Month: March 2026

Last week’s cyberattack on medical technology giant Stryker was limited to its internal Microsoft environment and remotely wiped tens of thousands of employee devices.

The organization says in an update on Sunday that all its medical devices are safe to use but electronic ordering systems remain offline, and customers must place orders manually through sales representatives.

Stryker emphasizes that the incident was not a ransomware attack and that the threat actor did not deploy any malware on its systems.

Last week, Stryker was the target of a cyberattack claimed by the Handala hacktivist group, believed to be linked to Iran.

The attacker alleged that they wiped “over 200,000 systems, servers, and mobile devices” and stole 50 terabytes of data. However, investigators did not find any indication that data was exfiltrated.

Following the disruption, Stryker employees in multiple countries started to complain that their managed devices had been remotely wiped overnight.

Some employees had their personal devices enrolled in the company network and lost personal data during the wiping process.

Hackers had Global Admin privileges

A source familiar with the attack told BleepingComputer that the threat actor used the wipe command in Intune, Microsoft’s cloud-based endpoint management service, to erase data from nearly 80,000 devices between 5:00 and 8:00 a.m. UTC on March 11.

The attacker carried out the action after compromising an administrator account and creating a new Global Administrator account.

The investigation is being conducted by the Microsoft Detection and Response Team (DART) in collaboration with cybersecurity experts from Palo Alto Unit 42.

Stryker’s update highlights that the attack did not impact any of its products, connected or otherwise, and was limited exclusively to the internal Microsoft corporate environment.

“All Stryker products across our global portfolio, including connected, digital, and life-saving technologies, remain safe to use,” the company says.

Restoration efforts are currently underway, the main focus being on resuming shipping and transactional services. Customers are encouraged to maintain normal communication with company personnel while the infrastructure is steadily recovered.

Any order placed before the cyberattack will be honored as systems are restored, while those placed during the disruption will be processed when systems are back online, and the supply flow resumes to normal.

The company is working with its global manufacturing sites to deal with potential operational impact.

Stryker’s current priority is to restore the supply-chain system and resume customer orders and shipping. “Our core transactional systems are already on a clear path to full recovery,” the company says.

The AppsFlyer Web SDK was temporarily hijacked this week with malicious code used to steal cryptocurrency in a supply-chain attack.

The payload can intercept cryptocurrency wallet addresses entered on websites and replace them with attacker-controlled addresses to divert funds to the threat actor.

Since the AppsFlyer SDK is used by thousands of applications for marketing analytics (user engagement and retention), the impact extends to a significant number of end users.

According to AppsFlyer, its SDK platform is used by 15,000 businesses worldwide for over 100,000 mobile and web applications. It is one of the leading “mobile measurement partner” (MMP) SDKs used to track marketing campaign attribution and in-app events.

The suspected compromise was discovered by Profero researchers, who confirmed the presence of obfuscated attacker-controlled JavaScript being delivered to users visiting websites and applications that loaded the AppsFlyer SDK.

AppsFlyer has not confirmed any incidents beyond a domain availability issue published on its status page on March 10, 2026.

On March 9, Profero discovered a malicious payload served by the SDK from its official domain, at ‘websdk.appsflyer.com,’ which was also reported by multiple users.

“While the full scope, duration, and root cause of the incident remain unverified, the activity highlights how threat actors can abuse trust in widely deployed third-party SDKs to impact downstream websites, applications, and end users,” Profero explains.

The injected JavaScript was designed to preserve normal SDK functionality, but in the background, it loads and decodes obfuscated strings at runtime and hooks into browser network requests.

The malware monitors pages for cryptocurrency wallet input activity. When it detects a wallet address, it replaces it with the attacker’s wallet while exfiltrating the original wallet address and associated metadata.

The targeted addresses include Bitcoin, Ethereum, Solana, Ripple, and TRON, covering a large swath of mainstream cryptocurrency transactions.

The researchers suggest that the exposure window is likely between March 9, 22:45 UTC, and March 11. It is unclear if the compromise impacted SDK users beyond that point.

BleepingComputer has contacted AppsFlyer with questions on Profero’s findings, and a spokesperson confirmed via a statement that unauthorized code was delivered through the AppsFlyer SDK:

“AppsFlyer detected and contained a domain registrar incident on March 10 that temporarily exposed the AppsFlyer Web SDK running on a segment of customer websites to unauthorized code.

“The mobile SDK was not affected, and our investigation to date has not identified evidence that customer data on AppsFlyer systems was accessed. We take this incident very seriously and have been actively communicating with customers,” AppsFlyer told BleepingComputer.

The vendor said that the issue has been resolved and that AppsFlyer customers received direct communication and updates about the incident.”

