Security news weekly round-up - 6th March 2026
Source: Dev.to
APT37 hackers use new malware to breach air‑gapped networks
Air‑gapped networks are typically found in critical infrastructure and are assumed to be isolated from external attacks. APT37 demonstrates that this assumption can be false.
Infection chain
- Victim opens a malicious Windows shortcut file (.lnk).
- The shortcut launches a PowerShell script that extracts payloads embedded in the file and opens a decoy document to distract the user.
- The script loads the first malware component, RESTLEAF, an implant that communicates with APT37’s command‑and‑control infrastructure via Zoho WorkDrive.
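The chain above starts with a shortcut whose command line runs PowerShell and whose on-disk size is padded with the payloads it later carves out. Both of those are visible without running anything. The script below is an added example, not code from the article or from APT37's tooling: it parses the fixed part of the MS-SHLLINK layout (header, optional ID list and link info, the string data, the extra-data blocks), then flags a PowerShell target with the usual evasion switches and any bytes appended past the end of the link structure, which is where an embedded decoy and payload would sit. The two sample shortcuts, their command lines and file names are constructed here for the demo.

```python
"""Static triage of Windows .lnk files for the decoy/embedded-payload pattern."""
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")  # 00021401-...-46 on disk

# LinkFlags bits (MS-SHLLINK 2.1.1) that change the layout of what follows the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_FIELDS = (                      # StringData appears in exactly this order
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Indicators checked against target path + arguments (constructed heuristics, not a vendor list).
ARG_INDICATORS = (
    (r"(?i)\b(powershell|pwsh)(\.exe)?\b", "launches PowerShell"),
    (r"(?i)-(enc|encodedcommand|e)\b", "base64-encoded command"),
    (r"(?i)-w(indowstyle)?\s+hidden", "hidden window"),
    (r"(?i)-e(xecutionpolicy|p)\s+bypass", "execution-policy bypass"),
    (r"(?i)ReadAllBytes|Get-Content|\.lnk\b", "reads a file, likely itself, to carve an embedded payload"),
)


def parse_lnk(data: bytes):
    """Return (string fields, offset where the shell link structure ends)."""
    if len(data) < LNK_HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (2 bytes) then the item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FIELDS:            # CountCharacters (2 bytes) then the characters
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
        pos += width * count
    while True:                                # ExtraData: blocks until a BlockSize < 4 terminator
        size = struct.unpack_from("<I", data, pos)[0] if pos + 4 <= len(data) else 0
        if size < 4:
            pos += 4
            break
        pos += size
    return fields, min(pos, len(data))


def triage_lnk(data: bytes) -> dict:
    """Parse a shortcut and list the indicators it trips; raises ValueError on non-LNK input."""
    fields, end = parse_lnk(data)
    target = fields.get("relative_path", "")
    args = fields.get("arguments", "")
    findings = [why for pat, why in ARG_INDICATORS if re.search(pat, target + " " + args)]
    appended = len(data) - end
    if appended:
        findings.append(f"{appended} bytes appended after the link structure")
    return {"target": target, "arguments": args, "appended_bytes": appended, "findings": findings}


def build_lnk(relative_path: str, arguments: str = "", appended: bytes = b"") -> bytes:
    """Constructed minimal shortcut (no ID list, no LinkInfo) used only to feed the demo."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I", header, 0, LNK_HEADER_SIZE)
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 0x14, flags)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments) if s)
    return bytes(header) + body + struct.pack("<I", 0) + appended


# Constructed samples. The command line reads the shortcut itself, drops a decoy
# document from one byte range and executes script text from the rest.
MALICIOUS_ARGS = (
    '-NoP -w hidden -ep bypass -c "$b=[IO.File]::ReadAllBytes(\'report.lnk\');'
    "[IO.File]::WriteAllBytes('report.docx',$b[4096..8191]);"
    'IEX([Text.Encoding]::UTF8.GetString($b[8192..($b.Length-1)]))"'
)
APPENDED_BLOB = b"PK\x03\x04" + b"\x00" * 4092 + b"Write-Host stage2"   # decoy + script stand-in
MALICIOUS_LNK = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                          MALICIOUS_ARGS, appended=APPENDED_BLOB)
BENIGN_LNK = build_lnk(r"..\Documents\report.docx")

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(label, triage_lnk(blob))
```

On real samples the appended-bytes check is the robust one: a shortcut is normally a few kilobytes, and anything after the ExtraData terminator is not part of the format, so a multi-megabyte .lnk with trailing data is worth pulling regardless of how the command line is obfuscated.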
Hackers weaponize Claude code in Mexican government cyberattack
Researchers observed a novel attack that leveraged Anthropic's Claude model to facilitate a breach of a Mexican government system.
- The attacker convinced Claude that all actions were authorized, effectively bypassing the model’s guardrails.
- Claude was then used to analyze stolen data and accelerate the execution of the compromise.
LLMs can unmask pseudonymous users at scale with surprising accuracy
Large language models (LLMs) are now capable of de‑anonymizing users who post under pseudonyms, raising significant privacy concerns.
- The technique can identify speakers behind obscured accounts, enabling doxxing, stalking, and the creation of detailed marketing profiles (e.g., location, occupation).
- This threatens the effectiveness of pseudonymity as a privacy measure for sensitive public discussions.
Quantum decryption of RSA is much closer than expected
A new algorithm, the JVG algorithm, dramatically reduces the quantum resources needed to break RSA and elliptic‑curve cryptography (ECC).
- The Advanced Quantum Technologies Institute (AQTI) announced on 2 March 2026 that the algorithm requires a thousand‑fold fewer qubits and quantum gates than previous estimates.
- Projections suggest fewer than 5,000 qubits could be sufficient to compromise RSA/ECC implementations.
Government iPhone hacking tools repurposed by cybercriminals
Google disclosed that a suite of sophisticated iPhone hacking tools, originally developed for lawful government use, is now being exploited by cybercriminals.
- The Coruna kit can bypass iPhone defenses through a “watering‑hole” attack—simply visiting a malicious website or link.
- It chains together 23 vulnerabilities to achieve infection via five distinct methods, affecting devices from iOS 13 up to iOS 17.2.1 (released Dec 2023).
Wikipedia hit by self‑propagating JavaScript worm
A malicious JavaScript worm was introduced into Wikipedia, vandalizing pages and highlighting the platform’s exposure to scripted attacks.
- The script was stored at User:Ololoshka562/test.js (first uploaded March 2024) and is linked to previous wiki‑project attacks.
- According to BleepingComputer, a Wikimedia employee account executed the script during testing of user‑script functionality.
- It remains unclear whether the execution was intentional, accidental, or the result of a compromised account.