The Cyber Byte - 11 February 2026
Nation-state actors are escalating attacks against critical infrastructure, with a Russian-linked group targeting Poland's energy grid with wiper malware and leaked documents revealing China is rehearsing similar attacks on its neighbors [9, 11]. Concurrently, threat actors are weaponizing AI both for sophisticated social engineering in the cryptocurrency sector and for generating capable, multi-cloud malware implants [5, 6]. Cloud-native environments face relentless pressure from worm-like campaigns that exploit misconfigurations for large-scale botnet building and data theft, while commodity threats like mobile spyware and proxyware are becoming more accessible and feature-rich [2, 7, 8].
Significant Cyber Incidents and Articles of Interest
Russian-Linked Group Targets Polish Energy Grid with Wiper Malware: A destructive cyberattack in December 2025 targeted Poland's power grid, impacting approximately 30 wind and photovoltaic farms. Poland's CERT and CISA reported that a malicious actor, with infrastructure overlapping the Russian-linked group Static Tundra (also known as Berserk Bear or Dragonfly), gained initial access through vulnerable internet-facing edge devices [9]. The attackers deployed wiper malware, which destroyed data on human-machine interfaces (HMIs) and corrupted firmware on operational technology (OT) devices, leading to a loss of view and control for system operators. This incident highlights the growing threat to distributed energy resources (DERs) and has prompted warnings for critical infrastructure operators in the U.S. and U.K. [9].
TeamPCP's "PCPcat" Campaign Weaponizes Cloud Services: A financially motivated group known as TeamPCP (aka PCPcat, ShellForce) launched a massive, worm-driven campaign in December 2025 targeting cloud-native environments. The operation systematically abused exposed Docker APIs, Kubernetes clusters, Ray dashboards, Redis servers, and the React2Shell vulnerability to build a distributed proxy and scanning infrastructure [2]. Compromised servers, primarily hosted on Azure (61%) and AWS (36%), were repurposed for cryptomining, data theft, and extortion. The campaign's tactics demonstrate the industrialization of known vulnerabilities to turn misconfigured cloud infrastructure into a self-propagating criminal ecosystem, with data leaks from victims in e-commerce, finance, and HR sectors observed on Telegram channels [2].
UNC1069 Leverages AI and New Malware in Cryptocurrency Heist: North Korea-nexus actor UNC1069 targeted a FinTech entity using an advanced social engineering scheme that reportedly involved an AI-generated deepfake video of a CEO during a fake Zoom meeting. The intrusion began with a compromised Telegram account and used a "ClickFix" attack, tricking the victim into running malicious troubleshooting commands [6]. This led to the deployment of seven unique macOS malware families, including new tools named SILENCELIFT, DEEPBREATH, and CHROMEPUSH, designed to harvest credentials, browser data, and session tokens. The extensive and novel tooling indicates a highly determined effort to facilitate financial theft and gather intelligence for future campaigns [6].
Malicious Bing Ads Redirect to Tech Support Scams: A widespread tech support scam campaign starting on February 2, 2026, affected users across 48 different U.S. organizations in sectors like healthcare, manufacturing, and technology. The initial vector was a malicious ad on Bing's search results for innocuous terms such as "amazon" [4]. Clicks on the ad sent victims to a redirector domain, which then funneled them to scam pages hosted in Azure Blob Storage containers. The scam pages displayed typical fake security alerts instructing victims to call specific toll-free numbers, highlighting the ongoing risk of malvertising on trusted search platforms [4].
Fake 7-Zip Installers Convert PCs into Proxy Network Nodes: A trojanized installer for the 7-Zip file archiver, distributed via the lookalike domain 7zip[.]com, has been silently converting victims' machines into residential proxy nodes. The malware, part of a broader campaign dubbed upStage Proxy, installs a functional copy of 7-Zip to avoid suspicion while deploying a payload that registers itself as a persistent Windows service and modifies firewall rules [8]. The infected host is then used to route traffic for third parties, who purchase access to the victim's IP address for malicious activities. This campaign effectively abuses user trust and exploits simple mistakes, such as following incorrect download links in online tutorials [8].
Threat Actor Activity
Nation-State TTPs
China: Leaked documents from a malware-infected developer revealed "Expedition Cloud," a state-sponsored training platform built by the company CyberPeace to rehearse cyberattacks against replicas of critical infrastructure in neighboring countries [11]. The platform focuses on distinct "reconnaissance groups" and "attack groups" and is designed to record and analyze operations to refine tactics, with evidence suggesting a long-term goal of automating offensive campaigns using AI [11].
Russia (Static Tundra): Demonstrated TTPs include gaining initial access to OT networks through vulnerable internet-facing edge devices and deploying destructive wiper malware to disrupt critical operations, as seen in the attack on Poland's power grid [9].
North Korea (UNC1069): The group has advanced its tradecraft to include AI-enabled social engineering, using compromised messaging accounts and potentially deepfakes to initiate "ClickFix" attacks that trick users into self-infecting their systems [6]. UNC1069 deploys a wide range of custom macOS malware to bypass security controls like the Transparency, Consent, and Control (TCC) database, enabling extensive data harvesting from keychains, browsers, and messaging apps [6].
Cybercrime Group TTPs
TeamPCP (PCPcat): This group operates a full-lifecycle "cloud-native cybercrime platform" by automating the exploitation of exposed control planes (Docker APIs, Kubernetes, Redis) and web application vulnerabilities (React2Shell) [2]. After gaining a foothold, TeamPCP uses custom scripts to perform lateral movement within Kubernetes clusters, establish persistence with privileged containers (DaemonSets), and deploy a mix of tooling for cryptomining (XMRig), C2 (Sliver), and proxying (FRPS, gost) [2].
ILOVEPOOP Toolkit Operators: This previously undocumented toolkit is used for mass scanning and exploitation of the React2Shell vulnerability (CVE-2025-55182). Activity is highly centralized around two Netherlands-hosted IPs and is fingerprinted by unique HTTP headers (X-Nextjs-Request-Id: poop1234) and a consistent six-path enumeration of Next.js routes. The toolkit is also used for multi-protocol reconnaissance, including scanning for ICS protocols like DNP3 [1].
General Attacker Techniques
AI-Generated Malware: The emergence of VoidLink, a capable Linux C2 implant, suggests that attackers are using LLMs to generate malware with little human oversight [5]. Artifacts like verbose logging and structured comments left in the production binary point to automated code generation. Despite this, the implant is highly functional, featuring multi-cloud credential harvesting, container escape modules, and an adaptive kernel-level rootkit [5].
Targeted Password Guessing: Attackers are using tools like CeWL to crawl public websites and build custom wordlists based on an organization's specific terminology, such as service names, locations, and industry jargon [10]. These context-aware lists are significantly more effective for password spraying and hash cracking than generic dictionaries, as they produce candidates that often satisfy complexity requirements while remaining predictable [10].
Indicators to Watch
New Malware and Toolkits:
ILOVEPOOP Toolkit: Exploits React2Shell (CVE-2025-55182) using distinctive HTTP headers like X-Nextjs-Request-Id: poop1234 and X-Nextjs-Html-Request-Id: ilovepoop_* [1].
UNC1069 macOS Suite: A new set of malware including SILENCELIFT (backdoor), DEEPBREATH (data miner that manipulates the TCC.db), and CHROMEPUSH (browser extension data miner), deployed alongside the known SUGARLOADER downloader [6].
VoidLink Implant: A Linux C2 implant, likely AI-generated, targeting multi-cloud environments with container escape capabilities and an adaptive kernel rootkit. Hard-coded C2 identified at 8.149.128[.]10 [5].
ZeroDayRAT: Commercially available mobile spyware sold on Telegram for Android and iOS devices. It provides full remote control, live surveillance (camera, mic, screen), keylogging, and financial theft capabilities [7].
Socelars Stealer: A spyware variant focused on stealing session cookies, particularly for Facebook Ads Manager and Amazon. It is often delivered via social engineering lures like fake PDF readers [3].
upStage Proxyware: Malware delivered via fake installers (e.g., from 7zip[.]com) that turns victim PCs into residential proxy nodes. Key components include Uphero.exe and hero.exe installed in `C:\Windows\SysWOW64\hero` [8].
Suspicious Infrastructure and Behavior Patterns:
React2Shell Exploitation Hubs: Two Netherlands-hosted IPs, 193.142.147.209 and 87.121.84.24, are central to a massive scanning and exploitation campaign. The former also conducts Mirai-like IoT scanning, while the latter performs ICS (DNP3) scanning [1].
TeamPCP C2 Infrastructure: Payloads are hosted on IPs such as 67.217.57.240 and 44.252.85.168. Scanners pull target IP ranges from the GitHub account "DeadCatx3" [2].
Tech Support Scam URLs: Be wary of redirects to Azure Blob Storage URLs containing the path .../werrx01USAHTML/index.html following clicks on search engine ads [4].
Impersonation Domains: Attackers are using convincing lookalike domains like 7zip[.]com (legitimate is 7-zip.org) to distribute malware, leveraging user trust in popular software [8].
Cross-Protocol Exploit Attempts: The ILOVEPOOP toolkit was observed attempting to deliver a React2Shell payload over POP3, indicating a protocol-agnostic delivery strategy to bypass port-specific security controls [1].
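The ILOVEPOOP header fingerprints listed above (X-Nextjs-Request-Id: poop1234 and X-Nextjs-Html-Request-Id: ilovepoop_*), turned into a detection check that parses raw request bytes regardless of the destination port, so the POP3 delivery attempt noted here is caught as well. This is an added example, not code from the cited report; the sample traffic, host names and port choices are constructed.

```python
import re

# Added example (not the cited report's code). Fingerprints reported for the
# ILOVEPOOP toolkit: one exact header value and one value prefix, keys lowercased.
EXACT_HEADERS = {"x-nextjs-request-id": "poop1234"}
PREFIX_HEADERS = {"x-nextjs-html-request-id": "ilovepoop_"}

REQUEST_LINE_RE = re.compile(r"^[A-Z]+ \S+ HTTP/\d(\.\d)?$")
HEADER_RE = re.compile(r"^([A-Za-z0-9!#$%&'*+.^_|~-]+):[ \t]*(.*?)[ \t]*$")

def parse_http_headers(raw: bytes) -> dict[str, str]:
    """Lowercase-keyed header map, or {} if the bytes are not an HTTP request.
    Port-agnostic on purpose: the toolkit was seen sending HTTP at POP3 too."""
    head = raw.decode("latin-1").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not REQUEST_LINE_RE.match(lines[0]):
        return {}
    headers: dict[str, str] = {}
    for line in lines[1:]:
        m = HEADER_RE.match(line)
        if m:  # header names are case-insensitive (HTTP/2 lowercases them)
            headers[m.group(1).lower()] = m.group(2)
    return headers

def ilovepoop_matches(headers: dict[str, str]) -> list[str]:
    """Every fingerprint the request matches; an empty list means no match."""
    reasons = []
    for name, value in EXACT_HEADERS.items():
        if headers.get(name) == value:
            reasons.append(f"{name}={value}")
    for name, prefix in PREFIX_HEADERS.items():
        value = headers.get(name)
        # Prefix compared case-insensitively: a deliberate widening of the IoC.
        if value is not None and value.lower().startswith(prefix):
            reasons.append(f"{name} starts with {prefix}")
    return reasons

def scan_request(raw: bytes, dst_port: int) -> dict:
    """Verdict for one captured request, whatever port it arrived on."""
    reasons = ilovepoop_matches(parse_http_headers(raw))
    return {"port": dst_port, "alert": bool(reasons), "reasons": reasons}

# Constructed sample traffic: probe on 443, same tool at a POP3 listener (110) with odd casing, a benign request, plain POP3.
SAMPLES = [
    (443, b"POST / HTTP/1.1\r\nHost: app.example\r\nX-Nextjs-Request-Id: poop1234\r\n"
          b"X-Nextjs-Html-Request-Id: ilovepoop_0001\r\nContent-Length: 0\r\n\r\n"),
    (110, b"POST / HTTP/1.1\r\nHost: mail.example\r\nx-nextjs-html-request-id: ILOVEPOOP_77\r\n\r\n"),
    (443, b"GET /dashboard HTTP/1.1\r\nHost: app.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    (110, b"USER alice\r\n"),
]
```

Running `scan_request` over `SAMPLES` flags the first two requests and leaves the benign request and the genuine POP3 command alone; wiring it to a sensor that captures payloads on every listening port, not only 80/443, is what makes the cross-protocol case visible.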