Research
- Suspected China-based operation targets Southeast Asian military organizations
A technical analysis by Palo Alto Networks Unit 42 says a suspected China-based espionage campaign has targeted Southeast Asian military organizations since at least 2020 using modular backdoors and Pastebin-based command and control.
- Nine CrackArmor Flaws in Linux AppArmor Could Enable Local Root Escalation
Qualys disclosed nine confused deputy vulnerabilities in the Linux kernel AppArmor module that can allow unprivileged users to bypass protections, escalate to root, and undermine container isolation. Vendors and administrators should prioritise kernel patches.
- Researchers identify suspected AI-assisted Slopoly backdoor used by Hive0163
Researchers identified a suspected AI-generated PowerShell backdoor called Slopoly used by the cybercrime group Hive0163 in early 2026. The backdoor established persistence and beaconed to a command server; analysts examined its code patterns.
- Authorities disrupt SocksEscort proxy network powered by AVRecon on Linux routers
Law enforcement disrupted the SocksEscort proxy network, which used AVRecon to compromise Linux routers. Lumen’s Black Lotus Labs reported the network averaged about 20,000 infected devices weekly; authorities seized infrastructure and froze funds.
- BeatBanker Android malware poses as Starlink app and hijacks devices in Brazil
BeatBanker is Android malware that combines a banking trojan and a Monero miner, uses a fake Starlink Play Store page for delivery and a looping MP3 to stay active. Infections were recorded in Brazil.
- GitLab analysis exposes North Korean fake IT worker tradecraft
A technical analysis by GitLab found North Korean operators used code repositories to deliver obfuscated malware loaders and that 131 accounts were removed last year. The report lists tradecraft and more than 600 indicators.
- Six Android malware families steal data and hijack payments, researchers find
Researchers found six Android malware families that steal data and enable financial fraud. The trojans use fake Play Store listings, accessibility abuse and screen overlays to hijack transfers, including real-time attacks on Brazil’s Pix system.
- Two critical n8n flaws patched after researcher finds remote code execution risk
Two critical vulnerabilities in the n8n workflow platform were reported and patched in March 2026. A technical analysis and vendor advisories show flaws that can enable remote code execution and decryption of stored credentials.
- Five malicious Rust crates exfiltrated .env files and AI bot exploited GitHub Actions
Researchers found five malicious Rust crates on crates.io that exfiltrated .env files. Packages were removed. Users should rotate secrets, audit CI workflows and restrict outbound access to reduce supply chain risk.
- BlackSanta EDR killer used in year-long campaign targeting HR departments
A Russian-speaking actor ran a year-long campaign against HR departments deploying BlackSanta, an EDR killer that disables endpoint protections and uses DLL sideloading and vulnerable drivers to gain kernel-level access.