Your car knows where you go, how fast you drive, how hard you brake, and what time you get home at night. And in millions of cases, your car manufacturer has been quietly selling that information to data brokers, who pass it to insurance companies, who use it to raise your premiums.

You probably did not agree to this. You may not even know it is happening. 82% of connected car drivers have no idea how much data their vehicle collects. The FTC just took action against General Motors for doing exactly this. And GM is far from the only brand involved.

What Happened?

On January 14, 2026, the Federal Trade Commission finalized a consent order against General Motors and its OnStar subsidiary. The FTC found that GM had been collecting detailed driving behavior data from more than 14 million vehicles and selling it to data brokers, specifically Verisk Analytics and LexisNexis Risk Solutions. Those data brokers then made the information available to insurance companies.

The data was granular. OnStar recorded precise geolocation every 3 seconds, hard braking, hard acceleration, speeding (anything over 80 mph was flagged), late-night driving patterns, trip times, and seatbelt usage. GM earned approximately $20 million from selling this data. Honda sold similar data for about $0.26 per car. The financial incentive for the manufacturer is modest. The financial impact on the driver can be anything but.

Your car is not the only device in your life with this problem. Smart TVs, fitness trackers, doorbell cameras, thermostats, and yes, even smart refrigerators collect data about your daily habits and routines. Your car just happens to be the one the FTC caught selling it to your insurance company. The principle is the same across every connected device you own: if it is connected to the internet, it is collecting data. The question is who else is seeing it.

What Happened to Real People

When the New York Times investigated in 2024, they found consumers whose insurance premiums had increased by 21% and 80% after their driving data was shared without their knowledge. One driver reported being rejected by seven insurers. Another discovered a 258-page LexisNexis report documenting every trip they had taken for months.

A 2024 study found that only 31% of drivers who participated in telematics programs (voluntarily or not) saw lower premiums. 24% paid more. The rest saw no change, meaning the data collection provided no benefit to them but still created a permanent record of their driving behavior in a third-party database.

Why Should You Care?

This affects most people who drive a car manufactured in roughly the last decade. The Mozilla Foundation evaluated 25 major car brands for privacy in 2023. Every single one failed. Mozilla called cars “the worst product category for privacy we have ever reviewed.” For example, Nissan’s privacy policy claims the right to collect “sexual activity” and “genetic data.” Most brands reserve the right to share data with law enforcement without a warrant.

• 82% of connected car drivers don’t know how much data their car collects

• 40% don’t even know they have connected services active in their vehicle

• 96% of consumers say they should own the data their car generates

• A modern connected car transmits 1 to 1.5 gigabytes per day to the manufacturer’s cloud

How Does This Work?

Think of your car as a smartphone on wheels. It has a cellular connection, a GPS receiver, and dozens of sensors. Every time you drive, the car records where you went, how you got there, and how you drove along the way. That data is transmitted to the manufacturer through the car’s built-in cellular connection.

Historically, this data was used for services like navigation, crash detection, and remote diagnostics. Those are legitimate functions. The problem is that manufacturers began selling the same data to third parties, particularly data brokers who aggregate driving records and sell “risk profiles” to insurers.

Here is how the pipeline works:

1. Your car collects driving data (speed, braking, location, time of day) and transmits it to the manufacturer’s cloud.

2. The manufacturer sells or shares the data with a data broker like Verisk or LexisNexis.

3. The data broker builds a driving profile on you, which may include a risk score, trip history, and behavioral patterns.

4. Your insurance company purchases or accesses the profile and uses it to adjust your premium at renewal, sometimes without telling you why your rate changed.

The consent you gave was typically buried in the terms of service you accepted when you set up OnStar, FordPass, or Toyota Connected Services. The FTC found that GM’s enrollment process was designed to obscure the data-sharing, with consent bundled into multi-step flows that most consumers clicked through without reading.

Which Brands Are Doing This?

The brands that have been confirmed selling or sharing driving data with insurance-related data brokers include:

• General Motors (OnStar, sold to Verisk and LexisNexis)

• Honda (sold to Verisk)

• Hyundai (shared with Verisk)

• Kia (shared with LexisNexis)

• Subaru (shared with LexisNexis)

• Mitsubishi (shared with LexisNexis)

• Ford (shared with Verisk)

Verisk announced in early 2025 that it would stop collecting driving data from automakers. LexisNexis continues to operate its driving data program.

Toyota, Tesla, BMW, Mercedes-Benz, and other brands collect extensive driving data but the specifics of their third-party sharing arrangements are less well-documented. Their privacy policies broadly reserve the right to share data with “business partners” and “affiliates.”

What Can You Do?

Step 1: Find Out What Data Brokers Already Have on You

You have a legal right under the Fair Credit Reporting Act to request a free copy of your consumer file from data brokers. Two reports to request:

• LexisNexis Consumer Disclosure: consumer.risk.lexisnexis.com/request. This is the report that has documented 258-page driving histories for some consumers. Request it and see what they have.

• Verisk Consumer Report: fcra.verisk.com. Even though Verisk says they stopped collecting new data from automakers, they may still have your historical records.

Both reports are free. They take about 15 minutes to request and typically arrive within 30 days.

Step 2: Check Your Vehicle’s Privacy Settings

You can also check what your specific car is sharing using Privacy4Cars, a free tool at VehiclePrivacyReport.com. Enter your VIN and it tells you what data your car collects and shares.

Step 3: Opt Out of Data Sharing

Most manufacturers provide a way to opt out, though they do not make it easy. Here is how to do it for the most common brands:

• GM/OnStar: Call OnStar (1-888-466-7827) or go to your OnStar account settings and disable “Connected Vehicle Data Sharing.” Under the FTC consent order, GM must now provide clear opt-out mechanisms and honor deletion requests.

• Ford: Open the FordPass app, go to Settings, then Privacy, and disable data sharing. You can also call Ford customer service.

• Toyota: Call Toyota Connected Services (1-800-331-4331) and request deactivation of data sharing. You can also manage settings through the Toyota app.

• Honda: Call 1-800-999-1009 and request opt-out from data sharing programs.

• Tesla: Go to Controls > Software > Data Sharing on the touchscreen and toggle off.

• Hyundai/Kia: Call Hyundai (1-800-633-5151) or Kia (1-800-333-4542) and request opt-out. You can also manage through the Bluelink or Kia Connect apps.

A word of caution: opting out of data sharing may disable some connected features you use, like remote start, stolen vehicle tracking, or automatic crash notification. You will need to decide which features are worth the trade-off.

Step 4: Dispute Inaccurate Driving Data With Your Insurer

If you discover that a data broker has inaccurate driving data about you, or if your insurance premium increased and you suspect it was based on vehicle telematics data, you have the right to dispute it. Under the FCRA, both the data broker and the insurer must investigate disputes and correct inaccuracies. Contact your insurance company and ask directly: “Are you using telematics or driving behavior data in my rate calculation?”

Step 5: Wipe Your Data When You Sell Your Car

When you sell or trade in your vehicle, your personal data goes with it unless you manually remove it. Connected cars can store saved addresses (including your home and workplace), Wi-Fi passwords, contacts synced from your phone, garage door codes, credit card information from in-car payment systems, and your complete trip history.

Before handing over the keys:

1. Perform a factory reset through the car’s settings menu

2. Remove the car from your manufacturer account (OnStar, FordPass, Toyota app, etc.)

3. Un-pair your phone from the Bluetooth system

4. Delete your home address and saved locations from the navigation system

5. Remove any stored garage door opener codes

A Note on the Law

Three states have now banned this practice outright: Maryland (2024), Oregon (January 2026), and Virginia (effective July 2026). California imposed a $12.75 million CCPA penalty on GM, the largest CCPA penalty ever. The Texas Attorney General sued multiple automakers over data collection affecting 45 million Americans. There is no federal law prohibiting this. If you do not live in one of those three states, opting out directly with the manufacturer is your only protection.

One more thing: rental cars. Roughly 90% of rental vehicles have GPS tracking and store the data for months. When you return a rental, disconnect your phone from Bluetooth, delete your navigation history, and sign out of any accounts on the infotainment system.

The Bottom Line

Your car is one of the most prolific data collectors in your life, and until recently, most manufacturers were sharing that data without meaningful consent. The FTC’s action against GM is a start, but it only covers one company. The driving data that has already been collected and sold is sitting in broker databases and may already be influencing your insurance rates.

Four things to do to address this:

1. Request your LexisNexis report at consumer.risk.lexisnexis.com/request. Find out what they have on you. It is free.

2. Check your car’s privacy settings using VehiclePrivacyReport.com. Enter your VIN.

3. Opt out of data sharing through your manufacturer’s app or by calling them directly.

4. Ask your insurer whether they are using telematics or driving behavior data in your rate calculation.

You probably gave your car permission to do this when you tapped “Agree” on a screen during setup. Now you know what you agreed to. Share this with anyone who drives.

Sources

• FTC: Order settling GM/OnStar geolocation data allegations (January 14, 2026)

• Mozilla Foundation: Privacy Not Included, Cars (2023)

• New York Times: Carmakers Are Sharing Driver Data With Insurers (March 2024)

• LexisNexis: Consumer Disclosure Request

• Verisk: Consumer Report Request

• Privacy4Cars: Vehicle Privacy Report

• FTC: New Trends in Imposter Scams (May 7, 2026)

Prevent This is a weekly cybersecurity newsletter from Intruvent Technologies. Each week, we break down one cyber threat in plain language and give you the tools to protect yourself and the people you care about. For our bi-weekly technical deep dive, check out Intruvent Edge.

The Short Version

For the first time, a criminal hacking group used artificial intelligence to find a security flaw that nobody knew existed, write the code to exploit it, and deploy that code against real targets. The AI tool handled the entire exploit lifecycle by itself. Google’s security team caught it, worked with the affected software vendor to fix the flaw, and shut the operation down.

This matters because it changes the math on how quickly attackers can move. Finding and exploiting unknown security flaws used to require deep expertise and significant time. AI compresses both. If you run a business, manage IT infrastructure, or make decisions about technology risk, this article explains what happened, what it means, and what you should be paying attention to going forward.

Some Quick Definitions

Before we go further, a few terms that will come up throughout:

• Zero-day: A security flaw in software that the software maker does not yet know about. The name comes from the idea that developers have had “zero days” to fix it. These are the most dangerous type of vulnerability because there is no patch available when attackers start using them.

• Exploit: A piece of code designed to take advantage of a specific flaw. Think of the flaw as an unlocked window. The exploit is the burglar who knows exactly which window and how to climb through it.

• Two-factor authentication (2FA): The second verification step when you log in, typically a code sent to your phone or generated by an app. The flaw in this case allowed attackers to skip that second step entirely.

• CVE: A standardized ID number assigned to known security flaws, like a case number. When the security community refers to “CVE-2026-31431,” everyone knows exactly which flaw is being discussed.

• APT (Advanced Persistent Threat): A government-sponsored hacking team. These are professional, well-funded groups that conduct cyber operations on behalf of nation-states. They are named and tracked by the security industry the way intelligence agencies track foreign operatives.

What Happened

On May 11, 2026, Google’s Threat Intelligence Group (their security research division, often shortened to GTIG) published a report tracking how threat actors are using AI. Among dozens of findings, one stood out: a criminal hacking group used an AI model to discover a previously unknown security flaw and write a working exploit for it.

The exploit is a Python script that bypasses two-factor authentication on a popular, widely used system administration tool. The underlying flaw is a hard-coded trust assumption in the software’s login process. In plain terms: the software was programmed to trust certain login attempts automatically, skipping the second verification step. The AI found that blind spot and wrote the code to walk through it.

Google identified the exploit in active use, coordinated with the software vendor to get the flaw patched, and disrupted the operation before it could spread further.

How Did Google Know AI Was Involved?

The exploit code contained telltale signs of AI authorship, the digital equivalent of a forged painting that uses pigments that did not exist when the original was supposedly created. Specifically:

• Excessive documentation: The code included detailed explanatory notes throughout, the kind a teacher would write for a student. Real attackers do not document their exploits. They want their code to be hard to understand, not easy.

• A fabricated severity score: The code included a CVSS score (a standardized severity rating, like a hurricane category for software flaws) that the AI made up. The score did not correspond to any real entry in the vulnerability database.

• Textbook code structure: The code was organized with a precision and readability that prioritized clarity over stealth. Human exploit developers optimize for evasion. AI optimizes for correctness.

• Built-in help menus: The exploit included usage instructions. No human attacker builds a help menu into their attack tool.

Google stated there was no evidence that its own Gemini AI was used, and assessed with high confidence that an AI model was involved. The specific model and the specific group remain undisclosed.

Three Findings, Three Actors: Getting the Story Right

Several publications reported this story as “North Korea used AI to build a zero-day.” That is not what Google said. The GTIG report contains three distinct findings involving three different groups doing three different things. Conflating them creates a misleading picture. Here is what actually happened:

Finding 1: The AI-generated zero-day. An unnamed group of cybercrime actors used an AI model to discover a zero-day and write a working exploit. Google caught it in active use and shut it down. The group, the model, and the target product remain undisclosed. This is the headline finding.

Finding 2: North Korea’s APT45 using AI to research vulnerabilities at scale. Separately, Google found that a North Korean government hacking team called APT45 (also known as Andariel) sent “thousands of repetitive prompts” to AI models, asking them to analyze known security flaws and validate whether existing proof-of-concept exploits actually work. Think of it as using AI to do the research grunt work: reading thousands of vulnerability reports and testing whether the published attack code is functional. This is a serious capability, but it is vulnerability research, not zero-day creation. APT45 did not produce the AI-generated zero-day in Finding 1.

Finding 3: China’s APT27 using AI to build operational tools. A Chinese government hacking team called APT27 (also known as Threat Group-3390) used Google’s Gemini to write a fleet management application for their proxy network. A proxy network is a series of relay points that attackers route their traffic through to hide their real location, like forwarding mail through multiple PO boxes so the return address cannot be traced. APT27 used AI to build the software that manages those relay points. This is software engineering, not exploit development.

The distinction matters. One unnamed criminal group created an AI-generated zero-day. A North Korean government team is using AI to accelerate vulnerability research. A Chinese government team is using AI to build infrastructure tools. All three are significant. None of them should be described as the same thing.

Why This Matters

The security industry has debated whether AI would be used for exploit development since ChatGPT launched in late 2022. That debate is settled. The question now is how fast this scales.

Three dynamics make this consequential for anyone who manages technology risk:

1. The Clock Is Faster Now

When a security flaw is discovered and publicly disclosed, a race begins. Defenders race to install the patch. Attackers race to build an exploit before the patch is applied. Historically, building a working exploit took days to weeks of skilled manual work. AI compresses that timeline.

In April, a security research team demonstrated this directly: they used AI-assisted analysis to turn a newly disclosed Linux kernel vulnerability (the “Copy Fail” flaw we covered in our April 30 newsletter) into a complete attack chain in approximately one hour. Google’s finding confirms that criminal groups are achieving similar speeds.

For organizations that patch on a monthly cycle, this is a problem. When the time from disclosure to exploit drops from weeks to hours, a monthly patch schedule means spending most of the month exposed.

2. The Expertise Barrier Is Lower

Building exploits used to require rare, specialized skills. Google’s report describes APT45’s approach as “thousands of repetitive prompts” rather than sophisticated engineering. That is not an elite technique. It is a volume play, like running a thousand internet searches instead of crafting one perfect query.

The AI artifacts in the zero-day exploit (the help menus, the documentation, the fabricated severity score) suggest the developer leaned heavily on the AI’s raw output rather than refining it. That implies someone with moderate technical skills, not a world-class exploit developer, produced a working zero-day with AI assistance.

The analogy in other fields: it is the difference between needing a board-certified specialist for a procedure versus a general practitioner with the right diagnostic tool. The tool does not replace expertise entirely, but it lowers the bar for who can produce a competent result.

3. The Trajectory Is Clear and Accelerating

Google has now published three AI Threat Tracker reports. Each one documents capabilities that were theoretical in the previous edition:

• Early 2024: Attackers used AI mostly for writing phishing emails and generating basic code. Think of this as using AI as a research assistant.

• November 2025: Google discovered experimental malware called PROMPTFLUX that queried an AI model to rewrite its own code hourly, changing its appearance to avoid detection. The malware was still in testing, but it proved the concept of using AI as a live mutation engine.

• April 7, 2026: Anthropic (the company behind the Claude AI) disclosed that its Mythos model discovered over 2,000 previously unknown security flaws in seven weeks during internal testing, including bugs that had gone undetected for 17 and 27 years. Anthropic restricted Mythos’s release because of its offensive potential.

• May 11, 2026: Google confirmed the first AI-assisted zero-day exploit used in a real-world criminal operation.

Each milestone arrived faster than the previous one. The gap between Anthropic’s controlled testing disclosure and a real-world AI-generated exploit in the wild was approximately one month.

What Else Was in the Report

The zero-day was the headline, but Google’s full report documents AI being integrated across every phase of cyberattack operations:

• Autonomous phone malware: Android malware called PROMPTSPY uses an AI model to navigate a phone’s screen and replay biometric data without human guidance. This is malware that can operate your phone by itself.

• AI-generated decoy documents: Russian-linked actors are using AI to produce convincing fake documents for phishing campaigns targeting Ukraine. AI makes the lure material faster and more believable at scale.

• AI voice cloning for impersonation: A pro-Russia influence operation used AI-generated voice clones to impersonate journalists.

• Software supply chain attacks: A group called TeamPCP compromised popular security scanning tools (Trivy, Checkmarx, LiteLLM), affecting over 1,000 business software environments.

• Autonomous reconnaissance: Chinese actors deployed AI-powered tools called Hexstrike and Strix that can scan and map target networks without human direction.

The pattern is consistent. AI is not being used for one thing. It is being used for everything: research, reconnaissance, exploit development, malware creation, phishing, impersonation, and infrastructure management.

The Actors Behind This

APT45 / Andariel (North Korea)

APT45 is a hacking team that operates under North Korea’s military intelligence agency, the Reconnaissance General Bureau. The security industry also tracks them as Andariel, Silent Chollima, and Onyx Sleet. They are a sub-unit of the Lazarus Group, the umbrella organization behind North Korea’s most prominent cyber operations (Intruvent Codex; MITRE ATT&CK G0138).

APT45 has been active since at least 2015. Their primary mission is generating revenue for North Korea’s weapons programs through ransomware, cryptocurrency theft, and extortion. They target defense contractors, financial institutions, and government agencies. They have also targeted hospitals with ransomware (the Maui campaign) and conducted espionage against nuclear research programs.

Google’s report reveals that APT45 is now using AI at an industrial scale to analyze security flaws and test whether published exploits actually work. Their approach (sending thousands of repetitive prompts, using automated testing tools in practice environments) suggests they have built AI into their standard research workflow. This is not an experiment. It is how they operate now.

APT27 / Threat Group-3390 (China)

APT27 is a Chinese government espionage group that has been active since at least 2010. The security industry tracks them under a long list of names: Threat Group-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and LuckyMouse (Intruvent Codex; MITRE ATT&CK G0027). The US Department of Justice indicted members of the group in 2020.

APT27 is one of the more technically sophisticated state-sponsored groups. The Intruvent Codex maps them to 57 distinct attack techniques and 24 malware families. They target defense, government, energy, manufacturing, and technology organizations.

Google’s finding that APT27 used Gemini to build a proxy network management tool is significant because it shows AI being used for operational plumbing, not just flashy capabilities. They needed a piece of software to manage their network of relay servers (which disguise the origin of their attacks by routing traffic through multiple hops, including consumer-grade 4G/5G connections). Instead of writing it from scratch, they had an AI build it. It is the cyber equivalent of hiring a contractor through an app instead of building the addition yourself.

What Should Organizations Do?

Patch Faster

If your organization patches software on a monthly cycle, this report is a signal to reassess. When AI can analyze a published security flaw and produce an exploit in hours, a 30-day patch window means spending most of the month with a known, exploitable weakness. For systems that face the internet (web servers, VPNs, email gateways, login portals), the target should be patching critical flaws within 24 to 72 hours of disclosure, not 30 days.

Know What AI-Written Exploits Look Like

The AI fingerprints Google identified (excessive documentation, fabricated severity scores, textbook code structure, help menus) are a temporary detection opportunity. If your security team investigates an incident and finds exploit code on a compromised system, these patterns can help determine whether AI was involved. Think of it like identifying a counterfeiter: the first generation of AI-generated exploits has tells that experienced analysts can spot. Those tells will fade as attackers learn to clean up after their AI, but right now, they are useful.

Audit Your Two-Factor Authentication

The specific zero-day exploited a flaw in how a product implemented two-factor authentication. The software had a built-in exception that trusted certain login attempts without requiring the second step. These kinds of shortcuts are common in software development (they make testing easier, or they accommodate legacy systems), and they are exactly the kind of subtle flaw that AI is good at finding.

Ask your IT team or security vendor: are there any conditions under which our two-factor authentication can be bypassed? Is there a fallback path that skips the second factor? Are there API endpoints (programmatic access points) that do not enforce it?

Prepare for More Exploits, Faster

APT45’s “thousands of repetitive prompts” approach is a preview. When vulnerability research becomes a volume game played by AI, the number of working exploits for known flaws will increase and the time between a flaw being disclosed and an exploit being available will decrease. Your security team should be planning for a world where every major vulnerability has a working exploit within days of disclosure, not weeks or months.

The Bigger Picture

The security industry has spent three years debating whether AI would be used to build cyberweapons. Google’s report ends that debate. It is happening. The first AI-assisted zero-day was caught in active use. The next one may not be caught at all.

The trajectory from Anthropic’s controlled disclosure of 2,000+ AI-discovered flaws in April to a real-world AI-generated exploit in May is a one-month gap. The trajectory from APT45’s brute-force approach to something more refined is measured in AI model generations, not years. The models themselves are improving faster than defensive tooling is adapting.

There is a silver lining. The exploit Google caught was identifiable precisely because AI leaves fingerprints that human developers do not. The help menus, the documentation, the fabricated scores: these are artifacts of an AI trying to be helpful in a context where helpfulness is a tell. That detection window is real, but it is closing. As models improve and attackers learn to strip the artifacts, the fingerprints will fade.

For decision-makers, the takeaway is straightforward: the speed and scale at which attackers can find and exploit security flaws just changed. The organizations that adapt their patching speed, their detection capabilities, and their risk models to reflect this new reality will be in a stronger position than those that treat it as a future problem. The future arrived last Sunday.

Sources

• The Hacker News: Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation (May 11, 2026)

• Google Threat Intelligence Group, AI Threat Tracker, Third Edition (May 11, 2026)

• The Hacker News: Google Uncovers PROMPTFLUX Malware That Uses Gemini AI to Rewrite Its Code Hourly (November 5, 2025)

• The Hacker News: Anthropic’s Claude Mythos Finds Thousands of Zero-Day Flaws(April 7, 2026)

• Intruvent Technologies, Golden CTI Database (Codex): Andariel (G0138), Threat Group-3390 (G0027), Lazarus Group (G0032), queried May 14, 2026

• MITRE ATT&CK: Andariel (G0138), Threat Group-3390 (G0027)

• Xint Code: Copy Fail, 732 Bytes to Root (April 29, 2026)

You know the drill. You get a suspicious email, you check the sender address, and if it looks fake, you delete it. That one simple habit has protected millions of people from phishing scams for years.

It doesn’t work anymore.

Scammers have figured out how to send phishing emails that genuinely come from Apple’s own servers. The sender address is real. The email authentication checks all pass. Your spam filter waves it right through. And the message inside tells you that someone just bought an $899 iPhone with your Apple account.

Your heart rate spikes. You call the number in the email. And now you’re talking to a scammer.

What Happened?

In April 2026, security researchers at BleepingComputer and Malwarebytes documented a phishing technique that abuses Apple’s own notification system to deliver scam emails from Apple’s legitimate email address: appleid@id.apple.com.

These emails are not spoofed. They are not faked. They are real Apple notifications, triggered by real Apple systems, delivered from real Apple servers. Every email authentication check (SPF, DKIM, DMARC, for the technically curious) passes with flying colors. Gmail, Outlook, Yahoo, and every other email provider treat them as legitimate because they are.

The scam has already cost people real money. Dorothy, a woman in her 60s, received one of these emails in early April. A scammer who already knew her personal details convinced her over the phone that her accounts had been compromised. He coached her through a series of steps and told her to drive to the bank to withdraw $15,000. A bank teller recognized the signs and intervened before Dorothy handed over the cash.

Not everyone is that lucky.

Why Should You Care?

• Apple has 2.5 billion active devices worldwide. If you own an iPhone, iPad, Mac, or Apple Watch, you are a potential target.

• Apple is now the #2 most impersonated brand in phishing attacks, accounting for 11% of all phishing attempts in Q1 2026 (Check Point Research).

• At least five distinct Apple scam campaigns were running concurrently in April 2026.

• Tech support scams (the category this falls into) cost Americans $924.5 million in 2023 alone (FTC). Vishing (voice phishing) attacks increased 442% in 2024.

