Recent Cyber Threat Campaigns: Early March 2026

March 10, 2026

Several security research teams recently published investigations into active cyber threat campaigns targeting organizations, cloud infrastructure, and everyday internet users. These reports highlight how modern attackers combine phishing, compromised websites, and stealthy malware to steal credentials and maintain long-term access to systems.

Below is a breakdown of four notable campaigns and what they reveal about the current threat landscape.


WordPress Compromises Used to Deliver Infostealer Malware

Researchers at Rapid7 uncovered a widespread campaign where attackers compromise legitimate WordPress websites and turn them into malware distribution platforms.

Instead of directing victims to obviously malicious domains, attackers inject malicious scripts into trusted websites such as local business pages, blogs, and news sites. When users visit these compromised pages, they are presented with a fake CAPTCHA verification prompt that impersonates a service like Cloudflare.

The prompt tricks victims into executing commands that download malware onto their systems.

The attack ultimately installs information-stealing malware families including Vidar, Impure Stealer, and VodkaStealer. These tools are designed to extract browser credentials, saved passwords, cryptocurrency wallets, and session cookies.

Because the attack relies on legitimate websites and social engineering rather than obvious malware downloads, many victims may not realize they were compromised.

Sednit (APT28) Returns with Updated Espionage Tooling

ESET researchers reported renewed activity from the long-running cyber espionage group Sednit, also known as APT28 or Fancy Bear.

The group has historically targeted government, military, and geopolitical organizations. The new research shows they have updated their malware toolkit and resumed active operations, particularly targeting entities connected to the Ukrainian military.

The campaign introduces several new components including BeardShell, a PowerShell-based implant used to execute remote commands, and SlimAgent, a keylogger derived from earlier Sednit malware.

Another notable element is the use of modified open-source penetration testing frameworks to maintain access within victim networks.

A key tactic in this campaign is the use of legitimate cloud services as command-and-control infrastructure. By routing malware communications through trusted cloud platforms, attackers can blend their traffic with normal network activity and avoid detection.

Phishing Campaign Targeting AWS Console Credentials

Datadog Security Labs recently documented a phishing campaign specifically targeting users of the AWS Management Console.

Victims receive phishing emails that impersonate AWS security alerts, claiming suspicious account activity such as unusual IAM role usage. The email contains a link that appears legitimate but redirects victims through several domains before landing on a fake AWS login page.

The phishing infrastructure uses an adversary-in-the-middle (AiTM) technique. Instead of simply capturing credentials, the attacker’s server acts as a proxy between the victim and the real AWS login service.

When the victim enters their credentials and multi-factor authentication code, the attacker relays the authentication request to AWS in real time and captures the resulting session tokens.

This allows attackers to log into the compromised AWS account shortly after the victim completes authentication.

Researchers observed attackers accessing compromised accounts within minutes of credentials being entered.
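As an added example (not from the Datadog report or this post), a defender-side check over constructed CloudTrail-style ConsoleLogin records: because the AiTM proxy relays the login, the source IP AWS records is the proxy's rather than the victim's, so a successful MFA login from outside known egress ranges, or one principal appearing from two IPs within minutes, is worth alerting on. The egress allowlist and the sample records are assumptions.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style ConsoleLogin records (sample data, not from the report).
SAMPLE_LOG = r"""
{"eventTime": "2026-03-09T09:00:02Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10", "userIdentity": {"userName": "alice"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}}
{"eventTime": "2026-03-09T09:04:31Z", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.77", "userIdentity": {"userName": "alice"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}}
{"eventTime": "2026-03-09T09:30:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.12", "userIdentity": {"userName": "bob"}, "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}}
{"eventTime": "2026-03-09T09:31:10Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.12", "userIdentity": {"userName": "bob"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}}
"""

# Hypothetical allowlist of the organization's own egress ranges.
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_events(raw: str) -> list:
    """Parse one JSON record per line, keeping successful ConsoleLogin events sorted by time."""
    events = []
    for line in raw.strip().splitlines():
        rec = json.loads(line)
        if rec.get("eventName") != "ConsoleLogin":
            continue
        if rec.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        events.append({
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": rec["userIdentity"].get("userName", "<unknown>"),
            "ip": ipaddress.ip_address(rec["sourceIPAddress"]),
            "mfa": rec.get("additionalEventData", {}).get("MFAUsed") == "Yes",
        })
    return sorted(events, key=lambda e: e["time"])


def find_suspect_logins(events: list, window: timedelta = timedelta(minutes=10)) -> list:
    """Return alert strings for logins that fit the relayed-session pattern."""
    alerts, by_user = [], defaultdict(list)
    for e in events:
        # Rule 1: the proxy relays the login, so AWS records the proxy's IP, not the
        # victim's; an MFA-passing login from outside known egress is the tell.
        if not any(e["ip"] in net for net in KNOWN_EGRESS):
            alerts.append(f"{e['user']}: login from unknown egress {e['ip']} (MFA={e['mfa']})")
        # Rule 2: one principal from two different IPs inside a short window.
        for prev in by_user[e["user"]]:
            if prev["ip"] != e["ip"] and e["time"] - prev["time"] <= window:
                alerts.append(f"{e['user']}: {prev['ip']} then {e['ip']} within {window}")
        by_user[e["user"]].append(e)
    return alerts
```

Run against real CloudTrail exports by feeding the JSON lines to parse_events and replacing KNOWN_EGRESS with the organization's actual ranges.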

Long-Running Espionage Campaign Targeting Critical Industries

Unit 42 researchers at Palo Alto Networks uncovered a previously undocumented threat cluster known as CL-UNK-1068. The group has been conducting cyber espionage operations against high-value organizations across Asia since at least 2020.

Targeted sectors include aviation, telecommunications, energy, government, and technology companies.

The attackers typically gain initial access by exploiting vulnerable web servers and installing web shells such as GodZilla or AntSword. Once inside a network, they use a combination of custom tools and legitimate administrative utilities to expand their access.

Techniques observed in the campaign include credential dumping with tools like Mimikatz, network reconnaissance, and stealthy persistence using tunneling utilities such as Fast Reverse Proxy (FRP).

The attackers also rely heavily on “living-off-the-land” techniques, meaning they use built-in operating system tools rather than obvious malware. This approach helps them remain undetected inside compromised environments for extended periods.

The activity appears primarily focused on intelligence gathering and long-term data collection rather than immediate disruption.