Good Morning, Security Gang!

This week’s stories share a single, uncomfortable thread: attackers are winning not by breaking through walls, but by walking through trusted doors. A medical technology giant had 200,000 devices wiped not by exotic malware, but by attackers who simply used Microsoft Intune admin credentials and did exactly what admins do. Iranian operators have been quietly sitting inside U.S. networks, undetected, waiting. North Korean IT workers are on corporate payrolls generating revenue for the regime. An identity protection company got breached. A retail giant’s email system was hijacked to run crypto scams. The Stryker attack that dominated last week returned with new details that made it even more alarming.

Meanwhile, a supply chain attack called GlassWorm expanded to over 400 code repositories. A botnet is exploiting 174 known vulnerabilities at scale. Ransomware groups are quietly pivoting away from encryption toward data theft because defenses improved, so they adapted. And AI is now being actively manipulated through font rendering tricks to evade detection systems we built to catch exactly this kind of thing.

The week closed on a clear theme: trust is the attack surface now. If you have it, adversaries want to exploit it. Below is everything you need to know, organized by category, with a prioritized action list and James Azar’s CISO’s Take to close it out.

Let’s get into it.

🌐 Geopolitical Cyber Warfare

Iranian Cyber Operators Maintain Persistent Footholds in U.S. Networks

The most strategically alarming story this week: Iranian cyber operators have successfully maintained long-term persistent access inside U.S. networks. This is not opportunistic intrusion. This is deliberate, patient pre-positioning embedding quietly, waiting for a trigger event to activate operations at scale. The goal isn’t immediate disruption. It’s leverage.

This aligns directly with the Stryker attack timeline and Iran’s broader pattern of establishing access during geopolitical escalation windows. Once inside, these actors conduct reconnaissance, map environments, and identify chokepoints. Organizations must treat any Iranian-attributed indicator of compromise as a potential precursor to something larger because in this environment, it almost certainly is.

Iranian Handala Group Exploits RDP for Initial Access

The Handela group — the same actors linked to the Stryker attack is actively exploiting exposed Remote Desktop Protocol services to gain initial footholds. Handala has conducted operations against organizations in Israel, Albania, and the United States, with researchers linking the group to the Iranian Ministry of Justice. RDP exposed to the public internet remains one of the most abused entry points in all of cybercrime. There is no reason any organization’s RDP should be directly internet-accessible in 2026.

Israel Strikes Iranian Cyber Warfare Headquarters

Israeli military operations this week included strikes targeting Iran’s cyber warfare headquarters as part of the broader ongoing conflict. This is the clearest demonstration yet of how cyber capabilities have been fully integrated into traditional military strategy. Cyber infrastructure is now a kinetic target. The implications extend beyond the conflict zone escalation cycles in the physical domain accelerate activity in the digital one.

China Conducts Long-Term Espionage Against Asian Militaries

Researchers uncovered a sustained Chinese state-linked espionage campaign tracked as CL-STA-1087 — targeting military organizations across Asia. Unlike Iran’s disruptive playbook, China’s approach prioritizes stealth and patience: quietly infiltrating defense networks over months or years to harvest sensitive communications, operational data, and strategic planning documents. These campaigns can persist undetected for years. Continuous threat hunting is the only reliable countermeasure.

Chinese Espionage Targets Southeast Asian Government and Infrastructure

A separate Chinese state-linked campaign is targeting government entities and infrastructure organizations across Southeast Asia, focused on long-term intelligence collection. China’s cyber doctrine is consistent: strategic information gathering to support geopolitical planning and military development. Organizations in telecommunications, technology, and government contracting in the region should treat stealthy lateral movement detection as a primary security priority.

EU Sanctions Chinese and Iranian Cyber Actors

The European Union announced sanctions against entities linked to Chinese and Iranian cyber operations. While the diplomatic signal is meaningful, the practical deterrence effect remains limited these actors operate outside EU jurisdictions and hold no sanctioned assets within reach of enforcement. Policy-based responses have a role in the broader geopolitical response, but they are not a substitute for operational defense.

Poland’s Nuclear Research Center Targeted

Poland’s nuclear research center was struck in a cyberattack that forced portions of the network offline as a precautionary measure. Nuclear safety systems were reportedly unaffected. Attribution is still under investigation, with Iranian actors among those being examined. Research institutions holding sensitive scientific data tied to national security projects are high-value espionage targets. Segmentation between research and administrative systems is essential.

