NCSA Webboard

    Cyber Threat Intelligence 16 March 2026

    Cyber Security News
    • NCSA_THAICERT

      Financial Sector

      • February 2026 Security Issues Related To The Korean & Global Financial Sector
        "This report comprehensively covers actual cyber threats and related security issues targeting financial institutions in South Korea and abroad. It includes analysis of malware and phishing cases distributed targeting the financial sector, presents the Top 10 major malware targeting the financial sector, and provides statistics on the industry sectors of South Korean accounts leaked via Telegram. It also details cases of phishing emails distributed targeting the financial sector."
        https://asec.ahnlab.com/en/92903/

      New Tooling

      • Betterleaks, a New Open-Source Secrets Scanner To Replace Gitleaks
        "A new open-source tool called Betterleaks can scan directories, files, and git repositories and identify valid secrets using default or customized rules. Secret scanners are specialized utilities that scour repositories for sensitive information, such as credentials, API keys, private keys, and tokens, that developers accidentally committed in source code. Since threat actors often scan configuration files in public repositories for sensitive details, this type of utility can help identify secrets and protect them before attackers can find them."
        https://www.bleepingcomputer.com/news/security/betterleaks-a-new-open-source-secrets-scanner-to-replace-gitleaks/
        https://github.com/betterleaks/betterleaks

      Vulnerabilities

      • Google Fixes Two New Chrome Zero-Days Exploited In Attacks
        "Google has released emergency security updates to patch two high-severity Chrome vulnerabilities exploited in zero-day attacks. "Google is aware that exploits for both CVE-2026-3909 & CVE-2026-3910 exist in the wild," Google said in a security advisory published on Thursday. The first zero-day (CVE-2026-3909) stems from an out-of-bounds write weakness in Skia, an open-source 2D graphics library responsible for rendering web content and user interface elements, which attackers can exploit to crash the web browser or even gain code execution."
        https://www.bleepingcomputer.com/news/google/google-fixes-two-new-chrome-zero-days-exploited-in-attacks/
        https://thehackernews.com/2026/03/google-fixes-two-chrome-zero-days.html
        https://www.securityweek.com/chrome-146-update-patches-two-exploited-zero-days/
        https://securityaffairs.com/189373/hacking/google-fixed-two-new-actively-exploited-flaws-in-the-chrome-browser.html
        https://www.malwarebytes.com/blog/news/2026/03/google-patches-two-chrome-zero-days-under-active-attack-update-now
        https://www.theregister.com/2026/03/13/google_zeroday_chrome_update/
      • CrackArmor: Critical AppArmor Flaws Enable Local Privilege Escalation To Root
        "Qualys TRU has discovered confused deputy vulnerabilities in AppArmor (named “CrackArmor”) that allow unprivileged users to bypass kernel protections, escalate to root, and break container isolation. The flaw has existed since 2017, and affected over 12.6 million systems globally. Immediate kernel patching is recommended to neutralize these vulnerabilities."
        https://blog.qualys.com/vulnerabilities-threat-research/2026/03/12/crackarmor-critical-apparmor-flaws-enable-local-privilege-escalation-to-root
        https://thehackernews.com/2026/03/nine-crackarmor-flaws-in-linux-apparmor.html
        https://hackread.com/crackarmor-vulnerability-apparmor-linux-systems/
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-3909 Google Skia Out-of-Bounds Write Vulnerability
        CVE-2026-3910 Google Chromium V8 Unspecified Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/03/13/cisa-adds-two-known-exploited-vulnerabilities-catalog
        https://securityaffairs.com/189411/security/u-s-cisa-adds-google-chrome-flaws-to-its-known-exploited-vulnerabilities-catalog.html
      • Microsoft Releases Windows 11 OOB Hotpatch To Fix RRAS RCE Flaw
        "Microsoft has released an out-of-band (OOB) update to fix a security vulnerability affecting Windows 11 Enterprise devices that receive hotpatch updates instead of the regular Patch Tuesday cumulative updates. The KB5084597 hotpatch update was released yesterday to fix vulnerabilities in the Windows Routing and Remote Access Service (RRAS) management tool that could allow remote code execution when connecting to a malicious server. "Microsoft has identified a security issue in the Windows Routing and Remote Access Service (RRAS) management tool that could allow remote code execution when connecting to a malicious server," reads an advisory from Microsoft."
        https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-11-oob-hotpatch-to-fix-rras-rce-flaw/

