
News Summary

Last updated: 18:15 02/04/2026 UTC
  • Supply chain compromise in Trivy scanner triggers CanisterWorm propagation across CI/CD pipelines: Supply chain compromise in Trivy scanner triggers CanisterWorm propagation across CI/CD pipelines, now expanding to encompass additional open-source ecosystems and attributed to multiple advanced threat actors. The TeamPCP threat group continues to monetize stolen supply chain secrets through partnerships with extortion groups including Lapsus$ and the Vect ransomware operation, with Wiz (Google Cloud) confirming collaboration and lateral movement across cloud environments. Cisco’s internal development environment was breached using stolen Trivy-linked credentials via a malicious GitHub Action, resulting in the theft of over 300 repositories, including proprietary AI product code and data belonging to corporate customers such as banks, BPOs, and US government agencies. Attackers also abused stolen AWS keys across a subset of Cisco’s cloud accounts, with multiple threat actors observed participating in the breach. New developments include the compromise of the Axios NPM package, a top-10 JavaScript library with over 400 million monthly downloads, via malicious versions 0.27.5 and 0.28.0. The attack delivered a multi-platform RAT through a malicious dependency impersonating crypto-js, with operational sophistication including pre-staging, platform-specific payloads, and anti-forensic cleanup. Initial attribution suggested TeamPCP involvement, but Google attributed the incident to UNC1069, a suspected North Korean actor linked to Lazarus Group, indicating potential actor diversification or false-flag operations. The Axios compromise highlights escalating tradecraft in open-source supply chain attacks, distinct from opportunistic infections and suggesting a focus on access brokering or targeted espionage rather than indiscriminate data theft.
  • Critical RADIUS Authentication Flaw in Cisco Secure Firewall Management Center: Cisco has disclosed and patched multiple critical vulnerabilities across its product portfolio, including a newly identified Integrated Management Controller (IMC) authentication bypass flaw (CVE-2026-20093) that allows unauthenticated attackers to gain Admin access to unpatched systems. Additionally, Cisco addressed a critical remote code execution (RCE) vulnerability in its Smart Software Manager On-Prem (SSM On-Prem) (CVE-2026-20160) that enables attackers to execute commands with root-level privileges. Earlier in March 2026, Cisco released security updates for two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software: an authentication bypass flaw (CVE-2026-20079) granting root access and an RCE vulnerability (CVE-2026-20131) allowing arbitrary Java code execution. Notably, the Interlock ransomware gang exploited CVE-2026-20131 in zero-day attacks, prompting CISA to add it to its catalog of exploited vulnerabilities and mandate federal agencies to remediate within three days. Cisco also published a bundled set of 25 security advisories addressing 48 vulnerabilities across multiple enterprise networking products, including high-severity issues in ASA Firewall, Secure FMC, and Secure FTD appliances.
  • UK CNI providers face significant downtime costs from OT-targeting cyber-attacks: A survey of 250 cybersecurity decision makers in UK critical national infrastructure (CNI) sectors reveals that 80% of organizations face operational technology (OT) cyber-attack downtime costs ranging from £100,000 to £5m. Approximately 23% of OT downtime incidents exceed £1m in costs, with 6% surpassing £5m, reflecting the severe financial impact of disruptions to energy, utilities, transport, manufacturing, and retail operations. The rising threat of nation-state attacks, amplified by recent geopolitical tensions such as the US-Israel strikes on Iran, is driving concerns among 64% of respondents, who fear targeted OT disruption over traditional data theft or financial motives. Industrial systems in OT environments are particularly vulnerable due to their direct control over physical processes, making breaches capable of halting production, interrupting services, or compromising safety.
  • Storm Infostealer Enables Server-Side Credential Decryption with Automated Session Hijacking: A new information stealer malware named Storm has been identified targeting browser credentials, session cookies, and cryptocurrency wallets by remotely decrypting stolen data on attacker-controlled infrastructure. Storm, active in underground markets since early 2026, bypasses modern encryption protections in browsers such as Google’s App-Bound Encryption (Chrome 127) by shifting decryption to remote servers instead of local processing. The malware automates session hijacking by feeding stolen Google Refresh Tokens and geographically matched SOCKS5 proxies into an operator panel, silently restoring authenticated sessions across SaaS platforms, internal tools, and cloud environments without triggering password alerts.
  • Residential proxy networks evade detection in 78% of malicious sessions due to short-lived IP rotation: Analysis of 4 billion malicious sessions over three months reveals that residential proxy networks evade IP reputation systems in 78% of cases, challenging traditional network defense assumptions based on traffic origin. The evasion occurs as residential IPs used for malicious activity are predominantly short-lived, active for less than one month in 89.7% of cases and rarely persisting beyond three months. The transient nature of these IPs, combined with rotation tactics, prevents reputation feeds from cataloging malicious infrastructure in time. Roughly 39% of malicious sessions originate from residential networks, yet most remain undetected by reputation systems. The findings highlight the limitations of IP-based defense mechanisms and the need for behavioral detection methods to identify sequential probing, protocol misuse, and device fingerprinting patterns.
  • LNK-based multi-stage malware leveraging GitHub for C2 and data exfiltration detected in South Korea: A multi-stage malware campaign targeting South Korean users employs malicious LNK files as initial vectors, using GitHub repositories for command and control (C2) and data exfiltration. The attack chain abuses legitimate Windows utilities and scripting to evade detection, establish persistence via scheduled tasks, and harvest system information. Decoy PDFs are presented to victims while PowerShell scripts execute covertly, with later variants removing metadata to hinder attribution. The campaign exemplifies modern ‘living-off-the-land’ (LOTL) tactics, blending malicious activity with normal network traffic to bypass corporate defenses.
  • Hybrid fraud workflows leverage vacant residential properties and postal redirection services to intercept sensitive mail: Cybercriminals are combining open-source intelligence, real estate data, and postal redirection services to identify vacant residential properties and intercept sensitive mail for identity theft and financial fraud. Threat actors exploit legitimate digitalized postal services such as USPS Informed Delivery and Change of Address (COA) mechanisms to monitor and redirect mail without direct physical presence. The technique integrates with broader fraud ecosystems, including fake identities and Credit Privacy Numbers (CPNs), to establish persistent access to victims’ correspondence. Fraud operations increasingly blend digital reconnaissance with physical-world manipulation, leveraging vacant properties as drop addresses to scale identity-based fraud while evading traditional detection methods.
Last updated: 14:15 02/04/2026 UTC
