
Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

News Summary

Last updated: 18:30 04/03/2026 UTC
  • VMware Aria Operations RCE Flaw Exploited in Attacks: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a VMware Aria Operations vulnerability, CVE-2026-22719, to its Known Exploited Vulnerabilities catalog, indicating it is being exploited in attacks. The flaw, patched on February 24, 2026, allows unauthenticated attackers to execute arbitrary commands on vulnerable systems. Federal agencies must address the issue by March 24, 2026. The vulnerability impacts VMware Cloud Foundation and VMware vSphere Foundation 9.x.x.x (fixed in version 9.0.2.0) and VMware Aria Operations 8.x (fixed in version 8.18.6). Broadcom has acknowledged reports of exploitation but cannot confirm them independently. A temporary workaround script, 'aria-ops-rce-workaround.sh,' is available for organizations unable to apply patches immediately.
  • Tycoon2FA Phishing-as-a-Service Takedown: A global operation led by Microsoft and Europol, supported by multiple industry partners, seized infrastructure linked to the Tycoon2FA phishing-as-a-service (PhaaS) operation. Tycoon2FA offered subscription-based services that intercepted live authentication sessions, bypassing multi-factor authentication (MFA) and enabling large-scale attacks on corporate inboxes. The operation resulted in the seizure of over 300 domains associated with Tycoon2FA, which had around 2000 users and used more than 24,000 domains since its launch in August 2023. The primary operator, identified as using the online identities 'SaaadFridi' and 'Mr_Xaad,' remains at large. Tycoon2FA was generating tens of millions of phishing emails each month by mid-2025, reaching more than 60% of all blocked phishing attempts. The platform was sold through Telegram for $120 for 10 days of access, lowering the barrier for low-skilled criminals to launch sophisticated, MFA-bypassing attacks at scale.
  • Ransomware attack disrupts University of Mississippi Medical Center operations: The University of Mississippi Medical Center (UMMC) has resumed normal operations nine days after a ransomware attack disrupted IT systems and blocked access to electronic medical records. All clinics statewide have reopened, and UMMC is working to reschedule missed appointments. The attack led to the cancellation of outpatient procedures, ambulatory surgeries, and imaging appointments, but hospital operations continued using downtime procedures. UMMC is investigating with assistance from CISA, the FBI, and the Department of Homeland Security. The attackers have communicated with UMMC, but no ransomware group has claimed responsibility. UMMC operates seven hospitals, 35 clinics, and over 200 telehealth sites statewide, including the state's only organ and bone marrow transplant program, the only children's hospital, the only Level I trauma center, and one of two Telehealth Centers of Excellence in the United States.
  • Global Coalition on Telecoms (GCOT) Publishes 6G Cybersecurity and Resilience Principles: A coalition of seven governments, including Australia, Canada, Japan, the UK, and the US, along with Finland and Sweden, has launched voluntary cybersecurity and cyber resilience principles for 6G networks. The Global Coalition on Telecoms (GCOT) aims to guide the development of secure and resilient 6G infrastructure, targeting initial commercial rollouts in 2029-2030. The guidelines emphasize containment, confidentiality, integrity, resilience, and regulatory compliance, with support from industry partners like AT&T, BT, Ericsson, and NVIDIA.
  • FBI Seizes RAMP Cybercrime Forum: The FBI has seized the RAMP cybercrime forum, a platform known for facilitating ransomware operations and other cybercriminal activities. The seizure includes both the forum's Tor site and its clearnet domain, ramp4u[.]io, which now display a seizure notice. The forum was a hub for ransomware gangs to advertise their operations and recruit affiliates. The seizure provides law enforcement with access to a significant amount of data tied to the forum's users, including email addresses, IP addresses, and private messages. This could lead to the identification and potential arrest of threat actors who failed to follow proper operational security (opsec). RAMP was created in 2021 by individuals linked to the now-defunct Babuk ransomware group and was administered by key operators such as Mikhail Matveev (also known as Orange, Wazawaka, and BorisElcin) and Stallman. The forum was a prime hub for various ransomware groups, including LockBit, ALPHV/BlackCat, Conti, DragonForce, Qilin, Nova, Radiant, and RansomHub. Following the seizure, Stallman confirmed there were no plans to rebuild the forum, indicating a significant disruption to the cybercriminal ecosystem. Additionally, the FBI has seized the LeakBase cybercrime forum, a major online forum used by cybercriminals to buy and sell hacking tools and stolen data. This seizure is part of an international joint operation coordinated by Europol, known as 'Operation Leak,' involving law enforcement agencies in 14 countries.
  • Coruna iOS Exploit Kit Targets iOS 13–17.2.1 with 23 Exploits: Google's Threat Intelligence Group identified the Coruna exploit kit, targeting iOS versions 13.0 to 17.2.1. The kit includes five exploit chains and 23 exploits, some using non-public techniques. It has been used by multiple threat actors, including government-backed groups and financially motivated actors. The kit was first observed in February 2025 and has since been linked to campaigns involving Russian and Chinese actors. The exploit kit leverages vulnerabilities in WebKit and other components, some of which were patched by Apple but remained undocumented until later. The kit is designed to fingerprint devices and deliver appropriate exploits based on the iOS version. It avoids execution on devices in Lockdown Mode or private browsing. The Coruna exploit kit marks a shift from targeted spyware attacks to broader exploitation of iOS devices.
  • CVE-2026-21385 Exploited in Qualcomm Android Component: Google confirmed that CVE-2026-21385, a high-severity buffer over-read vulnerability in Qualcomm's Graphics component, is being exploited in the wild. The flaw, reported to Qualcomm by Google's Android Security team, is an integer overflow leading to memory corruption. Google's March 2026 update includes patches for 129 vulnerabilities, including critical flaws in System, Framework, and Kernel components. The exploit is under limited, targeted use, but details on the exploitation method remain undisclosed. The vulnerability affects 235 Qualcomm chipsets and Android devices using the impacted Qualcomm component, with patches available in the March 2026 Android security bulletin.
Last updated: 15:15 04/03/2026 UTC
  • Visibility Gaps in Patch Management and Vulnerability Remediation: Organizations face significant challenges in patch management due to visibility gaps and lack of centralized control, particularly with third-party software. These gaps lead to unpatched vulnerabilities, compliance drift, and increased risk exposure. Modern solutions like Action1 aim to streamline detection, prioritization, and oversight of patch management processes, including third-party applications. Effective vulnerability management requires knowing what needs attention, acting quickly with proper tools, and confirming success. Centralized visibility and control are crucial for maintaining shorter remediation timelines, reducing repeat vulnerabilities, and demonstrating stronger audit readiness. Action1 offers a cloud-native platform that connects all endpoints, identifies missing updates, and provides granular control over patch deployment. It incorporates intelligence for prioritization and ensures visibility and accountability through detailed reporting and compliance dashboards.
  • U.S. sanctions cyber scam operations in Southeast Asia: The U.S. Department of the Treasury has sanctioned several large cyber scam networks in Southeast Asia, primarily in Burma and Cambodia. These operations, which used forced labor and human trafficking, stole over $10 billion from Americans in 2024, a 66% increase from the previous year. The scams included romance baiting and fake cryptocurrency investments. The sanctions target individuals and entities linked to the Karen National Army (KNA) and various organized crime networks. The U.S. has established a new task force, the Scam Center Strike Force, to disrupt Chinese cryptocurrency scam networks. This task force, supported by the U.S. Attorney's Office, the Department of Justice, the FBI, and the Secret Service, has already seized over $401 million in cryptocurrency and filed forfeiture proceedings for an additional $80 million in stolen funds. The Treasury Department’s Office of Foreign Assets Control has imposed additional sanctions on the Democratic Karen Benevolent Army (DKBA) and related entities. In a recent development, the U.S. Department of Justice (DoJ) seized $61 million worth of Tether linked to pig butchering crypto scams. The confiscated funds were traced to cryptocurrency addresses used for laundering proceeds from cryptocurrency investment scams. Threat actors target individuals by cultivating romantic relationships on dating and social media messaging apps, coercing victims into investing in fraudulent platforms that display fake high returns. Scammers route stolen money through multiple wallets to hide its nature and source. Tether has frozen around $4.2 billion in assets linked to illicit activity, including $250 million related to scam networks since June 2025.
  • Trend Micro Apex One Management Console 0-Day Exploited: Trend Micro has disclosed and patched two critical vulnerabilities, CVE-2025-71210 and CVE-2025-71211, in its on-premise Apex One Management Console. These vulnerabilities allow for remote code execution (RCE) on vulnerable Windows systems. Trend Micro has released Critical Patch Build 14136 to address these vulnerabilities, which also fixes two high-severity privilege escalation flaws in the Windows agent and four more affecting the macOS agent. The vulnerabilities are due to path traversal weaknesses in the management console and require attackers to have access to it. Previously, Trend Micro disclosed two other critical vulnerabilities, CVE-2025-54948 and CVE-2025-54987, which were actively exploited in the wild. These vulnerabilities allowed for command injection and remote code execution. Trend Micro has released temporary mitigations and is urging users to apply them immediately to protect against potential attacks.
  • Texas Sues TV Manufacturers for Alleged Unauthorized Data Collection via ACR Technology: Texas Attorney General Ken Paxton has filed lawsuits against Sony, Samsung, LG, Hisense, and TCL Technology Group Corporation for allegedly using Automated Content Recognition (ACR) technology to secretly capture screenshots of users' viewing activity every 500 milliseconds and sell the data without consent. The suits highlight concerns about data access by Chinese companies under China's National Security Law. A Texas court initially issued a temporary restraining order (TRO) against Samsung, prohibiting the company from collecting audio and visual data from Texas consumers' smart TVs. However, the court vacated the TRO the following day, allowing Samsung to continue its data collection practices. The TRO, which was set to extend until January 19, followed allegations that Samsung's ACR enrollment practices are deceptive and violate the Texas Deceptive Trade Practices Act (DTPA). The court also noted that users are pressured into consenting to data collection through dark patterns, making it difficult to fully opt out. The lawsuits allege that the collected data is sold to third parties for ad targeting, violating users' privacy rights. This follows a similar 2017 case against Vizio, which settled for $2.2 million for similar practices. Samsung and the State of Texas have reached a settlement agreement over the alleged unlawful collection of content-viewing information through its smart TVs. As part of the agreement, Samsung will revise its privacy disclosures to clearly explain its data collection and processing practices to consumers. Samsung must halt any collection or processing of ACR viewing data without obtaining Texas consumers’ express consent and update its smart TVs to implement clear and conspicuous disclosures and consent screens.
  • Starkiller Phishing Kit Bypasses MFA via Proxy-Based Attacks: A new phishing kit called Starkiller has emerged, allowing attackers to bypass multi-factor authentication (MFA) by proxying legitimate login pages. The kit is distributed as a subscription-based service on the dark web, offering real-time session monitoring and keylogging capabilities. It mimics login pages of major services like Google, Microsoft, and banks, routing traffic through attacker-controlled infrastructure to steal credentials and authentication tokens. Starkiller uses Docker containers running headless Chrome instances to serve genuine page content, making it difficult for security vendors to detect or block. The toolkit is sold with updates and customer support, posing a significant escalation in phishing infrastructure. The service is part of a broader cybercrime offering by a threat group called Jinkusu, which provides additional features such as email harvesting and campaign analytics. Starkiller integrates URL shorteners such as TinyURL to obscure the destination URL. It uses a headless Chrome instance inside a Docker container to act as a reverse proxy between the target and the legitimate site. The platform centralizes infrastructure management, phishing page deployment, and session monitoring within a single control panel, combining URL masking, session hijacking, and MFA bypass to streamline phishing operations.
  • SonicWall MySonicWall Breach Exposes Firewall Configuration Files: Marquis Software Solutions has filed a lawsuit against SonicWall, alleging gross negligence and misrepresentation in the handling of its MySonicWall cloud backup breach, which directly enabled a ransomware attack disrupting 780,000+ individuals across 700+ U.S. banks and credit unions in August 2025. The lawsuit reveals that SonicWall introduced a security gap via an API code change in February 2025, allowing unauthorized access to firewall configuration backups—including AES-256-encrypted credentials and MFA scratch codes. Marquis, whose firewall was fully patched and MFA-enabled, confirms attackers exploited this stolen data to bypass defenses, contradicting earlier assumptions about unpatched devices. The breach exposed personal and financial data of Marquis’s clients, triggering over 36 consumer class-action lawsuits and prompting Marquis to seek damages, indemnification, and legal fees. The SonicWall incident began as a targeted compromise of its MySonicWall portal, initially reported in September 2025 as affecting fewer than 5% of customers but later revised to confirm all cloud backup users were impacted. Stolen configuration files—containing credentials, network topology, and encrypted secrets—fueled follow-on attacks, including the Marquis ransomware breach (January 2026 disclosure) and Akira ransomware campaigns abusing OTP seeds to bypass MFA. SonicWall collaborated with Mandiant to attribute the breach to state-sponsored actors and released remediation tools, but the Marquis lawsuit underscores the long-tail risks of exposed backup data, even post-containment. Over 950 unpatched SMA1000 appliances remain exposed online, while CISA and SonicWall urge firmware updates, credential resets, and MFA enforcement. Legal experts note the case could set a precedent for vendor liability, as enterprises increasingly sue cybersecurity providers for contribution or negligence. The lawsuit also highlights the need for robust vendor due diligence and SLAs that address worst-case scenarios, including vendor-caused breaches. SonicWall may face further legal challenges from Marquis’s clients or regulatory actions if found liable for the downstream impact.
  • ShinyHunters and Scattered Spider Collaboration: SloppyLemming (Outrider Tiger/Fishing Elephant), an India-linked APT group, has escalated its cyber-espionage operations in 2025–2026, targeting Pakistani and Bangladeshi government entities, nuclear regulatory bodies, defense logistics, telecommunications, energy utilities, and financial institutions. The group has evolved from relying on off-the-shelf tools (Cobalt Strike, Havoc) to deploying custom Rust-based malware, including a dual-payload approach: the BurrowShell backdoor (with file manipulation, remote shell, SOCKS proxy, and RC4-encrypted C2 traffic masquerading as Windows Update) and a Rust keylogger (with port scanning and network enumeration). Their C2 infrastructure has expanded eightfold, from 13 Cloudflare Workers domains in 2024 to 112 in 2025, leveraging serverless and edge-hosted services to evade detection and improve scalability. SloppyLemming employs spear-phishing campaigns with PDF lures and macro-enabled Excel documents, leading to ClickOnce application manifests that deploy malicious loaders via DLL side-loading. Despite advancements in tooling, the group’s operational security remains inconsistent, with researchers identifying open directories on C2 servers that exposed their activities. The group operates within a broader India-aligned ecosystem, including TA397 (Bitter), TA399 (Sidewinder), and TA395 (Frantic Tiger), with evidence of shared resourcing and coordinated tasking, though it remains distinct from other India-nexus actors like Dropping Elephant and Mysterious Elephant, which focus on diplomatic and military targets. This campaign underscores the growing regionalization of cyber-espionage in South Asia, driven by geopolitical tensions and strategic competition. Meanwhile, unrelated but concurrent threat activity involves the ShinyHunters and Scattered Spider collaboration (SLSH), which continues to target Salesforce, Zendesk, and SaaS platforms with vishing, extortion, and RaaS (ShinySp1d3r), demonstrating a multi-pronged expansion in both technical sophistication and psychological warfare.

Latest updates


Critical RADIUS Authentication Flaw in Cisco Secure Firewall Management Center

Updated: 04.03.2026 21:12 · First: 15.08.2025 09:49 · 📰 2 src / 3 articles

Cisco has disclosed and patched a critical vulnerability in the RADIUS subsystem of Secure Firewall Management Center (FMC) Software. The flaw, CVE-2025-20265, allows unauthenticated, remote attackers to execute arbitrary shell commands on affected systems. This vulnerability affects FMC Software versions 7.0.7 and 7.7.0 when RADIUS authentication is enabled for web-based management or SSH. The issue arises from improper handling of user input during the authentication phase, enabling attackers to inject malicious commands. Successful exploitation can lead to high-privilege command execution. There are no workarounds other than applying the provided patches. The flaw was discovered by Brandon Sakai during internal security testing. Cisco has also resolved several high-severity bugs in various products. Additionally, Cisco has released security updates to patch two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software. The authentication bypass flaw (CVE-2026-20079) allows attackers to gain root access to the underlying operating system, while the remote code execution (RCE) vulnerability (CVE-2026-20131) lets them execute arbitrary Java code as root on unpatched devices. Cisco's Product Security Incident Response Team (PSIRT) has no evidence that these flaws are exploited in attacks or that proof-of-concept (PoC) exploit code has been published online.

Coruna iOS Exploit Kit Targets iOS 13–17.2.1 with 23 Exploits

Updated: 04.03.2026 21:06 · First: 04.03.2026 15:28 · 📰 2 src / 2 articles

Google's Threat Intelligence Group identified the Coruna exploit kit, targeting iOS versions 13.0 to 17.2.1. The kit includes five exploit chains and 23 exploits, some using non-public techniques. It has been used by multiple threat actors, including government-backed groups and financially motivated actors. The kit was first observed in February 2025 and has since been linked to campaigns involving Russian and Chinese actors. The exploit kit leverages vulnerabilities in WebKit and other components, some of which were patched by Apple but remained undocumented until later. The kit is designed to fingerprint devices and deliver appropriate exploits based on the iOS version. It avoids execution on devices in Lockdown Mode or private browsing. The Coruna exploit kit marks a shift from targeted spyware attacks to broader exploitation of iOS devices, including crypto theft attacks. The kit includes a stager loader called PlasmaGrid, which targets cryptocurrency wallet apps such as MetaMask, Phantom, Exodus, BitKeep, and Uniswap. The exploit kit was used in watering hole attacks targeting iPhone users visiting compromised Ukrainian websites in summer 2025 and on fake Chinese gambling and crypto websites in late 2025.

HungerRush extortion campaign targets restaurant customers

Updated: · First: 04.03.2026 20:44 · 📰 1 src / 1 article

A threat actor is mass-emailing restaurant patrons using the HungerRush POS platform, claiming to have access to customer and restaurant data. The attacker demands a response from HungerRush or threatens to expose the data. The emails were sent using Twilio SendGrid, a service previously used by HungerRush for legitimate communications. The attacker claims to have access to millions of customer records, including names, emails, passwords, addresses, phone numbers, dates of birth, and credit card information. HungerRush has not confirmed a breach, but customers are advised to be vigilant for potential phishing attempts.

FBI Seizes RAMP Cybercrime Forum

Updated: 04.03.2026 19:44 · First: 28.01.2026 19:38 · 📰 3 src / 5 articles

The FBI has seized the RAMP cybercrime forum, a platform known for facilitating ransomware operations and other cybercriminal activities. The seizure includes both the forum's Tor site and its clearnet domain, ramp4u[.]io, which now display a seizure notice. The forum was a hub for ransomware gangs to advertise their operations and recruit affiliates. The seizure provides law enforcement with access to a significant amount of data tied to the forum's users, including email addresses, IP addresses, and private messages. This could lead to the identification and potential arrest of threat actors who failed to follow proper operational security (opsec). RAMP was created in 2021 by individuals linked to the now-defunct Babuk ransomware group and was administered by key operators such as Mikhail Matveev (also known as Orange, Wazawaka, and BorisElcin) and Stallman. The forum was a prime hub for various ransomware groups, including LockBit, ALPHV/BlackCat, Conti, DragonForce, Qilin, Nova, Radiant, and RansomHub. Following the seizure, Stallman confirmed there were no plans to rebuild the forum, indicating a significant disruption to the cybercriminal ecosystem. Additionally, the FBI has seized the LeakBase cybercrime forum, a major online forum used by cybercriminals to buy and sell hacking tools and stolen data. This seizure is part of an international joint operation coordinated by Europol, known as 'Operation Leak,' involving law enforcement agencies in 14 countries.

Iranian Cyber Threat Activity Against U.S. Critical Infrastructure and Kinetic Targeting

Updated: 04.03.2026 19:21 · First: 30.06.2025 15:00 · 📰 15 src / 20 articles

Iranian state-sponsored and affiliated cyber threat actors have escalated retaliatory campaigns following the February 28, 2026, joint Israeli-US military strikes (codenamed *Epic Fury* and *Roaring Lion*), with a documented surge of **149 hacktivist DDoS attacks** targeting **110 organizations across 16 countries**—primarily Kuwait (28%), Israel (27.1%), and Jordan (21.5%). Over 70% of this activity was driven by just two groups, **Keymous+ and DieNet**, while pro-Russian actors (Cardinal, Russian Legion) claimed breaches of Israeli military networks, including the Iron Dome system. Concurrently, Iran’s IRGC launched disruptive strikes against **Saudi Aramco and an AWS data center in the U.A.E.**, aiming to inflict global economic pain, and revived old personas (e.g., Cotton Sandstorm’s *Altoufan Team*) to target Bahraini infrastructure. The campaign aligns with Iran’s established playbook of blending espionage, disruption, and psychological operations, leveraging **ransomware-as-a-smokescreen**, destructive wipers, and multi-actor obfuscation. UNC1549 (Nimbus Manticore/Subtle Snail) remained the **fourth most active threat actor in H2 2025**, focusing on defense, aerospace, and telecommunications sectors, while SMS phishing campaigns exploited wartime urgency to deploy mobile surveillance malware via fake *RedAlert* app updates. The UK NCSC and Google’s Threat Intelligence Group (GTIG) continue to warn of heightened risks for organizations with Middle East exposure, emphasizing **DDoS resilience, ICS segmentation, and supply-chain hardening** as critical mitigations. Iranian cryptocurrency exchanges, meanwhile, adjusted operations to manage volatility under sanctions and connectivity constraints, signaling the regime’s reliance on shadow economic infrastructure during conflict.

AI-Enabled Cyberattacks and Hive Mind Analogies in Cybersecurity

Updated: · First: 04.03.2026 19:09 · 📰 1 src / 1 article

The article draws parallels between the Netflix show Stranger Things and modern cybersecurity threats, highlighting the risks of botnets, APTs, and AI-enabled cyberattacks. It emphasizes the importance of telemetry data, early warning insights, and agentic workflows in defending against these threats. The narrative underscores the need for unified visibility and control to protect enterprise networks from sophisticated attacks.

Tycoon2FA Phishing-as-a-Service Takedown

Updated: 04.03.2026 19:01 · First: 04.03.2026 18:00 · 📰 2 src / 2 articles

A global operation led by Microsoft and Europol, supported by multiple industry partners, seized infrastructure linked to the Tycoon2FA phishing-as-a-service (PhaaS) operation. Tycoon2FA offered subscription-based services that intercepted live authentication sessions, bypassing multi-factor authentication (MFA) and enabling large-scale attacks on corporate inboxes. The operation resulted in the seizure of over 300 domains associated with Tycoon2FA, which had around 2000 users and used more than 24,000 domains since its launch in August 2023. The primary operator, identified as using the online identities 'SaaadFridi' and 'Mr_Xaad,' remains at large. Tycoon2FA was generating tens of millions of phishing emails each month by mid-2025, reaching more than 60% of all blocked phishing attempts. The platform was sold through Telegram for $120 for 10 days of access, lowering the barrier for low-skilled criminals to launch sophisticated, MFA-bypassing attacks at scale.

Global Coalition on Telecoms (GCOT) Publishes 6G Cybersecurity and Resilience Principles

Updated: · First: 04.03.2026 18:30 · 📰 1 src / 1 article

A coalition of seven governments, including Australia, Canada, Japan, the UK, and the US, along with Finland and Sweden, has launched voluntary cybersecurity and cyber resilience principles for 6G networks. The Global Coalition on Telecoms (GCOT) aims to guide the development of secure and resilient 6G infrastructure, targeting initial commercial rollouts in 2029-2030. The guidelines emphasize containment, confidentiality, integrity, resilience, and regulatory compliance, with support from industry partners like AT&T, BT, Ericsson, and NVIDIA.

Ransomware attack disrupts University of Mississippi Medical Center operations

Updated: 04.03.2026 17:28 · First: 20.02.2026 13:50 · 📰 3 src / 4 articles

The University of Mississippi Medical Center (UMMC) has resumed normal operations nine days after a ransomware attack disrupted IT systems and blocked access to electronic medical records. All clinics statewide have reopened, and UMMC is working to reschedule missed appointments. The attack led to the cancellation of outpatient procedures, ambulatory surgeries, and imaging appointments, but hospital operations continued using downtime procedures. UMMC is investigating with assistance from CISA, the FBI, and the Department of Homeland Security. The attackers have communicated with UMMC, but no ransomware group has claimed responsibility. UMMC operates seven hospitals, 35 clinics, and over 200 telehealth sites statewide, including the state's only organ and bone marrow transplant program, the only children's hospital, the only Level I trauma center, and one of two Telehealth Centers of Excellence in the United States.

Brute Force Attack Reveals Ransomware Infrastructure Network

Updated: · First: 04.03.2026 17:02 · 📰 1 src / 1 article

A brute force attack on an exposed RDP server led to the discovery of a ransomware infrastructure network. The attack, initially dismissed as routine, uncovered unusual credential-hunting behavior, a web of geo-distributed infrastructure, and a shady VPN service linked to ransomware-as-a-service operations. The investigation revealed a sophisticated network of IP addresses and domain names associated with Hive ransomware and BlackSuit, highlighting the need for thorough incident response beyond traditional methods.

RFP Guide for AI Usage Control and Governance Released

Updated: · First: 04.03.2026 13:30 · 📰 1 src / 1 article

A new RFP Guide for Evaluating AI Usage Control (AUC) and AI Governance Solutions has been released to help organizations structure their AI security requirements. The guide shifts focus from app proliferation to interaction-level inspection, emphasizing measurable criteria over vague goals. It includes an 8-pillar framework to assess vendor capabilities in AI discovery, contextual awareness, policy governance, real-time enforcement, auditability, architecture fit, deployment, and future-proofing. The guide aims to prevent feature-washing by legacy vendors and ensures enforceable, measurable controls for AI governance.

Lack of Digital Estate Standards Poses Posthumous Deepfake Fraud Risks

Updated: · First: 04.03.2026 12:45 · 📰 1 src / 1 article

The OpenID Foundation warns of systemic gaps in handling digital accounts of the deceased, which could lead to fraud and exploitation. The absence of global standards for managing devices, email, social media, cryptocurrency, and other accounts after death could be exploited using AI deepfakes for manipulation, disinformation, or profit. The report calls for a coordinated framework to ensure proper access and protection of digital assets post-mortem.

Malicious Laravel Packages Deploy Cross-Platform RAT via Packagist

Updated: · First: 04.03.2026 11:37 · 📰 1 src / 1 article

Malicious PHP packages on Packagist, disguised as Laravel utilities, deploy a cross-platform remote access trojan (RAT) affecting Windows, macOS, and Linux systems. The packages 'nhattuanbl/lara-helper' and 'nhattuanbl/simple-queue' contain obfuscated PHP code that connects to a C2 server, enabling full remote access to compromised hosts. The RAT supports various commands, including system reconnaissance, shell execution, and file operations. The packages remain available for download, and users are advised to assume compromise, remove the packages, and audit their systems.

Silver Dragon APT41-Linked Group Targets Governments with Cobalt Strike and Google Drive C2

Updated: · First: 04.03.2026 10:14 · 📰 1 src / 1 articles

The Silver Dragon APT group, linked to APT41, has been targeting government entities in Europe and Southeast Asia since mid-2024. The group exploits public-facing servers and uses phishing emails with malicious attachments for initial access. They maintain persistence by hijacking legitimate Windows services and use Cobalt Strike beacons, DNS tunneling, and Google Drive for command-and-control (C2) communication. The group employs multiple infection chains, including AppDomain hijacking, service DLL, and email-based phishing, to deliver Cobalt Strike payloads. The group's activities include the use of custom tools like SilverScreen for screen monitoring, SSHcmd for remote command execution, and GearDoor for backdoor communication via Google Drive. The backdoor uses various file extensions to indicate different tasks and communicates with an attacker-controlled Google Drive account.

VMware Aria Operations RCE Flaw Exploited in Attacks

Updated: 04.03.2026 06:35 · First: 04.03.2026 01:40 · 📰 2 src / 2 articles

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a VMware Aria Operations vulnerability, CVE-2026-22719, to its Known Exploited Vulnerabilities catalog, indicating it is being exploited in attacks. The flaw, patched on February 24, 2026, allows unauthenticated attackers to execute arbitrary commands on vulnerable systems. Federal agencies must address the issue by March 24, 2026. The vulnerability impacts VMware Cloud Foundation and VMware vSphere Foundation 9.x.x.x (fixed in version 9.0.2.0) and VMware Aria Operations 8.x (fixed in version 8.18.6). Broadcom has acknowledged reports of exploitation but cannot confirm them independently. A temporary workaround script, 'aria-ops-rce-workaround.sh,' is available for organizations unable to apply patches immediately.

AkzoNobel U.S. Site Breached by Anubis Ransomware Gang

Updated: · First: 04.03.2026 01:00 · 📰 1 src / 1 articles

AkzoNobel, a multinational Dutch paint company, confirmed a cyberattack on one of its U.S. sites by the Anubis ransomware gang. The breach was contained, and the impact was reported as limited. The attackers claimed to have stolen 170GB of data, including confidential agreements, personal information, and internal documents. AkzoNobel is taking steps to notify and support affected parties and is working with relevant authorities.

Facebook outage renders accounts temporarily unavailable worldwide

Updated: · First: 04.03.2026 00:38 · 📰 1 src / 1 articles

Facebook experienced a worldwide outage starting around 4:15 PM ET, preventing users from accessing their accounts. The outage message indicated a site issue, expecting resolution shortly. DownDetector reported widespread impact, while Meta's status page noted disruptions to Facebook ad manager, Instagram Boost, and WhatsApp Business API.

OAuth Device Code Phishing Campaigns Target Microsoft 365 Accounts

Updated: 03.03.2026 22:59 · First: 18.12.2025 18:00 · 📰 6 src / 8 articles

A surge in phishing campaigns exploiting Microsoft’s OAuth device code authorization flow has been observed, targeting Microsoft 365 accounts. Both state-aligned and financially motivated actors are using social engineering to trick users into approving malicious applications, leading to account takeover and data theft. The attacks leverage the OAuth 2.0 device authorization grant, a legitimate process designed for devices with limited input capabilities. Once victims enter a device code generated by an attacker-controlled application, the threat actor receives a valid access token, granting control over the compromised account. The campaigns use QR codes, embedded buttons, and hyperlinked text to initiate the attack chain, often claiming to involve document sharing, token reauthorization, or security verification. The growth of these campaigns is linked to readily available phishing tools like SquarePhish2 and Graphish, which simplify device code abuse and require limited technical skill. Proofpoint observed financially motivated actor TA2723 and Russia-linked group UNK_AcademicFlare adopting this technique, targeting various sectors in the US and Europe. Microsoft recently warned of phishing campaigns using OAuth URL redirection mechanisms to bypass conventional phishing defenses. These campaigns target government and public-sector organizations, redirecting victims to attacker-controlled infrastructure without stealing their tokens. Attackers abuse OAuth's standard behavior by crafting URLs with manipulated parameters or associated malicious applications to redirect users to malicious destinations. The attack starts with a malicious application created by the threat actor, configured with a redirect URL pointing to a rogue domain hosting malware. The malicious payloads are distributed as ZIP archives, leading to PowerShell execution, DLL side-loading, and pre-ransom or hands-on-keyboard activity. 
The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare. The attacks involve using compromised email addresses belonging to government and military organizations to strike entities within government, think tanks, higher education, and transportation sectors in the U.S. and Europe. The adversary claims to share a link to a document that includes questions or topics for the email recipient to review before the meeting. The URL points to a Cloudflare Worker URL that mimics the compromised sender's Microsoft OneDrive account and instructs the victim to copy the provided code and click 'Next' to access the supposed document. Device code phishing was documented in detail by both Microsoft and Volexity in February 2025, attributing the use of the attack method to Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307. The October 2025 campaign is assessed to have been fueled by the ready availability of crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish. To counter the risk posed by device code phishing, the best option is to create a Conditional Access policy using the Authentication Flows condition to block device code flow for all users. If that's not feasible, it's advised to use a policy that uses an allow-list approach to allow device code authentication for approved users, operating systems, or IP ranges. Threat actors are now targeting technology, manufacturing, and financial organizations in campaigns that combine device code phishing and voice phishing (vishing) to abuse the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts. Unlike previous attacks that utilized malicious OAuth applications to compromise accounts, these campaigns instead leverage legitimate Microsoft OAuth client IDs and the device authorization flow to trick victims into authenticating. 
This provides attackers with valid authentication tokens that can be used to access the victim's account without relying on regular phishing sites that steal passwords or intercept multi-factor authentication codes. Hackers are abusing the legitimate OAuth redirection mechanism to bypass phishing protections in email and browsers to take users to malicious pages. The attacks target government and public-sector organizations with phishing links that prompt users to authenticate to a malicious application. The malicious OAuth applications are registered with an identity provider, such as Microsoft Entra ID, and leverage the OAuth 2.0 protocol to obtain delegated or application-level access to user data and resources. The attackers create malicious OAuth applications in a tenant they control and configure them with a redirect URI pointing to their infrastructure. The researchers say that even if the URLs for Entra ID look like legitimate authorization requests, the endpoint is invoked with parameters for silent authentication without an interactive login and an invalid scope that triggers authentication errors. This forces the identity provider to redirect users to the redirect URI configured by the attacker. In some cases, the victims are redirected to phishing pages powered by attacker-in-the-middle frameworks such as EvilProxy, which can intercept valid session cookies to bypass multi-factor authentication (MFA) protections. Microsoft found that the 'state' parameter was misused to auto-fill the victim’s email address in the credentials box on the phishing page, increasing the perceived sense of legitimacy. In other instances, the victims are redirected to a 'download' path that automatically delivers a ZIP file with malicious shortcut (.LNK) files and HTML smuggling tools. Opening the .LNK launches PowerShell, which performs reconnaissance on the compromised host and extracts the components required for the next step, DLL side-loading. 
A malicious DLL (crashhandler.dll) decrypts and loads the final payload (crashlog.dat) into memory, while a legitimate executable (stream_monitor.exe) loads a decoy to distract the victim. Microsoft suggests that organizations should tighten permissions for OAuth applications, enforce strong identity protections and Conditional Access policies, and use cross-domain detection across email, identity, and endpoints.
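As an added example, not code from the original reporting or from Microsoft, the allow-list mitigation described above (permit device code sign-ins only for approved users, operating systems or IP ranges, or block the flow outright) expressed as detection logic over Entra sign-in records. The records, policy values and addresses are constructed, and the field names (`authenticationProtocol`, `userPrincipalName`, `ipAddress`, `deviceDetail.operatingSystem`) are an assumption about the sign-in log export, not values taken from the page.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample records shaped like Entra ID sign-in log entries.
# Field names are an assumption about the sign-in log schema, not from the page.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.7", "deviceDetail": {"operatingSystem": "Windows 11"}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "10.20.30.40", "deviceDetail": {"operatingSystem": "Linux"}},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.8", "deviceDetail": {"operatingSystem": "iOS"}},
    {"userPrincipalName": "kiosk-admin@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.9", "deviceDetail": {"operatingSystem": "Unknown"}},
]


@dataclass
class DeviceCodePolicy:
    """Mirrors the two Conditional Access options from the advisory: block the
    device code flow for everyone, or allow it only for an explicit allow-list
    of users, operating systems and source IP ranges."""
    block_all: bool = False
    approved_users: set = field(default_factory=set)
    approved_os: set = field(default_factory=set)
    approved_cidrs: list = field(default_factory=list)  # CIDR strings

    def __post_init__(self):
        # Parse the CIDR strings once so every check is a cheap membership test.
        self._networks = [ipaddress.ip_network(c, strict=False) for c in self.approved_cidrs]

    def permits(self, record):
        """True if this device code sign-in satisfies at least one allow-list criterion."""
        if self.block_all:
            return False
        if record["userPrincipalName"].lower() in self.approved_users:
            return True
        os_name = record.get("deviceDetail", {}).get("operatingSystem", "")
        if os_name in self.approved_os:
            return True
        try:
            ip = ipaddress.ip_address(record["ipAddress"])
        except ValueError:
            return False  # an unparsable source address never satisfies the allow-list
        return any(ip in net for net in self._networks)


def find_unexpected_device_code_signins(records, policy):
    """Return the user principal names of device code sign-ins that fall outside the
    allow-list, i.e. the events a SOC should review for device code phishing."""
    flagged = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # password, FIDO2, etc. are out of scope for this check
        if not policy.permits(rec):
            flagged.append(rec["userPrincipalName"])
    return flagged


if __name__ == "__main__":
    policy = DeviceCodePolicy(
        approved_users={"kiosk-admin@example.com"},
        approved_os={"Linux"},
        approved_cidrs=["10.0.0.0/8"],
    )
    for upn in find_unexpected_device_code_signins(SAMPLE_SIGNINS, policy):
        print(f"review: device code sign-in by {upn} outside the allow-list")
```

Run as a retro-hunt over exported sign-in logs, this lists every device code authentication the equivalent Conditional Access policy would have refused; `block_all=True` corresponds to the stricter first option.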

Havoc C2 Framework Deployed via Fake Tech Support Campaign

Updated: · First: 03.03.2026 19:15 · 📰 1 src / 1 articles

Threat actors impersonating IT support have deployed the Havoc C2 framework across multiple organizations using email spam and phone calls. The campaign, identified by Huntress, involved initial access followed by rapid lateral movement, suggesting data exfiltration or ransomware as the end goal. The attackers used a mix of custom Havoc Demon payloads and legitimate RMM tools for persistence. The tactics resemble those used by the Black Basta ransomware group, indicating possible affiliation or adoption of their methods. The attack chain begins with email spam, followed by a phone call from fake IT support. Victims are tricked into granting remote access, leading to the deployment of Havoc shellcode via DLL sideloading. The attackers also use legitimate RMM tools for persistence and employ defense evasion techniques to bypass security software.

Google Chrome accelerates release cycle to bi-weekly updates

Updated: · First: 03.03.2026 19:00 · 📰 1 src / 1 articles

Google Chrome is transitioning from a four-week to a two-week release cycle for stable and beta versions across Desktop, Android, and iOS. Starting with Chrome 153, this change aims to deliver new features, bug fixes, and performance improvements more frequently while maintaining stability. The Dev and Canary channels, as well as the Extended Stable branch for enterprise customers, will retain their current schedules. Security updates will continue to be released weekly, as per the existing model. This shift is designed to reduce disruption and simplify debugging, though users may notice more frequent restart prompts.

RedAlert Spyware Campaign Exploits Wartime Panic With Trojanized App

Updated: · First: 03.03.2026 18:15 · 📰 1 src / 1 articles

A new mobile espionage campaign, dubbed RedAlert, targets civilians during the Israel-Iran conflict by distributing a trojanized version of Israel's official Red Alert rocket warning app. The malicious app mimics the legitimate application, delivering real alerts while running a surveillance payload in the background. The malware aggressively requests high-risk permissions, including access to SMS messages, contacts, and precise GPS location data. It uses sophisticated anti-detection techniques to evade standard integrity checks and conceal secondary payloads. The campaign poses strategic and physical security risks, including the potential exposure of civilian shelter locations and the bypassing of two-factor authentication (2FA).

LexisNexis Breach via React2Shell Vulnerability

Updated: · First: 03.03.2026 17:40 · 📰 1 src / 1 articles

LexisNexis Legal & Professional confirmed a data breach after hackers exploited the React2Shell vulnerability in an unpatched React frontend app. The breach exposed legacy, non-critical data, including customer names, user IDs, and business contact information. The threat actor, FulcrumSec, leaked 2GB of files on underground forums, claiming to have accessed sensitive data related to U.S. government employees and other officials. LexisNexis stated that the intrusion has been contained and no sensitive personally identifiable information or financial data was compromised. The company has notified law enforcement and engaged external cybersecurity experts to assist with the investigation.

AI Tools Lower Barrier to Entry for Sophisticated Cyber Attacks

Updated: · First: 03.03.2026 17:30 · 📰 1 src / 1 articles

Cloudflare's 2026 Threat Report highlights how AI tools, particularly large language models (LLMs), have significantly lowered the barrier to entry for cybercriminals, enabling them to conduct more effective and impactful attacks rapidly and at scale. The report details how various threat actors, including state-sponsored groups, financially motivated cybercriminals, and hacktivists, are leveraging AI to enhance phishing emails, write malware, and map networks in real-time. Additionally, AI-generated deepfakes are being used to bypass hiring filters and embed malicious insiders within organizations. The report warns of the 'total industrialization of cyber threats' and emphasizes the need for organizations to adopt real-time, actionable intelligence to stay ahead of evolving attack tactics.

cPanel Access Brokerage Thrives in Cybercrime Markets

Updated: · First: 03.03.2026 17:01 · 📰 1 src / 1 articles

Threat actors are actively trading compromised cPanel credentials in underground markets, offering them as ready-to-use infrastructure for phishing and scam campaigns. Research by Flare security analysts reveals a structured ecosystem where cPanel access is commoditized, with pricing tiers based on quality, geography, and infrastructure reputation. Compromised cPanels enable a wide range of malicious activities, including deploying backdoors, creating admin users, and exfiltrating sensitive data. The analysis highlights that over 1.5 million internet-connected servers run cPanel, making it a prime target for attackers. Common compromise vectors include credential abuse, web application exploits, and server-level vulnerabilities. The market for these credentials is highly commoditized, with sellers repeatedly advertising the same inventory across multiple fraudulent chat groups. Organizations are advised to enable multi-factor authentication, enforce strong passwords, and monitor outbound SMTP activity to mitigate the risk of cPanel compromise.

Strengthening Tier 1 SOC Analysts with Threat Intelligence

Updated: · First: 03.03.2026 16:30 · 📰 1 src / 1 articles

CISOs face significant challenges with Tier 1 SOC analysts, who are often inexperienced and overloaded, leading to alert fatigue, decision fatigue, and high turnover rates. This weakens the SOC's overall performance and increases dwell time, incident costs, and regulatory exposure. To address these issues, CISOs are advised to implement three key steps: enhancing monitoring with live threat intelligence feeds, enriching alerts with contextual threat intelligence, and integrating these capabilities into existing security stacks.

Iranian Crypto Exchange Ariomex Linked to Sanctions Evasion

Updated: · First: 03.03.2026 16:30 · 📰 1 src / 1 articles

A leaked database from Iranian cryptocurrency exchange Ariomex, analyzed by Resecurity, reveals potential involvement in sanctions evasion and large-scale capital transfers. The database, covering 2022 to 2025, includes 11,826 verified user records, with 27 potential matches against sanctions lists. The majority of transactions involved Tether and Tron, with significant transfers ranging from $50,000 to $19 million. The findings highlight mechanisms like shell accounts, layered transactions, and stablecoin routing used to evade sanctions.

AI-Assisted Hacker Breaches 600 FortiGate Firewalls in 5 Weeks

Updated: 03.03.2026 16:29 · First: 21.02.2026 15:50 · 📰 5 src / 7 articles

A Russian-speaking, financially motivated hacker used generative AI services to breach over 600 FortiGate firewalls across 55 countries in five weeks. The campaign, which occurred between January 11 and February 18, 2026, targeted exposed management interfaces and weak credentials lacking MFA protection. The attacker used AI to automate access to other devices on breached networks, extracting sensitive configuration data and conducting reconnaissance. The attacker successfully compromised multiple organizations' Active Directory environments, extracted complete credential databases, and targeted backup infrastructure, likely in a lead-up to ransomware deployment. The threat actor used the CyberStrikeAI AI-powered security testing platform, which integrates over 100 security tools and allows for end-to-end automation of attacks. The developer of CyberStrikeAI, known as "Ed1s0nZ," has links to Chinese government-affiliated cyber operations and has worked on additional AI-assisted security tools. Team Cymru detected 21 unique IP addresses running CyberStrikeAI between January 20 and February 26, 2026, primarily hosted in China, Singapore, and Hong Kong. Additional servers related to CyberStrikeAI have been detected in the U.S., Japan, and Switzerland. The developer has interacted with organizations supporting potentially Chinese government state-sponsored cyber operations, including Knownsec 404, a Chinese security vendor with ties to the Chinese Ministry of State Security (MSS). Ed1s0nZ has removed references to a CNNVD Level 2 Contribution Award from their GitHub profile.

Increased Workload and Evolving Role of US CISOs Due to AI and Threat Landscape

Updated: · First: 03.03.2026 16:00 · 📰 1 src / 1 articles

US cybersecurity leaders are experiencing significant workload increases, with 45% working 11+ extra hours per week and 20% working 16+ extra hours. This has led to emotional exhaustion for 44% of respondents, rising to 56% among C-level executives. Despite this, 94% would still choose cybersecurity as a career. The proliferation of AI is shifting the role of CISOs towards more business-centric responsibilities, emphasizing communication and interpersonal skills. Failure to adapt may result in governance gaps where automated tools lack human oversight.

AirSnitch Attacks Bypass Wi-Fi Client Isolation

Updated: · First: 03.03.2026 15:49 · 📰 1 src / 1 articles

Researchers from UC Riverside and KU Leuven discovered vulnerabilities in Wi-Fi client isolation, allowing attacks that bypass security features in home, work, and public networks. The attacks exploit weaknesses in group temporal keys, gateway bouncing, and machine-in-the-middle (MitM) techniques. The lack of standardization in client isolation implementations across vendors leads to inconsistent and incomplete security measures. All tested networks were vulnerable to at least one attack, highlighting a significant risk in current Wi-Fi security practices. The researchers responsibly disclosed the findings to manufacturers, but long-term solutions require ecosystem-level coordination.

ShinyHunters and Scattered Spider Collaboration

Updated: 04.03.2026 00:24 · First: 12.08.2025 15:00 · 📰 29 src / 74 articles

**SloppyLemming (Outrider Tiger/Fishing Elephant)**, an **India-linked APT group**, has escalated its cyber-espionage operations in **2025–2026**, targeting **Pakistani and Bangladeshi government entities, nuclear regulatory bodies, defense logistics, telecommunications, energy utilities, and financial institutions**. The group has evolved from relying on **off-the-shelf tools (Cobalt Strike, Havoc)** to deploying **custom Rust-based malware**, including a **dual-payload approach**: the **BurrowShell backdoor** (with file manipulation, remote shell, SOCKS proxy, and RC4-encrypted C2 traffic masquerading as Windows Update) and a **Rust keylogger** (with port scanning and network enumeration). Their **C2 infrastructure has expanded eightfold**, from **13 Cloudflare Workers domains in 2024 to 112 in 2025**, leveraging **serverless and edge-hosted services** to evade detection and improve scalability. SloppyLemming employs **spear-phishing campaigns** with **PDF lures and macro-enabled Excel documents**, leading to **ClickOnce application manifests** that deploy malicious loaders via **DLL side-loading**. Despite advancements in tooling, the group’s **operational security remains inconsistent**, with researchers identifying **open directories on C2 servers** that exposed their activities. The group operates within a **broader India-aligned ecosystem**, including **TA397 (Bitter), TA399 (Sidewinder), and TA395 (Frantic Tiger)**, with evidence of **shared resourcing and coordinated tasking**, though it remains distinct from other India-nexus actors like **Dropping Elephant and Mysterious Elephant**, which focus on **diplomatic and military targets**. This campaign underscores the **growing regionalization of cyber-espionage in South Asia**, driven by **geopolitical tensions and strategic competition**.
*Meanwhile, unrelated but concurrent threat activity involves the **ShinyHunters and Scattered Spider collaboration (SLSH)**, which continues to target **Salesforce, Zendesk, and SaaS platforms** with **vishing, extortion, and RaaS (ShinySp1d3r)**, demonstrating a **multi-pronged expansion in both technical sophistication and psychological warfare**.*