💥 Destructive Attacks & Living-Off-the-Land Techniques

Stryker: 200,000 Devices Wiped via Microsoft Intune — Without Malware

The full picture of the Stryker attack came into clearer focus this week, and it’s more alarming than the initial reporting. Attackers did not deploy traditional wiper malware. They gained administrative access to Stryker’s Microsoft Intune environment and used the platform’s own device management capabilities to trigger mass wipe commands across more than 200,000 managed devices across 79 countries.

This is a “living off the land” attack at devastating scale. No malware. No exotic exploit. Just admin credentials and a legitimate enterprise tool doing exactly what it was designed to do. The activity was indistinguishable from normal system administration until it was far too late.

Healthcare infrastructure is uniquely exposed to this attack pattern because device availability directly impacts medical operations. The lesson here is clear: multi-approval workflows for destructive administrative actions are not a compliance checkbox. They are an operational necessity.

🔓 Data Breaches

Aura Identity Protection: 900,000 Marketing Contacts Exposed

Identity protection company Aura confirmed a breach exposing approximately 900,000 marketing contacts names, email addresses, and business-related data. On the surface, marketing data looks low-risk. It isn’t. These datasets are structured, segmented, and tied to specific roles and behaviors, making them ideal fuel for precision spear-phishing campaigns. The fact that this data came from a trusted identity protection brand makes it exponentially more dangerous attackers will impersonate Aura to exploit the trust the brand carries.

Starbucks Confirms Employee Data Breach

Starbucks confirmed a breach affecting employee workforce records and personal data. Employee data breaches fuel social engineering, credential harvesting, payroll fraud, and help desk manipulation attackers use workforce information to impersonate employees and bypass identity verification processes. As identity becomes the primary security perimeter, breaches involving employee records become as dangerous as any system compromise.

Loblaw Customer Data Breach: Canada’s Largest Retailer

Canadian retail giant Loblaw operating over 2,400 stores and pharmacies disclosed a breach affecting customer data. Loblaw’s pharmacy operations mean this dataset may include healthcare-adjacent information alongside standard loyalty and purchase data. Retail breaches are not just a customer notification problem. They fuel credential stuffing, fraud campaigns, and identity chaining across ecosystems.

Marquis Ransomware: 672,000 Individuals Impacted

Newly disclosed details from the Marquis ransomware attack confirm that approximately 672,000 individuals had data compromised. The attack reflects the broader ransomware shift away from encryption and toward data theft and extortion because ransomware payments are declining and defenders are getting better at recovery. Stolen data fuels fraud for years after the initial breach. Data classification, encryption, and sensitive dataset monitoring are essential mitigations.

UK Companies House Registry Exposes Business Data

A vulnerability in the United Kingdom’s Companies House registry exposed business registration data tied to millions of companies executive identities, corporate filings, financial disclosures. Government databases holding corporate intelligence are high-value targets for fraud and targeted phishing. Bulk data access validation and extraction monitoring are required controls for public-facing registries.

Russian Fancy Bear Exposed Server Reveals Stolen Credential Trove

An exposed server linked to Russia’s Fancy Bear threat group revealed a large collection of stolen credentials from government and defense organizations. This provides rare visibility into how state-sponsored actors operate: credential collection at scale, followed by systematic exploitation for follow-on operations. The volume and targeting suggest active, ongoing campaigns against sensitive government environments.

Nordstrom Email System Hijacked for Crypto Scams

Attackers abused Nordstrom’s legitimate email infrastructure to send cryptocurrency scam messages to customers. Because the emails originated from a trusted brand domain, they bypassed traditional phishing detection and carried inherent credibility with recipients. Hijacking legitimate communication channels is more effective than building fake ones and significantly harder to detect. Outbound email monitoring and anomaly detection must be standard practice for consumer-facing enterprises.

🕵️ Nation-State & Insider Threats

“The line between cybercrime, espionage, and cyber warfare is disappearing faster than most organizations are ready for.” James Azar

North Korean IT Workers Infiltrate Global Companies

One of the most operationally complex threats this week: North Korean IT workers are posing as legitimate remote employees to gain authorized access to corporate systems, generate revenue for the regime, and conduct potential espionage. This is not a cyberattack in the traditional sense. It is an insider threat operating under legitimate employment conditions — with all the access and trust that comes with it.

