Executive Summary -
Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
Palo Alto Networks Patches Information Disclosure Vulnerability CVE-2026-0231 Affecting Cortex XDR Broker VM - On 12 March 2026, Palo Alto Networks patched an information disclosure vulnerability tracked as CVE-2026-0231, affecting Cortex XDR Broker VM versions 30.0.48 and earlier. Exploitation could allow authenticated threat actors to obtain and modify sensitive information by triggering a live terminal session via the Cortex user interface and altering configuration settings. At the time of writing, there are no reports of this vulnerability being exploited in the wild.
To mitigate the risk of exploitation, Palo Alto recommends updating the Cortex XDR Broker VM to version 30.0.49 or later.
Veeam Patches Critical RCE Vulnerabilities in Veeam Backup & Replication - On 12 March 2026, Veeam patched and disclosed five vulnerabilities in Veeam Backup & Replication, affecting versions 12.3.2.4165 and earlier builds of version 12. These vulnerabilities were addressed in version 12.3.2.4465. At the time of writing, there are no known cases of active exploitation.
The vulnerabilities include two critical-severity issues, CVE-2026-21666 and CVE-2026-21667, which could allow threat actors to execute arbitrary code remotely on Backup Servers. CVE-2026-21668 and CVE-2026-21672 are high-severity vulnerabilities that could let threat actors bypass access controls to modify files on Backup Repositories or escalate local privileges on Windows-based servers. Finally, CVE-2026-21708 is a critical-severity issue that could allow remote execution of arbitrary code as the postgres user.
Sonos Patches CVE-2026-4149 in Era300 Devices - On 16 March 2026, the Zero Day Initiative published details of CVE-2026-4149, a critical-severity vulnerability affecting the Sonos Era300. The issue arises from improper validation of the DataOffset field in SMB responses, which can lead to out-of-bounds memory access. Successful exploitation could allow threat actors to execute arbitrary code at the kernel level without authentication.
Sonos addressed the vulnerability by releasing version 83.1-61240 for Era300 devices.
Potential Threats
Threat Actor Storm-2561 Uses SEO Poisoning to Distribute Trojanized VPN Clients that Harvest Enterprise Credentials - On 12 March 2026, Microsoft reported that the threat actor group Storm-2561 had been conducting a credential theft campaign since mid-January 2026. The campaign involved distributing trojanised enterprise VPN clients via search engine optimisation (SEO) poisoning, redirecting users searching for legitimate VPN software to fake vendor websites that delivered information-stealing malware designed to harvest VPN credentials.
The attack began when users clicked search results leading to spoofed VPN download domains, which redirected victims to a GitHub repository containing a ZIP archive with a malicious Microsoft Windows Installer (MSI) file posing as a legitimate VPN client. The MSI, signed with a certificate issued to Taiyuan Lihua Near Information Technology Co., Ltd. (later revoked), installed a fake Pulse Secure client in a directory mimicking the legitimate path (%CommonFiles%\Pulse Secure) and dropped the DLL files dwmapi.dll and inspector.dll. The fake client presented a spoofed login interface to capture credentials, while dwmapi.dll loaded shellcode that executed inspector.dll, a Hyrax infostealer variant. The malware accessed VPN configuration data from C:\ProgramData\Pulse Secure\ConnectionStore\connectionstore.dat and established persistence by adding Pulse.exe to the RunOnce registry key to run after system reboot.
ForceMemo Campaign Compromises GitHub Python Repositories via GlassWorm - On 14 March 2026, StepSecurity reported an ongoing campaign dubbed “ForceMemo” that had compromised hundreds of GitHub accounts to inject identical malware into Python repositories via force-push. The affected projects included Django applications, machine learning research code, Streamlit dashboards, and packages installable directly from GitHub. Users who ran pip install from a compromised repository, or cloned and executed the modified code, would inadvertently trigger the malware.
The campaign began with account takeovers driven by “GlassWorm” infections delivered through malicious VS Code and Cursor extensions. The stage-three GlassWorm payload harvested GitHub tokens from git credential storage, VS Code extensions, ~/.git-credentials, and the GITHUB_TOKEN environment variable. Threat actors then rebased the latest legitimate commit on each default branch, appended obfuscated Python malware to prominent files such as setup.py, main.py, app.py, manage.py, and app/__init__.py, and force-pushed the changes while preserving the original commit metadata. The malware used base64 decoding, zlib decompression, and XOR decryption to unpack a second stage, skipped execution on Russian systems, queried a Solana wallet for JSON payload URLs, downloaded Node.js v22.9.0, retrieved an AES-encrypted JavaScript payload, executed it, and established persistence via ~/init.json and an i.js loader. StepSecurity identified more than 240 compromised repositories across numerous accounts, confirming ForceMemo as a GlassWorm-linked supply chain attack targeting Python maintainers and downstream users.
Cisco-Impersonating Phishing Campaign Uses Redirect Chain to Steal Microsoft 365 Credentials - On 16 March 2026, Outpost24 reported that its threat intelligence team had identified a multistage phishing campaign targeting a European security vendor while impersonating Cisco infrastructure. The attack began with a phishing email purporting to be from JP Morgan, designed to appear as part of an existing email thread to entice the recipient to review and sign a document. The message was DKIM-signed by em.37nmtc.com and carried an Amazon SES-associated signature, allowing it to pass DMARC validation despite lacking a valid SPF record.
The phishing chain routed victims through multiple redirects, combining trusted services with compromised or attacker-controlled infrastructure. The initial lure directed users to a secure-web.cisco.com URL, which then redirected through tracking.us.nylas.com to a decoy PDF hosted on infra.infratechcorpsolutionllp.com. From there, victims were redirected to www-0159.com, a recently re-registered domain, before finally arriving at tradixyu.cfd. The final stage, hosted behind Cloudflare, required a human-validation step to evade automated analysis, then presented a convincing fake Microsoft 365 login page with a realistic Outlook-style animation to capture credentials. Outpost24 noted that the campaign’s layered redirects, anti-analysis controls, high-fidelity brand impersonation, and operator-friendly features were consistent with the Kratos phishing-as-a-service kit, though no definitive actor attribution was provided.
General News
UK plans to shift fraud fight onto telecoms, tech companies - The British government on Monday unveiled a new fraud strategy that shifts more responsibility for preventing scams onto telecom companies, technology platforms, and financial firms, though critics question whether the measures go far enough. Fraud is now the most common crime in the United Kingdom, accounting for roughly 40% of recorded offences in England and Wales, with more than two-thirds of these cases being cyber-enabled. Millions of incidents are reported annually, affecting about 7% of adults and a quarter of all businesses. Critics have long argued that government efforts have lagged behind the scale of the problem, with the Treasury Committee noting in 2022 that fraud accounted for 40% of crime but received only 2% of police funding. Industry voices, including Bernadette Smith of Starling Bank, have called the new plan “disappointing,” arguing that major platforms are still not required to take sufficient responsibility for scams occurring on their services.
A central element of the strategy is the creation of an Online Crime Centre, described as a “disruption hub” to target infrastructure used by organised fraud networks. Backed by more than £30 million and expected to launch next month, the centre will bring together government agencies, including the National Crime Agency and GCHQ, alongside financial, telecom, and technology companies. The unit will share data to identify and disable accounts, websites, and phone numbers used by criminal groups, including blocking scam messages, freezing accounts, and removing fraudulent social media profiles. Officials emphasise the need for rapid, automated information sharing, as much of the fraud targeting Britain originates overseas. While the strategy stops short of imposing new legal obligations, it proposes voluntary cooperation with industry, a national system to trace scam calls by early 2028, and expanded support for victims, including a Fraud Victims Charter and a joint unit between Trading Standards and law enforcement to disrupt fraud operations and recover stolen assets.
Medical device giant Stryker confirms cyberattack as employees say devices were wiped - The medical device manufacturer Stryker confirmed on Wednesday that a cyberattack has disrupted its operations. The Michigan-based company reported a “global network disruption” affecting its Microsoft environment, though it stated there was no indication of ransomware or malware and that the incident appeared contained. Stryker said its teams were working to assess the impact, and business continuity measures were in place to continue supporting customers and partners. On the same day, the company’s phone systems were responding with automated messages citing a “building emergency,” while employees took to social media to report that corporate computers and phones had been completely wiped, leaving them unable to access work platforms and email systems.
A group calling itself Handala allegedly claimed responsibility for the attack, posting their logo on Stryker login pages and sending emails to executives. The group, which cybersecurity experts have previously linked to Iran-based threat actors, stated that it wiped more than 200,000 devices and stole 50 terabytes of company data. Handala reportedly targeted Stryker in response to a U.S. missile strike on a school in Iran and the ongoing conflict involving the U.S., Israel, and Iran. Since 2023, Handala has been involved in multiple attacks on Israeli companies and government systems, often using wiper malware to destroy files. The attack has reportedly brought Stryker to a standstill, affecting factories in Ireland and preventing employees from accessing corporate systems, with some losing data on personal devices linked to company networks.
Ransomware incident responder gave info to BlackCat cybercriminals during negotiations, DOJ alleges - The U.S. Justice Department is accusing incident responder Angelo Martino of conducting cyberattacks and assisting ransomware gangs in extracting higher payouts from victims he was hired to protect. Martino surrendered to U.S. Marshals on Tuesday and was released on bond the same day under the condition that he refrain from working in the cyber industry. Court documents allege that Martino collaborated with two other cybersecurity professionals, Ryan Goldberg and Kevin Martin, to carry out ransomware attacks for the now-defunct ALPHV/BlackCat group. Goldberg and Martin, who pleaded guilty in December to conspiracy to obstruct commerce by extortion, face up to 20 years in prison. Together with Martino, the three earned around $1.2 million from an attack on a Florida medical company, though attempts to extort nine other victims were unsuccessful.
Prosecutors claim that starting in April 2023, Martino provided confidential negotiation information to ALPHV/BlackCat while acting as a ransomware negotiator for DigitalMint, effectively helping the group maximise ransom payments on cases he was assigned to assist. Documented ransoms reached as high as $26 million, $25 million, $16 million, and $6 million, though the amount Martino received remains unspecified. Martino has been charged with one count of conspiracy to interfere with interstate commerce by extortion. DigitalMint stated that his actions violated company policy and ethical standards, leading to the termination of both Martino and Martin, and that the company assisted the DOJ investigation. In response, DigitalMint has implemented new auditing measures, cloud-based negotiation protocols, and oversight from both company leadership and the Department of Homeland Security, as well as plans to establish a registry for threat actor negotiators to increase transparency and set industry standards.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100 and are responsible for scoring the group's severity. These updates can be seen below.
Legend: ● Limited Severity · ● Basic Severity · ● Moderate Severity · ● High Severity

| Threat Actor | Severity Increase | Opportunity | Intent |
|---|---|---|---|
| Secp0 Ransomware Group | NEW → ● Basic | NEW → ● 25 | NEW → ● 40 |
| PAL1T | NEW → ● Basic | NEW → ● 30 | NEW → ● 5 |
| BugMakeSoap | NEW → ● Basic | NEW → ● 30 | NEW → ● 5 |
| Funksec Group | ● Basic → ● Basic | ● 35 → ● 35 | ● 45 → ● 30 |
| Beast Ransomware Group | ● Basic → ● Basic | ● 25 → ● 35 | ● 49 → ● 49 |
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.
The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.
▲- Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
▲- Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.
| Attackers | Trend | Methods | Trend | Vulnerabilities | Trend | Targets | Trend |
|---|---|---|---|---|---|---|---|
| Handala Hack Team | ▲ | Banking Trojan | ▲ | CVE-2026-3909 | ▲ | Mossad | ▲ |
| PalachPro | ▲ | BruteEntry | ▲ | CVE-2026-27825 | ▲ | ID Providers | ▲ |
| Bliss | ▲ | PeerTime | ▲ | CVE-2026-27826 | ▲ | Baghdad | ▲ |
| Fatemiyoun Brigade | ▲ | TernDoor | ▲ | CVE-2025-47813 | ▲ | Microsoft | ▲ |
| ByteToBreach | ▲ | GoPIX | ▲ | CVE-2026-3910 | ▲ | Stryker | ▲ |
Prominent Information Security Events
Threat Actor Storm-2561 Uses SEO Poisoning to Distribute Trojanized VPN Clients that Harvest Enterprise Credentials
Source: Insikt Group | Validated Intelligence Event
IOC: Hash - 57a50a1c04254df3db638e75a64d5dd3b0d6a460829192277e252dc0c157a62f
IOC: IP - 194[.]76[.]226[.]93
On 12 March 2026, Microsoft reported that the threat actor group Storm-2561 had carried out a credential theft campaign beginning in mid-January 2026. The campaign used search engine optimisation (SEO) poisoning to distribute trojanised enterprise VPN clients, redirecting users searching for legitimate VPN software to fake vendor websites that delivered information-stealing malware designed to harvest VPN credentials.
The attack started when users clicked on search results leading to spoofed VPN download domains. These sites then redirected victims to a GitHub repository containing a ZIP archive with a malicious Microsoft Windows Installer (MSI) file posing as a legitimate VPN client. The MSI and its associated malware components were signed with a certificate issued to Taiyuan Lihua Near Information Technology Co., Ltd., which has since been revoked by researchers.
Once executed, the MSI installed a fake Pulse Secure client in a directory path resembling a legitimate installation (%CommonFiles%\Pulse Secure) and dropped DLL files named dwmapi.dll and inspector.dll. The fake client presented a spoofed login interface to capture user credentials, while dwmapi.dll loaded shellcode to execute inspector.dll, a Hyrax infostealer variant. The malware accessed VPN configuration data from C:\ProgramData\Pulse Secure\ConnectionStore\connectionstore.dat and established persistence by adding Pulse.exe to the RunOnce registry key to execute after system reboot.
ForceMemo Campaign Compromises GitHub Python Repositories via GlassWorm
Source: Insikt Group | Validated Intelligence Event
IOC: URL - http://217[.]69[.]11[.]99
IOC: IP - 217[.]69[.]11[.]57
On 14 March 2026, StepSecurity reported an ongoing campaign named “ForceMemo” that had compromised hundreds of GitHub accounts to inject identical malware into Python repositories via force-push. The attack affected a wide range of Python projects, including Django applications, machine learning research code, Streamlit dashboards, and packages that could be installed directly from GitHub. Users who ran pip install from a compromised repository, or cloned and executed the modified code, would inadvertently trigger the malware.
The intrusion began with account takeovers driven by “GlassWorm” infections delivered through malicious VS Code and Cursor extensions. StepSecurity noted that the GlassWorm stage-three payload harvested GitHub tokens from git credential storage, VS Code extensions, ~/.git-credentials, and the GITHUB_TOKEN environment variable. The threat actors then rebased the latest legitimate commit on each default branch, appended obfuscated Python malware to key files such as setup.py, main.py, app.py, manage.py, and app/__init__.py, and force-pushed the rebased commit while preserving the original commit message, author, and timestamp. A repeated attacker fingerprint was observed, with malicious commits using the committer email string “null.”
The appended Python malware unpacked a second stage using base64 decoding, zlib decompression, and XOR decryption, skipping execution on Russian systems. It queried a Solana wallet for transaction memos containing JSON with payload URLs, downloaded Node.js v22.9.0, retrieved an AES-encrypted JavaScript payload, executed it via Node.js, and created persistence metadata in ~/init.json along with an i.js loader. The campaign impacted more than 240 repositories across numerous GitHub accounts, targeting repeated victim clusters such as wecode-bootcamp-korea, HydroRoll-Team, BierOne, and others. StepSecurity concluded that ForceMemo represents a GlassWorm-linked supply chain attack aimed at Python maintainers and downstream users.
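The following script is an added example, not StepSecurity's or the digest's own tooling. It checks a repository checkout for the two ForceMemo indicators described above: commits whose committer email is the literal "null", and an appended stage in setup.py, main.py, app.py, manage.py or app/__init__.py that combines base64, zlib, XOR and exec(). The git log format string, the marker regexes, the choice to score only those five paths, and all sample inputs are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Files ForceMemo appended its payload to, per StepSecurity's report.
TARGET_FILES = {"setup.py", "main.py", "app.py", "manage.py", "app/__init__.py"}

# Unpacking primitives of the appended stage. Any one is common in benign
# code; all four in one file (base64 + zlib + XOR feeding exec) is the shape
# the report describes. A bare "^" also matches regex strings, hence the AND.
STAGE_MARKERS = {
    "base64": re.compile(r"\bb64decode\s*\("),
    "zlib": re.compile(r"\bzlib\.decompress\s*\("),
    "xor": re.compile(r"\^"),
    "exec": re.compile(r"\bexec\s*\("),
}

def find_null_committers(log_lines: List[str]) -> List[str]:
    """Return SHAs whose committer email is the literal "null".
    log_lines: output of  git log --format='%H|%an|%ae|%cn|%ce'"""
    hits = []
    for line in log_lines:
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue  # not in the expected shape; ignore
        sha, _an, _ae, _cn, committer_mail = parts
        if committer_mail.strip().lower() == "null":
            hits.append(sha)
    return hits

def scan_source(path: str, text: str) -> Dict[str, object]:
    """Score one file: suspicious only when every marker is present."""
    found = [name for name, rx in STAGE_MARKERS.items() if rx.search(text)]
    return {"path": path, "markers": found,
            "suspicious": len(found) == len(STAGE_MARKERS)}

def scan_repo(files: Dict[str, str], log_lines: List[str]) -> Dict[str, object]:
    """files maps repo-relative path -> content; only TARGET_FILES are scored."""
    flagged = sorted(p for p, text in files.items()
                     if p in TARGET_FILES and scan_source(p, text)["suspicious"])
    return {"null_committer_shas": find_null_committers(log_lines),
            "suspicious_files": flagged}

# Constructed sample input (not from the report): a setup.py with an inert
# stand-in for the appended stage (scanned as text, never executed), a clean
# manage.py, and a two-line git log whose second commit carries the fingerprint.
SAMPLE_FILES = {
    "setup.py": ("from setuptools import setup\nsetup(name='demo')\n"
                 "import base64, zlib\n_k = 0x5a\n"
                 "_s = zlib.decompress(base64.b64decode('<blob>'))\n"
                 "exec(bytes(c ^ _k for c in _s))\n"),
    "manage.py": "from django.core.management import execute_from_command_line\n",
}
SAMPLE_LOG = [
    "a1b2c3|Maintainer|dev@example.com|Maintainer|dev@example.com",
    "d4e5f6|Maintainer|dev@example.com|Maintainer|null",  # attacker fingerprint
]

if __name__ == "__main__":
    print(scan_repo(SAMPLE_FILES, SAMPLE_LOG))
```

Run it from a checkout by feeding the real `git log` output and the contents of the five target files; a hit on either indicator is a reason to compare the branch against a known-good clone before installing or executing anything from it.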
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2026-0231 (Palo Alto) – This vulnerability can be addressed by updating Cortex XDR Broker VM to version 30.0.49 or later.
- CVE-2026-21666, CVE-2026-21667, CVE-2026-21668, CVE-2026-21672, CVE-2026-21708 (Veeam) – These vulnerabilities can be remediated by updating Veeam Backup & Replication to version 12.3.2.4465.
- CVE-2026-4149 (Sonos) – This vulnerability can be addressed by updating Era300 devices to 83.1-61240.
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.