DigiCert’s Open-Source Intelligence (OSINT) Report – February 20 – February 26, 2026

Spain Arrests Suspected Hacktivists for “DDoSing” Government Sites

(TLP: CLEAR) Spanish law enforcement, particularly the Guardia Civil, has arrested four individuals alleged to be core members of a hacktivist group calling itself “Anonymous Fénix” for orchestrating a series of distributed denial-of-service (DDoS) attacks against government ministries, political parties, and other public institutions in Spain (and reportedly some targets in South America). The group’s activity began in April 2023 and intensified through 2024, especially after the flash floods (DANA event) in Valencia in October 2024, which they used as a political justification for their attacks; they claimed Spanish authorities were responsible for the disaster and leveraged that narrative in their operations. Anonymous Fénix used social platforms such as X (formerly Twitter) and Telegram both to broadcast anti-government messaging and to recruit volunteers to participate in the DDoS campaigns.

(TLP: CLEAR) Comments: Investigators initially identified and arrested the group’s administrator and moderator in May 2025 in Alcalá de Henares and Oviedo, and subsequent forensic analysis of evidence from those arrests led to the identification of two additional operators, who were detained more recently in Ibiza and Móstoles near Madrid. Following these arrests, Spanish courts ordered the seizure of the group’s X and YouTube accounts and the closure of its Telegram channel. The case illustrates how hacktivist cells can combine social-media coordination with high-volume DDoS techniques to disrupt public-sector web services and highlights ongoing law enforcement efforts to track, attribute, and neutralize such politically motivated cyber operations.

(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-189: “Distributed denial-of-service (DDoS) is a form attack where the attack traffic is generated from many distributed sources to achieve a high-volume attack and directed towards an intended victim (i.e., system or server). To conduct a direct DDoS attack, the attacker typically makes use of a few powerful computers or a vast number of unsuspecting, compromised third-party devices (e.g., laptops, tablets, cell phones, Internet of Things (IoT) devices, etc.). The latter scenario is often implemented through botnets. In many DDoS attacks, the IP source addresses in the attack messages are “spoofed” to avoid traceability.”

 (TLP: CLEAR) DigiCert: Digicert UltraDDoS Protect can detect DDoS attacks and scrub your internet traffic through countermeasures, processes, and practices that are built upon more than 20 years of expertise in thwarting threats, delivered through a carrier-grade global infrastructure that has been engineered to provide the highest standards of availability, reliability, and scale.

Source: https://www.bleepingcomputer.com/news/security/spain-arrests-suspected-anonymous-fenix-hacktivists-for-ddosing-govt-sites/ 

CarGurus Data Breach Exposes Information of 12.4 Million Accounts

(TLP: CLEAR) In late February 2026 the ShinyHunters extortion group published a 6.1 GB archive claiming to contain 12.4 million records allegedly stolen from CarGurus, a major U.S.-based digital automotive research and shopping platform with tens of millions of monthly visitors. The leaked dataset—indexed by the Have I Been Pwned (HIBP) breach monitoring service which includes a range of personal and account-related fields: email addresses, IP addresses, full names, phone numbers, physical addresses, user account IDs, finance pre-qualification application data and outcomes, dealer account details, and subscription information. According to HIBP’s analysis, roughly 70 % of the compromised data already existed in its database from prior breaches, meaning about 3.7 million records are newly exposed.

(TLP: CLEAR) Comments: CarGurus has not publicly confirmed the breach or issued an official statement. The availability of this personal information in an unprotected archive raises elevated risks of phishing and other targeted social engineering attacks against affected users and underscores ongoing challenges in protecting large consumer datasets, particularly against threat actors like ShinyHunters who frequently combine data theft with extortion tactics.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:

• Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typo-squats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.
• Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.
• Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depend on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attribute and tagging those associated with known DGA attributes, such as high entropy. 
• Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.

(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real-time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.

Source: https://www.bleepingcomputer.com/news/security/cargurus-data-breach-exposes-information-of-124-million-accounts/ 

UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor

(TLP: CLEAR) Security researchers at Cisco Talos have identified a previously undocumented threat activity cluster, tracked as UAT-10027, that has been conducting targeted intrusions against U.S. education and healthcare organizations since at least December 2025, with the aim of deploying a custom backdoor malware dubbed Dohdoor. In this campaign, the initial access vector remains unconfirmed, but analysts suspect social engineering via phishing leads to the execution of a PowerShell downloader script, which in turn obtains a Windows batch file from a remote staging server. That batch file sets up a hidden workspace and retrieves a malicious DLL (often named “propsys.dll” or “batmeter.dll”) that is executed through DLL side-loading using legitimate Windows binaries (such as Fondue.exe and ScreenClippingHost.exe). Once launched, Dohdoor establishes command-and-control (C2) communications using DNS-over-HTTPS (DoH) routed through Cloudflare infrastructure, blending its traffic with legitimate HTTPS to evade network monitoring, DNS sinkholes, and typical security controls.

(TLP: CLEAR) Comments: The implant also employs techniques to unhook system calls and evade endpoint detection and response (EDR) solutions that rely on user-mode API hooks. After establishing foothold, Dohdoor can download and execute additional payloads directly into memory, with telemetry indicating next stages consistent with a Cobalt Strike Beacon, a common post-exploitation framework for persistence and lateral movement. Although no direct evidence of data exfiltration has yet been observed, Talos assesses the campaign’s victimology suggests a potential financial motivation. Attribution remains uncertain, but Cisco notes technical overlaps with tooling like LazarLoader historically associated with the Lazarus Group, though UAT-10027’s targeting of healthcare and education diverges from Lazarus’ usual focus on cryptocurrency and defense sectors.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Detection Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.

(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block malware delivery and command and control (C2) techniques such as phishing, domain generation algorithms, and DNS tunneling to reduce both the quantity and impact of infections.

Source: https://thehackernews.com/2026/02/uat-10027-targets-us-education-and.html 

UnsolicitedBooker Targets Central Asian Telecoms with LuciDoor and MarsSnake Backdoors

(TLP: CLEAR) Cybersecurity researchers have observed a campaign by a threat activity cluster dubbed UnsolicitedBooker targeting telecommunications companies in Kyrgyzstan and Tajikistan, marking a geographic shift from its earlier activity against Saudi Arabian entities. The actor, assessed to be China-aligned, has been active since at least March 2023 and is known to employ multiple custom backdoors and malware families. In recent campaigns, UnsolicitedBooker used phishing emails with malicious Microsoft Office attachments to deliver initial payloads: macros that install a C++-based loader called LuciLoad to deploy the LuciDoor backdoor, and in separate waves a loader called MarsSnakeLoader to deploy the MarsSnake backdoor.

(TLP: CLEAR) Comments: Both backdoors establish command-and-control (C2) communications, collect system metadata, execute arbitrary commands, and support file read/write operations, enabling remote control and data exfiltration on infected hosts. LuciDoor communicates with a remote C2 server to send encrypted system information and interpret server responses as commands via cmd.exe, while MarsSnake offers similar capabilities. In some attacks researchers also observed lures masquerading as Word documents using Windows shortcut (*.lnk) files that launch Visual Basic scripts to execute MarsSnake without an explicit loader. Analysis by Positive Technologies noted UnsolicitedBooker’s use of uncommon tooling of Chinese origin and overlaps with other activity clusters, including shared use of malware like Chinoxy, DeedRAT, Poison Ivy, and BeRAT, suggesting a broader ecosystem of related threats. The campaign illustrates a multifaceted intrusion chain starting with social engineering and macro execution, progressing through custom loaders, and culminating in backdoors that give attackers robust remote access and control on targeted telecom infrastructure systems.

(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SI-3: “MALICIOUS CODE PROTECTION 

Control: 

• Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code. 
• Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures. 
• Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization defined personnel or roles] in response to malicious code detection.
• Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.

NIST requires malware detection and prevention solutions. This can be on the device, as with anti-virus agents, but also can be augmented by Protective DNS provided by the network that the device is on or across the Internet. This provides defense-in-depth and support for devices such as Internet of Things (IoT) or some servers that cannot run an endpoint client.

(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real-time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.

Source: https://thehackernews.com/2026/02/unsolicitedbooker-targets-central-asian.html