CyberHappenings


News Summary

Last updated: 16:00 06/04/2026 UTC
  • **Critical Fortinet Vulnerabilities: FortiCloud SSO Bypass and FortiClientEMS SQLi Patched** Fortinet has released emergency patches for a newly disclosed critical FortiClient EMS vulnerability (CVE-2026-35616), an improper access control flaw enabling unauthenticated attackers to execute arbitrary code via crafted requests. This follows the active exploitation of CVE-2026-21643, a critical SQL injection (CVSS 9.1) in FortiClientEMS, and the FortiCloud SSO authentication bypass (CVE-2026-24858, CVSS 9.4), both of which remain under widespread attack. Nearly 1,000 FortiClient EMS instances and over 25,000 FortiCloud SSO-enabled devices are exposed online, with threat actors leveraging these flaws to create admin accounts, exfiltrate configurations, and deploy secondary payloads. The vulnerabilities stem from improper input validation (SQLi in CVE-2026-21643) and access control failures (CVE-2026-35616 and CVE-2026-24858). Fortinet advises disabling FortiCloud SSO, restricting management interface access, and treating compromised systems as fully breached—requiring credential rotation and configuration restoration. Patches are available for FortiOS 7.4.11+, FortiManager/Analyzer 7.4.10+, and FortiClientEMS 7.4.5/7.4.6 (with hotfixes). CISA has mandated fixes for federal agencies, but CVE-2026-21643 remains absent from its KEV catalog despite confirmed in-the-wild use.
Last updated: 18:00 06/04/2026 UTC
  • **Unauthorized access detected in Dutch Ministry of Finance policy department systems** The Dutch Ministry of Finance disclosed a cybersecurity incident involving unauthorized access to systems within its policy department, initially detected on March 19, 2026. On March 23, 2026, the ministry took several systems offline—including the treasury banking portal—for forensic investigation, disrupting access for approximately 1,600 public institutions. Core treasury functions retained full access to funds, and payments continued via regular banking channels. The breach affected some employees but did not impact core financial operations such as tax collection or benefits administration. The investigation, supported by the National Cyber Security Center (NCSC), external forensic experts, and Dutch authorities, remains ongoing. No threat actor has claimed responsibility, and no confirmation of data exfiltration has been provided.
  • **TA415 (APT41) Abuses Velociraptor Forensic Tool for C2 Tunneling via Visual Studio Code** Unknown threat actors, identified as TA415 (APT41), deployed the open-source Velociraptor forensic tool to download and execute Visual Studio Code, likely for command-and-control (C2) tunneling. The attack leveraged legitimate software and Windows utilities to minimize malware deployment and maintain a foothold in the target environment. The attackers used Cloudflare Workers domains for staging and additional payloads, and the incident highlights the evolving tactics of threat actors using legitimate tools for malicious purposes. The attack began with the use of the Windows msiexec utility to download an MSI installer from a Cloudflare Workers domain. Velociraptor was then used to establish contact with another Cloudflare Workers domain, facilitating the download and execution of Visual Studio Code with tunneling capabilities. This allowed for remote access and code execution, potentially leading to further malicious activities such as ransomware deployment. The phishing campaign targeted US government, think tank, and academic organizations involved in US-China relations, economic policy, and international trade. The attackers impersonated the US-China Business Council and John Moolenaar, Chair of the Select Committee on Strategic Competition between the US and the Chinese Communist Party. The phishing messages contained links to password-protected archives hosted on cloud services, which included a shortcut (LNK) file and a hidden subfolder. Launching the LNK file executed a batch script that downloaded the VSCode Command Line Interface (CLI) from Microsoft’s servers, created a scheduled task for persistence, and established a VS Code remote tunnel authenticated via GitHub. The script also collected system information and the contents of various user directories, sending it to the attackers.
  • **Supply chain compromise in Trivy scanner triggers CanisterWorm propagation across CI/CD pipelines** Supply chain compromise in Trivy scanner triggers CanisterWorm propagation across CI/CD pipelines, now expanding to encompass additional open-source ecosystems and attributed to multiple advanced threat actors. The TeamPCP threat group continues to monetize stolen supply chain secrets through partnerships with extortion groups including Lapsus$ and the Vect ransomware operation, with Wiz (Google Cloud) confirming collaboration and horizontal movement across cloud environments. Cisco’s internal development environment was breached using stolen Trivy-linked credentials via a malicious GitHub Action, resulting in the theft of over 300 repositories, including proprietary AI product code and data belonging to corporate customers such as banks, BPOs, and US government agencies. Attackers also abused stolen AWS keys across a subset of Cisco’s cloud accounts, with multiple threat actors observed participating in the breach. New developments include the compromise of the Axios NPM package, a top-10 JavaScript library with over 400 million monthly downloads, via malicious versions 0.27.5 and 0.28.0. The attack delivered a multi-platform RAT through a malicious dependency impersonating crypto-js, with operational sophistication including pre-staging, platform-specific payloads, and anti-forensic cleanup. Initial attribution suggested TeamPCP involvement, but Google attributed the incident to UNC1069, a suspected North Korean actor linked to Lazarus Group, indicating potential actor diversification or false-flag operations. The Axios compromise highlights escalating tradecraft in open-source supply chain attacks, distinct from opportunistic infections and suggesting a focus on access brokering or targeted espionage rather than indiscriminate data theft.
  • **Russian UNC6353 Uses Coruna and Darksword iOS Exploit Kits Across iOS 13–18.7 Targeting Financial Espionage and Data Theft** Apple has expanded security updates for iOS 18.7.7 and iPadOS 18.7.7 to protect devices still running iOS 18 from the DarkSword exploit kit, without requiring full OS upgrades. This follows continued exploitation of DarkSword since July 2025 across multiple countries, with attacks leveraging six vulnerabilities to deploy data-stealing malware like GhostBlade, GhostKnife, and GhostSaber through watering hole attacks on compromised websites. The campaign remains linked to Russian threat actor UNC6353 and associated groups including UNC6748 and Turkish vendor PARS Defense, with Coruna and Darksword exploit kits now confirmed as closely related frameworks sharing origins in the 2019–2023 Operation Triangulation campaign. Coruna has evolved from a precision espionage tool into a mass-exploitation framework with 23 exploits across five chains, while Darksword targets iOS 18.4–18.7 and has been publicly leaked on GitHub. Apple has patched all exploited flaws in recent releases (18.7.3, 26.2, 26.3.1), and CISA has mandated federal agencies patch three DarkSword-linked vulnerabilities (CVE-2025-31277, CVE-2025-43510, CVE-2025-43520) by April 3, 2026. The commoditization of these iOS exploitation tools elevates risk to end-users globally.
  • **Qilin Ransomware Campaign: German Political Party and Endpoint Compromises** Qilin ransomware has been linked to a high-profile data theft incident targeting Die Linke, a major German political party with 123,000 members and 64 seats in the Bundestag. The group stole sensitive internal party data and personal information of headquarters employees, though the membership database was reportedly unaffected. Die Linke attributed the attack to Qilin, describing them as Russian-speaking cybercriminals with financial and political motivations, and suggested the incident may be part of hybrid warfare operations. The initial investigation focused on a Huntress Labs endpoint compromise where a rogue ScreenConnect instance was used to deploy malicious files and attempt disabling Windows Defender before ransomware deployment. Qilin operates as a ransomware-as-a-service (RaaS) variant with affiliates following diverse attack patterns.

