ALERTS MARCH 2026
| DATE | NAME | INFO | CATEGORY | SUBCATEGORY |
|---|---|---|---|---|
| 26.3.26 | Oblivion RAT - a new mobile threat | Oblivion RAT is a recently discovered, sophisticated Android Remote Access Trojan (RAT) that operates under the Malware-as-a-Service (MaaS) business model. As reported by the researchers from iVerify, this malware relies heavily on a two-stage infection sequence initiated through targeted social engineering tactics, often deployed across popular messaging or dating applications. | ALERTS | VIRUS |
| 26.3.26 | FAUX#ELEVATE: The "CV" Malware Squeezing Enterprise CPUs for Monero | The FAUX#ELEVATE campaign is a sophisticated operation targeting French enterprises using deceptive job application lures. As detailed in a report by researchers at Securonix, this threat utilizes a heavily bloated VBScript dropper, where nearly all content consists of junk text to bypass traditional security scanners. | OPERATION | |
| 26.3.26 | MioLab Stealer | MioLab is a macOS stealer offered through a malware-as-a-service framework. In a recent article, researchers at LevelBlue outlined its capabilities, noting that it is designed to harvest browser credentials, cookies, Keychain data, Apple Notes, files, and a wide range of cryptocurrency wallets, with a particular focus on high-value crypto theft. | ALERTS | VIRUS |
| 26.3.26 | PureHVNC via Google Form lures | Researchers recently observed PureHVNC as the final payload in a campaign that used fake business workflows on Google Forms, including job interviews, project briefs, and financial documents, to lure victims into downloading ZIP archives. | CAMPAIGN | |
| 26.3.26 | PureLog via Copyright Bait | Researchers at Trend Micro recently published an article on a PureLog Stealer campaign that uses fake copyright-violation notices as bait, with lure filenames matched to the victim’s language to improve execution. | CAMPAIGN | |
| 26.3.26 | VoidStealer | Gen Digital has detailed a new infostealer, VoidStealer, which is notable for being the first seen in the wild using a debugger-based bypass of Chrome’s Application-Bound Encryption (ABE). | VIRUS | |
| 21.3.26 | Multi-stage malware distribution through typosquatted Telegram websites | Cybersecurity analysts from K7 Security Labs have uncovered a sophisticated malicious campaign leveraging a typosquatted Telegram domain, "telegrgam[.]com," to trick unsuspecting users into downloading compromised software installers. | ALERTS | VIRUS |
| 21.3.26 | Winos4.0 malware distributed as a fake KakaoTalk installer | Security researchers at the AhnLab Security Intelligence Center (ASEC) have uncovered a widespread cyberattack utilizing Search Engine Optimization (SEO) poisoning to distribute the Winos4.0 malware variant. This deceptive campaign successfully compromised more than 5,000 computers by disguising a malicious payload as the standard installation file for the widely used messaging application, KakaoTalk. | VIRUS | |
| 21.3.26 | Libyan Oil Refinery Among Targets in Long-running Likely Espionage Campaign | A series of attacks on Libyan organizations hit an oil refinery, a telecoms organization and a state institution between November 2025 and February 2026. These attacks delivered the AsyncRAT backdoor, which is a publicly available backdoor that has previously been used by state-sponsored groups. | APT | |
| 21.3.26 | Perseus mobile malware | Security researchers from Threat Fabric have reported on a new mobile malware called Perseus which is actively circulating in the wild. Representing the next evolutionary stage of older malware families like Cerberus and Phoenix, Perseus functions as a sophisticated, flexible framework designed for a complete device compromise. | VIRUS | |
| 21.3.26 | Polymorphic Scripts and Fake Overlays: Inside the Latest Horabot Surge | Horabot has re-emerged as a sophisticated, multi-stage campaign targeting Latin America, especially Mexico, using ClickFix-style CAPTCHAs and phishing lures to initiate infection. These lures are generated on compromised systems by hijacking email data and sending malicious PDF attachments. | ALERTS | VIRUS |
| 21.3.26 | Recent activities attributed to the SeedWorm threat group | SeedWorm (aka Boggy Serpens, Muddy Water) is an Iranian state-sponsored cyberespionage threat actor active since at least 2017. According to a recent report published by Palo Alto's Unit42, this threat group has been employing high-volume strategies, relying on broad spear-phishing and legitimate remote management software to infiltrate targets. | GROUP | |
| 21.3.26 | DrillApp backdoor | LAB52 researchers uncovered a recent cyberespionage campaign aimed at Ukrainian organizations. At the core of this operation is a newly discovered, JavaScript-based backdoor dubbed DrillApp. Rather than relying on a traditional standalone executable execution, the malware hijacks the Microsoft Edge browser to infiltrate victim networks. | VIRUS | |
