Today’s roundup
LeakNet ransomware uses ClickFix, Deno runtime in stealthy attacks
Attack on Stryker’s Microsoft environment wiped employee devices without malware
U.S. CISA adds a flaw in Wing FTP Server to its Known Exploited Vulnerabilities catalog
UK’s Companies House confirms security flaw exposed business data
Konni Deploys EndRAT Through Phishing, Uses KakaoTalk to Propagate Malware
GlassWorm Attack Uses Stolen GitHub Tokens to Force-Push Malware Into Python Repos
CL-STA-1087 targets military capabilities since 2020
From Windows to macOS: ClickFix attacks shift tactics with ChatGPT-based lures
Russia-linked APT uses DRILLAPP backdoor to spy on Ukrainian targets
Agent Commander: Promptware-Powered Command and Control
Summary
The LeakNet ransomware gang now uses the ClickFix technique for initial access to corporate environments and deploys a malware loader built on Deno, the open-source JavaScript and TypeScript runtime, which helps the intrusions evade detection.
Medical technology giant Stryker suffered a cyberattack in which the intruders compromised a Global Administrator account and used Microsoft Intune's remote wipe command to wipe approximately 80,000 employee devices, with no malware deployed. The incident, attributed to the Iran-linked Handala group, was contained to Stryker's internal Microsoft corporate environment; medical devices were unaffected, though electronic ordering systems remain offline.
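A wipe issued through legitimate MDM tooling leaves no malware to catch, so the detection opportunity is the audit trail: one identity issuing destructive device actions at a rate no helpdesk workflow produces. The following is an added example (not code from the Stryker incident, Microsoft, or the reporting) that runs a sliding-window count over constructed audit records; the field names `actor`, `activity`, `device` and `timestamp` are a simplified schema assumed here, not the real Intune audit-event format, and the threshold and window are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real Intune records): one account issues
# 120 wipes in two minutes; a helpdesk account wipes/retires two devices normally.
SAMPLE_EVENTS = [
    {"actor": "ga-admin@corp.example", "activity": "wipeManagedDevice",
     "device": f"LAPTOP-{i:04d}",
     "timestamp": f"2026-03-10T02:{i // 60:02d}:{i % 60:02d}Z"}
    for i in range(120)
] + [
    {"actor": "helpdesk@corp.example", "activity": "wipeManagedDevice",
     "device": "LAPTOP-LOST1", "timestamp": "2026-03-10T09:15:00Z"},
    {"actor": "helpdesk@corp.example", "activity": "retireManagedDevice",
     "device": "LAPTOP-OLD7", "timestamp": "2026-03-10T09:20:00Z"},
]

# Assumed action names for the destructive MDM operations worth counting.
DESTRUCTIVE_ACTIONS = {"wipeManagedDevice", "retireManagedDevice"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_bulk_wipes(events, threshold=10, window=timedelta(minutes=10)):
    """Return {actor: peak_count} for actors whose destructive actions reach
    `threshold` within any sliding window of length `window`.
    Threshold and window are assumed tuning values, not vendor guidance."""
    by_actor = defaultdict(list)
    for event in events:
        if event["activity"] in DESTRUCTIVE_ACTIONS:
            by_actor[event["actor"]].append(parse_ts(event["timestamp"]))

    alerts = {}
    for actor, times in by_actor.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # Advance the window start until the span fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[actor] = peak
    return alerts


if __name__ == "__main__":
    for actor, count in find_bulk_wipes(SAMPLE_EVENTS).items():
        print(f"ALERT: {actor} issued {count} destructive MDM actions within 10 minutes")
```

The helpdesk account's two actions stay below the threshold while the Global Administrator's burst trips it immediately. Alerting on the rate rather than on the action itself is what keeps this usable; in practice the same count should also feed a response that can revoke the actor's sessions, since by the time 80,000 wipes have been issued the audit log is only a post-mortem.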
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added an actively exploited information disclosure vulnerability, CVE-2025-47813 (CVSS 4.3), affecting Wing FTP Server versions prior to 7.4.4, to its Known Exploited Vulnerabilities catalog. The flaw in `loginok.html` lets an attacker leak the application's full local installation path by sending an excessively long UID cookie, which aids reconnaissance for follow-on attacks. Federal agencies must remediate by March 30, 2026.
The UK's Companies House confirmed that a security flaw in its WebFiling service had been exposing companies' information since October 2025. The British government agency temporarily took the online service offline to fix the vulnerability and address the data exposure.
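Two checks follow from the Wing FTP advisory text: whether an installed version is below 7.4.4, and whether request logs show the indicator the flaw depends on, an abnormally long UID cookie sent to `loginok.html`. This is an added example, not vendor code or a published detection rule; the log format is constructed for the example (Wing FTP's real log layout differs) and the 256-byte cookie threshold is an assumption.

```python
import re

FIXED_VERSION = (7, 4, 4)  # first fixed release per the advisory text


def parse_version(version):
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version):
    """True for Wing FTP Server releases prior to 7.4.4."""
    return parse_version(version) < FIXED_VERSION


# Constructed access-log lines (not Wing FTP's real log format): source IP,
# request line, then the Cookie header. The second line carries a 2048-byte UID.
SAMPLE_LOG = [
    '10.0.0.5 "GET /loginok.html" cookie="UID=abc123def456"',
    '203.0.113.9 "GET /loginok.html" cookie="UID=' + "A" * 2048 + '"',
    '10.0.0.7 "GET /index.html" cookie="UID=' + "B" * 2048 + '"',
]

LINE_RE = re.compile(
    r'^(?P<src>\S+) "(?P<method>\S+) (?P<path>\S+)" cookie="(?P<cookie>[^"]*)"'
)


def uid_length(cookie_header):
    """Length of the UID cookie value, or 0 when the cookie is absent."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "UID":
            return len(value)
    return 0


def find_probe_attempts(lines, max_uid=256):
    """Source addresses that requested loginok.html with a UID cookie longer
    than `max_uid` bytes (assumed threshold; a real session cookie is far shorter)."""
    hits = []
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue
        if match["path"].endswith("/loginok.html") and uid_length(match["cookie"]) > max_uid:
            hits.append(match["src"])
    return hits


if __name__ == "__main__":
    print("7.4.3 vulnerable:", is_vulnerable("7.4.3"))
    print("probe sources:", find_probe_attempts(SAMPLE_LOG))
```

The third log line carries the same oversized cookie but targets `index.html`, so it is not reported; restricting the match to the vulnerable endpoint keeps the rule from firing on unrelated cookie abuse. Patching to 7.4.4 is the fix; the log check is for deciding whether the path leak already happened before the patch landed.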
North Korean threat actors tracked as the Konni group have been observed deploying the EndRAT malware. Initial access is gained through spear-phishing emails; the attackers then hijack the victims' KakaoTalk desktop application to push malicious payloads to their contacts.
The GlassWorm malware campaign is abusing stolen GitHub tokens to force-push obfuscated malicious code into hundreds of Python repositories, spanning applications and libraries. The supply chain attack appends the malware to entry-point files such as `setup.py`, `main.py`, and `app.py`, which run at install or launch time.
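Because the campaign appends code to well-known entry-point files, a repository owner can at least scan those files for appended obfuscation before anything is installed or run. The following is an added example, not part of the GlassWorm research or any published tool; its indicators (exec/eval of a decoded blob, very long lines, format or private-use Unicode characters) are generic obfuscation heuristics assumed here, not GlassWorm signatures, and the sample repository it scans is constructed.

```python
import os
import re
import tempfile
import unicodedata

# Files the reporting names as injection targets.
TARGET_FILES = {"setup.py", "main.py", "app.py"}
EXEC_RE = re.compile(r"\b(exec|eval)\s*\(")
DECODE_RE = re.compile(r"(base64\.b64decode|zlib\.decompress|codecs\.decode|bytes\.fromhex)")


def suspicious_lines(text, max_len=300):
    """Return (lineno, reason) pairs for lines showing obfuscation indicators.
    max_len is an assumed threshold for 'unreasonably long source line'."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        reasons = []
        if EXEC_RE.search(line) and DECODE_RE.search(line):
            reasons.append("exec/eval of decoded payload")
        if len(line) > max_len:
            reasons.append(f"line length {len(line)}")
        # Cf = format characters (zero-width joiners/spaces etc.), Co = private use.
        if any(unicodedata.category(ch) in ("Cf", "Co") for ch in line):
            reasons.append("format/private-use Unicode characters")
        if reasons:
            findings.append((lineno, "; ".join(reasons)))
    return findings


def scan_repo(root):
    """Map each flagged target file (relative path) to its findings."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name not in TARGET_FILES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = suspicious_lines(fh.read())
            if hits:
                results[os.path.relpath(path, root)] = hits
    return results


def build_sample_repo():
    """Constructed repository: a clean app.py and a setup.py with an appended blob
    hidden behind a zero-width space. Returns the temp directory path."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "app.py"), "w", encoding="utf-8") as fh:
        fh.write("def main():\n    print('hello')\n")
    payload = "import base64;exec(base64.b64decode('" + "QUFB" * 200 + "'))\n"
    with open(os.path.join(root, "setup.py"), "w", encoding="utf-8") as fh:
        fh.write("from setuptools import setup\nsetup(name='demo')\n")
        fh.write("\u200b\n")  # zero-width space: invisible in most editors
        fh.write(payload)
    return root


if __name__ == "__main__":
    for path, hits in scan_repo(build_sample_repo()).items():
        for lineno, reason in hits:
            print(f"{path}:{lineno}: {reason}")
```

Run it against a checkout of each repository the token had write access to; anything it flags is worth a `git log -p` on that file to see when the lines arrived and from which author. Since the attackers force-pushed, the local reflog or a fork may be the only copy of the original history, so compare against those before resetting the branch.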
A China-linked APT group, CL-STA-1087, has conducted an extensive cyberespionage campaign against Southeast Asian military organizations since at least 2020. The threat actors use novel backdoors such as AppleChris and MemFun, along with a custom Getpass credential harvester, to maintain persistent access and collect highly specific military intelligence.
ClickFix social engineering campaigns are evolving and increasingly target macOS users with ChatGPT-based lures and infostealers such as MacSync and AMOS. Attackers use fake OpenAI/ChatGPT or GitHub-themed pages to trick users into running malicious commands in Terminal themselves, which sidesteps macOS protections such as Gatekeeper and XProtect.
Russia-linked threat actors, possibly the Laundry Bear APT group, are targeting Ukrainian entities with a new DRILLAPP backdoor. The malware uses a novel tactic: it abuses Microsoft Edge's headless debugging mode to evade detection and to access the file system, microphone, camera, and screen content without user interaction.
New research introduces "Agent Commander," a promptware-powered command and control (C2) system capable of hijacking and controlling autonomous AI agents, including OpenClaw, Kimi Claw, and NanoClaw. The system uses indirect prompt injection and a persistent "heartbeat" mechanism to hand compromised agents natural-language tasks, enabling actions such as host enumeration and data exfiltration without deploying traditional malware.
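The DRILLAPP tactic above relies on the browser being started with switches an ordinary user never sets, so process-creation telemetry is the natural place to look. The following is an added example, not code from the DRILLAPP analysis or any EDR product: it classifies constructed process-creation records whose field names (`pid`, `image`, `cmdline`, `parent`) are assumed here. `--headless`, `--remote-debugging-port` and `--remote-debugging-pipe` are standard Chromium command-line switches; treating a non-browser parent process as more suspicious is an assumption of the example, not something the reporting states.

```python
import re

EDGE_IMAGES = {"msedge.exe", "msedge"}
# Parents that can legitimately spawn Edge (assumed list; extend for your estate).
BENIGN_PARENTS = {"msedge.exe", "explorer.exe"}
SWITCH_RE = re.compile(r"--([A-Za-z0-9-]+)")
DEBUG_SWITCHES = {"remote-debugging-port", "remote-debugging-pipe"}


def switches(cmdline):
    """Set of switch names in a command line, values stripped."""
    return set(SWITCH_RE.findall(cmdline))


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return None, 'medium' or 'high' for one process-creation record:
    Edge launched headless with remote debugging enabled is flagged, and a
    non-browser parent raises the severity (assumed heuristic)."""
    if basename(event["image"]) not in EDGE_IMAGES:
        return None
    found = switches(event["cmdline"])
    if "headless" not in found or not (found & DEBUG_SWITCHES):
        return None
    return "medium" if basename(event["parent"]) in BENIGN_PARENTS else "high"


def detections(events):
    return [(e["pid"], sev) for e in events if (sev := classify(e)) is not None]


EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 1001, "image": EDGE, "parent": r"C:\Windows\explorer.exe",
     "cmdline": f'"{EDGE}" --profile-directory=Default'},
    {"pid": 2002, "image": EDGE, "parent": EDGE,
     "cmdline": f'"{EDGE}" --type=renderer --lang=en-US'},
    {"pid": 3003, "image": EDGE, "parent": r"C:\Users\victim\AppData\Local\Temp\stage.exe",
     "cmdline": f'"{EDGE}" --headless=new --remote-debugging-port=9222 '
                r"--user-data-dir=C:\Users\Public\tmp"},
    {"pid": 4004, "image": EDGE, "parent": EDGE,
     "cmdline": f'"{EDGE}" --headless --remote-debugging-pipe'},
    {"pid": 5005, "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe --headless --remote-debugging-port=1"},
]


if __name__ == "__main__":
    for pid, severity in detections(SAMPLE_EVENTS):
        print(f"pid {pid}: headless Edge with remote debugging ({severity})")
```

Developers and test automation do start browsers this way, so the rule is a triage signal rather than a block: pair it with the parent process, the `--user-data-dir` location and whether the user is interactive before escalating. The point the DRILLAPP case makes is that a browser launched like this gives a local process the same reach into files, camera and screen that a debugging client would have, without any prompt to the user.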