Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, February 17, 2026


A malicious clone of the legitimate Triton macOS client has surfaced on GitHub, a reminder that an open-source repository is not trustworthy just because its source is visible. Published under the account "JaoAureliano," the fork trades on developer trust by embedding a trojanized ZIP file in a polished but misleading README. It is a classic bait-and-switch: lure developers with a sleek Mac utility, then deliver a silent Windows intruder.

The C++-based OysterLoader has been overhauled in early 2026, cementing its role as a primary delivery vehicle for the Rhysida ransomware group. Now distributed through convincing fake download pages for tools such as PuTTY and WinSCP, the loader has adopted a three-step C2 protocol that uses a non-standard Base64 alphabet to disguise its traffic.

A failure to apply the principle of least privilege consistently has left Apache NiFi installations exposed to CVE-2026-25903. The flaw is a mismatch between two code paths: NiFi requires elevated permissions to add a restricted component, but does not re-check those permissions when an existing component is updated. The gap lets lower-privileged users modify sensitive configuration properties of components they could never have created themselves.

Top Malware Reported in the Last 24 Hours

Malicious Triton app fork exposes Windows malware

A malicious fork of the legitimate Triton macOS client for omg.lol has been discovered on GitHub, serving as a delivery mechanism for Windows malware. The attackers cloned the original project, republished it under the account "JaoAureliano", and embedded a trojanized ZIP file named Software_3.1.zip alongside misleading README content that urges visitors to download it. Although the repository presents itself as a macOS application, the payload targets Windows systems and uses anti-analysis techniques to evade detection. The mismatch itself is the tell: a repository for a macOS app whose README pushes a pre-built archive instead of buildable source or a tagged release deserves scrutiny before anything in it is opened.

OysterLoader malware evolves with new techniques

OysterLoader, a multi-stage malware loader, evolved significantly in early 2026, with updated C2 infrastructure and obfuscation. First reported in June 2024, the C++-based loader is linked to the Rhysida ransomware group and is typically distributed through fraudulent websites impersonating legitimate IT tools such as PuTTY and WinSCP. Infection proceeds in four stages and relies on a custom LZMA decompression routine and dynamic API resolution, both of which complicate static analysis because neither the next-stage payload nor the imports it depends on are visible until run time. The revised C2 protocol is a three-step exchange of encoded JSON messages, and the encoding uses a non-standard Base64 alphabet, so captured traffic will not decode with standard tools until the substitution table is recovered from the binary.
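Decoding traffic that uses a non-standard Base64 alphabet is a substitution problem: map each custom symbol back to its standard counterpart and hand the result to a normal decoder. The example below is added here to show that workflow and is not OysterLoader's code or Cyware's; the custom alphabet, the candidate table, and the beacon body are assumptions constructed for the demo, not the loader's real table or captured traffic.

```python
import base64
import json
import string

# Standard RFC 4648 alphabet, used as the reference table.
STANDARD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Hypothetical custom alphabet (a permutation of the standard one). This is an
# assumption for the example and is NOT the table OysterLoader uses; an analyst
# recovers the real one from the loader's encode routine.
CUSTOM_ALPHABET = "zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA9876543210/+"


def _check_alphabet(alphabet: str) -> None:
    """A usable table has 64 distinct symbols and does not reuse the '=' pad."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64 or "=" in alphabet:
        raise ValueError("alphabet must be 64 distinct symbols, excluding '='")


def custom_b64encode(raw: bytes, alphabet: str = CUSTOM_ALPHABET) -> str:
    """Encode with the standard codec, then remap each symbol into the custom table."""
    _check_alphabet(alphabet)
    std = base64.b64encode(raw).decode("ascii")
    return std.translate(str.maketrans(STANDARD_ALPHABET, alphabet))


def custom_b64decode(encoded: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Remap custom symbols back to the standard table, then decode normally.
    '=' is in neither table, so translate() leaves the padding untouched."""
    _check_alphabet(alphabet)
    std = encoded.translate(str.maketrans(alphabet, STANDARD_ALPHABET))
    return base64.b64decode(std, validate=True)


def identify_alphabet(blob: str, candidates: dict) -> tuple:
    """Try each named alphabet in turn; return (name, parsed_json) for the first
    one under which the blob decodes to valid UTF-8 JSON, else (None, None).
    Decode errors, bad UTF-8 and non-JSON output all mean 'wrong table'."""
    for name, alphabet in candidates.items():
        try:
            obj = json.loads(custom_b64decode(blob, alphabet).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
        return name, obj
    return None, None


# Constructed beacon body for the demo (not captured traffic).
SAMPLE_BEACON = {"id": "host-0001", "step": 1, "cmd": "checkin"}
SAMPLE_BLOB = custom_b64encode(
    json.dumps(SAMPLE_BEACON, separators=(",", ":")).encode("utf-8")
)

# Tables an analyst might try against an unknown blob.
CANDIDATES = {"standard": STANDARD_ALPHABET, "custom-demo": CUSTOM_ALPHABET}

if __name__ == "__main__":
    print("encoded:", SAMPLE_BLOB)
    print("matched:", identify_alphabet(SAMPLE_BLOB, CANDIDATES))
```

Because the custom table uses the same 64 characters as the standard one, a plain `base64.b64decode` of the blob does not fail; it silently yields garbage. That is why `identify_alphabet` treats "decodes but is not JSON" as a miss rather than trusting a successful decode.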

Top Vulnerabilities Reported in the Last 24 Hours

Apache NiFi flaw allows authorization bypass

Apache NiFi has disclosed a critical vulnerability, tracked as CVE-2026-25903, that allows less-privileged authenticated users to modify the configuration properties of restricted extension components. The flaw affects versions 1.1.0 through 2.7.2 and stems from a missing authorization check in the update path for those components: a more privileged user is required to add a restricted component, but NiFi does not verify that permission when an existing component is updated. A user without the restricted-component permission can therefore alter its properties. The impact is greatest in deployments that rely on tiered permissions, where the restricted-component authorization is what separates ordinary flow editors from users trusted to deploy restricted components; until the fix is applied, that separation cannot be relied on for components that already exist in a flow.
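The bug class here is an authorization check that guards creation but not mutation of the same object. The Python model below is added to illustrate that pattern and its fix; it is not NiFi's Java code, and the permission names, component types and users are placeholders assumed for the example.

```python
from dataclasses import dataclass, field


class Forbidden(PermissionError):
    """Raised when an operation is denied."""


@dataclass
class User:
    name: str
    permissions: frozenset  # e.g. {"write:flow", "restricted-components"}


@dataclass
class Component:
    component_id: str
    type_name: str
    restricted: bool
    properties: dict = field(default_factory=dict)


# Hypothetical component types an operator has marked as restricted.
# Placeholder names for this example, not NiFi's list.
RESTRICTED_TYPES = frozenset({"RunScript", "ReadLocalFile"})


class VulnerableFlow:
    """Models the bug class: the restricted check runs on add, but not on update."""

    def __init__(self):
        self.components = {}

    @staticmethod
    def _require(user: User, permission: str) -> None:
        if permission not in user.permissions:
            raise Forbidden(f"{user.name} lacks {permission}")

    def add_component(self, user, component_id, type_name, properties):
        self._require(user, "write:flow")
        restricted = type_name in RESTRICTED_TYPES
        if restricted:
            self._require(user, "restricted-components")  # enforced on create ...
        comp = Component(component_id, type_name, restricted, dict(properties))
        self.components[component_id] = comp
        return comp

    def update_component(self, user, component_id, properties):
        self._require(user, "write:flow")  # ... but only the generic write check here
        comp = self.components[component_id]
        comp.properties.update(properties)
        return comp


class HardenedFlow(VulnerableFlow):
    """Re-applies the restricted-component decision on every mutation."""

    def update_component(self, user, component_id, properties):
        self._require(user, "write:flow")
        comp = self.components[component_id]
        if comp.restricted:
            self._require(user, "restricted-components")
        comp.properties.update(properties)
        return comp


def low_privilege_user_can_add(flow_class) -> bool:
    """An editor without the restricted permission tries to add a restricted component."""
    editor = User("editor", frozenset({"write:flow"}))
    try:
        flow_class().add_component(editor, "p1", "RunScript", {"script": "original"})
    except Forbidden:
        return False
    return True


def low_privilege_user_can_modify(flow_class) -> bool:
    """Admin adds a restricted component; the editor then tries to change its
    properties. Returns True if the editor's change lands."""
    admin = User("admin", frozenset({"write:flow", "restricted-components"}))
    editor = User("editor", frozenset({"write:flow"}))
    flow = flow_class()
    flow.add_component(admin, "p1", "RunScript", {"script": "original"})
    try:
        flow.update_component(editor, "p1", {"script": "attacker-controlled"})
    except Forbidden:
        return False
    return flow.components["p1"].properties["script"] == "attacker-controlled"


if __name__ == "__main__":
    for cls in (VulnerableFlow, HardenedFlow):
        print(cls.__name__, "add:", low_privilege_user_can_add(cls),
              "modify:", low_privilege_user_can_modify(cls))
```

The test worth keeping in a suite is the second one: every privileged attribute that gates creation must be re-evaluated on each later write, because the object's sensitivity does not change just because it already exists.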

Vulnerabilities found in popular password managers

Researchers from ETH Zurich and the Università della Svizzera italiana identified 27 vulnerabilities in four major cloud-based password managers: Bitwarden, LastPass, Dashlane, and 1Password. The flaws could let attackers read and alter passwords stored in user vaults, undermining the providers' "zero-knowledge encryption" claims, under which the server is supposed to be unable to learn or tamper with vault contents. The attack scenarios ranged from integrity violations to complete vault compromise and stemmed from issues such as unauthenticated public keys and insufficient key separation. One notable attack used a malicious auto-enrollment flow to hijack user vaults during onboarding. Bitwarden, LastPass, and Dashlane are working on remediation, while 1Password says its existing security measures mitigate the issues.
