← Back to Security Blog
Security Briefing March 6, 2026 7 min read

March 2026 Security Briefing: Chinese APT Telco Attacks, iOS Coruna Exploits & Major Forum Takedowns

Chinese state hackers deploy new malware toolkit targeting South American telecoms. Nation-state iOS exploit kit "Coruna" now powers crypto theft campaigns. FBI dismantles LeakBase forum with 142,000 cybercriminals. Cisco SD-WAN vulnerabilities actively exploited. 90 zero-days exploited in 2025.


🎯 Chinese APT UAT-9244 Targets South American Telecoms

Critical — Nation-State APT Campaign

A China-linked advanced persistent threat actor UAT-9244 has been conducting an ongoing campaign against telecommunication service providers in South America since 2024, compromising Windows, Linux, and network-edge devices with a sophisticated new malware toolkit.

Attack Profile

Why it matters: Telecommunications infrastructure represents critical national security interests. Persistent access to telco networks enables mass surveillance, call interception, SMS monitoring, and network mapping for future operations.


📱 Coruna iOS Exploit Kit Goes Commercial

A previously undocumented iOS exploit kit named "Coruna" containing 23 separate exploits has been identified in the wild. Originally developed and used by Russian state actors for targeted espionage, the toolkit has now spread to financially motivated threat actors conducting cryptocurrency theft campaigns.

Technical Details

Google and iVerify analysis reveals Coruna represents spyware-grade capabilities now accessible to criminal organizations. This marks a concerning trend: nation-state exploit kits migrating to financially motivated cybercrime.

Action: Update all iOS devices to the latest version immediately. Avoid clicking links in unsolicited SMS messages. Review installed configuration profiles.


🚨 FBI Dismantles LeakBase Cybercrime Forum

A joint FBI and Europol operation has seized LeakBase, one of the world's largest online forums for trading stolen credentials, hacked databases, and cybercrime tools.

Operation Impact

Law Enforcement Message

"All forum content, including users' accounts, posts, credit details, private messages, and IP logs, has been secured and preserved for evidentiary purposes." — FBI Seizure Banner

Context: This follows the recent takedown of Tycoon 2FA, a phishing-as-a-service platform that sent fraudulent emails to over 500,000 organizations monthly. Combined, these operations represent significant disruption to the cybercrime ecosystem.


🔥 Cisco SD-WAN Flaws Actively Exploited

Cisco has flagged two Catalyst SD-WAN Manager vulnerabilities as actively exploited in the wild:

Risk Assessment

SD-WAN infrastructure is deployed at the network perimeter of thousands of enterprise networks. Successful exploitation provides attackers with:

Immediate action required: Cisco customers must upgrade Catalyst SD-WAN Manager to patched versions immediately. These vulnerabilities are confirmed under active exploitation.


📊 2025 Zero-Day Landscape: 90 Exploited Vulnerabilities

Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in attacks throughout 2025 — almost half targeting enterprise software and appliances.

Key Findings

Trend alert: The shift toward enterprise appliances (VPNs, firewalls, SD-WAN, network management) reflects attacker focus on network perimeter devices that provide persistent access and are difficult to patch.


🛡️ Additional Threat Activity

Dust Specter Targets Iraqi Government

Iran-nexus threat actor Dust Specter targeted Iraqi Ministry of Foreign Affairs officials with new malware strains: SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The campaign used compromised Iraqi government infrastructure to stage payloads and employed checksum-based C2 validation and geofencing techniques.

Wikipedia Self-Propagating Worm

Wikimedia Foundation suffered a security incident involving a self-propagating JavaScript worm that vandalized pages and modified user scripts across multiple wikis. The worm exploited cross-site scripting (XSS) vectors in user-editable content.

Fake OpenClaw Malware Campaign

Bing AI search results promoted fake OpenClaw GitHub repositories containing information-stealing malware. The campaign instructed users to run commands that deployed credential stealers and proxy malware.

WordPress Plugin Exploitation

Attackers are actively exploiting a critical vulnerability in the User Registration & Membership plugin (60,000+ installations) to create unauthorized WordPress admin accounts.


🎯 Recommended Actions

  1. Immediate: Patch Cisco Catalyst SD-WAN Manager (CVE-2026-20128, CVE-2026-20122)
  2. Immediate: Update all iOS devices to latest version (Coruna exploits)
  3. This Week: Review network perimeter devices for unauthorized access
  4. This Week: Audit WordPress installations for User Registration plugin
  5. Ongoing: Monitor telco infrastructure for UAT-9244 indicators of compromise
  6. Ongoing: Implement zero-trust architecture to limit lateral movement from compromised edge devices

Protect Your Organization with KENSAI

AI-powered vulnerability intelligence with 331,910+ CVEs indexed. Get real-time threat alerts tailored to your infrastructure.

Start Free Trial

Stay secure. Stay vigilant.

🗡️ KENSAI Security Team

March 6, 2026

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →