CyberHappenings

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

News Summary

Last updated: 08:30 11/03/2026 UTC
  • Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data: Salesforce is warning customers of an escalating mass-scanning campaign targeting misconfigured Experience Cloud instances, now linked to ShinyHunters (UNC6240), which claims to have breached hundreds of companies—including 100 high-profile organizations—by exploiting overly permissive guest user permissions. The attackers are using a modified AuraInspector tool to extract data directly via the /s/sfsites/aura API endpoint, bypassing authentication for CRM objects. Salesforce emphasizes that this stems from customer misconfigurations, not a platform flaw, and urges immediate mitigation: auditing guest user permissions, setting org-wide defaults to Private, disabling public API access for guests, and reviewing Aura Event Monitoring logs for anomalies. This follows the August 2025 Salesloft Drift OAuth breach, where UNC6395/GRUB1 stole tokens to access Salesforce customer data, impacting over 700 organizations (e.g., Zscaler, Palo Alto Networks, Cloudflare). While earlier waves relied on stolen OAuth tokens, the latest campaign marks a shift to exploiting misconfigured guest access—though ShinyHunters is implicated in both. Salesforce and partners have revoked compromised tokens and disabled vulnerable integrations, but the new Aura/Experience Cloud attacks highlight persistent risks from improperly secured public-facing portals. The harvested data (e.g., names, phone numbers) is repurposed for follow-on vishing and social engineering, aligning with broader identity-based targeting trends.
  • Zombie ZIP Technique Bypasses Security Tools: A new technique called 'Zombie ZIP' allows malware to evade detection by security tools by manipulating ZIP file headers. The method tricks security solutions into scanning compressed data as uncompressed, hiding the payload. The technique works against 50 out of 51 antivirus engines on VirusTotal. A proof-of-concept (PoC) has been published, and CERT/CC has issued a bulletin warning about the risks. The issue is similar to a vulnerability disclosed in 2004. The technique involves setting the ZIP Method field to STORED (Method=0), causing security tools to scan the data as raw uncompressed bytes. However, the data is actually DEFLATE compressed, making the scanner see compressed noise and miss malware signatures. A custom loader can ignore the header and decompress the data correctly. CERT/CC recommends that security tool vendors validate compression method fields, detect inconsistencies in archive structure, and implement more aggressive archive inspection modes. Users are advised to be cautious with archive files, especially from unknown sources.
  • Windows 11 KB5070311 Update Addresses File Explorer and Search Issues: Microsoft has released the KB5070311 optional preview cumulative update for Windows 11, addressing File Explorer freezes, search issues, and other bugs. The update includes 49 changes and is part of the monthly preview updates that precede Patch Tuesday releases. It fixes issues with explorer.exe process responsiveness, SMB share search problems, and LSASS instability. However, the update also introduced a new bug causing bright white flashes when launching File Explorer in dark mode. Microsoft has since fixed this issue with the December KB5072033 Patch Tuesday cumulative update. The update is available for manual installation and updates Windows 11 25H2 and 24H2 devices to builds 26200.7309 and 26100.7309, respectively. Additionally, Microsoft announced there will be no preview update in December 2025 due to minimal operations during the Western holidays, with normal updates resuming in January 2026. Microsoft is still working to fully address the File Explorer white flash issue in dark mode, with the bug fix rolling out to all Windows Insiders in the Beta and Dev channels who install the Windows 11 Build 26220.7961 (KB5079382) and Windows 11 Build 26300.7965 (KB5079385) preview builds. The latest Windows 11 preview builds also add support for voice typing (Windows key plus H) when renaming files in File Explorer and improve reliability when unblocking files downloaded from the internet to preview them in File Explorer. Starting in November, Microsoft began testing an optional Windows 11 feature that preloads File Explorer in the background to improve performance and speed up launch times.
  • Microsoft March 2026 Patch Tuesday Addresses 2 Zero-Days and 83 Flaws: Microsoft's March 2026 Patch Tuesday addresses 83 vulnerabilities, including 2 publicly disclosed zero-day flaws. The updates fix critical vulnerabilities, including remote code execution flaws and information disclosure flaws. The patches cover a range of vulnerabilities, including elevation of privilege, security feature bypass, remote code execution, information disclosure, denial of service, and spoofing. Notably, CVE-2026-21262 allows attackers to elevate privileges to sysadmin over a network on SQL Server 2016 and later editions. Additionally, Microsoft fixed two remote code execution bugs in Microsoft Office that can be exploited via the preview pane. A notable flaw in Microsoft Excel could allow data exfiltration via Microsoft Copilot. The updates also include patches for nine browser vulnerabilities and an out-of-band update for Windows Server 2022 to address a certificate renewal issue with Windows Hello for Business.
  • Malicious Rust Crates and AI Bot Target CI/CD Pipelines to Steal Secrets: Five malicious Rust crates were discovered masquerading as time-related utilities to exfiltrate .env files containing sensitive developer secrets. Additionally, an AI-powered bot named hackerbot-claw targeted CI/CD pipelines in major open-source repositories to harvest developer secrets. The Rust crates were published between late February and early March 2026, while the AI bot campaign occurred between February 21 and February 28, 2026. The impact includes potential compromise of downstream users and deeper access to environments, including cloud services and GitHub tokens.
  • KadNap Botnet Hijacks ASUS Routers for Cybercrime Proxy Network: A new botnet named KadNap targets ASUS routers and other edge networking devices, turning them into proxies for malicious traffic. Since August 2025, it has grown to 14,000 devices, using a peer-to-peer network and a custom Kademlia Distributed Hash Table (DHT) protocol to evade detection. The botnet is linked to the Doppelganger proxy service, which sells access to infected devices for cybercrime activities. Most infected devices are located in the United States (60%), followed by Taiwan, Hong Kong, and Russia. The infection begins with a malicious script that downloads an ELF binary, establishing persistence via a cron job. The botnet uses NTP servers for time synchronization and a modified Kademlia protocol for communication, making it difficult to identify and disrupt the command-and-control (C2) infrastructure. Lumen Technologies has taken proactive measures to block network traffic to and from the control infrastructure, but the disruption is limited to their network. Indicators of compromise will be released to help others disrupt the botnet. KadNap malware uses a shell script (aic.sh) downloaded from the C2 server (212.104.141[.]140) to initiate the process of conscripting the victim to the P2P network. The malware creates a cron job to retrieve the shell script from the server at the 55-minute mark of every hour, rename it to .asusrouter, and run it. Once persistence is established, the script pulls a malicious ELF file, renames it to kad, and executes it. The files fwr.sh and /tmp/.sose contain functionality to close port 22, the standard TCP port for Secure Shell (SSH), on the infected device and extract a list of C2 IP address:port combinations to connect to.
  • Ericsson US Data Breach via Service Provider Compromise: Ericsson Inc., the U.S. subsidiary of Ericsson, disclosed a data breach affecting 15,661 employees and customers. The breach occurred after attackers compromised a service provider storing personal data for Ericsson. The incident was detected on April 28, 2025, with unauthorized access occurring between April 17 and April 22, 2025. The exposed data includes names, addresses, Social Security Numbers, financial information, and medical records. Ericsson is offering free identity protection services to affected individuals. The breach was reported to the FBI, and an investigation was conducted with external cybersecurity experts. No evidence of data misuse has been found, and no cybercrime group has claimed responsibility.
Last updated: 09:15 11/03/2026 UTC
  • U.S. Secret Service Seizes SIM Servers and Cards Near UN General Assembly: The U.S. Secret Service has seized 300 SIM servers and 100,000 SIM cards in the New York tri-state area, which were used to threaten U.S. government officials and posed an imminent threat to national security. The seizure occurred near the United Nations General Assembly, and the devices could be weaponized for various attacks on telecommunications infrastructure. The FBI is also investigating a breach affecting systems used to manage surveillance and wiretap warrants, which was addressed but details on scope and impact remain undisclosed. Early evidence suggests involvement of nation-state threat actors, including the Chinese hacker group Salt Typhoon, which compromised U.S. federal government systems for court-authorized network wiretapping requests in 2024. The FBI began investigating abnormal log information related to a system on its network on February 17, 2026, and the affected system contains law enforcement sensitive information, including returns from legal process such as pen register and trap and trace surveillance returns, and personally identifiable information pertaining to subjects of FBI investigations.
  • Ransomware attack disrupts University of Mississippi Medical Center operations: The University of Mississippi Medical Center (UMMC) has resumed normal operations nine days after a ransomware attack disrupted IT systems and blocked access to electronic medical records. All clinics statewide have reopened, and UMMC is working to reschedule missed appointments. The attack led to the cancellation of outpatient procedures, ambulatory surgeries, and imaging appointments, but hospital operations continued using downtime procedures. UMMC is investigating with assistance from CISA, the FBI, and the Department of Homeland Security. The attackers have communicated with UMMC, but no ransomware group has claimed responsibility. UMMC operates seven hospitals, 35 clinics, and over 200 telehealth sites statewide, including the state's only organ and bone marrow transplant program, the only children's hospital, the only Level I trauma center, and one of two Telehealth Centers of Excellence in the United States.
  • QuickLens Chrome Extension Compromised to Steal Cryptocurrency and Credentials: The QuickLens Chrome extension, initially a legitimate tool for Google Lens searches, was compromised to push malware and steal cryptocurrency and credentials from approximately 7,000 users. The malicious version 5.8, released on February 17, 2026, introduced ClickFix attacks and info-stealing functionality. The extension was removed from the Chrome Web Store by Google after the discovery. The compromised extension stripped browser security headers, communicated with a command-and-control (C2) server, and executed malicious JavaScript scripts on every page load. It targeted various cryptocurrency wallets, login credentials, payment information, and sensitive form data. The extension was sold on ExtensionHub on October 11, 2025, and ownership changed to '[email protected]' on February 1, 2026. The malicious update introduced code to fingerprint the user's country, detect the browser and operating system, and poll an external server every five minutes to receive JavaScript. The JavaScript code is stored in the browser's local storage and executed on every page load by adding a hidden 1x1 GIF <img> element. The same threat actor is behind the compromise of the QuickLens and ShotBird extensions, using an identical command-and-control (C2) architecture pattern. Users are advised to remove the extension, scan their devices for malware, and reset passwords.
  • Phobos Ransomware Suspect Arrested in Poland: Polish authorities have arrested a 47-year-old man suspected of ties to the Phobos ransomware group. The arrest is part of "Operation Aether," a broader international effort coordinated by Europol. The suspect was found with stolen credentials, credit card numbers, and server access data, which could facilitate ransomware attacks. The suspect faces charges under Article 269b of Poland's Criminal Code, with a maximum prison sentence of five years if found guilty. Operation Aether has targeted Phobos-linked individuals at multiple levels, including backend infrastructure operators and affiliates involved in network intrusions and data encryption. The operation has led to the extradition of a key Phobos administrator to the United States and the seizure of 27 servers in Thailand. A Russian national, Evgenii Ptitsyn, pleaded guilty to a wire fraud conspiracy charge related to his role in administering the Phobos ransomware operation. Ptitsyn was extradited from South Korea in November 2024 and is facing up to 20 years in prison. The Phobos ransomware gang has collected over $39 million from more than 1,000 victims worldwide.
  • OpenAI's Aardvark agent for automated code vulnerability detection and patching: OpenAI has introduced Aardvark, an agentic security researcher powered by GPT-5, designed to automatically detect, assess, and patch security vulnerabilities in code repositories. The agent integrates into the software development pipeline to continuously monitor code changes and propose fixes. Aardvark has already identified at least 10 CVEs in open-source projects during its beta testing phase. The agent uses GPT-5's advanced reasoning capabilities and a sandboxed environment to validate and patch vulnerabilities. OpenAI envisions Aardvark as a tool to enhance security without hindering innovation. OpenAI has rolled out Codex Security, an evolution of Aardvark, which is available in a research preview to ChatGPT Pro, Enterprise, Business, and Edu customers. Codex Security has scanned over 1.2 million commits, identifying 792 critical and 10,561 high-severity findings. The tool leverages advanced models and automated validation to minimize false positives and propose actionable fixes.

