Weekly Threat Landscape Digest – Week 8

1. Dell RecoverPoint for VMs Zero-Day Hardcoded Credential
   Dell released a security update for RecoverPoint for Virtual Machines to address CVE-2026-22769, a critical (CVSS 10.0) hardcoded credential vulnerability that has reportedly seen limited active exploitation in the wild since at least mid-2024 by a suspected China-nexus cluster, enabling an unauthenticated remote attacker (with knowledge of the embedded credential) to gain unauthorized access to the underlying system and establish root-level persistence with potential long-term dwell time.

Details:

• CVE-2026-22769
• Severity: Critical (CVSS 10.0)
• Type: Hardcoded Credential → Unauthorized Access → Potential Root-Level Compromise
• Reported exploitation activity observed since at least mid-2024 (external threat intelligence)
• Potential attacker actions:
  • Unauthenticated access to the appliance/service
  • Potential web shell upload and command execution paths via exposed management components
  • Root-level persistence and long dwell time (appliance-type systems often lack traditional EDR coverage)
• Threat context (high-level):
  • Leveraging management stack to deploy web shells and install backdoors for long-term access and lateral movement

Affected Versions:

• Versions prior to 6.0.3.1 HF1, including:
  • 6.0, 6.0 SP1, 6.0 SP1 P1, 6.0 SP1 P2, 6.0 SP2, 6.0 SP2 P1, 6.0 SP3, 6.0 SP3 P1
  • 5.3 SP4 P1
  • 5.3 SP4, 5.3 SP3, 5.3 SP2, and potentially earlier versions

Fixed Version:

• RecoverPoint for Virtual Machines: 6.0.3.1 HF1

Impact:

• Unauthenticated remote compromise with potential root-level persistence
• Increased risk of long dwell time due to appliance deployment patterns and limited EDR coverage

Recommendations:

• Patch as P1 immediately due to confirmed exploitation and maximum severity.
• Deploy RecoverPoint for VMs only in trusted internal networks with strict access controls.
• Restrict management access using firewall allowlisting (admin subnets only) and/or network segmentation.

Reference:
https://thehackernews.com/2026/02/dell-recoverpoint-for-vms-zero-day-cve.html
https://www.dell.com/support/kbdoc/en-us/000426773/dsa-2026-079

2. APT28 (Fancy Bear) Exploiting Microsoft Office Zero-Day
   APT28 (Fancy Bear) is actively exploiting CVE-2026-21509, a Microsoft Office OLE security feature bypass vulnerability, in targeted espionage campaigns aimed primarily at European public sector entities, NATO logistics infrastructure, defense contractors, and government bodies, with noted focus on Romania, Slovakia, and Ukraine, using spear-phishing emails with weaponized Office documents to trigger malicious execution and then deploying custom malware to maintain persistence and enable lateral movement for long-term intelligence collection.

Details:

• CVE-2026-21509
• Severity: High
• Type: Security Feature Bypass (Microsoft Office OLE handling)
• Targeting:
  • European public sector entities
  • NATO logistics infrastructure
  • Defense contractors
  • Government bodies (noted focus: Romania, Slovakia, Ukraine)
• Attack chain / TTPs:
  • Initial Access:
    • Spear-phishing emails with weaponized Office attachments
    • Abuse of OLE content handling to bypass built-in security warnings
  • Execution:
    • Malicious document execution without expected user prompts
    • Dropper payload deployment
  • Persistence:
    • Installation of custom backdoor malware
    • Scheduled tasks and registry modifications
  • Post-Exploitation:
    • Credential harvesting
    • Lateral movement inside government and defense networks
    • Long-term intelligence collection

Affected Versions:

• Microsoft Office versions vulnerable prior to February 2026 Patch Tuesday updates
• Windows systems processing OLE-enabled Office documents

Fixed Version:

• Apply Microsoft February 2026 Office security updates immediately
• Ensure all endpoints have the patched Office build installed
• Confirm update compliance via centralized patch management

Impact:

• Increased risk of credential theft, lateral movement, and sustained espionage access in targeted environments via Office document-driven initial compromise

Recommendations:

• Enforce advanced email filtering and anti-phishing controls.
• Disable or restrict OLE object execution where possible.
• Enable EDR behavioral detection for Office macro/OLE abuse.

Reference:
https://www.picussecurity.com/resource/blog/cve-2026-21509-apt28-exploits-microsoft-office-zero-day-vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509

3. UNC1069 (North Korea-Linked) Cryptocurrency Theft Campaign
   UNC1069, a North Korea-linked threat group, is conducting financially motivated campaigns targeting cryptocurrency exchanges, blockchain firms, and financial services organizations by using AI-generated social engineering lures, fake Zoom meeting invitations, and Telegram-based impersonation to deliver multi-stage malware across Windows and macOS systems, with the goal of stealing cryptocurrency wallets, browser session tokens, financial credentials, and sensitive enterprise data.

