InfoSec Briefing - February 14, 2026

🎧 Audio Briefing

Playback Speed:

Good morning. This is your security briefing for Friday, February 13, 2026, covering 4 articles analyzed overnight. All attribution is by the article authors. All article analysis is automated.

Elastic Security Labs reports that Chinese-speaking cybercrime group REF4033 has compromised over 1,800 Windows web servers globally using a malicious IIS module called BADIIS. The campaign conducts SEO poisoning by injecting keywords and redirecting users to illicit websites including gambling, pornography, and cryptocurrency scams, affecting governments, corporations, and educational institutions worldwide.

JPCERT Coordination Center reports that multiple threat actors rapidly exploited CVE-2025-55182, known as React2Shell, a critical unauthenticated remote code execution vulnerability in React Server Components disclosed on December 3, 2025. Within days of disclosure, attackers deployed coin miners, RATs, and backdoors, with over 100 IP addresses conducting suspicious network activity and some compromised servers being attacked by multiple threat actors simultaneously.

Project Zero reports that a security researcher discovered 9 bypasses for Windows' Administrator Protection feature by exploiting the UI Access flag mechanism. The vulnerabilities allowed limited users to launch High integrity UI Access processes that could compromise other High integrity processes, including those running as shadow administrator. While all reported vulnerabilities have been fixed, the underlying bypass principles remain relevant.

x64dbg announced the release of a comprehensive cookbook integrating x64dbg Automate MCP server and x64dbg-skills to enhance reverse engineering and bug hunting capabilities. The toolkit provides five core functionalities including decompilation, state analysis, in-memory deobfuscation, cryptographic fingerprinting, and API documentation to streamline vulnerability discovery and malware analysis for security researchers.

That concludes today's briefing.

📰 Articles Covered

BADIIS to the Bone: New Insights to a Global SEO Poisoning Campaign - Elastic Security Labs

A global SEO poisoning campaign, attributed to a Chinese-speaking cybercrime group named **REF4033**, has compromised over **1,800 Windows web servers** worldwide. This campaign utilizes a malicious **Internet Information Services (IIS) module called BADIIS** to manipulate search engine results and redirect users to illicit websites 【1】.

**What Happened:**
The campaign operates in two main phases. Initially, it poisons search engine results by injecting keywords into HTML content. Subsequently, it redirects unsuspecting users to malicious websites, including those promoting online gambling, pornography, and cryptocurrency scams 【1】.

**Who is Affected:**
The compromised servers belong to a diverse range of organizations, including **governments, corporate entities, and educational institutions** across numerous countries. The attackers exploit these servers to manipulate search engine rankings and facilitate financial fraud 【1】.

**Security Implications:**
The primary security implication is the **manipulation of search engine results**, leading users to fraudulent or harmful content. This can result in financial losses for individuals and reputational damage for compromised organizations. The widespread compromise of servers also indicates a significant vulnerability in web server security 【1】.

**Technical Details:**
The attack involves a malicious IIS module (BADIIS), a loader executable (`CbsMsgApi.exe`), and a service DLL (`CbsMsgApi.dll`). These components work together to stage and configure the BADIIS modules. The malware employs encryption algorithms like **SM4 or AES-128** to decrypt configuration URLs. These URLs then lead to text files containing instructions for filtering requests, redirection targets, and SEO backlinks. The BADIIS modules inject malicious content or replace web pages based on criteria such as User-Agent or Referer headers, often targeting search engine crawlers or mobile users 【1】.

**What Defenders Should Know:**
Defenders need to be aware of the campaign's **sophisticated infrastructure**, which includes the use of legitimate-looking domains for configuration and content delivery. The attack follows a multi-stage workflow. Key indicators for detection include suspicious IIS worker descendants, potential privilege escalation, direct syscalls from unsigned modules, and the creation of suspicious Windows service DLLs. **Elastic Security** has provided YARA rules (Windows.Trojan.BadIIS, Windows.Trojan.Generic) to aid in detecting this activity 【1】.
Multiple Threat Actors Rapidly Exploit React2Shell: A Case Study of Active Compromise - JPCERT/CC Eyes - JPCERT Coordination Center (JPCERT/CC)

A critical vulnerability in React Server Components (RSC), identified as **CVE-2025-55182**, was disclosed on December 3, 2025. This vulnerability allows for **unauthenticated remote code execution** 【1】.

**What Happened:**
Following the disclosure, multiple threat actors rapidly began exploiting the React2Shell vulnerability. Within two days, attacks focused on installing coin miners were observed. Subsequently, various types of malware, including Remote Access Trojans (RATs) and backdoors, were deployed by different attackers, leading to situations where a single server was compromised by multiple threat actors simultaneously 【1】. Some compromised websites were defaced with messages in four languages warning about the vulnerability and urging immediate patching 【1】. Suspicious network activity targeting the vulnerability was detected from over 100 IP addresses in the days following the disclosure, suggesting a broad range of attackers were involved 【1】.

**Who is Affected:**
Organizations using React Server Components (RSC) are potentially affected by this vulnerability. The rapid and widespread exploitation indicates that a significant number of websites and servers globally could have been targeted 【1】.

**Security Implications:**
The primary security implication is the ease with which unauthenticated attackers can gain remote code execution on affected systems. This can lead to:
- **Website defacement:** As seen in the reported incidents 【1】.
- **Installation of various malware:** Including coin miners, backdoors, and RATs, which can be used for further malicious activities or as part of a larger attack infrastructure 【1】.
- **System compromise:** Allowing attackers to maintain persistent access and potentially exfiltrate sensitive data or disrupt services.
- **Simultaneous compromise by multiple actors:** Increasing the complexity of incident response and remediation 【1】.

**Technical Details:**
The vulnerability, CVE-2025-55182, resides in React Server Components (RSC) 【1】. Attackers exploit this by sending suspicious HTTP POST communications 【1】. The compromised systems were found to have various malware and open-source tools installed, including:
- **Coin miners:** Such as xmrig 【1】.
- **Backdoors:** Like HISONIC 【1】.
- **Downloaders:** Such as SNOWLIGHT 【1】.
- **RATs:** Including CrossC2 RAT 【1】.
- **Open-source tools abused as backdoors:** Notably, the Global Socket (gsocket) tool was used to enable remote operation via bash over port 53, using `npm-cli.dat` as a secret file 【1】.

**What Defenders Should Know:**
- **Speed of Exploitation:** Attackers act extremely quickly when critical vulnerabilities are disclosed. Within days, multiple threat actors can weaponize and exploit such vulnerabilities 【1】.
- **Prompt Action is Crucial:** It is essential to **immediately assess the impact** of disclosed critical vulnerabilities, **apply patches**, and implement other countermeasures 【1】.
- **Verify Compromise:** Beyond patching, it is critical to **verify if a compromise has already occurred**. Look for signs beyond visible defacement, as more serious compromises may be hidden 【1】.
- **Thorough Investigation:** Investigate all affected components to understand the full scope of any compromise 【1】.
- **Monitor for Suspicious Activity:** Be vigilant for unusual network communications, especially HTTP POST requests targeting known vulnerable components, and monitor for the presence of coin miners, backdoors, or RATs 【1】.
Bypassing Administrator Protection by Abusing UI Access - Project Zero

A security researcher discovered and reported **9 bypasses for Windows' Administrator Protection feature** before its official release. These bypasses primarily exploited the **UI Access flag**, a mechanism designed to allow accessibility tools to function correctly with elevated processes. While all reported vulnerabilities have since been fixed, the underlying principles for bypassing the protection remain relevant.

**What Happened:**
The core issue lies in the implementation of UI Access, a feature that allows certain processes to bypass User Interface Privacy Isolation (UIPI) restrictions, which normally prevent lower-integrity processes from interacting with higher-integrity windows 【1】. Historically, UIPI was introduced to prevent "Shatter Attacks" where a low-privilege process could control a high-privilege window 【1】. To accommodate accessibility tools, the UI Access flag was added to a process's access token, granting it special permissions 【1】. However, the way UI Access was implemented, particularly when initiated by a limited user, allowed these processes to run at a High integrity level 【1】. This, combined with Administrator Protection's design, meant that a limited user could launch a High integrity UI Access process, which could then compromise other High integrity processes, including those running as the "shadow administrator" 【1】.

**Who is Affected:**
The vulnerabilities affected **Windows users who utilize Administrator Protection**. This feature is intended to enhance security by creating a more robust boundary for User Account Control (UAC) 【1】. The bypasses allowed attackers to circumvent these protections, potentially leading to privilege escalation and unauthorized access.

**Security Implications:**
The security implications are significant:
* **Privilege Escalation:** Attackers could gain administrator privileges from a limited user account 【1】.
* **Bypassing Security Boundaries:** The UI Access mechanism, intended for accessibility, was exploited to break the security separation between different integrity levels 【1】.
* **Silent Compromise:** Many bypass methods allowed for silent elevation without user prompts 【1】.
* **Code Execution:** The ultimate goal of these bypasses was to achieve arbitrary code execution within a High integrity process 【1】.

**Technical Details:**
The bypasses exploited several technical aspects:
* **UI Access Flag:** This flag, when set, allows a process to bypass UIPI restrictions 【1】.
* **High Integrity Level:** UI Access processes launched by limited users were set to a High integrity level, enabling them to interact with other High integrity processes 【1】.
* **`RAiLaunchAdminProcess` RPC Call:** This method was used to launch UI Access processes, and it had vulnerabilities such as unsanitized process creation flags (e.g., `DEBUG_PROCESS`) and a Time-of-Check to Time-of-Use (TOCTOU) vulnerability in path handling 【1】.
* **Secure Application Directory Check Bypass:** Attackers found ways to bypass checks that ensured UI Access executables were stored in secure, administrator-only locations. This included exploiting NTFS named streams, writable directories, MSIX installations, and hijacked executables 【1】.
* **Access Token Manipulation:** Techniques like access token stealing and lowering a token's integrity level without disabling the UI Access flag were also used 【1】.
* **Scheduled Tasks:** A particularly effective method involved using administrator-privileged scheduled tasks (like `SilentCleanup`) to launch a process that could be hooked to load a malicious DLL 【1】.