Latest updates


Microsoft Support and Recovery Assistant utility deprecated in Windows updates

First: 06.04.2026 20:45 · 📰 1 src / 1 article

Microsoft has deprecated and removed the Support and Recovery Assistant (SaRA) command-line utility from all supported Windows versions starting March 10, 2026. The tool, which automated diagnostic tests for Office, Microsoft 365, Outlook, and Windows systems, has been superseded by the Get Help command-line tool, which offers similar capabilities with enhanced security infrastructure. The deprecation affects Windows 7 through Windows 11 systems and requires IT administrators to migrate from SaRA to the recommended GetHelpCmd.exe tool for endpoint troubleshooting. The transition is positioned as a security hardening measure to protect enterprise environments.

Storm-1175 Medusa ransomware affiliate exploits n-days and zero-days in rapid, multi-vector intrusions

First: 06.04.2026 19:56 · 📰 1 src / 1 article

Storm-1175, a China-based cybercriminal affiliate deploying Medusa ransomware, has escalated attacks by weaponizing n-day and zero-day vulnerabilities in rapid succession, often within days or even hours of discovery. The group targets exposed perimeter assets across multiple sectors—including healthcare, education, professional services, and finance—in Australia, the United Kingdom, and the United States. Exploitation chains involve initial access via chained vulnerabilities, followed by credential theft, persistence mechanisms such as new user account creation, deployment of remote monitoring tools, and security software disablement, culminating in Medusa ransomware deployment.

