious Outlook Add-In Found Stealing 4,000+ Microsoft Credentials
   Researchers reported what is described as the first known malicious Microsoft Outlook add-in observed in the wild, where an attacker claimed control of infrastructure associated with an abandoned legitimate add-in (AgreeTo) to serve a fake Microsoft login page and steal more than 4,000 credentials. The incident highlights a supply chain-style risk inherent to Office add-ins that load live content from a URL declared in a signed manifest, enabling a threat actor to swap content after initial marketplace approval if the referenced domain or hosting endpoint becomes claimable.

Details:

• Add-in: AgreeTo
• Activity codename: AgreeToSteal
• Technique: takeover of a claimable/abandoned deployment endpoint referenced by the add-in manifest URL
• Malicious behavior: served a fake Microsoft login page, captured credentials, exfiltrated via Telegram Bot API, then redirected to the legitimate Microsoft login page
• Risk factor noted: add-ins fetch and run live content from the declared URL inside an iframe each time opened
• Permission noted: “ReadWriteItem” (ability to read/modify emails) described as potentially enabling mailbox data siphoning
• Status update included: as of Feb 12, 2026, AgreeTo was no longer available in Microsoft Marketplace

Impact:

• Credential theft (4,000+ Microsoft credentials reported)
• Potential mailbox access and data exposure if compromised accounts are reused
• Potential for further email manipulation where add-in permissions allow read/modify

Recommendations:

• Remove AgreeTo add-in if installed
• Reset Microsoft account passwords for impacted or potentially exposed users
• Review installed Office add-ins across the organization and remove unused/abandoned add-ins
• Monitor for suspicious authentication activity and mailbox access patterns

Reference:
https://thehackernews.com/2026/02/first-malicious-outlook-add-in-found.html

11. 
    APT36 and SideCopy Launch Cross-Platform RAT Campaigns Against Indian Entities
    Multiple espionage campaigns attributed to Pakistan-aligned clusters SideCopy and APT36 (Transparent Tribe) are targeting Indian defense sector and government-aligned organizations using phishing emails that deliver multi-stage payloads for both Windows and Linux, deploying Geta RAT, Ares RAT, and DeskRAT to enable long-term access and data theft. The activity uses malicious attachments or embedded links leading to attacker-controlled infrastructure and delivers LNK files, ELF binaries, and rogue PowerPoint Add-In files, reflecting an evolving toolkit focused on stealth, persistence, and cross-platform reach.

Details:

• Threat clusters: SideCopy, APT36 (Transparent Tribe)
• Targeting: Indian defense sector and government-aligned organizations
• Initial access: phishing emails with malicious attachments or embedded download links
• Delivery artifacts: Windows LNK files, ELF binaries, PowerPoint Add-In files
• Windows chain described: LNK invokes mshta.exe to run HTA hosted on compromised legitimate domains; HTA JavaScript decrypts an embedded DLL; DLL drops a decoy PDF, connects to hard-coded C2, displays decoy, and deploys Geta RAT with persistence adjusted based on installed security products
• Geta RAT capabilities: system info collection, process enumeration/termination, installed app listing, credential gathering, clipboard manipulation, screenshots, file operations, shell commands, USB data harvesting
• Linux chain described: Go binary drops Python-based Ares RAT via shell script downloaded from an external server
• Ares RAT capabilities: run commands to harvest data and execute Python scripts/commands
• DeskRAT delivery: rogue PowerPoint Add-In file running embedded macro to fetch malware and establish outbound communication

Impact:

• Persistent remote access across Windows and Linux environments
• Reconnaissance, command execution, and sensitive data theft
• Long-term post-compromise operations in strategic sectors

Recommendations:

• Block and monitor phishing vectors delivering LNK/HTA/DLL, ELF, and PowerPoint Add-In files
• Restrict mshta.exe execution where feasible and monitor for mshta spawning suspicious network activity
• Monitor for outbound connections to hard-coded C2 infrastructure and unusual macro-driven outbound fetch behavior

Reference:
https://thehackernews.com/2026/02/apt36-and-sidecopy-launch-cross.html

1. Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Tools
   An emergent ransomware family dubbed Reynolds has been observed bundling a bring-your-own-vulnerable-driver (BYOVD) component directly within its payload, dropping a vulnerable NsecSoft NSecKrnl driver (CVE-2025-68947, CVSS 5.7) to terminate processes associated with multiple endpoint security products and increase the likelihood of successful ransomware execution. The campaign also included signs of pre-positioning via a suspicious side-loaded loader weeks before deployment and the use of a remote access tool (GotoHTTP) after encryption to maintain access.

