Weekly Threat Landscape Digest – Week 12

1. Privilege Escalation Vulnerability in Ubuntu via systemd Cleanup Timing Exploit

A high-severity local privilege escalation vulnerability, tracked as CVE-2026-3888, affects Ubuntu Desktop 24.04 and later through unintended interaction between snap-confine and systemd-tmpfiles, allowing a local attacker to exploit temporary directory cleanup timing, recreate critical directories with malicious content, and potentially achieve arbitrary code execution as root, resulting in full system compromise if successfully exploited.

Details:

• CVE ID: CVE-2026-3888
• Severity: High
• CVSS v3.1 Base Score: 7.8
• Vulnerability Type: Privilege Escalation
• Affected Components:
  • snap-confine
  • systemd-tmpfiles
• The issue stems from the interaction between snap-confine sandbox handling and systemd-tmpfiles cleanup of temporary directories.
• An attacker may abuse the cleanup cycle to delete a critical directory such as /tmp/.snap and recreate it with malicious content.
• On subsequent execution, snap-confine may bind mount attacker-controlled files with root privileges.
• Exploitation requires precise timing with system cleanup cycles, typically every 10–30 days.
• Successful exploitation can lead to arbitrary code execution as root.

Affected Versions:

• Ubuntu Desktop 24.04 LTS
• Ubuntu Desktop 25.10
• Ubuntu Desktop 26.04 (Development versions)
• Affected Packages:
  • snapd versions prior to 2.73+ubuntu24.04.1
  • snapd versions prior to 2.73+ubuntu25.10.1
  • snapd versions prior to 2.74.1+ubuntu26.04.1

Fixed Version:

• 2.73+ubuntu24.04.1
• 2.73+ubuntu25.10.1
• 2.74.1+ubuntu26.04.1
• Upstream versions prior to 2.75 are affected

Impact:

• Local attackers may escalate privileges to root.
• Successful exploitation may result in full system compromise.

Recommendations:

• Apply security updates for snapd immediately.
• Apply all available Ubuntu security updates.
• Monitor /tmp, /run, and /var/tmp directories for suspicious activity.
• Restrict local user access where possible.
• Implement file integrity monitoring on critical directories.
• Review cron jobs and cleanup processes for anomalies.
• Use least privilege principles for local users.

Reference:
https://thehackernews.com/2026/03/ubuntu-cve-2026-3888-bug-lets-attackers.html
https://nvd.nist.gov/vuln/detail/CVE-2026-3888

2. Critical Unpatched Telnetd Vulnerability Enables Unauthenticated Root RCE

A critical vulnerability, tracked as CVE-2026-32746, affects GNU InetUtils telnetd and allows unauthenticated remote attackers to execute arbitrary code as root during the initial Telnet handshake, requiring no authentication or user interaction, making exposed systems highly susceptible to full compromise.

Details:

• CVE ID: CVE-2026-32746
• Severity: Critical
• CVSS v3.1 Base Score: 9.8
• Vulnerability Type: Buffer Overflow / Out-of-Bounds Write
• Affected Component: GNU InetUtils telnetd (LINEMODE SLC handler)
• The flaw exists in the LINEMODE Set Local Characters (SLC) suboption handler.
• Exploitation occurs during the initial Telnet handshake phase before authentication.
• Specially crafted messages trigger an out-of-bounds write leading to buffer overflow.
• Allows arbitrary memory writes and remote code execution.
• telnetd typically runs with root privileges, increasing impact severity.

Affected Versions:

• GNU InetUtils telnetd versions up to 2.7

Impact:

• Unauthenticated remote code execution as root.
• Full system compromise without user interaction.

Recommendations:

• Disable Telnet service if not required.
• Block port 23 at network perimeter and host firewall level.
• Restrict access using network segmentation.
• Run telnetd with non-root privileges where possible.
• Monitor systems for suspicious inbound connections on port 23.
• Replace Telnet with secure alternatives such as SSH.
• Conduct immediate security assessment on exposed systems.

Reference:
https://thehackernews.com/2026/03/critical-telnetd-flaw-cve-2026-32746.html

3. Multiple High-Severity Vulnerabilities in Google Chrome OS

Multiple high-severity vulnerabilities, identified as CVE-2026-3909 and CVE-2026-3910, affect Chrome OS components including the Skia graphics engine and V8 JavaScript engine, potentially allowing attackers to trigger memory corruption and execute arbitrary code on affected systems.

Details:

• CVE IDs:
  • CVE-2026-3909
  • CVE-2026-3910
• Severity: High
• Vulnerability Type:
  • Out-of-Bounds Write
  • Improper Implementation
• Affected Components:
  • Skia (Graphics Engine)
  • V8 (JavaScript Engine)
• Improper memory handling may lead to memory corruption.
• Exploitation could enable arbitrary code execution.

Affected Versions:

• Google Chrome OS versions prior to LTS 144.0.7559.246
• Platform versions prior to 16503.78.0

Fixed Version:

• Chrome OS LTS Version: 144.0.7559.246
• Platform Version: 16503.78.0

Impact:

• Potential arbitrary code execution.
• System compromise via browser exploitation.

