ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits & 20 More Stories
Weekly threat roundup covers PQC migration, AI vuln hunting, Sandworm backdoors, crypto wallet scams, and phishing kits.
Summary
ThreatsDay Bulletin aggregates 20+ security stories including Google's accelerated 2029 PQC migration timeline, GitHub's AI-powered vulnerability detection entering Q2 2026 preview, and Sandworm's campaign distributing Tambur/Kalambur/Sumbur/DemiMur backdoors via pirated software on Telegram. Additional threats include ShieldGuard, a fake crypto wallet security extension that harvests wallet data and sensitive credentials from major platforms like Binance, Coinbase, MetaMask, and OpenSea.
Full text
Ravie Lakshmanan, Mar 26, 2026, Cybersecurity / Hacking News

Some weeks in security feel loud. This one feels sneaky. Less big dramatic fireworks, more of that slow creeping sense that too many people are getting way too comfortable abusing things they probably shouldn’t even be touching.

There’s a little bit of everything in this one, too. Weird delivery tricks, old problems coming back in slightly worse forms, shady infrastructure doing shady infrastructure things, and the usual reminder that if criminals find a workflow annoying, they’ll just make a new one by Friday. Efficient little parasites. You almost have to respect the commitment.

A few of these updates have that nasty “yeah, that tracks” energy. Stuff that sounds niche right up until you picture it landing in a real environment with real users clicking real nonsense because they’re busy and tired and just trying to get through the day. Then it stops being abstract pretty fast.

So yeah, this week’s ThreatsDay Bulletin is a solid scroll-before-you-log-off kind of read. Nothing here needs a full panic spiral, but some of it definitely deserves a raised eyebrow and maybe a muttered: “Oh come on.” Let’s get into it.

PQC migration fast-tracked: Google Announces Accelerated Timeline for its PQC Migration

Google has unveiled a 2029 timeline to secure the quantum era with post-quantum cryptography (PQC) migration, urging other engineering teams to follow suit. "This new timeline reflects migration needs for the PQC era in light of progress on quantum computing hardware development, quantum error correction, and quantum factoring resource estimates," the tech giant said. "Quantum computers will pose a significant threat to current cryptographic standards, and specifically to encryption and digital signatures. The threat to encryption is relevant today with store-now-decrypt-later attacks, while digital signatures are a future threat that require the transition to PQC prior to a Cryptographically Relevant Quantum Computer (CRQC). That's why we've adjusted our threat model to prioritize PQC migration for authentication services."

As part of the effort, the company said Android 17 is integrating PQC digital signature protection using the Module-Lattice-Based Digital Signature Algorithm (ML-DSA). This includes upgrading Android Verified Boot (AVB) with support for ML-DSA to ensure that the software loaded during the boot sequence remains highly resistant to unauthorized tampering. The second PQC upgrade concerns the transition of Remote Attestation to a fully PQC-compliant architecture and updating Android Keystore to natively support ML-DSA.

AI finds hidden vulns: GitHub Brings AI-Powered Detections to GitHub Code Security

GitHub said it's introducing AI-powered security detections in GitHub Code Security to expand application security coverage across more languages and frameworks. "These detections complement CodeQL by surfacing potential vulnerabilities in areas that are difficult to support with traditional static analysis alone," GitHub said. "This hybrid detection model helps surface vulnerabilities – and suggested fixes – directly to developers within the pull request workflow." The Microsoft subsidiary said the move is designed to uncover security issues "in areas that are difficult to support with traditional static analysis alone." The new hybrid model is expected to enter public preview in early Q2 2026.

Pirated apps spread backdoors: Sandworm Leverages Pirated Software Ploys to Drop Backdoors

The Russian threat actor known as Sandworm (aka APT-C-13) has been attributed with moderate confidence to an attack campaign that leverages pirated versions of legitimate software like Microsoft Office ("Microsoft.Office.2025x64.v2025.iso") as lures to deliver different backdoors tracked as Tambur, Sumbur, Kalambur, and DemiMur to high-value targets. It's assessed that these attacks use Telegram as a distribution vector, using social engineering tactics to target Ukrainian users seeking software cracks.

Tambur is designed to spawn SSH reverse tunnels to issue malicious commands, while Kalambur revolves around intranet penetration, remote desktop (RDP) takeover, and persistent communication. Sumbur is a successor to Kalambur with improved obfuscation techniques. DemiMur is mainly used to tamper with the trust chain and evade detection. "Attackers use this module to force the import of a forged DemiMurCA.crt root certificate into the operating system's trusted root certificate authority store," the 360 Advanced Threat Research Institute said. "When subsequent scripts are executed, Windows automatically verifies the validity of the signature block and deems it 'trusted.'"

Fake extension drains wallets: ShieldGuard Scam Drains Crypto Wallets

A cryptocurrency scam called ShieldGuard claimed to be a blockchain project that presented itself as a security tool aimed at protecting crypto wallets from phishing and harmful smart contracts through a browser extension. Ironically, further analysis revealed that it was built to drain digital assets from wallets. The scam was advertised via a dedicated website ("shieldguards[.]net"), as well as an X account (@ShieldGuardsNet) and a Telegram channel (@ShieldsGuard).

"The project was promoted using a multi-level marketing campaign in which users would be rewarded for early use of the extension (via a cryptocurrency 'airdrop') and for promoting the capability to other users," Okta said. "ShieldGuard appears designed to harvest wallet addresses and other sensitive data for major cryptocurrency platforms including Binance, Coinbase, MetaMask, OpenSea, Phantom and Uniswap, as well as for users of Google services. The extension also extracts the full HTML of pages after a user signs into Binance, Coinbase, OpenSea or Uniswap via their browser." The threat actor behind the activity is assessed to be Russian-speaking.

Firmware backdoor spreads globally: Keenadu Detections Across 40 Countries

Sophos said it identified multiple detections on Android devices for malicious activity associated with the Keenadu backdoor. "Keenadu is a firmware infection embedded in the libandroid_runtime.so (shared object library) that injects itself into the Zygote process," the company said. "As Zygote is the parent process for all Android apps, an attacker effectively gains total control over an infected device." Keenadu acts as a downloader for second-stage malware, with the infected devices containing two system-level APK files: PriLauncher.apk and PriLauncher3QuickStep.apk. Over 500 unique compromised Android devices across nearly 50 models have been detected as of March 4, 2026. The devices are mostly low-cost models produced by Allview, BLU, Dcode, DOOGEE, Gigaset, Gionee, Lava, and Ulefone. The identified infections were spread globally, with devices located in 40 countries.

Phishing service quickly rebounds: Tycoon2FA Bounces Back After Takedown

In early March, Europol and Microsoft announced the seizure of 330 active Tycoon2FA domains and legal action against multiple individuals linked to the PhaaS. According to CrowdStrike, the takedown effort left only a minor dent in Tycoon2FA's operations, which are now back to pre-disruption levels. On March 4 and 5, following the law enforcement operation, Tycoon2FA activity volume dropped to roughly 25%, but returned to previous levels shortly after, with "daily levels of cloud compromise active remediations returning to early 2026 levels," CrowdStrike said. "Additionally, Tycoon2FA's TTPs have not changed following the takedown, indicating that the service's operations may persist beyond this disruption." These TTPs include phishing emails directing to malicious CAPTCHA pages, session cookie theft upon CAPTCHA validation, use of JavaScript payloads for email address extraction, credential proxying via malicious JavaScript files, and use of stolen credenti
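As an added defensive check (not code from the bulletin or from the 360 Advanced Threat Research Institute), the PowerShell below audits the LocalMachine trusted-root store against a baseline of expected root thumbprints and, for any script that Authenticode reports as valid, resolves which root the signature chain actually terminates in; that is the trust decision the DemiMur module's forged DemiMurCA.crt import is built to subvert. The baseline file path, the recent-issuance window and the scan folder are assumptions.

```powershell
# Added example, not from the bulletin or 360 ATRI. Audits the LocalMachine
# trusted-root store against a baseline and checks which root anchors a
# script's Authenticode signature. Assumed: a baseline file of SHA-1 root
# thumbprints (one per line) captured on a clean reference image with
#   Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint
param(
    [string]$BaselinePath = 'C:\baseline\root-thumbprints.txt',  # assumed path
    [int]$RecentDays = 30,
    [string]$ScanFolder = 'C:\Users\Public\Downloads'             # assumed path
)

$baseline = @{}
if (Test-Path $BaselinePath) {
    Get-Content $BaselinePath | ForEach-Object { $baseline[$_.Trim().ToUpper()] = $true }
}

# 1. Roots not on the baseline. Subject == Issuer is normal for a root, so the
#    useful signals are "not in baseline" and a NotBefore inside the recent
#    window: a CA forged at infection time is usually freshly minted.
$unexpected = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { -not $baseline.ContainsKey($_.Thumbprint.ToUpper()) } |
    Select-Object Subject, Thumbprint, NotBefore, NotAfter,
        @{ Name = 'RecentlyIssued'; Expression = { $_.NotBefore -gt (Get-Date).AddDays(-$RecentDays) } }
$unexpected | Format-Table -AutoSize

# 2. A script signed under a locally imported root still reports Status 'Valid',
#    because the chain builder trusts whatever is in the store. Resolve the chain
#    and accept the signature only if its root thumbprint is on the baseline.
function Test-ScriptRoot {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status; RootSubject = $null; RootTrusted = $false }
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void]$chain.Build($sig.SignerCertificate)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        RootSubject = $root.Subject
        RootTrusted = $baseline.ContainsKey($root.Thumbprint.ToUpper())
    }
}

# Every .ps1 under the scan folder whose signature chains to a non-baseline root.
Get-ChildItem $ScanFolder -Filter *.ps1 -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Test-ScriptRoot $_.FullName } |
    Where-Object { $_.Status -eq 'Valid' -and -not $_.RootTrusted }
```

Run the same store audit against Cert:\CurrentUser\Root as well, since a per-user import is enough for scripts run in that user's context to verify as trusted.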
Indicators of Compromise
- malware — Tambur
- malware — Sumbur
- malware — Kalambur
- malware — DemiMur
- domain — shieldguards.net
- mitre_attack — T1195.002
- mitre_attack — T1566.002