The week of February 10-16, 2026 marked a dangerous acceleration in attacker timelines and technique sophistication. BeyondTrust confirmed active in-the-wild exploitation of CVE-2026-1731 (CVSS 9.9) just 7 days after patch release. Warlock ransomware operators executed a textbook 6-7 day dwell time strategy against SmarterTools before encryption. North Korea’s UNC1069 escalated social engineering with AI-generated deepfake video interviews targeting cryptocurrency firms. Infostealers evolved to harvest OpenClaw AI agent gateway tokens. Proxyware campaigns weaponized legitimate 7-Zip installers from domain squatters.
Strategic Observation: Attackers demonstrated mastery of the “quiet persistence” model: initial access without immediate destruction, enabling maximum lateral movement before detection. The convergence of zero-day exploitation (BeyondTrust), tactical patience (Warlock), synthetic media (UNC1069), and emerging technology targeting (AI agents) signals 2026’s threat tempo.
Incident 1: BeyondTrust Remote Support Zero-Day Exploitation (CVE-2026-1731)
Date of Report: February 13, 2026
Overview
watchTor threat researchers confirmed active exploitation of CVE-2026-1731, a critical pre-authentication Remote Code Execution vulnerability in BeyondTrust Remote Support and Privileged Remote Access. The flaw enables unauthenticated attackers to execute arbitrary OS commands as the “site user” service account via malformed HTTP requests to the management interface.
Explanation
The vulnerability stems from improper input validation in the authentication layer. User-supplied data containing OS command metacharacters (; | & < > and parentheses) bypasses sanitization controls and reaches command execution functions directly.
Attack Vector: Remote unauthenticated HTTP POST to /api/ endpoints
Mechanism: Command injection via unsanitized HTTP headers/parameters
Actor Behavior: Immediate reconnaissance (whoami, net user, systeminfo) followed by persistence via new account creation
Impact
Operational: Complete compromise of remote access infrastructure exposing all customer sessions and cached credentials
Strategic: Lateral movement vector into customer networks via trusted remote support channels
Supply Chain: Single BeyondTrust instance compromises entire managed customer base
Details
MITRE ATT&CK Mapping:
T1190: Exploit Public-Facing Application
T1059.003: OS Command Shell
T1136: Create Account
IOCs (Indicators of Compromise):
- HTTP POST /api/ containing command metacharacters
- Windows Event ID 4688: cmd.exe child process of svchost.exe
- Reconnaissance commands in application logs
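The two log-based indicators above can be hunted mechanically. The following is an added example, not code from the original report or from BeyondTrust: it runs two checks over constructed sample data, a POST to /api/ whose decoded parameter values carry shell metacharacters, and a Windows Event ID 4688 record where cmd.exe is spawned by svchost.exe. The access-log and event line formats are assumptions chosen for the illustration; adapt the two parsers to your own sources.

```python
"""Added example (not from the original report): flag the two log-based IOCs
described for CVE-2026-1731 in constructed sample data."""
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Metacharacters named in the advisory text: ; | & < > ( )
METACHARS = re.compile(r"[;|&<>()]")
# Assumed access-log shape: <ip> <method> <path?query> <status> "<form-encoded body>"
ACCESS_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "(.*)"$')


def _form_values(encoded: str):
    """Yield URL-decoded values of an application/x-www-form-urlencoded string.
    Only values are inspected, so the '&' separating fields is not a false hit."""
    for pair in encoded.split("&"):
        if not pair:
            continue
        _key, _sep, value = pair.partition("=")
        yield unquote_plus(value)


def suspicious_api_request(line: str) -> bool:
    """True when a POST to /api/ carries shell metacharacters after decoding."""
    m = ACCESS_LINE.match(line)
    if not m:
        return False
    _ip, method, target, _status, body = m.groups()
    if method != "POST":
        return False
    parts = urlsplit(target)
    if not parts.path.startswith("/api/"):
        return False
    candidates = [unquote(parts.path), *_form_values(parts.query), *_form_values(body)]
    return any(METACHARS.search(v) for v in candidates)


def parse_kv_event(line: str) -> dict:
    """Parse an assumed 'Key=Value Key=Value' rendering of a Security event."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def suspicious_process_creation(event: dict) -> bool:
    """True for Event ID 4688 where cmd.exe's parent is svchost.exe."""
    if str(event.get("EventID")) != "4688":
        return False
    child = event.get("NewProcessName", "").lower().rsplit("\\", 1)[-1]
    parent = event.get("ParentProcessName", "").lower().rsplit("\\", 1)[-1]
    return child == "cmd.exe" and parent == "svchost.exe"


# Constructed sample data; addresses are from the documentation range.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 POST /api/v1/session 200 "user=alice&pw=s3cret"',
    '203.0.113.7 POST /api/v1/session 500 "user=a%3Bwhoami&pw=x"',  # ';' after decoding
    '203.0.113.9 GET /api/v1/health 200 ""',
    '203.0.113.11 POST /static/upload 200 "name=a|b"',  # not under /api/
]
SAMPLE_4688 = [
    r"EventID=4688 NewProcessName=C:\Windows\System32\cmd.exe ParentProcessName=C:\Windows\System32\svchost.exe",
    r"EventID=4688 NewProcessName=C:\Windows\System32\cmd.exe ParentProcessName=C:\Windows\explorer.exe",
    r"EventID=4624 NewProcessName=C:\Windows\System32\cmd.exe ParentProcessName=C:\Windows\System32\svchost.exe",
]


def hunt(access_lines, event_lines):
    """Return (indicator, raw line) pairs for every matching record."""
    hits = []
    for ln in access_lines:
        if suspicious_api_request(ln):
            hits.append(("api_metachar", ln))
    for ln in event_lines:
        if suspicious_process_creation(parse_kv_event(ln)):
            hits.append(("cmd_from_svchost", ln))
    return hits


if __name__ == "__main__":
    for indicator, line in hunt(SAMPLE_ACCESS_LOG, SAMPLE_4688):
        print(indicator, "->", line)
```

The metacharacter check is deliberately applied to decoded parameter values rather than the raw line, so legitimate query-string separators do not fire; tune the character class if your application legitimately accepts parentheses in form fields.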
Remediation:
Patch: BeyondTrust 25.1 or BT26-02 hotfix
Workaround: Restrict management interface to trusted IP ranges/VPN only
Takeaway for CISO
Remote access appliances represent the highest-value attack surface. The 7-day disclosure-to-exploitation timeline demands continuous asset discovery and vulnerability assessment of all instances, including undocumented “shadow” deployments.
Incident 2: Warlock Ransomware Compromises SmarterTools
Date of Report: February 10, 2026
Overview
Warlock ransomware operators breached SmarterTools via CVE-2026-23760 (authentication bypass) in unpatched SmarterMail Build 9510. Attackers maintained 6-7 day dwell time, achieving domain admin compromise across 12 Windows servers before executing encryption.
Explanation
The /api/admin/password-reset endpoint accepted anonymous requests without authentication validation, enabling immediate admin account takeover. Attackers escalated privileges via Active Directory token impersonation and deployed Velociraptor for forensic cleanup.
Attack Vector: Unauthenticated API access to SmarterMail management
Mechanism: Missing authentication checks on password reset functionality
Actor Behavior: Extended reconnaissance period evading behavioral detection
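The root cause described above, a password-reset endpoint that never checks who is calling, is easiest to see next to its fixed form. The following is an added example and is not SmarterMail code: it models an anonymous reset handler beside a hardened one that requires a valid session and either an admin role or ownership of the target account. The request shape, session store, role names and PBKDF2 password storage are all assumptions for the illustration.

```python
"""Added example (not SmarterMail's code): the missing-authentication pattern
behind CVE-2026-23760 as described in the report, beside a hardened handler."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, role: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash(password, salt), "role": role}


def fresh_users() -> dict:
    """Constructed user table; 'admin' and 'user' roles are assumed names."""
    return {"admin": make_user("oldpass", "admin"), "bob": make_user("bobpass", "user")}


def login(users: dict, sessions: dict, username: str, password: str):
    """Return a bearer token on success, None otherwise."""
    u = users.get(username)
    if not u or not hmac.compare_digest(u["hash"], _hash(password, u["salt"])):
        return None
    token = secrets.token_urlsafe(32)
    sessions[token] = username
    return token


def set_password(users: dict, username: str, new_password: str) -> None:
    salt = secrets.token_bytes(16)
    users[username]["salt"] = salt
    users[username]["hash"] = _hash(new_password, salt)


def vulnerable_password_reset(req: Request, users: dict, sessions: dict) -> int:
    """The flaw as the report describes it: the caller's identity is never checked."""
    set_password(users, req.body["username"], req.body["new_password"])
    return 200


def hardened_password_reset(req: Request, users: dict, sessions: dict) -> int:
    """Require an authenticated caller who is an admin or the account owner."""
    token = req.headers.get("Authorization", "").removeprefix("Bearer ").strip()
    caller = sessions.get(token) if token else None
    if caller is None:
        return 401  # anonymous requests are rejected before any state changes
    target = req.body.get("username")
    if target not in users:
        return 404
    if users[caller]["role"] != "admin" and caller != target:
        return 403  # a plain user may only reset their own password
    set_password(users, target, req.body["new_password"])
    return 200


def takeover_attempt(handler) -> tuple:
    """Send an anonymous reset for 'admin' through the given handler and report
    (HTTP status, whether 'admin' can now log in with the attacker-chosen value)."""
    users, sessions = fresh_users(), {}
    req = Request(body={"username": "admin", "new_password": "attacker-chosen"})
    status = handler(req, users, sessions)
    return status, login(users, sessions, "admin", "attacker-chosen") is not None


if __name__ == "__main__":
    print("vulnerable:", takeover_attempt(vulnerable_password_reset))  # (200, True)
    print("hardened:  ", takeover_attempt(hardened_password_reset))    # (401, False)
```

The authentication check sits before any lookup or write, so an anonymous caller learns nothing about which accounts exist; the authorization check is separate, so a low-privilege session cannot reset an administrator.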
Impact
Operational: Hosted customer email and ticketing systems disrupted
Infrastructure: Complete Active Directory compromise requiring full rebuild
Strategic: SmarterTools abandoned Windows infrastructure entirely post-incident
Details
MITRE ATT&CK Mapping:
T1190: Exploit Public-Facing Application
T1550.003: Pass the Ticket
T1486: Data Encrypted for Impact
IOCs:
- Velociraptor processes executing
- .warlock file extensions
- Scheduled tasks with encoded payloads
Remediation:
Patch: SmarterMail Build 9526 (January 22 release)
Recovery: Full AD credential rotation and infrastructure rebuild
Takeaway for CISO
The 14-day patch-to-breach window proves that critical patches must be deployed within 72 hours at most. Single-platform identity architectures create unacceptable risk when domain admin falls.
Incident 3: UNC1069 Deepfake Social Engineering Campaign
Date of Report: February 11, 2026
Overview
Mandiant attributed an active social engineering campaign targeting cryptocurrency organizations to North Korea’s UNC1069 group. Attackers used AI-generated deepfake video calls delivered via compromised Telegram accounts to execute ClickFix attacks stealing wallet credentials.
Explanation
Compromised Telegram accounts sent legitimate-looking Zoom invitations linking to attacker-controlled domains hosting real-time deepfake video streams. Victims received troubleshooting instructions from synthetic recreations of legitimate coworkers, convincing them to execute malicious JavaScript via browser developer tools.
Attack Vector: Spear-phishing via compromised legitimate accounts
Mechanism: AI-generated synthetic media + ClickFix browser exploitation
Actor Behavior: Multi-stage social engineering leveraging visual impersonation
Impact
Financial: Direct cryptocurrency wallet theft and exchange account compromise
Operational: API key exfiltration enabling automated trading manipulation
Strategic: Potential losses in the millions of USD per compromised organization
Details
MITRE ATT&CK Mapping:
T1566.002: Spearphishing Link
T1204.001: Malicious Link
T1555.003: Credentials from Web Browsers
IOCs:
- Fake Zoom domains (zoom-conference-link.xyz pattern)
- JavaScript fetch() blob download patterns
- Browser developer tools access events
Remediation:
Controls: Disable F12 developer tools enterprise-wide; browser extension whitelisting
Takeaway for CISO
Synthetic media renders traditional visual identity verification obsolete. Cryptocurrency operations require strict out-of-band confirmation protocols bypassing all media channels.
Incident 4: OpenClaw AI Agent Credential Theft
Date of Report: February 16, 2026
Overview
Infostealer malware evolved to target OpenClaw AI agent configuration files on developer workstations, exfiltrating gateway authentication tokens and integrated service credentials enabling remote agent hijacking.
Explanation
Malware scans for ~/.config/openclaw/config.yaml containing gateway tokens, Slack API keys, Gmail OAuth tokens, and AWS access credentials. Compromised tokens grant attackers authenticated remote control of AI agents operating within victim context.
Attack Vector: Traditional infostealer infection vectors
Mechanism: File-based credential harvesting from AI agent configurations
Actor Behavior: Pivot from developer workstations to corporate service access
Impact
Operational: Hijacked AI agents execute tasks across integrated services
Persistent: Remote access through embedded authentication material
Lateral: Access to Slack, email, cloud infrastructure via legitimate agent context
Details
MITRE ATT&CK Mapping:
T1555: Credentials from Password Stores
T1041: Exfiltration Over C2 Channel
IOCs:
- File access to ~/.config/openclaw/ directories
- Suspicious process access to agent configuration files
Remediation:
Controls: chmod 700 on agent directories; migrate to secrets management; containerized execution
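The two controls above, owner-only permissions and moving credentials out of the config file, can be checked in one audit. The following is an added example and not OpenClaw's code: it builds a throwaway look-alike of ~/.config/openclaw with group/world-readable permissions and literal secrets in config.yaml, audits it, applies the chmod 700 remediation, and audits again. The directory layout, YAML key names, and the ${ENV} / vault: reference syntaxes it treats as acceptable are assumptions modelled on the report's description.

```python
"""Added example (not OpenClaw's code): audit an agent configuration directory
for permissions wider than the owner and for plaintext credentials."""
import os
import re
import stat
import tempfile
from pathlib import Path

# Key names that commonly carry secrets (assumed; extend for your agent).
SECRET_KEY_RE = re.compile(r"(token|secret|api[_-]?key|password|access[_-]?key)", re.I)
# Values shaped like an AWS access key id are flagged regardless of key name.
AWS_AKID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Constructed sample config; every value is a labelled placeholder.
CONSTRUCTED_CONFIG = """\
gateway:
  url: https://gateway.example.invalid
  token: "gw-PLACEHOLDER-not-a-real-token"
integrations:
  slack_api_key: xoxb-PLACEHOLDER
  aws_access_key_id: ${AWS_ACCESS_KEY_ID}
  aws_secret_access_key: vault:kv/agents/openclaw#secret
  gmail_client_id: 1234.apps.example
"""


def too_permissive(path: Path) -> bool:
    """True if group or others have any permission bit on the path."""
    mode = stat.S_IMODE(path.stat().st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def plaintext_secrets(config_text: str) -> list:
    """Return YAML keys whose values look like literal secrets, not references."""
    found = []
    for line in config_text.splitlines():
        m = re.match(r"^\s*([\w.-]+)\s*:\s*(.*?)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        value = value.strip("\"'")
        if not value:
            continue  # section header such as 'gateway:'
        # Assumed reference syntaxes: env-var expansion or a vault path.
        is_reference = value.startswith("${") or value.startswith("vault:")
        if (SECRET_KEY_RE.search(key) or AWS_AKID_RE.search(value)) and not is_reference:
            found.append(key)
    return found


def audit_agent_dir(agent_dir: Path) -> dict:
    findings = {"world_or_group_accessible": [], "plaintext_secrets": {}}
    for p in [agent_dir, *sorted(agent_dir.rglob("*"))]:
        if too_permissive(p):
            findings["world_or_group_accessible"].append(str(p.relative_to(agent_dir.parent)))
    cfg = agent_dir / "config.yaml"
    if cfg.is_file():
        keys = plaintext_secrets(cfg.read_text())
        if keys:
            findings["plaintext_secrets"][cfg.name] = keys
    return findings


def harden_permissions(agent_dir: Path) -> None:
    """The report's chmod 700 control, applied to the directory and its files."""
    os.chmod(agent_dir, 0o700)
    for p in agent_dir.rglob("*"):
        os.chmod(p, 0o700 if p.is_dir() else 0o600)


def build_sample_dir() -> Path:
    """Construct a throwaway openclaw directory in the weak state."""
    root = Path(tempfile.mkdtemp())
    agent = root / "openclaw"
    agent.mkdir()
    os.chmod(agent, 0o755)  # group/world readable: what chmod 700 fixes
    cfg = agent / "config.yaml"
    cfg.write_text(CONSTRUCTED_CONFIG)
    os.chmod(cfg, 0o644)
    return agent


if __name__ == "__main__":
    agent = build_sample_dir()
    print("before:", audit_agent_dir(agent))
    harden_permissions(agent)
    print("after: ", audit_agent_dir(agent))
```

Permissions are fixable in place, but the plaintext findings persist until the values are replaced by references into a secrets manager, which is why the audit reports them separately.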
Takeaway for CISO
AI agents represent privileged service accounts requiring enterprise-grade credential protection, not developer workstation security controls.
Incident 5: Trojanized 7-Zip Proxyware Distribution
Date of Report: February 8-9, 2026
Overview
Domain squatters registered 7zip.com to distribute trojanized 7-Zip installers deploying hero.exe proxyware. Victims received functional compression software plus residential proxy nodes routing attacker traffic through corporate networks.
Explanation
Installers deployed legitimate 7-Zip functionality alongside proxyware establishing Windows services listening on ports 1000/1002. Malware maintains persistence through multiple mechanisms while phoning home to smshero.xyz command-and-control domains.
Attack Vector: Domain confusion (7zip.com vs legitimate 7-zip.org)
Mechanism: Supply chain compromise of legitimate software installer
Actor Behavior: Perfect masquerading: functional software hides malware deployment
Impact
Operational: Employee workstations converted to attacker proxy infrastructure
Strategic: Residential IP reputation enables fraud and account takeover operations
Legal: Potential liability if proxy traffic used for criminal activity
Details
MITRE ATT&CK Mapping:
T1195.003: Compromise Software Supply Chain
T1090: Proxy
IOCs:
- hero.exe Windows service
- Ports 1000/TCP, 1002/TCP listening
- smshero.xyz C2 domains
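Both this incident (7zip.com versus the legitimate 7-zip.org) and Incident 3 (the zoom-conference-link.xyz pattern) turn on a domain that carries a trusted brand name without being the brand's registrable domain. The following is an added example, not code from the original report: it flags such lookalikes in a constructed list of observed domains by normalizing separators, extracting the registrable domain, and comparing against a per-brand allowlist. The allowlist entries other than 7-zip.org, which the report names, and the sample observations are assumptions.

```python
"""Added example (not from the original report): flag brand-bearing lookalike
domains of the kind seen in Incidents 3 and 5."""
import re

# Brand tokens and the registrable domains legitimately allowed to carry them.
# 7-zip.org is the vendor's site per the report; zoom.us is an assumed example.
BRANDS = {
    "zoom": {"zoom.us"},
    "7zip": {"7-zip.org"},
}


def registrable(domain: str) -> str:
    """Last two labels: adequate for .com/.org/.xyz/.us. Add public-suffix
    handling (co.uk and similar) before using this on broad ccTLD traffic."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(name: str) -> str:
    """Collapse separators so 7-zip, 7zip and 7_zip compare equal."""
    return re.sub(r"[-_.]", "", name.lower())


def lookalike_brand(domain: str):
    """Return the brand a domain imitates, or None if it is allowed or unrelated."""
    reg = registrable(domain)
    flat = normalize(domain)
    for brand, allowed in BRANDS.items():
        if brand in flat and reg not in allowed:
            return brand
    return None


def triage(domains) -> dict:
    """Map each flagged domain to the brand it imitates."""
    return {d: b for d in domains if (b := lookalike_brand(d))}


# Constructed observations; the two .xyz/.com entries mirror the report's patterns.
CONSTRUCTED_OBSERVED = [
    "zoom.us",
    "us02web.zoom.us",
    "zoom-conference-link.xyz",
    "7-zip.org",
    "7zip.com",
    "www.7zip.com",
    "example.org",
]

if __name__ == "__main__":
    for domain, brand in triage(CONSTRUCTED_OBSERVED).items():
        print(f"{domain}: imitates {brand}")
```

Substring matching on the brand token is intentionally broad and will also catch unrelated names that happen to contain it; in practice the output is a triage queue for DNS or proxy logs, not a block decision on its own.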
Remediation:
Controls: Application whitelisting; netstat monitoring for proxy ports
Takeaway for CISO
Domain confusion remains effective against technical users. Legitimate software functionality provides perfect malware cover requiring behavioral detection beyond signatures.
