Welcome to your biweekly digest of curated cybersecurity intelligence.
Every two weeks, we bring you expert insights and handpicked articles covering the latest threats, threat actor activity, vulnerabilities, incident trends, and defensive strategies. Whether you’re on the front lines or shaping your organization’s security posture, Security Signals delivers the information you need to stay informed and ready.
For more articles, check out our #onpatrol4malware blog.
February 2026 Edition
Key stats from real-world telemetry and live attack observations over the past month – a concise look at what we’re seeing across malware, phishing, ransomware, C2s, and domain abuse.
This Edition’s Articles
This edition's late March 2026 cyber threat reports capture a surge in real-world attacks – from ClickFix and Agent Tesla campaigns to MuddyWater activity and the Trivy supply chain compromise impacting CI/CD pipelines. This cycle highlights the growing abuse of trusted platforms like GitHub, Microsoft Teams, and browser extensions, alongside AI-assisted phishing, credential theft, and ransomware operations moving faster and scaling wider across enterprise environments.
Phishers hide scam links with IPv6 trick in “free toothbrush” emails
Source: Malwarebytes
(Published: 11 March 2026)
United Healthcare impersonators are using an IPv6 trick to hide the real destination of phishing links in emails promising free Oral-B toothbrushes.
Evil evolution: ClickFix and macOS infostealers
Source: Sophos
(Published: 11 March 2026)
Across three recent campaigns, Sophos X-Ops notes shifts in both lures and malware capabilities, as threat actors leveraging ClickFix techniques increasingly target macOS users with infostealers.
Ransomware TTPs Shifting in the Threat Landscape
Source: Google Cloud
(Published: 12 March 2026)
Ransomware operators are continuing to evolve their tactics, techniques, and procedures to improve access, persistence, and monetization across targeted environments.
Moving up the Assemblyline: Exposing malicious code in browser extensions
Source: Red Canary
(Published: 12 March 2026)
Browser extensions are ubiquitous, offering users enhanced functionality and customization.
Fileless Multi-Stage Remcos RAT: From Phishing to Memory
Source: Trellix
(Published: 12 March 2026)
Trellix researchers detail a fileless multi-stage attack chain delivering Remcos RAT entirely in memory to evade traditional detection mechanisms.
Fake ChatGPT Invites Target Users With Malware
Source: CyberPress
(Published: 13 March 2026)
Threat actors are distributing fake ChatGPT invitation links to lure victims into downloading malware disguised as legitimate AI tools.
GIBCrypto Ransomware With Snake Keylogger Connection
Source: K7 Computing
(Published: 13 March 2026)
Researchers identified GIBCrypto ransomware as a destructive threat linked to Snake keylogger activity and capable of significant data loss.
The Rise of Fake Shipment Tracking Scams in MEA
Source: Group-IB
(Published: 13 March 2026)
Every day, billions of people rely on postal and courier services to deliver everything from handwritten letters to high-value online orders.
Inside Keitaro Abuse: A Persistent Stream of AI-Driven Investment Scams
Source: Infoblox
(Published: 13 March 2026)
Infoblox researchers identified ongoing abuse of Keitaro traffic distribution systems to deliver AI-driven investment scams targeting unsuspecting users.
Slopoly Backdoor Powers Interlock Ransomware Intrusion
Source: Hive Pro
(Published: 14 March 2026)
Threat actors are using the Slopoly backdoor, enhanced with AI-assisted techniques, to support Interlock ransomware intrusion campaigns.
Asyncing Feeling: When Your Download Comes With Something Extra
Source: NCC Group
(Published: 14 March 2026)
NCC Group researchers uncovered a malware campaign where compromised downloads include hidden payloads that execute during installation.
ForceMemo: Hundreds of GitHub Python Repos Compromised via Account Takeover and Force-Push
Source: StepSecurity
(Published: 14 March 2026)
The StepSecurity threat intelligence team was the first to discover and report on an ongoing campaign – which we are tracking as ForceMemo – in which an attacker is compromising hundreds of GitHub accounts and injecting identical malware into hundreds of Python repositories.
Scarface Stealer: An In-Depth Analysis
Source: SonicWall
(Published: 15 March 2026)
SonicWall researchers analyze Scarface Stealer, a credential harvesting malware designed to extract sensitive information from infected systems.
Malicious Polymarket Bot Hides in Hijacked dev-protocol GitHub Org and Steals Wallet Keys
Source: StepSecurity
(Published: 15 March 2026)
The StepSecurity threat intelligence team discovered that dev-protocol – a verified GitHub organization with 568 followers belonging to a legitimate Japanese DeFi project – has been hijacked and is now being used to distribute malicious Polymarket trading bots.
