Executive Summary

Last week featured diverse cyber operations, with adversaries adapting their techniques across multiple sectors.

Key developments

  • CISA identified a persistent Firestarter backdoor in Cisco systems, indicating prolonged access to a US agency's network infrastructure. This shows challenges in detecting sophisticated adversary presence.
  • Apple released a security update addressing an Apple iOS flaw (CVE-2026-28950) that was actively exploited. This shows ongoing vulnerability exploitation in widely used mobile platforms.
  • The Lazarus group is linked to a $290 million cryptocurrency theft from KelpDAO, showing ongoing financial objectives of state-affiliated actors tied to a significant crypto heist. This caused considerable financial loss within the digital asset ecosystem.

Business impact

Disruption and potential compromise affected critical infrastructure (energy, telecommunications), government services, financial platforms, and healthcare organizations. Supply chain attacks resulted in credential theft and lateral movement within IT operations. Large-scale data exposure events continued globally.

Notable trends and changes vs last week

Ransomware activity remained consistent, with 161 victims across 35 groups. Adversary tactics evolved; ransomware groups employed vishing for initial access and targeted virtualization environments. Ideologically motivated hacktivist DDoS campaigns, using commercial booter services, expanded. A discernible trend is the accelerated exploitation of newly disclosed vulnerabilities, with AI potentially contributing.

Outlook

For the upcoming week, sustained ransomware operations and rapid exploitation of newly disclosed vulnerabilities are expected. State-affiliated actors are anticipated to remain active in targeting critical infrastructure and financial sectors. Activity using infostealer-acquired credentials and social engineering campaigns is also projected to persist.


Key Threat Intelligence Highlights

A U.S. government agency fell victim to a cyberattack exploiting a Cisco vulnerability, which allowed the deployment of a FIRESTARTER backdoor. This malicious access persisted through March, showing how unpatched network device flaws can lead to prolonged system intrusions within critical organizations.


Apple issued a Rapid Security Response to address a WebKit vulnerability (CVE-2023-37450) actively exploited on iPhones and iPads. This flaw permitted arbitrary code execution via malicious web content, a capability reportedly used by entities like the FBI for device access. Users should update promptly to protect their devices from compromise.


Lazarus Group orchestrated the movement of $290 million in cryptocurrency from KelpDAO's wallet, which analysts identified as funds previously acquired during the 2022 Ronin Bridge exploit. This incident shows sophisticated state-backed actors can continue to launder massive amounts of illicit digital assets, posing continuous challenges for cryptocurrency platforms and financial transparency.


An attack stemming from a compromised Vercel employee account broadened to affect numerous customer accounts and their integrated third-party systems like GitHub. This incident shows the cascading impact when a platform provider is breached, enabling adversaries to gain extensive access to downstream organizations' critical development infrastructure. This reflects pressing supply chain security challenges.


The LMDeploy CVE-2026-33626 vulnerability was actively exploited within just 13 hours of its public disclosure. This swift weaponization of a newly revealed flaw presents an urgent challenge for organizations, showing the critical need for immediate patching to counter growing cyber risks.

Additional Threat Intelligence Context

  • An extended DDoS campaign by the '313 Team' against eBay infrastructure, disrupting core functions for several hours.
  • A claimed 1.2 TB data leak from Standard Bank Group, potentially exposing 154 million financial and identity records.
  • The exposure of approximately 19 million citizen records from France Titres - ANTS (French identity agency).
  • A privilege escalation path identified in Microsoft Entra 'Agent ID Administrator' role, allowing potential tenant takeover (patched April 9).
  • Ongoing ransomware activity by groups including Qilin, Medusa, Payload, DragonForce, and Lapsus, targeting diverse sectors.
  • Active exploitation of Cisco ASA/Firepower devices by the China-nexus actor Arcane Door, deploying the Firestarter backdoor with persistence capabilities even after patching.
  • CVE-2024-7399 | CVSS: 8.8 (HIGH) - Widespread exploitation of vulnerabilities newly added to the CISA KEV catalog, including Samsung MagicINFO Server, SimpleHelp (CVE-2024-57726, CVE-2024-57728), and D-Link DIR-823X router (CVE-2025-29635).

Available Exploits:

  • CVE-2024-7399 Exploit

Analysis: # CVE Analysis Report: CVE-2024-7399

GitHub Link:

  • Title: CVE-2024-7399 PoC for Samsung MagicInfo SWUpdateFileUploader
  • CVE: CVE-2024-7399 (CVSS: 8.8, HIGH)
  • CVSS Score: 8.8
  • CVSS Severity: HIGH

Based on the analysis:

  • Complexity Score: Easy
  • Remote/Local: Remote
  • Authenticated/Unauthenticated: Unauthenticated
  • Privilege Required: None

Risk Score: 100/100

  • Major data theft operations by groups like ShinyHunters, using vishing and compromised Okta SSO accounts affecting entities like ADT and Udemy.
  • Pro-Russian hacktivist groups conducting ICS and DDoS operations against critical infrastructure in Thailand, Romania, and Ukraine.
  • Supply chain compromises affecting the Bitwarden CLI npm package and Checkmarx KICS Docker images, injecting credential-stealing malware and exfiltrating sensitive tokens.
  • China-linked GopherWhisper APT campaigns utilizing Go-based backdoors and injectors against Mongolian government systems, using common SaaS platforms for C2 and exfiltration.
  • CVE-2025-20333 | CVSS: 9.1 (CRITICAL) - Continued exploitation of Cisco ASA/Firepower FXOS zero-days and n-days (CVE-2025-20362, CVE-2025-30333) by UAT-4356/ArcaneDoor operators to maintain persistent access at a US federal agency.

Available Exploits:

  • CVE-2025-20333 Exploit
  • CVE-2026-3844 | CVSS: 9.8 (CRITICAL) - Active exploitation of a critical remote code execution flaw in the Breeze Cache WordPress plugin, leading to full site compromise.

Available Exploits:

  • CVE-2026-3844 Exploit
  • CVE-2026-3844 Exploit
  • CVE-2026-3844 Exploit
  • CVE-2026-3844 Exploit

Analysis: # CVE Analysis Report: CVE-2026-3844

GitHub Link:

  • Title: Breeze Cache Arbitrary File Upload PoC
  • CVE: CVE-2026-3844 (CVSS: 9.8, CRITICAL)
  • CVSS Score: 9.8
  • CVSS Severity: CRITICAL

Based on the analysis:

  • Complexity Score: Easy
  • Remote/Local: Remote
  • Authenticated/Unauthenticated: Unauthenticated
  • Privilege Required: None

Risk Score: 100/100

  • CVE-2026-33626 - an SSRF vulnerability in LMDeploy's vision-language model, exploited to probe internal HTTP services and exfiltrate data.
  • CVE-2026-33824 | CVSS: 9.8 (CRITICAL) - a critical Windows IKEv2 double-free RCE allowing SYSTEM-level shellcode execution.

Available Exploits:

  • CVE-2026-33824 Exploit
  • CVE-2026-33824 Exploit

Analysis: # CVE Analysis Report: CVE-2026-33824

GitHub Link:

  • Title: CVE-2026-33824: IKEv2 Double Free PoC Analysis
  • CVE: CVE-2026-33824 (CVSS: 9.8, CRITICAL)
  • CVSS Score: 9.8
  • CVSS Severity: CRITICAL

Based on the analysis:

  • Complexity Score: Medium
  • Remote/Local: Remote
  • Authenticated/Unauthenticated: Unauthenticated
  • Privilege Required: None

Risk Score: 100/100

  • CVE-2026-33825 | CVSS: 7.8 (CRITICAL) - 'BlueHammer' Microsoft Defender EoP, actively exploited for privilege escalation on Windows endpoints.

Available Exploits:

  • CVE-2026-33825 Exploit
  • CVE-2026-33825 Exploit
  • CVE-2026-33825 Exploit

Analysis: # CVE Analysis Report: CVE-2026-33825

GitHub Link:

  • Title: RedSun-BlueHammer-UnDefend Detection Pack PoC
  • CVE: NA (CVSS: 7.8, CRITICAL)
  • CVSS Score: 7.8
  • CVSS Severity: CRITICAL

Based on the analysis:

  • Complexity Score: Easy
  • Remote/Local: Remote
  • Authenticated/Unauthenticated: Unauthenticated
  • Privilege Required: None

