Splunk Security Content for Threat Detection & Response: February Recap
In February, the Splunk Threat Research Team (STRT) shipped two releases of new security content via the Enterprise Security Content Update (ESCU) app (v5.21 and v5.22). Across these two releases, 9 new analytic stories and 14 new analytics are now available in Splunk Enterprise Security via the ESCU application update process.
Content Highlights Include:
- New Finding-Based Detections (Enterprise Security version 8.4+): This new analytic type automatically groups and correlates high volumes of related findings and intermediate findings at the entity level.
- GNU Telnetd CVE-2026-24061 Authentication Bypass: A new analytic story covering CVE-2026-24061, a critical authentication bypass vulnerability in GNU InetUtils telnetd that allows unauthenticated attackers to establish a Telnet session as root. This flaw abuses an unsanitized, attacker-controlled USER environment variable passed to the login process, enabling direct privilege escalation without valid credentials.
- Windows Chromium Browser Hijacking Enhancements: Introduced expanded browser hijacking coverage with new endpoint detections targeting suspicious Chromium-based browser execution patterns on Windows. Added analytics to identify browsers launched with abnormally small window sizes, disabled popup blocking, disabled logging, suppressed extensions, and headless execution—behaviors commonly associated with ad fraud, credential harvesting, session hijacking, and stealthy user interaction abuse.
- Expanded Threat Actor and Malware Coverage (VoidLink, Storm-0501, StealC): The STRT added comprehensive coverage for VoidLink, a cloud-native Linux malware framework that combines a modular C2 architecture, rootkit functionality, and advanced evasion techniques to target containerized and cloud environments. Additionally, enhanced analytic stories and tagging for Storm-0501 ransomware activity and the StealC stealer improve visibility into ransomware execution chains, credential theft, downloader behavior, and post-compromise persistence across Windows and Linux environments.
- Suspicious MCP Activities: A new analytic story focused on detecting abuse of authorized Model Context Protocol (MCP) server deployments, where legitimate AI tool integrations (filesystem, database, API, and cloud operations) may be weaponized for data exfiltration, privilege escalation, lateral movement, or persistence. This release includes a new MCP Technology Add-on (TA) for parsing MCP server telemetry and adds detections such as MCP Sensitive System File Search, MCP Prompt Injection, MCP Postgres Suspicious Query, MCP GitHub Suspicious Operation, and MCP Filesystem Server Suspicious Extension Write, providing visibility into malicious tool invocation patterns, abnormal data access, and AI-driven attack chains leveraging trusted automation infrastructure. Check out When AI Tools Turn Against You: Operationalizing MCP Server Security with the Splunk MCP TA to learn more!
- XML Runner Loader: This analytic story identifies activity associated with an XML runner loader that leverages Microsoft Management Console (MSC) files to execute a malicious payload on a targeted host. The loader abuses legitimate Windows utilities to parse XML content and invoke embedded commands, allowing execution without dropping a traditional executable.
- DynoWiper and ZOVWiper (Sandworm Destructive Operations): Expanded coverage for the destructive malware families DynoWiper and ZOVWiper, attributed to the Russia-aligned threat group Sandworm, by tagging existing endpoint analytics aligned to their file-overwrite, drive enumeration, and system reboot behaviors. These wipers target critical infrastructure and financial sectors, systematically overwriting data across fixed and removable drives while selectively skipping system directories to maximize operational impact.
- SolarWinds Web Help Desk RCE (CVE-2025-26399) Post-Exploitation: Enhanced visibility into post-exploitation activity following SolarWinds WHD remote code execution, focusing on suspicious process spawning, privilege escalation, lateral movement, persistence mechanisms, and outbound command-and-control behavior originating from compromised Web Help Desk services.
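To make the browser-flag signals from the Chromium hijacking story concrete, here is an added Python illustration (example code written for this recap, not ESCU content and not the STRT's search logic) that parses Chromium command lines from Sysmon-style process-creation events and lists the stealth indicators present: headless execution, an abnormally small window, and popup blocking, logging or extensions disabled. The browser process names, the 10-pixel "small window" threshold, the field names and the sample events are assumptions constructed for the example.

```python
"""Flag Chromium-family browser launches whose command-line switches match
the stealthy patterns discussed in the recap. Added illustration only: the
thresholds, field names and sample events are constructed, not ESCU content."""
import re

# Process names treated as Chromium-based browsers (assumed list; extend as needed).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe",
                  "opera.exe", "vivaldi.exe"}

# Matches "--switch" or "--switch=value"; a double-quoted value is captured whole.
FLAG_RE = re.compile(r'(?<!\S)--([A-Za-z0-9-]+)(?:=("[^"]*"|\S+))?')

# Switches that are a signal on their own, with the label we report for each.
SIGNAL_FLAGS = [
    ("disable-popup-blocking", "popup-blocking-disabled"),
    ("disable-logging", "logging-disabled"),
    ("disable-extensions", "extensions-disabled"),
]


def parse_flags(cmdline):
    """Return {switch_name: value_or_empty_string} for every --switch present."""
    return {name.lower(): value.strip('"') for name, value in FLAG_RE.findall(cmdline)}


def suspicious_signals(image, cmdline, min_dim=10):
    """List the stealth indicators present in one process-creation event.

    min_dim is a constructed threshold: a window whose width or height is at
    most this many pixels counts as 'abnormally small'. Non-browser images
    return an empty list so the check can run over all process events."""
    exe = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in BROWSER_IMAGES:
        return []
    flags = parse_flags(cmdline)
    signals = []
    if "headless" in flags:  # covers both bare --headless and --headless=new
        signals.append("headless")
    size = flags.get("window-size", "")
    m = re.fullmatch(r"\s*(\d+)\s*,\s*(\d+)\s*", size)
    if m and min(int(m.group(1)), int(m.group(2))) <= min_dim:
        signals.append(f"tiny-window:{m.group(1)}x{m.group(2)}")
    for flag, label in SIGNAL_FLAGS:
        if flag in flags:
            signals.append(label)
    return signals


def triage(events):
    """Run the check over Sysmon-style events (Image, CommandLine); keep only hits."""
    return {i: s for i, e in enumerate(events)
            if (s := suspicious_signals(e["Image"], e["CommandLine"]))}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                    r"--headless=new --disable-extensions --window-size=1,1 "
                    r"--disable-gpu http://ads.example.test/landing"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                    r"--profile-directory=Default"},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                    r"--disable-popup-blocking --disable-logging "
                    r"--app=http://intranet.example.test/login"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe --headless"},  # not a browser: ignored
]

if __name__ == "__main__":
    for idx, sig in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["Image"], sig)
```

In Splunk the same logic runs as a search over the Endpoint.Processes data model; the Python is here to show the parsing details that make the detection reliable: switch values may be quoted, `--headless` appears both bare and as `--headless=new`, and a window size should only fire when a dimension is genuinely tiny rather than merely non-default.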
For all our tools and security content, please visit research.splunk.com.
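As an added illustration of what MCP server telemetry gives a detection engineer to work with (example code written for this recap, not the MCP TA and not the ESCU searches): every MCP tool invocation is a JSON-RPC 2.0 `tools/call` request carrying a tool name and an `arguments` object, so the three filesystem and database detections named above reduce to inspecting those arguments. The Python below applies simplified versions of MCP Sensitive System File Search, MCP Filesystem Server Suspicious Extension Write and MCP Postgres Suspicious Query to constructed JSON-lines telemetry. The tool names follow the MCP reference filesystem and Postgres servers; the sensitive-path, extension and SQL-pattern lists are assumptions, and prompt-injection and GitHub-operation detection are not covered here.

```python
"""Classify MCP tools/call requests (JSON-RPC 2.0, one object per line) with
simplified versions of three detections from the Suspicious MCP Activities
story. Added illustration: rule lists are assumptions, not ESCU logic."""
import json
import posixpath
import re

# Tool names as used by the MCP reference filesystem and Postgres servers (assumed).
READ_TOOLS = {"read_file", "read_multiple_files", "read_text_file",
              "search_files", "list_directory", "directory_tree"}
WRITE_TOOLS = {"write_file", "edit_file"}

# Paths and search patterns an AI agent should almost never touch (assumed list).
SENSITIVE_RE = re.compile(
    r"(?i)(/etc/(shadow|passwd|sudoers|gshadow)|\.ssh/|\bid_(rsa|ed25519|ecdsa)\b"
    r"|\.aws/credentials|\.kube/config|\.git-credentials|(^|/)\.env$"
    r"|/windows/system32/config/(sam|system|security))")
# Executable or scriptable file types: a filesystem server writing one is a red flag.
SUSPICIOUS_EXT = {".exe", ".dll", ".scr", ".ps1", ".bat", ".cmd", ".vbs",
                  ".js", ".hta", ".sh", ".so"}
# Postgres constructs that expose credentials or reach the host OS.
PG_SUSPICIOUS_RE = re.compile(
    r"(?i)(pg_shadow|pg_authid|pg_read_(binary_)?file|pg_ls_dir"
    r"|\bCOPY\b.*\b(TO|FROM)\s+PROGRAM\b|lo_(import|export))")


def _strings(value):
    """Yield every string nested anywhere in a JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)


def _path_values(args):
    """Yield strings under argument keys that name a path (path, paths, file_path)."""
    for key, v in args.items():
        if "path" in key.lower():
            yield from _strings(v)


def classify(msg):
    """Return the rule names one MCP request triggers (empty list if none)."""
    if msg.get("method") != "tools/call":
        return []
    params = msg.get("params") or {}
    tool = params.get("name", "")
    args = params.get("arguments") or {}
    hits = []
    if tool in READ_TOOLS and any(SENSITIVE_RE.search(s) for s in _strings(args)):
        hits.append("sensitive_system_file_access")
    if tool in WRITE_TOOLS and any(
            posixpath.splitext(p)[1].lower() in SUSPICIOUS_EXT for p in _path_values(args)):
        hits.append("suspicious_extension_write")
    if tool == "query" and PG_SUSPICIOUS_RE.search(str(args.get("sql", ""))):
        hits.append("postgres_suspicious_query")
    return hits


def scan(log_text):
    """Parse JSON-lines telemetry and report every request that triggers a rule."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry line: skip it rather than abort the scan
        hits = classify(msg)
        if hits:
            findings.append({"id": msg.get("id"), "tool": msg["params"]["name"], "hits": hits})
    return findings


# Constructed sample telemetry (not real MCP TA output).
SAMPLE_LOG = """
{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"read_file","arguments":{"path":"/etc/shadow"}}}
{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"search_files","arguments":{"path":"/home","pattern":"id_rsa"}}}
{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"write_file","arguments":{"path":"/srv/app/public/update.ps1","content":"Write-Host hello"}}}
{"jsonrpc":"2.0","id":4,"method":"tools/call","params":{"name":"query","arguments":{"sql":"SELECT usename, passwd FROM pg_shadow"}}}
{"jsonrpc":"2.0","id":5,"method":"tools/call","params":{"name":"read_file","arguments":{"path":"/srv/app/README.md"}}}
{"jsonrpc":"2.0","id":6,"method":"tools/list"}
this line is not JSON
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The design point worth carrying into a production search is that the tool name alone is not the signal: `read_file` and `write_file` are the legitimate core of a filesystem server, so the detection has to key on the arguments (which path, which extension, which SQL) and on a whitelist of what the deployed agent is expected to touch.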