• Explore
  • Blog
  • Podcast
  • Community
  • About
  • Services
  • Contact
Menu

Exploring Information Security

Securing the Future - A Journey into Cybersecurity Exploration
  • Explore
  • Blog
  • Podcast
  • Community
  • About
  • Services
  • Contact

March 2026 - ExploreSec Cybersecurity Threat Intelligence Newsletter

March 17, 2026

This is a newsletter I create and share with my internal security team. Feel free to grab and do the same.

DKIM Replay Attacks Abuse Trusted Email for Invoice and Support Scams 

Threat researchers are tracking a rise in DKIM replay attacks, where adversaries reuse legitimate, cryptographically signed emails from trusted services such as Apple and PayPal. Because these messages retain valid authentication, they can bypass email security controls and appear legitimate to recipients, even when used to deliver fraudulent invoices or support scams. 

Key Insights 

  • DKIM replay attacks involve capturing a genuine, signed email and redistributing it without breaking authentication checks. 

  • Since DKIM and DMARC validation still passes, many email defenses treat the replayed message as trusted. 

  • Attackers commonly abuse invoice or notification workflows that allow user-controlled fields to inject scam content. 

  • Messages often include urgent payment requests or fake support numbers designed to trigger rapid victim response. 

  • DKIM verifies message integrity but does not restrict message reuse, making replay a persistent risk. 

Further Reading: Kaseya 

 

 

CrashFix: New ClickFix Variant Deploys Python Remote Access Trojan 

Threat researchers have identified a new evolution of the ClickFix social engineering campaign known as CrashFix. This variant intentionally crashes a victim’s browser and presents a deceptive recovery prompt that convinces users to manually execute commands on their own systems. The interaction ultimately leads to the installation of a Python-based remote access trojan, giving attackers persistent access to compromised devices. 

Key Insights 

  • CrashFix commonly begins with users being prompted to install a malicious browser extension disguised as a legitimate utility, such as an ad blocker. 

  • The extension later forces the browser into a crash state, creating urgency and the illusion of a technical failure. 

  • Victims are shown fake troubleshooting instructions that direct them to run system commands, unknowingly initiating the infection chain. 

  • The attack leverages built-in Windows tools and scripting to deploy a Python-based remote access trojan that enables surveillance and long-term access. 

  • The campaign appears designed to prioritize enterprise environments, including systems connected to corporate domains. 

Further Reading: Microsoft Security Blog 

 

 

LTX Stealer: Node.js–Based Credential Theft Malware 

Researchers have analyzed LTX Stealer, a credential-stealing malware built on a Node.js architecture that abuses legitimate installer frameworks to mask malicious activity. The malware embeds its own runtime and uses obfuscation techniques to complicate analysis while quietly collecting sensitive data from infected systems. Stolen information is staged and exfiltrated using cloud-based infrastructure, helping the activity blend into normal network traffic. 

Key Insights 

  • LTX Stealer is delivered via deceptive installers that appear legitimate, allowing it to bypass basic security checks. 

  • The malware embeds a full Node.js runtime and compiles JavaScript logic into bytecode to hinder reverse engineering. 

  • It targets browser-stored credentials, cookies, session tokens, and cryptocurrency-related artifacts. 

  • Cloud services are used for command-and-control and data handling, increasing operational resilience. 

  • Indicators suggest the stealer is offered in a service-based model, lowering the barrier to entry for threat actors. 

Further Reading: CYFIRMA 

 

 

SaaS Abuse at Scale: Phone-Based Scam Campaign Leveraging Trusted Platforms 

Threat researchers have identified a large-scale scam campaign in which attackers abuse legitimate SaaS platform features to deliver phone-based fraud lures. Rather than relying on malicious links or spoofed domains, the campaign misuses native notification and messaging workflows from trusted services, causing emails to appear authentic and pass standard security checks. Victims are directed to call attacker-controlled phone numbers, shifting the final stage of the scam to voice-based social engineering. 

Key Insights 

  • Attackers exploit built-in notification systems within SaaS platforms to generate messages that inherit trust from legitimate services. 

  • The campaign operated at significant scale, impacting tens of thousands of organizations worldwide. 

  • Emails frequently avoid malicious links and instead instruct recipients to call fake support phone numbers. 

  • Multiple abuse techniques were observed, including misuse of general SaaS messaging and business invitation workflows. 

