The Indicator — Monthly Threat Intelligence

Cyber Threat Trends
in March 2026

Published April 2026 | Based on 50+ IOC reports | TLP: CLEAR
50+ Reports analyzed
1,400+ IOCs extracted
6 Threat clusters
5 Nation-state actors
12+ Malware families
Key Takeaways for Security Professionals
  • Audit your CI/CD supply chain now. TeamPCP cascaded from a single misconfigured Trivy workflow to compromising Checkmarx, LiteLLM, Telnyx, and Docker Hub images — review every third-party action and package in your pipelines.
  • AI deployment infrastructure is being actively targeted. CVE-2026-33017 in Langflow is the first major RCE in an AI orchestration platform exploited in the wild — inventory and harden all AI-facing services.
  • Patch security appliances with zero-day urgency. Interlock ransomware exploited a Cisco FMC zero-day (CVE-2026-20131), and Citrix NetScaler SAML flaws are under active exploitation — security tools are now attack vectors.
  • MFA is not enough. EvilTokens OAuth phishing captures access tokens directly, bypassing multi-factor authentication entirely — deploy token-binding and conditional access policies.
  • Watch for Dead Drop Resolvers. MaskGram and Kamasers use Spotify, Chess.com, and other legitimate services to dynamically resolve C2 domains — domain block lists alone won’t stop this.
  • Linux rootkits are advancing. VoidLink combines LKM and eBPF for process hiding and ICMP-based C2 — deploy eBPF-aware monitoring on Linux infrastructure.
  • Infostealer MaaS is fully industrialized. New entrants (CrystalX, Torg Grabber) ship with REST APIs, affiliate dashboards, and 700+ crypto wallet targets — prioritize browser credential hardening and session token rotation.
  • Verify hiring pipelines for DPRK infiltration. UNC1069 operated both supply chain attacks (Axios) and synthetic identity schemes — cross-reference remote developer identities against known synthetic identity patterns.
March 2026 marked a pivotal month in the cyber threat landscape — one defined by industrialized supply chain compromises, the weaponization of open-source developer tooling, and the continued maturation of nation-state intrusion programs. From a single rogue npm maintainer to Iranian intelligence operating over Telegram, the month's incidents reveal an adversary ecosystem that is simultaneously more accessible to low-skill actors and more sophisticated in its tradecraft.
01 — TOP STORY

The TeamPCP Supply Chain Siege

No single story dominated March 2026 more than the TeamPCP supply chain campaign. Over the course of the month, the threat actor executed a sweeping, multi-stage compromise of open-source security tooling used by millions of developers worldwide. Separately, North Korean nexus group UNC1069 hijacked the Axios npm package in a distinct but thematically related attack.

Mid-March — initial disclosure
Checkmarx GitHub Action & LiteLLM PyPI compromised
TeamPCP exploited CVE-2026-33634, a misconfigured workflow in Aqua Security's Trivy scanner, to harvest CI/CD credentials. They then pivoted to push malicious versions of LiteLLM (a popular Python LLM gateway) and the Checkmarx ast-github-action using the stolen credentials. Payloads exfiltrated API keys, cloud credentials, and trade secrets.
Three days later
Telnyx PyPI package compromised
Just 72 hours after the LiteLLM incident, TeamPCP struck again — this time hijacking the telnyx PyPI package. The attack introduced a novel technique: malware hidden inside innocuous-looking WAV audio files (steganography), which then dropped Windows executables and Linux credential stealers. Over 60 IOCs were extracted across multiple reports covering this campaign.
Late March
Trivy Docker Hub images pushed; AstraZeneca breach claimed
Compromised Trivy Docker images containing TeamPCP infostealers appeared on Docker Hub, broadening the blast radius. The group simultaneously claimed a breach of AstraZeneca using previously stolen credentials. Cloud security firm Wiz confirmed post-compromise enumeration of cloud environments.
Early April (spillover)
Axios npm package hijacked (UNC1069); Mercor AI breach confirmed
In a separate operation, North Korean nexus group UNC1069 hijacked the lead maintainer account of the ubiquitous axios npm package (used in hundreds of millions of projects). A malicious dependency, plain-crypto-js, was injected, deploying the WAVESHAPER.V2 backdoor to harvest credentials and establish persistent access. Separately, the Mercor AI breach — collateral damage from TeamPCP's LiteLLM compromise — was also confirmed.

Why it matters: TeamPCP demonstrated that a single misconfigured CI/CD workflow can cascade into a breach affecting hundreds of distinct corporate environments. The campaign also revealed how developer tools — scanners, AI gateways, communication SDKs — represent an underappreciated attack surface with exceptionally high-value credential yield.
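The takeaway above is to review every third-party action in your pipelines. The following is an added example (not code from the newsletter or from any vendor it cites) that audits GitHub Actions workflow text and flags remote actions pinned to a mutable tag or branch instead of a full commit SHA; the "example-vendor" actions, the SHA, and the trusted-owner list are constructed placeholders.

```python
import re

# A `uses:` step that references a remote action as owner/repo[/subdir]@ref.
# Local actions (./path) and docker:// images carry no "@ref" and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s'\"#]+)"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Owners treated as first-party. Constructed policy for this example;
# replace it with your organisation's own allow-list.
TRUSTED_OWNERS = {"actions", "github"}


def classify_ref(ref: str) -> str:
    """'sha' for a full 40-hex commit, 'short-sha' for an abbreviated hash,
    'mutable' for anything else (a tag or branch name that upstream can move)."""
    if FULL_SHA_RE.match(ref):
        return "sha"
    if re.fullmatch(r"[0-9a-f]{7,39}", ref):
        return "short-sha"
    return "mutable"


def audit_workflow(yaml_text: str) -> list[dict]:
    """Return one finding per remote action in the workflow text.
    Severity: mutable third-party ref -> high, mutable first-party ref -> medium,
    abbreviated SHA -> low, full SHA -> ok."""
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group("action"), m.group("ref")
        pin = classify_ref(ref)
        if pin == "sha":
            severity = "ok"
        elif pin == "short-sha":
            severity = "low"
        elif action.split("/")[0] in TRUSTED_OWNERS:
            severity = "medium"
        else:
            severity = "high"
        findings.append({"line": lineno, "action": action, "ref": ref,
                         "pin": pin, "severity": severity})
    return findings


# Constructed sample workflow: "example-vendor" and the 40-hex SHA are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run scanner
        uses: example-vendor/scanner-action@master
        with:
          scan-type: fs
      - uses: example-vendor/report-action@0123456789abcdef0123456789abcdef01234567  # v2.1.0
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']:>2}  {f['severity']:<6}  {f['action']}@{f['ref']}  ({f['pin']})")
```

A pinned SHA only helps if you also review what that commit contains; pair the audit with Dependabot-style update review rather than blindly bumping pins.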

02 — NATION-STATE ACTIVITY

State-Sponsored Intrusions Across Four Fronts

March saw documented activity from Iranian, North Korean, Russian, and Chinese-nexus threat actors. Each pursued distinct operational objectives but shared a common emphasis on stealth and persistence over spectacle.

Iran — MOIS

Telegram C2 Malware Campaign

Iranian Ministry of Intelligence and Security (MOIS)-linked actors are using Telegram as command-and-control infrastructure to deliver multi-stage malware against dissidents and journalists. The campaign uses Telegram bots to receive commands and exfiltrate stolen data, making traffic appear as ordinary messaging app usage. Operations focus on espionage, data theft, and hack-and-leak.

42 IOCs · Domains, IPs, Telegram bot tokens
Iran — MuddyWater / Boggy Serpens

Critical Infrastructure Targeting with AI-Enhanced Malware

MuddyWater (also tracked as Boggy Serpens) expanded its toolkit with new custom implants including Dindoor, Fakeset, and a Rust-based implant. They also introduced AI-assisted malware development (with GenAI artifacts found in source code enabling rapid iteration and polymorphic variants), and deployed UDPGangster, LampoRAT, and BlackBeard against critical infrastructure targets. A Palo Alto Unit 42 threat assessment documented the group compromising trusted relationship partners to gain initial access.

194 IOCs across two major reports · High-confidence attribution
North Korea — UNC1069

Axios npm Hijack & CanisterWorm

UNC1069 hijacked the Axios npm package maintainer account (see Section 01), deploying the WAVESHAPER.V2 backdoor to hundreds of millions of downstream projects. The group also deployed CanisterWorm, a self-propagating worm using ICP blockchain canisters for C2, designed to target Kubernetes clusters and CI/CD pipelines, with a notable focus on Iranian targets alongside Western developer ecosystems.

68+ IOCs · npm packages, Kubernetes artifacts, blockchain C2
Russia — CTRL Framework

Undocumented .NET Remote Access Toolkit

Censys researchers discovered CTRL, a previously undocumented Russian remote access framework using LNK files for initial delivery. CTRL combines credential phishing, keylogging, RDP hijacking, and FRP-based reverse tunneling. Victims receive what appears to be a legitimate shortcut file that executes a multi-stage payload chain.

35 IOCs · LNK files, C2 IPs, FRP tunnel endpoints
Iran — OilRig / APT34

Stolen Certificate Used in Energy Sector Campaign

OilRig (also known as APT34), an Iranian MOIS-linked group, was found using a stolen Entrust EV code signing certificate from MOSCII Corporation to sign Karkoff backdoor samples targeting Thailand's energy sector. The use of a legitimate Thai IT vendor's certificate enabled the malware to bypass code signing verification on target systems.

67 IOCs · Signed malware, stolen certificates
China — Tonto Team

Royal Road RTF Attack on Group-IB

Chinese APT group Tonto Team targeted cybersecurity firm Group-IB itself using Royal Road RTF weaponization, exploiting Equation Editor vulnerabilities to deliver a Bisonal.DoubleT backdoor. The operation highlights the persistent interest of Chinese-nexus actors in targeting the security research community for intelligence collection.

36 IOCs · RTF exploits, RAT payloads
South Asia — Konni APT

KakaoTalk-Abused Propagation Chain

The Konni APT group used spear-phishing with malicious LNK files to deploy remote access trojans, then took an unusual lateral movement step: hijacking active KakaoTalk PC messenger sessions for secondary propagation within victim organizations. The technique allows the attacker to reach additional victims while appearing as a trusted contact inside a popular communications platform.

34 IOCs · LNK files, RAT payloads, C2 domains
03 — RANSOMWARE & EXTORTION

Ransomware Evolves; Critical Vulnerabilities Exploited

Ransomware activity in March 2026 was notable for its exploitation of zero-day and n-day vulnerabilities in enterprise security appliances, and for the continued maturation of ransomware-as-a-service (RaaS) operations targeting multi-sector victims.

Actor / Campaign: Interlock Ransomware
  Initial access: CVE-2026-20131 (Cisco FMC zero-day)
  Notable TTPs: Custom RATs, web shells, data exfiltration before encryption; multi-sector targeting
  Severity: Critical

Actor / Campaign: Beast Ransomware (RaaS)
  Initial access: Phishing, exposed RDP
  Notable TTPs: Full pre-ransomware playbook: reconnaissance, credential theft, lateral movement, exfiltration, then encryption. 63+ unique tools documented.
  Severity: Critical

Actor / Campaign: LeakNet
  Initial access: ClickFix lures (fake browser update pages)
  Notable TTPs: Deno-based in-memory loader (evades AV), jli.dll sideloading, PsExec for lateral movement, S3 bucket staging for exfil
  Severity: High

Actor / Campaign: Multi-Actor VPN Intrusion (Intrinsec)
  Initial access: Compromised VPN credentials via IAB
  Notable TTPs: 12-month dwell time; Initial Access Broker → intermediate operator → ransomware actor chain; extensive anonymization infrastructure
  Severity: High

Actor / Campaign: TeamPCP / Vect Partnership
  Initial access: Supply chain (Telnyx)
  Notable TTPs: Ransomware group partnered with TeamPCP; claimed credential-driven access to AstraZeneca
  Severity: High

Trend to watch: The Interlock group's exploitation of CVE-2026-20131 in Cisco's Firepower Management Center is the second major instance in Q1 2026 of ransomware actors burning zero-day vulnerabilities in security appliances — tools designed to protect the very environments they are now penetrating.

04 — INFOSTEALERS & CREDENTIAL THEFT

The Infostealer Ecosystem: Industrialized, Persistent, and Evolving

Credential theft remained the most voluminous threat category in March 2026. Multiple new and updated malware families were documented, reflecting a mature, competitive underground market for stealer-as-a-service tooling.

New

CrystalX RAT / Stealer

A new MaaS offering promoted aggressively via Telegram and YouTube. CrystalX bundles stealer, keylogger, clipper, and remote access capabilities with unusual "prankware" features (e.g., fake crash screens, webcam access for harassment). Kaspersky documented the C2 infrastructure and delivery mechanisms.

18 IOCs
New

Torg Grabber

Evolved from simple Telegram-based exfiltration to a robust REST API C2 infrastructure. Features an Application-Bound Encryption (ABE) bypass and targets an unusually broad range of browser extensions including crypto wallets. Gen Digital published a comprehensive analysis of this emerging MaaS stealer.

57 IOCs
Updated

Xloader v8.1+

Zscaler documented significant updates to Xloader, a long-running Windows infostealer. Version 8.1 introduces new code obfuscation techniques, decoy C2 servers to frustrate analysis, and multiple encryption layers for data exfiltration. Network protocol changes mean existing detection signatures require updating.

9 IOCs · New C2 patterns
Ongoing

MaskGram Stealer

Uses Dead Drop Resolver (DDR) technique, abusing legitimate services like Spotify and Chess.com to retrieve current C2 domains. The technique allows threat actors to change infrastructure without touching the malware itself, substantially increasing resilience. Russian researchers at Solar 4RAYS documented 89 IOCs.

89 IOCs
Campaign

Phantom Stealer (European Targeting)

A sustained campaign delivered the .NET-based Phantom Stealer to European organizations via procurement-themed phishing emails — a particularly effective lure during Q1 financial planning cycles. Group-IB documented the delivery chain and IOC infrastructure.

10 IOCs
Malware Loader

Kiss Loader (Python-based)

A newly developed Python loader using WebDAV for payload delivery and Early Bird APC injection to execute shellcode before traditional defenses initialize. Delivers VenomRAT and Kryptik payloads. GData Software published a detailed analysis including the injection mechanism.

28 IOCs

Silver Fox: Tax Season Lures Pivot to RMM Tools

The Silver Fox threat actor, historically targeting South Asian organizations with ValleyRAT, made a notable shift in March 2026. Tax-themed lures remain the delivery mechanism, but the group has largely replaced ValleyRAT with commercial remote monitoring and management (RMM) tools and a custom Python-based stealer. This pivot likely reflects an effort to reduce detection rates by blending malicious traffic with legitimate enterprise software patterns. Sekoia documented 121 IOCs across this campaign.

05 — WEB THREATS & PHISHING

ClickFix Variants, Magecart, and OAuth Abuse

Social engineering and web-based delivery mechanisms continued to dominate the initial access landscape. Three distinct patterns emerged as notable trends.

ClickFix continues to evolve

The ClickFix technique — fake CAPTCHA or browser update pages that instruct users to paste malicious PowerShell commands into their own terminals — proliferated widely in March 2026. The SmartApeSG campaign used ClickFix to deliver a remarkable range of payloads: Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (ArechClient2), selected according to victim profile. A new ClickFix variant documented by Atos introduced the use of the net use command to mount a WebDAV share, executing a batch script that downloads a trojanized WorkFlowy Electron application as a persistent C2 beacon.

Magecart campaign (24+ months active, Spain-focused)

ANY.RUN researchers documented a large-scale Magecart operation that has been running continuously for over two years, primarily targeting Spanish e-commerce websites. The campaign uses checkout page hijacking, payment form mimicry, and WebSocket-based exfiltration to steal card data in real time. The longevity of this campaign without takedown underscores challenges in coordinating cross-border e-commerce security enforcement.

EvilTokens: OAuth phishing at scale

The EvilTokens campaign exploited OAuth authentication flows to conduct large-scale phishing, capturing access tokens rather than passwords — a technique that bypasses multi-factor authentication entirely. The campaign was among the more technically sophisticated phishing operations observed in March 2026.

DocuSign impersonation with LogoKit

A phishing wave impersonating DocuSign used the LogoKit framework to dynamically generate credential-harvesting landing pages tailored to each victim's organization — automatically pulling the target company's logo and branding from public sources to create convincing, personalized lures.

Vidar via fake CAPTCHA (compromised WordPress)

Malwarebytes documented a campaign using compromised WordPress sites to serve fake CAPTCHA pages, tricking users into running malicious commands that deliver the Vidar infostealer via HTA and MSI droppers.

06 — CRITICAL VULNERABILITIES

Key CVEs Exploited in the Wild

CVE-2026-20131
  Product: Cisco Secure Firepower Management Center
  Impact: Remote code execution; used by Interlock ransomware for initial access
  Status: Active exploitation

CVE-2026-3055
  Product: Citrix NetScaler (SAML component)
  Impact: Memory overread via SAML flaw enabling session hijacking; CVE-2026-4368 also poses risk
  Status: Active exploitation

CVE-2026-33017
  Product: Langflow (AI workflow platform)
  Impact: Unauthenticated RCE; attackers extract sensitive credentials from AI deployment environments
  Status: Active exploitation

CVE-2026-33634
  Product: Aqua Trivy GitHub Action
  Impact: TeamPCP supply chain entry point; compromised CI/CD workflow enabled credential theft and downstream attacks on Checkmarx, LiteLLM, and Telnyx
  Status: Patched; patch urgency high

CVE-2025-66376
  Product: Zimbra Webmail
  Impact: Stored XSS auto-rendered in Classic UI; used in Operation GhostMail to steal Ukrainian government credentials
  Status: Targeted exploitation

Note: The exploitation of CVE-2026-33017 in Langflow is significant because it represents one of the first documented cases of a critical RCE vulnerability in an AI workflow orchestration platform being actively exploited in the wild. As AI deployment tooling proliferates, it is likely to become an increasingly targeted attack surface.

07 — ADVANCED MALWARE

Sophisticated Implants: Linux Rootkits, Botnets, and APT Tooling

Linux

VoidLink Rootkit Framework

Elastic Security Labs documented VoidLink, a sophisticated Linux malware framework combining a Loadable Kernel Module (LKM) and eBPF programs for stealth. VoidLink hides processes and network connections from the OS itself and uses ICMP for covert command-and-control communication — a protocol rarely inspected by security tools.

29 IOCs
DDoS

Kamasers Multi-Vector Botnet

A newly analyzed DDoS botnet supporting both application-layer and transport-layer attacks, with additional loader functionality. Kamasers uses a Dead Drop Resolver for resilient C2 infrastructure — the same evasion technique observed in MaskGram Stealer, suggesting shared tradecraft or code lineage.

28 IOCs
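Both the MaskGram Stealer entry in Section 04 and the Kamasers entry above describe the Dead Drop Resolver pattern: the implant fetches a page on a legitimate service to learn its current C2 host, then connects there. The following is an added example (not from the newsletter, Solar 4RAYS, or any other cited source) of a correlation check over constructed network telemetry: a non-browser process that contacts one of the named services and shortly afterwards connects to a host outside the known-good list. The log format, process names, destination hostnames and the 10-minute window are all assumptions for the example.

```python
from datetime import datetime, timedelta

# Services the newsletter reports being abused as dead drops; the hostnames are
# a constructed choice (public web front ends). Extend from your own telemetry.
DEAD_DROP_HOSTS = {"open.spotify.com", "www.chess.com"}
# Processes for which traffic to those services is expected (constructed list).
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "spotify.exe"}
WINDOW = timedelta(minutes=10)


def parse_event(line: str) -> dict:
    """Parse one constructed log line: '<iso-timestamp> <process> <pid> <dst-host>'."""
    ts, proc, pid, host = line.split()
    return {"ts": datetime.fromisoformat(ts), "proc": proc.lower(),
            "pid": int(pid), "host": host.lower()}


def detect_ddr(lines: list[str], known_good: set[str]) -> list[dict]:
    """Flag a non-browser process that contacts a dead-drop service and then,
    within WINDOW, connects to a host that is neither the drop site nor on the
    known-good list: the resolver fetch followed by the real C2 connection."""
    by_proc: dict[tuple, list] = {}
    for ev in sorted((parse_event(l) for l in lines), key=lambda e: e["ts"]):
        by_proc.setdefault((ev["proc"], ev["pid"]), []).append(ev)
    findings = []
    for (proc, pid), evs in by_proc.items():
        if proc in EXPECTED_CLIENTS:
            continue
        for i, ev in enumerate(evs):
            if ev["host"] not in DEAD_DROP_HOSTS:
                continue
            for nxt in evs[i + 1:]:
                if nxt["ts"] - ev["ts"] > WINDOW:
                    break
                if nxt["host"] not in DEAD_DROP_HOSTS and nxt["host"] not in known_good:
                    findings.append({"proc": proc, "pid": pid, "drop": ev["host"],
                                     "candidate_c2": nxt["host"],
                                     "at": nxt["ts"].isoformat()})
                    break
    return findings


# Constructed sample telemetry; process names and destinations are placeholders.
SAMPLE_LOG = [
    "2026-03-12T09:14:02 chrome.exe 4120 open.spotify.com",
    "2026-03-12T09:14:05 chrome.exe 4120 cdn.ads.example",
    "2026-03-12T09:15:10 svchost.exe 812 www.chess.com",
    "2026-03-12T09:15:12 svchost.exe 812 api.vendor.example",
    "2026-03-12T09:15:13 svchost.exe 812 n7k2.update-relay.invalid",
    "2026-03-12T09:40:00 updater.exe 2210 open.spotify.com",
    "2026-03-12T09:40:01 updater.exe 2210 api.vendor.example",
]
KNOWN_GOOD = {"api.vendor.example"}

if __name__ == "__main__":
    for f in detect_ddr(SAMPLE_LOG, KNOWN_GOOD):
        print(f"{f['proc']}[{f['pid']}] fetched {f['drop']} then contacted "
              f"{f['candidate_c2']} at {f['at']}")
```

Because the dead-drop fetch itself is indistinguishable from legitimate traffic at the domain level, the process context is what carries the signal; a block list of C2 domains alone misses it, as the takeaway notes.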
Financial sector

BRUSHWORM & BRUSHLOGGER

Elastic discovered two previously unknown custom malware components targeting a South Asian financial institution. BRUSHWORM acts as a modular payload framework while BRUSHLOGGER provides keylogging capabilities. The toolkit also includes USB spreading functionality, suggesting air-gapped network targeting as a secondary objective.

25 IOCs
Proxyware

NodeJS Proxyware Campaign

Walmart Global Tech documented a campaign deploying NodeJS backdoors to silently install proxyware apps on victim machines, monetizing compromised bandwidth without the user's knowledge. Persistence is maintained through scheduled tasks, registry modifications, and malicious Chrome extensions. Over 100 IOCs documented.

103 IOCs
Obfuscation

FAUX#ELEVATE VBScript Campaign

Targeting French HR departments, FAUX#ELEVATE uses heavily obfuscated VBScript to deploy backdoors, cryptominers, and credential stealers, then exfiltrates data via encrypted email channels. The HR targeting is deliberately timed to payroll cycles when unusual file attachments raise fewer red flags.

51 IOCs
ADS Evasion

PowerShell ADS Remover

A malicious script documented by SANS ISC uses PowerShell to strip the Windows Alternate Data Stream (ADS) Zone.Identifier from files after copying them — effectively removing the browser download warning that marks files as originating from the internet. A simple but effective anti-forensics technique during incident response.

6 IOCs
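The entry above describes a script that strips the Zone.Identifier stream after copying files. The following is an added example (not from the newsletter or the SANS ISC write-up) of detection logic over PowerShell script-block log records, flagging the documented cmdlets that remove that stream and raising severity when enumeration or copy cmdlets co-occur in the same block. The event records, process paths and record numbers are constructed; the record shape mirrors the ScriptBlockText field of Windows event 4104.

```python
import re

# Documented PowerShell ways to remove the Zone.Identifier stream (Mark-of-the-Web).
# Common aliases for Remove-Item are included; all patterns are case-insensitive.
MOTW_STRIP_PATTERNS = [
    ("unblock-file", re.compile(r"\bUnblock-File\b", re.I)),
    ("remove-item-stream", re.compile(
        r"\b(Remove-Item|ri|rm|del|erase)\b[^\n|;]*-Stream\s+['\"]?Zone\.Identifier", re.I)),
    ("clear-content-stream", re.compile(
        r"\bClear-Content\b[^\n|;]*-Stream\s+['\"]?Zone\.Identifier", re.I)),
]
# Enumeration or copy cmdlets in the same block suggest bulk stripping after a
# copy, rather than an administrator unblocking one download by hand.
BULK_RE = re.compile(
    r"\b(Get-ChildItem|gci|dir|ForEach-Object|foreach|Copy-Item|cp|copy)\b", re.I)


def detect_motw_stripping(events: list[dict]) -> list[dict]:
    """Scan 4104 script-block records and return one finding per block that
    strips Zone.Identifier; severity is 'high' when bulk cmdlets co-occur."""
    findings = []
    for ev in events:
        if ev.get("id") != 4104:
            continue
        text = ev["script"]
        hits = [name for name, rx in MOTW_STRIP_PATTERNS if rx.search(text)]
        if not hits:
            continue
        findings.append({
            "record": ev["record"],
            "techniques": hits,
            "severity": "high" if BULK_RE.search(text) else "medium",
        })
    return findings


# Constructed sample records shaped like the ScriptBlockText of event 4104.
SAMPLE_EVENTS = [
    {"record": 101, "id": 4104, "script":
     r"Copy-Item C:\Users\Public\stage\*.exe $env:TEMP; "
     r"Get-ChildItem $env:TEMP -Filter *.exe | ForEach-Object { "
     r"Remove-Item -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue }"},
    {"record": 102, "id": 4104, "script":
     r"Unblock-File -Path 'C:\Users\jdoe\Downloads\tool.zip'"},
    {"record": 103, "id": 4104, "script":
     r"Get-Content .\report.txt -Stream Zone.Identifier"},   # reads, does not strip
    {"record": 104, "id": 4103, "script":
     r"Remove-Item -Stream Zone.Identifier x.exe"},          # wrong event id, ignored
    {"record": 105, "id": 4104, "script": r"Write-Host 'backup finished'"},
]

if __name__ == "__main__":
    for f in detect_motw_stripping(SAMPLE_EVENTS):
        print(f"record {f['record']}: {f['severity']} ({', '.join(f['techniques'])})")
```

Script-block logging must be enabled for these records to exist at all, so the first defensive step is confirming that 4104 events are actually being collected from endpoints.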

Analyst Assessment: March 2026 in Context

March 2026 demonstrated three converging trends that security teams should internalize heading into Q2. First, the software supply chain is now a primary battleground — not a peripheral risk. The TeamPCP campaign showed how a single compromised CI/CD workflow can cascade to hundreds of downstream corporate environments. Every third-party package in your build pipeline is an implicit trust relationship that adversaries are actively probing.

Second, AI tooling is becoming an attack surface. CVE-2026-33017 in Langflow and the targeting of LiteLLM represent the beginning of what is likely to be a sustained pattern: as organizations rush to deploy AI infrastructure, security hardening of that infrastructure lags behind.

Third, the commodity cybercrime market continues to industrialize. New MaaS stealers like CrystalX and Torg Grabber ship with REST APIs, affiliate dashboards, and support channels. The barrier to operating as a threat actor continues to fall, even as the technical ceiling rises for the most sophisticated actors. The result is an ever-wider threat distribution that makes prioritization — rather than comprehensive coverage — the most critical security skill for defenders.

Sources

  1. Unit 42 / Palo Alto Networks, "Weaponizing the Protectors: TeamPCP's Multi-Stage Supply Chain Attack on Security Infrastructure"
  2. Sysdig, "TeamPCP Expands: Supply Chain Compromise Spreads from Trivy to Checkmarx GitHub Actions"
  3. Snyk, "How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM"
  4. Akamai, "The Telnyx PyPI Compromise and the 2026 TeamPCP Supply Chain Attacks"
  5. TechCrunch, "Mercor Says It Was Hit by Cyberattack Tied to Compromise of Open Source LiteLLM Project"
  6. Google Cloud / Mandiant GTIG, "North Korea Threat Actor Targets Axios npm Package"
  7. Tenable, "FAQ: The Axios npm Supply Chain Attack by UNC1069"
  8. KrebsOnSecurity, "CanisterWorm Springs Wiper Attack Targeting Iran"
  9. FBI FLASH / IC3, "Government of Iran Cyber Actors Deploy Telegram C2 to Push Malware to Identified Targets"
  10. Unit 42 / Palo Alto Networks, "Boggy Serpens Threat Assessment"
  11. The Hacker News, "Iran-Linked MuddyWater Hackers Target U.S. Networks With New Dindoor Backdoor"
  12. Group-IB, "Unmasking MuddyWater's New Malware Toolkit Driving International Espionage"
  13. PolySwarm, "PolyKG Discovers Previously Unreported OilRig Samples Using Stolen Cert"
  14. Censys, "Under CTRL: Dissecting a Previously Undocumented Russian .NET Access Framework"
  15. Group-IB, "Nice Try Tonto Team"
  16. Genians, "Analysis of the Spear-Phishing and KakaoTalk-Linked Threat Campaign by the Konni Group"
  17. The Hacker News, "Interlock Ransomware Exploits Cisco FMC Zero-Day CVE-2026-20131"
  18. SOCRadar, "Dark Web Profile: Beast Ransomware"
  19. ReliaQuest, "Casting a Wider Net: ClickFix, Deno, and LeakNet's Scaling Threat"
  20. Citrix, "NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2026-3055 and CVE-2026-4368"
  21. Langflow / GitHub, "Unauthenticated RCE via Public Flow Build Endpoint (CVE-2026-33017)"
  22. Seqrite, "Operation GhostMail: Russian APT Exploits Zimbra Webmail to Target Ukraine"
  23. Kaspersky, "CrystalX RAT: A Trojan for Pranks, Remote Access, and Cryptocurrency Theft"
  24. BleepingComputer, "New Torg Grabber Infostealer Malware Targets 728 Crypto Wallets"
  25. Zscaler ThreatLabz, "Latest Xloader Obfuscation Methods and Network Protocol"
  26. Group-IB, "Phantom Stealer: Credential Theft as a Service"
  27. GData Software, "When Malware Talks Back: Real-Time Interaction with a Threat Actor During the Analysis of Kiss Loader"
  28. Sekoia, "Silver Fox: The Only Tax Audit Where the Fine Print Installs Malware"
  29. Elastic Security Labs, "Illuminating VoidLink"
  30. Elastic Security Labs, "Elastic Security Labs Uncovers BRUSHWORM and BRUSHLOGGER"
  31. SANS ISC, "SmartApeSG Campaign Pushes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT"

This post was generated with Claude by Anthropic, based on source reporting from the publications listed above.