Palo Alto Networks Zero-Day Under Active Attack; DAEMON Tools Hit by Major Supply Chain Compromise

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is reportedly evaluating a significant policy change to reduce the mandatory remediation time for critical vulnerabilities in its Known Exploited Vulnerabilities (KEV) Catalog from 14 days to 72 hours for federal agencies. This drastic proposal is directly motivated by growing concerns that advanced AI models, such as Anthropic's 'Claude Mythos', will dramatically shorten the window between vulnerability disclosure and widespread exploitation. The move aims to force federal defenses to keep pace with anticipated AI-driven offensive capabilities, though feasibility concerns exist regarding rapid deployment and testing in complex government systems.

The China-linked Silver Fox APT has expanded its cyber-espionage campaign, now targeting organizations in India and Russia since December 2025. This new wave utilizes regionally-timed, tax-themed phishing lures to deliver the known ValleyRAT and a newly identified Python-based backdoor, 'ABCDoor'. Attackers employ varied initial access methods, including RAR archives with executables for India and PDF attachments with external links to ZIP archives for Russia, often using the RustSL loader. The campaign has broadly targeted industrial, consulting, retail, and transportation sectors, with over 1,600 phishing emails sent in early 2026, indicating a significant increase in scope and sophistication.

The CloudZ RAT campaign, which abuses Microsoft Phone Link to steal SMS and OTPs, has been active since at least January 2026. Further analysis reveals the CloudZ RAT employs advanced anti-analysis features, including in-memory execution and sandbox detection (T1497), to evade discovery. The Pheno plugin specifically targets `PhoneExperiences-*.db` files on Windows 10 and 11 PCs. This update provides a more precise timeline and additional technical insights into the malware's evasion techniques and targeted files, reinforcing the need for robust MFA beyond SMS.

Microsoft's Q1 2026 threat analysis provides broader context for this campaign, reporting a total of 8.3 billion email-based phishing threats. The report highlights that nearly 80% of all email threats were link-based credential phishing, while malware delivery declined to 5-6%. It also noted the rapid rise of QR code phishing (quishing) and the continued resilience of Phishing-as-a-Service (PhaaS) platforms, with operators like Tycoon 2FA adapting tactics to evade defenses. This underscores the persistent and evolving nature of email-based attacks.