• Apple has not acknowledged or patched the flaw that makes this possible.

How Does This Work?

Think of Apple’s notification system like an automated receptionist. When you update your account information, the receptionist sends you a polite confirmation email: “Hi [Your Name], your Apple Account was updated.”

The receptionist doesn’t check what your name actually says. It just reads whatever is in the name field and puts it in the email.

Scammers figured this out. Here’s what they do:

1. Create a new Apple ID using a throwaway email address.

2. Set the first name to something like: “User 899 USD iPhone Purchase Via”

3. Set the last name to something like: “Pay-Pal To Cancel Call 1-802-353-0761”

4. Change the shipping address on the account. This triggers Apple’s automated notification system.

5. Apple’s servers dutifully send out an email that reads: “Dear User 899 USD iPhone Purchase Via Pay-Pal To Cancel Call 1-802-353-0761, your Apple Account was used to sign in...”

The email lands in your inbox looking like a legitimate Apple alert. Because it is one. The scam message is smuggled inside Apple’s own greeting line.

If you call the number, you reach a scammer running a tech support con. They will tell you your account has been compromised. They will ask you to install remote access software, hand over login credentials, or (like Dorothy’s case) withdraw cash.

The reason this works so well is that it weaponizes the one thing you were taught to trust: the sender address. Every guide, every tip sheet, every cybersecurity awareness training tells you to “check the sender.” When the sender is actually Apple, that advice breaks down.

What Can You Do?

Step 1: Never Call a Phone Number From an Email

This is the single most important rule. Apple will never put a phone number in an email and ask you to call it. Neither will your bank, the IRS, or any legitimate company. If an email includes a phone number and urgency, treat it as a scam by default. If you want to call Apple, go to support.apple.com and find the number yourself.

Step 2: Check Your Actual Purchases

If you get an email claiming someone bought a $899 iPhone with your account, do not click anything in the email. Instead:

• On your iPhone or iPad: Open Settings, tap your name at the top, tap Subscriptions or Media & Purchases. Check your purchase history directly.

• On a computer: Go to reportaproblem.apple.com and sign in. This shows every real purchase on your account.

• Check your bank or credit card statement. If there’s no $899 charge, there was no $899 purchase. Close the email.

Step 3: Read the Email Carefully

Even though these emails come from a real Apple address, the scam text is stuffed into the greeting line. Legitimate Apple emails address you by your actual name. If the greeting reads like a sentence fragment about a purchase or a phone number to call, that is the tell. Real Apple notifications say “Dear [Your Name],” not “Dear User 899 USD iPhone Purchase Via Pay-Pal.”

Step 4: Turn On Two-Factor Authentication

If you have not already, enable two-factor authentication on your Apple account. This protects you even if a scammer somehow gets your password.

• iPhone/iPad: Settings → [Your Name] → Sign-In & Security → Two-Factor Authentication

• Mac: System Settings → [Your Name] → Sign-In & Security → Two-Factor Authentication

Step 5: Report It

Forward phishing emails to reportphishing@apple.com. Apple does investigate these reports, and enough reports from users may push them to fix the name-field vulnerability that makes this attack possible.

You can also report the scam to the FTC at reportfraud.ftc.gov.

The Bottom Line

“Check the sender address” used to be reliable advice. For this scam, the sender address is legitimate. The email is legitimate. The only thing that is fake is the message smuggled into the greeting line.

Three things to remember:

1. Never call a phone number from a suspicious email. Look up the number yourself.

2. Verify purchases directly. Check your account or your bank statement, not the email.

3. Read the greeting line. If your name looks like a sentence about a purchase, delete the email.

Apple has 2.5 billion devices in the world and has not yet fixed this flaw. Until they do, you are your own last line of defense. Share this with anyone who uses Apple products.

Sources

• BleepingComputer: Apple account change alerts abused to send phishing emails (April 2026)

• Malwarebytes: Real Apple notifications used to drive tech support scams (April 2026)

• Tom’s Guide: Scammers weaponizing Apple’s own notifications (April 2026)

• TechRepublic: Apple phishing scam, fake $899 iPhone purchase alert (April 2026)

• Fox News: Apple Pay scam nearly cost woman $15,000 (April 8, 2026)

• Check Point Research: Most impersonated brands Q1 2026

• Apple Support: Recognize and avoid phishing

• FTC: Impersonation scam losses

Prevent This is a weekly cybersecurity newsletter from Intruvent Technologies. Each week, we break down one cyber threat in plain language and give you the tools to protect yourself and the people you care about. For our bi-weekly technical deep dive, check out Intruvent Edge.

If your child has done homework online in the past few years, there is a good chance they used Canvas. It is one of the most widely used learning management systems in the country and the dominant platform in higher education, where it holds nearly 40% market share. Teachers post assignments on it. Students submit work through it. Parents log in to check grades. And last week, hackers broke into Canvas, stealing student data and school information.

The hackers claim the breach affects 275 million users across roughly 9,000 schools. Instructure, the company that owns Canvas, has confirmed the breach but has not confirmed those numbers. What we know for certain is that the stolen data includes names, email addresses, student IDs, and private messages. If you are reading this newsletter and have a school aged child, there is a real probability that your family’s data is in that pile.

Here is the good news: your passwords, Social Security numbers, and credit card information were almost certainly not taken. Here is the bad news: what the hackers did get might be more useful to them than you think.

What Happened?

On April 30, 2026, Instructure (the company that owns Canvas) detected service disruptions on their platform. By May 1, their Chief Information Security Officer confirmed that a criminal threat actor had breached their network. On May 3, a hacking group called ShinyHunters claimed responsibility, posting a sample of the stolen data on their leak site and giving Instructure until May 6 to respond before publishing everything.

ShinyHunters claims to have stolen 3.65 terabytes of data. TechCrunch independently verified a sample of the stolen data, confirming records from at least two U.S. schools (one in Massachusetts, one in Tennessee) containing names, email addresses, phone numbers, and student messages. ShinyHunters describes the message archive as “several billion” private messages exchanged between students, teachers, and parents within the Canvas platform.

This is not the first time Instructure has been hit. In September 2025, the same group, ShinyHunters, compromised Instructure’s Salesforce instance through social engineering. That breach exposed customer support data. This time, the attackers accessed the Canvas platform itself. Two breaches by the same group in eight months.

Instructure has confirmed the breach and published guidance at their security incident page. A law firm has already opened a class action investigation.

The Good News (What Was Not Taken)

Before the panic sets in, here is what Instructure says the hackers did not get:

• Passwords. Canvas did not store your child’s password in a way the attackers could access. Many school districts use what is called Single Sign-On (SSO), meaning students log into Canvas through their school’s Google or Microsoft account. Canvas never sees or stores that password. If your child logs into Canvas through a Google or Clever login page, their password was never in Canvas’s system to begin with. However, see the important caveat about student IDs below.

• Social Security numbers. Schools store SSNs in their Student Information Systems (PowerSchool, Infinite Campus, etc.), not in Canvas. Canvas is a learning tool, not an enrollment database.

• Financial information. Canvas does not process payments. If your school charges fees, that goes through a separate payment system.

• Dates of birth. Also stored in the student information system, not Canvas.

So the most sensitive categories of personal data appear to be out of scope. That matters, and it is worth taking a breath over.

One Important Caveat: Student IDs Are More Than ID Numbers

Here is where the “good news” gets complicated. In many school districts, especially K-12, the student ID number is not just an identifier. It is the username. Your child might log into Canvas, PowerSchool, the lunch payment system, the library catalog, and the school’s Chromebook with the same student ID as their username.

And in a lot of districts, particularly for younger students, the password is something the district assigned using a predictable pattern: the child’s birthday, their initials plus a number, or (in the worst cases) the student ID itself with a simple modification. Teachers have to manage 25 to 30 kids who forget their passwords constantly, so many districts default to something simple and consistent.

That means the exposed student ID might effectively be half the login credentials for every system your child’s school district uses. Not because Canvas stored passwords, but because the student ID is the key that unlocks the front door, and the password behind that door might be guessable if an attacker knows the district’s pattern.

This does not mean every student is at risk. Districts that use SSO through Google or Microsoft, where the child has a unique password managed through the district’s identity system, are in a much better position. But districts that still rely on student-ID-as-username with simple assigned passwords should be treating this breach as a credential exposure event, not just a data exposure event.

The Bad News (What Was Taken, and Why It Matters)

What the hackers did get is a different kind of valuable. Instructure confirmed the breach exposed:

• Names (student, teacher, and parent/observer names)

• Email addresses (institutional and, for parents, sometimes personal)

• Student ID numbers

• Private messages (conversations between students, teachers, and parents within Canvas)

On the surface, names and school email addresses might not sound alarming. But this data becomes dangerous when it is combined and used creatively. Here is what a motivated attacker can do with it:

1. Hyper-Targeted Phishing That Looks Like Your Child’s School

Imagine getting an email from what appears to be your child’s teacher: “Hi [your name], I noticed [your child’s name] hasn’t submitted their assignment for [actual class name]. Please log in to review their grade.” That email contains your real name, your child’s real name, and a real class. The link goes to a fake login page that steals your Google or Microsoft credentials.

This is the difference between a generic phishing email and one that references your actual life. Because the hackers have access to real messages, real class names, and real teacher names, they can build phishing emails that are nearly impossible to distinguish from legitimate school communications.

2. Social Engineering Parents

Armed with parent email addresses, student names, school names, and teacher names, a scammer can impersonate school administrators. “We are updating our payment system for school lunch accounts. Please verify your payment method.” The email comes with enough real details about your child’s school that it feels trustworthy.

3. Child Identity Theft (The Longer-Term Risk)

A child’s name and student ID number, combined with their school and approximate age, gives an identity thief a building block. To be clear: this data alone is not enough to open a credit card or take out a loan. That requires a Social Security number, which was not exposed in this breach. But it is one more piece in a puzzle that gets assembled over time as breaches accumulate, and children are attractive targets because nobody checks their credit for years.

Javelin Strategy & Research found that approximately 1 in 50 children (about 1.25 million kids) experience identity fraud each year in the United States, costing families roughly $1 billion annually. Most of that fraud involves someone the child knows, not a hacker with breach data. But for older students, especially college students whose names, school emails, and course information are now exposed alongside years of private messages, the risk profile is more direct. A college student’s identity is closer to fully formed and more immediately useful to a thief.

4. Private Message Exposure

Canvas stores every message sent between users on the platform. For college students, this could include conversations about academic struggles, accommodation requests, personal disclosures to advisors, or sensitive communications with professors. For younger students, the content may be less sensitive, but the principle remains: private conversations between children and their teachers were never meant to be public.

What Can You Do?

Step 1: Find Out If Your School Uses Canvas

If you are not sure, ask your school’s front office or check your child’s school website. Look for references to “Canvas,” “Instructure,” or a login link that goes to a .instructure.com domain. Canvas is used by roughly 4,000 K-12 districts and 5,000 colleges in the United States. Chances are reasonable that at least one school your family has interacted with uses it.

Step 2: Ask Your District How Your Child Logs In

This is the most important step and it takes one phone call or email. Contact your school’s front office or IT department and ask two questions:

1. “Does my child’s student ID serve as their username for any school systems?”

2. “Are student passwords assigned by the district using a standard pattern, or does each student set their own?”

If the answer to both is yes, the student IDs exposed in this breach are effectively half a set of login credentials. Ask the district to reset your child’s password across all systems and, if possible, move to a unique password that does not follow a predictable pattern. If your district uses Google or Microsoft SSO with individual passwords, you are in better shape, but change that password anyway.

Step 3: Change the Passwords Around Canvas

Even if Canvas passwords were not directly compromised, secure the accounts connected to your child’s school life:

• Your child’s school Google or Microsoft account. If their school uses SSO, this is the password that unlocks everything. Change it.

• Your parent portal account for your school district (PowerSchool, Infinite Campus, etc.). Change it.

• Your personal email if it is the same one linked to your parent/observer Canvas account.

If any of these passwords are reused across other sites, change those too.

Step 4: If the Student is 18+, Consider Freezing Credit (Good Practice, Not Urgent)

This breach did not expose Social Security numbers, so it does not give attackers what they need to open accounts in your child’s name right now. But a credit freeze is one of the best long-term protections against child identity theft from any source, and it is free. If you have not done this already, this is a reasonable time to take care of it.

For college students (18+): This is more directly relevant. Their identities are more fully formed and more immediately useful to a thief. They should freeze their own credit at all three bureaus:

• Equifax: equifax.com/personal/credit-report-services/credit-freeze

• Experian: experian.com/freeze/center.html

• TransUnion: transunion.com/credit-freeze

Step 5: Watch for Phishing Emails From “School”

For the next several months, treat any email that appears to come from your child’s school with extra caution, especially if it asks you to click a link, log in, update payment information, or download an attachment. If something looks off, call the school directly using the phone number from their website, not from the email.

This is especially true for end-of-year emails about report cards, summer programs, or registration for next year. Scammers will time their phishing to match the school calendar.

Step 6: Talk to Your Kids (Especially Teens and College Students)

Older students need to know that their Canvas messages may have been exposed. If your college student sent sensitive messages through Canvas (academic concerns, personal issues, accommodation requests), they should be aware that this information could surface. They should also watch for phishing emails impersonating their university and avoid clicking links in any email that references their courses by name.

A Note on FERPA

Student education records are protected under FERPA (the Family Educational Rights and Privacy Act). When those records are breached, your child’s school district holds the notification obligation, not Instructure. If your school uses Canvas, your district should be communicating with you about this breach and what they are doing about it. If they have not, ask them. You have a right to know.

The Bottom Line

The Canvas breach is real, large, and affects a population that deserves extra protection: children. The good news is that the most dangerous data categories (passwords, SSNs, financial info) were not part of it. The bad news is that the data that was taken (names, emails, student IDs, and private messages) gives attackers the raw material for highly convincing phishing campaigns targeting families.

Three things to do this week:

1. Be skeptical of school emails that ask you to click, log in, or pay, especially if they reference your child by name and class. That specificity is exactly what this breach enables. Call the school directly to verify.

2. Ask your district if your child’s student ID is used as a username, and whether passwords follow a standard pattern. If yes, request a password reset.

3. Change the passwords on your child’s school Google/Microsoft account and your parent portal.

This breach hit the system our kids use every single day. Share this with other parents at your school. They need to know.

Sources

• BleepingComputer: Instructure confirms data breach, ShinyHunters claims attack(May 2026)

• TechCrunch: Hackers steal students’ data during breach at Instructure (May 2026)

• SecurityWeek: Edtech firm Instructure discloses data breach (May 2026)

• FOX 9: Canvas data breach, hackers claim info of 275 million users (May 2026)

• Javelin Strategy & Research: Child Identity Fraud Study (2021)

• Equifax: Credit Freeze

• U.S. Department of Education: FERPA FAQ

Prevent This is a weekly cybersecurity newsletter from Intruvent Technologies. Each week, we break down one cyber threat in plain language and give you the tools to protect yourself and the people you care about. For any feedback or if your company is experiencing a breach and you need help, contact us at contact@intruvent.com

The Vulnerability

Yesterday, security researchers at Theori published a complete privilege escalation exploit for CVE-2026-31431, a logic bug in the Linux kernel’s cryptographic subsystem that has existed since August 2017. The exploit is a 10-line Python script. It requires no compiled payloads, no version-specific offsets, and no race conditions. It works on every major Linux distribution released in the past nine years.

Every. Major. Linux. Distribution.

Linux runs approximately 96% of the world’s top one million web servers, the majority of cloud infrastructure, most containers and Kubernetes clusters, and billions of IoT and embedded devices. Conservative estimates place the affected device count in the billions. With a B.

This one is bad, and needs your attention.

The vulnerability, nicknamed “Copy Fail,” allows any unprivileged local user to gain a root shell in seconds. On a multi-tenant system, a shared Kubernetes cluster, or a CI/CD runner, that means any user with shell access can take complete control of the host.

A fully weaponized proof-of-concept is already public on GitHub. Exploitation at scale is now a matter of when, not if. If your home or work uses any affected systems, please read on. Please forward this to anybody who needs it.

How It Works

Caption suggestion: “CVE-2026-31431 exploitation flow: from AF_ALG socket to root shell in six steps.”

The bug lives in algif_aead.c, a component of the Linux kernel’s AF_ALG cryptographic socket interface. Specifically, it affects the authencesn algorithm, which handles authenticated encryption with sequence numbers for IPsec.

Three individually reasonable kernel changes created the vulnerability:

1. 2011: The authencesn cryptographic wrapper was added for IPsec support

2. 2015: AF_ALG gained AEAD (Authenticated Encryption with Associated Data) socket support, allowing userspace programs to invoke kernel crypto operations

3. 2017 (kernel 4.14): An in-place optimization in commit 72548b093ee3 placed page cache pages directly into a writable scatterlist

That third change is the fatal one. When the kernel performs an AEAD decrypt operation, authencesn writes a 4-byte sequence number (seqno_lo) past the output buffer boundary via scatterwalk_map_and_copy(). Because the optimization placed page cache pages in the writable scatterlist, those 4 bytes land directly in the page cache.

The page cache is the kernel’s in-memory copy of file contents. Every executable you run, every library you load, comes from the page cache. If you can write arbitrary bytes into it, you can corrupt any readable file’s in-memory representation without touching the on-disk copy.

The exploit sequence:

1. Open an AF_ALG socket bound to authencesn(hmac(sha256),cbc(aes))

2. Use splice() to feed page cache pages of a setuid binary (such as /usr/bin/su) into the crypto pipeline

3. Construct sendmsg() with shellcode bytes positioned in the AAD at offsets 4 through 7

4. Issue recvmsg(), which triggers AEAD decrypt. The authencesn algorithm writes past the output boundary into the mapped page cache page

5. The HMAC verification fails and returns EBADMSG, but the write has already occurred and persists

6. Execute the corrupted setuid binary. The kernel loads it from page cache. Shellcode runs as root.

The entire sequence fits in 732 bytes of Python using only the os, socket, and zlibstandard library modules.

Why This Is Worse Than Dirty Pipe

Security professionals will immediately compare CVE-2026-31431 to Dirty Pipe (CVE-2022-0847) and Dirty COW (CVE-2016-5195), the two most notorious Linux kernel privilege escalation vulnerabilities of the past decade. Copy Fail is worse than both.

Dirty COW required winning a race condition. Exploitation was probabilistic and often crashed the target system. Copy Fail has no race condition. The exploit is deterministic and 100% reliable.

Dirty Pipe required knowledge of specific kernel version offsets and was limited to kernels 5.8 through 5.16 (roughly an 18-month window). Copy Fail requires no offsets and works across a nine-year window of kernel versions, from 4.14 through current mainline.

Both left forensic evidence that file integrity monitoring tools could detect. Copy Fail corrupts only the in-memory page cache. The page is never marked dirty for writeback, so the on-disk file remains pristine. Inotify sees nothing. AIDE sees nothing. OSSEC sees nothing. Tripwire sees nothing.

One additional dimension makes this especially dangerous in modern infrastructure: the page cache is shared across the entire host, including all containers running on that host. A process inside a Kubernetes pod can corrupt the page cache entry of a setuid binary on the host filesystem. Copy Fail functions as a container escape primitive that bypasses namespace isolation entirely.

What’s Affected

Every Linux distribution shipping a kernel from version 4.14 (August 2017) onward is vulnerable unless patched. Confirmed affected systems include:

• Ubuntu 24.04 LTS (kernel 6.17.0-1007-aws)

• Amazon Linux 2023 (kernel 6.18.8-9.213.amzn2023)

• RHEL 10.1 (kernel 6.12.0-124.45.1.el10_1)

• SUSE 16 (kernel 6.12.0-160000.9-default)

• Rocky Linux 9.7 (confirmed independently by Solar Designer)

• Debian, Arch Linux, Fedora, Oracle Linux

• Embedded Linux distributions used in IoT, networking equipment, and industrial systems

Not affected: RHEL 6 and 7 (kernel versions predate the vulnerable commit), and Ubuntu 26.04 (Resolute) which ships a patched kernel.

Linux runs approximately 96% of the world’s top one million web servers, the majority of cloud infrastructure, most containers and Kubernetes clusters, and billions of IoT and embedded devices. Conservative estimates place the affected device count in the billions.

Detection Is Hard

Traditional security tooling is largely blind to this attack. The corruption happens entirely in kernel memory, with no disk writes, no file modifications, and no network traffic.

Will NOT detect exploitation:

• File integrity monitoring (AIDE, OSSEC, Tripwire, Samhain)

• Inotify-based watchers

• Hash-based allowlisting tools

• Standard auditd file access rules

CAN detect exploitation:

• eBPF-based monitoring that tracks AF_ALG socket creation and splice() calls targeting setuid binaries

• Falco/Sysdig rules detecting SOCK_SEQPACKET AF_ALG socket creation from unexpected processes

• Auditd rules configured to audit socket() calls with AF_ALG family (family 38)

• Behavioral detection looking for EBADMSG return codes from AEAD operations followed by execution of setuid binaries

A community detection toolkit is already available on GitHub, including Falco rules, auditd configurations, and an eBPF monitor.

The key behavioral sequence to detect:

1. AF_ALG socket creation by a non-root, non-crypto process

2. splice() calls feeding a setuid binary into that socket

3. recvmsg() returning EBADMSG

4. execve() of the same setuid binary shortly after

Any security operations team monitoring Linux hosts should deploy at minimum the auditd rule for AF_ALG socket creation today.

Patch and Mitigation

The Fix

The upstream kernel team committed the fix on April 1, 2026 (commit a664bf3d603d). The patch reverts algif_aead.c to out-of-place AEAD operation, permanently separating the TX scatterlist from the RX scatterlist so that page cache pages can never be placed in a writable context.

Patched kernel versions: 7.0+, 6.19.12+, 6.18.22+.

As of today, Debian, Ubuntu, and SUSE have issued patched packages. Red Hat initially deferred the patch but has since reversed course.

Interim Mitigation (If You Cannot Patch Immediately)

The simplest and most effective mitigation is to disable the algif_aead kernel module:

# Prevent the module from loading
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf

# Unload if currently loaded
sudo rmmod algif_aead 2>/dev/null

This does NOT affect dm-crypt/LUKS, kTLS, IPsec/XFRM, OpenSSL, GnuTLS, NSS, or SSH. Most systems never load this module at all. The only software that uses AF_ALG AEAD sockets is libkcapi and a small number of specialized cryptographic testing tools.

For containerized environments: Block AF_ALG socket creation via seccomp profiles on all pods, CI/CD runners, and container workloads. The exploit requires opening an AF_ALG socket as its first step; blocking that syscall prevents exploitation entirely.

{
  "names": ["socket"],
  "action": "SCMP_ACT_ERRNO",
  "args": [
    {
      "index": 0,
      "value": 38,
      "op": "SCMP_CMP_EQ"
    }
  ]
}

This blocks socket(AF_ALG, ...) calls. AF_ALG is protocol family 38.

Timeline

DateEventAugust 2017Vulnerable commit introduced in kernel 4.14March 23, 2026Theori reports vulnerability to Linux kernel security teamMarch 24, 2026Kernel team acknowledges the reportMarch 25, 2026Patches proposed and reviewedApril 1, 2026Fix committed to mainlineApril 22, 2026CVE-2026-31431 assignedApril 23, 2026NVD publishes CVE detailsApril 29, 2026Full public disclosure with proof-of-conceptApril 30, 2026CERT-EU publishes Security Advisory 2026-005

The 37-day window between the fix commit and public disclosure gave major distributions time to prepare patches. Whether your organization has applied them is another question.

Who Found It

Taeyang Lee of Theori, a South Korean security research firm, discovered the vulnerability. The Xint Code Research Team subsequently used AI-assisted analysis to scale the initial finding into a complete exploitation chain in approximately one hour, demonstrating how quickly modern tooling can weaponize a vulnerability once the root cause is understood.

Alexander Peslyak (Solar Designer), founder of the Openwall Project and one of the most respected voices in Linux security, independently confirmed exploitation on Rocky Linux 9.7.

What You Should Do Today

1. Check if you’re affected. Any system running a kernel from 4.14 onward that has not applied the latest security updates is vulnerable. Run uname -r and check against your distribution’s security advisory.

2. Apply patches if available. Debian, Ubuntu, and SUSE have issued fixes. If patched packages are available, apply them immediately. A public PoC exists and exploitation is trivial.

3. Deploy the module mitigation on unpatched systems. If you cannot patch within 24 hours, disable algif_aead with the modprobe rule above. This closes the attack vector at negligible operational cost.

4. Harden container workloads. Add AF_ALG socket blocking to your seccomp profiles. If you operate Kubernetes clusters, update your PodSecurityPolicies or OPA/Gatekeeper constraints to block protocol family 38.

5. Deploy detection. At minimum, add an auditd rule for AF_ALG socket creation. For higher-fidelity detection, deploy the eBPF monitor from the community toolkit.

