剣 KENSAI
← All posts · security · 2026-03-10 · 6 min

Teams Phishing Deploys A0Backdoor, Signal Hijacking Campaign, Salesforce Aura Under Attack

Hackers deploy the new A0Backdoor malware via Microsoft Teams phishing campaigns targeting financial and healthcare sectors. Russian GRU-linked actors hijack Signal and WhatsApp accounts of government officials. ShinyHunters actively exploits a Salesforce Aura vulnerability. Cisco SD-WAN CVE-2026-20127 sees widespread exploitation.


1. Microsoft Teams Phishing Deploys A0Backdoor Malware

🚨 CRITICAL — Active Campaign Targeting Finance & Healthcare

Threat actors are leveraging Microsoft Teams messages to target employees in the financial and healthcare sectors. After initiating contact via Teams, attackers convince victims to grant remote access through Quick Assist, a legitimate Windows remote-support tool. Once connected, they deploy a previously undocumented backdoor dubbed A0Backdoor.

The attack chain is notable for its social engineering sophistication — attackers impersonate IT support personnel and create urgency around supposed security issues. A0Backdoor provides persistent access, credential harvesting, and lateral movement capabilities.

Action Required: Restrict Quick Assist usage via Group Policy. Educate employees about unsolicited Teams support requests. Monitor for unusual remote access tool activity.


2. Google: Cloud Attacks Shift from Credentials to Vulnerability Exploitation

Google's latest threat intelligence report reveals a significant shift in cloud attack tactics. Hackers are increasingly exploiting newly disclosed vulnerabilities in third-party software rather than relying on weak or stolen credentials for initial cloud access.

The most alarming finding: the window between vulnerability disclosure and active exploitation has shrunk from weeks to just days, sometimes hours. This puts enormous pressure on security teams to patch immediately.

MetricPreviousCurrent
Avg. time to exploitation2–4 weeks1–3 days
Top initial access vectorStolen credentialsVulnerability exploitation
Third-party software involvementModeratePrimary target

3. Russian GRU Hackers Hijacking Signal & WhatsApp Accounts

🚨 STATE-SPONSORED — Dutch Government Warning

The Dutch government has issued a formal warning about an ongoing Russian state-sponsored phishing campaign linked to the GRU (Russian military intelligence). The campaign targets government officials, military personnel, and journalists, attempting to hijack their Signal and WhatsApp accounts.

Attackers use sophisticated social engineering to trick targets into linking their messaging accounts to attacker-controlled devices. Once compromised, the actors gain full access to encrypted conversations, contacts, and shared media.

Action Required: Review linked devices in Signal and WhatsApp settings. Enable registration lock on Signal. Brief high-value personnel on this specific threat.


4. Ericsson US Data Breach

Ericsson's US subsidiary has disclosed a data breach resulting from a compromise of a third-party service provider. Employee and customer data was stolen, including personal identifiable information.

This incident highlights the persistent risk of supply chain attacks — even when your own security is robust, vendors and service providers can become the weak link.


5. ShinyHunters Exploiting Salesforce Aura Vulnerability

⚠️ ACTIVE EXPLOITATION — Salesforce Experience Cloud

The notorious ShinyHunters extortion gang is actively exploiting a new bug in Salesforce Experience Cloud (Aura framework) to steal data from misconfigured instances. Organizations with exposed Salesforce Experience Cloud sites are at immediate risk.

ShinyHunters has a track record of massive data breaches and typically extorts victims by threatening to leak stolen data. The Salesforce Aura vulnerability allows unauthorized access to sensitive records when instances are improperly configured.

Action Required: Audit Salesforce Experience Cloud configurations immediately. Review guest user permissions. Check for unexpected data access patterns.


6. Malicious npm Package Impersonates OpenClaw

A malicious npm package named @openclaw-ai/openclawai has been discovered masquerading as a legitimate installer. The package deploys a Remote Access Trojan (RAT) and steals sensitive data from macOS systems including:

The package accumulated 178 downloads before detection. This is a classic supply chain attack exploiting the trust in package managers.


7. North Korean UNC4899 Breaches Crypto Firm

Google's Mandiant attributes a crypto firm breach to UNC4899 (also known as TraderTraitor), a North Korean threat group. The attackers compromised the target via a trojanized AirDrop file, then pivoted into cloud infrastructure using living-off-the-cloud techniques — abusing legitimate cloud services to blend in with normal activity.

This represents an evolution in North Korean cyber operations, demonstrating growing sophistication in cloud-native attack techniques.


8. Chrome Extensions Turn Malicious After Ownership Transfer

Two Chrome extensions have been found to turn malicious after their ownership was transferred to new developers. The new owners pushed updates that enabled code injection and data theft, affecting users who had the extensions installed with auto-update enabled.

Action Required: Audit browser extensions across your organization. Implement extension allow-listing. Monitor for unexpected extension updates.


9. Cisco Catalyst SD-WAN CVE-2026-20127 Under Widespread Attack

🚨 CRITICAL CVE — Active Mass Exploitation

A critical vulnerability in Cisco Catalyst SD-WAN (CVE-2026-20127) is now seeing widespread exploitation from numerous IP addresses. Organizations running affected Cisco SD-WAN infrastructure should patch immediately or apply mitigations.

Action Required: Apply Cisco's security advisory patches immediately. If patching is not possible, implement recommended workarounds and monitor for indicators of compromise.


10. ClickFix Attack Evolves with Windows Terminal

The ClickFix social engineering technique has evolved. Attackers now use fake CAPTCHA pages that instruct victims to paste malicious commands into Windows Terminal instead of the traditional Run dialog. This evasion technique bypasses several security controls that monitor the Run dialog.

The shift to Windows Terminal is significant because it provides a more powerful execution environment and may not be monitored by legacy endpoint detection tools.


11. More Headlines

StoryImpact
FBI Investigating Surveillance System BreachFBI probing suspicious cyber activity on a system holding sensitive surveillance information
CISA Adds iOS Flaws to KEVCoruna exploit kit targets 23 vulnerabilities across iOS 13–17.2.1; nation-state grade
US Cyber Strategy UpdateNew strategy targets adversaries, critical infrastructure protection, and AI/post-quantum cryptography

How KENSAI Protects You

Real-time CVE Monitoring — CVE-2026-20127 and all critical vulnerabilities tracked within hours of disclosure

Supply Chain Analysis — Detect malicious packages like the fake OpenClaw npm installer

Cloud Configuration Auditing — Identify Salesforce misconfigurations before ShinyHunters does

Continuous Attack Surface Management — Monitor your exposure across all vectors


Recommended Actions

  1. Immediate: Patch Cisco SD-WAN CVE-2026-20127. Restrict Quick Assist via Group Policy.
  2. Today: Audit Salesforce Experience Cloud configurations. Review linked devices in Signal/WhatsApp.
  3. This Week: Audit browser extensions across the organization. Review npm dependencies for malicious packages.
  4. Ongoing: Implement continuous vulnerability management. Brief staff on Teams phishing and ClickFix techniques.