Recommendations:

• Apply the latest Chrome OS security updates immediately.
• Ensure automatic updates are enabled.
• Restart systems after updates.
• Avoid visiting untrusted websites.
• Monitor endpoints for abnormal activity.
• Conduct vulnerability scans to verify patch compliance.

Reference:
https://chromereleases.googleblog.com/2026/03/long-term-support-channel-updatefor_16.html

4. Multiple Vulnerabilities in HPE SAN Switches Running Brocade Fabric OS

Multiple vulnerabilities affecting HPE SAN Switches running Brocade Fabric OS could allow attackers to exploit weaknesses leading to unauthorized access, disruption of storage services, or compromise of critical enterprise infrastructure.

Details:

• CVE IDs:
  • CVE-2025-58382 – CVSS 8.4 (High)
  • CVE-2025-58383 – CVSS 8.1 (High)
  • CVE-2025-9711 – CVSS 7.9 (High)
  • CVE-2026-0383 – CVSS 6.5 (Medium)
  • CVE-2025-58379 – CVSS 5.0 (Medium)
  • CVE-2025-58380 – CVSS 2.9 (Low)
  • CVE-2025-58381 – CVSS 2.9 (Low)
• Vulnerability Type: Multiple vulnerabilities including access control and system-level weaknesses.
• Affected Component: Brocade Fabric OS (FOS)
• High-severity issues may allow unauthorized access and disruption of storage environments.
• Risks include compromise of sensitive data and operational impact.

Affected Versions:

• Brocade Fabric OS versions prior to 9.2.1c3
• Brocade Fabric OS versions prior to 9.2.2c

Fixed Version:

• Brocade Fabric OS 9.2.1c3 or later
• Brocade Fabric OS 9.2.2c or later

Impact:

• Unauthorized access to storage infrastructure.
• Disruption of SAN operations.
• Potential compromise of sensitive enterprise data.

Recommendations:

• Upgrade to the latest fixed firmware versions immediately.
• Restrict access to SAN management interfaces.
• Monitor logs for suspicious activity.
• Implement network segmentation for storage environments.
• Conduct vulnerability assessments.
• Enforce strict access control policies.

Reference:
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst05001en_us&docLocale=en_US

5. Remote Code Execution Vulnerabilities in Windows RRAS Management Tool

Multiple critical vulnerabilities, tracked as CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111, affect the Windows RRAS Management Tool and may allow attackers to execute arbitrary code when a user connects to a malicious remote server, prompting Microsoft to release an out-of-band security update.

Details:

• CVE IDs:
  • CVE-2026-25172
  • CVE-2026-25173
  • CVE-2026-26111
• Severity: Critical
• Vulnerability Type: Remote Code Execution (RCE)
• Affected Component: Windows RRAS Management Tool
• Exploitation occurs when connecting to a malicious or compromised remote server.
• Successful exploitation enables arbitrary code execution and system compromise.

Affected Versions:

• Windows 11 Version 25H2 – OS Build 26200.7982
• Windows 11 Version 24H2 – OS Build 26100.7982

Fixed Version:

• Security Update KB5084597 (Out-of-band hotpatch)

Impact:

• Remote code execution on affected systems.
• Full system compromise and unauthorized access.

Recommendations:

• Apply security update KB5084597 immediately.
• Keep systems updated with latest patches.
• Restrict connections to untrusted remote servers.
• Monitor for suspicious network activity.
• Implement endpoint protection and logging.
• Conduct vulnerability scans to confirm patch deployment.

Reference:
https://support.microsoft.com/en-us/topic/march-13-2026-hotpatch-kb5084597-osbuilds-26200-7982-and-26100-7982-out-of-band-ef323fee-e70f-4f43-8bbc1021c435bf5c#id0ebbd=windows_for_x64

6. Actively Exploited Vulnerability in Wing FTP Server

An actively exploited vulnerability, CVE-2025-47813, in Wing FTP Server allows authenticated attackers to disclose sensitive internal system information, including full file system paths, which can aid in further exploitation and compromise of affected systems.

Details:

• CVE ID: CVE-2025-47813
• Severity: Medium
• CVSS v3.1 Base Score: 4.3
• Vulnerability Type: Information Disclosure
• Affected Component: /loginok.html endpoint
• Caused by improper validation of UID session cookie length.
• Crafted POST requests with oversized UID values trigger errors.
• Error responses expose full local file system paths.
• Exposed information can assist in reconnaissance and chained attacks.

Affected Versions:

• Wing FTP Server versions prior to 7.4.4

Fixed Version:

• Wing FTP Server 7.4.4 or later

Impact:

• Disclosure of sensitive internal paths.
• Increased risk of further exploitation and attack chaining.