OFAC sanctioned the networks supporting these operations this week, signaling that the U.S. government views this as a systemic threat requiring both legal and defensive responses. For organizations, the risk extends beyond security into compliance exposure. Integrating sanctions screening into hiring and vendor onboarding is no longer optional.

🛡️ Vulnerabilities & Active Exploitation

Cisco Firewall Zero-Day Actively Exploited by Ransomware Groups

A Cisco firewall zero-day is being actively exploited by ransomware operators. Perimeter firewalls compromise at this level means attackers gain direct access to internal networks, can create backdoor accounts, and establish long-term persistence often without triggering standard alerts. Immediate patching of perimeter infrastructure and real-time vulnerability scanning are the required responses.

Google Chrome Zero-Days: Version 146 Released

Google released Chrome version 146 addressing two actively exploited zero-day vulnerabilities. Browsers are the gateway between users and the internet — exploiting browser flaws allows attackers to compromise endpoints through malicious websites and crafted content. Enforce automatic browser updates across all enterprise endpoints. This is not optional remediation.

Fortinet FortiGate Actively Exploited

FortiGate firewall appliances are under active exploitation. Management interfaces exposed to the internet remain a critical vulnerability across enterprise environments. Enforce MFA for administrative access, restrict management interfaces from public exposure, and maintain detailed logging of all configuration changes.

ConnectWise ScreenConnect: Session Hijacking Vulnerability

ConnectWise disclosed a vulnerability in its ScreenConnect remote access platform enabling session hijacking. Remote access tools carry administrative-level capabilities by design — when compromised, attackers inherit full system control. Session-level authentication, privileged access monitoring, and anomaly detection for remote access activity are essential mitigations.

CISA Warns of Active Wing FTP Server Exploitation

CISA issued an alert regarding active exploitation of Wing FTP Server vulnerabilities. FTP servers frequently host sensitive corporate files and internal data transfers, making them attractive initial access targets. Restrict FTP services to internal networks and apply updates immediately.

CISA Warns of Active Zimbra XSS Exploitation

A Zimbra cross-site scripting vulnerability is being actively exploited. Email platforms are critical infrastructure XSS vulnerabilities in these systems enable account takeover, data theft, and malicious script execution at enterprise scale. Deploy web application firewall protections and prioritize email infrastructure patching.

HP AOS-CX Network OS: Administrative Password Reset Vulnerability

Hewlett Packard warned of a critical vulnerability allowing attackers to reset administrative passwords on AOS-CX network devices. Network operating systems are under-secured relative to their access footprint. Enforce MFA for all network device administration and restrict management interfaces from public exposure.

DarkSword iOS Exploit Kit Used in State-Sponsored Spyware Campaigns

A sophisticated iOS exploit kit called DarkSword is being used by state-sponsored actors and spyware vendors in targeted surveillance campaigns. Mobile devices are among the highest-value espionage targets due to the density of sensitive data credentials, communications, behavioral patterns. Deploy mobile threat defense solutions and restrict untrusted application installation across enterprise-managed devices.

🤖 AI, Supply Chain & Developer Threats

Rondo Botnet Exploits 174 Known Vulnerabilities at Scale

The Rondo botnet has been observed exploiting 174 different vulnerabilities to compromise internet-facing systems at industrial scale. This is not sophisticated tradecraft, it is automation applied to known, unpatched vulnerabilities. Organizations that fail at basic patch hygiene are handing attackers an automated path inside. Internet-facing asset discovery and continuous vulnerability management are the only effective countermeasures.

Ransomware Groups Pivot from Encryption to Data Theft and Stealth

Google published research confirming what practitioners have been observing: ransomware operators are shifting away from encryption-based attacks toward quiet data exfiltration and extortion. As encryption-based ransomware defenses improved and payments declined, attackers adapted. Stealthy data theft bypasses traditional ransomware detection entirely. Egress traffic monitoring and data loss prevention controls are now frontline defenses — not supplementary ones.

GlassWorm Supply Chain Attack Expands to 400+ Repositories

The GlassWorm supply chain attack which we covered earlier this week has expanded to more than 400 code repositories across GitHub, NPM, VS Code, and OpenVSX. This is one of the largest coordinated supply chain attacks in recent memory. Poisoned dependencies propagate quickly into enterprise environments through normal software build processes. Code signing verification and dependency validation for all third-party packages must be enforced immediately.

