{"id":404,"date":"2026-03-30T15:57:14","date_gmt":"2026-03-30T15:57:14","guid":{"rendered":"https:\/\/cybercolombia.co\/index.php\/2026\/03\/30\/telecom-sleeper-cells-llm-jailbreaks-apple-forces-u-k-age-checks-and-more-cyberdefensa-mx\/"},"modified":"2026-03-30T15:57:14","modified_gmt":"2026-03-30T15:57:14","slug":"telecom-sleeper-cells-llm-jailbreaks-apple-forces-u-k-age-checks-and-more-cyberdefensa-mx","status":"publish","type":"post","link":"https:\/\/cybercolombia.co\/index.php\/2026\/03\/30\/telecom-sleeper-cells-llm-jailbreaks-apple-forces-u-k-age-checks-and-more-cyberdefensa-mx\/","title":{"rendered":"Telecom Sleeper Cells, LLM Jailbreaks, Apple Forces U.K. Age Checks and More \u2013 CYBERDEFENSA.MX"},"content":{"rendered":"<div id=\"articlebody\">\n<p>Some weeks are loud. This one was quieter but not in a good way. Long-running operations are finally hitting courtrooms, old attack methods are showing up in new places, and research that stopped being theoretical right around the time defenders stopped paying attention.<\/p>\n<p>There\u2019s a bit of everything this week. Persistence plays, legal wins, influence ops, and at least one thing that looks boring until you see what it connects to.<\/p>\n<p>All of it below. Let\u2019s go.<\/p>\n<h2 style=\"text-align: left;\"><strong>\u26a1 Threat of the Week<\/strong><\/h2>\n<p><strong>Citrix Flaw Comes Under Active Exploitation <\/strong>\u2014 A critical security flaw in Citrix NetScaler ADC and NetScaler Gateway (CVE-2026-3055, CVSS score: 9.3) has come under active exploitation as of March 27, 2026. The vulnerability refers to a case of insufficient input validation leading to memory overread, which an attacker could exploit to leak potentially sensitive information. Per Citrix, successful exploitation of the flaw hinges on the appliance being configured as a SAML Identity Provider (SAML IDP).<\/p>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udd14 Top News<\/strong><\/h2>\n<ul>\n<li><strong><a href=\"https:\/\/thehackernews.com\/2026\/03\/iran-linked-hackers-breach-fbi.html\" rel=\"noopener\" target=\"_blank\">FBI Confirms Hack of Director Kash Patel\u2019s Personal Email Account <\/a><\/strong>\u2014 The U.S. Federal Bureau of Investigation (FBI) confirmed that threat actors gained access to an email account belonging to FBI Director Kash Patel, but said no government information has been compromised. The Iran-linked hacker group Handala claimed responsibility for the hack, releasing files allegedly representing photos, emails, and classified documents taken from the FBI director\u2019s inbox. \u00abThe so-called \u2018impenetrable\u2019 systems of the FBI were brought to their knees within hours by our team,\u00bb the hackers wrote. It\u2019s unclear when the account was hacked. The U.S. government, which recently took down multiple sites operated by Iranian state actors, said it\u2019s offering up to $10 million for information on threat groups like Parsian Afzar Rayan Borna and Handala.<\/li>\n<li><strong>Red Menshen Uses Stealthy BPFDoor to Spy on Telecom Networks <\/strong>\u2014 A China-linked state-sponsored threat actor known as Red Menshen has deployed kernel implants and passive backdoors deep within telecommunication backbone infrastructure worldwide for long-term persistence. The implants have been fittingly described as sleeper cells that lie dormant and blend into target environments, but spring into action upon receiving a magic packet by quietly monitoring network traffic instead of opening a visible connection. Initial access is usually gained by exploiting known vulnerabilities in edge networking devices and VPN products or by leveraging compromised accounts. Once inside, the threat actor maintains long-term access by deploying tools like BPFdoor. Some BPFdoor samples mimic bare-metal infrastructure, posing as legitimate enterprise platforms to blend into operational noise. Others spoof core containerization components. By embedding the implant deep below traditional visibility layers, the goal is to significantly complicate detection efforts. Rapid7 has <a href=\"https:\/\/github.com\/rapid7\/Rapid7-Labs\/tree\/main\/BPFDoor\" rel=\"noopener\" target=\"_blank\">released<\/a> a scanning script designed to detect known BPFDoor variants across Linux environments.<\/li>\n<li><strong>GlassWorm Evolves to Drop Extension-Based Stealer <\/strong>\u2014 A new evolution of the GlassWorm campaign is delivering a multi-stage framework capable of comprehensive data theft and installing a remote access trojan (RAT), which deploys an information-stealing Google Chrome extension masquerading as an offline version of Google Docs. \u00abIt logs keystrokes, dumps cookies and session tokens, captures screenshots, and takes commands from a C2 server hidden in a Solana blockchain memo,\u00bb Aikido said. GlassWorm is the moniker assigned to a persistent campaign that obtains an initial foothold through rogue packages published across npm, PyPI, GitHub, and the Open VSX marketplace. In addition, the operators are known to compromise the accounts of project maintainers to push poisoned updates.