Threat Intelligence Briefing Iranian APT Threat Landscape Report Date: March 2026 11Tracked Threat Actors 10+CVEs Actively Exploited 15+Targeted Sectors 20+Countries at Risk 2Sponsoring Agencies (IRGC / MOIS) Landscape Overview Primary Target Sectors Aerospace & Defense Energy / Oil & Gas Telecommunications Government Healthcare ICS / OT / PLC IT Providers Finance
TRENDING TOPICS MAR 04, 2026 Iranian APT Escalation Targets Global Critical Infrastructure Amid Expanding Regional Conflict Following the joint U.S.–Israeli strike known as Operation Lion’s Roar, Iran has escalated retaliatory cyber operations against global critical infrastructure. Iranian state-sponsored threat groups, including MuddyWater, OilRig, APT33, and UNC1549, have
Recon and Workflow Discovery Hackerbot-claw identified Trivy's vulnerable pull_request_target workflow ("API Diff Check"), which checked out PR code and used a PAT with broad permissions, not only the ephemeral GITHUB_TOKEN. Initial Access via PR and CI Execution The bot forked aquasecurity/trivy and
TRENDING TOPICS MAR 03, 2026 Scattered Lapsus$ Expands to Targeted Recruitment The cybercriminal group Scattered Lapsus$ (SLSH), a successor to the disbanded Lapsus$ collective known for high-profile breaches of Microsoft, NVIDIA, and Okta, is reportedly recruiting women to bolster its social engineering operations. According to a Telegram post by Dataminr
TRENDING TOPICS MAR 02, 2026 Update: Hackers Conduct Mass Scanning Campaign Against SonicWall Firewalls Using 4,000+ IPs A large-scale reconnaissance campaign is actively targeting SonicWall firewall infrastructure worldwide, with attackers using more than 4,000 unique IP addresses to identify vulnerable systems ahead of potential exploitation, according to new
CVE-2026-20127 Critical Severity Vulnerability Description A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering
TRENDING TOPICS FEB 26, 2026 GRIDTIDE Disruption: PRC-Linked UNC2814 Abused Google Sheets API for Global Espionage Google Threat Intelligence Group (GTIG), alongside Mandiant and other partners, disrupted a large-scale espionage campaign attributed to UNC2814, a suspected PRC-nexus threat actor active since at least 2017. The operation leveraged a novel C-based
Workforce Workflow Compromise Targeted outreach to employees and applicants through personal email and professional networking channels to avoid corporate security controls. Credential harvesting via cloned recruitment portals, interview scheduling pages, document-sharing prompts, and fake "candidate" communications. Secondary abuse of captured identities to access workforce-facing SaaS, internal collaboration platforms,
TRENDING TOPICS FEB 25, 2026 Malicious npm Package ambar-src Shows Fast Moving Supply Chain Risk Tenable research reported that a malicious npm package named ambar-src reached roughly 50,000 downloads before removal, showing how quickly supply chain threats can spread across developer environments. The package appears to have been built
TRENDING TOPICS FEB 24, 2026 Update: Lazarus Expands Ransomware Playbook, Leveraging Medusa Against U.S. Healthcare North Korea’s Lazarus Group has expanded its financially motivated operations by leveraging the Medusa ransomware. Security researchers at Symantec assess that a Lazarus Group subgroup, commonly tracked as Andariel or Stonefly and linked
TRENDING TOPICS FEB 23, 2026 Starkiller PHaaS Raises the Risk of MFA Bypass Phishing Starkiller is a phishing framework that increases the credibility and scale of credential theft by showing victims the real login page during the attack, rather than a copy that can become outdated. It does this by
CVE-2026-22769 Critical Severity Vulnerability Description Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability. This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying
AI
TRENDING TOPICS FEB 19, 2026 AI as Infrastructure: Covert C2 Relays and the Emergence of Prompt-Driven Malware Security researchers at Check Point Research demonstrated that modern AI assistants with web-fetch or browsing capabilities can be repurposed as covert command-and-control relays, effectively turning trusted AI platforms into proxy infrastructure. By abusing
Lumma Stealer Impact and Exposure Matrix System Assets and Credential Theft Targets Windows Endpoints Windows 7-11 workstations and laptops Exposure Details Primary execution environment for Lumma payloads and credential harvesting activity Web Browsers and Sessions Chromium and Mozilla-based browsers (Chrome, Edge, Firefox, Opera) Exposure Details Theft of saved credentials, cookies,
OpenClaw
TRENDING TOPICS FEB 18, 2026 Update: OpenClaw Ecosystem Hit by Skill Marketplace Malware and Log Injection Weakness A coordinated supply-chain campaign named ClawHavoc targeted OpenClaw’s official skill marketplace, ClawHub, by flooding it with at least 1,184 malicious Skills published over time. Attackers registered developer accounts, uploaded Skills that
Atlassian
TRENDING TOPICS FEB 17, 2026 Attackers Abuse Atlassian Jira Cloud to Deliver Trusted-Looking Spam Campaigns TrendMicro researchers observed threat actors abusing Atlassian Jira Cloud to distribute large-scale spam campaigns by sending emails directly from legitimate atlassian[.]net domains. Since the messages originated from a trusted SaaS platform with valid SPF
ClickFix
Critical Severity 1 CVE CVE-2026-1731 BeyondTrust Remote Support & PRA Critical pre-auth remote code execution in BeyondTrust Remote Support and legacy Privileged Remote Access lets unauthenticated attackers send crafted requests that run OS commands as the site user; patch self‑hosted appliances immediately, remove unnecessary internet exposure, and enable tight
LummaStealer
TRENDING TOPICS FEB 12, 2026 Update: LummaStealer Rebuilds at Scale Using CastleLoader and Social-Engineering-Driven Delivery Chains Security researchers have observed a renewed surge in LummaStealer activity, demonstrating how the infostealer operation has rapidly recovered despite a major law-enforcement disruption in 2025 that dismantled thousands of command-and-control domains. LummaStealer, a malw
Windows Endpoints Exposure Drivers High risk because Windows users frequently download utilities, productivity tools, PDF editors, browsers, remote support tools, and security products from the web. Malvertising and search manipulation can funnel these downloads to convincing counterfeit portals that deliver trojanized EXE/MSI installers, sometimes alongside the legitimate application to
RU-APT-ChainReaver-L
Critical Severity 5 CVEs CVE-2026-21522 Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability (Azure Compute Gallery) CVE-2026-21532 Azure Function Information Disclosure Vulnerability CVE-2026-23655 Microsoft ACI Confidential Containers Information Disclosure Vulnerability (Azure Compute Gallery) CVE-2026-24300 Azure Front Door (AFD) Elevation of Privilege Vulnerability CVE-2026-24302 Azure Arc Elevation of Privilege Vulnerab
ZeroDayRAT
TRENDING TOPICS FEB 10, 2026 ZeroDayRAT Mobile Spyware Enables Cross-Platform Surveillance and Financial Theft Security researchers at iVerify have identified a commercial mobile spyware platform, ZeroDayRAT, openly sold on Telegram, offering full remote control over compromised Android and iOS devices. The platform supports a wide range of operating system versions
ClawHub
TRENDING TOPICS FEB 09, 2026 Update: ClawHub Malicious Skills Shift From Embedded Payloads to Off-Platform Lures Threat actors behind an ongoing ClawHub malicious-skills campaign have changed tactics to evade newer registry defenses. Instead of hiding encoded malware inside SKILL[.]md files, they now keep the skill pages clean and use
ISPsystem
CVE-2026-25049 Critical n8n Workflow Automation COMMAND EXECUTION AUTH REQUIRED Critical vulnerability in the n8n workflow automation platform that allows authenticated users with workflow-editing permissions to trigger unintended system command execution through crafted expressions, potentially compromising the underlying server infrastructure. Mitigation: Update n8n to versions 1.123.17 or 2.5.
LockBit
TRENDING TOPICS FEB 05, 2026 Update: LockBit 5.0 Emerges as Cross-Platform Ransomware Targeting Windows, Linux, and ESXi Environments Kaspersky has identified a new wave of LockBit 5.0 ransomware samples designed to operate across Windows, Linux, and VMware ESXi environments, reflecting a continued shift toward highly scalable, multi-platform ransomware