Threat Alerts
Your place for the latest CyberProof cyber threat intelligence alerts and updates
New Cisco SD-WAN Zero-Day Exploited in Targeted Attacks
A newly disclosed zero-day vulnerability in a widely used SD-WAN management platform is being actively exploited in the wild. The flaw, CVE-2026-20262, is a medium-severity arbitrary file write issue that gives attackers a foothold into affected systems. The attack vector involves sending specially crafted HTTP requests to a vulnerable API endpoint, allowing an attacker to create or overwrite files on the underlying operating system — a capability that can subsequently be leveraged to escalate privileges to root. Exploitation does require valid credentials with at least write-level access, meaning the attacker must first obtain authenticated access to the environment. Whether the vulnerability has been chained with other flaws or whether compromised credentials were the initial entry point remains unclear. The exploitation has so far been limited, pointing toward a highly targeted operation likely carried out by a sophisticated, possibly state-sponsored, threat actor.
Prinz Eugen Emerges as New Go-Based Ransomware Operation
Prinz Eugen is a newly identified ransomware operation that uses a custom Go-based encryptor designed to maximize operational impact while reducing forensic visibility. The malware recursively encrypts files across the victim environment, appending the .prinzeugen extension to affected files. Unlike many ransomware families, Prinz Eugen prioritizes recently modified files for encryption, likely to increase pressure on victims by targeting actively used and business-critical data first. The operation employs a double-extortion model involving data theft and encryption, but does not leave a traditional ransom note on disk, instead relying on out-of-band communication and leak-site pressure.
Analysis of the malware shows the use of ChaCha20-Poly1305 encryption with integrity verification, ensuring files can be successfully decrypted before original data is deleted when the optional deletion feature is enabled. The encryptor contains several anti-forensic measures, including overwriting encryption keys in memory, forcing garbage collection to remove residual artifacts, and self-deleting after execution. Observed intrusions indicate initial access was likely obtained through compromised RDP credentials, followed by the use of legitimate remote management tools such as RemotePC and PowerShell-based payload delivery. Reporting also links the activity to the threat actor ROOTBOY (aka avtokz), with observed victims including organizations in the financial sector. At the time of reporting, the group does not appear to operate as a ransomware-as-a-service (RaaS) program.
INC Ransomware Emerges as a Leading RaaS Threat
INC ransomware has surged into a top-tier RaaS operation, linked to over 830 victims across multiple sectors. Its multi-platform malware and integrated credential-theft capabilities increase the risk of data exfiltration, backup compromise, and rapid operational disruption.
Attackers gain initial access via spear-phishing, purchased credentials, and exploitation of internet-exposed remote access and management platforms. Post-compromise activity includes credential harvesting, lateral movement using legitimate admin tools (RDP, PsExec) and remote-control software, and weakening of controls through Bring-Your-Own-Vulnerable-Driver (BYOVD) loads such as filwfp.sys, filnk.sys, and fildds.sys. Operators use command-and-control frameworks and remote support tools, exfiltrate data with rclone (often packaged into password-protected archives), then perform fast multithreaded partial encryption and, against virtualized hosts, attempt VM shutdowns.
The malware has been rewritten in Rust and its Windows and Linux/ESXi variants have been observed for sale, producing related families and code reuse across the ecosystem. With roughly 65% of observed victims based in the United States and frequent targeting of legal, healthcare, manufacturing, construction, and technology sectors, the campaign shows how stolen credentials, exposed services, and unpatched systems enable large-scale ransomware operations and complicate recovery.
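As an added illustration (not CyberProof's or the reporting's own tooling) of turning the INC indicators above into hunt logic, the script below scans constructed Sysmon-style log lines for loads of the named BYOVD drivers and for process launches of rclone and PsExec; the log format, host names and timestamps are invented for the example.

```python
import re

# Driver filenames named in the INC reporting above (page-sourced).
BYOVD_DRIVERS = {"filwfp.sys", "filnk.sys", "fildds.sys"}
# Tooling the reporting associates with post-compromise activity.
SUSPECT_TOOLS = {"rclone.exe": "data exfiltration", "psexec.exe": "lateral movement"}

# Constructed sample lines in a simplified Sysmon-like key=value export
# (event ids follow Sysmon: 1 = process create, 6 = driver loaded).
SAMPLE_LOG = """\
ts=2026-03-01T10:00:01Z event_id=1 host=WS01 image=C:\\Windows\\System32\\svchost.exe cmdline="svchost.exe -k netsvcs"
ts=2026-03-01T10:04:17Z event_id=6 host=WS01 image_loaded=C:\\Windows\\Temp\\filwfp.sys signed=true
ts=2026-03-01T10:05:02Z event_id=1 host=WS01 image=C:\\Users\\Public\\rclone.exe cmdline="rclone.exe copy D:\\Finance remote:backup"
ts=2026-03-01T10:06:40Z event_id=1 host=WS01 image=C:\\Tools\\PsExec.exe cmdline="PsExec.exe \\\\FS01 -s cmd.exe"
ts=2026-03-01T10:07:11Z event_id=6 host=WS01 image_loaded=C:\\Windows\\System32\\drivers\\ndis.sys signed=true
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def classify(event):
    """Return an alert label for a parsed event, or None if it looks benign."""
    eid = event.get("event_id")
    if eid == "6":
        name = event.get("image_loaded", "").rsplit("\\", 1)[-1].lower()
        if name in BYOVD_DRIVERS:
            return f"BYOVD driver load: {name}"
    elif eid == "1":
        name = event.get("image", "").rsplit("\\", 1)[-1].lower()
        if name in SUSPECT_TOOLS:
            return f"{SUSPECT_TOOLS[name]} tool: {name}"
    return None

def scan(log_text):
    """Return (timestamp, host, label) for every matching line, in log order."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        label = classify(ev)
        if label:
            hits.append((ev["ts"], ev["host"], label))
    return hits

if __name__ == "__main__":
    for ts, host, label in scan(SAMPLE_LOG):
        print(ts, host, label)
```

Filename matching alone is a starting point; a driver renamed on disk would need hash- or signer-based matching, which this sample format does not carry.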
OXLOADER Loader Distributes CASTLESTEALER via Malvertising
A sophisticated malware campaign is leveraging malicious Google Ads and cloud-hosted staging infrastructure to deliver an information-stealing payload through a newly identified Windows loader. The operation exhibits characteristics consistent with a financially motivated Russian-speaking threat actor, including geographic exclusions targeting CIS countries and language-based execution checks. By combining malvertising, cloud-based delivery mechanisms, and advanced anti-analysis techniques, the campaign targets users searching for legitimate software downloads while maintaining a low detection profile.
The infection chain begins when a victim clicks a sponsored search result impersonating a popular JavaScript runtime download, ultimately retrieving cloud-hosted scripts and executables that deliver the infostealer. A batch script then initiates the next stage through a User Account Control (UAC) elevation prompt, while the loader employs advanced obfuscation techniques such as control-flow flattening, mixed Boolean arithmetic, opaque predicates and runtime string decryption to conceal its functionality. The malware also performs extensive environment validation, checking CPU count, available memory, display refresh rates, operating system language settings and geographic location to avoid execution in virtualized or analysis environments. The final payload is deployed entirely through in-memory shellcode execution, with additional network-based sandbox detection mechanisms used to identify security tools that manipulate connection responses. The combination of malvertising, cloud-hosted delivery, layered obfuscation and sophisticated anti-analysis capabilities makes this campaign a highly stealthy threat capable of bypassing many conventional detection mechanisms.
NGINX HTTP/2 Header Overflow Vulnerability
A vulnerability in NGINX components handling HTTP/2 proxy and gRPC traffic could allow remote attackers to trigger a denial-of-service condition and, under specific circumstances, achieve code execution. The issue requires multiple non-default configuration settings to be present, limiting exposure to affected deployments.
The vulnerability, tracked as CVE-2026-42055 (CVSS score 9.2), stems from improper handling of large HTTP/2 request headers during upstream request creation. An attacker can send specially crafted oversized headers that trigger a heap-based buffer overflow within worker processes, resulting in service instability, process restarts, or potential memory corruption. Successful exploitation depends on several configuration conditions, including acceptance of unusually large header values and relaxed header validation settings.
The issue affects multiple NGINX-based products and software versions. Default deployments are generally not vulnerable because standard configurations restrict oversized headers and enforce header validation.
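Because exposure hinges on non-default header settings, a quick configuration audit is the practical first check. The helper below is an added example, not NGINX's or CyberProof's tooling: the directive names (large_client_header_buffers, ignore_invalid_headers, underscores_in_headers) are real nginx directives, but treating them as the advisory's "oversized header" and "relaxed validation" conditions is this example's assumption, and the config fragments are constructed.

```python
import re

# Constructed config fragments (not from the advisory). Mapping these directives
# onto the advisory's conditions is an assumption; confirm against the vendor bulletin.
RELAXED_CONF = """\
http {
    large_client_header_buffers 4 64k;
    ignore_invalid_headers off;
    underscores_in_headers on;
    server { listen 443 ssl http2; location / { grpc_pass grpc://backend; } }
}
"""
DEFAULT_CONF = """\
http {
    server { listen 443 ssl http2; location / { proxy_pass http://backend; } }
}
"""

DIRECTIVE = re.compile(r'([a-z_]+)\s+([^;{}]*?);')   # simplified: name args;
DEFAULT_BUFFER = 8 * 1024  # nginx default is "large_client_header_buffers 4 8k"

def to_bytes(token):
    """Convert an nginx size token such as 8k or 1m to bytes."""
    n, unit = re.fullmatch(r'(\d+)([kKmM]?)', token).groups()
    return int(n) * {"": 1, "k": 1024, "m": 1024 ** 2}[unit.lower()]

def audit(conf):
    """Return findings for settings that widen header-size or validation limits."""
    d = {name: args.split() for name, args in DIRECTIVE.findall(conf)}
    findings = []
    buf = d.get("large_client_header_buffers")
    if buf and to_bytes(buf[1]) > DEFAULT_BUFFER:
        findings.append(f"large_client_header_buffers allows {buf[1]} per header (default 8k)")
    if d.get("ignore_invalid_headers") == ["off"]:
        findings.append("ignore_invalid_headers off: malformed headers are passed upstream")
    if d.get("underscores_in_headers") == ["on"]:
        findings.append("underscores_in_headers on: header-name validation relaxed")
    # Only flag the HTTP/2-to-upstream path when a relaxed setting is present.
    if findings and ("grpc_pass" in d or "proxy_pass" in d) and "http2" in d.get("listen", []):
        findings.append("HTTP/2 listener proxies to an upstream: check affected versions")
    return findings

if __name__ == "__main__":
    for f in audit(RELAXED_CONF):
        print("finding:", f)
    print("default config findings:", audit(DEFAULT_CONF))
```

The parser is deliberately flat and ignores context nesting, so run it on each server/location block you care about rather than trusting one pass over a large combined config.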
Cisco Patches Critical ISE Vulnerability Impacting Identity Infrastructure
Cisco has released security updates for two vulnerabilities affecting Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC). The most severe, CVE-2026-20181 (CVSS 9.1), is a command execution vulnerability that could allow an authenticated remote attacker with valid administrative credentials to execute arbitrary commands on the underlying operating system, obtain user-level access, and escalate privileges to root. In single-node deployments, successful exploitation could also result in a denial-of-service condition, preventing new endpoints from authenticating to the network. Cisco has stated that it is not aware of public exploitation or malicious use of the vulnerability at this time.
Cisco also addressed CVE-2026-20190 (CVSS 7.5), an information disclosure vulnerability caused by improper authorization checks. Successful exploitation could allow an unauthenticated attacker to access sensitive information, including hashed credentials that could potentially support follow-on attacks. Both vulnerabilities affect widely deployed network access control infrastructure and should be prioritized for remediation.