End-of-Day report
Timeframe: Friday 06-03-2026 18:00 - Monday 09-03-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
News
Microsoft: Hackers abusing AI at every stage of cyberattacks
Microsoft says threat actors are increasingly using artificial intelligence in their operations to accelerate attacks, scale malicious activity, and lower technical barriers across all aspects of a cyberattack.
https://www.bleepingcomputer.com/news/security/microsoft-hackers-abusing-ai-at-every-stage-of-cyberattacks/
Termite ransomware breaches linked to ClickFix CastleRAT attacks
Ransomware threat actors tracked as Velvet Tempest are using the ClickFix technique and legitimate Windows utilities to deploy the DonutLoader malware and the CastleRAT backdoor.
https://www.bleepingcomputer.com/news/security/termite-ransomware-breaches-linked-to-clickfix-castlerat-attacks/
VU#976247: Antivirus and Endpoint Detection and Response Archive Scanning Engines may not properly scan malformed zip archives
Malformed ZIP headers can cause antivirus and endpoint detection and response software (EDR) to produce false negatives. Despite the presence of malformed headers, some extraction software is still able to decompress the ZIP archive, allowing potentially malicious payloads to run upon file decompression.
https://kb.cert.org/vuls/id/976247
Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model
Anthropic on Friday said it discovered 22 new security vulnerabilities in the Firefox web browser as part of a security partnership with Mozilla. Of these, 14 have been classified as high, seven have been classified as moderate, and one has been rated low in severity.
https://thehackernews.com/2026/03/anthropic-finds-22-firefox.html
Chrome Extension Turns Malicious After Ownership Transfer, Enabling Code Injection and Data Theft
Two Google Chrome extensions have turned malicious after what appears to be a case of ownership transfer, offering attackers a way to push malware to downstream customers, inject arbitrary code, and harvest sensitive data.
https://thehackernews.com/2026/03/chrome-extension-turns-malicious-after.html
UNC4899 Breached Crypto Firm After Developer AirDropped Trojanized File to Work Device
The North Korean threat actor known as UNC4899 is suspected to be behind a sophisticated cloud compromise campaign targeting a cryptocurrency organization in 2025 to steal millions of dollars in cryptocurrency.
https://thehackernews.com/2026/03/unc4899-used-airdrop-file-transfer-and.html
Spyware disguised as emergency-alert app sent to Israeli smartphones
Steals SMS messages, location data, contacts and delivers it to Hamas-linked crew
Hamas-linked attackers are dropping spyware disguised as an emergency-alert app on Israelis' smartphones via SMS messages, according to security researchers.
https://www.theregister.com/2026/03/06/spyware_disguised_as_emergency_alert/
Russian cybercrims phish their way into officials' Signal and WhatsApp accounts
Dutch spies flag large-scale campaign to hijack secure messaging accounts
Russian-linked hackers are trying to break into the Signal and WhatsApp accounts of government officials, journalists, and military personnel globally, not by cracking encryption, but by simply tricking people into handing over the keys.
https://www.theregister.com/2026/03/09/dutch_spies_say_russian_cybercrims/
Middle East Conflict Fuels Opportunistic Cyber Attacks
Threat actors often take advantage of major global events to fuel interest in their malicious activities. Zscaler ThreatLabz is diligently tracking a surge in cybercriminal activity that capitalizes on the elevated political climate in the Middle East. This increased malicious activity includes discoveries that are directly tied to the ongoing conflict, alongside other related findings.
https://www.zscaler.com/blogs/security-research/middle-east-conflict-fuels-opportunistic-cyber-attacks
NIS2: Why so few companies are registering
The NIS2 registration deadline has passed, yet many companies have still not registered. This is why implementation of the security directive is stalling.
https://www.heise.de/news/Douglas-Adams-wuerde-NIS2-lieben-11204285.html
DumpBrowserSecrets - Browser Credential Harvesting with App-Bound Encryption Bypass
DumpBrowserSecrets extracts saved passwords, cookies, OAuth tokens and autofill data from Chrome, Edge, Firefox, Opera and Vivaldi, bypassing App-Bound Encryption via Early Bird APC injection.
https://www.darknet.org.uk/2026/03/dumpbrowsersecrets-browser-credential-harvesting-with-app-bound-encryption-bypass/
LTR101 - Getting into Industry in 2026
Breaking into cybersecurity in 2026: SOC roles, blue team skills, labs, certifications, and practical advice to help you land your first job.
https://blog.zsec.uk/ltr101-getting-into-industry-in-2026/
AI Bot Hackerbot-Claw Targets Microsoft, DataDog and CNCF GitHub Repos
Security firm Pillar reveals the Chaos Agent in which Hackerbot-Claw, an AI agent, used natural language to compromise major GitHub projects and hijack developer tools.
https://hackread.com/ai-bot-hackerbot-claw-microsoft-datadog-github-repos/
Behind the console: Active phishing campaign targeting AWS console credentials
Datadog Security Research identified an active adversary-in-the-middle (AiTM) phishing campaign targeting AWS Console credentials via typosquatted domains that mimic AWS infrastructure.
https://securitylabs.datadoghq.com/articles/behind-the-console-aws-aitm-phishing-campaign/
The first AI agent worm is months away, if that
I'm convinced that the first AI worm/virus is months away, if that. We've seen the first major evidence of "claw" style agents, which have only been around very briefly, acting in highly malicious ways.
https://dustycloud.org/blog/the-first-ai-agent-worm-is-months-away-if-that/
ClipXDaemon Malware, a Stealthy Cryptocurrency Clipboard Hijacker on Linux
Security researchers have identified a new Linux malware strain called ClipXDaemon, a stealthy threat designed to target cryptocurrency users by manipulating copied wallet addresses. Cyble's Research & Intelligence Labs (CRIL) found the malware delivered through a loader structure previously associated with ShadowHS activity.
https://thecyberexpress.com/clipxdaemon-linux-malware/
Vulnerabilities
Nextcloud: code injection possible through flaw in Flow
In Nextcloud Flow, attackers can abuse a security vulnerability to compromise the instance. An update is available.
https://heise.de/-11203404
Critical Nginx UI Vulnerability Exposes Server Backups and Sensitive Data
A newly disclosed vulnerability in Nginx UI, tracked as CVE-2026-27944, has raised major security concerns after researchers confirmed that attackers can download and decrypt server backups without authentication. The flaw, which carries a CVSS score of 9.8, represents a critical security risk for organizations that expose their Nginx UI management interface to the public internet.
https://thecyberexpress.com/cve-2026-27944-nginx-ui-backup-vulnerability/
LWN Security updates for Monday
https://lwn.net/Articles/1062103/