Drift Protocol administrative takeover and $285 million loss via Security Council manipulation on Solana

Updated: 06.04.2026 19:35 · First: 02.04.2026 22:03 · 📰 3 src / 3 articles

Drift Protocol’s April 1, 2026, $285 million loss was the culmination of a six-month in-person social engineering campaign, where North Korea-linked threat actors (UNC4736, a.k.a. AppleJeus/Labyrinth Chollima) infiltrated the ecosystem by posing as a quantitative trading firm at crypto conferences. The attackers compromised contributors via malicious code repositories (exploiting VSCode/Cursor vulnerabilities) and fraudulent TestFlight wallet applications, enabling them to hijack Security Council multisig controls. Post-takeover, they deployed the CarbonVote Token as collateral, removed withdrawal limits, and drained funds across deposits and trading accounts within minutes. Drift has frozen all protocol functions, flagged attacker wallets globally, and is collaborating with intelligence firms (Elliptic, TRM Labs) and law enforcement to trace and recover stolen assets. On-chain analysis confirms North Korean involvement, aligning with prior state-sponsored campaigns targeting crypto infrastructure.

Critical Fortinet Vulnerabilities: FortiCloud SSO Bypass and FortiClientEMS SQLi Patched

Updated: 06.04.2026 19:02 · First: 09.12.2025 20:36 · 📰 17 src / 48 articles

Fortinet has released **emergency patches** for **CVE-2026-35616**, a critical **improper access control flaw** in FortiClient EMS 7.4.5/7.4.6, enabling unauthenticated attackers to execute arbitrary code via crafted API requests. The vulnerability, described by Defused as a **pre-authentication API access bypass**, has been **actively exploited in zero-day attacks**, prompting CISA to add it to its **Known Exploited Vulnerabilities (KEV) catalog** on April 6, 2026. Federal agencies are required to patch by **April 9, 2026**, while all organizations are urged to apply hotfixes immediately or upgrade to **FortiClientEMS 7.4.7** upon release. This follows the **active exploitation of CVE-2026-21643**, a critical SQL injection (CVSS 9.1) in FortiClientEMS, and the **FortiCloud SSO authentication bypass (CVE-2026-24858, CVSS 9.4)**, both of which remain under widespread attack. Nearly **1,000 FortiClient EMS instances** and **over 25,000 FortiCloud SSO-enabled devices** are exposed online, with threat actors leveraging these flaws to create admin accounts, exfiltrate configurations, and deploy secondary payloads. Fortinet advises **disabling FortiCloud SSO**, restricting management interface access, and treating compromised systems as fully breached—requiring credential rotation and configuration restoration. Patches are available for **FortiOS 7.4.11+**, **FortiManager/Analyzer 7.4.10+**, and **FortiClientEMS 7.4.5/7.4.6 (with hotfixes)**.

Metro4Shell RCE Flaw Exploited in React Native CLI npm Package

Updated: 06.04.2026 18:31 · First: 03.02.2026 16:00 · 📰 2 src / 2 articles

Threat actors are actively exploiting a critical remote code execution (RCE) flaw (CVE-2025-11953, CVSS 9.8) in the Metro Development Server within the @react-native-community/cli npm package, enabling unauthenticated OS command execution. Exploits deliver a PowerShell script that disables Microsoft Defender exclusions and downloads a Rust-based binary with anti-analysis features from an attacker-controlled host. The attacks, first observed on December 21, 2025, originate from multiple IP addresses and indicate operational use rather than experimental probing. A separate campaign is exploiting React2Shell (CVE-2025-55182), a pre-authentication RCE flaw in React Server Components (RSCs) affecting Next.js applications, for large-scale credential theft. This campaign, attributed to UAT-10608, uses the NEXUS Listener automated tool to harvest credentials, SSH keys, cloud tokens, and environment secrets from at least 766 compromised hosts across multiple industries and regions. Attackers leverage automated scanning to identify vulnerable deployments and deploy NEXUS Listener for post-exploitation data collection and further malicious activity.

