Virus Bulletin

2.6K Followers
57 Following
2.6K Posts
Security information portal, testing and certification body.
Organisers of the annual Virus Bulletin conference.
ASEC reports that Kimsuky has changed how it distributes malicious LNK files. While the end goal remains the same - execution of a Python-based backdoor or downloader - the group has reworked the intermediate stage into a more complex multi-step chain. https://asec.ahnlab.com/en/93151/
Team Cymru profiles Yurei, a double extortion ransomware campaign active since Sept 2025, with links to Prince Ransomware and possible ties to SatanLockv2. Despite its low public victim count, the exposed operator toolkit shows initial access, discovery, credential theft, defence evasion, and lateral movement. https://www.team-cymru.com/post/yurei-double-extortion-ransomware-campaign-toolkit
The BitSight Threat Research Team examines the Phorpiex botnet’s Twizt variant, focusing on its current TTPs, recent targets, and the new payloads. The write-up underlines how this long-running botnet continues to adapt and remain a relevant threat. https://www.bitsight.com/blog/ransomware-twizt-inside-phorpiex-botnet
Elastic Security Labs shows why static detection often fails against Linux rootkits, even with only trivial binary changes. The article covers shared object loading, dynamic linker abuse, LKM activity, eBPF, io_uring, persistence, and defence evasion. https://www.elastic.co/security-labs/linux-rootkits-2-caught-in-the-act
Proofpoint Threat Research Team reports that China-aligned TA416 resumed targeting European government and diplomatic organizations from mid-2025. They also observed a March 2026 expansion into Middle Eastern diplomatic and government entities, alongside evolving PlugX delivery chains. https://www.proofpoint.com/us/blog/threat-insight/id-come-running-back-eu-again-ta416-resumes-european-government-espionage
Microsoft Defender Security Research Team reports a WhatsApp-delivered malware campaign that uses malicious VBS files to kick off a multi-stage infection chain. The activity blends social engineering and living-off-the-land techniques, pulling payloads from AWS, Tencent Cloud & Backblaze B2 before installing malicious MSI packages. https://www.microsoft.com/en-us/security/blog/2026/03/31/whatsapp-malware-campaign-delivers-vbs-payloads-msi-backdoors/
Kedar Shashikant Pandit & Prathamesh Shingare at Point Wild uncover a fileless Remcos RAT chain that starts with a phishing email and a ZIP disguised as a business document. An obfuscated JavaScript dropper then pulls a remote PowerShell loader, which reconstructs and executes a .NET payload entirely in memory. https://www.pointwild.com/threat-intelligence/from-inbox-to-intrusion-multi-stage-remcos-rat-and-c2-delivered-payloads-in-network/
McAfee reports Operation NoVoice, an Android rootkit campaign that hides inside legitimate-looking utility and game apps previously hosted on Google Play. Behind the scenes, the app profiles the handset, downloads exploits, and can seize complete control of the device. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-research-operation-novoice-rootkit-malware-android/
CERT Polska analyses new FvncBot samples targeting Polish users. A fake app poses as Token U2F Mobilna Ochrona SGB, then pushes victims to enable an accessibility service presented as System Update before registering the device with attacker infrastructure. https://cert.pl/en/posts/2026/03/fvncbot-analysis/
ReliaQuest observes DeepLoad hitting enterprise environments through ClickFix delivery. The analysis points to likely AI-assisted obfuscation, process injection into trusted Windows binaries, and immediate credential theft that can continue even when the primary loader is stopped. https://reliaquest.com/blog/threat-spotlight-deepload-malware-pairs-clickfix-delivery-with-ai-generated-evasion/