🛡️ KENSAI Security Intelligence
Critical Vulnerabilities & Zero-Days
Google Patches Two Actively Exploited Chrome Zero-Days
Google released emergency updates to fix two high-severity Chrome zero-days being exploited in the wild. CVE-2026-3909 is an out-of-bounds write in the Skia graphics library that can lead to code execution. CVE-2026-3910 is an inappropriate implementation in the V8 JavaScript engine. Patches are available in Chrome 146.0.7680.75 (Windows/Linux) and 146.0.7680.76 (macOS). These are the 2nd and 3rd Chrome zero-days patched in 2026.
Microsoft Patch Tuesday: 77 Vulnerabilities Including SQL Server Privilege Escalation
Microsoft's March 2026 Patch Tuesday addresses 77 vulnerabilities. Notable: CVE-2026-21262 allows an authorized attacker to escalate to sysadmin privileges on SQL Server 2016+ over a network (CVSS 8.8). No zero-days this month, but two bugs were publicly disclosed prior to the patch.
Apple Patches Coruna Exploits in Legacy iOS Versions
Apple has released iOS/iPadOS 16.7.15 and 15.8.7 to patch vulnerabilities known as "Coruna exploits." SecurityWeek reports a US defense contractor is behind the exploit chain. Users on older devices should update immediately.
WordPress Plugin Flaw Exposes 200,000+ Sites to SQL Injection
A vulnerability in the Ally WordPress plugin allows attackers to inject SQL queries and extract sensitive database information. Over 200,000 websites are affected. Site admins should update or remove the plugin immediately.
N8n Workflow Automation Flaw Exploited in the Wild
A vulnerability in the popular n8n workflow automation platform is being actively exploited. Details are limited, but organizations running n8n should audit their deployments and apply patches.
Data Breaches
Iran-Backed Handala Group Claims Massive Wiper Attack on Stryker
Iran-linked hacktivist group Handala claims to have wiped data from 200,000+ systems at medical technology giant Stryker (NYSE: SYK, $25B annual revenue). Over 5,000 workers in Ireland were sent home. Offices across 79 countries reportedly shut down. Devices were wiped, login pages defaced with Handala's logo, and staff resorted to WhatsApp communication. The group is linked to Iran's MOIS through the Void Manticore threat actor. The attack was claimed as retaliation for a February missile strike.
Starbucks Data Breach Affects Hundreds of Employees
Starbucks disclosed a data breach after threat actors gained access to Starbucks Partner Central employee accounts via phishing attacks. Hundreds of employees were impacted. The company is investigating the scope of exposed data.
Canadian Retail Giant Loblaw Notifies Customers of Data Breach
Loblaw, Canada's largest retailer, has auto-logged out all customers and forced password resets after discovering a breach. The full scope of customer data compromised is still under investigation.
Telus Digital Data Breach Reported
Canadian tech company Telus Digital has suffered a data breach. Details remain limited as the investigation continues.
Ransomware
England Hockey Hit by AiLock Ransomware — 129GB Stolen
The AiLock ransomware gang claims to have stolen 129GB of data from England Hockey, which governs field hockey across 800+ clubs and 150,000 registered players. AiLock is a relatively new group that uses privacy law violations as leverage in negotiations. The organization is working with law enforcement and external specialists.
Active Threat Campaigns
Chinese APT Targets SE Asian Militaries with Custom Malware
Palo Alto Unit 42 uncovered a China-linked espionage campaign (CL-STA-1087) targeting Southeast Asian military organizations since 2020. Attackers used custom malware families AppleChris and MemFun to collect military capability documents, organizational structures, and intelligence about Western military collaborations. The campaign shows "strategic operational patience" and highly targeted collection.
Storm-2561: Fake Enterprise VPN Sites Stealing Corporate Credentials
Microsoft tracks threat actor Storm-2561 distributing fake VPN clients impersonating Ivanti, Cisco, Fortinet, Sophos, SonicWall, Check Point, and WatchGuard. Uses SEO poisoning to rank fake download sites, installs the Hyrax infostealer alongside a convincing fake VPN login screen. After stealing credentials, redirects victims to the real vendor site — making compromise nearly invisible. Signed with a revoked legitimate certificate.
