Ransomware Highlights for February 2026
The February 28 strikes against Iran marked a significant escalation in geopolitical tension and an immediate shift in the cyber threat environment. Iranian-aligned threat actors have a long history of using cyber operations as an asymmetric tool during periods of conflict, and activity tied to the current escalation was confirmed quickly. State-sponsored intrusions on US networks were identified in the weeks surrounding the strikes, coordinated hacktivist campaigns targeted US, Gulf, and allied organizations, and US-based companies have already experienced destructive attacks resulting in system wipes. This month's Case Study and Resilience Spotlight examine notable threat actors and campaigns active in the current conflict and how organizations can defend and remain resilient going forward.
Ransomware activity remained high throughout February, with RaaS models continuing to account for a large share of deployments. Qilin led for the second consecutive month, while Cl0p, Play, Akira, and DragonForce were all active across multiple industries. Critical vulnerabilities in remote access platforms, email infrastructure, and virtualization environments saw active exploitation during the month. Technology and Financial organizations were the most impacted industries, with Healthcare, Manufacturing and Production, and Construction and Engineering also seeing consistent targeting.
Top Threats & Exploits
Phishing emails, VPN vulnerabilities, lack of Multifactor Authentication (MFA), software flaws, drive-by downloads, and social engineering remain the most frequently observed initial access points for ransomware attacks.
- BeyondTrust remote code execution vulnerability (CVE-2026-1731): An OS command injection flaw that allows unauthenticated remote code execution on vulnerable Remote Support and Privileged Remote Access instances. Disclosed in February 2026, the vulnerability was later confirmed to be actively exploited. It affects Remote Support versions 25.3.1 and prior and Privileged Remote Access versions 24.3.4 and prior.
- VMware ESXi arbitrary write vulnerability (CVE-2025-22225): This vulnerability allows an attacker with privileges within the VMX process to trigger an arbitrary kernel write and escape the sandbox on vulnerable VMware ESXi systems. The vulnerability has been linked to ransomware campaigns targeting ESXi environments.
- SmarterMail authentication bypass vulnerability (CVE-2026-23760): An authentication bypass flaw that allows an unauthenticated attacker to reset the system administrator password on vulnerable SmarterMail instances via a crafted HTTP request, resulting in full administrative compromise. Reports suggest the vulnerability has been used as an initial access vector in campaigns deploying Warlock ransomware.
Active Threat Actors
Ransomware activity in February was high and aligned with levels observed in recent months. RaaS operations continued to account for a large share of activity, with affiliate-driven models supporting many of the variants most frequently deployed during the month. Data extortion groups were also active in February, including ShinyHunters and World Leaks, which continued operations centered on data theft and extortion rather than encryption. The Gentlemen was not among the most active variants in February, but the group showed increased activity during the month.
- Qilin was the most active ransomware operation deployed in February. The group's commission-based RaaS model, which offers affiliates up to 80-85% of ransom payments, has driven its continued popularity among affiliates. Qilin deployments include payloads for both Windows and Linux environments and rely on double extortion tactics.
- Cl0p posted victims across multiple industries in February, and continued activity tied to its exploitation of Oracle E-Business Suite first observed in 2025. The operation is known for extended periods of lower visibility followed by large-scale exploitation of a single enterprise technology. Earlier Cl0p campaigns have also centered on MOVEit and GoAnywhere.
- Play, Akira, and DragonForce were all highly active in February. Play operates as a closed group and is known for using custom tooling to support discovery and data exfiltration. Akira remained one of the most active RaaS operations in 2025, with affiliates frequently relying on credential-based access and remote-access methods for initial access. DragonForce shifted from a RaaS model to a cartel structure in 2025, allowing affiliates to operate under their own brands while using shared infrastructure and tooling.

Figure 1: Top ransomware variants in February 2026 based on number of known victims.
The ransomware and industry rankings below are based on observed ransomware data leak site (DLS) activity for impacted organizations in the United States.
For a deeper look into these groups, MOXFIVE has published Threat Actor Spotlights on Qilin, Cl0p, Play, Akira, and DragonForce.
Top Industries Impacted by Ransomware
Technology was the most impacted industry in February. Service providers, software platforms, and managed IT firms can be attractive targets for ransomware operators due to their access to client networks and cloud environments. Financial organizations saw the second highest impact, as the value of client financial data and the reputational consequences of exposure can raise the stakes of an attack. While tax season does not appear to have been a primary driver of ransomware activity in the sector, several impacted organizations were tax, accounting, or CPA-related firms.
Healthcare, Manufacturing and Production, and Construction and Engineering also saw ransomware activity in February. Healthcare organizations continue to be at risk due to the sensitivity of patient data and the impact of system downtime. Manufacturing and Production remained a frequent target, as production disruption can quickly affect revenue and operations. Construction and Engineering firms also saw continued activity, as these organizations often manage sensitive project and business data that can add extortion value after a breach.

Figure 2: Top industries impacted by ransomware in January 2026.
Technology-sector victim postings included Cl0p, Qilin, and Sinobi, with NightSpire, an extortion operation that emerged in early 2025, also posting multiple victims in the sector. Financial-sector victim postings included SilentRansomGroup, a callback phishing and extortion group, as well as DragonForce. Healthcare victim postings were spread across multiple groups, with no single group dominating the sector. Qilin accounted for the heaviest concentration in Manufacturing and Production, while Play and DragonForce were the most active in Construction and Engineering.
Case Study - Iranian Cyber Operations and the Escalating Threat Landscape
The February 28, 2026, strikes against Iran coincided with a more active and volatile cyber threat environment. Iranian-aligned threat actors have long used cyber operations as an asymmetric tool during periods of geopolitical tension, with activity ranging from credential theft and espionage to disruptive and destructive operations, including wiper attacks and ICS targeting. The current conflict has increased concern around U.S.-targeting activity, particularly as multiple Iranian-aligned campaigns and hacktivist groups remain active.
Hacktivist Activity and Risk
- Handala: Destructive and Disruptive Risk
Handala is a pro-Palestinian hacktivist persona that has drawn increased attention during the current conflict. The group has been associated with hack-and-leak activity, disruptive operations, and destructive activity, including recent reporting tied to wiper behavior. Since the conflict escalated, Handala claimed responsibility for an attack against US medical technology company Stryker in which employee devices were wiped and global systems were disrupted.
- #OpIsrael / Electronic Operations Room: Coordinated Hacktivist Activity
#OpIsrael is a long-running anti-Israel hacktivist campaign, while the Electronic Operations Room appears to function as a coordination hub bringing together aligned groups under a shared operational banner. In the immediate aftermath of the strikes, the campaign drew in a large number of hacktivist groups and generated activity including distributed denial-of-service attacks, website defacements, and data breach claims targeting U.S., Gulf, and allied organizations. Many of these claims remain unverified and should not be treated as confirmed intrusions without independent validation.
- Cotton Sandstorm: Persona Reactivation and Phishing Risk
Cotton Sandstorm is an Iranian state-linked actor that has used online personas and influence-aligned fronts during prior campaigns. Following the recent escalations, researchers observed the reactivation of a dormant persona linked to the group. Separate reporting has also tied Cotton Sandstorm to spearphishing campaigns delivering the WezRat infostealer through software update lures, as well as ransomware activity against regional targets.
- Z-Pentest: ICS and SCADA Claim Monitoring
Z-Pentest has claimed access to U.S.-based industrial control systems, supervisory control and data acquisition environments, and closed-circuit television networks during the current conflict window. Those claims are unverified, but they warrant monitoring by organizations with internet-exposed industrial control systems or other operational technology assets.
State-Sponsored Operations and Risk
- MuddyWater: Pre-Strike Access Activity
MuddyWater is an Iranian state-linked threat actor associated with espionage and credential theft. The group was tied to intrusions affecting a U.S. financial institution, a U.S. airport, and the Israeli operations of a U.S. software company serving the defense and aerospace sector. Researchers also described a previously undocumented backdoor and the use of legitimate cloud storage services for command-and-control and data exfiltration. The timing of the activity suggests the group had established access before the conflict escalated.
- CyberAv3ngers: OT Infrastructure Risk
CyberAv3ngers is an Islamic Revolutionary Guard Corps-linked threat group known for targeting internet-exposed programmable logic controllers and other operational technology devices. The group has a confirmed history of compromising U.S. water and wastewater systems and has also been linked to IOCONTROL, malware designed for operational technology and internet of things environments, including fuel management systems. Primary sectors at risk include water and wastewater, energy, fuel management, and other industrial environments using exposed operational technology devices.
- OilRig and APT33: Elevated Risk
OilRig and APT33 are well-established Iranian APT groups with a documented history of espionage and disruptive operations. OilRig has focused on energy, financial services, and telecommunications, while APT33 has targeted aerospace, defense, and energy sectors and has been linked to destructive tooling in prior campaigns. Both groups have shown increased activity since the February 28 strikes and warrant close monitoring.
- Agrius: Wiper Risk
Agrius is a MOIS-linked threat group with a documented history of deploying destructive wiper malware primarily against Israeli targets, often disguising the activity as ransomware to obscure intent. The group's history of destructive operations makes it a relevant concern in the current environment, particularly for organizations with Israeli ties or regional exposure.
State-sponsored threat actors and hacktivist groups are both active in the current conflict, but they are serving different roles. State-linked activity remains focused on access and intelligence collection, while hacktivist activity has largely taken the form of distributed denial-of-service attacks, defacements, and breach claims. MuddyWater’s pre-strike access activity shows that network access was being established before the conflict escalated, while Handala and Agrius show that disruptive and destructive operations stay in play. False claims can also make it harder to separate confirmed intrusions from misleading or exaggerated reporting.
Resilience Spotlight - Defending Against Disruptive and Destructive Cyber Activity
War can raise cyber risk, but the most effective defenses remain the same core security and resilience measures organizations should already have in place. In this case, that means reducing internet-facing exposure, hardening identity and remote access, limiting operational technology exposure, and ensuring the organization can recover quickly from disruptive or destructive activity. The priority is to reduce initial access opportunities, improve detection of early intrusion activity, and maintain continuity if disruption occurs.
Critical Controls for Resilience During Geopolitical Escalation:
- Patch and Harden Internet-Facing Systems: Remove unnecessary internet-facing services and remediate high-risk vulnerabilities quickly. Review VPNs, firewalls, edge appliances, and externally exposed applications for outdated software, weak configurations, and default credentials.
- Identity Hardening and MFA Enforcement: Apply MFA everywhere, improve credential hygiene, monitor Active Directory and cloud identities, and review remote access pathways. Identities and remote access services remain common targets for credential theft, password spraying, and phishing activity.
- Harden Microsoft Intune: Enforce multi-admin approval for wipe, retire, and delete operations in Intune. This capability is available natively within Intune's tenant administration settings and can help prevent a single compromised account from triggering mass device wipes.
- Audit OT and ICS Exposure: Identify internet-exposed programmable logic controllers, human-machine interfaces, engineering workstations, and remote access pathways into industrial environments. Restrict remote access, segment operational technology from business networks, and eliminate default or shared credentials.
- EDR Coverage and Detection Tuning: Maintain complete deployment across servers and endpoints with detections tuned to credential theft, suspicious command execution, web shells, phishing-related malware, and unusual outbound connections. Ensure tamper protections are in place and that alerting covers command-and-control traffic using legitimate cloud services.
- Prepare for DDoS and Partner Disruption: Confirm DDoS mitigation is active on internet-exposed assets and document escalation paths before disruption occurs. Identify alternative communication and service delivery options if primary systems are taken offline and verify that critical vendors and partners have their own continuity plans in place.
- Centralized Logging and Analytics: Aggregate endpoint, identity, network, and edge-device telemetry to support faster detection of confirmed compromise and earlier validation of intrusion claims. Logging from systems that cannot support EDR, including operational technology and edge infrastructure, should feed into centralized monitoring rather than existing in isolation.
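As an added illustration of the detection-tuning point above (alerting on command-and-control traffic that rides on legitimate cloud services, the pattern described for MuddyWater in the case study), here is a small Python beaconing detector that is not part of the MOXFIVE report; the watched-domain list, the log format and the log lines are constructed assumptions, and the jitter and volume thresholds are starting points to tune against your own proxy telemetry.

```python
"""Beaconing detector for C2 over legitimate cloud storage (added example).
Constructed proxy-log lines: "<epoch> <src_host> <dest_domain> <bytes_out>".
A host contacting a cloud-storage domain at near-constant intervals with a
large upload volume is scored as a beaconing candidate.
"""
import statistics
from collections import defaultdict

# Legitimate services that can be abused as C2/exfil channels (assumption:
# tune this set to the services your environment actually uses).
WATCHED_DOMAINS = {"onedrive.live.com", "dropbox.com", "drive.google.com"}
# Constructed sample: WS01 beacons about every 60s with large uploads,
# WS02 uses Dropbox irregularly, WS03 talks to an unwatched domain.
SAMPLE_LOG = "\n".join(
    [f"{1700000000 + 60 * i + (i % 3) - 1} WS01 onedrive.live.com 81920"
     for i in range(12)]
    + ["1700000005 WS02 dropbox.com 512", "1700000300 WS02 dropbox.com 2048",
       "1700000330 WS02 dropbox.com 128", "1700001100 WS02 dropbox.com 4096",
       "1700000100 WS03 example.com 100"])

def parse_log(text):
    """Parse log lines into (timestamp, host, domain, bytes_out) tuples."""
    events = []
    for line in text.splitlines():
        ts, host, domain, nbytes = line.split()
        events.append((int(ts), host, domain, int(nbytes)))
    return events

def find_beacons(events, min_hits=8, max_jitter=0.2, min_upload=50_000):
    """Return {(host, domain): stats} for pairs that look like beaconing.
    Jitter = stdev / mean of the gaps between contacts; a fixed-interval
    beacon scores well below 0.2, while human browsing scores far above.
    """
    by_pair = defaultdict(list)
    for ts, host, domain, nbytes in events:
        if domain in WATCHED_DOMAINS:
            by_pair[(host, domain)].append((ts, nbytes))
    hits = {}
    for pair, rows in by_pair.items():
        if len(rows) < min_hits:
            continue
        rows.sort()
        gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap else 1.0
        upload = sum(n for _, n in rows)
        if jitter <= max_jitter and upload >= min_upload:
            hits[pair] = {"count": len(rows), "mean_gap": round(mean_gap, 1),
                          "jitter": round(jitter, 3), "bytes_out": upload}
    return hits
```

On the constructed sample only the WS01 to onedrive.live.com pair is flagged; WS02's irregular Dropbox use falls below the minimum hit count and WS03 never touches a watched domain.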
How MOXFIVE Can Help
MOXGUARD: Strategic advisory including AD/identity assessments, CVE alerting prioritized to active ransomware exploitation, guidance on segmentation and backup hardening, tabletop exercises with response playbooks, and pre-positioned incident response.
Professional Services: Control validation through EDR coverage assessments, purple team exercises, network segmentation reviews, backup immutability and restoration testing, external attack surface reduction, and SIEM/XDR detection engineering.
Our team has handled hundreds of ransomware cases against Qilin, Akira, Play, and other active operations, aligning preventive, detective, and recovery controls to current threat actor TTPs. Contact us at 833-568-6695 or incident@moxfive.com.