6. Audit multi-tenant systems first. Shared hosting environments, CI/CD runners, Kubernetes clusters, and any system where untrusted users have shell access are the highest-priority targets. The vulnerability requires only local access.

7. Do not rely on file integrity monitoring. If your security strategy for Linux hosts depends primarily on hash-based FIM tools, this vulnerability bypasses that layer entirely. Update your detection architecture.

The Bigger Picture

Copy Fail is a reminder that kernel attack surface accumulates invisibly over time. The three code changes that created this vulnerability were each reasonable in isolation. The dangerous interaction between them went undetected for nine years, hidden behind a kernel subsystem that most security researchers never examine because “it’s just crypto plumbing.”

The exploit’s simplicity is the real story. A 10-line Python script with no dependencies achieving deterministic root on nine years of kernels is the kind of vulnerability that shifts the risk calculus for any organization running multi-tenant Linux infrastructure. Patch today.

Sources

• Xint Code: “Copy Fail: 732 Bytes to Root on Every Major Linux Distribution” (original technical disclosure)

• CERT-EU Security Advisory 2026-005

• NVD: CVE-2026-31431

• Sysdig: CVE-2026-31431 Analysis

• Help Net Security: Nine-year-old Linux kernel flaw

• The Register: Linux cryptographic code flaw offers fast route to root

• SOCRadar: CVE-2026-31431 Copy Fail Analysis

• Bugcrowd: What We Know About Copy Fail

• Community Detection Toolkit (GitHub)

• Theori PoC Repository (GitHub)

Free Linux Security Assessment

Copy Fail is the latest in a growing list of Linux kernel privilege escalations (Dirty COW, Dirty Pipe, StackRot, and now Copy Fail) that bypass traditional detection. If your organization relies on Linux for production workloads, we can help you assess your exposure.

Shoot us an email at: contact@intruvent.com to book a 30 minute assessment discussion.

We also offer:

• Linux kernel vulnerability exposure assessments

• Container security and Kubernetes hardening reviews

• Detection engineering for kernel-level threats

• Managed threat hunting across your Linux infrastructure

A reader of this newsletter reached out to me this week with two stories that really hit home with me.

The first: several of her friends, all women in their 70s and 80s, have been targeted by scammers after their husbands passed away. Accounts taken over. Identities stolen. Fraud that started within days of the obituary going live. She wanted to know if this was a known pattern or just terrible luck.

It is a known pattern. A well-documented, growing, and organized one. We will get into the details below.

The second: she received a suspicious email claiming a close friend was in the hospital and needed help. When she responded, the person on the other end seemed to know a lot about her friend, enough that it felt real. They described the injury, referenced details that checked out. Then they asked her to send DoorDash gift cards to help cover expenses while her friend recovered.

That is where her training kicked in. As a reader of Prevent This, she recognized the gift card request for what it was: the unmistakable fingerprint of a scam. No hospital, no doctor, no friend in genuine need has ever asked for DoorDash gift cards. She did not send them.

But the experience shook her. The scammer knew too much. The story was too specific. And she asked the question that inspired this edition: what can I do right now, today, to make sure I do not become an actual victim?

This newsletter is the answer. Part 1 covers the bereavement scam pattern and what to do if you or someone you love is going through a loss. Part 2 is a quick-start security checkup, the essentials that anyone can knock out today to raise their baseline protection.

Her friends’ experiences are far from unique. Here is what the pattern looks like when it shows up in the news.

What Happened?

A suburban Chicago widow published her husband’s obituary in January. By April, someone had quietly forwarded her mail to an unknown Chicago address without her knowledge. Fraudulent credit card charges started appearing: a hotel in Atlanta, tickets to the Atlanta Aquarium, $200 for cleaning services she never ordered. Scammers also attempted to open new credit cards in her name.

She caught it. Many do not.

The U.S. Postal Inspection Service reversed the mail forwarding and opened an investigation, but the damage extended beyond dollars. As the victim told NBC Chicago: “The emotional impact of this, even though there wasn’t any financial impact, is not going to go away for a while.”

She is far from alone. A 77-year-old widow named Marjorie Bloom received a call from someone claiming to be a “fraud investigator” at her bank. Over the following weeks, at the caller’s instruction, she liquidated everything: savings, stocks, an annuity. The total: $661,000. The scammer told her not to tell anyone, including her children, claiming secrecy was necessary to protect the investigation. By the time she realized what had happened, her entire nest egg was gone.

In Georgia, identity thieves used an obituary to redirect a deceased man’s mail just two days after his death, then opened new lines of credit in his name before his family had finished planning the funeral.

These are not isolated incidents. They are a pattern, and the pattern is accelerating.

Why Should You Care?

The numbers tell a grim story:

• $7.7 billion lost by Americans 60 and older to internet crime in 2025, up 60% from 2024 (FBI IC3)

• 2.5 million deceased Americans have their identities stolen annually (ID Analytics study, corroborated by TIME and NBC News)

• 167% increase in fraudulent mail forwarding between 2020 and 2021 (U.S. Postal Inspection Service)

• $584 million in romance and confidence scam losses targeting older adults in 2025 alone (FBI IC3)

• The FTC estimates actual elder fraud losses may reach $81.5 billion per year when accounting for unreported cases

The FBI, FTC, AARP, multiple state attorneys general, and the VA have all issued specific warnings about scams targeting the recently bereaved. The FBI’s El Paso field office published a dedicated alert on “bereavement scams.” Michigan’s Attorney General warned the public about “obituary pirates” who scrape death notices. The LA County District Attorney’s office issued a fraud alert specifically about obituary-based targeting.

The pattern is organized, documented, and growing. And the people hit hardest are those least equipped to fight back: elderly widows navigating finances alone, often for the first time, during the worst period of their lives.

How Does This Work?

Think of it like reconnaissance before a burglary, except the reconnaissance is public and free.

The obituary is ground zero. A typical obituary contains the deceased’s full name, date and place of birth, mother’s maiden name, home city, surviving family members, workplace history, church and club memberships, and the date, time, and location of funeral services. That is enough information to answer most security questions, build a complete social engineering profile, and even plan a physical burglary of a home that will be empty during the service.

The Better Business Bureau has warned directly: “They’re putting too much info into obituaries, especially mother’s maiden names and things like that actually needed for identity theft.”

But obituaries are only the start. Scammers have multiple channels feeding them targets:

Data brokers sell lists of the recently widowed. According to reporting from Komando.com and the Brennan Center for Justice, data brokers compile and sell categorized lists that include “Suffering Seniors” and lists sorted by life events, including bereavement. Scammers buy these lists because, as one analysis noted, “they assume there’s a life insurance payout and someone navigating money alone for the first time.” The CFPB proposed a rule in 2024 to restrict these sales. It was withdrawn in 2025. There is currently no federal regulation preventing this practice.

Probate records are public. In most U.S. jurisdictions, probate filings include heir names and addresses, detailed asset inventories, property descriptions, and executor contact information. Scammers monitor these filings to build target lists.

Social media fills in the gaps. Memorial posts, condolence threads, and tribute pages provide additional personal details that supplement what the obituary reveals. They also give romance scammers a way to identify and contact the surviving spouse.

AI makes all of this worse. According to Blackbird.AI research, threat actors now use language models to extract personal data from obituaries at scale, cross-reference it with news articles and social media, generate complete character profiles of plausible friends or acquaintances of the deceased, and craft messages with fabricated but contextually accurate “shared memories.” The FBI’s 2025 IC3 report documented over $893 million in AI-linked fraud losses, with older adults accounting for $352 million.

Once a target is identified, the attacks come in several forms:

“Ghosting” the deceased: Opening credit cards, taking loans, or filing tax returns using the dead person’s identity before financial institutions are notified. There is a gap between the time of death and when SSN databases are updated, and scammers exploit it.

Account takeover of the surviving spouse: Redirecting mail, resetting passwords, and draining accounts using obituary-sourced personal details and security question answers.

The Phantom Hacker: A three-phase scam where the victim is contacted first by a fake tech support agent, then by a fake bank representative, and finally by a fake government official, each reinforcing the last. This scam has stolen over $1 billion from seniors since 2024.

Romance scams: Scammers identify recently widowed individuals and initiate contact through dating sites, Facebook, or even “condolence” emails. They build emotional dependency over weeks or months before introducing financial requests.

Fake debt collectors: Callers claim the deceased had outstanding debts and pressure the surviving spouse for payment. In reality, the estate (not the survivor) generally bears liability for a deceased person’s debts unless the survivor was a co-signer or joint account holder.

What Can You Do?

Whether you are the person grieving, or you are looking out for someone who is, these steps can close the gaps that scammers exploit.

If You (or Someone You Know) Have Recently Lost a Loved One

In the first week:

1. Contact the Social Security Administration (800-772-1213) to report the death. This starts the process of flagging the SSN.

2. Notify all three credit bureaus and request a death notice on the deceased’s credit file:

Equifax: 800-525-6285

Experian: 888-397-3742

TransUnion: 800-680-7289

3. Notify every financial institution where the deceased held an account: banks, credit cards, investment accounts, insurance companies. Ask that closed accounts be listed as “Closed: Account holder is deceased.”

4. Send a copy of the death certificate to the IRS to flag the deceased’s tax account against fraudulent returns.

5. Secure the mail. Lock the mailbox. Monitor for unexpected forwarding notices. Consider a P.O. Box for sensitive mail during the transition.

6. Cancel the deceased’s driver’s license with the DMV to prevent it from being used as identification.

In the first month:

7. Pull a credit report for the deceased and review it for unfamiliar accounts. Pull another one in three to six months.

8. Monitor or memorialize the deceased’s social media accounts. Unmonitored accounts leak personal information and become targets for impersonation.

9. Close or secure the deceased’s email accounts. An active, unmonitored email address is a gateway to password resets on every linked service.

Protect the Surviving Spouse

10. Enable multi-factor authentication on every account: email, banking, social media. Authenticator apps are better than SMS, but SMS is better than nothing.

11. Set up credit monitoring and fraud alerts on your own accounts, not just the deceased’s.

12. Remove personal information from data broker sites. Services like DeleteMe or Privacy Duck handle this, or you can manually opt out from sites like Spokeo, WhitePages, and BeenVerified.

13. Treat every unsolicited contact with suspicion, especially anyone referencing the deceased, claiming to be from a bank, or presenting an urgent financial situation.

14. Never allow remote access to your computer based on a phone call, pop-up, or email you did not initiate.

15. Designate a “verification buddy.” Any financial request, transaction, or decision gets run past a trusted family member before you act. Scammers rely on isolation and secrecy; a second opinion breaks that cycle.

Write a Safer Obituary

16. Leave out: date of birth, mother’s maiden name, home address, specific funeral times and locations (use “private services” or share details only with those who call the funeral home directly).

17. Include instead: the person’s life story, accomplishments, and character. None of that information helps a scammer.

For Family Members: Have the Conversation Now

Do not wait until someone dies. Talk to your parents, grandparents, aunts, and uncles about these scams now, while the conversation is calm and theoretical.

Agree on a verification process for unexpected financial contacts.

Offer to review the obituary before it is published.

Set up monitoring on shared or connected accounts.

Know the reporting numbers (below) so you are not searching for them during a crisis.

Part 2: The Essentials, a Quick-Start Security Checkup

This is the part our reader was really asking about. She spotted the DoorDash gift card scam because she knew the signs. But the fact that the scammer knew so much about her friend bothered her. Where did they get those details? How personalized can these attacks get? And what can she do right now to reduce the chances that she, or someone she cares about, becomes the next target?

The honest answer: there is no single checklist that makes you bulletproof. Digital security is layered, and a full lockdown covers far more ground than we can fit in one newsletter. But most account takeovers succeed not because the attacker was sophisticated, but because the victim reused a password from a breach they never knew about, or never turned on two-factor authentication. Those are basics, and basics matter.

What follows are the highest-impact steps you can take today. Think of it as tightening the locks on the front door, not installing a full alarm system. It will not stop every threat, but it will stop the most common ones and make you a harder target than the person who skipped this section.

Step 1: Check Your Passwords for Breaches

If you use an iPhone, iPad, or Mac, Apple has a built-in tool that does this for you. No downloads, no subscriptions required.

How to use Apple Passwords:

1. Open the Passwords app (iOS 18+ and macOS Sequoia) or go to Settings > Passwords on older devices.

2. Look for the Security section at the top. Apple automatically flags three categories:

Compromised Passwords: These appeared in a known data breach. Change them immediately.

Reused Passwords: The same password used on multiple sites. If one site is breached, every account sharing that password is exposed.

Weak Passwords: Short, predictable, or commonly used passwords that are easy to guess.

3. Tap any flagged entry. Apple provides a Change Password link that takes you directly to the site’s password reset page.

4. When you create the replacement, let Apple generate a strong password for you. It saves automatically to your keychain and syncs across your devices.

Not an Apple user? Google Password Manager (built into Chrome) has the same feature at passwords.google.com. Go to Password Checkup and it will flag compromised, reused, and weak passwords. Samsung users can check via Samsung Pass in device settings.

Step 2: Change Any Password Older Than One Year

Even if a password has not appeared in a known breach, old passwords carry risk. Breaches are not always disclosed immediately, and some are never made public at all. A password that looks clean today may have been compromised months ago.

Work through your password manager and sort by “last changed” date. Any password older than 12 months should be updated. Prioritize these accounts first:

• Email (this is the master key to everything else; password resets flow through it)

• Banking and financial accounts

• Health insurance and medical portals

• Government accounts (SSA, IRS, state tax portals)

• Social media (Facebook, Instagram, LinkedIn)

  Let your password manager generate each new password. Long, random, and unique to every site.

Step 3: Turn On Two-Factor Authentication Everywhere

A strong password alone is not enough. Two-factor authentication (2FA) adds a second layer: even if someone steals your password, they cannot get in without the second factor.

Where to enable it (in priority order):

1. Email (Gmail, iCloud, Outlook, Yahoo)

2. Banking and financial apps

3. Social media (Facebook, Instagram, LinkedIn, X)

4. Shopping accounts that store payment information (Amazon, PayPal)

5. Cloud storage (iCloud, Google Drive, Dropbox)

Which 2FA method to use:

Best: A hardware security key (YubiKey) or passkeys (supported by Apple, Google, and Microsoft). These are phishing-resistant.

Good: An authenticator app (Apple’s built-in Passwords app supports verification codes, as do Google Authenticator and Microsoft Authenticator).

Acceptable: SMS text codes. Vulnerable to SIM-swapping attacks, but still far better than no 2FA at all.

Apple Passwords tip: When you set up 2FA for a site, Apple Passwords can store and auto-fill your verification codes. During the 2FA setup process, choose “Set Up Verification Code” when you scan the QR code, and your codes will auto-fill alongside your passwords going forward. No separate authenticator app needed.

Step 4: Scan Your Devices for Malicious Software

Scammers do not always ask for your information directly. Malware, keyloggers, and spyware can quietly capture passwords, banking credentials, and personal data in the background.

On a Mac:

Make sure your operating system is up to date (System Settings > General > Software Update). macOS includes built-in malware protection (XProtect) that updates silently, but it only works if your system is current.

Review your installed applications (Finder > Applications). If you see anything you do not recognize or did not install, research it before keeping it.

Consider running a scan with Malwarebytes for Mac (free version available). It catches threats that slip past built-in protections.

On an iPhone/iPad:

Keep iOS updated (Settings > General > Software Update).

Review installed apps and delete anything unfamiliar.

Check Settings > General > VPN & Device Management for any profiles you did not install. Unknown profiles can be a sign of compromise.

On Windows:

Run Windows Security > Virus & threat protection > Quick scan.

Make sure Real-time protection is turned on.

Check your browser extensions and remove any you do not recognize.

For everyone:

Check your browser extensions (in Chrome: three dots menu > Extensions; in Safari: Settings > Extensions). Remove anything you did not install or no longer use. Malicious browser extensions are one of the most common ways attackers capture credentials.

The Quick-Start Checklist

These are the essentials. Print this out. Tape it to the fridge. Hand it to your parents next time you visit.

1. Open Apple Passwords (or your password manager) and fix every flagged password

2. Change any password you have not updated in the past 12 months

3. Turn on two-factor authentication for email, banking, and social media

4. Run a malware scan on your computer

5. Review and remove unfamiliar browser extensions

6. Delete apps you no longer use from your phone

7. Check for unknown device management profiles on your phone

This is not a complete security overhaul. There is more you can do: removing your information from data broker sites, setting up credit monitoring and fraud alerts, reviewing your privacy settings on social media, and hardening your home network. We will cover those in future editions.

But these seven steps hit the highest-impact areas. Most attacks succeed because one of these basics was left undone. Fifteen minutes now raises the bar for anyone trying to get in.

Thanks for reading, I hope this newsletter helped you. If it did, or if you know anyone who needs this info, please forward this to them!

Research Sources:

Intruvent CTI Cloud

FBI Internet Crime Complaint Center, 2025 Annual Report ($7.7B in elder fraud losses)

FBI El Paso Field Office, “Bereavement Scams” public warning

FTC, “Protecting Older Consumers 2024-2025” report to Congress

AARP Fraud Watch Network, “Obituary Scams Target Grieving Loved Ones”

Blackbird.AI, “AI-Powered Obituary Scams & Targeted Phishing”

NBC Chicago, “Obit Scam: Illinois Widow Targeted” (case study)

CNBC, “How One Retired Woman Lost Her Life Savings” (Marjorie Bloom case)

Experian, “What You Need to Know About Obituaries and Identity Theft”

Komando.com / Brennan Center for Justice, data broker targeting practices

ID Analytics / TIME / NBC News, 2012 study on deceased identity theft (2.5M annually)

New York Department of State, “Ghosting” identity theft of the deceased

Aura, “Identity Theft of a Deceased Person” (Georgia widow case)

Michigan Attorney General, “Obituary Pirates” warning

LA County District Attorney, “Obituary Scams Target Grieving Families”

U.S. Department of Veterans Affairs, surviving family member scam warnings

Malwarebytes, “Data Broker Protection Rule Quietly Withdrawn by CFPB”

USPS Office of Inspector General, change-of-address fraud report (167% increase, 2020-2021)

Apple, “Passwords app” and iCloud Keychain documentation

Last Updated: April 28, 2026

In January 2026, the Clop ransomware group published 43 new victims to its leak site in a single 24-hour period. Among them: Hilton, The Weather Company, multiple law firms, managed service providers, financial institutions, and universities across the U.S., U.K., Europe, Canada, and New Zealand.

The attackers never encrypted a single file. They did not need to. They exploited vulnerabilities in file transfer software, extracted sensitive data, and threatened to publish it. Pay up or your data goes public.

This was not an anomaly. It was the new playbook.

Clop pioneered this approach at scale with the MOVEit Transfer campaign in 2023, impacting approximately 2,000 organizations and 17 million individuals without deploying any encryption. They have continued refining the model ever since.

The BianLian group followed the same evolution. After a free decryptor neutralized their encryption capability in 2023, BianLian pivoted entirely to stealing data and demanding payment to keep it private. Their ransom demands have climbed from an average of $100,000 to $350,000 to around $3 million per victim. No encryption required.

And they are not alone. Karakurt. RansomHouse. A growing number of threat actors have abandoned encryption entirely. They steal your data, send you a ransom note, and wait. If you do not pay, your files appear on a leak site for competitors, criminals, and regulators to find.

Why Should You Care?

The numbers show a dramatic shift:

Elevenfold increase: Data extortion-only attacks rose from 2% of incident response cases to 22% between November 2024 and November 2025

• 6,182 extortion attacks occurred in 2025, a 23% increase over 2024, with data-theft-only attacks driving the growth

• 6% of ransomware attacks in 2025 involved no encryption at all, double the 3% seen in 2024

• Average dwell time for exfiltration attacks can stretch to weeks or months, compared to hours or days for encryption attacks

• 94% of leaked passwords are reused across multiple accounts, giving attackers easy paths from one breach to your network

Here is what makes this worse: your backup strategy will not help you.

Organizations have spent years building robust backup and recovery capabilities to survive ransomware. Attackers noticed. If your systems can be restored in hours, encryption loses its leverage. But stolen data cannot be “restored.” Once it is out, it is out. You cannot undo the leak of customer records, employee Social Security numbers, or proprietary business information.

This is why attackers are pivoting. Encryption was always just a means to an end. The real leverage is the data itself.

How Does This Work?

Think of it like a silent burglary versus a smash-and-grab.

Traditional ransomware is loud. Files stop opening. Ransom notes appear on every screen. Systems grind to a halt. Security teams scramble. Everyone knows something is wrong.

Exfiltration-only attacks are quiet. The attacker gains access (often through stolen credentials or a vulnerable internet-facing system), moves laterally to find valuable data, and copies it out of the network. No files are modified. No services go offline. No alarms ring. The first indication that anything happened may be a ransom note in your inbox, weeks after the theft occurred.

The tools they use make detection even harder. Instead of obviously malicious software like Rclone or custom exfiltration tools, attackers increasingly use legitimate cloud utilities:

Azure Copy (AzCopy) has become a favorite. It is Microsoft’s official utility for transferring data to Azure Blob storage. It is rarely blocked by endpoint detection and response (EDR) solutions. It uses standard HTTPS connections to *.blob.core.windows.net domains that are typically allowed through firewalls. And the destination is a fully legitimate cloud provider.

When an attacker uses AzCopy to upload your data to their Azure storage account, it looks almost identical to normal cloud operations. Security teams monitoring for “malicious” file transfers may never see it.

Other common exfiltration methods include:

• Azure Storage Explorer: A GUI version of the same capability

• Standard cloud sync tools: Dropbox, OneDrive, Google Drive used to upload stolen data

• Archive utilities: Data compressed into smaller packages before transfer

• Living-off-the-land binaries: Built-in Windows tools repurposed for data theft

The result: without an encryption event, there is no clear “moment of compromise” to trigger incident response. Attackers have days, weeks, or months to find and extract the most valuable data before anyone notices.

What Can You Do?

Defending against exfiltration-only attacks requires a different mindset than defending against traditional ransomware. Your backup strategy is necessary but not sufficient. You need to catch the theft before it happens.

Step 1: Know What Data You Have and Where It Lives

You cannot protect what you cannot find. Map your sensitive data:

• Where is personally identifiable information (PII) stored?

• Where are financial records, intellectual property, and trade secrets?

• Which systems have access to this data?

• Who has credentials to those systems?

Data Loss Prevention (DLP) tools like Microsoft Purview can help identify and monitor sensitive data. The goal is visibility: if you do not know what is valuable, you will not notice when it leaves.

Step 2: Monitor for Unusual Data Movement

Exfiltration attacks create data movement patterns that differ from normal operations. Look for:

Volume anomalies:

• Large file transfers from servers that normally do not send data externally

• Unusual compression activity (creating large archives before transfer)

• Spikes in outbound traffic, especially outside business hours

Destination anomalies:

• Connections to Azure Blob storage (*.blob.core.windows.net) from systems that do not normally use Azure

• Data flowing to personal cloud storage accounts (Dropbox, Google Drive, OneDrive personal)

• Transfers to IP addresses or domains with no business justification

Tool anomalies:

• AzCopy or Azure Storage Explorer running on systems where cloud migration is not occurring

• Archive utilities (7zip, WinRAR) compressing large volumes of files

• PowerShell or command-line tools accessing sensitive file shares

Configure alerts for these patterns. Endpoint detection tools, network monitoring, and SIEM platforms can all contribute.

Step 3: Restrict Outbound Network Access

Most servers do not need direct internet access. Lock it down:

• Implement egress filtering: servers should only reach the specific external endpoints they require (update servers, API endpoints, etc.)

• Block or alert on connections to cloud storage providers from systems that do not have a legitimate business need

• Use a proxy or secure web gateway for outbound traffic so you have visibility and control

• Consider application allowlisting on critical servers to prevent unauthorized tools from running

Step 4: Harden Your Identity Layer

Most exfiltration attacks begin with compromised credentials. Make initial access harder:

• Phishing-resistant MFA everywhere: Hardware security keys (FIDO2/WebAuthn) are ideal. Authenticator apps are acceptable. SMS is better than nothing but vulnerable.

• Privileged access management: Admin accounts should have separate credentials, time-limited access, and enhanced monitoring.

• Credential hygiene: Audit for password reuse, default credentials, and service accounts with excessive permissions.

• Conditional access policies: Block logins from unexpected locations, devices, or risk levels.

Step 5: Segment Your Network

If attackers gain access to one system, limit how far they can move:

• Separate sensitive data repositories from general user networks

• Restrict lateral movement between segments

• Apply the principle of least privilege: users and systems should only access what they need

An attacker who compromises a workstation should not be able to reach your file servers, customer databases, or intellectual property repositories without triggering additional authentication or alerts.

Step 6: Prepare for the Call

Despite your best efforts, an exfiltration attack may still succeed. Have a plan:

Legal counsel: Know who to call when you receive a ransom demand. Decisions about payment, disclosure, and law enforcement involvement require legal guidance.

Incident response retainer: Have a relationship with an IR firm before you need one.

Communication templates: Draft holding statements for customers, employees, regulators, and media.

Data inventory: Know what was likely stolen based on what the attackers accessed. This will inform your disclosure obligations.

The Bottom Line

Ransomware is evolving. The encryption that used to be the attack’s signature is becoming optional. Attackers have realized that stolen data is leverage enough, especially when victims have backups that make encryption pointless.

This shift has real implications. Your disaster recovery playbook will not help you. Your backups will not undo a data breach. And the quiet nature of exfiltration attacks means you may not know you have been compromised until the ransom note arrives.

The defense is detection: know your data, watch your network, and catch the theft before it is complete. Because once your data is in an attacker’s hands, your options narrow dramatically.

Do not let the first sign of compromise be an email demanding millions to keep your data private.

Research Sources:

• Intruvent Cloud CTI Engine (Codex)

• Morphisec, “Ransomware Without Encryption: Why Pure Exfiltration Attacks Are Surging” (2026)

• HIPAA Journal, “Elevenfold Increase in Data-only Extortion Attacks”

• Industrial Cyber, “Ransomware Reaches Elevated New Normal” (2026)

• BlackFog, “Clop’s New Extortion Wave Hits Oracle” (2026)

• GuidePoint Security, “The Economics of Clop’s Zero-Day Campaigns”

• CISA, “#StopRansomware Guide” and BianLian Advisory (AA23-136A)

• Unit 42/Palo Alto Networks, “BianLian Threat Assessment”

• Cisco Talos, “Everyday Tools, Extraordinary Crimes: The Ransomware Exfiltration Playbook”

• FBI Internet Crime Complaint Center, 2025 Annual Report

• Heimdal Security, “Password Breach Statistics 2026”

Last Updated: April 21, 2026*

On April 7, 2026, six federal agencies published joint advisory AA26-097A with two phrases that should concern every critical infrastructure operator in America: “operational disruption” and “financial loss.”

The advisory, signed by the FBI, CISA, NSA, EPA, Department of Energy, and US Cyber Command, confirms that Iranian-affiliated cyber actors have actively disrupted programmable logic controllers across US water and wastewater systems, energy facilities, and government installations. Not “attempted to access.” Not “may have compromised.” Disrupted. With confirmed operational and financial impact.

The threat actor is CyberAv3ngers, a persona operated by Iran’s Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). The same group that compromised water utility PLCs in Pennsylvania in November 2023. The same group whose six operators were designated by the US Treasury in February 2024. The same group the State Department has offered a $10 million bounty on.

They have advanced their tradecraft. Where earlier operations relied on internet-exposed devices with default credentials, they are now targeting Rockwell Automation controllers, the most widely deployed industrial automation platform in North America, using legitimate Rockwell engineering software to establish connections that read as normal operator activity on most network sensors.

If your organization operates Rockwell CompactLogix or Micro850 PLCs, particularly in water, energy, or government sectors, this advisory is about you.

From Public Defacement to Legitimate Tooling: The CyberAv3ngers Evolution

CyberAv3ngers first surfaced in October 2020 on Telegram, claiming responsibility for power outages in Israel. The group’s early public activity emphasized messaging, and some claims were later correlated to imagery from separate incidents. Those years established the brand. The years that followed established the capability.

In November 2023, the Municipal Water Authority of Aliquippa, Pennsylvania discovered that their Unitronics Vision Series PLC had been compromised and was displaying a defacement message. CISA confirmed the attack and published advisory AA23-335A. The operators took a pragmatic technical approach, exploiting internet-exposed PLCs running default credentials. Within weeks, CISA documented at least 75 similar compromises across multiple states. The target selection was deliberate: a specific vendor, in a specific sector, at a scale that demonstrated operational tempo.

The 2023 campaign confirmed CyberAv3ngers as a capable operational group with sustained interest in US critical infrastructure. The 2026 campaign shows where that capability has grown.

According to AA26-097A, the operators are now using “leased, third-party hosted infrastructure with configuration software, such as Rockwell Automation’s Studio 5000 Logix Designer software, to create an accepted connection to the victim’s PLC.” They are not exploiting a software vulnerability in the traditional sense. They are using the exact tools that legitimate engineers use to program and maintain these controllers, which means the resulting network traffic looks like engineering activity to most detection tooling.

This is a meaningful escalation in capability. Studio 5000 Logix Designer is Rockwell’s professional engineering environment. Using it requires stolen credentials, a compromised engineering workstation, or exploitation of CVE-2021-22681, a cryptographic key vulnerability that permits an actor who obtains a specific key to authenticate to affected PLCs without valid credentials. CISA added CVE-2021-22681 to its Known Exploited Vulnerabilities catalog in March 2026, confirming active exploitation.

The target set has expanded in proportion to the capability. Rockwell Automation dominates the North American industrial automation market. CompactLogix and ControlLogix controllers run water treatment plants, power generation facilities, manufacturing lines, and oil and gas operations across the continent. Censys identified 5,219 internet-exposed hosts globally responding to EtherNet/IP protocols and identifying as Rockwell Automation devices. 74.6% of them, approximately 3,890 devices, are in the United States.

Inside the Attack Chain

The AA26-097A advisory describes a multi-phase operation targeting specific ports on exposed Rockwell controllers:

• Port 44818 (EtherNet/IP): The primary Rockwell Automation industrial protocol. This is how Studio 5000 communicates with CompactLogix and other Logix-family controllers.

• Port 2222: Used for OT configuration and some Rockwell-specific services.

• Port 102 (ISO-TSAP): The Siemens S7 communication protocol. Its presence in the advisory suggests the operators are scanning for multiple PLC vendors in parallel.

• Port 502 (Modbus TCP): A legacy industrial protocol still widely used. Many Rockwell controllers support Modbus for integration with third-party systems.

• Port 22 (SSH): Indicates deployment of persistent access mechanisms. Picus Security’s analysis of the campaign notes that “attackers deployed Dropbear SSH on victim endpoints, providing persistent remote access surviving PLC reboots.”

Once connected, the operators performed two categories of post-access activity:

Project file extraction. PLC project files (with .ACD extension in Rockwell environments) contain the ladder logic, control sequences, and configuration parameters that define how the controller operates. Extracting these files yields a complete blueprint of the target facility’s automation logic, useful for reconnaissance, follow-on operations, or potential kinetic effects.

HMI/SCADA display manipulation. The operators modified data displayed on human-machine interfaces and SCADA systems. This is particularly consequential in critical infrastructure environments. If operators cannot trust what their screens tell them, they cannot safely run the facility. A manipulated display could show normal pressure readings while a tank overflows, or hide a dangerous temperature rise until equipment fails.

The advisory confirms that “some of the victims experienced operational disruption and financial loss.” The FBI declined to provide additional details about specific incidents.

Who Is CyberAv3ngers?

CyberAv3ngers is a state-sponsored program run by the IRGC-CEC, the cyber-electronic warfare arm of Iran’s Islamic Revolutionary Guard Corps. It is a well-resourced group with sustained access to infrastructure, tooling, and personnel, operating within an established national cyber program.

The US Treasury designated six IRGC-CEC officials in February 2024 for their roles in the group. The State Department has offered a $10 million reward for information leading to the identification or location of any person who, while acting at the direction of a foreign government, participates in malicious cyber activities against US critical infrastructure.

The group is tracked under multiple names across the vendor community:

• Storm-0784 (Microsoft)

• Bauxite (Dragos)

• UNC5691 (Mandiant)

• G1027 (MITRE ATT&CK)

In January 2026, the group rebranded its Telegram channel from “CyberAv3ngers” to “Cyber4vengers.” The rebrand coincided with a shift toward more technically mature operations.

Leaked records from December 2025 confirmed operational connections between CyberAv3ngers and Moses Staff, another Iranian state-sponsored group known for destructive wiper operations. Check Point Research has documented approximately 60 affiliated pro-Iranian groups that adopt CyberAv3ngers techniques.

The IOCONTROL Connection

The Rockwell campaign is not the only active CyberAv3ngers toolset. A parallel thread in the group’s capability development was documented two years earlier.

In mid-2024, Claroty’s Team82 published analysis of a custom malware family called IOCONTROL, attributed to CyberAv3ngers. IOCONTROL is designed to run on a variety of IoT and OT devices, including PLCs, HMIs, routers, and IP cameras. The malware uses:

• MQTT over TLS on port 8883 for command and control

• DNS-over-HTTPS to resolve C2 infrastructure, evading traditional DNS monitoring

• AES-256-CBC encryption for all communications

IOCONTROL marked a clear step beyond the 2023 Unitronics operations. Where the earlier work centered on public-facing defacement, IOCONTROL extended the toolkit to persistent access and programmatic manipulation of industrial processes across a broader range of device types. By 2024, the group was already investing in purpose-built OT malware, a year and a half before the Rockwell activity in AA26-097A surfaced publicly.

The relationship between the IOCONTROL work and the 2026 Rockwell exploitation is not explicitly stated in public reporting. Both lines of operation target overlapping sectors and reflect a consistent trajectory toward persistent, vendor-agnostic access to industrial control environments.

Why This Advisory Is Different

CISA has published many advisories about threats to critical infrastructure. Most describe potential risks or document intrusion attempts. AA26-097A is different because it confirms actual impact.

On March 18, 2026, the CISA Acting Director stated that CISA was operating at “steady state” regarding Iranian cyber threats, despite the ongoing military conflict between the US, Israel, and Iran. The implication at the time was that threat activity remained within normal parameters.

AA26-097A, published 20 days later, functionally updates that assessment. The advisory confirms that Iranian actors have not merely attempted to access critical infrastructure; they have disrupted it. Facilities have experienced operational impacts. Organizations have incurred financial losses.

This is also the first joint advisory of the current conflict signed by six federal agencies, including US Cyber Command’s Cyber National Mission Force. The breadth of signatories signals the severity of the threat and the confidence level in the attribution.

The geopolitical context matters. Since Operation Epic Fury began on February 28, 2026, the US and Israel have conducted sustained military operations against Iran. The Strait of Hormuz has been effectively closed for over a month. Iran’s Supreme Leader was killed in an early strike. This week, President Trump issued an ultimatum threatening to destroy “every bridge” and “every power plant in Iran” if the Strait is not reopened.

CyberAv3ngers is one of Iran’s primary instruments of asymmetric cyber operations. The confirmed disruptions in AA26-097A indicate that instrument is in active use against American infrastructure.

What You Should Do

A Note Before You Act

The guidance below describes general defensive practices for OT and ICS environments. It is not prescriptive direction for your specific network.

Operational technology environments are safety-critical. Taking a PLC offline, altering network segmentation, disabling services, or changing keyswitch positions can produce consequences that extend well beyond IT, including process upsets, equipment damage, safety incidents, and regulatory exposure.

Before implementing any step in this section:

1. Review the guidance with your OT engineering team, facility operators, and safety personnel.

2. Verify compatibility with your specific device models, firmware versions, and operational context.

3. Consult vendor documentation, including Rockwell Automation advisories, for device-specific procedures.

4. Coordinate changes through your organization’s change-management and outage-planning processes.

5. Where doubt exists, engage a qualified OT cybersecurity professional familiar with your environment.

This newsletter is threat intelligence reporting, not engineering direction. Intruvent Technologies provides this information on an “as is” basis, without warranties of any kind, and accepts no liability for any operational, safety, financial, or other consequences arising from actions taken on the basis of this content. Decisions about your systems are yours to make, with your team, based on your knowledge of your environment.

Right Away

Take internet-exposed PLCs offline. There is no legitimate reason for a PLC to be directly accessible from the public internet. Every Rockwell CompactLogix, Micro850, or similar controller that responds to public internet queries is a potential target. If your organization has exposed devices, disconnect them now. Remote access should be routed through secured gateways, jump servers, or VPNs with multi-factor authentication.

Check the ports. Scan your external perimeter for services on TCP 44818 (EtherNet/IP), 2222, 102 (ISO-TSAP), 502 (Modbus), and 22 (SSH). Any inbound access to these ports from untrusted networks should be blocked.

Set physical mode switches to RUN. CompactLogix controllers have a physical keyswitch that can be set to RUN mode, preventing remote programming changes. This is a simple, effective control that many operators overlook. An actor who gains network access to a controller in RUN mode cannot upload new logic without physical access to the device.

Audit for Dropbear SSH. The advisory indicates operators deployed Dropbear SSH for persistence. Dropbear is a lightweight SSH server that does not belong on most PLCs. Search for unexpected SSH services on your OT devices.

This week

Patch CVE-2021-22681. This cryptographic key vulnerability affects Rockwell Studio 5000 Logix Designer and enables authentication bypass. Rockwell has released mitigations, check them out.

Review your cellular connectivity. Many PLCs in remote locations use cellular modems for remote access. These connections often bypass corporate firewalls and security controls. Audit which devices have cellular connectivity and whether that connectivity is necessary.

Enable network monitoring at OT boundaries. If you do not have visibility into traffic entering and leaving your OT networks, you cannot detect this activity. Deploy network detection and response capabilities that understand industrial protocols like EtherNet/IP and Modbus.

Going forward

Implement network segmentation. PLCs should sit on isolated network segments with controlled access points. Traffic between IT and OT networks should flow through monitored chokepoints. “Air gaps” that exist only on network diagrams provide no protection.

Disable unnecessary services. VNC, Telnet, FTP, and HTTP management interfaces on PLCs provide additional attack surface. Disable anything not required for operation.

Monitor for configuration changes. Establish baselines for PLC project files and alert on unexpected modifications. A change to ladder logic should trigger immediate investigation.

Develop offline recovery procedures. If your PLCs are compromised, can you restore them from known-good backups? Are those backups stored offline where they cannot be modified by the same actor? Test your ability to rebuild a compromised controller from scratch.

Indicators of Compromise

The CISA advisory includes a STIX file with machine-readable indicators at https://www.cisa.gov/sites/default/files/2026-04/AA26-097A.stix_.xml.

Target ports:

• TCP 44818 (EtherNet/IP)

• TCP 2222 (OT configuration)

• TCP 102 (ISO-TSAP)

• TCP 502 (Modbus)

• TCP 22 (SSH)

Affected devices:

• Rockwell Automation CompactLogix

• Rockwell Automation Micro850

• Any Rockwell/Allen-Bradley device on EtherNet/IP

CVE:

• CVE-2021-22681 (CVSS 9.8): Authentication bypass via insufficiently protected cryptographic key in Studio 5000 Logix Designer

Behavioral indicators:

• Studio 5000 connections from non-engineering workstations

• Dropbear SSH processes on PLC or HMI devices

• Modified PLC project files (.ACD)

• Inconsistencies between SCADA displays and physical process values

• Outbound connections from OT devices to unexpected IP ranges

Sources

• CISA Advisory AA26-097A, April 7, 2026

• Picus Security Analysis of AA26-097A

• Industrial Cyber: Censys Warns of Rockwell PLC Exposure

• Tenable: CyberAv3ngers FAQ

• The Register: Iran Intruders Disrupting US Water, Energy Facilities

• CISA Advisory AA23-335A, November 2023 Unitronics Campaign

More Iran Cyber Threat Intelligence

The CyberAv3ngers campaign is part of a broader pattern of Iranian cyber operations escalating alongside the ongoing military conflict. We’re tracking 16+ Iranian threat groups actively targeting US and allied infrastructure.

For continuously updated threat actor profiles, IOC feeds, detection rules, and geopolitical context on the Iran cyber threat, visit the Intruvent Iran Cyber Threat Intelligence Center.

Resources include:

• CyberAv3ngers, Handala, MuddyWater, and 13+ other Iranian APT profiles

• Iran Conflict SITREP (updated bi-weekly)

• OT/ICS-specific detection queries for Splunk and Microsoft Sentinel

• Indicators of compromise with blocking guidance

Intruvent Edge is a bi-weekly threat intelligence newsletter from Intruvent Technologies. For monthly threat reporting and detection, visit intruvent.com/brace.

What Happened?

In March 2025, hackers hit five Australian superannuation funds (retirement accounts) simultaneously. Within 48 hours, they accessed over 20,000 customer accounts and stole AUD $500,000. The victims did nothing wrong. They never clicked a phishing link. They never downloaded malware. They never shared their passwords.

Their passwords had been stolen years earlier, from completely unrelated breaches, and they were still using them.

The attackers used a technique called credential stuffing: they took massive lists of usernames and passwords from old data breaches (LinkedIn 2012, Adobe 2013, Dropbox 2016, and hundreds of others) and systematically tried them against fresh targets. When people reuse passwords across sites, one old breach becomes the key to everything.

The Australian attack was not sophisticated. It was inevitable. When 109 million email addresses and passwords from a single “stealer log” collection appeared online earlier this year, followed by another 183 million from a separate dump, the raw material for these attacks has never been more abundant.

And it is not just happening in Australia. The FBI issued a public service announcement in March 2026 warning that credential stuffing attacks against financial institutions are surging, with attackers routing their attempts through residential proxy networks to evade detection.

Why Should You Care?

The numbers are staggering:

• 26 billion automated login attempts happen every month using stolen credentials

• 76% of leaked password/login combinations still work when tried against other sites

• 83% of organizations experienced at least one account takeover last year

• $4.8 million is the average cost of a credential stuffing breach

• 972 breached websites are currently tracked by HaveIBeenPwned, with billions of compromised accounts

Here is the uncomfortable truth: if you have been using the internet for more than a few years, your credentials have almost certainly been exposed in at least one breach. The question is not whether your password is out there. The question is whether you are still using it.

Every dormant account you have ever created, that old forum from 2011, the streaming service free trial you forgot about, the shopping site you used once, is a liability. If that service gets breached (or already has been), your email and password are now in a database that attackers will use against your bank, your email, your work accounts.

Dormant accounts are 10 times less likely to have two-factor authentication enabled than active accounts. They are not monitored. Nobody notices when they are compromised. They sit there, waiting to be exploited.

According to a Beyond Identity survey, 10% of people are still using a password they first created as a teenager. That means somewhere out there, a bank account, an email inbox, or a corporate VPN is protected by the same password someone picked for their Neopets account in 2007. Which brings us to this week’s Oreo and Bean comic:

How Does This Work?

Think of it like a master key ring.

Every time a company gets breached, the attackers add another set of keys to the ring. LinkedIn breach? That is 117 million keys. Adobe breach? Another 153 million. Dropbox? 68 million more. These “combolists” (username/password combinations) circulate freely on criminal forums, often for free.

Attackers then run automated tools that try these credentials against valuable targets: banks, email providers, corporate VPNs, streaming services. They rotate through thousands of residential proxy IP addresses (rented from services like IPRoyal for as little as $4 per gigabyte) so their attempts look like they are coming from ordinary home internet connections all over the world, not a single attacker.

Rate limiting does not stop them, because each IP only makes a few attempts. Geographic blocking does not stop them, because the proxies are everywhere. Even “impossible travel” detection struggles, because the attackers are patient.

The attack is simple: if you used the same password for LinkedIn in 2012 that you use for your bank today, they are in.

What Can You Do?

This is your credential cleanup checklist. Set aside 30 minutes this week and work through it.

Step 1: Check What Has Been Exposed

Go to HaveIBeenPwned.com and enter every email address you have ever used. Yes, that old Hotmail account too. The site will show you every known breach that included your email.

Do not panic at the list. The point is not to feel bad. The point is to know which passwords are definitely compromised so you can stop using them.

Bonus: Check HaveIBeenPwned.com/Passwords to see if any specific password you use has appeared in a breach. (The site uses a clever privacy technique so your actual password never leaves your device.)

Step 2: Delete Accounts You Do Not Use

This is the step most people skip, and it is the most important.

Every old account is an attack surface. If you are not using it, delete it. Here is how to find them:

1. Search your email for phrases like “welcome to,” “confirm your account,” “thanks for signing up,” or “verify your email.” This will surface accounts you have forgotten about.

2. Check your password manager (if you use one) for sites you have not visited in over a year.

3. Review “Sign in with Google/Apple/Facebook” connections in your account settings. Revoke access to apps and services you no longer use.

4. Use a service like JustDeleteMe to find the account deletion page for specific services. (Some make it deliberately hard to find.)

For each account you find: if you use it, update the password. If you do not use it, delete it. No exceptions.

Step 3: Fix Your Password Hygiene

You have heard this before, but here it is again, because it is the single most effective defense:

1. Use a password manager. Bitwarden (free), Apple Passwords, 1Password, Dashlane, or the one built into your browser. The specific tool matters less than actually using one.

2. Every account gets a unique password. Let the password manager generate random 16+ character passwords. You do not need to remember them.

3. Turn on two-factor authentication everywhere it is offered. Authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) are better than SMS, but SMS is better than nothing.

4. Secure your password manager recovery. Your master password should be strong and unique. Store backup codes in a safe place (not a cloud document). If you use biometrics, make sure your backup method is also secure.

Step 4: Secure Your Backup Codes

Here is a detail most people miss: in the Australian superannuation attack, some victims had MFA enabled, but attackers used stolen backup codes to bypass it.

Backup codes are the “break glass in emergency” option for two-factor authentication. They are also often stored carelessly (in notes apps, cloud documents, or email drafts).

- Store backup codes in your password manager, or

- Print them and keep them in a physical safe, or

- Store them in an encrypted note

Never store them in plain text in the cloud.

The Bottom Line

Your passwords from 2015 are still circulating on criminal forums. Your dormant accounts from services you forgot about are still vulnerable. And attackers are running 26 billion automated attempts every month to see which old keys still open new doors.

The good news: you can fix this in an afternoon. Check what has been exposed. Delete what you do not need. Update what remains. Turn on two-factor authentication. And stop reusing passwords.

The Australian victims lost half a million dollars because they were still using passwords from years ago. Do not be the next case study.

Sources:

FBI IC3 (March 2026), HaveIBeenPwned.com, HUMAN Security, Trend Micro, Bitdefender, Consumer Reports Security Planner*

Picture your building’s security company storing a copy of every tenant’s master key in a warehouse. A thief breaks into the warehouse, copies the keys, then robs 80 apartments. The tenants’ locks were fine. The security company’s warehouse was the weak link.

That is almost exactly what happened to Marquis Software Solutions.

According to Marquis’ lawsuit against SonicWall, In February 2025, attackers compromised SonicWall’s cloud portal and stole firewall configuration data, including emergency backup passcodes, for a subset of customers. Those passcodes were designed to bypass normal authentication in emergencies. The attackers sat on the stolen keys for months.

Then, in August 2025, they used those passcodes to walk straight into Marquis Software’s network. Marquis provides core banking software to community banks and credit unions across the country. Once inside, the attackers exfiltrated Social Security numbers, bank account details, and credit card numbers belonging to 823,548 people across 80 banks and credit unions, then deployed ransomware.

No bank was directly attacked. Every bank was affected.

This is a double supply chain attack: SonicWall (the firewall vendor) fell first, which enabled the breach of Marquis (the banking software vendor), which exposed data from 80+ financial institutions and their customers. Two links in the chain, hundreds of thousands of victims.

And Marquis was not alone. In March 2026:

• APT41 (a Chinese state-backed group) was revealed to have been inside F5 Networks for over 12 months, potentially deploying backdoors on customer systems. F5 makes the access control software that banks, hospitals, and government agencies depend on.

• The Trivy vulnerability scanner (covered last week), a security tool used by thousands of enterprises, was itself compromised when attackers poisoned 76 of 77 release tags on GitHub. The tool organizations trusted to find vulnerabilities became the vulnerability.

• The GlassWorm campaign planted malicious code in 433 packages, repositories, and IDE extensions across GitHub, npm, and VSCode marketplaces, hiding payloads in invisible Unicode characters.

The good news is that there are steps that you can take to minimize the risk from your supply chain…. Like insisting on a Software Bill of Materials (SBOM) among other controls.

Why Should You Care?

Supply chain attacks are growing faster than almost any other category:

• 30% of all data breaches in 2025 involved a third-party vendor, double the rate from previous years (DeepStrike)

• Supply chain breaches cost $4.91 million on average and take the longest to detect, averaging 267 days from compromise to containment (IBM Cost of a Data Breach Report, 2025)

• 877,522 malicious packages were detected in open-source software repositories in 2025, a 73% increase over 2024 (ReversingLabs/Sonatype)

• $60 billion in global losses from software supply chain attacks in 2025, projected to reach $138 billion by 2031 (Cybersecurity Ventures)

Here is the part that makes supply chain attacks different from every other type: you can do everything right and still get hit. Your firewalls are configured correctly. Your employees passed phishing training. Your systems are patched. But if your software vendor, or your vendor’s vendor, gets compromised, the attackers ride in on trusted software through the front door.

How Does This Work?

Think of it like a contaminated ingredient in a food supply. The restaurant did nothing wrong. The ingredient passed inspection. But everyone who eats the meal gets sick.

Software supply chains work the same way. Modern organizations depend on dozens (sometimes hundreds) of vendors, each of which depends on their own set of vendors, open-source libraries, cloud providers, and service partners. An attacker who compromises one link anywhere in that chain can reach every organization downstream.

