Daily Recap: this edition surveys a spectrum of state-backed espionage, supply-chain threats, and incidents, noting CL-STA-1087’s long-running campaign against Southeast Asian militaries using AppleChris, MemFun, Getpass and UTC+8 activity patterns, the PlugX backdoor campaign in the Middle East, and the AI-assisted wiping and related operations of Void Manticore, the Iranian actor linked to the Handala Hack persona. It also highlights GlassWorm’s Open VSX campaign, Betterleaks’ secrets-scanner release, Payload Ransomware’s Royal Bahrain Hospital breach, and policy shifts around the EU AI Act and Android 17 security enhancements.
#CLSTA1087 #AppleChris #MemFun #Getpass #PlugX #HandalaHack #VoidManticore #UNC2814 #RoyalBahrainHospital #PayloadRansomware #GlassWorm #Betterleaks #EUAIAct #Android17 #PolandNuclearResearchCenter
APT & Espionage
- China-linked group CL-STA-1087 ran a long-term campaign against Southeast Asian militaries stealing C4I and structure files using custom tools (AppleChris, MemFun, Getpass) and persistent PowerShell/WMI/DLL-hijack techniques with UTC+8 activity patterns – Asian Espionage
- Threat actors leveraged renewed Middle East conflict with Arabic lures and multi-stage LNK/CHM droppers to deploy an evolved PlugX backdoor using HTTPS/DoH C2 and advanced obfuscation – PlugX Campaign
- Check Point links the online persona Handala Hack to Iranian actor Void Manticore, which uses AI-assisted PowerShell wiping, layered disk-encryption wiping, NetBird tunneling and RDP deletions against Israel, the US, and others – Handala Wipers
- China demanded technical proof after Costa Rica blamed cyberespionage group UNC2814 for an ICE email breach and proposed UN/bilateral review mechanisms amid diplomatic tensions – UNC2814 Dispute
- A hacking attempt was reported at Poland’s nuclear research center, prompting investigation into targeted intrusion activity on critical infrastructure – Poland Attempt
Supply Chain & Dev Security
- GlassWorm expanded in the Open VSX ecosystem by publishing at least 72 malicious extensions, abusing manifest fields for transitive installs, impersonating developer tools, and updating loader obfuscation including Solana memo dead drops – GlassWorm Spread
- Betterleaks, authored by the Gitleaks creator, debuts as an MIT-licensed secrets scanner with CEL rule validation, BPE token-efficient scanning achieving 98.6% recall, pure-Go implementation, automatic decoding and planned LLM-assisted revocation – Betterleaks Tool
Incidents & Ransomware
- Payload Ransomware claims to have hacked Royal Bahrain Hospital, stealing and publishing proofs of 110 GB of data and threatening public release if ransom is not paid by March 23, using ChaCha20/Curve25519 and deleting shadow copies – Payload Hack
AI Policy & Legal
- The European Council advanced amendments to the EU AI Act proposing a ban on AI nudification tools, tighter sensitive-data rules and reinstated high-risk AI registration while legal experts warn businesses to vet AI use cases with governance, Use Case Assessments and privilege-aware handling to avoid data exposure and litigation – EU AI Act, AI Legal Risks
Platform Security
- Google’s Android 17 Beta 2 hardens Advanced Protection Mode by blocking non-accessibility apps from the AccessibilityService API and auto-revoking permissions while adding a contacts picker and AdvancedProtectionManager API for developers – Android 17
Resources
- Weekly threat research roundup and short-form recaps for the security community – Weekly Recap