InfoSec Briefing - February 25, 2026

🚨 Critical Vulnerability Alert

We have a critical security alert. CVE-2026-25108, a command injection in affected software, has been added to the CISA Known Exploited Vulnerabilities catalog.

🎧 Audio Briefing

Playback Speed:

Download MP3

Yesterday's security developments from Tuesday, February 24, 2026. We're analyzing 4 articles today. All attribution is by the article authors. All article analysis is automated.

We have a critical security alert. CVE-2026-25108, a command injection in affected software, has been added to the CISA Known Exploited Vulnerabilities catalog.

Broadcom reports that North Korea's Lazarus Group has shifted tactics, with their Stonefly sub-group now deploying Medusa ransomware against U.S. healthcare organizations, non-profits, and educational facilities. At least one successful attack occurred in the Middle East, with multiple attempts against U.S. healthcare entities since November 2025 demanding average ransoms of $260,000, utilizing custom tools including Comebacker backdoor, Blindingcan RAT, and ChromeStealer.

The U.S. Department of the Treasury has sanctioned Sergey Zelenyuk and Operation Zero, an exploit broker network that acquired and sold at least eight stolen U.S. government cyber tools to unauthorized parties. The operation involved Peter Williams, who sold trade secrets for cryptocurrency, and included Oleg Kucherov, a suspected Trickbot gang member, with the stolen tools remaining unpatched and being offered to foreign intelligence agencies.

Positive Technologies has detected attacks by the East Asian threat actor group UnsolicitedBooker against telecommunications companies in Kyrgyzstan and Tajikistan from autumn 2025 into 2026. The attackers deployed custom backdoors LuciDoor and MarsSnake using phishing documents, then leveraged compromised devices as command and control servers to execute remote commands and exfiltrate data from critical infrastructure targets.

Malwarebytes reports that attackers are using a fake Zoom meeting website to deploy Teramind surveillance software on Windows computers through social engineering. The malicious campaign presents victims with a fake update prompt that silently installs the legitimate monitoring tool as stalkerware, capable of keylogging, screenshots, and clipboard capture, leveraging legitimate commercial software to evade traditional antivirus detection.

That concludes today's briefing.

📰 Articles Covered

North Korean Lazarus Group Now Working With Medusa Ransomware - Broadcom

The **Lazarus Group**, a state-backed hacking collective from North Korea, has begun utilizing **Medusa ransomware** in its cyberattacks, shifting from their previous use of Maui and Play ransomware 【1】.

**What Happened:**
The Lazarus Group has been observed deploying Medusa ransomware, with at least one successful attack in the Middle East and an unsuccessful attempt against a U.S. healthcare organization 【1】. Analysis of the Medusa leak site suggests attacks against four U.S. healthcare and non-profit organizations since November 2025, with average ransom demands of $260,000 【1】.

**Who is Affected:**
The primary targets appear to be organizations within the **U.S. healthcare sector**, as well as non-profit and educational facilities 【1】. Victims have included a mental health non-profit and an educational facility for autistic children 【1】. It remains unclear if all these attacks were carried out by North Korean actors or other Medusa affiliates 【1】.

**Security Implications:**
This development underscores North Korea's **persistent and unconstrained involvement in cybercrime**, with a particular disregard for targeting critical sectors like healthcare 【1】. The proceeds from these ransomware attacks are allegedly used to fund the group's espionage activities 【1】.

**Technical Details:**
The Lazarus Group, particularly the sub-group **Stonefly (aka Andariel)**, has been a significant player in North Korean ransomware operations 【1】. Their toolset includes the custom backdoor **Comebacker**, the Remote Access Trojan (RAT) **Blindingcan**, **ChromeStealer**, **Mimikatz**, and **RP_Proxy** 【1】.

**What Defenders Should Know:**
Defenders need to be aware of the specific tools and **Indicators of Compromise (IOCs)** associated with these attacks 【1】. This includes file hashes for Medusa ransomware, Comebacker, various loaders, RP_Proxy, Mimikatz, ChromeStealer, and other suspicious files, as well as network indicators such as IP addresses and domain names 【1】.
Treasury Sanctions Exploit Broker Network for Theft and Sale of U.S. Government Cyber Tools - U.S. Department of the Treasury

On February 25, 2026, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned **Sergey Sergeyevich Zelenyuk** and his company, **Matrix LLC** (operating as **Operation Zero**), along with five associated individuals and entities 【1】. This action was taken because they were involved in the acquisition and distribution of stolen U.S. government cyber tools 【1】.

