← Back to Security Blog
Security Briefing March 7, 2026 9 min read

Security Briefing: TriZetto Healthcare Breach, China Telecom Attacks & Wikipedia Worm — March 7, 2026

A healthcare IT breach exposes 3.4 million patient records, China-linked hackers deploy three novel implants against South American telecom infrastructure, Wikipedia suffers a self-propagating JavaScript worm, and a multi-stage malware campaign delivers triple RAT payloads via fileless execution. Here's everything you need to know today.


🏥 TriZetto Healthcare Breach Exposes 3.4 Million Patient Records

⚠️ Massive Healthcare Data Exposure

TriZetto Provider Solutions, a Cognizant-owned healthcare IT company, has disclosed a data breach affecting 3,433,965 individuals. Unauthorized access persisted for nearly a year — from November 2024 to October 2025.

What Was Exposed?

The breach targeted a web portal used for insurance eligibility verification. The compromised data includes:

Timeline & Response

Date Event
November 19, 2024 Unauthorized access begins
October 2, 2025 Suspicious activity detected
December 9, 2025 Affected providers notified
February 2026 Customer notifications begin
March 6, 2026 Maine AG filing confirms 3.4M affected

💡 Key Concern

The 11-month dwell time before detection is alarming but unfortunately common in healthcare breaches. TriZetto is offering affected individuals 12 months of free credit monitoring through Kroll, but the exposure of SSNs and Medicare identifiers creates long-term identity theft risk. No ransomware group has claimed responsibility.


🇨🇳 China-Linked UAT-9244 Deploys Three Novel Implants Against South American Telecoms

⚠️ Critical Infrastructure Under Attack

Cisco Talos has identified a China-linked APT group designated UAT-9244 systematically compromising telecommunications providers in South America using three previously undocumented malware families.

The Triple-Implant Arsenal

Implant Target Platform Capabilities
TernDoor Windows DLL side-loading via wsprint.exe, process manipulation via embedded kernel driver, C2 communication
PeerTime (angrypeer) Linux Backdoor access, file operations, system reconnaissance
BruteEntry Network edge devices Edge device persistence, network traffic interception

Attribution & Connections

UAT-9244 is closely associated with FamousSparrow, which shares tactical overlaps with Salt Typhoon — the China-nexus group notorious for targeting telecom providers globally. TernDoor is a variant of CrowDoor/SparrowDoor, featuring new command codes and an embedded Windows driver for process control.

Key technical details:

🎯 Strategic Impact

Telecom providers are high-value espionage targets — controlling communications infrastructure means potential access to call data records, SMS content, and internet traffic of entire populations. This campaign demonstrates China's continued strategic interest in Latin American digital infrastructure.


🌐 Wikipedia Hit by Self-Propagating JavaScript Worm

⚠️ Wikimedia Meta-Wiki Vandalized

A self-propagating JavaScript worm spread across Wikipedia's Meta-Wiki, modifying user scripts and vandalizing pages before engineers could contain it.

How the Worm Spread

The attack exploited Wikipedia's JavaScript customization features — specifically the MediaWiki:Common.js and User:<username>/common.js scripts that execute in editors' browsers:

  1. Origin — A malicious script (User:Ololoshka562/test.js) was uploaded to Russian Wikipedia, reportedly in March 2024
  2. Trigger — The script was executed (possibly accidentally) by a Wikimedia employee account during testing
  3. User-level propagation — Overwrote each logged-in editor's common.js with a loader for the malicious script
  4. Site-wide escalation — If the infected user had admin privileges, the global MediaWiki:Common.js was modified, affecting all editors
  5. Vandalism — Automated edits added hidden scripts and vandalism to Meta-Wiki pages

Containment

Wikimedia engineers temporarily restricted editing across all projects while they investigated and reverted changes. The incident highlights how user-customizable JavaScript in collaborative platforms can become an attack vector — particularly when privileged accounts execute untrusted code.