      Malware

      • Poland's Nuclear Research Centre Targeted By Cyberattack
        "Poland’s National Centre for Nuclear Research (NCBJ) says hackers targeted its IT infrastructure, but the attack was detected and blocked before causing any impact. In a statement this week, the organization announced that its security systems and internal procedures, designed to detect threats early, prevented the compromise and allowed its IT staff to quickly secure targeted systems. “Thanks to the rapid and effective actions of security systems and procedures in the event of such an incident, as well as the quick response of our teams, the attack was thwarted, and the integrity of the systems was not compromised," the NCBJ says."
        https://www.bleepingcomputer.com/news/security/polands-nuclear-research-centre-targeted-by-cyberattack/
        https://securityaffairs.com/189399/security/hackers-targeted-polands-national-centre-for-nuclear-research.html
      • Storm-2561 Uses SEO Poisoning To Distribute Fake VPN Clients For Credential Theft
        "In mid-January 2026, Microsoft Defender Experts identified a credential theft campaign that uses fake virtual private network (VPN) clients distributed through search engine optimization (SEO) poisoning. The campaign redirects users searching for legitimate enterprise software to malicious ZIP files on attacker-controlled websites to deploy digitally signed trojans that masquerade as trusted VPN clients while harvesting VPN credentials. Microsoft Threat Intelligence attributes this activity to the cybercriminal threat actor Storm-2561."
        https://www.microsoft.com/en-us/security/blog/2026/03/12/storm-2561-uses-seo-poisoning-to-distribute-fake-vpn-clients-for-credential-theft/
        https://www.bleepingcomputer.com/news/security/fake-enterprise-vpn-downloads-used-to-steal-company-credentials/
        https://thehackernews.com/2026/03/storm-2561-spreads-trojan-vpn-clients.html
        https://www.theregister.com/2026/03/13/vpn_clients_spoofed/
        https://securityaffairs.com/189426/cyber-crime/storm-2561-lures-victims-to-spoofed-vpn-sites-to-harvest-corporate-logins.html
      • Attackers Impersonate Temu In ClickFix $Temu Airdrop Scam
        "A Temu spokesperson contacted us to say: “Temu has not issued any cryptocurrency, token, or digital asset—including any so-called “Temu Coin.” Any airdrop, wallet claim, or cryptocurrency offer purporting to be from Temu is fraudulent and has no connection to our company.” We’ve covered ClickFix campaigns before: the fake CAPTCHAs, the fake Windows updates, the trick of getting victims to paste malicious commands into their own machines. Now we’ve identified a campaign that uses the opening initial steps seen in ClickFix attacks, but what happens after is different enough to warrant a closer look."
        https://www.malwarebytes.com/blog/threat-intel/2026/03/fake-temu-coin-airdrop-uses-clickfix-trick-to-install-stealthy-malware
      • Investigating a New Click-Fix Variant
        "Atos Researchers identified a new variant of the popular ClickFix technique, where attackers convince the user to execute a malicious command on their own device through the Win + R shortcut. In this variation, a “net use” command is used to map a network drive from an external server, after which a “.cmd” batch file hosted on that drive is executed. Script downloads a ZIP archive, unpacks it, and executes the legitimate WorkFlowy application with modified, malicious logic hidden inside “.asar” archive. This acts as a C2 beacon and a dropper for the final malware payload."
        https://thehackernews.com/2026/03/investigating-new-click-fix-variant.html
      • Glassworm Is Back: A New Wave Of Invisible Unicode Attacks Hits Hundreds Of Repositories
        "The invisible threat we've been tracking for nearly a year is back. While the PolinRider campaign has been making headlines for compromising hundreds of GitHub repositories, we are separately seeing a new wave of Glassworm activity hitting GitHub, npm, and VS Code. In October last year, we wrote about how hidden Unicode characters were being used to compromise GitHub repositories, tracing the technique back to a threat actor named Glassworm. This month, the same actor is back, and among the affected repositories are some notable names: a repo from Wasmer, Reworm, and opencode-bench from anomalyco, the organization behind OpenCode and SST."
        https://www.aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode
      • Hijacked At The Source: A Trusted Marketing AppsFlyer’s SDK Distributes a Crypto Stealer
        "On 9 March 2026, following requests from our customers, Profero began investigating a possible compromise lead of the AppsFlyer SDK. AppsFlyer is a widely used mobile attribution and marketing analytics platform integrated into thousands of mobile applications, making it a high-value target in third-party supply chain attacks due to its deep SDK-level access to sensitive user and device data across client environments. During the investigation, Profero IRT confirmed the presence of obfuscated attacker-controlled JavaScript being delivered to users visiting websites and applications that loaded the AppsFlyer SDK, consistent with a browser-based cryptocurrency hijacker."
        https://profero.io/blog/hijacked-at-the-source-a-trusted-marketing-appsflyers-sdk-distributes-a-crypto-stealer
        https://www.bleepingcomputer.com/news/security/appsflyer-web-sdk-used-to-spread-crypto-stealer-javascript-code/
      • 72 Malicious Open VSX Extensions Linked To GlassWorm Campaign Now Using Transitive Dependencies
        "GlassWorm has not re-emerged so much as evolved, and our latest analysis shows a significant escalation in how it spreads through Open VSX. Instead of requiring every malicious listing to embed the loader directly, the threat actor is now abusing extensionPack and extensionDependencies to turn initially standalone-looking extensions into transitive delivery vehicles in later updates, allowing a benign-appearing package to begin pulling a separate GlassWorm-linked extension only after trust has already been established."
        https://socket.dev/blog/open-vsx-transitive-glassworm-campaign
        https://thehackernews.com/2026/03/glassworm-supply-chain-attack-abuses-72.html

