InfoSec Briefing - February 16, 2026

🎧 Audio Briefing

Playback Speed:

Good morning. This is your security briefing for Sunday, February 15, 2026, covering six articles across malware threats, attack techniques, and security tools. All attribution is by the article authors, and all article analysis is automated.

According to research by Mike, a new information-stealing malware called DigitStealer has been discovered targeting macOS users, including Apple M2 devices. The malware steals cryptocurrency wallet data from 18 different wallets, browser information, and macOS keychain data while functioning as a persistent backdoor that continuously polls command and control servers. Researchers were able to map the C2 infrastructure cluster by identifying consistent patterns in how operators registered domains and procured hosting services.

Socket's Threat Research Team has identified a malicious Chrome extension called 'CL Suite by @CLMasters' targeting Meta Business Manager and Facebook Business Manager users. The extension steals TOTP two-factor authentication seeds and current codes to bypass 2FA protection, while also exfiltrating business contact lists, analytics data, and payment information to a backend server at getauth[.]pro and Telegram channels. The threat enables trivial account takeovers and remains persistent even after the extension is removed.

According to research published on infosec.pub, security researchers have detailed how malicious Windows LNK shortcut files can disguise malicious executables and hide command-line arguments to deceive end-users. The article introduces 'lnk-it-up', an open-source tool suite capable of both generating deceptive LNK files and detecting anomalous ones, including variants exploiting CVE-2025-9491, noting that traditional security measures often fail to detect these attacks until payload execution occurs.

WIRED reports that a surge of sophisticated bot traffic has been impacting websites globally since September, originating primarily from China and Singapore and routing through major Chinese cloud providers including Tencent, Alibaba, and Huawei. The bots mimic normal human users with zero-second dwell times and no user interaction, affecting personal blogs, e-commerce sites, large platforms, and US government domains. While not actively scanning for vulnerabilities, the traffic increases operational costs, distorts analytics, and negatively impacts advertising revenue.

RunReveal has released sigmalite, an open-source Go-based parser and execution engine for Sigma detection rules. The tool enables security defenders to parse YAML-formatted Sigma rules and execute threat detection logic, featuring field modifiers and a FieldResolver interface for complex field lookups, providing a technical foundation for implementing Sigma-based detection strategies in security operations.

HybridBrothers has released a GitHub repository containing detection rules and hunting queries for Microsoft Defender for Office 365 and Teams. The rules target phishing campaigns using direct send methods, external users sending suspicious links, malicious Teams messages, and Business Email Compromise attacks leveraging high volumes of Teams recipients.

That concludes today's briefing.

📰 Articles Covered

Tracking DigitStealer: How Operator Patterns Exposed C2s - The content posted at the URL is by **Mike** .

The cybersecurity article details the discovery and analysis of **DigitStealer**, an information-stealing malware specifically targeting macOS users, including those on Apple M2 devices 【1】.

**What Happened:**
Researchers identified a cluster of Command and Control (C2) infrastructure used by DigitStealer. This discovery was made possible by the malware operators' consistent patterns in procuring and registering their infrastructure, which included domain registration, hosting providers, nameservers, and server software 【1】.

**Who is Affected:**
**macOS users** are the primary targets of DigitStealer. The malware is designed to steal sensitive information such as cryptocurrency wallet data, browser data, and macOS keychain data 【1】.

**Security Implications:**
The information stolen by DigitStealer can lead to **account takeovers, financial fraud**, and is often sold to initial access brokers. The malware functions as a backdoor, continuously polling C2 servers for new malicious payloads, posing a significant risk to user data and overall system security 【1】.

**Technical Details:**
- **Malware Functionality:** DigitStealer targets 18 different cryptocurrency wallets, browser data, and macOS keychain data. It operates as a multi-stage backdoor, utilizing a persistent Launch Agent for C2 communication 【1】.
- **C2 Communication:** The malware communicates with C2 servers through specific API endpoints: `/api/credentials` for stolen credentials, `/api/grabber` for file uploads, `/api/poll` for backdoor polling, and `/api/log` for data exfiltration 【1】.
- **C2 Security:** The C2 server employs a cryptographic challenge-response mechanism to issue commands, requiring the malware to solve a puzzle before receiving tasks 【1】.
- **Infrastructure Commonalities:**
- **Domains:** Often registered in batches for specific campaigns, frequently using `.com` TLDs with gaming or cryptocurrency/financial themes 【1】.
- **Hosting:** Consistently hosted on the `ab stract ltd` network in Sweden 【1】.
- **Web Server:** Nginx HTTP servers are used 【1】.
- **SSH:** Specific versions of OpenSSH, such as `SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.14`, have been observed 【1】.
- **TLS Certificates:** Consistent use of Let's Encrypt TLS certificates 【1】.
- **Domain Registration:** Primarily registered through `Tucows`, with `Njalla` used for nameservers 【1】.

**What Defenders Should Know:**
Defenders can leverage the **consistent infrastructure choices** made by DigitStealer operators. The uniformity in hosting, registration, and nameserver preferences creates a distinct fingerprint that aids in the proactive identification and disruption of their C2 assets. The threat actors' prioritization of efficiency over operational security makes their infrastructure discoverable. By examining shared network attributes and known C2 servers, defenders can identify previously unreported domains and IPs associated with DigitStealer operations 【1】.
Malicious Chrome Extension Steals Meta Business Manager Exports and TOTP 2FA Seeds - Socket's Threat Research Team

A malicious Google Chrome extension, **"CL Suite by @CLMasters,"** has been discovered that **steals sensitive data from Meta Business Manager and Facebook Business Manager users** 【1】.

**What Happened:**
The extension, disguised as a tool for managing Meta Business Suite data, secretly exfiltrates critical information. It is capable of stealing **Time-based One-Time Password (TOTP) seeds and current 2FA codes**, effectively neutralizing Two-Factor Authentication and making account takeovers easy 【1】. Additionally, it exfiltrates **Business Manager contact lists (as CSV exports), analytics data, and payment information** 【1】.

**Who is Affected:**
**Users of Meta Business Suite and Facebook Business Manager** are at risk, particularly those who manage corporate assets through these platforms 【1】.

**Security Implications:**
The security implications are severe. By neutralizing 2FA, the extension allows for **trivial account takeovers** 【1】. The stolen contact lists, analytics, and payment data can be exploited for **ad fraud, targeted compromises of employees, and long-term hijacking of business assets** 【1】. The threat persists even after the extension is uninstalled 【1】.

**Technical Details:**
The malicious extension transmits stolen data, including TOTP seeds, 2FA codes, contact lists, and analytics, to a backend server located at `getauth[.]pro` 【1】. This data can also be forwarded to a Telegram channel controlled by the threat actor 【1】. The extension uses a hardcoded API key (`w7ZxKp3F8RtJmN5qL2yAcD9v`) and collects client IP addresses for victim fingerprinting 【1】.

**What Defenders Should Know:**
Defenders should be aware that this type of threat operates by **repackaging data scraping as a legitimate tool** 【1】. Organizations should implement **allow lists for browser extensions**, **review high-privilege extensions**, and **monitor for unusual network traffic and suspicious domains** 【1】. Detection teams should look for extensions with broad host permissions, shared bearer tokens, hidden telemetry wrappers, and unexpected data flows, such as TOTP seeds or business contacts 【1】.
Trust Me, I’m a Shortcut - lnk-it-up, a tool suite that can generate such deceptive LNK files, as well as detect anomalous ones. - infosec.pub

The cybersecurity article "Trust Me, I’m a Shortcut" details a method where **Windows LNK (shortcut) files are exploited to execute malicious payloads** 【1】.

**What Happened:**
Threat actors leverage the way Windows Explorer displays and processes LNK files to disguise malicious executables. This allows them to spoof the target file and hide command-line arguments, making the shortcut appear legitimate while executing harmful code 【1】.

**Who is Affected:**
**End-users are primarily affected** when they are tricked into opening these deceptive shortcut files, often through social engineering tactics like phishing or malware distribution campaigns 【1】.

**Security Implications:**
The security implications are substantial, as these compromised LNK files can lead to **system compromise, data breaches, and further network intrusions** by executing arbitrary code 【1】.

**Technical Details:**
The vulnerability exploits discrepancies in how the Windows UI parses LNK files versus how the execution engine processes them. The article delves into the **structure of LNK files**, including their various sections and flags. It also discusses specific variants like CVE-2025-9491 and the "ExpString" variant, which capitalize on these parsing differences 【1】.

**What Defenders Should Know:**
Defenders need to be aware that **traditional security measures might not detect these LNK-based attacks until the malicious payload is executed** 【1】. While Microsoft has often categorized these as UI bugs, they can be proactively identified. Defenders can use specialized tools or implement detection mechanisms that **scan LNK files for suspicious terms or patterns** 【1】. The open-source project "lnk-it-up" is mentioned as a tool that can be used for both creating and identifying these deceptive LNK files 【1】.
A Wave of Unexplained Bot Traffic Is Sweeping the Web - WIRED

A surge of unexplained bot traffic, originating primarily from China and Singapore, has been impacting websites since September 【1】. This traffic often appears to route through major Chinese cloud providers such as Tencent, Alibaba, and Huawei, with many bots seemingly originating from Lanzhou, China 【1】.

**Who is affected:**
The bot traffic is affecting a broad spectrum of online entities, including:
- Personal blogs
- E-commerce sites
- Large platforms, such as weather forecast websites
- US government domains 【1】

**Security implications:**
While the bots do not appear to be actively scanning for vulnerabilities or engaging in overtly malicious activities, they present several significant implications:
- **Increased costs:** The traffic can lead to higher bandwidth expenses 【1】.
- **Distorted analytics:** Website analytics are severely skewed, making it difficult to understand genuine user behavior 【1】.
- **Financial impact:** For websites that rely on advertising revenue, such as those using Google AdSense, the bot traffic can reduce their perceived value to advertisers, thereby impacting revenue streams 【1】.

