Threat activity spiked as APT36, TA446, and UNC1069 leaned into credential theft and cloud-identity abuse, while Bearlyfy escalated politically driven ransomware. Silver Fox and TeamPCP pushed opportunistic access and data theft, and major exploits hit Apple, F5, Cisco, SharePoint, and NetScaler. Priorities for defenders include identity hardening, rapid patching, and post-compromise hunting.
Report Links
- Download Threat Brief For March 16-31 2026
- Byer-Nichols Threat Brief Podcast March 16-31 2026
Ransomware Actors
| Ransomware | Percentage | Rank Last Period | Rank Two Periods Ago |
|---|---|---|---|
| Qilin | 16.74% | 1 | 1 |
| The Gentlemen | 10.87% | 8 | 2 |
| Akira | 10.43% | 3 | 3 |
| DragonForce | 6.09% | 5 | 7 |
| PLAY | 4.35% | 6 | 6 |
Qilin held the top spot again in late March, continuing to hit manufacturing and logistics firms with fast-moving double-extortion attacks, while The Gentlemen surged after a run of high-visibility leaks tied to poorly secured VPN appliances. Akira stayed active with steady pressure on mid-market enterprises, and DragonForce grabbed attention by mixing ransomware with its hacktivist-style DDoS and data-leak operations. PLAY remained consistent, leaning on living-off-the-land techniques and opportunistic exploitation of edge devices, keeping it a persistent concern for organizations with exposed infrastructure.
Victim Sector
| Sector | Percentage | Rank Last Period | Movement |
|---|---|---|---|
| Manufacturing | 16.74% | 1 | same |
| Technology | 14.78% | 2 | same |
| Financial Services | 13.48% | 4 | 4 -> 3 |
| Retail | 11.96% | 3 | 3 -> 4 |
| Construction | 11.74% | 4 | 4 -> 5 |
Victim Location
| Country | Percentage | Rank Last Period | Movement |
|---|---|---|---|
| USA | 46.74% | 1 | unchanged |
| France | 5.22% | 5 | 5 -> 2 |
| Germany | 3.04% | 2 | 2 -> 3 |
| Canada | 3.04% | 4 | unchanged |
| Italy | 2.61% | NEW | |
Victim Org Size
| Size | Percentage | Last Period | Change |
|---|---|---|---|
| Small Business (500 or less) | 77.78% | 82.08% | +5.53% |
| Mid-Market (501-5000) | 16.12% | 13.50% | -16.25% |
| Large Enterprise (5000+) | 6.10% | 4.42% | -27.54% |
Trending Adversaries
APT36, Bearlyfy, Silver Fox, TA446, TeamPCP, and UNC1069 all leaned into credential theft, social-engineering lures, and quiet persistence this period, with several groups mixing classic phishing with browser-based exploits and cloud-identity abuse. APT36 and TA446 kept up their long-game espionage targeting government and research sectors, while Bearlyfy pushed more destructive, politically motivated ransomware. Silver Fox and TeamPCP focused on opportunistic access and data theft, and UNC1069 continued its stealthy cloud-pivoting tradecraft. UNC1069 stands out as the most concerning thanks to its ability to blend into enterprise identity systems and maintain long-term access.
- APT36
- Bearlyfy
- Silver Fox
- TA446
- TeamPCP
- UNC1069
Trending and Actively Exploited Vulnerabilities
Late March saw active exploits across a wide range: Apple zero-days in multiple products, Craft CMS and Wing FTP bugs hitting internet-facing apps, F5 BIG-IP and Zimbra flaws abused for initial access, plus high-impact RCEs in Cisco FMC, SharePoint, and Citrix NetScaler driving ransomware and data theft. Priorities: patch on emergency timelines, lock down management and SSO/SAML endpoints, restrict exposure, enable robust logging, and hunt for post-compromise activity.
| CVE | Vendor | Product |
|---|---|---|
| CVE-2025-31277 | Apple | Multiple Products |
| CVE-2025-32432 | Craft CMS | Craft CMS |
| CVE-2025-43510 | Apple | Multiple Products |
| CVE-2025-43520 | Apple | Multiple Products |
| CVE-2025-47813 | Wing FTP Server | Wing FTP Server |
| CVE-2025-53521 | F5 | BIG-IP |
| CVE-2025-66376 | Synacor | Zimbra Collaboration Suite (ZCS) |
| CVE-2026-20131 | Cisco | Secure Firewall Management Center (FMC) |
| CVE-2026-20963 | Microsoft | SharePoint |
| CVE-2026-3055 | Citrix | NetScaler |
Trending Malware
DarkSword Exploit Kit
DarkSword chains multiple iOS zero-days to silently take over devices and steal sensitive data.
