Originally reported by BleepingComputer, Graham Cluley, Cisco Talos, Check Point Research, Malwarebytes Labs
TL;DR
Security researchers identified multiple new malware threats including the BlackSanta EDR killer used by Russian actors against HR departments for over a year, BeatBanker Android malware posing as Starlink apps, and the Zombie ZIP technique for evading security tools. Meanwhile, Iranian MOIS actors are increasingly adopting cybercrime tools and infrastructure.
The common thread is a set of actively deployed malware families, including a sophisticated EDR killer aimed at HR departments and Android banking malware using Starlink as a lure, alongside new sandbox evasion techniques that are already in active use.
BleepingComputer reports that Russian-speaking threat actors have been deploying a new EDR evasion tool called BlackSanta against human resources departments for over a year. The malware specifically targets endpoint detection and response systems, allowing attackers to maintain persistence while avoiding security monitoring. HR departments remain attractive targets due to their access to employee data and often less stringent security controls compared to IT infrastructure.
A new Android banking trojan named BeatBanker is leveraging the popularity of SpaceX's Starlink service to trick victims into installing it. According to BleepingComputer, the malware is distributed through fake websites mimicking the official Google Play Store and offering fraudulent Starlink applications. Once installed, BeatBanker can hijack Android devices and steal banking credentials, exploiting users' trust in a legitimate satellite internet service.
Researchers have identified a new evasion technique called "Zombie ZIP" that allows malicious payloads to bypass antivirus and EDR systems. BleepingComputer reports that this method involves specially crafted compressed files designed to exploit parsing differences between security tools and operating systems, enabling malware to slip through detection mechanisms unnoticed.
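The report above describes the technique only in general terms: an archive that one parser reads differently from another. A defender-side check that captures that class of problem is to parse an archive both ways and flag any disagreement. The script below is an added example written for this digest, not code from BleepingComputer or from the Zombie ZIP research, and it does not reproduce that specific technique: it is a generic consistency check between the central directory (which tools like Python's zipfile trust) and a front-to-back walk of local file headers (which streaming scanners typically follow). The sample archives, including the tampered one whose central directory omits a file, are constructed in the script.

```python
"""Consistency check between the two ways a ZIP archive can be read.

A front-to-back walk of local file headers and a read of the central
directory at the end of the file can disagree about what an archive
contains. This checker parses both views and reports every difference,
a signal a scanner can use to treat an archive as suspicious.
"""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"


def parse_eocd(data):
    """Locate the End Of Central Directory record and return its key fields."""
    idx = data.rfind(EOCD_SIG)
    if idx < 0:
        raise ValueError("no EOCD record")
    _, _, _, total, cd_size, cd_offset, _ = struct.unpack_from("<HHHHIIH", data, idx + 4)
    return {"entries": total, "cd_size": cd_size, "cd_offset": cd_offset}


def central_entries(data):
    """Entries as seen by a central-directory reader (e.g. Python's zipfile)."""
    eocd = parse_eocd(data)
    pos, end, out = eocd["cd_offset"], eocd["cd_offset"] + eocd["cd_size"], {}
    while pos + 46 <= end and data[pos:pos + 4] == CENTRAL_SIG:
        (_, _, _, method, _, _, crc, csize, usize,
         nlen, elen, clen, _, _, _, loff) = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        out[name] = {"method": method, "crc": crc, "csize": csize, "usize": usize, "offset": loff}
        pos += 46 + nlen + elen + clen
    return out


def local_entries(data):
    """Entries as seen by a streaming reader that walks local headers front-to-back."""
    pos, out = 0, {}
    while data[pos:pos + 4] == LOCAL_SIG:
        (_, flags, method, _, _, crc, csize, usize,
         nlen, elen) = struct.unpack_from("<HHHHHIIIHH", data, pos + 4)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        out[name] = {"method": method, "crc": crc, "csize": csize, "usize": usize, "offset": pos}
        if flags & 0x08:
            # Sizes live in a trailing data descriptor, so the payload cannot be
            # skipped without decompressing it; stop the walk here.
            break
        pos += 30 + nlen + elen + csize
    return out


def find_discrepancies(data):
    """Return human-readable mismatches between the central and local views."""
    central, local = central_entries(data), local_entries(data)
    problems = [f"local-only entry: {n}" for n in sorted(set(local) - set(central))]
    problems += [f"central-only entry: {n}" for n in sorted(set(central) - set(local))]
    for name in sorted(set(central) & set(local)):
        c, l = central[name], local[name]
        if c["offset"] != l["offset"]:
            problems.append(f"offset mismatch for {name}")
        for field in ("method", "crc", "csize", "usize"):
            if c[field] != l[field]:
                problems.append(f"{field} mismatch for {name}: central={c[field]} local={l[field]}")
    return problems


def names_seen_by_zipfile(data):
    """What a central-directory-driven reader reports as the archive contents."""
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


def build_sample():
    """Constructed sample: a clean two-file archive and a tampered copy whose
    central directory omits the second file, which a streaming reader still sees."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "benign text\n")
        zf.writestr("payload.bin", b"\x00" * 64)
    clean = buf.getvalue()

    cd_start = parse_eocd(clean)["cd_offset"]
    # First central record spans 46 bytes plus name, extra and comment lengths.
    nlen, elen, clen = struct.unpack_from("<HHH", clean, cd_start + 28)
    new_cd = clean[cd_start:cd_start + 46 + nlen + elen + clen]
    eocd_rec = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(new_cd), cd_start, 0)
    tampered = clean[:cd_start] + new_cd + eocd_rec
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = build_sample()
    print("clean:", find_discrepancies(clean))        # []
    print("tampered:", find_discrepancies(tampered))  # ['local-only entry: payload.bin']
```

On the tampered archive zipfile lists only readme.txt, while the local-header walk also finds payload.bin; a scanner that trusted only one of the two views would miss that the archive carries more than it declares. The check is deliberately conservative about data descriptors (flag bit 3), where a streaming reader cannot skip payloads without decompressing them, and a production version would additionally compare against the offset each central record points at rather than keying on names alone.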
Microsoft's March 2026 security update addresses 79 vulnerabilities, including three marked as critical. Cisco Talos analysis highlights that the update includes fixes for two zero-day vulnerabilities and resolves an issue preventing some Windows 10 devices from shutting down properly. Microsoft also released the KB5078885 extended security update specifically for Windows 10 systems.
Hewlett Packard Enterprise addressed multiple security vulnerabilities in the Aruba Networking AOS-CX operating system, including a critical flaw allowing unauthorized admin password resets. BleepingComputer reports that the vulnerabilities encompass authentication bypasses and code execution issues that could grant attackers administrative access to network infrastructure.
A newly discovered botnet called KadNap is targeting ASUS routers and edge networking devices to create a proxy network for malicious traffic. BleepingComputer analysis shows the malware transforms compromised devices into relay points for cybercriminal operations, highlighting the continued targeting of consumer networking equipment for botnet infrastructure.
Check Point Research reveals that Iranian Ministry of Intelligence and Security (MOIS) actors are increasingly integrating with the cybercrime ecosystem. The research indicates a shift from using cybercrime as cover to direct engagement with criminal tools, services, and operational models to support state objectives. This evolution blurs the line between nation-state activities and traditional cybercrime.
The Picus Red Report 2026 shows that 80% of top attacker techniques now focus on evasion and persistence. BleepingComputer reports that modern malware employs sophisticated sandbox evasion including geometry-based cursor movement tests and CPU timing checks to prove "humanness" and avoid automated analysis environments.
Microsoft is rolling out passkey support for Microsoft Entra on Windows devices, providing phishing-resistant passwordless authentication through Windows Hello integration. This deployment aims to reduce credential-based attacks by eliminating traditional password vulnerabilities in enterprise environments.
Elon Musk's social media platform suspended 800 million accounts for spam and manipulation in 2025, yet state-backed influence campaigns continue to proliferate. Graham Cluley's analysis questions the effectiveness of these enforcement actions given the persistent presence of coordinated inauthentic behavior on the platform.
Cisco Talos published guidance on agentic AI security, emphasizing the double-edged nature of autonomous AI agents within organizations. The analysis highlights the need for robust risk management and threat modeling to address both operational errors and potential malicious exploitation of AI systems with autonomous decision-making capabilities.