<\/li>\n<li><strong>Russian Hacker Sentenced to 2 Years for TA551-Linked Ransomware Attacks <\/strong>\u2014 Ilya Angelov, a 40-year-old Russian national, was sentenced to two years in prison for managing a botnet that was used to launch ransomware attacks against U.S. companies. Angelov, who went by the online aliases \u00abmilan\u00bb and \u00abokart,\u00bb is said to have co-managed a Russia-based cybercriminal group known as TA551 (aka ATK236, G0127, Gold Cabin, Hive0106, Mario Kart, Monster Libra, Shathak, and UNC2420) between 2017 and 2021. The attacks leveraged spam emails to compromise systems and rope them into a botnet that other cybercriminals used to break into corporate systems and deploy ransomware. This included threat actors affiliated with BitPaymer and IcedID.<\/li>\n<li><strong>FCC Bans New Foreign-Made Routers Over Security Risks <\/strong>\u2014 The U.S. Federal Communications Commission (FCC) said it was banning the import of new, foreign-made consumer routers, citing \u00abunacceptable\u00bb risks to cyber and national security. To that end, all consumer-grade routers manufactured in foreign countries have been added to the Covered List, unless they have been granted a Conditional Approval by the Department of War (DoW) or the Department of Homeland Security (DHS) after determining that they do not pose any risks. The development comes as the Indian government appears to be preparing to bar Chinese CCTV product makers, such as Hikvision, Dahua, and TP-Link, from selling their cameras from April 1, 2026, to tighten oversight under the Standardisation Testing and Quality Certification (STQC) rules, the Economic Times <a href=\"https:\/\/economictimes.indiatimes.com\/industry\/cons-products\/electronics\/market-reset-india-pulls-the-plug-on-chinese-cctv-makers\/articleshow\/129886552.cms\" rel=\"noopener\" target=\"_blank\">reported<\/a>.<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><strong>\u200e\ufe0f\u200d\ud83d\udd25 Trending CVEs<\/strong><\/h2>\n<p>New vulnerabilities show up every week, and the window between disclosure and exploitation keeps getting shorter. The flaws below are this week\u2019s most critical \u2014 high-severity, widely used software, or already drawing attention from the security community.<\/p>\n<p>Check these first, patch what applies, and don\u2019t wait on the ones marked urgent \u2014 CVE-2026-3055 (Citrix NetScaler ADC and NetScaler Gateway), <a href=\"https:\/\/www.qnap.com\/en\/security-advisory\/qsa-26-12\" rel=\"noopener\" target=\"_blank\">CVE-2025-62843, CVE-2025-62844, CVE-2025-62845, CVE-2025-62846<\/a> (QNAP), <a href=\"https:\/\/www.qnap.com\/en\/security-advisory\/qsa-26-07\" rel=\"noopener\" target=\"_blank\">CVE-2026-22898<\/a> (QNAP QVR Pro), <a href=\"https:\/\/chromereleases.googleblog.com\/2026\/03\/stable-channel-update-for-desktop_23.html\" rel=\"noopener\" target=\"_blank\">CVE-2026-4673, CVE-2026-4677, CVE-2026-4674<\/a> (Google Chrome), <a href=\"https:\/\/kb.cert.org\/vuls\/id\/577436\" rel=\"noopener\" target=\"_blank\">CVE-2026-4404<\/a> (GoHarbor Harbor), <a href=\"https:\/\/kb.cert.org\/vuls\/id\/330121\" rel=\"noopener\" target=\"_blank\">CVE-2026-1995<\/a> (IDrive for Windows), <a href=\"https:\/\/www.ptc.com\/en\/about\/trust-center\/advisory-center\/active-advisories\/windchill-flexplm-critical-vulnerability\" rel=\"noopener\" target=\"_blank\">CVE-2026-4681<\/a> (<a href=\"https:\/\/www.cisa.gov\/news-events\/ics-advisories\/icsa-26-085-03\" rel=\"noopener\" target=\"_blank\">Windchill and FlexPLM<\/a>), <a href=\"https:\/\/www.tp-link.com\/us\/support\/faq\/5027\/\" rel=\"noopener\" target=\"_blank\">CVE-2025-15517, CVE-2025-15518, CVE-2025-15519, CVE-2025-15605, CVE-2025-62673<\/a> (TP-Link),<a href=\"https:\/\/blog.talosintelligence.com\/tp-link-canva-hikvision-vulnerabilities\/\" rel=\"noopener\" target=\"_blank\">CVE-2025-66176<\/a> (HikVision), <a href=\"https:\/\/my.f5.com\/manage\/s\/article\/K000160366#NGINX\" rel=\"noopener\" target=\"_blank\">CVE-2026-32647<\/a> (NGINX Open Source and NGINX Plus), <a href=\"https:\/\/swarm.ptsecurity.com\/business-logic-and-chains-unauthenticated-rce-in-dell-wyse-management-suite\/\" rel=\"noopener\" target=\"_blank\">CVE-2026-22765, CVE-2026-22766<\/a> (Dell Wyse Management Suite), <a href=\"https:\/\/nodejs.org\/en\/blog\/vulnerability\/march-2026-security-releases\" rel=\"noopener\" target=\"_blank\">CVE-2026-21637, CVE-2026-21710<\/a> (Node.js), <a href=\"https:\/\/trustedsec.com\/blog\/lnkmemaybe-a-review-of-cve-2026-25185\" rel=\"noopener\" target=\"_blank\">CVE-2026-25185<\/a> aka LnkMeMaybe (Microsoft), <a href=\"https:\/\/kb.isc.org\/docs\/cve-2026-1519\" rel=\"noopener\" target=\"_blank\">CVE-2026-1519<\/a>, <a href=\"https:\/\/kb.isc.org\/docs\/cve-2026-3104\" rel=\"noopener\" target=\"_blank\">CVE-2026-3104<\/a>, <a href=\"https:\/\/kb.isc.org\/docs\/cve-2026-3119\" rel=\"noopener\" target=\"_blank\">CVE-2026-3119<\/a>, <a href=\"https:\/\/kb.isc.org\/docs\/cve-2026-3591\" rel=\"noopener\" target=\"_blank\">CVE-2026-3591<\/a> (BIND 9), <a href=\"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/ameliabooking\/amelia-booking-912-authenticated-customer-insecure-direct-object-reference-to-arbitrary-user-password-change\" rel=\"noopener\" target=\"_blank\">CVE-2026-2931<\/a> (Amelia Booking plugin), <a href=\"https:\/\/jivasecurity.com\/writeups\/espocrm-rce-cve-2026-33656\" rel=\"noopener\" target=\"_blank\">CVE-2026-33656<\/a> (EspoCRM), <a