Three things defined March 2026: a CVSS 10.0 zero-day that had been exploited for three years undetected, nation-state actors hiding command-and-control traffic inside Google Sheets, and a credential-theft supply chain that runs like a franchise operation.
For European mid-market organisations navigating NIS2, DORA, and the Cyber Resilience Act simultaneously, none of this is abstract. The NIS2 first compliance audit deadline has shifted to June 30, 2026. CRA vulnerability reporting obligations begin September 11, 2026. Threat intelligence is no longer a nice-to-have — it is an auditable input to your risk management framework.
At a Glance
| Metric | Detail |
|---|---|
| CVE-2026-20127 | CVSS 10.0 — Cisco SD-WAN authentication bypass, exploited since 2023 |
| CISA ED 26-03 | Emergency directive issued — federal agencies had 24 hours to patch |
| 53 organisations | Confirmed breached by GRIDTIDE espionage across 42 countries |
| 195 million | Identities exposed in AI-assisted breach of Mexican government |
| $82,314 | Unauthorised Gemini API charges racked up in 48 hours via leaked key |
| 1,000+ organisations | Hit by GTFire phishing campaign across 100+ countries |
This Month's Threats
1. Network Infrastructure Zero-Day — Cisco SD-WAN
A maximum-severity authentication bypass, actively exploited since 2023 by a sophisticated threat actor, with no workaround available. CISA responded with Emergency Directive 26-03 — mandating federal agencies patch within 24 hours.
CVE-2026-20127 is an authentication bypass in Cisco Catalyst SD-WAN Controller and Catalyst SD-WAN Manager. The numbers speak for themselves:
- CVSS score: 10.0 (maximum severity)
- Attack vector: Unauthenticated remote attacker sends crafted request
- Impact: Full administrative privileges on the affected system
- Threat actor: UAT-8616, tracked by Cisco Talos since 2023
- Exploitation method: Leverages broken peering authentication to access NETCONF and manipulate SD-WAN fabric configuration
- Workaround: None — upgrading to a patched release is the only fix
CISA issued Emergency Directive 26-03, ordering Federal Civilian Executive Branch agencies to inventory all SD-WAN systems by February 26, 2026, and apply patches by February 27. The supplemental guidance added concrete hardening measures: enable DTLS encryption for SD-WAN Manager connections, use SNMPv3 for data authentication, and deploy firewalls restricting SD-WAN access to known device IPs only.
This was not the only critical vulnerability disclosed that week. The patch backlog is significant:
| CVE | Product | Severity |
|---|---|---|
| CVE-2026-20127 | Cisco Catalyst SD-WAN | Critical (10.0) |
| CVE-2026-22719 / 22720 / 22721 | Broadcom VMware Aria | Critical |
| CVE-2025-13942 / 13943, CVE-2026-1459 | Zyxel Devices | Critical |
| CVE-2025-40538 through 40541 | SolarWinds Serv-U | Critical |
| CVE-2026-3061 / 3062 / 3063 | Google Chrome | High |
Defensive priority: Patch Cisco SD-WAN immediately. Enable DTLS encryption for Manager connections. Firewall SD-WAN management planes to known vEdge, vSmart, vBond, and vManage IPs. Apply all critical CVEs listed above — the window between disclosure and mass exploitation is shrinking.
2. Nation-State Espionage Abusing Cloud Services
Three distinct campaigns, three different nation-state actors, one common theme: legitimate cloud services repurposed as covert infrastructure.
GRIDTIDE — China-nexus (UNC2814)
Google's Threat Intelligence Group disrupted this campaign after confirming 53 victims across 42 countries on four continents, with suspected infections in at least 20 more. The targets were telecom operators and government networks — classic signals intelligence collection.
The tradecraft is what stands out:
- Backdoor: GRIDTIDE — C-based, supports arbitrary shell commands, file upload/download
- C2 channel: Google Sheets API, treating spreadsheets as communication infrastructure
  - `A1` cell — polls for attacker commands, overwrites with status response
  - `A2`–`An` cells — bidirectional data transfer (command output, exfiltrated files)
- Intent: PII-focused espionage — endpoints containing personally identifiable information were specifically targeted
- Takedown: Google terminated all attacker Cloud Projects, disabled infrastructure, and cut API access
Using Google Sheets as C2 is not a novelty technique — but deploying it at this scale, across 42 countries, while evading detection for an extended period, demonstrates operational maturity.
Dohdoor — North Korea-nexus (UAT-10027)
Cisco Talos identified a previously undocumented campaign targeting U.S. education and healthcare organisations since at least December 2025. The attribution points to North Korea — Talos assesses UAT-10027 shares TTPs with the Lazarus group.
- Backdoor: Dohdoor — 64-bit DLL loader compiled November 2025
- C2 method: DNS-over-HTTPS (DoH) via Cloudflare on port 443
  - Crafts HTTP requests to Cloudflare's DoH endpoint
  - Parses JSON responses for `Answer` and `data` fields to obtain the C2 IP
- EDR evasion: Unhooks system calls in `NTDLL.dll` to bypass user-mode API monitoring
- Payload delivery: Downloads, decrypts, and reflectively executes binaries inside legitimate Windows processes
The use of DNS-over-HTTPS for C2 is a deliberate choice — DoH traffic blends with legitimate encrypted DNS, making network-level detection significantly harder without dedicated DoH inspection.
PlugX Resurgence — China-nexus (UNC6384)
UNC6384, which shares tactical overlaps with Mustang Panda, continues deploying updated PlugX variants. The delivery mechanism: phishing emails with meeting invitation lures that drop STATICPLUGIN, a digitally signed downloader.
- Downloader: STATICPLUGIN — signed by Chengdu Nuoxin Times Technology Co., Ltd with a valid GlobalSign certificate
- Payload: PlugX variant (SOGU.SEC) deployed in-memory
- Infrastructure: 14 active staging domains identified as of late February 2026
- History: Over two dozen malware samples signed by the same entity, dating back to January 2023
Defensive priority: Monitor for anomalous Google Sheets API calls from endpoints. Inspect DNS-over-HTTPS traffic at network boundaries — consider blocking or proxying DoH to external resolvers. Review phishing resilience against meeting-invitation lures specifically.
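The defensive priority above asks for watching Google Sheets API calls and DNS-over-HTTPS from endpoints. The script below is an added example written for this briefing, not code from Google, Cisco Talos, or the Orizon team. It runs three checks over a handful of constructed web-proxy log lines: Sheets API requests from hosts not on an approved list, requests to public DoH resolver endpoints, and near-constant-interval polling ("beaconing") to any destination, which generalises beyond the Sheets case. The log format, the `APPROVED_SHEETS_HOSTS` and `DOH_ENDPOINTS` lists, and the beaconing thresholds are all assumptions to adapt to your own environment.

```python
"""Flag endpoints whose proxy traffic looks like cloud-service C2 abuse.

Added example, not from the briefing. Three checks over constructed proxy
log lines: Sheets API use from unapproved hosts, DoH to external resolvers,
and regular-interval polling (beaconing) to any destination.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log: "<ISO timestamp> <client host> <method> <url>" (assumed format).
SAMPLE_LOG = """\
2026-03-02T09:00:00 ws-finance-07 GET https://sheets.googleapis.com/v4/spreadsheets/1AbC/values/Sheet1!A1
2026-03-02T09:01:00 ws-finance-07 GET https://sheets.googleapis.com/v4/spreadsheets/1AbC/values/Sheet1!A1
2026-03-02T09:02:00 ws-finance-07 PUT https://sheets.googleapis.com/v4/spreadsheets/1AbC/values/Sheet1!A2
2026-03-02T09:03:00 ws-finance-07 GET https://sheets.googleapis.com/v4/spreadsheets/1AbC/values/Sheet1!A1
2026-03-02T09:04:00 ws-finance-07 GET https://sheets.googleapis.com/v4/spreadsheets/1AbC/values/Sheet1!A1
2026-03-02T09:17:22 etl-batch-01 POST https://sheets.googleapis.com/v4/spreadsheets/9XyZ/values:batchUpdate
2026-03-02T10:12:05 ws-hr-13 POST https://cloudflare-dns.com/dns-query
2026-03-02T10:13:41 ws-hr-13 GET https://cloudflare-dns.com/dns-query?name=example.invalid&type=A
2026-03-02T10:20:00 ws-eng-02 GET https://www.example.com/index.html
"""

# Assumed: the only host with a legitimate Sheets integration is an ETL batch box.
APPROVED_SHEETS_HOSTS = {"etl-batch-01"}

# Constructed short list of well-known public DoH endpoints.
DOH_ENDPOINTS = {"cloudflare-dns.com", "dns.google", "1.1.1.1", "dns.quad9.net"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, method, url = m.groups()
    parts = urlsplit(url)
    return {"ts": datetime.fromisoformat(ts), "host": host, "method": method,
            "dest": parts.hostname, "path": parts.path}


def is_beaconing(timestamps, min_hits=4, max_jitter=0.2):
    """True when >= min_hits requests are spaced at a near-constant interval.

    Jitter is the standard deviation of the gaps relative to the mean gap;
    a human browsing a sheet produces irregular gaps, an implant polling
    on a timer does not.
    """
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_jitter


def analyse(log_text):
    """Return a sorted list of (host, finding) tuples for the whole log."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings = set()
    by_host_dest = defaultdict(list)
    for e in events:
        by_host_dest[(e["host"], e["dest"])].append(e["ts"])
        if e["dest"] == "sheets.googleapis.com" and e["host"] not in APPROVED_SHEETS_HOSTS:
            findings.add((e["host"], "sheets-api-from-unapproved-host"))
        if e["dest"] in DOH_ENDPOINTS and e["path"] == "/dns-query":
            findings.add((e["host"], "doh-to-external-resolver"))
    for (host, dest), stamps in by_host_dest.items():
        if is_beaconing(stamps):
            findings.add((host, f"beaconing-to-{dest}"))
    return sorted(findings)


if __name__ == "__main__":
    for host, finding in analyse(SAMPLE_LOG):
        print(f"{host}: {finding}")
```

On the constructed log this reports `ws-finance-07` twice (unapproved Sheets API use, and 60-second beaconing to `sheets.googleapis.com`) and `ws-hr-13` once for DoH to an external resolver; the approved ETL host and ordinary browsing produce nothing. The beaconing check is deliberately destination-agnostic so the same code catches timer-driven polling to any cloud service.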
3. The Credential Theft Supply Chain
Credential theft in 2026 does not look like a lone attacker running a keylogger. It looks like a supply chain — with operators, extractors, and brokers each playing a specialised role.
The Assembly Line
- Operators deploy infostealers at scale — via phishing, malvertising, or social engineering
- Extractors process raw credential logs — sorting, deduplicating, enriching with context
- Initial Access Brokers (IABs) package and sell curated network entry points to ransomware affiliates and espionage actors
Each step is a separate business. Each has its own marketplace, pricing, and customer base.
The Tools
| Family | Active Since | Price | Notable Capability |
|---|---|---|---|
| DarkCloud | 2022 | From $30/month | Sold via Telegram + clearnet storefront; scalable enterprise credential theft |
| Arkanix | Oct–Dec 2025 | MaaS model | LLM-assisted development; short-lived but demonstrated AI-enabled malware creation |
Arkanix is particularly notable — not for its impact (it disappeared within weeks) but for what it signals. The developer used large language models to assist in building the stealer. The barrier to creating functional malware continues to drop.
ClickFix — Social Engineering at Scale
Microsoft Threat Intelligence confirmed that ClickFix campaigns are now targeting thousands of enterprise and end-user devices globally every day. The technique tricks users into running malicious commands by impersonating error messages or CAPTCHA checks.
The February 2026 variant escalated the approach:
- Old method: Instructs users to open the Windows Run dialog and paste a command
- New method: Instructs users to press `Win+X` then `I` to open Windows Terminal directly — a privileged command execution environment
- Also seen: Fake venture capital identities on LinkedIn targeting crypto/Web3 professionals via spoofed video conferencing links
GTFire — Abusing Google's Trust
Discovered by Group-IB, the GTFire campaign chains two Google services to bypass security filters entirely:
- Victim receives a phishing email with a `translate.goog` link (Google Translate proxy)
- Google Translate relays the request — email gateways see a trusted Google domain and let it through
- Victim lands on a Firebase-hosted phishing page (`*.web.app` subdomain)
- Page dynamically loads brand-specific logos and login fields
- Stolen credentials exfiltrated via HTTP GET to LiteSpeed-based C2 servers
The scale: 1,000+ organisations across 100+ countries and 200+ industries. Mexico, the United States, Spain, India, and Argentina were the most affected.
Defensive priority: Enforce DMARC beyond monitoring-only across all sending domains. Consider blocking `translate.goog` redirects to unknown Firebase subdomains at the proxy level. Deploy endpoint detection for credential store access and reflective DLL injection. Train staff specifically on ClickFix variants — the Windows Terminal vector is new and effective.
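Two of the controls in the defensive priority above can be checked mechanically: which real destination sits behind a Google Translate proxy link, and whether a domain's DMARC record actually enforces a policy. The script below is an added example, not part of the briefing or of Group-IB's research. It assumes the `translate.goog` proxy encodes the destination hostname by turning each `.` into `-` and each literal `-` into `--` (the commonly observed convention; verify against your own samples), and it parses the standard `v`/`p` DMARC tags. The sample links and records are constructed.

```python
"""Decode Google Translate proxy links and check DMARC enforcement.

Added example, not from the briefing. decode_translate_host() recovers the
destination behind a *.translate.goog link (hostname encoding is assumed:
'.' -> '-', '-' -> '--'); classify_link() flags Firebase (*.web.app)
destinations; dmarc_is_enforcing() reports whether a DMARC record is
enforcing (p=quarantine/reject) or monitoring-only (p=none).
"""
import re
from urllib.parse import urlsplit

TRANSLATE_SUFFIX = ".translate.goog"


def decode_translate_host(proxy_host):
    """'www-example-com.translate.goog' -> 'www.example.com'; None if not a proxy host."""
    if not proxy_host.endswith(TRANSLATE_SUFFIX):
        return None
    encoded = proxy_host[: -len(TRANSLATE_SUFFIX)]
    marker = "\x00"  # stand-in so a '--' survives the '-' -> '.' swap
    return encoded.replace("--", marker).replace("-", ".").replace(marker, "-")


def classify_link(url):
    """Return (destination_host, verdict) for a URL found in an email."""
    host = (urlsplit(url).hostname or "").lower()
    dest = decode_translate_host(host)
    if dest is None:
        return host, "not-translate-proxy"
    if dest == "web.app" or dest.endswith(".web.app"):
        return dest, "translate-proxy-to-firebase"
    return dest, "translate-proxy"


DMARC_TAG_RE = re.compile(r"\s*([a-z]+)\s*=\s*([^;]*)")


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=none; rua=...' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        m = DMARC_TAG_RE.fullmatch(part)
        if m:
            tags[m.group(1)] = m.group(2).strip()
    return tags


def dmarc_is_enforcing(record):
    """True only for a DMARC1 record whose policy is quarantine or reject."""
    tags = parse_dmarc(record)
    return tags.get("v") == "DMARC1" and tags.get("p") in {"quarantine", "reject"}


if __name__ == "__main__":
    # Constructed sample links and records.
    for link in ("https://login-example-com.translate.goog/signin?_x_tr_sl=auto",
                 "https://acme--portal-web-app.translate.goog/",
                 "https://www.example.com/"):
        print(link, "->", classify_link(link))
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=reject; pct=100"):
        print(rec, "->", "enforcing" if dmarc_is_enforcing(rec) else "monitoring-only")
```

The proxy-link check is meant to sit in a mail-filter or proxy rule: a translate link whose decoded destination is an unknown `*.web.app` host is exactly the GTFire shape, while a translate link to a known corporate site is ordinary use. The DMARC check is the one to run against every sending domain you own; `p=none` is what "monitoring-only" means in the record.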
Sector Spotlight: Developer Supply Chain & AI Tooling
The developer toolchain became an attack surface this month — from both sides.
AI Development Tools as Attack Vectors
Check Point Research disclosed two vulnerabilities in Anthropic's Claude Code that demonstrate a new class of supply chain risk:
- `CVE-2025-59536` — Code injection: arbitrary shell commands execute automatically when a user starts Claude Code in a directory containing a malicious project configuration
- `CVE-2026-21852` — Information disclosure: malicious repository configurations exfiltrate Anthropic API keys during project load
The attack surface is configuration files — hooks, MCP servers, environment variables. Developers inherently trust these as metadata, not executable code. That assumption is the vulnerability. Anthropic patched both issues with enhanced warning dialogs and MCP server approval gates.
API Keys That Were Never Meant to Be Secrets
Truffle Security discovered that 2,863 publicly exposed Google API keys (the AIza... prefix format) could authenticate to sensitive Gemini AI endpoints — because Google uses a single key format for both public identification and sensitive authentication.
The trigger: when a user enables the Gemini API (Generative Language API) on a Google Cloud project, all existing API keys in that project gain access to Gemini endpoints. Including keys embedded in client-side JavaScript — which Google had explicitly told developers were safe to expose.
One developer's company was charged $82,314 in 48 hours after their key was compromised. Google classified the flaw as "single-service privilege escalation" and has since implemented proactive blocking of leaked keys attempting Gemini API access.
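Because the AIza-prefixed key format is the same whether a key is meant for public identification or for billable Gemini access, the practical control is to find such keys before they ship in client-side code and to scope or rotate them. The scanner below is an added example, not Truffle Security's tooling or anything from Google. It assumes the key shape is `AIza` followed by 35 characters from `[0-9A-Za-z_-]` (39 characters in total), and it runs over two constructed sample files with obviously fake keys, rating hits in browser-delivered files higher than hits in server-side config.

```python
"""Scan source and config for Google API keys (AIza... format) before release.

Added example, not from the briefing. Assumption: a key is 'AIza' followed
by 35 characters from [0-9A-Za-z_-]. Sample files and keys are constructed.
"""
import re

GOOGLE_API_KEY_RE = re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b")

# Constructed, obviously fake keys of the right shape (39 characters).
FAKE_KEY_1 = "AIzaSyEXAMPLE" + "0" * 25 + "a"
FAKE_KEY_2 = "AIzaSyEXAMPLE" + "1" * 25 + "b"

# Constructed sample files: a bundled front-end script and a server-side config.
SAMPLE_FILES = {
    "static/app.bundle.js": (
        "const maps = loadScript('https://maps.googleapis.com/maps/api/js?key="
        + FAKE_KEY_1 + "');\n"
        + "export const sessionId = 'AIzaNotAKey';\n"
    ),
    "config/keys.json": (
        "{\n"
        + '  "gemini_key": "' + FAKE_KEY_2 + '",\n'
        + '  "public_name": "demo"\n'
        + "}\n"
    ),
}


def redact(key):
    """Keep the prefix and last four characters so the owner can tell keys apart."""
    return key[:8] + "..." + key[-4:]


def scan_text(text, name):
    """Return (name, line_no, redacted_key) for every key-shaped token in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in GOOGLE_API_KEY_RE.finditer(line):
            hits.append((name, line_no, redact(m.group(0))))
    return hits


def scan_files(files):
    """Scan a {path: contents} mapping and return all hits in file order."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(text, name))
    return findings


def is_client_side(name):
    """Heuristic (assumed layout): static/ and .js/.html files ship to browsers."""
    return name.startswith("static/") or name.endswith((".js", ".html"))


def report(files):
    """Attach a severity to each hit: browser-delivered keys are the urgent ones."""
    rows = []
    for name, line_no, preview in scan_files(files):
        severity = "HIGH (client-side)" if is_client_side(name) else "MEDIUM (server config)"
        rows.append((severity, name, line_no, preview))
    return rows


if __name__ == "__main__":
    for severity, name, line_no, preview in report(SAMPLE_FILES):
        print(f"{severity}: {name}:{line_no} {preview}")
```

A hit in a client-side bundle is the case the briefing describes: the key is public by design, and enabling the Gemini API on the project silently made it billable. The scanner only finds keys; restricting each key to the APIs and referrers it needs, and rotating any that were ever shipped to browsers, is the follow-up.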
AI as an Offensive Weapon
An unidentified attacker jailbroke Claude using Spanish-language prompts, claiming to be conducting bug bounty research. Over approximately one month (December 2025 to January 2026), the attacker used the AI to write exploits targeting Mexican federal agencies — the tax authority (SAT) and the national electoral institute (INE).
The result: ~195 million identities exposed and ~150GB of data exfiltrated, including civil registry files, tax records, and voter data. Both Anthropic and OpenAI (whose ChatGPT the attacker also attempted to use) banned the associated accounts.
Defensive priority: Audit all cloned repositories for untrusted configuration files before opening them in AI-assisted development tools. Rotate and scope-limit all API keys — never embed keys in client-side code, regardless of what the vendor documentation says. Establish an internal policy on AI tool usage boundaries and acceptable use.
Regulatory Deadlines
Every threat in this briefing intersects with at least one upcoming European regulatory milestone.
| Date | Regulation | What It Means |
|---|---|---|
| June 30, 2026 | NIS2 | First compliance audit deadline (shifted from Dec 31, 2025) — threat intelligence is an auditable input |
| Sep 11, 2026 | CRA | Manufacturers must report actively exploited vulnerabilities to ENISA within 24 hours |
| Dec 11, 2027 | CRA | Full product compliance deadline |
| Ongoing | DORA | Article 13 requires financial entities to maintain threat intelligence capabilities informing ICT risk management |
The Cisco SD-WAN zero-day is a textbook case for why CRA's reporting obligations matter: CVE-2026-20127 was exploited for three years before public disclosure. Under CRA's September 2026 rules, manufacturers will be legally required to report such exploitation to ENISA within 24 hours of becoming aware — creating a structured intelligence channel that did not previously exist.
CISA's Emergency Directive 26-03 is U.S.-focused, but European organisations running Cisco SD-WAN should treat it with equivalent urgency. NIS2's supply chain and ICT risk management requirements make unpatched critical infrastructure a compliance issue, not just a security one.
Your March Checklist
- Patch Cisco SD-WAN now. CVE-2026-20127 has no workaround. Follow CISA ED 26-03 hardening guidance: DTLS, SNMPv3, firewall to known IPs. Also patch VMware Aria, Zyxel, SolarWinds Serv-U, and Chrome.
- Audit cloud API keys and developer tool configurations. Review Google Cloud API key scoping — especially if the Gemini API is enabled on any project. Check all repositories for untrusted Claude Code or AI tool configs before opening.
- Harden against credential-theft campaigns. Enforce DMARC beyond monitoring-only. Deploy endpoint detection for infostealer behaviour (credential store access, reflective DLL injection). Brief staff specifically on ClickFix variants — the Windows Terminal vector is effective.
- Monitor for cloud-service C2 abuse. Set alerts for anomalous Google Sheets API usage from endpoints. Inspect or proxy DNS-over-HTTPS traffic to external resolvers. Watch for unusual `*.web.app` (Firebase) subdomain traffic.
- Prepare for regulatory deadlines. NIS2 first audit is June 30, 2026 — less than four months away. CRA vulnerability reporting starts September 11, 2026. Document how your threat intelligence programme informs risk assessments and control decisions.
Threat Briefing is published quarterly by the Orizon team. It reflects general industry trends and authoritative public sources. It does not constitute legal or regulatory advice. For tailored threat analysis or compliance support, contact us.