⚡ WEBINAR — Your dashboard says “all good.” Attackers see gaps.

Stop guessing. Learn to validate your defenses against real attacks as experts demonstrate testing with real threat behavior to uncover gaps and prove what works.

🔗 See how it works → https://thehackernews.com/2026/03/webinar-stop-guessing-learn-to-validate.html

ThreatsDay Bulletin: quick hits from a very busy week...

🔐 PQC push
🤖 AI bug finds
💿 Pirated backdoors
🧩 Wallet drainer
📱 Firmware backdoor
🎣 Phish kits rebound
📅 RMM via invites
🧠 Fileless stealer
📦 npm key theft
📊 Ranking bug abuse
🖥️ MSSQL scanner
📄 Forms malware
💬 Web3 RAT lures
☎️ Cloud fraud phones
🌐 IIS outdated
📷 CCTV abuse
🔀 TDS scams
💻 PS ransomware
🕵️ NK op exposed
🧬 Polyfill link
⚖️ Case dismissed
🔓 Password powers
📱 Android RAT

🔗 Full roundup → https://thehackernews.com/2026/03/threatsday-bulletin-pqc-push-ai-vuln.html

🚨 Coruna turns a 2023 #iOS espionage exploit into a broader attack kit.

Kaspersky confirms it reuses and evolves the Triangulation kernel exploit, now updated for newer chips and iOS versions and still actively maintained.

Now bundled into 23 exploits across 5 chains and used beyond targeted ops, it shows #iPhone exploitation is scaling.

🔗 How Coruna evolved and is being deployed → https://thehackernews.com/2026/03/coruna-ios-kit-reuses-2023.html

Learn to Secure Containers | Free Certification.

Transform your team into experts in practical container security. This free, self-paced course covers everything from selecting secure base images and scanning for vulnerabilities to protecting your production environment.

Complete the course to earn a shareable certification badge.

Start Free Course: https://thn.news/container-security-academy

⚠️ A flaw in Claude’s Chrome extension let attackers inject prompts by just visiting a page.

No clicks. A hidden iframe + XSS chain made the extension treat attacker input as real user commands, enabling data theft and actions like sending emails.

🔗 How the silent prompt injection worked → https://thehackernews.com/2026/03/claude-extension-flaw-enabled-zero.html

🛑 A China-linked group has embedded kernel-level sleeper implants in telecom networks since 2021.

Its BPFDoor backdoor runs inside the OS, triggers via crafted packets, and enables long-term monitoring of government networks and users.

🔗 Read → https://thehackernews.com/2026/03/china-linked-red-menshen-uses-stealthy.html

A flaw in ClawHub let attackers fake download counts to rank #1.

An exposed backend function had no auth or limits, allowing anyone to inflate downloads and push malicious skills to the top—creating false trust and enabling code execution at scale.

🔗 How attackers manipulated ClawHub rankings and spread malicious skills → https://thehackernews.com/2026/03/threatsday-bulletin-pqc-push-ai-vuln.html#bug-lets-attackers-fake-rankings

⚠️ Three flaws in LangChain and LangGraph expose files, secrets, and chat history.

Path traversal, unsafe deserialization, and SQL injection create separate paths to access sensitive data in enterprise AI apps.

🔗 Full breakdown of each CVE and impact → https://thehackernews.com/2026/03/langchain-langgraph-flaws-expose-files.html

🚨 A pro-Ukraine group has carried out 70+ cyberattacks on Russian firms since 2025.

Bearlyfy mixes extortion and sabotage, shifting from small companies to large enterprises with six-figure demands. It now uses custom GenieLocker ransomware.

🔗 Read → https://thehackernews.com/2026/03/bearlyfy-hits-70-russian-firms-with.html

Attackers are hijacking TikTok for Business accounts using AitM phishing pages.

Fake login flows use Cloudflare Turnstile to evade detection, then steal credentials for account takeover and malvertising.

