BLOG: March 2026
| DATE | NAME | Info | CATEG. | WEB |
|---|---|---|---|---|
| 28.3.26 | NICKEL ALLEY strategy: Fake it ‘til you make it | Counter Threat Unit™ (CTU) researchers continue to investigate trends in Contagious Interview campaign activity conducted by NICKEL ALLEY, a threat group operating on behalf of the North Korean government. | Cyber blog | SOPHOS |
| 28.3.26 | The global CISO landscape: A leadership gap too large to ignore | The 2026 CISO Report, published by Cybersecurity Ventures in partnership with Sophos, highlights a critical imbalance in global cybersecurity leadership. | Cyber blog | SOPHOS |
| 28.3.26 | | Every year, the cyber threat landscape forces defenders to adapt to evolving adversary tactics, techniques, and procedures (TTPs). In 2025, Mandiant observed a clear divergence in adversary pacing that closely aligns with the trends we have been documenting for defenders over the past year. | Cyber blog | GTI |
| 28.3.26 | China’s APT41 and the Expanding Enterprise Attack Surface: What Security Teams Must Prepare For | APT41’s hybrid model exposes gaps in enterprise security, targeting cloud, supply chains, and OT with advanced tactics and persistent access. | APT blog | Cyble |
| 28.3.26 | The Energy Sector’s Ransomware Nightmare: Why Critical Infrastructure Can’t Catch a Break | The energy sector's ransomware nightmare continued in 2025, but here are lessons to learn for critical infrastructure protection in 2026. | Ransom blog | Cyble |
| 28.3.26 | The Agentic AI Attack Surface: Prompt Injection, Memory Poisoning, and How to Defend Against Them | Prompt injection attacks are reshaping agentic AI risk. Discover how they exploit reasoning layers and how to defend against evolving AI threats. | AI blog | Cyble |
| 28.3.26 | India’s Evolving Cyber Threat Landscape: State-Sponsored Attacks, Hacktivism, and What’s Next in 2026 | India cyber threat landscape 2026 highlights state sponsored cyber attacks India, growing hacktivism, and shifting cyber risks. | BigBrother blog | Cyble |
| 28.3.26 | When tax season becomes cyberattack season: Phishing and malware campaigns using tax-related lures | During tax season, threat actors reliably take advantage of the urgency and familiarity of time-sensitive emails, including refund notices, payroll forms, filing reminders, and requests from tax professionals, to push malicious attachments, links, or QR codes. | Phishing blog | Microsoft blog |
| 28.3.26 | Pawn Storm Campaign Deploys PRISMEX, Targets Government and Critical Infrastructure Entities | This blog discusses the steganography, cloud abuse, and email-based backdoors used against the Ukrainian defense supply chain in the latest Pawn Storm campaign that TrendAI™ Research observed and analyzed. | Malware blog | Trend Micro |
| 28.3.26 | Your AI Stack Just Handed Over Your Root Keys: Inside the litellm PyPI Breach | Litellm PyPI breach explained: malicious versions steal cloud credentials, SSH keys, and Kubernetes secrets. Learn impact and urgent mitigation steps. | AI blog | Trend Micro |
| 28.3.26 | Copyright Lures Mask a Multi‑Stage PureLog Stealer Attack on Key Industries | We look into a stealthy multi‑stage attack campaign that delivers PureLog Stealer entirely in memory using encrypted, fileless techniques. | Hacking blog | Trend Micro |
| 28.3.26 | Juniper JunOS Evolved Pre-authenticated Remote Code Execution (CVE-2026-21902) | The SonicWall Capture Labs threat research team became aware of a severe unauthenticated Incorrect Permission Assignment for Critical Resource vulnerability in Juniper Networks Junos OS Evolved (PTX Series), assessed its impact, and developed mitigation measures. | Vulnerability blog | SonicWall |
| 28.3.26 | Three Decades for a 3-Line Fix: The Critical telnetd Bug Hiding in Plain Sight (CVE-2026-32746) | The SonicWall Capture Labs threat research team became aware of an out-of-bounds write vulnerability in the Telnet server shipped with GNU Inetutils, assessed its impact and developed mitigation measures. Telnetd hardly needs an introduction. It is one of the oldest and most widely distributed network utilities on Linux systems. | Vulnerability blog | SonicWall |