AI Used to Hide Malicious Code from AI Detection Systems

Researchers uncovered a new evasion technique where attackers use font rendering manipulation to hide malicious commands from AI-based security tools. As organizations lean more heavily on AI for threat detection and code analysis, adversaries are actively learning how to defeat AI detection specifically. AI-only defenses have a blind spot that attackers are now deliberately exploiting. Layered defenses combining AI detection with traditional static and dynamic analysis are required.

Vulnerabilities Discovered in AWS Bedrock and Langsmith

Security researchers identified vulnerabilities in AWS Bedrock and Langsmith two platforms widely used for building and managing AI applications. These flaws could allow attackers to manipulate AI outputs or access sensitive data processed through these systems. AI platforms are being deployed faster than they are being secured. Strict input validation and output monitoring across AI systems must be implemented as foundational controls.

LeakNet Ransomware Group Deploys ClickFix and Deno for Stealth

The LeakNet ransomware group is now using legitimate development tools ClickFix and the Deno runtime to execute attacks that blend seamlessly into normal developer activity. By operating through trusted tools rather than malicious binaries, these attacks evade signature-based detection. Runtime monitoring and behavioral anomaly detection for developer environments are critical.

Supply Chain Attack Abuses AppsFlyer Web SDK

Attackers injected cryptocurrency-stealing JavaScript into the AppsFlyer Web SDK, affecting analytics tools deployed across numerous websites. Third-party scripts are a persistent, undermanaged risk in web application security. Content Security Policies restricting unauthorized script execution are one of the most effective mitigations available and among the most underdeployed.

Malicious GitHub Repositories Distribute Credential-Stealing Malware

Researchers discovered over 100 GitHub repositories distributing credential-stealing malware disguised as legitimate development tools. Developer workstations with access to production environments are high-value targets. Automated dependency scanning and open-source verification must be standard before integrating any third-party tooling.

VPN Credential Theft Campaign Targets Remote Workers

A new campaign is targeting VPN users through phishing pages mimicking legitimate VPN login portals. VPN credentials grant direct access to corporate networks — bypassing perimeter defenses entirely. Device-based authentication and contextual access policies provide meaningful protection where passwords alone do not.

⚖️ Law Enforcement, Policy & Industry

INTERPOL Synergia III: 45,000 Malicious IPs Sinkholed

INTERPOL’s Operation Synergia III involved 72 nations, resulted in the sinkholing of 45,000 malicious IP addresses, seizure of more than 200 servers and devices, and nearly 100 arrests, with 110 additional suspects under investigation. These operations meaningfully disrupt botnet infrastructure and slow criminal campaigns, even if they don’t permanently eliminate the underlying ecosystems.

New York Introduces Cybersecurity Rules for Water Systems

New York announced new cybersecurity regulations for water utilities, including training requirements, incident response planning, and cybersecurity leadership designations. However, the rules stop short of mandating technical standards, no requirements for OT/IT segmentation, air-gapping, or data diodes. Compliance-focused regulation without technical architecture requirements leaves the actual attack surface largely unchanged. Critical infrastructure protection requires engineering solutions, not just policy frameworks.

U.S. Department of Energy Prepares First Comprehensive Cybersecurity Strategy

The U.S. Department of Energy is developing its first comprehensive cybersecurity strategy for energy infrastructure protection, emphasizing public-private collaboration and resilience over strict regulatory mandates. Given the criticality of energy systems, this initiative represents a meaningful step particularly if it produces operational frameworks with technical specificity.

Tech Giants Form Coalition to Combat Online Fraud

Google, Microsoft, Meta, Amazon, and others announced a coalition to combat online scams and fraud. The scale of cyber-enabled fraud has outgrown any single organization’s ability to address it. Cross-industry collaboration on threat intelligence and fraud infrastructure disruption is a necessary evolution. Execution will determine whether this initiative produces lasting impact.

EU Court Overturns Amazon’s $858M GDPR Fine

A Luxembourg court overturned the $858 million GDPR fine previously imposed on Amazon. The ruling could reshape how GDPR enforcement is interpreted across Europe and may reduce the deterrence effect of future large-scale privacy enforcement actions. Organizations operating in Europe are watching this decision closely.

Georgia Arrest: Phishing Campaign Targeting NBA and NFL Affiliates

Authorities arrested an individual in Georgia for operating targeted phishing campaigns against NBA and NFL affiliates. High-value individuals with access to financial resources or sensitive systems are increasingly targeted with tailored attacks. User awareness training and identity protection controls remain essential defenses against this type of precision social engineering.

