Briefs

A trojanized EmEditor installer was distributed through a trusted source, delivering an infostealer, highlighting how attackers exploit legitimate software distribution channels to bypass user trust and security controls.

Modification of the issuer URL of a federated identity credential in Entra ID can allow an attacker to authenticate as the application's service principal, granting persistent access to Azure resources by pointing to an attacker-controlled identity provider and bypassing normal authentication.

The DarkSword exploit kit targets iOS devices, leveraging unknown vulnerabilities to compromise devices.

A phishing technique, potentially still viable due to incomplete patching, allows attackers to obtain NetNTLM hashes from archive extraction on Windows systems (CVE-2025-59284).

A free, offline SOC toolkit aimed at Tier 1 analysts includes IR checklists, triage playbooks, and threat hunting guides mapped to MITRE ATT&CK, with Splunk and Elastic queries for threats such as Kerberoasting, Pass-the-Hash, LOLBAS, scheduled task persistence, and C2 on non-standard ports.

This brief covers offensive techniques to bypass Credential Guard, a Windows security feature designed to protect credentials, and provides detection strategies for these bypass attempts.

A user created a self-hosted email threat detection tool, named VerdictMail, employing IMAP IDLE for real-time monitoring and multi-stage enrichment via SPF, DKIM, DMARC, DNSBL, WHOIS, URLhaus, and VirusTotal, coupled with an LLM for threat assessment.

A cross-site scripting (XSS) vulnerability exists in Angular versions prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20, allowing attackers to execute arbitrary code within the context of the vulnerable application, potentially leading to session hijacking, data exfiltration, and unauthorized actions.

An Iranian botnet operation utilizing a 15-node relay network and active C2 infrastructure was exposed through an open directory.

Detects a service principal authenticating to Microsoft Entra ID and then listing credentials for an Azure Arc-connected Kubernetes cluster within a short time window, indicating potential unauthorized access to Kubernetes clusters via stolen service principal secrets.

The GlassWorm threat involves DLL injection and Chrome hijacking via COM abuse, confirming a full supply chain loop, potentially leading to data theft and system compromise.

Qualys discovered critical vulnerabilities in AppArmor, enabling local privilege escalation to root on vulnerable Linux systems.

Persistnux is a bash-based tool designed to identify known Linux persistence mechanisms used by attackers to maintain access to compromised systems, generating detailed reports for DFIR analysis.

HushSpec is an open specification under development to standardize security policies at the action boundary of AI agents, focusing on actions such as file access, network egress, and shell execution, aiming to create a portable and engine-agnostic policy layer.

The StealthyWMIExec.py script facilitates lateral movement via WMI, potentially evading standard detection mechanisms by employing stealthy techniques.

The GlassWorm campaign has been observed deploying a Wave 3 Windows payload, indicating ongoing malicious activity targeting Windows systems.

JPCERT/CC published a study on the reverse engineering of binaries created with the Rust programming language, providing insights for malware analysis and detection engineering.

CVE-2024-45163 is a remote denial-of-service vulnerability affecting Mirai command and control (C2) infrastructure, potentially disrupting botnet operations and related malicious activities.

A research report auditing popular AI agent projects found that 93% rely on unscoped API keys as the only authentication mechanism, leading to potential credential exposure, privilege escalation, and lateral movement within multi-agent systems.

A new remote access trojan (RAT) named PylangGhost has been observed on the npm registry, posing a supply chain risk to developers and applications using affected packages.

This brief summarizes IOCs extracted from the Maltrail feed on March 15, 2026, covering domains and URLs associated with threats targeting macOS and Android platforms, including OSX_Atomic, FakeApp, Android_Joker, Lummack2, APT_Sidewinder, APT_Kimsuky, and Hak5Cloud_C2.

A fileless multi-stage Remcos RAT is delivered via phishing, achieving memory-resident execution, but specific technical details are not provided in this brief.

Malware is distributed via malicious advertisements on Google impersonating 'Claude Code', targeting both Windows and macOS operating systems with the goal of infecting users.

The Glassworm malware utilizes invisible unicode characters to infect over 150 GitHub repositories, posing a supply chain risk to developers and users.

Analysis of GlassWorm V2 reveals infrastructure rotation and GitHub injection techniques.

A phishing campaign leverages Google Cloud Storage as a redirect layer to serve victims scam pages related to surveys, giveaways, rewards, alerts, and job lures, primarily hosted on .autos domains.

Multiple network-based intrusion attempts were detected on 2026-03-14, targeting PHP information exposure, Fortigate VPN exploitation, sensitive file access, and credential exposure.

CISA added CVE-2026-3909, an out-of-bounds write vulnerability in Google Skia, and CVE-2026-3910, an unspecified vulnerability in Google Chromium V8 to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation, highlighting the need for timely remediation.

Multiple critical vulnerabilities in Veeam Backup & Replication, including CVE-2026-21666, CVE-2026-21668, CVE-2026-21669, CVE-2026-21670, CVE-2026-21671, CVE-2026-21672, and CVE-2026-21708, allow for remote code execution, privilege escalation, and arbitrary file manipulation by authenticated users, potentially leading to a complete compromise of the backup infrastructure.

Multiple IDS alerts indicate potential network reconnaissance, vulnerability exploitation attempts targeting Fortigate VPN (CVE-2023-27997), and ColdFusion servers originating from various IP addresses on March 13, 2026.