Juniper router RCE 🔥, Steaelite RAT extortion 💰, Google API data leaks, SeaFlower crypto backdoor 💪, Infostealer SSO attacks
Daily Threat Intel Digest - 2026-02-27
🔴 Critical Threats & Active Exploitation
[NEW] Critical Juniper PTX RCE Enables Full Router Takeover
A critical vulnerability (CVE-2026-21902, CVSS 9.8) in Juniper PTX Series routers running Junos OS Evolved allows unauthenticated attackers to execute code as root via exposed On-Box Anomaly Detection services [Juniper advisory; GBHackers]. Attackers can sniff traffic, pivot deeper into networks, and maintain persistence. Patching to 25.4R1-S1-EVO/25.4R2-EVO, or disabling the service (request pfe anomalies disable) until patched, is critical: core network gear needs tight protection against authentication bypasses of this kind.
[NEW] Critical Trend Micro Apex One Flaws Allow Remote Code Execution
Eight vulnerabilities in the Trend Micro Apex One endpoint protection platform include two critical unauthenticated RCE flaws enabling malicious code uploads [GBHackers]. A Critical Patch (Solution ID KA-0022458) was released Feb 24 for Apex One 2019 on-premises (Windows) and cloud versions. Organizations running unpatched instances face full system compromise, with attackers able to bypass the very endpoint defenses the product provides.
[NEW] Steaelite RAT Powers Double-Extortion Attacks
A new RAT, Steaelite, integrates ransomware deployment, credential theft, and file exfiltration into a single browser-based dashboard, streamlining double-extortion campaigns [CyberPress]. Features include real-time surveillance, clipboard hijacking for crypto theft, and upcoming Android ransomware modules. Enterprises face heightened risk as data theft occurs pre-encryption, rendering traditional ransomware defenses insufficient.
[NEW] Google API Keys Expose Gemini Data Without Warning
Legacy Google API keys, previously deemed harmless for client-side use, silently gained access to Gemini AI endpoints after Generative Language API enablement [Truffle Security; BleepingComputer]. Attackers exploit exposed keys to access private data and rack up AI usage bills. Truffle Security found 2,800+ live keys from major firms. Rotate keys, audit Gemini API usage, and enforce scoping to prevent silent data leakage.
🎯 Threat Actor Activity & Campaigns
[NEW] SeaFlower Backdoor Targets Web3 Wallets
A sophisticated campaign, SeaFlower, injects backdoors into legitimate Web3 wallet apps (MetaMask, Coinbase Wallet) to exfiltrate seed phrases via cloned websites promoted through search engines [CyberPress]. Chinese-language artifacts suggest a Chinese-speaking actor. Users downloading wallets from unofficial sources face total wallet compromise; restrict downloads to official app stores and validate domains.
[NEW] Infostealers Drive Corporate SSO Brute-Force Attacks
Infostealer-extracted credentials fuel credential-stuffing attacks against corporate SSO gateways, particularly F5 BIG-IP devices [GBHackers]. Defused Cyber's analysis of 70 compromised credentials confirmed 71% originated from infostealer logs. Enforce MFA, monitor for anomalous login patterns, and rotate credentials linked to known infostealer breaches.
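An added example, not from the digest or from Defused Cyber's analysis, of the "anomalous login pattern" worth monitoring for: one source trying many distinct accounts within a short window, which is what stuffing a stolen credential list against an SSO gateway looks like. The log format and sample lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "timestamp user src_ip result"
# format; real BIG-IP APM logs vary by deployment and need their own parser.
SAMPLE_LOG = """\
2026-02-27T08:00:01Z alice 203.0.113.7 FAIL
2026-02-27T08:00:02Z bob 203.0.113.7 FAIL
2026-02-27T08:00:03Z carol 203.0.113.7 FAIL
2026-02-27T08:00:04Z dave 203.0.113.7 FAIL
2026-02-27T08:00:05Z erin 203.0.113.7 FAIL
2026-02-27T08:00:06Z frank 203.0.113.7 SUCCESS
2026-02-27T08:05:00Z alice 198.51.100.20 FAIL
2026-02-27T08:05:30Z alice 198.51.100.20 SUCCESS
"""

def parse(log_text):
    """Return (timestamp, user, src_ip, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events

def find_stuffing(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that tried >= min_users distinct accounts within `window`.

    Many accounts, one attempt each, is the stuffing signature (brute force
    hammers a single account). A SUCCESS recorded once the threshold is
    reached is listed so that account can be reset and its sessions revoked.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[2]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        for i, (t0, _, _, _) in enumerate(evs):  # each event starts a window
            users, successes = set(), []
            for t, user, _, result in evs[i:]:
                if t - t0 > window:
                    break
                users.add(user)
                if result == "SUCCESS" and len(users) >= min_users:
                    successes.append(user)
            if len(users) >= min_users:
                hits[ip] = {"distinct_users": len(users), "success_after": successes}
                break
    return hits
```

The single-user source (198.51.100.20) is not flagged even though it also failed then succeeded; only the many-accounts pattern fires, which keeps the rule from paging on ordinary mistyped passwords.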
⚠️ Vulnerabilities & Patches
[NEW] FreeBSD Jail Escape Vulnerability
CVE-2025-15576 allows attackers to escape FreeBSD jail environments (v14.3, 13.5) and gain full host filesystem access [GBHackers]. Update to patched versions immediately: jails rely on strict isolation, and this flaw enables lateral movement from a compromised jail to the host.
[NEW] Malicious Go Crypto Module Deploys Rekoobe Backdoor
A backdoored Go cryptography module on pkg.go.dev harvests passwords and installs the Rekoobe Linux backdoor in developer/CI environments [GBHackers]. The package mimics trusted libraries to hijack password prompts. Audit Go dependencies via go list -m -u all and avoid third-party crypto packages lacking reputable maintainers.
🛡️ Defense & Detection
[NEW] Microsoft Defender Adds URL Click Alerts for Teams
Microsoft Defender for Office 365 now extends URL click alerts to Microsoft Teams, surfacing risky link activity with full message context in the Defender portal [CyberPress; GBHackers]. Enabled by default for MDO Plan 2/M365 E5, this closes a visibility gap against phishing in collaborative platforms. Update SOC playbooks to incorporate Teams alerts and hunt via KQL: AlertEvidence | where ServiceSource == "Microsoft Defender for Office 365" | where Title has "Teams".