March 5, 2026

Weekly Situation Report: 3/2/26

Executive Summary

This report informs our partners and clients on the various happenings within the cybersecurity space, including relevant breaches, emerging vulnerabilities, research, threat actor movement, and what your organization needs to do to mitigate future threats.

Key Takeaways

  • Critical vulnerabilities in SolarWinds Serv-U can grant attackers root-level access to affected servers.
  • The 'Starkiller' phishing service uses realistic login pages and MFA bypass techniques to steal credentials.
  • VMware has released fixes for remote code execution vulnerabilities in Aria Operations.
  • The UAC-0050 threat actor is targeting Ukraine's financial sector and may expand operations into other parts of Europe.
  • APT28 leverages webhook abuse as part of its MacroMaze campaign to exfiltrate data covertly.
  • Attackers are actively exploiting Cisco SD-WAN flaws using a combination of zero-day and downgrade attacks.
  • The UAT-10027 campaign is targeting organizations in the U.S. education and healthcare sectors with tailored intrusion attempts.
  • An updated critical SolarWinds remote code execution flaw continues to be leveraged in ongoing attacks against enterprise networks.

Critical SolarWinds Serv-U Flaws Offer Root Access to Servers

CVE-2025-40538 · Critical · Multiple Industries

SolarWinds has released security updates to address four critical vulnerabilities in Serv-U. The most serious flaw, CVE-2025-40538, allows high-privilege users to create a system admin account and execute arbitrary code as root. Additionally, two type confusion flaws and an Insecure Direct Object Reference (IDOR) vulnerability were patched. Serv-U is frequently targeted in cyberattacks due to its access to sensitive corporate data, as evidenced by recent exploits by hacking groups including Clop and China-based DEV-0322.

Current public honeypot data does not show evidence that this vulnerability is being actively exploited in the wild. A highly privileged user is a prerequisite for full exploitation, limiting impact to cases involving stolen credentials or prior access earlier in a threat actor's attack chain. A likely scenario would see this flaw exploited later in the chain for data exfiltration purposes. No public PoC is currently known.

What To Do

  • Apply the necessary patches issued by SolarWinds.
  • Ensure all domain users have MFA enforced throughout the environment to help mitigate potential credential theft and reuse.
  • If unauthorized user activity is detected, or unusually large volumes of data are being transmitted via Serv-U hosts, treat this as a potential compromise and investigate immediately.

Real Login Pages and MFA Bypass Are Features of 'Starkiller' Phishing Service

Phishing · Multiple Industries

Starkiller is a new phishing-as-a-service offering that uses cleverly disguised links to load real websites, acting as a relay between victims and legitimate sites while capturing user data including multi-factor authentication codes. The service dynamically loads the legitimate login page, captures all user input through proxy services, and provides features such as session monitoring, keylogging, geo tracking, and automated alerts for credential theft. By intercepting and relaying victim credentials in real time, it neutralizes MFA protections and provides low-skill cybercriminals with sophisticated attack capabilities.

A key indicator of this attack vector is the URL address bar displaying the legitimate service address followed by an @ symbol and an additional malicious domain:

https://login.microsoft[.]com@badsite[.]ru

Sources indicated that the threat actor operated their own forum. The site was no longer accessible at the time of this report.

What To Do

  • Exercise caution when clicking links from unsolicited third-party communications such as email.
  • Configure URL and web filtering rules in firewall products to block URLs containing the @ character.
  • Geoblocking specific domains and hostile regions may reduce exposure to this threat from known malicious locations.
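
To show why the @ indicator above works, and where a blanket filter on the @ character over-matches, here is an added example (not code from the report) that resolves which host a browser would actually contact for a given URL; the proxy URL list is constructed for illustration.

```python
from urllib.parse import urlsplit


def refang(text: str) -> str:
    # Intel feeds defang indicators as hxxp and [.]; undo that before parsing.
    return text.replace("hxxp", "http").replace("[.]", ".")


def analyze_url(url: str) -> dict:
    parts = urlsplit(refang(url.strip()))
    # urlsplit treats everything before the last '@' in the authority as userinfo.
    # The browser connects to parts.hostname; the userinfo is only shown in the bar.
    userinfo = parts.username
    host = (parts.hostname or "").lower()
    # A dotted userinfo has no legitimate purpose on a login page: it exists to
    # look like the hostname of a trusted service, as in the report's indicator.
    lookalike = userinfo is not None and "." in userinfo
    return {"userinfo": userinfo, "host": host, "lookalike": lookalike}


def flag_urls(urls):
    # Return (url, real host) for every URL whose authority carries a lookalike userinfo.
    flagged = []
    for u in urls:
        info = analyze_url(u)
        if info["lookalike"]:
            flagged.append((u, info["host"]))
    return flagged


# Constructed sample of URLs as they might appear in a proxy log.
SAMPLE_PROXY_URLS = [
    "https://login.microsoft[.]com@badsite[.]ru",                      # indicator from the report
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",  # legitimate
    "https://accounts.example.com@203.0.113.9:8443/login",             # lookalike with port
    "https://git.example.com/repo?user=alice@example.com",             # '@' in the query only
]

if __name__ == "__main__":
    for url, real_host in flag_urls(SAMPLE_PROXY_URLS):
        print(f"lookalike URL: {url} -> browser connects to {real_host}")
```

The last sample shows the caveat for the filtering advice above: an @ inside the query string is common in legitimate traffic, so a rule should match @ in the authority (before the first / after the scheme), not anywhere in the URL.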

VMware Addresses Aria Operations Remote Code Execution Vulnerabilities

CVE-2026-22719 · CVE-2026-22720 · CVE-2026-22721 · Critical · Multiple Industries

Broadcom has released patches for vulnerabilities in VMware Aria Operations. CVE-2026-22719 is a command injection issue allowing unauthenticated remote code execution during product migration. CVE-2026-22720 is a stored cross-site scripting (XSS) vulnerability that permits administrative actions through script injection. CVE-2026-22721 is a medium-severity privilege escalation flaw capable of granting administrative access. Patches are included in version updates for VMware Cloud Foundation, vSphere Foundation, and Aria Operations.

To our knowledge these vulnerabilities have not been exploited in the wild and no public PoC currently exists. A likely exploitation scenario would involve RMM or similar IT support social engineering, similar to tactics employed by groups such as ShinyHunters.

What To Do

  • Apply the patches from the vendor to remediate these issues.
  • Monitor for network traffic containing Unix or Windows command-line strings within web requests when interacting with the device.

UAC-0050 Threat Actor Targeting Ukraine's Financial Sector May Spread to Europe

Threat Actor Activity · Financial & Fintech

A Russia-aligned threat actor known as UAC-0050 (also designated Akula or DaVinci Group) targeted a European financial institution with a spear-phishing attack that spoofed a Ukrainian judicial domain, delivering a multi-layered infection chain culminating in the deployment of Remote Manipulator System (RMS) — legitimate Russian remote desktop software — allowing for stealthy access and control. Available sources indicate the threat actor was probing for information on European partners, with localized lures suggesting imminent westward campaign expansion.

This activity will likely affect financial institutions primarily partnered with Ukrainian companies. While current attacks use Russian ASN addresses, this is expected to change to match targeted regions. The group has reused the domain rmansys[.]ru since at least 2015.

APT28 Exploits Webhooks for Covert Data Exfiltration in MacroMaze Campaign

Threat Actor Activity · Public Sector & Government

Russia-linked APT28 (Fancy Bear), operating out of the Russian GRU's military unit 26165, conducted Operation MacroMaze from September 2025 to January 2026, targeting Western and Central European entities with a webhook-based macro malware campaign. The attack utilized spear-phishing emails containing weaponized documents leveraging an "INCLUDEPICTURE" field to track document opening and exfiltrate data via website[.]hook domains. Four closely related macro variants served as droppers for multi-stage execution, establishing persistence while bypassing security measures.

APT28 has also made use of MS Office vulnerabilities CVE-2026-21509 and CVE-2026-21514. CVE-2026-21509 has a public PoC available. Current samples indicate targeting of entities in Spain, with a separate Romanian-targeting campaign also identified.

Active Exploitation of Cisco SD-WAN Flaws Using Zero-Day and Downgrade Attacks

CVE-2026-20127 · CVE-2022-20775 · Known Exploited · Government & Multiple Industries

Cybersecurity agencies from the Five Eyes alliance issued urgent warnings about an advanced actor exploiting new flaws in Cisco SD-WAN systems. CISA and NCSC directed organizations to investigate potential compromises immediately. Cisco's advisory details how these vulnerabilities could enable attackers to access systems, elevate privileges, gain sensitive information, and overwrite files. The Australian Signals Directorate provided a technical guide detailing exploitation of the zero-day since 2023, with threat actors creating rogue network components for long-term persistence and employing log-tampering evasion techniques.

No public PoC for CVE-2026-20127 is currently available, though indications suggest an exploit is being sold through GitHub repositories. CVE-2022-20775 has had a PoC available since 2022. Public honeypot data shows a slight increase in activity against Cisco hosts, primarily targeting European regions, beginning February 26th, 2026.

UAT-10027 Campaign Targets U.S. Education and Healthcare Sectors

Threat Actor Activity · Healthcare · Education

The UAT-10027 campaign targets the U.S. education and healthcare sectors by deploying a stealthy backdoor named Dohdoor through phishing attacks that lead to PowerShell script execution and malicious DLL sideloading. The malware uses DNS-over-HTTPS and Cloudflare infrastructure to hide command-and-control traffic, and deploys additional payloads such as Cobalt Strike into memory. Dohdoor employs a custom XOR-SUB decryption routine that overlaps with the Lazarloader used by North Korea's Lazarus Group, then performs process hollowing into legitimate Windows processes such as OpenWith.exe or wksprt.exe. EDR evasion includes patching syscall stubs in ntdll.dll.

OSec Research

The following network and domain IOCs are currently known to be associated with this campaign.


UPDATED : Critical SolarWinds RCE Flaw Actively Exploited in Attacks

CVE-2025-40551 · CVE-2025-40537 · CVE-2025-40552 · CVE-2025-40554 · Known Exploited · Multiple Industries

CISA has identified CVE-2025-40551, a critical untrusted data deserialization vulnerability in SolarWinds Web Help Desk, as being actively exploited and has mandated federal agencies to patch within three days. This flaw allows attackers to execute remote commands on affected devices. The same update also addressed CVE-2025-40537 (hardcoded credentials: client:client), and authentication-bypass flaws CVE-2025-40552 and CVE-2025-40554, all remotely exploitable.

A likely attack chain involves visiting the login page to generate a valid session, then executing a GET request to /helpdesk/WebObjects/Helpdesk.woa/wo/test.wo/<wosid>/1.0?badparam=/ajax/&wopage=LoginPref to bypass authentication and trigger the deserialization vulnerability. Log indicators include:

ERROR org.jabsorb.JSONRPCBridge - exception occured

and

INFO whd.helpdesk.com.macsdesign.util - Whitelisted payload with matched keyword: java.. Payload= {
"bypass":"java.parentpopupwonoselectionstringdummymdssubmitlinkmdsform__enterkeypressedmdsform__shiftkeypressedmdsform__altkeypressed_csrf",
"id":1,
"method":"wopage.variablevalueforname",
"params":["malicious"]
}
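
As an added example (not code from the report or from SolarWinds), the following scanner checks web-server and WHD application log lines for the request shape and the two log indicators described above; the sample log lines are constructed, with the JSON payload flattened onto one line.

```python
import re
from typing import List, Optional, Tuple

# Request path from the attack chain described above. <wosid> is a per-session
# token, so it is matched as a wildcard segment; both query parameters must be present.
WHD_BYPASS_RE = re.compile(
    r"/helpdesk/WebObjects/Helpdesk\.woa/wo/test\.wo/[^/\s?]+/1\.0\?"
    r"(?=\S*badparam=/ajax/)(?=\S*wopage=LoginPref)",
    re.IGNORECASE,
)

# Application-log indicators quoted in the report (kept verbatim, typo included).
APP_LOG_INDICATORS = (
    ("org.jabsorb.JSONRPCBridge - exception occured", "JSONRPCBridge exception after deserialization attempt"),
    ("Whitelisted payload with matched keyword: java..", "whitelisted 'java..' payload reached JSON-RPC bridge"),
    ('"method":"wopage.variablevalueforname"', "JSON-RPC call to wopage.variablevalueforname"),
)


def classify_line(line: str) -> Optional[str]:
    # First matching indicator wins; None means the line is not an indicator.
    if WHD_BYPASS_RE.search(line):
        return "auth-bypass request to test.wo with badparam=/ajax/ and wopage=LoginPref"
    for needle, reason in APP_LOG_INDICATORS:
        if needle in line:
            return reason
    return None


def scan_whd_logs(text: str) -> List[Tuple[int, str]]:
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        reason = classify_line(line)
        if reason:
            findings.append((n, reason))
    return findings


# Constructed sample: an access log interleaved with WHD application log lines.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Feb/2026:10:01:02 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa HTTP/1.1" 200 5120
10.0.0.5 - - [27/Feb/2026:10:01:04 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/wo/test.wo/abc123.1/1.0?badparam=/ajax/&wopage=LoginPref HTTP/1.1" 200 312
2026-02-27 10:01:04 INFO whd.helpdesk.com.macsdesign.util - Whitelisted payload with matched keyword: java.. Payload= {"bypass":"...","id":1,"method":"wopage.variablevalueforname","params":["malicious"]}
2026-02-27 10:01:04 ERROR org.jabsorb.JSONRPCBridge - exception occured
10.0.0.7 - - [27/Feb/2026:10:02:00 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/wo/test.wo/zzz.9/1.0?wopage=LoginPref HTTP/1.1" 200 312
"""

if __name__ == "__main__":
    for line_no, reason in scan_whd_logs(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

Line 5 of the sample, which reaches test.wo without badparam=/ajax/, is deliberately not flagged: a normal login-preference request and the bypass differ only in that parameter, so matching on the path alone would be noisy.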

Update — February 14, 2026

Threat actors are actively abusing this vulnerability to install the Zoho ManageEngine RMM agent (a legitimate RMM tool), associated with the email esmahyft@proton[.]me and downloaded from the domain catbox[.]moe. They are also installing outdated versions of Velociraptor, a legitimate forensics tool. The following domains and files have been used within attacks:

  • https://files.catbox[.]moe/tmp9fc.msi
  • https://vdfccjpnedujhrzscjtq.supabase[.]co/storage/v1/object/public/image/v4.msi
  • https://auth.qgtxtebl.workers[.]dev/

The attackers also installed Cloudflared (Cloudflare's Tunnel client) from the official GitHub repository and portable versions of VSCode from a supabase[.]co URL.

The threat actor establishes persistence through scheduled tasks. The task paths observed include the following locations:

C:\Windows\System32\Tasks\TPMProfiler

Update — February 27, 2026

Public research and PoC code are now available for these vulnerabilities. Wider exploitation may occur against unpatched SolarWinds WHD hosts.

Get the Complete Report

The full Intelligence Desk brief includes exhaustive IOC lists, YARA detection rules, detailed remediation playbooks, and OSec's original threat research. Delivered weekly to our partners and clients.
