<div id="weekly"> <div id="trending-threats" class="trending-threats-article"> <h2 id="article-1"><a href="https://www.infosecurity-magazine.com/news/zeroclick-flaw-claude-dxt/
" target="_blank" rel="noopener noreferrer">Zero-Click Remote Code Execution Flaw Affects Claude Desktop Extensions </a></h2> <p>(published: February 9, 2026)</p> <p> Researchers disclosed a critical vulnerability affecting 50 Claude Desktop Extensions that allows remote code execution without user interaction. The flaw stems from how Model Context Protocol (MCP) systems autonomously chain external tools to fulfill user requests without enforcing security boundaries. When a user prompts Claude to check calendar events and take care of them, the language model interprets vague instructions as justification for executing local code. An attacker can exploit this by crafting a calendar event containing malicious instructions, such as commands to clone a GitHub repository and execute a makefile, achieving full remote code execution on systems running vulnerable extensions. The vulnerability was assigned a CVSS score of 10.0 and could impact over 10,000 active users. Claude Desktop Extensions execute without sandboxing and with full system privileges, enabling operations including reading arbitrary files, executing system commands, accessing stored credentials, and modifying operating system settings. Anthropic declined to address the issue, stating the flaw falls outside its current threat model because Claude Desktop's MCP integration is designed as a local development tool where users explicitly configure and grant permissions to MCP servers.<br> <br><b>Analyst Comment:</b> This vulnerability exposes a fundamental trust boundary problem in AI automation where low-risk data sources are autonomously connected to high-risk execution environments without security controls. Exploitation requires the target to have vulnerable extensions installed and to issue prompts that trigger unsafe workflows, meaning not all Claude Desktop users are vulnerable by default. 
Organizations should assess whether Claude Desktop Extensions are deployed in their environment and evaluate what permissions MCP servers have been granted, particularly combinations that connect external data sources to local execution capabilities. The researchers recommend disabling MCP connectors on systems where security matters until meaningful safeguards are introduced. Anthropic's response indicates a shared responsibility model where organizations cannot assume vendor-side protections exist for locally configured AI tools with system-level access.<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/32045">T1659 - Content Injection</a> | <a href="https://ui.threatstream.com/attackpattern/9752">T1203 - Exploitation For Client Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9585">T1059 - Command And Scripting Interpreter</a> | <a href="https://ui.threatstream.com/attackpattern/9638">T1105 - Ingress Tool Transfer</a><br> </p> <h2 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/threat-actors-exploit-solarwinds-wdh-flaws-to-deploy-velociraptor/
" target="_blank" rel="noopener noreferrer">Threat Actors Exploit SolarWinds Web Help Desk Vulnerabilities to Deploy Velociraptor </a></h2> <p>(published: February 9, 2026)</p> <p> Researchers have documented the complete attack chain following exploitation of SolarWinds Web Help Desk (WHD) vulnerabilities disclosed last week. After achieving remote code execution, attackers deployed a multi-stage toolset beginning with the Zoho ManageEngine Assist agent, delivered as an MSI file from the Catbox file-hosting platform and configured for unattended access via a Proton Mail-linked account. Using the Zoho agent for hands-on keyboard activity and Active Directory reconnaissance, attackers then deployed Velociraptor version 0.73.4, a legitimate digital forensics and incident response tool, fetched from a Supabase bucket to establish command and control. The attackers installed Cloudflared from the official GitHub repository as a secondary tunnel-based access channel and disabled Windows Defender and Firewall through registry modifications. Persistence mechanisms included a scheduled task named TPMProfiler that launches a QEMU virtual machine to maintain an SSH backdoor. In some instances, attackers downloaded VS Code binaries immediately after disabling security controls. The specific exploited vulnerability remains uncertain as attacks occurred on systems vulnerable to CVE-2025-40551, CVE-2025-40536, and CVE-2025-26399 simultaneously. Microsoft characterized compromised environments as high-value assets but neither Microsoft nor Huntress attributed the attacks to specific threat groups<br> <br><b>Analyst Comment:</b> This activity demonstrates a living-off-the-land approach using exclusively legitimate administrative and security tools rather than custom malware, significantly complicating detection through traditional signature-based methods. 
Organizations that operated vulnerable WHD instances between December 2025 and January 2026 should conduct retroactive threat hunting even if now patched, as compromise may have occurred silently during the exploitation window. The attackers' use of Velociraptor version 0.73.4, which itself contains a documented privilege escalation vulnerability, suggests either deliberate selection for additional capabilities or operational security oversight worth monitoring in future campaigns. Defenders should hunt for specific indicators including Zoho Assist installations linked to anonymous email providers, Velociraptor services (particularly version 0.73.4), Cloudflared tunnel processes, the TPMProfiler scheduled task, and QEMU-related artifacts. The methodical reconnaissance, credential dumping activity, and focus on high-value assets are consistent with preparatory intrusion for subsequent data theft or ransomware deployment, though the ultimate objective remains uncertain and sources note the activity could equally represent cyber espionage operations. 
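The hunt described in this item, worked through as an added example (not code from Huntress, Microsoft or the reporting above): a small Python script that applies the listed indicators to normalized endpoint telemetry. The event schema, the WebHelpDesk install path, the Zoho installer name, the anonymous-mail domain list and the QEMU binary names are assumptions for the constructed sample; adapt them to your EDR export.

```python
import re
from dataclasses import dataclass

# Indicators named in the item, matched on the normalized image/service/task name.
# ANON_MAIL_DOMAINS and VM_BINARIES are starting points to extend locally.
WHD_PARENTS = {"wrapper.exe", "java.exe"}          # WHD service stack
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
TUNNEL_BINARIES = {"cloudflared.exe"}
VM_BINARIES = {"qemu-system-x86_64.exe", "qemu-system-i386.exe"}
ANON_MAIL_DOMAINS = {"proton.me", "protonmail.com", "pm.me"}
VELOCIRAPTOR_BAD_VERSION = "0.73.4"
TASK_NAME = "tpmprofiler"
EMAIL = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str

def _basename(path):
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]

def _first_token(command_line):
    # Executable path of a command line; quoted paths may contain spaces.
    if command_line.startswith('"'):
        return command_line[1:].split('"', 1)[0]
    return command_line.split(" ", 1)[0]

def _process_findings(ev):
    host, cmd = ev.get("host", "?"), ev.get("command_line", "")
    parent, image = _basename(ev.get("parent_image", "")), _basename(ev.get("image", ""))
    out = []
    if parent in WHD_PARENTS and image in SHELLS:   # WHD service component spawning a shell
        out.append(Finding("whd_service_spawns_shell", host, f"{parent} -> {image}: {cmd}"))
    if image in TUNNEL_BINARIES:
        out.append(Finding("cloudflared_tunnel", host, cmd))
    if image in VM_BINARIES:
        out.append(Finding("qemu_vm_launch", host, cmd))
    if image == "msiexec.exe" and "zoho" in cmd.lower():
        # Assumption: the unattended-access enrolment account is visible on the install command line.
        m = EMAIL.search(cmd)
        if m and m.group(1).lower() in ANON_MAIL_DOMAINS:
            out.append(Finding("zoho_assist_anon_mail", host, m.group(0)))
    return out

def _service_findings(ev):
    host, name = ev.get("host", "?"), ev.get("name", "")
    image, version = _basename(ev.get("image", "")), ev.get("file_version", "")
    out = []
    if "velociraptor" in name.lower() or "velociraptor" in image:
        state = "known-vulnerable build" if version == VELOCIRAPTOR_BAD_VERSION else "unexpected install"
        out.append(Finding("velociraptor_service", host, f"{name} v{version or '?'} ({state})"))
    if image in TUNNEL_BINARIES:
        out.append(Finding("cloudflared_service", host, name))
    return out

def _task_findings(ev):
    host, name, action = ev.get("host", "?"), ev.get("name", ""), ev.get("action", "")
    out = []
    if name.lower() == TASK_NAME:
        out.append(Finding("tpmprofiler_task", host, action))
    if _basename(_first_token(action)) in VM_BINARIES:   # any task that boots a VM, whatever its name
        out.append(Finding("task_launches_qemu", host, action))
    return out

HANDLERS = {"process": _process_findings, "service": _service_findings, "task": _task_findings}

def hunt(events):
    """Apply every rule to a list of normalized events and return the findings in order."""
    findings = []
    for ev in events:
        findings.extend(HANDLERS.get(ev.get("type"), lambda _e: [])(ev))
    return findings

# Constructed sample telemetry (hypothetical host names, paths and account).
SAMPLE_EVENTS = [
    {"type": "process", "host": "whd01", "parent_image": r"C:\Program Files\WebHelpDesk\bin\wrapper.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command whoami"},
    {"type": "process", "host": "whd01", "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"msiexec.exe /i C:\Users\Public\zoho_assist_unattended.msi /qn ACCOUNT=ops.helpdesk@proton.me"},
    {"type": "service", "host": "whd01", "name": "Velociraptor",
     "image": r"C:\Program Files\Velociraptor\Velociraptor.exe", "file_version": "0.73.4"},
    {"type": "task", "host": "whd01", "name": "TPMProfiler",
     "action": r"C:\ProgramData\qemu\qemu-system-x86_64.exe -hda disk.qcow2 -nographic"},
    {"type": "process", "host": "whd01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\cloudflared.exe", "command_line": "cloudflared.exe tunnel run"},
    {"type": "process", "host": "ws22", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]
```

Running `hunt(SAMPLE_EVENTS)` yields six findings on whd01 and nothing for the ordinary notepad launch on ws22; the rules are deliberately name-based, so pair them with the tool-version and registry-change telemetry your platform already collects.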
Standard endpoint protection may classify these tools as legitimate software, requiring behavioral detection focused on unusual parent-child process relationships originating from WHD service components (wrapper.exe and java.exe spawning PowerShell or cmd.exe).<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/10012">T1190 - Exploit Public-Facing Application</a> | <a href="https://ui.threatstream.com/attackpattern/9828">T1059.001 - Command and Scripting Interpreter: Powershell</a> | <a href="https://ui.threatstream.com/attackpattern/10017">T1197 - Bits Jobs</a> | <a href="https://ui.threatstream.com/attackpattern/9928">T1218.007 - Signed Binary Proxy Execution: Msiexec</a> | <a href="https://ui.threatstream.com/attackpattern/9638">T1105 - Ingress Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/9812">T1219 - Remote Access Software</a> | <a href="https://ui.threatstream.com/attackpattern/9931">T1053.005 - Scheduled Task/Job: Scheduled Task</a> | <a href="https://ui.threatstream.com/attackpattern/9893">T1090.003 - Proxy: Multi-Hop Proxy</a> | <a href="https://ui.threatstream.com/attackpattern/10079">T1562.001 - Impair Defenses: Disable Or Modify Tools</a> | <a href="https://ui.threatstream.com/attackpattern/9852">T1112 - Modify Registry</a> | <a href="https://ui.threatstream.com/attackpattern/9701">T1087.002 - Account Discovery: Domain Account</a> | <a href="https://ui.threatstream.com/attackpattern/9619">T1069.002 - Permission Groups Discovery: Domain Groups</a> | <a href="https://ui.threatstream.com/attackpattern/10019">T1018 - Remote System Discovery</a><br> </p> <h2 id="article-1"><a href="https://www.malwarebytes.com/blog/threat-intel/2026/02/fake-7-zip-downloads-are-turning-home-pcs-into-proxy-nodes" target="_blank" rel="noopener noreferrer">Fake 7-Zip Site Distributes Trojanized Installer Converting Systems to Proxy Nodes </a></h2> <p>(published: February 9, 2026)</p> <p> A lookalike domain impersonating the 
legitimate 7-Zip archiver project has distributed a trojanized installer that silently converts infected systems into residential proxy nodes. The malicious site, 7zip[.]com, delivered a functional copy of 7-Zip File Manager alongside concealed malware components, deceiving users who mistook it for the legitimate project hosted at 7-zip.org. The installer was Authenticode-signed using a now-revoked certificate issued to Jozeal Network Technology Co., Limited. During installation, a modified build of 7zfm.exe operates as expected while three additional components are silently deployed to C:\Windows\SysWOW64\hero: Uphero.exe (service manager and update loader), hero.exe (primary proxy payload compiled in Go), and hero.dll (supporting library). Both Uphero.exe and hero.exe register as auto-start Windows services running under System privileges, ensuring execution on every boot. The malware manipulates firewall rules via netsh, enumerates system characteristics using WMI and native Windows APIs, and communicates with iplogger[.]org to report device or network metadata. The hero.exe component retrieves configuration data from rotating command-and-control domains using smshero naming conventions and establishes outbound proxy connections on non-standard ports 1000 and 1002, using a lightweight XOR-encoded protocol with key 0x70. Related binaries identified as upHola.exe, upTiktok, upWhatsapp, and upWire share identical tactics and deployment patterns, suggesting a unified backend supporting multiple distribution fronts. 
Analysis by independent researchers Luke Acha, s1dhy, and Andrew Danis confirmed the malware functions as residential proxyware rather than a traditional backdoor, enrolling infected hosts into infrastructure where third parties route traffic through victim IP addresses.<br> <br><b>Analyst Comment:</b> This campaign demonstrates how attackers achieve scale through brand impersonation and typosquatting rather than technical exploits or compromised distribution channels. The malicious domain was inadvertently amplified through legitimate third-party content, including YouTube tutorials that mistakenly referenced 7zip[.]com instead of the correct 7-zip.org, representing passive opportunistic distribution rather than active influencer compromise. Defenders should prioritize monitoring for unauthorized service creation in privileged directories (particularly SysWOW64), unexpected firewall rule modifications via netsh, and outbound connections on non-standard ports. The residential proxy monetization model means infected systems actively facilitate third-party malicious activity, potentially implicating organizations in fraud, scraping, or anonymity laundering without their knowledge. The shared tooling across multiple fake installers (upHola, upTiktok, upWhatsapp, upWire) indicates a broader operation with consistent tactics targeting various software brands, suggesting defenders should extend vigilance beyond 7-Zip to other commonly downloaded utilities. This threat pattern affects home users as significantly as enterprise environments. 
Defenders should advise family members and non-technical users to verify software download URLs directly from official project pages, bookmark trusted sources for frequently used utilities, and be cautious of search engine results or tutorial links that may point to impersonation domains.<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/9615">T1204.002 - User Execution: Malicious File</a> | <a href="https://ui.threatstream.com/attackpattern/9860">T1543.003 - Create or Modify System Process: Windows Service</a> | <a href="https://ui.threatstream.com/attackpattern/10081">T1036.005 - Masquerading: Match Legitimate Name Or Location</a> | <a href="https://ui.threatstream.com/attackpattern/9596">T1553.002 - Subvert Trust Controls: Code Signing</a> | <a href="https://ui.threatstream.com/attackpattern/9775">T1562.004 - Impair Defenses: Disable Or Modify System Firewall</a> | <a href="https://ui.threatstream.com/attackpattern/10089">T1497.001 - Virtualization/Sandbox Evasion: System Checks</a> | <a href="https://ui.threatstream.com/attackpattern/9956">T1082 - System Information Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9893">T1090.003 - Proxy: Multi-Hop Proxy</a> | <a href="https://ui.threatstream.com/attackpattern/9715">T1071.001 - Application Layer Protocol: Web Protocols</a> | <a href="https://ui.threatstream.com/attackpattern/9720">T1571 - Non-Standard Port</a> | <a href="https://ui.threatstream.com/attackpattern/9717">T1573.001 - Encrypted Channel: Symmetric Cryptography</a> | <a href="https://ui.threatstream.com/attackpattern/39611">T1496.002 - Resource Hijacking: Bandwidth Hijacking</a><br> </p> <h2 id="article-1"><a href="https://www.darkreading.com/threat-intelligence/zerodayrat-brings-commercial-spyware-to-mass-market
" target="_blank" rel="noopener noreferrer">ZeroDayRAT Commercial Mobile Spyware Targets Android and iOS </a></h2> <p>(published: February 10, 2026)</p> <p> Researchers identified ZeroDayRAT, a commercial mobile spyware platform sold via Telegram that provides full remote access to Android and iOS devices. First observed February 2, 2026, the platform supports Android versions 5 through 16 and iOS up to version 26, including iPhone 17 Pro. The spyware delivers real-time surveillance capabilities including live camera streaming, microphone access, screen recording, and GPS tracking with location history. ZeroDayRAT intercepts SMS messages to capture one-time passwords and bypass SMS-based two-factor authentication, and can send messages from the victim's device. The platform includes a keylogger that records keystrokes, gestures, biometric unlocks, and app launches with millisecond timestamps alongside a live screen preview. Financial theft features include a cryptocurrency stealer that scans for MetaMask, Trust Wallet, Binance, and Coinbase, logs wallet IDs and balances, and performs clipboard hijacking to replace copied addresses with attacker-controlled ones. The banking stealer targets online banking applications, UPI platforms including PhonePe and Google Pay, and services including Apple Pay and PayPal through overlay attacks. The platform enumerates all registered accounts on infected devices including Google, Facebook, Amazon, and others. Distribution occurs through smishing, phishing emails, fake app stores, and malicious links shared via WhatsApp or Telegram. Operators manage self-hosted infrastructure and use a builder to generate payloads.<br> <br><b>Analyst Comment:</b> ZeroDayRAT represents a significant shift in the mobile threat landscape. 
Capabilities that previously required nation-state resources are now commercially available for approximately $2,000 with technical support included, substantially lowering the barrier to entry for comprehensive mobile surveillance. The platform's ability to bypass SMS-based two-factor authentication is particularly concerning for organizations relying on this method for account protection. A compromised personal device with access to corporate email, VPN credentials, cloud applications, and collaboration platforms could create a direct pathway into enterprise environments, highlighting the risk of using personal devices for work purposes. For individual users, the surveillance capabilities extend beyond data theft into real-time monitoring and financial fraud, with journalists, activists, and domestic abuse victims likely targets given the stalkerware profile. The developer's use of multiple languages and intentional attribution obfuscation suggests active measures to avoid law enforcement takedown, while the self-hosted infrastructure model means removal of Telegram sales channels does not eliminate existing deployments. Organizations should reconsider policies that allow work access from personal devices, transition from SMS-based authentication to app-based or hardware token methods, and ensure corporate-owned mobile devices receive the same security attention as traditional endpoints. For individuals, the primary defense remains behavioral since infection requires installation of a malicious application, typically delivered through smishing or phishing. 
Official app stores, careful evaluation of unexpected links, and enabling platform-specific protections such as Lockdown Mode on iOS or Advanced Protection on Android reduce exposure.<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/9883">T1566 - Phishing</a> | <a href="https://ui.threatstream.com/attackpattern/10082">T1614 - System Location Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9700">T1087 - Account Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9888">T1056.001 - Input Capture: Keylogging</a> | <a href="https://ui.threatstream.com/attackpattern/9671">T1113 - Screen Capture</a> | <a href="https://ui.threatstream.com/attackpattern/9842">T1125 - Video Capture</a> | <a href="https://ui.threatstream.com/attackpattern/9843">T1123 - Audio Capture</a> | <a href="https://ui.threatstream.com/attackpattern/9796">T1115 - Clipboard Data</a> | <a href="https://ui.threatstream.com/attackpattern/9674">T1056.002 - Input Capture: Gui Input Capture</a> | <a href="https://ui.threatstream.com/attackpattern/9689">T1111 - Two-Factor Authentication Interception</a> | <a href="https://ui.threatstream.com/attackpattern/32041">T1657 - Financial Theft</a><br> </p> <h2 id="article-1"><a href="https://thehackernews.com/2026/02/reynolds-ransomware-embeds-byovd-driver.html" target="_blank" rel="noopener noreferrer">Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Tools </a></h2> <p>(published: February 10, 2026)</p> <p> Researchers corrected earlier attribution of a ransomware campaign previously reported in last week's ACW as Black Basta, confirming the payload as Reynolds, an emergent ransomware family. Reynolds embeds a vulnerable NsecSoft NSecKrnl driver directly within the ransomware payload to disable endpoint detection and response solutions. 
The ransomware exploits CVE-2025-68947 in the driver to terminate processes from security products including Sophos, Symantec Endpoint Protection, Microsoft Defender, CrowdStrike Falcon, Cylance, ESET, Avast, and Palo Alto Networks Cortex XDR before encrypting files with a ".locked" extension. The bundled driver allows a local, authenticated attacker to kill processes owned by other users, including SYSTEM and Protected Processes, through crafted IOCTL requests. A suspicious side-loaded loader appeared on the target network several weeks before ransomware deployment, and the GotoHTTP remote access tool was found one day after the attack. This bundling tactic eliminates the temporal gap between driver deployment and encryption. The approach has previously been observed in Ryuk ransomware attacks in 2020 and Obscura ransomware campaigns in August 2025.<br> <br><b>Analyst Comment:</b> The misattribution of this campaign to Black Basta highlights ongoing challenges in threat intelligence where TTP similarities can lead to incorrect attribution, particularly when analyzing emergent ransomware families. Organizations should prioritize blocking execution of known vulnerable drivers like NSecKrnl rather than relying solely on file creation detection, as the embedded defense evasion approach compresses attack timelines and reduces traditional staging indicators. The presence of GotoHTTP post-encryption suggests some ransomware operators may be shifting toward persistent access models, though the prevalence of this behavior remains unclear. 
Defenders should consider that consolidated payloads require adjusted detection strategies that account for compressed kill chains, though the practical implementation challenges of this approach may limit widespread adoption beyond specific threat actors.<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/10093">T1068 - Exploitation For Privilege Escalation</a> | <a href="https://ui.threatstream.com/attackpattern/10104">T1574.002 - Hijack Execution Flow: Dll Side-Loading</a> | <a href="https://ui.threatstream.com/attackpattern/9762">T1211 - Exploitation For Defense Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/10079">T1562.001 - Impair Defenses: Disable Or Modify Tools</a> | <a href="https://ui.threatstream.com/attackpattern/9812">T1219 - Remote Access Software</a> | <a href="https://ui.threatstream.com/attackpattern/10080">T1486 - Data Encrypted For Impact</a><br> </p> <h2 id="article-1"><a href="https://thehackernews.com/2026/02/microsoft-discloses-dns-based-clickfix.html" target="_blank" rel="noopener noreferrer">DNS-Based ClickFix Attack Uses Nslookup for Malware Staging </a></h2> <p>(published: February 15, 2026)</p> <p> Researchers disclosed a new variant of the ClickFix social engineering attack in which threat actors manipulate victims into executing commands that perform DNS lookups to retrieve malicious payloads. The attack leverages the nslookup command executed through the Windows Run dialog to query a DNS server controlled by the attacker. When the victim runs the command, their system queries the attacker's DNS server for a TXT record, which contains an encoded malicious script. The command filters the DNS response to extract this payload, which is then executed directly on the victim's machine. This technique exploits DNS infrastructure as a covert staging channel, allowing malicious commands to blend with normal network traffic and bypass security controls that focus on web-based threats. 
The initial payload triggers an attack chain that downloads a ZIP archive from an external server, extracts a malicious Python script, conducts system reconnaissance, and deploys ModeloRAT, a Python-based remote access trojan. Persistence is established by creating a Windows shortcut in the Startup folder that points to a VBScript, ensuring the malware launches automatically on system boot.
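The DNS-side detection this item calls for, as an added example that is not part of the original reporting: a Python triage pass over resolver logs that surfaces TXT queries to external domains, ranks recently registered ones first, plus an endpoint-side check for nslookup TXT queries launched straight from the Run dialog. The log format, the internal-zone list, the registration-date table and the size threshold for TXT answers are constructed assumptions.

```python
from datetime import date, datetime

INTERNAL_ZONES = ("corp.example", "example.internal")           # assumption: your own zones
KNOWN_TXT_LABELS = {"_dmarc", "_domainkey", "_acme-challenge"}  # legitimate TXT-heavy lookups
RECENT_DAYS = 30
LARGE_ANSWER_BYTES = 1024   # heuristic beyond the item: script-sized TXT answers
REGISTRATION_DATES = {      # constructed; in practice filled from RDAP/WHOIS enrichment
    "example.com": date(1995, 8, 14),
    "stage-lookup.example": date(2026, 2, 10),
}

# Constructed resolver log: timestamp,client_ip,qtype,qname,answer_bytes
SAMPLE_LOG = """\
2026-02-13T09:01:12Z,10.0.4.21,A,www.example.com,64
2026-02-13T09:01:15Z,10.0.4.21,TXT,_dmarc.example.com,180
2026-02-13T09:02:40Z,10.0.4.33,TXT,stage-lookup.example,1450
2026-02-13T09:02:41Z,10.0.4.33,TXT,svc.corp.example,90
2026-02-13T09:03:02Z,10.0.4.50,TXT,unknown-zone.example,700
"""

def parse_line(line):
    ts, client, qtype, qname, answer_bytes = line.strip().split(",")
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "qtype": qtype.upper(), "qname": qname.rstrip(".").lower(),
            "answer_bytes": int(answer_bytes)}

def registrable_domain(qname):
    # Assumption: the last two labels are the registrable domain (no public-suffix list offline).
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname

def classify_txt_query(rec, today):
    """Reasons this TXT query deserves analyst attention; an empty list means benign."""
    qname = rec["qname"]
    if rec["qtype"] != "TXT" or qname.endswith(INTERNAL_ZONES):
        return []
    if qname.split(".")[0] in KNOWN_TXT_LABELS:
        return []   # mail-authentication and ACME lookups are expected TXT traffic
    reasons = []
    registered = REGISTRATION_DATES.get(registrable_domain(qname))
    if registered is None:
        reasons.append("external TXT query to domain with no registration data")
    elif (today - registered).days <= RECENT_DAYS:
        reasons.append(f"domain registered {(today - registered).days} days ago")
    if rec["answer_bytes"] >= LARGE_ANSWER_BYTES:
        reasons.append(f"large TXT answer ({rec['answer_bytes']} bytes)")
    return reasons

def triage(log_text, today=None):
    """Return (client, qname, reasons) for every log line worth a look."""
    today = today or date.today()
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            reasons = classify_txt_query(rec, today)
            if reasons:
                hits.append((rec["client"], rec["qname"], reasons))
    return hits

def suspicious_nslookup(parent_image, command_line):
    """Endpoint-side signal: nslookup asking for TXT records directly under explorer.exe,
    the parent of anything started from the Run dialog (assumption: other interactive
    shell ancestries are left to separate rules)."""
    cl = command_line.lower()
    asks_txt = "nslookup" in cl and any(f in cl for f in ("-type=txt", "-q=txt", "-querytype=txt"))
    parent = parent_image.lower().replace("/", "\\").rsplit("\\", 1)[-1]
    return asks_txt and parent == "explorer.exe"

def run_sample():
    # Fixed reference date keeps the constructed sample deterministic.
    return triage(SAMPLE_LOG, today=date(2026, 2, 13))
```

Because the victim's command can name the attacker's DNS server directly, the corporate resolver may never see the query; the endpoint-side check and egress filtering of port 53 to non-approved resolvers cover that gap.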
<br> <br><b>Analyst Comment:</b> This variant demonstrates continued tactical innovation in ClickFix campaigns, with threat actors adapting delivery mechanisms to evade detection while maintaining the core social engineering technique. The shift to DNS-based staging is significant because DNS traffic is often treated as trusted infrastructure and may bypass security controls focused on web-based threats. Organizations should prioritize user awareness training emphasizing that legitimate software and services never require users to manually execute commands through the Windows Run dialog or Terminal, regardless of how the instructions are presented. DNS traffic monitoring should be expanded to include inspection of TXT record queries, particularly those directed to external or recently registered domains. The rapid evolution of ClickFix variants, with new delivery methods appearing regularly, suggests this technique remains highly effective and will likely continue to be refined. Defensive strategies should focus on both preventing the initial social engineering compromise through user education and detecting anomalous DNS behavior that may indicate staging activity.<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/9883">T1566 - Phishing</a> | <a href="https://ui.threatstream.com/attackpattern/9614">T1204.001 - User Execution: Malicious Link</a> | <a href="https://ui.threatstream.com/attackpattern/10029">T1059.003 - Command and Scripting Interpreter: Windows Command Shell</a> | <a href="https://ui.threatstream.com/attackpattern/9827">T1059.006 - Command and Scripting Interpreter: Python</a> | <a href="https://ui.threatstream.com/attackpattern/9853">T1059.005 - Command and Scripting Interpreter: Visual Basic</a> | <a href="https://ui.threatstream.com/attackpattern/9891">T1071.004 - Application Layer Protocol: Dns</a> | <a href="https://ui.threatstream.com/attackpattern/9638">T1105 - Ingress Tool Transfer</a> | <a 
href="https://ui.threatstream.com/attackpattern/9933">T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</a> | <a href="https://ui.threatstream.com/attackpattern/9956">T1082 - System Information Discovery</a><br> </p> <h2 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/lummastealer-infections-surge-after-castleloader-malware-campaigns/" target="_blank" rel="noopener noreferrer">CastleLoader Campaigns Drive Resurgence in LummaStealer Activity </a></h2> <p>(published: February 11, 2026)</p> <p> LummaStealer infections have increased significantly between December 2025 and January 2026, marking a substantial resurgence of the infostealer operation that resumed in July 2025 after law enforcement seized 2,300 domains and its command structure in May 2025. The surge is primarily attributed to CastleLoader, a heavily obfuscated AutoIT or Python-based script that decrypts, loads, and executes payloads entirely in memory using multiple obfuscation layers. CastleLoader, which emerged in early 2025, serves as the primary delivery mechanism and has distributed multiple infostealer and remote access trojan families including Stealc, RedLine, Rhadamanthys, MonsterV2, CastleRAT, SectopRAT, NetSupport RAT, and WarmCookie. Social engineering campaigns using the ClickFix technique deliver CastleLoader through fake CAPTCHA pages that instruct users to execute malicious PowerShell commands. Infrastructure overlap between CastleLoader and LummaStealer suggests coordination between development teams or shared service providers. LummaStealer targets browser credentials, cookies, 2FA tokens, cryptocurrency wallets, password manager data, and remote access tools.<br> <br><b>Analyst Comment:</b> LummaStealer's rapid recovery demonstrates the resilience of established malware-as-a-service operations and their ability to migrate infrastructure and adapt delivery methods following law enforcement action. 
The threat relies entirely on social engineering rather than technical exploitation, with ClickFix campaigns tricking users into manually executing malicious commands through fake verification prompts. Organizations can mitigate ClickFix delivery by using Group Policy to restrict or disable the Windows Run dialog (Win+R shortcut), enforcing PowerShell execution policies that block unsigned scripts, and blocking execution of mshta.exe and powershell.exe from user directories. User awareness training should emphasize that legitimate CAPTCHA verifications never require executing Windows commands or pasting clipboard content into command-line interfaces. The infrastructure overlap between CastleLoader and LummaStealer indicates defenders facing one threat should consider the possibility of encountering related malware families from the same distribution ecosystem.<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/9615">T1204.002 - User Execution: Malicious File</a> | <a href="https://ui.threatstream.com/attackpattern/49489">T1204.004 - User Execution: Malicious Copy and Paste</a> | <a href="https://ui.threatstream.com/attackpattern/9828">T1059.001 - Command and Scripting Interpreter: Powershell</a> | <a href="https://ui.threatstream.com/attackpattern/37191">T1059.010 - Command and Scripting Interpreter: AutoHotKey & AutoIT</a> | <a href="https://ui.threatstream.com/attackpattern/9591">T1027 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/30609">T1027.011 - Obfuscated Files or Information: Fileless Storage</a> | <a href="https://ui.threatstream.com/attackpattern/12870">T1036.007 - Masquerading: Double File Extension</a> | <a href="https://ui.threatstream.com/attackpattern/9838">T1140 - Deobfuscate/Decode Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9931">T1053.005 - Scheduled Task/Job: Scheduled Task</a> | <a 
href="https://ui.threatstream.com/attackpattern/9933">T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</a> | <a href="https://ui.threatstream.com/attackpattern/10025">T1555.003 - Credentials from Password Stores: Credentials From Web Browsers</a> | <a href="https://ui.threatstream.com/attackpattern/10031">T1539 - Steal Web Session Cookie</a> | <a href="https://ui.threatstream.com/attackpattern/9714">T1071 - Application Layer Protocol</a> | <a href="https://ui.threatstream.com/attackpattern/9638">T1105 - Ingress Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/9802">T1005 - Data From Local System</a><br> </p> <h2 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/amos-infostealer-targets-macos-through-a-popular-ai-app/
" target="_blank" rel="noopener noreferrer">AMOS Infostealer Targets OpenClaw AI Assistant Through Supply Chain Attack </a></h2> <p>(published: February 11, 2026)</p> <p> Atomic MacOS Stealer (AMOS) is targeting macOS users through a supply chain attack on the OpenClaw personal AI assistant ecosystem. Researchers at Koi Security identified 341 malicious skills on the ClawHub marketplace, with 335 linked to a campaign designated ClawHavoc. The malicious skills posed as cryptocurrency tools, YouTube utilities, finance applications, and Google Workspace integrations, instructing users to install prerequisites that deployed AMOS. Once installed, the malware steals credentials, crypto wallet data, browser sessions, SSH keys, and other sensitive data. All 335 AMOS-delivering skills shared a single command and control IP address (91.92.242[.]30). The campaign follows a December 2025 operation where attackers used the ChatGPT shared chat feature to host malicious installation guides on the trusted chatgpt.com domain, promoting a fake ChatGPT Atlas browser for macOS through paid search ads. Both campaigns rely on SEO poisoning and social engineering to distribute AMOS by instructing victims to execute terminal commands, turning users into the execution mechanism. AMOS first appeared in May 2023 on Telegram, advertising capabilities including Mac keychain password exfiltration, browser session theft, and crypto wallet data theft.<br> <br><b>Analyst Comment:</b> This campaign reveals how AI tool adoption enthusiasm is outpacing security understanding, creating exploitable behavioral gaps. Attackers are systematically targeting AI platforms (ChatGPT, OpenClaw) using a consistent playbook: abuse trusted domains, manipulate search results, and trick users into executing malware through seemingly helpful installation instructions. 
The attack vector is behavioral rather than technical, relying on users who perceive AI tools as emerging technology rather than established attack surfaces requiring scrutiny. For organizations, personal AI assistants with deep system access present supply chain risks comparable to traditional package repositories, but their extension ecosystems may lack vetting maturity while existing software approval processes may not account for user-executed commands or skill-based installations. Individuals should recognize that terminal commands or external downloads presented as prerequisites warrant verification regardless of marketplace hosting or tool legitimacy. The December 2025 and February 2026 campaigns suggest this threat model will likely expand as AI adoption accelerates across both consumer and enterprise environments.
<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/9614">T1204.001 - User Execution: Malicious Link</a> | <a href="https://ui.threatstream.com/attackpattern/49489">T1204.004 - User Execution: Malicious Copy and Paste</a> | <a href="https://ui.threatstream.com/attackpattern/9809">T1059.004 - Command and Scripting Interpreter: Unix Shell</a> | <a href="https://ui.threatstream.com/attackpattern/9838">T1140 - Deobfuscate/Decode Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9695">T1543.001 - Create or Modify System Process: Launch Agent</a> | <a href="https://ui.threatstream.com/attackpattern/9777">T1564.001 - Hide Artifacts: Hidden Files And Directories</a> | <a href="https://ui.threatstream.com/attackpattern/9728">T1548.004 - Abuse Elevation Control Mechanism: Elevated Execution With Prompt</a> | <a href="https://ui.threatstream.com/attackpattern/9674">T1056.002 - Input Capture: Gui Input Capture</a> | <a href="https://ui.threatstream.com/attackpattern/9600">T1555.001 - Credentials from Password Stores: Keychain</a> | <a href="https://ui.threatstream.com/attackpattern/10025">T1555.003 - Credentials from Password Stores: Credentials From Web Browsers</a> | <a href="https://ui.threatstream.com/attackpattern/9888">T1056.001 - Input Capture: Keylogging</a> | <a href="https://ui.threatstream.com/attackpattern/9956">T1082 - System Information Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9863">T1083 - File And Directory Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9802">T1005 - Data From Local System</a> | <a href="https://ui.threatstream.com/attackpattern/10014">T1552.001 - Unsecured Credentials: Credentials In Files</a> | <a href="https://ui.threatstream.com/attackpattern/9638">T1105 - Ingress Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/9715">T1071.001 - Application Layer Protocol: Web Protocols</a> | <a 
href="https://ui.threatstream.com/attackpattern/9617">T1041 - Exfiltration Over C2 Channel</a><br> </p> <h2 id="article-1"><a href="https://www.helpnetsecurity.com/2026/02/12/windows-notepad-markdown-feature-opens-door-to-rce-cve-2026-20841/" target="_blank" rel="noopener noreferrer">Windows Notepad Markdown Feature Allows Remote Code Execution </a></h2> <p>(published: February 12, 2026)</p> <p> Microsoft patched CVE-2026-20841, a command injection vulnerability in Windows Notepad, as part of the February 2026 Patch Tuesday. The vulnerability stems from Notepad's Markdown rendering feature, added in 2025, which failed to properly constrain how certain links were handled. An attacker can craft a Markdown file containing malicious links that, when opened in Notepad and clicked by the user, cause the application to launch unverified protocols that load and execute remote files. Malicious code executes with the same privileges as the user. CVE-2026-20841 affects Windows Notepad versions 11.0.0 before 11.2510 and carries a CVSS score of 8.8. Exploitation requires the victim to open the Markdown file and click the embedded link, though such interaction is routinely achieved through social engineering. Microsoft addressed the issue by implementing warnings for links using protocols other than http or https. Users can bypass the alert if they choose to ignore it. Public proof-of-concept code is available on GitHub. Windows Notepad receives updates through the Microsoft Store, and users with automatic updates enabled receive the fix automatically. No active exploitation has been reported.
<br> <br><b>Analyst Comment:</b> Notepad evolved from a passive text editor into an application capable of invoking system protocols and executing code through Markdown links. Users expect Notepad to be safe for opening text files, but this capability creates an exploitable gap between expectation and reality. Microsoft's fix adds a warning dialog for non-standard protocols rather than blocking them, so the control relies on user judgment and remains vulnerable to social engineering. Defenders should verify systems have updated to Notepad version 11.2510 or later, especially where Microsoft Store updates are managed or disabled. Organizations should treat Markdown files with the same caution as other document types in email filtering and user awareness programs, since these files historically carried low perceived risk. The availability of public proof-of-concept code significantly lowers the barrier to weaponization, and vulnerabilities with public exploit code typically transition to active use in campaigns within weeks or months of disclosure. The combination of low exploitation complexity, wide deployment of the affected application, and readily available exploit code suggests this vulnerability is likely to appear in phishing or initial access operations. The Markdown rendering feature remains active, meaning the attack surface persists with user warnings as the primary defense.
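Microsoft's fix keys on the link protocol, so the same criterion can be applied before a Markdown file ever reaches Notepad, for example in mail or file-share triage. The following is an added example, not code from the article, Microsoft or Help Net Security: it pulls link targets out of inline links, autolinks and reference definitions and flags every one whose scheme is not http or https; the sample document is constructed for the demonstration.

```python
import re

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":"
SCHEME_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9+.\-]*):")
# Inline links and images: [text](target "optional title") / ![alt](target)
INLINE_RE = re.compile(r'!?\[[^\]]*\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)')
# Autolinks <scheme:rest> and reference definitions "[id]: target"
AUTOLINK_RE = re.compile(r"<([A-Za-z][A-Za-z0-9+.\-]*:[^\s<>]*)>")
REFDEF_RE = re.compile(r"^\s{0,3}\[[^\]]+\]:\s*<?(\S+?)>?\s*$")

ALLOWED_SCHEMES = {"http", "https"}  # the two schemes the Notepad warning exempts

# Constructed sample document; only lines 4, 5 and 7 should be flagged.
SAMPLE_MD = """# Quarterly notes (constructed sample)
See the [intranet wiki](https://wiki.example.test/notes "Wiki").
Relative [appendix](./appendix.md) and an image ![logo](img/logo.png).
Offline copy: <file:///C:/Users/Public/notes.md>
Contact [ops](mailto:ops@example.test).

[build]: FILE://share.example.test/build/notes.txt
"""

def extract_targets(markdown):
    """Yield (line_number, target) for each link target in the document."""
    for lineno, line in enumerate(markdown.splitlines(), 1):
        for m in INLINE_RE.finditer(line):
            yield lineno, m.group(1)
        # Strip inline links first so an <angle-bracket> target is not counted twice
        for m in AUTOLINK_RE.finditer(INLINE_RE.sub("", line)):
            yield lineno, m.group(1)
        m = REFDEF_RE.match(line)
        if m:
            yield lineno, m.group(1)

def link_scheme(target):
    """Lower-cased scheme of a link target, or None for a relative target."""
    m = SCHEME_RE.match(target)
    return m.group(1).lower() if m else None

def flag_links(markdown):
    """Return (line, scheme, target) for every link whose scheme is not http/https.
    Relative targets are not flagged; case is normalized so FILE: == file:."""
    findings = []
    for lineno, target in extract_targets(markdown):
        scheme = link_scheme(target)
        if scheme is not None and scheme not in ALLOWED_SCHEMES:
            findings.append((lineno, scheme, target))
    return findings
```

Running flag_links(SAMPLE_MD) reports the file: autolink, the mailto: link and the upper-cased FILE: reference definition, while the https and relative links pass.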
<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/9615">T1204.002 - User Execution: Malicious File</a> | <a href="https://ui.threatstream.com/attackpattern/9614">T1204.001 - User Execution: Malicious Link</a> | <a href="https://ui.threatstream.com/attackpattern/9752">T1203 - Exploitation For Client Execution</a><br> </p> <h2 id="article-1"><a href="https://thehackernews.com/2026/02/google-reports-state-backed-hackers.html" target="_blank" rel="noopener noreferrer">State-Backed Actors Integrate Gemini AI Into Cyber Operations </a></h2> <p>(published: February 12, 2026)</p> <p> Google observed multiple state-backed threat actors using its Gemini AI model to enhance reconnaissance, campaign planning, and attack execution. North Korea-linked UNC2970 used Gemini to synthesize open-source intelligence and profile high-value targets, including searches for information on cybersecurity and defense companies, technical job roles, and salary data. The activity represents a blurring of boundaries between professional research and malicious reconnaissance, enabling threat actors to craft tailored phishing personas and identify soft targets for initial compromise. Other actors using Gemini include China-linked Temp.HEX, APT31, APT41, and UNC795, and Iran-linked APT42. China-affiliated actors leveraged the tool to compile dossiers on specific individuals, automate vulnerability analysis, troubleshoot code, and develop web shells and scanners. APT42 used Gemini to facilitate reconnaissance and social engineering through crafted personas, develop Python-based tooling, and research proof-of-concept exploits. Google detected a malware called HONESTCUE that leverages Gemini's API to generate second-stage functionality, and an AI-generated phishing kit named COINBAIT masquerading as a cryptocurrency exchange. The company also disrupted large-scale model extraction attacks involving over 100,000 prompts aimed at replicating Gemini's reasoning ability.<br> <br><b>Analyst Comment:</b> This activity demonstrates the operational integration of generative AI into reconnaissance workflows, automating the synthesis of publicly available organizational and personnel information that was previously gathered manually. 
The information being weaponized is typically legitimate business data such as job postings, organizational structures, and employee profiles, but AI aggregation transforms scattered data points into actionable targeting packages at scale. Defenders should audit their public information footprint to understand what intelligence adversaries can readily aggregate about technical roles, organizational structure, and personnel. Employee awareness programs may need updating to account for more contextually sophisticated social engineering scenarios enabled by AI-assisted OSINT analysis. Traditional phishing indicators such as poor grammar or generic messaging may become less reliable as threat actors leverage AI to craft convincing pretexts based on synthesized public data. Organizations operating in sectors targeted by the actors identified in this report (defense, cybersecurity, finance) should consider whether publicly shared technical details or personnel information creates unnecessary targeting opportunities that outweigh business value.
<br> </p> </div>
</div>