href=\"https:\/\/kb.isc.org\/docs\/cve-2026-3608\" rel=\"noopener\" target=\"_blank\">CVE-2026-3608<\/a> (Kea), <a href=\"https:\/\/itm4n.github.io\/cve-2026-20817-wersvc-eop\/\" rel=\"noopener\" target=\"_blank\">CVE-2026-20817<\/a> (Microsoft Windows Error Reporting), <a href=\"https:\/\/nvidia.custhelp.com\/app\/answers\/detail\/a_id\/5782\" rel=\"noopener\" target=\"_blank\">CVE-2025-33244<\/a> (NVIDIA Apex), <a href=\"https:\/\/www.synology.com\/en-us\/security\/advisory\/Synology_SA_26_03\" rel=\"noopener\" target=\"_blank\">CVE-2026-32746<\/a> (Synology DiskStation Manager), and <a href=\"https:\/\/www.wordfence.com\/blog\/2026\/03\/800000-wordpress-sites-affected-by-arbitrary-file-read-vulnerability-in-smart-slider-3-wordpress-plugin\/\" rel=\"noopener\" target=\"_blank\">CVE-2026-3098<\/a> (Smart Slider 3 plugin).<\/p>\n<h2 style=\"text-align: left;\"><strong>\ud83c\udfa5 Cybersecurity Webinars<\/strong><\/h2>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udcf0 Around the Cyber World<\/strong><\/h2>\n<ul>\n<li><strong>Fortinet FortiClient EMS Flaw Comes Under Attack <\/strong>\u2014 A recently patched security flaw affecting Fortinet FortiClient EMS has come under active exploitation in the wild as of March 24, 2026. The vulnerability in question is CVE-2026-21643 (CVSS score: 9.1), a critical SQL injection that could allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests. The issue was addressed by Fortinet last month in FortiClient EMS version 7.4.5. \u00abAttackers can smuggle SQL statements through the \u2018Site\u2019-header inside an HTTP request,\u00bb Defused Cyber <a href=\"https:\/\/x.com\/defusedcyber\/status\/2037912573274636781\" rel=\"noopener\" target=\"_blank\">said<\/a>. Nearly 1,000 FortiClient EMS are publicly exposed.<\/li>\n<li><strong>Meta Disrupts Influence Operation Linked to Iran <\/strong>\u2014 Meta <a href=\"https:\/\/therecord.media\/iran-instagram-influence-operation-disrupted\" rel=\"noopener\" target=\"_blank\">said<\/a> it disrupted an influence operation linked to Iran that employed \u00absophisticated fake personas\u00bb on Instagram to build relationships with U.S. users before sending political messaging. The network used accounts posing as journalists, commentators, and ordinary people to engage users and gradually introduce political narratives. A second layer of accounts amplified posts to help spread the messaging.<\/li>\n<li><strong>Armenian National Extradited to U.S. in Connection with RedLine Stealer Operations <\/strong>\u2014 An Armenian national has been extradited to the United States over his alleged role in the administration of the RedLine infostealer malware. Hambardzum Minasyan, per court documents, allegedly developed and managed the stealer, while unnamed conspirators maintained digital infrastructure, including the command-and-control (C2) servers and administrative panels to enable the deployment of the malware by affiliates, and collected payments from the affiliates. \u00abThey allegedly responded to questions and requests from actual and potential RedLine affiliates, conspired with each other and affiliates to steal and possess the financial information, including access devices, of victims, and laundered the proceeds of cybercrime through cryptocurrency exchanges and other means,\u00bb the U.S. Justice Department <a href=\"https:\/\/www.justice.gov\/usao-wdtx\/pr\/armenian-man-extradited-us-faces-charges-role-infostealing-malware-scheme\" rel=\"noopener\" target=\"_blank\">said<\/a>. Minasyan has also been accused of registering two virtual private servers to host portions of RedLine\u2019s infrastructure, as well as two internet domains in support of the scheme, repositories on an online file sharing site to distribute the stealer to affiliates, and registering a cryptocurrency account in November 2021 to receive payments. RedLine Stealer was disrupted in an international law enforcement operation in October 2024. Minasyan has been charged with conspiracy to commit access device fraud, conspiracy to violate the Computer Fraud and Abuse Act, and conspiracy to commit money laundering. If convicted, he faces up to 10 years in prison for access device fraud and up to 20 years in prison for the other two counts. In June 2025, the U.S. Department of State announced a $10 million reward for information on Maxim Alexandrovich Rudometov, who is believed to be the main developer and administrator of RedLine.<\/li>\n<li><strong>Android 17 Beta Gains New Security Features <\/strong>\u2014 To improve security against code injection attacks, Android now <a href=\"https:\/\/android-developers.googleblog.com\/2026\/03\/the-third-beta-of-android-17.html\" rel=\"noopener\" target=\"_blank\">enforces<\/a> that dynamically loaded native libraries must be read-only. If your app targets Android 17 or higher, all native files loaded using System.load() must be marked as read-only beforehand. Another new addition is the support for Post-Quantum Cryptography (PQC) through the new v3.2 APK Signature Scheme. This scheme utilizes a hybrid approach, combining a classical signature with an ML-DSA signature.