CISA KEV Feb 2026: Zero-Day & Ransomware Surge

The Threat at a Glance

Threat Type: Actively Exploited Zero-Days + Remote Access RCE + Fast Ransomware + AI-Augmented Evasion
Severity: Critical – Multiple CISA KEV additions (Feb 10–17), mass exploitation of BeyondTrust CVE-2026-1731, 72-min ransomware exfil timelines
Active Campaigns: Ransomware (Ransoomed, Warlock, Qilin), nation-state OT mapping (KAMACITE), AI evasion/memory poisoning
High-Risk Exposure: Remote access (BeyondTrust, Ivanti), email servers (SmarterMail), Microsoft zero-days, RDP/SMB
Exploitation Status: Actively exploited in the wild (CISA KEV updates Feb 10–17); mass scanning post-PoC for BeyondTrust
Mitigation Availability: Patches available for Microsoft Feb 2026, BeyondTrust, Ivanti; federal deadlines March 3 (Microsoft) – some already missed

Key Takeaways

• CISA added multiple high-impact KEV entries Feb 10–17 (Microsoft 6 zero-days, BeyondTrust CVE-2026-1731)
• Ransomware timelines compressing (72 min exfil); data-theft extortion now dominant
• Remote access tools (BeyondTrust, Ivanti, SmarterMail) under heavy mass exploitation
• Behavioral detection critical — Sysmon, UEBA, IOC hunting for fast chains
• Patch KEV entries immediately; prioritize remote access monitoring

1. Threat Landscape Summary

Current Active Exploits

Exploitation volume remains elevated across recently disclosed zero-days and internet-facing remote access platforms.

Primary drivers:

  • Microsoft February 2026 Patch Tuesday (6 actively exploited zero-days)
  • BeyondTrust CVE-2026-1731 (pre-auth RCE; mass scanning and exploitation within 24 hours of PoC release)
  • Ivanti EPMM zero-days (CVE-2026-1281, CVE-2026-1340) linked to persistent campaigns from bulletproof hosting infrastructure

Campaign velocity indicates operational readiness among both ransomware affiliates and nation-state actors.

Emerging Campaigns

  • Rapid ransomware deployment (Ransoomed, Warlock/VoidCrypt) exploiting unpatched SmarterMail instances and exposed RMM tools (Net Monitor, SimpleHelp)
  • AI-augmented reconnaissance and evasion techniques, including adaptive payload execution and memory poisoning for persistence
  • Geopolitically aligned operations:
    • Chinese-nexus KAMACITE mapping OT control loops
    • Iranian APT42 credential harvesting operations
    • North Korean sanctions-evasion infrastructure development

Geographic Distribution

Activity remains global with concentration in:

  • North America (healthcare and government)
  • Europe (energy and critical infrastructure)
  • Asia-Pacific (telecom and education)
  • South Korea (high-profile enterprise breaches)

Ransomware victim disclosures are concentrated in the US, UK, Canada, South Korea, and Japan, with rising activity across Latin America and Southeast Asia.

Sector Targeting Trends

Highest pressure sectors:

  • Healthcare (e.g., Covenant Health via Qilin)
  • Government and critical infrastructure (ransomware disruption + OT mapping)
  • Education, manufacturing, financial services (data exfiltration-driven extortion)

Consistent attack surface: exposed remote access and email servers (BeyondTrust, Ivanti, SmarterMail).

2. Exploitation Metrics

KEV Additions (Last 7 Days)

February 17 additions: 4 new KEV entries, including legacy Windows Video ActiveX RCE (CVE-2008-0015) and Zimbra SSRF (CVE-2020-7796).

Prior week (Feb 10–13):

  • 6 Microsoft zero-days (Shell, MSHTML bypasses)
  • BeyondTrust CVE-2026-1731 (pre-auth RCE)
  • Microsoft Configuration Manager SQL injection

Trend: KEV expansion heavily weighted toward remote management, email infrastructure, and Microsoft ecosystem flaws.

Ransomware-Linked Activity

  • 91 publicly disclosed attacks (Jan–mid-Feb 2026)
  • Healthcare leads in volume
  • Increasing use of remote access vulnerabilities for initial access
  • Data-theft extortion dominant over encryption-only attacks
  • Reported exfiltration timelines as low as 72 minutes post-initial access

Speed and automation continue to increase.

Top Targeted Services / Ports

Common exposure:

  • 443 (HTTPS) — remote management, email, web services
  • 445 (SMB) — lateral movement
  • 3389 (RDP) — persistent footholds

Frequent exploitation targets:

  • BeyondTrust RS/PRA
  • Ivanti EPMM
  • SmarterMail
  • Exchange/Office environments

Non-standard RMM ports increasingly observed.

Notable Vendor Exposure

  • Microsoft — 6 zero-days in February release
  • BeyondTrust — pre-auth RCE under active mass exploitation
  • Ivanti — zero-days probed from concentrated bulletproof IP ranges
  • SmarterTools (SmarterMail) — ransomware entry vector

Remote access tooling remains the most operationally abused category.

3. Intelligence Signals

Indicators of Compromise

BeyondTrust:

  • Crafted WebSocket traffic to /nw endpoint
  • Unusual command execution patterns

Microsoft zero-days:

  • Abnormal .LNK behavior
  • MSHTML/Shell child process spawning
  • OLE bypass activity in Word documents

Ransomware:

  • Ransom note deployment (README.txt, HTML variants)
  • Mass file renames (.ransoomed)
  • Shadow copy deletion (vssadmin, wmic)

General:

  • Suspicious outbound to Mega.nz or Tor
  • Elevated SMB traffic following compromise
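The ransomware indicators above (shadow copy deletion, mass renames to .ransoomed, ransom note drops, outbound to Mega.nz) map directly onto Sysmon telemetry. The following is an added example, not code from the brief or from any vendor: it runs those four checks over constructed Sysmon-style events (EventID 1 process create, 3 network connect, 11 file create). The field names follow Sysmon's schema; the thresholds, window length, ransom-note file names and the sample host and paths are assumptions to tune per estate.

```python
"""Ransomware IOC detection over Sysmon-style events (added example).

Events are constructed dicts using Sysmon field names (EventID 1 process
create, 3 network connect, 11 file create). Thresholds, the ransom-note
file names and the window length are assumptions to tune per estate.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Brief: shadow copy deletion via vssadmin / wmic ahead of encryption.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete",
    re.IGNORECASE)
RANSOM_EXTENSIONS = {".ransoomed"}                  # brief: mass renames
RANSOM_NOTE_NAMES = {"readme.txt", "readme.html"}    # brief: README.txt / HTML variants
EXFIL_DOMAINS = ("mega.nz", "mega.co.nz")            # brief: outbound to Mega.nz
WINDOW = timedelta(seconds=60)
MASS_FILE_THRESHOLD = 20    # files with a ransom extension per host per window
NOTE_DIR_THRESHOLD = 3      # directories receiving a note from one process


def _ts(ev):
    return datetime.fromisoformat(ev["UtcTime"])


def detect(events):
    """Return (rule, host, detail) findings in time order; each burst fires once."""
    findings = []
    ext_hits = defaultdict(deque)   # (host, ext) -> timestamps inside the window
    note_dirs = defaultdict(set)    # (host, image) -> directories that got a note
    fired = set()
    for ev in sorted(events, key=_ts):
        host, eid, ts = ev["Computer"], ev["EventID"], _ts(ev)
        if eid == 1 and SHADOW_DELETE.search(ev.get("CommandLine", "")):
            findings.append(("shadow_copy_deletion", host, ev["CommandLine"]))
        elif eid == 3:
            dest = ev.get("DestinationHostname", "").lower()
            if any(dest == d or dest.endswith("." + d) for d in EXFIL_DOMAINS):
                findings.append(("suspicious_outbound", host, dest))
        elif eid == 11:
            directory, _, name = ev["TargetFilename"].rpartition("\\")
            name = name.lower()
            ext = name[name.rfind("."):] if "." in name else ""
            if ext in RANSOM_EXTENSIONS:
                key = (host, ext)
                hits = ext_hits[key]
                hits.append(ts)
                while ts - hits[0] > WINDOW:          # slide the window forward
                    hits.popleft()
                if len(hits) >= MASS_FILE_THRESHOLD and key not in fired:
                    fired.add(key)
                    findings.append(("mass_file_rename", host,
                                     f"{len(hits)} '{ext}' files within {WINDOW.seconds}s"))
            if name in RANSOM_NOTE_NAMES:
                key = (host, ev.get("Image", ""))
                note_dirs[key].add(directory)
                if len(note_dirs[key]) >= NOTE_DIR_THRESHOLD and ("note", key) not in fired:
                    fired.add(("note", key))
                    findings.append(("ransom_note_drop", host,
                                     f"{name} in {len(note_dirs[key])} directories by {key[1]}"))
    return findings


def sample_events():
    """Constructed telemetry for one host: shadow delete, exfil connect, burst, notes."""
    base = datetime(2026, 2, 17, 3, 12, 0)
    host = "ws-fin-07"
    evs = [
        {"Computer": host, "EventID": 1, "UtcTime": base.isoformat(),
         "Image": "C:\\Windows\\System32\\cmd.exe",
         "CommandLine": "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
        {"Computer": host, "EventID": 3, "UtcTime": (base + timedelta(seconds=5)).isoformat(),
         "DestinationHostname": "g.api.mega.co.nz"},
        # Benign noise on another host: a normal text file save.
        {"Computer": "ws-eng-02", "EventID": 11, "UtcTime": (base + timedelta(seconds=12)).isoformat(),
         "Image": "C:\\Program Files\\Editor\\editor.exe",
         "TargetFilename": "C:\\Users\\alice\\notes.txt"},
    ]
    for i in range(25):   # 25 renamed files in 25 seconds
        evs.append({"Computer": host, "EventID": 11,
                    "UtcTime": (base + timedelta(seconds=10 + i)).isoformat(),
                    "Image": "C:\\Users\\Public\\enc.exe",
                    "TargetFilename": f"C:\\Share\\Finance\\Q1\\report_{i}.xlsx.ransoomed"})
    for d in ("C:\\Share\\Finance", "C:\\Share\\HR", "C:\\Users\\Public\\Desktop"):
        evs.append({"Computer": host, "EventID": 11,
                    "UtcTime": (base + timedelta(seconds=40)).isoformat(),
                    "Image": "C:\\Users\\Public\\enc.exe",
                    "TargetFilename": d + "\\README.txt"})
    return evs


if __name__ == "__main__":
    for rule, host, detail in detect(sample_events()):
        print(f"{rule:<22} {host:<10} {detail}")
```

The mass-rename rule keys on the extension rather than on a process name, so it still fires for a new family that borrows the same .ransoomed behaviour under a different binary; extend RANSOM_EXTENSIONS from current samples and raise MASS_FILE_THRESHOLD on hosts with legitimate bulk file churn.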

Exploit Kit & Scanner Activity

Increased scanning of BeyondTrust and Ivanti over 443 and non-standard ports. Concentrated probing from bulletproof hosting (e.g., PROSPERO OOO AS200593). Public PoCs (GitHub, Rapid7) accelerating automated exploitation.

Zero-Day Indicators

  • Microsoft February batch (6 zero-days; 3 public pre-patch)
  • Chrome CVE-2026-2441 (CSS use-after-free; exploited in wild)
  • Emerging AI agent memory manipulation techniques flagged by Microsoft Defender telemetry

Zero-day exploitation windows continue to compress.

4. Forward Outlook

Predicted Escalation Areas

  • Continued exploitation of remote access and email infrastructure
  • AI-augmented ransomware evasion and accelerated exfiltration
  • OT/industrial control system reconnaissance (KAMACITE-linked activity)
  • Sustained healthcare and government targeting

Patch Compliance Pressure Points

  • Microsoft February zero-days (federal remediation deadline: March 3)
  • BeyondTrust CVE-2026-1731 (federal due date February 16 — already elapsed)
  • Legacy internet-facing RMM and email deployments

Delayed patching materially increases exposure.
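The deadlines above are easiest to act on as a sorted work queue. The script below is an added example, not code from the brief or from CISA: it triages records in the layout of the public CISA KEV JSON feed (a "vulnerabilities" array with cveID, vendorProject, product, dateAdded, dueDate and knownRansomwareCampaignUse fields) against a host inventory and ranks them overdue first. The sample records and the inventory are constructed; only the February 16 due date of CVE-2026-1731 and the February 17 additions of CVE-2020-7796 and CVE-2008-0015 come from the brief, the other dates, product names and the as-of date are placeholders, and the `triage` function is this example's own.

```python
"""Triage CISA KEV entries against a host inventory (added example).

Records mimic the public CISA KEV JSON feed layout ("vulnerabilities"
array with cveID, vendorProject, product, dateAdded, dueDate,
knownRansomwareCampaignUse). Sample values are constructed unless noted.
"""
from datetime import date

SAMPLE_KEV = {
    "vulnerabilities": [
        {"cveID": "CVE-2026-1731", "vendorProject": "BeyondTrust",
         "product": "Remote Support",                 # constructed product name
         "dateAdded": "2026-02-11",                   # constructed
         "dueDate": "2026-02-16",                     # from the brief
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-1281", "vendorProject": "Ivanti",
         "product": "Endpoint Manager Mobile",
         "dateAdded": "2026-02-03",                   # constructed
         "dueDate": "2026-02-24",                     # constructed
         "knownRansomwareCampaignUse": "Known"},      # constructed
        {"cveID": "CVE-2020-7796", "vendorProject": "Zimbra",
         "product": "Collaboration Suite",
         "dateAdded": "2026-02-17",                   # from the brief
         "dueDate": "2026-03-10",                     # constructed placeholder
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2008-0015", "vendorProject": "Microsoft",
         "product": "Windows Video ActiveX Control",  # constructed product name
         "dateAdded": "2026-02-17",                   # from the brief
         "dueDate": "2026-03-10",                     # constructed placeholder
         "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed inventory: normalized (vendor, product) -> hosts running it.
INVENTORY = {
    ("beyondtrust", "remote support"): ["bt-rs-01"],
    ("ivanti", "endpoint manager mobile"): ["epmm-edge-01", "epmm-edge-02"],
}

STATUS_ORDER = {"overdue": 0, "due_soon": 1, "scheduled": 2, "not_in_inventory": 3}


def triage(kev, inventory, as_of, soon_days=7):
    """One row per KEV entry, sorted overdue -> due soon -> scheduled.

    Within a status, ransomware-linked entries sort first, then by the
    nearest due date. Entries whose product is not in the inventory are
    kept (an inventory blind spot is itself a finding) but sort last.
    """
    rows = []
    for v in kev["vulnerabilities"]:
        key = (v["vendorProject"].lower(), v["product"].lower())
        hosts = inventory.get(key, [])
        days_left = (date.fromisoformat(v["dueDate"]) - as_of).days
        if not hosts:
            status = "not_in_inventory"
        elif days_left < 0:
            status = "overdue"
        elif days_left <= soon_days:
            status = "due_soon"
        else:
            status = "scheduled"
        rows.append({
            "cve": v["cveID"],
            "status": status,
            "due": v["dueDate"],
            "days_left": days_left,
            "hosts": hosts,
            "ransomware_use": v.get("knownRansomwareCampaignUse") == "Known",
        })
    rows.sort(key=lambda r: (STATUS_ORDER[r["status"]],
                             not r["ransomware_use"], r["days_left"]))
    return rows


def triage_sample(as_of_iso="2026-02-18"):
    """Run the constructed sample; the default as-of date is the day after Feb 17."""
    return triage(SAMPLE_KEV, INVENTORY, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for row in triage_sample():
        print(f"{row['status']:<17} {row['cve']:<15} due {row['due']} "
              f"({row['days_left']:+d} d) hosts={row['hosts']}")
```

Matching on the feed's vendorProject and product strings is exact and case-folded here; against a real inventory those names need a mapping table, since the feed's product wording rarely matches what an asset database records.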

High-Risk Sectors

  • Healthcare
  • Government & critical infrastructure
  • Education
  • Financial services

Recommended Monitoring Priorities

High Priority:

  • Sysmon Event IDs 1, 3, 10, 11, 13
  • LSASS access anomalies
  • Suspicious WebSocket connections to remote access endpoints

Medium Priority:

  • Security Event IDs 4624/4625, 4688, 5145
  • Share enumeration and anomalous logon patterns

Behavioral Detection:

  • Shadow copy deletion
  • Mass file rename activity
  • Abnormal outbound 443
  • File I/O spikes inconsistent with baseline

Proactive:

  • Hunt for recent KEV-linked IOCs
  • Monitor new PoC releases
  • Track scanner telemetry against remote access services
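The high- and medium-priority event IDs above are most useful when correlated rather than alerted on individually. The following is an added example, not code from the brief: it implements three of those correlations over constructed events, a non-allowlisted process opening LSASS (Sysmon EventID 10), a burst of 4625 failures from one source followed by a 4624 success, and one account walking many shares (5145). Field names follow the Windows Security and Sysmon schemas; the LSASS allowlist, thresholds, window and sample hosts and addresses are assumptions to tune per environment.

```python
"""Detections for the brief's monitoring priorities (added example).

Constructed events use Windows Security field names (4624/4625:
TargetUserName, IpAddress; 5145: SubjectUserName, IpAddress, ShareName)
and Sysmon EventID 10 (SourceImage, TargetImage). The LSASS allowlist,
thresholds and window are assumptions to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
FAIL_THRESHOLD = 10       # 4625s from one source before a 4624 is suspect
SHARE_THRESHOLD = 5       # distinct shares touched by one account+source
# Assumed allowlist of images expected to open LSASS; extend with your EDR/AV.
LSASS_ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}


def _ts(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def _recent(entries, now):
    """Keep only (timestamp, value) pairs inside the sliding window."""
    return [(t, v) for t, v in entries if now - t <= WINDOW]


def analyze(events):
    """Return (rule, host, detail) alerts in time order."""
    alerts = []
    failures = defaultdict(list)   # IpAddress -> [(ts, TargetUserName)]
    shares = defaultdict(list)     # (user, ip) -> [(ts, ShareName)]
    fired = set()
    for ev in sorted(events, key=_ts):
        eid, ts, host = ev["EventID"], _ts(ev), ev["Computer"]
        if ev["Channel"] == "Sysmon" and eid == 10:
            # Any process outside the allowlist opening a handle to LSASS.
            if (ev["TargetImage"].lower().endswith("\\lsass.exe")
                    and ev["SourceImage"].lower() not in LSASS_ALLOWED_SOURCES):
                alerts.append(("lsass_access", host,
                               f"{ev['SourceImage']} access={ev.get('GrantedAccess', '?')}"))
        elif ev["Channel"] != "Security":
            continue
        elif eid == 4625:
            ip = ev["IpAddress"]
            failures[ip] = _recent(failures[ip], ts) + [(ts, ev["TargetUserName"])]
        elif eid == 4624:
            ip = ev["IpAddress"]
            recent = _recent(failures[ip], ts)
            if len(recent) >= FAIL_THRESHOLD:
                users = {u for _, u in recent}
                alerts.append(("success_after_failures", host,
                               f"{ip}: {len(recent)} failures across {len(users)} accounts, "
                               f"then logon as {ev['TargetUserName']}"))
                failures[ip] = []       # reset so one spray fires once
        elif eid == 5145:
            key = (ev["SubjectUserName"].lower(), ev["IpAddress"])
            shares[key] = _recent(shares[key], ts) + [(ts, ev["ShareName"])]
            distinct = {s for _, s in shares[key]}
            if len(distinct) >= SHARE_THRESHOLD and key not in fired:
                fired.add(key)
                alerts.append(("share_enumeration", host,
                               f"{key[0]} from {key[1]} touched {sorted(distinct)}"))
    return alerts


def sample_events():
    """Constructed telemetry: LSASS read on dc-01, spray then success and share walk on fs-01."""
    base = datetime(2026, 2, 17, 2, 0, 0)
    evs = [
        {"Channel": "Sysmon", "EventID": 10, "TimeCreated": base.isoformat(), "Computer": "dc-01",
         "SourceImage": r"C:\Users\Public\tool.exe",
         "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
        {"Channel": "Sysmon", "EventID": 10, "TimeCreated": base.isoformat(), "Computer": "dc-01",
         "SourceImage": r"C:\Windows\System32\csrss.exe",    # allowlisted: no alert
         "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1fffff"},
        {"Channel": "Security", "EventID": 4624, "Computer": "fs-01",   # ordinary logon
         "TimeCreated": (base + timedelta(seconds=30)).isoformat(),
         "TargetUserName": "alice", "IpAddress": "10.0.0.8"},
    ]
    for i in range(12):   # spray: one failure per account from one source
        evs.append({"Channel": "Security", "EventID": 4625, "Computer": "fs-01",
                    "TimeCreated": (base + timedelta(seconds=60 + 5 * i)).isoformat(),
                    "TargetUserName": f"svc{i:02d}", "IpAddress": "203.0.113.5"})
    evs.append({"Channel": "Security", "EventID": 4624, "Computer": "fs-01",
                "TimeCreated": (base + timedelta(minutes=3)).isoformat(),
                "TargetUserName": "svc07", "IpAddress": "203.0.113.5"})
    for j, share in enumerate([r"\\*\ADMIN$", r"\\*\C$", r"\\*\IPC$",
                               r"\\*\Finance", r"\\*\HR", r"\\*\Backups"]):
        evs.append({"Channel": "Security", "EventID": 5145, "Computer": "fs-01",
                    "TimeCreated": (base + timedelta(minutes=4, seconds=j)).isoformat(),
                    "SubjectUserName": "svc07", "IpAddress": "203.0.113.5", "ShareName": share})
    return evs


if __name__ == "__main__":
    for rule, host, detail in analyze(sample_events()):
        print(f"{rule:<24} {host:<6} {detail}")
```

All three rules key on the source address or source image rather than on the account, which is what makes the 4625-then-4624 pattern visible when each account sees only a single failure; the same keying is why 5145 needs a distinct-share count rather than a raw volume threshold, since a single busy file server legitimately generates thousands of 5145 events for one share.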

Closing Assessment

The February threat environment reflects compressed exploitation timelines, rapid ransomware automation, and sustained abuse of remote access platforms.

Organizations should prioritize:

  1. Immediate patching of KEV entries
  2. Monitoring of remote access infrastructure
  3. Behavioral detection tuned for fast exfiltration chains

Intelligence over headlines. Signal over noise.

© 2026 ByteVanguard. Built for security professionals.