  • The activity reflects a broader shift toward abusing trusted platforms rather than deploying traditional phishing infrastructure. 

Further Reading: Check Point Research 

 

 

Public Sector AI Adoption Trends Highlight Growing Use and Security Gaps 

Recent analysis shows accelerating adoption of artificial intelligence across government, healthcare, and education organizations. While AI tools are increasingly used to improve efficiency and support operations, security controls and governance maturity vary widely across sectors. This uneven oversight increases the risk of sensitive data exposure as AI usage expands. 

Key Insights 

  • Healthcare organizations generate the highest volume of AI-related activity, reflecting broad experimentation and operational use. 

  • Education environments show rapid growth in AI adoption with comparatively limited blocking or oversight. 

  • Government agencies continue to expand AI use, but governance and control maturity differ significantly between organizations. 

  • AI tools are increasingly used for analytics, summarization, and workflow automation, increasing the amount of sensitive data processed. 

  • The same technologies driving productivity gains are also being leveraged by threat actors to streamline and scale malicious activity. 

Further Reading: Zscaler 

 

 

Marco Stealer: Node.js–Based Information Stealer Targeting Browsers and Wallets 

Researchers have analyzed Marco Stealer, an information-stealing malware built on a Node.js framework and designed to quietly harvest sensitive data from compromised Windows systems. The malware uses layered obfuscation and anti-analysis techniques to evade detection while collecting credentials, cryptocurrency assets, and system metadata before exfiltrating the data to attacker-controlled infrastructure. 

Key Insights 

  • Marco Stealer targets browser-stored credentials, cookies, session tokens, and cryptocurrency wallet data. 

  • The malware embeds its own runtime and employs obfuscation and process-disruption techniques to evade security tools. 

  • Stolen data is encrypted prior to exfiltration, helping the activity blend into normal network traffic. 

  • Additional components are dropped to extract browser encryption keys and access local data stores. 

  • System profiling is used to collect host details such as hardware identifiers, security software, and environment metadata. 

Further Reading: Zscaler 

 

 

Guloader Obfuscation Techniques: How Malware Hides and Runs 

Security researchers have published a detailed technical breakdown of Guloader, a widely abused malware loader used to deliver a variety of follow-on threats. Rather than being a single piece of malware, Guloader is a framework that implements multiple evasion and obfuscation methods to hide its payloads and complicate analysis. The techniques include heavy use of encrypted blobs, staged downloads, and custom packing schemes that make it difficult for defenders to detect or reverse engineer the underlying malicious code. This analysis highlights how modern loaders blend encryption and dynamic execution to stay ahead of static detection tools. 

Key Insights 

  • Guloader uses layered encryption and packing to hide its true intent at each stage of execution. 

  • The loader often employs staged retrieval of payloads to avoid including malicious code directly in its initial files. 

  • Encrypted components are decrypted only at runtime, limiting the value of static signature checks. 

  • Custom obfuscation schemes, including junk data and randomized structures, make automated analysis harder. 

  • The framework’s modular nature allows it to deliver various malware families under the same loader infrastructure. 

Further Reading: Zscaler on Guloader Obfuscation 

 

 

ShinyHunters Target SSO and MFA With Hybrid Vishing and Phishing 

Researchers have outlined how threat actors linked to the ShinyHunters ecosystem are combining voice-based social engineering with real-time credential harvesting to compromise single sign-on (SSO) accounts and bypass multi-factor authentication (MFA). Rather than exploiting technical flaws, the attackers manipulate users directly — convincing them over the phone to log into convincing fake portals that capture credentials and authentication codes as they are entered. 

Key Insights 

  • Attackers impersonate internal IT or security teams during phone calls to build credibility and urgency. 

  • Victims are guided to realistic SSO login pages designed to harvest usernames, passwords, and MFA codes in real time. 

  • Threat actors can leverage captured authentication data to enroll their own MFA devices or complete push/SMS challenges during the live interaction. 

  • Once SSO access is obtained, attackers pivot across connected SaaS applications using federated identity trust relationships. 

  • Because the activity relies on legitimate authentication flows and human manipulation, detection often occurs only after account compromise. 

Further Reading: Abnormal AI 

 

 

Scattered Lapsus/ShinyHunters Actors Targeting Credentials and MFA 

Threat researchers examined ongoing activity by groups associated with the Scattered Lapsus and ShinyHunters ecosystem, noting a continued focus on credential theft, multi-factor authentication bypass, and social engineering. These actors are adapting their methods — often mixing phishing and voice-based tactics — to capture login information and session tokens from users, particularly where traditional defenses rely more on end-user interaction than resistant authentication controls. Their operations underscore how human-centric attack paths remain productive for obtaining initial access and driving follow-on compromise. 

