Coruna iOS exploits 📱, VMware RCE attacks ⚡, GitHub Actions targeting 🤖, OAuth MFA bypass 🔐, Windows upgrade issues 🔄

Daily Threat Intel Digest - March 4, 2026

🔴 Critical Threats & Active Exploitation

[NEW] Coruna iOS exploit kit compromises thousands of iPhones using 23 vulnerabilities A sophisticated iOS exploit kit called “Coruna” has been actively deployed in mass-scale attacks against iPhones running iOS 13.0 through 17.2.1. The kit contains five complete exploit chains leveraging 23 vulnerabilities, initially developed for a commercial surveillance vendor before proliferating to multiple threat actor groups. UNC6353 (Russian espionage) used it in watering-hole attacks against Ukrainian users, while UNC6691 (Chinese financially motivated) scaled operations globally through fake crypto exchange sites. The payload delivers PlasmaLoader (PLASMAGRID), which injects into iOS’s powerd daemon to steal cryptocurrency wallet data from MetaMask and Trust Wallet. Google researchers trace this potential proliferation to leaked U.S. government exploit frameworks, reminiscent of the EternalBlue incident. [Google Threat Intelligence; CyberScoop]

[NEW] CISA flags VMware Aria Operations RCE as actively exploited CISA has added CVE-2026-22719, a critical command injection vulnerability in VMware Aria Operations, to its Known Exploited Vulnerabilities catalog with a March 24 patch deadline for federal agencies. The vulnerability allows unauthenticated attackers to execute arbitrary commands during support-assisted product migrations. Broadcom acknowledged reports of in-the-wild exploitation but could not independently verify claims. While no technical details have been publicly disclosed, the vulnerability carries a CVSS score of 8.1 and affects enterprise monitoring platforms tracking server, network, and cloud infrastructure performance. Broadcom has provided a temporary workaround script for organizations unable to patch immediately. [BleepingComputer; GBHackers]

[NEW] Hackerbot-Claw bot exploits GitHub Actions to compromise Microsoft, DataDog repositories An autonomous bot called “Hackerbot-Claw” conducted a week-long campaign targeting CI/CD pipelines through GitHub Actions exploits. The bot successfully compromised repositories including Microsoft/ai-discovery-agent and DataDog/datadog-iac-scanner using techniques such as branch-name injection, filename injection, and malicious prompt injection against the Claude Code AI reviewer. In one attack on the popular avelino/awesome-go repository, the bot injected a malicious Go init() function to exfiltrate GitHub tokens with write permissions, enabling codebase modifications. The campaign demonstrates the emerging risk of AI-powered tools targeting other AI agents in development environments. [Cyberpress; Step Security analysis]
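Branch-name and PR-title injection in GitHub Actions comes from a `${{ ... }}` expression that expands attacker-influenced context directly inside a `run:` script, so the value is spliced into the shell command before it executes. The linter below, an added example that is not code from the Step Security analysis or from any of the affected projects, walks a workflow file's `run:` steps (inline and block-scalar) and reports every expression that references a context a pull request author or issue reporter controls; the list of untrusted contexts and the sample workflow are constructed for the illustration. The hardened step shows the usual fix: pass the value through `env:` so it reaches the shell only as an environment variable.

```python
"""Lint GitHub Actions workflows for expression injection in `run:` steps.
Added illustration; the sample workflow and the untrusted-context list are
constructed, not taken from the affected repositories."""
import re

# Contexts a PR author or issue reporter controls (assumed starting list; extend
# from the GitHub documentation for your own repositories).
UNTRUSTED_CONTEXTS = [
    r"github\.head_ref",
    r"github\.event\.pull_request\.(title|body|head\.ref|head\.label|head\.repo\.\w+)",
    r"github\.event\.issue\.(title|body)",
    r"github\.event\.comment\.body",
    r"github\.event\.review\.body",
    r"github\.event\.head_commit\.(message|author\.\w+)",
    r"github\.event\.commits\[\d+\]\.message",
    r"github\.event\.workflow_run\.head_branch",
]
UNTRUSTED_RE = re.compile("|".join(UNTRUSTED_CONTEXTS))
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_RE = re.compile(r"^(\s*)(-\s+)?run:\s*(.*?)\s*$")
BLOCK_SCALAR_RE = re.compile(r"[|>][-+0-9]*")

# Constructed sample: two injectable steps, one hardened via `env`, one benign.
SAMPLE_WORKFLOW = """\
name: pr-check
on: pull_request_target
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - name: unsafe branch name
        run: echo "Checking branch ${{ github.head_ref }}"
      - name: unsafe PR title in a block scalar
        run: |
          echo "Title: ${{ github.event.pull_request.title }}"
          ./lint.sh
      - name: hardened (value reaches the shell only as an env var)
        env:
          BRANCH: ${{ github.head_ref }}
        run: echo "Checking branch $BRANCH"
      - name: harmless expression
        run: echo "${{ runner.os }}"
"""


def run_step_lines(text: str):
    """Yield (line_no, text) for every line that ends up in a `run:` script."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1)) + len(m.group(2) or "")
        value = m.group(3)
        if BLOCK_SCALAR_RE.fullmatch(value):
            # Block scalar: the script continues on lines indented past the key.
            i += 1
            while i < len(lines):
                line = lines[i]
                if line.strip() and len(line) - len(line.lstrip()) <= key_indent:
                    break
                yield i + 1, line
                i += 1
        else:
            yield i + 1, value
            i += 1


def scan_workflow(text: str) -> list:
    """Return one finding per untrusted context expanded inside a run step."""
    findings = []
    for line_no, body in run_step_lines(text):
        for expr in EXPR_RE.findall(body):
            m = UNTRUSTED_RE.search(expr)
            if m:
                findings.append({"line": line_no, "context": m.group(0), "expression": expr})
    return findings


if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: untrusted context {f['context']} expanded in run step")
```

The scanner deliberately ignores `${{ }}` under `env:`; only expressions that land in the shell script body are reported, which is why the hardened step passes. Run it over `.github/workflows/*.yml` in CI to catch the pattern before a workflow with `pull_request_target` or write-scoped tokens ships.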

🎯 Threat Actor Activity & Campaigns

[UPDATE] Iranian actors intensify IP camera targeting preceding missile strikes Iranian threat actors escalated targeting of Hikvision and Dahua IP cameras across Israel, Qatar, Bahrain, Kuwait, UAE, Cyprus, and Lebanon beginning February 28. This activity correlates with regional missile operations and appears intended for operational support and battle damage assessment. Attack infrastructure combines commercial VPN exit nodes with VPS systems, exploiting vulnerabilities including CVE-2021-33044 (Dahua authentication bypass) and CVE-2017-7921 (Hikvision improper authentication). Previous targeting spikes occurred January 14-15 during anti-regime protests in Iran, suggesting camera compromise serves as an early indicator of potential kinetic activity. [Check Point Research]

[NEW] AiLock ransomware claims multiple victims across healthcare, legal, and industrial sectors The AiLock ransomware group claimed responsibility for attacks against six organizations on March 3: AJ Networks (South Korean rental services), S&R Compression (U.S. oil & energy), ELO Digital Office (German enterprise software), Lewis Drug (U.S. pharmacy chain), Aaronson Rappaport Feinstein & Deutsch (New York law firm), and Demanor AS (Norwegian industrial lifts). The widespread targeting across sectors suggests a volume-based operation potentially exploiting common vulnerabilities or stolen credentials. All victims received standard extortion notices threatening data publication unless negotiations begin. [DeXpose incident reports; additional victim reports]

[NEW] Silver Dragon APT abuses Google Drive as covert C2 channel A Chinese-aligned APT group tracked as Silver Dragon has been targeting European and Southeast Asian public sector organizations since mid-2024, combining traditional Cobalt Strike with custom malware that leverages Google Drive for command-and-control communications. This technique allows the group to blend its traffic with legitimate cloud services, evading network monitoring. The group’s operational tradecraft shows strong overlap with APT41, suggesting either shared tooling or a connection between the clusters. [GBHackers]

⚠️ Vulnerabilities & Patches

[NEW] Microsoft warns of OAuth abuse campaign bypassing MFA in Entra ID Microsoft disclosed sophisticated phishing campaigns exploiting OAuth 2.0 redirection features in both Microsoft Entra ID and Google Workspace. Attackers register malicious apps whose redirect URIs point to phishing or malware hosts, then send emails with lures such as e-signature requests or fake Teams invites. The authorize links set prompt=none and an invalid scope value (scope=invalid) so that the identity provider silently redirects to the app with an error, never showing a consent screen, while the victim’s email address is encoded in the state parameter. Victims are ultimately routed either to EvilProxy session hijacking or to malicious ZIP files containing booby-trapped LNK files, which sideload crashhandler.dll via the legitimate steam_monitor.exe. Detection requires monitoring for suspicious OAuth consent patterns and behavioral analysis of PowerShell/LNK/DLL activity. [Cyberpress; GBHackers]
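The three traits above (prompt=none, a scope value no real app would request, and a victim identifier smuggled in state) are all visible in the authorize URL itself, so they can be checked at the mail gateway or in proxy logs before anyone clicks. The triage helper below is an added example, not code from Microsoft or from either cited report: it parses an authorize URL, recovers a raw or base64-encoded email from the state parameter, and marks the URL suspicious when two or more traits line up. The sample URLs, client IDs and redirect hosts are constructed placeholders, not indicators from the campaign.

```python
"""Triage helper for the silent-redirect OAuth lure. Added illustration; the
sample URLs below are constructed, not indicators from the Microsoft report."""
import base64
import re
from urllib.parse import parse_qs, urlparse

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")

# Scope tokens a legitimate request normally carries. Resource scopes such as
# "User.Read" or "https://www.googleapis.com/auth/drive" are accepted by shape.
WELL_KNOWN_SCOPES = {"openid", "profile", "email", "offline_access"}

# Constructed sample URLs (client IDs and hosts are placeholders).
SAMPLE_URLS = [
    # lure: silent error redirect to an attacker-registered app, e-mail in state
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fexample-phish.invalid%2Fcb"
    "&prompt=none&scope=invalid&state=dmljdGltQGV4YW1wbGUuY29t",
    # benign: interactive sign-in with ordinary OIDC scopes
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb"
    "&scope=openid%20profile&state=abc123",
]


def looks_like_scope(token: str) -> bool:
    """A plausible scope is a well-known OIDC token or a resource/URI-style scope."""
    return token in WELL_KNOWN_SCOPES or "/" in token or "." in token


def recover_email(state: str):
    """Return an e-mail address carried in `state` (raw or base64), else None."""
    candidates = [state]
    padded = state + "=" * (-len(state) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            candidates.append(decoder(padded).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            pass  # not base64, or decodes to non-text: try the next form
    for candidate in candidates:
        if EMAIL_RE.match(candidate):
            return candidate
    return None


def analyze_authorize_url(url: str) -> dict:
    """Score one authorize URL; two or more matching traits mark it suspicious."""
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    findings = []
    if params.get("prompt") == "none":
        findings.append("prompt=none: no consent screen, user never sees the app")
    unknown = [t for t in params.get("scope", "").split() if not looks_like_scope(t)]
    if unknown:
        findings.append(f"unrecognised scope {unknown}: forces an error redirect")
    victim = recover_email(params.get("state", ""))
    if victim:
        findings.append("state carries an e-mail address (victim tracking)")
    return {
        "idp_host": parsed.hostname,
        "redirect_host": urlparse(params.get("redirect_uri", "")).hostname,
        "victim": victim,
        "findings": findings,
        "suspicious": len(findings) >= 2,
    }


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        report = analyze_authorize_url(url)
        print("SUSPICIOUS" if report["suspicious"] else "ok", report["redirect_host"])
        for finding in report["findings"]:
            print("   -", finding)
```

Because the redirect carries an error rather than a token, the identity provider's sign-in logs may show nothing unusual; pairing this URL check with an allowlist of redirect hosts for the tenant's own app registrations is what makes the `redirect_host` field actionable.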

[NEW] IPVanish VPN macOS flaw enables privilege escalation without interaction A high-severity vulnerability in IPVanish VPN for macOS allows any unprivileged local user to execute arbitrary code with root privileges without user interaction. The flaw bypasses standard macOS security features including code signature verification, potentially granting attackers complete control over compromised systems. While specific technical details remain undisclosed, the vulnerability affects VPN users who may be targeted in conjunction with initial access vectors to establish persistence. [GBHackers]

[NEW] Windows 11 23H2 to 25H2 upgrade wipes 802.1X authentication settings A persistent bug in Windows 11 in-place upgrades is deleting files in C:\Windows\dot3svc\Policies, which store 802.1X LAN authentication profiles pushed via Group Policy. This issue has appeared across multiple upgrade paths including 23H2-to-24H2 and now 23H2-to-25H2, leaving enterprise workstations offline until IT intervention. The problem creates a difficult loop where no network access prevents fresh Group Policy updates, requiring physical access to remediate via non-802.1X ports. In some cases, upgrades also clear computer certificate stores, breaking EAP-TLS authentication for PKI-dependent organizations. [Cyberpress; GBHackers]

[NEW] Malicious Laravel packages deliver PHP RAT in supply chain attack Three malicious packages on Packagist (nhattuanbl/lara-helper, nhattuanbl/simple-queue, and nhattuanbl/lara-swagger) are delivering an obfuscated PHP remote access trojan that grants full control over compromised hosts. The first two packages contain identical RAT payloads in src/helper.php, while lara-swagger acts as a trojan horse by hard-depending on lara-helper. This attack demonstrates continued targeting of developer ecosystems with malicious dependencies that can propagate through transitive package relationships. [GBHackers]

🛡️ Defense & Detection

[NEW] Malvertising campaign distributes AMOS ‘malext’ infostealer via fake text-sharing ads Attackers are using Google Ads and deceptive clickbait articles to distribute the AMOS ‘malext’ infostealer to macOS users at scale. The campaign leverages fake Medium articles about macOS troubleshooting, tricking users into running obfuscated terminal commands that download the malicious payload. Once executed, the malware collects system information, passwords, browser cookies, Apple Notes content, and cryptocurrency wallet data, exfiltrating it to C2 servers including malext[.]com. Over 34 compromised Google Ad accounts were identified rotating through various platforms, including Evernote and kimi.com, to scale the operation. [Cyberpress]

[NEW] AuraStealer infostealer expands C2 infrastructure to 48 domains Emerging infostealer AuraStealer, first observed in July 2025, has significantly expanded its command-and-control infrastructure to 48 active domains. Originally relying on .shop TLDs, the malware now uses .cfd domains to evade traditional blocklists. With over 340 indicators of compromise identified, the rapidly rotating C2 infrastructure demonstrates the group’s adaptability and presents challenges for static defense measures. Intrinsec’s analysis reveals targeted credential harvesting across multiple systems with minimal detection footprint. [Cyberpress]

[NEW] FortiCloud SSO authentication bypass allows unauthenticated admin access CVE-2025-59718 is a critical vulnerability in FortiCloud’s Single Sign-On feature classified as Improper Verification of Cryptographic Signature (CWE-347). The flaw permits unauthenticated remote attackers to gain administrative access, potentially compromising entire Fortinet cloud deployments. While specific technical details remain limited, the vulnerability affects core authentication functionality critical to enterprise deployments. [Picus Security]

⚡ Quick Hits

  • Attackers increasingly abuse Microsoft’s Azure AzCopy utility for data exfiltration in ransomware attacks, blending with legitimate IT operations to avoid detection [GBHackers]
  • AkzoNobel confirmed a cyberattack at its U.S. site after Anubis ransomware claimed to have stolen 170GB of data including client agreements and passport scans [BleepingComputer]
  • XWorm malware continues spreading through evolving delivery techniques, demonstrating how threat actors adapt multi-technology approaches to maintain infection chains [SANS ISC]