Iranian state-sponsored and affiliated cyber threat actors have **formalized a cyber-kinetic war doctrine**, integrating digital reconnaissance with physical strikes following the February 28, 2026, joint US-Israel military operation (*Epic Fury*). New research confirms Iran’s systematic compromise of **Hikvision and Dahua IP cameras** across Israel, Qatar, Bahrain, Kuwait, the UAE, Cyprus, and Lebanon—exploiting **five patched but widely unpatched vulnerabilities** to enable **real-time battle damage assessment and missile-targeting support**. Check Point Research assesses this activity as a **predictive indicator of kinetic strikes**, mirroring tactics used during the June 2025 Israel-Iran conflict. **As of April 2026, Iranian APT actors have escalated direct targeting of U.S. critical infrastructure**, focusing on **Rockwell/Allen-Bradley PLCs** in Government Services, Water and Wastewater Systems, and Energy sectors. The joint FBI/CISA/NSA advisory warns of **financial losses, operational disruptions, and malicious manipulation of HMI/SCADA displays**, with confirmed extraction of PLC project files. This follows prior CyberAv3ngers (IRGC-linked) campaigns that compromised **75 Unitronics PLCs** in 2023–2024. In parallel, **pro-Iranian hacktivist group Handala wiped 80,000 devices** on U.S. medical giant Stryker’s network in March 2026, signaling a shift toward **destructive hybrid operations** blending state-backed and proxy activity. The campaign extends beyond surveillance: **pro-Iranian actors breached Jordan’s Silos and Supply General Company via phishing**, while IRGC-linked groups conducted **limited but targeted ICS/SCADA attacks** and **DDoS campaigns against UAE/Bahrain government entities**. CrowdStrike and Flashpoint warn of escalating hybrid tactics, including **propaganda operations, data center missile strikes, and hacktivist proxies** (e.g., Russian Legion) expanding targets to US-based critical infrastructure. **Pay2Key**, an Iranian-linked ransomware group active since 2020, has **re-emerged in March 2026 with enhanced evasion capabilities**, targeting a US healthcare provider in a three-hour encryption blitz that leveraged TeamViewer, credential harvesting (Mimikatz/LaZagne), and backup enumeration—raising concerns about its **strategic destruction motives** amid geopolitical tensions.

APT28 (Fancy Bear/Forest Blizzard), attributed to Russia’s GRU unit GTsSS Military Unit 26165, has conducted opportunistic DNS hijacking campaigns since at least August 2025 by compromising small office/home office (SOHO) routers—primarily TP-Link models such as WR841N—to redirect victim traffic through attacker-controlled DNS servers and steal credentials. The campaign peaked in December 2025, compromising over 18,000 networks, including 200 organizations and 5,000 consumer devices, and specifically targeted government agencies such as ministries of foreign affairs, law enforcement, and third-party email providers. TP-Link routers were likely exploited via CVE-2023-50224 to retrieve credentials, which were then used in adversary-in-the-middle attacks against browser sessions and desktop applications to harvest credentials for web and email services. APT28 operates a persistent infrastructure of VPSs repurposed as malicious DNS servers, receiving DNS requests from exploited routers and enabling opportunistic triage to identify high-value targets. Microsoft reported this is the first time APT28 has used DNS hijacking at scale to support post-compromise adversary-in-the-middle (AiTM) attacks on TLS connections against Microsoft Outlook on the web domains, intercepting OAuth authentication tokens after successful MFA authentication without requiring additional malware on compromised routers.

Threat actors are actively exploiting CVE-2025-59528, a maximum-severity (CVSS 10.0) code injection vulnerability in Flowise, an open-source AI agent builder platform. The flaw allows unauthenticated remote code execution via the CustomMCP node, which parses user-supplied mcpServerConfig strings without sanitization, enabling execution of arbitrary JavaScript code with full Node.js runtime privileges. Successful exploitation grants attackers access to dangerous modules (e.g., child_process, fs), leading to full system compromise, arbitrary command execution, file system access, and sensitive data exfiltration. VulnCheck’s Canary network has detected early-stage exploitation of the flaw, originating from a single Starlink IP address. Between 12,000 and 15,000 Flowise instances remain exposed online, creating a significant and opportunistic attack surface for mass scanning and exploitation attempts. The vendor addressed the issue in versions 3.0.6 and later; users are advised to upgrade to at least 3.0.6 or the current 3.1.1.