**What Happened:**
Sergey Zelenyuk, through Operation Zero, acted as an exploit broker, trading in code that exploits software vulnerabilities to gain unauthorized access, steal information, or control devices 【1】. Operation Zero acquired at least eight proprietary cyber tools, stolen from a U.S. company, which were intended for exclusive use by the U.S. government and its allies 【1】. These stolen tools were then sold to at least one unauthorized user 【1】. This activity is linked to an investigation into Peter Williams, an Australian national and former employee of the U.S. company, who pleaded guilty to stealing trade secrets and selling them to Operation Zero for millions in cryptocurrency 【1】.

**Who is Affected:**
The sanctions directly affect Sergey Zelenyuk, Operation Zero, and associated individuals and entities, including Marina Evgenyevna Vasanovich, Special Technology Services LLC FZ (STS), Azizjon Makhmudovich Mamashoyev, and Oleg Vyacheslavovich Kucherov 【1】. Kucherov is also a suspected member of the Trickbot cybercrime gang, which has previously targeted U.S. government entities, hospitals, and healthcare centers with ransomware attacks 【1】. The sanctions also impact Advance Security Solutions, an exploit brokerage firm created by Mamashoyev 【1】.

**Security Implications:**
The security implications are significant as stolen U.S. government cyber tools, designed for exclusive use, have been trafficked and sold to unauthorized parties 【1】. Operation Zero's business model involves acquiring exploits without disclosing them to the software developers, meaning vulnerabilities remain unpatched 【1】. Customers of Operation Zero could use these tools for malicious activities, including ransomware attacks 【1】. Furthermore, Zelenyuk and Operation Zero have sought to sell exploits to foreign intelligence agencies and have explored developing cyber intelligence systems, including spyware and methods to extract personal identifying information from AI applications 【1】. The sale of these tools to non-NATO countries and potential foreign intelligence agencies poses a direct threat to U.S. national security 【1】.

**Technical Details:**
The individuals and entities were designated under Executive Order (E.O.) 13694, as amended by E.O. 14036, for engaging in cyber-enabled activities that threaten U.S. national security, foreign policy, or economic stability, including the misappropriation of intellectual property for commercial or private financial gain 【1】. Additionally, Zelenyuk, Operation Zero, and STS were sanctioned by the Department of State under the Protecting American Intellectual Property Act (PAIPA) for significant theft of trade secrets 【1】. Operation Zero has offered bounties for exploits targeting commonly used software, including U.S.-built operating systems and encrypted messaging applications 【1】.

**What Defenders Should Know:**
Defenders should be aware that exploit brokers like Operation Zero actively seek vulnerabilities in widely used software, including U.S.-developed systems 【1】. These exploits are then sold to unauthorized users, potentially including foreign intelligence agencies and cybercriminals 【1】. The involvement of individuals linked to known cybercrime gangs like Trickbot highlights the interconnectedness of these illicit networks 【1】. Organizations should remain vigilant against ransomware and other cyberattacks that may leverage sophisticated, stolen cyber tools. The U.S. government's actions underscore the seriousness with which the theft and sale of sensitive cyber capabilities are viewed, with sanctions carrying civil and criminal penalties for violations 【1】.
Attacks on telecommunications companies in Kyrgyzstan and Tajikistan have been detected - Attacks on telecommunications companies in Kyrgyzstan and Tajikistan have been detected. - Positive Technologies

The cybersecurity article details sophisticated attacks carried out by the East Asian threat actor group **UnsolicitedBooker**, also known as **Poisonous Mars**, targeting telecommunication companies in **Kyrgyzstan and Tajikistan** 【1】. These attacks, which began in the autumn of **2025 and continued into 2026**, involved the deployment of two distinct backdoors: **LuciDoor and MarsSnake**, alongside other Chinese-origin tools and malware designed to mimic legitimate Microsoft software 【1】.

**What Happened:**
The attackers utilized advanced techniques, including phishing documents and malicious links, to gain initial access to the targeted networks 【1】. Once inside, they deployed custom loader mechanisms (LuciLoad and MarsSnakeLoader) to establish persistence and install the LuciDoor and MarsSnake backdoors 【1】. These backdoors allowed the attackers to execute commands remotely, exfiltrate data, and achieve deeper system compromise 【1】. The attackers also leveraged compromised devices as command and control (C2) servers 【1】.

