Handala (Void Manticore) and DarkSword iOS Exploit Chain: Critical Escalations in March 2026
FBI and DOJ Seize Handala Leak Sites
Confidence: High
The DOJ and FBI seized key infrastructure of Handala (Void Manticore) leak sites in the wake of the destructive Stryker attack on March 19, 2026. Attribution to Iranian MOIS is confirmed. Despite the disruption, adversaries maintain access via pre-positioned "Dindoor" backdoors in US networks, sustaining retaliatory capability.
DarkSword iOS Exploit Chain Fully Disclosed and Actively Weaponized
Confidence: High
Google GTIG and other sources documented a complex exploit chain targeting iOS 18.4–18.7. This kit uses six vulnerabilities, including three zero-days (CVE-2026-20700 among them), to bypass kernel protections via pure JavaScript attacks. It is used for rapid "hit-and-run" data theft by UNC6353 and commercial spyware PARS Defense.
GlassWorm Supply Chain Attack Escalation
Confidence: High
The GlassWorm campaign has expanded to over 400 repositories and multiple npm extensions. Using stolen GitHub tokens, attackers force-push malicious code with invisible Unicode characters, enabling stealthy compromise of Python/Django/ML supply chains with Solana blockchain C2.
Interlock Cisco FMC Zero-Day Exploitation Confirmed Since January
Confidence: High
Exploitation of CVE-2026-20131 by Interlock ransomware began as early as January 26, 2026, 36 days before Cisco patched the flaw. The full attack toolkit, including PowerShell and RAT components, has been exposed via an operational staging server leak. Immediate forensic review is required for all unpatched FMC deployments.
Earth Kurma Using Cisco Webex for C2
Confidence: Medium
Rapid7's report disclosed the Earth Kurma APT abusing legitimate Cisco Webex infrastructure for command-and-control activities, evading typical egress controls and monitoring that trusts this traffic.
CISA Adds SharePoint and Zimbra to KEV Following Active Exploitation
Confidence: High
The critical SharePoint CVE-2026-20963 and Zimbra XSS CVE-2025-66376 vulnerabilities are now federally mandated patch priorities, reflecting active exploitation in sensitive environments.
Stryker Wiper Attack Executed via Compromised Intune Admin Account
Confidence: High
Technical forensics reveal the destructive wipe was performed using an existing Intune admin account, underscoring the urgent need for behavioural anomaly detection and MDM API call monitoring.
Why This Matters
These intertwined threat developments highlight an escalated phase of cyber conflict focused on destructive attacks, rapid exploit chains, and supply chain compromises. The persistence of Iranian adversary infrastructure shortens incident response timelines. High-fidelity behavioural detection for MDM abuse and supply chain integrity is urgently needed.
Recommended Actions
- Confirm Intune admin account security posture and monitor for anomalous wipe requests.
- Audit all Python and npm repositories for force-push events and invisible Unicode payloads.
- Update iOS devices to latest patched versions addressing DarkSword vulnerabilities.
- Immediate FMC zero-day incident response triage for all relevant Cisco deployments.
- Integrate detection for trusted app abuse (Cisco Webex) in network security monitoring.
- Prioritise patching and monitoring for CISA KEV catalog vulnerabilities, especially SharePoint and Zimbra.
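The repository audit for invisible Unicode payloads recommended above can be automated. The scanner below is an added example, not tooling from this brief or from any cited vendor; the brief does not state which characters GlassWorm uses, so the set of flagged code points (zero-width, bidi control, Unicode Tag block, variation selectors and any other Cf format character) is an assumption.

```python
import os
import unicodedata

# Code points that render as nothing, or silently reorder text, and have no
# legitimate place in source code. Assumed set, not taken from the brief.
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF, 0x180E}
BIDI_CONTROLS = {0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
                 0x2066, 0x2067, 0x2068, 0x2069}
TAG_BLOCK = range(0xE0000, 0xE0080)          # Unicode "Tags" block, invisible
VARIATION_SELECTORS = range(0xFE00, 0xFE10)  # invisible without a base glyph


def is_suspicious(ch):
    cp = ord(ch)
    if cp in ZERO_WIDTH or cp in BIDI_CONTROLS:
        return True
    if cp in TAG_BLOCK or cp in VARIATION_SELECTORS:
        return True
    # Any other "format" (Cf) character is also worth a look in source code.
    return unicodedata.category(ch) == "Cf"


def scan_source(text):
    """Return (line_no, col, 'U+XXXX') for every suspicious character.

    A UTF-8 byte-order mark as the very first character is legitimate and
    is not reported; the same code point anywhere else is.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if line_no == 1 and col == 1 and ord(ch) == 0xFEFF:
                continue
            if is_suspicious(ch):
                findings.append((line_no, col, f"U+{ord(ch):04X}"))
    return findings


def scan_tree(root, exts=(".py", ".js", ".ts", ".json", ".md")):
    """Walk a checkout and map each affected file path to its findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed sample: a settings module with the bytes "evil" hidden after a
# string literal as Unicode Tag characters, which most editors do not render.
SAMPLE = "DEBUG = False\nSECRET = 'x'" + "".join(chr(0xE0000 + b) for b in b"evil") + "\n"
```

Run scan_tree over a fresh clone after any unexpected force-push; a hit outside a string literal in an otherwise readable diff is a strong indicator of a hidden payload.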
All findings grounded in A13E intelligence sweeps through 07:00 UTC 20 March 2026.