Citrix NetScaler CVE-2026-3055 exploitation πŸ”΄, AI-generated DeepLoad malware πŸ€–, Operation DualScript financial targeting πŸ’°, Claude AI zero-day discoveries πŸ”, Dutch government breach πŸ‡³πŸ‡±

Daily Threat Intel Digest - March 31, 2026

πŸ”΄ Critical Threats & Active Exploitation

[UPDATE] Citrix NetScaler CVE-2026-3055 added to CISA KEV catalog with active exploitation confirmed Following last week’s mass scanning warnings, attackers are now actively exploiting the Citrix NetScaler memory overread vulnerability (CVE-2026-3055) to steal authenticated administrative session IDs, enabling full appliance takeover. watchTowr researchers confirmed exploitation beginning March 27, revealing that the CVE actually covers at least two distinct memory overread bugs affecting the /saml/login and /wsfed/passive endpoints. CISA has added the flaw to its Known Exploited Vulnerabilities catalog, ordering federal agencies to patch by Thursday, April 2. With nearly 30,000 NetScaler ADC and 2,300 Gateway instances currently exposed online, organizations running SAML IDP configurations must treat this as an immediate compromise risk [BleepingComputer; watchTowr analysis].

[NEW] AI-generated “DeepLoad” malware uses ClickFix to bypass enterprise defenses with fileless persistence A new credential-stealing campaign dubbed “DeepLoad” is using AI-generated obfuscation at every stage to bypass traditional security controls, turning a single user click into persistent access. Delivered via ClickFix social engineering (fake browser prompts instructing users to paste “fix” commands), the malware buries functional code under thousands of meaningless variable assignments and executes behind the Windows lock screen. ReliaQuest assesses with high confidence that AI built the obfuscation layer, noting the sheer volume of code padding rules out human-only involvement. The malware maintains persistence even after cleanupβ€”a hidden mechanism re-executed the attack three days later in investigated incidentsβ€”and spreads to connected USB drives. This campaign reinforces that static, file-based detection is increasingly insufficient against AI-generated malware variants [CyberScoop; GBHackers].

[NEW] Dutch Ministry of Finance takes treasury banking portal offline following breach The Dutch Ministry of Finance has shut down its digital treasury banking portal after detecting a cyberattack on March 19, directly impacting approximately 1,600 public institutions that hold funds with the ministry. While incoming and outgoing payments continue through regular banking channels, participants cannot view account balances, apply for loans, or generate reports. Minister Eelco Heinen confirmed there is no clear timeline for restoration. The breach follows a September 2024 compromise of the Dutch National Police Corps by a state-backed threat actor, suggesting ongoing targeting of Dutch government infrastructure [BleepingComputer].

[NEW] CareCloud healthcare breach exposes patient EHR data Healthcare technology provider CareCloud has disclosed a material cybersecurity incident after attackers breached one of its six electronic health record (EHR) environments on March 16, potentially exposing protected health information. The breach caused an eight-hour system outage, though CareCloud contained the threat and prevented lateral movement to other platforms. The company has engaged a Big Four forensics team, reported to federal law enforcement, and filed an SEC Form 8-K disclosure. The full scope of data exfiltration remains under investigation, with no ransomware group currently claiming responsibility [BleepingComputer; Cyberpress].

🎯 Threat Actor Activity & Campaigns

[NEW] “Operation DualScript” deploys RetroRAT and cryptocurrency clipboard hijacker via parallel PowerShell chains A multi-stage malware campaign is running two parallel infection chains through Windows Scheduled Tasks: one deploying a cryptocurrency clipboard hijacker that silently replaces copied wallet addresses with attacker-controlled addresses across 29 different cryptocurrencies, and another executing the RetroRAT implant directly in memory for persistent system monitoring. RetroRAT specifically targets U.S. financial institutions, monitoring active window titles against 51 banking-related keywords (Bank of America, Wells Fargo, Chase, PayPal, etc.) and 47 cryptocurrency platform keywords to selectively capture keystrokes during financial sessions. The malware implements extensive sandbox evasion, VM detection, and aggressive obfuscation using Unicode control characters to resist static analysis [Seqrite analysis].

[NEW] RoadK1ll WebSocket implant turns compromised hosts into covert network relay points A newly discovered Node.js implant dubbed “RoadK1ll” establishes outbound WebSocket connections to attacker infrastructure, converting compromised machines into on-demand tunneling relays for pivoting to internal systems. Unlike traditional backdoors, RoadK1ll’s sole function is network relayβ€”it supports multiple concurrent TCP connections through a single tunnel, enabling attackers to reach internal services, management interfaces, and network segments that bypass perimeter controls. The malware lacks traditional persistence mechanisms, operating only while its process remains alive, but includes automatic reconnection capabilities. Blackpoint discovered the implant during an incident response engagement [BleepingComputer; Blackpoint analysis].

[NEW] Ransomware round-up: Akira, Qilin, and ALP-001 claim multiple new victims Several active ransomware groups have claimed new victims:

  • Akira targeted Motleys Asset Disposition Group (Richmond, VA), threatening to release 11GB of corporate data including employee passports, driver’s licenses, and SSNs [DeXpose].
  • Qilin claimed attacks against UK financial firm Blantyre Capital and U.S. accounting services firm Summit Tax Advisory, threatening data leaks in both cases [DeXpose Qilin/Blantyre; DeXpose Qilin/Summit].
  • ALP-001 claimed attacks against French telecommunications leader Iliad S.A. ($11.7B revenue) with an April 11 deadline, and Brazilian media monitoring firm Knewin (176.5GB of data at risk) with an April 3 deadline [DeXpose ALP-001/Iliad; DeXpose ALP-001/Knewin].

