A zero-day vulnerability in the KnowledgeDeliver Learning Management System has been actively exploited in the wild to deploy the Bluebeam in-memory web shell. The flaw, tracked as CVE-2026-5426, allows unauthenticated remote code execution (RCE). It impacts KnowledgeDeliver deployments that used default ASP.NET configuration settings before February 24, 2026.
Security researchers at Arctic Wolf have spotted a malicious campaign exploiting CVE-2026-35616 to deploy a new malware strain called EKZ Infostealer through compromised FortiClient EMS infrastructure. The attackers disguised the malware as a legitimate Fortinet endpoint patch and pushed it to managed endpoints using FortiClient Endpoint Management Server (EMS). The threat actors appear to have abused trusted management channels to execute malicious PowerShell commands across connected systems.
The US cybersecurity agency CISA has added three new security vulnerabilities to its KEV catalog of exploited bugs. All three of them are backdoors affecting DAEMON Tools software (CVE-2026-8398), the Nx Console VSCode extension (CVE-2026-48027), and TanStack (CVE-2026-45321). CISA noted that CVE-2026-45321 and CVE-2026-48027 are known to have been exploited in ransomware attacks.
Japanese cybersecurity firm Trend Micro has released security updates to fix a zero-day vulnerability in its Apex One endpoint protection platform that has been actively exploited in attacks targeting Windows systems. The flaw, tracked as CVE-2026-34926, affects Apex One on-premises servers and allows local attackers with administrator privileges to inject malicious code through a directory traversal issue.
Separately, LiteSpeed has issued patches for a security flaw in its user-end plugin for cPanel that is reportedly being actively exploited in the wild. Tracked as CVE-2026-48172, the vulnerability stems from incorrect privilege assignment, allowing attackers to execute arbitrary scripts with elevated permissions.
Threat actors have been exploiting an SQL injection flaw in Ghost CMS (CVE-2026-26980) to inject malicious JavaScript that launches ClickFix attack chains. Researchers at Qianxin discovered over 700 affected websites, including university portals, AI/SaaS platforms, media sites, fintech services, security websites, and personal blogs. Compromised organizations reportedly include Harvard University, University of Oxford, Auburn University, and DuckDuckGo's official blog.
Developers behind Roundcube Webmail released security updates that fix multiple flaws, including an SQL injection vulnerability that could allow attackers to manipulate backend databases without logging in. The issues affect Roundcube versions 1.6.x and 1.7.x.
Microsoft has released security updates to address a MS SharePoint vulnerability (CVE-2026-45659) that allows remote code execution. The vulnerability exists due to insecure input validation when processing serialized data. A remote authenticated user can pass specially crafted data to the application and execute arbitrary code on the target system.
An RCE vulnerability has also been patched in the 7-Zip file archiver. Tracked as CVE-2026-48095, the flaw is an out-of-bounds write in the NTFS archive handler that is triggered when processing a crafted NTFS image containing a compressed stream. A remote attacker can trick the victim into opening a crafted file to execute arbitrary code.
CERT-Polska has warned of a number of security flaws in the Sparx Enterprise Architect modeling tool and Sparx Pro Cloud Server that can be abused for remote code execution, triggering a denial-of-service condition, or executing arbitrary SQL queries. The vendor has yet to release a patch for the bugs.
A security flaw has been found in Starlette, a Python framework used in many AI server systems. The vulnerability (CVE-2026-48710), codenamed BadHost, can let attackers bypass authentication by appearing to access public URLs while actually reaching private server endpoints. This could allow them to steal sensitive data or make the server perform malicious actions.
A China-linked hacking group has been caught targeting edge routers across Southeast Asia with a Linux malware implant designed to hijack DNS traffic and maintain long-term access to compromised networks. According to researchers at Qiita, the campaign targets border routers and network infrastructure, allowing attackers to operate unseen by most security tools. The main payload is a custom Linux ELF binary named router.elf, which is deployed directly onto compromised devices.
A North Korea-linked hacking group, tracked as Void Dokkaebi and Famous Chollima, has migrated its InvisibleFerret malware from readable Python scripts to Cython-compiled binaries. The updated InvisibleFerret malware is now distributed as .pyd files on Windows and .so files on macOS. The malware retains its main features, including backdoor access, browser credential theft, clipboard monitoring, keylogging, and cryptocurrency wallet targeting, but it is now more difficult to trace.
A new campaign linked to the Iranian state-backed threat group tracked as Nimbus Manticore (UNC1549) has been targeting organizations in the aviation and software sectors across the United States, Europe and the Middle East using fake job offers and phishing lures. For the first time, Nimbus Manticore also used SEO poisoning to spread malware, tricking users into downloading infected software from fake websites that appeared in search engine results. The attackers used a previously undocumented backdoor called MiniFast, replacing the group’s MiniJunk malware framework.
The North Korea-backed Lazarus Group has been observed using a cross-platform malware framework called RemotePE in attacks targeting financial institutions and cryptocurrency organizations. The malware operates through a multi-stage infection chain using two loaders known as DPAPILoader and RemotePELoader. The campaign ultimately deploys RemotePE, a stealthy remote access trojan (RAT) that executes entirely in memory, leaving no traces on disk.
ESET released its APT Activity Report that summarizes notable activities of selected advanced persistent threat (APT) groups documented from October 2025 through March 2026. In short, China-, North Korea-, and Russia-aligned threat actors remained highly active globally, with China expanding espionage efforts, North Korea targeting developers and cryptocurrency ecosystems, and Russia focusing on Ukraine-related operations, including a notable destructive cyberattack on a Polish energy company linked to the Sandworm hacker group.
A large-scale supply chain attack compromised more than 5,500 GitHub repositories via malicious automated commits. The campaign, dubbed “Megalodon,” targeted GitHub Actions workflows to steal sensitive credentials, tokens, and cloud secrets from infected systems.
Sonatype researchers discovered 176 malicious npm packages, with many of them using the suspicious version number 99.99.99. The packages were part of a dependency confusion attack, where attackers publish fake public packages with very high version numbers to override private or internal company packages. If a developer or CI/CD system installs the public package by mistake, the malicious code can run automatically. The goal was not to trick developers, but to exploit automated dependency resolution systems.
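The dependency-confusion pattern described above leaves two traces in a project's lockfile: an implausible version number and an internal-scope package that resolved from the public registry. The following audit script is an added example, not code from Sonatype or the report; the `@acme` scope, the `npm.acme.internal` registry host and the package-lock excerpt are constructed samples.

```python
# Added example: audit an npm package-lock.json (lockfileVersion 3) for
# dependency-confusion indicators. The @acme scope, the npm.acme.internal
# registry host and the lockfile excerpt below are constructed samples.
import json
from urllib.parse import urlparse

SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@acme/internal-utils": {
            "version": "99.99.99",
            "resolved": "https://registry.npmjs.org/@acme/internal-utils/-/internal-utils-99.99.99.tgz",
        },
        "node_modules/@acme/auth-client": {
            "version": "2.4.1",
            "resolved": "https://npm.acme.internal/@acme/auth-client/-/auth-client-2.4.1.tgz",
        },
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        },
    },
})

def suspicious_version(version: str, max_major: int = 50) -> bool:
    """True for a version no real release would carry, such as 99.99.99."""
    major = version.lstrip("v").split(".")[0]
    return major.isdigit() and int(major) >= max_major

def audit_lockfile(lock_text: str, internal_scopes: set, private_host: str) -> list:
    """Return one finding per lockfile entry that looks like dependency confusion."""
    findings = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        name = path.split("node_modules/")[-1]  # strips nested node_modules prefixes
        version = meta.get("version", "")
        host = urlparse(meta.get("resolved", "")).hostname or ""
        scope = name.split("/")[0] if name.startswith("@") else ""
        if suspicious_version(version):
            findings.append({"package": name, "version": version, "issue": "implausible version"})
        # Internal-scope package fetched from a non-private host: the public name won resolution.
        if scope in internal_scopes and host != private_host:
            findings.append({"package": name, "version": version,
                             "issue": f"internal scope resolved from {host}"})
    return findings

if __name__ == "__main__":
    print(audit_lockfile(SAMPLE_LOCK, {"@acme"}, "npm.acme.internal"))
```

Run against a real lockfile with your own internal scopes and registry host; any hit should block the build rather than just warn, since automated resolution is exactly what the campaign relies on.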
CrowdStrike has announced the takedown of the command-and-control (C&C) infrastructure behind the Glassworm botnet that targeted software developers via the open-source software supply chain. The coordinated operation disrupted all four of Glassworm’s communication channels, cutting operators off from infected systems and stopping them from delivering new malware.
Researchers at OX Security discovered a malicious npm package that accidentally exposed the attacker’s own private GitHub token. The package acted as infostealer malware, stealing files from infected devices. Researchers believe the attacker likely used AI-generated code without fully understanding how it worked.
Researchers at Graz University of Technology described a new side-channel attack called FROST that can detect which websites and apps a person has opened by measuring SSD timing through JavaScript in a web browser. The attack worked with about 89% accuracy for websites and 96% for apps on a test Mac, and only requires the victim to visit a malicious webpage. The researchers shared their findings with Google, Apple, and Mozilla, but none of the companies have announced fixes so far.
A new phishing attack dubbed “VaultJacking” allows hackers to steal an entire Google Password Manager vault using only a captured 6-digit PIN. The attack exploits Google’s cross-device password and passkey sync feature. If a victim enters their Google Password Manager PIN on a fake login page, attackers can use that single code to gain access to all synced passwords and passkeys stored in the victim’s account.
Malwarebytes warns that hackers are spreading fake installers and plugins for popular software like ChatGPT, Claude, AutoTune, and Kontakt through GitHub and SourceForge links shared on hacked YouTube channels. The downloads install a Deno-based backdoor called DinDoor, which can later deliver more malware, including RATs.
Microsoft discovered a cryptojacking campaign that targets high-performance computers via fake software download pages promoted with SEO poisoning and manipulated AI chatbot recommendations. The malicious sites imitate popular utility tools like CrystalDiskInfo, HWMonitor, FurMark, and others. Once victims install the fake software, attackers gain long-term access by deploying the ScreenConnect remote management tool, which can also be used to install additional malware.
Wiz researchers have detailed another cryptojacking campaign orchestrated by a previously unknown financially motivated threat actor they track as JINX-0164. The group targeted developers through recruitment-themed and other social engineering techniques to steal cryptocurrencies, and, in at least one case, conduct a supply chain attack.
Latin America and Europe are being targeted by two banking malware campaigns. The Grandoreiro malware attacks Windows devices in countries like Spain, Portugal, and Mexico by using phishing emails and DLL side-loading to steal banking credentials. Meanwhile, the BTMOB Android trojan targets users in Brazil, allowing hackers to remotely control devices, capture screenshots, log keystrokes, and steal login information through fake app overlays.
Halcyon researchers have published a report on The Gentlemen ransomware group, which, they say, is scaling faster than any other group on record.
The United Kingdom has imposed its broadest cryptoasset-focused sanctions packages to date, tightening pressure on networks accused of helping Russia evade Western financial restrictions. The action largely targets the Russia-linked A7 network, which officials say is a critical tool for sanctions circumvention and facilitating payments connected to Russian oil exports.
A joint police operation has dismantled an international cybercrime group behind large-scale bank fraud across Europe. According to police, the group developed and sold phishing and smishing tools that allowed other criminals to steal banking information from victims. The suspects operated under a “crime-as-a-service” model, providing ready-made cyber fraud tools and platforms in exchange for payment.
Dutch authorities conducted a large-scale operation arresting suspects and seizing over 800 servers linked to a hosting provider allegedly supporting Russia-affiliated cyber operations, including DDoS-for-hire infrastructure tied to groups such as NoName057(16). In two separate cases, police arrested a cargo worker accused of leaking airport logistics data, and an individual who hacked systems of Dutch football club AFC Ajax earlier this year.
A 39-year-old Albanian national known as “Venom” was extradited to France for allegedly developing and selling the VenomRAT remote access trojan used for data theft.
Catalin Dragomir, a Romanian national, was sentenced in the US after selling unauthorized access to an Oregon state government network and other systems on the dark web, causing significant financial losses.
Maxwell Schultz, a former IT contractor in Ohio, was sentenced for hacking his former employer’s network, resetting thousands of passwords and causing over $860,000 in damages after his dismissal.
Troy Murray, a US citizen, was sentenced to nearly 10 years in prison for running a long-term scam that targeted elderly Americans. From 2016 to 2023, he collected and sold personal information like names, phone numbers, and addresses of millions of seniors to scammers in Jamaica. The scammers used the data to carry out lottery fraud. Murray is said to have made hundreds of thousands of dollars from the scheme. He was ordered to pay over $5.2 million in forfeiture.
Ramanan Pathmanathan, a Canadian national, was sentenced to 33 years in US federal prison after admitting to using fake social media identities to manipulate more than 145 children across the US into sending sexually explicit images and videos. The 40-year-old pleaded guilty in January to producing child sexual abuse material and coercing minors, with prosecutors saying the abuse took place over several years.