Executive Summary -
Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
PoC for Critical, Actively Exploited SQL Injection Vulnerability Affecting Fortinet FortiClientEMS (CVE-2026-21643) - On 28 March 2026, Defused reported that threat actors had been exploiting CVE-2026-21643 since 24 March. On the same day, GitHub user Ashraf Zaryouh (0xBlackash) released a proof-of-concept exploit. The vulnerability affects Fortinet FortiClientEMS 7.4.4, an endpoint management platform, and allows unauthenticated attackers to execute code or commands. Fortinet had advised upgrading to version 7.4.5 or later on 6 February 2026. The flaw is an SQL injection in the web-based administrative interface, caused by improper neutralisation of special elements in SQL statements, which lets attackers trigger it with crafted HTTP requests.
Defused observed attacks using HTTPS requests to “/api/v1/init_consts” with a “python-requests/2.31.0” User-Agent and SQL payloads in the “Site” header, originating from an IP address previously reported for spam. Over 1,400 exposed FortiClientEMS instances were identified, mainly in the US, Germany, France, Australia and the Netherlands. The proof-of-concept takes a URL and an optional SQL payload, formats the request, injects the payload into the “Site” header, and checks responses for error messages or PostgreSQL references as an indicator of vulnerability; it does not fully validate extracted data such as database versions.
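The request pattern Defused describes (path, User-Agent and an SQL payload in the “Site” header) is enough to write a first-pass detection. The following is an added example, not code from Defused or from the digest: it scores constructed access-log records against that pattern, treating SQL metacharacters in the “Site” header as the strong signal and the python-requests User-Agent only as a weak corroborating signal, since legitimate monitoring scripts use that library too. The record field names and the sample log records are assumptions.

```python
"""Added example: flag HTTP requests matching the CVE-2026-21643 exploitation
pattern reported by Defused.  Record layout and sample records are constructed."""
import re
from typing import Dict, Iterable, List, Tuple

TARGET_PATH = "/api/v1/init_consts"          # endpoint seen in the attacks
OBSERVED_UA = "python-requests/2.31.0"       # User-Agent seen in the attacks

# Heuristics for an SQL payload in a header that should hold a plain site name.
SQLI_PATTERNS = [
    re.compile(r"'"),                                   # string-delimiter break-out
    re.compile(r"--|/\*|;"),                            # comment / statement terminators
    re.compile(r"\b(select|union|insert|update|delete|drop)\b", re.I),
    re.compile(r"\b(pg_sleep|pg_catalog|version\(\)|current_user)\b", re.I),
    re.compile(r"\b(or|and)\b\s+\S+\s*=\s*\S+", re.I),  # "OR 1=1" style tautology
]


def score_record(rec: Dict) -> Tuple[int, List[str]]:
    """Score one access-log record (keys: src_ip, path, user_agent, headers).

    Returns (score, reasons).  Only requests to the vulnerable endpoint score;
    an SQL-looking Site header is worth 3, the scanner UA and an oversized
    header 1 each, so a bare python-requests probe does not reach threshold."""
    reasons: List[str] = []
    score = 0
    if rec.get("path", "").split("?")[0] != TARGET_PATH:
        return 0, reasons
    site = rec.get("headers", {}).get("Site", "")
    for pat in SQLI_PATTERNS:
        if pat.search(site):
            score += 3
            reasons.append(f"SQL syntax in Site header (matched {pat.pattern!r})")
            break
    if rec.get("user_agent") == OBSERVED_UA:
        score += 1
        reasons.append("User-Agent matches the observed scanner")
    if len(site) > 64:
        score += 1
        reasons.append("unusually long Site header")
    return score, reasons


def flag_records(records: Iterable[Dict], threshold: int = 3) -> List[Dict]:
    """Return the records at or above threshold, annotated with score and reasons."""
    hits = []
    for rec in records:
        score, reasons = score_record(rec)
        if score >= threshold:
            hits.append({"src_ip": rec.get("src_ip"), "score": score, "reasons": reasons})
    return hits


# Constructed sample records: a browser request, a benign python-requests probe,
# an injection attempt, and an injection-looking header against another path.
SAMPLE_RECORDS = [
    {"src_ip": "198.51.100.10", "path": TARGET_PATH, "user_agent": "Mozilla/5.0",
     "headers": {"Site": "default"}},
    {"src_ip": "198.51.100.11", "path": TARGET_PATH, "user_agent": OBSERVED_UA,
     "headers": {"Site": "default"}},
    {"src_ip": "203.0.113.7", "path": TARGET_PATH, "user_agent": OBSERVED_UA,
     "headers": {"Site": "default' AND 1=CAST((SELECT version()) AS INT)--"}},
    {"src_ip": "198.51.100.12", "path": "/api/v1/login", "user_agent": OBSERVED_UA,
     "headers": {"Site": "x' OR 1=1--"}},
]

if __name__ == "__main__":
    for hit in flag_records(SAMPLE_RECORDS):
        print(hit)
```

Only the third record is flagged: the benign python-requests probe scores 1 and the injection-looking header on a different path scores 0, which keeps the rule from paging on ordinary API automation. Feed it real proxy or WAF logs by mapping your field names onto `src_ip`, `path`, `user_agent` and `headers`.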
Cisco Patches XSS Vulnerability CVE-2026-20108 Affecting Cisco Catalyst SD-WAN Manager - On 25 March 2026, Cisco released a patch for a cross-site scripting (XSS) vulnerability, CVE-2026-20108, affecting Catalyst SD-WAN Manager versions 20.18 and earlier. If exploited, the flaw could allow attackers to run arbitrary scripts within the interface or access sensitive data.
At the time of writing, there have been no reports of the vulnerability being exploited in the wild. To mitigate the risk, Insikt Group advises updating Catalyst SD-WAN Manager to version 20.18.2.1, which addresses the issue.
strongSwan Patches Denial of Service Vulnerability CVE-2026-25075 - On 23 March 2026, the strongSwan project disclosed CVE-2026-25075, a high-severity input validation flaw in its EAP-TTLS implementation. An unauthenticated remote attacker could cause a denial of service (DoS) by sending specially crafted AVP data with invalid length fields to the EAP-TTLS plugin.
strongSwan addressed the issue in version 6.0.5. There have been no reports of active exploitation or threat actor activity linked to this vulnerability.
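The bug class here, an AVP length field that is trusted before it is checked against the header size and the bytes actually remaining, is generic to EAP-TTLS parsing. The following is an added example and not strongSwan's code: a defensive parser for the Diameter-style AVPs that EAP-TTLS carries (RFC 5281 section 10.1: 4-byte code, 1-byte flags, 3-byte length that includes the header, optional 4-byte Vendor-ID when the V flag is set, data padded to a 4-byte boundary), which rejects inconsistent lengths instead of reading past the buffer. The encoder and the sample AVPs are constructed for the example.

```python
"""Added example (not strongSwan code): length-validated parsing of EAP-TTLS
AVPs as laid out in RFC 5281 section 10.1.  Sample inputs are constructed."""
import struct
from typing import List, Optional, Tuple

AVP_FLAG_VENDOR = 0x80     # V bit: a 4-byte Vendor-ID follows the length
AVP_FLAG_MANDATORY = 0x40  # M bit: receiver must understand this AVP


class AvpError(ValueError):
    """Raised for any AVP whose length field is inconsistent with the buffer."""


def parse_avps(buf: bytes) -> List[Tuple[int, int, int, bytes]]:
    """Return a list of (code, flags, vendor_id, data) from a run of AVPs.

    Every length is checked before it is used: the fixed header must fit,
    the declared length must be at least the header size, and it must not
    run past the end of the buffer.  Padding is skipped by rounding up."""
    avps = []
    off = 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise AvpError(f"truncated AVP header at offset {off}")
        code = struct.unpack_from(">I", buf, off)[0]
        flags = buf[off + 4]
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr_len = 12 if flags & AVP_FLAG_VENDOR else 8
        if length < hdr_len:
            raise AvpError(f"AVP length {length} < header size {hdr_len} at offset {off}")
        if off + length > len(buf):
            raise AvpError(f"AVP length {length} exceeds remaining {len(buf) - off} bytes")
        vendor = 0
        if flags & AVP_FLAG_VENDOR:
            vendor = struct.unpack_from(">I", buf, off + 8)[0]
        data = buf[off + hdr_len:off + length]
        avps.append((code, flags, vendor, data))
        off += (length + 3) & ~3   # advance past data and 4-byte padding
    return avps


def is_malformed(buf: bytes) -> bool:
    """True if parse_avps rejects the buffer (convenience for tests/fuzzing)."""
    try:
        parse_avps(buf)
    except AvpError:
        return True
    return False


def build_avp(code: int, data: bytes, flags: int = AVP_FLAG_MANDATORY,
              vendor: Optional[int] = None) -> bytes:
    """Encode one AVP in RFC 5281 layout (used here to construct sample input)."""
    if vendor is not None:
        flags |= AVP_FLAG_VENDOR
    hdr_len = 12 if vendor is not None else 8
    length = hdr_len + len(data)
    out = struct.pack(">IB", code, flags) + length.to_bytes(3, "big")
    if vendor is not None:
        out += struct.pack(">I", vendor)
    return out + data + b"\x00" * ((-length) % 4)


# Constructed samples: a User-Name AVP (code 1) and a vendor-specific AVP.
SAMPLE_GOOD = build_avp(1, b"alice") + build_avp(26, b"\x01\x02", vendor=311)
SAMPLE_LEN_TOO_SMALL = bytes.fromhex("00000001" "40" "000004")   # length 4 < 8
SAMPLE_LEN_TOO_LARGE = bytes.fromhex("00000001" "40" "000064")   # claims 100 bytes
SAMPLE_TRUNCATED = bytes.fromhex("00000001" "40" "00")           # header cut short

if __name__ == "__main__":
    print(parse_avps(SAMPLE_GOOD))
    for sample in (SAMPLE_LEN_TOO_SMALL, SAMPLE_LEN_TOO_LARGE, SAMPLE_TRUNCATED):
        print(is_malformed(sample))
```

The three malformed samples cover the cases an unvalidated parser gets wrong: a length smaller than its own header (which makes the data slice negative or the loop fail to advance), a length beyond the buffer (an over-read), and a header that does not fit at all. A parser that checks all three before touching the data cannot be crashed by the length field alone.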
Potential Threats
Threat Actors Compromise KICS GitHub Action to Deliver Credential-Stealing Malware via Supply Chain Attack - On 23 March 2026, cybersecurity firm Wiz reported a supply-chain attack targeting the Checkmarx KICS GitHub Action, an open-source infrastructure-as-code security scanner. The attack was attributed to the threat group TeamPCP, which is known for compromising developer tools to distribute credential-stealing malware. Wiz identified that 35 GitHub Action tags were compromised between 12:58 and 16:50 UTC on the same day, exposing users referencing these tags to malicious payloads.
According to Wiz’s analysis, the attack began with TeamPCP staging malicious commits in a forked repository, modifying the “action.yaml” to execute a “setup.sh” script during the “Prepare Environment” phase. A compromised GitHub service account was then used to update repository tags, redirecting them to the malicious commits. The script collects environment variables, SSH keys, and sensitive files, detects GitHub Actions, AWS, and Kubernetes environments, and extracts secrets. Collected data is encrypted with AES-256-CBC, packaged into an archive, and exfiltrated to a command-and-control server. The attack also deploys a Python backdoor, establishes persistence via systemd services, and continuously polls the threat actor’s infrastructure for further payloads, with execution delays implemented using Python’s sleep function.
Compromised Axios npm Packages Deliver Cross-Platform Remote Access Trojan via Malicious Dependency Injection - On 30 March 2026, StepSecurity reported a supply-chain attack that compromised the Axios npm package, a widely used JavaScript HTTP client library. The threat actors pre-staged the attack over roughly eighteen hours and used compromised npm credentials to publish directly to the registry, bypassing the project’s GitHub Actions CI/CD release pipeline. The attack began with the takeover of the legitimate maintainer account jasonsaayman, whose registered email was changed to a threat actor-controlled ProtonMail address. Malicious Axios versions “axios@1.14.1” and “axios@0.30.4” were published without corresponding GitHub commits or tags. A secondary malicious dependency, “plain-crypto-js@4.2.1”, was published under a separate account and mimics the legitimate “crypto-js” package. Its postinstall script, setup.js, collects sensitive information, exfiltrates it to a C2 server, drops a cross-platform remote access trojan (RAT), and then cleans up after itself.
The dropper executes platform-specific commands depending on the operating system. On macOS, it uses AppleScript to download and run a Mach-O RAT, saving it to /Library/Caches, modifying permissions, and executing in the background. On Windows, it leverages PowerShell and VBScript to download and execute a RAT, cleaning temporary files afterward. On Linux, it downloads and runs a Python RAT in /tmp. The macOS RAT collects system information, enumerates directories, encodes data with Base64, and sends it to the C2 server at 60-second intervals using a spoofed User-Agent. Socket Security also identified additional packages, such as “@shadanai/openclaw” and “@qqbrowser/openclaw-qbot”, which distribute the same malware through vendored dependencies, triggering identical RAT deployment and exfiltration mechanisms.
Threat Actors Conduct Over 100 Tax-Themed Campaigns to Establish Remote Access via RMM Tools, Enabling Credential Theft and BEC Fraud - On 30 March 2026, Proofpoint reported over 100 email campaigns between January and March 2026 using tax-related lures to deliver remote monitoring and management (RMM) tools, malware, credential phishing pages, and business email compromise (BEC) fraud. These campaigns primarily targeted the U.S., with additional activity in Canada, Japan, Australia, and Switzerland.
Several campaigns impersonated tax authorities to achieve different objectives. Between January and March, threat actors used IRS-themed phishing to deploy RMM tools such as N-able, Datto, RemotePC, Zoho Assist, and ScreenConnect, sometimes adding additional tools to maintain persistent access. TA4922 targeted Japanese organisations, requesting mobile numbers to continue social engineering via out-of-band channels and distributing information stealers like Winos4.0 (ValleyRAT). TA2730 impersonated investment firms with W-8BEN tax form lures to steal credentials via spoofed login pages. In March, multiple actors conducted BEC campaigns requesting 2025 employee W-2 forms, collecting sensitive data including Social Security numbers and home addresses for identity theft and fraud.
General News
CISA's acting chief warns shutdown is increasing cyber risks, causing resignations - Cybersecurity and Infrastructure Security Agency (CISA) Acting Director Nick Andersen warned that the Department of Homeland Security shutdown has left risks “accumulating across the system.” Testifying before the House Homeland Security Committee, Andersen said around 60 percent of CISA’s workforce is furloughed, with the agency facing 1,000 vacancies. He highlighted that a highly technical threat hunting and incident response team recently lost six members to resignations in a single day. The remaining personnel are performing mission-essential duties without pay while dealing with increased activity from nation-state and criminal actors targeting critical infrastructure.
Andersen explained that CISA’s limited capacity restricts the agency to responding to imminent threats, sharing critical vulnerability information, protecting life and property, and maintaining its 24/7 operations centre. Proactive work such as assessments, planning, and coordination with industry and state partners has been scaled back, creating gaps adversaries could exploit. Intelligence sharing continues but under strained conditions. Andersen emphasised that prolonged shutdowns could harm recruitment and retention of cyber talent, making it harder for CISA to maintain a skilled workforce, and warned that the compounding risks in the current threat environment could eventually cause serious damage to the American public.
UK weighs new limits on political donations as reports warn of hard-to-trace foreign interference - The British government is planning tighter rules on political donations after two reports highlighted growing foreign interference in U.K. democracy. The Rycroft Review on financial interference and a parliamentary report on foreign information manipulation and interference (FIMI) warn that hostile actors are using sophisticated campaigns to exploit divisive issues and influence public debate. While the government has sanctioned individuals and organisations linked to Russian operations, both reports note these measures are limited compared with the scale of the threat. Examples such as Moldova show how disinformation can reach millions during elections, and high-profile individuals with global influence can complicate attribution.
In response, ministers intend to temporarily ban cryptocurrency donations and cap overseas contributions at £100,000 annually. Experts caution that this addresses only part of the problem, as funds can still be routed through legitimate channels. Both reports highlight fragmented legislation, limited transparency, and the difficulty of tracing financial influence and disinformation, which increasingly operate continuously online rather than within election periods. Analysts warn that without systemic reform, foreign actors can exploit these gaps to shape public discourse, leaving democratic institutions vulnerable to evolving hybrid threats.
Handala Hack Team Alleges Breach of FBI Director Kash Patel’s Personal Emails - On 27 March 2026, Handala Hack Team, a pro-Iranian actor linked to APT Void Manticore, claimed on their Telegram channel and website that they had compromised FBI Director Kash Patel’s personal email account, publishing a “proof-of-concept” (PoC) sample of exfiltrated files. The group stated the leak was retaliation for the FBI seizing their domains and offering a $10 million bounty for their members. The leaked material allegedly included emails, documents, conversations, classified files, and personal photos. Screenshots of Patel’s resume, likely from 2016 or 2017, were also shared. The group used a new Telegram channel, [@]HANDALA_INTEL, and a newly launched website, handala-team[.]to, following the seizure of their previous domains.
The Department of Justice confirmed that Patel’s email had been breached but provided no further details. Analysis by Insikt Group of the PoC files revealed .eml files from the inbox of patelkpp[@]gmail[.]com, sorted into folders such as “Work”, “Travel”, “Photos”, “DC”, “Business”, and likely family members’ names. The files date from February 2010 to February 2022 and include travel itineraries, personal business ventures, federal job applications, apartment rentals, and numerous personal photos. Insikt Group considers the leak legitimate, though it remains unclear whether additional files will be released or how Handala Hack Team obtained access to Patel’s email.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100 and are responsible for scoring the group's severity. These updates can be seen below.
Legend: ● Limited Severity | ● Basic Severity | ● Moderate Severity | ● High Severity

| Threat Actor | Severity Increase | Opportunity | Intent |
|---|---|---|---|
| BlueDelta | NEW → ● High | NEW → ● 86 | NEW → ● 30 |
| BlueCharlie | NEW → ● Moderate | NEW → ● 53 | NEW → ● 25 |
| TAG-160 | NEW → ● Basic | NEW → ● 40 | NEW → ● 25 |
| hubert | NEW → ● Basic | NEW → ● 30 | NEW → ● 25 |
| UAC-0255 | NEW → ● Basic | NEW → ● 30 | NEW → ● 25 |
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item carries a small symbol indicating how actively it is trending.
The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.
▲- Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
▲- Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.
| Attackers | Methods | Vulnerabilities | Targets |
|---|---|---|---|
| Lapsus$ Group ▲ | Supply Chain Attack ▲ | CVE-2026-5281 ▲ | Geospatial Intelligence ▲ |
| Iranian Hackers ▲ | Remote Access Trojan ▲ | CVE-2026-3502 ▲ | Axios ▲ |
| Nasir Security Group ▲ | T1105 (Ingress Tool Transfer) ▲ | CVE-2026-3055 ▲ | Mercor ▲ |
| Handala Hack Team ▲ | ClickFix ▲ | CVE-2025-53521 ▲ | Anthropic ▲ |
| ShinyHunters ▲ | Social Engineering ▲ | CVE-2026-21643 ▲ | Cisco ▲ |
Prominent Information Security Events
Threat Actors Compromise KICS GitHub Action to Deliver Credential-Stealing Malware via Supply Chain Attack
Source: Insikt Group | Validated Intelligence Event
IOC: Hash - 0d66d8c7e02574ff0d3443de0585af19c903d12466d88573ed82ec788655975c
IOC: URL - hxxps://checkmarx[.]zone
On 23 March 2026, cybersecurity firm Wiz reported a supply-chain attack targeting the Checkmarx KICS GitHub Action, an open-source infrastructure-as-code security scanner. The attack was attributed to the threat group TeamPCP, known for compromising developer tooling to distribute credential-stealing malware. According to Wiz, the operation compromised 35 GitHub Action tags between 12:58 and 16:50 UTC on the same day, exposing users who referenced the affected tags to malicious payloads.
Wiz’s analysis indicates that the infection began with TeamPCP staging malicious commits in a forked repository containing a modified “action.yaml” file, which executed a script named setup.sh during the “Prepare Environment” phase. Using a compromised GitHub service account, TeamPCP then updated the repository’s tags to point at the malicious commits, so that any workflow referencing one of those tags by name pulled the attacker’s code. The setup.sh script starts with “set -euo pipefail” for strict error handling, so that any failing step aborts the script quietly. Once executed, it collects environment variables, SSH keys, and sensitive files, detects GitHub Actions, AWS, and Kubernetes environments, and extracts secrets. The script encrypts the collected data using AES-256-CBC with a random session key, which is itself encrypted with a hard-coded RSA public key, and bundles the data into an archive for exfiltration.
Exfiltration occurs via HTTP POST requests to a command-and-control server, and if that fails, the script can create a repository in the victim’s GitHub account to upload stolen data as a release asset. Additionally, the setup.sh script deploys a Python backdoor to retrieve further payloads, establishes persistence via systemd services either locally or across Kubernetes nodes, and continuously polls the threat actor’s infrastructure every 50 minutes. Execution is delayed for 300 seconds using Python’s sleep function to avoid immediate detection and ensure the attack proceeds stealthily.
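Both the highlight and this event write-up turn on the same mechanism: a tag such as a version name is mutable, so re-pointing it silently changes what every `uses:` line that names it will run, whereas a 40-character commit SHA cannot be re-pointed. The following is an added example, not code from Wiz, Checkmarx or the digest: a checker that scans workflow YAML for `uses:` references and reports those pinned to a tag or branch rather than a commit SHA. The sample workflow, its action versions and the placeholder SHA are constructed.

```python
"""Added example (not from the Wiz report): audit GitHub Actions workflow text
for action references that are not pinned to a full commit SHA.  The sample
workflow below is constructed; the SHA in it is a placeholder."""
import re
from typing import Dict, List

# Matches "uses: owner/repo@ref" whether or not the line starts a list item;
# stops at whitespace or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_uses(workflow_yaml: str) -> List[Dict[str, str]]:
    """Classify every uses: reference as pinned-sha, mutable-ref or unpinned.

    Local actions (./path) and docker:// images are skipped; pinning those is
    a separate concern (checked-in code and image digests respectively)."""
    findings = []
    for m in USES_RE.finditer(workflow_yaml):
        ref = m.group(1).strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append({"uses": ref, "action": ref, "ref": "", "status": "unpinned"})
            continue
        action, _, version = ref.rpartition("@")
        status = "pinned-sha" if SHA_RE.match(version) else "mutable-ref"
        findings.append({"uses": ref, "action": action, "ref": version, "status": status})
    return findings


def mutable_actions(workflow_yaml: str) -> List[str]:
    """The uses: references that a tag re-point attack could hijack."""
    return [f["uses"] for f in audit_uses(workflow_yaml) if f["status"] != "pinned-sha"]


# Constructed sample workflow: one SHA-pinned step, one tag-pinned KICS step,
# a local action, a docker image and a branch-pinned action.
SAMPLE_WORKFLOW = """\
name: iac-scan
on: [push]
jobs:
  kics:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - name: run kics
        uses: checkmarx/kics-github-action@v2.1.3   # tag: can be re-pointed
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@main
"""

if __name__ == "__main__":
    for finding in audit_uses(SAMPLE_WORKFLOW):
        print(f"{finding['status']:12} {finding['uses']}")
```

Run it over `.github/workflows/*.yml` in CI and fail the build when `mutable_actions` is non-empty. Pinning to a SHA does not by itself tell you the pinned commit is benign, but it does mean a later tag re-point, which is exactly what happened to the KICS action, changes nothing in your pipeline until someone deliberately updates the pin.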
Compromised Axios npm Packages Deliver Cross-Platform Remote Access Trojan via Malicious Dependency Injection
Source: Insikt Group | Validated Intelligence Event
IOC: IP - 142[.]11[.]206[.]73
IOC: URL - hxxp://sfrclak[.]com:8000/6202033
On 30 March 2026, StepSecurity reported a supply-chain attack involving the compromise of the Axios npm package, a widely used JavaScript HTTP client library. The threat actors pre-staged the attack over roughly eighteen hours and used compromised npm credentials to publish directly to the registry, bypassing the project’s GitHub Actions CI/CD release pipeline. The operation began with the takeover of the legitimate maintainer account jasonsaayman, whose registered email was changed to a ProtonMail address controlled by the attackers. Malicious Axios versions “axios@1.14.1” and “axios@0.30.4” were published without corresponding GitHub commits or tags, and a secondary malicious dependency, “plain-crypto-js@4.2.1”, was pre-staged under a separate threat actor-controlled account. This package mimicked the legitimate “crypto-js” library and carried a postinstall script, setup.js, which ran automatically during installation and included an evidence-destruction routine.
The setup.js script functions as a dropper for a cross-platform remote access trojan (RAT). It decodes obfuscated strings, identifies the operating system, and connects to a C2 server to retrieve a second-stage payload. On macOS, it executes an AppleScript to download and run a Mach-O RAT, saves it to /Library/Caches, modifies permissions, and deletes the script afterward. On Windows, it uses PowerShell and VBScript to download and execute a RAT, cleaning temporary files post-execution. On Linux, the dropper downloads and runs a Python RAT in /tmp, detaching it from the parent process. Setup.js also removes the original package.json and the dropper script while renaming a backup to maintain stealth.
On 31 March 2026, Socket Security reported that the macOS payload is a Mach-O RAT written in C++, which collects system information, enumerates directories, encodes data with Base64, and sends it to the C2 server every 60 seconds using a spoofed User-Agent. The RAT can execute shell or AppleScript commands, write and run binaries, and terminate its own process. Additional packages, including “@shadanai/openclaw” and “@qqbrowser/openclaw-qbot”, were also found to distribute the same malware via vendored dependencies, triggering the identical postinstall execution chain and RAT deployment, using the same obfuscation routines, C2 infrastructure, and self-deletion mechanisms.
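Two things in this event are checkable from a repository's own lockfile: whether one of the named compromised versions is resolved, and whether any dependency declares an install-time script at all (npm records this as `hasInstallScript` in lockfile v2/v3, the same hook the setup.js dropper used). The following is an added example, not code from StepSecurity, Socket or the Axios project: a scanner over a package-lock.json that reports both. The sample lockfile is constructed.

```python
"""Added example (not from the StepSecurity or Socket reports): scan an npm
package-lock.json (lockfileVersion 2/3) for known-compromised versions and for
any package that runs an install script.  The sample lock is constructed."""
import json
from typing import Dict, List, Set, Tuple

# The (name, version) pairs named in the reporting summarised above.
KNOWN_BAD: Set[Tuple[str, str]] = {
    ("axios", "1.14.1"),
    ("axios", "0.30.4"),
    ("plain-crypto-js", "4.2.1"),
}


def package_name(lock_key: str) -> str:
    """Lockfile keys are install paths; keep only the last package name.
    'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    return lock_key.rsplit("node_modules/", 1)[-1]


def scan_lockfile(lock: Dict, known_bad: Set[Tuple[str, str]] = KNOWN_BAD) -> Dict[str, List[str]]:
    """Map 'name@version' -> list of reasons for every suspicious entry.

    Flags (1) exact matches against known_bad and (2) any package npm marked
    with hasInstallScript, because preinstall/postinstall is where a dropper
    such as setup.js gets executed at 'npm install' time."""
    findings: Dict[str, List[str]] = {}
    for key, meta in lock.get("packages", {}).items():
        if key == "":                       # root project entry, not a dependency
            continue
        name = package_name(key)
        version = meta.get("version", "")
        label = f"{name}@{version}"
        if (name, version) in known_bad:
            findings.setdefault(label, []).append("known compromised version")
        if meta.get("hasInstallScript"):
            findings.setdefault(label, []).append("runs install/postinstall script")
    return findings


# Constructed lockfile: the compromised axios pulling in the staged dependency,
# plus an ordinary transitive dependency with no install script.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"axios": "^1.14.0"}},
    "node_modules/axios": {
      "version": "1.14.1",
      "resolved": "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz",
      "dependencies": {"plain-crypto-js": "4.2.1"}
    },
    "node_modules/plain-crypto-js": {"version": "4.2.1", "hasInstallScript": true},
    "node_modules/follow-redirects": {"version": "1.15.6"}
  }
}
""")

if __name__ == "__main__":
    for pkg, reasons in scan_lockfile(SAMPLE_LOCK).items():
        print(pkg, "->", "; ".join(reasons))
```

Run it as `scan_lockfile(json.load(open("package-lock.json")))` in CI. The install-script finding will also list legitimate native packages, so treat it as a review list rather than a block; the blanket control that would have stopped this dropper outright is `npm config set ignore-scripts true` (or `--ignore-scripts` on install), re-enabling scripts only for packages you have vetted.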
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2026-21643 (FortiClientEMS) – This vulnerability can be addressed by updating Fortinet FortiClientEMS to version 7.4.5 or later.
- CVE-2026-20108 (Cisco) – This vulnerability can be remediated by updating Catalyst SD-WAN Manager to version 20.18.2.1.
- CVE-2026-25075 (strongSwan) – This vulnerability can be addressed by updating strongSwan to version 6.0.5.
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.