Chrome Zero-Day Under Active Attack as Supply Chain Threats Hit Axios and TrueConf

Chinese APT TA416 (Mustang Panda) Targets European Governments with Evolving Malware Delivery Tactics

The Chinese state-sponsored threat group TA416, also known as Mustang Panda, has resumed its cyber-espionage operations against European government and diplomatic entities, including EU and NATO missions. According to Proofpoint, the group has been active since mid-2025, using evolving tactics to deliver its signature PlugX malware. Attack methods have included spoofed Cloudflare Turnstile pages, abuse of Microsoft Entra ID applications, and malicious archives containing a renamed MSBuild executable. The campaigns leverage phishing links distributed via compromised and newly created email accounts to deliver malware hosted on legitimate cloud services like Google Drive and Azure Blob Storage.

APTMustang PandaTA416Chinaespionage +2 more

Chinese APT Mustang Panda Renews Espionage Campaign Against European Governments

Phishing

Microsoft Warns of Social Engineering Campaign Abusing WhatsApp for Windows

MEDIUM

Microsoft Uncovers Social Engineering Campaign Targeting WhatsApp for Windows Users with VBScript Malware

Microsoft has issued a warning about an ongoing social engineering campaign targeting users of the WhatsApp desktop application on Windows. Attackers send malicious Visual Basic Script (`.vbs`) files disguised as legitimate attachments. Once executed, the script uses 'living off the land' (LOTL) techniques, copying and renaming legitimate Windows tools to download and execute remote access software. The malware also attempts to bypass User Account Control (UAC) and establishes persistence through registry modifications, giving attackers full control over the victim's machine. This attack does not exploit a software vulnerability but relies entirely on tricking the user.

social engineeringWhatsAppVBScriptmalwareLOTL +1 more

Microsoft Warns of Social Engineering Campaign Abusing WhatsApp for Windows

Phishing

Malware

Cisco Patches Critical Unauthenticated RCE Flaw in Smart Software Manager

CRITICAL

Cisco Patches Critical 9.8 CVSS RCE Vulnerability (CVE-2026-20160) in SSM On-Prem

Cisco has released a security patch for a critical vulnerability, CVE-2026-20160, in its Smart Software Manager On-Prem (SSM On-Prem) product. The flaw, which has a CVSS score of 9.8, could allow an unauthenticated, remote attacker to execute arbitrary commands with root privileges on the underlying operating system. The vulnerability is due to insufficient access control on a specific API. An attacker can exploit it by sending a crafted HTTP request. Cisco has released software updates and confirms there are no workarounds. The company's PSIRT is not aware of any malicious exploitation of this flaw, which was discovered during internal security testing.

CiscovulnerabilityRCEcriticalpatch management +1 more

Cisco Patches Critical Unauthenticated RCE Flaw in Smart Software Manager

Vulnerability

Patch Management

North Dakota Water Treatment Plant Hit by Ransomware, Reverts to Manual Operations

Ransomware Attack on North Dakota Water Treatment Plant Forces 16-Hour Manual Operation

A water treatment facility in Minot, North Dakota, serving approximately 80,000 people, was hit by a ransomware attack in March 2026. The attack compromised the plant's Supervisory Control and Data Acquisition (SCADA) system, forcing operators to shut it down and revert to manual processes for about 16 hours. City officials confirmed the incident, emphasizing that the water supply remained safe throughout. A ransomware note was found, but no specific demand was made, and no ransom was paid. The plant is currently using a backup server while a new, more secure system is prepared. The incident highlights the growing cyber threats targeting U.S. critical infrastructure.

ransomwareICSOTSCADAcritical infrastructure +1 more

Ransomware

Industrial Control Systems

AI Now Leading Source of Friction for CISOs in Retail and Hospitality, Report Finds

INFORMATIONAL

AI Surpasses Ransomware as Top Cybersecurity Concern for Retail and Hospitality CISOs

A new CISO Benchmark Report from the Retail & Hospitality ISAC (RH-ISAC) and IANS reveals a significant shift in the threat landscape: Artificial Intelligence is now the top concern for security leaders in these sectors. 71% of surveyed CISOs identified AI as a primary source of friction, placing it ahead of traditional threats like ransomware and phishing. Key risks associated with AI include data leakage, insider misuse, and inadequate governance. While AI is also driving investment in security operations for improved threat detection, its rapid adoption is creating new and complex challenges for cybersecurity teams.