Researchers from the University of of Toronto demonstrated the GPUBreach attack, a new Rowhammer-based technique that corrupts GDDR6 GPU page tables to grant unprivileged CUDA kernels arbitrary read/write access to GPU memory. The vulnerability is chained with memory-safety flaws in the NVIDIA driver to escalate privileges from an unprivileged context to full system compromise—including root shell access—without disabling IOMMU or relying on prior GPU Rowhammer research. The attack bypasses IOMMU protection by corrupting trusted driver state via GPU-controlled memory, making it effective even on systems with hardware memory isolation enabled. Demonstrated on NVIDIA RTX A6000 GPUs with GDDR6 memory, the technique enables cross-process data exposure, cryptographic key leakage, manipulation of ML processes (reducing accuracy from 80% to 0%), and extraction of sensitive data such as LLM weights. While ECC mitigation exists, it may fail to detect multiple bit-flips, leaving systems exposed. The research is scheduled for presentation at the 47th IEEE Symposium on Security & Privacy in 2026 and follows NVIDIA’s November 2025 notification of related risks.

At RSAC 2026, industry leaders emphasized the unprecedented speed of AI integration into cybersecurity workflows, reshaping defensive and offensive capabilities faster than anticipated. Organizations are now predominantly in reactive mode, with threat actors leveraging AI more effectively than defenders' adoption rates. The event also highlighted persistent challenges in authentication and software vulnerabilities, underscoring the need for historical lessons in addressing modern threats. Informa TechTarget’s cybersecurity portfolio brands (Dark Reading, Cybersecurity Dive, TechTarget SearchSecurity) demonstrated a coordinated "360-degree" coverage strategy to address the fragmented yet interconnected needs of CISOs, SOC managers, and risk professionals. Analysts noted the industry’s 20-year evolution from fewer than a dozen vendors to over 4,000, with threats escalating from rudimentary social engineering to ransomware capable of disrupting critical infrastructure. Quantum computing was framed as a future concern rather than an immediate crisis, with experts describing it as a manageable evolution rather than a disruptive inflection point.

Automated penetration testing tools often deliver initial high-value findings but degrade into reporting stale, repetitive issues by the fourth or fifth execution, revealing a structural limitation known as the Proof-of-Concept (PoC) Cliff. This pattern stems from the deterministic, chained nature of automated tools, which exhaust exploitable paths within their fixed scope and fail to validate security controls such as firewalls, EDR, WAF, or SIEM in real adversary scenarios. As a result, organizations experience a widening Validation Gap where reported findings do not reflect actual control effectiveness, leaving critical attack surfaces unassessed and creating false confidence in security posture.

A novel attack chain dubbed GrafanaGhost leverages indirect prompt injection and application logic weaknesses to silently extract highly sensitive enterprise data from Grafana monitoring environments. Instead of phishing or stolen credentials, attackers manipulate Grafana's input processing and AI guardrails to automatically transmit financial metrics, infrastructure health data, and customer records to external attacker-controlled servers. The exfiltration occurs in the background during routine dashboard activities, triggered by manipulated inputs designed to mimic legitimate requests, bypass domain validation, and embed instructions via specific keywords like 'INTENT'.

An opportunistic cryptomining and proxy botnet campaign is actively recruiting over 1,000 internet-exposed ComfyUI instances—an open-source Stable Diffusion platform—via remote code execution (RCE) exploits against unauthenticated deployments and ComfyUI-Manager installations. The attack chain begins with a Python-based scanner that enumerates cloud IP ranges for vulnerable ComfyUI instances, identifying those with custom node families that accept raw Python code execution or ComfyUI-Manager installations. Successful exploitation installs malware that mines Monero and Conflux, and adds compromised hosts to the Hysteria V2 botnet, all managed through a Flask-based C2 dashboard. The operation includes sophisticated persistence mechanisms, competitor botnet sabotage, and evidence-clearing techniques, indicating a technically competent yet opportunistic actor targeting widely deployed AI inference services for financial gain.

In 2025, cyber fraud losses in the U.S. exceeded $17.7 billion, with over 1 million complaints filed to the FBI’s IC3, marking a significant year-over-year increase from 2024. Cryptocurrency investment scams were the most financially damaging, accounting for $7.2 billion in losses, followed by Business Email Compromise (BEC) fraud at over $3 billion and fake tech support scams at over $2 billion. AI-enabled fraud contributed nearly $893 million in losses, reflecting the growing sophistication of cybercriminal tactics leveraging synthetic content for phishing, deepfakes, and fraudulent employment schemes.

