Critical vulnerabilities dominated with Microsoft Patch Tuesday addressing 6 zero-days (CVE-2026-21510, CVE-2026-21513, CVE-2026-21514, CVE-2026-21519, CVE-2026-21533) exploited in Windows Shell and Office. ZLAN ICS devices face complete takeover via CVE-2026-XXXX series. Warlock ransomware exploited CVE-2026-23760 in SmarterMail. TeamPCP worm compromised 60K cloud servers. North Korea’s UNC1069 deployed AI deepfakes against crypto firms. FileZen command injection (CVE-2026-25108) and BeyondTrust pre-auth RCE (CVE-2026-1731) emerged as supply chain threats.
Emerging Hacking Techniques
AI-Powered Deepfake Lures (UNC1069)
Overview:
North Korea-linked UNC1069 used AI-generated deepfake video interviews (Feb 11) targeting cryptocurrency firms.
Technical Details:
Attackers created realistic LinkedIn profiles with AI-generated faces/voices. Victims received tailored phishing lures promising blockchain developer roles. Clicking led to malware C2 via compromised npm packages. Deepfake videos used Stable Diffusion variants with voice cloning via ElevenLabs API derivatives.
Impact:
14 organizations breached; source code exfiltrated; $3.2M cryptocurrency stolen.
CISO Takeaway:
Deploy AI content detection (Hive Moderation, Reality Defender). Block npm package downloads from unverified sources. Implement developer workstation EDR.
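The npm angle of this campaign is the one control a developer-platform team can enforce mechanically. As an added example (not from the digest or any vendor), the script below audits a package-lock.json in the lockfileVersion 2/3 layout and flags any dependency whose `resolved` URL is not the public registry over HTTPS, or that lacks a sha512 integrity hash. The lockfile contents, package names and hosts are constructed placeholders; the single allowed registry host is an assumption you would replace with your internal proxy.

```python
"""Added example: audit a package-lock.json for dependencies that did not
come from an approved registry or lack an integrity hash.

The lockfile below is constructed; package names, hosts and hashes are
placeholders. ALLOWED_REGISTRY_HOSTS is an assumption (public registry only).
"""
import json
from urllib.parse import urlsplit

ALLOWED_REGISTRY_HOSTS = {"registry.npmjs.org"}   # assumption: replace with your proxy host


def audit_lockfile(lock: dict, allowed_hosts=ALLOWED_REGISTRY_HOSTS):
    """Return (package name, reason) pairs for every entry that fails policy."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "" or meta.get("link"):          # root project entry or workspace symlink
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # nested deps are node_modules/a/node_modules/b
        resolved = meta.get("resolved")
        if resolved is None:
            findings.append((name, "no resolved URL"))
            continue
        url = urlsplit(resolved)
        # Anything not https to an approved host (http mirrors, git+ssh, bare IPs) is flagged.
        if url.scheme != "https" or url.netloc not in allowed_hosts:
            findings.append((name, f"resolved from {resolved}"))
        if not meta.get("integrity", "").startswith("sha512-"):
            findings.append((name, "missing or weak integrity hash"))
    return findings


# Constructed lockfile: one clean entry, one pulled from a raw IP over http,
# one nested git dependency with no integrity field at all.
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"left-pad-ish": "1.0.0"}},
        "node_modules/left-pad-ish": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.0.0.tgz",
            "integrity": "sha512-PLACEHOLDERxxxx"},
        "node_modules/helper-kit": {
            "version": "2.3.1",
            "resolved": "http://203.0.113.5/pkgs/helper-kit-2.3.1.tgz",
            "integrity": "sha512-PLACEHOLDERyyyy"},
        "node_modules/helper-kit/node_modules/tiny-dep": {
            "version": "0.1.0",
            "resolved": "git+ssh://git@example.invalid/tiny-dep.git#abc123"},
    },
}


def audit_lockfile_text(text: str):
    """Convenience wrapper for running against a real file's contents."""
    return audit_lockfile(json.loads(text))


if __name__ == "__main__":
    for name, reason in audit_lockfile(SAMPLE_LOCK):
        print(f"{name}: {reason}")
```

Run it in CI against the committed lockfile and fail the build on any finding; pair it with an `.npmrc` that points `registry` at the same approved host so new installs cannot introduce entries the audit would reject.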
Cloud-Native Worm Propagation (TeamPCP)
Overview:
TeamPCP worm (Feb 9-12) exploited misconfigured AWS/Azure/GCP metadata services across 60K+ servers.
Technical Attack Flow:
- Metadata Service Abuse: `curl http://169.254.169.254/latest/meta-data/iam/security-credentials/`
- Privilege Escalation: IAM role token exfiltration to C2
- Lateral Movement: SSM Agent exploitation → cross-account role assumption
- Persistence: CloudFormation stack modification with backdoor Lambdas
Impact:
Complete cloud environment compromise; cryptocurrency mining; data exfiltration to 15+ S3 buckets.
CISO Takeaway:
Implement CloudTrail log forwarding to external SIEM within 5 minutes. Restrict metadata service access (IMDSv2). Audit SSM Agent configurations quarterly.
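Two of the takeaways above (enforce IMDSv2, get CloudTrail into a SIEM fast) only pay off if something actually checks the data. The script below is an added example, not TeamPCP tooling or anything from the digest: `audit_imds` walks a describe-instances style document and lists instances still reachable over IMDSv1, and `find_credential_exfiltration` replays the detection behind the "IAM role token exfiltration" step, flagging an instance-role credential (ASIA key id with `sessionContext.ec2RoleDelivery`, a real CloudTrail field) that is later used from outside the VPC. Instance ids, IPs, key ids and the trusted address range are constructed.

```python
"""Added example: two defender-side checks against the cloud worm flow above.

1. audit_imds(): list EC2 instances whose metadata endpoint still accepts
   IMDSv1 (HttpEndpoint enabled but HttpTokens not "required").
2. find_credential_exfiltration(): over CloudTrail-style records, flag an
   instance-role credential used from an IP outside the trusted ranges.

All ids, IPs, key ids and the trusted network are constructed/assumed.
"""
from collections import defaultdict
import ipaddress

# Constructed: shape mirrors `aws ec2 describe-instances` output, trimmed to the fields used.
DESCRIBE_INSTANCES = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa111", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
        {"InstanceId": "i-0bbb222", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
        {"InstanceId": "i-0ccc333", "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
    ]}]
}


def audit_imds(doc):
    """Return instance ids that still answer unauthenticated IMDSv1 requests."""
    findings = []
    for res in doc.get("Reservations", []):
        for inst in res.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                findings.append(inst["InstanceId"])
    return findings


# Constructed CloudTrail-style records. ec2RoleDelivery "1.0" means the credential
# was handed out by IMDSv1; "2.0" would mean IMDSv2.
CLOUDTRAIL = [
    {"eventTime": "2026-02-10T01:00:00Z", "eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE000000001", "sessionContext": {"ec2RoleDelivery": "1.0"}}},
    {"eventTime": "2026-02-10T01:07:00Z", "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE000000001", "sessionContext": {"ec2RoleDelivery": "1.0"}}},
    {"eventTime": "2026-02-10T01:09:00Z", "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE000000001", "sessionContext": {"ec2RoleDelivery": "1.0"}}},
    {"eventTime": "2026-02-10T02:00:00Z", "eventName": "ListBuckets", "sourceIPAddress": "10.0.2.9",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE000000002", "sessionContext": {"ec2RoleDelivery": "1.0"}}},
]

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumption: your VPC / NAT egress ranges


def _trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_credential_exfiltration(records):
    """Group events by instance-role access key; alert on keys used from untrusted IPs."""
    by_key = defaultdict(list)
    for rec in records:
        ident = rec.get("userIdentity", {})
        key = ident.get("accessKeyId", "")
        # Only temporary keys delivered by the instance metadata service are of interest here.
        if key.startswith("ASIA") and "ec2RoleDelivery" in ident.get("sessionContext", {}):
            by_key[key].append(rec)
    alerts = []
    for key, events in by_key.items():
        outside = [e for e in events if not _trusted(e["sourceIPAddress"])]
        if outside:
            alerts.append({
                "accessKeyId": key,
                "externalIPs": sorted({e["sourceIPAddress"] for e in outside}),
                "events": [e["eventName"] for e in outside],
            })
    return alerts


if __name__ == "__main__":
    print("IMDSv1 exposed:", audit_imds(DESCRIBE_INSTANCES))
    for alert in find_credential_exfiltration(CLOUDTRAIL):
        print("credential reuse from outside VPC:", alert)
```

The reuse check is deliberately simple: it keys on the access key id rather than on session names, so it also catches a token that was read from the metadata endpoint by a web-app SSRF and replayed from attacker infrastructure. Feed it the same CloudTrail stream you forward to the SIEM; a five-minute forwarding window is only useful if a rule like this runs on arrival.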
Critical CVEs & Zero-Days
1. Google Chrome Zero-Day (CVE-2026-2441) – Feb 15
Overview:
Type confusion in V8 JavaScript engine (discovered Feb 15).
Technical Details:
```javascript
function triggerUseAfterFree() {
  let arr = new Array(1.1); // Trigger optimization
  arr[0] = {a:1};           // Double array → dictionary
  arr.length = 0;           // Use-after-free condition
  return arr[1];            // OOB read/write
}
```
Impact:
In-the-wild exploitation confirmed; sandbox escape achieved.
CISO Takeaway:
Deploy Chrome 123.0.6312.XX immediately. Enable site isolation.
2. ZLAN ICS Devices – Multiple RCEs (Feb 12-15)
Overview:
CISA advisory on ZLAN op-ZSUN and Z-Box devices.
Technical Details: Buffer overflow in Modbus TCP handler allows code execution:
```c
// Vulnerable code pattern
memcpy(buffer, packet.data, packet.length); // No bounds checking
```
Impact:
Complete ICS device takeover; process manipulation; physical safety risks.
CISO Takeaway:
Segment OT networks. Deploy Modbus deep packet inspection.
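The memcpy pattern above fails because it trusts a length taken from the wire. As an added example (not ZLAN firmware or anything from the CISA advisory), the validator below does the checks that pattern skips for Modbus/TCP: it parses the 7-byte MBAP header (transaction id, protocol id, length, unit id), rejects a protocol id other than 0, bounds the length field by the 253-byte PDU limit, and requires the declared length to match what actually arrived. It is the kind of check a protocol-aware gateway or the "Modbus deep packet inspection" in the takeaway would apply. The two frames are constructed.

```python
"""Added example: Modbus/TCP frame validation with the bounds checks the
vulnerable memcpy above lacks.

MBAP header (7 bytes, big-endian):
  transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1)
`length` counts the unit id plus the PDU. A PDU is at most 253 bytes, so the
length field is at most 254 and a whole frame at most 260 bytes. Copying
`length` bytes into a fixed buffer without these checks is the overflow.
The sample frames are constructed.
"""
import struct

MAX_PDU = 253
MAX_LENGTH_FIELD = MAX_PDU + 1      # unit id + PDU
MAX_FRAME = 7 + MAX_PDU             # 260 bytes on the wire
MBAP = struct.Struct(">HHHB")


class ModbusFrameError(ValueError):
    """Raised for any frame that must be dropped rather than parsed."""


def parse_modbus_tcp(frame: bytes):
    """Validate the MBAP header and return (transaction_id, unit_id, pdu)."""
    if len(frame) < MBAP.size + 1:      # header plus at least a function code byte
        raise ModbusFrameError("frame too short for MBAP header and function code")
    if len(frame) > MAX_FRAME:
        raise ModbusFrameError(f"frame of {len(frame)} bytes exceeds Modbus/TCP maximum {MAX_FRAME}")
    tid, proto, length, unit = MBAP.unpack_from(frame, 0)
    if proto != 0:
        raise ModbusFrameError(f"protocol id {proto} is not Modbus (0)")
    if not 2 <= length <= MAX_LENGTH_FIELD:
        raise ModbusFrameError(f"length field {length} outside 2..{MAX_LENGTH_FIELD}")
    # The declared length must equal the bytes that actually arrived after the first six.
    # Larger is the overflow trigger; smaller means trailing bytes nobody will parse.
    if length != len(frame) - 6:
        raise ModbusFrameError(f"length field {length} does not match frame size {len(frame)}")
    return tid, unit, frame[MBAP.size:]


def build_frame(tid: int, unit: int, pdu: bytes) -> bytes:
    """Construct a well-formed frame (used for the samples below)."""
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def is_acceptable(frame: bytes) -> bool:
    """Filter-style wrapper: True to forward the frame, False to drop it."""
    try:
        parse_modbus_tcp(frame)
        return True
    except ModbusFrameError:
        return False


# Constructed: a valid Read Holding Registers request (function 0x03, start 0, count 10),
# and the same PDU behind a header claiming 65535 bytes of payload.
GOOD_FRAME = build_frame(0x0001, 1, bytes([0x03, 0x00, 0x00, 0x00, 0x0A]))
OVERSIZED_LENGTH_FRAME = MBAP.pack(0x0002, 0, 0xFFFF, 1) + bytes([0x03, 0x00, 0x00, 0x00, 0x0A])


if __name__ == "__main__":
    print("good frame accepted:", is_acceptable(GOOD_FRAME))
    print("oversized length accepted:", is_acceptable(OVERSIZED_LENGTH_FRAME))
```

A device-side fix in C is the same three comparisons before the memcpy: reject if `packet.length` exceeds the destination buffer, if it disagrees with the bytes actually received, or if the protocol id is not zero. Placing the validator in front of the device buys time until the vendor ships that fix.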
3. Warlock Ransomware via SmarterMail (CVE-2026-23760) – Feb 10
Overview:
Storm-2603 exploited SmarterMail RCE for ransomware deployment.
Attack Chain:
- Unauthenticated API endpoint → SQLi → command execution
- Cobalt Strike beacon → domain controller compromise
- Warlock ransomware encryption
Impact:
27 organizations; $4.1M ransom demands.
CISO Takeaway:
Remove internet-facing SmarterMail. Deploy API gateway WAF.
4. FileZen Command Injection (CVE-2026-25108) – Feb 12
Overview:
OS command injection in file upload handler.
PoC:
```http
POST /upload.php?cmd=;cat+/etc/passwd HTTP/1.1
```
Impact:
Full server compromise; 1,200+ exposed instances.
CISO Takeaway:
Deploy command injection WAF rules. Audit file upload handlers.
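For the two takeaways above, here is an added example (not FileZen code; the product's actual handler is not described beyond the PoC request): a log-side detector that flags query parameters carrying shell metacharacters after fully URL-decoding them, so the `;cat+/etc/passwd` form in the PoC and a double-encoded `%253B` variant are both caught, plus the allowlist check an upload handler should apply to any name before it reaches a shell. The access-log lines, IPs and hostnames are constructed.

```python
"""Added example: detect OS command injection attempts in access logs and
show the allowlist an upload handler should apply. Sample lines, IPs and
paths are constructed; the log format assumed is Apache/nginx combined style.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Shell metacharacters and constructs that have no business in an upload parameter.
SHELL_META = re.compile(r"[;&|`$\n\r]|\$\(|\|\||&&")
# Common post-injection commands; used to raise confidence, not as the sole trigger.
SUSPICIOUS_CMDS = re.compile(r"\b(cat|id|whoami|wget|curl|nc|bash|sh|python|perl)\b")

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of URL encoding so %253B (double-encoded ';') is seen as ';'."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def split_query(query: str):
    """Split on '&' only; parse_qsl's separator handling differs across Python versions."""
    pairs = []
    for chunk in query.split("&"):
        if chunk:
            name, _, raw = chunk.partition("=")
            pairs.append((name, raw))
    return pairs


def inspect_request(target: str):
    """Return (param, decoded value, reason) for each parameter that looks like injection."""
    findings = []
    for name, raw in split_query(urlsplit(target).query):
        value = decode_fully(raw)
        if SHELL_META.search(value):
            reason = "shell metacharacter"
            if SUSPICIOUS_CMDS.search(value):
                reason += " + command keyword"
            findings.append((name, value, reason))
    return findings


def scan_log(lines):
    """Return one alert per log line whose request target carries suspicious parameters."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        hits = inspect_request(m["target"])
        if hits:
            alerts.append({"ip": m["ip"], "target": m["target"], "findings": hits})
    return alerts


# Server-side counterpart: never let a user-supplied name reach a shell unless it
# matches a strict allowlist. No path separators, no shell characters, no dotfiles.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,128}$")


def is_safe_upload_name(name: str) -> bool:
    return bool(SAFE_NAME.match(name)) and not name.startswith(".") and ".." not in name


# Constructed sample lines: the PoC request, a benign upload, a double-encoded
# attempt, and a benign query whose '+' must not be mistaken for injection.
SAMPLE_LOG = [
    '198.51.100.10 - - [12/Feb/2026:10:01:02 +0000] "POST /upload.php?cmd=;cat+/etc/passwd HTTP/1.1" 200 512',
    '198.51.100.11 - - [12/Feb/2026:10:01:05 +0000] "POST /upload.php?file=report.pdf HTTP/1.1" 200 88',
    '198.51.100.12 - - [12/Feb/2026:10:02:17 +0000] "GET /upload.php?name=a%253Bid HTTP/1.1" 200 40',
    '198.51.100.13 - - [12/Feb/2026:10:03:00 +0000] "GET /index.php?q=cats+and+dogs HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Decoding before matching is the part most WAF rule sets get wrong; a rule that inspects the raw query string misses the `%253B` line entirely. On the application side, prefer passing filenames to `subprocess.run([...])` as a list with `shell=False` over any string concatenation, and apply `is_safe_upload_name` before that call.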
Darkweb Intelligence
Ransomware Negotiations: Green Blood leaked 2.1TB Belgian government data (incident Feb 8). Beast ransomware advertised “zero detection” variant targeting healthcare (Feb 14).
Exploit Markets:
- CVE-2026-23760 SmarterMail 0-day → $42K
- ZLAN ICS exploits → $18K
- Chrome CVE-2026-2441 → Full chain $280K
Threat Actor Chatter: Russian forums discuss Microsoft zero-day chaining with Exchange Server flaws. Lazarus Group offers SOC evasion tools ($15K).