  • Widespread OAuth Device Code Phishing Campaign Targets Microsoft 365 via EvilTokens PhaaS: An ongoing device code phishing campaign is targeting Microsoft 365 accounts across at least 340 organizations in five countries (U.S., Canada, Australia, New Zealand, Germany) since mid-February 2026. The campaign abuses legitimate OAuth device authorization flows to harvest credentials and establish persistent access tokens, including via the EvilTokens phishing-as-a-service (PhaaS) platform. Attackers redirect victims through multi-hop chains using Cloudflare Workers, Railway PaaS infrastructure, and legitimate vendor redirect services (Cisco, Trend Micro, Mimecast) to bypass spam filters. Targeted sectors include construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government. EvilTokens integrates device code phishing capabilities and is sold over Telegram, with active development and planned support for Gmail and Okta phishing pages. Lures include QR codes or hyperlinks embedded in emails impersonating business documents, meeting invitations, or DocuSign/SharePoint shared files. Victims are redirected to phishing pages impersonating trusted services, where they are prompted to complete verification via the legitimate Microsoft device login page, enabling attackers to obtain persistent access tokens. The campaign has a global reach, affecting additional countries such as France, India, Switzerland, and the UAE, and includes advanced features for business email compromise (BEC) activities.
  • Unauthorized access detected in Dutch Ministry of Finance policy department systems: The Dutch Ministry of Finance disclosed a cybersecurity incident involving unauthorized access to systems within its policy department, initially detected on March 19, 2026. On March 23, 2026, the ministry took several systems offline, including the treasury banking portal, for forensic investigation, disrupting access for approximately 1,600 public institutions. Core treasury functions retained full access to funds, and payments continued via regular banking channels. The breach affected some employees but did not impact core financial operations such as tax collection or benefits administration. The investigation, supported by the National Cyber Security Center (NCSC), external forensic experts, and Dutch authorities, remains ongoing. No threat actor has claimed responsibility, and no confirmation of data exfiltration has been provided.
  • TeamPCP escalates CanisterWorm campaign with geopolitical targeting and multi-vector attacks: TeamPCP has escalated its multi-vector CanisterWorm campaign into a broader geopolitically targeted operation, now compromising trusted PyPI packages to deliver credential-stealing malware with automated execution mechanisms. The group has targeted the LiteLLM and Telnyx Python packages (versions 1.82.7, 1.82.8, 4.87.1, and 4.87.2), embedding malware that harvests SSH keys, cloud credentials, Kubernetes secrets, database credentials, cryptocurrency wallets, TLS/SSL private keys, and bash history files before exfiltrating data to attacker-controlled infrastructure and establishing persistent backdoors. The campaign began as a supply-chain attack involving 47 compromised npm packages and the @teale.io/eslint-config variant, leveraging ICP canisters for decentralized C2 and persistence via masqueraded systemd services. It escalated to include GitHub repository hijacking (e.g., Aqua Security), Docker Hub compromise, and deployment of an infostealer, then pivoted to targeting CI/CD pipelines directly via GitHub Actions workflows (e.g., Checkmarx, Trivy) using stolen credentials. TeamPCP now compromises GitHub Actions workflows and Open VSX extensions to deploy the TeamPCP Cloud stealer, while refining destructive payloads targeting Iranian systems in Kubernetes environments with time-zone/locale-based wipers. Recent compromises of LiteLLM and Telnyx demonstrate rapid iteration and maturation of supply chain attack methodology, with evidence suggesting collaboration with the Vectr ransomware group for follow-on ransomware operations.
  • TA415 (APT41) Abuses Velociraptor Forensic Tool for C2 Tunneling via Visual Studio Code: Threat actors tracked as TA415 (APT41) deployed the open-source Velociraptor forensic tool to download and execute Visual Studio Code, likely for command-and-control (C2) tunneling. The attack leveraged legitimate software and Windows utilities to minimize malware deployment and maintain a foothold in the target environment. The attackers used Cloudflare Workers domains for staging and additional payloads, and the incident highlights the evolving tactics of threat actors using legitimate tools for malicious purposes. The attack began with the use of the Windows msiexec utility to download an MSI installer from a Cloudflare Workers domain. Velociraptor was then used to establish contact with another Cloudflare Workers domain, facilitating the download and execution of Visual Studio Code with tunneling capabilities. This allowed for remote access and code execution, potentially leading to further malicious activities such as ransomware deployment. The phishing campaign targeted US government, think tank, and academic organizations involved in US-China relations, economic policy, and international trade. The attackers impersonated the US-China Business Council and John Moolenaar, Chair of the Select Committee on Strategic Competition between the US and the Chinese Communist Party. The phishing messages contained links to password-protected archives hosted on cloud services, which included a shortcut (LNK) file and a hidden subfolder. Launching the LNK file executed a batch script that downloaded the VSCode Command Line Interface (CLI) from Microsoft’s servers, created a scheduled task for persistence, and established a VS Code remote tunnel authenticated via GitHub. The script also collected system information and the contents of various user directories, sending it to the attackers.
  • Shamos Infostealer Targeting Mac Devices via ClickFix Attacks: In March 2026, Apple introduced a Terminal security feature in macOS Tahoe 26.4 that blocks execution of pasted commands and warns users of potential risks, directly targeting ClickFix-style social engineering attacks used to distribute malware such as Shamos and MacSync. Since June 2025, the COOKIE SPIDER group’s Shamos infostealer has targeted Mac devices via ClickFix attacks, stealing data and credentials from browsers, Keychain, Apple Notes, and cryptocurrency wallets. Early variants relied on malvertising and fake GitHub repositories to trick users into executing shell commands, while later MacSync variants used digitally signed, notarized Swift applications to bypass Gatekeeper checks. Recent campaigns have leveraged legitimate platforms like Cloudflare Pages and Squarespace to host malicious installers, with ClickFix evolving to require minimal user pretexts.
  • Russian UNC6353 Uses Coruna and Darksword iOS Exploit Kits Across iOS 13–18.7 Targeting Financial Espionage and Data Theft: Apple has expanded security updates for iOS 18.7.7 and iPadOS 18.7.7 to protect devices still running iOS 18 from the DarkSword exploit kit, without requiring full OS upgrades. This follows continued exploitation of DarkSword since July 2025 across multiple countries, with attacks leveraging six vulnerabilities to deploy data-stealing malware like GhostBlade, GhostKnife, and GhostSaber through watering hole attacks on compromised websites. The campaign remains linked to Russian threat actor UNC6353 and associated groups including UNC6748 and Turkish vendor PARS Defense, with Coruna and Darksword exploit kits now confirmed as closely related frameworks sharing origins in the 2019–2023 Operation Triangulation campaign. Coruna has evolved from a precision espionage tool into a mass-exploitation framework with 23 exploits across five chains, while Darksword targets iOS 18.4–18.7 and has been publicly leaked on GitHub. Apple has patched all exploited flaws in recent releases (18.7.3, 26.2, 26.3.1), and CISA has mandated federal agencies patch three DarkSword-linked vulnerabilities (CVE-2025-31277, CVE-2025-43510, CVE-2025-43520) by April 3, 2026. The commoditization of these iOS exploitation tools elevates risk to end-users globally.

