Microsoft says attackers are poisoning search results to spread fake VPN clients that steal credentials.

The campaign redirects software searches to trojanized installers on GitHub that show fake VPN prompts while Hyrax steals credentials.

🔗 Read → https://thehackernews.com/2026/03/storm-2561-spreads-trojan-vpn-clients.html

INTERPOL dismantled 45,000 malicious IPs and servers tied to phishing, malware, and ransomware.

Operation Synergia III across 72 countries led to 94 arrests, 110 suspects under investigation, and seized devices and servers tied to global scam infrastructure.

🔗 Read → https://thehackernews.com/2026/03/interpol-dismantles-45000-malicious-ips.html

🛑 Meta will shut down Instagram’s end-to-end encrypted chats on May 8, 2026.

Users with affected conversations will get instructions to download messages or media before the change.

🔗 Read → https://thehackernews.com/2026/03/meta-to-shut-down-instagram-end-to-end.html

Researchers exposed a long-running cyber espionage campaign targeting Southeast Asian militaries.

The cluster CL-STA-1087 deployed AppleChris and MemFun backdoors plus a custom Mimikatz variant to quietly extract data on C4I systems, military capabilities, and Western defense ties.

🔗 Tools and tradecraft → https://thehackernews.com/2026/03/chinese-hackers-target-southeast-asian.html

Researchers found 72 malicious extensions in the Open VSX registry.

Attackers publish a harmless VS Code extension, gain trust, then update it to pull a GlassWorm dependency.

The payload steals tokens, credentials, and crypto wallets from developer systems.

🔗 Read → https://thehackernews.com/2026/03/glassworm-supply-chain-attack-abuses-72.html

🛑 OpenClaw AI agents can leak data via indirect prompt injection.

A crafted URL generated by the agent triggers Telegram or Discord link previews that silently send sensitive data to attacker domains.

China’s CNCERT warns organizations to isolate or restrict the tool.

🔗 Attack details → https://thehackernews.com/2026/03/openclaw-ai-agent-flaws-could-enable.html

🔒 Google is tightening Android’s defenses.

In Android 17 Beta 2, Advanced Protection Mode 🛡️ blocks most apps from accessing the Accessibility Services API.

Malware has long abused it to read screens and steal data.

🔗 Read → https://thehackernews.com/2026/03/android-17-blocks-non-accessibility.html

🚨 Russian-linked actors targeted Ukrainian entities with DRILLAPP, a JavaScript backdoor executed through Microsoft Edge.

It abuses Chromium debugging flags to access files, record audio, capture webcam images, and grab screen data.

Lures referenced Starlink installs and a Ukrainian charity.

🔗 Read → https://thehackernews.com/2026/03/drillapp-backdoor-targets-ukraine.html

⚠️ A new ClickFix variant abuses Win+R to mount a remote WebDAV drive and run malware.

It launches a trojanized WorkFlowy Electron app that beacons to C2 every 2 seconds. Atos says it bypassed Microsoft Defender and surfaced only through threat hunting.

🔗 Inside: WebDAV trick + ASAR injection → https://thehackernews.com/2026/03/investigating-new-click-fix-variant.html

🛑 ALERT: ClickFix campaigns are spreading macOS infostealer MacSync.

Victims paste a Terminal command from fake install pages or ChatGPT threads, installing malware that steals credentials, files, Keychain data, and crypto wallet seeds.

🔗 Read → https://thehackernews.com/2026/03/clickfix-campaigns-spread-macsync-macos.html

Stop testing silos. Attackers don’t exploit single flaws; they chain them.

Agentic AI validation replaces fragmented scanning with continuous, system-wide testing. It maps the path from threat to asset in real-time.

🔗 Stop guessing. Start validating → https://thehackernews.com/2026/03/why-security-validation-is-becoming.html

🔥 This week’s CYBER RECAP is pure “👀 what the hell now” energy.

