Originally reported by BleepingComputer, Graham Cluley, Cisco Talos, SentinelOne Labs, Malwarebytes Labs, Bitdefender Labs
TL;DR
Critical SharePoint and Zimbra vulnerabilities are being actively exploited in the wild, prompting CISA warnings to federal agencies. Meanwhile, new Android and iOS malware campaigns target personal data and cryptocurrency wallets.
CISA has added multiple vulnerabilities with confirmed active exploitation to the KEV catalog, including critical SharePoint and Zimbra flaws. The Stryker medical device breach demonstrates real-world impact on critical infrastructure.
CISA has confirmed active exploitation of a critical Microsoft SharePoint vulnerability patched in January. The agency's addition of this flaw to the Known Exploited Vulnerabilities catalog indicates threat actors are successfully leveraging the vulnerability in real-world attacks. Organizations running SharePoint infrastructure should prioritize immediate patching to prevent compromise.
CISA has ordered U.S. government agencies to secure their servers against an actively exploited cross-site scripting vulnerability in the Zimbra Collaboration Suite. The binding operational directive underscores the severity of ongoing attacks targeting federal email infrastructure. The vulnerability allows attackers to execute malicious scripts in users' browsers when accessing compromised Zimbra instances.
CISA warned U.S. organizations to strengthen Microsoft Intune endpoint management configurations following a cyberattack that wiped systems at medical technology giant Stryker. The incident demonstrates how attackers can exploit enterprise management tools to cause widespread disruption across medical device networks. Healthcare organizations should review their Intune security configurations according to Microsoft's hardening guidance.
ConnectWise patched a cryptographic signature verification vulnerability in ScreenConnect that could enable unauthorized access and privilege escalation. The flaw affects the remote access platform's authentication mechanisms, potentially allowing attackers to hijack legitimate sessions. Given ScreenConnect's widespread use in IT service provider environments, organizations should apply the patch immediately.
Security researchers have identified a new Android malware strain called Perseus that specifically targets note-taking applications. The malware scans these apps for sensitive information including passwords, cryptocurrency recovery phrases, and financial data. This represents an evolution in mobile threat tactics, as attackers recognize that users often store credentials in seemingly innocuous note applications.
A sophisticated iOS exploit framework dubbed DarkSword has been deployed to steal personal information from iPhones, including cryptocurrency wallet data. The attack demonstrates continued threat actor interest in mobile platforms for financial theft. The exploit kit represents a concerning development in iOS-targeted malware, which historically has been less common than Android threats.
Bitdefender researchers discovered a malicious Windsurf IDE extension that deploys a NodeJS stealer using the Solana blockchain as payload infrastructure. This novel technique leverages blockchain technology to host malicious code, making detection and takedown more challenging. The approach highlights how attackers continue to innovate in payload delivery mechanisms.
Texas-based financial services provider Marquis disclosed that a ransomware attack in August 2025 compromised data belonging to over 672,000 individuals and disrupted operations at 74 banks across the United States. The incident demonstrates the cascading impact that attacks on financial service providers can have across the broader banking ecosystem.
Identity protection company Aura confirmed unauthorized access to nearly 900,000 customer records containing names and email addresses. The breach affects marketing contact data rather than core identity protection services, but highlights the irony of security companies falling victim to data breaches.
A sophisticated account takeover attempt targeting WordPress co-founder Matt Mullenweg involved MFA fatigue attacks, legitimate Apple alerts, convincing support calls, and near-successful phishing pages. The incident demonstrates how even security-aware technology executives can become targets of advanced social engineering campaigns.
Attackers compromised Nordstrom's email systems to send cryptocurrency scams disguised as St. Patrick's Day promotions to customers. The incident shows how legitimate corporate email infrastructure can be weaponized for fraud campaigns, lending credibility to malicious messages.
Malwarebytes researchers identified stolen tax documents trading for approximately $20 each on dark web forums during tax season. The research highlights the ongoing market for personal financial information and the heightened risks individuals face during tax filing periods.
Cisco Talos research reveals that ransomware operators increasingly use legitimate administrative tools for data exfiltration, making traditional detection methods less effective. The findings underscore the need for behavioral-based detection approaches rather than relying solely on tool-based indicators.
Researchers discovered a technique using font rendering tricks to hide malicious commands from AI assistants analyzing website content. This novel approach exploits visual perception differences between human users and automated analysis systems.
Flare research exposes a structured economy around refund fraud, with methods and tutorials systematically sold to exploit retailer return policies. The findings reveal how traditional fraud has evolved into organized, repeatable business models.
SentinelOne Labs developed an adversarial consensus engine using multiple large language models to improve automated malware analysis accuracy. The approach addresses reliability issues in single-model analysis by implementing cross-validation mechanisms to catch artifacts and hallucinations.