Credential exposure risk amplified by infostealer campaigns necessitates continuous dark web monitoring beyond MFA and EDR

First: 06.04.2026 17:02 · 📰 1 src / 1 article

Organizations relying on periodic breach checks, MFA, and EDR remain vulnerable to credential theft via infostealers. Stolen credentials, including session tokens and cookies, bypass authentication controls and enable rapid enterprise network access. In 2025, 4.17 billion compromised credentials were observed, with infostealers like LummaC2, Rhadamanthys, and Atomic macOS Stealer (AMOS) evading legacy defenses. Credential-related breaches now average $4.81–4.88 million per incident, underscoring the need for continuous, forensic-grade monitoring and automated response.

OWASP GenAI Security Project expands risk matrix with GenAI and agentic AI focus

First: 06.04.2026 16:49 · 📰 1 src / 1 article

The OWASP Foundation updated its GenAI Security Project to address evolving risks in generative and agentic AI ecosystems, publishing two new solution guides and a data security risks list. The project now tracks over 170 providers, expanding from 50, and documents 21 risks for GenAI systems while introducing 21 GenAI Data Security risks. Updates reflect rapid adoption of AI technologies and growing attack surfaces, including vulnerabilities in emerging protocols like MCP and A2A. Security concerns highlighted include sensitive data leakage, prompt injection, unsafe tool execution, goal drift, and inter-agent collusion. The project emphasizes the need for visibility into AI agent activity and introduces a six-month update cadence to reflect stabilizing but still dynamic industry development.

Cross-platform cyberattack campaigns exploiting macOS, Windows, Linux, and mobile devices escalate enterprise SOC operational gaps

First: 06.04.2026 16:00 · 📰 1 src / 1 article

Enterprise security operations centers (SOCs) face escalating operational gaps due to multi-platform cyberattack campaigns that exploit fragmented detection and response workflows across Windows endpoints, macOS devices, Linux infrastructure, and mobile platforms. Attackers leverage platform-specific behaviors to evade early triage, split investigations, and delay containment, increasing credential theft, persistence establishment, and lateral movement opportunities. SOC inefficiencies—such as delayed validations, fragmented evidence, and escalation bottlenecks—create measurable business exposure windows where threats advance before detection and response processes consolidate. Campaigns such as ClickFix illustrate how threat actors customize execution paths per operating system, using deceptive techniques (e.g., Google ad redirects to fake documentation pages) to deliver platform-specific payloads like AMOS Stealer and persistent backdoors.

WAVESHAPER.V2 malware distributed via compromised Axios npm package attributed to UNC1069

First: 06.04.2026 15:46 · 📰 1 src / 1 article

A financially motivated North Korean-aligned threat actor with the moniker UNC1069 compromised the npm account of the maintainer of the Axios library, a widely used HTTP client with approximately 100 million weekly downloads, to publish malicious versions containing the cross-platform WAVESHAPER.V2 malware. The malicious builds were available for only a few hours but were automatically pulled into downstream environments via CI/CD pipelines and dependency chains, exposing enterprises that never directly installed Axios. The malware implements anti-forensic cleanup mechanisms and leverages the build pipeline as the new front line for software supply chain compromise at scale.

TeamPCP escalates CanisterWorm campaign with geopolitical targeting and multi-vector attacks

Updated: 06.04.2026 14:45 · First: 21.03.2026 09:28 · 📰 7 src / 11 articles

TeamPCP has escalated its multi-vector CanisterWorm campaign into a geopolitically targeted operation, compromising trusted PyPI packages (LiteLLM versions 1.82.7–1.82.8 and Telnyx versions 4.87.1–4.87.2) to deliver credential-stealing malware that harvests SSH keys, cloud credentials, Kubernetes secrets, database credentials, cryptocurrency wallets, TLS/SSL private keys, and bash history files. The malware exfiltrates stolen data to attacker-controlled infrastructure and establishes persistent backdoors, with evidence linking TeamPCP to the Vectr ransomware group for follow-on operations. The campaign began as a supply-chain attack involving 47 compromised npm packages and escalated to include GitHub repository hijacking (e.g., Aqua Security), Docker Hub compromise, and direct targeting of CI/CD pipelines via GitHub Actions workflows (e.g., Checkmarx, Trivy). Recent compromises of LiteLLM and Telnyx demonstrate rapid iteration and maturation of supply-chain attack methodology, while destructive payloads targeting Iranian systems in Kubernetes environments (e.g., time-zone/locale-based wipers) highlight the group’s geopolitical alignment. The LiteLLM compromise specifically turned developer endpoints into systematic credential harvesting operations, with malware activating during installation/updates and cascading through transitive dependencies (e.g., dspy, opik) to affect organizations that never directly used LiteLLM.

German authorities identify and disclose UNKN as Daniil Shchukin, alleged leader of GandCrab and REvil ransomware operations

First: 06.04.2026 05:07 · 📰 1 src / 1 article

German authorities via the Federal Criminal Police (BKA) have publicly identified 31-year-old Russian national Daniil Maksimovich Shchukin as UNKN, the alleged head of the GandCrab and REvil ransomware operations. Between 2019 and 2021, Shchukin and a co-defendant are accused of conducting at least 130 cyberattacks across Germany, extorting nearly €2 million from 24 victims while causing over €35 million in economic damage. Shchukin is believed to be residing in Krasnodar, Russia, and remains at large despite international law enforcement scrutiny.

QR code-based phishing campaign impersonates court notices for traffic violations

First: 05.04.2026 22:44 · 📰 1 src / 1 article

A phishing campaign distributing fraudulent court notices via SMS targets U.S. residents with fake traffic violation claims, instructing recipients to scan a QR code that leads to a credential-stealing site. The messages impersonate state courts or DMVs and demand a $6.99 payment under threat of court action. Recipients across multiple states including New York, California, and Texas have reported the campaign, which uses CAPTCHAs and intermediary domains to evade detection. Scanned QR codes redirect victims to spoofed agency portals where personal and financial data is harvested.

Automated credential theft campaign leveraging React2Shell vulnerability (CVE-2025-55182) in Next.js applications

First: 05.04.2026 17:17 · 📰 1 src / 1 article

A large-scale automated credential theft campaign has compromised at least 766 hosts across multiple cloud providers and geographies by exploiting the React2Shell vulnerability (CVE-2025-55182) in vulnerable Next.js applications. The attack leverages a framework called NEXUS Listener and automated scripts to extract and exfiltrate sensitive data, including database credentials, AWS and cloud tokens, SSH private keys, API keys, environment secrets, Kubernetes tokens, Docker information, command history, and process data. The exfiltration occurs in chunks via HTTP requests over port 8080 to a command-and-control server running the NEXUS Listener component.

Targeted social engineering of Axios maintainer enables UNC1069 npm supply chain compromise via WAVESHAPER.V2 implant

Updated: 04.04.2026 23:30 · First: 03.04.2026 14:04 · 📰 2 src / 2 articles

A maintainer of the widely used Axios npm package was targeted in a highly tailored social engineering campaign attributed to North Korean threat actor UNC1069, resulting in the compromise of npm account credentials and the publication of two trojanized versions of Axios (1.14.1 and 0.30.4). Google Threat Intelligence Group (GTIG) attributed the attack to UNC1069 based on the use of WAVESHAPER.V2 and infrastructure overlaps with past activities. The malicious packages were available for roughly three hours and injected a plain-crypto-js dependency that installed a cross-platform RAT, enabling credential theft and downstream compromise. The campaign also targeted additional maintainers, including Pelle Wessman (Mocha framework) and Node.js core contributors, revealing a coordinated effort against high-impact maintainers. The intrusion began with reconnaissance-driven impersonation of a legitimate company founder, engagement via a cloned Slack workspace and Microsoft Teams call, and execution of a fake system update that deployed the RAT. Post-incident, the maintainer reset devices, rotated all credentials, adopted immutable releases, introduced OIDC-based publishing flows, and updated GitHub Actions workflows to mitigate future risks.

Widespread OAuth Device Code Phishing Campaign Targets Microsoft 365 via EvilTokens PhaaS

Updated: 04.04.2026 17:17 · First: 25.03.2026 13:34 · 📰 3 src / 3 articles

A rapidly escalating device code phishing campaign continues to target Microsoft 365 accounts across at least 340 organizations in multiple countries since mid-February 2026, with attacks surging 37.5 times in early 2026 compared to baseline levels at the start of March. The campaign abuses legitimate OAuth device authorization flows to harvest credentials and establish persistent access tokens, primarily via the EvilTokens PhaaS platform and at least 10 other competing phishing kits (e.g., VENOM, DOCUPOLL, SHAREFILE). These attacks now incorporate advanced features such as anti-bot evasion techniques, multi-hop redirect chains leveraging legitimate vendor services, and SaaS-themed lures impersonating business content (e.g., DocuSign, SharePoint, Adobe Acrobat). The EvilTokens platform, sold over Telegram, has democratized device code phishing, enabling low-skilled cybercriminals to execute attacks that grant persistent access to victim accounts, including email, files, Teams data, and SSO impersonation capabilities. The campaign’s global reach extends to at least 10 countries, with sectors including construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government being targeted. Mitigation efforts focus on disabling the device code flow via conditional access policies and monitoring for anomalous authentication events.