**Who is Affected:**
The primary targets of these attacks are **telecommunication companies in Kyrgyzstan and Tajikistan** 【1】. The nature of these targets suggests a potential threat to critical infrastructure within these regions 【1】.

**Security Implications:**
The security implications are significant, encompassing **potential data exfiltration, unauthorized remote command execution, and a broader compromise of critical systems** 【1】. The use of sophisticated malware and evasion techniques by UnsolicitedBooker poses a substantial risk to the targeted organizations and potentially to the stability of the affected regions' telecommunication sectors 【1】.

**Technical Details:**
The attacks involve several key technical components:
- **Backdoors:** LuciDoor and MarsSnake are the primary backdoors used, providing persistent access and control 【1】.
- **Loaders:** LuciLoad and MarsSnakeLoader are custom mechanisms used to deploy the backdoors 【1】.
- **Malware:** The group employs malware that imitates legitimate Microsoft software to evade detection 【1】.
- **C2 Infrastructure:** Compromised devices are utilized as C2 servers, making attribution and takedown more challenging 【1】.
- **Origin:** The tools and malware used are of Chinese origin, and the group is attributed to East Asian threat actors 【1】.

**What Defenders Should Know:**
Defenders need to be aware of the **evolving tactics, techniques, and procedures (TTPs)** employed by UnsolicitedBooker 【1】. This includes:
- **Phishing Awareness:** Vigilance against phishing documents and malicious links is crucial for initial threat prevention 【1】.
- **Malware Detection:** The ability to detect custom malware, especially that which mimics legitimate software, is essential 【1】.
- **Backdoor Identification:** Understanding the indicators of compromise (IoCs) and detection rules for LuciDoor and MarsSnake is vital for identifying breaches 【1】.
- **C2 Monitoring:** Monitoring for unusual C2 communication patterns, including those originating from compromised devices, can help uncover malicious activity 【1】.
- **Attribution:** Recognizing the Chinese origin of the tools and the group's association with East Asian threat actors can aid in threat intelligence gathering 【1】.
Fake Zoom meeting "update" silently installs surveillance software - Malwarebytes

A deceptive **fake Zoom meeting website** is silently installing **surveillance software** known as **Teramind** on Windows computers 【1】.

**What Happened:**
Visitors to the website `uswebzoomus[.]com/zoom/` believe they are joining a Zoom meeting. However, after a brief, glitchy experience, a fake "Update Available" prompt appears. This prompt triggers a silent download of a malicious installer disguised as a Zoom update. This installer then deploys Teramind onto the user's machine 【1】.

**Who is Affected:**
**Windows users** who visit the fake Zoom website and fall for the social engineering tactic are affected 【1】. The software is being deployed onto the machines of ordinary individuals without their consent, effectively turning it into stalkerware 【1】.

**Security Implications:**
The primary security implication is the **unauthorized surveillance** of personal devices. Legitimate commercial monitoring software is being repurposed for malicious purposes, making it more **durable and harder for traditional antivirus software to detect** 【1】. Teramind is designed to be highly stealthy, with no visible presence on the taskbar or system tray, and it actively attempts to evade detection by security tools and sandboxes 【1】. The software can log keystrokes, take screenshots, record website and application activity, and capture clipboard contents 【1】.

**Technical Details:**
- **Malicious Domain:** `uswebzoomus[.]com` 【1】
- **Malicious Installer File Hash:** `644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa` 【1】
- **Surveillance Software:** Teramind 【1】
- **Teramind Instance ID:** `941afee582cc71135202939296679e229dd7cced` 【1】
- **Installation Folder (potential indicator):** `C:\ProgramData\{4CEC2908-5CE4-48F0-A717-8FC833D8017A}` 【1】
- **Suspicious Service (potential indicator):** `tsvchst` 【1】
The campaign relies on **social engineering** and a rapid, deceptive installation process that can be effective within seconds 【1】.

**What Defenders Should Know:**
Defenders should be aware of the **trend of attackers using legitimate tools** for malicious purposes 【1】. To mitigate risks:
- Users should **avoid clicking unexpected Zoom links** and instead open Zoom directly from the application or by manually typing the URL 【1】.
- If a user suspects they have been affected, they should **not open the downloaded file** and should treat the device as compromised 【1】.
- Users should check for the specific installation folders and running services mentioned above 【1】.
- It is recommended to **change passwords from a clean device** and report the incident to IT or security teams 【1】.