CyberHappenings

News Summary

Last updated: 17:00 19/03/2026 UTC
  • Russian UNC6353 Uses Coruna and Darksword iOS Exploit Kits Across iOS 13–18.7 Targeting Financial Espionage and Data Theft The Coruna and Darksword dual iOS exploit kit campaigns continue to expand, now targeting iPhones running iOS 18.4 through 18.7 with the modular Darksword malware family. Darksword, attributed to the Russian threat actor UNC6353 alongside Coruna, leverages six known and zero-day vulnerabilities to achieve kernel read/write via Safari, enabling rapid exfiltration of cryptocurrency wallets, messages, location history, health data, and system credentials within seconds to minutes before self-wiping. The malware is a professionally engineered JavaScript platform with three documented payload families (GHOSTBLADE, GHOSTKNIFE, GHOSTSABER) used by multiple actors—UNC6353, UNC6748, and Turkish vendor PARS Defense—across Saudi Arabia, Turkey, Malaysia, and Ukraine since at least November 2025. Darksword’s OPSEC failures (unobfuscated code, plainly named components) and use of watering hole attacks mirror Coruna’s tactics, while its ‘hit-and-run’ data theft model signals a shift toward opportunistic financial espionage. Apple has patched all exploited flaws in current iOS releases (18.7.3, 26.2, 26.3.1), and users are advised to upgrade and enable Lockdown Mode if at high risk. Prior context: The Coruna exploit kit, first observed in February 2025, targeted iOS 13.0–17.2.1 with 23 exploits across five chains, used by UNC6353 and UNC6691 in watering hole attacks on Ukrainian and Chinese crypto-related websites. CISA added three Coruna-linked vulnerabilities to its Known Exploited Vulnerabilities catalog and mandated patches by March 26, 2026. Apple backported fixes to older devices, including iOS 15.8.7/16.7.15, addressing vulnerabilities linked to Operation Triangulation and U.S. military contractor L3Harris. Read
  • Privilege Escalation Risks via Weak Password Reset Processes and Mitigations Organizations face persistent privilege escalation risks through insecure password reset workflows when attackers exploit weaker controls in reset pathways compared to primary authentication. Attackers leverage compromised low-privilege accounts, social engineering against helpdesks, token interception, or abuse of over-permissioned administrators to elevate access. These paths allow adversaries to move laterally and gain control of higher-value accounts while appearing as legitimate users. The impact includes unauthorized administrative access, persistent network presence, and potential domain compromise. Securing reset processes is critical as they often bypass hardened login defenses and represent a critical attack surface for privilege escalation. Read
  • Perseus Android Banking Malware Leveraging Accessibility Services for Real-Time Device Takeover and Note Monitoring A new Android malware family named Perseus is actively distributed in the wild, enabling device takeover (DTO) and financial fraud. Built on the foundations of Cerberus and Phoenix, Perseus leverages Accessibility-based remote sessions to monitor and interact with infected devices in real time, with a strong regional focus on Turkey and Italy. The malware monitors note-taking applications to extract high-value personal or financial information, expanding traditional credential theft tactics. Read
  • Mobile Banking Malware Campaigns Expand to 1,243 Financial Brands Across 90 Countries A significant escalation in mobile banking malware campaigns is targeting 1,243 financial brands across 90 countries, with attacks now predominantly originating from compromised user devices. These campaigns leverage 34 active malware families affecting apps with over three billion cumulative downloads, marking a shift to industrialized, large-scale operations that evolve faster than traditional banking defenses. Mobile banking has become the dominant consumer channel, with 54% of users relying on apps for account management, increasing exposure to risk. Malicious activity has surged, including a 56% rise in Android banking trojan attacks in 2025 and a 271% increase in unique malware packages to 255,090. Online fraud rose 21% between 2024 and 2025, with one in 20 verification attempts flagged as fraudulent, and 80% of fraud now occurring through online or mobile platforms. Read
  • Microsoft Intune administrative control weaknesses exploited in Stryker breach leading to mass device wipes A pro-Palestinian hacktivist group named Handala (also tracked as Handala Hack Team, Hatef, or Hamsa) compromised Microsoft Intune administrative controls at Stryker Corporation, a U.S.-based medical technology firm, on March 11, 2026. The attackers created a new Global Administrator account after breaching an existing administrator credential, stole approximately 50 terabytes of data, and executed device wipes across nearly 80,000 systems via Intune’s built-in wipe command. The incident follows Microsoft’s hardening guidance for Intune published days after the breach, which CISA subsequently mandated for all U.S. organizations to mitigate similar risks. The attack highlights the risks of excessive administrative privileges and insufficient privileged access hygiene in cloud-based endpoint management platforms. Read
  • Increased Scanning for PAN-OS GlobalProtect Vulnerability The Interlock ransomware gang has exploited a zero-day RCE vulnerability (CVE-2026-20131) in Cisco’s Secure Firewall Management Center (FMC) software since January 26, 2026, two months before Cisco’s March 4, 2026 patch. The flaw, enabling unauthenticated root-level code execution via the web interface, was actively exploited against enterprise firewalls until at least mid-March 2026. AWS CISO CJ Moses confirmed the timeline and provided rare operational visibility into Interlock’s post-exploitation activities, including PowerShell-based network enumeration, deployment of custom JavaScript and Java RATs, and a memory-resident webshell for evasion. The group also installed ConnectWise ScreenConnect as a backup access method. Cisco’s March 4 patch addressed the insecure Java deserialization flaw in the management interface. Interlock’s activities align with their broader campaigns targeting critical infrastructure, including prior links to ClickFix and NodeSnake malware against U.K. universities since 2024. Read
  • FCA introduces streamlined cyber incident and third-party outage reporting regime for UK financial sector The UK Financial Conduct Authority (FCA) has finalized updated cyber incident and third-party outage reporting rules for regulated financial services firms, effective March 18, 2027. The changes aim to reduce ambiguity in incident reporting requirements, improve operational resilience, and enhance sector-wide risk visibility through a unified reporting framework with the Prudential Regulation Authority (PRA) and Bank of England. The regime addresses both internally driven cyber incidents and those originating from third-party service providers, including cloud and managed service providers. The FCA highlights that 40% of reported incidents in 2025 involved third parties, underscoring the need for clearer guidance on thresholds, definitions, and responsibilities. Firms are now required to use a streamlined reporting portal and simplified forms to submit incident data, with the regulator planning to leverage this information to disseminate real-time insights during major outages and long-term resilience improvements. Read
Last updated: 15:15 19/03/2026 UTC
  • Veeam Patches Multiple Critical RCE Vulnerabilities in Backup & Replication Veeam has released security updates to address multiple critical vulnerabilities in its Backup & Replication software, including seven new RCE flaws. The latest updates patch vulnerabilities (CVE-2026-21666, CVE-2026-21667, CVE-2026-21668, CVE-2026-21669, CVE-2026-21671, CVE-2026-21672, and CVE-2026-21708) that allow low-privileged domain users and Backup Viewers to execute remote code on vulnerable backup servers. Additionally, several high-severity bugs were addressed, which could be exploited to escalate privileges, extract SSH credentials, and manipulate files on Backup Repositories. All vulnerabilities affect earlier versions and have been fixed in versions 12.3.2.4465 and 13.0.1.2067. Veeam has warned admins to upgrade to the latest release promptly, as threat actors often develop exploits post-patch release. Ransomware gangs, including FIN7 and the Cuba ransomware gang, have targeted VBR servers to simplify data theft and block restoration efforts. Read
  • ThreatsDay Bulletin: Emerging Cyber Threat Trends The ThreatsDay Bulletin continues to highlight the accelerating pace of cyber threats, where attackers rapidly adapt infrastructure shifts and social engineering lures to exploit familiar systems. Recent developments include targeted exploitation of Fortinet FortiGate devices via Ransomware-as-a-Service (RaaS), active abuse of Citrix ADC/Gateway vulnerabilities in production environments, widespread misuse of Microsoft Configuration Manager (MCP) for lateral movement and data theft, and weaponized LiveChat integrations in phishing campaigns. These trends reflect a broader pattern of quiet, cumulative exposure where small tactical changes accumulate undetected until they surface as major incidents, underscoring the need for continuous monitoring and adaptive defense strategies. Read
  • SonicWall MySonicWall Breach Exposes Firewall Configuration Files Marquis Software Solutions has confirmed that its August 2025 ransomware attack exposed the personal and financial data of 672,075 individuals—including names, Social Security numbers, Taxpayer Identification Numbers, and financial account details—after threat actors exploited firewall configuration files stolen from SonicWall’s MySonicWall cloud backup breach. The company, which serves 700+ U.S. banks and credit unions, completed its forensic review in December 2025 and began notifying affected individuals in March 2026, while facing over 36 consumer class-action lawsuits and a self-initiated lawsuit against SonicWall for alleged gross negligence and misrepresentation. Marquis alleges SonicWall’s February 2025 API code change introduced the vulnerability, delayed disclosure by three weeks, and understated the breach’s scope (initially claiming <5% of customers were affected, later confirmed as 100%). The SonicWall incident began with a September 2025 breach of its MySonicWall portal, where attackers accessed AES-256-encrypted credentials, network topology details, and MFA recovery codes for all cloud backup users. This data fueled follow-on attacks, including the Marquis breach and Akira ransomware campaigns bypassing MFA via stolen OTP seeds. SonicWall collaborated with Mandiant to attribute the breach to state-sponsored actors and released remediation tools, but 950+ unpatched SMA1000 appliances remain exposed online. The Marquis lawsuit—seeking damages, indemnification, and legal fees—could set a precedent for vendor liability, as enterprises increasingly pursue legal action against cybersecurity providers for contribution or negligence in third-party breaches. CISA and SonicWall continue to urge firmware updates, credential resets, and MFA enforcement to mitigate ongoing risks. Read
  • Six Android Malware Families Target Pix, Banking Apps, and Crypto Wallets Six new Android malware families have been discovered, targeting Pix payments, banking apps, and cryptocurrency wallets. These malware families include PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, Oblivion RAT, and SURXRAT. They steal data and conduct financial fraud, with some using advanced techniques like real-time screen monitoring and AI integration. PixRevolution specifically targets Brazil's Pix instant payment platform, hijacking money transfers in real-time. It uses an "agent-in-the-loop" model where a remote operator watches the victim's phone screen in near real time and intervenes at the exact moment a payment is processed. BeatBanker spreads via phishing attacks and uses an unusual persistence mechanism involving an almost inaudible audio file. TaxiSpy RAT abuses Android's accessibility service and MediaProjection APIs to collect sensitive data. Mirax and Oblivion are offered as malware-as-a-service (MaaS) with various capabilities. SURXRAT is marketed through a Telegram-based MaaS ecosystem and includes a ransomware-style screen locker module. Read
  • Shamos Infostealer Targeting Mac Devices via ClickFix Attacks A new infostealer malware named Shamos is targeting Mac devices through ClickFix attacks. The malware, developed by the COOKIE SPIDER group, steals data and credentials from web browsers, Keychain, Apple Notes, and cryptocurrency wallets. The attacks use malvertising and fake GitHub repositories to lure victims into executing shell commands that download and install the malware. Since June 2025, Shamos has attempted infections in over three hundred environments monitored by CrowdStrike. The malware uses anti-VM commands, AppleScript for reconnaissance, and creates persistence through a Plist file. Users are advised to avoid executing unknown commands and to seek help from trusted sources. A new variant of the MacSync stealer, related to Shamos, is distributed through a digitally signed, notarized Swift application, bypassing macOS Gatekeeper checks. This variant uses evasion techniques such as inflating the DMG file with decoy PDFs and performing internet connectivity checks. The malware runs largely in memory and cleans up temporary files after execution, leaving minimal traces behind. The associated developer certificate has been revoked. Three distinct ClickFix campaigns have been identified distributing the MacSync infostealer via fake AI tool installers. The campaigns use various lures, including OpenAI Atlas browser and ChatGPT conversations, to trick users into executing malicious commands. The latest variant of MacSync supports dynamic AppleScript payloads and in-memory execution to evade detection. The shell script retrieves the AppleScript infostealer payload from a hard-coded server and removes evidence of data theft. The malware harvests credentials, files, keychain databases, and cryptocurrency wallet seed phrases. Read
  • Privilege Escalation Vulnerability in Linux Kernel Exploited in Ransomware Attacks A high-severity privilege escalation flaw in the Linux kernel (CVE-2024-1086) is being exploited in ransomware attacks. Disclosed in January 2024, the vulnerability allows attackers with local access to escalate privileges to root level. It affects multiple major Linux distributions, including Debian, Ubuntu, Fedora, and Red Hat. The flaw was introduced in February 2014 and fixed in January 2024. Additionally, nine confused deputy vulnerabilities, codenamed CrackArmor, have been discovered in the Linux kernel's AppArmor module. These flaws, existing since 2017, allow unprivileged users to bypass kernel protections, escalate to root, and undermine container isolation guarantees. The vulnerabilities affect Linux kernels since version 4.11 and impact major distributions like Ubuntu, Debian, and SUSE. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed the exploitation of the initial flaw in ransomware campaigns and added it to its Known Exploited Vulnerabilities (KEV) catalog in May 2024. Federal agencies were ordered to secure their systems by June 20, 2024. Mitigations include blocking 'nf_tables', restricting access to user namespaces, or loading the Linux Kernel Runtime Guard (LKRG) module. Qualys Threat Research Unit discovered the CrackArmor flaws, which stem from a 'confused deputy' flaw allowing unprivileged local users to manipulate AppArmor security profiles. Over 12.6 million enterprise Linux systems are affected, and the flaws enable local privilege escalation, denial-of-service attacks, and container isolation bypass. Qualys has developed proof-of-concept exploits but has not publicly released them. Read