DarkSword is a highly sophisticated iOS exploit chain that strings together up to six vulnerabilities -- several of them zero-days -- to fully compromise devices running iOS 18.4-18.7. Once triggered, often by simply visiting a malicious webpage, it enables attackers to exfiltrate messages, credentials, crypto-wallet data, and other sensitive information within seconds before wiping traces of itself. Originally used by state-aligned and commercial surveillance actors, its leak on GitHub has dramatically expanded access to the tool, raising the risk of widespread opportunistic exploitation. The kit has been deployed in campaigns across Saudi Arabia, Turkey, Malaysia, and Ukraine, and is now considered one of the most dangerous mobile exploit chains in circulation.
DeepLoad
Malware loader that uses AI-generated junk code and PowerShell lures to hide payloads and steal credentials.
DeepLoad is a Windows-focused, AI-assisted malware loader delivered through the ClickFix social-engineering technique, which tricks users into running malicious PowerShell commands. It hides its true functionality under massive layers of AI-generated junk code, injects payloads into trusted Windows processes like LockAppHost.exe, and uses APC injection to run filelessly in memory. Once active, it steals browser credentials, deploys a malicious extension for real-time credential interception, and can persist via WMI event subscriptions -- even re-infecting systems days after cleanup. Its design makes it extremely evasive and well-suited for credential theft and cryptocurrency-related fraud.
GenieLocker
Custom ransomware used in targeted sabotage and extortion campaigns against Russian organizations.
GenieLocker is a custom Windows ransomware strain developed and deployed by the pro-Ukrainian group Bearlyfy, which has conducted more than 70 attacks against Russian organizations. Unlike commodity ransomware, GenieLocker uses bespoke encryption routines inspired by Venus/Trinity families, making early detection difficult and limiting the usefulness of signature-based defenses. Bearlyfy's operations blend financial extortion with deliberate sabotage, and the group often delivers ransom notes manually rather than relying on automated tooling. The shift to a proprietary locker marks a significant maturation of the threat actor's capabilities and increases the operational risk for targeted enterprises.
GlassWorm
Supply chain malware that spreads through poisoned developer ecosystems to steal credentials and push second-stage payloads.
GlassWorm is an advanced supply-chain malware campaign that targets developers by compromising npm, PyPI, GitHub repositories, and VS Code/OpenVSX extensions. It uses invisible Unicode characters to hide malicious code, fetches second-stage payloads via Solana blockchain transactions, and deploys infostealers, RAT modules, and even fake hardware-wallet phishing tools. Once installed, it harvests developer credentials, SSH keys, cloud tokens, and crypto-wallet data, enabling both lateral compromise and broader supply-chain propagation. The campaign has repeatedly resurfaced in large waves, compromising hundreds of repositories and extensions across ecosystems.
Infinity Stealer
Infostealer that targets macOS via ClickFix lures to grab browser data, Keychain items, and crypto-wallet info.
Infinity Stealer is a macOS-targeting infostealer delivered through a Cloudflare-themed ClickFix lure that convinces users to paste malicious commands into Terminal. Its payload is written in Python but compiled with Nuitka, producing a native Mach-O binary that is significantly harder to analyze or detect. Once executed, it collects browser credentials, Keychain entries, crypto-wallet data, developer secrets, and screenshots, exfiltrating them via HTTP POST and notifying operators through Telegram. This marks one of the first documented macOS campaigns combining ClickFix with a Nuitka-compiled stealer, signaling a growing sophistication in macOS-focused threats.
RoadK1ll
A stealthy WebSocket implant that enables quiet lateral movement inside compromised networks.
RoadK1ll is a lightweight Node.js-based WebSocket implant designed for stealthy lateral movement rather than broad remote-access functionality. It establishes an outbound WebSocket tunnel to attacker infrastructure, allowing operators to open internal TCP connections and pivot deeper into a compromised network while blending into normal web traffic. The implant supports multiplexed channels, automatic reconnection, and a minimal command set -- making it both quiet and effective for post-exploitation operations. Its ability to turn a single compromised host into a persistent relay point poses a high risk for enterprise environments with segmented internal networks.
Top News
- Cisco source code stolen in Trivy-linked dev environment breach
- Europe sanctions Chinese and Iranian firms for cyberattacks, FCC bans new routers made outside the USA over security risks
- European Commission investigating breach after Amazon cloud account hack
- GlassWorm malware hits 400+ code repos on GitHub, npm, VSCode, OpenVSX
- Hacker charged with stealing $53 million from Uranium crypto exchange
- Stryker attack wiped tens of thousands of devices, no malware needed
- Tycoon2FA phishing platform returns after recent police disruption
- Yanluowang ransomware access broker gets 81 months in prison, Russia arrests suspected owner of LeakBase cybercrime forum
Contributors
Written by Jeremy Nichols, former Director of the Global Threat Intelligence Center
Executive Summaries and Adversary Bios by Geoff Rehmet, Cybersecurity Architect
Produced and distributed by Phish Tank Digital