Daily Threat Intel Digest - 2026-03-03

🔴 Critical Threats & Active Exploitation

[NEW] UH Cancer Center breach exposes 1.2M after ransomware payment
Attackers stole data of 1.2 million individuals in an August 2025 ransomware attack on the University of Hawaii Cancer Center’s Epidemiology Division, with UH confirming payment to obtain decryption tools and data destruction assurances. Compromised data includes SSNs from 1998-2000 driver’s license/voter records and health information from cancer studies, though clinical operations remained unaffected. This breach pattern mirrors UH’s 2023 incident where ransom payments were made to prevent data leaks, highlighting persistent targeting of academic research institutions [BleepingComputer].

[UPDATE] Android zero-day (CVE-2026-21385) actively exploited in Qualcomm display flaw
Google’s March 2026 security bulletin patches 129 vulnerabilities—including an actively exploited Qualcomm display zero-day (CVE-2026-21385) enabling memory corruption for RCE via integer overflow. The flaw affects 235 Qualcomm chipsets and has been observed in limited, targeted attacks since December 2025. Alongside 10 critical RCE/EoP flaws in System/Framework components, this marks Android’s highest single-month patch volume since 2018. Android device users should prioritize updates, though vendor rollout delays may create exploitation windows [BleepingComputer; CyberPress; CyberScoop].

[UPDATE] RESURGE malware persists despite Ivanti patches via boot disk infection
CISA warns RESURGE malware—a SPAWNCHIMERA variant—exploits Ivanti Connect Secure CVE-2025-0282 (stack-based buffer overflow) to deploy web shells, harvest credentials, and achieve persistence by modifying coreboot images. The malware survives reboots, complicating remediation. Despite patches, organizations must perform factory resets using external clean images and reset domain credentials (e.g., krbtgt twice). YARA/SIGMA rules are available for detection [CyberPress; CISA].

🎯 Threat Actor Activity & Campaigns

[UPDATE] Iran-linked actors ramp up for cyber counteroffensive post-Epic Fury
Following US-Israeli strikes killing Iran’s leadership, threat groups like HANDALA and Cotton Sandstorm are gearing for retaliatory attacks targeting critical infrastructure. Expected TTPs include DDoS, botnet activity, and destructive malware exploiting known vulnerabilities (e.g., CVE-2021-44228). Organizations should heighten monitoring, enforce MFA, and audit third-party risks in energy/transportation sectors [Tenable; Talos; Unit 42; Recorded Future].

[NEW] Aeternum C2 uses Polygon blockchain for unkillable botnet infrastructure
Aeternum botnet eliminates centralization by storing commands on Polygon blockchain smart contracts, queried via public RPC endpoints. This prevents takedowns, with $1 in MATIC funding 100+ transactions. Operators deploy varied payloads (clippers, RATs) and include anti-VM/antivirus checks. Defenders must shift focus from infrastructure takedowns to network-level detection of RPC queries and contract interaction patterns [CyberPress].

[NEW] OAuth redirection abuse bypasses phishing defenses via silent flows
Attackers exploit OAuth error redirects (e.g., invalid scope + prompt=none) to route victims from Entra ID/Google to malicious domains, delivering malware like PowerShell-side-loaded payloads. Techniques include encoding emails in state parameters and abusing legitimate redirect URIs. Mitigations include restricting app consent, reviewing redirect URIs, and monitoring URLs with scope=invalid [Microsoft].

⚠️ Vulnerabilities & Patches

[NEW] Angular XSS (CVE-2026-27970) enables code injection via translation files
A high-severity XSS flaw in Angular’s i18n pipeline allows malicious script injection through compromised .xliff/.xtb translation files. Attackers can steal cookies/localStorage or deface apps, with enterprises in finance/e-commerce most at risk. Patch to Angular 19.2.19+, 20.3.17+, or 21.1.6+; interim mitigations include CSP headers (script-src ‘self’) and manual translation vetting [CyberPress; GBHackers; GitHub].

[NEW] Chrome Gemini flaw (CVE-2026-0628) let extensions hijack camera/mic
A patched vulnerability allowed malicious Chrome extensions to abuse the Gemini Live side panel’s elevated privileges via declarativeNetRequests API, enabling camera/mic access, file theft, and screenshots. Users should update Chrome (patched Jan 2026) and audit extensions. This underscores risks in agentic AI integrations [CyberPress; GBHackers].

🛡️ Defense & Detection

[NEW] Pixel Perfect extension analysis reveals CSP bypass via 1x1 GIF C2
The once-legitimate QuickLens extension was weaponized post-acquisition (v5.8+) to strip CSP headers via declarativeNetRequest rules, enabling silent script injection through 1x1 GIF onload attributes. Detection requires monitoring extension updates and CSP header modifications, with 7,000 users affected [CyberPress].

⚡ Quick Hits

• Android patches: 129 flaws fixed across 2026-03-01/05 patch levels, including 10 critical System/Framework RCE/EoP bugs [BleepingComputer].
• Chrome Gemini C2: Malicious PWA apps proxy traffic through victims’ browsers to intercept OTPs and scan networks [BleepingComputer].
• Veeam advisory: Kasten for Kubernetes vulnerabilities patched across multiple versions [Canadian Centre].