Threat Briefing: March 27, 2026

Threat Intel Update

Recent incidents highlight a converging threat landscape of social engineering, stealthy malware, and nation-state activity.

Phishing campaigns are growing more targeted: attackers impersonate trusted brands such as Palo Alto Networks and use LinkedIn data to deceive senior professionals. Malvertising tied to U.S. tax searches is delivering malware that disables endpoint defenses via bring-your-own-vulnerable-driver (BYOVD) techniques.

Nation-state threats are escalating, with Iranian actors confirmed at Stryker and Chinese groups found embedded in global telecom infrastructure using kernel-level implants for long-term espionage.

Voice phishing (vishing) is rapidly displacing email attacks, bypassing technical controls by exploiting real-time human trust.

Cybersecurity News

  • Fake Palo Alto Networks Recruiters Target Senior Professionals – Cybercriminals have been impersonating Palo Alto Networks recruiters since August 2025, using scraped LinkedIn data to craft personalized job phishing emails. Victims are pressured into paying $400–$800 for fake resume services. Report suspicious outreach and never pay fees during a legitimate recruitment process. Dark Reading
  • Malvertising Campaign Uses Tax Searches to Deploy Endpoint-Killing Malware – A campaign active since January 2026 is using Google Ads targeting tax-related searches to deliver rogue ConnectWise installers. Once installed, a BYOVD technique disables EDR solutions, potentially as a precursor to ransomware. The attack chains readily available tools into a sophisticated, hard-to-detect threat. The Hacker News
  • Stryker Confirms Iranian-Linked Cyberattack Impacted Global Operations – Stryker, a leading medical technology company, has confirmed a cyberattack by Iranian-linked group Handala, which claimed to have wiped over 200,000 devices. Investigators found attackers used a malicious file to execute commands and hide activity. No traditional malware or ransomware was deployed. The U.S. government has since tied Handala to Iran’s Ministry of Intelligence and Security. SecurityWeek
  • Chinese State Hackers Embedded Deep in Global Telecom Infrastructure – Rapid7 has uncovered a Chinese state-sponsored group using kernel implants and a sophisticated backdoor called BPFdoor to maintain persistent, long-term access inside global telecom networks. Designed to blend into legitimate traffic, these “sleeper cells” pose a significant espionage risk to critical infrastructure worldwide. SecurityWeek
  • Voice Phishing Surges Past Email as Attackers Exploit Human Trust – Mandiant’s M-Trends report found vishing accounted for 11% of all cyber incidents in 2025, surpassing traditional email phishing at just 6%. Groups like Scattered Spider are impersonating IT support over phone calls to bypass technical defenses, a reminder that human instinct remains one of the most exploitable vulnerabilities. Cyberscoop

About the Author

CampusGuard Threat Intel Team