Storm-1175, a financially motivated cybercrime group, has conducted high-tempo Medusa ransomware attacks over the past three years by exploiting both n-day and zero-day vulnerabilities during the patch gap between disclosure and remediation. The actor primarily targets exposed perimeter assets, achieving initial access via web shells or remote access payloads and deploying ransomware within one to six days. Victims include healthcare, education, professional services, and finance sectors across Australia, the UK, and the US. Since 2023, Storm-1175 has weaponized at least 16 vulnerabilities, including the zero-day CVE-2025-10035 in GoAnywhere Managed File Transfer, exploited one week prior to public disclosure.

Fortinet has released **emergency patches** for **CVE-2026-35616**, a critical **pre-authentication API access bypass** in FortiClient EMS 7.4.5/7.4.6, enabling unauthenticated attackers to execute arbitrary code via crafted requests. The flaw, described by Defused as a **zero-day vulnerability**, has been **actively exploited in the wild** since at least late March 2026, prompting CISA to add it to its **Known Exploited Vulnerabilities (KEV) catalog** on April 6, 2026, with a patching deadline of **April 9, 2026**, for U.S. federal agencies. Federal and private-sector organizations are urged to apply hotfixes immediately or upgrade to **FortiClientEMS 7.4.7** upon release. This follows the **active exploitation of CVE-2026-21643**, a critical SQL injection (CVSS 9.8) in FortiClientEMS, also under attack since late March. Nearly **1,000–2,000 FortiClient EMS instances** remain exposed online, primarily in the U.S. and Europe, with Shadowserver tracking ongoing scans. Fortinet warns that compromising EMS infrastructure allows attackers to **push malicious updates to endpoints**, escalating risks of ransomware, espionage, or destructive attacks. Earlier in 2026, Fortinet addressed **CVE-2026-24858**, a critical FortiCloud SSO authentication bypass (CVSS 9.4) exploited to hijack admin accounts and exfiltrate configurations from **over 25,000 exposed devices**. CISA mandated patches for federal agencies by **January 30, 2026**, while Fortinet temporarily disabled FortiCloud SSO to mitigate zero-day attacks. Organizations are advised to **disable FortiCloud SSO until patches are applied**, restrict management interface access, and treat compromised systems as fully breached—requiring credential rotation and configuration restoration.

German Federal Police (BKA) announced the identification of two Russian nationals, Daniil Maksimovich Shchukin (31) and Anatoly Sergeevitsch Kravchuk (43), as the leaders of the GandCrab and REvil ransomware operations spanning from at least early 2019 to July 2021. The duo, with Shchukin operating under aliases UNKN/UNKNOWN on cybercrime forums, is linked to at least 130 extortion cases targeting German companies, including 25 victims who paid $2.2 million in ransoms, while total financial damage exceeded $40 million. Authorities believe both individuals are now in Russia and have requested public assistance, including entries on the EU’s Most Wanted portal. BKA has released images of the suspects to aid tracking efforts. The operations under Shchukin and Kravchuk followed the GandCrab model, which launched in early 2018 and reportedly earned $2 billion in ransom payments before its leader retired in June 2019. REvil, emerging afterward, adopted GandCrab’s affiliate structure, public leak sites, and data auctions, targeting high-profile victims such as Texas local governments, Acer, and the Kaseya supply-chain compromise affecting approximately 1,500 downstream victims. Following the Kaseya attack, REvil took a two-month operational break during which law enforcement infiltrated their infrastructure, leading to disruptions. In January 2022, Russian authorities arrested over a dozen REvil members, who were released in 2025 after serving time for carding-related charges.

A threat actor leveraged AI-assisted automation to orchestrate a large-scale supply chain attack against open source repositories on GitHub by exploiting the pull_request_target workflow trigger in GitHub Actions. The campaign, codenamed prt-scan, began on March 11 and spanned six waves executed via six coordinated GitHub accounts, resulting in at least two compromised NPM packages out of over 450 exploitation attempts. The actor primarily targeted repositories with the pull_request_target trigger, which automatically runs workflows in the main repository when a pull request is submitted from an untrusted fork, granting workflows full repository permissions and access to secrets. Successful intrusions predominantly exposed ephemeral GitHub credentials for workflows, though broader implications highlight the facilitation of low-sophistication attackers to scale supply chain attacks rapidly.

