# Threat Brief: March 26, 2026 — PreCog Goes Red, Handala Claims Lockheed, China Scans at Scale
- Patrick Duggan
- Mar 26
- 4 min read
Updated: Apr 25
*March 26, 2026 — DugganUSA*
PreCog hit CRITICAL tonight. Three signals elevated simultaneously. Here's what happened and what to do about it.
## PreCog Status: RED
Our precursor detection system tracks 8 signals across threat intelligence feeds, honeypot data, and infrastructure monitoring. Three fired today:
**Infrastructure Activation Surge: MAX SCORE (1.0)** — 500 blocks in a 2-hour window. 24 network clusters activated simultaneously. The heaviest:
| Region | Blocks | Key Prefixes |
|--------|:---:|---|
| China | 117 | 110.249.0.0/16 (53), 180.153.0.0/16 (34), 111.225.0.0/16 (15) |
| United States | 195 | 52.167.0.0/16 (50), 40.77.0.0/16 (39) — both Microsoft Azure |
| Singapore | 60 | Proxy/VPN staging infrastructure |
| Hong Kong | 33 | Transit and staging |
| France | 6 | 185.177.0.0/16 — known surveillance-adjacent network |
117 Chinese blocks in 2 hours is coordinated reconnaissance, not random scanning.
**IOC Velocity Spike: 0.5** — Spamhaus DROP list published 403 new IPs in 24 hours. Daily average is 57. That's a 7x spike. Something large got burned and Spamhaus caught it.
**Consumer Intelligence Collection: Elevated** — A persistent poller at `216.73.216.121` has made 145 requests since March 16. Went quiet for 24 hours, then resumed. Classic pattern: observe, pause, confirm you weren't noticed, resume.
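The three signals above are each simple computations over telemetry: block events grouped into /16 prefixes inside a time window, today's new-indicator count against a rolling daily average, and a single source's request timestamps checked for a long pause followed by more requests. The block below is an added illustration written for this brief, not PreCog's code or any DugganUSA tooling. The sample events and timestamps are constructed, and the scoring choices (a surge score that saturates at 500 blocks, a 24-hour quiet period) are assumptions lifted from the numbers quoted in the text, not a description of how PreCog actually scores.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: (UTC timestamp, blocked source IP). Not real telemetry.
BLOCK_EVENTS = [
    ("2026-03-26T18:02:00", "110.249.11.5"),
    ("2026-03-26T18:04:30", "110.249.200.17"),
    ("2026-03-26T18:10:12", "110.249.9.44"),
    ("2026-03-26T18:15:00", "180.153.3.9"),
    ("2026-03-26T18:40:00", "180.153.77.1"),
    ("2026-03-26T19:05:00", "52.167.8.8"),
    ("2026-03-26T19:30:00", "40.77.1.2"),
    ("2026-03-26T21:00:00", "110.249.5.5"),  # outside a 2h window starting 18:00
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def infra_surge(events, window_start, window_hours=2, max_blocks=500):
    """Signal 1: count blocks per /16 inside the window.

    The score saturates at max_blocks (assumption: the brief's MAX SCORE 1.0
    coincided with 500 blocks in 2 hours, so 500 is used as the ceiling here).
    Returns (score, [(prefix, count), ...]) with the heaviest prefixes first.
    """
    start = _parse(window_start)
    end = start + timedelta(hours=window_hours)
    per_prefix = Counter()
    for ts, ip in events:
        if start <= _parse(ts) < end:
            # Collapse the address to its /16 so 110.249.11.5 and 110.249.9.44
            # land in the same cluster.
            net = ipaddress.ip_network(f"{ip}/16", strict=False)
            per_prefix[str(net)] += 1
    total = sum(per_prefix.values())
    return min(1.0, total / max_blocks), per_prefix.most_common()


def ioc_velocity(new_today, daily_average):
    """Signal 2: how many times the daily baseline today's new indicators are."""
    if daily_average <= 0:
        raise ValueError("daily_average must be positive")
    return new_today / daily_average


# Constructed request timestamps from a single polling source.
POLLER_HITS = [
    "2026-03-16T09:00:00", "2026-03-16T15:00:00",
    "2026-03-17T09:00:00", "2026-03-17T21:00:00",  # then silence
    "2026-03-19T10:30:00", "2026-03-19T16:00:00",  # resumes after >24h
]


def poller_pattern(timestamps, quiet_hours=24):
    """Signal 3: observe -> pause -> resume.

    Flags a source whose sorted request times contain a gap of at least
    quiet_hours with further requests after it.
    """
    ts = sorted(_parse(t) for t in timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    longest = max(gaps, default=timedelta(0))
    return {
        "requests": len(ts),
        "longest_gap_hours": longest.total_seconds() / 3600,
        # Every gap is followed by at least one request, so any long gap
        # means the source went quiet and then came back.
        "paused_then_resumed": any(g >= timedelta(hours=quiet_hours) for g in gaps),
    }


if __name__ == "__main__":
    score, prefixes = infra_surge(BLOCK_EVENTS, "2026-03-26T18:00:00")
    print(f"surge score {score:.3f}, heaviest prefixes {prefixes[:3]}")
    print(f"IOC velocity {ioc_velocity(403, 57):.1f}x baseline")
    print(poller_pattern(POLLER_HITS))
```

Run against the brief's own figures, `ioc_velocity(403, 57)` gives the roughly 7x spike quoted above; the surge and poller functions operate on the constructed sample, so their outputs are small. The point of the poller check is the ordering: a long gap with nothing after it is just a source that left, while a long gap followed by more requests is the observe, pause, resume shape the brief describes.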
## Handala Claims Lockheed Martin — 375TB
The headline: Iran's MOIS cyber unit claims they exfiltrated 375 terabytes from Lockheed Martin. F-35 Block 4 documentation, next-generation interceptor missile systems, internal contracts, and the personal data of 28 American engineers stationed in Israel. Ransom demand: $400-600 million.
Lockheed's response: "No evidence indicating these reports are accurate."
Important: Handala has been flagged for fabricated claims. No proof published yet. But their track record includes the confirmed Stryker wipe (200,000 devices, DOJ-attributed to MOIS). We mapped their post-seizure infrastructure this morning — three replacement domains across three hosting providers, all live, all serving content.
The escalation pattern: medical devices (Mar 11) → former Mossad chief (Mar 25) → defense industrial base (Mar 25). Each target larger than the last, each claim made after the FBI tried to shut them down.
## Interlock Exploits Cisco FMC Zero-Day
CVE-2026-20131. CVSS 10.0. Unauthenticated remote code execution as root in Cisco Secure Firewall Management Center. Interlock ransomware has been exploiting this since January 26 — over a month before Cisco disclosed it.
If you run Cisco FMC, patch now. Not tomorrow. Now.
## Trivy Supply Chain Vulnerability in CISA KEV
CVE-2026-33634. The vulnerability scanner has a vulnerability. Trivy versions 0.45.0 through 0.48.2 allow arbitrary code execution through malicious container images. CISA added it to the Known Exploited Vulnerabilities catalog today.
We flagged this in our RSAC blog. The supply chain attack surface keeps expanding.
## Today's Ransomware Victims
| Victim | Threat Actor | Sector |
|--------|---|---|
| UAE Customs | NasirSecurity | Government |
| Cape May County, NJ | Medusa | Government |
| Glenmark Pharma | INC_RANSOM | Healthcare/Pharma |
| Esprinet | ALP-001 | Technology |
| TELUS Digital (Mar 11) | ShinyHunterz | Telecom — 1 petabyte |
| Malaysia Airlines | Qilin | Aviation |
Two cybersecurity professionals pled guilty to running ransomware operations. The call is coming from inside the SOC.
## What We Did Today
Before the threat landscape caught fire this evening, we:
- Indexed 28 new Handala IOCs from FBI FLASH-20260320-001, GitHub code search, and DNS pivoting on post-seizure domains
- Found novel infrastructure: `82.38.63.237` (Ultahost, AS214036 — Tor relay operator), SPF-derived mail IPs nobody else published, full Telegram C2 bot token
- Filled 4 customer-searched gaps: Handala, Pay2Key, Interlock, AtomSilo — every malware family our users searched for and got zero results now returns hits
- Built and deployed an automated zero-result query miner that turns customer searches into intelligence requirements
- Total Handala IOCs: 85 → 148 in one afternoon
## What Defenders Should Do
1. **Cisco FMC: Patch CVE-2026-20131 immediately.** CVSS 10.0. Exploited since January. If you haven't patched, assume compromise and hunt.
2. **Trivy: Upgrade past 0.48.2.** Your scanner scanning itself is not a drill.
3. **Monitor Chinese scanning clusters.** 110.249.0.0/16 generated 53 blocks in 2 hours against our infrastructure alone. If you see traffic from this range, investigate.
4. **MDM audit.** Stryker was wiped through Intune. Handala is escalating. If you run AirWatch, JAMF, or Intune in the defense industrial base, audit admin access today.
5. **STIX feed.** 148 Handala IOCs, updated today. Free at analytics.dugganusa.com/stix.
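Two of the actions above reduce to checks a defender can script: whether an installed Trivy build falls in the 0.45.0 through 0.48.2 range named in the brief, and whether any source address in firewall or proxy logs falls inside the Chinese prefixes from the surge table (110.249.0.0/16, 180.153.0.0/16, 111.225.0.0/16). The block below is an added example for this brief, not DugganUSA or Trivy project code. The log format is a hypothetical `src=...` key-value style and the log lines are constructed; the CIDRs and the version bounds come straight from the text.

```python
import ipaddress
import re

# Prefixes called out in the brief's surge table and defender actions.
WATCHLIST = [
    ipaddress.ip_network(c)
    for c in ("110.249.0.0/16", "180.153.0.0/16", "111.225.0.0/16")
]

# Affected range exactly as the brief states it: 0.45.0 through 0.48.2 inclusive.
TRIVY_FIRST_AFFECTED = (0, 45, 0)
TRIVY_LAST_AFFECTED = (0, 48, 2)

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn 'v0.48.2', '0.48.2' or 'Version: 0.48.2' into a comparable tuple.

    Pre-release and build suffixes are ignored; if there is no x.y.z at all
    the string is rejected rather than silently treated as safe.
    """
    m = _VERSION_RE.search(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def trivy_affected(version):
    """True when the version lies in the affected range from the brief."""
    return TRIVY_FIRST_AFFECTED <= parse_version(version) <= TRIVY_LAST_AFFECTED


# Constructed log lines in a hypothetical key=value firewall format.
SAMPLE_LOG = """\
2026-03-26T18:02:00Z deny src=110.249.11.5 dst=203.0.113.10 dport=443
2026-03-26T18:03:10Z allow src=198.51.100.7 dst=203.0.113.10 dport=443
2026-03-26T18:04:30Z deny src=180.153.3.9 dst=203.0.113.11 dport=22
2026-03-26T18:05:00Z deny src=111.225.4.4 dst=203.0.113.11 dport=8443
2026-03-26T18:06:00Z allow src=52.167.8.8 dst=203.0.113.12 dport=80
malformed line without a source field
"""

_SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def watchlist_hits(log_text, watchlist=WATCHLIST):
    """Return (source_ip, matched_prefix, raw_line) for every line whose
    src= address lies inside one of the watchlist prefixes.

    Lines without a parsable source address are skipped, not treated as hits.
    """
    hits = []
    for line in log_text.splitlines():
        m = _SRC_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # e.g. an octet above 255 slipped past the regex
        for net in watchlist:
            if ip in net:
                hits.append((str(ip), str(net), line))
                break
    return hits


if __name__ == "__main__":
    for v in ("0.44.9", "0.45.0", "v0.48.2", "0.48.3"):
        print(f"trivy {v}: {'AFFECTED' if trivy_affected(v) else 'ok'}")
    for ip, net, line in watchlist_hits(SAMPLE_LOG):
        print(f"{ip} in {net}: {line}")
```

The version check is inclusive at both ends because that is how the brief states the range; anything at 0.48.3 or later is treated as outside it. The watchlist matcher is deliberately a prefix lookup rather than a string match, so an address like 110.249.200.17 matches 110.249.0.0/16 without the log having to carry the CIDR.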
*Patrick Duggan is the founder of DugganUSA LLC. PreCog is watching. The STIX feed is free. The Cisco FMC patch is not optional.*
*Her name was Renee Nicole Good.*
*His name was Alex Jeffery Pretti.*
The cheapest, fastest, most accurate threat feed on the internet.
275+ enterprises pulling daily. 1M+ IOCs. 17.4M indexed documents. We beat Zscaler by 43 days on NrodeCodeRAT. Starter tier $9/mo — less than any competitor’s sales demo.