ThreatsDay Bulletin is back on ZeroOwl, and this week feels like the same old thing. Nothing loud, and nothing that breaks everything at once.

A lot of little things that shouldn't work anymore but do. At first, some of it looks simple, even sloppy, but then you see how well it lands. Some parts feel a little too practical, like they're already closer to being used in the real world than anyone wants to admit. "The cursor:// protocol handler could be misused through social engineering in certain setups," the company said.

"A single click followed by the user agreeing to an install prompt could lead to the execution of any command.

You could use the command parameter to run code on your own computer or the URL parameter to set up a malicious remote MCP server." The business security company has also put a proof-of-concept (PoC) exploit on GitHub. A new campaign is actively going after known vulnerabilities in Citrix NetScaler, such as CVE-2025-5777 and CVE-2023-4966. Defused Cyber says that on March 16, 2026, there were more than 500 attempts to exploit its honeypot system.

"This is not unusual in APT operations: in-country targeting can be used to complicate attribution (e.g., by creating noisy 'domestic' victimology) or to reach foreign diplomats/missions operating inside India—a pattern explicitly noted in reporting on SideWinder’s broader geographic targeting and diplomatic victim set," ITSEC Asia said.

The most recent campaigns show that the threat actor has moved its operations from South Asia to Africa, Europe, the Middle East, and Southeast Asia. WhatsApp has started testing the ability to set an alphanumeric password for your account. It should have at least one letter and one number and be between six and twenty characters long.

Adding a password with letters and numbers is probably an attempt to make it harder for brute-force attacks to work. A phishing URL has been found to be part of a previously unknown attack chain that sends a ZIP file containing a C++ trojan downloader. This downloader then starts a loader that decrypts and sets up the Rhadamanthys stealer and XMRig cryptocurrency miner.

Cyderes said, "The campaign's main evasion relies on .NET Native Ahead-of-Time (AOT) compiled binaries, which strip traditional .NET metadata, frustrate common .NET analysis tools, and force analysts to fall back on native-level tooling, making detection and reverse engineering significantly harder."

"Advanced anti-analysis features: The AOT loader uses a sandbox scoring system to check RAM size, system uptime, user file counts, and the presence of AV processes. It also detects virtual machines by looking at the registry and stops miner activity when monitoring tools like Task Manager, Process Hacker, or x64dbg are found."

GitGuardian's State of Secrets Sprawl report says that 28,649,024 new secrets were added to public GitHub commits in 2025. That's a 34% increase from the year before.

The report also shows that the number of leaked secrets has grown by 152% since 2021. In 2025, the number of AI service secrets grew by 81% from the year before, reaching 1,275,105.