Latest updates


Microsoft March 2026 Patch Tuesday Addresses 2 Zero-Days and 84 Flaws

Updated: 11.03.2026 11:20 · First: 10.03.2026 19:49 · 📰 5 src / 5 articles

Microsoft's March 2026 Patch Tuesday addresses 84 vulnerabilities, including 2 publicly disclosed zero-day flaws. The updates fix critical vulnerabilities, including remote code execution flaws and information disclosure flaws. The patches cover a range of vulnerabilities, including elevation of privilege, security feature bypass, remote code execution, information disclosure, denial of service, and spoofing. Notably, CVE-2026-21262 allows attackers to elevate privileges to sysadmin over a network on SQL Server 2016 and later editions. Additionally, Microsoft fixed two remote code execution bugs in Microsoft Office that can be exploited via the preview pane. A notable flaw in Microsoft Excel could allow data exfiltration via Microsoft Copilot. The updates also include patches for nine browser vulnerabilities and an out-of-band update for Windows Server 2022 to address a certificate renewal issue with Windows Hello for Business. Microsoft is changing the default behavior of Windows Autopatch to enable hotpatch security updates starting with the May 2026 Windows security update.

Malicious nx Packages Exfiltrate Credentials in 's1ngularity' Supply Chain Attack

Updated: 11.03.2026 09:31 · First: 28.08.2025 13:36 · 📰 17 src / 26 articles

The **UNC6426** threat actor has weaponized credentials stolen during the August 2025 **nx npm supply-chain attack** to execute a rapid cloud breach, escalating from a compromised GitHub token to **full AWS administrator access in under 72 hours**. By abusing GitHub-to-AWS OpenID Connect (OIDC) trust, the attacker deployed a new IAM role with `AdministratorAccess`, exfiltrated S3 bucket data, terminated production EC2/RDS instances, and **publicly exposed the victim’s private repositories** under the `/s1ngularity-repository-[randomcharacters]` naming scheme. This follows the broader *Shai-Hulud* and *SANDWORM_MODE* campaigns, which collectively compromised **over 400,000 secrets** via trojanized npm packages, GitHub Actions abuse, and AI-assisted credential harvesting (e.g., QUIETVAULT malware leveraging LLM tools). The attack chain began with the **Pwn Request** exploitation of a vulnerable `pull_request_target` workflow in nx, leading to trojanized package publication and theft of GitHub Personal Access Tokens (PATs). UNC6426 later used tools like **Nord Stream** to extract CI/CD secrets, highlighting the risks of **overprivileged OIDC roles** and **standing cloud permissions**. Researchers warn of escalating supply chain risks, including **self-propagating worms** (Shai-Hulud), **PackageGate vulnerabilities** bypassing npm defenses, and **AI-assisted prompt injection** targeting developer workflows. Mitigations include disabling postinstall scripts, enforcing least-privilege access, and rotating all credentials tied to npm, GitHub, and cloud providers.

Malicious Rust Crates and AI Bot Target CI/CD Pipelines to Steal Secrets

First: 11.03.2026 07:12 · 📰 1 src / 1 articles

Five malicious Rust crates were discovered masquerading as time-related utilities to exfiltrate .env files containing sensitive developer secrets. Additionally, an AI-powered bot named hackerbot-claw targeted CI/CD pipelines in major open-source repositories to harvest developer secrets. The Rust crates were published between late February and early March 2026, while the AI bot campaign occurred between February 21 and February 28, 2026. The impact includes potential compromise of downstream users and deeper access to environments, including cloud services and GitHub tokens.

BlackSanta EDR Killer Targets HR Departments with Stealthy Malware Campaign

First: 11.03.2026 00:57 · 📰 1 src / 1 articles

A Russian-speaking threat actor has been targeting HR departments with a sophisticated malware campaign that delivers a new EDR killer named BlackSanta. The campaign employs social engineering and advanced evasion techniques to steal sensitive information from compromised systems. The malware is suspected to be distributed via spear-phishing emails containing ISO image files disguised as resumes, hosted on cloud storage services like Dropbox. The attack chain involves steganography, DLL sideloading, and process hollowing to execute malicious payloads while evading detection. BlackSanta specifically targets and disables endpoint security solutions, including antivirus, EDR, SIEM, and forensic tools, by terminating their processes at the kernel level. The campaign has been active for over a year, utilizing Bring Your Own Driver (BYOD) components to gain elevated privileges and suppress security tools.