⚠️ Vulnerabilities & Patches

[NEW] Claude AI discovers critical zero-day RCE vulnerabilities in Vim and Emacs text editors Security researchers at Calif demonstrated that a simple conversational prompt to Claude AI was sufficient to uncover critical zero-day remote code execution vulnerabilities in two of the most widely used text editors. The Vim flaw (GHSA-2gmj-rpqf-pxvh) exploits a missing P_MLE flag in the tabpanel option, allowing malicious modelines to register autocommands that achieve full OS command injection when a crafted file is openedβ€”no additional user interaction required. Vim maintainers patched the issue in v9.2.0172. The Emacs RCE, triggered by opening a crafted archive, remains unpatched and disputedβ€”maintainers attribute the issue to Git rather than Emacs. Calif has launched “MAD Bugs: Month of AI-Discovered Bugs” through April 2026, noting that Claude Opus 4.6 has already identified over 500 high-severity zero-days in production open-source software [Cyberpress; GBHackers; Calif research].

[NEW] ChatGPT DNS tunneling vulnerability enabled silent data exfiltration and remote shell access Check Point Research disclosed a critical vulnerability in ChatGPT’s code execution environment that allowed attackers to silently exfiltrate user prompts, uploaded files, and sensitive data through DNS tunnelingβ€”bypassing all outbound data warnings. Because the containerized runtime permitted DNS resolution while blocking standard HTTP/TCP traffic, attackers could encode data fragments as subdomains to attacker-controlled domains. The bidirectional DNS channel effectively established a remote shell inside the Linux container, enabling arbitrary command execution outside ChatGPT’s safety mechanisms. The flaw was exploitable via malicious prompts or backdoored Custom GPTs. OpenAI patched the vulnerability on February 20, 2026 [Cyberpress; Check Point Research].

[NEW] Notepad++ v8.9.3 patches cURL vulnerability in auto-updater, completing XML parser overhaul Notepad++ has released version 8.9.3, which updates the bundled cURL library in its WinGUp auto-updater to v8.19.0, patching CVE-2025-14819 (CVSS 5.3) β€” an improper certificate validation flaw that could allow man-in-the-middle attacks on the update mechanism. Given that a China-nexus threat actor (Lotus Panda) previously compromised Notepad++’s update channel between June and December 2025 to deliver the Chrysalis backdoor, securing the update pipeline is particularly critical. The release also completes the migration from TinyXML to pugixml for improved performance [Cyberpress; GBHackers].

πŸ›‘οΈ Defense & Detection

[NEW] Apple macOS Tahoe adds ClickFix attack protection in Terminal Apple has silently introduced a security mechanism in macOS Tahoe 26.4 that intercepts potentially harmful commands before they are pasted into the Terminal application, directly targeting the ClickFix social engineering technique. The defense breaks the infection chain at the point where users are tricked into pasting malicious commands disguised as browser fixes or error resolutionsβ€”a delivery method now used by multiple campaigns including DeepLoad [GBHackers].

[NEW] Google Drive ransomware defense and recovery features reach general availability Google has moved its advanced ransomware detection and file restoration features for Google Drive out of beta, making them generally available to organizations globally. The features are designed to minimize the destructive impact of malware attacks on both personal and corporate endpoints, providing automated detection and recovery capabilities [GBHackers].

πŸ“‹ Policy & Industry News

[NEW] OWASP releases Top 10 for Agentic Applications with Microsoft Copilot Studio guidance OWASP has published its Top 10 for Agentic Applications (2026), outlining risks specific to autonomous AI systems that can act across workflows using real identities, data access, and tools. Key failure modes include agent goal hijacking, tool misuse, identity and privilege abuse, unexpected code execution, and cascading failures across interconnected agents. Microsoft simultaneously published guidance on addressing these risks through Copilot Studio and the upcoming Agent 365 management platform (GA May 1), which provides centralized visibility, policy enforcement, and containment controls for deployed agents [Microsoft Security Blog; OWASP].

[NEW] Tax filing season sparks wave of malware and RMM delivery campaigns Cybercriminals are exploiting the global tax season with over 100 tax-themed operations worldwide, using IRS and tax filing lures to deliver malware, legitimate remote monitoring and management (RMM) tools, and credential phishing payloads. Researchers note a marked increase in the abuse of legitimate RMM utilities for persistence, aligning with the broader trend of “living off the land” techniques that blend with normal administrative activity [GBHackers].

⚑ Quick Hits

  • Docker Desktop 4.67.0 patches CVE-2026-33990 β€” update immediately [Canadian Cyber Centre].
  • Roundcube Webmail releases security updates for versions 1.6.15, 1.5.15, and 1.7 RC6 β€” multiple vulnerabilities addressed [Canadian Cyber Centre].
  • Red Hat published security advisories addressing Linux kernel vulnerabilities across multiple Enterprise Linux versions and platforms [Canadian Cyber Centre].
  • CISA ICS advisories cover vulnerabilities in Schneider Electric EcoStruxure, WAGO industrial switches, PTC Windchill, and other industrial control systems [Canadian Cyber Centre].
  • SANS ISC published research on application control bypass techniques for data exfiltration, relevant to organizations relying solely on endpoint controls [SANS ISC].