
Threat Alerts

Your place for the latest CyberProof cyber threat intelligence alerts and updates


Active Exploitation of Critical FortiClient EMS Vulnerability CVE-2026-35616

06-Apr-2026
Label: Vulnerability
Threat Level: Medium

A critical vulnerability affecting Fortinet FortiClient EMS is being actively exploited in the wild, prompting the release of out-of-band patches. The flaw, tracked as CVE-2026-35616 with a CVSS score of 9.1, is a pre-authentication API access bypass that allows unauthenticated attackers to escalate privileges. The issue stems from improper access control and enables threat actors to send crafted requests that bypass authentication mechanisms and execute unauthorized code or commands on affected systems.

The vulnerability impacts FortiClient EMS versions 7.4.5 and 7.4.6, and exploitation has already been observed in real-world attacks shortly after disclosure. Successful exploitation could grant attackers full control over vulnerable EMS instances, potentially leading to further network compromise, lateral movement, and deployment of additional payloads. This development follows closely after another critical FortiClient EMS vulnerability was also exploited, raising concerns about sustained targeting of this product.

Qilin Ransomware Deploys Advanced EDR Killer Capable of Disabling Security Tools

06-Apr-2026
Label: Ransomware
Threat Level: Medium

A recent analysis of Qilin ransomware activity reveals a highly sophisticated malware component designed to disable endpoint detection and response systems early in the infection chain. At the core of the campaign is a malicious DLL (“msimg32.dll”) that is side-loaded by legitimate applications and initiates a multi-stage execution flow entirely in memory. The loader employs advanced evasion techniques including SEH and VEH-based control flow obfuscation, API hashing, and indirect syscall execution to bypass user-mode hooks and suppress telemetry such as Event Tracing for Windows, allowing the payload to operate undetected.

The infection chain progresses through multiple staged loaders that decrypt and execute a final payload, an EDR killer capable of targeting and disabling hundreds of security products across different vendors. The malware leverages bring-your-own-vulnerable-driver techniques to load legitimate but exploitable drivers, enabling direct access to physical memory and kernel structures. It systematically unregisters monitoring callbacks used by EDR solutions, blinds detection mechanisms, and terminates protected security processes, effectively neutralizing defensive visibility on the compromised host.

In addition to its evasion capabilities, the malware demonstrates strong operational maturity through techniques such as geo-fencing, anti-debugging checks, and restoration of modified system components to hinder forensic analysis. This campaign highlights an ongoing trend where ransomware operators increasingly focus on disabling security controls as a first step, significantly improving their chances of successful persistence, lateral movement, and eventual payload deployment.

Google Chrome Zero-Day Exploited in the Wild

06-Apr-2026
Label: Vulnerability
Threat Level: Medium

Google has released a security update for its Chrome web browser to address a zero-day vulnerability that is actively being exploited in the wild. The flaw, tracked as CVE-2026-5281, is described by Google as a use-after-free vulnerability in Dawn, Chrome's WebGPU implementation. The issue was disclosed as part of a general security advisory, and users are strongly encouraged to apply the update as soon as possible.

A use-after-free vulnerability is a memory corruption issue that occurs when an application continues to access memory after it has already been freed. In this case, improper memory management within the Dawn component could allow unintended access to deallocated memory regions. The vulnerability affects Google Chrome versions prior to 146.0.7680.178, and successful exploitation requires the attacker to have already compromised the browser's renderer process.

Axios NPM Package Compromised with Remote Access Trojan

06-Apr-2026
Label: Vulnerability
Threat Level: Medium

The npm ecosystem has been impacted by a major supply chain attack involving the compromise of the axios package, one of the most widely used dependencies with over 300 million weekly downloads. An attacker hijacked the primary maintainer’s npm account and published malicious package versions that introduced a hidden dependency designed to deploy a cross-platform remote access trojan (RAT). Due to the widespread usage of axios, any systems that installed the affected versions prior to removal should be considered potentially compromised, highlighting the severe downstream impact such package-level compromises can have across development and production environments.

The attacker modified the maintainer account's email and, within a short window, manually published two malicious versions targeting both the 1.x and legacy 0.x branches, bypassing the standard GitHub Actions release process that uses OIDC trusted publishing. The only change was the addition of a dependency that was never imported anywhere in the codebase and existed solely to run a postinstall script. This dependency had been staged earlier by an attacker-controlled account that initially released a benign version before updating it with malicious functionality. The embedded dropper contacted a command-and-control server to deliver platform-specific payloads, including a disguised binary on macOS, a PowerShell script launched via a hidden VBScript on Windows, and a Python script on Linux. After execution, the malware deleted itself and overwrote the package metadata with a clean stub, so that conventional dependency analysis of the installed tree no longer shows anything amiss. Taken together, the account takeover, the pre-staged dependency and the self-cleaning dropper demonstrate a high level of sophistication in supply chain attack techniques.
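The pattern described above, a dependency that is declared but never imported and exists only to run an install script, can be checked mechanically before `npm install` is allowed to run lifecycle hooks. The script below is an added example written for this page, not code from CyberProof or from the axios project. The lockfile, the package name `example-postinstall-dep` and the source snippets are constructed for illustration; the one real mechanism it relies on is the `hasInstallScript` flag that npm writes into `packages` entries of lockfileVersion 2 and 3 files.

```python
"""Flag npm packages that run install-time scripts but are never imported by
the packages that depend on them.

Added example for this page, not CyberProof's or axios's code. SAMPLE_LOCK and
SAMPLE_SOURCES are constructed; only the lockfile field names are npm's.
"""
import json
import re
from typing import Dict, List, Set

# require('x'), import('x'), import ... from 'x', import 'x'
IMPORT_RE = re.compile(
    r"""(?:\brequire\s*\(\s*|\bimport\s*\(\s*|\bfrom\s+|\bimport\s+)['"]([^'"]+)['"]"""
)


def package_root(specifier: str) -> str:
    """Reduce an import specifier to its package name ('@scope/pkg/sub' -> '@scope/pkg')."""
    parts = specifier.split("/")
    if specifier.startswith("@") and len(parts) >= 2:
        return parts[0] + "/" + parts[1]
    return parts[0]


def imported_packages(source: str) -> Set[str]:
    """npm packages a JavaScript source text pulls in; relative paths and node: builtins are skipped."""
    names: Set[str] = set()
    for spec in IMPORT_RE.findall(source):
        if spec.startswith((".", "/", "node:")):
            continue
        names.add(package_root(spec))
    return names


def _name_from_path(path: str) -> str:
    # "" is the root project; "node_modules/a/node_modules/@s/b" -> "@s/b"
    return "" if path == "" else path.rsplit("node_modules/", 1)[1]


def install_script_packages(lockfile: dict) -> List[str]:
    """Every non-root package the lockfile marks with hasInstallScript."""
    return [
        _name_from_path(path)
        for path, entry in lockfile.get("packages", {}).items()
        if path != "" and entry.get("hasInstallScript")
    ]


def find_unimported_install_scripts(lockfile: dict, sources: Dict[str, str]) -> List[dict]:
    """Report install-script packages that none of their dependents actually import.

    sources maps package name -> concatenated source text of that package (what you
    would read from node_modules/<name>); the root project is keyed by "".
    """
    packages = lockfile.get("packages", {})
    dependents: Dict[str, List[str]] = {}
    for path, entry in packages.items():
        for dep in entry.get("dependencies", {}):
            dependents.setdefault(dep, []).append(_name_from_path(path))

    findings = []
    for name in install_script_packages(lockfile):
        required_by = dependents.get(name, [])
        imported_by = [p for p in required_by if name in imported_packages(sources.get(p, ""))]
        if required_by and not imported_by:
            entry = packages["node_modules/" + name]
            findings.append({"package": name, "version": entry.get("version"), "required_by": required_by})
    return findings


# Constructed lockfile: the root depends on axios, axios pulls in one real-looking
# dependency plus a hypothetical one that only has an install script.
SAMPLE_LOCK = {
    "name": "my-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.0.0"}},
        "node_modules/axios": {
            "version": "1.0.0",
            "dependencies": {"follow-redirects": "^1.0.0", "example-postinstall-dep": "^1.0.0"},
        },
        "node_modules/follow-redirects": {"version": "1.0.0"},
        "node_modules/example-postinstall-dep": {"version": "1.0.1", "hasInstallScript": True},
    },
}

# Constructed source texts, one per package, as read from node_modules.
SAMPLE_SOURCES = {
    "": "import axios from 'axios';\nexport default axios;",
    "axios": "var followRedirects = require('follow-redirects');\nmodule.exports = { followRedirects };",
    "example-postinstall-dep": "// nothing here is ever required by axios; it exists for its postinstall hook",
}

if __name__ == "__main__":
    print(json.dumps(find_unimported_install_scripts(SAMPLE_LOCK, SAMPLE_SOURCES), indent=2))
```

To run this against a real project, load package-lock.json and read each package's files from node_modules, then install with `npm ci --ignore-scripts` and only re-enable hooks for packages whose install scripts have been reviewed. The check is a heuristic: a dependency can legitimately be consumed only through its install script (native build helpers do this), so each hit is a review item rather than a verdict.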

Cross-Regional Phishing Campaign Delivers Banking Trojans via Dynamic Payload Infrastructure

06-Apr-2026
Label: Phishing
Threat Level: Medium

A sophisticated, multi-pronged phishing campaign is targeting Spanish-speaking users across Latin America and Europe, delivering Windows banking trojans through a coordinated infection chain. Attributed to a Brazilian cybercrime actor, the activity reflects a notable escalation in both geographic reach and technical sophistication, and is of particular concern for organizations with operations or users in Spanish-speaking countries. The campaign has been linked to the threat actor Augmented Marauder, which deploys Horabot to deliver the Casbaneiro (a.k.a. Metamorfo) banking trojan. The use of dynamic payloads, server-side lure generation, and programmatic archive naming means that each victim receives a unique file, defeating hash-based detection and many email security controls.

The attack begins with phishing emails using court summons-themed lures, prompting victims to open a password-protected PDF. Embedded links redirect to malicious URLs, triggering the download of a ZIP archive containing interim scripting payloads that retrieve and stage the next payload. These scripts perform environment and anti-analysis checks, including antivirus and virtual machine detection, and terminate execution if any check is triggered. The expanded set of sandbox-related indicators suggests ongoing refinement of the actor's evasion techniques.

The final stage delivers two cooperating malware families — a banking trojan and a propagation botnet. Notably, the propagation script includes a dynamic lure generation capability: it queries a remote API with a randomly generated PIN, prompting the server to create a unique, password-protected PDF impersonating a judicial summons. This file is then distributed via the victim’s email account to harvested contacts, with propagation in some cases extending to messaging platforms such as WhatsApp. This combination of dynamic lure creation, automation, and social engineering highlights an adaptive threat actor targeting both consumer and enterprise environments across regions.

WhatsApp Malware Campaign Delivers VBScript and MSI Backdoors

06-Apr-2026
Label: Malware
Threat Level: Medium

A malware campaign observed beginning in late February 2026 uses WhatsApp messages to deliver malicious Visual Basic Script (VBS) files that, once executed, initiate a multi-stage infection chain designed to establish persistence and enable remote access, combining social engineering with living-off-the-land techniques. By retrieving payloads from trusted cloud services and installing malicious MSI packages, the threat actor reduces visibility and increases the likelihood of successful execution, making detection and response significantly more difficult for defenders.

The attack begins when a victim executes a malicious VBS file delivered via WhatsApp. The script then creates hidden folders on the system and drops renamed versions of legitimate Windows utilities, disguising them to blend seamlessly into the system environment. From there, the malware downloads secondary payloads hosted on widely trusted cloud platforms, which the attackers exploit to mask malicious activity as legitimate traffic. Once these secondary payloads are in place, the malware tampers with User Account Control settings, continuously attempting to launch elevated processes and modifying registry entries to ensure the infection survives reboots, ultimately granting administrative control without any user interaction.

In the final stage, unsigned malicious installer packages are delivered, which enable the attackers to establish remote access and directly control victim systems. These installers are designed to blend in with legitimate enterprise software deployment practices, and once installed, they provide persistent remote connectivity that can be used to exfiltrate data, deploy additional malware, or incorporate compromised systems into a broader network of infected devices. The layered combination of social engineering, misuse of legitimate tools, and cloud-based infrastructure makes this campaign a particularly difficult threat to detect and contain with conventional security measures.