🔗 Full breakdown of the TikTok phishing chain → https://thehackernews.com/2026/03/aitm-phishing-targets-tiktok-business.html

🛑 Open VSX flaw let attackers publish malicious VS Code extensions by bypassing scans.

Single boolean bug treated scan failures as “nothing to scan,” so extensions passed under load and went live.

🔗 How scan failures were misread and checks skipped → https://thehackernews.com/2026/03/open-vsx-bug-let-malicious-vs-code.html

Cybersecurity is now tied to geopolitics.

State-backed cyber operations target telecoms, infrastructure, and governments, while hacktivist groups increasingly align with national interests.

🔗 How cyber conflict is reshaping global security → https://thehackernews.com/2026/03/we-are-at-war.html

🚨 A supply chain attack hit the telnyx Python package—versions 4.87.1 and 4.87.2 were backdoored to steal credentials.

Malware hidden in .WAV files runs on import, exfiltrates data, persists on Windows, and runs fileless on Linux/macOS before deleting traces.

🔗 Read → https://thehackernews.com/2026/03/teampcp-pushes-malicious-telnyx.html

🛑 Apple is sending #iPhone Lock Screen alerts warning users about active web-based attacks targeting outdated iOS.

Coruna and DarkSword exploit kits target older iOS via compromised sites, expanding risk beyond targeted attacks.

🔗 Read → https://thehackernews.com/2026/03/apple-sends-lock-screen-alerts-to.html

🛑 Russian-linked TA446 is using DarkSword iOS exploit kit in targeted phishing emails.

Spoofed “discussion invites” trigger exploits only on iPhones and deliver GHOSTBLADE malware, expanding from credential theft to device compromise across government, academia, and policy targets.

🔗 How DarkSword is used in these attacks → https://thehackernews.com/2026/03/ta446-deploys-leaked-darksword-ios.html

⚠️ CISA flagged active exploitation of an F5 BIG-IP APM flaw.CVE-2025-53521 (CVSS 9.3) enables RCE, reclassified from DoS after new findings.

Exploitation is confirmed in the wild, with a federal patch deadline set.

🔗 Read → https://thehackernews.com/2026/03/cisa-adds-cve-2025-53521-to-kev-after.html

🚨 Attackers are probing Citrix NetScaler for CVE-2026-3055 (CVSS 9.3).

Honeypots show requests to /cgi/GetAuthMethods to identify SAML IdP setups, which are required for exploitation.

🔗 How attackers are mapping vulnerable NetScaler targets → https://thehackernews.com/2026/03/citrix-netscaler-under-active-recon-for.html

⚡ Iran-linked hackers breached FBI Director Kash Patel’s personal email and leaked years-old data.

No government data was exposed, but the breach is part of a wider campaign using phishing, VPN access, and wiper attacks to disrupt targets and send geopolitical signals.

🔗 Read about tactics, Stryker attack, and MOIS links → https://thehackernews.com/2026/03/iran-linked-hackers-breach-fbi.html

⚠️ Three China-linked clusters targeted a Southeast Asian government in a coordinated operation.

Overlapping malware and tactics show a sustained push for long-term access, not disruption, across several months in 2025.

🔗 Read → https://thehackernews.com/2026/03/three-china-linked-clusters-target.html

AI isn’t making code safer. It’s expanding the attack surface.

As Eric Fourrier, GitGuardian CEO, notes, 28.65M secrets were exposed in 2025 as AI workflows expanded tokens, APIs, and machine identities.

Risk has shifted from code to credentials. Remediation is now the bottleneck.

🔗 Why AI security is shifting beyond code → https://thehackernews.com/expert-insights/2026/03/the-real-problem-isnt-that-ai-cant.html

🛑 A Russian-linked toolkit is spreading through fake Windows shortcut files disguised as private key folders.

CTRL hides activity through RDP tunnels and local pipes, avoiding standard C2 traffic and reducing network detection signals.

🔗 Read → https://thehackernews.com/2026/03/russian-ctrl-toolkit-delivered-via.html