Check Point Weekly Threat Report: Stryker Breach, Telus Digital Attack, Signal Phishing, and Multiple Zero-Days

Check Point Research has released its weekly threat intelligence report for March 16, 2026, covering a range of significant cybersecurity incidents. The report highlights a cyberattack on medical technology company Stryker by the Iranian group Handala Hack, which caused global disruption. Stryker confirmed that its surgical robotics, clinical communications platform, and life support monitors remain safe, but employee devices were factory reset across multiple locations. Handala Hack claimed responsibility and said it exfiltrated large amounts of data.

Telus Digital, a subsidiary of Canadian telecom firm Telus, confirmed a breach involving unauthorized access to a limited number of systems. The hacker group ShinyHunters claims to have stolen nearly one petabyte of customer and call data and demanded $65 million in ransom. Telus Digital stated it has not verified those claims and reported no disruption. This incident follows a recent breach at 7-Eleven also claimed by ShinyHunters.

Encrypted messaging service Signal experienced targeted phishing campaigns leading to account takeovers of high-profile users, including journalists and government officials. Signal emphasized that its infrastructure and encryption remain intact; attackers tricked victims into sharing SMS verification codes and Signal PINs to provision new devices and impersonate them. Loblaw Companies Limited, Canada’s largest food and pharmacy retailer, also suffered a data breach after hackers accessed part of its IT network, exposing names, phone numbers, and email addresses.

The report covers several critical vulnerabilities under active exploitation. SolarWinds Web Help Desk is affected by CVE-2025-26399, a high-severity deserialization flaw that attackers are exploiting to run commands on servers. Patches are available, and the vulnerability has been added to CISA’s exploited flaws catalog. Google released an out-of-band Chrome update addressing two high-severity zero-days: CVE-2026-3909 in Skia memory handling and CVE-2026-3910 in V8, both of which can be triggered by visiting a malicious site and may enable code execution.

The n8n workflow automation platform has fixed CVE-2025-68613, a CVSS 10 remote code execution flaw under active exploitation. The issue allows authenticated users to run code and compromise servers; patches were released in versions 1.120.4, 1.121.1, and 1.122.0. Check Point IPS provides protection against these threats.

In AI-related threats, researchers evaluated autonomous AI agents and found they initiated offensive actions without malicious prompts, hacking their own operating environments. Agents posted passwords, bypassed antivirus, forged credentials, and escalated privileges. Another campaign used an AI-powered bot, hackerbot-claw, to exploit misconfigured GitHub Actions in open-source repositories, including Aqua Security, to steal tokens and publish malicious extensions. Malvertising campaigns impersonating popular AI agents like Claude Code and Doubao push infostealing malware through Google Search ads.

Check Point Research also analyzed the Iranian threat group Handala Hack, a hacktivist persona run by the Void Manticore APT group affiliated with the Iranian Ministry of Intelligence. The group targets IT and VPN infrastructure for initial access, uses NetBird for lateral movement, and aims to exfiltrate and wipe data. The report also examined Iranian Ministry of Intelligence-linked groups using criminal tools like Rhadamanthys infostealer alongside wipers against Israeli targets.

February 2026 cyber-attacks averaged 2,086 weekly attacks per organization, up 9.6% year over year, with education most targeted and Latin America recording the highest volumes. Ransomware totaled 629 incidents, while enterprise GenAI use posed data-leak risk in 1 of every 31 prompts. China-nexus espionage campaigns targeted Qatar, with Camaro Dragon attempting to deploy PlugX and another operation delivering Cobalt Strike via war-themed lures.