Zero Day Wire

Trivy Supply Chain Attack Escalates — TeamPCP Pushes Infostealers via Docker Hub, Deploys Kubernetes Wiper Targeting Iranian Systems

Threats

The supply chain compromise of Trivy, the widely used open-source vulnerability scanner maintained by Aqua Security, has escalated dramatically — with threat actor TeamPCP pushing malicious Docker images to Docker Hub, defacing Aqua Security's internal GitHub organization, distributing a self-propagating worm across dozens of npm packages, and

By Zero Day Wire
Storm-2561 Distributes Fake Enterprise VPN Clients From Cisco, Fortinet, and Ivanti via SEO Poisoning to Steal Corporate Credentials

Threats

Microsoft has disclosed a credential theft campaign by Storm-2561, a criminal group active since May 2025, that distributes fake enterprise VPN clients from major vendors through SEO poisoning — capturing corporate credentials before seamlessly redirecting victims to the real VPN download to erase any indication of compromise. The campaign, running

By Zero Day Wire
CISA Adds SolarWinds, Ivanti, and Workspace One Flaws to KEV Catalog — SolarWinds Linked to Warlock Ransomware Activity

Alerts

CISA has added three actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog — a critical SolarWinds deserialization flaw linked to Warlock ransomware operations, an Ivanti Endpoint Manager authentication bypass, and a long-standing Workspace One SSRF vulnerability now being weaponized in coordinated campaigns. Federal agencies face an accelerated two-day

By Zero Day Wire
BlackBasta-Linked Actors Deploy New A0Backdoor via Microsoft Teams Social Engineering With DNS MX-Based C2

Threats

Threat actors linked to the dissolved BlackBasta ransomware operation are targeting employees at financial and healthcare organizations through Microsoft Teams social engineering to deploy a previously undocumented backdoor called A0Backdoor that hides its command-and-control communications inside DNS MX record queries. The campaign, disclosed by BlueVoyant, has confirmed targets

By Zero Day Wire
ShinyHunters Claims 100 High-Profile Victims in Salesforce Data Heist Using Modified Mandiant Tool to Exploit Experience Cloud Misconfigurations

Breaches

The ShinyHunters extortion gang claims to have stolen data from approximately 100 high-profile companies — including Salesforce itself, Snowflake, Okta, LastPass, Sony, and AMD — in a months-long campaign exploiting misconfigured Salesforce Experience Cloud sites using a weaponized version of an open-source tool originally developed by Mandiant for defensive

By Zero Day Wire
Dutch Intelligence Warns of Russian State Campaign Hijacking Signal and WhatsApp Accounts of Government Officials Worldwide

Threats

The Dutch intelligence services AIVD and military intelligence service MIVD have issued a joint advisory warning that Russian state hackers are conducting a large-scale campaign to hijack Signal and WhatsApp accounts belonging to senior government officials, military personnel, civil servants, and journalists worldwide. Dutch government employees have already been

By Zero Day Wire
FBI Investigates Breach of Internal Surveillance System Containing Wiretap Data and Investigation Subject PII

Breaches

The FBI has disclosed to Congress that it is investigating a breach of an internal system containing sensitive surveillance data — including wiretap-related records and personally identifiable information on subjects of FBI investigations. The bureau began investigating abnormal log activity on February 17, 2026, and notified members of Congress this

By Zero Day Wire
Chinese Threat Actor CL-UNK-1068 Targets Asian Critical Infrastructure Across Seven Sectors in Years-Long Espionage Campaign

Threats

Palo Alto Networks Unit 42 has disclosed a years-long espionage campaign by a previously undocumented Chinese threat group designated CL-UNK-1068 targeting high-value organizations across seven critical infrastructure sectors in South, Southeast, and East Asia. The campaign, assessed with moderate-to-high confidence as cyber espionage, targets

By Zero Day Wire