The most common supply chain attack patterns right now:

1. Vendor credential theft (the Marquis pattern): Steal login credentials or backup codes from a vendor’s systems, then use that access to reach their customers. The attackers never need to touch the target directly.

2. Software update poisoning (the Trivy pattern): Inject malicious code into a legitimate software update or open-source package. Every organization that installs the update gets compromised automatically.

3. Developer environment infiltration (the GlassWorm pattern): Plant malicious code in developer tools, IDE extensions, or code repositories. When developers use these tools, the malicious code harvests credentials and tokens that open doors to production systems.

4. Cloud infrastructure compromise (the Resolv DeFi pattern): Target the cloud management layer, such as AWS key management or Microsoft Intune admin accounts, rather than the application itself. One privileged cloud key can unlock an entire organization.

What makes these attacks so effective is trust. Organizations trust their vendors. Developers trust their tools. Automated systems trust signed updates. Attackers exploit that trust.

What Can You Do?

If You Run an Organization

1. Know your ingredient list.
You cannot protect what you do not know about. Build and maintain a Software Bill of Materials (SBOM), an inventory of every piece of software and every vendor your organization depends on. Our colleagues at NetRise have built an excellent platform for exactly this: their tools generate SBOMs from binaries, firmware, and containers, then map every component back to known vulnerabilities and, with their new Provenance feature (launched March 2026), trace which developers and organizations are behind each open-source component. If the Trivy compromise taught us anything, knowing what is inside your software stack is no longer optional.

2. Verify your vendors’ vendors.
Third-party risk assessments should not stop at your direct vendors. Ask them: who are your critical vendors? How do you secure their access? According to Marquis, the Marquis breach happened because SonicWall’s cloud backup practices were inadequate. Marquis trusted SonicWall. Eighty banks trusted Marquis. The chain broke at the link nobody was watching.

3. Lock down admin accounts like they are the crown jewels.
Phishing-resistant multi-factor authentication (hardware keys, not SMS codes) on every administrative account. No exceptions. The Stryker wiper attack (200,000 devices destroyed in March 2026) started with a single compromised Microsoft Intune admin account.

4. Segment your network so one breach cannot reach everything.
If a vendor is compromised, limit what they can access. Your banking software vendor does not need access to your HR systems. Your HVAC vendor does not need access to your customer database.

5. Plan for your vendor getting breached.
Have an incident response plan that specifically addresses the scenario where a trusted vendor is compromised. Know which data is at risk, how to isolate affected systems, and who to call. Practice it.

If You Are a Professional (Any Field)

1. Use a password manager and unique passwords everywhere.
If one service is breached, reused passwords give attackers access to your other accounts. A password manager makes unique passwords easy.

2. Turn on multi-factor authentication, and secure the backup codes.
MFA is essential, but in the Marquis case, attackers bypassed it using stolen emergency backup passcodes. Store your backup codes in a secure location (a password manager or a physical safe), not in a cloud document.

3. Be cautious with browser extensions and software add-ons.
The GlassWorm campaign hid malicious code inside 72 fake VSCode extensions that mimicked popular developer tools. The same approach works with browser extensions, mobile apps, and plugins of all kinds. Stick to well-known, well-reviewed tools, and remove anything you are not actively using.

4. Update deliberately, not blindly.
Patching remains critical, but after the Trivy compromise, security experts recommend a brief waiting period (24 to 48 hours) before adopting updates from sources that are not critical security patches. This gives the community time to catch poisoned updates before they spread.

The Bottom Line

The biggest cybersecurity risk to your organization may not be your own security. It may be your vendor’s. Supply chain attacks exploit the trust between organizations, and they are growing in frequency, sophistication, and impact. You cannot eliminate the risk, but you can reduce your exposure by knowing your software ingredients, verifying your vendors, and planning for the day one of them gets compromised.

Research Sources:

Intruvent CTI Cloud

American Banker, “Marquis Breach Toll Rises to 80 Banks, 824,000 Consumers”

TechCrunch, “Marquis Sues SonicWall Over Ransomware Breach”

IBM, 2025 Cost of a Data Breach Report

DeepStrike, “Supply Chain Attack Statistics 2025”

Cybersecurity Ventures, “Software Supply Chain Attack Costs”

Microsoft Security Blog, “Trivy Supply Chain Compromise Guidance”

Intruvent Technologies, BRACE Threat Intelligence Reports, March 2026

Last Updated: March 31, 2026

On March 19, 2026, a threat actor called TeamPCP compromised Trivy, one of the most widely used open-source vulnerability scanners in the world. The tool that thousands of organizations run inside their CI/CD pipelines to find security flaws was itself weaponized to steal credentials, backdoor developer machines, and spread laterally through cloud infrastructure.

Over 1,000 cloud environments have been confirmed infected. Aqua Security, Trivy’s maintainer, is still investigating the full scope. Microsoft, Palo Alto Unit 42, Wiz, Sysdig, GitGuardian, and Arctic Wolf have all published independent analyses. CVE-2026-33634 has been assigned with a CVSS score of 9.4.

If your organization uses Trivy, GitHub Actions, or any npm packages updated in the last week, keep reading.

How the Attack Unfolded

The compromise happened in five phases, each building on the last. Understanding this chain matters because the same pattern can be replicated against any open-source project with CI/CD automation.

Phase 1: A Misconfigured Workflow and an Incomplete Fix

Sometime in late February 2026, an automated bot called “hackerbot-claw” found a misconfigured `pull_request_target` workflow in Trivy’s GitHub repository. This is a well-documented vulnerability in GitHub Actions: the `pull_request_target` event runs workflows with write access to the repository and makes secrets available to the workflow, even when triggered by a pull request from a fork.

The bot exploited this to steal a Personal Access Token (PAT) from Trivy’s CI environment. Aqua Security discovered the theft and rotated credentials, but the rotation was incomplete. According to GitGuardian’s analysis, residual access paths remained open. TeamPCP retained access to surviving tokens, including credentials for the `aqua-bot` service account, and waited.

Phase 2: Binary Poisoning Through Official Channels

On March 19 at 17:43 UTC, TeamPCP used the compromised service account to push a malicious Trivy release: version 0.69.4. The commits were crafted to spoof legitimate maintainer identities, reusing original author metadata and timestamps to create a deceptive Git history. The release triggered Aqua’s automated build pipelines, which published the infected binary to GitHub Releases, Docker Hub, GitHub Container Registry (GHCR), and Amazon ECR.

Two days later, on March 22, TeamPCP pushed additional malicious Docker images tagged 0.69.5 and 0.69.6 directly to Docker Hub, without corresponding GitHub releases. The last clean version is 0.69.3.

Phase 3: Tag Poisoning Turns Every Pipeline into a Weapon

This is where the attack scaled. TeamPCP force-pushed malicious commits to 75 of 76 version tags in the `trivy-action` GitHub Action and all 7 tags in `setup-trivy`. Because most GitHub Actions workflows reference actions by version tag (e.g., `@v0.28.0`) rather than by commit SHA, every CI/CD pipeline that referenced these actions began running TeamPCP’s code on its next execution. No workflow file changed. No pull request was created. The tag simply pointed somewhere new.

The poisoned actions executed a three-step credential theft operation:

Collection. The malware read directly from GitHub Actions Runner memory (`/proc/<pid>/mem`), bypassing GitHub’s log-masking to harvest credentials. Targeted secrets included SSH keys, AWS/GCP/Azure cloud credentials, Kubernetes tokens, Docker registry credentials, database passwords, TLS private keys, and cryptocurrency wallet files. It also scraped credentials from over 50 filesystem paths.

Encryption. Stolen data was encrypted with AES-256-CBC wrapped in RSA-4096, making network-layer inspection ineffective.

Exfiltration. Primary exfiltration went to a typosquatted domain: `scan.aquasecurtiy[.]org` (note the misspelling of “security”), resolving to 45.148.10.212 (TECHOFF SRV LIMITED, Amsterdam). As a fallback, the malware used the victim’s own stolen GitHub PAT to create a public repository named `tpcp-docs` and uploaded the encrypted credential dump there, using trusted infrastructure as a dead drop.

Phase 4: Persistent Backdoor via Blockchain C2

When the malicious Trivy binary ran on developer workstations (not just in CI/CD), it installed a systemd service (`sysmon.py`) that polled an Internet Computer Protocol (ICP) blockchain canister every 50 minutes for command-and-control instructions. Because the C2 infrastructure lives on a decentralized blockchain, it resists DNS sinkholes, domain takedowns, and traditional network-based blocking. The low beacon frequency (every 50 minutes) was designed to evade statistical anomaly detection.

Phase 5: CanisterWorm Spreads Through npm

Using credentials stolen in Phase 3, TeamPCP launched CanisterWorm, a self-propagating worm that compromised 47+ npm packages across multiple scopes (including @emilgroup, @opengov, and @teale.io namespaces). Twenty-eight packages were compromised within 60 seconds. Later variants added token theft and malicious publishing in postinstall hooks, turning every developer or CI pipeline that installed an affected package into an unwitting propagation vector.

On March 22, TeamPCP also used a compromised long-lived PAT from the `Argon-DevOps-Mgt` bot account (created July 2023) to breach Aqua Security’s internal GitHub organization. Within a two-minute window (20:31-20:32 UTC), 44 internal repositories were renamed with a `tpcp-docs-` prefix, exposing Tracee source code, internal forks, CI/CD pipelines, and Kubernetes operators.

The Kubernetes Wiper: “Kamikaze”

One payload deserves special attention. TeamPCP deployed a Kubernetes wiper that deploys privileged DaemonSets across cluster nodes. The behavior is geographically targeted:

On systems geolocated to Iran: executes `rm -rf / --no-preserve-root` and forces a system reboot via a container named “kamikaze”

On all other systems: installs CanisterWorm as a systemd service for persistent backdoor access

The Iranian targeting is notable given the current geopolitical context, but attribution to any state actor has not been established. TeamPCP’s motivations appear primarily criminal (credential theft, infrastructure compromise) with the Iranian wiper component potentially representing hacktivism, a false flag, or an unrelated vendetta. No vendor has attributed TeamPCP to a nation-state.

Why This Matters

This attack exploits a fundamental trust assumption: that security tools are trustworthy. Organizations run Trivy inside their most privileged environments (CI/CD pipelines with access to production credentials, cloud infrastructure tokens, and signing keys) precisely because it is a security tool. That trust relationship made the compromise devastatingly effective.

Three structural problems made this possible:

1. Tag-based GitHub Action references are inherently fragile. If you reference `uses: aquasecurity/trivy-action@v0.28.0`, you are trusting that the tag will always point to the same commit. Tags can be force-pushed. There is no integrity guarantee. This is a known risk that the GitHub Actions ecosystem has not adequately addressed. The fix is to pin actions by full commit SHA, which is immutable.

2. Incomplete credential rotation created the window. Aqua Security detected the initial PAT theft in late February and rotated credentials, but missed residual access paths. TeamPCP waited and re-entered through a surviving token. As GitGuardian’s analysis puts it: the core lesson extends beyond detection. Organizations must “trace blast radius, prioritize rotation, verify remediation, and prove that the same credential cannot be reused tomorrow.”

3. Official distribution channels became the delivery mechanism. The malicious binary was published through GitHub Releases, Docker Hub, GHCR, and ECR. These are the channels organizations trust. There was no phishing email, no drive-by download, no exploitation of a vulnerability in the traditional sense. The attacker simply published a new version through legitimate automation.

What You Should Do

Immediate (today)

Check for affected Trivy versions. Search your environments for Trivy 0.69.4, 0.69.5, or 0.69.6. The last clean version is 0.69.3. Check GitHub Actions logs, Docker image registries, and developer workstations.

Audit GitHub Actions workflow runs from March 19 onward. Review execution logs for `trivy-action` and `setup-trivy`. Look for unexpected network connections, repository creation (especially repositories prefixed with `tpcp-docs`), or credential access patterns.

Rotate all secrets that were accessible to affected pipelines. If any pipeline ran a compromised action or binary after March 19, treat every secret accessible to that pipeline as compromised. This includes cloud provider credentials, Docker registry tokens, npm publish tokens, SSH keys, database credentials, and Kubernetes service account tokens.

Search for persistence mechanisms. On Linux systems, look for suspicious systemd services: `sysmon.py`, `pgmon.py`, `pgmonitor.service`, `internal-monitor.service`. Check for outbound connections to the ICP canister endpoint (`tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io`) or the typosquatted domain (`scan.aquasecurtiy[.]org`).

This week

Pin all GitHub Actions by full commit SHA. Replace every tag-based action reference in your workflows with the full 40-character commit hash. This is the single most effective mitigation against tag poisoning attacks. Yes, it makes updates harder. That friction is the point.

Audit npm dependencies installed since March 19. Check for packages in the @emilgroup, @opengov, and @teale.io scopes. Review postinstall hooks in all recently updated packages.

Review CI/CD pipeline permissions. Apply least privilege to workflow tokens. Restrict `GITHUB_TOKEN` permissions to the minimum required for each workflow. Eliminate long-lived PATs wherever possible and replace with short-lived, scoped tokens.

Going forward

Treat CI/CD runners as production infrastructure. Monitor them with the same rigor you apply to production servers. Credential theft from a CI/CD runner can be more damaging than a production server compromise because runners have access to deployment credentials, signing keys, and cross-environment tokens.

Implement secret scanning and rotation verification. When you rotate credentials after an incident, verify the rotation was complete. Test that the old credential no longer works. GitGuardian, GitHub Advanced Security, and similar tools can help detect lingering exposure.

Indicators of Compromise

Network:

- `scan.aquasecurtiy[.]org` (typosquatted exfiltration domain)

- `45.148.10.212` (TECHOFF SRV LIMITED, Amsterdam)

- `tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0[.]io` (ICP blockchain C2)

- `plug-tab-protective-relay.trycloudflare.com` (Cloudflare tunnel exfil)

- `souls-entire-defined-routes.trycloudflare.com`

- `checkmarx[.]zone`

- `63.251.162.11`

- `23.142.184.129` (ICP blockchain infrastructure; monitor only, do not block as this serves legitimate traffic.)

Note on Cloudflare tunnel domains: The `trycloudflare[.]com` subdomains above are ephemeral Cloudflare quick tunnels that may already be rotated or expired. Monitor for the pattern but do not rely on these as durable indicators.

Note on checkmarx[.]zone: This is a typosquatted domain impersonating Checkmarx (legitimate domain: checkmarx.com). Confirmed as attacker infrastructure by Palo Alto Unit 42.

Affected versions:

- Trivy 0.69.4, 0.69.5, 0.69.6 (last clean: 0.69.3)

- trivy-action: 75 of 76 tags compromised

- setup-trivy: all 7 tags compromised

- 47+ npm packages across @emilgroup, @opengov, @teale.io scopes

Persistence indicators:

- systemd services: `sysmon.py`, `pgmon.py`, `pgmonitor.service`, `internal-monitor.service`

- Repositories prefixed with `tpcp-docs` in your GitHub organization

File hashes (select):

- `e9b1e069efc778c1e77fb3f5fcc3bd3580bbc810604cbf4347897ddb4b8c163b`

- `61ff00a81b19624adaad425b9129ba2f312f4ab76fb5ddc2c628a5037d31a4ba`

The Bottom Line

The Trivy compromise demonstrates that software supply chain attacks are no longer limited to obscure packages or niche tools. A security scanner used by thousands of organizations to protect their infrastructure was turned into a credential harvesting platform, a persistent backdoor, and a worm propagation vector, all distributed through official channels that defenders are conditioned to trust.

The fix is not complicated, but it requires discipline. Pin your actions by SHA. Rotate credentials completely. Monitor your CI/CD runners. And stop assuming that because a tool is designed to improve your security, it cannot be used to destroy it.

*Research sources: Intruvent CTI Cloud, Microsoft Defender Security Research (March 24, 2026), Palo Alto Unit 42 Cloud Security (March 25, 2026), Wiz Research (March 20-23, 2026), GitGuardian (March 24, 2026), The Hacker News (March 25, 2026), Sysdig Threat Research (March 23, 2026), Arctic Wolf (March 24, 2026), Aqua Security formal advisory (March 23, 2026)*

For threat hunting queries and detection rules for your SIEM, visit the Intruvent Threat Intelligence Hub or for CTU related to the Iran conflict visit the Intruvent Iran Cyber Threat Intelligence Center or contact us at contact@intruvent.com.

Want sector-specific threat intelligence for your organization? Check out our BRACE CTI platform

What Happened?

Last week, we published Threat Actor Profiles (TAPs) and Threat Hunting Guides (THGs) for Iran’s most dangerous cyber operators and the escalating threat they pose to Western organizations. If you haven’t seen them yet, our Iran Cyber Threat Intelligence Center is the go-to resource for tracking every active Iranian threat group, complete with detection rules, hunting queries, and tactical guidance. Go check it out.

One technique kept showing up across almost every group we profiled: bypassing multi-factor authentication.

Not breaking it. Not cracking it. Bypassing it entirely.

Here’s how it works. You get an email that looks like it came from Microsoft or Google. The login page looks real. The URL looks close enough. You type your password, get the MFA prompt on your phone, and approve it. You did everything right. You followed the training. You used MFA.

And the attacker now has your session.

The page you logged into was running through a reverse proxy: a server sitting invisibly between you and the real Microsoft login. When you completed your MFA challenge, the proxy captured the session token that Microsoft issued after your successful authentication. The attacker takes that token, loads it into their own browser, and they’re in. Microsoft thinks they’re you. MFA never fires again because the token says authentication already happened.

This isn’t theoretical. This is the primary access technique for multiple Iranian state-sponsored groups operating right now.

Why Should You Care?

Because MFA has become the security equivalent of “I eat healthy” while surviving on protein bars and Diet Coke. It feels like you’re covered. The checkbox is checked. And for years, that was good enough.

It’s not good enough anymore.

APT42, the IRGC Intelligence Organization’s dedicated credential harvesting unit (also tracked as Charming Kitten and Mint Sandstorm), has built an industrial-scale phishing operation specifically designed to defeat MFA. Check Point Research documented over 130 phishing domains operated by the group, many running custom React-based phishing kits that intercept MFA tokens in real time. Their targets include journalists, academics, policy researchers, government officials, and cybersecurity professionals. They build trust over weeks of correspondence before sending the malicious link. By the time the phishing page loads, the victim has every reason to believe the interaction is legitimate.

APT33 (Peach Sandstorm) takes a different approach to the same problem. Rather than sophisticated phishing proxies, they run massive password spraying campaigns against Azure AD and Microsoft 365 environments. The technique is blunt but effective: try common passwords across thousands of accounts. When they find one that works, they look for ways around MFA. Legacy authentication protocols like IMAP, POP3, and SMTP AUTH don’t support MFA at all. If your organization hasn’t explicitly blocked these protocols, an attacker with a valid password can walk right past your MFA controls using a protocol from 1996.

Then there’s the Stryker attack. Two weeks ago, Handala (a front for Iran’s MOIS destructive operations unit, Void Manticore) compromised a Stryker Corporation admin account and used Microsoft Intune to remotely wipe 200,000 devices across 79 countries. MFA was in place. It didn’t prevent the initial credential theft from being leveraged into catastrophic admin abuse. Once the attackers had a single valid session with administrative privileges, every device enrolled in the management platform became a target.

MuddyWater rounds out the picture. Iran’s MOIS-affiliated group harvests credentials and then operates entirely within legitimate cloud services for command and control. They don’t need to bypass your MFA repeatedly because they’re working within trusted authentication contexts, using your own cloud infrastructure against you.

The pattern across all four groups is the same: MFA is a speed bump, not a wall.

How Does This Actually Work?

The tool that makes this possible is called Evilginx. Originally built as a penetration testing tool, it’s an open-source reverse proxy framework that sits between a victim and a legitimate login page. The attacker sets up a server, registers a domain that looks similar to the real one, and configures Evilginx to proxy traffic to the actual Microsoft or Google login.

When you visit the phishing page, Evilginx forwards your request to the real login server. You see the real login page, rendered through the proxy. You enter your password. The real server sends back an MFA challenge. You approve it on your phone. The real server issues a session token. Evilginx captures that token before passing the authenticated page back to you.

You see a successful login. The attacker sees your session token.

From there, the attacker loads your stolen token into their own browser. To Microsoft’s servers, the request looks identical to yours: same token, valid authentication, MFA already completed. The attacker can now read your email, access your files, and move laterally through your organization. Unless someone notices that your account is suddenly being accessed from two different countries at the same time, there’s no alert.

The commercial ecosystem around this technique has matured rapidly. Phishing-as-a-Service platforms like Tycoon 2FA, Sneaky2FA, and Flowerstorm sell ready-made kits that handle the entire reverse proxy setup. No technical expertise required. Push Security’s 2025 analysis found that MFA bypass is now standard fare in the criminal phishing marketplace, and that roughly one in three phishing attacks they detected were delivered outside of email entirely, through LinkedIn messages, Google search results, and other channels that email security tools never see.

Token theft accounted for 31% of Microsoft 365 breaches in 2025, making it the leading attack vector ahead of traditional credential compromise. Microsoft documented over 382,000 MFA fatigue attacks in a single year, with research showing that 1% of users blindly accept the first push notification they receive.

One percent sounds small until you calculate it across an organization with 10,000 employees.

What Can You Do?

For Everyone:

Stop approving MFA prompts you didn’t initiate. This is the single most important takeaway from this entire article. If your phone buzzes with a login approval request and you aren’t actively logging into something, deny it. Every time. That unexpected prompt could be an attacker who already has your password, waiting for you to tap “Approve” so they can walk into your account.

Use a password manager. A good password manager auto-fills credentials only on the exact domain they were saved for. If you land on a phishing page at “micros0ft-login.com” instead of “microsoft.com,” your password manager will refuse to fill in your credentials. That moment of friction could save your organization.

For IT and Security Teams:

Deploy phishing-resistant MFA. Hardware security keys (FIDO2/WebAuthn) and passkeys defeat reverse proxy attacks entirely because the authentication is cryptographically bound to the legitimate domain. The key literally cannot produce a valid response for a phishing site because the domain doesn’t match. Google deployed hardware security keys to all 85,000+ employees and reported zero successful phishing attacks afterward. Cloudflare survived a sophisticated phishing campaign that compromised other tech companies because their hardware keys refused to authenticate on the phishing domain, even after employees clicked the malicious links and entered their credentials.

Adoption of phishing-resistant authenticators grew 63% in 2024, according to Okta’s research. CISA calls FIDO2 and PKI-based authentication the gold standard. Multiple countries are now mandating the retirement of SMS-based authentication. The technology is mature and the deployment playbooks are proven.

Block legacy authentication protocols. If IMAP, POP3, SMTP AUTH, and other legacy protocols are still enabled in your Microsoft 365 or Entra ID environment, you have a backdoor that bypasses MFA entirely. Create Conditional Access policies that block legacy authentication. Start in report-only mode to identify any legitimate usage, then enforce. This single change eliminates the attack vector that APT33 and dozens of other groups exploit through password spraying.

Implement Conditional Access policies with teeth. Require compliant devices for access to sensitive resources. Restrict authentication to managed devices and known network locations for administrative accounts. Require step-up authentication for high-risk actions. These policies create layers of verification that survive a stolen session token.

Monitor for token replay. When an attacker steals a session token, there’s a window where two different sessions using the same token are active from different IP addresses and user agents. Enable Continuous Access Evaluation in Entra ID, which can detect and revoke tokens when conditions change. Watch for impossible travel patterns. Alert on sessions where the user agent or IP address changes mid-session.

Shorten token lifetimes for sensitive accounts. The shorter the session token validity, the smaller the window an attacker has to exploit a stolen token. This creates friction for legitimate users, so apply it selectively to high-privilege accounts where the security tradeoff is worth it.

For Security Leaders:

Audit your MFA deployment honestly. Check which accounts still use SMS-based MFA. Identify where legacy protocols remain enabled. Find the administrative accounts that have permanently assigned privileges rather than just-in-time access. The Stryker attack demonstrated what happens when a single admin account with broad permissions gets compromised. Least privilege and just-in-time access aren’t theoretical best practices. They’re the difference between a compromised account and a compromised enterprise.

The Bottom Line

MFA still matters. Having MFA enabled is dramatically better than not having it. The vast majority of credential attacks still fail against accounts with any form of MFA enabled.

But “I have MFA” has become the new “I have antivirus.” It’s a starting point, not a finish line. The Iranian groups we profiled on our Iran Cyber Threat Intelligence Center have built entire operational playbooks around the assumption that their targets use MFA. Their attacks are designed from the ground up to defeat it.

The fix exists. Hardware security keys and passkeys are cryptographically immune to these attacks. Blocking legacy protocols closes the password-spraying backdoor. Conditional Access policies and token monitoring catch what gets through. None of this is exotic or experimental. It’s available today, from the vendors you already use.

The question isn’t whether your MFA can be bypassed. It can. The question is whether you’ve deployed the controls that make bypass meaningless.

Next time you get an unexpected MFA prompt on your phone, remember: that approval button might be the most dangerous click you make all year. Deny it. Call your IT team.

