Threat Newsletter February 23, 2026
Welcome to this week's Threat Intel Newsletter. This week we cover the most urgent threats where exploitation is happening fast and at scale. We start with mass exploitation of Ivanti EPMM—driven largely by a single bulletproof-hosted IP. Then we explain how trust is being abused in modern workflows, including "memory poisoning" attacks that bias AI assistant recommendations and a Copilot/DLP issue involving confidential-labeled emails. Next, we break down user-driven execution and identity compromise tradecraft, including DNS-based ClickFix, large-scale brand impersonation phishing, and proxy-based kits that steal sessions and MFA codes in real time. Finally, we highlight major breach and ransomware disclosures and close with immediate patch priorities for actively exploited bugs like the Chrome zero-day and Dell RecoverPoint's hard-coded credential flaw.
Ivanti EPMM Under Mass Exploitation: 83% Linked to One Bulletproof IP
Key Takeaways
🔒 Concentrated attacker infrastructure: Blocking published IOCs alone may miss the primary exploitation source—the top IP is not on widely published IOC lists.
🤖 Automated at scale: Activity appears fully automated, with rotating user agents and verification through DNS callback techniques.
🌐 Multi-target scanning behavior: The same IP was observed exploiting other vulnerabilities at the same time (including Oracle WebLogic, GNU Institutes TeInetd, and GLPI), suggesting broad opportunistic exploitation rather than a single-product-campaign.
🛡️ Mitigation: Ivanti reiterated that applying the hot fix is the most effective mitigation and that it is a quick and requires no downtime. If you operate Ivanti EPMM, treat this as an active exploitation situation, not a theoretical risk.
Bill Toulas
Memory Poisoning in AI Assistants: Persistent Bias via Malicious Links
Microsoft Defender researchers describe a growing pattern they call AI Recommendation Positioning, where attackers trick AI chatbots into "remembering" the attacker's site so the chatbot will recommend it later.
Key Takeaways
❗Attack: The attack targets AI memory, not just a single chat.
📩 Delivery: Delivery is often “one-click”. A link to an AI assistant includes a URL parameter such as:
(?q=) or (?prompt=)
🌐 Scope: This is already happening at scale in the wild. Microsoft found over 50 unique prompts from 31 companies across more than 14 industries in a 60-day review, indicating this has become a common attack.
⚡ Danger In Trusting biased AI advice: Researchers are highlighting the danger of biases AI advice in health, finance, security, and news framing, because users tend to trust confident assistant recommendations.
🛡️Mitigation: For users: check AI links before clicking, be skeptical of "Summarize with AI" buttons, review and delete suspicious saved memories, and clear memory periodically. For security teams: hunt for URLs to AI assistant domains containing prompt keywords like "remember," "trusted," "authoritative," "future," "cite," or "citation."
Microsoft Defender Security Research Team
Microsoft ClickFix Campaign Abuses DNS Lookups for Payload Staging
Microsoft disclosed a DNS-based variant of the ClickFix social engineering technique. Attackers trick users into opening the Windows Run dialog and executing a command that uses nslookup to query a hard-coded external DNS server.
Key Takeaways
❗Attack: ClickFix is a user-driven execution attack where the user is socially engineered into running the Windows Run dialog and use nslookup, where the command performs a lookup against a hard-coded external DNS server to deliver the next stage of the execution.
⛓️ Multi-stage chain after DNS request: After the DNS-delivered stage, the chain pulls a ZIP from an external server ,extracts and runs a malicious Python script for recon/discovery, and drops a VBScript that launches the ModeloRAT.
🥷Persistence: The campaign establishes persistence by creating a shortcut (LNK) in the Windows startup folder that points to the VBScript so it runs when the system reboots itself.
🌐 Global Scale: ClickFix has spawned multiple related variants such as CrashFix,FileFix, JackFix, ConsentFix, and GlitchFix and are being used to deliver stealers and loader.
The Hacker News
Netherlands’ Largest Mobile Operator Reports Breach Affecting 6.2M
Dutch mobile network operator Odido disclosed a breach of its customer contact system that may have impacted about 6.2 million users.
Key Takeaways
❗Attack: There was a breach in Odido’s customer contact system and attackers accessed personal data such as names, addresses, phone numbers, dates of birth, bank account numbers, and ID document details.
🚧 Impact: 6.2M affected, including Odido customers and customers of Ben.
💡Data exposure raises fraud risk: Stolen fields include contact info + bank account numbers + ID document details, which are high value for impersonation and targeted scams.
🛡️Mitigation: Organizations should assume attackers will use leaked details to sound legitimate. The best defense is to verify contacts out of band—call back using a known-good number, not the one in the message. Train staff and users to recognize fake invoices, account verification requests, and urgent payment demands. Enforce MFA everywhere possible.
Connor Jones
Japanese Semiconductor Giant Advantest Hit by Ransomware
Advantest (a Tokyo-based semiconductor test and measurement equipment company) disclosed a ransomware incident affecting parts of its corporate network.