Recommendations:

• Update to Wing FTP Server 7.4.4 or later immediately.
• Restrict access to trusted users.
• Monitor logs for suspicious POST requests.
• Implement input validation and request filtering.
• Limit exposure of internal error messages.
• Conduct security assessments for exploitation attempts.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-47813

7. WebKit Vulnerability in Apple Devices (iOS, iPadOS, macOS)

A high-severity vulnerability, tracked as CVE-2026-20643, affects Apple devices through the WebKit engine and allows malicious web content to bypass browser security controls, potentially leading to unauthorized cross-origin data access, session hijacking, and execution of unintended actions within trusted web contexts.

Details:

• CVE ID: CVE-2026-20643
• Severity: High
• CVSS v3.1 Base Score: 8.8
• Vulnerability Type: Cross-Origin Policy Bypass
• Affected Component:
  • WebKit (Browser Engine)
• Caused by insufficient input validation in the Navigation API.
• Enables bypass of Same Origin Policy (SOP).
• Malicious web content can interact across different domains.
• May lead to unauthorized access to sensitive data and session compromise.

Affected Versions:

• iOS 26.3.1
• iPadOS 26.3.1
• macOS 26.3.1
• macOS 26.3.2

Fixed Version:

• iOS 26.3.1 (a)
• iPadOS 26.3.1 (a)
• macOS 26.3.1 (a)
• macOS 26.3.2 (a)

Impact:

• Unauthorized cross-domain data access.
• Session hijacking.
• Data exfiltration.
• Execution of unintended actions in trusted contexts.

Recommendations:

• Install the latest Apple security updates immediately.
• Enable automatic updates across devices.
• Avoid visiting untrusted or suspicious websites.
• Monitor for abnormal browser behavior.
• Implement endpoint protection where applicable.
• Educate users on phishing and malicious content risks.

Reference:
https://support.apple.com/en-ae/100100
https://support.apple.com/en-ae/126604

8. Storm-2561 Campaign Distributing Trojanized VPN Clients via SEO Poisoning

An active cyber campaign attributed to Storm-2561 leverages SEO poisoning to distribute trojanized VPN client installers that deploy the Hyrax infostealer, enabling attackers to harvest VPN credentials and exfiltrate them to attacker-controlled infrastructure, targeting organizations using enterprise VPN solutions.

Details:

• Attack Chain:
  • SEO poisoning manipulates search results for VPN downloads.
  • Users are redirected to spoofed vendor websites.
  • Malicious installers are downloaded from external sources such as GitHub.
  • Trojanized installer executes and deploys malware components.
  • DLL sideloading loads Hyrax infostealer via malicious DLLs.
  • Fake VPN login interface captures credentials.
  • Stored VPN configurations are extracted from local systems.
  • Stolen data is transmitted to attacker-controlled infrastructure.
  • Fake error messages redirect users to legitimate sites to reduce suspicion.
  • Persistence achieved via RunOnce registry key.
• Malware Components:
  • Pulse.exe
  • dwmapi.dll
  • inspector.dll
• Targeted VPN Products:
  • Fortinet / FortiClient
  • Ivanti / Pulse Secure
  • Cisco Secure Client
  • Sophos Connect
  • SonicWall NetExtender
  • CheckPoint VPN
  • WatchGuard VPN
  • Palo Alto GlobalProtect
• Indicators of Compromise:
  • Malicious Domains:
    • vpn-fortinet[.]com
    • ivanti-vpn[.]org
    • vpn-connection[.]pro
    • myconnection[.]pro
    • checkpoint-vpn[.]com
    • cisco-secure-client[.]es
    • forticlient-for-mac[.]com
    • forticlient-vpn[.]de
    • forticlient-vpn[.]fr
    • forticlient-vpn[.]it
    • forticlient[.]ca
    • forticlient.co[.]uk
    • forticlient[.]no
    • fortinet-vpn[.]com
    • ivanti-secure-access[.]de
    • ivanti-pulsesecure[.]com
    • sonicwall-netextender[.]nl
    • sophos-connect[.]org
    • watchguard-vpn[.]com
  • Command & Control:
    • 194.76.226[.]93:8080
  • Malware Distribution URL:
    • hxxps://github[.]com/latestver/vpn/releases/download/vpn-client2/VPN-CLIENT.zip
  • File Hashes (SHA256):
    • 57a50a1c04254df3db638e75a64d5dd3b0d6a460829192277e252dc0c157a62f
    • 862f004679d3b142d9d2c729e78df716aeeda0c7a87a11324742a5a8eda9b557
    • 6c9ab17a4aff2cdf408815ec120718f19f1a31c13fc5889167065d448a40dfe6
    • 6129d717e4e3a6fb4681463e421a5603b640bc6173fb7ba45a41a881c79415ca
    • 44906752f500b61d436411a121cab8d88edf614e1140a2d01474bd587a8d7ba8
    • 85c4837e3337165d24c6690ca63a3274dfaaa03b2ddaca7f1d18b3b169c6aac1
    • 98f21b8fa426fc79aa82e28669faac9a9c7fce9b49d75bbec7b60167e21963c9
    • cfa4781ebfa5a8d68b233efb723dbde434ca70b2f76ff28127ecf13753bfe011
    • 26db3fd959f12a61d19d102c1a0fb5ee7ae3661fa2b301135cdb686298989179
    • eb8b81277c80eeb3c094d0a168533b07366e759a8671af8bfbe12d8bc87650c9
    • 8ebe082a4b52ad737f7ed33ccc61024c9f020fd085c7985e9c90dc2008a15adc

Impact:

• Theft of VPN credentials.
• Unauthorized access to enterprise networks.
• Potential lateral movement and further compromise.