Rust-Based VENON Banking Malware Targets 33 Brazilian Banks
A new Rust-based banking trojan called VENON targets Brazilian users with credential-stealing overlays for 33 banks. It represents a shift from traditional Delphi-based Latin American banking malware. Uses LNK hijacking, active window monitoring, and banking overlay logic similar to Grandoreiro and Mekotio families.
FBI Investigates Malware Distributed via Steam Games
The FBI is seeking victims of eight malicious Steam games that were used to spread malware. The agency is collecting information as part of an ongoing investigation. Gamers who installed the affected titles should scan their systems.
Iran-Linked Hackers Expanding Targets to US Infrastructure
Pro-Iranian hacker groups are targeting sites in the Middle East and beginning to probe US targets including defense contractors, power stations, and water plants. The escalation tracks with ongoing geopolitical tensions and raises the risk of attacks on critical infrastructure.
Poland's National Centre for Nuclear Research Targeted
Poland's NCBJ (National Centre for Nuclear Research) detected and blocked a cyberattack against its IT infrastructure before any impact. The attack underlines continued targeting of nuclear and energy sector organizations in Europe.
Law Enforcement Actions
Operation Synergia III: INTERPOL Sinkholes 45,000 IPs, Arrests 94
INTERPOL's "Operation Synergia III" — spanning 72 countries from July 2025 to January 2026 — sinkholed 45,000 malicious IPs, seized 212 devices/servers, arrested 94 suspects, with 110 more under investigation. In Macau, investigators identified 33,000+ phishing sites impersonating banks and casinos. Major arrests in Bangladesh (40) and Togo (10).
SocksEscort Proxy Botnet Dismantled — 369,000 IPs Across 163 Countries
US and European law enforcement dismantled SocksEscort, a criminal proxy service that enslaved residential routers into a botnet since 2020. The service offered access to ~369,000 IP addresses in 163 countries, with nearly 8,000 infected routers active as of February 2026. The service advertised "static residential IPs with unlimited bandwidth" for bypassing spam blocklists.
Meta Disables 150,000+ Accounts Powering Asian Scam Centers
Meta has launched new protection tools and disabled more than 150,000 accounts that were powering scam centers across Asia. The effort aims to disrupt organized fraud operations at scale.
Industry & Tools
Bold Security and Onyx Security Each Emerge With $40M Funding
Bold Security uses AI to turn devices into active protection agents that understand user actions in real time. Onyx Security is building a control pane to help organizations oversee autonomous AI agents and rapidly adopt them. Both emerged from stealth with $40M each — signaling strong investor appetite for AI-native security platforms.
Google Paid $17M in Bug Bounties in 2025
Google's Vulnerability Reward Program paid out $17 million to 747 security researchers in 2025. Chrome vulnerabilities earned researchers $3.7M, while cloud security defects netted $3.5M.
🔮 KENSAI Analysis — What This Means For You
- Patch Chrome NOW: Two actively exploited zero-days (CVE-2026-3909, CVE-2026-3910) — update to 146.0.7680.75+ immediately across all endpoints.
- Iran threat escalation is real: The Stryker wiper attack (200K+ devices) is the largest Iran-linked destructive operation to date. Combined with probes against US infrastructure, organizations with geopolitical exposure need updated incident response plans.
- VPN credential theft via SEO poisoning: Storm-2561 is impersonating every major VPN vendor. Enforce MFA on all VPN access and educate employees to only download clients from verified internal sources — never from search results.
- WordPress admins: The Ally plugin SQLi flaw affects 200K+ sites. Audit your WordPress plugins and patch or remove Ally immediately.
- NIS2 relevance: The targeting of Poland's nuclear center and Iranian attacks on critical infrastructure reinforce NIS2's mandate for incident reporting and supply chain security across EU essential services.
- AI-native security funding wave: $80M across two stealth launches signals the market is shifting toward AI agent oversight — directly relevant to KENSAI's positioning in autonomous security assessment.