Details:

• Ransomware: Reynolds
• Technique: BYOVD embedded within the ransomware payload
• Driver used: NsecSoft NSecKrnl
• CVE: CVE-2025-68947 (CVSS 5.7)
• Driver abuse purpose: terminate arbitrary processes, including EDR/security tooling
• Security products targeted for termination include: Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos (including HitmanPro.Alert), Symantec Endpoint Protection (and others)
• Noted campaign elements: suspicious side-loaded loader observed weeks prior; GotoHTTP remote access program deployed after ransomware execution

Impact:

• EDR and security tooling disruption
• Increased probability of successful ransomware encryption and follow-on actions
• Potential for persistent attacker access post-encryption

Recommendations:

• Monitor for installation/loading of vulnerable drivers and driver drops consistent with NSecKrnl
• Alert on mass termination attempts of security/EDR-related processes
• Investigate indicators of pre-positioning activity (side-loaded loaders) and post-encryption remote access tools

Reference:
https://thehackernews.com/2026/02/reynolds-ransomware-embeds-byovd-driver.html

1. Dutch Authorities Confirm Ivanti Zero-Day Exploit Exposed Employee Contact Data
   Dutch authorities confirmed that systems at the Dutch Data Protection Authority (AP) and the Council for the Judiciary (Rvdr) were impacted by attacks linked to Ivanti Endpoint Manager Mobile (EPMM) zero-days (CVE-2026-1281 and CVE-2026-1340, CVSS 9.8), resulting in unauthorized access to work-related employee contact data such as names, business email addresses, and telephone numbers. Related disclosures note similar activity affecting the European Commission’s mobile device management infrastructure and Finland’s government ICT provider Valtori, with Ivanti acknowledging exploitation of the vulnerabilities as zero-days against a limited number of customers and reports describing the deployment of a dormant in-memory Java class loader for potential future follow-on operations.

Details:

• Product: Ivanti Endpoint Manager Mobile (EPMM)
• CVEs: CVE-2026-1281, CVE-2026-1340
• CVSS: 9.8 (for both)
• Exploitation: acknowledged as zero-day exploitation; described as affecting a very limited number of customers
• Impacted entities referenced: Dutch Data Protection Authority (AP), Council for the Judiciary (Rvdr), European Commission infrastructure, Finland’s Valtori
• Data accessed described: work-related information including names, business email addresses, telephone numbers (and device details referenced)
• Observed tradecraft note: dormant in-memory Java class loader deployed to /mifs/403.jsp, activatable by a specific trigger parameter, suggestive of foothold establishment for future use

Impact:

• Exposure of employee work contact details
• Potential for follow-on intrusion leveraging implanted footholds and service access
• Elevated risk to mobile device management services and associated administrative environments

Recommendations:

• Apply Ivanti-provided fixes for CVE-2026-1281 and CVE-2026-1340 immediately where applicable
• Review EPMM service logs for unusual file drops/paths (including /mifs/403.jsp) and unexpected Java class loading behavior
• Treat mobile device management infrastructure as high-risk and monitor for persistence mechanisms and anomalous admin activity

Reference:
https://thehackernews.com/2026/02/dutch-authorities-confirm-ivanti-zero.html

1. SolarWinds Web Help Desk Exploited for RCE in Multi-Stage Attacks on Exposed Servers
   Microsoft reported multi-stage intrusions exploiting internet-exposed SolarWinds Web Help Desk (WHD) instances to achieve unauthenticated remote code execution and then establish persistence and lateral movement using living-off-the-land techniques and legitimate tooling, while noting uncertainty about which specific CVE enabled initial access due to overlapping exposure to multiple vulnerabilities. Post-exploitation activity included PowerShell and BITS-based payload delivery, deployment of Zoho ManageEngine components for remote control, credential theft via DLL side-loading and LSASS dumping, domain reconnaissance, and persistence mechanisms such as reverse SSH/RDP and scheduled tasks involving QEMU, with follow-on reporting describing additional persistence through Cloudflare tunnels and Velociraptor.

