In early February, APT activity leaned hard on cloud abuse, identity compromise, and long‑dwell access, with UNC3886 standing out for its persistence. Exploited bugs across Notepad++, SolarWinds, Apple, and Microsoft underscored the need for fast patching and tighter identity controls. Ransomware crews stayed active, with Qilin and The Gentlemen driving most cases while Cl0p’s earlier huge Cleo‑linked victim dump kept pressure high despite fewer new hits.
Report Links
Download Threat Brief For February 1-15 2026
Byer-Nichols Threat Brief Podcast 02-15-2026
Ransomware Actors
| Ransomware | Share of Victims | Rank Last Period | Rank Two Periods Ago |
|---|---|---|---|
| Qilin | 15.82% | 2 | 1 |
| The Gentlemen | 13.40% | 3 | 8 |
| CL0P | 9.12% | 1 | 19 |
| Akira | 6.43% | 4 | 2 |
| LockBit | 6.17% | 16 | 20 |
Qilin led early‑February activity with steady, opportunistic hits on mid‑market firms, while The Gentlemen continued their volatile pattern of data‑leak‑driven extortion. Cl0p’s share stayed elevated on the strength of its earlier mass Cleo‑linked victim dump, which reshaped the rankings even though the group posted fewer fresh intrusions. Akira kept up its fast‑moving double‑extortion playbook, and LockBit, though quieter, remained persistent through affiliates recycling older access paths.
Victim Sector
| Sector | Share of Victims | Rank Last Period | Rank Movement |
|---|---|---|---|
| Manufacturing | 15.54% | 2 | 2 -> 1 |
| Technology | 14.79% | 1 | 1 -> 2 |
| Financial Services | 14.04% | 4 | 4 -> 3 |
| Construction | 12.03% | 3 | 3 -> 4 |
| Retail | 8.02% | 5 | unchanged |
Victim Location
| Country | Share of Victims | Rank Last Period | Rank Movement |
|---|---|---|---|
| USA | 50.63% | 1 | unchanged |
| Canada | 5.26% | 3 | 3 -> 2 |
| UK | 2.76% | 2 | 2 -> 3 |
| Brazil | 2.51% | NEW | new entry |
| France | 2.51% | NEW | new entry |
Victim Org Size
| Size | This Period | Last Period | Relative Change in Share |
|---|---|---|---|
| Small Business (500 or less) | 84.13% | 84.00% | +0.15% |
| Mid-Market (501-5000) | 14.61% | 13.56% | +7.74% |
| Large Enterprise (5000+) | 1.26% | 2.44% | -48.36% |
Trending Adversaries
Storm‑2603, TGR‑STA‑1030, UNC1069, UNC3886, UNC4895, and Violet Typhoon all leaned heavily on stealthy access, cloud abuse, and long‑dwell espionage in recent weeks. Most are doubling down on identity compromise, living‑off‑the‑land tooling, and quietly pivoting through hybrid cloud environments. UNC3886 remains the most concerning thanks to its persistence tricks and focus on high‑value infrastructure. Defenders should expect more identity‑driven lateral movement and cloud‑focused tradecraft.
- Storm-2603
- TGR-STA-1030
- UNC1069
- UNC3886
- UNC4895
- Violet Typhoon
Trending & Actively Exploited Vulnerabilities
Early February saw active exploitation across a mixed stack: a Notepad++ bug, two SolarWinds Web Help Desk flaws, a broad Apple multi‑product issue, and a run of Windows and Office CVEs. The main concern is chaining: attackers use a simple application bug or an exposed help‑desk instance for initial access, then pivot through Windows and Office privilege‑escalation and RCE paths. Teams should fast‑track patching for internet‑facing Web Help Desk instances, push the Apple and Microsoft updates, tighten identity and macro controls, and watch EDR telemetry for post‑exploit lateral movement.
| CVE | Vendor | Product |
|---|---|---|
| CVE-2025-15556 | Notepad++ | Notepad++ |
| CVE-2025-40536 | SolarWinds | Web Help Desk |
| CVE-2025-40551 | SolarWinds | Web Help Desk |
| CVE-2026-20700 | Apple | Multiple Products |
| CVE-2026-21510 | Microsoft | Windows |
| CVE-2026-21513 | Microsoft | Windows |
| CVE-2026-21514 | Microsoft | Office |
| CVE-2026-21519 | Microsoft | Windows |
| CVE-2026-21525 | Microsoft | Windows |
| CVE-2026-21533 | Microsoft | Windows |
Trending Malware
| Malware | Details |
|---|---|
| CastleLoader | CastleLoader is a stealthy first‑stage loader used in targeted attacks against government and critical‑infrastructure organizations. It relies on multi‑stage execution—often using ClickFix‑themed phishing, fake GitHub repos, and techniques like dead‑code injection and process hollowing—to quietly deploy payloads in memory. Recent campaigns show it delivering stealers and RATs such as RedLine, StealC, SectopRAT, and NetSupport, making it a reliable foothold for credential theft and long‑term access. |
| DarkNimbus | DarkNimbus is a cross‑platform backdoor (Windows and Android) used for surveillance, data theft, and staging follow‑on malware. It has been deployed through the MOONSHINE exploit kit, which targets messaging‑app vulnerabilities—particularly in campaigns against Tibetan and Uyghur communities. Its capabilities include keylogging, file exfiltration, browser data theft, and abuse of Android Accessibility Services for geolocation and call control. |
| HYPERCALL | HYPERCALL is part of a North Korean malware toolkit used by UNC1069 in financially motivated intrusions against cryptocurrency and DeFi organizations. Delivered through sophisticated social‑engineering lures—compromised Telegram accounts, fake Zoom calls, and even deepfake videos—it forms part of a multi‑malware suite alongside WAVESHAPER and SUGARLOADER. Its role in the chain is to help harvest system data and support credential and session‑token theft, enabling follow‑on financial compromise. |
| SSHStalker | SSHStalker is a newly discovered Linux botnet that blends 2009‑era IRC botnet techniques with modern automated mass‑scanning and compromise. It spreads by brute‑forcing SSH credentials and exploiting long‑unpatched Linux 2.6.x‑era vulnerabilities, making it especially effective against forgotten or legacy cloud infrastructure. Once inside, it deploys log cleaners, rootkit‑like components, and multiple IRC‑based bots to maintain resilient C2 and expand laterally. |
| WAVESHAPER | WAVESHAPER is another component of UNC1069’s expanding malware arsenal, used in targeted attacks on crypto‑sector organizations. It’s delivered through the same AI‑enhanced social‑engineering chain—compromised Telegram accounts, fake Zoom meetings, and ClickFix‑style prompts—that has become a hallmark of this actor’s operations. WAVESHAPER works alongside HYPERCALL and other families to collect host data, steal credentials, and support long‑term financial theft operations. |
| ZeroDayRAT | ZeroDayRAT is a commercial mobile spyware platform openly marketed on Telegram, offering full remote control of Android (5–16) and iOS (up to 26) devices. It supports real‑time surveillance, live camera access, keylogging, and theft of banking and crypto data, making it far more capable than typical consumer‑grade stalkerware. Distribution relies on smishing, fake app stores, and malicious links, and the operator panel requires no technical skill—lowering the barrier for widespread abuse. |
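SSHStalker's initial access, as described above, is plain SSH credential brute‑forcing against forgotten Linux hosts, which is one of the easiest behaviours to catch in sshd logs. The following is an added example written for this brief, not code from the SSHStalker analysis or from any vendor: it parses standard sshd `Failed password` / `Accepted password` lines, flags any source that exceeds a failure threshold inside a sliding time window, and escalates when a success follows such a burst (the "brute force that worked" case a responder actually wants paged on). The log lines, hostnames, IP addresses and the year used for timestamp parsing are all constructed for the example; the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines (not real data). Source 203.0.113.7 runs a
# burst of failures that ends in a successful root login; 198.51.100.4 is a
# user who mistyped once; 192.0.2.9 is slow, spread-out probing below threshold.
SAMPLE_AUTH_LOG = """\
Feb  3 02:14:01 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Feb  3 02:14:02 web01 sshd[2103]: Failed password for root from 203.0.113.7 port 51024 ssh2
Feb  3 02:14:03 web01 sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 51026 ssh2
Feb  3 02:14:04 web01 sshd[2107]: Failed password for invalid user oracle from 203.0.113.7 port 51028 ssh2
Feb  3 02:14:05 web01 sshd[2109]: Failed password for root from 203.0.113.7 port 51030 ssh2
Feb  3 02:14:06 web01 sshd[2111]: Accepted password for root from 203.0.113.7 port 51032 ssh2
Feb  3 02:20:10 web01 sshd[2150]: Failed password for alice from 198.51.100.4 port 40010 ssh2
Feb  3 02:20:20 web01 sshd[2152]: Accepted password for alice from 198.51.100.4 port 40012 ssh2
Feb  3 03:05:00 web01 sshd[2200]: Failed password for root from 192.0.2.9 port 33000 ssh2
Feb  3 03:45:00 web01 sshd[2201]: Failed password for root from 192.0.2.9 port 33001 ssh2
Feb  3 04:30:00 web01 sshd[2202]: Failed password for root from 192.0.2.9 port 33002 ssh2
"""

# Matches the default OpenSSH password-auth messages in syslog format.
# "invalid user" is emitted when the account does not exist; it is optional here.
LOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2026):
    """Return a dict for a password-auth sshd line, or None for anything else.
    Syslog lines carry no year, so one is supplied (assumed 2026 for the sample)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}", "%b %d %H:%M:%S %Y")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_ssh_bruteforce(log_text, threshold=5, window_seconds=60):
    """Sliding-window brute-force detection per source IP.

    Emits a 'brute_force' alert the first time a source reaches `threshold`
    failures within `window_seconds`, and a higher-severity
    'brute_force_success' alert if a login is accepted from a source whose
    recent failures are still at or above the threshold."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, username) failures
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        q = recent[ip]
        # Evict failures that have aged out of the window.
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["result"] == "Failed":
            q.append((ts, ev["user"]))
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({
                    "type": "brute_force", "severity": "medium", "ip": ip,
                    "failures": len(q), "distinct_users": len({u for _, u in q}),
                    "first_seen": q[0][0], "last_seen": ts,
                })
        else:  # Accepted
            if len(q) >= threshold:
                alerts.append({
                    "type": "brute_force_success", "severity": "high", "ip": ip,
                    "user": ev["user"], "failures_before_success": len(q), "at": ts,
                })
            # A success resets the failure window for this source.
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print(a)
```

The slow probing from 192.0.2.9 stays below threshold on purpose: a detector like this catches the automated mass‑scanning SSHStalker relies on, not a patient low‑and‑slow attacker, so pair it with fail2ban‑style rate limiting and, on anything exposed to the internet, disable password authentication entirely (`PasswordAuthentication no` in sshd_config) so there is nothing to brute‑force. It also says nothing about the 2.6.x‑era kernel bugs the botnet exploits once inside; those are found by inventory, not by auth logs.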
Top News
- Notepad++ update feature hijacked by Chinese state hackers for months
- Exposed MongoDB instances still targeted in data extortion attacks
- Coinbase confirms insider breach linked to leaked support tool screenshots
- Malicious MoltBot skills used to push password-stealing malware
- Owner of Incognito dark web drugs market gets 30 years in prison
- Step Finance says compromised execs' devices led to $40M crypto theft
- Fugitive behind $73M 'pig butchering' scheme gets 20 years in prison
- Police arrest seller of JokerOTP MFA passcode capturing tool
Contributors
Written by Jeremy Nichols, former Director of the Global Threat Intelligence Center
Executive Summaries & Adversary Bios by Geoff Rehmet, Cybersecurity Architect
Produced & Distributed By Phish Tank Digital