InfoSec Briefing - March 24, 2026

🎧 Audio Briefing

Playback Speed:

Good morning. This is your security briefing for Monday, March 23, 2026, covering six articles analyzed overnight. All attribution is by the article authors. All article analysis is automated.

According to Nikita Shah, Iranian cyber actors have conducted diverse operations including destructive attacks against U.S. medical technology firms like Stryker, reconnaissance embedding in U.S. and Israeli networks, and influence campaigns. These operations range from data wiping and DDoS attacks to espionage and hack-and-leak tactics, serving both domestic control objectives and international destabilization goals in the U.S.-Iran conflict.

The Federal Communications Commission has updated its Covered List to prohibit approval of new consumer-grade routers produced in foreign countries, citing unacceptable national security risks including supply chain vulnerabilities exploited in Volt, Flax, and Salt Typhoon campaigns. Existing routers remain unaffected, but new foreign-made models cannot receive the FCC authorization required for U.S. import and sale.

According to Auriga Aristo on Medium, organizations systematically reward CISOs who excel at compliance, audits, and post-incident reporting rather than those who build resilient security architectures. This creates a culture where security is treated as a bureaucratic checkbox exercise instead of a strategic enabler, resulting in organizations that may pass audits but lack genuine resilience against real threats.

Huntress reports a malvertising campaign targeting users searching for W-2 tax forms that exploits a Windows kernel vulnerability to achieve kernel-mode execution. Attackers are using Bring Your Own Vulnerable Driver techniques to disable EDR and AV solutions at the kernel level, creating blind spots for defenders and enabling further malicious activities.

According to Wiz, threat actor TeamPCP compromised the KICS GitHub Action repository and two OpenVSX extensions by gaining access to service accounts. The attack distributed credential-stealing malware with second-stage payloads from C2 infrastructure, establishing persistence on non-CI systems via systemd services, affecting users who pinned to compromised tags during the twelve fifty-eight to sixteen fifty UTC window.

Backdoorskid has published details on CustomLoadImage, a tool that enables stealthy loading of .NET assemblies by directly calling AssemblyNative::LoadFromBuffer, bypassing standard loading mechanisms and detection hooks. This reflective loading technique allows malicious code to execute in memory without disk writes, evading traditional security solutions and facilitating advanced persistent threats and payload delivery.

That concludes today's briefing.

📰 Articles Covered

How a Tax Search Leads to Kernel-Mode AV/EDR Kill | Huntress - Huntress

The cybersecurity article details a malvertising campaign that exploits a vulnerability to gain kernel-mode access, allowing attackers to disable Endpoint Detection and Response (EDR) solutions. 【1】

**What Happened:**
Attackers utilized malvertising, specifically targeting users searching for W-2 tax forms. These malicious ads led users to compromised websites that, in turn, exploited a vulnerability in the Windows kernel. The exploitation allowed for the execution of malicious code at the kernel level, enabling the attackers to disable security software like EDRs. 【1】

**Who is Affected:**
The campaign primarily affects **end-users who fall victim to the malvertising ads** and subsequently visit compromised websites. Organizations with employees who might search for tax-related information and are not adequately protected by robust security measures are also at risk. 【1】

**Security Implications:**
The primary security implication is the **ability of attackers to disable critical security defenses**, such as EDR solutions, at the kernel level. This grants them a significant advantage, allowing for further malicious activities like data exfiltration or ransomware deployment without detection. The exploitation of a kernel-level vulnerability is particularly concerning due to the high level of privilege it grants. 【1】

**Technical Details:**
The attack chain begins with malvertising that redirects users to a website hosting an exploit kit. This kit targets a **vulnerability in the Windows kernel**, specifically an issue that allows for arbitrary read/write operations. Successful exploitation enables the attackers to achieve kernel-mode execution. Once in kernel mode, they can manipulate or disable security software, effectively creating a blind spot for defenders. The article mentions the use of **"Bring Your Own Vulnerable Driver" (BYOVD)** techniques, where attackers leverage legitimate but vulnerable drivers to achieve their malicious goals. 【1】

**What Defenders Should Know:**
Defenders need to be aware of the evolving tactics used in malvertising campaigns. Key takeaways include:
- **Kernel-level exploits are a significant threat:** These can bypass traditional security measures.
- **BYOVD is a growing concern:** Attackers are finding ways to leverage legitimate drivers for malicious purposes.
- **Visibility is crucial:** Maintaining visibility into kernel activity and detecting attempts to tamper with security software is paramount.
- **Patching and EDR integrity:** Keeping systems patched and ensuring the integrity and resilience of EDR solutions against kernel-level manipulation are vital.
- **User education:** Educating users about the dangers of malvertising and suspicious search results can help prevent initial infection. 【1】
KICS GitHub Action Compromised: TeamPCP Supply Chain Attack - Wiz

On March 23rd, 2026, the **KICS GitHub Action**, a tool for scanning infrastructure as code, was compromised by a group known as **TeamPCP**, which was also responsible for a previous attack on the Trivy scanner 【1】. This compromise allowed for the distribution of **credential-stealing malware** to users who pinned to specific compromised tags of the GitHub Action 【1】.

