A rapidly escalating device code phishing campaign continues to target Microsoft 365 accounts across at least 340 organizations in multiple countries since mid-February 2026, with attacks surging 37.5 times in early 2026 compared to baseline levels at the start of March. The campaign abuses legitimate OAuth device authorization flows to harvest credentials and establish persistent access tokens, primarily via the EvilTokens PhaaS platform and at least 10 other competing phishing kits (e.g., VENOM, DOCUPOLL, SHAREFILE). These attacks now incorporate advanced features such as anti-bot evasion techniques, multi-hop redirect chains leveraging legitimate vendor services, and SaaS-themed lures impersonating business content (e.g., DocuSign, SharePoint, Adobe Acrobat). The EvilTokens platform, sold over Telegram, has democratized device code phishing, enabling low-skilled cybercriminals to execute attacks that grant persistent access to victim accounts, including email, files, Teams data, and SSO impersonation capabilities. The campaign’s global reach extends to at least 10 countries, with sectors including construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government being targeted. Mitigation efforts focus on disabling the device code flow via conditional access policies and monitoring for anomalous authentication events.

App store privacy labels intended to inform users about mobile app data collection, usage, and sharing practices suffer from inconsistent methodologies, inaccuracies, and limited utility despite Apple and Google adoption. Research indicates labels are often inaccurate due to misunderstandings or honest errors rather than malicious intent, with Apple and Google defining data collection differently. Experts argue labels alone do not enhance privacy protections and may create a false sense of security. Proposed improvements include standardization, verification tools, and integration of privacy filters in app discovery systems.

Microsoft’s LinkedIn deploys hidden JavaScript on its platform to fingerprint visitors’ browsers by detecting over 6,000 installed Chrome extensions and collecting extensive device metadata. The technique links extension presence to user profiles and is framed by LinkedIn as a method to identify and block scraping extensions violating its terms of service. Independent testing confirms the detection of 6,236 extensions via resource-access checks, up from approximately 2,000 in 2025 and 3,000 two months prior. The scope raises privacy concerns as the collected data can uniquely identify browsers and may enable tracking across sites, though LinkedIn asserts the data is used solely to protect platform integrity and member accounts.

Unauthorized access to Hims & Hers Health’s Zendesk customer service platform led to the exfiltration of support tickets between February 4 and February 7, 2026, exposing personal information of individuals who interacted with the company’s telehealth services. The incident was attributed to the ShinyHunters extortion gang, which leveraged a compromised Okta SSO account to gain access to Zendesk. No medical records or communications were compromised. The company disclosed the incident on April 3, 2026, and is offering 12 months of free credit monitoring to affected individuals.

Qilin ransomware has been linked to a high-profile data theft incident targeting Die Linke, a major German political party with 123,000 members and 64 seats in the Bundestag. The group stole sensitive internal party data and personal information of headquarters employees, though the membership database was reportedly unaffected. Die Linke attributed the attack to Qilin, describing them as Russian-speaking cybercriminals with financial and political motivations, and suggested the incident may be part of hybrid warfare operations. The initial investigation focused on a Huntress Labs endpoint compromise where a rogue ScreenConnect instance was used to deploy malicious files and attempt disabling Windows Defender before ransomware deployment. Qilin operates as a ransomware-as-a-service (RaaS) variant with affiliates following diverse attack patterns.

Threat actors are deploying PHP-based web shells on Linux servers that use HTTP cookies as a control channel to execute malicious commands and maintain persistent remote code execution (RCE). These shells remain dormant under normal traffic and activate only when specific, attacker-supplied cookie values are present, evading detection in logs and web traffic inspection. The technique integrates with cron jobs to reinstall the shell if removed, creating a self-healing persistence mechanism. Initial access is commonly achieved via valid credentials or exploitation of known vulnerabilities, and the approach leverages legitimate execution paths within web server processes and control panels.

