Threat Intel Update
Attackers are using fake Zoom and Google Meet waiting-room pages to distribute stealthy monitoring tools that capture keystrokes, screenshots, and browsing activity, raising the risk of credential theft and unauthorized access to financial systems. A related supply-chain concern: a Florida operator’s large-scale trafficking of stolen Microsoft COA activation keys shows how illicit software licensing can introduce untracked devices into corporate networks.
Meanwhile, a phishing campaign targeting LastPass users aims to harvest master passwords, potentially exposing banking credentials and vault-stored secrets. On mobile, the Coruna iOS exploit kit, once the domain of nation-state actors, is now in the hands of financially motivated criminals, increasing the risk of MFA bypass and compromise of banking apps used by remote employees. Compounding these threats, the bulk sale of stolen cPanel credentials is giving attackers turnkey infrastructure for phishing and data theft, putting customer-facing web assets at growing risk.
Cybersecurity News
- Fake Zoom and Google Meet Pages Push Surveillance Software – Attackers are using phishing links disguised as meeting invitations to lure users onto fake Zoom and Google Meet waiting room pages. Victims are prompted to download a fake “update” that’s actually repurposed employee monitoring software, giving attackers silent access to keystrokes, screenshots, and browsing history. A separate variant targets Google Meet users through a fake Microsoft Store page. Hack Read
- Florida Woman Sentenced for Microsoft License Key Fraud – Heidi Richards of Florida received a 22-month federal prison sentence and a $50,000 fine for running a multi-year scheme through her business, Trinity Software Distribution. She bought genuine Windows and Office COA stickers cheaply, extracted their product keys, and sold the activation codes in bulk worldwide, generating millions of dollars between 2018 and 2023. BleepingComputer
- Phishing Campaign Targets LastPass Master Passwords – LastPass is warning users of a phishing campaign using spoofed emails that claim unauthorized account activity, pushing recipients to click links leading to a fake login page designed to steal master passwords. LastPass has shared indicators of compromise and is working with Fortra Brand Protection to take down the malicious sites. Users should verify email sources carefully before clicking any links. SecurityWeek
- iOS Exploit Kit Coruna Moves from Spies to Cybercriminals – Google’s Threat Intelligence Group has identified an iOS exploit kit called Coruna, comprising five full exploit chains and 23 total exploits, that has migrated from commercial surveillance vendors to state-sponsored actors, and now to financially motivated criminals. The kit’s evolution reflects a broader trend of sophisticated espionage tools trickling down into the wider cybercrime ecosystem. Help Net Security
- Stolen cPanel Credentials Being Sold in Bulk Underground – Threat actors are selling compromised website management panel credentials, particularly cPanel logins, across underground markets as ready-made infrastructure for phishing, malware deployment, and data theft. Analysis of over 200,000 underground posts by Flare researchers revealed a structured marketplace where attackers use legitimate credentials to plant backdoors and exfiltrate data, often bypassing traditional security controls. BleepingComputer