| 21.3.26 | New Malware Targets Users of Cobra DocGuard Software | Symantec and Carbon Black researchers have uncovered a mysterious and stealthy new threat that hijacks functionality and infrastructure of the legitimate security software Cobra DocGuard. Infostealer.Speagle is designed to surreptitiously harvest sensitive information from infected computers and transmit it to a Cobra DocGuard server that has been compromised by the attackers, masking the data exfiltration process as legitimate communications between client and server. | VIRUS | |
| 21.3.26 | SnappyClient | In a new technical analysis, Zscaler researchers detail SnappyClient, a stealthy C++-based command-and-control implant often delivered through HijackLoader. Operating largely in memory, it blends evasive techniques like Antimalware Scan Interface (AMSI) bypasses and direct system calls with encrypted communications to avoid detection. | VIRUS | |
| 18.3.26 | Fake FileZilla installers lead to infection with a Remote Access Trojan (RAT) | Threat actors are exploiting the popularity of the FileZilla file transfer client to infect systems with a Remote Access Trojan (RAT) variant. Once a victim downloads the seemingly legitimate software, they unwittingly introduce a multi-stage malware loader into their digital environment. | ALERTS | VIRUS |
| 18.3.26 | Vidar Stealer Evolves: Improved Performance, Stealth, and Social Distribution Vectors | A recent report by Acronis TRU researchers details the re-emergence of Vidar Stealer 2.0. This iteration introduces several advancements, specifically targeting improved operational performance and defensive evasion. Current distribution vectors involve deceptive GitHub repositories and Reddit threads masquerading as gaming utilities. | VIRUS | |
| 18.3.26 | Warlock Ransomware Group Ups the Ante with New TTPs | The Warlock ransomware group is escalating operations, according to researchers at Trend Micro. Recently observed activity primarily targets organizations in government, manufacturing, and technology sectors. Attacks typically begin with the exploitation of SharePoint vulnerabilities, enabling initial access and credential dumping. | RANSOM | |
| 18.3.26 | Hyrax malware distributed in SEO poisoning operation attributed to the Storm-2561 threat group | Microsoft researchers discovered a sophisticated credential-stealing operation orchestrated by the cybercriminal group known as Storm-2561. This threat actor actively employs search engine optimization (SEO) manipulation to distribute fraudulent virtual private network (VPN) applications. | OPERATION | |
| 18.3.26 | Venon Banking malware | ZenoX recently reported that it identified a new Brazilian banking trojan, VENON, in February 2026, describing it as a Rust-based RAT that mirrors many classic Latin American banker behaviors, including overlay abuse and active window monitoring (33 financial institutions and digital asset platforms). | ALERTS | VIRUS |
| 14.3.26 | DoubleDonut loader leveraged for the delivery of various infostealing payloads | Rapid7 Labs recently uncovered a widespread malicious campaign that compromised a large number of trusted WordPress websites in efforts to distribute malicious payloads. Threat actors inject a deceptive ClickFix script into these legitimate sites, presenting unsuspecting visitors with fraudulent CAPTCHA prompts. Engaging with this fake verification triggers a sophisticated, multi-stage infection chain aimed at harvesting digital wallets and system credentials from the victims. | ALERTS | VIRUS |
| 14.3.26 | GibCrypto malware | GibCrypto is a new destructive and evasive ransomware variant discovered in the wild. As reported by researchers from K7 Security Labs, this malware variant compromises the Master Boot Record (MBR) and systematically targets vital Windows dependencies. | VIRUS | |
| 14.3.26 | Iranian Intelligence Integrates Malware-as-a-Service into State Operations | Recent research from Check Point reveals a strategic shift in Iranian cyber operations. Groups linked to the Ministry of Intelligence and Security (MOIS), such as Seedworm (aka MuddyWater) and Druidfly (aka Void Manticore), are moving beyond simply imitating cybercriminals to directly collaborating with the criminal ecosystem. | APT | |
| 14.3.26 | TAXISPY RAT Android malware | TaxiSpy RAT is an Android malware variant recently discovered by the researchers from Cyfirma. To bypass static security analysis, the malware employs complex evasion tactics, utilizing native libraries for critical tasks and XOR encryption to conceal its command-and-control (C2) infrastructure, configuration data, and Firebase credentials until runtime. | VIRUS | |
| 14.3.26 | Multi-staged Remcos RAT deployment campaign | A new Remcos RAT campaign leveraging fileless execution has been observed in the wild. As reported by Trellix researchers, the attack sequence begins with procurement-themed phishing emails, often disguised for example as "Request for Quotation" documents. | ALERTS | VIRUS |
