Originally reported by BleepingComputer, Check Point Research, Malwarebytes Labs, SecureList (Kaspersky), Bitdefender Labs
TL;DR
CISA ordered federal agencies to patch an actively exploited Ivanti Endpoint Manager vulnerability within three weeks. Russian APT28 operators are using customized Covenant framework tools for espionage, while a massive investment fraud network leveraging Meta advertising platforms has been discovered operating across 25 countries.
CISA has added an actively exploited Ivanti EPM vulnerability to the Known Exploited Vulnerabilities catalog, giving federal agencies a three-week remediation deadline. Together with state-sponsored APT28 activity and widespread scam infrastructure, this makes for a week of critical threat activity.
CISA added a high-severity Ivanti Endpoint Manager vulnerability to its Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. The agency ordered federal agencies to patch affected systems within three weeks; the short deadline reflects confirmed exploitation rather than a theoretical risk. The vulnerability affects Ivanti's enterprise endpoint management platform, which is widely deployed across government and corporate networks, and organizations outside the federal mandate should treat the KEV listing as the same signal to prioritize the patch.
Russian state-sponsored group APT28 has begun using a customized version of the open-source Covenant post-exploitation framework for long-term espionage operations. Security researchers identified modifications to the standard Covenant toolkit that enhance persistence and stealth capabilities. This represents a continued evolution in APT28's tooling, moving toward more sophisticated open-source adaptations rather than purely custom malware.
Dutch government authorities warned of an ongoing phishing campaign targeting Signal and WhatsApp accounts of government officials, military personnel, and journalists. The attacks, linked to Russian state-sponsored actors, aim to hijack messaging accounts to access sensitive communications. The campaign represents a shift toward targeting encrypted messaging platforms used by high-value targets.
Threat actors contacted employees at financial and healthcare organizations through Microsoft Teams messages, tricking them into granting remote access via Quick Assist. The attacks deployed a new malware variant called A0Backdoor, demonstrating how legitimate communication platforms can be weaponized for initial access. The campaign targeted specific sectors with tailored social engineering approaches; restricting Teams external access and blocking or removing Quick Assist where it is not needed cuts off both halves of this chain.
Bitdefender Labs mapped a sprawling investment fraud ecosystem spanning 25 countries that uses Meta's advertising platforms to distribute malicious campaigns. Between February and March 2026, researchers analyzed 310 malvertising campaigns that used trusted news brands, fabricated media narratives, and advanced evasion techniques to drive victims into fraud funnels. The network demonstrates the scalability of disinformation-for-profit operations using legitimate advertising infrastructure.
Malwarebytes researchers identified a deceptive campaign using quiz websites to trick users into enabling browser notifications. The quizzes serve as bait, with the real objective being permission to send notifications later used for advertisements, scams, and malicious promotions. This technique exploits user trust and browser notification systems for persistent access.
Google's threat intelligence team reported that attackers increasingly exploit newly disclosed vulnerabilities in third-party software for initial cloud access, rather than relying on weak credentials. The window between vulnerability disclosure and exploitation has shrunk from weeks to days, requiring faster patch deployment cycles for cloud-connected systems.
Salesforce issued warnings about attacks targeting misconfigured Experience Cloud platforms that grant guest users excessive data access. The ShinyHunters extortion group claims to be actively exploiting a new vulnerability to steal data from Salesforce instances, though the company attributes most incidents to configuration errors rather than zero-day exploits. The practical check is the same either way: review the object permissions and sharing rules assigned to each site's guest user profile, since anything readable by that profile is readable by an unauthenticated visitor.
Ericsson's U.S. subsidiary confirmed a data breach affecting over 15,000 employees and customers after attackers compromised one of its service providers. The incident highlights supply chain risks in telecommunications infrastructure and the cascading effects of third-party security failures on major network equipment vendors.
Kaspersky researchers identified a new Android Trojan called BeatBanker specifically targeting Brazilian users. The malware poses as legitimate government applications and the Google Play Store, combining cryptocurrency mining capabilities with banking data theft functionality. This dual-mode approach maximizes monetization opportunities for operators while maintaining persistence on infected devices.
Investigators are examining a suspected breach of FBI wiretapping infrastructure, with initial evidence suggesting a supply chain compromise may have provided nation-state actors access to law enforcement surveillance systems. The incident raises significant concerns about the security of critical intelligence gathering capabilities.
Microsoft announced plans to enable hotpatch security updates by default for Windows devices managed through Intune and Microsoft Graph API, beginning with May 2026 security updates. The change aims to reduce reboot requirements and accelerate security patch deployment across enterprise environments.
Microsoft will implement automatic tagging of third-party bots in Teams meeting lobbies, allowing organizers better control over meeting access. The feature responds to growing concerns about unauthorized bot participation in corporate communications and meetings.
Security researchers highlighted significant gaps in traditional password auditing approaches, noting that auditing against complexity rules alone often misses the accounts attackers actually target. The analysis emphasized three blind spots: passwords that satisfy every complexity requirement but already appear in breach corpora, orphaned user accounts that remain enabled with no owner or recent logon, and service accounts whose passwords are set to never expire and are therefore never rotated.
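The three blind spots above can be checked in one pass over an account export. The script below is an added example written for this digest, not code from any of the cited reports. It assumes a hypothetical export in the shape of the `Account` dataclass, uses SHA-1 as a stand-in for NTLM hashes (hashlib's MD4 is not reliably available; the logic is identical for a real NTLM dump), and simulates a k-anonymity range lookup against a small constructed breach corpus so it runs offline.

```python
"""Audit an account export for breached passwords, orphaned accounts and
unrotated service accounts. Example code for this digest; all data is constructed."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 4, 1, tzinfo=timezone.utc)  # fixed clock for reproducible results
STALE_AFTER = timedelta(days=90)                 # no logon in 90 days -> orphaned
SERVICE_PWD_MAX_AGE = timedelta(days=365)        # service password older than a year -> unrotated


@dataclass
class Account:
    """Hypothetical export row. pwd_hash would be the NTLM hash in a real dump."""
    sam: str
    pwd_hash: str
    enabled: bool
    last_logon: datetime | None
    pwd_last_set: datetime
    pwd_never_expires: bool = False
    spn_count: int = 0  # Kerberos SPNs registered on the account (>0 = service account)


def pw_hash(password: str) -> str:
    # SHA-1 stands in for MD4/NTLM here; the audit only compares hex digests.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus. Note "P@ssw0rd" passes typical complexity rules.
CONSTRUCTED_BREACH_CORPUS = ["Password1", "Summer2024!", "P@ssw0rd", "Welcome1", "Qwerty123"]

# Index the corpus by 5-character hash prefix, mirroring a k-anonymity range API.
_BREACHED_BY_PREFIX: dict[str, set[str]] = {}
for _h in map(pw_hash, CONSTRUCTED_BREACH_CORPUS):
    _BREACHED_BY_PREFIX.setdefault(_h[:5], set()).add(_h[5:])


def breached_range(prefix: str) -> set[str]:
    """Stand-in for a range query: only the 5-char prefix would leave the host."""
    return _BREACHED_BY_PREFIX.get(prefix.upper(), set())


def is_breached(pwd_hash: str) -> bool:
    h = pwd_hash.upper()
    return h[5:] in breached_range(h[:5])


def audit(accounts: list[Account]) -> dict[str, list[str]]:
    """Return {sam: [finding, ...]} for every account with at least one finding."""
    findings: dict[str, list[str]] = {}
    for a in accounts:
        hits: list[str] = []
        if is_breached(a.pwd_hash):
            hits.append("breached_password")
        # Disabled accounts are not orphans; enabled-but-unused ones are the target.
        if a.enabled and (a.last_logon is None or NOW - a.last_logon > STALE_AFTER):
            hits.append("orphaned")
        if a.spn_count > 0 and (a.pwd_never_expires or NOW - a.pwd_last_set > SERVICE_PWD_MAX_AGE):
            hits.append("service_account_unrotated")
        if hits:
            findings[a.sam] = hits
    return findings


# Constructed sample export.
SAMPLE_EXPORT = [
    Account("alice", pw_hash("Summer2024!"), True, NOW - timedelta(days=2), NOW - timedelta(days=30)),
    Account("bob", pw_hash("c0rr3ct-h0rse-battery-9"), True, None, NOW - timedelta(days=400)),
    Account("svc_sql", pw_hash("P@ssw0rd"), True, NOW - timedelta(days=1),
            datetime(2021, 6, 1, tzinfo=timezone.utc), pwd_never_expires=True, spn_count=2),
    Account("carol", pw_hash("Tr0ub4dor&3-long-enough"), False, datetime(2023, 1, 1, tzinfo=timezone.utc),
            datetime(2023, 1, 1, tzinfo=timezone.utc)),
    Account("dave", pw_hash("x9#Lm!vQ2pR7wE4s"), True, NOW - timedelta(days=3), NOW - timedelta(days=20)),
]

if __name__ == "__main__":
    for sam, hits in audit(SAMPLE_EXPORT).items():
        print(f"{sam}: {', '.join(hits)}")
```

Against the constructed export, `svc_sql` is flagged twice (a breached password that satisfies complexity rules, never rotated), `bob` is an enabled account that has never logged on, and `carol` is not reported because a disabled account is not an orphan. The complexity-only audit the researchers criticize would have flagged none of them.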