March 27, 2026

Cyber Operations

Coruna iOS Exploit Kit Leaked Online. A major iPhone hacking toolkit known as "Coruna," originally developed by U.S. defense contractor L3Harris for government use, has been publicly leaked on GitHub. The kit contains 23 exploits across five exploit chains targeting iOS 13 through 17.2.1 and had already migrated from Russian espionage operations in Ukraine to Chinese cybercriminal campaigns before the public release. Apple has patched the underlying vulnerabilities in newer iOS versions, but millions of devices running older software remain exposed.

China-Linked APT Embeds BPFdoor Implants in Telecom Networks. Rapid7 published findings on a sustained espionage campaign by China-nexus group Red Menshen, which deployed kernel-level BPFdoor backdoors deep inside global telecommunications infrastructure. The implants conceal command triggers within legitimate encrypted HTTPS traffic and target providers across South Korea, Hong Kong, Myanmar, Malaysia, Egypt, and the Middle East. Separately, Unit 42 reported that a second China-linked group, UAT-9244, has been targeting South American telecoms with three custom malware families since at least 2024.

Iran Conflict Drives Surge in Hacktivist and Wiper Attacks. Unit 42 updated its Iran threat brief on March 26, warning of escalating wiper attack risk tied to the ongoing U.S.-Israel-Iran conflict. Over 60 active threat groups have been tracked, with 53 operating on the pro-Iranian side. Handala Hack, believed to be a front for Iran's Ministry of Intelligence, claimed a destructive wiper attack on U.S. healthcare firm Stryker in mid-March. Experts warn that Iran-linked hacktivists may increasingly target U.S. state and local government systems, with a Pennsylvania township already hit.

GlassWorm Supply-Chain Campaign Evolves. The GlassWorm campaign, which compromised over 400 packages across GitHub, npm, PyPI, and VS Code extension marketplaces earlier this month, has evolved. Researchers at Malwarebytes identified a new variant deploying a malicious Chrome extension capable of keylogging, session token theft, and screenshot capture. The attack leverages Solana blockchain transactions as dead drop resolvers to fetch payload URLs.

CYFIRMA Publishes Weekly Intelligence Report. CYFIRMA released its weekly intelligence report for March 27, covering current threat actor activity and vulnerability disclosures.

Information Operations & Foreign Influence

Iran's Internet Blackout Enters Day 28. Iran has now surpassed its 27th consecutive day of near-total internet blackout following the February 28 U.S.-Israel strikes, with connectivity hovering between 1–4% of normal levels. The blackout has severely constrained both inbound information access and outbound influence operations, though Iranian state media continues to push disinformation through external channels, with NewsGuard documenting at least 18 false war-related claims since hostilities began.

AI-Generated War Disinformation at Unprecedented Scale. The Iran-Israel-U.S. conflict has produced an information war of historic scale, with the New York Times identifying over 110 distinct AI-generated images and videos in just the first two weeks of fighting. Disinformation and narrative manipulation have been documented from all sides, amplified by generative AI tools that make fabricated content increasingly difficult to distinguish from authentic reporting.

U.S. Foreign Influence Monitoring Capacity Diminished. As the conflict generates record disinformation volumes, the U.S. government's institutional capacity to monitor and counter foreign influence operations has been significantly weakened. The administration shuttered the FBI's Foreign Malign Influence Task Force, the State Department's Global Engagement Center, and the DNI's Foreign Malign Influence Center, leaving no designated official for election threat response.

Espionage

Russian Intelligence Operatives Arrested in Spain and Germany. German and Spanish authorities arrested two individuals — a Ukrainian national in Alicante, Spain, and a Romanian citizen in Germany — on suspicion of spying on a German drone manufacturer that supplies strike UAVs to Ukraine. The Ukrainian suspect had been systematically filming the company's facilities since December 2025, and investigators believe the intelligence was being collected to prepare further actions against the target, possibly including a physical attack.

DRILLAPP Backdoor Targets Ukrainian Defense Sector. A Russia-linked APT assessed to overlap with Laundry Bear (UAC-0190) has been deploying DRILLAPP, a JavaScript-based backdoor that abuses Microsoft Edge debugging to conduct stealth espionage against Ukrainian targets. The malware can upload and download files, activate the microphone, and capture webcam images, using the browser as a covert channel to avoid detection.

Russian Phishing Campaign Targets Government Officials on Signal and WhatsApp. Threat actors affiliated with Russian intelligence services are conducting phishing campaigns to compromise messaging applications used by current and former U.S. government officials, military personnel, political figures, and journalists. Portugal's national intelligence service issued a parallel warning about a global campaign targeting WhatsApp and Signal accounts of diplomats and government officials.

OFAC Sanctions North Korean IT Worker Network. The U.S. Treasury sanctioned six individuals and two entities for their roles in DPRK IT worker fraud schemes that generated nearly $800 million to fund North Korea's weapons programs. The schemes rely on stolen identities and fabricated personas to place workers at legitimate companies, with salaries funneled back through cryptocurrency channels across multiple blockchains.

A major hacking tool has leaked online, putting millions of iPhones at risk. Here’s what you need to know. | TechCrunch

Here’s what we know, and what you need to know, about Coruna and DarkSword, two advanced iPhone hacking tools discovered by security researchers. DarkSword has now leaked online.
