Cyber Threat Brief — February 19, 2026

⚠️ This report is AI-generated. Always validate findings.

Five significant threats emerged in the last 24 hours: a critical VoIP vulnerability with Metasploit exploit, a China-nexus zero-day campaign targeting Dell RecoverPoint, a new pre-installed Android backdoor rivaling Triada, an Iranian cyberespionage operation using protest lures, and an evolution in DPRK’s fake job campaign now surgically tampering with MetaMask wallets.


1. CVE-2026-2329 — Grandstream GXP1600 VoIP Pre-Auth RCE (CVSS 9.3)

What’s New

Rapid7 published a full technical analysis and a working Metasploit module for an unauthenticated stack buffer overflow in Grandstream VoIP phones. The exploit enables root-level RCE, credential extraction, and silent eavesdropping via SIP proxy hijacking.

Technical Details

Field | Value
CVE | CVE-2026-2329
CVSS | 9.3 (Critical, CVSSv4)
Affected | GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, GXP1630 — firmware < 1.0.7.81
Exploit | Public Metasploit module available
Attack Vector | Network, no authentication required
Root Cause | Stack buffer overflow in /cgi-bin/api.values.get endpoint (colon-delimited identifier parsing)

Why it matters: VoIP phones rarely get patched and often sit on internal networks without EDR. The eavesdropping capability via SIP proxy manipulation makes this particularly dangerous for enterprises and government targets.

Exploitation technique: Attackers chain multiple overflows by using colon-delimited identifiers to write null bytes at precise stack locations, bypassing NX via ROP chains. No PIE, no stack canaries.

TTPs

Tactic | Technique | Observable
Initial Access | T1190 - Exploit Public-Facing Application | HTTP POST to /cgi-bin/api.values.get with oversized request parameter
Execution | T1059 - Command and Scripting Interpreter | ROP chain executes system() for arbitrary OS commands
Credential Access | T1552.001 - Credentials In Files | Post-exploitation module dumps SIP credentials, local accounts
Collection | T1123 - Audio Capture | SIP proxy hijacking for call interception

Detection Opportunities

  • Network: HTTP POST to /cgi-bin/api.values.get with unusually large request body (>64 bytes per identifier)
  • Network: Outbound SIP traffic to unexpected proxy servers
  • Endpoint: Processes spawned by gs_web binary on VoIP appliances

# Sample detection for network traffic
index=network sourcetype=stream:http uri_path="/cgi-bin/api.values.get"
| where len(form_data) > 256
| stats count by src_ip, dest_ip
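As an added example (not from the brief or from Rapid7): a small Python scanner that applies the two thresholds above to constructed HTTP request log lines, flagging POSTs to /cgi-bin/api.values.get whose body exceeds 256 bytes or whose colon-delimited identifiers in the request parameter exceed 64 bytes. The log line layout and the parameter name `request` are assumptions.

```python
import re
from urllib.parse import parse_qs

# Thresholds from the brief: the SPL query flags bodies over 256 bytes, and the
# detection bullet flags any single colon-delimited identifier over 64 bytes.
ENDPOINT = "/cgi-bin/api.values.get"
MAX_BODY_LEN = 256
MAX_IDENT_LEN = 64

# Constructed sample log lines (assumed layout: "src_ip method path body"). Not real traffic.
SAMPLE_LOG = [
    "10.0.0.5 POST /cgi-bin/api.values.get request=phone_settings:account1:sip_server",
    "10.0.0.9 POST /cgi-bin/api.values.get request=" + "A" * 120 + ":x",
    "10.0.0.7 GET /cgi-bin/api.values.get request=foo",
    "10.0.0.8 POST /cgi-bin/api.values.get request=" + ":".join(["b" * 40] * 8),
]

LINE_RE = re.compile(r"^(?P<src>\S+) (?P<method>\S+) (?P<path>\S+)(?: (?P<body>.*))?$")


def analyze_request(line):
    """Return {"src", "reasons"} for a suspicious request to the endpoint, else None."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST" or m["path"] != ENDPOINT:
        return None
    body = m["body"] or ""
    reasons = []
    if len(body) > MAX_BODY_LEN:
        reasons.append("body_len=%d" % len(body))
    # The vulnerable parser splits the "request" parameter on ':'; measure each piece.
    params = parse_qs(body, keep_blank_values=True)
    for value in params.get("request", []):
        longest = max(len(ident) for ident in value.split(":"))
        if longest > MAX_IDENT_LEN:
            reasons.append("ident_len=%d" % longest)
    if not reasons:
        return None
    return {"src": m["src"], "reasons": reasons}


def scan(lines):
    """Run analyze_request over every line and keep only the findings."""
    return [f for f in (analyze_request(line) for line in lines) if f]
```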

Log Sources

  • Web proxy logs capturing HTTP traffic to VoIP devices
  • SIP CDR/signaling logs for proxy changes
  • Network flow data for internal-to-VoIP traffic patterns

Detection Coverage

Source | Status
Sigma | ❌ Gap — No VoIP-specific rules
Splunk ESCU | ❌ Gap — No coverage
Elastic | ❌ Gap — No coverage

Priority Action: Patch to firmware 1.0.7.81; segment VoIP infrastructure; monitor for HTTP exploitation patterns against phone management interfaces.

2. CVE-2026-22769 — Dell RecoverPoint Zero-Day Exploited by China-Nexus UNC6201 (CVSS 10.0)

What’s New

Google Mandiant disclosed a critical hardcoded credential vulnerability in Dell RecoverPoint for VMs that UNC6201 (China-nexus) has been exploiting since mid-2024. CISA added it to KEV on Feb 18 with a 3-day remediation deadline (Feb 21). The threat actor uses “Ghost NICs” for lateral movement and has deployed a new GRIMBOLT backdoor to replace BRICKSTORM.

Technical Details

Field | Value
CVE | CVE-2026-22769
CVSS | 10.0 (Critical)
Affected | Dell RecoverPoint for VMs < 6.0.3.1 HF1
Exploit | Actively exploited since mid-2024
Attack Vector | Network — hardcoded Tomcat admin credentials
Attribution | UNC6201 (China-nexus, overlaps with UNC5221/Warp Panda)

Root cause: Default “admin” credentials for Apache Tomcat Manager allow unauthenticated attackers to deploy web shells via /manager/text/deploy.

New malware introduced:

  • SLAYSTYLE: Web shell deployed via Tomcat Manager
  • GRIMBOLT: Native AOT-compiled C# backdoor replacing BRICKSTORM (harder to reverse engineer)

TTPs

Tactic | Technique | Observable
Initial Access | T1078.001 - Default Credentials | Tomcat Manager authentication with hardcoded creds
Persistence | T1505.003 - Web Shell | SLAYSTYLE web shell deployment
Execution | T1059.003 - Windows Command Shell | Commands via web shell as root
Defense Evasion | T1036.005 - Match Legitimate Name | GRIMBOLT blends with system native files
Lateral Movement | T1021.001 - Remote Desktop Protocol | “Ghost NICs” — temporary virtual network interfaces

Detection Opportunities

# Web shell deployment via Tomcat Manager
index=web sourcetype=tomcat_access uri_path="/manager/text/deploy*"
| stats count by src_ip, war_filename

# Ghost NIC detection on VMware infrastructure
index=vsphere sourcetype=vmware:events event_type="VirtualNicCreated"
| eval lifetime=_time - nic_creation_time
| where lifetime < 300
| stats count by vm_name, nic_name
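Added example, not part of the brief or of any Mandiant tooling: a Python routine that pairs virtual NIC add/remove events per VM and adapter and reports adapters that lived 300 seconds or less, the “Ghost NIC” pattern described above. The flattened event tuples, timestamps and action names are constructed; a real vCenter export needs its own parser in front of this logic.

```python
from datetime import datetime, timedelta

# Anything removed within this window of being added is treated as a "Ghost NIC".
GHOST_NIC_MAX_LIFETIME = timedelta(seconds=300)

# Constructed sample events in an assumed flattened form:
# (ISO timestamp, VM name, adapter label, action). Real vCenter events use their own
# types and fields; only the pairing logic below is meant to carry over.
SAMPLE_NIC_EVENTS = [
    ("2026-02-18T02:00:00", "rp-appliance-01", "Network adapter 3", "added"),
    ("2026-02-18T02:03:10", "rp-appliance-01", "Network adapter 3", "removed"),
    ("2026-02-18T09:15:00", "web-prod-02", "Network adapter 2", "added"),
    ("2026-02-18T13:40:00", "web-prod-02", "Network adapter 2", "removed"),
    ("2026-02-18T14:00:00", "db-01", "Network adapter 2", "added"),    # still attached
    ("2026-02-18T14:05:00", "db-01", "Network adapter 9", "removed"),  # add event not in window
]


def find_ghost_nics(events, max_lifetime=GHOST_NIC_MAX_LIFETIME):
    """Pair add/remove events per (vm, adapter) and return the short-lived adapters.

    Returns [(vm, adapter, lifetime_seconds), ...] for adapters removed within
    max_lifetime of being added. Adapters still attached, or whose add event was
    never seen, are not reported. Events may arrive unordered; they are sorted first.
    """
    pending = {}    # (vm, adapter) -> datetime of the add event
    findings = []
    for ts, vm, adapter, action in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        key = (vm, adapter)
        if action == "added":
            pending[key] = when
        elif action == "removed" and key in pending:
            lifetime = when - pending.pop(key)
            if lifetime <= max_lifetime:
                findings.append((vm, adapter, int(lifetime.total_seconds())))
    return findings
```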

Log Sources

  • Tomcat access/manager logs
  • VMware vCenter events (NIC creation/deletion)
  • Network flow for unusual lateral movement from backup appliances
  • EDR on endpoints receiving connections from RecoverPoint systems

Detection Coverage

Source | Status
Sigma | ⚠️ Partial — Generic web shell rules may detect
Splunk ESCU | ❌ Gap — No RecoverPoint-specific rules
Elastic | ❌ Gap — No coverage

Priority Action: Patch immediately; hunt for SLAYSTYLE/GRIMBOLT IOCs; review Tomcat Manager access logs dating back to mid-2024; check for temporary NIC creation patterns in VMware environments.

3. Keenadu — Android Backdoor Preinstalled in Firmware (Triada-Level Threat)

What’s New

Kaspersky discovered Keenadu, a sophisticated Android backdoor embedded in device firmware during the build process. Comparable to Triada/BADBOX in scope, it injects into Zygote to infect every app at launch. Over 13,000 devices infected. Found in firmware OTA updates and even Google Play apps (300K+ downloads).

Technical Details

Field | Value
Malware Family | Keenadu
Platform | Android
Distribution | Firmware supply chain (Alldocube tablets), OTA updates, Google Play trojanized apps
Persistence | Embedded in libandroid_runtime.so, injected into Zygote process
C2 Payload Delay | ~2.5 months dormant before payload retrieval
Scale | 13,000+ devices (Russia, Japan, Germany, Brazil, Netherlands)

Infection chain:

  1. Malicious static library linked into libandroid_runtime.so during firmware build
  2. Modified logging function decrypts RC4-encrypted payload
  3. Payload injects into Zygote → every app inherits the backdoor
  4. AKClient/AKServer architecture for modular payload delivery
  5. Modules downloaded from AWS, verified with MD5/DSA signatures

Plugins identified:

  • Loader module: Targets Amazon, SHEIN, Temu apps; installs hidden APKs
  • Clicker modules: Inject into YouTube, Facebook for ad fraud
  • Chrome module: Steals search queries, hijacks results
  • Nova clicker: Advanced ad interaction
  • Telegram module: Unknown functionality
  • Spyware dropper: Additional payload delivery

TTPs

Tactic | Technique | Observable
Initial Access | T1195.002 - Compromise Software Supply Chain | Firmware modified during manufacturing
Persistence | T1398 - Boot or Logon Initialization Scripts | libandroid_runtime.so modification
Defense Evasion | T1480.001 - Environmental Keying | Avoids Chinese locale, devices without Google services
Collection | T1417 - Input Capture | Keylogging, credential theft
Exfiltration | T1567 - Exfiltration Over Web Service | AWS-hosted C2 infrastructure

Detection Opportunities

  • Mobile: Unusual network traffic to AWS from system processes during first 2.5 months
  • Mobile: Apps requesting permissions inconsistent with their function
  • Network: Communication patterns matching ad fraud clicker behavior
  • Firmware: Hash mismatches in libandroid_runtime.so

Log Sources

  • Mobile Device Management (MDM) telemetry
  • Network traffic analysis for Android devices
  • Google Play Protect signals
  • App store behavior analytics

Detection Coverage

Source | Status
Sigma | ❌ Not applicable (Android)
Splunk ESCU | ❌ Gap — No Android-specific rules
Elastic | ❌ Not applicable (Android)
Google Play Protect | ⚠️ Some variants detected

Priority Action: Audit Android device supply chains; verify firmware integrity for Alldocube and similar budget tablet brands; monitor for unusual AWS-bound traffic from mobile devices.

4. CRESCENTHARVEST — Iranian Cyberespionage Campaign Targeting Protest Supporters

What’s New

Acronis TRU uncovered CRESCENTHARVEST, a cyberespionage campaign targeting Farsi-speaking supporters of the Iran protests. It uses politically themed lures that bundle legitimate protest footage with malicious LNK files, and deploys a dual-purpose RAT/stealer capable of bypassing Chrome app-bound encryption.

Technical Details

Field | Value
Campaign | CRESCENTHARVEST
Attribution | Suspected Iranian-aligned APT (low confidence)
Targets | Iran protest supporters, journalists, activists
Distribution | Archives with protest videos/images + malicious LNK files
Malware Type | RAT + Info-stealer hybrid
C2 | servicelog-information[.]com (VEESP-LV, Latvia)

Kill chain:

  1. Victim receives archive with protest-themed content
  2. LNK files masquerade as video/image files
  3. LNK spawns conhost.exe → cmd.exe → PowerShell
  4. PowerShell extracts ZIP from LNK, writes to %TEMP%
  5. DLL sideloading via signed Google Software Reporter Tool
  6. urtcbased140d_d.dll + version.dll loaded

Key capability — Chrome app-bound encryption bypass:

  • Interacts with Chrome’s COM-based elevation mechanisms
  • Recovers decrypted app_bound_encrypted_key from Local State
  • Exfiltrates via named pipe to second module

TTPs

Tactic | Technique | Observable
Initial Access | T1566.001 - Spearphishing Attachment | Protest-themed archives with LNK files
Execution | T1204.002 - Malicious File | LNK files disguised as media
Persistence | T1053.005 - Scheduled Task | Task triggered on NetworkProfile events
Defense Evasion | T1574.002 - DLL Side-Loading | Google Software Reporter Tool sideloading
Credential Access | T1555.003 - Credentials from Web Browsers | Chrome credential/cookie theft
Collection | T1056.001 - Keylogging | Global keyboard hook via KeyboardEvent export

Detection Opportunities

# Sigma: LNK execution chain
title: CRESCENTHARVEST LNK Execution Chain
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    ParentImage|endswith: '\conhost.exe'
    Image|endswith: '\cmd.exe'
  condition: selection

# Chrome app-bound encryption access
index=endpoint process_name="software_reporter_tool.exe"
| join sid [search index=endpoint file_path="*\\Local State" action=read]
| stats count by host, user

Log Sources

  • Windows Event Logs (Process Creation 4688, Scheduled Tasks 4698)
  • Sysmon (Process Creation, File Creation, DLL Loading)
  • EDR telemetry for COM object interactions
  • Network traffic to C2 domain

Detection Coverage

Source | Status
Sigma | ⚠️ Partial — Generic DLL sideloading rules
Splunk ESCU | ✅ Multiple rules for browser credential theft, LNK execution
Elastic | ⚠️ Partial — Scheduled task persistence rules

Priority Action: Hunt for software_reporter_tool.exe execution outside of Chrome context; monitor for LNK files with unusually large sizes; alert on scheduled tasks bound to NetworkProfile events.

IOCs:

  • Domain: servicelog-information[.]com
  • Hosting: VEESP-LV (Latvia), intermittent Cloudflare proxying

5. Contagious Interview — DPRK Campaign Now Surgically Tampering with MetaMask Wallets

What’s New

The DPRK-linked “Contagious Interview” campaign (fake job recruiters) has evolved to surgically tamper with MetaMask browser extensions, replacing legitimate installations with trojanized versions that steal wallet credentials in real-time. New research details the multi-stage chain from fake NPM packages to wallet takeover.

Technical Details

Field | Value
Campaign | Contagious Interview
Attribution | DPRK-linked (high confidence)
Target | Developers in cryptocurrency, Web3, AI
Malware | BeaverTail, InvisibleFerret
Goal | Credential theft + live crypto fund theft

Attack chain:

  1. Fake recruiter contacts target with “technical test” project
  2. Victim runs trojanized NPM package
  3. JS loader obtains C2, downloads next-stage payload
  4. Payloads written to VS Code directory, npm dependencies installed
  5. test.js → p.js (file exfil) + n.js (backdoor) + InvisibleFerret (Python RAT)
  6. “ssh_mmc” command deploys MetaMask tampering script (y.js)
  7. Trojanized MetaMask (background-2.js) hooks submitPassword()
  8. Master password + encrypted vault exfiltrated on every unlock

MetaMask tampering technique:

  • Enumerates Chromium browser profiles
  • Locates MetaMask extension storage
  • Downloads malicious extension archive from C2
  • Replaces legitimate MetaMask directory
  • Updates Chrome Secure Preferences with recalculated HMAC-SHA256 MACs
  • Browser accepts tampered extension without warning

TTPs

Tactic | Technique | Observable
Initial Access | T1566.003 - Spearphishing via Service | LinkedIn/Discord job recruitment
Execution | T1059.007 - JavaScript | Malicious NPM package execution
Persistence | T1176 - Browser Extensions | Trojanized MetaMask replacement
Credential Access | T1555.003 - Credentials from Web Browsers | MetaMask vault/password exfiltration
Collection | T1119 - Automated Collection | Keyword-based file discovery (seed, mnemonic, wallet, metamask)

Detection Opportunities

# MetaMask extension directory modification
index=endpoint (file_path="*\\Extensions\\*metamask*" OR file_path="*/.config/chromium/*/Extensions/*metamask*")
action IN (create, modify, delete)
| stats count by host, user, file_path

# Sigma: NPM package execution from a VS Code directory
title: Suspicious NPM Package Execution in VS Code Directory
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\node.exe'
    CurrentDirectory|contains: '.vscode'
  condition: selection
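Added example, not part of the brief: Python logic that applies the “outside of normal browser update processes” idea to constructed EDR file events, flagging writes to a MetaMask extension directory or to the profile's Secure Preferences file (whose MACs the tampering script rewrites) by any process other than an allowlisted browser binary. The allowlist, the sample paths and the name-based “metamask” match (mirroring the SPL query above; production rules should match the extension's store ID) are assumptions.

```python
import re

# Browser binaries that legitimately write to profile and extension directories (assumed allowlist).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "chrome", "chromium", "brave"}

# Watched paths: an Extensions subdirectory whose name contains "metamask" (the brief's SPL
# pattern; production rules should use the extension's store ID) and Secure Preferences,
# whose HMAC-SHA256 MACs the tampering script recalculates.
EXT_DIR_RE = re.compile(r"/Extensions/[^/]*metamask[^/]*(?:/|$)", re.IGNORECASE)
SECURE_PREFS_RE = re.compile(r"/Secure Preferences$", re.IGNORECASE)

# Constructed sample file events: (host, user, process image, action, file path).
SAMPLE_FILE_EVENTS = [
    ("dev-laptop-01", "alice", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "modify",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Extensions\metamask\12.0.1_0\background.js"),
    ("dev-laptop-01", "alice", r"C:\Program Files\nodejs\node.exe", "create",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Extensions\metamask\12.0.1_0\background-2.js"),
    ("dev-laptop-01", "alice", r"C:\Program Files\nodejs\node.exe", "modify",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences"),
    ("build-box-03", "bob", "/usr/bin/chromium", "modify",
     "/home/bob/.config/chromium/Default/Extensions/metamask/12.0.1_0/manifest.json"),
    ("build-box-03", "bob", "/usr/bin/python3", "modify",
     "/home/bob/.config/chromium/Default/Preferences"),  # plain Preferences, not watched
]


def _normalize(path):
    """Use forward slashes so Windows and POSIX paths share one set of patterns."""
    return path.replace("\\", "/")


def _image_name(image_path):
    return _normalize(image_path).rsplit("/", 1)[-1].lower()


def classify_event(event):
    """Return a reason string for a non-browser write to a watched path, else None."""
    _host, _user, image, action, path = event
    npath = _normalize(path)
    if EXT_DIR_RE.search(npath):
        target = "extension_dir"
    elif SECURE_PREFS_RE.search(npath):
        target = "secure_preferences"
    else:
        return None
    if _image_name(image) in BROWSER_IMAGES:
        return None  # the browser's own update/write activity is expected
    return "%s %s by %s" % (target, action, _image_name(image))


def find_tampering(events):
    """Return (host, user, reason) for every event that classify_event flags."""
    return [(e[0], e[1], r) for e in events if (r := classify_event(e))]
```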

Log Sources

  • EDR: Process creation for node.exe, file modifications in browser extension directories
  • Browser extension inventory monitoring
  • Network traffic to C2 IP addresses

Detection Coverage

Source | Status
Sigma | ✅ Telegram API access, browser credential theft rules exist
Splunk ESCU | ✅ Download Files Using Telegram, browser credential access
Elastic | ⚠️ Partial — Generic credential access rules

Priority Action: Monitor for Chrome extension directory modifications outside of normal browser update processes; alert on node.exe execution from .vscode directories; educate developers about fake job interview attacks.


6. Threat Intelligence Report Highlights

Nozomi Networks OT/IoT Security Report (Feb 2026)

Key findings relevant to detection engineers:

  • 70% of ransomware activity targets English-speaking countries (US 40%, Canada + UK 30%)
  • Scattered Spider accounted for 42.9% of all actor-related alerts in H2 2025
  • 68% of wireless networks lack Management Frame Protection despite modern encryption
  • 98% rely on PSK authentication — enterprise-grade 802.1X adoption at only 2%
  • Transportation was most targeted industry, followed by manufacturing and public sector
  • Discovery tactics most common in public sector attacks (reconnaissance phase)

Detection implication: Expect increased China, Iran, and Russia-linked activity in 2026. Monitor for wireless network reconnaissance and focus on OT/IoT visibility gaps.

Summary: Detection Coverage Gaps

Threat | Detection Gap | Priority
CVE-2026-2329 (Grandstream VoIP) | No VoIP exploitation rules | High — public exploit
CVE-2026-22769 (Dell RecoverPoint) | No Tomcat Manager/RecoverPoint rules | Critical — active exploitation
Keenadu | Android supply chain — limited visibility | Medium — requires MDM/mobile security
CRESCENTHARVEST | Partial coverage via existing rules | Medium — enhance LNK/sideloading rules
Contagious Interview | Partial coverage | High — add browser extension monitoring

Published: February 19, 2026 05:00 PST