
Top 3 Cyber Attacks In March 2026 - CyberSecurityNews

CyberSecurityNews · Archived Jun 30, 2026



March 2026 delivered a surge in cyber threats targeting users and organizations alike, from banking apps hijacked to siphon personal data to trusted domains exploited for phishing redirects. Cybercriminals unleashed increasingly cunning and perilous tactics. Here’s a breakdown of the three headline-grabbing attacks that dominated the month.

1. Fake Banking App Targeting Android Users via Telegram

A sophisticated malware dropper was spotted mimicking the IndusInd Bank app, targeting Android users in a phishing scheme aimed at stealing sensitive financial information.

Once installed, the malicious app displays a fake banking interface, tricking users into entering critical details like their mobile number, Aadhaar and PAN numbers, and net banking credentials.

After the victims submit the data, it is sent to both a phishing server and a Telegram-controlled command and control (C2) channel.

The APK itself contains base.apk, the core malicious payload, and has permissions to install other apps. The dropper is also obfuscated and uses XOR-encryption with a key (“npmanager”) to conceal its code and behavior.

A real-world sample of this attack is available as an analysis session in ANY.RUN’s new Android sandbox.

[Figure: Banking app interface displayed inside ANY.RUN sandbox]

Inside the sandbox, let’s explore the actual interface of the fake banking app and trace how the attack unfolds.

By following the process tree and network connections, you can observe how a user was tricked into submitting their credentials.

[Figure: Sensitive information entered by the user]

Network activity also reveals how the stolen data is sent to a phishing site, then forwarded to a Telegram-controlled command server.

[Figure: Communication with Telegram captured by ANY.RUN Android sandbox]

This type of attack highlights just how quickly mobile threats are growing.
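For analysts triaging a dropper like the one above, the following added example (not code from the article or from ANY.RUN) scans an asset for payloads hidden with the reported XOR key and decodes them. It assumes a plain repeating-key XOR whose key stream starts at the payload's first byte, which the article does not confirm; the magic-byte table and the sample blob are constructed.

```python
KEY = b"npmanager"  # XOR key reported in the article

# Magic bytes of formats a dropper commonly hides (assumption, not from the article).
MAGICS = {"zip/apk": b"PK\x03\x04", "dex": b"dex\n"}


def xor_bytes(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR; the key stream restarts at data[0]."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def find_xored_payloads(blob: bytes, key: bytes = KEY) -> list:
    """Return sorted (offset, kind) pairs where a known magic shows up once
    decoded, assuming the key stream starts at that offset."""
    hits = []
    for kind, magic in MAGICS.items():
        needle = xor_bytes(magic, key)  # how the magic looks while encrypted
        pos = blob.find(needle)
        while pos != -1:
            hits.append((pos, kind))
            pos = blob.find(needle, pos + 1)
    return sorted(hits)


def extract(blob: bytes, offset: int, key: bytes = KEY) -> bytes:
    """Decode everything from `offset` to the end of the blob."""
    return xor_bytes(blob[offset:], key)


# Constructed sample: 12 bytes of filler followed by an XOR-encoded fake "APK".
INNER = b"PK\x03\x04" + b"constructed-apk-body"
SAMPLE_BLOB = b"\x00junk-header" + xor_bytes(INNER)

if __name__ == "__main__":
    for offset, kind in find_xored_payloads(SAMPLE_BLOB):
        head = extract(SAMPLE_BLOB, offset)[:8]
        print(f"offset {offset}: {kind}, decoded header {head!r}")
```

A hit is only a lead: confirm it by parsing the decoded bytes as a ZIP or DEX file before treating the asset as a packed payload.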
One compromised employee can open the door to sensitive data, internal systems, and even financial accounts, putting the entire business in danger.

That’s why it’s so important for organizations to stay ahead of these threats. Giving your team the right tools to check suspicious apps before they become a problem is a lot easier and safer than dealing with a full-blown breach later.

Equip your team with the right tools to analyze suspicious threats in seconds inside a secure, isolated sandbox environment -> Sign up for 14-day ANY.RUN trial

2. Trusted Websites Exploited for Malicious Redirects

In another campaign exposed by ANY.RUN researchers in March, attackers abused redirect functions on long-standing, trusted domains to reroute users to phishing pages.

One such domain, registered back in 1996, was flagged as clean by antivirus tools, giving users no reason to suspect anything was wrong.

[Figure: Exploitation of trusted website inside ANY.RUN sandbox]

In this ANY.RUN sandbox analysis, we can see the full picture of how the attack happens, starting with the targeted domain that was originally registered in 1996.

By exploiting weak redirect validation, threat actors turned these safe-looking URLs into a launchpad for malicious sites. Since users believed they were still on legitimate pages, or moving between them, they were far more likely to fall for the scam.

One of those redirects is a fake CAPTCHA page, which is automatically bypassed inside the sandbox thanks to its built-in interactivity feature, saving valuable time for security teams during analysis.

[Figure: CAPTCHA solved inside ANY.RUN sandbox]

After that, the user lands on a phishing page designed to look like a legitimate Microsoft login screen. But a closer look at the URL reveals it’s anything but real, packed with random characters and clearly not tied to Microsoft.
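For site owners, the "weak redirect validation" described above is the part they control. This added example (not code from the article or from any affected site) puts a substring-style check beside an exact-host allowlist check and lists the targets that only the weak one accepts; the host names, the `next`-style parameter and all sample targets are hypothetical.

```python
from urllib.parse import urlsplit

# Hypothetical hosts the site is willing to redirect to.
ALLOWED_HOSTS = frozenset({"www.trusted.example", "accounts.trusted.example"})


def weak_is_safe(target: str) -> bool:
    """Weak validation: accepts any target that merely mentions the site."""
    return "trusted.example" in target


def strict_is_safe(target: str, allowed=ALLOWED_HOSTS) -> bool:
    """Accept a same-site path, or an https URL whose host is allowlisted."""
    # Browsers treat "\" like "/" and drop whitespace/control characters,
    # so reject them outright instead of guessing how they will be parsed.
    if not target or "\\" in target or any(ord(c) < 0x21 for c in target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return False
    if not parts.scheme and not parts.netloc:
        # Relative target: one leading slash only ("//host" leaves the site).
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme != "https" or "@" in parts.netloc:
        return False
    return parts.hostname in allowed


# Constructed redirect targets, as they might arrive in a "next" parameter.
SAMPLES = [
    "/account/settings",
    "https://www.trusted.example/home",
    "https://trusted.example.login.attacker.example/",
    "https://www.trusted.example@attacker.example/",
    "https://attacker.example/?ref=trusted.example",
    "//attacker.example/trusted.example",
]


def validation_gaps(samples=SAMPLES) -> list:
    """Targets the weak check lets through but the strict check refuses."""
    return [s for s in samples if weak_is_safe(s) and not strict_is_safe(s)]


if __name__ == "__main__":
    for url in validation_gaps():
        print("weak check would redirect to:", url)
```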
[Figure: Fake Microsoft login page analyzed inside ANY.RUN sandbox]

These kinds of redirects damage user trust and make threat detection more difficult, especially when antivirus engines don’t flag them as dangerous.

3. Fake Booking.com Pages Delivering XWorm and Stealing Card Data

Cybercriminals love a familiar name, and this time their target was Booking.com.

This campaign used fake Booking-branded pages created through cybersquatting. The attackers registered domains that closely resembled the legitimate Booking site, then led users through a convincing flow that ended in either malware execution or data theft.

[Figure: Fake booking page delivering XWorm inside ANY.RUN sandbox]

In this case, the fake page instructed users to press Win + R, paste a script, and hit Enter. This launched XWorm malware, capable of stealing data and giving attackers remote control.

[Figure: XWorm detected by ANY.RUN sandbox]

In another ANY.RUN analysis session, the phishing site prompted users to enter their credit card information to “verify their stay.” The page looked legit, but it was nothing more than a front for harvesting sensitive financial data.

Domains like Iili[.]io were linked to this campaign and were also seen in use with the Tycoon2FA phishing toolkit, pointing to a more extensive infrastructure behind the scenes.

The attacks we saw in March all had one thing in common: they exploited trusted names and platforms to slip past users and security tools. That’s a wake-up call for organizations everywhere.

Here’s why quick, hands-on threat analysis is more important than ever:

- Popular websites and brands are being used as bait: From Booking.com to Microsoft, attackers are mimicking sites people trust.
- Redirects and fake apps are harder to catch: Many of these campaigns go unnoticed by antivirus tools until it’s too late.
- One employee’s mistake can expose your whole company: A single data theft can open access to internal systems, accounts, and sensitive data.
That’s why giving your team the right tools to investigate suspicious files and links is critical.

ANY.RUN’s interactive sandbox provides a secure, cloud-based environment to analyze threats in Windows, Linux, and Android systems fast and safely. Your team can trace how an attack unfolds, capture network activity, and collect IOCs in real time.

Protect your business before threats break through -> Start your 14-Day Trial of ANY.RUN today
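The cybersquatting described in section 3 can be screened for in proxy or DNS logs. This added example (not code from the article or from ANY.RUN) labels hostnames that embed, imitate or nearly spell the Booking brand; the homoglyph table is a small assumed set, the two-label registrable-domain shortcut is a simplification, and every sample hostname is constructed.

```python
BRAND = "booking"
LEGIT_DOMAINS = {"booking.com"}  # registrable domains the brand really uses
# Digit-for-letter swaps to undo before comparing (a small, assumed set).
HOMOGLYPHS = str.maketrans("0135", "oles")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> str:
    """Label a hostname relative to the brand. The last two labels stand in
    for the registrable domain; production code needs the Public Suffix List."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if ".".join(labels[-2:]) in LEGIT_DOMAINS:
        return "legitimate"
    verdict = "unrelated"
    for token in (t for label in labels for t in label.split("-")):
        if token == BRAND:
            return "brand-embedded"  # brand used as a label of another domain
        if token.translate(HOMOGLYPHS) == BRAND:
            return "homoglyph"
        if edit_distance(token, BRAND) == 1:
            verdict = "typosquat"  # keep looking for a stronger match
    return verdict


# Constructed hostnames for illustration; none come from the article.
SAMPLES = [
    "secure.booking.com",
    "booking.com.guest-verify.example",
    "b00king-stay.example",
    "bookinq.example",
    "weather.example",
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{h:35} {classify(h)}")
```

A one-edit match also fires on ordinary words such as "cooking", so "typosquat" verdicts are candidates for review rather than block-list entries.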
Source: CyberSecurityNews | Category: Email Security | Published: Jun 30, 2026 | Archived: Jun 30, 2026