A financially motivated North Korea-nexus threat actor (UNC1069) compromised the npm account of axios maintainer Jason Saayman through a two-week social engineering campaign involving cloned personas, fake Slack workspaces, and deceptive Microsoft Teams meetings. The attackers published malicious axios versions v1.14.1 and v0.30.4 containing plain-crypto-js as a dependency to deliver cross-platform RATs with full unilateral control capabilities, bypassing 2FA. The attack was part of an industrialized social engineering campaign targeting high-value individuals and open source maintainers, leveraging AI-enhanced trust-building, matured attacker tooling, and convincing delivery mechanisms. The blast radius of compromised packages like axios—downloaded over 100 million times weekly—amplifies the impact, with similar campaigns observed against cryptocurrency founders, venture capital executives, and other developers. Malicious packages were swiftly removed, but the incident underscores the evolving threat model where traditional social engineering now scales through supply chain compromises.

Exploit code for an unpatched Windows privilege escalation vulnerability, tracked as BlueHammer, has been publicly released by a disgruntled security researcher. The flaw enables local attackers to escalate privileges to SYSTEM or elevated administrator levels, allowing full system compromise. Microsoft has not issued a patch, classifying the issue as a zero-day. The exploit combines a TOCTOU (time-of-check to time-of-use) and path confusion, granting access to the Security Account Manager (SAM) database to extract local account password hashes. The leak follows frustration with Microsoft’s Security Response Center (MSRC) over disclosure handling, with the researcher citing insufficient response as the trigger for public disclosure. The PoC code contains reliability issues, particularly on Windows Server platforms.

Microsoft has resolved a bug causing email delivery issues for some Classic Outlook users sending via Outlook.com, which previously prevented messages from reaching intended recipients and triggered 0x80070005-0x0004dc-0x000524 non-delivery reports. The issue primarily affected users with Outlook profiles linked to Exchange accounts or those with Exchange Online mail contacts sharing SMTP addresses. Microsoft deployed a server-side fix on April 3, 2026, though some users may still encounter temporary issues until OAuth tokens expire. Earlier investigations revealed that Microsoft was addressing multiple problems in classic Outlook, including mouse pointer disappearance that also impacted OneNote and other Microsoft 365 apps, synchronization and connection issues with Gmail and Yahoo accounts, and "Can't connect to the server" errors when creating groups with EWS enabled. Temporary workarounds were provided for these issues while Microsoft worked on permanent fixes.

Microsoft has deprecated and removed the Support and Recovery Assistant (SaRA) command-line utility from all supported Windows versions starting March 10, 2026. The tool, which automated diagnostic tests for Office, Microsoft 365, Outlook, and Windows systems, has been superseded by the Get Help command-line tool, which offers similar capabilities with enhanced security infrastructure. The deprecation affects Windows 7 through Windows 11 systems and requires IT administrators to migrate from SaRA to the recommended GetHelpCmd.exe tool for endpoint troubleshooting. The transition is positioned as a security hardening measure to protect enterprise environments.

Storm-1175, a China-based cybercriminal affiliate deploying Medusa ransomware, has escalated attacks by weaponizing n-day and zero-day vulnerabilities in rapid succession, often within days or even hours of discovery. The group targets exposed perimeter assets across multiple sectors—including healthcare, education, professional services, and finance—in Australia, the United Kingdom, and the United States. Exploitation chains involve initial access via chained vulnerabilities, followed by credential theft, persistence mechanisms such as new user account creation, deployment of remote monitoring tools, and security software disablement, culminating in Medusa ransomware deployment.

Drift Protocol’s April 1, 2026, $285 million loss was the culmination of a six-month in-person social engineering campaign, where North Korea-linked threat actors (UNC4736, a.k.a. AppleJeus/Labyrinth Chollima) infiltrated the ecosystem by posing as a quantitative trading firm at crypto conferences. The attackers compromised contributors via malicious code repositories (exploiting VSCode/Cursor vulnerabilities) and fraudulent TestFlight wallet applications, enabling them to hijack Security Council multisig controls. Post-takeover, they deployed the CarbonVote Token as collateral, removed withdrawal limits, and drained funds across deposits and trading accounts within minutes. Drift has frozen all protocol functions, flagged attacker wallets globally, and is collaborating with intelligence firms (Elliptic, TRM Labs) and law enforcement to trace and recover stolen assets. On-chain analysis confirms North Korean involvement, aligning with prior state-sponsored campaigns targeting crypto infrastructure.