Recommendations:

• Block malicious domains and C2 infrastructure.
• Hunt for listed file hashes across endpoints.
• Use advanced EDR for detection.
• Search for files signed by Taiyuan Lihua Near Information Technology Co., Ltd.
• Inspect RunOnce registry entries for suspicious activity.
• Scan systems for malicious DLLs such as inspector.dll and dwmapi.dll.

Reference:
https://thehackernews.com/2026/03/storm-2561-spreads-trojan-vpn-clients.html

9. Unauthenticated Remote Code Execution in Windows Setup & Deployment

A critical vulnerability, tracked as CVE-2024-43533, affects Windows Setup, DISM, and WinRM components, allowing unauthenticated remote attackers to execute arbitrary code with SYSTEM privileges during automated deployment processes, potentially compromising systems before security controls are applied.

Details:

• CVE ID: CVE-2024-43533
• Vulnerability Type: Remote Code Execution (RCE) / Improper Input Validation
• Affected Components:
  • Windows Setup
  • Deployment Image Servicing and Management (DISM)
  • Windows Remote Management (WinRM)
• Attack Vector: Network-based (Remote)
• Exploitation targets automated installation and deployment phases.
• Attackers can intercept or spoof deployment traffic.
• Enables execution of arbitrary code with SYSTEM privileges.
• Allows compromise of systems before hardening or security tools are applied.

Affected Versions:

• Windows 11 versions 22H2, 23H2, and 24H2
• Windows Server 2025 (all builds prior to March 2024 update)
• Windows Server 2022 (Core and Desktop Experience)

Impact:

• Arbitrary code execution with highest privileges.
• Compromise of deployment pipelines and golden images.
• Establishment of persistence during OS installation.
• Lateral movement across network environments.

Recommendations:

• Apply the latest cumulative security updates immediately.
• Patch deployment images (WIM/VHDX) using offline servicing.
• Verify integrity of installation scripts and unattend.xml files.

Reference:
https://cybersecuritynews.com/windows-11-and-server-2025-automated-installation/

10. Iranian APT Activity Detection (Qasarrat Infrastructure & Related TTPs)

Multiple Iranian-linked APT groups, including MuddyWater and APT35, are leveraging advanced behavioral techniques such as encrypted beaconing, DNS tunneling, and lateral movement via SMB/DCE-RPC to maintain persistence, exfiltrate data, and compromise critical systems, with Qasarrat infrastructure playing a key role in command-and-control operations.

Details:

• Threat Context:
  • Use of dynamic endpoint connections and obfuscated remote execution.
  • Encrypted beaconing over web and DNS channels.
  • Deployment of stealthy backdoors and covert data exfiltration techniques.
• Attack Patterns:
  • Long-lived SMB and DCE/RPC connections for lateral movement.
  • Suspicious command-line executions using PowerShell, WMIC, and other LOLBins.
  • Regular HTTP/HTTPS beaconing patterns indicating C2 activity.
  • DNS tunneling with high-entropy or long subdomain queries.
  • Use of non-standard ports for evasion.
  • High entropy payload transmissions suggesting encrypted exfiltration.
• Indicators of Compromise:
  • Known Infrastructure IPs (APT35):
    • 154.12.20.218
    • 144.172.107.157
    • 149.28.52.61
    • 66.55.159.84
    • 172.235.235.80
  • Known Infrastructure IPs (APT34):
    • 103.61.224.102
    • 178.209.51.61
    • 185.76.78.177
  • Malicious Domains:
    • hecker12345-61516[.]portmap[.]host
    • software-garlic[.]gl[.]at[.]ply[.]gg
    • dohinukss[.]localto[.]net
    • suzrbgndb[.]localto[.]net
    • 49lwbineu[.]localto[.]net
    • idi-nahuy[.]net
    • utoigzdol[.]localto[.]net
    • cyqahoxnt[.]localto[.]net
    • xnd4x3ezm[.]localto[.]net
    • 5z6y8mkfe[.]localto[.]net
    • fqq121qq-33728[.]portmap[.]host
    • shabi9988-64207[.]portmap[.]host
    • shzkagxdv[.]localto[.]net
    • artemmakarov-30233[.]portmap[.]host
    • hssshsh-33054[.]portmap[.]host
    • 0p7wfcoia[.]localto[.]net
    • wq4x0gt8l[.]localto[.]net
    • cezamail[.]com[.]cezamail[.]com
    • cezamail[.]com[.]localto[.]net
    • buglwf041[.]lo
  • Qasarrat Infrastructure Domains:
    • luvxcide[.]duckdns[.]org
    • projectindia999[.]loseyourip[.]com
    • cia[.]anondns[.]net
    • skittlesforlife[.]anondns[.]net
    • bnli8khzo[.]localto[.]net
    • isof63umlw[.]loclx[.]io
    • docsc[.]ddns[.]net

Recommendations:

• Prioritize remediation of internet-facing and critical systems.
• Deploy advanced EDR for behavioral detection.
• Apply compensating controls where patching is not feasible.
• Segment high-value assets and restrict unnecessary communication.
• Monitor and block listed C2 infrastructure.