Key Insights 

  • Scattered Lapsus/ShinyHunters–linked actors continue to prioritize credential harvesting and MFA capture instead of exploiting software vulnerabilities. 

  • Hybrid tactics, including email phishing combined with voice-based engagement, increase likelihood of success by manipulating victims in real time. 

  • Obtained login details and session authentication can be used to bypass standard protections and access a wide range of cloud and enterprise services. 

  • Attackers adapt quickly to defensive changes, often modifying phishing content and delivery techniques to avoid static detections. 

  • The activity reflects a broader trend of focusing on identity and access abuse as a reliable initial access vector. 

Further Reading: KrebsOnSecurity 

 

 

QR Codes Used as an Attack Vector in Phishing and Malware Campaigns 

Threat researchers have documented an increase in malicious use of QR codes by attackers. QR codes — once primarily a convenience tool for quickly linking users to URLs — are now being embedded in phishing campaigns, physical media, and social engineering lures. Because many people instinctively trust QR codes and may not check the underlying link before scanning, attackers can use them to direct victims to sites hosting credential-harvesting pages, malware downloads, or other harmful content. This trend shows how even familiar convenience features can be abused when users aren’t aware of the risks. 

Key Insights 

  • QR codes are being inserted into phishing emails, SMS messages, posters, and social media posts to silently redirect users to malicious destinations. 

  • Scanning a QR code can open links that lead to credential-harvesting pages that mimic legitimate services, increasing the chance of compromise. 

  • QR codes can also deliver links to files or installers, which victims may download unknowingly. 

  • Because QR codes obscure the actual URL, they make it harder for users to assess safety before interacting. 

  • Awareness of this technique is critical, as attackers blend convenience with malicious intent in everyday workflows. 

Further Reading: Unit 42 

 

 

Global Cyber Attacks Up Sharply in January 2026 as Ransomware and AI-Related Risks Grow 

New threat intelligence from Check Point Research shows that cyber attack volumes continued climbing in January 2026, with organizations worldwide experiencing more attacks per week than in the previous month and compared to the same time last year. The rise is linked largely to expanding ransomware activity and growing exposure risks tied to the widespread adoption of generative AI technologies. 

Key Insights 

  • The average number of weekly cyber attacks per organization increased compared with both December 2025 and January 2025, continuing an upward trend. 

  • Ransomware operations remain a dominant force, driving a significant portion of the overall increase in malicious traffic and compromise attempts. 

  • Data-exposure risks linked to AI usage are growing as more organizations integrate generative AI tools without fully mature security governance. 

  • The trend reflects broader shifts in attacker behavior, combining automated techniques with social engineering and hybrid attack chains. 

  • Continued escalation underscores that cyber threats are not just frequent but also more sophisticated and coordinated across vectors. 

Further Reading: Check Point Blog on Global Cyber Attacks in January 2026 

 

 

Muddled Libra Operations Playbook Reveals Blended Trickery for Access and Persistence 

Threat researchers analyzed a campaign tracked as Muddled Libra, finding that this group blends multiple attack techniques — including social engineering, exploitation of trusted communication channels, and identity abuse — to gain initial access and maintain footholds in victim networks. The operations playbook shows how attackers coordinate deceptive lures and follow-on activity to evade simple detection and pivot across connected systems once access is established. 

Key Insights 

  • Muddled Libra uses layered social engineering and phishing lures to entice victims into compromising actions. 

  • Attack activity often leverages legitimate systems and workflows, making malicious intent harder to spot with basic defenses. 

  • Once initial access is achieved, the group applies techniques to persist and escalate access within compromised environments. 

  • Identity abuse and session manipulation are central to the group’s ability to move laterally and access multiple services. 

  • The blended nature of the playbook underscores the importance of detection methods that correlate behavior across email, identity, and endpoint telemetry. 

Further Reading: Unit 42 – Muddled Libra Operations 

 

 

DNS-Based ClickFix Variant Uses nslookup to Stage Malware 

Microsoft has disclosed details of a new variation of the ClickFix social engineering tactic that leverages the Windows nslookup command to fetch and execute malware. In this attack, victims are tricked into running a specially crafted DNS lookup via the Run dialog, which retrieves the next-stage payload from a threat actor-controlled DNS server. This DNS-based staging channel helps the malicious activity blend into normal network traffic and evade many traditional security controls. 