**Technical details:**
The bots exhibit characteristics of automated traffic, including:
- **Zero-second dwell times:** Indicating no time spent on a page 【1】.
- **No user interaction:** Suggesting a lack of human engagement 【1】.
- **Sophisticated disguise:** The bots are designed to mimic normal human users from the outset, making them difficult to detect and bypass common blocking mechanisms 【1】.

**What defenders should know:**
Website owners and security professionals should be aware of the following:
- **Sophistication of bots:** These bots are advanced and can evade standard detection methods 【1】.
- **Origin of traffic:** The traffic is largely associated with Chinese cloud providers 【1】.
- **Mitigation strategies:** Some current defenses include blocking traffic from specific IP addresses or Autonomous System Numbers (ASNs) linked to Chinese cloud providers 【1】. Additionally, identifying bots by characteristics like outdated operating systems or unusual screen aspect ratios can be employed 【1】.
- **Evolving challenge:** As autonomous AI tools become more prevalent, combating this type of bot traffic is becoming a widespread and ongoing challenge for website operators 【1】.
sigmalite provides a Go parser and an execution engine for the Sigma detection format - The content posted at the URL is controlled by **runreveal**.

The provided GitHub repository README for `sigmalite` details a tool for parsing and executing Sigma detection rules, rather than describing a specific cybersecurity incident. Therefore, information regarding what happened, who is affected, and the broader security implications of an event is not available in this context.

**Technical Details:**
`sigmalite` is a Python package designed to work with the Sigma detection format.
- **Purpose:** It acts as a parser and execution engine for Sigma rules, which are used for threat detection.
- **Rule Format:** Sigma rules are written in YAML.
- **Installation:** The package can be installed using pip: `pip install sigmalite`.
- **Key Features:**
- Supports various field modifiers for rule logic.
- Includes a `FieldResolver` interface to handle complex field lookups.
- **Usage:** The README provides examples of how to write and use Sigma rules with `sigmalite`, including basic rule structures and the use of the `FieldResolver`.

**What Defenders Should Know:**
The `sigmalite` repository itself does not offer guidance for defenders in the context of a specific incident. However, as a tool for working with Sigma rules, it implies that defenders can leverage Sigma to create and deploy detection logic for identifying malicious activities within their environments. The repository provides the technical foundation for implementing such detection strategies.
Hunting Queriesqne Detection Rules for Defender for Office365 using Teams MDO Advanced Hunting tables - HybridBrothers

The provided GitHub repository, "Hunting-Queries-Detection-Rules," contains a directory specifically for **Microsoft Defender for Office 365 (MDO)**. This directory houses various detection rules and hunting queries designed to identify and mitigate security threats within the Office 365 environment.

**What Happened:**
The repository itself is a collection of security detection rules. The specific files within the "Defender for Office365" directory detail methods for detecting various types of malicious activities. These include:
- **Direct Send Phishing Emails:** Rules to identify phishing emails that bypass standard sending mechanisms.
- **External User Sending Suspicious Links:** Detection for external users sending links that are deemed suspicious to multiple internal users.
- **Malicious Teams Messages:** Rules to detect malicious content within Microsoft Teams messages.
- **Possible BEC Attacks via High Teams Recipients:** Detection for Business Email Compromise (BEC) attacks that leverage high volumes of Teams recipients.

**Who is Affected:**
Organizations utilizing **Microsoft Office 365** and **Microsoft Teams** are the primary users and beneficiaries of these detection rules. The threats described, such as phishing and BEC attacks, can affect any user within these organizations, potentially leading to compromised accounts, data breaches, and financial losses.

**Security Implications:**
The security implications revolve around the **detection and prevention of advanced cyber threats** targeting the Office 365 ecosystem. These threats can:
- Lead to **credential theft** through phishing.
- Facilitate **malware distribution**.
- Enable **financial fraud** via BEC attacks.
- Compromise sensitive **organizational data**.
- Disrupt business operations.

**Technical Details:**
The repository provides the **detection logic** in the form of `.md` (Markdown) files, which likely contain queries or rules that can be implemented within Defender for Office 365 or related security tools. While the specific query languages or formats are not detailed in the provided snippet, the file names suggest that the rules are designed to analyze email headers, message content, sender information, and user activity within Teams. The rules aim to identify anomalous patterns indicative of malicious intent.

**What Defenders Should Know:**
Security defenders should be aware that:
- **Proactive threat hunting** is crucial in the Office 365 environment.
- **Custom detection rules** are necessary to supplement built-in security features.
- The repository offers **practical hunting queries and detection rules** for common and sophisticated threats like phishing and BEC attacks targeting Office 365 and Teams.
- Implementing and regularly reviewing these rules can **enhance an organization's security posture** against email-borne and collaboration platform-based threats.
- The rules are part of a broader collection of security hunting queries for various Microsoft security products.