Threat Brief - 2026-02-16
Executive Summary
Google patches the first actively exploited Chrome zero-day of 2026 (CVE-2026-2441), a CSS use-after-free flaw enabling sandboxed RCE. Infostealers are evolving to target AI agent configurations—Hudson Rock found real-world compromise of OpenClaw workspaces including private keys and memory files. A new dual-payload campaign abuses Google Groups to deliver Lumma Stealer on Windows and a trojanized “Ninja Browser” on Linux.
1. CVE-2026-2441 — Chrome CSS Use-After-Free Zero-Day
First actively exploited Chrome zero-day of 2026.
Overview
Google released an emergency update Friday (Feb 14) for Chrome 145.0.7632.75/76 to patch CVE-2026-2441, a high-severity (CVSS 8.8) use-after-free vulnerability in the CSS component, specifically in CSSFontFeatureValuesMap, which handles font rendering on web pages.
Key Details
| Field | Value |
|---|---|
| CVE | CVE-2026-2441 |
| CVSS | 8.8 (High) |
| Type | Use-After-Free in CSS |
| Impact | Arbitrary code execution inside browser sandbox |
| Discovery | Shaheen Fazim (Feb 11, 2026) |
| Patch | Chrome 145.0.7632.75/76 (Win/Mac), 144.0.7559.75 (Linux) |
TTPs & Observables
- Delivery: Crafted HTML page triggers the UAF during font feature processing
- Execution: Sandboxed RCE—attacker needs sandbox escape for full system access
- No public IOCs yet—Google withheld exploitation details
Detection Opportunities
| Log Source | Detection Logic |
|---|---|
| EDR/Browser telemetry | Chrome process crashes followed by suspicious child processes |
| Network | Unusual outbound connections post-crash from Chrome renderer |
| Endpoint | Monitor CSSFontFeatureValuesMap crash dumps in Chrome diagnostics |
Priority Actions
🔴 Patch immediately — Update to Chrome 145.0.7632.75+ on all endpoints. Affects all Chromium-based browsers (Edge, Brave, Opera, Vivaldi).
2. Infostealers Now Targeting AI Agent Configurations
Real-world compromise of OpenClaw workspace discovered.
Overview
Hudson Rock identified a live infostealer infection that successfully exfiltrated an entire OpenClaw AI agent configuration environment. This marks a significant evolution from traditional credential theft to comprehensive AI identity compromise.
What Was Stolen
| File | Contents | Impact |
|---|---|---|
| openclaw.json | Gateway token, email | Remote API access |
| device.json | Private key (PEM) | Device impersonation, bypass security checks |
| soul.md | Agent personality/behavior definitions | Understand agent capabilities |
| memory/*.md | Activity logs, context | User profiling, sensitive data |
TTPs & Observables
- Target Path: .openclaw/ directory in user home
- Exfiltration: Standard infostealer file-grabbing routine sweeping for known directory names
- Impact: Full control over victim’s AI agent—impersonation, encrypted log access, paired service access
Detection Opportunities
| Log Source | Detection Logic |
|---|---|
| EDR | File access to ~/.openclaw/device.json or ~/.openclaw/openclaw.json by non-OpenClaw processes |
| Sysmon (Event 11) | File creation in temp directories containing “openclaw” or “device.json” |
| Network | Exfiltration of .pem or .json files to unknown destinations |
Priority Actions
🔴 OpenClaw users: Rotate gateway tokens and device keys if infection suspected. Monitor for unauthorized API calls.
⚠️ Detection engineers: Add file access monitoring for AI agent config directories (.openclaw/, .claude/, similar).
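The file-access rule in the table above, as an added example that is not part of the original brief or any vendor tooling: a Python check over constructed EDR-style file events that flags non-allowlisted processes reading OpenClaw (or similar agent) config files. The log format, the allowlisted process names and the .claude/ pattern are assumptions.

```python
import re
from collections import namedtuple

# Paths the brief lists as stolen; the .claude/ entry shows how the same
# rule extends to similar agents (assumption, not from the report).
SENSITIVE_PATTERNS = [
    re.compile(r"/\.openclaw/(device|openclaw)\.json$"),
    re.compile(r"/\.openclaw/(soul\.md|memory/[^/]+\.md)$"),
    re.compile(r"/\.claude/"),
]
# Processes expected to read these files. Hypothetical names for this example.
ALLOWED_IMAGES = {"openclaw", "openclaw-gateway"}

FileEvent = namedtuple("FileEvent", "ts image pid op path")

def parse_event(line):
    """Constructed EDR-style record: ts|image|pid|op|path."""
    ts, image, pid, op, path = line.strip().split("|", 4)
    return FileEvent(ts, image, int(pid), op, path)

def is_sensitive(path):
    return any(p.search(path) for p in SENSITIVE_PATTERNS)

def suspicious_access(events):
    """Events where a non-allowlisted process reads or copies an agent config."""
    return [ev for ev in events
            if ev.op in ("read", "copy")
            and is_sensitive(ev.path)
            and ev.image.lower() not in ALLOWED_IMAGES]

# Constructed telemetry: the agent's own reads are benign; the unknown
# "updater.exe" sweeping the whole directory is the infostealer pattern.
SAMPLE_LOG = """\
2026-02-16T08:01:02Z|openclaw|4120|read|/home/alice/.openclaw/openclaw.json
2026-02-16T08:01:02Z|openclaw|4120|read|/home/alice/.openclaw/device.json
2026-02-16T08:07:45Z|updater.exe|5811|read|/home/alice/.openclaw/device.json
2026-02-16T08:07:45Z|updater.exe|5811|read|/home/alice/.openclaw/openclaw.json
2026-02-16T08:07:46Z|updater.exe|5811|copy|/home/alice/.openclaw/memory/2026-02-15.md
2026-02-16T08:07:47Z|updater.exe|5811|read|/home/alice/Documents/notes.txt
"""

def scan(log_text=SAMPLE_LOG):
    events = [parse_event(ln) for ln in log_text.splitlines() if ln.strip()]
    return suspicious_access(events)

if __name__ == "__main__":
    for ev in scan():
        print(f"{ev.ts} pid={ev.pid} {ev.image} {ev.op} {ev.path}")
```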
3. Lumma Stealer & Ninja Browser via Google Groups
4,000+ malicious Google Groups weaponized for dual-platform malware delivery.
Overview
CTM360 published a threat report revealing a global campaign abusing Google’s trusted infrastructure. Attackers infiltrate industry-related Google Groups, post legitimate-looking technical discussions, then embed download links for malware disguised as organizational software.
Infection Flow
Windows Target → Lumma Stealer:
- Download link in Google Group → URL shortener/Google Docs redirect
- Password-protected archive (~950MB padded, actual payload 33MB)
- AutoIt-compiled executable reassembles and decrypts payload
- Lumma Stealer harvests credentials, cookies, executes shell commands
Linux Target → Ninja Browser:
- Redirect based on OS detection
- Trojanized Chromium browser with “privacy” marketing
- Silent malicious extension install (NinjaBrowserMonetisation)
- Scheduled tasks poll C2 for updates, maintain persistence
IOCs
- IPs: 152.42.139[.]1889.111.170[.]100
- C2 Domain: healgeni[.]live
- Suspicious Domains: ninja-browser[.]com, nb-download[.]com, nbdownload[.]space
TTPs & Observables
| Technique | Observable |
|---|---|
| T1566 (Phishing) | Google Groups posts with embedded download links |
| T1027 (Obfuscation) | Null-byte padded archives to evade AV size limits |
| T1059.001 (PowerShell) | AutoIt-based payload reconstruction |
| T1176 (Browser Extensions) | NinjaBrowserMonetisation extension with XOR/Base56 obfuscation |
| T1053 (Scheduled Task) | Daily C2 polling tasks for silent updates |
Detection Opportunities
| Log Source | Detection Logic |
|---|---|
| Proxy/DNS | Connections to healgeni[.]live, ninja-browser domains |
| EDR | AutoIt (*.a3x) execution, oversized ZIP extraction |
| Browser | New extension installs without user interaction |
| Scheduled Tasks | Tasks polling external domains daily |
Priority Actions
🟠 Block IOCs at firewall/proxy. Monitor for scheduled task creation pointing to external domains.
4. DigitStealer macOS — C2 Infrastructure Mapped
Operator OPSEC failures reveal extensive infrastructure cluster.
Overview
Independent research from Cyber and Ramen mapped DigitStealer’s C2 infrastructure through consistent operator patterns. The macOS-targeting infostealer, first reported by Jamf in November 2025, targets 18 cryptocurrency wallets, browser data, and keychain credentials.
Infrastructure Patterns (Pivot Points)
| Attribute | Pattern |
|---|---|
| TLD | .com domains exclusively |
| Hosting | ab stract ltd ASN (Sweden) |
| Nameservers | Njalla (frequently associated with malware) |
| SSH Versions | OpenSSH_9.6p1 Ubuntu-3ubuntu13.14 |
| TLS Certificates | Let’s Encrypt |
| Domain Themes | Gaming/crypto naming (diamondpickaxeforge, ironswordzombiekiller) |
| Registrar | Tucows |
C2 Communication Endpoints
- /api/credentials — Send stolen credentials
- /api/grabber — Upload files to C2
- /api/poll — Persistent backdoor polling (every 10 seconds)
- /api/log — Data exfiltration
IOCs (Sample)
| IP | Domain |
|---|---|
| 80.78.30[.]90 | beetongame[.]com |
| 80.78.25[.]205 | binance.comtr-katilim[.]com, yourwrongwayz[.]com |
| 80.78.30[.]191 | tribusadao[.]com |
| — | diamondpickaxeforge[.]com |
| — | goldenticketsshop[.]com |
| — | fixyourallergywithus[.]com |
Detection Opportunities
| Log Source | Detection Logic |
|---|---|
| DNS | Queries to domains with gaming/crypto naming on Njalla NS |
| macOS Unified Logs | Keychain access by unsigned binaries |
| Network | HTTP POST to /api/credentials, /api/poll endpoints |
| EDR | LaunchAgent creation for persistence polling C2 every 10s |
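The /api/poll cadence and credential POSTs from the table above, as an added example that is not the researchers' code: a Python pass over constructed proxy log lines that flags source/host pairs receiving POSTs to the DigitStealer endpoints or showing a ~10-second /api/poll beacon. The log format, the placeholder host names and the jitter tolerance are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Endpoints named in the DigitStealer research; cadence is the reported 10s.
CREDENTIAL_PATHS = {"/api/credentials", "/api/grabber", "/api/log"}
POLL_PATH = "/api/poll"
EXPECTED_POLL_SECONDS = 10.0
JITTER = EXPECTED_POLL_SECONDS * 0.25   # assumption: +-25% still counts as a beacon

# Constructed log format: "<iso-ts> <src-ip> <METHOD> <url>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) https?://(?P<host>[^/\s]+)(?P<path>/\S*)")

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec

def analyse(lines):
    """Return {(src, host): [reasons]} for pairs showing DigitStealer-like traffic."""
    polls, findings = defaultdict(list), defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        key = (rec["src"], rec["host"])
        if rec["method"] == "POST" and rec["path"] in CREDENTIAL_PATHS:
            findings[key].append(f"POST to {rec['path']}")
        elif rec["path"] == POLL_PATH:
            polls[key].append(rec["ts"])
    for key, stamps in polls.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < 3:   # need a few intervals before calling it a beacon
            continue
        mu, sigma = mean(gaps), pstdev(gaps)
        if abs(mu - EXPECTED_POLL_SECONDS) <= JITTER and sigma <= JITTER:
            findings[key].append(f"/api/poll beacon every ~{mu:.1f}s ({len(stamps)} hits)")
    return dict(findings)

# Constructed proxy log; c2.example.invalid stands in for a real C2 host.
SAMPLE_LOG = """\
2026-02-16T09:00:00Z 10.0.0.7 POST http://c2.example.invalid/api/credentials
2026-02-16T09:00:10Z 10.0.0.7 GET http://c2.example.invalid/api/poll
2026-02-16T09:00:20Z 10.0.0.7 GET http://c2.example.invalid/api/poll
2026-02-16T09:00:31Z 10.0.0.7 GET http://c2.example.invalid/api/poll
2026-02-16T09:00:40Z 10.0.0.7 GET http://c2.example.invalid/api/poll
2026-02-16T09:00:00Z 10.0.0.9 GET https://cdn.example.invalid/api/poll
2026-02-16T09:05:00Z 10.0.0.9 GET https://cdn.example.invalid/api/poll
""".splitlines()
```

Running `analyse(SAMPLE_LOG)` reports the 10.0.0.7 pair for both the credential POST and the regular poll, while the two widely spaced polls from 10.0.0.9 are ignored.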
5. UNC6229/Noodlophile — Fake Job Ads Deliver Infostealers
Vietnam-linked group pivots to employment-themed phishing.
Overview
Google Cloud threat research identified UNC6229, a Vietnam-linked group, pivoting from fake AI video platforms to employment-themed phishing. Targets include digital marketing professionals, students, and remote job seekers who download “application forms” or “skills tests” containing RATs or infostealers.
Technical Updates (from Morphisec/Auteqia Labs)
| Feature | Detail |
|---|---|
| Anti-Analysis | Binaries padded with millions of repetitions of Vietnamese insults—crashes AI disassembly tools |
| Hashing | djb2 rotating algorithm for API resolution |
| Integrity Check | Halts if tampering/debugger detected |
| Command File | RC4-encrypted Chingchong.cmd |
| Obfuscation | Heavy XOR string encoding |
| C2 | Telegram bots as command-and-control |
TTPs & Observables
- T1566.001 (Spearphishing Attachment): Job application ZIPs
- T1059.005 (Visual Basic): Multi-stage loaders
- T1574.002 (DLL Side-Loading): Hijack trusted executables
- T1567 (Exfiltration Over Web Service): Telegram API for C2/exfil
Detection Opportunities
| Log Source | Detection Logic |
|---|---|
| Email Gateway | Attachments with job-themed naming + password-protected archives |
| EDR | DLL sideloading patterns, unsigned DLLs loaded by signed apps |
| Network | Telegram API calls (api.telegram.org) from non-Telegram processes |
| Process | Oversized binaries (padding detection) |
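The oversized binaries in the table above and the null-byte padded archives from the Google Groups campaign (section 3) share one detectable trait: most of the file is filler. Added example, not from either report: a Python heuristic that combines null-byte fraction with zlib compression ratio to separate padded files from normal high-entropy ones, run over constructed, scaled-down samples. The thresholds and sample sizes are assumptions.

```python
import zlib
import hashlib

# Thresholds are assumptions for this example, not values from either report.
MIN_SIZE = 16 * 1024         # only judge files above this size (bytes)
NULL_FRACTION_LIMIT = 0.50   # more than half null bytes -> null padding
COMPRESS_RATIO_LIMIT = 0.10  # compresses to <10% of size -> repetitive padding

def padding_verdict(data):
    """Return (verdict, null_fraction, compression_ratio) for a byte string."""
    size = len(data)
    if size < MIN_SIZE:
        return ("too_small", 0.0, 1.0)
    null_fraction = data.count(b"\x00") / size
    ratio = len(zlib.compress(data, 1)) / size   # level 1: fast, enough for filler
    if null_fraction > NULL_FRACTION_LIMIT:
        return ("null_padded", null_fraction, ratio)
    if ratio < COMPRESS_RATIO_LIMIT:
        return ("repetitive_padded", null_fraction, ratio)
    return ("normal", null_fraction, ratio)

def pseudo_random(n, seed=b"seed"):
    """Deterministic high-entropy bytes standing in for a packed/encrypted payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

# Constructed samples, scaled down from the 950MB/33MB archive and the
# "millions of repetitions" binaries so the example runs instantly.
PAYLOAD = pseudo_random(32 * 1024)
NULL_PADDED = PAYLOAD + b"\x00" * (900 * 1024)
REPEAT_PADDED = PAYLOAD + b"placeholder filler text " * 40000
NORMAL = pseudo_random(1024 * 1024)

if __name__ == "__main__":
    for name, blob in [("null", NULL_PADDED), ("repeat", REPEAT_PADDED), ("normal", NORMAL)]:
        print(name, padding_verdict(blob))
```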
6. Video Conference Phishing — RMM Tool Delivery
Fake Zoom/Teams/Meet invites deliver remote admin tools.
Overview
Netskope Threat Labs identified a campaign using spoofed video conference invitations to deploy Remote Monitoring and Management (RMM) tools. Victims see fake meeting portals with simulated participants “joining” in real-time, then are prompted to install a “mandatory update” that’s actually an RMM payload.
Why It Works
- RMM tools are often pre-approved in enterprise environments
- Signature-based controls may not flag legitimate admin software
- Attackers gain persistent administrative access while evading detection
TTPs & Observables
- T1566.002 (Spearphishing Link): Spoofed video conferencing URLs
- T1219 (Remote Access Software): RMM tools for persistence
- T1204.001 (User Execution): Fake update prompt
Detection Opportunities
| Log Source | Detection Logic |
|---|---|
| Email/Proxy | Meeting invite links to non-corporate domains |
| EDR | RMM tool installation outside IT change windows |
| DNS | Typosquat domains for Zoom/Teams/Meet |
Priority Actions
🟠 User awareness: Verify meeting links come from expected senders. Don’t install “updates” from meeting portals.
Notable: The Promptware Kill Chain
Bruce Schneier published a framework for understanding LLM-based attacks as multi-stage malware campaigns. The seven-step “promptware kill chain”:
- Initial Access — Prompt injection (direct or indirect via retrieved content)
- Privilege Escalation — Jailbreaking safety guardrails
- Reconnaissance — Manipulating LLM to reveal connected services/capabilities
- Persistence — Embedding in long-term memory or poisoning retrieval databases
- Command & Control — Dynamic instruction fetching
- Lateral Movement — Spreading to other users/systems via agent actions
- Actions on Objective — Data exfiltration, fraud, code execution
Why it matters: As AI agents gain more tool access, this framework helps defenders think about where to break the attack chain.
Read the full paper | Schneier on Security
Priority Actions Summary
| Priority | Threat | Action |
|---|---|---|
| 🔴 Critical | CVE-2026-2441 (Chrome) | Patch to 145.0.7632.75+ immediately |
| 🔴 Critical | AI Agent Config Theft | Rotate keys if infection suspected; add monitoring |
| 🟠 High | Google Groups Campaign | Block IOCs, monitor for AutoIt/scheduled tasks |
| 🟠 High | DigitStealer (macOS) | Hunt for C2 patterns, monitor keychain access |
| 🟡 Medium | UNC6229 Job Scams | Email gateway rules for job-themed password archives |
| 🟡 Medium | Video Conference Phishing | User awareness; monitor RMM tool installs |
Generated: 2026-02-16 07:30 PST