Key Insights 

  • The attack begins with social engineering that convinces users to execute a command using the Windows nslookup utility. 

  • Instead of downloading malware directly from a web server, the DNS response is used to stage and deliver the next payload. 

  • Using DNS as a signaling and staging channel makes the malware delivery harder to detect by tools focused on web traffic patterns. 

  • The second-stage payload typically includes an archive containing scripts that perform reconnaissance and drop a remote access trojan. 

  • Persistence mechanisms are used so that the malicious payload runs on system startup after compromise. 

Further Reading: The Hacker News 

 

 

Notepad Infrastructure Compromise Shows How Legitimate Tools Are Repurposed for Escalation 

Threat researchers have detailed an infrastructure compromise in which attackers leveraged legitimate system tools and applications — including Notepad — within a broader malicious campaign. Instead of using custom malware exclusively, the adversary incorporated common utilities to execute scripted actions, deploy payloads, and maintain persistence, making their activity harder to distinguish from normal operational behavior. This technique demonstrates how even benign tools can be abused in post-compromise stages to evade detection and blend in with legitimate system use. 

Key Insights 

  • The compromise involved repurposing trusted applications to execute malicious scripts and support lateral movement within the network. 

  • By using built-in tools rather than obvious malware binaries, the attackers reduced the likelihood of triggering traditional defenses. 

  • Scripted use of common utilities enabled the deployment of additional payloads without reliance on standalone executables. 

  • This pattern of abuse helps the adversary remain under the radar by mimicking legitimate administrative activity. 

  • The incident underscores the importance of focusing on behavior and context, not just file signatures, when detecting threats. 

Further Reading: Unit 42 Notepad Infrastructure Compromise 

 

 

Chrome Zero-Day Exploit Patched After In-The-Wild Abuse (CVE-2026-2441) 

Google has released an urgent security update for its Chrome browser to address a high-severity zero-day vulnerability that was actively exploited in the wild. The flaw, tracked as CVE-2026-2441, is a use-after-free memory issue in Chrome’s CSS handling. A specially crafted webpage could trigger the vulnerability, potentially allowing remote code execution within the browser’s sandbox. The issue was reported by a security researcher and patched quickly due to confirmed exploitation activity. 

Key Insights 

  • CVE-2026-2441 is a use-after-free vulnerability affecting Chrome’s CSS engine. 

  • Exploitation can be triggered simply by visiting a malicious website. 

  • Successful attacks may allow arbitrary code execution within the browser sandbox. 

  • Emergency updates were released for Windows, macOS, and Linux platforms. 

  • Technical details are being limited until widespread patch adoption reduces the risk of further abuse. 

Further Reading: The Register 

 

 

Huntress Report Reveals How Organized Cybercrime Operates at Scale 

A new 2026 Cyber Threat Report from Huntress lays out how modern cybercriminals have evolved into highly efficient, profit-driven operators — running campaigns that resemble legitimate businesses rather than isolated hacker hits. The analysis draws on telemetry from millions of endpoints and identities and highlights how organized cybercrime groups are abusing trusted tools, stolen credentials, and scaled workflows to compromise people and organizations worldwide. 

Key Takeaways 

  • Legitimate tools are being weaponized — Remote monitoring and management (RMM) systems are now a top choice for attackers to deploy malware, steal credentials, and execute commands without using traditional hacking tools. 

  • User deception fuels malware delivery — Techniques like ClickFix social engineering accounted for more than half of observed malware loader activity by tricking people into installing threats as part of routine actions. 

  • Ransomware groups follow streamlined playbooks — Major ransomware operators are focusing on stealth and data theft, increasing time-to-ransom and making detection harder. 

  • Criminal ecosystems are thriving — Stolen credentials are being sold cheaply on underground markets, making initial access easier and boosting identity-based attacks. 

  • Mailbox manipulation and OAuth abuse lead to BEC — These identity threats are establishing footholds that set the stage for high-impact business email compromise schemes. 

