Security Check-in Quick Hits: DarkSword iPhone Malware, Marquis Banking Vendor Ransomware Breach, 54 EDR Killers via BYOVD, The Gentlemen RaaS FortiGate Campaign, and Citrix NetScaler Exploit Surge
For March 20, 2026
DarkSword iPhone Malware: Hundreds of Millions Potentially at Risk
A new malware tool dubbed DarkSword is raising alarms for iPhone users worldwide. According to a TIME report amplified across X, cybersecurity researchers warn that hundreds of millions of devices could be vulnerable to this spyware/malware, which targets personal and wallet data.
The buzz centers on its stealth and scale—potentially turning everyday iPhones into data exfiltration machines. While full technical details are still emerging, the threat underscores how mobile platforms remain prime targets for sophisticated actors. X users are sharing the story rapidly, urging immediate action.
What you should do right now: Update to the latest iOS version, enable automatic updates, avoid sideloading apps or clicking suspicious links, and monitor for unusual battery drain or data usage. Turn on Lockdown Mode if you’re in a high-risk category. Simple habits like these can blunt many spyware campaigns before they take hold.
Marquis Software Ransomware Breach: Customer Data from 74 Lenders Exposed
A Texas-based financial software vendor called Marquis became the latest supply-chain casualty. A ransomware gang breached its systems (initially via a compromised SonicWall firewall) back in August 2025, but notifications and impact details surfaced this week. The fallout? Personal and financial records of 672,000+ individuals across 74 banks and credit unions were stolen, including names, SSNs, addresses, dates of birth, and account details.
X cybersecurity accounts flagged this as a textbook third-party risk example—one vendor compromise ripples across dozens of lenders. No evidence of customer funds being directly drained yet, but identity theft and fraud risks are now elevated for hundreds of thousands.
Takeaway for organizations and individuals: Vet vendors aggressively, demand proof of segmentation and rapid incident response. Consumers should freeze credit, monitor accounts, and enable fraud alerts. Supply-chain attacks aren’t slowing down—assume your data is already in the wild and act accordingly.
54 EDR Killers Leverage BYOVD: Ransomware’s New Favorite Pre-Attack Weapon
Endpoint detection and response (EDR) tools just got harder to trust. A fresh analysis reveals 54 dedicated “EDR killer” tools now abuse 34–35 signed vulnerable drivers through Bring Your Own Vulnerable Driver (BYOVD) attacks. These tools grant kernel-level access to terminate security processes before ransomware even deploys its encryptor.
Ransomware operators are shifting evasion upstream—killing defenses outright rather than hiding inside payloads. The Hacker News post detailing the trend lit up X feeds, with defenders noting the reliability of signed drivers makes detection a nightmare.
Defensive steps: Maintain an up-to-date blocklist of vulnerable drivers, monitor for suspicious kernel driver loads, and layer behavioral detection on top of EDR. Organizations should also test “assume breach” scenarios where EDR is already disabled. The era of “set and forget” endpoint protection is over.
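The blocklist-plus-monitoring step above is straightforward to operationalize: take the driver-load events your endpoint telemetry already produces and check each one against the deny rules in your vulnerable-driver policy. The following is an added example, not code from the article or from any vendor. It uses a constructed policy fragment shaped like the WDAC `<Deny>` rules Microsoft's recommended driver block rules are distributed in (a hash rule and a filename plus version-range rule), and constructed events shaped after Sysmon Event ID 6 (Driver loaded) fields; the rule IDs, hashes, file names and the `FileVersion` enrichment field are all placeholders, and treating `MinimumFileVersion`..`MaximumFileVersion` as an inclusive blocked range is an assumption about the policy semantics.

```python
"""Match kernel driver-load events against a vulnerable-driver blocklist.

Added illustration. The policy fragment and the events are constructed; none
of the hashes, names or IDs refer to a real driver.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed WDAC-style fragment. A real policy carries an XML namespace and
# thousands of rules; the shape of the two <Deny> forms is what matters here.
BLOCKLIST_XML = """<SiPolicy>
  <FileRules>
    <Deny ID="ID_DENY_EXAMPLE_HASH" FriendlyName="constructed hash rule"
          Hash="00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF"/>
    <Deny ID="ID_DENY_EXAMPLE_VERSION" FriendlyName="constructed version-range rule"
          FileName="exampledrv.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.1.0.0"/>
  </FileRules>
</SiPolicy>"""

# Constructed events, fields shaped after Sysmon Event ID 6. Sysmon does not
# report a file version; FileVersion is assumed to come from an enrichment step.
DRIVER_LOADS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\exampledrv.sys",
     "Hashes": "SHA256=" + "FF" * 32, "Signed": "true", "FileVersion": "2.4.0.0"},   # in blocked range
    {"ImageLoaded": r"C:\Windows\System32\drivers\exampledrv.sys",
     "Hashes": "SHA256=" + "EE" * 32, "Signed": "true", "FileVersion": "4.0.0.0"},   # above max, allowed
    {"ImageLoaded": r"C:\Users\Public\tmpdrv.sys",
     "Hashes": "SHA256=00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF",
     "Signed": "true", "FileVersion": "1.0.0.0"},                                     # renamed, caught by hash
    {"ImageLoaded": r"C:\Windows\System32\drivers\benigndrv.sys",
     "Hashes": "SHA256=" + "DD" * 32, "Signed": "true", "FileVersion": "10.0.1.0"},  # clean
]


@dataclass
class DenyRule:
    rule_id: str
    friendly_name: str
    sha256: Optional[str] = None
    file_name: Optional[str] = None
    min_version: Optional[tuple] = None
    max_version: Optional[tuple] = None


def parse_version(text: str) -> tuple:
    """'2.4.0.0' -> (2, 4, 0, 0) so ranges compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def load_blocklist(xml_text: str) -> list:
    """Collect <Deny> rules; the tag is compared by local name so a namespaced policy also works."""
    rules = []
    for element in ET.fromstring(xml_text).iter():
        if element.tag.rsplit("}", 1)[-1] != "Deny":
            continue
        rule = DenyRule(element.get("ID", ""), element.get("FriendlyName", ""))
        if element.get("Hash"):
            rule.sha256 = element.get("Hash").lower()
        if element.get("FileName"):
            rule.file_name = element.get("FileName").lower()
            rule.min_version = parse_version(element.get("MinimumFileVersion", "0.0.0.0"))
            rule.max_version = parse_version(element.get("MaximumFileVersion", "65535.65535.65535.65535"))
        rules.append(rule)
    return rules


def sha256_from_hashes(field: str) -> Optional[str]:
    """Pull the SHA256 entry out of a Sysmon-style 'ALG=hex,ALG=hex' field."""
    for part in field.split(","):
        algorithm, _, digest = part.partition("=")
        if algorithm.strip().upper() == "SHA256":
            return digest.strip().lower()
    return None


def match_event(event: dict, rules: list) -> Optional[DenyRule]:
    """Return the first rule the driver load violates, or None. Hash first, then name + version."""
    image_name = event["ImageLoaded"].rsplit("\\", 1)[-1].lower()
    digest = sha256_from_hashes(event.get("Hashes", ""))
    version = parse_version(event["FileVersion"]) if event.get("FileVersion") else None
    for rule in rules:
        if rule.sha256 and digest == rule.sha256:
            return rule
        if (rule.file_name and image_name == rule.file_name and version is not None
                and rule.min_version <= version <= rule.max_version):
            return rule
    return None


def scan(events: list, rules: list) -> list:
    """(image path, rule id) for every load that hits the blocklist, in event order."""
    hits = []
    for event in events:
        rule = match_event(event, rules)
        if rule is not None:
            hits.append((event["ImageLoaded"], rule.rule_id))
    return hits


if __name__ == "__main__":
    for image, rule_id in scan(DRIVER_LOADS, load_blocklist(BLOCKLIST_XML)):
        print(f"BLOCKLISTED DRIVER LOADED: {image} ({rule_id})")
```

The hash rule catches the renamed copy in `C:\Users\Public`, which is why matching on file name alone is not enough; the version rule catches an older build of a driver whose newer releases are fine. Run this over driver-load events from the last 90 days as well as in real time, because a signed vulnerable driver that loaded months ago is exactly the kind of thing the "assume breach" exercise should surface.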
The Gentlemen RaaS: Fresh Ransomware Group Feasting on FortiGate Flaws
A nascent Ransomware-as-a-Service operation called The Gentlemen (roughly 20 members) is making rapid waves. It primarily exploits CVE-2024-55591 (authentication bypass in FortiOS/FortiProxy) plus brute-forced VPN credentials. The group maintains a database of ~14,700 already-compromised FortiGate devices and has hit at least 94 organizations since mid-2025. They also love BYOVD for evasion, PowerShell for lateral movement, and aggressive backup destruction.
X roundups highlighted how this group emerged from a public dispute with Qilin ransomware operators—drama that now translates into real victim pain across manufacturing, healthcare, and more.
Immediate actions: Patch FortiGate devices yesterday (or isolate them). Enable MFA everywhere, restrict VPN exposure, and audit for anomalous admin logins. If you run FortiGate, treat it as internet-facing critical infrastructure.
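"Audit for anomalous admin logins" is the one item in that list that benefits from a concrete rule. The group's reliance on brute-forced credentials gives two cheap signals: an administrator login that succeeds shortly after a run of failures from the same source, and an administrator login from an address outside the management allowlist. The code below is an added example, not from the article or from Fortinet. The log lines are constructed and only loosely follow FortiGate's `key=value` event format (the field names `user`, `srcip`, `action` and `status` are assumed; real `logid` values are omitted), and the allowlist, thresholds and addresses are placeholders.

```python
"""Flag suspicious administrator logins in key=value appliance event logs.

Added illustration; the log lines are constructed, not captured from a device.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one normal admin login, four failures then a success from
# an outside address, a logout, and an "auditor" login from another outside address.
LOG_LINES = [
    'date=2026-03-18 time=09:00:01 type="event" subtype="system" level="information" user="admin" ui="https(10.0.5.20)" srcip=10.0.5.20 action="login" status="success"',
    'date=2026-03-18 time=09:14:02 type="event" subtype="system" level="alert" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 action="login" status="failed"',
    'date=2026-03-18 time=09:14:11 type="event" subtype="system" level="alert" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 action="login" status="failed"',
    'date=2026-03-18 time=09:14:20 type="event" subtype="system" level="alert" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 action="login" status="failed"',
    'date=2026-03-18 time=09:14:30 type="event" subtype="system" level="alert" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 action="login" status="failed"',
    'date=2026-03-18 time=09:14:41 type="event" subtype="system" level="information" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 action="login" status="success"',
    'date=2026-03-18 time=09:40:00 type="event" subtype="system" level="information" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 action="logout" status="success"',
    'date=2026-03-18 time=11:02:10 type="event" subtype="system" level="information" user="auditor" ui="https(203.0.113.77)" srcip=203.0.113.77 action="login" status="success"',
]

# Placeholder management network; in practice this is the list of jump hosts
# and admin subnets that are allowed to reach the appliance GUI/SSH at all.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.5.0/24")]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Split a key=value line into a dict and attach a parsed timestamp under '_ts'."""
    fields = {key: value.strip('"') for key, value in KV_RE.findall(line)}
    fields["_ts"] = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return fields


def audit_admin_logins(lines, trusted_nets, fail_threshold: int = 3,
                       window: timedelta = timedelta(minutes=10)) -> list:
    """Return one finding per successful login that is untrusted-source and/or brute-force-then-success."""
    findings = []
    recent_failures = defaultdict(deque)  # (user, srcip) -> timestamps of recent failed logins
    for line in lines:
        event = parse_line(line)
        if event.get("action") != "login":
            continue
        key = (event["user"], event["srcip"])
        ts = event["_ts"]
        failures = recent_failures[key]
        while failures and ts - failures[0] > window:   # drop failures older than the window
            failures.popleft()
        if event.get("status") == "failed":
            failures.append(ts)
            continue
        if event.get("status") != "success":
            continue
        reasons = []
        source = ipaddress.ip_address(event["srcip"])
        if not any(source in net for net in trusted_nets):
            reasons.append("login from outside management allowlist")
        if len(failures) >= fail_threshold:
            reasons.append(f"success after {len(failures)} failures within {window}")
        failures.clear()  # a success ends the current attempt sequence
        if reasons:
            findings.append({"time": ts.isoformat(), "user": event["user"],
                             "srcip": event["srcip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_admin_logins(LOG_LINES, TRUSTED_MGMT_NETS):
        print(finding)
```

The two signals are deliberately independent: a login from a trusted jump host after a burst of failures is still worth a look (a compromised admin workstation), and a clean first-try login from an unknown address is the expected shape of a reused credential. Feeding the same logic the SSL-VPN authentication events gives you the brute-force half of the picture for the VPN exposure the group leans on.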
Citrix NetScaler Under Mass Exploitation: 500+ Attempts in One Honeypot Alone
Old vulnerabilities in Citrix NetScaler ADC/Gateway are seeing renewed fury. Researchers logged more than 500 exploit attempts against a single honeypot on March 16, targeting flaws like CVE-2025-5777 and CVE-2023-4966. Analysts warn this spike often precedes fresh zero-days or broader campaigns.
X threat-intel accounts called it a classic reconnaissance-before-ransomware pattern. With thousands of exposed appliances still online, the risk window is wide open.
What to do: Upgrade NetScaler instances immediately, block unnecessary internet exposure, and deploy WAF rules or behavioral monitoring. If patching isn’t instant, segment or take appliances offline until you can.
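The "behavioral monitoring" suggestion maps directly onto what the honeypot saw: hundreds of requests from a handful of sources in a short window, walking many distinct paths and collecting mostly error responses. That pattern is detectable in ordinary access logs without any exploit-specific signature. The block below is an added example and not from the article or from Citrix; it generates a constructed Apache combined-format log (a benign client plus one scanner-like burst, with placeholder paths and addresses), then applies a sliding-window rule over requests per source and distinct paths per source. The thresholds are assumptions to tune against your own baseline.

```python
"""Sliding-window burst detection over web access logs.

Added illustration; the log is constructed inside build_sample_log().
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def build_sample_log() -> list:
    """Constructed input: five benign page views over ten minutes, then 40 probes in 40 seconds."""
    lines = []
    base = datetime(2026, 3, 16, 14, 0, 0, tzinfo=timezone.utc)
    for i in range(5):
        ts = (base + timedelta(minutes=2 * i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'198.51.100.5 - - [{ts}] "GET /portal/page-{i} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    for i in range(40):
        ts = (base + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'203.0.113.9 - - [{ts}] "GET /probe/path-{i} HTTP/1.1" 404 162 "-" "python-requests/2.x"')
    return lines


def parse_access_line(line: str):
    """Parse one combined-format line; return None for lines that do not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    event = match.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%d/%b/%Y:%H:%M:%S %z")
    event["status"] = int(event["status"])
    return event


def detect_bursts(lines, window: timedelta = timedelta(seconds=60),
                  min_requests: int = 20, min_distinct_paths: int = 10) -> list:
    """One alert per source whose requests inside any `window` reach both thresholds."""
    events = [e for e in map(parse_access_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # source ip -> events within the trailing window
    alerts = {}
    for event in events:
        queue = recent[event["ip"]]
        queue.append(event)
        while queue and event["ts"] - queue[0]["ts"] > window:
            queue.popleft()
        if event["ip"] in alerts:
            continue  # already reported this source; keep the window moving
        paths = {e["path"] for e in queue}
        if len(queue) >= min_requests and len(paths) >= min_distinct_paths:
            errors = sum(1 for e in queue if e["status"] >= 400)
            alerts[event["ip"]] = {
                "ip": event["ip"],
                "first_seen": queue[0]["ts"].isoformat(),
                "requests": len(queue),
                "distinct_paths": len(paths),
                "error_ratio": round(errors / len(queue), 2),
                "user_agent": event["ua"],
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_log()):
        print(alert)
```

The alert fires on the twentieth request from the probing source, well before the burst finishes, which is the point: the honeypot figure of 500+ attempts is what the pattern looks like after the fact, and a rule like this gives you a block-or-rate-limit decision while it is still in progress. Pair it with an allowlist for your own scanners and monitoring so they do not trip it.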
These stories dominated X’s cybersecurity corner today because they blend fresh research, real victim counts, and actionable urgency. The common thread? Attackers are moving faster, leveraging supply chains, and disabling defenses earlier in the kill chain. Patch relentlessly, monitor third parties, and treat every endpoint and appliance as potentially compromised. Stay safe out there—tomorrow’s quick hits are already loading.