| 28.3.26 | Google Authenticator: The Hidden Mechanisms of Passwordless Authentication | Passwordless authentication is often presented as the end of account takeover. But to understand the real threat landscape, we need to examine how passwordless is actually deployed in the real world. Attackers do not break protocols in theory. | Vulnerability blog | Palo Alto |
| 28.3.26 | TP-Link, Canva, HikVision vulnerabilities | Cisco Talos’ Vulnerability Discovery & Research team recently disclosed a vulnerability in HikVision, as well as 10 in TP-Link, and 19 in Canva. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-p | Vulnerability blog | CISCO TALOS |
| 28.3.26 | Talos Takes: 2025 insights from Talos and Splunk | This episode of Talos Takes breaks down the 2025 Year in Review as well as Splunk's Top 50 Cybersecurity Threats report. | Cyber blog | CISCO TALOS |
| 28.3.26 | Beers with Talos breaks down the 2025 Talos Year in Review | The Beers with Talos team unpack the biggest cybersecurity threats of 2025, from React2Shell to ransomware and identity abuse, and what it all means for defenders going forward. | Cyber blog | CISCO TALOS |
| 28.3.26 | RSAC 2026 wrap-up – Week in security with Tony Anscombe | This year, AI agents took center stage – as a defensive capability, but more pressingly as a risk many organizations haven't caught up with | AI blog | Eset |
| 28.3.26 | A cunning predator: How Silver Fox preys on Japanese firms this tax season | Silver Fox is back in Japan, spoofing tax and HR emails timed to the one season when no one thinks twice about opening them | Spam blog | Eset |
| 28.3.26 | Virtual machines, virtually everywhere – and with real security gaps | Cloud VMs offer unmatched speed, scale and flexibility – all of which could eventually count for little if they’re left to fend for themselves | Security blog | Eset |
| 28.3.26 | Cloud workload security: Mind the gaps | As IT infrastructure expands, visibility and control often lag behind – until an incident forces a reckoning | Cyber blog | Eset |
| 28.3.26 | The Ghost SPN Attack: Catching Stealthy Kerberoasting Before It's Too Late Using Trellix NDR | This study breaks down the 'Ghost SPN' vector, which uses delegated administrative permissions to create temporary exposure windows. | Attack blog | Trellix |
| 21.3.26 | Android devices ship with firmware-level malware | Keenadu malware gives an attacker control over a device but appears to be used primarily to facilitate ad fraud | Malware blog | SOPHOS |
| 21.3.26 | | Google Threat Intelligence Group (GTIG) has identified a new iOS full-chain exploit that leveraged multiple zero-day vulnerabilities to fully compromise devices. Based on toolmarks in recovered payloads, we believe the exploit chain to be called DarkSword. | OS Blog | GTI |
| 21.3.26 | | Since 2018, when many financially motivated threat actors began shifting their monetization strategy to post-compromise ransomware deployments, ransomware has become one of the most pervasive threats to organizations across almost every industry vertical and region. | Ransom blog | GTI |
| 21.3.26 | Your KVM is the Weak Link: How $30 Devices Can Own Your Entire Network | 9 vulnerabilities across 4 vendors turn low-cost IP-KVMs into attack platforms | Vulnerability blog | Eclypsium |
| 21.3.26 | New Malware Highlights Increased Systematic Targeting of Network Infrastructure | New Malware Highlights Increased Systematic Targeting of Network Infrastructure | Malware blog | Eclypsium |
| 21.3.26 | Operation GhostMail: Russian APT exploits Zimbra Webmail to Target Ukraine State Agency | Contents Introduction Key Targets Industries Affected Geographical focus Geopolitical Context Infection Chain Timeline of Activity Initial Findings Looking into the Decoy Documents Technical Analysis Stage 1 – Malicious Archive Delivery Stage 2 – Malicious Shortcut Execution Stage 3 | Cyber blog | Seqrite |
| 21.3.26 | North Korea’s Crypto Theft Operations: The Role of Lazarus Group in State-Sponsored Financial Warfare | Lazarus Group cyberattack on Bitrefill highlights how North Korean hackers exploit crypto platforms via credentials and human error for theft. | Cryptocurrency blog | Cyble |
| 21.3.26 | The Week in Vulnerabilities: Juniper, Cisco SD-WAN, and Critical ICS Exposure | Critical Juniper, Cisco SD-WAN, and EV charging infrastructure vulnerabilities surfaced on underground forums, while ICS flaws impacted Energy and Transportation sectors. | Vulnerability blog | Cyble |
| 21.3.26 | Inside Russia’s Shift to Credential-Based Intrusions: What CISOs Need to Know in 2026 | Russia’s credential-based intrusions are rising, leading to more account takeover attacks and new risks for critical infrastructure in 2026. | APT blog | Cyble |
| 21.3.26 | Cyble and Optiv Partner to Bring Digital Risk Protection to Managed Security Operations | Cyble Optiv partnership brings digital risk protection into MSSP operations, enabling visibility into external threats across the open, deep, and dark web. | Cyber blog | Cyble |
| 21.3.26 | AI-Powered Cyber Warfare: How Autonomous Attack Agents Are Changing the Threat Landscape | Autonomous attack agents and AI-driven malware are reshaping cyber warfare—making attacks faster, smarter, and harder to stop than ever before. | AI blog | Cyble |
| 21.3.26 | Middle East Cyber Warfare Intensifies: Rising Attacks, Hacktivist Surge, and Global Risk Exposure | Middle East cyber warfare escalates in 2026 as hybrid attacks disrupt infrastructure, supply chains, and global security. | Cyber blog | Cyble |
| 21.3.26 | AI-Assisted Phishing Campaign Exploits Browser Permissions to Capture Victim Data | Cyble analyzes an AI-driven phishing campaign that abuses browser permissions to capture victims' images and exfiltrate the data to attacker-controlled Telegram bots. | AI blog | Cyble |
| 21.3.26 | Libyan Oil Refinery Among Targets in Long-running Likely Espionage Campaign | The modular backdoor AsyncRAT was deployed on targeted networks. | Malware blog | SECURITY.COM |
| 21.3.26 | New Malware Targets Users of Cobra DocGuard Software | Novel, parasitic threat cleverly uses Cobra DocGuard’s functionality and hunts for documents related to ballistic missiles. | Malware blog | SECURITY.COM |
| 21.3.26 | When tax season becomes cyberattack season: Phishing and malware campaigns using tax-related lures | During tax season, threat actors reliably take advantage of the urgency and familiarity of time-sensitive emails, including refund notices, payroll forms, filing reminders, and requests from tax professionals, to push malicious attachments, links, or QR codes. | Cyber blog | Microsoft blog |
| 21.3.26 | From Misconfigured Spring Boot Actuator to SharePoint Exfiltration: How Stolen Credentials Bypass MFA | Not every cloud breach starts with malware or a zero-day. In this incident, attackers discovered an exposed Spring Boot Actuator endpoint, harvested credentials from leaked configuration data, then used the OAuth2 Resource Owner Password Credentials (ROPC) flow to authenticate without MFA. | Hacking blog | Trend Micro |
| 21.3.26 | Copyright Lures Mask a Multi‑Stage PureLog Stealer Attack on Key Industries | We look into a stealthy multi‑stage attack campaign that delivers PureLog Stealer entirely in memory using encrypted, fileless techniques. | Malware blog | Trend Micro |
| 21.3.26 | An In-Depth Look at Scarface Stealer | This week, the SonicWall Capture Labs Threat Research team analyzed a sample of ScarfaceStealer, a Go-compiled information stealer that utilizes sophisticated anti-analysis techniques including | Malware blog | SonicWall |
