{"id":234,"date":"2026-03-12T16:37:20","date_gmt":"2026-03-12T16:37:20","guid":{"rendered":"https:\/\/cybercolombia.co\/index.php\/2026\/03\/12\/oauth-trap-edr-killer-signal-phishing-zombie-zip-ai-platform-hack-more-cyberdefensa-mx\/"},"modified":"2026-03-12T16:37:20","modified_gmt":"2026-03-12T16:37:20","slug":"oauth-trap-edr-killer-signal-phishing-zombie-zip-ai-platform-hack-more-cyberdefensa-mx","status":"publish","type":"post","link":"https:\/\/cybercolombia.co\/index.php\/2026\/03\/12\/oauth-trap-edr-killer-signal-phishing-zombie-zip-ai-platform-hack-more-cyberdefensa-mx\/","title":{"rendered":"OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack &#038; More \u2013 CYBERDEFENSA.MX"},"content":{"rendered":"<div id=\"articlebody\">\n<p>Another Thursday, another pile of weird security stuff that somehow happened in just seven days. Some of it is clever. Some of it is lazy. A few bits fall into that uncomfortable category of \u201cyeah\u2026 this is probably going to show up in real incidents sooner than we\u2019d like.\u201d<\/p>\n<p>The pattern this week feels familiar in a slightly annoying way. Old tricks are getting polished. New research shows how flimsy certain assumptions really are. A couple of things that make you stop mid-scroll and think, \u201cwait\u2026 people are actually pulling this off?\u201d<\/p>\n<p>There\u2019s also the usual mix of strange corners of the ecosystem doing strange things \u2014 infrastructure behaving a little too professionally for comfort, tools showing up where they absolutely shouldn\u2019t, and a few cases where the weakest link is still just\u2026 people clicking stuff they probably shouldn\u2019t.<\/p>\n<p>Anyway. If you\u2019ve got five minutes and a mild curiosity about what attackers, researchers, and the broader internet gremlins were up to lately, this week\u2019s ThreatsDay Bulletin on The Hacker News has the quick hits. 
Scroll on.<\/p>\n<div class=\"td-wrap\">\n<section aria-labelledby=\"threatsday-title\" class=\"td-section\">\n<ol class=\"td-timeline\" role=\"list\">\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">OAuth consent abuse<\/span><\/p>\n<p class=\"td-desc\">\n      Cloud security firm Wiz has warned of the dangers posed by malicious OAuth applications, highlighting how \u00abconsent fatigue\u00bb could open the door for attackers to gain access to a victim\u2019s sensitive data by giving their malicious apps a legitimate-looking name. By accepting the permissions requested by a rogue OAuth application, the user is \u00abadding\u00bb the attacker\u2019s app into their company\u2019s tenant. \u00abOnce \u2018Accept\u2019 is clicked, the sign-in process is complete,\u00bb Wiz <a href=\"https:\/\/www.wiz.io\/blog\/detecting-malicious-oauth-applications\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abBut instead of going to a normal landing page, the access token is sent to the attacker\u2019s Redirect URL. With that token, the attacker now has access to the user\u2019s files or emails without ever needing to know their password.\u00bb The Google-owned company also said it detected a large-scale campaign active in early 2025 that involved 19 distinct OAuth applications impersonating well-known brands such as Adobe, DocuSign, and OneDrive, and targeted multiple organizations. 
Details of the activity were documented by Proofpoint in August 2025.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Messaging account takeover<\/span><\/p>\n<p class=\"td-desc\">\n      Russian-linked hackers are trying to <a href=\"https:\/\/english.aivd.nl\/documents\/2026\/03\/09\/cybersecurity-advisory.-phishing-via-messaging-apps-signal-and-whatsapp\" rel=\"noopener\" target=\"_blank\">break into<\/a> the Signal and WhatsApp accounts of government officials, journalists, and military personnel globally with an aim to get unauthorized access \u2013 not by breaking encryption, but by simply tricking people into handing over the security verification codes or PINs. \u00abThe most frequently observed method used by the Russian hackers is to masquerade as a Signal Support chatbot in order to induce their targets to divulge their codes,\u00bb the Netherlands Defence Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) <a href=\"https:\/\/english.aivd.nl\/latest\/news\/2026\/03\/09\/russia-targets-signal-and-whatsapp-accounts-in-cyber-campaign\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abThe hackers can then use these codes to take over the user\u2019s account. Another method used by the Russian actors takes advantage of the \u2018linked devices\u2019 function within Signal and WhatsApp.\u00bb It\u2019s worth noting that a similar warning was issued by Germany last month. \u00abThese attacks were executed via sophisticated phishing campaigns, designed to trick users into sharing information \u2013 SMS codes and\/or Signal PIN \u2013 to gain access to users\u2019 accounts,\u00bb Signal <a href=\"https:\/\/x.com\/i\/status\/2031038277604585785\" rel=\"noopener\" target=\"_blank\">said<\/a>. 