| 14.3.26 | KadNap botnet | Researchers at Black Lotus Labs recently uncovered KadNap, an advanced botnet strain that has successfully compromised over 14,000 routers since August 2025. The malware employs sophisticated evasion strategy by utilizing a customized version of the Kademlia Distributed Hash Table (DHT) protocol to establish a decentralized, peer-to-peer (P2P) network. | BOTNET | |
| 14.3.26 | CVE-2026-1207 - Django SQLi Vulnerability | CVE-2026-1207 is a recently disclosed medium severity (CVSS score 5.4) SQL Injection vulnerability affecting Django, the Python-based open-source web framework. If successfully exploited, the flaw might allow attackers with low-level authentication to inject SQL commands via the band index parameter, potentially allowing for unauthorized data access or manipulation. This vulnerability has already been addressed in the updated versions of the product (6.0.2, 5.2.11, and 4.2.28 or newer). | VULNERABILITY | |
| 14.3.26 | China-Linked Hackers Target Qatar with PlugX Malware Campaign | Qatar is yet another victim of cyber espionage directly resulting from the increasing tensions in the Middle East. The Chinese-nexus threat group Fireant (aka Camaro Dragon/Mustang Panda) utilized a multi-stage infection chain to deliver a variant of the PlugX backdoor, according to a report by Check Point Research. | CAMPAIGN | |
| 14.3.26 | ClipXDaemon | Cyble has reported a newly identified Linux threat dubbed ClipXDaemon, a clipboard hijacker built to target cryptocurrency users on X11-based desktop environments. | ALERTS | CRYPTOCURRENCY |
| 12.3.26 | UAC-0252 activity delivering ShadowSniff and SalatStealer malware | Ukraine’s Computer Emergency Response Team (CERT-UA) identified a malicious campaign (dubbed UAC-0252) impersonating national executive authorities and regional government officials to deceive the victims. | ALERTS | GROUP |
| 12.3.26 | FakeGit Campaign Uses GitHub Lures to Deliver StealC | Researchers at Derp uncovered a large GitHub-based malware operation dubbed FakeGit, active since March 2025, that masquerades as cracked extensions, gaming cheats, developer tools, and other bait to spread a LuaJIT loader. | CAMPAIGN | |
| 12.3.26 | Android Malware: BeatBanker | Researchers at Kaspersky recently published an article about an Android malware campaign dubbed "BeatBanker" that targets mobile users in Brazil. It is being spread via a fake Google Play page spoofing the “INSS Reembolso” app to lure victims into installing a trojanized APK. | VIRUS | |
| 12.3.26 | Swallowtail Returns with BeardShell Backdoor and Modified Covenant Framework | A report by researchers at ESET highlights details attributed to the Russian group Swallowtail (aka APT28/Fancy Bear/Sednit). Since early 2024, the group has pivoted toward a dual-implant strategy, deploying the custom BeardShell backdoor alongside a heavily modified Covenant framework. | APT | |
| 10.3.26 | Recent Dust Specter APT activity | A recent targeted cyber espionage campaign directed at Iraqi government officials has been reported by researchers from Zscaler. The attack has been attributed to a threat group known as Dust Specter. | ALERTS | APT |
| 10.3.26 | Cybercriminals Exploit Middle East Tensions to Deliver Backdoors and Info-Stealing Malware | Cybercriminals are increasingly exploiting Middle East geopolitical tensions to launch sophisticated digital attacks. A report by researchers from Zscaler ThreatLabz reveals a surge in malicious activity, including a suspected targeted campaign that utilizes "missile strike" lures to deploy backdoors through a multi-stage attack chain incorporating ZIP, LNK, and CHM files. | VIRUS | |
| 10.3.26 | South American Telecom Providers Targeted by Trio of Malicious Tools | Cisco Talos researchers have uncovered a sophisticated campaign by UAT-9244, a Chinese-aligned threat actor, targeting South American telecommunications providers. This operation leverages a trio of malicious tools to compromise both Windows and Linux environments. | CAMPAIGN | |
| 10.3.26 | BoryptGrab Stealer | Trend Micro has recently reported a new malware campaign centered on BoryptGrab, a stealer spread through fake GitHub repositories and lookalike download pages posing as free utilities and game-related tools. Victims are lured through SEO-manipulated repos, then redirected to pages that generate malicious ZIP files to kick off the infection chain. | VIRUS | |
| 6.3.26 | ARM47 Ransomware | ARM47 HACKERS is a newly identified ransomware threat actor observed deploying a customized variant of the LockBit Black (LockBit 3.0) builder. The group operates under a double-extortion model, encrypting victim files while threatening to publish stolen data via a TOR-hosted leak site if the ransom is not paid. ARM47 is leveraging the widely leaked LockBit 3.0 builder — a trend observed among multiple emerging threat groups since the original builder was leaked in September 2022 — while branding the operation under their own identity. | ALERTS | RANSOM |
