Weekly security roundups highlight exploited enterprise vulnerabilities and energy-sector attacks
The items provided are editorial roundups/newsletters aggregating multiple, unrelated security stories rather than reporting a single discrete incident. Across the roundups, recurring high-priority themes include actively exploited vulnerabilities (e.g., Microsoft Office zero-day CVE-2026-21509, Fortinet SSO authentication bypass CVE-2026-24858, and a critical SmarterMail code-execution flaw), plus broader reporting on exploitation activity (e.g., nation-state and criminal use of a WinRAR flaw) and supply-chain/package-manager risk (e.g., “PackageGate” bypass issues affecting NPM/PNPM/VLT/Bun). These are not marketing/event promotions, but they are not a cohesive single event; they function as curated link collections.
The roundups also surface operational threat activity, including reporting that Poland faced disruptive/wiper-style attacks against energy-related systems in late December 2025 (targeting combined heat and power plants and renewable-energy management systems), and multiple malware/campaign writeups (e.g., KONNI using AI to generate PowerShell backdoors, Android trojan delivery via Hugging Face hosting, and other multi-stage Windows malware and extension-based abuse). For CISOs, the actionable takeaway is to treat the referenced KEV-listed and in-the-wild exploited issues as patch/mitigation priorities while monitoring energy-sector TTPs and malware delivery trends highlighted in the linked research.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
14 events from the most recent confirmed update back to the earliest known activity.
North Korea-linked KONNI uses AI to generate malware tooling
Reporting indicated that the North Korea-linked KONNI group used AI to help generate malware tooling. This revealed a new technical detail about how the threat actor was developing or supporting its operations.
Amnesia RAT phishing campaign targets Russian users
A phishing campaign distributing Amnesia RAT was reported as targeting users in Russia. The activity added a malware-delivery operation to the week's threat landscape.
PackageGate zero-days reported across JavaScript package managers
Researchers disclosed 'PackageGate' zero-day issues affecting several JavaScript package managers. The finding exposed a supply-chain risk spanning multiple developer ecosystems.
Threat actors exploit WinRAR in multiple campaigns
The newsletter notes that diverse threat actors were exploiting WinRAR vulnerabilities in separate campaigns. This reflects ongoing real-world abuse of the archiving software by multiple adversaries.
SolarWinds Web Help Desk flaws disclosed
Security reporting highlighted vulnerabilities affecting SolarWinds Web Help Desk. The disclosure added another enterprise product to the week's notable patching and exposure concerns.
Researchers report critical SmarterMail flaws and broad exposure
Critical vulnerabilities in SmarterTools SmarterMail were reported, with more than 6,000 exposed servers said to be likely vulnerable. The reporting highlighted both the severity of the flaws and the scale of internet exposure.
Fortinet discloses FortiOS SSO auth bypass vulnerability
Fortinet disclosed an authentication bypass vulnerability in FortiOS SSO tracked as CVE-2026-24858. The vendor response made the flaw a distinct vulnerability disclosure and remediation event.
CISA adds Ivanti EPMM and Fortinet flaws to KEV catalog
CISA added actively exploited vulnerabilities affecting Ivanti EPMM and multiple Fortinet products to its Known Exploited Vulnerabilities catalog. The listing signaled confirmed exploitation and increased urgency for defenders to patch.
OpenSSL releases updates fixing 12 flaws including an RCE
OpenSSL issued security updates to address 12 vulnerabilities, including a remote code execution flaw. The release constituted a major patching event for widely used cryptographic software.
Court and law-enforcement developments emerge in Empire Market case
The newsletter references new legal and law-enforcement developments related to Empire Market and other cybercrime cases. These actions represent official judicial or enforcement progress in a major dark-web marketplace matter.
Nike investigates breach claim by WorldLeaks
Nike began investigating a possible breach after a threat actor using the name WorldLeaks claimed responsibility. At the time referenced, the matter was under investigation rather than fully confirmed.
Crunchbase confirms breach after ShinyHunters claim
Threat actor ShinyHunters claimed to have compromised Crunchbase, and Crunchbase confirmed that it had suffered a breach. The confirmation turned the criminal claim into a verified incident.
Sandworm linked to major attack on Poland's power grid
Reporting cited Russia-linked Sandworm as responsible for a major attack on Poland's power grid, adding attribution to a significant critical-infrastructure incident. This represents a notable development in understanding the threat actor behind the attack.