Research Sources: Intruvent CTI Cloud, Google Cloud/Mandiant APT42 Research, Check Point Research, Microsoft Threat Intelligence, Cisco Talos, Push Security 2025 Phishing Trends Report, Okta Secure Sign-in Trends Report 2025, Obsidian Security, CISA Phishing-Resistant MFA Guidance, Malwarebytes, Infoblox

For the complete Iranian threat actor profiles, detection queries, and hunting guides, visit the Iran Cyber Threat Intelligence Center.

Last Updated: March 24, 2026

Want sector specific threat intelligence for your organization? Check out our BRACE CTI platform at https://intruvent.com/brace

Welcome to new readers! If this is your first time here, here’s how this works. Prevent This publishes weekly and covers a specific type of cyber attack, breaks down how it works, and gives you practical steps to protect yourself. Every other week, we also publish Intruvent Edge, our cyber threat intelligence newsletter that takes a deep dive into a specific threat actor, complete with hunting logic and actionable intelligence.

From the Intruvent Intel Desk

Our latest analysis on Iranian cyber threats is live. If you missed it, check out our Iran Cyber Threat overview at our website. You can find the most recent Iran Conflict SITREP here.

A big thank you to Shane Shook, advisor to Intruvent and someone whose insight consistently makes our intelligence better. Shane recently shared research on Iranian threat activity that added depth to our own analysis, and we’ve incorporated his findings into our ongoing coverage. Shane also recently published a piece at the National Security Institute regarding the new US Cyber Strategy which can be found here, and is well worth the read.

Now, on to this week’s topic...

What is Instagram?

Instagram is a photo and video sharing platform owned by Meta (formerly Facebook). With over 2 billion monthly active users, Instagram started as a simple photo filter app. It has evolved into a sprawling ecosystem of Stories, Reels, DMs, shopping, and live streaming. It is the second most popular social media app among U.S. teens behind YouTube, with 61% of 13 to 17 year olds using it regularly and 47% opening it daily.

If your teenager has a phone, there is a better than coin-flip chance they are on Instagram right now.

What Happened?

In September 2024, Meta announced Instagram Teen Accounts with fanfare. Built-in protections. Private by default. Messaging restrictions. Content filters. Adam Mosseri, Instagram’s head, wrote that Teen Accounts were “designed to give parents peace of mind.”

Researchers tested that claim. The results were not encouraging.

A joint study by ParentsTogether Action, the HEAT Initiative, and Design It for Us found that nearly 60% of teens aged 13 to 15 still encountered unsafe content and unwanted messages on Instagram within a six-month window after Teen Accounts launched. Nearly 60% of kids who received unwanted messages said those messages came from users they believe to be adults. And roughly 40% of those unwanted messages were from people trying to start a sexual or romantic relationship with the teen.

A separate independent review of Meta’s 47 stated safety features found that only eight worked as advertised. Nine others reduced harm but had limitations. Thirty features, 64% of the total, were either ineffective or no longer available.

It was a good start, but not a full solution…

Researchers found that adults could still message teenagers who did not follow them. Instagram’s algorithm continued recommending sexual content, violent content, and self-harm material to teen accounts despite filters that were supposed to block it. They also found evidence that children under 13 were actively using the platform and that the algorithm was incentivizing their engagement.

In October 2025, Meta introduced PG-13 content standards for teen users, promising to filter content the way movie ratings filter what kids see in theaters. Posts showing marijuana use, alcohol content, and extreme stunts would be hidden from most teen accounts. Parents could also opt into a stricter “Limited Content” mode.

The safety measures keep coming. The underlying problems keep staying.

Why Should You Care?

Because Instagram is ground zero for teen sextortion in America, and the numbers are staggering.

A joint report from the National Center for Missing and Exploited Children (NCMEC) and Thorn (child safety advocacy experts) analyzed sextortion data from 2020 to 2023. Instagram was the most mentioned platform in financial sextortion reports. In cases where an offender threatened to distribute intimate imagery online, 81% of threats named Instagram as the distribution platform. When images were actually distributed, 60% of the time it happened on Instagram. And in 45% of reports that identified where offenders first made contact with victims, that first contact happened on Instagram.

The typical victim is not who most parents picture. Ninety percent of financial sextortion victims are boys between the ages of 14 and 17. They are catfished by someone posing as a peer, persuaded to share explicit images, and then blackmailed. The rise of financial sextortion has been linked to organized crime networks in Nigeria and Cote d’Ivoire, where the tactic is promoted as a way to get rich fast.

A February 2026 study published in the Journal of Adolescent Health surveyed 3,466 U.S. teens and found that nearly 1 in 3 had received a sext and almost 1 in 4 had sent one. Those numbers are up sharply from 2019. Among teens who sent a sext, nearly half reported their image was shared without their permission. And half of teens who sent a sext reported being targeted with sextortion afterward.

Teens who sexted someone outside of a current romantic relationship were 13 times more likely to have their images shared without consent and five times more likely to experience sextortion.

This is not hypothetical risk. This is happening to kids in your neighborhood, at your school, right now.

How Does This Work?

Instagram’s risk profile for teens breaks down into four categories.

The Algorithm Problem

Instagram’s recommendation engine is designed to maximize engagement. For teens, that means the algorithm learns what gets a reaction and serves more of it. Internal Meta research leaked in 2021 showed that Instagram’s own researchers knew the platform was contributing to body image issues and mental health harm, particularly for teenage girls. Despite years of promises, independent researchers continue to find that the algorithm recommends eating disorder content, self-harm material, and sexually suggestive posts to teen accounts. The algorithm does not care about your child’s wellbeing. It cares about keeping them scrolling.

The “Private Account” Myth

Many parents believe that setting their teen’s account to private solves the problem. It helps, but it does not solve it. A private account means new followers need approval. It does not prevent your teen from accepting a follow request from a stranger who looks like a peer. It does not prevent screenshots of their content by approved followers. It does not prevent their profile photo, bio, and username from being visible to everyone. And it does not prevent them from being found through friends’ tagged photos, school hashtags, or location tags. A private account is a speed bump, not a wall.

The Direct Message (DM) Pipeline

Even with messaging restrictions, teens can still receive messages from anyone they follow or are connected to. Predators and sextortion operators know this. They create accounts that look like peers, engage with the same content, follow friends of the target, and eventually get followed back. Once that connection is made, the messaging restrictions disappear. The conversation often moves quickly to Snapchat or another platform where messages are harder to trace.

The Finsta Problem

Finstas, or “fake Instagrams,” are secondary accounts teens create specifically to post content they do not want parents or their wider social circle to see. These accounts typically have no parental supervision enabled, use a different email address, and exist entirely outside whatever safety guardrails parents have set up on the primary account. Meta’s own data suggests this is widespread, and Teen Account protections can be bypassed by anyone willing to create a new account with a false birthdate.

What Can You Do?

Step 1: Set Up Parental Supervision Through Family Center

Meta’s Family Center is the hub for parental oversight on Instagram. It is not perfect, but it is the foundation.

1. Open Instagram and tap your profile icon (bottom right)

2. Tap the menu (☰) in the top right, then tap “Settings and privacy”

3. Scroll to “Supervision” under the “For families” section and tap “Family Center”

4. Follow the prompts to send a supervision invitation to your teen’s account

5. Your teen must accept the invitation from their device

Once connected, you can see who your teen follows and who follows them (but not their messages), set daily time limits from 15 minutes to 2 hours, schedule break times and sleep mode hours, and receive notifications if your teen reports content.

Important: teens under 16 need your permission to change default safety settings to be less strict. Teens 16 and 17 can change settings on their own. And your teen can remove supervision at any time. Have a conversation about why it stays on.

Step 2: Verify Teen Account Settings

If your teen is under 16, these should already be the defaults. Verify them anyway.

Account Privacy: Profile > Menu (☰) > Settings and privacy > Account privacy > Private Account should be ON.

Messaging: Profile > Menu (☰) > Settings and privacy > Messages and story replies > set to “Only people you follow.” This prevents strangers from sliding into DMs. Confirm this has not been changed.

Sensitive Content Control: Profile > Menu (☰) > Settings and privacy > Content preferences > Sensitive content > Set to “Less.” This is the most restrictive option and limits what appears in Explore and Reels. For the updated PG-13 settings, parents can also enable “Limited Content” mode here for even stricter filtering.

Comments: Profile > Menu (☰) > Settings and privacy > Comments > Select “People you follow” to limit who can comment on posts.

Tags and Mentions: Profile > Menu (☰) > Settings and privacy > Tags and mentions > Select “People you follow” or “No one.”

Activity Status: Profile > Menu (☰) > Settings and privacy > Activity status (under “How others can interact with you”) > Toggle OFF. This prevents others from seeing when your teen was last active.

Story Sharing: Profile > Menu (☰) > Settings and privacy > Story > Disable “Allow sharing to messages.” This prevents your teen’s Stories from being forwarded via DM.

Step 3: Lock Down Location and Data Exposure

Remove location from posts. Before posting, tap the location field and remove it. This is a phone-level setting, not inside Instagram.

On iPhone: go to your phone’s Settings > Privacy & Security > Location Services > Instagram > Set to “Never.”

On Android: phone Settings > Location > App permissions > Instagram > Deny or “Only while using the app.” GPS coordinates embedded in photos are metadata gold for anyone building a profile on your child.

Disable contact syncing. Profile > Menu (☰) > Settings and privacy > Accounts Center > Your information and permissions > Upload contacts > Instagram > Toggle OFF. This prevents Instagram from mapping your teen’s entire contact list and suggesting connections to people they may know in real life but should not be connected to online.

Review connected apps. Profile > Menu (☰) > Settings and privacy > Accounts Center > Your information and permissions > Apps and websites. Remove any third-party apps your teen has connected to Instagram. These often have broad permissions to access profile data, follower lists, and messages.

Step 4: Have the Conversations That Matter

Settings are guardrails. Conversations are the actual protection.

About sextortion: “There are criminals who specifically target teenagers on Instagram. They pretend to be your age, build a friendship, and then pressure you into sharing photos. Then they threaten to send those photos to everyone you know unless you pay them. This happens to smart kids every single day. If it ever happens to you, come to me immediately. You will not be in trouble. The person doing it is the criminal.” Direct them to NCMEC’s CyberTipline at 1-800-843-5678 or report.cybertip.org.

About the algorithm: “Instagram is designed to show you more of whatever gets a reaction from you. If you pause on something that makes you feel bad about yourself, it will show you more of it. That is not a reflection of reality. It is a machine optimizing for your attention. If your feed starts making you feel worse instead of better, you can reset your recommendations in Settings and privacy > Content preferences > Reset suggested content.”

About finstas: “If you feel like you need a secret account to be yourself, let’s talk about why. I would rather know about it and help you navigate it than find out after something goes wrong.”

About follower requests: “If someone you have never met in real life sends you a follow request, do not accept it. If they have mutual friends, ask those friends if they actually know the person offline. Bots and fake accounts copy real people’s photos to look legitimate.”

Step 5: Use Your Phone’s Built-In Tools

Instagram’s controls have gaps. Supplement with operating system level tools.

Apple Screen Time (iPhone): Settings > Screen Time > App Limits. Set a daily limit for Instagram. Enable “Prevent Changes” under Content & Privacy Restrictions so your teen cannot override it.

Google Family Link (Android): Set daily app limits, approve or block apps, and monitor usage. These controls operate at the system level, so they cannot be bypassed from within Instagram.

What’s Next on Their Phones: The Apps You Should Know About

This is the final installment of Social Media’s Open Door. We have covered Snapchat, TikTok, Facebook, and now Instagram. But new platforms are showing up on your kids’ phones all the time. Here are three to watch right now.

Coverstar is marketed as the “safe TikTok alternative.” No DMs, moderated content, and community guidelines focused on positivity. It sounds great on paper. In practice, profiles are public by default, age verification is easy to bypass by simply deleting and recreating an account with a fake birthdate, the app serves inappropriate advertisements alongside kid content, and a virtual currency system called Starcoins lets followers send real-money gifts during livestreams. A former FBI agent has publicly flagged safety concerns. The user base is almost entirely tween girls dancing on camera for public audiences. The app markets itself with the tagline “Go viral, not toxic.” Parenting advocacy group Brave Parenting does not recommend it, noting that despite the safety branding, the platform still promotes comparison, competition, and objectification among children. If your child is using Coverstar, set their profile to private, talk about the difference between creativity and performing for strangers, and monitor for adults attempting to move conversations to other platforms through public comments.

Lemon8 is owned by ByteDance, the same Chinese company behind TikTok. Think Instagram meets Pinterest: lifestyle content, curated aesthetics, recipes, fashion, and beauty tips. It uses the same algorithmic approach as TikTok to surface content, and it carries the same data privacy concerns. When TikTok was briefly banned in January 2025, Lemon8 disappeared from app stores too because it falls under the same divest-or-ban legislation. ByteDance has been actively paying TikTok influencers to promote Lemon8 as a “backup app.” If you had concerns about TikTok’s data practices, those concerns apply here.

The common thread across every platform in this series is the same: default settings are not enough, privacy controls have gaps, and the most effective protection is a parent who understands how the app works and talks about it regularly.

The Bottom Line

Instagram is the most popular image-sharing platform among American teenagers and the number one platform for sextortion. Meta continues to announce new safety features, and independent researchers continue to find that most of those features do not work as advertised. Teen Accounts are a step in the right direction, but they are not a solution.

Set up Family Center supervision. Verify every default setting yourself. Lock down location services and contact syncing. Have the hard conversations about sextortion, the algorithm, and secret accounts. Supplement with your phone’s built-in parental controls.

And remember the lesson from this entire series: every app on your kid’s phone is an unlocked door. Your job is to know which doors are open, teach your kids how to recognize who is standing on the other side, and make sure they know they can always come to you when something feels wrong.

Your kid’s phone is a gateway to more than just their friends. It connects to your home network, your family’s location data, and in some cases, your workplace systems. The threat does not stop at their device. But neither does your ability to protect them.

Thanks for reading Intruvent Edge! This post is public so feel free to share it.

This is the final installment of the Prevent This: Social Media’s Open Door series. Catch up on the full series: Part 1 — Snapchat, Part 2 — TikTok, Part 3 — Facebook.

Research Sources: NCMEC/Thorn Financial Sextortion Report (2024), ParentsTogether Action/HEAT Initiative/Design It For Us Instagram Teen Accounts Study (2025), TIME Magazine Instagram Investigation (October 2025), Journal of Adolescent Health — Patchin & Hinduja Sextortion Study (February 2026), Florida Atlantic University Sexting Research (2026), Pew Research Center Teens & Social Media (December 2025), Meta Family Center Documentation, Instagram Teen Accounts Announcement (September 2024), ABC News PG-13 Content Standards Report (October 2025), ConnectSafely Parent’s Guide to Instagram (2025), Brave Parenting Coverstar Guide (2026), Bark Technologies App Reviews, Gabb Noplace Safety Review (2024)

Last Updated: March 17, 2026

On Tuesday morning, employees at Stryker Corporation’s headquarters in Cork, Ireland walked into work and found every screen displaying the same image: a cartoon of a barefoot boy staring defiantly over his shoulder.

Their laptops wouldn’t boot. Their phones had been factory reset. Manufacturing systems across 79 countries: offline. The cartoon was the logo of Handala Hack Team. And the tool they used to pull it off? The same one Stryker’s own IT department uses every day to manage its devices.

Microsoft Intune.

Handala didn’t deploy custom malware. They didn’t need a zero-day exploit. They compromised Stryker’s Intune administration and pushed legitimate remote wipe commands to every enrolled device: Windows, macOS, iOS, Android. Laptops, phones, tablets. 200,000 devices, according to Handala’s claim. Including employees’ personal devices.

Stryker (NYSE: SYK), a $100 billion medtech company with 56,000 employees, told workers to immediately uninstall Intune, Company Portal, Teams, and VPN apps from their personal phones. Employees resorted to WhatsApp to communicate. SYK shares dropped roughly 4.5%. Ireland’s National Cyber Security Centre was notified.

This is the first confirmed large-scale weaponization of enterprise device management in a cyber attack. And it should concern anyone running Intune, Jamf, SCCM, Google Workspace MDM, or any other platform that has remote wipe authority over your fleet.

Want to make sure that your company isn’t the next target? We built a complete intelligence package to help you respond to 4 of the top Iranian cyber threat groups. Situation reports, threat actor profiles, and hunting queries you can run today (click on the image below:

(Alternative link: https://intruvent.com/iran-cyber-threat/)

This Isn’t a Hacktivist Group. This isn’t a ransomware operation. This is a skilled, determined nation state actor. One of many professional threat actor groups that work for the Iranian Government.

Handala is the latest person for this skilled adversary, the name comes from Naji al-Ali’s famous 1969 political cartoon character, a ten-year-old refugee.

Check Point Research connected Handala to Void Manticore in May 2024. Void Manticore, also tracked as Storm-0842 by Microsoft and BANISHED KITTEN by CrowdStrike, is a destructive operations unit inside Iran’s Ministry of Intelligence and Security (MOIS). They operate under the Counter-Terrorism Division, led by Seyed Yahya Hosseini Panjaki, a sanctioned intelligence official who also goes by “Seyed Yahya Hamidi.”

Here’s how the MOIS model works. One unit, Scarred Manticore (Storm-0861), handles the espionage phase: breaking in, establishing persistent access, collecting intelligence. When Tehran decides it’s time to break things, that access gets handed off to Void Manticore for the destructive phase. Check Point calls it the “one-two punch” model. It was used in the 2022 Albania campaign. It’s been used repeatedly against Israel. The gap between initial intrusion and destruction can exceed twelve months.

Before Handala, this same unit operated as “HomeLand Justice” (Albania), “Karma”, and “DarkBit”.

The Escalation Arc You Should Know

Void Manticore’s capabilities have gotten steadily more dangerous since 2022. Here’s the trajectory:

Albania, July 2022: CL Wiper and GoXML ransomware against government systems. Entry via a SharePoint vulnerability. CISA published a full advisory (AA22-264A) after the FBI confirmed Iranian state attribution.

Israel, October 2023: BiBi-Linux — their first custom wiper targeting Israel, named to mock PM Netanyahu. Corrupts files with random data and slaps on a “.BiBi” extension. A Windows variant followed within weeks.

Early 2024, Operation HamsaUpdate: Supply-chain-style delivery. Wipers disguised as security updates. Both Windows and Linux variants. Telegram bots for command and control.

July 2024, The CrowdStrike Lure: When CrowdStrike’s Falcon agent caused a global outage, Handala exploited the chaos within hours. Phishing emails from a spoofed domain delivered a wiper through a sophisticated chain that included Bring Your Own Vulnerable Driver (BYOVD) for privilege escalation and a technique that copies a clean .text section over the hooked version to neutralize endpoint detection.

Late 2024: Check Point observed Void Manticore pairing the commercial Rhadamanthys infostealer with custom wipers. Researchers described this as a shift from imitating cybercriminals to actively leveraging the cybercrime ecosystem.

January 2025, School Sirens: Handala hijacked emergency PA systems in 20 Israeli kindergartens, broadcasting rocket sirens and audio on a Sunday morning. A mass SMS campaign followed.

March 11, 2026, Stryker: MDM weaponization. No custom malware required.

Look at that arc. Web shells in 2022. Custom wipers in 2023. Supply-chain delivery in 2024. Psychological warfare in 2025. Legitimate enterprise tool weaponization in 2026. Each phase more operationally sophisticated than the last.

Why This Changes the Threat Model

The Stryker attack inverts a fundamental assumption in endpoint security: that your management tools are on your side.

Every organization running Intune has given it the ability to remotely wipe any enrolled device. That is one of the main functions of enterprise MDM. IT teams use it daily: offboarding employees, handling lost devices, enforcing compliance. The capability isn’t a vulnerability. It’s a feature.

But when an attacker gains Intune administrative access, every enrolled device becomes a target for destruction with a single API call. No malware to deploy. No EDR to evade. No YARA rules to match. The wipe command comes from a trusted source through a trusted channel, executed by a trusted agent already installed on every device.

The Microsoft Graph API exposes this programmatically. An attacker with a compromised admin token or service principal can script a POST request to /deviceManagement/managedDevices/{id}/wipe and hit every device in the tenant. The entire operation can be automated.

For the technically curious: passive analysis of public data on Stryker’s external footprint shows a cloud-first environment: Azure, M365, Entra ID. No internet-facing Pulse Secure, Fortinet, PAN-OS, or Citrix appliances visible in public scan data. That’s significant because Scarred Manticore’s standard playbook relies on exploiting perimeter VPN appliances. Those targets don’t appear to exist here.

The most probable initial access path? Cloud identity compromise: adversary-in-the-middle phishing to hijack Entra ID session tokens, credential stuffing, or OAuth consent phishing. All well-documented in the Iranian state playbook.

[Editor’s note: we wrote about the “red hot” AiTM technique family on Tuesday’s edition of Prevent This. If a small firm like Intruvent has multiple cases in our lab where AiTM was the vector, it shows that it is VERY wide spread]

One more data point. Stryker disclosed a data breach affecting the period May through June 2024. That timeline aligns uncomfortably well with Scarred Manticore’s documented persistence model: 12+ months of silent access before handoff to the destructive team. Whether that 2024 breach was the initial intrusion that enabled the March 2026 handoff remains unconfirmed. But that pattern fits, too.

The Bigger Picture: Operation Epic Fury

The Stryker attack didn’t happen in a vacuum.

On February 28, the US and Israel launched Operation Epic Fury: a coordinated military campaign against Iranian military infrastructure. US Cyber Command degraded Iran’s internet connectivity to 1-4%. Supreme Leader Khamenei was killed in a targeted strike.

Within hours, Iran activated the Electronic Operations Room on Telegram to coordinate retaliatory cyber operations. Palo Alto’s Unit 42 counted approximately 60 hacktivist groups mobilized under this umbrella, though CrowdStrike assessed that much of the activity was claim-driven rather than evidence-backed.

Handala’s claims were different. Handala backed them up with confirmed destruction.

Twelve days in, the military situation continues to escalate. CENTCOM reports 5,500+ targets struck. Iran’s True Promise IV missile campaign has reached 37 waves. Israeli forces have entered southern Lebanon. Oil prices spiked to $119/barrel before the IEA released 400 million barrels from strategic reserves. Iranian drones struck three AWS data centers in the UAE and Bahrain. The Strait of Hormuz remains effectively closed.

Mojtaba Khamenei, the killed Supreme Leader’s son, was named as Iran’s third Supreme Leader on March 8. The IRGC pledged full obedience. Iran’s Foreign Minister stated that Iran is not seeking a ceasefire.

In this environment, cyber operations aren’t a side note. They’re a primary instrument of Iranian asymmetric response.

We published a comprehensive situation report on the Iran conflict that covers all of this and more — including a full sector risk assessment and 19-action response framework. It’s available free and ungated on our new Iran Cyber Threat Intelligence Center.

What Should You Do Right Now

If you run Intune or any MDM platform:

1. Restrict remote wipe permissions to the absolute minimum number of accounts

2. Require approval workflows for bulk device actions

3. Enforce phishing-resistant MFA on all admin accounts… not SMS, not push notifications. FIDO2 or Windows Hello for Business

4. Implement Conditional Access policies requiring compliant, managed devices for admin portal access

5. Enable Privileged Identity Management (PIM) with time-limited activations

6. Segment MDM administrative access from general IT accounts

7. Review your BYOD enrollment: ensure personal devices use MAM-only (App Protection Policies) rather than full MDM, so a compromised admin can’t wipe employees’ personal data

If you have exposure to the conflict (reports state that ALL US AND ISRAELI BUSINESSES are targets:

1. If you can, elevate SOC to 24/7 staffing

2. Alert/Activate incident response retainers. At the very least, get your responders to a ready state. Better yet, see if they can do a Compromise Assessment for you.

3. Review cloud infrastructure for single-region Middle East dependencies

4. Assess supply chain exposure to Strait of Hormuz disruption

5. Brief executive leadership on the sustained nature of the threat — a diplomatic resolution is assessed as very unlikely within 30 days

Deploy the hunting queries on our Iran Cyber Threat Intelligence Center. We’ve published copy-paste-ready KQL and Sigma detection rules for Handala’s MDM weaponization, Lemon Sandstorm’s VPN exploitation, Agrius wiper families, and MuddyWater’s RMM tool abuse.

What Else Is Moving

Handala is the loudest actor in this conflict (to date), but not the only one. MuddyWater is deploying new Dindoor and FakeSet backdoors against US financial and aviation targets. Lemon Sandstorm has been pre-positioned inside Western critical national infrastructure for at least two years and may activate dormant access for disruptive ICS/SCADA operations. Agrius is assessed as likely to target energy and financial services within the next 30 days. CrowdStrike recently identified a new group, Hydro Kitten, targeting Western financial services.

We’ve published full threat actor profiles and hunting guides for each of these groups. All TLP:CLEAR. All free and ungated. Go get them:

intruvent.com/iran-cyber-threat

The Bottom Line

Handala spent two years conducting psychological warfare and operating under multiple personas. The Stryker attack shows they’ve crossed a capability threshold.

