2025 IT Sector Cyber Threat Report Highlights Evolving Threat Landscape
The IT ISAC report outlines key cyber threat trends targeting the IT sector, emphasizing the role of collaborative intelligence sharing in identifying and mitigating attacks. The report provides insight into threat actors, techniques, and defensive strategies aimed at strengthening resilience across critical infrastructure ecosystems.
Source: IT-ISAC

Fake npm Install Logs Used to Deliver Remote Access Trojans
A campaign linked to North Korea targets developers through fake job interviews and coding tests, distributing malicious npm packages that deploy remote access trojans. The attack leverages social engineering to compromise developer environments and gain persistent access.
Source: ReversingLabs

GhostClaw Campaign Expands to GitHub and AI Workflows
The GhostClaw malware campaign has expanded beyond npm packages to include GitHub repositories and AI based workflows, delivering macOS infostealers. Researchers identified new infection vectors and infrastructure, showing increased sophistication in targeting developers.
Source: Jamf

Tycoon2FA Phishing Platform Quickly Recovers After Law Enforcement Disruption
The Tycoon2FA phishing as a service platform has resumed operations shortly after a coordinated law enforcement takedown. Despite domain seizures and disruption efforts, the service returned to normal activity levels within days, highlighting the resilience of cybercrime infrastructure.
Source: BleepingComputer

Critical Cisco Firewall Vulnerability Actively Exploited in the Wild
A critical remote code execution vulnerability in Cisco Secure Firewall Management Center, tracked as CVE-2026-20131, is being actively exploited. The flaw allows unauthenticated attackers to execute arbitrary code and gain root privileges, prompting urgent remediation actions including inclusion in CISA’s KEV catalog.
Source: Zscaler ThreatLabz

Aura Discloses Data Breach Impacting 900,000 Records
Security firm Aura disclosed a data breach caused by a phone phishing attack targeting an employee, which allowed attackers to access the account for approximately one hour. The company responded by terminating access, activating its incident response plan, and engaging external experts and law enforcement.
Source: SecurityWeek

Apple Fixes WebKit Vulnerability Allowing Same Origin Policy Bypass
Apple released security updates addressing a WebKit vulnerability that could be exploited to bypass the same origin policy using specially crafted web content. The flaw affects iOS, iPadOS, and macOS and has been mitigated through improved input validation.
Source: The Hacker News

New ClickFix Scam Tricks Users Into Mapping Attacker Controlled Drives
A new ClickFix variant manipulates users into executing malicious commands through the Windows Run dialog. The attack uses fake CAPTCHA pages that instruct users to paste and run commands already copied to their clipboard, effectively granting attackers access without traditional malware.
Source: Hackread

Critical ScreenConnect Flaw Exposes Server Level Cryptographic Keys
A vulnerability tracked as CVE-2026-3564 could allow attackers to access sensitive cryptographic material on the server due to improper handling of secrets in older versions. This could lead to unauthorized control over affected systems.
Source: SecurityOnline

KVM Devices Highlighted as Overlooked Security Risk
Research shows that compromising KVM devices can give attackers full control over connected systems at a level below the operating system. This allows bypassing security controls such as EDR, disk encryption, and Secure Boot.
Source: Eclypsium

NCI Warns of Increased Threats to Critical Infrastructure Amid Middle East Conflict
A joint advisory from NCI highlights that the ongoing conflict in the Middle East raises risks for critical infrastructure globally. Organizations may face increased cyberattacks from Iranian state actors, hacktivists, and aligned cybercriminal groups. There is also a risk of physical attacks targeting public spaces and critical infrastructure. Organizations are advised to increase preparedness and monitoring.
Source: NCI Advisory

Poisoned Typeface Shows How Fonts Can Compromise AI Systems
Researchers demonstrated how custom fonts and CSS can embed malicious instructions visible to users while AI systems process benign content. This technique enables prompt injection and could lead to data leakage or execution of malicious code, affecting all tested AI assistants.
Source: LayerX Security

Critical File Browser Flaw Grants Automatic Admin Privileges
A vulnerability tracked as CVE-2026-32760 with a CVSS score of 10 allows any newly registered user to gain full administrative privileges due to a logic flaw in the registration process. This could result in complete system takeover without technical complexity.
Source: SecurityOnline

LeakNet Ransomware Uses ClickFix and Deno for Stealthy Attacks
The LeakNet ransomware group uses the ClickFix technique for initial access and leverages the Deno runtime to execute malicious payloads directly in memory. This reduces forensic traces on disk and makes detection more difficult.
Source: BleepingComputer

Authlib Flaws Enable Token Forgery and Authentication Bypass
Three critical vulnerabilities in the widely used Authlib library could allow attackers to bypass authentication, forge JWT tokens, and decrypt sensitive data. Given the library’s extensive use, the impact on global web infrastructure could be significant.
Source: SecurityOnline

