
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS Stormcast Thursday, February 19th, 2026: Malware Image Reuse; Dell RecoverPoint; Admin Center Vuln; DNS-PERSIST-01
Feb 19, 2026
They discuss tracking malware campaigns by spotting reused image assets across samples. They cover active exploitation of a Dell RecoverPoint zero-day and its fallout. A recent Windows Admin Center privilege elevation fix gets attention. The new DNS-PERSIST-01 validation model and its implications for certificate lifetimes and automation are explained.
Wallpaper Image Ties Malware Samples
- Xavier found malware using an MSI wallpaper image as payload carrier, showing reuse of benign media across samples.
- Johannes Ullrich notes hundreds of VirusTotal submissions contained the same image, linking multiple campaigns to a single actor.
Benign Assets As Linkage Signals
- Reused benign assets like wallpapers can act as weak but useful linkage signals between samples and actors.
- Such artifacts should not be sole indicators but can prioritize deeper analysis of related submissions.
Check And Patch Dell RecoverPoint Carefully
- If you run Dell RecoverPoint for Virtual Machines, investigate and patch immediately and check for compromise before moving on.
- Look for Tomcat web shells, added network interfaces, iptables rules, and lateral-movement artifacts as Google observed.