✅ This Week’s Priority Action List

Immediate (Do This Now)

• Implement multi-approval workflows for all destructive administrative actions in Intune, Active Directory, and endpoint management platforms — the Stryker attack is the blueprint for why this matters

• Audit privileged administrative accounts and enforce just-in-time access for sensitive operations

• Restrict RDP access to behind VPN or zero-trust gateways — no exceptions for internet-facing exposure

• Enforce code signing and dependency validation across all development pipelines (GlassWorm has hit 400+ repositories)

• Patch Cisco firewall zero-day, Chrome zero-days, Fortinet FortiGate, ConnectWise ScreenConnect, Wing FTP, and Zimbra immediately

• Restrict HP AOS-CX management interfaces and enforce MFA for network device administration

Short-Term (This Month)

• Deploy egress traffic monitoring and DLP controls to detect data exfiltration — ransomware has pivoted to stealth theft

• Implement enhanced identity verification and continuous monitoring for all remote workers

• Integrate OFAC sanctions screening into hiring and vendor onboarding processes

• Deploy mobile threat defense solutions and restrict untrusted app installation on managed devices

• Implement Content Security Policies to block unauthorized third-party script execution on web properties

• Deploy advanced email threat detection tuned for spear-phishing using enriched contact datasets

• Extend behavioral monitoring to developer environments and runtime tools (ClickFix, Deno, scripting runtimes)

• Monitor Cisco network infrastructure for backdoor accounts and configuration anomalies post-patching

Strategic (This Quarter)

• Assess AI platform security for AWS Bedrock, Langsmith, and other AI tooling in your environment

• Combine AI-driven detection with traditional static and dynamic analysis — AI-only defenses have documented blind spots

• Conduct continuous threat hunting specifically for Iranian and Chinese APT persistence indicators

• Strengthen IT/OT segmentation in any critical infrastructure environment regardless of regulatory requirements

• Review zero-trust remote access posture for VPN credential exposure risk

• Integrate geopolitical threat intelligence into SOC monitoring workflows for Iranian, Russian, and North Korean TTPs

🎙️ James Azar’s CISO’s Take

When I look at this week in its entirety, the most important insight isn’t about any individual attack or vulnerability, it’s about the fundamental shift in how adversaries operate. Trust has become the primary attack vector. Legitimate administrative tools. Legitimate employee identities. Legitimate brand names. Legitimate developer ecosystems. In every major story this week, attackers won not by defeating security controls, but by exploiting the trust that makes organizations function. That’s a harder problem than patching a CVE. It requires continuous validation of every trust assumption in your environment identity, access, behavior, and third-party dependencies.

At the same time, the convergence we’ve been tracking for months is accelerating. Cybercrime, espionage, and state-sponsored warfare are no longer distinct categories. North Korean IT workers generate revenue for the regime while conducting espionage. Iranian operators maintain persistent access while executing destructive operations. Russian intelligence harvests credentials at scale while influencing geopolitical narratives. For CISOs, the response is the same regardless of actor category: visibility, identity discipline, behavioral monitoring, and continuous patching executed with the consistency and urgency the threat environment demands.

Share

📋 Week in Summary

This week’s stories converged on a single uncomfortable truth: the most dangerous threats in today’s environment don’t look like attacks. They look like normal operations. An admin wiping devices through Intune. A remote employee accessing corporate systems. A trusted vendor’s email arriving in a customer inbox. A legitimate SDK running JavaScript on a website. Attackers have learned that the fastest path through enterprise defenses is through the trust those defenses are built to protect and this week, they demonstrated that lesson at scale across healthcare, retail, financial services, government, and developer ecosystems simultaneously.

The response isn’t panic, it’s discipline. The organizations that weathered this week’s threat environment are the ones that validate trust continuously rather than granting it permanently. Multi-approval workflows for destructive actions. Behavioral monitoring for privileged accounts. Dependency validation for developer pipelines. Egress monitoring for data exfiltration. Mobile threat defense for executive devices. These are not exotic controls. They are foundational hygiene applied with rigor. The attackers adapted. It’s time to match their pace.

Stay informed. Stay prepared. Stay Cyber Safe. 🔐

Leave a comment

© CyberHub Podcast | Subscribe on Substack | Watch on YouTube | Follow on LinkedIn