<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
    xmlns:content="http://purl.org/rss/1.0/modules/content/"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>Threat Landscape — The Advania Community</title>
        <link>https://community.advania.co.uk/</link>
        <pubDate>Sat, 04 Apr 2026 18:44:25 +0000</pubDate>
        <language>en</language>
            <description>Threat Landscape — The Advania Community</description>
    <atom:link href="https://community.advania.co.uk/discussions/tagged/threat-landscape/feed.rss" rel="self" type="application/rss+xml"/>
    <item>
        <title>WhatsApp-delivered VBS malware deploys unsigned MSI backdoors</title>
        <link>https://community.advania.co.uk/discussion/701/whatsapp-delivered-vbs-malware-deploys-unsigned-msi-backdoors</link>
        <pubDate>Wed, 01 Apr 2026 13:30:23 +0000</pubDate>
        <category>Daily Threat Briefing</category>
        <dc:creator>Du'aine Davis</dc:creator>
        <guid isPermaLink="false">701@/discussions</guid>
        <description><![CDATA[<p><strong>Observed in the wild</strong></p><ul><li>Microsoft observed a malware campaign starting in late February 2026 where Windows users were targeted with malicious VBScript (.vbs) files sent via WhatsApp messages. Executing the attachment triggered a multi‑stage infection designed to establish persistence and enable remote access, with no specific sector targeting identified, suggesting broad, opportunistic victim selection. </li><li>The campaign used WhatsApp social engineering for delivery, then abused renamed legitimate Windows utilities (e.g. curl, bitsadmin) and trusted cloud services (AWS, Tencent Cloud, Backblaze B2) to download further payloads. The malware attempted UAC bypass, modified registry settings, and ultimately installed unsigned MSI installers (including AnyDesk) to maintain long‑term remote access. </li><li>Microsoft recommends using Defender Attack Surface Reduction rules to block VBS/script abuse, enabling EDR in block mode, cloud‑delivered protection, network protection and tamper protection. Defenders should hunt for renamed Windows binaries with mismatched OriginalFileName metadata, suspicious cloud downloads, UAC registry tampering, and unsigned MSI execution from unusual locations.</li></ul><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fsecurity%2Fblog%2F2026%2F03%2F31%2Fwhatsapp-malware-campaign-delivers-vbs-payloads-msi-backdoors%2F" target="_blank" rel="nofollow noopener ugc">WhatsApp malware campaign delivers VBScript and MSI backdoors | Microsoft Security Blog</a></p>]]>
        </description>
    </item>
    <item>
        <title>Ransomware Abuses Legitimate Admin Tools to Disable Antivirus</title>
        <link>https://community.advania.co.uk/discussion/700/ransomware-abuses-legitimate-admin-tools-to-disable-antivirus</link>
        <pubDate>Wed, 01 Apr 2026 12:06:01 +0000</pubDate>
        <category>Daily Threat Briefing</category>
        <dc:creator>Du'aine Davis</dc:creator>
        <guid isPermaLink="false">700@/discussions</guid>
        <description><![CDATA[<p><strong>Observed in the wild</strong></p><ul><li>On 27 March, Seqrite reported a sustained trend in which multiple ransomware families (including LockBit, Phobos, MedusaLocker and Dharma) targeted enterprises of all sizes by abusing legitimate administrative and low‑level system tools to disable antivirus and EDR protections prior to ransomware deployment. These techniques are now standardised within modern ransomware‑as‑a‑service (RaaS) playbooks.</li><li>Attackers gain initial access via phishing, stolen credentials or remote access tools, then escalate privileges and neutralise defences using trusted utilities such as Process Hacker, IOBit Unlocker, PowerRun, AuKill and kernel manipulators. These tools silently terminate security processes, unload drivers, delete logs and registry keys, and enable SYSTEM‑level ransomware execution, blending into normal administrative activity.</li><li>Organisations are advised to use Microsoft Defender’s tamper protection and attack surface reduction rules, monitor for mass process termination and antivirus service stoppage, alert on SYSTEM‑level execution of admin tools, restrict dual‑use utilities via application control, and investigate registry or log deletion related to security products. Early detection of defence‑evasion behaviour is critical to disrupt ransomware kill chains.</li></ul><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fwww.seqrite.com%2Fblog%2Fweaponizing-legitimate-tools-ransomware-antivirus-evasion%2F" target="_blank" rel="nofollow noopener ugc">Weaponizing Legitimate Tools: How Ransomware Evades Antivirus</a></p>]]>
        </description>
    </item>
    <item>
        <title>Axios npm Supply Chain Compromise Delivers Cross-Platform RAT</title>
        <link>https://community.advania.co.uk/discussion/696/axios-npm-supply-chain-compromise-delivers-cross-platform-rat</link>
        <pubDate>Tue, 31 Mar 2026 10:16:51 +0000</pubDate>
        <category>Daily Threat Briefing</category>
        <dc:creator>Du'aine Davis</dc:creator>
        <guid isPermaLink="false">696@/discussions</guid>
        <description><![CDATA[<p><strong>Observed in the wild</strong></p><ul><li>In late March, malicious versions of the popular JavaScript HTTP library Axios, axios@1.14.1 and axios@0.30.4, were published to npm outside the project’s normal release workflow. Any organisation or developer automatically pulling these versions via version ranges was potentially exposed, affecting frontend, backend and enterprise JavaScript environments using Axios globally. </li><li>Attackers abused a compromised npm publishing process to add a malicious dependency, plain-crypto-js@4.2.1, which executed via a postinstall script. The payload deployed an obfuscated, multi-stage, cross-platform RAT using Node.js, PowerShell, AppleScript or Python, with C2 over HTTP. The activity indicates a targeted software supply chain attack rather than developer error. </li><li>Organisations are advised to identify and remove affected Axios and dependency versions immediately, review lockfiles and rebuild from known-good sources. With Microsoft Defender, monitor for unusual postinstall execution, renamed PowerShell binaries, suspicious script launches, and outbound HTTP beacons to unknown infrastructure. Strengthen dependency controls, token hygiene and publishing permissions to reduce supply chain risk.</li></ul><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fsocket.dev%2Fblog%2Faxios-npm-package-compromised" target="_blank" rel="nofollow noopener ugc">Supply Chain Attack on Axios Pulls Malicious Dependency from...</a><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fwww.stepsecurity.io%2Fblog%2Faxios-compromised-on-npm-malicious-versions-drop-remote-access-trojan%23indicators-of-compromise" target="_blank" rel="nofollow noopener ugc">axios Compromised on npm - Malicious Versions Drop Remote Access Trojan - StepSecurity</a></p>]]>
        </description>
    </item>
    <item>
        <title>ShinyHunters escalate vishing-led extortion across tech and telecoms</title>
        <link>https://community.advania.co.uk/discussion/596/shinyhunters-escalate-vishing-led-extortion-across-tech-and-telecoms</link>
        <pubDate>Thu, 26 Feb 2026 11:07:40 +0000</pubDate>
        <category>Daily Threat Briefing</category>
        <dc:creator>Du'aine Davis</dc:creator>
        <guid isPermaLink="false">596@/discussions</guid>
        <description><![CDATA[<p><strong>Observed in the wild</strong></p><ul><li>In February, ShinyHunters-linked activity targeted Optimizely, a global ad‑tech firm, via a contained breach of internal business systems, and Dutch telecoms provider Odido, where attackers exfiltrated customer contact data affecting ~6.2 million users, later claiming up to 21 million records. Both incidents involved data theft followed by extortion threats.</li><li>ShinyHunters used aggressive social engineering, notably voice phishing (vishing), to harvest SSO and MFA credentials, enabling access to SaaS platforms such as Salesforce and Zendesk. At Odido, attackers accessed customer contact systems and attempted double‑extortion via a dark‑web leak site, pressuring the victim with data‑release threats.</li><li>Organisations are advised to harden identity security: enforce phishing‑resistant MFA, enable Microsoft Defender for Identity to detect anomalous credential use, monitor Defender for Cloud Apps for unusual SaaS access, and deploy Defender XDR alerts for vishing‑linked account takeover behaviours.</li></ul><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fnewsroom.odido.nl%2Fen-us%2Fodido-informs-customers-of-cyber-attack%2F%23" target="_blank" rel="nofollow noopener ugc">Odido informs customers of cyber attack</a></p><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Fshinyhunters-extortion-gang-claims-odido-breach-affecting-millions%2F" target="_blank" rel="nofollow noopener ugc">ShinyHunters extortion gang claims Odido breach affecting millions</a></p><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fwww.securityweek.com%2Fad-tech-company-optimizely-confirms-cyberattack%2F" target="_blank" rel="nofollow noopener ugc">Ad Tech Company Optimizely Targeted in Cyberattack - SecurityWeek</a></p>]]>
        </description>
    </item>
    <item>
        <title>TeamPCP Supply‑Chain Attack Backdoors LiteLLM Python Package</title>
        <link>https://community.advania.co.uk/discussion/683/teampcp-supply-chain-attack-backdoors-litellm-python-package</link>
        <pubDate>Wed, 25 Mar 2026 15:16:59 +0000</pubDate>
        <category>Daily Threat Briefing</category>
        <dc:creator>Du'aine Davis</dc:creator>
        <guid isPermaLink="false">683@/discussions</guid>
        <description><![CDATA[<p><strong>Observed in the wild</strong></p><ul><li>On 24 March, Endor Labs identified malicious code in LiteLLM versions 1.82.7 and 1.82.8 published to PyPI. LiteLLM is a widely used LLM proxy library with around 95 million monthly downloads. Any environment installing these versions, including CI/CD pipelines and Kubernetes clusters, was at risk of full credential compromise. Both versions were removed; 1.82.6 is the last confirmed clean release.</li><li>The attack is attributed with high confidence to TeamPCP, a supply‑chain threat actor. Malicious code was injected during package build, not in GitHub source. The payload executed on import and, in 1.82.8, on every Python start via a .pth file. The malware harvested cloud, Kubernetes and developer credentials, deployed privileged Kubernetes pods for lateral movement, and installed a persistent systemd backdoor communicating with attacker‑controlled infrastructure.</li><li>Organisations are advised to identify and remove LiteLLM 1.82.7 and 1.82.8, rotate all secrets accessible on affected hosts, and treat impacted systems as compromised. Use Microsoft Defender for Cloud to hunt for anomalous Python subprocess execution, credential access, and unexpected Kubernetes privileged pods. Monitor for outbound traffic to known C2 domains and persistence indicators, and pin Python dependencies to verified source builds only.</li></ul><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fwww.endorlabs.com%2Flearn%2Fteampcp-isnt-done" target="_blank" rel="nofollow noopener ugc">TeamPCP Isn't Done: Threat Actor Behind Trivy and KICS Compromises Now Hits LiteLLM's 95 Million Monthly Downloads on PyPI | Blog | Endor Labs</a></p>]]>
        </description>
    </item>
    <item>
        <title>VS Code and Browser Extension Malware Targets Developers Through AI Tools and Stanley Kit</title>
        <link>https://community.advania.co.uk/discussion/516/vs-code-and-browser-extension-malware-targets-developers-through-ai-tools-and-stanley-kit</link>
        <pubDate>Tue, 27 Jan 2026 11:39:23 +0000</pubDate>
        <category>Daily Threat Briefing</category>
        <dc:creator>Du'aine Davis</dc:creator>
        <guid isPermaLink="false">516@/discussions</guid>
        <description><![CDATA[<p><strong>Observed in the wild</strong></p><ul><li>MaliciousCorgi, a campaign discovered in January 2025, deployed malicious VS Code extensions disguised as AI coding assistants (including "ChatGPT – 中文版" and "ChatMoss (CodeMoss)") that infected approximately 1.5 million developers globally. Separately, the Stanley malware kit has been active since 2023, targeting developers through trojanised extensions. Both campaigns exfiltrated sensitive data including authentication tokens, cookies, session credentials, clipboard contents, and source code from platforms like GitHub, GitLab, and AWS.</li><li>MaliciousCorgi extensions masqueraded as legitimate AI productivity tools on Chrome Web Store and Edge Add-ons, using obfuscated JavaScript to steal credentials and inject malicious code into GitHub repositories for supply chain attacks. Stanley operators employed phishing sites mimicking legitimate services, SEO poisoning, and malvertising to distribute extensions that captured keystrokes, screenshots, and credential data. Both campaigns utilised command-and-control infrastructure to exfiltrate stolen data to attacker-controlled servers.</li><li>Organisations should audit, restrict, and continuously monitor both VS Code extensions and browser extensions, as each represents a viable attack surface. Particular attention should be paid to AI‑themed coding tools and productivity add‑ons across both platforms. Enable Microsoft Defender browser extension controls and SmartScreen filtering to limit exposure to malicious or untrusted extensions. Enforce application control policies to prevent unauthorised extension installation in development environments and browsers alike. Monitor for anomalous authentication behaviour, unauthorised repository access, and data exfiltration attempts.</li></ul><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fwww.koi.ai%2Fblog%2Fmaliciouscorgi-the-cute-looking-ai-extensions-leaking-code-from-1-5-million-developers" target="_blank" rel="nofollow noopener ugc">Malicious VS Code AI Extensions Harvesting Code from 1.5M Devs</a></p><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fwww.varonis.com%2Fblog%2Fstanley-malware-kit" target="_blank" rel="nofollow noopener ugc">Stanley — A $6,000 Russian Malware Toolkit with Chrome Web Store Guarantee</a></p>]]>
        </description>
    </item>
    <item>
        <title>Malicious Chrome Extensions Exfiltrate ChatGPT &amp; DeepSeek Data</title>
        <link>https://community.advania.co.uk/discussion/477/malicious-chrome-extensions-exfiltrate-chatgpt-deepseek-data</link>
        <pubDate>Wed, 07 Jan 2026 16:32:22 +0000</pubDate>
        <category>Daily Threat Briefing</category>
        <dc:creator>Du'aine Davis</dc:creator>
        <guid isPermaLink="false">477@/discussions</guid>
        <description><![CDATA[<p><strong>Observed in the wild</strong></p><ul><li>On 30 December, OX Security identified a malware campaign involving two malicious Chrome extensions impersonating AITOPIA’s legitimate AI sidebar. Over 900,000 users were affected, with stolen ChatGPT and DeepSeek conversations, browsing history, and sensitive corporate data exfiltrated to attacker-controlled servers every 30 minutes. Despite containing data-stealing malware, one extension carried Google’s “Featured” badge, increasing trust and downloads.</li><li>Threat actors cloned AITOPIA’s extension, adding hidden exfiltration capabilities. The malware exploited Chrome’s “read all website content” permissions to capture prompts, responses, and URLs, storing them locally before sending to C2 servers. They used Lovable, an AI-powered platform, to host privacy policies and redirect pages, anonymising infrastructure and complicating attribution. Extensions also tricked users into reinstalling variants upon removal.</li><li>Organisations should immediately remove the extensions via chrome://extensions or the Chrome Web Store. Avoid installing extensions from unknown sources, even if “Featured.” Monitor for suspicious behaviour such as repeated Chrome extension prompts, unexpected network traffic to C2 domains, and unauthorised data access. </li></ul><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fwww.ox.security%2Fblog%2Fmalicious-chrome-extensions-steal-chatgpt-deepseek-conversations%2F" target="_blank" rel="nofollow noopener ugc">Malicious Chrome Extensions Steal ChatGPT Conversations</a></p>]]>
        </description>
    </item>
    <item>
        <title>Malicious VS Code Extension Shows GlassWorm Tradecraft Overlap</title>
        <link>https://community.advania.co.uk/discussion/405/malicious-vs-code-extension-shows-glassworm-tradecraft-overlap</link>
        <pubDate>Tue, 02 Dec 2025 10:55:36 +0000</pubDate>
        <category>Daily Threat Briefing</category>
        <dc:creator>Du'aine Davis</dc:creator>
        <guid isPermaLink="false">405@/discussions</guid>
        <description><![CDATA[<p><strong>Observed in the wild</strong></p><ul><li>A malicious VS Code extension impersonating “Material Icon Theme” (v5.29.1) was discovered in late November 2025. Its Mach-O binary contains a user-path string identical in style to GlassWorm samples, a distinctive technical overlap. This finding comes amid a confirmed resurgence of GlassWorm activity, as reported by SecureAnnex.</li><li>The extension’s loader (extension.js) deployed Rust implants (os.node for Windows, darwin.node for macOS). These implants used Solana blockchain-based C2, AES‑256‑CBC encrypted payloads, and a Google Calendar fallback channel—tactics previously associated with GlassWorm. The Mach-O path artefact reinforces continuity in tradecraft, suggesting toolkit reuse or evolution.</li><li>Remove the malicious theme immediately, scan for implants using Microsoft Defender (focus on VS Code extension directories), and monitor for outbound traffic to Solana wallets or calendar APIs. Configure Defender rules to detect native binary execution from extension paths and blockchain-related network activity. These steps help identify behaviour consistent with this threat family.</li></ul><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fwww.nextron-systems.com%2F2025%2F11%2F29%2Fanalysis-of-the-rust-implants-found-in-the-malicious-vs-code-extension%2F" target="_blank" rel="nofollow noopener ugc">Analysis of the Rust implants found in the malicious VS Code extension - Nextron Systems</a><br /><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fsecureannex.com%2Fblog%2Fglassworm-continued%2F" target="_blank" rel="nofollow noopener ugc">Glassworm's resurgence | Secure Annex</a></p>]]>
        </description>
    </item>
    <item>
        <title>Microsoft Azure Monitor Alerts Abused for Callback Phishing</title>
        <link>https://community.advania.co.uk/discussion/677/microsoft-azure-monitor-alerts-abused-for-callback-phishing</link>
        <pubDate>Mon, 23 Mar 2026 14:08:56 +0000</pubDate>
        <category>Daily Threat Briefing</category>
        <dc:creator>Du'aine Davis</dc:creator>
        <guid isPermaLink="false">677@/discussions</guid>
        <description><![CDATA[<p><strong>Observed in the wild</strong></p><ul><li>Since February, threat actors have abused Microsoft Azure Monitor to send fraudulent billing and security alerts to individuals and organisations, warning of fake unauthorised charges. The emails appear to come from Microsoft’s legitimate azure-noreply@microsoft.com address, increasing trust and impacting both enterprise users and consumers globally.</li><li>Attackers create Azure Monitor alert rules with malicious text embedded in alert descriptions, triggered by common billing-related events. Alerts are sent via Microsoft’s own infrastructure, passing SPF, DKIM and DMARC checks. The campaign uses callback phishing, urging victims to phone fake “Microsoft Security” numbers where social engineering continues.</li><li>Organisations are advised to treat unexpected billing alerts with suspicion, especially those containing phone numbers or urgent language. Verify alerts directly in the Azure portal, not via email. Use Microsoft Defender for Office 365 to flag social-engineering patterns, educate users that Microsoft does not include support numbers in alerts, and report messages as phishing.</li></ul><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Fmicrosoft-azure-monitor-alerts-abused-in-callback-phishing-campaigns%2F" target="_blank" rel="nofollow noopener ugc">Microsoft Azure Monitor alerts abused for callback phishing attacks</a></p>]]>
        </description>
    </item>
    <item>
        <title>Device Code Phishing via Railway Used to Hijack M365 Sessions</title>
        <link>https://community.advania.co.uk/discussion/676/device-code-phishing-via-railway-used-to-hijack-m365-sessions</link>
        <pubDate>Mon, 23 Mar 2026 14:08:53 +0000</pubDate>
        <category>Daily Threat Briefing</category>
        <dc:creator>Du'aine Davis</dc:creator>
        <guid isPermaLink="false">676@/discussions</guid>
        <description><![CDATA[<p><strong>Observed in the wild</strong></p><ul><li>In March, Huntress observed an active campaign abusing Railway (PaaS) infrastructure to compromise Microsoft 365 tenants, primarily impacting SMBs and MSP-managed environments. Attackers successfully authenticated into victim tenants without passwords by replaying stolen authentication tokens, leading to unauthorised access to M365 resources despite MFA being enabled. </li><li>The campaign used device code phishing and token replay techniques, hosting attacker infrastructure on Railway IP ranges to blend in with legitimate cloud traffic. Once users completed a device-code login flow, attackers replayed the issued tokens to access M365 services, bypassing MFA and reducing traditional sign-in failure indicators. The activity is assessed to be an operationally mature campaign targeting various business sectors.</li><li>Organisations are advised to restrict or block device code authentication where not required, enforce Conditional Access policies (including blocking known malicious Railway IP ranges), and monitor Microsoft Entra sign-in logs for anomalous token-based access. Use Microsoft Defender for Cloud Apps and Defender XDR to hunt for unusual session activity, unfamiliar IP infrastructure, and impossible‑travel or atypical sign-in patterns.</li></ul><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fwww.huntress.com%2Fblog%2Frailway-paas-m365-token-replay-campaign" target="_blank" rel="nofollow noopener ugc">Threat Actors Abuse Railway.com PaaS as Microsoft 365 Token Attack Infrastructure | Huntress</a></p>]]>
        </description>
    </item>
    <item>
        <title>Supply Chain Attack Hits Trivy via Malicious Docker Hub Images</title>
        <link>https://community.advania.co.uk/discussion/675/supply-chain-attack-hits-trivy-via-malicious-docker-hub-images</link>
        <pubDate>Mon, 23 Mar 2026 14:08:46 +0000</pubDate>
        <category>Daily Threat Briefing</category>
        <dc:creator>Du'aine Davis</dc:creator>
        <guid isPermaLink="false">675@/discussions</guid>
        <description><![CDATA[<p><strong>Observed in the wild</strong></p><ul><li>On 22 March, Socket identified malicious Trivy Docker images (versions 0.69.5 and 0.69.6, plus earlier 0.69.4) pushed to Docker Hub without matching GitHub releases. Any organisation running Trivy via container images, particularly using the :latest tag in CI/CD pipelines, was at risk of silent credential theft. The last known clean version is 0.69.3.</li><li>The activity is linked to tooling and infrastructure associated with the TeamPCP infostealer, with the attackers publishing trojanised Trivy Docker images directly to Docker Hub. The images executed a credential‑stealing payload alongside legitimate Trivy scans, exfiltrating secrets to a typosquatted C2 domain (scan.aquasecurtiy[.]org). Mutable Docker Hub tags were used to bypass integrity checks and maximise downstream exposure.</li><li>Organisations are advised to immediately stop using affected Trivy images, rotate all secrets used in CI/CD, and pin verified image digests. Using Microsoft Defender for Cloud, teams should review container and pipeline activity for unusual outbound connections, detect execution of suspicious binaries in build agents, and hunt for the listed IOCs. Any recent execution of impacted versions should be treated as compromised.</li></ul><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fsocket.dev%2Fblog%2Ftrivy-docker-images-compromised" target="_blank" rel="nofollow noopener ugc">Trivy Supply Chain Attack Expands to Compromised Docker Imag...</a></p>]]>
        </description>
    </item>
    <item>
        <title>Phishers Weaponise “Safe Links” Using Multi‑Layered URL Rewriting</title>
        <link>https://community.advania.co.uk/discussion/673/phishers-weaponise-safe-links-using-multi-layered-url-rewriting</link>
        <pubDate>Wed, 18 Mar 2026 16:13:42 +0000</pubDate>
        <category>Daily Threat Briefing</category>
        <dc:creator>Du'aine Davis</dc:creator>
        <guid isPermaLink="false">673@/discussions</guid>
        <description><![CDATA[<p><strong>Observed in the wild</strong></p><ul><li>LevelBlue SpiderLabs identified a sharp rise in phishing campaigns abusing URL rewriting between Q2–Q4 2025, peaking in January 2026. The activity primarily targeted Microsoft 365 users, including professional services such as law firms, using trusted “safe link” domains to conceal malicious destinations and enable credential theft and account takeover. </li><li>Threat actors operating phishing‑as‑a‑service platforms (Tycoon2FA, Sneaky2FA) abused compromised email accounts to generate “trusted” rewritten links, then chained multiple security vendors’ URL rewriting services. These multi‑layer redirect chains evade link scanning and support AiTM attacks, capturing credentials and MFA session cookies. </li><li>Organisations are advised to prioritise behaviour‑based detections in Microsoft Defender, monitor for excessively long or multi‑redirect URLs, and alert on post‑sign‑in anomalies (new mailbox rules, atypical sign‑ins). Enforce phishing‑resistant MFA, inspect HTTP 302 redirect chains, and train users to report unexpected authentication prompts, even when links appear to come from trusted security domains.</li></ul><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fwww.levelblue.com%2Fblogs%2Fspiderlabs-blog%2Fweaponizing-safe-links-abuse-of-multi-layered-url-rewriting-in-phishing-attacks" target="_blank" rel="nofollow noopener ugc">Weaponizing Safe Links: Abuse of Multi-Layered URL Rewriting in Phishing Attacks</a></p>]]>
        </description>
    </item>
    <item>
        <title>Ransomware in 2025: Shifting Tactics, Falling Profits</title>
        <link>https://community.advania.co.uk/discussion/672/ransomware-in-2025-shifting-tactics-falling-profits</link>
        <pubDate>Wed, 18 Mar 2026 16:13:39 +0000</pubDate>
        <category>Daily Threat Briefing</category>
        <dc:creator>Du'aine Davis</dc:creator>
        <guid isPermaLink="false">672@/discussions</guid>
        <description><![CDATA[<p><strong>Observed in the wild</strong></p><ul><li>Throughout 2025, ransomware remained a major global threat, impacting organisations across Europe, North America, APAC and South America, with a clear shift towards smaller organisations. Google Threat Intelligence and Mandiant observed a record number of victims posted to data leak sites, driven by declining ransom payments and improved victim recovery, alongside increased data theft extortion even when encryption was not deployed.</li><li>Threat actors primarily gained access via exploited vulnerabilities in VPNs, firewalls and exposed services (including SharePoint), stolen credentials, and malvertising. RaaS groups such as REDBIKE, Qilin and Akira dominated. Common behaviours included abuse of RMM tools, credential dumping, lateral movement via RDP/SMB, targeting virtualisation infrastructure, and disabling Microsoft Defender through registry and PowerShell manipulation.</li><li>Organisations are advised to prioritise rapid patching of internet-facing systems, enforce MFA on VPNs and RDP, and monitor Defender alerts for tamper attempts, registry changes, suspicious PowerShell, and abnormal use of RMM tools. Enable Defender Tamper Protection, audit exclusions, restrict admin privileges, and monitor for Rclone, WinRAR, credential dumping and Defender disablement behaviours indicative of pre-ransomware activity.</li></ul><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fcloud.google.com%2Fblog%2Ftopics%2Fthreat-intelligence%2Fransomware-ttps-shifting-threat-landscape%2F" target="_blank" rel="nofollow noopener ugc">Ransomware Tactics, Techniques, and Procedures in a Shifting Threat Landscape | Google Cloud Blog</a></p>]]>
        </description>
    </item>
    <item>
        <title>LiveChat SaaS Abused in Real Time Phishing Campaign Impersonating PayPal and Amazon</title>
        <link>https://community.advania.co.uk/discussion/669/livechat-saas-abused-in-real-time-phishing-campaign-impersonating-paypal-and-amazon</link>
        <pubDate>Wed, 18 Mar 2026 11:56:35 +0000</pubDate>
        <category>Daily Threat Briefing</category>
        <dc:creator>Du'aine Davis</dc:creator>
        <guid isPermaLink="false">669@/discussions</guid>
        <description><![CDATA[<p><strong>Observed in the wild</strong></p><ul><li>Cofense identified an active phishing campaign abusing the LiveChat SaaS platform to impersonate PayPal and Amazon. Users were lured via spoofed refund and “pending order” emails, then socially engineered through real‑time chat to disclose credentials, payment card details, PII, and MFA codes. The campaign targeted individual end users rather than specific organisations, with activity observed during recent Cofense investigations.</li><li>Threat actors used phishing emails containing links to LiveChat-hosted pages (lc[.]chat), creating the appearance of legitimate customer support. Victims were engaged by AI-driven or human-operated chat sessions, redirected to external phishing pages, and prompted to submit login credentials, billing data and MFA codes. This live interaction increased trust and enabled MFA bypass, credential takeover and financial fraud.</li><li>Organisations are advised to use Microsoft Defender for Office 365 to detect phishing with brand impersonation, suspicious SaaS links, and unusual redirect chains. Monitor Defender alerts for MFA fatigue or repeated MFA submissions, block known lc[.]chat abuse indicators, and use Defender for Endpoint to flag anomalous browser activity and credential harvesting behaviour. User awareness training should emphasise live chat–based phishing tactics.</li></ul><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fcofense.com%2Fblog%2Flivechat-abuse-how-phishers-are-exploiting-saas-support-tools-to-steal-sensitive-data" target="_blank" rel="nofollow noopener ugc">LiveChat Abuse: How Phishers Are Exploiting SaaS Support Tools to Steal Sensitive Data</a></p>]]>
        </description>
    </item>
    <item>
        <title>Daily Cyber Bulletin: Social Engineering Remains the Fastest Way In</title>
        <link>https://community.advania.co.uk/discussion/668/daily-cyber-bulletin-social-engineering-remains-the-fastest-way-in</link>
        <pubDate>Wed, 18 Mar 2026 10:41:49 +0000</pubDate>
        <category>Daily Threat Briefing</category>
        <dc:creator>Du'aine Davis</dc:creator>
        <guid isPermaLink="false">668@/discussions</guid>
        <description><![CDATA[<p><strong>For awareness</strong><br />
Recent reporting highlights the continued effectiveness of social engineering as a primary access vector, particularly when directed at IT help desks and support teams. A cybercrime collective operating under the name Scattered Lapsus$ Hunters has been observed actively recruiting English‑speaking individuals to carry out scripted phone‑based impersonation attacks against organisations’ service desks, suggesting these groups are currently re-tooling in anticipation of another wave of attacks, which may align with a repeat of 2025's 'Easter Takedown' of a number of high-profile UK retail and manufacturing businesses.</p><p>Scattered Lapsus$ Hunters is closely associated with Scattered Spider and ShinyHunters – three English‑speaking cybercrime groups that have demonstrated repeated success by targeting people and process, rather than exploiting technical vulnerabilities. Their typical objective is to persuade support staff to reset credentials, modify MFA enrolments, or grant access to systems by impersonating legitimate users. 
During 2025, several major UK retail organisations were compromised through help desk and service provider impersonation, resulting in operational disruption, data loss, and long‑running recovery efforts that in some cases are still ongoing today.</p><p>Once initial access is achieved, the attack chain is familiar:</p><ul><li>Abuse of valid credentials to blend into normal activity</li><li>Rapid privilege escalation and lateral movement</li><li>Data exfiltration for leverage</li><li>Ransomware deployment or extortion</li></ul><p>The common thread across these incidents is that security controls were bypassed by exploiting trust, often under time pressure, rather than by defeating technical safeguards.</p><p>These incidents reinforce a critical point: help desks, support teams, and third‑party service providers are now a frontline security control.</p><p>Organisations should treat requests involving:</p><ul><li>Password resets</li><li>MFA changes</li><li>Device or account recovery</li><li>Access to collaboration platforms</li></ul><p>as high‑risk security events, requiring strong identity verification, clear escalation paths, and consistent enforcement – even when requests appear routine or urgent.</p><p><strong>What Advania is seeing</strong><br />In recent weeks, Advania has observed an increase in impersonation and social engineering activity leveraging Microsoft Teams, including:</p><ul><li>External users posing as internal staff</li><li>Compromised accounts initiating convincing internal‑looking conversations</li><li>Attackers using Teams chat to build trust before pivoting to credential requests or follow‑on phishing</li></ul><p>This reinforces the importance of reviewing Microsoft Teams guest access and external collaboration controls, including:</p><ul><li>Who can invite external users</li><li>How external users are clearly identified</li><li>Whether support or IT accounts are appropriately protected</li></ul><p>As attackers continue to professionalise their social engineering operations, defensive maturity around identity, collaboration platforms, and human decision‑making will increasingly determine resilience.<br /><br /><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fwww.picussecurity.com%2Fresource%2Fblog%2Fscattered-lapsus-hunters-2025s-most-dangerous-cybercrime-supergroup" target="_blank" rel="nofollow noopener ugc">Scattered LAPSUS$ Hunters: 2025's Most Dangerous Cybercrime Supergroup</a><br /><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fwww.theregister.com%2F2026%2F02%2F26%2Fscattered_lapsus_hunters_female_recruits%2F" target="_blank" rel="nofollow noopener ugc">Scattered Lapsus$ Hunters seeks women to defraud helpdesks • The Register</a><br /><a href="https://community.advania.co.uk/discussion/620/deceptive-it-support-lure-on-microsoft-teams-delivers-stealthy-backdoor?utm_source=community-search&amp;utm_medium=organic-search&amp;utm_term=teams" target="_blank" rel="nofollow noopener ugc">Deceptive IT Support Lure on Microsoft Teams Delivers Stealthy Backdoor - The Advania Community</a></p>]]>
        </description>
    </item>
    <item>
        <title>Companies House WebFiling Security Flaw Exposed Non Public Company Data</title>
        <link>https://community.advania.co.uk/discussion/661/companies-house-webfiling-security-flaw-exposed-non-public-company-data</link>
        <pubDate>Tue, 17 Mar 2026 15:19:09 +0000</pubDate>
        <category>Daily Threat Briefing</category>
        <dc:creator>Du'aine Davis</dc:creator>
        <guid isPermaLink="false">661@/discussions</guid>
        <description><![CDATA[<p><strong>Observed in the wild</strong></p><ul><li>On 13 March, Companies House identified a security flaw in its WebFiling service that could allow logged‑in users to view or amend limited details of other UK companies. The issue, introduced during an October 2025 update, potentially exposed non‑public data (e.g. directors’ DOBs, residential addresses and company email addresses). WebFiling was taken offline and restored on 16 March 2026. </li><li>The issue was caused by a logic flaw triggered by a specific sequence of actions within WebFiling, allowing session misdirection between company dashboards. Exploitation required an authorised WebFiling account; it was not publicly accessible and could not be used for bulk data extraction. No passwords, identity‑verification data or previously filed documents were compromised. </li><li>Companies are advised to review Companies House records and filing history for unauthorised changes and report concerns. From a defender perspective, monitor for follow‑on phishing, unusual business email compromise attempts referencing Companies House data, and suspicious sign‑ins or account changes using Microsoft Defender for Office 365 and Entra ID alerts, particularly targeting finance or director accounts.</li></ul><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fwww.gov.uk%2Fgovernment%2Fnews%2Fupdate-on-companies-house-webfiling-security-issue" target="_blank" rel="nofollow noopener ugc">Update on Companies House WebFiling security issue - GOV.UK</a></p>]]>
        </description>
    </item>
    <item>
        <title>Storm-2561 Uses Fake VPN Clients and SEO poisoning to Steal Enterprise Credentials</title>
        <link>https://community.advania.co.uk/discussion/657/storm-2561-uses-fake-vpn-clients-and-seo-poisoning-to-steal-enterprise-credentials</link>
        <pubDate>Mon, 16 Mar 2026 09:58:43 +0000</pubDate>
        <category>Daily Threat Briefing</category>
        <dc:creator>Du'aine Davis</dc:creator>
        <guid isPermaLink="false">657@/discussions</guid>
        <description><![CDATA[<p><strong>Observed in the wild</strong></p><ul><li>In mid‑January 2026, Microsoft identified a credential‑theft campaign targeting users searching for legitimate enterprise VPN software. UK and global organisations were impacted as employees downloaded fake VPN installers that harvested VPN credentials. Activity is attributed to financially motivated threat actor Storm‑2561, active since at least May 2025.</li><li>Storm‑2561 abused SEO poisoning to push spoofed VPN websites to the top of search results, redirecting victims to malicious GitHub‑hosted ZIP files. These contained digitally signed MSI installers that side‑loaded malicious DLLs (Hyrax infostealer), mimicked legitimate VPN clients, captured credentials via fake login prompts, and exfiltrated data to attacker‑controlled infrastructure.</li><li>Organisations are advised to enable Microsoft Defender cloud‑delivered protection, EDR in block mode, network and web protection, and SmartScreen. Enforce MFA across all access and proactively ingest the published IOCs into Microsoft Defender XDR. Security teams should hunt for VPN executables loading unexpected DLLs, signed binaries from unusual publishers, and Defender alerts associated with Hyrax infostealer activity, DLL side‑loading, and anomalous VPN execution.</li></ul><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fsecurity%2Fblog%2F2026%2F03%2F12%2Fstorm-2561-uses-seo-poisoning-to-distribute-fake-vpn-clients-for-credential-theft%2F" target="_blank" rel="nofollow noopener ugc">Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft | Microsoft Security Blog</a></p>]]>
        </description>
    </item>
    <item>
        <title>Malicious npm Packages Resurface in PhantomRaven Campaign</title>
        <link>https://community.advania.co.uk/discussion/642/malicious-npm-packages-resurface-in-phantomraven-campaign</link>
        <pubDate>Thu, 12 Mar 2026 14:46:49 +0000</pubDate>
        <category>Daily Threat Briefing</category>
        <dc:creator>Du'aine Davis</dc:creator>
        <guid isPermaLink="false">642@/discussions</guid>
        <description><![CDATA[<p><strong>Observed in the wild</strong></p><ul><li>Endor Labs identified three new waves (Waves 2–4) of the PhantomRaven software supply‑chain campaign between November 2025 and February 2026, involving 88 malicious npm packages. The activity primarily targeted JavaScript developers and CI/CD environments, with many packages still available at the time of reporting, indicating the campaign remains active. </li><li>PhantomRaven uses Remote Dynamic Dependencies (RDD), declaring attacker‑controlled URLs in package.json to fetch malware at install time, bypassing registry scanning. The packages appear benign, while the external dependency steals developer credentials, environment variables and CI/CD tokens. The actor rotated npm accounts and infrastructure, maintaining consistent payload code and C2 patterns. </li><li>Organisations are advised to monitor for npm packages using URL‑based dependencies, restrict outbound access from build agents, and rotate exposed secrets. Using Microsoft Defender for Cloud and Defender for Endpoint, teams should detect anomalous install‑time network calls, credential access from build systems, and unauthorised process execution during npm install, alongside enforcing dependency allow‑listing.</li></ul><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fwww.endorlabs.com%2Flearn%2Freturn-of-phantomraven" target="_blank" rel="nofollow noopener ugc">The Return of PhantomRaven: Detecting Three New Waves of npm Supply Chain Attacks | Blog | Endor Labs</a></p>]]>
        </description>
    </item>
    <item>
        <title>Pro‑Iranian “wiper” attacks target European parliament and global med‑tech firm</title>
        <link>https://community.advania.co.uk/discussion/641/pro-iranian-wiper-attacks-target-european-parliament-and-global-med-tech-firm</link>
        <pubDate>Thu, 12 Mar 2026 14:46:44 +0000</pubDate>
        <category>Daily Threat Briefing</category>
        <dc:creator>Du'aine Davis</dc:creator>
        <guid isPermaLink="false">641@/discussions</guid>
        <description><![CDATA[<p><strong>Observed in the wild</strong></p><ul><li>In early March 2026, Albania’s Parliament disclosed a sophisticated cyberattack that disrupted internal email systems and allegedly exposed lawmakers’ communications, claimed by Iran‑linked group Homeland Justice. Separately, US medical technology firm Stryker suffered a global network outage after a destructive cyberattack attributed to the pro‑Iranian Handala group, impacting staff across multiple countries and halting operations. </li><li>Both incidents are assessed as politically motivated operations linked to Iranian interests. The Albanian case involved attempted data deletion and compromise of internal systems, with claims of data theft shared on Telegram. The Stryker incident was widely described as a wiper-style attack against Microsoft Windows environments, defacing login pages and rendering endpoints unusable rather than seeking ransom. </li><li>Affected and similar organisations are advised to monitor for destructive behaviour in Microsoft environments, including mass endpoint failures, credential misuse, and abnormal authentication activity. 
Strengthening Microsoft Defender for Endpoint alerts on wiper‑like behaviour, enforcing conditional access, isolating impacted devices rapidly, and maintaining tested offline backups are emphasised to limit blast radius and support recovery from non‑ransomware attacks.</li></ul><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Ftherecord.media%2Firan-linked-hackers-claim-cyberattack-albania-parliament" target="_blank" rel="nofollow noopener ugc">Iran-linked hackers claim cyberattack on Albania’s parliament email systems | The Record from Recorded Future News</a><br /><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fhandala-hack.to%2Fstryker-corporation-hacked%2F" target="_blank" rel="nofollow noopener ugc">Stryker Corporation Hacked – Handala Hack Team</a></p>]]>
        </description>
    </item>
    <item>
        <title>BlackSanta EDR Killer: HR Focused Stealth Malware Campaign</title>
        <link>https://community.advania.co.uk/discussion/621/blacksanta-edr-killer-hr-focused-stealth-malware-campaign</link>
        <pubDate>Wed, 11 Mar 2026 15:25:42 +0000</pubDate>
        <category>Daily Threat Briefing</category>
        <dc:creator>Du'aine Davis</dc:creator>
        <guid isPermaLink="false">621@/discussions</guid>
        <description><![CDATA[<p><strong>Observed in the wild</strong></p><ul><li>Aryaka Threat Labs identified a long‑running malware campaign by a likely Russian‑speaking threat actor primarily targeting HR and recruitment personnel. Victims were reached via résumé‑themed lures, leading to silent system compromise, data exfiltration and sustained attacker control after endpoint protections were neutralised. </li><li>The campaign uses spear‑phishing links to ISO files hosted on cloud storage. Execution involves LNK shortcuts, obfuscated PowerShell, steganographic payloads in images, DLL sideloading with legitimate software, extensive anti‑VM/sandbox checks, and a dedicated “BlackSanta” BYOVD‑style EDR killer to disable AV/EDR before further payloads run. </li><li>Organisations are advised to harden Microsoft Defender by monitoring for unexpected Defender exclusions, registry changes reducing telemetry, suppressed notifications, ISO/LNK execution from user directories, DLL sideloading by signed apps, and PowerShell with execution‑policy bypass. Strengthening HR endpoint controls and behavioural detection is emphasised.</li></ul><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fwww.aryaka.com%2Fdocs%2Freports%2Fblacksanta-edr-killer-threat-report.pdf" target="_blank" rel="nofollow noopener ugc">BlackSanta Report</a></p>]]>
        </description>
    </item>
    <item>
        <title>Deceptive IT Support Lure on Microsoft Teams Delivers Stealthy Backdoor</title>
        <link>https://community.advania.co.uk/discussion/620/deceptive-it-support-lure-on-microsoft-teams-delivers-stealthy-backdoor</link>
        <pubDate>Tue, 10 Mar 2026 12:06:14 +0000</pubDate>
        <category>Daily Threat Briefing</category>
        <dc:creator>Du'aine Davis</dc:creator>
        <guid isPermaLink="false">620@/discussions</guid>
        <description><![CDATA[<p><strong>Observed in the wild</strong></p><ul><li>From mid‑2025 through March 2026, BlueVoyant observed a campaign targeting employees in finance and healthcare organisations. Victims were overwhelmed with email spam, then contacted via Microsoft Teams by attackers impersonating internal IT support, ultimately leading to endpoint compromise and persistent access through a newly identified malware, A0Backdoor. </li><li>The activity is attributed to Blitz Brigantine (aka Storm‑1811 / STAC5777), linked to Black Basta tradecraft. Attackers abused Teams chats and Windows Quick Assist for initial access, deployed digitally signed MSI installers masquerading as Microsoft components, and used DLL sideloading to load A0Backdoor, which communicates via covert DNS MX records. </li><li>Organisations should restrict or disable Quick Assist, monitor Microsoft Defender alerts for Teams‑based social engineering, suspicious signed MSI installs in user AppData, DLL sideloading of hostfxr.dll, and anomalous DNS MX queries. Enforce least privilege, review Defender for Endpoint advanced hunting for Quick Assist abuse, and train users to verify IT support contacts.</li></ul><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fwww.bluevoyant.com%2Fblog%2Fnew-a0backdoor-linked-to-teams-impersonation-and-quick-assist-social-engineering" target="_blank" rel="nofollow noopener ugc">New A0Backdoor Linked to Teams Impersonation and Quick… | BlueVoyant</a></p>]]>
        </description>
    </item>
    <item>
        <title>ShinyHunters Exploit Salesforce Guest Access Misconfigurations</title>
        <link>https://community.advania.co.uk/discussion/619/shinyhunters-exploit-salesforce-guest-access-misconfigurations</link>
        <pubDate>Tue, 10 Mar 2026 12:06:09 +0000</pubDate>
        <category>Daily Threat Briefing</category>
        <dc:creator>Du'aine Davis</dc:creator>
        <guid isPermaLink="false">619@/discussions</guid>
        <description><![CDATA[<p><strong>Observed in the wild</strong></p><ul><li>In early March, Salesforce warned that customers running public Experience Cloud sites were being targeted due to over‑permissive guest user configurations. Shortly afterwards, the ShinyHunters extortion group claimed responsibility, stating they had stolen data from around 100 high‑profile organisations, potentially including Salesforce customers, as part of an ongoing campaign. Salesforce reiterated this was a configuration issue, not a platform flaw. </li><li>The attacks involved mass scanning and exploitation of public Experience Cloud sites using a modified version of Mandiant’s Aura Inspector tool. ShinyHunters claimed to abuse the /s/sfsites/aura API endpoint to extract data accessible via misconfigured guest user profiles. The Register reports the activity had been ongoing for months and targeted multiple well‑known brands. </li><li>Salesforce advises customers to audit and minimise guest user permissions, disable unnecessary API access, and restrict object and field‑level visibility. 
Organisations are advised to monitor for suspicious unauthenticated API usage, unusual IP scanning behaviour, and downstream indicators such as phishing or vishing campaigns leveraging exposed contact data attributed to ShinyHunters activity.</li></ul><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fwww.salesforce.com%2Fblog%2Fprotecting-your-data-essential-actions-to-secure-experience-cloud-guest-user-access%2F" target="_blank" rel="nofollow noopener ugc">Protecting Your Data: Essential Actions to Secure Experience Cloud Guest User Access - Salesforce</a></p><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fwww.theregister.com%2F2026%2F03%2F09%2Fshinyhunters_claims_more_highprofile_victims%2F" target="_blank" rel="nofollow noopener ugc">ShinyHunters claims yet another Salesforce customers breach • The Register</a></p>]]>
        </description>
    </item>
    <item>
        <title>Screensaver Files Used to Deploy Unauthorised RMM Tools in New Phishing Campaign</title>
        <link>https://community.advania.co.uk/discussion/539/screensaver-files-used-to-deploy-unauthorised-rmm-tools-in-new-phishing-campaign</link>
        <pubDate>Fri, 06 Feb 2026 11:52:32 +0000</pubDate>
        <category>Daily Threat Briefing</category>
        <dc:creator>Du'aine Davis</dc:creator>
        <guid isPermaLink="false">539@/discussions</guid>
        <description><![CDATA[<p><strong>Observed in the wild</strong></p><ul><li>A spearphishing campaign observed across multiple organisations delivers business‑themed Windows screensaver (.scr) files via trusted cloud hosting services. When executed, these files silently install legitimate but unauthorised remote monitoring and management (RMM) agents, enabling persistent interactive access. </li><li>Attackers send targeted emails linking to externally hosted .scr files disguised as documents (e.g., invoices). These overlooked executable formats install RMM tools to establish command‑and‑control. The technique exploits trust in cloud services and the permissiveness of RMM software, evading reputation‑based and signature‑based controls. Attribution remains unconfirmed, but the tradecraft is scalable, repeatable, and easily adapted by multiple threat groups.</li><li>Organisations are advised to treat .scr files as privileged executables: block execution from user‑writable paths via Microsoft Defender Application Control or AppLocker. Maintain strict allowlists for approved RMM tools, with alerts on first‑time installations, new services, or unexpected ProgramData directories. Monitor for anomalous outbound traffic to unknown RMM infrastructure. Block consumer file‑hosting sites where possible, and enforce download restrictions on executable formats to prevent initial compromise.</li></ul><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Freliaquest.com%2Fblog%2Fthreat-spotlight-new-campaign-uses-screensavers-RMM-based-persistence%2F" target="_blank" rel="nofollow noopener ugc">New Campaign Uses Screensavers for RMM-Based Persistence</a></p>]]>
        </description>
    </item>
    <item>
        <title>The Evolution of ClickFix: Inside ErrTraffic’s GlitchFix Attack Panel</title>
        <link>https://community.advania.co.uk/discussion/511/the-evolution-of-clickfix-inside-errtraffic-s-glitchfix-attack-panel</link>
        <pubDate>Thu, 22 Jan 2026 11:10:19 +0000</pubDate>
        <category>Daily Threat Briefing</category>
        <dc:creator>Du'aine Davis</dc:creator>
        <guid isPermaLink="false">511@/discussions</guid>
        <description><![CDATA[<p><strong>Observed in the wild</strong></p><ul><li>Censys researchers analysed ErrTraffic, a traffic‑distribution system used in GlitchFix/ClickFix social‑engineering attacks. They identified multiple live panels (v2 and v3) in the wild across various hosts, including one misconfigured instance that exposed the full source code. The tool targets global users across Windows, macOS, Android and Linux, with campaigns reported since late 2025. </li><li>ErrTraffic, sold for around $800 on Russian‑language forums by threat actor “LenAI”, injects malicious JavaScript into compromised websites, triggers visual “glitch” effects, fingerprints victims, geofilters traffic, and delivers OS‑specific payloads. Version differences include unobfuscated JavaScript (v2) versus XOR‑obfuscated payload logic and added ClickFix modes (v3). The system relies on social engineering rather than browser exploits, achieving conversion rates approaching 60%. </li><li>Organisations are advised to monitor for anomalous PowerShell or Run‑dialog executions initiated by users following clipboard‑injected commands, behaviour typical of ClickFix/ErrTraffic chains. Defender products should be tuned to detect unusual script executions and fingerprinting patterns from injected JavaScript. Network defenders should block domains hosting ErrTraffic panels and look for the errtraffic_session cookie in HTTP headers as an indicator of compromise.</li></ul><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fcensys.com%2Fblog%2Ferrtraffic-inside-glitchfix-attack-panel" target="_blank" rel="nofollow noopener ugc">ErrTraffic: Inside a GlitchFix Attack Panel | Censys</a></p>]]>
        </description>
    </item>
    <item>
        <title>AzCopy: Living off the Land Data Exfiltration in Modern Ransomware</title>
        <link>https://community.advania.co.uk/discussion/608/azcopy-living-off-the-land-data-exfiltration-in-modern-ransomware</link>
        <pubDate>Thu, 05 Mar 2026 10:11:24 +0000</pubDate>
        <category>Daily Threat Briefing</category>
        <dc:creator>Du'aine Davis</dc:creator>
        <guid isPermaLink="false">608@/discussions</guid>
        <description><![CDATA[<p><strong>Observed in the wild</strong></p><ul><li>In incidents investigated and published by Varonis Threat Labs (March 2026), ransomware operators were observed exfiltrating large volumes of sensitive enterprise data using Microsoft’s AzCopy utility prior to encryption. Multiple victim organisations were impacted, with at least one confirmed case bypassing EDR detection entirely. This mirrors earlier Storm‑0501 cloud‑based extortion patterns but focuses specifically on stealthy data theft rather than destructive ransomware. </li><li>Threat actors abused AzCopy, a legitimate Azure Storage command‑line tool, to “live off the land” and blend exfiltration into normal cloud operations. Using stolen credentials or SAS tokens, attackers transferred data over trusted HTTPS connections to attacker‑controlled Azure Blob storage. Techniques included throttling transfer speeds, targeting recently modified files, and deleting AzCopy artefacts, making activity difficult for EDR and network tools to distinguish from legitimate Azure usage. </li><li>Organisations are advised to treat AzCopy and Azure Storage access as high‑risk and actively monitor for abnormal usage. Using Microsoft Defender for Endpoint, Defender for Cloud, and Sentinel, defenders should hunt for unexpected AzCopy executions, large outbound transfers to *.blob.core.windows.net, unusual SAS token usage, and off‑hours data movement. Strong identity protection, least privilege, and rapid containment are critical, as exfiltration typically precedes encryption by minutes or hours.</li></ul><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fwww.varonis.com%2Fblog%2Fazcopy-data-exfiltration" target="_blank" rel="nofollow noopener ugc">Copy, Paste, Ransom: Making Data Exfiltration As Easy as AzCopy</a></p>]]>
        </description>
    </item>
    <item>
        <title>Iran Aligned Hacktivists and APTs Increase Low to Medium Impact Cyber Attacks</title>
        <link>https://community.advania.co.uk/discussion/607/iran-aligned-hacktivists-and-apts-increase-low-to-medium-impact-cyber-attacks</link>
        <pubDate>Thu, 05 Mar 2026 10:11:21 +0000</pubDate>
        <category>Daily Threat Briefing</category>
        <dc:creator>Du'aine Davis</dc:creator>
        <guid isPermaLink="false">607@/discussions</guid>
        <description><![CDATA[<p><strong>Observed in the wild</strong></p><ul><li>From 28 February, Unit 42 observed a sharp escalation in Iran-linked cyber activity following U.S. and Israeli military operations. Government, critical infrastructure, energy, healthcare and logistics organisations in the U.S., Israel and allied regions were primarily targeted, largely by hacktivist and proxy groups, while Iran-based state actors were temporarily constrained by domestic internet disruption. </li><li>Activity was dominated by Iran-aligned hacktivists and proxy actors (e.g. Handala-linked personas), using DDoS attacks, website defacements, phishing and mobile malware delivery, with some attempts at data destruction. Operations were of low to medium sophistication, often coordinated via social platforms, aiming for disruption and psychological impact rather than stealthy long-term espionage.</li><li>Organisations are advised to prepare for disruptive activity rather than advanced intrusions. Using Microsoft Defender, defenders should monitor for DDoS precursors, phishing lures, abnormal login attempts and malicious mobile app indicators, enforce phishing-resistant MFA, harden internet-facing services, and correlate Defender for Endpoint, Identity and Cloud Apps alerts for Iran-themed social engineering or hacktivist-style behaviours.</li></ul><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Funit42.paloaltonetworks.com%2Firanian-cyberattacks-2026%2F" target="_blank" rel="nofollow noopener ugc">Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran</a></p>]]>
        </description>
    </item>
    <item>
        <title>Coordinated Proxy Based Scanning Targets SonicWall Firewalls</title>
        <link>https://community.advania.co.uk/discussion/606/coordinated-proxy-based-scanning-targets-sonicwall-firewalls</link>
        <pubDate>Thu, 05 Mar 2026 10:11:19 +0000</pubDate>
        <category>Daily Threat Briefing</category>
        <dc:creator>Du'aine Davis</dc:creator>
        <guid isPermaLink="false">606@/discussions</guid>
        <description><![CDATA[<p><strong>Observed in the wild</strong></p><ul><li>Between 22 and 25 February, GreyNoise observed a coordinated reconnaissance campaign generating 84,142 scanning sessions from 4,305 unique IPs, targeting internet‑exposed SonicWall SonicOS firewalls, specifically organisations running SSL VPN services. The activity was global, highly structured, and assessed as pre‑exploitation attack surface mapping, not immediate exploitation. </li><li>Attackers used three infrastructure clusters, including a commercial proxy service supplying 32% of traffic via 4,102 rotating exit IPs, to evade rate‑limiting and detection. 92% of requests hit a single SonicOS API endpoint that checks whether SSL VPN is enabled, a prerequisite for later credential‑based attacks. No significant CVE exploitation was observed, confirming reconnaissance intent. </li><li>Organisations are advised to treat this as an early‑warning signal. Defenders should review firewall and VPN logs for repeated hits to SSL VPN status endpoints, especially from proxy or hosting ASNs. Using Microsoft Defender, organisations should hunt for abnormal VPN enumeration behaviour, correlate with Defender for Network/Cloud Apps alerts, enforce conditional access and MFA, restrict VPN exposure, and ensure SonicOS firmware is fully patched.</li></ul><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fwww.greynoise.io%2Fblog%2Factive-reconnaissance-campaign-targets-sonicwall-firewalls-through-commercial-proxy-infrastructure" target="_blank" rel="nofollow noopener ugc">Active Reconnaissance Campaign Targets SonicWall Firewalls Through Commercial Proxy Infrastructure</a></p>]]>
        </description>
    </item>
    <item>
        <title>AgreeToSteal: First Malicious Outlook Add In Abuses Microsoft Marketplace Trust</title>
        <link>https://community.advania.co.uk/discussion/558/agreetosteal-first-malicious-outlook-add-in-abuses-microsoft-marketplace-trust</link>
        <pubDate>Fri, 13 Feb 2026 12:02:56 +0000</pubDate>
        <category>Daily Threat Briefing</category>
        <dc:creator>Du'aine Davis</dc:creator>
        <guid isPermaLink="false">558@/discussions</guid>
        <description><![CDATA[<p><strong>Observed in the wild</strong></p><ul><li>In February, Koi Security disclosed AgreeToSteal, the first known malicious Microsoft Outlook add‑in in the wild. A legitimate but abandoned scheduling add‑in (“AgreeTo”), originally published in December 2022, was hijacked, leading to the theft of over 4,000 Microsoft account credentials (and some payment data) from unsuspecting Outlook users worldwide. </li><li>An unknown threat actor claimed an orphaned Vercel URL referenced in the add‑in’s Microsoft‑approved manifest. Because Outlook add‑ins load live web content, the attacker silently replaced the UI with a fake Microsoft login page inside Outlook, exfiltrating credentials via a Telegram bot and redirecting victims to the real login to reduce suspicion, without re‑submitting anything to Microsoft. </li><li>Organisations are advised to audit and remove unused Outlook add‑ins, monitor for anomalous sign‑in behaviour, enforce MFA, and rotate credentials for affected users. Use Microsoft Defender for Office 365 and Defender for Identity to detect suspicious authentication patterns, token misuse, and risky add‑in permissions, and restrict add‑ins to approved publishers via tenant controls.</li></ul><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fwww.koi.ai%2Fblog%2Fagreetosteal-the-first-malicious-outlook-add-in-leads-to-4-000-stolen-credentials" target="_blank" rel="nofollow noopener ugc">AgreeToSteal: The First Malicious Outlook Add-In Leads to 4,000 Stolen Credentials</a></p>]]>
        </description>
    </item>
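<![CDATA[
The AgreeToSteal post above hinges on one property of Outlook add-ins: the manifest Microsoft approved carries no code, only URLs, and whoever controls those hosts controls what renders inside Outlook. The audit script below is an added example (not Koi Security's or Microsoft's code) that parses a manifest, lists every host it trusts, and flags hosts that are outside the publisher's own domains, served over plain http, or sitting on a shared hosting platform where an abandoned project's subdomain can be re-registered by a third party. The publisher name, the hosts in the sample manifest and the list of reclaimable platform suffixes are assumptions constructed for the example.

```python
"""Audit an Outlook/Office add-in manifest for the hosts it trusts.

Added illustrative example, not Koi Security's or Microsoft's code. Outlook
renders whatever the URLs in the manifest serve (SourceLocation / bt:Url /
IconUrl DefaultValue attributes and AppDomain entries), so the audit lists every
host and flags those the publisher does not own or cannot be sure of keeping.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumption: platforms whose subdomains become claimable once the original
# project is deleted. Illustrative list, extend for your own environment.
RECLAIMABLE_SUFFIXES = (".vercel.app", ".netlify.app", ".herokuapp.com",
                        ".github.io", ".azurewebsites.net", ".pages.dev")
URL_RE = re.compile(r"^https?://", re.IGNORECASE)


def _local_name(tag):
    """'{namespace}SourceLocation' -> 'SourceLocation'."""
    return tag.rsplit("}", 1)[-1]


def extract_urls(manifest_xml):
    """Every http(s) URL in any attribute value or element text, in document order."""
    root = ET.fromstring(manifest_xml)
    found = []
    for el in root.iter():
        values = list(el.attrib.values())
        if el.text and el.text.strip():
            values.append(el.text.strip())
        found.extend((_local_name(el.tag), v) for v in values if URL_RE.match(v))
    return found


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_under(host, domain):
    return host == domain or host.endswith("." + domain)


def audit_manifest(manifest_xml, publisher_domains):
    """Return {'hosts': sorted distinct hosts, 'findings': [(host, element, reason)]}."""
    urls = extract_urls(manifest_xml)
    findings = []
    for element, url in urls:
        host = host_of(url)
        if not url.lower().startswith("https://"):
            findings.append((host, element, "plaintext http, content can be tampered in transit"))
        if not any(is_under(host, d) for d in publisher_domains):
            findings.append((host, element, "host outside the publisher's domains"))
        if any(host.endswith(s) for s in RECLAIMABLE_SUFFIXES):
            findings.append((host, element, "shared platform, subdomain reclaimable if abandoned"))
    return {"hosts": sorted({host_of(u) for _, u in urls}),
            "findings": list(dict.fromkeys(findings))}  # dedupe, keep order


# Constructed sample manifest (hypothetical publisher and hosts), trimmed to the
# elements that carry URLs. One resource still points at a *.vercel.app project.
SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:bt="http://schemas.microsoft.com/office/officeappbasictypes/1.0"
    xsi:type="MailApp">
  <ProviderName>Example Scheduling Ltd</ProviderName>
  <DisplayName DefaultValue="Example Scheduler"/>
  <IconUrl DefaultValue="https://scheduling.example/icon-64.png"/>
  <AppDomains>
    <AppDomain>http://legacy.scheduling.example</AppDomain>
  </AppDomains>
  <Hosts><Host Name="Mailbox"/></Hosts>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://scheduling.example/taskpane.html"/>
      </DesktopSettings>
    </Form>
  </FormSettings>
  <Permissions>ReadWriteItem</Permissions>
  <VersionOverrides xmlns="http://schemas.microsoft.com/office/mailappversionoverrides"
      xsi:type="VersionOverridesV1_0">
    <Resources>
      <bt:Urls>
        <bt:Url id="Commands.Url" DefaultValue="https://example-addin.vercel.app/commands.html"/>
      </bt:Urls>
    </Resources>
  </VersionOverrides>
</OfficeApp>
"""

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST, publisher_domains=["scheduling.example"])
    print("hosts trusted by manifest:", ", ".join(report["hosts"]))
    for host, element, reason in report["findings"]:
        print(f"  [{element}] {host}: {reason}")
```

Run it against the manifests exported from the tenant's installed add-ins (one file per add-in) and treat every "shared platform" or "outside publisher" host as a question for the add-in owner, not as proof of compromise: the point is that the trust decision Microsoft made at submission time does not follow the URL once the hosting project is abandoned, so the hosts need re-checking on a schedule, not once.
]]>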
    <item>
        <title>Malicious Next.js Repositories Used to Target Developers via Staged C2</title>
        <link>https://community.advania.co.uk/discussion/595/malicious-next-js-repositories-used-to-target-developers-via-staged-c2</link>
        <pubDate>Thu, 26 Feb 2026 10:45:14 +0000</pubDate>
        <category>Daily Threat Briefing</category>
        <dc:creator>Du'aine Davis</dc:creator>
        <guid isPermaLink="false">595@/discussions</guid>
        <description><![CDATA[<p><strong>Observed in the wild</strong></p><ul><li>In February, Microsoft identified a coordinated campaign targeting software developers, particularly those using Next.js and Node.js. Targets were lured via fake technical assessments and seemingly legitimate repositories on public code-hosting platforms. Execution typically occurred during routine development activity, leading to compromise of developer endpoints and potential exposure of source code, secrets, and cloud or build credentials.</li><li>Threat actors used malicious repositories disguised as interview tasks or projects. Multiple execution paths (VS Code workspace automation, build-time scripts, and server start-up logic) triggered attacker-controlled JavaScript. This established a staged command-and-control (C2) flow: an initial registration beacon followed by a secondary controller enabling persistent tasking, in-memory execution, discovery, and data exfiltration, blending into normal developer workflows.</li><li>Microsoft advises using Microsoft Defender to monitor Node.js and developer tooling for suspicious process behaviour and outbound C2 traffic. Organisations should enable Defender attack surface reduction, inspect repository contents before execution, restrict untrusted VS Code workspace automation, and hunt for anomalous JavaScript loaders, staged C2 patterns, and unusual environment variable access indicative of developer‑targeted tradecraft.</li></ul><p><a href="https://community.advania.co.uk/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fsecurity%2Fblog%2F2026%2F02%2F24%2Fc2-developer-targeting-campaign%2F" target="_blank" rel="nofollow noopener ugc">Developer-targeting campaign using malicious Next.js repositories | Microsoft Security Blog</a></p>]]>
        </description>
    </item>
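<![CDATA[
The Next.js post above lists three places where a cloned "interview task" runs code before the developer has read any of it: VS Code workspace automation, build-time scripts, and server start-up logic. The triage script below is an added example (not Microsoft's tooling) of the "inspect repository contents before execution" step: it reads the files that execute implicitly, namely .vscode/tasks.json tasks with runOptions.runOn set to folderOpen, npm lifecycle scripts in package.json, and the Next.js next.config.* and instrumentation.* files, and reports what would run and which of it carries tokens that rarely belong in a take-home exercise. The sample repository and the suspicious-token list are constructed assumptions, not indicators from the campaign.

```python
"""Pre-execution triage of a cloned JavaScript/Next.js repository.

Added illustrative example, not Microsoft's code. Reports code that runs
without anyone reading it:
  .vscode/tasks.json   tasks with runOptions.runOn == "folderOpen" start when
                       the folder is opened in VS Code
  package.json         npm lifecycle scripts run during `npm install`
  next.config.*,       evaluated by Next.js at build time and server start-up
  instrumentation.*
"""
import json
import re
from pathlib import Path

LIFECYCLE = ("preinstall", "install", "postinstall", "prepare", "prepublish")
AUTO_EXEC_FILES = ("next.config.js", "next.config.mjs", "next.config.ts",
                   "instrumentation.js", "instrumentation.ts")
# Assumption: heuristic patterns, tune locally. Order fixes the report order.
SUSPICIOUS = [
    (r"\bchild_process\b|\bexecSync?\(|\bspawnSync?\(", "spawns a process"),
    (r"\beval\(|new Function\(", "dynamic code evaluation"),
    (r"base64|\batob\(", "base64-encoded content"),
    (r"\bcurl\b|\bwget\b", "downloads with curl/wget"),
    (r"https?://\d{1,3}(?:\.\d{1,3}){3}", "URL pointing at a raw IP"),
    (r"process\.env\b", "reads environment variables"),
]


def _load_jsonc(text):
    """tasks.json is JSON-with-comments; strip /* */ blocks and full-line // comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return json.loads("\n".join(l for l in text.splitlines()
                                if not l.strip().startswith("//")))


def _flag_tokens(source):
    return [why for pat, why in SUSPICIOUS if re.search(pat, source)]


def scan_files(files):
    """files: {relative_path: content}. Returns [(path, detail)] findings."""
    findings = []
    tasks = files.get(".vscode/tasks.json")
    if tasks:
        for task in _load_jsonc(tasks).get("tasks", []):
            if task.get("runOptions", {}).get("runOn") == "folderOpen":
                findings.append((".vscode/tasks.json",
                                 f"task '{task.get('label')}' runs on folder open: "
                                 f"{task.get('command', '')}"))
    pkg = files.get("package.json")
    if pkg:
        scripts = json.loads(pkg).get("scripts", {})
        for name in LIFECYCLE:
            if name in scripts:
                findings.append(("package.json", f"lifecycle script '{name}': {scripts[name]}"))
        for name, cmd in scripts.items():
            findings.extend(("package.json", f"script '{name}' {why}") for why in _flag_tokens(cmd))
    for path, content in files.items():
        if Path(path).name in AUTO_EXEC_FILES:
            findings.extend((path, f"auto-executed file {why}") for why in _flag_tokens(content))
    return findings


def scan_repo_dir(root):
    """Load the relevant files from a real checkout (repo root or src/) and scan them."""
    root = Path(root)
    wanted = [".vscode/tasks.json", "package.json", *AUTO_EXEC_FILES,
              *("src/" + f for f in AUTO_EXEC_FILES)]
    return scan_files({rel: (root / rel).read_text(errors="replace")
                       for rel in wanted if (root / rel).is_file()})


# Constructed sample: a hypothetical "frontend assessment" repository.
SAMPLE_REPO = {
    ".vscode/tasks.json": """{
      // auto-runs the moment the folder is opened
      "version": "2.0.0",
      "tasks": [{
        "label": "setup",
        "type": "shell",
        "command": "node scripts/setup.js",
        "runOptions": { "runOn": "folderOpen" }
      }]
    }""",
    "package.json": json.dumps({
        "name": "frontend-assessment",
        "scripts": {
            "dev": "next dev",
            "postinstall": "node -e \"eval(Buffer.from(process.env.X,'base64').toString())\"",
        },
    }),
    "next.config.js": "const { execSync } = require('child_process');\nmodule.exports = {};\n",
}

if __name__ == "__main__":
    for path, detail in scan_files(SAMPLE_REPO):
        print(f"{path}: {detail}")
```

Run `scan_repo_dir()` on a fresh clone before opening it in VS Code or running `npm install`; an empty report means only that none of the implicit execution points is present, not that the code is safe, so the remaining step is still to read the entry points the report names before executing them.
]]>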
   </channel>
</rss>