BeatBanker Android malware targets users with Starlink app disguise

First: 10.03.2026 23:27 · 📰 1 src / 1 articles

A new Android malware named BeatBanker impersonates a Starlink app to hijack devices. It combines banking trojan functions with Monero mining, stealing credentials and tampering with cryptocurrency transactions. The malware is distributed via fake Google Play Store websites and uses sophisticated evasion techniques, including persistence via an inaudible MP3 file and dynamic mining operations. Kaspersky researchers discovered the malware targeting users in Brazil, with potential for expansion to other regions.

Zombie ZIP Technique Bypasses Security Tools

First: 10.03.2026 22:05 · 📰 1 src / 1 articles

A new technique called 'Zombie ZIP' allows malware to evade detection by security tools by manipulating ZIP file headers. The method tricks security solutions into scanning compressed data as uncompressed, hiding the payload. The technique works against 50 out of 51 antivirus engines on VirusTotal. A proof-of-concept (PoC) has been published, and CERT/CC has issued a bulletin warning about the risks. The issue is similar to a vulnerability disclosed in 2004. The technique involves setting the ZIP Method field to STORED (Method=0), causing security tools to scan the data as raw uncompressed bytes. However, the data is actually DEFLATE compressed, making the scanner see compressed noise and miss malware signatures. A custom loader can ignore the header and decompress the data correctly. CERT/CC recommends that security tool vendors validate compression method fields, detect inconsistencies in archive structure, and implement more aggressive archive inspection modes. Users are advised to be cautious with archive files, especially from unknown sources.

Microsoft Releases Windows 10 KB5078885 Extended Security Update

First: 10.03.2026 20:23 · 📰 1 src / 1 articles

Microsoft has released the Windows 10 KB5078885 extended security update to address vulnerabilities disclosed during the March 2026 Patch Tuesday. The update fixes two actively exploited zero-days and resolves an issue preventing some devices from shutting down. The update is available for Windows 10 Enterprise LTSC and devices enrolled in the Extended Security Updates (ESU) program. The update addresses 79 vulnerabilities, including security fixes and bug fixes introduced by previous updates. It also includes improvements to File History, Graphics, Secure Boot, and Fonts. Microsoft is rolling out new Secure Boot certificates to replace older 2011 certificates that expire in June 2026.

Jazz Launches AI-Powered DLP Solution with $61M Funding

First: 10.03.2026 19:45 · 📰 1 src / 1 articles

Jazz, a data loss prevention (DLP) startup, emerged from stealth mode with $61 million in combined seed and Series A funding. The company, founded by Israeli intelligence veterans, uses AI to understand data usage, intent, context, and risk, reducing DLP noise in large enterprises. Jazz aims to scale globally and expand its teams with the new investment.

Microsoft integrates Sysmon natively into Windows 11 and Server 2025

Updated: 10.03.2026 19:41 · First: 18.11.2025 19:25 · 📰 3 src / 3 articles

Microsoft has integrated Sysmon (System Monitor) natively into Windows 11 and Windows Server 2025, eliminating the need for standalone deployment. This integration simplifies management and enhances threat hunting and diagnostics capabilities. The native support allows users to install Sysmon via Windows Update and manage it through the Optional Features settings. Microsoft also plans to release comprehensive documentation and introduce enterprise management features and AI-powered threat detection capabilities next year. Sysmon is a powerful tool for monitoring and logging events such as process creation, network connections, and file creation, which are crucial for detecting malicious activities. Users can enable Sysmon via the Command Prompt using the command 'sysmon -i' for basic monitoring, or use a custom configuration file for advanced monitoring. Additionally, Sysmon is now available as a built-in feature in Windows 11 and can be enabled through Settings or via command line. It is off by default and must be enabled before use. Users should uninstall any previously installed Sysmon from Sysinternals before enabling the built-in version.

Critical RCE flaw in HPE OneView software actively exploited

Updated: 10.03.2026 19:30 · First: 18.12.2025 13:35 · 📰 4 src / 5 articles

Hewlett Packard Enterprise (HPE) has patched a maximum-severity remote code execution (RCE) vulnerability (CVE-2025-37164) in its OneView software, which has a CVSS score of 10.0. The flaw affects all versions before v11.00 and can be exploited by unauthenticated attackers in low-complexity attacks. The vulnerability was reported by Vietnamese security researcher Nguyen Quoc Khanh (brocked200). HPE advises immediate patching as there are no workarounds or mitigations available. HPE has not confirmed whether the vulnerability has been exploited in attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged the flaw as actively exploited in attacks and has given Federal Civilian Executive Branch (FCEB) agencies three weeks to secure their systems by January 28th. CISA encourages all organizations, including private sector, to patch their devices against this actively exploited flaw as soon as possible. HPE OneView is an IT infrastructure management software that streamlines IT operations and controls all systems via a centralized dashboard interface. The hotfix must be reapplied after upgrading from version 6.60 or later to version 7.00.00, or after any HPE Synergy Composer reimaging operations. Separate hotfixes are available for the OneView virtual appliance and Synergy Composer2. Additionally, HPE has patched multiple security vulnerabilities in the Aruba Networking AOS-CX operating system, including a critical authentication bypass vulnerability (CVE-2026-23813) that allows unauthenticated attackers to reset admin passwords. HPE has not found publicly available exploit code or evidence of exploitation in the wild.

OpenAI Acquires Promptfoo to Strengthen AI Agent Security Testing

First: 10.03.2026 19:15 · 📰 1 src / 1 articles

OpenAI has acquired Promptfoo, a security testing firm specializing in agentic AI, to enhance the security framework of its enterprise-focused AI ecosystem. The acquisition aims to address the need for systematic testing of AI agent behavior, detecting risks before deployment, and maintaining oversight and accountability. Promptfoo's open-source tools will be integrated into OpenAI Frontier, providing automated security testing and red-teaming capabilities to identify and remediate risks such as prompt injections, jailbreaks, and data leaks. Jamieson O’Reilly, security advisor at OpenClaw, highlighted the importance of developing tools to scan AI for human-language malware, emphasizing the need for advanced security measures in AI development.

AI-Assisted Hacker Breaches 600 FortiGate Firewalls in 5 Weeks

Updated: 10.03.2026 18:21 · First: 21.02.2026 15:50 · 📰 6 src / 8 articles

A Russian-speaking, financially motivated hacker used generative AI services to breach over 600 FortiGate firewalls across 55 countries in five weeks. The campaign, which occurred between January 11 and February 18, 2026, targeted exposed management interfaces and weak credentials lacking MFA protection. The attacker used AI to automate access to other devices on breached networks, extracting sensitive configuration data and conducting reconnaissance. The attacker successfully compromised multiple organizations' Active Directory environments, extracted complete credential databases, and targeted backup infrastructure, likely in a lead-up to ransomware deployment. The threat actor used the CyberStrikeAI AI-powered security testing platform, which integrates over 100 security tools and allows for end-to-end automation of attacks. The developer of CyberStrikeAI, known as "Ed1s0nZ," has links to Chinese government-affiliated cyber operations and has worked on additional AI-assisted security tools. Team Cymru detected 21 unique IP addresses running CyberStrikeAI between January 20 and February 26, 2026, primarily hosted in China, Singapore, and Hong Kong. Additional servers related to CyberStrikeAI have been detected in the U.S., Japan, and Switzerland. The developer has interacted with organizations supporting potentially Chinese government state-sponsored cyber operations, including Knownsec 404, a Chinese security vendor with ties to the Chinese Ministry of State Security (MSS). Ed1s0nZ has removed references to a CNNVD Level 2 Contribution Award from their GitHub profile. The campaign targeted healthcare, government, and managed service providers. The attackers exploited vulnerabilities CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858. The attackers created a new local administrator account named "support" and set up four new firewall policies allowing unrestricted access. 
The attackers periodically checked device accessibility, consistent with initial access broker (IAB) behavior. The attackers extracted configuration files containing encrypted service account LDAP credentials. The attackers authenticated to the AD using clear text credentials from the fortidcagent service account. The attackers enrolled rogue workstations in the AD, allowing deeper access. The attackers deployed remote access tools like Pulseway and MeshAgent. The attackers downloaded malware from a cloud storage bucket via PowerShell from AWS infrastructure. The Java malware was used to exfiltrate the contents of the NTDS.dit file and SYSTEM registry hive to an external server (172.67.196[.]232) over port 443.