Multi-extortion ransomware campaigns have escalated into a dominant threat model by 2026, combining data encryption with direct exfiltration, customer coercion, and operational disruption. In February 2026, the University of Mississippi Medical Center (UMMC) experienced a ransomware attack that disrupted Epic EHR systems across 35 clinics and 200+ telehealth sites, forcing chemotherapy cancellations and non-emergency surgery postponements. The healthcare sector alone saw 93% of U.S. organizations reporting at least one cyberattack in 2025, with 72% indicating direct patient care disruption, while payment processor BridgePay suffered a February 2026 incident that took payment APIs, terminals, and pages offline. Publicly disclosed ransomware attacks surged 49% year-over-year in 2025 to 1,174 confirmed incidents, reflecting the rapid evolution of ransomware from simple encryption to multi-stage extortion tactics leveraging data theft, operational sabotage, and reputational leverage.

CrowdStrike announced integration of Microsoft Defender for Endpoint telemetry into its Falcon Next-Gen SIEM platform, enabling unified threat detection and analytics across third-party endpoint technologies. The integration allows direct ingestion of Defender data, accelerating threat detection through smart filtering and real-time analytics while maintaining interoperability with non-CrowdStrike endpoint solutions. CrowdStrike also launched Falcon Onum, a log management tool acquired in 2024, to scale Defender telemetry processing within the SIEM. Additionally, CrowdStrike solutions became available in the Microsoft Marketplace for the first time, expanding its enterprise reach through Azure Consumption Commitment funds.

A maintainer of the widely used Axios npm package was targeted in a highly tailored social engineering campaign attributed to North Korean threat actor UNC1069, resulting in the compromise of npm account credentials and the publication of two trojanized versions of Axios (1.14.1 and 0.30.4) containing the WAVESHAPER.V2 implant. The intrusion began with reconnaissance-driven impersonation of a legitimate company founder, followed by engagement via a cloned Slack workspace and a Microsoft Teams call where a fake system update was presented. Execution of the malicious update deployed a remote access trojan, enabling credential theft and package tampering. The attack highlights the increasing focus of UNC1069 (also tracked as BlueNoroff and associated with GhostCall campaigns) on open-source maintainers as a vector to compromise downstream software ecosystems at scale.

Organizations face an expanding and increasingly unmanaged third-party attack surface as vendor ecosystems evolve, regulatory scrutiny intensifies, and breaches involving external providers drive significant financial and operational impact. The dissolution of traditional network perimeters has shifted accountability for security and compliance to interconnected ecosystems of SaaS platforms, vendor APIs, and subcontractors, many of which remain invisible to internal IT teams. Industry reports indicate third-party involvement in 30% of breaches with average remediation costs reaching $4.91 million, prompting a fundamental reevaluation of vendor oversight from compliance checkbox to core risk governance function.

A newly identified variant of the SparkCat malware has been observed on the Apple App Store and Google Play Store, camouflaged within legitimate-looking applications such as enterprise messengers and food delivery services. The malware specifically targets cryptocurrency users by scanning mobile device photo galleries for images containing wallet recovery phrases using optical character recognition (OCR). The iOS version scans for English mnemonics, broadening its potential geographic impact, while the Android iteration focuses on Japanese, Korean, and Chinese keywords. Exfiltrated images are sent to attacker-controlled servers.

A former core infrastructure engineer pleaded guilty to remotely compromising a Windows domain at his employer, an industrial firm in Somerset County, New Jersey, by deleting dozens of domain admin accounts, locking out thousands of users, and scheduling mass shutdowns to extort the company. Between November 9 and November 25, 2023, Daniel Rhyne used an unauthorized administrator account to schedule tasks via Windows Task Scheduler on the domain controller, altering 13 domain admin and 301 user passwords and preparing to affect 3,284 workstations and 254 servers. On November 25, he sent a ransom email demanding 20 bitcoin (~$750,000 at the time) or daily server shutdowns, falsely claiming backups were deleted to prevent recovery. The plot began to unravel when administrators received password reset notifications and discovered domain admin accounts had been deleted, cutting off domain-wide administrative access. Investigators found Rhyne had researched log-clearing, password changes, and account deletion techniques at least one week prior using both his laptop and a hidden virtual machine.