**What Defenders Should Know:**
* **UI Access is a Potential Attack Vector:** The UI Access feature, while necessary for accessibility, has historically been a source of vulnerabilities. Any process with UI Access enabled, especially if running at a High integrity level, should be treated with suspicion 【1】.
* **Code Execution is Key:** The ability to gain code execution within a High integrity process, with or without UI Access, is the primary means of bypassing Administrator Protection 【1】.
* **Vigilance on Process Creation:** Defenders should monitor processes launched via mechanisms like `RAiLaunchAdminProcess` and be aware of potential bypasses related to file paths, creation flags, and secure directory checks 【1】.
* **Scheduled Tasks as a Target:** Scheduled tasks configured to run with elevated privileges can be exploited to bypass protections 【1】.
* **Ongoing Patching:** Microsoft has fixed all reported issues, but the underlying complexity of UAC and UI Access means that new vulnerabilities may emerge. Keeping systems updated with the latest security patches is crucial 【1】.
* **Improved Separation in Newer Versions:** Newer versions of Windows have improved UI Access processes by having them run with a filtered copy of the shadow administrator token, rather than the limited user's token, enhancing profile separation 【1】.
Cooking with x64dbg and MCP - x64dbg

The article "Cooking with x64dbg and MCP" introduces a cookbook designed to enhance reverse engineering and bug hunting using **x64dbg Automate MCP server** and **x64dbg-skills** 【1】. It aims to guide users on leveraging the MCP server, creating repeatable skills, and encouraging community contributions 【1】.

**What Happened:**
The article details the release and practical application of a cookbook that integrates x64dbg with its Automate MCP server and x64dbg-skills. This combination allows for more advanced and automated reverse engineering tasks. The cookbook presents five "recipes" or core functionalities:
1. **Decompile Skill:** For basic discovery and method analysis using decompilation, powered by angr but bridgeable to IDA Pro or Ghidra 【1】.
2. **State Snapshot & State Diff Skills:** To understand obfuscated code by comparing the program's state (memory, registers) before and after executing a specific region 【1】.
3. **Tracealyze Skill:** For in-memory deobfuscation and annotation guided by trace logs, simplifying string references and external calls 【1】.
4. **Yara Sigs Skill:** To fingerprint cryptographic primitives, tooling, or packers by discovering byte signatures 【1】.
5. **Context7:** An MCP server that provides up-to-date, version-specific documentation for x64dbg Automate's API and native commands, preventing LLM hallucinations and improving accuracy 【1】.

**Who is Affected:**
The tools and techniques described are relevant to **reverse engineers, security researchers, and bug hunters** who utilize x64dbg for analyzing software. Anyone involved in understanding binary code, identifying vulnerabilities, or performing malware analysis could benefit from these advancements.

**Security Implications:**
The enhanced capabilities provided by x64dbg Automate MCP and x64dbg-skills can significantly **accelerate the process of discovering vulnerabilities and understanding malicious software**. This means that both defenders and attackers can potentially use these tools to analyze code more efficiently. For defenders, it can lead to faster identification and patching of security flaws. For attackers, it could streamline the process of finding exploitable weaknesses or understanding malware. The ability to deobfuscate code and fingerprint malicious components more effectively has broad implications for cybersecurity operations.

**Technical Details:**
The core of the system involves the **x64dbg Automate MCP server**, which acts as an interface between x64dbg and AI models. This server enables the execution of various "skills" that automate complex reverse engineering tasks.
- The **Decompile skill** leverages angr for analysis, with potential integration for IDA Pro or Ghidra.
- **State Snapshot and State Diff** allow for granular analysis of code execution by capturing and comparing memory and register states.
- **Tracealyze** uses execution traces to deobfuscate code in memory, including string references and API calls.
- **Yara Sigs** integrates with yara-sigs to find byte patterns within executables.
- **Context7** enhances LLM accuracy by providing real-time API documentation, mitigating issues like hallucinated function signatures or outdated information.
Prerequisites include x64dbg with x64dbg Automate and MCP installed, along with x64dbg-skills. Context7 is an optional but recommended tool 【1】.

**What Defenders Should Know:**
Defenders should be aware that these tools can **streamline the analysis of both legitimate software for vulnerabilities and malicious software**. The ability to automate complex tasks like decompilation, state diffing, and trace-guided deobfuscation means that security analysis can be performed more rapidly. Understanding how to effectively prompt and utilize these skills, especially with the aid of Context7 for accurate API usage, is crucial for maximizing their benefit in identifying and mitigating security threats. The cookbook serves as a guide to harness these capabilities for more efficient and effective security research 【1】.