Virus Bulletin

Security information portal, testing and certification body.
Organisers of the annual Virus Bulletin conference.
CERT Polska analyses new FvncBot samples targeting Polish users. A fake app poses as Token U2F Mobilna Ochrona SGB, then pushes victims to enable an accessibility service presented as System Update before registering the device with attacker infrastructure. https://cert.pl/en/posts/2026/03/fvncbot-analysis/
ReliaQuest observes DeepLoad hitting enterprise environments through ClickFix delivery. The analysis points to likely AI-assisted obfuscation, process injection into trusted Windows binaries, and immediate credential theft that can continue even when the primary loader is stopped. https://reliaquest.com/blog/threat-spotlight-deepload-malware-pairs-clickfix-delivery-with-ai-generated-evasion/
Seqrite details Operation DualScript, a multi-stage malware infection built around Scheduled Task persistence, VBScript launchers, and PowerShell execution. Two parallel paths drive the compromise: one retrieves remote payloads from the web, while the other runs the RetroRAT implant. https://www.seqrite.com/blog/operation-dualscript-powershell-malware-retrorat-analysis/
Sophos analyses STAC6405, a phishing campaign that used invite-themed lures to trick users into installing LogMeIn Resolve for remote access. In some cases, the actor then used both existing and newly deployed ScreenConnect instances to pull additional binaries, including an infostealer. https://www.sophos.com/en-us/blog/incident-responders-s-il-vous-plait
Trend Micro analyses the latest TeamPCP supply chain hit, where malicious Telnyx PyPI versions 4.87.1 & 4.87.2 were published just 3 days after the LiteLLM compromise. The payload marks a shift in tradecraft, adding WAV-based steganography, split file injection, and Windows persistence. https://www.trendmicro.com/en_us/research/26/c/teampcp-telnyx-attack-marks-a-shift-in-tactics.html
ReversingLabs tracks TeamPCP as an evolving supply chain campaign that began with Trivy & Checkmarx, shifted to LiteLLM, and has now landed on the telnyx PyPI package. The goal remains consistent across the chain: steal cloud secrets from trusted developer tooling. https://www.reversinglabs.com/blog/teampcp-supply-chain-attack-spreads
CYFIRMA analyses CrySome RAT, a C#-based .NET remote access trojan. Alongside the usual RAT toolkit, it combines multi-layered persistence mechanisms with aggressive defence evasion through its AVKiller module. https://www.cyfirma.com/research/crysome-rat-an-advanced-persistent-net-remote-access-trojan/
Darktrace investigates GhostSocks, an emerging threat that turns compromised devices into residential proxy nodes. Researchers observed a rise in activity from late 2025 and a notable overlap with Lumma Stealer infrastructure. https://www.darktrace.com/blog/phantom-footprints-tracking-ghostsocks-malware

A friendly reminder that the Call for Papers for VB2026 is closing soon!

We know you’ve got a brilliant idea (or three) rattling around in your brain. So why not share it with the world? Our stage is waiting. 🎤

Deadline: 9 April 2026

Click for more info ➡️ https://lnkd.in/dFBZAqVS

#VB2026 #CFP #cybersecurity #Seville

Dr Zulfikar Ramzan says the LiteLLM compromise shows why defenders must go beyond signatures and CVEs. Point Wild built and open-sourced the who-touched-my-packages tool to help teams triage for zero-day supply chain abuse. https://www.pointwild.com/threat-intelligence/dr-zulifkar-ramzan-on-litellm-compromise/