EXECUTIVE SUMMARY
This article is to inform our partners and clients on the various happenings within the cybersecurity space. That includes items such as relevant breaches, emerging vulnerabilities, research, threat actor movement, and what you need to do as an organization to mitigate a future threat.
KEY TAKEAWAYS
SUMMARY
A cybercrime group tracked as Storm-2561 is spreading trojanized VPN installers via SEO-poisoned search results and GitHub downloads to steal enterprise VPN credentials.
Category
Threat Actor Activities
Industry
Multiple
Sources
https://thehackernews.com/2026/03/storm-2561-spreads-trojan-vpn-clients.html
https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
ANALYST COMMENTS
A cybercrime group tracked by researchers as Storm-2561 is conducting a credential-theft campaign that distributes fake VPN clients through SEO-poisoned search results. When users search online for legitimate enterprise VPN software, they are redirected to spoofed websites and malicious GitHub repositories that host trojanized installers disguised as trusted VPN applications. The malicious installers deploy signed malware that side-loads DLL files and secretly collects and exfiltrates VPN credentials and connection data while appearing to function like normal VPN software. Storm-2561 is a financially motivated threat actor that has been active since May 2025; it is known for impersonating legitimate vendors and abusing search engine optimization techniques to push malicious downloads to the top of search results.
We attempted to verify if the activity is still ongoing based on vendor reporting by searching for popular VPNs such as Fortinet and SonicWall. However, no suspicious results appeared at the top of the search results during our research. Pivoting off of the signed certificate information of “Taiyuan Lihua Near Information Technology Co., Ltd.” looking for additional or recent samples also failed to provide additional information.
ACTIONABLE GUIDANCE
The campaign is likely no longer active, but similar activity is likely to reappear. Users should verify the domains and URLs used when downloading software, and organizations should restrict installation of unapproved applications. This campaign redirected users to GitHub to download what appeared to be VPN software, which is suspicious since legitimate VPN vendors typically host installers on their own infrastructure rather than public repositories.
If compromise is suspected, review logs to determine impact. The malware may be signed and could evade detection, but it can be identified by binaries signed with the certificate “Taiyuan Lihua Near Information Technology Co., Ltd.”. It establishes persistence through Run and RunOnce registry keys, so these should be examined during forensic analysis. Monitoring or blocking unauthorized registry changes is also recommended.
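The Run/RunOnce review described above can be scripted. The following is an added illustration, not tooling from the report or from any vendor: it reads the four Run/RunOnce keys live when `winreg` is available (Windows only) or takes exported entries as (key, name, command) tuples, extracts the file that actually runs (including the DLL argument of rundll32), and flags images in user-writable paths or signed by the certificate subject named above. The `signer_of` hook, the sample entries and the sample signer map are constructed for the example; Python has no stdlib Authenticode reader, so feed that hook from signtool or Get-AuthenticodeSignature output.

```python
"""Autostart triage for Run/RunOnce entries (added illustration, not from the report)."""
import re

# Certificate subject the report names as the signer of the trojanized installers.
SUSPECT_SIGNER = "Taiyuan Lihua Near Information Technology Co., Ltd."

# Directory fragments a user-level dropper can write to without admin rights.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                       "\\programdata\\", "\\users\\public\\")

RUN_KEYS = (
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
)


def collect_run_entries():
    """Read the four Run/RunOnce keys live. Windows only; returns [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    entries = []
    for hive, path in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], path) as key:
                index = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break
                    entries.append((hive + "\\" + path, name, str(value)))
                    index += 1
        except OSError:
            continue
    return entries


def image_path(command):
    """Return the file that actually runs for a Run value's command line.

    Handles a quoted path or a plain first token; for rundll32 returns the DLL
    argument, which is where side-loaded code shows up. An unquoted path that
    contains spaces is cut at the first space (known limitation of this parser).
    """
    cmd = command.strip()
    head = re.match(r'"([^"]+)"|(\S+)', cmd)
    if not head:
        return ""
    exe = head.group(1) or head.group(2)
    rest = cmd[head.end():].strip()
    basename = exe.lower().replace("\\", "/").rsplit("/", 1)[-1]
    if basename == "rundll32.exe" and rest:
        dll = re.match(r'"([^"]+)"|([^,\s]+)', rest)
        if dll:
            exe = dll.group(1) or dll.group(2)
    return exe


def triage(entries, signer_of=lambda path: None):
    """Flag entries worth a closer look. signer_of maps a path to its Authenticode
    subject (hypothetical hook: supply it from signtool or PowerShell output)."""
    findings = []
    for key, name, command in entries:
        path = image_path(command)
        low = path.lower()
        reasons = []
        if any(hint in low for hint in USER_WRITABLE_HINTS):
            reasons.append("image in user-writable location")
        if low.endswith(".dll"):
            reasons.append("DLL executed via rundll32")
        if signer_of(path) == SUSPECT_SIGNER:
            reasons.append("signed by certificate subject named in the report")
        if reasons:
            findings.append({"key": key, "name": name, "image": path, "reasons": reasons})
    return findings


# Constructed sample entries and signer map (not real indicators).
SAMPLE_ENTRIES = [
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "VendorTray",
     '"C:\\Program Files\\ExampleVendor\\tray.exe" /background'),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "VpnClientUpdate",
     '"C:\\Users\\alice\\AppData\\Roaming\\VpnClient\\vpnclient.exe" --silent'),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "Helper",
     'rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\netutil.dll,Start'),
]
SAMPLE_SIGNERS = {
    "C:\\Users\\alice\\AppData\\Roaming\\VpnClient\\vpnclient.exe": SUSPECT_SIGNER,
}

if __name__ == "__main__":
    live = collect_run_entries() or SAMPLE_ENTRIES
    for f in triage(live, SAMPLE_SIGNERS.get):
        print(f["key"], f["name"], f["image"], "; ".join(f["reasons"]))
```

A hit on the signer alone is the strongest signal here; the path heuristics are noisy on developer workstations, so treat them as prioritisation rather than verdicts.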
SUMMARY
The "Zombie ZIP" technique manipulates ZIP headers to deceive security tools into scanning compressed data as uncompressed. This allows malicious payloads to bypass detection by most antivirus engines, though it causes errors in standard extraction utilities.
Category
Critical Vulnerabilities
Industry
Multiple
Sources
https://github.com/bombadil-systems/zombie-zip
https://mrd0x.com/filefix-clickfix-alternative/
https://isc.sans.edu/diary/Analyzing+Zombie+Zip+Files+CVE20260866/32786
ANALYST COMMENTS
The “Zombie ZIP” technique alters ZIP headers so security tools scan content as uncompressed while standard utilities fail to extract it, allowing malicious payloads to remain hidden. This method bypasses most antivirus engines by exploiting trust in ZIP method fields and uses CRC values tied to the uncompressed payload. It has a public proof of concept, and CERT has issued guidance recommending validation of compression fields against actual data. Users should treat archive files that fail to extract as suspicious and avoid using them.
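The validation CERT recommends, checking the declared compression method against the bytes it describes, can be done with a short parser. The code below is an added example and is not the public proof of concept or any vendor tooling; its reading of the technique (method field rewritten to "stored" while the data remains deflate, CRC matching the inflated payload) follows the description above and is an assumption. It walks the central directory, cross-checks each local header, and classifies every entry; `build_sample` constructs a normal archive and a manipulated twin purely as a test fixture so the validator and the stdlib extractor can be compared.

```python
"""Validate ZIP method fields against the actual data (added example, not from the advisories)."""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
STORED, DEFLATED = 0, 8


def central_entries(data):
    """Walk the central directory: method, CRC, sizes, name and local header offset per entry."""
    entries = []
    pos = data.find(CENTRAL_SIG)
    while pos != -1 and data[pos:pos + 4] == CENTRAL_SIG:
        method, crc, csize, usize, nlen, elen, clen, local_off = struct.unpack_from(
            "<H4xIIIHHH8xI", data, pos + 10)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        entries.append(dict(name=name, method=method, crc=crc, csize=csize,
                            usize=usize, local_off=local_off))
        pos += 46 + nlen + elen + clen
    return entries


def classify(raw, method, crc, usize):
    """Decide whether the declared method matches the bytes it describes."""
    if method == STORED:
        if zlib.crc32(raw) == crc and len(raw) == usize:
            return "ok"
        try:
            inflated = zlib.decompress(raw, -15)   # raw deflate stream, as ZIP stores it
        except zlib.error:
            return "corrupt: stored entry fails CRC and is not deflate data"
        if zlib.crc32(inflated) == crc:
            return "zombie: method says stored, bytes are deflate, CRC matches the inflated payload"
        return "corrupt: stored entry fails CRC"
    if method == DEFLATED:
        try:
            inflated = zlib.decompress(raw, -15)
        except zlib.error:
            return "corrupt: deflate entry does not inflate"
        if zlib.crc32(inflated) != crc or len(inflated) != usize:
            return "corrupt: deflate entry fails CRC or size check"
        return "ok"
    return "unsupported method %d" % method


def inspect_zip(data):
    """Return one verdict per entry, cross-checking local header against central directory."""
    findings = []
    for e in central_entries(data):
        off = e["local_off"]
        if data[off:off + 4] != LOCAL_SIG:
            findings.append(dict(name=e["name"], method=e["method"],
                                 verdict="corrupt: bad local header offset"))
            continue
        local_method, = struct.unpack_from("<H", data, off + 8)
        nlen, elen = struct.unpack_from("<HH", data, off + 26)
        start = off + 30 + nlen + elen
        raw = data[start:start + e["csize"]]
        verdict = classify(raw, e["method"], e["crc"], e["usize"])
        if local_method != e["method"]:
            verdict = "suspicious: local header method differs from central directory"
        findings.append(dict(name=e["name"], method=e["method"], verdict=verdict))
    return findings


def standard_extract_fails(data):
    """True when the stdlib extractor rejects the archive (the symptom users see)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                zf.read(info.filename)
        return False
    except zipfile.BadZipFile:
        return True


def build_sample(zombie):
    """Constructed fixture: a normal deflated archive, optionally with the method field
    rewritten to 'stored' in both headers, matching the description of the trick."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "benign sample text, repeated to compress. " * 40)
    data = bytearray(buf.getvalue())
    if zombie:
        struct.pack_into("<H", data, data.find(LOCAL_SIG) + 8, STORED)
        struct.pack_into("<H", data, data.find(CENTRAL_SIG) + 10, STORED)
    return bytes(data)


if __name__ == "__main__":
    for flag in (False, True):
        sample = build_sample(flag)
        print("zombie" if flag else "normal", inspect_zip(sample),
              "extract fails:", standard_extract_fails(sample))
```

The point of the comparison is that the stdlib extractor only reports a CRC failure, which users read as a corrupt download, whereas the validator names the cause. A mail gateway or sandbox can run the same check and quarantine on any verdict other than "ok" instead of passing the raw bytes to a scanner that trusts the method field.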
This technique is likely to be used in social engineering campaigns. A common scenario would involve a phishing email posing as IT, prompting a user to download a ZIP file. When extraction fails, the attacker provides a script or binary to fix the issue, which instead executes the payload and initiates infection. This aligns with existing techniques such as ClickFix and FileFix, which were quickly adopted by threat actors after disclosure.
Some researchers note this is not a standalone vulnerability and requires a secondary loader to execute the payload. While this adds a step, it does not significantly increase complexity and instead introduces another viable method for malware delivery, making near-term abuse likely.
ACTIONABLE GUIDANCE
Phishing and social engineering are the most likely delivery methods. Organizations should verify email senders and avoid trusting attachments from unknown sources. Archive files that fail to extract or produce errors should be treated as suspicious. This risk is not limited to ZIP files and may extend to formats such as RAR. Teams that regularly interact with external parties, such as marketing and HR, are at higher risk.
Exploitation requires a loader to execute the payload, and campaigns may attempt to convince users to run a provided executable to fix the issue. This behavior should be considered suspicious and should trigger a security investigation.
SUMMARY
A Russian-speaking threat actor is targeting HR departments with sophisticated malware campaigns. The activity uses social engineering and advanced evasion techniques, including a new EDR killer named BlackSanta. The campaign delivers malicious payloads via spear-phishing emails and manipulates system processes at the kernel level to steal sensitive information.
Category
Threat Actor Activities
Industry
Multiple (with specific department targeting of Human Resources (HR) and employment services)
Sources
https://www.aryaka.com/docs/reports/blacksanta-edr-killer-threat-report.pdf
https://help.dropbox.com/view-edit/file-types-that-preview
Internal OSec Collection
ANALYST COMMENTS
For over a year, a Russian-speaking cyber actor targeted HR departments using a sophisticated malware campaign called BlackSanta, which employs social engineering and advanced evasion techniques to steal sensitive information. The attack chain likely begins with spear-phishing emails directing targets to download ISO image files posing as resumes from cloud storage services. These contain a Windows shortcut disguised as a PDF that launches PowerShell scripts via steganography and executes code in system memory. This malware performs extensive environment checks, such as checking for a VM environment, host hardware specifications, and the currently set language. It also modifies Windows Defender settings and uses process hollowing to execute additional payloads. Then it deploys BlackSanta, an EDR killer module that suppresses security alerts and terminates numerous security processes at the kernel level using BYOVD components like RogueKiller and IObitUnlocker.sys.
ACTIONABLE GUIDANCE
Departments such as HR are prime targets for phishing campaigns, as it is not unexpected for them to receive communications from unvetted persons, especially when vetting candidates for employment. Given the techniques observed with this threat actor, non-standard archive types such as .iso used for attachments or file sharing should be regarded as suspicious. This includes files such as .lnk used in place of common expected file types such as .pdf and .docx. Threat hunting for uncommon file types such as .iso or .lnk, including files that carry an additional extension such as badfile.pdf.lnk or badfile.pdf.hta, can identify potentially malicious behavior, and such files should be regarded as suspicious. This campaign also makes use of PowerShell during .lnk execution, so PowerShell should be restricted for non-IT staff. Logging PowerShell activity to a centralized SIEM may also help identify early signs of compromise. Compromise may be suspected if AV/EDR controls reboot or are disabled, combined with PowerShell activity that adds .sys and .dll exclusions and privileged registry modifications to the following key to reduce security telemetry:
HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet
with the values SpynetReporting and SubmitSamplesConsent set.
The above guidance should be applied in addition to blocking domains used by the malware and monitoring for resume-builder-themed domains within the organization’s network.
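The hunting and detection points in the guidance above (double-extension decoys, .iso/.lnk/.hta attachments, PowerShell that adds .sys/.dll Defender exclusions, changes to the SpyNet key) can be expressed as a small rule set over script-block logs and attachment names. This is an added example and not a detection artefact from the report; the PowerShell Event ID 4104 style log lines, file names and the registry value used in them are constructed for the illustration.

```python
"""Screen PowerShell script-block logs and attachment names for the traits described above
(added example; all sample data is constructed)."""
import os
import re

# Each rule corresponds to one behaviour named in the guidance.
SCRIPT_BLOCK_RULES = (
    ("defender-exclusion-sys-or-dll",
     re.compile(r"Add-MpPreference\b.*-ExclusionExtension\b[^;]*\.(?:sys|dll)\b", re.I)),
    ("defender-setting-disabled",
     re.compile(r"Set-MpPreference\b.*-Disable\w+", re.I)),
    ("spynet-telemetry-reduced",
     re.compile(r"Windows Defender\\SpyNet\b.*\b(?:SpynetReporting|SubmitSamplesConsent)\b", re.I)),
)

DECOY_EXTENSIONS = {".pdf", ".docx", ".doc", ".xlsx"}   # what the file pretends to be
UNCOMMON_EXTENSIONS = {".iso", ".lnk", ".hta"}          # types the guidance calls out


def script_block_tags(text):
    """Return the names of the rules that match one script-block text."""
    return [name for name, rx in SCRIPT_BLOCK_RULES if rx.search(text)]


def scan_script_blocks(lines):
    """Run the rules over 'ScriptBlockText: ...' log lines; returns (line_no, tags) for hits."""
    hits = []
    for no, line in enumerate(lines, 1):
        _, _, text = line.partition("ScriptBlockText:")
        tags = script_block_tags(text) if text else []
        if tags:
            hits.append((no, tags))
    return hits


def suspicious_attachment(filename):
    """Flag uncommon container/shortcut types and decoy double extensions like report.pdf.lnk."""
    base, last = os.path.splitext(filename.lower())
    _, inner = os.path.splitext(base)
    reasons = []
    if last in UNCOMMON_EXTENSIONS:
        reasons.append("uncommon type " + last)
    if inner in DECOY_EXTENSIONS and last not in DECOY_EXTENSIONS:
        reasons.append("double extension hides " + last + " behind " + inner)
    return reasons


# Constructed Event ID 4104 style lines (not from any real host).
SAMPLE_LOG = [
    "4104 ScriptBlockText: Get-ChildItem C:\\Users\\hr\\Documents\\resumes",
    "4104 ScriptBlockText: Add-MpPreference -ExclusionExtension .sys; "
    "Add-MpPreference -ExclusionExtension .dll",
    "4104 ScriptBlockText: Set-MpPreference -DisableRealtimeMonitoring $true",
    "4104 ScriptBlockText: Set-ItemProperty -Path "
    "'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet' "
    "-Name SpynetReporting -Value 0",
]
SAMPLE_ATTACHMENTS = ["resume.pdf", "resume.pdf.lnk", "candidate_cv.iso", "cover-letter.docx"]

if __name__ == "__main__":
    for no, tags in scan_script_blocks(SAMPLE_LOG):
        print("line", no, "->", ", ".join(tags))
    for name in SAMPLE_ATTACHMENTS:
        reasons = suspicious_attachment(name)
        if reasons:
            print(name, "->", "; ".join(reasons))
```

Script-block logging has to be enabled for the first part to see anything; the attachment check is cheap enough to run at the mail gateway and on file-share audit logs.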
SUMMARY
CISA expands its Known Exploited Vulnerabilities (KEV) catalog with an Ivanti Endpoint Manager vulnerability exploited in the wild.
Category
Known Exploited Vulnerabilities
Industry
Technology
Sources
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
https://nvd.nist.gov/vuln/detail/CVE-2026-1603
https://www.securityweek.com/recent-ivanti-endpoint-manager-flaw-exploited-in-attacks/amp/
https://x.com/DefusedCyber/status/2022588751038280178
https://x.com/OstorlabSec/status/2021653139904938346
Internal OSec Collection
ANALYST COMMENTS
The US cybersecurity agency CISA expanded its Known Exploited Vulnerabilities (KEV) catalog by adding CVE-2026-1603 in Ivanti Endpoint Manager, urging federal agencies to patch it within an accelerated two-week window. The Ivanti bug is a high-severity authentication bypass vulnerability that affects versions before 2024 SU5.
ACTIONABLE GUIDANCE
Organizations running versions earlier than 2024 SU5 should apply the Ivanti patches immediately. Monitoring systems should flag unknown or unusual source IP addresses, especially when sensitive files or folders are accessed. Suspicious activity from administrator accounts should be investigated to determine whether a breach occurred. Web requests that use a ‘logintype’ set to ‘64’ are very likely to be an indication of malicious activity.
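The monitoring points above (a ‘logintype’ of ‘64’, unknown source addresses touching sensitive paths, administrator accounts from unexpected places) can be checked against a web access log. The following is an added example and not Ivanti guidance or an official detection: the log format is Apache combined, and the URL paths, IP ranges and log lines are constructed placeholders, not Ivanti Endpoint Manager paths.

```python
"""Triage web access log lines for the indicators named above (added example; the
paths, allowlist and log lines are constructed and not from Ivanti documentation)."""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

# Combined log format: client ip, ident, user, [timestamp], "METHOD url PROTO", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Networks administrators normally come from (constructed allowlist).
KNOWN_ADMIN_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]
# Hypothetical path prefixes treated as sensitive in this sample deployment.
SENSITIVE_PREFIXES = ("/admin/", "/files/")


def parse_line(line):
    """Split one combined-format line into fields plus path and lowercased query keys."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["url"])
    rec["path"] = url.path
    # Keys normalised so LoginType and logintype hit the same rule.
    rec["query"] = {k.lower(): v for k, v in parse_qs(url.query).items()}
    return rec


def triage_line(line):
    """Return the reasons a line deserves attention (empty list means nothing found)."""
    rec = parse_line(line)
    if rec is None:
        return ["unparseable line"]
    reasons = []
    if "64" in rec["query"].get("logintype", []):
        reasons.append("logintype=64 in request")
    try:
        src = ip_address(rec["ip"])
        known = any(src in net for net in KNOWN_ADMIN_NETS)
    except ValueError:
        known = False
    if not known and rec["path"].startswith(SENSITIVE_PREFIXES) and rec["status"] == "200":
        reasons.append("sensitive path served to unknown source " + rec["ip"])
    if not known and rec["user"].lower().startswith("admin"):
        reasons.append("administrator account used from unknown source")
    return reasons


def triage_log(lines):
    """(line_no, reasons) for every line that produced at least one reason."""
    hits = []
    for no, line in enumerate(lines, 1):
        reasons = triage_line(line)
        if reasons:
            hits.append((no, reasons))
    return hits


# Constructed sample lines; addresses are from documentation ranges.
SAMPLE_LOG = [
    '10.1.2.3 - - [11/Mar/2026:09:15:02 +0000] "GET /login.aspx?logintype=1 HTTP/1.1" 200 1024',
    '203.0.113.7 - - [11/Mar/2026:09:16:41 +0000] "POST /login.aspx?logintype=64 HTTP/1.1" 302 0',
    '203.0.113.7 - administrator [11/Mar/2026:09:17:05 +0000] "GET /admin/export.aspx HTTP/1.1" 200 88321',
    '192.168.1.20 - administrator [11/Mar/2026:09:20:00 +0000] "GET /admin/config.aspx HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for no, reasons in triage_log(SAMPLE_LOG):
        print("line", no, "->", "; ".join(reasons))
```

One caveat: an access log only records the query string. If the parameter travels in a POST body, the same rule has to run on WAF or reverse-proxy logs that capture request bodies, or on the application's own logs.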
SUMMARY
A hacktivist group linked to Iranian intelligence, Handala, claimed responsibility for a data-wiping attack on medical technology company Stryker. The attack reportedly affected over 200,000 systems globally and forced shutdowns in 79 countries, with potential impacts on global healthcare supply chains.
Category
Confirmed Breach
Industry
Healthcare, Technology, Government and Public Administration
Sources
https://krebsonsecurity.com/2026/03/iran-backed-hackers-claim-wiper-attack-on-medtech-firm-stryker/
https://www.sec.gov/Archives/edgar/data/310764/000119312526102460/0001193125-26-102460-index.htm
https://mastodon.social/@netblocks/116226363852733430
Internal OSec Collection
ANALYST COMMENTS
A hacktivist group named Handala, linked to Iran’s Ministry of Intelligence and Security, claimed responsibility for a data-wiping attack on Stryker, a global medical technology company. The attack affected over 200,000 systems and forced temporary shutdowns of offices worldwide, including its largest hub in Ireland and disruptions at its US headquarters. The attack was reportedly in response to a missile strike in Iran, showing how geopolitical tensions can drive cyber activity. Social media speculation suggests a possible Israeli connection, but the only confirmed link is Stryker’s acquisition of an Israeli company in 2019.
An SEC filing states no ransomware was identified during the incident. Reports from social media and anonymous sources indicate Microsoft Intune was used to wipe devices, suggesting the use of living off the land techniques. Handala is associated with the Iranian MOIS and linked to the threat group Void Manticore.
ACTIONABLE GUIDANCE
Based on the threat actor’s tactics, organizations should enforce two-factor authentication across all network and cloud environments. Service accounts should be inventoried, monitored, and secured with strong passwords, with alerts enabled for login activity. Alerts should also be configured for installation of unapproved software, especially encryption tools such as VeraCrypt and tunneling tools such as Netbird.
PowerShell and cmd should be restricted for non-IT users, as the wiper may be delivered through PowerShell scripts. A lack of least privilege enforcement was noted, so access should be minimized across users and roles to reduce exposure.
Network telemetry may be limited due to the use of rotating VPS and VPN infrastructure. However, connections to Iranian IP addresses should be treated as suspicious and blocked where possible. Organizations with ties to Israel or that support US or Israeli military operations should remain on heightened alert.
SUMMARY
Two critical vulnerabilities (CVE-2026-27493 and CVE-2026-27577) in n8n allowed unauthenticated remote code execution and sandbox escape, potentially exposing all credentials stored in the database.
Category
Critical Vulnerabilities
Industry
Multiple
Sources
https://www.securityweek.com/critical-n8n-vulnerabilities-allowed-server-takeover/
https://docs.n8n.io/data/expression-reference/
https://community.n8n.io/t/security-bulletin-february-25-2026/270324
https://www.akamai.com/blog/security-research/zerobot-malware-targets-n8n-automation-platform
ANALYST COMMENTS
Two critical vulnerabilities (CVE-2026-27493 and CVE-2026-27577) were found in n8n, allowing unauthenticated remote code execution and sandbox escape, which could expose all credentials stored in the database. The first vulnerability is a second-order expression injection issue in Form nodes, where an attacker could inject arbitrary commands into a Name field due to two expression evaluation passes. Both vulnerabilities were patched in late February across different versions of n8n (2.10.1, 2.9.3, and 1.123.22), with the patch removing one expression pass and hardening sandbox protections. The combined impact of these flaws could lead to extensive cross-tenant risk in cloud deployments, allowing an attacker to access shared infrastructure through a single form submission.
The vulnerability primarily affects organizations that use n8n for multipart contact forms or other public forms that collect user input. Departments such as marketing or recruitment face higher risk because they often use public forms or surveys that may rely on n8n for backend automation and orchestration. Indicators of compromise include user input submitted through public forms that contains template expressions or JavaScript within brackets.
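The "two expression evaluation passes" mechanism above, and the indicator of form input that contains template expressions, are easiest to see with a toy renderer. The code below is an added example: the renderer is a deliberately minimal stand-in and not n8n's expression engine, the context and template are constructed, and the credential value is a placeholder. The marker list for the input screen is taken from the n8n expression syntax (`{{ }}` and `$`-prefixed references such as `$json`) in the expression reference linked in the sources.

```python
"""Toy single- vs double-pass template rendering plus a form-input screen (added example;
the renderer is a minimal stand-in, not n8n's expression engine)."""
import re

EXPR = re.compile(r"\{\{(.*?)\}\}", re.S)          # {{ ... }} expression delimiters
IDENT = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*$")   # this toy only resolves dotted names


def render_once(template, ctx):
    """Replace {{ name }} with ctx[name]; substituted text is never re-scanned."""
    def sub(m):
        ident = IDENT.match(m.group(1))
        if ident and ident.group(1) in ctx:
            return str(ctx[ident.group(1)])
        return m.group(0)
    return EXPR.sub(sub, template)


def render_twice(template, ctx):
    """Second pass: text that arrived as data in pass one is now evaluated as an expression."""
    return render_once(render_once(template, ctx), ctx)


# Markers of n8n-style expressions; the screen is intentionally broad so that
# a {{ or a $json/$env reference in a name or message field is surfaced for review.
EXPR_MARKERS = re.compile(r"\{\{|\}\}|\$(?:json|node|env|workflow|now|input|vars)\b|\$\(", re.I)


def looks_like_expression(value):
    return bool(EXPR_MARKERS.search(value))


def screen_submission(fields):
    """Return the names of submitted fields whose values resemble template expressions."""
    return [k for k, v in fields.items() if isinstance(v, str) and looks_like_expression(v)]


# Constructed scenario: a confirmation message rendered from form input in a context
# that also holds workflow credentials. The placeholder key is not a real secret.
CONTEXT = {
    "form.name": "{{ credentials.api_key }}",     # an attacker-controlled Name field
    "credentials.api_key": "EXAMPLE-KEY-NOT-REAL",
}
TEMPLATE = "Thanks for contacting us, {{ form.name }}."

if __name__ == "__main__":
    print("one pass :", render_once(TEMPLATE, CONTEXT))
    print("two passes:", render_twice(TEMPLATE, CONTEXT))
    print("flagged fields:", screen_submission({"name": CONTEXT["form.name"], "email": "a@example.com"}))
```

With one pass the submitted text survives as a literal string in the output; with two passes it is resolved against the workflow context, which is why the fix removed a pass rather than filtering input. The screen is a detection aid for reviewing historical submissions, not a substitute for the patch.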
ACTIONABLE GUIDANCE
Organizations that self-host n8n should update to version 2.10.1, 2.9.3, or 1.123.22, depending on the release line in use, to remediate these issues. If n8n is not used with publicly accessible contact forms, the immediate risk may be lower; regardless, the system should still be patched to maintain proper security hygiene. Instances using n8n cloud services already have fixes in place that remediate this issue. If compromise is suspected, the organization should rotate keys, especially if the N8N_ENCRYPTION_KEY may have been obtained, since it can decrypt any credentials in use on the platform.
The full Intelligence Desk brief includes exhaustive IOC lists, YARA detection rules, detailed remediation playbooks, and OSec's original threat research. Delivered weekly to our partners and clients.