Verticals Targeted: Government, Defense, Technology, Transportation, Critical Infrastructure
Regions Targeted: South Asia, Southeast Asia, East Asia
Related Families: ShadowPad, GODZILLA, NOODLERAT, IOX, GOST, Wstunnel, RingQ, VShell
SHADOW-EARTH-053 Uses Legacy Exchange Exploitation to Target Asia-Pacific Governments
May 15, 2026 2:02:38 PM / by The Hivemind posted in Threat Bulletin, APT41, ShadowPad, Cybersecurity, government targeting, CyberEspionage, ChinaAPT, ExchangeServer, ProxyLogon, ThreatIntelligence, ShadowEarth053
DAEMON Tools Backdoor Enables Targeted Follow-On Malware Operations
May 11, 2026 3:03:25 PM / by The Hivemind posted in Threat Bulletin, Supply Chain Attack, PowerShell malware, Chinese threat actors, DAEMON Tools, QUIC RAT, Trojanized Installer, Software Supply Chain Security, Backdoor Malware
Verticals Targeted: Government, Scientific Research, Manufacturing, Retail, Education
Regions Targeted: Russia, Belarus, Thailand, Brazil, Turkey, Spain, Germany, France, Italy, China
Related Families: QUIC RAT
Executive Summary
A large-scale supply chain compromise involving the widely used DAEMON Tools software platform has exposed organizations and consumers to malicious payload deployment through digitally signed installers distributed from the vendor’s legitimate infrastructure. The attack, active since at least April 8, 2026, involved trojanized versions of DAEMON Tools containing embedded backdoors capable of downloading and executing additional malware. While thousands of infection attempts were observed globally, the operation appears selectively targeted, with advanced payloads deployed against a small subset of victims.
AI Agents: the New Shadow IT
May 5, 2026 1:41:07 PM / by PolySwarm Team posted in Cybersecurity, AI Agents, Zero Trust, AI Security, Security Risk, Threat Detection, Enterprise Security
Executive Summary
65% of organizations report experiencing at least one AI agent-related security incident in the past year. That’s not a projection. It’s a warning about the future. And it’s already happening.
Critical Condition: The 2026 Healthcare Cyber Threat Landscape
May 4, 2026 2:15:01 PM / by The Hivemind posted in Threat Bulletin, .NET DNS Backdoor, healthcare data breaches, healthcare cybersecurity, ransomware healthcare, medical device cybersecurity, Iran cyber threat healthcare, hospital cyber attacks, healthcare supply chain attacks
Verticals Targeted: Healthcare
Regions Targeted: US, Global
Related Families & Threat Actors: Lynx, ANUBIS, Rhysida, LockBit, ALPHV/BlackCat, Qilin, Medusa, The Gentleman, Payload, NetRunner, Genesis, ShinyHunters, Pay2Key, Handala
Executive Summary
Healthcare remains the most targeted critical infrastructure sector for cyberattacks, driven by ransomware, large-scale data theft, and increasing geopolitical activity. In 2026, threat activity reflects a convergence of ransomware operators, data extortion groups, and Iran-linked cyber operations, significantly increasing risk to healthcare delivery, patient safety, and supply chain stability.
Turbulence Ahead: Cyber Threats Targeting Aviation and Aerospace in 2026
May 1, 2026 1:21:29 PM / by The Hivemind posted in Threat Bulletin, aviation ransomware, aviation supply chain attack, aviation cybersecurity, aerospace cybersecurity, airline cyber threats, identity-based cyber attack, GNSS spoofing aviation, airport cyberattack
Verticals Targeted: Aviation, Aerospace
Regions Targeted: US, Global
Related Threat Actors: Scattered Spider, Refined Kitten, Wicked Panda, Fancy Bear
Related Families: Qilin, LockBit, Cl0p
Executive Summary
Cyber risk in the aviation and aerospace sector is evolving toward ransomware, identity-based intrusion, platform-level disruption, and potential impacts to navigation and satellite-dependent services. Recent reporting on airport disruption in April 2026, combined with the confirmed 2025 Collins Aerospace/MUSE ransomware incident, shows how cyber incidents can rapidly affect passenger processing, baggage handling, scheduling, and broader aviation continuity.
The Gentlemen RaaS and SystemBC Activity Observed in Enterprise Intrusions
Apr 27, 2026 2:06:10 PM / by The Hivemind posted in Threat Bulletin, Ransomware, RaaS, Cobalt Strike, SystemBC, lateral movement, enterprise compromise, GPO abuse, proxy malware
Verticals Targeted: Enterprise Networks
Regions Targeted: US, UK, Germany
Related Families: SystemBC, Cobalt Strike
Executive Summary
The Gentlemen ransomware-as-a-service (RaaS) operation has rapidly scaled in early 2026, leveraging multi-platform encryption capabilities and enterprise-focused intrusion techniques. Recent DFIR analysis shows affiliates using tools such as SystemBC and Cobalt Strike to establish covert access, pivot laterally, and deploy ransomware at scale via Group Policy, enabling rapid domain-wide encryption events. The Gentlemen has been observed targeting enterprise networks primarily in the US, UK, and Germany.
ZionSiphon: OT-Focused Malware Highlights Emerging Risk to Water Infrastructure Systems
Apr 24, 2026 3:01:13 PM / by The Hivemind posted in Threat Bulletin, Ransomware, Cobalt Strike, SystemBC, Emerging Threat, lateral movement, post-exploitation, enterprise compromise, GPO abuse, proxy malware, credential access, TheGentlemen
Verticals Targeted: Water, Critical Infrastructure
Regions Targeted: Israel
Executive Summary
ZionSiphon is an OT-focused malware sample designed to identify and interact with water treatment and desalination environments. It was used to target water treatment systems in Israel. Although the analyzed version appears partially non-functional, it demonstrates ICS-aware targeting, industrial protocol interaction, and politically motivated intent. The sample provides insight into evolving adversary interest in manipulating systems that underpin critical infrastructure operations.
Iran-Linked PLC Exploitation Expands Across US Critical Infrastructure
Apr 17, 2026 2:14:36 PM / by The Hivemind posted in Threat Bulletin, Iran cyber attacks, PLC exploitation, Iranian hackers critical infrastructure, Rockwell PLC vulnerability, Allen Bradley cyber attack, SCADA manipulation, water infrastructure cyber attack, OT cybersecurity threat
Verticals Targeted: Critical Infrastructure, ONG, Electricity, Water, Government
Regions Targeted: US
Related Threat Actors: CyberAv3ngers, Static Kitten, Refined Kitten, Helix Kitten, Banished Kitten