Trending Topics

How Iran’s Threats Turn Tech Infrastructure into a Warfront

Iran’s threat to attack facilities of major U.S. tech and finance firms in the Middle East, including Apple, Google, Microsoft, Nvidia, Meta, IBM, Oracle, Tesla, Boeing, JPMorgan, and others, marks a clear shift toward treating commercial cloud and AI infrastructure as strategic wartime assets. Even if physical strikes are limited to Gulf data centers and related facilities, associated cyber operations (DDoS, wipers, ransomware‑like incidents, and hack‑and‑leak campaigns) are highly likely to spill over into Europe and North America, targeting not only the named companies but also their customers, suppliers, and shared cloud or identity platforms. Other states and criminal groups may exploit the chaos by disguising their campaigns as Iran‑aligned hacktivism, increasing overall noise and complicating attribution. Over the next 3–6 months, organizations should assume elevated multi‑vector risk, particularly around cloud regions in the Gulf, subsea cable landing points, telcos, managed service providers, and SaaS platforms that provide access to larger ecosystems. Threat actors aligned with or inspired by Iran are likely to favor familiar techniques: exploitation of exposed VPNs and edge devices, credential‑based intrusions, destructive malware, and noisy DDoS or web defacement for psychological effect. At the same time, more capable operators may focus on targeted intrusions and data theft against financial systems, strategic industrial firms, and AI or defense‑adjacent technology providers whose compromise offers long‑term intelligence or disruptive potential. In this environment, priority defensive actions include hardening identity (phishing‑resistant MFA on all admin and remote access, conditional access, and geo‑velocity checks), rapidly reducing exposed attack surface (patching and locking down internet‑facing services, enforcing DDoS protections), and segmenting critical workloads so destructive attacks cannot easily propagate. Executives should drive scenario planning for sudden loss of a cloud region or key data center, demand updated threat and continuity statements from major vendors in affected regions, and ensure staff training and phishing simulations reflect current Iran/IRGC narratives and lures. Boards and leadership teams should treat this as a strategic risk inflection point, integrating geopolitical cyber exposure into enterprise risk, insurance decisions, and investment in resilience and incident response capabilities.

Anthropic’s Claude Code Spill and the New AI Security Reality

Anthropic reportedly exposed around 512,000 lines of Claude‑related source code via a misconfigured public repository, including core components, internal tools, and supporting services for its AI platform. Even though no customer data has been confirmed leaked, the exposure gives adversaries an unusually detailed view into Claude’s architecture, pipelines, and safety mechanisms, turning the codebase into a blueprint for targeted attack and abuse. This significantly raises the strategic value of the incident for both sophisticated threat actors and commercial competitors. From a security standpoint, large‑scale source exposure accelerates vulnerability discovery, model‑stealing attempts, and jailbreaking techniques tuned specifically to Claude’s guardrails and internal APIs. Attackers can mine the code for hard‑coded secrets, weak authentication paths, and assumptions about how prompts, responses, and safety filters are processed, enabling more precise prompt‑injection and bypass strategies. If CI/CD or infrastructure details are included, the leak may also reveal lateral‑movement paths into Anthropic’s broader environment or that of its partners. AI builders should now treat source, configuration, and safety‑pipeline code as crown‑jewel assets, enforcing strict access controls, secret management, automated scanning, and rigorous checks before any repository is made public. Enterprises consuming frontier AI should assume that at least some internals of major models will eventually become known to adversaries and design compensating controls, such as robust input validation, output monitoring, rate‑limiting, and human review for decision‑critical use cases, rather than over‑trusting opaque AI APIs. Security and governance teams should also push vendors for clear disclosure on their secure‑development lifecycle and their playbook for handling source‑code exposures of this kind.

Ransomware Gangs Turn Everyday IT Tools into Stealth Weapons

New research from Seqrite highlights a growing “dual‑use dilemma,” where ransomware operators repurpose legitimate IT utilities, such as Process Hacker, IOBit Unlocker, ProcessKO, PowerRun, YDArk, Mimikatz, and Unlock_IT, to disable defenses, gain SYSTEM‑ or kernel‑level control, and cover their tracks. These tools, often digitally signed and trusted by default, are being woven into campaigns by families like LockBit Black 3.0, Dharma, Phobos, Makop, MedusaLocker, and INC Ransomware to silently kill antivirus processes, steal credentials, and wipe logs as part of a structured kill chain that typically starts with phishing or stolen credentials. The result is that ransomware is no longer just malware but an operator‑driven operation using the same toolset as legitimate administrators and penetration testers. This trend is accelerating as RaaS offerings like LockBit 3.0 and BlackCat increasingly ship with built‑in AV‑killing features and curated collections of “admin” tools that help attackers blend in with normal IT activity. Researchers warn that future waves may feature AI‑assisted tooling that automatically selects the best method to disable security controls and evade detection in a given environment, turning trusted utilities and security products themselves into ideal disguises for intruders. Organizations should therefore assume that commodity malware detection alone is insufficient and that living‑off‑the‑land and dual‑use tooling will continue to dominate hands‑on‑keyboard intrusions. To respond, defenders need to treat powerful IT tools as high‑risk assets: tightly control who can use them, restrict where they can run, and monitor their execution as potential early‑stage ransomware indicators. Practical steps include application allow‑listing and least‑privilege policies for admin utilities; EDR rules that flag or block tools like Process Hacker, IOBit Unlocker, PowerRun, and Mimikatz when used outside approved workflows; and stronger hardening of email, identity, and endpoint controls to disrupt the initial phishing‑ and credential‑driven footholds described in the research. Security teams should also update incident playbooks to account for log wiping and AV‑kill stages, ensuring redundant telemetry and response capabilities remain available even when primary security tools are disabled.

