ThreatsDay Bulletin: OAuth Consent Abuse, EDR Killer, Signal Phishing, Zombie ZIP Technique, AI Platform Breach & More
Date: March 12, 2026
Author: Ravie Lakshmanan
Tags: Cybersecurity / Hacking News
Recent developments in cybersecurity have revealed a range of alarming threats and vulnerabilities that have emerged over the past week. These incidents highlight the ongoing challenges faced by organizations and individuals in safeguarding their digital environments.
OAuth Consent Abuse
Cloud security firm Wiz has issued a warning regarding the risks associated with malicious OAuth applications. The phenomenon known as “consent fatigue” can lead users to inadvertently grant access to their sensitive data by accepting permissions from seemingly legitimate applications. Once a user clicks “Accept,” the attacker gains entry into the company’s tenant, allowing them to access files and emails without needing the user’s password. Wiz noted that a large-scale campaign was detected in early 2025, involving 19 OAuth applications impersonating well-known brands like Adobe and DocuSign, targeting multiple organizations.
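The consent-abuse pattern above is detectable after the fact in a tenant's consent audit trail: a third-party app with a brand-lookalike name, no verified publisher, and mail or file read scopes granted by a user. The script below is an added illustration of that triage logic, not Wiz's tooling or any vendor's product. The JSON records and their field names (`app_name`, `publisher_verified`, `scopes`, `tenant_app`) are constructed for the example and are assumptions, not a real identity provider's schema; the scope strings follow Microsoft Graph naming but the brand list is taken only from the bulletin.

```python
"""Triage of OAuth consent-grant events for consent-phishing indicators.

Added example (not from the original bulletin). Input records are constructed
and their field names are assumptions, not any real audit-log schema.
"""
import json
import re

# Brands named in the bulletin as impersonated by malicious OAuth apps.
IMPERSONATED_BRANDS = {"adobe", "docusign"}

# Delegated scopes that give an app the mailbox/file access the attack is after.
HIGH_VALUE_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
}

# Constructed sample consent events (one JSON object per line).
SAMPLE_LOG = """\
{"user": "alice@example.test", "app_name": "Adobe Acrobat Viewer", "publisher_verified": false, "scopes": ["Mail.Read", "Files.Read.All", "offline_access"], "tenant_app": false}
{"user": "bob@example.test", "app_name": "DocuSign", "publisher_verified": true, "scopes": ["User.Read"], "tenant_app": false}
{"user": "carol@example.test", "app_name": "Expense Reporter", "publisher_verified": false, "scopes": ["Files.ReadWrite.All"], "tenant_app": true}
{"user": "dave@example.test", "app_name": "Contoso Payroll Sync", "publisher_verified": false, "scopes": ["Mail.ReadWrite", "offline_access"], "tenant_app": false}
"""


def parse_events(text):
    """Parse newline-delimited JSON consent records into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def brand_lookalike(app_name):
    """True if the app name contains an impersonated brand, ignoring
    punctuation and case so 'Docu-Sign Online' still matches."""
    normalized = re.sub(r"[^a-z0-9]", "", app_name.lower())
    return any(brand in normalized for brand in IMPERSONATED_BRANDS)


def risk_reasons(event):
    """Return the list of reasons a consent grant looks like consent phishing.
    An empty list means the grant matched none of the indicators."""
    reasons = []
    scopes = set(event["scopes"])

    # A real Adobe/DocuSign app would carry a verified publisher; a lookalike
    # name without one is the bulletin's core indicator.
    if brand_lookalike(event["app_name"]) and not event["publisher_verified"]:
        reasons.append("brand-lookalike name from unverified publisher")

    # Mail/file read access is what lets the attacker read email and files
    # without the user's password. Apps registered in our own tenant are
    # expected to hold such scopes, so only external apps are flagged.
    sensitive = HIGH_VALUE_SCOPES & scopes
    if sensitive and not event["tenant_app"]:
        reasons.append("third-party app granted " + ", ".join(sorted(sensitive)))

    # offline_access yields a refresh token, i.e. persistent access that
    # survives the user's session; unverified publishers should not get it.
    if "offline_access" in scopes and not event["publisher_verified"]:
        reasons.append("refresh-token scope (offline_access) from unverified publisher")

    return reasons


def triage(text):
    """Map each flagged app name to its list of reasons."""
    flagged = {}
    for event in parse_events(text):
        reasons = risk_reasons(event)
        if reasons:
            flagged[event["app_name"]] = reasons
    return flagged


if __name__ == "__main__":
    for app, reasons in triage(SAMPLE_LOG).items():
        print(app)
        for reason in reasons:
            print("  -", reason)
```

Running it flags "Adobe Acrobat Viewer" (lookalike name, mail and file scopes, refresh token) and "Contoso Payroll Sync" (mail scope plus refresh token from an unverified publisher), while the verified DocuSign grant and the tenant's own expense app pass. The mitigation that removes the class of problem is restricting user consent to verified publishers and low-risk scopes so that such grants require an admin in the first place; the triage above is for finding grants that already happened.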
Messaging Account Takeover
Russian-linked hackers are reportedly attempting to compromise Signal and WhatsApp accounts belonging to government officials, journalists, and military personnel worldwide. Rather than breaking encryption, these attackers are using social engineering tactics to trick individuals into providing security verification codes or PINs. The Netherlands Defence Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) have indicated that these hackers often pose as Signal Support chatbots to extract sensitive information. Similar warnings have been issued by German authorities, emphasizing the sophistication of these phishing campaigns.
Cloud Breach via Software Flaws
Google has disclosed that threat actors are increasingly exploiting vulnerabilities in third-party software to infiltrate cloud environments. The time between vulnerability disclosure and mass exploitation has significantly decreased, while the share of initial-access incidents attributed to misconfiguration dropped from 29.4% to 21% in the latter half of 2025. This trend suggests that automated security measures are becoming more effective, pushing attackers toward more complex and costly methods that specifically target software vulnerabilities.
Microcontroller Debug Bypass
Research from Quarkslab has revealed that it is possible to bypass the 16-byte password protection for debug access on several variants of the RH850 microcontroller family using voltage fault injection techniques. This method can be executed in under one minute, raising concerns about the security of embedded systems that utilize these microcontrollers.
Solar Spider Suspects Arrested
Authorities in Uttar Pradesh, India, have arrested two Nigerian nationals linked to an international cyber fraud operation known as Solar Spider. The suspects, Okechukwu Imeka and Chinedu Okafor, are believed to have exploited security flaws in Indian cooperative banking systems to siphon large amounts of money. Solar Spider has a history of targeting financial institutions through spear-phishing campaigns.
PlugX Malware Campaign
Check Point has reported targeted attacks against entities in Qatar, utilizing conflict-related content to deliver malware families such as PlugX and Cobalt Strike. The attack chain employs Windows shortcut files within ZIP archives, which, when opened, download a next-stage payload from a compromised server. This activity has been attributed to the threat actor Mustang Panda.
Teen DDoS Kit Sellers
Polish police have referred seven minors to family court for allegedly selling distributed denial-of-service (DDoS) kits online. The suspects, aged between 12 and 16, are facing charges related to a profit-driven scheme targeting popular websites, including auction platforms and hosting services.
Phishing-Resistant Windows Login
Microsoft is rolling out passkey support for Microsoft Entra on Windows devices, introducing phishing-resistant passwordless authentication through Windows Hello. This update allows users to create device-bound passkeys stored in the Windows Hello container, enhancing security and reducing reliance on traditional passwords.
Sysmon Built into Windows
Microsoft has integrated System Monitor (Sysmon) functionality into Windows 11 and Windows Server 2025 as an optional built-in feature. This integration simplifies the process of enabling Sysmon for enhanced endpoint visibility, representing a significant operational win for network defenders.
Canada Phishing Campaign
An active phishing campaign is targeting Canadian residents through fraudulent domains impersonating trusted institutions, including the Government of British Columbia and Hydro-Québec. The campaign aims to collect personal information and credit card details, with its infrastructure linked to RouterHosting LLC, a provider accused of supporting state-sponsored hacking groups.
Private Link Safety in Chats
Meta has introduced Advanced Browsing Protection (ABP) in Messenger, designed to safeguard the privacy of links shared in chats while warning users about malicious content. The feature utilizes on-device models to analyze shared links and employs a continually updated watchlist of potentially harmful websites.
BlackSanta EDR Killer
A sophisticated attack campaign targeting HR departments has combined social engineering with advanced evasion techniques to compromise systems. The attack begins with a resume-themed ISO file delivered via phishing emails, which drops payloads designed to disable antivirus and endpoint detection software.
ZIP Evasion Technique
A new technique known as Zombie ZIP allows attackers to conceal malicious payloads within specially crafted compressed files that can evade detection by security tools. This vulnerability, tracked as CVE-2026-0866, has raised concerns about the effectiveness of current security measures against such tactics.
AI Agent Breaches Platform
Researchers at CodeWall reported that their AI agent successfully hacked McKinsey’s internal AI platform, gaining access to sensitive data, including 46.5 million chat messages and 728,000 files. This incident underscores the growing effectiveness of AI tools in conducting cyber attacks.
Teams Social Engineering Malware
Hackers have targeted employees at financial and healthcare organizations via Microsoft Teams, tricking them into granting remote access through Quick Assist to deploy a new malware variant called A0Backdoor. This method aligns with established social engineering tactics to gain unauthorized access.
Industrialized Disinformation Network
The Russian influence operation known as Doppelgänger has been characterized as a coordinated and professionally managed influence apparatus, prioritizing infrastructure resilience and operational continuity. This operation employs systematic media brand impersonation and exhibits deliberate geographic micro-targeting.
Pentagon AI Dispute
Anthropic has filed a lawsuit to block the Pentagon from placing it on a national security blocklist, arguing that the designation violates its free speech and due process rights. The dispute arose after the Pentagon branded the AI company a supply chain risk due to its refusal to remove guardrails against using its technology for military purposes.
GitHub SEO Malware
A new campaign distributing BoryptGrab is leveraging over 100 public GitHub repositories to lure victims into downloading malicious software. This multi-stage infection chain can harvest sensitive information and establish a reverse SSH tunnel for communication with attackers.
RAT Campaign Against India
The Pakistan-aligned threat actor Transparent Tribe has been linked to a series of attacks targeting Indian government entities, employing social engineering techniques to distribute malicious ZIP archives disguised as legitimate documents.
Signed Phishing Malware
Microsoft has warned of multiple phishing campaigns utilizing workplace meeting lures and signed malware to establish persistent access on compromised systems. The use of trusted digital signatures has been exploited to bypass user suspicion and gain initial footholds in enterprise environments.
TikTok Allowed in Canada
Following a national security review, Canada’s Minister of Industry announced that TikTok can continue its operations, implementing enhanced protections for user data. This decision marks a reversal from a previous order to shut down the platform due to national security concerns.
Vulnerabilities Rise 12%
Flashpoint reported a 12% increase in vulnerability disclosures in 2025, with 44,509 incidents cataloged. Ransomware attacks also surged by 53%, with manufacturing being the most targeted industry.
Botnet Exploiting 174 Flaws
The RondoDox DDoS botnet has been found to exploit 174 different vulnerabilities, employing a shotgun approach to maximize its chances of success. This botnet’s rapid adaptation to newly disclosed vulnerabilities poses a significant threat.
Memory-Only Keylogger Attack
Phishing emails are being used to distribute an executable that runs a memory-only keylogger, capable of capturing sensitive information without leaving traces on disk. This technique raises concerns about the effectiveness of traditional security measures.
Cloudflare-Shielded Phishing
A new credential harvesting campaign has been observed using Cloudflare’s services to delay detection, implementing multiple anti-detection techniques to ensure the success of the attack.
For further details on these developments, refer to the original reporting source at thehackernews.com.