Threat Brief - 2026-02-14

⚠️ This report is AI-generated. Always validate findings.

Executive Summary

BeyondTrust Remote Support/PRA exploitation is now widespread after PoC release—Arctic Wolf confirms SimpleHelp RMM deployment and domain admin creation post-compromise. Patch immediately or isolate. Microsoft’s Patch Tuesday addresses six actively exploited zero-days including SmartScreen and MOTW bypasses used in ransomware delivery. Ivanti EPMM remains under attack with 83% of exploit traffic from a single bulletproof hosting IP.


1. BeyondTrust Remote Support/PRA Pre-Auth RCE

🔴 Critical · Pre-Auth RCE · CVE-2026-1731 · CVSS 9.9 · PoC Available

Unauthenticated OS command injection via specially crafted HTTP requests. Cloud customers auto-patched Feb 2, but self-hosted deployments require manual patching. Arctic Wolf observed active intrusions within hours of PoC release on Feb 10.

Sources: Arctic Wolf · Help Net Security · Security Affairs

TTPs

Technique | Tactic | Observable
T1190 | Initial Access | HTTP requests to vulnerable BeyondTrust/Bomgar endpoints
T1219 | C2 | SimpleHelp RMM binaries: remote access.exe in C:\ProgramData\
T1136.002 | Persistence | net user <user> <pass> /add /domain
T1098 | Privilege Escalation | net group "enterprise admins" <user> /add /domain
T1018 | Discovery | ([adsiSearcher]"(ObjectClass=computer)").FindAll().count
T1570 | Lateral Movement | PSExec + Impacket SMBv2 session setup

IOCs

  • SimpleHelp binary metadata: “SimpleHelp Remote Access Client” file description
  • Binaries renamed to remote access.exe in C:\ProgramData\
  • Impacket SMBv2 session setup requests (early intrusion indicator)
  • Domain accounts created and added to “enterprise admins” + “domain admins”

Detection

Log Sources: Windows Security (4688, 4720, 4728), Sysmon (1, 11), Web proxy/WAF logs

Logic:

# Account creation + privileged group add
# (two separate net commands, so match either and correlate by host/account afterwards)
process_name IN ("net.exe", "net1.exe")
  AND (command_line MATCHES "user.*\/add.*\/domain"
       OR command_line MATCHES "group.*(enterprise admins|domain admins).*\/add")

# SimpleHelp in ProgramData
file_path LIKE "C:\\ProgramData\\%.exe"
  AND (file_description = "SimpleHelp Remote Access Client"
       OR original_filename LIKE "%SimpleHelp%")

# Discovery via ADSISearcher
powershell_script CONTAINS "adsiSearcher" AND powershell_script CONTAINS "ObjectClass=computer"
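Worked example (added here; not part of the brief or any vendor's detection content): the net.exe and ADSISearcher rules above applied in Python to constructed 4688/Sysmon-style process events, plus the correlation step that ties a `net user ... /add /domain` to a later privileged-group add for the same account on the same host. Field names (host, process_name, command_line) and the sample command lines are assumptions.

```python
import re

# Constructed process-creation events (Security 4688 / Sysmon 1 style); not real telemetry.
EVENTS = [
    {"host": "SRV01", "process_name": "net.exe",
     "command_line": "net user svc_backup P@ssw0rd! /add /domain"},
    {"host": "SRV01", "process_name": "net1.exe",
     "command_line": 'net1 group "enterprise admins" svc_backup /add /domain'},
    {"host": "WS07", "process_name": "net.exe", "command_line": "net user"},
    {"host": "WS07", "process_name": "powershell.exe",
     "command_line": '([adsiSearcher]"(ObjectClass=computer)").FindAll().count'},
]

NET_TOOLS = {"net.exe", "net1.exe"}
# net user <user> <pass> /add /domain  -> group(1) is the account name
ACCOUNT_ADD = re.compile(r"\buser\s+(\S+)\s+\S+\s+/add\b.*/domain\b", re.I)
# net group "<privileged group>" <user> /add -> group(2) is the account name
PRIV_GROUP_ADD = re.compile(
    r'\bgroup\s+"?(enterprise admins|domain admins)"?\s+(\S+)\s+/add\b', re.I)

def match_rules(event):
    """Names of the brief's rules that one event triggers. Account add and group add are
    separate commands, so they are evaluated independently, not ANDed on one command line."""
    hits, cl = [], event["command_line"]
    if event["process_name"].lower() in NET_TOOLS:
        if ACCOUNT_ADD.search(cl):
            hits.append("domain_account_created")
        if PRIV_GROUP_ADD.search(cl):
            hits.append("privileged_group_add")
    low = cl.lower()
    if event["process_name"].lower() == "powershell.exe" \
            and "adsisearcher" in low and "objectclass=computer" in low:
        hits.append("adsi_computer_discovery")
    return hits

def correlate_privileged_accounts(events):
    """(host, account) pairs created with net user and then added to a privileged group."""
    created, escalated = set(), set()
    for ev in events:
        if ev["process_name"].lower() not in NET_TOOLS:
            continue
        if m := ACCOUNT_ADD.search(ev["command_line"]):
            created.add((ev["host"], m.group(1).lower()))
        if m := PRIV_GROUP_ADD.search(ev["command_line"]):
            escalated.add((ev["host"], m.group(2).lower()))
    return sorted(created & escalated)
```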

Existing Coverage:

Action

🔴 Hunt immediately. Query for SimpleHelp binaries, domain account creation, and PSExec/Impacket activity on systems with BeyondTrust access.


2. Microsoft February 2026 Patch Tuesday — 6 Zero-Days

🔴 Critical · Multiple Zero-Days · Actively Exploited · No PoC Public

Six vulnerabilities exploited in the wild before patching, including SmartScreen bypasses used in ransomware/infostealer deployment chains.

Sources: Tenable · Computerworld

CVE-2026-21510 — Windows Shell SmartScreen Bypass (CVSS 8.8)

Single click on malicious LNK/shortcut bypasses SmartScreen and Shell warnings. Publicly disclosed. Used in ransomware delivery.

CVE-2026-21513 — MSHTML Security Feature Bypass (CVSS 8.8)

Malicious HTML or LNK file bypasses IE-based security checks. Publicly disclosed.

CVE-2026-21514 — Microsoft Word Macro Bypass (CVSS 7.8)

Crafted Office documents bypass macro protections. Preview pane NOT a vector.

CVE-2026-21519 — Desktop Window Manager EoP (CVSS 7.8)

Local authenticated attacker escalates to SYSTEM via DWM.

CVE-2026-21533 — Remote Desktop Services EoP

Local attacker gains SYSTEM through RDP stack.

CVE-2026-21525 — Remote Access Connection Manager DoS (CVSS 6.2)

Unauthenticated local attacker can crash VPN connections.

TTPs

Technique | Tactic | Observable
T1204.001 | Execution | User opens malicious LNK, HTML, or DOCX
T1553.005 | Defense Evasion | Mark-of-the-Web/SmartScreen bypass
T1548 | Privilege Escalation | dwm.exe parent spawning unexpected SYSTEM process

Detection

Log Sources: Windows Security, Sysmon (1, 11, 15), Microsoft Defender

Logic:

# MOTW bypass - Zone.Identifier deletion
event_type = "FileDelete"
  AND file_path ENDS WITH ":Zone.Identifier"
  AND process NOT IN ("explorer.exe", "chrome.exe", "firefox.exe")

# Suspicious LNK execution from temp/downloads
parent_process = "explorer.exe"
  AND process IN ("cmd.exe", "powershell.exe")
  AND command_line CONTAINS ".lnk"
  AND file_path MATCHES "\\(Downloads|Temp)\\"

# DWM privilege escalation
parent_process = "dwm.exe"
  AND integrity_level = "System"
  AND process NOT IN (known_dwm_children)

Existing Coverage:

Action

🔴 Deploy patches. Hunt for MOTW bypass indicators and suspicious LNK execution from Downloads/Temp.


3. Ivanti EPMM Pre-Auth RCE Chain

🔴 Critical · Pre-Auth RCE · CVE-2026-1281 (CVSS 9.8) + CVE-2026-1340 (CVSS 9.8) · PoC Available

Bash arithmetic expansion abuse in /mifs/c/appstore/fob/ and /mifs/c/aftstore/fob/ endpoints. 83% of exploitation traffic traced to single bulletproof hosting IP. ~1,600 exposed instances globally.

Sources: Indusface · The Hacker News

TTPs

Technique | Tactic | Observable
T1190 | Initial Access | GET/POST to /mifs/c/(aft|app)store/fob/ with crafted params
T1059.004 | Execution | Bash command injection via arithmetic expansion
T1105 | Ingress Tool Transfer | WAR/JAR file drops, webshell deployment

IOCs

  • Requests to /mifs/c/appstore/fob/ or /mifs/c/aftstore/fob/ returning 404
  • POST requests to error pages like 401.jsp
  • Unexpected WAR/JAR artifacts on EPMM appliance
  • Long-running outbound connections from EPMM

Detection

Log Sources: Apache access logs, network flow, file integrity monitoring

Logic (Apache log regex from Ivanti):

^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404
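Worked example (added here; not Ivanti's tooling or part of the brief): the regex above run in Python over constructed Apache access-log lines, with a per-source tally that surfaces the single-IP concentration the brief reports. The log layout (client written as ip:port, then a common-log-format line) and all addresses are assumptions.

```python
import re
from collections import Counter

# The pattern published by Ivanti, as quoted in the brief: non-localhost requests to the
# aftstore/appstore "fob" endpoints that the appliance answered with 404.
IVANTI_FOB_404 = re.compile(
    r"^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404")

# Constructed Apache access-log lines (client written as ip:port); not real EPMM logs.
SAMPLE_LOG = """\
203.0.113.5:51234 - - [13/Feb/2026:10:01:02 +0000] "GET /mifs/c/aftstore/fob/x HTTP/1.1" 404 512
127.0.0.1:40210 - - [13/Feb/2026:10:01:05 +0000] "GET /mifs/c/appstore/fob/y HTTP/1.1" 404 512
203.0.113.5:51240 - - [13/Feb/2026:10:01:09 +0000] "POST /mifs/c/appstore/fob/z HTTP/1.1" 404 512
198.51.100.7:4433 - - [13/Feb/2026:10:02:00 +0000] "GET /mifs/c/aftstore/fob/q HTTP/1.1" 404 512
203.0.113.5:51250 - - [13/Feb/2026:10:03:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048
"""

def find_exploit_attempts(log_text):
    """(source_ip, line) for every line the Ivanti pattern matches. Localhost lines are
    skipped by the negative lookahead; lines without a fob endpoint plus 404 never match."""
    hits = []
    for line in log_text.splitlines():
        if IVANTI_FOB_404.search(line):
            hits.append((line.split(":", 1)[0], line))
    return hits

def source_concentration(hits):
    """Fraction of matched requests per source IP, most active first, to spot the
    single-source pattern the brief describes."""
    counts = Counter(ip for ip, _ in hits)
    total = sum(counts.values())
    return {ip: n / total for ip, n in counts.most_common()} if total else {}
```

If the appliance writes a standard combined log format (client field without :port), the lookahead never triggers and localhost traffic is not excluded; adjust the prefix to your actual log format before relying on the exclusion.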

Existing Coverage:

Action

🔴 Isolate exposed EPMM instances. Apply RPM patches immediately. Hunt Apache logs for exploitation attempts.


4. CISA KEV Additions (Feb 13, 2026)

🟡 High · Known Exploited · Federal Deadline: March 5, 2026

Four vulnerabilities added to KEV catalog:

CVE | Product | Type | CVSS
CVE-2026-1731 | BeyondTrust RS/PRA | Pre-Auth RCE | 9.9
CVE-2026-1281 | Ivanti EPMM | Pre-Auth RCE | 9.8
CVE-2025-15556 | Notepad++ | Code Execution |
CVE-2026-20700 | Apple iOS/macOS | Buffer Overflow | 7.8

Sources: CISA · SecurityWeek

Action

🟡 Add to patch priority queue. Federal agencies must remediate by March 5.


5. Lazarus Supply Chain Attack — npm/PyPI

🟡 High · Supply Chain · Lazarus Group (DPRK) · Active Campaign

North Korean threat actors deploying RAT via malicious npm/PyPI packages distributed through fake crypto job interviews. One package (bigmathutils) hit 10,000+ downloads before detection.

Sources: The Hacker News · ReversingLabs

TTPs

Technique | Tactic | Observable
T1195.001 | Initial Access | Malicious npm/PyPI dependency in “job interview” repo
T1566.003 | Initial Access | LinkedIn/Facebook recruiter social engineering
T1059.006 | Execution | Python/Node.js script execution
T1219 | C2 | RAT with token-based C2 authentication
T1005 | Collection | MetaMask browser extension checks, file enumeration

IOCs

Malicious npm packages:

graphalgo, graphorithm, graphstruct, graphlibcore, netstruct, 
graphnetworkx, terminalcolor256, graphkitx, graphchain, graphflux, 
graphorbit, graphnet, graphhub, terminal-kleur, graphrix, bignumx, 
bignumberx, bignumex, bigmathex, bigmathlib, bigmathutils, 
graphlink, bigmathix, graphflowx

Malicious PyPI packages:

graphalgo, graphex, graphlibx, graphdict, graphflux, graphnode, 
graphsync, bigpyx, bignum, bigmathex, bigmathix, bigmathutils

Infrastructure:

  • Fake company: “Veltrix Capital” (LinkedIn, GitHub)
  • Token-based C2 communication (Jade Sleet/TraderTraitor TTP)

Detection

Log Sources: Package manager logs, process telemetry, network

Logic:

# Suspicious package install from interview repo
process_name IN ("npm", "pip", "pip3") 
  AND command_line MATCHES "(graphalgo|bigmath|graphflux|terminal-kleur)"

# MetaMask extension enumeration
process CREATES file_path MATCHES "\\AppData\\.*\\MetaMask"
  OR process READS "\\Extensions\\nkbihfbeogaeaoehlefnkodbefgpgknn"
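Worked example (added here; not from the brief, ReversingLabs or any package registry): a Python check that scans a requirements.txt and a package.json for the package names listed in the IOCs above, normalising PyPI names per PEP 503 so a differently cased spelling still matches. The sample manifests are constructed and the section names scanned in package.json are an assumption.

```python
import json
import re
# Package names taken from the brief's IOC lists (npm and PyPI).
MALICIOUS_NPM = {
    "graphalgo", "graphorithm", "graphstruct", "graphlibcore", "netstruct",
    "graphnetworkx", "terminalcolor256", "graphkitx", "graphchain", "graphflux",
    "graphorbit", "graphnet", "graphhub", "terminal-kleur", "graphrix", "bignumx",
    "bignumberx", "bignumex", "bigmathex", "bigmathlib", "bigmathutils",
    "graphlink", "bigmathix", "graphflowx",
}
MALICIOUS_PYPI = {
    "graphalgo", "graphex", "graphlibx", "graphdict", "graphflux", "graphnode",
    "graphsync", "bigpyx", "bignum", "bigmathex", "bigmathix", "bigmathutils",
}

# Constructed manifests, not from a real repo: what a "take-home interview" repo might ship.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
BigMathUtils>=1.0   # case differs, same PyPI project once normalised
-r base.txt
"""
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"express": "^4.19.2", "graphflux": "1.0.3"},
    "devDependencies": {"jest": "^29.0.0", "terminal-kleur": "0.2.1"},
})
REQ_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")

def normalize_pypi(name):
    """PEP 503 normalisation: lowercase, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def scan_requirements(text):
    """Requirement names in a requirements.txt that match the PyPI IOC list."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line or line.startswith("-"):  # skip blanks and pip options (-r, -e, ...)
            continue
        m = REQ_NAME.match(line)
        if m and normalize_pypi(m.group(1)) in MALICIOUS_PYPI:
            hits.append(m.group(1))
    return hits

def scan_package_json(text):
    """(section, name) for each npm dependency matching the npm IOC list."""
    data = json.loads(text)
    return [(section, name)
            for section in ("dependencies", "devDependencies", "optionalDependencies")
            for name in data.get(section, {}) if name.lower() in MALICIOUS_NPM]
```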

Existing Coverage:

Action

🟡 Alert developers. Block listed packages. Hunt for installations in developer environments.


6. Malicious Outlook Add-In — AgreeToSteal

🟡 High · Credential Theft · Supply Chain · 4,000+ Credentials Stolen

First known malicious Outlook add-in in the wild. Attackers claimed abandoned domain for legitimate “AgreeTo” add-in, served phishing kit that exfiltrated credentials via Telegram Bot API.

Sources: The Hacker News · Koi Security

TTPs

Technique | Tactic | Observable
T1199 | Initial Access | Trusted add-in domain hijacked
T1056.002 | Collection | Fake Microsoft login page in Outlook iframe
T1567.001 | Exfiltration | Telegram Bot API credential exfil

IOCs

  • Outlook add-in: “AgreeTo” (still listed in Microsoft Store)
  • Domain: outlook-one.vercel[.]app (hijacked)
  • Exfil method: Telegram Bot API

Detection

Log Sources: Outlook telemetry, network proxy, DNS

Logic:

# Outlook add-in loading external iframe
process = "outlook.exe"
  AND network_connection TO domain NOT IN ("microsoft.com", "office.com")
  AND referrer CONTAINS "marketplace.microsoft.com"

# Telegram exfil from Outlook context
process = "outlook.exe" 
  AND network_connection TO "api.telegram.org"

Existing Coverage:

Action

🟡 Audit Outlook add-ins. Block “AgreeTo” if present. Monitor for Telegram API calls from Office processes.


Priority Actions

  1. 🔴 BeyondTrust RS/PRA — Patch self-hosted immediately; hunt for SimpleHelp, domain admin creation
  2. 🔴 Microsoft Patch Tuesday — Deploy Feb 2026 patches; hunt MOTW bypass, suspicious LNK execution
  3. 🔴 Ivanti EPMM — Isolate exposed instances; apply RPM patches; hunt Apache logs
  4. 🟡 CISA KEV — Prioritize BeyondTrust, Ivanti, Notepad++, Apple patches
  5. 🟡 Developer environments — Block malicious npm/PyPI packages; alert on Lazarus indicators
  6. 🟡 Outlook — Audit add-ins for AgreeToSteal campaign

Generated: 2026-02-14 07:30 PST