Google Fixes Two Chrome Zero Days Exploited in the Wild
Google released security updates addressing two Chrome zero day vulnerabilities that were actively exploited in the wild. The flaws affect the Skia and V8 components of the browser. Both vulnerabilities were discovered and reported internally by Google on March 10, 2026, and technical details about their exploitation have not been disclosed to prevent further abuse by threat actors.
Source: The Hacker News

Storm 2561 Uses SEO Poisoning to Distribute Fake VPN Clients for Credential Theft
Microsoft identified a credential theft campaign distributing fake VPN clients through SEO poisoning. Users searching for legitimate enterprise software are redirected to malicious ZIP files hosted on attacker controlled websites, which deploy digitally signed trojans masquerading as trusted VPN clients while harvesting VPN credentials. Microsoft attributes the activity to the cybercriminal actor Storm 2561, active since May 2025.
Source: Microsoft Security Blog

400,000 WordPress Sites Impacted by SQL Injection in Ally Plugin
A SQL injection vulnerability affecting the Ally WordPress plugin, installed on more than 400,000 sites, could allow attackers to extract sensitive data from databases including password hashes. The vulnerability was reported through the Wordfence Bug Bounty Program only five days after the flaw was introduced into the code.
Source: Wordfence

Veeam Warns of Critical Flaws Exposing Backup Servers to RCE Attacks
Veeam released patches for multiple vulnerabilities in its Backup and Replication solution, including four critical remote code execution flaws. Three of the vulnerabilities allow low privileged domain users to execute remote code on vulnerable backup servers, creating a serious risk to systems responsible for protecting critical organizational data.
Source: BleepingComputer

Glassworm Returns With Invisible Unicode Attacks on GitHub and npm
Researchers observed a renewed wave of activity from the threat actor Glassworm, using hidden Unicode characters to compromise GitHub repositories, npm packages, and the VS Code ecosystem. The technique allows malicious code to remain visually hidden during code review while still executing in affected environments. Several notable repositories were reported as impacted.
Source: Aikido Security

Critical n8n Vulnerabilities Could Allow Server Takeover
Two critical vulnerabilities in the open source workflow automation platform n8n could have enabled unauthenticated remote code execution and sandbox escape, potentially exposing all credentials stored in the n8n database. The first flaw, tracked as CVE-2026-27493 with a CVSS score of 9.5, is a second order expression injection issue affecting Form nodes. Successful exploitation could allow an attacker to inject arbitrary commands and retrieve command output from the server.
Source: SecurityWeek

Iranian MOIS Actors Increasingly Linked With Cybercrime Ecosystem
Researchers report that Iranian state linked actors associated with the Ministry of Intelligence and Security are increasingly interacting with the cybercrime ecosystem rather than merely impersonating criminal groups. Instead of only using ransomware branding as cover, some operations appear to rely on criminal malware, infrastructure, and affiliate style models. This shift may expand operational reach while complicating attribution.
Source: Check Point Research

Iran Conflict Drives Increased Espionage Activity in the Middle East
Following U.S. and Israeli strikes on Iran on February 28, 2026, cybersecurity researchers observed heightened cyber activity linked to Iranian aligned actors. Despite temporary internet disruptions inside Iran, espionage groups such as TA453 continued credential phishing campaigns targeting organizations including a U.S. think tank. The activity indicates ongoing intelligence collection operations during the regional conflict.
Source: Proofpoint

Compromised WordPress Sites Used to Deliver Global Credential Stealing Malware
Rapid7 researchers identified a widespread campaign where legitimate WordPress websites were compromised and used to deliver malware through a fake Cloudflare human verification prompt. The campaign deploys a multi stage infection chain designed to steal credentials and cryptocurrency wallet data from Windows systems, which can later be used for financial fraud or targeted attacks.
Source: Rapid7

Pacific Cybersecurity Agencies Warn of Rising INC Ransom Attacks
Cybersecurity agencies from Australia, New Zealand, and Tonga warned about increasing ransomware activity linked to the INC Ransom group. The advisory highlights the group’s distributed affiliate model, allowing multiple operators to launch attacks using shared tools and infrastructure, making it a growing threat to organizations across the Pacific region.
Source: Cyble

Malicious Packagist Packages Disguised as Laravel Utilities Deploy Encrypted RAT
Researchers identified a remote access trojan distributed through multiple malicious Packagist packages posing as Laravel utilities. Packages such as nhattuanbl/lara-helper and nhattuanbl/simple-queue contain identical malicious payloads, while another package automatically installs the RAT through a dependency chain. The campaign demonstrates how supply chain attacks can target PHP developer ecosystems through trusted package repositories.
Source: Socket

