China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks
Article Link: https://thehackernews.com/2026/03/china-linked-red-menshen-uses-stealthy.html
- A China-linked group known as Red Menshen embedded stealthy implants inside telecom networks to conduct long-term espionage against government targets.
- Research from Rapid7 detailed the use of BPFDoor, a Linux backdoor that hides inside the operating system and activates only when triggered by specially crafted network traffic.
- The group gained access through exposed edge systems like VPNs and firewalls, then used credential harvesting and lateral movement tools to expand across environments.
- Rapid7 reminds telecoms that strengthening security around internet-facing systems, monitoring unusual network behavior, and limiting unauthorized internal movement can decrease exposure to this type of intrusion.
FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns
Article Link: https://thehackernews.com/2026/03/fcc-bans-new-foreign-made-routers-over.html
- The Federal Communications Commission (FCC) banned the import and sale of consumer routers produced by foreign companies.
- U.S. agencies determined foreign-produced routers pose serious supply chain and cybersecurity risks, potentially enabling disruption of critical infrastructure and espionage. Exceptions must be approved by the Department of Homeland Security.
- Malicious actors, such as groups like Volt Typhoon, have used routers to form botnets as well as to perform cyberattacks and gain access to critical infrastructure.
- The ruling prevents foreign routers from being brought into U.S. markets unless manufacturers receive approval to sell their devices.
- Covered List: https://www.fcc.gov/supplychain/coveredlist
‘CanisterWorm’ Springs Wiper Attack Targeting Iran
Article Link: https://krebsonsecurity.com/2026/03/canisterworm-springs-wiper-attack-targeting-iran/
- The cybercrime group TeamPCP has begun a campaign utilizing a worm to target cloud services and wipe data on systems set to Iran’s time zone or that use Farsi as their primary language.
- The worm exploits poorly configured cloud infrastructure such as Docker and Kubernetes, along with supply chain attacks using malware embedded in security tools.
- While typically financially motivated, the group appears to be using geopolitical affairs to gain attention as well as launch opportunistic attacks.
- The attacks have included destroying entire Kubernetes clusters, stealing credentials, and installing backdoors in cloud environments.
Experts Warn of a “Loud and Aggressive” Extortion Wave Following Trivy Hack
Article Link: https://cyberscoop.com/trivy-supply-chain-attack-aqua-downstream-extortion-fallout/
- Hackers carried out a supply-chain attack that compromised Trivy, an open-source security tool provided by Aqua Security.
- The attack allowed the attackers to distribute malicious versions of the tool with over 1,000 environments expected to be impacted.
- Hackers stole an access token to establish access to Trivy’s repository by utilizing a misconfiguration in the company’s development platform. Aqua Security initially believed it had blocked the attack by changing credentials; however, about two weeks later malicious versions of Trivy began to be released.
- The extent of the attack has the potential to grow, as the exploited software may further impact downstream victims.
Ransomware Attack Disrupts Operation at Major Spanish Fishing Port
Article Link: https://therecord.media/port-of-vigo-ransomware
- A ransomware attack disrupted digital systems at Spain’s Port of Vigo, forcing parts of the network offline and shifting some operations to manual processes.
- The intrusion impacted servers managing cargo traffic, with officials isolating affected systems and delaying reconnection until the environment is verified as safe.
- While physical port activity continues, digital coordination has been disrupted, adding pressure to logistics in a sector already targeted due to its role in global trade.
- Operational Technology/Industrial Control Systems (OT/ICS) security specialists recommend segmenting networks, maintaining written hard copies of operational procedures, and validating recovery readiness to withstand disruptions from similar attacks.
Hackers Used Malicious File to Hide Activity in Stryker Systems
- Stryker revealed that the recent breach they experienced in which an attacker wiped over 200,000 systems was performed using a malicious file to run commands and hide their activity.
- Investigators from Palo Alto’s Unit 42 found that the file was not capable of infecting other systems and was focused on silently executing instructions.
- The company initially thought that malware was not used in the attack, but further investigation revealed the toolkit. There is still no evidence of ransomware, suggesting this was primarily an attack focused on disruption.
- After removing the attacker’s tooling from its systems, Stryker moved into recovery and prioritized bringing customer systems back online.
Ransomware Affiliate Exposes Details of ‘The Gentlemen’ Operation
Article Link: https://www.infosecurity-magazine.com/news/ransomware-affiliate-gentlemen/
- A ransomware affiliate known as “hastalamuerte” exposed internal operations of a group called The Gentlemen, revealing how attacks are carried out and managed.
- A March 19 report by Group-IB detailed a ransomware-as-a-service model using dual-extortion, FortiGate VPN access, and rapid lateral movement across Windows, Linux, and ESXi systems.
- The leak also revealed tensions between affiliates and operators, showing how disputes can expose the inner workings of these criminal partnerships.
- Threat intelligence experts note that securing remote access, limiting credential misuse, and protecting backups help prevent disruption during attacks.
ShinyHunters Walk Away from BreachForums, Leak 300,000-User Database
Article Link: https://hackread.com/shinyhunters-breachforums-leak-300000-user-database/
- The ShinyHunters group left BreachForums and released a database containing over 300,000 user records from the platform.
- Analysis by Hackread confirmed the leak includes full profiles with emails, IP addresses, session tokens, and hashed passwords.
- The group warned that current BreachForums domains are fake and claimed it holds full backups, threatening further releases including private messages and additional data.
- IAM professionals suggest monitoring for exposed credentials, resetting compromised accounts, and limiting login reuse to curb leaked-data risk.
Quish Splash QR Code Phishing Campaign Hits 1.6 million Users
Article Link: https://hackread.com/quish-splash-qr-code-phishing-hits-users/
- A phishing campaign dubbed “Quish Splash” sent over 1.6 million emails, using QR codes to bypass detection and reach user inboxes.
- Research from 7AI found attackers hid malicious links inside image files, allowing emails to pass SPF, DKIM, and DMARC checks undetected by Microsoft Defender.
- The operation used staged delivery, unique QR codes per target, and auto-replies to confirm active users, expanding reach across multiple organizations.
- Mobile security specialists recommend limiting QR code use, validating unexpected messages, and extending security controls to mobile devices to mitigate these attacks.
Dutch Police Discloses Security Breach After Phishing Attack
Article Link: https://www.bleepingcomputer.com/news/security/dutch-police-discloses-security-breach-after-phishing-attack/
- Dutch National Police confirmed a security breach following a successful phishing attack, with access quickly detected and blocked.
- According to Dutch National Police, the impact appears limited, with no evidence that citizen data or investigative information was accessed.
- The incident remains under investigation, adding to prior breaches involving officer data and attempted extortion tied to exposed documents.
- SOC teams report that rapid detection, stronger authentication, and continuous monitoring lower phishing-related risks.