Weekly Cybersecurity Roundups Covering Breaches, Zero-Days, and AI-Driven Threats
Two weekly “roundup” articles summarized a broad set of security developments rather than a single incident. Reported items included data breaches (e.g., PayPal, SpyX, California Cryobank), active exploitation of multiple vulnerabilities (including a Google Chrome 0-day and critical issues in products such as BeyondTrust, Ivanti EPMM, Splunk Enterprise, and Windows Admin Center), and ransomware activity (e.g., Hellcat reportedly breaching Ascom’s ticketing infrastructure and exfiltrating ~44GB of data). The digest also highlighted availability risk via a reported Cloudflare global outage attributed to a cascading password-rotation failure.
The week-in-review content also mixed security news with interviews and tool/project updates, including discussion of the evolving CISO role amid agentic AI, the release of REMnux v8 (malware analysis distro) with AI integration, and commentary on “harvest now, decrypt later” quantum risk. It additionally referenced separate security headlines such as a firmware-level Android backdoor on tablets and a Dell zero-day reportedly exploited since 2024, but did not provide a unified, single-event narrative across the items.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
13 events from the most recent confirmed update back to the earliest known activity.
Notepad++ hardens update channel after prior hijack
Notepad++ implemented update-channel hardening measures following an earlier hijack incident. The change was reported as a supply-chain and software ecosystem security improvement.
Phobos ransomware affiliate arrested
A Phobos ransomware affiliate was arrested, marking a notable law enforcement action against ransomware operators. The arrest was included in the week's cybercrime developments.
INTERPOL-backed Operation Red Card 2.0 results announced
Authorities announced arrests and asset recoveries tied to Operation Red Card 2.0, an INTERPOL-backed law enforcement effort. The operation was cited as a significant cybercrime enforcement development.
France's FICOBA registry breach affects 1.2 million accounts
A breach of France's FICOBA bank account registry was reported to have affected 1.2 million accounts. The incident was included among the week's major data security events.
Firmware-level Android backdoor found on tablets
Researchers reported a firmware-level Android backdoor called Keenadu on tablets. The finding was highlighted as a major security story in the week's roundup.
Critical Grandstream VoIP flaw CVE-2026-2329 reported
A critical vulnerability affecting Grandstream VoIP phones, CVE-2026-2329, was disclosed in weekly security coverage. The issue was highlighted as a notable newly reported enterprise risk.
Dell zero-day CVE-2026-22769 publicly reported
Public reporting identified the long-running Dell RecoverPoint for VMs zero-day as CVE-2026-22769 and linked it to suspected China-nexus exploitation. The disclosure established that exploitation had been occurring since 2024.
Chrome zero-day CVE-2026-2441 disclosed as in-the-wild exploit
A Google Chrome zero-day, tracked as CVE-2026-2441, was reported as being exploited in the wild. It was listed among the week's most important vulnerability developments.
BeyondTrust appliance RCE exploitation observed in the wild
Attackers actively exploited a critical BeyondTrust appliance remote code execution flaw using malformed WebSocket remoteVersion values. GreyNoise reported that 83% of observed attempts were attributed to IP address 193.24.123.42.
Actor compromises 600+ FortiGate devices using generative AI services
A financially motivated threat actor used multiple commercial generative AI services in operations that compromised more than 600 FortiGate devices. The activity was highlighted in the weekly digest as a significant threat development.
Ascom breached via stolen Jira credentials
Hellcat ransomware actors breached Ascom using stolen Jira credentials and exfiltrated 44GB of data. The intrusion was reported as one of the week's notable ransomware incidents.
Cloudflare suffers six-hour global outage
Cloudflare experienced a six-hour global outage caused by a cascading password rotation failure. The incident was included among the major events in the February 16–22, 2026 weekly digest.
