Trending Topics
TRENDING TOPICS MAR 04, 2026

Iranian APT Escalation Targets Global Critical Infrastructure Amid Expanding Regional Conflict

Following the joint U.S.–Israeli strike known as Operation Lion’s Roar, Iran has escalated retaliatory cyber operations against global critical infrastructure. Iranian state-sponsored threat groups, including MuddyWater, OilRig, APT33, and UNC1549, have intensified campaigns targeting the energy, transportation, and manufacturing sectors. Security researchers tracking the activity report a spike in phishing, credential theft, and early-stage reconnaissance, signaling a coordinated effort to disrupt adversaries through digital means alongside military escalation. Recent telemetry from Nozomi Networks and partner threat intelligence feeds indicates that these adversaries are leveraging default credentials, brute-force attacks, and network scanning to gain footholds in operational environments. Organizations across the Middle East face elevated risk: over 60% of detected vulnerabilities are rated High or Critical, and their EPSS (exploitability) scores average twice the global figure. This reconnaissance phase points to a deliberate attempt to map target environments before launching potentially destructive payloads. Defenders are advised to immediately enhance continuous monitoring, enforce strict segmentation between IT and OT networks, and refresh Iranian APT indicators on a rolling basis. Rapid credential resets, prioritized patching of exposed systems, and adaptive anomaly detection across industrial protocols remain critical steps to mitigate the growing threat as the conflict expands across both physical and cyber domains.
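The default-credential and brute-force activity described above can be surfaced from device authentication logs. The following detector is an added example (not code from Nozomi Networks or Hunter Strategy); the syslog-style line format, host names, source addresses and the default-account list are all constructed assumptions for illustration.

```python
"""Flag brute-force bursts and default-account logins in constructed OT auth logs.
Added example; log format, hosts, addresses and DEFAULT_ACCOUNTS are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
DEFAULT_ACCOUNTS = {"admin", "operator", "root"}  # assumed vendor default accounts
WINDOW = timedelta(minutes=5)                       # sliding window for failure counting
FAIL_THRESHOLD = 5                                 # failures per (src, host) that trigger an alert

# Constructed sample lines: a spray across default accounts, then a success.
SAMPLE_LOG = """\
2026-03-03T10:00:01Z plc-01 auth: FAIL user=admin src=10.9.8.7
2026-03-03T10:00:03Z plc-01 auth: FAIL user=admin src=10.9.8.7
2026-03-03T10:00:05Z plc-01 auth: FAIL user=operator src=10.9.8.7
2026-03-03T10:00:07Z plc-01 auth: FAIL user=root src=10.9.8.7
2026-03-03T10:00:09Z plc-01 auth: FAIL user=admin src=10.9.8.7
2026-03-03T10:00:11Z plc-01 auth: OK user=admin src=10.9.8.7
2026-03-03T10:30:00Z hmi-02 auth: OK user=jsmith src=10.1.1.20
2026-03-03T10:31:00Z hmi-02 auth: OK user=operator src=10.1.1.21
"""

def parse(line):
    """Return the event fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return d

def detect(log_text):
    """Return alert strings; failures are tracked per (src, host) inside WINDOW."""
    fails = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        q = fails[(ev["src"], ev["host"])]
        while q and ev["ts"] - q[0] > WINDOW:   # drop failures older than the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            if len(q) == FAIL_THRESHOLD:        # fire once when the threshold is reached
                alerts.append(f"brute-force {ev['src']} -> {ev['host']}")
        else:
            if len(q) >= FAIL_THRESHOLD:        # success right after a burst of failures
                alerts.append(f"success-after-failures {ev['src']} -> {ev['host']} user={ev['user']}")
            if ev["user"] in DEFAULT_ACCOUNTS:  # any login with a vendor default account
                alerts.append(f"default-account-login {ev['host']} user={ev['user']}")
    return alerts
```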

Ransomware Activity Declines 17.6% as Qilin and INC_Ransom Target U.S. Law and Accounting Firms

Ransomware activity declined by 17.6% in early March 2026, but threat actors are growing more calculated in their targeting. Of the 225 confirmed incidents tracked by Ransom-DB between February 25 and March 4, Qilin and INC_Ransom accounted for nearly a quarter of global victim volume. Both groups focused on U.S.-based law and accounting firms, exploiting their access to confidential financial and client data to maximize leverage in extortion. Peak activity on March 3, with 54 disclosed victims, aligned with a coordinated data-dump cycle typical of major RaaS affiliates winding down one campaign and pivoting to the next. Geographic distribution again centered on the United States (112 incidents), followed by Germany, France, and Canada, reflecting a sustained preference for high-value Western markets. Beyond professional services, isolated attacks also hit energy and recycling firms in Peru and Central Europe, signaling continued APT-style interest in operational technology environments. Secondary groups like The_Gentleman and AiLock maintained high-frequency but lower-impact operations, reinforcing the maturity of the affiliate ecosystem sustaining mid-tier ransomware brands. For defenders, the data underscores a decisive behavioral shift: ransomware groups are evolving from opportunistic scanning to strategic victim profiling. Legal and accounting firms, which hold sensitive third-party data, now rank among the most lucrative targets for extortion. Analysts recommend tightening credential hygiene, segmenting network access, and deploying DLP and hardened, encrypted backup systems as essential defenses in a threat landscape where professional trust has become the new currency of cybercrime.

Update: Fake Zoom and Google Meet Pages Deploy Employee Monitoring Software in New Phishing Wave

Researchers uncovered another deceptive phishing campaign that impersonates Zoom and Google Meet to trick users into installing a legitimate, but repurposed, employee-monitoring tool on Windows systems. Fake meeting invitations direct victims to cloned waiting pages nearly identical to the real platforms, complete with simulated participant lists and audio cues. After displaying a fabricated “connection error,” the sites prompt users to download a supposed “update.” Once installed, the software deploys a Teramind agent in stealth mode. According to Malwarebytes, the malicious installer hides its presence by omitting program listings and using concealed background services, tsvchst and pmon, that automatically restart if terminated. The agent logs keystrokes, captures screenshots, monitors browsing activity, and grants attackers remote access. Initially focused on Zoom, the campaign has since expanded to target Google Meet using a fake Microsoft Store interface, with both versions sharing the same infrastructure and command-and-control endpoints. Security experts warn that because the payload is legitimate software, antivirus tools rarely flag it as malicious. They recommend verifying meeting invitations through trusted communication channels, avoiding any in-call update prompts, and double-checking URLs before entering credentials. Organizations are also urged to reinforce phishing awareness, as attackers increasingly exploit trusted corporate tools to gain persistent access and collect sensitive data.
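Because the payload is legitimate software, the more reliable signal is its persistence behaviour: the service names reported above and the stop-then-immediate-restart pattern. The script below is an added example (not Malwarebytes' or Hunter Strategy's code) that runs that logic over constructed Windows System log entries; the CSV layout is an assumed simplification of the 7045 (service installed) and 7036 (service state change) events, and the 30-second restart threshold is an assumption.

```python
"""Flag watchlisted service installs and suspiciously fast stop -> running cycles.
Added example; the CSV event layout and RESTART_LIMIT are assumptions."""
from datetime import datetime, timedelta

WATCHLIST = {"tsvchst", "pmon"}        # service names reported in the Malwarebytes write-up
RESTART_LIMIT = timedelta(seconds=30)  # assumed: a legitimate restart rarely happens this fast

# Constructed sample events (timestamp,event_id,service,state), not real telemetry.
SAMPLE_EVENTS = """\
2026-03-02T09:12:00Z,7045,tsvchst,installed
2026-03-02T09:12:01Z,7045,pmon,installed
2026-03-02T09:12:02Z,7036,tsvchst,running
2026-03-02T09:12:02Z,7036,pmon,running
2026-03-02T11:40:10Z,7036,tsvchst,stopped
2026-03-02T11:40:12Z,7036,tsvchst,running
2026-03-02T11:40:20Z,7036,pmon,stopped
2026-03-02T11:40:23Z,7036,pmon,running
2026-03-02T12:00:00Z,7036,Spooler,stopped
2026-03-02T12:05:00Z,7036,Spooler,running
"""

def parse_event(line):
    """Split one constructed event line into (timestamp, event_id, service, state)."""
    ts, event_id, name, state = line.strip().split(",")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(event_id), name, state

def detect(events_text):
    """Return alert strings for watchlist installs and auto-restarts within RESTART_LIMIT."""
    alerts = []
    last_stop = {}  # service name -> time it last entered the stopped state
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, name, state = parse_event(line)
        if event_id == 7045 and name.lower() in WATCHLIST:
            alerts.append(f"watchlist-install {name}")
        elif event_id == 7036:
            if state == "stopped":
                last_stop[name] = ts
            elif state == "running" and name in last_stop:
                gap = ts - last_stop.pop(name)
                if gap <= RESTART_LIMIT:  # came back almost immediately after being stopped
                    alerts.append(f"auto-restart {name} after {int(gap.total_seconds())}s")
    return alerts
```

The Spooler entry shows the intended negative case: a five-minute gap between stop and start is treated as an ordinary restart and not flagged.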

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.