“The mobile SDK has remained safe to use throughout the process, and the web SDK is safe to use.” – AppsFlyer spokesperson

The company said that the investigation is ongoing and it is working with external forensic experts. More information will be shared after completing the investigation.

Given the uncertainty about exactly what happened and the scope of the incident, organizations deploying the SDK should review telemetry logs for suspicious API requests from websdk.appsflyer.com, downgrade to known-good versions of the SDK, and investigate potential compromise.

AppsFlyer was implicated in a cybersecurity incident again earlier this year, when the notorious threat group ShinyHunters claimed that it leveraged the SDK to achieve a supply chain breach at Match Group, stealing over 10 million records of Hinge, Match.com, and OkCupid users.

The FBI is asking gamers who installed Steam titles containing malware to provide information as part of an ongoing investigation into eight malicious games uploaded to the gaming platform.

In a notice published today by the FBI’s Seattle Division, the agency said it is attempting to identify individuals who were affected after installing one of the malicious games on Steam between May 2024 and January 2026.

“The FBI’s Seattle Division is seeking to identify potential victims installing Steam games embedded with malware. The FBI believes the threat actor primarily targeted users between the timeframe of May 2024 and January 2026,” reads the notice.

“In the investigation, several games have been identified to include, BlockBlasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, and Tokenova.”

“If you and/or your minor dependent(s) were victimized from installing one of these games or have information relevant to this investigation, please fill out this short form.”

The questionnaire indicates that the FBI is focused on cryptocurrency theft and account hijacks after the installation of the malware, asking questions about cryptocurrency transactions, compromised accounts, and stolen funds.

The form also asks for any screenshots of communications with individuals who promoted the games, which could help investigators track the stolen cryptocurrency and trace it to those who distributed the malware.

“The FBI is legally mandated to identify victims of federal crimes it investigates. Victims may be eligible for certain services, restitution, and rights under federal and/or state law. All identities of victims will be kept confidential,” the FBI told BleepingComputer.

The FBI is also asking anyone who knows someone who may have been affected to encourage them to submit an inquiry to [email protected]. 

BleepingComputer also sent questions to Valve about the investigation, but did not receive a reply to our email.

Malware hidden in Steam games

Multiple malicious games discovered on Steam over the past two years have distributed information-stealing malware designed to harvest credentials, cryptocurrency wallets, and other sensitive data from players’ devices.

One of the most notable cases involved BlockBlasters, a free-to-play 2D platformer available on Steam from July to September 2024. While initially uploaded to Steam as a clean program, cryptodrainer malware was later added to the game.

News that the Steam game was malicious was revealed during a livestream by video game streamer Raivo Plavnieks (RastalandTV), who was raising money for cancer treatment.

After downloading the verified Steam game, the streamer reported losing more than $32,000 from his cryptocurrency wallet.

Blockchain investigator ZachXBT later estimated that attackers stole roughly $150,000 from 261 Steam accounts. Cybersecurity researcher VX-Underground later reported a higher count of 478 victims.

In the malicious Chemia survival crafting game, a threat actor known as EncryptHub added the HijackLoader malware, which downloaded the Vidar information stealer. It was later discovered that the game also installed EncryptHub’s custom Fickle Stealer malware, which steals credentials, browser data, cookies, and cryptocurrency wallets.

The PirateFi game also distributed the Vidar infostealer and was available on Steam for about a week in February 2025. Up to 1,500 users may have downloaded the game before it was removed from Steam.

Steam later warned players who launched the game that malicious files may have been executed on their computers and advised them to run antivirus scans, review installed software, and consider reinstalling their operating system.

A suspected China-based cyber espionage operation has targeted Southeast Asian military organizations as part of a state-sponsored campaign that dates back to at least 2020.

Palo Alto Networks Unit 42 is tracking the threat activity under the moniker , where CL refers to cluster, and STA stands for state-backed motivation.

“The activity demonstrated strategic operational patience and a focus on highly targeted intelligence collection, rather than bulk data theft,” security researchers Lior Rochberger and Yoav Zemah said. “The attackers behind this cluster actively searched for and collected highly specific files concerning military capabilities, organizational structures, and collaborative efforts with Western armed forces.”

The campaign exhibits hallmarks commonly associated with advanced persistent threat (APT) operations, including carefully crafted delivery methods, defense evasion strategies, highly stable operational infrastructure, and custom payload deployment designed to support sustained unauthorized access to compromised systems.

The tools used by the threat actor in the malicious activity include backdoors named AppleChris and MemFun, and a credential harvester called Getpass.

The cybersecurity vendor said it detected the intrusion set after identifying suspicious PowerShell execution, allowing the script to enter into a sleep state for six hours and then create reverse shells to a threat actor-controlled command-and-control (C2) server. The exact initial access vector used in the attack remains unknown.