Fresh bugs. Quiet abuse. Supply-chain messes. Botnet weirdness. Phishing getting uglier. AI doing AI things. And the usual pile of flaws you really don’t want to ignore.

Skim it for the headlines. Read it properly for the stuff that’s going to show up in everyone’s incident notes next.

🔗 Read → https://thehackernews.com/2026/03/weekly-recap-chrome-0-days-router.html

Attackers are hijacking GitHub accounts and silently planting malware in Python repos.

ForceMemo uses stolen tokens to force-push malicious code while preserving the original commit author and message—rewriting Git history with no visible trace in the UI.

🔗 Read → https://thehackernews.com/2026/03/glassworm-attack-uses-stolen-github.html

⚠️ CISA flags CVE-2025-47813 in Wing FTP as actively exploited.

It leaks server paths via cookie errors—low severity, high value. Attackers can pair it with a known RCE flaw already used to deploy malware.

🔗 How it enables real attack chains → https://thehackernews.com/2026/03/cisa-flags-actively-exploited-wing-ftp.html

Firewalls still see encrypted port 443 traffic, not what users actually do inside SaaS apps or AI tools.

As Dedi Shindler (Red Access) notes, that blinds teams to prompts, data leaks, and session activity. The fix isn’t replacing firewalls—it’s adding session-level visibility.

🔗 Firewall-native SSE explained → https://thehackernews.com/expert-insights/2026/03/the-firewall-isnt-blind-it-just-needs.html

⚠️ A fake job notice triggered full compromise in a Konni campaign.

The attack drops EndRAT, enabling remote control, persistence, and silent data theft, then spreads via KakaoTalk messages from the victim’s account.

Trusted contacts become the attack path.

🔗 Read → https://thehackernews.com/2026/03/konni-deploys-endrat-through-spear.html

Most CISOs don’t know where AI runs in their own orgs. 67% lack visibility—0% have full oversight.

AI is spread across cloud, apps, and identity, owned by no one. Risk can’t be measured, let alone controlled.

🔗 Data shows where AI security actually breaks → https://thehackernews.com/2026/03/ai-is-everywhere-but-cisos-are-still.html

⚠️ A full Roundcube exploit kit tied to APT28 was found on a live server, targeting Ukrainian government email.

It enables XSS takeover, mailbox exfiltration, hidden forwarding, and even 2FA secret theft. Includes a new CSS-based data exfiltration method.

🔗 Toolkit details → https://thehackernews.com/2026/03/weekly-recap-chrome-0-days-router.html#:~:text=Roundcube%20Exploitation%20Toolkit%20Discovered

AI agents don’t need prompts to turn rogue. They can coordinate attacks on their own.

Tests show agents collaborating to escalate privileges, disable defenses, and steal data—even persuading each other to act.

🔗 Report details how agent-to-agent collusion bypasses controls → https://thehackernews.com/2026/03/weekly-recap-chrome-0-days-router.html#:~:text=Rogue%20AI%20Agents%20Can%20Work%20Together%20to%20Engage%20in%20Offensive%20Behaviors

The best security teams aren't just reactive. They're informed.

Knowing what attackers are doing, how they operate, and where your gaps are isn't a nice-to-have, it's the foundation of a modern defense strategy. That's what Threat-Informed Defense delivers.

This guide lays out a six-stage Threat-Informed Defense pipeline to help your team:

⦿ Cut through alert noise and focus on threats that matter
⦿ Test your people, processes, and technology against realistic attack scenarios
⦿ Put CTI to work operationally with tools like OpenCTI + OpenAEV
⦿ Turn detection and response into a continuous, self-improving cycle

Download the guide today → https://thn.news/infosec-threat-guide

⚠️ LeakNet drops access brokers for ClickFix compromised sites trick users into running msiexec commands via fake CAPTCHA.

Lower cost, faster scale. Deno executes payloads in memory, then lateral movement and data theft follow.

🔗 Details here → https://thehackernews.com/2026/03/leaknet-ransomware-uses-clickfix-via.html