← All threat briefs
Threat Brief

Weekly Situation Report — 3/16/26

Executive summary

This week’s developments for partners and clients: breaches, vulnerabilities, research findings, threat actor activity, and mitigation guidance.

Key takeaways

  • Storm-2561 distributes trojanized software via SEO poisoning to deceive victims into downloading malware
  • A newly demonstrated “Zombie ZIP” technique is expected to be adopted by threat actors for evasion and detection bypass
  • The “BlackSanta” campaign uses an EDR-killer tool targeting HR departments to disable endpoint protections
  • Recently patched Ivanti Endpoint vulnerabilities are actively exploited in real-world attacks
  • Iranian-linked threat actors compromised medical technology company Stryker in a targeted intrusion campaign
  • Zero-click exploitation of n8n instances through publicly exposed web forms

1. Storm-2561 Distributing Trojanized Software with SEO Poisoning

Summary

A cybercrime group tracked as Storm-2561 spreads trojanized VPN installers via SEO-poisoned search results and GitHub downloads to steal enterprise VPN credentials.

Category

Threat Actor Activities

Industry

Multiple

Analyst comments

Storm-2561 conducts credential-theft operations distributing fake VPN clients through SEO-poisoned search results. When users search for legitimate enterprise VPN software, they are redirected to spoofed websites and malicious GitHub repositories hosting trojanized installers. The malicious installers deploy signed malware that side-loads DLL files, secretly collecting and exfiltrating VPN credentials and connection data while appearing functional. The group, financially motivated and active since May 2025, is known for impersonating legitimate vendors and abusing search engine optimization.

Verification attempts suggest the campaign may no longer be active, though similar activity is likely to reappear.

Actionable guidance

  • Verify domains and URLs when downloading software
  • Restrict installation of unapproved applications
  • Treat GitHub repositories as suspicious sources for vendor software downloads
  • Review logs if compromise is suspected
  • Identify binaries signed with certificate “Taiyuan Lihua Near Information Technology Co., Ltd.”
  • Examine Run and RunOnce registry keys during forensic analysis
  • Monitor or block unauthorized registry changes

2. ‘Zombie ZIP’ Technique Developed by Researcher Will Likely be Adopted by Threat Groups

Summary

The “Zombie ZIP” technique manipulates ZIP headers to deceive security tools into scanning compressed data as uncompressed, allowing malicious payloads to bypass detection by most antivirus engines.

Category

Critical Vulnerabilities

Industry

Multiple

Analyst comments

The “Zombie ZIP” technique alters ZIP headers so security tools scan content as uncompressed while standard utilities fail to extract it, keeping malicious payloads hidden. This method bypasses most antivirus engines by exploiting trust in ZIP method fields and uses CRC values tied to uncompressed payloads. A public proof of concept exists, and CERT has issued guidance recommending validation of compression fields against actual data.

This technique is likely used in social engineering campaigns where phishing emails pose as IT support, prompting users to download ZIP files. When extraction fails, attackers provide scripts or binaries to “fix” the issue, executing the payload instead. This aligns with existing techniques like ClickFix and FileFix, which threat actors quickly adopted after disclosure.

The technique requires a secondary loader to execute payloads. That extra step does not significantly increase complexity, and it introduces another viable malware delivery method.

Actionable guidance

  • Verify email senders and avoid trusting attachments from unknown sources
  • Treat archive files that fail to extract or produce errors as suspicious
  • Exercise caution in departments regularly interacting with external parties (marketing, HR)
  • Investigate suspicious requests to run executables to “fix” extraction issues
  • Monitor for similar risks in other archive formats such as RAR

3. ‘BlackSanta’ EDR Killer Campaign Targets HR Departments

Summary

A Russian-speaking threat actor targets HR departments with sophisticated malware campaigns using social engineering and advanced evasion techniques, including a new EDR killer named BlackSanta.

Category

Threat Actor Activities

Industry

Multiple (specific targeting of Human Resources and employment services)

Analyst comments

For over a year, a Russian-speaking cyber actor targeted HR departments using the BlackSanta campaign, employing social engineering and advanced evasion to steal sensitive information. The attack chain likely begins with spear-phishing emails directing targets to download ISO image files posed as resumes from cloud storage services. These contain a Windows shortcut disguised as a PDF that launches PowerShell scripts via steganography and executes code in system memory.

The malware performs extensive environment checks, including VM detection, hardware specifications, and language settings. It modifies Windows Defender settings and uses process hollowing to execute payloads. BlackSanta, an EDR killer module, suppresses security alerts and terminates security processes at the kernel level using BYOD components like RogueKiller and IObitUnlocker.sys.