| 21.3.26 | Juniper JunOS Evolved Pre-authenticated Remote Code Execution (CVE-2026-21902) | The SonicWall Capture Labs threat research team became aware of a severe unauthenticated Incorrect Permission Assignment for Critical Resource vulnerability in Juniper Networks Junos OS Evolved (PTX Series), assessed its impact, and developed mitigation measures. Juniper PTX Series routers are high-performance core and peering routers built for high throughput, low latency, and scale. They are commonly used by internet service providers, telecommunication services, and cloud network applications. | Vulnerability blog | SonicWall |
| 21.3.26 | Analyzing the Current State of AI Use in Malware | Unit 42 researchers searched through open-source intelligence (OSINT) and our internal telemetry for potential signs of malware made to any degree with large language models (LLMs). This includes either using LLMs to create the malware entirely or to assist with their functionality. This article examines two samples, both of which originated from our OSINT hunts. | AI blog | Palo Alto |
| 21.3.26 | Open, Closed and Broken: Prompt Fuzzing Finds LLMs Still Fragile Across Open and Closed Models | Unit 42 researchers have developed a genetic algorithm-inspired prompt fuzzing method to automatically generate variants of disallowed requests that preserved their original meaning. This method also measures guardrail fragility under systematic rephrasing. | AI blog | Palo Alto |
| 21.3.26 | You have to invite them in | While a garlic and wooden stakes keep the vampires at bay in movies, they won’t save your network once an attacker has been "invited in." Discover why identity is the new frontier of cyber horror in this week’s edition. | Cyber blog | CISCO TALOS |
| 21.3.26 | Everyday tools, extraordinary crimes: the ransomware exfiltration playbook | Attackers use trusted tools for data theft, making traditional detection unreliable. The Exfiltration Framework enables defenders to spot exfiltration by focusing on behavioral signals across endpoints, networks, and cloud environments rather than static tool indicators. | Ransom blog | CISCO TALOS |
| 21.3.26 | Transparent COM instrumentation for malware analysis | In this article, Cisco Talos presents DispatchLogger, a new open-source tool that delivers high visibility into late-bound IDispatch COM object interactions via transparent proxy interception. | Malware blog | CISCO TALOS |
| 21.3.26 | Move fast and save things: A quick guide to recovering a hacked account | What you do – and how fast – after an account is compromised often matters more than it may seem | Hacking blog | Eset |
| 21.3.26 | EDR killers explained: Beyond the drivers | ESET researchers dive deeper into the EDR killer ecosystem, disclosing how attackers abuse vulnerable drivers | Hacking blog | Eset |
| 21.3.26 | A Deep Dive into the GetProcessHandleFromHwnd API | In my previous blog post I mentioned the GetProcessHandleFromHwnd API. This was an API I didn’t know existed until I found a publicly disclosed UAC bypass using the Quick Assist UI Access application. This API looked interesting so I thought I should take a closer look. | Vulnerability blog | PROJECT ZERO |
| 21.3.26 | Dark Web Roast February 2026 Edition | Grab your mug and settle in: February’s roast is served hot, fresh, and with zero detections. | Cyber blog | Trellix |
| 21.3.26 | Getting Roasted? Trellix Helix sees through AS-REP Attack | This blog demonstrates how Trellix Helix's Advanced Correlation Engine (ACE) identifies AS-REP Roasting attacks based on behavioral patterns and technique fingerprints rather than tool-specific indicators. | Attack blog | Trellix |
| 14.3.26 | Initial access techniques used by Iran-based threat actors | Analysis of attacks originating from Iran-linked threat groups reveals a preference for certain techniques | APT blog | SOPHOS |
| 14.3.26 | Evil evolution: ClickFix and macOS infostealers | Across three recent campaigns, Sophos X-Ops notes shifts in both lures and malware capabilities, as threat actors leveraging ClickFix techniques increasingly target macOS users with infostealers | Malware blog | SOPHOS |