### What Happened
The attack occurred between 12:58 and 16:50 UTC on March 23rd, 2026 【1】. TeamPCP gained access to the KICS GitHub Action repository, likely through the compromise of the `cx-plugins-releases` service account, and updated project tags with malicious code 【1】. Additionally, two OpenVSX extensions, **cx-dev-assist** (v1.7.0) and **ast-results** (v2.53.0), were also compromised with identical payloads, published via the `ast-phoenix` account 【1】. The malicious payload, `environmentAuthChecker.js`, would retrieve a second-stage payload from a command-and-control (C2) server (`checkmarx.zone`) upon extension activation if credentials were detected 【1】. This second-stage payload included credential-stealing capabilities and, on non-CI systems, persistence mechanisms via a systemd user service 【1】. A fallback C2 repository named `docs-tpcp` was also established 【1】.

### Who is Affected
Users of the **KICS GitHub Action** who pinned to compromised tags during the exposure window are affected 【1】. Additionally, users of the **cx-dev-assist v1.7.0** and **ast-results v2.53.0** OpenVSX extensions were also impacted 【1】. The VS Code Marketplace versions of these extensions appear to be unaffected 【1】.

### Security Implications
The primary security implication is the **theft of credentials** from affected systems 【1】. The malware's ability to establish persistence on non-CI systems and download further payloads from C2 servers poses a significant risk of ongoing compromise and lateral movement within an organization's infrastructure 【1】. This attack highlights the vulnerability of supply chains in open-source software and the potential for attackers to leverage trusted tools for malicious purposes.

### Technical Details
- **Compromised Artifacts**: The malicious releases included `ast-results-2.53.0.vsix`, `cx-dev-assist-1.7.0.vsix`, `checkmarx-util-1.0.4.tgz`, and `environmentAuthChecker.js` 【1】.
- **KICS GitHub Action Tags**: Malicious tags ranged from `v1` up to `v2.1.20`, with `v1.1` being the only malicious release for this action 【1】.
- **OpenVSX Extensions**: Payload published at 12:53 UTC on March 23, 2026, via the `ast-phoenix` account 【1】.
- **Malware Execution**: The `environmentAuthChecker.js` script is invoked on extension activation. If credentials are found, a second-stage payload is downloaded from `checkmarx.zone/static/checkmarx-util-1.0.4.tgz` 【1】.
- **Credential Exfiltration**: Harvested credentials are encrypted and sent to `checkmarx.zone/vsx` as `tpcp.tar.gz` 【1】.
- **Persistence**: On non-CI systems, the malware installs persistence via a systemd user service, polling `checkmarx.zone/raw` every 50 minutes for additional payloads 【1】.
- **Fallback C2**: A fallback C2 repository named `docs-tpcp` was created 【1】.

### What Defenders Should Know
Security teams should **audit their references to the KICS GitHub Action** and review workflows that utilize it. If version tags were used instead of specific SHAs, it is crucial to **examine workflow run logs** from the exposure window for signs of compromise 【1】. Defenders should also **search their GitHub organizations for repositories named `docs-tpcp`**, as this could indicate successful data exfiltration via the fallback mechanism 【1】. For long-term security, hardening GitHub Actions practices is recommended 【1】.
FCC Updates Covered List to Include Foreign-Made Consumer Routers, Prohibiting Approval of New Models - "the FCC updated its Covered List to include all consumer-grade routers" - Federal Communications Commission (FCC)

The Federal Communications Commission (FCC) has updated its **Covered List** to include all **consumer-grade routers produced in foreign countries** 【1】. This action prohibits the approval of new models of these routers, effectively barring them from import and sale in the U.S. 【1】.

**What Happened:**
The FCC's decision stems from a determination by an Executive Branch interagency body that foreign-produced consumer-grade routers pose "unacceptable risks to the national security of the United States or the safety and security of United States persons" 【1】. This determination highlights two key concerns:
- **Supply Chain Vulnerability:** These routers introduce a vulnerability that could disrupt the U.S. economy, critical infrastructure, and national defense 【1】.
- **Cybersecurity Risk:** They pose a severe cybersecurity risk that could be exploited to disrupt U.S. critical infrastructure and directly harm U.S. persons 【1】.

**Who is Affected:**
- **Consumers:** The action **does not affect consumers' continued use of routers they have already lawfully purchased or acquired** 【1】. Retailers can also continue to sell, import, or market router models that were previously approved by the FCC 【1】. The restrictions apply only to **new device models** 【1】.
- **Producers:** Producers of consumer-grade routers that receive **Conditional Approval from the Department of War (DoW) or the Department of Homeland Security (DHS)** can still obtain FCC equipment authorizations 【1】.

**Security Implications:**
Malicious actors have exploited security vulnerabilities in foreign-made routers for various nefarious purposes, including attacking American households, disrupting networks, enabling espionage, and facilitating intellectual property theft 【1】. These routers have also been implicated in significant cyberattacks targeting vital U.S. infrastructure, such as the Volt, Flax, and Salt Typhoon attacks 【1】. The broader implication is a significant **supply chain vulnerability** that could be leveraged for widespread disruption 【1】.

**Technical Details:**
The FCC's action involves updating its **Covered List**, which identifies equipment that poses national security risks. New devices added to this list are **prohibited from receiving FCC authorization**, which is a prerequisite for import and sale in the U.S. 【1】. The specific technical vulnerabilities exploited are not detailed in the provided text, but the focus is on the inherent risks associated with the supply chain of foreign-produced routers.

**What Defenders Should Know:**
- **Focus on Approved Devices:** Defenders should be aware that new foreign-made consumer-grade routers will no longer be authorized for import or sale in the U.S. 【1】.
- **Existing Devices Remain a Risk:** While new devices are being restricted, the security implications of existing, previously approved foreign-made routers remain. These devices have been exploited in the past and could continue to be targets or vectors for attack 【1】.
- **Conditional Approval Pathway:** Producers seeking to continue offering new router models can pursue Conditional Approval from the DoW or DHS 【1】.
- **Supply Chain Security:** The action underscores the importance of supply chain security in network infrastructure. Defenders should consider the origin and security posture of network devices.
Most Organisations Reward the Wrong Kind of CISO - The content posted at the URL is by **Auriga Aristo** . Medium is a platform where anyone can share perspectives and knowledge . Publications on Medium are collections of articles organized by an editor .

The article argues that organizations often reward the wrong type of Chief Information Security Officer (CISO), leading to a focus on compliance rather than genuine resilience 【1】.

- **What happened**: Organizations tend to reward CISOs who are adept at compliance, audits, and post-incident reporting. This creates a system where security is viewed as a bureaucratic obstacle rather than a strategic advantage 【1】.
- **Who is affected**: This systemic issue affects organizations broadly, as it leads to suboptimal security outcomes. CISOs themselves are also affected, often finding themselves in reactive roles with limited influence on upstream design and decision-making 【1】.
- **Security implications**: The primary implication is that organizations may meet compliance requirements on paper but lack true robustness and resilience when faced with actual security challenges. This indicates a confusion between being "governable" and being "resilient" 【1】.
- **Technical details**: The article does not delve into specific technical exploits or incidents. Instead, it focuses on the organizational and governance issues that lead to these security shortcomings 【1】.
- **What defenders should know**: Defenders should understand that true security maturity is achieved by building resilient systems through influence in the early stages of design, not solely through downstream compliance checks. Organizations need to shift their reward systems to value CISOs who enable safer decisions and foster resilience, thereby positioning security as a strategic enabler for business success 【1】.
CustomLoadImage: Stealthy .NET assembly loading using AssemblyNative::LoadFromBuffer - backdoorskid

The cybersecurity article discusses **CustomLoadImage**, a tool that enables stealthy loading of .NET assemblies, potentially for malicious purposes 【1】.

**What Happened:**
CustomLoadImage facilitates the **reflective loading of .NET assemblies** by directly calling `AssemblyNative::LoadFromBuffer` 【1】【5】. This method bypasses standard loading mechanisms, specifically avoiding hooks on `RuntimeAssembly.nLoadImage`, which are often used for detection 【1】. This technique allows malicious code to be loaded into memory without being written to disk, making it harder to detect 【2】.

**Who is Affected:**
The primary targets are **organizations and their assets** that could be compromised by sophisticated malware 【3】. Any system running .NET applications could potentially be vulnerable if this technique is employed by attackers.