A sophisticated North Korean state-sponsored threat actor seized control of the Drift Protocol’s Security Council administrative powers on Solana, enabling the malicious transfer of approximately $285 million in user funds on April 1, 2026. The attacker exploited durable nonce accounts, social engineering to obtain multisig approvals, and a zero-timelock Security Council migration to eliminate the last line of defense. Post-takeover actions included deploying a fictitious CarbonVote Token treated as legitimate collateral and removing withdrawal limits to drain funds across borrow/lend deposits, vault deposits, and trading funds. Drift confirmed no smart contract flaws or seed phrase compromises, attributing the breach to unauthorized transaction approvals via durable nonce mechanisms and social engineering. The platform froze all functions, issued a public warning, and is working with security firms, exchanges, and law enforcement to trace and recover stolen assets. On-chain analysis by Elliptic and TRM Labs indicates DPRK involvement, with indicators consistent with prior state-sponsored campaigns targeting crypto infrastructure.

A credential theft campaign from November 2025 to March 2026 targeted C-suite executives and senior personnel at major organizations worldwide using a previously undocumented phishing-as-a-service (PhaaS) platform named Venom. The campaign used SharePoint-themed lures with embedded QR codes to deliver a multi-stage phishing workflow designed to harvest credentials and bypass multifactor authentication (MFA). Email content included randomized HTML, fabricated email threads, and personalized sender impersonation to evade detection. Victims who passed automated checks were routed to credential harvesters that mimicked legitimate login portals via adversary-in-the-middle (AiTM) techniques, including pre-filled email fields, corporate branding, and identity provider integration. Compromised sessions maintained persistence even after password resets due to valid refresh tokens, unless administrators manually revoked active sessions.

Microsoft has initiated automated upgrades of unmanaged Windows 11 24H2 Home and Pro devices to Windows 11 25H2, effective April 2026, due to the approaching end-of-support date for 24H2 on October 13, 2026. Unmanaged systems will no longer receive security updates, technical support, or critical fixes after the transition unless upgraded. The rollout uses Microsoft’s machine-learning-driven intelligent update system and does not require user action, though restart timing can be controlled or updates paused temporarily. The upgrade path is available via Windows Update and includes access to Microsoft’s official support documentation and troubleshooting guides for the 25H2 transition.

The European Commission disclosed a breach of its Amazon cloud environment attributed to the TeamPCP threat group, resulting in the exposure of data belonging to 42 internal Commission entities and at least 29 additional EU Union entities. The intrusion, initially detected on March 24 — five days after the initial compromise — stemmed from a compromised AWS API key with management rights, stolen during the Trivy supply-chain attack, which was used to breach the Commission’s Amazon cloud infrastructure on March 10. TeamPCP subsequently leveraged cloud credential scanning tools like TruffleHog to locate and exfiltrate sensitive data, including tens of thousands of files with personal information, usernames, and email content. On March 28, the ShinyHunters data extortion group published a 90GB archive (340GB uncompressed) of the stolen dataset on a dark web leak site, containing personal data, email addresses, and content that may span multiple EU entities. No evidence of website defacement or lateral movement to other Commission AWS accounts was found.

Threat actors leveraged the accidental public exposure of Anthropic’s Claude Code source code to distribute the Vidar information-stealing malware through fraudulent GitHub repositories. Attackers created fake repositories posing as the leaked code, optimized for SEO to appear prominently in search results for queries related to the leak. Downloads from these repositories delivered a 7-Zip archive containing a Rust-based dropper (ClaudeCode_x64.exe) that installed Vidar infostealer along with the GhostSocks traffic proxying tool. The malicious archive is actively updated, indicating ongoing iteration of payloads and tactics.

