ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits & 20 More Stories
ThreatsDay Bulletin: From PQC Fast-Tracking to Stealthy AI Vulnerability Hunting
TL;DR: This week’s cybersecurity landscape is defined by "sneaky" evolution rather than loud explosions. Key updates include Google’s accelerated 2029 Post-Quantum Cryptography (PQC) timeline, GitHub’s new AI-powered vulnerability detection, and a rapid recovery of the Tycoon2FA phishing service following a major law enforcement takedown.
Google Fast-Tracks the Post-Quantum Era
Google has officially set a 2029 deadline to migrate its infrastructure to Post-Quantum Cryptography (PQC). The move is a proactive response to the "store-now-decrypt-later" threat, where attackers harvest encrypted data today to decrypt it once quantum computers become powerful enough.
As part of this shift, Android 17 will integrate PQC digital signature protection using the Module-Lattice-Based Digital Signature Algorithm (ML-DSA). This upgrade targets the Android Verified Boot (AVB) and the Android Keystore to ensure mobile environments remain resistant to future quantum-enabled tampering.
AI and Automation: The New Front Line
The arms race in automated security is heating up on both sides:
- GitHub’s AI Detection: GitHub is introducing AI-powered security detections to complement CodeQL. Launching in public preview in early Q2 2026, this hybrid model aims to find vulnerabilities in complex code patterns that traditional static analysis often misses.
- AI-Generated Malware: Security researchers at AhnLab discovered a new scanner/brute-force tool dubbed ICE Cloud Client, used by the Larva-26002 threat actor. Evidence suggests the author utilized generative AI to craft the malware’s code and strings.
The Persistence of Phishing-as-a-Service
In a sobering reminder of cybercriminal resilience, the Tycoon2FA phishing service has bounced back almost immediately after a high-profile international takedown.
- The Takedown: In early March, Europol and Microsoft seized over 330 domains.
- The Recovery: Within 48 hours, activity returned to nearly 100% of pre-disruption levels. CrowdStrike notes that without physical arrests, infrastructure-only takedowns are often just a temporary "dent" for modern PhaaS operations.
High-Value Targets and State-Sponsored "Cracks"
The Russian-linked actor Sandworm (APT-C-13) is currently targeting Ukrainian users with a classic but effective ploy: pirated software. Using Telegram to distribute "cracked" versions of Microsoft Office 2025, the group is deploying a suite of backdoors (Tambur, Sumbur, Kalambur, and DemiMur). Notably, the DemiMur module forces a forged root certificate into the OS, effectively "tricking" Windows into trusting subsequent malicious scripts.
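A defender-side check that goes with the DemiMur detail above: an added PowerShell example (not from the bulletin or from any vendor report) that baselines the Windows trusted root stores and flags any root certificate that appears later. The baseline path and the script name are assumptions.

```powershell
# Added example: detect root-store drift on a Windows host.
# Assumption: $BaselinePath is a location only administrators can write; the first run creates it.
param(
    [string]$BaselinePath = "$env:ProgramData\root-store-baseline.json"
)

# Snapshot both the machine-wide and the per-user trusted root stores; malware that cannot
# get admin rights often settles for the CurrentUser store, which most software still honours.
$current = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Select-Object Thumbprint, Subject, Issuer, NotBefore, NotAfter,
                  @{ Name = 'Store'; Expression = { $_.PSParentPath } }

if (-not (Test-Path -Path $BaselinePath)) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Output "Baseline written with $($current.Count) root entries to $BaselinePath"
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$known = @{}
foreach ($entry in $baseline) { $known[$entry.Thumbprint] = $true }

# Anything present now but absent from the baseline is a candidate rogue root.
$added = $current | Where-Object { -not $known.ContainsKey($_.Thumbprint) }

if (-not $added) {
    Write-Output "No new root certificates since baseline."
    return
}

foreach ($cert in $added) {
    # Subject == Issuer is normal for a root, so self-signing alone is not the signal.
    # Escalate any entry that is not in the Microsoft Trusted Root Program list and
    # that was not deployed by your own PKI; check what scripts or binaries chain to it.
    [pscustomobject]@{
        Store      = $cert.Store
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
    }
}
```

Run it once from a known-clean state to write the baseline, then schedule it; a non-empty result is the input to an incident ticket, not proof of compromise on its own.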
Mobile and Firmware Threats
- Keenadu Backdoor: Found on over 500 unique Android devices across 40 countries, this firmware infection embeds itself in the libandroid_runtime.so library. By hijacking the Zygote process, the parent of all Android apps, attackers gain total device control.
- Oblivion RAT: A new Malware-as-a-Service (MaaS) platform for Android is being sold for up to $2,200 for a "lifetime" license. It uses high-fidelity clones of the Google Play update screen to trick users into granting Accessibility Services permissions.
- Cloud Phone Fraud: Fraudsters are increasingly using "cloud phones" (virtual Android instances) to host pre-verified bank accounts and e-wallets, which are then sold on the darknet for use in financial scams.
Supply Chain and "Stealthy" Leaks
- Polyfill & North Korea: New research has linked the 2024 Polyfill[.]io supply chain attack to North Korean operatives. The link was discovered after an operative accidentally infected their own machine with Lumma Stealer while searching for GTA V cheats, exposing credentials for the Polyfill Cloudflare tenant.
- Malicious npm Packages: Five packages (including ethersproject-wallet) were found typosquatting legitimate crypto libraries to exfiltrate private keys via Telegram bots.
Regulatory and Legal Updates
- Hong Kong: New National Security rules now empower police to demand phone and computer passwords. Refusal can result in a year of jail time.
- CCTV Crackdown in India: Following the exposure of a Pakistan-linked spy ring, India has ordered a comprehensive audit of its surveillance infrastructure to prevent unauthorized remote access for espionage.
Conclusion
This week serves as a reminder that the most dangerous threats are often the ones that blend into the background. Whether it is a "pixel-perfect" Google Form, a compromised CCTV feed, or a "trusted" pirated ISO, attackers are successfully leveraging built-in trust to bypass sophisticated defenses. As disruptions like the Tycoon2FA takedown show, the industry must move beyond infrastructure Whac-A-Mole toward more systemic, identity-based security.
Source: https://thehackernews.com/2026/03/threatsday-bulletin-pqc-push-ai-vuln.html