**Security Implications:**
The use of CustomLoadImage presents significant security risks:
- **Stealthy Execution:** By avoiding disk writes and bypassing common detection hooks, malware can operate undetected 【1】.
- **Evasion of Traditional Security:** Customized malware, like that facilitated by CustomLoadImage, is designed to evade traditional security solutions 【2】.
- **Advanced Persistent Threats (APTs):** This technique can be used by threat actors to maintain a persistent presence within a network.
- **Payload Delivery:** It can serve as a method for delivering various types of malicious payloads, including custom Trojans 【3】.

**Technical Details:**
CustomLoadImage's core functionality lies in its direct use of the `AssemblyNative::LoadFromBuffer` method 【1】【5】. This bypasses the typical .NET assembly loading process, which involves checks and potential logging by security software. The tool's name itself, "CustomLoadImage," suggests its purpose is to load custom or malicious .NET code in a way that is not easily identifiable as a standard image file or executable 【4】【7】. This is a form of **in-memory execution**, a common tactic in advanced malware to avoid detection 【2】.

**What Defenders Should Know:**
Defenders need to be aware of and prepare for advanced techniques that bypass traditional security measures:
- **In-Memory Detection:** Focus on **detecting malicious activity in memory** rather than solely relying on file-based scanning.
- **Behavioral Analysis:** Implement **behavioral analysis and endpoint detection and response (EDR)** solutions that can identify suspicious process behavior, such as unexpected .NET assembly loading.
- **Runtime Monitoring:** Monitor .NET runtime events and API calls for anomalies.
- **Threat Intelligence:** Stay updated on emerging malware techniques and custom trojans 【3】.
- **Customized Malware Awareness:** Recognize that malware is increasingly customized to evade detection 【2】.
- **AI-Assisted Attacks:** Be aware that AI tools can empower attackers to create sophisticated attacks rapidly 【6】.
Demystifying Iranian Cyber Operations in the U.S.-Iran Conflict - The content posted on the page is by **Nikita Shah**.

Iranian cyber operations are a significant aspect of the U.S.-Iran conflict, serving both domestic and international objectives. These operations range from cyber espionage and destructive attacks to influence campaigns, aiming to destabilize adversaries and preserve the regime domestically 【1】.

**What Happened:**
Iranian cyber actors have engaged in various activities, including shutting down domestic internet access to control information flow 【1】. They have also conducted destructive attacks, such as wiping data from systems of critical medical equipment suppliers like Stryker, and have been involved in reconnaissance efforts, embedding in U.S. and Israeli company networks 【1】. Influence operations and hack-and-leak tactics have also been employed to sow dissent and control narratives 【1】.

**Who is Affected:**
The targets of these operations are diverse, including **regional rivals, global foes (particularly the United States and Israel), critical infrastructure, U.S. medical technology firms, and even Iran's own population** through internet shutdowns 【1】. Companies involved in critical supply chains, such as medical equipment suppliers, are also affected 【1】.

**Security Implications:**
Iranian cyber operations pose a threat by **destabilizing adversaries, disrupting critical supply chains, and undermining information integrity** 【1】. While some attacks, like website defacements and DDoS, are considered lower sophistication, others, such as data wiping and network infiltration, have more significant disruptive potential 【1】. The use of cyber capabilities is part of a broader hybrid threats campaign aimed at projecting power and raising the cost for countries involved in the conflict 【1】.

**Technical Details:**
Iranian cyber operations encompass a range of tactics, including:
- **Destructive Attacks:** Wiping data, disrupting systems, website defacements, and Distributed Denial-of-Service (DDoS) attacks 【1】.
- **Reconnaissance:** Embedding in networks, using security cameras for intelligence, and exfiltrating data 【1】.
- **Influence Operations:** Utilizing social media and hacktivist groups to spread disinformation and sow division, potentially using AI 【1】.
- **Espionage:** Penetrating U.S. and regional targets, including critical infrastructure and supply chains 【1】.
- **Internet Shutdowns:** Reducing domestic internet connectivity to control information and isolate citizens 【1】.

**What Defenders Should Know:**
Defenders should be aware that:
- **The information domain is a primary battleground** 【1】.
- **Iran's cyber capabilities are sophisticated** and used to further political goals 【1】.
- **Attacks can be disruptive**, even if they don't alter the course of the conflict significantly 【1】.
- **Future operations may target critical sectors** like energy and tourism, and aim to cause collateral damage to exert psychological pressure 【1】.
- **An uptick in Iranian cyber operations is possible**, indicated by disruptions to linked companies, hack-and-leak operations, increased hacktivism, and potential use of AI 【1】.
- **It's important to avoid overstating the impact of cyber activity** and mistaking "noise" for decisive military advantage 【1】.
- **High-grade destructive cyber capabilities require significant preparation time** and are difficult to sustain once detected 【1】.