
Stormcast Episode Analyzes Malware Campaign and Critical Vulnerabilities
The February 24, 2026, Stormcast episode from the SANS Internet Storm Center, presented by Johannes Ullrich in Jacksonville, Florida, analyzed a malware campaign in which a malicious JPEG file was delivered via a compressed JavaScript downloader. The initial payload was a heavily obfuscated JavaScript file exceeding 1 MB; most of that data was garbage added to evade detection, leaving only a few kilobytes of functional code, which ultimately downloaded the Remcos RAT. The attack used a spoofed email sender address that got past poorly configured DMARC/SPF protections. The episode also highlighted two critical vulnerabilities (CVSS 9.3) in the Calibre ebook software that allow arbitrary path traversal and code execution via crafted ebooks. A separate flaw in the jsPDF JavaScript library involved improper handling of JavaScript segments in PDFs, though exploitability depends on how the library is used. Recent exploits were also reported in the Roundcube and SmarterMail webmail systems, underlining the risk of unpatched on-premises deployments. The discussion underscored the importance of basic email security controls and timely software updates.
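
As an added illustration of the email controls mentioned above (not code from the episode or from SANS), the following Python sketch audits a domain's published SPF and DMARC TXT records for common weak settings. The summary does not say which misconfiguration the campaign relied on, so the checks, function names and sample records are assumptions constructed for this example.

```python
import re

def audit_spf(record):
    """Findings for one SPF TXT record (RFC 7208 syntax)."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record"]
    # Mechanisms are evaluated left to right, so the first 'all' decides.
    alls = [t for t in terms[1:] if re.fullmatch(r"[+\-~?]?all", t)]
    if not alls:
        if any(t.startswith("redirect=") for t in terms[1:]):
            return []  # policy lives in the redirect target; audit that record
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    weak = {"all": "any host passes SPF", "+all": "any host passes SPF",
            "?all": "unlisted senders get a neutral result",
            "~all": "softfail only; rejection is left to DMARC"}
    return [f"{alls[0]}: {weak[alls[0]]}"] if alls[0] in weak else []

def audit_dmarc(record):
    """Findings for the TXT record at _dmarc.<domain> (None if absent)."""
    if record is None:
        return ["no DMARC record: receivers have no policy for spoofed From: domains"]
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        return ["not a DMARC record"]
    findings = []
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append(f"p={tags.get('p')}: monitoring only, failing mail is delivered")
    if tags.get("sp") == "none":
        findings.append("sp=none: subdomains are not protected")
    pct = tags.get("pct", "100")  # pct defaults to 100 when omitted
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    return findings

# Constructed sample records (example domains, not taken from the episode).
SAMPLES = {
    "weak.example": ("v=spf1 include:_spf.weak.example ~all",
                     "v=DMARC1; p=none; rua=mailto:d@weak.example"),
    "strict.example": ("v=spf1 mx -all", "v=DMARC1; p=reject; sp=reject"),
    "missing.example": ("v=spf1 +all", None),
}

def audit_all(samples=SAMPLES):
    return {d: audit_spf(spf) + audit_dmarc(dmarc) for d, (spf, dmarc) in samples.items()}

if __name__ == "__main__":
    for domain, findings in audit_all().items():
        print(domain, findings or ["ok"])
```

To audit a live domain, pass in the TXT records retrieved for the domain and for `_dmarc.<domain>` in place of the sample strings.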