
APT28 Deploys Custom Malware Against Ukrainian Military as CISA Flags Active Exploitation of Ivanti, SolarWinds Flaws

Report Date: Wednesday, March 11, 2026

Reporting Period: March 4–11, 2026


1. EXECUTIVE SUMMARY

This week's intelligence highlights significant nation-state activity, critical vulnerability disclosures, and emerging threats to critical infrastructure sectors:

  • Nation-State Threat Activity: Russian APT28 (Fancy Bear) has been observed deploying custom variants of the Covenant post-exploitation framework alongside new BEARDSHELL malware to conduct long-term surveillance of Ukrainian military personnel. Separately, Dutch intelligence revealed Russian state hackers are targeting WhatsApp and Signal accounts of military and government officials globally.
  • Active Exploitation Alert: CISA added vulnerabilities in SolarWinds, Ivanti Endpoint Manager (EPM), and VMware Workspace ONE to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies patch within three weeks. The Ivanti EPM flaw is confirmed under active exploitation.
  • Patch Tuesday Updates: Microsoft addressed 83 vulnerabilities (including 2 zero-days), Adobe patched 80 flaws across eight products, and SAP fixed critical code injection vulnerabilities in FS-QUO and NetWeaver that could enable arbitrary code execution.
  • ICS/OT Security: CISA released four Industrial Control System (ICS) advisories affecting Honeywell building management systems, Lantronix serial device servers, and Ceragon wireless backhaul equipment—all commonly deployed in critical infrastructure environments.
  • Physical Security: An attempted terrorist attack involving explosives near the New York City Mayor's residence underscores the persistent physical threat to government officials and critical facilities.
  • Emerging Threats: New malware campaigns including KadNap (targeting ASUS routers for proxy botnets), BlackSanta (EDR-killing malware targeting HR departments), and BeatBanker (Android malware masquerading as Starlink app) demonstrate evolving attacker techniques.

2. THREAT LANDSCAPE

2.1 Nation-State Threat Actor Activities

APT28 (Fancy Bear) – Russia

  • Campaign: Russian state-sponsored APT28 is conducting long-term surveillance operations against Ukrainian military personnel using a customized variant of the open-source Covenant post-exploitation framework alongside new malware dubbed BEARDSHELL.
  • Significance: The use of modified open-source tools complicates attribution and detection, as defenders may not recognize customized variants in their security tooling.
  • Targets: Ukrainian military personnel and associated communications infrastructure.
  • Source: Bleeping Computer, The Hacker News

Russian Targeting of Secure Messaging Platforms

  • Activity: Dutch intelligence services have disclosed that Russian state hackers are actively attempting to hijack WhatsApp and Signal accounts belonging to military and government officials worldwide.
  • Implications: This campaign threatens secure communications channels used by defense and government personnel, potentially compromising operational security and sensitive discussions.
  • Recommended Action: Organizations should reinforce secure messaging protocols, enable additional authentication factors where available, and educate personnel on social engineering tactics targeting messaging platforms.
  • Source: Infosecurity Magazine

2.2 Ransomware and Cybercriminal Developments

ShinyHunters Salesforce Campaign

  • Activity: The prolific ShinyHunters threat group claims to have stolen data from nearly 400 websites by exploiting misconfigurations in Salesforce Experience Cloud deployments.
  • Method: Attackers are using a customized version of the AuraInspector tool to mass-scan for vulnerable Salesforce instances.
  • Impact: Hundreds of Salesforce customers are reportedly affected, with data theft campaigns ongoing.
  • Mitigation: Organizations using Salesforce Experience Cloud should immediately audit access controls, review sharing settings, and implement Salesforce's security health check recommendations.
  • Source: SecurityWeek, The Hacker News

BlackSanta EDR Killer

  • Threat: A Russian-speaking threat actor has been targeting HR departments for over a year with malware that deploys a new EDR (Endpoint Detection and Response) killer named BlackSanta.
  • Technique: The malware specifically targets and disables endpoint security solutions before deploying additional payloads.
  • Sector Impact: HR departments across multiple sectors are at risk, with potential for credential theft and lateral movement.
  • Source: Bleeping Computer

2.3 Emerging Attack Vectors and Malware

KadNap Botnet

  • Target: ASUS routers and edge networking devices
  • Purpose: Enlisting compromised devices into a proxy botnet for malicious traffic
  • Scale: Over 14,000 edge devices reportedly infected
  • Infrastructure Impact: Compromised edge devices can be used to proxy attacks against critical infrastructure, obscuring attacker origins
  • Source: Bleeping Computer, The Hacker News

Zombie ZIP Evasion Technique

  • Description: A new technique called "Zombie ZIP" allows threat actors to conceal malicious payloads in specially crafted compressed files that evade antivirus and EDR detection.
  • Implication: Security teams should update detection rules and consider additional inspection of compressed file attachments.
  • Source: Bleeping Computer

BeatBanker Android Malware

  • Disguise: Poses as a Starlink application on fake Google Play Store websites
  • Capability: Device hijacking and credential theft
  • Relevance: Starlink is increasingly used for critical communications in remote infrastructure and emergency response scenarios
  • Source: Bleeping Computer

GhostClaw RAT via OpenClaw Typosquatting

  • Vector: Developers searching for the legitimate OpenClaw project are being served the malicious GhostClaw remote access trojan through typosquatted look-alike names
  • Risk: Supply chain compromise affecting development environments
  • Source: CSO Online

2.4 Physical Security Threats

Attempted Terrorist Attack – New York City

  • Incident: Explosives were thrown outside the residence of New York City Mayor Zohran Mamdani in what authorities are characterizing as an attempted terrorist attack.
  • Status: Investigation ongoing
  • Implications: This incident highlights the persistent physical threat to government officials and the need for enhanced protective measures around critical government facilities.
  • Source: Security Magazine

3. SECTOR-SPECIFIC ANALYSIS

3.1 Energy Sector

OT Security Concerns

  • Analysis: Industry experts are raising alarms about legacy operational technology (OT) systems in industrial environments, characterizing them as "the biggest cyber risk nobody wants to fix."
  • Challenge: Many energy sector organizations continue to operate decades-old control systems that cannot be easily patched or replaced without significant operational disruption.
  • Recommendation: Energy sector operators should prioritize network segmentation, implement compensating controls around legacy systems, and develop phased modernization roadmaps.
  • Source: CSO Online

New IT/OT Security Platform

  • Development: Kai, a new cybersecurity startup founded by a Claroty co-founder, has emerged from stealth with $125 million in funding for an AI-powered platform designed to bridge IT and OT security.
  • Significance: This investment signals continued market recognition of the IT/OT convergence security challenge facing critical infrastructure operators.
  • Source: SecurityWeek

3.2 Water & Wastewater Systems

ICS Advisory – Lantronix Serial Device Servers

  • Affected Products: Lantronix EDS3000PS and EDS5000 serial device servers
  • Relevance: These devices are commonly used in water/wastewater SCADA environments for serial-to-IP conversion
  • Action Required: Water utilities should review CISA advisory ICSA-26-069-02 and apply patches or mitigations
  • Source: CISA ICS Advisories

3.3 Communications & Information Technology

Ericsson Data Breach

  • Impact: Approximately 15,000 employees and customers affected
  • Cause: Third-party service provider compromise
  • Sector Relevance: Ericsson is a major telecommunications equipment and services provider, so the breach may have implications for telecom infrastructure security
  • Source: SecurityWeek, Infosecurity Magazine

Ceragon Wireless Backhaul Vulnerabilities

  • Affected Products: Ceragon Siklu MultiHaul and EtherHaul Series
  • Use Case: Wireless backhaul equipment used in telecommunications and critical infrastructure communications
  • Action Required: Review CISA advisory ICSA-26-069-04
  • Source: CISA ICS Advisories

FortiGate NGFW Exploitation

  • Activity: Threat actors are actively exploiting FortiGate Next-Generation Firewall appliances as initial access points to breach victim networks and steal service account credentials.
  • Impact: FortiGate devices are widely deployed across critical infrastructure sectors for perimeter security.
  • Recommendation: Organizations should audit FortiGate configurations, ensure latest patches are applied, and monitor for indicators of compromise.
  • Source: The Hacker News

3.4 Transportation Systems

F-35 Software Dependency Concerns

  • Issue: Security researcher Bruce Schneier highlights growing international concerns about dependencies on US-controlled software in F-35 fighter jets, raising questions about "jailbreaking" military systems to achieve operational independence.
  • Broader Implication: This discussion reflects wider concerns about software supply chain dependencies in critical defense and transportation infrastructure.
  • Source: Schneier on Security

3.5 Healthcare & Public Health

Emergency Preparedness Initiative

  • Development: Nicole Ziogas has been named Assistant Director of Emergency Preparedness and Response at the Greater New York Hospital Association (GNYHA), signaling continued focus on healthcare sector resilience.
  • Context: Healthcare organizations continue to face dual challenges of cyber threats and physical emergency preparedness.
  • Source: Homeland Security Today

3.6 Financial Services

SAP Critical Vulnerabilities

  • Affected Products: SAP FS-QUO (Financial Services – Quotation Management) and NetWeaver
  • Severity: Critical code injection and insecure deserialization flaws enabling arbitrary code execution
  • Impact: Financial services organizations using SAP should prioritize patching
  • Source: SecurityWeek

3.7 Government Facilities

Honeywell Building Management System Vulnerability

  • Affected Product: Honeywell IQ4x BMS Controller
  • Use Case: Building automation and management systems in government and commercial facilities
  • Action Required: Review CISA advisory ICSA-26-069-03 and implement recommended mitigations
  • Source: CISA ICS Advisories

4. VULNERABILITY & MITIGATION UPDATES

4.1 CISA Known Exploited Vulnerabilities (KEV) Additions

Date Added: March 10, 2026

Product                            Status                          Federal Deadline
---------------------------------  ------------------------------  ----------------
SolarWinds (specific product TBD)  Active Exploitation             March 31, 2026
Ivanti Endpoint Manager (EPM)      Active Exploitation Confirmed   March 31, 2026
VMware Workspace ONE               Active Exploitation             March 31, 2026

Recommended Action: All organizations—not just federal agencies—should treat these as priority patches given confirmed active exploitation.

Source: The Hacker News, Bleeping Computer
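The KEV catalog is only useful if it is matched against what an organization actually runs and the federal due dates are turned into a work queue. The script below is an added example, not part of the briefing and not CISA tooling: it parses records laid out like CISA's public KEV JSON feed (vendorProject, product, cveID, dateAdded, dueDate, knownRansomwareCampaignUse), matches them against a hypothetical asset inventory, and buckets each hit as overdue, due soon, or scheduled. The feed records and inventory are constructed for the example, and the CVE IDs are placeholders rather than the real identifiers for these products; a real deployment would fetch the live feed and read the inventory from a CMDB.

```python
"""Triage KEV entries against an asset inventory (added example, constructed data)."""
import json
import re
from datetime import date

# Constructed sample in the layout of CISA's KEV JSON feed. CVE IDs are
# PLACEHOLDERS, not the real identifiers for the listed products. The live feed is at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
SAMPLE_KEV_JSON = json.dumps({
    "catalogVersion": "constructed-sample",
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "Ivanti",
         "product": "Endpoint Manager (EPM)", "dateAdded": "2026-03-10",
         "dueDate": "2026-03-31", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00002", "vendorProject": "SolarWinds",
         "product": "PLACEHOLDER-PRODUCT", "dateAdded": "2026-03-10",
         "dueDate": "2026-03-31", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00003", "vendorProject": "VMware",
         "product": "Workspace ONE", "dateAdded": "2026-03-10",
         "dueDate": "2026-03-31", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00004", "vendorProject": "ExampleVendor",
         "product": "Old Appliance", "dateAdded": "2026-01-05",
         "dueDate": "2026-01-26", "knownRansomwareCampaignUse": "Known"},
    ],
})

# Hypothetical inventory; in practice this comes from a CMDB or scanner export.
ASSET_INVENTORY = [
    {"host": "epm01.corp.example", "vendor": "Ivanti", "product": "Endpoint Manager", "owner": "endpoint-team"},
    {"host": "uem.corp.example", "vendor": "VMware", "product": "Workspace ONE UEM", "owner": "mobility-team"},
    {"host": "legacy-gw.corp.example", "vendor": "ExampleVendor", "product": "Old Appliance", "owner": "netops"},
    {"host": "build.corp.example", "vendor": "Jenkins", "product": "Jenkins", "owner": "devops"},
]


def _norm(s):
    # Lowercase, drop parenthesised qualifiers such as "(EPM)", collapse whitespace.
    return " ".join(re.sub(r"\(.*?\)", "", s.lower()).split())


def product_matches(kev_product, asset_product):
    """Loose product match: one normalised name contains the other."""
    a, b = _norm(kev_product), _norm(asset_product)
    return a in b or b in a


def load_kev(feed_json):
    return json.loads(feed_json)["vulnerabilities"]


def match_assets(entries, inventory):
    """Pair each KEV entry with the inventory assets it applies to."""
    out = []
    for e in entries:
        hits = [a for a in inventory
                if a["vendor"].lower() == e["vendorProject"].lower()
                and product_matches(e["product"], a["product"])]
        out.append((e, hits))
    return out


def triage(entries, inventory, today, soon_days=7):
    """Bucket matched entries by deadline; unmatched entries are listed separately."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    report = {"overdue": [], "due_soon": [], "scheduled": [], "no_known_assets": []}
    for e, hits in match_assets(entries, inventory):
        if not hits:
            report["no_known_assets"].append(e["cveID"])
            continue
        due = date.fromisoformat(e["dueDate"])
        days_left = (due - today).days
        item = {"cve": e["cveID"], "vendor": e["vendorProject"], "product": e["product"],
                "due": e["dueDate"], "days_left": days_left,
                "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
                "hosts": [h["host"] for h in hits]}
        bucket = "overdue" if days_left < 0 else "due_soon" if days_left <= soon_days else "scheduled"
        report[bucket].append(item)
    # Ransomware-linked entries first, then earliest due date, within each bucket.
    for b in ("overdue", "due_soon", "scheduled"):
        report[b].sort(key=lambda i: (not i["ransomware"], i["due"]))
    return report


if __name__ == "__main__":
    rep = triage(load_kev(SAMPLE_KEV_JSON), ASSET_INVENTORY, "2026-03-11")
    for bucket, items in rep.items():
        print(bucket.upper())
        for i in items:
            print("  ", i)
```

Entries with no matching asset still deserve a look (the "no_known_assets" list), since a missing inventory match is as often an inventory gap as a true absence; the SolarWinds placeholder record above lands there because its product name is unknown.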

4.2 Microsoft Patch Tuesday – March 2026

  • Total Vulnerabilities: 83 (some sources report 77-79 depending on counting methodology)
  • Zero-Days: 2 publicly disclosed (notably, none actively exploited—first such occurrence in 6 months)
  • Critical Flaws: Multiple, including 3 high-severity vulnerabilities in Microsoft Office
  • Likely to be Exploited: Microsoft flagged 6 vulnerabilities as more likely to be exploited
  • Notable: This is the first Patch Tuesday in six months without actively exploited zero-days at time of release

Priority Items:

  • Microsoft Office vulnerabilities (3 high-severity)
  • Windows operating system security updates
  • Windows 10 extended security update KB5078885
  • Windows 11 cumulative updates KB5079473 and KB5078883

Source: SecurityWeek, KrebsOnSecurity, Bleeping Computer, CyberScoop

4.3 Adobe Security Updates

  • Total Vulnerabilities: 80 across 8 products
  • Affected Products: Commerce, Illustrator, Acrobat Reader, Premiere Pro, and others
  • Recommendation: Organizations should prioritize Acrobat Reader updates given its widespread deployment

Source: SecurityWeek

4.4 HPE Aruba AOS-CX Vulnerabilities

  • Severity: Critical
  • Impact: Authentication bypass and admin password reset capabilities
  • Affected: Aruba Networking AOS-CX operating system
  • Action: Apply HPE patches immediately; these devices are commonly deployed in enterprise and critical infrastructure networks

Source: Bleeping Computer

4.5 Java Security Engine (pac4j) Critical Flaw

  • Severity: Critical
  • Impact: pac4j is a widely deployed Java security library, so the flaw has serious downstream implications for the applications built on it
  • Exploitation: Relatively easy to exploit; no active exploitation observed yet
  • Action: Development and security teams should audit applications using pac4j and apply updates

Source: CyberScoop

4.6 Google Looker Studio Cross-Tenant Vulnerabilities

  • Vulnerabilities: 9 "LeakyLooker" flaws discovered
  • Impact: Could have permitted attackers to run arbitrary SQL queries on victims' databases and exfiltrate data
  • Status: Disclosed to Google (patch status should be verified)

Source: The Hacker News

4.7 CISA ICS Advisories – March 10, 2026

Advisory ID      Vendor/Product                      Sector Relevance
---------------  ----------------------------------  ----------------------------------
ICSA-26-069-01   Apeman Cameras                      Physical Security, Surveillance
ICSA-26-069-02   Lantronix EDS3000PS/EDS5000         Water, Manufacturing, Multiple
ICSA-26-069-03   Honeywell IQ4x BMS Controller       Government Facilities, Commercial
ICSA-26-069-04   Ceragon Siklu MultiHaul/EtherHaul   Communications, Telecommunications

Source: CISA ICS Advisories


5. RESILIENCE & CONTINUITY PLANNING

5.1 Identity Recovery Testing Gap

  • Finding: Only 24% of organizations test their identity disaster recovery plans every six months, according to Quest Software research.
  • Risk: Identity infrastructure (Active Directory, Entra ID, etc.) is critical for business operations; inadequate recovery testing leaves organizations vulnerable to extended outages following ransomware or destructive attacks.
  • Recommendation: Organizations should establish regular identity recovery testing cadences and document recovery time objectives (RTOs) for identity systems.

Source: Infosecurity Magazine

5.2 Cloud Attack Surface Evolution

  • Trend: Google Cloud research indicates attackers are increasingly preferring vulnerability exploitation over credential-based attacks for cloud environment compromise, including exploitation of the "React2Shell" vulnerability.
  • Implication: Cloud-dependent critical infrastructure operators should prioritize vulnerability management alongside identity security.

Source: Infosecurity Magazine

5.3 Supply Chain Security – Third-Party Risk

  • Case Study: The Ericsson breach, attributed to a third-party service provider compromise, reinforces the importance of vendor risk management programs.
  • Lesson: Critical infrastructure operators should maintain visibility into third-party access, implement least-privilege principles for vendors, and include third-party breach scenarios in incident response planning.

5.4 Windows Hotpatching for Operational Continuity

  • Development: Microsoft will enable hotpatch security updates by default for eligible Windows devices managed through Microsoft Intune beginning May 2026.
  • Benefit: Hotpatching allows security updates without requiring system reboots, reducing operational disruption for critical systems.
  • Consideration: OT environments should carefully evaluate hotpatching compatibility with industrial applications before enabling.

Source: Bleeping Computer


6. REGULATORY & POLICY DEVELOPMENTS

6.1 Trump Administration Cyber Strategy

  • Development: Security leaders are providing mixed reactions to the Trump Administration's "Cyber Strategy for America," with both approval and critiques being voiced across the security community.
  • Key Discussion Points: The strategy's approach to public-private partnerships, critical infrastructure protection mandates, and international cyber norms.
  • Recommendation: Critical infrastructure operators should review the strategy document for sector-specific implications and prepare for potential regulatory changes.

Source: Security Magazine

6.2 Data Sovereignty and Encryption Policy

  • Debate: The State Department's framing of data sovereignty and innovation as opposing forces is being challenged by security experts who argue modern encryption enables both.
  • Implication: Critical infrastructure operators should monitor evolving data localization and encryption policy discussions that may affect cross-border operations and cloud deployments.

Source: CyberScoop

6.3 AI Browser and Automation Regulations

  • Legal Development: A federal judge has blocked Perplexity's AI browser from making Amazon purchases, following Amazon's lawsuit alleging computer fraud and unauthorized account access.
  • Relevance: This case may set precedents for AI agent interactions with critical infrastructure systems and automated purchasing/procurement systems.

Source: CyberScoop

6.4 Emergency Management Accessibility

  • Initiative: The National Council on Disability has announced a Request for Information (RFI) on an Emergency Management Toolkit, seeking input on accessibility considerations for emergency preparedness.
  • Relevance: Critical infrastructure operators should consider accessibility requirements in emergency communications and response planning.

Source: Homeland Security Today


7. TRAINING & RESOURCE SPOTLIGHT

7.1 New Security Tools and Platforms

AI-Powered Security Solutions

  • Jazz Security: Emerged from stealth with $61M funding for AI-powered Data Loss Prevention (DLP) providing visibility into intent, context, and risk. (SecurityWeek)
  • Kai: $125M funding for AI platform bridging IT and OT security, founded by Claroty co-founder. (SecurityWeek)
  • Armadin: Kevin Mandia's new venture launched with $190M funding for AI-powered red teaming. (SecurityWeek)
  • OpenAI Codex Security: Vulnerability scanner that has reportedly found hundreds of critical vulnerabilities in tested software. (SecurityWeek)
  • OpenAI Promptfoo Acquisition: OpenAI acquiring Promptfoo to strengthen AI agent security testing capabilities. (CSO Online)

Microsoft Entra Passkey Support

  • Development: Microsoft is rolling out passkey support for Microsoft Entra on Windows devices, enabling phishing-resistant passwordless authentication via Windows Hello.
  • Benefit: Reduces credential theft risk for enterprise and critical infrastructure environments.

Source: Bleeping Computer

7.2 Best Practices and Guidance

Attack Surface Reduction

  • Resource: New guidance available on proactive attack surface reduction to minimize zero-day exposure.
  • Key Principle: Organizations cannot control when vulnerabilities are disclosed but can control exposure levels.

Source: The Hacker News

Automated Penetration Testing

  • Insight: Security practitioners are sharing lessons learned from replacing manual penetration tests with automation, including benefits and limitations.
  • Consideration: Critical infrastructure operators should evaluate hybrid approaches combining automated and manual testing.

Source: CSO Online

7.3 Recruitment Opportunities

  • CBP Virtual Recruitment Events: U.S. Customs and Border Protection has announced March virtual recruitment events for those interested in border security careers.

Source: Homeland Security Today


8. LOOKING AHEAD: UPCOMING EVENTS

8.1 Conferences and Workshops

Date             Event                                                   Focus Area
---------------  ------------------------------------------------------  -----------------------------------------
March 19, 2026   NIST: Technologies and Use Cases for Smart Standards    AI, Blockchain, IoT standards development
March 31, 2026   NIST: Cybersecurity for IoT Workshop – Future

Disclaimer

This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.