KadNap Botnet Hijacks ASUS Routers for Cybercrime Proxy Network

Updated: 10.03.2026 18:00 · First: 10.03.2026 17:01 · 📰 2 src / 2 articles

A new botnet named KadNap targets ASUS routers and other edge networking devices, turning them into proxies for malicious traffic. Since August 2025, it has grown to 14,000 devices, using a peer-to-peer network and a custom Kademlia Distributed Hash Table (DHT) protocol to evade detection. The botnet is linked to the Doppelganger proxy service, which sells access to infected devices for cybercrime activities. Most infected devices are located in the United States (60%), followed by Taiwan, Hong Kong, and Russia. The infection begins with a malicious script that downloads an ELF binary, establishing persistence via a cron job. The botnet uses NTP servers for time synchronization and a modified Kademlia protocol for communication, making it difficult to identify and disrupt the command-and-control (C2) infrastructure. Lumen Technologies has taken proactive measures to block network traffic to and from the control infrastructure, but the disruption is limited to their network. Indicators of compromise will be released to help others disrupt the botnet. KadNap malware uses a shell script (aic.sh) downloaded from the C2 server (212.104.141[.]140) to initiate the process of conscripting the victim to the P2P network. The malware creates a cron job to retrieve the shell script from the server at the 55-minute mark of every hour, rename it to .asusrouter, and run it. Once persistence is established, the script pulls a malicious ELF file, renames it to kad, and executes it. The files fwr.sh and /tmp/.sose contain functionality to close port 22, the standard TCP port for Secure Shell (SSH), on the infected device and extract a list of C2 IP address:port combinations to connect to.

Limited Identity Disaster Recovery Testing Among Organizations

Updated: · First: 10.03.2026 18:00 · 📰 1 src / 1 articles

Only 24% of organizations test their identity disaster recovery plans every six months, despite rising investment in identity threat detection and response (ITDR). The research highlights a gap in recovery preparedness, with many organizations focusing on preventative controls while neglecting response and recovery readiness. This lack of testing can lead to severe business impacts during identity-related incidents.

Critical React Server Components (RSC) Bugs Enable Unauthenticated Remote Code Execution

