The threat landscape for March 7-8, 2026 reveals a concerning convergence of advanced attack techniques and critical vulnerabilities. Notably, ransomware operators are now leveraging social engineering through ClickFix techniques to deploy sophisticated malware chains, while Microsoft reports widespread AI abuse across all attack stages. The vulnerability landscape is dominated by critical remote code execution flaws in popular frameworks, with CVEs affecting the WeKnora, Soft Serve, and ZITADEL platforms, the WeKnora flaws scoring 9.9 on CVSS. These vulnerabilities enable unauthenticated attackers to execute arbitrary code, bypass authentication, and compromise multi-tenant environments.
Malware distribution infrastructure remains highly active, with 50 malicious URLs identified distributing IoT botnets (Mozi, Mirai variants) and information stealers (ACRStealer, AsyncRAT). The Mozi botnet continues targeting MIPS and ARM architectures through vulnerable IoT devices, while ClearFake campaigns deploy ACRStealer via sophisticated domain infrastructure. Additionally, multiple WordPress plugins exhibit critical vulnerabilities including authentication bypass, arbitrary file deletion, and SQL injection, creating widespread exposure across the web application ecosystem.
Organizations should prioritize patching the critical vulnerabilities in WeKnora (CVE-2026-30861, CVE-2026-30860) and ZITADEL (CVE-2026-29191), implement enhanced monitoring for ClickFix social engineering techniques, and review WordPress plugin security postures. The convergence of AI-enhanced attacks with traditional exploitation methods signals an evolution in threat actor capabilities that requires updated detection and response strategies.
Ransomware groups and state-sponsored actors are adopting AI-enhanced techniques and sophisticated social engineering methods.
Ransomware operator Velvet Tempest is using ClickFix social engineering techniques combined with legitimate Windows utilities to deploy DonutLoader malware and CastleRAT backdoor, ultimately leading to Termite ransomware deployment. This multi-stage attack chain demonstrates increasing sophistication in initial access vectors.
Microsoft reports that threat actors are increasingly integrating artificial intelligence into every stage of cyberattacks, from reconnaissance to payload delivery. AI is being used to accelerate attack timelines, scale malicious operations, and lower technical barriers for less sophisticated attackers, representing a fundamental shift in the threat landscape.
Multiple critical remote code execution and authentication bypass vulnerabilities have been discovered across enterprise frameworks and content management systems.
Critical unauthenticated RCE vulnerability in WeKnora MCP stdio configuration validation (versions 0.2.5-0.2.10). Unrestricted user registration combined with command injection allows any attacker to bypass whitelists and execute arbitrary commands. CVSS 9.9.
Critical RCE vulnerability in WeKnora database query functionality (pre-0.2.12). Validation failure in PostgreSQL array and row expressions enables SQL injection bypass, allowing attackers to smuggle dangerous functions and achieve code execution. CVSS 9.9.
Critical SSRF vulnerability in Soft Serve (0.6.0 to 0.11.4) allows authenticated SSH users to force HTTP requests to internal networks via crafted LFS endpoints. Can be chained with a fake LFS server to achieve full read access to internal services. CVSS 9.1.
Critical XSS vulnerability in ZITADEL login V2 interface (4.0.0 to 4.11.1) via /saml-post endpoint enables account takeover. Allows arbitrary JavaScript execution in authentication context. CVSS 9.3.
Authorization bypass in WeKnora tenant management (pre-0.3.2) allows any authenticated user to access, modify, or delete any tenant by ID. Combined with open registration, enables cross-tenant account takeover. CVSS 8.8.
Three stack-based buffer overflow vulnerabilities in Tenda FH451 router firmware 1.0.0.9 affecting formQuickIndex, AdvSetWan, and setcfm functions. All remotely exploitable with public exploits available. CVSS 8.8 each.
Multiple high-severity vulnerabilities discovered in WordPress plugins including stored XSS (WP App Bar), arbitrary file deletion leading to RCE (Meta Box), privilege escalation (Paid Videochat), PHP code injection (Easy PHP Settings), and SQL injection (ZIP Code Protection). CVSS scores ranging from 7.2 to 8.8.
Active malware distribution campaigns are targeting IoT devices and Windows systems with botnets, RATs, and information stealers.
Extensive Mozi botnet distribution targeting MIPS and ARM architectures through 15+ active C2 servers. Malware is delivered via shell scripts to vulnerable IoT devices including routers and network appliances. Targets include devices from multiple Chinese ISPs.
Sophisticated phishing infrastructure using domains parishwhale.in.net, clingway.in.net, and sunvalley.in.net to distribute the ACRStealer information stealer via fake Google verification pages. Multiple active subdomains indicate organized campaign infrastructure.
AsyncRAT remote access trojan hosted on compromised Turkish website fertas.com.tr. The RAT provides full remote control capabilities including keylogging, screen capture, and credential theft.
Multiple Mirai botnet variants distributed via compromised infrastructure targeting ARM, MIPS, x86, and other architectures. Includes geofenced payloads specifically targeting USA systems. Distribution via shell scripts and wget user-agents.
Emerging attack techniques leverage social engineering, abuse of legitimate tools, and authentication bypasses.
Velvet Tempest ransomware operators are utilizing the ClickFix technique to trick users into executing malicious payloads. This technique abuses user trust in troubleshooting prompts and system dialogs to achieve initial execution, followed by deployment of DonutLoader and CastleRAT.
Novel technique discovered in WeKnora exploiting PostgreSQL array and row expressions to bypass SQL injection filters. Attackers craft nested expressions that validators fail to recursively inspect, smuggling dangerous functions into queries.
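The validation gap behind the WeKnora SQL injection bypass described here and in the vulnerability entry above is a validator that only checks the outermost function name. The following is an added illustration, not WeKnora's code: a naive validator beside one that inspects every call site at any nesting depth. The allowlist and the sample expressions are constructed for the example.

```python
import re

# Constructed allowlist of functions the query builder is meant to expose.
ALLOWED_FUNCTIONS = {"count", "sum", "avg", "min", "max", "lower", "upper", "coalesce"}
# ROW(...) and ARRAY[...] are constructor syntax, not callable functions.
CONSTRUCTORS = {"row", "array"}
# A (possibly schema-qualified) identifier directly followed by "(": a call site.
CALL_SITE = re.compile(r"\b([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)?)\s*\(")


def naive_validate(expr: str) -> bool:
    """Non-recursive validator of the kind the advisory describes: it only
    looks at the outermost call name. Anything nested inside ARRAY[...] or
    ROW(...) is accepted unseen, which is exactly the gap being exploited."""
    m = CALL_SITE.match(expr.strip())
    if m is None:                 # e.g. ARRAY[...] has no outer call at all
        return True
    name = m.group(1).lower()
    return name in CONSTRUCTORS or name in ALLOWED_FUNCTIONS


def strict_validate(expr: str) -> bool:
    """Inspects every call site at any nesting depth and fails closed.
    Works on the raw text, so a call-like pattern inside a string literal is
    also rejected; for an allowlist that false positive is acceptable."""
    for m in CALL_SITE.finditer(expr):
        name = m.group(1).lower()
        if name in CONSTRUCTORS:
            continue
        if name not in ALLOWED_FUNCTIONS:
            return False
    return True


# Constructed inputs with the result strict_validate should give: one
# legitimate expression and two that hide an unlisted function in a constructor.
SAMPLES = {
    "coalesce(sum(amount), 0)": True,
    "ARRAY[unlisted_fn(1)]": False,
    "ROW(count(*), unlisted_fn(1))": False,
}
```

The naive validator accepts both constructor-wrapped samples because it never looks past the outer token; the strict one rejects them.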
ZITADEL vulnerability demonstrates password reset poisoning via Forwarded/X-Forwarded-Host header manipulation. Attackers can redirect password reset links to attacker-controlled domains, capturing reset tokens.
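Password reset poisoning of the kind described here works because the link host is read from request headers a client can set. The following is an added example, not ZITADEL's code: the header-trusting pattern beside a hardened version that pins the origin from configuration, plus a detection helper that flags requests naming a foreign host in Host, X-Forwarded-Host or RFC 7239 Forwarded. The origin, path and sample request are constructed.

```python
from urllib.parse import urlencode, urlunsplit

# Constructed configuration for this example: the service's single public origin.
CANONICAL_SCHEME = "https"
CANONICAL_HOST = "login.example.com"
RESET_PATH = "/password/reset"          # constructed path, not a real product route

# Constructed sample of a poisoned reset request (not a captured request).
POISONED_REQUEST = {
    "Host": "login.example.com",
    "X-Forwarded-Host": "reset-capture.invalid",
    "Forwarded": 'for=203.0.113.9;host="reset-capture.invalid";proto=https',
}


def _forwarded_hosts(headers: dict) -> set:
    """Every host the request claims via Host, X-Forwarded-Host, or the
    RFC 7239 Forwarded header. Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    hosts = set()
    for name in ("host", "x-forwarded-host"):
        for part in (h.get(name) or "").split(","):
            if part.strip():
                hosts.add(part.strip().lower())
    for element in (h.get("forwarded") or "").split(","):
        for pair in element.split(";"):
            key, _, value = pair.strip().partition("=")
            if key.lower() == "host" and value:
                hosts.add(value.strip().strip('"').lower())
    return hosts


def reset_link_trusting_headers(headers: dict, token: str) -> str:
    """The weak pattern: the link's host is taken from client-controllable
    forwarding headers, so a poisoned request yields a link to that host."""
    h = {k.lower(): v for k, v in headers.items()}
    host = h.get("x-forwarded-host") or h.get("host")
    return urlunsplit(("https", host, RESET_PATH, urlencode({"token": token}), ""))


def reset_link_pinned(token: str) -> str:
    """Hardened form: origin fixed by configuration; no request header is read,
    so header manipulation cannot move where the reset link points."""
    query = urlencode({"token": token})
    return urlunsplit((CANONICAL_SCHEME, CANONICAL_HOST, RESET_PATH, query, ""))


def foreign_forwarded_hosts(headers: dict) -> set:
    """Detection aid: hosts named by the request other than the canonical one.
    A non-empty result on a password-reset request is worth alerting on."""
    return {host for host in _forwarded_hosts(headers) if host != CANONICAL_HOST}
```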
Meta Box plugin vulnerability allows authenticated attackers to delete arbitrary files including wp-config.php, creating a pathway to remote code execution through subsequent file upload or configuration manipulation.