The Cyber Express Weekly Roundup: EU AI Act Updates, Malware Expansion, Critical Vulnerabilities, and Rising Cybercrime Trends

In this weekly roundup from The Cyber Express, the global cybersecurity landscape continues to show rapid and uneven change, shaped by both regulatory shifts and escalating cyber threats. Governments are tightening oversight of new technologies such as artificial intelligence, while threat actors are simultaneously refining their techniques to exploit businesses, infrastructure, and end users across multiple platforms.

This edition of cybersecurity news brings together some of the most important developments of the week, ranging from significant amendments to the European Union’s AI Act to the expansion of malware campaigns into macOS environments and the discovery of a critical vulnerability in widely used enterprise firewall software.

It also covers major sentencing in a global ransomware case and a fresh warning from the FBI about the growing scale of cyber-enabled cargo theft targeting logistics and supply chain organizations.

The Cyber Express Weekly Roundup 

EU Updates AI Act with Simpler Rules and New AI Content Bans 

In a significant regulatory update, the European Union has agreed to revise parts of the EU AI Act. The updated framework aims to simplify compliance requirements for businesses while simultaneously introducing stricter restrictions on harmful AI-generated content. Read more...

ClickFix Malware Campaign Expands to macOS 

Another key development is the expansion of the ClickFix malware campaign beyond Windows systems. Security researchers at Microsoft have confirmed that the operation is now targeting macOS users using deceptive troubleshooting content. Read more... 

Critical PAN-OS Vulnerability Enables Remote Code Execution 

A critical security flaw has been identified in Palo Alto Networks’ PAN-OS firewall software. Tracked as CVE-2026-0300, the vulnerability carries a CVSS score of 9.3, indicating severe risk. The issue originates from a buffer overflow vulnerability in the User-ID Authentication Portal. Read more... 

Latvian Cybercriminal Sentenced in Global Ransomware Case 

Latvian national Deniss Zolotarjovs has been sentenced to 102 months in prison for his role in a large-scale ransomware operation. According to the U.S. Department of Justice, the group operated under multiple ransomware brands, including Conti, Royal, Akira, and Karakurt. Between 2021 and 2023, the organization carried out attacks against more than 54 companies worldwide, using data theft and encryption-based extortion tactics to pressure victims into paying ransom demands. Read more... 

FBI Warns of Rising Cyber-Enabled Cargo Theft 

The FBI has issued an alert regarding a sharp rise in cyber-enabled cargo theft. Criminal actors are using impersonation techniques to pose as legitimate logistics providers, allowing them to intercept and redirect freight shipments. The agency noted that logistics, shipping, and insurance companies have been targeted since at least 2024. Read more... 

Weekly Takeaway 

This week’s The Cyber Express weekly roundup highlights the growing convergence of regulatory change, advanced malware threats, critical infrastructure vulnerabilities, ransomware enforcement actions, and supply chain fraud. As the global cybersecurity landscape continues to evolve, organizations across all sectors remain under increasing pressure to strengthen defenses and adapt to emerging risks. 

Hacker Active Well Beyond Context.ai Compromise, Says Vercel CEO

Vercel CEO Guillermo Rauch said in an update today that, after scanning through petabytes of logs from the company's networks and APIs, his security team concluded that the threat actor behind the Vercel breach had been active well beyond Context.ai's compromise. Rauch said that the "threat intel points to the distribution of malware to computers in search of valuable tokens like keys to Vercel accounts and other providers. Once the attacker gets ahold of those keys, our logs show a repeated pattern: rapid and comprehensive API usage, with a focus on enumeration of non-sensitive environment variables." Researchers at Hudson Rock had earlier confirmed that the attack actually began in February, when a Context.ai employee’s computer was infected with Lumma Stealer malware after they searched for Roblox game exploits, a common vector for infostealer deployments. What the latest findings mean is that there could be a wider net of victims that the threat actor may have phished for, and what we know is just the tip of the iceberg - or not.
Also read: Vercel Incident Linked to AI Tool Hack, Internal Access Gained
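The log pattern Rauch describes (a stolen token suddenly reading environment variables across many projects in quick succession) is something a defender can hunt for in API audit logs. The detector below is an added example, not Vercel's code; the event tuple format and the sample events are constructed assumptions, not Vercel's real audit-log schema.

```python
"""Heuristic detector for the post-theft access pattern described above:
one token performing rapid, broad enumeration of environment variables.
Added example; the event schema (timestamp, token id, action, project)
is an assumption for illustration, not a real Vercel log format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed schema). A developer token reads one
# project's env vars occasionally; a stolen token sweeps every project in
# a few seconds, which is the enumeration pattern we want to flag.
SAMPLE_EVENTS = [
    ("2026-04-01T10:00:00", "tok_dev1", "env.read", "web"),
    ("2026-04-01T10:30:00", "tok_dev1", "deploy.create", "web"),
    ("2026-04-01T11:00:00", "tok_dev1", "env.read", "web"),
    ("2026-04-02T03:00:01", "tok_stolen", "env.read", "web"),
    ("2026-04-02T03:00:02", "tok_stolen", "env.read", "api"),
    ("2026-04-02T03:00:03", "tok_stolen", "env.read", "billing"),
    ("2026-04-02T03:00:04", "tok_stolen", "env.read", "docs"),
    ("2026-04-02T03:00:05", "tok_stolen", "env.read", "admin"),
    ("2026-04-02T03:00:06", "tok_stolen", "project.list", "-"),
]


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp string."""
    return datetime.fromisoformat(ts)


def find_enumeration(events, window=timedelta(minutes=5), min_projects=3):
    """Return {token: set(projects)} for every token that read env vars from
    at least `min_projects` distinct projects inside any sliding `window`.

    Only 'env.read' events count; other API calls are ignored so that normal
    deploy activity does not inflate the score."""
    reads = defaultdict(list)
    for ts, token, action, project in events:
        if action == "env.read":
            reads[token].append((parse_ts(ts), project))

    flagged = {}
    for token, entries in reads.items():
        entries.sort()  # sort by timestamp so the sliding window is valid
        start = 0
        for end in range(len(entries)):
            # Advance the window start until all entries fit inside `window`.
            while entries[end][0] - entries[start][0] > window:
                start += 1
            projects = {p for _, p in entries[start:end + 1]}
            if len(projects) >= min_projects:
                flagged[token] = flagged.get(token, set()) | projects
    return flagged


if __name__ == "__main__":
    for token, projects in find_enumeration(SAMPLE_EVENTS).items():
        print(f"ALERT token={token} enumerated env vars in {sorted(projects)}")
```

Tokens flagged this way are candidates for immediate revocation and rotation, which is the remediation Rauch recommends to suspected victims.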

Vercel Finds Customers Breached in Separate Malware, Social Engineering Attacks

In an official update, the company also stated that it had initially identified a limited subset of customers whose non-sensitive environment variables stored on Vercel were compromised. However, a deeper assessment of their network, as well as of environment variable read events in the company's logs, uncovered two additional findings.

"First, we have identified a small number of additional accounts that were compromised as part of this incident," the company noted.

But the main concern is the next finding: "Second, we have uncovered a small number of customer accounts with evidence of prior compromise that is independent of and predates this incident, potentially as a result of social engineering, malware, or other methods." 

The company did not disclose who the attackers were, what the motive was, or the impact on customers, and is yet to respond to these queries from The Cyber Express. It only stated: "In both cases, we have notified the affected customers."

Meanwhile, Rauch said, Vercel had notified other suspected victims and encouraged them to rotate credentials and adopt best practices.

No Compromise of npm Packages

The news of npm packages being compromised has surfaced a lot in recent times. To cover that front, Vercel's security team in collaboration with GitHub, Microsoft, npm, and Socket, confirmed that no npm packages published by Vercel had been compromised. "There is no evidence of tampering, and we believe the supply chain remains safe," the company said.

University of Warsaw Data Breach Exposes 200,000+ Sensitive Files on Darknet

Over 200,000 files containing sensitive personal information have been leaked following the University of Warsaw cyberattack that targeted the institution’s digital systems. The attack, which resulted in the publication of the stolen data on the darknet in mid-April 2026, has raised significant concerns about the university's cybersecurity protocols.

In response to the breach, the University of Warsaw took immediate action, isolating affected systems and working closely with relevant authorities to assess the scope of the incident. Rector Alojzy Z. Nowak commented, “Immediately after detecting the incident, the University undertook a series of actions aimed at limiting its impact and securing the IT environment. These included isolating affected systems, terminating unauthorized access, enforcing password resets for all users, strengthening authentication mechanisms, and conducting a comprehensive security review of the infrastructure.”

How the University of Warsaw Cyberattack Unfolded 

The cyberattack unfolded over several months, with attackers gaining access to the university's systems using valid login credentials. These credentials were likely obtained through malware that infected a user’s device, allowing the attackers to quietly exfiltrate large amounts of data over time. The stolen data was eventually posted on the darknet on the night of April 15, 2026, in an 850-gigabyte data dump.

The breach was initially detected on February 9, 2026, during a routine security scan, triggered by global ransomware threats. At first, it was believed that the stolen data had not left the university’s infrastructure. However, subsequent investigation revealed that a significant portion had already been leaked online.

In response to our inquiry, the university clarified: “At this stage, the investigation is ongoing, and no definitive attribution has been publicly confirmed. The incident involved unauthorized access using valid credentials that had likely been previously compromised, most probably through malware on a user’s device.”

What Data Was Exposed? 

The leaked files, which total over 200,000 documents, include a broad range of sensitive information. A large portion of the data came from the Faculty of Applied Social Sciences and Resocialization, as well as the Faculty of Neophilology. The breach exposed approximately 650 GB of publicly accessible audiovisual materials, along with 200 GB of sensitive personal data.

Among the types of personal data exposed were:

  • Identification details: Full names, birthdates, gender, nationality, PESEL numbers, and identity document numbers (e.g., passport numbers).
  • Contact information: Home addresses, phone numbers, email addresses, and usernames.
  • Financial and tax information: Bank account numbers and tax records.
  • Employment data: Employment contracts and career histories.
  • Health records: Information from medical certificates, including sick leave records.

The university has acknowledged that it’s still too early to definitively determine which individuals' data has been impacted. In an official statement, they noted, “Given the nature of the incident, it is not yet possible to conclusively determine which specific individuals’ data may have been impacted; therefore, we encourage all members of the academic community to follow the recommended guidance and monitor further updates.”

Official Response and Security Measures 

Following the breach, the university has worked diligently to mitigate further damage. In addition to isolating the affected systems, the university has collaborated with Poland’s Central Bureau for Combating Cybercrime (CBZC) and CERT Polska to investigate the incident and fortify its cybersecurity defenses.

“We remain committed to fully clarifying the circumstances of this incident and to continuously improving the protection of personal data,” Rector Nowak stated. The university also emphasized its ongoing efforts to enhance security measures, including expanding advanced authentication methods, increasing network monitoring, and further segmenting IT infrastructure to reduce exposure to future risks.

Moreover, the university has published a detailed communication, following GDPR guidelines, to inform affected individuals about the breach and provide recommendations on how they can protect themselves. “Affected individuals are being informed through an official public communication available on the University’s website,” the statement said. “These include, among others, monitoring financial activity, securing personal data (e.g., PESEL number), changing passwords, enabling multi-factor authentication, and remaining vigilant against phishing or fraud attempts.”

Consequences of the Warsaw University Data Leak 

The leaked data presents a serious risk to those affected. The exposure of personal identification details, financial information, and health records could lead to a range of harmful outcomes, including:

  • Identity theft: Cybercriminals could use the stolen data to impersonate individuals, open accounts in their names, or conduct fraudulent transactions.
  • Financial fraud: With access to sensitive financial information, attackers may attempt to take out loans, make unauthorized purchases, or commit tax fraud.
  • Health and privacy violations: Unauthorized access to medical records could lead to misuse of health-related information for fraud or exploitation.

Moreover, the data leak also carries legal and operational risks, such as wrongful use of personal data in official systems or academic environments. University applicants could face fraudulent claims or be targeted by scams related to university admissions or scholarship offers.

Preventive Actions and Recommendations 

While the university has taken immediate steps to isolate the affected systems and enhance its security infrastructure, there are additional measures individuals can take to protect themselves from potential fallout:

  • Monitor financial and credit activity: Individuals should check their credit reports for any suspicious activity and set up alerts for new credit inquiries.
  • Change passwords and use multi-factor authentication: Affected individuals should update their passwords for email, bank accounts, and university systems, ensuring they use strong, unique passwords for each service.
  • Be cautious of phishing attempts: The exposure of personal data may lead to targeted phishing attacks. Individuals should remain vigilant when receiving unsolicited messages, particularly those related to banking or health services.

Rockstar Cyberattack Confirmed; ShinyHunters Claims Breach, Issues Extortion Threat

Rockstar Games has confirmed a new security breach involving unauthorized access to internal data. The company behind GTA 5 and the Grand Theft Auto franchise acknowledged that the Rockstar cyberattack stemmed from a third-party vulnerability, though it maintains the impact is limited.

At the same time, the hacking group ShinyHunters has claimed responsibility for the cyberattack on Rockstar, alleging it has obtained company data and is now attempting to extort the developer. The group has issued a deadline, threatening to leak the data if its demands are not met.

Rockstar Cyberattack Confirmed by Company 

According to the GTA 5 developer, the cyberattack on Rockstar systems did occur, but the overall impact appears to be limited. In a statement shared with Kotaku, a company spokesperson clarified: “We can confirm that a limited amount of non-material company information was accessed in connection with a third-party data breach. This incident has no impact on our organization or our players.”

This statement indicates that although the Rockstar cyberattack resulted in unauthorized access, it did not compromise sensitive player data or disrupt operations tied to popular titles like GTA 5 or the broader Grand Theft Auto franchise. Rockstar noted that the breach involved non-essential company information, suggesting minimal operational risk.

Cyberattack on Rockstar Linked to ShinyHunters Extortion 

The situation escalated when ShinyHunters, a cybercrime group active since 2020, claimed responsibility for the cyberattack on Rockstar. The group alleges it infiltrated the company’s cloud infrastructure and obtained a large volume of internal data. To increase pressure, the hackers posted an extortion message on their dark web leak site, demanding payment before April 14, 2026.

Their warning reads: “Rockstar Games, your Snowflake instances were compromised thanks to Anodot.com. Pay or leak. This is a final warning to reach out by 14 Apr 2026 before we leak, along with several annoying (digital) problems that’ll come your way. Make the right decision, don’t be the next headline.”

Reports suggest that the attackers did not directly breach Snowflake, the cloud data platform used by Rockstar. Instead, the vulnerability appears to stem from Anodot, a cloud cost monitoring and analytics service integrated with Rockstar’s systems. Anodot itself has reportedly suffered a recent security incident, which may have provided ShinyHunters with indirect access.

This method of intrusion would have appeared legitimate within Rockstar’s infrastructure, making detection more difficult and potentially allowing the attackers to gather a significant amount of corporate data.

Rockstar Cyberattack Raises Concerns for Grand Theft Auto Future 

At this stage, ShinyHunters has not disclosed exactly what files or information they possess. However, early assessments suggest the stolen data is likely limited to internal corporate materials rather than user-sensitive information. This could include contracts, financial records, marketing strategies, and other proprietary assets: valuable information that Rockstar would prefer to keep confidential, especially with anticipation building around future Grand Theft Auto releases.

ShinyHunters has a well-established track record of targeting major corporations. Previous victims attributed to the group include Microsoft, Ticketmaster, Cisco, AT&T, and Wattpad. Their typical strategy involves stealing data and then either ransoming it back to the victim or selling it on underground marketplaces.

$20 Billion Lost to Cybercrime as AI and Investment Scams Surge: FBI Report

The FBI Internet Crime Report 2025 shows just how expensive cybercrime has become. In 2025, the FBI’s Internet Crime Complaint Center (IC3) received over one million complaints, with reported losses touching $20.8 billion, the highest ever recorded. That figure is not just a statistic. It reflects everyday incidents: individuals losing life savings to investment scams, businesses wiring money to fraudulent accounts, and organizations dealing with disruptions from ransomware attacks. What used to be isolated cases are now happening at scale.

The FBI Internet Crime Report 2025 also shows how the nature of cybercrime is changing. Fraud is no longer limited to suspicious emails or obvious scams. Criminals are using social platforms, messaging apps, and now even artificial intelligence to make their operations look legitimate. In many cases, victims don’t realize they are being targeted until the money is already gone.

At the same time, the report highlights that law enforcement is trying to keep pace. Operations targeting crypto scams and international fraud networks are making an impact, but the overall trend shows that cybercrime is expanding faster than it is being contained.

Cyber-Enabled Fraud Remains the Biggest Driver

A large share of these losses comes from cyber-enabled fraud, which alone accounts for nearly 85% of the total financial damage, or about $17.7 billion. Investment fraud continues to cause the most damage. In 2025, it led to $8.6 billion in losses, followed by business email compromise (BEC) and tech support scams. Within this, cryptocurrency investment fraud stands out. Losses linked to crypto scams reached $7.2 billion, making it the biggest single category.

(Image: Cyber-Enabled Fraud. Source: FBI Report)

These scams are no longer basic phishing attempts. Attackers spend time building trust, approaching victims through social media, messaging apps, or even dating platforms. Once trust is established, victims are guided toward fake investment platforms that show fabricated profits. By the time withdrawals are attempted, the money is gone.

AI-Enabled Scams Are Growing Fast

The FBI Internet Crime Report 2025 includes a separate section on AI-enabled scams for the first time, and the early numbers are already concerning.
  • More than 22,000 complaints linked to AI
  • Around $893 million in losses
AI is making scams more convincing. Fake profiles, cloned voices, and realistic conversations can now be created quickly and at scale. This allows attackers to run highly targeted campaigns without much effort. The challenge is that these scams often look legitimate, making it harder for individuals and even businesses to identify red flags in time.

Ransomware Continues to Target Critical Sectors

Ransomware remains a steady threat, especially for critical infrastructure.
  • Over 3,600 complaints reported in 2025
  • Losses crossed $32 million
The actual impact is likely much higher. Many organizations do not report full losses, especially indirect costs like downtime or recovery expenses. The report also notes 63 new ransomware variants identified during the year, showing how quickly these attacks continue to evolve. Sectors such as healthcare, manufacturing, and government facilities remain frequent targets, where even short disruptions can have serious consequences.

FBI Operations Are Preventing Some Losses

The report also highlights efforts by law enforcement to limit the damage. One example is Operation Level Up, focused on cryptocurrency investment scams. Since its launch in 2024, the initiative has helped reduce potential losses by more than $500 million. In many cases, victims did not realize they were being scammed until they were contacted. This reflects a larger issue: many cyber fraud cases go unnoticed until significant financial damage has already occurred.

Cybercrime Is Becoming More Structured

The report also points to broader trends. Cybercriminal groups are operating more like organized businesses. At the same time, state-linked actors are becoming more active, targeting infrastructure and sensitive data. One example highlighted is the DPRK IT worker scam, where individuals posing as remote IT workers gain access to company systems and use that access for data theft or further attacks. These developments show that cybercrime is no longer limited to isolated incidents. It is part of a larger, global ecosystem.

A Growing Gap Between Threats and Preparedness

The FBI Internet Crime Report 2025 shows a clear pattern—cybercrime is scaling faster than awareness and response.
  • Fraud tactics are becoming more personal and long-term
  • AI is helping attackers improve success rates
  • Cryptocurrency is making transactions harder to trace
While recovery efforts and law enforcement actions are improving, most interventions still happen after the damage is done.

Final Take on FBI Internet Crime Report 2025

The FBI Internet Crime Report 2025 highlights a shift in how cybercrime operates today. The scale—over $20 billion in losses—is significant, but the methods behind these numbers are just as important. From cyber-enabled fraud to AI-enabled scams and cryptocurrency investment fraud, attackers are using a mix of technology and human psychology to succeed. For individuals and organizations, the risk is no longer occasional—it is constant, and it is evolving.

The Cyber Express Weekly Roundup: Ransomware, and Supply Chain Breaches Surge

In this week’s weekly roundup, The Cyber Express delivers a concise overview of the latest cybersecurity news, highlighting major cyberattacks, new ransomware risks, and supply chain vulnerabilities. Organizations across industries continue to face a surge in modern cyber threats, ranging from targeted breaches to large-scale exploitation campaigns that disrupt operations and expose sensitive data.

The current threat landscape reflects a growing convergence of cybercrime, geopolitical motives, and technological dependencies. As highlighted in this weekly roundup, both private enterprises and public institutions are increasingly recognizing that resilience depends not only on advanced tools but also on coordinated strategies and proactive risk management.

The Cyber Express Weekly Roundup 

Hasbro Cyberattack Disrupts Operations Amid Rising Ransomware Concerns 

Hasbro has reported a cyberattack after detecting unauthorized network access on March 28, 2026. The company responded swiftly by initiating containment measures, isolating affected systems, and engaging external experts to assess the breach. While core operations remain functional under contingency plans, some delays are expected. Read more...

Mercor Breach Exposes Supply Chain Risks in AI Ecosystems 

A significant development in this weekly roundup involves AI startup Mercor, which confirmed a breach linked to a supply chain compromise in the LiteLLM open-source project. The attack stemmed from a malicious package update, affecting thousands of organizations relying on the software. The group known as TeamPCP has been associated with the incident, while Lapsus$ has also claimed involvement. Read more...

Lazarus Group Tied to Axios Supply Chain Attack 

Another major highlight is a widespread attack targeting the Axios JavaScript library. The operation has been attributed to North Korea’s Lazarus Group, known for conducting advanced cyber campaigns. Attackers inserted a malicious dependency into the package, enabling backdoor access across multiple operating systems through automated installations. Read more...

Personal Email Breach of FBI Director Raises Security Questions 

Hackers linked to Iran compromised the personal email account of FBI Director Kash Patel. The breach resulted in the leak of emails and personal data as part of a coordinated “hack-and-leak” campaign. Attributed to the Handala Hack Team, the attack appears designed to inflict reputational damage and psychological pressure. Read more...

CareCloud Cyberattack Impacts Health Records System 

Healthcare provider CareCloud disclosed a cyberattack involving unauthorized access to its electronic health record system. Detected on March 16, the incident lasted approximately eight hours before being contained. While investigations are ongoing, the breach raises concerns about potential exposure to sensitive patient data. Read more...

"764" Cybercrime Case Highlights Dark Web Exploitation Networks 

In a separate case, a U.S. individual pleaded guilty to charges related to child exploitation and cyberstalking linked to the extremist “764” network. The case illustrates how cybercriminal ecosystems extend beyond financial motives, involving coordinated abuse, manipulation, and exploitation facilitated by online platforms. Read more...

Weekly Takeaway

This edition of The Cyber Express weekly roundup emphasizes the growing scale and complexity of global cybersecurity news, where ransomware, supply chain compromises, and targeted attacks intersect. From corporate breaches and nation-state operations to exploitation networks, the threat landscape continues to expand in both scope and impact.

To mitigate these risks, organizations must strengthen supply chain oversight, enforce robust access controls, and prioritize rapid incident response capabilities. As highlighted throughout this weekly roundup, maintaining resilience in today’s environment requires a multi-layered approach that integrates technology, governance, and continuous monitoring to stay ahead of modern-day cyber threats.

The Cyber Express Weekly Roundup: Cyberattacks, AI Risks, and Geopolitical Cyber Threats

In this week’s weekly roundup, The Cyber Express brings together the latest developments in global cybersecurity news, from high-profile ransomware attacks to emerging risks in AI adoption and geopolitical cyber activity.

Organizations worldwide are grappling with a combination of disruptive cyberattacks, espionage campaigns, and ongoing threats to critical infrastructure, reflecting the complex and interconnected nature of today’s threat landscape. Intelligence reports continue to highlight nation-state cyber operations, while companies and governments are recognizing that operational resilience, secure technology adoption, and coordinated defense strategies are essential to managing fast-evolving risks.

The Cyber Express Weekly Roundup 

Human Behavior Remains the Weakest Link 

Cybersecurity experts stress that the most significant vulnerabilities often stem from human behavior rather than technical shortcomings. In a recent discussion covered by The Cyber Express weekly roundup, Dr. Sheeba Armoogum emphasized that modern cyberattacks increasingly exploit trust, emotion, and predictable behavior through techniques like social engineering and AI-driven impersonation. Read more... 

Energy Sector Ransomware: Lessons from 2025 

The energy sector recorded 187 successful ransomware attacks in 2025, demonstrating the real-world consequences of cybercrime on critical infrastructure. Incidents such as Halliburton’s $35 million loss and significant outages in Ukraine revealed vulnerabilities in outdated systems, IT-OT convergence, and slow patching practices. Read more... 

EU Investigates Snapchat for Child Safety 

The European Commission has launched a formal investigation into Snapchat under the Digital Services Act (DSA), examining child protection, privacy, and content moderation practices. Concerns include insufficient age verification, exposure to harmful content, and the accessibility of reporting tools, with potential fines reaching 6% of Snapchat’s global turnover if non-compliance is confirmed. Read more... 

Hackmanac CEO Warns: Cybersecurity Still Fails at the Basics 

Sofia Scozzari, CEO of Hackmanac, emphasized that cybersecurity remains too focused on technology and often overlooks business risk, human behavior, and the operational impact of breaches. She explained that attackers collaborate and exploit known vulnerabilities, while organizations continue to treat cybersecurity as an IT issue rather than a strategic business challenge. Read more... 

Port of Vigo Disrupted by Ransomware 

The Port of Vigo experienced a ransomware attack early Tuesday, shutting down cargo management systems and digital services. Physical port operations remain functional, but manual processes are slowing workflows, particularly at the Border Inspection Post. Authorities confirmed servers linked to the port’s website remain offline as part of containment efforts. Read more... 

Russian Cybercrime Leader Sentenced 

In Detroit, Illya Angelov, head of the Russian cybercriminal group “Mario Kart,” was sentenced for running a botnet operation that infected thousands of computers daily and sold backdoor access to ransomware operators. Active from 2017 to 2021, the scheme targeted 72 U.S. companies across 31 states, sending 700,000 malware-laden emails daily and compromising roughly 3,000 systems each day. Read more... 

Crunchyroll Cyberattack Highlights Outsourced Risk 

Crunchyroll confirmed a cyber incident linked to a third-party vendor, likely affecting customer service ticket data. There is no evidence of ongoing access to internal systems, though early reports suggest a threat actor may have gained access through an infected vendor device. Read more... 

Weekly Takeaway 

This week’s weekly roundup highlights the growing complexity of the global cybersecurity landscape. From critical supply chain disruptions and challenges in AI governance to ransomware attacks, escalating geopolitical cyber threats, and vulnerabilities in third-party systems, organizations face an increasingly interconnected and high-stakes risk environment. To navigate these threats effectively, companies must prioritize human-centric security practices, enforce proactive governance frameworks, and implement continuous monitoring across all systems. Only through a strategic, multi-layered approach can organizations stay ahead in today’s hostile and fast-evolving digital ecosystem.

RedLine Infostealer Network’s Second Defendant Now Faces a U.S. Court

Seventeen months after international law enforcement dismantled one of the world's most damaging infostealing malware networks, a second defendant has arrived in a U.S. federal courtroom, this time extradited from Armenia, as the prosecution of the RedLine infostealer operation continues to work through the criminal network that built and sustained it. Hambardzum Minasyan, an Armenian national, appeared in an Austin federal court after being extradited to the United States to face charges related to his alleged role in the RedLine infostealer scheme. The Justice Department's Office of International Affairs secured Minasyan's arrest and extradition on March 23, 2026, with significant assistance from the ICHIP attorney adviser based at Eurojust in The Hague.

Minasyan faces three counts: conspiracy to commit access device fraud, conspiracy to violate the Computer Fraud and Abuse Act, and conspiracy to commit money laundering. If convicted, he faces up to 10 years in prison on the access device fraud count and up to 20 years on each of the other two.

An infostealer is malware designed to silently harvest credentials, browser cookies, saved passwords, financial data, and cryptocurrency wallet information from an infected device, then transmit that data to attackers, often within seconds and without any visible sign of compromise.

The indictment alleges that Minasyan and his co-conspirators maintained the digital infrastructure, including command-and-control servers and administrative panels, used to deploy the malware, and that they collected payments from affiliates who used RedLine against victims. Minasyan specifically is alleged to have registered two virtual private servers and two internet domains to support the scheme, created repositories on an online file-sharing site to distribute RedLine to affiliates, and registered a cryptocurrency account in November 2021 to receive payments.

RedLine operated on a Malware-as-a-Service model: a criminal franchise structure in which the core developers build and maintain the malware platform, then license it to affiliates who run their own infection campaigns in exchange for a fee. Affiliates distributed RedLine using malvertising, phishing emails, fraudulent software downloads, and malicious software sideloading, with lures including fake COVID-19 notices and Windows updates used to trick victims into downloading the malware.

RedLine and its derivative, the Meta infostealer, could also let cybercriminals bypass multifactor authentication by stealing authentication cookies and session tokens. Multifactor authentication requires users to verify their identity through a second method beyond a password, but it is checked at login; an attacker who steals the session cookie issued after that check can impersonate the already-authenticated user, and the second factor never comes into play. The Lapsus$ threat group used RedLine to obtain passwords and cookies from an employee account at a major technology company and subsequently used that access to obtain and leak limited source code. RedLine also infected hundreds of systems belonging to U.S. Department of Defense personnel, and authorities have described its victim count in the millions globally.

Minasyan is the second defendant charged in connection with Operation Magnus, the joint international takedown announced in October 2024.
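The cookie-theft bypass described above works because most sites treat the session cookie as proof that MFA already happened, wherever the cookie is presented from. One server-side counter is to bind each session to the client context observed when MFA was completed and to revoke the session the moment the cookie shows up from somewhere else. The following is an added example written for this roundup, not code from the original article or from any product it mentions; the session store, the User-Agent plus /24 fingerprint, the one-hour lifetime and the revoke-on-mismatch policy are illustrative assumptions, and the sample values in `demo()` are constructed.

```python
import hashlib
import hmac
import secrets
import time


class SessionStore:
    """Server-side session table that binds each session cookie to the client
    context (User-Agent plus source network) seen when MFA was completed.
    A cookie replayed from a different context is rejected and the session
    is revoked, so a stolen cookie cannot silently inherit the MFA result."""

    def __init__(self, max_age_seconds=3600, clock=time.time):
        self._sessions = {}          # sha256(token) -> session record
        self._max_age = max_age_seconds
        self._clock = clock          # injectable so tests can advance time

    @staticmethod
    def fingerprint(user_agent, client_ip):
        # Assumption: bind to the /24 rather than the full address so that
        # ordinary NAT/DHCP churn inside one office does not log the user out.
        network = ".".join(client_ip.split(".")[:3])
        return hashlib.sha256(f"{user_agent}|{network}".encode()).hexdigest()

    @staticmethod
    def _key(token):
        # Store only a hash of the token: a dump of this table is not a dump of live cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, user_agent, client_ip):
        """Call only after password *and* MFA succeed. Returns the cookie value."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {
            "user": user,
            "fp": self.fingerprint(user_agent, client_ip),
            "issued": self._clock(),
        }
        return token

    def validate(self, token, user_agent, client_ip):
        """Return (user, "ok") or (None, reason). Expiry or mismatch revokes the session."""
        key = self._key(token)
        record = self._sessions.get(key)
        if record is None:
            return None, "unknown"
        if self._clock() - record["issued"] > self._max_age:
            del self._sessions[key]
            return None, "expired"
        presented = self.fingerprint(user_agent, client_ip)
        if not hmac.compare_digest(record["fp"], presented):
            # Presented from a different client: treat as stolen and kill it
            # for everyone, including the legitimate user, who must re-do MFA.
            del self._sessions[key]
            return None, "context-mismatch"
        return record["user"], "ok"

    def active_sessions(self):
        return len(self._sessions)


def demo():
    """Victim logs in; an infostealer-harvested cookie is replayed from the
    attacker's machine; the replay fails and the victim is forced to re-authenticate."""
    store = SessionStore()
    victim_ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0"   # constructed
    cookie = store.issue("alice", victim_ua, "198.51.100.23")             # constructed
    first = store.validate(cookie, victim_ua, "198.51.100.23")
    # Attacker imports the stolen cookie into a different browser on another network.
    replay = store.validate(cookie, "Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0", "203.0.113.9")
    # The victim's own next request now fails too, which is the point: re-auth required.
    victim_again = store.validate(cookie, victim_ua, "198.51.100.23")
    return first, replay, victim_again


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Context binding is one layer, not a fix: an infostealer running on the victim's own machine can also read the User-Agent and relay traffic through that machine, so the replay arrives from the "right" context. Short session lifetimes, step-up authentication for sensitive actions, and bulk revocation of a user's sessions when an infostealer infection is detected are the other layers; binding the cookie to a key held in the device's TPM is the stronger form of the same idea.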
Read: Law Enforcement Puts a Damning Dent in RedLine and Meta Infostealer Operations
Operation Magnus, a Joint Cybercrime Action Taskforce operation supported by Europol, resulted in Dutch authorities seizing three servers running the malware, Belgian authorities seizing communication channels and Telegram accounts used by the operators, and the recovery of a database of thousands of RedLine and Meta clients. That client database gave investigators a roadmap for follow-on prosecutions that continues to generate results. The first defendant charged, Russian national Maxim Rudometov, was identified as a developer and administrator of RedLine; the charges against him were unsealed in the Western District of Texas in October 2024. Rudometov, believed to reside in Krasnodar, Russia, is not expected to face extradition given his location.
Read: U.S. Charges Man Behind RedLine Infostealer that Infected U.S. DoD Personnel Systems
Minasyan's extradition from Armenia, by contrast, demonstrates the value of extradition treaties and Eurojust cooperation frameworks that can reach defendants in jurisdictions where U.S. law enforcement has no direct access. The investigation is a joint effort by the FBI Austin Cyber Task Force, which includes the Naval Criminal Investigative Service, IRS Criminal Investigation, the Department of Defense Office of Inspector General's Defense Criminal Investigative Service, and the Army Criminal Investigation Division. The case reflects a sustained prosecution strategy: rather than treating Operation Magnus as a one-time disruption event, the DOJ has kept converting the intelligence gained from seized infrastructure and client databases into individual criminal referrals across multiple jurisdictions.

Head of Russian Cybercrime Group Mario Kart Sentenced for Locking Out Dozens of U.S. Businesses


A federal court in Detroit on Tuesday sentenced Russian national Illya Angelov for running a botnet operation that infected thousands of computers daily, sold backdoor access to ransomware groups, and victimized 72 companies across 31 U.S. states.

The extortion scheme involving Angelov and his criminal organization, known by the FBI as "Mario Kart," ran from 2017 to 2021. Prosecutors said Angelov and co-conspirators built a network of compromised computers that distributed malware-infected files attached to spam emails.

Angelov and his co-manager then monetized this botnet by selling access to individual compromised computers to other criminal groups, who typically engaged in ransomware extortion schemes — locking victims out of their computer networks and demanding extortion payments to restore access.

A botnet is a network of devices secretly infected with malware and controlled remotely by an attacker without the device owners' knowledge. The court records describe a scheme that was lucrative and prolific, sending 700,000 emails a day to computers around the world and infecting approximately 3,000 computers daily.

The Mario Kart malware provided a backdoor through which software could be uploaded to victims' computers. Instead of directly exploiting this access, the Mario Kart group sold it to customers, that is, other cybercriminal groups. These customers typically used the backdoor access to distribute ransomware, encrypting victims' data and demanding extortion payments to decrypt it.

Angelov's group included software coders who developed programs to distribute spam emails and malware so advanced it could evade virus-detection software. The operation sold backdoor access at scale, functioning as a criminal wholesale supplier to ransomware operators who lacked the infrastructure to breach targets themselves.

Angelov pleaded guilty under seal in October to one count of conspiracy to commit wire fraud. Prosecutors requested that he serve 61 months in prison, a significant break from advisory sentencing guidelines calling for more than 12 years, and he was ordered to pay a $100,000 fine and a $1.6 million money judgment. The reduction reflected both his voluntary cooperation and the circumstances of his surrender.

Angelov was sentenced four years after an associate, Vyacheslav Igorevich Penchukov, was arrested in Switzerland and later extradited to the U.S. Penchukov was a member of a group that negotiated a $1 million payment to Angelov and a second individual for access to Mario Kart. A few days after Penchukov's arrest, Angelov contacted U.S. authorities and eventually negotiated his surrender. At the time of his travel and surrender, he was living in the United Kingdom, a country from which the U.S. could have sought his extradition.

Vitlalii Alexandrovich Balint, who provided essential coding to Mario Kart, was sentenced five months earlier in federal court in Detroit to 20 months in prison. While Balint's role in Mario Kart was significant, he was Angelov's subordinate.

The Mario Kart case sits inside a broader DOJ enforcement pattern targeting the upstream criminal economy — the access brokers and botnet operators who supply the tools and entry points that ransomware groups deploy.

The day before Angelov's sentencing, a separate federal court sentenced Russian access broker Aleksei Volkov to 81 months for supplying network access to the Yanluowang ransomware group across dozens of U.S. organizations.

Read: Russian Access Broker Gets Nearly 7 Yrs for Enabling Millions in Ransomware Extortion

Two Russian cybercriminals sentenced on consecutive days in two different federal districts signal a deliberate prosecutorial push against the ransomware supply chain's foundational layer, not just its most visible operators.

The scheme operated before the peak of ransomware extortion payments, which reached a high of $1.25 billion in 2023. That trajectory makes the infrastructure Angelov built — and the model it demonstrated — directly relevant to understanding how the ransomware economy scaled to where it stands today.

Russian Access Broker Gets Nearly 7 Yrs for Enabling Millions in Ransomware Extortion


A single individual selling stolen network credentials to the right buyers can cause more damage than any ransomware group operating alone, and a federal court in Indiana has made that arithmetic concrete by sentencing a 26-year-old Russian citizen to 81 months in prison for precisely that role: access broker.

Aleksei Volkov, of St. Petersburg, Russia, was sentenced in the Southern District of Indiana for assisting major cybercrime groups, including the Yanluowang ransomware group, in carrying out numerous attacks against U.S. companies and other organizations. Volkov facilitated dozens of ransomware attacks throughout the United States, causing over $9 million in actual losses and over $24 million in intended losses.

Volkov operated as what the cybersecurity industry calls an initial access broker, which is a specialized criminal role that sits upstream of ransomware deployment. Rather than executing attacks himself, Volkov found vulnerabilities in computer networks and systems, identified ways to access those networks and systems without authorization, and sold that illicit access to conspirators who were also cybercriminals.

Also read: Iranian State Hackers Act as Access Brokers for Ransomware Gangs, Target U.S. and Allies’ Critical Infrastructure

Those co-conspirators then used the access Volkov provided to infect the affected computer networks and systems with malware, encrypting victims' data and preventing them from accessing it, damaging their business operations.

The conspirators then demanded that the victims pay ransom in cryptocurrency — sometimes in the tens of millions of dollars — in exchange for restoring access to the data and promising not to publicly disclose the hack or release victims' stolen data on a leak website.

The access broker model is a critical enabler of the modern ransomware economy. By separating the intrusion skill from the extortion operation, it allows ransomware groups to scale attacks without needing every member to possess deep technical exploitation expertise. Volkov effectively ran a supply chain for cybercrime — sourcing the raw ingredient that ransomware operators cannot easily produce at volume themselves.

Volkov was arrested on January 18, 2024, in Italy after a Bitcoin transaction originating in Indianapolis tied him to the cybercrime group. He was subsequently extradited to the United States and pleaded guilty to charges including aggravated identity theft and access device fraud.

As part of his plea agreement, Volkov agreed to pay $9,167,198.19 in restitution to known victims. In addition to the 81-month prison term, he received two years of supervised release. He had been indicted in both the Southern District of Indiana and the Eastern District of Pennsylvania.

The Yanluowang ransomware group, one of the criminal organizations Volkov supplied, previously claimed responsibility for high-profile breaches including a 2022 intrusion into Cisco's corporate network. The group's willingness to target major enterprise organizations shows the downstream risk that a single access broker enabling their operations can create across the entire victim landscape.

Prosecuting access brokers — rather than only the ransomware operators who deploy the final payload — directly attacks the supply chain that makes large-scale ransomware campaigns economically viable. Targeting that upstream layer forces criminal networks to either develop intrusion capabilities in-house — a significant barrier — or risk greater exposure by broadening their supplier relationships.

Iran-Linked Hackers Use Messaging Platform to Target Dissidents and Journalists


The Iran Telegram malware campaign has once again put the spotlight on how state-backed cyber actors are adapting their tactics by blending into widely used digital platforms. In a recent alert, the Federal Bureau of Investigation (FBI) revealed that cyber actors linked to Iran’s Ministry of Intelligence and Security (MOIS) are using Telegram as a command-and-control (C2) infrastructure to deploy malware. The campaign specifically targets Iranian dissidents, journalists, and individuals or groups perceived as opposing the Iranian government. According to the FBI, these operations have led to intelligence collection, data leaks, and reputational damage, indicating that the intent goes beyond simple access and leans toward sustained monitoring and impact.

Iran Telegram Malware Reflects Targeted Surveillance Strategy

The Iran Telegram malware activity dates back to at least Fall 2023, with multiple malware variants identified targeting Windows systems. The victim profile is not random. It is clearly defined, focused on individuals whose views or affiliations are seen as a threat by the Iranian government. However, the FBI also notes that the malware can be used against any individual of interest, suggesting the capability is broader than the currently observed targets. What stands out is the level of preparation. The malware is not just deployed, it is tailored. Attackers appear to study their targets in advance, customizing lures to increase the chances of success. This points to a deliberate and intelligence-driven approach rather than opportunistic attacks.

How the Iran Telegram Malware Operates

The FBI outlines a structured, multi-stage malware framework that combines deception with persistence.
Social Engineering Drives Initial Access
Attackers reach out through messaging platforms, impersonating trusted contacts or even technical support. Victims are persuaded to download files disguised as legitimate applications. These files often appear as commonly used software, including messaging tools or utilities, making them harder to question.
Multi-Stage Malware Deployment
  • Stage 1: Masquerades as legitimate applications such as Telegram-related tools, KeePass, or other software
  • Stage 2: Installs a persistent implant after user interaction
Once executed, the second stage connects the infected device to a Telegram bot, establishing a C2 channel via Telegram’s infrastructure.
Persistent Access and Control
At this stage, attackers gain remote access to the compromised system. The use of Telegram allows bidirectional communication, enabling continuous control without raising immediate suspicion.

Data Collection and Exfiltration via Telegram

The primary objective of the Iran Telegram malware campaign is data collection. The malware is capable of:
  • Recording screen activity and audio
  • Capturing cached data and files
  • Compressing and staging data for exfiltration
  • Deleting files after extraction
Some variants were even designed to record screen and audio during active Zoom sessions, highlighting a focus on capturing sensitive, real-time information. All collected data is routed through Telegram infrastructure, reinforcing its role as a central component of the attack chain.

Links to Handala Hack and Proxy Operations

The FBI also connects this campaign to the online entity “Handala Hack,” which claimed responsibility for a 2025 hack-and-leak operation targeting individuals critical of Iran. The agency assesses that some of the leaked data was obtained using malware associated with this campaign. Handala Hack is known for phishing, data theft, extortion, and destructive cyber activities, including the use of wiper malware. Additionally, the group is linked to “Homeland Justice,” another entity assessed to be operated by MOIS cyber actors. This reflects a broader pattern where technical intrusions are followed by public data exposure. The goal is not just access, but also reputational and political damage through controlled information release.

Execution Techniques and Persistence Mechanisms

The malware used in the Iran Telegram malware campaign employs several techniques to maintain access and avoid detection:
  • Use of PowerShell execution without warnings
  • Registry modifications to ensure persistence
  • Deployment of multiple malware files for different functions
Observed file names include variants mimicking legitimate tools, such as Telegram_authenticator.exe and WhatssApp.exe, further reinforcing the deception strategy.
[Image: Iran Telegram malware campaign. Source: FBI]
Once inside a system, additional malware components are downloaded to expand capabilities and maintain long-term access.
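Two things in the FBI description are directly detectable from ordinary proxy or EDR network logs: the Telegram Bot API has a fixed URL shape (https://api.telegram.org/bot&lt;token&gt;/&lt;method&gt;, with the token being a numeric bot id, a colon and a secret), and the lure executables carry names that are near-misses of real tools. The following is an added example, not FBI or vendor code; the log format and the five log lines are constructed for the demonstration, and the list of "expected" Telegram client processes and of legitimate names to compare against are assumptions a deployment would tune.

```python
import re
from urllib.parse import urlparse

# Telegram's Bot API is always reached as https://api.telegram.org/bot<token>/<method>,
# where <token> is "<numeric bot id>:<secret>". That public shape gives away a
# bot-based C2 channel in proxy logs, whichever bot the malware happens to use.
BOT_API_PATH = re.compile(r"^/bot(\d{6,12}:[A-Za-z0-9_-]{30,48})/([A-Za-z]+)$")

# Assumption: on a managed workstation only the real Telegram desktop client should
# talk to Telegram at all; anything else calling the *bot* API deserves an alert.
EXPECTED_TELEGRAM_CLIENTS = {"telegram.exe"}

# Legitimate names the observed lures imitate (the FBI lists Telegram, WhatsApp, KeePass).
LEGIT_NAMES = ["telegram.exe", "whatsapp.exe", "keepass.exe"]

# Constructed sample proxy log: "<utc timestamp> <host> <process> <method> <url>".
SAMPLE_LOG = """\
2026-03-20T09:14:02Z WS-07 Telegram_authenticator.exe GET https://api.telegram.org/bot7234567890:AAHx9QeT3kLm2NpR8sVw4YbZc1DfGh5JkLm/getUpdates?offset=1
2026-03-20T09:14:05Z WS-07 WhatssApp.exe POST https://api.telegram.org/bot7234567890:AAHx9QeT3kLm2NpR8sVw4YbZc1DfGh5JkLm/sendDocument
2026-03-20T09:15:11Z WS-07 chrome.exe GET https://web.telegram.org/a/
2026-03-20T09:16:00Z WS-12 Telegram.exe POST https://telegram.org/
2026-03-20T09:17:30Z WS-12 KeePass.exe GET https://keepass.info/
""".splitlines()


def parse_line(line):
    ts, host, process, method, url = line.split(maxsplit=4)
    return {"ts": ts, "host": host, "process": process, "method": method, "url": url}


def bot_api_call(url):
    """Return {'bot_id', 'token', 'method'} if url is a Telegram Bot API call, else None."""
    parts = urlparse(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = BOT_API_PATH.match(parts.path)   # query string is not part of .path
    if not m:
        return None
    token, method = m.groups()
    return {"bot_id": token.split(":")[0], "token": token, "method": method}


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-letter typosquats like WhatssApp."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(process_name):
    """Return the legitimate name a process name imitates, or None if exact or unrelated."""
    name = process_name.lower()
    if name in LEGIT_NAMES:
        return None
    stem = name[:-4] if name.endswith(".exe") else name
    for legit in LEGIT_NAMES:
        legit_stem = legit[:-4]
        # "telegram_authenticator" embeds the real name; "whatssapp" is one edit away.
        if legit_stem in stem or edit_distance(stem, legit_stem) <= 2:
            return legit
    return None


def analyze(lines):
    """Return (findings, bot_ids); findings are (host, process, rule, detail) tuples."""
    findings, bot_ids = [], set()
    for line in lines:
        rec = parse_line(line)
        call = bot_api_call(rec["url"])
        if call and rec["process"].lower() not in EXPECTED_TELEGRAM_CLIENTS:
            bot_ids.add(call["bot_id"])   # the bot id is the pivot across hosts
            findings.append((rec["host"], rec["process"], "telegram-bot-c2",
                             f"{call['method']} to bot {call['bot_id']}"))
        imitated = lookalike(rec["process"])
        if imitated:
            findings.append((rec["host"], rec["process"], "lookalike-name",
                             f"imitates {imitated}"))
    return findings, sorted(bot_ids)


if __name__ == "__main__":
    hits, bots = analyze(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print("bot ids seen:", bots)
```

Two practical notes: the full token in a captured URL is the operator's credential for that bot, so log it hashed or truncated and treat the numeric bot id as the indicator to pivot on; and a blanket block of api.telegram.org will break any internal automation that legitimately uses Telegram bots, which is why the rule keys on the calling process rather than the destination alone. The same log source also shows the `getUpdates` polling cadence, which is a useful secondary signal for a C2 beacon.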

Why This Campaign Stands Out

What makes the Iran Telegram malware campaign particularly concerning is its simplicity combined with precision.
  • It relies heavily on human interaction rather than technical exploits
  • It uses trusted platforms instead of suspicious infrastructure
  • It focuses on specific individuals rather than mass attacks
This combination makes detection harder and increases the likelihood of success.

Mitigation: Simple Steps, Critical Impact

Despite the sophistication of the campaign, the FBI’s recommendations remain grounded in basic cybersecurity practices:
  • Be cautious of unexpected messages, even from known contacts
  • Avoid downloading files from unverified sources
  • Keep systems updated with the latest software patches
  • Use strong passwords and enable multi-factor authentication
  • Regularly run antivirus or anti-malware tools
The advisory makes one thing clear: even advanced campaigns often succeed because of small lapses in user awareness.

A Clear Signal for Cyber Defenders

The Iran Telegram malware campaign is a reminder that cyber threats are no longer confined to obscure or easily identifiable channels. By embedding malicious activity within widely used platforms like Telegram, attackers are reducing friction and increasing stealth. For defenders, this raises an important challenge: security strategies must account not just for malicious code, but for how and where that code is delivered. In this case, the platform is familiar. The method is simple. And that is exactly what makes it effective.

Foster City Cyberattack Disrupts Services, Raises Data Breach Fears


A ransomware attack has disrupted municipal operations in Foster City, California, as officials continue to respond. The Bay Area city, home to roughly 34,000 residents, was forced to suspend most public services after suspicious activity was detected early Thursday morning.

According to city officials, the Foster City cyberattack prompted immediate activation of “incident response protocols.” Authorities stated that, as a precaution, most government computer systems were taken offline to protect the network and prevent further compromise.

“As a precaution, we have taken most of our computer systems offline while we ensure the security of our network,” the city said in a news release. “We are engaging with independent cybersecurity specialists to assist with the investigation and remediation.”

Foster City Cyberattack Caused Disruptions Across the Bay Area City 

The Foster City cyberattack has effectively paralyzed nearly all non-emergency services in the Bay Area city. While emergency services such as 911 and police dispatch remained operational, there were temporary outages. Both emergency and non-emergency phone lines for the Foster City Police Department were briefly down on Thursday, but were later restored.

City officials confirmed that all public-facing services, aside from emergency response, have been paused. Even civic processes have been affected; a scheduled city council meeting was shifted to an in-person-only format and was not made available via Zoom due to system outages tied to the Foster City cyberattack.

At City Hall, the disruption was visible. Offices were largely empty on Friday, with most employees working remotely, and many customer service operations shut down. The sudden halt underscores the extent of the impact caused by the Foster City ransomware attack.

Emergency Declaration and Data Concerns 

In response to the incident, the city manager declared a state of emergency, a move that enables access to additional financial and technical resources from outside agencies. Officials have also warned that sensitive public data may have been compromised. Residents and individuals who have conducted business with the city were urged to take immediate precautions. Authorities advised changing usernames and passwords and remaining vigilant against potential misuse of personal information.

“The public’s safety is our highest priority, so we encourage members of our community to take precautions that would best assure the security of their personal information,” said City Manager Stefan Chatwin. He added that city staff, along with external cybersecurity experts, are “working diligently to restore the integrity of the City’s system and ensure there are no further security issues impacting services to our community.”

A Growing Trend in Cyber Threats

The Foster City ransomware attack reflects a broader trend affecting municipalities across California and the United States. Over the past four years, ransomware groups have targeted government systems, particularly in smaller cities that may lack robust cybersecurity infrastructure.  Other Bay Area cities, including Oakland, San Francisco, and Hayward, have also experienced similar cyber incidents. In 2023, Oakland suffered a major breach attributed to the hacker group Play, which exposed sensitive employee data and led to a class-action lawsuit that was later settled. 

Ongoing Response 

As the investigation into the Foster City cyberattack continues, officials remain focused on restoring services and securing systems. Independent cybersecurity experts are working alongside city staff to assess the damage, identify vulnerabilities, and prevent further incidents. For now, the Bay Area city remains in recovery mode, with limited services available and heightened concern over potential data exposure.

The Cyber Express has also reached out to city officials to learn more about the Foster City ransomware attack. At the time of writing, no official statement or response has been received. This is an ongoing story, and The Cyber Express will be closely monitoring the situation. We will update this post once we have more information on the cyberattack or any additional statement from city officials.

The Cyber Express Weekly Roundup: Cyberattacks, AI Risks, and Geopolitical Cyber Threats

The Cyber Express Weekly Roundup Mar 20

In this week’s cybersecurity roundup, The Cyber Express covers key global security developments, including a major supply chain disruption affecting a global manufacturer, rising concerns over security and legal risks linked to rapid AI adoption, and the continued escalation of cyber activity driven by geopolitical tensions.

Across industries, organizations are facing a mix of disruptive attacks and long-term espionage campaigns targeting both operational systems and critical infrastructure. Intelligence reports also continue to highlight sustained nation-state activity shaping the global threat landscape.

These developments reflect a cybersecurity environment where operational resilience, secure technology adoption, and coordinated defense strategies are increasingly essential to managing interconnected and fast-evolving risks.

The Cyber Express Weekly Roundup 

Stryker Cyberattack Disrupts Supply Chain, Recovery Timeline Unclear 

A cyberattack on Stryker Corporation has disrupted manufacturing, shipping, and order processing operations, with no clear recovery timeline announced. While internal systems were impacted, customer products have not been affected. The incident has been linked to the Handala group, and authorities, including the Cybersecurity and Infrastructure Security Agency (CISA), are currently investigating the attack. Read more… 

AI Legal Risks Rise as Businesses Rush Adoption, Expert Warns 

Cybersecurity expert Lisa Fitzgerald has warned that rapid adoption of AI tools without proper governance can expose organizations to data breaches, regulatory violations, and loss of control over sensitive information. In an interview with The Cyber Express, she emphasized the importance of structured risk assessments, employee training, and clear governance frameworks to manage AI-related risks effectively. Read more… 

Bonnie Butlin Highlights Role of Collaboration in Modern Security 

Bonnie Butlin has stressed the importance of global collaboration in addressing complex cyber, physical, and geopolitical threats. She highlighted the need to break down industry silos, strengthen cross-sector cooperation, and build more inclusive leadership models to improve resilience against evolving risks. Read more… 

US Intel Warns China Is Top Cyber Threat Ahead of Other Nation-States 

A new U.S. intelligence assessment identifies China as the most persistent cyber threat actor, with ongoing operations reportedly embedded within critical infrastructure systems. The report also highlights cyber activities from Russia, North Korea, and Iran, each employing different tactics ranging from espionage and sabotage to cybercrime and disinformation campaigns. Read more… 

Middle East Cyber Warfare Intensifies Amid Rising Geopolitical Conflict 

According to Cyble Research and Intelligence Labs, cyberattacks in the Middle East are increasing in parallel with ongoing geopolitical tensions. Critical sectors such as energy, finance, and communications have been identified as primary targets in this escalating cyber conflict landscape. Read more… 


Weekly Takeaway 

This week’s The Cyber Express weekly roundup highlights the growing complexity of the global cybersecurity environment, from supply chain disruptions and AI governance risks to escalating nation-state cyber operations and regional cyber warfare.  Organizations, governments, and individuals must remain vigilant, prioritize strong governance frameworks, and adopt proactive security measures, including timely patching and continuous monitoring, to effectively respond to the evolving threat landscape. 

U.S. Shuts Down Websites Behind Iran-Linked Cyber Attacks and Death Threats


The U.S. Justice Department has seized four domains tied to Iran-linked cyberattacks, disrupting what officials describe as a coordinated effort to combine hacking with online intimidation and propaganda. The domains—Justicehomeland[.]org, Handala-Hack[.]to, Karmabelow80[.]org, and Handala-Redwanted[.]to—were allegedly operated by Iran’s Ministry of Intelligence and Security (MOIS). According to investigators, these sites were used to claim responsibility for cyberattacks, publish stolen data, and issue threats targeting journalists, dissidents, and individuals linked to Israel. This action highlights a shift in how Iran-linked cyberattacks are being carried out—moving beyond system breaches into public messaging and pressure tactics.

Iran-Linked Cyberattacks Used Fake Hacktivist Fronts

Authorities say the domains were connected through shared infrastructure, including Iranian IP ranges and common leak platforms. More importantly, they followed a similar pattern of activity. The sites operated under the guise of hacktivist groups, but investigators say they were part of a state-backed effort. This included launching disruptive cyberattacks, leaking sensitive data, and amplifying the impact by publicly claiming responsibility. One such platform, Handala-hack[.]to, was used to claim a March 2026 malware attack on a U.S.-based medical technology company. The group framed the attack as retaliation linked to ongoing geopolitical tensions. This mix of hacking and messaging is becoming a defining feature of Iran-linked cyberattacks, where the goal is not just access, but visibility.

Data Leaks and Threats Target Individuals Directly

The same infrastructure was also used to expose personal data and issue threats. According to court documents, the Handala-redwanted[.]to domain published identifying details of nearly 190 individuals associated with the Israeli Defense Force and government. The posts included messages suggesting these individuals were being tracked and could face consequences. Other posts named individuals allegedly linked to Israeli institutions, warning that their locations were known and encouraging others to act. In another instance, the group claimed to have stolen 851 gigabytes of data from members of the Sanzer Hasidic Jewish community, along with a warning that more information would follow. These actions show how Iran-linked cyberattacks are increasingly focused on individuals, not just organizations.

Threats Extended Beyond Websites

Investigators found that the campaign did not stop at public posts. Email accounts tied to the same operation were used to send direct threats to journalists and Iranian dissidents living in the United States and abroad. In some messages, the senders claimed to have shared victims’ home addresses and offered financial rewards for acts of violence. The emails also referenced alleged links to criminal groups, adding another layer of intimidation. The use of direct communication alongside public leaks suggests a more aggressive approach in Iran-linked cyberattacks, where the aim is to pressure targets both publicly and privately.

Justice Department Targets Infrastructure Behind Iran-Linked Cyberattacks

The Justice Department’s move focused on taking down the infrastructure enabling these activities. “Terrorist propaganda online can incite real-world violence — thanks to our National Security Division and the U.S. Attorney’s Office for the District of Maryland, this network of Iranian-backed sites will no longer broadcast anti-American hate,” said Attorney General Pamela Bondi. FBI Director Kash Patel added, “Iran thought they could hide behind fake websites and keyboard threats to terrorize Americans and silence dissidents. We took down four of their operation's pillars and we're not done. This FBI will hunt down every actor behind these cowardly death threats and cyberattacks and will bring the full force of American law enforcement down on them.” [caption id="attachment_110420" align="aligncenter" width="600"]Iran-Linked Cyberattacks Image Source: FBI[/caption] Officials also confirmed that the domains Justicehomeland[.]org and Karmabelow80[.]org had previously been used to claim responsibility for data theft targeting Albanian government systems, linked to tensions over support for an Iranian dissident group.

Iran-Linked Cyberattacks Show a Broader Shift

The takedown reflects a wider pattern. Iran-linked cyberattacks are no longer limited to stealing data or disrupting systems—they are being used to send messages, target individuals, and amplify political narratives. By combining cyberattacks with data leaks and direct threats, these campaigns extend their reach beyond technical impact. The Justice Department’s action removes part of that network, but it also points to how these operations are evolving. For now, the focus is on disruption. But the methods behind these Iran-linked cyberattacks suggest this kind of activity is unlikely to disappear anytime soon.

Interlock Ransomware Leveraged Cisco FMC Zero-Day 36 Days Before Patch


Amazon’s threat intelligence teams have uncovered a new cyber campaign linked to the Interlock ransomware group. The campaign centers on a flaw affecting Cisco Secure Firewall Management Center (FMC) software. The vulnerability, tracked as CVE-2026-20131, was disclosed by Cisco on March 4. It allows an unauthenticated remote attacker to execute arbitrary Java code with root privileges on affected FMC devices.

However, research conducted through Amazon MadPot, a global honeypot network designed to observe malicious activity, revealed that Interlock had already begun exploiting this flaw as early as January 26, 2026, 36 days before public disclosure. This meant the attackers were operating with a zero-day advantage, enabling them to compromise organizations before defenders were even aware of the risk.

According to Amazon’s findings, the exploitation involved crafted HTTP requests targeting specific paths on vulnerable systems. These requests carried embedded Java code and two URLs: one delivered configuration data to support the exploit, and the other confirmed successful compromise by having the victim system issue an HTTP PUT request to it. To deepen the investigation, researchers simulated a compromised device by responding to the attacker’s verification mechanism. This triggered the next phase of the attack, in which Interlock issued commands to download and execute a malicious Linux binary.

Amazon MadPot Reveals Interlock’s Toolkit 

The use of Amazon MadPot proved critical in exposing the full scope of the operation. A misconfigured infrastructure server used by the attackers inadvertently revealed their entire toolkit. This included reconnaissance scripts, custom remote access trojans (RATs), and evasion mechanisms, offering rare visibility into Interlock’s multi-stage attack chain.

The infrastructure was organized in a way that separated data by target, with directories used both to distribute tools and collect stolen information. This level of organization reflects a structured and repeatable attack methodology.

Importantly, Amazon confirmed that its own cloud infrastructure and customer workloads were not impacted by this campaign.

Interlock Ransomware Tactics and Attribution 

The recovered malware and artifacts were attributed to the Interlock ransomware family based on several consistent indicators. These included a ransom note and a TOR-based negotiation portal aligned with Interlock’s known branding and operational style.

The ransom notes notably referenced multiple data protection regulations, a tactic used by Interlock to pressure victims by threatening not only data encryption but also potential regulatory penalties. Each victim was assigned a unique organization identifier, consistent with the group’s tracking model.

Historically, Interlock has targeted industries where disruption creates maximum leverage. The education sector has been the most affected, followed by engineering, construction, manufacturing, healthcare, and public sector organizations.

Temporal analysis of the attack activity suggests the operators likely function in a UTC+3 time zone, with activity typically beginning around 08:30, peaking between 12:00 and 18:00, and declining overnight.

Post-Exploitation 

Once access is gained through CVE-2026-20131, Interlock deploys a range of tools to expand control within the compromised network. A PowerShell-based reconnaissance script systematically collects detailed system and network information, including installed software, running services, browser data, and active connections.

The script organizes this data into per-host directories on a centralized network share, compressing it into ZIP archives for exfiltration. This structured approach indicates preparation for large-scale ransomware deployment across multiple systems.

Interlock uses multiple RATs to maintain persistent access. One variant, written in JavaScript, suppresses debugging output and gathers system details before establishing encrypted communication with command-and-control servers via WebSockets. Messages are encrypted using RC4 with unique keys for each transmission.

A second variant, implemented in Java, provides the same capabilities using different libraries. This dual-implementation strategy ensures continued access even if one version is detected and removed.

To hide their tracks, Interlock employs a Bash script that converts compromised Linux servers into HTTP reverse proxies. These proxies forward traffic to attacker-controlled systems while erasing logs every five minutes, making forensic analysis extremely difficult.
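The five-minute log erasure on the proxy hosts is itself a detectable signal: a log file that repeatedly shrinks to zero on a fixed cadence, or a scheduled job that empties files under /var/log, is rare on a healthy server. The following is an added example (not code from Amazon's report or from Interlock's tooling) that checks for both, using file-size observations and a crontab that are constructed for the example; the log-wiping shell patterns it matches are illustrative assumptions, not indicators taken from the campaign.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SizeSample:
    """One observation of a log file's size (constructed for this example)."""
    ts: int      # seconds since an arbitrary epoch
    path: str
    size: int    # bytes


def find_truncations(samples):
    """Return (path, ts) for each observation where a log shrank to (near)
    zero. Log rotation also leaves a small new file, so in production confirm
    the inode did not change; size alone is used here for simplicity."""
    by_path = {}
    for s in sorted(samples, key=lambda s: (s.path, s.ts)):
        by_path.setdefault(s.path, []).append(s)
    events = []
    for path, seq in by_path.items():
        for prev, cur in zip(seq, seq[1:]):
            if prev.size > 0 and cur.size < prev.size and cur.size < 64:
                events.append((path, cur.ts))
    return events


def periodic_truncations(samples, period_s=300, tolerance_s=45, min_events=3):
    """Report logs whose truncations recur at a fixed interval (default five
    minutes, the cadence described for the proxy hosts above)."""
    per_path = {}
    for path, ts in find_truncations(samples):
        per_path.setdefault(path, []).append(ts)
    hits = {}
    for path, times in per_path.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        regular = [g for g in gaps if abs(g - period_s) <= tolerance_s]
        if len(times) >= min_events and len(regular) >= min_events - 1:
            hits[path] = {"events": len(times), "mean_gap_s": sum(gaps) / len(gaps)}
    return hits


# Shell idioms that empty or delete a log; crontab is a common place to
# schedule them. Illustrative patterns, not an exhaustive list.
LOG_WIPE_PATTERNS = [
    re.compile(r"(^|[\s;&|])>\s*/var/log/\S+"),             # '> /var/log/x'
    re.compile(r"\btruncate\s+(-s\s*0|--size[= ]0)\b.*?/var/log/"),
    re.compile(r"\brm\s+(-[a-zA-Z]+\s+)?/var/log/\S+"),
    re.compile(r"\bcat\s+/dev/null\s*>\s*/var/log/\S+"),
]


def suspicious_cron_lines(crontab_text):
    """Return (interval_minutes_or_None, line) for crontab entries that wipe
    logs; the interval is parsed from a leading '*/N' minute field."""
    flagged = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if any(p.search(stripped) for p in LOG_WIPE_PATTERNS):
            m = re.match(r"\*/(\d+)\s", stripped)
            flagged.append((int(m.group(1)) if m else None, stripped))
    return flagged


def build_sample():
    """Constructed observations, one per minute for 16 minutes: the nginx
    access log grows ~2 KiB/min and is emptied at t=300, 600 and 900 s,
    while auth.log only ever grows."""
    samples = []
    for t in range(0, 16 * 60, 60):
        emptied = t > 0 and t % 300 == 0
        size = 0 if emptied else (t % 300) // 60 * 2048
        samples.append(SizeSample(t, "/var/log/nginx/access.log", size))
        samples.append(SizeSample(t, "/var/log/auth.log", 50_000 + t * 10))
    return samples


CRONTAB = """\
# constructed crontab for this example
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * > /var/log/nginx/access.log; > /var/log/nginx/error.log
*/5 * * * * truncate -s0 /var/log/auth.log
"""

if __name__ == "__main__":
    for path, info in periodic_truncations(build_sample()).items():
        print(f"periodic truncation: {path} {info}")
    for minutes, line in suspicious_cron_lines(CRONTAB):
        print(f"log-wiping cron entry (every {minutes} min): {line}")
```

The size samples would normally come from a file-integrity or auditd feed rather than polling; the point of the periodicity check is that a single truncation is noise, while three at the same interval is a scheduled cleanup that someone configured.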

Fileless Backdoors and Advanced Techniques 

One of the more advanced components observed in the campaign is a memory-resident webshell. Delivered as a Java class, it operates entirely in memory, avoiding disk-based detection. It intercepts HTTP requests and executes encrypted payloads dynamically within the Java Virtual Machine.

Additionally, a lightweight TCP server tool was identified, used to verify successful exploitation by confirming connectivity on a specific port.

Interlock also blends malicious activity with legitimate software. The group deployed ConnectWise ScreenConnect, a commercial remote desktop tool, to maintain access while avoiding detection. This redundancy ensures attackers retain control even if custom malware is removed.

Other tools found in the attack environment include Volatility, typically used for memory forensics, and Certify, an offensive security tool targeting Active Directory Certificate Services. These tools enable credential access, privilege escalation, and persistent footholds within compromised environments.

China Demands Proof After Costa Rica Blames UNC2814 for ICE Cyberattack


Tensions between China and Costa Rica have intensified following allegations tied to an ICE cyberattack that Costa Rican authorities say was linked to the cyberespionage group UNC2814. The dispute centers on a breach affecting Costa Rica’s state-run electricity and telecommunications provider and has quickly evolved from a domestic cybersecurity issue into a diplomatic disagreement involving competing narratives and demands for proof.

China has now publicly asked the government of Costa Rica to provide evidence supporting claims that Chinese-linked actors were behind the ICE cyberattack. The request came from Chinese Ambassador Wang Xiaoyao on Friday, one day after Costa Rican officials attributed the breach to UNC2814, a group that cybersecurity researchers have described as a suspected cyberespionage actor with ties to the People’s Republic of China.

China Requests Evidence in ICE Cyberattack Case 

Ambassador Wang Xiaoyao said China wants to review any technical evidence related to the ICE cyberattack so the allegations can be verified and, if necessary, addressed through legal channels. According to the ambassador, providing proof would allow the matter to be examined under established legal frameworks rather than through political accusations.

Wang also said that China has been attempting since 2024 to engage Costa Rica in cybersecurity cooperation. The initiatives reportedly included technical consultations, professional exchanges, and other collaborative efforts, but the Chinese side claims it received no response from Costa Rican authorities.

The Chinese embassy added that it proposed using mechanisms linked to the United Nations cybercrime framework to address cybersecurity concerns. It also suggested activating a bilateral joint commission between China and Costa Rica, which, according to the embassy, has not yet convened.

Costa Rica Identifies UNC2814 as Suspected Actor 

The diplomatic dispute began after Costa Rican officials revealed details of the ICE cyberattack at a press conference on March 12. Authorities said the Costa Rican Electricity Institute, known as ICE, discovered cyberespionage activity affecting its administrative email systems.

Investigators determined that the intrusion was first detected in late January. During the operation, attackers extracted approximately nine gigabytes of internal email data. Despite the breach, ICE officials stated that electricity generation and telecommunications services remained unaffected.

Marco Acuña Mora, executive president of ICE, said the incident did not disrupt the country’s critical infrastructure. He confirmed that the ICE cyberattack did not compromise sensitive customer information or interrupt services provided to residents of Costa Rica.

The Costa Rican government linked the incident to UNC2814 after receiving intelligence from Mandiant, the cybersecurity division of Google. The information was shared through Costa Rica’s national incident response system, which coordinates cybersecurity investigations involving government institutions.

Global Espionage Campaign Linked to UNC2814 

Google had previously reported on the activities of UNC2814, describing the group as a cyberespionage actor it has tracked since 2017. On February 25, the company announced that it had worked with partners to disrupt a global campaign attributed to the group.

According to Google’s analysis, UNC2814 targeted telecommunications providers and government organizations across multiple regions. At the time of the disruption, confirmed intrusions had been identified in 42 countries across four continents.

Costa Rican Minister Paula Bogantes Zamora said the actor responsible for the ICE cyberattack specializes in operations targeting the telecommunications sector. She added that the group has been associated with cyberespionage activities affecting dozens of countries.

China Rejects Allegations 

China has firmly rejected the accusations linking it to the ICE cyberattack. The Chinese embassy in Costa Rica said it was “deeply surprised and disappointed” by what it described as unfounded claims made by some Costa Rican officials.

In its statement, the embassy said China had not received any request for evidence or investigative cooperation from the Costa Rican government regarding the ICE cyberattack. It also stated that China has “no interest in the data of Costa Rica” and opposes all forms of cyberattacks.

The embassy further warned against politicizing cybersecurity issues. Chinese officials argued that disputes related to cyber incidents should be handled through dialogue and cooperation rather than public accusations.

The statement also included a broader diplomatic message, warning that “sacrificing relations between China and Costa Rica to please other countries does not gain respect.”

The Cyber Express Weekly Roundup: Global Cyberattacks, Espionage, Malware, and Critical Security Updates


This week’s The Cyber Express weekly roundup highlights major cybersecurity developments affecting organizations, governments, and individuals worldwide. Key stories include destructive cyberattacks, such as system-wide wipes and targeted breaches, as well as state-backed cyber espionage targeting technology and research sectors.

The roundup also covers proactive defense measures, including bug bounty programs, critical software patches, and industry responses to emerging malware. Together, these incidents highlight the technical prowess of cyber threats, the direct impact on operations and data security, and the urgent need for timely mitigation strategies across both public and private sectors.

The Cyber Express Weekly Roundup 

Iran-Linked Hackers Wipe 200,000 Devices in Stryker Cyberattack 

In one of the most significant cybersecurity incidents this week, an Iran-linked hacker group known as Handala carried out a large-scale attack on Stryker Corporation. The group remotely wiped over 200,000 devices across 79 countries, bringing portions of the company’s operations to a halt. Handala has claimed responsibility, stating the attack was retaliation for a recent U.S. military strike in Iran. Read more... 

India Launches Bug Bounty to Secure Aadhaar Ecosystem 

India’s Unique Identification Authority (UIDAI) has launched a structured bug bounty program aimed at strengthening the Aadhaar ecosystem. Twenty expert ethical hackers have been enlisted to rigorously test core platforms, including the myAadhaar portal, the official website, and the Secure QR Code app. Read more... 

Finland Issues Warning on Russian and Chinese Cyber Espionage 

Finland’s Security and Intelligence Service (SUPO) has issued a warning regarding ongoing cyber espionage campaigns from Russian and Chinese state-backed actors. These campaigns are targeting technology companies, research institutions, and government networks. Read more... 

Microsoft March 2026 Patch Tuesday Addresses Critical Vulnerabilities 

Microsoft’s March 2026 Patch Tuesday update addresses 79 vulnerabilities across its ecosystem, including SQL Server, .NET, Office, SharePoint, Azure, and Windows. Notably, the update resolves two zero-day vulnerabilities and multiple remote code execution flaws. Additional updates target SharePoint, Azure MCP Tools, and Windows privilege escalation vectors. Read more... 

Cyberattack Forces Polish Hospital to Revert to Paper Operations 

The Independent Public Regional Hospital in Szczecin, Poland, experienced a cyberattack on March 7–8, 2026, which encrypted parts of its IT system and blocked access to critical digital records. Hospital officials confirmed that patient care continued without interruption, but administrative processes slowed considerably. Read more... 

ClipXDaemon: Linux Malware Hijacks Cryptocurrency Transactions 

A new Linux-based malware, ClipXDaemon, has been discovered targeting cryptocurrency users. The malware silently replaces copied wallet addresses with attacker-controlled addresses, allowing the theft of Ethereum, Bitcoin, Monero, Dogecoin, and Litecoin. ClipXDaemon operates locally without network communication, disguises itself as a kernel process, and persists by modifying the user’s ~/.profile file. Read more... 
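The two behaviours named above, persistence through ~/.profile and a process name that imitates a kernel thread, are both checkable from the defender's side without any network telemetry. The block below is an added example, not code from the ClipXDaemon report, and its heuristics (a profile line that detaches a program from a hidden or user-writable path; a kernel-style process name with a parent other than kthreadd or with a real executable) are assumptions for illustration rather than the malware's published indicators. The profile text and process table are constructed for the example.

```python
import re

# Names kernel threads use; a user-space process imitating one is suspicious.
KERNEL_THREAD_NAME = re.compile(
    r"^(kworker|kthreadd|ksoftirqd|migration|rcu_|kswapd|kcompactd|kdevtmpfs|watchdog)")

# A profile line that starts something from a user-writable or hidden path
# AND detaches it is what this check looks for.
USER_WRITABLE = re.compile(r"(/tmp/|/var/tmp/|/dev/shm/|\$HOME/\.|~/\.|/home/[^/\s]+/\.)")
DETACHED = re.compile(r"(&\s*$|\bnohup\b|\bsetsid\b|>\s*/dev/null)")


def suspicious_profile_lines(profile_text):
    """Return (line_number, line) for non-comment lines that launch a
    detached process from a user-writable or hidden location."""
    hits = []
    for n, line in enumerate(profile_text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if USER_WRITABLE.search(s) and DETACHED.search(s):
            hits.append((n, s))
    return hits


def fake_kernel_threads(procs):
    """procs: iterable of (pid, ppid, comm, exe). Real kernel threads descend
    from kthreadd (pid 2) and have no executable behind /proc/<pid>/exe;
    flag kernel-looking names that break either rule."""
    flagged = []
    for pid, ppid, comm, exe in procs:
        if KERNEL_THREAD_NAME.match(comm) and (exe or ppid not in (0, 2)):
            flagged.append((pid, comm, exe))
    return flagged


# Constructed ~/.profile: the first lines are the Debian default, the last
# one is the kind of addition the check is meant to surface.
PROFILE = """\
# ~/.profile: executed by the command interpreter for login shells.
if [ -n "$BASH_VERSION" ]; then
    if [ -f "$HOME/.bashrc" ]; then . "$HOME/.bashrc"; fi
fi
PATH="$HOME/bin:$HOME/.local/bin:$PATH"
nohup "$HOME/.cache/.kworkerd" >/dev/null 2>&1 &
"""

# Constructed process table: (pid, ppid, comm, exe). On a live host these
# come from /proc/<pid>/stat and os.readlink('/proc/<pid>/exe').
PROCS = [
    (2, 0, "kthreadd", ""),
    (15, 2, "kworker/0:1", ""),
    (1342, 1, "kworker/u8:2", "/home/user/.cache/.kworkerd"),
    (1400, 1, "bash", "/usr/bin/bash"),
]

if __name__ == "__main__":
    for n, line in suspicious_profile_lines(PROFILE):
        print(f"~/.profile line {n}: {line}")
    for pid, comm, exe in fake_kernel_threads(PROCS):
        print(f"pid {pid} named {comm!r} but backed by {exe}")
```

The PATH and .bashrc lines are deliberately in the sample: they touch hidden paths under $HOME but do not detach anything, so a check that keyed on the path alone would be noisy.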

Weekly Takeaway 

This week’s The Cyber Express weekly roundup highlights the breadth of modern cybersecurity challenges, from geopolitically motivated attacks and malware targeting cryptocurrencies to proactive measures such as India’s bug bounty program and Microsoft’s critical patches. Organizations, governments, and individuals must remain vigilant, prioritize timely patching, and adopt proactive monitoring to navigate the complex threat landscape. 

The State of Cyber Warfare in 2026: Nation-State Attacks, AI Weapons, and the New Digital Battlefield


Cyber operations no longer occur only during wartime. Digital activity now runs continuously alongside diplomacy, sanctions, and military tensions. This has become particularly visible amid escalating hostilities involving Iran, Israel, and the United States, where intelligence agencies have warned of possible retaliatory cyber activity linked to the conflict. In this environment, cyber warfare 2026 is highlighted by persistent nation-state cyberattacks, covert intrusion campaigns, and strategic influence operations.

Governments, telecommunications networks, cloud platforms, and identity systems have become the primary targets. Threat researchers point to three converging factors: ongoing state-sponsored cyber threats, a mature cybercriminal ecosystem that sells infrastructure and access, and automation technologies that enable scalable phishing, impersonation, and cyber espionage 2026 operations.

These dynamics have turned cyberspace into a strategic domain of conflict. Espionage, disruption, influence operations, and financial crime frequently overlap, reflecting the realities of hybrid warfare cybersecurity. As geopolitical tensions rise, organizations face geopolitical cyber risk, where real-world conflicts are mirrored in the digital domain.

Cyber Warfare 2026: What We Know So Far 

From 2025 to 2026, the global threat environment has produced several notable signals indicating how modern cyber conflict is evolving. Threat intelligence monitoring of underground forums revealed multiple offers of high-value system access throughout 2025. One widely confirmed example: on January 9, 2026, the cybercrime collective ShinyHunters published a manifesto alongside the leaked database of the BreachForums platform, exposing metadata for 323,986 users, including email addresses, hashed passwords, IP addresses, and registration details. Analysts believe some data may have been intentionally falsified for operational security.

Vulnerability exploitation also intensified. In February 2026, Microsoft patched six actively exploited zero-day vulnerabilities affecting components including SmartScreen, Windows Desktop Window Manager, and Remote Desktop Services. Soon afterward, the U.S. Cybersecurity and Infrastructure Security Agency added VMware Aria Operations vulnerability CVE-2026-22719 to its Known Exploited Vulnerabilities catalog due to confirmed exploitation in the wild.

By March 10, 2026, intelligence reporting warned of potential retaliatory cyber activity connected to escalating tensions involving Iran. Following the warning, cyber activity linked to the conflict increased across the Middle East. After the February 2026 U.S.–Israel strikes against Iranian targets, security researchers reported a surge of retaliatory cyber operations and hacktivist campaigns targeting organizations in Israel, the United States, and allied countries. Analysts tracked dozens of incidents ranging from distributed-denial-of-service attacks and website defacements to alleged data breaches claimed by pro-Iranian and pro-Palestinian hacker groups.

Several groups publicly promoted operations such as “#Op_Israel_USA,” claiming attacks against Israeli telecom services, government websites, and Western organizations. Hacktivist collectives, including Handala Hack and Dark Storm Team, used Telegram and underground forums to claim responsibility for disruptions and alleged system compromises.

Decoding Nation-State Cyberattacks 

China-Linked Cyber Espionage Campaigns 

Strategic espionage remains one of the most consistent features of cyber espionage in 2026. National threat assessments highlight that state actors, including China, are almost certainly attempting to cause disruptive effects and manipulate industrial control systems in support of broader strategic goals.

Government networks, research institutions, and emerging technology sectors remain priority targets. Telecommunications infrastructure has also become a major collection point because it offers both intelligence visibility and operational leverage.

Threat intelligence from the telecom sector, specifically Cyble’s Telecommunications Sector Threat Landscape Report 2025, documented 444 security incidents and 90 ransomware attacks against telecom companies in 2025 alone. This concentration of activity reinforces the role of telecom networks as a strategic surveillance layer for nation-state cyberattacks.

Russia-Linked Operations and Military Intelligence Campaigns 

Russian cyber operations have remained closely tied to geopolitical conflict, particularly in Europe and regions affected by the war in Ukraine. Security research identified activity consistent with the Russian threat group APT28 targeting government and military entities using a Microsoft Office vulnerability, CVE-2026-21509. The campaign reportedly involved a multi-stage attack chain designed to remain stealthy during post-exploitation phases.

Another example involved attackers weaponizing a previously patched WinRAR vulnerability (CVE-2025-8088). Even after patches become available, such flaws frequently remain exploitable due to slow enterprise patch adoption, making them attractive tools in state-sponsored cyber threats.

North Korea and Financially Motivated Cyber Operations 

North Korean cyber activity continues to blur the line between espionage and organized crime. One of the most widely reported examples involved the attribution of a $1.5 billion cryptocurrency theft from Bybit in February 2025 to the Lazarus Group.

Financial theft serves both economic and strategic purposes for the North Korean state. At the same time, identity-based fraud has become another operational method.

The New Digital Battlefield 

Critical infrastructure remains a primary target in cyber warfare 2026, with industrial control systems (ICS) and operational technology networks at high risk of manipulation by state actors to disrupt public administration, utilities, and transportation systems.

While detailed technical disclosures of confirmed sabotage are limited, attackers increasingly focus on cloud and identity systems, exploiting stolen credentials, authentication tokens, and legitimate administrative tools to move laterally and gain broad access.

Supply chains further amplify systemic risk, as compromises of third-party vendors can cascade across multiple organizations, making supply-chain attacks an efficient vector for nation-state cyberattacks, particularly against critical infrastructure and government networks.

AI and the Evolution of Cyber Operations 

Artificial intelligence is reshaping the cyber threat landscape, although its direct role in confirmed state operations remains difficult to measure.

Threat intelligence monitoring shows the rise of Deepfake-as-a-Service markets and advertisements offering identity verification bypass tools or synthetic video generation. In 2025, deepfakes were involved in more than 30 percent of high-impact corporate impersonation attacks.

Phishing campaigns are also becoming more automated. The CCAPAC Annual Report 2025 indicates that 82.6 percent of phishing emails now contain AI-generated elements, enabling attackers to scale highly convincing impersonation attempts.

Malware development may also be changing. Security researchers have reported experimental malware families capable of modifying behavior during attacks using language-model-based components. While technical documentation remains limited, such developments hint at how automation could shape future cyber warfare 2026 strategies.

Another area of rapid change is vulnerability discovery. AI-assisted code analysis has already demonstrated the ability to locate hundreds of severe software vulnerabilities in open-source projects within short timeframes, accelerating both defensive research and offensive exploitation.

The Vulnerability Landscape Driving Modern Cyber Conflict 

Software vulnerabilities remain one of the most reliable entry points for attackers. Examples from 2026 include:
  • CVE-2026-24423, a remote code execution vulnerability in SmarterMail exploited in ransomware campaigns. 
  • CVE-2026-22719, a VMware Aria Operations command-injection flaw actively exploited in the wild. 
  • CVE-2026-2441, the first actively exploited Chrome zero-day reported in 2026. 
Security researchers documented 90 zero-day vulnerabilities exploited in 2025, nearly half of which targeted enterprise technology systems. The pace of discovery continues to accelerate. One vulnerability monitoring report tracked 1,782 vulnerabilities disclosed in a single week, including 282 public proof-of-concept exploits. This quick weaponization cycle increases geopolitical cyber risk, as attackers can quickly convert newly discovered flaws into operational tools. 

Conclusion 

In 2026, digital conflict is a permanent part of global competition, with state-sponsored cyber threats exploiting supply chains, identity systems, and critical infrastructure to expand geopolitical risk. Criminal ecosystems further blur espionage and financially motivated attacks, complicating attribution. Cyble delivers AI-powered threat intelligence and autonomous defense through platforms like Cyble Blaze AI, giving organizations real-time visibility, automated protection, and proactive mitigation. Book a personalized demo today to stay protected from modern cyber threats. 


Who Is Handala — The Iran-Linked Ghost Group That Just Wiped 200K Stryker Devices


On the morning of March 11, employees at Stryker offices worldwide switched on their computers and found them blank — login screens replaced by a logo most had never seen. A small, barefoot boy with a slingshot, the symbol of Handala.

The attack on Stryker Corporation — a Fortune 500 medical technology giant that supplies surgical equipment, orthopedic implants, and neurotechnology to hospitals globally — ranks as one of the most operationally destructive cyberattacks ever executed against a U.S. healthcare company.

Stryker reported $25 billion in revenue in 2025 and employs approximately 56,000 people, with its products embedded in hospital supply chains worldwide. What hit it was not ransomware. The attackers came to destroy, not extort.

Stryker confirmed the incident in a Form 8-K filing with the U.S. SEC, describing "a global disruption to the Company's Microsoft environment" and stating it had no indication of ransomware or malware and believed the incident was contained. The company's own filing, however, understated what employees were already reporting on the ground.

Employees in the United States, Ireland, Costa Rica, and Australia reported that managed Windows laptops and mobile devices had been remotely wiped.

"My wife had 3 Stryker managed devices wiped around 3:30 AM EDT. Their Entra login page was defaced with the Handala logo," a Reddit user said.

Another described the situation as "bad" and said: "Many colleagues' phones have been wiped. Instructed to remove intune, company portal, teams, VPN from personal devices. Personal phone so have lost access to my eSim. Unable to log in to many things due to 2-factor authentication. Have lost all personal data from personal devices that were enrolled and now unable to access emails and teams."

Handala claimed to have wiped more than 200,000 systems, servers, and mobile devices and extracted 50 terabytes of data, forcing Stryker to shut down operations across 79 countries. In a midnight update, Stryker said it was still working toward full restoration after the cyberattack.

"We are continuing to resolve the disruption impacting our global network, resulting from the cyber attack. At this time, there is no indication of malware or ransomware and we believe the situation is contained to our internal Microsoft environment only. Our products like Mako, Vocera and LIFEPAK35 are fully safe to use. We have visibility to the orders entered before the event, and they will be shipped as soon as our system communications are restored. Any orders that have come in after the event are being examined. We are working to ensure our electronic ordering system is back up and running as quickly as possible. It is safe to communicate with Stryker employees and sales representatives by email and phone, and within your facility." - Stryker's update on the cyberattack

The mechanism behind the attack points to a calculated abuse of Microsoft Intune — a cloud-based platform enterprises use to manage and push policy updates to all enrolled devices from a single console. A wiper is malware that permanently erases data rather than encrypting it for ransom.

In short, an attacker with admin-level access to Intune effectively holds a kill switch for every enrolled endpoint in the organization. The Handala branding that appeared on screens before the wipe confirmed that access had been established and held well before the destructive phase began — this was a deliberate, staged operation.
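Because the console itself is the weapon here, the most useful detection is not on the endpoints but on the management plane: a single administrative identity issuing wipe or retire actions against many devices in a short window is a pattern no helpdesk workflow produces. The following is an added example (not Stryker's, Microsoft's, or Cyble's code) of a sliding-window alert over management audit events. The record shape it consumes (activityDateTime, actor, activity, device) is a simplified assumption rather than the exact Intune audit-log schema, the set of destructive activity names is assumed, and all events are constructed; the only value borrowed from the story is the early-morning timing.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Device actions that destroy or unenrol an endpoint. Assumed vocabulary for
# this example; map it onto the activity names in your own audit export.
DESTRUCTIVE = {"wipe", "retire", "fresh start", "autopilot reset"}


def parse_event(raw):
    """Normalise one audit record of the assumed shape
    {activityDateTime, actor, activity, device}."""
    return {
        "ts": datetime.fromisoformat(raw["activityDateTime"].replace("Z", "+00:00")),
        "actor": raw["actor"].lower(),
        "activity": raw["activity"].lower(),
        "device": raw["device"],
    }


def detect_mass_wipe(raw_events, window=timedelta(minutes=10), threshold=25):
    """Per actor, count distinct devices hit by destructive actions inside a
    sliding time window. Emits one alert per actor at the first moment the
    count reaches `threshold`; routine, spread-out retirements never do."""
    by_actor = defaultdict(list)
    for ev in map(parse_event, raw_events):
        if ev["activity"] in DESTRUCTIVE:
            by_actor[ev["actor"]].append(ev)
    alerts = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            devices = {e["device"] for e in evs[start:end + 1]}
            if len(devices) >= threshold:
                alerts.append({"actor": actor, "devices": len(devices),
                               "window_start": evs[start]["ts"].isoformat()})
                break
    return alerts


def build_sample_events():
    """Constructed audit records: three routine retirements by a helpdesk
    account hours apart, then 40 wipes by one account inside four minutes."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    base = datetime(2026, 3, 11, 7, 30, tzinfo=timezone.utc)  # constructed
    events = []
    for i in range(3):
        events.append({"activityDateTime": (base - timedelta(hours=8 - 3 * i)).strftime(fmt),
                       "actor": "helpdesk@example.com", "activity": "Retire",
                       "device": f"LT-{i:04d}"})
    for i in range(40):
        events.append({"activityDateTime": (base + timedelta(seconds=6 * i)).strftime(fmt),
                       "actor": "svc-intune@example.com", "activity": "Wipe",
                       "device": f"LT-{100 + i:04d}"})
    return events


if __name__ == "__main__":
    for alert in detect_mass_wipe(build_sample_events()):
        print(alert)
```

The alert fires on the 25th distinct device, not after the burst has finished, which matters when the whole wipe completes in minutes; pairing it with an automatic revocation of the acting identity's sessions is the natural next step, and the threshold should sit above the largest legitimate bulk action the organisation actually performs.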

So Who Exactly is Handala?

Handala — also known as Handala Hack Team, Hatef, and Hamsa — first surfaced in December 2023 as a hacktivist operation linked to Iran's Ministry of Intelligence and Security (MOIS), initially targeting Israeli organizations with destructive malware designed to wipe both Windows and Linux devices, explained researchers at AI-powered threat intelligence firm, Cyble.

The group takes its name and visual branding from the iconic Palestinian cartoon character created by Naji al-Ali — a child refugee who never grows up and always turns his back to the viewer.

The hacktivist branding, however, obscures a more serious intelligence attribution. Multiple threat intelligence firms assess Handala as one of several online personas maintained by Void Manticore, a MOIS-affiliated actor optimized for psychological and reputational disruption — breaking into systems, conducting hack-and-leak activity, and timing the publication of stolen material to maximize pressure.

Check Point Research found repeated overlaps between MuddyWater — another MOIS-affiliated group — and Void Manticore, including shared criminal tooling. Handala has used Rhadamanthys, a commercial infostealer sold on dark web forums, pairing it with custom data wipers in phishing lures that impersonated F5 software updates and even Israel's own National Cyber Directorate.

Cyble has observed Handala hackers using the Hamsa and Hatef data wipers in previous campaigns targeted mainly at Israeli entities.

[Figure: Handala data wipers (Source: Cyble Research and Intelligence Labs)]
Also read: Iran-linked Threat Group Handala Actively Targets Israel

Void Manticore's attack playbook follows a consistent pattern of Handala too. Initial access through unpatched web servers, VPN gateways, and remote access solutions; lateral movement using living-off-the-land tools like PowerShell and scheduled tasks; and final-stage deployment of destructive wiper families designed to erase file systems and corrupt boot records.

The group's prior targets read like a map of sensitive sectors. Since the start of the Iran-Israel war, Handala has claimed to have wiped Israeli military weather servers, intercepted security feeds in Jerusalem, stolen and wiped data from various companies, doxxed Israeli intelligence officers, and breached an Israeli oil and gas exploration company.

Most recently, threat intelligence reporting documented the group publishing identifying details for 50 senior Israeli Air Force officers — names, IDs, addresses, and phone numbers.

Handala stated the Stryker attack was carried out in retaliation for a U.S. military strike on a school in Minab, Iran, that reportedly killed more than 175 people, most of them children.

[Figure: Stryker cyberattack claim by Handala (Source: X)]

Stryker has no direct connection to military operations, though it did secure a $450 million Department of Defense contract in 2025 to supply medical devices to the U.S. military.

That contract likely put a target on Stryker's back.

Recent reporting indicates that MOIS-affiliated groups, including Handala, infiltrated U.S. and Israeli infrastructure weeks before the military operations conducted as part of Operation Epic Fury, suggesting pre-positioned access rather than reactive intrusion. In other words, Handala may have been inside Stryker's environment long before anyone noticed.

Check Point researchers also observed Handala routing operations through Starlink IP ranges to probe externally facing applications for misconfigurations and weak credentials — a deliberate technique to blend reconnaissance traffic into legitimate satellite internet usage and frustrate IP-based blocking.

The hacker collective on Wednesday also claimed to have hacked another Israeli company, Verifone, a leading provider of payment solutions and point-of-sale terminals to countries across the globe. However, a spokesperson for the company told The Cyber Express that all such claims are "fake news" and do not hold any substance. “Verifone closely monitors the security and integrity of its systems worldwide. We have observed recent allegations on March 11, 2026 from threat actors claiming an intrusion into our systems in Israel. Verifone has found no evidence of any incident related to this claim and has no service disruption to our clients,” the spokesperson said.

Updated on March 13, 2026 1:24 AM ET: The article was updated with a statement from a Verifone spokesperson confirming no evidence of intrusion and no authenticity to Handala's claims.

Cyber-Kinetic Warfare Escalates as Iran, US, and Israel Clash Across Military and Digital Fronts


The Middle East has entered a critical tipping point, as tensions between Iran, the United States, and Israel escalated into a complex hybrid conflict that blends traditional military operations with cyber and information warfare. The offensive, identified as Operation Epic Fury by the US and Operation Roaring Lion by Israel, demonstrates how modern hostilities can no longer be understood through conventional lenses alone.

Unlike previous confrontations, this campaign combined kinetic strikes, cyber intrusions, psychological operations, and information manipulation into a single, synchronized effort. Cyber capabilities were leveraged as a co-equal domain alongside air and missile strikes, revealing a new level of strategic integration that reshapes the dynamics of regional warfare.

Independent monitoring from Cyble Research and Intelligence Labs (CRIL) highlighted how these combined operations exposed both strengths and vulnerabilities among the actors involved.

Strategic Build-Up and Diplomatic Limitations 

In the lead-up to the offensive, the United States mobilized its largest Middle East deployment since the 2003 Iraq invasion, positioning aircraft carriers, fighter squadrons, and intelligence assets near Iran's borders.

Parallel diplomatic initiatives in Geneva offered a fleeting possibility of negotiation, as Tehran agreed to halt nuclear enrichment under IAEA oversight. However, mutual distrust, strategic imperatives, and long-standing hostilities rendered these measures ineffective, creating conditions ripe for Operation Epic Fury and Operation Roaring Lion.

Hybrid Warfare: The Cyber-Kinetic Nexus in the Middle East

The campaign's defining feature was the integration of cyber operations with kinetic attacks. Iran's domestic internet infrastructure was reportedly reduced to 1–4% functionality, as state media, government services, and military communications came under sustained digital assault. Popular services, mobile applications, and religious platforms were compromised, while government websites displayed defaced content intended to undermine Tehran's official narratives.

Pre-existing cyber actors, including MuddyWater, APT42 (Charming Kitten), Prince of Persia/Infy, UNC6446, and CRESCENTHARVEST, amplified the conflict through phishing, data theft, and server exploitation. Simultaneously, psychological operations extended into Israel, delivering threatening messages about fuel shortages and national ID numbers.

Retaliation and Regional Cyber Convergence 

Iran's response combined missile and drone attacks targeting Israel, Gulf Cooperation Council (GCC) states, and US military bases, causing civilian casualties and infrastructure damage, including at Dubai International Airport and an AWS cloud data center.

Hacktivist activity surged in parallel, with more than 70 groups conducting DDoS attacks, website defacements, and credential theft campaigns across multiple countries. Malicious payloads, such as a RedAlert APK mimicking Israel's missile alert app, showcased tradecraft usually associated with state-sponsored operations.

Pro-Russian groups like NoName057(16) and Russian Legion opportunistically aligned with Iranian interests, while cybercriminal actors exploited the chaos to launch ransomware and social engineering campaigns, demonstrating the convergence of ideological and financial motivations in modern hybrid warfare.

Lessons and Implications 

The ongoing operations underscore several key lessons for the region and for global observers: cyber operations now function as co-equal with kinetic action; hacktivist networks can act as force multipliers across borders; and opportunistic cybercrime thrives in environments of geopolitical uncertainty. Analysts emphasize the need for continuous vigilance, from credential monitoring and DDoS mitigation to proactive defense against emerging malware campaigns.

Operation Epic Fury and Operation Roaring Lion highlight that the current Middle East conflict extends far beyond conventional warfare. Even as Iran's networks remain degraded, pre-positioned cyber capabilities and hacktivist activity could sustain prolonged disruption, signaling a persistent and modern threat landscape that will influence regional and global security calculations for months to come.