Reference:
https://www.uvcyber.com/resources/reports/threat-advisory-special-report-iranian-threat-actor-group-update
https://www.vectra.ai/blog/5-minute-hunt-six-queries-to-detect-iranian-apt-activity#hunting-for-qasarrat-infrastructure-activity

11. Magento PolyShell Flaw Enables Unauthenticated Uploads, RCE and Account Takeover

A critical vulnerability dubbed PolyShell affects Magento Open Source and Adobe Commerce, allowing unauthenticated attackers to upload arbitrary files via the REST API, potentially leading to remote code execution or account takeover depending on server configuration.

Details:

• Vulnerability Type:
  • Unrestricted File Upload
  • Remote Code Execution (RCE)
  • Stored XSS (leading to account takeover)
• Affected Component:
  • Magento REST API (custom options file upload handling)
• The flaw allows embedding base64-encoded file data within a file_info object.
• Uploaded files are written to pub/media/custom_options/quote/.
• Attackers can disguise malicious payloads as image files.
• Exploitation may result in PHP execution or stored XSS depending on server configuration.
• No confirmed exploitation in the wild at the time of reporting.
• Related large-scale defacement campaign impacted ~15,000 hostnames across 7,500 domains.

Affected Versions:

• Magento Open Source and Adobe Commerce versions up to 2.4.9-alpha2

Fixed Version:

• Addressed in Magento 2.4.9 pre-release (APSB25-94)
• No isolated patch for current production versions

Impact:

• Remote code execution on affected servers.
• Account takeover via stored XSS.
• Potential compromise of e-commerce platforms and customer data.

Recommendations:

• Restrict access to pub/media/custom_options/ directory.
• Ensure web server rules block execution and access to upload directories.
• Scan for web shells and backdoors.
• Deploy a Web Application Firewall (WAF).
• Review server configurations for secure file handling.

Reference:
https://thehackernews.com/2026/03/magento-polyshell-flaw-enables.html

12. Apple Warns Older iPhones Vulnerable to Coruna and DarkSword Exploit Kit Attacks

Apple has warned that older iPhones running outdated iOS versions are vulnerable to large-scale attacks using exploit kits such as Coruna and DarkSword, which leverage malicious web content to compromise devices and steal sensitive data.

Details:

• Vulnerability Type:
  • Exploitation of known iOS vulnerabilities via web-based attack chains
• Attack Method:
  • Malicious links or compromised websites (watering hole attacks)
• Exploit Kits:
  • Coruna
  • DarkSword
• Targets outdated iOS versions lacking recent security patches.
• Attack chain results in data theft from compromised devices.
• Exploits are increasingly commoditized and used by multiple threat actors.
• Evidence suggests transition from targeted espionage to mass exploitation.

Affected Versions:

• Older iOS versions not updated to supported secure releases

Fixed Version:

• iOS 15.8.7
• iPadOS 15.8.7
• iOS 16.7.15
• iPadOS 16.7.15
• iOS versions 15 through 26 include protections against these exploits

Impact:

• Theft of sensitive data from mobile devices.
• Increased risk of widespread mobile compromise.
• Exposure to mass exploitation campaigns.

Recommendations:

• Update devices to the latest supported iOS or iPadOS versions.
• Enable automatic updates.
• Use Lockdown Mode where updates are not possible.
• Avoid clicking suspicious links or visiting untrusted websites.

Reference:
https://thehackernews.com/2026/03/apple-warns-older-iphones-vulnerable-to.html

13. Speagle Malware Hijacks Cobra DocGuard to Steal Data via Compromised Servers

A newly identified malware named Speagle abuses the legitimate Cobra DocGuard platform to stealthily exfiltrate sensitive data by leveraging compromised servers, masking malicious activity as legitimate communications and indicating potential targeted espionage operations.

Details:

• Malware Name: Speagle
• Targeted Software: Cobra DocGuard (EsafeNet)
• Campaign Name: Runningcrab
• Uses legitimate Cobra DocGuard infrastructure for command-and-control and data exfiltration.
• Operates only on systems where Cobra DocGuard is installed, indicating targeted attacks.
• Collects system information, browser history, and autofill data.
• Transmits stolen data in phases to compromised servers.
• Utilizes Cobra DocGuard driver to delete itself post-execution.
• One variant searches for sensitive files related to Chinese ballistic missile programs (e.g., Dongfeng-27).
• Suspected delivery via supply chain attack vectors.

Impact:

• Covert data exfiltration.
• Targeted espionage and intelligence collection.
• Potential compromise of sensitive enterprise or government systems.

