“sparkrat observed in exploitation of beyondtrust critical vulnerability (cve-2026-1731) a critical pre-authentication remote code execution vulnerability, cve-2026-1731 (cvss v4 9.9), has been identified in beyondtrust remote support’s thin-scc-wrapper websoc…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1195.001 Compromise Software Dependencies and Development Tools
99%
“"a vulnerability discovered by adnan khan, which exploits a misconfigured github workflow where an ai agent (claude) with excessive permissions could be tricked via prompt injection in a github issue title to execute arbitrary code. this attack leveraged github actions cache p…”
T1195.001 Compromise Software Dependencies and Development Tools
99%
“weekly threat bulletin – february 25th, 2026 cline cli 2.3.0 supply chain attack installed openclaw on developer systems on february 17, 2026, the open-source, ai-powered coding assistant cline cli experienced a supply chain attack where version 2.3.0 was published to the…”
T1190 Exploit Public-Facing Application
86%
“details and iocs mitigation advice - immediately apply the vendor-supplied patches for all vulnerable beyondtrust remote support and privileged remote access instances to remediate cve-2026-1731. - add the attacker ip addresses listed in the article's indicators of compro…”
T1611 Escape to Host
81%
“a user already within a kata container to achieve arbitrary code execution as root inside the guest micro vm. the vulnerability stems from a breakdown in isolation, enabling direct manipulation of the underlying guest micro vm's filesystem from within the container environment.…”
T1525 Implant Internal Image
81%
“or 'clawdbot'. - if an unauthorized openclaw runtime is discovered on a device, use microsoft defender for endpoint to isolate the device from the network while investigation occurs. compliance best practices - develop and enforce a security policy that requires any evaluation …”
T1190 Exploit Public-Facing Application
80%
“vulnerability was disclosed. - run the provided xql detection queries in your siem or xdr to hunt for signs of post-exploitation activity on windows and linux systems related to this threat. compliance best practices - develop and implement a network segmentation strategy to is…”
T1190 Exploit Public-Facing Application
54%
“-poisoning-vulnerability/ https://cyberpress.org/moltbot-operators-leak-control-panels-via-exposed-mdns-traffic/ https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys https://gbhackers.com/15200-…”
T1083 File and Directory Discovery
50%
“or filenames containing 'openclaw', 'moltbot', or 'clawdbot' on endpoints. - using microsoft defender xdr, run a hunt query against `cloudprocessevents` to search for process command lines or filenames containing 'openclaw', 'moltbot', or 'clawdbot' in cloud workloa…”
T1588.002 Tool
49%
“repositories. - for any approved agent host, configure host-based or network firewalls to enforce strict egress filtering, allowing outbound connections only to a pre-approved list of destinations. - develop a specific incident response playbook for compromised ai agents, det…”
T1587 Develop Capabilities
37%
“"a vulnerability discovered by adnan khan, which exploits a misconfigured github workflow where an ai agent (claude) with excessive permissions could be tricked via prompt injection in a github issue title to execute arbitrary code. this attack leveraged github actions cache p…”
T1190 Exploit Public-Facing Application
37%
“lts 2.541.1 and earlier, stems from improper sanitization of user-provided descriptions for offline nodes, allowing attackers with agent/configure or agent/disconnect permissions to inject malicious scripts that execute in the browsers of users viewing the node's status…”