Latest updates


Residential proxy networks evade detection in 78% of malicious sessions due to short-lived IP rotation

First: 02.04.2026 18:21 · 📰 1 src / 1 article

Analysis of 4 billion malicious sessions over three months reveals that residential proxy networks evade IP reputation systems in 78% of cases, challenging traditional network defense assumptions based on traffic origin. The evasion occurs as residential IPs used for malicious activity are predominantly short-lived, active for less than one month in 89.7% of cases and rarely persisting beyond three months. The transient nature of these IPs, combined with rotation tactics, prevents reputation feeds from cataloging malicious infrastructure in time. Roughly 39% of malicious sessions originate from residential networks, yet most remain undetected by reputation systems. The findings highlight the limitations of IP-based defense mechanisms and the need for behavioral detection methods to identify sequential probing, protocol misuse, and device fingerprinting patterns.

Active Spyware Campaigns Targeting High-Value Signal and WhatsApp Users

Updated: 02.04.2026 17:15 · First: 25.11.2025 08:42 · 📰 9 src / 13 articles

A coordinated, state-sponsored phishing campaign continues to target high-value individuals via Signal and WhatsApp, now with confirmed involvement from Russian Intelligence Services-affiliated groups and additional threat actors linked to the FSB, China’s APT31, and Iran’s IRGC. The FBI has directly attributed the campaign to Russian Intelligence Services-affiliated actors, confirming the compromise of thousands of accounts globally and emphasizing that the attacks primarily target high-value individuals such as current and former U.S. government officials, military personnel, political figures, and journalists. The campaign bypasses end-to-end encryption by hijacking accounts through sophisticated social engineering, including impersonating support services and tricking users into sharing verification codes or scanning malicious QR codes to link attacker-controlled devices to accounts. Recent advisories from the NCSC and Dutch intelligence agencies highlight an increase in activity targeting high-risk individuals across government, academia, journalism, and the legal profession. Attackers gain access to private messages, contact lists, and group chats, enabling them to impersonate victims and launch further phishing campaigns. Both Signal and WhatsApp users are advised to regularly review linked devices, avoid sharing verification codes, and enable multi-factor authentication to mitigate risks. Russia-aligned threat clusters such as Star Blizzard, UNC5792 (aka UAC-0195), and UNC4221 (aka UAC-0185) have been associated with similar tactics, and the FBI’s attribution underscores the state-sponsored nature of these operations targeting sensitive communications. French authorities and the UK’s NCSC have also warned of a surge in similar campaigns targeting government officials, journalists, and business leaders.

Storm Infostealer Enables Server-Side Credential Decryption with Automated Session Hijacking

First: 02.04.2026 17:15 · 📰 1 src / 1 article

A new information stealer malware named Storm has been identified targeting browser credentials, session cookies, and cryptocurrency wallets by remotely decrypting stolen data on attacker-controlled infrastructure. Storm, active in underground markets since early 2026, bypasses modern encryption protections in browsers such as Google’s App-Bound Encryption (Chrome 127) by shifting decryption to remote servers instead of local processing. The malware automates session hijacking by feeding stolen Google Refresh Tokens and geographically matched SOCKS5 proxies into an operator panel, silently restoring authenticated sessions across SaaS platforms, internal tools, and cloud environments without triggering password alerts.

