![Cybersecurity News | Daily Recap [20 Mar 2026]](https://www.hendryadrian.com/tweet/image/DailyRecap.png "Cybersecurity News | Daily Recap [20 Mar 2026]")
Daily Recap, Iran-linked Handala resurged with a new domain after U.S. seizures, with authorities tying the actor to MOIS and investigators linking destructive Stryker wipes to the campaign as CISA/FBI warned about hardening Microsoft Intune. In the nation-state and supply-chain space, APT28 exploited a high-severity Zimbra CVE-2025-66376 against Ukrainian government mail, Lazarus/Bluenoroff suspected in Bitrefill, Speagle hijacked Cobra DocGuard to exfiltrate data, and Interlock ransomware abused a Cisco zero-day CVE-2026-20131.
#Handala #MOIS #Stryker #Intune #APT28 #Lazarus #Bluenoroff #Speagle #CobraDocGuard #Interlock #Zimbra #Cisco
#Handala #MOIS #Stryker #Intune #APT28 #Lazarus #Bluenoroff #Speagle #CobraDocGuard #Interlock #Zimbra #Cisco
Iran-Linked Ops
- The Iran-linked Handala group resurfaced with a new domain hours after U.S. seizures, while authorities linked the actor to the MOIS, seized leak sites, and investigators tied destructive Stryker wipes of roughly 80,000â200,000 devices to the campaign as CISA/FBI warned about hardening Microsoft Intune â Handala Return, Handala Link, Handala Seizure, Intune Warning
- Analysts report a preâstrike buildup of Iran-linked infrastructure and dozens of coordinated hacktivist/APT operations used in postâstrike responses across the region â Iran Buildup, Weekly Roundup
Nation-State & Supply-Chain
- APT28 exploited a highâseverity CVE-2025-66376 Zimbra flaw to hit Ukrainian government mail, North Koreaâlinked Bluenoroff/Lazarus likely breached Bitrefill, supplyâchain malware Speagle hijacked Cobra DocGuard to exfiltrate data, and Interlock ransomware abused a Cisco zeroâday CVE-2026-20131 in disruptive attacks â Zimbra Exploit, Bitrefill Claim, Speagle SupplyâChain, Interlock Cisco
Vulnerabilities & Updates
- Microsoftâs March Windows 11 update KB5079473 broke Microsoft account signâins across Teams, OneDrive and other apps, prompting workarounds and outâofâband fixes â KB5079473 Break
- A critical ScreenConnect flaw was disclosed that exposes machine keys and risks remote compromise of affected remoteâaccess deployments â ScreenConnect Flaw
Webstore Attacks
- Thousands of Magento eâstores were hit in an ongoing defacement campaign while a new PolyShell flaw allows unauthenticated RCE on Magento sites, amplifying risk to online merchants â Magento Defacements, PolyShell RCE
Mobile Malware
- Indian users were targeted by an Android campaign using fake eChallan SMS lures that install multiâstage droppers to intercept traffic and steal finances, and researchers found a new trojan Perseus hiding in IPTV apps to keylog and steal notes in Turkey and Italy â eChallan Campaign, Perseus Trojan
Attack Techniques
- Researchers documented 54 EDR killers abusing 34 signed vulnerable drivers via the BYOVD technique (eg. DemoKiller, EDRSilencer, Reynolds), while a ThreatsDay bulletin flagged nascent FortiGate RaaS activity, stealthy loaders, and refined phishing chains â BYOVD Report, ThreatsDay Bulletin
Botnets & Takedown
- U.S., German and Canadian actions disrupted commandâandâcontrol for the Aisuru, KimWolf, JackSkid and Mossad IoT botnetsâwhich had launched record DDoS assaults (including Aisuruâs 31.4 Tbps)âto curb further mass attacks on targets such as the DoD network â Botnet Disruption
Data Breaches
- Multiple breaches disclosed this week include Navia exposing roughly 2,697,540 peopleâs plan and PII data, Aura leaking about 900,000 marketing records after phone phishing, Marquis impacting ~672,000 individuals via a SonicWall exploitation, and Bitrefill revealing ~18,500 purchase records tied to a Lazarusâstyle intrusion â Navia Breach, Aura Breach, Marquis Breach, Bitrefill Incident
Funding & Startups
- Investment rounds: Eclypsium raised $25M to expand device supplyâchain coverage for AI servers, Cape raised $100M for cellular security protections, Oasis Security raised $120M for agentic access management, 1stProtect emerged with $20M, and Allure raised $17M for online brand protection â Eclypsium $25M, Cape $100M, Oasis $120M, 1stProtect $20M, Allure $17M
Fraud & Extortion
- A musician pled guilty to an AIâpowered streaming fraud scheme that generated over $10M via bot streams across platforms (forfeiting ~$8.09M), and a former data analyst was convicted for stealing payroll/corporate data and attempting a $2.5M extortion against Brightly â Streaming Fraud, Analyst Extortion
Policy & Oversight
- U.S. intel chiefs urged Congress for a clean 18âmonth extension of Section 702 FISA authorities amid pushback for privacy safeguards, while the White House rejected proposals to authorize private âletters of marqueâ for offensive cyber operations â Section 702, Letters of Marque
Guidance & Best Practices
- Practical defenses to stop privilege escalation via passwordâreset workflows include phishingâresistant MFA, device posture checks, strict policies, auditing, and removing knowledgeâbased checks to reduce lateral movement risk â Password Reset Tips