Tag: Cyber Threats

  • Qualcomm Zero-Day Exploited in Targeted Android Attacks

    A new Qualcomm bug has been exploited in limited and targeted attacks against vulnerable Android devices. 

Google published its monthly Android security bulletin on March 2 and, as usual, it lists a large number of vulnerabilities affecting Android devices. Among the more than 100 CVEs, two in particular stand out.

One is CVE-2026-21385, a high-severity vulnerability in Qualcomm’s graphics kernel, which affects a wide range of chipsets. Few details are available, but it is an integer overflow issue that requires local access to exploit. In its own bulletin, Qualcomm describes it as “Memory corruption while using alignments for memory allocation.” The flaw, which has a CVSS score of 7.8, was added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog on Monday.
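To make the bug class concrete, here is an added illustration of how an alignment round-up can overflow a fixed-width size and leave an allocator reserving far less memory than the caller later writes. This is not Qualcomm’s code and not the specific CVE-2026-21385 defect (its details are not public); the sizes, bit widths and function names are this example’s own.

```python
"""Added example: integer overflow in an align-up helper.

Allocators commonly round a requested size up to an alignment boundary
before reserving memory. Done with fixed-width unsigned arithmetic and no
range check, a large request wraps to a tiny value, so the allocator
reserves far less than the caller then writes. The sizes and bit widths
below are constructed for illustration; this is not Qualcomm's code.
"""


def align_up_unchecked(size: int, align: int, bits: int = 32) -> int:
    """The classic (size + align - 1) & ~(align - 1), evaluated with the
    wrap-around semantics of a `bits`-wide unsigned integer, as C would."""
    mask = (1 << bits) - 1
    rounded = (size + align - 1) & mask      # the carry out of the top bit is silently lost
    return rounded & ~(align - 1) & mask


def align_up_checked(size: int, align: int, bits: int = 32):
    """Same rounding, but returns None when it cannot be done without
    wrapping. This is the range check a fixed version would add."""
    if align <= 0 or align & (align - 1):
        raise ValueError("align must be a power of two")
    max_value = (1 << bits) - 1
    if size > max_value - (align - 1):       # size + align - 1 would exceed the type
        return None
    return (size + align - 1) & ~(align - 1)


def reserve_and_write(size: int, align: int, bits: int = 32) -> dict:
    """Model of an allocator that rounds with the unchecked helper, followed
    by a caller that writes `size` bytes into the result. Reports the gap,
    which is the number of bytes written past the end of the allocation."""
    reserved = align_up_unchecked(size, align, bits)
    return {
        "requested": size,
        "reserved": reserved,
        "overflow_bytes": max(0, size - reserved),
    }


if __name__ == "__main__":
    hostile = 0xFFFFFFF8                          # constructed near-maximum 32-bit request
    print(align_up_unchecked(100, 64))            # 128: the normal case
    print(align_up_unchecked(hostile, 0x1000))    # 0: wrapped to nothing
    print(align_up_checked(hostile, 0x1000))      # None: rejected
    print(reserve_and_write(hostile, 0x1000))     # caller writes ~4 GiB into a 0-byte allocation
```

The checked variant rejects the request before the addition rather than testing the result afterwards, which is the pattern to look for when reviewing alignment or size arithmetic in any allocator, kernel or userland.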

    Possible Spyware Attack?

The reason CVE-2026-21385 stands out is that Google said in the Android bulletin, “There are indications that CVE-2026-21385 may be under limited, targeted exploitation.” It is unclear what “limited, targeted exploitation” means in practice, and Dark Reading contacted both Google and Qualcomm for additional information.

However, Adam Boynton, senior security strategy manager at endpoint security vendor Jamf, says that while one should be careful about speculating, this “is the specific language Google uses when activity is too narrow to be criminal infrastructure but too deliberate to be opportunistic.” As in, possibly a nation-state actor or commercial surveillance vendor.

“CVE-2024-43047 — another Qualcomm zero-day — used the same language when it was disclosed, and it was later tied to commercial spyware tooling via Amnesty International’s Security Lab,” Boynton says. “That’s not confirmation of the same here, but the profile is consistent. We don’t know who is behind this. But the way Google and Qualcomm are describing it tells you something about what they think they’re looking at.”

The other vulnerability of note this month is CVE-2026-0047, a critical local privilege escalation flaw in Android’s System component “that could lead to remote code execution with no additional execution privileges needed,” the bulletin reads. No user interaction is needed, either. The root cause is a missing permission check in dumpBitmapsProto of ActivityManagerService.java.

    “The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed,” Google warned.

Boynton says the fact that an attacker already needs to be on a device to use it is a meaningful barrier, which is likely why it hasn’t been exploited in the wild just yet. It would be used as one link in a chained attack rather than on its own.

    “Someone gets initial access through a phishing link, a malicious app, or an RCE like CVE-2026-0006, and then uses the escalation to go deeper and persist,” he says. “The question isn’t really whether it will be exploited. It’s whether it will be visible when it is. These chained techniques are harder to attribute and often only surface in post-incident forensics, long after the damage is done.”

    The Complexities of Patching Android Flaws

    Patches for CVE-2026-21385 are currently available, and Qualcomm says they’re being shared with relevant OEMs, “who have been notified and strongly recommended to deploy those patches on released devices as soon as possible.”

    Patches are also available for CVE-2026-0047 via the Android Open Source Project (AOSP).

One complication is that fixes for Android flaws, particularly chipset-level ones like the Qualcomm bug, reach consumers only through the OEMs. As Boynton points out, this means consumers depend on device manufacturers (which aren’t necessarily Google or Qualcomm) to ship a fix to an affected device, even when the patch was released at disclosure. That lag matters when vulnerabilities are being exploited faster than ever.

As a result, Qualcomm’s bulletin urges customers to “Please contact the device manufacturer for information on the patching status of released devices.”


    Source: www.darkreading.com…

  • Vehicle Tire Pressure Sensors Enable Silent Tracking

    Most people would never imagine that the innocuous tire pressure monitoring system (TPMS) in their vehicles could be used to track their movements. 

    But, as with many things digital, it turns out the feature, designed for vehicle safety and maintenance, can also expose unintended signals that enable precisely that capability.

    Low Cost Vehicle Tracking

    A team of researchers from universities in Spain, Switzerland, and Luxembourg recently conducted a study where they deployed a small network of low-cost spectrum receivers, priced at around $100 each, along a road to capture TPMS transmissions from passing vehicles. Their goal was to explore the potentially sensitive information they could infer by analyzing the TPMS transmission data from a set of 12 test vehicles.

Over a 10-week period, the researchers gathered more than six million TPMS transmissions from some 20,000 vehicles that used the road. The researchers then used custom-developed algorithms to try to match the TPMS signals from the different tires on a vehicle to the same car and, from there, to infer the movements of the 12 vehicles in the study.

    “Our results show that TPMS transmissions can be used to systematically infer potentially sensitive information such as the presence, type, weight or driving pattern of the driver,” the researchers noted in a research paper. Anyone can misuse a TPMS signal to track vehicles and, by extension, the movements of their owners, the researchers said.

TPMS sensors — mandated in the US since 2007 — transmit tire pressure readings automatically and at regular intervals whenever a vehicle is in motion. The system requires no pairing or authentication and cannot be disabled without compromising the safety function it is designed to provide. The data is sent wirelessly to a receiver module, which is often integrated with the vehicle’s onboard computer or a dedicated TPMS controller. The receiver monitors tire pressure and triggers a dashboard alert if the pressure drops below a predetermined safe threshold.

    In the Clear (Text)

    The security issue the researchers discovered is that TPMS transmissions are sent over the air in clear text without any authentication. Thus, anyone with a receiver capable of picking up that frequency — like the $100 devices the researchers used — can intercept the transmission from outside the vehicle, just as the vehicle’s own internal receiver can. 

    As the researchers noted in their report, previous studies have “highlighted that TPMS signals can be intercepted up to 40m from the car.” Their own study showed data capture is possible from 50 meters away from a vehicle and even when a receiver might be located inside a building without any nearby windows.

What makes the tracking itself possible is the fact that when a sensor transmits tire pressure data, it includes a unique ID so the vehicle’s TPMS control module can tell which specific tire the data is coming from. The unique IDs also allow the control module to ignore signals from other vehicles nearby. “Researchers have discovered that most TPMS sensors transmit a unique identifier in clear text that never changes during the lifetime of the tire,” the researchers pointed out. “This unencrypted wireless communication makes the signals susceptible to eavesdropping and potential tracking by any third party in proximity to the car.”
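To show what static, unauthenticated sensor IDs make possible, here is an added example that is not the researchers’ code (the article does not describe their matching algorithm). It takes a constructed receiver log, groups IDs that repeatedly appear together into vehicles, then reconstructs each vehicle’s path past the receivers and its transit times between them, which is the kind of “driving pattern” inference the paper describes. The receiver names, timings and sensor IDs are invented for the illustration.

```python
"""Added example: grouping TPMS sensor IDs into vehicles and tracking them.

CAPTURES is a constructed stand-in for a roadside receiver log of
(receiver, seconds, sensor_id). Two vehicles (A1-A4 and B1-B4) pass
receiver R1 at nearly the same moment, a stray sensor X9 is heard near R2,
and one of vehicle A's packets is lost on its return trip. The grouping rule
(IDs that repeatedly appear together within a few seconds belong to one car)
is this example's own, not the researchers' algorithm.
"""
from collections import defaultdict
from itertools import combinations

WINDOW_S = 3.0      # the four tires of one car are heard within a few seconds
MIN_SUPPORT = 2     # bursts two IDs must share before they are linked

CAPTURES = [
    # vehicle A passes R1
    ("R1", 100.0, "A1"), ("R1", 100.4, "A2"), ("R1", 100.9, "A3"), ("R1", 101.3, "A4"),
    # vehicle B passes R1 in the same window, so A and B IDs co-occur once
    ("R1", 101.0, "B1"), ("R1", 101.6, "B2"), ("R1", 102.1, "B3"), ("R1", 102.4, "B4"),
    # A reaches R2 a minute later; a lone sensor X9 is also heard there
    ("R2", 160.2, "A1"), ("R2", 160.5, "A2"), ("R2", 161.0, "A3"), ("R2", 161.4, "A4"),
    ("R2", 161.1, "X9"),
    # B turns off toward R3
    ("R3", 200.0, "B1"), ("R3", 200.3, "B2"), ("R3", 200.8, "B3"), ("R3", 201.2, "B4"),
    # A comes back past R1 an hour later; tire A3's packet is lost
    ("R1", 3700.0, "A1"), ("R1", 3700.6, "A2"), ("R1", 3701.1, "A4"),
]


def cooccurrence_groups(captures, window_s=WINDOW_S):
    """Per receiver, split the log into bursts: every capture within window_s
    of the burst's first capture joins it. Returns (receiver, t0, set_of_ids)."""
    by_rx = defaultdict(list)
    for rx, t, sid in captures:
        by_rx[rx].append((t, sid))
    groups = []
    for rx, obs in by_rx.items():
        obs.sort()
        ids, t0 = set(), None
        for t, sid in obs:
            if t0 is None or t - t0 > window_s:
                if ids:
                    groups.append((rx, t0, ids))
                ids, t0 = set(), t
            ids.add(sid)
        groups.append((rx, t0, ids))
    return groups


def link_sensors(groups, min_support=MIN_SUPPORT):
    """Link IDs that share at least min_support bursts; each connected
    component is one vehicle. A single shared burst (two cars passing
    together, or a stray sensor) is not enough, which keeps A, B and X9 apart."""
    pair_count = defaultdict(int)
    for _, _, ids in groups:
        for a, b in combinations(sorted(ids), 2):
            pair_count[(a, b)] += 1
    adj = defaultdict(set)
    for (a, b), n in pair_count.items():
        if n >= min_support:
            adj[a].add(b)
            adj[b].add(a)
    vehicles, seen = [], set()
    for start in sorted(adj):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in comp:
                continue
            comp.add(node)
            stack.extend(adj[node] - comp)
        seen |= comp
        vehicles.append(frozenset(comp))
    return vehicles


def track(vehicle, groups, min_tires=2):
    """Sightings of a vehicle: bursts in which at least min_tires of its IDs
    were heard, so one lost packet does not lose the sighting."""
    return sorted((t0, rx) for rx, t0, ids in groups if len(ids & vehicle) >= min_tires)


def transit_times(sightings):
    """Seconds between consecutive sightings: a crude driving-pattern signal."""
    return [(a_rx, b_rx, round(b_t - a_t, 1))
            for (a_t, a_rx), (b_t, b_rx) in zip(sightings, sightings[1:])]


if __name__ == "__main__":
    groups = cooccurrence_groups(CAPTURES)
    for vehicle in link_sensors(groups):
        path = track(vehicle, groups)
        print(sorted(vehicle), path, transit_times(path))
```

With real captures the same two knobs matter: the burst window must be wide enough to catch all four tires at motorway speed, and the support threshold is what separates a car from whatever happened to be in the same lane at the same time.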

The finding adds to a growing body of research showing how modern vehicles have become unintended platforms for all kinds of surveillance and exploits. Modern cars contain numerous components that emit signals that can be intercepted, analyzed, and exploited in ways the equipment manufacturers never intended. Researchers previously demonstrated how to track vehicles through their keyless entry fobs, spy on drivers through in-car entertainment systems, and even remotely manipulate safety-critical functions through connected diagnostic ports.


    Source: www.darkreading.com…

  • Dark Reading Confidential: This Threat Hunter Helped Cops Bust Up An African Cybercrime Syndicate

    Becky Bracken

    Hello everyone, and welcome to Dark Reading Confidential. It’s a podcast with the editors of Dark Reading, bringing you real world stories straight from the cyber trenches. I’m Becky Bracken, your host. And today I am thrilled to welcome Will Thomas, who is a senior threat researcher with Team Cymru. He was recently involved in a blockbuster breakup of an African cybercrime syndicate operation in conjunction with Interpol. So we wanted to welcome Will today to give us some insights into how that came about and what that was like. So welcome, Will.

    Will Thomas 

    Thanks for having me on. It’s been a good opportunity to chat, and I’m happy to dive into a little bit more about the types of role that Team Cymru can play in these international law enforcement operations.

    Becky Bracken

    Yes, OK, so this was a biggie, and I covered this (Operation Sentinel) just before the end of the year on Dec. 23. And, according to the report from Interpol, involved law enforcement across 19 countries, made 574 arrests, and recovered three million. That’s quite a bust, I would say.

    Will Thomas 

    Yes, they did a lot there. Makes me smile, makes me proud to think that we’ve been involved in this and, you know, hopefully improved a lot of people’s lives as a result.

    Becky Bracken 

    So, help us get an idea of how this comes about. How do you first learn about Operation Sentinel? How do you first learn about what your role is potentially going to be working with Interpol on this?

    Will Thomas 

Yeah, there are a lot of people in Team Cymru, a lot of researchers and experts; the company is made up of many experts and researchers, and we have a lot of people who’ve been involved in fighting cybercrime and fighting various hostile state campaigns as well. And through that experience, we’ve kind of built up these relationships over the many, many years that the company’s been around.

    Team Cymru goes back 25 years since it was created. And the whole time it’s always been about, you know, it has a mission to save and improve human lives. And through that simple slogan, you know, we work with law enforcement, we help with takedowns, using the unique data sets that Team Cymru has, we’re able to stop these cybercriminal campaigns, because we are able to watch them do things that they don’t think they are being watched doing.

    Becky Bracken 

    So your boss comes into your office or pings you on Teams, I assume, and says, Hey, I’ve got this project for you to work on. Is that how the work gets disseminated out?

    Will Thomas 

    Yes, it can start like that. We have only senior experts in Team Cymru and those people have used their relationships to receive sort of ad hoc requests. So Team Cymru is a strategic private sector partner for multiple law enforcement groups and agencies around the world. And we’ll just get an ad hoc request from them. So we will receive these email requests and then we will look into what we can do to help them. And it’s always been, there’s been basically a way that we’ve supported these campaigns.

    Becky Bracken

    So this isn’t new work for you or your team over there.

    Will Thomas

    No, Cymru has been involved in multiple operations in 2025 alone. Multiple Interpol operations. There was one such as Operation Serengeti, MENA, and Synergia, and then this one, Sentinel, which is the one that recently took place across Africa. It’s something that they come to us for because of our expertise, but also the data that we have, which we can talk more about in a minute.

    Becky Bracken

    Yes, so I would like to know more about sort of your specific area of expertise and the data and sort of how you went about tracking down these crime syndicates, which I guess it was several operating in unison, is that correct?

    Will Thomas

    Yeah. So the interesting thing about this operation, and my expertise as well, is that it’s mainly focused on three types of cybercrime that many of the listeners will probably be familiar with. Ransomware, business email compromise, and then data extortion as well. And those types of threat actors are not the most sophisticated, but they are very persistent. They do cause a lot of damage and disruption to various organizations around the world.

And particularly in Africa, where they’re not as well defended, right? So our expertise comes in tracking the infrastructure of these types of threat actors, and that comes in two parts as well. Where are the IP addresses hosting the tools used by these ransomware gangs? And then where are the threat actors who are remoting into them and controlling those IP addresses? And where are and who are the victims? Because we can use our NetFlow data, which I can dive into more as well. We are able to identify not only the victims of a certain C2 server, offensive security tool, or hacking tools hosted online, but also who’s controlling those tools, who’s remoting in and taking control of those command and control servers.

    Becky Bracken

    I would imagine that also comes in pretty frequently when you’re trying to do attribution work as well, trying to tie certain infrastructures to various campaigns and groups. Is that something else you’re involved in?

    Will Thomas

Exactly. My expertise often comes in tracking ransomware campaigns. And from tracking the ransomware threat actors, I like to map out what tools they use and also the infrastructure that they launch those capabilities from. So for example, I created this project called the Ransomware Tool Matrix. It takes all of the tools used by various different ransomware gangs, probably over 100 being tracked, and all of the different tools that they use.

What Team Cymru does is we’ll scan and track across the internet where these tools are hosted. So take Cobalt Strike, for example. That’s a very common tool that multiple ransomware gangs like to use. Using our NetFlow data, we can see where those Cobalt Strike IPs are hosted, and we can see who are the victims of those Cobalt Strike IPs. And for this specific operation with Interpol, we could see there’s a set number of countries that they wanted to support and build this operation around. And we could see victims coming, communicating, beaconing out from their corporate networks to those Cobalt Strike IPs. And the way Team Cymru can do that is we have these partnerships, hundreds of partnerships around the world where we receive NetFlow data. And then that NetFlow data is enriched with, because we know what the victim IP is. Maybe it’s like an enterprise gateway, a WAN IP, and then we also know the other side of it, which is this malicious Cobalt Strike IP. And if we see the two communicating, then we found a victim. So all of that intelligence about where the threat actors are hosting their control tools, their hacking tools, and the NetFlow to the victims, then that goes to Interpol and then they can use that to take down these operations.

    Becky Bracken 

So in the case of Operation Sentinel, which came first? Were you seeing nefarious beacons going to these Cobalt Strike C2s? Or did Interpol come to you and say, We think there’s some weird stuff going on. Can you take a look at the digital footprint of this?

    Will Thomas 

    As with most law enforcement engagements that we have, law enforcement came to us. But there are other occasions when we’ll investigate and identify some malicious activity and we can tip off various agencies. The interesting thing about Team Cymru or the unique thing about Team Cymru, is that as law enforcement, many people may not realize that they can’t really act unless there’s victims in their jurisdiction. For Interpol to come here and help coordinate this operation, they had to have the cooperation of all the different African countries, police forces, who can respond to these incidents. So that as long as there’s a victim in their jurisdiction, then they can respond to it. Unfortunately, because of the nature of the internet, a threat actor who’s maybe in Russia could host a C2 server in the Netherlands and then communicate with victims across Africa, for example. So because of the dynamics of international jurisdictions, it takes an international law enforcement agency like Interpol to coordinate those requests, those takedowns, helping police forces work with attorneys and lawyers and things to help prosecute and pass things along and get sign-offs from judges to do those takedowns.

    Becky Bracken 

    That’s so interesting because it does hit home when I see, because Interpol has been launching these large scale multinational takedowns and I hadn’t considered that it requires them to find and pinpoint victims in their individual jurisdictions and that must be a pretty hefty digital lift if you don’t know what you’re doing.

    Will Thomas

Exactly. And for a lot of organizations, you kind of run into a problem where the threat actor may be hosting something in a country where the law enforcement there are not as advanced as the US, not as advanced as the UK, or whoever. Maybe they don’t even have a cybercrime unit. So if a threat actor hosts that command and control infrastructure in that country, then getting them to do a takedown, getting them to disrupt and seize things can be a lot harder. So that’s one of the reasons why threat actors do that. But then that’s, again, one of the reasons why Team Cymru is able to come in and help there, because we can show them, here’s malicious activity emanating from that jurisdiction, and here’s what you can do to stop it.

    Becky Bracken

And just to give our audience an idea, this Operation Sentinel spanned 19 countries and involved the takedown of more than 6,000 malicious links and the decryption of six individual ransomware variants. That’s an incredible amount of work. And it said that it was months long. I mean, how long of a span of time were you spending on this?

    Will Thomas

I believe it was multiple months essentially; it was throughout 2025. These operations can go on several months and then they can also be divided up into multiple parts. So other previous operations, you know, we’re up to part two, part three for some of them. And then for others, you know, there may be just some new initiative that comes along, but maybe the first one can be a year long and the next one can be half a year, depends on the impact of and the progress that we’re making.

    Becky Bracken 

    Can you give us some insights into what sort of was the turning point on this operation when you were digging into all of this sort of digital information that was out there? At what point did you realize what you had was a big deal? This wasn’t just a run-of-the-mill take down operation.

    Will Thomas

Yeah, I think Team Cymru, whilst we played a pivotal role, we were one of a group of organizations that helped Interpol here. Our contribution was more strategic to help them with this key aspect of their operation. Whereas some of the other activities they did, like the decryption of ransomware and the arresting of the criminals, that’s kind of beyond Team Cymru’s. … We’re not out there kicking the doors down as much as we wish. We play more of a strategic role. So I think our ability to support them in their mission to do that is really the thing that enabled them. How can I re-explain it? Our ability to show them where the victims are, as well as other cybersecurity vendors that help them do that as well. It gives them that power to then go and truly investigate things. Instead of essentially just staring at a list of victims, knowing potentially which threat actor is responsible, you actually have to have that technical data, that evidence that you can actually use to go and do real world actions, real world impact.

    Becky Bracken

    Through a lot of my reporting, it does seem as if at least maybe spiritually the tide seems to be turning with some of these big multinational crackdowns. At least it’s sending a message that these cybercriminals can’t just operate with impunity because they’re in some far-flung outpost, I guess. Is that an outlook that you share? Do you see this sort of as a bigger trend toward getting our arms wrapped around this?

    Will Thomas 

Yeah, I think that’s a great point to raise because from my experience of tracking ransomware over the last four or five years, we have seen a lot of success from law enforcement doing takedowns of malware loader botnets. You know, when I first started out in CTI around 2019 we were discussing things like Emotet and TrickBot, QakBot, IcedID, you know, the massive malware loader botnets that would drop tools like Cobalt Strike and other follow-up secondary payloads that would then lead to ransomware deployment. Nowadays, we don’t really see that. That’s kind of gone away. Ever since we’ve seen those coordinated takedowns of Emotet and QakBot, and now with Operation Endgame that Europol has been coordinating, which Team Cymru is also part of, we have seen that type of threat evolve. And now I think the initial access the threat actors and the threats that are providing initial access for ransomware gangs is kind of decentralizing. And now it’s all becoming about InfoStealers, InfoStealer malware, as well as exploitation of edge devices, brute forcing, SSH and RDP brute forcing. So these types of threats are actually becoming a little bit more spread out. You know, there’s not so much a massive big botnet that we all have to worry about. Now it’s just a constant threat from all sorts of different angles.

    So the threat is evolving and it just means maybe the gaps aren’t as big anymore but they’re smaller and more numerous.

    Becky Bracken 

What is your sense of the impact this is having on what about a year ago we were reporting on as these highly professionalized, sort of mechanized ransomware operations that were, you could have your affiliates, you know, they were becoming these really professionalized operations. Have we been able to make a dent in those and sort of halt any of their progress?

    Will Thomas

Yeah, from what I’ve seen over the last four or five years, there has been a significant number of takedowns. Law enforcement has been putting a lot of pressure on ransomware gangs over the last couple of years. I will say law enforcement’s tactics have evolved. There have been some interesting strategies taken, things like sanctioning a ransomware gang only for them to rebrand. We’ve seen law enforcement kind of hacking back, hacking into the infrastructure and basically collecting, retrieving, seizing the decryption keys and helping victims decrypt. And then more recently, maybe the beginning of last year, we saw, or the beginning of 2024, we saw Operation Cronos, which kind of stands out in my mind, which was led by the UK and actually showed that if you can sow distrust, if you can tarnish the criminals’ reputation, make them think that they can’t trust anyone anymore, show them that law enforcement is watching them, that really disrupts the ecosystem as well. That really causes them to stop trusting brands, you know, with the LockBit ransomware gang. I don’t think any serious threat actor would consider partnering with them anymore due to the fact that law enforcement compromised them and was watching them for months, and even took over their own darknet infrastructure. So with all that disruption going on, I think again, the same thing is happening in the ransomware ecosystem as happened with the malware ecosystem. Things have decentralized. There’s a lot of leaked tools out there that a lot of groups are picking up, spinning up a very simple concept of a group or a brand.

Only to disappear and rebrand as soon as they get reported on a few times. I mean, it’s not that hard anymore when all the tools are free. They’re freely available on GitHub or some free website out there. Or the ransomware code itself is spread around freely on the underground, too.

    Becky Bracken 

    It strikes me that the work you do is sort of the purest aspirational when you dream of, you know, going to work and hunting down cyber criminals and engaging with law enforcement. That seems like, to say the least, a really exciting piece of working in cybersecurity.

    If there are listeners out there, and I know there are, who would like to work their way into the kind of work that you do, whether you or your teammates, what sort of skill set do you think that they might consider working on and tooling up on, scaling up on?

    Will Thomas 

    Great question. I often come across and talk to aspiring researchers, people who have shown a lot of skill and talent. They want to be a part of helping to disrupt these operations. But at the end of the day, the researchers must cooperate with the law enforcement, otherwise we’re never going to get anything done.

And when you have researchers disrupting law enforcement operations, you know, that’s when, you know, we’re not helping each other. So my key advice for any researcher who feels like they would want their skills and their research to be more impactful, then it’s all about building those relationships and it’s all about trust. At the end of the day, a lot of the cybersecurity industry is built on trust. You’re not going to hire someone that you don’t trust. A lot of the jobs and things out there are based on, you know, I know this person already and I trust them. So I trust them to do the job for dealing with sensitive data. I trust they’re not going to exploit it.

So it’s going to conferences, going to not just, you know, your Infosecurity Europe or something like that. That is a great conference, has its purpose, but going to the more specific law enforcement, researcher, private-public industry collaboration events, getting invited to those would probably be the key way to do it. That’s the way that I did it. The UK has a pretty good community of law enforcement and then also the government, the UK NCSC. They’ve been very inviting. They’ve been working, bringing researchers in, doing conferences together, presentations.

    As long as you show that you’re good at doing cybersecurity research, you’re good at investigating cyber criminals, eventually you’ll come across someone who knows someone who’s willing to give you a chance. As long as you don’t burn that chance and you trust each other and you don’t overshare or do any disruptive activities, then you can foster those relationships for years to come, as I have done.

    Becky Bracken 

    That’s excellent advice. I wanted to know for my own curiosity: Do you have to concern yourself with your own security based on this work that you’re doing? How much extra effort are you putting into covering your tracks and making sure you don’t get cross ways with some of these people?

    Will Thomas

Yeah, I mean, it’s a fair comment. It is always important to go over your own personal security. You know, I’ve created guides to help other people to maintain their own personal security. As long as you follow your own advice, then things should be OK. It’s kind of difficult for me in some ways because I somewhat have to be public-facing. I have to go to conferences. I have to do podcasts and, you know, you put my name out there a little bit, my face out there. But I will, you know, try and do things to make sure that, you know, people who I’m with, my friends and family, are not exposed to that and not going to face repercussions, by taking various measures, you know, training them, giving them cybersecurity awareness training. Because I may have the best, you know, cybersecurity personal security out there, not saying that I do, but it’s going to be as good as I can make it, but it could just take one slip from someone else who I’m connected to for them to have a really bad day because of the work that I do. So I do have to, you know, I do have to talk about education. You know, don’t share pictures of me on social media or that sort of stuff. And yeah, it’s a constant battle. You have to constantly, it’s constant education. You can’t say it once. You have to always remind people.

    Becky Bracken 

    Well, Will Thomas, I want to thank you so much for the work that you do and for being willing to share it with us and put your face out there. We very much appreciate it. Your work is fascinating and so important. So thank you so much.

    Will Thomas 

Thank you. Yeah, I appreciate the opportunity to come on. And the last thing I’ll say is that Team Cymru is a very community-focused organization. And this is kind of a, in a way, it’s a call to action for organizations to potentially hear us out when we say you can make a difference, you can help us make a difference in the world through the partnerships that we have.

    Becky Bracken

    That is a perfect place to leave it. Thank you so much, Will Thomas. This has been Dark Reading Confidential, a podcast from the editors of Dark Reading. And on behalf of everyone over here, I want to thank you so much for listening. We’ll see you on a future episode. Bye.


    Source: www.darkreading.com…

  • CISA Adds Actively Exploited VMware Aria Operations Flaw CVE-2026-22719 to KEV Catalog

Ravie Lakshmanan | Mar 04, 2026 | Vulnerability / Enterprise Security

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a recently disclosed security flaw impacting Broadcom VMware Aria Operations to its Known Exploited Vulnerabilities (KEV) catalog, citing active exploitation in the wild.

    The high-severity vulnerability, CVE-2026-22719 (CVSS score: 8.1), has been described as a case of command injection that could allow an unauthenticated attacker to execute arbitrary commands.

    “A malicious unauthenticated actor may exploit this issue to execute arbitrary commands, which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress,” the company said in an advisory released late last month.

    The shortcoming was addressed along with CVE-2026-22720, a stored cross-site scripting vulnerability, and CVE-2026-22721, a privilege escalation vulnerability that could result in administrative access. It impacts the following products –

    • VMware Cloud Foundation and VMware vSphere Foundation 9.x.x.x – Fixed in 9.0.2.0
    • VMware Aria Operations 8.x – Fixed in 8.18.6

    Customers who cannot apply the patch immediately can download and run a shell script (“aria-ops-rce-workaround.sh”) as root from each Aria Operations Virtual Appliance node.

    There are currently no details on how the vulnerability is being exploited in the wild, who is behind it, and the scale of such efforts.

    “Broadcom is aware of reports of potential exploitation of CVE-2026-22719 in the wild, but we cannot independently confirm their validity,” the company noted in an update to its bulletin.

    In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the fixes by March 24, 2026.


    Source: thehackernews.com…

  • As War Continues, Pro-Iranian Actors Launch Barrage of Cyberattacks

    As War Continues, Pro-Iranian Actors Launch Barrage of Cyberattacks

    The joint US-Israeli attack on Iran already has spurred a cyber response from multiple corners, including a barrage of distributed denial of service (DDoS) hits, critical infrastructure attacks, and network compromises that aim to do significant physical, reputational, and financial damage, according to security researchers.

    On Saturday, the US and Israel launched a broad military action in Iran, killing the country’s Supreme Leader Ayatollah Ali Khamenei, as well as dozens of other government officials. Iran has retaliated with both military action and cyber warfare — the latter a realm where it has more leverage against its adversaries than on the physical battlefield. 

    The US said it expects a significant cyber response from the prolific array of pro-Iranian cyber actors already working in cyber espionage and cyber sabotage, both in the immediate wake of the initial attacks and for the foreseeable future. The attacks will come from groups linked to Iranian state entities such as the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS), as well as hacktivist groups sympathetic to Iran’s cause. 

    Related:Iran’s MuddyWater Targets Orgs With Fresh Malware as Tensions Mount

    A coalition of pro-Iranian and pro-Russian cyber actors already has launched the “#OpIsrael” campaign, focusing on critical infrastructure and data exfiltration, while other hacktivists have struck out against individual targets in protest of the military action and as a counter to the Islamic Republic’s military losses, according to research from Check Point Research, Flashpoint, Palo Alto Networks’ Unit 42, Cisco Talos, and others.

    Meanwhile, the IRGC has targeted the energy sector with a cyberattack on Saudi Arabia’s Aramco facility at Ras Tanura, and an Amazon Web Services (AWS) data center in the United Arab Emirates, both countries where the US has military installations, according to a report by Flashpoint emailed to Dark Reading.

    Indeed, Iran’s intent appears to be to inflict maximum global economic pain and infrastructure disruption via cyber means as a counter-pressure to its military losses, in “a shift to severe economic warfare and a higher risk for global energy supply,” according to Flashpoint.

    “This ecosystem supports a broad set of objectives: espionage to gain intelligence and footholds; disruption and destructive activity, including DDoS attacks, pseudo-ransomware, and data wipers to impose costs; and information operations that pair destructive activity or data leaks with coordinated online amplification,” Check Point Research wrote in its analysis of the activity, noting it expects the targeting to intensify and broaden across the US and its allied countries. 

    Related:Latin America’s Cyber Maturity Lags Threat Landscape

    Specific Cyberattacks from Various Groups

    Researchers from Check Point, Flashpoint, and Unit 42 have revealed a laundry list of specific attacks and activity from Iran-linked or pro-Iranian groups that have already occurred since the initial bombing started Saturday. 

    These attacks include several by Cotton Sandstorm (aka Emennet Pasargad, Aria Sepehr Ayandehsazan, MarnanBridge, and Haywire Kitten), an Iranian cyber actor affiliated with the IRGC. The group revived its old cyber persona, Altoufan Team, which mostly specialized in targeting Bahrain and had been silent for more than a year, according to Check Point. It’s now claimed new alleged targets in Bahrain, where there are US military bases.

    Another group, the FAD Team (aka Iran’s Resistance Hub and the Fatimion Cyber Team) has executed a global SQL injection campaign, leaking personally identifiable information (PII) from a wide range of targets, according to Flashpoint. These include a virtual US Air Force group and educational institutions in France, India, and Vietnam. 

    The FAD Team also claimed control over network monitoring dashboards for firewall devices in Mecca and Medina in Saudi Arabia, and targeted other US-allied Arab states, disabling the Bahrain News Agency and launching DDoS attacks against Qatari oil firm Gasco and Qatar Radio, according to Flashpoint.

    Related:Asia Fumbles With Throttling Back Telnet Traffic in Region

    Meanwhile, Unit 42 reports Handala Hack, a hacktivist persona linked to Iran’s MOIS, has combined data exfiltration with cyber operations against the Israeli political and defense establishment. So far, since Saturday, the group has claimed responsibility for compromising an Israeli energy exploration company and the fuel system of the country of Jordan. Handala also claimed to target Israeli civilian healthcare institutions to create domestic pressure just days before the war broke out. 

    Another pro-Iranian umbrella collective called the Cyber Islamic Resistance, which coordinates multiple hacktivist teams — including groups like RipperSec and Cyb3rDrag0nzz — has launched synchronized DDoS attacks, data-wiping operations, and website defacements against Israeli and Western infrastructure to support Iran. So far, they have claimed responsibility for compromising an Israeli drone defense and detection system, as well as payment infrastructure in Israel, according to Unit 42.

    Iran’s Allies Join the Cyber Fray

    Aside from threat groups directly linked to Iran, groups outside of the country with Iranian sympathies are making coordinated cyberattacks to support the Islamic Republic.

    Pro-Palestinian group Dark Storm Team (aka DarkStorm or MRHELL112) for instance claims to have targeted several Israeli websites, including that of an Israeli bank, with DDoS attacks, its specialty, according to Unit 42.

    Meanwhile, several pro-Russia hacktivist groups have claimed attacks of their own to support Iran. The “Cardinal” group claimed to target the Israel Defense Forces (IDF) systems via their public Telegram board, infiltrating IDF networks and posting the leaked information publicly.

    The pro-Russian hacktivist group NoName057(16) also has claimed multiple Israeli targets, including disruptive operations against a range of Israeli municipal, political, telecom, and defense-related entities. Meanwhile, a partnership between this group and the Cyber Islamic Resistance has conducted DDoS attacks against Israeli defense contractor Elbit Systems and municipal governments, according to Unit 42.

    Buckle Up, Cyber Defenders

    What all this amounts to is that organizations, critical infrastructure operators, and even individuals on the ground will feel the impact, both cyber and physical, from the conflict, and should buckle up and get ready for a bumpy ride in the weeks and months ahead, according to the researchers.

    Organizations across the board should implement maximum-security protocols and prepare for physical-to-cyber hybrid attacks, with special attention paid to secure third-party partners or customers in the Middle East region with network links to US-based companies, Cisco Talos researchers noted.

    “Since this activity appears to be regionally focused, making sure enterprises are aware of any impacts to partners and third-party suppliers in the region will be paramount,” according to a post by Cisco Talos. “Additional inspection or controls may be warranted to insulate potential larger impacts to the wider organization.”

    In general, all organizations should ensure they are practicing sound security hygiene, including having multifactor authentication (MFA) enabled, being diligent around any links or documents that are circulating, and ensuring proper monitoring is in place to confront any collateral impacts as they arise.


    Source: www.darkreading.com…

  • AI Agent Overload: How to Solve the Workload Identity Crisis

    AI Agent Overload: How to Solve the Workload Identity Crisis

    Authenticating workloads is becoming more and more complex, particularly given things like AI agents and the wide range of identity permissions they need. Organizations need to be thinking ahead on securing workloads in complicated modern environments, but it’s not an easy task.

    Researchers at Zscaler hope to explore this evolution in an upcoming RSAC 2026 Conference session entitled, “What Are You, Really? Authenticating Workloads in a Zero Trust World.” 

    In computing terms, workloads cover the tasks applications and services conduct in order to do their job, and the IT resources those tasks consume. Workloads can refer to a wide range of things, from processing front-end user requests on a Web server (like managing a shopping cart) to cloud-native microservices, complex data analysis, AI training, and more. 

    The Challenges of Tackling Workloads in 2026

    Many workloads conduct their tasks quietly in the background and are considered non-human identities (NHI) because they require permission and authentication, much like human IT personnel would. 

    Related:The Tug-of-War Over Firewall Backlogs in the AI-Driven Development Era

    When you consider AI agents, which attempt to emulate the job a human might do, down to autonomous reasoning and decision-making (to whatever extent an agent can), the workloads get more complicated and require more stringent security controls. Also, especially in large companies, they could be using Azure, Google Cloud, and AWS to meet different needs, alongside on-premises services. Organizations need to authenticate workloads in a way that scales across the different aspects of a given environment. 

    During their upcoming technical session, Zscaler chief information security officer (CISO) Sam Curry and chief scientist Yaroslav Rosomakho will cover multiple specific methods for authentication, such as the mutual TLS (mTLS) security protocol, workload identity tokens, and remote attestation, as well as offer specific insights into which methods scale better than others. 

    Rosomakho tells Dark Reading that, historically, workload authentication and identity were not top of mind for organizations, and that while earlier on “it was a simpler world,” things have quickly grown complex. That complexity, unfortunately, doesn’t match the way many organizations currently secure their non-human identities. 

    “What we observe is that, right now, there are widespread insecure practices when it comes to workload identity,” the chief scientist says. “In many organizations, they simply rely on static IP addresses for identity mapping, and obviously that scales poorly. It’s spoofable, and any change to infrastructure collapses your workload identity definitions. We also see plenty of organizations that rely on all sorts of static credentials, such as HTTP basic authentication.”

    Related:Marquis v. SonicWall Lawsuit Ups the Breach Blame Game

    Moreover, Rosomakho says the most common way organizations identify and authenticate AI agents specifically is through static headers and keys that are never rotated. 

    “It’s a significant problem,” he says, adding that tying important processes to static keys can be a recipe for major technical and financial damage against an unprepared defender. 

    How to Authenticate Workloads in Your Environment

    Curry tells Dark Reading that, from a defender standpoint, there are many options to solve these problems and remediate the weaknesses. At a basic level, he says organizations should be looking for secrets, taking inventory of AI agents (as well as other NHI processes and services), adopting standards, and working toward zero-trust. They should also be talking to their platform providers about also adopting workload authentication standards. 

    “It’s about testing federation and defining [a data security] policy,” he explains.

    All of that said, the appropriate defense posture does depend on what the organization’s specific needs are. For example, Kubernetes Service Accounts make it so that workloads spun up in Kubernetes get dynamic short-term identities and can authenticate themselves to the outside world safely. 

    Related:AI Agents ‘Swarm,’ Security Complexity Follows Suit

    An organization may alternatively or additionally want to consider adopting one of the many open source standards that exist for this exact purpose, such as Secure Production Identity Framework for Everyone (SPIFFE), which, according to its website, is used “for securely identifying software systems in dynamic and heterogeneous environments.” At the heart of SPIFFE, as well as many of the better solutions, is creating a well-defined environment built on short-lived identities. 

    There’s also the Internet Engineering Task Force’s Workload Identity in Multi-System Environments working group, or WIMSE. WIMSE focuses primarily on defining standardized solutions for tackling the many problems that come up in addressing workloads today. It has meetings, a charter, a mailing list, and relevant documents.

    Whether an organization wants to adopt either of these standards or another like Security Assertion Markup Language (SAML), Curry and Rosomakho argue in favor of taking steps now, as workloads show no sign of getting less complex. 

    “It’s arguable that the most interesting and most common and most valuable communications that will be happening in our economy are going to involve no humans,” Curry says. “And so, it behooves us to be able to apply confidentiality, integrity, and availability in those circumstances. We can’t do that without a more advanced schema for authentication and then authorization. It might be one of the most important subjects for people in the cyber world or the IT world to say, OK, what’s our strategy here?”


    Source: www.darkreading.com…

  • SloppyLemming Targets Pakistan and Bangladesh Governments Using Dual Malware Chains

    SloppyLemming Targets Pakistan and Bangladesh Governments Using Dual Malware Chains

    Ravie Lakshmanan | Mar 03, 2026 | Malware / Phishing

    The threat activity cluster known as SloppyLemming has been attributed to a fresh set of attacks targeting government entities and critical infrastructure operators in Pakistan and Bangladesh.

    The activity, per Arctic Wolf, took place between January 2025 and January 2026. It involves the use of two distinct attack chains to deliver malware families tracked as BurrowShell and a Rust-based keylogger. 

    “The use of the Rust programming language represents a notable evolution in SloppyLemming’s tooling, as prior reporting documented the actor using only traditional compiled languages and borrowed adversary simulation frameworks such as Cobalt Strike, Havoc, and the custom NekroWire RAT,” the cybersecurity company said in a report shared with The Hacker News.

    SloppyLemming is the moniker assigned to a threat actor that’s known to target government, law enforcement, energy, telecommunications, and technology entities in Pakistan, Sri Lanka, Bangladesh, and China since at least 2022. It’s also tracked under the names Outrider Tiger and Fishing Elephant.

    Prior campaigns mounted by the hacking crew have leveraged malware families like Ares RAT and WarHawk, which are often attributed to SideCopy and SideWinder, respectively.

    Arctic Wolf’s analysis of the latest attacks has uncovered the use of spear-phishing emails to deliver PDF lures and macro-enabled Excel documents to kick-start the infection chains. It described the threat actor as operating with moderate capability.

    The PDF decoys contain URLs designed to lead victims to ClickOnce application manifests, which then deploy a legitimate Microsoft .NET runtime executable (“NGenTask.exe”) and a malicious loader (“mscorsvc.dll”). The loader is launched using DLL side-loading to decrypt and execute a custom x64 shellcode implant codenamed BurrowShell.

    “BurrowShell is a full-featured backdoor providing the threat actor with file system manipulation, screenshot capture capabilities, remote shell execution, and SOCKS proxy capabilities for network tunneling,” Arctic Wolf said. “The implant masquerades its command-and-control (C2) traffic as Windows Update service communications and employs RC4 encryption with a 32-character key for payload protection.”

    The second attack chain employs Excel documents containing malicious macros to drop the keylogger malware, while also incorporating features to conduct port scanning and network enumeration.

    Further investigation of the threat actor’s infrastructure has identified 112 Cloudflare Workers domains registered during the one-year time period, marking an eight-fold jump from the 13 domains flagged by Cloudflare in September 2024.

    The campaign’s links to SloppyLemming are based on continued exploitation of Cloudflare Workers infrastructure with government-themed typo-squatting patterns, deployment of the Havoc C2 framework, DLL side-loading techniques, and victimology patterns.

    It’s worth noting that some aspects of the threat actor’s tradecraft, including the use of ClickOnce-enabled execution, overlap with a recent SideWinder campaign documented by Trellix in October 2025.

    “In particular, the targeting of Pakistani nuclear regulatory bodies, defense logistics organizations, and telecommunications infrastructure – alongside Bangladeshi energy utilities and financial institutions – aligns with intelligence collection priorities consistent with regional strategic competition in South Asia,” Arctic Wolf said.

    “The deployment of dual payloads – the in-memory shellcode BurrowShell for C2 and SOCKS proxy operations, and a Rust-based keylogger for information stealing – suggests the threat actor maintains flexibility to deploy appropriate tools based on target value and operational requirements.”


    Source: thehackernews.com…

  • Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited

    Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited

    Ravie Lakshmanan | Mar 03, 2026 | Vulnerability / Mobile Security

    Google on Monday disclosed that a high-severity security flaw impacting an open-source Qualcomm component used in Android devices has been exploited in the wild.

    The vulnerability in question is CVE-2026-21385 (CVSS score: 7.8), a buffer over-read in the Graphics component.

    “Memory corruption when adding user-supplied data without checking available buffer space,” Qualcomm said in an advisory, describing it as an integer overflow.

    The chipmaker said the flaw was reported to it through Google’s Android Security team on December 18, 2025. Customers were notified of the security defect on February 2, 2026.

    There are currently no details on how the vulnerability is being exploited in the wild. However, Google acknowledged in its monthly Android security bulletin that “there are indications that CVE-2026-21385 may be under limited, targeted exploitation.”

    Google’s March 2026 update contains patches for a total of 129 vulnerabilities, including a critical flaw in the System component (CVE-2026-0006) that could lead to remote code execution without requiring any additional privileges or user interaction. In contrast, Google addressed one Android vulnerability in January 2026 and none last month.

    Also patched by Google are multiple critical-rated bugs: a privilege escalation bug in Framework (CVE-2026-0047), a denial-of-service (DoS) in System (CVE-2025-48631), and seven privilege escalation flaws in Kernel components (CVE-2024-43859, CVE-2026-0037, CVE-2026-0038, CVE-2026-0027, CVE-2026-0028, CVE-2026-0030, and CVE-2026-0031).

    The Android security bulletin includes two patch levels – 2026-03-01 and 2026-03-05 – to give Android partners the flexibility to address common vulnerabilities on different devices more quickly.

    The second patch level includes fixes for Kernel components, as well as those from Arm, Imagination Technologies, MediaTek, Qualcomm, and Unisoc.


    Source: thehackernews.com…

  • Microsoft Warns OAuth Redirect Abuse Delivers Malware to Government Targets

    Microsoft Warns OAuth Redirect Abuse Delivers Malware to Government Targets

    Ravie Lakshmanan | Mar 03, 2026 | Phishing / Malware

    Microsoft on Monday warned of phishing campaigns that combine phishing emails with OAuth URL redirection mechanisms to bypass conventional phishing defenses implemented in email and browsers.

    The activity, the company said, targets government and public-sector organizations with the end goal of redirecting victims to attacker-controlled infrastructure without stealing their tokens. It described the phishing attacks as an identity-based threat that takes advantage of OAuth’s standard, by-design behavior rather than exploiting software vulnerabilities or stealing credentials.

    “OAuth includes a legitimate feature that allows identity providers to redirect users to a specific landing page under certain conditions, typically in error scenarios or other defined flows,” the Microsoft Defender Security Research Team said.

    “Attackers can abuse this native functionality by crafting URLs with popular identity providers, such as Entra ID or Google Workspace, that use manipulated parameters or associated malicious applications to redirect users to attacker-controlled landing pages. This technique enables the creation of URLs that appear benign but ultimately lead to malicious destinations.”

    The starting point of the attack is a malicious application created by the threat actor in a tenant under their control. The application is configured with a redirect URL pointing to a rogue domain that hosts malware. The attackers then distribute an OAuth phishing link that instructs the recipients to authenticate to the malicious application by using an intentionally invalid scope.

    The result of this redirection is that users inadvertently download and infect their own devices with malware. The malicious payloads are distributed in the form of ZIP archives, which, when unpacked, result in PowerShell execution, DLL side-loading, and pre-ransom or hands-on-keyboard activity, Microsoft said.

    The ZIP file contains a Windows shortcut (LNK) that executes a PowerShell command as soon as it’s opened. The PowerShell payload is used to conduct host reconnaissance by running discovery commands. The LNK file extracts from the ZIP archive an MSI installer, which then drops a decoy document to mislead the victim, while a malicious DLL (“crashhandler.dll”) is sideloaded using the legitimate “steam_monitor.exe” binary.

    The DLL proceeds to decrypt another file named “crashlog.dat” and executes the final payload in memory, allowing it to establish an outbound connection to an external command-and-control (C2) server.

    Microsoft said the emails use e-signature requests, Teams recordings, social security, financial, and political themes as lures to trick users into clicking the link. The emails are said to have been sent via mass-sending tools and custom solutions developed in Python and Node.js. The links are either directly included in the email body or placed within a PDF document.

    “To increase credibility, actors passed the target email address through the state parameter using various encoding techniques, allowing it to be automatically populated on the phishing page,” Microsoft said. “The state parameter is intended to be randomly generated and used to correlate request and response values, but in these cases it was repurposed to carry encoded email addresses.”
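The redirect pattern described above (a rogue `redirect_uri`, an intentionally invalid scope, and an email address smuggled through `state` under layered encoding) can be triaged from the link alone. The following is an added example, not Microsoft's or any vendor's code; the trusted redirect hosts, the sample links and the email address in them are constructed for the example.

```python
"""Triage OAuth authorization links for the redirect-abuse indicators above."""
import base64
import re
from urllib.parse import parse_qs, quote, unquote, urlparse

# Authorization endpoints of the identity providers named in the article.
AUTHZ_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}

# Hosts your own registered apps redirect to (assumed allowlist for the example).
TRUSTED_REDIRECT_HOSTS = {"app.example.com", "portal.example.com"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Characters a well-formed scope token normally contains (heuristic, not a spec rule).
SCOPE_TOKEN_RE = re.compile(r"^[\w.:/-]+$")


def decode_layers(value: str, max_depth: int = 3) -> list[str]:
    """Return `value` plus each URL-decoded / base64-decoded form within a few layers.

    The article notes the target address is passed through `state` under
    "various encoding techniques"; peeling the layers lets the email regex see it.
    """
    out: list[str] = []
    frontier = [value]
    for _ in range(max_depth):
        nxt = []
        for v in frontier:
            if v in out:
                continue
            out.append(v)
            u = unquote(v)
            if u != v:
                nxt.append(u)
            std = v.replace("-", "+").replace("_", "/")  # accept the url-safe alphabet
            std += "=" * (-len(std) % 4)                 # restore stripped padding
            try:
                d = base64.b64decode(std, validate=True).decode("utf-8")
                if d and d != v:
                    nxt.append(d)
            except (ValueError, UnicodeDecodeError):
                pass                                     # not base64 / not text
        frontier = nxt
    return out


def analyze_link(url: str) -> dict:
    """Classify one link; `findings` is empty when nothing looks abusive."""
    p = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(p.query).items()}
    result = {"is_oauth": False, "findings": []}
    if p.hostname not in AUTHZ_HOSTS or "authorize" not in p.path:
        return result
    result["is_oauth"] = True

    # 1. The error redirect lands on redirect_uri, so an unknown host is the key signal.
    redirect_host = urlparse(params.get("redirect_uri", "")).hostname
    if redirect_host and redirect_host not in TRUSTED_REDIRECT_HOSTS:
        result["findings"].append(f"untrusted redirect_uri host: {redirect_host}")

    # 2. An intentionally invalid scope forces the identity provider into the error flow.
    bad = [s for s in params.get("scope", "").split() if not SCOPE_TOKEN_RE.match(s)]
    if bad:
        result["findings"].append(f"malformed scope token(s): {bad}")

    # 3. `state` should be opaque and random, not a (re-encoded) mailbox address.
    for form in decode_layers(params.get("state", "")):
        m = EMAIL_RE.search(form)
        if m:
            result["findings"].append(f"email address carried in state: {m.group(0)}")
            break
    return result


# Constructed sample links (not real campaign indicators).
_SMUGGLED_STATE = quote(base64.urlsafe_b64encode(b"jane.doe@agency.example").decode())
PHISH_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=" + quote("https://updates.example-cdn.test/dl", safe="")
    + "&scope=" + quote("openid offline_access user.read!!", safe="")
    + "&state=" + _SMUGGLED_STATE
)
BENIGN_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-1111-1111-1111-111111111111&response_type=code"
    "&redirect_uri=" + quote("https://app.example.com/callback", safe="")
    + "&scope=" + quote("openid profile User.Read", safe="")
    + "&state=8f3a1c9e2b7d4f60"
)

if __name__ == "__main__":
    for link in (PHISH_LINK, BENIGN_LINK):
        print(analyze_link(link))
```

Feed it the URLs extracted from mail bodies and PDF attachments; a hit on the redirect host alone is enough to quarantine, and the decoded `state` tells you who was targeted.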

    While some of the campaigns have been found to leverage the technique to deliver malware, others send users to pages hosted on phishing frameworks such as EvilProxy, which act as an adversary-in-the-middle (AitM) kit to intercept credentials and session cookies.

    Microsoft has since removed several malicious OAuth applications that were identified as part of the investigation. Organizations are advised to limit user consent, periodically review application permissions, and remove unused or overprivileged apps.


    Source: thehackernews.com…

  • Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication

    Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication

    Cybersecurity researchers have disclosed details of a new phishing suite called Starkiller that proxies legitimate login pages to bypass multi-factor authentication (MFA) protections.

    It’s advertised as a cybercrime platform by a threat group calling itself Jinkusu, granting customers access to a dashboard that lets them select a brand to impersonate or enter a brand’s real URL. It also lets users choose custom keywords like “login,” “verify,” “security,” or “account,” and integrates URL shorteners such as TinyURL to obscure the destination URL.

    “It launches a headless Chrome instance – a browser that operates without a visible window – inside a Docker container, loads the brand’s real website, and acts as a reverse proxy between the target and the legitimate site,” Abnormal researchers Callie Baron and Piotr Wojtyla said.

    “Recipients are served genuine page content directly through the attacker’s infrastructure, ensuring the phishing page is never out of date. And because Starkiller proxies the real site live, there are no template files for security vendors to fingerprint or blocklist.”

    This login page proxying technique obviates the need for attackers to update their phishing page templates periodically as the real pages they’re impersonating get updated.

    Put differently, the container acts as an AitM reverse proxy, forwarding the end user’s inputs entered on the spoofed live page to the legitimate site and returning the site’s responses. Under the hood, every keystroke, form submission, and session token is routed through attacker-controlled infrastructure and is captured for account takeover.

    “The platform streamlines phishing operations by centralizing infrastructure management, phishing page deployment, and session monitoring within a single control panel,” Abnormal said. “Combined with URL masking, session hijacking, and MFA bypass, it gives low-skill cybercriminals access to attack capabilities that were previously out of reach.”

    The development comes as Datadog revealed that the 1Phish kit had evolved from a basic credential harvester in September 2025 into a multi-stage phishing kit targeting 1Password users.

    The updated version of the kit incorporates a pre-phishing fingerprint and validation layer, support for capturing one-time passcodes (OTPs) and recovery codes, and browser fingerprinting logic to filter out bots.

    “This progression reflects deliberate iteration rather than simple template reuse,” security researcher Martin McCloskey said. “Each version builds upon the previous one, introducing controls designed to increase conversion rates, reduce automated analysis, and support secondary authentication harvesting.”

    The findings show that turnkey solutions like Starkiller and 1Phish are increasingly turning phishing into SaaS-style workflows, further lowering the skill barrier necessary to pull off such attacks at scale.

    They also coincide with a sophisticated phishing campaign targeting North American businesses and professionals by abusing the OAuth 2.0 device authorization grant flow to sidestep multi-factor authentication (MFA) and compromise Microsoft 365 accounts.

    To achieve this, the attacker registers a Microsoft OAuth application and generates a unique device code, which is then delivered to the victim via a targeted phishing email.

    “The victim is directed to the legitimate Microsoft domain (microsoft.com/devicelogin) portal to enter an attacker-supplied device code,” researchers Jeewan Singh Jalal, Prabhakaran Ravichandhiran, and Anand Bodke said. “This action authenticates the victim and issues a valid OAuth access token to the attacker’s application. The real-time theft of these tokens grants the attacker persistent access to the victim’s Microsoft 365 accounts and corporate data.”

    In recent months, phishing campaigns have also targeted financial institutions, specifically U.S.-based banks and credit unions, to harvest credentials. The campaign is said to have taken place over two distinct phases, an initial wave beginning in late June 2025 and a more sophisticated set of attacks beginning in mid-November 2025.

    “The actors began registering [.]co[.]com domains spoofing financial institution websites, presenting credible impersonations of real financial institutions,” BlueVoyant researchers Shira Reuveny and Joshua Green said. “These [.]co[.]com domains serve as the initial entry point in a refined multi-stage chain.”

    The domain, when visited from a clickable link in a phishing email, is designed to load a fraudulent Cloudflare CAPTCHA page that mimics the targeted institution. The CAPTCHA is non-functional and creates a deliberate delay before a Base64-encoded script redirects users to the credential harvesting page.

    In an effort to evade detection and prevent automated scanners from flagging the malicious content, directly accessing the [.]co[.]com domains triggers a redirect to a malformed “www[.]www” URL.

    “The adversary’s deployment of a more advanced multi-layered evasion chain – incorporating referrer validation, cookie-based access controls, intentional delays, and code obfuscation – effectively creates a more resilient infrastructure that presents barriers for automated security tools and manual analysis,” BlueVoyant said.


    Source: thehackernews.com…