The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Iranian Threat Actor Nimbus Manticore Expands Wartime Cyber Operations with AI-Assisted Malware and SEO Poisoning

Jun 1, 2026 3:01:24 PM / by The Hivemind posted in Threat Bulletin, IRGC cyber operations, Nimbus Manticore, MiniJunk malware, UNC1549, MiniFast malware, AppDomain Hijacking, Iranian cyber threats, aviation cyber threats, SEO poisoning

Verticals Targeted: Aviation, Defense, Telecommunications, Software Development, Government
Regions Targeted: US, Israel, UAE, Saudi Arabia, Western Europe, Middle East, Africa
Related Threat Actors: Nimbus Manticore
Related Families: MiniJunk, MiniFast

Executive Summary

IRGC-affiliated threat actor Nimbus Manticore significantly expanded its operational capabilities during the ongoing 2026 Middle East conflict, introducing a new backdoor dubbed MiniFast alongside advanced delivery mechanisms including AppDomain Hijacking, scheduled task abuse, and SEO poisoning. The campaign has targeted aviation, software, defense, and telecommunications organizations across the US, Europe, and the Middle East using phishing lures, Trojanized software installers, and stealth-focused persistence techniques designed to blend into legitimate enterprise activity.

Lazarus Expands Financial Espionage Operations With Memory-Resident RemotePE RAT

May 29, 2026 3:21:34 PM / by The Hivemind posted in Threat Bulletin, Lazarus Group, RemotePE, RemotePELoader, North Korea cyber threat, cryptocurrency malware, DPAPILoader

Verticals Targeted: Financial, Cryptocurrency
Related Threat Actors: Lazarus
Related Families: DPAPILoader, RemotePELoader, RemotePE

Executive Summary

Researchers identified a sophisticated Lazarus-linked malware ecosystem composed of DPAPILoader, RemotePELoader, and RemotePE, a chained toolset designed for stealth, persistence, and long-term access in high-value financial and cryptocurrency environments. The malware leverages DPAPI-based environmental keying, direct syscall techniques, ETW suppression, and memory-only payload execution to minimize forensic visibility and evade modern endpoint defenses.

Kazuar Evolves From Backdoor to Resilient Espionage Ecosystem

May 22, 2026 1:13:22 PM / by The Hivemind posted in Threat Bulletin, Venomous Bear, Turla, Kazuar malware, Secret Blizzard, Russian cyber espionage, modular malware, Microsoft threat intelligence, espionage malware, FSB cyber operations, Kazuar loader

Verticals Targeted: Government, Defense, Diplomatic Organizations, Research Institutions
Regions Targeted: Europe, Central Asia, Ukraine
Related Threat Actors: Secret Blizzard (aka Turla, Venomous Bear)
Related Families: Kazuar, Pelmeni

Inside TeamPCP’s Supply Chain Offensive

May 18, 2026 1:56:30 PM / by The Hivemind posted in Threat Bulletin, Supply Chain Attack, CI/CD compromise, TeamPCP, Software Supply Chain Security, npm poisoning, GitHub Actions compromise, PyPI malware, AI infrastructure security

Verticals Targeted: Technology, Artificial Intelligence, Cloud, Software Development
Regions Targeted: US, Europe, Global
Related Threat Actors: TeamPCP
Related Families: Mini Shai-Hulud

Executive Summary

A coordinated software supply chain campaign linked to TeamPCP has demonstrated how modern CI/CD ecosystems can be weaponized to distribute malicious code, harvest developer credentials, and potentially enable broader downstream compromise. Recent operations tied to the actor targeted trusted software distribution infrastructure across GitHub Actions, PyPI, Docker Hub, VS Code/OpenVSX, and npm ecosystems through poisoned packages, malicious workflows, and compromised release mechanisms.

SHADOW-EARTH-053 Uses Legacy Exchange Exploitation to Target Asia-Pacific Governments

May 15, 2026 2:02:38 PM / by The Hivemind posted in Threat Bulletin, APT41, ShadowPad, Cybersecurity, government targeting, CyberEspionage, ChinaAPT, ExchangeServer, ProxyLogon, ThreatIntelligence, ShadowEarth053

Verticals Targeted: Government, Defense, Technology, Transportation, Critical Infrastructure
Regions Targeted: South Asia, Southeast Asia, East Asia
Related Families: ShadowPad, GODZILLA, NOODLERAT, IOX, GOST, Wstunnel, RingQ, VShell

Executive Summary

A newly identified China-aligned cyberespionage campaign tracked as SHADOW-EARTH-053 is targeting government agencies, defense-adjacent contractors, and critical infrastructure organizations across Asia through exploitation of unpatched Microsoft Exchange and IIS vulnerabilities. The operation relies heavily on legacy Exchange flaws, web shell persistence, ShadowPad malware deployment, credential theft, and covert tunneling infrastructure to maintain long-term access within victim environments. The campaign demonstrates that older but still-exploitable enterprise infrastructure continues to provide reliable access opportunities for state-aligned espionage operators and reinforces the operational importance of proactive detection, behavioral monitoring, and layered telemetry visibility.

DAEMON Tools Backdoor Enables Targeted Follow-On Malware Operations

May 11, 2026 3:03:25 PM / by The Hivemind posted in Threat Bulletin, Supply Chain Attack, PowerShell malware, Chinese threat actors, DAEMON Tools, QUIC RAT, Trojanized Installer, Software Supply Chain Security, Backdoor Malware

Verticals Targeted: Government, Scientific Research, Manufacturing, Retail, Education
Regions Targeted: Russia, Belarus, Thailand, Brazil, Turkey, Spain, Germany, France, Italy, China
Related Families: QUIC RAT

Executive Summary

A large-scale supply chain compromise involving the widely used DAEMON Tools software platform has exposed organizations and consumers to malicious payload deployment through digitally signed installers distributed from the vendor’s legitimate infrastructure. The attack, active since at least April 8, 2026, involved trojanized versions of DAEMON Tools containing embedded backdoors capable of downloading and executing additional malware. While thousands of infection attempts were observed globally, the operation appears selectively targeted, with advanced payloads deployed against a small subset of victims.

AI Agents: the New Shadow IT

May 5, 2026 1:41:07 PM / by PolySwarm Team posted in Cybersecurity, AI Agents, Zero Trust, AI Security, Security Risk, Threat Detection, Enterprise Security

Executive Summary

65% of organizations report experiencing at least one AI agent-related security incident in the past year. That’s not a projection. It’s a warning about the future. And it’s already happening.

Critical Condition: The 2026 Healthcare Cyber Threat Landscape

May 4, 2026 2:15:01 PM / by The Hivemind posted in Threat Bulletin, .NET DNS Backdoor, healthcare data breaches, healthcare cybersecurity, ransomware healthcare, medical device cybersecurity, Iran cyber threat healthcare, hospital cyber attacks, healthcare supply chain attacks

Verticals Targeted: Healthcare
Regions Targeted: US, Global
Related Families & Threat Actors: Lynx, ANUBIS, Rhysida, LockBit, ALPHV/BlackCat, Qilin, Medusa, The Gentleman, Payload, NetRunner, Genesis, ShinyHunters, Pay2Key, Handala

Executive Summary

Healthcare remains the most targeted critical infrastructure sector for cyberattacks, driven by ransomware, large-scale data theft, and increasing geopolitical activity. In 2026, threat activity reflects a convergence of ransomware operators, data extortion groups, and Iran-linked cyber operations, significantly increasing risk to healthcare delivery, patient safety, and supply chain stability.
