{"id":196087,"date":"2026-03-15T05:00:00","date_gmt":"2026-03-15T09:00:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/03\/15\/week-in-review-aitm-phishing-kit-used-to-hijack-aws-accounts-year-long-malware-campaign-targets-hr\/"},"modified":"2026-03-15T11:05:21","modified_gmt":"2026-03-15T15:05:21","slug":"week-in-review-aitm-phishing-kit-used-to-hijack-aws-accounts-year-long-malware-campaign-targets-hr","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/03\/15\/week-in-review-aitm-phishing-kit-used-to-hijack-aws-accounts-year-long-malware-campaign-targets-hr\/","title":{"rendered":"Week in review: AiTM phishing kit used to hijack AWS accounts, year-long malware campaign targets HR"},"content":{"rendered":"<p><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/03\/15\/week-in-review-aitm-phishing-kit-used-to-hijack-aws-accounts-year-long-malware-campaign-targets-hr\/\">Week in review: AiTM phishing kit used to hijack AWS accounts, year-long malware campaign targets HR<\/a><\/p>\n<p><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/03\/15\/week-in-review-aitm-phishing-kit-used-to-hijack-aws-accounts-year-long-malware-campaign-targets-hr\/\">https:\/\/www.helpnetsecurity.com\/2026\/03\/15\/week-in-review-aitm-phishing-kit-used-to-hijack-aws-accounts-year-long-malware-campaign-targets-hr\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-03-15 05:00:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.helpnetsecurity.com\">www.helpnetsecurity.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p>Here\u2019s an overview of some of last week\u2019s most interesting news, articles, interviews and videos:<\/p>\n<p>Turning expertise into opportunity for women in cybersecurity<br \/>\nSpeaker diversity in cybersecurity has been a talking point for over a decade, with panels, pledges, and dedicated 
conference tracks failing to produce change. Stages still skew heavily male, even as women represent millions of qualified professionals in the field. SheSpeaksCyber, a free and open directory launched by the Women4Cyber Foundation, aims to close that gap by making female experts discoverable to event organizers worldwide. We spoke with founder Erlend Andreas Gj\u00e6re about how it works and why now.<br \/>\nDecoding silence: How deaf and hard-of-hearing pros are breaking into cybersecurity<br \/>\nStu Hirst was already a CISO when he started to go deaf. It was 2023, and the hearing loss crept in over months, enough for him to adapt, to lean on hearing aids and captions, to quietly reorganize his calendar around the cognitive load of processing sound. It was manageable. Then, in July 2025, it wasn\u2019t.<br \/>\nAirbus CSO on supply chain blind spots, space threats, and the limits of AI red-teaming<br \/>\nPascal Andrei, CSO at Airbus, knows that the aerospace and defense sector is facing a threat environment that is evolving faster than most organizations can track. From sub-tier suppliers quietly becoming entry points for state-backed attackers, to satellites emerging as targets in an increasingly contested space domain, the risks are real and growing.<br \/>\nCloud-audit: Fast, open-source AWS security scanner<br \/>\nRunning AWS security audits without a dedicated security team typically means choosing between enterprise platforms with per-check billing and generic open-source scanners that produce findings with no remediation guidance. Cloud-audit, a Python CLI tool published on GitHub by Mariusz Gebala, takes a narrower scope and attaches a fix to every finding it generates.<br \/>\nAgentic attack chains advance as infostealers flood criminal markets<br \/>\nCybercriminals spent much of 2025 automating their operations, shifting from one-off attacks to systems that can run entire intrusion cycles with minimal human input. 
Data collected from criminal forums, illicit marketplaces, and underground chat services shows a threat environment where stolen identity data, unpatched vulnerabilities, and ransomware operations are interdependent. The findings come from Flashpoint\u2019s 2026 Global Threat Intelligence Report, pulling data directly from sources across open and restricted online spaces.<br \/>\nStop fixing OT security with IT thinking<br \/>\nIn this Help Net Security interview, Ejona Pre\u00e7i, Group CISO at Lindal Group, discusses the specific cybersecurity challenges in manufacturing environments. The conversation covers why standard IT security practices break down on shop floors, where PLCs and decade-old firmware were never designed to be networked.<br \/>\nThis spy tool has been quietly stealing data for years<br \/>\nESET researchers have traced the resurgence of Sednit through a modern toolkit built around two complementary implants, BeardShell and Covenant, each relying on a separate cloud provider to ensure operational resilience. This dual-implant architecture has enabled sustained surveillance of Ukrainian military personnel since at least April 2024.<br \/>\nFake Claude Code install pages highlight rise of \u201cInstallFix\u201d attacks<br \/>\nUsers looking for Anthropic\u2019s Claude Code agentic AI coding tool are being tricked via fake Claude Code install pages into running malware, Push Security researchers have warned. 
