PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits & 20 More Stories

Google has unveiled a 2029 timeline to secure the quantum era with post-quantum cryptography (PQC) migration, urging other engineering teams to follow suit. “This new timeline reflects migration needs for the PQC era in light of progress on quantum computing hardware development, quantum error correction, and quantum factoring resource estimates,” the tech giant said. “Quantum computers will pose a significant threat to current cryptographic standards, and specifically to encryption and digital signatures. The threat to encryption is relevant today with store-now-decrypt-later attacks, while digital signatures are a future threat that require the transition to PQC prior to a Cryptographically Relevant Quantum Computer (CRQC). That’s why we’ve adjusted our threat model to prioritize PQC migration for authentication services.” As part of the effort, the company said Android 17 is integrating PQC digital signature protection using the Module-Lattice-Based Digital Signature Algorithm (ML-DSA). This includes upgrading the Android Verified Boot (AVB) with support for ML-DSA to ensure that the software loaded during the boot sequence remains highly resistant to unauthorized tampering. The second PQC upgrade concerns the transition of Remote Attestation to a fully PQC-compliant architecture and updating Android Keystore to natively support ML-DSA.

GitHub said it’s introducing AI-powered security detections in GitHub Code Security to expand application security coverage across more languages and frameworks. “These detections complement CodeQL by surfacing potential vulnerabilities in areas that are difficult to support with traditional static analysis alone,” GitHub said. “This hybrid detection model helps surface vulnerabilities – and suggested fixes – directly to developers within the pull request workflow.” The Microsoft subsidiary said the move is designed to uncover security issues “in areas that are difficult to support with traditional static analysis alone.” The new hybrid model is expected to enter public preview in early Q2 2026.

The Russian threat actor known as Sandworm (aka APT-C-13) has been attributed with moderate confidence to an attack campaign that leverages pirated versions of legitimate software like Microsoft Office (“Microsoft.Office.2025×64.v2025.iso”) as lures to deliver different backdoors tracked as Tambur, Sumbur, Kalambur, and DemiMur to high-value targets. It’s assessed that these attacks use Telegram as a distribution vector, using social engineering tactics to target Ukrainian users seeking software cracks. Tambur is designed to spawn SSH reverse tunnels to issue malicious commands, while Kalambur revolves around intranet penetration, remote desktop (RDP) takeover, and persistent communication. Sumbur is a successor to Kalambur with improved obfuscation techniques. DemiMur is mainly used to tamper with the trust chain and evade detection. “Attackers use this module to force the import of a forged DemiMurCA.crt root certificate into the operating system’s trusted root certificate authority store,” the 360 Advanced Threat Research Institute said. “When subsequent scripts are executed, Windows automatically verifies the validity of the signature block and deems it ‘trusted.'”

A cryptocurrency scam called ShieldGuard claimed to be a blockchain project that presented itself as a security tool aimed at protecting crypto wallets from phishing and harmful smart contracts through a browser extension. Ironically, further analysis revealed that it was built to drain digital assets from wallets. The scam was advertised via a dedicated website (“shieldguards[.]net”), as well as an X account (@ShieldGuardsNet) and a Telegram channel (@ShieldsGuard). “The project was promoted using a multi-level marketing campaign in which users would be rewarded for early use of the extension (via a cryptocurrency ‘airdrop’) and for promoting the capability to other users,” Okta said. “ShieldGuard appears designed to harvest wallet addresses and other sensitive data for major cryptocurrency platforms including Binance, Coinbase, MetaMask, OpenSea, Phantom and Uniswap, as well as for users of Google services. The extension also extracts the full HTML of pages after a user signs into Binance, Coinbase, OpenSea or Uniswap via their browser.” The threat actor behind the activity is assessed to be Russian-speaking.

Sophos said it identified multiple detections on Android devices for malicious activity associated with the Keenadu backdoor. “Keenadu is a firmware infection embedded in the libandroid_runtime.so (shared object library) that injects itself into the Zygote process,” the company said. “As Zygote is the parent process for all Android apps, an attacker effectively gains total control over an infected device.” Keenadu acts as a downloader for second-stage malware, with the infected devices containing two system-level APK files: PriLauncher.apk and PriLauncher3QuickStep.apk. Over 500 unique compromised Android devices across nearly 50 models have been detected as of March 4, 2026. The devices are mostly low-cost models produced by Allview, BLU, Dcode, DOOGEE, Gigaset, Gionee, Lava, and Ulefone. The identified infections were spread globally, with devices located in 40 countries.