Updated: 10.03.2026 17:30 · First: 03.12.2025 20:19 · 📰 14 src / 19 articles

A critical security vulnerability (CVE-2025-55182, CVSS 10.0) in React Server Components (RSC) allows unauthenticated remote code execution due to unsafe deserialization of payloads. The flaw affects multiple versions of React and Next.js, potentially impacting any application using RSC. The issue has been patched, but 39% of cloud environments remain vulnerable. Cloudflare experienced a widespread outage due to an emergency patch for this vulnerability, and multiple China-linked hacking groups have begun exploiting it. NHS England National CSOC has warned of the likelihood of continued exploitation in the wild. Major companies such as Google Cloud, AWS, and Cloudflare immediately responded to the vulnerability. The security researcher Lachlan Davidson disclosed the vulnerability on November 29, 2025, to the Meta team. The flaw has been dubbed React2Shell, a nod to the Log4Shell vulnerability discovered in 2021. The US National Vulnerability Database (NVD) rejected CVE-2025-66478 as a duplicate of CVE-2025-55182. Exploitation success rate is reported to be nearly 100% in default configurations. React servers that use React Server Function endpoints are known to be vulnerable. The Next.js web application is also vulnerable in its default configuration. At the time of writing, it is unknown if active exploitation has occurred, but there have been some reports of observed exploitation activity as of December 5, 2026. OX Security warned that the flaw is now actively exploitable on December 5, around 10am GMT. Hacker maple3142 published a working PoC, and OX Security successfully verified it. JFrog identified fake proof-of-concepts (PoC) on GitHub, warning security teams to verify sources before testing. Cloudflare started investigating issues on December 5 at 08:56 UTC, and a fix was rolled out within half an hour, but by that time outages had been reported by several major internet services, including Zoom, LinkedIn, Coinbase, DoorDash, and Canva. The U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on December 6, 2025, following confirmed active exploitation. The vulnerability is tracked as React2Shell and is related to a remote code execution flaw in React Server Components (RSC). The flaw is due to insecure deserialization in the Flight protocol used by React to communicate between a server and client. The vulnerability affects versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Patched versions of React are 19.0.1, 19.1.2, and 19.2.1. Downstream frameworks impacted include Next.js, React Router, Waku, Parcel, Vite, and RedwoodSDK. Amazon reported attack attempts from Chinese hacking groups like Earth Lamia and Jackpot Panda within hours of public disclosure. Coalition, Fastly, GreyNoise, VulnCheck, and Wiz reported seeing exploitation efforts targeting the flaw. Some attacks involved the deployment of cryptocurrency miners and the execution of "cheap math" PowerShell commands. Censys identified about 2.15 million instances of internet-facing services potentially affected by the vulnerability. Palo Alto Networks Unit 42 confirmed over 30 affected organizations across numerous sectors, with activity consistent with Chinese hacking group UNC5174. Security researcher Lachlan Davidson released multiple proof-of-concept (PoC) exploits for the vulnerability. Another working PoC was published by a Taiwanese researcher with the GitHub handle maple3142. Federal Civilian Executive Branch (FCEB) agencies have until December 26, 2025, to apply the necessary updates to secure their networks. Over 77,000 Internet-exposed IP addresses are vulnerable to the critical React2Shell remote code execution flaw (CVE-2025-55182). Researchers have confirmed that attackers have already compromised over 30 organizations across multiple sectors using the React2Shell flaw. 
Shadowserver detected 77,664 IP addresses vulnerable to the React2Shell flaw, with approximately 23,700 in the United States. GreyNoise recorded 181 distinct IP addresses attempting to exploit the flaw over the past 24 hours, with most of the traffic appearing automated. Attackers frequently begin with PowerShell commands that perform a basic math function to confirm the device is vulnerable to the remote code execution flaw. Once remote code execution was confirmed, attackers were seen executing base64-encoded PowerShell commands that download additional scripts directly into memory. One observed command executes a second-stage PowerShell script from the external site (23[.]235[.]188[.]3), which is used to disable AMSI to bypass endpoint security and deploy additional payloads. The PowerShell script observed by GreyNoise installs a Cobalt Strike beacon on the targeted device, giving threat actors a foothold on the network. Amazon AWS threat intelligence teams saw rapid exploitation hours after the disclosure of the React CVE-2025-55182 flaw, with infrastructure associated with China-linked APT hacking groups known as Earth Lamia and Jackpot Panda. Palo Alto Networks observed similar exploitation, attributing some of it to UNC5174, a Chinese state-sponsored threat actor believed to be tied to the Chinese Ministry of State Security. The deployed malware in these attacks includes Snowlight and Vshell, both commonly used by Chinese hacking groups for remote access, post-exploitation activity, and to move laterally through a compromised network. Earth Lamia is known for exploiting web application vulnerabilities to target organizations across Latin America, the Middle East, and Southeast Asia. Earth Lamia has historically targeted sectors across financial services, logistics, retail, IT companies, universities, and government organizations. Jackpot Panda primarily targets entities in East and Southeast Asia. 
The Shadowserver Foundation has identified over 77,000 vulnerable IPs following a scan of exposed HTTP services across a wide variety of exposed edge devices and other applications. Censys observed just over 2.15 million instances of internet-facing services that may be affected by this vulnerability, including exposed web services using React Server Components and exposed instances of frameworks such as Next.js, Waku, React Router, and RedwoodSDK. The bug is a pre-authentication remote code execution (RCE) vulnerability which exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. React issued a security advisory with the relevant patches and updates on December 3. Any internet-accessible server running the affected React Server Components code should be assumed vulnerable until updated as a precaution. AWS observed that many threat actors are attempting to use public PoCs that don’t work in real-world scenarios. AWS noted that the use of these PoCs shows that threat actors prioritize rapid operationalization over thorough testing, attempting to exploit targets with any available tool. Using multiple PoCs to scan for vulnerable environments also gives threat actors a higher chance of identifying vulnerable configurations, even if the PoCs are non-functional. The availability of the PoCs also allows less sophisticated actors to participate in exploitation campaigns. Finally, AWS noted that even failed exploitation attempts create significant noise in logs, potentially masking more sophisticated attacks. The invalid PoCs can give developers a false sense of security when testing for React2Shell. The Shadowserver Foundation detected 28,964 IP addresses vulnerable to the React2Shell flaw as of December 7, 2025, down from 77,664 on December 5, with approximately 10,100 located in the U.S., 3,200 in Germany, and 1,690 in China. 
Huntress observed attackers targeting numerous organizations via CVE-2025-55182, with a focus on the construction and entertainment industries. The first recorded exploitation attempt on a Windows endpoint by Huntress dates back to December 4, 2025, when an unknown threat actor exploited a vulnerable instance of Next.js to drop a shell script, followed by commands to drop a cryptocurrency miner and a Linux backdoor. Attackers were observed launching discovery commands and attempting to download several payloads from a command-and-control (C2) server. Huntress identified a Linux backdoor called PeerBlight, a reverse proxy tunnel named CowTunnel, and a Go-based post-exploitation implant referred to as ZinFoq. PeerBlight shares code overlaps with two malware families RotaJakiro and Pink that came to light in 2021, installs a systemd service to ensure persistence, and masquerades as a "ksoftirqd" daemon process to evade detection. CowTunnel initiates an outbound connection to attacker-controlled Fast Reverse Proxy (FRP) servers, effectively bypassing firewalls that are configured to only monitor inbound connections. ZinFoq implements a post-exploitation framework with interactive shell, file operations, network pivoting, and timestomping capabilities. Huntress assessed that the threat actor is likely leveraging automated exploitation tooling, supported by the attempts to deploy Linux-specific payloads on Windows endpoints, indicating the automation does not differentiate between target operating systems. PeerBlight supports capabilities to establish communications with a hard-coded C2 server ("185.247.224[.]41:8443"), allowing it to upload/download/delete files, spawn a reverse shell, modify file permissions, run arbitrary binaries, and update itself. 
ZinFoq beacons out to its C2 server and is equipped to parse incoming instructions to run commands using "/bin/bash," enumerate directories, read or delete files, download more payloads from a specified URL, exfiltrate files and system information, start/stop SOCKS5 proxy, enable/disable TCP port forwarding, alter file access and modification times, and establish a reverse pseudo terminal (PTY) shell connection. ZinFoq takes steps to clear bash history and disguises itself as one of 44 legitimate Linux system services to conceal its presence. CISA has urged federal agencies to patch the React2Shell vulnerability by December 12, 2025, amid reports of widespread exploitation. The vulnerability has been exploited by multiple threat actors in various campaigns to engage in reconnaissance efforts and deliver a wide range of malware families. Wiz observed a "rapid wave of opportunistic exploitation" of the flaw, with a vast majority of the attacks targeting internet-facing Next.js applications and other containerized workloads running in Kubernetes and managed cloud services. Cloudflare reported that threat actors have conducted searches using internet-wide scanning and asset discovery platforms to find exposed systems running React and Next.js applications. Some of the reconnaissance efforts have excluded Chinese IP address spaces from their searches. The observed activity targeted government (.gov) websites, academic research institutions, and critical-infrastructure operators. Early scanning and exploitation attempts originated from IP addresses previously associated with Asia-affiliated threat clusters. Kaspersky recorded over 35,000 exploitation attempts on a single day on December 10, 2025, with the attackers first probing the system by running commands like whoami, before dropping cryptocurrency miners or botnet malware families like Mirai/Gafgyt variants and RondoDox. 
Security researcher Rakesh Krishnan discovered an open directory hosted on "154.61.77[.]105:8082" that includes a proof-of-concept (PoC) exploit script for CVE-2025-55182 along with two other files: "domains.txt," which contains a list of 35,423 domains, and "next_target.txt," which contains a list of 596 URLs, including companies like Dia Browser, Starbucks, Porsche, and Lululemon. The Shadowserver Foundation reported more than 137,200 internet-exposed IP addresses running vulnerable code as of December 11, 2025, with over 88,900 instances located in the U.S., followed by Germany (10,900), France (5,500), and India (3,600). Google's threat intelligence team linked five more Chinese hacking groups to attacks exploiting the React2Shell vulnerability. The list of state-linked threat groups exploiting the flaw now also includes UNC6600, UNC6586, UNC6588, UNC6603, and UNC6595. GTIG researchers observed numerous discussions regarding CVE-2025-55182 in underground forums, including threads where threat actors shared links to scanning tools, proof-of-concept (PoC) code, and their experiences using these tools. GTIG also spotted Iranian threat actors targeting the flaw and financially motivated attackers deploying XMRig cryptocurrency mining software on unpatched systems. Shadowserver Internet watchdog group is currently tracking over 116,000 IP addresses vulnerable to React2Shell attacks, with over 80,000 in the United States. GreyNoise has observed over 670 IP addresses attempting to exploit the React2Shell remote code execution flaw over the past 24 hours, primarily originating from the United States, India, France, Germany, the Netherlands, Singapore, Russia, Australia, the United Kingdom, and China. Threat actors are exploiting the React2Shell vulnerability to deliver malware families like KSwapDoor and ZnDoor. 
KSwapDoor is a professionally engineered remote access tool designed with stealth in mind, building an internal mesh network and using military-grade encryption. KSwapDoor impersonates a legitimate Linux kernel swap daemon to evade detection. ZnDoor is a remote access trojan that contacts threat actor-controlled infrastructure to receive and execute commands. ZnDoor supports commands such as shell, interactive_shell, explorer, explorer_cat, explorer_delete, explorer_upload, explorer_download, system, change_timefile, socket_quick_startstreams, start_in_port_forward, and stop_in_port. Google identified five China-nexus groups exploiting React2Shell to deliver various payloads, including MINOCAT, SNOWLIGHT, COMPOOD, HISONIC, and ANGRYREBEL. Microsoft reported that threat actors have used the flaw to run arbitrary commands, set up reverse shells, drop RMM tools, and modify authorized_keys files. Payloads delivered in these attacks include VShell, EtherRAT, SNOWLIGHT, ShadowPad, and XMRig. Threat actors used Cloudflare Tunnel endpoints to evade security defenses and conducted reconnaissance for lateral movement and credential theft. Credential harvesting targeted Azure Instance Metadata Service (IMDS) endpoints for Azure, AWS, GCP, and Tencent Cloud. Threat actors deployed secret discovery tools such as TruffleHog and Gitleaks, along with custom scripts to extract various secrets. Beelzebub detailed a campaign exploiting Next.js flaws to extract credentials and sensitive data, including environment files, SSH keys, cloud credentials, and system files. The malware creates persistence, installs a SOCKS5 proxy, establishes a reverse shell, and installs a React scanner for further propagation. Operation PCPcat has breached an estimated 59,128 servers. The Shadowserver Foundation is tracking over 111,000 IP addresses vulnerable to React2Shell attacks, with over 77,800 instances in the U.S. 
GreyNoise observed 547 malicious IP addresses from the U.S., India, the U.K., Singapore, and the Netherlands partaking in exploitation efforts over the past 24 hours. The RondoDox botnet has been observed exploiting the critical React2Shell flaw (CVE-2025-55182) to infect vulnerable Next.js servers with malware and cryptominers. First documented by Fortinet in July 2025, RondoDox is a large-scale botnet that targets multiple n-day flaws in global attacks. In November, VulnCheck spotted new RondoDox variants that featured exploits for CVE-2025-24893, a critical remote code execution (RCE) vulnerability in the XWiki Platform. A new report from cybersecurity company CloudSEK notes that RondoDox started scanning for vulnerable Next.js servers on December 8 and began deploying botnet clients three days later. React2Shell is an unauthenticated remote code execution vulnerability that can be exploited via a single HTTP request and affects all frameworks that implement the React Server Components (RSC) 'Flight' protocol, including Next.js. The flaw has been leveraged by several threat actors to breach multiple organizations. North Korean hackers exploited React2Shell to deploy a new malware family named EtherRAT. As of December 30, the Shadowserver Foundation reports detecting over 94,000 internet-exposed assets vulnerable to React2Shell. CloudSEK says that RondoDox has passed through three distinct operational phases this year: Reconnaissance and vulnerability testing from March to April 2025, Automated web app exploitation from April to June 2025, Large-scale IoT botnet deployment from July to today. Regarding React2Shell, the researchers report that RondoDox has focused its exploitation around the flaw significantly lately, launching over 40 exploit attempts within six days in December. During this operational phase, the botnet conducts hourly IoT exploitation waves targeting Linksys, Wavlink, and other consumer and enterprise routers to enroll new bots. 
After probing potentially vulnerable servers, CloudSEK says that RondoDox started to deploy payloads that included a coinminer (/nuts/poop), a botnet loader and health checker (/nuts/bolts), and a variant of Mirai (/nuts/x86). The 'bolts' component removes competing botnet malware from the host, enforces persistence via /etc/crontab, and kills non-whitelisted processes every 45 seconds, the researchers say. CloudSEK provides a set of recommendations for companies to protect against this RondoDox activity, among them auditing and patching Next.js Server Actions, isolating IoT devices into dedicated virtual LANs, and monitoring for suspicious processes being executed. Threat actors targeting cloud environments now favor campaigns which gain initial access by exploiting software vulnerabilities over credential-based attacks. Third-party software-based entry accounted for 44.5% of primary entry vectors during the second half of 2025, up from 2.9% in the first half. Abuse of weak or absent credentials as an entry point dropped from 47.1% in the first half of 2025 to 27.2% in the second half. React2Shell (CVE-2025-55182) was one of the most commonly exploited vulnerabilities to target cloud services. Google Cloud noted that within 48 hours of the public disclosure of React2Shell, multiple threat actors had already exploited the vulnerability to infect victims with cryptocurrency mining malware. The window between vulnerability disclosure and mass exploitation collapsed from weeks to just days. Google Cloud recommended using centralized visibility tools to secure data and automated posture enforcement to mitigate risks. Google Cloud advised organizations to pivot from manual patching to automated defenses, such as patching the Web Application Firewall (WAF), to neutralize exploits at the network edge before software updates can be applied.