Analysis of 4 billion malicious sessions over three months reveals that residential proxy networks evade IP reputation systems in 78% of cases, challenging traditional network defense assumptions based on traffic origin. The evasion occurs as residential IPs used for malicious activity are predominantly short-lived, active for less than one month in 89.7% of cases and rarely persisting beyond three months. The transient nature of these IPs, combined with rotation tactics, prevents reputation feeds from cataloging malicious infrastructure in time. Roughly 39% of malicious sessions originate from residential networks, yet most remain undetected by reputation systems. The findings highlight the limitations of IP-based defense mechanisms and the need for behavioral detection methods to identify sequential probing, protocol misuse, and device fingerprinting patterns.

A coordinated, state-sponsored phishing campaign continues to target high-value individuals via Signal and WhatsApp, now with confirmed involvement from Russian Intelligence Services-affiliated groups and additional threat actors linked to the FSB, China’s APT31, and Iran’s IRGC. The FBI has directly attributed the campaign to Russian Intelligence Services-affiliated actors, confirming the compromise of thousands of accounts globally and emphasizing that the attacks primarily target high-value individuals such as current and former U.S. government officials, military personnel, political figures, and journalists. The campaign bypasses end-to-end encryption by hijacking accounts through sophisticated social engineering, including impersonating support services and tricking users into sharing verification codes or scanning malicious QR codes to link attacker-controlled devices to accounts. Recent advisories from the NCSC and Dutch intelligence agencies highlight an increase in activity targeting high-risk individuals across government, academia, journalism, and the legal profession. Attackers gain access to private messages, contact lists, and group chats, enabling them to impersonate victims and launch further phishing campaigns. Both Signal and WhatsApp users are advised to regularly review linked devices, avoid sharing verification codes, and enable multi-factor authentication to mitigate risks. Russia-aligned threat clusters such as Star Blizzard, UNC5792 (aka UAC-0195), and UNC4221 (aka UAC-0185) have been associated with similar tactics, and the FBI’s attribution underscores the state-sponsored nature of these operations targeting sensitive communications. French authorities and the UK’s NCSC have also warned of a surge in similar campaigns targeting government officials, journalists, and business leaders.

A new information stealer malware named Storm has been identified targeting browser credentials, session cookies, and cryptocurrency wallets by remotely decrypting stolen data on attacker-controlled infrastructure. Storm, active in underground markets since early 2026, bypasses modern encryption protections in browsers such as Google’s App-Bound Encryption (Chrome 127) by shifting decryption to remote servers instead of local processing. The malware automates session hijacking by feeding stolen Google Refresh Tokens and geographically matched SOCKS5 proxies into an operator panel, silently restoring authenticated sessions across SaaS platforms, internal tools, and cloud environments without triggering password alerts.

Cybercriminals are combining open-source intelligence, real estate data, and postal redirection services to identify vacant residential properties and intercept sensitive mail for identity theft and financial fraud. Threat actors exploit legitimate digitalized postal services such as USPS Informed Delivery and Change of Address (COA) mechanisms to monitor and redirect mail without direct physical presence. The technique integrates with broader fraud ecosystems, including fake identities and Credit Privacy Numbers (CPNs), to establish persistent access to victims’ correspondence. Fraud operations increasingly blend digital reconnaissance with physical-world manipulation, leveraging vacant properties as drop addresses to scale identity-based fraud while evading traditional detection methods.

Two vulnerabilities in Progress ShareFile Storage Zones Controller (SZC) 5.x can be chained to achieve unauthenticated remote code execution (RCE) and file exfiltration from enterprise file transfer environments. The flaws—an authentication bypass (CVE-2026-2699) and an RCE vulnerability (CVE-2026-2701)—enable attackers to bypass authentication, modify storage configurations, extract internal secrets, and deploy ASPX webshells on affected servers. The vendor patched the issues in version 5.12.4 (released March 10, 2026) after coordinated disclosure. Exploitation leverages improper HTTP redirect handling and insecure file upload/extraction mechanisms, with exploitation achievable via public internet exposure. Approximately 30,000 SZC instances are internet-facing, with 700 actively observed by ShadowServer, predominantly in the U.S. and Europe. While no active exploitation has been reported, the public disclosure increases risk of opportunistic attacks.

