
Ankura CTIX FLASH Update – March 13, 2026

Malware Activity

New Techniques to Bypass Security and Growing Android Malware

Recent developments in cybersecurity reveal both innovative attack methods and increasing malware threats. Security researcher Chris Aziz uncovered “Zombie ZIP,” a clever way to hide malicious payloads inside ZIP files by tampering with headers, tricking antivirus tools into overlooking harmful content. This method has proven highly effective against most security engines, exposing vulnerabilities in current archive verification processes. Meanwhile, cybersecurity experts have identified six (6) new Android malware families, including banking trojans like PixRevolution and remote access tools such as SURXRAT. These malicious apps can steal money, intercept transactions, and even use AI to evolve their tactics, making them harder to detect. Many of these threats spread through fake app pages or exploit banking systems. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
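The briefing does not detail how Zombie ZIP manipulates headers, and the following is an added example rather than code from Ankura or from Chris Aziz's research. It shows the kind of consistency check an archive scanner can run so that header fields are cross-validated instead of trusted: each central directory entry is compared against the local file header it points to, and a surplus of local headers over catalogued members is flagged. The two-member archive and the overwritten CRC-32 field are constructed for the demonstration.

```python
import io
import struct
import zipfile
LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"

def _central_entries(data: bytes):
    """Yield (name, flags, crc, csize, usize, local_offset) for each central directory entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    total, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(total):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError(f"bad central header signature at offset {pos}")
        (_s, _vm, _vn, flags, _method, _t, _d, crc, csize, usize, nlen, xlen, clen,
         _disk, _ia, _ea, local_off) = struct.unpack_from("<4s6H3I5H2I", data, pos)
        yield data[pos + 46:pos + 46 + nlen], flags, crc, csize, usize, local_off
        pos += 46 + nlen + xlen + clen

def zip_inconsistencies(data: bytes) -> list:
    """Return findings where the catalogue and per-member headers disagree (empty list = consistent)."""
    findings, catalogued = [], 0
    for name, flags, crc, csize, usize, off in _central_entries(data):
        catalogued += 1
        if data[off:off + 4] != LOCAL_SIG:
            findings.append(f"{name!r}: no local file header at catalogued offset {off}")
            continue
        (_s, _vn, lflags, _lm, _t, _d, lcrc, lcsize, lusize,
         lnlen, _lxlen) = struct.unpack_from("<4s5H3I2H", data, off)
        if data[off + 30:off + 30 + lnlen] != name:
            findings.append(f"{name!r}: local header carries a different file name")
        # Flag bit 3 defers CRC/sizes to a trailing data descriptor, so zeros there are legitimate.
        if not (lflags & 0x08) and (lcrc, lcsize, lusize) != (crc, csize, usize):
            findings.append(f"{name!r}: CRC/size fields differ between local header and catalogue")
    # Heuristic: more local-header signatures than catalogued members suggests uncatalogued content.
    if data.count(LOCAL_SIG) > catalogued:
        findings.append("more local file headers than central directory entries")
    return findings

def build_sample(tamper: bool) -> bytes:
    """Constructed sample: two-member archive; tamper=True overwrites one member's local CRC-32."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "benign text " * 20)
        zf.writestr("tool.bin", b"\x00" * 512)
        tool_off = zf.getinfo("tool.bin").header_offset
    data = bytearray(buf.getvalue())
    if tamper:
        data[tool_off + 14:tool_off + 18] = b"\xff\xff\xff\xff"  # local header CRC-32 field is at +14
    return bytes(data)
```

A scanner that only reads one of the two views (as many extractors do) would accept both samples; the cross-check reports the tampered one.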


Threat Actor Activity

Iran-Backed Hackers Take MedTech Giant Stryker Offline with Wiper Malware

Stryker, a leading medical technology company, has suffered a significant cyberattack by the Iranian-linked hacktivist group Handala. The attack involved a wiper malware that allegedly wiped over 200,000 systems, servers, and mobile devices, and stole fifty (50) terabytes of data. As a result, Stryker was forced to shut down operations in seventy-nine (79) countries, causing a global network disruption impacting its Microsoft environment. Employees from the United States, Ireland, Costa Rica, and Australia reported that their devices were remotely wiped, and the company’s login pages displayed the Handala logo. Staff were instructed to remove corporate applications from personal devices. The attack has severely disrupted Stryker’s operations, forcing some locations to revert to manual workflows. Handala claims the attack was retaliation for a recent U.S. missile strike on an elementary school in Iran. The group, linked by Unit 42 to Iran’s Ministry of Intelligence and Security (MOIS), is known for data theft, extortion, and deploying destructive malware targeting Israeli organizations. Despite Stryker’s assurance that the incident is contained, the full restoration timeline remains unclear. The attack has raised concerns about supply chain disruptions, as Stryker is a major supplier of medical devices to hospitals worldwide. Some hospitals have temporarily disconnected from Stryker’s services, including LifeNet, to mitigate potential risks. The American Hospital Association is actively monitoring the situation, though no direct impacts on U.S. hospitals have been reported yet. The incident underscores the increasing threat of cyberattacks on critical infrastructure, particularly in the context of geopolitical tensions, and highlights the need for robust cybersecurity measures and preparedness in the healthcare sector.


Vulnerabilities

Active Exploitation of Critical n8n Vulnerability Prompts Urgent Patching Guidance from CISA

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about the active exploitation of a critical remote code execution (RCE) vulnerability affecting the widely used open-source workflow automation platform n8n, which is commonly deployed to automate data ingestion, operational workflows, and integrations across enterprise systems. The flaw, tracked as CVE-2025-68613 (CVSS score of 9.9), stems from improper control of dynamically managed code resources within n8n’s workflow expression evaluation engine, allowing authenticated attackers to inject malicious expressions that are executed without proper validation. Successful exploitation can enable attackers with low-privilege access to gain full control of vulnerable instances, potentially exposing highly sensitive information like API keys, OAuth tokens, database credentials, cloud storage access, and CI/CD secrets. The flaw also allows threat actors to modify automated workflows or execute system-level commands that could introduce malicious code into connected systems and supply chains. Although the vulnerability was patched in n8n version 1.122.0 released in December, security researchers estimate that tens of thousands of instances remain exposed, with some reporting over 40,000 unpatched systems online and others suggesting that more than 100,000 deployments may be vulnerable out of roughly 230,000 active users. Due to confirmed exploitation activity, CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog and mandated that Federal Civilian Executive Branch (FCEB) agencies patch affected systems by no later than March 25, 2026. CISA also urges all organizations to apply patches or implement mitigations like restricting workflow permissions and limiting system privileges. CTIX analysts urge any affected readers to ensure that their instances are patched, and that any necessary mitigations are applied to prevent exploitation.


© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
