
Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

News Summary

Last updated: 14:45 09/03/2026 UTC
  • Windows 11 KB5070311 Update Addresses File Explorer and Search Issues: Microsoft has released KB5070311, an optional preview cumulative update for Windows 11 that addresses File Explorer freezes, search problems and other bugs. The update contains 49 changes and belongs to the monthly preview updates that precede each Patch Tuesday release. It fixes explorer.exe responsiveness problems, search failures on SMB shares and LSASS instability, but it also introduced a regression: a bright white flash when File Explorer is launched in dark mode. Microsoft addressed that regression in the December KB5072033 Patch Tuesday cumulative update but is still working on a complete fix, which is rolling out to Windows Insiders in the Beta and Dev channels through Windows 11 Build 26220.7961 (KB5079382) and Windows 11 Build 26300.7965 (KB5079385). KB5070311 is available for manual installation and moves Windows 11 25H2 and 24H2 devices to builds 26200.7309 and 26100.7309 respectively. Microsoft also announced that there will be no preview update in December 2025 because of reduced operations over the Western holidays, with the normal cadence resuming in January 2026. The latest preview builds additionally add voice typing (Windows key + H) when renaming files in File Explorer and improve the reliability of unblocking files downloaded from the internet so they can be previewed in File Explorer. Since November, Microsoft has also been testing an optional feature that preloads File Explorer in the background to speed up launch times.
  • UK Establishes Online Crime Centre to Disrupt Cyber-Fraud Operations: The UK government has launched an Online Crime Centre as part of an expanded anti-fraud strategy. The centre brings together government, intelligence agencies, law enforcement, banks, mobile networks and tech firms to disrupt cyber-criminal operations, including overseas scam compounds. It aims to tackle fraud estimated at £14bn a year by identifying and shutting down the accounts, websites and phone numbers fraudsters use. The strategy also calls for AI to detect and stop suspicious bank transfers and for 'scam-baiting chatbots' that gather intelligence and tie up fraudsters' time. A new fraud victims charter will provide improved support and consistent advice for victims of cyber-fraud.
  • Threat Actors Abuse .arpa DNS and IPv6 for Phishing Campaigns: Threat actors are using the .arpa domain and IPv6 reverse DNS to evade phishing defences. The .arpa top-level domain exists for infrastructure purposes, chiefly reverse DNS: an organisation that holds an IPv6 allocation is delegated the matching ip6.arpa zone and can put arbitrary records in it. The attackers reserve IPv6 address space, host the delegated reverse zone with reputable DNS providers such as Cloudflare and Hurricane Electric, configure additional records under it, and use the resulting ip6.arpa hostnames to redirect victims to phishing sites. Because .arpa names are not registered the way ordinary domains are, defenders have no WHOIS data or domain age to score, which makes the links harder to flag. The campaign uses short-lived phishing links alongside other techniques such as hijacking dangling CNAME records and subdomain shadowing; Infoblox observed over 100 instances of hijacked CNAMEs belonging to well-known organisations, including government agencies, universities and retailers.
  • Password Audits Overlook Critical Attacker Targets: Password audits often miss the accounts attackers actually target: orphaned accounts with no current owner, service accounts, and accounts whose passwords are reused or already present in breach corpora. Standard audits check complexity and expiry policy but ignore contextual risk such as over-privileged users or credentials exposed in earlier breaches. An effective audit screens password hashes against breach data, covers every account type including dormant and service accounts, and runs continuously rather than as a one-off exercise.
  • OpenAI's Aardvark Agent for Automated Code Vulnerability Detection and Patching: OpenAI has introduced Aardvark, an agentic security researcher powered by GPT-5 that automatically detects, assesses and patches security vulnerabilities in code repositories. It integrates into the development pipeline to monitor code changes continuously, uses GPT-5's reasoning together with a sandboxed environment to validate findings, and proposes fixes; during beta testing it identified at least 10 CVEs in open-source projects. OpenAI has since rolled out Codex Security, an evolution of Aardvark, as a research preview for ChatGPT Pro, Enterprise, Business and Edu customers. Codex Security has scanned over 1.2 million commits, identifying 792 critical and 10,561 high-severity findings, and relies on automated validation to minimise false positives and propose actionable fixes. OpenAI positions the tool as a way to enhance security without hindering innovation.
  • EU Advocate General: Banks Must Immediately Refund Phishing Victims: The Advocate General of the Court of Justice of the EU (CJEU) has issued an opinion that, under the Payment Services Directive (PSD2), banks must immediately refund customers for unauthorised transactions resulting from phishing, even where the customer's negligence contributed to the fraud, unless the bank has reasonable grounds to suspect fraud. The bank may later seek to recover the loss if it can prove gross negligence or intentional misconduct by the customer. The case involved the Polish bank PKO BP S.A. and a customer who entered their credentials on a fake bank login page, leading to an unauthorised transaction; the bank refused a refund, arguing that the customer's negligence caused the loss. An Advocate General's opinion is advisory and does not bind the Court, whose judgment follows separately.
  • CL-UNK-1068 Targets Asian Critical Infrastructure with Web Server Exploits and Mimikatz: A previously undocumented Chinese threat actor tracked as CL-UNK-1068 has been targeting critical infrastructure in South, Southeast and East Asia since at least 2020. The campaign, assessed with moderate-to-high confidence to be cyber espionage, has hit aviation, energy, government, law enforcement, pharmaceutical, technology and telecommunications organisations. The group gains access by exploiting public-facing web servers and deploying web shells, then moves laterally and steals sensitive files from both Windows and Linux hosts, using a mix of custom malware, open-source utilities and living-off-the-land binaries (LOLBINs) for persistence and exfiltration. Its toolset includes the Godzilla and AntSword web shells, Xnote, Fast Reverse Proxy (FRP) for tunnelling and ScanPortPlus for network scanning; credentials are dumped with Mimikatz and similar tools. A notable technique is DLL side-loading through legitimate Python executables, so that malicious payloads run under a trusted process name.
Last updated: 13:30 09/03/2026 UTC
  • U.S. Secret Service Seizes SIM Servers and Cards Near UN General Assembly: The U.S. Secret Service seized 300 SIM servers and 100,000 SIM cards in the New York tri-state area that had been used to make threats against U.S. government officials and that it described as an imminent threat to national security. The equipment was located near the United Nations General Assembly and could have been weaponised for a range of attacks on telecommunications infrastructure. Separately, the FBI is investigating a breach of a system used to manage surveillance and wiretap warrants. The bureau began looking into abnormal log data for a system on its network on February 17, 2026; the affected system holds law enforcement sensitive information, including returns from legal process such as pen register and trap-and-trace surveillance, and personally identifiable information about subjects of FBI investigations. The intrusion has been addressed, but its scope and impact have not been disclosed. Early evidence points to nation-state actors, including the Chinese group Salt Typhoon, which in 2024 compromised systems used to process court-authorised wiretap requests.
  • Starkiller Phishing Kit Bypasses MFA via Proxy-Based Attacks: A new phishing kit called Starkiller lets attackers bypass multi-factor authentication (MFA) by proxying legitimate login pages. It is sold as a subscription service on the dark web, with updates and customer support, and offers real-time session monitoring and keylogging. Rather than hosting cloned pages, Starkiller runs a headless Chrome instance inside a Docker container that acts as a reverse proxy between the victim and the genuine site (Google, Microsoft, banks), serving real page content while capturing the credentials and authentication tokens that pass through it; because the victim interacts with the real page, the kit is hard for security vendors to detect or block. It integrates URL shorteners such as TinyURL to obscure the destination and centralises infrastructure management, phishing page deployment and session monitoring in a single control panel, combining URL masking, session hijacking and MFA bypass in one operation. Starkiller is part of a broader cybercrime offering by a group called Jinkusu, which also provides email harvesting and campaign analytics.
  • Ransomware Attack Disrupts University of Mississippi Medical Center Operations: The University of Mississippi Medical Center (UMMC) has resumed normal operations nine days after a ransomware attack disrupted IT systems and blocked access to electronic medical records. Hospital operations continued under downtime procedures, but outpatient procedures, ambulatory surgeries and imaging appointments were cancelled; all clinics statewide have now reopened and UMMC is rescheduling missed appointments. UMMC is investigating with assistance from CISA, the FBI and the Department of Homeland Security. The attackers have communicated with UMMC, but no ransomware group has publicly claimed responsibility. UMMC operates seven hospitals, 35 clinics and over 200 telehealth sites statewide, including the state's only organ and bone marrow transplant program, its only children's hospital, its only Level I trauma center and one of two Telehealth Centers of Excellence in the United States.
  • QuickLens Chrome Extension Compromised to Steal Cryptocurrency and Credentials: The QuickLens Chrome extension, originally a legitimate Google Lens search tool with roughly 7,000 users, was turned into malware after it changed hands: it was sold on ExtensionHub on October 11, 2025, and ownership was transferred again on February 1, 2026. Version 5.8, released on February 17, 2026, added ClickFix-style prompts and info-stealing functionality; Google removed the extension from the Chrome Web Store after the discovery. The malicious build fingerprints the user's country, browser and operating system, polls an external server every five minutes for JavaScript, stores the returned code in the browser's local storage and executes it on every page load by adding a hidden 1x1 GIF <img> element. It also strips browser security headers from responses so that its injected script runs on pages that would otherwise block it, communicates with a command-and-control (C2) server, and targets cryptocurrency wallets, login credentials, payment information and sensitive form data. The same threat actor compromised the ShotBird extension using an identical C2 architecture. Users should remove the extension, scan their devices for malware and reset their passwords.
  • Phobos Ransomware Suspect Arrested in Poland: Polish authorities have arrested a 47-year-old man suspected of ties to the Phobos ransomware group, as part of Operation Aether, an international effort coordinated by Europol. The suspect was found with stolen credentials, credit card numbers and server access data that could facilitate ransomware attacks, and faces charges under Article 269b of Poland's Criminal Code, which carries a maximum sentence of five years. Operation Aether has targeted Phobos-linked individuals at multiple levels, including backend infrastructure operators and the affiliates who carry out network intrusions and data encryption; it has led to the extradition of a key Phobos administrator to the United States and the seizure of 27 servers in Thailand. Russian national Evgenii Ptitsyn, extradited from South Korea in November 2024, pleaded guilty to a wire fraud conspiracy charge for his role in administering the Phobos operation and faces up to 20 years in prison. Phobos has collected over $39 million from more than 1,000 victims worldwide.
  • OAuth Device Code Phishing Campaigns Target Microsoft 365 Accounts: A surge in phishing campaigns abusing Microsoft's OAuth 2.0 device authorization grant has been observed against Microsoft 365 accounts. The device code flow is a legitimate grant for input-constrained devices: the client application requests a device code and a short user code, the user types the user code into the Microsoft device login page and signs in, and the client polls the token endpoint until it receives tokens. In the phishing variant the attacker's application starts the flow; the lure (a QR code, an embedded button or hyperlinked text, typically framed as document sharing, token reauthorisation or a security verification) delivers the user code to the victim; and once the victim enters it and authenticates, the attacker's client receives valid access and refresh tokens for the account, without ever touching the password or an MFA code. Both state-aligned and financially motivated actors use the technique. Proofpoint observed the financially motivated actor TA2723 and the Russia-linked cluster UNK_AcademicFlare adopting it against targets in the US and Europe, and attributes the October 2025 surge to readily available tooling such as the Graphish phishing kit and the SquarePhish and SquarePhish2 red-team tools, which require little technical skill. Device code phishing was documented in detail by Microsoft and Volexity in February 2025, who attributed it to Russia-aligned clusters tracked as Storm-2372, APT29, UTA0304 and UTA0307.

The UNK_AcademicFlare activity, ongoing since September 2025, sends from compromised email addresses belonging to government and military organisations to targets in government, think tanks, higher education and transportation in the U.S. and Europe. The lure claims to share a document containing questions or topics to review before a meeting; the link points to a Cloudflare Worker URL that mimics the compromised sender's Microsoft OneDrive account and instructs the victim to copy the provided code and click 'Next' to open the document. More recent campaigns against technology, manufacturing and financial organisations combine device code phishing with voice phishing (vishing) to compromise Microsoft Entra accounts. Unlike earlier attacks that relied on attacker-registered OAuth applications, these campaigns use legitimate Microsoft OAuth client IDs with the device authorization flow, so the tokens the attacker obtains are issued to first-party applications and no phishing site that captures passwords or intercepts MFA codes is involved.

The strongest mitigation is a Conditional Access policy that uses the Authentication Flows condition to block device code flow for all users. Where that is not feasible, use an allow-list policy that permits device code authentication only for approved users, operating systems or IP ranges, and review sign-in logs for device code authentications from unexpected locations.

Separately, Microsoft has warned of campaigns that abuse OAuth's standard redirection behaviour to carry victims past email and browser phishing protections without stealing any tokens. The attacker registers a malicious application in a tenant they control and configures its redirect URI to point at their own infrastructure. The phishing link is a genuine Entra ID authorization URL for that application, but it is built with parameters that request silent authentication without an interactive login (prompt=none) together with an invalid scope. The authorization request therefore fails, and, as the OAuth 2.0 protocol specifies, the identity provider sends the error response to the application's registered redirect URI, which delivers the victim to the attacker's domain by way of a trusted Microsoft login link. In some cases the destination is a phishing page run by an attacker-in-the-middle framework such as EvilProxy, which intercepts valid session cookies to bypass MFA; Microsoft found the 'state' parameter being misused to pre-fill the victim's email address in the credential box to increase the perceived legitimacy of the page. In other cases the victim is sent to a 'download' path that automatically serves a ZIP archive containing malicious shortcut (.LNK) files and HTML smuggling components. Opening the .LNK launches PowerShell, which performs reconnaissance on the host and unpacks the components for the next stage, DLL side-loading: a malicious DLL (crashhandler.dll) decrypts and loads the final payload (crashlog.dat) into memory, while a legitimate executable (stream_monitor.exe) displays a decoy to distract the victim. The activity has led to pre-ransom and hands-on-keyboard operations and targets government and public-sector organisations. Microsoft recommends tightening permissions for OAuth applications, enforcing strong identity protections and Conditional Access policies, and using cross-domain detection that correlates email, identity and endpoint signals.
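The two Microsoft-related patterns above (device code abuse and OAuth redirect abuse) both leave traces that can be checked mechanically. The block below is an added example written for this page; it is not code from Proofpoint, Microsoft or any kit mentioned above. It does two things: scores an Entra ID authorize link for the redirect-abuse combination (silent authentication, a redirect_uri outside a trusted domain list, nonsense scope tokens, an email address smuggled in `state`), and filters Entra sign-in log records for device code authentications that fall outside an allow-list, which is the detection counterpart of the Conditional Access policy recommended above. The sample URLs and sign-in records are constructed, the client IDs are placeholders, and the trusted redirect domain list is an assumption that an organisation would extend with its own registered applications. The sign-in record field names (`authenticationProtocol`, `userPrincipalName`, `location.countryOrRegion`) follow the Entra sign-in log schema.

```python
from urllib.parse import urlparse, parse_qs

ENTRA_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}
# Assumption: hosts considered acceptable OAuth redirect targets. Microsoft
# first-party domains are listed; add your own registered app hosts via extra_trusted.
TRUSTED_REDIRECT_DOMAINS = ("microsoft.com", "microsoftonline.com", "office.com", "live.com", "azure.com")


def _param(qs, key):
    return qs.get(key, [""])[0]


def _host_trusted(host, extra):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_REDIRECT_DOMAINS + tuple(extra))


def analyze_authorize_url(url, extra_trusted=()):
    """Score an Entra ID /authorize link for the OAuth redirect-abuse pattern."""
    u = urlparse(url)
    qs = parse_qs(u.query)
    result = {"entra_authorize": False, "flags": [], "verdict": "not an Entra authorize URL"}
    if (u.hostname or "").lower() not in ENTRA_AUTHORIZE_HOSTS or "/oauth2/" not in u.path or not u.path.endswith("/authorize"):
        return result
    result["entra_authorize"] = True
    flags = result["flags"]
    if _param(qs, "prompt") == "none":          # silent auth: no interactive login, errors go straight to redirect_uri
        flags.append("silent-auth")
    redirect_host = urlparse(_param(qs, "redirect_uri")).hostname or ""
    if redirect_host and not _host_trusted(redirect_host, extra_trusted):
        flags.append(f"untrusted-redirect:{redirect_host}")
    # Heuristic: legitimate scopes are OIDC names, resource URIs (contain "/") or
    # Graph-style Permission.Names (contain "."); anything else is worth a look.
    odd = [s for s in _param(qs, "scope").split() if s not in OIDC_SCOPES and "/" not in s and "." not in s]
    if odd:
        flags.append("odd-scope:" + ",".join(odd))
    state = _param(qs, "state")
    if "@" in state and "." in state.rsplit("@", 1)[-1]:
        flags.append("state-carries-email")
    if "silent-auth" in flags and any(f.startswith("untrusted-redirect") for f in flags):
        result["verdict"] = "likely OAuth redirect abuse"
    elif flags:
        result["verdict"] = "review"
    else:
        result["verdict"] = "benign-looking"
    return result


def triage_device_code_signins(signins, approved_users=frozenset(), approved_countries=frozenset()):
    """Return device-code sign-ins that are not covered by the user/country allow-list."""
    alerts = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        user = s.get("userPrincipalName", "")
        country = s.get("location", {}).get("countryOrRegion", "")
        if user in approved_users and country in approved_countries:
            continue
        alerts.append({"user": user, "app": s.get("appDisplayName"), "ip": s.get("ipAddress"), "country": country})
    return alerts


# Constructed samples (not real campaign data). Client IDs are placeholders.
SUSPICIOUS_AUTHORIZE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-1111-1111-1111-111111111111&response_type=code"
    "&redirect_uri=https%3A%2F%2Fdocs-review.example.net%2Fdownload"
    "&scope=zzz&prompt=none&state=alice%40example.com"
)
BENIGN_AUTHORIZE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000002&response_type=code"
    "&redirect_uri=https%3A%2F%2Fteams.microsoft.com%2Fauth"
    "&scope=openid%20profile%20offline_access%20User.Read&state=abc123"
)
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "deviceCode", "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Authentication Broker", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "deviceCode", "location": {"countryOrRegion": "NL"}},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Outlook", "ipAddress": "203.0.113.11",
     "authenticationProtocol": "authorizationCode", "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office", "ipAddress": "192.0.2.44",
     "authenticationProtocol": "deviceCode", "location": {"countryOrRegion": "RU"}},
]

if __name__ == "__main__":
    for url in (SUSPICIOUS_AUTHORIZE_URL, BENIGN_AUTHORIZE_URL):
        print(analyze_authorize_url(url))
    for a in triage_device_code_signins(SAMPLE_SIGNINS, {"alice@example.com"}, {"US"}):
        print("device code sign-in outside allow-list:", a)
```

The URL analyser is a triage aid for links pulled from mail logs, not a replacement for blocking the flow: a benign-looking verdict only means none of the four indicators is present. The sign-in triage assumes device code flow is still permitted for some population; once the Conditional Access block is in place every `deviceCode` record is itself an anomaly.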
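For the .arpa phishing item in the summary above, the detection handle is structural: a hostname under ip6.arpa or in-addr.arpa encodes the address block it belongs to, nibble by nibble in reverse, and no legitimate service asks users to sign in at such a name. The block below is an added example written for this page, not Infoblox's tooling or anything from the campaign. It decodes a reverse-zone hostname back to the IPv6 or IPv4 network it sits in (including partial names inside a delegated zone, where the attacker prepends labels of their choosing) and flags URLs that use one. The sample URLs and the 2001:db8::/32 and 192.168.1.0/24 blocks are constructed documentation/private ranges, not addresses from the campaign.

```python
import ipaddress
from urllib.parse import urlparse

HEX_DIGITS = set("0123456789abcdef")


def decode_reverse_zone(host):
    """Map a hostname under ip6.arpa or in-addr.arpa back to the address space it
    sits in. Returns (network, extra_labels), or None if the name is not under a
    reverse zone. extra_labels are the leading labels that are not address
    components, i.e. a name the zone holder chose inside their delegated zone."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 3 or labels[-1] != "arpa":
        return None
    body = labels[:-2]
    used = []
    if labels[-2] == "ip6":
        # Labels nearest the apex are the most significant nibbles; walk inward
        # from the apex and stop at the first label that is not a single hex digit.
        for lab in reversed(body):
            if len(lab) == 1 and lab in HEX_DIGITS:
                used.append(lab)
            else:
                break
        if not used or len(used) > 32:
            return None
        addr = ipaddress.IPv6Address(int("".join(used).ljust(32, "0"), 16))
        net = ipaddress.IPv6Network(f"{addr}/{4 * len(used)}", strict=False)
    elif labels[-2] == "in-addr":
        for lab in reversed(body):
            if lab.isdigit() and int(lab) <= 255:
                used.append(lab)
            else:
                break
        if not used or len(used) > 4:
            return None
        dotted = ".".join(used + ["0"] * (4 - len(used)))
        net = ipaddress.IPv4Network(f"{dotted}/{8 * len(used)}", strict=False)
    else:
        return None
    return net, body[: len(body) - len(used)]


def triage_url(url):
    """Flag links whose host lives under a reverse-DNS zone. Such names carry no
    WHOIS record or registration age to score, so reputation checks say nothing;
    the structural check below is what remains."""
    host = urlparse(url).hostname or ""
    decoded = decode_reverse_zone(host)
    if decoded is None:
        return {"url": url, "suspicious": False, "network": None, "labels": []}
    net, extra = decoded
    return {"url": url, "suspicious": True, "network": str(net), "labels": extra}


# Constructed sample links: a full /128 name, a name inside a delegated /32,
# an IPv4 reverse name, and an ordinary hostname for contrast.
SAMPLE_URLS = [
    "https://login." + "1." + "0." * 23 + "8.b.d.0.1.0.0.2.ip6.arpa/sign-in",
    "https://payroll-portal.8.b.d.0.1.0.0.2.ip6.arpa/",
    "http://secure.1.168.192.in-addr.arpa/",
    "https://accounts.example.com/login",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(triage_url(u))
```

The decoded network is the useful pivot: it tells you which IPv6 allocation (and therefore which tunnel or hosting provider) the attacker controls, which is what you block or report, since the hostnames themselves are short-lived.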

Latest updates


Microsoft Teams to Tag Third-Party Bots in Meeting Lobbies

Updated: · First: 09.03.2026 19:12 · 📰 1 src / 1 articles

Microsoft Teams will introduce a feature to automatically tag third-party bots in meeting lobbies, allowing organizers to control their access. This update is scheduled for May 2026 and will be available across all major platforms and cloud environments. The feature aims to prevent accidental admission of bots, ensuring organizers have explicit control over their presence in meetings. This development follows previous enhancements, including a call reporting feature and fraud-protection measures for calls, which help users identify and flag suspicious or unwanted calls.

Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data

Updated: 09.03.2026 19:12 · First: 27.08.2025 12:39 · 📰 17 src / 44 articles

Salesforce is warning customers of an **ongoing campaign** by the ShinyHunters extortion gang that abuses misconfigured Experience Cloud instances to steal data through the /s/sfsites/aura API endpoint. The attackers rely on excessive guest user permissions, **not a platform vulnerability**: when the unauthenticated guest user profile has read access to CRM objects, those objects can be queried through the Aura endpoint without logging in. ShinyHunters uses a modified version of Mandiant's *AuraInspector* tool for reconnaissance and claims to have compromised **300–400 organizations**, including 100 high-profile targets, since September 2025; it also asserts that it has bypassed Salesforce's query limits and found a way to exfiltrate data even from properly configured instances. Salesforce denies any inherent platform flaw but urges customers to audit guest user permissions, disable public API access, and monitor for suspicious activity. This follows the **Salesloft Drift OAuth breach** (August 2025), in which UNC6395/GRUB1 stole OAuth tokens issued to the Drift integration and used them to access Salesforce customer data at over 700 organizations, including Zscaler, Palo Alto Networks, and Cloudflare. The FBI previously linked UNC6395 and UNC6040 (a cluster that specialises in vishing) to broader extortion campaigns against Salesforce customers, many of which ShinyHunters has claimed. Salesforce and Salesloft have since revoked the compromised tokens, disabled Drift integrations, and recommended credential rotation. The new Aura/Experience Cloud attacks represent a **shift in tactics**, exploiting misconfigurations rather than stolen OAuth tokens, though the same threat actor (ShinyHunters) is implicated.

Threat Actor Uses Elastic Cloud SIEM to Manage Stolen Data from Multiple Organizations

Updated: · First: 09.03.2026 17:45 · 📰 1 src / 1 articles

A threat actor exploited multiple software vulnerabilities to steal data from at least 216 systems across 34 Active Directory domains. The attacker used a free-trial instance of Elastic Cloud's SIEM platform to collect, store, and analyze stolen data, turning a legitimate security tool into a repository for exfiltrated information. The campaign affected organizations across various sectors, including government, education, finance, and manufacturing. The infrastructure was taken down after discovery.

Phishing Attacks Impersonating US City and County Officials

Updated: · First: 09.03.2026 17:30 · 📰 1 src / 1 articles

The FBI warns of phishing attacks where criminals impersonate U.S. city and county officials to target businesses and individuals requesting planning and zoning permits. Victims receive emails with permit details and are instructed to pay fraudulent fees via wire transfer, peer-to-peer payment, or cryptocurrency. The scammers use publicly available information to make their messages appear legitimate. The FBI advises verifying the legitimacy of such communications by checking email domains and contacting local government offices. Victims are urged to report incidents to the FBI's Internet Crime Complaint Center (IC3).

Trump Administration Releases National Cyber Strategy

Updated: · First: 09.03.2026 17:00 · 📰 1 src / 1 articles

The Trump Administration has unveiled a new national cyber strategy focused on strengthening US digital defenses, countering foreign adversaries, and accelerating innovation. The strategy outlines six policy pillars to guide federal cybersecurity policy and resource allocation, emphasizing proactive measures and government coordination. The document frames cyberspace as central to US economic strength, national security, and technological leadership, highlighting the growing threats from hostile states and cyber-criminal groups. It prioritizes offensive cyber operations, law enforcement measures, and economic sanctions to deter attacks and dismantle criminal networks. Implementation of the strategy will depend on funding and operational capabilities, with experts noting the need for rapid classified offensive work contracting vehicles.

UNC4899 Exploits AirDrop to Compromise Crypto Firm's Cloud Environment

Updated: · First: 09.03.2026 16:50 · 📰 1 src / 1 articles

UNC4899, a North Korean threat actor, breached a cryptocurrency firm in 2025 by socially engineering a developer into accepting an AirDrop transfer of a trojanized file onto their work device. From that foothold the attackers pivoted into the firm's cloud environment, using living-off-the-cloud (LOTC) techniques: abusing DevOps workflows, harvesting credentials and tampering with Cloud SQL databases, ultimately stealing millions in cryptocurrency. The incident highlights the risks of personal-to-corporate peer-to-peer file transfers, privileged container modes, and insecure handling of secrets in cloud environments.

Password Audits Overlook Critical Attacker Targets

Updated: · First: 09.03.2026 16:10 · 📰 1 src / 1 articles

Password audits often miss the accounts attackers actually target: orphaned accounts with no current owner, service accounts, and accounts whose passwords are reused or already present in breach corpora. Standard audits check complexity and expiry policy but ignore contextual risk such as over-privileged users or credentials exposed in earlier breaches. An effective audit screens password hashes against breach data, covers every account type including dormant and service accounts, and runs continuously rather than as a one-off exercise.
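The audit described above (here and in the summary bullet of the same name) reduces to a handful of checks over an account export plus a breach lookup. The block below is an added example written for this page, not a tool from the original article. It screens SHA-1 password hashes against a breach corpus using the k-anonymity pattern (only a five-character hash prefix would leave the network; suffix matching happens locally), detects password reuse across accounts, and flags dormant, orphaned, stale and over-privileged service accounts. The account records, the breach corpus and the 90-day/365-day thresholds are constructed assumptions; in practice the hashes come from a directory dump and the range data from a breach service.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Fixed reference time so the findings below are reproducible (assumption).
NOW = datetime(2026, 3, 9, tzinfo=timezone.utc)
DORMANT_AFTER = timedelta(days=90)
ROTATE_SERVICE_AFTER = timedelta(days=365)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus, indexed the way a k-anonymity range service is:
# 5-character SHA-1 prefix -> set of 35-character suffixes. In production the
# prefix is what you send to the service and the suffix list is what comes back.
BREACH_INDEX = {}
for _pw in ("Summer2025!", "Welcome1", "Password123"):
    _h = sha1_hex(_pw)
    BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def is_breached_hash(sha1):
    """k-anonymity check: look up by prefix, match the suffix locally."""
    sha1 = sha1.upper()
    return sha1[5:] in BREACH_INDEX.get(sha1[:5], set())


# Constructed account export (the shape you would pull from AD or Entra).
# pwd_sha1 stands in for the hash you audit; never collect plaintext passwords.
ACCOUNTS = [
    {"sam": "jdoe", "enabled": True, "last_logon": NOW - timedelta(days=2), "pwd_set": NOW - timedelta(days=30),
     "spn": False, "owner": "jdoe", "groups": ["Domain Users"], "pwd_sha1": sha1_hex("Summer2025!")},
    {"sam": "svc_backup", "enabled": True, "last_logon": NOW - timedelta(days=1), "pwd_set": NOW - timedelta(days=900),
     "spn": True, "owner": None, "groups": ["Domain Admins"], "pwd_sha1": sha1_hex("Summer2025!")},
    {"sam": "old_contractor", "enabled": True, "last_logon": NOW - timedelta(days=400), "pwd_set": NOW - timedelta(days=500),
     "spn": False, "owner": "pm_left", "groups": ["Domain Users"], "pwd_sha1": sha1_hex("Welcome1")},
    {"sam": "admin_alice", "enabled": True, "last_logon": NOW - timedelta(days=1), "pwd_set": NOW - timedelta(days=10),
     "spn": False, "owner": "alice", "groups": ["Domain Admins"], "pwd_sha1": sha1_hex("Tr0ub4dor&3-rotated-2026")},
]
ACTIVE_PEOPLE = {"jdoe", "alice"}  # owners who still exist and are active


def audit(accounts, active_people):
    """Return {sam: [finding, ...]} covering the checks a policy-only audit skips."""
    hash_owners = {}
    for a in accounts:
        hash_owners.setdefault(a["pwd_sha1"], []).append(a["sam"])
    findings = {}
    for a in accounts:
        f = []
        if is_breached_hash(a["pwd_sha1"]):
            f.append("breached-password")
        sharers = [s for s in hash_owners[a["pwd_sha1"]] if s != a["sam"]]
        if sharers:
            f.append("password-reused:" + ",".join(sharers))
        if a["enabled"] and (a["last_logon"] is None or NOW - a["last_logon"] > DORMANT_AFTER):
            f.append("dormant")
        if a["owner"] is None or a["owner"] not in active_people:
            f.append("orphaned")
        if a["spn"]:  # service account (has a service principal name)
            if NOW - a["pwd_set"] > ROTATE_SERVICE_AFTER:
                f.append("service-password-not-rotated")
            if set(a["groups"]) & PRIVILEGED_GROUPS:
                f.append("over-privileged-service-account")
        findings[a["sam"]] = f
    return findings


if __name__ == "__main__":
    for sam, f in audit(ACCOUNTS, ACTIVE_PEOPLE).items():
        print(f"{sam:15} {', '.join(f) or 'ok'}")
```

The reuse check is what links the findings together: a breached password on a low-privilege user is a password reset, but the same hash on a Domain Admin service account with no owner is the path an attacker would actually take.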

Windows 11 KB5070311 Update Addresses File Explorer and Search Issues

Updated: 09.03.2026 16:10 · First: 02.12.2025 13:19 · 📰 4 src / 7 articles

Microsoft has released KB5070311, an optional preview cumulative update for Windows 11 that addresses File Explorer freezes, search problems and other bugs. The update contains 49 changes and belongs to the monthly preview updates that precede each Patch Tuesday release. It fixes explorer.exe responsiveness problems, search failures on SMB shares and LSASS instability, but it also introduced a regression: a bright white flash when File Explorer is launched in dark mode. Microsoft addressed that regression in the December KB5072033 Patch Tuesday cumulative update but is still working on a complete fix, which is rolling out to Windows Insiders in the Beta and Dev channels through Windows 11 Build 26220.7961 (KB5079382) and Windows 11 Build 26300.7965 (KB5079385). KB5070311 is available for manual installation and moves Windows 11 25H2 and 24H2 devices to builds 26200.7309 and 26100.7309 respectively. Microsoft also announced that there will be no preview update in December 2025 because of reduced operations over the Western holidays, with the normal cadence resuming in January 2026. The latest preview builds additionally add voice typing (Windows key + H) when renaming files in File Explorer and improve the reliability of unblocking files downloaded from the internet so they can be previewed in File Explorer. Since November, Microsoft has also been testing an optional feature that preloads File Explorer in the background to speed up launch times.

UK Establishes Online Crime Centre to Disrupt Cyber-Fraud Operations

Updated: · First: 09.03.2026 16:00 · 📰 1 src / 1 articles

The UK government has launched an Online Crime Centre as part of an expanded anti-fraud strategy. The centre brings together government, intelligence agencies, law enforcement, banks, mobile networks and tech firms to disrupt cyber-criminal operations, including overseas scam compounds. It aims to tackle fraud estimated at £14bn a year by identifying and shutting down the accounts, websites and phone numbers fraudsters use. The strategy also calls for AI to detect and stop suspicious bank transfers and for 'scam-baiting chatbots' that gather intelligence and tie up fraudsters' time. A new fraud victims charter will provide improved support and consistent advice for victims of cyber-fraud.

Transparent Tribe Uses AI-Powered Malware Against Indian Entities

Updated: · First: 09.03.2026 15:46 · 📰 1 src / 1 articles

Transparent Tribe, a Pakistan-aligned threat actor, has used AI-powered coding tools to produce malware in niche languages such as Nim, Zig and Crystal. The malware, dubbed Vibeware, targets the Indian government and its embassies in several countries. AI-assisted development lets the actor industrialise malware production and flood target environments with disposable binaries written in several languages, so that individual samples are short-lived and signatures lag behind them. The unusual languages and toolchains are also poorly covered by traditional security tools, which makes the threats harder to detect and mitigate.

AI Security Startups Dominate 2026 Cyber 150 Awards

Updated: · First: 09.03.2026 15:25 · 📰 1 src / 1 articles

The 2026 Cyber 150 awards, announced by IT-Harvest, highlight the rapid growth of AI-focused cybersecurity startups. 22% of the winners are AI security firms, reflecting a significant trend in the industry. The awards recognize the fastest-growing mid-size cybersecurity companies worldwide, with a focus on innovation and market traction. The 2026 cohort includes 33 AI security companies, with notable entrants such as 7AI, Adaptive Security, and Noma Security. Tenex.ai, a US-based startup, ranked as the top-growing startup with a 318% growth rate. The awards also highlight the dominance of US-based companies, with 89 nominees from the US alone.

CL-UNK-1068 Targets Asian Critical Infrastructure with Web Server Exploits and Mimikatz

Updated: 09.03.2026 14:05 · First: 09.03.2026 09:21 · 📰 2 src / 2 articles

A previously undocumented Chinese threat actor tracked as CL-UNK-1068 has been targeting critical infrastructure in South, Southeast and East Asia since at least 2020. The campaign, assessed with moderate-to-high confidence to be cyber espionage, has hit aviation, energy, government, law enforcement, pharmaceutical, technology and telecommunications organisations. The group gains access by exploiting public-facing web servers and deploying web shells, then moves laterally and steals sensitive files from both Windows and Linux hosts, using a mix of custom malware, open-source utilities and living-off-the-land binaries (LOLBINs) for persistence and exfiltration. Its toolset includes the Godzilla and AntSword web shells, Xnote, Fast Reverse Proxy (FRP) for tunnelling and ScanPortPlus for network scanning; credentials are dumped with Mimikatz and similar tools. A notable technique is DLL side-loading through legitimate Python executables, so that malicious payloads run under a trusted process name.
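The Python DLL side-loading technique attributed to CL-UNK-1068 above (and in the summary bullet of the same name) is detectable from image-load telemetry: a genuine python.exe or pythonw.exe loads python3XX.dll and the VC runtime from its own installation directory or from System32, and the official binaries are signed. The block below is an added example written for this page, not detection content from the original report. It walks Sysmon Event ID 7 (Image loaded) records and flags a Python interpreter running from a staging directory, a Python DLL loaded from somewhere other than the interpreter's directory or the system directories, and an unsigned Python DLL. The events, the DLL name list and the staging-directory list are constructed assumptions; extend the lists to match your estate.

```python
import ntpath

PYTHON_HOSTS = {"python.exe", "pythonw.exe"}
# DLLs a Python interpreter loads by name from its own directory. A copy of the
# interpreter dropped next to a same-named malicious DLL loads that DLL first.
PYTHON_DLLS = {"python3.dll", "python38.dll", "python39.dll", "python310.dll",
               "python311.dll", "python312.dll", "python313.dll",
               "vcruntime140.dll", "vcruntime140_1.dll"}
# Assumption: directories where an interpreter or its DLLs should never live.
STAGING_DIRS = ("c:\\users\\public", "c:\\programdata", "\\appdata\\local\\temp",
                "c:\\windows\\temp", "c:\\perflogs")
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")


def _norm(path):
    return path.replace("/", "\\").lower()


def check_image_load(event):
    """event: dict with the Sysmon Event ID 7 fields Image, ImageLoaded and Signed."""
    image, dll = _norm(event["Image"]), _norm(event["ImageLoaded"])
    image_name, image_dir = ntpath.basename(image), ntpath.dirname(image)
    dll_name, dll_dir = ntpath.basename(dll), ntpath.dirname(dll)
    alerts = []
    if image_name not in PYTHON_HOSTS:
        return alerts
    if any(s in image_dir for s in STAGING_DIRS):
        alerts.append("python-interpreter-in-staging-dir")
    if dll_name in PYTHON_DLLS:
        if dll_dir != image_dir and not dll_dir.startswith(SYSTEM_DIRS):
            alerts.append("python-dll-from-foreign-dir")
        if str(event.get("Signed", "")).lower() != "true":
            alerts.append("unsigned-python-dll")
        if any(s in dll_dir for s in STAGING_DIRS):
            alerts.append("python-dll-in-staging-dir")
    return alerts


def scan(events):
    """Return (Image, ImageLoaded, alerts) for every event that raised at least one alert."""
    hits = []
    for e in events:
        alerts = check_image_load(e)
        if alerts:
            hits.append((e["Image"], e["ImageLoaded"], alerts))
    return hits


# Constructed Sysmon EID 7 records: two benign loads, two side-loading patterns,
# and an unrelated process for contrast.
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\Python312\\python.exe",
     "ImageLoaded": "C:\\Program Files\\Python312\\python312.dll", "Signed": "true"},
    {"Image": "C:\\Program Files\\Python312\\python.exe",
     "ImageLoaded": "C:\\Windows\\System32\\vcruntime140.dll", "Signed": "true"},
    {"Image": "C:\\Users\\Public\\Libraries\\pythonw.exe",
     "ImageLoaded": "C:\\Users\\Public\\Libraries\\python312.dll", "Signed": "false"},
    {"Image": "C:\\Program Files\\Python312\\python.exe",
     "ImageLoaded": "C:\\ProgramData\\vcruntime140.dll", "Signed": "false"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for image, dll, alerts in scan(SAMPLE_EVENTS):
        print(f"{image} -> {dll}: {', '.join(alerts)}")
```

The third sample is the pattern described above in full: a copied interpreter and an unsigned DLL sitting together in a world-writable directory. The fourth shows the variant where the real installation is kept and only the search path is poisoned; the foreign-directory check catches it even though the interpreter itself looks legitimate.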

Bitdefender GravityZone Security Platform for Mid-Market Organizations

Updated: · First: 09.03.2026 13:45 · 📰 1 src / 1 article

Bitdefender is promoting its GravityZone security platform as a solution for mid-market organizations to achieve enterprise-level security with lean IT and security teams. The platform aims to simplify operations, reduce costs, and strengthen security posture, addressing the challenges of limited budgets and resources. The upcoming webinar highlights how GravityZone can help organizations demonstrate reduced risk and increased security posture to leadership, business partners, and customers. It also discusses reducing security fire-fighting and freeing up teams to focus on strategic projects.

TriZetto Healthcare Data Breach Exposes 3.4 Million Patient Records

Updated: 09.03.2026 12:45 · First: 06.03.2026 21:50 · 📰 2 src / 2 articles

TriZetto Provider Solutions, a healthcare IT company under Cognizant, suffered a data breach that exposed sensitive health data of over 3.4 million individuals. The breach began on November 19, 2024, and was detected on October 2, 2025. The exposed data includes names, addresses, Social Security numbers, and health insurance details. Affected providers were notified in December 2025, and customer notifications started in February 2026. TriZetto has enhanced its cybersecurity measures and offered free credit monitoring services to affected individuals. No financial data was compromised, and no misuse of the data has been reported. The breach was discovered in a web portal used by some of its healthcare provider customers, and TriZetto's platform is certified to SOC 2, EHNAC, and HITRUST.

QuickLens Chrome Extension Compromised to Steal Cryptocurrency and Credentials

Updated: 09.03.2026 12:28 · First: 28.02.2026 21:18 · 📰 2 src / 2 articles

The QuickLens Chrome extension, initially a legitimate tool for Google Lens searches, was compromised to push malware and steal cryptocurrency and credentials from approximately 7,000 users. The malicious version 5.8, released on February 17, 2026, introduced ClickFix attacks and info-stealing functionality. Google removed the extension from the Chrome Web Store after the discovery. The compromised extension stripped browser security headers, communicated with a command-and-control (C2) server, and executed malicious JavaScript on every page load. It targeted various cryptocurrency wallets, login credentials, payment information, and sensitive form data. The extension was sold on ExtensionHub on October 11, 2025, and ownership changed to '[email protected]' on February 1, 2026. The malicious update introduced code to fingerprint the user's country, detect the browser and operating system, and poll an external server every five minutes to receive JavaScript. The received JavaScript is stored in the browser's local storage and executed on every page load by adding a hidden 1x1 GIF <img> element. The same threat actor is behind the compromise of both the QuickLens and ShotBird extensions, which use an identical C2 architecture pattern. Users are advised to remove the extension, scan their devices for malware, and reset passwords.

Ghanaian Fraud Ring Member Pleads Guilty to $100 Million Scam

Updated: 09.03.2026 12:00 · First: 06.03.2026 12:08 · 📰 2 src / 2 articles

Derrick Van Yeboah, a Ghanaian national, pleaded guilty to his role in a fraud ring that stole over $100 million from U.S. victims through business email compromise (BEC) attacks and romance scams. The operation, active from 2016 to May 2023, involved multiple accomplices and targeted vulnerable individuals and businesses. Van Yeboah, a high-ranking member, impersonated romantic partners to gain trust and then tricked victims into sending money. He also helped launder funds from other victims and participated in BEC attacks by impersonating senior corporate leaders or suppliers. Van Yeboah is set to pay over $10 million in restitution and faces up to 20 years in prison.

AI Assistants Pose New Security Risks with Autonomous Actions and Misconfigurations

Updated: · First: 09.03.2026 01:35 · 📰 1 src / 1 article

AI assistants, particularly OpenClaw, are rapidly gaining popularity among developers and IT workers due to their ability to autonomously manage tasks. However, their powerful capabilities and potential misconfigurations pose significant security risks. OpenClaw can access and manage users' digital lives, including emails, calendars, and various online services. Recent incidents, such as an AI assistant mass-deleting emails and exposing sensitive credentials, highlight the dangers of poorly secured AI agents. Attackers can exploit misconfigured OpenClaw interfaces to impersonate users, inject messages, and exfiltrate data. Additionally, supply chain attacks involving AI assistants demonstrate the ease with which malicious actors can compromise systems. The rise of AI assistants is shifting security priorities and blurring the lines between trusted coworkers and insider threats.

EU Advocate General Rules Banks Must Immediately Refund Phishing Victims

Updated: · First: 08.03.2026 17:25 · 📰 1 src / 1 article

The Advocate General of the Court of Justice of the EU (CJEU) has issued an opinion stating that banks must immediately refund customers affected by unauthorized transactions resulting from phishing, even if the customer's negligence contributed to the fraud. The opinion clarifies that banks can later seek recovery of the losses if they can prove gross negligence or intentional misconduct by the customer. The case involved a Polish bank, PKO BP S.A., and a customer who fell victim to a phishing scam. The customer entered their credentials on a fake bank login page, leading to an unauthorized transaction. The bank refused to refund the victim, arguing that the customer's negligence caused the loss. The Advocate General concluded that under the EU Payment Services Directive (PSD2), banks must first refund the victim unless they have reasonable grounds to suspect fraud.

Threat Actors Abuse .arpa DNS and IPv6 for Phishing Campaigns

Updated: · First: 08.03.2026 16:12 · 📰 1 src / 1 article

Threat actors are exploiting the .arpa domain and IPv6 reverse DNS to evade phishing defenses. They abuse reverse DNS zones to host phishing sites, leveraging reputable DNS providers like Cloudflare and Hurricane Electric. The campaign uses short-lived phishing links and other techniques such as hijacking dangling CNAME records and subdomain shadowing. The attackers reserve IPv6 address space, configure additional DNS records, and use reverse DNS hostnames to redirect victims to phishing sites. The lack of WHOIS data and domain age information in the .arpa domain makes detection harder. Infoblox observed over 100 instances of hijacked CNAMEs from well-known organizations, including government agencies, universities, and retailers.

OpenAI's Aardvark agent for automated code vulnerability detection and patching

Updated: 07.03.2026 18:28 · First: 31.10.2025 19:19 · 📰 2 src / 3 articles

OpenAI has introduced Aardvark, an agentic security researcher powered by GPT-5, designed to automatically detect, assess, and patch security vulnerabilities in code repositories. The agent integrates into the software development pipeline to continuously monitor code changes and propose fixes. Aardvark has already identified at least 10 CVEs in open-source projects during its beta testing phase. The agent uses GPT-5's advanced reasoning capabilities and a sandboxed environment to validate and patch vulnerabilities. OpenAI envisions Aardvark as a tool to enhance security without hindering innovation. OpenAI has rolled out Codex Security, an evolution of Aardvark, which is available in a research preview to ChatGPT Pro, Enterprise, Business, and Edu customers. Codex Security has scanned over 1.2 million commits, identifying 792 critical and 10,561 high-severity findings. The tool leverages advanced models and automated validation to minimize false positives and propose actionable fixes.

Velvet Tempest leverages ClickFix and CastleRAT in ransomware operations

Updated: · First: 07.03.2026 18:14 · 📰 1 src / 1 article

The threat group Velvet Tempest, also tracked as DEV-0504, has been observed using the ClickFix technique and legitimate Windows utilities to deploy the DonutLoader malware and the CastleRAT backdoor in a simulated environment. The group, known for deploying multiple ransomware strains, conducted Active Directory reconnaissance, credential harvesting, and environment profiling over a 12-day period. Initial access was gained through a malvertising campaign that led to a lure combining ClickFix with a CAPTCHA. Despite the group's history with ransomware, Termite ransomware was not deployed in this observed intrusion.

North Korean APTs Leverage AI to Enhance IT Worker Scams

Updated: 07.03.2026 17:15 · First: 06.03.2026 19:49 · 📰 2 src / 2 articles

North Korean threat actors, specifically the clusters Jasper Sleet and Coral Sleet, are using AI to enhance their IT worker scams. These groups employ AI to fabricate identities, maintain digital personas, and socially engineer potential employers. The AI tools help them research job postings, generate fake resumes, and create convincing digital identities. Once employed, they use AI to perform job tasks, generate code snippets, and develop web infrastructure for malicious purposes. The use of AI complicates detection and response efforts, making these scams more effective and harder to detect. Microsoft has observed Jasper Sleet using generative AI platforms to streamline the development of fraudulent digital personas, including generating culturally appropriate name lists and email address formats. Jasper Sleet also uses AI to review job postings for software development and IT-related roles on professional platforms, prompting the tools to extract and summarize the required skills. Coral Sleet uses AI to quickly generate fake company sites, provision infrastructure, and test and troubleshoot its deployments. Threat actors are also using AI coding tools to generate and refine malicious code, troubleshoot errors, or port malware components to different programming languages. Some malware experiments show signs of AI-enabled malware that dynamically generates scripts or modifies its behavior at runtime. Threat actors are using jailbreaking techniques to trick LLMs into generating malicious code or content. Microsoft advises organizations to treat these schemes and similar activity as insider risks and to focus on detecting abnormal credential use, hardening identity systems against phishing, and securing AI systems.

Anthropic AI Model Discovers 22 Firefox Vulnerabilities

Updated: · First: 07.03.2026 13:21 · 📰 1 src / 1 article

Anthropic, in partnership with Mozilla, identified 22 security vulnerabilities in Firefox using its Claude Opus 4.6 AI model. The vulnerabilities, discovered over two weeks in January 2026, comprise 14 high-severity, 7 moderate-severity, and 1 low-severity issue. They were addressed in Firefox 148, released late last month. The AI model detected a use-after-free bug in the browser's JavaScript engine within 20 minutes, highlighting its efficiency in vulnerability discovery. Anthropic also tested the AI's ability to develop exploits for the identified vulnerabilities and found that it succeeded in only two cases out of several hundred attempts. The company emphasized that identifying vulnerabilities is far more cost-effective than developing exploits for them. One of the vulnerabilities, CVE-2026-2796, is a just-in-time (JIT) miscompilation in the JavaScript WebAssembly component with a CVSS score of 9.8. Mozilla confirmed that the AI-assisted approach discovered 90 additional bugs, most of which have been fixed.

U.S. Secret Service Seizes SIM Servers and Cards Near UN General Assembly

Updated: 07.03.2026 03:01 · First: 23.09.2025 18:48 · 📰 3 src / 4 articles

The U.S. Secret Service has seized 300 SIM servers and 100,000 SIM cards in the New York tri-state area, which were used to threaten U.S. government officials and posed an imminent threat to national security. The seizure occurred near the United Nations General Assembly, and the devices could have been weaponized for various attacks on telecommunications infrastructure. Separately, the FBI is investigating a breach affecting systems used to manage surveillance and wiretap warrants; the breach was addressed, but details on its scope and impact remain undisclosed. Early evidence suggests the involvement of nation-state threat actors, including the Chinese hacker group Salt Typhoon, which in 2024 compromised U.S. federal government systems used for court-authorized network wiretapping requests. The FBI began investigating abnormal log information related to a system on its network on February 17, 2026. The affected system contains law enforcement sensitive information, including returns from legal process such as pen register and trap and trace surveillance returns, as well as personally identifiable information pertaining to subjects of FBI investigations.

Coruna iOS Exploit Kit Targets iOS 13–17.2.1 with 23 Exploits

Updated: 06.03.2026 17:57 · First: 04.03.2026 15:28 · 📰 4 src / 4 articles

Google's Threat Intelligence Group identified the Coruna exploit kit, targeting iOS versions 13.0 to 17.2.1. The kit includes five exploit chains and 23 exploits, some using non-public techniques. It has been used by multiple threat actors, including government-backed groups and financially motivated actors. The kit was first observed in February 2025 and has since been linked to campaigns involving Russian and Chinese actors. The exploit kit leverages vulnerabilities in WebKit and other components, some of which were patched by Apple but remained undocumented until later. The kit is designed to fingerprint devices and deliver appropriate exploits based on the iOS version. It avoids execution on devices in Lockdown Mode or private browsing. The Coruna exploit kit marks a shift from targeted spyware attacks to broader exploitation of iOS devices, including crypto theft attacks. The kit includes a stager loader called PlasmaGrid, which targets cryptocurrency wallet apps such as MetaMask, Phantom, Exodus, BitKeep, and Uniswap. The exploit kit was used in watering hole attacks targeting iPhone users visiting compromised Ukrainian websites in summer 2025 and on fake Chinese gambling and crypto websites in late 2025. The exploit kit includes a binary loader that deploys the final stage of the attack after the initial browser exploit succeeds. It uses custom encryption and compression methods to deliver payloads and is ineffective against the latest iOS versions. CISA added three of the 23 Coruna vulnerabilities to its catalog of Known Exploited Vulnerabilities, ordering federal agencies to patch the vulnerabilities by March 26, 2026. CISA also urged all organizations to prioritize patching these flaws to secure their devices against attacks.

MuddyWater Expands Global Campaigns with New Backdoors Targeting US and Israeli Entities

Updated: 06.03.2026 17:15 · First: 22.10.2025 18:00 · 📰 8 src / 16 articles

The MuddyWater threat actor, linked to Iran and also known as Static Kitten, Mercury, and Seedworm, has conducted a global phishing campaign targeting over 100 organizations, including government entities, embassies, diplomatic missions, foreign affairs ministries, consulates, international organizations, and telecommunications firms in the Middle East and North Africa (MENA) region. The campaign used compromised email accounts to send phishing emails with malicious Microsoft Word documents containing macros that dropped and launched the Phoenix backdoor, version 4. This backdoor provided remote control over infected systems. The campaign was active starting August 19, 2025, and used a command-and-control (C2) server registered under the domain screenai[.]online. The attackers employed three remote monitoring and management (RMM) tools and a custom browser credential stealer, Chromium_Stealer. The malware and tools were hosted on a temporary Python-based HTTP service linked to NameCheap's servers. The campaign highlights the ongoing use of trusted communication channels by state-backed threat actors to evade defenses and infiltrate high-value targets. The server and server-side command-and-control (C2) component were taken down on August 24, 2025, likely indicating a new stage of the attack. The MuddyWater threat actor has also targeted Israeli entities spanning academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors. The hacking group has delivered a previously undocumented backdoor called MuddyViper. The attacks also singled out one technology company based in Egypt. The attack chains involve spear-phishing and the exploitation of known vulnerabilities in VPN infrastructure to infiltrate networks and deploy legitimate remote management tools. The campaign uses a loader named Fooder that decrypts and executes the C/C++-based MuddyViper backdoor. 
The MuddyViper backdoor enables the attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data. Additionally, the MuddyWater threat actor has deployed a new backdoor called UDPGangster that uses the User Datagram Protocol (UDP) for command-and-control (C2) purposes. The attack chain involves using spear-phishing tactics to distribute booby-trapped Microsoft Word documents that trigger the execution of a malicious payload once macros are enabled. The phishing messages impersonate the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs and purport to invite recipients to an online seminar titled "Presidential Elections and Results." The VBA script in the dropper file conceals any sign of malicious activity by displaying a Hebrew-language decoy image from the Israeli telecommunications provider Bezeq about supposed disconnection periods in the first week of November 2025 across various cities in the country. UDPGangster establishes persistence through Windows Registry modifications and includes various anti-analysis checks to resist efforts by security researchers to take it apart. UDPGangster connects to an external server ("157.20.182[.]75") over UDP port 1269 to exfiltrate collected data, run commands using "cmd.exe," transmit files, update the C2 server, and drop and execute additional payloads. The MuddyWater threat actor has launched a new campaign targeting diplomatic, maritime, financial, and telecom entities in the Middle East with a Rust-based implant codenamed RustyWater. The campaign uses icon spoofing and malicious Word documents to deliver Rust-based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion.
The RustyWater implant gathers victim machine information, detects installed security software, sets up persistence by means of a Windows Registry key, and establishes contact with a command-and-control (C2) server (nomercys.it[.]com) to facilitate file operations and command execution. The RustyWater implant is also referred to as Archer RAT and RUSTRIC. The use of RUSTRIC was previously flagged by Seqrite Labs as part of attacks targeting IT, MSP, human resources, and software development companies in Israel. Historically, MuddyWater has relied on PowerShell and VBS loaders for initial access and post-compromise operations, but the introduction of Rust-based implants represents a notable tooling evolution toward more structured, modular, and low-noise RAT capabilities. The MuddyWater threat actor has launched a new campaign codenamed Operation Olalampo targeting organizations and individuals in the Middle East and North Africa (MENA) region. The campaign involves the deployment of new malware families including GhostFetch, HTTP_VIP, CHAR, and GhostBackDoor. GhostFetch is a first-stage downloader that profiles the system, validates mouse movements, checks screen resolution, and fetches and executes secondary payloads directly in memory. GhostBackDoor is a second-stage backdoor delivered by GhostFetch that supports an interactive shell, file read/write, and re-running GhostFetch. HTTP_VIP is a native downloader that conducts system reconnaissance and deploys AnyDesk from the C2 server. CHAR is a Rust backdoor controlled by a Telegram bot (username "stager_51_bot") that executes cmd.exe or PowerShell commands. The PowerShell command executed by CHAR is designed to launch a SOCKS5 reverse proxy or another backdoor named Kalim, upload data stolen from web browsers, and run unknown executables referred to as "sh.exe" and "gshdoc_release_X64_GUI.exe."
The MuddyWater threat actor has been observed exploiting recently disclosed vulnerabilities on public-facing servers to obtain initial access to target networks. The MuddyWater APT group remains an active threat within the MENA region, where this operation is primarily targeting organizations. The MuddyWater threat actor has also targeted US companies in a new campaign that started in early February 2026. The campaign involves a previously unknown backdoor dubbed 'Dindoor' by cyber threat researchers. The Dindoor backdoor leverages Deno, the JavaScript and TypeScript runtime, to execute. The backdoor was signed with a certificate issued to 'Amy Cherne'. An attempt to exfiltrate data from a software company using Rclone to a Wasabi cloud storage bucket was observed. A different, Python-based backdoor called Fakeset was found on the networks of a US airport. The Fakeset backdoor was signed by certificates issued to 'Amy Cherne' and 'Donald Gay'. The Donald Gay certificate has been used previously to sign malware linked to MuddyWater, including a sample from the malware family tracked as 'Stagecomp', which downloads the Darkcomp backdoor. The Stagecomp and Darkcomp malware have been linked to MuddyWater by security vendors including Google, Microsoft, and Kaspersky.

EC-Council Launches Enterprise AI Credential Suite to Address Workforce Gaps

Updated: 06.03.2026 17:00 · First: 21.02.2026 06:30 · 📰 2 src / 2 articles

EC-Council has expanded its certification portfolio with the launch of the Enterprise AI Credential Suite, introducing four new AI-focused certifications alongside the updated Certified CISO v4. This initiative aims to address the growing gap between AI adoption and workforce readiness, particularly in the U.S., where 700,000 workers need reskilling. The new certifications cover various aspects of AI adoption, security, and governance, aligning with U.S. priorities on workforce development and AI education. The launch is driven by the urgent need to prepare professionals for AI-driven risk environments, as AI adoption accelerates and attack surfaces expand. The certifications are designed to provide practical capabilities across AI adoption, security, and governance, helping organizations scale AI with confidence. The launch marks the largest single expansion of EC-Council's portfolio in its 25-year history, with the certifications structured around the Adopt. Defend. Govern. (ADG) framework. The International Monetary Fund (IMF) and the World Economic Forum (WEF) have highlighted workforce readiness as a primary constraint on AI-driven productivity and growth, with 67 percent of AI talent located in just 15 U.S. cities and women representing only 28 percent of the AI workforce.

InstallFix Attacks Distribute Amatera Infostealer via Fake Claude Code Install Guides

Updated: · First: 06.03.2026 17:00 · 📰 1 src / 1 article

Threat actors are using a new social engineering technique called InstallFix to trick users into executing malicious commands under the guise of installing legitimate CLI tools, such as Claude Code. The attackers create cloned installation pages with malicious commands that deliver the Amatera infostealer. The campaigns are promoted through malvertising on Google Ads, targeting users searching for installation guides. The Amatera infostealer steals browser credentials, cookies, and session tokens while evading detection.

Microsoft 365 Backup Introduces File-Level Restore for Faster Recovery

Updated: · First: 06.03.2026 16:21 · 📰 1 src / 1 article

Microsoft is rolling out an upgrade to Microsoft 365 Backup that enables file-level restore capabilities. This enhancement allows administrators to restore individual files and folders, reducing recovery time and improving efficiency. The feature is currently in public preview and is expected to reach general availability by late April or early May 2026. The upgrade is designed to protect against data loss from ransomware, accidental deletion, or data corruption, and is available exclusively to tenants with Microsoft 365 Backup already enabled. Admins with the SharePoint Backup Administrator role can use this feature to browse and search existing restore points for SharePoint sites and OneDrive accounts.

Iranian Cyber Threat Activity Against U.S. Critical Infrastructure and Kinetic Targeting

Updated: 06.03.2026 16:01 · First: 30.06.2025 15:00 · 📰 16 src / 21 articles

Iranian state-sponsored and affiliated cyber threat actors have **formalized a cyber-kinetic war doctrine**, integrating digital reconnaissance with physical strikes following the February 28, 2026, joint US-Israel military operation (*Epic Fury*). New research confirms Iran's systematic compromise of **Hikvision and Dahua IP cameras** across Israel, Qatar, Bahrain, Kuwait, the UAE, Cyprus, and Lebanon, exploiting **five vulnerabilities for which patches exist but remain widely unapplied** (CVE-2017-7921, CVE-2021-36260, CVE-2023-6895, CVE-2025-34067, CVE-2021-33044) to enable **real-time battle damage assessment and missile-targeting support**. Check Point Research assesses this activity as a **predictive indicator of kinetic strikes**, mirroring tactics used during the June 2025 Israel-Iran conflict, such as the Weizmann Institute attack. The campaign extends beyond surveillance: **pro-Iranian actors breached Jordan's Silos and Supply General Company via phishing**, while IRGC-linked groups conducted **limited but targeted ICS/SCADA attacks** and **DDoS campaigns against UAE/Bahrain government entities**. CrowdStrike and Flashpoint warn of escalating hybrid tactics, including **propaganda operations, missile strikes on data centers, and hacktivist proxies** (e.g., Russian Legion) expanding their targeting to US-based critical infrastructure. Analysts emphasize that Iran's strategy blends **cyber-enabled kinetic warfare, economic coercion, and psychological operations** to stretch adversary defenses, with **low-cost, high-impact cyber operations** becoming standard doctrine. Organizations are urged to **segment ICS networks, eliminate public WAN exposure for cameras, and monitor for unusual CCTV login patterns** as early warnings of physical threats. Prior waves included **149 hacktivist DDoS attacks** (70% by Keymous+/DieNet) against **110 organizations in 16 countries**, IRGC strikes on **Saudi Aramco and a U.A.E. AWS data center**, and **SMS phishing** via fake *RedAlert* app updates.
UNC1549 (Nimbus Manticore) remains a top-tier threat, while Iranian cryptocurrency exchanges adjust operations amid sanctions-induced connectivity blackouts (internet at ~4% capacity). The UK NCSC and GTIG reiterate calls for **DDoS resilience, ICS segmentation, and supply-chain hardening**, with warnings that Iran’s **ransomware-as-smokescreen** and **wiper attacks** may intensify as the conflict progresses.