The CyberWire Daily Podcast 2.18.26
Ep 2491 | 2.18.26

Rooted and patient.

Transcript

A China-linked group exploits a critical Dell zero-day for 18 months. A Microsoft 365 Copilot bug risks sensitive email oversharing. A new Linux botnet leans on old-school IRC for command and control. Switzerland tightens critical infrastructure rules with mandatory cyber reporting. AstarionRAT emerges as a custom post-exploitation implant. Researchers find serious flaws in popular PDF platforms. A suspected Iranian-aligned campaign targets protest supporters. Notepad++ rolls out a “double-lock” update fix. And a Spanish court orders NordVPN and ProtonVPN to block illegal football streams. Our guest is Keith Mularski, Former FBI Special Agent and Chief Global Ambassador at Qintel, reflecting on the 25th anniversary of notorious spy Robert Hanssen's arrest. Dutch Defense flaunts F-35 firmware freedom.


Today is Wednesday, February 18th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A China-linked threat group has exploited a critical Dell zero-day for at least 18 months. 

Google researchers say a China-linked threat group has exploited a critical Dell zero-day for at least 18 months, deepening a long-running espionage campaign.

Google Threat Intelligence Group and Mandiant report that UNC6201, which overlaps with UNC5221 or Silk Typhoon, exploited CVE-2026-22769 in Dell RecoverPoint for Virtual Machines since mid-2024. The flaw stems from a hardcoded administrator password pulled from Apache Tomcat and carries a 10.0 CVSS severity score. Researchers say attackers used it for unauthenticated remote access with root-level persistence. The group previously deployed Brickstorm malware, then replaced it with the more advanced Grimbolt backdoor. Dell released a patch Tuesday.

Officials warn the actors likely remain active in unpatched systems. This matters because long dwell times, often exceeding 400 days, give attackers room for sustained espionage. CISA, NSA, and Canadian authorities have released detection guidance, but researchers caution the full scope remains unknown.

A 365 Copilot bug may lead to email oversharing. 

Microsoft says a bug in Microsoft 365 Copilot has been causing the AI assistant to summarize confidential emails since late January, bypassing organizations’ data loss prevention, or DLP, policies.

The issue, tracked as CW1226324 and first detected January 21, affects the Copilot “work tab” chat feature. According to a service alert seen by BleepingComputer, Copilot incorrectly read and summarized emails stored in users’ Sent Items and Drafts folders, including messages with sensitivity labels meant to restrict automated access. Microsoft confirmed that a code issue allowed labeled items to be processed despite DLP policies. The company began rolling out a fix in early February and says it is monitoring deployment and contacting some affected users.

Microsoft has not disclosed how many organizations were impacted or provided a final remediation timeline. The incident is currently classified as an advisory, suggesting limited scope, though the investigation remains ongoing.

A new Linux botnet uses IRC for C&C. 

Security researchers have identified a new Linux botnet, dubbed SSHStalker, that uses Internet Relay Chat for command and control.

Flare’s research team discovered the operation through an SSH honeypot over a two-month period. According to its report, SSHStalker chains an SSH scanner with rapid staging to enroll compromised systems into IRC channels, enabling centralized control. The botnet exploits legacy Linux kernel vulnerabilities and appears optimized for scale. Flare observed nearly 7,000 fresh SSH scan results in January 2026. Most activity originated from cloud hosting providers across the United States, Europe, and Asia Pacific, suggesting opportunistic automation rather than dedicated nation-state infrastructure.

Researchers say the botnet maintains dormant persistence. It establishes access without launching distributed denial of service, or DDoS, attacks or cryptomining, despite having those capabilities. Quiet footholds can signal staging for future operations. Flare recommends monitoring build tools, scanning for malware, and reviewing cron jobs.

Switzerland bolsters critical infrastructure security through mandatory reporting. 

Switzerland’s National Cyber Security Centre says 2025 marked a major shift, driven by mandatory cyberattack reporting for critical infrastructure.

According to its Annual Report 2025, the NCSC processed nearly 65,000 voluntary incident reports and 222 mandatory reports after the new requirement took effect April 1 under the revised Information Security Act. Organizations must report attacks within 24 hours. The Cyber Security Hub, or CSH, expanded to about 1,600 members and added multilingual reporting and secure information sharing. The agency also exchanged data on 4,615 incidents through the Malware Information Sharing Platform and led cybersecurity operations for major national events. Parliament approved budget increases beginning in 2026.

Mandatory reporting and expanded information sharing improve early warning and coordinated defense across critical sectors. NCSC says the measures strengthen Switzerland’s national cyber strategy and long-term resilience.

AstarionRAT is a new custom implant. 

Huntress responded to a February 2026 intrusion that began with a ClickFix social engineering attack, a technique that surged in 2025.

According to Huntress, ClickFix tricks users into copying and pasting malicious commands, bypassing traditional email security controls. In this case, it delivered Matanbuchus 3.0, a Malware-as-a-Service loader first advertised in 2021 and now priced up to $15,000 per month for a stealth DNS variant. Huntress says Matanbuchus deployed a previously undocumented custom implant they named AstarionRAT. The remote access trojan used RSA-encrypted command and control traffic disguised as telemetry and supported credential theft, SOCKS5 proxying, port scanning, and reflective code loading.

The operator moved laterally within 40 minutes, targeting a Windows Server and domain controllers using PsExec, rogue accounts, and Defender exclusions. Huntress assesses with medium confidence the goal was ransomware or data theft.

Researchers uncover vulnerabilities in PDF platforms that could enable account takeover and data theft.

Researchers have uncovered 16 vulnerabilities in PDF platforms from Foxit and Apryse that could have enabled account takeover and data theft.

The flaws were identified by penetration testing startup Novee in Apryse WebViewer and Foxit’s PDF cloud services. According to Novee, the issues included one critical and four high-severity bugs, along with multiple medium-severity findings. Vulnerability types ranged from cross-site scripting, or XSS, and server-side request forgery, to path traversal and operating system command injection. Researchers demonstrated that specially crafted documents, URLs, or messages could trigger arbitrary code execution, data exfiltration, or persistent compromise, particularly when PDF viewers were embedded in authenticated enterprise applications.

Both vendors say the vulnerabilities were responsibly disclosed and have been patched. Novee warns that widely embedded PDF components can become high-impact attack surfaces if left unexamined.

A suspected Iranian-aligned cyberespionage campaign targets protest supporters with custom malware. 

Researchers have uncovered a suspected Iranian-aligned cyberespionage campaign targeting protest supporters with custom malware.

Acronis Threat Research Unit says the campaign, dubbed CRESCENTHARVEST, began shortly after January 9 and uses malicious Windows shortcut, or .LNK, files disguised as protest images and videos. The files include Farsi-language content framed as updates from Iran’s “rebellious cities.” When executed, the malware uses DLL sideloading through a signed Google binary to deploy a remote access trojan and information stealer. Capabilities include keylogging, browser credential theft, Telegram session exfiltration, and command execution over HTTPS using JSON-based command and control. Infrastructure links to a Latvia-hosted server, though attribution remains low confidence.

Acronis assesses the campaign likely targets Farsi-speaking Iranians supportive of protests, as well as activists and journalists. Politically themed lures continue to enable long-term surveillance of at-risk communities.

Notepad++ has a new “double-lock” verification system. 

Notepad++ has strengthened its update security with a new “double-lock” verification system following a recent supply-chain compromise.

Introduced in version 8.9.2, the mechanism verifies both the signed installer hosted on GitHub and a digitally signed XML file from notepad-plus-plus.org using XML Digital Signature, or XMLDSig. The update follows a six-month campaign attributed to the China-linked Lotus Blossom group, which compromised the software’s hosting provider starting in June 2025 and redirected select users to malicious servers. Rapid7 reported the attackers deployed a custom backdoor called “Chrysalis.”

Additional hardening steps include removing libcurl.dll to prevent DLL side-loading, eliminating insecure cURL SSL options, restricting plugin execution to trusted certificates, switching hosting providers, and rotating credentials. Users are urged to upgrade to version 8.9.2 and download installers only from the official website.
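The two checks run in sequence, as an added model of the double-lock idea: this is my illustration, not Notepad++'s code or its real XML schema, and ed25519 stands in for XMLDSig with every key, manifest and installer byte constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest is a constructed stand-in for the signed update descriptor (not the real schema).
type Manifest struct {
	Version string `xml:"version"`
	SHA256  string `xml:"sha256"` // hex digest of the installer being vouched for
}
// SignManifest builds the manifest for an installer and signs the exact bytes to be served.
func SignManifest(priv ed25519.PrivateKey, version string, installer []byte) ([]byte, []byte, error) {
	sum := sha256.Sum256(installer)
	raw, err := xml.Marshal(Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return nil, nil, err
	}
	return raw, ed25519.Sign(priv, raw), nil
}
// VerifyUpdate is the double lock: the manifest must carry a valid publisher
// signature AND the installer must hash to the value pinned inside it.
func VerifyUpdate(pub ed25519.PublicKey, manifestXML, sig, installer []byte) (string, error) {
	if !ed25519.Verify(pub, manifestXML, sig) {
		return "", errors.New("lock 1: manifest signature invalid")
	}
	var m Manifest
	if err := xml.Unmarshal(manifestXML, &m); err != nil {
		return "", err
	}
	if sum := sha256.Sum256(installer); hex.EncodeToString(sum[:]) != m.SHA256 {
		return "", errors.New("lock 2: installer hash not pinned by signed manifest")
	}
	return m.Version, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	installer := []byte("constructed installer bytes") // stand-in for the real binary
	manifest, sig, _ := SignManifest(priv, "8.9.2", installer)
	fmt.Println(VerifyUpdate(pub, manifest, sig, installer))
	fmt.Println(VerifyUpdate(pub, manifest, sig, []byte("swapped installer")))
}
```

A redirected download that swaps the installer fails lock 2 even when the manifest is genuine, and a forged manifest fails lock 1 even when it pins the swapped file's hash.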

A Spanish court has ordered NordVPN and ProtonVPN to block illegal football streamers. 

A Spanish court has ordered NordVPN and ProtonVPN to block 16 websites accused of illegally streaming football matches.

The precautionary measures, requested by LaLiga and broadcaster Telefónica, were issued without a hearing for the VPN providers and allow no opportunity for appeal. The ruling applies to a dynamic list of IP addresses in Spain. LaLiga argued that VPN services fall under the EU Digital Services Regulation and facilitate access to pirated content by masking users’ geographic locations. The court reportedly found VPNs to be an effective means of bypassing regional restrictions.

ProtonVPN and NordVPN say they were not notified of the proceedings and question the lack of due process. NordVPN also argued that blocking domains is ineffective and that enforcement should target hosting providers and illegal content sources instead.


Dutch Defense flaunts F-35 firmware freedom. 

In what may be the most 2026 sentence uttered by a defense official, the Netherlands’ defense secretary has suggested that an F-35 can be jailbroken “just like an iPhone.”

Gijs Tuinman made the remark on a Dutch podcast when asked whether European operators could modify the jet’s software if the US ever decided to cool the transatlantic friendship. The F-35, he noted, is a shared project, with British engines and American components, implying mutual dependence. And if updates stopped? Well, he hinted, creative solutions exist.

Security experts were less breathless. One researcher pointed out that unlike iPhones, F-35s are not available on eBay, and the lack of a tinkering community makes public jailbreaks unlikely. The jet’s software is tightly managed through Lockheed Martin’s logistics system, with only Israel allowed to run custom code.

Still, in an era of kill-switch rumors and shifting alliances, the idea of rebooting a fighter jet like a smartphone carries a certain dark charm.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.