FBI wiretap breach 🏛️, AWS-LC crypto flaws 🔐, Chinese telco APT attacks 🌐, AI-assisted malware 🤖, Zero-day surge ⚡
Daily Threat Intel Digest - March 6, 2026
🔴 Critical Threats & Active Exploitation
[NEW] FBI breach of surveillance and wiretap systems
The FBI confirmed it’s investigating a major breach affecting systems used to manage court-ordered wiretapping and foreign intelligence surveillance warrants. The incident follows similar compromises in 2024 where Chinese Salt Typhoon hackers accessed telecom wiretapping platforms, potentially exposing sensitive law enforcement investigations and classified surveillance activities. The FBI stated they have “addressed suspicious activities” but declined to detail the scope or impact [BleepingComputer; CyberScoop]. This breach puts high-profile investigations at risk and demonstrates continued targeting of critical government surveillance infrastructure by sophisticated adversaries.
[NEW] Wikipedia hit by self-propagating JavaScript worm
A self-replicating JavaScript worm compromised Wikipedia’s editing system, vandalizing approximately 4,000 pages and infecting 85 users with malicious scripts. The attack originated from a Russian Wikipedia test script (User:Ololoshka562/test.js) that injected malicious loaders into both user-specific and global JavaScript files, enabling propagation through editor sessions. The worm modified MediaWiki:Common.js to affect all editors and inserted hidden JavaScript into random pages. Wikimedia temporarily restricted editing globally while reverting changes and removing infected common.js files. This incident demonstrates how dormant scripts can unexpectedly execute, causing widespread platform compromise [BleepingComputer].
[NEW] AWS-LC critical vulnerabilities allow certificate validation bypass
Amazon’s open-source cryptographic library AWS-LC contains three high-severity vulnerabilities enabling attackers to bypass certificate chain and signature validation. CVE-2026-3336 and CVE-2026-3338 allow unauthenticated users to undermine PKCS7 verification processes, potentially enabling man-in-the-middle attacks against AWS services. CVE-2026-3337 introduces a timing side-channel in AES-CCM tag verification. These flaws affect AWS-LC versions v1.21.0 through v1.68.x and impact numerous AWS services and third-party integrations. Amazon has issued patches in AWS-LC v1.69.0 and urges immediate updates as no alternative mitigations exist for the validation bypass vulnerabilities [CyberPress; GBHackers].
🎯 Threat Actor Activity & Campaigns
[NEW] Chinese UAT-9244 targets South American telcos with novel malware
A China-linked APT group (UAT-9244) has been compromising telecommunications providers in South America since 2024 using three previously undocumented malware families. TernDoor (Windows backdoor) uses DLL side-loading via wsprint.exe and includes an embedded driver for process termination. PeerTime (Linux backdoor) leverages BitTorrent protocol for C2 across multiple architectures, while BruteEntry builds scanning infrastructure. The group shows strong operational overlap with FamousSparrow and Tropic Trooper, targeting Windows, Linux, and network edge devices. This campaign demonstrates sophisticated multi-platform capabilities targeting critical communications infrastructure [BleepingComputer].
[NEW] Iran-linked Dust Specter deploys AI-assisted malware against Iraq
The Iranian Dust Specter APT has launched a campaign against Iraqi government officials using custom malware with evidence of generative AI in development. The operation uses two attack chains: SPLITDROP dropper delivering TWINTASK/TWINTALK backdoors, and GHOSTFORM RAT consolidating their functionalities. Notably, the malware incorporates unusual patterns including emojis and Unicode text, strongly suggesting AI-assisted development. The campaign demonstrates the emerging trend of AI enhancing malware sophistication while maintaining operational security [CyberPress].
[NEW] SHub Stealer distributed via fake CleanMyMac site
A sophisticated macOS infostealer campaign is distributing SHub Stealer through a convincing fake CleanMyMac website. The site uses a ClickFix technique, instructing users to paste a Terminal command that downloads and executes the malware. SHub systematically steals browser data from 14 Chromium browsers, Firefox, cryptocurrency wallets, Apple Keychain, and Telegram sessions. Notably, it backdoors five wallet applications (Exodus, Atomic Wallet, Ledger Wallet/Live, Trezor Suite) to steal recovery phrases on each unlock. The malware includes geofencing to avoid CIS systems and uses a LaunchAgent disguised as Google’s Keystone updater for persistence [Malwarebytes].
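As an added defender's check for the LaunchAgent persistence described above (an illustration written for this digest, not Malwarebytes' code or a real SHub artifact): parse LaunchAgent plists and flag any whose label imitates Google's Keystone updater but whose program runs from outside the GoogleSoftwareUpdate directory. The directory prefix and the two sample plists are assumptions constructed for the example.

```python
"""Flag LaunchAgents whose Label borrows Google's Keystone name but launch
something else. Constructed sample plists; not real SHub indicators."""
import plistlib
from typing import Dict, List
from xml.parsers.expat import ExpatError

# Assumption: a genuine Keystone agent runs from this bundle directory
# (system- or user-level); adjust for your fleet if your layout differs.
GOOGLE_UPDATE_DIR = "/Library/Google/GoogleSoftwareUpdate/"
KEYSTONE_HINTS = ("keystone", "googlesoftwareupdate")

def program_path(agent: Dict) -> str:
    """Executable a LaunchAgent will run: Program, else ProgramArguments[0]."""
    if "Program" in agent:
        return str(agent["Program"])
    args = agent.get("ProgramArguments") or []
    return str(args[0]) if args else ""

def suspicious_keystone_agent(agent: Dict) -> bool:
    """True when the label masquerades as Keystone but the program lives
    outside Google's update directory."""
    label = str(agent.get("Label", "")).lower()
    if not any(hint in label for hint in KEYSTONE_HINTS):
        return False
    return GOOGLE_UPDATE_DIR not in program_path(agent)

def scan_plists(blobs: List[bytes]) -> List[str]:
    """Parse each plist blob; return the labels of agents that fail the check."""
    flagged = []
    for blob in blobs:
        try:
            agent = plistlib.loads(blob)
        except (plistlib.InvalidFileException, ExpatError):
            continue  # unparsable file: skip here, worth its own alert in practice
        if suspicious_keystone_agent(agent):
            flagged.append(str(agent.get("Label")))
    return flagged

# Constructed samples: a plausible genuine agent and a masquerading one.
GENUINE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.google.keystone.agent</string>
<key>ProgramArguments</key><array>
<string>/Users/alice/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdateAgent</string>
</array></dict></plist>"""
FAKE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.google.keystone.agent</string>
<key>ProgramArguments</key><array>
<string>/Users/alice/Library/Application Support/.cache/update</string>
</array></dict></plist>"""

if __name__ == "__main__":
    print(scan_plists([GENUINE, FAKE]))  # ['com.google.keystone.agent']
```

On a live host, feed it the contents of every file under ~/Library/LaunchAgents and /Library/LaunchAgents; a hit deserves a look at the program's code signature and download history, not automatic deletion.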
⚠️ Vulnerabilities & Patches
[NEW] WordPress plugin flaw enables unauthenticated admin account creation
A critical vulnerability (CVE-2026-1492) in the User Registration & Membership plugin allows unauthenticated attackers to create administrator accounts without any user interaction. The flaw stems from improper validation of user-supplied role values during registration, enabling privilege escalation to full administrative control. Affecting all versions through 5.1.2, the vulnerability has CVSS 9.8 severity and has already seen 74 distinct exploitation attempts within 24 hours. Users must update to version 5.1.3 immediately and audit for unexpected admin accounts [CyberPress; GBHackers].
[NEW] Google reports 90 zero-day vulnerabilities exploited in 2025
Google’s Threat Intelligence Group documented 90 zero-day vulnerabilities actively exploited in 2025, representing a 30% increase from 2024. Notably, enterprise technologies comprised nearly half of all zero-days for the first time, with edge devices, virtualization platforms, and networking gear increasingly targeted. Commercial surveillance vendors surpassed state-sponsored actors in mobile zero-day usage (15 incidents), while Chinese state groups remained most active overall. Financially motivated ransomware groups exploited nine zero-days, matching their previous record. The shift away from browser exploits toward OS components, GPU libraries, and drivers indicates evolving attacker priorities [CyberPress; GBHackers].
[NEW] Iranian actors exploiting IP camera vulnerabilities in Middle East
Iranian-linked threat actors are actively targeting IP cameras across Israel, Qatar, Bahrain, Kuwait, UAE, Cyprus, and Lebanon as part of military intelligence operations. The campaign exploits multiple vulnerabilities including CVE-2017-7921, CVE-2021-36260, CVE-2023-6895, and CVE-2025-34067 in Hikvision products, and CVE-2021-33044 in Dahua devices. Attackers use commercial VPN exit nodes and VPS infrastructure for scanning and exploitation. This activity supports battle damage assessment and missile targeting coordination, demonstrating the convergence of cyber operations with kinetic warfare [CyberPress].
🛡️ Defense & Detection
[NEW] Bing AI promoting malicious OpenClaw repositories
Microsoft’s Bing AI search has been recommending fake OpenClaw GitHub repositories that deliver infostealers and proxy malware. Threat actors created malicious repositories mimicking the open-source AI agent, which Bing promoted in search results. The macOS variant delivered Atomic Stealer via Terminal commands, while Windows versions deployed Rust-based loaders executing Vidar stealer and GhostSocks backconnect proxy. Attackers copied legitimate code from Cloudflare’s moltworker project to appear authentic. This incident highlights how AI-powered search results can be manipulated to distribute malware at scale [BleepingComputer].
[NEW] MAAS VIP_Keylogger campaign targets multiple countries
A malware-as-a-service (MAAS) VIP_Keylogger campaign is distributing custom malware through spear-phishing emails with disguised RAR attachments. The campaign uses multiple execution methods including .NET PE files with steganographically hidden DLLs and standard PE files with AES-encrypted payloads. The keylogger steals credentials from 28 browsers, 23 cryptocurrency wallets, email accounts, Discord tokens, Filezilla/Pidgin configurations, and more. Data exfiltration occurs via multiple channels including FTP, SMTP, Telegram, and Discord, with analyzed samples using “logs@gtpv[.]online” for email-based exfiltration [K7 Labs].
[NEW] HHS updates risk assessment tool for healthcare cybersecurity
The Department of Health and Human Services has updated its free Risk Identification and Site Criticality (RISC) 2.0 Toolkit to include a dedicated cybersecurity module. The update integrates NIST Cybersecurity Framework 2.0 and HHS’s voluntary cybersecurity performance goals, helping healthcare facilities assess their security posture alongside other threats like natural disasters. This move responds to growing cyber threats against healthcare and the need for unified risk visibility across organizational hazards [CyberScoop].
📋 Policy & Industry News
[NEW] Ghanaian man pleads guilty in $100M international fraud ring
Derrick Van Yeboah, a high-ranking member of a Ghana-based fraud operation, pleaded guilty to conspiracy to commit wire fraud for stealing over $100 million from U.S. victims through BEC attacks and romance scams. Van Yeboah operated from 2016-2023, exploiting vulnerable individuals through fake romantic relationships and business email compromise. The operation used U.S. middlemen to launder stolen funds before sending them to West African “chairmen” who coordinated the schemes. Van Yeboah faces up to 20 years in prison and agreed to pay $10M in restitution [BleepingComputer].
[NEW] FBI arrests contractor for $46M cryptocurrency theft
The FBI arrested John Daghita, a U.S. government contractor accused of stealing over $46 million in cryptocurrency from the United States Marshals Service. The theft was discovered during a recent audit of seized digital assets. Daghita allegedly exploited privileged access to digital asset management systems, transferring funds through multiple wallets and mixers. The arrest in Saint Martin followed coordinated action between U.S. and French authorities, highlighting the growing importance of blockchain forensics in tracing illicit cryptocurrency flows [CyberPress; GBHackers].