Originally reported by BleepingComputer, Cisco Talos, Malwarebytes Labs, SecureList (Kaspersky)
TL;DR
Google's threat intelligence reveals 90 zero-day vulnerabilities were actively exploited in 2025, with nearly half targeting enterprise infrastructure. Concurrently, state-sponsored groups continue targeting telecommunications providers while cybercriminals execute multi-million dollar fraud schemes through business email compromise and cryptocurrency theft.
Google reports 90 actively exploited zero-days in 2025 alongside active state-sponsored campaigns targeting critical infrastructure. Multiple high-impact incidents include massive fraud operations and widespread vulnerability exploitation.
Google Threat Intelligence Group documented 90 zero-day vulnerabilities actively exploited throughout 2025, representing a significant escalation in threat actor capabilities. Nearly half of these zero-days targeted enterprise software and appliances, highlighting the continued focus on corporate infrastructure. The data underscores the critical importance of rapid patch deployment and comprehensive threat monitoring in enterprise environments.
Chinese state hackers tracked as UAT-9244 have been systematically targeting telecommunications service providers across South America since 2024. The advanced persistent threat group deployed a sophisticated malware toolkit capable of compromising Windows, Linux, and network-edge devices. This campaign represents a continued focus by nation-state actors on telecommunications infrastructure, which serves as a critical attack vector for both espionage and potential disruption operations.
A Ghanaian national pleaded guilty to his role in an extensive fraud ring that stole over $100 million from U.S. victims through business email compromise attacks and romance scams. The case highlights the sophisticated nature of modern fraud operations and their ability to operate at scale across international boundaries. Meanwhile, the FBI arrested a suspect linked to the theft of $46 million in cryptocurrency from the U.S. Marshals Service, demonstrating that even government agencies remain vulnerable to insider threats and sophisticated theft operations.
Microsoft Bing's AI-enhanced search feature inadvertently promoted fake GitHub repositories hosting malicious OpenClaw installers. The repositories instructed users to run commands that deployed information stealers and proxy malware, demonstrating how threat actors exploit trusted platforms and emerging technologies. Similarly, a fake CleanMyMac site was discovered distributing SHub Stealer, a macOS information stealer specifically designed to target cryptocurrency wallets and steal credentials.
Attackers are actively exploiting a critical vulnerability in the User Registration & Membership plugin, which is installed on more than 60,000 WordPress sites. The vulnerability allows threat actors to create administrative accounts, potentially leading to complete site compromise. This incident emphasizes the ongoing security challenges facing the WordPress ecosystem and the need for proactive plugin security management.
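The WordPress incident above hinges on an attacker creating an unexpected administrator account. A defender's first check after such a report is to compare the site's current administrators against the known-good list and flag any created recently. The following is an added example (not code from the original report or from the plugin) that runs that check against constructed sample data in an in-memory SQLite copy of the relevant WordPress tables; the table layout, the `wp_` prefix, the sample logins and dates, and the `known_admins` list are all assumptions made for the illustration.

```python
import sqlite3

# Constructed sample rows mimicking WordPress wp_users and wp_usermeta.
# Assumption: the standard "wp_" table prefix and the usual PHP-serialized
# role string stored under the wp_capabilities meta key.
USERS = [
    (1, "site_owner",   "2023-01-10 08:00:00"),
    (2, "editor_jane",  "2024-05-02 12:30:00"),
    (3, "wp_admin_sys", "2026-04-01 03:14:07"),  # constructed: unexpected admin
    (4, "support2",     "2026-04-01 03:15:22"),  # constructed: unexpected admin
]
USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (4, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]


def build_db():
    """Create an in-memory database with the two tables the check needs."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE wp_users (
            ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (
            user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    con.executemany("INSERT INTO wp_users VALUES (?,?,?)", USERS)
    con.executemany("INSERT INTO wp_usermeta VALUES (?,?,?)", USERMETA)
    return con


def find_suspicious_admins(con, known_admins, since):
    """Return administrator accounts registered at or after `since`
    (ISO 'YYYY-MM-DD HH:MM:SS', compared as text, which sorts correctly)
    whose login is not in the defender-maintained `known_admins` set."""
    rows = con.execute("""
        SELECT u.ID, u.user_login, u.user_registered
        FROM wp_users u
        JOIN wp_usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = 'wp_capabilities'
          AND m.meta_value LIKE '%"administrator"%'
          AND u.user_registered >= ?
        ORDER BY u.user_registered
    """, (since,)).fetchall()
    return [
        {"id": uid, "user_login": login, "registered": reg}
        for uid, login, reg in rows
        if login not in known_admins
    ]


if __name__ == "__main__":
    db = build_db()
    # Review everything created in the last month that is not on the allow-list.
    for hit in find_suspicious_admins(db, {"site_owner"}, "2026-03-06 00:00:00"):
        print(f"unexpected administrator: {hit['user_login']} ({hit['registered']})")
```

On a real site the same query runs against the production database (adjusting the table prefix), and any hit should be treated as a possible compromise indicator: review the account's creation time against the plugin's patch date and the web server logs, rather than simply deleting it.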
The Wikimedia Foundation experienced a security incident involving a self-propagating JavaScript worm that vandalized pages and modified user scripts across multiple wikis. The attack demonstrates how even collaborative platforms with extensive community oversight remain vulnerable to automated threats designed to spread rapidly through interconnected systems.
Keep Aware's 2026 State of Browser Security Report reveals that 41% of employees used AI web tools while enterprises struggle with browser-based phishing, malicious extensions, and social engineering attacks. The research indicates that many organizations still treat browsers as extensions of network or endpoint security rather than recognizing them as the primary interface for modern work environments.
Spanish and Ukrainian authorities dismantled a criminal ring that exploited war-displaced Ukrainian women to operate an online gambling scheme, laundering nearly €4.75 million in illicit proceeds. The operation highlights how threat actors exploit vulnerable populations and geopolitical instability to facilitate criminal enterprises.
Cisco Talos released its 2025 CVE retrospective, analyzing vulnerability trends and providing strategic recommendations for improving organizational defenses. Kaspersky's Q4 2025 vulnerability and exploit report includes statistical analysis of published vulnerabilities and of command-and-control framework usage in advanced persistent threat campaigns, offering insights into evolving attack methodologies.