剣 KENSAI
← Back to archive

🛡️ Daily Security Intelligence Brief

Wednesday, March 11, 2026 · 04:00 CET · Auto-generated by KENSAI
24-Hour Threat Landscape
2
Zero-Days Patched
162+
Vulns Fixed (MS+Adobe+SAP)
14K
Devices in KadNap Botnet
$376M
New Security Funding

⚡ TL;DR — What Matters Today

  • Microsoft Patch Tuesday: 79–83 vulns patched including 2 zero-days — patch immediately
  • FortiGate campaign: Threat actors exploiting FortiGate NGFWs to steal AD/LDAP credentials from healthcare & gov
  • KadNap botnet: 14,000+ ASUS routers compromised into stealth proxy network using custom Kademlia DHT
  • APT28 (Fancy Bear): New BEARDSHELL + COVENANT implants for long-term Ukrainian military surveillance
  • Ivanti EPM actively exploited: CISA adds to KEV alongside SolarWinds & Workspace One flaws
  • Salesforce Experience Cloud: Mass-scanning campaign targeting misconfigured guest user permissions
  • Ericsson data breach: Thousands affected via third-party vendor compromise

🔴 Critical Vulnerabilities & Patch Tuesday

Microsoft · Patch Tuesday

Microsoft March 2026 Patch Tuesday — 2 Zero-Days, 79 Flaws

Microsoft released fixes for 79 vulnerabilities including 2 publicly disclosed zero-day vulnerabilities. The update also addresses an issue preventing some devices from shutting down. Windows 10 extended security update KB5078885 and Windows 11 KB5079473/KB5078883 cumulative updates are available now.

Zero-Day Patch Now Windows 10/11
Adobe

Adobe Patches 80 Vulnerabilities Across 8 Products

Adobe rolled out patches for 80 vulnerabilities across Commerce, Illustrator, Acrobat Reader, Premiere Pro, and 4 other products. Multiple critical-severity code execution flaws included.

High Acrobat Commerce
SAP

SAP Patches Critical FS-QUO and NetWeaver Vulnerabilities

A code injection bug in FS-QUO and an insecure deserialization flaw in NetWeaver could enable arbitrary code execution on enterprise SAP systems. Patch priority: critical.

Critical RCE Enterprise
HPE

HPE Critical AOS-CX Flaw — Admin Password Reset

Hewlett Packard Enterprise patched multiple vulnerabilities in the Aruba Networking AOS-CX operating system, including authentication bypass flaws allowing admin password resets and code execution issues.

Critical Auth Bypass Network Infrastructure
CISA · KEV Update

CISA Flags Ivanti EPM, SolarWinds & Workspace One as Actively Exploited

Three vulnerabilities added to CISA's Known Exploited Vulnerabilities catalog: Ivanti Endpoint Manager high-severity auth bypass, SolarWinds flaw, and CVE-2021-22054 (SSRF in VMware/Omnissa Workspace One UEM, CVSS 7.5). All confirmed exploited in the wild.

Actively Exploited KEV Ivanti
Google · Tenable Research

"LeakyLooker" — 9 Cross-Tenant Flaws in Google Looker Studio

Tenable disclosed 9 cross-tenant vulnerabilities in Google Looker Studio that could have allowed attackers to run arbitrary SQL queries on victims' databases and exfiltrate sensitive data within Google Cloud environments. No evidence of exploitation in the wild.

High Cloud Cross-Tenant

🟠 Active Threats & Campaigns

SentinelOne

FortiGate NGFW Campaign — Credential Theft from Healthcare & Gov

Threat actors are exploiting FortiGate Next-Generation Firewalls as entry points to breach networks. The campaign extracts configuration files containing AD/LDAP service account credentials and network topology. Targets include healthcare, government, and managed service providers. Exploitation leverages recent vulns and weak credentials.

Critical Healthcare Government Credential Theft
APT28 / Fancy Bear · ESET

Russia's APT28 Deploys BEARDSHELL + COVENANT Against Ukraine Military

GRU-affiliated APT28 observed using new implants BEARDSHELL and COVENANT for long-term surveillance of Ukrainian military personnel since April 2024. Also deploying SLIMAGENT (keylogger, screenshot capture, clipboard theft). The campaign demonstrates continued escalation of Russian cyber-espionage operations.

Nation-State Espionage Russia
Lumen Black Lotus Labs

KadNap Botnet — 14,000+ ASUS Routers Compromised

New malware KadNap targets ASUS routers and edge devices, building a 14,000+ node botnet for proxying malicious traffic. Uses a custom Kademlia DHT protocol to conceal C2 infrastructure. 60%+ of victims are in the US, with global spread across Taiwan, Hong Kong, UK, Australia, Brazil, France, Italy, and Spain. Active since August 2025.

High Botnet IoT 14K Devices
Salesforce

Salesforce Experience Cloud Mass-Scanning Campaign

Threat actors mass-scanning Salesforce Experience Cloud sites using a modified AuraInspector tool. Exploiting overly permissive guest user configurations to access sensitive data. Hundreds of customers reportedly targeted.

High SaaS Misconfiguration
North Korea · UNC4899

North Korean Actors Breach Crypto Firm via Trojanized AirDrop File

UNC4899 (Jade Sleet / TraderTraitor) compromised a cryptocurrency organization via social engineering + trojanized AirDrop file transfer. Pivoted to cloud using living-off-the-cloud (LOTC) techniques, abusing DevOps workflows to harvest credentials, break out of containers, and tamper with Cloud SQL databases for crypto theft.

APT Crypto Supply Chain

🟡 New Malware & Evasion Techniques

BleepingComputer

"BlackSanta" EDR Killer Targeting HR Departments

A Russian-speaking threat actor has been targeting HR departments for over a year with malware delivering BlackSanta, a new EDR (Endpoint Detection & Response) killer. The campaign uses social engineering tailored to HR workflows.

High EDR Bypass HR Targeting
BleepingComputer

"BeatBanker" Android Malware Poses as Starlink App

New Android malware BeatBanker disguises itself as a Starlink app on fake Google Play Store websites. Capable of full device hijacking once installed.

Medium Android Banking Trojan
BleepingComputer

"Zombie ZIP" — New Technique Evades Security Scanners

A new evasion technique dubbed "Zombie ZIP" conceals malicious payloads in specially crafted compressed files designed to bypass antivirus and EDR detection. Exploits inconsistencies in how security tools parse ZIP archives.

Evasion Novel Technique
Picus Security · Red Report 2026

Geometry-Based Sandbox Evasion — "The New Turing Test"

The Picus Red Report 2026 reveals 80% of top attacker techniques now focus on evasion and persistence. Malware increasingly uses geometry-based cursor movement tests and CPU timing checks to detect sandbox environments and prove "humanness" before executing payloads.

Research Sandbox Evasion
The Hacker News · JFrog

Malicious npm Package "GhostClaw" Targets macOS Developers

A malicious npm package (@openclaw-ai/openclawai) deploying a RAT that steals credentials, browser data, crypto wallets, SSH keys, Apple Keychain, and iMessage history. Includes persistent C2, SOCKS5 proxy, and live browser session cloning. 178 downloads since March 3.

High Supply Chain npm macOS

🔵 Data Breaches

SecurityWeek

Ericsson Data Breach — Thousands Affected

Telecommunications giant Ericsson confirmed a data breach affecting thousands of individuals. The company blamed the incident on a third-party vendor compromise. Scope of exposed data not yet fully disclosed.

Telecom Third-Party Risk

🟢 Security Tool Releases & Industry Funding

SecurityWeek

Kevin Mandia's Armadin Launches with $190M Funding

Former Mandiant CEO Kevin Mandia launches Armadin, an AI-powered red teaming platform that autonomously finds and exploits weaknesses. Backed by $190M in funding. Major new competitor in automated offensive security.

Startup $190M Red Teaming
SecurityWeek

Kai — $125M for AI Platform Bridging IT & OT Security

Founded by a Claroty co-founder, Kai emerges from stealth with $125M in funding from Evolution Equity Partners and N47. Focus: AI-powered convergence of IT and OT (operational technology) security.

Startup $125M IT/OT
SecurityWeek

Jazz — $61M for AI-Powered Data Loss Prevention

Jazz emerges from stealth with $61M in funding for AI-powered DLP (Data Loss Prevention). Claims to provide visibility into intent, context, and risk beyond traditional DLP tools.

Startup $61M DLP
SecurityWeek

Escape Raises $18M to Automate Pentesting

Escape secures $18M to deepen AI agent capabilities for automated penetration testing and scale engineering and go-to-market teams.

Startup $18M Pentesting
SecurityWeek · OpenAI

OpenAI Rolls Out Codex Security Vulnerability Scanner

OpenAI launches Codex Security (formerly Aardvark), an AI-powered vulnerability scanner that has found hundreds of critical vulnerabilities in tested software in the past month.

AI Security Vuln Scanner
Microsoft

Microsoft Entra Passkeys — Phishing-Resistant Windows Sign-In

Microsoft rolling out passkey support for Entra on Windows, enabling phishing-resistant passwordless authentication via Windows Hello. Major step toward eliminating password-based attacks.

Identity Passkeys Phishing Defense

📊 Emerging Threat Patterns

Key Trends Observed This Cycle

Analysis of the past 24 hours reveals several converging patterns:

1. Edge Device Exploitation at Scale — KadNap (14K routers), FortiGate campaign, and Ivanti EPM exploitation all target network edge infrastructure. Attackers increasingly prefer compromising the devices meant to protect networks.

2. EDR/Sandbox Evasion Arms Race — BlackSanta EDR killer, Zombie ZIP archive evasion, and geometry-based sandbox detection show attackers investing heavily in bypassing endpoint security.

3. Supply Chain Poisoning Continues — Malicious npm packages (GhostClaw), trojanized AirDrop files (UNC4899), and modified open-source tools (AuraInspector) demonstrate persistent supply chain attack vectors.

4. Massive Vendor Patch Cycle — Microsoft (79), Adobe (80), SAP (critical), HPE (critical) = 162+ vulnerabilities in a single day. Patch management remains the #1 operational burden for security teams.

5. AI Security Investment Surge — $376M in new funding across 4 startups (Armadin, Kai, Jazz, Escape) plus OpenAI entering vulnerability scanning. The AI security market is accelerating rapidly.