App Store Privacy Labels Under Scrutiny for Inconsistency and Limited User Protection

Updated: · First: 04.04.2026 00:05 · 📰 1 src / 1 article

App store privacy labels intended to inform users about mobile app data collection, usage, and sharing practices suffer from inconsistent methodologies, inaccuracies, and limited utility despite adoption by Apple and Google. Research indicates labels are often inaccurate due to misunderstandings or honest errors rather than malicious intent, with Apple and Google defining data collection differently. Experts argue labels alone do not enhance privacy protections and may create a false sense of security. Proposed improvements include standardization, verification tools, and integration of privacy filters in app discovery systems.

LinkedIn’s browser fingerprinting expands to over 6,000 Chrome extensions

Updated: · First: 03.04.2026 23:40 · 📰 1 src / 1 article

Microsoft’s LinkedIn deploys hidden JavaScript on its platform to fingerprint visitors’ browsers by detecting over 6,000 installed Chrome extensions and collecting extensive device metadata. The technique links extension presence to user profiles and is framed by LinkedIn as a method to identify and block scraping extensions violating its terms of service. Independent testing confirms the detection of 6,236 extensions via resource-access checks, up from approximately 2,000 in 2025 and 3,000 two months prior. The scope raises privacy concerns as the collected data can uniquely identify browsers and may enable tracking across sites, though LinkedIn asserts the data is used solely to protect platform integrity and member accounts.

Unauthorized access to Hims & Hers Zendesk support tickets by ShinyHunters via compromised Okta SSO

Updated: · First: 03.04.2026 20:41 · 📰 1 src / 1 article

Unauthorized access to Hims & Hers Health’s Zendesk customer service platform led to the exfiltration of support tickets between February 4 and February 7, 2026, exposing personal information of individuals who interacted with the company’s telehealth services. The incident was attributed to the ShinyHunters extortion gang, which leveraged a compromised Okta SSO account to gain access to Zendesk. No medical records or communications were compromised. The company disclosed the incident on April 3, 2026, and is offering 12 months of free credit monitoring to affected individuals.

Qilin Ransomware Campaign: German Political Party and Endpoint Compromises

Updated: 03.04.2026 19:36 · First: 22.11.2025 15:45 · 📰 2 src / 3 articles

Qilin ransomware has been linked to a high-profile data theft incident targeting Die Linke, a major German political party with 123,000 members and 64 seats in the Bundestag. The group stole sensitive internal party data and personal information of headquarters employees, though the membership database was reportedly unaffected. Die Linke attributed the attack to Qilin, describing them as Russian-speaking cybercriminals with financial and political motivations, and suggested the incident may be part of hybrid warfare operations. The initial investigation focused on a Huntress Labs endpoint compromise in which a rogue ScreenConnect instance was used to deploy malicious files and attempt to disable Windows Defender before ransomware deployment. Qilin operates as a ransomware-as-a-service (RaaS) variant whose affiliates follow diverse attack patterns.

PHP Web Shells Leveraging Cookie-Based Control Channels for Persistent RCE on Linux Servers

Updated: · First: 03.04.2026 18:32 · 📰 1 src / 1 article

Threat actors are deploying PHP-based web shells on Linux servers that use HTTP cookies as a control channel to execute malicious commands and maintain persistent remote code execution (RCE). These shells remain dormant under normal traffic and activate only when specific, attacker-supplied cookie values are present, evading detection in logs and web traffic inspection. The technique integrates with cron jobs to reinstall the shell if removed, creating a self-healing persistence mechanism. Initial access is commonly achieved via valid credentials or exploitation of known vulnerabilities, and the approach leverages legitimate execution paths within web server processes and control panels.

Multi-extortion ransomware attacks surge in 2025-2026 with healthcare, finance, and manufacturing sectors heavily impacted

Updated: · First: 03.04.2026 17:05 · 📰 1 src / 1 article

Multi-extortion ransomware campaigns have escalated into a dominant threat model by 2026, combining data encryption with direct exfiltration, customer coercion, and operational disruption. In February 2026, the University of Mississippi Medical Center (UMMC) experienced a ransomware attack that disrupted Epic EHR systems across 35 clinics and 200+ telehealth sites, forcing chemotherapy cancellations and non-emergency surgery postponements. The healthcare sector alone saw 93% of U.S. organizations reporting at least one cyberattack in 2025, with 72% indicating direct patient care disruption, while payment processor BridgePay suffered a February 2026 incident that took payment APIs, terminals, and pages offline. Publicly disclosed ransomware attacks surged 49% year-over-year in 2025 to 1,174 confirmed incidents, reflecting the rapid evolution of ransomware from simple encryption to multi-stage extortion tactics leveraging data theft, operational sabotage, and reputational leverage.

CrowdStrike Falcon Next-Gen SIEM integration adds Microsoft Defender telemetry ingestion and expands Azure Marketplace availability

Updated: · First: 03.04.2026 14:53 · 📰 1 src / 1 article

CrowdStrike announced integration of Microsoft Defender for Endpoint telemetry into its Falcon Next-Gen SIEM platform, enabling unified threat detection and analytics across third-party endpoint technologies. The integration allows direct ingestion of Defender data, accelerating threat detection through smart filtering and real-time analytics while maintaining interoperability with non-CrowdStrike endpoint solutions. CrowdStrike also launched Falcon Onum, a log management tool acquired in 2024, to scale Defender telemetry processing within the SIEM. Additionally, CrowdStrike solutions became available in the Microsoft Marketplace for the first time, expanding its enterprise reach through Azure Consumption Commitment funds.

Third-party risk management emerges as critical frontline security challenge amid rising supply chain breaches

Updated: · First: 03.04.2026 14:00 · 📰 1 src / 1 article

Organizations face an expanding and increasingly unmanaged third-party attack surface as vendor ecosystems evolve, regulatory scrutiny intensifies, and breaches involving external providers drive significant financial and operational impact. The dissolution of traditional network perimeters has shifted accountability for security and compliance to interconnected ecosystems of SaaS platforms, vendor APIs, and subcontractors, many of which remain invisible to internal IT teams. Industry reports indicate third-party involvement in 30% of breaches with average remediation costs reaching $4.91 million, prompting a fundamental reevaluation of vendor oversight from compliance checkbox to core risk governance function.

SparkCat malware variant expands OCR-based crypto recovery phrase theft to iOS and enhanced Android targets

Updated: · First: 03.04.2026 12:10 · 📰 1 src / 1 article

A newly identified variant of the SparkCat malware has been observed on the Apple App Store and Google Play Store, camouflaged within legitimate-looking applications such as enterprise messengers and food delivery services. The malware specifically targets cryptocurrency users by scanning mobile device photo galleries for images containing wallet recovery phrases using optical character recognition (OCR). The iOS version scans for English mnemonics, broadening its potential geographic impact, while the Android iteration focuses on Japanese, Korean, and Chinese keywords. Exfiltrated images are sent to attacker-controlled servers.

Former engineer pleads guilty to Windows domain compromise and extortion plot at New Jersey industrial company

Updated: · First: 03.04.2026 12:04 · 📰 1 src / 1 article

A former core infrastructure engineer pleaded guilty to remotely compromising a Windows domain at his employer, an industrial firm in Somerset County, New Jersey, by deleting dozens of domain admin accounts, locking out thousands of users, and scheduling mass shutdowns to extort the company. Between November 9 and November 25, 2023, Daniel Rhyne used an unauthorized administrator account to schedule tasks via Windows Task Scheduler on the domain controller, altering 13 domain admin and 301 user passwords and preparing to affect 3,284 workstations and 254 servers. On November 25, he sent a ransom email demanding 20 bitcoin (~$750,000 at the time) or daily server shutdowns, falsely claiming backups were deleted to prevent recovery. The plot began to unravel when administrators received password reset notifications and discovered domain admin accounts had been deleted, cutting off domain-wide administrative access. Investigators found Rhyne had researched log-clearing, password changes, and account deletion techniques at least one week prior using both his laptop and a hidden virtual machine.

