FBI Investigates Breach of Surveillance and Wiretap Systems
The U.S. Federal Bureau of Investigation (FBI) has confirmed that it is investigating a breach involving systems used to manage surveillance and wiretap warrants. According to the agency,
Bitdefender's latest research details a pivot by APT36 from high-sophistication exploits toward a model dubbed "Vibeware."
An older but critical vulnerability (CVE-2021-22681) affecting Rockwell Automation industrial control system (ICS) products is actively being exploited in the wild.
Push Security researchers have identified an active malvertising campaign leveraging a technique they call "InstallFix,"
In the wake of recent kinetic military strikes between the U.S., Israel, and Iran, security researchers have documented a significant surge in Iranian-aligned cyber activity.
Cisco Talos has identified a new China-nexus threat actor, designated as UAT-9244, which has been actively targeting telecommunications providers in South America since at least 2024.
In February 2026, Microsoft Defender Experts identified an advanced phishing campaign orchestrated by an unknown threat actor that utilized workplace meeting lures and fake PDF attachments to deliver signed malware.
Zscaler ThreatLabz identified a sophisticated cyber-espionage campaign conducted by an Iran-nexus threat actor tracked as Dust Specter.
Researchers observed a surge in attempts to exploit internet-connected IP cameras beginning on February 28, targeting devices from Hikvision and Dahua across Israel, Qatar, Bahrain, Kuwait, the UAE, Cyprus, and later Lebanon.
Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in the wild in 2025. Both the raw number and proportion of vulnerabilities impacting enterprise technologies reached all-time highs, with 43 zero-days (48%) affecting enterprise products, driven heavily by security and networking appliances.
On March 3, 2026, security researchers disclosed CVE-2026-28289, a critical Zero-Click Unauthenticated RCE vulnerability affecting FreeScout, a popular open-source help desk and shared mailbox application.
LastPass is warning customers about a phishing campaign that began around March 1, 2026, designed to trick users into entering their credentials on a fake login page.
Tycoon 2FA, a phishing-as-a-service (PhaaS) platform offering multi-factor authentication bypass capabilities, was taken offline this week through a coordinated effort led by Europol and Microsoft, with support from private industry partners including Trend Micro, Proofpoint, Cloudflare, Coinbase, Intel471, SpyCloud, Health-ISAC, and others.
Researchers have identified a highly coordinated campaign where threat actors masquerade as legitimate IT support personnel to deploy the Havoc command-and-control (C2) framework.
Check Point Research has identified a sophisticated Chinese-nexus Advanced Persistent Threat (APT) group, dubbed Silver Dragon, which has been targeting government and public sector organizations across Southeast Asia and Europe since at least mid-2024.
AuraStealer is an emerging information-stealing malware that first surfaced on underground hacker forums around July 2025. It is developed and actively marketed by a Russian-speaking group under a malware-as-a-service (MaaS) model, with tiered subscription offerings that include Basic and Advanced packages and a web-based control panel for customers.
Team Cymru has identified a significant uptick in the use of CyberStrikeAI, an open-source, AI-augmented offensive security tool (OST) developed by a China-based individual, "Ed1s0nZ," who is assessed to have ties to Chinese state-sponsored cyber operations.
Microsoft has identified a sophisticated phishing campaign that abuses the legitimate OAuth 2.0 protocol to bypass traditional email and browser security defenses.
The StegaBin campaign is a sophisticated software supply chain attack involving 26 malicious npm packages that deploy a multistage credential and secret harvesting operation targeting developers.
Iranian drone strikes struck three Amazon data center facilities in the UAE and Bahrain this week, disrupting cloud services across parts of the Middle East.
Between February 22 and 25, 2026, GreyNoise recorded 84,142 scanning sessions targeting SonicWall SonicOS devices' SSL VPN interfaces, originating from 4,305 unique IP addresses across 20 autonomous systems.
Security researchers at Oasis Security recently disclosed a critical vulnerability chain in OpenClaw, an increasingly popular open-source autonomous AI agent framework, codenamed “ClawJacked.”
The Iranian cyber threat landscape has undergone a significant transformation, evolving from localized, reactive strikes into a sophisticated, global operation characterized by "influence-driven disruption."
Google Cloud API keys (identifiable by the AIza... prefix), which have traditionally been designed and documented as safe to embed in public client-side code for services like Maps and Firebase, are inadvertently functioning as highly privileged authentication credentials for Google's Gemini AI.
Microsoft patched CVE-2026-21513 during February 2026's Patch Tuesday, a security features bypass vulnerability within the MSHTML framework carrying a CVSS score of 8.8.
While the line between hacktivist and state-sponsored threat actors can be blurry, Iran is a formidable adversary hosting several prominent threat actors. Iran's geopolitical objectives span disruptive and destructive attacks, cyber espionage, and financially motivated cyber attacks conducted in collaboration with ransomware actors.
Check Point Research recently identified critical vulnerabilities (CVE-2025-59536 and CVE-2026-21852) in Anthropic's Claude Code, an AI-powered command-line development tool.
For over a decade, Google told developers that standard Google Cloud API keys (the familiar “AIza…” format used for services like Maps and Firebase) were not secrets and were safe to embed in client-side code.
Aeternum C2 represents a significant evolution in botnet architecture, specifically in its use of the Polygon blockchain for command-and-control (C2) operations.
A recent deep-dive analysis by FortiGuard Labs has unmasked a sophisticated, multi-stage infection chain used to deliver the Agent Tesla infostealer. The campaign begins with business-themed phishing emails, often using lures such as "New Purchase Orders" to create urgency.
Vshell is a mature, Go-based command-and-control (C2) framework that has been actively developed since 2021 within Chinese-speaking offensive security ecosystems. Originally released as an open-source RAT,
In December 2025, Zscaler's ThreatLabz identified a new cyberespionage campaign dubbed "Ruby Jumper," orchestrated by the DPRK-sponsored threat group, APT37 (AKA ScarCruft, Ruby Sleet, and Velvet Chollima).
Zyxel has disclosed and patched a critical command injection vulnerability, CVE-2025-13942 (CVSS 9.8), affecting more than a dozen of its router and CPE models, including 4G LTE/5G NR CPEs, DSL/Ethernet CPEs, Fiber ONTs, and wireless extenders.
Steaelite is a newly observed remote access trojan (RAT) that is rapidly gaining attention on underground cybercrime networks for combining multiple malicious capabilities into a single, browser-based control panel.
Zoom meeting interface to trick users into installing surveillance software. Victims are typically lured via an email or text containing a link to a fraudulent domain, uswebzoomus[.]com/zoom/, which presents a realistic "waiting room" experience.
Microsoft Defender Experts have uncovered a highly coordinated campaign targeting software developers through malicious repositories hosted on platforms like Bitbucket, disguised as legitimate Next.js projects and recruitment "coding tests."
UNC2814, a suspected People's Republic of China (PRC)-nexus cyber espionage group active since at least 2017, has orchestrated a massive global espionage campaign targeting telecommunications and government entities across four continents.
A 39-year-old Australian national, Peter Williams, a former employee of U.S. defense contractor L3Harris, has been sentenced to 87 months in prison for selling eight zero-day exploits to Russian exploit broker Operation Zero in exchange for millions of dollars in cryptocurrency.
Summary: The "Diesel Vortex" operation, active from late 2025 through February 2026, represents a highly industrialized approach to logistics-themed cybercrime.
A recent intelligence brief from Dataminr has identified a tactical evolution in the operations of the cybercrime "supergroup" known as Scattered Lapsus$ Hunters (SLH).
A critical authentication bypass vulnerability exists in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage).
Severity - High: The attack relies on ClickFix social engineering, preying on the habit of quickly copying and pasting curl installation commands from documentation or websites into the macOS Terminal.
Sinobi is a financially motivated Ransomware-as-a-Service (RaaS) operation that emerged in mid-2025. Employing a double-extortion strategy, the threat actor exfiltrates sensitive data before executing high-speed encryption, forcing victims into negotiations under the threat of public data release.
North Korean state-backed hackers linked to the Lazarus Group are targeting U.S. healthcare organizations in extortion attacks using the Medusa ransomware, according to a new report from Symantec.
Trend Micro researchers have identified a novel distribution campaign for the Atomic macOS Stealer (AMOS), targeting users of the OpenClaw AI agent framework. Historically, AMOS was distributed through "cracked" software or malvertising; however, threat actors are now weaponizing the emerging "agentic AI" ecosystem.
The "SANDWORM_MODE" campaign represents a highly sophisticated evolution in software supply chain attacks, specifically targeting the JavaScript (npm) ecosystem and modern AI-driven development workflows.
Starkiller is a commercially sold phishing-as-a-service framework developed by a threat group called Jinkusu, first reported by Abnormal AI in February 2026. Unlike traditional phishing kits that rely on static HTML clones of legitimate login pages, Starkiller takes a fundamentally different approach: it spins up a headless Chrome instance inside a Docker container that loads a brand's real website and proxies it live to the victim.