
Briefing

Executive Summary

The week of March 30, 2026 presents an elevated threat posture across cloud infrastructure, mobile platforms, critical infrastructure OT/ICS systems, and the software supply chain. The SCC pipeline processed 60+ intelligence items this week, identifying multiple concurrent critical-priority threats demanding immediate security team attention. The most urgent items include an active AI-augmented OAuth phishing campaign that has already compromised 344 organizations via Microsoft 365 and Entra ID (priority score 0.659), the TeamPCP PyPI supply chain campaign deploying audio-steganography malware through the telnyx package versions 4.87.1 and 4.87.2 (priority score 0.632), and the commoditization of nation-state iOS exploit kits (Coruna and DarkSword) now publicly available on GitHub and confirmed in use by TA446. Iran-linked cyber operations against U.S. and Israeli critical infrastructure — particularly healthcare, PLCs, and supply chains — remain at critical severity and carry a persistent harassment pattern documented by CISA advisory AA23-335A. The European Commission breach attributed to ShinyHunters (350 GB claimed, AWS-hosted infrastructure) and the Geopolitical Convergence campaign exploiting Cleo Managed File Transfer (CVE-2024-55956, CVE-2024-50623) represent the week’s most impactful data and infrastructure compromise events. Supply chain attacks continued their ascent as the top global cyber threat vector, with developer toolchain compromises via TeamPCP affecting KICS, Trivy, LiteLLM, and VS Code extension ecosystems. No new CISA Emergency Directives were issued this week. Citrix NetScaler (CVSS 9.1) and Linux AppArmor privilege escalation vulnerabilities require immediate patching attention across enterprise environments.

Critical Action Items

  1. TeamPCP PyPI Campaign — Remove telnyx 4.87.1 and 4.87.2 Immediately (SCC-CAM-2026-0112)
    Affected: telnyx PyPI package versions 4.87.1 and 4.87.2; all platforms (Windows, Linux, macOS); CI/CD pipelines broadly.
    Action: Run pip show telnyx across all Python environments and CI/CD pipelines. Remove affected versions. Rotate all secrets, API tokens, SSH keys, and cloud credentials accessible in any pipeline where either version was installed. Rebuild affected container images. Block both versions in your artifact proxy. Verify against the official PyPI hash: https://pypi.org/project/telnyx/.
    IOC: telnyx==4.87.1, telnyx==4.87.2 (PyPI). WAV file artifacts in Python package directories are a behavioral indicator.
  2. Microsoft OAuth Phishing Campaign — Audit Entra ID OAuth Consents Immediately (SCC-CAM-2026-0123)
    Affected: Microsoft 365, Microsoft Entra ID, Microsoft OAuth 2.0 endpoints. 344 organizations confirmed compromised.
    Action: Navigate to Entra ID > Enterprise Applications > All Applications, filter for user-consented apps added in the last 90 days. Revoke unrecognized consents. Revoke refresh tokens via revokeSignInSessions. Enable admin-only consent policy. Query AuditLogs for Add OAuth2PermissionGrant events.
    Framework: NIST SP 800-53 AC-2, IA-2; CIS v8 6.3, 6.5.
  3. Citrix NetScaler Critical Vulnerability (CVSS 9.1) — Patch Immediately (SCC-CVE-2026-0023, SCC-CVE-2026-0026)
    Affected: Citrix NetScaler ADC and NetScaler Gateway — see Citrix Security Bulletin CTX696300 for specific version ranges.
    Action: Retrieve CTX696300 from support.citrix.com. Apply patches to all NetScaler ADC and Gateway appliances. Patch CVE-2026-3055 and CVE-2026-4368 in the same maintenance window. Restrict management interface access to trusted IP ranges via ACL if patching is delayed. Confirm patch application via CLI version verification.
    No CISA KEV listing confirmed at time of reporting; monitor for addition.
  4. Iran-Linked Critical Infrastructure Campaign — Isolate OT/ICS Assets (SCC-CAM-2026-0124)
    Affected: Healthcare hospitals, PLCs/ICS systems, supply chains, U.S. and Israeli critical infrastructure.
    Action: Immediately isolate internet-facing PLCs and ICS/OT assets from corporate IT networks per CISA AA23-335A guidance. Disable default and shared credentials on all ICS/SCADA devices. Enforce MFA on remote access to clinical systems. Reference: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a.
  5. iOS Exploit Kit Commoditization — Enforce MDM Patch Policy (SCC-CAM-2026-0118, SCC-CAM-2026-0113)
    Affected: iOS 13.0–17.2.1 (Coruna), iOS 18.4–18.7 (DarkSword), all iPadOS versions prior to latest release. TA446 confirmed using DarkSword with GHOSTBLADE and MAYBEROBOT payloads.
    Action: Query MDM for all devices below the latest available iOS release. Suspend corporate email access for non-compliant devices. Block inbound emails spoofing atlanticcouncil.org (DMARC/SPF failures). Update to iOS/iPadOS 26.4 per Apple Security Releases: https://support.apple.com/en-us/100100 (validate before use).
  6. Linux AppArmor Privilege Escalation (CrackArmor) — Identify and Patch (SCC-CVE-2026-0025)
    Affected: Linux AppArmor across Ubuntu, Debian, SUSE, and derivative distributions. CVSS 7.8. Allows local privilege escalation to root via confused deputy vulnerabilities.
    Action: Run aa-status on all Linux hosts to confirm AppArmor is active. Restrict interactive shell access for non-admin accounts pending patch. Monitor Qualys TRU advisory for confirmed affected version ranges and patch availability. Audit process creation logs for unexpected root-owned processes from non-root parent PIDs.
  7. BPFdoor / Red Menshen Telecom Campaign — Deploy Kernel-Level Detection (SCC-CAM-2026-0115, SCC-CAM-2026-0107)
    Affected: Linux systems with BPF-capable kernels, global telecom providers. Initial access via Ivanti, Cisco, Juniper, Fortinet, VMware, Palo Alto, and Apache Struts vulnerabilities.
    Action: Run bpftool prog list and bpftool map list on all Linux hosts. Check /proc/net/packet and /proc/net/raw for unexpected raw socket holders. Enable auditd bpf() syscall logging. Apply all available patches to listed perimeter appliances. Standard port scans and netstat will NOT reveal BPFdoor.
  8. Cleo Managed File Transfer — Patch CVE-2024-55956 and CVE-2024-50623 (SCC-CAM-2026-0109)
    Affected: Cleo Harmony, VLTrader, and LexiCom — all versions prior to vendor-patched releases. Actively exploited by Cl0p and affiliated actors targeting OT/ICS environments.
    Action: Isolate Cleo instances from external access immediately. Block inbound connections to Cleo autorun directories at the perimeter firewall. Apply Cleo’s official patches. Audit autorun directory contents and rotate all credentials with access to Cleo instances. If compromise is confirmed, reimage rather than patch in place.

Key Security Stories

ShinyHunters Claims 350GB Haul from European Commission AWS Breach

ShinyHunters claimed responsibility for a breach of European Commission AWS-hosted cloud infrastructure, asserting exfiltration of approximately 350 GB of data including employee email and PII. The breach reportedly exploited federated SSO identity providers — Okta, Microsoft Entra ID, and Google SSO — as the entry path into AWS resources. As of the March 30 reporting date, the Commission has confirmed an investigation is underway but no official attribution or technical confirmation has been published.

The attack pattern is consistent with ShinyHunters’ established tradecraft: phishing for SSO credentials (T1566), session cookie theft (T1539), exploitation of cloud accounts (T1078.004), and large-scale automated exfiltration from S3 (T1530, T1567). The absence of phishing-resistant MFA on federated identity providers is the critical control failure. Detection surfaces are AWS CloudTrail (high-volume GetObject and CopyObject events) and SSO provider audit logs for OAuth token grant anomalies.

Organizations with AWS environments federated via Okta, Entra ID, or Google Workspace should immediately audit active sessions and OAuth token grants, and review CloudTrail for anomalous S3 data access. The item’s CVSS base is 9.5. This incident is the second confirmed SCC item (alongside SCC-DBR-2026-0064) covering the same underlying breach from different reporting angles, both confirming the AWS and SSO compromise vectors.

Affected: AWS-hosted environments federating identity via Okta, Microsoft Entra ID, Google SSO. Status: Under investigation; breach confirmed. Sources: BleepingComputer, TechZine (T3); no official EC technical disclosure as of reporting date.

TeamPCP PyPI Supply Chain Campaign: Audio Steganography in telnyx Package

The TeamPCP threat actor group compromised the legitimate telnyx PyPI package, publishing malicious versions 4.87.1 and 4.87.2 that embed credential-harvesting code using audio steganography (T1027.003) to conceal payloads within WAV files. The campaign also affected litellm, Trivy, and KICS. Credentials targeted include cloud provider tokens, SSH private keys, API keys, and CI/CD pipeline secrets across Windows, Linux, and macOS environments.

This is a developer toolchain supply chain attack (T1195.001) with confirmed IOCs: the PyPI URLs pypi.org/project/telnyx/4.87.1/ and pypi.org/project/telnyx/4.87.2/ are confirmed malicious. The use of audio steganography to bypass static analysis tools represents a meaningful evasion advancement. The attack also compromised the KICS GitHub Action and Trivy scanner — tools used in security scanning workflows — which represents a particularly high-impact supply chain vector as compromised security tools can disable detection precisely when adversaries need cover.

Organizations should treat any secrets accessible in environments that ran telnyx 4.87.1 or 4.87.2 as fully compromised and rotate immediately. The LiteLLM security advisory at docs.litellm.ai/blog/security-update-march-2026 should be validated directly. Datadog Security Labs’ analysis at securitylabs.datadoghq.com/articles/litellm-compromised-pypi-teampcp-supply-chain-campaign/ provides primary technical detail (human URL validation recommended before operational use).

Affected: telnyx 4.87.1, 4.87.2; litellm; Trivy; KICS (GitHub Action); all CI/CD platforms. Priority Score: 0.632 (highest supply chain item this week). Sources: Datadog Security Labs, Aikido, LiteLLM official advisory, Snyk.

AI-Augmented OAuth Phishing Campaign Compromises 344 Organizations via Microsoft Cloud

Microsoft Threat Intelligence documented an active phishing campaign using AI-augmented spearphishing links (T1566.002) to harvest Microsoft Entra ID OAuth tokens and steal application access tokens (T1528) at scale, confirmed across 344 organizations. The campaign bypasses traditional MFA by stealing session cookies (T1539) and OAuth refresh tokens rather than credentials themselves, leaving phishing-resistant authentication as the only reliable defense.

Attackers registered malicious OAuth applications and socially engineered users into granting delegated permissions with high-privilege scopes including Mail.Read, Files.ReadWrite, and Contacts.Read. Once token grants are obtained, attacker infrastructure accesses Microsoft 365 resources using the Application Access Token technique (T1550.001) without requiring further user interaction. The AI augmentation enables personalized, contextually appropriate phishing content at a scale that defeats conventional security awareness training.

Immediate defensive action requires auditing all Entra ID OAuth consents, enabling admin-only consent policy, and deploying FIDO2 phishing-resistant MFA. Defender for Cloud Apps OAuth App Policy alerts and Sentinel’s AuditLogs table (query: AuditLogs | where ActivityDisplayName == 'Consent to application') are the primary detection surfaces. No specific IOCs (domains, application IDs) have been published in available sources as of the Microsoft Security Blog post dated March 2, 2026.
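The consent audit described above, carried out over exported audit records, as an added example (not Microsoft's or the briefing's own tooling). It assumes records shaped like Sentinel's AuditLogs export (ActivityDisplayName, ActivityDateTime, InitiatedBy, TargetResources[].modifiedProperties with a "ConsentAction.Permissions" entry); those field names are an assumption and every record is constructed.

```python
"""Triage exported Entra ID audit records for risky delegated OAuth consents.

Added example for this briefing, not Microsoft's or the report's own tooling.
Field names follow the assumed Sentinel AuditLogs shape; all records below are
constructed sample data, not real tenant events.
"""
import re
from datetime import datetime, timedelta, timezone

# Delegated scopes the campaign abused, per the briefing.
HIGH_PRIVILEGE_SCOPES = {"Mail.Read", "Files.ReadWrite", "Contacts.Read"}
CONSENT_ACTIVITIES = {"Consent to application", "Add OAuth2PermissionGrant"}
LOOKBACK = timedelta(days=90)            # the 90-day window from the action item
REPORTING_DATE = datetime(2026, 3, 30, tzinfo=timezone.utc)

def extract_scopes(record):
    """Return the set of scopes named in the record's ConsentAction.Permissions property."""
    scopes = set()
    for target in record.get("TargetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") != "ConsentAction.Permissions":
                continue
            # newValue is rendered like "[] -> [Scope: Mail.Read Files.ReadWrite, ...]"
            match = re.search(r"Scope:\s*([^,\]]+)", prop.get("newValue", ""))
            if match:
                scopes.update(match.group(1).split())
    return scopes

def find_risky_consents(records, now):
    """Consent events inside LOOKBACK that grant at least one high-privilege scope."""
    findings = []
    for rec in records:
        if rec.get("ActivityDisplayName") not in CONSENT_ACTIVITIES:
            continue
        when = datetime.fromisoformat(rec["ActivityDateTime"].replace("Z", "+00:00"))
        if now - when > LOOKBACK:
            continue
        risky = extract_scopes(rec) & HIGH_PRIVILEGE_SCOPES
        if not risky:
            continue
        app = next((t.get("displayName") for t in rec.get("TargetResources", [])
                    if t.get("type") == "ServicePrincipal"), "<unknown app>")
        user = rec.get("InitiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")
        findings.append({"time": rec["ActivityDateTime"], "user": user,
                         "app": app, "scopes": sorted(risky)})
    return findings

def _consent(when, user, app, scope_text):
    """Build one constructed audit record in the assumed shape."""
    return {
        "ActivityDisplayName": "Consent to application",
        "ActivityDateTime": when,
        "InitiatedBy": {"user": {"userPrincipalName": user}},
        "TargetResources": [{
            "type": "ServicePrincipal", "displayName": app,
            "modifiedProperties": [{"displayName": "ConsentAction.Permissions",
                                    "newValue": f"[] -> [Scope: {scope_text}, ...]"}],
        }],
    }

SAMPLE_RECORDS = [  # constructed sample data
    _consent("2026-03-28T09:14:02Z", "alice@example.com", "Mail Sync Helper",
             "Mail.Read Files.ReadWrite offline_access"),                             # high-privilege, recent
    _consent("2026-03-29T11:00:00Z", "bob@example.com", "Team Calendar", "User.Read"),  # low-privilege
    _consent("2025-11-01T08:00:00Z", "carol@example.com", "Old Mail Tool", "Mail.Read"),  # outside 90 days
]

def audit_sample():
    """Run the check over the constructed records as of the briefing's reporting date."""
    return find_risky_consents(SAMPLE_RECORDS, REPORTING_DATE)

if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['time']} {f['user']} granted {f['app']}: {', '.join(f['scopes'])}")
```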

Affected: Microsoft 365, Entra ID, OAuth 2.0 authorization endpoints. Priority Score: 0.659 (highest campaign item this week). Source: Microsoft Security Blog, 2026-03-02.

Iran-Linked Operations Escalate Against U.S. and Israeli Critical Infrastructure

Iran-linked actors — including Handala and Homeland Justice — continued persistent cyber operations against U.S. and Israeli critical infrastructure, with confirmed targeting of healthcare institutions, industrial control systems (PLCs), supply chains, and government entities. The current campaign phase extends the documented pattern from CISA advisory AA23-335A, which details PLC exploitation including Modbus and EtherNet/IP device targeting. CISA AA23-335A IOC context is available at: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a.

Separately, the Iran-linked Handala group claimed breach of FBI Director Kash Patel’s personal email account (SCC-DBR-2026-0067). Attribution is based on group self-claim; no technical IOCs have been independently verified. The claim is consistent with Handala’s known targeting of high-profile U.S. officials and their documented use of phishing (T1566) and email account compromise (T1586.002). The breach of personal rather than government accounts highlights the gap in OPSEC for senior officials conducting work-adjacent communications through personal channels.

Organizations in healthcare, critical manufacturing, energy, water, and government sectors should treat this as an active, ongoing campaign requiring sustained elevated defensive posture. Key controls: isolate OT from IT networks, enforce MFA on all remote access to clinical and operational systems, rotate ICS/SCADA default credentials, and monitor Modbus TCP/502, EtherNet/IP/44818, and S7 TCP/102 for unexpected connections.

Affected: U.S. and Israeli healthcare, ICS/OT, supply chains, government entities. Severity: Critical. Sources: CISA AA23-335A (primary); secondary media reporting for current campaign phase.

BPFdoor Upgraded: Red Menshen Hardens Kernel-Level Telecom Implant

China-nexus actor Red Menshen (MITRE ATT&CK G0112) has deployed an upgraded variant of BPFdoor against global telecommunications providers, hardening the implant against detection through improved magic-packet activation (T1205.002), enhanced socket filter obfuscation, and systemd service persistence (T1543.002). BPFdoor’s fundamental design — passive backdoor activated by network magic packets, no outbound C2 beacon, no listening port — renders it invisible to standard port scanning, netstat, and ss commands.

The upgraded variant maintains the defining characteristic that makes BPFdoor particularly dangerous for telecom environments: it can remain dormant for extended periods, activated only when attacker infrastructure sends the appropriate magic packet to any port on the compromised host. Detection requires kernel-level telemetry unavailable in most enterprise security stacks. Organizations should run bpftool prog list and bpftool map list on all Linux hosts immediately, enable auditd bpf() syscall logging, and consider deploying eBPF-aware runtime security tools such as Falco or Tracee.

Initial access vectors include Ivanti VPN appliances, Cisco, Juniper, Fortinet, VMware, Palo Alto Networks, and Apache Struts — all of which have had critical CVEs in the 2021–2026 timeframe. Any unpatched instance of these products in internet-facing roles should be treated as a potential Red Menshen initial access target.

Affected: Linux systems with BPF-capable kernels; global telecommunications providers. Priority Score: 0.482. Sources: Rapid7, Security Affairs threat research.

Nation-State iOS Exploit Kits Commoditized: Coruna and DarkSword Available Publicly

Two nation-state-grade iOS exploit kits — Coruna (targeting iOS 13.0–17.2.1) and DarkSword (targeting iOS 18.4–18.7) — have been leaked publicly on GitHub, dramatically lowering the barrier for iOS-targeted espionage operations. TA446 (a tracked threat actor group) has been confirmed using DarkSword alongside GHOSTBLADE dataminer and MAYBEROBOT backdoor payloads in spearphishing campaigns impersonating the Atlantic Council (T1566.001). Specific IOC hashes are not confirmed in available source data; behavioral detection is the primary viable approach.

The commoditization of previously nation-state-exclusive mobile exploit tooling represents a structural escalation in mobile threat landscape risk. What once required significant resources and technical expertise to develop is now accessible to criminal actors with modest capability. Organizations with BYOD programs or corporate iOS device fleets face materially elevated risk from keychain credential theft (T1417, T1552.001), location tracking (T1430), and protected user data collection (T1636).

Apple’s security update cadence is the primary mitigation. MDM enforcement of minimum OS version compliance is mandatory. Organizations without Mobile Threat Defense (MTD) deployed on iOS devices should prioritize MTD deployment evaluation. Monitor email gateways for DMARC/SPF failures referencing atlanticcouncil.org as a current spearphishing lure indicator.

Affected: iOS 13.0–17.2.1 (Coruna); iOS 18.4–18.7 (DarkSword); iPadOS corresponding versions. Priority Scores: 0.582 (commodity campaign), 0.482 (TA446 campaign). Sources: Media reporting (T3); human URL validation required for all source references.

Ransomware Attack Disrupts Spain’s Port of Vigo; U.S. Healthcare and Municipal Government Targets Also Hit

A ransomware attack struck Spain’s Port of Vigo, disrupting digital operations, cargo management systems, and port services servers (T1486, T1490). Spain’s national CSIRT CCN-CERT is involved in response; no ransomware group has been formally attributed and no IOCs have been publicly released. The attack follows the documented pattern of ransomware operators targeting maritime and logistics critical infrastructure, where operational disruption has direct supply chain and economic consequences beyond the compromised organization itself.

Simultaneously, the SCC pipeline confirmed critical ransomware campaigns disrupting U.S. healthcare systems and municipal government operations (SCC-CAM-2026-0104), with confirmed victims including DaVita, Kettering Health, and the City of Saint Paul, Minnesota in the broader Interlock/Hive0163 cluster. Texas Tech University System and the University of Hawaii Cancer Center (1.2 million records exposed) also reported ransomware incidents this week. The convergence of healthcare, government, and critical infrastructure targeting reflects the sustained priority these sectors represent to ransomware operators.

Detection focus for all these incidents centers on T1490 behavioral signals: vssadmin delete shadows, bcdedit /set recoveryenabled no, wbadmin delete catalog. No confirmed IOCs are publicly available for the Port of Vigo or the municipal government incidents. CISA’s StopRansomware advisories remain the authoritative IOC source for the Interlock family.
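The three T1490 signals above, turned into detection logic over process-creation events, as an added example (not vendor or CISA content). Events are modelled on Sysmon Event ID 1 fields (Computer, User, ParentImage, Image, CommandLine); the field names are an assumption about your telemetry and all sample events are constructed.

```python
"""Flag T1490 (Inhibit System Recovery) commands in process-creation telemetry.

Added example for this briefing. Field names assume a Sysmon-like event shape;
every sample event below is constructed.
"""
import re
from collections import defaultdict

# The three command patterns the briefing lists, written to tolerate the usual
# variants: full paths, quoted images, optional .exe, {default} boot entry, mixed case.
_PREFIX = r"(?:^|[\\\s\"'])"
T1490_RULES = {
    "shadow-copy-deletion": re.compile(
        _PREFIX + r"vssadmin(?:\.exe)?[\"']?\s+delete\s+shadows\b", re.I),
    "recovery-disabled": re.compile(
        _PREFIX + r"bcdedit(?:\.exe)?[\"']?\s+/set\s+(?:\{[^}]+\}\s+)?recoveryenabled\s+no\b", re.I),
    "backup-catalog-deletion": re.compile(
        _PREFIX + r"wbadmin(?:\.exe)?[\"']?\s+delete\s+catalog\b", re.I),
}

def detect_t1490(events):
    """Return one finding per event whose CommandLine matches a T1490 rule."""
    findings = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        for rule, pattern in T1490_RULES.items():
            if pattern.search(cmd):
                findings.append({"rule": rule, "host": ev.get("Computer", "?"),
                                 "user": ev.get("User", "?"),
                                 "parent": ev.get("ParentImage", "?"), "cmd": cmd})
                break
    return findings

def hosts_with_chain(findings, min_rules=2):
    """Hosts where at least min_rules distinct rules fired: the pre-ransomware staging
    pattern (shadow copies, recovery and backups all removed) rather than one-off admin work."""
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f["host"]].add(f["rule"])
    return {host for host, rules in rules_by_host.items() if len(rules) >= min_rules}

def _event(host, user, parent, cmd):
    """Build one constructed process-creation event."""
    return {"Computer": host, "User": user, "ParentImage": parent,
            "Image": cmd.split()[0].strip('"'), "CommandLine": cmd}

SAMPLE_EVENTS = [  # constructed
    _event("WS-0142", "CORP\\svc_backup", r"C:\Windows\System32\cmd.exe",
           r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet'),
    _event("WS-0142", "CORP\\svc_backup", r"C:\Windows\System32\cmd.exe",
           "bcdedit  /set {default} recoveryenabled No"),
    _event("WS-0142", "CORP\\svc_backup", r"C:\Windows\System32\cmd.exe",
           "wbadmin delete catalog -quiet"),
    _event("WS-0007", "CORP\\jdoe", r"C:\Windows\explorer.exe",
           "vssadmin list shadows"),     # benign: enumerates, does not delete
    _event("WS-0007", "CORP\\jdoe", r"C:\Windows\explorer.exe",
           "bcdedit /enum"),             # benign
]

if __name__ == "__main__":
    found = detect_t1490(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f['rule']}] {f['host']} {f['user']} via {f['parent']}: {f['cmd']}")
    print("staging chain on:", sorted(hosts_with_chain(found)))
```

Alerting on the chain rather than a single command keeps legitimate backup maintenance from paging the on-call while still catching the full staging sequence.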

Affected: Port of Vigo digital infrastructure; U.S. healthcare and municipal government sectors broadly. Sources: CCN-CERT, media reporting (T3); IBM X-Force for Interlock/Hive0163 attribution.

GitHub Discussions Weaponized: Fake VS Code Alerts Funnel Developers Through Reconnaissance Pipeline

A developer-targeted campaign is abusing GitHub’s notification system to deliver fake VS Code security alerts via GitHub Discussions, directing recipients to Google Drive-hosted first-stage JavaScript payloads. The campaign exploits developer trust in GitHub notifications — a trusted communication channel — to bypass standard phishing awareness training. The payload performs environment fingerprinting (OS version checks, process enumeration, sandbox detection via T1497.001) before proceeding, making sandbox analysis inconclusive and static detection unreliable.

Google Drive URLs serve as the confirmed payload staging infrastructure (drive.google.com, medium confidence). The second-stage payload remains uncharacterized in available reporting, and no confirmed IOC hashes are published. This campaign is categorized as a mandatory-coverage item as a developer tool/IDE compromise targeting the software development supply chain. Organizations should alert all development staff to treat unsolicited GitHub Discussion notifications citing CVE IDs or VS Code vulnerabilities as suspect, and should review proxy logs for Google Drive downloads following GitHub notification interaction.

Detection requires behavioral analysis: look for JavaScript execution following GitHub.com page loads, system profiling scripts (OS checks, process enumeration) from browser-spawned processes, and outbound connections from developer workstations to Google Drive within 10–60 minutes of receiving a GitHub notification.

Affected: GitHub Discussions platform; VS Code extensions ecosystem; Google Drive (payload staging); developer workstations. Priority Score: 0.382. Source: Media reporting (T3); no primary technical source published as of reporting date.

Geopolitical Convergence: State Actors, Hacktivists, and Ransomware Target OT/ICS via Cleo MFT

A convergent threat campaign combines state-sponsored actors, hacktivist groups, and ransomware operators (including Cl0p) targeting critical infrastructure OT/ICS systems, with Cleo Managed File Transfer software serving as a confirmed initial access vector via CVE-2024-55956 (unauthenticated arbitrary file write, autorun directory exploitation) and CVE-2024-50623 (unrestricted file upload and download). These CVEs affect Cleo Harmony, VLTrader, and LexiCom — file transfer platforms widely deployed in supply chain, energy, and logistics environments where IT and OT networks intersect.

The actor taxonomy — state, hacktivist, and criminal — operating simultaneously against the same infrastructure class reflects a maturation of the cyber threat environment where geopolitical objectives, ideological motivations, and financial incentives converge on high-value infrastructure targets. The shift from opportunistic targeting to deliberate infrastructure convergence makes attribution-driven response prioritization less effective; organizations should triage by TTP and infrastructure exposure rather than assumed actor category.

Organizations running Cleo products should isolate instances from external access immediately, audit autorun directories for unauthorized files, and apply official Cleo patches. The broader OT/ICS implications require network segmentation validation between Cleo-adjacent IT systems and OT segments. Darktrace and Rapid7 have published behavioral detection signatures specific to Cleo post-exploitation.

Affected: Cleo Harmony, VLTrader, LexiCom; OT/ICS in energy, water, agriculture; telecom networks. CVEs: CVE-2024-55956, CVE-2024-50623. Priority Score: 0.558. Sources: Rapid7, Darktrace, Cybereason advisories.

TeamPCP Targets Developer Security Toolchain: KICS, Trivy, VS Code, and LiteLLM

The TeamPCP actor group extended its supply chain operations beyond the telnyx PyPI package to compromise the Checkmarx KICS GitHub Action, Trivy vulnerability scanner, LiteLLM AI library, and unspecified VS Code plugins. The significance of this campaign cannot be overstated: by compromising security scanning tools (KICS, Trivy), the attacker gains the ability to run malicious code on development infrastructure during security review steps — the precise moment when defenses are expected to be strongest. This represents a “fox guarding the henhouse” supply chain compromise pattern.

Primary sources with confirmed IOC information include Wiz (KICS GitHub Action analysis), ReversingLabs (LiteLLM and broader campaign), Endor Labs (ongoing actor operations), and Snyk (LiteLLM backdoor via poisoned security scanner). Organizations should pin GitHub Actions references to known-good commit SHAs rather than mutable tags, audit all VS Code extensions for recently modified or unverified publishers, and treat any secrets accessible in CI/CD environments that used affected tools as potentially compromised.
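The SHA-pinning audit recommended above, as an added example (not code from Checkmarx, Aqua or any project named here). It parses workflow files line by line without a YAML library; the workflow text is constructed, including its placeholder 40-hex SHA and the tags on the real action names it references.

```python
"""Report GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added example implementing the pinning check the briefing recommends. The
sample workflow is constructed; its SHA is a placeholder, not a real commit.
"""
import re

USES_RE = re.compile(r"""^[ \t]*-?[ \t]*uses:[ \t]*['"]?(?P<ref>[^'"#\s]+)""", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify_uses(ref):
    """'sha'/'digest' are immutable; 'local' moves with the calling repo; 'mutable' is the finding."""
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "digest" if "@sha256:" in ref else "mutable"   # image tags can be re-pointed too
    if "@" not in ref:
        return "mutable"                                        # no ref resolves to the default branch
    version = ref.rpartition("@")[2]
    return "sha" if FULL_SHA_RE.match(version) else "mutable"  # tags and branches can be moved

def unpinned_actions(workflow_text):
    """Return [(line_no, ref)] for every uses: value not pinned to an immutable identifier."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        ref = m.group("ref")
        if classify_uses(ref) == "mutable":
            findings.append((workflow_text.count("\n", 0, m.start()) + 1, ref))
    return findings

SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5 (constructed SHA)
      - name: KICS
        uses: checkmarx/kics-github-action@v2
      - uses: ./.github/actions/notify
      - uses: "aquasecurity/trivy-action@master"
      - uses: docker://ghcr.io/example/scanner:latest
"""

if __name__ == "__main__":
    for line_no, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is not pinned to a commit SHA")
```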

Affected: Checkmarx KICS (GitHub Action), Trivy, VS Code plugins, LiteLLM. Priority Score: 0.508. Sources: Wiz (wiz.io), ReversingLabs (reversinglabs.com), Endor Labs (endorlabs.com), Snyk — all URLs require human validation before operational use.

HwAudKiller Campaign: BYOVD Kernel-Mode EDR Killer Deployed via Tax Season Malvertising

A sophisticated malvertising campaign exploits tax season search activity to deliver trojanized ConnectWise ScreenConnect installers via fraudulent Google Ads. Upon execution, the attack chain deploys HWAuidoOs2Ec.sys — a signed but vulnerable Huawei audio driver — as a Bring Your Own Vulnerable Driver (BYOVD) kernel-mode EDR killer that terminates Microsoft Defender, Kaspersky, and SentinelOne. Post-EDR neutralization, FleetDeck Agent is deployed for persistent remote access, followed by NetExec for credential dumping and lateral movement — a classic pre-ransomware staging sequence.

The BYOVD technique using a newly identified signed Huawei driver (not previously on vulnerable driver lists as of March 2026) means existing Windows Driver Block Rules may not block it. Organizations should add HWAuidoOs2Ec.sys to WDAC or driver blocklist policies immediately. Microsoft Defender detects it as VulnerableDriver:WinNT/Winring0 if definitions are current. Any ConnectWise ScreenConnect installation sourced from search engine advertisements should be verified against official ConnectWise release hashes before execution.

Affected: Windows endpoints; ConnectWise ScreenConnect (trojanized); Microsoft Defender, Kaspersky, SentinelOne (targeted for termination). Priority Score: 0.358. Sources: Securonix (primary attribution); Microsoft Defender AV documentation.

Infinity Stealer Combines ClickFix with Nuitka-Compiled Python to Target macOS Credentials

A new macOS-targeting infostealer campaign uses ClickFix-style social engineering — fake Cloudflare CAPTCHA prompts instructing users to paste Terminal commands — to deliver Infinity Stealer, compiled using Nuitka to embed a Python runtime and evade signature-based detection. The stealer targets macOS Keychain (T1555.001), Chromium and Firefox browser credential stores (T1555.003), cryptocurrency wallet directories, and developer .env secret files (T1552.001).

The Nuitka compilation approach produces single large Mach-O binaries containing an embedded Python runtime, which appear unfamiliar to static analysis tools trained on traditional macOS malware profiles. No confirmed IOC hashes or C2 domains are available from current sources. Detection relies entirely on behavioral signals: Terminal process spawns from browser clipboard paste events, Python runtimes executing from non-standard paths, and file read events targeting ~/Library/Keychains/ and browser profile credential stores.

Organizations with macOS developer populations or cryptocurrency holdings should treat this as a high-priority threat. Security awareness training should explicitly cover ClickFix-style social engineering, which bypasses conventional phishing recognition by targeting Terminal execution rather than credential entry on a phishing page.

Affected: macOS (all recent versions); Chromium browsers; Firefox; macOS Keychain; crypto wallets; developer .env stores. Priority Score: 0.382. Sources: Malwarebytes, BleepingComputer (T3).

Resolv DeFi Platform Breach: $24.5M Lost via Unauthorized USR Stablecoin Minting

The Resolv DeFi platform suffered a security breach resulting in approximately $24.5 million in losses through unauthorized minting of USR stablecoins. The attack exploited access control bypass or input validation failure in the minting mechanism (T1190, T1565.001) to mint approximately $80 million in unauthorized tokens, of which $24.5 million was successfully extracted before the attack was detected and contained. The remaining unauthorized minted volume represents the protocol’s exposure had intervention been delayed.

While DeFi incidents may appear outside traditional enterprise scope, the relevant security question for most organizations is whether treasury or finance teams have authorized DeFi integrations, whether third-party vendors (payment processors, treasury management platforms) hold DeFi dependencies, and whether organizational funds are exposed through approved stablecoin holdings. For security teams operating or auditing smart contract systems, the control failures here — absent caller authentication on mint functions, no rate limits, no circuit breakers — are directly mappable to application security controls under ISO 27001 A.8.26 and NIST SP 800-53 SI-10.

Affected: Resolv DeFi Protocol, USR stablecoin minting mechanism. Severity: Critical (CVSS 9.1). Source: Media reporting (T3); on-chain forensic analysis from blockchain analytics platforms.

CISA KEV & Critical CVE Table

CVE-2026-3055 (ref)
    Product: Citrix NetScaler ADC / Gateway
    CVSS: 9.1 (Critical)
    EPSS: Not confirmed
    Exploitation Status: Disclosed; no confirmed active exploitation as of reporting date
    KEV Deadline: Not on KEV as of reporting date
    Description: Unauthenticated remote information disclosure. CWE-200. See Citrix bulletin CTX696300 for affected versions.
CVE-2026-4368 (ref)
    Product: Citrix NetScaler ADC / Gateway
    CVSS: Not confirmed from available data
    EPSS: Not confirmed
    Exploitation Status: Disclosed; patch simultaneously with CVE-2026-3055
    KEV Deadline: Not on KEV as of reporting date
    Description: Additional vulnerability disclosed alongside CVE-2026-3055. See CTX696300.
CrackArmor (CVE pending)
    Product: Linux AppArmor (Ubuntu, Debian, SUSE)
    CVSS: 7.8 (High)
    EPSS: Not confirmed
    Exploitation Status: Disclosed; patch status pending per distribution security channels
    KEV Deadline: Not on KEV
    Description: Confused deputy vulnerabilities enabling local privilege escalation to root. Qualys TRU advisory provides version scope. CWE-269.
CVE-2024-55956
    Product: Cleo Harmony, VLTrader, LexiCom
    CVSS: Not confirmed from SCC data
    EPSS: Not confirmed
    Exploitation Status: Actively exploited (Cl0p and state-adjacent actors confirmed)
    KEV Deadline: Check CISA KEV: cisa.gov/kev
    Description: Unauthenticated arbitrary file write to autorun directory enabling code execution on MFT platform. Critical infrastructure impact confirmed.
CVE-2024-50623
    Product: Cleo Harmony, VLTrader, LexiCom
    CVSS: Not confirmed from SCC data
    EPSS: Not confirmed
    Exploitation Status: Actively exploited alongside CVE-2024-55956
    KEV Deadline: Check CISA KEV
    Description: Unrestricted file upload and download vulnerability in Cleo MFT products. Patch with CVE-2024-55956 simultaneously.
SCC-DBR-2026-0070 / 0064 (ShinyHunters EC Breach)
    Product: AWS cloud accounts; Okta/Entra ID/Google SSO federation
    CVSS: 9.5 (Critical, SCC rating)
    EPSS: N/A
    Exploitation Status: Active breach; investigation ongoing
    KEV Deadline: N/A
    Description: SSO federation exploitation and cloud account compromise leading to mass S3 data exfiltration. No CVE assigned; architectural control failure.
PerplexedBrowser (CVE pending)
    Product: Perplexity Comet AI Browser (pre-patch v1.0.41)
    CVSS: 7.5 (High)
    EPSS: Not confirmed
    Exploitation Status: Patched in v1.0.41; XSS resolved 2026-02-19
    KEV Deadline: Not on KEV
    Description: Misconfigured trust boundary allowing indirect prompt injection via third-party Arkose Labs CAPTCHA component. CWE-346, CWE-693. Zero-click browser session hijacking chain.
DarkSword / Coruna iOS (CVEs pending)
    Product: Apple iOS 13.0–17.2.1 (Coruna); iOS 18.4–18.7 (DarkSword)
    CVSS: 9.5 (Critical, SCC rating)
    EPSS: Not confirmed
    Exploitation Status: Active exploitation by TA446; tools publicly leaked on GitHub
    KEV Deadline: Not on KEV as of reporting date
    Description: Nation-state iOS exploit kits now publicly available. Enables keychain credential theft, location tracking, data collection. Update to latest iOS immediately.

Note: CVE IDs marked “(ref)” or “(pending)” reflect SCC item identifiers or pending formal NVD assignment. Validate all CVE IDs against the National Vulnerability Database at nvd.nist.gov before operational use. EPSS scores were not available in source data for this week’s items.

Supply Chain & Developer Tool Threats

TeamPCP PyPI Campaign: Highest-Priority Supply Chain Incident of the Week

The TeamPCP PyPI campaign (SCC-CAM-2026-0112, SCC-CAM-2026-0100) represents the most technically sophisticated and highest-priority supply chain incident this week. The confirmed malicious packages — telnyx 4.87.1 and 4.87.2 — use audio steganography (MITRE T1027.003) to conceal credential-harvesting code within WAV files embedded in the package, a technique specifically designed to defeat static analysis tools that scan for traditional obfuscation patterns. The campaign also reached the developer security toolchain by compromising KICS (Checkmarx GitHub Action), Trivy (vulnerability scanner), LiteLLM (AI library), and VS Code plugins.

Immediate Actions:

  • Scan all environments: pip show telnyx — remove versions 4.87.1 and 4.87.2
  • Search requirements.txt, Pipfile.lock, poetry.lock across all repositories
  • Audit KICS GitHub Action references — pin to verified commit SHA, not mutable tags
  • Check Trivy and LiteLLM installation versions against known-good hashes from official sources
  • Search Python package installation directories for unexpected WAV files
  • Rotate all secrets accessible in any affected pipeline environment
  • Block telnyx 4.87.1 and 4.87.2 in internal artifact proxies (Artifactory, Verdaccio)
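The first five actions above can be run as one sweep. The script below is an added example written for this briefing, not SCC pipeline code or anything from the telnyx project: it walks a checkout for requirements.txt, Pipfile.lock and poetry.lock pins of the two blocked versions, and lists WAV files inside a site-packages tree, which is where the steganographic payload sits. The fixture it scans is constructed in a temporary directory; the WAV bytes are a placeholder, not real audio.

```python
"""Hunt for the blocked telnyx versions and stray WAV files (added example)."""
import re
import tempfile
from pathlib import Path

# The two malicious releases named in this briefing.
BLOCKED = {("telnyx", "4.87.1"), ("telnyx", "4.87.2")}

# requirements.txt line:   telnyx==4.87.1
REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][A-Za-z0-9.]*)")
# poetry.lock stanza:      name = "telnyx"  /  version = "4.87.1"
POETRY_RE = re.compile(r'name\s*=\s*"([^"]+)"\s*\nversion\s*=\s*"([^"]+)"')
# Pipfile.lock entry:      "telnyx": {"hashes": [...], "version": "==4.87.1"}
PIPLOCK_RE = re.compile(r'"([A-Za-z0-9_.-]+)":\s*\{[^{}]*?"version":\s*"==([^"]+)"')


def normalize(name):
    """PEP 503 style normalisation so Telnyx, telnyx and TELNYX compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_blocked(filename, text):
    """Return sorted (package, version) pairs in one dependency file that are blocked."""
    if filename == "requirements.txt":
        pairs = [m.groups() for line in text.splitlines() if (m := REQ_RE.match(line))]
    elif filename == "poetry.lock":
        pairs = POETRY_RE.findall(text)
    elif filename == "Pipfile.lock":
        pairs = PIPLOCK_RE.findall(text)
    else:
        pairs = []
    return sorted({(normalize(n), v) for n, v in pairs if (normalize(n), v) in BLOCKED})


def scan_repo(root):
    """Walk a checkout and report blocked pins as (relative file, package, version)."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if path.name in ("requirements.txt", "poetry.lock", "Pipfile.lock"):
            text = path.read_text(encoding="utf-8", errors="replace")
            for pkg, ver in find_blocked(path.name, text):
                hits.append((path.relative_to(root).as_posix(), pkg, ver))
    return sorted(hits)


def unexpected_wavs(site_packages):
    """Audio files inside an installed Python distribution are unusual; list them."""
    root = Path(site_packages)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.suffix.lower() == ".wav")


def demo_scan():
    """Constructed fixture: a small repo with three dependency files and a fake site-packages."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp, "repo")
        (repo / "svc").mkdir(parents=True)
        (repo / "requirements.txt").write_text("requests==2.32.3\ntelnyx==4.87.1\n")
        (repo / "svc" / "poetry.lock").write_text(
            '[[package]]\nname = "telnyx"\nversion = "4.87.2"\n\n'
            '[[package]]\nname = "idna"\nversion = "3.7"\n')
        (repo / "Pipfile.lock").write_text(
            '{"default": {"idna": {"hashes": ["sha256:0"], "version": "==3.7"}, '
            '"telnyx": {"hashes": ["sha256:0"], "version": "==4.87.2"}}}')
        site = Path(tmp, "site-packages")
        (site / "telnyx" / "assets").mkdir(parents=True)
        (site / "telnyx" / "__init__.py").write_text("")
        # Placeholder bytes standing in for the embedded WAV; not real audio.
        (site / "telnyx" / "assets" / "notify.wav").write_bytes(b"RIFF....WAVE")
        return scan_repo(repo), unexpected_wavs(site)


if __name__ == "__main__":
    hits, wavs = demo_scan()
    for hit in hits:
        print("blocked pin:", *hit)
    for wav in wavs:
        print("unexpected audio:", wav)
```

Run it against real checkouts with `scan_repo("/path/to/repo")` and against each interpreter's `site-packages` with `unexpected_wavs(...)`; a WAV hit alone is not proof of compromise, but a WAV inside a package that has no audio purpose is the behavioural indicator the briefing's IOC table relies on.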

PhantomRaven npm Campaign: 88 Malicious Packages Targeting CI/CD Tokens

The PhantomRaven campaign (SCC-CAM-2026-0080) published 88 malicious npm packages typosquatting Babel, GraphQL Codegen, and other widely used developer tooling, targeting GitHub Actions secrets, GitLab CI variables, Jenkins credentials, and CircleCI environment variables via postinstall script execution. The campaign exploits developer trust in familiar package names and the convention of postinstall script execution in Node.js environments. GitLab published primary technical analysis of this campaign; BleepingComputer provides secondary coverage. Both source URLs require human validation before operational use.

Detection: Monitor npm debug logs for postinstall script execution on unfamiliar packages; alert on outbound HTTP/HTTPS from CI/CD build agents to non-registry destinations during npm install steps; compare package-lock.json against baselines for unexplained additions.
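The lockfile comparison and the postinstall check in the detection note can be automated. The following is an added example, not part of the briefing or of any GitLab analysis: it diffs two lockfileVersion 2/3 package-lock.json documents (added packages, version changes, resolved URLs pointing outside registry.npmjs.org) and lists packages whose package.json declares an install-time script. The lock contents, the package name babel-core-helper and the host mirror.example.net are constructed for the demo.

```python
"""package-lock.json baseline diff and install-hook inventory (added example)."""
from urllib.parse import urlparse

# Hosts a lockfile is expected to resolve tarballs from; extend for private proxies.
TRUSTED_REGISTRIES = {"registry.npmjs.org"}
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def lock_packages(lock):
    """Map node_modules path -> (version, resolved URL) for a v2/v3 package-lock."""
    return {path: (meta.get("version"), meta.get("resolved"))
            for path, meta in lock.get("packages", {}).items() if path}


def diff_lock(baseline, current):
    """Findings as sorted (kind, package path, detail) tuples."""
    base, cur = lock_packages(baseline), lock_packages(current)
    findings = []
    for path, (version, resolved) in cur.items():
        if path not in base:
            findings.append(("added", path, version))
        elif base[path][0] != version:
            findings.append(("version-changed", path, f"{base[path][0]} -> {version}"))
        host = urlparse(resolved).hostname if resolved else None
        if host and host not in TRUSTED_REGISTRIES:
            findings.append(("non-registry-source", path, host))
    for path in base.keys() - cur.keys():
        findings.append(("removed", path, base[path][0]))
    return sorted(findings)


def install_hooks(manifests):
    """Given {node_modules path: package.json dict}, list packages that run code at install."""
    out = []
    for path, manifest in manifests.items():
        scripts = manifest.get("scripts", {})
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                out.append((path, hook, scripts[hook]))
    return sorted(out)


def demo_lock_diff():
    """Constructed baseline/current lockfiles and manifests for the demo."""
    registry = "https://registry.npmjs.org"
    baseline = {"lockfileVersion": 3, "packages": {
        "": {"name": "app"},
        "node_modules/@babel/core": {"version": "7.24.0",
                                     "resolved": f"{registry}/@babel/core/-/core-7.24.0.tgz"},
        "node_modules/graphql": {"version": "16.8.1",
                                 "resolved": f"{registry}/graphql/-/graphql-16.8.1.tgz"},
    }}
    current = {"lockfileVersion": 3, "packages": {
        "": {"name": "app"},
        "node_modules/@babel/core": {"version": "7.24.0",
                                     "resolved": f"{registry}/@babel/core/-/core-7.24.0.tgz"},
        "node_modules/graphql": {"version": "16.9.0",
                                 "resolved": f"{registry}/graphql/-/graphql-16.9.0.tgz"},
        # Constructed lookalike name resolved from a non-registry host.
        "node_modules/babel-core-helper": {"version": "1.0.2",
                                           "resolved": "https://mirror.example.net/babel-core-helper-1.0.2.tgz"},
    }}
    manifests = {
        "node_modules/@babel/core": {"name": "@babel/core", "scripts": {"test": "jest"}},
        "node_modules/babel-core-helper": {"name": "babel-core-helper",
                                           "scripts": {"postinstall": "node setup.js"}},
    }
    return diff_lock(baseline, current), install_hooks(manifests)


if __name__ == "__main__":
    diff, hooks = demo_lock_diff()
    for finding in diff:
        print("lock:", *finding)
    for hook in hooks:
        print("install hook:", *hook)
```

In a pipeline, load the committed lockfile as the baseline and the post-install lockfile as current; any `added` or `non-registry-source` finding that also appears in the install-hook list is the combination PhantomRaven depends on and should fail the build pending review.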

GhostLoader npm Campaign: Fake npm Packages with Telegram C2 and BSC Blockchain Configuration

GhostLoader (SCC-CAM-2026-0093) published malicious npm packages via the confirmed publisher account “mikilanjillo” targeting macOS developers. The campaign uses a sudo credential phishing dialog displayed during npm install (T1056.002 GUI Input Capture) to harvest macOS system passwords, then exfiltrates browser credentials (T1555.003), SSH keys (T1552.004), and cryptocurrency wallet data via Telegram Bot API (api.telegram.org). Binance Smart Chain smart contracts store affiliate configuration, enabling a MaaS distribution model. This is a mandatory developer tool coverage item.

Confirmed IOCs: npm publisher “mikilanjillo” (block at registry proxy); api.telegram.org outbound connections from developer workstations (alert); BSC RPC calls from non-blockchain-development endpoints (investigate).

GitHub Discussions VS Code Fake Alert Campaign

As detailed in Key Security Stories, attackers are abusing GitHub’s notification delivery system to push fake VS Code security alerts via GitHub Discussions, with payloads staged on Google Drive. This campaign directly targets the developer IDE ecosystem and exploits the implicit trust developers place in GitHub communications. The second-stage payload remains uncharacterized. Organizations should alert development staff and monitor proxy logs for Google Drive downloads following GitHub notification interaction.

AI Coding Assistant Hallucinated Dependency Risk

The SCC pipeline flagged an emerging supply chain risk class this week (SCC-STY-2026-0028): AI coding assistants (GitHub Copilot, Cursor, Claude, ChatGPT, Gemini) recommending non-existent package names that adversaries register to intercept. This is not a hypothetical risk — the TeamPCP and PhantomRaven campaigns both operate in the same dependency namespace where hallucinated recommendations would land. Organizations should require developers to verify AI-recommended package existence against the target registry before installation, and should enforce software composition analysis (SCA) tooling in all CI/CD pipelines.

Nation-State & APT Activity Summary

Iran: Multi-Group Operations Against Critical Infrastructure and High-Profile Targets

Groups: Handala, Homeland Justice
Targeted Sectors: U.S. healthcare (hospitals), Israeli critical infrastructure, U.S. and Israeli supply chains, ICS/PLCs, government officials
TTPs Observed: Phishing (T1566), supply chain compromise (T1195), data encrypted for impact (T1486), network denial of service (T1498), valid accounts (T1078), Telegram C2 (T1071.003), wiper deployment (T1485), Microsoft Intune abuse for mass device wipe (confirmed in Stryker Corporation incident — approximately 80,000 devices wiped)
Attribution Confidence: High (CISA advisory AA23-335A for ICS targeting; FBI flash alert for domain seizures in Homeland Justice campaign)
IOCs: api.telegram.org (C2 channel); FBI-seized domains not publicly confirmed in available sources. Obtain current IOC list from FBI Cyber Division advisories directly.
Analyst Note: Iran-linked actors have demonstrated willingness to cause kinetic-equivalent impact through cyber means (mass device wipes, ICS manipulation). Healthcare organizations should treat this as an active, ongoing threat requiring sustained elevated defensive posture beyond standard incident response cycles. The CISA AA23-335A advisory contains historical IOC context directly applicable to current campaign TTPs.

China: Red Menshen Telecom Espionage; Qatar Targeting Expansion

Groups: Red Menshen (BPFdoor operations); unspecified China-nexus APTs (Qatar targeting)
Targeted Sectors: Global telecommunications (Red Menshen); Qatari government and private sector (China-nexus reorientation driven by Middle East conflict geopolitics)
TTPs Observed (Red Menshen): BPFdoor passive backdoor (T1205.002, T1014), socket filters, systemd persistence (T1543.002), traffic signaling, non-application layer protocol C2 (T1095), kernel-mode implant, initial access via Ivanti/Cisco/Juniper/Fortinet/VMware/Palo Alto/Apache Struts exploitation
TTPs Observed (Qatar targeting): Phishing (T1566), valid accounts (T1078), data exfiltration (T1041), archive collection (T1560), C2 via application layer protocols (T1071)
Attribution Confidence: High for Red Menshen (MITRE ATT&CK G0112 attribution); Medium for Qatar targeting (source quality T3, monitor for confirmation from CISA/Five Eyes partners)
IOCs: No confirmed public IOCs for either campaign as of reporting date. Monitor Rapid7, Security Affairs, and CISA for Red Menshen indicators.

North Korea: Xinbi Marketplace Money Laundering Nexus

Connection: UK sanctions designated Xinbi marketplace and associated entities (Legend Innovation Co, #8 Park) for facilitating $19.9 billion in illicit transactions including North Korean Lazarus Group money laundering operations
Relevant TTPs: Pig butchering social engineering (T1566, T1566.002), cryptocurrency exfiltration (T1657), Telegram-based marketplace infrastructure (T1583.006)
Attribution Confidence: Medium (TRM Labs blockchain analytics provide transaction-level evidence; Lazarus Group connection assessed as likely but not independently verified in available primary sources)
Action Required: Screen all cryptocurrency wallet addresses against updated UK FCDO consolidated sanctions list. TRM Labs IOC context: TRM Labs Xinbi Report (validate URL before use).

Russia: Akira Ransomware Targeting Legal and Professional Services

Group: Akira (cybercriminal, Russia-nexus)
Targeted Sectors: Legal, professional services (primary); U.S.-based organizations
TTPs: VPN exploitation (CVE-2023-20269 and related Cisco ASA/FTD CVEs documented in CISA/FBI AA23-284A), valid accounts (T1078), external remote services (T1133), data encrypted for impact (T1486), shadow copy deletion (T1490), double extortion (exfiltration + encryption)
Attribution Confidence: High (CISA/FBI AA23-284A; source quality for current campaign phase is T3 — monitor for primary-source corroboration)
IOC Note: Specific IOCs for current campaign not yet confirmed in primary sources. Consult CISA/FBI AA23-284A for documented Akira behavioral indicators applicable to current TTPs.

Phishing & Social Engineering Alert

AI-Augmented Microsoft OAuth Phishing: The Week’s Highest-Volume Credential Threat

Campaign: SCC-CAM-2026-0123 | Priority Score: 0.659 | Confirmed victims: 344 organizations
Attack Chain: AI-generated spearphishing emails → malicious OAuth application consent page → delegated permission grant → access token theft → persistent M365 resource access without credential re-entry
Evasion Techniques: AI-generated contextually appropriate content evades template-matching detection; OAuth consent flow bypasses MFA; legitimate Microsoft OAuth endpoints used (no spoofed login page)
Detection Guidance: Query Entra ID AuditLogs for ActivityDisplayName == 'Consent to application' filtered for user-initiated grants to unrecognized client IDs. In Sentinel: AuditLogs | where OperationName == 'Add OAuth2PermissionGrant'. Defender for Cloud Apps OAuth App Policy alerts for high-privilege scope requests (Mail.Read, Files.ReadWrite.All).
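The KQL above pulls the consent records out of Sentinel; what follows is the triage step applied to the exported rows. It is an added example, not part of the briefing or of Microsoft's schema: the records use a simplified shape (operationName, initiatedBy, isAdminConsent, targetResources[0].displayName/id, permissions) rather than the exact AuditLogs export, the app IDs are constructed placeholders, and the "known app" set stands in for your own inventory of sanctioned client IDs.

```python
"""Triage of Entra ID consent-grant records for the OAuth phishing pattern (added example)."""

# Delegated scopes that give a third-party app durable access to mail and files.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Directory.Read.All", "offline_access",
}
SEVERITY_ORDER = ("high", "medium", "low")


def triage_consents(records, known_app_ids):
    """Return alerts for user-initiated consents to unknown apps or high-risk scopes.

    Records are simplified AuditLogs rows (constructed shape, not the exact
    Entra export schema). Admin consents are skipped because they are the
    sanctioned path once user consent is disabled.
    """
    alerts = []
    for record in records:
        if record.get("operationName") != "Consent to application":
            continue
        if record.get("isAdminConsent"):
            continue
        app = record["targetResources"][0]
        risky = sorted(set(record.get("permissions", [])) & HIGH_RISK_SCOPES)
        unknown = app["id"] not in known_app_ids
        if unknown and risky:
            severity = "high"      # unrecognised client asking for mail/files: the campaign pattern
        elif unknown:
            severity = "medium"    # unrecognised client, low-privilege scopes
        elif risky:
            severity = "low"       # sanctioned app, but a user granted broad scopes
        else:
            continue
        alerts.append({"severity": severity, "user": record["initiatedBy"],
                       "app": app["displayName"], "appId": app["id"], "riskyScopes": risky})
    return sorted(alerts, key=lambda a: SEVERITY_ORDER.index(a["severity"]))


def demo_consents():
    """Constructed records: one sanctioned grant, one suspicious grant, one admin consent, one unrelated op."""
    known = {"11111111-1111-1111-1111-111111111111"}  # placeholder sanctioned app id
    records = [
        {"operationName": "Consent to application", "initiatedBy": "alice@example.com",
         "isAdminConsent": False, "permissions": ["User.Read"],
         "targetResources": [{"displayName": "Expense Portal",
                              "id": "11111111-1111-1111-1111-111111111111"}]},
        {"operationName": "Consent to application", "initiatedBy": "bob@example.com",
         "isAdminConsent": False, "permissions": ["Mail.Read", "Files.ReadWrite.All", "offline_access"],
         "targetResources": [{"displayName": "Secure Document Viewer",
                              "id": "22222222-2222-2222-2222-222222222222"}]},
        {"operationName": "Consent to application", "initiatedBy": "admin@example.com",
         "isAdminConsent": True, "permissions": ["Files.Read.All"],
         "targetResources": [{"displayName": "Backup Service",
                              "id": "33333333-3333-3333-3333-333333333333"}]},
        {"operationName": "Add user", "initiatedBy": "admin@example.com", "targetResources": []},
    ]
    return triage_consents(records, known)


if __name__ == "__main__":
    for alert in demo_consents():
        print(alert["severity"], alert["user"], "->", alert["app"], alert["riskyScopes"])
```

A high-severity hit is the trigger to revoke the grant (remove the service principal's OAuth2PermissionGrant), revoke the user's refresh tokens and review mailbox rules, since the attacker's access persists through the token rather than the password.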

ClickFix Social Engineering: Multi-Campaign Convergence

ClickFix-style social engineering — fake CAPTCHA or browser-update prompts instructing users to paste commands into Terminal or PowerShell — appeared in multiple independent campaigns this week, indicating this technique has crossed from novel to commodity attack delivery. Active ClickFix campaigns identified:

  • Infinity Stealer (macOS): Fake Cloudflare CAPTCHA → Terminal paste → Nuitka Python payload targeting macOS Keychain and crypto wallets
  • Interlock/Hive0163 (Windows): ClickFix social engineering → PowerShell → Slopoly backdoor → Interlock ransomware
  • ClickFix Multi-Loader (Windows): Fake CAPTCHA → clipboard → mshta.exe/jp2launcher.exe → NetSupport RAT, Latrodectus, Lumma Stealer
  • Torg Grabber (Windows): ClickFix delivery → 728 crypto wallet extensions targeted; ABE bypass; 334 unique samples

Universal Detection: Alert on shell processes (cmd.exe, powershell.exe, Terminal) spawned from browser processes or clipboard-paste events. Windows Event ID 4104 (PowerShell Script Block Logging) with base64-encoded content AND a network connection within 60 seconds is a high-confidence indicator. On macOS: Terminal process spawns from browser process context.
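The two universal indicators above, a shell spawned by a browser and an encoded script block followed by a network connection inside 60 seconds, can be correlated from endpoint telemetry. The code below is an added example, not from the briefing or from any vendor's rule set: it assumes process, script-block (Event ID 4104) and network events have been normalised into rows with `t`, `host`, `kind` and a process id, which is the shape an EDR or Sysmon export can be mapped to. All events are constructed, the base64 blob decodes to a harmless Write-Host line, and 203.0.113.10 is a documentation-range address.

```python
"""Endpoint correlation for the two ClickFix indicators above (added example)."""
import base64
import binascii
import re
from datetime import datetime
from pathlib import PurePosixPath

# Windows entries are exe names; macOS entries are app binary names.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "Google Chrome", "Safari", "firefox"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "Terminal", "bash", "zsh"}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
WINDOW_SECONDS = 60


def basename(path):
    return PurePosixPath(path.replace("\\", "/")).name


def has_base64_payload(text):
    """True if the script block carries a run of 40+ base64 characters that decodes cleanly."""
    for match in B64_RUN.finditer(text):
        try:
            base64.b64decode(match.group(0), validate=True)
            return True
        except (binascii.Error, ValueError):
            continue
    return False


def detect(events):
    """Events: dicts with t (ISO time), host, kind in {'proc','script','net'} and, per kind,
    image/parent/pid, pid/text, or pid/dest. Returns (rule, host, detail) tuples."""
    events = sorted(events, key=lambda e: e["t"])
    alerts = []
    for event in events:
        if event["kind"] == "proc" and basename(event["image"]) in SHELLS \
                and basename(event["parent"]) in BROWSERS:
            alerts.append(("browser-spawned-shell", event["host"],
                           f"{basename(event['parent'])} -> {basename(event['image'])}"))
        elif event["kind"] == "script" and has_base64_payload(event["text"]):
            start = datetime.fromisoformat(event["t"])
            for net in events:
                if net["kind"] != "net" or net["host"] != event["host"] or net["pid"] != event["pid"]:
                    continue
                delta = (datetime.fromisoformat(net["t"]) - start).total_seconds()
                if 0 <= delta <= WINDOW_SECONDS:
                    alerts.append(("encoded-script-then-network", event["host"],
                                   f"pid {event['pid']} -> {net['dest']} after {int(delta)}s"))
                    break
    return alerts


def demo_clickfix():
    """Constructed telemetry: one ClickFix-like sequence on WS01, benign activity on WS02."""
    blob = base64.b64encode("Write-Host 'constructed sample block'".encode("utf-16le")).decode()
    script = f'$b = [Convert]::FromBase64String("{blob}")'
    events = [
        {"t": "2026-03-30T10:00:00", "host": "WS01", "kind": "proc", "pid": 4242,
         "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
        {"t": "2026-03-30T10:00:03", "host": "WS01", "kind": "script", "pid": 4242, "text": script},
        {"t": "2026-03-30T10:00:20", "host": "WS01", "kind": "net", "pid": 4242, "dest": "203.0.113.10:443"},
        # Admin script with encoded content but no network activity inside the window.
        {"t": "2026-03-30T11:00:00", "host": "WS02", "kind": "script", "pid": 777, "text": script},
        {"t": "2026-03-30T11:05:00", "host": "WS02", "kind": "net", "pid": 777, "dest": "203.0.113.10:443"},
        {"t": "2026-03-30T11:10:00", "host": "WS02", "kind": "proc", "pid": 801,
         "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe"},
    ]
    return detect(events)


if __name__ == "__main__":
    for alert in demo_clickfix():
        print(*alert)
```

The 60-second window is the briefing's figure; tune it to your environment, and treat the two rules firing on the same host within minutes as the high-confidence case, since that is the whole ClickFix chain (paste into shell, decode, fetch second stage) in sequence.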

Awareness Training Update Required: Standard phishing simulations do not cover ClickFix. Update training to include scenarios where users are instructed to paste commands rather than enter credentials.

Tax Season RMM Abuse and IRS Impersonation Campaign

Campaigns: SCC-CAM-2026-0091, SCC-CAM-2026-0086, SCC-CAM-2026-0085 | Confirmed affected users: 29,000+ across 10,000+ organizations
Lure Themes: IRS tax notices, SmartVault document requests, Azure Monitor alerts
Delivery Infrastructure: Amazon SES (abused for sender reputation), Cloudflare Workers/Pages (phishing page hosting), Energy365 and SneakyLog/Kratos PhaaS platforms for AiTM credential harvesting
Payload: ConnectWise ScreenConnect, Datto RMM, SimpleHelp — legitimate RMM tools deployed for persistent access post-credential harvest
Evasion: HTML smuggling (T1027.006), legitimate service abuse, Cloudflare proxying obscures origin IPs
Detection: Audit all RMM tool installations not provisioned by IT. Block outbound connections from relay.screenconnect.com and concord.centrastage.net originating from endpoints not enrolled in your authorized RMM program. Flag SES-delivered email impersonating IRS, SmartVault, or Azure Monitor.

Bubble.io No-Code Platform Abused for M365 Phishing

Campaign: SCC-CAM-2026-0105 | Priority Score: 0.532
Technique: Attackers host credential-harvesting pages on legitimate Bubble.io subdomains, bypassing URL reputation filters that allowlist the Bubble.io domain. AI-generated Shadow DOM obfuscation defeats static HTML analysis — static source review returns minimal content, dynamic rendering with JavaScript execution is required for accurate analysis.
Detection: Monitor Entra ID sign-in logs for authentication events where the source IP shifts ASN or country within minutes of a successful login (AiTM session cookie replay). Flag *.bubble.io in email gateway URL analysis for review — not blanket blocking, as legitimate Bubble.io applications exist.
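The sign-in check in the detection note (a successful login followed within minutes by activity from a different ASN or country, the signature of a replayed AiTM session cookie) can be expressed over exported sign-in records. This is an added example, not part of the briefing: the rows use a simplified constructed shape (user, t, ip, asn, country, result) rather than the exact Entra sign-in log schema, and the addresses and AS numbers are documentation/private-use values.

```python
"""AiTM session-replay indicator over sign-in records (added example)."""
from datetime import datetime

WINDOW_MINUTES = 10


def session_shift_alerts(signins, window_minutes=WINDOW_MINUTES):
    """Flag consecutive successful sign-ins for one user that change ASN or country
    within the window. Failed sign-ins are ignored: only successes carry a session."""
    by_user = {}
    for row in signins:
        if row["result"] != "success":
            continue
        by_user.setdefault(row["user"], []).append(row)

    alerts = []
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r["t"])
        for prev, cur in zip(rows, rows[1:]):
            minutes = (datetime.fromisoformat(cur["t"]) - datetime.fromisoformat(prev["t"])).total_seconds() / 60
            shifted = prev["asn"] != cur["asn"] or prev["country"] != cur["country"]
            if shifted and minutes <= window_minutes:
                alerts.append({
                    "user": user, "first": prev["t"], "second": cur["t"],
                    "shift": f"{prev['country']}/AS{prev['asn']} -> {cur['country']}/AS{cur['asn']}",
                    "minutes": round(minutes),
                })
    return alerts


def demo_signins():
    """Constructed sign-ins: alice shows the replay pattern, bob and carol do not."""
    rows = [
        {"user": "alice@example.com", "t": "2026-03-30T09:00:00", "ip": "198.51.100.7",
         "asn": 64496, "country": "US", "result": "success"},
        {"user": "alice@example.com", "t": "2026-03-30T09:04:00", "ip": "203.0.113.9",
         "asn": 64500, "country": "NL", "result": "success"},
        # bob changes country, but 30 minutes apart: outside the window.
        {"user": "bob@example.com", "t": "2026-03-30T09:00:00", "ip": "198.51.100.20",
         "asn": 64496, "country": "US", "result": "success"},
        {"user": "bob@example.com", "t": "2026-03-30T09:30:00", "ip": "203.0.113.40",
         "asn": 64500, "country": "DE", "result": "success"},
        # carol: same ASN and country, plus a failure that is ignored.
        {"user": "carol@example.com", "t": "2026-03-30T09:00:00", "ip": "198.51.100.31",
         "asn": 64496, "country": "US", "result": "failure"},
        {"user": "carol@example.com", "t": "2026-03-30T09:01:00", "ip": "198.51.100.31",
         "asn": 64496, "country": "US", "result": "success"},
        {"user": "carol@example.com", "t": "2026-03-30T09:03:00", "ip": "198.51.100.32",
         "asn": 64496, "country": "US", "result": "success"},
    ]
    return session_shift_alerts(rows)


if __name__ == "__main__":
    for alert in demo_signins():
        print(alert["user"], alert["shift"], f"within {alert['minutes']} min")
```

Mobile carriers and split-tunnel VPNs produce ASN changes too, so pair a hit with the user's baseline ASNs before escalating; an ASN the user has never authenticated from, immediately after a successful login, is the case worth a token revocation.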

Tycoon2FA PhaaS Rebounds After Domain Seizure

Campaign: SCC-CAM-2026-0089 | Priority Score: 0.325
Status: 330 domains seized by Europol and Microsoft on March 4, 2026. Tycoon2FA resumed operations within days via new infrastructure — confirming that domain seizures alone cannot disrupt PhaaS operations with distributed backend architecture.
TTPs: Adversary-in-the-Middle (T1557), session cookie theft (T1539), SharePoint/OneDrive payload hosting (T1608.001), email hiding rules post-compromise (T1564.008), internal spearphishing from compromised accounts (T1534)
Defense: Phishing-resistant MFA (FIDO2) is the only reliable technical control against AiTM session theft. TOTP and push-based MFA are defeated by this campaign architecture.

Indicators of Compromise

| Type | Value / Indicator | Campaign / Story | Confidence | Action |
|---|---|---|---|---|
| URL | https://pypi.org/project/telnyx/4.87.1/ | TeamPCP PyPI — SCC-CAM-2026-0112 | High | Do not install. Remove if present. Block in artifact proxy. |
| URL | https://pypi.org/project/telnyx/4.87.2/ | TeamPCP PyPI — SCC-CAM-2026-0112 | High | Do not install. Remove if present. Block in artifact proxy. |
| Domain | api.telegram.org | GhostLoader npm (SCC-CAM-2026-0093); Handala/Homeland Justice (SCC-CAM-2026-0083) | Medium (context-dependent) | Alert on outbound connections from developer workstations, servers, or non-user endpoints. Legitimate consumer use exists — context-based alerting required. |
| npm Publisher | mikilanjillo | GhostLoader npm — SCC-CAM-2026-0093 | High | Block all packages from this publisher at registry proxy. Audit for installed packages from this account. |
| Driver | HWAuidoOs2Ec.sys (Huawei audio driver — signed but vulnerable) | HwAudKiller BYOVD — SCC-CAM-2026-0098 | Medium | Add to WDAC driver blocklist. Microsoft Defender detects as VulnerableDriver:WinNT/Winring0 — verify definitions current. Alert on Sysmon Event ID 6 for this driver. |
| Process | FleetDeck Agent (unauthorized deployment) | HwAudKiller BYOVD — SCC-CAM-2026-0098 | Medium | Flag FleetDeck Agent presence on endpoints not enrolled in authorized RMM program. Treat as high-suspicion indicator in this campaign context. |
| Process | nxc.exe / crackmapexec.exe (NetExec) in non-pentest environments | HwAudKiller BYOVD — SCC-CAM-2026-0098 | Medium | Alert on execution outside authorized red team or pentest windows. Treat as lateral movement indicator. |
| Malware Family | Slopoly (AI-generated PowerShell backdoor) | Interlock/Hive0163 — SCC-CAM-2026-0081, SCC-CAM-2026-0078 | High | Hunt in PowerShell Script Block Logs (Event ID 4104) for verbose inline comments and structured error handling in scripts from unknown sources. Alert on schtasks.exe creating tasks invoking encoded PowerShell. |
| Malware Family | NodeSnake (backdoor — Interlock chain) | Interlock/Hive0163 — SCC-CAM-2026-0081 | High | Obtain hashes from IBM X-Force threat intelligence platform. Cross-reference against EDR telemetry. |
| Malware Family | GHOSTBLADE (iOS dataminer — TA446) | TA446 DarkSword — SCC-CAM-2026-0118 | Low (no hash confirmed) | Check MTD platform for behavioral signatures. Monitor MTD and threat intel feeds for hash publication. |
| Malware Family | MAYBEROBOT (iOS backdoor — TA446) | TA446 DarkSword — SCC-CAM-2026-0118 | Low (no hash confirmed) | Check MTD platform for behavioral signatures. Monitor MTD and threat intel feeds for hash publication. |
| Domain (pattern) | atlanticcouncil.org — DMARC/SPF failures (spoofed lure) | TA446 iOS spearphishing — SCC-CAM-2026-0118 | Medium | Flag inbound email referencing atlanticcouncil.org that fails DMARC/SPF/DKIM validation. Quarantine or reject. |
| Domain | relay.screenconnect.com | Tax Season RMM Abuse — SCC-CAM-2026-0085, SCC-CAM-2026-0086 | Medium (legitimate service abused) | Alert on outbound connections from endpoints not enrolled in your authorized ScreenConnect tenant. Do not block globally. |
| Domain | concord.centrastage.net | Tax Season RMM Abuse — SCC-CAM-2026-0085 | Medium (legitimate service abused) | Alert on connections from endpoints not provisioned by your RMM team. |
| Domain (pattern) | *.bubble.io | Bubble.io M365 phishing — SCC-CAM-2026-0105 | Low (pattern only — not all domains malicious) | Use for log review and anomaly correlation. Do not block globally. Flag *.bubble.io URLs in email gateway for review. |
| Domain | *.workers.dev; *.pages.dev (Cloudflare subdomains) | Tax Season IRS campaign — SCC-CAM-2026-0085 | Medium (abused pattern) | Flag in email URL analysis and proxy logs when associated with IRS, SmartVault, or financial service lures. Context-based alerting required. |
| Domain | leakbase[.]io (defanged) | LeakBase credential marketplace — SCC-CAM-2026-0102 | High (Europol/DOJ confirmed) | Block at DNS and proxy. Historical traffic to this domain from internal hosts warrants investigation for insider involvement or compromised host. |
| URL | drive.google.com (payload staging — contextual) | GitHub Discussions VS Code campaign — SCC-CAM-2026-0116 | Medium (shared infrastructure) | Alert on Google Drive downloads from developer workstations within 10–60 minutes of GitHub notification interaction. Do not block globally. |
| Domain | europa.eu (victim infrastructure) | ShinyHunters EC Breach — SCC-DBR-2026-0070 | High | DO NOT BLOCK. Reference only for internal log correlation against outbound connections initiated from your environment during breach window. Legitimate EU government domain. |
| Technique IOC | WAV files in Python package site-packages directories | TeamPCP PyPI — SCC-CAM-2026-0112 | High | Flag any WAV file created or accessed by a Python process outside application code paths. High-confidence behavioral indicator. |
| Technique IOC | bpftool prog list entries not attributable to known authorized agents | BPFdoor / Red Menshen — SCC-CAM-2026-0115 | High | Investigate immediately. Any unrecognized BPF program on production Linux host warrants incident-level response. |
| Technique IOC | Cleo autorun directory file creation by non-Cleo processes | Geopolitical Convergence / Cleo — SCC-CAM-2026-0109 | High | Alert on Windows Event ID 4663 or EDR file write telemetry for autorun directory writes from unexpected processes. |

Behavioral context note: Several IOCs reference legitimate services (Telegram, Google Drive, Cloudflare, ScreenConnect relay) that are abused by threat actors. Do not apply blanket blocks without context-based analysis. Use the Action column guidance for each entry.

Helpful 5: High-Value Low-Effort Mitigations

1. Enforce Admin-Only OAuth Application Consent in Microsoft Entra ID

Why: The highest-priority campaign this week (AI-augmented OAuth phishing, 344 organizations compromised) operates exclusively through user-granted OAuth consent. Eliminating the user consent path removes the attacker’s primary mechanism for persistent access without requiring any endpoint changes or credential rotation.

How:

  1. Navigate to: Microsoft Entra admin center → Identity → Applications → Enterprise applications → Consent and permissions
  2. Set “Users can consent to apps accessing company data on their behalf” to No
  3. Set “Users can consent to apps from verified publishers, for selected permissions” based on your organization’s tolerance — for high-security environments, set to No
  4. Configure the admin consent workflow so users can request access for legitimate applications
  5. Run the following KQL in Sentinel to establish your consent baseline before enforcement: AuditLogs | where ActivityDisplayName == "Consent to application" | summarize count() by InitiatedBy, TargetResources

Framework Alignment: NIST SP 800-53 AC-2 (Account Management), AC-3 (Access Enforcement), IA-2; CIS v8 Controls 6.3 (Require MFA for Externally-Exposed Applications), 6.5 (Require MFA for Administrative Access); NIST CSF PR.AC.

2. Enforce Phishing-Resistant MFA (FIDO2) on All Cloud and External Services

Why: Three separate active campaigns this week defeat conventional MFA: the Microsoft OAuth phishing campaign steals session tokens post-authentication, Tycoon2FA uses AiTM proxying to intercept TOTP codes, and the Iran-linked operations target identity providers as primary entry points. FIDO2/WebAuthn hardware tokens or passkeys are the only MFA method that defeats all three attack patterns because the cryptographic response is bound to the legitimate origin domain.

How:

  1. Audit current MFA methods in Entra ID: Identity → Authentication methods → Authentication methods policy. Disable SMS and voice call methods for privileged accounts immediately.
  2. Enable FIDO2 security key method in Entra ID authentication methods policy
  3. Create a Conditional Access policy requiring phishing-resistant MFA strength for: all privileged roles, all external-facing applications, all AWS console access via federated SSO
  4. Configure Conditional Access Named Locations to flag anomalous geographic sign-ins as risk signals even with FIDO2
  5. For accounts that cannot yet use FIDO2 hardware tokens, enforce certificate-based authentication as the next-best alternative

Framework Alignment: NIST SP 800-53 IA-2(6) (Phishing-Resistant MFA — explicit control), IA-5; CIS v8 6.3, 6.4, 6.5; HIPAA 164.312(d); NIST CSF PR.AC-1.

3. Audit and Block Unauthorized RMM Tools via Application Control

Why: Three separate campaigns this week (HwAudKiller BYOVD, Tax Season IRS campaign, broader RMM abuse pattern) use legitimate RMM tools — ConnectWise ScreenConnect, Datto RMM, SimpleHelp, FleetDeck Agent — as persistent backdoors after initial access. CISA has documented RMM tool abuse as a top initial access persistence method in multiple advisories. An organization that cannot enumerate all RMM tools installed across its endpoints cannot contain this threat class.

How:

  1. Run an EDR inventory query for all RMM tool binaries across your estate: ScreenConnect.ClientService.exe, DattoRMM agent binaries, SimpleHelp server.exe/remote.exe, FleetDeck agent binaries, AnyDesk, TeamViewer, Splashtop, LogMeIn
  2. Compare against your authorized software inventory. Any RMM binary not in the authorized list should be removed and the host investigated
  3. Create a Windows Defender Application Control (WDAC) or AppLocker policy that blocks unsigned or unauthorized RMM binaries from executing
  4. Alert on RMM relay connections (relay.screenconnect.com, concord.centrastage.net) originating from endpoints not enrolled in your authorized RMM tenant
  5. Establish a formal RMM governance policy: authorized tools, authorized tenants, mandatory enrollment procedures, quarterly audit cadence
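Steps 1, 2 and 4 of this mitigation, and the detection note in the Tax Season RMM Abuse section (audit installations not provisioned by IT, alert on relay traffic from non-enrolled endpoints), reduce to two comparisons against an enrollment list. The script below is an added example, not the briefing's own tooling or any vendor's: the binary names come from this briefing plus AnyDesk and TeamViewer, the relay domains are the two the briefing names, and the inventory rows, proxy log lines and enrollment list are constructed. Datto RMM is matched only by its relay domain, since the briefing does not name its agent binary.

```python
"""Unauthorized RMM inventory and relay-connection checks (added example)."""
from pathlib import PurePosixPath

# Binary name (lower-case) -> tool. ScreenConnect and SimpleHelp names are from the briefing.
RMM_BINARIES = {
    "screenconnect.clientservice.exe": "ConnectWise ScreenConnect",
    "remote.exe": "SimpleHelp",
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
}
# Relay domains named in the briefing and the tool each one serves.
RELAY_DOMAINS = {
    "relay.screenconnect.com": "ConnectWise ScreenConnect",
    "concord.centrastage.net": "Datto RMM",
}


def identify_tool(image_path):
    """Map an executable path to an RMM tool name, or None."""
    name = PurePosixPath(image_path.replace("\\", "/")).name.lower()
    if "fleetdeck" in name:
        return "FleetDeck Agent"
    return RMM_BINARIES.get(name)


def unauthorized_rmm(inventory, enrolled):
    """inventory: (host, image path) rows from EDR; enrolled: {tool: {hosts}} from your RMM
    governance record. Returns sorted (host, tool, image) for every unenrolled installation."""
    findings = []
    for host, image in inventory:
        tool = identify_tool(image)
        if tool and host not in enrolled.get(tool, set()):
            findings.append((host, tool, image))
    return sorted(findings)


def rogue_relay_connections(log_lines, enrolled):
    """Proxy/DNS lines in the constructed form 'timestamp host destination port action'.
    Returns sorted (host, destination, tool) for relay traffic from unenrolled hosts."""
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        _, host, dest = parts[:3]
        tool = RELAY_DOMAINS.get(dest.lower())
        if tool and host not in enrolled.get(tool, set()):
            findings.append((host, dest.lower(), tool))
    return sorted(findings)


def demo_rmm():
    """Constructed enrollment record, EDR inventory and proxy log for the demo."""
    enrolled = {"ConnectWise ScreenConnect": {"WS01", "WS02"}}  # no Datto RMM tenant exists here
    inventory = [
        ("WS01", r"C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.ClientService.exe"),
        ("WS07", r"C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientService.exe"),
        ("WS09", r"C:\Program Files\FleetDeck\fleetdeck_agent.exe"),
        ("WS02", r"C:\Windows\System32\svchost.exe"),
    ]
    log_lines = [
        "2026-03-30T09:12:01Z WS01 relay.screenconnect.com 443 CONNECT",
        "2026-03-30T09:12:07Z WS07 relay.screenconnect.com 443 CONNECT",
        "2026-03-30T09:13:40Z WS11 concord.centrastage.net 443 CONNECT",
        "2026-03-30T09:14:02Z WS01 www.example.com 443 CONNECT",
    ]
    return unauthorized_rmm(inventory, enrolled), rogue_relay_connections(log_lines, enrolled)


if __name__ == "__main__":
    installs, relays = demo_rmm()
    for host, tool, image in installs:
        print(f"unauthorized {tool} on {host}: {image}")
    for host, dest, tool in relays:
        print(f"{host} reached {dest} ({tool}) without enrollment")
```

Feeding the enrollment record from the governance policy in step 5 is what makes this useful: the same ScreenConnect binary is benign on WS01 and an indicator on WS07, and the distinction exists only if the authorized tenant and host list are written down.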

Framework Alignment: NIST SP 800-53 CM-7 (Least Functionality), AC-17 (Remote Access), AC-20; CIS v8 2.5 (Allowlist Authorized Software), 2.6; NIST CSF PR.PT-3.

4. Deploy bpftool Inventory and auditd BPF Syscall Logging on Linux Infrastructure

Why: The BPFdoor implant used by China-nexus Red Menshen is invisible to standard Linux security tools (netstat, ss, ps, standard port scans). It leaves no listening port and generates no persistent outbound beaconing. The only viable detection is kernel-level telemetry. For telecom, financial, and critical infrastructure organizations with significant Linux infrastructure, this gap is an active threat — not a theoretical one. This mitigation is low-effort relative to the detection gap it closes.

How:

  1. Install bpftool: apt-get install linux-tools-common (Ubuntu/Debian) or equivalent for your distribution
  2. Run on all production Linux hosts: bpftool prog list and bpftool map list — document all results and establish a baseline of authorized programs
  3. Add auditd rule for bpf() syscall monitoring: -a always,exit -F arch=b64 -S bpf -k bpf_monitoring — reload auditd
  4. Alert on any new BPF program loaded that is not attributable to an authorized network monitoring agent (Falco, Cilium, your EDR’s eBPF probe)
  5. Check /proc/net/packet and /proc/net/raw for processes holding raw sockets; cross-reference PIDs against known-good process lists
  6. For high-value Linux hosts: deploy Falco with eBPF probe or Tetragon for continuous kernel-level behavioral monitoring
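Steps 2 through 4 amount to a baseline comparison of `bpftool` output plus parsing of the auditd records the `bpf_monitoring` key produces. The following is an added example, not the briefing's own tooling: it reads the JSON that `bpftool prog show -j` emits (here a constructed, abbreviated sample with the id, type, name, tag and pids fields that bpftool does produce), flags programs whose tag is not in the baseline and whose holding process is not an allowed agent, and pulls the caller out of `type=SYSCALL` audit lines. The tags, PIDs and audit lines are constructed; the `a0` to command mapping uses the kernel's `bpf_cmd` numbering (0 = BPF_MAP_CREATE, 5 = BPF_PROG_LOAD, 6 = BPF_OBJ_PIN, 8 = BPF_PROG_ATTACH).

```python
"""bpftool baseline diff and auditd bpf() syscall parsing (added example)."""
import json
import re

# Subset of the kernel's bpf_cmd enum (include/uapi/linux/bpf.h); audit reports a0 in hex.
BPF_CMDS = {0: "map_create", 5: "prog_load", 6: "obj_pin", 8: "prog_attach"}
AUDIT_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def unexpected_programs(bpftool_json, baseline_tags, allowed_comms):
    """Programs from `bpftool prog show -j` whose tag is outside the baseline and whose
    holders are not all allowed agents. Returns (id, type, name, holder comms)."""
    findings = []
    for prog in json.loads(bpftool_json):
        if prog.get("tag") in baseline_tags:
            continue
        comms = {p["comm"] for p in prog.get("pids", [])}
        if comms and comms <= allowed_comms:
            continue  # a new build of a known agent; re-baseline rather than alert
        findings.append((prog["id"], prog["type"], prog.get("name", ""),
                         sorted(comms) or ["<no holder>"]))
    return findings


def bpf_loads_from_audit(lines, allowed_comms):
    """Parse SYSCALL records tagged key="bpf_monitoring"; return (pid, comm, exe, bpf command)
    for callers that are not allowed agents."""
    out = []
    for line in lines:
        if "type=SYSCALL" not in line or 'key="bpf_monitoring"' not in line:
            continue
        fields = {k: v.strip('"') for k, v in AUDIT_FIELD.findall(line)}
        if fields.get("comm") in allowed_comms:
            continue
        cmd_no = int(fields.get("a0", "0"), 16)
        out.append((int(fields["pid"]), fields["comm"], fields["exe"],
                    BPF_CMDS.get(cmd_no, f"cmd_{cmd_no}")))
    return out


def demo_bpf():
    """Constructed bpftool output, baseline and audit lines for the demo."""
    allowed = {"systemd", "falco", "cilium-agent"}
    bpftool_json = json.dumps([
        {"id": 12, "type": "cgroup_skb", "name": "sd_fw_egress", "tag": "0011223344556677",
         "pids": [{"pid": 1, "comm": "systemd"}]},
        {"id": 40, "type": "tracepoint", "name": "falco_probe", "tag": "8899aabbccddeeff",
         "pids": [{"pid": 900, "comm": "falco"}]},
        # Unknown socket filter held by a shell: the shape the briefing tells you to investigate.
        {"id": 88, "type": "socket_filter", "name": "", "tag": "ffeeddccbbaa9988",
         "pids": [{"pid": 2711, "comm": "sh"}]},
    ])
    baseline = {"0011223344556677", "8899aabbccddeeff"}
    audit = [
        'type=SYSCALL msg=audit(1743325200.101:9001): arch=c000003e syscall=321 success=yes exit=3 '
        'a0=5 a1=7ffd2c3b1a40 a2=90 a3=0 items=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 '
        'comm="falco" exe="/usr/bin/falco" key="bpf_monitoring"',
        'type=SYSCALL msg=audit(1743325201.377:9002): arch=c000003e syscall=321 success=yes exit=3 '
        'a0=5 a1=7ffc11aa0b00 a2=90 a3=0 items=0 ppid=2700 pid=2711 auid=1000 uid=0 gid=0 '
        'comm="sh" exe="/usr/bin/dash" key="bpf_monitoring"',
        'type=SYSCALL msg=audit(1743325202.000:9003): arch=c000003e syscall=59 success=yes exit=0 '
        'a0=0 a1=0 a2=0 a3=0 items=2 ppid=2700 pid=2712 auid=1000 uid=1000 gid=1000 '
        'comm="bash" exe="/usr/bin/bash" key="exec_monitoring"',
    ]
    return unexpected_programs(bpftool_json, baseline, allowed), bpf_loads_from_audit(audit, allowed)


if __name__ == "__main__":
    progs, loads = demo_bpf()
    for prog in progs:
        print("unbaselined BPF program:", *prog)
    for load in loads:
        print("bpf() call by non-agent:", *load)
```

Take the baseline on a freshly built host before it joins production, store it alongside the EDR or Falco version that produced it, and refresh it when those agents update; tags change with every rebuild of a probe, so an unrefreshed baseline will page on the agent rather than the implant.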

Framework Alignment: NIST SP 800-53 SI-4 (System Monitoring), CA-7 (Continuous Monitoring), CM-7; CIS v8 8.2 (Collect Audit Logs); NIST CSF DE.CM-1.

5. Implement PyPI Package Hash Verification and Supply Chain Controls in CI/CD Pipelines

Why: The TeamPCP telnyx campaign demonstrates that malicious packages can reach production CI/CD environments through the standard pip install workflow when hash verification is absent. The attack vector is trivially exploitable: publish a malicious version of a legitimate package, wait for automated dependency update tools or developer installation to pull it. Hash pinning breaks this attack entirely for any package in your dependency graph.

How:

  1. Audit all Python environments: pip list --format=json — check for telnyx 4.87.1 or 4.87.2 immediately
  2. Enable hash verification in pip requirements files: use pip-compile --generate-hashes to add hash pins to all requirements files. This ensures any modified package is rejected at install time
  3. Deploy a private artifact proxy (Artifactory, Verdaccio, AWS CodeArtifact) that mirrors PyPI but enforces an allowlist of approved packages and versions
  4. Add pip audit as a mandatory CI/CD gate: pip install pip-audit && pip-audit — fails the build if known vulnerable packages are detected
  5. For GitHub Actions: pin all action references to commit SHAs (uses: actions/checkout@abc123) rather than mutable tags (uses: actions/checkout@v4). Use tj-actions/changed-files@sha pattern consistently
  6. Enable Dependabot or Renovate with PR review requirements — automated dependency updates should not merge without human review or SCA gate pass
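Step 2 relies on pip's hash-checking mode, and it helps to see the rule it enforces. The script below is an added example, not pip's code or the briefing's: it parses a requirements file in the form `pip-compile --generate-hashes` produces (pin plus one or more `--hash=algo:digest` continuation lines) and applies the same policy pip does, rejecting anything unpinned, unhashed, at a different version, or with bytes that match no pinned digest. The artifact bytes and the `4.86.0` pin are constructed for the demo, not a vetted release.

```python
"""Hash-pinned requirements verification in the style of pip's hash-checking mode (added example)."""
import hashlib
import re
import shlex


def normalize(name):
    """PEP 503 style normalisation of a distribution name."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pinned(text):
    """Parse a requirements file into {name: {"version": v, "hashes": {(algo, hexdigest)}}}.
    Backslash line continuations, as emitted by pip-compile --generate-hashes, are joined."""
    pins = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        match = re.match(r"^([A-Za-z0-9_.-]+)==([^\s;]+)", tokens[0])
        if not match:
            continue
        hashes = set()
        for token in tokens[1:]:
            if token.startswith("--hash="):
                algo, _, digest = token[len("--hash="):].partition(":")
                hashes.add((algo.lower(), digest.lower()))
        pins[normalize(match.group(1))] = {"version": match.group(2), "hashes": hashes}
    return pins


def verify_artifact(pins, name, version, data):
    """Decide whether downloaded bytes for name==version may be installed.
    Returns ("accept" | "reject", reason)."""
    entry = pins.get(normalize(name))
    if entry is None:
        return "reject", "package not pinned"
    if entry["version"] != version:
        return "reject", f"version {version} differs from pinned {entry['version']}"
    if not entry["hashes"]:
        return "reject", "no --hash pins; hash-checking mode refuses unhashed requirements"
    for algo, digest in entry["hashes"]:
        if hashlib.new(algo, data).hexdigest() == digest:
            return "accept", f"{algo} digest matches"
    return "reject", "artifact digest does not match any pinned hash"


def demo_verify():
    """Constructed requirements file and artifact; returns the decision for five cases."""
    good = b"constructed wheel bytes; not a real telnyx distribution"
    digest = hashlib.sha256(good).hexdigest()
    reqs = (f"telnyx==4.86.0 \\\n    --hash=sha256:{digest}\n"   # constructed pin
            "requests==2.32.3\n")                                  # pinned but unhashed
    pins = parse_pinned(reqs)
    return [
        verify_artifact(pins, "telnyx", "4.86.0", good)[0],          # matching bytes
        verify_artifact(pins, "telnyx", "4.86.0", good + b"\0")[0],  # tampered bytes
        verify_artifact(pins, "telnyx", "4.87.1", good)[0],          # a version nobody pinned
        verify_artifact(pins, "requests", "2.32.3", b"x")[0],        # no hash pin present
        verify_artifact(pins, "numpy", "1.26.0", b"x")[0],           # not in the file at all
    ]


if __name__ == "__main__":
    print(demo_verify())
```

The third case is the one that matters for this campaign: with hashes pinned, a freshly published 4.87.1 cannot be pulled by an automated update or a developer's `pip install -r`, because no digest for it exists in the file until a human regenerates and reviews the pins.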

Framework Alignment: NIST SP 800-53 SI-7 (Software, Firmware, and Information Integrity), SR-3 (Supply Chain Controls and Processes), CM-3; CIS v8 2.5, 2.6, 15.1; NIST CSF GV.SC-01; OWASP A08:2021 Software and Data Integrity Failures.

Framework Alignment Matrix

| Threat / Campaign | MITRE Tactic | MITRE Technique(s) | NIST SP 800-53 Rev 5 | CIS v8 Controls |
|---|---|---|---|---|
| Microsoft OAuth Phishing (SCC-CAM-2026-0123) | Initial Access, Credential Access, Defense Evasion | T1566.002, T1528, T1539, T1550.001, T1078.004 | AC-2, IA-2, IA-5, SC-23, SI-4, CA-7 | 6.3, 6.4, 6.5, 14.2 |
| TeamPCP PyPI Supply Chain (SCC-CAM-2026-0112) | Initial Access, Defense Evasion, Credential Access, Exfiltration | T1195.001, T1027.003, T1552.004, T1552.001, T1041 | SI-7, SR-2, SR-3, CM-3, CA-7, IA-5 | 2.5, 2.6, 15.1, 8.2 |
| Iran-Linked Critical Infrastructure (SCC-CAM-2026-0124) | Initial Access, Impact, Execution | T1566, T1195, T1486, T1498, T1059, T1078 | AT-2, CA-7, SC-7, SI-3, SI-4, SR-2, SR-3, CP-9, CP-10 | 6.3, 7.3, 7.4, 15.1 |
| BPFdoor / Red Menshen (SCC-CAM-2026-0115, 0107) | Defense Evasion, Persistence, Command & Control | T1205.002, T1014, T1543.002, T1095, T1205 | SI-4, CA-7, CM-7, SC-7, AC-6 | 6.1, 6.2, 8.2, 5.4 |
| iOS Exploit Kits / TA446 DarkSword (SCC-CAM-2026-0118, 0113) | Initial Access, Collection, Credential Access | T1189, T1417, T1430, T1636, T1566.001, T1041 | SI-2, SI-3, SI-4, SC-7, AT-2 | 7.3, 7.4, 14.2 |
| Cleo MFT Exploitation — OT/ICS (SCC-CAM-2026-0109) | Initial Access, Lateral Movement, Impact | T1190, T1021, T1486, T1195, T1133, T1078 | CA-8, RA-5, SC-7, SI-2, SR-2, SR-3, AC-17, CP-9, CP-10 | 2.5, 2.6 |
| HwAudKiller BYOVD (SCC-CAM-2026-0098) | Privilege Escalation, Defense Evasion, Persistence, Credential Access | T1068, T1562.001, T1219, T1003.001, T1583.008 | SI-3, SI-4, CA-7, AC-6, SA-9, SR-2, SR-3 | 5.4, 6.8, 6.3 |
| GitHub Discussions Developer Lure (SCC-CAM-2026-0116) | Initial Access, Resource Development, Defense Evasion | T1566.003, T1195.002, T1497.001, T1608, T1027 | SA-9, SR-2, SR-3, SI-7, AT-2, CA-7 | 2.5, 8.2 |
| ShinyHunters EC AWS Breach (SCC-DBR-2026-0070) | Initial Access, Collection, Exfiltration, Credential Access | T1566, T1078.004, T1530, T1567, T1539, T1114 | AC-2, AC-6, IA-2, IA-5, SC-28, CA-7, AU-2, AU-12 | 6.3, 6.4, 6.5 |
| ClickFix Multi-Campaign (SCC-CAM-2026-0101, 0103, 0119) | Initial Access, Execution, Credential Access | T1566, T1059.001, T1204.002, T1555.001, T1555.003, T1547 | AT-2, CM-7, SI-3, SI-4, SI-8 | 14.2, 16.10 |
| Ransomware Campaigns — Healthcare, Municipal, Port of Vigo (SCC-CAM-2026-0104, 0122) | Initial Access, Impact | T1566, T1190, T1078, T1021, T1486, T1490, T1489 | CP-9, CP-10, AC-2, IA-2, IA-5, SI-3, SI-4, IR-4, CA-7 | 6.3, 7.3, 7.4, 14.2 |
| Linux AppArmor Privilege Escalation — CrackArmor (SCC-CVE-2026-0025) | Privilege Escalation | T1548, T1068 | AC-6, CM-6, SI-2, SC-7 | 5.4, 6.8 |
| Citrix NetScaler Info Disclosure (SCC-CVE-2026-0023, 0026) | Initial Access, Credential Access | T1190, T1552 | CA-8, RA-5, SI-2, SC-28, AC-3 | 7.3, 7.4 |
| Tax Season RMM Abuse (SCC-CAM-2026-0091, 0086, 0085) | Initial Access, Persistence, Command & Control | T1566.001, T1219, T1539, T1057.003, T1559.001 | CM-7, SI-3, SI-4, AC-2, IA-2, IA-5, AC-17, AC-20 | 2.5, 6.3, 14.2, 8.2 |
| Supply Chain Attacks — Global Trend (SCC-STY-2026-0030) | Initial Access, Execution, Persistence | T1195, T1195.001, T1195.002, T1199, T1554, T1072 | CM-7, SA-9, SR-2, SR-3, SI-7, CM-3 | 2.5, 2.6, 14.2, 15.1 |

Upcoming Security Events & Deadlines

Patch Tuesday

  • Next Microsoft Patch Tuesday: April 8, 2026 (second Tuesday of April)
  • Expect updates for Windows, Microsoft 365 Apps, Azure components, and likely addressing any Microsoft-confirmed OAuth or Entra ID vulnerabilities related to this week’s campaign disclosures

CISA KEV Remediation Deadlines (30-Day Window)

  • Federal agencies under BOD 22-01 must remediate all KEV-listed vulnerabilities by their published deadline. Verify current deadlines for CVE-2024-55956 and CVE-2024-50623 (Cleo MFT) directly at: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  • Citrix NetScaler vulnerabilities (CTX696300) — monitor CISA KEV for potential addition given CVSS 9.1 score and historical pattern of Citrix CVE KEV listing
  • CISA advisory AA23-335A (Iran-linked ICS targeting) — no statutory deadline but CISA urges immediate implementation of recommended controls for critical infrastructure operators

Vendor Patch and EOL Dates

  • Apple iOS/iPadOS: iOS/iPadOS 26.4 — deploy to all managed devices as priority given active DarkSword exploitation. iOS 18.4–18.7 devices remain vulnerable to DarkSword until updated.
  • Citrix NetScaler: CTX696300 patches — deploy immediately per vendor guidance. No stable patch for all versions confirmed as of reporting; monitor Citrix security portal.
  • Cleo MFT: Patches for CVE-2024-55956 and CVE-2024-50623 — apply per Cleo vendor advisory. Active exploitation confirmed; treat as emergency patching event.
  • Linux AppArmor: Monitor distribution security channels (Ubuntu Security Notices, SUSE Security Advisories, Debian Security) for CrackArmor patch releases.
  • Perplexity Comet AI Browser: v1.0.41 patches the PerplexedBrowser vulnerability chain — verify all managed deployments have updated.

Compliance Deadlines

  • GDPR 72-Hour Notification: Organizations that may have been affected by the European Commission breach or other incidents this week should confirm breach notification workflows are documented and tested. The 72-hour clock begins when a controller “becomes aware” of a personal data breach.
  • HIPAA Breach Notification: University of Hawaii Cancer Center (1.2 million records) and healthcare sector ransomware victims face 60-day notification requirement from discovery date. Organizations with data relationships to affected entities should assess their own notification obligations.
  • PCI DSS: Magento 2 / Adobe Commerce operators affected by the PolyShell WebRTC skimmer campaign (SCC-CAM-2026-0106) should initiate PCI DSS breach notification procedures if cardholder data was exposed. Payment brand notification timelines apply.
  • NZ Critical Infrastructure Governance: New Zealand director-level cybersecurity breach penalty legislation is under development. Monitor for publication of the consultation document — GRC teams should assign a regulatory tracking owner.

Security Conferences and Industry Events

  • No major cybersecurity conferences confirmed in available SCC pipeline data for the immediate week of March 30, 2026. Monitor RSA Conference 2026 schedule (typically late April/May) for sessions relevant to this week’s themes: supply chain security, AI-augmented threats, mobile platform exploitation.

Sources

Primary Government and Standards Sources

Section 2 (Critical Action Items)

  • PyPI — telnyx package page: https://pypi.org/project/telnyx/
  • Microsoft Security Blog — OAuth phishing campaign (2026-03-02): Validate URL at microsoft.com/security/blog
  • Citrix Security Bulletin CTX696300: Validate at support.citrix.com
  • Qualys TRU Advisory — CrackArmor AppArmor: Validate at qualys.com/research

Section 3 (Key Security Stories)

Section 5 (Supply Chain)

Section 6 (Nation-State)

Section 7 (Phishing and Social Engineering)

  • Microsoft Security Blog — Tax season cyberattack coverage (2026-03-19): Validate at microsoft.com/security/blog
  • Microsoft Security Blog — Signed malware RMM backdoor deployment (2026-03-03): Validate at microsoft.com/security/blog
  • Malwarebytes — Infinity Stealer macOS (consult Malwarebytes Threat Intelligence)
  • BleepingComputer — Tycoon2FA rebound analysis
  • Kaspersky Secure List — Bubble.io Shadow DOM phishing (consult securelist.com)
  • Huntress — Railway.com/Bubble.io AiTM parallel analysis (consult huntress.com)

Section 8 (IOCs)

Note on URL Validation: URLs in this briefing marked “(human validation recommended)” were retrieved from SCC pipeline source data (RSS feeds, structured intelligence items). They have not been actively verified via live HTTP request during briefing generation. All URLs should be verified by a human analyst before use in detection rules, threat intelligence platforms, or operational response. URLs from primary government sources (CISA, NIST, Apple) have higher confidence but should still be confirmed current. This briefing was generated for the week of 2026-03-30 and reflects intelligence available through that date. Standards, advisories, and threat intelligence feeds may have been updated since generation.

Integrity Lock active — no configuration modifications permitted during this session. This briefing was produced under GAIO Configuration (Cybersecurity / Security Operations / GRC / Threat Intelligence) in Integrity Lock enforcement mode. All claims trace to SCC pipeline source data. Where source confidence is T3 (media) or where IOCs are unverified, this briefing explicitly notes the limitation. No facts were fabricated to fill gaps.

Author

Tech Jacks Solutions