Google warned last year that Signal\u2019s widespread use among Ukrainian soldiers, politicians, and journalists had made it a frequent target for Russian espionage operations.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Cloud breach via software flaws<\/span><\/p>\n<p class=\"td-desc\">\n      Google has revealed that threat actors are increasingly exploiting vulnerabilities in third-party software to breach cloud environments. \u00abThe window between vulnerability disclosure and mass exploitation collapsed by an order of magnitude, from weeks to days,\u00bb the tech giant\u2019s cloud division <a href=\"https:\/\/cloud.google.com\/security\/report\/resources\/cloud-threat-horizons-report-h1-2026\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abWhile software-based exploits increased, initial access by threat actors using misconfiguration, which accounted for 29.4% of incidents in the first half of 2025, dropped to 21% in H2 2025. Similarly, exposed sensitive UI or APIs continued a downward trend, falling from 11.8% in H1 to 4.9% in H2. 
This decline suggests that automated guardrails are making identity and configuration errors harder to exploit and that threat actors are being driven toward more sophisticated and costly vectors that specifically target software vulnerabilities to gain a foothold.\u00bb In most attacks investigated by Google, the actor\u2019s objective was silent exfiltration of high volumes of data and long-term persistence, without immediate extortion.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Microcontroller debug bypass<\/span><\/p>\n<p class=\"td-desc\">\n      New research from Quarkslab has found that it\u2019s possible to bypass the 16-byte password protection required for debug access on several variants of the RH850 microcontroller family using voltage fault injection in under one minute. \u00abVoltage glitching technique is performed by underpowering or overpowering the chip for a controlled amount of time to alter its behavior,\u00bb the security company <a href=\"https:\/\/blog.quarkslab.com\/bypassing-debug-password-protection-on-the-rh850-family-using-fault-injection.html\" rel=\"noopener\" target=\"_blank\">said<\/a>. 
\u00abThe crowbar attack is a specific type of voltage glitch where the power supply is shorted to the ground instead of injecting a specific voltage, using a MOSFET, for example.\u00bb\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Solar Spider suspects arrested<\/span><\/p>\n<p class=\"td-desc\">\n      Two Nigerian nationals have been <a href=\"https:\/\/www.amarujala.com\/delhi-ncr\/noida\/two-nigerians-involved-in-international-cyber-fraud-module-arrested-in-greater-noida-2026-03-12\" rel=\"noopener\" target=\"_blank\">arrested<\/a> by authorities in the Indian state of Uttar Pradesh for their alleged involvement in an e-crime operation known as <a href=\"https:\/\/www.crowdstrike.com\/en-us\/adversaries\/solar-spider\/\" rel=\"noopener\" target=\"_blank\">Solar Spider<\/a>. The suspects are believed to have been planning to siphon large amounts of money by leveraging security flaws in Indian cooperative banking systems. According to a <a href=\"https:\/\/the420.in\/solar-spider-cyber-fraud-nigerians-arrested-greater-noida\/\" rel=\"noopener\" target=\"_blank\">report<\/a> from The420.in, the individuals have been identified as Okechukwu Imeka and Chinedu Okafor. The duo is suspected to be part of an international fraud syndicate involved in targeting financial institutions. Solar Spider has a history of targeting banking systems across India and the Middle East, often through spear-phishing campaigns. 
In a report published in July 2025, Tata Communications <a href=\"https:\/\/tatacommunications.com\/hubfs\/47271964\/TaCO-2024\/threat-advisory\/doc\/threat-intelligence-advisory-22-july-2025.pdf\" rel=\"noopener\" target=\"_blank\">revealed<\/a> that threat actors leverage their initial access to steal credentials, tamper with NEFT\/RTGS transactions, and focus on Structured Financial Messaging System (<a href=\"https:\/\/en.wikipedia.org\/wiki\/Structured_Financial_Messaging_System\" rel=\"noopener\" target=\"_blank\">SFMS<\/a>) and Host-to-Host (H2H) infrastructures. The group is also known for deploying a sophisticated attack framework dubbed JSOutProx since at least 2019.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">PlugX malware campaign<\/span><\/p>\n<p class=\"td-desc\">\n      Check Point has disclosed targeted campaigns against entities in Qatar using conflict-related content as lures to deliver malware families like PlugX and Cobalt Strike. The attack chain uses Windows shortcut (LNK) files contained within ZIP archives, which, when opened, download a next-stage payload from a compromised server. The payload then displays a decoy document while using DLL side-loading to deploy PlugX. The activity, detected on March 1, 2026, has been attributed to Mustang Panda (aka Camaro Dragon). A second attack has been observed using a password-protected archive to execute a previously undocumented Rust loader that\u2019s responsible for deploying Cobalt Strike using DLL side-loading. \u00abThis loader exploits DLL hijacking of nvdaHelperRemote.dll, a component of the open-source screen reader NVDA. 
Abuse of this component has previously been observed in only a limited number of Chinese-nexus campaigns, including China-aligned activity associated with a campaign delivering Voldemort backdoor, as well as a wave of attacks targeting the Philippines and Myanmar back in 2025,\u00bb Check Point <a href=\"https:\/\/blog.checkpoint.com\/research\/china-nexus-activity-against-qatar-observed-amid-expanding-regional-tensions\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. While this attack is assessed as China-aligned, it has not been attributed to a specific threat actor. \u00abThe attackers leveraged the ongoing war in the Middle East to make their lures more credible and engaging, demonstrating the ability to rapidly adapt to major developments and breaking news,\u00bb the company said.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Teen DDoS kit sellers<\/span><\/p>\n<p class=\"td-desc\">\n      Polish police have referred seven suspected minor cybercriminals to family court over an alleged scheme to sell distributed denial-of-service (DDoS) kits online. The suspects, aged between 12 and 16 at the time of the alleged offenses, face charges related to selling DDoS tools as part of a profit-driven scheme designed to target popular websites, including auction and sales portals, IT domains, hosting services, and accommodation booking sites. 
\u00abUsing the tools they administer, popular websites such as auction and sales portals, IT domains, hosting services, and accommodation booking services were attacked,\u00bb Poland\u2019s Central Bureau for Combating Cybercrime (CBZC) <a href=\"https:\/\/cbzc.policja.gov.pl\/bzc\/aktualnosci\/849,Siedmiu-nastolatkow-sprzedawalo-narzedzia-do-atakow-DDoS.html\" rel=\"noopener\" target=\"_blank\">said<\/a>.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Phishing-resistant Windows login<\/span><\/p>\n<p class=\"td-desc\">\n      Microsoft is rolling out passkey support for Microsoft Entra on Windows devices, adding phishing-resistant passwordless authentication via Windows Hello. \u00abWe\u2019re introducing Microsoft Entra passkeys on Windows to enable phishing-resistant sign-in to Entra-protected resources. This update allows users to create device-bound passkeys stored in the Windows Hello container and authenticate using Windows Hello methods (face, fingerprint, or PIN),\u00bb Microsoft <a href=\"https:\/\/mc.merill.net\/message\/MC1247893\" rel=\"noopener\" target=\"_blank\">said<\/a>. 
\u00abIt also expands passwordless authentication to Windows devices that aren\u2019t Entra-joined or registered, helping organizations strengthen security and reduce reliance on passwords.\u00bb\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Sysmon built into Windows<\/span><\/p>\n<p class=\"td-desc\">\n      Microsoft has natively integrated System Monitor (<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/security\/operating-system-security\/sysmon\/overview\" rel=\"noopener\" target=\"_blank\">Sysmon<\/a>) functionality directly into Windows 11 and Windows Server 2025 as an optional built-in feature as of Windows 11\u2019s March feature update (<a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/march-10-2026-kb5079473-os-builds-26200-8037-and-26100-8037-9c222a8e-cc02-40d4-a1f8-ad86be1bc8b6\" rel=\"noopener\" target=\"_blank\">KB5079473<\/a>). It\u2019s disabled by default. The company <a href=\"https:\/\/techcommunity.microsoft.com\/blog\/windows-itpro-blog\/native-sysmon-functionality-coming-to-windows\/4468112\" rel=\"noopener\" target=\"_blank\">announced<\/a> the integration in November 2025. \u00abYou no longer need to package it dynamically; you can simply <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/security\/operating-system-security\/sysmon\/how-to-enable-sysmon\" rel=\"noopener\" target=\"_blank\">enable it programmatically via PowerShell<\/a>,\u00bb Nick Carroll, cyber incident response manager at Nightwing, said. 
\u00abCoupled with Microsoft\u2019s simultaneous announcement that Windows Intune will enable \u2018hotpatching\u2019 by default in May 2026, this drastically lowers the barrier to entry for deep endpoint visibility and represents a massive operational win for network defenders.\u00bb\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Canada phishing campaign<\/span><\/p>\n<p class=\"td-desc\">\n      An active phishing campaign is targeting Canadian residents (and possibly present in other countries) using fraudulent domains impersonating trusted institutions, including the Government of British Columbia and Hydro-Qu\u00e9bec, with the goal of collecting personal information and credit card details, Flare <a href=\"https:\/\/flare.io\/learn\/resources\/blog\/phishing-campaign-hosting-infrastructure-alleged-links-iranian-state-aligned-activity\" rel=\"noopener\" target=\"_blank\">said<\/a>. The hosting infrastructure behind this campaign is linked to RouterHosting LLC (aka Cloudzy), a provider that was publicly accused in 2023 of supplying services to at least 17 state-sponsored hacking groups from countries including Iran, China, Russia, and North Korea.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Private link safety in chats<\/span><\/p>\n<p class=\"td-desc\">\n      Meta has detailed the workings of Advanced Browsing Protection (<a href=\"https:\/\/www.facebook.com\/help\/messenger-app\/1147987549394223\" rel=\"noopener\" target=\"_blank\">ABP<\/a>) in Messenger, which protects the privacy of the links clicked on within chats while still warning people about malicious links. 
\u00abIn its standard setting, Safe Browsing uses on-device models to analyze malicious links shared in chats,\u00bb the company <a href=\"https:\/\/engineering.fb.com\/2026\/03\/09\/security\/how-advanced-browsing-protection-works-in-messenger\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abBut we\u2019ve extended this further with an advanced setting called Advanced Browsing Protection (ABP) that leverages a continually updated watchlist of millions more potentially malicious websites.\u00bb ABP leverages an approach called private information retrieval (PIR) to implement a privacy-preserving \u00abURL-matching\u00bb scheme between the client\u2019s query and the server hosting the database, along with Oblivious HTTP, AMD SEV-SNP, and <a href=\"https:\/\/eprint.iacr.org\/2013\/280\" rel=\"noopener\" target=\"_blank\">Path ORAM<\/a> for added privacy guarantees.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">BlackSanta EDR killer<\/span><\/p>\n<p class=\"td-desc\">\n      A sophisticated attack campaign targeting HR departments and job recruiters has combined social engineering with advanced evasion techniques to stealthily compromise systems by avoiding analysis environments and leveraging a specialized module designed to kill antivirus and endpoint detection software. The attack begins with a resume-themed ISO file, likely delivered through spam or phishing emails, which then drops next-stage payloads, including a DLL that\u2019s launched via DLL side-loading to gather basic system information, initiate communication with a remote server, run sandbox checks, employ geographic filtering to avoid running in restricted regions, and drop additional payloads, such as the BlackSanta EDR killer, which employs legitimate but vulnerable kernel drivers to impair system defenses, a known tactic referred to as Bring Your Own Vulnerable Driver (BYOVD). 
\u00abRather than functioning as a simple auxiliary payload, BlackSanta acts as a dedicated defense-neutralization module that programmatically identifies and interferes with protection and monitoring processes prior to the deployment of follow-on stages,\u00bb Aryaka <a href=\"https:\/\/www.aryaka.com\/reports-and-guides\/blacksanta-edr-killer-threat-report\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abBy targeting endpoint security engines alongside telemetry and logging agents, it directly reduces alert generation, limits behavioral logging, and weakens investigative visibility on compromised hosts.\u00bb It\u2019s currently not known what the follow-on payloads are or how widespread the campaign is. Phishing campaigns don\u2019t just target HR teams, but also impersonate them in attacks. \u00abImpersonating HR provides many benefits to threat actors. Tasks from HR are typically mandatory, so HR emails carry authority,\u00bb Cofense <a href=\"https:\/\/cofense.com\/Blog\/Seasonal-Surge-Why-HR-Phishing-Peaks-in-Q4-and-the-Seven-Themes-Behind-It\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abLegitimate HR tasks can also have strict deadlines, which a threat actor can use to impose urgency. Finally, regular HR tasks are expected by employees.\u00bb\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">ZIP evasion technique<\/span><\/p>\n<p class=\"td-desc\">\n      A new technique dubbed <a href=\"https:\/\/github.com\/bombadil-systems\/zombie-zip\" rel=\"noopener\" target=\"_blank\">Zombie ZIP<\/a> allows attackers to conceal payloads in specially crafted compressed files that can bypass security tools. 
\u00abMalformed ZIP headers can cause antivirus and endpoint detection and response software (EDR) to produce false negatives,\u00bb the CERT Coordination Center (CERT\/CC) <a href=\"https:\/\/kb.cert.org\/vuls\/id\/976247\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abDespite the presence of malformed headers, some extraction software is still able to decompress the ZIP archive, allowing potentially malicious payloads to run upon file decompression.\u00bb The vulnerability, tracked as CVE-2026-0866, has been codenamed Zombie Zip by Bombadil Systems security researcher Christopher Aziz, who discovered and demonstrated it.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">AI agent breaches platform<\/span><\/p>\n<p class=\"td-desc\">\n      Researchers at autonomous offensive security startup CodeWall <a href=\"https:\/\/codewall.ai\/blog\/how-we-hacked-mckinseys-ai-platform\" rel=\"noopener\" target=\"_blank\">said<\/a> their AI agent hacked McKinsey\u2019s internal AI platform Lili and gained full read and write access to the chatbot platform in just two hours. This enabled access to the entire production database, including 46.5 million chat messages about strategy, mergers and acquisitions, and client engagements, all in plaintext, along with 728,000 files containing confidential client data, 57,800 user accounts, and 95 system prompts controlling the AI\u2019s behavior. The development is an indicator that agentic AI tools are becoming more effective for conducting cyber attacks. The agent said it found over 200 endpoints that were totally exposed, out of which 22 were unprotected. One of these endpoints, which wrote user search queries to the database, suffered from an SQL injection that could have made it possible to access sensitive data and rewrite the system prompts silently. 
McKinsey has since addressed the problem. There is no evidence that the issue was exploited in the wild.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Teams social engineering malware<\/span><\/p>\n<p class=\"td-desc\">\n      Hackers have contacted employees at financial and healthcare organizations over Microsoft Teams to trick them into granting remote access through Quick Assist and deploy a new piece of malware called <a href=\"https:\/\/www.bluevoyant.com\/blog\/new-a0backdoor-linked-to-teams-impersonation-and-quick-assist-social-engineering\" rel=\"noopener\" target=\"_blank\">A0Backdoor<\/a>. The modus operandi, which aligns with the playbook of Storm-1811 (aka STAC5777 or Blitz Brigantine), employs social engineering to gain the employee\u2019s trust by first flooding their inbox with spam and then contacting them over Teams, pretending to be the company\u2019s IT staff and offering assistance with the problem. To obtain access to the target machine, the threat actor instructs the user to start a Quick Assist remote session, which is used to deploy a malicious toolset that includes digitally signed MSI packages, some of which were hosted on Microsoft cloud storage tied to personal accounts. The installers serve as a conduit for launching a DLL that, in turn, decrypts and runs shellcode responsible for running anti-analysis checks and dropping A0Backdoor, which establishes contact to a remote server using DNS tunnelling to receive commands. 
The campaign has been active since at least August 2025 through late February 2026.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Industrialized disinformation network<\/span><\/p>\n<p class=\"td-desc\">\n      The Russian influence operation known as Doppelg\u00e4nger has been described as industrialized and prioritizing infrastructure resilience, scalability, and operational continuity over short-term visibility. \u00abRather than functioning as a loose collection of spoofed websites or transient propaganda outlets, the network exhibits the hallmarks of a coordinated, professionally managed influence apparatus,\u00bb DomainTools <a href=\"https:\/\/dti.domaintools.com\/research\/doppelganger-rrn-disinformation-infrastructure-ecosystem\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abAt its core, the ecosystem relies on systematic media brand impersonation executed at scale.\u00bb Campaigns mounted as part of the operation exhibit deliberate geographic micro-targeting across European Union member states and the U.S.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Pentagon AI dispute<\/span><\/p>\n<p class=\"td-desc\">\n      Anthropic has <a href=\"https:\/\/www.courtlistener.com\/docket\/72379655\/anthropic-pbc-v-us-department-of-war\/\" target=\"_blank\">filed a lawsuit<\/a> to block the Pentagon from placing it on a <a href=\"https:\/\/www.wsj.com\/tech\/ai\/pentagon-formally-labels-anthropic-supply-chain-risk-escalating-conflict-ebdf0523\" rel=\"noopener\" target=\"_blank\">national security blocklist<\/a>, stating the supply chain risk designation was unlawful and violated its free speech and due process rights. 
The development comes after the Pentagon formally branded the artificial intelligence (AI) company a supply chain risk after it refused to remove guardrails against using its technology for autonomous weapons or domestic surveillance. In its own statement, Anthropic <a href=\"https:\/\/www.anthropic.com\/news\/where-stand-department-war\" rel=\"noopener\" target=\"_blank\">said<\/a> \u00abwe had been having productive conversations with the Department of War over the last several days, both about ways we could serve the Department that adhere to our two narrow exceptions, and ways for us to ensure a smooth transition if that is not possible.\u00bb However, the Pentagon <a href=\"https:\/\/x.com\/USWREMichael\/status\/2029754965778907493\" rel=\"noopener\" target=\"_blank\">said<\/a> there is no active negotiation happening with Anthropic. It also <a href=\"https:\/\/x.com\/USWREMichael\/status\/2030704601444356542\" rel=\"noopener\" target=\"_blank\">reiterated<\/a> that the department \u00abdoes not do and will not do domestic mass surveillance.\u00bb The development follows OpenAI\u2019s own deal with the U.S. Department of Defense, with CEO Sam Altman stating the defense contract would include protections against the same red lines that Anthropic had insisted on. The company has since <a href=\"https:\/\/openai.com\/index\/our-agreement-with-the-department-of-war\/\" rel=\"noopener\" target=\"_blank\">amended<\/a> its contract to ensure \u00abthe AI system shall not be intentionally used for domestic surveillance of U.S. 
persons and nationals.\u00bb Anthropic\u2019s CEO Dario Amodei has <a href=\"https:\/\/techcrunch.com\/2026\/03\/04\/anthropic-ceo-dario-amodei-calls-openais-messaging-around-military-deal-straight-up-lies-report-says\/\" rel=\"noopener\" target=\"_blank\">called<\/a> OpenAI\u2019s messaging \u00absafety theater\u00bb and \u00abstraight up lies.\u00bb\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">GitHub SEO malware<\/span><\/p>\n<p class=\"td-desc\">\n      A new information stealer campaign distributing <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/26\/c\/boryptgrab-stealer-targets-users-via-deceptive-github-pages.html\" rel=\"noopener\" target=\"_blank\">BoryptGrab<\/a> is leveraging a network of more than 100 public GitHub repositories that claim to offer software tools for free, using search engine optimization (SEO) keywords to lure victims. The multi-stage infection chain begins when a ZIP file is downloaded from a fake GitHub download page. BoryptGrab can harvest browser data, cryptocurrency wallet information, and system information. It\u2019s also capable of capturing screenshots, collecting common files, and extracting Telegram information, Discord tokens, and passwords. Also delivered as part of the attack is a backdoor called TunnesshClient that establishes a reverse SSH tunnel to communicate with the attacker and acts as a <a href=\"https:\/\/censys.com\/blog\/unauth-socks\" rel=\"noopener\" target=\"_blank\">SOCKS5 proxy<\/a>. The earliest ZIP file dates back to late 2025. 
Certain iterations of the campaign have been found to deliver Vidar Stealer or a Golang downloader dubbed HeaconLoad, which then downloads and runs additional payloads.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">RAT campaign against India<\/span><\/p>\n<p class=\"td-desc\">\n      The Pakistan-aligned threat actor known as Transparent Tribe has been attributed to a fresh set of attacks targeting Indian government entities to infect systems with a RAT that enables remote command execution, process monitoring and termination, remote program execution, file upload\/download, file enumeration, screenshot capture, and live screen monitoring capabilities. \u00abThe campaign primarily relies on social engineering techniques, distributing a malicious ZIP archive disguised as examination-related documents to persuade recipients to interact with the files,\u00bb CYFIRMA <a href=\"https:\/\/www.cyfirma.com\/research\/apt36-multi-vector-execution-malware-campaign-targeting-indian-government-entities\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abUpon extraction, the archive delivers deceptive shortcut files along with a macro-enabled PowerPoint add-in, which collectively initiate the infection chain. The threat actors employ multiple layers of obfuscation and redundant execution mechanisms to enhance the probability of successful compromise while reducing the likelihood of user suspicion.\u00bb\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Signed phishing malware<\/span><\/p>\n<p class=\"td-desc\">\n      Microsoft is warning of multiple phishing campaigns using workplace meeting lures, PDF attachments, and abuse of legitimate binaries to deliver signed malware. 
The activity, observed in February 2026, has not been attributed to a specific threat actor or group. \u00abPhishing emails directed users to download malicious executables masquerading as legitimate software,\u00bb the company <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/03\/03\/signed-malware-impersonating-workplace-apps-deploys-rmm-backdoors\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abThe files were digitally signed using an Extended Validation (EV) certificate issued to TrustConnect Software PTY LTD. Once executed, the applications installed remote monitoring and management (RMM) tools that enabled the attacker to establish persistent access on compromised systems.\u00bb Some of the deployed RMM tools include ScreenConnect, Tactical RMM, and MeshAgent. The use of the TrustConnect branding was disclosed by Proofpoint last week. Furthermore, the deployment of multiple RMM frameworks within a single intrusion indicates a deliberate strategy to ensure continuous access and ensure operational resilience even if one access mechanism is detected or removed. \u00abThese campaigns demonstrate how familiar branding and trusted digital signatures can be abused to bypass user suspicion and gain an initial foothold in enterprise environments,\u00bb Microsoft added.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">TikTok allowed in Canada<\/span><\/p>\n<p class=\"td-desc\">\n      Following a national security review of TikTok, Canada\u2019s Minister of Industry, M\u00e9lanie Joly, said the company can keep its business operational. 
\u00abTikTok will implement enhanced protection for Canadians\u2019 personal information, including new security gateways and privacy-enhancing technologies to control access to Canadian user data in order to reduce the risk of unauthorized or prohibited access,\u00bb the government <a href=\"https:\/\/www.canada.ca\/en\/innovation-science-economic-development\/news\/2026\/03\/minister-jolys-statement-on-the-outcome-of-the-further-national-security-review-of-tiktok-technology-canada-inc-under-the-investment-canada-act.html\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abTikTok will implement enhanced protections for minors.\u00bb The development marks a complete 180 from a 2024 decision, when it was ordered to shut down its operations, citing unspecified \u00abnational security risks.\u00bb However, that order was <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2026-03-09\/tiktok-gets-green-light-to-stay-in-canada-reversing-earlier-ban\" rel=\"noopener\" target=\"_blank\">paused in early 2025<\/a>.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Vulnerabilities rise 12%<\/span><\/p>\n<p class=\"td-desc\">\n      Flashpoint <a href=\"https:\/\/flashpoint.io\/blog\/global-threat-intelligence-report-2026\/\" rel=\"noopener\" target=\"_blank\">said<\/a> it catalogued 44,509 vulnerability disclosures in 2025, a 12% increase year-over-year (YoY). Of those, 466 were confirmed as exploited in the wild. Nearly 33%, or 14,593 vulnerabilities, had publicly available exploit code. Ransomware attacks also increased 53% YoY in 2025, with 8,835 total attacks recorded. The top RaaS groups by attack volume in 2025 were Qilin at 1,213 attacks, Akira at 1,044, Cl0p at 529, Safepay at 452, and Play at 395. Manufacturing was the most targeted industry with 1,564 attacks, followed by technology at 987 and healthcare at 905. The U.S. 
accounted for approximately 53% of named victim organizations.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Botnet exploiting 174 flaws<\/span><\/p>\n<p class=\"td-desc\">\n      The RondoDox DDoS botnet has been found to implement 174 different exploits between May 25, 2025, and February 16, 2026, peaking at 15,000 exploitation attempts in a single day between December 2025 and January 2026. It\u2019s believed that the threat actors are using compromised residential IP addresses as hosting infrastructure. \u00abThe operators of RondoDox have been using a shotgun approach, where they send multiple exploits to the same endpoint, hoping for one to work,\u00bb Bitsight <a href=\"https:\/\/www.bitsight.com\/blog\/rondodox-botnet-infrastructure-analysis\" rel=\"noopener\" target=\"_blank\">said<\/a>. Of the 174 different vulnerabilities, 15 have a public proof-of-concept (PoC), but no CVE, and 11 do not have PoC code at all. RondoDox is notable for its fast addition of recently disclosed vulnerabilities, in some cases incorporating the PoC even before the CVE was published (e.g., <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-62593\" rel=\"noopener\" target=\"_blank\">CVE-2025-62593<\/a>).\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Memory-only keylogger attack<\/span><\/p>\n<p class=\"td-desc\">\n      Phishing emails bearing purchase order lures are being used to distribute an executable within RAR archives. Once launched, the binary extracts and runs VIP Keylogger in memory without touching the disk. 
\u00abThis keylogger captures either browser cookies, logins, credit card details, autofills, visited URLs, downloads, or top sites from the appropriate files in each of the application\u2019s designated folders,\u00bb K7 Labs <a href=\"https:\/\/labs.k7computing.com\/index.php\/maas-vip_keylogger-campaign\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. It\u2019s also capable of targeting a wide range of web browsers, stealing the email accounts from Outlook, Foxmail, Thunderbird, and Postbox, and collecting Discord tokens.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Cloudflare-shielded phishing<\/span><\/p>\n<p class=\"td-desc\">\n      A new Microsoft 365 credential harvesting campaign has been observed abusing Cloudflare\u2019s services to delay detection and risk profiling. The gatekeeping is designed to ensure the visitor is a real target and not a security scanner or bot. \u00abThe campaign implemented multiple anti-detection techniques, including the use of CloudFlare human verification, hardcoded IP block lists, user agent checks, and multiple sites and redirects,\u00bb DomainTools <a href=\"https:\/\/dti.domaintools.com\/securitysnacks\/securitysnack-cloudflare-anti-security-for-phishing\" rel=\"noopener\" target=\"_blank\">said<\/a>.\n    <\/p>\n<\/div>\n<\/li>\n<\/ol>\n<\/section>\n<\/div>\n<p>Some of the stuff in this week\u2019s list feels a little too practical. Not big flashy hacks \u2014 just simple tricks used in the right place at the right time. The kind of things that make defenders sigh because\u2026 yeah, that\u2019ll probably work.<\/p>\n<p>There\u2019s also a bit of the usual theme: tools and features doing exactly what they were designed to do\u2026 just not for the people who built them. 
Add some creative thinking, and suddenly normal workflows start looking like attack paths.<\/p>\n<p>Anyway \u2014 quick reads, strange ideas, and a few reminders that security problems rarely disappear\u2026 they just change shape. Scroll on.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Another Thursday, another pile of weird security stuff that somehow happened in just seven days. Some of it is clever. Some of it is lazy. A few bits fall into that uncomfortable category of \u201cyeah\u2026 this is probably going to show up in real incidents sooner than we\u2019d like.\u201d The pattern this week feels familiar [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25,5],"tags":[24,814,820,815,360,365,819,816,813,818,817],"class_list":["post-234","post","type-post","status-publish","format-standard","hentry","category-noticias","category-trending","tag-cyberdefensa-mx","tag-edr","tag-hack","tag-killer","tag-oauth","tag-phishing","tag-platform","tag-signal","tag-trap","tag-zip","tag-zombie"],"_links":{"self":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts\/234","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/comments?post=234"}],"version-history":[{"count":0,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts\/234\/revisions"}],"wp:attachment":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/media?parent=234"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybercolombia.c
o\/index.php\/wp-json\/wp\/v2\/categories?post=234"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/tags?post=234"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}