# Threat Brief: March 27, 2026 — Handala Claims FBI, Publishes Lockheed Passports, PreCog Stays Red

Writer: Patrick Duggan

Mar 27 (updated Apr 25)


March 27, 2026 — DugganUSA


PreCog is still CRITICAL. Handala escalated twice overnight. The scanning infrastructure rotated but didn't stop. Here's what changed since yesterday.


## Handala Claims FBI Breach



Handala published photos of FBI Director Kash Patel and claims to have breached the Bureau. This is the fourth major target in 16 days:


| Date | Target | Claim | Verified? |
|---|---|---|---|
| Mar 11 | Stryker | 200,000 devices wiped | Yes — DOJ confirmed |
| Mar 25 | Tamir Pardo (ex-Mossad chief) | 14GB personal data | Unverified |
| Mar 25 | Lockheed Martin | 375TB, F-35 data, 28 engineers | Partial — passport scans match LinkedIn |
| Mar 27 | FBI | Director Kash Patel photos | Unverified |



The escalation trajectory: medical devices → intelligence → defense industrial base → law enforcement. Each target is a higher-value symbol than the last.


## Lockheed Passports Are Real



Cybernews confirmed: passport scans published by Handala match LinkedIn profiles of Lockheed Martin senior staff stationed in Israel. The doxxing is verified even if the 375TB exfiltration claim remains unproven.


Handala issued a 48-hour ultimatum: named employees must "cease cooperation with the Zionist regime and leave the occupied territories immediately." If they don't comply, Handala stated their homes will become "missile targets."


This is no longer a cyber operation. It's targeting specific humans with death threats backed by published personal data. The FBI seized Handala's domains a week ago. They stood up replacements in hours and are now claiming to have breached the FBI itself.


## PreCog: Still CRITICAL



Infrastructure Activation Surge remains at maximum. The scanning clusters rotated overnight:


| Yesterday | Today |
|---|---|
| China 110.249.0.0/16 (53 blocks) | 198.235.0.0/16 (91 blocks) — NEW |
| China 180.153.0.0/16 (34) | 205.210.0.0/16 (90 blocks) — NEW |
| Singapore (60) | 205.169.0.0/16 (41 blocks) — NEW |
| Hong Kong (33) | Taiwan (45), Belgium (46), Brazil (48) — NEW |



The scan wave didn't stop. It rotated. New source networks, same 500 blocks per 2-hour window. Spamhaus DROP spike continues at 441 IPs (7x daily average).
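One way to tell a rotation from a stop in your own block logs, as an added example that is not DugganUSA's PreCog code: bucket blocked source IPs by /16 for two windows and compare volume and top networks. The function names, the 20% tolerance and the sample host addresses are assumptions; only the /16 prefixes come from the table above.

```python
import ipaddress
from collections import Counter

def per_slash16(ips):
    """Count blocked source IPs by their enclosing /16 network."""
    return Counter(
        str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in ips
    )

def compare_windows(prev_ips, curr_ips, top_n=3, tolerance=0.2):
    """Classify two block windows: sources rotated, persisting, or volume changed."""
    prev_top = {net for net, _ in per_slash16(prev_ips).most_common(top_n)}
    curr_top = {net for net, _ in per_slash16(curr_ips).most_common(top_n)}
    prev_n, curr_n = len(prev_ips), len(curr_ips)
    # "Steady" means the block count stayed within the tolerance band.
    steady = prev_n > 0 and abs(curr_n - prev_n) / prev_n <= tolerance
    if steady and not (prev_top & curr_top):
        verdict = "rotated"        # same pressure, entirely new top sources
    elif steady:
        verdict = "persisting"     # same pressure, overlapping sources
    else:
        verdict = "volume-changed"
    return {
        "verdict": verdict,
        "new": sorted(curr_top - prev_top),
        "retired": sorted(prev_top - curr_top),
        "volume": (prev_n, curr_n),
    }

# Constructed sample windows: /16 prefixes from the table, host parts invented.
PREV = [f"110.249.{i}.10" for i in range(5)] + [f"180.153.{i}.10" for i in range(3)]
CURR = (
    [f"198.235.{i}.20" for i in range(3)]
    + [f"205.210.{i}.20" for i in range(3)]
    + [f"205.169.{i}.20" for i in range(2)]
)

if __name__ == "__main__":
    print(compare_windows(PREV, CURR))
```
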


## What Else Is On Fire



PolyShell (Magento/Adobe Commerce) — Mass exploitation since March 19. 56.7% of all vulnerable stores compromised. 50+ scanning IPs. If you run Magento, assume you've been hit and check for webshells.



WebRTC payment skimmer — New technique: exfiltrates credit card data through WebRTC data channels instead of traditional HTTP requests. Bypasses most security monitoring that only inspects HTTP/HTTPS traffic. Novel evasion.


Microsoft 365 device code phishing — 340+ organizations targeted since February 19 via Cloudflare Workers redirects. Active campaign using device authorization flow to steal OAuth tokens. If your org uses M365, check for anomalous device code redemptions.


Cisco FMC CVE-2026-20131 — Still the most important patch of the week. CVSS 10.0. Unauthenticated RCE as root. Exploited by Interlock ransomware since January. If you haven't patched, you're already behind.


## What We Fixed



Our blog publish pipeline was rendering raw markdown (tables, bold text, links) as plain text instead of formatted content. A reader caught it. Fixed this morning — inline decorations, tables, blockquotes, and bullet lists now convert to proper Wix rich content. Thanks to whoever spotted it.


## What Defenders Should Do



  • Handala watch: The 48-hour Lockheed ultimatum expires today. Watch for data dumps. Our STIX feed has 148 Handala IOCs including post-seizure infrastructure nobody else has published.


  • Magento audit: PolyShell hit 56.7% of vulnerable stores. Check for unauthorized file uploads and webshells in your Magento deployment.


  • M365 device code review: Query Azure AD sign-in logs for device code flow authentications. Flag any you don't recognize.


  • Cisco FMC: Patch. Today. CVSS 10.


  • STIX feed: Free at analytics.dugganusa.com/stix. 148 Handala, 18 AtomSilo, Interlock, Pay2Key — all indexed this week.
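For the M365 device code review above, an added triage sketch (not part of the original brief) that runs over exported sign-in records. It assumes records shaped like Microsoft Graph signIn objects, where `authenticationProtocol` is `deviceCode` for this flow and `status.errorCode` 0 means success; the sample records, the allow-list and the non-zero error value are constructed.

```python
import json
from collections import defaultdict

# Constructed sample sign-ins; field names follow the Microsoft Graph signIn shape.
SAMPLE = json.loads("""[
 {"createdDateTime":"2026-03-26T09:12:00Z","userPrincipalName":"alice@example.com",
  "appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode",
  "ipAddress":"203.0.113.40","status":{"errorCode":0}},
 {"createdDateTime":"2026-03-26T09:30:00Z","userPrincipalName":"svc-kiosk@example.com",
  "appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode",
  "ipAddress":"198.51.100.7","status":{"errorCode":0}},
 {"createdDateTime":"2026-03-26T08:55:00Z","userPrincipalName":"bob@example.com",
  "appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode",
  "ipAddress":"203.0.113.40","status":{"errorCode":99999}},
 {"createdDateTime":"2026-03-26T10:01:00Z","userPrincipalName":"carol@example.com",
  "appDisplayName":"Outlook","authenticationProtocol":"none",
  "ipAddress":"198.51.100.9","status":{"errorCode":0}}
]""")

# Hypothetical allow-list: (account, app) pairs you expect to use device code flow.
EXPECTED = {("svc-kiosk@example.com", "Microsoft Azure CLI")}

def device_code_signins(records):
    """Keep only sign-ins that used the device authorization flow."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]

def triage(records, expected=EXPECTED):
    """Return unrecognized device code sign-ins, completed redemptions first."""
    dc = device_code_signins(records)
    users_by_ip = defaultdict(set)   # one IP redeeming codes for many users is a signal
    for r in dc:
        users_by_ip[r["ipAddress"]].add(r["userPrincipalName"].lower())
    findings = []
    for r in dc:
        user = r["userPrincipalName"].lower()
        if (user, r["appDisplayName"]) in expected:
            continue
        findings.append({
            "time": r["createdDateTime"], "user": user, "app": r["appDisplayName"],
            "ip": r["ipAddress"],
            "token_issued": r.get("status", {}).get("errorCode") == 0,
            "users_from_ip": len(users_by_ip[r["ipAddress"]]),
        })
    findings.sort(key=lambda f: (not f["token_issued"], f["time"]))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

A finding with `token_issued` true means a token was granted, so review that account's sessions and refresh tokens first.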




Patrick Duggan is the founder of DugganUSA LLC. PreCog has been red for 48 hours. The FBI's domain seizure lasted one day. Handala's response has lasted a week and counting. The STIX feed is free. The passport scans are not.





Her name was Renee Nicole Good.


His name was Alex Jeffery Pretti.