WhatsApp Lures, Windows Hijack: Inside the Stealthy VBS Campaign Abusing Legit Tools

Microsoft is warning about a new campaign that delivers malicious Visual Basic Script (VBS) files through WhatsApp messages, kicking off a multi‑stage infection chain that establishes persistence and remote access on Windows systems. The operation leans heavily on social engineering and “living‑off‑the‑land” techniques: once the VBS is executed, it creates hidden folders under C:\ProgramData, then drops and runs renamed Windows utilities, such as curl.exe masquerading as netapi.dll and bitsadmin.exe posing as sc.exe, to download follow‑on payloads from trusted cloud platforms like AWS S3, Tencent Cloud, and Backblaze B2. These secondary VBS scripts ultimately install malicious MSI packages, giving attackers a foothold that blends seamlessly with normal system and network activity. After the initial compromise, the malware focuses on weakening local defenses and escalating privileges by tampering with User Account Control (UAC) settings and repeatedly attempting to launch cmd.exe with elevated rights until it succeeds or is killed. It modifies registry keys under HKLM\Software\Microsoft\Win, embeds persistence mechanisms to survive reboots, and uses a combination of UAC bypass and registry manipulation to deploy unsigned MSI installers without user interaction. Among these installers are legitimate remote‑access tools like AnyDesk, which attackers leverage for persistent remote control, data exfiltration, and the option to deploy additional malware over time. Defenders should treat unexpected WhatsApp‑delivered files, especially VBS scripts, as high‑risk and block or tightly control script execution via Group Policy, application control, or EDR. Hardening steps include monitoring and alerting on renamed or suspicious usage of built‑in tools (curl, bitsadmin, msiexec, cmd.exe), restricting who can install MSI packages, and closely watching for unusual UAC behavior or registry changes under HKLM\Software\Microsoft\Win. Organizations should also tune detections for remote‑access software abuse (e.g., AnyDesk installed outside standard IT workflows) and educate users that WhatsApp and other messaging apps are now common malware delivery channels, not just email.

CERT-UA Lookalike: AGEWHEEZE RAT Phishing Wave Tests Trust in Cyber Alerts

Ukraine’s national computer emergency response team (CERT-UA) has detailed a phishing campaign in which threat actors impersonated the agency itself to deliver a Go-based remote access trojan dubbed AGEWHEEZE. The group, tracked as UAC‑0255 and linked to the alias “Cyber Serp,” sent messages on March 26–27, 2026, from addresses like incidents@cert-ua[.]tech, urging recipients across government, healthcare, security, education, finance, and software development to install a “CERT_UA_protection_tool.zip” archive hosted on Files[.]fm. Inside, the supposed “specialized software” instead fetched AGEWHEEZE, which poses as security tooling from the national cyber agency. Once executed, AGEWHEEZE connects over WebSockets to a command‑and‑control server at 54.36.237[.]92 and supports extensive RAT capabilities: executing commands, performing file operations, modifying the clipboard, emulating mouse and keyboard, taking screenshots, and managing processes and services. It persists by creating scheduled tasks, altering Windows Registry keys, or dropping itself into the Startup folder, giving attackers durable access to compromised Windows systems. Despite claims on Cyber Serp’s Telegram channel, where the group boasts of sending 1 million phishing emails and compromising over 200,000 devices, CERT‑UA assesses the real impact as limited, identifying only a few infected personal devices belonging to staff at educational institutions and providing direct remediation support. The operation also relied on infrastructure meant to appear credible at a glance: the fake cert-ua[.]tech site, likely generated with help from AI tools and even tagged in its HTML with the Russian phrase “С Любовью, КИБЕР СЕРП” (“With Love, CYBER SERP”). Cyber Serp has also claimed responsibility for a previous incident involving the Ukrainian cybersecurity firm Cipher, though the company says only one employee’s credentials were compromised and that sensitive data and core infrastructure remained unaffected. The campaign underscores the need for organizations to verify “official” security notices through known domains and channels, treat password‑protected archives in unsolicited alerts as suspicious, and monitor for unusual WebSocket traffic and persistence mechanisms consistent with RAT activity.