Dell RecoverPoint zero-day exploitation began
A suspected China-linked threat actor began exploiting a zero-day in Dell RecoverPoint for VMs, later tracked as CVE-2026-22769. The roundup says the activity had been ongoing since 2024.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Cybersecurity News Weekly: PayPal Breach, Chrome 0-Day, BeyondTrust RCE Exploit, and More
cybersecuritynews.com
Open sourceWeek in review: Firmware-level Android backdoor found on tablets, Dell zero-day exploited since 2024 - Help Net Security
helpnetsecurity.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Weekly Cybersecurity Roundups Highlighting New Vulnerabilities and Incidents
Multiple outlets published **weekly cybersecurity roundups** summarizing a mix of vulnerability disclosures, ransomware/breach reporting, and policy developments rather than a single discrete incident. TechTarget highlighted a surge in reported vulnerabilities (citing **48,000+ new CVEs in 2025**) and called out several high-impact issues, including a **critical ServiceNow weakness** tied to weak authentication in the legacy *Virtual Agent* chatbot that became more dangerous when paired with agentic AI (*Now Assist*), potentially enabling impersonation and **admin-level access** into connected enterprise systems. Other roundup coverage aggregated unrelated security events across sectors. Sherpa Intelligence’s “Five for Friday” compiled items including ransomware claims (e.g., **Everest** targeting Nissan; **Nightspire** claiming an attack on a Hyatt Place property) and breach reporting (e.g., a **Korean Air** employee-data breach attributed to **Clop**). The Cyber Express weekly roundup similarly mixed disparate topics (platform policy changes around AI abuse, senior government appointments, and national-level connectivity disruptions), reinforcing that the common thread is **curation of multiple stories** rather than new primary reporting on one specific cyber event.
Mar 21, 2026
Security roundups covering multiple unrelated breaches, exploited vulnerabilities, and malware activity
The referenced items are **weekly newsletter/roundup posts** that aggregate multiple, unrelated cybersecurity developments rather than reporting a single discrete incident. They highlight a mix of **data breaches**, **ransomware**, **active exploitation and KEV additions**, and **malware campaigns**—including mentions of BeyondTrust RS/PRA vulnerabilities (including `CVE-2026-1731`) being exploited, CISA adding various flaws to the **Known Exploited Vulnerabilities (KEV)** catalog, and ongoing malware activity such as **LummaStealer**, **NetSupport RAT** targeting, and Linux botnet activity (e.g., **SSHStalker**). Separately, the roundup coverage also includes public-sector and critical-service disruptions and regulatory action: a reported cyberattack on the **European Commission’s mobile device management (MDM)** environment with potential exposure of staff contact details, a **ransomware** incident disrupting Senegal’s national identity services, and an Australian court penalty against **FIIG Securities** tied to inadequate cybersecurity controls following a prior ransomware breach and data exposure. Overall, the content is best treated as situational awareness across many stories, not as a cohesive incident requiring a single-issue response plan.
Mar 21, 2026
Weekly Cybersecurity Roundups Highlighting Government Campaigns, Nation-State Activity, and Emerging Vulnerabilities
Multiple weekly cybersecurity roundups and newsletters highlighted a mix of policy, threat, and vulnerability developments rather than a single discrete incident. UK government messaging featured prominently, including a campaign urging businesses to “lock the door” against cyber criminals and publication of longitudinal survey results indicating most organizations continue to experience cyber incidents (with reported rates in the 70–80% range across businesses and charities). Separately, commentary from European security circles emphasized growing calls for **offensive cyber capabilities** (“strike back”) amid concerns about Russian aggression and sabotage activity across Europe, including references to cyber operations targeting critical infrastructure. Threat reporting in the same period emphasized escalating **nation-state and proxy activity** against critical infrastructure and the defense industrial base, citing research that espionage groups (including those linked to China, Russia, and North Korea) have compromised organizations by exploiting **zero-day vulnerabilities in edge devices** (e.g., VPNs and gateways). Additional reporting pointed to newly identified OT-focused threat groups (e.g., **Sylvanite**, **Azurite**, **Pyroxene**) and a broad set of emerging technical risks and product/security changes, including discussion of an **OpenSSL RCE** risk, **Foxit 0-days**, and analysis of **LockBit 5.0** ransomware techniques (e.g., ETW tampering, process hollowing, log clearing) alongside Android platform security changes (e.g., deprecating cleartext traffic defaults and adding HPKE support).
Mar 21, 2026