FortiGate firewall exploitation 🔥, Storm-1811 Teams abuse 📱, AI-generated Slopoly malware 🤖, Konni KakaoTalk hijacking 💬, supply chain attacks 📦

Daily Threat Intel Digest - 2026-03-16

🔴 Critical Threats & Active Exploitation

[NEW] FortiGate Firewalls Exploited to Steal Credentials and Pivot to Internal Networks Attackers are actively exploiting vulnerabilities in Fortinet FortiGate Next-Generation Firewalls (NGFWs) to extract configuration files containing decrypted credentials and establish long-term persistence. Incident responders identified two separate campaigns in which threat actors exploited flaws in Single Sign-On (SSO) mechanisms (specifically CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858) to gain administrative access. Once inside, attackers download the device configuration, which stores LDAP and Active Directory service account credentials with reversible encryption, allowing them to recover the passwords and authenticate directly to the domain infrastructure. In observed incidents, attackers used these stolen credentials to join rogue workstations to the domain, perform network reconnaissance using SoftPerfect Network Scanner, and ultimately exfiltrate the NTDS.dit database using legitimate RMM tools like Pulseway and MeshAgent disguised as Java updates [Cyberpress; GBHackers].
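Two of the post-exploitation steps in this item leave distinct host telemetry: a directory bind account from the appliance config creating computer objects (Windows Security event 4741), and an RMM agent running under a Java-updater file name (Sysmon event 1, whose OriginalFileName and Company fields come from the PE version info). The following detection logic is an added example written for this digest, not code from any of the cited sources; the event records, account names and paths are constructed and hypothetical.

```python
import re

# Constructed sample events (hypothetical names); a simplified stand-in for
# Windows Security 4741 (computer account created) and Sysmon event 1 fields.
SAMPLE_EVENTS = [
    {"EventID": 4741, "SubjectUserName": "svc_fortigate_ldap",
     "TargetUserName": "DESKTOP-7XK2Q$", "IpAddress": "10.20.30.44"},
    {"EventID": 4741, "SubjectUserName": "helpdesk.admin",
     "TargetUserName": "WS-FIN-0231$", "IpAddress": "10.20.10.5"},
    {"EventID": 1, "Image": r"C:\Users\Public\JavaUpdate.exe",
     "OriginalFileName": "MeshAgent.exe", "Company": "Mesh Agent"},
    {"EventID": 1, "Image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "OriginalFileName": "javaw.exe", "Company": "Oracle Corporation"},
]

# Directory accounts whose passwords live in appliance configs (hypothetical
# names). They exist to bind and read; creating computer objects is a strong
# sign the appliance config, and the password inside it, has been taken.
APPLIANCE_BIND_ACCOUNTS = {"svc_fortigate_ldap", "svc_vpn_bind"}

# File names that look like a Java runtime or updater binary.
JAVA_LOOKALIKE = re.compile(r"(java|jre|jdk)[^\\/]*\.exe$", re.IGNORECASE)


def rogue_domain_joins(events, bind_accounts):
    """(creator, new computer account, source IP) for every 4741 whose
    creator is an appliance bind account."""
    watch = {a.lower() for a in bind_accounts}
    return [(e["SubjectUserName"], e["TargetUserName"], e["IpAddress"])
            for e in events
            if e.get("EventID") == 4741
            and e.get("SubjectUserName", "").lower() in watch]


def java_masquerades(events):
    """(image path, OriginalFileName) for processes whose on-disk name looks
    like Java but whose version info names neither Java nor Oracle, the
    pattern of an RMM agent renamed to pass as a Java update."""
    hits = []
    for e in events:
        if e.get("EventID") != 1 or not JAVA_LOOKALIKE.search(e.get("Image", "")):
            continue
        meta = (e.get("OriginalFileName", "") + " " + e.get("Company", "")).lower()
        if not any(k in meta for k in ("java", "oracle")):
            hits.append((e["Image"], e.get("OriginalFileName")))
    return hits


if __name__ == "__main__":
    for creator, machine, ip in rogue_domain_joins(SAMPLE_EVENTS, APPLIANCE_BIND_ACCOUNTS):
        print(f"ALERT: bind account {creator} created {machine} from {ip}")
    for image, original in java_masquerades(SAMPLE_EVENTS):
        print(f"ALERT: {image} carries version info for {original}")
```

The version-info check is a heuristic: a renamed but unmodified binary keeps its original OriginalFileName and Company, so it catches the disguise described above without depending on a hash of any particular RMM build.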

[NEW] Poland Foils Cyberattack on National Centre for Nuclear Research Polish authorities have confirmed they successfully thwarted a cyberattack targeting the National Centre for Nuclear Research (NCBJ), a critical infrastructure facility. While initial analysis suggests potential Iranian involvement, security experts emphasize that the operational lessons regarding critical infrastructure defense are more significant than the attribution itself. The incident underscores the persistent risk to nuclear research facilities and highlights the necessity of robust incident response capabilities in environments where a breach could have severe geopolitical and physical consequences [SecurityWeek; Malware.news].

🎯 Threat Actor Activity & Campaigns

[NEW] Storm-1811 Exploits Teams and Quick Assist to Deploy A0Backdoor A financially motivated threat cluster tracked as Storm-1811 (also known as Blitz Brigantine) is evolving its social engineering playbook to breach enterprise networks by abusing Microsoft Teams and Windows Quick Assist. The campaign begins with “email bombing” (flooding a victim’s inbox with spam), followed by a Teams message from an attacker impersonating IT support and offering to fix the issue. The victim is tricked into granting remote access via Quick Assist, allowing attackers to deploy a new stealthy backdoor named A0Backdoor. This malware uses DLL sideloading to load malicious code and employs DNS tunneling for covert Command and Control (C2) communication, repurposing old domain names to bypass security filters [Cyberpress; GBHackers].

[NEW] IBM Links AI-Generated “Slopoly” Malware to Hive0163 Ransomware IBM X-Force researchers have linked a novel malware framework dubbed “Slopoly” to the Hive0163 ransomware operation, marking a significant shift toward AI-driven, ephemeral malware. Believed to be AI-generated due to its structure and rapid development cycle, Slopoly is deployed in the late stages of an attack chain that begins with ClickFix social engineering to trick users into running PowerShell scripts. The malware is designed to be disposable and single-use, rendering traditional signature-based detection and attribution nearly obsolete. Defenders are advised to shift toward behavior-based detection and monitor for specific infrastructure indicators associated with Hive0163 [Cyberpress].

[NEW] Konni APT Hijacks KakaoTalk Accounts for Lateral Movement The North Korea-linked Konni APT group is conducting a sophisticated multi-stage campaign that leverages compromised KakaoTalk messenger accounts to propagate malware. Initial access is gained through spear-phishing emails disguised as invitations to become a “North Korean human rights lecturer,” containing a malicious LNK file that executes a hidden PowerShell script. Once the victim is infected, the unique aspect of this campaign is the attackers’ ability to hijack the active KakaoTalk PC session and selectively send malicious files to the victim’s contacts, effectively using trusted social circles to bypass standard email security filters [Cyberpress; GBHackers; Genians/Malware.news].

⚠️ Vulnerabilities & Patches

[NEW] Supply Chain Compromise: Malicious Chrome Extensions and NPM Packages A wave of supply chain attacks highlights the ongoing risk of trusting third-party code repositories. Two popular Chrome extensions, QuickLens and ShotBird, were observed turning malicious after ownership transfers, enabling attackers to inject arbitrary code, strip security headers, and deliver fake Chrome update prompts to steal data. Separately, a malicious npm package named @openclaw-ai/openclawai was discovered posing as an installer for the OpenClaw AI tool. This package deployed a Remote Access Trojan (RAT) and stole sensitive credentials from macOS systems. Organizations are urged to audit browser extensions and verify the integrity of dependencies before deployment [Malware.news; Malware.news].

📋 Policy & Industry News

[NEW] Meta Permanently Removes End-to-End Encryption from Instagram DMs Meta has announced that end-to-end encryption (E2EE) for Instagram Direct Messages will be permanently discontinued on May 8, 2026. The rollback ends the platform’s experiment with private messaging and is ostensibly linked to low user adoption and increasing pressure to detect harmful content such as child sexual abuse material (CSAM). Once disabled, Meta will technically regain the ability to scan, analyze, and store DM content for moderation and law-enforcement cooperation. This decision raises significant privacy and security concerns for high-risk users, including activists and journalists, who relied on the “zero-knowledge” architecture [Cyberpress; GBHackers].