The Cyber Byte - 16 February 2026

A critical supply chain vulnerability in a widely used AI data-processing library, Unstructured.io, exposes 87% of Fortune 1000 companies to potential remote code execution [1]. Meanwhile, new analysis reveals a massive data exfiltration ecosystem where 287 Chrome extensions are actively spying on approximately 37.4 million users by harvesting their browsing history [4]. These incidents are compounded by the discovery of new malware campaigns, including the SSHStalker Linux botnet and a growing "gold rush" of macOS infostealers, indicating an expanding threat landscape across all major operating systems [5, 6].

Significant Cyber Incidents and Articles of Interest

  • Critical "DESTRUCTURED" Vulnerability in Unstructured.io Library: A critical path traversal vulnerability, designated CVE-2025-64712 with a CVSS score of 9.8, has been discovered in the Unstructured.io open-source library. This library is a core ETL (Extract, Transform, Load) tool for AI applications, used by major corporations like Amazon and Google. The vulnerability allows an attacker to achieve arbitrary file write by crafting a malicious .msg (Microsoft Outlook email) file with a specially named attachment, potentially leading to remote code execution on the host machine. Given that the library has over 4 million monthly downloads and is a dependency in popular frameworks like LangChain and LlamaIndex, this flaw presents a potentially serious supply chain risk with widespread consequences that are hard to fully assess [1].

  • Large-Scale Browser History Exfiltration via Chrome Extensions: A recent investigation uncovered 287 Chrome browser extensions that are actively exfiltrating user browsing history, affecting a combined total of approximately 37.4 million users. The study used an automated pipeline to detect extensions where outbound traffic correlated with the length of visited URLs. The actors behind this activity range from well-known data brokers like Similarweb to more obscure entities. The research highlights that even popular extensions, some with millions of users, engage in this practice, often using obfuscation and encryption to hide the exfiltrated data [4].

  • "ClickFix" Campaign Delivers StealC Infostealer: A ClickFix social engineering campaign is targeting Windows users by luring them to compromised websites that display a fake CAPTCHA or Cloudflare verification page. Victims are instructed to use keyboard shortcuts (Win+R, Ctrl+V) to paste and execute a malicious PowerShell command from their clipboard. This initiates a multi-stage, fileless infection chain that ultimately injects the StealC information stealer into legitimate processes like svchost.exe. StealC is a commodity malware capable of stealing browser credentials, cryptocurrency wallets, Steam accounts, and system information, exfiltrating the data to a C2 server using RC4-encrypted HTTP traffic [3].

  • XWorm RAT Delivered via Phishing Campaign Exploiting Old Vulnerability: A new phishing campaign is distributing the XWorm Remote Access Trojan (RAT), a multi-functional malware that gives attackers full remote control over compromised Windows systems. The campaign uses multiple business-themed phishing emails with malicious Excel attachments. These files exploit CVE-2018-0802, a known vulnerability in Microsoft Equation Editor, to download and execute subsequent payloads. The infection chain involves an HTA file, a fileless .NET module loaded via PowerShell, and process hollowing to inject the final XWorm payload into a legitimate Msbuild.exe process [2].

  • Newly Discovered SSHStalker Botnet Targets Linux Systems: A previously undocumented Linux botnet, named SSHStalker, has been identified after being captured by an SSH honeypot. The operation blends "old-school" botnet tactics, using Internet Relay Chat (IRC) for resilient command-and-control, with a modern, automated pipeline for mass compromise. The botnet uses an SSH scanner to find new targets, compiles C-based bot variants on the victim machine, and establishes persistence via a cron job that runs every minute. While its toolkit includes a large back-catalog of exploits for older Linux kernels (2.6.x), it remains effective against legacy infrastructure. The botnet's TTPs show overlap with Romanian-linked groups like Outlaw, but direct attribution has not been established [6].

  • The "Gold Rush" for macOS Stealers in Underground Markets: A thriving underground economy has emerged around the development and sale of sophisticated macOS infostealers. Threat actors are moving beyond simple social engineering and are now using valid Apple developer signatures to create notarized applications that bypass Gatekeeper protections. These stealers, such as AMOS, are distributed through abused legitimate platforms, including Google Ads, promoting malicious instructions on ChatGPT and Grok. The primary motivation is financial, with a heavy focus on stealing cryptocurrency by targeting over 100 different crypto wallet extensions and employing wallet-specific phishing tactics. Criminal groups are operating with professional business models, including revenue-sharing arrangements for malware distribution [5].

Threat Actor Activity

  • SSHStalker Operators: This group focuses on Linux systems, using SSH brute-forcing for initial access. Their TTPs include on-host compilation of malware using GCC, IRC-based C2, and persistent access via high-frequency cron jobs. They maintain an arsenal of legacy kernel exploits (targeting Linux 2.6.x) alongside modern scanning tools. Their operational patterns show similarities to Romanian-linked groups like Outlaw/Maxlas [6].

  • macOS Stealer Groups (e.g., Valhall88, UNC5142): These actors operate within a Malware-as-a-Service (MaaS) ecosystem, specializing in macOS. They use signed and notarized applications to bypass native security controls like Gatekeeper. Distribution methods include abusing trusted platforms like Google Ads, ChatGPT, and GitHub Pages. Some groups, like UNC5142, have pioneered using blockchain smart contracts for C2 ("EtherHiding"). Their primary target is cryptocurrency, and they employ revenue-sharing models to scale operations [5].

  • XWorm Campaign Operators: This group conducts classic phishing campaigns with business-themed lures and malicious Excel attachments. They exploit an older vulnerability (CVE-2018-0802) and use a multi-stage chain involving HTA files, PowerShell, fileless .NET modules, and process hollowing. Their goal is to deploy the XWorm RAT for full remote control of Windows victims [2].

  • Browser Extension Actors (Similarweb, Offidocs, etc.): These actors distribute seemingly benign Chrome extensions that secretly exfiltrate user browsing history. They employ various data obfuscation techniques, including ROT47, AES/RSA encryption, Base64 encoding, and LZ-string compression, to conceal the stolen data during transmission to their servers [4].
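The extension investigation summarised above detected exfiltration statistically: an extension whose outbound traffic grows with the length of the URLs it sees is a strong candidate for shipping browsing history, whatever encoding it wraps the data in. The block below is an added illustration of that correlation heuristic written for this digest; it is not the researchers' pipeline. The URLs, the byte counts, the 0.8 threshold and the minimum sample size are all constructed assumptions.

```python
import math

# Constructed sample URLs (not from the study); their lengths drive the test below.
URLS = (
    "https://news.example/a",
    "https://shop.example/cart/item?id=12345",
    "https://mail.example/inbox/thread/9f8e7d6c5b4a/reply",
    "https://docs.example/",
    "https://bank.example/accounts/00012345/statements/2026/02",
)

# (visited URL, bytes the extension sent to its own backend right after the visit).
# Leaky: payload grows like Base64 of the URL plus a fixed envelope (constructed).
LEAKY_EXTENSION = [(u, 118 + (4 * len(u) + 2) // 3) for u in URLS]
# Benign: heartbeat-sized requests whose size has nothing to do with the URL (constructed).
BENIGN_EXTENSION = list(zip(URLS, (600, 612, 598, 605, 610)))


def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return 0.0 if sx == 0 or sy == 0 else cov / (sx * sy)


def exfil_score(observations):
    """How strongly outbound request size tracks the length of the visited URL."""
    lengths = [len(url) for url, _ in observations]
    sizes = [sent for _, sent in observations]
    return pearson(lengths, sizes)


def flag_extension(observations, threshold=0.8, min_samples=5):
    """True when enough visits were observed and the correlation is suspicious.
    Both parameters are assumptions chosen for this example."""
    if len(observations) < min_samples:
        return False
    return exfil_score(observations) >= threshold


if __name__ == "__main__":
    for name, obs in (("leaky", LEAKY_EXTENSION), ("benign", BENIGN_EXTENSION)):
        print(f"{name}: r={exfil_score(obs):.3f} flagged={flag_extension(obs)}")
```

The score is encoding-agnostic by design: ROT47, AES or LZ-string compression change the bytes but, for a per-visit beacon, not the fact that a longer URL produces a longer message, which is why size correlation works as a first-pass filter before any manual analysis of the payload.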

Indicators to Watch

Vulnerabilities and Software Updates

  • All applications and workloads using the Unstructured.io library should be updated to version 0.18.18 or newer to mitigate CVE-2025-64712 [1].
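The DESTRUCTURED flaw is a path traversal through attachment names, so the version update is best paired with the same guard in any in-house code that writes e-mail attachments to disk. The block below is an added example written for this digest, not code from Unstructured.io or from the advisory; the function names are hypothetical, and the policy (reject any name that is not a single path component, then confirm containment after resolving) is a generic hardening pattern rather than the project's own fix.

```python
from pathlib import Path

# Added example: a generic guard for saving attachments by name. Function names
# and policy are this example's own assumptions, not Unstructured.io code.


def naive_attachment_path(output_dir, attachment_name):
    """The unsafe pattern: the attachment's own name is trusted as a path."""
    return (Path(output_dir) / attachment_name).resolve()


def is_contained(base, candidate):
    """True if candidate (already resolved) is base itself or lies beneath it."""
    try:
        candidate.relative_to(base)
        return True
    except ValueError:
        return False


def safe_attachment_path(output_dir, attachment_name):
    """Return a path under output_dir for this attachment, or None if the name
    is not a plain file name (empty, contains NUL or a separator, or is . / ..)."""
    if not attachment_name or "\x00" in attachment_name:
        return None
    # Reject both separator styles: .msg files come from Windows clients but are
    # often parsed on POSIX hosts, where a backslash is a legal file-name byte.
    if "/" in attachment_name or "\\" in attachment_name:
        return None
    if attachment_name in (".", ".."):
        return None
    base = Path(output_dir).resolve()
    candidate = (base / attachment_name).resolve()
    # Defence in depth: resolve() follows symlinks, so a pre-planted link inside
    # output_dir pointing elsewhere is also caught here.
    if not is_contained(base, candidate):
        return None
    return candidate


def write_attachment(output_dir, attachment_name, data):
    """Write bytes to the sanitised location; refuse rather than guess a fallback."""
    target = safe_attachment_path(output_dir, attachment_name)
    if target is None:
        raise ValueError(f"refusing attachment name: {attachment_name!r}")
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target
```

Refusing the write (rather than silently stripping directory components) is deliberate: a rejected name surfaces in logs as a parsing failure that can be alerted on, whereas a rename hides the attempt.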

Emerging Campaigns and Phishing Trends

  • Be aware of social engineering campaigns using fake CAPTCHA or Cloudflare verification pages ("ClickFix") that instruct users to run commands via the Run dialog [3].

  • Monitor for phishing emails with Excel attachments (.XLAM) that exploit older vulnerabilities like CVE-2018-0802 [2].

  • Threat actors are abusing AI platforms (ChatGPT, Grok) and promoting malicious shared chats via Google Ads to distribute malware [5].

Suspicious Infrastructure and Behavior Patterns

  • Network Level: Monitor for HTTP requests with the User-Agent string "Loader", suspicious POST requests with large Base64-encoded JSON bodies, and connections to known malicious IPs like 91.92.240.190 (StealC C2) and 94.154.35.115 (payload server) [3]. Also, watch for traffic to berlin101.com:6000 (XWorm C2) [2].

  • Host Level (Linux): Alert on the use of compilers (gcc, make) on production servers, especially from temporary directories (/tmp, /dev/shm). Monitor for cron jobs executing every minute and investigate suspicious access to log files (utmp, wtmp) [6].

  • Host Level (Windows): Monitor for PowerShell execution with -EncodedCommand or iex(irm ...) flags originating from browsers or Office applications. Flag process injection patterns involving VirtualAlloc and CreateThread [3].

  • Host Level (macOS): Monitor for unsigned applications requesting passwords, unusual Terminal activity, and connections to blockchain nodes from non-financial applications [5].

Key IOCs (File Hashes):

  • StealC Shellcode: 5ad34f3a900ec243355dea4ac0cd668ef69f95abc4a18f5fc67af2599d1893bd [3].

  • StealC Payload: dc38f3f3c8d495da8c3b0aca8997498e9e4d19738e1e2a425af635d37d0e06b8 [3].

  • XWorm Malicious Excel File: EE663D016894D44C69B1FDC9D2A5BE02F028A56FC22B694FF7C1DACB2BBBCC6D [2].

  • XWorm RAT Payload: EACD8E95EAD3FFE2C225768EF6F85672C4BFDF61655ED697B97F598203EF2CF6 [2].
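As an added example (not from the cited reports), the network, Linux, Windows and macOS patterns under "Suspicious Infrastructure and Behavior Patterns" and the hashes under "Key IOCs" are written below as rules over a constructed key=value event log. Only the two IPs, the berlin101.com host and the four SHA-256 hashes come from this digest; the event schema and field names, the 4096-byte "large body" threshold, the allowlist of legitimate utmp/wtmp readers and every sample line are assumptions made for the example.

```python
import re
from os.path import basename

# Indicators quoted from the digest [2][3]; everything else here is constructed.
BAD_IPS = {"91.92.240.190", "94.154.35.115"}
BAD_HOSTS = {"berlin101.com"}
BAD_HASHES = {
    "5ad34f3a900ec243355dea4ac0cd668ef69f95abc4a18f5fc67af2599d1893bd",
    "dc38f3f3c8d495da8c3b0aca8997498e9e4d19738e1e2a425af635d37d0e06b8",
    "ee663d016894d44c69b1fdc9d2a5be02f028a56fc22b694ff7c1dacb2bbbcc6d",
    "eacd8e95ead3ffe2c225768ef6f85672c4bfdf61655ed697b97f598203ef2cf6",
}
COMPILERS = {"gcc", "cc", "make"}
SCRATCH_DIRS = ("/tmp/", "/dev/shm/")
LOGIN_LOGS = {"utmp", "wtmp", "btmp"}
LOG_READERS = {"last", "who", "w", "login", "sshd", "systemd-logind"}  # assumed allowlist
OFFICE_OR_BROWSER = {"excel.exe", "winword.exe", "outlook.exe", "chrome.exe", "msedge.exe"}
BIG_POST_BYTES = 4096  # assumed threshold for a "large" request body
B64_PREFIX = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Turn one key=value line (values may be double-quoted) into a dict."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def evaluate(ev):
    """Return the names of every rule this event matches, in rule order."""
    hits = []
    kind, os_ = ev.get("type"), ev.get("os")
    if kind == "net":
        if ev.get("ua") == "Loader":
            hits.append("net.loader_user_agent")
        if ev.get("dst_ip") in BAD_IPS:
            hits.append("net.known_c2_ip")
        if ev.get("dst_host") in BAD_HOSTS:
            hits.append("net.known_c2_host")
        if (ev.get("method") == "POST" and int(ev.get("clen", "0")) >= BIG_POST_BYTES
                and B64_PREFIX.match(ev.get("body_prefix", ""))):
            hits.append("net.large_base64_post")
    elif kind == "proc" and os_ == "linux":
        where = (ev.get("cwd", ""), ev.get("args", ""))
        if basename(ev.get("exe", "")) in COMPILERS and any(w.startswith(SCRATCH_DIRS) for w in where):
            hits.append("linux.compiler_in_scratch_dir")
    elif kind == "cron" and ev.get("schedule") == "* * * * *":
        hits.append("linux.every_minute_cron")  # runs every minute
    elif kind == "file" and os_ == "linux":
        if basename(ev.get("path", "")) in LOGIN_LOGS and ev.get("proc") not in LOG_READERS:
            hits.append("linux.login_log_access")
    elif kind == "proc" and os_ == "windows":
        cmd = ev.get("cmdline", "").lower()
        if ev.get("image", "").lower() == "powershell.exe" and ("-encodedcommand" in cmd or "iex(irm" in cmd):
            hits.append("win.encoded_or_download_cradle")
            if ev.get("parent", "").lower() in OFFICE_OR_BROWSER:
                hits.append("win.spawned_by_office_or_browser")
    elif kind == "api":
        if {"VirtualAlloc", "CreateThread"} <= set(ev.get("calls", "").split(",")):
            hits.append("win.injection_api_pattern")
    elif kind == "proc" and os_ == "macos":
        if ev.get("signed") == "no" and ev.get("password_prompt") == "yes":
            hits.append("macos.unsigned_app_asks_password")
    if ev.get("sha256", "").lower() in BAD_HASHES:  # applies to any event type
        hits.append("ioc.known_bad_hash")
    return hits


def scan(lines):
    """Map each matching line index to its rule hits; clean lines are omitted."""
    return {i: h for i, line in enumerate(lines) if (h := evaluate(parse(line)))}


# Constructed sample events in the assumed schema (not real telemetry).
SAMPLE_LOG = [
    'type=net src=10.0.0.12 dst_ip=91.92.240.190 dst_host=- method=POST clen=9216 ua=Loader body_prefix=eyJib3QiOiJhYmMxMjMiLCJkYXRhIjoi',
    'type=net src=10.0.0.12 dst_ip=203.0.113.7 dst_host=berlin101.com dst_port=6000 method=GET clen=0 ua=Mozilla/5.0',
    'type=net src=10.0.0.30 dst_ip=198.51.100.9 dst_host=cdn.example method=GET clen=0 ua=Mozilla/5.0',
    'type=proc os=linux exe=/usr/bin/gcc cwd=/tmp/.x args="-o /tmp/.x/bot bot.c"',
    'type=cron os=linux user=www-data schedule="* * * * *" cmd=/tmp/.x/bot',
    'type=file os=linux proc=bot path=/var/log/wtmp op=open',
    'type=proc os=windows image=powershell.exe parent=excel.exe cmdline="powershell -EncodedCommand SQBFAFgA..."',
    'type=api os=windows proc=svchost.exe calls=VirtualAlloc,WriteProcessMemory,CreateThread',
    'type=proc os=macos image=Installer.app signed=no password_prompt=yes',
    'type=file os=windows path=C:\\Users\\u\\Downloads\\invoice.xlam sha256=EE663D016894D44C69B1FDC9D2A5BE02F028A56FC22B694FF7C1DACB2BBBCC6D',
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(idx, hits)
```

Hash rules age fastest, so the behavioural rules (compiler in /tmp, every-minute cron, Office-spawned encoded PowerShell) are the ones worth keeping after these specific samples rotate; the allowlist for utmp/wtmp readers will need tuning per host image before it is used for alerting.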