Further Reading: Huntress 2026 Cyber Threat Report 

 

 

Starkiller Phishing Kit: Using Adversary-in-the-Middle (AiTM) to Bypass MFA 

Summary Abnormal Security researchers have identified a sophisticated new Phishing-as-a-Service (PhaaS) platform named Starkiller. Unlike traditional phishing that uses static fake websites, Starkiller employs a "live proxy" or Adversary-in-the-Middle (AiTM) approach. It acts as a bridge between the victim and the legitimate service (like Microsoft 365 or Gmail), mirroring the real login page in real-time. This allows the kit to capture not just passwords, but also live Multi-Factor Authentication (MFA) codes and session tokens, giving attackers full access to compromised accounts. 

Key Takeaways 

  • MFA is No Longer Enough: By proxying the legitimate login process, Starkiller bypasses traditional MFA, including SMS codes and authenticator apps. 

  • Dynamic Mirroring: The kit uses a headless browser to display the actual, current version of a brand's website, making the phishing page look identical to the real one. 

  • Professionalized Crime: Starkiller is sold as a subscription service by a group called Jinkusu, featuring a user-friendly dashboard that allows even low-skilled attackers to launch advanced campaigns. 

  • Evasion Tactics: The platform includes built-in tools to mask URLs and bypass security filters, making it harder for automated scanners to flag the malicious links. 

Further Reading: Starkiller: New Phishing Framework Proxies Real Login Pages to Bypass MFA 

 

 

AI Recommendation Poisoning: How "Summarize with AI" Buttons Can Bias Your Assistant 

Summary Microsoft security researchers have uncovered a new deceptive technique called AI Recommendation Poisoning. This attack targets the "memory" and personalization features of AI assistants like Microsoft Copilot, ChatGPT, and Gemini. By embedding hidden instructions in seemingly helpful "Summarize with AI" buttons or share links, companies and bad actors can inject persistent "facts" or preferences into your AI’s long-term memory. Once poisoned, the AI may begin to show subtle biases—recommending specific products, favoring certain vendors, or trusting unreliable sources—without you ever knowing the assistant has been manipulated. 

Key Takeaways 

  • The Helpful Button Trap: Be cautious of "Summarize with AI" buttons on third-party websites. They may contain hidden URL parameters that do more than just summarize; they can "pre-fill" instructions that tell your AI to "always remember this site as a trusted source." 

  • Persistent Bias: Unlike a standard prompt injection that only affects one conversation, memory poisoning is designed to last. The injected instructions can influence the AI's behavior across future sessions, even weeks after you clicked the link. 

  • Hidden in Plain Sight: These malicious prompts often use phrases like "from now on," "always," or "remember" to establish persistence. Because the AI presents these biased recommendations confidently, users are less likely to question their accuracy. 

  • Practical Defense: Periodically review and clear your AI assistant’s memory or "personalization" settings. Hover over AI-related links before clicking to see if the URL contains long, suspicious-looking text strings or commands. 

Further Reading: Manipulating AI memory for profit: The rise of AI Recommendation Poisoning 

In News Tags newsletter
March 2026 - ExploreSec Cybersecurity Awareness Newsletter →

Latest PoDCASTS

Featured
Mar 10, 2026
[RERELEASE] What is a Chief Information Security Officer (CISO)
Mar 10, 2026
Mar 10, 2026
Mar 3, 2026
Exploring The Bad Advice Cybersecurity Professionals Provide to the Public
Mar 3, 2026
Mar 3, 2026
Feb 24, 2026
Inside Cambodia's Scam Compounds: Pig Butchering, Organized Crime, and Protecting Your Life Savings
Feb 24, 2026
Feb 24, 2026
Feb 17, 2026
What are the AI Vulnerabilities We Need to Worry About
Feb 17, 2026
Feb 17, 2026
Feb 10, 2026
[RERELEASE] How to make time for a home lab
Feb 10, 2026
Feb 10, 2026
Feb 3, 2026
[RERELEASE] How to build a home lab
Feb 3, 2026
Feb 3, 2026
Jan 27, 2026
How to Build an AI Governance Program with Walter Haydock
Jan 27, 2026
Jan 27, 2026
Jan 20, 2026
Exploring Cribl: Sifting Gold from Data Noise for Cost and Security
Jan 20, 2026
Jan 20, 2026
Jan 13, 2026
What is BSides ICS?
Jan 13, 2026
Jan 13, 2026
Jan 6, 2026
Cybersecurity Career Panel: Transitioning from Technical to Leadership
Jan 6, 2026
Jan 6, 2026

Powered by Squarespace