Cyware Daily Threat Intelligence, March 16, 2026

Attackers are increasingly bypassing standard Windows security by trading common APIs for low-level system interactions. A new variant of ACRStealer is now being deployed via HijackLoader. By mimicking legitimate HTTPS traffic and targeting the gaming community through the PiviGames ecosystem, the malware silently harvests AES master keys and credentials.
Strategic patience is the hallmark of CL-STA-1087, a suspected Chinese espionage operation that has spent years quietly infiltrating Southeast Asian military networks. Unlike typical bulk-data operations, this group focuses on precision intelligence, deploying custom backdoors like AppleChris and MemFun to collect specific files on military capabilities and Western collaborations.
The battle for browser security has hit a critical point as Google issues emergency patches for two high-severity zero-days—CVE-2026-3909 and CVE-2026-3910—already being weaponized in the wild. CISA has added both flaws to its KEV catalog.
Top Malware Reported in the Last 24 Hours
New ACRStealer variant targets gamers' data
A new variant of ACRStealer is being actively deployed via HijackLoader, using techniques such as syscall evasion and AFD-based networking to enhance data theft while evading detection. This variant, linked to the Amatera Stealer lineage, is distributed through the PiviGames ecosystem, so infections are concentrated among gaming users. It issues low-level syscalls instead of the usual Win32 APIs to bypass security hooks, allowing it to perform sensitive operations undetected. The malware establishes raw TCP connections via AFD endpoints and upgrades them to TLS, mimicking legitimate HTTPS traffic for data exfiltration. Additionally, ACRStealer incorporates browser data theft methods, including decrypting AES master keys and extracting credentials from gaming platforms like Steam.
AppsFlyer SDK hijacked with malware
The AppsFlyer Web SDK was compromised in a recent supply-chain attack, allowing attackers to inject malicious JavaScript designed to intercept cryptocurrency wallet addresses on websites. The compromise affected numerous applications that load the SDK for marketing analytics, potentially impacting thousands of users globally. Researchers from Profero identified the malicious code, which was delivered through the official AppsFlyer domain between March 9 and March 11. The injected script preserved the SDK's normal functionality while secretly monitoring wallet input activity, replacing legitimate addresses with those controlled by the attackers. AppsFlyer acknowledged the incident, confirming that unauthorized code had been delivered but stating that the mobile SDK remained unaffected.
Chinese hackers target Southeast Asian militaries
A suspected state-sponsored Chinese cyber espionage operation, identified as CL-STA-1087, has been targeting Southeast Asian military organizations since at least 2020. This campaign focuses on collecting highly specific intelligence rather than engaging in bulk data theft. The attackers utilize APT techniques, deploying custom malware tools like AppleChris, MemFun, and a credential harvester named Getpass. These tools allow sustained unauthorized access while evading detection. The operation involves the use of Pastebin and Dropbox for command-and-control communication, with a particular interest in military organizational structures and strategies. The malware employs sophisticated methods such as sandbox evasion, delayed execution, and process hollowing to maintain stealth and adaptability.
Top Vulnerabilities Reported in the Last 24 Hours
Microsoft releases hotpatch for Windows 11
Microsoft has released an out-of-band (OOB) hotpatch update, KB5084597, for Windows 11 Enterprise devices to address security vulnerabilities in the Routing and Remote Access Service (RRAS) management tool. These vulnerabilities could allow remote code execution when connecting to malicious servers and are tracked as CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111. Although these issues were already fixed in the March 2026 Patch Tuesday updates, the hotpatch applies the fix without requiring a device reboot, making it suitable for mission-critical systems. The update is cumulative, incorporating all fixes from the March security update. Notably, the hotpatch is available only to devices enrolled in the hotpatch update program and managed through Windows Autopatch, which installs it automatically without a restart.
Google fixes two Chrome zero-day bugs
Google has released security updates for its Chrome browser to address two high-severity zero-day vulnerabilities, CVE-2026-3909 and CVE-2026-3910, which have been actively exploited in the wild. The first vulnerability involves an out-of-bounds write issue in the Skia graphics library, allowing remote attackers to access memory improperly through a crafted HTML page. The second vulnerability pertains to an inappropriate implementation in the V8 JavaScript engine, enabling arbitrary code execution within a sandboxed environment via similar crafted pages. In total, Google has patched three actively weaponized zero-days in Chrome this year.