<\/li>\n<li><strong>China-Linked Actors Deliver Mofu Loader and KIVARS <\/strong>\u2014 In recent months, Chinese-affiliated espionage clusters like DRBControl have <a href=\"https:\/\/sect.iij.ad.jp\/blog\/2025\/12\/mofu-loader-executing-drbcontrol-malware\/\" rel=\"noopener\" target=\"_blank\">employed<\/a> DLL side-loading techniques to deliver <a href=\"https:\/\/blogs.jpcert.or.jp\/en\/2024\/03\/jsac2024day1.html#:~:text=The%20Secret%20Life%20of%20RATs%3A%20Connecting%20the%20Dots%20by%20Dissecting%20Multiple%20Backdoors\" rel=\"noopener\" target=\"_blank\">Mofu Loader<\/a> \u2013 a malware previously attributed to <a href=\"https:\/\/nao-sec.org\/2023\/08\/groundpeony-crawling-with-malice.html\" rel=\"noopener\" target=\"_blank\">GroundPeony<\/a> \u2013 which then drops a C++ backdoor capable of executing commands issued by an attacker-controlled server. Last year, companies and organizations in Japan and Taiwan have also been <a href=\"https:\/\/sect.iij.ad.jp\/blog\/2025\/10\/blacktech-malware-kivars-2025\/\" rel=\"noopener\" target=\"_blank\">targeted<\/a> by variants of a backdoor called <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/17\/f\/following-trail-blacktech-cyber-espionage-campaigns.html\" rel=\"noopener\" target=\"_blank\">KIVARS<\/a>, which is tied to a Chinese hacking group called BlackTech.<\/li>\n<li><strong>Automated Traffic Outpaces Human Traffic <\/strong>\u2014 HUMAN Security found that automated traffic grew eight times faster than human traffic year-over-year. \u00abIn 2025, automated traffic across the internet grew 23.51% year over year, while human traffic increased 3.10% over the same period,\u00bb the company <a href=\"https:\/\/www.humansecurity.com\/learn\/resources\/2026-state-of-ai-traffic-cyberthreat-benchmarks\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. The cybersecurity company noted that its customers experienced more than 400,000 attempted post-login account compromise attacks, more than quadruple that of 2024.<\/li>\n<li><strong>U.S. Accuses China of Backing Scam Compounds <\/strong>\u2014 A senior U.S. official accused Beijing of implicitly backing Chinese criminal syndicates running cyber scam compounds across Southeast Asia. Speaking during a Joint Economic Committee congressional hearing about U.S. efforts to combat digital scams, Reva Price, commissioner with the U.S.-China Economic and Security Review Commission, said links have been unearthed between scam centers and the Chinese government\u2019s Belt and Road Initiative. Chinese criminal syndicates have \u00abinvested in projects linked to China\u2019s Belt and Road Initiative alongside China\u2019s state-owned enterprises,\u00bb she <a href=\"https:\/\/therecord.media\/china-scam-compounds-southeast-asia\" rel=\"noopener\" target=\"_blank\">said<\/a>, adding that they \u00abhave also seen criminal leaders who appear to have gotten a pass by promoting messaging and other activities aligned with Chinese Communist Party priorities.\u00bb Scam centers in Southeast Asia are often operated by Chinese crime syndicates that lure people into the region with enticing job opportunities and coerce them into participating in pig butchering or romance baiting scams by confiscating their passports and subjecting them to torture.<\/li>\n<li><strong>Exploitation Against Oracle WebLogic Servers <\/strong>\u2014 A recently disclosed security flaw in Oracle WebLogic (CVE-2026-21962, CVSS score: 10.0) witnessed automated exploitation attempts almost immediately after public exploit code was released, demonstrating how software flaws are being rapidly weaponized by bad actors. The activity, detected by CloudSEK against its honeypots, also leveraged other WebLogic flaws (CVE-2020-14882, CVE-2020-14883, CVE-2020-2551, and CVE-2017-10271), as well as flaws impacting Hikvision and PHPUnit, indicating a spray and pray approach. \u00abAttackers predominantly utilized rented Virtual Private Servers (VPS) from common hosting providers like DigitalOcean and HOSTGLOBAL.PLUS,\u00bb the company <a href=\"https:\/\/www.cloudsek.com\/blog\/honey-for-hackers-a-study-of-attacks-targeting-the-recent-cve-2026-21962-and-other-critical-weblogic-vulnerabilities-on-a-high-interactive-oracle-honeypot\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abThe overall activity was characterized by high-volume, automated scanning, with tools like libredtail-http and the Nmap Scripting Engine dominating the malicious traffic.\u00bb<\/li>\n<li><strong>Security Flaws in Cisco Catalyst 9300 Series Switches<\/strong> \u2014 Details have emerged about now-patched vulnerabilities in Cisco Catalyst 9300 Series switches (CVE-2026-20110, CVE-2026-20112, CVE-2026-20113, and CVE-2026-20114) that could result in privilege escalation, operational denial-of-service, stored cross-site scripting (XSS), and CRLF injection. \u00abCollectively, these vulnerabilities introduce risks to administrative trust boundaries, service availability, session integrity, and system log reliability \u2013 affecting both operational continuity and security monitoring capabilities,\u00bb OPSWAT <a href=\"https:\/\/www.opswat.com\/blog\/from-privilege-escalation-to-full-denial-of-service-exploit-chain-across-multiple-cves-in-cisco-catalyst-devices-discovered-by-opswat-unit-515\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abCVE-2026-20114 and CVE-2026-20110 are the most operationally impactful when chained. A low-privilege Web UI user can escalate access and invoke a maintenance-mode operation, resulting in full denial of service that may require physical intervention to restore.