Recommendations:

• Monitor Cobra DocGuard environments for anomalous activity.
• Inspect systems for unauthorized data exfiltration patterns.
• Apply strict integrity checks on software updates and supply chain components.
• Deploy advanced threat detection tools for behavioral analysis.

Reference:
https://thehackernews.com/2026/03/speagle-malware-hijacks-cobra-docguard.html

14. Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data

A newly discovered Android malware family named Perseus is actively targeting users through phishing-distributed dropper apps, enabling full device takeover and financial fraud while uniquely monitoring note-taking applications to extract high-value sensitive information.

Details:

• Malware Name: Perseus
• Malware Type: Android Banking Malware / Device Takeover (DTO)
• Based on Cerberus and Phoenix malware families.
• Distributed via phishing sites masquerading as IPTV applications.
• Uses Accessibility services for remote control and interaction.
• Capabilities include:
  • Overlay attacks and credential theft.
  • Keylogging and real-time interaction.
  • Remote command execution via C2 panel.
  • Monitoring and extracting data from note-taking apps (e.g., Google Keep, Evernote, OneNote).
• Supports commands such as:
  • start_vnc, stop_vnc
  • start_hvnc, stop_hvnc
  • scan_notes
  • install_from_unknown
• Employs anti-analysis techniques:
  • Detects debuggers and tools like Frida and Xposed.
  • Validates device authenticity via SIM, battery, and app count checks.
• Targets multiple regions including Turkey, Italy, UAE, and Europe.

Impact:

• Theft of financial credentials and sensitive personal data.
• Full device takeover and fraudulent transaction execution.
• Expanded attack surface via note-taking applications.

Recommendations:

• Avoid sideloading applications from untrusted sources.
• Install apps only from official app stores.
• Enable Google Play Protect and mobile security solutions.
• Monitor devices for suspicious behavior and unauthorized app activity.
• Educate users on phishing risks.

Reference:
https://thehackernews.com/2026/03/new-perseus-android-banking-malware.html

15. CISA Warns of Zimbra, SharePoint Flaw Exploits and Cisco Zero-Day in Ransomware Attacks

CISA has warned of active exploitation of vulnerabilities in Zimbra Collaboration Suite and Microsoft SharePoint, alongside a critical Cisco zero-day flaw leveraged in ransomware attacks, highlighting increasing attacker focus on edge systems and enterprise collaboration platforms.

Details:

• CVE IDs:
  • CVE-2025-66376 (Zimbra XSS, CVSS 7.2)
  • CVE-2026-20963 (SharePoint RCE, CVSS 8.8)
  • CVE-2026-20131 (Cisco Firewall Zero-Day, CVSS 10.0)
• Zimbra vulnerability:
  • Stored XSS in Classic UI via CSS @import in HTML emails.
  • Exploited in Operation GhostMail targeting Ukraine.
  • Enables credential and session token theft.
• SharePoint vulnerability:
  • Deserialization flaw enabling remote code execution.
• Cisco vulnerability:
  • Zero-day exploited by Interlock ransomware group.
  • Targets firewall management software for initial access.
• Additional Cisco SD-WAN vulnerabilities under active exploitation.
• Attack techniques include phishing, browser-based payloads, and infrastructure targeting.

Affected Versions:

• Zimbra Collaboration Suite versions prior to 10.0.18 and 10.1.13
• Microsoft SharePoint (patched January 2026)
• Cisco firewall and SD-WAN systems (various affected versions)

Fixed Version:

• Zimbra: 10.0.18 and 10.1.13
• SharePoint: January 2026 security updates
• Cisco: Latest patched versions (vendor updates required)

Impact:

• Credential theft and session hijacking.
• Remote code execution.
• Ransomware deployment and network compromise.
• Exploitation of edge infrastructure for initial access.

Recommendations:

• Apply patches immediately for all affected systems.
• Monitor email systems for malicious HTML content.
• Restrict and secure edge network devices.
• Implement network segmentation and logging.
• Conduct vulnerability scans and threat hunting.

Reference:
https://thehackernews.com/2026/03/cisa-warns-of-zimbra-sharepoint-flaw.html

16. Interlock Ransomware Exploits Cisco FMC Zero-Day CVE-2026-20131 for Root Access

A critical zero-day vulnerability, CVE-2026-20131, in Cisco Secure Firewall Management Center (FMC) is actively exploited by the Interlock ransomware group to achieve unauthenticated remote code execution as root, enabling full system compromise and facilitating multi-stage ransomware attacks.

Details:

• CVE ID: CVE-2026-20131
• Severity: Critical
• CVSS Score: 10.0
• Vulnerability Type: Insecure Deserialization
• Affected Component: Cisco Secure Firewall Management Center (FMC)
• Allows unauthenticated attackers to execute arbitrary Java code as root.
• Exploited as a zero-day since January 26, 2026.
• Attack chain involves crafted HTTP requests triggering code execution.
• Post-exploitation includes:
  • Download of ELF binaries from remote servers.
  • Deployment of reconnaissance scripts and remote access trojans.
  • Use of reverse proxy infrastructure for obfuscation.
  • Log wiping and anti-forensics techniques.
• Tools used include PowerShell reconnaissance scripts, custom RATs, web shells, and ScreenConnect.

