Threat Intelligence Weekly (Feb 20–27, 2026): Air-Gapped Malware, Dormant Implants, and a Europol Crackdown
Threat intelligence is often framed as a race for indicators—hashes, domains, IPs—yet this week’s developments are a reminder that the real contest is about operational advantage. Between February 20 and February 27, 2026, three stories landed with a shared message: adversaries are optimizing for persistence and reach, while defenders are being pushed to coordinate faster and look deeper.
First, a nation-state actor is reportedly pushing past one of the oldest “hard boundaries” in security architecture: the air gap. North Korea-linked APT37 is described as using new malware that can infiltrate isolated environments by spreading through removable drives, enabling covert surveillance and data exfiltration from systems designed to be offline by design [1]. Second, CISA warned that the RESURGE implant—used in zero-day attacks exploiting CVE-2025-0282 against Ivanti Connect Secure—can remain dormant on compromised devices, turning a one-time breach into a long-lived foothold [3]. Third, Europol’s “Project Compass” culminated in 30 arrests tied to “The Com,” an online cybercrime collective targeting children and teenagers, with 179 suspects identified—an unusually concrete signal that international enforcement can disrupt cybercriminal ecosystems when coordination holds [2].
Taken together, these events sharpen the threat intelligence mandate: track not just what’s “active,” but what’s latent (dormant implants), what’s out-of-band (removable media paths), and what’s networked socially (collectives that recruit and coordinate online). This week matters because it compresses three different threat planes—espionage, exploitation, and organized cybercrime—into one operational lesson: assumptions about isolation, remediation, and deterrence are being stress-tested in real time.
APT37’s air-gapped breach path: removable media as the intelligence channel
BleepingComputer reports that North Korean state-sponsored group APT37 has developed new malware capable of infiltrating air-gapped networks, spreading via removable drives and enabling covert surveillance and data exfiltration from isolated systems [1]. The key intelligence value here isn’t merely “new malware exists,” but the reaffirmation that air-gapped environments remain contestable when humans and workflows bridge the gap.
From a threat intelligence perspective, removable media propagation changes what defenders must treat as “telemetry.” Traditional network-centric monitoring can be irrelevant inside an air-gapped enclave, and perimeter controls can’t see what never traverses the perimeter. The reported capability implies that the adversary’s operational design includes (1) a delivery mechanism that survives offline constraints and (2) a collection/exfiltration strategy that can function despite isolation—both of which raise the bar for detection and response in high-assurance environments [1].
Why it matters: air gaps are often used to protect sensitive industrial, government, or research systems precisely because they reduce exposure to remote exploitation. If malware can reliably traverse via removable drives, then the security model shifts from “prevent remote access” to “control and verify every physical and procedural bridge.” That is a threat intelligence problem as much as a security engineering one: defenders need to understand the adversary’s preferred bridging vectors, likely staging points, and the operational patterns that make removable media a viable conduit.
Real-world impact: organizations relying on isolation must treat removable media handling as a first-class attack surface. Intelligence teams should prioritize visibility into device usage policies, audit trails around removable drives, and any signs of covert surveillance or data staging consistent with an offline-to-online transfer workflow—because the “network” in this scenario is the human process itself [1].
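The detection angle above (the enclave's "network" is the human process, so the telemetry is the removable-media audit trail) can be made concrete. The following is an added example, not code from the article or from BleepingComputer: it parses a constructed device-control log and flags drives that are unapproved or that were mounted in both an isolated zone and a connected zone, which is exactly the offline-to-online bridge the article describes. The log format, zone labels, serials and allowlist are all assumptions of this example; real device-control products emit their own formats and field names.

```python
"""Flag removable drives that bridge an isolated enclave and a connected network.

Assumed (constructed) audit format, one event per line:
    <ISO-8601 time> host=<name> zone=<airgap|corp> action=<mount|unmount> serial=<drive id>
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail: not real telemetry.
SAMPLE_LOG = """\
2026-02-21T08:02:11Z host=hmi-07 zone=airgap action=mount serial=USB-APPROVED-001
2026-02-21T08:40:53Z host=hmi-07 zone=airgap action=unmount serial=USB-APPROVED-001
2026-02-21T09:15:02Z host=eng-ws-12 zone=corp action=mount serial=USB-APPROVED-001
2026-02-22T13:22:40Z host=hist-01 zone=airgap action=mount serial=USB-UNKNOWN-9F3A
2026-02-23T07:05:19Z host=eng-ws-03 zone=corp action=mount serial=USB-UNKNOWN-9F3A
2026-02-24T10:00:00Z host=hmi-02 zone=airgap action=mount serial=USB-APPROVED-002
"""

# Constructed allowlist of drive serials the enclave policy permits.
APPROVED_SERIALS = {"USB-APPROVED-001", "USB-APPROVED-002"}

REQUIRED_FIELDS = ("host", "zone", "action", "serial")


def parse_event(line):
    """Parse one audit line into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if not parts:
        return None
    try:
        event = {"time": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
        for kv in parts[1:]:
            key, value = kv.split("=", 1)
            event[key] = value
    except ValueError:
        return None
    if not all(k in event for k in REQUIRED_FIELDS):
        return None
    return event


def find_bridging_drives(log_text, approved=APPROVED_SERIALS):
    """Return findings keyed by drive serial.

    A drive is reported when it is not on the allowlist (the policy question
    'should this device be here at all?' is itself a signal) or when it was
    mounted in more than one zone, i.e. it physically bridged the enclave.
    """
    zones_by_serial = defaultdict(set)
    mounts_by_serial = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["action"] != "mount":
            continue
        zones_by_serial[ev["serial"]].add(ev["zone"])
        mounts_by_serial[ev["serial"]].append((ev["time"], ev["zone"], ev["host"]))

    findings = {}
    for serial, zones in zones_by_serial.items():
        reasons = []
        if serial not in approved:
            reasons.append("unapproved device")
        if len(zones) > 1:
            reasons.append("bridges zones " + "+".join(sorted(zones)))
        if reasons:
            # The ordered mount path is what an analyst needs to reconstruct
            # the staging workflow the article warns about.
            findings[serial] = {"reasons": reasons, "path": sorted(mounts_by_serial[serial])}
    return findings


if __name__ == "__main__":
    for serial, info in find_bridging_drives(SAMPLE_LOG).items():
        print(serial, "->", "; ".join(info["reasons"]))
        for when, zone, host in info["path"]:
            print("   ", when.isoformat(), zone, host)
```

On the constructed log this reports two drives: the approved serial that moved from the enclave to a corporate workstation, and the unknown serial that did the same. The approved drive is the more instructive case, because an allowlist alone would have passed it; only correlating mounts across zones exposes the bridge.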
CISA on RESURGE: dormant implants turn patching into only step one
CISA warned that RESURGE, a malicious implant used in zero-day attacks exploiting CVE-2025-0282 to breach Ivanti Connect Secure devices, can remain dormant on compromised systems [3]. The intelligence signal is clear: even after organizations believe they have “handled” an incident—by patching or restoring service—an implant that can lie dormant undermines confidence in closure.
Dormancy is a strategic feature. It allows an attacker to reduce noise, evade short-term incident response sweeps, and re-activate when defenders have moved on. For threat intelligence teams, this shifts the focus from point-in-time compromise assessment to lifecycle tracking: when was the device exposed, when was it patched, and what evidence exists that the implant was removed rather than merely quiet?
Why it matters: Ivanti Connect Secure sits in a sensitive position in many environments, often acting as a gateway into internal resources. An implant on such a device can become a durable access mechanism. CISA’s warning that RESURGE can remain dormant means defenders must assume that “no current indicators” does not equal “no compromise,” especially when the initial access involved a zero-day exploitation path [3].
Real-world impact: organizations are urged to apply patches and monitor for signs of intrusion [3]. In practice, threat intelligence should drive a more conservative posture: treat affected device classes as potentially compromised until proven otherwise, and align monitoring to the possibility of delayed activation. The operational takeaway is that remediation must include verification—evidence-based assurance that the implant is not present—rather than relying on patch status alone.
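The lifecycle questions above (when was the device exposed, when was it patched, what evidence shows the implant is gone rather than quiet) can be encoded as a small assessment rule. This is an added example, not code from the article or from CISA: it walks a constructed fleet of edge devices and refuses to call any of them clean on patch status alone, requiring integrity evidence that postdates the patch and is recent enough to cover delayed activation. Device names, dates and the shape of the verification records are assumptions of this example; the evidence source (some integrity-check report) is deliberately left generic rather than tied to a specific vendor tool.

```python
"""Remediation-lifecycle check for edge devices where an implant may lie dormant.

Rule encoded: a device is 'verified' only when a clean integrity check was run
after the patch and recently enough that a dormant implant waking up later
would have been caught. Everything else stays in a conservative state.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Device:
    name: str
    exposed_since: date                      # first date it was reachable while vulnerable
    patched_on: Optional[date] = None
    # (date, clean) pairs from integrity verification; clean == True means no indicators
    verifications: List[Tuple[date, bool]] = field(default_factory=list)


def assess(device, today, max_evidence_age_days=30):
    """Return (status, reason) for one device."""
    if device.patched_on is None:
        days = (today - device.exposed_since).days
        return "assume_compromised", f"unpatched, exposed {days} days"

    # A check run before patching says nothing about whether the implant survived
    # the patch, so only post-patch evidence counts.
    post_patch = [v for v in device.verifications if v[0] >= device.patched_on]
    if not post_patch:
        return "assume_compromised", "patched but no post-patch verification"

    latest_date, clean = max(post_patch, key=lambda v: v[0])
    if not clean:
        return "compromised", f"post-patch check on {latest_date} found indicators"

    # Dormancy means a single clean check has a shelf life: re-verify on a cadence.
    age = (today - latest_date).days
    if age > max_evidence_age_days:
        return "reverify", f"last clean evidence is {age} days old"
    return "verified", f"clean integrity evidence on {latest_date}"


def assess_fleet(fleet, today):
    """Map device name -> (status, reason) for the whole fleet."""
    return {d.name: assess(d, today) for d in fleet}


# Constructed fleet and dates (not real devices or incident timelines).
TODAY = date(2026, 2, 27)
FLEET = [
    Device("vpn-gw-1", date(2025, 1, 8)),                                    # never patched
    Device("vpn-gw-2", date(2025, 1, 8), date(2025, 1, 15),
           [(date(2025, 1, 10), True)]),                                     # checked only before patch
    Device("vpn-gw-3", date(2025, 1, 8), date(2025, 1, 15),
           [(date(2025, 1, 20), False)]),                                    # post-patch check found indicators
    Device("vpn-gw-4", date(2025, 1, 8), date(2025, 1, 15),
           [(date(2025, 1, 20), True)]),                                     # clean once, long ago
    Device("vpn-gw-5", date(2025, 1, 8), date(2025, 1, 15),
           [(date(2025, 1, 20), True), (date(2026, 2, 20), True)]),         # clean and recent
]

if __name__ == "__main__":
    for name, (status, reason) in assess_fleet(FLEET, TODAY).items():
        print(f"{name:10} {status:20} {reason}")
```

Note that only one of the five constructed devices ends up "verified": the patched-but-unverified and the stale-evidence cases both stay in a state that demands action, which is the posture the article argues for.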
Project Compass and “The Com”: enforcement as threat intelligence feedback
A Europol-led operation called “Project Compass” resulted in 30 arrests linked to “The Com,” described as an online cybercrime collective targeting children and teenagers [2]. Authorities identified 179 suspects connected to various cybercriminal activities [2]. While this is a law enforcement story, it is also a threat intelligence story because it provides rare, measurable disruption outcomes and a map of adversary social structure.
Why it matters: cybercrime collectives are not just technical entities; they are communities with recruitment, reputation, and coordination mechanisms. When an operation identifies a large suspect pool and executes arrests, it can fragment networks, change tactics, and trigger migration to new platforms or methods. For defenders, this kind of disruption can temporarily reduce certain threats—but it can also create volatility as displaced actors regroup.
Expert take (grounded in the reported facts): the scale—30 arrests and 179 suspects—highlights the effectiveness of international collaboration in combating cyber threats [2]. That collaboration is itself an intelligence multiplier: cross-border coordination can connect disparate investigations, correlate identities, and accelerate action against distributed groups.
Real-world impact: organizations and platforms that serve young users should treat this as a reminder that threat intelligence must include human harm dimensions, not only financial fraud or enterprise intrusion. The reported targeting of children and teenagers underscores that cyber defense priorities can’t be limited to corporate assets; they must also account for user safety and abuse-driven cybercrime ecosystems [2].
Analysis & Implications: three threat planes, one intelligence mandate—assume persistence, assume bridges, coordinate faster
This week’s stories align around a single operational theme: adversaries are designing for durability and reach, and defenders must respond with intelligence that is both broader in scope and more rigorous in validation.
APT37’s reported air-gapped infiltration via removable drives demonstrates that “offline” is not synonymous with “unreachable” when workflows allow data to move physically [1]. The intelligence implication is that defenders must model non-network pathways as part of the threat surface. That means collecting and analyzing signals from policy compliance, device control, and procedural choke points—not just packet captures and endpoint alerts.
CISA’s warning about RESURGE’s dormancy on Ivanti devices reinforces a second theme: persistence can be temporal, not just technical [3]. Dormant implants exploit the defender’s tendency to time-box investigations and declare victory after patching. Threat intelligence programs should therefore treat vulnerability exploitation events as the start of a longer verification cycle, emphasizing post-remediation monitoring and evidence of eradication rather than assuming patching ends the story.
Project Compass adds a third plane: adversaries are organized socially, and disruption can come from coordinated enforcement—not only from technical controls [2]. For threat intelligence, this is feedback: when international operations succeed, defenders should anticipate ecosystem shifts. Even without speculating on specific next moves, it is reasonable—based on the nature of collective disruption—to expect changes in how groups communicate and operate, which can affect what indicators and behaviors defenders see.
Across all three, the practical mandate is to integrate intelligence across boundaries: physical (removable media), temporal (dormancy), and jurisdictional (international enforcement). The organizations that fare best will be those that treat threat intelligence as an operational discipline—one that informs controls, verification, and coordination—rather than a feed of artifacts. This week’s lesson is not that threats are “getting worse” in the abstract; it’s that the attacker’s playbook is explicitly built to outlast short detection windows, bypass assumed barriers, and leverage community scale. Defenders must respond with equally durable, cross-domain intelligence practices grounded in verification and collaboration.
Conclusion
February 20–27, 2026 delivered a compact but consequential snapshot of modern threat intelligence realities. APT37’s reported ability to breach air-gapped networks via removable drives challenges the comfort of isolation-based security assumptions [1]. CISA’s alert that RESURGE can remain dormant on Ivanti Connect Secure devices reframes patching as necessary but insufficient, pushing defenders toward longer verification horizons [3]. And Europol’s Project Compass shows that coordinated enforcement can meaningfully disrupt cybercrime collectives, with concrete outcomes like arrests and suspect identification [2].
The connective tissue is persistence—whether it’s malware that crosses physical boundaries, implants that wait out defenders, or communities that scale criminal capability. The takeaway for security leaders is to treat threat intelligence as a system of record for how adversaries operate over time and across channels, not just what they used in a single incident. This week’s developments argue for intelligence programs that can see beyond the network, beyond the patch cycle, and beyond a single organization’s perimeter—because that’s where the adversary is already operating.
References
[1] APT37 hackers use new malware to breach air-gapped networks — BleepingComputer, February 27, 2026, https://www.bleepingcomputer.com/news/security/?utm_source=openai
[2] Europol-led crackdown on The Com hackers leads to 30 arrests — BleepingComputer, February 27, 2026, https://www.bleepingcomputer.com/news/security/?utm_source=openai
[3] CISA warns that RESURGE malware can be dormant on Ivanti devices — BleepingComputer, February 27, 2026, https://www.bleepingcomputer.com/news/security/?utm_source=openai