Cyber Threat Brief — February 26, 2026

⚠️ This report is AI-generated. Always validate findings.

Prepared for: Detection Engineers
Window: Feb 25–26, 2026
Threats Covered: 4


1. CVE-2026-20127 — Cisco SD-WAN CVSS 10.0 Zero-Day (UAT-8616 / CISA ED 26-03)

What’s New

Cisco disclosed a maximum-severity (CVSS 10.0) authentication bypass zero-day in Catalyst SD-WAN Controller (vSmart) and Manager (vManage) on February 25, 2026. A nation-state threat actor tracked as UAT-8616 has been actively exploiting it since at least 2023, and CISA issued Emergency Directive 26-03 requiring FCEB agencies to patch by February 27.

Technical Details

Field    | Value
CVE      | CVE-2026-20127 (+CVE-2022-20775 chained)
CVSS     | 10.0 (Critical)
Affected | Cisco Catalyst SD-WAN Controller (vSmart) & Manager (vManage) — all deployment types (on-prem, hosted, FedRAMP)
Exploit  | Actively exploited since 2023; no public PoC
Patches  | v20.9.8.2 (ETA Feb 27), v20.12.6.1, v20.15.4.2, v20.18.2.1
CISA     | KEV + Emergency Directive 26-03 (Feb 25)

Attack Chain: UAT-8616 exploits the broken peering authentication mechanism to authenticate as a high-privileged internal user, then uses NETCONF to manipulate SD-WAN fabric configuration. Subsequently, the actor chains CVE-2022-20775 (path traversal via crafted username like /../../) to perform a software version downgrade → root escalation → version restore, achieving full root access while erasing the downgrade evidence.

IOC Hunting Targets (from Talos):

  • Unauthorized control connection peering events in vSmart/vManage logs
  • SSH keys in /home/root/.ssh/authorized_keys with PermitRootLogin yes
  • Unauthorized SSH keys for vmanage-admin: /home/vmanage-admin/.ssh/authorized_keys
  • Log truncation: wtmp, lastlog, cli-history, bash_history at 0/1/2 bytes
  • Unexpected version downgrades followed by reverts in logs: Software upgrade not confirmed. Reverting to previous software version
  • CVE-2022-20775 exploitation: username strings containing /../../ or /\n&../\n&../

Sample SD-WAN Log Entry (Suspicious Peering):

Feb 20 22:03:33 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change new-state:up peer-type:vmanage peer-system-ip:1.1.1.10 public-ip:192.168.3.20 public-port:12345 domain-id:1 site-id:1005

TTPs

Tactic               | Technique                                     | Observable
Initial Access       | T1190 — Exploit Public-Facing Application     | Crafted request to SD-WAN peering endpoint
Privilege Escalation | T1068 — Exploitation for Privilege Escalation | CVE-2022-20775 path traversal for root
Persistence          | T1098.004 — SSH Authorized Keys               | Unauthorized keys in /home/root/.ssh/authorized_keys
Defense Evasion      | T1070 — Indicator Removal                     | Log truncation (wtmp, bash_history zeroed)
Defense Evasion      | T1070.004 — File Deletion                     | cli-history deleted post-compromise
Command & Control    | T1571 — Non-Standard Port                     | NETCONF manipulation of SD-WAN fabric

Detection Opportunities

# SD-WAN log hunting: unexpected peering events (audit /var/log/auth.log)
# Look for: "Accepted publickey for vmanage-admin" from unknown IPs
# (replace <authorized_ip_list> with an alternation of your expected source IPs)
grep "Accepted publickey for vmanage-admin" /var/log/auth.log | \
  grep -Ev "<authorized_ip_list>"

# Version downgrade indicator
grep -i "reverting to previous software version" /var/log/syslog

# Path traversal attempt in username field (CVE-2022-20775)
# Matches "/../" and the "/\n&../" variant (a literal backslash-n in the username)
grep -E "/\.\./|\\\\n&\.\." /var/log/auth.log

# SSH persistence check: authorized_keys files changed in the last 30 days
find /home/root/.ssh /home/vmanage-admin/.ssh -name "authorized_keys" \
  -mtime -30 -ls 2>/dev/null

# Log size anomaly detection (Talos observed these truncated to 0/1/2 bytes)
stat -c "%s %n" /var/log/wtmp /var/log/lastlog | \
  awk '$1 < 3 {print "ALERT: tiny log:", $2}'

Threat Hunting Guide (ACSC-led Cisco SD-WAN Hunt Guide): https://www.cyber.gov.au/sites/default/files/2026-02/ACSC-led%20Cisco%20SD-WAN%20Hunt%20Guide.pdf

Log Sources

  • Cisco vSmart VDAEMON logs (/var/log/)
  • Cisco vManage WebUI audit logs (/var/log/auth.log)
  • SSH authentication logs
  • SD-WAN control connection state change events
  • Syslog (software upgrade events)

Detection Coverage

Source      | Status
Sigma       | ❌ Gap — no SD-WAN peering/authentication bypass rule
Splunk ESCU | ⚠️ Partial — Detect Software Download To Network Device (generic)
Elastic     | ❌ Gap — no vSmart/vManage-specific rules
KQL         | ❌ Gap

Gap Recommendation: Write Sigma rule targeting VDAEMON log events with peer-type:vmanage from non-whitelisted IPs, log size anomalies, and SSH authorized_keys modifications on SD-WAN systems.
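The peering-event and version-revert hunts above, and the peer-type:vmanage allowlist logic this gap recommendation asks for, as a small Python hunt script. This is an added example, not Cisco or Talos code. The log lines are constructed to match the VDAEMON format quoted earlier in this section, and the allowlist (KNOWN_VMANAGE_PUBLIC_IPS) is a hypothetical value a defender would replace with the public IPs of their own vManage instances.

```python
"""Hunt over Cisco SD-WAN vSmart VDAEMON log lines for unauthorized vManage
peering and software-revert events.

Added example, not Cisco or Talos code. The log lines below are constructed to
match the format quoted in the brief; the allowlist is a hypothetical value that
a defender would replace with the public IPs of their own vManage instances."""
import re
from typing import Iterable, List, Optional, Set

# Field layout of the control-connection-state-change message quoted in the brief.
PEERING_RE = re.compile(
    r"control-connection-state-change\s+new-state:(?P<state>\S+)\s+"
    r"peer-type:(?P<peer_type>\S+)\s+peer-system-ip:(?P<system_ip>\S+)\s+"
    r"public-ip:(?P<public_ip>\S+)\s+public-port:(?P<port>\d+)"
)
# Talos-reported syslog text that follows an unexpected downgrade.
REVERT_MARKER = "reverting to previous software version"

# Hypothetical allowlist: public IPs from which vManage legitimately peers.
KNOWN_VMANAGE_PUBLIC_IPS: Set[str] = {"192.168.3.10"}


def check_line(line: str, allowlist: Set[str] = KNOWN_VMANAGE_PUBLIC_IPS) -> Optional[str]:
    """Return an alert string for a suspicious line, or None for a benign one."""
    if REVERT_MARKER in line.lower():
        return "VERSION_REVERT: " + line.strip()
    m = PEERING_RE.search(line)
    if (m and m["state"] == "up" and m["peer_type"] == "vmanage"
            and m["public_ip"] not in allowlist):
        return (f"UNAUTHORIZED_PEERING: peer-system-ip={m['system_ip']} "
                f"public-ip={m['public_ip']} port={m['port']}")
    return None


def hunt(lines: Iterable[str]) -> List[str]:
    """Run check_line over a log stream and collect the alerts in order."""
    alerts = []
    for line in lines:
        alert = check_line(line)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log: line 1 is the brief's sample entry, line 2 is a peering
# from the allowlisted vManage, line 3 is a vEdge peering, line 4 is a revert.
SAMPLE_LOG = """\
Feb 20 22:03:33 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change new-state:up peer-type:vmanage peer-system-ip:1.1.1.10 public-ip:192.168.3.20 public-port:12345 domain-id:1 site-id:1005
Feb 20 22:04:01 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change new-state:up peer-type:vmanage peer-system-ip:1.1.1.1 public-ip:192.168.3.10 public-port:12346 domain-id:1 site-id:1
Feb 20 22:05:10 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change new-state:up peer-type:vedge peer-system-ip:10.0.0.5 public-ip:203.0.113.9 public-port:12347 domain-id:1 site-id:200
Feb 21 01:12:44 vSmart-01 VDAEMON_0[2571]: Software upgrade not confirmed. Reverting to previous software version
"""

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG.splitlines()):
        print(alert)
```

Only new-state:up events from peer-type:vmanage are compared against the allowlist; vEdge peerings churn constantly and are better handled by the site-id inventory than by a static IP list. Feed the script the VDAEMON logs from /var/log/ on each vSmart, or the same lines forwarded to the SIEM.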

Sources


2. UNC2814 / GRIDTIDE — China-Nexus APT Backdoors 53 Orgs via Google Sheets C2

What’s New

Google GTIG and Mandiant disclosed and simultaneously disrupted a suspected China-linked espionage campaign (UNC2814) targeting telecom and government organizations across 42 countries, deploying a novel backdoor called GRIDTIDE that uses the Google Sheets API as its C2 channel to blend with legitimate SaaS traffic. Active since at least 2023.

Technical Details

Field            | Value
CVE              | None (initial access vector unknown; history of edge device exploitation)
Attribution      | UNC2814 (suspected PRC-nexus; tracked since 2017; NOT Salt Typhoon)
Scale            | 53 confirmed victims, 42 countries, 4 continents; suspected infections in 20+ more
Targets          | Telecom operators, government agencies (Africa, Asia, Americas)
Malware          | GRIDTIDE (C-based Linux backdoor)
Persistence      | Systemd service: /etc/systemd/system/xapt.service
Binary path      | /usr/sbin/xapt, /var/tmp/xapt (masquerades as apt)
C2               | Google Sheets API (hardcoded service account private key)
Lateral movement | SSH using service accounts; SoftEther VPN Bridge (external IP)

GRIDTIDE C2 Operation:

  • Authenticates to a Google Service Account with hardcoded private key
  • Wipes the spreadsheet (deletes rows 1-1000, columns A-Z) on start
  • Writes host recon (username, hostname, OS, local IP, locale, timezone) to cell V1
  • Polls cell A1 for commands; overwrites A1 with status when executing
  • Supported commands:
    • C — execute base64-encoded bash commands; write output to sheet
    • U — upload files from operator to victim (data in A2:A)
    • D — download files from victim (~45KB fragments in A2:An)
  • URL-safe base64 encoding evades web monitoring tools

GRIDTIDE Process Tree (Initial Detection):

/var/tmp/xapt
  └── /bin/sh
        └── sh -c id 2>&1
              └── [Output] uid=0(root) gid=0(root) groups=0(root)

Disruption Actions (Feb 25): Google terminated all UNC2814 GCP projects, revoked Sheets API access, sinkholed domains, and notified all victims.

TTPs

Tactic           | Technique                                 | Observable
Execution        | T1059.004 — Unix Shell                    | /bin/sh -c id 2>&1 post-xapt spawn
Persistence      | T1543.002 — Systemd Service               | /etc/systemd/system/xapt.service
Defense Evasion  | T1036.005 — Match Legitimate Name         | xapt masquerades as apt binary
Defense Evasion  | T1071.001 — Web Protocols                 | Google Sheets API for C2 traffic blend
C2               | T1567.002 — Exfiltration to Cloud Storage | Sheets API as bidirectional C2
Discovery        | T1033 — System Owner/User Discovery       | id, hostname, OS recon on first contact
Lateral Movement | T1021.004 — SSH                           | Service account lateral movement
Exfiltration     | T1048 — Exfiltration Over Alt Protocol    | ~45KB file fragments via Sheets cells

Detection Opportunities

# Hunt for GRIDTIDE binary
find / -name "xapt" -type f 2>/dev/null
find /var/tmp/ /usr/sbin/ /tmp/ -mtime -30 -type f -executable 2>/dev/null | head -20

# Systemd service anomaly (non-standard binary path)
# list-units prints status columns first, so match the unit name anywhere on the line;
# the ExecStart path only lives in the unit file itself.
systemctl list-units --type=service --all | grep -E "xapt"
grep -lE "^ExecStart=.*(/var/tmp|/tmp)/" /etc/systemd/system/*.service 2>/dev/null
find /etc/systemd/system/ -newer /etc/passwd -name "*.service" -exec cat {} \;

# Google Sheets API C2 detection (network)
# Identify processes making outbound connections to sheets.googleapis.com
# that are NOT browser/productivity processes.
# "host <name>" is resolved once when tcpdump starts and the API has many IPs,
# so also capture DNS queries for the name.
tcpdump -i any host sheets.googleapis.com -w capture.pcap
tcpdump -i any -nn udp port 53 | grep -i "sheets.googleapis.com"
# Or in EDR:
# process_name NOT IN (chrome, firefox, office apps) AND
# network_destination = "sheets.googleapis.com"

# SoftEther VPN Bridge detection
ps aux | grep -E "vpnbridge|softether" | grep -v grep
ss -tlnp | grep -E ":443|:992|:1194|:5555"

# Base64 bash command execution pattern
# (auth.log does not record command lines; this needs command auditing such as
# auditd execve records, pam_tty_audit, or preserved shell history)
grep -E 'sh -c.*base64|echo.*\| *base64 -d.*\| *bash' \
  /var/log/audit/audit.log /root/.bash_history 2>/dev/null

IoC Domains: Released by GTIG in the threat report (link below)

Log Sources

  • EDR process telemetry (Linux — xapt execution, sh -c child processes)
  • Systemd service creation events
  • Network logs: outbound to sheets.googleapis.com from server processes
  • SSH authentication logs (lateral movement)
  • File integrity monitoring (/var/tmp/, /usr/sbin/, /etc/systemd/system/)

Detection Coverage

Source      | Status
Sigma       | ❌ Gap — no GRIDTIDE-specific rule; no Google Sheets C2 rule
Splunk ESCU | ❌ Gap — no Google Sheets C2 or xapt detection
Elastic     | ❌ Gap — no specific rule; generic suspicious process rules may catch
KQL         | ❌ Gap

Gap Recommendation:

  1. Sigma rule: non-browser process initiating DNS/network connection to sheets.googleapis.com
  2. Sigma rule: systemd service creation referencing binaries in /var/tmp/ or /tmp/
  3. Sigma rule: binary named xapt or masquerading as package manager names (apt, yum, dnf) in non-standard paths
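The three gap recommendations above, plus the systemd persistence and process-tree observations earlier in this section, as host-side checks a detection engineer can run before a Sigma rule exists. This is an added example, not GTIG or Mandiant code. The systemd unit text, the network telemetry records and their field names (image, dest_host, dest_port) are constructed for the example; the lists of trusted directories and browser process names are assumptions to tune per environment.

```python
"""Host-side checks for the GRIDTIDE tradecraft described in the brief:
  1. systemd units whose ExecStart points into /var/tmp or /tmp
  2. binaries that borrow a package-manager name outside its normal directories
     (or carry the reported name "xapt" anywhere)
  3. non-browser processes talking to sheets.googleapis.com

Added example, not GTIG/Mandiant code. Unit text and telemetry records are
constructed; the directory and browser lists are assumptions to tune locally."""
import os
import re
from typing import Dict, List

TEMP_DIRS = ("/var/tmp/", "/tmp/", "/dev/shm/")
PACKAGE_MANAGER_NAMES = {"apt", "apt-get", "yum", "dnf"}
LEGIT_PM_DIRS = {"/usr/bin", "/bin", "/usr/sbin", "/sbin"}
BROWSER_OR_OFFICE = {"chrome", "chromium", "firefox", "soffice.bin"}

# ExecStart may be prefixed with "-" or "@" in unit files; capture the binary path.
EXEC_RE = re.compile(r"^ExecStart\s*=\s*-?@?(?P<path>\S+)", re.MULTILINE)


def masquerading_binary(path: str) -> bool:
    """True for the reported GRIDTIDE name, or a package-manager name in an odd directory."""
    name = os.path.basename(path)
    if name == "xapt":  # name reported by GTIG for the backdoor binary
        return True
    return name in PACKAGE_MANAGER_NAMES and os.path.dirname(path) not in LEGIT_PM_DIRS


def suspicious_unit(unit_text: str) -> List[str]:
    """Return the reasons a systemd unit looks suspicious (empty list if clean)."""
    reasons = []
    for m in EXEC_RE.finditer(unit_text):
        path = m["path"]
        if path.startswith(TEMP_DIRS):
            reasons.append(f"ExecStart in temp dir: {path}")
        if masquerading_binary(path):
            reasons.append(f"package-manager lookalike: {path}")
    return reasons


def sheets_c2_candidates(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Process-to-network events to sheets.googleapis.com from non-browser images."""
    return [
        e for e in events
        if e.get("dest_host", "").lower() == "sheets.googleapis.com"
        and os.path.basename(e.get("image", "")) not in BROWSER_OR_OFFICE
    ]


# Constructed unit files: one modelled on the reported /var/tmp/xapt persistence,
# one benign. Neither is the real xapt.service content.
XAPT_UNIT = """[Unit]
Description=APT helper

[Service]
ExecStart=/var/tmp/xapt
Restart=always

[Install]
WantedBy=multi-user.target
"""
CLEAN_UNIT = "[Service]\nExecStart=/usr/bin/apt-daily\n"

# Constructed process/network telemetry in a simplified schema.
SAMPLE_NET_EVENTS = [
    {"image": "/var/tmp/xapt", "dest_host": "sheets.googleapis.com", "dest_port": "443"},
    {"image": "/usr/bin/firefox", "dest_host": "sheets.googleapis.com", "dest_port": "443"},
    {"image": "/usr/sbin/xapt", "dest_host": "www.googleapis.com", "dest_port": "443"},
]

if __name__ == "__main__":
    print("xapt unit:", suspicious_unit(XAPT_UNIT))
    print("clean unit:", suspicious_unit(CLEAN_UNIT))
    print("sheets C2 candidates:", [e["image"] for e in sheets_c2_candidates(SAMPLE_NET_EVENTS)])
```

The network check is deliberately narrow (hostname match only): on a server that should never reach Google Workspace APIs, any hit is worth a look, whereas on user endpoints the browser exclusion list has to be extended to each SaaS client you allow. Run suspicious_unit over the contents of every file under /etc/systemd/system/ and the per-user ~/.config/systemd/user/ directories.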

Sources


3. Steaelite RAT — Browser-Based Double Extortion Platform (Criminal Crimeware-as-a-Service)

What’s New

BlackFog researchers disclosed Steaelite, a browser-based RAT sold on underground forums since November 2025 that unifies credential theft, file exfiltration, surveillance, and ransomware deployment into a single management panel — collapsing what typically requires coordination between multiple threat actors into a solo operation. An Android ransomware module is actively in development.

Technical Details

Field          | Value
CVE            | None (commodity crimeware)
Targets        | Windows 10/11
C2 panel       | Browser-based dashboard (real-time victim management)
Availability   | Underground forums since November 2025 (87+ forum posts)
Claimed        | "Fully Undetectable" (FUD); HVNC support; banking app bypass
Delivery       | Phishing / social engineering (typical RAT delivery)
Android module | In development (expansion to mobile extortion)

Capabilities Matrix:

Module                | Function
Remote Code Execution | Browser-based CMD with output display
File Manager          | Full directory browse + 1-click exfiltrate
Live Stream           | Real-time desktop/webcam/microphone
Clipboard Clipper     | Silently swaps crypto wallet addresses on paste
Password Recovery     | Credential harvesting from browsers/apps
Ransomware Deploy     | One-click ransomware (encryption module)
Hidden RDP            | HVNC-style covert remote desktop
UAC Bypass            | Admin privilege escalation
USB Spreading         | Worm propagation via USB drives
DDoS                  | Botnet-style attack modules
Keylogger             | Developer tools panel
Windows Defender      | Disable + exclusion management

Key Innovation: Traditional double extortion requires two separate actors — an initial access broker who handles infiltration + exfiltration, and a ransomware affiliate who handles encryption. Steaelite collapses this into one interface, enabling a single low-skilled operator to execute end-to-end campaigns.

TTPs

Tactic            | Technique                                       | Observable
Execution         | T1059.003 — Windows Command Shell               | Browser-delivered remote CMD execution
Defense Evasion   | T1562.001 — Disable/Modify AV                   | Windows Defender disabled via advanced tools
Defense Evasion   | T1548.002 — UAC Bypass                          | UAC bypass module (method unspecified)
Credential Access | T1555.003 — Credentials from Web Browsers       | Password recovery module
Credential Access | T1056.001 — Keylogging                          | Developer tools keylogger
Collection        | T1115 — Clipboard Data                          | Crypto wallet address replacement
Collection        | T1125 — Video Capture                           | Webcam access module
Collection        | T1123 — Audio Capture                           | Microphone access module
Exfiltration      | T1041 — Exfiltration over C2 Channel            | File exfil via browser panel
Impact            | T1486 — Data Encrypted for Impact               | Ransomware deploy module
Lateral Movement  | T1091 — Replication Through Removable Media     | USB spreading

Detection Opportunities

# Clipboard-based crypto hijacking (monitor clipboard writes)
# Windows Event Log: clipboard access by unexpected process
# EDR: process accessing clipboard with regex match for wallet formats

# UAC bypass patterns
Sysmon Event ID 1: 
  ParentImage: contains cmd.exe OR powershell.exe
  CommandLine: contains "fodhelper" OR "eventvwr" OR "computerdefaults"

# Defender disable
Sysmon Event ID 13 (Registry):
  TargetObject: \SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
  Details: DWORD (0x00000001)

# USB spreading artifacts
Sysmon Event ID 11 (File Create):
  TargetFilename: matches [A-Z]:\*.exe OR [A-Z]:\autorun.inf
  (Where [A-Z] is a removable media drive)

# HVNC / Hidden RDP detection
# Unexpected RDP sessions or winlogon children
Sysmon Event ID 1:
  ParentImage: winlogon.exe
  Image: NOT IN (LogonUI.exe, userinit.exe, dwm.exe)

# VB.NET payload compilation (developer tools)
Sysmon Event ID 1:
  Image: vbc.exe OR csc.exe
  CommandLine: NOT contains "Visual Studio" path

Log Sources

  • Sysmon (Events 1, 11, 13, 17, 23)
  • Windows Security Event Log (4657 — registry modification)
  • EDR clipboard monitoring telemetry
  • Windows Defender protection history logs
  • Network logs (C2 communications — protocol/port TBD)

Detection Coverage

Source      | Status
Sigma       | ⚠️ Partial — clipboard collection rules exist (Clipboard Collection with Xclip, PowerShell Get Clipboard) but not Windows RAT-specific
Splunk ESCU | ⚠️ Partial — UAC bypass and Defender disable rules present; no Steaelite-specific
Elastic     | ⚠️ Partial — generic RAT behavioral detection; no Steaelite-specific
KQL         | ❌ Gap

Gap Recommendation: Create Sigma rules specifically for:

  • Clipboard data interception by non-browser processes followed by outbound connection (clipper pattern)
  • VB.NET payload compilation from non-IDE parent processes
  • Crypto wallet address regex monitoring on clipboard
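The clipper pattern named in the first and third recommendations above, as a check over clipboard telemetry: classify each clipboard write by wallet-address format and flag a non-browser process that replaces one address with a different address of the same format. This is an added example, not BlackFog's code or anything from the Steaelite panel. The event schema (ts, process, text), the trusted-writer list and the process name upd.exe are assumptions; the addresses are constructed strings that merely satisfy the format regexes.

```python
"""Clipper-pattern detection over constructed clipboard telemetry.

Added example, not BlackFog's code. A clipper waits for the user to copy a wallet
address and immediately overwrites the clipboard with the operator's address of
the same kind, so the signal is: same address format, different value, written
by a process that has no business editing the clipboard. Event schema, trusted
writers and the process name "upd.exe" are assumptions for this example."""
import re
from typing import Dict, List, Optional

# Format classifiers keyed by a label used only in this example.
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "xmr": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}
# Processes expected to write the clipboard on a user workstation (assumption; tune locally).
TRUSTED_CLIPBOARD_WRITERS = {"explorer.exe", "chrome.exe", "firefox.exe", "msedge.exe", "winword.exe"}


def wallet_format(text: str) -> Optional[str]:
    """Return the wallet format label for a clipboard string, or None if it is not an address."""
    text = text.strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def detect_clipper(events: List[Dict[str, str]]) -> List[str]:
    """events: chronological clipboard writes {ts, process, text}. Returns alert strings."""
    alerts = []
    last_addr: Optional[str] = None
    last_fmt: Optional[str] = None
    for e in events:
        fmt = wallet_format(e["text"])
        if fmt is None:
            # Non-address content breaks the copy/swap sequence.
            last_addr, last_fmt = None, None
            continue
        proc = e["process"].lower()
        addr = e["text"].strip()
        if last_fmt == fmt and addr != last_addr and proc not in TRUSTED_CLIPBOARD_WRITERS:
            alerts.append(f"{e['ts']} CLIPPER: {proc} replaced {fmt} address {last_addr} -> {addr}")
        last_addr, last_fmt = addr, fmt
    return alerts


# Constructed telemetry: the user copies a BTC address from the browser and an
# untrusted process overwrites it 180 ms later; later ETH copies are all browser-driven.
SAMPLE_CLIPBOARD_EVENTS = [
    {"ts": "09:00:01.000", "process": "chrome.exe", "text": "1DefenderTestAddr" + "A" * 16},
    {"ts": "09:00:01.180", "process": "upd.exe", "text": "1SwappedAddrTest" + "B" * 15},
    {"ts": "09:02:00.000", "process": "chrome.exe", "text": "meeting notes"},
    {"ts": "09:03:00.000", "process": "chrome.exe", "text": "0x" + "1234567890abcdef" * 2 + "12345678"},
    {"ts": "09:03:05.000", "process": "chrome.exe", "text": "0x" + "abcdef1234567890" * 2 + "abcdef12"},
]

if __name__ == "__main__":
    for alert in detect_clipper(SAMPLE_CLIPBOARD_EVENTS):
        print(alert)
```

The same-format requirement is what keeps this quiet on ordinary workflows: a user pasting a second, unrelated address from the browser is not an alert, while any untrusted process writing a lookalike address right after a copy is. Add the outbound-connection clause from the first recommendation on top of this when the EDR exposes process network events alongside clipboard writes.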

Sources


4. CVE-2026-2636 — Windows CLFS PoC Drops: Low-Priv BSOD (Fortra / Core Security)

What’s New

A public PoC was released today for CVE-2026-2636, a denial-of-service vulnerability in the Windows Common Log File System (CLFS) driver (CLFS.sys) that allows any low-privileged user to trigger an unrecoverable Blue Screen of Death (BSoD). The exploit chain is deterministic and starts from a standard ReadFile API call — no elevated privileges required.

Technical Details

Field      | Value
CVE        | CVE-2026-2636
CVSS       | 5.5 (Medium)
Class      | Denial of Service (improper flag validation in CLFS driver)
Affected   | Windows (tested on CLFS.sys v10.0.22621.5037)
Exploit    | PoC released Feb 26, 2026 (Fortra/Core Security)
Privileges | Low-privileged user (no admin required)
Patch      | Not yet released at time of writing

Root Cause: The vulnerability exists in CLFS!CClfsRequest::ReadLogPagingIo. When ReadFile is called with both IRP_PAGING_IO (0x02) and IRP_INPUT_OPERATION flags disabled (both set to 0x0), the CLFS driver follows an invalid execution path that terminates with a direct call to nt!KeBugCheckEx, causing a non-recoverable kernel panic.

Crash Call Stack:

nt!KeBugCheckEx
CLFS!CClfsRequest::ReadLogPagingIo+0xfc2f
CLFS!CClfsRequest::Dispatch+0x9c
CLFS!ClfsDispatchIoRequest+0x8e
CLFS!CClfsDriver::LogIoDispatch+0x27
nt!IofCallDriver+0x55
nt!IopSynchronousServiceTail+0x46f
nt!IopReadFile+0x4d4
nt!NtReadFile+0xdb

Risk Context: While currently a DoS, the bug family (CLFS) has historically been weaponized for privilege escalation in ransomware (e.g., Nokoyawa used CLFS bugs for LPE). The PoC code is public, making this accessible to low-sophistication attackers for disruptive attacks in shared/multi-tenant or VDI environments.

TTPs

Tactic          | Technique                                      | Observable
Impact          | T1499.004 — Application/System Exploitation    | ReadFile API → CLFS.sys kernel panic
Defense Evasion | T1211 — Exploitation for Defense Evasion       | Crash security tooling running on system

Detection Opportunities

# Windows Event Log: System crash indicator
Event ID 1001 (WerFault/BugCheck) - Source: Microsoft-Windows-WER-SystemErrorReporting
  BugcheckCode: Look for 0x1E (KMODE_EXCEPTION_NOT_HANDLED) or 0x50 (PAGE_FAULT_IN_NONPAGED_AREA)

# Sysmon - CLFS.sys loaded from suspicious location
Sysmon Event ID 7 (Image Loaded):
  ImageLoaded: \Windows\System32\CLFS.sys
  Signed: false  # integrity check

# Process accessing BLF/CLFL files unexpectedly
Sysmon Event ID 11 (File Create):
  TargetFilename: *.blf OR *.clfl
  Image: NOT IN system processes list

# Audit: Low-privileged user creating CLFS log files in rapid succession
# followed by system crash — correlate with crash dump timestamp

# Defender: Flag any executable that:
# 1. Opens a *.blf CLFS log file
# 2. Calls ReadFile on that handle  
# 3. System crashes within seconds
# (Post-mortem: analyze crash dump for CLFS call stack)

Log Sources

  • Windows Event Log: System (Event ID 1001 — BugCheck)
  • Windows Error Reporting crash dumps (%SystemRoot%\Minidump\)
  • Sysmon Event ID 7 (driver load events)
  • Sysmon Event ID 11 (CLFS .blf file access)

Detection Coverage

Source      | Status
Sigma       | ⚠️ Partial — Clfs.SYS Loaded By Process Located In Suspicious Location exists; no DoS-specific rule
Splunk ESCU | ❌ Gap
Elastic     | ❌ Gap
KQL         | ❌ Gap

Gap Recommendation: Create a Sigma rule correlating CLFS .blf file access by non-system processes with a subsequent Windows crash event (Event ID 1001) within a short time window. Until a patch ships, consider restricting which executables low-privileged users can run (AppLocker/WDAC) in sensitive multi-user environments; the bug is reached through an ordinary ReadFile call, so limiting untrusted code is the practical control rather than blocking the CLFS API itself.
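The correlation this recommendation describes, as a worked example over constructed event records: Sysmon Event 11 creates of .blf/.clfl files by non-system images are paired with a later Event 1001 bugcheck on the same host inside a 60-second window. This is an added example, not Fortra/Core Security code and not the PoC; the simplified event schema (host, event_id, time, image, user, target, bugcheck_code), the 60-second window, the process name lowpriv.exe and the bugcheck code value are all constructed or assumed.

```python
"""Correlate CLFS log-file creation by non-system processes with a following
Windows bugcheck (Event ID 1001) on the same host.

Added example, not Fortra/Core Security code. Records use a simplified schema
and constructed values; the bugcheck code and window size are assumptions."""
from datetime import datetime, timedelta
from typing import Dict, List

# Images allowed to touch CLFS containers without raising an alert (assumption; extend locally).
SYSTEM_IMAGES = {
    "c:\\windows\\system32\\svchost.exe",
    "c:\\windows\\system32\\lsass.exe",
    "system",
}
WINDOW = timedelta(seconds=60)  # assumed: crash expected within seconds of the ReadFile


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def blf_accesses(events: List[Dict]) -> List[Dict]:
    """Sysmon Event 11 records that create CLFS files from a non-system image."""
    return [
        e for e in events
        if e["event_id"] == 11
        and e["target"].lower().endswith((".blf", ".clfl"))
        and e["image"].lower() not in SYSTEM_IMAGES
    ]


def correlate_clfs_crash(events: List[Dict]) -> List[str]:
    """Alert when a .blf create is followed by an Event 1001 bugcheck within WINDOW on the same host."""
    crashes = [e for e in events if e["event_id"] == 1001]
    alerts = []
    for access in blf_accesses(events):
        for crash in crashes:
            gap = _ts(crash["time"]) - _ts(access["time"])
            if crash["host"] == access["host"] and timedelta(0) <= gap <= WINDOW:
                alerts.append(
                    f"{access['host']}: {access['image']} (user {access['user']}) created "
                    f"{access['target']} {gap.total_seconds():.0f}s before bugcheck "
                    f"{crash.get('bugcheck_code', '?')}"
                )
    return alerts


# Constructed records. WS01 shows the pattern; WS02 is a system process touching a
# CLFS file before an unrelated crash and must not alert. Paths and codes are invented.
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 11, "time": "2026-02-26T09:00:00",
     "image": r"C:\Users\bob\AppData\Local\Temp\lowpriv.exe", "user": r"WS01\bob",
     "target": r"C:\Users\bob\AppData\Local\Temp\test.blf"},
    {"host": "WS01", "event_id": 11, "time": "2026-02-26T09:00:02",
     "image": r"C:\Users\bob\AppData\Local\Temp\lowpriv.exe", "user": r"WS01\bob",
     "target": r"C:\Users\bob\AppData\Local\Temp\notes.txt"},
    {"host": "WS01", "event_id": 1001, "time": "2026-02-26T09:00:07",
     "bugcheck_code": "0x1E"},  # constructed value; take the real code from the 1001 event
    {"host": "WS02", "event_id": 11, "time": "2026-02-26T10:00:00",
     "image": r"C:\Windows\System32\svchost.exe", "user": "NT AUTHORITY\\SYSTEM",
     "target": r"C:\Windows\System32\LogFiles\sample.blf"},
    {"host": "WS02", "event_id": 1001, "time": "2026-02-26T10:00:03", "bugcheck_code": "0x50"},
]

if __name__ == "__main__":
    for alert in correlate_clfs_crash(SAMPLE_EVENTS):
        print(alert)
```

Event 1001 is written only after the reboot, so the join runs over events that straddle a crash; in a SIEM the equivalent is a lookback from each 1001 record rather than a forward window from each file create. The .blf filter alone is too noisy to alert on (Windows components create CLFS logs routinely), which is why the crash correlation, not the file access, is the alert condition.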

Sources


Detection Coverage Summary

# | Threat                      | Sigma      | Splunk ESCU | Elastic
1 | CVE-2026-20127 Cisco SD-WAN | ❌ Gap     | ⚠️ Generic  | ❌ Gap
2 | UNC2814/GRIDTIDE Sheets C2  | ❌ Gap     | ❌ Gap      | ❌ Gap
3 | Steaelite RAT               | ⚠️ Partial | ⚠️ Partial  | ⚠️ Partial
4 | CVE-2026-2636 CLFS DoS      | ⚠️ Partial | ❌ Gap      | ❌ Gap

Priority Writing Queue:

  1. 🔴 Sigma: SD-WAN control-connection-state-change with unauthorized peer IPs
  2. 🔴 Sigma: Non-browser process → sheets.googleapis.com outbound
  3. 🔴 Sigma: Systemd service creation from /var/tmp/ or /tmp/ binary paths
  4. 🟡 Sigma: Clipboard interception by non-browser + outbound network (clipper pattern)
  5. 🟡 Sigma: CLFS .blf file access by user-space process → system crash correlation

Brief generated: 2026-02-26 05:00 PT | Detection index: 6,811 rules (Sigma 3,248 | ESCU 2,336 | Elastic 1,719 | KQL 448)