February 26 / 2026 / Reading Time: 6 minutes

Weekly Situation Report : 2/23/26

Six active threats this week spanning Chinese and Russian state operations, ShinyHunters' enterprise SaaS campaign, and critical infrastructure vulnerabilities with no available patches. Below is our condensed analysis — the full report includes complete IOC lists, YARA rules, and detailed remediation playbooks.

ZERO DAY : Dell RecoverPoint Zero-Day Exploited by Chinese State Actors Since 2024

CVE-2026-22769 · Patched

Chinese state-sponsored actors have exploited a hardcoded credential vulnerability in Dell RecoverPoint for Virtual Machines since mid-2024, deploying two malware families — Brickstorm and its successor Grimbolt — to maintain persistent backdoors and pivot laterally through victim networks.

The vulnerability stems from Dell RecoverPoint shipping with default Apache Tomcat admin credentials (admin:admin or admin:tomcat) stored in /home/kos/tomcat9/tomcat-users.xml. Attackers leveraged these to create "Ghost NICs" — virtual network interfaces used for stealthy lateral movement that avoids traditional network monitoring. Grimbolt is compiled with C# AOT and packed with UPX, making static analysis more difficult while providing remote shell capabilities.

Exploitation has been limited to fewer than a dozen organizations. Dell has disclosed and patched.

OSec Research

Researching public honeypot data, we identified at least one additional IP (207.148.20.225, The Constant Company, last seen 2/18) attempting Tomcat manager logins — the same VPS provider as the known C2. Assessed medium confidence as related infrastructure. Infrastructure pivoting was limited by the generic nature of most signals.

What To Do

  • Patch CVE-2026-22769 immediately. If patching isn't possible, isolate Dell RecoverPoint hosts from the public internet and segment within the internal network.
  • Audit /home/kos/auditlog/fapi_cl_audit_log.log for requests to the /manager endpoint.
  • Hunt for PUT requests to /manager/text/deploy?path=/<MAL_PATH>&update=true — this indicates WAR file deployment, a likely sign of compromise.
  • Previous Brickstorm targets should specifically monitor for Grimbolt activity.


149.248.11[.]71 — C2, Vultr (The Constant Company), US
207.148.20[.]225 — Suspected related infra, same provider
→ Full indicator context in complete report
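The audit-log hunt described in the steps above, as an added example (not OSec's code or Dell's tooling): it pulls every /manager request out of a request log and separates the PUT deploys that actually dropped a WAR from refused attempts. The field layout of fapi_cl_audit_log.log is not documented on this page, so the sample lines and the parser's column order are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample of a request audit log. The real fapi_cl_audit_log.log
# layout is not documented on this page, so the field order here is assumed.
SAMPLE_AUDIT_LOG = """\
2026-02-18 03:14:07 203.0.113.10 GET /manager/html 401
2026-02-18 03:14:09 203.0.113.10 GET /manager/html 200
2026-02-18 03:15:22 203.0.113.10 PUT /manager/text/deploy?path=/svc-api&update=true 200
2026-02-18 09:02:51 10.0.0.5 GET /rest/api/status 200
2026-02-19 11:40:03 198.51.100.7 PUT /manager/text/deploy?path=/tmp&update=true 403
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def find_manager_hits(log_text):
    """Every request whose path starts with /manager, as (ts, src, method, url, status)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and urlsplit(m["url"]).path.startswith("/manager"):
            hits.append((m["ts"], m["src"], m["method"], m["url"], int(m["status"])))
    return hits


def find_war_deploys(log_text):
    """PUT /manager/text/deploy requests, as (ts, src, deployed_path, update_flag, status).

    A 2xx status means Tomcat accepted the WAR and the context named by `path`
    is now live; a 401/403 is a refused attempt that still deserves a look.
    """
    deploys = []
    for ts, src, method, url, status in find_manager_hits(log_text):
        parts = urlsplit(url)
        if method == "PUT" and parts.path == "/manager/text/deploy":
            qs = parse_qs(parts.query)
            deploys.append((ts, src, qs.get("path", [""])[0], qs.get("update", [""])[0], status))
    return deploys
```

Any deployed path returned by find_war_deploys that you cannot tie to a change ticket is the context to pull from the Tomcat webapps directory for analysis.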

THREAT ACTOR ACTIVITY : DNS-Based ClickFix Attack Uses Nslookup for Malware Staging

Microsoft detailed the latest evolution of the ClickFix social engineering technique. Instead of clipboard-based PowerShell execution, attackers now trick users into running nslookup commands via the Windows Run dialog. The command performs a DNS lookup against an attacker-controlled server, which returns a response containing the next-stage payload address. This blends malicious staging activity with normal DNS traffic, making network-level detection harder.

The technique has evolved into several variants (FileFix, CrashFix) and the latest iteration deploys ModeloRAT through embedded Python scripts. The attack chain eventually drops a malicious PowerShell string despite the more evasive initial entry point.

OSec Lab Validation

We emulated this attack in our lab environment and confirmed the technique is trivially weaponizable. By setting a DNS CNAME record to point to a controlled IP, the nslookup output was successfully parsed and piped into further command execution. The obfuscated version using caret characters (n^s^l^o^o^k^u^p) also executed without issue.

What To Do

  • Block the identified network indicators (IPs from Hungary and UK infrastructure in full report).
  • Block powershell.exe execution for standard users — while the initial command is evasive, the chain still relies on PowerShell for payload delivery.
  • Ensure command-line artifact logging is enabled (Sysmon, EDR).
  • Hunt for: registry keys in HKCU\...\Explorer\RunMRU containing nslookup references, folders named WPy64-31401 in %APPDATA%, and unknown .lnk files in the Windows startup folder.

84.2.189[.]20 — Magyar Telekom, Hungary
64.227.40[.]197 — DigitalOcean, UK
azwsappdev[.]com/wdhmgpmihudkueq[.]zip
→ Full IOCs, persistence indicators, and registry artifacts in complete report
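A command-line hunt for the nslookup variant, as an added example (not Microsoft's or OSec's detection content): it undoes cmd.exe caret escaping before matching, so the n^s^l^o^o^k^u^p form from the lab validation scores the same as the plain token, and it weights launches from explorer.exe (the Run dialog), output piped into another command, and explicit record-type selection. The Sysmon-style event records are constructed; field names follow Sysmon Event ID 1.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"n^s^l^o^o^k^u^p -type=cname update.example.invalid"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"nslookup intranet.corp.example"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"nslookup mail.corp.example"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'''for /f "delims=" %a in ('nslookup -q=cname x.example.invalid') do @echo %a'''},
]

CARET_RE = re.compile(r"\^(.)")  # cmd.exe escape: ^x is just x to the parser

def normalize_cmdline(cmd):
    """Undo cmd.exe-style obfuscation so n^s^l^o^o^k^u^p and nslookup compare equal."""
    return CARET_RE.sub(r"\1", cmd).replace('""', "").lower()

def score_event(ev):
    """Return (score, reasons) for one process-creation event; 0 means no nslookup at all."""
    raw = ev["CommandLine"]
    norm = normalize_cmdline(raw)
    reasons = []
    if "nslookup" not in norm:
        return 0, reasons
    if "nslookup" not in raw.lower():
        reasons.append("obfuscation hides the nslookup token")
    if ev["ParentImage"].lower().endswith("\\explorer.exe"):
        reasons.append("spawned by explorer.exe (Run dialog), not an interactive shell")
    if re.search(r"\||for /f", norm):
        reasons.append("lookup output is fed into another command")
    if re.search(r"-(?:type|q|querytype)=", norm):
        reasons.append("explicit record type selected (the lab variant used a CNAME)")
    return len(reasons), reasons

def hunt(events, threshold=2):
    """Indexes, scores and reasons for events that reach the threshold."""
    results = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            results.append((i, score, reasons))
    return results
```

A plain nslookup typed into a shell scores zero, so the threshold keeps admin lookups out of the queue while the obfuscated Run-dialog launch lands at the top.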

THREAT ACTOR ACTIVITY : ShinyHunters Compromise Figure, Target Microsoft Entra via Device-Code Vishing

The ShinyHunters extortion group is combining voice phishing with legitimate OAuth 2.0 Device Authorization flows to compromise Microsoft Entra accounts. What makes this campaign notable: attackers don't need their own infrastructure. They leverage existing Microsoft OAuth client IDs and convince victims to authenticate on Microsoft's own login page, generating valid tokens that grant access to the victim's account and all connected SSO applications.

The most recent high-profile breach was Figure, a fintech firm, resulting in over one million accounts exposed. The group masquerades as IT support staff and routes through Mullvad, NordVPN, or residential proxies. Importantly, ShinyHunters typically don't establish persistent indicators in cloud environments — they reuse compromised SSO credentials to exfiltrate data for extortion, making traditional IOC-based detection less effective.

The group engages in big game hunting, recruiting other threat actors to overwhelm security teams with spam email as an extortion pressure tactic. They are also targeting downstream customers of previously compromised organizations.

What To Do

  • Train staff: anyone claiming to be IT and asking you to walk through SSO login flows is a red flag — especially device code authentication prompts.
  • Disable device code flow in Microsoft Entra if your organization doesn't require it.
  • Audit and remove unknown OAuth applications from your environment.
  • Vet all URLs before entering credentials — the group uses phishing pages mimicking Microsoft 365 login with AWS-hosted URLs.
  • If your organization partners with any of the compromised entities listed below, assess your exposure and anticipate potential downstream targeting.

Known Compromised Organizations

upenn.edu · harvard.edu · bumble.com · match.com · tinder.com · hinge.co · okcupid.com · panerabread.com · edmunds.com · carmax.com · betterment.com · crunchbase.com · soundcloud.com

CRITICAL CVE : Honeywell CCTV Authentication Bypass — No Patch Available

CVE-2026-1670 · Unpatched

A critical authentication bypass in multiple Honeywell CCTV models allows attackers to change recovery emails and take over accounts without logging in — enabling unauthorized access to live camera feeds. Affected models include I-HIB2PI-UL 2MP IP, SMB NDAA MVO-3, PTZ WDR 2MP, and 25M IPC models running WDR_2MP_32M_PTZ_v2.0 firmware.

No patch has been released. Honeywell has advised customers to contact support, but the timeline for a fix is unclear. Public honeypot data shows malicious traffic spiked on February 14th, primarily targeting systems in Asia and Europe, with reduced volume in subsequent days. IP cameras and CCTV devices remain frequent targets for botnet activity, particularly Mirai variants.

What To Do — No Patch Available

  • Do not expose these devices or their management dashboards to the public internet.
  • Segment CCTV devices onto their own VLAN, isolated from production networks, to contain any compromise.
  • Monitor network traffic to and from these devices for anomalous patterns.
  • Contact Honeywell support for guidance — and pressure for a patch timeline.

EXPLOITED IN THE WILD : Microsoft Office Vulnerability Exploited by APT28 (Fancy Bear)

CVE-2026-21509 · Patched

Russian military intelligence-linked APT28 is actively exploiting CVE-2026-21509 against government organizations in Ukraine, Slovakia, and Romania. The attacks use phishing emails disguised as official correspondence — written in English and local languages — that deliver malicious RTF documents deploying Covenant, MiniDoor, and PixyNetLoader backdoors.

The vulnerability works by using a Shell.Explorer class ID to load MSHTML content when opening an Office document, redirecting to an attacker-controlled location. While currently focused on Eastern European targets, this technique will likely expand to other threat actors and regions as exploit details become more widely known.

What To Do

  • Apply Microsoft patches immediately.
  • If patching isn't possible: set the registry kill bit — create sub-key {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} under \COM Compatibility\ with Compatibility Flags set to 400.
  • Block the network indicators from the full report (12+ IPs across Moldova, Germany, and US infrastructure).
  • Hunt for compromise indicators: registry changes to CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InProcServer32, DLLs dropped in %programdata%\USOPublic\Data\User\, and scheduled tasks named "OneDriveHealth".
  • Warn users about unsolicited email with attachments — particularly RTF documents.

159.253.120[.]2 — Alexhost, Moldova
146.0.41[.]204–234 — WIIT AG, Germany (10 IPs in same range)
freefoodaid[.]com · wellnesscaremed[.]com · wellnessmedcare[.]org
→ Full IOC list, YARA detection rules, and persistence details in complete report

EXPLOITED IN THE WILD : BeyondTrust RCE Under Active Multi-Actor Exploitation

CVE-2026-1731 · Patched

A remote code execution vulnerability in BeyondTrust Remote Support (≤25.3.1) and Privileged Remote Access (≤24.3.4) is being exploited by multiple threat actors following public PoC disclosure. The vulnerability is simple to exploit — crafted web requests to /get_portal_info and /nw endpoints followed by websocket payloads containing OS commands.

Post-exploitation activity includes creation of domain and local admin accounts, deployment of VShell (a Linux backdoor) and SparkRAT, and use of RMM tools (SimpleHelp, AnyDesk) and Cloudflare tunnels for persistence. Analyzed VShell samples also attempted requests to the cloud metadata endpoint (169.254.169.254) — a known technique for stealing cloud credentials and secrets.

SaaS customers have been auto-patched. Self-hosted instances need to update immediately.

What To Do

  • Patch self-hosted BeyondTrust instances immediately.
  • Hunt for unknown IPs making requests to /get_portal_info and /nw, followed by websocket connections containing OS commands.
  • Monitor for new user account creation — both domain users and local administrators.
  • Look for unauthorized installations of SimpleHelp, AnyDesk, or Cloudflare tunnel agents.
  • Block outbound traffic to 169.254.169.254 from non-cloud workloads to prevent metadata theft.

138.197.14[.]95/ws — SparkRAT C2
aliyundunupdate[.]xyz:8084/slt — VShell C2
64.31.28[.]221/support — Staging
85.155.186[.]121/access — SimpleHelp delivery
→ 30+ additional IPs and full URL list in complete report
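The request-sequence hunt from the steps above, as an added example (not BeyondTrust's or OSec's code): it walks a web access log per source address and flags a source that hits /get_portal_info, then /nw, then upgrades to a websocket inside a time window. The log lines are constructed in Apache combined format, and treating an HTTP 101 response as the websocket upgrade is an assumption; the actual BeyondTrust log format may differ.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines (Apache combined format); not real BeyondTrust logs.
SAMPLE_LOG = """\
203.0.113.44 - - [20/Feb/2026:10:01:02 +0000] "POST /get_portal_info HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.44 - - [20/Feb/2026:10:01:03 +0000] "GET /nw HTTP/1.1" 200 88 "-" "python-requests/2.31"
203.0.113.44 - - [20/Feb/2026:10:01:05 +0000] "GET /nw HTTP/1.1" 101 0 "-" "python-requests/2.31"
198.51.100.9 - - [20/Feb/2026:10:30:00 +0000] "GET /get_portal_info HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Feb/2026:11:45:00 +0000] "GET /nw HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Feb/2026:11:45:01 +0000] "GET /nw HTTP/1.1" 101 0 "-" "Mozilla/5.0"
192.0.2.7 - - [20/Feb/2026:12:00:00 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
STAGES = ("/get_portal_info", "/nw", "websocket")  # order the exploit chain is seen in

def parse(line):
    """(src, timestamp, stage) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?")[0]
    stage = "websocket" if m["status"] == "101" else path  # 101 = Switching Protocols (assumed)
    return m["src"], ts, stage

def find_exploit_sequences(log_text, window_minutes=10):
    """{src: time of first stage} for sources that complete all STAGES in order within the window."""
    window = timedelta(minutes=window_minutes)
    progress = defaultdict(lambda: [0, None])  # src -> [next stage index, time of stage 0]
    flagged = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, ts, stage = rec
        state = progress[src]
        if state[1] is not None and ts - state[1] > window:
            state[:] = [0, None]  # sequence went stale; start over for this source
        if stage == STAGES[state[0]]:
            if state[0] == 0:
                state[1] = ts
            state[0] += 1
            if state[0] == len(STAGES):
                flagged[src] = state[1]
                state[:] = [0, None]
    return flagged
```

The window matters: the second source in the sample completes the same three steps but over 75 minutes, so it is only reported when the window is widened.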

Get the Complete Report

The full Intelligence Desk brief includes exhaustive IOC lists, YARA detection rules, detailed remediation playbooks, and OSec's original threat research. Delivered weekly to our partners and clients.