The attackers behind this scheme are faithfully cloning Anthropic\u2019s installation page, hosting it on a lookalike domain, and paying Google to surface those fake pages on the top of its results when users ask how to \u201cinstall Claude Code\u201d, \u201cClaude Code CLI\u201d, or simply \u201cClaude Code\u201d.<br \/>\nAttackers use AiTM phishing kit, typosquatted domains to hijack AWS accounts<br \/>\nPhishers are targeting AWS account holders with fake email security alerts and redirecting them to a high-fidelity clone of the AWS Management Console sign-in page, Datadog researchers have warned. The campaign has been running since the end of February and possibly earlier. \u201cIn one observed case, the operator authenticated to a compromised AWS account within 20 minutes of credential submission,\u201d the researchers noted.<br \/>\nHR, recruiters targeted in year-long malware campaign<br \/>\nAn attack campaign targeting HR departments and job recruiters has been stealthily compromising systems, Aryaka researchers have discovered. By avoiding analysis environments and leveraging a specialized module designed to kill antivirus and endpoint detection software, the Russian-speaking attacker(s) behind this campaign have managed to keep their activity largely under the radar.<br \/>\nMicrosoft patches 80+ vulnerabilities, six flagged as \u201cmore likely\u201d to be exploited<br \/>\nOn March 2026 Patch Tuesday, Microsoft addressed 80+ vulnerabilities affecting its software and cloud services. Of these, two were publicly disclosed, but not actively exploited. 
The two publicly disclosed flaws are CVE-2026-21262, a vulnerability in SQL Server that may allow attackers to gain SQLAdmin privileges, and CVE-2026-26127, a .NET flaw that can be triggered for a denial of service attack.<br \/>\nResearchers uncover AI-powered vishing platform<br \/>\nA vishing-as-a-service platform that helps scammers carry out so-called \u201cpress 1\u201d scams is misusing text-to-speech (TTS) capabilities provided by AI voice technology company ElevenLabs, Mirage Security researchers claim. For \u201cpress 1\u201d scams, fraudsters spoof phone numbers of trusted institutions (e.g., bank), call up potential victims and try to scare them with pre-recorded messages into sharing sensitive information.<br \/>\nShinyHunters claims new campaign targeting Salesforce Experience Cloud sites<br \/>\nSalesforce customers have, once again, been targeted by the ShinyHunters group \u2013 or, at least, it\u2019s what the group claims. On Saturday, Salesforce confirmed that its security team has identified an attack campaign by unnamed malicious actors looking to access customers\u2019 data.<br \/>\nDoes Anthropic deserve the trust of the cybersecurity community?<br \/>\nThe cybersecurity industry runs on trust. The belief that when a vendor says they will behave a certain way, they will, that critical CVEs are in fact critical, or when companies say they\u2019re GDPR compliant, they really are. But earning trust is not a one-and-done thing.<br \/>\nZero trust, zero buzzwords: Here\u2019s what it means<br \/>\nIn this Help Net Security video, Murat Balaban, CEO of Zenarmor, breaks down zero trust and zero trust network access (ZTNA) without the buzzwords. The video covers why this approach matters, including the risk of lateral movement after a breach and the growing number of remote workers accessing private resources.<br \/>\nPasswords, MFA, and why neither is enough<br \/>\nPasswords weren\u2019t enough, so we added MFA. Now MFA isn\u2019t enough either. 
In this Help Net Security video, Karlo Zatylny, CTO\/CISO at Portnox, walks through why each layer of identity security has failed and what comes next.<br \/>\nOpenAI joins the race in AI-assisted code security<br \/>\nOpenAI introduced Codex Security, an AI agent that reviews codebases to find, verify, and help fix software vulnerabilities. The launch comes a few weeks after rival Anthropic unveiled its Claude Code Security tool. The feature is available in research preview via Codex Web for ChatGPT Pro, Enterprise, Business, and Edu customers, with free access for the next month.<br \/>\nNo more soft play, President Trump warns in new cyber strategy<br \/>\nThe White House released \u201cPresident Trump\u2019s Cyber Strategy for America,\u201d a policy framework outlining the administration\u2019s priorities for maintaining U.S. leadership in cyberspace. The seven-page cyber strategy commits to a coordinated, government-wide response to cyber threats that extends beyond cyberspace and relies on close cooperation with allies, industry, and academia.<br \/>\nRussian hackers crack into officials\u2019 Signal and WhatsApp accounts<br \/>\nRussian state hackers are trying to break into Signal and WhatsApp accounts used by diplomats, military staff, and government officials worldwide, Dutch intelligence agencies warned. They believe journalists and other people who attract attention from Moscow may also be affected.<br \/>\nPhishing campaign spoofs local officials to steal permit fees<br \/>\nThe FBI is warning about a phishing scheme in which cybercriminals impersonate city and county officials to solicit fraudulent payments for planning and zoning permits. Criminals mine publicly available permit data to find likely targets and make their outreach appear legitimate.<br \/>\nTeen crew caught selling DDoS attack tools<br \/>\nSeven minors who distributed online programs designed to facilitate DDoS attacks have been identified by Poland\u2019s Central Bureau for Combating Cybercrime (CBZC). 
They were between 12 and 16 at the time of the crime. According to investigators, using the tools they administered, the minors attacked popular websites, including auction and sales portals, IT domains, hosting services and accommodation booking sites. The activity was profit-driven, with the suspects earning money from the operation.<br \/>\nMicrosoft flips Windows Autopatch to default hotpatch security updates<br \/>\nMicrosoft is changing the default behavior in Windows Autopatch so that hotpatch security updates are enabled automatically for eligible devices managed through Microsoft Intune or the Microsoft Graph API starting with the May 2026 Windows security update.<br \/>\nSoftware vulnerabilities push credential abuse aside in cloud intrusions<br \/>\nCloud intrusions are unfolding on shorter timelines, with attackers leaning more on unpatched software and compromised identities. Google Cloud\u2019s Cloud Threat Horizons Report H1 2026 reflects incident response and intelligence findings from the second half of 2025 and shows how access methods and objectives are changing in cloud and SaaS environments.<br \/>\nYouTube draws a line on deepfakes involving politicians and journalists<br \/>\nWith deepfakes becoming more common, YouTube has expanded access to its AI-driven likeness detection system to a pilot group of government officials, journalists and political candidates. The step follows an earlier rollout of the tool to creators in the company\u2019s Partner Program.<br \/>\nAnthropic forms institute to study long-term AI risks facing society<br \/>\nAnthropic has established the Anthropic Institute, a research unit focused on studying the societal effects of AI and informing policy responses to risks from more advanced systems. The company believes rapid advances in AI will force governments and industries to confront difficult questions about jobs, economic disruption and system governance. 
It also raises concerns about how AI systems express values, how those standards are set and how future self-improving systems should be monitored and regulated.<br \/>\nWireless vulnerabilities are doubling every few years<br \/>\nWireless vulnerabilities are being disclosed at a rate that has no precedent in the fifteen-year history of systematic tracking. In 2025, researchers published 937 new wireless-related CVEs, an average of 2.5 per day, according to a threat report from Bastille Networks based on data from the NIST National Vulnerability Database.<br \/>\nWhatsApp is giving parents peace of mind over their kids\u2019 privacy<br \/>\nWhatsApp has introduced parent-managed accounts designed for pre-teens, giving parents and guardians new controls over contacts, group participation, and how the app is used.<br \/>\nWar spreads into cyberspace after Iran-linked hackers hit medtech giant Stryker<br \/>\nAn Iran-linked hacking group has claimed responsibility for a cyberattack on U.S. medical device giant Stryker, marking a potential escalation of cyber activity tied to the ongoing conflict in the Middle East.<br \/>\nAuthorities dismantle SocksEscort proxy network behind millions in fraud<br \/>\nSocksEscort, a residential proxy network used to exploit thousands of compromised home routers worldwide and facilitate large-scale fraud that cost victims millions of dollars, has been disrupted in an international law enforcement operation led by the U.S. Department of Justice.<br \/>\nSubmarine cables move to the center of critical infrastructure security debate<br \/>\nThe cables running along the ocean floor carry the overwhelming majority of the world\u2019s cross-border data traffic, and for most of their operational history they have attracted little strategic attention. That is changing. 
A new sector report from Capacity Insights draws on interviews with senior executives across the subsea industry to examine how demand growth, hyperscaler investment, and geopolitical pressure are converging on infrastructure that governments and operators are only beginning to treat as a security priority.<br \/>\nProduct showcase: Fing Desktop puts network visibility on your screen<br \/>\nPhones, laptops, smart TVs, cameras, and smart home equipment all use the same network. Knowing what\u2019s connected helps users manage performance and security. Fing Desktop provides tools that identify devices, test connectivity, and analyze network activity.<br \/>\nOpen-source tool Sage puts a security layer between AI agents and the OS<br \/>\nAutonomous AI agents running on developer workstations execute shell commands, fetch URLs, and write files with little or no inspection of what they are doing. Open-source project Sage inserts an interception layer between an AI agent and those operations, checking each action before it proceeds.<br \/>\nMore AI tools, more burnout! New research explains why<br \/>\nWorkflows built around multiple AI agents and constant tool switching are adding cognitive strain across large enterprises. A recent Harvard Business Review analysis describes this pattern as \u201cAI brain fry,\u201d a form of mental fatigue tied to intensive use and oversight of AI systems.<br \/>\nOpenWrt 25.12.0 ships with new package manager, built-in upgrade tool, support for 2200+ devices<br \/>\nOpenWrt 25.12.0 is now available for download. The release incorporates over 4,700 commits since branching from OpenWrt 24.10. One of the most significant structural changes in 25.12.0 is the replacement of the opkg package manager with apk, the Alpine Package Keeper. 
The OpenWrt fork of opkg is no longer maintained, and the project moved to apk as an actively maintained alternative.<br \/>\nBug bounties are broken, and the best security pros are moving on<br \/>\nPenetration testing engagements are organized as scheduled contracts with defined scope, set testing windows, and direct communication channels with client teams. Cobalt\u2019s 2026 Pentester Profile Report describes growing preference for penetration testing as a service (PTaaS) and contract-based testing models.<br \/>\nThe people behind cyber extortion are often in their forties<br \/>\nMany cybercrime investigations end with arrests or indictments that reveal little about the people behind the operations. When authorities do disclose demographic details, the pattern that emerges does not match the common assumption that cyber offenders are mostly very young. Analysis in the Security Navigator 2026 report from Orange Cyberdefense points to a different age profile, with a strong concentration of offenders in mid-career adulthood.<br \/>\nNew Claude tool uses AI agents to find bugs in pull requests<br \/>\nAnthropic\u2019s Claude Code Review is a new tool, available as a research preview beta for Team and Enterprise plans, that sends a team of AI agents to examine every pull request. The system dispatches multiple agents that look for bugs in parallel. Findings go through a verification step to filter out false positives, and confirmed issues are ranked by severity.<br \/>\nMessenger can warn you about sketchy links without knowing what you clicked<br \/>\nMeta\u2019s Advanced browsing protection (ABP) helps Messenger identify and warn users about potentially harmful websites they open from a chat. Malicious sites can try to steal passwords, collect personal information, or install malware.<br \/>\nMeta turns to AI to sniff out scams on Facebook, Messenger and WhatsApp<br \/>\nMeta\u2019s new tools on Facebook, Messenger, and WhatsApp protect users from scams. 
They use advanced AI systems to analyze text, images, and surrounding context and identify sophisticated scam patterns. The systems detect impersonation of celebrities, public figures, and brands. They also identify deceptive links and domain impersonation and take action against content that redirects people to sites that mimic legitimate ones.<br \/>\nENISA advisory examines package manager security risks<br \/>\nDevelopers install external libraries with a single command, and that step can introduce more code than expected into a project environment. Dependency resolution inside package managers extends software supply chains across large collections of external components. ENISA\u2019s Technical Advisory for Secure Use of Package Managers, released in March 2026, examines how this development practice expands exposure across software ecosystems.<br \/>\nAI coding agents keep repeating decade-old security mistakes<br \/>\nCoding agents are now writing production features on real development teams, and a new report from DryRun Security shows that those agents introduce security vulnerabilities at a high rate across nearly every type of application they build.<br \/>\nEU Parliament backs extension of CSAM detection rules until 2027<br \/>\nThe European Parliament has voted to extend a temporary exemption to EU privacy legislation that allows online platforms to voluntarily detect child sexual abuse material (CSAM).<br \/>\nCybersecurity jobs available right now: March 10, 2026<br \/>\nWe\u2019ve scoured the market to bring you a selection of roles that span various skill levels within the cybersecurity field. 
Check out this weekly selection of cybersecurity jobs available right now.<br \/>\nNew infosec products of the week: March 13, 2026<br \/>\nHere\u2019s a look at the most interesting products from the past week, featuring releases from Binary Defense, Mend.io, OPSWAT, Singulr AI, SOC Prime, Terra Security, and Vicarius.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Week in review: AiTM phishing kit used to hijack AWS accounts, year-long malware campaign targets&#8230;<\/p>\n","protected":false},"author":1,"featured_media":196088,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/img.helpnetsecurity.com\/wp-content\/uploads\/2023\/12\/01112502\/cybersecurity_week_in_review1.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,30,24,31,32,25,27],"class_list":["post-196087","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-breach","tag-cybersecurity","tag-exploit","tag-malware","tag-phishing","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/196087"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=196087"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/196087\/revisions"}],"predecessor-version":[{"id":196089,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/196087\/revisions\/196089"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.c
om\/index.php\/wp-json\/wp\/v2\/media\/196088"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=196087"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=196087"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=196087"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}