[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fc-0DaRqVLzCPvp4Dhs92M-8rgCZ2Wu3Pm--4Z5DqgqM":3},{"roundup":4},{"id":5,"week_label":6,"slug":7,"date_from":8,"date_to":9,"tldr":10,"full_brief":11,"top_iocs":12,"social_linkedin":62,"social_x":63,"article_count":64,"awareness_links":65,"status":126,"published_at":127,"created_at":128,"updated_at":128,"mastodon_posted_at":129,"executive_summary":129,"tagline":129,"cover_image_url":129},"32b3c064-102c-454f-9330-fd90820fc016","2026-W13","2026-w13","2026-03-23","2026-03-29","🚨 FBI Director Kash Patel's personal Gmail breached by Iran-linked Handala hackers in major retaliation operation\n🏛️ European Commission investigating 350GB data breach as ShinyHunters claims AWS infrastructure compromise\n📦 TeamPCP threat actors execute 50+ supply chain attacks in 8 days, targeting PyPI packages with steganography\n🔐 Critical Citrix NetScaler memory overread flaw (CVE-2026-3055) under active reconnaissance, echoing CitrixBleed risks\n⚡ F5 BIG-IP vulnerability (CVE-2025-53521) added to CISA's KEV catalog after confirmed exploitation in wild\n🛡️ Google accelerates post-quantum cryptography deadline to 2029 as quantum threats advance faster than expected\n📱 Apple pushes emergency alerts to outdated iPhones over active web-based iOS exploits targeting unpatched devices","## APT & Nation-State\n\n**[FBI confirms hack of Director Patel's personal email inbox](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Ffbi-confirms-hack-of-director-patels-personal-email-inbox\u002F)**. Iranian-linked Handala threat actors breached FBI Director Kash Patel's personal Gmail account and published historical documents as retaliation for domain seizures and a $10 million reward offer.\n\n**[TA446 Deploys DarkSword iOS Exploit Kit in Targeted Spear-Phishing Campaign](https:\u002F\u002Fthehackernews.com\u002F2026\u002F03\u002Fta446-deploys-leaked-darksword-ios.html)**. 
Russian FSB-linked TA446 used the leaked DarkSword iOS exploit kit to deliver GHOSTBLADE malware to government, think-tank, and legal targets, raising concerns that nation-state exploits are becoming commoditized.\n\n**[Iran-Linked Hackers Breach FBI Director's Personal Email, Hit Stryker With Wiper Attack](https:\u002F\u002Fthehackernews.com\u002F2026\u002F03\u002Firan-linked-hackers-breach-fbi.html)**. The MOIS-operated Handala Hack Team also conducted destructive wiper attacks on medical device manufacturer Stryker, the first confirmed destructive operation against a U.S. Fortune 500 company.\n\n**[China Upgrades the Backdoor It Uses to Spy on Telcos Globally](https:\u002F\u002Fwww.darkreading.com\u002Fthreat-intelligence\u002Fchina-upgrades-backdoor-spy-telcos)**. Chinese APT Red Menshen has upgraded its BPFdoor backdoor, which uses eBPF to evade traditional detection, in continued attacks on telecommunications infrastructure worldwide.\n\n### Key Takeaway\nExtend executive email protections to personal accounts, not just official mailboxes, and hunt for eBPF-based implants such as BPFdoor in telecommunications environments.\n\n## Vulnerabilities & Exploits\n\n**[CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation](https:\u002F\u002Fthehackernews.com\u002F2026\u002F03\u002Fcisa-adds-cve-2025-53521-to-kev-after.html)**. CISA added the F5 BIG-IP Access Policy Manager flaw to its Known Exploited Vulnerabilities catalog after confirmed in-the-wild exploitation, with in-memory web shells observed on compromised systems; originally rated a denial-of-service issue, it has been reassessed as remote code execution (CVSS 9.3).\n\n**[Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug](https:\u002F\u002Fthehackernews.com\u002F2026\u002F03\u002Fcitrix-netscaler-under-active-recon-for.html)**. 
A critical memory over-read in Citrix NetScaler ADC and Gateway is under active reconnaissance, with threat actors probing SAML IdP configurations to identify exposed appliances; as with the earlier CitrixBleed flaws, memory disclosure of this kind puts session tokens at risk.\n\n**[Apple Sends Lock Screen Alerts to Outdated iPhones Over Active Web-Based Exploits](https:\u002F\u002Fthehackernews.com\u002F2026\u002F03\u002Fapple-sends-lock-screen-alerts-to.html)**. Apple is pushing urgent lock screen notifications to users on older iOS versions, warning of active web-based attacks that use the Coruna and DarkSword exploit kits against unpatched devices.\n\n**[LangChain, LangGraph Flaws Expose Files, Secrets, Databases in Widely Used AI Frameworks](https:\u002F\u002Fthehackernews.com\u002F2026\u002F03\u002Flangchain-langgraph-flaws-expose-files.html)**. Three critical vulnerabilities in the LangChain and LangGraph AI frameworks enable path traversal, unsafe deserialization, and SQL injection in packages with millions of weekly downloads.\n\n### Key Takeaway\nPatch F5 BIG-IP and Citrix NetScaler immediately and check exposed BIG-IP systems for the in-memory web shells seen in these attacks; update iOS devices and LangChain\u002FLangGraph dependencies to the latest versions.\n\n## Supply Chain\n\n**[Backdoored Telnyx PyPI package pushes malware hidden in WAV audio](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fbackdoored-telnyx-pypi-package-pushes-malware-hidden-in-wav-audio\u002F)**. TeamPCP used compromised PyPI credentials to push backdoored versions of the Telnyx Python package, hiding credential-stealing malware inside steganographically encoded WAV audio files in a package with roughly 740,000 monthly downloads.\n\n**[TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files](https:\u002F\u002Fthehackernews.com\u002F2026\u002F03\u002Fteampcp-pushes-malicious-telnyx.html)**. 
The same campaign used steganography to hide the stealer inside WAV files and carried platform-specific persistence for Windows, Linux, and macOS.\n\n**[Fake VS Code alerts on GitHub spread malware to developers](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Ffake-vs-code-alerts-on-github-spread-malware-to-developers\u002F)**. A coordinated campaign posted fake VS Code security alerts across thousands of GitHub repositories to distribute malware, using realistic-looking CVE IDs and impersonating maintainers.\n\n**[Open VSX Bug Let Malicious VS Code Extensions Bypass Pre-Publish Security Checks](https:\u002F\u002Fthehackernews.com\u002F2026\u002F03\u002Fopen-vsx-bug-let-malicious-vs-code.html)**. A vulnerability in Open VSX's scanning pipeline let malicious extensions skip security vetting: exhausting the registry's database connections made the pre-publish scan fail, and the extension was published anyway.\n\n### Key Takeaway\nPin and verify package integrity (hash-checked installs for PyPI), monitor for unexpected releases of the packages and extensions you depend on, and verify GitHub security notifications through official channels rather than acting on alerts posted in repositories.\n\n## Ransomware & Breaches\n\n**[ShinyHunters Claims 350GB Data Breach at European Commission](https:\u002F\u002Fhackread.com\u002Fshinyhunters-350gb-data-breach-european-commission\u002F)**. ShinyHunters claimed responsibility for breaching European Commission AWS infrastructure and leaking over 350GB of data, including mail server contents, databases, and internal documents.\n\n**[European Commission investigating breach after Amazon cloud account hack](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Feuropean-commission-investigating-breach-after-amazon-cloud-account-hack\u002F)**. 
The Commission confirmed it is investigating unauthorized access to its AWS infrastructure; the attackers claim to have taken 350GB of data but have made no extortion demand.\n\n**[BianLian Ransomware Spreads via Fake Invoice SVG Images in New Attacks](https:\u002F\u002Fhackread.com\u002Fbianlian-ransomware-fake-invoice-svg-images-attacks\u002F)**. The BianLian ransomware group is targeting Venezuelan companies with fake invoice SVG files whose embedded XML delivers Go-based malware that encrypts with AES. [Learn more](\u002Fawareness\u002Fbianlian-ransomware-uses-sophisticated-svg-phishing-to-target-businesses)\n\n**[Lloyds Group to Compensate 450,000 Customers After App Glitch](https:\u002F\u002Fhackread.com\u002Flloyds-compensate-customers-app-glitch-exposed-data\u002F)**. A software defect in Lloyds Banking Group's app broke the privacy barriers between accounts: 450,000 customers were affected, and 114,000 users were able to view other customers' sensitive information.\n\n### Key Takeaway\nStrengthen cloud account access controls and enforce multi-factor authentication, especially for critical infrastructure and financial services applications.\n\n## Regulatory & Compliance\n\n**[Google Sets 2029 Deadline as Quantum Computers Threaten Encryption](https:\u002F\u002Fhackread.com\u002Fgoogle-2029-deadline-quantum-computers-encryption\u002F)**. Google accelerated its post-quantum cryptography transition to 2029, ahead of NSA and US government targets, citing faster than expected progress in quantum computing and harvest-now-decrypt-later threats.\n\n**[ANSPDCP (Romania) - fine against Renault Commercial Roumanie SRL](https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=ANSPDCP_(Romania)_-_fine_against_Renault_Commercial_Roumanie_SRL&diff=51139&oldid=0)**. 