Hybrid fraud workflows leverage vacant residential properties and postal redirection services to intercept sensitive mail

First: 02.04.2026 17:01 · 📰 1 src / 1 article

Cybercriminals are combining open-source intelligence, real estate data, and postal redirection services to identify vacant residential properties and intercept sensitive mail for identity theft and financial fraud. Threat actors exploit legitimate digitalized postal services such as USPS Informed Delivery and Change of Address (COA) mechanisms to monitor and redirect mail without direct physical presence. The technique integrates with broader fraud ecosystems, including fake identities and Credit Privacy Numbers (CPNs), to establish persistent access to victims’ correspondence. Fraud operations increasingly blend digital reconnaissance with physical-world manipulation, leveraging vacant properties as drop addresses to scale identity-based fraud while evading traditional detection methods.

Authentication bypass and pre-auth RCE chain in Progress ShareFile Storage Zones Controller (CVE-2026-2699 & CVE-2026-2701)

First: 02.04.2026 16:33 · 📰 1 src / 1 article

Two vulnerabilities in Progress ShareFile Storage Zones Controller (SZC) 5.x can be chained to achieve unauthenticated remote code execution (RCE) and file exfiltration from enterprise file transfer environments. The flaws—an authentication bypass (CVE-2026-2699) and an RCE vulnerability (CVE-2026-2701)—enable attackers to bypass authentication, modify storage configurations, extract internal secrets, and deploy ASPX webshells on affected servers. The vendor patched the issues in version 5.12.4 (released March 10, 2026) after coordinated disclosure. Exploitation leverages improper HTTP redirect handling and insecure file upload/extraction mechanisms, with exploitation achievable via public internet exposure. Approximately 30,000 SZC instances are internet-facing, with 700 actively observed by ShadowServer, predominantly in the U.S. and Europe. While no active exploitation has been reported, the public disclosure increases risk of opportunistic attacks.

Russian UNC6353 Uses Coruna and Darksword iOS Exploit Kits Across iOS 13–18.7 Targeting Financial Espionage and Data Theft

Updated: 02.04.2026 16:30 · First: 04.03.2026 15:28 · 📰 14 src / 16 articles

Apple has expanded security updates for iOS 18.7.7 and iPadOS 18.7.7 to protect devices still running iOS 18 from the DarkSword exploit kit, without requiring full OS upgrades. This follows continued exploitation of DarkSword since July 2025 across multiple countries, with attacks leveraging six vulnerabilities to deploy data-stealing malware like GhostBlade, GhostKnife, and GhostSaber through watering hole attacks on compromised websites. The campaign remains linked to Russian threat actor UNC6353 and associated groups including UNC6748 and Turkish vendor PARS Defense, with Coruna and Darksword exploit kits now confirmed as closely related frameworks sharing origins in the 2019–2023 Operation Triangulation campaign. Coruna has evolved from a precision espionage tool into a mass-exploitation framework with 23 exploits across five chains, while Darksword targets iOS 18.4–18.7 and has been publicly leaked on GitHub. Apple has patched all exploited flaws in recent releases (18.7.3, 26.2, 26.3.1), and CISA has mandated federal agencies patch three DarkSword-linked vulnerabilities (CVE-2025-31277, CVE-2025-43510, CVE-2025-43520) by April 3, 2026. The commoditization of these iOS exploitation tools elevates risk to end-users globally.

Akira and Cl0p Lead Most Active Ransomware-as-a-Service Groups in 2025

Updated: 02.04.2026 16:00 · First: 28.08.2025 21:49 · 📰 9 src / 18 articles

The first half of 2025 saw a 179% increase in ransomware attacks compared to the same period in 2024, with Akira and Cl0p remaining the most active ransomware-as-a-service (RaaS) groups. Akira’s operational tempo has accelerated dramatically, with threat actors now completing attack lifecycles in under four hours and, in some cases, less than one hour. The group leverages vulnerabilities in VPN appliances and backup solutions—particularly SonicWall, Veeam, and Cisco devices lacking multi-factor authentication (MFA)—as well as credential theft, spearphishing, and initial access brokers (IABs) for initial access. Akira employs double-extortion tactics, exfiltrating data prior to encryption while evading detection through disabling security software and using living-off-the-land tools. The group’s rapid compromise capabilities, disciplined operational tempo, and hybrid encryption schemes enable maximum impact in minimal time, contributing to its sustained profitability with illicit proceeds estimated at $244.17m since March 2023. Akira has also expanded its targeting to Nutanix AHV virtual machines, further diversifying its attack surface. Akira’s activity has consistently targeted manufacturing and technology sectors, with the US being the most affected region. The RaaS model has enabled lower-skilled actors to participate, amplifying the surge in ransomware incidents. New tactics include pure extortion without encryption, AI-assisted phishing, and exploitation of vulnerabilities such as CVE-2024-40766 in SonicWall devices. The Australian Cyber Security Centre (ACSC) has acknowledged Akira’s targeting of Australian organizations through SonicWall devices, while incomplete remediation of CVE-2024-40766 has fueled renewed exploitation. 
Akira’s dwell times are among the shortest recorded for ransomware, often measured in hours, and the group has demonstrated significant evolution in its tactics, including encrypting Nutanix AHV virtual machine disk files and leveraging tools like Ngrok for encrypted command-and-control channels. Akira’s ransomware proceeds since late September 2025 exceed $244m, underscoring the group’s operational sophistication and financial impact.

