PHANTOMPULSE is a sophisticated RAT attributed to DPRK-aligned actors that utilizes hardware breakpoints to bypass AMSI, WLDP, and ETW. It establishes a resilient, sinkhole-able command and control channel by resolving C2 URLs from blockchain transaction inputs and employs multiple process injection and UAC bypass techniques.
Kimsuky (APT43) has updated its arsenal with new PebbleDash and AppleSeed malware variants, including the Rust-based HelloDoor and httpMalice backdoors. The group is increasingly utilizing legitimate services like VSCode Remote Tunnels, Cloudflare Quick Tunnels, and DWAgent for covert C2 and post-exploitation access, primarily targeting South Korean entities and global defense sectors.
Arctic Wolf Labs identified a highly targeted campaign by the DPRK-nexus threat actor BlueNoroff against the Web3 sector. The attackers utilize sophisticated social engineering, including AI-generated deepfakes and stolen webcam footage, to lure victims into fake Zoom or Teams meetings. Once engaged, a ClickFix clipboard injection attack deploys a fileless PowerShell C2 implant, leading to the theft of cryptocurrency wallets, browser credentials, and Telegram sessions.
On March 31, 2026, the popular Axios npm package was compromised in a supply chain attack attributed to North Korean threat actor Sapphire Sleet. Malicious versions 1.14.1 and 0.30.4 included a fake dependency that silently executed a post-install script to download and install OS-specific Remote Access Trojans (RATs) on Windows, macOS, and Linux systems.
AI Weaponization and Developer Supply Chain Attacks Redefine the Perimeter
Attackers are aggressively targeting the software development process because compromising a single developer tool can unlock thousands of corporate networks. In parallel, artificial intelligence is collapsing the cost of attacks, allowing criminals to build convincing deepfakes and automated phishing campaigns in minutes. As a result, traditional security like multi-factor authentication is increasingly bypassed using tricks that steal active login sessions rather than passwords. These trends together suggest that relying on perimeter defenses and basic hygiene is no longer enough, as attackers hide inside trusted cloud services and legitimate software updates. This matters because organizations are losing visibility into where their sensitive data actually lives, especially as AI tools create hidden pathways into company systems. Defenders must shift their focus to monitoring user behavior after login and securing the automated systems that build their software. Watch for unusual activity in your developer tools and implement stricter checks on third-party software.
AI Weaponization Collapses Trust as Identity Becomes the Perimeter
Attackers are using artificial intelligence to make phishing and social engineering dramatically cheaper and more convincing, as seen in BlueNoroff's AI-generated deepfake meetings targeting Web3 executives and the Bluekit phishing platform's built-in AI assistant that crafts lures on demand. Because these AI tools can generate convincing scams and steal session cookies to bypass multi-factor authentication, traditional email filters and basic MFA are no longer sufficient barriers. In parallel, attackers are shifting from hacking infrastructure to hijacking identity and trust systems—installing legitimate remote-access tools via phishing, exploiting API authentication flaws like BOLA, and harvesting credentials through malicious AI browser extensions that spy on users in real time. This identity-focused shift compounds with the persistent exploitation of older vulnerabilities; groups like SHADOW-EARTH-053 still use years-old ProxyLogon flaws on unpatched Exchange servers, while CISA confirms CVE-2026-32202 (Microsoft Windows) and CVE-2026-41940 (cPanel) are already being exploited in the wild. Because AI models like Claude Mythos can now autonomously chain these vulnerabilities into working exploits at machine speed, defenders cannot rely on manual patching cadences to stay safe. These trends together suggest that the real perimeter is no longer the firewall but the identity layer, and defending it requires phishing-resistant authentication, automated response, and rigorous vetting of developer pipelines and third-party trust. Watch for AI-accelerated exploitation of unpatched systems and invest in identity-centric, machine-speed defenses before the next wave of automated attacks outpaces your team's response.