Microsoft Introduces Phishing-Resistant Passkeys for Windows Sign-Ins

Updated: · First: 10.03.2026 17:27 · 📰 1 src / 1 articles

Microsoft is rolling out passkey support for Microsoft Entra on Windows devices, enabling phishing-resistant passwordless authentication via Windows Hello. This feature is opt-in and will be available in public preview from mid-March through late April 2026 for worldwide tenants, with government cloud environments following in mid-April through mid-May. The update extends passwordless sign-in to unmanaged Windows devices, addressing a previous security gap. The passkeys are device-bound and cryptographically secured, preventing theft via phishing or malware. Each Entra account registers its own passkey per device, and multiple accounts can coexist on a single machine. However, passkeys cannot be synced across devices, requiring separate registration for each account. To enroll in the public preview, IT administrators must enable the Passkeys (FIDO2) authentication method in Entra's Authentication Methods policies, create a passkey profile with the required Windows Hello AAGUIDs, and assign it to the appropriate groups.

Ericsson US Data Breach via Service Provider Compromise

Updated: 10.03.2026 17:00 · First: 09.03.2026 21:07 · 📰 2 src / 2 articles

Ericsson Inc., the U.S. subsidiary of Ericsson, disclosed a data breach affecting 15,661 employees and customers. The breach occurred after attackers compromised a service provider storing personal data for Ericsson. The incident was detected on April 28, 2025, with unauthorized access occurring between April 17 and April 22, 2025. The exposed data includes names, addresses, Social Security Numbers, financial information, and medical records. Ericsson is offering free identity protection services to affected individuals. The breach was reported to the FBI, and an investigation was conducted with external cybersecurity experts. No evidence of data misuse has been found, and no cybercrime group has claimed responsibility.

LeakyLooker Vulnerabilities in Google Looker Studio

Updated: · First: 10.03.2026 15:20 · 📰 1 src / 1 articles

Nine cross-tenant vulnerabilities, collectively named LeakyLooker, were discovered in Google Looker Studio. These flaws could allow attackers to execute arbitrary SQL queries on victims' databases and exfiltrate sensitive data within Google Cloud environments. The vulnerabilities were disclosed responsibly and have been addressed by Google. No evidence of exploitation in the wild has been found.

AI Agent Security Risks and Mitigation Strategies

Updated: · First: 10.03.2026 13:45 · 📰 1 src / 1 articles

AI agents, which automate tasks and access sensitive data, present a new security risk by acting as 'invisible employees' that can be exploited by hackers. Traditional security tools are inadequate for protecting these digital workers, potentially leading to data leaks. A webinar by Airia's Rahul Parwani will discuss how hackers target AI agents and provide mitigation strategies.

CISA Adds SolarWinds, Ivanti, and Workspace One Vulnerabilities to KEV Catalog

Updated: 10.03.2026 13:36 · First: 10.03.2026 08:17 · 📰 2 src / 2 articles

CISA has added three vulnerabilities to its KEV catalog due to evidence of active exploitation. These include CVE-2021-22054 in Omnissa Workspace One UEM, CVE-2025-26399 in SolarWinds Web Help Desk, and CVE-2026-1603 in Ivanti Endpoint Manager. The vulnerabilities are being exploited by threat actors, including the Warlock ransomware crew. Federal agencies are ordered to apply patches by March 12 and March 23, 2026. CVE-2026-1603 can be exploited by remote threat actors to bypass authentication and steal credential data in low-complexity cross-site scripting attacks that require no user interaction. Ivanti patched CVE-2026-1603 one month ago with the release of Ivanti EPM 2024 SU5, but has not received reports of exploitation prior to public disclosure.

Reducing Attack Surface to Mitigate Zero-Day Exploits

Updated: · First: 10.03.2026 13:00 · 📰 1 src / 1 articles

The shrinking time-to-exploit window for critical vulnerabilities necessitates proactive attack surface reduction. Many organizations have unnecessary internet-facing exposures, such as SharePoint servers, which increase the risk of exploitation. Effective attack surface management involves asset discovery, treating exposure as a risk category, and continuous monitoring to detect new exposures quickly.

