Threat Brief - 2026-02-17
Threat Brief — Tuesday, February 17, 2026
Executive Summary
Reynolds ransomware introduces a concerning trend by bundling BYOVD drivers directly into the ransomware payload—eliminating the need for separate EDR-killing tooling. SmartLoader actors are poisoning MCP registries with trojanized AI tools to deliver StealC, marking a new supply chain attack vector against developers using AI assistants. A critical WordPress plugin vulnerability (CVE-2026-1357) exposes 900K+ sites to unauthenticated RCE, and CyberArk researchers turned the tables on StealC operators by exploiting an XSS bug in their own panel.
1. Reynolds Ransomware Embeds BYOVD Driver
TL;DR: New ransomware strain bundles vulnerable NsecSoft driver directly in the payload to kill EDR before encryption—no separate tool needed.
What’s New
Symantec and Carbon Black documented a ransomware campaign where the BYOVD component is embedded within the ransomware binary itself, rather than deployed as a separate tool. This “all-in-one” approach makes the attack chain quieter and harder to interrupt.
Technical Details
- Vulnerable Driver: NsecSoft NSecKrnl driver (CVE-2025-68947, CVSS 5.7)
- Capability: Arbitrary process termination via driver vulnerability
- Targeted EDR/AV: Avast, CrowdStrike Falcon, Cortex XDR, Sophos, HitmanPro.Alert, Symantec Endpoint Protection
- Persistence: GotoHTTP remote access deployed post-encryption
- Precursor Activity: Side-loaded loader observed weeks before ransomware deployment
TTPs
| Tactic | Technique | Observable |
|---|---|---|
| Defense Evasion | T1562.001 - Disable Security Tools | NSecKrnl.sys driver load |
| Persistence | T1219 - Remote Access Software | GotoHTTP installation |
| Execution | T1486 - Data Encrypted for Impact | Reynolds ransom note |
Detection Opportunities
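```kql
// Driver load detection
// known_vulnerable_hashes: populate with SHA-256 values from your vulnerable-driver blocklist
let known_vulnerable_hashes = dynamic([]);
DeviceEvents
| where ActionType == "DriverLoad"
| where FileName =~ "NSecKrnl.sys" or SHA256 in (known_vulnerable_hashes)
```
```kql
// Process termination of security tools
// ProcessEvents and its field names are generic; map them to your EDR's process table
ProcessEvents
| where ProcessCommandLine matches regex @"(?i)(Avast|CrowdStrike|Sophos|Cortex)"
| where InitiatingProcess =~ "unknown" or SignerInfo == ""
```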
Log Sources: Sysmon (Event ID 6 - Driver Load), EDR telemetry, Windows Security Event Log
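The Sysmon Event ID 6 triage described above, as an added Python example that is not part of the original brief: it checks each driver load by file name, by hash (so a renamed copy is still caught) and by load path. The sample events and the all-zero hash are constructed placeholders, since the brief publishes no hash.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
BLOCKED_NAMES = {"nseckrnl.sys"}      # driver file name given in this brief
PLACEHOLDER_HASH = "0" * 64           # constructed stand-in; the brief publishes no hash
BLOCKED_SHA256 = {PLACEHOLDER_HASH}   # replace with your vulnerable-driver hash list
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def _event(image, sha256):
    """Build one constructed Sysmon Event ID 6 record (sample data, not real telemetry)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>6</EventID></System><EventData>"
        f'<Data Name="ImageLoaded">{image}</Data>'
        f'<Data Name="Hashes">SHA256={sha256}</Data>'
        '<Data Name="Signed">true</Data></EventData></Event>'
    )


SAMPLE = "<Events>" + "".join([
    _event(r"C:\Windows\System32\drivers\disk.sys", "1" * 64),
    _event(r"C:\Users\Public\NSecKrnl.sys", "2" * 64),
    _event(r"C:\ProgramData\helper.sys", PLACEHOLDER_HASH),   # renamed copy
]) + "</Events>"


def triage(xml_text):
    """Return (image, reasons) for every driver load that needs review."""
    findings = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "6":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.iterfind("e:EventData/e:Data", NS)}
        image = data.get("ImageLoaded", "")
        hashes = dict(h.split("=", 1) for h in data.get("Hashes", "").split(",") if "=" in h)
        reasons = []
        # "Signed" is deliberately not checked: a BYOVD driver carries a valid signature.
        if image.lower().rsplit("\\", 1)[-1] in BLOCKED_NAMES:
            reasons.append("blocked-name")
        if hashes.get("SHA256", "").lower() in BLOCKED_SHA256:
            reasons.append("blocked-hash")
        if not image.lower().startswith(DRIVER_DIR):
            reasons.append("unusual-path")
        if reasons:
            findings.append((image, reasons))
    return findings
```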
Detection Coverage
- Sigma: BYOVD driver load patterns exist for known vulnerable drivers
- Gap: NSecKrnl.sys not yet in most vulnerable driver blocklists
- Recommendation: Add NSecKrnl.sys hash to driver blocklist, monitor for unusual driver loads
2. SmartLoader Poisons MCP Registries with Trojanized Oura Server
TL;DR: Threat actors created fake GitHub accounts and submitted a trojanized MCP server to legitimate registries to deliver StealC to developers using AI assistants.
What’s New
Straiker’s STAR Labs documented a supply chain attack targeting developers who use Model Context Protocol (MCP) servers with AI assistants. The attackers cloned a legitimate Oura Ring health data MCP server, trojanized it, and submitted it to MCP Market—a legitimate registry.
Technical Details
- Campaign Duration: ~4 months of credibility building before payload deployment
- Fake Accounts: YuzeHao2023, punkpeye, dvlan26, halamji, yzhao112, SiddhiBagul
- Target: Developers using AI assistants (Claude, etc.) with MCP integrations
- Payload: SmartLoader → StealC infostealer
- Exfil Targets: Browser passwords, credentials, cryptocurrency wallets, API keys
Attack Chain
- Create network of fake GitHub accounts
- Fork legitimate Oura MCP server multiple times
- Create trojanized version under new account
- Add fake accounts as “contributors” for credibility
- Submit to MCP Market registry
- Victims install → Lua script drops SmartLoader → StealC deployed
TTPs
| Tactic | Technique | Observable |
|---|---|---|
| Initial Access | T1195.001 - Supply Chain: Software Dependencies | Trojanized MCP server |
| Execution | T1059.006 - Scripting: Lua | Obfuscated Lua loader |
| Collection | T1555 - Credentials from Password Stores | Browser credential theft |
| Exfiltration | T1041 - Exfiltration Over C2 | StealC C2 communication |
IOCs
Malicious GitHub Accounts:
- SiddhiBagul (hosted trojanized server)
- YuzeHao2023, punkpeye, dvlan26, halamji, yzhao112 (fake contributors)
MCP Market Listing:
- https://mcpmarket.com/server/oura-9 (still listed at time of research)
Detection Opportunities
```kql
// Monitor MCP server installations
// FileCreationEvents and its field names are generic; map them to your EDR's file-event table
FileCreationEvents
| where FolderPath contains "mcp" and FileName endswith ".json"
| where InitiatingProcess matches regex @"(?i)(npm|npx|node)"
```
```kql
// Lua script execution (unusual for most environments)
ProcessEvents
| where FileName =~ "lua.exe" or ProcessCommandLine contains ".lua"
```
Log Sources: EDR, npm audit logs, GitHub audit logs
Priority Action
🔴 Audit installed MCP servers — Verify origin and cross-check against official repositories
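One way to run that audit, as an added example rather than tooling from the brief or from Straiker: it reads an MCP client config, extracts GitHub sources from each server's launch command, and checks them against the accounts listed above. The `mcpServers` layout, the approved-source list and the sample repositories are assumptions constructed for illustration.

```python
import json
import re

# GitHub accounts this brief lists as malicious (host plus fake contributors).
FLAGGED_OWNERS = {"siddhibagul", "yuzehao2023", "punkpeye", "dvlan26", "halamji", "yzhao112"}
# Hypothetical allowlist of sources your organisation has already reviewed.
APPROVED_SOURCES = {"github.com/example-org/oura-mcp"}

# Matches both "github.com/owner/repo" URLs and the "github:owner/repo" npm shorthand.
GITHUB_REF = re.compile(r"github(?:\.com)?[:/]([\w-]+)/([\w.-]+)", re.I)

# Constructed client config (sample data); repository names are invented.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "oura": {"command": "npx", "args": ["-y", "github:SiddhiBagul/constructed-repo"]},
    "oura-reviewed": {"command": "npx",
                      "args": ["-y", "git+https://github.com/example-org/oura-mcp.git"]},
    "weather": {"command": "npx", "args": ["-y", "github:example-dev/weather-mcp"]},
    "notes": {"command": "node", "args": ["/opt/tools/notes-server.js"]},
}})


def audit(config_text):
    """Map each configured MCP server name to a review status."""
    results = {}
    for name, spec in json.loads(config_text).get("mcpServers", {}).items():
        launch = " ".join([str(spec.get("command", ""))] + [str(a) for a in spec.get("args", [])])
        launch += " " + str(spec.get("url", ""))
        refs = [(owner.lower(), re.sub(r"\.git$", "", repo).lower())
                for owner, repo in GITHUB_REF.findall(launch)]
        if any(owner in FLAGGED_OWNERS for owner, _ in refs):
            results[name] = "flagged-owner"      # matches an account from the IOC list
        elif not refs:
            results[name] = "unknown-origin"     # local path or registry package: trace by hand
        elif all(f"github.com/{o}/{r}" in APPROVED_SOURCES for o, r in refs):
            results[name] = "approved"
        else:
            results[name] = "unreviewed"         # GitHub source nobody has vetted yet
    return results


if __name__ == "__main__":
    for server, status in audit(SAMPLE_CONFIG).items():
        print(f"{server:15} {status}")
```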
3. CVE-2026-1357 — WordPress WPvivid RCE (CVSS 9.8)
TL;DR: Critical unauthenticated RCE in a WordPress backup plugin with 900K+ installs. Public exploit available.
What’s New
A critical vulnerability in WPvivid Backup & Migration allows unauthenticated attackers to upload and execute arbitrary PHP files through the backup receiving mechanism. With 900K+ active installations, this is a high-value target for mass exploitation.
Technical Details
- CVSS: 9.8 (Critical)
- Affected Versions: < 0.9.124
- Auth Required: None
- Exploit Complexity: Low
- Public PoC: Yes
Root Cause
Two chained weaknesses:
- Decryption failure mishandling: `openssl_private_decrypt()` failure returns `false`, which phpseclib interprets as a null-byte key—predictable encryption
- Path traversal: File names from attacker input not sanitized, allowing `../` traversal to write PHP files anywhere
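The defensive counterpart of both weaknesses, as an added Python illustration of the pattern and not WPvivid's own PHP code or its actual patch: a failed key decryption aborts the upload, and the client-supplied file name must resolve inside the backup directory. The function names and the extension allowlist are assumptions.

```python
import os


class RejectUpload(Exception):
    """Raised when an incoming backup chunk must be discarded."""


# Assumed backup file types for this sketch; not taken from the plugin.
ALLOWED_EXT = {".zip", ".gz", ".tar", ".sql"}


def session_key(decrypt, blob):
    """Fail closed: a decrypt helper that returns False, None or b'' yields no key."""
    key = decrypt(blob)
    if not isinstance(key, (bytes, bytearray)) or len(key) == 0:
        raise RejectUpload("key decryption failed")
    return bytes(key)


def safe_target(backup_dir, client_name):
    """Return the write path for a client-supplied name, confined to backup_dir."""
    name = client_name.replace("\\", "/")
    if "\x00" in name or "/" in name or name in ("", ".", ".."):
        raise RejectUpload("file name must be a bare name")
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXT:
        raise RejectUpload("unexpected file type")
    base = os.path.realpath(backup_dir)
    target = os.path.realpath(os.path.join(base, name))
    # Second layer: catches a symlink inside backup_dir that points elsewhere.
    if os.path.commonpath([base, target]) != base:
        raise RejectUpload("path escapes backup directory")
    return target


def is_rejected(fn, *args):
    """True when fn(*args) refuses the input; used to exercise the checks."""
    try:
        fn(*args)
    except RejectUpload:
        return True
    return False


if __name__ == "__main__":
    print(is_rejected(session_key, lambda blob: False, b"ciphertext"))   # failed decrypt
    print(is_rejected(safe_target, "/tmp/backups", "../../index.php"))   # traversal
```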
Exploitation Flow
1. POST to wpvivid_action=send_to_site
2. Craft request to break RSA decryption
3. Null-byte key used (predictable)
4. Inject ../ in filename
5. PHP shell written to webroot
6. Direct access → RCE
TTPs
| Tactic | Technique | Observable |
|---|---|---|
| Initial Access | T1190 - Exploit Public-Facing Application | HTTP POST to wpvivid endpoint |
| Execution | T1059.004 - Command: Unix Shell | PHP webshell execution |
| Persistence | T1505.003 - Web Shell | Uploaded .php files |
Detection Opportunities
Web server logs:
```spl
index=web sourcetype=access_combined
| search uri_path="*wpvivid*" AND method=POST
| stats count by src_ip, uri_path
```
File writes in unexpected locations:
```kql
// FileCreationEvents is a generic table name; map it to your EDR's file-event table
FileCreationEvents
| where FileName endswith ".php"
| where FolderPath contains "wp-content"
| where FolderPath !contains "plugins/wpvivid"
```
Log Sources: Web server access logs, WAF logs, file integrity monitoring
Priority Action
🔴 Update WPvivid to 0.9.124+ — Unauthenticated RCE with public exploit code
4. Android RAT Uses Hugging Face for Payload Hosting
TL;DR: Polymorphic Android RAT uses AI platform Hugging Face to host payloads, evading domain-based detection with 6,000+ variants generated over 29 days.
What’s New
Bitdefender discovered an Android RAT campaign using Hugging Face—a trusted AI model hosting platform—to distribute malicious APKs. The attackers generate new payload variants every ~15 minutes using polymorphic techniques to evade hash-based detection.
Technical Details
- Dropper App: TrustBastion (scareware popup → fake system update)
- Payload Host: Hugging Face repository (now taken down, campaign moved to new repo)
- Variant Generation: Every 15 minutes, new APK with same functionality
- Commits: 6,000+ over 29 days
- Targets: Chinese payment apps (Alipay, WeChat)
Attack Chain
- Scareware popup claims device infected
- User downloads TrustBastion “security” app
- App prompts for “update” (fake Google Play dialog)
- Dropper contacts trustbastion[.]com
- HTML redirect to Hugging Face repo
- Malicious APK downloaded and installed
- RAT requests Accessibility Services
- Screen recording, credential harvesting enabled
TTPs
| Tactic | Technique | Observable |
|---|---|---|
| Defense Evasion | T1027.001 - Obfuscated Files: Binary Padding | Polymorphic APK variants |
| Collection | T1417 - Input Capture | Accessibility service abuse |
| Exfiltration | T1041 - Exfiltration Over C2 | Screen recording to C2 |
IOCs
Domains:
- trustbastion[.]com
Permissions (suspicious combination):
- BIND_ACCESSIBILITY_SERVICE
- SYSTEM_ALERT_WINDOW
- FOREGROUND_SERVICE_MEDIA_PROJECTION
Detection Opportunities
Mobile threat detection platforms should flag:
- Apps requesting Accessibility + Screen Recording + Overlay permissions
- APK downloads from huggingface.co (unusual for most users)
- Behavioral patterns: impersonating system updates, financial app overlays
5. CyberArk Exploits XSS in StealC Panel to Profile Operators
TL;DR: Researchers found and exploited an XSS vulnerability in StealC’s admin panel to gather intelligence on threat actors—including one Ukrainian operator who stole 390K passwords.
What’s New
CyberArk’s Ari Novick discovered a cross-site scripting vulnerability in StealC’s web panel and exploited it to profile the operators using the malware-as-a-service. The irony: a cookie-stealing malware that failed to protect its own session cookies.
Research Findings
- Vulnerability: XSS in StealC admin panel (no httpOnly on session cookies)
- Target Operator: “YouTubeTA”
- YouTubeTA Stats: 390K passwords stolen, 30M+ cookies harvested
- Victim Profile: Users searching for cracked Adobe software on YouTube
- Operator Profile:
- Apple M3 device
- English + Russian language settings
- Eastern European timezone
- Ukrainian ISP: TRK Cable TV
Why This Matters for Defenders
- MaaS operators are vulnerable too — Same supply chain risks as legitimate software
- Behavioral patterns — Operators can be fingerprinted through their tools
- Attribution pathway — Offensive research can expose operator OPSEC failures
Detection Insight
YouTubeTA’s campaign targeted users searching for pirated software on YouTube. This reinforces:
- Block access to known cracked software distribution sites
- Monitor for Adobe-related download attempts from untrusted sources
- User awareness: pirated software = malware vector
6. Arctic Wolf 2026 Threat Report — Key Statistics
TL;DR: Data extortion grew 11x, ransomware still dominates, and 65% of intrusions came through remote access tools—not exploits.
Key Findings
| Metric | 2025 Value | Trend |
|---|---|---|
| Data extortion incidents | 22% of cases | ⬆️ 11x YoY |
| Ransomware/BEC/Data incidents | 92% of IR cases | Dominant |
| Remote access tool abuse | 65% of non-BEC intrusions | ⬆️ Sharp rise |
| Pre-ransomware detection | 5% of cases | ⬆️ Earlier detection |
| Ransom payment rate | 23% paid | 77% did not pay |
| Negotiation reduction | 67% average | When organizations paid |
| Phishing → BEC | 85% of BEC incidents | AI-enhanced |
Strategic Takeaways
- “Logging in, not breaking in” — Attackers prefer credential abuse over exploits
- Data theft without encryption — Extortion doesn’t require ransomware anymore
- Early detection works — Pre-ransomware detection completely changes outcomes
- All top CVEs were 2024 or earlier — Patching discipline still matters
Priority Actions for Detection Engineers
- 🔴 Remote access monitoring — RDP, VPN, RMM tools are the primary entry point
- 🟡 Identity security — Credential abuse is the dominant intrusion vector
- 🟡 Data exfil detection — Encryption is optional for attackers now
Priority Actions
- 🔴 WordPress WPvivid — Update to 0.9.124+ immediately (CVE-2026-1357, unauthenticated RCE, public exploit)
- 🔴 MCP Server Audit — Inventory all installed MCP servers, verify against official repositories
- 🟡 BYOVD Detection — Add NSecKrnl.sys to driver blocklist, alert on unusual driver loads
- 🟡 Remote Access Controls — 65% of intrusions come through RDP/VPN/RMM—tighten monitoring
Detection Gaps Identified
| Threat | Gap | Recommendation |
|---|---|---|
| Reynolds BYOVD | NSecKrnl.sys not in most blocklists | Add hash to driver blocklist |
| SmartLoader/MCP | No standard MCP installation monitoring | Build inventory process |
| WPvivid RCE | Web shells in plugin directories | File integrity monitoring |
Generated by Shade • ajking.io