In early March, Europol and Microsoft announced the seizure of 330 active Tycoon2FA domains and legal action against multiple individuals linked to the PhaaS. According to CrowdStrike, the takedown effort left only a minor dent in Tycoon2FA’s operations, which are now back to pre-disruption levels. On March 4 and 5, following the law enforcement operation, Tycoon2FA activity volume dropped to roughly 25%, but returned to previous levels shortly after, with “daily levels of cloud compromise active remediations returning to early 2026 levels,” CrowdStrike said. “Additionally, Tycoon2FA’s TTPs have not changed following the takedown, indicating that the service’s operations may persist beyond this disruption.” These TTPs include phishing emails directing to malicious CAPTCHA pages, session cookie theft upon CAPTCHA validation, use of JavaScript payloads for email address extraction, credential proxying via malicious JavaScript files, and use of stolen credentials to access the victims’ cloud environments. Post-disruption campaigns have leveraged malicious URLs, URL shortener services, links to legitimate presentation software that include malicious redirects to Tycoon2FA infrastructure, and attacker-controlled infrastructure impersonating construction entities, and compromised SharePoint infrastructure from known contacts that retrieves XLSX and PDF files. The short-lived disruption is proof that without arrests or physical seizures, it’s easy for cybercriminals to recover and replace the impacted infrastructure.

Phishing campaigns are weaponizing fake meeting invites for various video conference applications, including Zoom, Microsoft Teams, and Google Meet, to distribute remote access tools. “The attackers trick corporate users to execute the payload by claiming a mandatory software update is required to join the video call, redirecting victims to typo-squatted domains, such as zoom-meet.us,” Netskope said. “The payload, disguised as a software update, is a digitally signed remote monitoring and management (RMM) tool such as Datto RMM, LogMeIn, or ScreenConnect. These tools enable attackers to remotely access victims’ machines and gain full administrative control over their endpoints, potentially leading to data theft or the deployment of more destructive malware.”

Attackers are using copyright-infringement notices in a fileless phishing campaign targeting healthcare and government organizations in Germany and Canada that delivers the PureLogs data-stealing malware. “The attack likely relies on phishing emails that lure victims into downloading a malicious executable tailored to the victim’s local language,” Trend Micro said. “Once executed, the malware deploys a multistage infection chain designed for evasion. Notably, it downloads an encrypted payload disguised as a PDF file, then retrieves the decryption password remotely from attacker-controlled infrastructure. The extracted payload launches a Python-based loader that decrypts and executes the final .NET PureLogs stealer malware in memory.” The Python dropper specifically leverages two .NET loaders to load the stealer malware, with one acting as a backup in case either of them is blocked or killed by an endpoint control. The routine also incorporates anti-virtual machine techniques to evade automated analysis environments, as well as employs in-memory execution to complicate detection efforts. “By disguising malicious executables as legal notices, using encrypted payloads masquerading as PDF files, remotely retrieving dynamic decryption keys, and leveraging a renamed WinRAR utility for extraction, the operators effectively minimize static indicators and hinder automated analysis,” the company added. “The Python-based loader and dual .NET loaders introduce redundancy and fileless execution pathways, ensuring that the final PureLog Stealer payload is launched reliably and without leaving artifacts on disk.”

The Larva-26002 threat actor continues to target improperly managed MS-SQL servers. “In January 2024, the Larva-26002 threat actor attacked MS-SQL servers to install the Trigona and Mimic ransomware,” AhnLab said. In the latest attacks, the threat actors exploited the Bulk Copy Program (BCP) utility of MS-SQL servers to stage the malware locally and deploy a scanner malware named ICE Cloud Client. Written in Go, it functions as both a scanner and a brute-force tool to break into susceptible MS-SQL servers. “The strings contained in the binary are written in Turkish, and the emoticons used suggest that the author utilized generative AI,” the company added.

New research has flagged a critical vulnerability in ClawHub, a skills marketplace for OpenClaw, that an attacker could exploit to position their skill as the #1 skill. The flaw stems from the fact that a download counter function named “increment(),” which is used to keep track of skill downloads, was exposed as a public mutation rather than an internal private function. Without authentication, rate limiting, or deduplication mechanisms in place, an attacker could continuously trigger the endpoint to artificially inflate the download metric for a given skill. “An attacker can call downloads:increment with a single curl request with any valid skill ID, bypassing every protection in the download flow and inflating any skill’s downloads counter without limit,” security researcher Noa Gazit said. By gaming the rankings, the threat actor could device an unsuspecting developer into installing malicious skills. The issue has since been mitigated by ClawHub following responsible disclosure by Silverfort on March 16, 2026.

Five newly discovered malicious npm packages have been found to typosquat a legitimate cryptocurrency library and exfiltrate private keys to a single hard-coded Telegram bot. All the packages, ethersproject-wallet, base-x-64, bs58-basic, raydium-bs58, and base_xd, were published under the account “galedonovan.” According to Socket, “each package hooks a function that developers routinely pass private keys through. When that function is called at runtime, the package silently sends the key to a Telegram bot before returning the expected result. The user’s code behaves normally, and there is no visible error or side effect.”