Details:

• Type: Financially Motivated / Cryptocurrency Theft
• Targeted environments:
  • Cryptocurrency exchanges
  • Blockchain infrastructure providers
  • Financial institutions
  • Fintech platforms
  • Trading desks
• Attack techniques (TTPs):
  • Initial Contact:
    • Telegram impersonation of industry contacts
    • Fake recruiter or investment outreach
    • Fake Zoom meeting invitations
  • Execution:
    • Malicious meeting files or links
    • Multi-stage malware deployment
  • Credential Theft:
    • Browser session token harvesting
    • Crypto wallet key extraction
    • Clipboard hijacking techniques
  • Data Exfiltration:
    • Extraction of sensitive trading or financial records
    • Use of encrypted C2 channels

Recommendations:

• Conduct immediate awareness training on AI-generated phishing lures.
• Review and restrict BYOD policies.
• Block unauthorized remote desktop or screen-sharing tools.
• Monitor corporate Telegram and Zoom usage for anomalies.
• Implement strict endpoint protection for browser credential stores.
• Monitor clipboard access patterns on trading systems.
• Isolate high-value crypto infrastructure in segmented network zones.
• Rotate API keys and financial credentials if suspicious activity is observed.

Reference:
https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering

4. Google Chrome Zero-Day Use-After-Free Under Active Exploitation
   Google released an emergency Chrome update to address CVE-2026-2441, a high-severity use-after-free vulnerability in the CSS component that is confirmed to have an exploit in the wild and is described as the first actively exploited Chrome zero-day patched in 2026, where successful exploitation may allow a remote attacker to achieve arbitrary code execution inside the Chrome sandbox by enticing a user to visit a crafted web page.

Details:

• CVE-2026-2441
• Severity: High
• Type: Use-After-Free (CWE-416) in CSS
• Exploit status: Confirmed exploit exists in the wild
• Potential exploitation outcome:
  • Potential remote code execution in the browser context
  • Browser compromise, session/token theft risk, and follow-on payload staging depending on attacker chaining and endpoint protections

Affected Versions:

• Windows / macOS: Google Chrome prior to 145.0.7632.75
• Linux: Google Chrome prior to 144.0.7559.75

Fixed Version:

• Windows / macOS: 145.0.7632.75 / 145.0.7632.76
• Linux: 144.0.7559.752403 → 5.00.9135.1008 or later
• Extended Stable Channel: 144.0.7559.177 (includes CVE-2026-2441 fix for that channel)

Impact:

• Risk of browser compromise and follow-on intrusion activity due to confirmed in-the-wild exploitation

Recommendations:

• Update Chrome immediately to the fixed versions listed above.
• Patch as P1 due to confirmed in-the-wild exploitation.
• Enforce auto-updates and block outdated Chrome versions via endpoint management/compliance.

Reference:
https://thehackernews.com/2026/02/new-chrome-zero-day-cve-2026-2441-under.html
https://nvd.nist.gov/vuln/detail/cve-2026-2441

5. Malicious Chrome Extensions Caught Stealing Business Data, Emails, and Browsing History
   Researchers reported multiple malicious Google Chrome extension campaigns, including a Meta Business Suite/Facebook Business Manager-focused add-on (“CL Suite” by @CLMasters) that covertly exfiltrates TOTP seeds and live 2FA codes plus Business Manager exports and analytics to attacker-controlled infrastructure and Telegram forwarding, a separate set of extensions masquerading as VK customization tools (“VK Styles”) that hijack VKontakte accounts at scale using persistent in-page JavaScript injection and payload staging via a GitHub-based dead-drop resolver, and a coordinated cluster of “AI assistant” extensions (“AiFrame”) that embed remote iframes to siphon sensitive browsing and Gmail content, alongside broader findings of hundreds of extensions exfiltrating browsing history at massive scale.

Details:

• CL Suite (ID: jkphinfhmfkckkcnifhjiplhfoiefffl) targeting Meta Business Suite / Facebook Business Manager:
  • Marketed features: scrape Meta Business Suite data, remove verification pop-ups, generate 2FA codes
  • Exfiltrated data:
    • TOTP seeds and current one-time security codes for Facebook/Meta accounts
    • Business Manager “People” CSV exports (names, email addresses, roles/permissions, status/access details)
    • Business Manager analytics data
  • Exfiltration path:
    • Backend at getauth[.]pro
    • Optional forwarding to attacker-controlled Telegram channel
  • Notes:
    • Reported 33 users as of writing
    • First uploaded March 1, 2025
    • No stated capability to steal password-related information, but stolen 2FA material can enable account access if credentials are obtained elsewhere
• VK Styles campaign hijacking VKontakte accounts via extensions:
  • Approx. 500,000 VKontakte users affected via extensions posing as VK customization tools
  • Behaviors:
    • Forced subscriptions to attacker VK groups
    • Resets settings every 30 days to override preferences
    • Manipulates CSRF tokens to bypass VK protections and maintain control
  • Payload staging/evasion:
    • Uses a VK profile’s HTML metadata tags as a dead-drop resolver for next-stage URLs
    • Next-stage payload hosted in a public GitHub repository named “-” associated with actor “2vk”
    • Obfuscated JavaScript injected into every VK page visited
  • Assessed active since at least June 22, 2025
  • Affected users primarily Russian-speaking and across Eastern Europe/Central Asia/Russian diaspora
  • Extensions listed:
    • VK Styles – Themes for vk.com (ID: ceibjdigmfbbgcpkkdpmjokkokklodmc)
    • VK Music – audio saver (ID: mflibpdjoodmoppignjhciadahapkoch)
    • Music Downloader – VKsaver (ID: lgakkahjfibfgmacigibnhcgepajgfdb)
    • vksaver – music saver vk (ID: bndkfmmbidllaiccmpnbdonijmicaafn)
    • VKfeed – Download Music and Video from VK (ID: pcdgkgbadeggbnodegejccjffnoakcoh)
• AiFrame campaign using fake AI Chrome extensions:
  • 32 extensions advertised as AI assistants for summarization/chat/writing/Gmail assistance
  • 260,000 collective installs
  • Technique:
    • Full-screen iframe overlay to remote domain “claude.tapnetic[.]pro”
    • Remote-controlled capability changes without Chrome Web Store updates
    • Extracts readable page content using Mozilla Readability (via content scripts)
    • Can start speech recognition and exfiltrate transcripts
    • Subset targets Gmail by reading visible email content from the DOM and transmitting off-device to operator infrastructure
• Large-scale browsing history exfiltration:
  • Report references a collection of 287 Chrome extensions exfiltrating browsing history to data brokers
  • 37.4 million installations cited

Recommendations:

• Adopt an extension-minimalism approach: install only necessary, well-reviewed extensions from official stores.
• Periodically audit installed extensions for excessive permissions, suspicious network activity, or unexpected functionality.
• Use separate browser profiles for sensitive tasks.
• Implement extension allowlisting to block malicious or non-compliant extensions.

Reference:
https://thehackernews.com/2026/02/malicious-chrome-extensions-caught.html

6. Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging
   Microsoft disclosed a new ClickFix social engineering variant that tricks users into executing nslookup-based commands via the Windows Run dialog to perform custom DNS lookups against a hard-coded external DNS server, parse the response, and execute it as a second-stage payload, enabling lightweight DNS-based staging that blends into normal traffic and can validate execution before retrieving additional malware components that ultimately deploy follow-on tooling and establish persistence.

Details:

• Technique: ClickFix social engineering using “nslookup” for DNS-based staging
• Delivery pattern:
  • Victims are redirected to bogus pages (e.g., fake CAPTCHA or troubleshooting instructions) and instructed to run a command
  • Initial command runs via cmd.exe and performs a DNS lookup against a hard-coded external DNS server (not the default resolver)
  • Output is filtered to extract the Name: DNS response, which is executed as the second-stage payload
• Follow-on chain described:
  • Downloads a ZIP archive from “azwsappdev[.]com”
  • Extracts and runs a malicious Python script for reconnaissance and discovery commands
  • Drops a VBScript that launches ModeloRAT (Python-based RAT)
  • Persistence via an LNK shortcut in the Windows Startup folder pointing to the VBScript
• Related activity noted in the same report:
  • Surge in Lumma Stealer activity leveraging ClickFix-style fake CAPTCHA campaigns and loaders (e.g., CastleLoader)
  • Additional variants and campaigns using ClickFix-style lures to distribute different stealers/loaders across Windows and macOS

Recommendations:

• User awareness and training focused on “run this command to fix/verify” lures (CAPTCHA/troubleshooting prompts).
• Restrict/monitor use of cmd.exe and Windows Run dialog execution in managed environments where feasible.
• Monitor DNS telemetry for anomalous lookups to external resolvers and suspicious command-line nslookup usage.
• Strengthen endpoint detections for staged script execution chains (Python/VBScript/LNK persistence patterns).

Reference:
https://thehackernews.com/2026/02/microsoft-discloses-dns-based-clickfix.html

7. Grandstream GXP1600 VoIP Phones Exposed to Unauthenticated Remote Code Execution
   Researchers disclosed a critical vulnerability (CVE-2026-2329, CVSS 9.3) in Grandstream GXP1600-series VoIP phones that allows unauthenticated remote code execution with root privileges via a stack-based buffer overflow in a default-accessible web API endpoint, enabling device takeover and potential post-exploitation actions such as credential extraction and VoIP call interception through malicious SIP proxy reconfiguration.

Details:

• CVE-2026-2329 (CVSS 9.3)
• Type: Unauthenticated stack-based buffer overflow → Remote Code Execution (root)
• Vulnerable component: Web-based API service endpoint “/cgi-bin/api.values.get” (accessible by default without authentication)
• Exploitation vector:
  • Attacker-controlled colon-delimited “request” parameter overflows a 64-byte stack buffer due to missing length checks
  • Stack corruption can lead to code execution on the underlying OS
• Post-exploitation examples (as demonstrated/reported):
  • Metasploit module demonstrates root access and credential extraction from a compromised device
  • Reconfiguration to use a malicious SIP proxy to intercept calls and eavesdrop on VoIP conversations

Affected Versions:

• Grandstream GXP1600 series models:
  • GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, GXP1630

Fixed Version:

• Firmware version 1.0.7.81

Impact:

• Unauthenticated device takeover with root privileges
• Potential credential exposure and VoIP call interception/eavesdropping via SIP proxy manipulation

Recommendations:

• Update affected devices to firmware 1.0.7.81.
• Avoid exposing device management interfaces to untrusted networks and segment VoIP endpoints where feasible.

