Critical Fortinet FortiClient EMS SQL injection (CVE-2026-21643) is being actively exploited in the wild. ShinyHunters claim a massive 350GB data theft from the European Commission's AWS environment. Censys uncovers a previously unknown Russian .NET remote access toolkit that hijacks RDP sessions. Three China-aligned threat clusters simultaneously target a Southeast Asian government.
CVE-2026-21643 is a critical SQL injection vulnerability in Fortinet FortiClient EMS v7.4.4 that allows unauthenticated remote code execution. Active exploitation has been observed since March 26, 2026.
Threat intelligence firm Defused confirmed that attackers have been exploiting CVE-2026-21643 for at least four days, even though CISA and other KEV lists have not yet flagged it as exploited in the wild. The flaw resides in FortiClient EMS's web GUI, where attackers can smuggle SQL statements through the Site header in HTTP requests.
Fortinet vulnerabilities are a perennial favorite for ransomware gangs and state-sponsored espionage groups. CISA has flagged 24 Fortinet vulnerabilities as actively exploited to date, with 13 linked directly to ransomware campaigns. If you run FortiClient EMS, this is a drop-everything-and-patch situation.
The EU's executive body confirmed that data was stolen from its Europa.eu platform after ShinyHunters compromised an AWS account.
The European Commission confirmed on Friday that its Europa.eu web platform was hacked, with the ShinyHunters extortion gang claiming responsibility. The group says they exfiltrated over 350 GB of data before access was revoked, including databases, mail server dumps, confidential contracts, and employee information.
The Commission states its internal systems were not affected and that it is notifying affected EU entities. This is ShinyHunters' latest high-profile scalp — the group has recently claimed breaches at Infinite Campus, CarGurus, Canada Goose, Panera Bread, Betterment, SoundCloud, PornHub, and Match Group (Tinder, Hinge, OkCupid). Many of these victims fell to a large-scale voice phishing campaign targeting SSO accounts at Okta, Microsoft, and Google across 100+ organizations.
Censys researchers have disclosed a previously undocumented Russian-origin remote access toolkit called CTRL, recovered from an open directory at 146.19.213[.]155 in February 2026. It's a custom-built .NET framework designed for full-spectrum remote access operations.
hui228[.]ru:7000, downloads CTRL payloadscmd.exe shell server on port 5267 tunneled through Fast Reverse Proxy (FRP)C:\Temp\keylog.txtThe toolkit's sophistication — particularly the credential phishing UI that mimics Windows Hello and the named-pipe architecture that evades network detection — indicates a well-resourced threat actor.
Palo Alto Networks Unit 42 has revealed that three distinct threat activity clusters aligned with China simultaneously targeted a single government organization in Southeast Asia throughout 2025 in what they describe as a "complex and well-resourced operation."
| Cluster | Active Period | Known Overlaps | Key Malware |
|---|---|---|---|
| Mustang Panda | Jun–Aug 2025 | Stately Taurus | HIUPAN, PUBLOAD, COOLCLIENT |
| CL-STA-1048 | Mar–Sep 2025 | Earth Estries, Crimson Palace | EggStremeFuel, EggStremeLoader, RawCookie |
| CL-STA-1049 | Apr–Aug 2025 | Unfading Sea Haze | FluffyGh0st, MASOL RAT, PoshRAT, TrackBak Stealer |
The convergence of three separate APT clusters on a single target suggests coordinated or at least strategically aligned operations — a hallmark of China's intelligence apparatus. Mustang Panda used USB-based malware (HIUPAN) to deliver backdoors, while the other clusters employed more sophisticated fileless techniques including the EggStreme loader family and the Hypnosis Loader.
telnyx Python package hide credential-stealing malware inside a WAV audio file using steganography. Downgrade to 4.87.0 immediately — the package is now quarantined.146.19.213[.]155 and hui228[.]ru. Hunt for suspicious LNK files, FRP tunneling activity, and anomalous named pipe communications.telnyx Python package — ensure version 4.87.0 or earlier. Check for WAV file-based payload indicators.Get daily security intelligence delivered with zero noise.
Explore KENSAI →KENSAI Security Briefing — March 30, 2026
Compiled from BleepingComputer, The Hacker News, Censys, Unit 42, Defused, and Shadowserver intelligence feeds.