Latest updates


North Korean Hackers Steal $2 Billion in Cryptocurrency in 2025

Updated: 19.03.2026 19:08 · First: 07.10.2025 20:02 · 📰 6 src / 9 articles

North Korean state-sponsored hackers, primarily the Lazarus Group and its Bluenoroff (APT38) subgroup, continue to aggressively target cryptocurrency-adjacent entities to fund the regime’s illicit activities. As of March 2026, confirmed thefts in 2025 exceeded $2 billion, with cumulative losses since 2017 surpassing $6.75 billion. Recent attacks now include e-commerce platforms like Bitrefill, where North Korean operators compromised employee devices to steal cryptocurrency and gift-card inventory. Investigations increasingly reveal sophisticated persistence, cross-chain laundering, and multi-vector social engineering, alongside new enforcement actions targeting facilitators in the U.S. Prior milestones include the record-setting Bybit breach in February 2025 ($1.5B), multiple exchange compromises (e.g., Upbit, BitoPro), and the conviction of five individuals for aiding North Korean IT worker fraud schemes that generated over $2.2M for the regime. North Korean hackers also continue to refine laundering pathways—employing mixers, bridges, obscure blockchains, and custom tokens—over approximately 45-day cycles. U.S. authorities have sought forfeiture of $15M in stolen crypto linked to APT38 and are dismantling ancillary networks used to funnel revenue to Pyongyang.

Iranian Hacktivist Group Claims Wiper Attack on Stryker

Updated: 19.03.2026 18:14 · First: 11.03.2026 18:20 · 📰 5 src / 5 articles

The Iranian hacktivist group Handala, linked to Iran's Ministry of Intelligence and Security (MOIS), conducted a targeted data-wiping attack against Stryker, a global medical technology company, on March 11, 2026. The attack disrupted over 200,000 systems across 79 countries, with Stryker confirming global disruption to its Microsoft environment and prioritizing restoration of supply-chain systems. Handala claimed responsibility, citing retaliation for a U.S. missile strike, and used Microsoft Intune to issue remote wipe commands, affecting nearly 80,000 devices. The FBI subsequently seized two Handala data leak sites under a U.S. court warrant, disrupting the group's digital infrastructure. Stryker’s operations, particularly in Ireland, suffered severe disruption with over 5,000 workers sent home, and employees reverted to manual workflows during the outage. Handala, active since late 2023, has targeted Israeli organizations historically but expanded operations in alignment with Iranian state interests. Investigators, including Microsoft DART and Palo Alto Unit 42, found no evidence of data exfiltration despite Handala’s claims, and Stryker emphasized the incident was not a ransomware attack. The FBI’s domain seizures mark a significant law enforcement response to Handala’s destructive operations.

