
Source: The Hacker News

ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack & More

  • What: Weekly security news roundup with various threats
  • Impact: Highlights emerging attack techniques

Ravie Lakshmanan | Mar 12, 2026 | Cybersecurity / Hacking News

Another Thursday, another pile of weird security stuff that somehow happened in just seven days. Some of it is clever. Some of it is lazy. A few bits fall into that uncomfortable category of “yeah… this is probably going to show up in real incidents sooner than we’d like.”

The pattern this week feels familiar in a slightly annoying way. Old tricks are getting polished. New research shows how flimsy certain assumptions really are. A couple of things that make you stop mid-scroll and think, “wait… people are actually pulling this off?”

There’s also the usual mix of strange corners of the ecosystem doing strange things — infrastructure behaving a little too professionally for comfort, tools showing up where they absolutely shouldn’t, and a few cases where the weakest link is still just… people clicking stuff they probably shouldn’t.

Anyway. If you’ve got five minutes and a mild curiosity about what attackers, researchers, and the broader internet gremlins were up to lately, this week’s ThreatsDay Bulletin on The Hacker News has the quick hits. Scroll on.

OAuth consent abuse
The Dangers of Malicious OAuth Applications

Cloud security firm Wiz has warned of the dangers posed by malicious OAuth applications, highlighting how "consent fatigue" could open the door for attackers to gain access to a victim's sensitive data by giving their malicious apps a legitimate-looking name. By accepting the permissions requested by a rogue OAuth application, the user is "adding" the attacker's app into their company's tenant. "Once 'Accept' is clicked, the sign-in process is complete," Wiz said. "But instead of going to a normal landing page, the access token is sent to the attacker's Redirect URL. With that token, the attacker now has access to the user's files or emails without ever needing to know their password."

The Google-owned company also said it detected a large-scale campaign active in early 2025 that involved 19 distinct OAuth applications impersonating well-known brands such as Adobe, DocuSign, and OneDrive, and targeted multiple organizations. Details of the activity were documented by Proofpoint in August 2025.

Messaging account takeover
Russian Hackers Target Signal and WhatsApp Accounts

Russian-linked hackers are trying to break into the Signal and WhatsApp accounts of government officials, journalists, and military personnel globally with an aim to get unauthorized access – not by breaking encryption, but by simply tricking people into handing over their security verification codes or PINs. "The most frequently observed method used by the Russian hackers is to masquerade as a Signal Support chatbot in order to induce their targets to divulge their codes," the Netherlands Defence Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) said. "The hackers can then use these codes to take over the user's account. Another method used by the Russian actors takes advantage of the 'linked devices' function within Signal and WhatsApp."

It's worth noting that a similar warning was issued by Germany last month. "These attacks were executed via sophisticated phishing campaigns, designed to trick users into sharing information – SMS codes and/or Signal PIN – to gain access to users' accounts," Signal said. Google warned last year that Signal's widespread use among Ukrainian soldiers, politicians, and journalists had made it a frequent target for Russian espionage operations.

Cloud breach via software flaws
Threat Actors Exploit Flaws in Third-Party Software to Breach Cloud

Google has revealed that threat actors are increasingly exploiting vulnerabilities in third-party software to breach cloud environments. "The window between vulnerability disclosure and mass exploitation collapsed by an order of magnitude, from weeks to days," the tech giant's cloud division said. "While software-based exploits increased, initial access by threat actors using misconfiguration, which accounted for 29.4% of incidents in the first half of 2025, dropped to 21% in H2 2025. Similarly, exposed sensitive UI or APIs continued a downward trend, falling from 11.8% in H1 to 4.9% in H2. This decline suggests that automated guardrails are making identity and configuration errors harder to exploit and that threat actors are being driven toward more sophisticated and costly vectors that specifically target software vulnerabilities to gain a foothold." In most attacks investigated by Google, the actor's objective was silent exfiltration of high volumes of data without immediate extortion, along with long-term persistence.

Microcontroller debug bypass
Breaking RH850's Password Protection

New research from Quarkslab has found that it's possible to bypass the 16-byte password protection required for debug access on several variants of the RH850 microcontroller family using voltage fault injection in under one minute. "Voltage glitching technique is performed by underpowering or overpowering the chip for a controlled amount of time to alter its behavior," the security company said. "The crowbar attack is a specific type of voltage glitch where the power supply is shorted to the ground instead of injecting a specific voltage, using a MOSFET, for example."

Solar Spider suspects arrested
2 Nigerian Nationals Linked to Solar Spider Arrested in Greater Noida

Two Nigerian nationals have been arrested by authorities in the Indian state of Uttar Pradesh for their alleged involvement in an e-crime operation known as Solar Spider. The suspects are believed to have been planning to siphon large amounts of money by leveraging security flaws in Indian cooperative banking systems. According to a report from The420.in, the individuals have been identified as Okechukwu Imeka and Chinedu Okafor. The duo is suspected to be part of an international fraud syndicate involved in targeting financial institutions.

Solar Spider has a history of targeting banking systems across India and the Middle East, often through spear-phishing campaigns. In a report published in July 2025, Tata Communications revealed that the threat actors leverage their initial access to steal credentials, tamper with NEFT/RTGS transactions, and focus on Structured Financial Messaging System (SFMS) and Host-to-Host (H2H) infrastructures. The group is also known for deploying a sophisticated attack framework dubbed JSOutProx since at least 2019.

PlugX malware campaign
Chinese Threat Actors Capitalize on Middle East Conflict

Check Point has disclosed targeted campaigns against entities in Qatar using conflict-related content as lures to deliver malware families like PlugX and Cobalt Strike. The attack chain uses Windows shortcut (LNK) files contained within ZIP archives, which, when opened, download a next-stage payload from a compromised server. The payload then displays the decoy document while using DLL side-loading to deploy PlugX. The activity, detected on March 1, 2026, has been attributed to Mustang Panda (aka Camaro Dragon).

A second attack has been observed using a password-protected archive to execute a previously undocumented Rust loader that's responsible for deploying Cobalt Strike using DLL side-loading. "This loader exploits DLL hijacking of nvdaHelperRemote.dll, a component of the open-source screen reader NVDA. Abuse of this component has previously been observed in only a limited number of Chinese-nexus campaigns, including China-aligned activity associated with a campaign delivering Voldemort backdoor, as well as a wave of attacks targeting the Philippines and Myanmar back in 2025," Check Point said. While this attack is assessed as China-aligned, it has not been attributed to a specific threat actor. "The attackers leveraged the ongoing war in the Middle East to make their lures more credible and engaging, demonstrating the ability to rapidly adapt to major developments and breaking news," the company said.

Teen DDoS kit sellers
Poland Busts Teen Gang Selling DDoS Kits

Polish police have referred seven suspected minor cybercriminals to family court over an alleged scheme to sell distributed denial-of-service (DDoS) kits online. The suspects, aged between 12 and 16 at the time of the alleged offenses, face charges related to selling DDoS tools as part of a profit-driven scheme designed to target popular websites, including auction and sales portals, IT domains, hosting services, and accommodation booking sites. "Using the tools they administer, popular websites such as auction and sales portals, IT domains, hosting services, and accommodation booking services were attacked," Poland's Central Bureau for Combating Cybercrime (CBZC) said.

Phishing-resistant Windows login
Microsoft Entra Passkeys on Windows for Phishing-Resistant Sign-In

Microsoft is rolling out passkey support for Microsoft Entra on Windows devices, adding phishing-resistant passwordless authentication via Windows Hello. "We're introducing Microsoft Entra passkeys on Windows to enable phishing-resistant sign-in to Entra-protected resources. This update allows users to create device-bound passkeys stored in the Windows Hello container and authenticate using Windows Hello methods (face, fingerprint, or PIN)," Microsoft said. "It also expands passwordless authentication to Windows devices that aren't Entra-joined or registered, helping organizations strengthen security and reduce reliance on passwords."

Sysmon built into Windows
Native Sysmon Arrives in Windows 11

Microsoft has natively integrated System Monitor (Sysmon) functionality directly into Windows 11 and Windows Server 2025 as an optional built-in feature as of Windows 11's March feature update (KB5079473). It's disabled by default. The company announced the integration in November 2025. "You no longer need to package it dynamically; you can simply enable it progr
