SOC Threat Radar — March 2026
Latest threats facing businesses seen by Barracuda Managed XDR
Takeaways
- The continued rise of identity-based threats — with one in 16 suspicious logins during February coming from Romania
- Abuse of the Notepad++ update mechanism to deliver a weaponized installer
- A busy month for PDF-related malware and infostealers
Identity attacks are on the rise — login locations a red flag
What’s happening?
Identity-based threats continue to rise, particularly anomalous logins using stolen credentials (see SOC Threat Radar — December 2025). During February, around one in every 16 suspicious logins came from Romania. That is a sharp and unexpected rise compared with previous months, and a country's share of suspicious logins jumping like this is a clear indicator of coordinated credential abuse rather than random noise.
Your organization may be at risk if you are:
- Not implementing geo-blocking or location-based login rules that reflect where the organization does business.
- Allowing employees to use weak or reused passwords.
- Lacking multifactor authentication (MFA) or not enforcing it consistently across the organization.
- Not monitoring logins for unusual locations or times.
To protect your organization:
- Enforce the use of complex, unique passwords and consider password managers.
- Enable MFA everywhere — this is the single most effective step you can take.
- Monitor login alerts, including logins from unusual locations or at unusual times.
- Implement conditional access policies that block logins originating from a restricted or unexpected country/region.
- Train employees to spot phishing attempts and know how to report them.
- Implement a strong, multilayered security solution such as Barracuda Managed XDR that can spot and block incidents at different stages of the attack chain.
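The two controls above that a SOC can automate, monitoring for an unusual login location and a conditional-access rule that blocks unexpected countries, are shown below as an added example; this is not Barracuda's code or the XDR product's logic. The sign-in events, the month labels, the thresholds (a country must reach at least one in 16 of the month's suspicious logins and at least triple its previous share) and the list of countries where the hypothetical organization does business are all constructed for the example.

```python
from collections import Counter


def make_events(month, counts):
    """Expand {country: count} into (month, user, country) tuples.
    All sample data here is constructed for the example, not real telemetry."""
    return [(month, f"user{n}", country)
            for country, total in counts.items() for n in range(total)]


# Constructed suspicious-login events for two months. February has 96 events,
# six of them from Romania (RO): one in 16, the proportion quoted in the report.
SUSPICIOUS_LOGINS = (
    make_events("2026-01", {"US": 90, "DE": 6, "GB": 3, "RO": 1})
    + make_events("2026-02", {"US": 80, "DE": 5, "GB": 3, "RO": 6, "FR": 2})
)


def share_by_country(events, month):
    """Fraction of the month's suspicious logins attributed to each country."""
    countries = Counter(country for m, _, country in events if m == month)
    total = sum(countries.values())
    return {c: n / total for c, n in countries.items()} if total else {}


def anomalous_countries(events, baseline_month, current_month,
                        min_share=1 / 16, growth=3.0):
    """Countries whose share of suspicious logins this month is at least
    `min_share` and at least `growth` times their baseline share.

    A country absent from the baseline has share 0 there, so the growth ratio
    cannot be computed; it is flagged on `min_share` alone. Returns
    {country: (baseline_share, current_share)}."""
    baseline = share_by_country(events, baseline_month)
    current = share_by_country(events, current_month)
    flagged = {}
    for country, share in current.items():
        if share < min_share:
            continue
        base = baseline.get(country, 0.0)
        if base == 0.0 or share / base >= growth:
            flagged[country] = (base, share)
    return flagged


# Assumed policy: countries where the (hypothetical) organization does business.
BUSINESS_COUNTRIES = frozenset({"US", "DE", "GB"})


def access_decision(country, flagged, business_countries=BUSINESS_COUNTRIES):
    """Conditional-access style verdict for a login arriving from `country`:
    block anything outside the business footprint, and step up to MFA for an
    expected country that is currently behaving anomalously."""
    if country not in business_countries:
        return "block"
    if country in flagged:
        return "require_mfa"
    return "allow"


if __name__ == "__main__":
    flagged = anomalous_countries(SUSPICIOUS_LOGINS, "2026-01", "2026-02")
    for country, (base, now) in flagged.items():
        print(f"{country}: {base:.1%} -> {now:.1%} of suspicious logins")
    for country in ("US", "RO", "FR"):
        print(country, access_decision(country, flagged))
```

On the constructed data only RO is flagged: France appears for the first time in February but stays below the one-in-16 floor, and the United States still dominates the count without growing, so share alone would mislead without the growth test. In a real deployment the events would be the identity provider's risky sign-in feed and the baseline a rolling window of several months, not a single month.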
Infostealers 1: Attackers compromise the Notepad++ update mechanism in supply chain cyberespionage
What’s happening?
The SOC detected attacks leveraging the compromised update infrastructure of Notepad++.
Notepad++ is a free source-code editor that supports many programming languages. The attackers did not compromise the Notepad++ application itself but its update mechanism, which allowed them to redirect selected targets to a malicious installer carrying a custom espionage backdoor called Chrysalis.
Multiple security firms have attributed the campaign to a Chinese state‑sponsored threat actor, and the attacks have a regional focus across Asia-Pacific.
Your organization may be at risk of this — or any — supply chain attack if you are:
- Not controlling how third-party software is installed and updated.
- Not keeping software regularly updated with the latest patches, and not blocking older versions once a fixed release is available.
- Unable to automatically detect unusual or unexpected activity.
To protect your organization:
- Update Notepad++ to v8.9.1 with a manual download from the official project site or release location.
- Temporarily block or disable all other update routes on every endpoint and for every user, including in-app or automated updates and even the ‘check for updates’ function.
- Implement a strong, multilayered security solution such as Barracuda XDR Managed Endpoint Security that can spot and contain suspicious installation.
- Ensure all downloads originate from approved domains.
- For further information, see the Cybersecurity Threat Advisory on Notepad++.
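Two of the steps above, downloading the fixed release only from the official project site and ensuring downloads originate from approved domains, can be enforced with a small gate before an installer is allowed to run. The example below is added here and is not Barracuda's or the Notepad++ project's code. The approved-host list (the project site and GitHub, where the project publishes releases), the sample installer bytes and the way the expected digest is obtained are assumptions for the example; in practice the digest is the SHA-256 copied from the vendor's release page, never computed from the file being checked.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed allow-list for this example: exact hosts or any subdomain of them.
APPROVED_HOSTS = ("notepad-plus-plus.org", "github.com")


def host_is_approved(url, approved=APPROVED_HOSTS):
    """True only for an https URL whose host is an approved domain or a
    subdomain of one. The parsed hostname is used, so a userinfo trick such
    as https://notepad-plus-plus.org@evil.example/ is judged on evil.example,
    and a look-alike such as notepad-plus-plus.org.evil.example is rejected."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == a or host.endswith("." + a) for a in approved)


def installer_matches(data, expected_sha256):
    """Compare the SHA-256 of the downloaded bytes with the published digest,
    in constant time."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


def validate_download(url, data, expected_sha256):
    """Gate a third-party installer: approved origin AND matching digest.
    Returns (allowed, reason). The digest check is what catches a swapped
    installer handed back by a compromised update path; the host check alone
    cannot."""
    if not host_is_approved(url):
        return False, f"host not approved: {urlsplit(url).hostname}"
    if not installer_matches(data, expected_sha256):
        return False, "sha256 mismatch: installer differs from the published release"
    return True, "ok"


# Constructed stand-in for an installer. The digest is derived from it only so
# the sample runs offline; a real check uses the value from the release page.
SAMPLE_INSTALLER = b"MZ\x90\x00" + b"npp.8.9.1.Installer.x64.exe (constructed sample)"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_INSTALLER).hexdigest()


if __name__ == "__main__":
    checks = [
        ("https://notepad-plus-plus.org/downloads/v8.9.1/", SAMPLE_INSTALLER),
        ("https://notepad-plus-plus.org@evil.example/npp.exe", SAMPLE_INSTALLER),
        ("https://notepad-plus-plus.org.evil.example/npp.exe", SAMPLE_INSTALLER),
        ("http://notepad-plus-plus.org/downloads/v8.9.1/", SAMPLE_INSTALLER),
        ("https://notepad-plus-plus.org/downloads/v8.9.1/", SAMPLE_INSTALLER + b"\x00"),
    ]
    for url, data in checks:
        print(url, "->", validate_download(url, data, SAMPLE_DIGEST))
```

Apply the host check to the final URL after redirects, not just the link a user clicked: release assets on GitHub, for instance, are served from a different download host, which would have to be added to the allow-list or the check will reject legitimate downloads. Where the vendor also signs releases, verifying the signature is stronger than a bare digest, because a published checksum on a compromised page can be altered along with the installer.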
Infostealers 2: Multiple campaigns using toxic PDFs to steal sensitive data
What’s happening?
The SOC has recently neutralized several malware attacks distributing weaponized PDFs.
This includes campaigns leveraging the information-stealing malware TamperedChef, designed to harvest sensitive data such as credentials and web cookies. The malware is distributed from fraudulent websites promoted through a Google advertising campaign. Once on the website, targets are lured into downloading and installing a ‘free’ PDF editor that has been loaded with the TamperedChef malware.
Other attacks involve Santa Stealer, a new malware-as-a-service (MaaS) infostealer targeting Windows users. Santa Stealer operates in memory to evade detection and steal user credentials, cryptocurrency wallet data and documents from a wide range of applications.
Infostealers are a diverse and widespread threat. The stolen information can be used to gain access to victim networks, for extortion or sold by initial access brokers to ransomware gangs and others.
Your organization may be at risk if you are:
- Allowing employees to use weak or reused passwords.
- Lacking MFA or not enforcing it consistently across the organization.
- Not monitoring logins or the use of admin tools.
- Not detecting suspicious remote access or script execution.
- Lacking visibility into unusual changes in account behavior, such as unauthorized logins or transactions.
- Seeing unexplained slowdowns in system performance, which can indicate malware consuming computing resources.
To protect your organization:
- Implement a robust endpoint security solution such as Barracuda Managed XDR Endpoint Security that can detect and block malware in real time.
- Enforce the use of MFA to make it harder for attackers to breach accounts even if credentials are compromised.
- Implement security awareness training for employees on the latest phishing tactics and safe browsing.
- Implement advanced email security to detect and block phishing attempts before they reach users.
- Keep systems and software updated with the latest security patches.
How Barracuda Managed XDR can help your organization
Barracuda Managed XDR delivers advanced protection against the threats identified in this report by combining cutting-edge technology with expert SOC oversight. With real-time threat intelligence, automated responses, a 24/7/365 SOC team, and XDR Managed Vulnerability Security that identifies security gaps and oversights, Barracuda Managed XDR ensures comprehensive, proactive protection across your network, cloud, email, servers, and endpoints, giving you the confidence to stay ahead of evolving threats.
For further information on how we can help, please get in touch with Barracuda Managed XDR.