
Threat Alerts

Your place for the latest CyberProof cyber threat intelligence alerts and updates


Epic Fury & Lion’s Roar: Dual Military Campaign Targeting Iran – Part 3

06-Mar-2026
Label: Threat Advisory
Threat Level: Medium

Evolving Cyber Threat Landscape: Following the escalation triggered by Operation Epic Fury, cyber activity has continued to evolve with increased disruption campaigns, reconnaissance operations, and vulnerability exploitation attempts linked to Iranian-aligned actors and hacktivist collectives.

Seedworm / MuddyWater Espionage Activity: The Iranian APT group Seedworm (also tracked as MuddyWater) has expanded its cyber espionage operations, maintaining access inside multiple organizations including a bank, airport, and software company, demonstrating long-term infiltration strategies during the conflict escalation.

New Malware and Backdoor Deployment: Iranian campaigns have introduced additional malware tooling including GhostFetch downloaders, CHAR backdoors, and HTTP_VIP loaders, which enable attackers to download payloads, maintain command-and-control communication, and sustain persistent access in compromised environments.

Emergence of the Dindoor Backdoor: Threat researchers identified a new malware implant known as Dindoor, deployed by Seedworm/MuddyWater to maintain remote command execution and persistence within targeted networks.

Expansion of Iranian Cyber Infrastructure: Intelligence investigations indicate a large operational ecosystem, with analysts tracking dozens of Iranian threat groups and infrastructure clusters supporting espionage and intrusion operations targeting government, energy, defense, and financial sectors.

Increased Targeting of ICS and OT Environments: Intelligence reporting indicates growing reconnaissance activity targeting Industrial Control Systems (ICS) and Operational Technology (OT) environments. Iranian-aligned actors are scanning internet-exposed industrial devices and management systems within sectors such as energy, utilities, and critical infrastructure, potentially identifying vulnerabilities that could be leveraged for intelligence collection or operational disruption during periods of heightened geopolitical tension.

Structured Cyber Campaigns: Operations such as Operation Olalampo highlight a more coordinated Iranian cyber strategy involving reconnaissance, exploitation of exposed services, and long-term persistence within targeted networks.

Epic Fury & Lion’s Roar: Dual Military Campaign Targeting Iran – Part 2

05-Mar-2026
Label: Threat Advisory
Threat Level: Medium

Following the escalation triggered by coordinated U.S. and Israeli strikes under Operation Epic Fury on 28 February 2026, the cyber dimension of the conflict has continued to evolve. Recent intelligence indicates increased hacktivist mobilization, vulnerability exploitation attempts, and reconnaissance activity targeting organizations perceived to support Western geopolitical interests.

Expanded Hacktivist Activity: Cyber activity following Operation Epic Fury has seen a significant increase in hacktivist participation. Groups such as DieNet, Keymous+, NoName057(16) and previously active Sylhet Gang have conducted coordinated DDoS campaigns, with 149 attacks targeting 110 organizations across 16 countries, primarily affecting government and public-facing infrastructure.

State-Linked Reconnaissance and Exploitation: Iranian cyber operations linked to the Islamic Revolutionary Guard Corps and the Ministry of Intelligence and Security continue to focus on stealthier intrusion campaigns. Threat actors such as APT42 and MuddyWater have been observed conducting reconnaissance and attempting to exploit vulnerabilities across enterprise platforms.

Increased Vulnerability Exploitation Risk: Multiple actors have been scanning for and attempting to exploit recently disclosed vulnerabilities across widely used enterprise technologies, highlighting an elevated risk of initial access through exposed services and misconfigured infrastructure.

Epic Fury & Lion’s Roar: Dual Military Campaign Targeting Iran

03-Mar-2026
Label: Threat Advisory
Threat Level: Medium

On 28 February 2026, the United States and Israel conducted coordinated strikes under Operation Epic Fury targeting Iranian military and strategic infrastructure. Iran responded with missile and drone launches across the Middle East, triggering parallel cyber escalation. Increased cyber activity has been observed, including high-volume distributed denial-of-service (DDoS) attacks, limited website defacements and propaganda-amplified intrusion claims targeting regional digital assets.

Iranian cyber operations are primarily orchestrated through the Islamic Revolutionary Guard Corps and the Ministry of Intelligence and Security. Key state-aligned threat actors include APT42 (APT35 / Charming Kitten) and MuddyWater, alongside pro-Iranian hacktivist groups conducting opportunistic disruption campaigns. Iran has also imposed domestic internet restrictions, limiting visibility into Iran-hosted cyber operations. While visible disruption dominates reporting, the greater strategic risk lies in sustained credential compromise and persistent access operations.

Active Exploitation of Cisco SD-WAN Zero-Day Observed

02-Mar-2026
Label: Vulnerability
Threat Level: Medium

A critical vulnerability in Cisco’s SD-WAN platform, CVE-2026-20127 (CVSS Score 10.0), has been actively exploited since at least 2023, allowing remote, unauthenticated attackers to bypass authentication and gain full administrative control over affected systems. The flaw impacts all deployment types, on-premises and cloud-hosted environments alike, making its reach exceptionally broad and the risk to network infrastructure severe.

The vulnerability stems from a broken peering authentication mechanism, which attackers exploit by sending specially crafted requests to exposed systems. Once inside, they gain access to a high-privileged internal account, which they then use to manipulate network configurations across the SD-WAN fabric via NETCONF. The threat actor behind the campaign did not stop at initial access: evidence was found that the attacker deliberately downgraded the software version to escalate privileges to root, leveraging a separate known vulnerability, CVE-2022-20775 (CVSS Score 7.8), before restoring the original version to maintain stealthy, persistent root access.

This multi-stage infection chain (initial authentication bypass, privilege escalation through version manipulation, and silent restoration of the environment) reflects a level of operational sophistication designed to evade detection over extended periods.
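The downgrade-then-restore step is the part of this chain a defender can look for in change records even when the intrusion itself left no alert. The following is an added example, not Cisco's or CyberProof's tooling: it scans a stream of software-version change events per device and flags any version decrease, rating it higher when the original version reappears within a short window. The event shape, device names, version numbers and timestamps are constructed for this illustration; real records would be mapped onto that shape first.

```javascript
// Added example (not Cisco's or CyberProof's code): flag the
// downgrade-then-restore pattern in software-version change events.
// The event format and all sample values below are constructed.

// Constructed sample: one entry per observed version change.
const SAMPLE_EVENTS = [
  { ts: '2026-02-20T08:00:00Z', device: 'controller-01', version: '20.9.5' },
  { ts: '2026-02-26T02:13:00Z', device: 'controller-01', version: '20.6.1' }, // downgrade
  { ts: '2026-02-26T02:41:00Z', device: 'controller-01', version: '20.9.5' }, // restored
  { ts: '2026-02-21T09:00:00Z', device: 'controller-02', version: '20.9.5' },
  { ts: '2026-02-27T10:00:00Z', device: 'controller-02', version: '20.12.1' }, // ordinary upgrade
  { ts: '2026-02-22T09:00:00Z', device: 'controller-03', version: '20.9.5' },
  { ts: '2026-02-25T09:00:00Z', device: 'controller-03', version: '20.6.1' }, // downgrade, never restored
];

// Compare dotted numeric versions component by component.
// Returns a negative number if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return one finding per version decrease. If the pre-downgrade version is
// seen again on the same device within `windowHours`, the finding records
// the restore time and is rated high, matching the pattern in the advisory.
function findDowngradeRestore(events, windowHours = 24) {
  const byDevice = new Map();
  for (const e of events) {
    if (!byDevice.has(e.device)) byDevice.set(e.device, []);
    byDevice.get(e.device).push(e);
  }

  const findings = [];
  for (const [device, list] of byDevice) {
    list.sort((x, y) => Date.parse(x.ts) - Date.parse(y.ts)); // chronological per device
    for (let i = 1; i < list.length; i++) {
      const before = list[i - 1];
      const down = list[i];
      if (compareVersions(down.version, before.version) >= 0) continue; // not a downgrade

      // Look ahead for the original version coming back inside the window.
      const deadline = Date.parse(down.ts) + windowHours * 3600 * 1000;
      const restore = list
        .slice(i + 1)
        .find((e) => Date.parse(e.ts) <= deadline && e.version === before.version);

      findings.push({
        device,
        downgradedAt: down.ts,
        from: before.version,
        to: down.version,
        restoredAt: restore ? restore.ts : null,
        severity: restore ? 'high' : 'medium',
      });
    }
  }
  return findings;
}

// Stand-alone run: print the findings for the constructed sample.
for (const f of findDowngradeRestore(SAMPLE_EVENTS)) {
  console.log(`${f.device}: ${f.from} -> ${f.to} at ${f.downgradedAt}` +
    (f.restoredAt ? `, restored at ${f.restoredAt}` : ', not restored') +
    ` [${f.severity}]`);
}
```

Any downgrade of a network controller deserves a ticket; the window logic exists because a downgrade that is quietly reverted within minutes is far less likely to be maintenance and closely matches the behaviour described above. The window length is a tuning choice, not a value from the advisory.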

RESURGE Malware Exploits Ivanti VPN Flaw to Establish Stealthy Enterprise Backdoors

02-Mar-2026
Label: Vulnerability
Threat Level: Medium

A newly identified malware, RESURGE, targets Ivanti Connect Secure appliances by exploiting a critical unauthenticated remote code execution vulnerability, CVE-2025-0282 (CVSS Score 9.0). Because Ivanti’s affected products serve as internet-facing VPN gateways, this flaw provides attackers with a direct entry point into enterprise networks without requiring valid credentials. The combination of a highly accessible attack surface and a sophisticated, multi-functional implant makes this threat particularly severe for organizations relying on these appliances for remote access.

The vulnerability itself stems from improper bounds checking when the appliance processes certain protocol packets from unauthenticated clients, allowing a specially crafted request to overflow stack memory and redirect execution flow. Attackers typically identify exposed appliances and send malformed requests, often routing their activity through anonymizing infrastructure to obscure their origin. Once remote code execution is achieved, RESURGE is deployed directly onto the compromised device. The malware operates simultaneously as a backdoor, dropper, rootkit, and trojan, and distinguishes itself through a fully passive command and control architecture: it never initiates outbound connections, instead embedding itself into the appliance’s native web server process and silently monitoring inbound traffic for specially crafted operator commands. Authentication is handled covertly within the TLS handshake itself, making all sessions appear legitimate to outside observers.

Beyond initial access, the malware establishes deep persistence through multiple mechanisms: it hooks into system startup processes, tampers with the device’s built-in integrity checker by replacing file hashes, modifies integrity scanning scripts to suppress detection, and even injects malicious components into the boot image in a way that can survive reboots and potentially factory resets. An embedded log-manipulation module further suppresses forensic evidence by intercepting and altering log entries at runtime. Bundled utilities give operators broad capabilities for file manipulation and system modification once inside. The layered nature of this implant, combining covert communication, anti-forensic capabilities, and boot-level persistence, makes it exceptionally difficult to detect and fully eradicate from a compromised environment.

Critical Angular SSR SSRF Vulnerability Enables Network Probing

02-Mar-2026
Label: Vulnerability
Threat Level: Medium

A highly critical vulnerability has been disclosed in Angular Server-Side Rendering (SSR), tracked as CVE-2026-27739 (CVSS 9.2). The flaw enables Server-Side Request Forgery (SSRF) by exploiting weaknesses in how the framework constructs and processes URLs during server-side request handling. Successful exploitation allows attackers to coerce vulnerable applications into issuing unauthorized internal requests, potentially exposing sensitive credentials, internal services and cloud metadata endpoints that are not accessible from the public internet.

The root cause stems from insufficient validation of HTTP headers used to determine request origin and routing. Attackers can manipulate these headers to spoof domains, inject malformed port values and alter path components, which are then incorporated into URL construction logic without sanitization. Because Angular’s internal HTTP client resolves relative URLs using this attacker-controlled base, subsequent server-side requests can be redirected to malicious endpoints, leaking authorization tokens and session cookies. The vulnerability affects deployments where SSR is enabled, the application server is directly reachable and upstream infrastructure fails to normalize or filter incoming headers. Patched versions are available, along with interim mitigations, but the high severity and potential for internal network exposure make this one of the most serious SSR-related flaws disclosed in recent years.
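The mitigation the advisory points at (normalize or filter incoming headers before they reach URL construction) can be illustrated in a few lines of server-side code. What follows is an added example, not Angular's code and not CyberProof's: it derives the base URL a server-rendered app uses for its relative HTTP calls only from a validated, allowlisted Host header, honours X-Forwarded-* headers only when a trusted proxy sets them, rejects malformed port values, and refuses any resolved URL whose origin differs from the validated base. The allowlist, header map shape and function names are assumptions for this example, and the hostname grammar is a simplified one (no IPv6 literals or userinfo).

```javascript
// Added example (not Angular's or CyberProof's code): validate the request
// headers that feed server-side URL construction, so a spoofed Host or
// X-Forwarded-Host cannot redirect the app's own server-side requests.
// Allowlist, header shape and names are assumptions for this illustration.

// Constructed allowlist of host[:port] values this deployment answers for.
const ALLOWED_HOSTS = new Set(['app.example.com', 'localhost:4000']);

// Host header grammar: DNS hostname with an optional numeric port and nothing
// else (no userinfo, path, fragment or bracketed IPv6 literal in this form).
const HOST_RE =
  /^([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*)(?::(\d{1,5}))?$/i;

// Parse "hostname[:port]". Returns null for anything malformed, including
// non-numeric ports and ports outside 1-65535.
function parseHost(value) {
  if (typeof value !== 'string') return null;
  const m = HOST_RE.exec(value.trim());
  if (!m) return null;
  const port = m[2] === undefined ? null : Number(m[2]);
  if (port !== null && (port < 1 || port > 65535)) return null;
  return { hostname: m[1].toLowerCase(), port };
}

// headers: map of lowercase header name -> string, as Node's http module
// exposes them. opts.trustProxy: honour X-Forwarded-Host / X-Forwarded-Proto
// only when a trusted reverse proxy in front of this server overwrites them;
// otherwise they are plain client input and are ignored.
function resolveBaseUrl(headers, opts = {}) {
  const trustProxy = opts.trustProxy === true;
  const forwardedHost = headers['x-forwarded-host'];
  const rawHost = trustProxy && typeof forwardedHost === 'string'
    ? forwardedHost.split(',')[0] // chained proxies append; first entry is client-facing
    : headers['host'];

  const parsed = parseHost(rawHost);
  if (parsed === null) return null;

  const hostString = parsed.port === null
    ? parsed.hostname
    : `${parsed.hostname}:${parsed.port}`;
  if (!ALLOWED_HOSTS.has(hostString)) return null; // unknown host: refuse, never guess

  const proto = trustProxy && headers['x-forwarded-proto'] === 'https' ? 'https' : 'http';
  return `${proto}://${hostString}/`;
}

// Resolve a relative path against the validated base and confirm the result
// still points at the same origin, so a path such as "//other.example/x" or
// an absolute URL cannot steer the server-side request elsewhere.
function resolveServerSideRequest(headers, relativePath, opts = {}) {
  const base = resolveBaseUrl(headers, opts);
  if (base === null) return null;
  const target = new URL(relativePath, base);
  if (target.origin !== new URL(base).origin) return null;
  return target.href;
}

// Stand-alone run against constructed headers.
console.log(resolveServerSideRequest({ host: 'app.example.com' }, '/api/session'));
console.log(resolveServerSideRequest({ host: 'other.example' }, '/api/session'));
```

Returning null for an unrecognised host, rather than falling back to whatever the client sent, is the point: the SSR layer should use its own configured origin for internal calls, and header-derived values are only acceptable after they match that configuration.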