Key Takeaways
❗Attack: Advantest detected unusual activity on Feb 15, 2026 where the company isolated impacted systems, and brought in third-party incident response specialists. Advantest says an unauthorized party likely accessed portions of the network and deployed ransomware, but is still determining what systems and data were affected.
🚧Impact: They explicitly note that customer or employee data may have been impacted, and they will notify affected individuals directly if confirmed.
💡Threat Actor Unknown: No ransomware group had publicly claimed responsibility at the time of the reporting.
Bill Toulas
Urgent Patch: Chrome Zero-Day CVE-2026-2441 Under Active Attack
Google released Chrome security updates to fix CVE-2026-2441 that is actively exploited in the wild.
Key Takeaways
🔧 Flaw: CVE-2026-2441 is a use-after-free bug in CSS that allows remote code execution inside the browser sandbox via a crafted HTML page.
❗Active Exploitation: Google confirms this vulnerability is being actively exploited in the wild. However, public exploitation details are limited—no specific threat actor or campaign has been identified..
🛡️ Patch: To mitigate CVE-2026-2441, organizations must patch immediately to the following versions for Chrome:
- (Windows/macOS): 145.0.7632.75/76 or newer.
- Linux: 144.0.7559.75 or newer.
- If you use Edge, Brave, Opera, or Vivaldi, track and deploy vendor updates as soon as they become available.
- In regards to enterprise controls, enforce auto-update policies and set minimum Chrome versions (block older versions from running where possible).
The Hacker News
SpaceX Restricts Russian Starlink Use in Ukraine, Disrupting Drone Ops
SpaceX has restricted Starlink terminals in and around Ukraine so that only devices on a Ukrainian Defense Ministry-approved “whitelist” remain connected.
Key Takeaways
💡What Changed: Starlink access in and around Ukraine was tightened so only approved terminals stay online.
❗Why it Matters: Russian units had been using Starlink to communicate and guide drones more effectively.
🌐Impact: Some reports suggests Russia has worse coordination and less effective drone operations in certain areas, which helps Ukraine.
💡Caveat: This advantage may be temporary, because Russia is trying workarounds like radio, wired lines, and alternative satellites.
Operation DoppelBrand: Fortune 500 Brand Impersonation at Scale
Operation DoppelBrand is a large, long-running phishing campaign that impersonates major Fortune 500 brands to steal credentials. After capturing login information, attackers install legitimate remote-access tools—such as AnyDesk, LogMeIn, and ScreenConnect—to maintain control of compromised systems and potentially sell access to other threat actors.
Key Takeaways
❗Attack: Threat actors are using phishing emails as the initial attack technique as the emails use urgency and familiar branding, sometime with fake OneDrive-style flows to increase success.
🌐Brand impersonation at Scale: Threat actors are impersonating as major brands as hundreds of lookalike domains and very convincing fake login pages for banks and major tech brands.
💡Goal: The objective of this campaign is not just passwords as the operation frequently escalates from credential theft to persistent remote access using real RMM software.
⚠️Likely an access-broker model: Researchers at SOCRadar believes this to be an campaign done by GS7, a financially-motivated actor where they actively trade stolen credentials and corporate information.
🛡️ Mitigation: Organizations should deploy phishing-resistant MFA for email and SSO, disable legacy authentication, restrict remote management tools to approved users only, and strengthen email security with DMARC/SPF/DKIM, external sender warnings, and filters that block new or lookalike domains.
Alessandro Mascellino
Iran Protest Supporters Targeted via Fake Media LNK Files (CRESCENTHARVEST)
CRESCENTHARVERST is a likely Iran-aligned cyber-espionage campaign that targets supporters of Iran’s protests using malicious Windows shortcut files (LNK) disguised as protest images or videos. When opened, the files run PowerShell to download more payloads, then abuse a legitimate Google-signed Chrome tool to side-load malicious DLLs that install a RAT + info stealer.
Key Takeaways
❗Who is targeted: Farsi-speaking individuals tied to or sympathetic to Iran protests, aligned with a broader pattern of targeting activists and diaspora communities.
💡Main Lure: The malicious Windows shortcut files (LNK) is disguised as protest or Farsi reports pretending to be normal photos and videos. Clicking the fake media triggers PowerShell, pulls a ZIP, opens a decoy media file, and quietly loads malware in the background.
⚠️DLL Side loading: This cyber espionage campaign uses DLL side loading technique using a Google-signed binary (”software_reporter_tool.exe”) to appear more legitimate to evade detection.
💡What the RAT steals/does: The RAT is meant to steal system information, browser credentials, cookies, history, keystrokes, and Telegram desktop data.
The Hacker News
“Lock the Door” Initiative: UK Pushes Practical Cyber Steps for Small Businesses
The UK government and the National Cyber Security Centre launched a “Lock the Door” campaign to help small and medium sized businesses take simple, practical steps to prevent common cyber attacks.
Key Takeaways
⚠️Campaign: The campaign pushes adoption of Cyber Essentials, a baseline security scheme focused on a short checklist of protections that reduce easy, repeatable attacks like phishing driven account compromise.
❗Targets to Small businesses: The campaign stresses attackers look for easy weaknesses, not just big brands.