🛡️ Lessons for Organizations

Any platform allowing user-uploaded JavaScript faces similar risks. Organizations should implement Content Security Policy (CSP) headers, restrict script execution contexts, and ensure privileged accounts have additional safeguards against running untrusted code.


🐛 VOID#GEIST: Multi-Stage Fileless Malware Delivers Triple RAT Payload

⚠️ Stealthy Multi-Stage Attack Chain

Securonix researchers have uncovered a sophisticated malware campaign codenamed VOID#GEIST that delivers XWorm, AsyncRAT, and Xeno RAT through a completely fileless execution chain.

Attack Flow

Stage Technique Purpose
1 Obfuscated batch script via phishing Initial access, decoy PDF display
2 Second batch script deployment Orchestration layer
3 Legitimate Python runtime staging Portability, trusted binary abuse
4 Encrypted shellcode decryption Payload preparation
5 Early Bird APC injection into explorer.exe In-memory RAT execution

Why It's Dangerous


💰 Ghanaian National Pleads Guilty in $100 Million BEC Fraud Ring

🏛️ Major International Fraud Takedown

A Ghanaian national has pleaded guilty to participating in a massive fraud ring that stole over $100 million from victims across the United States through business email compromise (BEC) attacks and romance scams.

The case highlights the industrial scale of BEC operations and their continued effectiveness despite years of awareness campaigns. Key takeaways:


🔍 Bing AI Promotes Fake OpenClaw GitHub Repo Pushing Infostealers

⚠️ AI Search Results Weaponized

Microsoft's Bing AI-enhanced search promoted fake OpenClaw GitHub repositories that instructed users to run commands deploying information stealers and proxy malware.

This incident is particularly concerning because it demonstrates how AI-generated search summaries can be manipulated to promote malicious content with an air of authority:

🛡️ Protection Advice

Always verify software repositories through official project websites, not search results. Check repository creation dates, star counts, contributor history, and verify URLs match official documentation before running any installation commands.


🛡️ Today's Mitigation Priorities

For Healthcare Organizations

  1. Audit web portal access controls — Implement MFA on all patient data systems
  2. Monitor for long-dwell intrusions — Deploy behavioral analytics to detect persistent unauthorized access
  3. Review vendor security — Assess third-party healthcare IT providers' security postures

For Telecom & Critical Infrastructure

  1. Patch Exchange and Windows Server — UAT-9244 exploits outdated systems
  2. Monitor edge devices — Check for BruteEntry indicators on network perimeter equipment
  3. Hunt for DLL side-loading — Look for suspicious wsprint.exe activity

For All Organizations

  1. Implement CSP headers — Restrict JavaScript execution on web platforms
  2. Monitor for fileless attacks — Tune EDR for Early Bird APC injection patterns
  3. Verify software sources — Never install tools from AI search results without verification
  4. BEC awareness training — Reinforce invoice and payment change verification procedures

📊 Threat Landscape Summary

Threat Actor Severity Action Required
TriZetto healthcare breach Unknown 🔴 Critical Audit healthcare vendor security, monitor for identity theft
UAT-9244 telecom attacks China-linked 🔴 Critical Patch servers, hunt for TernDoor/PeerTime/BruteEntry
Wikipedia JS worm Unknown 🟠 High Implement CSP, restrict privileged script execution
VOID#GEIST triple RAT Cybercriminals 🔴 Critical Monitor for fileless attacks, block TryCloudflare abuse
$100M BEC fraud ring Organized crime 🟠 High Reinforce BEC awareness and payment verification
Fake repos via Bing AI Cybercriminals 🟠 High Verify software sources, educate developers

Continuous Threat Detection for Your Infrastructure

KENSAI's automated security scanning detects vulnerabilities, misconfigurations, and indicators of compromise across your entire attack surface — before attackers exploit them.

Start Free Security Scan

Stay vigilant. Stay protected.

🗡️ KENSAI Threat Intelligence Team

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →