🛡️ Daily Security Intelligence Brief
⚡ TL;DR — What Matters Today
- Microsoft Patch Tuesday: 79–83 vulns patched including 2 zero-days — patch immediately
- FortiGate campaign: Threat actors exploiting FortiGate NGFWs to steal AD/LDAP credentials from healthcare & gov
- KadNap botnet: 14,000+ ASUS routers compromised into stealth proxy network using custom Kademlia DHT
- APT28 (Fancy Bear): New BEARDSHELL + COVENANT implants for long-term Ukrainian military surveillance
- Ivanti EPM actively exploited: CISA adds to KEV alongside SolarWinds & Workspace One flaws
- Salesforce Experience Cloud: Mass-scanning campaign targeting misconfigured guest user permissions
- Ericsson data breach: Thousands affected via third-party vendor compromise
🔴 Critical Vulnerabilities & Patch Tuesday
Microsoft March 2026 Patch Tuesday — 2 Zero-Days, 79 Flaws
Microsoft released fixes for 79 vulnerabilities including 2 publicly disclosed zero-day vulnerabilities. The update also addresses an issue preventing some devices from shutting down. Windows 10 extended security update KB5078885 and Windows 11 KB5079473/KB5078883 cumulative updates are available now.
Zero-Day Patch Now Windows 10/11Adobe Patches 80 Vulnerabilities Across 8 Products
Adobe rolled out patches for 80 vulnerabilities across Commerce, Illustrator, Acrobat Reader, Premiere Pro, and 4 other products. Multiple critical-severity code execution flaws included.
High Acrobat CommerceSAP Patches Critical FS-QUO and NetWeaver Vulnerabilities
A code injection bug in FS-QUO and an insecure deserialization flaw in NetWeaver could enable arbitrary code execution on enterprise SAP systems. Patch priority: critical.
Critical RCE EnterpriseHPE Critical AOS-CX Flaw — Admin Password Reset
Hewlett Packard Enterprise patched multiple vulnerabilities in the Aruba Networking AOS-CX operating system, including authentication bypass flaws allowing admin password resets and code execution issues.
Critical Auth Bypass Network InfrastructureCISA Flags Ivanti EPM, SolarWinds & Workspace One as Actively Exploited
Three vulnerabilities added to CISA's Known Exploited Vulnerabilities catalog: Ivanti Endpoint Manager high-severity auth bypass, SolarWinds flaw, and CVE-2021-22054 (SSRF in VMware/Omnissa Workspace One UEM, CVSS 7.5). All confirmed exploited in the wild.
Actively Exploited KEV Ivanti"LeakyLooker" — 9 Cross-Tenant Flaws in Google Looker Studio
Tenable disclosed 9 cross-tenant vulnerabilities in Google Looker Studio that could have allowed attackers to run arbitrary SQL queries on victims' databases and exfiltrate sensitive data within Google Cloud environments. No evidence of exploitation in the wild.
High Cloud Cross-Tenant🟠 Active Threats & Campaigns
FortiGate NGFW Campaign — Credential Theft from Healthcare & Gov
Threat actors are exploiting FortiGate Next-Generation Firewalls as entry points to breach networks. The campaign extracts configuration files containing AD/LDAP service account credentials and network topology. Targets include healthcare, government, and managed service providers. Exploitation leverages recent vulns and weak credentials.
Critical Healthcare Government Credential TheftRussia's APT28 Deploys BEARDSHELL + COVENANT Against Ukraine Military
GRU-affiliated APT28 observed using new implants BEARDSHELL and COVENANT for long-term surveillance of Ukrainian military personnel since April 2024. Also deploying SLIMAGENT (keylogger, screenshot capture, clipboard theft). The campaign demonstrates continued escalation of Russian cyber-espionage operations.
Nation-State Espionage RussiaKadNap Botnet — 14,000+ ASUS Routers Compromised
New malware KadNap targets ASUS routers and edge devices, building a 14,000+ node botnet for proxying malicious traffic. Uses a custom Kademlia DHT protocol to conceal C2 infrastructure. 60%+ of victims are in the US, with global spread across Taiwan, Hong Kong, UK, Australia, Brazil, France, Italy, and Spain. Active since August 2025.
High Botnet IoT 14K DevicesSalesforce Experience Cloud Mass-Scanning Campaign
Threat actors mass-scanning Salesforce Experience Cloud sites using a modified AuraInspector tool. Exploiting overly permissive guest user configurations to access sensitive data. Hundreds of customers reportedly targeted.
High SaaS MisconfigurationNorth Korean Actors Breach Crypto Firm via Trojanized AirDrop File
UNC4899 (Jade Sleet / TraderTraitor) compromised a cryptocurrency organization via social engineering + trojanized AirDrop file transfer. Pivoted to cloud using living-off-the-cloud (LOTC) techniques, abusing DevOps workflows to harvest credentials, break out of containers, and tamper with Cloud SQL databases for crypto theft.
APT Crypto Supply Chain🟡 New Malware & Evasion Techniques
"BlackSanta" EDR Killer Targeting HR Departments
A Russian-speaking threat actor has been targeting HR departments for over a year with malware delivering BlackSanta, a new EDR (Endpoint Detection & Response) killer. The campaign uses social engineering tailored to HR workflows.
High EDR Bypass HR Targeting"BeatBanker" Android Malware Poses as Starlink App
New Android malware BeatBanker disguises itself as a Starlink app on fake Google Play Store websites. Capable of full device hijacking once installed.
Medium Android Banking Trojan"Zombie ZIP" — New Technique Evades Security Scanners
A new evasion technique dubbed "Zombie ZIP" conceals malicious payloads in specially crafted compressed files designed to bypass antivirus and EDR detection. Exploits inconsistencies in how security tools parse ZIP archives.
Evasion Novel TechniqueGeometry-Based Sandbox Evasion — "The New Turing Test"
The Picus Red Report 2026 reveals 80% of top attacker techniques now focus on evasion and persistence. Malware increasingly uses geometry-based cursor movement tests and CPU timing checks to detect sandbox environments and prove "humanness" before executing payloads.
Research Sandbox EvasionMalicious npm Package "GhostClaw" Targets macOS Developers
A malicious npm package (@openclaw-ai/openclawai) deploying a RAT that steals credentials, browser data, crypto wallets, SSH keys, Apple Keychain, and iMessage history. Includes persistent C2, SOCKS5 proxy, and live browser session cloning. 178 downloads since March 3.
🔵 Data Breaches
Ericsson Data Breach — Thousands Affected
Telecommunications giant Ericsson confirmed a data breach affecting thousands of individuals. The company blamed the incident on a third-party vendor compromise. Scope of exposed data not yet fully disclosed.
Telecom Third-Party Risk🟢 Security Tool Releases & Industry Funding
Kevin Mandia's Armadin Launches with $190M Funding
Former Mandiant CEO Kevin Mandia launches Armadin, an AI-powered red teaming platform that autonomously finds and exploits weaknesses. Backed by $190M in funding. Major new competitor in automated offensive security.
Startup $190M Red TeamingKai — $125M for AI Platform Bridging IT & OT Security
Founded by a Claroty co-founder, Kai emerges from stealth with $125M in funding from Evolution Equity Partners and N47. Focus: AI-powered convergence of IT and OT (operational technology) security.
Startup $125M IT/OTJazz — $61M for AI-Powered Data Loss Prevention
Jazz emerges from stealth with $61M in funding for AI-powered DLP (Data Loss Prevention). Claims to provide visibility into intent, context, and risk beyond traditional DLP tools.
Startup $61M DLPEscape Raises $18M to Automate Pentesting
Escape secures $18M to deepen AI agent capabilities for automated penetration testing and scale engineering and go-to-market teams.
Startup $18M PentestingOpenAI Rolls Out Codex Security Vulnerability Scanner
OpenAI launches Codex Security (formerly Aardvark), an AI-powered vulnerability scanner that has found hundreds of critical vulnerabilities in tested software in the past month.
AI Security Vuln ScannerMicrosoft Entra Passkeys — Phishing-Resistant Windows Sign-In
Microsoft rolling out passkey support for Entra on Windows, enabling phishing-resistant passwordless authentication via Windows Hello. Major step toward eliminating password-based attacks.
Identity Passkeys Phishing Defense📊 Emerging Threat Patterns
Key Trends Observed This Cycle
Analysis of the past 24 hours reveals several converging patterns:
1. Edge Device Exploitation at Scale — KadNap (14K routers), FortiGate campaign, and Ivanti EPM exploitation all target network edge infrastructure. Attackers increasingly prefer compromising the devices meant to protect networks.
2. EDR/Sandbox Evasion Arms Race — BlackSanta EDR killer, Zombie ZIP archive evasion, and geometry-based sandbox detection show attackers investing heavily in bypassing endpoint security.
3. Supply Chain Poisoning Continues — Malicious npm packages (GhostClaw), trojanized AirDrop files (UNC4899), and modified open-source tools (AuraInspector) demonstrate persistent supply chain attack vectors.
4. Massive Vendor Patch Cycle — Microsoft (79), Adobe (80), SAP (critical), HPE (critical) = 162+ vulnerabilities in a single day. Patch management remains the #1 operational burden for security teams.
5. AI Security Investment Surge — $376M in new funding across 4 startups (Armadin, Kai, Jazz, Escape) plus OpenAI entering vulnerability scanning. The AI security market is accelerating rapidly.