Impact:

• Full root-level system compromise.
• Ransomware deployment and persistence.
• Data exfiltration and lateral movement.
• Long-term unauthorized access.

Recommendations:

• Apply Cisco security patches immediately.
• Conduct thorough compromise assessments.
• Review ScreenConnect installations for unauthorized use.
• Implement defense-in-depth strategies.
• Monitor for suspicious HTTP requests and outbound connections.

Reference:
https://thehackernews.com/2026/03/interlock-ransomware-exploits-cisco-fmc.html

17. Multiple Critical IP KVM Vulnerabilities Enable Unauthenticated Root Access

Nine vulnerabilities across multiple IP KVM devices from different vendors allow attackers to gain unauthorized root access, execute arbitrary commands, and potentially take full control of connected systems at the hardware level, bypassing traditional operating system security controls.

Details:

• CVE IDs:
  • CVE-2026-32290
  • CVE-2026-32291
  • CVE-2026-32292
  • CVE-2026-32293
  • CVE-2026-32294
  • CVE-2026-32295
  • CVE-2026-32296
  • CVE-2026-32297
  • CVE-2026-32298
• Affected Products:
  • GL-iNet Comet RM-1
  • Angeet/Yeeso ES3 KVM
  • Sipeed NanoKVM
  • JetKVM
• Vulnerability Types:
  • Missing authentication for critical functions
  • Command injection
  • Insufficient firmware validation
  • Lack of brute-force protection
  • Exposed debug interfaces
• Some vulnerabilities allow unauthenticated root access and arbitrary code execution.
• Devices provide BIOS/UEFI-level control over connected systems.

Affected Versions:

• Multiple versions across affected vendors (prior to listed fixes)

Fixed Version:

• GL-iNet Comet: Partial fixes in version 1.8.1 BETA
• JetKVM: Fixed in version 0.5.4
• Sipeed NanoKVM: Fixed in version 2.3.1 / Pro 1.2.4
• Angeet ES3 KVM: No fix available for critical issues

Impact:

• Full system takeover at hardware level.
• Bypass of OS-level security controls.
• Persistent reinfection and stealthy access.
• Potential supply chain compromise.

Recommendations:

• Isolate KVM devices on dedicated management networks.
• Restrict internet exposure.
• Enable multi-factor authentication where supported.
• Monitor network traffic for anomalies.
• Keep firmware updated.
• Audit external exposure using tools like Shodan.

Reference:
https://thehackernews.com/2026/03/9-critical-ip-kvm-flaws-enable.html

18. LeakNet Ransomware Uses ClickFix via Hacked Sites and Deno In-Memory Loader

LeakNet ransomware has adopted ClickFix social engineering delivered through compromised websites to gain initial access, tricking users into manually executing malicious commands, and then using a Deno-based in-memory loader to fetch and run additional payloads, enabling lateral movement, data exfiltration, and ransomware deployment while reducing visible network and disk-based indicators.

Details:

• Threat Actor: LeakNet ransomware operation
• Initial Access Method:
  • ClickFix social engineering via compromised legitimate websites
  • Fake CAPTCHA prompts instruct users to run malicious msiexec.exe commands
• Malware Execution:
  • Uses a staged loader built on the Deno JavaScript runtime
  • Executes Base64-encoded JavaScript directly in memory
  • Fetches next-stage payloads from external servers
  • Enters a polling loop to retrieve and run additional code
• Post-Exploitation Activity:
  • DLL side-loading to launch malicious DLLs
  • Lateral movement using PsExec
  • Use of cmd.exe /c klist to enumerate active credentials
  • Data staging and exfiltration via S3 buckets
  • Final encryption phase for ransomware deployment
• Additional Observations:
  • A similar Deno-based loader was also seen in a Microsoft Teams phishing intrusion attempt
  • Technique reduces dependence on initial access brokers and lowers per-victim acquisition cost

Impact:

• Initial compromise through user-assisted execution
• In-memory malware execution with reduced forensic visibility
• Credential and environment discovery
• Lateral movement, data theft, and ransomware deployment

Recommendations:

• Train users to avoid running commands prompted by websites or fake CAPTCHA pages
• Monitor for suspicious use of msiexec.exe, Deno, PsExec, and klist
• Inspect compromised or high-risk websites for malicious prompt injection
• Detect DLL side-loading and unusual in-memory script execution
• Monitor cloud storage traffic for suspicious staging or exfiltration patterns
• Apply defense-in-depth controls to disrupt activity before encryption

Reference:
https://thehackernews.com/2026/03/leaknet-ransomware-uses-clickfix-via.html

19. ClickFix Campaigns Spread MacSync macOS Infostealer via Fake AI Tool Installers

Multiple ClickFix campaigns are distributing a macOS infostealer named MacSync by tricking users into executing malicious Terminal commands via fake AI tool installers and sponsored search results, leveraging user interaction rather than exploits to bypass traditional security defenses.