\u00bb The issues were patched by Cisco last week.<\/li>\n<li><strong>Financial Institution Targeted by BRUSHWORM and BRUSHLOGGER<\/strong> \u2014 A modular backdoor with USB-based spreading capabilities was used in an attack targeting an unnamed South Asian financial institution, according to findings from Elastic Security Labs. The malware, dubbed BRUSHWORM, is one of the two malware components identified in the victim\u2019s infrastructure, the other being a DLL keylogger referred to as BRUSHLOGGER. \u00abBRUSHWORM features anti-analysis checks, AES-CBC encrypted configuration, scheduled task persistence, modular DLL payload downloading, USB worm propagation, and broad file theft targeting documents, spreadsheets, email archives, and source code,\u00bb security researcher Salim Bitam <a href=\"https:\/\/www.elastic.co\/security-labs\/brushworm-targets-financial-services\" rel=\"noopener\" target=\"_blank\">said<\/a>. BRUSHWORM is also responsible for running basic anti-analysis checks, maintaining persistence, command-and-control (C2) communication, and downloading additional modular payloads. BRUSHLOGGER augments the backdoor by capturing system-wide keystrokes via a simple Windows keyboard hook and logging the active window context for each keystroke session. \u00abNeither binary employs meaningful code obfuscation, packing, or advanced anti-analysis techniques,\u00bb Elastic said. \u00abGiven the absence of a kill switch, the use of free dynamic DNS servers in testing versions, and some coding mistakes, we assess with moderate confidence that the author is relatively inexperienced and may have leveraged AI code-generation tools during development without fully reviewing the output.\u00bb<\/li>\n<li><strong>U.K. Sanctions Xinbi<\/strong> \u2014 The U.K.\u2019s Foreign, Commonwealth and Development Office (FCDO) has <a href=\"https:\/\/www.gov.uk\/government\/news\/uk-crackdown-on-vile-scam-centres-steps-up-with-sanctions-on-illicit-crypto-network\" rel=\"noopener\" target=\"_blank\">sanctioned<\/a> Xinbi, a Chinese-language guarantee marketplace <a href=\"https:\/\/search-uk-sanctions-list.service.gov.uk\/designations\/GHR0190\/Entity\" rel=\"noopener\" target=\"_blank\">accused<\/a> of enabling large-scale online fraud and human exploitation by supporting #8 Park (aka Legend Park), an industrial-scale scam compound in Cambodia notorious for large-scale pig butchering scams and forced labor of trafficked workers. The U.K. is the first country to sanction Xinbi. The move is designed to isolate Xinbi from the legitimate crypto ecosystem and disrupt its operations. Xinbi is <a href=\"https:\/\/www.chainalysis.com\/blog\/xinbi-designation-chinese-language-crypto-scam-infrastructure\/\" rel=\"noopener\" target=\"_blank\">estimated<\/a> to have processed over $19.9 billion between 2021 and 2025. \u00abThe platform facilitates everything from \u2018Black U\u2019 money laundering and unlicensed OTC trades to the sale of compromised personal databases and scam infrastructure,\u00bb Chainalysis said. \u00abIn the face of previous takedowns, Xinbi demonstrated significant resilience by rapidly migrating to the SafeW messaging app and launching its own proprietary payment app, XinbiPay. This evolution highlights the challenges around pursuing illicit services as they build custom financial rails to insulate themselves from platform-level disruptions.\u00bb According to a <a href=\"https:\/\/www.elliptic.co\/blog\/8-park-prince-and-huiones-role-in-a-scam-compound-still-operating-amid-crackdowns\" rel=\"noopener\" target=\"_blank\">report<\/a> published by Elliptic last month, #8 Park is linked to a company named Legend Innovation, which, in turn, has ties to Prince Group, whose chairman, Chen Zhi, was arrested and extradited to China in connection with a crackdown on a large-scale fraud operation. #8 Park is also tied to HuiOne Group, with its payment business, HuiOne Pay (later rebranded as H-PAY), which operates a physical store within the compound. There has since been a <a href=\"https:\/\/www.elliptic.co\/blog\/uk-sanctions-xinbi-marketplace-and-entities-connected-to-8-park-in-latest-crackdown-on-illicit-cryptoassets\" rel=\"noopener\" target=\"_blank\">sharp decline<\/a> in incoming payments to merchants operating inside the compound beginning around February 9, 2026, with transactions almost entirely ceasing by February 13.<\/li>\n<li><strong>What is Tsundere?<\/strong> \u2014 <a href=\"https:\/\/www.esentire.com\/blog\/muddywater-apt-tsundere-botnet-etherhiding-the-c2\" rel=\"noopener\" target=\"_blank\">Tsundere<\/a> is a botnet that enables system fingerprinting and arbitrary command execution on victim machines. It\u2019s notable for the use of a technique called EtherHiding to retrieve command-and-control (C2) servers stored in smart contracts on the Ethereum blockchain. The malware is suspected to be a Malware-as-a-Service (MaaS) offering of Russian origin, owing to logic that checks whether the infected host is located in a CIS country, including Ukraine, and terminates execution if so. Most recently, the use of the botnet has been linked to the Iranian state-sponsored actor MuddyWater.