
Threat Alerts

Your place for the latest CyberProof cyber threat intelligence alerts and updates


Epic Fury & Lion’s Roar: Dual Military Campaign Targeting Iran – Part 2

05-Mar-2026
Label: Threat Advisory
Threat Level: Medium

Following the escalation triggered by coordinated U.S. and Israeli strikes under Operation Epic Fury on 28 February 2026, the cyber dimension of the conflict has continued to evolve. Recent intelligence indicates increased hacktivist mobilization, vulnerability exploitation attempts, and reconnaissance activity targeting organizations perceived to support Western geopolitical interests.

Expanded Hacktivist Activity: Cyber activity following Operation Epic Fury has seen a significant increase in hacktivist participation. Groups such as DieNet, Keymous+, NoName057(16) and previously active Sylhet Gang have conducted coordinated DDoS campaigns, with 149 attacks targeting 110 organizations across 16 countries, primarily affecting government and public-facing infrastructure.

State-Linked Reconnaissance and Exploitation: Iranian cyber operations linked to the Islamic Revolutionary Guard Corps and the Ministry of Intelligence and Security continue to focus on stealthier intrusion campaigns. Threat actors such as APT42 and MuddyWater have been observed conducting reconnaissance and attempting to exploit vulnerabilities across enterprise platforms.

Increased Vulnerability Exploitation Risk: Multiple actors have been scanning for and attempting to exploit recently disclosed vulnerabilities across widely used enterprise technologies, highlighting an elevated risk of initial access through exposed services and misconfigured infrastructure.

Epic Fury & Lion’s Roar: Dual Military Campaign Targeting Iran

03-Mar-2026
Label: Threat Advisory
Threat Level: Medium

On 28 February 2026, the United States and Israel conducted coordinated strikes under Operation Epic Fury targeting Iranian military and strategic infrastructure. Iran responded with missile and drone launches across the Middle East, triggering parallel cyber escalation. Increased cyber activity has been observed, including high-volume distributed denial-of-service (DDoS) attacks, limited website defacements and propaganda-amplified intrusion claims targeting regional digital assets.

Iranian cyber operations are primarily orchestrated through the Islamic Revolutionary Guard Corps and the Ministry of Intelligence and Security. Key state-aligned threat actors include APT42 (APT35 / Charming Kitten) and MuddyWater, alongside pro-Iranian hacktivist groups conducting opportunistic disruption campaigns. Iran has also imposed domestic internet restrictions, limiting visibility into Iran-hosted cyber operations. While visible disruption dominates reporting, the greater strategic risk lies in sustained credential compromise and persistent access operations.

Active Exploitation of Cisco SD-WAN Zero-Day Observed

02-Mar-2026
Label: Vulnerability
Threat Level: Medium

A critical vulnerability in Cisco’s SD-WAN platform, CVE-2026-20127 (CVSS Score 10.0), has been actively exploited since at least 2023, allowing remote, unauthenticated attackers to bypass authentication and gain full administrative control over affected systems. The flaw impacts all deployment types, on-premises and cloud-hosted environments alike, making its reach exceptionally broad and the risk to network infrastructure severe.

The vulnerability stems from a broken peering authentication mechanism, which attackers exploit by sending specially crafted requests to exposed systems. Once inside, they gain access to a high-privileged internal account, which they then use to manipulate network configurations across the SD-WAN fabric via NETCONF. The threat actor behind the campaign did not stop at initial access: evidence was found that the attacker deliberately downgraded the software version to escalate privileges to root, leveraging a separate known vulnerability, CVE-2022-20775 (CVSS Score 7.8), before restoring the original version to maintain stealthy, persistent root access.

This multi-stage infection chain (initial authentication bypass, privilege escalation through version manipulation, and silent restoration of the environment) reflects a level of operational sophistication designed to evade detection over extended periods.

RESURGE Malware Exploits Ivanti VPN Flaw to Establish Stealthy Enterprise Backdoors

02-Mar-2026
Label: Vulnerability
Threat Level: Medium

A newly identified malware, RESURGE, targets Ivanti Connect Secure appliances by exploiting a critical unauthenticated remote code execution vulnerability, CVE-2025-0282 (CVSS Score 9.0). Because Ivanti’s affected products serve as internet-facing VPN gateways, this flaw provides attackers with a direct entry point into enterprise networks without requiring valid credentials. The combination of a highly accessible attack surface and a sophisticated, multi-functional implant makes this threat particularly severe for organizations relying on these appliances for remote access.

The vulnerability itself stems from improper bounds checking when the appliance processes certain protocol packets from unauthenticated clients, allowing a specially crafted request to overflow stack memory and redirect execution flow. Attackers typically identify exposed appliances and send malformed requests, often routing their activity through anonymizing infrastructure to obscure their origin. Once remote code execution is achieved, RESURGE is deployed directly onto the compromised device. The malware operates simultaneously as a backdoor, dropper, rootkit, and trojan, and distinguishes itself through a fully passive command and control architecture: it never initiates outbound connections, instead embedding itself into the appliance’s native web server process and silently monitoring inbound traffic for specially crafted operator commands. Authentication is handled covertly within the TLS handshake itself, making all sessions appear legitimate to outside observers.

Beyond initial access, the malware establishes deep persistence through multiple mechanisms: it hooks into system startup processes, tampers with the device’s built-in integrity checker by replacing file hashes, modifies integrity scanning scripts to suppress detection, and even injects malicious components into the boot image in a way that can survive reboots and potentially factory resets. An embedded log-manipulation module further suppresses forensic evidence by intercepting and altering log entries at runtime. Bundled utilities give operators broad capabilities for file manipulation and system modification once inside. The layered nature of this implant, combining covert communication, anti-forensic capabilities, and boot-level persistence, makes it exceptionally difficult to detect and fully eradicate from a compromised environment.

Critical Angular SSR SSRF Vulnerability Enables Network Probing

02-Mar-2026
Label: Vulnerability
Threat Level: Medium

A highly critical vulnerability has been disclosed in Angular Server-Side Rendering (SSR), tracked as CVE-2026-27739 (CVSS 9.2). The flaw enables Server-Side Request Forgery (SSRF) by exploiting weaknesses in how the framework constructs and processes URLs during server-side request handling. Successful exploitation allows attackers to coerce vulnerable applications into issuing unauthorized internal requests, potentially exposing sensitive credentials, internal services and cloud metadata endpoints that are not accessible from the public internet.

The root cause stems from insufficient validation of HTTP headers used to determine request origin and routing. Attackers can manipulate these headers to spoof domains, inject malformed port values and alter path components, which are then incorporated into URL construction logic without sanitization. Because Angular’s internal HTTP client resolves relative URLs using this attacker-controlled base, subsequent server-side requests can be redirected to malicious endpoints, leaking authorization tokens and session cookies. The vulnerability affects deployments where SSR is enabled, the application server is directly reachable and upstream infrastructure fails to normalize or filter incoming headers. Patched versions are available, along with interim mitigations, but the high severity and potential for internal network exposure make this one of the most serious SSR-related flaws disclosed in recent years.
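The mitigation the advisory points at, normalizing request headers before they reach URL construction, can be enforced in the SSR host itself. The following is an added example and not Angular’s or CyberProof’s code: it derives the server-side base URL only from an operator allowlist and refuses any resolved target that leaves that origin. The header names (host, x-forwarded-host, x-forwarded-proto, x-forwarded-port) and the allowlist are assumptions; the advisory does not name the headers involved.

```javascript
// Added example: compute a trusted SSR base URL from an allowlist, never from
// attacker-controlled header values. Header names are conventional and assumed.

// Constructed allowlist of origins this deployment legitimately serves.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://app.example.com:8443",
]);

// host[:port] only; rejects "@", "/", spaces and other injection characters.
const HOST_RE = /^(?:[a-z0-9-]+\.)*[a-z0-9-]+(?::\d{1,5})?$/i;

// Returns a trusted absolute origin, or null when the headers cannot be trusted.
function safeBaseUrl(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  // Take only the first hop of a comma-separated forwarded value.
  const host = (h["x-forwarded-host"] ?? h["host"] ?? "").split(",")[0].trim();
  if (!HOST_RE.test(host)) return null;
  const proto = (h["x-forwarded-proto"] ?? "https").split(",")[0].trim();
  if (proto !== "http" && proto !== "https") return null;
  const port = h["x-forwarded-port"];
  // A malformed port (e.g. "80@evil") must fail closed, not be spliced into the URL.
  if (port !== undefined && !(/^\d{1,5}$/.test(port) && Number(port) <= 65535)) return null;
  let origin;
  try {
    const u = new URL(`${proto}://${host}`);
    if (port !== undefined) u.port = port;
    origin = u.origin;
  } catch {
    return null;
  }
  return ALLOWED_ORIGINS.has(origin) ? origin : null;
}

// Resolve a relative URL used by a server-side data fetch against the trusted
// base and refuse any result outside the allowlisted origin (the SSRF condition).
function resolveForSsr(relative, headers) {
  const base = safeBaseUrl(headers);
  if (base === null) return null;
  const target = new URL(relative, base);
  return ALLOWED_ORIGINS.has(target.origin) ? target.href : null;
}
```

A protocol-relative path such as `//169.254.169.254/...` resolves to a different origin and is therefore rejected, which is the cloud-metadata case the advisory warns about.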

Malicious npm Packages Use Steganographic C2 to Steal Secrets from Developer Environments

02-Mar-2026
Label: Malware
Threat Level: Medium

A newly identified supply chain campaign has introduced 26 malicious npm packages into the developer ecosystem, designed to steal credentials, secrets, and sensitive data from developer environments. The campaign is attributed to a North Korean-aligned threat actor with a documented history of targeting software developers, particularly those working in cryptocurrency and Web3 development.

The infection begins at install time, where a built-in hook automatically triggers a loader that uses character-level steganography to decode command-and-control infrastructure hidden inside seemingly ordinary text hosted on a public paste service. Characters at evenly spaced positions within what appears to be a benign computer science essay are systematically substituted to spell out a list of C2 domains distributed across dozens of cloud deployments. The loader then fetches platform-specific shell payloads for macOS, Linux, and Windows, which in turn install a Remote Access Trojan that connects to attacker-controlled infrastructure and awaits commands. The malicious packages also declare the legitimate libraries they imitate as dependencies, allowing compromised projects to continue functioning normally and delaying victim awareness.

Once the RAT establishes a connection, the C2 automatically deploys a nine-module infostealer toolkit targeting virtually every sensitive asset in a developer’s workspace. The modules collectively perform keylogging and clipboard monitoring, browser credential and cookie theft, cryptocurrency wallet extension harvesting, SSH key collection, Git repository and credential exfiltration, and broad filesystem sweeps for private keys, seed phrases, password files, and environment variables containing API keys. One module abuses a legitimate open-source secret scanning tool to sweep the victim’s home directory. Another establishes persistent re-infection by embedding hidden shell commands in the developer’s code editor configuration, ensuring the malware reinstalls itself on every new session.
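Two traits of these packages are visible in the manifest before any code runs: an install-time lifecycle hook, and a dependency on the legitimate library the package imitates. The following is an added example, not code from the advisory or from npm, that audits a package.json for both; the heuristics, the sample manifest and its package names are constructed for illustration.

```javascript
// Added example: flag install-time hooks and look-alike dependencies in a
// package.json. Heuristics and the sample manifest below are constructed.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// Commands that fetch or evaluate remote content deserve a higher-severity flag.
const RISKY_CMD = /\b(curl|wget|node\s+-e|eval|base64|bash\s+-c|powershell)\b|https?:\/\//i;

// Levenshtein distance, used to spot a package name that is a near-copy of one
// of its own dependencies (the typosquat-plus-real-dependency pattern).
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(
        d[i - 1][j] + 1,
        d[i][j - 1] + 1,
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1)
      );
  return d[a.length][b.length];
}

// Returns a list of findings; an empty list means neither trait was seen.
function auditManifest(json) {
  const pkg = JSON.parse(json);
  const findings = [];
  const scripts = pkg.scripts ?? {};
  for (const hook of INSTALL_HOOKS) {
    if (!(hook in scripts)) continue;
    const cmd = String(scripts[hook]);
    findings.push({
      kind: RISKY_CMD.test(cmd) ? "install-hook-risky" : "install-hook",
      detail: `${hook}: ${cmd}`,
    });
  }
  const deps = Object.keys({ ...(pkg.dependencies ?? {}), ...(pkg.optionalDependencies ?? {}) });
  for (const dep of deps) {
    const dist = editDistance(String(pkg.name ?? ""), dep);
    if (dist > 0 && dist <= 2) {
      findings.push({ kind: "lookalike-dependency", detail: `${pkg.name} depends on ${dep}` });
    }
  }
  return findings;
}

// Constructed sample manifest exhibiting both traits (names are invented).
const SAMPLE_MANIFEST = JSON.stringify({
  name: "web3-utlis",
  version: "1.0.3",
  scripts: { postinstall: "node lib/loader.js" },
  dependencies: { "web3-utils": "^4.0.0" },
});
```

The hook command in the sample looks harmless on its own, which is why any install-time hook is reported and only the network-fetching ones are escalated.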