| 14.3.26 | | Threat actors leverage destructive malware to destroy data, eliminate evidence of malicious activity, or manipulate systems in a way that renders them inoperable | Hacking blog | GTI |
| 14.3.26 | The Future of Supply Chain Backdoor Detections | The XZ Utils backdoor (CVE-2024-3094) was discovered in March 2024 and is an example of a software supply chain attack that would have allowed hackers in possession of a specific private key to connect to the backdoored system and run their own commands as an administrator. | Malware blog | Eclypsium |
| 14.3.26 | Operation CamelClone: Multi-Region Espionage Campaign Targets Government and Defense Entities Amidst Regional Tensions | Contents Introduction Key Targets Industries Affected Geographical focus Geopolitical Context Infection Chain Timeline of Activity Initial Findings Looking into the Decoy Documents Technical Analysis Stage 1 – Malicious Archive Delivery Stage 2 – Malicious Shortcut Execution Stage 3 | Cyber blog | Seqrite |
| 14.3.26 | The Ultimate Guide to Dark Web Monitoring in 2026: Protect Your Data Before Attackers Strike | Dark web intelligence helps organizations detect stolen credentials, leaked data, and cyber threats early, enabling faster response and stronger security. | Cyber blog | Cyble |
| 14.3.26 | Australia, New Zealand, Tonga, Warn of Rising INC Ransom Attacks Targeting Pacific Networks | ACSC, NCSC, and CERT Tonga warn of growing INC Ransom activity targeting healthcare and organizations across Australia, New Zealand, and Pacific states. | BigBrother blog | Cyble |
| 14.3.26 | TrendAI™ at [un]prompted 2026: From KYC Exploits to Agentic Defense | At [un]prompted 2026, TrendAI™ demonstrated how documents can be used to exploit AI-driven KYC pipelines and introduced FENRIR, an automated system for discovering AI vulnerabilities at scale. | AI blog | Trend Micro |
| 14.3.26 | CISOs in a Pinch: A Security Analysis of OpenClaw | Learn about OpenClaw (a sovereign agent) and how this can be viable for enterprises. | Security blog | Trend Micro |
| 14.3.26 | Through the Lens of MDR: Analysis of KongTuke’s ClickFix Abuse of Compromised WordPress Sites | Our analysis of an active KongTuke campaign deploying modeloRAT — malware capable of reconnaissance, command execution, and persistent access — through compromised WordPress sites and fake CAPTCHA lures shows that the group still operates this delivery chain in parallel with the newer CrashFix technique. | Malware blog | Trend Micro |
| 14.3.26 | Deno Runtime Exploited: The Emerging Threat You Can’t Ignore | Recently, the SonicWall Capture Labs threat research team observed threat actors have started abusing Deno, a modern JavaScript runtime, to run malicious JavaScript outside the browser, bypassing the need for Node.js. | APT blog | SonicWall |
| 14.3.26 | Insights: Increased Risk of Wiper Attacks | Unit 42 is tracking an increased risk of wiper attacks related to the conflict with Iran, including multiple related incidents impacting organizations in Israel and the US. For the latest intelligence on cyberattacks associated with this conflict, review our Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran. | Hacking blog | Palo Alto |
| 14.3.26 | Suspected China-Based Espionage Operation Against Military Targets in Southeast Asia | We identified a cluster of malicious activity targeting Southeast Asian military organizations, suspected with moderate confidence to be operating out of China. We designate this cluster as CL-STA-1087, with STA representing our assessment that the activity is conducted by state-sponsored actors. We traced this activity back to at least 2020. | APT blog | Palo Alto |
| 14.3.26 | Auditing the Gatekeepers: Fuzzing "AI Judges" to Bypass Security Controls | As organizations scale AI operations, they increasingly deploy AI judges — large language models (LLMs) acting as automated security gatekeepers to enforce safety policies and evaluate output quality. Our research investigates a critical security issue in these systems: They can be manipulated into authorizing policy violations through stealthy input sequences, a type of prompt injection. | AI blog | Palo Alto |
