Threat Brief - 2026-02-13

⚠️ This report is AI-generated. Always validate findings.


Executive Summary

BeyondTrust CVE-2026-1731 is being actively exploited after PoC dropped—if you have internet-facing Remote Support or PRA instances, assume breach. Notepad++ supply chain attack revealed with Cobalt Strike delivery chains. Microsoft patched a trivially exploitable Notepad markdown RCE. Warlock ransomware hitting SmarterMail servers. Apple’s first 2026 zero-day added to CISA KEV.


1. BeyondTrust Remote Support / PRA Pre-Auth RCE

🔴 Critical · OS Command Injection · CVE-2026-1731 · PoC Available

Unauthenticated attackers can execute arbitrary OS commands via the get_portal_info WebSocket endpoint. Same endpoint as CVE-2024-12356 (used in US Treasury breach). Mass scanning began Feb 11; exploitation confirmed by watchTowr, GreyNoise, Defused Cyber.

Sources: Help Net Security · Rapid7 AttackerKB · BeyondTrust Advisory

TTPs

Technique · Tactic · Observable
T1190 · Initial Access · WebSocket requests to /get_portal_info with shell metacharacters (;, |, $())
T1059 · Execution · BeyondTrust service account spawning cmd.exe, powershell.exe, or bash

IOCs

  • Probing on non-standard ports (not just 443)
  • WebSocket requests extracting x-ns-company value
  • Unusual child processes from BeyondTrust services

Detection

Log Sources: Web server access logs (BeyondTrust appliance), Network traffic (WebSocket connections), EDR for post-exploitation

Logic:

Look for:
- WebSocket connections to /get_portal_info from external IPs
- Parent: BeyondTrust services → Child: cmd.exe, powershell.exe, bash
- Outbound C2 connections following BeyondTrust service execution
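One way to turn the first two checks above into a hunt over access logs, as an added example that is not part of this brief and not BeyondTrust's own tooling: the script flags /get_portal_info WebSocket handshakes from non-internal addresses and percent-encoded shell metacharacters in the query string. The log format, the sample lines and the internal address ranges are constructed assumptions; adapt the regex to the appliance's real log layout.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines in an assumed, simplified format:
# client IP, quoted request line, status code, and the Upgrade header value.
# These are NOT real BeyondTrust appliance log lines.
SAMPLE_LOG = """\
10.20.30.5 "GET /get_portal_info?x-ns-company=acme HTTP/1.1" 101 upgrade=websocket
203.0.113.7 "GET /get_portal_info?x-ns-company=acme HTTP/1.1" 101 upgrade=websocket
198.51.100.9 "GET /get_portal_info?x-ns-company=a%3Bb%7Cc HTTP/1.1" 101 upgrade=websocket
203.0.113.7 "GET /login HTTP/1.1" 200 upgrade=-
198.51.100.22 "GET /get_portal_info?x-ns-company=%24(x) HTTP/1.1" 101 upgrade=websocket
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) upgrade=(?P<upgrade>\S+)$'
)

# Shell metacharacters called out in the TTP table (; | $( ) plus backtick and &.
META_RE = re.compile(r'[;|`&]|\$\(')

# Networks treated as internal. Tune to your own address plan; the brief's point
# is that /get_portal_info should not be reachable from outside at all.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def classify(line: str):
    """Return finding tags for one log line, or None if nothing is suspicious."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != "/get_portal_info":
        return None
    findings = []
    if m["upgrade"] == "websocket" and is_external(m["ip"]):
        findings.append("external_websocket")
    # Decode percent-encoding first so %3B (;) and %24 ($) are not missed.
    if META_RE.search(unquote(parts.query)):
        findings.append("shell_metachar")
    return findings or None


def scan(log_text: str):
    """Scan a log blob and return (client_ip, findings) for each suspicious line."""
    hits = []
    for line in log_text.splitlines():
        findings = classify(line)
        if findings:
            hits.append((line.split(" ", 1)[0], findings))
    return hits


if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_LOG):
        print(f"{ip}: {', '.join(tags)}")
```

Decoding before matching matters: the appliance sees the decoded value, so a rule that only inspects the raw URL misses `%3B` and `%24(`. The internal range list is the main tuning knob; a reverse proxy in front of the appliance will need its X-Forwarded-For value used instead of the socket address.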

Existing Coverage: None specific (gap). Generic T1190 rules may catch post-exploitation.

Action

🔴 Hunt immediately. If running on-prem BeyondTrust, assume compromise and investigate. SaaS was patched Feb 2.


2. Notepad++ Supply Chain Attack

🟡 High · Supply Chain Compromise · June–December 2025

Kaspersky analysis reveals attackers compromised Notepad++ update infrastructure, delivering Cobalt Strike Beacon via malicious NSIS installers → ProShow vulnerability exploit → Metasploit downloader → Cobalt Strike. Targeted government (Philippines), financial (El Salvador), IT (Vietnam).

Sources: Cybersecurity News · CISA KEV

TTPs

Technique · Tactic · Observable
T1195.002 · Initial Access · GUP.exe (Notepad++ updater) downloading from attacker-controlled domain
T1059.001 · Execution · PowerShell spawned by GUP.exe for system recon
T1071.001 · C2 · HTTPS beacons to cdncheck.it[.]com

IOCs

  • 45.76.155[.]202/update/update.exe — Malicious update URL
  • 45.77.31[.]210/users/admin — Cobalt Strike staging
  • cdncheck.it[.]com — C2 domain
  • SHA1: 8e6e505438c21f3d281e1cc257abdbf7223b7f5a (update.exe)
  • SHA1: defb05d5a91e4920c9e22de2d81c5dc9b95a9a7c (ProShow.exe)
  • Directory: %appdata%\ProShow\

Detection

Log Sources: Sysmon (Process Create, File Create, DNS), EDR process telemetry, Network logs

Logic:

Look for:
- GUP.exe spawning unexpected children (curl.exe, powershell.exe)
- File creation in %appdata%\ProShow\
- DNS queries to cdncheck.it.com
- Connections to 45.76.155.202, 45.77.31.210
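An added example (not from the brief, Kaspersky or the Notepad++ project) of matching the file, DNS, network and hash indicators listed above against Sysmon-style events. The indicators are taken as published (defanged) and refanged before matching; the events are constructed, with field names following Sysmon's conventions (TargetFilename, QueryName, DestinationIp, Hashes).

```python
# IOCs exactly as published in the brief, in defanged form.
DEFANGED_IOCS = {
    "domains": ["cdncheck.it[.]com"],
    "ips": ["45.76.155[.]202", "45.77.31[.]210"],
    "sha1": [
        "8e6e505438c21f3d281e1cc257abdbf7223b7f5a",  # update.exe
        "defb05d5a91e4920c9e22de2d81c5dc9b95a9a7c",  # ProShow.exe
    ],
    # %appdata%\ProShow\ with %appdata% expanded to its usual location
    "paths": ["\\AppData\\Roaming\\ProShow\\"],
}


def refang(value: str) -> str:
    """Turn a defanged indicator back into matchable form: 'a[.]b' -> 'a.b'."""
    return value.replace("[.]", ".").replace("hxxp", "http")


IOCS = {key: {refang(v).lower() for v in vals} for key, vals in DEFANGED_IOCS.items()}

# Constructed Sysmon-style events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "ParentImage": "C:\\Program Files\\Notepad++\\updater\\GUP.exe",
     "Hashes": "SHA1=8E6E505438C21F3D281E1CC257ABDBF7223B7F5A"},
    {"EventID": 11, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\ProShow\\ProShow.exe"},
    {"EventID": 22, "Image": "C:\\Users\\alice\\AppData\\Roaming\\ProShow\\ProShow.exe",
     "QueryName": "cdncheck.it.com"},
    {"EventID": 3, "Image": "C:\\Users\\alice\\AppData\\Roaming\\ProShow\\ProShow.exe",
     "DestinationIp": "45.77.31.210", "DestinationPort": 443},
    {"EventID": 22, "Image": "C:\\Program Files\\Notepad++\\updater\\GUP.exe",
     "QueryName": "notepad-plus-plus.org"},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},
]


def parse_hashes(field: str) -> dict:
    """Sysmon's Hashes field looks like 'SHA1=...,MD5=...,SHA256=...'."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            out[algo.strip().upper()] = digest.strip().lower()
    return out


def match_event(ev: dict):
    """Return a list of (ioc_type, value) hits for one event."""
    hits = []
    eid = ev.get("EventID")
    # Any event whose acting or target file lives in the staging directory.
    for field in ("Image", "TargetFilename"):
        val = ev.get(field, "").lower()
        if any(p in val for p in IOCS["paths"]):
            hits.append(("path", field))
    if eid == 22:  # DNS query
        q = ev.get("QueryName", "").lower()
        for d in IOCS["domains"]:
            if q == d or q.endswith("." + d):
                hits.append(("domain", q))
    if eid == 3 and ev.get("DestinationIp", "") in IOCS["ips"]:  # network connect
        hits.append(("ip", ev["DestinationIp"]))
    if eid == 1:  # process create carries the image hash
        sha1 = parse_hashes(ev.get("Hashes", "")).get("SHA1")
        if sha1 in IOCS["sha1"]:
            hits.append(("sha1", sha1))
    return hits


def scan_events(events):
    """Return (event_index, hits) for every event that matched at least one IOC."""
    return [(i, match_event(ev)) for i, ev in enumerate(events) if match_event(ev)]


if __name__ == "__main__":
    for idx, hits in scan_events(SAMPLE_EVENTS):
        print(idx, hits)
```

The hash comparison is normalised to lower case because Sysmon emits upper-case digests while published IOCs are usually lower-case; without that step the update.exe match silently fails. Domain matching includes subdomains of the C2 host, which is the usual choice for a defanged FQDN indicator.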

Existing Coverage:

Action

🟡 Deploy Sigma rules for GUP.exe abuse. Hunt for %appdata%\ProShow\ and connections to IOC domains since June 2025.


3. Windows Notepad Markdown RCE

🟡 High · Command Injection · CVE-2026-20841 · PoC Available

Notepad’s new Markdown rendering feature fails to constrain link handling. Ctrl-clicking a malicious link in a .md file executes unverified protocols, loading remote payloads. Trivially exploitable via social engineering.

Sources: CVE.news · The Register

TTPs

Technique · Tactic · Observable
T1204.002 · Execution · User opens .md file and Ctrl-clicks malicious link
T1059 · Execution · notepad.exe spawning cmd.exe, powershell.exe, mshta.exe

IOCs

  • .md files with embedded file://, ms-msdt:, or custom protocol links
  • notepad.exe spawning unexpected child processes

Detection

Log Sources: Sysmon Event ID 1, Windows Security 4688, EDR process telemetry

Logic:

Look for:
- Parent: notepad.exe → Child: cmd.exe, powershell.exe, mshta.exe, wscript.exe
- File access: .md files opened followed by script interpreter execution
- Unusual URI protocol handlers being invoked

Existing Coverage: None specific (gap). Generic T1204.002 rules may trigger.

Action

🟡 Build detection for notepad.exe spawning suspicious children. Microsoft’s fix shows a warning but doesn’t block—social engineering can bypass.


4. Warlock Ransomware via SmarterMail

🔴 Critical · Ransomware Campaign · CVE-2026-23760 / CVE-2026-24423

Warlock (Storm-2603) exploited unpatched SmarterMail servers via an authentication bypass or direct RCE. The operators chain abuse of the password reset API with the Volume Mount feature to deploy Velociraptor for persistence, then drop the ransomware. SmarterTools confirmed it was breached Jan 29; CISA added the CVEs to KEV.

Sources: Huntress Blog · The Register

TTPs

Technique · Tactic · Observable
T1190 · Initial Access · Exploit SmarterMail password reset API from external IP
T1078 · Persistence · Unauthorized admin account creation via API
T1219 · C2 · velociraptor.exe execution, especially from msiexec.exe
T1486 · Impact · Ransomware encryption

IOCs

  • Velociraptor MSI from Supabase (v4.msi)
  • New admin accounts via SmarterMail API
  • Volume Mount feature abuse post-compromise
  • Supabase domains serving payloads

Detection

Log Sources: SmarterMail application logs, Windows Event Logs (account creation, services), EDR, Network logs

Logic:

Look for:
- SmarterMail password reset API calls from external IPs
- velociraptor.exe execution (especially parent: msiexec.exe)
- New local/domain admin account creation
- Service installations by SYSTEM following SmarterMail activity
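The parent/child process checks in sections 1 to 4 (BeyondTrust services → shells, GUP.exe → curl.exe/powershell.exe, notepad.exe → script interpreters, msiexec.exe → velociraptor.exe) all reduce to the same lineage rule, so one added example covers them here. It is not code from the brief or from any vendor. The BeyondTrust parent is matched on the install path containing "BeyondTrust", which is an assumption, and the service executable name in the sample is a placeholder; the events are constructed Sysmon Event ID 1 records.

```python
import ntpath


def _base(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return ntpath.basename(path).lower()


def by_name(*names):
    wanted = {n.lower() for n in names}
    return lambda parent: _base(parent) in wanted


def path_contains(fragment: str):
    return lambda parent: fragment.lower() in parent.lower()


def any_parent(parent: str) -> bool:
    return True


# (rule name, parent predicate, suspicious child file names)
RULES = [
    ("beyondtrust_service_spawns_shell", path_contains("beyondtrust"),
     {"cmd.exe", "powershell.exe", "bash", "bash.exe"}),
    ("gup_updater_spawns_tool", by_name("gup.exe"),
     {"curl.exe", "powershell.exe"}),
    ("notepad_spawns_interpreter", by_name("notepad.exe"),
     {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe"}),
    ("msiexec_spawns_velociraptor", by_name("msiexec.exe"),
     {"velociraptor.exe"}),
    # Lower-confidence catch-all: any velociraptor.exe start is worth a look.
    ("velociraptor_execution", any_parent, {"velociraptor.exe"}),
]


def evaluate(event: dict):
    """Return the names of all lineage rules that fire for one process-create event."""
    child = _base(event.get("Image", ""))
    parent = event.get("ParentImage", "")
    return [name for name, parent_ok, children in RULES
            if child in children and parent_ok(parent)]


def scan_process_events(events):
    """Return (event_index, fired_rules) for events that triggered at least one rule."""
    return [(i, evaluate(ev)) for i, ev in enumerate(events) if evaluate(ev)]


# Constructed sample events; the BeyondTrust service executable is a placeholder name.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\notepad.exe", "User": "CORP\\alice"},
    {"Image": "C:\\ProgramData\\v4\\velociraptor.exe",
     "ParentImage": "C:\\Windows\\System32\\msiexec.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Program Files\\BeyondTrust\\Remote Support\\placeholder-service.exe",
     "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\alice"},
    {"Image": "C:\\Windows\\System32\\curl.exe",
     "ParentImage": "C:\\Program Files\\Notepad++\\updater\\GUP.exe", "User": "CORP\\alice"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\admin"},
]

if __name__ == "__main__":
    for idx, fired in scan_process_events(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["User"], fired)
```

Keeping the rules as data rather than one function per section makes it easy to add the BeyondTrust service account from the T1059 observable as an extra predicate on the User field once the exact account name in your deployment is known. The explorer.exe → powershell.exe event is included deliberately as the benign baseline that must not fire.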

Existing Coverage:

Action

🔴 Patch immediately if running SmarterMail < build 9511. Hunt for Velociraptor artifacts and unauthorized admin accounts.


5. Apple dyld Zero-Day

🟡 High · Buffer Overflow · CVE-2026-20700 · CISA KEV Added Feb 13

Apple patched a decade-old iOS vulnerability in the dynamic linker (dyld) discovered by Google TAG. “Extremely sophisticated attack” targeting specific individuals. Details sparse.

Sources: CyberScoop · Apple Security Update

TTPs

Technique · Tactic · Observable
T1203 · Execution · Exploitation for client execution via dyld
T1068 · Privilege Escalation · Memory corruption leading to elevated access

Detection

Log Sources: Mobile EDR (if available), MDM logs, Network logs

Logic:

Limited endpoint visibility on mobile.
- Monitor for iOS devices connecting to unknown C2 post-update
- Unusual dyld behavior (requires mobile EDR)

Existing Coverage: None (mobile gap)

Action

🟡 Ensure iOS fleet is updated. No endpoint detection possible without mobile EDR.


6. UNC3886 Targeting Singapore Telecom

🟡 High · APT Campaign · China-nexus (UNC3886 / Fire Ant)

Singapore CSA disclosed 11-month Operation CYBER GUARDIAN against UNC3886, which targeted all four major telcos. APT deployed zero-day against perimeter firewall, rootkits on VMware ESXi/vCenter, and maintained persistent access.

Sources: Singapore CSA Advisory · Mandiant UNC3886 Report

TTPs

Technique · Tactic · Observable
T1190 · Initial Access · Zero-day on perimeter firewall
T1014 · Defense Evasion · Rootkit on ESXi (malicious VIB with --force flag)
T1584 · Resource Development · Compromise VMware infrastructure, modify ESX Admins group

Detection

Log Sources: VMware ESXi/vCenter logs, Firewall logs, Network flow data, AD logs

Logic:

Look for:
- VIB installations with --force flag on ESXi
- Access to /etc/vmware/ or credential files
- vmtoolsd.exe spawning unexpected children
- ESX Admins group modifications in AD
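An added example, not from the brief, Mandiant or VMware, for the first and last checks above: it parses constructed ESXi shell command records for `esxcli software vib install/update` runs that carry `--force` (or its short form `-f`), and constructed Windows Security events for membership or attribute changes to the ESX Admins group. The shell record format and all paths are assumptions; the Windows event IDs used (4728, 4732, 4737) are standard group-change audit events.

```python
import shlex

# Constructed ESXi shell audit records as (host, command line). Real ESXi shell
# logging carries more fields; only the command text is used here.
SAMPLE_SHELL_RECORDS = [
    ("esx01", "esxcli software vib install -v /tmp/placeholder-package.vib --force"),
    ("esx02", "esxcli software vib install -d /vmfs/volumes/datastore1/placeholder-bundle.zip"),
    ("esx03", "/bin/esxcli software vib update -v /tmp/placeholder-package.vib -f"),
    ("esx01", "esxcli software vib list"),
    ("esx02", "esxcli network ip interface list"),
]

# Constructed Windows Security events for group changes (placeholder names).
# 4728 = member added to a security-enabled global group
# 4732 = member added to a security-enabled local group
# 4737 = a security-enabled global group was changed (rename/attributes)
SAMPLE_AD_EVENTS = [
    {"EventID": 4728, "TargetUserName": "ESX Admins",
     "MemberName": "CN=placeholder-user,OU=Users,DC=example,DC=local",
     "SubjectUserName": "jdoe"},
    {"EventID": 4732, "TargetUserName": "Remote Desktop Users",
     "MemberName": "CN=helpdesk1,OU=Users,DC=example,DC=local",
     "SubjectUserName": "helpdesk"},
    {"EventID": 4737, "TargetUserName": "ESX Admins", "SubjectUserName": "svc-placeholder"},
    {"EventID": 4720, "TargetUserName": "newuser", "SubjectUserName": "jdoe"},
]

FORCE_FLAGS = {"--force", "-f"}
GROUP_EVENT_IDS = {4728, 4732, 4737}


def is_forced_vib_install(cmdline: str) -> bool:
    """True for 'esxcli software vib install|update ... --force' (or -f)."""
    try:
        tokens = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: treat as not matched, log separately
        return False
    if len(tokens) < 4:
        return False
    if tokens[0].rsplit("/", 1)[-1] != "esxcli":
        return False
    if tokens[1:3] != ["software", "vib"] or tokens[3] not in ("install", "update"):
        return False
    return any(t in FORCE_FLAGS for t in tokens[4:])


def find_forced_vib_installs(records):
    """Return the (host, command) pairs that installed or updated a VIB with --force."""
    return [(host, cmd) for host, cmd in records if is_forced_vib_install(cmd)]


def find_esx_admins_changes(events):
    """Return group-change events whose target group is ESX Admins."""
    return [
        ev for ev in events
        if ev.get("EventID") in GROUP_EVENT_IDS
        and ev.get("TargetUserName", "").strip().lower() == "esx admins"
    ]


if __name__ == "__main__":
    for host, cmd in find_forced_vib_installs(SAMPLE_SHELL_RECORDS):
        print(f"[{host}] forced VIB install: {cmd}")
    for ev in find_esx_admins_changes(SAMPLE_AD_EVENTS):
        print(f"ESX Admins change: event {ev['EventID']} by {ev['SubjectUserName']}")
```

Tokenising with shlex rather than a substring search avoids matching `--force` inside a quoted path or an unrelated esxcli namespace. A legitimate forced VIB install does happen during some vendor patching, so the hit should be correlated with change tickets rather than alerted on blindly; ESX Admins membership changes, by contrast, should be rare enough to page on.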

Existing Coverage:

Action

🟡 Enable ESXi detection rules if running VMware. Hunt for VIB modifications and rootkit artifacts.


Priority Actions

  1. 🔴 BeyondTrust CVE-2026-1731 — Hunt for WebSocket exploitation. Assume breach if on-prem.
  2. 🔴 SmarterMail — Patch to build 9511. Hunt for Velociraptor and unauthorized accounts.
  3. 🟡 Notepad++ supply chain — Deploy Sigma rules. Hunt for GUP.exe anomalies since June 2025.
  4. 🟡 Notepad markdown RCE — Build notepad.exe → suspicious child detection.
  5. 🟡 VMware/ESXi — Enable Splunk ESCU detection content for UNC3886 TTPs.