A Google Forms campaign is using business-related lures, such as job interviews, project briefs, and financial documents, to distribute malware, including the PureHVNC remote access trojan (RAT). “Instead of the usual phishing email or fake download page, attackers are using Google Forms to kick off the infection chain,” Malwarebytes said. “The attack typically begins when a victim downloads a business-themed ZIP file linked from a Google Form. Inside is a malicious file that sets off a multi-stage infection process, eventually installing malware on the system.” Another campaign has been observed using obfuscated Visual Basic Script (VBScript) files to deliver PhantomVAI Loader via PNG image files hosted on Internet Archive to ultimately install Remcos RAT and XWorm.

A sophisticated, multi-stage malware campaign directed at customer support staff working for Web3 companies is leveraging suspicious links sent via customer support chat to initiate an attack chain that delivers a malicious executable disguised as a photograph, which then retrieves a second-stage loader from an AWS S3 dead drop. This loader proceeds to retrieve an implant named Farfli (aka Gh0st RAT) that’s launched via DLL side-loading to establish persistent communication with threat actor-controlled infrastructure. The campaign has been attributed to APT-Q-27 (aka GoldenEyeDog), a financially motivated threat group suspected to be operating out of China since at least 2022. A similar campaign involving the distribution of sketchy links via Zendesk was documented by CyStack last month. The techniques observed include staging payloads inside a directory designed to resemble a Windows Update cache, DLL side-loading, and in-memory execution of the final backdoor. The end goal is to reduce on-disk footprints, blend into normal system behaviour, and make retrospective detection harder.

Cloud phones are internet-based virtual phone systems powered by Android that allow users to send and receive voice calls, messages, and access features just like a physical device. While early fraud waves leveraged “virtual” Android devices hosted on physical phone farms for social media engagement manipulation, fake app reviews and installs, SMS spam, and ad fraud, subsequent iterations have evolved into cloud-based virtual mobile infrastructures that use emulators to mimic phone behavior. Along with it expanded the abuse of cloud phones – sold in the form of phone box devices – for financial fraud expanded. Threat actors can buy, sell, and move cloud phones with pre-loaded e-wallets and pre-verified bank cards and accounts for use in Account TakeOver (ATO) and Authorized Push Payment (APP) scams, Group-IB said. In this scheme, unsuspecting users are tricked into providing their personal banking credentials to fraudsters impersonating bank workers or government officials in order to complete the verification process on the fraudsters’ cloud phone. These cloud phone devices with configured bank cards and accounts are then sold to other parties on darknet markets. “Major cloud phone platforms like LDCloud, Redfinger, and GeeLark offer device rentals for as little as $0.10-0.50 per hour, making fraud infrastructure accessible to anyone with minimal capital investment,” the company added. “Darknet markets actively trade pre-verified dropper accounts created on cloud phones, with Revolut and Wise accounts priced at $50-200 each, often including continued access to the cloud phone instance.”

The Shadowserver Foundation said it’s seeing over 511,000 end-of-life Microsoft IIS instances in its daily scans, out of which over 227,000 instances are beyond the official Microsoft Extended Security Updates (ESU) period. Most of them are located in China, the U.S., France, the U.K., Italy, Brazil, India, Japan, Australia, and Russia.

Indian authorities have ordered a comprehensive audit of CCTV systems across the nation following the exposure of a Pakistan-linked spy network that exploited surveillance cameras for espionage purposes. The solar-powered devices, installed at various railway stations and other important infrastructure, allegedly transmitted live footage to handlers linked to Pakistan’s Inter-Services Intelligence (ISI). The Indian government has outlined measures to strengthen the security of CCTV systems, such as mandatory documentation of the origin of critical components, testing of devices against vulnerabilities that could allow unauthorized remote access, and testing of devices for compliance. In tandem, at least 22 people have been arrested in connection with a Pakistan-linked network that engaged in reconnaissance activity. This included five men and a woman who have been accused of taking photos and videos of railway stations and military bases and sending them to handlers in Pakistan. These individuals were recruited through social media and encrypted messaging apps, luring them with payments ranging from ₹5,000 to ₹20,000 per “assignment.” Compromised CCTV systems can facilitate military operations and intelligence gathering. During the U.S.–Israel–Iran conflict last month, Check Point Research found a sharp surge in exploitation attempts targeting IP cameras by Iran-affiliated threat actors.

A new traffic distribution (TDS) codenamed TOXICSNAKE has been used to route victims to phishing, scam funnels, or malware payloads. The attacks begin with a first-stage JavaScript loader that’s capable of fingerprinting a site visitor, and either returns a redirect URL or a link to a malicious payload.