Silver Dragon APT Targets Organizations in Southeast Asia and Europe
Check Point researchers are tracking the APT group Silver Dragon, believed to operate under the broader Chinese nexus APT41 umbrella. The group targets organizations in Europe and Southeast Asia using exploitation of internet facing servers and phishing emails with malicious attachments. To maintain persistence, attackers hijack legitimate Windows services so malware activity blends into normal system processes.
Source: Check Point Research

Critical FreeScout Vulnerability Allows Full Server Compromise
A critical vulnerability in the open source help desk platform FreeScout tracked as CVE-2026-28289 enables zero click remote code execution. The flaw bypasses a previously patched vulnerability and allows attackers to manipulate file processing through a malicious .htaccess upload, ultimately enabling full server compromise.
Source: SecurityWeek

VMware Aria Operations Vulnerability Exploited in the Wild
CISA warned that CVE-2026-22719, a high severity command injection vulnerability in VMware Aria Operations, is being actively exploited. The flaw allows unauthenticated attackers to execute arbitrary commands during support assisted product migration processes, potentially leading to remote code execution on affected systems.
Source: SecurityWeek

Critical RCE Flaw in Qwik Framework Enables Server Takeover
A critical vulnerability tracked as CVE-2026-27971 in the Qwik web framework allows attackers to take over servers with a single crafted request. The flaw resides in the framework’s server side communication layer and poses a significant risk to applications built on the platform due to the potential for remote code execution.
Source: SecurityOnline

OAuth Redirection Abuse Enables Phishing and Malware Delivery
Microsoft observed phishing campaigns abusing OAuth’s by design redirection mechanisms to target government and public sector organizations. Attackers leveraged silent OAuth authentication flows and intentionally invalid scopes to redirect victims to attacker controlled infrastructure without stealing tokens. Microsoft Defender detected malicious activity across email, identity, and endpoint signals, and Microsoft Entra disabled the identified OAuth applications. Related OAuth abuse activity remains ongoing and requires continued monitoring.
Source: Microsoft Security Blog

Web Based Indirect Prompt Injection Observed Targeting AI Agents
Researchers documented real world cases of indirect prompt injection where attackers embed hidden instructions into website content later processed by large language models and AI agents. Instead of directly interacting with the model, adversaries exploit features such as webpage summarization and automated content analysis, causing the AI system to unknowingly execute malicious prompts. The potential impact scales with the sensitivity and privileges of the affected AI environment.
Source: Unit 42

Amazon Confirms Drone Strikes Damaged AWS Data Centers in Middle East
Amazon confirmed that three AWS data centers in the United Arab Emirates and one in Bahrain were damaged by drone strikes, resulting in a significant outage impacting multiple cloud services. The disruption affected the AWS Middle East UAE region ME CENTRAL 1 and the AWS Middle East Bahrain region ME SOUTH 1, with services still experiencing impact following the incident.
Source: BleepingComputer

SloppyLemming Targets Pakistan and Bangladesh Governments Using Dual Malware Chains
The threat cluster SloppyLemming has been linked to attacks against government entities and critical infrastructure operators in Pakistan and Bangladesh. The campaign used two separate infection chains to deploy the BurrowShell malware and a Rust based keylogger. Researchers noted that the use of Rust represents an evolution in the actor’s tooling compared to earlier campaigns relying on more traditional frameworks.
Source: The Hacker News

Google Confirms Exploitation of Qualcomm Android Component Vulnerability
Google disclosed that CVE 2026 21385, a high severity vulnerability affecting an open source Qualcomm component used in Android devices, has been exploited in the wild. The flaw involves a buffer over read in the graphics component and is described as memory corruption linked to an integer overflow. The issue was reported in December 2025 and customers were notified in early February 2026.
Source: The Hacker News

Chrome Gemini Panel Vulnerability Allowed Extension Hijacking
Researchers disclosed CVE-2026-0628, a high severity vulnerability in Google Chrome’s Gemini Live feature that could allow malicious browser extensions with basic permissions to hijack the Gemini panel and access local files. The flaw could have enabled privilege escalation by tapping into the browser environment. Google was notified responsibly and released a fix in early January before public disclosure.
Source: Unit 42

APT28 Linked to MSHTML Zero Day Exploited Before Patch Tuesday
The Russia linked threat actor APT28 is believed to have exploited CVE-2026-21513, a high severity MSHTML security feature bypass vulnerability with a CVSS score of 8.8, before it was patched in Microsoft’s February 2026 Patch Tuesday release. The flaw allowed attackers to bypass security protections over a network and may have been used in targeted operations.
Source: SecurityWeek

