Coruna iOS exploits 📱, ShinyHunters Salesforce attacks ☁️, Storm-1811 Teams phishing 💬, Tutor LMS bypass 🔓

Daily Threat Intel Digest - 2026-03-10

🔴 Critical Threats & Active Exploitation

[UPDATE] “Coruna” iOS Exploit Kit Traced to Leaked U.S. Defense Contractor Tools A sophisticated iPhone exploit kit known as “Coruna,” previously reported as a spy tool, has been attributed to the U.S. defense contractor L3Harris (specifically its Trenchant division). Research indicates the toolkit likely leaked through insider theft by former general manager Peter Williams, who sold tools to the Russian broker Operation Zero; the tools were subsequently used by Russian state hackers and Chinese cybercriminals. The kit bundles 23 exploits into five attack chains covering iOS 13 through 17.2.1 and shares code modules (Photon, Gallium) with the “Operation Triangulation” campaign. This leak demonstrates how tightly controlled military-grade cyber weapons can fuel both global espionage and financially motivated attacks against everyday users; any device still running iOS 17.2.1 or earlier sits inside the kit's documented coverage and should be updated [GBHackers; Cyberpress].

[NEW] ShinyHunters Claims Mass Exploitation of Salesforce Aura Instances The extortion gang ShinyHunters claims to have stolen data from 300 to 400 organizations by exploiting misconfigurations, and possibly a new vulnerability, in Salesforce Experience Cloud sites. Salesforce maintains the issue stems from guest user misconfigurations rather than a platform flaw, while ShinyHunters asserts it found a bypass that allows data theft even from properly configured instances. The attackers used a modified version of the open-source “AuraInspector” tool and a custom exfiltration tool identified by the user agent string “Anthropic/RapeForceV2,” which defenders can search for in Experience Cloud and web-tier logs. Victims reportedly include numerous cybersecurity firms, highlighting the risk of excessive guest user permissions in public-facing Salesforce communities; whichever side is right about the bypass, reviewing guest user object permissions and sharing rules on every public site is the immediate check [BleepingComputer].

[NEW] Critical Authentication Bypass in Tutor LMS Pro Affects 30,000 WordPress Sites A critical authentication bypass vulnerability (CVE-2026-0953, CVSS 9.8) has been identified in the Tutor LMS Pro WordPress plugin, which has over 30,000 active installations. The flaw allows unauthenticated attackers to take over any user account, including administrator accounts, through the Social Login addon. The plugin failed to verify that the email address submitted in the authentication request matched the email address carried by the validated OAuth token, so an attacker holding any social-login account of their own could log in as any user whose email address they knew. Since administrator addresses are often the publicly listed site contact, the bar for exploitation is low. Users are strongly urged to update to version 3.9.6 or later immediately [Wordfence via Malware.news].
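
The flawed pattern described above, with its hardened counterpart, as an added example that is not Tutor LMS code. The user table stands in for the WordPress user database and the provider identity for a validated OAuth/OIDC token; the claim names (subject, email, email_verified) and the example addresses are assumptions.

```python
"""Added example, not Tutor LMS code: a social-login handler that picks the
account from the client-supplied e-mail (vulnerable) next to one that picks
it from the e-mail asserted by the validated provider token (hardened).

Constructed stand-ins: USERS for the WordPress user table, ProviderIdentity
for a validated OAuth/OIDC token. Claim names are assumptions.
"""
from dataclasses import dataclass
from typing import Callable

# Constructed user table standing in for wp_users, keyed by lower-cased e-mail.
USERS = {
    "admin@example.com": {"id": 1, "role": "administrator"},
    "student@example.com": {"id": 7, "role": "subscriber"},
}


@dataclass(frozen=True)
class ProviderIdentity:
    """What the provider's validated token asserts about the logged-in person."""
    provider: str
    subject: str          # stable user id at the provider
    email: str
    email_verified: bool  # provider vouches that it confirmed this address


class LoginError(Exception):
    pass


def vulnerable_social_login(request_email: str, identity: ProviderIdentity) -> dict:
    """Flawed pattern: the token is validated, but the account to log into is
    chosen from the e-mail the *client* sent with the callback. Anyone with a
    provider account of their own plus the victim's e-mail becomes the victim."""
    if not identity.email_verified:
        raise LoginError("provider did not verify the e-mail address")
    user = USERS.get(request_email.strip().lower())   # BUG: client-controlled key
    if user is None:
        raise LoginError("no such user")
    return user


def hardened_social_login(request_email: str, identity: ProviderIdentity) -> dict:
    """Fixed pattern: the client-supplied e-mail is only cross-checked; the
    account is selected from the e-mail asserted in the validated token, and
    only when the provider says it verified that address."""
    if not identity.email_verified:
        raise LoginError("provider did not verify the e-mail address")
    token_email = identity.email.strip().lower()
    if request_email.strip().lower() != token_email:
        raise LoginError("request e-mail does not match the token's e-mail")
    user = USERS.get(token_email)
    if user is None:
        raise LoginError("no such user")
    return user


def outcome(handler: Callable[[str, ProviderIdentity], dict],
            request_email: str, identity: ProviderIdentity) -> str:
    """Return the role the handler grants, or 'rejected' if it raised."""
    try:
        return handler(request_email, identity)["role"]
    except LoginError:
        return "rejected"


if __name__ == "__main__":
    # Attacker authenticates at the provider with their own account, then
    # claims the administrator's e-mail in the callback request.
    attacker = ProviderIdentity("google", "sub-attacker", "attacker@evil.example", True)
    print("vulnerable:", outcome(vulnerable_social_login, "admin@example.com", attacker))
    print("hardened:  ", outcome(hardened_social_login, "admin@example.com", attacker))
```

Matching the two addresses is the minimal fix; a stronger design links the local account to the provider's (provider, subject) pair at first login and ignores e-mail for account selection afterwards, which also survives a user changing their address at the provider.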

🎯 Threat Actor Activity & Campaigns

[NEW] Storm-1811 Abuses Microsoft Teams and Quick Assist to Deploy A0Backdoor A threat cluster tracked as Storm-1811 (or Blitz Brigantine) is weaponizing Microsoft Teams to bypass traditional email security defenses. The group initiates contact with targets in finance and healthcare via Teams messages, posing as IT support responding to “email bombing” spam campaigns. They trick victims into granting remote access through Quick Assist, Microsoft's legitimate remote assistance tool, and then use that session to deploy a new malware strain, A0Backdoor, via digitally signed MSI installers. Notably, A0Backdoor communicates with its command-and-control servers through DNS tunneling carried in MX record queries, which blends into expected network traffic. Because ordinary workstations rarely issue MX queries at all (mail servers do), MX query volume from non-mail hosts is a practical hunting signal [BleepingComputer; GBHackers].
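
A detector for the MX-query tunnelling channel described above, as an added example that is not from the Storm-1811 or A0Backdoor reporting. It runs over a constructed resolver log; the log format, client addresses, domain names and thresholds are all assumptions for illustration.

```python
"""Added example, not from the A0Backdoor reporting: flag DNS tunnelling hidden
in MX queries, run over a constructed resolver log.

Log format assumed: "<epoch> <client_ip> <qtype> <qname>"; '#' starts a comment.
Two signals are combined per (client, registered domain):
  * MX query count: workstations almost never ask for MX records.
  * Encoded data: many distinct, high-entropy leftmost labels under one domain.
Grouping by registered domain keeps a real mail server, which resolves MX for
many different domains a few times each, from tripping the alert.
"""
import math
from collections import Counter, defaultdict

# Constructed log. 10.0.5.40 is a workstation beaconing through MX lookups;
# 10.0.1.9 is a mail server doing legitimate MX resolution.
SAMPLE_LOG = """\
1773100000 10.0.5.21 A    www.example.com
1773100001 10.0.5.21 AAAA www.example.com
1773100002 10.0.5.40 MX   q7x2mzp9ka4v.k3.c2-relay.example
1773100003 10.0.5.40 MX   b3n8ytw5rc6d.k3.c2-relay.example
1773100004 10.0.5.40 MX   h1jl0gfe2sux.k3.c2-relay.example
1773100005 10.0.5.40 MX   zv9k3q7am2px.k3.c2-relay.example
1773100006 10.0.5.40 MX   w4c8nt5yr1bd.k3.c2-relay.example
1773100007 10.0.5.40 MX   e6fg0jh2lsuo.k3.c2-relay.example
1773100010 10.0.1.9  MX   example.com      # mail server, legitimate
1773100011 10.0.1.9  MX   example.net
1773100012 10.0.1.9  MX   example.org
1773100013 10.0.1.9  MX   example.com
1773100014 10.0.1.9  MX   example.com
1773100015 10.0.1.9  MX   example.com
1773100016 10.0.1.9  MX   example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def parse_log(text: str):
    """Yield (epoch, client_ip, qtype, qname) tuples, skipping malformed lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, qtype, qname = parts
        yield int(ts), ip, qtype.upper(), qname.lower().rstrip(".")


def find_mx_tunnelling(log_text: str, min_mx: int = 5, min_entropy: float = 3.0,
                       min_unique_ratio: float = 0.8) -> list:
    """Return one finding per (client, registered domain) whose MX queries look
    like encoded data: enough of them, nearly all distinct, high-entropy labels.
    Registered domain is approximated as the last two labels (no public-suffix
    list here; that is a simplification)."""
    groups = defaultdict(list)
    for _ts, ip, qtype, qname in parse_log(log_text):
        if qtype != "MX":
            continue
        labels = qname.split(".")
        apex = ".".join(labels[-2:])
        groups[(ip, apex)].append(qname)

    findings = []
    for (ip, apex), qnames in groups.items():
        count = len(qnames)
        if count < min_mx:
            continue
        unique = len(set(qnames))
        mean_ent = sum(shannon_entropy(q.split(".")[0]) for q in qnames) / count
        if unique / count >= min_unique_ratio and mean_ent >= min_entropy:
            findings.append({"client": ip, "apex": apex, "mx_queries": count,
                             "unique_qnames": unique,
                             "mean_label_entropy": round(mean_ent, 2)})
    return findings


if __name__ == "__main__":
    for f in find_mx_tunnelling(SAMPLE_LOG):
        print(f)
```

The mail server in the sample issues seven MX queries, more than the workstation, but they are repeats of a handful of real domains with dictionary-like labels, so neither the uniqueness nor the entropy gate fires. In production, add an allowlist of known mail relays and pull the registered domain from a public-suffix list rather than the last two labels.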

[UPDATE] BoryptGrab Campaign Escalates with SEO Hijacking and Reverse SSH The BoryptGrab stealer campaign, previously reported as a GitHub supply chain threat, has evolved with more sophisticated distribution techniques. Threat actors are now using “SEO hijacking,” stuffing over 100 fake GitHub repositories with keywords so that the malicious downloads outrank legitimate software in search results. The campaign now also drops “TunnesshClient,” a reverse SSH backdoor that gives attackers interactive remote access to infected machines. Forensic analysis links the infrastructure to Russian-speaking actors, with payloads specifically targeting over 30 cryptocurrency wallets and browser credential stores [SocFortress].

[NEW] Russian State-Sponsored Groups Hijack Signal and WhatsApp Accounts Dutch intelligence agencies (MIVD and AIVD) have warned of active, targeted phishing campaigns by Russian state-sponsored hackers against Signal and WhatsApp users. The attacks specifically target government officials, military personnel, and journalists. Tactics include impersonating a fake “Signal Security Support Chatbot” to trick users into handing over SMS verification codes and PINs, and abusing the “device linking” feature by sending malicious QR codes. Once a device is linked, attackers receive the victim's conversations in real time and can impersonate them; the apps' end-to-end encryption is not broken, since a linked device is simply another legitimate endpoint. Users in these target groups should review the linked-devices list in both apps and remove any device they do not recognize, and should treat any in-chat request for a verification code or PIN as an attack [BleepingComputer; GBHackers].

[NEW] ClipXDaemon Linux Malware Targets Crypto Transfers A new Linux malware family named ClipXDaemon has been identified, specifically targeting cryptocurrency users. Unlike most malware, ClipXDaemon operates autonomously without a command-and-control (C2) server, which denies network-based defenses the beaconing traffic they usually key on. It hijacks the X11 clipboard to silently replace cryptocurrency wallet addresses during copy-paste operations, so the swap is only visible to a user who compares the pasted address against the intended one before confirming a transfer. Delivered via a loader built with the Bincrypter framework, the malware highlights a shift toward profit-driven, host-local attacks on Linux systems [Cyberpress].
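
A user-space tripwire for the swap behaviour described above, as an added example that is not ClipXDaemon analysis code. It is driven by constructed clipboard observations rather than a live X11 selection; the address regexes are simplified and the two-second window is an assumed threshold.

```python
"""Added example, not ClipXDaemon analysis code: flag a clipper swapping a
wallet address by watching the clipboard for one address being replaced by a
different address of the same kind almost immediately.

Observations are constructed (timestamp, clipboard_text) pairs. The address
regexes are simplified and max_gap is an assumed threshold.
"""
import re
from typing import Iterable, Optional

ADDRESS_PATTERNS = {
    # Simplified: bech32 (bc1...) or legacy base58 Bitcoin addresses.
    "btc": re.compile(r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# Constructed clipboard timeline: a user copies their Bitcoin address and a
# clipper overwrites it 200 ms later; the two Ethereum copies a minute apart
# are ordinary human activity.
SAMPLE_OBSERVATIONS = [
    (0.0, "meeting notes"),
    (5.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    (5.2, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    (30.0, "0xabababababababababababababababababababab"),
    (90.0, "0x1234567890abcdef1234567890abcdef12345678"),
]


def classify(text: str) -> Optional[str]:
    """Return the address kind the clipboard text looks like, or None."""
    s = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return kind
    return None


def detect_swaps(observations: Iterable[tuple], max_gap: float = 2.0) -> list:
    """Flag each case where an address is replaced by a *different* address of
    the same kind within max_gap seconds. A clipper overwrites the selection
    right after the user copies, far faster than a person copies a second
    address; the window is a heuristic, not a guarantee."""
    alerts = []
    prev_ts, prev_text, prev_kind = None, None, None
    for ts, text in observations:
        text = text.strip()
        kind = classify(text)
        if (kind is not None and kind == prev_kind and text != prev_text
                and ts - prev_ts <= max_gap):
            alerts.append({"at": ts, "kind": kind,
                           "copied": prev_text, "replaced_with": text})
        prev_ts, prev_text, prev_kind = ts, text, kind
    return alerts


if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_OBSERVATIONS):
        print(alert)
```

To run this against a real desktop, poll the selection at a short interval (for example by reading the output of `xclip -o -selection clipboard` in a loop) and feed the (time, text) pairs to `detect_swaps`. Since the malware has no C2 to block, the reliable control remains procedural: compare the full pasted address against the intended one before signing.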

📋 Policy & Industry News

[NEW] Trump Administration Unveils Cyber Strategy Focused on Risk-Based Governance The White House has released a new national cyber strategy emphasizing a shift from compliance checklists to outcome-focused, risk-based governance. The strategy prioritizes disrupting threat actors through an “interagency cell” involving DOJ, State, and the Pentagon, and securing critical infrastructure via sector-specific pilot programs (e.g., water in Texas). It also mandates “secure-by-design” principles for AI and quantum technologies and proposes establishing a U.S. Cyber Academy to address the workforce gap. The administration is also reviewing regulations, such as the SEC’s cyber incident disclosure rule, to ensure they “make sense for industry” while holding CEOs accountable for cyber risk [Tenable; CyberScoop].

⚡ Quick Hits

  • Apple iOS Patch Analysis: Researchers detailed CVE-2025-43300, a flaw in the ImageIO framework that enabled zero-click exploits via malicious image parsing, reinforcing the need for rapid patching of iOS devices [Cyberwarzone via Malware.news].
  • Ericsson US Data Breach: Ericsson disclosed that a hack of one of its service providers exposed sensitive data (SSNs, financial info) of 4,377 individuals in Texas, among others, following a breach detected in April 2025 [BleepingComputer].
  • Microsoft Teams Security Update: Microsoft announced that Teams will soon tag third-party bots in meeting lobbies, requiring organizers to explicitly admit them and preventing stealthy automated participation [BleepingComputer].