In a new report, Halcyon has revealed that the custom built Crytox PowerShell Encryptor is able to evade endpoint detection and response (EDR) solutions without the need for additional tooling like HRSword. “Crytox targeting continues to focus on virtual infrastructure (hypervisors, VM servers), entry via VPN exploitation, and manual hands-on-keyboard execution, which are all consistent with a deliberate, targeted operation rather than high-volume automated campaigns,” the company said. The development comes as the INC ransomware group has claimed attacks against ten law firms and legal services organizations within a 48-hour period. “The volume, sector specificity, and timing of these postings suggest the possibility of a coordinated campaign or a shared upstream compromise, such as a supply chain event affecting a common legal technology provider or managed services vendor,” Halcyon noted.

New research from Hudson Rock has found a machine belonging to the North Korea IT worker scheme that was accidentally infected with the Lumma Stealer malware after the local user downloaded malicious payloads when searching for GTA V cheats. Interestingly, the exfiltrated stealer logs contained corporate CDN credentials for Funnull, a content delivery network (CDN) that has been leveraged by state-sponsored actors. The operator used a “massive matrix of synthetic identities” across Western freelance platforms and global hosting providers, while also using five distinct Chrome profiles and one Edge profile to compartmentalize their operations. It’s believed that the machine owner was either a willing facilitator (i.e., a laptop farm host based out of Indonesia) or a North Korean operative.

The 2024 Polyfill[.]io supply chain attack has been linked to North Korean threat actors after a North Korean operative made a fatal operational security (OPSEC) blunder by downloading a fake software setup file and infected their own machine with the Lumma Stealer. While the attack was initially linked to Funnull, Hudson Rock discovered that the threat actor downloaded a password-protected ZIP archive hosted on MediaFire that was deceptively named to appear as a legitimate software installer. The evidence collected by the malware from the North Korean hacker’s endpoint included credentials for the Funnull DNS management portal, credentials for the Polyfill Cloudflare tenant (proving that the weaponized domain was under the threat actor’s control), and conversations regarding the malicious domain configuration changes made during the peak of the attack. While the threat actor used the “Brian” persona to pull off the attack, they also mange other identities to conduct IT worker fraud by securing a gig at cryptocurrency exchange Gate and exploiting the access to obtain intelligence on their employer’s security posture and understand blind spots in compliance systems. The same operative, under the “Wenyi Han” alias, is also said to have conducted strategic, state-sponsored data exfiltration, illustrating the severity of the IT worker threat.

A U.S. judge granted a motion to dismiss a case against tech giant Meta brought by a former WhatsApp employee, Attaullah Baig, who accused the company of ignoring privacy and security issues, and putting users’ information in danger. According to Courthouse News Service, the judge said, “the complaint does not contain sufficient facts to show that the plaintiff reported violations of SEC rules or regulations, the plaintiff did not plead facts regarding the elements of securities fraud or wire fraud, and his reporting cybersecurity violations does not relate to rules governing internal accounting controls.” Meta said, “Mr. Baig’s allegations misrepresent the hard work of our security team. We’re proud of our strong record of protecting people’s privacy and security, and will continue building on it.”

Hong Kong police can now demand phone or computer passwords from those who are suspected of breaching the National Security Law (NSL). Those who refuse to share the passwords could face up to a year in jail and a fine of up to $12,700, and individuals who provide “false or misleading information” could face up to three years in jail. The amendments to the NSL ensure that “activities endangering national security can be effectively prevented, suppressed and punished, and at the same time the lawful rights and interests of individuals and organisations are adequately protected,” authorities said.

A new Android RAT named Oblivion RAT is being sold as a malware-as-a-service (MaaS) platform on cybercrime networks for $300/month. “The platform includes a web-based APK builder for the implant, a separate dropper builder that generates convincing fake Google Play update pages, and a C2 panel for real-time device control,” iVerify said. “Pricing runs $300/month, $700/3 months, $1,300/6 months, or $2,200 lifetime, with 7-day demo accounts available.” Oblivion is distributed via dropper APKs sent to victims as part of social engineering attacks. Once installed, the dropper apps present a Google Play update flow to sideload the embedded RAT payload. As with other Android malware families, Oblivion abuses Android’s accessibility services API to grant itself additional permissions and steal sensitive data. “The core of the social engineering is the Accessibility Page builder, which generates a pixel-perfect replica of Android’s accessibility service settings screen,” iVerify said. “Every text element is operator-controlled: page title, section headers, the Enable button, and a descriptive info message. When the victim taps Enable, they grant the implant’s accessibility service full control over the device UI.”