Single Threat Actor Dominates Ivanti Exploitation Campaign; 300+ Malicious Chrome Extensions Expose Millions to Data Theft
Critical Infrastructure Intelligence Briefing
Week of February 8-15, 2026 | Published: Sunday, February 15, 2026
1. EXECUTIVE SUMMARY
⚠️ Priority Intelligence Items
- Active Exploitation Alert: A single sophisticated threat actor is responsible for 83% of active exploitation targeting critical Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities. Organizations using Ivanti EPMM should treat this as an immediate priority.
- Supply Chain/Browser Security: Over 300 malicious Chrome extensions with 37+ million combined downloads have been identified stealing user data and enabling tracking—representing significant risk to enterprise environments and critical infrastructure operators.
- BeyondTrust Exploitation: Critical vulnerability in BeyondTrust Remote Support (RS) is under active exploitation, posing direct risk to organizations using this privileged access management solution.
- Novel Attack Vector: Physical mail-based social engineering campaign targeting cryptocurrency hardware wallet users demonstrates threat actor innovation in bypassing digital security controls.
Key Developments This Week
- Cyber Threats: Concentrated exploitation activity against enterprise mobility and privileged access management solutions indicates threat actors are prioritizing high-value targets with broad network access.
- Attack Surface Expansion: Browser extension compromise at scale represents an underappreciated attack vector affecting both enterprise and personal devices across all sectors.
- Social Engineering Evolution: The emergence of physical mail-based phishing campaigns signals threat actors are adapting to improved digital security awareness by exploiting physical trust channels.
- Cross-Sector Impact: Ivanti EPMM and BeyondTrust RS are widely deployed across critical infrastructure sectors including healthcare, energy, and government—active exploitation campaigns have potential for cascading impacts.
2. THREAT LANDSCAPE
Active Exploitation Campaigns
Ivanti EPMM Exploitation (CRITICAL)
Source: Bleeping Computer | February 14, 2026
- Threat Actor Profile: A single, highly capable threat actor is responsible for approximately 83% of observed exploitation attempts against Ivanti Endpoint Manager Mobile (EPMM).
- Targeted Vulnerabilities: Two critical remote code execution (RCE) vulnerabilities are being actively exploited.
- Significance: The concentration of activity suggests a well-resourced actor with specific targeting objectives, potentially a nation-state-affiliated group or a sophisticated cybercriminal operation.
- Affected Sectors: EPMM is widely deployed in healthcare, government, financial services, and enterprise environments for mobile device management.
- Assessment: The focused nature of this campaign suggests the threat actor may be pursuing specific high-value targets rather than opportunistic exploitation. Critical infrastructure operators should assume they may be targeted.
BeyondTrust Remote Support Vulnerability (CRITICAL)
Source: CSO Online | February 13, 2026
- Status: Critical vulnerability in BeyondTrust Remote Support (RS) is under active exploitation in the wild.
- Impact: BeyondTrust RS is used for privileged remote access and support—compromise could provide attackers with elevated access to critical systems.
- Risk Context: Privileged access management tools are high-value targets as they often provide pathways to the most sensitive systems and data.
- Recommended Action: Organizations should immediately verify patch status and review access logs for indicators of compromise.
Supply Chain & Browser Security Threats
Malicious Chrome Extension Campaign (HIGH)
Source: SecurityWeek | February 14, 2026
- Scale: Over 300 malicious Chrome extensions identified with more than 37 million combined downloads.
- Capabilities: Extensions are designed to leak user data, enable tracking, and steal personal information.
- Enterprise Risk: Browser extensions often operate with elevated permissions and can access sensitive data across all websites visited, including internal applications and authentication portals.
- Detection Challenge: Many of these extensions may appear legitimate and provide functional features while conducting malicious activity in the background.
- Critical Infrastructure Implications: Operators accessing SCADA interfaces, industrial control systems, or sensitive operational technology through web browsers may be at particular risk.
Novel Attack Vectors
Physical Mail Social Engineering Campaign
Source: Bleeping Computer | February 14, 2026
- Attack Method: Threat actors are sending physical letters impersonating Trezor and Ledger (cryptocurrency hardware wallet manufacturers) to trick users into revealing recovery phrases.
- Significance: This represents an evolution in social engineering tactics, exploiting the perceived trustworthiness of physical mail versus digital communications.
- Broader Implications: This technique could be adapted to target critical infrastructure personnel with physical correspondence impersonating vendors, regulators, or partner organizations.
- Defensive Consideration: Security awareness training should be updated to address physical mail-based social engineering, particularly for personnel with access to sensitive systems or credentials.
