This blog provides a summary of findings from Cynet’s March 2026 Cyber Threat Intelligence Report. To read the full report, download it here.
March saw ransomware gangs forging criminal alliances, infostealers targeting your browser’s deepest secrets, and a trusted developer tool turned against its own users. Taken together, the month’s activity signals a maturing threat ecosystem in which adversaries are collaborating more effectively, automating more aggressively, and attacking the tools defenders rely on.
March 2026 was one of the most active months for ransomware in recent memory. A total of 790 victims were recorded across the month, a figure that underscores how relentlessly industrialized these operations have become. The most prolific group, Qilin, claimed 136 victims alone, more than double the tally of the second-ranked group, Akira, at 75. Manufacturing was the most targeted sector for the second consecutive month, reflecting the operational pressure that downtime creates for industrial organizations and the leverage it gives ransomware operators at the negotiating table. The United States remained by far the most targeted country.
On the vulnerability front, the report covers ten high-severity CVEs, including one rated a perfect 10.0: a remote code execution flaw in Cisco Secure Firewall Management Center that allows an unauthenticated attacker to run arbitrary code as root. Three further CVEs scored 9.8, covering Langflow, SimStudio, and Spring AI. Defenders should treat patching these as urgent.
Vect serves as a blueprint for how criminal ecosystems are industrializing. We break down its technical capabilities, the BreachForums partnership that gave it 300,000 potential recruits overnight, and what the TeamPCP alliance means for the access-to-ransomware pipeline. Plus: how this breaks from the traditional affiliate model, and what defenders should do now.
Credentials, cookies, credit cards, Discord tokens — your browser holds more sensitive data than most file shares. WhoUser exploits ChromeElevator to bypass Google’s App-Bound Encryption, monitors your clipboard in real time, and sends it all out over Discord webhooks. We walk through the full attack chain and place it in the broader infostealer-as-a-service economy powering credential markets in 2026.
On March 19, attackers used stolen credentials to push a trojanized Trivy release that ran inside thousands of CI/CD pipelines, targeting SSH keys, cloud credentials, Kubernetes configs, and more. The same group, TeamPCP, was already linked to the European Commission breach. We trace the full attack chain from credential theft to weaponization, cover the downstream cascade, and lay out both immediate containment steps and structural fixes for your software supply chain.
The complete report covers all critical CVEs, ransomware group activity, deep-dive malware analysis of Vect, WhoUser, Reynolds, and the Phantom Stealer phishing campaign, plus exclusive darknet intelligence from Cynet Lighthouse. Download the CTI Report and stay a step ahead of threat actors.