Reference:
https://thehackernews.com/search?updated-max=2026-02-17T17:00:00%2B05:30&max-results=12&reverse-paginate=true

8. Critical Flaws Found in Four VS Code Extensions with Over 125 Million Installs
   Researchers disclosed multiple vulnerabilities across four widely installed VS Code extensions—Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview—that could enable local file theft and code execution through scenarios such as luring developers to malicious websites while extensions run, abusing crafted markdown files, and social engineering users into unsafe settings changes, with several issues reported as still unpatched and one fixed silently by Microsoft.

Details:

• Extensions affected (collectively >125 million installs):
  • Live Server
  • Code Runner
  • Markdown Preview Enhanced
  • Microsoft Live Preview
• CVE-2025-65717 (CVSS 9.1) — Live Server:
  • Exfiltration of local files by tricking a developer into visiting a malicious website while the extension runs
  • JavaScript crawls/extracts files from a local development HTTP server on localhost:5500 and transmits them to an attacker-controlled domain
  • Status: Remains unpatched
• CVE-2025-65716 (CVSS 8.8) — Markdown Preview Enhanced:
  • Arbitrary JavaScript execution via a crafted markdown (.md) file upload
  • Enables local port enumeration and exfiltration to an attacker-controlled domain
  • Status: Remains unpatched
• CVE-2025-65715 (CVSS 7.8) — Code Runner:
  • Arbitrary code execution by convincing a user to alter “settings.json” via phishing or social engineering
  • Status: Remains unpatched
• Microsoft Live Preview:
  • Sensitive file access by tricking a victim into visiting a malicious website while the extension runs
  • Crafted JavaScript requests target localhost to enumerate and exfiltrate sensitive files
  • Status: No CVE; fixed silently in version 0.4.16 (released September 2025)

Affected Versions:

• Live Server: Versions affected by CVE-2025-65717 (unpatched as reported)
• Markdown Preview Enhanced: Versions affected by CVE-2025-65716 (unpatched as reported)
• Code Runner: Versions affected by CVE-2025-65715 (unpatched as reported)
• Microsoft Live Preview: Versions prior to 0.4.16

Fixed Version:

• Microsoft Live Preview: 0.4.16

Impact:

• Local file exposure/exfiltration from developer machines
• Potential remote code execution or arbitrary code execution via unsafe configuration changes and extension-driven localhost interactions
• Increased organizational risk via lateral movement originating from a developer workstation

Recommendations:

• Avoid applying untrusted configurations (including settings changes delivered via phishing or untrusted repositories).
• Disable or uninstall non-essential extensions.
• Harden the local network behind a firewall to restrict inbound/outbound connections.
• Periodically update extensions and turn off localhost-based services when not in use.

Reference:
https://thehackernews.com/2026/02/critical-flaws-found-in-four-vs-code.html

9. Notepad++ Fixes Hijacked Update Mechanism Used to Deliver Targeted Malware
   Notepad++ released version 8.9.2 to harden its update mechanism after a China-linked advanced threat actor exploited gaps to selectively redirect update traffic and deliver poisoned updates to targeted users, adding a “double lock” update verification design (signed installer verification plus signed XML verification from the update server), strengthening the WinGUp auto-updater to reduce hijacking and side-loading risks, and addressing a separate high-severity arbitrary code execution issue impacting the running application context.

Details:

• Update hardening (“double lock”):
  • Verification of signed installer downloaded from GitHub (implemented in version 8.8.9 and later)
  • Verification of signed XML returned by the update server at notepad-plus-plus[.]org (added in 8.9.2)
• WinGUp security changes:
  • Removal of libcurl.dll to eliminate DLL side-loading risk
  • Removal of unsecured cURL SSL options: CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE
  • Restriction of plugin management execution to programs signed with the same certificate as WinGUp
• CVE-2026-25926 (CVSS 7.3):
  • Unsafe Search Path vulnerability (CWE-426) when launching Windows Explorer without an absolute executable path
  • Potential execution of a malicious explorer.exe if an attacker controls the process working directory, leading to arbitrary code execution in the application context
• Supply chain incident context:
  • Hosting provider-level breach enabled hijacking of update traffic starting June 2025, redirecting some users to malicious servers for poisoned updates
  • Detected in early December 2025
  • Tampered updates used to deliver a backdoor dubbed Chrysalis; tracked as CVE-2025-15556 (CVSS 7.7) and attributed to Lotus Panda
  • Targeting assessed across multiple countries and sectors (including cloud hosting, energy, financial, government, manufacturing, and software development)

Affected Versions:

• Notepad++ versions prior to 8.9.2
• Update mechanism exposure: hijacked update traffic starting June 2025 affecting redirected users

Fixed Version:

• Notepad++: 8.9.2

Impact:

• Selective malware delivery via poisoned updates in targeted scenarios
• Potential arbitrary code execution in the context of the running application (CVE-2026-25926)

Recommendations:

• Update Notepad++ to version 8.9.2.
• Ensure installers are downloaded from the official domain.

Reference:
https://thehackernews.com/2026/02/notepad-fixes-hijacked-update-mechanism.html

10. CISA Flags Four Security Flaws Under Active Exploitation in Latest KEV Update
    CISA added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog citing evidence of active exploitation in the wild, spanning a Google Chrome use-after-free issue, a TeamT5 ThreatSonar Anti-Ransomware arbitrary file upload flaw, a Synacor Zimbra Collaboration Suite SSRF vulnerability, and a Microsoft Windows Video ActiveX Control stack-based buffer overflow, and recommended that U.S. Federal Civilian Executive Branch agencies apply the necessary fixes by March 10, 2026.

Details:

• Added to KEV with reported active exploitation:
  • CVE-2026-2441 (CVSS 8.8): Use-after-free in Google Chrome; potential heap corruption via crafted HTML page
  • CVE-2024-7694 (CVSS 7.2): Arbitrary file upload in TeamT5 ThreatSonar Anti-Ransomware enabling malicious file upload and arbitrary system command execution on the server
  • CVE-2020-7796 (CVSS 9.8): SSRF in Synacor Zimbra Collaboration Suite (ZCS) enabling crafted HTTP requests and unauthorized access to sensitive information
  • CVE-2008-0015 (CVSS 8.8): Stack-based buffer overflow in Microsoft Windows Video ActiveX Control enabling remote code execution via a crafted web page
• Notes included in the report:
  • Google acknowledged an exploit for CVE-2026-2441 exists in the wild
  • Exploitation details for the TeamT5 ThreatSonar issue were described as unclear
  • FCEB agencies advised to apply fixes by March 10, 2026

Affected Versions:

• TeamT5 ThreatSonar Anti-Ransomware: versions 3.4.5 and earlier

Impact:

• Increased risk of exploitation across enterprise environments due to KEV-listed, in-the-wild activity, including potential remote code execution, command execution, SSRF-driven data exposure, and browser compromise.

Recommendations:

• Prioritize remediation for KEV-listed vulnerabilities where deployed.
• U.S. FCEB agencies: apply necessary fixes by March 10, 2026.

Reference:
https://thehackernews.com/2026/02/cisa-flags-four-security-flaws-under.html

11. Researchers Show Copilot and Grok Can Be Abused as Malware C2 Proxies
    Researchers described a technique dubbed “AI as a C2 proxy” that abuses AI assistants with web browsing or URL-fetching capabilities, demonstrated against Microsoft Copilot and xAI Grok, to act as stealthy bidirectional command-and-control relays that blend into legitimate enterprise traffic, enabling malware on an already-compromised host to fetch attacker-controlled URLs via crafted prompts, receive operator commands through the AI interface, and potentially use model outputs as a decision engine for reconnaissance, evasion planning, and dynamic next-step actions during intrusions.

Details:

• Technique name: AI as a C2 proxy (Check Point)
• Demonstrated against:
  • Microsoft Copilot
  • xAI Grok
• Core mechanism:
  • Uses “anonymous web access” plus browsing/summarization prompts to retrieve attacker-controlled URLs
  • Transforms AI web interfaces into a bidirectional channel to accept commands and exfiltrate victim data
  • Does not require an API key or registered account (as described), limiting mitigation via key revocation/account suspension
• Prerequisite:
  • Initial compromise must already exist; malware must be installed on the host by other means
• Related attacker enablement described:
  • AI-assisted malware operations such as generating reconnaissance workflows, scripting actions, and dynamically deciding next steps
  • “Living-off-trusted-sites (LOTS)” style abuse of trusted services for C2/transport

Recommendations:

• Monitor and restrict enterprise access to AI assistants with browsing/URL-fetching features where feasible.
• Add detections for anomalous AI web interface usage patterns from endpoints, especially following initial compromise indicators.
• Treat AI web-browsing endpoints as potential egress channels in threat modeling and network monitoring.

Reference:
https://thehackernews.com/2026/02/researchers-show-copilot-and-grok-can.html

12. Keenadu Firmware Backdoor Infects Android Tablets via Signed OTA Updates
    Kaspersky reported a firmware-embedded Android backdoor dubbed Keenadu that compromises tablets across multiple brands (including Alldocube) during the firmware build phase and is delivered in some cases through signed OTA updates, embedding itself in a core Android library to load into every app’s address space and enabling multi-stage, remote-controlled payload delivery and device manipulation at scale, with telemetry indicating thousands of affected users across multiple countries and additional distribution via trojanized apps and embedded loaders.

Details:

• Malware: Keenadu (Android firmware backdoor)
• Infection vector:
  • Embedded during firmware build phase
  • Firmware files carry valid digital signatures
  • In several instances delivered via OTA update
• Noted affected brand/device example:
  • Alldocube iPlay 50 mini Pro firmware dating back to August 18, 2023
• Architecture/behavior highlights:
  • Embedded in libandroid_runtime.so (loaded during boot)
  • Injected into the Zygote process; creates AKServer (core logic/C2) and AKClient (injected into every app)
  • Loads a copy into the address space of every app upon launch
  • Implements checks to abort in certain system apps (Google services/carriers), and kill-switch behavior based on file presence
  • Additional termination checks based on Chinese language/time zone and absence of Google Play components
  • Delays payload serving until 2.5 months after initial check-in
  • Uses encrypted device metadata exchange; server returns encrypted JSON describing payloads
  • Payload distribution uses Alibaba Cloud as CDN (as described)
• Telemetry and reach:
  • 13,715 users worldwide encountered Keenadu or modules (as reported)
  • Highest concentrations: Russia, Japan, Germany, Brazil, Netherlands
• Example malicious modules/payloads described:
  • Modules targeting shopping apps (e.g., Amazon, Shein, Temu) for follow-on payload delivery (suspected cart manipulation)
  • Clicker/ad-interaction modules injected into apps (e.g., YouTube, Facebook, Digital Wellbeing, launcher)
  • Chrome module for search hijacking/redirection
  • Install monetization component in system launcher
  • Google Play module retrieving and storing Google Ads advertising ID
• Additional distribution vectors described:
  • Embedding loaders into system apps (e.g., facial recognition service, system launcher)
  • Propagation via trojanized smart camera apps on Google Play (later removed per Google statement)
• Update note (as included in source text):
  • Google stated the identified malicious apps were removed and referenced Play Protect protections and Play Protect certification guidance

Impact:

• Compromises Android sandboxing by operating in the context of every app on the device
• Enables broad remote control and data access, including permission manipulation and payload delivery, with potential for future credential theft

Recommendations:

• Ensure devices are Play Protect certified (as referenced in the update note).
• Avoid installing apps from third-party repositories, and verify device firmware provenance where possible.

Reference:
https://thehackernews.com/2026/02/keenadu-firmware-backdoor-infects.html

13. SmartLoader Attack Uses Trojanized Oura MCP Server to Deploy StealC Infostealer
    Researchers reported a SmartLoader campaign that cloned a legitimate Oura Health Model Context Protocol (MCP) server and used a fabricated GitHub ecosystem of fake forks and contributors to build trust, then submitted the trojanized MCP server to a legitimate MCP registry (MCP Market) so that victims installing it would execute an obfuscated Lua dropper that installs SmartLoader and ultimately deploys the StealC infostealer to steal credentials, browser passwords, and cryptocurrency wallet data, signaling a shift toward targeting developers and AI tooling supply chains.

Details:

• Campaign: SmartLoader distributing a trojanized Oura MCP Server to deliver StealC
• Social engineering/infrastructure:
  • Cloned a legitimate Oura MCP Server (connects AI assistants to Oura Ring health data)
  • Built deceptive infrastructure of fake forks and contributors to manufacture credibility
  • Submitted the trojanized server to MCP Market; server still listed on the MCP directory (as reported)
• Stages described:
  • Created at least five fake GitHub accounts (YuzeHao2023, punkpeye, dvlan26, halamji, yzhao112) to build seemingly legitimate forks
  • Created a malicious Oura MCP server repo under account “SiddhiBagul”
  • Added fake accounts as “contributors” while excluding the original author from contributor lists
  • Submitted the trojanized MCP server to MCP Market
• Execution flow:
  • Delivered via ZIP archive
  • Obfuscated Lua script drops SmartLoader
  • SmartLoader deploys StealC
• StealC objective:
  • Steal credentials, browser passwords, and cryptocurrency wallet data
• Context:
  • SmartLoader previously noted as being distributed via fake GitHub repositories with AI-generated lures
  • Shift from pirated-software seekers to developer targeting due to higher-value data (API keys, cloud credentials, crypto wallets, production access)

Recommendations:

• Inventory installed MCP servers across the organization.
• Establish a formal security review/approval process before MCP server installation.
• Verify MCP server origin and repository provenance prior to use.
• Monitor for suspicious egress traffic and persistence mechanisms consistent with loader activity.

Reference:
https://thehackernews.com/2026/02/smartloader-attack-uses-trojanized-oura.html

14. CRESCENTHARVEST Campaign Targets Iran Protest Supporters With RAT Malware
    Researchers described a campaign dubbed CRESCENTHARVEST that uses protest-themed lures to target Farsi-speaking individuals and supporters of Iran’s ongoing protests, distributing malicious LNK files disguised as media within archives that also contain legitimate content, then using PowerShell to fetch additional payloads and abusing a Google-signed binary for DLL side-loading to deploy a RAT/infostealer capable of system reconnaissance, credential and Telegram data theft, keystroke logging, and command execution via C2 communications designed to blend into normal web traffic.

