Friday Wrap Up: 20 March 2026
It’s Friday, which means the threat actors didn’t take the week off — and neither did we. 🛡️
This week’s Friday Wrap Up covers ransomware gangs weaponizing zero-days, nation-state actors wiping devices at scale, supply-chain attacks hitting developer toolchains, AI platforms becoming the new attack surface, and a botnet that clearly skipped leg day because it never stops running. Whether you’re patching, detecting, or just trying to make it to 5pm, there’s something in this week’s roundup that probably affects your org.
Click the links below and maybe patch something this weekend.
#FWU #fridaywrapup #CyberSecurity #InfoSec #RansomwareWatch #SupplyChainSecurity #ThreatIntelligence #Malware #DataBreach #Ransomwar
Major Cyberattacks & Incidents
From ransomware zero-days to a wipe-and-run attack on a medical tech giant, this week’s incident log is a reminder that no sector is off-limits.
💼 A 27-year-old data analyst contractor, Cameron “Loot” Curry, was convicted of six extortion charges after stealing and ransoming data from a D.C.-based international tech firm, netting $2.5 million while working from the inside. (Published on March 20, 2026, CyberScoop). Read More
🏛️ The FBI seized two Handala hacktivist websites following a destructive cyberattack on medical tech giant Stryker that remotely wiped approximately 80,000 employee devices across the company. (Published on March 19, 2026, BleepingComputer). Read More
🔥 The Interlock ransomware gang has been actively exploiting a maximum-severity RCE vulnerability in Cisco’s Secure Firewall Management Center as a zero-day since late January 2026. (Published on March 18, 2026, BleepingComputer). Read More
🛍️ Attackers hijacked Nordstrom’s legitimate email infrastructure to blast customers with cryptocurrency scams disguised as a St. Patrick’s Day promotion, leveraging the retailer’s brand trust to boost credibility. (Published on March 18, 2026, BleepingComputer). Read More
🔗 The LeakNet ransomware gang adopted ClickFix social engineering via compromised websites for initial access, then deployed an in-memory loader built on the open-source Deno JavaScript runtime to evade detection. (Published on March 17, 2026, The Hacker News). Read More
🔗 BleepingComputer confirms LeakNet’s shift to ClickFix for initial access and Deno-based in-memory loaders for stealthy corporate network compromise, with the group continuing to ramp up its attack velocity. (Published on March 17, 2026, BleepingComputer). Read More
🎮 The FBI is investigating several Steam games found to contain malware that stole browser data and drained cryptocurrency wallets from players between May 2024 and January 2026, warning gamers to stay vigilant. (Published on March 16, 2026, Hackread). Read More
🏥 The Handala cyberattack on Stryker was confined to its internal Microsoft environment, remotely wiping tens of thousands of employee devices using native admin tools — no custom malware required. (Published on March 16, 2026, BleepingComputer). Read More
Espionage & Data Extraction
Nation-state actors were in full swing this week, with North Korean, Iranian, and Russian-linked groups all making headlines for bold and sophisticated operations.
🇰🇵 Crypto gift card service Bitrefill attributed a recent breach to North Korea’s Bluenoroff sub-group of the Lazarus threat actor, continuing the pattern of DPRK-linked attacks targeting cryptocurrency-adjacent businesses. (Published on March 19, 2026, BleepingComputer). Read More
🌐 Security analysis reveals Iran spent six months building resilient cyber infrastructure — including US-based shell companies — designed to sustain global hacking operations and survive potential kinetic military strikes. (Published on March 19, 2026, SecurityWeek). Read More
🔑 The Iranian Handala hackers likely used infostealer-stolen credentials to breach Stryker’s Microsoft environment, while the medtech company continues the recovery effort to restore tens of thousands of wiped devices. (Published on March 18, 2026, SecurityWeek). Read More
🇷🇺 A collaborative investigation by iVerify, Lookout, and Google uncovered a second iOS exploit kit linked to suspected Russian hackers, raising concerns about the accelerating proliferation of nation-state mobile surveillance tooling. (Published on March 18, 2026, CyberScoop). Read More
Malware & Vulnerabilities
Exploit kits, banking trojans, supply-chain backdoors, and hardware flaws kept researchers busy this week — the vulnerability landscape just keeps expanding.