Risk Score: 85/100

Ransomware Activity Overview

Ransomware groups consistently employ public leak sites to increase pressure on victims and target large enterprises and crucial industries primarily in Europe and North America, with Qilin consistently targeting mid-market entities across multiple regions. Hacktivist groups increasingly combine political messaging with attacks on commercial brands, often using paid stresser services. The criminal underground remains active, with a steady trade in turnkey hacking capacity, private tools, stealer panels, databases, and access to specific national datasets, including large, structured financial and government datasets. Discussions are ongoing about AI-enabled offense potentially compressing the time between vulnerability disclosure and active exploitation, while privilege design errors in identity platforms, as seen with Microsoft Entra, continue to open new avenues for tenant-wide escalation. Concerns are also emerging regarding infostealer-driven credential abuse and long-running social engineering campaigns. Data breaches are growing in scale and impact, exemplified by the Standard Bank Group data dump and ShinyHunters' claim of records from ADT following vishing-enabled Okta SSO compromise. Geopolitical cyber activity involves the China-nexus actor Arcane Door maintaining long-term covert access to US federal systems and pro-Russian groups performing disruptive ICS operations against infrastructure in Thailand and Romania.

During the reporting period, 161 total victims were identified across 35 active ransomware groups. The top 5 most active groups accounted for 93 victims.

Top 5 Ransomware Groups

Qilin - 49 victim(s)

  • Notable victims: A & a building material, Atkinson ritson solicitors limited, Avitrans, B to b visions, B&e juice (and 44 more)

Lapsus - 14 victim(s)

  • Notable victims: Adidas extranet, Astrazeneca corp, Checkmarx.com, Dreamup, Eiffage (and 9 more)

CoinbaseCartel - 11 victim(s)

  • Notable victims: Aptim, Commscope, Engie, Integer holdings, Kementerian pertanian (and 6 more)

Akira - 10 victim(s)

  • Notable victims: Alkegen, Alva manufacturing, Arctic home living, Gumpp kunststoffe, Integra architecture (and 5 more)

INC-Ransom - 9 victim(s)

  • Notable victims: Dorotea Sweden, MTCI, krauseundco, krwlawyers.com, reddycardiology.com (and 4 more)

Deep Web

Deep Web Activity Overview This Week

This week, deep web platforms showed a varied range of illicit activity, including state-sponsored data compromises, trade of critical infrastructure access, exposure of sensitive personal data, and proliferation of tools designed to bypass security controls. The incidents collectively show persistent cyber espionage, financially motivated breaches, and hacktivism impacting national security, critical infrastructure, and individual privacy.

Notable Breach Incidents and Data Leaks

What major data leaks appeared on deep web forums this week?

This week saw several major data leaks, including a substantial compromise of an Israeli national security think tank, the offering of Chinese military and intelligence data, the exposure of a Guyanese government's national mining database alongside citizen PII, and sensitive records of pregnant women in El Salvador.

ISRAEL INSS National Security Data Exposure

A new actor, Sumud Cyber Command, claimed to have exfiltrated 15.92 terabytes (TB) of "classified" documents from the Institute for National Security Studies (INSS) in Israel. This collection reportedly includes over 9.7 million files, including sensitive intelligence related to Iran, regional proxies, and strategic plans. The data reportedly contains internal emails, WhatsApp conversations with former Minister Ayelet Shaked, strategy papers concerning Gaza and Palestinian territories, Iran-Russia military-technical cooperation dossiers, and documents about AI-driven propaganda operations. The group stated political motivations.

Chinese Military and Intelligence Data for Sale

A user identified as "mosad" is advertising the sale of "Fresh Chinese PLA data." This offering purportedly involves information from various People's Liberation Army (PLA) entities, including the Cyberspace Force Technology Research Institute, Rocket Force Institute of Science and Technology Information, and the Intelligence Directorate's Middle East and African Affairs Analysis Division. While specific data volume or types were not detailed beyond organizational affiliations, the seller indicated a preference for buyers such as think tanks, conveying the perceived intelligence value.