      Breaches/Hacks/Leaks

      • Starbucks Discloses Data Breach Affecting Hundreds Of Employees
        "Starbucks has disclosed a data breach affecting hundreds of employees after threat actors gained access to their Starbucks Partner Central accounts. As the world's largest coffeehouse chain, Starbucks has over 380,000 employees (also known as partners) and operates nearly 41,000 locations across 88 countries. In data breach notification letters filed with Maine's Attorney General and sent to affected employees on Tuesday, the company says that it discovered the incident on February 6."
        https://www.bleepingcomputer.com/news/security/starbucks-discloses-data-breach-affecting-hundreds-of-employees/
        https://www.securityweek.com/starbucks-data-breach-impacts-employees/
        https://securityaffairs.com/189438/security/starbucks-data-breach-impacts-889-employees.html
      • Payload Ransomware Claims The Hack Of Royal Bahrain Hospital
        "The Payload Ransomware group claims to have hacked the Royal Bahrain Hospital (RBH) and stolen 110 GB of data. The ransomware gang added the healthcare facility to its Tor data leak site and published the images of allegedly hacked systems as proof of the attack. The group is threatening to release the stolen data if the ransom is not paid by March 23."
        https://securityaffairs.com/189467/cyber-crime/payload-ransomware-claims-the-hack-of-royal-bahrain-hospital.html

      General News

      • FBI Seeks Victims Of Steam Games Used To Spread Malware
        "The FBI is asking gamers who installed Steam titles containing malware to provide information as part of an ongoing investigation into eight malicious games uploaded to the gaming platform. In a notice published today by the FBI's Seattle Division, the agency said it is attempting to identify individuals who were affected after installing one of the malicious games on Steam between May 2024 and January 2026. "The FBI's Seattle Division is seeking to identify potential victims installing Steam games embedded with malware. The FBI believes the threat actor primarily targeted users between the timeframe of May 2024 and January 2026," reads the notice."
        https://www.bleepingcomputer.com/news/security/fbi-seeks-victims-of-steam-games-used-to-spread-malware/
      • 45,000 Malicious IP Addresses Taken Down In International Cyber Operation
        "An international cybercrime operation targeting phishing, malware and ransomware has taken down more than 45,000 malicious IP addresses and servers. Law enforcement from 72 countries and territories took part in Operation Synergia III (18 July 2025 – 31 January 2026), coordinated by INTERPOL. The operation led to the arrest of 94 people, with another 110 individuals still under investigation. During the operation, INTERPOL transformed data into actionable intelligence, facilitated cross-border collaboration, and provided tactical operational assistance to member countries. Preliminary investigations led to a series of coordinated actions by national authorities, including raids on key locations and the disruption of malicious cyber activities. In total 212 electronic devices and servers were seized."
        https://www.interpol.int/News-and-Events/News/2026/45-000-malicious-IP-addresses-taken-down-in-international-cyber-operation
        https://www.bleepingcomputer.com/news/security/police-sinkholes-45-000-ip-addresses-in-cybercrime-crackdown/
        https://thehackernews.com/2026/03/interpol-dismantles-45000-malicious-ips.html
        https://www.infosecurity-magazine.com/news/interpol-operation-synergia3-94/
        https://hackread.com/interpol-operation-synergia-iii-malicious-ip-94-arrest/
        https://www.theregister.com/2026/03/13/interpol_operation_synergia/
        https://securityaffairs.com/189420/cyber-crime/interpol-operation-synergia-iii-leads-to-45000-malicious-ips-dismantled-and-94-arrests-worldwide.html
      • When Liability Turns The CISO Into The Fall Guy
        "The era of the technical specialist is fading. In its place stands a legally exposed executive whose concern is no longer just a system breach but potential personal indictment. Twenty years ago, the cybersecurity remit was defined by network integrity and resilience. Today, it is increasingly defined by the fine print of directors and officers, or D&O, insurance policies and the exact wording of board minutes."
        https://www.bankinfosecurity.com/blogs/when-liability-turns-ciso-into-fall-guy-p-4065
      • A Guy Who Wrote The Code Died In 2005. I Still Have To Secure It
        "If you walk the expo floors at any of the Black Hat or RSAC Conferences, the industry tells you the future is here. It's all quantum-resilient encryption, AI-driven security operations centers, and cloud-native architectures. Then, I go back to my day job. With over 20 years of experience spanning federal government, private manufacturing, and enterprise security, I've seen the industry from every angle. In my current dual roles —advising Fortune 100s as a field CISO and protecting a major US city as a sitting practitioner — I spend half my time discussing the "cutting edge," and the other half defending the "rusting edge.""
        https://www.darkreading.com/cyber-risk/a-guy-who-wrote-code-died-in-2005-i-still-must-secure-it
      • Why Post-Quantum Cryptography Can't Wait
        "Somewhere in the world right now, a cybercriminal is trying to steal your organization's encrypted data. They can't read it yet, but the technology needed to do so is rapidly approaching. When ready, that technology will allow criminals to break even the most stringent traditional protections in a matter of minutes. This type of attack is part of a new "harvest-now, decrypt-later" approach, and it represents one of the most insidious threats facing organizations today. Unlike traditional cyberattacks, which cause immediate and visible damage, these attacks are invisible."
        https://www.darkreading.com/cyber-risk/why-post-quantum-cryptography-cant-wait
      • Cyberattackers Don't Care About Good Causes
        "Nonprofits work to provide free or reduced cost aid, education, and essential resources throughout communities worldwide, but they often struggle to meet their own needs, particularly when it comes to cybersecurity. While they're busy helping others, who's there to help them address increasingly dangerous security gaps? Experts gathered for an exclusive Dark Reading roundtable agree that approaches need to shift. Better incident reporting, technologies, training, and attention are among the measures needed to face a rising threat, they said, yet are skeptical that nonprofits have the resources to build those defenses."
        https://www.darkreading.com/cyber-risk/cyberattackers-dont-care-about-good-causes
        https://www.darkreading.com/threat-intelligence/data-gap-why-nonprofit-cyber-incidents-go-underreported
      • Fake PoCs, Misunderstood Risks Cause Cisco SD-WAN Chaos
        "Amid a stream of new vulnerabilities in Cisco's Catalyst SD-WAN Manager, some researchers are arguing that organizations have misplaced their focus, hyperfixating on one critical vulnerability with a lot of noise around it, but overlooking another, quieter bug that's just as serious. On Feb. 25, Cisco publicly disclosed half a dozen newfound bugs in its Software-Defined Wide Area Network (SD-WAN) management product. At least three have been exploited in the wild. One, CVE-2026-20127, in addition to earning the highest possible 10 out of 10 score in the Common Vulnerability Scoring System (CVSS), appears to have been exploited as a zero-day by one threat actor for at least three years."
        https://www.darkreading.com/vulnerabilities-threats/fake-pocs-risks-cisco-sd-wan
      • Will AI Save Consumers From Smartphone-Based Phishing Attacks?
        "Phishing attacks continue to dominate as the most prevalent smartphone security issue, according to the latest findings from the Omdia 2025 Omdia Mobile Device Security Consumer Survey. The report highlights that 27% of consumers experienced phishing scams, making it the most common type of incident, followed closely by malware or viruses, at 26%. Despite best efforts, Omdia's testing reveals sophisticated phishing attacks bypass most on-device protection — making it even more prevalent that users stay vigilant."
        https://www.darkreading.com/mobile-security/will-ai-save-consumers-smartphone-phishing-attacks
      • Six Supply Chain Attack Groups To Watch Out For In 2026
        "Supply chain attacks have been in the spotlight since at least 2015, when weaponized versions of Apple’s XCode development tool silently infected over 4,000 iOS apps and reached 128 million users. A decade later, however, the conversation has shifted from “Could this happen again?” to “Who was hit this week?”. So, what changed? The attack surface exploded. Even back in 2020, when the infamous SolarWinds attack occurred, organizations were already deeply interconnected, but the scale has grown dramatically since then. Today, the average enterprise depends on dozens of SaaS platforms, hundreds of open-source packages, and several managed service providers."
        https://www.group-ib.com/blog/supply-chain-attack-groups-2026/
      • AI Coding Agents Keep Repeating Decade-Old Security Mistakes
        "Coding agents are now writing production features on real development teams, and a new report from DryRun Security shows that those agents introduce security vulnerabilities at a high rate across nearly every type of application they build. “AI coding agents can produce working software at incredible speed, but security isn’t part of their default thinking,” said James Wickett, CEO of DryRun Security. “In our usage and experience, AI coding agents often missed adding security components or created authentication logic flaws. These mistakes and gaps are exactly where attackers win.”"
        https://www.helpnetsecurity.com/2026/03/13/claude-code-openai-codex-google-gemini-ai-coding-agent-security/
      • Iran-Linked Hackers Take Aim At US And Other Targets, Raising Risk Of Cyberattacks During War
        "Pro-Iranian hackers are targeting sites in the Middle East and starting to stretch into the United States during the war, raising the risk of American defense contractors, power stations and water plants being swept into a wave of digital chaos that could expand if Tehran’s allies join the fray. Hackers supporting Iran claimed responsibility for a significant cyberattack Wednesday against U.S. medical device company Stryker. Since the war began Feb. 28, they also have tried to penetrate cameras in Middle Eastern countries to improve Iran’s missile targeting. They have targeted data centers in the region, as well as industrial facilities in Israel, a school in Saudi Arabia and an airport in Kuwait."
        https://www.securityweek.com/iran-linked-hackers-take-aim-at-us-and-other-targets-raising-risk-of-cyberattacks-during-war/
      • February 2026 APT Group Trends Report
        "Among the activities of APT groups in February 2026, attacks by APT28, Lotus Blossom, TA-RedAnt (APT37), UAT-8616, UNC3886, and UNC6201 were particularly prominent. Lotus Blossom exploited the Notepad++ supply chain infrastructure to inject malicious executables into legitimate update processes, combining DLL sideloading with multi-stage loaders to deploy the Chrysalis backdoor and Cobalt Strike Beacon."
        https://asec.ahnlab.com/en/92906/
      • February 2026 Infostealer Trend Report
        "This report provides statistics, trends, and case information regarding the no. of malware distribution cases, distribution methods, and disguise techniques for Infostealer collected and analyzed during the month of February 2026. Below is a summary of the report’s original content."
        https://asec.ahnlab.com/en/92902/
      • February 2026 Phishing Email Trends Report
        "This report provides statistics, trends, and case information regarding the distribution volume and attachment threats of phishing emails collected and analyzed during the month of February 2026. The report below contains some statistical data and cases included in the original content."
        https://asec.ahnlab.com/en/92907/

      References
      Electronic Transactions Development Agency (ETDA)
