Threat Brief - 2026-02-18

⚠️ This report is AI-generated. Always validate findings.

Threat Brief — Tuesday, February 18, 2026

Executive Summary

Google Mandiant reveals Dell RecoverPoint for VMs zero-day (CVE-2026-22769) has been exploited by China-nexus UNC6201 since mid-2024. CISA adds four actively exploited CVEs to KEV including an 18-year-old Windows flaw now dropping worms. Check Point demonstrates AI assistants (Copilot, Grok) can be weaponized as stealthy C2 proxies. Unit 42 documents expanded Ivanti EPMM exploitation with web shells and botnet deployment.


1. CVE-2026-22769 — Dell RecoverPoint Zero-Day Exploited Since Mid-2024

What’s New

Google Mandiant and GTIG reveal a CVSS 10.0 zero-day in Dell RecoverPoint for Virtual Machines has been exploited by China-nexus threat cluster UNC6201 since mid-2024. Dell released patches today.

Technical Details

Field | Value
CVE | CVE-2026-22769
CVSS | 10.0 (Critical)
Affected | RecoverPoint for VMs < 6.0.3.1 HF1
Type | Hard-coded credentials
Exploitation | Since mid-2024
Attribution | UNC6201 (China-nexus, overlaps UNC5221)

Root Cause: Hard-coded “admin” credentials for the Apache Tomcat Manager allow unauthenticated attackers to upload web shells via the /manager/text/deploy endpoint and execute commands as root.

Post-Exploitation:

  • SLAYSTYLE web shell deployment
  • BRICKSTORM backdoor (original)
  • GRIMBOLT backdoor (newer, C# native AOT compiled for evasion)

TTPs

Tactic | Technique | Observable
Initial Access | T1190 - Exploit Public-Facing Application | HTTP to /manager/text/deploy
Execution | T1059 - Command and Scripting Interpreter | Commands via web shell
Persistence | T1505.003 - Web Shell | SLAYSTYLE deployed to Tomcat
Defense Evasion | T1027.009 - Embedded Payloads | GRIMBOLT uses native AOT compilation

Detection Opportunities

// Tomcat Manager deploy requests
WebServerLogs
| where uri_path contains "/manager/text/deploy"
| where http_method == "PUT"

// RecoverPoint spawning shells
ProcessEvents
| where ParentProcessName contains "java" or ParentProcessName contains "tomcat"
| where ProcessName in ("sh", "bash", "cmd.exe", "powershell.exe")

Log Sources

  • Web server access logs (Tomcat)
  • EDR process telemetry
  • Network traffic to Dell RecoverPoint appliances

Detection Coverage

Source | Status
Sigma | ❌ No specific rules
Splunk ESCU | ❌ No specific rules
Elastic | ❌ No specific rules

Gap: Custom detection needed for RecoverPoint-specific exploitation.

2. CISA Adds 4 Actively Exploited Vulnerabilities to KEV

What’s New

CISA added four vulnerabilities to the Known Exploited Vulnerabilities catalog, including an 18-year-old Windows flaw now delivering worms.

Technical Details

CVE | Product | CVSS | Notes
CVE-2026-2441 | Chrome CSS | 8.8 | Previously covered Feb 16
CVE-2024-7694 | TeamT5 ThreatSonar | 7.2 | Arbitrary file upload → RCE
CVE-2020-7796 | Zimbra Collaboration | 9.8 | SSRF, ~400 IPs exploiting
CVE-2008-0015 | Windows Video ActiveX | 8.8 | 18-year-old vuln → Dogkild worm

CVE-2008-0015 Exploitation: Microsoft confirms this 18-year-old vulnerability is now being used to deliver the Dogkild worm, which:

  • Propagates via removable drives
  • Terminates security processes
  • Modifies Hosts file to block security vendor domains

TTPs

Tactic | Technique | Observable
Initial Access | T1189 - Drive-by Compromise | Malicious ActiveX page
Defense Evasion | T1562.001 - Disable Security Tools | Process termination
Defense Evasion | T1565.001 - Stored Data Manipulation | Hosts file modification
Lateral Movement | T1091 - Replication Through Removable Media | USB propagation

Detection Opportunities

// Hosts file modification blocking security domains
FileModificationEvents
| where FilePath endswith "\\drivers\\etc\\hosts"
| where FileContent has_any ("avast", "kaspersky", "mcafee", "symantec", "crowdstrike")

// Zimbra SSRF exploitation
WebServerLogs
| where uri_path contains "/zimbra"
| where uri_query contains "169.254" or uri_query contains "metadata"
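The hosts-file check above expressed as a standalone parser, added here as an example (not code from Microsoft or from the brief). It flags only entries that point a security vendor hostname at a loopback or unspecified address, so a legitimate internal mapping for a vendor-named server is not reported; the sample hosts file and the keyword list are constructed from the query above.

```python
import ipaddress

# Security vendor name fragments taken from the brief's detection query
VENDOR_KEYWORDS = ("avast", "kaspersky", "mcafee", "symantec", "crowdstrike")

def is_sinkhole(addr):
    """True for loopback or unspecified addresses, which silently black-hole a hostname."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def suspicious_hosts_entries(hosts_text):
    """Return (line_no, ip, hostname) for entries that sinkhole a security vendor domain."""
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # drop comments; blank lines are skipped below
        if not entry:
            continue
        ip, *names = entry.split()
        if not is_sinkhole(ip):
            continue                           # a routable address is a mapping, not a block
        for name in names:
            if any(k in name.lower() for k in VENDOR_KEYWORDS):
                hits.append((line_no, ip, name))
    return hits

# Constructed hosts file: two Dogkild-style sinkhole lines plus benign entries
SAMPLE_HOSTS = """\
# constructed sample, not taken from a real system
127.0.0.1       localhost
::1             localhost
0.0.0.0         update.avast.com
127.0.0.1       download.kaspersky.com liveupdate.symantec.com
10.0.0.3        mcafee-epo.corp.example    # internal ePO server, a legitimate mapping
"""

if __name__ == "__main__":
    for line_no, ip, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```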

Log Sources

  • Windows Security Event Log
  • File integrity monitoring
  • Web server/WAF logs (Zimbra)

Detection Coverage

Source | Status
Sigma | ✅ Hosts file modification rules exist
Splunk ESCU | ⚠️ Legacy rules may exist
Elastic | ✅ Host file tampering detection

3. AI Assistants Weaponized as C2 Proxies

What’s New

Check Point Research demonstrates Microsoft Copilot and xAI Grok can be abused as bidirectional C2 channels, blending malicious traffic with legitimate enterprise AI usage.

Technical Details

Field | Value
Affected | Microsoft Copilot, xAI Grok
Technique | AI as C2 proxy
Requirements | No API key, no account needed
Bypass | Traffic goes to trusted AI service domains

How It Works:

  1. Malware crafts prompts causing AI to fetch attacker URLs
  2. AI retrieves commands disguised as web content
  3. Malware parses AI response to extract commands
  4. Exfiltration via similar prompt-fetch-summarize chains

TTPs

Tactic | Technique | Observable
Command and Control | T1102 - Web Service | AI service as C2 relay
Command and Control | T1071.001 - Web Protocols | HTTPS to AI domains
Exfiltration | T1041 - Exfiltration Over C2 | Data embedded in AI prompts

Detection Opportunities

// AI service followed by command execution
ProcessEvents
| where ParentProcessName in ("chrome.exe", "msedge.exe", "firefox.exe")
| where ProcessName in ("cmd.exe", "powershell.exe")
| where PreviousNetworkConnection has_any ("copilot.microsoft.com", "grok.x.ai")

// High-frequency AI access patterns
NetworkEvents
| where dest_domain in ("copilot.microsoft.com", "grok.x.ai")
| summarize RequestCount=count() by src_ip, bin(TimeGenerated, 5m)
| where RequestCount > 20
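The frequency query above, implemented over proxy records as an added example (not Check Point's code or the brief's). It floors each timestamp to a 5-minute bin, counts requests per source to the two AI domains, and returns every source/bin pair over the threshold; the records are constructed, with one host polling at a machine-like 10-second cadence and one browsing interactively.

```python
from collections import Counter
from datetime import datetime, timedelta

AI_DOMAINS = {"copilot.microsoft.com", "grok.x.ai"}   # domains from the brief's query
THRESHOLD = 20                                        # requests per source per 5-minute bin

def bin_start(ts):
    """Floor a timestamp to its 5-minute bin, like KQL bin(TimeGenerated, 5m)."""
    return ts.replace(second=0, microsecond=0) - timedelta(minutes=ts.minute % 5)

def bursty_sources(records):
    """records: iterable of (timestamp, src_ip, dest_domain).
    Returns sorted (src_ip, bin_start_iso, count) for each source/bin pair whose
    request count to an AI domain exceeds THRESHOLD; other domains are ignored."""
    counts = Counter()
    for ts, src, domain in records:
        if domain in AI_DOMAINS:
            counts[(src, bin_start(ts))] += 1
    return sorted((src, start.isoformat(), n)
                  for (src, start), n in counts.items() if n > THRESHOLD)

def sample_records():
    """Constructed proxy records: one host polls Copilot every 10 s, one browses normally."""
    base = datetime(2026, 2, 18, 9, 0, 0)
    # 10.0.0.21: 30 requests inside the 09:00-09:05 bin, a beacon-like cadence
    recs = [(base + timedelta(seconds=10 * i), "10.0.0.21", "copilot.microsoft.com")
            for i in range(30)]
    # 10.0.0.22: six requests spread over 15 minutes, never more than two per bin
    recs += [(base + timedelta(minutes=3 * i), "10.0.0.22", "grok.x.ai") for i in range(6)]
    # unrelated traffic from the noisy host that must not count toward the threshold
    recs += [(base + timedelta(seconds=i), "10.0.0.21", "www.example.com") for i in range(40)]
    return recs

if __name__ == "__main__":
    for src, start, n in bursty_sources(sample_records()):
        print(f"{src} made {n} AI-service requests in the bin starting {start}")
```

A real deployment would learn THRESHOLD per host or role from a baseline rather than use a fixed number, which is the UEBA approach the brief calls for.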

Log Sources

  • Proxy/firewall logs
  • EDR process + network correlation
  • UEBA for anomalous AI usage patterns

Detection Coverage

Source | Status
Sigma | ❌ No rules exist
Splunk ESCU | ❌ No rules exist
Elastic | ❌ No rules exist

Gap: Behavioral/UEBA approach required. Static signatures won’t catch this.

4. Ivanti EPMM Exploitation Expands — New TTPs (Update)

What’s New

Unit 42 documents expanded exploitation of CVE-2026-1281/CVE-2026-1340 with web shells, Nezha botnet deployment, and new sector targeting.

See Threat Brief - 2026-02-14 for initial coverage.

Technical Details

Field | Value
CVEs | CVE-2026-1281, CVE-2026-1340
New TTPs | Web shells (401.jsp, 403.jsp), Nezha botnet
Exposure | ~4,400 EPMM instances
Targets | US, Germany, Australia, Canada

Sectors Targeted:

  • State and local government
  • Healthcare
  • Manufacturing
  • Professional and legal services

TTPs

Tactic | Technique | Observable
Persistence | T1505.003 - Web Shell | JSP files in /mi/tomcat/webapps/mifs/
Command and Control | T1219 - Remote Access Software | Nezha monitoring agent
Execution | T1059.004 - Unix Shell | Reverse shell payloads

Detection Opportunities

// JSP web shells in EPMM
FileCreationEvents
| where FilePath contains "/mi/tomcat/webapps/mifs/"
| where FileName endswith ".jsp"

// Ivanti EPMM exploitation patterns (Unit 42 XQL)
// Check logs for /mifs/c/(app|aft)store/fob with gPath parameter

Log Sources

  • EPMM/Tomcat access logs
  • File integrity monitoring
  • Cortex XDR/XSIAM (XQL queries available)

Detection Coverage

Source | Status
Sigma | ⚠️ Generic web shell rules
Splunk ESCU | ❌ No Ivanti-specific rules
Elastic | ⚠️ Generic JSP upload rules

Priority Actions

Priority | Threat | Action
🔴 Critical | Dell RecoverPoint CVE-2026-22769 | Patch to 6.0.3.1 HF1 immediately; hunt for SLAYSTYLE/GRIMBOLT
🔴 Critical | Ivanti EPMM | Check for JSP files in /mi/tomcat/webapps/mifs/; patch if not done
🟠 High | CVE-2008-0015 (Dogkild) | Monitor for Hosts file modifications blocking security domains
🟡 Medium | AI C2 Proxy | Establish behavioral baselines for AI service usage

Detection Gap Summary

Threat | Sigma | Splunk ESCU | Elastic | Action
Dell RecoverPoint | ❌ | ❌ | ❌ | Build custom Tomcat Manager detection
AI C2 Proxy | ❌ | ❌ | ❌ | UEBA/behavioral analysis required
CVE-2008-0015/Dogkild | ✅ | ⚠️ | ✅ | Verify legacy rules active
Ivanti EPMM web shells | ⚠️ | ❌ | ⚠️ | Add Ivanti-specific paths

Generated by Shade — ajking.io