Executive Summary

65% of organizations report experiencing at least one AI agent-related security incident in the past year. That’s not a projection. It’s a warning about the future. And it’s already happening.

Verticals Targeted: Healthcare
Regions Targeted: US, Global
Related Families & Threat Actors: Lynx, ANUBIS, Rhysida, LockBit, ALPHV/BlackCat, Qilin, Medusa, The Gentleman, Payload, NetRunner, Genesis, ShinyHunters, Pay2Key, Handala

Executive Summary

Healthcare remains the most targeted critical infrastructure sector for cyberattacks, driven by ransomware, large-scale data theft, and increasing geopolitical activity. In 2026, threat activity reflects a convergence of ransomware operators, data extortion groups, and Iran-linked cyber operations, significantly increasing risk to healthcare delivery, patient safety, and supply chain stability.

Verticals Targeted: Aviation, Aerospace
Regions Targeted: US, Global
Related Threat Actors: Scattered Spider, Refined Kitten, Wicked Panda, Fancy Bear
Related Families: Qilin, LockBit, Cl0p

Executive Summary

Cyber risk in the aviation and aerospace sector is evolving toward ransomware, identity-based intrusion, platform-level disruption, and potential impacts to navigation and satellite-dependent services. Recent reporting on airport disruption in April 2026, combined with the confirmed 2025 Collins Aerospace/MUSE ransomware incident, shows how cyber incidents can rapidly affect passenger processing, baggage handling, scheduling, and broader aviation continuity.

Verticals Targeted: Enterprise Networks
Regions Targeted: US, UK, Germany
Related Families: SystemBC, Cobalt Strike

Executive Summary

The Gentlemen ransomware-as-a-service (RaaS) operation has rapidly scaled in early 2026, leveraging multi-platform encryption capabilities and enterprise-focused intrusion techniques. Recent DFIR analysis shows affiliates using tools such as SystemBC and Cobalt Strike to establish covert access, pivot laterally, and deploy ransomware at scale via Group Policy, enabling rapid domain-wide encryption events. The Gentlemen has been observed targeting enterprise networks primarily in the US, UK, and Germany.

Verticals Targeted: Water, Critical Infrastructure
Regions Targeted: Israel

Executive Summary

ZionSiphon is an OT-focused malware sample designed to identify and interact with water treatment and desalination environments. It was used to target water treatment systems in Israel. Although the analyzed version appears partially non-functional, it demonstrates ICS-aware targeting, industrial protocol interaction, and politically motivated intent. The sample provides insight into evolving adversary interest in manipulating systems that underpin critical infrastructure operations.

Verticals Targeted: Critical Infrastructure, ONG, Electricity, Water, Government
Regions Targeted: US
Related Threat Actors: CyberAv3ngers, Static Kitten, Refined Kitten, Helix Kitten, Banished Kitten

Executive Summary

A joint US government advisory confirmed that Iran-affiliated cyber actors are actively exploiting internet-facing industrial control systems, particularly Rockwell Automation/Allen-Bradley PLCs, across US critical infrastructure. The activity has resulted in operational disruption, manipulation of HMI/SCADA data, and financial loss in sectors including water, energy, and government facilities. The campaign reflects a continuation of Iran’s established OT targeting playbook, prioritizing exposed industrial assets over sophisticated intrusion chains. Recent activity indicates a shift from defacement and signaling toward direct process interference, increasing the risk of real-world operational impact during periods of geopolitical tension.

Verticals Targeted: Cryptocurrency, Gaming, Social Messaging, Enterprise Systems
Regions Targeted: Russia
Related Families: WebRAT (aka Salat Stealer)

Executive Summary

CrystalX RAT is a newly identified malware-as-a-service (MaaS) platform combining traditional remote access, credential theft, and surveillance capabilities with disruptive prankware features, signaling a shift toward multi-purpose, user-impacting cybercrime tooling. It has been observed targeting consumer endpoints, cryptocurrency users, gaming and messaging platforms, and general enterprise users across Russia, with the potential for global reach.

Verticals Targeted: Healthcare
Regions Targeted: US

Executive Summary

Iran-linked cyber threats have elevated risk across the US healthcare sector, driven by the disruptive March 11 attack on Stryker, increased geopolitical tensions, and explicit warning signals from government and industry. A CISA acting director threat brief identifies healthcare as an actively targeted and highly exposed civilian sector, while vendor reporting links recent disruptive activity to MOIS-affiliated actors operating under personas such as Handala. Although widespread direct intrusions into hospitals have not been publicly confirmed, the convergence of supplier disruption, proxy activity, and sector vulnerabilities creates a credible near-term threat environment for healthcare entities and their supporting ecosystem.