Guyana Government - Analog Gold Inc. National Database Breach

The actor FulcrumSec released a substantial dataset of 2.2 TB, encompassing 3.3 million files from Prospector Portal, an AI mining intelligence platform, and the sovereign government database of the Republic of Guyana. This breach exposes sensitive information, including:

  • 12,532 Guyanese citizens' PII: Full names, Tax Identification Numbers (TIN), National Identification Numbers (NIN), passport numbers, dates of birth, phone numbers, email addresses, and physical addresses.
  • National Resource Data: 12,987 mineral licence records with GPS coordinates; historical geological archives dating back to the 1920s; and 41 proposed Amerindian land extensions, totaling over 3.6 million acres of unreleased government planning data.
  • Corporate - Technical Data: The complete infrastructure of Prospector Portal, including its entire product database, daily snapshots, FactSet data pipeline, proprietary NI 43-101 technical reports (pre-publication resource estimates), AI models, training data, and the full backend source code.
  • Critical Credentials: AWS access keys, Snowflake JWT authentication RSA private key, Elasticsearch, Stripe, and other API keys, alongside Terraform state files.

The group cited Analog Gold Inc.'s "negligence" for storing government data on commercial AWS accounts and made an extortion demand to prevent further data release.

El Salvador - Pregnant Women's Records Leak

CiberInteligenciaSV posted a leak containing 96,191 records of pregnant women in El Salvador. The exposed data includes names, Unique Identity Documents (DUI), dates of birth, ages, phone numbers, addresses, municipalities, departments, weeks of gestation, and other pregnancy-related details. This is a severe privacy violation affecting a vulnerable population.

What financially motivated access and tools were traded on deep web markets this week?

This week, financially motivated actors were observed selling API access to a major financial transactions company, access to a law enforcement data request platform, a bypass for mobile application security, and root access to a Russian government regulator.

Major Financial API Access Offered

The established actor ShinyHunters is offering "full API transactions access" to a major, unnamed financial transactions company for $1 million USD. This access reportedly facilitates transactions across more than 20 countries and multiple financial systems, including Latin American, Asian, African, and Middle Eastern currencies, along with a Global_Card_API-PAY and 2FA_API. The seller positioned this as an opportunity for a supply chain attack. This indicates its potential for widespread financial fraud.

Kodex Account Sale for Law Enforcement Data Requests

A new user, "kodexglobal," is selling login access to a Kodex account for a base price of $8,000 USD. Kodex is a platform used by law enforcement agencies to submit Electronic Data Requests (EDRs) to technology and financial companies like Discord, Coinbase, and Roblox. The account includes access to over 320 companies and relevant subpoena documents. This presents an avenue for unauthorized data acquisition through impersonation.

Dexprotector RASP Bypass Offered

"Nopsec" is selling a bypass for Dexprotector, an Android Runtime Application Self-Protection (RASP) solution used by financial institutions such as Revolut and Starling Bank, as well as other applications like IFOOD. The offering includes a Frida script enabling full RASP bypass, SSL pinning bypass, and an Alice spoofer. This tool could help malicious actors circumvent security layers in mobile applications, facilitating reverse engineering and tampering.

Russian Government Regulator Infrastructure Access

A new actor, "0m0nRa," is selling full access to the infrastructure of a Russian government regulator in the construction and energy sectors. The access includes Administrator privileges via IPMI-Supermicro, root access to ESXi hypervisors, and Webmin root access to virtual machines. The offering also includes 1C administrative credentials, 1C backups (containing 10 years of PII, salaries, contracts, and accounting data), and over 400 GB of MySQL databases with applications and requests. The seller also mentions 500+ corporate email and password pairs intercepted in plain text, along with a Postfix server for targeted attacks. This level of access could provide an entry point into related critical organizations.

Were any new critical vulnerabilities disclosed this week?

A new critical vulnerability, CVE-2026-38526, with a CVSS score of 10.0, was disclosed, affecting Krayin CRM installations.

Krayin CRM Critical Vulnerability (CVE-2026-38526)

A user named "stopthecap" posted a Proof-of-Concept (POC) for CVE-2026-38526, a vulnerability affecting Krayin CRM. Rated with a maximum CVSS score of 10.0, this vulnerability suggests critical remote code execution or complete system compromise. A Shodan dork was also provided to identify exposed instances. This indicates a readiness for exploitation.