Apple has expanded security updates for iOS 18.7.7 and iPadOS 18.7.7 to protect devices still running iOS 18 from the DarkSword exploit kit, without requiring full OS upgrades. This follows continued exploitation of DarkSword since July 2025 across multiple countries, with attacks leveraging six vulnerabilities to deploy data-stealing malware like GhostBlade, GhostKnife, and GhostSaber through watering hole attacks on compromised websites. The campaign remains linked to Russian threat actor UNC6353 and associated groups including UNC6748 and Turkish vendor PARS Defense, with Coruna and Darksword exploit kits now confirmed as closely related frameworks sharing origins in the 2019–2023 Operation Triangulation campaign. Coruna has evolved from a precision espionage tool into a mass-exploitation framework with 23 exploits across five chains, while Darksword targets iOS 18.4–18.7 and has been publicly leaked on GitHub. Apple has patched all exploited flaws in recent releases (18.7.3, 26.2, 26.3.1), and CISA has mandated federal agencies patch three DarkSword-linked vulnerabilities (CVE-2025-31277, CVE-2025-43510, CVE-2025-43520) by April 3, 2026. The commoditization of these iOS exploitation tools elevates risk to end-users globally.

The first half of 2025 saw a 179% increase in ransomware attacks compared to the same period in 2024, with Akira and Cl0p remaining the most active ransomware-as-a-service (RaaS) groups. Akira’s operational tempo has accelerated dramatically, with threat actors now completing attack lifecycles in under four hours and, in some cases, less than one hour. The group leverages vulnerabilities in VPN appliances and backup solutions—particularly SonicWall, Veeam, and Cisco devices lacking multi-factor authentication (MFA)—as well as credential theft, spearphishing, and initial access brokers (IABs) for initial access. Akira employs double-extortion tactics, exfiltrating data prior to encryption while evading detection through disabling security software and using living-off-the-land tools. The group’s rapid compromise capabilities, disciplined operational tempo, and hybrid encryption schemes enable maximum impact in minimal time, contributing to its sustained profitability with illicit proceeds estimated at $244.17m since March 2023. Akira has also expanded its targeting to Nutanix AHV virtual machines, further diversifying its attack surface. Akira’s activity has consistently targeted manufacturing and technology sectors, with the US being the most affected region. The RaaS model has enabled lower-skilled actors to participate, amplifying the surge in ransomware incidents. New tactics include pure extortion without encryption, AI-assisted phishing, and exploitation of vulnerabilities such as CVE-2024-40766 in SonicWall devices. The Australian Cyber Security Centre (ACSC) has acknowledged Akira’s targeting of Australian organizations through SonicWall devices, while incomplete remediation of CVE-2024-40766 has fueled renewed exploitation. Akira’s dwell times are among the shortest recorded for ransomware, often measured in hours, and the group has demonstrated significant evolution in its tactics, including encrypting Nutanix AHV virtual machine disk files and leveraging tools like Ngrok for encrypted command-and-control channels. Akira’s ransomware proceeds since late September 2025 exceed $244m, underscoring the group’s operational sophistication and financial impact.

A multi-stage malware campaign targeting South Korean users employs malicious LNK files as initial vectors, using GitHub repositories for command and control (C2) and data exfiltration. The attack chain abuses legitimate Windows utilities and scripting to evade detection, establish persistence via scheduled tasks, and harvest system information. Decoy PDFs are presented to victims while PowerShell scripts execute covertly, with later variants removing metadata to hinder attribution. The campaign exemplifies modern ‘living-off-the-land’ (LOTL) tactics, blending malicious activity with normal network traffic to bypass corporate defenses.