| 14.3.26 | Iranian MOIS Actors & the Cyber Crime Connection | Iran-linked actors are increasingly engaging with the cyber crime ecosystem. Their activity suggests a growing reliance on criminal tools, services, and operational models in support of state objectives. | APT blog | CHECKPOINT |
| 14.3.26 | “Handala Hack” – Unveiling Group’s Modus Operandi | Handala Hack is an online persona operated by Void Manticore (aka Red Sandstorm, Banished Kitten), an actor affiliated with Iranian Ministry of Intelligence and Security (MOIS) | APT blog | CHECKPOINT |
| 14.3.26 | This one’s for you, Mom | This week, Joe talks about allyship and how being aware of an issue is the first step in helping to fix it. | Cyber blog | CISCO TALOS |
| 14.3.26 | Agentic AI security: Why you need to know about autonomous agents now | There are many benefits and security risks of deploying agentic AI within organizations. This blog emphasizes the importance of robust risk management and threat modeling to defend against both internal operational errors and potential malicious exploitation. | AI blog | CISCO TALOS |
| 14.3.26 | Spinning complex ideas into clear docs with Kri Dontje | The episode features Kri Dontje discussing her role in translating complex technical cybersecurity topics into clear, accessible documentation, emphasizing the importance of consistency, accuracy, and collaboration with subject matter experts. | Hacking blog | CISCO TALOS |
| 14.3.26 | DirectX, OpenFOAM, Libbiosig vulnerabilities | Cisco Talos’ Vulnerability Discovery & Research team recently disclosed vulnerabilities in the BioSig Project Libbiosig library and OpenCFD OpenFOAM, as well as an unpatched vulnerability in Microsoft DirectX. The vulnerabilities mentioned in this blog post have been patched | Vulnerability blog | CISCO TALOS |
| 14.3.26 | Microsoft Patch Tuesday for March 2026 — Snort rules and prominent vulnerabilities | Microsoft has released its monthly security update for March 2026, which includes 79 vulnerabilities, including three that Microsoft marked as “critical.” | Vulnerability blog | CISCO TALOS |
| 14.3.26 | Face value: What it takes to fool facial recognition | ESET’s Jake Moore used smart glasses, deepfakes and face swaps to ‘hack’ widely-used facial recognition systems – and he'll demo it all at RSAC 2026 | Cyber blog | Eset |
| 14.3.26 | Cyber fallout from the Iran war: What to have on your radar | The cybersecurity implications of the war in the Middle East extend far beyond the region. Here’s where to focus your defenses. | Cyber blog | Eset |
| 14.3.26 | Sednit reloaded: Back in the trenches | The resurgence of one of Russia’s most notorious APT groups | APT blog | Eset |
| 14.3.26 | Malware-As-A-Service Redefined: Why XWorm is outpacing every other RAT in the underground malware market | XWorm has surged to the #3 global threat, using stealthy memory-only execution and the WinRAR CVE-2025-8088 exploit to bypass traditional security stacks. | Malware blog | Trellix |
| 14.3.26 | Fileless Multi-Stage Remcos RAT: From Phishing to Memory-Resident Execution | This blog examines a Remcos campaign demonstrating the transition from phishing-based initial access to fully fileless execution. | Malware blog | Trellix |
| 7.3.26 | Firewall Vulnerability Exploitation: Why the Edge is Fraying | There is a reasonable assumption baked into most enterprise security strategies: the firewall is the defender. It sits at the edge, it inspects traffic, it keeps the bad stuff out. Organizations spend real money on these devices specifically because of that assumption. | Security blog | Eclypsium |
| 7.3.26 | ClipXDaemon: Autonomous X11 Clipboard Hijacker Delivered via Bincrypter-Based Loader | Cyble has identified a new Linux threat named ClipXDaemon that targets cryptocurrency users by intercepting and manipulating copied wallet addresses. | Malware blog | Cyble |
