CyberNews: 11/03/2026 Edition

Published by Dunateo on 2026-03-11

Today’s roundup

  • Microsoft Patch Tuesday, March 2026 Edition
  • Hewlett Packard Enterprise fixes critical authentication bypass in Aruba AOS-CX
  • Attackers exploit FortiGate devices to access sensitive network information
  • Iranian MOIS Actors & the Cyber Crime Connection
  • KadNap bot compromises 14,000+ devices to route malicious traffic
  • UNC6426 Exploits nx npm Supply-Chain Attack to Gain AWS Admin Access in 72 Hours
  • Five Malicious Rust Crates and AI Bot Exploit CI/CD Pipelines to Steal Developer Secrets
  • New ‘BlackSanta’ EDR killer spotted targeting HR departments
  • New 'Zombie ZIP' technique lets malware slip past security tools
  • GPS Attacks Near Iran Are Wreaking Havoc on Delivery and Mapping Apps
  • Summary

    Microsoft released its March 2026 Patch Tuesday updates, addressing at least 77 vulnerabilities across Windows and other Microsoft software, including two publicly disclosed flaws. Among them is CVE-2026-21536, a remote code execution bug in the Microsoft Devices Pricing Program, identified by XBOW, an autonomous AI penetration-testing agent. Separately, Adobe patched 80 vulnerabilities and Mozilla fixed three high-severity CVEs in Firefox.

    Hewlett Packard Enterprise (HPE) has patched multiple critical vulnerabilities in its Aruba Networking AOS-CX operating system. The most severe, CVE-2026-23813 (CVSS 9.8), is an authentication bypass that lets an unprivileged attacker reset the administrator password; the attack is rated low complexity. The remaining flaws are command injection issues that require authentication.

    Threat actors are using FortiGate Next-Generation Firewall (NGFW) appliances as the initial access point into victim networks, according to SentinelOne. Attackers get onto the device through vulnerabilities or weak credentials and steal its configuration file, which contains service account credentials and the network topology; healthcare organisations and government agencies are among the targets. Observed post-exploitation activity includes lateral movement with RMM tools and compromise of Active Directory.
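    A stolen firewall configuration is only as damaging as the secrets inside it, so the first response task is to enumerate them. The following is an added example, not code from the SentinelOne report or from Fortinet: it parses the FortiOS CLI config format (`config ... edit ... set ... next ... end`) and lists every object that carries a password, pre-shared key or SNMP community string, together with the account and remote host it unlocks, so the list can go straight to credential rotation. The SAMPLE_CONFIG is constructed for the example, the ENC values are placeholders rather than real ciphertext, and the set of secret-bearing setting names is an illustrative assumption rather than a complete inventory for every FortiOS release.

```python
"""Inventory credential-bearing settings in a FortiGate config backup (added example)."""
import re

# Setting names that hold a secret in any section. Assumption: illustrative,
# not exhaustive across FortiOS releases.
GENERIC_SECRET_KEYS = {"password", "passwd", "psksecret", "secret"}
# Sections whose secret lives under a differently named setting: the SNMP
# community string is the object's `name`.
SECTION_SECRET_KEYS = {"system snmp community": {"name"}}

# Constructed sample in FortiOS CLI syntax; values are placeholders.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set password ENC AAAA1111
    next
    edit "svc-backup"
        set password ENC BBBB2222
    next
end
config user ldap
    edit "corp-ad"
        set server "dc01.corp.example"
        set dn "dc=corp,dc=example"
        set username "CN=svc-ldap,OU=Service,DC=corp,DC=example"
        set password ENC CCCC3333
    next
end
config vpn ipsec phase1-interface
    edit "site-b"
        set remote-gw 203.0.113.10
        set psksecret ENC DDDD4444
    next
end
config system snmp community
    edit 1
        set name "public"
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI config into (section, object_name, {setting: value}) tuples."""
    sections, objects, settings, entries = [], [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            sections.append(line[len("config "):].strip())
        elif line == "end":
            if sections:
                sections.pop()
        elif line.startswith("edit "):
            objects.append(line[len("edit "):].strip().strip('"'))
            settings.append({})
        elif line == "next" and objects:
            entries.append((sections[-1], objects.pop(), settings.pop()))
        elif line.startswith("set ") and settings:
            m = re.match(r"set\s+(\S+)\s+(.*)$", line)
            if m:
                settings[-1][m.group(1)] = m.group(2).strip('"')
    return entries


def exposed_credentials(text):
    """List every object holding a secret, with the account and remote host it unlocks."""
    out = []
    for section, name, kv in parse_fortios(text):
        secret_keys = GENERIC_SECRET_KEYS | SECTION_SECRET_KEYS.get(section, set())
        for key in sorted(kv):
            if key in secret_keys:
                out.append({
                    "section": section,
                    "object": name,
                    "setting": key,
                    # LDAP/RADIUS objects name the bind account; admins are the object itself.
                    "account": kv.get("username", name),
                    "target": kv.get("server") or kv.get("remote-gw"),
                })
    return out


if __name__ == "__main__":
    for cred in exposed_credentials(SAMPLE_CONFIG):
        print(f"{cred['section']} / {cred['object']}: rotate '{cred['setting']}'"
              f" for account {cred['account']} (target: {cred['target']})")
```

    Treat every entry the script reports as compromised, whether or not the backup shows the value in ENC form: an attacker holding the file has everything the device uses to decrypt it, and the LDAP bind account and IPsec pre-shared key in the sample are exactly the kind of credentials that enable the Active Directory compromise and lateral movement described above.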

    A Check Point Research report highlights a significant shift in Iranian Ministry of Intelligence and Security (MOIS) operations, where state-sponsored actors are increasingly leveraging cybercrime tools, malware, and ransomware ecosystems. This includes the use of commercial infostealers like Rhadamanthys, the Tsundere botnet, and participation in Ransomware-as-a-Service (RaaS) operations like Qilin, notably used in an attack against an Israeli hospital in October 2025. This strategy enhances capabilities and complicates attribution.

    A new botnet, KadNap, has infected over 14,000 edge devices, primarily ASUS routers, converting them into a stealth proxy network for malicious traffic. First detected in August 2025 by Black Lotus Labs, the malware employs a custom Kademlia peer-to-peer protocol for covert command-and-control communication, with over 60% of victims located in the U.S. The compromised devices are then sold via proxy services like Doppelganger for cybercrime activities.

    The threat actor UNC6426 exploited the supply chain compromise of the 'nx' npm package to obtain AWS administrative access within 72 hours. The intrusion started with the theft of a developer's GitHub token, which was then used to gain unauthorized cloud access and exfiltrate data, a reminder that one stolen developer credential can lead straight to the cloud control plane.

    Researchers discovered five malicious Rust crates on crates.io that masquerade as time-related utilities. Published between late February and early March, the packages exfiltrate the contents of .env files to the attackers, another supply chain route to the developer secrets and CI/CD credentials that live on build machines.
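    Both the nx incident and the malicious crates rely on the same mechanism: code that runs automatically when a dependency is installed (npm lifecycle scripts) or compiled (Cargo build scripts and proc-macros), on a developer machine or CI runner where .env files, GitHub tokens and cloud credentials are within reach. The following is an added example, not code from either research report: it walks a checkout and lists every package that carries such a hook, so the list can be reviewed before the next install. The fixture tree it builds is constructed for the example, the package names in it are invented and are not the packages named in the reports, and the vendored layout (`node_modules/` and `vendor/`) is an assumption about where dependencies are checked out.

```python
"""Audit a dependency tree for code that runs at install or build time (added example)."""
import json
import os
import re
import tempfile

# npm runs these automatically during `npm install` unless --ignore-scripts is set.
NPM_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")


def audit_npm_package(pkg_dir):
    """Return the lifecycle hooks declared in pkg_dir/package.json, if any."""
    try:
        with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
            manifest = json.load(fh)
    except (OSError, ValueError):
        return []
    scripts = manifest.get("scripts") or {}
    return [{"ecosystem": "npm", "package": manifest.get("name", pkg_dir),
             "path": pkg_dir, "hook": hook, "command": scripts[hook]}
            for hook in NPM_HOOKS if hook in scripts]


def audit_cargo_crate(crate_dir):
    """Flag a crate with a build script or a proc-macro; both execute at compile time."""
    try:
        with open(os.path.join(crate_dir, "Cargo.toml"), encoding="utf-8") as fh:
            toml = fh.read()
    except OSError:
        return []
    m = re.search(r'^\s*name\s*=\s*"([^"]+)"', toml, re.M)
    name = m.group(1) if m else crate_dir
    findings = []
    # build.rs is the default build-script location; `build = "..."` relocates it.
    if (os.path.exists(os.path.join(crate_dir, "build.rs"))
            or re.search(r'^\s*build\s*=\s*"', toml, re.M)):
        findings.append({"ecosystem": "cargo", "package": name, "path": crate_dir,
                         "hook": "build-script", "command": "build.rs"})
    if re.search(r"^\s*proc-macro\s*=\s*true", toml, re.M):
        findings.append({"ecosystem": "cargo", "package": name, "path": crate_dir,
                         "hook": "proc-macro", "command": "compile-time macro expansion"})
    return findings


def audit_tree(root):
    """Collect install/build-time hooks from every npm package and Cargo crate under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" in filenames:
            findings.extend(audit_npm_package(dirpath))
        if "Cargo.toml" in filenames:
            findings.extend(audit_cargo_crate(dirpath))
    return sorted(findings, key=lambda f: (f["ecosystem"], f["package"], f["hook"]))


def build_sample_tree(root):
    """Write a constructed fixture: a clean npm package, one with a postinstall
    hook, and a Cargo crate with a build script. Names are invented."""
    def write(rel, content):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    write("node_modules/left-align/package.json",
          json.dumps({"name": "left-align", "version": "1.0.0"}))
    write("node_modules/time-fmt-helper/package.json",
          json.dumps({"name": "time-fmt-helper", "version": "2.3.1",
                      "scripts": {"postinstall": "node setup.js"}}))
    write("vendor/time-parse-rs/Cargo.toml",
          '[package]\nname = "time-parse-rs"\nversion = "0.1.0"\n\n[lib]\nproc-macro = false\n')
    write("vendor/time-parse-rs/build.rs", "fn main() {}\n")
    return root


def run_demo():
    """Build the fixture in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f['ecosystem']}] {f['package']} runs '{f['command']}' at {f['hook']}")
```

    The asymmetry between the two ecosystems is worth knowing: npm can be told to skip hooks with `npm ci --ignore-scripts`, whereas Cargo has no equivalent switch, so a build script or proc-macro in any transitive crate runs on every `cargo build`. For the crates case the practical controls are reviewing the flagged crates before adding them and building untrusted code on a runner that holds no long-lived secrets, which is also what limits the blast radius of a stolen token in the nx case.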

    A new EDR (Endpoint Detection and Response) killer, dubbed 'BlackSanta', has been seen in attacks aimed at human resources (HR) departments. Active for over a year and linked to a Russian-speaking threat actor, the malware disables security software on the host so that the subsequent intrusion is harder to detect and respond to.

    A new evasion technique, dubbed 'Zombie ZIP', lets malware payloads slip past antivirus and EDR products. It relies on specially crafted compressed archives that hide the malicious content from the tools that inspect them, a fresh challenge for endpoint security and for any gateway that scans archives.

    Electronic warfare operations near Iran are disrupting GPS signals over a wide area, with visible consequences for civilian applications. Delivery and mapping services are showing glitches and abrupt navigation changes, demonstrating how signal jamming affects everyday infrastructure well beyond its military target.

    Want to dig deeper?

    Vulnerabilities

    CVE-2026-21536 High
    CVE-2026-23813 Critical

    Malware Families

    Latrodectus, BLACKWIDOW, IceNova, Lotus (BLACKWIDOW, IceNova and Lotus are alias names for the Latrodectus loader)