Latest

Iranian Threat Actors Intensify IP Camera Exploitation Across Six Countries to Support Missile Operations and Battle Damage Assessment

Threats

Check Point Research has disclosed that multiple Iran-nexus threat actors have intensified exploitation of IP cameras across six countries in the Middle East and Eastern Mediterranean since the onset of hostilities — activity assessed to support battle damage assessment (BDA) and target correction for Iranian missile operations. The targeting, which

By Zero Day Wire

APT41-Linked Silver Dragon Targets Governments Across Europe and Southeast Asia Using Google Drive C2 and Three Distinct Infection Chains

Threats

Check Point has disclosed a previously undocumented APT group dubbed Silver Dragon operating within the APT41 umbrella that has been targeting government entities across Europe and Southeast Asia since at least mid-2024 using three distinct infection chains, custom loaders, and a backdoor that uses Google Drive as its command-

By Zero Day Wire

French Health Ministry Software Supplier Breached — 15.8 Million Patient Records Stolen Including Doctors' Notes on HIV and Sexual Orientation

Breaches

Attackers breached Cegedim Santé, a software supplier to France's health ministry, stealing approximately 15.8 million administrative patient files — including 165,000 containing free-text notes written by doctors that in some cases documented HIV/AIDS status, sexual orientation, and other sensitive medical history. The breach, confirmed in

By Zero Day Wire

SloppyLemming Targets Pakistan and Bangladesh Government and Critical Infrastructure With Dual Malware Chains and 112 Cloudflare Workers Domains

Threats

The South Asian threat actor SloppyLemming (also tracked as Outrider Tiger and Fishing Elephant) has been attributed to a sustained campaign targeting government entities and critical infrastructure operators in Pakistan and Bangladesh spanning January 2025 through January 2026, according to new research from Arctic Wolf. The campaign deploys two distinct

By Zero Day Wire

Steaelite RAT Bundles Ransomware, Credential Theft, and Live Surveillance Into Single Double-Extortion Platform

Threats

A new remote access trojan called Steaelite is being sold on cybercrime forums and Telegram that consolidates nearly every offensive capability an attacker needs — credential theft, ransomware deployment, cryptocurrency stealing, live surveillance, and DDoS — into a single browser-based dashboard, effectively eliminating the need for multiple tools or coordination between

By Zero Day Wire

US Sanctions Russian Exploit Broker Operation Zero for Acquiring Stolen Zero-Days From Jailed L3Harris Executive

Threats

The US government has sanctioned Russian exploit broker Operation Zero (Matrix LLC), its owner Sergey Sergeyevich Zelenyuk, and six associated individuals and entities for acquiring and distributing cyber exploits that harmed national security. The sanctions directly follow the sentencing of Peter Williams, the former L3Harris/Trenchant cyber executive who was

By Zero Day Wire

Cisco SD-WAN Zero-Day Exploited Since 2023 by Sophisticated Threat Actor — CVSS 10.0 Authentication Bypass Triggers CISA Emergency Directive

Alerts

A CVSS 10.0 authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and SD-WAN Manager has been under active exploitation since 2023 — over two years before disclosure — by a highly sophisticated threat actor that used it to compromise network management infrastructure and establish persistent footholds in high-value

By Zero Day Wire