Cyber Threat Brief — March 31 2026
⚠️ This report is AI-generated. Always validate findings.
1. DeepLoad Loader — ClickFix + AI-Obfuscated WMI Persistence
TL;DR: New loader disclosed March 30 by ReliaQuest combines ClickFix social engineering, AI-generated PowerShell obfuscation, and WMI event subscription persistence to steal browser credentials. Credential exfiltration begins within minutes of infection, and the standalone stealer keeps running after the loader is removed.
What's New:
- ClickFix lure → `mshta.exe` → obfuscated PowerShell XOR shellcode loader (AI-generated variable padding defeats static signatures)
- Payload injected into `LockAppHost.exe` (a legitimate lock-screen process that should not make outbound connections)
- WMI event subscription re-executes the attack ~72 hours post-cleanup with no user interaction
- Standalone credential stealer `filemanager.exe` runs on separate C2 infrastructure and survives containment of the main loader
- `/t1_usb` path observed in C2 traffic within 10 minutes of infection, indicating USB activity tracking
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| mshta.exe spawning PowerShell | Process chain | T1218.005 | Sysmon EID 1, EDR | Alert on mshta→powershell chain |
| LockAppHost.exe outbound network | Anomalous process behavior | T1055 | Sysmon EID 3, firewall | Hunt: LockAppHost.exe should not make outbound connections |
| WMI event subscription persistence | WMI consumer | T1546.003 | Sysmon EID 19/20/21, WMI logs | Hunt all WMI __EventConsumer creations |
| filemanager.exe (standalone stealer) | Process name | T1555.003 | Sysmon EID 1 | Alert on unexpected filemanager.exe execution |
| /t1_usb in HTTP path | C2 beacon pattern | T1071.001 | Proxy/firewall logs | Hunt for /t1_usb in outbound HTTP URIs |
| PowerShell Script Block with XOR + padded variables | Obfuscated script | T1059.001 | PowerShell ScriptBlock (EID 4104) | Hunt: high-entropy variable assignments preceding XOR routines |
| Browser extension files in non-standard paths | Credential access | T1176 | Sysmon EID 11 | Hunt: .crx/.xpi writes outside default browser extension dirs |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | "Suspicious mshta Child Process" (partial) | No rule for LockAppHost.exe outbound or WMI consumer from WmiPrvSE→PowerShell chain |
| Elastic | "Suspicious Script Object Execution" | No WMI event subscription persistence detection specific to this chain |
| Sigma | proc_creation_win_mshta_spawn_shell.yml (partial) | Missing: LockAppHost.exe network anomaly, WMI __EventConsumer with PowerShell payload, filemanager.exe process |
Sources: ReliaQuest, The Hacker News, CyberScoop
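The detection gaps in the table above (LockAppHost.exe outbound, WMI consumer with a script-interpreter payload, filemanager.exe, the /t1_usb URI and the padded-variable XOR script block) can be closed with a small hunt over Sysmon, proxy and PowerShell logs. The following is an added example written for this brief; it is not ReliaQuest's or any vendor's detection content. It assumes events arrive as JSON dicts carrying the field names Sysmon writes to the event log (EventID, Image, ParentImage, Initiated, Destination, Consumer, Filter); the sample events, URIs, script block and the "padded variable" threshold are constructed for illustration.

```python
"""Hunt for the DeepLoad chain over Sysmon, proxy and ScriptBlock logs.

Added example for this brief, not ReliaQuest's or any vendor's detection content.
Assumed (not stated in the brief): events are JSON dicts with Sysmon's field names;
all sample data below is constructed.
"""
from __future__ import annotations

import re
from typing import Iterable
from urllib.parse import urlsplit

EID_PROCESS_CREATE = 1   # Sysmon: process creation
EID_NETWORK_CONNECT = 3  # Sysmon: network connection
EID_WMI_CONSUMER = 20    # Sysmon: WmiEventConsumer activity (payload is in Destination)
EID_WMI_BINDING = 21     # Sysmon: WmiEventConsumerToFilter activity

INTERPRETER_RE = re.compile(r"powershell|pwsh|mshta|wscript|cscript|cmd\.exe", re.IGNORECASE)
XOR_RE = re.compile(r"-bxor", re.IGNORECASE)
PADDED_VAR_RE = re.compile(r"\$[A-Za-z0-9_]{24,}")  # assumed: 24+ chars counts as a padded name
PADDED_VAR_MIN = 2                                  # assumed: two or more such names before the XOR


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hunt_sysmon(events: Iterable[dict]) -> list[dict]:
    """One finding per matched artifact, tagged with the ATT&CK ID used in the table above."""
    findings: list[dict] = []
    for ev in events:
        eid = ev.get("EventID")
        image = _basename(ev.get("Image", ""))
        if eid == EID_PROCESS_CREATE:
            parent = _basename(ev.get("ParentImage", ""))
            if parent == "mshta.exe" and image in ("powershell.exe", "pwsh.exe"):
                findings.append({"technique": "T1218.005", "detail": "mshta.exe spawned PowerShell", "event": ev})
            if image == "filemanager.exe":
                findings.append({"technique": "T1555.003", "detail": "unexpected filemanager.exe execution", "event": ev})
        elif eid == EID_NETWORK_CONNECT:
            # Initiated=true means this process opened the connection, i.e. outbound.
            if image == "lockapphost.exe" and str(ev.get("Initiated", "true")).lower() == "true":
                findings.append({"technique": "T1055", "detail": "LockAppHost.exe initiated an outbound connection", "event": ev})
        elif eid == EID_WMI_CONSUMER:
            if INTERPRETER_RE.search(ev.get("Destination", "")):
                findings.append({"technique": "T1546.003", "detail": "WMI event consumer runs a script interpreter", "event": ev})
        elif eid == EID_WMI_BINDING:
            findings.append({"technique": "T1546.003", "detail": "WMI filter-to-consumer binding created", "event": ev})
    return findings


def hunt_uris(uris: Iterable[str]) -> list[str]:
    """Proxy/firewall hunt: outbound requests whose URI path carries the /t1_usb beacon marker."""
    return [u for u in uris if "/t1_usb" in urlsplit(u).path]


def script_block_suspicious(script: str) -> bool:
    """EID 4104 hunt: several long, padded variable names assigned before a -bxor routine."""
    m = XOR_RE.search(script)
    return bool(m) and len(PADDED_VAR_RE.findall(script[: m.start()])) >= PADDED_VAR_MIN


# ---- constructed sample data (not real telemetry) ----
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe", "CommandLine": "powershell -w hidden -enc AAAA"},
    {"EventID": 3, "Image": r"C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockAppHost.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 20, "Operation": "Created", "Name": "Updater", "Type": "Command Line",
     "Destination": "powershell.exe -nop -w hidden -enc AAAA"},
    {"EventID": 21, "Operation": "Created", "Consumer": 'CommandLineEventConsumer.Name="Updater"',
     "Filter": '__EventFilter.Name="Trigger"'},
    {"EventID": 1, "Image": r"C:\Users\Public\filemanager.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]
SAMPLE_URIS = ["http://203.0.113.10/t1_usb?id=7a1c", "https://www.example.com/index.html"]
SAMPLE_SCRIPT = (
    "$qWvX9kLmNpR2tYbZcAeF7gHjK = 12; $sDfG4hJkLzXcVbNmQwErTyUiOp = 7; "
    "$zAq1XswCde3VfrBgt5NhyMju8Kilo = 0x41; "
    "$out = $bytes | ForEach-Object { $_ -bxor $zAq1XswCde3VfrBgt5NhyMju8Kilo }"
)

if __name__ == "__main__":
    for f in hunt_sysmon(SAMPLE_EVENTS):
        print(f["technique"], f["detail"])
    print("beacon URIs:", hunt_uris(SAMPLE_URIS))
    print("script block suspicious:", script_block_suspicious(SAMPLE_SCRIPT))
```

The WMI branch deliberately flags every EID 21 binding, matching the table's "hunt all __EventConsumer creations" guidance; tune it with an allow-list of known bindings (SCCM, backup agents) rather than narrowing the match, since the consumer payload is what an attacker controls.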
2. Citrix NetScaler Memory Overread — CVE-2026-3055 (CISA KEV)
TL;DR: CISA added CVE-2026-3055 to KEV on March 30 confirming active exploitation (upgraded from recon). Attackers leak session cookies, private keys, and plaintext credentials via crafted SAML requests. Federal deadline April 2. Metasploit module available.
What's New:
- CISA KEV addition March 30: confirmed active exploitation (previously only recon/fingerprinting)
- Exploitation mechanism: a malformed `SAMLRequest` to `/saml/login` that omits `AssertionConsumerServiceURL` triggers the memory overread
- Leaked data is returned in the `NSC_TASS` cookie (Base64-encoded memory contents including session tokens, private keys and plaintext credentials)
- Second exploitation path: `/wsfed/passive?wctx`; a `wctx` parameter present without `=` triggers the buffer read
- Metasploit module now available, lowering the exploitation barrier
- Federal remediation deadline: April 2, 2026
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| POST/GET /saml/login with malformed SAMLRequest | Exploitation attempt | T1190 | WAF, NetScaler syslog, proxy | Block/alert: SAMLRequest missing AssertionConsumerServiceURL |
| GET /cgi/GetAuthMethods | Recon/fingerprinting | T1595.002 | NetScaler syslog, proxy | Alert on external requests to this endpoint |
| GET /wsfed/passive?wctx (no = after wctx) | Exploitation attempt | T1190 | WAF, NetScaler syslog | Block/alert: wctx param present without value |
| NSC_TASS cookie with Base64 blob in response | Data leak indicator | T1005 | NetScaler logs, packet capture | Hunt: oversized NSC_TASS cookies in responses |
| Patch: 14.1-66.59+ / 13.1-62.23+ | Remediation | — | Vuln scanner | Validate patched versions across all SAML IDP-configured instances |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No NetScaler SAML exploitation rule — need custom SPL for /saml/login malformed requests and oversized NSC_TASS response cookies |
| Elastic | None | No coverage — custom rule needed for NetScaler access logs |
| Sigma | None | No NetScaler-specific rules — community rule for /cgi/GetAuthMethods fingerprinting needed |
Sources: CISA KEV, Rapid7, watchTowr, BleepingComputer
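Since none of the three rule sets cover this, the request-side and response-side checks from the tables above are worth writing out. The code below is an added example for this brief, not Citrix, Rapid7 or watchTowr code. It decodes a SAMLRequest under both SAML bindings (HTTP-Redirect is base64 over raw DEFLATE, HTTP-POST is plain base64) and then looks for the AssertionConsumerServiceURL attribute; it treats a bare `wctx` token (no `=`) as the wsfed indicator, and flags an NSC_TASS response cookie whose value is a large base64 blob. Assumptions not taken from the brief: requests arrive as (method, request-target, body) tuples and Set-Cookie headers as strings (as a WAF or access-log export would give you); the sample requests and the NSC_TASS length cut-off are constructed.

```python
"""Triage HTTP traffic for the CVE-2026-3055 request and response indicators above.

Added example for this brief, not Citrix, Rapid7 or watchTowr code. Assumed:
(method, target, body) tuples and Set-Cookie strings as input; samples and the
NSC_TASS size threshold are constructed.
"""
from __future__ import annotations

import base64
import re
import zlib
from urllib.parse import parse_qs, quote, urlsplit

ACS_RE = re.compile(r"\bAssertionConsumerServiceURL\s*=", re.IGNORECASE)
NSC_TASS_MAX = 512  # assumed cut-off for a "normal" NSC_TASS value length


def _inflate(raw: bytes) -> bytes | None:
    try:
        return zlib.decompress(raw, -15)  # raw DEFLATE, as used by the SAML HTTP-Redirect binding
    except zlib.error:
        return None


def decode_saml_request(value: str) -> str | None:
    """Return the AuthnRequest XML: redirect binding is base64(deflate), POST binding is plain base64."""
    try:
        raw = base64.b64decode(value)
    except ValueError:
        return None
    for candidate in (_inflate(raw), raw):
        if candidate is not None and candidate.lstrip().startswith(b"<"):
            return candidate.decode("utf-8", "replace")
    return None


def classify_request(method: str, target: str, body: str = "") -> list[str]:
    """Return ATT&CK-tagged findings for one request, matching the rows in the table above."""
    findings: list[str] = []
    parts = urlsplit(target)
    raw_params = parts.query.split("&") if parts.query else []
    if parts.path == "/saml/login":
        params = parse_qs(parts.query, keep_blank_values=True)
        if method.upper() == "POST":
            params.update(parse_qs(body, keep_blank_values=True))
        for saml in params.get("SAMLRequest", []):
            xml = decode_saml_request(saml)
            if xml is None or not ACS_RE.search(xml):
                findings.append("T1190 /saml/login SAMLRequest lacks AssertionConsumerServiceURL")
    elif parts.path == "/cgi/GetAuthMethods":
        findings.append("T1595.002 /cgi/GetAuthMethods fingerprinting")
    elif parts.path == "/wsfed/passive" and "wctx" in raw_params:  # bare 'wctx' token, no '='
        findings.append("T1190 /wsfed/passive wctx present without a value")
    return findings


def oversized_nsc_tass(set_cookie_headers: list[str]) -> bool:
    """Response-side indicator: NSC_TASS carrying a large base64 blob."""
    for header in set_cookie_headers:
        name, _, rest = header.partition("=")
        if name.strip() == "NSC_TASS":
            value = rest.split(";", 1)[0].strip()
            if len(value) > NSC_TASS_MAX and re.fullmatch(r"[A-Za-z0-9+/=]+", value):
                return True
    return False


# ---- constructed samples (not captured traffic) ----
def _redirect_binding(xml: str) -> str:
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return quote(base64.b64encode(c.compress(xml.encode()) + c.flush()).decode(), safe="")


GOOD_XML = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1" Version="2.0" '
            'AssertionConsumerServiceURL="https://sp.example.com/acs"/>')
BAD_XML = '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_2" Version="2.0"/>'

SAMPLE_REQUESTS = [
    ("GET", "/saml/login?SAMLRequest=" + _redirect_binding(GOOD_XML), ""),
    ("POST", "/saml/login", "SAMLRequest=" + quote(base64.b64encode(BAD_XML.encode()).decode(), safe="")),
    ("GET", "/cgi/GetAuthMethods", ""),
    ("GET", "/wsfed/passive?wctx", ""),
    ("GET", "/wsfed/passive?wctx=abc", ""),
]


def triage(requests=SAMPLE_REQUESTS) -> list[list[str]]:
    return [classify_request(m, t, b) for m, t, b in requests]


if __name__ == "__main__":
    for (m, t, _), found in zip(SAMPLE_REQUESTS, triage()):
        print(m, t[:40], found or "clean")
    print("oversized NSC_TASS:", oversized_nsc_tass(["NSC_TASS=" + "A" * 2048 + "; Secure; HttpOnly"]))
```

Treat the request check as the blocking rule and the NSC_TASS check as confirmation: a large NSC_TASS value in a response means the overread already happened, so any session cookies and keys on that appliance should be considered leaked regardless of what the WAF blocked afterwards.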
Status Updates
- TeamPCP (Trivy/litellm/Telnyx): SIGNIFICANT ESCALATION. TeamPCP launched the Vect ransomware mass affiliate program via BreachForums (~300K users received affiliate keys). First confirmed Vect deployment using TeamPCP-sourced credentials. Hunt for `models.litellm[.]cloud`, `~/.config/sysmon/sysmon.py`, unexpected `.pth` files in `site-packages/`, and `node-setup-*` K8s pods. March 29 brief. SANS ISC Update.
- CVE-2025-53521 (F5 BIG-IP APM): Federal CISA KEV deadline passed March 30. UNC5221 BRICKSTORM exploitation ongoing. Patch to 17.1.0.4/16.1.4.3/15.1.10.2 immediately. March 28 brief.
- CVE-2026-4681 (PTC Windchill): Still no patch. CVSS 10.0 pre-auth Java deserialization RCE. Apply servlet path deny rules. Monitor for `GW.class`, `payload.bin` and `dpr_*.jsp`. March 27 brief.
- CVE-2026-20131 (Cisco FMC): Interlock ransomware exploitation ongoing. Public PoC available. No new artifacts. March 19 brief.
- CVE-2026-33017 (Langflow): Exploitation ongoing. CISA KEV deadline April 8. No new IOCs. March 21 brief.
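On the TeamPCP item's ".pth files in site-packages" hunt: a .pth file is not just a path list. Python's site.py executes any line in a .pth file that begins with "import " (or "import<tab>") every time the interpreter starts, which is what makes an unexpected .pth a persistence artifact. The auditor below is an added example for this brief, not SANS ISC or vendor code; it lists every executable line in the .pth files of a directory and rates it against a keyword heuristic. The keyword list and the sample .pth contents it writes to a temporary directory are constructed assumptions; a clean result from the heuristic does not prove a .pth is benign, so review every import line it reports.

```python
"""Audit .pth files for executable 'import' lines (Python persistence hunt).

Added example for this brief, not SANS ISC or vendor code. Fact relied on:
site.py exec()s each .pth line that starts with "import " or "import\t".
Assumed: the SUSPICIOUS keyword list is a heuristic and the sample .pth
contents below are constructed.
"""
from __future__ import annotations

import re
import site
import tempfile
from pathlib import Path

IMPORT_LINE = re.compile(r"^import[ \t]")
SUSPICIOUS = re.compile(r"exec\(|eval\(|base64|subprocess|socket|urllib|marshal|__import__", re.IGNORECASE)


def audit_pth_dir(directory: str | Path) -> list[dict]:
    """Return one record per executable .pth line found in `directory`."""
    findings: list[dict] = []
    for pth in sorted(Path(directory).glob("*.pth")):
        for lineno, line in enumerate(pth.read_text(errors="replace").splitlines(), 1):
            if IMPORT_LINE.match(line):
                findings.append({
                    "file": pth.name,
                    "line": lineno,
                    "code": line.strip(),
                    "suspicious": bool(SUSPICIOUS.search(line)),
                })
    return findings


def audit_site_packages() -> list[dict]:
    """Run the audit over every site-packages directory the running interpreter uses."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    dirs.append(site.getusersitepackages())
    findings: list[dict] = []
    for d in dirs:
        if Path(d).is_dir():
            findings.extend(audit_pth_dir(d))
    return findings


# ---- constructed sample .pth contents (never executed by this script) ----
SAMPLE_PTH = {
    "vendor-path.pth": "/opt/vendor/lib\n",                                # plain path entry: not executed
    "tooling.pth": "import sys; sys.path.insert(0, '/opt/tooling')\n",    # executed, benign-looking
    "zz-sysmon.pth": "import base64, builtins; exec(base64.b64decode('cHJpbnQoJ2hpJyk='))\n",
}


def demo() -> list[dict]:
    """Write the samples to a temp dir and audit it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in SAMPLE_PTH.items():
            Path(tmp, name).write_text(content)
        return audit_pth_dir(tmp)


if __name__ == "__main__":
    for f in demo():
        print("SAMPLE", "SUSPICIOUS" if f["suspicious"] else "review", f["file"], f["line"], f["code"])
    for f in audit_site_packages():
        print("LIVE", "SUSPICIOUS" if f["suspicious"] else "review", f["file"], f["line"], f["code"])
```

Run it from the same interpreter the suspected environment uses (the venv, the CI image, the pod), because site.getsitepackages() reflects that interpreter's paths; a .pth planted in a different Python installation will not show up.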