3. SECTOR-SPECIFIC ANALYSIS
🔌 Energy Sector
- Ivanti EPMM Risk: Energy utilities utilizing Ivanti EPMM for mobile workforce management should prioritize patching and threat hunting given the concentrated exploitation campaign.
- BeyondTrust Exposure: Remote support tools are commonly used in energy sector operations for vendor access and remote troubleshooting—active exploitation of BeyondTrust RS warrants immediate review.
- Browser Extension Risk: Field technicians and control room operators using Chrome browsers may be exposed to malicious extensions; consider browser extension whitelisting policies.
💧 Water & Wastewater Systems
- Remote Access Concerns: Water utilities often rely on remote access solutions for distributed facility management—the BeyondTrust vulnerability is particularly relevant.
- Resource Constraints: Smaller water utilities may lack resources for rapid vulnerability response; sector-specific ISACs should prioritize outreach and support.
- Recommended Action: Review all remote access solutions and ensure multi-factor authentication is enforced for all privileged access.
📡 Communications & Information Technology
- Browser Security: The malicious Chrome extension campaign represents a significant threat to IT environments; enterprise browser management and extension controls are essential.
- Supply Chain Implications: IT service providers using affected tools (Ivanti, BeyondTrust) may serve as vectors to downstream critical infrastructure clients.
- Managed Service Provider Risk: MSPs should conduct immediate assessments of their exposure to actively exploited vulnerabilities.
🚆 Transportation Systems
- Mobile Device Management: Transportation agencies with mobile workforces (maintenance crews, inspectors, operators) using Ivanti EPMM should prioritize vulnerability remediation.
- Operational Technology Considerations: Ensure network segmentation prevents any compromise of IT systems from reaching operational technology controlling transportation infrastructure.
🏥 Healthcare & Public Health
- High-Priority Sector: Healthcare organizations are frequent targets and commonly deploy both Ivanti EPMM (for clinical mobility) and BeyondTrust (for vendor access management).
- Patient Safety Implications: Compromise of mobile device management or privileged access systems could impact clinical operations and patient care.
- Regulatory Considerations: Active exploitation of these vulnerabilities may trigger HIPAA breach notification requirements if patient data is accessed.
💰 Financial Services
- Cryptocurrency Targeting: The physical mail phishing campaign targeting hardware wallet users indicates continued threat actor focus on cryptocurrency theft.
- Privileged Access Risk: Financial institutions heavily rely on privileged access management solutions; BeyondTrust exploitation is a significant concern.
- Browser Extension Threat: Financial services employees accessing sensitive systems through browsers may be at risk from malicious extensions.
4. VULNERABILITY & MITIGATION UPDATES
Critical Vulnerabilities Requiring Immediate Action
| Product | Severity | Status | Action Required |
|---|---|---|---|
| Ivanti EPMM | Critical (RCE) | Active Exploitation | Patch immediately; conduct threat hunting |
| BeyondTrust RS | Critical | Active Exploitation | Patch immediately; review access logs |
| Chrome Extensions | High | Active Threat | Audit installed extensions; implement controls |
Recommended Defensive Measures
Immediate Actions (24-48 Hours)
- Ivanti EPMM: Apply all available patches; if patching is not immediately possible, consider taking systems offline or implementing strict network segmentation.
- BeyondTrust RS: Verify patch status; review authentication logs for anomalous access patterns; ensure MFA is enforced.
- Browser Extensions: Conduct enterprise-wide audit of installed Chrome extensions; remove any unauthorized or suspicious extensions; implement extension whitelisting where possible.
- Threat Hunting: Search for indicators of compromise associated with Ivanti and BeyondTrust exploitation in network and endpoint logs.
Near-Term Actions (1-2 Weeks)
- Browser Security Policy: Implement or strengthen browser extension management policies; consider enterprise browser solutions with centralized control.
- Privileged Access Review: Audit all privileged access management solutions and remote access tools for security posture and patch status.
- Security Awareness: Update training materials to address physical mail-based social engineering tactics.
- Vendor Communication: Contact vendors of critical systems to confirm their exposure to actively exploited vulnerabilities.
5. RESILIENCE & CONTINUITY PLANNING
Lessons from Current Threat Activity
- Concentrated Threat Actor Activity: The finding that a single actor is responsible for 83% of Ivanti exploitation underscores that sophisticated threat actors often conduct focused campaigns. Organizations should not assume they are too small or insignificant to be targeted.
- Browser as Attack Surface: The scale of the malicious extension campaign (37M+ downloads) demonstrates that browsers represent a significant and often underprotected attack surface in enterprise environments.
- Physical-Digital Convergence: The physical mail phishing campaign illustrates that threat actors will exploit any available channel—security programs must address both digital and physical vectors.
