⚡ Weekly Recap: Telecom Sleeper Cells, LLM Jailbreaks, Apple Forces U.K. Age Checks and More
Weekly recap covering Citrix CVE exploitation, FBI director email breach by Handala, Red Menshen telecom backdoors,
Summary
This weekly security recap covers multiple high-impact incidents: a critical Citrix NetScaler vulnerability (CVE-2026-3055) under active exploitation, Iran-linked Handala claiming responsibility for FBI Director Kash Patel's personal email compromise, and China-linked Red Menshen deploying sophisticated BPFDoor kernel implants in telecom infrastructure for long-term persistence. Additional threats include the evolving GlassWorm supply-chain campaign using malicious npm/PyPI packages, a Russian TA551 botnet operator sentenced to two years, and FCC restrictions on foreign-made routers.
Full text
Ravie Lakshmanan, Mar 30, 2026, Cybersecurity / Hacking

Some weeks are loud. This one was quieter, but not in a good way. Long-running operations are finally hitting courtrooms, old attack methods are showing up in new places, and research stopped being theoretical right around the time defenders stopped paying attention. There's a bit of everything this week: persistence plays, legal wins, influence ops, and at least one thing that looks boring until you see what it connects to. All of it below. Let's go.

⚡ Threat of the Week

Citrix Flaw Comes Under Active Exploitation — A critical security flaw in Citrix NetScaler ADC and NetScaler Gateway (CVE-2026-3055, CVSS score: 9.3) has come under active exploitation as of March 27, 2026. The vulnerability is a case of insufficient input validation leading to a memory overread, which an attacker could exploit to leak potentially sensitive information. Per Citrix, successful exploitation hinges on the appliance being configured as a SAML Identity Provider (SAML IDP).

🔔 Top News

FBI Confirms Hack of Director Kash Patel's Personal Email Account — The U.S. Federal Bureau of Investigation (FBI) confirmed that threat actors gained access to an email account belonging to FBI Director Kash Patel, but said no government information has been compromised. The Iran-linked hacker group Handala claimed responsibility for the hack, releasing files allegedly representing photos, emails, and classified documents taken from the FBI director's inbox. "The so-called 'impenetrable' systems of the FBI were brought to their knees within hours by our team," the hackers wrote. It's unclear when the account was hacked. The U.S. government, which recently took down multiple sites operated by Iranian state actors, said it's offering up to $10 million for information on threat groups like Parsian Afzar Rayan Borna and Handala. Parsian Afzar Rayan Borna is an IT company that has been implicated in Iran's disinformation and surveillance campaigns. The company is assessed to be linked to Banished Kitten, an Iran-nexus adversary that has been active since at least 2008 and operates the Homeland Justice and Handala Hack personas.

Red Menshen Uses Stealthy BPFDoor to Spy on Telecom Networks — A China-linked state-sponsored threat actor known as Red Menshen has deployed kernel implants and passive backdoors deep within telecommunication backbone infrastructure worldwide for long-term persistence. The implants have fittingly been described as sleeper cells: they lie dormant and blend into target environments, quietly monitoring network traffic instead of opening a visible connection, and spring into action upon receiving a magic packet. Initial access is usually gained by exploiting known vulnerabilities in edge networking devices and VPN products or by leveraging compromised accounts. Once inside, the threat actor maintains long-term access by deploying tools like BPFDoor. Some BPFDoor samples mimic bare-metal infrastructure, posing as legitimate enterprise platforms to blend into operational noise. Others spoof core containerization components. By embedding the implant deep below traditional visibility layers, the goal is to significantly complicate detection efforts.
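A passive implant of this kind needs a raw packet socket to watch traffic without a listening port, and on Linux every such socket is listed in /proc/net/packet. The check below, added here as an illustration and not Rapid7's script or anything from the Red Menshen reporting, maps those socket inodes back to PIDs through /proc/<pid>/fd and reports the holders; the sample inputs are constructed, and the process names are assumed, not taken from real samples.

```python
import os
from pathlib import Path

# Constructed sample inputs (not from a real host): /proc/net/packet, /proc/<pid>/fd targets, /proc/<pid>/comm.
SAMPLE_PACKET = ("sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n"
                 "ffff8881 3      3    0003   2     1 0      0      12345\n"
                 "ffff8882 3      3    0003   0     1 0      0      777\n")
SAMPLE_FDS = {1234: ["/dev/null", "socket:[12345]"], 999: ["socket:[5]"], 42: ["socket:[777]"]}
SAMPLE_COMM = {1234: "dockerd", 999: "sshd", 42: "tcpdump"}

def parse_proc_net_packet(text):
    """Socket inodes from /proc/net/packet; every row is an AF_PACKET (raw frame) socket."""
    inodes = set()
    for row in text.splitlines()[1:]:  # first line is the column header
        fields = row.split()  # sk RefCnt Type Proto Iface R Rmem User Inode
        if len(fields) >= 9 and fields[8].isdigit():
            inodes.add(int(fields[8]))
    return inodes

def inode_owners(fd_links):
    """Map socket inode -> {pid} from fd link targets shaped like 'socket:[12345]'."""
    owners = {}
    for pid, targets in fd_links.items():
        for t in targets:
            if t.startswith("socket:[") and t.endswith("]"):
                owners.setdefault(int(t[8:-1]), set()).add(pid)
    return owners

def packet_socket_holders(packet_text, fd_links, comm_by_pid):
    """Sorted (pid, comm, inode) of AF_PACKET holders; comm is a triage hint only, an implant can fake it."""
    owners = inode_owners(fd_links)
    hits = {(pid, comm_by_pid.get(pid, "?"), ino)
            for ino in parse_proc_net_packet(packet_text) for pid in owners.get(ino, ())}
    return sorted(hits)

def live_scan(proc="/proc"):
    # Same check against a live Linux host; root is needed to read other users' fd links.
    try:
        packet_text = Path(proc, "net", "packet").read_text()
    except OSError:
        return []  # not Linux, or /proc not mounted
    fd_links, comm_by_pid = {}, {}
    for p in (q for q in Path(proc).iterdir() if q.name.isdigit()):
        try:
            fd_links[int(p.name)] = [os.readlink(fd) for fd in (p / "fd").iterdir()]
            comm_by_pid[int(p.name)] = (p / "comm").read_text().strip()
        except OSError:
            continue  # process exited or permission denied
    return packet_socket_holders(packet_text, fd_links, comm_by_pid)
```

Expected hits such as tcpdump or dhcp clients are easy to allow-list by path and package ownership; an unexplained holder whose name matches a platform or container daemon is the case worth a closer look.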
Rapid7 has released a scanning script designed to detect known BPFDoor variants across Linux environments.

GlassWorm Evolves to Drop Extension-Based Stealer — A new evolution of the GlassWorm campaign is delivering a multi-stage framework capable of comprehensive data theft and of installing a remote access trojan (RAT), which in turn deploys an information-stealing Google Chrome extension masquerading as an offline version of Google Docs. "It logs keystrokes, dumps cookies and session tokens, captures screenshots, and takes commands from a C2 server hidden in a Solana blockchain memo," Aikido said. GlassWorm is the moniker assigned to a persistent campaign that obtains an initial foothold through rogue packages published across npm, PyPI, GitHub, and the Open VSX marketplace. In addition, the operators are known to compromise the accounts of project maintainers to push poisoned updates.

Russian Hacker Sentenced to 2 Years for TA551-Linked Ransomware Attacks — Ilya Angelov, a 40-year-old Russian national, was sentenced to two years in prison for managing a botnet that was used to launch ransomware attacks against U.S. companies. Angelov, who went by the online aliases "milan" and "okart," is said to have co-managed a Russia-based cybercriminal group known as TA551 (aka ATK236, G0127, Gold Cabin, Hive0106, Mario Kart, Monster Libra, Shathak, and UNC2420) between 2017 and 2021. The attacks leveraged spam emails to compromise systems and rope them into a botnet that other cybercriminals used to break into corporate systems and deploy ransomware. This included threat actors affiliated with BitPaymer and IcedID.

FCC Bans New Foreign-Made Routers Over Security Risks — The U.S. Federal Communications Commission (FCC) said it was banning the import of new, foreign-made consumer routers, citing "unacceptable" risks to cyber and national security. To that end, all consumer-grade routers manufactured in foreign countries have been added to the Covered List, unless they have been granted a Conditional Approval by the Department of War (DoW) or the Department of Homeland Security (DHS) after a determination that they do not pose any risks. The development comes as the Indian government appears to be preparing to bar Chinese CCTV product makers, such as Hikvision, Dahua, and TP-Link, from selling their cameras starting April 1, 2026, to tighten oversight under the Standardisation Testing and Quality Certification (STQC) rules, the Economic Times reported.

🔥 Trending CVEs

New vulnerabilities show up every week, and the window between disclosure and exploitation keeps getting shorter. The flaws below are this week's most critical — high-severity, widely used software, or already drawing attention from the security community. Check these first, patch what applies, and don't wait on the ones marked urgent — CVE-2026-3055 (Citrix NetScaler ADC and NetScaler Gateway), CVE-2025-62843, CVE-2025-62844, CVE-2025-62845, CVE-2025-62846 (QNAP), CVE-2026-22898 (QNAP QVR Pro), CVE-2026-4673, CVE-2026-4677, CVE-2026-4674 (Google Chrome), CVE-2026-4404 (GoHarbor Harbor), CVE-2026-1995 (IDrive for Windows), CVE-2026-4681 (Windchill and FlexPLM), CVE-2025-15517, CVE-2025-15518, CVE-2025-15519, CVE-2025-15605, CVE-2025-62673 (TP-Link), CVE-2025-66176 (HikVision), CVE-2026-32647 (NGINX Open Source and NGINX Plus), CVE-2026-22765, CVE-2026-22766 (Dell Wyse Management Suite), CVE-2026-21637, CVE-2026-21710 (Node.js), CVE-2026-25185 aka LnkMeMaybe (Microsoft), CVE-2026-1519, CVE-2026-3104, CVE-2026-3119, CVE-2026-3591 (BIND 9), CVE-2026-2931 (Amelia Booking plugin), CVE-2026-33656 (EspoCRM), CVE-2026-3608 (Kea), CVE-2026-20817 (Microsoft Windows Error Reporting), CVE-2025-33244 (NVIDIA Apex), CVE-2026-32746 (Synology DiskStation Manager), and CVE-2026-3098 (Smart Slider 3 plugin).

🎥 Cybersecurity Webinars

Your Identity Program Is Mature. So Why Are You Still Getting Breached? → Your identity program is mature. Yet hundreds of apps still operate outside it. New 2026 Ponemon research from 600+ security leaders shows exactly how big that gap is and what it costs. Now, AI agents are making it worse. This webinar breaks down the findings and shows you what to fix first.

Everyone Agrees AI Agents Need Identity. Almost Nobody Knows How to
Indicators of Compromise
- cve — CVE-2026-3055
- malware — BPFDoor
- malware — GlassWorm