Gentlemen Ransomware Exploits Vulnerable Driver to Disable Security Software

Updated: 19.03.2026 18:00 · First: 11.09.2025 23:42 · 📰 3 src / 5 articles

The Gentlemen ransomware group, active since summer 2025, continues to evolve its tactics while leveraging a ransomware-as-a-service (RaaS) model. The group employs dual extortion, targeting Windows, Linux, and ESXi environments, with initial access often gained through exploitation of exposed FortiGate VPN devices. Affiliates use PowerShell and WMI for lateral movement, deploy anti-forensic tools, and target backup/security systems to maximize impact. The group is known for advanced evasion techniques, including BYOVD attacks via CVE-2025-7771 in the ThrottleStop driver, tailored to disable specific security vendors' products. The gang emerged from a dispute within the Qilin RaaS ecosystem and rapidly established itself using existing tooling. Its attacks have targeted critical infrastructure, including Romania's Oltenia Energy Complex on December 26, 2025, where documents were encrypted and multiple applications (ERP, email, document management) were temporarily disabled. The company cooperated with authorities and restored systems from backups. The group uses PowerRun.exe and Allpatch2.exe for privilege escalation and ransom notes with the .7mtzhh extension. While the National Energy System was not jeopardized, the incident is still under assessment for potential data theft. The group has added nearly four dozen victims to its leak site but has not yet listed Oltenia Energy Complex, likely due to ongoing negotiations.

CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog

Updated: 19.03.2026 16:55 · First: 23.01.2026 17:24 · 📰 4 src / 4 articles

CISA added the stored cross-site scripting (XSS) vulnerability CVE-2025-66376 in Zimbra Collaboration Suite (ZCS) to its Known Exploited Vulnerabilities (KEV) catalog on March 18, 2026. The flaw, patched in early November 2025, allows unauthenticated attackers to execute arbitrary JavaScript via malicious HTML emails, enabling session hijacking and data theft in compromised Zimbra environments. CISA ordered U.S. federal agencies to patch the flaw by April 1, 2026 under BOD 22-01 and encouraged all organizations to apply mitigations promptly. Russian state-sponsored threat group APT28 (Fancy Bear, Strontium), linked to Russia's military intelligence service (GRU), is actively exploiting CVE-2025-66376 in attacks targeting Ukrainian government entities, including the Ukrainian State Hydrology Agency, as part of a phishing campaign codenamed Operation GhostMail. The attack chain relies on malicious HTML email bodies with obfuscated JavaScript payloads that execute silently in vulnerable Zimbra webmail sessions to harvest credentials, session tokens, 2FA codes, saved passwords, and mailbox contents dating back 90 days, with data exfiltrated over DNS and HTTPS. This exploitation follows prior Russian campaigns against Zimbra infrastructure, including operations by Winter Vivern (since February 2023) and APT29 (Cozy Bear, Midnight Blizzard) in October 2024.

Mobile Banking Malware Campaigns Expand to 1,243 Financial Brands Across 90 Countries

First: 19.03.2026 16:30 · 📰 1 src / 1 article

A significant escalation in mobile banking malware campaigns is targeting 1,243 financial brands across 90 countries, with attacks now predominantly originating from compromised user devices. These campaigns leverage 34 active malware families affecting apps with over three billion cumulative downloads, marking a shift to industrialized, large-scale operations that evolve faster than traditional banking defenses. Mobile banking has become the dominant consumer channel, with 54% of users relying on apps for account management, increasing exposure to risk. Malicious activity has surged, including a 56% rise in Android banking trojan attacks in 2025 and a 271% increase in unique malware packages to 255,090. Online fraud rose 21% between 2024 and 2025, with one in 20 verification attempts flagged as fraudulent, and 80% of fraud now occurring through online or mobile platforms.

ThreatsDay Bulletin: Emerging Cyber Threat Trends

Updated: 19.03.2026 16:25 · First: 18.12.2025 15:10 · 📰 3 src / 3 articles

The ThreatsDay Bulletin continues to highlight the accelerating pace of cyber threats, where attackers rapidly adapt infrastructure shifts and social engineering lures to exploit familiar systems. Recent developments include targeted exploitation of Fortinet FortiGate devices via Ransomware-as-a-Service (RaaS), active abuse of Citrix ADC/Gateway vulnerabilities in production environments, widespread misuse of Microsoft Configuration Manager (MCP) for lateral movement and data theft, and weaponized LiveChat integrations in phishing campaigns. These trends reflect a broader pattern of quiet, cumulative exposure where small tactical changes accumulate undetected until they surface as major incidents, underscoring the need for continuous monitoring and adaptive defense strategies.

Privilege Escalation Risks via Weak Password Reset Processes and Mitigations

First: 19.03.2026 16:00 · 📰 1 src / 1 article

Organizations face persistent privilege escalation risks through insecure password reset workflows when attackers exploit weaker controls in reset pathways compared to primary authentication. Attackers leverage compromised low-privilege accounts, social engineering against helpdesks, token interception, or abuse of over-permissioned administrators to elevate access. These paths allow adversaries to move laterally and gain control of higher-value accounts while appearing as legitimate users. The impact includes unauthorized administrative access, persistent network presence, and potential domain compromise. Securing reset processes is critical as they often bypass hardened login defenses and represent a critical attack surface for privilege escalation.

Critical Path Traversal in Ubiquiti UniFi Network Application Enables Account Takeover

First: 19.03.2026 15:00 · 📰 1 src / 1 article

A critical severity vulnerability, CVE-2026-22557, in Ubiquiti’s UniFi Network Application (versions 10.1.85 and earlier) allows remote attackers on the local network to execute path traversal attacks and gain unauthorized access to system files. This can be exploited to hijack user accounts without privileges or user interaction, enabling full account takeover in low-complexity attacks. The flaw impacts UniFi Network Application deployments, including those managed via UniFi Cloud Gateway, switches, access points, and gateways. Ubiquiti has addressed the issue in versions 10.1.89 and later. A second vulnerability, an authenticated NoSQL injection flaw, was also patched, enabling privilege escalation for authenticated attackers.

Perseus Android Banking Malware Leveraging Accessibility Services for Real-Time Device Takeover and Note Monitoring

First: 19.03.2026 14:43 · 📰 1 src / 1 article

A new Android malware family named Perseus is actively distributed in the wild, enabling device takeover (DTO) and financial fraud. Built on the foundations of Cerberus and Phoenix, Perseus leverages Accessibility-based remote sessions to monitor and interact with infected devices in real time, with a strong regional focus on Turkey and Italy. The malware monitors note-taking applications to extract high-value personal or financial information, expanding traditional credential theft tactics.

Microsoft Intune administrative control weaknesses exploited in Stryker breach leading to mass device wipes

First: 19.03.2026 13:02 · 📰 1 src / 1 article

A pro-Palestinian hacktivist group named Handala (also tracked as Handala Hack Team, Hatef, or Hamsa) compromised Microsoft Intune administrative controls at Stryker Corporation, a U.S.-based medical technology firm, on March 11, 2026. The attackers created a new Global Administrator account after breaching an existing administrator credential, stole approximately 50 terabytes of data, and executed device wipes across nearly 80,000 systems via Intune’s built-in wipe command. The incident follows Microsoft’s hardening guidance for Intune published days after the breach, which CISA subsequently mandated for all U.S. organizations to mitigate similar risks. The attack highlights the risks of excessive administrative privileges and insufficient privileged access hygiene in cloud-based endpoint management platforms.

Ceros AI Trust Layer introduced to monitor and control Anthropic's Claude Code autonomous coding agent

First: 19.03.2026 12:58 · 📰 1 src / 1 article

A new AI Trust Layer named Ceros, developed by Beyond Identity, has been introduced to provide real-time visibility, runtime policy enforcement, and cryptographic audit trails for Anthropic’s Claude Code autonomous coding agent. Ceros operates directly on developers’ local machines, capturing device context, process ancestry, tool invocations, and MCP server interactions before any network-layer security tool can detect activity. The solution addresses a critical security gap where Claude Code operates with inherited developer permissions and executes actions autonomously, leaving no audit trail in existing enterprise security infrastructures.

FCA introduces streamlined cyber incident and third-party outage reporting regime for UK financial sector

First: 19.03.2026 12:30 · 📰 1 src / 1 article

The UK Financial Conduct Authority (FCA) has finalized updated cyber incident and third-party outage reporting rules for regulated financial services firms, effective March 18, 2027. The changes aim to reduce ambiguity in incident reporting requirements, improve operational resilience, and enhance sector-wide risk visibility through a unified reporting framework with the Prudential Regulation Authority (PRA) and Bank of England. The regime addresses both internally driven cyber incidents and those originating from third-party service providers, including cloud and managed service providers. The FCA highlights that 40% of reported incidents in 2025 involved third parties, underscoring the need for clearer guidance on thresholds, definitions, and responsibilities. Firms are now required to use a streamlined reporting portal and simplified forms to submit incident data, with the regulator planning to leverage this information to disseminate real-time insights during major outages and long-term resilience improvements.

Increased Scanning for PAN-OS GlobalProtect Vulnerability

Updated: 19.03.2026 11:50 · First: 02.10.2025 14:30 · 📰 3 src / 3 articles

The Interlock ransomware gang has exploited a zero-day RCE vulnerability (CVE-2026-20131) in Cisco’s Secure Firewall Management Center (FMC) software since January 26, 2026, two months before Cisco’s March 4, 2026 patch. The flaw, enabling unauthenticated root-level code execution via the web interface, was actively exploited against enterprise firewalls until at least mid-March 2026. AWS CISO CJ Moses confirmed the timeline and provided rare operational visibility into Interlock’s post-exploitation activities, including PowerShell-based network enumeration, deployment of custom JavaScript and Java RATs, and a memory-resident webshell for evasion. The group also installed ConnectWise ScreenConnect as a backup access method. Cisco’s March 4 patch addressed the insecure Java deserialization flaw in the management interface. Interlock’s activities align with their broader campaigns targeting critical infrastructure, including prior links to ClickFix and NodeSnake malware against U.K. universities since 2024.

Russian UNC6353 Uses Coruna and Darksword iOS Exploit Kits Across iOS 13–18.7 Targeting Financial Espionage and Data Theft

Updated: 19.03.2026 11:14 · First: 04.03.2026 15:28 · 📰 9 src / 9 articles

The Coruna and Darksword dual iOS exploit kit campaigns continue to expand, now targeting iPhones running iOS 18.4 through 18.7 with the modular Darksword malware family. Darksword, attributed to the Russian threat actor UNC6353 alongside Coruna, leverages six known and zero-day vulnerabilities to achieve kernel read/write via Safari, enabling rapid exfiltration of cryptocurrency wallets, messages, location history, health data, and system credentials within seconds to minutes before self-wiping. The malware is a professionally engineered JavaScript platform with three documented payload families (GHOSTBLADE, GHOSTKNIFE, GHOSTSABER) used by multiple actors—UNC6353, UNC6748, and Turkish vendor PARS Defense—across Saudi Arabia, Turkey, Malaysia, and Ukraine since at least November 2025. Darksword’s OPSEC failures (unobfuscated code, plainly named components) and use of watering hole attacks mirror Coruna’s tactics, while its ‘hit-and-run’ data theft model signals a shift toward opportunistic financial espionage. Apple has patched all exploited flaws in current iOS releases (18.7.3, 26.2, 26.3.1), and users are advised to upgrade and enable Lockdown Mode if at high risk. Prior context: The Coruna exploit kit, first observed in February 2025, targeted iOS 13.0–17.2.1 with 23 exploits across five chains, used by UNC6353 and UNC6691 in watering hole attacks on Ukrainian and Chinese crypto-related websites. CISA added three Coruna-linked vulnerabilities to its Known Exploited Vulnerabilities catalog and mandated patches by March 26, 2026. Apple backported fixes to older devices, including iOS 15.8.7/16.7.15, addressing vulnerabilities linked to Operation Triangulation and U.S. military contractor L3Harris.

UK critical infrastructure cyber maturity increasingly driven by regulatory compliance

Updated: · First: 19.03.2026 11:00 · 📰 1 src / 1 articles

Regulatory requirements have become the dominant driver of cybersecurity investment and program direction for 35% of UK critical national infrastructure (CNI) organizations in 2026, up from 26% in 2025, according to Bridewell’s Cybersecurity in CNI Report 2026. This shift coincides with the implementation of the UK Cyber Security Resilience Bill (CSRB), EU NIS2 Directive, and EU Cyber Resilience Act (CRA), alongside updates to the NCSC’s Cyber Assessment Framework (CAF) and the introduction of the Enhanced Cyber Assessment Framework (eCAF), which mandates compliance by March 2028. Regulatory compliance now overshadows factors such as increased connectivity, innovation support, and evolving threats, which were cited by only 25% of respondents in 2025 and 2026. Despite regulatory pressure, 39% of CNI organizations report low confidence in their data protection measures, highlighting a gap between compliance and operational resilience.

EU sanctions extend to Chinese and Iranian firms for state-linked cyber operations

Updated: · First: 19.03.2026 09:01 · 📰 1 src / 1 articles

The European Union sanctioned three entities—Integrity Technology Group (China), Anxun Information Technology (aka "iSoon", China), and Emennet Pasargad (Iran)—for facilitating or conducting cyberattacks targeting EU member states. Sanctions include asset freezes, business restrictions, and travel bans, aligning with prior actions by the US and UK. The entities are linked to state-aligned cyber operations, including espionage, data breaches, disinformation campaigns, and large-scale device compromises. The actions formalize the EU’s Cyber Diplomacy Toolbox, established in 2017 and operationalized in 2019, targeting entities behind incidents such as WannaCry, NotPetya, election interference, and critical infrastructure disruptions.

Optimizely Data Breach After Vishing Attack

Updated: 19.03.2026 00:56 · First: 23.02.2026 20:04 · 📰 2 src / 2 articles

An ongoing wave of vishing-led breaches attributed to ShinyHunters has claimed a new victim: Aura, a digital safety firm. The attack exposed contact details of nearly 900,000 individuals, stemming from a marketing tool inherited in a 2021 acquisition. ShinyHunters claimed the theft of 12GB of files containing PII and corporate data, releasing it after failed extortion attempts. The company emphasized no SSNs, passwords, or financial data were compromised and is conducting an internal review with law enforcement involvement. Earlier in February, Optimizely disclosed a similar breach following a voice phishing attack that compromised basic business contact information. Both incidents underscore the continued exploitation of vishing tactics by ShinyHunters to gain initial access to organizations, with impacts focused on contact data rather than deeper system compromise.

Shift from Predictive to Preemptive Security as Attacker Speed Exceeds Defender Windows

Updated: · First: 18.03.2026 21:37 · 📰 1 src / 1 articles

The predictive security model has collapsed in 2026 due to the industrialization of cybercrime and the rapid exploitation of high-risk vulnerabilities. Exploitation now occurs within days of public disclosure, leaving defenders without time to patch or respond. Criminal tactics have shifted to 'silent entry and grab' operations, prioritizing speed and stealth over traditional ransomware deployment. Initial Access Brokers (IABs) leverage infostealers to rapidly monetize compromised credentials, reducing defenders’ ability to predict and disrupt attacks before damage occurs. Preemptive security is now emphasized as the primary defense strategy, focusing on reducing attacker conditions, detecting with full environmental context, and prioritizing actions based on material risk rather than alert volume.

ConnectWise ScreenConnect cryptographic signature bypass leading to unauthorized access fixed in version 26.1

Updated: · First: 18.03.2026 20:10 · 📰 1 src / 1 articles

A critical cryptographic signature verification vulnerability in ConnectWise ScreenConnect versions prior to 26.1 allows attackers to extract ASP.NET machine keys and forge authentication tokens, enabling unauthorized access and privilege escalation. The flaw, tracked as CVE-2026-3564, affects both cloud-hosted and on-premises deployments and has been observed being targeted in the wild. Exploitation results in unauthorized session authentication and potential compromise of managed systems accessed via ScreenConnect.