The infection sequence involves the deployment of AppleChris, different versions of which are dropped across target endpoints following lateral movement to maintain persistence and evade signature-based detection. The threat actors have also been observed conducting searches related to official meeting records, joint military activities, and detailed assessments of operational capabilities.

“The attackers showed particular interest in files related to military organizational structures and strategy, including command, control, communications, computers, and intelligence (C4I) systems,” the researchers noted.

Both AppleChris variants and MemFun are designed to access a shared Pastebin account, which acts as a dead drop resolver to fetch the actual C2 address stored in Base64-decoded format. One version of AppleChris also relies on Dropbox to extract the C2 information, with the Pastebin-based approach used as a fallback option. The Pastebin pastes date back to September 2020.

Launched via DLL hijacking, AppleChris initiates contact with the C2 server to receive commands that allow it to conduct drive enumeration, directory listing, file upload/download/deletion, process enumeration, remote shell execution, and silent process creation.

The second tunneler variant represents an evolution of its predecessor, using just Pastebin to get the C2 address, in addition to introducing advanced network proxy capabilities.

“To bypass automated security systems, some of the malware variants employ sandbox evasion tactics at runtime,” Unit 42 said. “These variants trigger delayed execution through sleep timers of 30 seconds (EXE) and 120 seconds (DLL), effectively outlasting the typical monitoring windows of automated sandboxes.”

MemFun is launched by means of a multi-stage chain: an initial loader injects shellcode responsible for launching an in-memory downloader, whose main purpose is to retrieve C2 configuration details from Pastebin, communicate with the C2 server, and obtain a DLL that, in turn, triggers the execution of the backdoor.

Since the DLL is fetched from the C2 at runtime, it gives threat actors the ability to easily deliver other payloads without having to change anything. This behavior transforms MemFun into a modular malware platform as opposed to a static backdoor like AppleChris.

The execution of MemFun begins with a dropper that runs anti-forensic checks before altering its own file creation timestamp to match the creation time of the Windows System directory. Subsequently, it injects the main payload into the memory of a suspended process associated with “dllhost.exe” using a technique referred to as process hollowing.

In doing so, the malware runs under the guise of a legitimate Windows process to fly under the radar and avoid leaving additional artifacts on disk.

Also put to use in the attacks is a custom version of Mimikatz known as Getpass that escalates privileges and attempts to extract plaintext passwords, NTLM hashes and authentication data directly from the “lsass.exe” process memory.

“The threat actor behind the cluster demonstrated operational patience and security awareness,” Unit 42 concluded. “They maintained dormant access for months while focusing on precision intelligence collection and implementing robust operational security measures to ensure campaign longevity.”

A threat actor tracked as Storm-2561 is distributing fake enterprise VPN clients from Ivanti, Cisco, and Fortinet to steal VPN credentials from unsuspecting users.

The attackers manipulate search results (SEO poisoning) for common queries like “Pulse VPN download” or “Pulse Secure client” to redirect victims to spoofed VPN vendor sites that closely mimic VPN solutions from legitimate software vendors.

After examining the attack and command-and-control (C2) infrastructure, Microsoft researchers discovered that the same campaign used domains related to Sophos, Sonicwall, Ivanti, Check Point, Cisco, WatchGuard, and others, targeting users of multiple enterprise VPN products.

In the observed attack, Microsoft found that the fake sites link to a GitHub repository (now taken down) that hosts a ZIP archive containing a fake VPN MSI installer.

When executed, this file installs ‘Pulse.exe’ into %CommonFiles%\Pulse Secure, and drops a loader (dwmapi.dll) and a variant of the Hyrax infostealer (inspector.dll).

The fake VPN client displays a legitimate-looking login interface that invites victims to enter their credentials, which are captured and exfiltrated to the attacker’s infrastructure.

The malware, which is digitally signed with a legitimate, but now revoked, certificate from Taiyuan Lihua Near Information Technology Co., Ltd., also steals VPN configuration data stored in the ‘connectionsstore.dat’ file from the legitimate program’s directory.

To reduce suspicion, the fake VPN client displays an installation error after stealing the credentials, and redirects them to the real vendor’s site to download the legitimate VPN client.

“If users successfully install and use legitimate VPN software afterward, and the VPN connection works as expected, there are no indications of compromise to the end users […], [who] are likely to attribute the initial installation failure to technical issues, not malware,” explains Microsoft.

Meanwhile, in the background, the infostealer malware creates persistence for Pulse.exe via the Windows RunOnce registry key, ensuring the infection survives system reboots.

The researchers recommend that system administrators enable cloud-delivered protection in Defender, run EDR in block mode, enforce multi-factor authentication, and use SmartScreen-enabled browsers.

Microsoft has also provided indicators of compromise (IoCs) and hunting guidance to help detect and block this campaign early.