Daily summary - 17.03.2026

End-of-Day report

Timeframe: Monday 16-03-2026 18:00 - Tuesday 17-03-2026 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer

News

LeakNet ransomware uses ClickFix, Deno runtime in stealthy attacks

The LeakNet ransomware gang is now using the ClickFix technique for initial access into corporate environments and deploys a malware loader based on the open-source Deno runtime for JavaScript and TypeScript. [..] ReliaQuest calls this tactic a "bring your own runtime" (BYOR) attack, as Deno is a legitimate JavaScript/TypeScript runtime that allows JS/TS code execution outside the browser on a system.

https://www.bleepingcomputer.com/news/security/leaknet-ransomware-uses-clickfix-and-deno-runtime-for-stealthy-attacks/

European Security Vendor Targeted by Hackers Fronting as Cisco Domain

On March 13, 2026, the threat intelligence team at Outpost24, Specops' parent company, discovered and blocked a sophisticated multi-chain redirect phishing campaign fronting as Cisco, a global network equipment provider. Outpost24's early detection and rapid response ensured nobody was impacted. The attack is quite complex, leveraging several trusted services as well as compromised legitimate infrastructure to conceal the final phishing destination.

https://specopssoft.com/blog/phishing-campaign-cisco/

Hacked sites deliver Vidar infostealer to Windows users

In recent years, ClickFix and fake CAPTCHA techniques have become a popular way for cybercriminals to distribute malware. Our researchers have recently detected a campaign that ultimately delivers the Vidar infostealer, using several different infection chains. [..] Because Vidar loads in memory and communicates with remote command servers, it can quietly collect and exfiltrate data without obvious signs of infection.

https://www.malwarebytes.com/blog/threat-intel/2026/03/hacked-sites-deliver-vidar-infostealer-to-windows-users

New Vidar 2.0 Infostealer Spreads via Fake Game Cheats on GitHub, Reddit

The new infostealer campaign spreads Vidar 2.0 via fake game cheats on GitHub and Reddit, stealing crypto, login tokens, and files while targeting young gamers ignoring security warnings.

https://hackread.com/vidar-2-0-infostealer-fake-game-cheats-github-reddit/

New font-rendering trick hides malicious commands from AI tools

A new font-rendering attack causes AI assistants to miss malicious commands shown on webpages by hiding them in seemingly harmless HTML. The technique relies on social engineering to persuade users to run a malicious command displayed on a webpage, while keeping it encoded in the underlying HTML so AI assistants cannot analyze it.

https://www.bleepingcomputer.com/news/security/new-font-rendering-trick-hides-malicious-commands-from-ai-tools/

Pwning AI Code Interpreters in AWS Bedrock AgentCore

During research into AI code execution environments, BeyondTrust Phantom Labs discovered that AWS Bedrock AgentCore Interpreter's Sandbox network mode does not fully block outbound communication. [..] AWS communicated that a fix will not be made and it will change the documentation's description of sandbox mode instead. [..] AWS awarded the security researcher with a $100 gift card to the AWS Gear Shop and a CVSSv3 score of 7.5.

https://www.beyondtrust.com/blog/entry/pwning-aws-agentcore-code-interpreter

We don't need to hack your AI Agent to hack your AI Agent

The most severe vulnerabilities in AI assistant deployments often have nothing to do with prompt injection, adversarial inputs, or model manipulation. [..] When we conducted a routine review of a publicly accessible AI assistant operated by a large enterprise organisation, we identified a backend API URL embedded in a JavaScript asset loaded by the application's frontend. This is a common and often unremarkable finding - backends have URLs, and it's not always avoidable for client-side code to know where to send requests. In this case, however, what sat behind that URL turned out to be the keys to the kingdom.

https://srlabs.de/blog/hacking-ai-agent

Node.js: Tuesday, March 24, 2026 Security Releases

The Node.js project will release new versions of the 25.x, 24.x, 22.x, 20.x release lines on or shortly after Tuesday, March 24, 2026 in order to address 2 high severity issues, 5 medium severity issues and 2 low severity issues.

https://nodejs.org/en/blog/vulnerability/march-2026-security-releases

MC1247893: Phishing-resistant Windows sign-in with Microsoft Entra passkeys (preview available)

The public preview of Microsoft Entra passkeys is currently (mid-March 2026) starting. It is intended to enable phishing-resistant, passwordless sign-in via Windows Hello to resources protected by Entra, including from unmanaged devices. Enterprise administrators must opt in to this feature and configure policies.

https://borncity.com/blog/2026/03/17/mc1247893-phishing-resistente-windows-anmeldung-durch-microsoft-entra-passkeys-preview-verfuegbar/

Boggy Serpens Threat Assessment

Boggy Serpens is an Iranian nation-state cyberespionage group active since at least 2017. Assessed to be a subordinate element of the MOIS, the group has primarily targeted government, military and critical infrastructure sectors across the Middle East, the Caucasus, Central and Western Asia, South America and Europe. [..] Unit 42 details their persistent targeting.

https://unit42.paloaltonetworks.com/boggy-serpens-threat-assessment/

New Phishing Scam Uses LiveChat to Pose as Amazon and PayPal in Real Time

Cofense researchers have found a new phishing scam where threat actors use LiveChat software to impersonate brands like Amazon and PayPal. By chatting with victims in real-time, these cybercriminals are able to bypass security codes and steal credit card information. [..] The scam begins with an email. While most junk mail is easy to ignore, these messages stand out for their clever tricks to get you to click. One version mimics a PayPal notification claiming you have a $200.00 USD refund waiting.

https://hackread.com/phishing-scam-livechat-pose-as-amazon-paypal/

Comeback of the Klimabonus? No, just (another) phishing attempt!

We already reported on this scheme last year, and now it is back! Criminals are currently mass-sending SMS messages announcing the comeback of the Klimabonus. Anyone who wants to secure their payout must supposedly register immediately. Through a rather well-forged portal, the scammers are after personal information and online banking login credentials.

https://www.watchlist-internet.at/news/comeback-klimabonus-phishing/

Vulnerabilities

TYPO3-EXT-SA-2026-007: Authentication Bypass in extension "E-Mail MFA Provider" (mfa_email)

https://typo3.org/security/advisory/typo3-ext-sa-2026-007

LWN: Security updates for Tuesday

https://lwn.net/Articles/1063248/