North Korean APTs Leverage AI to Enhance IT Worker Scams

Updated: 18.03.2026 19:26 · First: 06.03.2026 19:49 · 📰 3 src / 3 articles

North Korea's state-linked APTs—particularly Jasper Sleet and Coral Sleet—continue to expand their IT worker scams using AI to fabricate identities, automate social engineering, and deploy malware, while simultaneously diversifying revenue streams to fund weapons programs. OFAC sanctions now confirm the scheme's scale and structure, revealing a multi-tiered network of recruiters, facilitators, IT workers, and collaborators that has infiltrated U.S. and international companies to steal sensitive data and extort victims. The use of AI tools like Faceswap for identity fabrication and Astrill VPN for geographic obfuscation underscores the sophistication of these operations, which are deeply embedded in North Korea's sanctions-evasion and revenue-generation machinery. Initial reporting by Microsoft documented how Jasper Sleet and Coral Sleet leverage AI to research job postings, generate fake resumes, create culturally tailored digital personas, and develop web infrastructure for malicious purposes. These groups use AI coding tools to refine malware and jailbreak LLMs to generate malicious code, complicating detection while enabling long-term persistence as insider threats. The scheme's expansion into malware deployment and extortion activities further increases its impact, with a significant portion of earnings funneled back to North Korea to support its missile programs.

Interlock ransomware leverages Cisco FMC insecure deserialization zero-day (CVE-2026-20131) for root access

Updated: · First: 18.03.2026 18:00 · 📰 1 src / 1 articles

A critical insecure deserialization vulnerability in Cisco Secure Firewall Management Center (FMC) Software, tracked as CVE-2026-20131 (CVSS 10.0), is being actively exploited by the Interlock ransomware group to gain unauthenticated remote root access on unpatched systems. The flaw enables unauthenticated remote attackers to bypass authentication and execute arbitrary Java code with root privileges via crafted HTTP requests to a specific endpoint. Exploitation has been observed as a zero-day since January 26, 2026, more than a month before public disclosure and patch availability. The attack chain includes post-exploitation tooling such as custom JavaScript/Java RATs, PowerShell reconnaissance scripts, Linux reverse proxy configuration tools, memory-resident web shells, and ConnectWise ScreenConnect for persistence. Compromised environments are being leveraged for ransomware operations and secondary monetization.

Ubuntu desktop local privilege escalation via snap-confine and systemd-tmpfiles interaction

Updated: · First: 18.03.2026 17:45 · 📰 1 src / 1 articles

A local privilege escalation (LPE) vulnerability has been disclosed in Ubuntu Desktop 24.04 and later, tracked as CVE-2026-3888, enabling attackers with minimal access to escalate to full root privileges. The flaw results from the interaction between snap-confine and systemd-tmpfiles, where attackers exploit delayed automated cleanup processes (10–30 days) to replace critical directories with malicious payloads. Triggering snap-confine execution of these files achieves root access without requiring user interaction. Impact includes complete system compromise on affected Ubuntu releases using vulnerable snapd versions.

SonicWall MySonicWall Breach Exposes Firewall Configuration Files

Updated: 18.03.2026 17:32 · First: 17.09.2025 19:23 · 📰 16 src / 26 articles

Marquis Software Solutions has confirmed that its August 2025 ransomware attack exposed the personal and financial data of 672,075 individuals—including names, Social Security numbers, Taxpayer Identification Numbers, and financial account details—after threat actors exploited firewall configuration files stolen from SonicWall’s MySonicWall cloud backup breach. The company, which serves 700+ U.S. banks and credit unions, completed its forensic review in December 2025 and began notifying affected individuals in March 2026, while facing over 36 consumer class-action lawsuits and a self-initiated lawsuit against SonicWall for alleged gross negligence and misrepresentation. Marquis alleges SonicWall’s February 2025 API code change introduced the vulnerability, delayed disclosure by three weeks, and understated the breach’s scope (initially claiming <5% of customers were affected, later confirmed as 100%). The SonicWall incident began with a September 2025 breach of its MySonicWall portal, where attackers accessed AES-256-encrypted credentials, network topology details, and MFA recovery codes for all cloud backup users. This data fueled follow-on attacks, including the Marquis breach and Akira ransomware campaigns bypassing MFA via stolen OTP seeds. SonicWall collaborated with Mandiant to attribute the breach to state-sponsored actors and released remediation tools, but 950+ unpatched SMA1000 appliances remain exposed online. The Marquis lawsuit—seeking damages, indemnification, and legal fees—could set a precedent for vendor liability, as enterprises increasingly pursue legal action against cybersecurity providers for contribution or negligence in third-party breaches. CISA and SonicWall continue to urge firmware updates, credential resets, and MFA enforcement to mitigate ongoing risks.

ShieldGuard malicious browser extension operation dismantled after data harvesting campaign uncovered

Updated: · First: 18.03.2026 16:15 · 📰 1 src / 1 articles

A cryptocurrency-themed browser extension named ShieldGuard, marketed as a security tool for crypto wallets, was dismantled after researchers discovered it functioned as malware designed to harvest sensitive user data from major crypto platforms and general browsing sessions. The operation employed social media promotion, browser extension listings, and token airdrop incentives to lure users into installing the malicious extension. ShieldGuard targeted Binance, Coinbase, MetaMask, and general browsing activity, capturing wallet addresses, HTML content post-login, session persistence, and enabling remote code execution via a command-and-control (C2) server.