StegaBin Campaign Uses Malicious npm Packages and Pastebin Steganography
Researchers identified 26 malicious npm packages deploying a multi stage credential harvesting operation targeting developers. The campaign, dubbed StegaBin, hides command and control infrastructure within Pastebin content using character level steganography. The infection chain ultimately installs a remote access trojan and a nine module infostealer toolkit targeting developer assets including SSH keys, git repositories, browser credentials, and locally stored secrets.
Source: Socket

Thousands of Google Cloud API Keys Exposed with Gemini Access
Research revealed nearly 3,000 publicly exposed Google Cloud API keys embedded in client side code. Although typically used as billing project identifiers, these keys could be abused to authenticate to sensitive Gemini endpoints and access private data once APIs were enabled, highlighting risks tied to key exposure in web applications.
Source: The Hacker News

ClawJacked Flaw Enabled Hijacking of Local OpenClaw AI Agents
A high severity vulnerability in OpenClaw allowed malicious websites to connect to locally running AI agents via a WebSocket gateway bound to localhost. Under specific conditions involving social engineering, attackers could gain control of the agent without plugins or additional extensions. The issue has since been fixed by the vendor.
Source: The Hacker News

Cisco Patches Catalyst SD WAN Zero Day Exploited by Highly Sophisticated Hackers
Cisco released emergency patches for a critical Catalyst SD WAN zero day vulnerability tracked as CVE-2026-20127 with a CVSS score of 10. The flaw can be remotely exploited to bypass authentication and gain administrative privileges on vulnerable devices. It affects the peering authentication mechanism of Catalyst SD WAN Controller and Catalyst SD WAN Manager, allowing unauthenticated remote attackers to send crafted requests.
Source: SecurityWeek

Microsoft Warns Developers of Fake Next.js Job Repositories Delivering In Memory Malware
A coordinated developer targeting campaign is using malicious repositories disguised as legitimate Next.js projects and technical assessments to trick victims into executing them and establishing persistent access. The activity aligns with broader job themed lures designed to blend into routine developer workflows and increase the likelihood of code execution.
Source: The Hacker News

New Dohdoor Malware Campaign Targets Education and Health Care
Cisco Talos identified an ongoing campaign delivering a previously undisclosed backdoor named Dohdoor. The malware uses DNS over HTTPS for command and control communications and can reflectively download and execute additional payloads. The campaign targeted organizations in the education and health care sectors in the United States through a multi stage attack chain.
Source: Cisco Talos

UnsolicitedBooker Targets Central Asian Telecoms with LuciDoor and MarsSnake Backdoors
The threat cluster known as UnsolicitedBooker has been observed targeting telecommunications companies in Kyrgyzstan and Tajikistan. The campaign involves deployment of two backdoors named LuciDoor and MarsSnake. Researchers report the use of several unique tools of Chinese origin.
Source: The Hacker News

Malicious NuGet Package Targets Stripe
Researchers discovered a malicious NuGet package mimicking Stripe.net, a widely used package with more than 70 million downloads. The campaign follows earlier activity targeting cryptocurrency related developer ecosystems and highlights continued supply chain risks within package repositories.
Source: ReversingLabs

Telegram Channels Expose Rapid Weaponization of SmarterMail Flaws
Security researchers observed threat actors rapidly sharing proof-of-concept exploits and stolen administrator credentials related to CVE-2026-24423 and CVE-2026-23760 within underground Telegram channels and forums. The critical flaws enable remote code execution and authentication bypass on exposed SmarterMail servers, and weaponization occurred within days of public disclosure.
Source: BleepingComputer

AI in the Middle: Web-Based AI Services Used as C2 Proxies
Threat actors are increasingly leveraging legitimate AI service domains as command and control proxies, blending malicious traffic into normal enterprise activity. AI tools are also being used to generate phishing content, write scripts, analyze stolen data, and even develop full C2 frameworks, significantly reducing operational cost and time-to-scale for attackers.
Source: Check Point Research

Firebase Misconfiguration Exposed 300 Million AI App Messages
An exposed Firebase database leaked approximately 300 million messages belonging to more than 25 million users of the Chat & Ask AI application. As the app acts as a gateway to multiple major AI models, the configuration error had a broad privacy impact across its global user base.
Source: Hackread

CISA Warns of Critical Honeywell CCTV Authentication Bypass
CISA issued an alert regarding CVE-2026-1670, a critical vulnerability affecting multiple Honeywell CCTV products. The flaw allows unauthenticated attackers to change password recovery email addresses, enabling account takeover and unauthorized access to camera feeds. The vulnerability carries a CVSS score of 9.8.
Source: BleepingComputer

GrayCharlie Hijacks Law Firm Websites in Suspected Supply Chain Attack
The threat actor GrayCharlie compromised WordPress websites and injected malicious JavaScript that redirected visitors to NetSupport RAT payloads delivered through fake browser update pages. A cluster of compromised U.S. law firm websites suggests a potential supply chain compromise involving a shared IT provider.
Source: Recorded Future