| 6.3.26 | BadPaw and MeowMeow: Not as Cute as They Sound | A Russian-based threat actor targeted Ukraine with BadPaw and MeowMeow malware, according to a report by researchers at ClearSky. | VIRUS | |
| 6.3.26 | Datebug APT campaign targets governmental entities in India | Cybersecurity researchers at Cyfirma recently uncovered a sophisticated malware campaign orchestrated by the Datebug threat group (aka Transparent Tribe, APT36). | APT | |
| 6.3.26 | Recent Agent Tesla distribution campaign | Agent Tesla continues to be a highly adaptable threat in the current cybersecurity landscape. A recent campaign delivering this malware variant has been discussed by the researchers from Fortinet. The attack leverages the most typical infection chain and begins with a phishing email containing a malicious RAR archive. | CAMPAIGN | |
| 6.3.26 | Seedworm APT group activity following U.S. and Israeli military strikes on Iran | The Iranian APT group Seedworm (aka MuddyWater, Temp Zagros, Static Kitten) has been active on the networks of multiple U.S. companies since the beginning of February 2026, with activity continuing in recent days following U.S. and Israeli military strikes on Iran that have sparked conflict in the region. | APT | |
| 6.3.26 | AuraStealer malware variant | AuraStealer is an emerging Malware-as-a-Service (MaaS) information stealer promoted on underground forums. As reported by researchers from Intrinsec, this C++-based malware is delivered via various channels including cracked software, ClickFix attacks and TikTok scam campaigns. | VIRUS | |
| 6.3.26 | SloppyLemming Campaign: PDF → ClickOnce → BurrowShell; Macro Excel → Rust RAT | Arctic Wolf Labs reports a year-long cyber-espionage campaign (Jan 2025–Jan 2026) they attribute to the India-nexus actor SloppyLemming (aka Outrider Tiger / Fishing Elephant), aimed at government and critical-infrastructure targets in Pakistan and Bangladesh. The operation ran two chains: PDF lures that bounce victims to ClickOnce manifests, and macro-enabled Excel documents used as an alternate delivery route. | CAMPAIGN | |
| 5.3.26 | Silver Dragon’s Tactics, Custom Tools, and the GearDoor Backdoor | Silver Dragon is a Chinese-aligned threat group that has been actively targeting organizations in Southeast Asia and Europe since mid-2024, primarily focusing on government entities. | APT | |
| 5.3.26 | SurxRAT mobile malware | SurxRAT is a sophisticated Remote Access Trojan (RAT) for Android recently discovered by the researchers from Cyble. The malware operates under the Malware-as-a-Service (MaaS) model. | VIRUS | |
| 5.3.26 | APT-Linked PlugX Campaign: Meeting Invitation + Fake Browser Updater | A recent PlugX campaign blends social engineering with “trusted” binaries: one path uses a Meeting Invitation lure that drops a ZIP containing an MSBuild project which pulls the next stages on execution. Another path seen in January 2026 starts with a fake “Browser Updater” (STATICPLUGIN) that downloads and runs a malicious MSI even if the victim clicks Cancel. | APT | |
| 5.3.26 | Smishing Pushes Malicious “Red Alert” Android App in Israel | Global events have always been used as social engineering by both e-crime and APT groups in order to lure victims’ curiosity, fear, or urgency into kicking off an attack chain. | SPAM | |
| 5.3.26 | Zerobot Campaign Exploits CVE-2025-7544 and CVE-2025-68613 | This week, Akamai reported active exploitation of two command-injection flaws to spread a Mirai-derived botnet dubbed Zerobot: CVE-2025-7544 in Tenda AC1206 routers and CVE-2025-68613 in the n8n workflow automation platform. | VULNERABILITY | |
| 5.3.26 | StegaBin: Another npm Supply-Chain Campaign | Researchers at Socket recently reported a supply-chain campaign dubbed “StegaBin,” in which 26 typosquatted npm packages published around Feb. | CAMPAIGN | |
| 5.3.26 | CVE-2026-25253 - OpenClaw RCE vulnerability | CVE-2026-25253 is a recently disclosed high severity (CVSS score 8.8) Remote Code Execution (RCE) vulnerability affecting the OpenClaw AI personal assistant tool. | VULNERABILITY | |
| 5.3.26 | Dohdoor backdoor delivery campaign | A sophisticated cyber campaign orchestrated by the threat actor dubbed UAT-10027 has been reported by the researchers from Cisco Talos. Focused heavily on American educational and healthcare institutions, the hackers execute a multi-staged attack chain to distribute a newly identified backdoor named Dohdoor. | VIRUS | |
| 5.3.26 | CVE-2026-24423 - SmarterTools SmarterMail vulnerability | CVE-2026-24423 is a recently disclosed critical (CVSS score 9.3) Remote Code Execution (RCE) vulnerability affecting SmarterTools SmarterMail software, which is an email, groupware, and collaboration server designed as an alternative to enterprise collaboration solutions such as Microsoft Exchange. | VULNERABILITY | |