US Warns of Iranian APTs on Critical Infrastructure; APT28 Hijacks Routers and Deploys New Malware

Cisco Talos Uncovers 'LucidRook' Malware Targeting Taiwanese NGOs and Universities via Spear-Phishing

Security researchers at Cisco Talos have discovered a new, sophisticated malware family named 'LucidRook' used in targeted spear-phishing campaigns. Attributed to a threat cluster known as UAT-10362, the attacks primarily target non-governmental organizations (NGOs) and universities in Taiwan. LucidRook is a complex stager delivered as a DLL that embeds a Lua interpreter and Rust-compiled libraries. It uses a dropper component, 'LucidPawn,' which performs an anti-analysis check to ensure it only runs on systems configured for the Traditional Chinese language. The malware downloads and executes Lua bytecode payloads from a C2 server, and is accompanied by a reconnaissance tool called 'LucidKnight' used for initial system profiling.

LuaRustSpear-phishingStagerEspionage

4 min read

Malware

Cyberattack

APT28 'FrostArmada' Campaign Hijacks SOHO Routers for Global DNS Espionage

Russian APT28 Linked to 'FrostArmada' Campaign Compromising MikroTik and TP-Link Routers for DNS Hijacking

The Russian-linked threat group APT28 (aka Forest Blizzard) has been identified as the actor behind 'FrostArmada,' a large-scale cyber espionage campaign compromising insecure Small Office/Home Office (SOHO) routers. According to Lumen's Black Lotus Labs and Microsoft, the campaign, active since at least May 2025, exploits vulnerable MikroTik and TP-Link routers. The attackers modify the devices' DNS settings to redirect traffic from victims—including government agencies and cloud service users—to attacker-controlled infrastructure. This allows for passive credential harvesting and data collection. At its peak, the campaign's infrastructure communicated with over 18,000 IPs across 120 countries before being disrupted by a law enforcement operation.

SOHORouterDNS HijackingCyber EspionageMan-in-the-Middle

APT28 'FrostArmada' Campaign Hijacks SOHO Routers for Global DNS Espionage

Cyberattack

Singapore's CSA Issues Advisory on Securing Software Supply Chains

INFORMATIONAL

Cyber Security Agency of Singapore (CSA) Warns of Rising Software Supply Chain Threats

The Cyber Security Agency of Singapore (CSA) has published an advisory on the increasing threat of software supply chain attacks. The guidance warns that threat actors are targeting third-party software dependencies and automated development pipelines to compromise internal corporate systems. The CSA highlights that a single compromised tool can grant attackers deep access, leading to data theft and operational downtime. The advisory cites recent incidents like the hijacking of the popular 'Axios' npm package as examples of this growing threat. The CSA urges organizations to enforce strict governance over development environments, identify dependencies, and have incident response plans ready.

Supply Chain SecurityDevSecOpsSBOMnpmOpen Source

Singapore's CSA Issues Advisory on Securing Software Supply Chains

Supply Chain Attack

Policy and Compliance

Regulatory

Southern Illinois Dermatology Breach Exposes Data of Over 150,000 Patients

'Insomnia' Threat Group Leaks Data of 150,000+ Patients After Southern Illinois Dermatology Breach

Southern Illinois Dermatology has started notifying patients of a data breach that occurred in November 2025. An unauthorized party gained access to its network and exfiltrated files containing patient data, including names, Social Security numbers, and medical information. The 'Insomnia' threat group has claimed responsibility for the attack, alleging they stole data from over 150,000 patients. The group has since followed through on its threats by leaking the entire stolen dataset on its data leak site, amplifying the impact on affected individuals.

