Microsoft's March 2026 Patch Tuesday addresses 84 vulnerabilities including 2 public zero-days. Iranian hacktivists claim to have wiped 200,000+ devices at medtech giant Stryker. FortiGate firewalls exploited to steal AD/LDAP credentials. Perplexity's AI browser tricked into phishing in under 4 minutes. Plus: KadNap botnet, npm supply chain attacks, n8n RCE exploitation, Meta's scam crackdown, Google's $32B Wiz deal, and BlackSanta EDR killer targeting HR departments.
Microsoft's March 2026 Patch Tuesday fixes 84 security flaws: 8 Critical, 76 Important. Two vulnerabilities were publicly disclosed before patches were available. All NIS2-regulated entities must prioritize immediate deployment.
Microsoft has released its March 2026 security update, addressing 84 vulnerabilities across the Windows ecosystem. The breakdown reveals a heavy emphasis on privilege escalation — a clear indicator that attackers are focused on post-compromise lateral movement.
| Category | Count | Risk Level |
|---|---|---|
| Privilege Escalation | 46 | High — enables lateral movement |
| Remote Code Execution | 18 | Critical — enables initial access |
| Information Disclosure | 10 | Medium — enables reconnaissance |
| Spoofing | 4 | Medium |
| Denial of Service | 4 | Medium |
| Security Feature Bypass | 2 | High |
CVE-2026-26127 (CVSS 7.5) — A Denial of Service vulnerability in .NET that was publicly disclosed prior to the patch. Attackers can crash .NET-based services remotely, impacting availability of web applications and APIs built on the framework.
CVE-2026-21262 (CVSS 8.8) — An Elevation of Privilege vulnerability in SQL Server. With a high CVSS score and public disclosure, this is particularly dangerous for organizations running SQL Server in production environments. An authenticated attacker could escalate to database administrator privileges.
Additionally, Microsoft addressed 10 Chromium/Edge vulnerabilities separately, bringing the total remediation load to 94 fixes this cycle.
Medical technology company Stryker has been targeted by Handala, an Iranian-linked pro-Palestinian hacktivist group, with wiper malware. The group claims to have wiped over 200,000 devices. If confirmed, this is one of the most devastating wiper attacks against the healthcare sector to date.
Stryker — a Fortune 500 medical technology company that manufactures surgical equipment, implants, and hospital infrastructure — has been hit by a destructive wiper attack. The Handala hacktivist group, linked to Iranian state interests, claims responsibility and alleges that 200,000+ devices across Stryker's network were wiped.
This attack carries enormous implications for patient safety. Stryker's products are integrated into operating rooms, intensive care units, and surgical planning systems worldwide. Disruption to their internal systems could cascade into delayed device updates, impaired supply chains, and compromised product security.
Under NIS2, healthcare is classified as an essential sector. Medical device manufacturers and their supply chains face mandatory cybersecurity requirements. This attack illustrates exactly why:
If your organization uses Stryker products, contact your Stryker account representative immediately to understand the impact on product updates, support services, and supply chain continuity. Document this assessment as part of your NIS2 supply chain risk management obligations.
SentinelOne has discovered a campaign abusing FortiGate NGFW appliances to breach networks and extract configuration files containing Active Directory and LDAP service account credentials. Targets include healthcare, government, and managed service providers.
Security researchers at SentinelOne have uncovered a systematic campaign targeting Fortinet FortiGate Next-Generation Firewalls. Attackers are exploiting vulnerabilities in these devices to extract configuration files, which contain plaintext or recoverable service account credentials for AD/LDAP integration.
The irony is devastating: the very devices deployed to protect networks are being used to compromise them. Once attackers obtain AD/LDAP credentials from FortiGate configs, they gain privileged access to the entire Active Directory environment.
Guardio researchers demonstrated that Perplexity's Comet AI browser can be manipulated into conducting a phishing attack in under 4 minutes, exploiting a vulnerability they've dubbed "Agentic Blabbering."
Security researchers at Guardio Labs have published a devastating proof-of-concept showing how Perplexity's Comet — an AI-powered web browser — can be tricked into executing a phishing scam. The attack exploits a fundamental design flaw in AI browsers: their tendency to narrate their actions, which inadvertently lowers security guardrails.
The technique, dubbed "Agentic Blabbering," works because AI browsers are designed to explain what they're doing. Attackers craft prompts that exploit this conversational nature, tricking the AI into treating malicious instructions as legitimate browsing tasks. The result: the AI browser itself becomes the phishing vector.