💡Cyber Essentials: The campaign tells small to medium size business to follow 5 essential cyber controls:
- Firewalls
- Source configuration
- Software updates
- User access control (UAC)
- Malware protection
💼 Business Benefit: The message is resilience and continuity (a single serious incident can be business-ending), plus certification can support things like customer confidence and eligibility for certain contract.
Department for Science, Innovation and Technology
Claude’s Autonomous Agents Raise the Stakes in Military AI
The article describes how Anthropic is pushing Claude toward more capable autonomous agents (systems that can plan, coordinate tasks, and operate software), just as the Pentagon is increasing its demand for AI inside sensitive workflows. That growth is creating a clash: the U.S. military reportedly wants AI available for broad “lawful” uses, while Anthropic is trying to hold firm on a “safety-first” stance that restricts certain military applications.[
Key Takeaways
⚠️Claude is getting more autonomous: Newer Claude models can coordinate “agent teams,” use web apps, and work with much larger context, making them more operationally useful
💡Pentagon pressure is escalating: The article says the Pentagon may consider labeling Anthropic a “supply chain risk” unless Anthropic relaxes restrictions, which could push defense contractors to avoid Claude for sensitive work.
❗Anthropic’s red lines: No mass surveillance of Americans and no fully autonomous weapons, but definitions get messy in practice
💡The “gray zone” is the real risk: AI that processes large intelligence datasets and surfaces “people of interest” can blur the line between analysis, surveillance, and targeting support.
🚨 Theme: This is a test of whether “safety-first” rules can survive once powerful autonomous agent systems are embedded in classified, high-stakes military environments
Deni Ellis Béchard
Microsoft Fixes Copilot Issue That Processed Confidential-Labeled Emails
Microsoft says a bug in Microsoft 365 Copilot Chat caused Copilot to summarize emails that were labeled confidential, even when organizations had DLP policies intended to prevent that.
Key Takeaways
🚨 Issue: Copilot summarized confidential-labeled emails that should have been excluded. This effectively bypasses expected DLP behavior, which can increase the risk of sensitive info being surfaced in AI summaries.
❗Where was the Data Pulled from: Data was pulled from Users’ Drafts and Sent items in Outlook via the Copilot Chat work tab.
💡Microsoft’s status: Microsoft says it identified and addresses the issue and deployed fixes broadly, with rollout continuing for some complex environments.
Sergiu Gatlan
ShinyHunters Claims CarGurus Intrusion via Voice Phishing of SSO Codes
CarGurus was reportedly breached by the ShinyHunters group, which claims it stole 1.7 million corporate files an dis threatening to publish them if negotiations did not occur by Feb 20.
Key Takeaways
🚨What Happened: CarGurus was reportedly breached, with 1.7M corporate files allegedly stolen.
❗ShinyHunters claims responsibility: ShintHunters claims access was gained via voice phishing to obtain SSO codes.
💡Main lesson: Identity/SSO workflows are a prime target. Organizations need to harden their identity and help desk and train front line staff to recognize vishing scripts aimed at SSO/MFA resets.
Jessica Lyons
Critical Dell RecoverPoint Hard-Coded Credential Flaw Exploited as Zero-Day
Dell RecoverPoint for Virtual Machines has a critical hard-coded credential flaw (CVE-2026-22769) that was reportedly exploited as a zero-day since mid-2024 by a suspected China-linked cluster (UNC6201).
Key Takeaways
🚨Exploit: CVE-2026-22769 is a hard-coded credential flaw where sensitive authentication data such as passwords, API keys, encryption keys, or tokens is written directly into the source code.
❗Impact: Exploitation could lead to unauthorized OS access and root-level persistence, including web shell deployment via Tomcat Manager and installing back doors such as BRICKSTORM or GRIMBOLT.
💡Being Exploited by Threat Actors: This 0-day has been exploited since mid-2024 by a suspected China-linked cluster (UNC6201).
💡CISA KEV listed: The vulnerability has been added to Known Exploited Vulnerabilities, signaling high priority remediation.
🛡️ Patch immediately: Organizations must upgrade to RecoverPoint for VMs 6.0.3.1 HF1 (or the vendor-recommended upgrade path).
The Hacker News
New Starkiller Kit Uses Real-Time Login Proxies to Steal Sessions and MFA Codes
Researchers described “Starkiller” as a subscription-based, “commercial-grade” phishing kit that can steal credentials and bypass MFA by proxying the real login page live through attacker infrastructure. Because it forwards the victim’s login and MFA steps to the legitimate site in real time, attackers can capture credentials and session tokens and take over accounts.
Key Takeaways
🚨 Reverse Proxy Phishing Kit: Starkiller is a live phishing kit that proxies the real login page through the attacker’s infrastructure, so it stays up to date and looks legitimate.
👊 Bypass MFA: This kit allows attackers to bypass MFA because4 the victim is authenticating to the real service through the attacker’s proxy, letting the threat actor capture MFA steps and reuse tokens or sessions.
🛡️ Defensive Focus: Watch for anomalous logins and session token reuse from unusual locations (signals of token theft rather than password guessing).
Danny Palmer
