2026-W13 Classification: PUBLIC

WEEKLY INTELLIGENCE BRIEFING

2026-03-23 to 2026-03-29 (80 articles)

Articles scanned: 80
Top IOCs: 15
TLDR
  • 🚨 FBI Director Kash Patel's personal Gmail breached by Iran-linked Handala hackers in a major retaliation operation
  • 🏛️ European Commission investigating 350GB data breach as ShinyHunters claims AWS infrastructure compromise
  • 📦 TeamPCP threat actors execute 50+ supply chain attacks in 8 days, targeting PyPI packages with steganography
  • Critical Citrix NetScaler memory overread flaw (CVE-2026-3055) under active reconnaissance, echoing CitrixBleed risks
  • ⚔ F5 BIG-IP vulnerability (CVE-2025-53521) added to CISA's KEV catalog after confirmed exploitation in the wild
  • 🛡️ Google accelerates its post-quantum cryptography deadline to 2029 as quantum threats advance faster than expected
  • 📱 Apple pushes emergency alerts to outdated iPhones over active web-based iOS exploits targeting unpatched devices

Intelligence Breakdown

6 modules
APT & Nation-State

FBI confirms hack of Director Patel's personal email inbox. Iranian-linked Handala threat actors breached FBI Director Kash Patel's personal Gmail account and published historical documents as retaliation for domain seizures and a $10 million reward offer.

TA446 Deploys DarkSword iOS Exploit Kit in Targeted Spear-Phishing Campaign. Russian FSB-linked TA446 leveraged the DarkSword iOS exploit kit to target government, think tanks, and legal entities with GHOSTBLADE malware, raising concerns about commoditized nation-state exploits.

Iran-Linked Hackers Breach FBI Director's Personal Email, Hit Stryker With Wiper Attack. MOIS-operated Handala Hack Team conducted destructive wiper attacks on medical device manufacturer Stryker, marking the first confirmed destructive operation targeting a U.S. Fortune 500 company.

China Upgrades the Backdoor It Uses to Spy on Telcos Globally. Chinese APT Red Menshen upgraded its sophisticated BPFdoor malware using eBPF to evade traditional detection while targeting telecommunications infrastructure worldwide.

Key Takeaway

Organizations should implement enhanced email security for executives and conduct threat hunting for eBPF-based malware in telecommunications environments.

Vulnerabilities & Exploits

CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation. CISA added the critical F5 BIG-IP Access Policy Manager RCE vulnerability to its Known Exploited Vulnerabilities catalog after confirmed in-the-wild exploitation; the issue was upgraded in severity from DoS to RCE (CVSS 9.3).

Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug. A critical memory overread vulnerability in Citrix NetScaler ADC and Gateway is under active reconnaissance, with threat actors probing SAML IDP configurations to identify vulnerable endpoints.

Apple Sends Lock Screen Alerts to Outdated iPhones Over Active Web-Based Exploits. Apple is sending urgent lock screen notifications to users running older iOS versions about active web-based attacks using Coruna and DarkSword exploit kits.

LangChain, LangGraph Flaws Expose Files, Secrets, Databases in Widely Used AI Frameworks. Three critical vulnerabilities in popular AI frameworks enable path traversal, unsafe deserialization, and SQL injection, affecting millions of weekly downloads.

Key Takeaway

Prioritize patching F5 BIG-IP and Citrix NetScaler systems immediately, and update iOS devices and AI framework dependencies to latest versions.

Supply Chain

Backdoored Telnyx PyPI package pushes malware hidden in WAV audio. TeamPCP compromised the Telnyx Python package on PyPI, embedding credential-stealing malware within steganographically encoded WAV audio files; the package sees 740,000 monthly downloads.

TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files. The same TeamPCP campaign used novel steganography techniques to hide malware in WAV files, targeting Windows, Linux, and macOS systems with different persistence strategies per platform.

Fake VS Code alerts on GitHub spread malware to developers. Coordinated campaign posts fake VS Code security alerts across thousands of GitHub repositories to distribute malware, using realistic CVE IDs and impersonating maintainers.

Open VSX Bug Let Malicious VS Code Extensions Bypass Pre-Publish Security Checks. A vulnerability in Open VSX's scanning pipeline allowed malicious extensions to bypass security vetting by exhausting database connections and triggering scan failures.

Key Takeaway

Implement package integrity verification, monitor for suspicious npm/PyPI updates, and verify all GitHub security notifications through official channels.

Ransomware & Breaches

ShinyHunters Claims 350GB Data Breach at European Commission. ShinyHunters claimed responsibility for breaching European Commission AWS infrastructure and leaking over 350GB of data including mail servers, databases, and internal documents.

European Commission investigating breach after Amazon cloud account hack. The Commission confirmed it is investigating unauthorized access to its AWS infrastructure; the attackers claim 350GB of stolen data but have made no extortion demands.

BianLian Ransomware Spreads via Fake Invoice SVG Images in New Attacks. The BianLian ransomware group targets Venezuelan companies using fake invoice SVG files containing hidden XML code that delivers Go-based malware with AES encryption.

Lloyds Group to Compensate 450,000 Customers After App Glitch. Lloyds Banking Group experienced a software defect that broke the privacy barriers between accounts, affecting 450,000 customers, 114,000 of whom accessed sensitive information.

Key Takeaway

Strengthen cloud access controls and multi-factor authentication, especially for critical infrastructure and financial services applications.

Criminal Ecosystem

ShinyHunters Walk Away from BreachForums, Leak 300,000-User Database. ShinyHunters departed BreachForums after the FBI seizure, releasing 300,000+ user records and threatening to leak complete forum backups unless the fake domains are shut down.

SnowTeam Launches Leak Bazaar, a Corporate Data Exchange With ML-Powered Dump Analysis. SnowTeam unveiled Leak Bazaar, a closed dark web platform monetizing stolen corporate data with automated ML filtering and DBMS reverse engineering tools.

Key Takeaway

Monitor dark web marketplaces for organizational data and strengthen breach response capabilities as criminal platforms become more sophisticated.

Regulatory & Compliance
Action items and policy signal

Google Sets 2029 Deadline as Quantum Computers Threaten Encryption. Google accelerated its post-quantum cryptography transition to 2029, ahead of NSA and US government targets, citing faster quantum computing progress and harvest-now-decrypt-later threats.

ANSPDCP (Romania) - fine against Renault Commercial Roumanie SRL. Romania fined Renault €125,000 for inadequate data security measures after a cyberattack exposed personal data including driver licenses and identity documents.

Key Takeaway

Begin post-quantum cryptography assessment and implementation planning now, as the transition window is narrowing rapidly.