ThreatsDay Bulletin: Pre-Auth Chains, Android Rootkits, CloudTrail Evasion, and 10 Emerging Cybersecurity Risks

This week's ThreatsDay Bulletin covers the vulnerabilities and emerging threats organizations most need to act on: minor bugs chained into a pre-authentication backdoor, years-old software flaws resurfacing in active malware, and techniques that let attackers blind security logging without tripping detection.

Pre-Authenticated Remote Code Execution Vulnerabilities

watchTowr Labs has disclosed two vulnerabilities in Progress ShareFile (CVE-2026-2699 and CVE-2026-2701) that chain into pre-authenticated remote code execution. CVE-2026-2699 is an authentication bypass reachable through the “/ConfigService/Admin.aspx” endpoint; CVE-2026-2701 is a remote code execution flaw that on its own requires an authenticated session. Chained, they let an unauthenticated attacker skip the login step and then upload a web shell to the server.

Progress fixed both issues in Storage Zone Controller 5.12.4, released March 10, 2026. With roughly 30,000 internet-facing instances, patching is urgent. Patching alone does not remove a web shell that was planted before the update, so exposed deployments should also review web server logs for requests to the “/ConfigService/Admin.aspx” endpoint and for unfamiliar .aspx files served afterwards.
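A minimal hunt over IIS W3C logs, as an added example that is not part of the bulletin or the watchTowr advisory: it records every client that touched the bypass endpoint and lists the .aspx paths that client requested afterwards, which is where a freshly uploaded web shell would show up. The field layout is the common IIS default and the log lines are constructed; the endpoint path is the one named in the advisory, the rest of the traffic is assumed.

```python
"""Hunt for requests to the ShareFile auth-bypass endpoint in IIS W3C logs.

Added example, not from the advisory. Assumes the default IIS W3C field
layout below; the sample lines are constructed, not real traffic.
"""
from collections import defaultdict

# Constructed sample: 10.0.0.5 (assumed attacker) hits the ConfigService
# endpoint and then requests an .aspx file that no other client ever asks for.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-03-11 09:00:01 192.168.1.10 GET /login.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2026-03-11 09:00:05 192.168.1.10 GET /ConfigService/Admin.aspx - 443 - 10.0.0.5 python-requests/2.31 200
2026-03-11 09:00:09 192.168.1.10 POST /ConfigService/Admin.aspx - 443 - 10.0.0.5 python-requests/2.31 200
2026-03-11 09:00:12 192.168.1.10 GET /shared/x.aspx - 443 - 10.0.0.5 python-requests/2.31 200
2026-03-11 09:01:00 192.168.1.10 GET /login.aspx - 443 alice 198.51.100.9 Mozilla/5.0 200
"""

BYPASS_ENDPOINT = "/configservice/admin.aspx"  # compared case-insensitively


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        parts = line.split()  # IIS writes spaces inside fields as '+'
        if fields is None or len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def find_suspects(text):
    """Return {client_ip: [.aspx uri-stems requested after its first hit on the endpoint]}.

    Every client that touched the endpoint is reported, even with an empty
    follow-up list: on a patched or unexposed server nobody should be there.
    """
    first_hit = {}
    followups = defaultdict(list)
    for rec in parse_w3c(text):
        ip = rec["c-ip"]
        stem = rec["cs-uri-stem"].lower()
        if stem == BYPASS_ENDPOINT:
            first_hit.setdefault(ip, rec["time"])
            continue
        if ip in first_hit and stem.endswith(".aspx"):
            followups[ip].append(rec["cs-uri-stem"])
    return {ip: followups.get(ip, []) for ip in first_hit}


if __name__ == "__main__":
    for ip, paths in find_suspects(SAMPLE_LOG).items():
        print(f"{ip} hit {BYPASS_ENDPOINT}; later .aspx requests: {paths or 'none'}")
```

Run it against the real log directory with the file contents concatenated; a hit from an address you do not own is a reason to treat the box as compromised rather than merely unpatched.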

Android Malware: NoVoice Rootkit

A new Android malware family, dubbed NoVoice, has been distributed through more than 50 applications with at least 2.3 million combined downloads. The apps pose as utilities and games and carry exploits for 22 Android vulnerabilities patched between 2016 and 2021, so devices still on security patch levels from before those fixes are the ones at risk. When an exploit succeeds, NoVoice gains root, which lets it inject code into any app the user opens and exfiltrate whatever that app can see.

McAfee Labs notes that the malware deliberately skips devices in certain regions, including Beijing and Shenzhen, and runs multiple environment checks to evade analysis. Infections are concentrated in Nigeria, Ethiopia, Algeria, India, and Kenya. Google has removed the apps from Google Play.

FBI Warns of Foreign App Risks

The U.S. Federal Bureau of Investigation (FBI) has issued a warning regarding the data security risks associated with mobile applications developed by foreign entities, particularly those based in China. As of early 2026, many of the most popular apps in the U.S. are maintained by these foreign companies, which are subject to China’s national security laws. This raises concerns about unauthorized access to user data.

The FBI cautioned that these applications might harvest contact information under the guise of inviting friends, store personal data on Chinese servers, or contain malware designed to exploit known vulnerabilities. While specific apps were not named, TikTok, Shein, Temu, and DeepSeek fit the profile of those under scrutiny.

New Bureau for Emerging Cyber Threats

In response to the increasing complexity of cyber threats, the U.S. State Department has established the Bureau of Emerging Threats. This new unit is tasked with safeguarding national security against cyberattacks targeting critical infrastructure and addressing risks associated with artificial intelligence and advanced technologies from adversarial nations, including Iran, China, Russia, and North Korea.

Cybercrime and Extradition

Li Xiong, the former chairman of the Cambodian financial conglomerate HuiOne, has been extradited to China. Accused of operating gambling dens and engaging in fraud and money laundering, Li is linked to a transnational cybercrime syndicate led by Chen Zhi, who was extradited to China in January 2026. The U.S. Treasury has labeled HuiOne as a primary money laundering concern.

Gmail Username Changes

Google has announced the rollout of a feature allowing users in the U.S. to change their Google Account usernames. The previous email address will become an alternate address, and users will continue to receive emails sent to both addresses. While users can revert to their original email, creating a new Gmail address will be restricted for 12 months.

Legal Developments in AI Regulation

A U.S. federal judge has temporarily blocked the Trump administration’s designation of Anthropic as a supply chain risk. The ruling emphasized that the designation lacked statutory support and could cause irreparable harm to the company.

Phishing Schemes Targeting Mobile Users

Cybercriminals have launched a new phishing scheme targeting Android users by masquerading malicious applications as beta-testing opportunities for ChatGPT and Meta advertising tools. These apps, delivered through Firebase App Distribution, request Facebook credentials, leading to account takeovers. Similar campaigns have exploited phishing emails to lure users into downloading malicious iOS apps.

Ransomware Defense in Google Drive

Google has made ransomware detection and file restoration features generally available in Google Drive. This enhancement, which was in beta since September 2025, allows users to bulk restore files to previous versions and pauses file syncing during ransomware detection. The latest AI model reportedly detects 14 times more infections than before.

GhostSocks Malware Activity

Darktrace has reported a rise in GhostSocks activity, a malware-as-a-service that enables attackers to turn compromised devices into residential proxies. This malware has been observed operating alongside Lumma Stealer, indicating a continued partnership despite attempts to disrupt Lumma’s infrastructure.

Open-Source Malware Surge

The number of malware advisories in open-source ecosystems has grown 13.6-fold since January 2024, as attackers increasingly take over trusted packages rather than publishing obviously fake ones. In 2025 alone, 930 npm account takeover advisories were recorded, 92% of all reported ATOs across ecosystems, so a package's reputation no longer says much about what its latest version does at install time.

Evasion Tactics in CloudTrail Logging

Adversaries are sidestepping conventional CloudTrail detections by using lesser-known AWS APIs to blind logging rather than simply switching it off. Reported techniques include carving out “invisible activity zones” where actions go unrecorded and neutralizing cross-account protections, leaving the attacker free to erase evidence and operate undetected. Defenders should treat any change to the trail itself as an alert, not just StopLogging and DeleteTrail: UpdateTrail, PutEventSelectors, and PutInsightSelectors can narrow or redirect what gets logged while the trail still reports as active, and organization-level service control policies can deny those calls outright in member accounts.
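A small detector over CloudTrail records, as an added example that is not part of the bulletin or the cited research: it groups, per calling principal, the control-plane calls that stop, delete, narrow, or de-scope a trail. The API names are the public CloudTrail ones; which of them a given intrusion uses, and the records below, are assumptions constructed for the example rather than captured events.

```python
"""Flag CloudTrail control-plane calls that blind or narrow logging.

Added example, not from the source article. The API names come from the
public CloudTrail API; which of them an attacker uses is an assumption.
The records below are constructed, not captured from a real account.
"""

ACCOUNT = "111122223333"  # constructed account ID
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"
BOB = f"arn:aws:iam::{ACCOUNT}:user/bob"  # assumed compromised principal

SAMPLE_EVENTS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
     "userIdentity": {"arn": ALICE}, "requestParameters": {}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"arn": BOB}, "requestParameters": {"name": "org-trail"}},
    # Trail stays "logging" but now records only read calls and no management events.
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "PutEventSelectors",
     "userIdentity": {"arn": BOB},
     "requestParameters": {"trailName": "org-trail",
                           "eventSelectors": [{"readWriteType": "ReadOnly",
                                               "includeManagementEvents": False}]}},
    # Trail de-scoped from org-wide / multi-region to a single account and region.
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
     "userIdentity": {"arn": BOB},
     "requestParameters": {"name": "org-trail", "isMultiRegionTrail": False,
                           "isOrganizationTrail": False}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": ALICE}, "requestParameters": {"bucketName": "data"}},
]

DISABLING = {"StopLogging", "DeleteTrail", "DeleteEventDataStore"}
SCOPE_FLAGS = ("isMultiRegionTrail", "isOrganizationTrail", "enableLogFileValidation")


def classify(event):
    """Return a list of findings for one CloudTrail record (empty if benign)."""
    findings = []
    if event.get("eventSource") != "cloudtrail.amazonaws.com":
        return findings
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}
    target = params.get("name") or params.get("trailName") or params.get("eventDataStore") or "?"
    if name in DISABLING:
        findings.append(f"{name}: logging disabled for {target}")
    if name == "PutEventSelectors":
        for sel in params.get("eventSelectors", []):
            if sel.get("includeManagementEvents") is False:
                findings.append(f"PutEventSelectors: management events excluded on {target}")
            if sel.get("readWriteType") == "ReadOnly":
                findings.append(f"PutEventSelectors: write events dropped on {target}")
    if name == "UpdateTrail":
        for flag in SCOPE_FLAGS:
            if params.get(flag) is False:
                findings.append(f"UpdateTrail: {flag} turned off on {target}")
        if "s3BucketName" in params:
            findings.append(f"UpdateTrail: log destination changed to {params['s3BucketName']}")
    return findings


def scan(events):
    """Group findings by the calling principal's ARN."""
    report = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            arn = ev.get("userIdentity", {}).get("arn", "unknown")
            report.setdefault(arn, []).extend(hits)
    return report


if __name__ == "__main__":
    for arn, hits in scan(SAMPLE_EVENTS).items():
        print(arn)
        for h in hits:
            print("  -", h)
```

Feed it the decoded records from the trail's S3 bucket or a CloudWatch Logs subscription; the point of checking PutEventSelectors and UpdateTrail separately is that a trail status check alone still reports “logging” after both.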

LofyGang’s Dual-Payload RAT

The threat actor LofyGang has resurfaced with a fake npm package carrying a dual payload: a Node.js-based Remote Access Trojan (RAT) alongside a native Windows binary. The combination targets data from more than 50 web browsers and 90 cryptocurrency wallet extensions, giving the operators broad credential and wallet theft from a single install.
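A dependency-tree audit that covers both the account-takeover trend above and the LofyGang package, as an added example that is not the project's or the researchers' tooling: it reads package-lock.json and each installed package.json and reports the two things a poisoned package typically needs, an install-time lifecycle hook that runs code and a download source that is not the npm registry. That a given malicious package uses a lifecycle hook is an assumption, not something the bulletin states; the package names and tree are constructed and written to a temp directory so the script runs offline.

```python
"""Audit an npm dependency tree for install hooks and off-registry sources.

Added example, not LofyGang's code nor any project's tooling. The fixture
tree is constructed (package names ending in -fake/-ok are invented) and
written to a temp dir so the audit runs without touching the network.
"""
import json
import os
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
REGISTRY_PREFIX = "https://registry.npmjs.org/"

# Constructed fixture: one benign package, one whose postinstall launches a
# native binary (the dual-payload pattern), one resolved outside the registry.
FIXTURE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad-ok": {
            "version": "1.0.0",
            "resolved": REGISTRY_PREFIX + "left-pad-ok/-/left-pad-ok-1.0.0.tgz",
            "integrity": "sha512-AAAA"},
        "node_modules/color-utils-fake": {
            "version": "2.1.0",
            "resolved": REGISTRY_PREFIX + "color-utils-fake/-/color-utils-fake-2.1.0.tgz",
            "integrity": "sha512-BBBB"},
        "node_modules/dropper-fake": {
            "version": "0.0.1",
            "resolved": "https://example.invalid/dropper.tgz"},
    },
}
FIXTURE_PKGS = {
    "left-pad-ok": {"name": "left-pad-ok", "version": "1.0.0"},
    "color-utils-fake": {"name": "color-utils-fake", "version": "2.1.0",
                         "scripts": {"postinstall": "node setup.js && bin/helper.exe"}},
    "dropper-fake": {"name": "dropper-fake", "version": "0.0.1"},
}


def write_fixture(root):
    """Materialize the constructed lockfile and node_modules under root."""
    with open(os.path.join(root, "package-lock.json"), "w") as f:
        json.dump(FIXTURE_LOCK, f)
    for name, pkg in FIXTURE_PKGS.items():
        d = os.path.join(root, "node_modules", name)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "package.json"), "w") as f:
            json.dump(pkg, f)


def audit(root):
    """Return {package: [findings]} for lifecycle hooks and off-registry sources."""
    findings = {}
    with open(os.path.join(root, "package-lock.json")) as f:
        lock = json.load(f)
    for path, meta in lock.get("packages", {}).items():
        if not path.startswith("node_modules/"):
            continue  # "" is the root project itself
        name = path.split("node_modules/")[-1]  # innermost name for nested deps
        resolved = meta.get("resolved", "")
        if resolved and not resolved.startswith(REGISTRY_PREFIX):
            findings.setdefault(name, []).append(f"resolved outside registry: {resolved}")
        if "integrity" not in meta:
            findings.setdefault(name, []).append("no integrity hash in lockfile")
        pj = os.path.join(root, path, "package.json")
        if os.path.exists(pj):
            with open(pj) as f:
                scripts = json.load(f).get("scripts", {})
            for hook in LIFECYCLE_HOOKS:
                if hook in scripts:
                    findings.setdefault(name, []).append(f"{hook}: {scripts[hook]}")
    return findings


def demo():
    """Build the fixture in a temp dir, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        write_fixture(root)
        return audit(root)


if __name__ == "__main__":
    for pkg, issues in demo().items():
        print(pkg, *issues, sep="\n  ")
```

In CI, pair this with `npm ci --ignore-scripts` so hooks never run before review; a hook that shells out to a binary shipped inside the package, as in the fixture, is exactly the pattern worth a manual look.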

The developments outlined in this bulletin underscore the increasingly complex and interconnected nature of cybersecurity threats. Organizations must remain vigilant and proactive in addressing these vulnerabilities to safeguard their systems and data.

Source: thehackernews.com