Threat actors are actively exploiting a critical remote code execution (RCE) flaw (CVE-2025-11953, CVSS 9.8) in the Metro Development Server within the @react-native-community/cli npm package, enabling unauthenticated OS command execution. Exploits deliver a PowerShell script that disables Microsoft Defender exclusions and downloads a Rust-based binary with anti-analysis features from an attacker-controlled host. The attacks, first observed on December 21, 2025, originate from multiple IP addresses and indicate operational use rather than experimental probing. A separate campaign is exploiting React2Shell (CVE-2025-55182), a pre-authentication RCE flaw in React Server Components (RSCs) affecting Next.js applications, for large-scale credential theft. This campaign, attributed to UAT-10608, uses the NEXUS Listener automated tool to harvest credentials, SSH keys, cloud tokens, and environment secrets from at least 766 compromised hosts across multiple industries and regions. Attackers leverage automated scanning to identify vulnerable deployments and deploy NEXUS Listener for post-exploitation data collection and further malicious activity.

Organizations relying on periodic breach checks, MFA, and EDR remain vulnerable to credential theft via infostealers. Stolen credentials, including session tokens and cookies, bypass authentication controls and enable rapid enterprise network access. In 2025, 4.17 billion compromised credentials were observed, with infostealers like LummaC2, Rhadamanthys, and Atomic macOS Stealer (AMOS) evading legacy defenses. Credential-related breaches now average $4.81–4.88 million per incident, underscoring the need for continuous, forensic-grade monitoring and automated response.

The OWASP Foundation updated its GenAI Security Project to address evolving risks in generative and agentic AI ecosystems, publishing two new solution guides and a data security risks list. The project now tracks over 170 providers, expanding from 50, and documents 21 risks for GenAI systems while introducing 21 GenAI Data Security risks. Updates reflect rapid adoption of AI technologies and growing attack surfaces, including vulnerabilities in emerging protocols like MCP and A2A. Security concerns highlighted include sensitive data leakage, prompt injection, unsafe tool execution, goal drift, and inter-agent collusion. The project emphasizes the need for visibility into AI agent activity and introduces a six-month update cadence to reflect stabilizing but still dynamic industry development.

Enterprise security operations centers (SOCs) face escalating operational gaps due to multi-platform cyberattack campaigns that exploit fragmented detection and response workflows across Windows endpoints, macOS devices, Linux infrastructure, and mobile platforms. Attackers leverage platform-specific behaviors to evade early triage, split investigations, and delay containment, increasing credential theft, persistence establishment, and lateral movement opportunities. SOC inefficiencies—such as delayed validations, fragmented evidence, and escalation bottlenecks—create measurable business exposure windows where threats advance before detection and response processes consolidate. Campaigns such as ClickFix illustrate how threat actors customize execution paths per operating system, using deceptive techniques (e.g., Google ad redirects to fake documentation pages) to deliver platform-specific payloads like AMOS Stealer and persistent backdoors.

A financially motivated North Korean-aligned threat actor with the moniker UNC1069 compromised the npm account of the maintainer of the Axios library, a widely used HTTP client with approximately 100 million weekly downloads, to publish malicious versions containing the cross-platform WAVESHAPER.V2 malware. The malicious builds were available for only a few hours but were automatically pulled into downstream environments via CI/CD pipelines and dependency chains, exposing enterprises that never directly installed Axios. The malware implements anti-forensic cleanup mechanisms and leverages the build pipeline as the new front line for software supply chain compromise at scale.