Cisco has disclosed and patched multiple critical vulnerabilities across its product portfolio, including a newly identified Integrated Management Controller (IMC) authentication bypass flaw (CVE-2026-20093) that allows unauthenticated attackers to gain Admin access to unpatched systems. Additionally, Cisco addressed a critical remote code execution (RCE) vulnerability in its Smart Software Manager On-Prem (SSM On-Prem) (CVE-2026-20160) that enables attackers to execute commands with root-level privileges. Earlier in March 2026, Cisco released security updates for two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software: an authentication bypass flaw (CVE-2026-20079) granting root access and an RCE vulnerability (CVE-2026-20131) allowing arbitrary Java code execution. Notably, the Interlock ransomware gang exploited CVE-2026-20131 in zero-day attacks, prompting CISA to add it to its catalog of exploited vulnerabilities and mandate federal agencies to remediate within three days. Cisco also published a bundled set of 25 security advisories addressing 48 vulnerabilities across multiple enterprise networking products, including high-severity issues in ASA Firewall, Secure FMC, and Secure FTD appliances.

A survey of 250 cybersecurity decision makers in UK critical national infrastructure (CNI) sectors reveals that 80% of organizations face operational technology (OT) cyber-attack downtime costs ranging from £100,000 to £5m. Approximately 23% of OT downtime incidents exceed £1m in costs, with 6% surpassing £5m, reflecting the severe financial impact of disruptions to energy, utilities, transport, manufacturing, and retail operations. The rising threat of nation-state attacks, amplified by recent geopolitical tensions such as the US-Israel strikes on Iran, is driving concerns among 64% of respondents, who fear targeted OT disruption over traditional data theft or financial motives. Industrial systems in OT environments are particularly vulnerable due to their direct control over physical processes, making breaches capable of halting production, interrupting services, or compromising safety.

A new malware-as-a-service (MaaS) named CrystalRAT is being actively promoted on Telegram and YouTube, offering remote access, data theft, keylogging, clipboard hijacking, and extensive prankware features. The malware, first observed in January 2026, employs a tiered subscription model and shares technical similarities with the Salat Stealer (WebRAT), including Go-based code and a bot-driven sales system. CrystalRAT’s payloads are compressed and encrypted using zlib and ChaCha20, respectively, and communicate with command-and-control (C2) servers via WebSocket. The malware targets Chromium-based browsers, desktop applications (Steam, Discord, Telegram), and includes spyware capabilities such as audio/video capture, real-time keylogging, and wallet address clipper functionality. Despite its prankware features—such as system shutdowns, input device disabling, and desktop manipulation—CrystalRAT remains a potent threat for data exfiltration and espionage.

Actors leveraged a zero-day vulnerability (CVE-2026-3502) in the TrueConf video conferencing platform to replace legitimate software updates with malicious executables on self-hosted servers, thereby distributing payloads to all connected endpoints. The flaw, affecting versions 8.1.0–8.5.2, resides in an absence of integrity checks within the update mechanism, enabling attackers to serve fake updates and execute arbitrary code with client trust. Targeted entities include government agencies in Southeast Asia, with infections observed since January 2026 via the TrueChaos campaign. Impact includes lateral movement, privilege escalation via UAC bypass, and likely deployment of the Havoc C2 implant for further compromise.

Latin American organizations face a 40% higher rate of cyberattacks than the global average, yet must adapt hiring practices to access an underutilized cybersecurity talent pool dominated by self-taught professionals and part-time practitioners. Regional threat trends—such as Brazil’s Pix payment system fueling banking trojans and phishing campaigns—outpace defensive capabilities, while conventional hiring demands for formal degrees and extensive experience deter qualified but non-traditional candidates. The mismatch exacerbates staffing shortages and increases organizational exposure to fast-evolving threats.