Threat Brief — Friday, February 14, 2026
Executive Summary
Arctic Wolf reveals post-exploitation tradecraft from BeyondTrust CVE-2026-1731 intrusions—SimpleHelp RMM deployment and domain admin creation within hours of PoC release. Microsoft’s Patch Tuesday addresses six actively exploited zero-days including SmartScreen and MOTW bypasses. Ivanti EPMM pre-auth RCE chain seeing mass exploitation. Lazarus poisoning npm/PyPI with fake crypto job packages.
1. BeyondTrust CVE-2026-1731 — Post-Exploitation TTPs
🔴 Critical · Pre-Auth RCE · CVE-2026-1731 · CVSS 9.9
See Threat Brief - Feb 13 for initial analysis of the vulnerability and WebSocket exploitation chain.
New intelligence: Arctic Wolf observed active intrusions within hours of PoC release (Feb 10). Attackers are deploying SimpleHelp RMM for persistence and rapidly escalating to domain admin.
Sources: Arctic Wolf · Help Net Security
New TTPs (Post-Exploitation)
| Technique | Tactic | Observable |
|---|---|---|
| T1219 | C2 | SimpleHelp RMM binaries: remote access.exe in C:\ProgramData\ |
| T1136.002 | Persistence | net user <user> <pass> /add /domain |
| T1098 | Privilege Escalation | net group "enterprise admins" <user> /add /domain |
| T1018 | Discovery | ([adsiSearcher]"(ObjectClass=computer)").FindAll().count |
| T1570 | Lateral Movement | PSExec + Impacket SMBv2 session setup |
New IOCs
- SimpleHelp binary metadata: “SimpleHelp Remote Access Client” file description
- Binaries renamed to remote access.exe in C:\ProgramData\
- Impacket SMBv2 session setup requests (early intrusion indicator)
- Domain accounts created and added to “enterprise admins” + “domain admins”
Detection
Log Sources: Windows Security (4688, 4720, 4728), Sysmon (1, 11)
Logic:
# Account creation + privileged group add (two separate net commands; correlate by host and account)
process_name IN ("net.exe", "net1.exe")
AND (command_line MATCHES "user.*\/add.*\/domain"
     OR command_line MATCHES "group.*(enterprise admins|domain admins).*\/add")
# SimpleHelp in ProgramData
file_path LIKE "C:\\ProgramData\\%.exe"
AND (file_description = "SimpleHelp Remote Access Client"
OR original_filename LIKE "%SimpleHelp%")
# Discovery via ADSISearcher
powershell_script CONTAINS "adsiSearcher" AND powershell_script CONTAINS "ObjectClass=computer"
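The hunt logic above, applied to constructed process-creation events (Security 4688 / Sysmon EID 1 style fields). This is an added example, not Arctic Wolf's or the brief's own query; the event field names and every sample value are assumptions.

```python
import re

# Constructed sample events; field names mirror common 4688 / Sysmon EID 1 mappings.
# None of these values come from the reported intrusions.
SAMPLE_EVENTS = [
    {"process_name": "net.exe", "command_line": "net user svc_backup Winter2026! /add /domain",
     "file_path": r"C:\Windows\System32\net.exe"},
    {"process_name": "net1.exe", "command_line": 'net1 group "enterprise admins" svc_backup /add /domain',
     "file_path": r"C:\Windows\System32\net1.exe"},
    {"process_name": "net.exe", "command_line": r"net use Z: \\fs01\share",
     "file_path": r"C:\Windows\System32\net.exe"},
    {"process_name": "remote access.exe", "command_line": '"C:\\ProgramData\\remote access.exe"',
     "file_path": r"C:\ProgramData\remote access.exe",
     "file_description": "SimpleHelp Remote Access Client"},
    {"process_name": "powershell.exe",
     "command_line": 'powershell -c ([adsiSearcher]"(ObjectClass=computer)").FindAll().count',
     "file_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

# T1136.002: "net user <name> <pass> /add /domain"; T1098: add to a Tier-0 group.
ACCOUNT_ADD = re.compile(r"\buser\s+\S+.*\s/add\b.*\s/domain\b", re.I)
PRIV_GROUP_ADD = re.compile(r'\bgroup\s+"?(enterprise admins|domain admins)"?.*\s/add\b', re.I)
# T1219: any executable dropped directly under C:\ProgramData\ (spaces in the name allowed).
PROGRAMDATA_EXE = re.compile(r"^C:\\ProgramData\\[^\\]+\.exe$", re.I)


def classify(event):
    """Return the brief's TTP labels that one event matches (empty list if benign)."""
    hits = []
    name = event.get("process_name", "").lower()
    cmd = event.get("command_line", "")
    if name in ("net.exe", "net1.exe"):
        if ACCOUNT_ADD.search(cmd):
            hits.append("T1136.002 domain account creation")
        if PRIV_GROUP_ADD.search(cmd):
            hits.append("T1098 privileged group add")
    if PROGRAMDATA_EXE.match(event.get("file_path", "")) and (
        event.get("file_description") == "SimpleHelp Remote Access Client"
        or "simplehelp" in event.get("original_filename", "").lower()
    ):
        hits.append("T1219 SimpleHelp RMM in ProgramData")
    if name == "powershell.exe" and "adsisearcher" in cmd.lower() and "objectclass=computer" in cmd.lower():
        hits.append("T1018 AD computer discovery")
    return hits


def hunt(events):
    """Map event index -> matched TTPs, keeping only events with at least one hit."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}
```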
Existing Coverage:
- Impacket PsExec Execution (Sigma)
- Windows RMM Named Pipe (Splunk ESCU)
- None for SimpleHelp specifically (gap)
Action
🔴 Hunt immediately. Query for SimpleHelp binaries, domain account creation, and PSExec/Impacket activity on systems with BeyondTrust access.
2. Microsoft February 2026 Patch Tuesday — 6 Zero-Days
🔴 Critical · Multiple Zero-Days · Actively Exploited · No PoC Public
Six vulnerabilities exploited in the wild before patching, including SmartScreen bypasses used in ransomware/infostealer delivery chains.
Sources: Tenable · Computerworld
CVE-2026-21510 — Windows Shell SmartScreen Bypass (CVSS 8.8)
Single click on malicious LNK/shortcut bypasses SmartScreen and Shell warnings. Publicly disclosed. Used in ransomware delivery.
CVE-2026-21513 — MSHTML Security Feature Bypass (CVSS 8.8)
Malicious HTML or LNK file bypasses IE-based security checks. Publicly disclosed.
CVE-2026-21514 — Microsoft Word Macro Bypass (CVSS 7.8)
Crafted Office documents bypass macro protections. Preview pane NOT a vector.
CVE-2026-21519 — Desktop Window Manager EoP (CVSS 7.8)
Local authenticated attacker escalates to SYSTEM via DWM.
CVE-2026-21533 — Remote Desktop Services EoP
Local attacker gains SYSTEM through RDP stack.
CVE-2026-21525 — Remote Access Connection Manager DoS (CVSS 6.2)
Unauthenticated local attacker can crash VPN connections.
TTPs
| Technique | Tactic | Observable |
|---|---|---|
| T1204.001 | Execution | User opens malicious LNK, HTML, or DOCX |
| T1553.005 | Defense Evasion | Mark-of-the-Web/SmartScreen bypass |
| T1548 | Privilege Escalation | dwm.exe parent spawning unexpected SYSTEM process |
Detection
Log Sources: Windows Security, Sysmon (1, 11, 15), Microsoft Defender
Logic:
# MOTW bypass - Zone.Identifier deletion
event_type = "FileDelete"
AND file_path ENDS WITH ":Zone.Identifier"
AND process NOT IN ("explorer.exe", "chrome.exe", "firefox.exe")
# Suspicious LNK execution from temp/downloads
parent_process = "explorer.exe"
AND process IN ("cmd.exe", "powershell.exe")
AND command_line CONTAINS ".lnk"
AND file_path MATCHES "\\(Downloads|Temp)\\"
# DWM privilege escalation
parent_process = "dwm.exe"
AND integrity_level = "System"
AND process NOT IN (known_dwm_children)
Existing Coverage:
- Windows Mark Of The Web Bypass (Splunk ESCU)
- ADS Zone.Identifier Deleted By Uncommon Application (Sigma)
- Windows Privilege Escalation System Process Without System Parent (Splunk ESCU)
Action
🔴 Deploy patches. Hunt for MOTW bypass indicators and suspicious LNK execution from Downloads/Temp.
3. Ivanti EPMM Pre-Auth RCE Chain
🔴 Critical · Pre-Auth RCE · CVE-2026-1281 (CVSS 9.8) + CVE-2026-1340 (CVSS 9.8) · PoC Available
Bash arithmetic expansion abuse in the /mifs/c/appstore/fob/ and /mifs/c/aftstore/fob/ endpoints. 83% of exploitation traffic traced to a single bulletproof-hosting IP. ~1,600 exposed instances globally.
Sources: Indusface · The Hacker News
TTPs
| Technique | Tactic | Observable |
|---|---|---|
| T1190 | Initial Access | GET/POST to /mifs/c/(aft|app)store/fob/ with crafted params |
| T1059.004 | Execution | Bash command injection via arithmetic expansion |
| T1105 | Ingress Tool Transfer | WAR/JAR file drops, webshell deployment |
IOCs
- Requests to /mifs/c/appstore/fob/ or /mifs/c/aftstore/fob/ returning 404
- POST requests to error pages like 401.jsp
- Unexpected WAR/JAR artifacts on EPMM appliance
- Long-running outbound connections from EPMM
Detection
Log Sources: Apache access logs, network flow, file integrity monitoring
Logic (Apache log regex from Ivanti):
^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404
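Ivanti's regex above run over constructed Apache access-log lines, plus a second check for the POST-to-error-page IOC and a per-source tally. This is an added example, not Ivanti's tooling; it assumes the log line starts with client:port (which is what the regex's lookahead implies), and all sample lines and IPs are made up.

```python
import re

# Regex as published by Ivanti (quoted in the brief). Localhost traffic is excluded by the lookahead.
IVANTI_FOB_404 = re.compile(r"^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404")
# Added check for the brief's second IOC: POST requests to error pages such as 401.jsp.
ERROR_PAGE_POST = re.compile(r'"POST \S*/\d{3}\.jsp[^"]*"')

# Constructed log lines (documentation-range IPs); not captured exploitation traffic.
SAMPLE_ACCESS_LOG = """\
203.0.113.45:51234 - - [13/Feb/2026:08:14:02 +0000] "GET /mifs/c/appstore/fob/ HTTP/1.1" 404 512 "-" "curl/8.4.0"
127.0.0.1:40012 - - [13/Feb/2026:08:14:03 +0000] "GET /mifs/c/appstore/fob/ HTTP/1.1" 404 512 "-" "Java/11"
198.51.100.7:44321 - - [13/Feb/2026:08:15:10 +0000] "POST /mifs/401.jsp HTTP/1.1" 200 88 "-" "python-requests/2.31"
203.0.113.45:51240 - - [13/Feb/2026:08:15:11 +0000] "POST /mifs/c/aftstore/fob/ HTTP/1.1" 404 512 "-" "curl/8.4.0"
192.0.2.9:33001 - - [13/Feb/2026:08:16:00 +0000] "GET /mifs/c/appstore/fob/icon.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def scan_access_log(text):
    """Return (line_no, client, indicator) for every line matching an EPMM exploitation indicator."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        client = line.split(" ", 1)[0]
        if IVANTI_FOB_404.search(line):
            findings.append((n, client, "fob endpoint 404 (CVE-2026-1281/CVE-2026-1340 probe)"))
        elif ERROR_PAGE_POST.search(line):
            findings.append((n, client, "POST to error page"))
    return findings


def top_sources(findings):
    """Count findings per client IP (port stripped) to spot a dominant source."""
    counts = {}
    for _, client, _ in findings:
        ip = client.rsplit(":", 1)[0]
        counts[ip] = counts.get(ip, 0) + 1
    return counts
```

Note that the lazy `.*?404` tail matches the first "404" anywhere after the path, so a 200 response with a 1404-byte body would also match; confirm against the status field before escalating.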
Existing Coverage:
- Ivanti VTM New Account Creation (Splunk ESCU) — different product but related TTP
Action
🔴 Isolate exposed EPMM instances. Apply RPM patches immediately. Hunt Apache logs for exploitation attempts.
4. Lazarus Supply Chain Attack — npm/PyPI
🟡 High · Supply Chain · Lazarus Group (DPRK) · Active Campaign
North Korean threat actors deploying RAT via malicious npm/PyPI packages distributed through fake crypto job interviews. One package (bigmathutils) hit 10,000+ downloads before detection.
Sources: The Hacker News · ReversingLabs
TTPs
| Technique | Tactic | Observable |
|---|---|---|
| T1195.001 | Initial Access | Malicious npm/PyPI dependency in “job interview” repo |
| T1566.003 | Initial Access | LinkedIn/Facebook recruiter social engineering |
| T1059.006 | Execution | Python/Node.js script execution |
| T1219 | C2 | RAT with token-based C2 authentication |
| T1005 | Collection | MetaMask browser extension checks, file enumeration |
IOCs
Malicious npm packages:
graphalgo, graphorithm, graphstruct, graphlibcore, netstruct,
graphnetworkx, terminalcolor256, graphkitx, graphchain, graphflux,
graphorbit, graphnet, graphhub, terminal-kleur, graphrix, bignumx,
bignumberx, bignumex, bigmathex, bigmathlib, bigmathutils,
graphlink, bigmathix, graphflowx
Malicious PyPI packages:
graphalgo, graphex, graphlibx, graphdict, graphflux, graphnode,
graphsync, bigpyx, bignum, bigmathex, bigmathix, bigmathutils
Infrastructure:
- Fake company: “Veltrix Capital” (LinkedIn, GitHub)
- Token-based C2 communication (Jade Sleet/TraderTraitor TTP)
Detection
Log Sources: Package manager logs, process telemetry, network
Logic:
# Suspicious package install from interview repo
process_name IN ("npm", "pip", "pip3")
AND command_line MATCHES "(graphalgo|bigmath|graphflux|terminal-kleur)"
# MetaMask extension enumeration
process CREATES file_path MATCHES "\\AppData\\.*\\MetaMask"
OR process READS "\\Extensions\\nkbihfbeogaeaoehlefnkodbefgpgknn"
Existing Coverage:
- Cisco NVM - Installation of Typosquatted Python Package (Splunk ESCU)
- Python Path File (pth) Creation (Elastic)
Action
🟡 Alert developers. Block listed packages. Hunt for installations in developer environments.
5. Malicious Outlook Add-In — AgreeToSteal
🟡 High · Credential Theft · Supply Chain · 4,000+ Credentials Stolen
First known malicious Outlook add-in in the wild. Attackers claimed abandoned domain for legitimate “AgreeTo” add-in, served phishing kit that exfiltrated credentials via Telegram Bot API.
Sources: The Hacker News · Koi Security
TTPs
| Technique | Tactic | Observable |
|---|---|---|
| T1199 | Initial Access | Trusted add-in domain hijacked |
| T1056.002 | Collection | Fake Microsoft login page in Outlook iframe |
| T1567.001 | Exfiltration | Telegram Bot API credential exfil |
IOCs
- Outlook add-in: “AgreeTo” (still listed in Microsoft Store)
- Domain: outlook-one.vercel[.]app (hijacked)
- Exfil method: Telegram Bot API
Detection
Log Sources: Outlook telemetry, network proxy, DNS
Logic:
# Outlook add-in loading external iframe
process = "outlook.exe"
AND network_connection TO domain NOT IN (microsoft.com, office.com)
AND referrer CONTAINS "marketplace.microsoft.com"
# Telegram exfil from Outlook context
process = "outlook.exe"
AND network_connection TO "api.telegram.org"
Existing Coverage:
- Microsoft VBA For Outlook Addin Loaded Via Outlook (Sigma) — VBA only, not web add-ins (gap)
Action
🟡 Audit Outlook add-ins. Block “AgreeTo” if present. Monitor for Telegram API calls from Office processes.
Priority Actions
- 🔴 BeyondTrust RS/PRA — Hunt for SimpleHelp RMM, domain admin creation, Impacket activity
- 🔴 Microsoft Patch Tuesday — Deploy Feb 2026 patches; hunt MOTW bypass indicators
- 🔴 Ivanti EPMM — Isolate exposed instances; apply RPM patches; hunt Apache logs
- 🟡 Developer environments — Block malicious npm/PyPI packages; alert on Lazarus indicators
- 🟡 Outlook — Audit add-ins for AgreeToSteal campaign