MDM weaponization requires no custom malware, no zero-day exploits, and no advanced tradecraft. It requires administrative access to a platform that already has permission to wipe every device in your organization.

The countermeasures aren’t exotic. They’re the same controls security teams have been advocating for years: least privilege, phishing-resistant MFA, just-in-time access, conditional access policies, and monitoring for anomalous admin actions. The difference is that, as of March 11, 2026, those controls are no longer theoretical best practices. They’re the difference between operations continuing and 200,000 devices going dark.

If your Intune admin accounts are protected by SMS-based MFA and permanently assigned Global Administrator roles, you already know what needs to change.

Stay vigilant. Stay prepared. And stay tuned.

Research Sources: CISA Advisory AA22-264A, Check Point Research, Palo Alto Unit 42, Splunk, Trellix, Intezer, SecurityJoes, BlackBerry Research, Krebs on Security, Zetter Zero Day

For the complete IOC list, detection queries, and hunt procedures, visit the Iran Cyber Threat Intelligence Center.

Facebook is the world’s largest social media platform, owned by Meta Platforms, Inc. With over 3 billion monthly active users, it tries to be your number one social stop on the Internet. It’s a marketplace, a news feed, a business directory, a messaging platform, a dating app, and increasingly, an AI training dataset, all rolled into one account tied to your real name, your real face, and likely your real phone number.

Unlike Snapchat (built for teenagers) or TikTok (built for entertainment), Facebook was engineered from the start around identity. Your actual name. Your actual network. That design choice is both its power and its most significant security liability.

The Good

Facebook has real value. For many families, it’s how grandparents stay connected with grandchildren. For small businesses, it’s often their primary online presence. For community organizations, nonprofits, and local news, it’s become the town square. Facebook Groups and Marketplace are genuinely useful tools, and Facebook’s infrastructure for staying in touch with people across time zones and generations is unmatched.

Meta has also invested heavily in security infrastructure over the years. It employs thousands of security engineers, runs a robust bug bounty program, and offers two-factor authentication, login alerts, and account recovery tools that are, when actually turned on, quite effective.

But the gap between what Facebook can do to protect you and what it does by default is wide. And the company’s history with your data deserves an honest look before we get to the settings.

The Track Record: A Pattern Worth Understanding

Facebook has been fined, sued, and hauled before Congress more times than any other technology company in history. Here are some notable instances:

The Cambridge Analytica Scandal remains the most significant data privacy incident in social media history. In 2014, a psychology researcher named Aleksandr Kogan built a quiz app that collected data not only from the 270,000 people who took it, but through a loophole in Facebook’s API, from all of their friends as well. The result: personal data from approximately 87 million Facebook users was harvested and handed to Cambridge Analytica, a political consulting firm, without those users ever knowing. The data was used to build psychological profiles for targeted political advertising.

Facebook knew about it in 2015 and asked Cambridge Analytica to delete the data. They didn’t. The public didn’t find out until 2018.

The FTC fined Facebook $5 billion in 2019 to settle the investigation into the incident, according to Wikipedia. As recently as November 2025, Facebook executives and a group of Meta shareholders agreed to a $190 million settlement in a lawsuit alleging that leadership prioritized executives over the company’s fiduciary responsibility to investors. And in July 2025, an $8 billion class action lawsuit against Meta Founder Mark Zuckerberg and other Meta board members went to trial according to CBC News. The legal fallout from that single incident is still unfolding, a decade later.

The Cambridge Analytica scandal mattered because it exposed something most users didn’t understand: your Facebook data doesn’t stay between you and Facebook. Every app you’ve ever connected to your account, every quiz you’ve taken, every “Login with Facebook” button you’ve ever clicked, those are all doors. And Facebook’s history shows those doors haven’t always had locks.

The 2021 Data Breach is less famous but directly relevant. Phone numbers, full names, birth dates, email addresses, and location data from 533 million Facebook users were published in a hacker forum. If you had a Facebook account before 2019, your phone number was likely in that dataset. Attackers routinely reuse data from breaches like this for targeted phishing, profile-based extortion, credential stuffing, and SIM swap attacks that can escalate from social media into banking and email account takeovers (source: ExpressVPN).

AI Training is the newest front. Facebook uses public data for AI training, which has raised privacy concerns (source: All Things Secured). In May 2025, Meta confirmed it was using public posts, photos, and comments from Facebook and Instagram to train its AI models, including content posted by users going back years. The opt-out exists, but it’s buried and doesn’t apply to data already used.

Why Parents Should Care

Facebook’s minimum age is 13, but a 2011 study found that 76% of parents reported their child joined Facebook younger than 13 according to Wikipedia. The platform removes roughly 20,000 underage accounts per day, which tells you both that the problem is massive and that they are trying to handle enforcement of their rules.

For teenagers on the platform, the risks aren’t hypothetical. Predators use Facebook’s search features and public group memberships to identify and target minors. Scammers impersonate classmates or run fake marketplace listings targeting teens. And the “real name” requirement that makes Facebook feel safer than anonymous platforms actually makes it easier for bad actors to build convincing fake profiles that exploit your family’s trust network.

The account cloning attack is particularly relevant for parents: a criminal copies your profile photo and name, creates a new account, and then sends friend requests to everyone on your list, your kids included. Once connected, they have access to your network and a credible-looking identity to run scams from.

Why Business Leaders Should Care Specifically

Facebook offers “Login with Facebook” as an authentication method for any business system or application. This means that employees or customers can use their Facebook login credentials to authenticate to 3rd party applications. But, the security of that system is now tied to the security of each employee’s personal Facebook account. Many organizations don’t realize they’ve accepted that risk.

Beyond that, business pages and Facebook Business Manager accounts are high-value targets. Hackers who gain access to your Business Manager can run paid ad campaigns on your credit card, impersonate your brand, access customer data in connected apps, and lock you out of your own page. These attacks are common, sophisticated, and often executed through phishing emails that look exactly like official Meta security alerts.

Employee social engineering is another vector. Attackers research leadership teams on Facebook to build convincing pretexts, the same technique that powers the vishing attacks covered in an earlier issue of this newsletter. A company org chart can be reconstructed from public Facebook profiles in under an hour.

How to Make Facebook (More) Secure

Fair warning: Meta updates its interface frequently, and settings move. If you can’t find something exactly where described, use the search function within Settings to locate it.

Here’s a sharable cheat sheet, followed by the long form instructions:

For Personal Accounts

Step 1: Lock Down Your Login

Enable Two-Factor Authentication (2FA). This is non-negotiable

• Go to Settings & Privacy > Settings > Accounts Center > Password and Security > Two-Factor Authentication

• Choose an authenticator app (Google Authenticator, Authy, or similar) rather than SMS. SMS codes can be intercepted via SIM swap attacks

Turn on Login Alerts

• In the same Password and Security section, enable Get alerts about unrecognized logins

• Set alerts to both email and in-app notifications

Review Active Sessions

• Under Password and Security > Where You’re Logged In, review every active session

• Log out of anything you don’t recognize immediately

Step 2: Audit Connected Apps — This Is the Cambridge Analytica Fix

This is the single most overlooked security action on Facebook, and it’s where the Cambridge Analytica-style risk lives

• Go to Settings > Your Activity > Apps and Websites

• Review everything listed. Be ruthless. If you haven’t used an app in the past year, remove it

• When you remove an app, also select the option to delete your activity on that app

• Pay special attention to apps that have access to your friends list or your profile information

Do this every six months. Apps change ownership, get acquired by data brokers, or simply go dark while retaining the data access they were granted years ago

Step 3: Tighten Your Privacy Settings

• Settings > Privacy Checkup > Who Can See What You Share

  • Who can see your future posts? Set to Friends (not Public)

  • Limit the audience for past posts? Run this once to retroactively restrict everything you’ve shared publicly

  • Who can see the people, Pages, and lists you follow? Set to Only me

• Settings > Privacy Checkup > How People Find and Contact You

  • Who can send you friend requests? Set to Friends of Friends

  • Who can look you up using your email address? Set to Only me

  • Who can look you up using your phone number? Set to Only me

  • Do you want search engines outside of Facebook to link to your profile? Set to No

Step 4: Lock Down Your Profile Information

• Go to your Profile > About and review every field

• Birthday: set to Only Me or remove the year entirely (birthdates are commonly used in identity theft)

• Phone number: Only Me, or remove it from your profile entirely

• Workplace and hometown: consider whether this information needs to be public

• Check-ins and location: disable automatic location tagging on posts

Step 5: Opt Out of AI Training

• This option has (apparently) been removed in the latest versions of the Facebook Application.

For Parents of Teens (Under 18)

Use Supervision Tools.

• Facebook has a Supervision feature for teens under 18, accessible through Settings > Family Center on a parent account

• This lets you see who your teen is connected with and receive activity updates

• Similar to TikTok’s Family Pairing, set it up even if your teen pushes back

Review Their “About” Section Together.

• Walk through every piece of information your teen has posted publicly

• No phone numbers, no school name visible to non-friends, no location

• The rule: if you wouldn’t put it on a flyer stapled to a telephone pole, it shouldn’t be public

Have the “Stranger” Conversation for Social Media.

• The threat isn’t a stranger in a van. It’s a person who sent a friend request that looked like it came from someone they know.

• Teach them: if someone they don’t recognize adds them, they don’t need to accept. Ever.

• The platform makes it easy to accept because it suggests people. Suggestion is not endorsement.

Clone Attack Awareness.

• Tell your teen: if they get a second friend request from someone already on their list, that’s a cloned account. Don’t accept it. Report it. Tell you.

For Business Pages and Business Manager

Secure Your Business Manager Account First.

• Go to business.facebook.com > Business Settings > Security Center

• Enable Two-Factor Authentication for Everyone to force all users on your Business Manager to use 2FA, not just admins

• Review People and remove anyone who no longer works for your company. This is routinely neglected after employee departures.

Limit Ad Account Permissions.

• Under Business Settings > Ad Accounts, restrict who has financial control over adding payment methods or running campaigns

• Set spending limits on all active ad accounts

• Enable email alerts for all ad account activity

Set Up Brand Impersonation Monitoring.

• Regularly search for your company name on Facebook to find pages impersonating your brand

• Use Facebook’s Brand Rights Protection tools if you have a trademark

• Report fake pages immediately. Cloned business pages are used to run scams targeting your customers.

Never Click Security Emails Without Verifying.

• Phishing emails impersonating Meta Business security alerts are extremely common

• Always go directly to business.facebook.com rather than clicking any email link claiming to be from Meta

• Real Meta alerts will be waiting for you inside Business Manager when you log in directly

The Bottom Line

Facebook is the most powerful identity platform on the internet. That power cuts both ways. It connects you to real people in your life, and it hands your real identity to anyone who gains access to your account, your connected apps, or your data.

The company’s track record is mixed when dealing with privacy vs monetization decisions. That’s not a reason to delete your account. It’s a reason to stop treating Facebook like a trusted friend and start treating it like a business relationship, one where you’ve read the contract, audit the terms regularly, and don’t hand over more than you have to.

The settings above take about 30 minutes to implement. They won’t make you invisible. But they’ll close the doors that Cambridge Analytica walked through, limit what third parties can see and harvest, and give you a fighting chance if someone tries to take over your account or clone your identity.

If you use Facebook, you should implement these steps as soon as possible.

Research Sources: Meta Privacy Policy and Terms of Service (2025), FTC v. Facebook enforcement records, Cambridge Analytica Congressional testimony and court records, ExpressVPN Facebook Data Breach Analysis, Keller & Heckman Kids and Teens Privacy Report (January 2026), Internet 2.0, Meta Business Help Center, Thomas Law Offices Meta/Facebook Minor Safety Analysis, CBC News Cambridge Analytica lawsuit coverage (July 2025)

Last Updated: March 10, 2026

What Happened?

In January 2026, Microsoft flagged a multi-stage attack campaign hitting energy companies across multiple countries. The attackers weren’t stealing passwords. They were stealing something better.

The attack started with a SharePoint link. Looked normal. Came from a legitimate vendor email that had already been compromised. When employees clicked and logged in, attackers captured their session token in real time.

That token is basically a digital keycard. Once the attacker has it, they’re already inside. No password needed. MFA already bypassed.

Within 14 minutes of capturing a token, attackers were creating inbox rules to hide their activity and sending 600+ phishing emails from the compromised account. Internal contacts. External partners. Distribution lists. All from a trusted sender.

By the time IT noticed, the attack had spread to multiple organizations.

The technique is called Adversary-in-the-Middle (AiTM). And it’s everywhere right now. We have multiple cases in the Intruvent Forensic Lab right now where this is the attack vector the bad guys used.

Wait... Didn’t We Cover This Before?

You might be thinking “this sounds like the Man-in-the-Middle attacks we covered last month.” You’re half right.

Traditional MitM attacks intercept data flowing between two parties. Someone tapping a phone line to eavesdrop, or stealing your password as it travels to the server. The defense was straightforward: encryption and multi-factor authentication. For a while, that worked.

AiTM attacks evolved specifically to defeat MFA.

Classic MitM attackers eavesdrop passively. AiTM attackers set up a fake login page that relays everything in real-time to the legitimate site, including your MFA code. They’re not just listening to the conversation. They’re participating in it, handing your credentials to Microsoft on your behalf and pocketing the session token that comes back.

Think of it via this analogy: Classic MitM steals your key. AiTM waits for you to unlock the door, then clones the “already verified” badge before you step inside.

This is why phishing-resistant MFA matters. Hardware security keys and passkeys are bound to the legitimate site’s domain and can’t be relayed through a fake page. Wrong domain, no authentication.

Why Should You Care?

You’ve probably heard that MFA stops 99% of attacks. That was true. Past tense.

AiTM attacks don’t try to guess your password or brute-force your MFA code. They sit between you and the login page, relaying everything in real time. You enter your password. They capture it. You enter your MFA code. They capture that too. You get logged in. So do they.

The session token you receive? They have a copy. And that token works from anywhere.

Password resets don’t help. The attacker already has a valid session. MFA resets don’t help either. The session is already authenticated.

This is why Microsoft explicitly warned that “password reset is not an effective solution” for these attacks. Organizations need to revoke active sessions and hunt for inbox rules the attacker created to stay hidden.

How Does This Work?

Think of it like a relay race, except the baton is your login.

You click a link. It looks like your normal Microsoft login page. Same colors, same logo. But you’re actually on an attacker-controlled server that’s sitting in the middle.

When you type your password, the attacker’s server passes it to the real Microsoft. When Microsoft asks for your MFA code, the attacker relays that request to you. You enter the code. The attacker passes it along. Microsoft says “welcome” and issues a session token.

That token goes to you. And to the attacker.

Now they’re logged in as you. No alerts. No warnings. Your session, their control.

Once inside, attackers typically:

• Create inbox rules that auto-delete security alerts

• Mark incoming emails as read so you don’t notice new messages

• Send phishing emails to your contacts using your identity

• Monitor for financial transactions to intercept

• Delete evidence of their activity

The whole process takes minutes. Recovery takes weeks.

What Can You Do?

For Organizations:

Stop trusting passwords alone. Even with MFA. Implement phishing-resistant authentication like hardware security keys (FIDO2/WebAuthn). These can’t be relayed because they verify you’re on the legitimate site.

Require dual approval for financial transactions. Wire transfer requests should always be verified through a separate channel. Not email. Not the same Teams chat. Pick up the phone and call a known number.

Monitor for suspicious inbox rules. Attackers create rules to hide their tracks. If you see rules auto-deleting emails with words like “security,” “alert,” “hack,” or “phish,” you have a problem.

Use conditional access policies. If your users shouldn’t be logging in from Nigeria, Eastern Europe or Asia, lock this places out.

Disable legacy authentication protocols. This one is huge. The big AiTM attackers will use these protocols to rapidly conduct their attacks (see 14 minute window section above). By blocking them it short circuits their attack capabilities.

Set aggressive session timeouts. The longer a session stays active, the longer an attacker can use a stolen token. Microsoft’s default timeouts can stretch for days. That’s too long.

Hunt for impossible travel. If someone logs in from New York at 9am and Tokyo at 9:15am, that’s not jet lag. That’s a compromised session.

For Everyone:

Check URLs before entering credentials. AiTM attacks rely on lookalike domains. “microsoft-login.com” is not “login.microsoft.com.”

If a login page comes from an email link, stop. Go directly to the site by typing the address yourself. Bookmark your important logins.

Use hardware security keys if your employer offers them. They’re the only MFA method that can’t be phished in real time.

Report suspicious emails even if you clicked. Speed matters. The faster security knows, the faster they can revoke sessions.

The Bottom Line

MFA was supposed to be the lock that kept attackers out. AiTM attacks turned that lock into a revolving door.

Your password gets you in. So does the attacker. Your MFA code verifies you. And the attacker. The session token proves you’re legitimate. The attacker has one too.

Next time you click a login link from an email, pause. Is this the real site? Or are you about to hand someone your digital keycard?

Research Sources: Intruvent BRACE reporting, Microsoft Security Blog (January 2026), FBI IC3 2024 Report, eSentire 2026 Threat Report, ReliaQuest BEC Detection Research, Palo Alto Networks

Last Updated: March 3, 2026

She wasn’t being dramatic.

Cybercriminals had quietly copied 3 terabytes of patient data from her organization’s servers. Genetic reports. Letters between doctors. Psychological evaluations. Records affecting up to 150,000 people. And they were threatening to publish everything unless the NHS paid up.

The group called themselves INC Ransom. Within eight months, they would hit Alder Hey Children’s Hospital in Liverpool, one of Europe’s largest pediatric facilities. Same playbook. Same ruthlessness. Sophisticated attacks by skilled attackers.

[Editor's Note] If you work in cybersecurity at a children's hospital, or know someone who does, please reach out (contact@intruvent.com). Intruvent provides free threat intelligence to children's hospitals worldwide. You all have a hard enough job already. Thank you for all that you do!

Welcome to INC Ransomware, an operation that has positioned itself as one of the most prolific groups in the ransomware ecosystem. Defenders and Threat Hunters, we have FREE Intel Guides available, please see the links below.

📄 Download the Threat Actor Profile →

🔍 Download the Threat Hunting Guide →

The Origin Story

INC appeared in July 2023, seemingly from nowhere. Unlike most ransomware groups that splinter from existing operations, INC showed up as an original creation. Secureworks tracks them as GOLD IONIC. MITRE cataloged them as G1032. By September 2023, just two months in, they had posted 12 victims to their dark web leak site.

What set INC apart was their messaging. They framed intrusions as unauthorized security audits. “We’re making your environment more secure” was the implicit pitch. It’s manipulation dressed up as customer service.

The numbers tell the story: 162 victims in 2024. Over 300 in 2025. In July 2025, INC became the most deployed ransomware by victim count. They average 11 organizations per month.

How INC Gets In

The trail often starts with internet-facing systems.

CVE-2023-3519 (Remote Code Execution) in Citrix NetScaler stands out as a consistent favorite. This vulnerability allows attackers to execute code without authentication. CISA issued an advisory in July 2023. INC was exploiting it almost immediately.

INC affiliates have also exploited Fortinet products, including FortiClient EMS (CVE-2023-48788) and FortiOS (FG-IR-24-535). In one documented case, attackers created new SSL VPN configurations on a compromised FortiGate to maintain persistent access.

But the scariest entry point might be the most mundane. Microsoft tracks an affiliate called Vanilla Tempest (formerly Vice Society) that adopted INC ransomware for healthcare targeting. Their approach? SEO poisoning. They manipulate search results so that when employees search for common business documents, they land on malicious sites that deploy Gootloader malware. No vulnerability required. Just someone searching for a contract template.

Once inside, real people poke around the network. They run reconnaissance with netscan.exe and AdFind. They harvest credentials using tools like lsassy.py and Impacket’s secretsdump. In one case documented by HvS-Consulting, INC operators performed Kerberoasting and cracked the Domain Admin password within 48 hours of initial access.

Double Extortion

By the time encryption begins, attackers have typically spent days inside the network. They’ve exfiltrated terabytes using MEGASync, Rclone, or Restic. They’ve mapped backup systems.

Then files get the “.INC” extension. Ransom notes appear everywhere. Sometimes the ransomware sends notes to network printers, ensuring everyone in the building knows what’s happening.

INC operates two leak sites: a private one for negotiations, and a public one for dumping data from organizations that refuse to pay. The demands are calibrated. Attackers review financial records and cyber insurance policies to set their price. You pay one sum to unlock your files, you pay another sum to ensure they don’t leak your files.

Some attacks skip encryption entirely. ReliaQuest documented cases where INC affiliates exfiltrated data but never deployed the encryptor. Pure extortion, no encryption required.

Healthcare in the Crosshairs

Healthcare accounted for 29% of INC’s attacks in early 2025. Sophos identified INC as one of the three most prominent ransomware groups targeting healthcare organizations last year.

Beyond the NHS attacks, the victim list reads like a healthcare industry directory. Compass Health Network, a mental health provider, lost 500,000 sensitive records including therapy notes and psychiatric diagnoses. OnePoint Patient Care, a hospice pharmacy provider, had a breach affecting 1.74 million individuals.

The UK’s NHS has a policy of not paying ransoms. INC knows this. They keep targeting British healthcare anyway.

The implication: INC isn’t targeting healthcare solely because these organizations might pay. Medical records have long shelf lives on criminal marketplaces. They enable identity theft and fraud for years after the initial breach.

The Code That Wouldn’t Die

In March 2024, someone using the handle “salfetka” appeared on Russian-language forums selling INC’s complete source code for $300,000, limited to three buyers.

By July 2024, a new operation called Lynx emerged. Binary analysis showed 48% overall code similarity with INC. The Linux variants showed 91% overlap.

But here’s the twist: INC didn’t go away. Both operations continue claiming victims in parallel. Some incident responders have seen Lynx ransomware deployed in attacks later claimed on INC’s leak site. For defenders, detection rules for one catch both.

And then came the opsec failure. In January 2026, security researchers discovered that INC operators had reused Restic backup infrastructure across multiple intrusions without properly securing it. The mistake allowed data recovery for 12 US organizations.

Even cybercriminals make configuration errors.

Beyond Healthcare

While healthcare dominates the victim list, INC’s appetite extends further.

Stark Aerospace, a US missile systems and aerial weapons manufacturer, had 4TB of data claimed stolen. The attackers allegedly accessed source code, design plans, employee passports, and UAV firmware.

OnSolve, the company behind the CodeRED emergency alert system used by municipalities nationwide, was hit in November 2025. The attackers demanded $950,000 and exfiltrated customer data including plaintext passwords. The breach forced decommissioning of legacy infrastructure that affected emergency communication capabilities across the country.

Critical infrastructure. Defense contractors. Emergency services. INC doesn’t have any off-limit sectors.

Detection Quick Reference

See our full guides for more info, but here is a cheat sheet for you on quick detection items.

Pre-encryption warning signs:

• AnyDesk, ScreenConnect, or TightVNC on servers where they don’t belong

• netscan.exe or AdFind.exe execution

• MEGASync, Rclone, or Restic on non-backup systems

• Shadow copy deletion commands

Ransomware execution indicators:

• Files with .INC extension

• INC-README.TXT or INC-README.HTML in directories

• INC_Update scheduled task

Patch priority:

• Citrix NetScaler: CVE-2023-3519, CVE-2023-4966

• Fortinet: CVE-2023-48788, FG-IR-24-535

Full guides are available for FREE on the Intruvent site:

📄 Download the Threat Actor Profile →

🔍 Download the Threat Hunting Guide →

What This Means For You

INC represents exactly the threat mid-market enterprises and healthcare organizations need to plan for: sophisticated enough to bypass basic defenses, patient enough to conduct proper reconnaissance, ruthless enough to publish your data regardless of harm.

[IMPORTANT] Patch perimeter devices. Citrix NetScaler, FortiClient EMS, and FortiOS have all featured in INC intrusions. Verify your patch status today.

Monitor living-off-the-land techniques. INC operators use PsExec, WMI, and legitimate remote tools. Behavioral detection catches what signatures miss.

Watch for unauthorized RMM tools. AnyDesk, ScreenConnect, and TightVNC on servers where they don’t belong is a red flag.

Assume breach in your backup strategy. INC operators study networks before encryption. Air-gapped or immutable backups provide the recovery option they work hardest to eliminate.

The Uncomfortable Truth

INC has operated continuously for over two and a half years. They sold their source code and kept going. They spawned Lynx, adding hundreds more victims. They made an opsec mistake that cost them leverage over a dozen organizations, and they’re still running.

The 150,000 people in Scotland whose medical records ended up on the dark web didn’t choose to become part of this story. Neither did the patients at Alder Hey or the communities relying on CodeRED for emergency alerts.

Understanding how groups like INC operate won’t prevent every attack. But it helps organizations focus limited security resources where they matter most.

That’s the work. One intrusion at a time.

Thanks for reading Intruvent Edge!