LNK-based multi-stage malware leveraging GitHub for C2 and data exfiltration detected in South Korea

First: 02.04.2026 16:00 · 📰 1 src / 1 article

A multi-stage malware campaign targeting South Korean users employs malicious LNK files as initial vectors, using GitHub repositories for command and control (C2) and data exfiltration. The attack chain abuses legitimate Windows utilities and scripting to evade detection, establish persistence via scheduled tasks, and harvest system information. Decoy PDFs are presented to victims while PowerShell scripts execute covertly, with later variants removing metadata to hinder attribution. The campaign exemplifies modern ‘living-off-the-land’ (LOTL) tactics, blending malicious activity with normal network traffic to bypass corporate defenses.

Critical RADIUS Authentication Flaw in Cisco Secure Firewall Management Center

Updated: 02.04.2026 14:01 · First: 15.08.2025 09:49 · 📰 5 src / 12 articles

Cisco has disclosed and patched multiple critical vulnerabilities across its product portfolio, including a newly identified Integrated Management Controller (IMC) authentication bypass flaw (CVE-2026-20093) that allows unauthenticated attackers to gain Admin access to unpatched systems. Additionally, Cisco addressed a critical remote code execution (RCE) vulnerability in its Smart Software Manager On-Prem (SSM On-Prem) (CVE-2026-20160) that enables attackers to execute commands with root-level privileges. Earlier in March 2026, Cisco released security updates for two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software: an authentication bypass flaw (CVE-2026-20079) granting root access and an RCE vulnerability (CVE-2026-20131) allowing arbitrary Java code execution. Notably, the Interlock ransomware gang exploited CVE-2026-20131 in zero-day attacks, prompting CISA to add it to its catalog of exploited vulnerabilities and mandate federal agencies to remediate within three days. Cisco also published a bundled set of 25 security advisories addressing 48 vulnerabilities across multiple enterprise networking products, including high-severity issues in ASA Firewall, Secure FMC, and Secure FTD appliances.

UK CNI providers face significant downtime costs from OT-targeting cyber-attacks

First: 02.04.2026 11:30 · 📰 1 src / 1 article

A survey of 250 cybersecurity decision makers in UK critical national infrastructure (CNI) sectors reveals that 80% of organizations face operational technology (OT) cyber-attack downtime costs ranging from £100,000 to £5m. Approximately 23% of OT downtime incidents exceed £1m in costs, with 6% surpassing £5m, reflecting the severe financial impact of disruptions to energy, utilities, transport, manufacturing, and retail operations. The rising threat of nation-state attacks, amplified by recent geopolitical tensions such as the US-Israel strikes on Iran, is driving concerns among 64% of respondents, who fear targeted OT disruption over traditional data theft or financial motives. Industrial systems in OT environments are particularly vulnerable due to their direct control over physical processes, making breaches capable of halting production, interrupting services, or compromising safety.

CrystalRAT malware-as-a-service expands with multi-functional capabilities

First: 02.04.2026 02:17 · 📰 1 src / 1 article

A new malware-as-a-service (MaaS) named CrystalRAT is being actively promoted on Telegram and YouTube, offering remote access, data theft, keylogging, clipboard hijacking, and extensive prankware features. The malware, first observed in January 2026, employs a tiered subscription model and shares technical similarities with the Salat Stealer (WebRAT), including Go-based code and a bot-driven sales system. CrystalRAT’s payloads are compressed and encrypted using zlib and ChaCha20, respectively, and communicate with command-and-control (C2) servers via WebSocket. The malware targets Chromium-based browsers, desktop applications (Steam, Discord, Telegram), and includes spyware capabilities such as audio/video capture, real-time keylogging, and wallet address clipper functionality. Despite its prankware features—such as system shutdowns, input device disabling, and desktop manipulation—CrystalRAT remains a potent threat for data exfiltration and espionage.

TrueConf zero-day (CVE-2026-3502) exploited to deliver Havoc C2 payloads via malicious software updates

Updated: · First: 02.04.2026 00:35 · 📰 1 src / 1 articles

Threat actors leveraged a zero-day vulnerability (CVE-2026-3502) in the TrueConf video conferencing platform to replace legitimate software updates with malicious executables on self-hosted servers, thereby distributing payloads to all connected endpoints. The flaw, affecting versions 8.1.0–8.5.2, stems from the absence of integrity checks in the update mechanism, which lets attackers serve fake updates that clients trust and execute as arbitrary code. Targeted entities include government agencies in Southeast Asia, with infections observed since January 2026 via the TrueChaos campaign. Impact includes lateral movement, privilege escalation via UAC bypass, and likely deployment of the Havoc C2 implant for further compromise.

Widespread OAuth Device Code Phishing Campaign Targets Microsoft 365 via EvilTokens PhaaS

Updated: 01.04.2026 22:42 · First: 25.03.2026 13:34 · 📰 2 src / 2 articles

An ongoing device code phishing campaign is targeting Microsoft 365 accounts across at least 340 organizations in five countries (U.S., Canada, Australia, New Zealand, Germany) since mid-February 2026. The campaign abuses legitimate OAuth device authorization flows to harvest credentials and establish persistent access tokens, including via the EvilTokens phishing-as-a-service (PhaaS) platform. Attackers redirect victims through multi-hop chains using Cloudflare Workers, Railway PaaS infrastructure, and legitimate vendor redirect services (Cisco, Trend Micro, Mimecast) to bypass spam filters. Targeted sectors include construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government. EvilTokens integrates device code phishing capabilities and is sold over Telegram, with active development and planned support for Gmail and Okta phishing pages. Lures include QR codes or hyperlinks embedded in emails impersonating business documents, meeting invitations, or DocuSign/SharePoint shared files. Victims are redirected to phishing pages impersonating trusted services, where they are prompted to complete verification via the legitimate Microsoft device login page, enabling attackers to obtain persistent access tokens. The campaign has a global reach, affecting additional countries such as France, India, Switzerland, and the UAE, and includes advanced features for business email compromise (BEC) activities.

