End-of-Day report
Timeframe: Wednesday 25-02-2026 18:00 - Thursday 26-02-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
News
Fake Next.js job interview tests backdoor developers' devices
The Microsoft Defender team has discovered a coordinated campaign targeting software developers through malicious repositories posing as legitimate Next.js projects and technical assessment materials, including recruiting coding tests.
https://www.bleepingcomputer.com/news/security/fake-nextjs-job-interview-tests-backdoor-developers-devices/
Ransomware payment rate drops to record low as attacks surge
The number of ransomware victims paying threat actors has dropped to 28% last year, an all-time low, despite a significant increase in the number of claimed attacks.
https://www.bleepingcomputer.com/news/security/ransomware-payment-rate-drops-to-record-low-despite-attack-surge/
Data breach with OpenClaw: AI agent leaks internal data of a cybersecurity firm
Once again, a data breach has occurred in connection with an AI agent. The operator apparently granted too many access rights.
https://www.golem.de/news/datenpanne-mit-openclaw-ki-agent-leakt-interne-daten-einer-cybersecurityfirma-2602-205873.html
Finding Signal in the Noise: Lessons Learned Running a Honeypot with AI Assistance [Guest Diary], (Tue, Feb 24th)
Over the past several months, I have gained practical insight into the challenges of deploying and operating a honeypot, even within a relatively simple environment. This work highlighted how varying hardware, software, and network design can significantly alter outcomes. Through this process, I observed both the value and the limitations of log collection.
https://isc.sans.edu/diary/rss/32744
Malicious StripeApi NuGet Package Mimicked Official Library and Stole API Tokens
Cybersecurity researchers have disclosed details of a new malicious package discovered on the NuGet Gallery, impersonating a library from financial services firm Stripe in an attempt to target the financial sector. The package, codenamed StripeApi.Net, attempts to masquerade as Stripe.net, a legitimate library from Stripe that has over 75 million downloads.
https://thehackernews.com/2026/02/malicious-stripeapi-nuget-package.html
UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor
A previously undocumented threat activity cluster has been attributed to an ongoing malicious campaign targeting education and healthcare sectors in the U.S. since at least December 2025. The campaign is being tracked by Cisco Talos under the moniker UAT-10027. The end goal of the attacks is to deliver a never-before-seen backdoor codenamed Dohdoor.
https://thehackernews.com/2026/02/uat-10027-targets-us-education-and.html
APT37 Adds New Capabilities for Air-Gapped Networks
In December 2025, Zscaler ThreatLabz discovered a campaign linked to APT37 (also known as ScarCruft, Ruby Sleet, and Velvet Chollima), which is a DPRK-backed threat group. In this campaign, tracked as Ruby Jumper by ThreatLabz, APT37 uses Windows shortcut (LNK) files to initiate an attack that utilizes a set of newly discovered tools. These tools, RESTLEAF, SNAKEDROPPER, THUMBSBD, and VIRUSTASK, download a payload that delivers FOOTWINE and BLUELIGHT, which enable surveillance on a victim's system.
https://www.zscaler.com/blogs/security-research/apt37-adds-new-capabilities-air-gapped-networks
Microsoft Authenticator disables functionality when jailbreak/root access is detected
Microsoft announces that the Authenticator app is to detect jailbreaks and root access. Entra credentials are then to be deleted from the app.
https://www.heise.de/news/Microsoft-Authenticator-bekommt-Jailbreak-und-Root-Erkennung-11190598.html
Apache ActiveMQ Exploit Leads to LockBit Ransomware
This intrusion began in mid-February 2024 after a threat actor exploited a vulnerability (CVE-2023-46604) on an exposed Apache ActiveMQ server. The threat actor was able to perform remote code execution (RCE) by using a Java Spring class and a custom Java Spring bean configuration XML file.
https://thedfirreport.com/2026/02/23/apache-activemq-exploit-leads-to-lockbit-ransomware/
Identifying EWS apps and their usage before the EWS shutdown
Microsoft is in the process of retiring Exchange Web Services (EWS). This process begins in October 2026 and ends with a complete shutdown of EWS in 2027.
https://borncity.com/blog/2026/02/26/ews-apps-und-deren-nutzung-vor-der-ews-abschaltung-identifizieren/
Buy A Help Desk, Bundle A Remote Access Solution? (SolarWinds Web Help Desk Pre-Auth RCE Chain(s))
It's been a while, but we're back - in time for story time. Gather round, strap in, and prepare for another depressing journey of "all we wanted to do was reproduce an N-day, and here we are with 0-days".
https://labs.watchtowr.com/buy-a-help-desk-bundle-a-remote-access-solution-solarwinds-web-help-desk-pre-auth-rce-chain-s/
Vulnerabilities
Critical security vulnerabilities in Cisco Catalyst SD-WAN - actively exploited - updates available
26 February 2026. Description: Several critical security vulnerabilities exist in Cisco Catalyst SD-WAN. The most severe vulnerability (CVE-2026-20127) allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges on an affected system. Further vulnerabilities affect the Cisco Catalyst SD-WAN Manager and enable, among other things, authentication bypass, privilege escalation,
https://www.cert.at/de/warnungen/2026/2/kritische-sicherheitslucken-in-cisco-catalyst-sd-wan-aktiv-ausgenutzt-updates-verfugbar
Critical Juniper Networks PTX flaw allows full router takeover
A critical vulnerability in the Junos OS Evolved network operating system running on PTX Series routers from Juniper Networks could allow an unauthenticated attacker to execute code remotely with root privileges.
https://www.bleepingcomputer.com/news/security/critical-juniper-networks-ptx-flaw-allows-full-router-takeover/
Automation tool n8n: attackers can inject malicious code
Eleven security vulnerabilities exist in the automation tool n8n. Three of them are rated as critical risk. Admins should update promptly.
https://www.heise.de/news/Automatisierungs-Tool-n8n-Updates-stopfen-Codeschmuggel-Lecks-11190464.html
LWN Security updates for Thursday
https://lwn.net/Articles/1060391/