Research Sources: Secureworks CTU, Palo Alto Unit 42, Trend Micro, MOXFIVE, Microsoft Threat Intelligence, Check Point Research, Sophos X-Ops, HvS-Consulting, ReliaQuest, Huntress, CISA

Last Updated: February 2026

What is TikTok?

TikTok is a short-form video platform owned by ByteDance, a Chinese technology company. With over 170 million users in the United States alone, it’s become the digital hangout spot for an entire generation. Users create and share videos ranging from 15 seconds to 10 minutes, covering everything from dance challenges to educational content.

But beneath the entertaining surface lies a complex web of security concerns that have caught the attention of lawmakers, security researchers, and intelligence agencies worldwide. But like any technology, there are pros and cons to using it.

The Good

Like any application, there are both positive and negative uses for TikTok, and pros and cons to using it. My outspoken colleague Gregg Yurchak uses TikTok as well as YouTube Shorts to reach his audience of almost 700 people for his “Cybersecurity in 60 seconds” channel (@cybersecsec). Folks like Gregg use TikTok as a means to reach an audience that may not be accessible on another platform.

Also, recent legislation and Executive Orders forced ByteDance to sell the majority of TikTok in the US. This sale and the laws surrounding it may mean that TikTok is more secure than it has been in the past. Lets dive in.

The Growing Concerns

TikTok’s security issues are documented by security researchers, investigated by government agencies, and rooted in the legal framework under which ByteDance operates. A 2022 analysis by Internet 2.0, an Australian cybersecurity firm, found TikTok’s data collection exceeded typical social media platforms, harvesting device identifiers, location data, and biometric data including faceprints and voiceprints. BuzzFeed News reported that ByteDance employees in China accessed U.S. user data despite TikTok’s assurances otherwise, while security researchers discovered TikTok was accessing clipboard data that could expose passwords and credit card numbers. China’s National Intelligence Law requires all Chinese companies to “support, assist, and cooperate with state intelligence work.” This is a legal mandate that concerns U.S. lawmakers.

The biometric data collection is particularly alarming. In June 2021, immediately after paying $92 million to settle an Illinois lawsuit for collecting biometric data without consent, TikTok quietly updated its U.S. Privacy Policy to explicitly permit collecting “faceprints and voiceprints.” The catch: TikTok only seeks permission “where required by law.” Only five states have biometric privacy laws, meaning in 45 states, TikTok can collect this data without asking. As Carnegie Mellon privacy expert Alessandro Acquisti told TIME Magazine, biometric data represents permanent identifiers; unlike passwords, you can’t change your faceprint if it’s compromised. The potential uses range “from benign, such as secure access to the app, to chilling, such as mass re-identification and surveillance.”

Legal Action

Because of concerns like those outlined above, the US Government decided to step in and help work out a solution. What followed was years of legal battles, failed negotiations, and regulatory uncertainty spanning two administrations.

Congress finally took decisive action in April 2024, passing the Protecting Americans from Foreign Adversary Controlled Applications Act (PAFACA), which gave ByteDance nine months to sell or face a nationwide ban. After the Supreme Court unanimously upheld the law in January 2025 and the app briefly went dark for U.S. users, President Trump (now in his second term) stepped in with multiple deadline extensions while brokering a deal. The resolution came in January 2026 when TikTok's U.S. operations were transferred to a new joint venture controlled by American investors including Oracle, Silver Lake, and Abu Dhabi's MGX, with ByteDance reduced to a minority stake below the 20% threshold required by law.

What the TikTok Deal Actually Means

So what actually changed? As of January 2026, American users' data now lives on Oracle's servers here in the U.S., not overseas. The algorithm, that secret sauce that decides which videos you see, is being retrained using only American user data, and Oracle is responsible for making sure TikTok follows all the national security rules. Content moderation (deciding what stays up and what gets taken down) is now handled by people in the U.S., and a new board with mostly American members is calling the shots.

But here's the catch: ByteDance didn't fully walk away. They still run the advertising, e-commerce, and marketing side of things for American users, which means your TikTok experience probably feels exactly the same as before. The algorithm retraining is also still a work in progress. It's not like someone flipped a switch and everything became "American" overnight.

How to Make TikTok (More) Secure

If your teenager uses TikTok, the settings you configure today can make the difference between a relatively safe experience and one that exposes them to strangers, predators, and data harvesting on a massive scale. The good news is that TikTok has built in some solid parental controls. The bad news is that most parents have no idea they exist.

The platform now defaults accounts for users under 18 to private, and users under 16 have direct messaging disabled entirely. But defaults only go so far. The following steps will help you lock down your teen's account, limit data collection, and set up Family Pairing so you can monitor their activity from your own device. Fair warning: TikTok updates its interface frequently, so if you cannot find an exact setting, use the search bar within Settings and privacy to locate it.

The Bottom Line

TikTok’s security concerns aren’t theoretical. They’re documented by security researchers, investigated by government agencies, and serious enough that federal law required divestment. The January 2026 sale creates a complex ownership structure that complies with the law, and should make the application more secure.

If TikTok remains part of your family’s digital life, treat it like any other calculated risk. Implement every security control available, have ongoing conversations about digital safety, and stay informed as the legal, technical, and geopolitical landscape continues to evolve.

The best defense against any platform’s security risks is an informed user who understands both the capabilities of the technology and the motivations of those who control it.

Join me for our next Intruvent Edge Newsletter on Thursday where we dive into the disappearance and possible re-emergence of a Threat Actor Group.

Disclaimer: TikTok is a registered trademark of ByteDance Ltd. This article is published for educational and informational purposes as part of cybersecurity awareness. All cited claims are attributed to their original sources. The views expressed are those of the author based on publicly available information and do not constitute legal advice.

Research Sources:

Internet 2.0 cybersecurity analysis (September 2022)

BuzzFeed News investigative reporting (June 2022)

National Intelligence Law of the People’s Republic of China (2017)

Microsoft Security Response Center advisories

Congressional legislation (H.R. 7521, H.R. 2617, Public Law 118-50)

Department of Defense memoranda

Executive Orders 13942 (2020) and enforcement pause orders (2025)

TikTok official privacy policy and settings documentation

Axios, CNN Business, NPR, CNBC reporting on TikTok sale (December 2025-January 2026)

Congressional statements from Rep. Moolenaar and Sen. Markey (December 2025-January 2026)

Last Updated:February 24 2026

Your kid's phone is a gateway to more than just their friends. It connects to your home network, your family's location data, and in some cases, your workplace systems. When a predator targets your teenager on Snapchat or a scammer tricks them into clicking a malicious link on Instagram, the threat doesn't stop at their device. It can pivot to your home security cameras, your work laptop on the same Wi-Fi, or your personal or financial information.

This “Social Media” series breaks down the most popular social platforms your kids are using, the specific risks each one presents, and the settings you need to lock down to protect them from both predators and cyber threat actors. This week we’ll start with Snapchat.

What Happened?

If you’re not on Snapchat yourself, here’s the short version: it’s a messaging app built around photos and short videos that disappear after viewing. It also offers Stories (24-hour visible content), augmented reality filters, real-time location sharing, and an AI chatbot. It launched in 2011, it’s owned by Snap Inc., and its official minimum age is 13.

Kids love it because it feels more private and lower-pressure than Instagram or TikTok. No public follower count, no permanent feed to curate, and disappearing messages make everything feel casual and off-the-record. For teenagers, it’s replaced texting as the place they make plans, joke around, and stay connected. According to Pew Research Center, roughly 130 million teens use it daily worldwide.

In January 2026, Snapchat settled a lawsuit with New Mexico accusing the platform of fueling addiction and mental health harm among minors, TechCrunch reported. Two days later, the company rolled out new parental controls. The timing wasn’t subtle.

The lawsuit was just the latest. In 2024, the New Mexico Department of Justice sent undercover agents posing as teenagers onto Snapchat. According to the state’s complaint, within minutes of creating a fake account for a 14-year-old, agents were flooded with predatory messages, including usernames that explicitly referenced child abuse. Internal Snap documents cited in the lawsuit revealed the company was receiving roughly 10,000 sextortion reports per month. Employees had been raising alarms for years, according to NPR’s reporting on the case.

Florida, Utah, Kansas, and other states have filed their own lawsuits. Over 600 cases naming Snap Inc. have been filed since 2022, according to court records. The consistent allegation across these suits: disappearing messages, minimal age verification, and algorithmic friend suggestions create an environment where predators thrive.

Despite this, Snapchat remains one of the most popular apps among American teenagers, according to Pew Research Center surveys. For many kids, leaving the platform means leaving their entire social circle.

Why Should You Care?

You probably can’t keep your teenager off Snapchat entirely, and a growing body of research suggests that banning social media outright tends to backfire. Studies published in Nature and JAMA Network Open point to a consistent finding: digital literacy and supervised engagement outperform prohibition. Bans push kids to unmonitored spaces, erode trust, and skip the part where teenagers learn to navigate digital life responsibly.

That said, “supervised” is doing a lot of heavy lifting in that sentence. Snapchat has specific, well-documented risks that parents need to understand.

Sextortion is surging. Nearly one in four Gen Z teens and young adults surveyed across six countries reported being victims of sextortion. Among minors who shared intimate images, 76% said they were lied to by the abuser, and 66% lost control of the material. The National Center for Missing and Exploited Children (NCMEC) is one of the premiere agencies in the US dedicated to helping protect children from predators. NCMEC received over 456,000 reports of online enticement in 2024. The FBI, DHS, and multiple state attorneys general have all flagged apps like Snapchat as a primary vector for this type of crime.

“Disappearing” messages create a false sense of safety. Teens think Snaps vanish, so there’s no risk. But screenshots happen. Screen recordings happen. Predators know this illusion makes kids more likely to share content they’d never put in a regular text.

Snap Map broadcasts your kid’s location. It can pinpoint a user down to a specific building. If your teen’s settings aren’t locked down, anyone on their friends list (including strangers accepted through Quick Add) can see exactly where they are.

Quick Add connects strangers to kids. This feature suggests new friends based on mutual connections and phone contacts. Safety researchers have identified it as one of the main ways adult predators access minors on the platform.

How Does This Work?

A quick guide to the features that matter most:

Snaps are photos or videos sent to friends. They disappear after viewing, usually within seconds. Recipients can replay once or screenshot (the sender gets notified of a screenshot, but that doesn’t prevent the capture).

Stories are Snap collections visible to friends (or the public, depending on settings) for 24 hours.

Spotlight is Snapchat’s short-form video feed, similar to TikTok. An algorithm recommends content based on engagement. This is where teens encounter content from strangers.

Snap Map shows friends’ real-time locations whenever they open the app, unless Ghost Mode is enabled.

Quick Add suggests new connections based on mutual friends, contacts, and communities. Safety advocates have pushed Snap to disable this for minors.

My AI is a built-in chatbot. Parents can disable it through Family Center.

Streaks track consecutive days two users have exchanged Snaps. Sounds harmless, but they create compulsive patterns. Teens describe feeling obligated to send content daily just to keep the counter alive, often without thinking about what they’re sending.

What Can You Do?

Set Up Family Center

Both you and your teen need Snapchat accounts, and your teen must accept your invitation to connect.

Family Center lets you:

• See your teen’s full friends list and new friends from the past 7 days

• See who they’ve chatted with (usernames only, not message content)

• See how they might know new friends (mutual connections, shared contacts)

• View daily screen time broken down by feature

• Restrict sensitive content on Spotlight and Stories

• Disable the My AI chatbot

• Request your teen’s location and share yours

• Report accounts to Snapchat’s Trust and Safety team

Family Center does NOT let you:

• Read messages or view Snaps

• Set screen time limits or lock the app

• Prevent your teen from removing your access (Snapchat won’t notify you if they do)

Setup: Open Snapchat > Profile icon > Settings (gear) > Family Center > “Get Started.” Your teen accepts from their end.

Lock Down These Settings

Walk through your teen’s phone together and adjust these:

***1. Ghost Mode: ON. The most important setting. Snap Map > gear icon > Ghost Mode > “Until turned off.” Hides your teen’s real-time location from everyone.

***2. Contacts: Friends Only. Should be the default for teen accounts, but verify. Settings > Privacy Controls > Contact Me > “Friends and Contacts.”

3. Quick Add: OFF. Settings > Privacy Controls > See Me in Quick Add > toggle off. Stops Snapchat from suggesting your teen’s profile to strangers.

4. Story Privacy: Friends Only. Settings > Privacy Controls > View My Story > “My Friends” or “Custom.”

5. My AI: OFF. Disable through Family Center if you have concerns about unsupervised chatbot conversations.

6. Content Restrictions: ON. Through Family Center, restrict sensitive content on Spotlight and Stories.

Supplement with Phone-Level Controls

Snapchat doesn’t offer screen time management, so use your phone’s tools:

Apple Screen Time (iPhone) lets you set daily app limits, enforce downtime, and restrict downloads. Google Family Link (Android) offers similar controls. These operate at the system level and can’t be bypassed from within Snapchat.

Have the Conversation

On disappearing messages: “Nothing online truly disappears. Screenshots and screen recordings can capture anything. Before you share something, ask yourself if you’d be okay with it showing up on a billboard.”

On strangers: “If someone you don’t know in real life adds you, don’t accept. If someone starts asking personal questions or pressuring you for photos, tell me immediately.”

On sextortion: “Criminals trick teenagers into sharing images and then blackmail them. It happens to smart kids every day. If it ever happens to you or a friend, come to me. You won’t be in trouble. The person doing it is the criminal.” Direct them to NCMEC’s CyberTipline (1-800-843-5678) or report.cybertip.org.

On streaks: “The app is designed to make you feel like you have to be on it constantly. That’s product design, not friendship. It’s okay to put it down.”

On Snap Map: “Would you walk around holding a sign with your exact address? Ghost Mode stays on.”

The Bottom Line

Social Media apps serve a purpose: They are the new norm for teen communications. Snapchat isn’t going away. Chance are that your teen’s friends are on it. And the research shows that education and supervised engagement protect kids better than blanket bans.

But Snapchat’s default settings are more permissive than most parents realize, and the platform’s parental tools still have real gaps. Set up Family Center. Enable Ghost Mode. Kill Quick Add. Then have the conversation. The 15 minutes it takes to walk through these settings together could save your family from a crisis.

Thanks for reading Intruvent Edge! This post is public so feel free to share it.

Research Sources: Snap Inc. Newsroom & Family Center Documentation, Snapchat Support (help.snapchat.com), New Mexico DOJ v. Snap Inc. (2024), NPR (Dara Kerr, 2024), TechCrunch (January 2026), Snap Inc./Western Sydney University Sextortion Research (2025), NCMEC CyberTipline Reports (2024), Thorn Sextortion Study (2025), DHS Know2Protect Campaign (2025), After Babel Platform Analysis (2025), Malwarebytes Online Safety Research (2025), Pew Research Center (2025), Nature (2025), JAMA Network Open (2024)

Last Updated: February 17, 2026

Cross-sector analysis for our January BRACE reports was telling. January’s threat landscape delivered a verdict: the traditional security perimeter is gone. Attackers are targeting things outside the traditional parameter: operating iyour cloud APIs, your SaaS integrations, your OT networks. Often without ever touching your endpoints. You’ll need to move fast to regain the advantage.

The Numbers That Matter

Active Threat Groups: 70 (up 12% month-over-month, highest count since tracking began)

Cross-Sector Actors: 17 (Qilin leading, cartel coordination accelerating)

Critical CVEs: 85 tracked (58 rated CRITICAL or HIGH, exploitation pace exceeds patching)

Emerging Signals: 107 indicators (AI-enabled attacks surging across sectors)

1. Codefinger: Ransomware Without the Malware

The first ransomware that doesn’t need your network.

In January, Halcyon’s researchers disclosed “Codefinger,” a ransomware operation weaponizing AWS S3’s Server-Side Encryption with Customer-Provided Keys (SSE-C) to lock organizations out of their own cloud storage. No malware. No lateral movement. No endpoint compromise. Just API calls.

How it works:

Attackers obtain leaked AWS credentials from GitHub commits, phishing, or infostealer logs. They enumerate S3 buckets and identify valuable data. Using the S3 API, they re-encrypt objects with attacker-controlled SSE-C keys. Original data becomes mathematically unrecoverable without the key.

Why your current defenses won’t help: EDR doesn’t see it because there’s no malware. Network monitoring misses it because the traffic is legitimate API calls to AWS. Backup systems can’t help if backups are stored in the same S3 buckets. The attack happens entirely within AWS’s legitimate service layer. CloudTrail logs show the activity, but only if you’re watching.

Defensive priority: Audit IAM permissions for s3:PutObject with SSE-C capabilities. Enable S3 Object Lock for critical data. Deploy CloudTrail alerting for unusual SSE-C operations. Segregate backup storage with separate credentials.

Source: Halcyon Research, January 2026

2. Eight Minutes: When Attackers Move Faster Than Your SOC

From phishing email to full AWS environment compromise in under 10 minutes.

A January incident reconstructed by cloud security researchers at Wiz revealed a new operational tempo: threat actors using AI-assisted tooling achieved complete cloud environment takeover in just 8 minutes.

The attack chain:

0:00: Spear-phishing email with malicious OAuth consent link

0:45: Victim grants OAuth app access to M365 mailbox

2:30: Automated credential harvesting from mailbox attachments

4:00: AWS console login using harvested service account credentials

5:30: Lambda functions enumerated, secrets extracted

8:00: New IAM admin user created, persistence established

Traditional incident response assumes hours or days. Eight minutes doesn’t give SOC teams time to triage an alert, let alone contain a breach.

The takeaway: Speed is the new competitive advantage for attackers. Detection must be automated, and response playbooks need to trigger without human approval for high-confidence signals.

Source: Wiz Cloud Threat Intelligence, January 2026

3. Bybit’s $1.5 Billion Lesson: Lazarus Never Sleeps

The largest single crypto theft in history. Here’s how they did it.

North Korea’s Lazarus Group executed a $1.5 billion heist against cryptocurrency exchange Bybit in January, eclipsing the $620M Ronin Bridge attack as the largest crypto theft ever recorded.

Technical execution:

Social engineering campaign targeting exchange developers. Supply chain compromise of a trading interface component. Hot wallet credentials exfiltrated via memory scraping. Funds dispersed across 50+ wallets within 90 minutes.

The strategic angle: At $1.5B, this single operation likely funds a significant portion of North Korea’s weapons programs for 2026. Lazarus isn’t criminal in the traditional sense. It’s a revenue-generating arm of a sanctions-evading government. The financial services sector remains the highest-value target for state-sponsored actors with economic motivations.

For financial institutions: Third-party code review isn’t optional. Hot wallet architecture must assume compromise. Behavioral analytics on transaction patterns are essential.

Source: Chainalysis, FBI IC3 Advisory, January 2026

4. Sandworm Returns: DynoWiper and Poland’s Grid

Russia’s elite cyber unit tests new destructive capabilities in NATO territory.

January saw Sandworm (GRU Unit 74455) deploy “DynoWiper,” a new destructive malware variant, against Polish energy infrastructure. The attack was contained before causing outages, but the technical sophistication marks an evolution from their 2015-2016 Ukraine grid attacks.

Key findings:

DynoWiper specifically targets Schneider Electric SCADA systems. Uses legitimate OT protocols (Modbus, IEC 61850) to blend with normal traffic. Includes anti-forensics modules that corrupt PLC firmware after wiping. Pre-positioned for months before activation.

The timing isn’t coincidental. Poland’s critical role in NATO logistics and Ukraine support makes it a high-priority target. This operation signals preparation for potential escalation.

This marks the first known Sandworm attack targeting a NATO member’s critical infrastructure. That detail matters.

OT/ICS operators: Baseline legitimate OT traffic patterns now. Detection rules for anomalous Modbus commands should be deployed across all energy sector SCADA environments.

Source: Dragos Threat Intelligence, CERT Polska, January 2026

5. When Hacktivists Cause Physical Impact

CISA Alert AA25-343A: The line between digital and physical has dissolved.

In January, CISA issued a rare alert documenting pro-Russia hacktivist groups achieving physical impact on US critical infrastructure. Water treatment facilities experienced pump failures. Manufacturing PLCs entered unsafe states.

What changed:

Hacktivist groups are now sharing ICS exploitation guides on Telegram. Operational technology defaults (default passwords, exposed HMIs) create attack surface. Groups previously limited to DDoS and defacement have upskilled to OT compromise.

The attacks weren’t sophisticated. They didn’t need to be. Internet-exposed HMIs with default credentials were the only requirement.

Critical infrastructure operators have known about these exposures for years. Regulators have issued guidance. Hacktivists have now become the enforcement mechanism.

Action required: Internet-exposed ICS asset discovery should be a weekly automated scan. Default credential campaigns need executive sponsorship and deadlines.

Source: CISA Advisory AA25-343A, January 2026

6. OAuth: The Supply Chain You Forgot to Secure

Two SaaS supply chain compromises expose the trust problem in enterprise OAuth.

January saw back-to-back OAuth-based supply chain attacks targeting enterprise SaaS platforms:

Salesloft-Drift Compromise: Attacker compromised Drift’s OAuth integration with Salesloft. All customers with the integration active had mailbox access exposed. Estimated 4,200 organizations affected.

Gainsight Customer Data Exfiltration: OAuth token theft from Gainsight’s customer success platform. Product usage data for 800+ enterprise customers exfiltrated. Competitive intelligence implications significant.

The pattern: OAuth tokens are persistent, broadly scoped, and rarely audited. Once compromised, they provide silent access until explicitly revoked.

OAuth security priorities:

Inventory all OAuth grants across your SaaS portfolio. Implement just-in-time access for sensitive integrations. Monitor for OAuth grants from unusual locations or devices. Establish a periodic OAuth grant review process.

Source: Obsidian Security, January 2026

Quick Hit: Scattered Spider Joins DragonForce

The social engineering experts have a new home.

Following the disruption of their infrastructure in late 2025, Scattered Spider operators have affiliated with the DragonForce ransomware cartel. This partnership combines Scattered Spider’s elite social engineering capabilities with DragonForce’s infrastructure and ransom negotiation experience.

Expect SIM swapping and help desk social engineering attacks to increase through Q1 2026, now backed by more robust ransomware deployment.

Source: Mandiant M-Trends, January 2026

Trend Watch: Encryption Is Optional

Quadruple extortion becomes the new baseline.

January data confirms a shift in ransomware economics: encryption is increasingly optional. The modern extortion playbook:

Data theft: Exfiltrate before announcing presence

Encryption: Sometimes deployed, sometimes skipped

Public shaming: Victim names posted to leak sites

Third-party notification: Customers, regulators, and partners contacted directly

Groups like BianLian have abandoned encryption entirely. Why invest in complex crypto when data theft alone generates payments?

Defensive implication: Data Loss Prevention (DLP) and exfiltration detection are now as critical as backup integrity.

January 2026 By The Numbers

Qilin led all actors, active in 17 of 18 sectors analyzed

T1078 (Valid Accounts) was the #1 technique, used by 65 actors across all sectors

Russia accounted for 61% of attributed actor activity

AI-enabled attacks flagged as emerging signal in 17 sectors

Custom Sector - Amazon AWS Cloud Technologies sector had highest severity concentration (6 CRITICAL)

Defensive Playbook: February Priorities

Given the wide spread of attack vectors this month, here are some defensive measures that you can take to protect your organization over the next 90+ days.

NOTE: Every environment is different, and Intruvent has not examined your environment. These are general recommendations that you should undertake only after evaluating their usefulness and efficacy for your specific circumstances.

Immediate (This Week)

Audit S3 bucket SSE-C permissions and access patterns

Review OAuth grants for all SaaS integrations

Scan for internet-exposed ICS/OT assets

Short-Term (30 Days)

Deploy CloudTrail alerting for unusual S3 encryption operations

Implement automated response for OAuth-based compromise indicators

Baseline OT network traffic for anomaly detection

Strategic (90 Days)

Evaluate data exfiltration detection capabilities vs. encryption-focused controls

Develop 8-minute response playbook for cloud credential compromise

Third-party OAuth integration security review program

Sources

1. Intruvent BRACE Sector Reports - Cross-Sector Threat Intelligence, January 2026

2. Halcyon Research - Codefinger SSE-C Analysis, January 2026

3. Wiz Cloud Threat Intelligence - AI-Accelerated Breach Study, January 2026

4. Chainalysis - Bybit Incident Analysis, January 2026

5. FBI IC3 - North Korea Cryptocurrency Advisory, January 2026

6. Dragos Threat Intelligence - DynoWiper Technical Report, January 2026

7. CERT Polska - Energy Sector Incident Report, January 2026

8. CISA - Advisory AA25-343A, January 2026

9. Obsidian Security - OAuth Supply Chain Report, January 2026

10. Mandiant M-Trends - RaaS Evolution Update, January 2026

INTRUVENT EDGE is published monthly. For the complete cross-sector technical analysis, see the January 2026 Cross-Sector Trends Report.

Questions? Feedback? Reply to this email or reach out at contact@intruvent.com