<\/li>\n<li><strong>Jailbreaking, a Continued Risk to LLMs<\/strong> \u2014 New research from Palo Alto Networks Unit 42 has uncovered that prompt jailbreaking remains a practical risk to large language models (LLMs) and that a genetic algorithm-based fuzzing approach can be used to generate meaning-preserving prompt variants to trigger policy-violating outcomes against both closed-source and open-weight pre-trained models. \u00abThe broader implication is that guardrails should be treated as probabilistic controls that require continuous adversarial evaluation, not as definitive security boundaries,\u00bb Unit 42 <a href=\"https:\/\/unit42.paloaltonetworks.com\/genai-llm-prompt-fuzzing\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. The findings reinforce that security for LLM applications cannot rely on a single layer, necessitating that organizations define and enforce application scope, use robust, multi-signal content controls, treat user input as untrusted and isolate it from privileged instructions, validate outputs against scope and policy, and monitor for misuse, and apply standard security controls, such as authentication, rate limiting, and and least privilege tool permissions.<\/li>\n<li><strong>SEO Campaign Delivers AsyncRAT<\/strong> \u2014 Since October 2025, an unknown threat actor has been running an <a href=\"https:\/\/www.nccgroup.com\/research\/asyncing-feeling-when-your-download-comes-with-something-extra\/\" rel=\"noopener\" target=\"_blank\">active SEO poisoning campaign<\/a>, using impersonation sites of over 25 popular applications to direct victims to malicious installers, including VLC Media Player, OBS Studio, KMS Tools, and CrosshairX. The campaign uses ScreenConnect, a legitimate remote management tool, to establish initial access and to deliver AsyncRAT. \u00abMost notable in this campaign is the RAT\u2019s added cryptocurrency clipper, dynamic plugin system capable of loading arbitrary capabilities at runtime, and a geo-fencing mechanism that deliberately excludes targets across the Middle East, North Africa, and Central Asia,\u00bb NCC Group said. AsyncRAT has also been delivered as part of a series of attacks on Libyan organizations between November 2025 and February 2026. The attacks targeted an oil refinery, a telecoms organization, and a state institution. \u00abAsyncRAT is a remote access Trojan with a variety of capabilities, including keylogging, screen capture, and remote command execution capabilities, making it ideal for use in intelligence gathering and espionage attacks,\u00bb Symantec and Carbon Black <a href=\"https:\/\/www.security.com\/threat-intelligence\/asyncrat-libya-oil-cyberattack\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abIt is also modular, meaning it can be updated and customized, which is attractive for attackers.\u00bb<\/li>\n<li><strong>Nigerian National Sentenced to 7 Years in Prison<\/strong> \u2014 A Nigerian man has been sentenced to more than seven years in a U.S. prison for his role in a scheme that broke into business email accounts and tricked victims into sending millions of dollars to fraudulent bank accounts. James Junior Aliyu, 31, received a 90-month prison sentence for conspiracy to commit wire fraud and money laundering. The court also ordered Aliyu to forfeit $1.2 million and repay nearly $2.39 million to the victims. Aliyu, who pleaded guilty in August 2025, acknowledged that he conspired with others, including Kosi Goodness Simon-Ebo, 31, and Henry Onyedikachi Echefu, 34, to deceive and defraud multiple American victims from February 2017 until at least July 2017. The business email compromise scheme targeted American businesses and individuals by compromising email accounts and sending false wiring instructions to deceive victims into sending money to bank accounts under their control. \u00abAliyu and his accomplices conspired to commit money laundering by disbursing the fraudulently obtained funds in the drop accounts to other accounts,\u00bb the U.S. Justice Department <a href=\"https:\/\/www.justice.gov\/usao-md\/pr\/nigerian-national-sentenced-his-role-multi-million-dollar-business-email-compromise\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abCo-conspirators moved the stolen money by initiating account transfers, withdrawing cash, and obtaining cashier\u2019s checks. They also wrote checks to other individuals and entities to hide the true ownership and source of these assets. In total, Aliyu and his co-conspirators attempted to defraud victims of at least $10.4 million, and the victims suffered an actual loss of at least $2,389,130.\u00bb<\/li>\n<li><strong>Sensor Technology to Combat Deepfakes<\/strong> \u2014 Researchers at ETH Z\u00fcrich have developed a sensor system that stamps a cryptographic signature onto images, video, and audio within a sensor chip at the exact moment they are captured, making it impossible to tamper with the data without being detected. \u00abIf the signatures are uploaded to a public ledger (e.g., a blockchain), anyone can verify the authenticity of videos and other data,\u00bb ETH Z\u00fcrich <a href=\"https:\/\/ethz.ch\/en\/news-and-events\/eth-news\/news\/2026\/03\/chips-designed-to-help-identify-deepfakes.html\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abThe technology can, in principle, be integrated into any type of sensor or camera. It would then be possible to identify manipulated content on online platforms with minimal effort.