Cisco disclosed a maximum-severity (CVSS 10.0) authentication bypass in its Catalyst SD-WAN Controller and Manager products, tracked as CVE-2026-20127, and confirmed that it has been actively exploited in the wild since at least 2023. Over that three-year blind spot the threat actor tracked as UAT-8616 compromised controllers, inserted rogue peers into targeted networks, and chained the bypass with a previously known privilege escalation flaw (CVE-2022-20775) to obtain root, all without being detected. CISA issued Emergency Directive 26-03 on February 25, requiring all Federal Civilian Executive Branch agencies to inventory affected systems, collect forensic artifacts, ensure logs are stored externally, apply the updates, and report potential compromises; the hard patch deadline is today, February 27, at 5:00 PM ET. A joint hunt-and-hardening guide from CISA and the UK's NCSC warns that SD-WAN management interfaces must never be exposed to the internet and urges every organization running an affected version to upgrade to a fixed release immediately, since no workarounds exist. Administrators should also audit authentication logs for unexpected SSH public-key logins from unknown source addresses, which Cisco has flagged as the primary indicator of compromise; given the years of undetected access, run that audit over the externally stored copy of the logs rather than trusting what remains on the controller itself.
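To make that last check concrete, here is an added example written for this page (it is not from Cisco, CISA or the NCSC guide). It audits sshd-style auth log lines for accepted public-key logins whose source is outside the management networks or whose key fingerprint is not on a known-good baseline. It assumes the controller's auth log uses the standard OpenSSH "Accepted publickey for ... from ... ssh2: ..." message; the hostname, addresses, fingerprints and trusted range are constructed for the demonstration.

```python
"""Audit sshd-style auth log lines for public-key logins from outside the
expected management networks or with key fingerprints not on the baseline.
The log lines, hostname, networks and fingerprints below are constructed for
this example; the format assumed is the standard OpenSSH
'Accepted publickey for <user> from <ip> port <n> ssh2: <type> <fingerprint>'."""
import ipaddress
import re

ACCEPT_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+ "
    r"ssh2: (?P<keytype>\S+) (?P<fp>SHA256:\S+)"
)

# Constructed sample: two logins from a management host, one from an address
# outside the management range, and a failed password attempt that is ignored.
SAMPLE_LOG = """\
Feb 20 03:14:07 sdwan-mgr sshd[2214]: Accepted publickey for admin from 10.10.5.21 port 50210 ssh2: RSA SHA256:Kq2mLx9fHh3YQ8wvt6iFZ2g0xHk9dQ4Wm1aBcDeFgHi
Feb 20 03:15:02 sdwan-mgr sshd[2231]: Accepted publickey for admin from 198.51.100.42 port 41122 ssh2: ED25519 SHA256:Zz8xYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM
Feb 20 03:16:40 sdwan-mgr sshd[2250]: Failed password for invalid user test from 198.51.100.42 port 41130 ssh2
Feb 20 03:17:11 sdwan-mgr sshd[2262]: Accepted publickey for admin from 10.10.5.21 port 50244 ssh2: ED25519 SHA256:Zz8xYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM
"""

TRUSTED_NETS = ["10.10.5.0/24"]  # assumed management range (constructed)
KNOWN_FPS = {"SHA256:Kq2mLx9fHh3YQ8wvt6iFZ2g0xHk9dQ4Wm1aBcDeFgHi"}  # baseline keys (constructed)


def audit_publickey_logins(lines, trusted_nets=TRUSTED_NETS, known_fps=KNOWN_FPS):
    """Return one finding per accepted public-key login that fails a check.

    A login is reported when its source is outside every trusted network, when
    its key fingerprint is not on the baseline, or both. Password logins and
    failures are outside this check's scope and are skipped."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for line in lines:
        m = ACCEPT_RE.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m["ip"])
        reasons = []
        if not any(ip in net for net in nets):
            reasons.append("source outside management networks")
        if m["fp"] not in known_fps:
            reasons.append("key fingerprint not on baseline")
        if reasons:
            findings.append({"user": m["user"], "ip": str(ip), "keytype": m["keytype"],
                             "fp": m["fp"], "reasons": reasons, "line": line.strip()})
    return findings


if __name__ == "__main__":
    for f in audit_publickey_logins(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']:>15} {f['user']:<8} {f['fp']} {'; '.join(f['reasons'])}")
```

In practice the input is the off-box log copy the directive asks for, and the baseline fingerprints come from a known-good `authorized_keys` file via `ssh-keygen -lf`. The second sample login above is the pattern Cisco describes: an accepted key nobody issued, from an address that was never a management host.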
Zscaler ThreatLabz published its full analysis today of Ruby Jumper, a campaign first discovered in December 2025 and attributed with high confidence to APT37 (also known as ScarCruft, Ruby Sleet, and Velvet Chollima), the DPRK-backed espionage group, which introduces five previously undocumented malware families into the group’s arsenal. The infection chain begins with a malicious LNK file that triggers PowerShell to carve embedded payloads from fixed offsets within the shortcut itself, ultimately deploying RESTLEAF — a new implant that marks the first known APT37 abuse of Zoho WorkDrive for command-and-control, using hardcoded OAuth tokens to authenticate and pull shellcode from an attacker-controlled WorkDrive folder. The most operationally significant element is the pairing of THUMBSBD (a backdoor that uses removable media to relay commands and exfiltrate data) with VIRUSTASK (which propagates infections to newly attached USB drives by replacing files with malicious LNK shortcuts), together forming a deliberate air-gap bridge capability that allows the group to task and collect from physically isolated systems — a technique specifically designed to defeat environments where defenders treat network segmentation as their primary control.
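The carving step is worth seeing in code. The following added example was written for this page and is not code from Zscaler or from the campaign: it walks the MS-SHLLINK structure of a .lnk file (header, ID list, link info, the string fields, the ExtraData blocks) to find where the declared structure ends, and reports anything appended after that point, which is where a dropper that reads payloads from fixed offsets inside the shortcut keeps them. The sample shortcut, its Name and Arguments strings and the payload bytes are constructed inside the script.

```python
"""Locate data hidden beyond the declared structure of a Windows shortcut.
A dropper that reads its payloads from fixed offsets inside the .lnk must
store them where the shell ignores them; the overlay after the terminal
ExtraData block is the usual place. Layout per MS-SHLLINK. The sample
shortcut, its strings and the payload are constructed here, not taken from
any real campaign artefact."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x1, 0x2, 0x80
# StringData entries in on-disk order, keyed by the LinkFlags bit enabling each
STRING_FIELDS = [(0x4, "name"), (0x8, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]


def parse_lnk(data: bytes) -> dict:
    """Walk ShellLinkHeader, LinkTargetIDList, LinkInfo, StringData and
    ExtraData; return the strings, the offset where the structure ends and
    whatever bytes follow it (the overlay)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:                      # IDListSize (2) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {}
    width = 2 if flags & IS_UNICODE else 1       # CountCharacters is in characters
    for bit, key in STRING_FIELDS:
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + n * width]
            out[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + n * width
    while True:                                  # ExtraData: BlockSize-prefixed blocks
        if pos + 4 > len(data):
            raise ValueError("truncated ExtraData")
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 4:                             # TerminalBlock ends the list
            pos += 4
            break
        pos += size
    out["structure_end"] = pos
    out["overlay"] = data[pos:]
    return out


def lnk_findings(data: bytes) -> list:
    """Coarse triage: bytes past the structure end, or arguments that hide the
    window or pass an encoded command, are what the described trick looks like."""
    info = parse_lnk(data)
    findings = []
    if info["overlay"]:
        findings.append(f"{len(info['overlay'])} bytes beyond structure end at 0x{info['structure_end']:x}")
    args = info.get("arguments", "").lower()
    if any(t in args for t in ("-w hidden", "-windowstyle hidden", "-enc")):
        findings.append(f"suspicious arguments: {info['arguments']}")
    return findings


def build_sample_lnk(payload: bytes) -> bytes:
    """Constructed minimal shortcut: header with Name and Arguments set, both
    strings in UTF-16LE, a TerminalBlock, then the payload appended."""
    flags = 0x4 | 0x20 | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (0x4C - len(header))

    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = s("Invoice.pdf") + s(r"-w hidden -c Get-Content $env:TEMP\Invoice.pdf.lnk")
    return header + body + struct.pack("<I", 0) + payload


if __name__ == "__main__":
    sample = build_sample_lnk(b"MZ" + b"\x90" * 0x200)
    for line in lnk_findings(sample):
        print(line)
```

The structure-end offset is the useful number: once it is known, the "fixed offsets" a dropper reads from can be expressed relative to it, and a large overlay on a shortcut that should be a few hundred bytes is a strong signal on its own, independent of what the PowerShell arguments say.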
Europol’s Project Compass Reports 30 Arrests Against “The Com” After Year-Long 28-Country Operation
Europol announced the first operational results from Project Compass, a year-long coordinated effort involving 28 countries — including all Five Eyes nations plus Norway and Switzerland — targeting The Com, a sprawling, decentralized network of mostly teenagers and young adults responsible for high-profile ransomware attacks, financial extortion, and the online coercion and exploitation of minors. Since the initiative launched in January 2025, law enforcement has made 30 arrests, fully or partially identified 179 perpetrators, and safeguarded four victims while identifying up to 62 more — with The Com’s criminal fingerprints on past attacks against Marks & Spencer, Co-op, Harrods, and a series of Las Vegas casino breaches, as well as its spinoff groups including ShinyHunters and Scattered LAPSUS$ Hunters. Europol noted the group is exceptionally difficult to disrupt due to its decentralized structure and its deliberate use of social media, gaming platforms, and music streaming services to recruit and radicalize new members, with Europol’s European Counter Terrorism Centre head Anna Sjöberg stressing that the operation’s early-intervention approach is as much about safeguarding at-risk youth as it is about prosecution.
Qrator Labs shared research with The Hacker News detailing Aeternum C2, a newly discovered botnet loader that takes a significant step toward takedown-resistant infrastructure by storing its encrypted command-and-control instructions in smart contracts on the public Polygon blockchain, the same network that powers Polymarket, instead of relying on traditional C2 servers or domain generation algorithms. A confirmed transaction cannot be altered or removed by anyone, the operators included, and the instructions a contract holds can be updated only by the wallet that controls it; since Polygon is also a widely used, legitimate platform for decentralized applications, law enforcement and infrastructure providers have no straightforward way to disrupt the channel or force the operators offline. The operator panel is a Next.js web application that deploys several smart contracts at once, each serving a different payload function (clipper, stealer, RAT or cryptominer), and the malware adds anti-analysis features to extend the life of its infections. Taken together this is a meaningful evolution in botnet architecture that defenders and incident responders will need to account for. The design does leave two seams: the ledger is public, so once a contract or the controlling wallet is identified its state and transaction history can be read by anyone, and infected hosts must still reach a Polygon RPC endpoint to fetch their instructions, which makes that outbound traffic the place to look.
Trojanized Gaming Tools Spread Java-Based RAT via Browsers and Chat Platforms
Microsoft Threat Intelligence has disclosed an active campaign in which threat actors are distributing trojanized versions of popular gaming utilities — including files named Xeno.exe and RobloxPlayerBeta.exe — through browsers and chat platforms to deploy a multi-purpose remote access trojan. The infection chain is notably stealthy: a malicious downloader stages a portable Java runtime (so no pre-installed Java is needed on the victim’s machine) and executes a malicious JAR file named jd-gui.jar, using PowerShell and living-off-the-land binaries like cmstp.exe for execution before deleting itself and adding Defender exclusions for the RAT components to suppress antivirus detection. Persistence is achieved via a scheduled task and a VBScript startup file named world.vbs, and the final payload — which combines loader, runner, downloader, and RAT capabilities in a single package — connects to a C2 server at 79.110.49[.]15 to receive commands and exfiltrate data, making any system running it fully compromised and suitable for follow-on attacks including ransomware deployment.
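As an added example for this page (these rules are an illustration, not Microsoft's detection logic), the block below evaluates a small rule set over process-creation events for the four behaviours the chain relies on: a Java runtime launched with -jar from a user-writable path, cmstp.exe driving an .inf outside C:\Windows, PowerShell adding Defender exclusions, and a .vbs started from the Startup folder. The events are constructed, with fields modelled on a Sysmon process-creation record; the file names from the disclosure (Xeno.exe, jd-gui.jar, world.vbs) are used for the malicious rows, and two benign look-alikes show that the rules do not fire on normal use.

```python
"""Rules over process-creation events for the behaviours in the chain above:
a Java runtime launched from a user-writable path with -jar, cmstp.exe driving
an .inf outside C:\\Windows, PowerShell adding Defender exclusions, and a .vbs
started from the Startup folder. Events are constructed for this example
(fields modelled on a Sysmon Event ID 1 record: pid, image, cmdline, parent);
the rules are this page's illustration, not Microsoft's detection logic."""
import re

USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
MP_EXCLUSION = re.compile(r"(?:Add|Set)-MpPreference\b.*-Exclusion(?:Path|Process|Extension)", re.I)


def _image_is(event, *names):
    """True when the event's image path ends in one of the given file names."""
    return event["image"].lower().endswith(tuple("\\" + n for n in names))


RULES = [
    ("java_jar_from_user_writable_path", lambda e:
        _image_is(e, "java.exe", "javaw.exe")
        and USER_WRITABLE.search(e["image"]) is not None
        and "-jar" in e["cmdline"].lower()),
    ("cmstp_inf_outside_windows", lambda e:
        _image_is(e, "cmstp.exe")
        and re.search(r"\.inf\b", e["cmdline"], re.I) is not None
        and re.search(r"\\windows\\", e["cmdline"], re.I) is None),
    ("defender_exclusion_added", lambda e:
        MP_EXCLUSION.search(e["cmdline"]) is not None),
    ("script_from_startup_folder", lambda e:
        _image_is(e, "wscript.exe", "cscript.exe")
        and STARTUP_DIR.search(e["cmdline"]) is not None),
]


def evaluate(events):
    """Return (pid, rule_name) for every event/rule pair that fires, in event order."""
    return [(e["pid"], name) for e in events for name, pred in RULES if pred(e)]


# Constructed events: the four malicious steps plus two benign look-alikes.
SAMPLE_EVENTS = [
    {"pid": 4012, "parent": r"C:\Users\alice\Downloads\Xeno.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -c Add-MpPreference -ExclusionPath C:\Users\alice\AppData\Roaming\jre"},
    {"pid": 4020, "parent": r"C:\Users\alice\Downloads\Xeno.exe",
     "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /ni /s C:\Users\alice\AppData\Local\Temp\launch.inf"},
    {"pid": 4031, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\alice\AppData\Roaming\jre\bin\javaw.exe",
     "cmdline": r"javaw.exe -jar C:\Users\alice\AppData\Roaming\jd-gui.jar"},
    {"pid": 4040, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\world.vbs"'},
    {"pid": 5000, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Java\jre\bin\java.exe",
     "cmdline": r"java.exe -jar C:\Program Files\Vendor\tool.jar"},
    {"pid": 5001, "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /s C:\Windows\INF\netrass.inf"},
]

if __name__ == "__main__":
    for pid, rule in evaluate(SAMPLE_EVENTS):
        print(pid, rule)
```

Each rule on its own is noisy in some environments (developer machines run Java from profile directories); their value is in firing together within minutes on one host. For hosts already suspected, the same indicators can be checked directly: current Defender exclusions via `Get-MpPreference`, scheduled tasks and the per-user Startup folder contents, and any Java runtime living under a user profile.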