Weekly Threat Briefing

Cyware Weekly Threat Intelligence, February 09–13, 2026


The Good

  • Operation CYBER GUARDIAN was launched in Singapore to combat cyber threats posed by the APT actor UNC3886, which targeted the telecommunications sector. Over 100 cyber defenders from various government agencies and telecommunications companies participated in this extensive operation, which lasted more than 11 months. The attackers utilized advanced methods, including zero-day exploits and rootkits, to infiltrate the networks of Singapore's major telcos. While they gained limited access to some systems and technical data, there was no evidence of disruption to telecommunications services or compromise of sensitive personal information. The operation showcased the effectiveness of a coordinated response in safeguarding critical infrastructure against sophisticated cyber threats.

The Bad

A wave of malicious Chrome extensions is turning browser customizers and AI assistants into silent data harvesters. CISA has sounded the alarm on CVE-2024-43468, a critical SQL injection flaw in Microsoft Configuration Manager that has moved from Microsoft's "Exploitation Less Likely" rating to confirmed in-the-wild exploitation, more than a year after its patch shipped. The most recent Patch Tuesday became a broad coordinated defense effort, with over 60 vendors releasing fixes for critical gaps across the global software landscape.

  • Cybersecurity researchers have uncovered several malicious Chrome extensions that are designed to steal sensitive data from users. One such extension, CL Suite, targets Meta Business Suite and Facebook Business Manager, exfiltrating TOTP codes, contact lists, and analytics data. Another campaign, known as VK Styles, has hijacked around 500,000 VKontakte accounts through deceptive extensions that manipulate user settings and enforce unwanted subscriptions. Additionally, a group of AI-themed extensions, collectively referred to as AiFrame, siphons data from users by embedding remote interfaces that access sensitive browser capabilities, including Gmail content. A broader investigation revealed 287 Chrome extensions that exfiltrate browsing history to data brokers, affecting approximately 37.4 million installations worldwide. These developments illustrate the increasing abuse of browser extensions by malicious actors to harvest valuable user information.

  • CISA has flagged a critical vulnerability in Microsoft Configuration Manager (CVE-2024-43468), patched in October 2024, as now being actively exploited. The SQL injection flaw lets an unauthenticated attacker who can reach the server send specially crafted requests and execute arbitrary commands with high privileges on the server and its underlying database. Microsoft originally rated the bug "Exploitation Less Likely"; that assessment changed after the security firm Synacktiv released proof-of-concept exploitation code. CISA has accordingly mandated that federal agencies remediate the flaw. Because the fix has been available for over a year, any Configuration Manager site that is still unpatched should be treated as a likely target rather than a low-priority backlog item.

  • A critical remote code execution vulnerability (CVE-2026-1731) in BeyondTrust Remote Support and Privileged Remote Access appliances is currently being exploited in attacks. This flaw, which has a near-maximum CVSS score of 9.9, affects versions 25.3.1 and earlier of Remote Support and 24.3.4 and earlier of Privileged Remote Access. BeyondTrust disclosed the vulnerability on February 6, warning that it can be triggered by unauthenticated attackers sending specially crafted requests. Hacktron discovered and responsibly disclosed the flaw on January 31, noting that around 11,000 BeyondTrust Remote Support instances are exposed online. Following the publication of a proof-of-concept exploit targeting the /get_portal_info endpoint, attackers have begun actively exploiting the vulnerability to execute commands on vulnerable systems.

  • A vulnerability in Windows 11 Notepad, tracked as CVE-2026-20841, allowed attackers to launch local or remote programs by tricking users into clicking specially crafted Markdown links. An attacker only had to craft a Markdown file containing a link whose target used a non-standard URI scheme; when a user opened the file in Notepad and clicked the link, Notepad handed the target to the handler registered for that scheme without verifying it or prompting, so the program behind it ran in the user's security context. Microsoft addressed the issue in the February 2026 Patch Tuesday updates by adding a warning for links with non-standard URI schemes. The fix reduces but does not remove the social-engineering risk: a link's visible text is still chosen by the author, and a user who is told to expect a prompt can be talked into clicking through it.
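As an added example, not code from the briefing or from Microsoft, the following Python script shows the kind of triage check a defender can run over Markdown files before they reach users: it extracts inline links, autolinks and reference-style definitions, reports any target whose scheme is not http, https or mailto (file, UNC and custom protocol handlers included), and separately reports links whose visible text is a URL that differs from the real target, which is the social-engineering case the patch's warning does not address. The sample document is constructed for the example, and the "ms-cmd" scheme in it is a made-up stand-in for any custom URI handler.

```python
import re

# Constructed sample Markdown file of the kind described above; the "ms-cmd"
# scheme is a made-up stand-in for any custom URI handler, not a real one.
SAMPLE_MD = """# Release notes
See [the docs](https://example.com/docs) and email [support](mailto:help@example.com).
Download the [installer](file:///C:/Users/Public/setup.exe) now.
Open [https://example.com/login](ms-cmd://run?payload=calc) to continue.
Autolink form: <custom-handler:launch>
[mirror]: \\\\10.0.0.5\\share\\tool.exe
"""

# Schemes a Markdown viewer can open without handing control to another program.
SAFE_SCHEMES = {"http", "https", "mailto"}

INLINE_LINK = re.compile(r'\[([^\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)')
AUTOLINK = re.compile(r'<([A-Za-z][A-Za-z0-9+.-]*:[^>\s]+)>')
REF_DEF = re.compile(r'^\s*\[([^\]]+)\]:\s*<?([^\s>]+)>?', re.MULTILINE)
SCHEME = re.compile(r'^([A-Za-z][A-Za-z0-9+.-]*):')
LOOKS_LIKE_URL = re.compile(r'^(https?://|www\.)', re.IGNORECASE)


def scheme_of(target):
    """Return the URI scheme of a link target, 'unc' for \\\\host\\share paths,
    'drive' for C:\\-style local paths and '' for relative links."""
    if target.startswith("\\\\") or target.startswith("//"):
        return "unc"
    m = SCHEME.match(target)
    if not m:
        return ""
    scheme = m.group(1).lower()
    return "drive" if len(scheme) == 1 else scheme


def scan_markdown(text):
    """Return one finding per link a user should not click blindly."""
    candidates = [(m.group(1), m.group(2)) for m in INLINE_LINK.finditer(text)]
    candidates += [(m.group(1), m.group(1)) for m in AUTOLINK.finditer(text)]
    candidates += [(m.group(1), m.group(2)) for m in REF_DEF.finditer(text)]
    findings = []
    for label, target in candidates:
        scheme = scheme_of(target)
        reasons = []
        if scheme and scheme not in SAFE_SCHEMES:
            reasons.append(f"non-standard scheme '{scheme}'")
        # The display text is all the user sees. A URL-looking label that points
        # somewhere else is the social-engineering case a warning prompt does
        # not remove.
        if LOOKS_LIKE_URL.match(label) and label.strip().lower() != target.strip().lower():
            reasons.append("display text is a URL that differs from the real target")
        if reasons:
            findings.append({"label": label, "target": target,
                             "scheme": scheme, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_markdown(SAMPLE_MD):
        print(f"{f['target']:45} {'; '.join(f['reasons'])}")
```

Run against a directory of .md attachments, the output is a short list of targets to inspect by hand; anything with a scheme you do not recognise should be checked against the protocol handlers registered on the fleet (HKEY_CLASSES_ROOT keys carrying a "URL Protocol" value) before users are allowed to open the file.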

  • OysterLoader, also known as Broomstick and CleanUp, is a multi-stage malware loader written in C++ that reaches victims mainly through fake websites impersonating legitimate software downloads. First reported in June 2024, it is associated with the Rhysida ransomware group and has been used to distribute various malware families, including the Vidar infostealer. The infection chain has four stages: a packer that obfuscates the payload, custom shellcode that decompresses it, a downloader that fetches further payloads, and finally execution of the core malware. OysterLoader leans on evasion: it pads execution with large numbers of benign API calls to swamp sandbox and API-monitor traces, and it resolves the APIs it actually needs dynamically so that its import table reveals little. Its C2 communication uses custom encoding and passes through multiple server layers, which helps the infection persist and evade network detection.

  • On Patch Tuesday, over 60 software vendors, including Microsoft, Adobe, and SAP, released critical security updates to address various vulnerabilities in their products. Microsoft issued patches for 59 flaws, among which were six actively exploited zero-day vulnerabilities that could allow attackers to bypass security measures and escalate privileges. Adobe updated several applications, although it reported no known exploitation of the vulnerabilities. SAP addressed two critical vulnerabilities, including a code injection flaw that could lead to full database compromise and a missing authorization check that could allow unauthorized actions by low-privileged users. Additionally, Intel and Google discovered multiple vulnerabilities in Intel's Trust Domain Extensions, highlighting the complexities introduced by new features in confidential computing. Other vendors, such as Apple, Cisco, and NVIDIA, also released updates to rectify security issues across their platforms.

New Threats

The North Korea-linked Lazarus Group is weaponizing the job hunt with its graphalgo campaign, targeting developers with high-stakes recruitment lures. A malicious NPM package named duer-js has turned the developer ecosystem into a hunting ground for Discord users and Windows systems. It hides a "Bada Stealer" payload within a labyrinth of obfuscated code. The discovery of AgreeToSteal marks a predatory new milestone: the first known instance of a malicious Microsoft Outlook add-in being weaponized for mass credential theft.

  • Cybersecurity researchers have identified a new campaign by the North Korea-linked Lazarus Group that targets developers through malicious packages in the npm and PyPI ecosystems. Codenamed "graphalgo," the campaign has been active since May 2025 and relies on fake recruitment lures to get developers to install the packages as part of a supposed coding task. The packages, "bigmathutils" among them, deploy RATs that can steal sensitive data and execute commands on infected systems; the malware uses a token-based scheme for its command-and-control traffic.

  • A malicious NPM package named "duer-js" has been found distributing the "Bada Stealer" malware, which targets Windows systems and Discord users. Published under the account "luizaearlyx," the package consists of heavily obfuscated code designed to resist analysis: a long JavaScript blob wrapped in an eval() call. Once executed, the stealer harvests passwords, cookies and credit card data from the major Chromium-based browsers and pulls tokens and profile details from Discord. The stolen data goes to a hard-coded Discord webhook and to a legitimate file-sharing service, so the exfiltration traffic blends in with ordinary use of those services. The initial payload also downloads a second obfuscated script that injects code into the Discord client, capturing login credentials and payment details in real time as the user types them.
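The two npm items above share a pattern that is cheap to screen for before a package is allowed into a build: a single eval() over a very long string literal, hex-escaped string tables and obfuscator-style `_0x` identifiers, and a hard-coded Discord webhook for exfiltration. The Python below is an added example, not code from the briefing or from the researchers who analysed duer-js; it scores one JavaScript file on those traits and can walk an unpacked package directory. The sample source it ships with is constructed to mimic the described traits and is not the real package.

```python
import os
import re

# Constructed stand-in for a malicious package's entry file. It mimics the
# traits in the write-up (hex-escaped string table, eval() of a long blob,
# a hard-coded Discord webhook) but is not the real duer-js code.
SAMPLE_JS = (
    'const _0x4f2a = ["\\x63\\x68\\x69\\x6c\\x64\\x5f\\x70\\x72\\x6f\\x63\\x65\\x73\\x73",'
    ' "\\x65\\x78\\x65\\x63"];\n'
    'eval("' + "Aa0+/" * 800 + '");\n'
    'const hook = "https://discord.com/api/webhooks/1234567890/abcDEF_ghi-jkl";\n'
    'require(_0x4f2a[0]);\n'
)
BENIGN_JS = "module.exports = (a, b) => a + b;\n"

EVAL_BLOB = re.compile(r'\b(?:eval|Function)\s*\(\s*(["\'`])(.*?)\1', re.DOTALL)
WEBHOOK = re.compile(r'https://discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_-]+')
HEX_ESCAPE = re.compile(r'\\x[0-9A-Fa-f]{2}')
HEX_IDENT = re.compile(r'\b_0x[0-9a-fA-F]{3,}\b')
# Literal requires only: require(_0x4f2a[0]) in the sample is deliberately
# missed, which is why the string-table heuristics below matter.
NATIVE_REQUIRE = re.compile(r'require\(\s*["\'](child_process|os|fs|https?)["\']\s*\)')

MIN_BLOB_CHARS = 1000   # a single eval'd literal this long is rarely hand-written


def triage_package_source(source):
    """Score one JavaScript file for the obfuscation and exfiltration traits above."""
    blobs = [len(m.group(2)) for m in EVAL_BLOB.finditer(source)]
    hex_chars = 4 * len(HEX_ESCAPE.findall(source))          # each \xNN is 4 chars
    metrics = {
        "eval_blob_chars": max(blobs, default=0),
        "hex_escape_ratio": round(hex_chars / max(len(source), 1), 3),
        "hex_identifiers": sorted(set(HEX_IDENT.findall(source))),
        "discord_webhooks": WEBHOOK.findall(source),
        "sensitive_requires": sorted(set(NATIVE_REQUIRE.findall(source))),
    }
    indicators = []
    if metrics["eval_blob_chars"] >= MIN_BLOB_CHARS:
        indicators.append("eval of a long string literal")
    if metrics["hex_escape_ratio"] > 0.1:
        indicators.append("hex-escaped string table")
    if metrics["hex_identifiers"]:
        indicators.append("obfuscator-style _0x identifiers")
    if metrics["discord_webhooks"]:
        indicators.append("hard-coded Discord webhook")
    metrics["indicators"] = indicators
    # A webhook or a long eval'd blob is damning on its own; the rest corroborates.
    strong = {"eval of a long string literal", "hard-coded Discord webhook"}
    hit = bool(strong & set(indicators)) or len(indicators) >= 2
    metrics["verdict"] = "suspicious" if hit else "clean"
    return metrics


def triage_tree(root):
    """Triage every .js/.cjs/.mjs file under an unpacked package directory."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith((".js", ".cjs", ".mjs")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    result = triage_package_source(fh.read())
                if result["verdict"] == "suspicious":
                    hits[path] = result["indicators"]
    return hits


if __name__ == "__main__":
    print(triage_package_source(SAMPLE_JS)["indicators"])
```

Point `triage_tree` at the directory left by `npm pack` plus `tar -xzf`, or at a fresh `node_modules`, to get a list of files worth opening before the install scripts ever run. Heuristics of this kind produce false positives on legitimately minified bundles, so treat a hit as a reason to read the file, not as a verdict by itself.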

  • Cybersecurity researchers have identified the first known case of a Microsoft Outlook add-in being turned into a credential-theft tool, dubbed "AgreeToSteal," which has captured over 4,000 Microsoft credentials. The add-in itself, built to help users manage calendars and share availability, was legitimate but abandoned: it had last been updated in December 2022 and the domain it loaded its pages from had lapsed. An unknown attacker registered that domain, and because Outlook fetches the add-in's content from the domain named in its manifest every time the add-in runs, every user who still had it installed was silently served a fake Microsoft login page. Captured credentials were exfiltrated via the Telegram Bot API.
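The practitioner's takeaway from AgreeToSteal is that an installed add-in is only as trustworthy as the domains in its manifest, and those domains can change hands after the vendor stops paying attention. The Python below is an added example, not code from the briefing or from the researchers, that parses an Outlook add-in manifest, collects every hostname the add-in may load pages or images from (AppDomain entries, SourceLocation and bt:Url DefaultValue attributes) and flags names that no longer resolve. The manifest is a constructed sample with made-up vendor, GUID and domains; "lapsed-helper-domain.example" plays the role of the abandoned domain. Note the caveat in the code: a name that does resolve may already have been re-registered by someone else, which is exactly what happened here, so the list should also be compared against the vendor's known domains and each domain's registration date.

```python
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample manifest (vendor, GUID and domains are made up). The
# "lapsed-helper-domain.example" entry plays the role of the abandoned domain.
SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:bt="http://schemas.microsoft.com/office/officeappbasictypes/1.0"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000001</Id>
  <Version>1.0.0.0</Version>
  <ProviderName>Example Vendor</ProviderName>
  <DefaultLocale>en-US</DefaultLocale>
  <DisplayName DefaultValue="Calendar Helper"/>
  <Description DefaultValue="Shares your availability"/>
  <AppDomains>
    <AppDomain>https://cdn.addin-vendor.example</AppDomain>
  </AppDomains>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://app.addin-vendor.example/read.html"/>
        <RequestedHeight>250</RequestedHeight>
      </DesktopSettings>
    </Form>
  </FormSettings>
  <VersionOverrides xmlns="http://schemas.microsoft.com/office/mailappversionoverrides"
                    xsi:type="VersionOverridesV1_0">
    <Resources>
      <bt:Urls>
        <bt:Url id="Taskpane.Url" DefaultValue="https://app.addin-vendor.example/taskpane.html"/>
        <bt:Url id="Commands.Url" DefaultValue="https://lapsed-helper-domain.example/commands.html"/>
      </bt:Urls>
    </Resources>
  </VersionOverrides>
</OfficeApp>
"""


def code_origins(manifest_xml):
    """Map each hostname the add-in may load pages or images from to the
    manifest fields that reference it."""
    origins = {}
    for el in ET.fromstring(manifest_xml).iter():
        tag = el.tag.split("}")[-1]                      # drop the XML namespace
        refs = []
        if tag == "AppDomain" and el.text:
            refs.append((el.text.strip(), "AppDomain"))
        value = el.get("DefaultValue", "")
        if value.startswith(("http://", "https://")):
            field = f"{tag} id={el.get('id')}" if el.get("id") else tag
            refs.append((value, field))
        for url, field in refs:
            host = urlsplit(url).hostname
            if host:
                origins.setdefault(host.lower(), []).append(field)
    return origins


def dns_probe(host):
    """True if the name currently resolves. A lapsed domain usually does not,
    but one that has already been re-registered by an attacker does."""
    try:
        socket.gethostbyname(host)
        return True
    except OSError:
        return False


def review(manifest_xml, probe=dns_probe):
    """One row per origin; rows with resolves=False are takeover candidates.
    Resolving names still need checking against the vendor's known domains
    and the domain's registration date versus the add-in's last update."""
    return [{"host": host, "used_by": fields, "resolves": probe(host)}
            for host, fields in sorted(code_origins(manifest_xml).items())]


if __name__ == "__main__":
    for row in review(SAMPLE_MANIFEST):
        print(row)
```

Tenant admins can export the manifests of centrally deployed add-ins from the Microsoft 365 admin center and feed them through `review`; for user-installed add-ins the same manifests are what Outlook downloaded at install time, so the list of origins is the list of parties who can push a login page into your users' mail client.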

  • Apple has released critical updates for iOS and macOS to address a zero-day vulnerability, tracked as CVE-2026-20700, which affects the dyld system component responsible for loading dynamic libraries. This memory corruption flaw has been exploited in sophisticated attacks targeting specific individuals, and its exploitation is linked to two previously patched vulnerabilities in WebKit. Apple noted that the updates, included in iOS 26.3 and other system releases, resolve nearly 40 vulnerabilities in iOS and iPadOS, and over 50 in macOS Tahoe. The security patches also address issues that could lead to information exposure, denial-of-service, and arbitrary code execution.