\u00bb<\/li>\n<li><strong>Middle East Conflict Fuels Cyber Attacks<\/strong> \u2014 Threat actors have been <a href=\"https:\/\/www.cyfirma.com\/research\/operation-false-siren-android-spyware-campaign\/\" rel=\"noopener\" target=\"_blank\">capitalizing<\/a> on geopolitical tensions in the Middle East region to spread Android spyware by distributing trojanized versions of <a href=\"https:\/\/www.cloudsek.com\/blog\/redalert-trojan-campaign-fake-emergency-alert-app-spread-via-sms-spoofing-israeli-home-front-command\" rel=\"noopener\" target=\"_blank\">Israel\u2019s Red Alert apps<\/a> via SMS phishing messages. The espionage campaign has been codenamed Operation False Siren by CYFIRMA. ZIP archives containing lures related to the conflict are also <a href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/middle-east-conflict-fuels-opportunistic-cyber-attacks\" rel=\"noopener\" target=\"_blank\">being used<\/a> to launch malicious payloads that lead to the deployment of PlugX and LOTUSLITE backdoors. These ZIP-based phishing campaigns have been attributed to a Chinese nation-state actor known as <a href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/china-nexus-threat-actor-targets-persian-gulf-region-plugx\" rel=\"noopener\" target=\"_blank\">Mustang Panda<\/a>. Elsewhere, an Iran-themed fake news blog site hosting malicious JavaScript has been found, leading to the deployment of StealC malware.<\/li>\n<li><strong>Apple Tests Ways to Block Malicious Copy-Pastes in macOS<\/strong> \u2014 With the release of macOS 26.4 last week, Apple has introduced a new feature that warns Mac users if they paste harmful commands in the Terminal app to curb ClickFix-style attacks that have increasingly targeted macOS in recent months. \u00abScammers often encourage pasting text into Terminal to try and harm your Mac or compromise your privacy,\u00bb the message <a href=\"https:\/\/www.macrumors.com\/2026\/03\/25\/macos-26-4-terminal-security-feature\/\" rel=\"noopener\" target=\"_blank\">reads<\/a>. \u00abThese instructions are commonly offered via websites, chat agents, apps, files, or a phone call.\u00bb The alert comes with a \u00abPaste Anyway\u00bb for those who wish to proceed. The disclosure comes as multiple <a href=\"https:\/\/www.todyl.com\/blog\/clickfix-evolution-copy-paste-social-engineering\" rel=\"noopener\" target=\"_blank\">ClickFix campaigns<\/a> have come to light, including using a Cloudflare-themed verification page to deliver a Python-based macOS stealer dubbed <a href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intel\/2026\/03\/infiniti-stealer-a-new-macos-infostealer-using-clickfix-and-python-nuitka\" rel=\"noopener\" target=\"_blank\">Infiniti Stealer<\/a>. A similar Cloudflare verification, but for Windows, has been <a href=\"https:\/\/www.levelblue.com\/blogs\/spiderlabs-blog\/fake-captcha-campaign-inside-a-multi-stage-stealer-assault\" rel=\"noopener\" target=\"_blank\">used<\/a> to launch PowerShell commands that ultimately drop StealC, Lumma, Rhadamanthys, Vidar Stealer, and Aura Stealer malware. The ClickFix strategy has also been adopted by a traffic distribution system known as <a href=\"https:\/\/www.levelblue.com\/blogs\/spiderlabs-blog\/kongtuke-a-king-among-threat-groups\" rel=\"noopener\" target=\"_blank\">KongTuke<\/a> to redirect visitors of compromised WordPress websites to phishing pages and malware payloads. According to eSentire, ClickFix lures have been used to deliver EtherRAT, a Node.js-based backdoor linked to North Korean threat actors. \u00abEtherRAT allows threat actors to run arbitrary commands on compromised hosts, gather extensive system information, and steal assets such as cryptocurrency wallets and cloud credentials,\u00bb the Canadian security company <a href=\"https:\/\/www.esentire.com\/blog\/etherrat-sys-info-module-c2-on-ethereum-etherhiding-target-selection-cdn-like-beacons\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abCommand-and-Control (C2) addresses are retrieved using \u2018EtherHiding,\u2019 a technique to make C2 addresses more resilient by storing and updating them in Ethereum smart contracts, allowing threat actors to rotate infrastructure at a small cost and avoid takedowns by law enforcement.\u00bb Recorded Future said it has identified five distinct clusters leveraging ClickFix to facilitate initial access to Windows and macOS systems since May 2024. \u00abThis indicates that the ClickFix methodology has transitioned into a standardized, high-ROI template adopted across a fragmented ecosystem of threat actors,\u00bb Insikt Group <a href=\"https:\/\/www.recordedfuture.com\/research\/clickfix-campaigns-targeting-windows-and-macos\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abWhile visually diverse, all analyzed clusters use a consistent execution framework that bypasses traditional browser security controls by shifting the point of exploitation to user-assisted manual commands. These campaigns target a wide variety of sectors, including accounting (QuickBooks), travel (Booking.com), and system optimization (macOS).