AI-Assisted Phishing Campaign Exploits Browser Permissions to Capture Victim Data
Source: Cyble
(Published: 16 March 2026)
Cyble analyzes an AI-driven phishing campaign that abuses browser permissions to capture victims' images and exfiltrate the data to attacker-controlled Telegram bots.
Boggy Serpens Threat Assessment
Source: Unit 42 (Palo Alto Networks)
(Published: 16 March 2026)
Unit 42 provides a detailed assessment of the Boggy Serpens threat group, including its tactics, infrastructure, and observed campaigns.
Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack
Source: Trend Micro
(Published: 16 March 2026)
Warlock continues to enhance its attack chain with new tactics to improve persistence, lateral movement, and defense evasion using an expanded toolset: TightVNC, Yuze, and a persistent BYOVD technique leveraging the NSec driver.
Casting a Wider Net: ClickFix, Deno, and LeakNet’s Scaling Threat
Source: ReliaQuest
(Published: 17 March 2026)
Ransomware operator “LeakNet” is currently averaging about three victims per month, but it’s scaling up and shifting tactics.
MuddyWater APT Uses Tsundere Botnet and EtherHiding for C2
Source: eSentire
(Published: 17 March 2026)
The MuddyWater threat group is leveraging the Tsundere botnet and EtherHiding techniques to obscure command-and-control infrastructure.
PureLog Stealer Delivered Through Copyright Lures
Source: Trend Micro
(Published: 17 March 2026)
Attackers are using copyright infringement lures to deliver a multi-stage infection chain that ultimately installs the PureLog information stealer.
Trivy Supply Chain Attack: What You Need to Know
Source: Aqua Security
(Published: 18 March 2026)
A supply chain attack targeting Trivy introduced malicious code into CI/CD pipelines through compromised GitHub Actions workflows.
Data Exfiltration Infrastructure Exposed
Source: Huntress
(Published: 18 March 2026)
Huntress uncovered a threat actor infrastructure used for large-scale data exfiltration operations across compromised environments.
AI-Enhanced Ransomware Attacks Leveraging Slopoly
Source: IBM X-Force
(Published: 18 March 2026)
IBM X-Force reports that threat actors are incorporating AI capabilities into ransomware campaigns to improve targeting and execution efficiency.
Microsoft Teams Social Engineering Delivers A0Backdoor Malware
Source: Hive Pro
(Published: 19 March 2026)
Threat actors are using Microsoft Teams as a delivery mechanism for A0Backdoor malware through social engineering tactics.
WebRTC Skimmer Targets E-Commerce Platforms
Source: Sansec
(Published: 19 March 2026)
Researchers uncovered a WebRTC-based skimmer that captures payment data from compromised e-commerce sites in real time.
Fake Telegram Malware Campaign Uses Multi-Stage Loader
Source: K7 Computing
(Published: 20 March 2026)
A multi-stage malware campaign is leveraging fake Telegram applications distributed via typosquatted domains to infect users.
PixRevolution: Android Trojan Targets Brazil’s PIX Payment System
Source: Zimperium
(Published: 20 March 2026)
PixRevolution is an Android banking trojan that hijacks Brazil’s PIX payment system in real time to steal funds from victims.
ROADK1LL: A WebSocket-Based Pivoting Implant
Source: Blackpoint Cyber
(Published: 21 March 2026)
ROADK1LL is a post-exploitation implant that uses WebSocket communication to pivot within compromised networks and maintain persistence.
TeamPCP Expands Supply Chain Compromise From Trivy to Checkmarx
Source: Sysdig
(Published: 22 March 2026)
The TeamPCP threat actor has expanded its supply chain attack operations by targeting additional CI/CD tools and GitHub Actions workflows.
Perseus DTO Malware: Stealthy Data Theft Capabilities
Source: ThreatFabric
(Published: 22 March 2026)
Perseus DTO malware enables attackers to silently capture sensitive data while maintaining persistence on infected systems.
Bucklog: Kubernetes-Focused Threat Activity Observed in the Wild
Source: GreyNoise
(Published: 23 March 2026)
GreyNoise observed active exploitation attempts targeting Kubernetes environments associated with a campaign dubbed Bucklog.
CanisterWorm: How a Self-Propagating npm Worm Is Spreading Backdoors Across the Ecosystem
Source: StepSecurity
(Published: 23 March 2026)
Following Trivy’s compromise, StepSecurity’s AI Package Analyst flagged suspicious new releases across multiple npm scopes – revealing CanisterWorm, a self-propagating npm worm deployed by the TeamPCP threat actor.
VoidStealer Bypasses ABE Protections
Source: Gen Digital
(Published: 24 March 2026)
Researchers identified VoidStealer malware capable of bypassing Application Bound Encryption protections to extract sensitive credentials.
Want more articles? Check out the previous edition of Security Signals here.