Amazon Disrupts GRU-Affiliated APT44 Campaign Targeting Critical Infrastructure

Updated: 10.03.2026 12:55 · First: 29.08.2025 16:22 · 📰 15 src / 17 articles

Amazon has disrupted a years-long Russian state-sponsored campaign targeting Western critical infrastructure, including energy sector organizations and cloud-hosted network infrastructure. The campaign, attributed to the GRU-affiliated APT44 group, initially leveraged vulnerabilities in WatchGuard Firebox and XTM, Atlassian Confluence, and Veeam to gain initial access. However, starting in 2025, APT44 shifted its tactics to target misconfigured network edge devices, reducing their exposure and resource expenditure. The group targeted enterprise routers, VPN concentrators, network management appliances, and cloud-based project management systems to harvest credentials and establish persistent access. Amazon's intervention led to the disruption of the campaign, highlighting the ongoing threat posed by state-sponsored cyber actors. APT44, also known as FROZENBARENTS, Sandworm, Seashell Blizzard, and Voodoo Bear, has been active since at least 2021. The group exploited vulnerabilities in WatchGuard Firebox and XTM (CVE-2022-26318), Atlassian Confluence (CVE-2021-26084, CVE-2023-22518), and Veeam (CVE-2023-27532) to compromise network edge devices. The campaign involved credential replay attacks and targeted energy, technology/cloud services, and telecom service providers across North America, Western and Eastern Europe, and the Middle East. Amazon's threat intelligence team identified and notified affected customers, disrupting active threat actor operations. Additionally, APT28, another GRU-affiliated group, has been conducting a sustained credential-harvesting campaign targeting users of UKR[.]net, a webmail and news service popular in Ukraine. The campaign, observed between June 2024 and April 2025, involves deploying UKR[.]net-themed login pages on legitimate services like Mocky to entice recipients into entering their credentials and 2FA codes. 
Links to these pages are embedded within PDF documents distributed via phishing emails, often shortened using services like tiny[.]cc or tinyurl[.]com. In some cases, APT28 uses subdomains created on platforms like Blogger (*.blogspot[.]com) to launch a two-tier redirection chain leading to the credential harvesting page. The campaign is part of a broader set of phishing and credential theft operations targeting various institutions in pursuit of Russia's strategic objectives. APT28's recent campaign targeted Turkish renewable energy scientists with a climate change policy document from a real Middle Eastern think tank. The group used phishing emails themed to match their intended targets and written in the targets' native tongues. Victims were redirected to a login page mimicking a legitimate online service after following a link in a phishing email. APT28 used regular hosted services rather than custom tools and infrastructure for their attacks. The targets included an IT integrator based in Uzbekistan, a European think tank, a military organization in North Macedonia, and scientists and researchers associated with a Turkish energy and nuclear research organization. The campaign was highly selective and consistent with GRU collection priorities, aligning with geopolitical, military, or strategic intelligence objectives. APT28 has been targeting organizations associated with energy research, defense collaboration, and government communication in a new credential-harvesting campaign. The group used phishing pages impersonating Microsoft Outlook Web Access (OWA), Google, and Sophos VPN portals. Victims were redirected to legitimate domains after entering their credentials. APT28 relied heavily on free hosting and tunneling services such as Webhook.site, InfinityFree, Byet Internet Services, and Ngrok to host phishing content, capture user data, and manage redirections. 
In February 2025, APT28 deployed a Microsoft OWA phishing page and used the ShortURL link-shortening service for the first-stage redirection. The group employed a webhook relying on HTML to load a PDF lure document in the browser for two seconds before redirecting the victim to a second webhook hosting the spoofed OWA login page. In July, APT28 deployed a spoofed OWA login portal containing Turkish-language text and targeting Turkish scientists and researchers. In June, APT28 deployed a spoofed Sophos VPN password reset page hosted on InfinityFree infrastructure. In September, APT28 hosted two spoofed OWA expired password pages on an InfinityFree domain. In April, Recorded Future discovered a spoofed Google password reset page in Portuguese, hosted on a free apex domain from Byet Internet Services. APT28 abused Ngrok's free service to connect servers behind a firewall to a proxy server and expose that server to the internet without changing firewall rules. APT28's ability to adapt its infrastructure and rebrand credential-harvesting pages suggests it will continue to abuse free hosting, tunneling, and link-shortening services to reduce operational costs and obscure attribution. Recently, APT28 exploited CVE-2026-21509, a recently patched vulnerability in multiple versions of Microsoft Office. The attacks involved malicious DOC files themed around EU COREPER consultations in Ukraine and impersonated the Ukrainian Hydrometeorological Center. The malicious document triggers a WebDAV-based download chain that installs malware via COM hijacking, a malicious DLL (EhStoreShell.dll), shellcode hidden in an image file (SplashScreen.png), and a scheduled task (OneDriveHealth). The scheduled task execution leads to the termination and restart of the explorer.exe process, ensuring the loading of the EhStoreShell.dll file. This DLL executes shellcode from the image file, which launches the COVENANT software (framework) on the computer. 
COVENANT uses the Filen (filen.io) cloud storage service for command-and-control (C2) operations. APT28 used three more documents in attacks against various EU-based organizations, indicating that the campaign extends beyond Ukraine. APT28 has also been linked to the exploitation of CVE-2026-21513, a high-severity security feature bypass in the MSHTML Framework, as a zero-day before it was patched in February 2026. The vulnerability allows an attacker to bypass security features by manipulating browser and Windows Shell handling, leading to potential code execution. The group used a malicious Windows Shortcut (LNK) file that embeds an HTML file to exploit CVE-2026-21513, initiating communication with the domain wellnesscaremed[.]com. The exploit leverages nested iframes and multiple DOM contexts to manipulate trust boundaries, bypassing Mark-of-the-Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC). The technique allows execution of malicious code outside the browser sandbox via ShellExecuteExW. The vulnerable code path can be triggered through any component embedding MSHTML, suggesting additional delivery mechanisms beyond LNK-based phishing should be expected. APT28, also known as Fancy Bear, Forest Blizzard, Strontium, and Sednit, has been using a custom variant of the open-source Covenant post-exploitation framework for long-term espionage operations. Since April 2024, APT28 has used two implants named BeardShell and Covenant in their attacks. BeardShell leverages the legitimate cloud storage service Icedrive for command-and-control (C2) communication and can execute PowerShell commands in a .NET runtime environment. BeardShell uses a unique obfuscation technique previously seen in Xtunnel, a network-pivoting tool that APT28 used in the 2010s. 
APT28 has modified the Covenant framework with deterministic implant identifiers tied to host characteristics, modified execution flow to evade behavioral detection, and new cloud-based communication protocols. Since July 2025, APT28 has used the Filen cloud provider with Covenant, previously using Koofr and pCloud services. Covenant is used as the primary implant, and BeardShell serves as the fallback tool. ESET believes that APT28's advanced malware development team returned to activity in 2024, giving the threat group new long-term espionage capabilities. The technical similarities with 2010-era malware indicate continuity in the threat group's development team. APT28 has been observed using a pair of implants dubbed BEARDSHELL and COVENANT to facilitate long-term surveillance of Ukrainian military personnel. The two malware families have been put to use since April 2024. APT28's malware arsenal consists of tools like BEARDSHELL and COVENANT, along with another program codenamed SLIMAGENT that's capable of logging keystrokes, capturing screenshots, and collecting clipboard data. SLIMAGENT was first publicly documented by the Computer Emergency Response Team of Ukraine (CERT-UA) in June 2025. SLIMAGENT has its roots in XAgent, another implant used by APT28 in the 2010s to facilitate remote control and data exfiltration. This is based on code similarities discovered between SLIMAGENT and previously unknown samples deployed in attacks targeting governmental entities in two European countries as far back as 2018. It's assessed that the 2018 artifacts and the 2024 SLIMAGENT sample originated from XAgent, with ESET's analysis uncovering overlaps in the keylogging between SLIMAGENT and an XAgent sample detected in the wild in late 2014. SLIMAGENT emits its espionage logs in the HTML format, with the application name, the logged keystrokes, and the window name in blue, red, and green, respectively. 
Also deployed in connection with SLIMAGENT is another backdoor referred to as BEARDSHELL that's capable of executing PowerShell commands on compromised hosts. It uses the legitimate cloud storage service Icedrive for command-and-control (C2). A noteworthy aspect of the malware is that it utilizes a distinctive obfuscation technique referred to as opaque predicate, which is also found in XTunnel (aka X-Tunnel), a network traversal and pivoting tool used by APT28 in the 2016 Democratic National Committee (DNC) hack. The tool provides a secure tunnel to an external C2 server. A third major piece of the threat actor's toolkit is COVENANT, an open-source .NET post-exploitation framework that has been "heavily" modified to support long-term espionage and to implement a new cloud-based network protocol that abuses the Filen cloud storage service for C2 since July 2025. Previously, APT28's COVENANT variant was said to have used pCloud (in 2023) and Koofr (in 2024-2025). This is not the first time the adversarial collective has embraced the dual-implant strategy. In 2021, Trellix revealed that APT28 deployed Graphite, a backdoor that employed OneDrive for C2, and PowerShell Empire in attacks targeting high-ranking government officials overseeing national security policy and individuals in the defense sector in Western Asia.