Polish energy facilities hit by cyberattacks disrupting communications
Cyberattacks disrupted communications at energy facilities in Poland, marking a significant operational impact on the country's energy sector. The newsletter references this as a notable incident in the reporting period.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Security roundups covering multiple unrelated breaches, exploited vulnerabilities, and malware activity
The referenced items are **weekly newsletter/roundup posts** that aggregate multiple, unrelated cybersecurity developments rather than reporting a single discrete incident. They highlight a mix of **data breaches**, **ransomware**, **active exploitation and KEV additions**, and **malware campaigns**—including mentions of BeyondTrust RS/PRA vulnerabilities (including `CVE-2026-1731`) being exploited, CISA adding various flaws to the **Known Exploited Vulnerabilities (KEV)** catalog, and ongoing malware activity such as **LummaStealer**, **NetSupport RAT** targeting, and Linux botnet activity (e.g., **SSHStalker**). Separately, the roundup coverage also includes public-sector and critical-service disruptions and regulatory action: a reported cyberattack on the **European Commission’s mobile device management (MDM)** environment with potential exposure of staff contact details, a **ransomware** incident disrupting Senegal’s national identity services, and an Australian court penalty against **FIIG Securities** tied to inadequate cybersecurity controls following a prior ransomware breach and data exposure. Overall, the content is best treated as situational awareness across many stories, not as a cohesive incident requiring a single-issue response plan.
Mar 21, 2026
Weekly Cyber Threat Intelligence Roundup: Microsoft Patch Tuesday, FortiSIEM Exploitation, and Emerging Malware/Phishing Trends
A weekly threat-intelligence roundup highlighted **Microsoft’s January Patch Tuesday** release addressing **112 vulnerabilities** across Windows and *Microsoft Edge*, spanning multiple classes including elevation of privilege, remote code execution, and information disclosure. The same briefing reported active interest in **CVE-2025-64155**, a **critical FortiSIEM** vulnerability, with observed exploitation activity against honeypot environments following an out-of-band alert from Kroll Threat Intelligence—an indicator of likely broader scanning and attempted exploitation. The update also covered multiple threat developments: Check Point research described **VOIDLINK**, a Linux-focused malware framework (implants/rootkits/loaders) designed for long-term access, including in cloud environments; **North Korean-linked KTA082 (Kimsuky/APT43)** was reported using **QR-code phishing (“quishing”)** to target government, education, and think tanks; and **Iran-linked KTA060 (MuddyWater)** was associated with development of the **RUSTYWATER RAT**. Separately, detection-engineering updates noted new and refined rules for **OAuth/Entra ID consent phishing** patterns (including *ConsentFix*-style authorization flows), correlations between Entra ID risk events and privileged actions (e.g., PIM elevation/device-code auth), Windows persistence/defense-evasion behaviors (e.g., scheduled tasks by unsigned executables, Chrome security feature tampering), and updated YARA/behavioral detections for malware families (e.g., **Agent Tesla**, **MintsLoader**) and **Cobalt Strike** TTPs; the briefing also referenced a leak of a database purportedly containing ~**324,000 BreachForums** user records posted to `shinyhunte[.]rs`.
Mar 21, 2026
Weekly Cybersecurity Roundups Highlighting Government Campaigns, Nation-State Activity, and Emerging Vulnerabilities
Multiple weekly cybersecurity roundups and newsletters highlighted a mix of policy, threat, and vulnerability developments rather than a single discrete incident. UK government messaging featured prominently, including a campaign urging businesses to “lock the door” against cyber criminals and publication of longitudinal survey results indicating most organizations continue to experience cyber incidents (with reported rates in the 70–80% range across businesses and charities). Separately, commentary from European security circles emphasized growing calls for **offensive cyber capabilities** (“strike back”) amid concerns about Russian aggression and sabotage activity across Europe, including references to cyber operations targeting critical infrastructure. Threat reporting in the same period emphasized escalating **nation-state and proxy activity** against critical infrastructure and the defense industrial base, citing research that espionage groups (including those linked to China, Russia, and North Korea) have compromised organizations by exploiting **zero-day vulnerabilities in edge devices** (e.g., VPNs and gateways). Additional reporting pointed to newly identified OT-focused threat groups (e.g., **Sylvanite**, **Azurite**, **Pyroxene**) and a broad set of emerging technical risks and product/security changes, including discussion of an **OpenSSL RCE** risk, **Foxit 0-days**, and analysis of **LockBit 5.0** ransomware techniques (e.g., ETW tampering, process hollowing, log clearing) alongside Android platform security changes (e.g., deprecating cleartext traffic defaults and adding HPKE support).
Mar 21, 2026