Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, February 24, 2026


Since mid-2023, the GrayCharlie threat group has been compromising WordPress sites to distribute NetSupport RAT through deceptive browser update alerts and ClickFix pop-ups, enabling full system takeover, credential theft, MFA bypass, and C2 operations.

Marketed on dark web forums as an AI-assisted modular infostealer, Arkanix, which offered both a Python-based standard build and a feature-rich C++ premium version, has been abruptly discontinued in what was likely a short-term monetization experiment.

Newly disclosed flaws in VMware Aria Operations, VMware Cloud Foundation, and VMware Telco Cloud, including CVE-2026-22719, CVE-2026-22721, and CVE-2026-22720, have been patched by Broadcom, with immediate remediation strongly advised due to limited or absent workarounds.

Top Malware Reported in the Last 24 Hours

GrayCharlie deploys NetSupport RAT

GrayCharlie, a cybercriminal group active since mid-2023, has been targeting WordPress websites to spread the NetSupport RAT and steal sensitive data. Their methods include fake browser update prompts and ClickFix pop-ups to trick users into downloading malicious software. The malware enables attackers to gain full control of victims' systems, steal credentials, and bypass Multi-Factor Authentication (MFA) protections. The group uses compromised websites and staging infrastructure for deploying malware, with command-and-control servers hosted by providers like MivoCloud and HZ Hosting Ltd.

AI-powered malware experiment discontinued after two months

Arkanix Stealer was promoted on dark web forums as an AI-assisted malware experiment with modular features and anti-analysis capabilities. The project offered two tiers: a basic Python-based version and a premium C++ version with advanced functionalities like AV evasion and RDP credential theft. It targeted browser data, cryptocurrency wallets, VPN credentials, Telegram, Discord, and gaming platforms such as Epic Games and Battle.net. The operation was abruptly shut down after two months, and researchers believe it was likely a quick financial gain experiment to test AI-assisted malware development.

Top Vulnerabilities Reported in the Last 24 Hours

VMware Aria Operations under threat

Critical vulnerabilities have been discovered in VMware Aria Operations, VMware Cloud Foundation, and VMware Telco Cloud infrastructure. Among these, the most severe is CVE-2026-22719, a command injection flaw that allows unauthenticated attackers to execute remote code during system migrations. Additionally, CVE-2026-22721 enables privilege escalation, and CVE-2026-22720 is a stored Cross-Site Scripting (XSS) vulnerability. Broadcom has released patches to address these issues, though some vulnerabilities lack workarounds, making immediate patching essential.

Critical RCE vulnerabilities discovered in SolarWinds Serv-U

Four critical RCE vulnerabilities in SolarWinds Serv-U were disclosed, spanning Broken Access Control, Type Confusion, and Insecure Direct Object Reference (IDOR) flaws. CVE-2025-40538, a Broken Access Control vulnerability, allows attackers to escalate privileges, create system admin users, and execute arbitrary code as root. CVE-2025-40539 and CVE-2025-40540 are Type Confusion vulnerabilities, memory-safety flaws that can be exploited for root-level code execution. CVE-2025-40541, an IDOR vulnerability, also escalates to RCE as root, making it a critical threat. SolarWinds has released a patch (Serv-U 15.5.4) to address these flaws, and administrators are urged to apply the update immediately.
