A Chinese state-sponsored APT deploys custom AppleChris and MemFun malware in a years-long espionage campaign against Southeast Asian military organizations. Loblaw and Starbucks report data breaches affecting customers and employees. A critical HPE AOS-CX vulnerability enables unauthenticated admin password resets. Iran-linked hackers expand targeting to US critical infrastructure. AI security startups raise $80 million combined. FBI investigates malware-laden Steam games.
Palo Alto Networks Unit 42 has disclosed a sophisticated, years-long cyber espionage campaign tracked as CL-STA-1087 — a suspected China-based threat cluster targeting Southeast Asian military organizations since at least 2020.
The attackers deployed two custom malware families — AppleChris and MemFun — using carefully crafted delivery methods, defense evasion strategies, and highly stable operational infrastructure. The campaign focused on highly targeted intelligence collection rather than bulk data theft, specifically seeking files on military capabilities, organizational structures, and collaborative efforts with Western armed forces.
While this campaign targets Southeast Asian militaries, European defense and critical infrastructure organizations face similar APT threats from state actors. Under NIS2 Article 21, essential entities — including defense suppliers and critical infrastructure operators — must implement measures to address state-sponsored cyber threats, including:
Loblaw Companies Limited, Canada's largest food retailer, has confirmed a data breach exposing customer personal information including names, email addresses, and phone numbers. The breach scope and attack vector have not been fully disclosed.
Starbucks reported a data breach impacting employees, stemming from phishing attacks targeting an employee portal. Hundreds of employees are affected, with compromised data including personal employment details.
Two major retailers breached in the same week highlights a broader pattern: phishing remains the dominant initial access vector for enterprise breaches. For NIS2-regulated entities, these incidents reinforce the mandatory requirement for security awareness training (Article 21(2)(g)) and multi-factor authentication across all employee-facing portals.
While both companies are North American, any EU customer data involved triggers GDPR Article 33/34 breach notification obligations. European organizations with similar employee portals should treat these breaches as a case study for their own incident response readiness.
A critical vulnerability in HPE AOS-CX network switches allows remote, unauthenticated attackers to reset administrator passwords, effectively bypassing all existing authentication controls.
This vulnerability can be exploited remotely without authentication to circumvent existing authentication controls on HPE AOS-CX switches — widely deployed in enterprise and critical infrastructure networks. Organizations running affected firmware must patch immediately.
| Factor | Detail |
|---|---|
| Attack Vector | Remote, unauthenticated — no credentials required |
| Impact | Complete admin takeover of network switches |
| Affected Product | HPE AOS-CX network switch firmware |
| Mitigation | Apply HPE security patch immediately; restrict management interface access |
NIS2 compliance note: Network infrastructure vulnerabilities fall directly under Article 21(2)(e) — security in network and information systems acquisition, development, and maintenance. Organizations must have processes to identify, assess, and patch critical network device vulnerabilities within defined SLAs.
Pro-Iranian hacking groups are expanding their targeting from the Middle East to the United States, raising the risk of cyberattacks against defense contractors, power stations, and water treatment plants.
An Iran-linked attack on medical device manufacturer Stryker disrupted manufacturing and shipping operations. Notably, the attackers leveraged existing endpoint management software rather than deploying malware to wipe devices — a living-off-the-land technique that evades traditional security tools.
Defensive insight: The use of legitimate endpoint management tools for destructive purposes means organizations cannot rely solely on malware detection. Behavioral monitoring, anomaly detection in administrative tool usage, and privileged access management are essential countermeasures.
Two AI-focused security startups emerged from stealth this week, each securing $40 million in funding:
Bold Security uses AI to turn devices into active agents that understand user actions and provide real-time protection. The approach represents a shift from reactive signature-based detection toward proactive, behavior-aware security.
Onyx Security is building a control pane for autonomous AI agents, helping organizations oversee and rapidly adopt AI agents while maintaining security guardrails. As enterprises deploy more AI agents, governance and oversight become critical security functions.
$80 million flowing into AI security in a single week confirms that the market recognizes AI agent governance and behavioral security as the next major growth vectors. For NIS2-regulated organizations evaluating AI adoption, both startups' approaches align with the EU AI Act's requirements for high-risk AI system oversight.
The FBI is seeking victims who installed any of eight Steam games found to contain malware. The games were uploaded to Valve's gaming platform and distributed to unsuspecting players before being removed.
Supply chain lesson: Even trusted distribution platforms like Steam can be vectors for malware delivery. NIS2's supply chain security requirements (Article 21(2)(d)) extend to all software distribution channels — organizations should maintain application whitelists and monitor for unauthorized software installations.
Apple released iOS 16.7.15 and iOS 15.8.7 to patch vulnerabilities exploited by "Coruna" — a US defense contractor linked to commercial exploit development. Organizations with legacy iOS devices in their fleet must update immediately.
Meta disabled over 150,000 accounts powering scam centers across Asia, while launching new protection tools for users. The crackdown targets organized fraud operations using social media for phishing and financial scams.
A new open-source tool called Betterleaks has been released as a replacement for the popular Gitleaks secrets scanner. It can scan directories, files, and git repositories to identify valid secrets using default or customized rules.
For security teams: Secret scanning is a NIS2 and DORA compliance requirement for preventing credential exposure. Betterleaks' customizable rule engine makes it suitable for CI/CD pipeline integration — a must-have for software development organizations under NIS2 scope.
Continuous vulnerability scanning, supply chain risk assessment, and regulatory compliance mapping for NIS2, DORA, GDPR, and EU AI Act.
Start Free Security Scan →Stay compliant. Stay secure.
🗡️ KENSAI Security & Compliance Team
March 16, 2026