Zero Day Wire

Dutch Intelligence Warns of Russian State Campaign Hijacking Signal and WhatsApp Accounts of Government Officials Worldwide

Threats

The Dutch intelligence services AIVD and military intelligence service MIVD have issued a joint advisory warning that Russian state hackers are conducting a large-scale campaign to hijack Signal and WhatsApp accounts belonging to senior government officials, military personnel, civil servants, and journalists worldwide. Dutch government employees have already been targeted

By Zero Day Wire

FBI Investigates Breach of Internal Surveillance System Containing Wiretap Data and Investigation Subject PII

Breaches

The FBI has disclosed to Congress that it is investigating a breach of an internal system containing sensitive surveillance data — including wiretap-related records and personally identifiable information on subjects of FBI investigations. The bureau began investigating abnormal log activity on February 17, 2026, and notified members of Congress this week.

By Zero Day Wire

Chinese Threat Actor CL-UNK-1068 Targets Asian Critical Infrastructure Across Seven Sectors in Years-Long Espionage Campaign

Threats

Palo Alto Networks Unit 42 has disclosed a years-long espionage campaign by a previously undocumented Chinese threat group designated CL-UNK-1068 targeting high-value organizations across seven critical infrastructure sectors in South, Southeast, and East Asia. The campaign, assessed with moderate-to-high confidence as cyber espionage, targets aviation, energy, government, law enforcement, pharmaceutical,

By Zero Day Wire

Qualcomm Zero-Day CVE-2026-21385 Exploited in Targeted Android Attacks — Possible Spyware or Nation-State Links

Alerts

Google's March 2026 Android security bulletin confirms that CVE-2026-21385, a high-severity memory corruption vulnerability in Qualcomm's graphics kernel, is under "limited, targeted exploitation" — language that security researchers say is consistent with commercial spyware operations or nation-state threat activity. The flaw, which carries a CVSS

By Zero Day Wire

Iranian Threat Actors Intensify IP Camera Exploitation Across Six Countries to Support Missile Operations and Battle Damage Assessment

Threats

Check Point Research has disclosed that multiple Iran-nexus threat actors have intensified exploitation of IP cameras across six countries in the Middle East and Eastern Mediterranean since the onset of hostilities — activity assessed to support battle damage assessment (BDA) and target correction for Iranian missile operations. The targeting, which spiked

By Zero Day Wire

APT41-Linked Silver Dragon Targets Governments Across Europe and Southeast Asia Using Google Drive C2 and Three Distinct Infection Chains

Threats

Check Point has disclosed a previously undocumented APT group dubbed Silver Dragon operating within the APT41 umbrella that has been targeting government entities across Europe and Southeast Asia since at least mid-2024 using three distinct infection chains, custom loaders, and a backdoor that uses Google Drive as its command-and-control infrastructure.

By Zero Day Wire

CISA Adds VMware Aria Operations RCE Flaw to KEV Catalog After Reports of Active Exploitation

Alerts

CISA has added CVE-2026-22719 to its Known Exploited Vulnerabilities catalog after reports of active exploitation targeting VMware Aria Operations, the widely deployed enterprise monitoring platform used to track server, network, and cloud infrastructure performance. The vulnerability, a CVSS 8.1 command injection flaw, allows an unauthenticated attacker to execute arbitrary

By Zero Day Wire

French Health Ministry Software Supplier Breached — 15.8 Million Patient Records Stolen Including Doctors' Notes on HIV and Sexual Orientation

Breaches

Attackers breached Cegedim Santé, a software supplier to France's health ministry, stealing approximately 15.8 million administrative patient files — including 165,000 containing free-text notes written by doctors that in some cases documented HIV/AIDS status, sexual orientation, and other sensitive medical history. The breach, confirmed in late

By Zero Day Wire

SloppyLemming Targets Pakistan and Bangladesh Government and Critical Infrastructure With Dual Malware Chains and 112 Cloudflare Workers Domains

Threats

The South Asian threat actor SloppyLemming (also tracked as Outrider Tiger and Fishing Elephant) has been attributed to a sustained campaign targeting government entities and critical infrastructure operators in Pakistan and Bangladesh spanning January 2025 through January 2026, according to new research from Arctic Wolf. The campaign deploys two distinct

By Zero Day Wire

Steaelite RAT Bundles Ransomware, Credential Theft, and Live Surveillance Into Single Double-Extortion Platform

Threats

A new remote access trojan called Steaelite is being sold on cybercrime forums and Telegram that consolidates nearly every offensive capability an attacker needs — credential theft, ransomware deployment, cryptocurrency stealing, live surveillance, and DDoS — into a single browser-based dashboard, effectively eliminating the need for multiple tools or coordination between initial

By Zero Day Wire