Nature and Scope of the Breaches

The breaches observed this week cover a wide range of targets and data types, showing broad reach and varied motivations:

  • Geopolitical and Strategic Intelligence: The INSS breach and the offering of Chinese PLA data involve national security information, strategic intelligence, and operational plans. Their scope extends to international relations, military capabilities, and national defense.
  • National Infrastructure and Citizen PII: The Guyana breach combines national infrastructure data (mining permits, geological archives, land planning) with full PII for a substantial portion of its citizenry. This represents a nation-state level compromise with wide individual impact.
  • Critical Financial Services: The sale of API access to a major financial transactions company and the Dexprotector bypass pertain to the core infrastructure of global finance, enabling potential manipulation or theft across numerous countries.
  • Law Enforcement Tools: The sale of Kodex account access shows a direct attempt to subvert tools designed for legitimate data requests, posing a risk to investigations and privacy.
  • Governmental Operational Control: The Russian government regulator access offers deep control over operational IT infrastructure, including hypervisors and administrative back-end systems, enabling espionage or sabotage.
  • Sensitive Personal Data: The leak of pregnant women's records in El Salvador, alongside the PII from Guyana and Russia, represents direct compromises of sensitive personal data.
  • Vulnerability Exploitation: The Krayin CRM CVE disclosure provides a path for broad system compromise across organizations using the affected software.

This week's deep web activity shows several recurring themes:

  • Geopolitical Targeting: A clear appearance of politically motivated cyber operations, particularly against Israeli entities, and the offering of military intelligence data related to China and Russia. These incidents show the enduring role of nation-state actors and hacktivist groups in using cyber capabilities for strategic objectives.
  • Supply Chain Vulnerabilities and Third-Party Risk: The Guyana breach provides an example of severe third-party risk, where a government's sensitive national data was exposed due to the inadequate security posture of a commercial contractor. Similarly, the sale of API access to a financial transactions company represents a supply chain entry point for broader financial disruption.
  • Monetization of Access and Tools: A consistent pattern of selling access to compromised systems (e.g., financial API, government infrastructure, law enforcement tools) and security bypasses (e.g., Dexprotector RASP bypass, Krayin CRM POC). This suggests a developed market for initial access brokers and specialized tools that facilitate further malicious operations.
  • Sensitive PII and Health Data Exposure: The leaks involving Guyanese citizens' PII and El Salvador's pregnant women's records show the persistent targeting and exposure of personal and sensitive data. Such breaches carry considerable ethical implications and pose direct risks to individuals.
  • New Actors and Established Groups: A mix of new forum users (e.g., Sumud Cyber Command, Nopsec, 0m0nRa, kodexglobal) appearing with high-value offerings alongside established actors (e.g., ShinyHunters, CiberInteligenciaSV, FulcrumSec). This duality indicates both emergent threats and ongoing operations by known entities.

Potential Impact

The consequences of the deep web activity observed are far-reaching:

  • National Security and Geopolitical Considerations: The purported breach of INSS and the sale of Chinese and Russian military data could provide adversaries with valuable intelligence, potentially influencing strategic balances, compromising ongoing operations, and impacting regional dynamics. The unreleased land planning data from Guyana could incite internal disputes and international political pressure.
  • Economic Disruption and Financial Fraud: The sale of critical financial API access presents an opportunity for large-scale financial fraud, money laundering, and disruption of international transaction systems. The bypass for mobile banking security mechanisms could directly enable account compromises and theft.
  • Erosion of Trust and Privacy: The exposure of vast quantities of personal data, including the sensitive health records of pregnant women in El Salvador and citizen PII from Guyana, substantially impacts public trust in data custodianship. This data can be exploited for identity theft, targeted scams, extortion, and discrimination.
  • Increased Attack Surface: The critical vulnerability in Krayin CRM and the sale of law enforcement data request account access create expanded opportunities for malicious actors to compromise systems and acquire data through illegitimate means, affecting a wide range of organizations and individuals.
  • Regulatory and Reputational Damage: Organizations involved in these breaches, particularly Analog Gold Inc. and the affected financial entity, face substantial regulatory penalties, lawsuits, and considerable reputational harm, which could impact their commercial viability and partnerships. The Guyanese government faces scrutiny over its data sovereignty and protection practices.

Sources

  1. CISA: US agency breached through Cisco vulnerability, FIRESTARTER backdoor allowed access through March
  2. Apple just fixed an iOS flaw exploited by the FBI - here's what happened
  3. KelpDAO suffers $290 million heist tied to Lazarus hackers
  4. Vercel attack fallout expands to more customers and third-party systems
  5. LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure