Originally reported by The Hacker News, SANS ISC, MSRC Security Updates
TL;DR
The TeamPCP supply chain campaign continues expanding with confirmed victims while threat actors leverage WhatsApp, fake installers, and phishing to deploy malware ranging from cryptocurrency miners to banking trojans. Multiple CVE disclosures affecting various open source components require attention.
The TeamPCP supply chain campaign represents an active, widespread threat with confirmed victims and ransomware operations. Combined with multiple active malware campaigns targeting WhatsApp users and banking systems, this constitutes a high-severity threat environment.
SANS ISC published their fifth update on the ongoing TeamPCP supply chain campaign, documenting the first confirmed victim disclosure and post-compromise cloud enumeration activities. The campaign, detailed in the report "When the Security Scanner Became the Weapon," has evolved to include dual ransomware operations and continues targeting organizations through compromised security scanning tools. Attribution analysis points toward the Axios group, and investigators continue to track the associated ransomware and data exfiltration activity.
Meta alerted approximately 200 users who were deceived into installing a malicious iOS application masquerading as WhatsApp, with the majority of targets located in Italy according to La Repubblica and ANSA reporting. The fake application contained spyware deployed through social engineering techniques, prompting potential legal action against an Italian firm connected to the operation.
Separately, Microsoft identified a campaign beginning in late February 2026 that weaponizes WhatsApp messages to distribute malicious Visual Basic Script files. These VBS payloads initiate multi-stage infection chains designed to establish persistence and enable remote access through User Account Control bypass techniques.
Elastic Security researchers uncovered REF1695, a financially motivated operation active since November 2023 that deploys remote access trojans and cryptocurrency miners through fake software installers. The threat actors monetize infections through multiple revenue streams, including Cost Per Action fraud that redirects victims to content locker pages disguised as legitimate software registration portals.
Trend Micro attributed a multi-pronged phishing campaign to the Brazilian cybercrime group Augmented Marauder (also tracked as Water Saci), targeting Spanish-speaking users across Latin America and Europe. The operation delivers Casbaneiro banking trojans (also known as Metamorfo) through dynamic PDF lures and an intermediate malware called Horabot.
The Computer Emergency Response Team of Ukraine disclosed that threat actors tracked as UAC-0255 impersonated the agency in a phishing campaign affecting approximately one million email addresses. The March 26-27, 2026 attacks distributed password-protected ZIP archives containing the AGEWHEEZE remote administration tool while masquerading as official CERT-UA communications.
Microsoft published CVE disclosures for vulnerabilities affecting various open source projects:
CVE-2026-5107: FRRouting EVPN Type-2 Route access control issue in bgp_evpn.c
CVE-2026-4046: iconv crash due to assertion failure with untrusted input
CVE-2026-5119: Libsoup information disclosure via cleartext cookie transmission during HTTPS tunnel establishment
CVE-2026-4897: Polkit denial of service through unbounded input processing
CVE-2026-29785: NATS Server panic via malicious compression on leafnode port
CVE-2025-49010: OpenSC stack buffer overflow in GET RESPONSE functionality
CVE-2026-2100: P11-kit null dereference via c_derivekey with specific parameters
CVE-2026-4732: Out-of-bounds read in tildearrow/furnace
CVE-2026-32287: Infinite loop vulnerability in github.com/antchfx/xpath
Additional CVEs (CVE-2026-34714) were disclosed without detailed descriptions.
A comprehensive report on trusted open source consumption patterns revealed insights into container image projects, language libraries, and associated vulnerability landscapes across enterprise deployments. The analysis examined what development teams actively pull, deploy, and maintain in production environments.