Google has released security updates to address two Chrome zero-day vulnerabilities said to be exploited in the wild. CVE-2026-3909 is an out-of-bounds write issue that can lead to remote code execution, and the second one, CVE-2026-3910, could be exploited by a remote attacker to compromise the target system by tricking a user into visiting a malicious web page. As always in such cases, Google withheld details about attacks exploiting the flaws until a majority of users update their Chrome browsers.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a number of recently disclosed security flaws to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. These include CVE-2021-22054, a server-side request forgery (SSRF) issue in Omnissa Workspace One UEM (previously known as VMware Workspace One UEM); CVE-2025-26399, an RCE flaw in the AjaxProxy component in SolarWinds Web Help Desk; CVE-2026-1603, an authentication bypass in Ivanti Endpoint Manager; and CVE-2025-68613, a privilege escalation issue in n8n.
Apple released security updates for older versions of iOS, iPadOS, and macOS Sonoma to fix a WebKit vulnerability (CVE-2023-43010). The flaw could cause memory corruption when a device processes malicious web content and was reportedly used in the Coruna exploit kit. Apple fixed the issue by improving how the system handles the affected processes.
Microsoft released its March 2026 Patch Tuesday security updates, fixing over 70 vulnerabilities across its products, including two publicly disclosed flaws. One of the issues (CVE-2026-21262) affects Microsoft SQL Server and allows an elevation of privilege. The second publicly disclosed vulnerability (CVE-2026-26127) impacts .NET. Microsoft said neither flaw has been observed being actively exploited in attacks.
Veeam Software fixed several security flaws in its Veeam Backup & Replication backup system, including multiple remote code execution (RCE) vulnerabilities.
Hewlett Packard Enterprise (HPE) has also released security updates to address multiple security flaws in the Aruba Networking AOS-CX operating system, with three of them allowing remote command execution.
Exploitation of software vulnerabilities is now the main entry point into Google Cloud environments for attackers, replacing weak passwords for the first time. Google says nearly half of the intrusions in the second half of last year targeted third-party software on customer servers. In the past, most breaches happened because of weak or missing passwords. Google also saw attacks using LLMs during the year.
Threat actors are abusing FortiGate Next-Generation Firewall (NGFW) appliances as entry points to infiltrate victim networks. Attackers are exploiting recently disclosed vulnerabilities or weak credentials to gain access to FortiGate devices and extract configuration files.
Dutch intelligence agencies have warned that Russian state-backed hackers are attempting to gain access to a large number of Signal and WhatsApp accounts belonging to dignitaries, military personnel, and civil servants around the world.
In a separate report, ESET shared details of an APT28-linked campaign using custom malware implants, including a modified version of the open-source Covenant post-exploitation tool, to spy on Ukrainian organizations. The researchers noted that the group appears to have resumed advanced malware development.
Additionally, Hunt.io researchers have uncovered a sophisticated toolkit believed to be used by APT28 in a campaign targeting Ukrainian government email systems.
A sophisticated cyber-espionage campaign has been targeting human resources (HR) departments for more than a year using malware designed to disable endpoint security tools. The operation delivers a previously undocumented endpoint detection and response (EDR) killer known as BlackSanta. The attackers, believed to be Russian-speaking, combined social engineering with advanced evasion techniques to infiltrate corporate systems and steal sensitive data.
A previously undocumented threat actor believed to be linked to China has been targeting high-value organizations across South, Southeast, and East Asia in a long-running cyber espionage campaign. The campaign has been attributed to a threat actor tracked as CL-UNK-1068. The attackers deploy several well-known web shell tools, including Godzilla and AntSword, as well as the Linux backdoor Xnote and Fast Reverse Proxy (FRP) to maintain remote access.
The Iranian state-linked MuddyWater hacking group has infiltrated multiple US organizations, including banks and airports. The attacks deployed a previously unknown backdoor called ‘Dindoor,’ and a Python-based backdoor known as ‘Fakeset.’
Medical technology company Stryker suffered a wiper malware attack orchestrated by the Iranian-linked pro-Palestinian hacktivist group Handala. The attackers claim to have stolen 50 terabytes of data and wiped tens of thousands of Stryker’s systems worldwide, forcing a company shutdown. The company has confirmed the incident in its 8-K SEC report.
A Pakistan-linked threat group, known as APT36 or Transparent Tribe, has turned to what researchers describe as “vibeware,” an AI-assisted approach that rapidly generates large numbers of low-quality but functional cyber implants. Instead of relying on established off-the-shelf malware, the group is now creating disposable binaries across multiple programming languages.
Security researchers from Black Lotus Labs at Lumen Technologies have uncovered a new malware strain called KadNap that mostly targets routers from Asus, turning compromised devices into part of a large proxy botnet used to route malicious traffic. According to researchers, the network has been growing since August 2025 and now includes more than 14,000 infected devices worldwide.
The SonicWall Capture Labs threat research team has observed four campaigns using PDF-based social engineering to deliver remote monitoring and management (RMM) tools for unauthorized access. In one case, a PDF contained a Dropbox link that triggered the download of an MSI installer with ScreenConnect, a legitimate remote desktop tool. Another PDF led to a malicious URL that also installed ScreenConnect. In a third incident, the PDF led to the download of Advanced Monitoring Agent, a commercial RMM platform commonly used by managed service providers. In the fourth case, attackers delivered the legitimate backup and remote management tool MSP360.
A new Trellix report analyses a recent Remcos RAT campaign starting from phishing-based initial access to fully fileless execution using JavaScript, PowerShell, and a managed .NET injector.
Sophos has observed three ClickFix campaigns targeting macOS users with the MacSync infostealer. On the same note, Microsoft has shared details of a ClickFix campaign that uses the Windows Terminal application to initiate a complex malware attack chain that deploys the Lumma Stealer malware.
Agentic AI browsers can be tricked into phishing scams by exploiting how they reason and make decisions. By intercepting communication between the browser and its AI service and using a Generative Adversarial Network (GAN), attackers could fool the Perplexity Comet AI browser in under four minutes. The new technique, described by Guardio researchers, builds on previously reported methods showing that AI tools can be manipulated through hidden prompts to generate scam pages or perform malicious actions.
A financially motivated threat actor, tracked as Hive0163, has been observed using a suspected AI-generated malware called Slopoly. The group focuses on making money through data theft and ransomware attacks. Hive0163 is also linked to other malicious tools like NodeSnake, Interlock RAT, JunkFiction loader, and the Interlock ransomware.
Two previously legitimate Google Chrome extensions have reportedly become malicious after being sold to new owners. The new versions of the extensions were modified to carry out malicious activities like disabling certain browser security protections, injecting malicious code into websites, and collecting sensitive user information.
Security researcher Chris Aziz has detailed a new technique, called “Zombie ZIP,” that hides malicious files inside specially crafted ZIP archives. By altering the ZIP file headers, attackers trick security tools into scanning the contents incorrectly, allowing the malicious payload to avoid detection. The files also appear corrupted when opened with tools like WinRAR or 7-Zip.
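The defensive counterpart to header-tampering tricks of this kind is to refuse to trust any single view of a ZIP file. Archivers and Python's `zipfile` read the central directory at the end of the archive, while a streaming scanner typically walks the local file headers from the front; an archive whose two views disagree should be quarantined rather than scanned by whichever view happens to be convenient. The checker below is an added example written for this roundup, not code from Chris Aziz's research or any security product, and it does not reproduce the specific header edits described there (the page does not detail them). It parses the end-of-central-directory record, every central directory header and the matching local file header, and reports any field that disagrees, plus junk after the EOCD record. The two sample archives are constructed in `build_samples()`: a clean one, and a copy whose second local header was renamed in place and given trailing bytes so the mismatch is visible.

```python
"""Central-directory vs local-header consistency check for ZIP archives (added example)."""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"      # end of central directory record
CDH_SIG = b"PK\x01\x02"       # central directory file header
LFH_SIG = b"PK\x03\x04"       # local file header
USE_DATA_DESCRIPTOR = 0x0008  # general-purpose flag bit 3: sizes/CRC follow the data


def check_zip_consistency(data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means both views of the archive agree."""
    findings = []
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        return ["no complete end-of-central-directory record found"]
    (_disk, _cd_disk, _entries_here, entries_total, cd_size, cd_offset,
     comment_len) = struct.unpack_from("<HHHHIIH", data, eocd + 4)

    expected_end = eocd + 22 + comment_len
    if expected_end < len(data):
        findings.append(f"{len(data) - expected_end} bytes of trailing data after the EOCD record")
    if cd_offset + cd_size != eocd:
        findings.append("EOCD central-directory offset/size does not line up with the EOCD record")
    if data.count(EOCD_SIG) > 1:
        findings.append("more than one EOCD signature present")

    pos, seen = cd_offset, 0
    while pos + 46 <= eocd and data[pos:pos + 4] == CDH_SIG:
        (_made_by, _needed, _cd_flags, cd_method, _t, _d, cd_crc, cd_csize, cd_usize,
         fn_len, ex_len, cm_len, _disk_no, _int_attr, _ext_attr,
         lfh_off) = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        cd_name = data[pos + 46:pos + 46 + fn_len]
        label = cd_name.decode("utf-8", "replace")
        seen += 1
        pos += 46 + fn_len + ex_len + cm_len

        # The central directory must point at a real local header.
        if lfh_off + 30 > len(data) or data[lfh_off:lfh_off + 4] != LFH_SIG:
            findings.append(f"{label!r}: central directory points at offset {lfh_off}, "
                            "which is not a local file header")
            continue
        (_needed2, lfh_flags, lfh_method, _t2, _d2, lfh_crc, lfh_csize, lfh_usize,
         lfn_len, lex_len) = struct.unpack_from("<HHHHHIIIHH", data, lfh_off + 4)
        lfh_name = data[lfh_off + 30:lfh_off + 30 + lfn_len]

        if lfh_name != cd_name:
            findings.append(f"{label!r}: local header names the entry "
                            f"{lfh_name.decode('utf-8', 'replace')!r}")
        if lfh_method != cd_method:
            findings.append(f"{label!r}: compression method {cd_method} in central directory "
                            f"vs {lfh_method} in local header")
        # With the data-descriptor flag set, zeroed local CRC/sizes are legitimate.
        if not lfh_flags & USE_DATA_DESCRIPTOR and \
                (lfh_crc, lfh_csize, lfh_usize) != (cd_crc, cd_csize, cd_usize):
            findings.append(f"{label!r}: CRC/size fields differ between central directory and local header")
        if lfh_off + 30 + lfn_len + lex_len + cd_csize > cd_offset:
            findings.append(f"{label!r}: file data would run into the central directory")

    if seen != entries_total:
        findings.append(f"EOCD claims {entries_total} entries but {seen} central directory headers were parsed")
    return findings


def build_samples() -> tuple[bytes, bytes]:
    """Constructed test data: a clean two-file archive, and a copy whose second local header
    is renamed in place (same length) and which has junk appended after the EOCD record."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", b"quarterly notes\n" * 4)
        zf.writestr("report.txt", b"nothing to see here\n" * 4)
    clean = buf.getvalue()

    with zipfile.ZipFile(io.BytesIO(clean)) as zf:
        off = zf.getinfo("report.txt").header_offset   # offset of that entry's local header
    tampered = bytearray(clean)
    tampered[off + 30:off + 40] = b"readme.txt"          # filename starts 30 bytes into the LFH
    tampered += b"\x00" * 16                             # bytes after the EOCD record
    return clean, bytes(tampered)


if __name__ == "__main__":
    for name, blob in zip(("clean", "tampered"), build_samples()):
        print(name, check_zip_consistency(blob) or "consistent")
```

A real scanner would additionally decompress each entry from both offsets and compare the bytes, but the header comparison alone already separates an archive that merely has an odd layout from one whose two indices describe different contents.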
The US Treasury sanctioned six individuals and two companies for helping North Korea run an overseas IT worker scheme. The sanctioned companies are Amnokgang Technology Development Company and Quangvietdnbg International Services Company in Vietnam. The firms allegedly helped manage North Korean IT workers and convert money. US officials say Quangvietdnbg converted about $2.5 million for Amnokgang between 2023 and 2025. The six sanctioned individuals are located in Vietnam, Laos, and Spain.
The US Department of Justice charged Angelo John Martino III, a former ransomware negotiator at the cybersecurity company DigitalMint, with helping carry out ransomware attacks while also negotiating payments for the victims. Prosecutors say Martino worked with the ALPHV/BlackCat ransomware group to extort about $75.25 million from at least 10 victims. He allegedly helped hack networks and deploy ransomware. Martino surrendered to US Marshals on March 10, 2026, and is charged with conspiracy to commit extortion. Ryan Goldberg and Kevin Martin, two other cybersecurity professionals involved in the scheme, pleaded guilty in December 2025.
An international law enforcement operation has disrupted SocksEscort, a criminal proxy network that infected thousands of home and small-business routers with malware and sold access to them to cybercriminals. Since 2020, SocksEscort had offered access to about 369,000 IP addresses, and by February 2026 around 8,000 infected routers were still listed in the system, including 2,500 in the United States. The service helped hide attackers’ locations while they carried out fraud, ransomware, DDoS attacks, and other crimes that cost victims millions of dollars. Authorities from Austria, France, and the Netherlands helped seize 34 domains and 23 servers, freeze $3.5 million in cryptocurrency, and disconnect thousands of infected routers from the network.
Meta said it removed more than 150,000 accounts linked to scam centers in Southeast Asia in a joint effort with authorities from several countries, including Thailand, the US, the UK, and Japan. The operation led to 21 arrests.