Virus Bulletin

Security information portal, testing and certification body.
Organisers of the annual Virus Bulletin conference.
ASEC reports that Kimsuky has changed how it distributes malicious LNK files. While the end goal remains the same - execution of a Python-based backdoor or downloader - the group has reworked the intermediate stage into a more complex multi-step chain. https://asec.ahnlab.com/en/93151/
The BitSight Threat Research Team examines the Phorpiex botnet’s Twizt variant, focusing on its current TTPs, recent targets, and the new payloads. The write-up underlines how this long-running botnet continues to adapt and remain a relevant threat. https://www.bitsight.com/blog/ransomware-twizt-inside-phorpiex-botnet
Proofpoint Threat Research Team reports that China-aligned TA416 resumed targeting European government and diplomatic organizations from mid-2025. They also observed a March 2026 expansion into Middle Eastern diplomatic and government entities, alongside evolving PlugX delivery chains. https://www.proofpoint.com/us/blog/threat-insight/id-come-running-back-eu-again-ta416-resumes-european-government-espionage
Microsoft Defender Security Research Team reports a WhatsApp-delivered malware campaign that uses malicious VBS files to kick off a multi-stage infection chain. The activity blends social engineering and living-off-the-land techniques, pulling payloads from AWS, Tencent Cloud & Backblaze B2 before installing malicious MSI packages. https://www.microsoft.com/en-us/security/blog/2026/03/31/whatsapp-malware-campaign-delivers-vbs-payloads-msi-backdoors/
Kedar Shashikant Pandit & Prathamesh Shingare at Point Wild uncover a fileless Remcos RAT chain that starts with a phishing email and a ZIP disguised as a business document. An obfuscated JavaScript dropper then pulls a remote PowerShell loader, which reconstructs and executes a .NET payload entirely in memory. https://www.pointwild.com/threat-intelligence/from-inbox-to-intrusion-multi-stage-remcos-rat-and-c2-delivered-payloads-in-network/
McAfee reports Operation NoVoice, an Android rootkit campaign that hides inside legitimate-looking utility and game apps previously hosted on Google Play. Behind the scenes, the app profiles the handset, downloads exploits, and can seize complete control of the device. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-research-operation-novoice-rootkit-malware-android/
CERT Polska analyses new FvncBot samples targeting Polish users. A fake app poses as Token U2F Mobilna Ochrona SGB, then pushes victims to enable an accessibility service presented as System Update before registering the device with attacker infrastructure. https://cert.pl/en/posts/2026/03/fvncbot-analysis/
Seqrite details Operation DualScript, a multi-stage malware infection built around Scheduled Task persistence, VBScript launchers, and PowerShell execution. Two parallel paths drive the compromise: one retrieves remote payloads from the web, while the other runs the RetroRAT implant. https://www.seqrite.com/blog/operation-dualscript-powershell-malware-retrorat-analysis/
Sophos analyses STAC6405, a phishing campaign that used invite-themed lures to trick users into installing LogMeIn Resolve for remote access. In some cases, the actor then used both existing and newly deployed ScreenConnect instances to pull additional binaries, including an infostealer. https://www.sophos.com/en-us/blog/incident-responders-s-il-vous-plait
Trend Micro analyses the latest TeamPCP supply chain hit, where malicious Telnyx PyPI versions 4.87.1 & 4.87.2 were published just 3 days after the LiteLLM compromise. The payload marks a shift in tradecraft, adding WAV-based steganography, split file injection, and Windows persistence. https://www.trendmicro.com/en_us/research/26/c/teampcp-telnyx-attack-marks-a-shift-in-tactics.html