March 16, 2026 Emerging Threats Weekly
This week’s briefing covers:
00:00 – Intro
00:25 [PATCHING] Microsoft Patch Tuesday Addresses 79 Issues, 2 Zero-Days
Microsoft’s March 2026 Patch Tuesday includes security updates for 79 new Microsoft CVEs, addressing vulnerabilities across Windows, Office, SQL Server, .NET, Azure components, Hyper-V, ReFS and more.
01:55 [CAMPAIGN] China-Nexus UAT-9244 Targets South American Telcos with Three New Implants
Cisco Talos has identified UAT-9244, a China-nexus threat cluster overlapping with FamousSparrow and Tropic Trooper, targeting South American telecom providers since 2024.
03:42 [TTP] Teams Social Engineering Uses Quick Assist to Drop A0Backdoor with DNS MX C2
BlueVoyant observed actors inundating targets with spam, then posing as IT via Microsoft Teams to coerce employees into launching a Quick Assist session, during which signed MSIs/DLL sideloading deliver a novel A0Backdoor payload. The backdoor fingerprints hosts and uses DNS MX queries for covert C2, embedding commands in MX records to evade TXT tunneling detections.
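One detection angle for the MX-based C2 described above: most DNS tunneling rules key on TXT queries, so a host issuing many MX queries for distinct, random-looking subdomains under one parent domain is the signal worth hunting for. The following is an added example written for this briefing, not code from BlueVoyant or Kroll; the log layout, domain names and thresholds are constructed for illustration.

```python
# Added example: heuristic detector for DNS MX-record C2 over DNS query logs.
# The simplified log format, hosts, domains and thresholds are assumptions
# made for this illustration; tune them to your resolver's actual log schema.
import math
import re
from collections import defaultdict

# Constructed sample lines (not real traffic): timestamp, source IP, query name, query type.
# 10.0.0.25 looks like a normal mail client; 10.0.0.77 issues MX queries for
# random hex subdomains under one parent, the pattern described for A0Backdoor.
SAMPLE_LOG = """\
1710547200.101 10.0.0.25 mail.example-corp.internal MX
1710547201.455 10.0.0.25 example-corp.internal MX
1710547205.002 10.0.0.77 a1f9c3e2b7.cdn-sync.example MX
1710547205.410 10.0.0.77 9d0e77b1ac.cdn-sync.example MX
1710547205.880 10.0.0.77 4c2b8f1e06.cdn-sync.example MX
1710547206.120 10.0.0.77 e7a5d29c43.cdn-sync.example MX
1710547206.600 10.0.0.77 b3c1f08a5d.cdn-sync.example MX
1710547206.900 10.0.0.77 0f6e4d2a91.cdn-sync.example MX
1710547207.300 10.0.0.77 www.example.com A
1710547210.000 10.0.0.91 example.org TXT
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def shannon_entropy(s):
    """Bits per character; random hex/base32 labels score high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    """Parse the constructed log layout into dicts; silently skips malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def parent_domain(qname, levels=2):
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-levels:])


def find_mx_c2_candidates(records, min_unique_subdomains=5, min_label_entropy=3.0,
                          known_mail_clients=frozenset()):
    """Flag (source, parent domain) pairs with many distinct high-entropy MX subdomains.

    Bare-domain MX lookups (example.com MX) are normal mail behaviour and are
    ignored; the C2 pattern is MX queries for ever-changing *sub*domains.
    Known mail servers/clients can be excluded to cut false positives.
    """
    per_key = defaultdict(set)  # (src, parent) -> leftmost labels seen
    for r in records:
        if r["qtype"] != "MX" or r["src"] in known_mail_clients:
            continue
        labels = r["qname"].rstrip(".").split(".")
        if len(labels) < 3:
            continue
        per_key[(r["src"], parent_domain(r["qname"]))].add(labels[0])

    findings = []
    for (src, parent), subs in per_key.items():
        high_entropy = [s for s in subs if shannon_entropy(s) >= min_label_entropy]
        if len(subs) >= min_unique_subdomains and len(high_entropy) >= min_unique_subdomains:
            findings.append({"src": src, "parent_domain": parent,
                             "unique_subdomains": len(subs)})
    return sorted(findings, key=lambda f: f["src"])


if __name__ == "__main__":
    for finding in find_mx_c2_candidates(parse_dns_log(SAMPLE_LOG)):
        print(finding)
```

The entropy gate is what separates this from legitimate multi-tenant mail domains: a mail client resolving `mail.` or `mx1.` under several domains will not trip it, whereas beaconing that encodes host fingerprints or sequence numbers in the leftmost label will. Pair the query-side heuristic with answer-side review (unusually long or non-hostname exchange values in MX responses) before escalating.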
05:41 [VULNERABILITY] CISA Reports Max Severity n8n Vulnerability Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has observed exploitation of a recent CVSS 9.9 bug in n8n, an open-source workflow automation platform. The product is used by consumers, enterprises and government organizations, and nearly half of n8n’s users are thought to be running vulnerable versions.
07:29 [TTP] “InstallFix” Malvertising Clones Claude Code Docs to Push Amatera Infostealer
Push Security researchers have uncovered a new social engineering attack technique they call “InstallFix,” where threat actors create convincing clones of legitimate installation pages for widely used developer tools, into which they insert malicious install commands. The campaign targeted Anthropic’s Claude Code, a popular AI command line coding assistant.
08:53 [CAMPAIGN] Iranian Seedworm (MuddyWater) Embedded in US Bank, Airport, Defense Supplier Networks
Broadcom’s Symantec and partners report that Seedworm (aka MuddyWater, linked to Iran’s Ministry of Intelligence and Security, MOIS) has maintained access inside multiple U.S. organizations since early February, deploying backdoors including DINDOOR and FAKESET to establish persistence and enable follow-on operations. The activity aligns with heightened regional tensions and with prior Seedworm tradecraft aimed at U.S. critical sectors.
Dive deeper:
Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/cti-spotlight-trends-report
Kroll’s Q4 2024 Cyber Threat Landscape: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/q4-2024-threat-landscape-report-phishing
Kroll’s 2025 Cyber Threat Landscape Report: Cybercrime in the Crypto Era: https://www.kroll.com/Reports/Cyber/Threat-Intelligence-Reports/Threat-Landscape-Report-Lens-on-Crypto
Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: https://www.youtube.com/playlist
Kroll Cyber Blog: https://www.kroll.com/en/insights/cyber
Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber/threat-intelligence-services
Kroll Threat Intelligence Reports: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports
Kroll Responder MDR: https://www.kroll.com/en/services/cyber/kroll-responder
#krollcyber #threatintelligence #cyberthreats