Details:

• Campaign: CRESCENTHARVEST (likely Iran-aligned; unattributed)
• Observed timeframe: Activity observed after January 9 (year implied by context)
• Lure theme:
  • Protest-related images/videos and Farsi-language report content to increase credibility
• Initial payload packaging:
  • Malicious RAR archive containing images/videos plus two LNK files using double extensions (*.jpg.lnk / *.mp4.lnk)
• Execution chain:
  • LNK executes PowerShell to retrieve a ZIP archive while opening a benign image/video as decoy
  • ZIP contains Google-signed “software_reporter_tool.exe” and DLLs, including rogue libraries sideloaded by the executable
• Malicious components:
  • urtcbased140d_d.dll: C++ implant to extract/decrypt Chrome app-bound encryption keys via COM; overlaps with ChromElevator
  • version.dll (aka CRESCENTHARVEST): RAT/infostealer that enumerates security tools, users, harvests system metadata, browser credentials/cookies/history, Telegram desktop data, and keystrokes; loads DLLs
• C2:
  • Uses Windows WinHTTP APIs to communicate with “servicelog-information[.]com”
  • Supported commands include anti-analysis, directory listing/navigation, info theft (history/cookies/credentials), keylogging, Telegram session theft, uploads, and shell/PowerShell execution (PowerShell noted as not working)

Recommendations:

• Block or restrict execution of LNK files from archives and user-writable locations where feasible.
• Detect and prevent DLL side-loading patterns involving signed binaries in unusual execution paths.
• Monitor for suspicious PowerShell download cradles followed by execution of “software_reporter_tool.exe” outside expected Chrome contexts.
• Add detections for WinHTTP beaconing to suspicious domains and for theft of browser/Telegram artifacts.

Reference:
https://thehackernews.com/2026/02/crescentharvest-campaign-targets-iran.html

15. Fake IPTV Apps Spread Massiv Android Malware Targeting Mobile Banking Users
    ThreatFabric reported an Android trojan dubbed Massiv distributed via dropper apps masquerading as IPTV applications through SMS phishing, which tricks users into installing an “important” update and granting install-from-unknown-sources permissions, then enables device takeover attacks for financial theft by using overlays, keylogging, SMS interception, screen streaming or accessibility-driven UI-tree capture to steal banking and identity credentials and facilitate fraudulent transactions, including cases of opening accounts in victims’ names for money laundering or unauthorized loans.

Details:

• Malware: Massiv (Android banking trojan / DTO-focused)
• Initial observations:
  • First spotted targeting users in Portugal and Greece earlier in 2026 (as reported)
  • Samples observed dating back to early 2025 (test campaigns)
• Distribution:
  • Dropper apps mimicking IPTV apps delivered via SMS phishing
  • Dropper prompts installation of an “important” update by requesting install-from-external-sources permissions
  • Dropper may show an IPTV website in a WebView while malware runs in the background
• Capabilities:
  • Screen streaming via Android MediaProjection API
  • Keylogging
  • SMS interception
  • Fake overlays over banking/financial apps to capture credentials and credit card details
  • Black screen overlay to conceal operator activity
  • Remote control actions: clicks/swipes, clipboard manipulation, APK install, permission prompts, settings navigation (Battery Optimization/Device Admin/Play Protect), log clearing
  • UI-tree mode via accessibility APIs to bypass screen-capture protections by exporting a structured view of visible UI elements
• Noted targeting example:
  • Overlay targeting gov.pt app to capture phone number and PIN associated with Digital Mobile Key (CMD) for likely KYC bypass
• Malicious artifacts named:
  • IPTV24 (hfgx.mqfy.fejku) — Dropper
  • Google Play (hobfjp.anrxf.cucm) — Massiv

Impact:

• Device takeover enabling fraudulent banking transactions and identity abuse
• Potential account creation in victims’ names for money laundering or loan fraud

Recommendations:

• Treat SMS-delivered app installation links as high-risk and restrict sideloading where possible.
• Monitor for accessibility abuse, overlay behavior, MediaProjection usage, and black-screen concealment patterns.
• Review Play Protect status and investigate devices prompting for install-from-unknown-sources permissions unexpectedly.

Reference:
https://thehackernews.com/2026/02/fake-iptv-apps-spread-massiv-android.html

16. Microsoft Patches CVE-2026-26119 Privilege Escalation in Windows Admin Center
    Microsoft disclosed a high-severity Windows Admin Center vulnerability (CVE-2026-26119, CVSS 8.8) caused by improper authentication that allows an authorized attacker to elevate privileges over a network to the rights of the user running the application, a flaw credited to Semperis and patched in Windows Admin Center version 2511 (released December 2025) with an “Exploitation More Likely” assessment but no stated evidence of in-the-wild exploitation.