Details:

• Malware Name: MacSync
• Delivery Method:
  • ClickFix social engineering via fake AI tool installers
  • Malvertising campaigns using sponsored search results
• Campaign Variants:
  • Fake ChatGPT Atlas browser downloads via Google Sites
  • Malicious links embedded in ChatGPT conversations
  • Targeted campaigns using dynamic AppleScript payloads
• Infection Chain:
  • Users instructed to run Terminal commands
  • Shell script downloads AppleScript payload
  • Prompts for system password
  • Executes malware with user-level permissions
• Capabilities:
  • Credential theft
  • File exfiltration
  • Keychain database extraction
  • Cryptocurrency wallet seed phrase theft
• Evasion Techniques:
  • In-memory execution
  • Dynamic payload delivery
  • Removal of forensic artifacts
• Targets:
  • macOS users globally, including regions such as India, Belgium, and the U.S.
  • Developers and users of AI tools

Impact:

• Theft of sensitive credentials and financial data.
• Compromise of developer environments and crypto assets.
• Increased success rate due to trusted AI-themed lures.

Recommendations:

• Avoid executing unknown Terminal commands from websites.
• Verify authenticity of software sources before installation.
• Use endpoint protection solutions on macOS systems.
• Monitor for unusual script execution and credential access.
• Educate users on ClickFix and malvertising tactics.

Reference:
https://thehackernews.com/2026/03/clickfix-campaigns-spread-macsync-macos.html

20. OpenClaw AI Agent Vulnerabilities Enable Prompt Injection and Data Exfiltration

Security weaknesses in the OpenClaw AI agent platform expose systems to prompt injection attacks and data exfiltration risks, allowing attackers to manipulate the agent into leaking sensitive information or executing unintended actions through indirect interaction with malicious content.

Details:

• Affected Platform: OpenClaw (formerly Clawdbot, Moltbot)
• Vulnerability Type:
  • Prompt Injection
  • Indirect Prompt Injection (IDPI) / Cross-domain Prompt Injection (XPIA)
• Root Cause:
  • Weak default security configurations
  • High-privilege access for autonomous task execution
• Attack Techniques:
  • Malicious instructions embedded in web content
  • Exploitation of AI features like summarization and link previews
  • Data exfiltration via crafted URLs in messaging platforms
• Additional Risks:
  • Execution of malicious skills from repositories
  • Unauthorized command execution
  • Accidental deletion of critical data
• Exploitation Scenario:
  • AI agent processes malicious content
  • Generates attacker-controlled output containing sensitive data
  • Data exfiltration occurs without user interaction

Impact:

• Leakage of sensitive enterprise data.
• Unauthorized execution of commands.
• Potential compromise of critical systems and business operations.

Recommendations:

• Restrict network exposure of OpenClaw services.
• Isolate deployments using containers.
• Avoid storing sensitive credentials in plaintext.
• Install skills only from trusted sources.
• Disable automatic skill updates.
• Keep the platform updated with latest security fixes.

Reference:
https://thehackernews.com/2026/03/openclaw-ai-agent-flaws-could-enable.html

21. GlassWorm Supply-Chain Attack Abuses Open VSX Extensions to Target Developers

An evolved version of the GlassWorm campaign is leveraging supply chain techniques within the Open VSX registry by abusing extension dependencies and extension packs to distribute malicious payloads through seemingly benign developer extensions, targeting sensitive data and cryptocurrency assets.

Details:

• Campaign Name: GlassWorm
• Target Platform: Open VSX registry (VS Code-compatible extensions)
• At least 72 malicious extensions identified and removed.
• Attack Technique:
  • Abuse of extensionPack and extensionDependencies
  • Benign extensions later updated to pull malicious dependencies
  • Transitive installation of malicious extensions without user awareness
• Malware Capabilities:
  • Theft of tokens, credentials, and secrets
  • Cryptocurrency wallet compromise
  • Use of infected systems as proxy infrastructure
• Evasion Techniques:
  • Heavy code obfuscation
  • Use of invisible Unicode characters to hide payloads
  • Locale checks to avoid Russian systems
  • Use of Solana blockchain transactions as dead-drop resolvers for C2
  • Rotation of wallets to evade detection
• Additional Findings:
  • 151 GitHub repositories compromised with hidden payloads
  • Malicious npm packages leveraging similar techniques
  • Use of Remote Dynamic Dependencies (RDD) to dynamically alter payloads
  • Evidence suggests use of LLMs to generate realistic commit activity

Impact:

• Compromise of developer environments.
• Theft of sensitive credentials and CI/CD tokens.
• Supply chain compromise across software ecosystems.
• Potential lateral spread through trusted development tools.

Recommendations:

• Audit and verify all installed extensions and dependencies.
• Avoid installing extensions from untrusted publishers.
• Monitor for unusual extension updates or dependency changes.
• Implement code integrity and supply chain security controls.
• Scan repositories and npm dependencies for hidden or obfuscated code.
• Restrict use of dynamic or remote dependency loading mechanisms.

Reference:
https://thehackernews.com/2026/03/glassworm-supply-chain-attack-abuses-72.html