Supply Chain Security Considerations
- Vendor Risk Assessment: Organizations should verify that critical vendors and service providers are addressing the actively exploited vulnerabilities in Ivanti and BeyondTrust products.
- Third-Party Access Review: The BeyondTrust exploitation highlights risks associated with vendor remote access; review and restrict third-party access privileges.
- Software Bill of Materials: Consider requesting SBOMs from vendors to better understand exposure to vulnerabilities in underlying components.
Cross-Sector Dependencies
- IT Service Provider Risk: Many critical infrastructure sectors rely on managed service providers who may use affected products; compromise of MSPs can cascade to multiple downstream organizations.
- Shared Technology Platforms: Ivanti and BeyondTrust products are deployed across multiple critical infrastructure sectors, creating potential for simultaneous multi-sector impact.
6. REGULATORY & POLICY DEVELOPMENTS
Upcoming Policy Events
- NIST Supply Chain Workshop (March 9, 2026): NIST will host a session on "Building the Strategic Supply Chain Network" addressing vulnerabilities exposed by recent disruptions including pandemics, infrastructure failures, and changing trade policies. This event is relevant for organizations seeking to strengthen supply chain resilience. (Source: NIST)
- NIST IoT Cybersecurity Workshop (March 31, 2026): Workshop on emerging and future trends for IoT technologies and their cybersecurity implications. Relevant for critical infrastructure operators deploying IoT devices in operational environments. (Source: NIST)
Compliance Considerations
- Active Exploitation Response: Organizations subject to CISA directives should monitor for potential emergency directives related to the actively exploited Ivanti and BeyondTrust vulnerabilities.
- Incident Reporting: Critical infrastructure operators should review incident reporting obligations under CIRCIA and sector-specific regulations in the event of compromise.
7. TRAINING & RESOURCE SPOTLIGHT
Security Awareness Updates
Physical Mail Social Engineering
The emergence of physical mail-based phishing campaigns targeting cryptocurrency users presents an opportunity to update security awareness training:
- Remind personnel that legitimate vendors will never request sensitive credentials, recovery phrases, or passwords via mail.
- Establish verification procedures for any unexpected correspondence requesting sensitive actions.
- Report suspicious physical mail to security teams for analysis.
Browser Security Best Practices
- Extension Auditing: Regularly review installed browser extensions and remove those that are unnecessary or from unknown publishers.
- Principle of Least Privilege: Only grant extensions the minimum permissions required for their function.
- Enterprise Controls: Implement browser management solutions that allow centralized control over extension installation.
- Separate Browsing Environments: Consider using dedicated browsers or browser profiles for accessing sensitive systems.
Upcoming Speaking Engagement
Security expert Bruce Schneier will be speaking on "Integrity in a World of AI" at an upcoming event. Details available at Schneier on Security. (Source: Schneier on Security, February 14, 2026)
8. LOOKING AHEAD: UPCOMING EVENTS
March 2026
| Date | Event | Relevance |
|---|---|---|
| March 9, 2026 | NIST: Building the Strategic Supply Chain Network | Supply chain resilience for critical infrastructure |
| March 31, 2026 | NIST: Cybersecurity for IoT Workshop | IoT security trends and implications |
Threat Awareness Periods
- Presidents' Day Weekend (February 14-17, 2026): Holiday weekends historically see increased ransomware activity due to reduced staffing. Maintain heightened monitoring through the extended weekend.
- Ongoing: Active exploitation campaigns against Ivanti EPMM and BeyondTrust RS warrant sustained vigilance until patch adoption is widespread.
Anticipated Developments
- Potential CISA Advisory: Given the concentrated exploitation activity against Ivanti EPMM, a CISA advisory or emergency directive may be forthcoming.
- Browser Extension Remediation: Expect additional reporting on the malicious Chrome extension campaign as security researchers complete analysis and publish indicators of compromise.
Analyst Notes
Assessment Confidence: The intelligence in this briefing is derived from open-source reporting with moderate to high confidence. Active exploitation of Ivanti EPMM and BeyondTrust RS vulnerabilities is confirmed by multiple sources. The attribution of 83% of Ivanti exploitation to a single threat actor is based on threat intelligence observations and should be considered a preliminary assessment subject to revision as additional information becomes available.
Information Gaps: Specific indicators of compromise (IOCs) for the Ivanti and BeyondTrust exploitation campaigns were not available in source reporting. Organizations should monitor vendor advisories and threat intelligence feeds for updated IOCs.
Next Briefing: The next scheduled briefing will be published on Sunday, February 22, 2026, or earlier if significant developments warrant an interim update.
This briefing is derived from open-source intelligence and is intended for critical infrastructure owners, operators, and security professionals. Information should be verified through official channels before taking action.
This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.