
Tags: Threat intelligence

25 March 2026

Weekly Summary of Cyberattacks, 19-25 March

5 Malicious npm Packages Typosquat Solana and Ethereum Libraries to Steal Private Keys  

Cybersecurity researchers have identified a malicious npm campaign involving five packages published under the account “galedonovan” that typosquat legitimate cryptocurrency libraries to steal private keys from developers working with Solana and Ethereum. The packages (raydium-bs58, base_xd, base-x-64, bs58-basic, and ethersproject-wallet) impersonate widely used libraries such as bs58, base-x, and @ethersproject/wallet, and exfiltrate sensitive key material through a hardcoded Telegram bot, with the command-and-control (C2) infrastructure confirmed active as of March 23, 2026. 
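As an added example that is not part of the original summary, the check below walks an npm package-lock.json (lockfile v2/v3 layout), flags exact matches of the five package names above, and flags near-miss or name-embedding variants of the impersonated libraries using edit distance; the lock fragment and the package versions in it are constructed, and the distance threshold is an assumption.

```javascript
// Added example, not code from the original post: audit an npm package-lock.json for the
// five packages named above and for near-miss names of the libraries they impersonate.
const KNOWN_MALICIOUS = new Set(["raydium-bs58", "base_xd", "base-x-64", "bs58-basic", "ethersproject-wallet"]);
const LEGIT = ["bs58", "base-x", "@ethersproject/wallet"]; // libraries the campaign impersonates
// Levenshtein edit distance, single-row dynamic programming.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}
// Flatten scope and separators so "@ethersproject/wallet" and "ethersproject_wallet" compare equal.
function normalise(name) {
  return name.toLowerCase().replace(/^@/, "").replace(/[_./]/g, "-");
}
// One finding per suspicious dependency; exact indicator matches take precedence over heuristics.
function auditLockfile(lock, maxDistance = 2) {
  const findings = [];
  for (const key of Object.keys(lock.packages || {})) {
    const name = key.replace(/^.*node_modules\//, "");   // lockfile v2/v3 keys: "node_modules/<name>"
    if (!name || LEGIT.includes(name)) continue;          // root entry, or the genuine library itself
    if (KNOWN_MALICIOUS.has(name)) { findings.push({ name, reason: "known malicious" }); continue; }
    const norm = normalise(name);
    for (const legit of LEGIT) {
      const ln = normalise(legit);
      const d = levenshtein(norm, ln);
      if (d <= maxDistance) { findings.push({ name, reason: `edit distance ${d} from ${legit}` }); break; }
      if (`-${norm}-`.includes(`-${ln}-`)) { findings.push({ name, reason: `embeds ${legit}` }); break; }
    }
  }
  return findings;
}
// Constructed lock fragment: the genuine bs58, a known indicator, a near-miss of a scoped name,
// and bs58check (a legitimate package that must not be flagged by the token check).
const SAMPLE_LOCK = { packages: {
  "": { name: "demo-app" },
  "node_modules/bs58": { version: "5.0.0" }, "node_modules/base_xd": { version: "1.0.0" },
  "node_modules/@ethersproject/walet": { version: "5.7.0" }, "node_modules/bs58check": { version: "3.0.1" },
} };
console.log(auditLockfile(SAMPLE_LOCK)); // two findings: base_xd and @ethersproject/walet
```

Findings are review candidates, not verdicts: the edit-distance and token heuristics will also surface legitimate forks, so confirm each hit against the registry before acting.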

FBI: Hackers Targeting Opponents with Telegram Malware  

The Federal Bureau of Investigation (FBI) warned of ongoing malicious cyber activity conducted by actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), who are leveraging Telegram as a command-and-control (C2) infrastructure to deploy malware against Iranian dissidents, journalists, and opposition groups worldwide. The campaign, observed since at least 2023, relies on a multi-stage malware framework targeting Windows systems, combining social engineering with tailored delivery techniques to increase infection success. Threat actors impersonate trusted individuals or technical support via messaging platforms to persuade victims to download trojanized applications disguised as legitimate software such as Telegram, KeePass, Pictory, or WhatsApp.

New Perseus Android Banking Malware Monitors Notes Apps  

Cybersecurity researchers disclosed a new Android banking malware family named Perseus, designed to enable Device Takeover (DTO) and advanced financial fraud. The malware is actively distributed via phishing and malicious applications, leveraging abuse of Android’s Accessibility Services to gain extensive control over infected devices. Once installed, Perseus enables attackers to conduct real-time remote sessions, effectively allowing full interaction with the victim’s device and bypassing many traditional fraud detection mechanisms. 

Copyright Lures Mask a Multi-Stage PureLog Stealer Attack on Key Industries

Researchers from Trend Micro uncovered a targeted multi-stage malware campaign delivering the PureLog information stealer, using copyright infringement lures to trick victims into executing malicious files. The campaign relies on localized, language-specific phishing documents disguised as legal notices, significantly increasing the likelihood of user interaction. Observed targeting focuses on the healthcare, government, hospitality, and education sectors, with notable activity in countries such as Germany and Canada, indicating a selective, intelligence-driven victimology rather than broad, opportunistic targeting. The infection chain is highly structured and evasive, consisting of multiple stages designed to hinder detection and analysis.

The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors  

Google Threat Intelligence Group (GTIG) identified DarkSword, a new full-chain iOS exploit that chains six vulnerabilities, including multiple zero-days, to fully compromise iOS 18.4 through 18.7 devices and deploy final-stage malware with full kernel privileges. GTIG stated that, since at least November 2025, DarkSword has been used by multiple threat actors, including commercial surveillance vendors and suspected state-sponsored actors, in campaigns targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. GTIG also linked the exploit chain to three distinct post-exploitation malware families: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.