AIartificial intelligenceCISOcybersecurity riskdata leakage +2 more

AI Now Leading Source of Friction for CISOs in Retail and Hospitality, Report Finds

Policy and Compliance

Threat Intelligence

Iranian Hackers Launch Coordinated Password Spray Attacks on Middle East

Iranian APT Gray Sandstorm Linked to Password Spray Attacks Supporting Kinetic Operations in Middle East

The Iranian APT group Gray Sandstorm is suspected of conducting a large-scale password spray campaign against government and private sector organizations in Israel and the UAE. According to Check Point researchers, the cyberattacks, which began in early March 2026, targeted Microsoft 365 accounts and appear to be coordinated with physical military operations. The timing and targeting of municipalities responsible for damage response suggest the attacks were intended to support kinetic missile and drone strikes, likely for intelligence gathering and Bombing Damage Assessment (BDA). This campaign exemplifies the use of cyber operations in modern hybrid warfare.

password sprayGray SandstormIranAPTMicrosoft 365 +1 more

Iranian Hackers Launch Coordinated Password Spray Attacks on Middle East

Phishing

Updated Articles (3)

TeamPCP's Supply Chain Attack Cascade Hits LiteLLM, Stealing AI Credentials

CRITICAL

Multi-Stage Supply Chain Attack by TeamPCP Compromises Trivy, Checkmarx, and LiteLLM

Update:

AI recruiting firm Mercor has confirmed it was impacted by the LiteLLM supply chain attack. Malicious versions 1.82.7 and 1.82.8 of LiteLLM were briefly available on March 27, during which Mercor's systems were compromised. The notorious Lapsus$ group has since claimed responsibility for stealing over 4 terabytes of data from Mercor and listed the company on its data leak site, indicating an extortion attempt. This development significantly increases the real-world severity and impact of the previously reported LiteLLM compromise, highlighting the cascading risks of supply chain vulnerabilities and the involvement of high-profile extortion groups.

March 26, 2026

Updated: April 2, 2026

supply chainPyPIGitHub ActionsCI/CDcredential theft +2 more

Supply Chain Attack

Malware

Chinese-Nexus Actor Exploits TrueConf Zero-Day in "TrueChaos" Campaign

CRITICAL

TrueConf Zero-Day (CVE-2026-3502) Exploited in 'TrueChaos' Campaign Targeting Governments

Update:

New analysis from Check Point attributes the 'Operation TrueChaos' campaign, exploiting CVE-2026-3502 in TrueConf, to a Chinese-nexus APT group. The updated report provides a refined attack chain, including a user prompt for malicious updates, and incorporates specific D3FEND techniques for network traffic analysis, endpoint analysis, and server integrity monitoring for enhanced detection. Mitigation strategies now explicitly include network isolation and application control, reinforcing the importance of updating TrueConf clients to version 8.5.3.

March 30, 2026

Updated: April 2, 2026

zero-daycvetrueconftruechaosapt +3 more

Chinese-Nexus Actor Exploits TrueConf Zero-Day in "TrueChaos" Campaign

Vulnerability

European Commission Confirms Data Breach After ShinyHunters Claims 350GB Theft

ShinyHunters Hacking Group Claims Massive Data Breach at European Commission, Allegedly Stealing 350GB from Europa.eu Portal

Update:

The European Commission's data breach by ShinyHunters is further substantiated by the group's release of screenshots, purportedly showing employee data and access to an email server. This new evidence reinforces the extent of the 350GB data theft from the EC's AWS environment hosting the Europa.eu portal. The incident follows a separate recent compromise of the Commission's mobile device management system, highlighting ongoing security challenges for the institution as it investigates the latest breach.

April 1, 2026

Updated: April 2, 2026

ShinyHuntersData BreachEuropean CommissionAWSCloud Security +2 more

Data Breach