Refund fraud operationalized as underground service economy targeting major retailers and payment platforms

Updated: · First: 18.03.2026 16:05 · 📰 1 src / 1 articles

A structured underground market has emerged where threat actors commodify refund fraud techniques as tutorials, operational guides, and "as-a-service" offerings to exploit major retailers and payment platforms. Actors profit by manipulating customer-service processes, return policies, and chargeback systems—leveraging social engineering and knowledge of internal workflows rather than malware or hacking. The schemes target high-volume consumer platforms such as Amazon, PayPal, Apple, eBay, Walmart, Best Buy, and digital payment services, capitalizing on customer-friendly refund policies. Retailers processed approximately $685 billion in returns in 2024, with an estimated $103 billion (15%) attributed to fraudulent activity, compounded by $4 in operational costs per $1 lost. Fraud methods sold online include refund without return, chargeback fraud, goods swapping, empty-box returns, and policy manipulation. The ecosystem lowers barriers to entry, enabling novice and experienced actors alike to participate in scalable refund fraud schemes, with tutorials priced between $50 and $300 and commission-based "refund fraud as a service" models.

Compromise of Nordstrom's Salesforce-OKTA integration leveraged for cryptocurrency scam distribution

Updated: · First: 18.03.2026 15:55 · 📰 1 src / 1 articles

An attacker compromised a Nordstrom marketing infrastructure path via an Okta SSO to Salesforce integration, then sent fraudulent St. Patrick’s Day cryptocurrency scam emails to Nordstrom customers from the legitimate [email protected] address. The emails urged recipients to rapidly deposit crypto to double the amount within two hours, using grammatical errors and urgency to deceive. Nordstrom confirmed the unauthorized campaign and warned customers that no legitimate Nordstrom communication requests crypto transfers. Some customers reportedly sent funds to attacker-controlled wallet addresses before the company issued a takedown notice.

AI-driven acceleration of exploitation timelines reduces window between vulnerability disclosure and active attacks

Updated: · First: 18.03.2026 15:00 · 📰 1 src / 1 articles

In 2025, threat actors leveraged AI and automation to compress the time between public vulnerability disclosure and exploitation from weeks to days or even minutes, significantly reducing the traditional "predictive window" for defenders. The median time between vulnerability publication and inclusion in CISA’s Known Exploited Vulnerabilities (KEV) catalog decreased from 8.5 days to 5 days, while the mean dropped from 61 days to 28.5 days. The use of AI accelerated reconnaissance, automated decision-making, and industrialized social engineering, enabling rapid weaponization of known weaknesses such as exposed services, weak identity controls, and unpatched edge infrastructure. Confirmed exploitation of high-severity CVEs (CVSS 7–10) rose 105% year-over-year, with deserialization, authentication bypass, and memory corruption flaws most frequently exploited—often against file transfer systems, edge appliances, and collaboration platforms.

Magecart skimmer leverages favicon EXIF steganography in web supply chain attack chain

Updated: · First: 18.03.2026 13:58 · 📰 1 src / 1 articles

A recently observed Magecart skimmer employs a three-stage loader chain that conceals its malicious payload within the EXIF metadata of a dynamically loaded favicon, executing entirely in the browser during checkout without ever residing in the merchant’s source code or repository. The attack abuses third-party CDN-hosted resources (legitimate-looking favicon paths) and leverages JavaScript obfuscation and dynamic script injection to retrieve and decode the payload from binary image data. Stolen payment data is exfiltrated directly from the victim’s browser to attacker-controlled infrastructure. This campaign highlights the operational blind spot of repository-centric static analysis tools, which cannot detect threats injected into third-party assets or embedded in runtime-executed binary metadata. The technique underscores the need for continuous client-side runtime monitoring as a critical control layer for web supply chain attacks.

Unauthenticated Root Access Flaws Disclosed in Multiple IP KVM Vendors

Updated: · First: 18.03.2026 13:42 · 📰 1 src / 1 articles

Nine vulnerabilities across IP KVM devices from four vendors enable unauthenticated attackers to gain root access, execute arbitrary code, or bypass security controls, posing critical risks to connected systems. The flaws span GL-iNet Comet RM-1, Angeet/Yeeso ES3 KVM, Sipeed NanoKVM, and JetKVM, with the most severe allowing unauthenticated root access or arbitrary code execution. Exploitation can undermine Secure Boot, disk encryption, and operating system-level security measures, granting persistent, undetected access to compromised hosts. Researchers highlight systemic issues including missing firmware signature validation, absent authentication, and exposed debug interfaces as recurring themes.

Vidar 2.0 Infostealer Emerges as Lumma Stealer Declines

Updated: 18.03.2026 13:15 · First: 23.10.2025 13:00 · 📰 2 src / 2 articles

Vidar 2.0 has expanded its operations through malvertising campaigns leveraging fake game cheats distributed on GitHub and Reddit. Hundreds of GitHub repositories are being used to deliver the infostealer, with Reddit posts promoting Counter-Strike 2 cheats that redirect to malicious sites. The campaigns employ sophisticated loaders with PowerShell scripts and obfuscated AutoIt payloads, alongside advanced evasion techniques such as Defender exclusions, Themida packing, and Telegram/Steam dead-drop C2 resolvers. The infostealer, first announced on October 6, 2025, by developer "Loadbaks," has evolved into a stealthier and more powerful threat with multithreaded execution, polymorphic builds, and advanced anti-analysis features. Its rising adoption follows law enforcement disruption of rival infostealers Lumma and Rhadamanthys, reshaping the infostealer landscape.