Threat Intelligence RoundUp: February

March 02, 2026

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of how popular they were in our newsletter, that is, which ones our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Mandiant Finds ShinyHunters-Style Vishing Attacks Stealing MFA to Breach SaaS Platforms – The Hacker News

On January 31, Mandiant reported a newly identified expansion in threat activity involving tactics similar to those used by ShinyHunters. These attacks employ voice phishing (vishing) and credential-harvesting websites that impersonate targeted organizations, enabling attackers to obtain single sign-on (SSO) credentials and multi-factor authentication (MFA) codes to gain unauthorized access to victim environments. Mandiant’s threat intelligence team said it is monitoring the activity across several clusters, UNC6661, UNC6671, and UNC6240 (ShinyHunters), to account for the possibility that these groups are evolving their tactics or imitating previously observed methods. Read full article.

2. Hackers exploit SolarWinds WHD flaws to deploy DFIR tool in attacks – BleepingComputer

CISA flagged a critical SolarWinds Web Help Desk (WHD) vulnerability, CVE-2025-40551, that is now being exploited by unknown hackers. After exploiting the flaw, the threat actors relied on legitimate tools, such as Zoho ManageEngine, to maintain persistent, hands-on access to compromised environments. Following initial access, attackers installed the Zoho ManageEngine Assist agent from an MSI hosted on the Catbox file-sharing platform, configured it for unattended access, and registered the affected host with a Zoho Assist account created using an anonymous Proton Mail address. Article here.

On January 28, it was discovered that the FBI had seized RAMP, a Russian cybercrime forum that advertised malware and hacking services. Both the forum’s Tor site and its clearnet domain, ramp4u[.]io, have been taken offline and now show a seizure banner declaring, “The Federal Bureau of Investigation has seized RAMP.” According to the notice, “This action has been taken in coordination with the United States Attorney’s Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice,” indicating a multi-agency effort behind the takedown. RAMP administrator “Stallman” acknowledged the takedown in a message on XSS, adding that he has no plans to create a successor platform. Read more here.

The Chinese state-sponsored hacking group UNC6201 is believed to be behind the zero-day exploitation of a vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769. The high-risk vulnerability has been exploited since May 2024, with the intrusions showing persistent access maintained through the SLAYSTYLE and BRICKSTORM malware families. Additionally, UNC6201 deploys a newly identified malware family called Grimbolt, described as faster and more difficult to analyze than BRICKSTORM. Google Threat Intelligence Group (GTIG) has not confirmed an initial access vector, but previous attacks connected to UNC6201 suggest that edge appliances are a likely target for initial access. Read here.

5. Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Tools – The Hacker News

Researchers have identified a new ransomware family, Reynolds, which embeds a built-in Bring Your Own Vulnerable Driver (BYOVD) component within its payload to evade security defenses. BYOVD abuses flaws in legitimate, signed drivers to obtain kernel-level privileges and disable Endpoint Detection and Response (EDR) tools, making it possible for malicious activity to go undetected. While similar techniques have been observed in prior attacks, the Reynolds campaign specifically drops a vulnerable NsecSoft NSecKrnl driver and uses it to terminate processes associated with multiple security programs. Learn more.

6. One threat actor responsible for 83% of recent Ivanti RCE attacks – BleepingComputer

Recent threat intelligence observations link a single threat actor to most of the exploitation of two critical vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti Endpoint Manager Mobile (EPMM). According to the GreyNoise Threat Research team, between February 1 and 9 it observed 417 exploitation sessions against EPMM. Of those 417, 83% can be traced to a single IP address (193.24.123.42) hosted on bulletproof infrastructure. The injected commands are designed to trigger a DNS callback to a unique subdomain controlled by the attacker. This out-of-band approach lets the threat actor confirm that a command executed successfully without needing a direct response from the target system, which is exactly how blind remote code execution is verified at scale. Read full article.
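The DNS-callback confirmation technique described above leaves a recognizable trace in resolver logs: one internal host resolving several distinct, never-repeated, token-like subdomains of a single zone it has no business talking to. The script below is an added example written for this roundup, not code from the BleepingComputer article or from GreyNoise. The log lines, the client addresses, the zone name oob-callback.example, the token pattern and the threshold of three tokens are all constructed for illustration and would need tuning against real resolver data (CDNs and some security products also use hashed hostnames).

```python
"""Flag DNS-callback style RCE confirmation in resolver query logs (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample resolver log, not real traffic: "<timestamp> <client> <qname>".
# 10.20.0.15 behaves like a freshly exploited appliance phoning home to a
# one-time token per command; 10.20.0.22 shows ordinary traffic plus a repeated
# (not single-use) lookup so the negative case is exercised too.
SAMPLE_LOG = """\
2026-02-03T10:01:12Z 10.20.0.15 www.example.com
2026-02-03T10:01:14Z 10.20.0.15 k7f2q9x1.oob-callback.example
2026-02-03T10:01:15Z 10.20.0.15 z3m8p0lt.oob-callback.example
2026-02-03T10:01:17Z 10.20.0.15 b9d1cc4e.oob-callback.example
2026-02-03T10:01:19Z 10.20.0.15 q0a7hs2v.oob-callback.example
2026-02-03T10:02:00Z 10.20.0.22 mail.example.com
2026-02-03T10:02:05Z 10.20.0.22 cdn.example.com
2026-02-03T10:02:09Z 10.20.0.22 static.example.com
2026-02-03T10:02:11Z 10.20.0.22 api.example.com
2026-02-03T10:02:30Z 10.20.0.22 k7f2q9x1.oob-callback.example
2026-02-03T10:02:31Z 10.20.0.22 k7f2q9x1.oob-callback.example
"""

# A leftmost label is treated as a callback token when it is at least 8 chars of
# lowercase alphanumerics mixing letters and digits. Pattern and threshold are
# assumptions for this example, not values from the article.
TOKEN_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{8,}$")
MIN_TOKENS = 3


def parse_line(line):
    """Split one log line into (timestamp, client, normalized qname)."""
    ts, client, qname = line.split()
    return ts, client, qname.rstrip(".").lower()


def parent_domain(qname):
    """Simplification: the last two labels stand in for the attacker-controlled zone."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def find_callback_patterns(log_text, min_tokens=MIN_TOKENS):
    """Return (client, zone) pairs with at least min_tokens single-use token subdomains."""
    tokens = defaultdict(Counter)  # (client, zone) -> token label -> query count
    for line in log_text.strip().splitlines():
        _ts, client, qname = parse_line(line)
        labels = qname.split(".")
        if len(labels) < 3:
            continue  # bare zone apex, no subdomain to carry a token
        if TOKEN_RE.match(labels[0]):
            tokens[(client, parent_domain(qname))][labels[0]] += 1

    findings = []
    for (client, zone), counter in sorted(tokens.items()):
        # A callback token is used once; repeated lookups point at a cached
        # hostname rather than per-command confirmation.
        single_use = [t for t, n in counter.items() if n == 1]
        if len(single_use) >= min_tokens:
            findings.append({"client": client, "zone": zone, "unique_tokens": len(single_use)})
    return findings


if __name__ == "__main__":
    for finding in find_callback_patterns(SAMPLE_LOG):
        print(finding)
```

Run against your own resolver export by replacing SAMPLE_LOG with the file contents in the same three-column shape; the zones that surface are candidates for blocking at the egress resolver, and the clients are the hosts to triage for the vulnerable product.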

7. Sandworm hackers linked to failed wiper attack on Poland’s energy systems – BleepingComputer

In late December 2025, the Russian state-sponsored hacking group Sandworm attempted to deploy destructive data-wiping malware called DynoWiper against Poland’s power grid. Polish officials have claimed the attack “targeted two combined heat and power plants as well as a management system used to control electricity generated from renewable sources such as wind turbines and photovoltaic farms.” Officials also stated that their current “systems in place” were able to prevent the attack but gave minimal additional information. Read full article.

8. China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns – The Hacker News

Throughout 2025, Amaranth-Dragon, a China-linked threat actor, has been connected with new cyber espionage campaigns targeting government and law enforcement in Southeast Asia. The threat actors abused a now-patched security vulnerability (CVE-2025-8088) in RARLAB WinRAR, which permits arbitrary code execution upon opening a specially crafted archive. Although the exact method of initial access is still unclear, the highly targeted nature of the campaigns and the use of customized lures tied to regional political, economic, or military events strongly suggest spear-phishing. In these attacks, emails likely delivered archive files hosted on trusted cloud services such as Dropbox, helping the attackers appear legitimate and evade traditional perimeter defenses. Learn more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.


Copyright © 2026 DarkOwl, LLC All rights reserved.