Apple Patches (almost) everything again. March 2026 edition.

    Published: 2026-03-25. Last Updated: 2026-03-25 21:29:57 UTC
    by Johannes Ullrich (Version: 1)

    Apple released the next versions of its operating systems, patching 85 different vulnerabilities across all of them. None of the vulnerabilities are currently being exploited. The last three macOS "generations" are covered, as are the last two versions of iOS/iPadOS. For tvOS, watchOS, and visionOS, only the current version received patches. This update also includes the recently released Background Security Improvements. Some older watchOS versions received updates, but these updates do not address any security issues.

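    Updates released: iOS 26.4 and iPadOS 26.4, iOS 18.7.7 and iPadOS 18.7.7, macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, tvOS 26.4, watchOS 26.4, visionOS 26.4, Safari 26.4, Xcode 26.4. Each entry below lists the updates marked for that vulnerability.

    CVE-2025-43376: A remote attacker may be able to view leaked DNS queries with Private Relay turned on.
    Affects WebKit. Fixed in: iOS/iPadOS 18.7.7
    CVE-2025-43534: A user with physical access to an iOS device may be able to bypass Activation Lock.
    Affects iTunes Store. Fixed in: iOS/iPadOS 18.7.7
    CVE-2026-20607: An app may be able to access protected user data.
    Affects libxpc. Fixed in: macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-20631: A user may be able to elevate privileges.
    Affects PackageKit. Fixed in: macOS Tahoe 26.4
    CVE-2026-20632: An app may be able to access sensitive user data.
    Affects Music. Fixed in: macOS Tahoe 26.4
    CVE-2026-20633: An app may be able to access user-sensitive data.
    Affects Archive Utility. Fixed in: macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-20637: An app may be able to cause unexpected system termination.
    Affects AppleKeyStore. Fixed in: iOS/iPadOS 18.7.7, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-20639: Processing a maliciously crafted string may lead to heap corruption.
    Affects configd. Fixed in: macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-20643: Processing maliciously crafted web content may bypass Same Origin Policy.
    Affects WebKit. Fixed in: iOS/iPadOS 26.4, iOS/iPadOS 18.7.7, macOS Tahoe 26.4, visionOS 26.4, Safari 26.4
    CVE-2026-20651: An app may be able to access sensitive user data.
    Affects Messages. Fixed in: macOS Sequoia 15.7.5
    CVE-2026-20657: Parsing a maliciously crafted file may lead to an unexpected app termination.
    Affects Vision. Fixed in: iOS/iPadOS 18.7.7, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-20660: A remote user may be able to write arbitrary files.
    Affects CFNetwork. Fixed in: macOS Sequoia 15.7.5
    CVE-2026-20665: Processing maliciously crafted web content may prevent Content Security Policy from being enforced.
    Affects WebKit. Fixed in: iOS/iPadOS 26.4, iOS/iPadOS 18.7.7, macOS Tahoe 26.4, tvOS 26.4, watchOS 26.4, visionOS 26.4, Safari 26.4
    CVE-2026-20668: An app may be able to access sensitive user data.
    Affects Focus. Fixed in: iOS/iPadOS 18.7.7, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-20684: An app may bypass Gatekeeper checks.
    Affects AppleScript. Fixed in: macOS Tahoe 26.4
    CVE-2026-20687: An app may be able to cause unexpected system termination or write kernel memory.
    Affects Kernel. Fixed in: iOS/iPadOS 26.4, iOS/iPadOS 18.7.7, macOS Tahoe 26.4, macOS Sequoia 15.7.5, tvOS 26.4, watchOS 26.4
    CVE-2026-20688: An app may be able to break out of its sandbox.
    Affects Printing. Fixed in: iOS/iPadOS 26.4, macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, visionOS 26.4
    CVE-2026-20690: Processing an audio stream in a maliciously crafted media file may terminate the process.
    Affects CoreMedia. Fixed in: iOS/iPadOS 26.4, iOS/iPadOS 18.7.7, macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, tvOS 26.4, watchOS 26.4, visionOS 26.4
    CVE-2026-20691: A maliciously crafted webpage may be able to fingerprint the user.
    Affects WebKit Sandboxing. Fixed in: iOS/iPadOS 26.4, macOS Tahoe 26.4, watchOS 26.4, visionOS 26.4, Safari 26.4
    CVE-2026-20692: "Hide IP Address" and "Block All Remote Content" may not apply to all mail content.
    Affects Mail. Fixed in: iOS/iPadOS 26.4, macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-20693: An attacker with root privileges may be able to delete protected system files.
    Affects PackageKit. Fixed in: macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-20694: An app may be able to access user-sensitive data.
    Affects MigrationKit. Fixed in: macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-20695: An app may be able to determine kernel memory layout.
    Affects Kernel. Fixed in: macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-20697: An app may be able to access sensitive user data.
    Affects Spotlight. Fixed in: macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-20698: An app may be able to cause unexpected system termination or corrupt kernel memory.
    Affects Kernel. Fixed in: iOS/iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, watchOS 26.4, visionOS 26.4
    CVE-2026-20699: An app may be able to access user-sensitive data.
    Affects AppleMobileFileIntegrity. Fixed in: macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-20701: An app may be able to connect to a network share without user consent.
    Affects NetAuth. Fixed in: macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-28816: An app may be able to delete files for which it does not have permission.
    Affects Notes. Fixed in: macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-28817: A sandboxed process may be able to circumvent sandbox restrictions.
    Affects Printing. Fixed in: macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-28818: An app may be able to access sensitive user data.
    Affects Spotlight. Fixed in: macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-28820: An app may be able to access sensitive user data.
    Affects StorageKit. Fixed in: macOS Tahoe 26.4
    CVE-2026-28821: An app may be able to gain elevated privileges.
    Affects CoreServices. Fixed in: macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-28822: An attacker may be able to cause unexpected app termination.
    Affects Audio. Fixed in: iOS/iPadOS 26.4, macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, tvOS 26.4, watchOS 26.4, visionOS 26.4
    CVE-2026-28823: An app with root privileges may be able to delete protected system files.
    Affects Admin Framework. Fixed in: macOS Tahoe 26.4
    CVE-2026-28824: An app may be able to access sensitive user data.
    Affects AppleMobileFileIntegrity. Fixed in: macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-28825: An app may be able to modify protected parts of the file system.
    Affects SMB. Fixed in: macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-28826: A malicious app may be able to break out of its sandbox.
    Affects NSColorPanel. Fixed in: macOS Tahoe 26.4
    CVE-2026-28827: An app may be able to break out of its sandbox.
    Affects NetFSFramework. Fixed in: macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-28828: An app may be able to access sensitive user data.
    Affects TCC. Fixed in: macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-28829: An app may be able to modify protected parts of the file system.
    Affects WebDAV. Fixed in: macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-28831: An app may be able to access sensitive user data.
    Affects Printing. Fixed in: macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-28832: An app may be able to disclose kernel memory.
    Affects File System. Fixed in: macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-28833: An app may be able to enumerate a user's installed apps.
    Affects iCloud. Fixed in: iOS/iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4
    CVE-2026-28834: An app may be able to cause unexpected system termination.
    Affects GPU Drivers. Fixed in: macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-28835: Mounting a maliciously crafted SMB network share may lead to system termination.
    Affects SMB. Fixed in: macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-28837: An app may be able to access sensitive user data.
    Affects System Settings. Fixed in: macOS Tahoe 26.4
    CVE-2026-28838: An app may be able to break out of its sandbox.
    Affects CoreServices. Fixed in: macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-28839: An app may be able to access sensitive user data.
    Affects NetAuth. Fixed in: macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-28841: A buffer overflow may result in memory corruption and unexpected app termination.
    Affects IOGraphics. Fixed in: macOS Tahoe 26.4
    CVE-2026-28842: A buffer overflow may result in memory corruption and unexpected app termination.
    Affects IOGraphics. Fixed in: macOS Tahoe 26.4
    CVE-2026-28844: An attacker may gain access to protected parts of the file system.
    Affects SystemMigration. Fixed in: macOS Tahoe 26.4
    CVE-2026-28845: An app may be able to access protected user data.
    Affects LaunchServices. Fixed in: macOS Tahoe 26.4
    CVE-2026-28852: An app may be able to cause a denial-of-service.
    Affects UIFoundation. Fixed in: iOS/iPadOS 26.4, iOS/iPadOS 18.7.7, macOS Tahoe 26.4, macOS Sequoia 15.7.5, tvOS 26.4, watchOS 26.4, visionOS 26.4
    CVE-2026-28856: An attacker with physical access to a locked device may be able to view sensitive user information.
    Affects Siri. Fixed in: iOS/iPadOS 26.4, watchOS 26.4, visionOS 26.4
    CVE-2026-28857: Processing maliciously crafted web content may lead to an unexpected process crash.
    Affects WebKit. Fixed in: iOS/iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4, Safari 26.4
    CVE-2026-28858: A remote user may be able to cause unexpected system termination or corrupt kernel memory.
    Affects Telephony. Fixed in: iOS/iPadOS 26.4
    CVE-2026-28859: A malicious website may be able to process restricted web content outside the sandbox.
    Affects WebKit. Fixed in: iOS/iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, watchOS 26.4, visionOS 26.4, Safari 26.4
    CVE-2026-28861: A malicious website may be able to access script message handlers intended for other origins.
    Affects WebKit. Fixed in: iOS/iPadOS 26.4, iOS/iPadOS 18.7.7, macOS Tahoe 26.4, visionOS 26.4, Safari 26.4
    CVE-2026-28862: An app may be able to access user-sensitive data.
    Affects Phone. Fixed in: macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-28863: An app may be able to fingerprint the user.
    Affects Sandbox Profiles. Fixed in: iOS/iPadOS 26.4, tvOS 26.4, watchOS 26.4, visionOS 26.4
    CVE-2026-28864: A local attacker may gain access to user's Keychain items.
    Affects Security. Fixed in: iOS/iPadOS 26.4, iOS/iPadOS 18.7.7, macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, watchOS 26.4, visionOS 26.4
    CVE-2026-28865: An attacker in a privileged network position may be able to intercept network traffic.
    Affects 802.1X. Fixed in: iOS/iPadOS 26.4, iOS/iPadOS 18.7.7, macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, tvOS 26.4, watchOS 26.4, visionOS 26.4
    CVE-2026-28866: An app may be able to access sensitive user data.
    Affects Clipboard. Fixed in: iOS/iPadOS 26.4, iOS/iPadOS 18.7.7, macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-28867: An app may be able to leak sensitive kernel state.
    Affects Kernel. Fixed in: iOS/iPadOS 26.4, iOS/iPadOS 18.7.7, macOS Tahoe 26.4, macOS Sequoia 15.7.5, tvOS 26.4, watchOS 26.4, visionOS 26.4
    CVE-2026-28868: An app may be able to disclose kernel memory.
    Affects Kernel. Fixed in: iOS/iPadOS 26.4, iOS/iPadOS 18.7.7, macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, watchOS 26.4, visionOS 26.4
    CVE-2026-28870: An app may be able to access sensitive user data.
    Affects GeoServices. Fixed in: iOS/iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, watchOS 26.4, visionOS 26.4
    CVE-2026-28871: Visiting a maliciously crafted website may lead to a cross-site scripting attack.
    Affects WebKit. Fixed in: iOS/iPadOS 26.4, iOS/iPadOS 18.7.7, macOS Tahoe 26.4, Safari 26.4
    CVE-2026-28874: A remote attacker may cause an unexpected app termination.
    Affects Baseband. Fixed in: iOS/iPadOS 26.4
    CVE-2026-28875: A remote attacker may be able to cause a denial-of-service.
    Affects Baseband. Fixed in: iOS/iPadOS 26.4
    CVE-2026-28876: An app may be able to access sensitive user data.
    Affects DeviceLink. Fixed in: iOS/iPadOS 26.4, iOS/iPadOS 18.7.7, macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, visionOS 26.4
    CVE-2026-28877: An app may be able to access sensitive user data.
    Affects Accounts. Fixed in: iOS/iPadOS 26.4, macOS Tahoe 26.4, macOS Sequoia 15.7.5, watchOS 26.4, visionOS 26.4
    CVE-2026-28878: An app may be able to enumerate a user's installed apps.
    Affects Crash Reporter. Fixed in: iOS/iPadOS 26.4, iOS/iPadOS 18.7.7, macOS Tahoe 26.4, macOS Sonoma 14.8.5, tvOS 26.4, watchOS 26.4, visionOS 26.4
    CVE-2026-28879: Processing maliciously crafted web content may lead to an unexpected process crash.
    Affects Audio. Fixed in: iOS/iPadOS 26.4, iOS/iPadOS 18.7.7, macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, tvOS 26.4, watchOS 26.4, visionOS 26.4
    CVE-2026-28880: An app may be able to enumerate a user's installed apps.
    Affects iCloud. Fixed in: iOS/iPadOS 18.7.7, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-28881: An app may be able to access sensitive user data.
    Affects iCloud. Fixed in: macOS Tahoe 26.4
    CVE-2026-28882: An app may be able to enumerate a user's installed apps.
    Affects libxpc. Fixed in: iOS/iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, watchOS 26.4, visionOS 26.4
    CVE-2026-28886: A user in a privileged network position may be able to cause a denial-of-service.
    Affects CoreUtils. Fixed in: iOS/iPadOS 26.4, iOS/iPadOS 18.7.7, macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, tvOS 26.4, watchOS 26.4, visionOS 26.4
    CVE-2026-28888: An app may be able to gain root privileges.
    Affects CUPS. Fixed in: macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-28889: An app may be able to read arbitrary files as root.
    Affects Simulator. Fixed in: Xcode 26.4
    CVE-2026-28890: An app may be able to cause unexpected system termination.
    Affects otool. Fixed in: Xcode 26.4
    CVE-2026-28891: An app may be able to break out of its sandbox.
    Affects NetAuth. Fixed in: macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-28892: An app may be able to modify protected parts of the file system.
    Affects Diagnostics. Fixed in: macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-28893: A document may be written to a temporary file when using print preview.
    Affects CUPS. Fixed in: macOS Tahoe 26.4
    CVE-2026-28894: A remote attacker may be able to cause a denial-of-service.
    Affects Calling Framework. Fixed in: iOS/iPadOS 26.4, macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
    CVE-2026-28895: An attacker with physical access to an iOS device with Stolen Device Protection enabled may be able to access biometrics-gated Protected Apps with the passcode.
    Affects App Protection. Fixed in: iOS/iPadOS 26.4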

    --
    Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

    SmartApeSG campaign pushes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (ArechClient2)

    Published: 2026-03-25. Last Updated: 2026-03-25 17:44:25 UTC
    by Brad Duncan (Version: 1)

    Introduction

    This diary provides indicators from the SmartApeSG (ZPHP, HANEYMANEY) campaign I saw on Tuesday, 2026-03-24. SmartApeSG is one of many campaigns that use the ClickFix technique. This past week, I've seen NetSupport RAT as follow-up malware from Remcos RAT pushed by this campaign. But this time, I also saw indicators for StealC malware and Sectop RAT (ArechClient2) after NetSupport RAT appeared on my infected lab host.

    Not all of the follow-up malware appears shortly after the initial Remcos RAT malware. Here's the timeline for malware from my SmartApeSG activity on Tuesday 2026-03-24:

    • 17:11 UTC - Ran ClickFix script from SmartApeSG fake CAPTCHA page
    • 17:12 UTC - Remcos RAT post-infection traffic starts
    • 17:16 UTC - NetSupport RAT post-infection traffic starts
    • 18:18 UTC - StealC post-infection traffic starts
    • 19:36 UTC - Sectop RAT post-infection traffic starts

    While the NetSupport RAT activity happened approximately 4 minutes after the Remcos RAT activity, the StealC traffic didn't happen until approximately 1 hour after the NetSupport RAT activity started. And the traffic for Sectop RAT happened approximately 1 hour and 18 minutes after the StealC activity started.

    Images from the infection


    Shown above: Page from a legitimate but compromised website with injected script for the fake CAPTCHA page.


    Shown above: Fake CAPTCHA page with ClickFix instructions. This image shows the malicious script injected into a user's clipboard.


    Shown above: Traffic from the infection filtered in Wireshark.

    Indicators of Compromise

    Associated domains and IP addresses:

    • fresicrto[.]top - Domain for server hosting fake CAPTCHA page
    • urotypos[.]com - Called by ClickFix instructions, this domain is for a server hosting the initial malware
    • 95.142.45[.]231:443 - Remcos RAT C2 server
    • 185.163.47[.]220:443 - NetSupport RAT C2 server
    • 89.46.38[.]100:80 - StealC C2 server
    • 195.85.115[.]11:9000 - Sectop RAT (ArechClient2) C2 server

    Example of HTA file retrieved by ClickFix script:

    • SHA256 hash: 212d8007a7ce374d38949cf54d80133bd69338131670282008940f1995d7a720
    • File size: 47,714 bytes
    • File type: HTML document text, ASCII text, with very long lines (6272)
    • Retrieved from: hxxps[:]//urotypos[.]com/cd/temp
    • Saved location: C:\Users\[username]\AppData\Local\post.hta
    • Note: ClickFix script deletes the file after retrieving and running it

    Example of ZIP archive for Remcos RAT retrieved by the above HTA file:

    ZIP archive containing NetSupport RAT package:

    RAR archive for StealC package:

    RAR archive for Sectop RAT (ArechClient2) package:

    Final words

    The archive files for Remcos RAT, StealC and Sectop RAT are packages that use legitimate EXE files to side-load malicious DLLs (a technique called DLL side-loading). The NetSupport RAT package is a legitimate tool that's configured to use an attacker-controlled server.

    As always, the files, URLs and domains for SmartApeSG activity change on a near-daily basis. And names of the HTA file and ZIP archive for Remcos RAT are different for each infection. The indicators described in this article may no longer be current as you read this. However, this activity confirms that the SmartApeSG campaign can push a variety of malware after an initial infection.
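
The HTA described above is saved directly under AppData\Local, deleted right after it runs, and renamed for each infection, so a hunt for that behaviour outlasts the file hash. The Python below is an added example, not part of the original diary; the event schema, host names, the file name x7k2.hta and the 120-second threshold are assumptions, and the events are constructed.

```python
# Added example: flag .hta files dropped directly into AppData\Local and deleted
# within seconds. Events are constructed; field names are an assumed schema.
import re
from datetime import datetime, timedelta

# Any file name ending in .hta directly under C:\Users\<name>\AppData\Local (no subfolder)
HTA_IN_LOCAL = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\[^\\]+\.hta$", re.I)
MAX_LIFETIME = timedelta(seconds=120)  # assumed threshold, tune locally

SAMPLE_EVENTS = [  # constructed telemetry, not captured from the infection
    {"time": "2026-03-24T17:11:02Z", "host": "LAB-PC1", "action": "create",
     "path": r"C:\Users\alice\AppData\Local\post.hta"},
    {"time": "2026-03-24T17:11:09Z", "host": "LAB-PC1", "action": "delete",
     "path": r"C:\Users\alice\AppData\Local\post.hta"},
    {"time": "2026-03-24T09:00:00Z", "host": "LAB-PC2", "action": "create",
     "path": r"C:\Users\bob\AppData\Local\x7k2.hta"},  # different name, same pattern
    {"time": "2026-03-24T09:00:04Z", "host": "LAB-PC2", "action": "delete",
     "path": r"c:\users\bob\appdata\local\x7k2.hta"},  # case differs in delete event
    {"time": "2026-03-24T10:00:00Z", "host": "LAB-PC3", "action": "create",
     "path": r"C:\Users\carol\AppData\Local\Vendor\help.hta"},  # subfolder: ignored
    {"time": "2026-03-24T10:00:03Z", "host": "LAB-PC3", "action": "delete",
     "path": r"C:\Users\carol\AppData\Local\Vendor\help.hta"},
    {"time": "2026-03-24T11:00:00Z", "host": "LAB-PC4", "action": "create",
     "path": r"C:\Users\dave\AppData\Local\notes.hta"},
    {"time": "2026-03-24T13:30:00Z", "host": "LAB-PC4", "action": "delete",
     "path": r"C:\Users\dave\AppData\Local\notes.hta"},  # long-lived: ignored
]

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_short_lived_hta(events, max_lifetime=MAX_LIFETIME):
    created, hits = {}, []  # pending creates keyed by (host, lowercased path)
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        if not HTA_IN_LOCAL.match(ev["path"]):
            continue
        key = (ev["host"], ev["path"].lower())
        if ev["action"] == "create":
            created[key] = ev
        elif ev["action"] == "delete" and key in created:
            first = created.pop(key)
            lifetime = parse_time(ev["time"]) - parse_time(first["time"])
            if lifetime <= max_lifetime:
                hits.append({"host": ev["host"], "path": first["path"],
                             "lifetime_s": int(lifetime.total_seconds())})
    return hits

if __name__ == "__main__":
    for hit in find_short_lived_hta(SAMPLE_EVENTS):
        print(hit)
```

Feed it file create and delete events exported from your endpoint telemetry, mapped to the `time`, `host`, `action` and `path` fields used here.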

    ---
    Bradley Duncan
    brad [at] malware-traffic-analysis.net

    ISC Stormcast For Wednesday, March 25th, 2026 https://isc.sans.edu/podcastdetail/9864