🎣 Sublime Security uncovered a JavaScript-based scam mimicking realistic, interactive Zoom meeting invites to trick Windows users into downloading malware — convincing enough to fool even security-aware users. (Published on March 20, 2026, Hackread). Read More
🔓 Sansec warns of a critical Magento REST API flaw dubbed PolyShell, allowing unauthenticated attackers to upload arbitrary executables, execute code remotely, and take over accounts with no credentials required. (Published on March 20, 2026, The Hacker News). Read More
⚡ Threat actors exploited a critical Langflow AI workflow vulnerability within 20 hours of its public disclosure, with Sysdig documenting the rapid timeline, which underscores just how small the patching window has become. (Published on March 20, 2026, Infosecurity). Read More
📱 Researchers uncovered Perseus, a new Android banking malware descended from Cerberus and Phoenix, capable of device takeover and financial fraud by monitoring notes apps to silently harvest sensitive credentials. (Published on March 19, 2026, The Hacker News). Read More
🧩 Bitdefender researchers discovered a malicious Windsurf IDE extension that uses the Solana blockchain as command-and-control infrastructure to exfiltrate developer credentials in a novel and stealthy supply-chain attack. (Published on March 19, 2026, Hackread). Read More
🗡️ Google GTIG, iVerify, and Lookout revealed DarkSword, an iOS exploit kit wielding six vulnerabilities including three zero-days, enabling full device takeover and data theft since at least November 2025. (Published on March 19, 2026, The Hacker News). Read More
⬛ Howler Cell researchers identified a new .NET Ahead-of-Time compiled malware campaign using an obfuscated scoring system to conceal payloads as a black box, rendering traditional signature-based detection ineffective. (Published on March 18, 2026, Hackread). Read More
🖥️ Eclypsium discovered nine critical vulnerabilities across four IP KVM vendors allowing unauthenticated root access to connected hosts, exposing significant risks posed by low-cost remote management devices in data centers. (Published on March 18, 2026, The Hacker News). Read More
📸 A researcher found a fourth method to bypass WhatsApp’s View Once privacy feature, allowing recipients to save supposedly ephemeral media. Meta declined to patch it, citing use of a modified client application. (Published on March 18, 2026, SecurityWeek). Read More
🍎 Apple patched CVE-2026-20643, a WebKit cross-origin flaw in the Navigation API affecting iOS, iPadOS, and macOS, via its first-ever Background Security Improvements update cycle. (Published on March 18, 2026, The Hacker News). Read More
🪱 The GlassWorm supply-chain campaign returned with a coordinated attack targeting over 400 packages and repositories across GitHub, npm, and VSCode/OpenVSX extensions, poisoning developer toolchains at scale. (Published on March 17, 2026, BleepingComputer). Read More
🪱 Socket researchers identified 72+ malicious Open VSX extensions in a new GlassWorm supply-chain phase, exploiting extension dependency relationships to indirectly deliver malware without direct registry manipulation. (Published on March 16, 2026, CSO Online). Read More
🐀 New XWorm 7.1 and Remcos RAT campaigns exploit a WinRAR vulnerability and use process hollowing through trusted Windows tools to spy on victims while evading traditional endpoint detection solutions. (Published on March 16, 2026, Hackread). Read More
Cybersecurity Tools & Techniques
From infostealer delivery via fake enterprise software portals to OS-level API lockdowns, attackers and defenders alike are sharpening their tools this week.
🎭 Microsoft Defender Experts tracked Storm-2561 using convincing fake Fortinet and Ivanti VPN download pages to trick IT professionals into installing the Hyrax infostealer, active since mid-January 2026. (Published on March 17, 2026, Hackread). Read More
🎣 A security firm executive was targeted by a sophisticated phishing campaign using DKIM-signed emails, trusted redirect infrastructure, compromised servers, and Cloudflare-protected pages — a reminder that even experts aren’t immune. (Published on March 16, 2026, SecurityWeek). Read More
🛡️ Google’s Android 17 Beta 2 introduces Advanced Protection Mode restrictions blocking non-accessibility apps from the Accessibility Services API, cutting off a common malware overlay and privilege-escalation attack vector. (Published on March 16, 2026, The Hacker News). Read More
DDoS, Outages & Infrastructure
One botnet dominated this week’s infrastructure news — and it’s been very, very busy.
🤖 The RondoDox botnet has escalated to 15,000 exploitation attempts per day, systematically targeting 174 different vulnerabilities in a more focused and aggressive campaign than previously observed by researchers. (Published on March 17, 2026, SecurityWeek). Read More
AI & Policy
AI is generating headlines well beyond productivity gains — from courtroom battles to security flaws embedded in AI platforms, the policy and threat landscape is evolving fast.
🎵 North Carolina musician Michael Smith pleaded guilty to a $10 million streaming royalty fraud scheme, using AI bots to artificially inflate play counts on Spotify, Apple Music, Amazon Music, and YouTube Music. (Published on March 20, 2026, BleepingComputer). Read More
🤖 Researchers uncovered “Claudy Day” vulnerabilities in Claude AI that allow attackers to steal user data via fake Google Ads and hidden prompt injection, exploiting the AI platform’s ad-rendering infrastructure. (Published on March 18, 2026, Hackread). Read More
⚖️ The Ninth Circuit Court of Appeals temporarily stayed a California judge’s injunction against Perplexity AI’s shopping agent on Amazon, allowing the service to continue as the legal battle over automated account activity proceeds. (Published on March 17, 2026, CyberScoop). Read More
🔒 At Nvidia GTC, CEO Jensen Huang unveiled NemoClaw, a security framework designed to run OpenClaw agentic AI systems safely in enterprise environments, addressing persistent concerns about the platform’s security posture. (Published on March 17, 2026, CSO Online). Read More
💉 BeyondTrust revealed a DNS-based data exfiltration technique exploiting flaws in Amazon Bedrock AgentCore, LangSmith, and SGLang AI environments, enabling both sensitive data theft and remote code execution. (Published on March 17, 2026, The Hacker News). Read More
🔐 GitGuardian’s annual report reveals an 81% surge in AI service credential leaks, with 29 million secrets exposed on public GitHub repositories, driven largely by rapid developer adoption of AI-powered coding tools. (Published on March 17, 2026, Hackread). Read More
⏱️ A Booz Allen Hamilton report warns that AI tools have matured enough to give attackers a significant speed advantage over defenders, shortening response windows and pushing cybersecurity into a dangerous new phase. (Published on March 16, 2026, CyberScoop). Read More
Stay informed and secure in the tech and cybersecurity world. Have a great weekend, and remember to patch and protect your systems!