Details:

• Target: internet-exposed SolarWinds Web Help Desk (WHD)
• Potential CVEs referenced for initial access (exact CVE not confirmed): CVE-2025-40551, CVE-2025-40536, CVE-2025-26399
• Initial outcome: unauthenticated remote code execution in WHD application context
• Observed execution chain: compromised WHD spawns PowerShell and leverages BITS for payload download/execution
• Post-exploitation: deployment of Zoho ManageEngine components for persistent remote control
• Reconnaissance: enumeration of sensitive domain users/groups including Domain Admins
• Credential theft: DLL side-loading via wab.exe launching rogue sspicli.dll to dump LSASS
• Lateral movement/impact: DCSync observed in at least one case
• Persistence: reverse SSH/RDP; scheduled task attempts to launch QEMU VM under SYSTEM at startup; later reporting noted Cloudflared tunnels and Velociraptor deployment (including version 0.73.4 and reference to CVE-2025-6264)

Impact:

• Unauthenticated RCE on exposed WHD servers
• Credential theft and elevated access (including potential domain compromise via DCSync)
• Persistent remote control and lateral movement across networks

Recommendations:

• Keep SolarWinds WHD fully up to date and reduce/limit internet exposure
• Hunt for unauthorized RMM tools and remove if present
• Rotate service and admin credentials and isolate compromised machines to contain lateral movement

Reference:
https://thehackernews.com/2026/02/solarwinds-web-help-desk-exploited-for.html

1. OpenClaw Integrates VirusTotal Scanning to Detect Malicious ClawHub Skills
   OpenClaw has announced a partnership with VirusTotal to automatically scan all skills published to its ClawHub marketplace using VirusTotal’s threat intelligence and Code Insight capabilities, following reports of hundreds of malicious skills in the ecosystem. The integration creates SHA-256 hashes for each skill, checks them against VirusTotal’s database, and performs further analysis when necessary, blocking malicious submissions and flagging suspicious ones, while re-scanning active skills daily to detect newly emerging threats.

Details:

• All uploaded skills are hashed (SHA-256) and checked against VirusTotal
• If no match is found, skill bundles are uploaded for analysis using VirusTotal Code Insight
• Benign verdict: automatically approved
• Suspicious verdict: flagged with warning
• Malicious verdict: blocked from download
• Active skills re-scanned daily
• OpenClaw acknowledges that scanning may not detect cleverly concealed prompt injection payloads
• Platform plans include publishing a threat model, public security roadmap, formal reporting process, and audit details

Impact:

• Reduced risk of distributing known malicious skills
• Improved detection of malware, backdoors, and data exfiltration functionality within skill bundles
• Residual risk from prompt injection and architectural design weaknesses

Recommendations:

• Continue independent review of skills before installation
• Enable Docker-based tool sandboxing where available
• Monitor for prompt injection behaviors and unexpected outbound connections
• Avoid exposing OpenClaw gateway services directly to the internet without hardened access controls

Reference:
https://thehackernews.com/2026/02/openclaw-integrates-virustotal-scanning.html

1. Bloody Wolf Targets Uzbekistan, Russia Using NetSupport RAT in Spear-Phishing Campaign
   The threat actor known as Bloody Wolf (tracked by Kaspersky as Stan Ghouls) has launched spear-phishing campaigns targeting manufacturing, finance, IT, and government-linked sectors in Uzbekistan and Russia, delivering NetSupport RAT via malicious PDF attachments that trigger a multi-step loader. The campaign has resulted in approximately 50 victims in Uzbekistan and 10 in Russia, with additional infections observed across Kazakhstan, Turkey, Serbia, and Belarus, reflecting a sustained operation focused on financial gain and possible espionage.

Details:

• Threat actor: Bloody Wolf (Stan Ghouls)
• Active since at least 2023
• Target regions: Uzbekistan, Russia (additional infections in Kazakhstan, Turkey, Serbia, Belarus)
• Initial access: phishing emails with malicious PDF attachments
• Infection chain: embedded link downloads loader
• Loader behavior:
  • Displays fake error message
  • Limits installation attempts (max three)
  • Downloads and launches NetSupport RAT from external domains
  • Establishes persistence via Startup folder autorun script, Registry autorun key (“run.bat”), and scheduled task
• Prior tooling: STRRAT (Strigoi Master)
• Additional infrastructure hosted Mirai botnet payloads

Impact:

• Persistent remote access to victim systems
• Data theft and reconnaissance
• Potential financial fraud and espionage activity

Recommendations:

• Block and monitor phishing emails containing PDF attachments with embedded external links
• Detect and restrict unauthorized use of remote administration tools such as NetSupport
• Monitor autorun Registry keys, Startup folder scripts, and scheduled tasks for suspicious batch files
• Conduct endpoint scans for known NetSupport RAT indicators

Reference:
https://thehackernews.com/2026/02/bloody-wolf-targets-uzbekistan-russia.html