Details:

• CVE-2026-26119 (CVSS 8.8)
• Product: Windows Admin Center (locally deployed, browser-based management tool for Windows clients/servers/clusters)
• Type: Improper authentication → Privilege escalation over a network
• Attacker requirement: Authorized attacker
• Result:
  • Gains the rights of the user running the affected application
  • Researcher comment suggests potential for full domain compromise under certain conditions (as reported)
• Disclosure/patch notes:
  • Advisory released February 17, 2026
  • Patched in Windows Admin Center version 2511 (released December 2025)
  • Tagged “Exploitation More Likely”
  • Technical details currently under wraps

Affected Versions:

• Windows Admin Center versions prior to 2511

Fixed Version:

• Windows Admin Center: 2511

Recommendations:

• Ensure Windows Admin Center is updated to version 2511 or later.

Reference:
https://thehackernews.com/2026/02/microsoft-patches-cve-2026-26119.html

17. PromptSpy Android Malware Abuses Gemini AI to Automate Recent-Apps Persistence
    ESET reported an Android malware family dubbed PromptSpy that incorporates Google’s Gemini as part of its execution flow to automate UI-driven persistence by analyzing on-screen elements and returning step-by-step interaction instructions that keep the malicious app pinned in the recent apps list, while also enabling remote control via an embedded VNC module and using accessibility abuse and invisible overlays to block uninstallation, with distribution observed via dedicated websites and indications the campaign targets Spanish-speaking users in Argentina.

Details:

• Malware: PromptSpy (ESET)
• Noted as: First Android malware reported to abuse Gemini as part of execution flow to achieve persistence
• Capabilities:
  • Capture lockscreen data (PIN/password/pattern-related data)
  • Block uninstallation efforts (invisible overlays)
  • Gather device information
  • Take screenshots
  • Record screen activity as video
  • Deploy built-in VNC module for remote access
• Gemini-driven persistence mechanism:
  • Hard-codes AI model and prompt; assigns persona of “Android automation assistant”
  • Sends Gemini a natural language prompt plus an XML dump of the current screen (UI elements, text/type/position)
  • Receives JSON instructions (e.g., tap actions and coordinates)
  • Iterates until the app is locked in the recent apps list and resists termination
  • Executes suggested actions via accessibility services
• C2 / communications:
  • Communicates with hard-coded server “54.67.2[.]84” via VNC protocol
  • Receives Gemini API key from C2 (as described)
  • Supports on-demand screenshot capture, lockscreen interception, screen recording, and pattern unlock capture
• Distribution:
  • Not available on Google Play
  • Delivered via a dedicated website
  • “mgardownload[.]com” delivers a dropper that opens “m-mgarg[.]com” and masquerades as JPMorgan Chase (“MorganArg”)
  • Dropper prompts victims to allow installation from unknown sources to deploy PromptSpy
  • Configuration server later unavailable during research; exact APK download URL unknown (as reported)
• Attribution/targeting indicators:
  • Financially motivated assessment and targeting of users in Argentina (based on localization/distribution clues)
  • Evidence of development in a Chinese-speaking environment (debug strings in simplified Chinese)
  • Assessed as an advanced version of “VNCSpy” (samples first uploaded to VirusTotal last month from Hong Kong)

Impact:

• Device takeover via remote access (VNC) and persistent control resistant to UI changes
• Elevated risk of credential and sensitive data theft through lockscreen capture and screen recording

Recommendations:

• If infected, remove by rebooting into Safe Mode to uninstall the app (as described).
• Prevent sideloading by restricting installation from unknown sources and monitoring for accessibility abuse and overlay behavior.

Reference:
https://thehackernews.com/2026/02/promptspy-android-malware-abuses-google.html

18. Former Google Engineers Indicted Over Trade Secret Transfers to Iran
    U.S. authorities indicted two former Google engineers and one of their husbands for allegedly stealing and exfiltrating trade secrets from Google and other technology companies to unauthorized locations including Iran, involving sensitive information related to mobile processor security and cryptography and, per reporting, Google’s Tensor processor, with allegations of coordinated file transfers to third-party channels, cross-employer device copying, destruction and concealment efforts, and manual photographing of screens to bypass monitoring controls.

Details:

• Defendants:
  • Samaneh Ghandali
  • Mohammadjavad Khosravi (aka Mohammad Khosravi)
  • Soroor Ghandali
• Allegations:
  • Conspiracy to commit trade secret theft from Google and other technology companies
  • Theft and attempted theft of trade secrets
  • Obstruction of justice
• Methods described:
  • Exfiltration of confidential documents to unauthorized third-party and personal locations, including Iran
  • Transfers to third-party communications platform channels associated with defendants’ first names
  • Copying trade secret files to personal devices and to work devices associated with each other’s employers
  • Concealment via false signed affidavits, destruction of exfiltrated files, and photographing screens instead of transferring documents
  • Online searches related to deleting communications/data retention and “messages to print out for court”
• Timeline elements noted:
  • Google detected Samaneh Ghandali’s activity and revoked access in August 2023
  • Alleged photographing of Company 2 trade secret information before travel to Iran in December 2023; photos later accessed from a device in Iran
• Potential penalties (as stated):
  • Up to 10 years’ imprisonment and $250,000 fine per trade secret theft count
  • Up to 20 years’ imprisonment and $250,000 fine for obstruction of justice

Reference:
https://thehackernews.com/2026/02/three-former-google-engineers-indicted.html