Data LeakDouble ExtortionHealthcareHIPAAPII +1 more

Southern Illinois Dermatology Breach Exposes Data of Over 150,000 Patients

Data Breach

Ransomware

Samsung's April 2026 Patch Fixes 47 Vulnerabilities in Galaxy Devices

MEDIUM

Samsung Details April 2026 Security Update, Addressing 47 Flaws in Galaxy Phones, Tablets, and Wearables

Samsung has released its April 2026 security patch, which addresses a total of 47 vulnerabilities affecting its Galaxy line of smartphones, tablets, and wearables. The update is a combination of patches from Google and Samsung itself. It includes 33 fixes from Google's Android Security Bulletin, 14 of which are rated critical. Additionally, Samsung has included 14 of its own Samsung Vulnerabilities and Exposures (SVEs), addressing high-severity flaws in both its software and underlying semiconductor firmware. Users are advised to install the update as soon as it becomes available for their device and region.

SamsungAndroidMobile SecurityPatch TuesdayVulnerability

3 min read

Samsung's April 2026 Patch Fixes 47 Vulnerabilities in Galaxy Devices

Patch Management

Mobile Security

Vulnerability

US Data Breach Costs Hit Record $10.2M, Fueled by AI and Supply Chain Attacks

INFORMATIONAL

Chubb Report: Average US Data Breach Cost Soars to $10.2 Million, Driven by AI Weaponization and Supply Chain Failures

A new report from insurance provider Chubb reveals that the average cost of a data breach in the United States has reached a record high of $10.2 million, more than double the global average. The 2026 Cyber Claims Report identifies three key drivers for this surge: the weaponization of Artificial Intelligence (AI) by cybercriminals, an increase in immediate litigation following breach announcements, and the cascading impact of software supply chain compromises. The report notes that hostile AI is being used for self-rewriting malware and deepfake-based social engineering, while supply chain issues are now seen as the top cyber challenge by 65% of large companies.

Data Breach CostCyber InsuranceAISupply ChainLitigation

US Data Breach Costs Hit Record $10.2M, Fueled by AI and Supply Chain Attacks

Policy and Compliance

Threat Intelligence

Data Breach

Updated Articles (3)

TeamPCP's Sophisticated Supply Chain Attack on Trivy and LiteLLM Hits 1,000+ SaaS Environments

CRITICAL

Massive Supply Chain Attack by TeamPCP Compromises Trivy Scanner, Spreads to LiteLLM and Checkmarx

Update:

Technology giant Cisco has confirmed it was impacted by the TeamPCP supply chain attack, which leveraged the compromised Trivy scanner. Attackers used a malicious GitHub Action to pivot into Cisco's internal development environment, resulting in the theft of source code and AWS cloud credentials. This led to unauthorized activities in a limited number of Cisco's AWS accounts. The incident highlights the severe downstream impact of the initial Trivy compromise, demonstrating how a single compromised tool can unravel the security of dependent organizations. Cisco has responded by isolating affected systems, reimaging workstations, and rotating all compromised credentials.

March 25, 2026

Updated: April 8, 2026

6 min read

CI/CD SecurityTag PoisoningInfostealerGitHub ActionsPyPI +1 more

Supply Chain Attack

Malware

HandalaIranhacktivismStrykerhealthcare +1 more

Pro-Iranian Hacktivists "Handala" Claim Attack on US Medical Tech Firm Stryker

MEDIUM

Pro-Iranian Hacking Group Handala Targets US Medical Tech Company Stryker Amidst Wave of Attacks on Healthcare

Update:

The pro-Iranian hacktivist group Handala has dramatically intensified its cyber campaign, evolving from primarily web defacements and DoS attacks to employing more destructive tactics. According to Bitdefender, Handala claimed 23 ransomware victims in March 2026 alone, a significant increase in activity. Their updated playbook now includes ransomware, data wiping, doxxing, and even threats of physical violence, targeting organizations in both Israel and the United States. This escalation indicates a more sophisticated and impactful threat actor than previously observed, moving beyond 'low-impact' disruption to cause significant operational and data privacy damage.

March 29, 2026

Updated: April 8, 2026

4 min read

Pro-Iranian Hacktivists "Handala" Claim Attack on US Medical Tech Firm Stryker

Cyberattack

Threat Intelligence

Healthcare IT Firm CareCloud Probes Patient Data Access in EHR Breach