TeamPCP has escalated its multi-vector CanisterWorm campaign into a geopolitically targeted operation, compromising trusted PyPI packages (LiteLLM versions 1.82.7–1.82.8 and Telnyx versions 4.87.1–4.87.2) to deliver credential-stealing malware that harvests SSH keys, cloud credentials, Kubernetes secrets, database credentials, cryptocurrency wallets, TLS/SSL private keys, and bash history files. The malware exfiltrates stolen data to attacker-controlled infrastructure and establishes persistent backdoors, with evidence linking TeamPCP to the Vectr ransomware group for follow-on operations. The campaign began as a supply-chain attack involving 47 compromised npm packages and escalated to include GitHub repository hijacking (e.g., Aqua Security), Docker Hub compromise, and direct targeting of CI/CD pipelines via GitHub Actions workflows (e.g., Checkmarx, Trivy). Recent compromises of LiteLLM and Telnyx demonstrate rapid iteration and maturation of supply-chain attack methodology, while destructive payloads targeting Iranian systems in Kubernetes environments (e.g., time-zone/locale-based wipers) highlight the group’s geopolitical alignment. The LiteLLM compromise specifically turned developer endpoints into systematic credential harvesting operations, with malware activating during installation/updates and cascading through transitive dependencies (e.g., dspy, opik) to affect organizations that never directly used LiteLLM.

German authorities via the Federal Criminal Police (BKA) have publicly identified 31-year-old Russian national Daniil Maksimovich Shchukin as UNKN, the alleged head of the GandCrab and REvil ransomware operations. Between 2019 and 2021, Shchukin and a co-defendant are accused of conducting at least 130 cyberattacks across Germany, extorting nearly €2 million from 24 victims while causing over €35 million in economic damage. Shchukin is believed to be residing in Krasnodar, Russia, and remains at large despite international law enforcement scrutiny.

A phishing campaign distributing fraudulent court notices via SMS targets U.S. residents with fake traffic violation claims, instructing recipients to scan a QR code that leads to a credential-stealing site. The messages impersonate state courts or DMVs and demand a $6.99 payment under threat of court action. Recipients across multiple states including New York, California, and Texas have reported the campaign, which uses CAPTCHAs and intermediary domains to evade detection. Scanned QR codes redirect victims to spoofed agency portals where personal and financial data is harvested.

A large-scale automated credential theft campaign has compromised at least 766 hosts across multiple cloud providers and geographies by exploiting the React2Shell vulnerability (CVE-2025-55182) in vulnerable Next.js applications. The attack leverages a framework called NEXUS Listener and automated scripts to extract and exfiltrate sensitive data, including database credentials, AWS and cloud tokens, SSH private keys, API keys, environment secrets, Kubernetes tokens, Docker information, command history, and process data. The exfiltration occurs in chunks via HTTP requests over port 8080 to a command-and-control server running the NEXUS Listener component.

A maintainer of the widely used Axios npm package was targeted in a highly tailored social engineering campaign attributed to North Korean threat actor UNC1069, resulting in the compromise of npm account credentials and the publication of two trojanized versions of Axios (1.14.1 and 0.30.4). Google Threat Intelligence Group (GTIG) attributed the attack to UNC1069 based on the use of WAVESHAPER.V2 and infrastructure overlaps with past activities. The malicious packages were available for roughly three hours and injected a plain-crypto-js dependency that installed a cross-platform RAT, enabling credential theft and downstream compromise. The campaign also targeted additional maintainers, including Pelle Wessman (Mocha framework) and Node.js core contributors, revealing a coordinated effort against high-impact maintainers. The intrusion began with reconnaissance-driven impersonation of a legitimate company founder, engagement via a cloned Slack workspace and Microsoft Teams call, and execution of a fake system update that deployed the RAT. Post-incident, the maintainer reset devices, rotated all credentials, adopted immutable releases, introduced OIDC-based publishing flows, and updated GitHub Actions workflows to mitigate future risks.

A rapidly escalating device code phishing campaign continues to target Microsoft 365 accounts across at least 340 organizations in multiple countries since mid-February 2026, with attacks surging 37.5 times in early 2026 compared to baseline levels at the start of March. The campaign abuses legitimate OAuth device authorization flows to harvest credentials and establish persistent access tokens, primarily via the EvilTokens PhaaS platform and at least 10 other competing phishing kits (e.g., VENOM, DOCUPOLL, SHAREFILE). These attacks now incorporate advanced features such as anti-bot evasion techniques, multi-hop redirect chains leveraging legitimate vendor services, and SaaS-themed lures impersonating business content (e.g., DocuSign, SharePoint, Adobe Acrobat). The EvilTokens platform, sold over Telegram, has democratized device code phishing, enabling low-skilled cybercriminals to execute attacks that grant persistent access to victim accounts, including email, files, Teams data, and SSO impersonation capabilities. The campaign’s global reach extends to at least 10 countries, with sectors including construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government being targeted. Mitigation efforts focus on disabling the device code flow via conditional access policies and monitoring for anomalous authentication events.