Undervalued and informally trained cybersecurity talent in Latin America drives regional hiring challenges amid surge in attacks

Updated: · First: 01.04.2026 22:00 · 📰 1 src / 1 articles

Latin American organizations face a 40% higher rate of cyberattacks than the global average, yet must adapt hiring practices to access an underutilized cybersecurity talent pool dominated by self-taught professionals and part-time practitioners. Regional threat trends—such as Brazil’s Pix payment system fueling banking trojans and phishing campaigns—outpace defensive capabilities, while conventional hiring demands for formal degrees and extensive experience deter qualified but non-traditional candidates. The mismatch exacerbates staffing shortages and increases organizational exposure to fast-evolving threats.

Widespread NoVoice Android rootkit campaign with 2.3M downloads abuses steganography and patchable flaws

Updated: · First: 01.04.2026 21:07 · 📰 1 src / 1 articles

A widespread Android malware campaign named NoVoice infected at least 2.3 million devices via 50+ Google Play apps masquerading as cleaners, galleries, and games. The malware exploited older, patched Android vulnerabilities (2016–2021) to achieve root access, including use-after-free kernel issues and Mali GPU driver flaws, before disabling SELinux and replacing system libraries with rootkits. Post-exploitation, the attackers injected code into running apps, primarily targeting WhatsApp to extract encryption databases, Signal protocol keys, and account identifiers for session hijacking. Persistence mechanisms ensure survival across factory resets, and the campaign avoided specific Chinese regions while evading detection via emulator, debugger, and VPN checks.

AGEWHEEZE RAT Deployment via CERT-UA Impersonation Campaign Targeting Ukrainian Entities

Updated: · First: 01.04.2026 19:10 · 📰 1 src / 1 articles

A threat actor tracked as UAC-0255 impersonated Ukraine’s CERT-UA to distribute the AGEWHEEZE remote access trojan (RAT) via phishing emails sent to approximately 1 million ukr[.]net mailboxes on March 26–27, 2026. Targets included state organizations, medical centers, security companies, educational institutions, financial institutions, and software development companies. The campaign leveraged a password-protected ZIP archive hosted on Files.fm, containing a decoy CERT-UA-themed installer that delivered AGEWHEEZE, a Go-based RAT with extensive capabilities for remote control and data exfiltration. The attack’s operational impact was assessed as minimal, with only a small number of personal devices at educational institutions compromised. The threat actor, identifying as Cyber Serp on Telegram, claimed broader success, asserting over 200,000 infections and denying civilian targeting. The campaign exploited domains and infrastructure likely generated with AI assistance, reflecting evolving TTPs in Ukrainian cyber operations.

Google to Enforce Developer Verification on Android in Four Countries

Updated: 01.04.2026 18:00 · First: 26.08.2025 09:27 · 📰 3 src / 4 articles

Google has begun rolling out mandatory Android developer verification in Brazil, Indonesia, Singapore, and Thailand, with enforcement scheduled for September 30, 2026, followed by a global rollout starting in 2027. The phased rollout includes the appearance of the Android Developer Verifier in system settings in April 2026, limited distribution accounts for students and hobbyists in June 2026, and the launch of limited distribution accounts and the advanced sideloading flow globally in August 2026. Internal Google analysis indicates that malware appears more than 90 times as frequently in sideloaded apps as in those from Google Play, underscoring the security rationale behind the verification mandate. While most Play Store developers already meet the requirements, independent developers distributing outside the official marketplace must verify their identity via the Android Developer Console to register apps. Android Studio will display registration status when generating signed App Bundles or APKs. The initiative has drawn criticism from open-source advocates and digital rights groups, who argue that mandatory central registration threatens innovation, competition, privacy, and user freedom by extending Google’s control beyond its own marketplace into all app distribution channels.

Increased exploitation of legitimate remote access pathways and trusted tools in 2025 intrusions according to Blackpoint Cyber threat analysis

Updated: · First: 01.04.2026 17:05 · 📰 1 src / 1 articles

A 2026 analysis of 2025 incident response cases by Blackpoint Cyber finds threat actors increasingly leveraging legitimate remote access pathways and trusted administrative tools to establish initial access and maintain persistence. Rather than relying on software vulnerabilities, attackers primarily abused valid credentials, SSL VPN sessions, and remote monitoring and management (RMM) tools such as ScreenConnect to blend into normal operations. In cloud environments, adversaries captured and reused authenticated session tokens following successful multi-factor authentication (MFA) via adversary-in-the-middle phishing, bypassing detection by appearing as legitimate sessions.