| 7.3.26 | Middle East on the Brink: Iran-US-Israel Hostilities Trigger Cyber-Kinetic Conflict | Middle East faces unprecedented hybrid warfare as Iran, US, and Israel clash through cyberattacks, missile strikes, and hacktivist campaigns. | APT blog | Cyble |
| 7.3.26 | Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software Company | This activity began in early February and has continued in recent days. What organizations should expect next from Iran-aligned groups and the steps they should take to guard against cyberattacks. | APT blog | SECURITY.COM |
| 7.3.26 | AI as tradecraft: How threat actors operationalize AI | Threat actors are operationalizing AI to scale and sustain malicious activity, accelerating tradecraft and increasing risk for defenders, as illustrated by recent activity from North Korean groups such as Jasper Sleet and Coral Sleet (formerly Storm-1877). | AI blog | Microsoft blog |
| 7.3.26 | Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale | Tycoon2FA has become one of the leading phishing-as-a-service (PhaaS) platforms, enabling campaigns that reach over 500,000 organizations monthly, prompting Microsoft’s Digital Crimes Unit (DCU) to work with Europol and industry partners to facilitate a disruption of Tycoon2FA’s infrastructure and operations. | Phishing blog | Microsoft blog |
| 7.3.26 | Europol, Microsoft, TrendAI™ and Collaborators Halt Tycoon 2FA Operations | Tycoon 2FA was dismantled this week by law enforcement and industry partners including TrendAI™. The phishing-as-a-service platform offered MFA bypass services using adversary-in-the-middle (AitM) proxying. | Phishing blog | Trend Micro |
| 7.3.26 | New BoryptGrab Stealer Targets Windows Users via Deceptive GitHub Pages | The BoryptGrab campaign uses fake SEO‑optimized GitHub repositories and deceptive download pages to distribute a data‑stealing malware family that delivers multiple payloads, including a reverse SSH backdoor, to Windows users. | Malware blog | Trend Micro |
| 7.3.26 | CISOs in a Pinch: A Security Analysis of OpenClaw | Learn how Claude Code Security set Cybersecurity stocks on fire. | AI blog | Trend Micro |
| 7.3.26 | Budibase Cloud View Filter Eval Injection Allows Full Remote Code Execution | The SonicWall Capture Labs threat research team became aware of the threat CVE-2026-27702, assessed its impact, and developed mitigation measures for this vulnerability. CVE-2026-27702, also known as Budibase Cloud View Filter Map Function RCE, is a critical remote code execution vulnerability affecting Budibase in versions prior to 3.30.4. | Vulnerability blog | SonicWall |
| 7.3.26 | PDF-Borne Living-off-the-Land Attacks with RMM Abuse | PDF files have long been abused by attackers to evade security detections and to deliver malware payloads. This time the SonicWall Capture Labs threat research team has observed four distinct campaigns where PDF-based social engineering techniques are being used to deliver remote monitoring and management (RMM) software for unauthorized system access. These tools, while legitimate in managed IT environments, become powerful weapons when deployed without user consent. | Malware blog | SonicWall |
| 7.3.26 | Scam Alerts Deceiving Users to Download Harmful Android Applications | SonicWall Capture Labs threat researchers identified an ongoing Android scam campaign targeting users with fake promotional offers, cashback rewards, and traffic-fine notifications. Distributed via social media, messaging platforms, and third-party app stores, the campaign deceives victims into installing a malicious application disguised as a legitimate service. | Spam blog | SonicWall |
| 7.3.26 | Inside a New VioletRAT Campaign: Multi Staged Delivery and Stealthy Payload Execution | Recently, the SonicWall Capture Labs threat research team observed a new campaign spreading Violet RAT using a multistage Python-based APC injection technique. The campaign employs a multi-stage delivery chain that involves archives, batch scripts, and a Python loader to deploy the final payload via shellcode injection. The complete infection chain can be visualized in the following figure 1. | Malware blog | SonicWall |
