Executive Summary -
Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
BeyondTrust Patches CVE-2026-1731 Vulnerability in Remote Support (RS) and Privileged Remote Access (PRA) - On 2 February 2026, BeyondTrust addressed CVE-2026-1731, a critical operating system command injection vulnerability affecting BeyondTrust Remote Support (versions 25.3.1 and earlier) and BeyondTrust Privileged Remote Access (versions 24.3.4 and earlier). The flaw enables unauthenticated attackers to execute arbitrary operating system commands by sending specially crafted requests.
If successfully exploited, the vulnerability could allow threat actors to exfiltrate sensitive data or disrupt services. BeyondTrust resolved the issue with the release of version 25.1.1, and at the time of writing there have been no reports of active exploitation.
Trend Micro ZDI Discloses Critical RCE Vulnerability (CVE-2026-0755) in Gemini-Mcp-Tool - On 9 January 2026, Trend Micro’s Zero Day Initiative disclosed details of CVE-2026-0755, a critical vulnerability affecting Gemini-Mcp-Tool, a system management and automation solution that executes operating system-level commands on behalf of integrated services. The issue arises from improper input validation within the tool’s execAsync method implementation.
If exploited, the vulnerability could allow threat actors to execute arbitrary code in the context of the Gemini-Mcp-Tool service account. At the time of disclosure, no patch had been released by the vendor, and users were advised to reduce risk by restricting access to trusted environments.
Fortinet Patches CVE-2026-21643 Vulnerability in FortiClientEMS - On 6 February 2026, Fortinet patched CVE-2026-21643, a critical SQL injection vulnerability affecting FortiClientEMS version 7.4.4. The flaw allows threat actors to execute arbitrary SQL commands by sending a maliciously crafted HTTP request.
Successful exploitation could compromise the integrity of the affected system. Fortinet has urged users to upgrade to FortiClientEMS version 7.4.5 to remediate the vulnerability.
Potential Threats
ClickFix Variant Called CrashFix Abuses Browser Crashes and Native Utilities to Deploy ModeloRAT - On 5 February 2026, Microsoft Security detailed CrashFix, a new variant of the ClickFix campaign that deliberately crashes victims’ browsers and tricks them into running malicious commands under the guise of restoring functionality. The attack begins with a malicious advert for an advert blocker that redirects users to the legitimate Chrome Web Store, where they install a rogue extension impersonating uBlock Origin Lite. After a delay, the extension disrupts the browser and displays a fake warning prompting the victim to execute attacker-supplied commands, leading to the download of additional payloads via abused Windows utilities and PowerShell.
If the compromised system is domain-joined, the attackers deploy a portable Python package and a remote access trojan known as ModeloRAT. The malware establishes command-and-control communications, creates persistence mechanisms, downloads further scripts, and collects domain and network information. Microsoft also observed follow-on activity involving additional Python-based payloads delivered through encoded PowerShell commands, with persistence achieved via a scheduled task.
Threat Actors Abuse SonicWall VPN Access and BYOVD Technique to Deploy EDR Killer - On 4 February 2026, Huntress published an analysis of a cyberattack targeting a SonicWall SSLVPN appliance, in which threat actors attempted to mass-terminate endpoint security tools. The attackers gained initial access using compromised VPN credentials and abused a legitimately signed but long-revoked EnCase kernel driver via the Bring Your Own Vulnerable Driver (BYOVD) technique to gain kernel-level control. Huntress assessed the activity as a ransomware precursor but disrupted the intrusion before any ransomware was deployed. Following access, the attackers performed aggressive internal reconnaissance, triggering alerts for ICMP ping sweeps, SMB activity, and high-rate SYN scans.
The attackers then deployed a 64-bit Windows endpoint detection and response (EDR) killer disguised as a firmware update utility, embedding a kernel driver payload encoded with a custom wordlist scheme. At runtime, the driver was decoded and registered as a kernel service named “OemHwUpd,” using a repurposed EnCase driver to bypass Windows driver signature enforcement. This allowed the malware to terminate security processes directly from kernel mode, bypassing Protected Process Light and other user-mode protections, while employing anti-forensic measures such as timestomping and hiding the file.
European Commission Reports Cyberattack Targeting Central Mobile Device Management Infrastructure - On 6 February 2026, the European Commission disclosed that an unidentified threat actor had gained unauthorized access to its central mobile device management (MDM) infrastructure, potentially exposing staff names and mobile phone numbers. The organisation confirmed that there is no evidence that the managed mobile devices themselves were compromised.
The incident was detected on 30 January 2026, following suspicious activity in backend systems used for managing staff mobile devices. The Commission has not revealed the method of initial access or the date when the compromise began.
General News
EU threatens TikTok with massive fine over addictive design features - The European Commission has informed TikTok that it may have breached the Digital Services Act by using addictive design features, including infinite scroll, autoplay, push notifications, and a highly personalised recommender system. The investigation, begun in February 2024, found these features may harm user well-being, especially for minors, and could lead to fines of up to 6% of TikTok’s global annual turnover. The Commission recommended changes such as disabling addictive features, enforcing screen time breaks, and adjusting the recommender system.
It also criticised TikTok’s screen time tools and parental controls as largely ineffective, noting frequent app use and night-time activity among minors. TikTok has rejected the preliminary findings and will have the chance to submit a defence. The investigation also flagged the risk of minors accessing age-inappropriate content, reflecting concerns raised by regulators in countries including Australia, Spain, and the UK.
Discord to require video selfies or government IDs to verify all users’ ages - Discord has announced that it will require all users globally to verify their ages using video selfies or government IDs, with data deleted immediately after verification and never leaving the device. A phased rollout will begin in early March, ensuring a “teen-appropriate experience by default.” The move expands a policy already applied in the U.K. and Australia and responds to growing regulatory pressure on online platforms to protect minors, including calls from the U.S. Federal Trade Commission to implement age verification tools.
The new rules will blur sensitive content for unverified users, restrict access to age-restricted channels and commands, and block unverified users from messaging strangers. The policy has drawn criticism due to a prior breach exposing ID images of around 70,000 users via a third-party service. Discord emphasises that the teen-by-default settings aim to enhance safety while still allowing verified adults full access. This follows broader regulatory actions in Australia, the U.K., the Netherlands, Spain, and France, alongside lawsuits targeting platforms like Roblox for allegedly endangering child safety.
North Korean hackers targeted crypto exec with fake Zoom meeting, ClickFix scam - North Korean hackers from the financially motivated group UNC1069 targeted an executive at a cryptocurrency company using highly tailored attacks involving multiple scams and malware, according to Mandiant. The campaign began via Telegram, where the victim received a Calendly link leading to a Zoom meeting. During the call, a deepfake video of another cryptocurrency CEO was shown, and the attackers feigned technical issues to trick the victim into executing commands that installed malware on their macOS device. The initial backdoors, named WAVESHAPER and HYPERCALL, allowed the attackers to deploy additional tools for further compromise.
The attackers also used data-mining tools, DEEPBREATH and CHROMEPUSH, to steal credentials, browser data, Telegram messages, and Apple Notes, with the information exfiltrated to remote servers. Mandiant noted the unusually high volume of malware on a single host suggested a deliberate, highly targeted attack aimed at cryptocurrency theft and enabling future social engineering using the victim’s identity. UNC1069, active since at least 2018, has evolved its tactics, increasingly targeting centralized exchanges, financial software developers, and venture capital personnel, using AI tools such as Google’s Gemini to assist in operations. North Korea is accused of stealing over $2 billion in cryptocurrency in 2025.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100 and are responsible for scoring the group's severity. These updates can be seen below.
Severity legend: ● Limited Severity | ● Basic Severity | ● Moderate Severity | ● High Severity

| Threat Actor | Severity Increase (before → after) | Opportunity (before → after) | Intent (before → after) |
|---|---|---|---|
| GRU 85 | ● Basic → ● Moderate | ● 49 → ● 60 | ● 30 → ● 30 |
| GordonFreeman | NEW → ● Basic | NEW → ● 35 | NEW → ● 25 |
| 313 Team | NEW → ● Basic | NEW → ● 25 | NEW → ● 25 |
| Warlock Ransomware Group | ● Basic → ● Basic | ● 25 → ● 40 | ● 49 → ● 49 |
| BianLian Ransomware Group | ● Basic → ● Basic | ● 45 → ● 45 | ● 49 → ● 35 |
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.
The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.
▲ Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
▲ Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.
| Attackers | Trend | Methods | Trend | Vulnerabilities | Trend | Targets | Trend |
|---|---|---|---|---|---|---|---|
| UNC3886 (CAULDRON PANDA) | ▲ | Gentlemen Ransomware | ▲ | CVE-2026-21510 | ▲ | Conduent | ▲ |
| UNC1069 | ▲ | ClickFix | ▲ | CVE-2026-21533 | ▲ | Singapore | ▲ |
| Storm-2603 | ▲ | Exploit | ▲ | CVE-2026-21525 | ▲ | Volvo AB | ▲ |
| Space Bears Ransomware Group | ▲ | TA005 (Defense Evasion) | ▲ | CVE-2026-21514 | ▲ | European Commission | ▲ |
| RedMike | ▲ | TA0010 (Exfiltration) | ▲ | CVE-2026-21513 | ▲ | SmarterTools | ▲ |
Prominent Information Security Events
ClickFix Variant Called CrashFix Abuses Browser Crashes and Native Utilities to Deploy ModeloRAT
Source: Insikt Group | Validated Intelligence Event
IOC: Hash - c76c0146407069fd4c271d6e1e03448c481f0970ddbe7042b31f552e37b55817
IOC: IP - 144[.]31[.]221[.]197
On 5 February 2026, Microsoft Security analysed CrashFix, a new variant of the ClickFix campaign that crashes victims’ browsers and tricks them into executing malicious commands under the guise of restoring functionality. The attack starts when a user clicks a malicious ad for an ad blocker, which redirects them to the legitimate Chrome Web Store. A rogue extension impersonating uBlock Origin Lite delays execution before disrupting the browser, displaying a fake security warning, and prompting the user to run attacker-supplied commands, allowing further payloads to be deployed via Windows utilities and PowerShell.
On domain-joined systems, the attackers deploy a portable Python package along with the remote access trojan ModeloRAT. This malware establishes command-and-control communications, creates persistence mechanisms such as registry Run keys, downloads additional Python scripts, and collects domain, user, and network information. ModeloRAT’s modular design enables it to adapt to different environments and evade detection.
Microsoft also observed follow-on activity using encoded PowerShell commands to deliver additional Python-based payloads. These scripts establish persistence via scheduled tasks and support data exfiltration or remote commands. CrashFix demonstrates sophisticated, multi-stage tactics combining social engineering, delayed execution, and modular payloads, making it a significant threat to both individual and domain-joined systems.
Threat Actors Abuse SonicWall VPN Access and BYOVD Technique to Deploy EDR Killer
Source: Insikt Group | Validated Intelligence Event
IOC: Hash - 3111f4d7d4fac55103453c4c8adb742def007b96b7c8ed265347df97137fbee0
IOC: IP - 69[.]10[.]60[.]250
On 4 February 2026, Huntress published an analysis of a cyberattack exploiting a SonicWall SSLVPN appliance to gain unauthorized access and attempt mass termination of endpoint security tools. The attackers abused a long-revoked but legitimately signed Guidance Software EnCase kernel driver using the Bring Your Own Vulnerable Driver (BYOVD) technique to gain kernel-level control. Huntress assessed the activity as a ransomware precursor, though the intrusion was disrupted before any ransomware was deployed.
The attackers initially accessed the network using compromised VPN credentials, with telemetry showing a failed login followed by a successful authentication. Once inside, they performed rapid internal reconnaissance, triggering IPS alerts for ICMP ping sweeps, NetBIOS probes, SMB activity, and high-rate SYN scanning, indicating aggressive network mapping.
Following reconnaissance, the attackers deployed a 64-bit Windows EDR killer disguised as a firmware update utility, embedding a kernel driver payload encoded with a custom wordlist scheme. The payload was decoded at runtime and written as “OemHwUpd.sys” in the C:\ProgramData\OEM\Firmware\ directory, with anti-forensic measures applied. The driver was registered as a kernel service and leveraged a repurposed EnCase driver to bypass Windows signature enforcement, allowing the user-mode component to terminate security processes directly from kernel mode, circumventing Protected Process Light and other safeguards.
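As an added defensive example (not code from the digest, Microsoft or Huntress), the following Python script refangs the IoCs listed under the CrashFix and SonicWall/BYOVD events above and checks them, together with the OemHwUpd service name and driver drop path from the Huntress analysis, against constructed sample log lines. The log format and field names are assumptions for illustration.

```python
import re

# Indicators as listed in the two events above; the defanged [.] notation is the digest's own.
IOC_HASHES = {
    "c76c0146407069fd4c271d6e1e03448c481f0970ddbe7042b31f552e37b55817": "CrashFix/ModeloRAT",
    "3111f4d7d4fac55103453c4c8adb742def007b96b7c8ed265347df97137fbee0": "SonicWall BYOVD EDR killer",
}
IOC_IPS_DEFANGED = {
    "144[.]31[.]221[.]197": "CrashFix/ModeloRAT",
    "69[.]10[.]60[.]250": "SonicWall BYOVD EDR killer",
}
# Host artefacts named in the Huntress analysis summarised above.
ARTEFACT_PATTERNS = [
    (re.compile(r"\bOemHwUpd\b", re.IGNORECASE), "BYOVD kernel service/driver name"),
    (re.compile(r"C:\\ProgramData\\OEM\\Firmware\\", re.IGNORECASE), "BYOVD driver drop path"),
]
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator: str) -> str:  # turn 1[.]2[.]3[.]4 back into a matchable value
    return indicator.replace("[.]", ".")


IOC_IPS = {refang(ip): label for ip, label in IOC_IPS_DEFANGED.items()}


def scan_line(line: str) -> list:
    """Return a label for every hash, IP or host artefact on one log line that matches an indicator."""
    hits = []
    for digest in SHA256_RE.findall(line):
        if digest.lower() in IOC_HASHES:
            hits.append("hash:" + IOC_HASHES[digest.lower()])
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.append("ip:" + IOC_IPS[ip])
    for pattern, label in ARTEFACT_PATTERNS:
        if pattern.search(line):
            hits.append("artefact:" + label)
    return hits


def scan_log(lines) -> list:  # (line number, hits) for every line with at least one match
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := scan_line(line))]


# Constructed sample log lines (assumed format, not real telemetry): one per indicator type plus a clean line.
SAMPLE_LOG = [
    "2026-02-05 10:01:12 EDR FileCreate C:\\Users\\alice\\Downloads\\update.exe sha256=c76c0146407069fd4c271d6e1e03448c481f0970ddbe7042b31f552e37b55817",
    "2026-02-05 10:01:20 FW allow 10.0.0.15:51234 -> 144.31.221.197:443",
    "2026-02-04 22:14:03 EDR ServiceInstall name=OemHwUpd path=C:\\ProgramData\\OEM\\Firmware\\OemHwUpd.sys",
    "2026-02-04 22:15:40 FW allow 10.0.0.40:49512 -> 198.51.100.7:443",
]
```

Running `scan_log(SAMPLE_LOG)` flags the first three constructed lines and leaves the fourth (benign) line unflagged.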
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2026-1731 (BeyondTrust) – This vulnerability can be addressed by upgrading BeyondTrust RS/PRA to version 25.1.1 or later.
- CVE-2026-0755 (Gemini-Mcp-Tool) – This vulnerability can be addressed by restricting access to trusted environments, as there has been no patch specifically for Gemini-Mcp-Tool.
- CVE-2026-21643 (FortiClientEMS) – This vulnerability can be addressed by patching FortiClient EMS to version 7.4.5.
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.