Threat Alerts
Your place for the latest CyberProof cyber threat intelligence alerts and updates
Epic Fury & Lion's Roar: Dual Military Campaign Targeting Iran – Part 5
Following the escalation triggered by Operation Epic Fury, cyber activity linked to the conflict continues to expand, with increased reconnaissance, cybercrime-linked tooling, and coordinated operations by Iranian-aligned actors and hacktivist groups.
Handala Hack Team Expanding Operational Visibility: The threat actor persona Handala has recently emerged as an active participant in cyber operations associated with the conflict, combining influence campaigns with cyber incident claims targeting organizations perceived to support Israel or Western interests.
Shift Toward Destructive Malware Capabilities: Security researchers observed the use of wiper-style malware in operations attributed to Handala, suggesting a potential transition from traditional espionage toward more disruptive cyber actions capable of impacting targeted systems.
Increase in Targeted Espionage Operations Across Middle East: Threat intelligence reporting indicates a rise in reconnaissance and credential-harvesting campaigns targeting government entities, telecommunications providers, defense organizations, and regional infrastructure operators.
Expansion of Iranian-Aligned Cyber Ecosystem: Multiple Iranian-associated threat clusters including UNK_InnerAmbush, TA402, TA473, UNK_NightOwl, UNK_RobotDreams, and TA453 have been linked to phishing, credential harvesting, and influence operations coordinated through social media and messaging platforms.
Hacktivist DDoS Campaigns Expanding Across Regions: The 313 Team claimed attacks against 20 UAE government portals and Romania's National Tax Agency, while NoName057(16) continued its #OpCyprus campaign targeting Cypriot government and infrastructure entities including the Electricity Authority and Supreme Court.
Epic Fury & Lion's Roar: Dual Military Campaign Targeting Iran – Part 4
Critical Cisco Firewall Management Flaws Enable Full Network Compromise
Cisco disclosed two maximum-severity vulnerabilities in its firewall management ecosystem, both with a CVSS score of 10.0, affecting Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC). Because the FMC is the centralized administration point for multiple security appliances, these flaws threaten the network perimeter as a whole. Successful exploitation allows an unauthenticated remote attacker to execute arbitrary code with root privileges, and the impact is amplified by the broad visibility and control a management interface holds over an organization's network traffic: compromise of the FMC effectively equates to a total loss of administrative control over the network security layer. Until patched, management interfaces of this kind should be reachable only from trusted administrative networks, never directly from the internet.
The first vulnerability, CVE-2026-20079 (CVSS 10.0), is an authentication bypass flaw rooted in the improper creation of a system process during the device’s boot sequence. This allows an unauthenticated attacker to bypass standard authentication mechanisms by sending specially crafted HTTP requests. Once the check is bypassed, arbitrary scripts are executed with high-level system permissions, granting the attacker root access. The second, CVE-2026-20131 (CVSS 10.0), involves an insecure deserialization flaw triggered when the system processes an untrusted, user-supplied Java byte stream without proper validation. A remote attacker sends a malicious stream to the management interface, which upon deserialization executes embedded malicious code, resulting in remote code execution with root-level privileges.
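The deserialization flaw above is triggered by a Java object stream that reaches the management interface from an unauthenticated client. Such streams carry a fixed header, so an edge or proxy check can flag them before they reach the application regardless of how they are wrapped. The following is an added example (not CyberProof's or Cisco's code, and not tied to the specifics of either CVE) that scans request bodies for the Java serialization header both raw and inside base64-encoded fields; the paths, headers and bodies are constructed samples.

```python
"""Flag Java serialized object streams in HTTP request bodies.

Added example; not CyberProof's or Cisco's code and not specific to either
CVE above. It relies only on the fact that every stream written by Java's
ObjectOutputStream begins with STREAM_MAGIC (0xACED) and STREAM_VERSION
(0x0005), whether the stream arrives raw or base64-encoded in a parameter.
"""
import base64
import binascii
import re
from typing import Dict, List, Tuple

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"  # ObjectOutputStream header bytes
# Runs of base64 characters (standard or URL-safe alphabet) long enough to carry the header.
_B64_TOKEN = re.compile(rb"[A-Za-z0-9+/_-]{8,}={0,2}")


def _decode_b64_lenient(token: bytes) -> bytes:
    """Decode standard or URL-safe base64, repairing padding; b'' if not valid base64."""
    t = token.replace(b"-", b"+").replace(b"_", b"/").rstrip(b"=")
    t += b"=" * (-len(t) % 4)
    try:
        return base64.b64decode(t, validate=True)
    except (binascii.Error, ValueError):
        return b""


def find_java_streams(body: bytes) -> List[Tuple[str, int]]:
    """Return (encoding, offset) for each Java stream header found either raw in
    the body or inside a base64 token such as a form field or query value."""
    hits = [("raw", m.start()) for m in re.finditer(re.escape(JAVA_STREAM_MAGIC), body)]
    for m in _B64_TOKEN.finditer(body):
        if JAVA_STREAM_MAGIC in _decode_b64_lenient(m.group(0)):
            hits.append(("base64", m.start()))
    return hits


def triage_request(method: str, path: str, headers: Dict[str, str], body: bytes) -> dict:
    """Block any request that carries a Java object stream: a management
    interface never needs one from an unauthenticated client."""
    hits = find_java_streams(body)
    return {
        "method": method,
        "path": path,
        "content_type": headers.get("Content-Type", ""),
        "java_stream_hits": hits,
        "verdict": "block" if hits else "allow",
    }


# Constructed sample traffic (not captured from any real device). The
# serialized payload is a header plus filler, enough to look like an object stream.
FAKE_OBJECT = JAVA_STREAM_MAGIC + b"\x73\x72\x00\x11java.util.HashMap" + b"\x00" * 8

SAMPLE_REQUESTS = [
    ("POST", "/api/login", {"Content-Type": "application/json"},
     b'{"username":"admin","password":"hunter2"}'),            # benign
    ("POST", "/api/upload", {"Content-Type": "application/octet-stream"},
     FAKE_OBJECT),                                             # raw stream
    ("POST", "/api/session", {"Content-Type": "application/x-www-form-urlencoded"},
     b"state=" + base64.b64encode(FAKE_OBJECT) + b"&lang=en"),  # base64 in a field
    ("POST", "/api/session", {"Content-Type": "application/x-www-form-urlencoded"},
     b"state=" + base64.urlsafe_b64encode(b"\x00" + FAKE_OBJECT).rstrip(b"=")
     + b"&lang=en"),                                           # URL-safe, unpadded, header not at offset 0
]


def triage_all() -> List[str]:
    """Verdict for each sample request, in order."""
    return [triage_request(*req)["verdict"] for req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(triage_request(*req))
```

Decoding every base64-looking token (rather than matching only the `rO0AB` prefix) catches streams that do not start on a 3-byte boundary or that use the URL-safe alphabet without padding. The check is a compensating control, not a fix: the application-side remedy is to stop deserializing untrusted input or to restrict it with an `ObjectInputFilter` allowlist, and to apply the vendor patch.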
Fake IT Support Leads to Rapid Lateral Movement Across Enterprises
Fake tech support scams are evolving beyond simple fraud. What once ended with a gift card purchase now ends with a modified command-and-control framework embedded deep in a victim’s environment, using advanced evasion techniques that stock versions of the tool don’t even include.
The attack began with a mass spam campaign to overwhelm targets, after which the attackers posed as IT support and contacted victims directly. They falsely claimed to need remote access to perform email client updates or remediations, persuading users to approve remote sessions. Once in, the attacker navigated to a fraudulent cloud-hosted control panel and instructed the user to download an "antispam patch" and press a "test rules" button, which silently deployed a follow-up malware payload. From there, DLL sideloading was the method of choice: maliciously crafted DLL files were placed in legitimate application search paths so that trusted, signed binaries would unknowingly load the malicious code, a tactic that points to a relatively sophisticated threat actor.
At the core of the payload was a modified open-source C2 framework agent that evades endpoint security by avoiding hooked user-mode API functions entirely: it extracts system call numbers directly and issues the calls from within legitimate system memory, so the activity appears normal to security tooling. Crucially, the agent was customized beyond its default capabilities. Whereas the original framework bakes C2 addresses into the payload at compile time with no fallback, this version can recover a fresh set of C2 addresses from the registry if the primary servers are taken down, giving the operator a resilience layer that standard builds do not have. In total, the attacker spread across ten endpoints using three distinct persistence mechanisms, deliberately distributing different tools across different hosts so that finding and cleaning one would not eliminate access to the rest of the environment.
Chinese Espionage Group CL-UNK-1068 Campaign Targeting Asia
Since at least 2020, a Chinese threat actor tracked as CL-UNK-1068 has been conducting a sustained campaign against high-value organizations across South, Southeast, and East Asia, targeting critical sectors including aviation, energy, government, law enforcement, pharmaceuticals, technology, and telecommunications. The group’s primary objective is assessed to be cyberespionage, though cybercriminal motivations cannot be fully ruled out.
Initial access is gained through the deployment of web shells, after which the attackers move laterally to additional hosts and SQL servers. From there, the group heavily relies on DLL side-loading using legitimate Python executables, deploying a malicious loader alongside them to read and deobfuscate shellcode in memory, ultimately executing the final payload within the context of a trusted process. The overall toolkit is multi-faceted, combining custom malware, modified open-source utilities, and living-off-the-land techniques, with a particular preference for tools popular within Chinese-speaking security communities.
Once inside a target environment, the attackers deploy custom batch scripts to gather host telemetry and map the local network, with consistent naming conventions across multiple campaigns serving as a recognizable signature. Sensitive data collection extends beyond configuration files to include browser history, spreadsheet files, and database backups, and the use of a universal database interface suggests a focused effort to extract data directly from SQL servers. Privilege escalation is achieved through known exploits: a local privilege escalation vulnerability in Linux, CVE-2021-4034 (CVSS 7.8, the polkit pkexec flaw), and a remote code execution vulnerability in a widely used virtualization platform, CVE-2023-34048 (CVSS 9.8, VMware vCenter Server). Through a combination of primarily open-source tools, community-shared malware, and batch scripts, the group has sustained stealthy operations across both Windows and Linux environments, and its consistent focus on credential theft and exfiltration of sensitive data from critical infrastructure points firmly toward an espionage-driven agenda.
New Chrome Vulnerability Lets Malicious Extensions Escalate Privileges via Gemini Panel
A high-severity vulnerability in Google Chrome, tracked as CVE-2026-0628 (CVSS 8.8), could have enabled attackers to escalate privileges and access sensitive local resources on affected systems. The flaw originated from insufficient policy enforcement in the WebView tag, allowing malicious browser extensions to interact with privileged browser components. Successful exploitation could grant unauthorized access to local files, enable screenshots of visited websites, and activate a victim's camera and microphone without explicit permission.
The vulnerability specifically allowed malicious extensions with basic permissions to manipulate the Gemini Live side panel, an AI-powered feature integrated into Chrome. By leveraging a commonly used web request API, attackers could inject arbitrary JavaScript into the Gemini panel when the application loaded, abusing its elevated capabilities. If users were tricked into installing a specially crafted extension, the injected code could interact with system resources, capture screenshots, and activate device sensors. The issue highlights the risks posed by AI-integrated browser components that require elevated privileges to execute multi-step tasks, where hidden prompts or malicious extensions could influence the assistant to perform restricted actions or exfiltrate data. Extensions interacting with web pages is expected behavior; influencing internal browser components introduces a far more severe security risk, and extension install policies that restrict users to an allowlist remove the precondition for this class of attack.