Some weeks in security feel loud. This one feels sneaky. Less big dramatic fireworks, more of that slow creeping sense that too many people are getting way too comfortable abusing things they probably shouldn’t even be touching.
There’s a little bit of everything in this one, too. Weird delivery methods, old problems coming back in slightly worse forms, shady infrastructure doing shady infrastructure things, and the usual reminder that if criminals find a workflow annoying, they’ll just make a new one by Friday. Efficient little parasites. You almost have to respect the dedication.
A few of these updates have that nasty “yeah, that tracks” energy. Stuff that sounds niche right up until you picture it landing in a real environment with real users clicking real nonsense because they’re busy and tired and just trying to get through the day. Then it stops being abstract pretty fast.
So yeah, this week’s ThreatsDay Bulletin is a solid scroll-before-you-log-off kind of read. Nothing here needs a full panic spiral, but some of it definitely deserves a raised eyebrow and maybe a muttered: “Oh come on.” Let’s get into it.
-
PQC migration fast-tracked
Google has unveiled a 2029 timeline to secure the quantum era with post-quantum cryptography (PQC) migration, urging other engineering teams to follow suit. “This new timeline reflects migration needs for the PQC era in light of progress on quantum computing hardware development, quantum error correction, and quantum factoring resource estimates,” the tech giant said. “Quantum computers will pose a significant threat to current cryptographic standards, and specifically to encryption and digital signatures. The threat to encryption is relevant today with store-now-decrypt-later attacks, while digital signatures are a future threat that require the transition to PQC prior to a Cryptographically Relevant Quantum Computer (CRQC). That’s why we’ve adjusted our threat model to prioritize PQC migration for authentication services.” As part of the effort, the company said Android 17 is integrating PQC digital signature protection using the Module-Lattice-Based Digital Signature Algorithm (ML-DSA). This includes upgrading Android Verified Boot (AVB) with support for ML-DSA to ensure that the software loaded during the boot sequence remains highly resistant to unauthorized tampering. The second PQC upgrade concerns the transition of Remote Attestation to a fully PQC-compliant architecture and updating Android Keystore to natively support ML-DSA.
-
AI finds hidden vulns
GitHub said it’s introducing AI-powered security detections in GitHub Code Security to expand application security coverage across more languages and frameworks. “These detections complement CodeQL by surfacing potential vulnerabilities in areas that are difficult to support with traditional static analysis alone,” GitHub said. “This hybrid detection model helps surface vulnerabilities – and suggested fixes – directly to developers within the pull request workflow.” The Microsoft subsidiary said the move is designed to uncover security issues “in areas that are difficult to support with traditional static analysis alone.” The new hybrid model is expected to enter public preview in early Q2 2026.
-
Pirated apps spread backdoors
The Russian threat actor known as Sandworm (aka APT-C-13) has been attributed with moderate confidence to an attack campaign that leverages pirated versions of legitimate software like Microsoft Office (“Microsoft.Office.2025×64.v2025.iso”) as lures to deliver different backdoors tracked as Tambur, Sumbur, Kalambur, and DemiMur to high-value targets. It’s assessed that these attacks use Telegram as a distribution vector, using social engineering tactics to target Ukrainian users searching for software cracks. Tambur is designed to spawn SSH reverse tunnels to issue malicious commands, while Kalambur revolves around intranet penetration, remote desktop (RDP) takeover, and persistent communication. Sumbur is a successor to Kalambur with improved obfuscation techniques. DemiMur is mainly used to tamper with the trust chain and evade detection. “Attackers use this module to force the import of a forged DemiMurCA.crt root certificate into the operating system’s trusted root certificate authority store,” the 360 Advanced Threat Research Institute said. “When subsequent scripts are executed, Windows automatically verifies the validity of the signature block and deems it ‘trusted.’”
-
Fake extension drains wallets
A cryptocurrency scam known as ShieldGuard claimed to be a blockchain project that presented itself as a security tool aimed at protecting crypto wallets from phishing and malicious smart contracts via a browser extension. Ironically, further analysis revealed that it was built to drain digital assets from wallets. The scam was marketed via a dedicated website (“shieldguards[.]net”), as well as an X account (@ShieldGuardsNet) and a Telegram channel (@ShieldsGuard). “The project was promoted using a multi-level marketing campaign in which users would be rewarded for early use of the extension (via a cryptocurrency ‘airdrop’) and for promoting the capability to other users,” Okta said. “ShieldGuard appears designed to harvest wallet addresses and other sensitive data for major cryptocurrency platforms including Binance, Coinbase, MetaMask, OpenSea, Phantom and Uniswap, as well as for users of Google services. The extension also extracts the full HTML of pages after a user signs into Binance, Coinbase, OpenSea or Uniswap via their browser.” The threat actor behind the activity is assessed to be Russian-speaking.
-
Firmware backdoor spreads globally
Sophos said it identified several detections on Android devices for malicious activity associated with the Keenadu backdoor. “Keenadu is a firmware infection embedded in the libandroid_runtime.so (shared object library) that injects itself into the Zygote process,” the company said. “As Zygote is the parent process for all Android apps, an attacker effectively gains total control over an infected device.” Keenadu acts as a downloader for second-stage malware, with the infected devices containing two system-level APK files: PriLauncher.apk and PriLauncher3QuickStep.apk. Over 500 unique compromised Android devices across nearly 50 models have been detected as of March 4, 2026. The devices are largely low-cost models produced by Allview, BLU, Dcode, DOOGEE, Gigaset, Gionee, Lava, and Ulefone. The identified infections were spread globally, with devices located in 40 countries.
-
Phishing service quickly rebounds
In early March, Europol and Microsoft announced the seizure of 330 active Tycoon2FA domains and legal action against several individuals linked to the PhaaS. According to CrowdStrike, the takedown effort left only a minor dent in Tycoon2FA’s operations, which are now back to pre-disruption levels. On March 4 and 5, following the law enforcement operation, Tycoon2FA activity volume dropped to roughly 25%, but returned to previous levels shortly after, with “daily levels of cloud compromise active remediations returning to early 2026 levels,” CrowdStrike said. “Additionally, Tycoon2FA’s TTPs have not changed following the takedown, indicating that the service’s operations may persist beyond this disruption.” These TTPs include phishing emails directing to malicious CAPTCHA pages, session cookie theft upon CAPTCHA validation, use of JavaScript payloads for email address extraction, credential proxying via malicious JavaScript files, and use of stolen credentials to access the victims’ cloud environments. Post-disruption campaigns have leveraged malicious URLs, URL shortener services, links to legitimate presentation software that include malicious redirects to Tycoon2FA infrastructure, attacker-controlled infrastructure impersonating construction entities, and compromised SharePoint infrastructure from known contacts that retrieves XLSX and PDF files. The short-lived disruption is evidence that without arrests or physical seizures, it’s easy for cybercriminals to recover and replace the impacted infrastructure.
-
Fake invitations deliver remote access
Phishing campaigns are weaponizing fake meeting invitations for various video conferencing applications, including Zoom, Microsoft Teams, and Google Meet, to distribute remote access tools. “The attackers trick corporate users to execute the payload by claiming a mandatory software update is required to join the video call, redirecting victims to typo-squatted domains, such as zoom-meet.us,” Netskope said. “The payload, disguised as a software update, is a digitally signed remote monitoring and management (RMM) tool such as Datto RMM, LogMeIn, or ScreenConnect. These tools enable attackers to remotely access victims’ machines and gain full administrative control over their endpoints, potentially leading to data theft or the deployment of more destructive malware.”
-
Fileless stealer via phishing
Attackers are using copyright-infringement notices in a fileless phishing campaign targeting healthcare and government organizations in Germany and Canada that delivers the PureLogs information-stealing malware. “The attack likely relies on phishing emails that lure victims into downloading a malicious executable tailored to the victim’s local language,” Trend Micro said. “Once executed, the malware deploys a multistage infection chain designed for evasion. Notably, it downloads an encrypted payload disguised as a PDF file, then retrieves the decryption password remotely from attacker-controlled infrastructure. The extracted payload launches a Python-based loader that decrypts and executes the final .NET PureLogs stealer malware in memory.” The Python dropper specifically leverages two .NET loaders to load the stealer malware, with one acting as a backup in case either of them is blocked or killed by an endpoint control. The routine also incorporates anti-virtual machine techniques to evade automated analysis environments, as well as in-memory execution to complicate detection efforts. “By disguising malicious executables as legal notices, using encrypted payloads masquerading as PDF files, remotely retrieving dynamic decryption keys, and leveraging a renamed WinRAR utility for extraction, the operators effectively minimize static indicators and hinder automated analysis,” the company added. “The Python-based loader and dual .NET loaders introduce redundancy and fileless execution pathways, ensuring that the final PureLog Stealer payload is launched reliably and without leaving artifacts on disk.”
-
MS-SQL attacks deploy scanner
The Larva-26002 threat actor continues to target improperly managed MS-SQL servers. “In January 2024, the Larva-26002 threat actor attacked MS-SQL servers to install the Trigona and Mimic ransomware,” AhnLab said. In the latest attacks, the threat actors exploited the Bulk Copy Program (BCP) utility of MS-SQL servers to stage the malware locally and deploy a scanner malware named ICE Cloud Client. Written in Go, it functions as both a scanner and a brute-force tool to break into susceptible MS-SQL servers. “The strings contained in the binary are written in Turkish, and the emoticons used suggest that the author utilized generative AI,” the company added.
-
Bug lets attackers fake rankings
New research has flagged a critical vulnerability in ClawHub, a skills marketplace for OpenClaw, that an attacker could exploit to place their skill as the #1 skill. The flaw stems from the fact that a download counter function named “increment(),” which is used to keep track of skill downloads, was exposed as a public mutation rather than an internal private function. Without authentication, rate limiting, or deduplication mechanisms in place, an attacker could repeatedly trigger the endpoint to artificially inflate the download metric for a given skill. “An attacker can call downloads:increment with a single curl request with any valid skill ID, bypassing every protection in the download flow and inflating any skill’s downloads counter without limit,” security researcher Noa Gazit said. By gaming the rankings, the threat actor could trick an unsuspecting developer into installing malicious skills. The issue has since been mitigated by ClawHub following responsible disclosure by Silverfort on March 16, 2026.
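As an added illustration of the counter flaw described above (example code written for this bulletin, not ClawHub’s or OpenClaw’s own), here is a download counter exposed as an unauthenticated public endpoint beside a hardened version that checks for a verified session, rate-limits per caller and deduplicates repeat downloads of the same skill by the same user. The function names, the in-memory store, the limits and the sample burst of requests are all constructed assumptions.

```javascript
// Added example, not ClawHub/OpenClaw code. Two shapes of a download counter:
// `incrementUnprotected` mirrors the flaw (any caller bumps any skill without
// limit); `incrementProtected` requires a session, rate-limits per caller and
// counts one download per user per skill per day. Everything here is constructed.

const downloads = new Map();        // skillId -> download count
const recentEvents = new Map();     // `${userId}:${skillId}` -> last counted time (ms)
const callerHits = new Map();       // userId -> timestamps of recent calls

const RATE_LIMIT = 5;               // calls per caller per window (assumed policy)
const RATE_WINDOW_MS = 60_000;      // 1 minute
const DEDUP_WINDOW_MS = 86_400_000; // one counted download per user/skill per day

// The flawed shape: a public endpoint that takes only a skill ID.
function incrementUnprotected(skillId) {
  downloads.set(skillId, (downloads.get(skillId) || 0) + 1);
  return downloads.get(skillId);
}

// The hardened shape. `ctx.userId` stands for an identity the server derived
// from a verified session; `now` is injectable so the logic is testable.
function incrementProtected(ctx, skillId, now = Date.now()) {
  if (!ctx || !ctx.userId) {
    return { ok: false, reason: 'unauthenticated' };
  }

  // Sliding-window rate limit per caller.
  const hits = (callerHits.get(ctx.userId) || []).filter(t => now - t < RATE_WINDOW_MS);
  if (hits.length >= RATE_LIMIT) {
    callerHits.set(ctx.userId, hits);
    return { ok: false, reason: 'rate_limited' };
  }
  hits.push(now);
  callerHits.set(ctx.userId, hits);

  // Deduplicate: the same user re-downloading the same skill is not a new download.
  const key = `${ctx.userId}:${skillId}`;
  const last = recentEvents.get(key);
  if (last !== undefined && now - last < DEDUP_WINDOW_MS) {
    return { ok: true, counted: false, count: downloads.get(skillId) || 0 };
  }
  recentEvents.set(key, now);
  downloads.set(skillId, (downloads.get(skillId) || 0) + 1);
  return { ok: true, counted: true, count: downloads.get(skillId) };
}

function resetStore() {
  downloads.clear();
  recentEvents.clear();
  callerHits.clear();
}

// Demonstration: 1000 anonymous hits inflate the unprotected counter to 1000;
// the same burst from one authenticated caller against the protected endpoint
// yields a single counted download, and an anonymous call is refused outright.
function demo() {
  resetStore();
  for (let i = 0; i < 1000; i++) incrementUnprotected('skill-demo');
  const inflated = downloads.get('skill-demo');

  resetStore();
  let counted = 0;
  let rejected = 0;
  const t0 = 1_700_000_000_000; // constructed fixed clock
  for (let i = 0; i < 1000; i++) {
    const r = incrementProtected({ userId: 'alice' }, 'skill-demo', t0 + i);
    if (!r.ok) rejected++;
    else if (r.counted) counted++;
  }
  const anon = incrementProtected(null, 'skill-demo', t0);
  return { inflated, counted, rejected, anonymousOk: anon.ok };
}

console.log(demo());
```

The point of the split is that the three missing controls the researcher named (authentication, rate limiting, deduplication) are each a few lines once the endpoint knows who is calling; the unprotected shape has no identity to hang any of them on.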
-
npm packages steal crypto keys
Five newly discovered malicious npm packages have been found to typosquat a legitimate cryptocurrency library and exfiltrate private keys to a single hard-coded Telegram bot. All the packages, ethersproject-wallet, base-x-64, bs58-basic, raydium-bs58, and base_xd, were published under the account “galedonovan.” According to Socket, “each package hooks a function that developers routinely pass private keys through. When that function is called at runtime, the package silently sends the key to a Telegram bot before returning the expected result. The user’s code behaves normally, and there is no visible error or side effect.”
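As an added defensive example (written for this bulletin, not Socket’s tooling or any of the packages’ code), the check below runs over a dependency list and flags two things the item above describes: package names that look like lookalikes of known packages, and package sources that reference the Telegram Bot API. The list of known packages, the dependency list and the two source snippets are constructed; the name heuristics (scope-stripped match, a known name embedded as a token, edit distance of at most two) are an assumption about what a useful pre-install gate looks like, not a published rule.

```javascript
// Added example, not Socket's or any package's code. Flags lookalike dependency
// names and sources that talk to the Telegram Bot API. All lists are constructed.

// Assumed allowlist of packages the project legitimately uses.
const KNOWN_PACKAGES = ['@ethersproject/wallet', 'base-x', 'bs58', 'ethers'];

// Indicators of the exfiltration channel described in the report.
const EXFIL_PATTERNS = [/api\.telegram\.org\/bot/i];

// Normalize: drop the npm scope marker, treat '/' and '_' as '-', lower-case.
function normalizeName(name) {
  return name.toLowerCase().replace(/^@/, '').replace(/[\/_]/g, '-');
}

// Standard two-row Levenshtein edit distance.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      cur[j] = Math.min(
        prev[j] + 1,
        cur[j - 1] + 1,
        prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1),
      );
    }
    prev = cur;
  }
  return prev[b.length];
}

// True when `inner` tokens appear contiguously inside `outer` tokens.
function containsTokens(outer, inner) {
  for (let i = 0; i + inner.length <= outer.length; i++) {
    if (inner.every((t, k) => outer[i + k] === t)) return true;
  }
  return false;
}

// Returns { known, reason } when `candidate` looks like a lookalike of a known
// package, or null when it is either the real package or unrelated.
function lookalikeOf(candidate) {
  if (KNOWN_PACKAGES.includes(candidate)) return null;
  const c = normalizeName(candidate);
  const cTok = c.split('-');
  for (const known of KNOWN_PACKAGES) {
    const k = normalizeName(known);
    if (c === k) return { known, reason: 'scope-stripped lookalike' };
    if (containsTokens(cTok, k.split('-'))) return { known, reason: 'known name embedded in package name' };
    if (levenshtein(c, k) <= 2) return { known, reason: 'edit distance <= 2' };
  }
  return null;
}

function scanSource(src) {
  return EXFIL_PATTERNS.filter(p => p.test(src)).map(p => p.source);
}

// `deps` is the dependency name list; `sources` maps a name to its package
// source text (in practice, read from node_modules before install is trusted).
function auditDependencies(deps, sources = {}) {
  return deps
    .map(name => ({
      name,
      lookalike: lookalikeOf(name),
      exfilIndicators: scanSource(sources[name] || ''),
    }))
    .filter(r => r.lookalike !== null || r.exfilIndicators.length > 0);
}

// Constructed sample input: two legitimate names plus the five names from the report.
const SAMPLE_DEPS = ['express', 'bs58', 'ethersproject-wallet', 'base-x-64', 'bs58-basic', 'raydium-bs58', 'base_xd'];
const SAMPLE_SOURCES = {
  'bs58': 'module.exports = { encode, decode }; // constructed benign stub',
  'bs58-basic': '// constructed stub: posts its input to https://api.telegram.org/bot<TOKEN>/sendMessage before returning',
};

console.log(auditDependencies(SAMPLE_DEPS, SAMPLE_SOURCES));
```

The name check is deliberately a heuristic: it will also flag a harmless fork named after the original, which is the right trade-off for a gate that asks a human to look before `npm install` runs, and the source scan catches the reported exfiltration channel regardless of how the package name was chosen.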
-
Google Forms deliver malware
A Google Forms campaign is using business-related lures, such as job interviews, project briefs, and financial documents, to distribute malware, including the PureHVNC remote access trojan (RAT). “Instead of the usual phishing email or fake download page, attackers are using Google Forms to kick off the infection chain,” Malwarebytes said. “The attack typically begins when a victim downloads a business-themed ZIP file linked from a Google Form. Inside is a malicious file that sets off a multi-stage infection process, eventually installing malware on the system.” Another campaign has been observed using obfuscated Visual Basic Script (VBScript) files to deliver PhantomVAI Loader via PNG image files hosted on Internet Archive to ultimately install Remcos RAT and XWorm.
-
APT targets Web3 support teams
A sophisticated, multi-stage malware campaign directed at customer support staff working for Web3 companies is leveraging suspicious links sent via customer support chat to initiate an attack chain that delivers a malicious executable disguised as a photo, which then retrieves a second-stage loader from an AWS S3 dead drop. This loader proceeds to retrieve an implant named Farfli (aka Gh0st RAT) that is launched via DLL side-loading to establish persistent communication with threat actor-controlled infrastructure. The campaign has been attributed to APT-Q-27 (aka GoldenEyeDog), a financially motivated threat group suspected to be operating out of China since at least 2022. A similar campaign involving the distribution of sketchy links via Zendesk was documented by CyStack last month. The techniques observed include staging payloads inside a directory designed to resemble a Windows Update cache, DLL side-loading, and in-memory execution of the final backdoor. The end goal is to reduce on-disk footprints, blend into normal system behaviour, and make retrospective detection harder.
-
Cloud phones fuel fraud economy
Cloud phones are internet-based virtual phone systems powered by Android that allow users to send and receive voice calls and messages, and access features similar to a physical device. While early fraud waves leveraged “virtual” Android devices hosted on physical phone farms for social media engagement manipulation, fake app reviews and installs, SMS spam, and ad fraud, subsequent iterations have evolved into cloud-based virtual mobile infrastructures that use emulators to mimic phone behavior. Along with it, the abuse of cloud phones (sold in the form of phone box units) for financial fraud expanded. Threat actors can buy, sell, and transfer cloud phones with pre-loaded e-wallets and pre-verified bank cards and accounts for use in Account TakeOver (ATO) and Authorized Push Payment (APP) scams, Group-IB said. In this scheme, unsuspecting users are tricked into providing their personal banking credentials to fraudsters impersonating bank staff or government officials in order to complete the verification process on the fraudsters’ cloud phone. These cloud phone devices with configured bank cards and accounts are then sold to other parties on darknet markets. “Major cloud phone platforms like LDCloud, Redfinger, and GeeLark offer device rentals for as little as $0.10-0.50 per hour, making fraud infrastructure accessible to anyone with minimal capital investment,” the company added. “Darknet markets actively trade pre-verified dropper accounts created on cloud phones, with Revolut and Wise accounts priced at $50-200 each, often including continued access to the cloud phone instance.”
-
500K+ IIS servers outdated
The Shadowserver Foundation said it’s seeing over 511,000 end-of-life Microsoft IIS instances in its daily scans, out of which over 227,000 instances are beyond the official Microsoft Extended Security Updates (ESU) period. Most of them are located in China, the U.S., France, the U.K., Italy, Brazil, India, Japan, Australia, and Russia.
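As an added example of how an inventory check separates the two populations Shadowserver counts (end-of-life but still inside ESU, versus beyond ESU), the script below classifies IIS `Server:` response banners. It is example code written for this bulletin, not Shadowserver’s scanner. The IIS-version-to-Windows-Server mapping and the lifecycle dates in the table are the author’s understanding of Microsoft’s published lifecycle and should be checked against Microsoft’s lifecycle pages before being relied on; the sample banners are constructed, not scan data.

```javascript
// Added example, not Shadowserver's code. Buckets IIS "Server:" banners from an
// inventory into supported / end-of-life-within-ESU / end-of-life-beyond-ESU.
// Lifecycle dates below are the author's understanding; verify against Microsoft.

const IIS_LIFECYCLE = {
  '6.0':  { os: 'Windows Server 2003',    eol: '2015-07-14', esuEnd: null },
  '7.0':  { os: 'Windows Server 2008',    eol: '2020-01-14', esuEnd: '2023-01-10' },
  '7.5':  { os: 'Windows Server 2008 R2', eol: '2020-01-14', esuEnd: '2023-01-10' },
  '8.0':  { os: 'Windows Server 2012',    eol: '2023-10-10', esuEnd: '2026-10-13' },
  '8.5':  { os: 'Windows Server 2012 R2', eol: '2023-10-10', esuEnd: '2026-10-13' },
  // 10.0 is shared by Server 2016 through 2025; the banner alone cannot tell
  // them apart, so it is reported as supported and left to OS-level inventory.
  '10.0': { os: 'Windows Server 2016 or later', eol: null, esuEnd: null },
};

// Pull "x.y" out of a banner such as "Microsoft-IIS/8.5"; null for non-IIS.
function parseIisVersion(serverHeader) {
  const m = /Microsoft-IIS\/(\d+\.\d+)/i.exec(serverHeader || '');
  return m ? m[1] : null;
}

// Status is one of: not-iis, unknown-version, supported, eol-within-esu, eol-beyond-esu.
function classifyIis(serverHeader, asOf = new Date()) {
  const version = parseIisVersion(serverHeader);
  if (version === null) return { version, status: 'not-iis' };
  const lc = IIS_LIFECYCLE[version];
  if (!lc) return { version, status: 'unknown-version' };
  if (lc.eol === null || asOf < new Date(lc.eol)) {
    return { version, os: lc.os, status: 'supported' };
  }
  if (lc.esuEnd !== null && asOf < new Date(lc.esuEnd)) {
    return { version, os: lc.os, status: 'eol-within-esu' };
  }
  return { version, os: lc.os, status: 'eol-beyond-esu' };
}

// Count banners per status, the shape of the two numbers quoted above.
function summarizeBanners(headers, asOf = new Date()) {
  const counts = {
    'supported': 0, 'eol-within-esu': 0, 'eol-beyond-esu': 0,
    'not-iis': 0, 'unknown-version': 0,
  };
  for (const h of headers) counts[classifyIis(h, asOf).status]++;
  return counts;
}

// Constructed sample inventory (not real scan data).
const SAMPLE_BANNERS = [
  'Microsoft-IIS/7.5',
  'Microsoft-IIS/8.5',
  'Microsoft-IIS/10.0',
  'Microsoft-IIS/6.0',
  'nginx/1.24.0',
  'Microsoft-IIS/8.0',
];

console.log(summarizeBanners(SAMPLE_BANNERS, new Date('2026-03-20')));
```

Because the ESU window is a date, the same inventory changes bucket on its own: an IIS 8.x host that reads as “within ESU” in March 2026 moves to “beyond ESU” when that programme ends, which is why the clock is a parameter rather than hard-wired to today.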
-
CCTV abuse triggers crackdown
Indian authorities have ordered a comprehensive audit of CCTV systems across the country following the exposure of a Pakistan-linked spy network that exploited surveillance cameras for espionage purposes. The solar-powered devices, installed at various railway stations and other critical infrastructure, allegedly transmitted live footage to handlers linked to Pakistan’s Inter-Services Intelligence (ISI). The Indian government has outlined measures to strengthen the security of CCTV systems, such as mandatory documentation of the origin of critical components, testing of devices against vulnerabilities that could allow unauthorized remote access, and testing of devices for compliance. In tandem, at least 22 people have been arrested in connection with a Pakistan-linked network that engaged in reconnaissance activity. This included five men and a woman who have been accused of taking photos and videos of railway stations and military bases and sending them to handlers in Pakistan. These individuals were recruited via social media and encrypted messaging apps, luring them with payments ranging from ₹5,000 to ₹20,000 per “assignment.” Compromised CCTV systems can facilitate military operations and intelligence gathering. During the U.S.–Israel–Iran conflict last month, Check Point Research found a sharp surge in exploitation attempts targeting IP cameras by Iran-affiliated threat actors.
-
TDS routes victims to scams
A new traffic distribution system (TDS) codenamed TOXICSNAKE has been used to route victims to phishing, scam funnels, or malware payloads. The attacks begin with a first-stage JavaScript loader that is capable of fingerprinting a site visitor, and either returns a redirect URL or a link to a malicious payload.
-
PowerShell ransomware evades EDR
In a new report, Halcyon has revealed that the custom-built Crytox PowerShell Encryptor is able to evade endpoint detection and response (EDR) solutions without the need for additional tooling like HRSword. “Crytox targeting continues to focus on virtual infrastructure (hypervisors, VM servers), entry via VPN exploitation, and manual hands-on-keyboard execution, which are all consistent with a deliberate, targeted operation rather than high-volume automated campaigns,” the company said. The development comes as the INC ransomware group has claimed attacks against ten law firms and legal services organizations within a 48-hour period. “The volume, sector specificity, and timing of these postings suggest the possibility of a coordinated campaign or a shared upstream compromise, such as a supply chain event affecting a common legal technology provider or managed services vendor,” Halcyon noted.
-
Stealer exposes NK operator
New research from Hudson Rock has found a machine belonging to the North Korea IT worker scheme that was accidentally infected with the Lumma Stealer malware after the local user downloaded malicious payloads while searching for GTA V cheats. Interestingly, the exfiltrated stealer logs contained corporate CDN credentials for Funnull, a content delivery network (CDN) that has been leveraged by state-sponsored actors. The operator used a “massive matrix of synthetic identities” across Western freelance platforms and global hosting providers, while also using five distinct Chrome profiles and one Edge profile to compartmentalize their operations. It’s believed that the machine owner was either a willing facilitator (i.e., a laptop farm host based out of Indonesia) or a North Korean operative.
-
Polyfill attack tied to DPRK
The 2024 Polyfill[.]io supply chain attack has been linked to North Korean threat actors after a North Korean operative made a fatal operational security (OPSEC) blunder by downloading a fake software setup file and infecting their own machine with the Lumma Stealer. While the attack was initially linked to Funnull, Hudson Rock found that the threat actor downloaded a password-protected ZIP archive hosted on MediaFire that was deceptively named to appear as a legitimate software installer. The evidence collected by the malware from the North Korean hacker’s endpoint included credentials for the Funnull DNS management portal, credentials for the Polyfill Cloudflare tenant (proving that the weaponized domain was under the threat actor’s control), and conversations regarding the malicious domain configuration changes made during the peak of the attack. While the threat actor used the “Brian” persona to pull off the attack, they also managed other identities to conduct IT worker fraud by securing a gig at cryptocurrency exchange Gate and exploiting the access to gain intelligence on their employer’s security posture and understand blind spots in compliance systems. The same operative, under the “Wenyi Han” alias, is also said to have carried out strategic, state-sponsored data exfiltration, illustrating the severity of the IT worker threat.
-
Court dismisses WhatsApp case
A U.S. judge granted a motion to dismiss a case against tech giant Meta brought by a former WhatsApp employee, Attaullah Baig, who accused the company of ignoring privacy and security issues, and putting users’ information at risk. According to Courthouse News Service, the judge said, “the complaint does not contain sufficient facts to show that the plaintiff reported violations of SEC rules or regulations, the plaintiff did not plead facts regarding the elements of securities fraud or wire fraud, and his reporting cybersecurity violations does not relate to rules governing internal accounting controls.” Meta said, “Mr. Baig’s allegations misrepresent the hard work of our security team. We’re proud of our strong record of protecting people’s privacy and security, and will continue building on it.”
-
Police gain password access powers
Hong Kong police can now demand phone or computer passwords from those who are suspected of breaching the National Security Law (NSL). Those who refuse to share the passwords could face up to a year in jail and a fine of up to $12,700, and those who provide “false or misleading information” could face up to three years in jail. The amendments to the NSL ensure that “activities endangering national security can be effectively prevented, suppressed and punished, and at the same time the lawful rights and interests of individuals and organisations are adequately protected,” authorities said. The move has prompted the U.S. Department of State Consular Affairs to issue an advisory, stating the legal change applies to everyone arriving at or just transiting Hong Kong International Airport. “In addition, the Hong Kong government also has more authority to take and keep any personal devices, as evidence, that they claim are linked to national security offenses,” it noted.
-
Android RAT sold as MaaS
A new Android RAT named Oblivion RAT is being sold as a malware-as-a-service (MaaS) platform on cybercrime networks for $300/month. “The platform includes a web-based APK builder for the implant, a separate dropper builder that generates convincing fake Google Play update pages, and a C2 panel for real-time device control,” iVerify said. “Pricing runs $300/month, $700/3 months, $1,300/6 months, or $2,200 lifetime, with 7-day demo accounts available.” Oblivion is distributed via dropper APKs sent to victims as part of social engineering attacks. Once installed, the dropper apps present a Google Play update flow to sideload the embedded RAT payload. As with other Android malware families, Oblivion abuses Android’s accessibility services API to grant itself additional permissions and steal sensitive data. “The core of the social engineering is the Accessibility Page builder, which generates a pixel-perfect replica of Android’s accessibility service settings screen,” iVerify said. “Every text element is operator-controlled: page title, section headers, the Enable button, and a descriptive info message. When the victim taps Enable, they grant the implant’s accessibility service full control over the device UI.”
Disruptions don’t really stick anymore. Stuff gets taken down, shuffled around, then quietly comes back like nothing happened. Same tactics, slightly cleaner execution.
A lot of this leans on built-in trust. Familiar tools, normal flows, things people stop questioning. That gap between “looks fine” and “definitely not fine” is still doing most of the work.
Nothing here is surprising on its own. Put together, though, it’s a bit uncomfortable. Scroll on.



