Cyware Daily Threat Intelligence, February 27, 2026

Fresh out of the malware oven, Moonrise, uncovered by ANY.RUN in February 2026, emerges as a Golang-based Windows threat that leverages a hard-coded, unencrypted WebSocket (ws://) C2 channel for persistent live surveillance, remote control, and crypto theft, favoring operational simplicity over stealth.
Agent Tesla continues to evolve its phishing-driven infection chain by deploying obfuscated scripts, encrypted payloads, process hollowing, and anti-analysis checks to harvest credentials and browser data, which are exfiltrated via SMTP to attacker-controlled infrastructure.
Trend Micro has released Critical Patch Build 14136 for Trend Micro Apex One to remediate two critical RCE flaws (CVE-2025-71210 and CVE-2025-71211) tied to path traversal in the management console, alongside multiple privilege escalation bugs, urging customers to update despite no active exploitation observed.
Top Malware Reported in the Last 24 Hours
Cybersecurity experts warn of Moonrise
Moonrise is a newly documented Windows malware discovered in February 2026 by ANY.RUN, designed for live surveillance, remote control, and cryptocurrency-related theft. The malware uses a WebSocket-based command-and-control (C2) architecture, favoring persistent connections over periodic HTTP polling. The C2 endpoint is hard-coded into the malware and reached over an unencrypted WebSocket channel (ws://), which makes the traffic easier to inspect and detect at the cost of stealth. Moonrise is built using Golang (Go 1.18) and is designed to operate as a lightweight yet operationally dangerous tool, with no significant obfuscation or packing layers.
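Because the endpoint is hard-coded, unencrypted and unobfuscated, an analyst can recover the C2 URL and the Go toolchain version directly from the binary's readable strings. The script below is an added triage example, not code from ANY.RUN's report; the sample bytes, hostnames and port are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the string region of an unpacked Go binary that
# embeds its C2 endpoint in cleartext. Hostnames and port are hypothetical.
SAMPLE_BINARY = (
    b"\x00\x00go1.18\x00runtime.main\x00"
    b"ws://c2.example.invalid:8080/socket\x00"
    b"wss://updates.example.invalid/ws\x00"
    b"github.com/gorilla/websocket\x00"
)

# ws:// or wss://, host, optional port, optional printable path.
WS_URL_RE = re.compile(rb"(wss?)://([A-Za-z0-9.\-]+)(?::(\d{1,5}))?(/[\x21-\x7e]*)?")
# Go embeds its toolchain version as a plain string (e.g. go1.18).
GO_VERSION_RE = re.compile(rb"go1\.\d+(?:\.\d+)?")

@dataclass(frozen=True)
class WsEndpoint:
    scheme: str
    host: str
    port: int
    path: str

    @property
    def plaintext(self) -> bool:
        return self.scheme == "ws"

def extract_ws_endpoints(data: bytes) -> list:
    """Return every WebSocket URL found in the buffer, with default ports filled in.
    Caveat: real Go binaries pack string literals without terminators, so the
    path may run into the next literal; scheme, host and port are the reliable part."""
    found = []
    for m in WS_URL_RE.finditer(data):
        scheme = m.group(1).decode()
        host = m.group(2).decode()
        port = int(m.group(3)) if m.group(3) else (80 if scheme == "ws" else 443)
        path = m.group(4).decode() if m.group(4) else "/"
        found.append(WsEndpoint(scheme, host, port, path))
    return found

def go_version(data: bytes) -> Optional[str]:
    m = GO_VERSION_RE.search(data)
    return m.group(0).decode() if m else None

def triage(data: bytes) -> dict:
    """Split endpoints into plaintext ws:// (inspectable on the wire) and wss://."""
    eps = extract_ws_endpoints(data)
    fmt = lambda e: f"{e.host}:{e.port}{e.path}"
    return {
        "go_version": go_version(data),
        "plaintext_c2": [fmt(e) for e in eps if e.plaintext],
        "tls_ws": [fmt(e) for e in eps if not e.plaintext],
    }
```

Plaintext ws:// hits are the ones worth turning into network detections, since the handshake and every frame are visible to a proxy or IDS.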
Agent Tesla malware uncovered in a multi-stage attack campaign
Agent Tesla uses a phishing-led infection chain involving obfuscated scripts and encrypted payloads to bypass security filters. The malware employs process hollowing to inject malicious code into legitimate Windows processes, ensuring stealthy execution. Anti-analysis techniques, such as virtualization probing and security software detection, help the malware evade detection. Agent Tesla harvests sensitive data, including credentials and browser cookies, exfiltrating them via SMTP to a command-and-control server.
Top Vulnerabilities Reported in the Last 24 Hours
Trend Micro fixes two major Apex One vulnerabilities
Trend Micro patched two critical remote code execution (RCE) vulnerabilities (CVE-2025-71210 and CVE-2025-71211) in its Apex One endpoint security platform, caused by path traversal weaknesses in the management console. Exploitation requires access to the Apex One Management Console, prompting Trend Micro to advise customers to update to the latest builds and apply source restrictions for exposed IP addresses. Trend Micro released Critical Patch Build 14136, addressing these vulnerabilities along with two high-severity privilege escalation flaws in the Windows agent and four in the macOS agent. While these vulnerabilities have not been exploited in the wild, past Apex One flaws have been actively targeted, including CVE-2025-54948 and other zero-days exploited in 2022 and 2023.
Juniper Networks' PTX routers at risk
A critical flaw in Juniper Networks PTX Series routers allows remote code execution with root privileges due to incorrect permission assignment. The vulnerability, CVE-2026-21902, affects Junos OS Evolved versions before 25.4R1-S1-EVO and 25.4R2-EVO, but fixes are now available. Juniper advises restricting access to vulnerable endpoints or disabling the service if immediate patching is not possible. Juniper products have historically been targeted by cyberattacks, including malware campaigns and botnet attacks.