Cyware Daily Threat Intelligence, March 03, 2026

The threat actor known as SloppyLemming has intensified its focus on South Asia, launching a year-long offensive against government and nuclear sectors in Pakistan and Bangladesh. By disguising malicious command-and-control traffic as routine Windows Update traffic, the group has successfully embedded its BurrowShell backdoor into critical infrastructure.
The cybercrime underworld has a fast-rising contender in AuraStealer, a modular infostealer that has rapidly emerged as a formidable rival to the notorious LummaC2. Distributed through a sprawling network of TikTok ads and cracked software sites, this malware harvests sensitive data from over 100 applications.
Google’s March 2026 security update has neutralized a dangerous "buffer over-read" vulnerability in a widely used Qualcomm graphics component that was already being weaponized in the wild. Tracked as CVE-2026-21385, this high-severity flaw allows attackers to trigger memory corruption and potentially take full control of an Android device with minimal effort.
Top Malware Reported in the Last 24 Hours
SloppyLemming targets governments with dual malware
SloppyLemming, a threat actor known for targeting government and critical infrastructure entities, has launched a series of attacks against Pakistan and Bangladesh. Utilizing dual malware chains, the group deployed BurrowShell, a sophisticated backdoor, alongside a Rust-based keylogger. These attacks, occurring between January 2025 and January 2026, involved spear-phishing emails containing PDF lures and macro-enabled Excel documents to initiate infections. BurrowShell enables file manipulation, remote shell execution, and network tunneling while disguising its command-and-control traffic as legitimate Windows Update communications. The keylogger is designed for information theft and network enumeration. Notably, SloppyLemming has significantly increased its use of Cloudflare Workers domains, employing advanced techniques such as DLL side-loading and ClickOnce execution, targeting sectors like nuclear regulation and telecommunications to gather intelligence in the region.
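The two network-level traits the item above describes, C2 traffic that imitates Windows Update and a growing reliance on Cloudflare Workers domains, are both visible in proxy logs. The script below is an added example written for this digest; it is not code from Cyware or from any SloppyLemming sample. It parses a constructed CSV proxy log and flags requests that carry Windows-Update-style paths or user agents but go to hosts outside a Microsoft update allowlist, plus any request to a workers.dev host. The allowlist, the user-agent and path markers, and the log format are all the author's assumptions, not published BurrowShell indicators, so tune them against your own baseline.

```python
"""Flag Windows-Update-lookalike requests to non-Microsoft hosts.

Added example for the Cyware digest; not vendor code and not based on any
BurrowShell sample. The allowlist, markers and log format below are assumed.
"""
import csv
import io

# Microsoft update delivery domains (assumption: illustrative, not complete).
MS_UPDATE_SUFFIXES = (
    ".windowsupdate.com",
    ".update.microsoft.com",
    ".delivery.mp.microsoft.com",
    ".windowsupdate.microsoft.com",
)

# Markers a genuine Windows Update client tends to emit (assumption).
UPDATE_UA_MARKERS = ("windows-update-agent", "microsoft-delivery-optimization")
UPDATE_PATH_MARKERS = ("/msdownload/update/", "/windowsupdate/", ".cab", ".msu")

# Hosted-worker domains the digest says the actor now uses heavily.
HOSTED_C2_SUFFIXES = (".workers.dev",)


def host_allowed(host):
    """True when host is (or is under) a known Microsoft update domain."""
    host = host.lower().rstrip(".")
    return any(host == s.lstrip(".") or host.endswith(s) for s in MS_UPDATE_SUFFIXES)


def looks_like_windows_update(path, user_agent):
    """True when the request path or user agent imitates Windows Update."""
    ua, p = user_agent.lower(), path.lower()
    return any(m in ua for m in UPDATE_UA_MARKERS) or any(m in p for m in UPDATE_PATH_MARKERS)


def classify(rec):
    """Return the list of reasons a log record is suspicious (empty = benign)."""
    reasons = []
    host = rec["host"].lower()
    if looks_like_windows_update(rec["path"], rec["user_agent"]) and not host_allowed(host):
        reasons.append("update-lookalike to non-Microsoft host")
    if any(host.endswith(s) for s in HOSTED_C2_SUFFIXES):
        reasons.append("hosted-worker domain")
    return reasons


def scan(log_text):
    """Parse CSV proxy log text; return (src, host, reasons) for each hit."""
    hits = []
    for rec in csv.DictReader(io.StringIO(log_text)):
        reasons = classify(rec)
        if reasons:
            hits.append((rec["src"], rec["host"], reasons))
    return hits


# Constructed sample proxy log, not real telemetry.
SAMPLE_LOG = """ts,src,host,path,user_agent
2026-03-02T09:01:00Z,10.1.2.3,download.windowsupdate.com,/msdownload/update/v3/x.cab,Windows-Update-Agent/10.0
2026-03-02T09:02:10Z,10.1.2.3,www.example.net,/index.html,Mozilla/5.0
2026-03-02T09:03:30Z,10.1.2.4,cdn-sync.example-worker.workers.dev,/msdownload/update/v3/x.cab,Windows-Update-Agent/10.0
2026-03-02T09:04:15Z,10.1.2.5,files.example.org,/windowsupdate/check,Mozilla/5.0
"""

if __name__ == "__main__":
    for src, host, reasons in scan(SAMPLE_LOG):
        print(src, host, "; ".join(reasons))
```

The first sample row, a real-looking update fetch to download.windowsupdate.com, passes; the third row is flagged twice (lookalike traffic and a workers.dev destination) and the fourth once. Treat the output as a hunting lead rather than a verdict: legitimate WSUS or third-party CDN mirrors will need to be added to the allowlist in most environments.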
AuraStealer infostealer targets users aggressively
AuraStealer is a newly emerged infostealer actively targeting users through 48 C2 domains, primarily utilizing platforms like TikTok and cracked software sites for distribution. Launched in mid-2025 on Russian cybercrime forums, it positions itself as a competitor to LummaC2, rapidly gaining traction among cybercriminals. The malware is available under a subscription model, with frequent updates enhancing its capabilities. AuraStealer employs various delivery methods, including social engineering tactics and deceptive tools, to infect systems. It utilizes inexpensive top-level domains and sophisticated anti-analysis techniques to evade detection. Once installed, it harvests sensitive data from over 100 browsers and applications, exfiltrating this information via encrypted channels to its rotating C2 infrastructure.
Top Vulnerabilities Reported in the Last 24 Hours
Google reveals critical Qualcomm vulnerability
Google has confirmed a critical vulnerability, identified as CVE-2026-21385, affecting an open-source Qualcomm component used in Android devices. This high-severity flaw, which has a CVSS score of 7.8, involves a buffer over-read in the Graphics component, leading to potential memory corruption when user-supplied data is processed without proper bounds checks. Discovered by Google’s Android Security team in December 2025, the vulnerability was reported to Qualcomm, with customers notified by February 2026. In its March 2026 security update, Google addressed this issue along with 128 other vulnerabilities, including critical flaws that could allow remote code execution and privilege escalation. The update features two patch levels to facilitate quicker responses from Android partners.
New Chrome vulnerability allows privilege escalation
A recently discovered vulnerability in Google Chrome, tracked as CVE-2026-0628, has raised significant security concerns due to its potential for privilege escalation. This flaw, which has a CVSS score of 8.8, stems from insufficient policy enforcement in the WebView tag, allowing attackers to exploit malicious extensions to gain unauthorized access to local files and sensitive system resources. The vulnerability specifically affects the Gemini Live panel, a feature that integrates AI capabilities into Chrome. By tricking users into installing these crafted extensions, attackers could manipulate the panel to access cameras, microphones, and other sensitive data.