| 7.3.26 | An Investigation Into Years of Undetected Operations Targeting High-Value Sectors | Since at least 2020, we have observed a cluster of activity targeting high-value organizations across South, Southeast and East Asia. The attacks focus on critical sectors such as aviation, energy, government, law enforcement, pharmaceutical, technology and telecommunications. | APT blog | Palo Alto |
| 7.3.26 | Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran | On Feb. 28, 2026, the United States and Israel launched a significant joint offensive code named Operation Epic Fury (U.S.) and Operation Roaring Lion (Israel). In the hours following the initial strikes, Iran began a multi-vector retaliatory campaign, which has evolved into a significant trans-regional conflict. | APT blog | Palo Alto |
| 7.3.26 | Fooling AI Agents: Web-Based Indirect Prompt Injection Observed in the Wild | Large language models (LLMs) and AI agents are becoming deeply integrated into web browsers, search engines and automated content-processing pipelines. While these integrations can expand functionality, they also introduce a new and largely underexplored attack surface. | AI blog | Palo Alto |
| 7.3.26 | Interplay between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East | During the ongoing conflict, we identified intensified targeting of IP cameras from two manufacturers starting on February 28, originating from infrastructure we attribute to Iranian threat actors. | APT blog | CHECKPOINT |
| 7.3.26 | Silver Dragon Targets Organizations in Southeast Asia and Europe | Check Point Research (CPR) is tracking Silver Dragon, an advanced persistent threat (APT) group which has been actively targeting organizations across Europe and Southeast Asia since at least mid-2024. The actor is likely operating within the umbrella of Chinese-nexus APT41. | APT blog | CHECKPOINT |
| 7.3.26 | Talos on the developing situation in the Middle East | Cisco Talos continues to monitor the ongoing conflict in the Middle East. As always, we will be watching closely for any cyber-related incidents that are tied to the conflict. | APT blog | CISCO TALOS |
| 7.3.26 | Patch, track, repeat: The 2025 CVE retrospective | Thor analyzes CVE data from 2025 and provides recommendations for where and how organizations should strengthen their defenses. | Vulnerability blog | CISCO TALOS |
| 7.3.26 | UAT-9244 targets South American telecommunication providers with three new malware implants | Cisco Talos is disclosing UAT-9244, who we assess with high confidence is a China-nexus advanced persistent threat (APT) actor closely associated with Famous Sparrow. | APT blog | CISCO TALOS |
| 7.3.26 | What cybersecurity actually does for your business | The ability to continue operating safely in an unsafe environment where competitors cannot is a competitive advantage that is rarely measured or discussed | Cyber blog | Eset |
| 7.3.26 | How SMBs use threat research and MDR to build a defensive edge | We speak to Director of ESET Threat Research Jean-Ian Boutin about where solutions that blend advanced technology with human expertise provide the most practical value for businesses | Security blog | Eset |
| 7.3.26 | Protecting education: How MDR can tip the balance in favor of schools | The education sector is notoriously short on cash, but rich in assets for threat actors to target. How can managed detection and response (MDR) help learning institutions regain the initiative? | Security blog | Eset |
| 7.3.26 | This month in security with Tony Anscombe – February 2026 edition | In this roundup, Tony looks at how opportunistic threat actors are taking advantage of weak authentication, unmanaged exposure, and popular AI tools | AI blog | Eset |
| 7.3.26 | The Iranian Cyber Capability 2026 | This report examines Iranian-linked threat activity from 2024 onward. | APT blog | Trellix |