Venom Stealer infostealer kit introduces continuous credential harvesting via malware-as-a-service model

Updated: 01.04.2026 16:30 · First: 31.03.2026 17:51 · 📰 2 src / 2 articles

A newly identified infostealer malware kit named Venom Stealer is offered as a malware-as-a-service (MaaS) subscription priced at $250 per month or $1,800 lifetime, enabling continuous credential harvesting and wallet cracking operations. The kit targets Windows and macOS systems via deceptive social engineering lures integrated into its operator panel, including fake Cloudflare CAPTCHA pages, OS update prompts, SSL certificate errors, and font installation pages. Victims are tricked into executing commands via the Run dialog or Terminal, which bypasses detection systems because the activity appears user-initiated. Upon execution, it extracts and exfiltrates browser credentials, session cookies, browsing history, autofill data, cryptocurrency wallet vaults, browser extension data, and system fingerprints from Chromium and Firefox browsers. Venom Stealer distinguishes itself by maintaining silent persistence through a background session listener that reports new credentials and wallet activity to command-and-control infrastructure twice daily, and by continuously monitoring Chrome's login database to capture newly saved credentials in real time. Exfiltrated cryptocurrency wallet data is processed by a server-side GPU cracking engine, with funds automatically transferred across multiple blockchain networks including tokens and DeFi positions, undermining password rotation and incident response efforts.

Shift from Device-Centric Controls to Session-Level Governance in Enterprise AI and Web Use

Updated: · First: 01.04.2026 15:46 · 📰 1 src / 1 articles

In 2026, enterprise security teams are abandoning traditional invasive endpoint agents and domain-blocking policies—collectively referred to as "Doctor No"—due to their systemic failure to prevent user workarounds and unmanaged exposure of sensitive data. The reliance on endpoint agents and SSL inspection has created a "Workaround Economy" where employees bypass controls by moving data into personal email, unmanaged AI tools, or browser extensions, resulting in zero organizational visibility and increased risk. Legacy security stacks, including EDR, DLP, and SASE/SSE solutions, are unable to monitor live browser sessions effectively, leaving critical blind spots such as prompt-level data leakage and unmanaged extension activity. Recent incidents, such as a U.S. law firm discovering 70% of users silently routing corporate data through AI extensions hosted in China despite domain blocking, highlight the inadequacy of current controls. The industry is transitioning toward session-level governance—agentless controls that govern data in real time within the browser, regardless of device or network, to enforce secure AI and web use without breaking usability.

Casbaneiro banking trojan distribution via dynamic PDF lures and Horabot propagation

Updated: · First: 01.04.2026 15:36 · 📰 1 src / 1 articles

A phishing campaign attributed to the Brazilian cybercrime group Augmented Marauder (Water Saci) is actively targeting Spanish-speaking users in Latin America and Europe to deliver the Casbaneiro (Metamorfo) Windows banking trojan and the Horabot malware family. The campaign leverages court summons-themed phishing emails with password-protected PDF attachments that redirect to malicious downloads, initiating a multi-stage infection chain involving HTA, VBS, AutoIt loaders, and dynamic PDF generation for further propagation. The attack infrastructure combines WhatsApp automation, ClickFix social engineering, and enterprise email hijacking to distribute Casbaneiro as the primary payload while Horabot acts as a propagation mechanism targeting Outlook contacts and email accounts.

WhatsApp-delivered VBS malware abuses UAC bypass for persistent Windows compromise via cloud-hosted MSI payloads

Updated: · First: 01.04.2026 14:49 · 📰 1 src / 1 articles

A malware campaign observed since late February 2026 delivers malicious Visual Basic Script (VBS) files to Windows users via WhatsApp, executing multi-stage attacks to establish persistence and enable remote access. The attack chain uses renamed legitimate Windows utilities (e.g., curl.exe → netapi.dll, bitsadmin.exe → sc.exe) to evade detection, retrieves payloads from trusted cloud services (AWS S3, Tencent Cloud, Backblaze B2), and installs unsigned MSI packages. The malware weakens User Account Control (UAC) defenses by repeatedly attempting elevated cmd.exe execution, modifying registry keys under HKLM\Software\Microsoft\Win, and embedding persistence to survive reboots. This enables privilege escalation without user interaction and deployment of remote access tools like AnyDesk, facilitating data theft and secondary malware delivery.

Fourth actively exploited Chrome zero-day (CVE-2026-5281) in Dawn WebGPU implementation patched by Google

Updated: 01.04.2026 14:42 · First: 01.04.2026 13:25 · 📰 2 src / 2 articles

Google released emergency fixes for the fourth Chrome zero-day vulnerability (CVE-2026-5281) exploited in attacks during 2026, addressing a use-after-free flaw in Dawn, the cross-platform WebGPU implementation within Chromium. The vulnerability allowed attackers to trigger browser crashes, data corruption, rendering issues, or abnormal behavior via malicious web content and specifically enabled arbitrary code execution via crafted HTML in compromised renderer processes. Google confirmed active exploitation in the wild but withheld technical details to prevent further abuse until widespread patch adoption. Updates were immediately available for Windows, macOS, and Linux users in the Stable Desktop channel (versions 146.0.7680.177/178), though rollout may take days or weeks for all users. Automatic updates are enabled by default unless manually disabled. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are advised to apply fixes as they become available.

FBI advisory flags privacy and data access risks in Chinese-developed mobile applications

Updated: · First: 01.04.2026 14:39 · 📰 1 src / 1 articles

The FBI issued a public service announcement warning against the use of mobile applications developed by foreign companies, particularly those based in China, citing significant privacy and data security risks. The bureau highlighted concerns that these apps, subject to China’s national security laws, may enable government access to user data. Risks include continuous data collection beyond user consent, default access to sensitive contact information, and storage of collected data on servers in China. Some apps require mandatory data-sharing consent to function. The advisory emphasizes the need for users to limit data exposure and adopt stronger security practices.

Living-Off-the-Land (LOTL) abuse of native utilities escalates as primary intrusion tactic in enterprise environments

Updated: · First: 01.04.2026 13:58 · 📰 1 src / 1 articles

Threat actors are increasingly leveraging legitimate, native system tools such as PowerShell, WMIC, and Certutil to conduct attacks, achieving lateral movement, privilege escalation, and persistence while evading detection. Analysis of over 700,000 high-severity incidents indicates that 84% now involve abuse of trusted utilities—a practice known as Living off the Land (LOTL). This shift reduces reliance on malware and exploits, exploiting the blind spot created by legitimate operational noise and the operational necessity of these tools. The technique is now the dominant intrusion vector, often progressing undetected until significant compromise has occurred.

Widespread cyber incidents disrupt 78% of UK manufacturing sector in 2025

Updated: · First: 01.04.2026 12:30 · 📰 1 src / 1 articles

In 2025, 78% of UK manufacturing organizations reported experiencing serious cyber incidents, according to an ESET survey of 500 senior decision-makers. Nearly all (95%) respondents confirmed direct business impact, with 53% incurring financial losses. Supply chain disruption (44%) and missed commitments (39%) were common secondary effects. Of those experiencing operational shutdowns, 77% reported 1-7 days of downtime and 56% noted 1-3 days of outages. Visibility into production-related cyber risks remains limited, with 20% of organizations admitting no or minimal oversight. AI-enabled attacks were identified as the top perceived threat to production (46%), surpassing phishing (42%), ransomware (40%), and unauthorized access (38%). Cyber accountability remains concentrated in IT departments, with only 22% of organizations assigning board-level ownership, indicating low cybersecurity maturity and a reliance on reactive measures despite evidence of significant financial and operational consequences.

Supply chain compromise of axios npm package delivers cross-platform RATs via malicious dependency

Updated: · First: 01.04.2026 12:00 · 📰 1 src / 1 articles

A financially motivated North Korea-nexus threat actor compromised the npm account of axios maintainer Jason Saayman and injected a malicious dependency (plain-crypto-js) into two legitimate axios versions (v1.14.1 and v0.30.4) to deliver cross-platform remote access Trojans (RATs) to downstream users. The attack involved pre-staged malicious code, account persistence via email modification, GitHub permission abuse to hide evidence, and direct publishing of malicious packages using stolen npm credentials, bypassing GitHub Actions-based OIDC provenance signing. Impact spans organizations worldwide due to axios’s 100M+ weekly downloads and widespread use as a dependency in CI/CD pipelines.

Google Drive Desktop Adds AI-Powered Ransomware Detection

Updated: 01.04.2026 09:35 · First: 01.10.2025 18:10 · 📰 2 src / 2 articles

Google has expanded its AI-powered ransomware detection feature for Google Drive desktop to all paying users, now enabled by default for business, enterprise, education, and frontline Google Workspace licenses. The updated AI model detects 14x more infections than during its beta phase, providing faster and more comprehensive protection. When ransomware is detected, file syncing pauses immediately, safeguarding cloud-stored documents while local files may still be encrypted. Users receive email and admin console alerts, along with detailed restoration instructions to recover affected files. IT administrators retain the ability to disable the feature via the Google Admin console.

Accidental disclosure of Anthropic's Claude Code closed-source implementation via NPM package

Updated: · First: 01.04.2026 03:32 · 📰 1 src / 1 articles

Anthropic accidentally exposed the closed-source implementation of its Claude Code AI coding assistant through a packaging error in an NPM release. The leak occurred when version 2.1.88 of Claude Code included a 60 MB source map file (`cli.js.map`) containing approximately 1,900 files and 500,000 lines of internal source code. No customer data or credentials were involved. The exposed code has since propagated widely on platforms like GitHub, prompting Anthropic to issue DMCA takedown notices. The incident stemmed from a human error during release packaging, not a security breach, and Anthropic is implementing measures to prevent recurrence. The disclosed code reveals undocumented features, including a "Proactive mode" for 24/7 autonomous coding and a "Dream" mode for background problem-solving, along with details of Claude-exclusive functionality.

TA415 (APT41) Abuses Velociraptor Forensic Tool for C2 Tunneling via Visual Studio Code

Updated: 01.04.2026 10:44 · First: 30.08.2025 15:06 · 📰 3 src / 3 articles

Threat actors identified as TA415 (APT41) deployed the open-source Velociraptor forensic tool to download and execute Visual Studio Code, likely for command-and-control (C2) tunneling. The attack leveraged legitimate software and Windows utilities to minimize malware deployment and maintain a foothold in the target environment. The attackers used Cloudflare Workers domains for staging and additional payloads, and the incident highlights the evolving tactics of threat actors using legitimate tools for malicious purposes. The attack began with the use of the Windows msiexec utility to download an MSI installer from a Cloudflare Workers domain. Velociraptor was then used to establish contact with another Cloudflare Workers domain, facilitating the download and execution of Visual Studio Code with tunneling capabilities. This allowed for remote access and code execution, potentially leading to further malicious activities such as ransomware deployment. The phishing campaign targeted US government, think tank, and academic organizations involved in US-China relations, economic policy, and international trade. The attackers impersonated the US-China Business Council and John Moolenaar, Chair of the Select Committee on Strategic Competition between the US and the Chinese Communist Party. The phishing messages contained links to password-protected archives hosted on cloud services, which included a shortcut (LNK) file and a hidden subfolder. Launching the LNK file executed a batch script that downloaded the VSCode Command Line Interface (CLI) from Microsoft’s servers, created a scheduled task for persistence, and established a VS Code remote tunnel authenticated via GitHub. The script also collected system information and the contents of various user directories and sent them to the attackers.