Romania's data protection authority fined Renault Commercial Roumanie SRL €125,000 for inadequate security measures after a cyberattack exposed personal data including driver's licenses and identity documents.\n\n### Key Takeaway\nBegin post-quantum cryptography assessment and migration planning now; the transition window is narrowing, and encrypted traffic captured today can be decrypted once quantum computers mature.\n\n## Criminal Ecosystem\n\n**[ShinyHunters Walk Away from BreachForums, Leak 300,000-User Database](https:\u002F\u002Fhackread.com\u002Fshinyhunters-breachforums-leak-300000-user-database\u002F)**. ShinyHunters left BreachForums after the FBI seizure, released more than 300,000 user records, and threatened to leak complete forum backups unless impersonating domains are shut down.\n\n**[SnowTeam Launches Leak Bazaar, a Corporate Data Exchange With ML-Powered Dump Analysis](https:\u002F\u002Fdarkwebinformer.com\u002Fsnowteam-launches-leak-bazaar-a-corporate-data-exchange-with-ml-powered-dump-analysis-dbms-reverse-engineering-and-ransomware-negotiation-support\u002F)**. SnowTeam unveiled Leak Bazaar, a closed dark web platform that monetizes stolen corporate data with automated ML filtering, DBMS reverse-engineering tools, and ransomware negotiation support.\n\n### Key Takeaway\nMonitor criminal marketplaces for your organization's data and strengthen breach response capabilities as these platforms grow more sophisticated.\n\n## References\n- https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Ffbi-confirms-hack-of-director-patels-personal-email-inbox\u002F\n- https:\u002F\u002Fthehackernews.com\u002F2026\u002F03\u002Fcisa-adds-cve-2025-53521-to-kev-after.html\n- https:\u002F\u002Fthehackernews.com\u002F2026\u002F03\u002Fcitrix-netscaler-under-active-recon-for.html\n- https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fbackdoored-telnyx-pypi-package-pushes-malware-hidden-in-wav-audio\u002F\n- https:\u002F\u002Fhackread.com\u002Fshinyhunters-350gb-data-breach-european-commission\u002F\n- 
https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Feuropean-commission-investigating-breach-after-amazon-cloud-account-hack\u002F\n- https:\u002F\u002Fhackread.com\u002Fgoogle-2029-deadline-quantum-computers-encryption\u002F\n- https:\u002F\u002Fthehackernews.com\u002F2026\u002F03\u002Fta446-deploys-leaked-darksword-ios.html",[13,17,20,23,26,30,33,36,40,44,47,50,53,56,59],{"type":14,"value":15,"context":16},"malware","Handala","Threat actor responsible for compromising Kash Patel's Gmail account",{"type":14,"value":18,"context":19},"TeamPCP","Threat actor behind PyPI package compromise campaign",{"type":14,"value":21,"context":22},"ShinyHunters","Threat actor group claiming responsibility for 350GB European Commission data breach",{"type":14,"value":24,"context":25},"DarkSword","iOS exploit kit leveraged by TA446 for credential harvesting and remote code execution",{"type":27,"value":28,"context":29},"cve","CVE-2025-53521","Critical RCE vulnerability in F5 BIG-IP APM, actively exploited, CVSS 9.3",{"type":27,"value":31,"context":32},"CVE-2026-3055","Critical memory overread vulnerability in Citrix NetScaler ADC\u002FGateway with CVSS 9.3",{"type":27,"value":34,"context":35},"CVE-2025-5777","Citrix Bleed 2 – subsequent NetScaler flaw exploited in the wild",{"type":37,"value":38,"context":39},"domain","escofiringbijou.com","TA446-controlled second-stage domain serving DarkSword exploit kit components",{"type":41,"value":42,"context":43},"mitre_attack","T1598.003","Spear-phishing with spoofed Atlantic Council emails for credential harvesting",{"type":41,"value":45,"context":46},"T1190","Exploit Public-Facing Application (remote code execution via malicious traffic)",{"type":41,"value":48,"context":49},"T1505.003","Web Shell (in-memory webshells observed on compromised BIG-IP systems)",{"type":37,"value":51,"context":52},"justicehomeland[.]org","MOIS-operated domain seized by U.S. 
government; used for psychological operations and data leaks",{"type":37,"value":54,"context":55},"handala-hack[.]to","Handala Hack Team operational domain seized by U.S. authorities",{"type":37,"value":57,"context":58},"karmabelow80[.]org","MOIS-linked domain associated with the Karma persona; seized by U.S. government",{"type":41,"value":60,"context":61},"T1566.002","Phishing used as primary vector for initial compromise and credential theft","This week brought unprecedented targeting of senior government officials, critical infrastructure vulnerabilities, and supply chain attacks:\n\n• Iranian hackers breached FBI Director Kash Patel's personal Gmail in a retaliation operation\n• European Commission investigating 350GB AWS breach claimed by ShinyHunters\n• TeamPCP executed 50+ supply chain attacks using WAV file steganography\n• Critical Citrix NetScaler flaw under active reconnaissance echoing CitrixBleed\n• Google accelerates post-quantum cryptography deadline to 2029\n\nFull roundup: https:\u002F\u002Fthreatnoir.com\u002Fweekly\u002F2026-w13\n\n#CyberSecurity #ThreatIntelligence #SupplyChain #PostQuantum #InfoSec","🚨 Week 13: Iranian hackers breach FBI Director's email, EU Commission hit by 350GB leak, TeamPCP executes 50+ supply chain attacks with steganography, critical Citrix flaw under active recon. 
Google moves quantum-safe crypto to 2029.\n\nFull roundup: https:\u002F\u002Fthreatnoir.com\u002Fweekly\u002F2026-w13",80,[66,69,72,75,78,81,84,87,90,93,96,99,102,105,108,111,114,117,120,123],{"slug":67,"title":68},"advanced-ebpf-backdoor-evades-traditional-security-controls","Advanced eBPF Backdoor Evades Traditional Security Controls",{"slug":70,"title":71},"ai-accelerated-threat-landscape-outpacing-traditional-defenses","AI-Accelerated Threat Landscape Outpacing Traditional Defenses",{"slug":73,"title":74},"bianlian-ransomware-uses-sophisticated-svg-phishing-to-target-businesses","BianLian Ransomware Uses Sophisticated SVG Phishing to Target Businesses",{"slug":76,"title":77},"iran-linked-hackers-compromise-fbi-directors-email-and-launch-wiper-attack-on-stryker","Iran-Linked Hackers Compromise FBI Director's Email and Launch Wiper Attack on Stryker",{"slug":79,"title":80},"ai-powered-phishing-tools-lower-cybercrime-barriers","AI-Powered Phishing Tools Lower Cybercrime Barriers",{"slug":82,"title":83},"clickfix-social-engineering-targets-mac-users-with-terminal-commands","ClickFix Social Engineering Targets Mac Users with Terminal Commands",{"slug":85,"title":86},"cloud-account-compromise-exposes-eu-commission-data","Cloud Account Compromise Exposes EU Commission Data",{"slug":88,"title":89},"colombian-health-authority-faces-escalating-data-breach-with-threat-of-additional-releases","Colombian Health Authority Faces Escalating Data Breach with Threat of Additional Releases",{"slug":91,"title":92},"compromised-pypi-credentials-enable-supply-chain-attack-on-popular-python-package","Compromised PyPI Credentials Enable Supply Chain Attack on Popular Python Package",{"slug":94,"title":95},"criminal-data-marketplaces-evolve-with-ml-powered-analysis-tools","Criminal Data Marketplaces Evolve with ML-Powered Analysis Tools",{"slug":97,"title":98},"criminal-forum-consolidation-highlights-data-breach-ecosystem-risks","Criminal Forum Consolidation Highlights Data Breach 
Ecosystem Risks",{"slug":100,"title":101},"criminal-marketplace-database-compromised-by-insider-threat","Criminal Marketplace Database Compromised by Insider Threat",{"slug":103,"title":104},"criminal-platform-monetizes-failed-ransomware-negotiations","Criminal Platform Monetizes Failed Ransomware Negotiations",{"slug":106,"title":107},"critical-ai-framework-vulnerabilities-expose-sensitive-data","Critical AI Framework Vulnerabilities Expose Sensitive Data",{"slug":109,"title":110},"critical-citrix-netscaler-memory-overread-vulnerability-under-active-reconnaissance","Critical Citrix NetScaler Memory Overread Vulnerability Under Active Reconnaissance",{"slug":112,"title":113},"critical-citrix-netscaler-flaw-enables-session-token-theft","Critical Citrix NetScaler Flaw Enables Session Token Theft",{"slug":115,"title":116},"high-profile-officials-face-targeted-personal-account-attacks","High-Profile Officials Face Targeted Personal Account Attacks",{"slug":118,"title":119},"critical-ios-exploits-target-unpatched-devices","Critical iOS Exploits Target Unpatched Devices",{"slug":121,"title":122},"critical-router-vulnerabilities-enable-network-compromise","Critical Router Vulnerabilities Enable Network Compromise",{"slug":124,"title":125},"critical-f5-big-ip-vulnerability-exploited-in-wild-despite-available-patches","Critical F5 BIG-IP Vulnerability Exploited in Wild Despite Available Patches","published","2026-03-31T19:50:58.013459+00:00","2026-03-31T19:50:57.384076+00:00",null]