
A
From the CISO Series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Friday, March 13, 2026. I'm Sarah Lane.

Iran boosts cyber attacks
According to research from Check Point, Iran's Ministry of Intelligence and Security is working with cybercriminal groups to strengthen and obscure its cyber operations. Iranian APTs such as Void Manticore have incorporated criminal tools like the Rhadamanthys infostealer and may participate in ransomware-as-a-service ecosystems, blending state and cybercrime activity. The approach is said to complicate attribution and allows Iranian actors to buy malware infrastructure or initial access from underground markets instead of developing their own tools.

Venon malware targets Brazilian banks
Brazilian cybersecurity firm Xenox has disclosed Venon, a new Rust-based banking malware targeting 33 banks in Brazil. Venon infects Windows systems via DLL sideloading, social engineering campaigns like ClickFix, and nine evasion techniques. It monitors active windows and hijacks shortcuts to deliver fake overlays for credential theft, notably targeting Itaú's banking app. The malware can also undo modifications to cover its tracks.

England Hockey investigating breach
England Hockey is investigating a potential ransomware breach after the AiLock gang claimed to have stolen 121 gigabytes of data and threatened to publish it unless a ransom is paid. The organization, which oversees field hockey across more than 800 clubs and 150,000 players, is working with internal teams, external experts and law enforcement to assess the impact. AiLock has been active since April of 2025 and uses double extortion tactics and advanced encryption to lock files. Players are advised to watch for suspicious activity and phishing attempts.

Storm-2561 uses SEO poisoning for fake VPN clients
Microsoft Threat Intelligence reports that the cybercriminal group Storm-2561 is running a credential theft campaign using SEO poisoning to distribute fake VPN clients.
Users searching for legitimate VPN software are redirected to malicious sites hosting ZIP files with MSI installers that sideload DLLs, including the Hirax infostealer, to capture VPN credentials. The malware is digitally signed to appear legitimate and maintains persistence via the Windows RunOnce key. Microsoft advises enabling Defender protections, multi-factor authentication and blocking untrusted executables.

Huge thanks to our sponsor, Dropzone AI. If you're heading to RSAC next week, here are three things worth seeing at the Dropzone AI diner. That's Booth 455, South Expo hall. Number one: watch their AI SOC agents investigate real alerts live with every reasoning step exposed. Number two: meet the AI Threat Hunter, the newest agent joining the team. And number three: enter the investigation competition and go head to head against the AI. Schedule your stop at DropZone AI RSA2026AI Diner.

Hive0163 uses AI-assisted Sloppily malware
IBM X-Force researcher Golo Merchant said in a report shared with The Hacker News that Hive0163 is using AI-assisted malware called Sloppily to maintain persistent access during ransomware attacks. It's deployed via PowerShell scripts and scheduled tasks and functions as a backdoor, beaconing system info and executing commands from a C2 server. AI helped generate readable, well-structured code, but the malware is reliant on standard persistence and post-exploitation techniques. Hive0163 often uses ClickFix, malvertising and access brokers to deliver malware like NodeSnake, Interlock RAT and Interlock ransomware.

Operation Lightning takes down SocksEscort proxy network
Law enforcement from eight countries disrupted the SocksEscort residential proxy network in an operation called Operation Lightning, seizing 34 domains and 23 servers across seven countries and freezing about $3.5 million in cryptocurrency.
The service infected routers with AVrecon malware and sold access to roughly 369,000 compromised IP addresses used for fraud, ransomware, account takeovers and other cybercrime that caused tens of millions of dollars in losses. Authorities say the network had about 124,000 users.

Veeam warns of flaws exposing backup servers to RCE attacks
Veeam patched multiple vulnerabilities in its Backup & Replication software, including four critical remote code execution flaws that could allow low-privileged users to run code on backup servers. The bugs could also enable privilege escalation and credential theft. The fixes are included in versions 12.3.2.4465 and 13.0.1.2067. Veeam warned attackers often reverse engineer patches to target unpatched systems, noting backup servers are frequent ransomware targets.

Pix Revolution hijacks Brazil's Pix transfers
We're going back to Brazil. Researchers at Zimperium uncovered Pix Revolution, an Android banking trojan that hijacks Brazil's Pix instant payment transfers by replacing the recipient's payment key during a transaction and redirecting funds to attacker-controlled accounts. The malware abuses Android accessibility permissions to monitor screens, stream activity to a command server, and let a remote operator intervene in real time. It spreads through fake app pages mimicking the Google Play store and targets Brazil's Pix network, used by more than 76% of Brazilians and handling more than 3 billion transactions monthly.

Thank you for listening to Cybersecurity Headlines this week. We appreciate everybody who invites our show into their podcast feed. Remember, if you enjoy the show, make sure you join us for the Department of Know live stream each and every Monday. It happens at 4 p.m. Eastern Time on the CISO Series YouTube channel. We break down what the news of the week actually means for security professionals, going beyond the headlines to give you the context you need. We hope you can join us this next Monday.
If you have thoughts on the news from today or about our show in general, be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I am Sarah Lane, reporting for the CISO Series. You stay safe out there.
A
Cybersecurity Headlines are available every weekday. Head to CISO Series for the full stories behind the headlines.
Date: March 13, 2026
Host: Sarah Lane, CISO Series
This episode offers a rapid-fire rundown of major cybersecurity developments worldwide, focusing on Iran's increasing collaboration with cybercriminals, a sophisticated banking malware targeting Brazil, a ransomware attack on England Hockey, SEO poisoning techniques for credential theft, advances in AI-assisted ransomware campaigns, a large international law enforcement seizure of a proxy botnet, urgent Veeam vulnerabilities, and a payment hijacking trojan plaguing Brazil's Pix system.
On Iranian Hybrid Operations:
On the Scale of Brazil’s Pix Risk:
Sarah Lane keeps a brisk, informative tone, prioritizing actionable intelligence and global relevance. The episode highlights the growing overlap between state and criminal cyber tactics, the evolving sophistication of financial malware (especially in Brazil), and the ongoing arms race in defensive patching and law enforcement. For security professionals and concerned organizations, the message is clear: vigilance, quick patching, and layered defenses are crucial as threat actors adapt and automate.