Actionable guidance

  • Treat non-standard archive types (such as .iso) as suspicious attachments
  • Flag .lnk files used instead of expected types (.pdf, .docx)
  • Threat hunt for uncommon file types like .iso or .lnk with additional extensions (badfile.pdf.lnk)
  • Restrict PowerShell for non-IT staff
  • Log PowerShell activity to centralized SIEM
  • Monitor for AV/EDR control reboots or disablement combined with PowerShell activity
  • Watch for registry modifications adding .sys and .dls exclusions, particularly:
    • HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet
    • Values: SpynetReporting and SubmitSamplesConsent
  • Block domains used by malware
  • Monitor for resume builder themed domains

4. Newly Addressed Ivanti Endpoint Vulnerabilities Exploited in the Wild

Summary

CISA expands its Known Exploited Vulnerability (KEV) catalog with an Ivanti Endpoint Manager vulnerability exploited in the wild.

Category

Known Exploited Vulnerabilities

Industry

Technology

Analyst comments

The US cybersecurity agency CISA added CVE-2026-1603 to its Known Exploited Vulnerabilities catalog, urging federal agencies to patch within an accelerated two-week window. The high-severity authentication bypass vulnerability impacts Ivanti Endpoint Manager versions before 2024 SU5.

Actionable guidance

  • Apply Ivanti patches immediately for versions earlier than 2024 SU5
  • Flag unknown or unusual source IP addresses, particularly when accessing sensitive files
  • Investigate suspicious activity from administrator accounts to determine breach occurrence
  • Treat web requests with ‘logintype’ set to ‘64’ as strong indicators of malicious activity

5. Iranian-Linked Threat Actors Compromise Medical Technology Company Stryker

Summary

The hacktivist group Handala, linked to Iranian intelligence, claimed responsibility for a data-wiping attack on medical technology company Stryker, affecting over 200,000 systems globally and forcing shutdowns in 79 countries.

Category

Confirmed Breach

Industry

Healthcare, Technology, Government and Public Administration

Analyst comments

Handala, a hacktivist group linked to Iran’s Ministry of Intelligence and Security, claimed responsibility for a data-wiping attack on Stryker, a global medical technology company. The attack affected over 200,000 systems and forced temporary worldwide office shutdowns, including the largest hub in Ireland and disruptions at US headquarters. The attack was attributed as retaliation for a missile strike in Iran, demonstrating how geopolitical tensions drive cyber activity.

An SEC filing confirmed no ransomware was identified. Social media reports suggest Microsoft Intune was used to wipe devices, indicating use of living-off-the-land techniques. Handala is associated with Iranian MOIS and linked to threat group Void Manticore.

Actionable guidance

  • Enforce two-factor authentication across all network and cloud environments
  • Inventory, monitor, and secure service accounts with strong passwords
  • Enable alerts for service account login activity
  • Configure alerts for installation of unapproved software, especially encryption tools (VeraCrypt) and tunneling tools (Netbird)
  • Restrict PowerShell and cmd for non-IT users
  • Minimize access across users and roles to enforce least privilege
  • Treat connections to Iranian IP addresses as suspicious and block where possible
  • Organizations with ties to Israel or supporting US/Israeli military operations should maintain heightened alert status

6. 0-Click n8n Exploitation Through Public Forms

Summary

Two critical vulnerabilities (CVE-2026-27493 and CVE-2026-27577) in n8n allowed unauthenticated remote code execution and sandbox escape, potentially exposing all credentials stored in the database.

Category

Critical Vulnerabilities

Industry

Multiple

Analyst comments

Two critical vulnerabilities were discovered in n8n, allowing unauthenticated remote code execution and sandbox escape with potential exposure of all database credentials. CVE-2026-27493 is a second-order expression injection issue in Form nodes where attackers could inject arbitrary commands into a Name field through two expression evaluation passes. Both vulnerabilities were patched in late February across versions 2.10.1, 2.9.3, and 1.123.22, with patches removing one expression pass and hardening sandbox protections.

Combined impact could lead to extensive cross-tenant risk in cloud deployments, allowing attackers to access shared infrastructure through a single form submission. Vulnerability primarily affects organizations using n8n for multipart contact forms or public forms. Marketing and recruitment departments face higher risk due to frequent use of public forms or surveys relying on n8n for backend automation.

Compromise indicators include user input through public forms containing template expressions or JavaScript within brackets.

Actionable guidance

  • Update self-hosted n8n instances to versions 2.10.1, 2.9.3, and 1.123.22
  • Maintain proper security hygiene regardless of public form usage
  • N8n cloud service users already have fixes in place
  • Rotate keys if compromise is suspected, especially the N8N_ENCRYPTION_KEY which decrypts platform credentials
More briefs
Weekly Situation Report — 6/15/26Jun 18, 2026Weekly Situation Report — 6/8/26Jun 11, 2026Weekly Situation Report — 6/1/26Jun 4, 2026
Talk to an expert