
Threat Alerts

Your place for the latest CyberProof cyber threat intelligence alerts and updates


OysterLoader Multi-Stage Malware Delivers Rhysida Ransomware

16-Feb-2026
Label: Malware
Threat Level: Medium

OysterLoader, a sophisticated C++ malware loader also known as Broomstick or CleanUp, has emerged as a critical threat in the cybersecurity landscape. Primarily linked to the Rhysida ransomware group and WIZARD SPIDER threat actors, this multi-stage loader employs advanced evasion techniques to deliver ransomware and commodity malware like Vidar infostealer.

The malware operates through a complex four-stage infection chain beginning with trojanized MSI installers disguised as legitimate software like PuTTY, WinSCP, and Google Authenticator. The first stage employs API flooding with hundreds of useless Windows function calls to confuse security tools, while implementing anti-debugging traps and custom dynamic API resolution using hashing algorithms. Stage two utilizes a modified LZMA compression algorithm with custom headers that prevent standard decompression tools from analyzing the payload. The third stage performs environment verification, checking for at least 60 running processes before establishing HTTPS communication with delivery servers.

The final stage demonstrates advanced steganographic techniques by hiding encrypted payloads within icon image files using RC4 encryption with hardcoded keys. Communication occurs through a dual-layer C2 infrastructure utilizing custom JSON encoding with non-standard Base64 alphabets and random shift values for each message. The malware maintains persistence through scheduled tasks running every 13 minutes and continuously evolves its communication protocols, with recent variants hosting /api/v2/facade endpoints.
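One concrete hunting check that follows from the persistence detail above (a scheduled task repeating every 13 minutes): audit Task Scheduler XML exports for short repetition intervals. This is an added example written for this page, not CyberProof tooling or anything taken from the malware; the XML exports are constructed to resemble `schtasks /query /xml` output, and the task names and command paths in them are placeholders.

```python
"""Flag scheduled tasks whose repetition interval is unusually short, with a
specific marker for the 13-minute cadence described in the OysterLoader alert.
Added example (not CyberProof's code); sample exports below are constructed."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML exports.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# ISO 8601 duration subset used in <Interval> elements: PT13M, PT1H30M, P1DT2H ...
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def duration_seconds(iso: str) -> int:
    """Convert a Task Scheduler duration string to seconds; reject empty durations."""
    text = iso.strip()
    m = _DURATION.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported duration: {iso!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def audit_task(xml_text: str, max_interval: int = 15 * 60) -> dict | None:
    """Return a finding if any trigger repeats at or below max_interval seconds."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="<no URI>", namespaces=NS)
    command = root.findtext("t:Actions/t:Exec/t:Command", default="<no command>", namespaces=NS)
    for interval in root.iterfind("t:Triggers//t:Repetition/t:Interval", NS):
        secs = duration_seconds(interval.text or "")
        if secs <= max_interval:
            return {
                "task": uri,
                "interval": interval.text,
                "command": command,
                # Exact match for the cadence reported in the alert.
                "matches_13min": secs == 13 * 60,
            }
    return None


def audit_all(exports: list[str]) -> list[dict]:
    """Audit a list of XML exports and keep only the findings."""
    return [f for f in (audit_task(x) for x in exports) if f]


def _task_xml(uri: str, command: str, interval: str | None) -> str:
    """Build a minimal, constructed task export for the sample data below."""
    rep = f"<Repetition><Interval>{interval}</Interval></Repetition>" if interval else ""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<RegistrationInfo><URI>{uri}</URI></RegistrationInfo>"
        f"<Triggers><TimeTrigger>{rep}<StartBoundary>2026-02-01T09:00:00</StartBoundary>"
        "<Enabled>true</Enabled></TimeTrigger></Triggers>"
        f'<Actions Context="Author"><Exec><Command>{command}</Command></Exec></Actions>'
        "</Task>"
    )


# Constructed sample exports: placeholder task names and paths, not real captures.
SAMPLE_EXPORTS = [
    _task_xml(r"\Updater", r"C:\Users\alice\AppData\Roaming\PlaceholderDir\update.exe", "PT13M"),
    _task_xml(r"\Microsoft\Windows\Backup", r"C:\Windows\System32\sdclt.exe", "PT1H"),
    _task_xml(r"\Inventory", r"C:\Program Files\Agent\agent.exe", None),
]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_EXPORTS):
        print(finding)
```

A 15-minute threshold is a starting point, not a rule: legitimate agents also repeat frequently, so the command path (user-writable directory versus system or Program Files) is what usually separates a real finding from noise.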

Microsoft Patches Four Windows Zero-Day Flaws

16-Feb-2026
Label: Vulnerability
Threat Level: High

Microsoft released updates addressing four zero-day vulnerabilities that are currently being exploited by attackers. These actively exploited flaws span multiple critical Windows components and services, presenting significant security risks to organizations worldwide. The vulnerabilities range from security feature bypasses to privilege escalation and denial-of-service issues that could enable attackers to compromise systems, execute malicious code, and disrupt essential services.

Zero-Day Vulnerabilities

CVE-2026-21510 (CVSS score: 8.8) is a security feature bypass in Windows Shell that allows attackers to bypass Windows protections with a single click on a malicious link, executing attacker-controlled content without warning dialogs across all currently supported Windows versions. CVE-2026-21513 (CVSS score: 8.8) is a security feature bypass vulnerability in Microsoft’s MSHTML Framework, the core HTML rendering engine used across Windows operating systems and various applications. CVE-2026-21514 stems from a weakness in how Microsoft Word handles security decisions based on untrusted inputs, categorized as CWE-807. The final zero-day, CVE-2026-21525, is a denial-of-service vulnerability in the Windows Remote Access Connection Manager, which maintains VPN connections to corporate networks.

Fake 7-Zip Site Distributes Trojanized Installer to Build Covert Residential Proxy Network

16-Feb-2026
Label: Malware
Threat Level: Medium

A convincing fake 7-Zip website has been distributing trojanized installers that convert victims’ computers into residential proxy nodes. The malicious site uses a lookalike domain to deceive users downloading the popular archiver software, establishing persistent system access for monetization purposes.

The attack begins when users download what appears to be legitimate 7-Zip software from the fraudulent domain. The installer deploys a functional copy of the archiver alongside hidden malware components that establish Windows services with system-level privileges. The malware manipulates firewall rules, profiles the infected system using WMI queries, and communicates with command-and-control servers through encrypted channels. Multiple evasion techniques are employed, including virtual machine detection, anti-debugging measures, and DNS-over-HTTPS communication to avoid traditional monitoring.

Once established, the infected machine becomes part of a residential proxy network, allowing third parties to route traffic through the victim’s IP address for various malicious activities. The malware retrieves configuration data from rotating domains and establishes proxy connections on non-standard ports using XOR-encoded protocols. This campaign demonstrates how attackers exploit user trust in legitimate software brands to build long-term monetization infrastructure, bypassing traditional security measures that focus on vulnerability exploitation rather than social engineering tactics.
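The alert hinges on a lookalike domain, so a practical defender check is to screen DNS query logs for registrable domains that are a small edit away from, or contain, a trusted software brand. The following is an added example for this page, not CyberProof code, and the DNS log lines and lookalike domains in it are constructed (they are not the campaign's actual infrastructure). It assumes a simple `query=<name>` log format and uses a naive two-label notion of "registrable domain" (no public-suffix list), which is a known limitation for suffixes such as co.uk.

```python
"""Screen DNS query logs for domains that imitate a trusted software brand.
Added example (not CyberProof's code); all sample data below is constructed."""
from __future__ import annotations

import re

# Legitimate brand label -> legitimate registrable domain (assumption: 7-zip.org is the genuine site).
KNOWN_BRANDS = {"7-zip": "7-zip.org"}
_QUERY = re.compile(r"\bquery=(\S+)")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Naive registrable domain: the last two labels (no public-suffix handling)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(domain: str, max_distance: int = 2) -> str | None:
    """Return a reason string if the domain imitates a known brand, else None."""
    reg = registrable(domain)
    label = reg.split(".")[0]
    for brand_label, legit in KNOWN_BRANDS.items():
        if reg == legit:
            return None
        if label == brand_label:
            # Exact brand label under a different TLD.
            return f"brand label on unexpected TLD: {reg} (expected {legit})"
        distance = levenshtein(label, brand_label)
        if 0 < distance <= max_distance or brand_label in label:
            # Near-miss spelling, or brand name embedded in a longer label.
            return f"lookalike of {legit}: {reg}"
    return None


def scan_dns_log(lines: list[str]) -> list[tuple[str, str]]:
    """Return (registrable domain, reason) for every flagged query in the log."""
    hits = []
    for line in lines:
        m = _QUERY.search(line)
        if not m:
            continue
        reason = classify(m.group(1))
        if reason:
            hits.append((registrable(m.group(1)), reason))
    return hits


# Constructed DNS log lines; clients and lookalike names are made up for the example.
SAMPLE_DNS_LOG = [
    "2026-02-05T12:00:01Z client=10.0.0.12 query=www.7-zip.org type=A",
    "2026-02-05T12:00:07Z client=10.0.0.12 query=7-zlp.org type=A",
    "2026-02-05T12:01:30Z client=10.0.0.31 query=www.7-zip.net type=A",
    "2026-02-05T12:02:11Z client=10.0.0.31 query=cdn.7-zip-download.org type=A",
    "2026-02-05T12:03:45Z client=10.0.0.40 query=mail.example.test type=MX",
]

if __name__ == "__main__":
    for domain, reason in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{domain}: {reason}")
```

Flagged queries are a triage list, not a verdict: vendors do own alternate TLDs and CDNs, so the usual follow-up is to check the resolved IP and the download that followed the lookup.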

GLOBAL GROUP Ransomware Distributed Through Botnet-Driven Phishing

16-Feb-2026
Label: Ransomware
Threat Level: Medium

A high-volume phishing campaign observed in early February 2026 has been distributing ransomware through mass-sent emails carrying malicious attachments. The activity presents a notable risk due to its low-noise execution model, which limits traditional network-based detection opportunities. By minimizing external communication and operating largely offline, the campaign increases the likelihood that encryption occurs before security teams can identify and contain the intrusion.

The infection chain begins with a weaponized Windows shortcut (.lnk) file disguised as a legitimate document using double extensions and familiar icons. When opened, the shortcut executes system commands that invoke a scripting engine to download and run a secondary payload. This staged execution allows the attacker to deliver ransomware without immediately exposing obvious network indicators. The use of commonly trusted system utilities further blends the activity into normal operating behavior.

Once deployed, the ransomware encrypts files locally, generating keys on the infected system and avoiding command-and-control communication. This offline execution reduces visibility for defenses that rely on outbound traffic monitoring. The combination of shortcut-based delivery, scripted payload retrieval, and local encryption reflects an efficient delivery chain designed to shorten response windows and complicate early detection.
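Because the chain is delivered as a shortcut with a double extension, the cheapest detection sits at the mail gateway: flag any `.lnk` attachment, and mark those whose name carries a document-style inner extension as disguised. The code below is an added example for this page, not CyberProof's product or anything from the campaign; the gateway log lines are constructed and assume a simple `attachment="<name>"` field.

```python
"""Classify attachment names from mail-gateway logs to surface shortcut files
disguised as documents (Invoice.pdf.lnk and the like).
Added example (not CyberProof's code); sample log lines are constructed."""
from __future__ import annotations

import re

SHORTCUT_EXT = ".lnk"
# Inner extensions that make a shortcut look like an ordinary document or image.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
_ATTACH = re.compile(r'attachment="([^"]+)"')


def classify_attachment(filename: str) -> str | None:
    """Return 'disguised-shortcut', 'shortcut', or None for a non-shortcut file.

    Matching is case-insensitive because Windows treats PHOTO.JPG.LNK the same
    as photo.jpg.lnk, and the real extension is hidden by default in Explorer.
    """
    name = filename.lower()
    if not name.endswith(SHORTCUT_EXT):
        return None
    stem = name[: -len(SHORTCUT_EXT)]
    dot = stem.rfind(".")
    inner = stem[dot:] if dot != -1 else ""
    return "disguised-shortcut" if inner in DOCUMENT_EXTS else "shortcut"


def scan_gateway_log(lines: list[str]) -> list[tuple[str, str]]:
    """Return (attachment name, classification) for every shortcut attachment seen."""
    hits = []
    for line in lines:
        m = _ATTACH.search(line)
        if not m:
            continue
        verdict = classify_attachment(m.group(1))
        if verdict:
            hits.append((m.group(1), verdict))
    return hits


# Constructed gateway log lines; senders and file names are made up.
SAMPLE_LOG = [
    '2026-02-03T07:41:09Z action=accept from=billing@example.test attachment="Invoice_0203.pdf.lnk"',
    '2026-02-03T07:42:15Z action=accept from=hr@example.test attachment="Policy_Update.docx"',
    '2026-02-03T07:43:50Z action=accept from=ops@example.test attachment="Shortcut_to_share.lnk"',
    '2026-02-03T07:44:02Z action=accept from=ops@example.test attachment="photo.JPG.LNK"',
]

if __name__ == "__main__":
    for name, verdict in scan_gateway_log(SAMPLE_LOG):
        print(f"{name}: {verdict}")
```

Shortcuts inside archive attachments are not covered here; a gateway that expands archives before applying the same classification closes that gap.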

Google Chrome Use-After-Free Vulnerability Actively Exploited

16-Feb-2026
Label: Vulnerability
Threat Level: High

Google has issued an urgent out-of-band security update for Chrome to address CVE-2026-2441 (CVSS 8.8), a critical use-after-free vulnerability in the browser’s CSS processing engine that is being actively exploited in the wild. This flaw enables remote code execution when users visit malicious web pages.

The vulnerability stems from improper memory management within Chrome’s CSS component, where the browser continues accessing memory after it has been freed. Attackers can exploit this weakness by crafting malicious HTML pages that trigger the use-after-free condition, potentially allowing arbitrary code execution within Chrome’s sandbox environment. The flaw affects Chrome versions prior to 144.0.7559.75 on Linux and 145.0.7632.75/76 on Windows and macOS, with exploitation requiring only user interaction with a specially designed webpage.

Google released emergency patches on February 13, 2026, addressing the vulnerability across all supported platforms. The company has restricted detailed technical information about the exploit due to active in-the-wild usage and the potential for chaining with other vulnerabilities to escape sandbox protections. Chromium-based browsers including Microsoft Edge are expected to receive corresponding security updates. The rapid deployment of this patch reflects the serious nature of memory corruption vulnerabilities that can serve as initial attack vectors for more complex exploitation chains.
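The actionable part of this alert is the version boundary: 144.0.7559.75 on Linux and 145.0.7632.75/76 on Windows and macOS. The script below turns that into an inventory check, comparing installed Chrome builds against the first fixed build per platform. It is an added example for this page, not Google's or CyberProof's code; the inventory records are constructed, and the platform keys and record layout are assumptions.

```python
"""Check installed Chrome builds against the fixed versions named in the
CVE-2026-2441 alert. Added example (not CyberProof's or Google's code);
the inventory below is constructed."""
from __future__ import annotations

# First fixed build per platform, as stated in the alert. Windows and macOS
# shipped as 145.0.7632.75/76; the lower number is the minimum containing the fix.
FIXED_VERSIONS = {
    "linux": "144.0.7559.75",
    "windows": "145.0.7632.75",
    "macos": "145.0.7632.75",
}


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Parse a dotted Chrome version into a comparable 4-tuple.

    Anything other than four numeric parts raises, so malformed inventory
    data is surfaced instead of silently comparing as patched.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    major, minor, build, patch = (int(p) for p in parts)
    return (major, minor, build, patch)


def is_vulnerable(installed: str, platform: str) -> bool:
    """True if the installed build predates the fixed build for the platform."""
    key = platform.lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(installed) < parse_version(FIXED_VERSIONS[key])


def triage(inventory: list[dict]) -> list[str]:
    """Return hosts that still need the update.

    Each record is {"host", "platform", "chrome"}. Records whose version
    cannot be parsed are reported too: unknown state is treated as unpatched.
    """
    needs_action = []
    for rec in inventory:
        try:
            if is_vulnerable(rec["chrome"], rec["platform"]):
                needs_action.append(rec["host"])
        except ValueError:
            needs_action.append(rec["host"])
    return needs_action


# Constructed sample inventory: hostnames and installed versions are made up.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "platform": "windows", "chrome": "145.0.7632.74"},
    {"host": "ws-02", "platform": "windows", "chrome": "145.0.7632.76"},
    {"host": "mac-01", "platform": "macos", "chrome": "144.0.7559.99"},
    {"host": "lx-01", "platform": "linux", "chrome": "144.0.7559.75"},
    {"host": "lx-02", "platform": "linux", "chrome": "unknown"},
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: update Chrome")
```

Tuple comparison is what makes this correct: comparing the version strings lexically would rank "145.0.7632.9" above "145.0.7632.76", which is exactly the kind of mistake that leaves a host unpatched.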

Actively Exploited Windows RDS Privilege Escalation Zero-Day

16-Feb-2026
Label: Vulnerability
Threat Level: High

Microsoft has remediated a zero-day elevation-of-privilege vulnerability in Windows Remote Desktop Services that is being actively exploited to obtain SYSTEM-level access. Tracked as CVE-2026-21533 (CVSS 7.8) and addressed in the February 2026 Patch Tuesday updates, the flaw results from improper privilege management and requires only low-privileged local access with no user interaction. The vulnerability affects multiple Windows server and desktop versions, particularly systems with RDS enabled, and poses high risk to confidentiality, integrity, and availability, making it especially dangerous for post-compromise escalation in enterprise environments.

Exploitation involves modifying an RDS service configuration registry key and replacing it with an attacker-controlled value, enabling privilege escalation actions such as adding users to the Administrators group and granting full SYSTEM privileges. Because attackers need only initial low-level access, the flaw is well-suited for lateral movement following an initial breach, and security researchers expect rapid weaponization or underground sale of exploit tooling.