Active Spyware Campaigns Targeting High-Value Signal and WhatsApp Users

Updated: 10.03.2026 12:45 · First: 25.11.2025 08:42 · 📰 6 src / 10 articles

Germany's Federal Office for the Protection of the Constitution (BfV) and Federal Office for Information Security (BSI) have issued a joint advisory warning of a malicious cyber campaign undertaken by a likely state-sponsored threat actor that involves carrying out phishing attacks over the Signal messaging app. The focus is on high-ranking targets in politics, the military, and diplomacy, as well as investigative journalists in Germany and Europe. Unauthorized access to messenger accounts not only allows access to confidential private communications but also potentially compromises entire networks. The campaign involves threat actors masquerading as 'Signal Support' or a support chatbot named 'Signal Security ChatBot' to initiate direct contact with prospective targets, urging them to provide a PIN or verification code received via SMS, or risk facing data loss. Should the victim comply, the attackers can register the account and gain access to the victim's profile, settings, contacts, and block list through a device and mobile phone number under their control. There also exists an alternative infection sequence that takes advantage of the device linking option to trick victims into scanning a QR code, thereby granting the attackers access to the victim's account, including their messages for the last 45 days, on a device managed by them. The security authorities warned that while the current focus of the campaign appears to be Signal, the attack can also be extended to WhatsApp since it also incorporates similar device linking and PIN features as part of two-step verification. Similar attacks have been orchestrated by multiple Russia-aligned threat clusters tracked as Star Blizzard, UNC5792 (aka UAC-0195), and UNC4221 (aka UAC-0185). Dutch intelligence agencies have confirmed that Russian state-sponsored hackers are targeting government officials, military personnel, and journalists via Signal and WhatsApp phishing campaigns. 
The campaign is described as large-scale and focuses on hacking individual Signal and WhatsApp accounts to access sensitive information. MIVD director, vice-admiral Peter Reesink, warned against using Signal and WhatsApp for classified, confidential, or sensitive information due to the ongoing campaign. The attacks involve impersonating a 'Signal Support chatbot' in unsolicited messages, requesting SMS verification codes or Signal PINs. Signal has clarified that it will never initiate contact via in-app messages, SMS, or social media to ask for verification codes or PINs. Another attack method involves persuading victims to scan a QR code or click on a link, exploiting the 'linked devices' function in Signal and WhatsApp. AIVD and MIVD provided guidelines to help users identify and mitigate account hijacking attempts, including checking for duplicate contacts in group chats and monitoring display name changes.

Microsoft to Enable Windows Hotpatch Security Updates by Default

Updated: · First: 10.03.2026 12:35 · 📰 1 src / 1 articles

Microsoft will enable hotpatch security updates by default for eligible Windows devices managed through Microsoft Intune and the Microsoft Graph API, starting with the May 2026 Windows security update. This change aims to halve the time to reach 90% patch compliance, reducing the window of exposure to attacks. The updates will be delivered through Windows Autopatch, which automatically keeps Windows and Microsoft 365 software up to date. IT administrators will have the option to disable hotpatch updates at the tenant level and enable them for specific devices. Organizations can opt out of hotpatch updates using controls in Microsoft Intune, which will be available starting April 1, 2026.

Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data

Updated: 10.03.2026 12:00 · First: 27.08.2025 12:39 · 📰 19 src / 46 articles

Salesforce is warning customers of an escalating mass-scanning campaign targeting misconfigured Experience Cloud instances, now linked to ShinyHunters (UNC6240), which claims to have breached hundreds of companies—including 100 high-profile organizations—by exploiting overly permissive guest user permissions. The attackers are using a modified AuraInspector tool to extract data directly via the /s/sfsites/aura API endpoint, bypassing authentication for CRM objects. Salesforce emphasizes that this stems from customer misconfigurations, not a platform flaw, and urges immediate mitigation: auditing guest user permissions, setting org-wide defaults to Private, disabling public API access for guests, and reviewing Aura Event Monitoring logs for anomalies. This follows the August 2025 Salesloft Drift OAuth breach, where UNC6395/GRUB1 stole tokens to access Salesforce customer data, impacting over 700 organizations (e.g., Zscaler, Palo Alto Networks, Cloudflare). While earlier waves relied on stolen OAuth tokens, the latest campaign marks a shift to exploiting misconfigured guest access—though ShinyHunters is implicated in both. Salesforce and partners have revoked compromised tokens and disabled vulnerable integrations, but the new Aura/Experience Cloud attacks highlight persistent risks from improperly secured public-facing portals. The harvested data (e.g., names, phone numbers) is repurposed for follow-on vishing and social engineering, aligning with broader identity-based targeting trends.

A0Backdoor Malware Deployed via Microsoft Teams Phishing Campaign

Updated: · First: 10.03.2026 00:50 · 📰 1 src / 1 articles

A phishing campaign targeting employees at financial and healthcare organizations uses Microsoft Teams to trick victims into granting remote access via Quick Assist. The attackers deploy a new malware strain called A0Backdoor, which employs sophisticated techniques to evade detection and maintain persistence. The campaign is linked to the BlackBasta ransomware group, but with new TTPs including digitally signed MSI installers and DNS MX-based C2 communication. The attackers use social engineering to gain trust, masquerading as IT staff and instructing victims to initiate a Quick Assist session. Once access is granted, they deploy malicious MSI files that mimic legitimate Microsoft components, using DLL sideloading to execute the A0Backdoor payload. The malware performs sandbox detection, collects host information, and communicates with C2 servers via DNS MX queries.

Malicious npm Package Targets macOS Users with RAT and Credential Theft

Updated: · First: 09.03.2026 20:31 · 📰 1 src / 1 articles

A malicious npm package named "@openclaw-ai/openclawai" masquerades as an OpenClaw installer to deploy a remote access trojan (RAT) and steal sensitive data from macOS systems. The package, uploaded on March 3, 2026, has been downloaded 178 times and remains available. It targets system credentials, browser data, crypto wallets, SSH keys, Apple Keychain databases, and iMessage history, while also installing a persistent RAT with remote access capabilities and a SOCKS5 proxy. The malware uses social engineering to harvest system passwords and employs sophisticated persistence and command-and-control (C2) infrastructure. The package triggers its malicious logic via a postinstall hook, re-installing itself globally and displaying a fake command-line interface to mimic an OpenClaw installation. It then retrieves an encrypted second-stage payload from a C2 server, which is decoded and executed to continue running in the background. The malware also prompts users to grant Full Disk Access (FDA) to Terminal to access protected data. The second-stage payload is a comprehensive information stealer and RAT framework capable of persistence, data collection, browser decryption, C2 communication, and live browser cloning. Collected data is exfiltrated through multiple channels, including the C2 server, Telegram Bot API, and GoFile.io. The malware also monitors clipboard content for specific patterns related to private keys and cryptocurrency addresses. The impact of this malware is significant, as it can compromise sensitive user data and provide attackers with persistent access to infected systems. The sophisticated nature of the malware, including its use of social engineering and encrypted payload delivery, makes it a serious threat to macOS users.

Microsoft Teams to Tag Third-Party Bots in Meeting Lobbies

Updated: · First: 09.03.2026 19:12 · 📰 1 src / 1 articles

Microsoft Teams will introduce a feature to automatically tag third-party bots in meeting lobbies, allowing organizers to control their access. This update is scheduled for May 2026 and will be available across all major platforms and cloud environments. The feature aims to prevent accidental admission of bots, ensuring organizers have explicit control over their presence in meetings. This development follows previous enhancements, including a call reporting feature and fraud-protection measures for calls, which help users identify and flag suspicious or unwanted calls.

Threat Actor Uses Elastic Cloud SIEM to Manage Stolen Data from Multiple Organizations

Updated: · First: 09.03.2026 17:45 · 📰 1 src / 1 articles

A threat actor exploited multiple software vulnerabilities to steal data from at least 216 systems across 34 Active Directory domains. The attacker used a free-trial instance of Elastic Cloud's SIEM platform to collect, store, and analyze stolen data, turning a legitimate security tool into a repository for exfiltrated information. The campaign affected organizations across various sectors, including government, education, finance, and manufacturing. The infrastructure was taken down after discovery.

Phishing Attacks Impersonating US City and County Officials

Updated: · First: 09.03.2026 17:30 · 📰 1 src / 1 articles

The FBI warns of phishing attacks where criminals impersonate U.S. city and county officials to target businesses and individuals requesting planning and zoning permits. Victims receive emails with permit details and are instructed to pay fraudulent fees via wire transfer, peer-to-peer payment, or cryptocurrency. The scammers use publicly available information to make their messages appear legitimate. The FBI advises verifying the legitimacy of such communications by checking email domains and contacting local government offices. Victims are urged to report incidents to the FBI's Internet Crime Complaint Center (IC3).