Cyware Daily Threat Intelligence, February 23, 2026

Tax season just turned into hack season as FortiGuard Labs uncovered targeted phishing campaigns in Taiwan exploiting local tax workflows to spread Winos 4.0 (ValleyRat) through tax-themed emails packed with malicious LNK files inside RAR archives, abusing DLL sideloading and BYOVD techniques, and using forged Ministry of Finance e-invoice lures to trigger multi-stage infection chains.
Starkiller is emerging as a commercial-grade SaaS framework that uses headless browsers and reverse proxies to stream live login pages from legitimate sites, neatly sidestepping static HTML detection and even bypassing MFA while making infrastructure blocking and fingerprinting significantly harder.
A decade-old bug is now a federal headache as CISA warns of active exploitation of two Roundcube Webmail flaws, CVE-2025-49113 and CVE-2025-68461, requiring agencies to remediate within three weeks under Binding Operational Directive 22-01.
Top Malware Reported in the Last 24 Hours
Silver Fox phishing campaigns using Winos 4.0 malware
FortiGuard Labs identified targeted phishing campaigns in Taiwan exploiting local business processes to distribute Winos 4.0 (ValleyRat) malware. Attackers use tax-themed phishing emails with malicious LNK files, DLL sideloading, and BYOVD techniques to deliver malware. Campaign 1 involves using tax-themed lures with RAR archives containing malicious LNK files to initiate a multi-stage infection chain. Campaign 2 uses phishing emails with forged Ministry of Finance documents and e-invoice links to distribute malware via DLL sideloading.
New Starkiller phishing framework bypasses MFA
Starkiller is a phishing framework that uses headless browsers and reverse proxies to relay real login pages to the victim, bypassing MFA. Traditional phishing kits are prone to detection because they rely on static HTML clones; Starkiller avoids this by serving live content proxied from the legitimate site. Starkiller operates as a commercial-grade SaaS platform, complicating efforts to block or fingerprint its infrastructure.
Top Vulnerabilities Reported in the Last 24 Hours
CISA warns of Roundcube Webmail exploits
CISA warns about two actively exploited vulnerabilities in Roundcube Webmail: CVE-2025-49113 (RCE, CVSS 9.9) and CVE-2025-68461 (XSS, CVSS 7.2). CVE-2025-49113, introduced over a decade ago, allows attackers to inject data into a session and was patched on June 1, 2025. CVE-2025-68461, patched in December 2025, stemmed from improper sanitization of animate tags in SVG documents, enabling code execution in the victim's browser session. CISA requires federal agencies to patch these vulnerabilities within three weeks as part of its Binding Operational Directive (BOD) 22-01.
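The XSS described above is a sanitization failure: an SVG that a webmail client renders inline carries SMIL animation elements that the HTML filter did not account for. The following is an added illustration of that class of check, written for this digest; it is not Roundcube's patch, and the decision to treat the other SMIL elements (set, animateMotion, animateTransform) alongside animate is an assumption. It parses an inline SVG, reports any animation elements, and returns a copy with them removed.

```python
"""Flag and strip SMIL animation elements (<animate>, <set>, ...) from an
SVG before a webmail client renders it inline.  Added illustration of the
sanitizer class of fix; it is not Roundcube's patch, and the element list
beyond <animate> is an assumption.  Parse untrusted XML with defusedxml in
production; the standard library parser is used here to stay offline."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # keep the default xmlns on serialized output

# SMIL animation elements: they carry href targets and timing attributes
# that a filter written for static image markup may not expect.
ANIMATION_TAGS = {"animate", "set", "animateMotion", "animateTransform"}


def _local_name(tag):
    """ElementTree spells namespaced tags as '{uri}name'; return 'name'."""
    return tag.rsplit("}", 1)[-1]


def find_animation_elements(svg_text):
    """Return the local names of animation elements, in document order."""
    root = ET.fromstring(svg_text)
    return [_local_name(el.tag) for el in root.iter()
            if _local_name(el.tag) in ANIMATION_TAGS]


def strip_animation_elements(svg_text):
    """Return the SVG with every animation element (and its subtree) removed."""
    root = ET.fromstring(svg_text)
    # Snapshot the tree first; removing children while iterating is unsafe.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local_name(child.tag) in ANIMATION_TAGS:
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


# Constructed sample: an inline SVG carrying two animation elements.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    '<rect width="10" height="10">'
    '<animate attributeName="width" from="10" to="100" dur="1s"/>'
    '</rect>'
    '<set attributeName="fill" to="red"/>'
    '</svg>'
)

if __name__ == "__main__":
    print("found:", find_animation_elements(SAMPLE_SVG))
    print("clean:", strip_animation_elements(SAMPLE_SVG))
```

A filter that rejects the whole attachment when find_animation_elements returns anything is the simpler policy; stripping is shown because webmail clients generally prefer to degrade the image rather than drop it.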
Critical vulnerability in HPE Telco Service Activator
HPE discovered a critical vulnerability (CVE-2025-12543) in Telco Service Activator, enabling attackers to bypass access controls remotely. The flaw originates from improper Host header validation in the Undertow HTTP server core, affecting versions below 10.5.0. Exploitation risks include unauthorized access, data exposure, or partial system compromise, with high confidentiality and integrity impacts. The vulnerability requires no prior authorization and has a low attack complexity. HPE released version 10.5.0 to address the issue, urging users to update and review network exposure and security settings.
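The control whose absence the advisory describes is a strict comparison of the Host header against the names the service is actually meant to answer to. As an added example for this digest (not HPE's or Undertow's code; the allowlisted host names are constructed), the block below canonicalizes a Host header value, rejects anything that does not parse unambiguously as host[:port], and wraps a WSGI application so that unlisted hosts get a 400 before any application logic runs.

```python
"""Strict Host-header allowlisting in front of a web application.  Added
example of the control whose absence the advisory describes; it is not HPE's
or Undertow's code, and the host names are constructed."""
import re
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"tsa.example.internal", "localhost"}  # constructed allowlist

# Only characters a host[:port] or [IPv6]:port may contain; anything else
# (userinfo '@', path '/', whitespace, control characters) is rejected up front.
_HOST_CHARS = re.compile(r"[A-Za-z0-9.\-\[\]:]+")


def canonical_host(host_header):
    """Return the lower-cased host name from a Host header value, or None
    when it cannot be parsed unambiguously.  The port is dropped; IPv6
    literals keep their brackets so '[::1]' compares as written."""
    if not host_header or not _HOST_CHARS.fullmatch(host_header):
        return None
    try:
        parsed = urlsplit("//" + host_header)
        _ = parsed.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    if not parsed.hostname:
        return None
    host = parsed.hostname.lower()
    return "[" + host + "]" if ":" in host else host


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Exact-match the canonical host against the allowlist (no suffix matching)."""
    host = canonical_host(host_header)
    return host is not None and host in allowed


def host_allowlist_middleware(app, allowed=ALLOWED_HOSTS):
    """WSGI wrapper that answers 400 before the application sees a request
    whose Host header is not on the allowlist."""
    def wrapped(environ, start_response):
        if not host_is_allowed(environ.get("HTTP_HOST", ""), allowed):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"invalid Host header\n"]
        return app(environ, start_response)
    return wrapped


def demo_app(environ, start_response):
    """Stand-in for the protected application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def call(app, host):
    """Drive a WSGI app with a constructed GET request; return (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "HTTP_HOST": host}
    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    guarded = host_allowlist_middleware(demo_app)
    for h in ("localhost", "TSA.Example.Internal:8443", "attacker.test",
              "tsa.example.internal.attacker.test"):
        print(h, "->", call(guarded, h)[0])
```

The exact-match rule is the point: suffix or substring comparison against the expected host name is the usual way such a check goes wrong, and the last loop entry above shows a name that a suffix check would have accepted.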