Threat Feed

Vendor: Kaspersky (9 briefs)
medium advisory

Kaspersky Anti Targeted Attack Platform Multiple XSS Vulnerabilities

Multiple vulnerabilities have been discovered in Kaspersky Anti Targeted Attack Platform versions prior to 7.1.7 that allow remote cross-site scripting (XSS); they are tracked as CVE-2026-28348 and CVE-2026-28350.

Anti Targeted Attack Platform xss vulnerability web-application
medium advisory

Q1 2026 Mobile Threat Landscape: SparkCat and Triada Updates

In the Q1 2026 mobile threat landscape, overall attack volume decreased, driven by fewer adware and RiskTool detections, while the number of unique users targeted remained stable; new SparkCat variants appeared on app stores, and banking Trojan and Triada backdoor activity increased.

Google Play +2 mobile malware trojan cryptostealer sparkcat triada android ios
critical advisory

CVE-2025-68670: xrdp Pre-Authentication Remote Code Execution

A pre-authentication remote code execution vulnerability exists in xrdp versions prior to 0.10.5, triggered by a buffer overflow in the xrdp_wm_parse_domain_information function when parsing a specially crafted domain name, allowing attackers to overwrite the return address and execute arbitrary code.

Kaspersky USB Redirector +2 rce xrdp cve-2025-68670 remote-desktop linux
medium advisory

Potential Evasion via Windows Filtering Platform Blocking Security Software

Adversaries may add malicious Windows Filtering Platform (WFP) rules to prevent endpoint security solutions from sending telemetry data, impairing defenses. This rule detects that behavior by identifying multiple WFP block events whose process name is associated with endpoint security software.

Windows Filtering Platform +2 defense-evasion windows-filtering-platform endpoint-security
high threat

Firefox 0-day Drops OSX.Mokes.B Backdoor on macOS

A Firefox 0-day exploit was used to target Mac users, dropping a second backdoor identified as a new variant of the cross-platform Mokes malware (OSX.Mokes.B) with screen capture, audio capture, and document exfiltration capabilities.

exploited Firefox +2 malware backdoor osx.mokes macos
medium advisory

Kaspersky Anti-Virus Reverse Engineering for Document Detection

A blog post details the reverse engineering of the Kaspersky anti-virus engine on macOS to demonstrate the potential for crafting signatures capable of detecting and flagging classified documents, leveraging the product's scanning capabilities and dynamic signature updates, without implying any malicious activity by Kaspersky.

Kaspersky Internet Security anti-virus reverse-engineering signature-analysis macos
medium advisory

Detection of Custom Shim Database Installation for Persistence

Attackers abuse the Application Compatibility Shim functionality in Windows to establish persistence and achieve arbitrary code execution by installing malicious shim databases; this detection identifies such installations by monitoring registry changes.

Windows +7 persistence app-compat shim
medium advisory

Generic Ransomware Detection on macOS

This brief outlines a method for generically detecting ransomware on macOS by monitoring file I/O events and identifying the rapid creation of encrypted files by untrusted processes, as proposed by Objective-See.

Transmission +1 ransomware malware macos
high advisory

AppLocker Registry Modification to Deny Security Software Execution

Attackers can modify the Windows registry via AppLocker to block the execution of security software, potentially disabling defenses and allowing further malicious activities.

Splunk Enterprise +2 applocker defense-evasion registry-modification