Global C-Suite credential theft campaign leverages undocumented Venom PhaaS with AiTM bypass

Updated: · First: 03.04.2026 11:00 · 📰 1 src / 1 article

A credential theft campaign from November 2025 to March 2026 targeted C-suite executives and senior personnel at major organizations worldwide using a previously undocumented phishing-as-a-service (PhaaS) platform named Venom. The campaign used SharePoint-themed lures with embedded QR codes to deliver a multi-stage phishing workflow designed to harvest credentials and bypass multifactor authentication (MFA). Email content included randomized HTML, fabricated email threads, and personalized sender impersonation to evade detection. Victims who passed automated checks were routed to credential harvesters that mimicked legitimate login portals via adversary-in-the-middle (AiTM) techniques, including pre-filled email fields, corporate branding, and identity provider integration. Compromised sessions maintained persistence even after password resets due to valid refresh tokens, unless administrators manually revoked active sessions.

Forced Windows 11 25H2 upgrades commence for unmanaged Home and Pro 24H2 systems

Updated: · First: 03.04.2026 10:55 · 📰 1 src / 1 article

Microsoft has initiated automated upgrades of unmanaged Windows 11 24H2 Home and Pro devices to Windows 11 25H2, effective April 2026, due to the approaching end-of-support date for 24H2 on October 13, 2026. Unmanaged systems will no longer receive security updates, technical support, or critical fixes after that date unless upgraded. The rollout uses Microsoft’s machine-learning-driven intelligent update system and does not require user action, though restart timing can be controlled or updates paused temporarily. The upgrade path is available via Windows Update and includes access to Microsoft’s official support documentation and troubleshooting guides for the 25H2 transition.

CERT-EU attributes European Commission cloud breach to TeamPCP with data exfiltration across 71 entities

Updated: · First: 03.04.2026 09:33 · 📰 1 src / 1 article

The European Commission disclosed a breach of its Amazon cloud environment attributed to the TeamPCP threat group, resulting in the exposure of data belonging to 42 internal Commission entities and at least 29 additional EU entities. The intrusion, initially detected on March 24 — five days after the initial compromise — stemmed from a compromised AWS API key with management rights, stolen during the Trivy supply-chain attack, which was used to breach the Commission’s Amazon cloud infrastructure on March 10. TeamPCP subsequently leveraged cloud credential scanning tools like TruffleHog to locate and exfiltrate sensitive data, including tens of thousands of files with personal information, usernames, and email content. On March 28, the ShinyHunters data extortion group published a 90GB archive (340GB uncompressed) of the stolen dataset on a dark web leak site, containing personal data, email addresses, and content that may span multiple EU entities. No evidence of website defacement or lateral movement to other Commission AWS accounts was found.

Vidar infostealer propagated via malicious GitHub repositories exploiting exposed Claude Code source code

Updated: · First: 02.04.2026 23:30 · 📰 1 src / 1 article

Threat actors leveraged the accidental public exposure of Anthropic’s Claude Code source code to distribute the Vidar information-stealing malware through fraudulent GitHub repositories. Attackers created fake repositories posing as the leaked code, optimized for SEO to appear prominently in search results for queries related to the leak. Downloads from these repositories delivered a 7-Zip archive containing a Rust-based dropper (ClaudeCode_x64.exe) that installed Vidar infostealer along with the GhostSocks traffic proxying tool. The malicious archive is actively updated, indicating ongoing iteration of payloads and tactics.

Residential proxy networks evade detection in 78% of malicious sessions due to short-lived IP rotation

Updated: · First: 02.04.2026 18:21 · 📰 1 src / 1 article

Analysis of 4 billion malicious sessions over three months reveals that residential proxy networks evade IP reputation systems in 78% of cases, challenging traditional network defense assumptions based on traffic origin. The evasion occurs as residential IPs used for malicious activity are predominantly short-lived, active for less than one month in 89.7% of cases and rarely persisting beyond three months. The transient nature of these IPs, combined with rotation tactics, prevents reputation feeds from cataloging malicious infrastructure in time. Roughly 39% of malicious sessions originate from residential networks, yet most remain undetected by reputation systems. The findings highlight the limitations of IP-based defense mechanisms and the need for behavioral detection methods to identify sequential probing, protocol misuse, and device fingerprinting patterns.