⚠️ A previously unseen backdoor called Dohdoor is being deployed against U.S. schools and healthcare orgs.
Tracked as UAT-10027, the campaign chains phishing → PowerShell loaders → DLL side-loading → DoH C2 (via Cloudflare) → final Cobalt Strike payload.
Details → https://thehackernews.com/2026/02/uat-10027-targets-us-education-and.html
New botnet loader Aeternum uses Polygon smart contracts as its C2 channel.
Commands go straight to the public blockchain; infected devices pull & execute them. No servers. No domains. No easy takedown.
(Also: US investigators linked a 300-device proxy net to a Belarus seller.)
Details → https://thehackernews.com/2026/02/aeternum-c2-botnet-stores-encrypted.html
⚡ Meta is suing scam advertisers in Brazil, China, and Vietnam after uncovering celeb-bait and cloaking schemes on its platforms.
It says it now protects 500,000+ celebrity images from repeated abuse and has suspended payments, disabled accounts, and blocked domains.
Read → https://thehackernews.com/2026/02/meta-files-lawsuits-against-brazil.html
⚠️ Microsoft warns of trojanized gaming tools spreading a Java-based RAT.
Attackers use PowerShell and built-in tools like cmstp.exe for stealth, add Defender exclusions and scheduled tasks for persistence, then connect to a C2 server to steal data and deploy more payloads.
Read → https://thehackernews.com/2026/02/trojanized-gaming-tools-spread-java.html
A new ScarCruft campaign shows how air-gapped networks are still reachable.
Zscaler's December 2025 findings detail malware that spreads through removable media while pulling payloads from Zoho WorkDrive and other cloud services.
The chain includes keylogging and audio/video capture modules.
Read → https://thehackernews.com/2026/02/scarcruft-uses-zoho-workdrive-and-usb.html
Five attacks. Five lessons. One goal: resilience.
From Boeing to Ascension, cybersecurity experts from Halcyon examined #ransomware incidents that reshaped cyber strategy - and the takeaways defenders can apply today.
Curious which decisions changed the outcome? Swipe → to see the high-level hits.
Don't wait for an incident to learn from one.
Download the full guide: https://thn.news/5-attacks-lessons
⚠️ A malicious Go package injected code into ssh/terminal/terminal.go to capture passwords.
It posed as Go's crypto library, stole secrets, loosened firewall rules, and deployed Rekoobe, a Linux trojan linked to APT31 as recently as 2023.
Read → https://thehackernews.com/2026/02/malicious-go-crypto-module-steals.html
🔥 You can now ask Kali Linux tools in plain English, powered by Anthropic Sonnet 4.5.
Through MCP, Claude SSHs into Kali to run tools like nmap, gobuster, nikto, hydra, sqlmap, metasploit, john, wpscan, enum4linux-ng, checks dependencies, and returns results in-app.
Read about it here → https://thehackernews.com/2026/02/threatsday-bulletin-kali-linux-claude.html#ai-powered-command-execution
🚨 WARNING: ~900 Sangoma FreePBX systems remain compromised via CVE-2025-64328, a command injection bug patched in 17.0.3.
The flaw allows authenticated shell access. Fortinet links the activity to INJ3CTOR3 deploying EncystPHP. Patch and restrict admin access.
Read → https://thehackernews.com/2026/02/900-sangoma-freepbx-instances.html
⚡ Federal authorities seized $61M in crypto tied to online investment scams.
The DOJ says victims were lured into fake high-return platforms, and funds were routed through multiple wallets to hide the trail. Many schemes are linked to scam compounds in Southeast Asia.
Read → https://thehackernews.com/2026/02/doj-seizes-61-million-in-tether-linked.html
Anthropic refused mass domestic surveillance and autonomous weapons use of its AI.
Days later, the Pentagon labeled it a national security supply chain risk. Federal agencies now have six months to phase out its tech. Anthropic says the move is legally unsound and limited to Defense contracts.
Learn how this fight could reshape military AI deals → https://thehackernews.com/2026/02/pentagon-designates-anthropic-supply.html
Researchers found 2,863 live Google API keys publicly exposed that could authenticate to Gemini endpoints once the API was enabled in a project.
Keys meant for billing could access files, cached data, and run LLM calls, racking up charges.
Read → https://thehackernews.com/2026/02/thousands-of-public-google-cloud-api.html
A malicious website could take over your OpenClaw AI agent without any click beyond visiting the page.
Oasis Security's ClawJacked chain exploits localhost WebSocket trust: brute-force gateway password, silently pair as trusted device, gain admin control to interact, enumerate, exfil data.
Read → https://thehackernews.com/2026/02/clawjacked-flaw-lets-malicious-sites.html
⚠️ Contagious Interview resurfaced with 26 malicious npm packages.
They decode steganographic C2 data from Pastebin essays, then deploy VS Code persistence, keylogging, browser and crypto wallet theft, and a cross-platform RAT. Infrastructure spans 31 Vercel deployments.
Read → https://thehackernews.com/2026/03/north-korean-hackers-publish-26-npm.html
Microsoft fixed CVE-2026-21513 (CVSS 8.8) in February after confirming zero-day exploitation in MSHTML.
A flaw in ieframe.dll let attackers bypass Mark-of-the-Web and IE ESC, enabling potential code execution.
Akamai linked a malicious LNK sample to infrastructure associated with APT28.
Read → https://thehackernews.com/2026/03/apt28-tied-to-cve-2026-21513-mshtml-0.html
⚡ Bot traffic often looks legitimate. It's HTTPS, well-formed, and hits your own APIs.
SafeLine is a self-hosted reverse-proxy WAF built to detect business-logic abuse alongside SQLi and XSS. The vendor claims 99.45% detection accuracy, with rate limiting and anti-bot challenges built in.
Read → https://thehackernews.com/2026/03/how-to-protect-your-saas-from-bot.html
Strategic Framework for Communicating AI Security
This free, editable template helps security leaders communicate AI risk, posture, and priorities in a way the board understands, using real metrics, risk narratives, and strategic framing.
Get the Template → https://thn.news/ai-board-template
Cloud, AI, SD-WAN, VPNs, developer tools, telecom, and critical sectors under strain.
⚠️ Zero-days exploited.
AI models scraped.
Cloud keys exposed.
C2 hidden in trusted services.
Critical CVEs piling up.
80K+ VPN scans in days.
This week's recap shows where risk is quietly expanding: https://thehackernews.com/2026/03/weekly-recap-sd-wan-0-day-critical-cves.html
Chrome is testing Merkle Tree Certificates (MTCs) to prepare HTTPS for the post-quantum era.
Instead of embedding post-quantum keys in bulky X.509 chains, a CA signs one "Tree Head" covering millions of certs. Browsers get a compact proof of inclusion, reducing TLS handshake data.
Read → https://thehackernews.com/2026/03/google-develops-merkle-tree.html
⚠️ A new Google Chrome flaw (CVE-2026-0628, CVSS 8.8) could let a malicious extension inject code into the Gemini side panel due to weak WebView policy enforcement.
Successful exploitation enabled privilege escalation and potential access to the camera, microphone, screenshots, and local files.
Details → https://thehackernews.com/2026/03/new-chrome-vulnerability-let-malicious.html
A threat group known as SloppyLemming used Rust malware for the first time in attacks on Pakistani and Bangladeshi government and infrastructure networks.
Arctic Wolf links the activity to spear-phishing, ClickOnce abuse, and a BurrowShell implant that masks traffic as Windows Update.
Details → https://thehackernews.com/2026/03/sloppylemming-targets-pakistan-and.html