\u00bb<\/li>\n<li><strong>Apple Rolls Out Mandatory Age Verification in U.K.<\/strong> \u2014 In more Apple news, the tech giant has <a href=\"https:\/\/support.apple.com\/en-gb\/125662\" rel=\"noopener\" target=\"_blank\">rolled out<\/a> mandatory U.K. age verification with iOS 26.4, requiring users to provide a credit card or ID to confirm if they are an adult before \u00abdownloading apps, changing certain settings, or taking other actions with your Apple Account.\u00bb The move comes at a time when online child safety is increasingly drawing attention from regulators, causing many digital services, including social media apps and porn sites, to roll out similar checks. Discord, which announced plans to verify the ages of all its users last month, has since <a href=\"https:\/\/discord.com\/blog\/getting-global-age-assurance-right-what-we-got-wrong-and-whats-changing\" rel=\"noopener\" target=\"_blank\">paused the effort<\/a> until H2 2026 after concerns were raised about how IDs and personal information would be handled. Discord has reiterated that it does not receive any identifying personal information from users who need to manually verify their age. Instead, it is partnering with third-party age verification companies, who will \u00abhandle verification and only pass back your age group.\u00bb The company also <a href=\"https:\/\/arstechnica.com\/tech-policy\/2026\/02\/discord-and-persona-end-partnership-after-shady-uk-age-test-sparks-outcry\/\" rel=\"noopener\" target=\"_blank\">said<\/a> it\u2019s no longer working with age verification vendor Persona, which has attracted criticism over allegations that it <a href=\"https:\/\/thelocalstack.eu\/posts\/linkedin-identity-verification-privacy\/\" rel=\"noopener\" target=\"_blank\">shared users\u2019 data with other companies<\/a> and <a href=\"https:\/\/www.therage.co\/persona-age-verification\/\" rel=\"noopener\" target=\"_blank\">left its frontend source code<\/a> exposed to the internet.<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udd27 Cybersecurity Tools<\/strong><\/h2>\n<ul>\n<li><a href=\"https:\/\/github.com\/zast-ai\/openclaw-security\" rel=\"noopener\" target=\"_blank\">OpenClaw Security Handbook<\/a> \u2192 It is a detailed security guide published by ZAST AI for users of OpenClaw, a multi-channel AI gateway that connects messaging platforms, LLMs, and local system capabilities. Because that combination creates a serious attack surface, the handbook covers the real risks \u2014 prompt injection, malicious skills, exposed ports, credential theft \u2014 backed by documented incidents and CVEs, with practical configuration guidance for locking it down.<\/li>\n<li><a href=\"https:\/\/github.com\/vulhunt-re\/vulhunt\" rel=\"noopener\" target=\"_blank\">VulHunt<\/a> \u2192 It is an open-source framework from Binarly\u2019s research team for hunting vulnerabilities in software binaries and UEFI firmware. It uses customizable rulepacks for scanning and can connect to Binarly\u2019s Transparency Platform for large-scale triage. It also supports running as an MCP server, letting AI assistants interact with it directly.<\/li>\n<\/ul>\n<p><em>Disclaimer: For research and educational use only. Not security-audited. Review all code before use, test in isolated environments, and ensure compliance with applicable laws.<\/em><\/p>\n<h2 style=\"text-align: left;\"><strong>Conclusion<\/strong><\/h2>\n<p>That\u2019s the week. Some of it will age well, some of it is already being quietly exploited while you\u2019re reading this sentence.<\/p>\n<p>The through-line, if there is one: patience. Attackers are playing long games. The detections, the arrests, the patches \u2014 they matter, but they\u2019re almost always trailing. Stay sharp, check the CVE list, and see you next Monday.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Some weeks are loud. This one was quieter but not in a good way. Long-running operations are finally hitting courtrooms, old attack methods are showing up in new places, and research that stopped being theoretical right around the time defenders stopped paying attention. There\u2019s a bit of everything this week. Persistence plays, legal wins, influence [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25,5],"tags":[1403,11,1399,1404,24,1401,1400,450,1398,1397,1402],"class_list":["post-404","post","type-post","status-publish","format-standard","hentry","category-noticias","category-trending","tag-age","tag-apple","tag-cells","tag-checks","tag-cyberdefensa-mx","tag-forces","tag-jailbreaks","tag-llm","tag-sleeper","tag-telecom","tag-u-k"],"_links":{"self":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts\/404","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/comments?post=404"}],"version-history":[{"count":0,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts\/404\/revisions"}],"wp:attachment":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/media?parent=404"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/categories?post=404"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/tags?post=404"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}