Intelligence
30 March 2026
Check Point Research
30th March – Threat Intelligence Report
March 30, 2026 For the latest discoveries in cyber research for the week of 30th March, the Threat Intelligence Report highlights several significant cybersecurity incidents:
1. **Iranian Threat Group**: Handala Hack breached the personal Gmail account of FBI Director Patel, leaking personal photos and documents. The group’s activities have intensified targeting Israeli and American entities amid the ongoing Iran conflict. Domains linked to Handala Hack were seized by the FBI last week.
2. **Ransomware Attacks**:
- Spain’s Port of Vigo in Galicia suffered a ransomware attack, forcing officials to disconnect parts of its network and switch cargo handling to manual processes. Equipment was locked, disrupting digital logistics while physical ship movement continued unaffected.
- The Netherlands’ Ministry of Finance confirmed a March 19 cyberattack that breached internal systems in its policy department, disrupting work for some employees. Tax, customs, and benefits services remained unaffected, and no threat actor publicly claimed responsibility.
3. **Decentralized Finance (DeFi) Attack**:
- Decentralized finance platform Resolv suffered a cyberattack after a compromised private key allowed an attacker to mint $80 million in uncollateralized USR tokens and swap them for 11,408 ETH worth $24.5 million. Resolv confirmed the incident, paused the app, and offered a 10% bounty for returned funds.
4. **AI Threats**:
- Researchers demonstrated a supply chain compromise of LiteLLM, a Python library linking apps to major AI services, after attackers hijacked a security tool and pushed malicious releases on March 24. The tainted packages harvested API keys and cloud credentials, exposing widely used AI projects.
- Three high-severity vulnerabilities in LangChain and LangGraph were identified, enabling arbitrary file access, secret leakage, and SQL injection. Patches were issued in updated components.
- A zero-click flaw in Anthropic’s Claude Chrome extension allowed any website to silently inject prompts and control the assistant, exploiting an overly permissive trusted domain list and a scripting bug in Arkose Labs CAPTCHA handling.
5. **Vulnerabilities and Patches**:
- Cisco addressed CVE-2026-20131, a CVSS 10 vulnerability in Secure Firewall Management Center, allowing unauthenticated attackers to execute code as root. Cisco confirmed attempted exploitation in March 2026 and released fixes.
- TP-Link issued firmware updates addressing CVE-2025-15517 and related critical flaws in Archer NX200, NX210, NX500, and NX600 5G Wi-Fi routers, enabling unauthorized access and command execution.
- Citrix released patches for CVE-2026-3055 and CVE-2026-4368 affecting NetScaler ADC and Gateway, exposing sensitive data and session confusion risks.
6. **iOS Exploit Chain**:
- Researchers warned of a leaked ‘DarkSword’ iOS exploit chain enabling no-click attacks via Safari, threatening up to 270 million unpatched iPhones and iPads. Apple issued fixes, including emergency updates for iOS 15 and 16.
7. **Adtech and Malvertising**:
- Cybercriminals are abusing Keitaro, a commercial adtech tracker, to distribute phishing, scams, and malware at scale. Infoblox linked the platform to major malvertising and spam operations, including campaigns impersonating Canadian banks, logistics brands, and high-trust retail providers.
8. **APT28 (Fancy Bear) Activity**:
- Researchers analyzed the activity of Russian threat group APT28, targeting Ukraine and its European defense supply chain partners with the PRIXMES toolset, which combines espionage and sabotage capabilities. Multiple vulnerabilities, including zero-days, were exploited.
9. **Phishing Campaigns**:
- A coordinated adversary-in-the-middle phishing campaign targeted TikTok for Business users who sign in with Google. Attackers deployed proxy login pages to capture passwords and session cookies, bypassing multi-factor authentication. Newly registered domains and Cloudflare-hosted infrastructure were used to scale impersonation efforts.
The report also references past Check Point Research publications on evolving phishing campaigns and malware, such as 'The Turkish Rat' and StealthLoader.
Related Articles
06 April 2026
Yahoo
South Korea says 'credible intelligence' indicates North Korean leader's daughter is successor
South Korea's spy agency now believes North Korean leader Kim Jong Un's teenage daughter has been positioned as his successor, citing credible intelligence coll...
Read More
05 April 2026
Silicon Canals
Research suggests that high intelligence doesn't protect against bad decisions - it makes people better at constructing convincing justifications for the bad decisions they were already going to make
a 2012 study out of Yale found that people with the highest science literacy weren’t the most aligned on contested facts. They were the most polarized. Their su...
Read More
05 April 2026
CoinDesk
Drift says $270 million exploit was a six-month North Korean intelligence operation
Attackers posed as a trading firm, met Drift contributors in person across multiple countries, deposited $1 million of their own capital, and waited half a year...
Read More
03 April 2026
富途牛牛
Geekplus-W and Ubtech Robotics have successively introduced chief scientists, marking the entry of embodied intelligence into a 'top-tier brain' arms race.
Recently, Ubtech Robotics (09880.HK) announced a recruitment drive for a Chief Embodied Intelligence Scientist, offering salaries up to 124 million yuan, signal...
Read More