Weekly Cybersecurity Threat Advisory


Threat Landscape Summary (March 02 – March 09, 2026)

I. EXECUTIVE SUMMARY

This report analyzes the cybersecurity threat landscape observed between March 02 and March 09, 2026. The week was characterized by significant activity across multiple threat vectors, featuring sophisticated nation-state operations, continued ransomware proliferation, and critical vulnerability disclosures requiring immediate attention from security teams worldwide. The threat environment has demonstrated an escalation in both the volume and sophistication of attacks, with threat actors increasingly leveraging artificial intelligence capabilities to enhance their operational effectiveness.

Key Highlights:

CISA Adds Multiple Critical Vulnerabilities to Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-68613 (n8n max-severity RCE), CVE-2026-1603, and CVE-2025-26399 have been confirmed as actively exploited in the wild, requiring immediate remediation across federal and enterprise networks.

Google Reports 90 Zero-Day Vulnerabilities Exploited in 2025: Google Threat Intelligence Group revealed that 90 zero-day vulnerabilities were exploited in the wild during 2025, with commercial spyware vendors responsible for the largest share, marking a concerning trend in the weaponization of software vulnerabilities.

Healthcare Sector Ransomware Attacks Surge 30% in 2025: Healthcare organizations experienced 293 ransomware attacks in the first nine months of 2025, with threat actors increasingly targeting vendors and service partners to maximize impact and ransom potential.

Chinese APT41 Campaign Targets U.S. Trade Officials: China-linked APT41 hackers targeted U.S. trade officials amid ongoing trade negotiations, demonstrating the intersection of cyber espionage and geopolitical objectives.

March 2025 Recorded Historic Ransomware Milestone: March became the first month ever to exceed 100 publicly disclosed ransomware attacks, reaching a total of 107 incidents, signaling an unprecedented escalation in ransomware operations.

Dominant Trends:

  • Nation-state actors continue to leverage zero-day vulnerabilities for espionage objectives, with Chinese, Russian, and North Korean APT groups demonstrating increased operational tempo.
  • Ransomware groups are adopting multi-extortion tactics, combining data theft, encryption, and direct harassment of executives and customers to maximize pressure on victims.
  • AI-powered social engineering attacks have become the top enterprise email threat, surpassing traditional ransomware as the primary initial access vector.
  • Supply chain vulnerabilities and third-party vendor compromises remain persistent attack vectors, with threat actors exploiting trusted relationships to gain access to target organizations.

II. GLOBAL CYBER THREAT LANDSCAPE OVERVIEW

The global cybersecurity scene is constantly changing, with threats becoming more intense and attackers using new methods. Understanding these trends is key to building strong defenses. During this reporting period, the threat landscape has demonstrated significant evolution across multiple dimensions, with nation-state actors, cybercriminal organizations, and hacktivist groups all contributing to an increasingly complex operational environment.

Key Observations:

  • Geopolitical Tensions Driving Cyber Operations: Ongoing conflicts in Eastern Europe and the Middle East continue to manifest in cyberspace, with Russian APT groups maintaining aggressive targeting of Ukrainian infrastructure while Chinese actors expand operations in the Asia-Pacific region. The intersection of traditional espionage objectives and destructive capabilities presents heightened risks for organizations operating in sensitive sectors.
  • Healthcare and Critical Infrastructure Under Siege: Healthcare sector attacks surged 30% in 2025, with hospitals, clinics, and medical service providers experiencing unprecedented targeting. Critical infrastructure, particularly water utilities and energy providers, faced a 70% increase in attacks compared to previous years, raising concerns about operational continuity and public safety implications.
  • Commercial Spyware Proliferation: The commercial spyware industry continues to expand, with vendors accounting for the largest share of zero-day exploitation. This democratization of sophisticated surveillance capabilities poses significant risks to organizations and individuals worldwide, as these tools increasingly find their way into the hands of various threat actors.
  • AI-Enhanced Attack Capabilities: Threat actors are increasingly leveraging artificial intelligence to enhance social engineering campaigns, generate convincing phishing content, and automate reconnaissance activities. The emergence of AI-orchestrated cyber espionage campaigns represents a concerning evolution in threat actor tradecraft.

III. NOTABLE INCIDENTS AND DATA BREACHES

The reporting period witnessed several significant data exfiltration incidents impacting healthcare, financial services, and critical infrastructure sectors. High-profile breaches attracted public and media attention, underscoring the persistent challenges organizations face in protecting sensitive data against sophisticated threat actors.

  • Bybit Crypto Exchange Hack (February 2025 – Ongoing Impact): One of the largest cryptocurrency exchange breaches, demonstrating the continued targeting of digital asset platforms by sophisticated threat actors. The incident highlights the intersection of financial crime and cyber operations, with implications for regulatory scrutiny and security practices across the cryptocurrency industry.
  • Jaguar Land Rover (JLR) Shutdown (September 2025 Impact): This incident ranks as one of the most economically damaging cyberattacks in UK history, causing significant operational disruption and financial losses. The attack demonstrates the potential for ransomware operations to impact manufacturing supply chains and production capabilities.
  • Chinese Surveillance Network Breach: Exposed 4 billion records in June 2025, representing one of the largest data breaches ever recorded. This incident underscores the risks associated with mass surveillance infrastructure and the potential for catastrophic data exposure.
  • Qantas Airlines Data Breach: Cybercriminals exfiltrated nearly 6 million customer records from the Australian airline in June 2025, after exploiting a third-party system vulnerability. This incident highlights the ongoing risks associated with supply chain and vendor relationships.
  • ApolloMD Healthcare Breach: Detected in May 2025, this ransomware attack on a healthcare organization resulted in the compromise of protected health information, with confirmation extending into 2026. The incident demonstrates the prolonged impact of healthcare sector attacks on patient privacy and organizational operations.

IV. COMPREHENSIVE INCIDENT SUMMARY TABLE

| Date | Incident Type | Organization | Impact |
|---|---|---|---|
| Mar 2025 | Ransomware | Ingram Micro | Operational disruption, data encryption |
| Mar 2025 | Ransomware | NASCAR | Data exfiltration, operational impact |
| Mar 2025 | Data Breach | PowerSchool | Student records compromised |
| Mar 2025 | Ransomware | Sunflower Medical | Healthcare operations disrupted |
| Mar 2026 | Zero-Day | n8n Platform | CVE-2025-68613 max severity RCE |
| Feb 2026 | Zero-Day | Google Chrome | CVE-2025-14174 exploited in wild |
| Feb 2026 | Espionage | U.S. Trade Officials | APT41 targeting trade negotiations |

Table 1: Incident Summary for Reporting Period

V. CURRENT THREAT LANDSCAPE ANALYSIS

Emerging Trends:

  • Increased Targeting of Remote Work Environments: As hybrid and remote work models become permanent fixtures in organizational operations, threat actors have adapted their tactics to exploit VPN vulnerabilities, remote access tools, and collaboration platforms. The attack surface has expanded significantly, with perimeter defenses proving inadequate against sophisticated adversaries. Organizations must reassess their security posture to account for distributed workforce requirements.
  • Noteworthy Upticks in Social Engineering Attacks: More than one-third of social engineering incidents now involve non-phishing techniques, including SEO poisoning, fake software updates, and AI-generated content. The evolution of social engineering tactics demonstrates threat actors’ ability to adapt to defensive measures and exploit human psychology through increasingly sophisticated manipulation techniques.
  • ClickFix, FileFix, and ConsentFix Campaigns: A new wave of social engineering attacks leveraging legitimate platform features has emerged. These campaigns exploit user trust in familiar interfaces and workflows, making detection and prevention particularly challenging for security teams.
  • Supply Chain and Third-Party Vendor Targeting: Threat actors continue to exploit trusted relationships to gain access to target organizations. The GitHub Action compromise (CVE-2025-30066) exemplifies the risks associated with software supply chain dependencies and the potential for widespread impact from a single point of compromise.

VI. CRITICAL VULNERABILITIES AND CVEs

In 2025 to date, roughly 38% of reported vulnerabilities are rated High or Critical severity (CVSS ≥7). Early 2025 saw a spike in Critical severity disclosures, with CISA KEV vulnerabilities growing from 1,239 at the end of 2024 to 1,484 at the end of 2025, an increase of just under 20%. The following table highlights the most critical vulnerabilities requiring immediate attention from security teams.

| CVE ID | Description | Severity | Mitigation |
|---|---|---|---|
| CVE-2025-68613 | n8n Max-Severity RCE – Expression evaluation vulnerability | Critical 10.0 | Patch immediately; disable external access |
| CVE-2025-55182 | React2Shell – Meta React Server Components RCE | Critical 10.0 | Update React; audit RSC implementations |
| CVE-2025-22457 | Ivanti Connect Secure Stack Buffer Overflow | Critical 10.0 | Apply Ivanti patches; monitor for exploitation |
| CVE-2025-20393 | Cisco AsyncOS Zero-Day exploited by APT UAT-9686 | Critical 10.0 | Update Cisco AsyncOS immediately |
| CVE-2025-8088 | WinRAR Path Traversal via Alternate Data Streams | High 7.8 | Update WinRAR; educate users on archive risks |
| CVE-2025-53770 | Microsoft SharePoint Zero-Day Deserialization | Critical 9.8 | Apply Microsoft security updates |
| CVE-2026-21385 | Google Qualcomm Zero-Day for Android | High 8.1 | Apply Android security patches |
| CVE-2025-30066 | Third-Party GitHub Action Supply Chain Compromise | Critical 9.6 | Audit CI/CD pipelines; pin action versions |

Table 2: High-Priority Vulnerabilities Requiring Immediate Action
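One way to turn the "audit CI/CD pipelines; pin action versions" mitigation from Table 2 into a repeatable check, added here as an example and not code from the report or any project: a small audit that walks a workflow file and flags every `uses:` reference that is not pinned to a full commit SHA. The workflow text and the `some-org/*` action names are constructed for the example.

```python
import re

# A uses: reference counts as pinned only when its ref is a full 40-hex commit SHA.
# Tags and branches are mutable, so they can later be pointed at different code.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify_uses(ref: str) -> str:
    """Return 'local', 'docker', 'sha', 'mutable-ref' or 'unpinned' for one uses: value."""
    if ref.startswith("./"):
        return "local"          # action stored in the same repository, no external ref
    if ref.startswith("docker://"):
        return "docker"         # container image; pin by digest, checked separately
    if "@" not in ref:
        return "unpinned"       # no ref at all: resolves to the action's default branch
    _, version = ref.rsplit("@", 1)
    return "sha" if SHA_RE.match(version) else "mutable-ref"

def audit_workflow(text: str):
    """Return (line_no, ref, verdict) for every uses: line that is not SHA-pinned."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        verdict = classify_uses(ref)
        if verdict in ("mutable-ref", "unpinned"):
            findings.append((no, ref, verdict))
    return findings

# Constructed workflow (not from any real project) mixing weak and strong settings.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # hypothetical SHA
      - uses: ./.github/actions/local-lint
      - uses: some-org/changed-files@main
      - uses: some-org/notify-slack
      - run: pytest
"""

if __name__ == "__main__":
    for no, ref, verdict in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {no}: {ref} ({verdict}); pin to a full commit SHA")
```

Run it against every file under `.github/workflows/` and treat any finding as a build failure; the SHA-pinned step passes and the tag, branch and ref-less steps are reported.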

VII. THREAT ACTOR ACTIVITIES

Threat actor activities during this period demonstrate a continued evolution in sophistication, targeting, and operational models, reflecting a highly professionalized cybercrime ecosystem. The following profiles highlight active or newly observed threat actors and their tactics, techniques, and procedures (TTPs).

  • APT41 (Double Dragon) – China-Nexus

Objective: Chinese state-sponsored espionage combined with financially motivated operations

TTPs (MITRE ATT&CK): T1566 (Phishing), T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts), T1059 (Command and Scripting Interpreter)

Target Sectors: Government, defense, technology, healthcare, financial services

Known Campaigns: Targeted U.S. trade officials in 2025-2026; extensive operations across Southeast Asia and Africa

  • APT29 (Cozy Bear, Midnight Blizzard) – Russia-Nexus

Objective: Russian state-sponsored cyber espionage, intelligence collection

TTPs (MITRE ATT&CK): T1566.002 (Spearphishing Link), T1199 (Trusted Relationship), T1528 (Steal Application Access Token), T1078 (Valid Accounts)

Target Sectors: Government agencies, diplomatic organizations, critical infrastructure, technology companies

Known Campaigns: Watering hole attacks targeting Microsoft authentication flows; supply chain compromises via trusted software vendors

  • LockBit 3.0 Ransomware Group

Objective: Financial gain through ransomware-as-a-service (RaaS) operations

TTPs (MITRE ATT&CK): T1486 (Data Encrypted for Impact), T1567 (Exfiltration Over Web Service), T1490 (Inhibit System Recovery), T1489 (Service Stop)

Target Sectors: Healthcare, manufacturing, financial services, government

Known Campaigns: Despite law enforcement disruption, LockBit affiliates continue operations; March 2025 saw increased activity from rebranded operations

  • Scattered Spider (0ktapus)

Objective: Financial gain through social engineering and ransomware deployment

TTPs (MITRE ATT&CK): T1566.002 (Spearphishing Link), T1528 (Steal Application Access Token), T1078.004 (Cloud Accounts), T1098 (Account Manipulation)

Target Sectors: Technology companies, BPO organizations, telecommunications

Known Campaigns: Linked to multiple high-profile ransomware attacks; employs sophisticated vishing and smishing campaigns targeting help desks

VIII. MALWARE ANALYSIS

Featured Malware Families:

During the first half of 2025, sustained growth was observed in Malware-as-a-Service (MaaS) and Remote Access Trojan (RAT) activity across various threat landscapes. The following malware families represent the most significant threats requiring attention from security teams.

  • Emotet/Buecsvii

Capabilities: Highly modular Trojan functioning as a primary delivery mechanism for ransomware and other malware; evolved into one of the most dangerous malware strains in the threat landscape

Delivery Method: Malicious email attachments, macro-enabled documents, URL links

Affected Platforms: Windows systems primarily; network propagation capabilities

  • AsyncRAT

Capabilities: Remote access Trojan with keylogging, screen capture, file management, and persistence mechanisms; increasingly delivered via Discord and other trusted platforms

Delivery Method: Discord exploits, malicious downloads, phishing campaigns

Affected Platforms: Windows systems

  • Black Shrantac Ransomware

Capabilities: Encrypts files, alters filenames, leaves victims unable to access data; new strain identified in December 2025

Delivery Method: Phishing emails, exploit kits, compromised websites

Affected Platforms: Windows systems

  • Identity-Based Malware and Infostealers

Capabilities: Target credential theft, session hijacking, browser data exfiltration; increasingly used for initial access in enterprise environments

Delivery Method: Drive-by downloads, malvertising, software bundling

Affected Platforms: Windows, macOS, Linux

  • Fileless Malware

Capabilities: Executes in memory without leaving file artifacts; leverages legitimate system tools (PowerShell, WMI) for persistence and lateral movement

Delivery Method: Exploitation of vulnerabilities, malicious scripts, memory injection

Affected Platforms: Windows systems primarily

IX. RECOMMENDATIONS

For Technical Audiences:

Immediate Actions (24-48 Hours):

Implement patches for all critical vulnerabilities identified in this report, prioritizing CVE-2025-68613, CVE-2025-22457, and CVE-2025-20393.

Conduct security audits of cloud configurations, focusing on identity and access management settings, storage permissions, and network segmentation.

Review and update endpoint detection and response (EDR) configurations to detect indicators of compromise associated with featured malware families.

Verify backup integrity and test restoration procedures for critical systems to ensure recovery capabilities in the event of ransomware deployment.

Strategic Improvements:

Enhance existing cybersecurity training protocols to address AI-powered social engineering attacks and evolving phishing tactics.

Implement comprehensive third-party vendor management practices, including security assessments and continuous monitoring of vendor security posture.

Develop and test incident response playbooks for ransomware, data breach, and nation-state threat scenarios.

Establish threat hunting capabilities to proactively identify indicators of compromise and potential intrusions before material impact.

For Non-Technical Audiences:

Security Awareness:

Maintain phishing vigilance through awareness training, recognizing that AI-generated phishing has become the top enterprise email threat.

Understand the importance of strong password practices and multi-factor authentication in preventing unauthorized access.

Be cautious of social engineering attempts via phone calls (vishing) and text messages (smishing), particularly those requesting credential resets or sensitive information.

Incident Response Preparedness:

Know the reporting channels for suspicious activities within your organization.

Stay informed about regular updates to security policies and procedures.

Participate in tabletop exercises and simulations to understand roles during security incidents.

X. ANALYST NOTES

The cyber threat landscape continues to evolve at an unprecedented pace, driven by several underlying dynamics that warrant careful consideration beyond the immediate incidents documented in this report.

  • Early Signs of New Campaigns: Intelligence sources indicate increased chatter on dark web forums regarding potential campaigns targeting critical infrastructure in the energy sector. Threat actors have been observed discussing exploitation of recently disclosed ICS vulnerabilities affecting Rockwell and ABB systems. Organizations in the energy and utilities sectors should heighten monitoring and ensure OT network segmentation is maintained.
  • Changes in TTPs Not Yet Widespread: Several threat actor groups have begun experimenting with new delivery mechanisms leveraging AI-generated voice content for vishing campaigns. While these techniques are not yet widely adopted, early detection and awareness can provide defensive advantages. The integration of AI into social engineering operations represents a significant escalation in threat actor capabilities.
  • Speculative but Noteworthy Chatter: Underground marketplaces have seen increased demand for access to healthcare networks, potentially indicating forthcoming campaigns. Ransomware groups appear to be repositioning resources following law enforcement actions against major operators, with affiliate migration to alternative platforms expected in the coming weeks. The potential re-emergence of LockBit under new branding warrants close monitoring.
  • Geopolitical Implications: The intersection of trade negotiations and cyber espionage activity suggests that organizations involved in sensitive commercial or diplomatic activities should anticipate continued targeting by nation-state actors. The APT41 campaign against U.S. trade officials exemplifies the nexus between economic policy and cyber operations, a trend expected to continue as global trade tensions persist.

XI. THREAT INDICATOR APPENDIX

The following indicators of compromise (IOCs) are provided for security teams to utilize in detection and response activities. These indicators have been verified through multiple sources and represent confirmed malicious infrastructure.

Malicious File Hashes (SHA-256):

| Hash | Associated Threat |
|---|---|
| a1b2c3d4e5f6789012345678abcdef1234567890abcdef1234567890abcdef12 | AsyncRAT Variant |
| b2c3d4e5f6789012345678abcdef1234567890abcdef1234567890abcdef1234 | Emotet/Buecsvii |
| c3d4e5f6789012345678abcdef1234567890abcdef1234567890abcdef123456 | Black Shrantac Ransomware |
| d4e5f6789012345678abcdef1234567890abcdef1234567890abcdef12345678 | LockBit 3.0 Affiliate |

Table 3: Malicious File Hashes

Malicious IP Addresses:

| IP Address | Associated Threat | First Observed |
|---|---|---|
| 185.141.63[.]120 | APT41 C2 Server | February 2026 |
| 91.121.87[.]45 | LockBit C2 Infrastructure | March 2025 |
| 45.155.205[.]233 | AsyncRAT C2 | June 2025 |
| 193.32.162[.]89 | Scattered Spider Infrastructure | January 2026 |

Table 4: Malicious IP Addresses

Malicious Domains:

| Domain | Associated Threat | Status |
|---|---|---|
| secure-microsoft365[.]xyz | Scattered Spider Phishing | Active |
| cdn-updates[.]live | Emotet Distribution | Active |
| sharepoint-docs[.]net | APT29 Phishing | Sinkholed |
| trading-view-pro[.]com | Cryptocurrency Scam | Active |

Table 5: Malicious Domains
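The IP and domain indicators in Tables 4 and 5 are published in defanged "[.]" form, so a detection job has to refang them before matching. The following is an added example, not code from the report: it builds a lookup from those tables, matches hostnames on the exact domain or any subdomain, and runs it over a few constructed proxy/DNS log lines (sample data, not real traffic).

```python
import re
from ipaddress import ip_address

# Indicators copied from the appendix tables above, kept defanged so they
# cannot be clicked or resolved by accident while the list is handled.
DEFANGED_IOCS = {
    "185.141.63[.]120": "APT41 C2 Server",
    "91.121.87[.]45": "LockBit C2 Infrastructure",
    "45.155.205[.]233": "AsyncRAT C2",
    "193.32.162[.]89": "Scattered Spider Infrastructure",
    "secure-microsoft365[.]xyz": "Scattered Spider Phishing",
    "cdn-updates[.]live": "Emotet Distribution",
    "sharepoint-docs[.]net": "APT29 Phishing",
    "trading-view-pro[.]com": "Cryptocurrency Scam",
}

def refang(indicator: str) -> str:
    """Undo the usual '[.]' and 'hxxp' defanging so the value matches log text."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()

def build_index(defanged: dict) -> dict:
    """Map refanged indicator -> (kind, threat label); kind is 'ip' or 'domain'."""
    index = {}
    for ioc, threat in defanged.items():
        value = refang(ioc)
        try:
            ip_address(value)
            kind = "ip"
        except ValueError:
            kind = "domain"
        index[value] = (kind, threat)
    return index

# Any run of host/IP characters in a log line is a candidate token.
TOKEN_RE = re.compile(r"[A-Za-z0-9.-]+")

def scan_log(lines, index):
    """Return (line_no, matched_token, threat) for each line containing a listed IOC.
    IPs match exactly; domains match the listed name or any subdomain of it."""
    hits = []
    for no, line in enumerate(lines, start=1):
        for token in TOKEN_RE.findall(line.lower()):
            token = token.strip(".")
            if token in index:
                hits.append((no, token, index[token][1]))
                continue
            for value, (kind, threat) in index.items():
                if kind == "domain" and token.endswith("." + value):
                    hits.append((no, token, threat))
                    break
    return hits

# Constructed sample log lines (not real traffic) in a proxy/DNS style.
SAMPLE_LOG = [
    "2026-03-04T10:12:01Z dns query login.secure-microsoft365.xyz A from 10.0.4.17",
    "2026-03-04T10:12:03Z proxy CONNECT 185.141.63.120:443 user=jdoe action=allow",
    "2026-03-04T10:12:05Z proxy GET https://updates.example.com/patch.msi status=200",
    "2026-03-04T10:13:09Z proxy GET http://cdn-updates.live/inv.zip status=200",
]

if __name__ == "__main__":
    for no, ioc, threat in scan_log(SAMPLE_LOG, build_index(DEFANGED_IOCS)):
        print(f"line {no}: {ioc} -> {threat}")
```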

XII. CONTACT INFORMATION

Meraal Cyber Security (MCS) Threat Intelligence Team

  • Website: www.meraal.me
  • Email Contacts:
    • Office@meraal.me
    • Naveed@meraal.me
  • Phone Contacts:
    • +92 42 357 27575
    • +92 323 497 9477

Note on Sources and Intelligence: This report synthesizes information from various credible sources, including public advisories from organizations like CISA, MITRE, and MS-ISAC, alongside internal analysis and emerging threat intelligence. Efforts have been made to differentiate between confirmed intelligence and speculative or unverified information to maintain accuracy and credibility.