Lumen's Black Lotus Labs has discovered the KadNap malware campaign targeting Asus routers, building a proxy botnet of 14,000+ infected devices. The malware uses a custom Kademlia DHT protocol for resilient command and control.
A new malware strain dubbed KadNap is targeting Asus consumer and small business routers, with Lumen's Black Lotus Labs identifying over 14,000 infected devices — 60% of which are located in the United States. The malware converts compromised routers into nodes in a proxy botnet, allowing attackers to route malicious traffic through legitimate residential and business IP addresses.
KadNap's use of a custom Kademlia Distributed Hash Table (DHT) protocol makes it particularly difficult to disrupt. Unlike traditional botnets with centralized command and control, KadNap's decentralized architecture means there's no single server to take down.
A new wave of supply-chain attacks dubbed PhantomRaven has planted 88 malicious packages on the npm registry, designed to exfiltrate data from JavaScript developers' machines and CI/CD environments.
The PhantomRaven campaign represents a sophisticated software supply chain attack targeting the npm ecosystem. The 88 identified malicious packages use typosquatting and dependency confusion techniques to trick developers into installing backdoored libraries that exfiltrate environment variables, SSH keys, and API tokens.
For organizations building web applications and microservices, this is a direct threat to code integrity and CI/CD pipeline security. A single compromised developer workstation can lead to poisoned production builds.
npm audit, and consider a private registry proxyCISA has added an actively exploited Remote Code Execution vulnerability in the n8n workflow automation platform to its Known Exploited Vulnerabilities (KEV) catalog, ordering federal agencies to patch immediately.
The n8n automation platform — widely used for workflow orchestration, API integration, and data pipeline management — has a critical RCE vulnerability that is being actively exploited in the wild. CISA's inclusion in the KEV catalog means this is not theoretical — attackers are leveraging this flaw right now.
n8n instances are often deployed with broad access to internal systems, making them high-value targets. A compromised n8n instance could give attackers access to connected databases, APIs, cloud services, and internal applications.
In a significant law enforcement operation, Meta has disabled over 150,000 accounts linked to Southeast Asian scam centers — primarily pig-butchering and romance fraud operations. The Royal Thai Police arrested 21 individuals in coordinated raids, supported by authorities from 11 countries.
While this is a positive development for platform security, the sheer scale — 150,000 accounts — underscores how deeply entrenched these operations have become. For organizations, the key takeaway is that business email compromise (BEC) and social engineering attacks often originate from the same criminal infrastructure.
Google has officially completed its $32 billion acquisition of Wiz, the cloud security startup that became one of the fastest-growing cybersecurity companies in history. Wiz will continue operating as an independent brand within Google Cloud, maintaining its multi-cloud security platform that works across AWS, Azure, and GCP.
This deal reshapes the cloud security landscape. With Wiz's Cloud-Native Application Protection Platform (CNAPP) integrated into Google Cloud, organizations now face strategic decisions about vendor lock-in and multi-cloud security.
| Consideration | Impact |
|---|---|
| Multi-cloud neutrality | Wiz pledges to remain multi-cloud, but Google ownership creates long-term concerns about AWS/Azure feature parity |
| Pricing | Google's deep pockets may drive competitive pricing initially, but consolidation often leads to price increases |
| Data sovereignty | GDPR/NIS2-regulated entities should review data processing agreements as Wiz integrates with Google Cloud infrastructure |
| Alternative evaluation | Now is the time to evaluate alternatives (Orca, Lacework, Prisma Cloud) to avoid single-vendor dependency |
A Russian-speaking threat actor is targeting HR departments with malware that delivers BlackSanta — an EDR killer capable of disabling antivirus and endpoint detection at the kernel level before deploying its final payload.
The BlackSanta campaign is particularly insidious because it targets HR departments — teams that routinely open attachments from unknown senders (resumes, cover letters, invoices). The attack chain delivers an EDR killer that operates at the kernel level, disabling security tools before the primary payload (likely ransomware or infostealer) detonates.
This technique — Bring Your Own Vulnerable Driver (BYOVD) — abuses legitimate signed kernel drivers to disable security products. Once EDR is neutralized, the attacker has free rein on the system.
KENSAI continuously monitors your infrastructure against the latest vulnerabilities, maps them to NIS2, DORA, and GDPR compliance requirements, and generates audit-ready reports — all powered by AI threat intelligence.
Start Your Free Security Scan →Stay satisfactorily patched and vigilant,
The KENSAI Threat Intelligence Team
Daily security briefing powered by AI threat intelligence. Published every day at 06:00 CET.