// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of February 9, 2026
Signal Brief · Archived

Week of February 9, 2026

2026-02-09 — 2026-02-15 · 6 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of February 9, 2026, ColdRecon logged 6 public endpoint-security events from open-source reporting — 2 incidents, 2 research pocs, 2 vuln disclosures. Vendors in the record this week: CrowdStrike, Palo Alto Networks, Sophos.

The Week's Public Record

Events

2026-02-10
incident
Reynolds Ransomware Embeds Vulnerable Driver to Kill EDR Before EncryptionReynolds ransomware
Broadcom researchers disclosed Reynolds ransomware in February 2026, which embeds the vulnerable NsecSoft NSecKrnl driver (CVE-2025-68947) directly into its payload to terminate endpoint security processes before encrypting files. This single-binary approach eliminates the detection gap of traditional BYOVD attacks, making it harder for defenders to spot. The ransomware targets major EDR products including CrowdStrike Falcon, Cortex XDR, and others.
CrowdStrike · Palo Alto Networks · Sophos · Symantec · Avast ↗ www.gblock.app (2026-02-17) ↗ realhacker.news (2026-02-10)
2026-02-10
research poc
BusterCall: HVCI Bypass via PFN Swapping to Modify Read-Only Kernel Code PagesBusterCall
BusterCall is a proof-of-concept tool demonstrating a technique to bypass Windows Hypervisor-protected Code Integrity (HVCI) by manipulating Page Frame Numbers (PFNs) in page table entries. It enables arbitrary kernel function calls from user mode on HVCI-enabled systems by hijacking the System Service Descriptor Table (SSDT) through PFN swapping. The technique exploits the fact that HVCI validates page attributes rather than physical content, allowing an attacker to redirect a read-only code page to a modified copy on a writable donor page.
2026-02-10
incident
AI-Generated Malware Exploits React2Shell in Darktrace HoneypotCVE-2025-55182
Darktrace observed an AI/LLM-generated malware sample exploiting CVE-2025-55182 (React2Shell) in its Cloudypots honeypot. The script, likely created via jailbroken LLM, deployed a XMRig cryptominer after achieving remote code execution. This incident demonstrates how AI-assisted development lowers the barrier for attackers to create functional exploits.
2026-02-09
vuln disclosure
Zombie ZIP (CVE-2026-0866) Archive Header Manipulation Bypasses Security ScannersCVE-2026-0866
A technique called Zombie ZIP exploits a structural inconsistency in ZIP archives by setting the compression method to 'stored' while the payload remains DEFLATE-compressed, causing most security scanners to read high-entropy data and miss malicious content. Tracked as CVE-2026-0866 and CERT/CC VU#976247, it bypasses 98% of anti-malware engines and is actively exploited in ransomware and RAT campaigns.
2026-02-09
research poc
Claude Code Found 500 Zero-Days in Open-Source SoftwareLLM-discovered zero-days
Anthropic's Claude Code discovered over 500 zero-day vulnerabilities in popular open-source projects during automated security testing. The findings highlight the growing capability of LLMs to identify novel security flaws at scale, raising concerns about patch prioritization and the potential for malicious use.
2026-02-09
vuln disclosure
Harden-Runner CI/CD Security Agent Audit Logging Bypass via Socket CallsCVE-2026-25598
A vulnerability in Harden-Runner (Community Tier) prior to version 2.14.2 allows outbound network connections to evade audit logging. The issue affects the egress-policy: audit mode, where traffic using sendto, sendmsg, and sendmmsg socket calls is not detected or logged. This could allow malicious outbound connections to go unnoticed in CI/CD pipelines.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →