Threat Alerts
Your place for the latest CyberProof cyber threat intelligence alerts and updates
Critical Cisco Firewall Management Flaws Enable Full Network Compromise
Cisco disclosed two maximum-severity vulnerabilities in its firewall management products, both carrying a CVSS score of 10.0. The flaws affect Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC). Because the FMC is the centralized administration point for the security appliances it manages, the flaws are a significant threat to the network perimeter: successful exploitation lets an unauthenticated remote attacker execute arbitrary code with root privileges, and the broad visibility and control a management interface holds over an organization's traffic amplifies the impact, which effectively equates to a total loss of administrative control over the network security layer.
The first vulnerability, CVE-2026-20079 (CVSS 10.0), is an authentication bypass rooted in the improper creation of a system process during the device's boot sequence. An unauthenticated attacker can bypass the standard authentication checks by sending specially crafted HTTP requests; once the check is bypassed, attacker-supplied scripts run with high-level system permissions, granting root access. The second, CVE-2026-20131 (CVSS 10.0), is an insecure deserialization flaw: the system deserializes an untrusted, user-supplied Java byte stream without validating it, so a remote attacker who sends a malicious serialized object to the management interface obtains remote code execution with root privileges the moment it is deserialized. Both flaws are reachable before authentication over the management web service, so until Cisco's fixed software is applied the management interface should be reachable only from trusted administrative networks, never from the internet, and the interface's web server logs should be reviewed for unexpected requests carrying serialized Java objects.
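As an added example (not code from CyberProof or from Cisco, and independent of any specific product), the following Python script shows the check a SOC would run against web-server or proxy logs for any management interface: does a request body carry a Java serialized object, whether raw, inside a URL-encoded form field, or base64-encoded? It keys on the fixed stream header that every Java ObjectOutputStream emits and pulls class names from the class descriptors it finds. The hostnames, paths and request bodies are constructed for the example, not captured traffic.

```python
"""Flag HTTP requests that deliver a Java serialized object stream.

Added example (not CyberProof's or Cisco's code). It is a generic check for
the deserialization bug class described above: a serialized Java object
arriving at a management interface from an unauthenticated client is worth
an alert whatever the target product. The requests below are constructed for
this example, not captured traffic.
"""
import base64
import binascii
import re
import urllib.parse
from typing import Optional

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"   # ObjectOutputStream header (STREAM_MAGIC + version 5)
B64_STREAM_PREFIX = "rO0AB"               # the same four bytes once base64-encoded


def _decode_candidates(body: bytes):
    """Yield (encoding, bytes) for the body in the encodings attackers commonly use."""
    yield "raw", body
    text = body.decode("latin-1")
    # URL-encoded form fields: inspect each value on its own.
    for key, value in urllib.parse.parse_qsl(text, keep_blank_values=True, encoding="latin-1"):
        yield f"form[{key}]", value.encode("latin-1", "replace")
    # Base64 blobs anywhere in the body, spotted by the encoded magic prefix.
    for m in re.finditer(B64_STREAM_PREFIX + r"[A-Za-z0-9+/=]{8,}", text):
        blob = m.group(0)
        try:
            yield "base64", base64.b64decode(blob + "=" * (-len(blob) % 4))
        except binascii.Error:
            continue


def extract_class_names(stream: bytes) -> list:
    """Heuristically pull class names out of TC_CLASSDESC records.

    A class descriptor is 0x72 followed by a big-endian u16 length and the
    UTF-8 class name, so scan for that shape and keep plausible names.
    """
    names = []
    for m in re.finditer(rb"\x72(..)", stream, re.DOTALL):
        length = int.from_bytes(m.group(1), "big")
        name = stream[m.end():m.end() + length]
        if 0 < length < 256 and re.fullmatch(rb"[A-Za-z0-9_$.;\[]+", name):
            names.append(name.decode("ascii"))
    return names


def scan_request(raw: bytes) -> Optional[dict]:
    """Return a finding for one raw HTTP request, or None when no stream is found."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    for encoding, candidate in _decode_candidates(body):
        if candidate.startswith(JAVA_STREAM_MAGIC):
            return {"request": request_line, "encoding": encoding,
                    "classes": extract_class_names(candidate)}
    return None


def scan_all(requests) -> list:
    """Findings for every request in a capture, in order; clean requests are dropped."""
    return [f for f in (scan_request(r) for r in requests) if f]


# Constructed samples for this example (not captured traffic).
SERIALIZED = (JAVA_STREAM_MAGIC + b"\x73\x72"                      # TC_OBJECT, TC_CLASSDESC
              + b"\x00\x11java.util.HashMap"                       # u16 length + class name
              + b"\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02")   # serialVersionUID, flags, field count

CLEAN_LOGIN = (b"POST /login HTTP/1.1\r\nHost: fmc.example.internal\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               b"username=admin&password=hunter2")
RAW_STREAM = (b"POST /api/upload HTTP/1.1\r\nHost: fmc.example.internal\r\n"
              b"Content-Type: application/octet-stream\r\n\r\n" + SERIALIZED)
B64_IN_FORM = (b"POST /api/import HTTP/1.1\r\nHost: fmc.example.internal\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               b"name=x&data=" + base64.b64encode(SERIALIZED))

if __name__ == "__main__":
    for finding in scan_all([CLEAN_LOGIN, RAW_STREAM, B64_IN_FORM]):
        print(finding)
```

The class names are the triage hook: a management interface that legitimately exchanges serialized objects will show a stable, small set of its own classes, so anything else (collection or reflection classes from gadget chains, classes from libraries the product does not ship) in a pre-authentication request is the signal to escalate.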
Fake IT Support Leads to Rapid Lateral Movement Across Enterprises
Fake tech support scams are evolving beyond simple fraud. What once ended with a gift card purchase now ends with a modified command-and-control framework embedded deep in a victim’s environment, using advanced evasion techniques that stock versions of the tool don’t even include.
The attack began with a mass spam campaign that flooded targets' inboxes, after which the attackers posed as IT support and contacted victims directly. They claimed to need remote access to perform email client updates or remediation, and persuaded users to approve remote sessions. Once connected, the attacker navigated to a fraudulent cloud-hosted control panel and instructed the user to download an "antispam patch" and press a "test rules" button, which silently deployed a follow-up malware payload. From there, DLL sideloading was the method of choice: maliciously crafted DLLs were placed in the search paths of legitimate applications so that trusted, signed binaries loaded the malicious code, a tradecraft choice more typical of a capable intrusion operator than of a commodity scam crew.
At the core of the payload was a modified agent from an open-source C2 framework. It evades endpoint security by avoiding the user-mode API functions that EDR products hook: it resolves system call numbers itself and issues the calls from within legitimate system library memory, so the activity looks like ordinary system activity to hooking-based tooling. Crucially, the agent was customized beyond its default capabilities: the original framework bakes C2 addresses into the payload at compile time with no fallback, whereas this build can recover a fresh set of C2 addresses from the registry if the primary servers are taken down, a resilience layer that standard builds do not have. In total, the attacker spread across ten endpoints using three distinct persistence mechanisms, deliberately distributing different tools across different hosts so that finding and cleaning one would not eliminate access to the rest of the environment.
Chinese Espionage Group CL-UNK-1068 Campaign Targeting Asia
Since at least 2020, a Chinese threat actor tracked as CL-UNK-1068 has been conducting a sustained campaign against high-value organizations across South, Southeast, and East Asia, targeting critical sectors including aviation, energy, government, law enforcement, pharmaceuticals, technology, and telecommunications. The group’s primary objective is assessed to be cyberespionage, though cybercriminal motivations cannot be fully ruled out.
Initial access is gained through the deployment of web shells, after which the attackers move laterally to additional hosts and SQL servers. From there, the group heavily relies on DLL side-loading using legitimate Python executables, deploying a malicious loader alongside them to read and deobfuscate shellcode in memory, ultimately executing the final payload within the context of a trusted process. The overall toolkit is multi-faceted, combining custom malware, modified open-source utilities, and living-off-the-land techniques, with a particular preference for tools popular within Chinese-speaking security communities.
Once inside a target environment, the attackers deploy custom batch scripts to gather host telemetry and map the local network, with consistent naming conventions across multiple campaigns serving as a recognizable signature. Sensitive data collection extends beyond configuration files to browser history, spreadsheet files, and database backups, and the use of a universal database interface suggests a focused effort to extract data directly from SQL servers. Privilege escalation is achieved through known exploits: CVE-2021-4034 (PwnKit, CVSS 7.8), a local privilege escalation in the polkit pkexec utility on Linux, and CVE-2023-34048 (CVSS 9.8), a remote code execution vulnerability in VMware vCenter Server, a widely used virtualization management platform. Through a combination of primarily open-source tools, community-shared malware, and batch scripts, the group has sustained stealthy operations across both Windows and Linux environments, and its consistent focus on credential theft and sensitive data exfiltration from critical infrastructure points firmly toward an espionage-driven agenda.
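The DLL side-loading pattern is the same in the fake IT support intrusion above and in the CL-UNK-1068 campaign described here: a legitimate, usually signed, executable loads a DLL from its own directory instead of the system copy. As an added example (not CyberProof's detection content and not tied to any vendor's rules), this Python script triages image-load events of the shape Sysmon Event ID 7 produces and serves both passages. The events, the hostnames and paths in them, and the seed list of System32 DLL names are all assumptions constructed for the example; a real deployment would seed that list from a clean host inventory.

```python
"""Heuristic DLL side-loading triage over image-load telemetry.

Added example: not CyberProof's detection content and not any vendor's rule
set. It targets the pattern shared by the fake-IT-support intrusion and the
CL-UNK-1068 campaign: a legitimate, often signed, executable loads a DLL from
its own directory instead of the system copy. The events mimic Sysmon Event
ID 7 fields but are constructed, and the System32 DLL seed list is a small
assumed subset to be replaced by an inventory taken from a clean host.
"""
from pathlib import PureWindowsPath

# Assumed seed of DLL names that normally resolve to System32; a DLL with one
# of these names sitting next to an EXE is the classic search-order hijack.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wininet.dll",
               "userenv.dll", "profapi.dll", "msvcp140.dll", "vcruntime140.dll"}

# Directories any interactive user can write to (lower-cased, trailing backslash).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def classify_image_load(event: dict) -> list:
    """Return the reasons this load looks like side-loading; empty means benign."""
    image = PureWindowsPath(event["Image"].lower())
    loaded = PureWindowsPath(event["ImageLoaded"].lower())
    if image.parent != loaded.parent:
        return []          # only DLLs loaded from the EXE's own directory matter here
    reasons = []
    if loaded.name in SYSTEM_DLLS:
        reasons.append(f"{loaded.name} shadows a System32 DLL (search-order hijack)")
    if (str(image.parent) + "\\").startswith(USER_WRITABLE_PREFIXES):
        reasons.append("executable runs from a user-writable directory")
    # A valid signature on the host binary is what makes the technique attractive:
    # the trusted carrier, not the DLL, is what allow-lists and analysts look at.
    if reasons and event.get("Signed") == "true" and event.get("SignatureStatus") == "Valid":
        reasons.append("loader is a validly signed binary, the usual side-loading carrier")
    return reasons


def triage(events) -> list:
    """Map each suspicious event to its reasons; benign events are omitted."""
    findings = []
    for ev in events:
        reasons = classify_image_load(ev)
        if reasons:
            findings.append({"image": ev["Image"], "dll": ev["ImageLoaded"], "reasons": reasons})
    return findings


# Constructed events for this example (Sysmon Event ID 7 field names, fake hosts).
SAMPLE_EVENTS = [
    {   # benign: Python loading its runtime DLL from its install directory
        "Image": r"C:\Program Files\Python311\python.exe",
        "ImageLoaded": r"C:\Program Files\Python311\python311.dll",
        "Signed": "true", "SignatureStatus": "Valid"},
    {   # CL-UNK-1068 style: a dropped Python runtime under a public directory
        "Image": r"C:\Users\Public\py\python.exe",
        "ImageLoaded": r"C:\Users\Public\py\python311.dll",
        "Signed": "true", "SignatureStatus": "Valid"},
    {   # fake-IT-support style: signed vendor binary with a planted version.dll beside it
        "Image": r"C:\Users\alice\AppData\Roaming\MailTool\updater.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Roaming\MailTool\version.dll",
        "Signed": "true", "SignatureStatus": "Valid"},
    {   # benign: the same binary resolving version.dll from System32
        "Image": r"C:\Users\alice\AppData\Roaming\MailTool\updater.exe",
        "ImageLoaded": r"C:\Windows\System32\version.dll",
        "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["image"], "->", finding["dll"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

The first heuristic (a System32 name beside the EXE) catches the planted version.dll of the support-scam intrusion; the second (user-writable directory) catches the relocated Python runtime even though python311.dll is its legitimate dependency, which is why the Program Files copy of the same load is left alone. Run this over a day of image-load events and the signed-carrier reason is what sorts the hits worth a ticket from the noise.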
New Chrome Vulnerability Lets Malicious Extensions Escalate Privileges via Gemini Panel
A high-severity vulnerability in Google Chrome, tracked as CVE-2026-0628 (CVSS 8.8), could have enabled attackers to escalate privileges and access sensitive local resources on affected systems. The flaw originated from insufficient policy enforcement in the WebView tag, which allowed malicious browser extensions to interact with privileged browser components. Successful exploitation could grant unauthorized access to local files, enable screenshots of visited websites, and activate a victim's camera and microphone without explicit permission.
The vulnerability specifically allowed malicious extensions holding only basic permissions to manipulate the Gemini Live side panel, an AI-powered feature integrated into Chrome. Using a commonly used web request API, an extension could inject arbitrary JavaScript into the Gemini panel as it loaded and so abuse the panel's elevated capabilities. If a user was tricked into installing such an extension, the injected code could interact with system resources, capture screenshots and activate device sensors. The issue highlights the risk of AI-integrated browser components that require elevated privileges to carry out multi-step tasks: hidden prompts or malicious extensions can steer the assistant into performing restricted actions or exfiltrating data. Extensions interacting with web pages is expected behavior; influencing internal browser components is a far more severe risk. Because the fix ships in the browser itself, the practical controls are to keep Chrome current and to limit which extensions users may install, for example with the ExtensionInstallAllowlist and ExtensionInstallBlocklist enterprise policies.
BoryptGrab Stealer Spreads via Fake Code Repositories
A newly identified information-stealing malware named BoryptGrab is targeting Windows users by harvesting browser data, system details, screenshots, common files and credentials from platforms such as Telegram and Discord. The malware spreads through numerous fake public repositories hosted on GitHub, where it masquerades as legitimate free software tools. By abusing trust in open-source ecosystems and manipulating search visibility, the campaign is able to reach a wide pool of potential victims who unknowingly download the malicious packages.
The infection chain begins when users download a ZIP archive promoted through repositories whose README files are stuffed with search-engine keywords so that they rank higher in search results. The archive triggers a DLL side-loading routine that decrypts and launches an initial payload responsible for retrieving the core stealer binary. Alternative execution paths use obfuscated Visual Basic scripts that hide encoded commands within integer arrays and attempt privilege escalation before fetching additional malware stages. In some cases, the attack also deploys a PyInstaller-based backdoor that establishes a reverse SSH tunnel and operates as a SOCKS5 proxy. Beyond stealing browser credentials, the malware also targets browser extensions, captures screenshots and collects system information. Anti-analysis features include virtual machine detection via registry checks and file inspections, process name comparisons against predefined lists, and attempts to execute with elevated privileges. Russian-language artifacts within the code and associated infrastructure patterns suggest a likely Russia-linked origin; taken together, the aggressive data harvesting, layered evasion and staged payload delivery mark a technically evolving campaign.
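The alert only states that the Visual Basic scripts keep encoded commands in integer arrays. As an added example (not BoryptGrab's code and not CyberProof's tooling), this Python decoder assumes the usual construction of an Array(...) literal turned into a string with Chr(), and goes one step beyond the single scheme described: it brute-forces plain, offset and single-byte XOR decodings of every array it finds and ranks the results by how much they resemble a command line. The sample script, its keys and the keyword list are constructed for the example.

```python
"""Decode commands hidden in VBScript integer arrays.

Added example: not BoryptGrab's loader and not CyberProof's tooling. The
alert says only that the scripts keep encoded commands in integer arrays, so
this decoder assumes the common Array(...) plus Chr() construction and tries
plain, offset and single-byte XOR decodings, ranking each by how much the
result resembles a command line. The sample script, its keys and the keyword
list are constructed for this example.
"""
import re
import string

ARRAY_RE = re.compile(r"Array\s*\(\s*([0-9,\s_]+)\)", re.IGNORECASE)   # "_" is VBS line continuation
ALNUM_SPACE = set((string.ascii_letters + string.digits + " ").encode())
PRINTABLE = set(string.printable.encode())
# Tokens that make a decoded string look like a dropper command (assumed list).
KEYWORDS = (b"cmd", b"powershell", b"wscript", b"cscript", b"http", b".exe",
            b"/c ", b"-w ", b"-enc", b"hidden", b"shell")

# Constructed sample: the first array is offset-encoded, the second XOR-encoded.
SAMPLE_VBS = '''
Dim k: k = 23
Dim a: a = Array(122,132,123,69,124,143,124,55,70, _
                 122,55,142,127,134,120,132,128)
Dim b: b = Array(42,53,45,63,40,41,50,63,54,54)
Dim s, t, n
For Each n In a
    s = s & Chr(n - k)
Next
For Each n In b
    t = t & Chr(n Xor 90)
Next
CreateObject("WScript.Shell").Run s, 0, False
'''


def extract_int_arrays(script: str) -> list:
    """Every Array(...) literal made only of integers, as a list of int lists."""
    arrays = []
    for m in ARRAY_RE.finditer(script):
        nums = [int(x) for x in m.group(1).replace("_", "").split(",") if x.strip()]
        if len(nums) >= 4:            # shorter arrays are not worth brute-forcing
            arrays.append(nums)
    return arrays


def _transforms(values):
    """Yield (scheme, candidate bytes) for every per-element decoding tried."""
    lo, hi = min(values), max(values)
    for k in range(max(0, hi - 255), lo + 1):            # Chr(n - k); k = 0 is plain Chr(n)
        yield ("chr(n)" if k == 0 else f"chr(n - {k})"), bytes(v - k for v in values)
    if hi <= 255:
        for k in range(1, 256 - hi):                      # Chr(n + k)
            yield f"chr(n + {k})", bytes(v + k for v in values)
        for k in range(1, 256):                           # Chr(n Xor k)
            yield f"chr(n xor {k})", bytes(v ^ k for v in values)


def _score(candidate: bytes) -> int:
    """Higher is more command-like: reward text, punish control bytes, bonus for keywords."""
    score = 0
    for b in candidate:
        if b in ALNUM_SPACE:
            score += 2
        elif b in PRINTABLE:
            score += 1
        else:
            score -= 4
    lowered = candidate.lower()
    score += 10 * sum(1 for kw in KEYWORDS if kw in lowered)
    return score


def decode_arrays(script: str, min_score: int = 0) -> list:
    """Best decoding of every integer array in the script as (scheme, text) pairs."""
    results = []
    for values in extract_int_arrays(script):
        candidates = list(_transforms(values))
        if not candidates:
            continue
        scheme, data = max(candidates, key=lambda c: _score(c[1]))
        if _score(data) >= min_score:
            results.append((scheme, data.decode("ascii", "replace")))
    return results


if __name__ == "__main__":
    for scheme, text in decode_arrays(SAMPLE_VBS):
        print(f"{scheme:<16} {text}")
```

The scoring is deliberately blunt: printable text alone cannot distinguish a correct XOR key from its neighbours, which also yield letters, so the keyword bonus is what pins the answer. When triaging a real script, raise min_score or extend KEYWORDS with strings seen in the campaign's other stages, and treat the decoded output as the next artifact to pivot on (the URL it fetches, the registry key it sets), not as something to run.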
Epic Fury & Lion's Roar: Dual Military Campaign Targeting Iran – Part 3
Evolving Cyber Threat Landscape: Following the escalation triggered by Operation Epic Fury, cyber activity has continued to evolve with increased disruption campaigns, reconnaissance operations, and vulnerability exploitation attempts linked to Iranian-aligned actors and hacktivist collectives.
Seedworm / MuddyWater Espionage Activity: The Iranian APT group Seedworm, also tracked as MuddyWater, has expanded its cyber espionage operations, maintaining access inside multiple organizations including a bank, an airport, and a software company, demonstrating long-term infiltration strategies during the conflict escalation.
New Malware and Backdoor Deployment: Iranian campaigns have introduced additional malware tooling including GhostFetch downloaders, CHAR backdoors, and HTTP_VIP loaders, which enable attackers to download payloads, maintain command-and-control communication, and sustain persistent access in compromised environments.
Emergence of the Dindoor Backdoor: Threat researchers identified a new malware implant known as Dindoor, deployed by Seedworm/MuddyWater to maintain remote command execution and persistence within targeted networks.
Expansion of Iranian Cyber Infrastructure: Intelligence investigations indicate a large operational ecosystem, with analysts tracking dozens of Iranian threat groups and infrastructure clusters supporting espionage and intrusion operations targeting government, energy, defense, and financial sectors.
Increased Targeting of ICS and OT Environments: Intelligence reporting indicates growing reconnaissance activity targeting Industrial Control Systems (ICS) and Operational Technology (OT) environments. Iranian-aligned actors are scanning internet-exposed industrial devices and management systems within sectors such as energy, utilities, and critical infrastructure, potentially identifying vulnerabilities that could be leveraged for intelligence collection or operational disruption during periods of heightened geopolitical tension.
Structured Cyber Campaigns: Operations such as Operation Olalampo highlight a more coordinated Iranian cyber strategy involving reconnaissance, exploitation of exposed services, and long-term persistence within targeted networks.