Security News

Cybersecurity news aggregator

MEDIUM Attacks The Hacker News

ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine & More

  • What: New cybersecurity threats and privacy issues reported
  • Impact: Users of Samsung TV and Reddit may be affected

Ravie Lakshmanan · Mar 05, 2026 · Cybersecurity / Hacking News

Some weeks in cybersecurity feel routine. This one doesn’t. Several new developments surfaced over the past few days, showing how quickly the threat landscape keeps shifting. Researchers uncovered fresh activity, security teams shared new findings, and a few unexpected moves from major tech companies also drew attention.

Together, these updates offer a useful snapshot of what is happening behind the scenes in the cyber world right now. From new tactics and campaigns to security and policy changes that could affect millions of users, there is a lot unfolding at once. Below is a quick roundup of the most notable stories making headlines this week.

Phishing Campaign Deploys Multiple Malware Strains
Ukraine Targeted by SHADOWSNIFF, SALATSTEALER, DEAFTICKK Malware

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a hacking campaign targeting Ukrainian government institutions using phishing emails containing a ZIP archive (or a link to a website vulnerable to cross-site scripting attacks) to distribute SHADOWSNIFF and SALATSTEALER information-stealing malware and a Go backdoor called DEAFTICKK. The agency attributed the activity to a threat actor tracked as UAC-0252.

The development comes as a suspected Russian espionage campaign is targeting Ukraine with two previously undocumented malware strains, BadPaw and MeowMeow, according to ClearSky. While the campaign is said to be likely the work of APT28, the cybersecurity company did not identify the targets of the campaign or say whether the attacks were successful.

Fake RMM Service Spreads RAT via Phishing
Threat Actor Masquerades as RMM Vendor to Distribute RAT

A new malware-as-a-service (MaaS) dubbed TrustConnect ("trustconnectsoftware[.]com") masqueraded as a legitimate remote monitoring and management (RMM) tool for $300 per month. It's assessed that the threat actor behind TrustConnect was also a prominent user of RedLine Stealer. According to email security firm Proofpoint, multiple threat actors have been observed distributing the malware via phishing emails as of January 27, 2026. The emails claim to be event invites or bid proposals, tricking recipients into clicking on links that lead to the download of bogus executables that install TrustConnect RAT.

The RAT backdoors users' machines and gives attackers full mouse and keyboard control, allowing them to record and stream the victim's screen. Some campaigns have also been observed delivering legitimate remote access software like ScreenConnect and LogMeIn Resolve alongside TrustConnect between January 31 and February 3, 2026. Customers who purchase the toolkit are granted access to a dashboard to remotely commandeer infected devices and generate branded installers containing the malware.

After Proofpoint took steps to disrupt some of the malware's infrastructure on February 17, 2026, the threat actor resurfaced with a rebranded version of the malware platform called DocConnect. "Disruptions to MaaS operations like RedLine, Lumma Stealer, and Rhadamanthys have created new opportunities for malware creators to fill gaps in the cybercrime market," Proofpoint said. "Although TrustConnect only masqueraded as a legitimate RMM, the lures, attack chains, and follow-on payloads (which include RMMs) show overlap with techniques and delivery methods that are frequently observed in RMM campaigns and used by multiple threat actors." The development comes amid skyrocketing abuse of legitimate RMM software in cyber attacks.

Chrome Moves to Two-Week Release Cycle
Google Revises Chrome Release Cycle

Google has announced that new Chrome iterations will be released every two weeks, moving away from the current four-week release cycle. Since 2021, Google has been shipping major Chrome versions every four weeks, and since 2023, it has been delivering security updates every week for a reduced patch gap and improved quality. "The web platform is constantly advancing, and our goal is to ensure developers and users have immediate access to the latest performance improvements, fixes, and new capabilities," Google said. The new release cycle will also apply to beta releases, starting with Chrome 153, which will arrive on September 8, 2026.

TPMS Signals Allow Covert Vehicle Tracking
Vehicle Tire Pressure Sensors Enable Silent Tracking

Researchers at IMDEA Networks Institute have found that Tire Pressure Monitoring System (TPMS) sensors inside each car wheel broadcast unencrypted wireless signals containing persistent identifiers. While the feature is designed for vehicle safety, each sensor transmits a unique ID that does not change, allowing the same car to be recognized again and tracked over time. This, in turn, opens the door to a low-cost monitoring network that uses software-defined radio receivers near roads (at a distance of up to 40m from the car) and parking areas to collect TPMS messages from thousands of vehicles and build profiles of their movements over time.

"Malicious users could deploy passive receivers on large scales and track citizens without their knowledge. The advantage of such a system, over more traditional camera-based ones, is that no direct line-of-sight is needed with the TPMS sensors, and spectrum receivers could be placed in covert or hidden locations, making them harder to spot by victims," the researchers warned. "Our results show that TPMS transmissions can be used to systematically infer potentially sensitive information such as the presence, type, weight, or driving pattern of the driver." The disclosure adds to a growing body of research demonstrating how various components fitted into modern vehicles can become unintended conduits for surveillance and exploits.

Telegram Emerges as Cybercrime Command Hub
Telegram as an Operational Layer for Cybercrime

A new analysis from CYFIRMA has pointed out how Telegram's structure offers threat actors a way to extend their reach globally without the need for specialized tooling, enable frictionless onboarding of buyers and affiliates, support payment options, and facilitate audience growth. The emergence of the platform has fundamentally changed the way cyber operations are coordinated, monetized, and publicized.

"For financially motivated actors, Telegram functions as a scalable storefront and customer support hub," the company said. "For hacktivists, it serves as a mobilization and propaganda amplifier. For state-aligned operations, it offers a rapid distribution channel for narratives and leaks. In many cases, Telegram complements and increasingly replaces traditional Tor-based ecosystems by removing technical friction while maintaining operational flexibility."

AuraStealer Infrastructure Revealed
New AuraStealer Malware Analyzed

A new analysis of AuraStealer from Intrinsec has uncovered 48 command-and-control (C2) domain names linked to the stealer's operations. The threat actor behind the malware has been found to use .shop and .cfd top-level domains, in addition to routing all traffic through Cloudflare as a reverse proxy to conceal the real server. AuraStealer first appeared on underground hacker forums in July 2025, shortly after the disruption of the Lumma Stealer as part of a law enforcement operation. It was advertised by a user named AuraCorp on the XSS forum. It comes in two subscription packages: $295/month for Basic and $585/month for Advanced. One of the primary mechanisms through which the stealer is distributed is ClickFix.

Malvertising Pushes New Atomic Stealer Variant
Malvertising Campaign Drops Atomic Stealer

A malvertising campaign is using bogus ads on Google Search results pages to redirect users looking for ways to free up macOS storage to fraudulent web pages hosted on Medium, Evernote, and Kimi AI. Those pages serve ClickFix-style instructions that drop a new variant of the Atomic Stealer called malext to steal a wide range of data from compromised macOS systems. The campaign uses more than 50 compromised Google Ads accounts that push "over 485 malicious landing pages, ultimately leading to a ClickFix attack that deployed a potentially new version of AMOS Stealer onto infected systems," security researcher Gi7w0rm said.

Bots Hammer DRAM Pages for DDR5 Inventory
Large-Scale Operation Submits Millions of Web Scraping Requests Targeting DRAM Product Pages

A large-scale data gathering operation has submitted more than 10 million web scraping requests to hit DRAM product pages on e-commerce sites in an effort to find sellers carrying desirable DRAM stock. The bots have been found to check the stock of specific RAM kits every 6.5 seconds by using a technique called cache busting to ensure they get the most up-to-date information, DataDome said.

"These bots aggressively target the entire supply chain, from consumer RAM to B2B industrial memory providers and raw hardware components like DIMM sockets," the company said. "Scrapers attempt to avoid detection by adding cache-busting parameters to every request and calibrating their speed to stay just below volumetric alarm thresholds. By rapidly snapping up the limited DDR5 memory inventory for profitable resale, these bots further deplete the consumer supply, effectively boxing out legitimate customers and driving market prices even higher."

Reddit Fined Over Children's Data Handling
U.K. ICO Fines Reddit £14.47M for Children's Privacy Failures

The U.K. Information Commissioner's Office (ICO) has fined Reddit £14.47 million for unlawfully processing the personal information of children under the age of 13 and for failing to properly check the age of its users, thereby putting them at risk of being exposed to inappropriate and harmful content online. In July 2025, Reddit introduced age assurance measures that include age verification to access mature content and asking users to declare their age when opening an account. Reddit
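
The DRAM scraping item in this bulletin describes bots that stay under volumetric thresholds while adding a cache-busting parameter to every request, so request rate alone will not surface them. As an added example (not from the article or from DataDome), the Python below flags that pattern in access logs by looking for never-repeated query strings on one path at a machine-regular cadence; the log format, the `_cb` parameter name, the thresholds and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

def build_sample_log():
    """Constructed sample: one bot polling every 6.5 s with a fresh query value, plus a shopper."""
    lines = []
    for i in range(20):
        ts = 1000.0 + 6.5 * i
        lines.append(f"{ts:.1f} 203.0.113.7 /product/ddr5-kit-32gb?_cb={170000 + i * 7919}")
    for ts, url in [(1003.0, "/product/ddr5-kit-32gb"), (1040.0, "/product/ddr5-kit-32gb?ref=home"),
                    (1300.0, "/product/ddr5-kit-32gb"), (1310.0, "/cart")]:
        lines.append(f"{ts:.1f} 198.51.100.23 {url}")
    return lines

def find_cache_busting_pollers(lines, min_requests=10, min_unique_ratio=0.9, max_jitter=0.2):
    """Return {(client, path): stats} for clients that re-fetch one path with
    ever-changing query strings at a steady interval (assumed 'ts client url' log lines)."""
    hits = defaultdict(list)  # (client, path) -> [(timestamp, query)]
    for line in lines:
        ts, client, url = line.split(maxsplit=2)
        parts = urlsplit(url)
        hits[(client, parts.path)].append((float(ts), parts.query))
    flagged = {}
    for key, reqs in hits.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort()
        queries = [q for _, q in reqs]
        unique_ratio = len(set(queries)) / len(queries)
        gaps = [b[0] - a[0] for a, b in zip(reqs, reqs[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0  # coefficient of variation of the gaps
        # Every request carries a never-repeated query (forcing a cache miss) and the
        # cadence is machine-regular, even though the rate itself is low.
        if unique_ratio >= min_unique_ratio and "" not in queries and jitter <= max_jitter:
            flagged[key] = {"requests": len(reqs), "mean_gap_s": round(avg, 2),
                            "unique_ratio": unique_ratio}
    return flagged

if __name__ == "__main__":
    for (client, path), stats in find_cache_busting_pollers(build_sample_log()).items():
        print(client, path, stats)
```

Bots that randomize their timing will defeat the jitter check, so in practice the unique-query ratio per path is the more durable of the two signals.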
