Hello and welcome to the Wednesday, February 18th, 2026
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich, recording today from
Jacksonville, Florida. And this episode is brought to you
by the SANS.edu graduate certificate program in
incident response. Just a quick note for those of you
who are watching this on YouTube: sorry, no camera
today, having some little technical issues. Today's
diary is coming from Xavier again. He's on a roll lately,
and this latest one is a little bit of a different
phishing campaign. One of the goals of phishing campaigns is
always to create some urgency to make you do something
quickly because, well, there is some kind of emergency and
what they're doing here is essentially pretending that
there was an incident, some odd login to your crypto
wallet that would cause you to now implement two-factor
authentication. Not sure if they just assume that you
didn't do it or if they think that you may ignore it if you
already have two-factor authentication enabled. This
particular phishing email did affect MetaMask users. No
indication here that MetaMask is at all involved in this. So
this is not a MetaMask breach or anything like this. They're
just sending this to random people on the internet hoping
that they will get some actual MetaMask users that will then
fall for this phishing email. And as usual, cryptocurrency
wallets are still one of the top targets of these kind of
phishing emails. And the Android ecosystem continues to
be haunted by devices that come preinstalled with
malicious firmware. Kaspersky has the latest documented
incident of this. They call it the Kinado Big Door, and
apparently it was preinstalled on these affected devices and
was added during the build phase for the firmware. Now,
we have seen sort of various picture frames and such with
compromised firmware in the past. And what often happens
is that systems on the production lines or so are
getting infected and then being used to install these
malicious backdoors. The takedown here of this backdoor,
I should rather say the reverse analysis of it, is
rather neat. So real good work here by Kaspersky, helping us
understand what the particular back door does and also how
they analyzed this malicious code. And then we have a new
vulnerability in Apache's NiFi data processing service. This
particular software, well, if you have seen it being
attacked before, that's why I mentioned it here. It's one of
those data processing pipelines. It's written in
Java and presents a nice web-based admin interface that
allows you to, sort of, you know,
add different components to extract data and then send it
out in a standard format. So often used for things like
machine learning or such in order to pre-prepare various
data sets and such to be easily imported in your
particular machine learning pipeline. Well, the problem
here is that even if you did require permissions for
particular components that you sort of have configured, that
may be bypassed, and this restricted annotation that
indicates that additional privileges are required may
be ignored. So, as I mentioned before with NiFi, it's not
really one of those systems that you really want to expose
to the internet. Where I do see it exposed to the internet
is where you have data scientists and such that set
it up on a cloud server without necessarily
understanding the security implications of doing so. So
definitely one of those things you want to get a handle on
and if possible catalog these installs. And Palo Alto's Unit
42 came up with an interesting abuse case for large language
models. The trick here is that you're actually using
the large language model to create phishing pages. The way
this works is that the victim is basically being tricked
into sending a prompt to the large language model that will
then return the JavaScript that is then being used to
create the phishing page. The reason this is interesting is that,
first of all, the malicious JavaScript is now coming from
an overall trusted site that basically is often whitelisted
and, as such, you know, not filtered and inspected that
carefully. And secondly, the user also doesn't
necessarily get sort of the usual warning messages that
would accompany any phishing message and phishing webpage
like that. So a pretty interesting trick. It's
currently not used in the wild. This is really sort of
just some threat research, but they do show a proof of
concept of how this could happen and how this could be
implemented. So probably not too long before we see
something like this in the wild. And, as so often, you must
sort of put some controls around data being sent to and
from these large language models if it's not for
phishing at least for things like data exfiltration that
often happens accidentally with those sites. And then we
have an interesting update from Apple for its next
release of iOS and iPadOS. Apple just released iOS and
iPadOS 26.3 and now released public betas for 26.4.
26.4 introduces end-to-end encryption for RCS. RCS is,
well, supposed to replace SMS at one point, and essentially
fixes some of the security problems that we had with SMS.
SMS was in the clear, not authenticated, so not really
suitable for anything of any security relevance. Well, with
RCS some of these issues are supposed to be fixed but this
depends on vendors actually implementing these features in
their operating systems. Apple has initially been a little
bit slow in sort of jumping on the RCS bandwagon here. But
they are supporting it currently, however only some of
the basic features, like markup and other, sort of, more look
and feel features of RCS. With this addition of end-to-end
encryption, there's a good chance that in the next
version of iOS/iPadOS, which will probably come out in a
month or so, we will see some of these more advanced security
features show up in iOS/iPadOS as well. And of course, in
order to actually use these features sort of in your
applications you probably want at least iOS and Android
support to get a good coverage for most of your users
devices. Well, and this is it for today, so thanks again for
listening. Sorry again for no camera today, and hopefully
I'll have it fixed tomorrow. So talk to you again tomorrow.
Bye.