ICS Patch Tuesday: Vulnerabilities Addressed by Siemens, Schneider, Aveva, Phoenix Contact

Several vulnerabilities have been patched and mitigated across the industrial giants’ products.

The post ICS Patch Tuesday: Vulnerabilities Addressed by Siemens, Schneider, Aveva, Phoenix Contact appeared first on SecurityWeek.

SecurityWeek – Read More

Emerging Ransomware BQTLock & GREENBLOOD Disrupt Businesses in Minutes 

How long would it take your team to realize ransomware is already running? 

The newly identified ransomware families are already causing real business disruption. These threats can disrupt operations fast while also reducing visibility through stealth or cleanup activity, shrinking the time teams have to detect and contain the attack. 

Here’s what you should know about BQTLock and GREENBLOOD, and how your team can detect and contain them before the impact escalates. 

TL;DR  

  • BQTLock is a stealthy ransomware-linked chain. It injects Remcos into explorer.exe, performs UAC bypass via fodhelper.exe, and sets autorun persistence to keep elevated access after reboot, then shifts into credential theft / screen capture, turning the incident into both ransomware + data breach risk. 
  • GREENBLOOD is a Go-based ransomware built for rapid impact: ChaCha8-based encryption can disrupt operations in minutes, followed by self-deletion / cleanup attempts to reduce forensic visibility, plus TOR leak-site pressure to add extortion leverage beyond recovery. 
  • In both cases, the critical window is pre-encryption / early execution: stealth setup (BQTLock) and fast encryption (GREENBLOOD) compress response time and raise cost fast. 
  • Behavior-first triage in ANY.RUN’s Interactive Sandbox lets teams confirm key actions (process injection, UAC bypass, persistence, encryption, self-delete) during execution, extract IOCs immediately, and pivot into Threat Intelligence Lookup (e.g., commandLine:"greenblood") to find related runs/variants and harden detections faster.

BQTLock: A Stealth Attack That Escalates into Data Theft and Business Risk 

BQTLock is a ransomware-linked threat designed to hide in normal system activity, gain elevated privileges, and quietly prepare for deeper impact before defenders can react. 

Instead of triggering obvious alerts immediately, it blends into trusted Windows processes and delays visible damage. This makes early detection difficult and increases the chance of data exposure, operational disruption, and financial loss for affected organizations. 

How the Attack Was Revealed Through Behavioral Analysis  

Using the ANY.RUN interactive sandbox, analysts were able to observe the full behavioral chain in real time. 

BQTLock attack fully exposed inside ANY.RUN sandbox 

The analysis revealed that the malware: 

  • Injects the Remcos payload into explorer.exe to remain hidden inside legitimate system activity 
  • Performs a UAC bypass via fodhelper.exe to obtain elevated privileges 

Once privilege escalation is complete, the threat moves beyond stealth and into active harm, including: 

  • data theft capabilities that increase breach severity 
  • screen capture activity that may expose sensitive corporate information 

Credentials stealing by BQTLock discovered by ANY.RUN

This sequence shows how quickly a seemingly quiet infection can evolve into a full security and compliance incident. 

GREENBLOOD: Fast Encryption, Evidence Removal, and Immediate Business Exposure 

GREENBLOOD is a newly observed Go-based ransomware built for speed, stealth, and pressure. 

Rather than relying only on encryption, it combines rapid file locking, self-deletion to reduce forensic visibility, and data-leak threats through a TOR-based site. 
This transforms a technical incident into a full business crisis involving downtime, regulatory exposure, reputational damage, and recovery cost. 

For organizations, the biggest risk is timing. By the moment encryption becomes visible, sensitive data may already be stolen and operational disruption already underway. 

How the Attack Was Uncovered During Real-Time Detection and Triage 

Inside the ANY.RUN interactive sandbox, ransomware behavior and cleanup activity became visible while execution was still unfolding, allowing early detection during the most critical stage of the attack. 

GREENBLOOD exposed inside ANY.RUN sandbox in around 1 minute

The sandbox analysis exposed: 

  • Fast ChaCha8-based encryption capable of disrupting operations within minutes 
  • Attempts to delete the executable, limiting post-incident forensic visibility 

Because this behavior is captured in real time, SOC teams can move directly from detection to triage and containment before encryption spreads widely. 

Using ANY.RUN Threat Intelligence, teams can search for other sandbox analyses related to GREENBLOOD and track how the threat appears across different environments. A simple query such as commandLine:"greenblood" helps uncover related executions, recurring patterns, and potential variants that may not match the exact same sample.

Use this query link to explore related activity: commandLine:"greenblood"

Sandbox analyses related to GREENBLOOD displayed by TI Lookup for deeper investigation 

This is valuable as ANY.RUN Threat Intelligence is connected to real sandbox activity from 15,000+ organizations and 600,000+ security professionals. In practice, that means you can use community-scale execution evidence to strengthen detections faster, tune response playbooks, and stay ahead as ransomware changes. 

How These Ransomware Attacks Impact Businesses 

BQTLock and GREENBLOOD may use different techniques, but they point to the same operational reality: modern ransomware is designed to create maximum business damage in the shortest possible time. 

Instead of slow, visible attacks, today’s ransomware combines stealth, speed, privilege escalation, and data-leak pressure to overwhelm traditional response workflows before containment begins.

| Business risk | BQTLock | GREENBLOOD |
| --- | --- | --- |
| Data exposure risk | Data theft + screen capture after escalation | Leak-site pressure adds exposure risk (even post-recovery) |
| Downtime risk | Can escalate after stealth phase | Fast encryption (ChaCha8) |
| Harder to spot early | Hides in normal processes + persistence | Cleanup/self-deletion attempts |
| Extortion pressure | Can intensify if stolen data is used | TOR leak-site threats |
| Short response window, higher cost | Stealth setup compresses reaction time | Fast encryption compresses reaction time |

For most companies, the fallout comes in a few predictable ways: 

  • Data theft before encryption: After privilege escalation, BQTLock moves into data theft and screen capture, turning ransomware into a breach and compliance issue. 
  • Disruption in minutes: GREENBLOOD encrypts fast, which can cause rapid downtime and immediate operational impact. 
  • Stealth and cleanup slow response: BQTLock hides in normal processes and persists with elevated rights, while GREENBLOOD attempts self-deletion, reducing visibility and increasing recovery cost. 
  • Extortion pressure beyond recovery: GREENBLOOD includes leak-site threats via a TOR-based platform. That adds a second layer of pressure: even if systems are restored, the business may still face data exposure, compliance issues, and long-term brand damage. 
  • Short response window, higher cost: Between stealth setup and fast encryption, delays quickly translate into bigger financial damage. 

How SOC Teams Can Detect and Contain Modern Ransomware Before It Spreads 

Stealthy privilege escalation, rapid encryption, and leak-site extortion leave security teams with very little time to react. 

To stop ransomware before it reaches full business impact, SOC teams need an operational cycle that moves from early detection → confirmed behavior → broader visibility → proactive defense in minutes, without complicated steps or setup.

With ANY.RUN, this cycle happens inside a single connected workflow, allowing teams to shift from late response to early containment. 

1. Confirm Ransomware Behavior Before Encryption Spreads 

The first and most critical step is safe behavioral detonation. 

Ransomware like BQTLock hides inside trusted processes and escalates privileges quietly. GREENBLOOD encrypts files quickly and attempts to remove traces. 

Running suspicious files or links inside ANY.RUN’s controlled environment exposes: 

  • privilege escalation attempts 
  • persistence mechanisms 
  • encryption activity 
  • data theft or screen capture behavior 

Encryption activity performed by GREENBLOOD revealed inside ANY.RUN sandbox

As this visibility appears during execution, teams can reach a clear verdict in seconds instead of discovering the attack after downtime begins. 

This early proof translates directly into operational gains, with 94% of teams reporting faster triage, Tier-1 to Tier-2 escalations reduced by up to 30%, and MTTR shortened by an average of 21 minutes per case, helping contain ransomware before downtime and financial impact grow. 

2. Expand Investigation Using Real-World Threat Intelligence 

Stopping a single sample is not enough if the campaign continues elsewhere. 

Indicators extracted from sandbox analysis can be used to search across ANY.RUN Threat Intelligence, revealing: 

  • related ransomware executions 
  • reused infrastructure or tooling 
  • emerging variants and evolving tactics 

The payoff is earlier campaign-level detection and clearer evidence for decision-making, which lowers breach exposure, strengthens compliance readiness, and reduces the business impact of repeat attacks. 

3. Strengthen Prevention and Reduce Future Incident Cost 

The final step is turning investigation insight into ongoing protection. 

Fresh indicators and behavioral signals can flow directly into your existing stack through ANY.RUN TI Feeds, keeping detections current without manual copy-paste or constant rule rewrites. This helps teams block repeat attempts faster and react to shifting ransomware infrastructure as it changes. 


TI Feeds delivering fresh IOCs to your existing stack for proactive monitoring

This ongoing flow shifts teams from reactive detection to proactive monitoring, so attacks are discovered earlier and contained with less business impact. 

About ANY.RUN 

ANY.RUN is part of modern SOC workflows, integrating easily into existing processes and strengthening the entire operational cycle across Tier 1, Tier 2, and Tier 3. 

It supports every stage of investigation, from exposing real behavior during safe detonation, to enriching analysis with broader threat context, and delivering continuous intelligence that helps teams move faster and make confident decisions. 

Today, more than 600,000 security professionals and 15,000 organizations rely on ANY.RUN to accelerate triage, reduce unnecessary escalations, and stay ahead of evolving phishing and malware campaigns. 

To stay informed about newly discovered threats and real-world attack analysis, follow ANY.RUN’s team on LinkedIn and X, where weekly updates highlight the latest research, detections, and investigation insights. 

Frequently Asked Questions

What makes BQTLock and GREENBLOOD different from traditional ransomware?

Both strains prioritize early stealth and rapid operational impact rather than delayed, obvious encryption. BQTLock focuses on covert privilege escalation, persistence, and data theft before encryption, while GREENBLOOD delivers fast ChaCha8 encryption, self-deletion, and leak-site extortion, compressing the response window to minutes.

Why is the pre-encryption stage critical for detection? 

Modern ransomware often causes business damage before files are encrypted. Activities like process injection, UAC bypass, credential theft, and data exfiltration signal compromise early. Detecting these behaviors during execution enables containment before downtime, breach disclosure, or financial loss escalate.

How does GREENBLOOD achieve such fast disruption?

GREENBLOOD is Go-based and uses ChaCha8 encryption, allowing it to lock files quickly across the system. It also attempts self-deletion and cleanup, which reduces forensic visibility and increases recovery complexity while applying TOR-based leak pressure on victims.

What indicators should SOC teams monitor for BQTLock activity? 

Key signals include Remcos injection into explorer.exe, UAC bypass via fodhelper.exe, autorun persistence creation, and post-escalation credential theft or screen capture. These behaviors indicate the attack is transitioning from stealth access to active breach risk.
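As an added example (not code from ANY.RUN or the original post), the following Python checks a stream of constructed Sysmon-style events for three of the signals named above: a remote thread created in explorer.exe by a non-system image, a high-integrity child spawned by fodhelper.exe, and a Run-key autorun value. It also scores how far the described chain has progressed, so the verdict rises once elevated access is confirmed rather than waiting for encryption. Field names follow Sysmon conventions; every path, SID and file name in the sample data is invented.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed Sysmon-style events (EventID 1 = process create,
# 8 = CreateRemoteThread, 13 = registry value set). All paths, SIDs and
# file names below are invented for this example, not real IOCs.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\fodhelper.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "High"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\fodhelper.exe", "IntegrityLevel": "High"},
    {"EventID": 13, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": (r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                      r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
     "Details": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    # Benign noise that must not fire.
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
]

# The chain in the order the post describes it; chain_depth counts how many
# stages were seen in this order.
STAGES = ("process_injection", "uac_bypass_fodhelper", "autorun_persistence")


def _basename(path: object) -> str:
    return str(path).replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_system_image(path: object) -> bool:
    # Thread creation into explorer.exe by Windows' own binaries is routine;
    # only sources outside C:\Windows are treated as injection here.
    return str(path).lower().startswith("c:\\windows\\")


def detect(events: Iterable[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (signal, evidence) pairs in the order the events occurred."""
    findings: List[Tuple[str, str]] = []
    for e in events:
        eid = e.get("EventID")
        if (eid == 8 and _basename(e.get("TargetImage")) == "explorer.exe"
                and not _is_system_image(e.get("SourceImage"))):
            findings.append(("process_injection", str(e["SourceImage"])))
        elif (eid == 1 and _basename(e.get("ParentImage")) == "fodhelper.exe"
                and e.get("IntegrityLevel") == "High"):
            # fodhelper.exe auto-elevates; a high-integrity child it spawns is
            # the observable result of the bypass, not normal use of the tool.
            findings.append(("uac_bypass_fodhelper", str(e["Image"])))
        elif eid == 13 and "\\currentversion\\run\\" in str(e.get("TargetObject", "")).lower():
            findings.append(("autorun_persistence", str(e.get("Details", ""))))
    return findings


def triage(events: Iterable[Dict[str, object]]) -> Dict[str, object]:
    """Summarise findings into a verdict plus the file paths to extract as IOCs."""
    findings = detect(events)
    seen = [signal for signal, _ in findings]
    depth, pos = 0, 0
    for stage in STAGES:
        try:
            pos = seen.index(stage, pos) + 1  # must follow the previous stage
        except ValueError:
            break
        depth += 1
    # Injection alone is suspicious; once elevated access is confirmed the
    # incident is already in the pre-encryption window and should be contained.
    verdict = "no_match" if depth == 0 else "suspicious" if depth == 1 else "contain_now"
    return {"findings": findings, "chain_depth": depth, "verdict": verdict,
            "iocs": sorted({evidence for _, evidence in findings})}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```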

How can security teams confirm ransomware behavior faster? 

Running suspicious files or links in a controlled behavioral sandbox allows teams to observe privilege escalation, persistence, encryption, and cleanup actions in real time, extract IOCs immediately, and begin containment and hunting before the attack spreads.

How does threat intelligence help reduce repeat incidents? 

Linking sandbox-derived indicators to broader execution telemetry reveals related samples, reused infrastructure, and evolving variants. Feeding this intelligence into detection controls supports earlier blocking, stronger prevention, and lower long-term incident cost.

The post Emerging Ransomware BQTLock & GREENBLOOD Disrupt Businesses in Minutes  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More

I took apart a 9,000,000mAh power bank from eBay to learn the truth – here’s what’s inside

I often get asked about cheap power banks with hard-to-believe claims. Well, I bought one and tested it. Here’s my buying advice.

Latest news – Read More

Does your old PC need a speed boost? This thumb-sized accessory did the trick for me

The PNY M.2 storage drive gave my device a much-needed performance bump – at a fair price.

Latest news – Read More

Microsoft Patch Tuesday for February 2026 — Snort rules and prominent vulnerabilities

Microsoft has released its monthly security update for February 2026, which includes 59 vulnerabilities affecting a range of products, including two that Microsoft marked as “Critical”. 

CVE-2026-21522 is a critical elevation of privilege vulnerability affecting Microsoft ACI Confidential Containers. Successful exploitation of this vulnerability could enable an authorized attacker to escalate privileges on affected systems. This vulnerability is not listed as publicly disclosed and received a CVSS 3.1 score of 6.7.  

CVE-2026-23655 is a critical information disclosure vulnerability affecting Microsoft ACI Confidential Containers. This vulnerability could enable an authorized attacker to disclose sensitive information including secret tokens and keys if successfully exploited. This vulnerability is not listed as publicly disclosed and received a CVSS 3.1 score of 6.5. 

In this month’s release, Microsoft reported active exploitation of five vulnerabilities rated as “Important”. Additionally, one “Moderate” vulnerability, CVE-2026-21525, was also listed as being actively exploited. CVE-2026-21510, CVE-2026-21513, and CVE-2026-21514 have also been publicly disclosed.

CVE-2026-21510 is a security feature bypass vulnerability affecting Windows Shell. Successful exploitation of this vulnerability could allow an unauthenticated attacker to bypass a security feature on affected systems. This vulnerability could be exploited by convincing a user to open a malicious shortcut or link file, enabling them to bypass Windows SmartScreen and Windows Shell security prompts. 

CVE-2026-21513 is a security feature bypass vulnerability affecting MSHTML Framework. This vulnerability could be exploited by convincing a user to open a specially crafted HTML or LNK file, allowing an attacker to bypass security features and achieve code execution. This vulnerability received a CVSS 3.1 score of 8.8. 

CVE-2026-21514 affects Microsoft Office Word and results from reliance on untrusted input, enabling an unauthorized attacker to bypass security protections locally. Exploitation requires user interaction, typically by persuading a user to open a malicious Office document, and may bypass OLE mitigation mechanisms designed to protect against vulnerable COM/OLE controls. 

CVE-2026-21519 is a type confusion vulnerability in the Desktop Window Manager that allows an authenticated attacker to elevate privileges locally, potentially gaining full SYSTEM-level access. 

CVE-2026-21533 is an elevation of privilege vulnerability affecting Windows Remote Desktop Services. This vulnerability is due to improper privilege management and could enable an attacker to escalate privileges on affected systems. Successful exploitation of this vulnerability could grant an attacker SYSTEM level privileges on the system. 

CVE-2026-21525 is a moderate denial-of-service vulnerability affecting Windows Remote Access Connection Manager. This vulnerability is due to a null pointer dereference that could allow an unauthorized attacker to create a denial-of-service condition on affected systems. This vulnerability has not been publicly disclosed and received a CVSS 3.1 rating of 6.2.

Talos would also like to highlight the following “important” vulnerabilities affecting Microsoft Azure, Notepad, various GitHub Copilot components, and Hyper-V. 

CVE-2026-21228 is an improper certificate validation issue in Azure Local that allows an unauthorized attacker to execute code over the network; successful exploitation may result in a scope change, enabling interaction with other tenants’ applications and data. An attacker could exploit this flaw by intercepting unsecured communication between the configurator application and target systems, tampering with responses to trigger command injection with administrative privileges, and subsequently extracting Azure tokens from application logs to facilitate lateral movement within the cloud environment. 

CVE-2026-20841 addresses an RCE vulnerability in Microsoft Notepad. This issue could allow an attacker to entice a user into clicking a malicious link within a Markdown file opened in Notepad, resulting in the launch of untrusted protocols that download and execute remote content. 

CVE-2026-21244 and CVE-2026-21248 affect Windows Hyper-V and enable unauthorized attackers to achieve arbitrary code execution locally. Exploitation requires local code execution, commonly by convincing a user to open a malicious Office file. 

Several RCE vulnerabilities were also identified in GitHub Copilot, including CVE-2026-21516, CVE-2026-21523, and CVE-2026-21256. CVE-2026-21516 is a locally exploitable arbitrary code execution vulnerability in GitHub Copilot for JetBrains, requiring code execution on the affected system. For CVE-2026-21523, Microsoft has provided limited details beyond indicating a network attack vector. CVE-2026-21256 is a command injection vulnerability caused by improper handling of special characters, enabling unauthorized remote code execution in GitHub Copilot and Visual Studio Code.

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.     

In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

Snort 2 rules included in this release that protect against the exploitation of many of these vulnerabilities are: 65895-65900, 65902, 65903, 65906-65911, 65913, 65914, 65923, 65924. 

The following Snort 3 rules are also available: 301395-301403. 

Cisco Talos Blog – Read More

New threat actor, UAT-9921, leverages VoidLink framework in campaigns

  • Cisco Talos recently discovered a new threat actor, UAT-9921, leveraging VoidLink in campaigns. Their activities may go as far back as 2019, even without VoidLink.
  • The VoidLink compile-on-demand feature lays down the foundations for AI-enabled attack frameworks, which can create tools on-demand for their operators.
  • Cisco Talos found clear indications that implants also exist for Windows, with the capability to load plugins.
  • VoidLink is a near-production-ready proof of concept for an enterprise grade implant management framework, and features auditability and oversight for non-operators.

VoidLink is a new modular framework that targets Linux-based systems. Modular frameworks are prevalent on the landscape today, with Cobalt Strike, Manjusaka, Alchimist, and SuperShell among the many in operation. VoidLink is yet another implant management framework, and it marks a consistent and concerning evolution toward shorter development cycles.

Cisco Talos is tracking the threat actor first seen using the VoidLink framework as UAT-9921. This threat actor seems to have been active since 2019, although they have not necessarily used VoidLink for the whole duration of their activity. UAT-9921 uses compromised hosts to install VoidLink command and control (C2) servers, which are then used to launch scanning activities both internal and external to the network.

Who is UAT-9921?

Cisco Talos assesses that this threat actor has knowledge of Chinese language based on the language of the framework, code comments and code planning done using the AI enabled IDE. We also assess with medium confidence that they have been active since at least 2019, not necessarily using VoidLink.

VoidLink development appears to be a more recent addition, built with the aid of a large language model (LLM) based integrated development environment (IDE). However, in their compromise and post-compromise operations, UAT-9921 does not seem to be using AI-enabled tools.

Cisco Talos was able to determine that the operators deploying VoidLink have access to the source code of some modules and some tools to interact with the implants without the C2. This indicates inner knowledge of the communication protocols of the implants.

While the development of VoidLink seems to be split into teams, it is unclear what level of compartmentalization exists between the development and the operation. We do know that UAT-9921 operators have access to VoidLink source code of kernel modules, as well as tools that enable interaction with the implant without the C2.

Talos assesses with high confidence that UAT-9921 compromises servers using pre-obtained credentials or by exploiting Java serialization vulnerabilities that allow remote code execution, namely in the Apache Dubbo project. We also found indications of possible initial compromise via malicious documents, but no samples were obtained.

In their post-compromise activities, UAT-9921 deploys the VoidLink implant. This allows the threat actor to hide their presence and the VoidLink C2, once deployed.

To find new targets and perform lateral movement, UAT-9921 deploys a SOCKS server on their compromised servers, which is used by FSCAN to perform internal reconnaissance.

With regard to victimology, UAT-9921 appears to focus on the technology sector, but we have also seen victims from financial services. However, the cloud-aware nature of VoidLink and scanning of entire Class C networks indicates that there is no specific targeting.

Given VoidLink’s auditability and oversight features, it is worth noting that even though UAT-9921 activity involves usage of exploits and pre-obtained credentials, Talos cannot discount the possibility that this activity is part of red team exercises.

Timeline

Figure 1. Timeline of activities involving UAT-9921 and VoidLink.

Talos is aware of multiple VoidLink-related victims dating back to September, with the activity continuing through to January 2026. This finding does not necessarily contradict the Check Point Research mentions of late November, since the documents they presented show development dates for version 2.0, while Cisco Talos assesses that the activity we observed still involved version 1.0.

The future of attack frameworks

Talos has been tracking fast deployment frameworks since 2022, with reports on Manjusaka and Alchimist/Insekt. These two projects were tightly linked in their development philosophy, features, and architectural design. There were obvious inspirations from Cobalt Strike and Sliver; however, one fundamental difference was the single-file infrastructure and the lack of an integrated initial infection vector.

The VoidLink framework represents a giant leap in this predictable evolution, while keeping the same, single file infrastructure philosophy. This is a clear example of a “defense contractor grade” implant management framework, which represents one natural next step of other single file infrastructure frameworks like Manjusaka and Alchimist. 

The development of VoidLink was fast, supported by AI-enabled integrated development environments. It uses three different programming languages: ZigLang for the implant, C for the plugins and GoLang for the backend. It supports compilation on demand for plugins, providing support for the different Linux distributions that might be targeted. The reported development timeline of around two months would be hard to achieve by a small team of developers without the help of an AI-enabled IDE.

While Talos will discuss the framework in more detail below, it is important to reflect on what is to come in the framework landscape. With the current level of AI agents, it will not be surprising to find implants that ask their C2 for a “tool” that allows them to access certain resources.

The C2 will provide that implant with a plugin to read a specific database the operator has found or an exploit for a known vulnerability, which just happens to be on an internal web server. The C2 doesn’t necessarily need to have all these tools available — it may have an agent that will do its research and prepare the tool for the operator to use. With the current VoidLink compile-on-demand capability, integrating such feature should not be complex. Keep in mind that all of this will happen while the operator continues to explore the environment.

Of course, this may just be an intermediate step, assuming that there is a human operator managing the environment exploration. However, it likely will not be long before we begin to uncover malicious agents doing the initial stages of exploration and lateral movement before human intervention.

This has the effect of reducing compromise attack metrics — namely, the time to lateral movement and the time to focused data exfiltration. It also allows the generation of never-before-seen tools and constant change in the attacker’s behavior, making detection more difficult.

VoidLink Overview

VoidLink contains features that make it “defense contractor grade,” such as the auditability of all actions and the existence of a role-based access control (RBAC). The RBAC consists of three different levels of roles: “SuperAdmin,” “Operator,” and “Viewer.” This feature is not often seen in other similar frameworks, but it is crucial when operations need to have legal and corporate oversight.

The mesh peer-to-peer (P2P) and dead-letter queue routing capabilities allow some implants to communicate with others, creating hidden networks within the same environment and allowing the bypass of network access restrictions, as one implant may serve as an external gateway for other implants.

The development timeline reported by CP<R> indicates that this is a near-production-ready proof of concept. Most frameworks support Windows and MacOS from their early stages of development; VoidLink only appears to have implants developed for Linux, although the implant code is written in such a way that it can easily be adapted to other languages. The main implant is written in ZigLang, a rather uncommon language; however, the plugins are written in C. When needed, these are loaded via an ELF linker and loader.

Talos has found clear indications that the main implant has been compiled for Windows and that it can load plugins via dynamic-link library (DLL) sideloading. Unfortunately, we were unable to obtain a sample to confirm these indications.

The Linux implants have advanced features, such as an eBPF or Loadable Kernel Module (LKM) based rootkit, container privilege escalation, and sandbox escape. These are often related to the server side, but there are a multitude of plugins in the implant targeting Linux as a desktop rather than a server, something not often seen in malware since the Linux desktop base is not as prevalent as Windows or MacOS.

Most of the modular frameworks Talos observes support a wide variety of platforms typically inclusive of Linux, Windows, and MacOS — but VoidLink is different. The VoidLink framework specifically targets Linux devices without any current support for Windows or MacOS. Linux is a particularly large landscape, with the Internet of Things (IoT) and critical infrastructure heavily relying on the Linux OS.

As with most frameworks, VoidLink can generate implants consisting of a variety of plugins. The plugins themselves are standard, with the ability to interact and extract information from end systems, as well as capabilities allowing for lateral movement and anti-forensics. VoidLink is also cloud-aware and can determine if it is running in a Kubernetes or Docker environment, then gather additional information to make use of the vendor’s respective APIs. It has stealth mechanisms in place, including the ability to detect endpoint detection and response (EDR) solutions and create an evasion strategy based on the findings. There are also a variety of obfuscation and anti-analysis capabilities built into the framework designed to either obfuscate the data being exfiltrated or hinder the analysis and removal of the malware itself.

VoidLink is positioned to become an even more powerful framework based on its capabilities and flexibility, as demonstrated through this apparent proof of concept.

Coverage

The following Snort Rules (SIDs) detect and block this threat:

  • Snort2: 1:65915-1:65922, 1:65834-1:65842
  • Snort3: 1:65915-1:65922, 1:65834-1:65838, 1:310388-1:310389

The following ClamAV signature detects and blocks this threat:

  • Unix.Trojan.VoidLink-10059283

More details on how Cisco detects threats like VoidLink are available here.

Cisco Talos Blog – Read More

You can fix most Windows 11 issues by double checking these 4 settings first

If you’re having trouble with Windows 11, look to this short list of the four best things you can do to enhance your PC’s performance.

Latest news – Read More

Samsung confirms Galaxy S26 preorder deal for $900 off ahead of February Unpacked

Samsung’s newest hardware will be unveiled on February 25, and you can already score a discount with this preorder reservation.

Latest news – Read More

Patch Tuesday, February 2026 Edition

Microsoft today released updates to fix more than 50 security holes in its Windows operating systems and other software, including patches for a whopping six “zero-day” vulnerabilities that attackers are already exploiting in the wild.

Zero-day #1 this month is CVE-2026-21510, a security feature bypass vulnerability in Windows Shell wherein a single click on a malicious link can quietly bypass Windows protections and run attacker-controlled content without warning or consent dialogs. CVE-2026-21510 affects all currently supported versions of Windows.

The zero-day flaw CVE-2026-21513 is a security bypass bug targeting MSHTML, the proprietary engine of the default Web browser in Windows. CVE-2026-21514 is a related security feature bypass in Microsoft Word.

The zero-day CVE-2026-21533 allows local attackers to elevate their user privileges to “SYSTEM” level access in Windows Remote Desktop Services. CVE-2026-21519 is a zero-day elevation of privilege flaw in the Desktop Window Manager (DWM), a key component of Windows that organizes windows on a user’s screen. Microsoft fixed a different zero-day in DWM just last month.

The sixth zero-day is CVE-2026-21525, a potentially disruptive denial-of-service vulnerability in the Windows Remote Access Connection Manager, the service responsible for maintaining VPN connections to corporate networks.

Chris Goettl at Ivanti reminds us Microsoft has issued several out-of-band security updates since January’s Patch Tuesday. On January 17, Microsoft pushed a fix that resolved a credential prompt failure when attempting remote desktop or remote application connections. On January 26, Microsoft patched a zero-day security feature bypass vulnerability (CVE-2026-21509) in Microsoft Office.

Kev Breen at Immersive notes that this month’s Patch Tuesday includes several fixes for remote code execution vulnerabilities affecting GitHub Copilot and multiple integrated development environments (IDEs), including VS Code, Visual Studio, and JetBrains products. The relevant CVEs are CVE-2026-21516, CVE-2026-21523, and CVE-2026-21256.

Breen said the AI vulnerabilities Microsoft patched this month stem from a command injection flaw that can be triggered through prompt injection, or tricking the AI agent into doing something it shouldn’t — like executing malicious code or commands.

“Developers are high-value targets for threat actors, as they often have access to sensitive data such as API keys and secrets that function as keys to critical infrastructure, including privileged AWS or Azure API keys,” Breen said. “When organizations enable developers and automation pipelines to use LLMs and agentic AI, a malicious prompt can have significant impact. This does not mean organizations should stop using AI. It does mean developers should understand the risks, teams should clearly identify which systems and workflows have access to AI agents, and least-privilege principles should be applied to limit the blast radius if developer secrets are compromised.”

The SANS Internet Storm Center has a clickable breakdown of each individual fix this month from Microsoft, indexed by severity and CVSS score. Enterprise Windows admins involved in testing patches before rolling them out should keep an eye on askwoody.com, which often has the skinny on wonky updates. Please don’t neglect to back up your data if it has been a while since you’ve done that, and feel free to sound off in the comments if you experience problems installing any of these fixes.

Krebs on Security – Read More

You can now tell Google Search to remove your personal IDs and explicit images – but there’s a catch

Google will remove your passport, driver’s license, or Social Security number if you ask. But you have to add those details to your request first. Is that safe?

Latest news – Read More