CyberHappenings

News Summary

Last updated: 20:15 03/03/2026 UTC
  • Iranian Cyber Threat Activity Against U.S. Critical Infrastructure and Kinetic Targeting Iranian state-sponsored and affiliated cyber threat actors are actively escalating retaliatory campaigns following joint Israeli-US military strikes on February 28, 2026, with Google’s Threat Intelligence Group (GTIG) warning of imminent, aggressive cyber-attacks against a broadened target set. While Iran’s digital infrastructure remains severely disrupted (internet connectivity at ~4% of normal), over 150 hacktivist incidents—DDoS attacks, defacements, and unverified breach claims—were recorded within 48 hours, targeting government, banking, aviation, and telecom sectors globally. The UK’s NCSC has now issued an urgent advisory for organizations with Middle East exposure to review cybersecurity postures, warning that Iranian actors maintain operational capability despite the blackout and may exploit supply chains or regional offices as attack vectors. Prior to this surge, Iranian actors conducted long-term espionage and destructive campaigns, including the use of ‘wiper’ malware, spear-phishing against global embassies, and cyber-enabled kinetic targeting—such as maritime AIS reconnaissance to facilitate missile strikes. Groups like APT42, Subtle Snail (UNC1549), and Imperial Kitten deployed tailored malware (e.g., MINIBIKE, TAMECAT) to infiltrate telecommunications, aerospace, and defense sectors, while MuddyWater accessed live CCTV streams for real-time attack planning. U.S. agencies, including CISA, continue to urge critical infrastructure operators to implement multi-factor authentication, maintain offline backups, and report incidents promptly, as Iran’s tactics evolve to combine ransomware-as-a-smokescreen, destructive wipers, and multi-actor obfuscation.
  • Google Gemini AI Vulnerabilities Allowing Prompt Injection and Data Exfiltration Researchers disclosed multiple vulnerabilities in Google's Gemini AI assistant that could have exposed users to privacy risks and data theft. The flaws, collectively named the Gemini Trifecta, affected Gemini Cloud Assist, the Search Personalization Model, and the Browsing Tool. These vulnerabilities allowed for prompt injection attacks, search-injection attacks, and data exfiltration. Google has since patched the issues and implemented additional security measures. Additionally, a zero-click vulnerability in Gemini Enterprise, dubbed 'GeminiJack', was discovered in June 2025, allowing attackers to exfiltrate corporate data via indirect prompt injection. Google addressed this flaw by separating Vertex AI Search from Gemini Enterprise and updating their interaction with retrieval and indexing systems. A new prompt injection flaw in Google Gemini allowed attackers to bypass authorization guardrails and use Google Calendar as a data extraction mechanism. The flaw enabled unauthorized access to private meeting data and the creation of deceptive calendar events without any direct user interaction. The attack involved a malicious payload hidden within a standard calendar invite, which was activated when a user asked Gemini about their schedule. The flaw allowed Gemini to create a new calendar event and write a full summary of the target user's private meetings in the event's description. The issue was addressed following responsible disclosure, highlighting the need for evaluating large language models across key safety and security dimensions. Additionally, a high-severity flaw in Google's implementation of Gemini AI in the Chrome browser, tracked as CVE-2026-0628, could allow attackers to escalate privileges, violate user privacy, and access sensitive system resources. The flaw was discovered by researchers from Palo Alto Networks' Unit 42 and was patched by Google in early January. 
The vulnerabilities highlight the potential risks of AI tools being used as attack vectors rather than just targets.
  • RedAlert Spyware Campaign Exploits Wartime Panic With Trojanized App A new mobile espionage campaign, dubbed RedAlert, targets civilians during the Israel-Iran conflict by distributing a trojanized version of Israel's official Red Alert rocket warning app. The malicious app mimics the legitimate application, delivering real alerts while running a surveillance payload in the background. The malware aggressively requests high-risk permissions, including access to SMS messages, contacts, and precise GPS location data. It uses sophisticated anti-detection techniques to evade standard integrity checks and conceal secondary payloads. The campaign poses strategic and physical security risks, including the potential exposure of civilian shelter locations and the bypassing of two-factor authentication (2FA).
  • LexisNexis Breach via React2Shell Vulnerability LexisNexis Legal & Professional confirmed a data breach after hackers exploited the React2Shell vulnerability in an unpatched React frontend app. The breach exposed legacy, non-critical data, including customer names, user IDs, and business contact information. The threat actor, FulcrumSec, leaked 2GB of files on underground forums, claiming to have accessed sensitive data related to U.S. government employees and other officials. LexisNexis stated that the intrusion has been contained and no sensitive personally identifiable information or financial data was compromised. The company has notified law enforcement and engaged external cybersecurity experts to assist with the investigation.
  • Havoc C2 Framework Deployed via Fake Tech Support Campaign Threat actors impersonating IT support have deployed the Havoc C2 framework across multiple organizations using email spam and phone calls. The campaign, identified by Huntress, involved initial access followed by rapid lateral movement, suggesting data exfiltration or ransomware as the end goal. The attackers used a mix of custom Havoc Demon payloads and legitimate RMM tools for persistence. The tactics resemble those used by the Black Basta ransomware group, indicating possible affiliation or adoption of their methods. The attack chain begins with email spam, followed by a phone call from fake IT support. Victims are tricked into granting remote access, leading to the deployment of Havoc shellcode via DLL sideloading. The attackers also use legitimate RMM tools for persistence and employ defense evasion techniques to bypass security software.
  • Google Chrome accelerates release cycle to bi-weekly updates Google Chrome is transitioning from a four-week to a two-week release cycle for stable and beta versions across Desktop, Android, and iOS. Starting with Chrome 153, this change aims to deliver new features, bug fixes, and performance improvements more frequently while maintaining stability. The Dev and Canary channels, as well as the Extended Stable branch for enterprise customers, will retain their current schedules. Security updates will continue to be released weekly, as per the existing model. This shift is designed to reduce disruption and simplify debugging, though users may notice more frequent restart prompts.
  • Google Advances Quantum-Resistant HTTPS Certificates with Merkle Tree Certificates Google is developing Merkle Tree Certificates (MTCs) to enhance the security of Chrome's HTTPS certificates against quantum computing threats. MTCs use compact Merkle Tree proofs to reduce bandwidth usage and improve performance while maintaining strong security. Google plans to integrate MTCs into Chrome's Root Store by 2027, ensuring a smooth transition to quantum-resistant certificates without disrupting existing TLS connections. The deployment will occur in three phases, with feasibility studies underway, public deployment scheduled for Q1 2027, and the introduction of the Chrome Quantum-resistant Root Store in Q3 2027. Chrome will also modernize certificate governance with ACME-only workflows, streamlined revocation systems, and enhanced oversight models. Chrome has no immediate plan to add traditional X.509 certificates containing post-quantum cryptography to the Chrome Root Store. MTCs are being developed in the PLANTS working group and aim to reduce the number of public keys and signatures in the TLS handshake to the bare minimum required.
Last updated: 20:30 03/03/2026 UTC
  • Visibility Gaps in Patch Management and Vulnerability Remediation Organizations face significant challenges in patch management due to visibility gaps and lack of centralized control, particularly with third-party software. These gaps lead to unpatched vulnerabilities, compliance drift, and increased risk exposure. Modern solutions like Action1 aim to streamline detection, prioritization, and oversight of patch management processes, including third-party applications. Effective vulnerability management requires knowing what needs attention, acting quickly with proper tools, and confirming success. Centralized visibility and control are crucial for maintaining shorter remediation timelines, reducing repeat vulnerabilities, and demonstrating stronger audit readiness. Action1 offers a cloud-native platform that connects all endpoints, identifies missing updates, and provides granular control over patch deployment. It incorporates intelligence for prioritization and ensures visibility and accountability through detailed reporting and compliance dashboards.
  • UK ICO fines Reddit $19 million for unlawful collection of children's data The UK Information Commissioner's Office (ICO) has fined Reddit £14.47 million ($19.5 million) for collecting and using personal data of children under 13 without adequate safeguards. The ICO found that Reddit lacked meaningful age-verification systems until July 2025, despite its terms prohibiting underage users. The regulator estimates significant numbers of underage children used the platform, exposing them to harmful content. Reddit has announced plans to appeal the decision. The ICO also criticized Reddit for failing to carry out a data protection impact assessment (DPIA) to assess and mitigate risks to children on the platform before January 2025. Reddit introduced age verification for accessing mature content in July 2025, but the ICO noted that the age verification process is too easy to bypass.
  • U.S. sanctions cyber scam operations in Southeast Asia The U.S. Department of the Treasury has sanctioned several large cyber scam networks in Southeast Asia, primarily in Burma and Cambodia. These operations, which used forced labor and human trafficking, stole over $10 billion from Americans in 2024, a 66% increase from the previous year. The scams included romance baiting and fake cryptocurrency investments. The sanctions target individuals and entities linked to the Karen National Army (KNA) and various organized crime networks. The U.S. has established a new task force, the Scam Center Strike Force, to disrupt Chinese cryptocurrency scam networks. This task force, supported by the U.S. Attorney's Office, the Department of Justice, the FBI, and the Secret Service, has already seized over $401 million in cryptocurrency and filed forfeiture proceedings for an additional $80 million in stolen funds. The Treasury Department’s Office of Foreign Assets Control has imposed additional sanctions on the Democratic Karen Benevolent Army (DKBA) and related entities. In a recent development, the U.S. Department of Justice (DoJ) seized $61 million worth of Tether linked to pig butchering crypto scams. The confiscated funds were traced to cryptocurrency addresses used for laundering proceeds from cryptocurrency investment scams. Threat actors target individuals by cultivating romantic relationships on dating and social media messaging apps, coercing victims into investing in fraudulent platforms that display fake high returns. Scammers route stolen money through multiple wallets to hide its nature and source. Tether has frozen around $4.2 billion in assets linked to illicit activity, including $250 million related to scam networks since June 2025.
  • Trend Micro Apex One Management Console 0-Day Exploited Trend Micro has disclosed and patched two critical vulnerabilities, CVE-2025-71210 and CVE-2025-71211, in its on-premise Apex One Management Console. These vulnerabilities allow for remote code execution (RCE) on vulnerable Windows systems. Trend Micro has released Critical Patch Build 14136 to address these vulnerabilities, which also fixes two high-severity privilege escalation flaws in the Windows agent and four more affecting the macOS agent. The vulnerabilities are due to path traversal weaknesses in the management console and require attackers to have access to it. Previously, Trend Micro disclosed two other critical vulnerabilities, CVE-2025-54948 and CVE-2025-54987, which were actively exploited in the wild. These vulnerabilities allowed for command injection and remote code execution. Trend Micro has released temporary mitigations and is urging users to apply them immediately to protect against potential attacks.
  • Texas Sues TV Manufacturers for Alleged Unauthorized Data Collection via ACR Technology Texas Attorney General Ken Paxton has filed lawsuits against Sony, Samsung, LG, Hisense, and TCL Technology Group Corporation for allegedly using Automated Content Recognition (ACR) technology to secretly capture screenshots of users' viewing activity every 500 milliseconds and sell the data without consent. The suits highlight concerns about data access by Chinese companies under China's National Security Law. A Texas court initially issued a temporary restraining order (TRO) against Samsung, prohibiting the company from collecting audio and visual data from Texas consumers' smart TVs. However, the court vacated the TRO the following day, allowing Samsung to continue its data collection practices. The TRO, which was set to extend until January 19, followed allegations that Samsung's ACR enrollment practices are deceptive and violate the Texas Deceptive Trade Practices Act (DTPA). The court also noted that users are pressured into consenting to data collection through dark patterns, making it difficult to fully opt out. The lawsuits allege that the collected data is sold to third parties for ad targeting, violating users' privacy rights. This follows a similar 2017 case against Vizio, which settled for $2.2 million for similar practices. Samsung and the State of Texas have reached a settlement agreement over the alleged unlawful collection of content-viewing information through its smart TVs. As part of the agreement, Samsung will revise its privacy disclosures to clearly explain its data collection and processing practices to consumers. Samsung must halt any collection or processing of ACR viewing data without obtaining Texas consumers’ express consent and update its smart TVs to implement clear and conspicuous disclosures and consent screens.
  • Starkiller Phishing Kit Bypasses MFA via Proxy-Based Attacks A new phishing kit called Starkiller has emerged, allowing attackers to bypass multi-factor authentication (MFA) by proxying legitimate login pages. The kit is distributed as a subscription-based service on the dark web, offering real-time session monitoring and keylogging capabilities. It mimics login pages of major services like Google, Microsoft, and banks, routing traffic through attacker-controlled infrastructure to steal credentials and authentication tokens. Starkiller runs a headless Chrome instance inside a Docker container as a reverse proxy between the target and the legitimate site, so the victim sees genuine page content, which makes the kit difficult for security vendors to detect or block. The toolkit is sold with updates and customer support, posing a significant escalation in phishing infrastructure. The service is part of a broader cybercrime offering by a threat group called Jinkusu, which provides additional features such as email harvesting and campaign analytics. Starkiller integrates URL shorteners such as TinyURL to obscure the destination URL. The platform centralizes infrastructure management, phishing page deployment, and session monitoring within a single control panel, combining URL masking, session hijacking, and MFA bypass to streamline phishing operations.
  • SonicWall MySonicWall Breach Exposes Firewall Configuration Files Marquis Software Solutions has filed a lawsuit against SonicWall, alleging gross negligence and misrepresentation in the handling of its MySonicWall cloud backup breach, which directly enabled a ransomware attack disrupting 780,000+ individuals across 700+ U.S. banks and credit unions in August 2025. The lawsuit reveals that SonicWall introduced a security gap via an API code change in February 2025, allowing unauthorized access to firewall configuration backups—including AES-256-encrypted credentials and MFA scratch codes. Marquis, whose firewall was fully patched and MFA-enabled, confirms attackers exploited this stolen data to bypass defenses, contradicting earlier assumptions about unpatched devices. The breach exposed personal and financial data of Marquis’s clients, triggering over 36 consumer class-action lawsuits and prompting Marquis to seek damages, indemnification, and legal fees. The SonicWall incident began as a targeted compromise of its MySonicWall portal, initially reported in September 2025 as affecting fewer than 5% of customers but later revised to confirm all cloud backup users were impacted. Stolen configuration files—containing credentials, network topology, and encrypted secrets—fueled follow-on attacks, including the Marquis ransomware breach (January 2026 disclosure) and Akira ransomware campaigns abusing OTP seeds to bypass MFA. SonicWall collaborated with Mandiant to attribute the breach to state-sponsored actors and released remediation tools, but the Marquis lawsuit underscores the long-tail risks of exposed backup data, even post-containment. Over 950 unpatched SMA1000 appliances remain exposed online, while CISA and SonicWall urge firmware updates, credential resets, and MFA enforcement. Legal experts note the case could set a precedent for vendor liability, as enterprises increasingly sue cybersecurity providers for contribution or negligence. 
The lawsuit also highlights the need for robust vendor due diligence and SLAs that address worst-case scenarios, including vendor-caused breaches. SonicWall may face further legal challenges from Marquis’s clients or regulatory actions if found liable for the downstream impact.

Latest updates


OAuth Device Code Phishing Campaigns Target Microsoft 365 Accounts

Updated: 03.03.2026 22:59 · First: 18.12.2025 18:00 · 📰 6 src / 8 articles

A surge in phishing campaigns exploiting Microsoft’s OAuth device code authorization flow has been observed, targeting Microsoft 365 accounts. Both state-aligned and financially motivated actors are using social engineering to trick users into approving malicious applications, leading to account takeover and data theft. The attacks leverage the OAuth 2.0 device authorization grant, a legitimate process designed for devices with limited input capabilities. The attacker starts the flow from an application under their control and sends the victim the short user code; once the victim signs in on the genuine Microsoft page and enters that code, the attacker's application polls the token endpoint and receives a valid access token, granting control over the compromised account. The campaigns use QR codes, embedded buttons, and hyperlinked text to initiate the attack chain, often claiming to involve document sharing, token reauthorization, or security verification. The growth of these campaigns is linked to readily available phishing tools like SquarePhish2 and Graphish, which simplify device code abuse and require limited technical skill. Proofpoint observed financially motivated actor TA2723 and Russia-linked group UNK_AcademicFlare adopting this technique, targeting various sectors in the US and Europe. Microsoft recently warned of phishing campaigns using OAuth URL redirection mechanisms to bypass conventional phishing defenses. These campaigns target government and public-sector organizations, redirecting victims to attacker-controlled infrastructure without stealing their tokens. Attackers abuse OAuth's standard behavior by crafting URLs with manipulated parameters or associated malicious applications to redirect users to malicious destinations. The attack starts with a malicious application created by the threat actor, configured with a redirect URL pointing to a rogue domain hosting malware. The malicious payloads are distributed as ZIP archives, leading to PowerShell execution, DLL side-loading, and pre-ransom or hands-on-keyboard activity. 
The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare. The attacks involve using compromised email addresses belonging to government and military organizations to strike entities within government, think tanks, higher education, and transportation sectors in the U.S. and Europe. The adversary claims to share a link to a document that includes questions or topics for the email recipient to review before the meeting. The URL points to a Cloudflare Worker URL that mimics the compromised sender's Microsoft OneDrive account and instructs the victim to copy the provided code and click 'Next' to access the supposed document. Device code phishing was documented in detail by both Microsoft and Volexity in February 2025, attributing the use of the attack method to Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307. The October 2025 campaign is assessed to have been fueled by the ready availability of crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish. To counter the risk posed by device code phishing, the best option is to create a Conditional Access policy using the Authentication Flows condition to block device code flow for all users. If that's not feasible, it's advised to use a policy that uses an allow-list approach to allow device code authentication for approved users, operating systems, or IP ranges. Threat actors are now targeting technology, manufacturing, and financial organizations in campaigns that combine device code phishing and voice phishing (vishing) to abuse the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts. Unlike previous attacks that utilized malicious OAuth applications to compromise accounts, these campaigns instead leverage legitimate Microsoft OAuth client IDs and the device authorization flow to trick victims into authenticating. 
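The grant flow described above, as an added example that is not code from the page, Proofpoint or Microsoft: a toy RFC 8628 authorization server, a device code request started by the attacker's application, the victim completing sign-in on the genuine page by typing the user code, and the attacker's poll of the token endpoint returning the victim's token. The server's `device_code_allowed` set is an assumption that models only the effect of a Conditional Access policy using the Authentication flows condition (block device code flow for everyone, or allow-list a few accounts); the client id and user names are hypothetical.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628) and of why
device code phishing hands the attacker a token. Added example, not Entra ID code.
"""
import secrets
import string
from dataclasses import dataclass
from typing import Optional


@dataclass
class PendingDeviceAuth:
    device_code: str            # long secret, returned only to the client that started the flow
    user_code: str              # short code the user types on the IdP's device-login page
    client_id: str
    scope: str
    approved_by: Optional[str] = None
    denied: bool = False


class AuthorizationServer:
    def __init__(self, device_code_allowed: Optional[set] = None):
        # None: no policy, any user may complete a device code sign-in.
        # A set: only these users may (the allow-list approach from the text). Assumption:
        # this models the effect of the Conditional Access policy, not its real object format.
        self.device_code_allowed = device_code_allowed
        self.pending: dict = {}

    # Step 1 (POST /devicecode): the client obtains both codes.
    def device_authorization(self, client_id: str, scope: str) -> PendingDeviceAuth:
        auth = PendingDeviceAuth(
            device_code=secrets.token_urlsafe(32),
            user_code="".join(secrets.choice(string.ascii_uppercase) for _ in range(9)),
            client_id=client_id,
            scope=scope,
        )
        self.pending[auth.device_code] = auth
        return auth

    # Step 2 (device-login page): the user signs in normally, MFA included, and types the user code.
    def user_enters_code(self, user: str, user_code: str) -> str:
        for auth in self.pending.values():
            if auth.user_code == user_code:
                if self.device_code_allowed is not None and user not in self.device_code_allowed:
                    auth.denied = True
                    return "blocked_by_policy"
                auth.approved_by = user
                return "approved"
        return "unknown_code"

    # Step 3 (POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code): the client polls.
    def token(self, client_id: str, device_code: str) -> dict:
        auth = self.pending.get(device_code)
        if auth is None or auth.client_id != client_id:
            return {"error": "invalid_grant"}
        if auth.denied:
            return {"error": "access_denied"}
        if auth.approved_by is None:
            return {"error": "authorization_pending"}
        return {"access_token": "tok-" + secrets.token_hex(8), "token_type": "Bearer",
                "scope": auth.scope, "subject": auth.approved_by}


def device_code_phish(idp: AuthorizationServer, victim: str) -> dict:
    """Run the lure sequence and report who holds the token afterwards."""
    attacker_client = "attacker-registered-app"   # hypothetical client id (or an abused legitimate one)
    # 1. The attacker's app starts the flow; only the user_code goes into the lure
    #    ("copy this code and click Next to open the shared document").
    auth = idp.device_authorization(attacker_client, "Mail.Read Files.Read.All offline_access")
    poll_before = idp.token(attacker_client, auth.device_code)
    # 2. The victim types the code on the genuine sign-in page. No password or MFA code is phished.
    outcome = idp.user_enters_code(victim, auth.user_code)
    # 3. The attacker's next poll returns the token minted for the victim.
    poll_after = idp.token(attacker_client, auth.device_code)
    return {
        "before_approval": poll_before.get("error"),
        "user_outcome": outcome,
        "attacker_holds_token": "access_token" in poll_after,
        "token_subject": poll_after.get("subject"),
    }


if __name__ == "__main__":
    print("no policy:   ", device_code_phish(AuthorizationServer(), "alice@example.org"))
    print("allow-listed:", device_code_phish(AuthorizationServer({"kiosk-svc@example.org"}), "alice@example.org"))
```

The point the simulation makes concrete is that the victim never touches attacker infrastructure during authentication, which is why password- and MFA-centric defences do not fire; the only effective control sits at the identity provider, where the flow is either refused for the signing-in user or permitted only for accounts that genuinely need it.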
This provides attackers with valid authentication tokens that can be used to access the victim's account without relying on regular phishing sites that steal passwords or intercept multi-factor authentication codes. Hackers are abusing the legitimate OAuth redirection mechanism to bypass phishing protections in email and browsers to take users to malicious pages. The attacks target government and public-sector organizations with phishing links that prompt users to authenticate to a malicious application. The malicious OAuth applications are registered with an identity provider, such as Microsoft Entra ID, and leverage the OAuth 2.0 protocol to obtain delegated or application-level access to user data and resources. The attackers create malicious OAuth applications in a tenant they control and configure them with a redirect URI pointing to their infrastructure. The researchers say that even if the URLs for Entra ID look like legitimate authorization requests, the endpoint is invoked with parameters for silent authentication without an interactive login and an invalid scope that triggers authentication errors. This forces the identity provider to redirect users to the redirect URI configured by the attacker. In some cases, the victims are redirected to phishing pages powered by attacker-in-the-middle frameworks such as EvilProxy, which can intercept valid session cookies to bypass multi-factor authentication (MFA) protections. Microsoft found that the 'state' parameter was misused to auto-fill the victim’s email address in the credentials box on the phishing page, increasing the perceived sense of legitimacy. In other instances, the victims are redirected to a 'download' path that automatically delivers a ZIP file with malicious shortcut (.LNK) files and HTML smuggling tools. Opening the .LNK launches PowerShell, which performs reconnaissance on the compromised host and extracts the components required for the next step, DLL side-loading. 
A malicious DLL (crashhandler.dll) decrypts and loads the final payload (crashlog.dat) into memory, while a legitimate executable (stream_monitor.exe) loads a decoy to distract the victim. Microsoft suggests that organizations should tighten permissions for OAuth applications, enforce strong identity protections and Conditional Access policies, and use cross-domain detection across email, identity, and endpoints.
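A triage routine for the authorize-URL pattern described above, as an added example that is not Microsoft's detection logic: it parses an Entra ID authorize request and flags the silent-authentication parameter, a scope that cannot be valid, a redirect_uri outside the organisation's own domains, and an e-mail address carried in `state`. The IdP host names, the trusted-domain list and the three sample URLs are assumptions constructed for the example; `prompt=none` is the standard OpenID Connect parameter for silent authentication and is taken here as what the text calls "parameters for silent authentication".

```python
"""Heuristic triage of OAuth authorize URLs for the redirect-abuse pattern above.
Added example; hosts, trusted domains and sample URLs are assumptions, not captured data.
"""
import re
from urllib.parse import parse_qs, urlparse

IDP_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}     # assumption
AUTHORIZE_PATHS = ("/oauth2/v2.0/authorize", "/oauth2/authorize")
TRUSTED_REDIRECT_DOMAINS = ("example.org", "example.com")             # assumption: the org's own apps
# Scope tokens look like 'openid', 'User.Read' or 'https://graph.microsoft.com/.default'.
SCOPE_TOKEN = re.compile(r"^([A-Za-z][\w.]*|https?://[\w.-]+/[\w.]+)$")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")


def _trusted_redirect(host: str) -> bool:
    # Exact or subdomain match only; 'evilexample.org' must not pass for 'example.org'.
    return any(host == d or host.endswith("." + d) for d in TRUSTED_REDIRECT_DOMAINS)


def analyze_authorize_url(url: str) -> dict:
    u = urlparse(url)
    if u.hostname not in IDP_HOSTS or not u.path.endswith(AUTHORIZE_PATHS):
        return {"url": url, "verdict": "not_authorize_request", "findings": []}
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    findings = []
    if q.get("prompt") == "none":                      # silent auth: no interactive login
        findings.append("silent_auth_prompt_none")
    scope = q.get("scope", "")
    if not scope or not all(SCOPE_TOKEN.match(t) for t in scope.split()):
        findings.append("invalid_scope")               # guaranteed error => redirect with error params
    redirect_host = urlparse(q.get("redirect_uri", "")).hostname or ""
    if not _trusted_redirect(redirect_host):
        findings.append("redirect_uri_not_trusted")    # where the error redirect will land the user
    if EMAIL.search(q.get("state", "")):
        findings.append("email_in_state")              # used to pre-fill the phishing page
    if "silent_auth_prompt_none" in findings and "redirect_uri_not_trusted" in findings:
        verdict = "likely_redirect_abuse"
    elif findings:
        verdict = "review"
    else:
        verdict = "benign"
    return {"url": url, "verdict": verdict, "findings": findings, "redirect_host": redirect_host}


# Constructed samples: a normal sign-in link, the abuse pattern, and a non-OAuth link.
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=1111-aaaa"
    "&response_type=code&redirect_uri=https%3A%2F%2Fapp.example.org%2Fcallback"
    "&scope=openid%20profile%20User.Read&state=nonce123",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=2222-bbbb"
    "&response_type=code&redirect_uri=https%3A%2F%2Fdocs-share.invalid%2Fdownload"
    "&scope=%7Bnot-a-scope%7D&prompt=none&state=alice%40example.org",
    "https://sharepoint.example.org/sites/finance/doc.pdf",
]


def scan(urls=SAMPLE_URLS) -> list:
    return [analyze_authorize_url(u) for u in urls]


if __name__ == "__main__":
    for r in scan():
        print(r["verdict"], r["findings"], r["url"][:72])
```

Run this over URLs extracted from mail, proxy or browser telemetry: the link really does point at the identity provider, so a domain-reputation check alone passes it, and the signal lies in the parameter combination, above all a redirect_uri the organisation never registered.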

Havoc C2 Framework Deployed via Fake Tech Support Campaign

First: 03.03.2026 19:15 · 📰 1 src / 1 articles

Threat actors impersonating IT support have deployed the Havoc C2 framework across multiple organizations using email spam and phone calls. The campaign, identified by Huntress, involved initial access followed by rapid lateral movement, suggesting data exfiltration or ransomware as the end goal. The attackers used a mix of custom Havoc Demon payloads and legitimate RMM tools for persistence. The tactics resemble those used by the Black Basta ransomware group, indicating possible affiliation or adoption of their methods. The attack chain begins with email spam, followed by a phone call from fake IT support. Victims are tricked into granting remote access, leading to the deployment of Havoc shellcode via DLL sideloading. The attackers also use legitimate RMM tools for persistence and employ defense evasion techniques to bypass security software.

Google Chrome accelerates release cycle to bi-weekly updates

First: 03.03.2026 19:00 · 📰 1 src / 1 articles

Google Chrome is transitioning from a four-week to a two-week release cycle for stable and beta versions across Desktop, Android, and iOS. Starting with Chrome 153, this change aims to deliver new features, bug fixes, and performance improvements more frequently while maintaining stability. The Dev and Canary channels, as well as the Extended Stable branch for enterprise customers, will retain their current schedules. Security updates will continue to be released weekly, as per the existing model. This shift is designed to reduce disruption and simplify debugging, though users may notice more frequent restart prompts.

RedAlert Spyware Campaign Exploits Wartime Panic With Trojanized App

First: 03.03.2026 18:15 · 📰 1 src / 1 articles

A new mobile espionage campaign, dubbed RedAlert, targets civilians during the Israel-Iran conflict by distributing a trojanized version of Israel's official Red Alert rocket warning app. The malicious app mimics the legitimate application, delivering real alerts while running a surveillance payload in the background. The malware aggressively requests high-risk permissions, including access to SMS messages, contacts, and precise GPS location data. It uses sophisticated anti-detection techniques to evade standard integrity checks and conceal secondary payloads. The campaign poses strategic and physical security risks, including the potential exposure of civilian shelter locations and the bypassing of two-factor authentication (2FA).

LexisNexis Breach via React2Shell Vulnerability

First: 03.03.2026 17:40 · 📰 1 src / 1 articles

LexisNexis Legal & Professional confirmed a data breach after hackers exploited the React2Shell vulnerability in an unpatched React frontend app. The breach exposed legacy, non-critical data, including customer names, user IDs, and business contact information. The threat actor, FulcrumSec, leaked 2GB of files on underground forums, claiming to have accessed sensitive data related to U.S. government employees and other officials. LexisNexis stated that the intrusion has been contained and no sensitive personally identifiable information or financial data was compromised. The company has notified law enforcement and engaged external cybersecurity experts to assist with the investigation.

AI Tools Lower Barrier to Entry for Sophisticated Cyber Attacks

First: 03.03.2026 17:30 · 📰 1 src / 1 articles

Cloudflare's 2026 Threat Report highlights how AI tools, particularly large language models (LLMs), have significantly lowered the barrier to entry for cybercriminals, enabling them to conduct more effective and impactful attacks rapidly and at scale. The report details how various threat actors, including state-sponsored groups, financially motivated cybercriminals, and hacktivists, are leveraging AI to enhance phishing emails, write malware, and map networks in real-time. Additionally, AI-generated deepfakes are being used to bypass hiring filters and embed malicious insiders within organizations. The report warns of the 'total industrialization of cyber threats' and emphasizes the need for organizations to adopt real-time, actionable intelligence to stay ahead of evolving attack tactics.

cPanel Access Brokerage Thrives in Cybercrime Markets

First: 03.03.2026 17:01 · 📰 1 src / 1 articles

Threat actors are actively trading compromised cPanel credentials in underground markets, offering them as ready-to-use infrastructure for phishing and scam campaigns. Research by Flare security analysts reveals a structured ecosystem where cPanel access is commoditized, with pricing tiers based on quality, geography, and infrastructure reputation. Compromised cPanels enable a wide range of malicious activities, including deploying backdoors, creating admin users, and exfiltrating sensitive data. The analysis highlights that over 1.5 million internet-connected servers run cPanel, making it a prime target for attackers. Common compromise vectors include credential abuse, web application exploits, and server-level vulnerabilities. The market for these credentials is highly commoditized, with sellers repeatedly advertising the same inventory across multiple fraudulent chat groups. Organizations are advised to enable multi-factor authentication, enforce strong passwords, and monitor outbound SMTP activity to mitigate the risk of cPanel compromise.

Strengthening Tier 1 SOC Analysts with Threat Intelligence

First: 03.03.2026 16:30 · 📰 1 src / 1 articles

CISOs face significant challenges with Tier 1 SOC analysts, who are often inexperienced and overloaded, leading to alert fatigue, decision fatigue, and high turnover rates. This weakens the SOC's overall performance and increases dwell time, incident costs, and regulatory exposure. To address these issues, CISOs are advised to implement three key steps: enhancing monitoring with live threat intelligence feeds, enriching alerts with contextual threat intelligence, and integrating these capabilities into existing security stacks.

Iranian Crypto Exchange Ariomex Linked to Sanctions Evasion

First: 03.03.2026 16:30 · 📰 1 src / 1 articles

A leaked database from Iranian cryptocurrency exchange Ariomex, analyzed by Resecurity, reveals potential involvement in sanctions evasion and large-scale capital transfers. The database, covering 2022 to 2025, includes 11,826 verified user records, with 27 potential matches against sanctions lists. The majority of transactions involved Tether and Tron, with significant transfers ranging from $50,000 to $19 million. The findings highlight mechanisms like shell accounts, layered transactions, and stablecoin routing used to evade sanctions.

AI-Assisted Hacker Breaches 600 FortiGate Firewalls in 5 Weeks

Updated: 03.03.2026 16:29 · First: 21.02.2026 15:50 · 📰 5 src / 7 articles

A Russian-speaking, financially motivated hacker used generative AI services to breach over 600 FortiGate firewalls across 55 countries in five weeks. The campaign, which occurred between January 11 and February 18, 2026, targeted exposed management interfaces and weak credentials lacking MFA protection. The attacker used AI to automate access to other devices on breached networks, extracting sensitive configuration data and conducting reconnaissance. The attacker successfully compromised multiple organizations' Active Directory environments, extracted complete credential databases, and targeted backup infrastructure, likely in a lead-up to ransomware deployment. The threat actor used the CyberStrikeAI AI-powered security testing platform, which integrates over 100 security tools and allows for end-to-end automation of attacks. The developer of CyberStrikeAI, known as "Ed1s0nZ," has links to Chinese government-affiliated cyber operations and has worked on additional AI-assisted security tools. Team Cymru detected 21 unique IP addresses running CyberStrikeAI between January 20 and February 26, 2026, primarily hosted in China, Singapore, and Hong Kong. Additional servers related to CyberStrikeAI have been detected in the U.S., Japan, and Switzerland. The developer has interacted with organizations supporting potentially Chinese government state-sponsored cyber operations, including Knownsec 404, a Chinese security vendor with ties to the Chinese Ministry of State Security (MSS). Ed1s0nZ has removed references to a CNNVD Level 2 Contribution Award from their GitHub profile.

Increased Workload and Evolving Role of US CISOs Due to AI and Threat Landscape

Updated: · First: 03.03.2026 16:00 · 📰 1 src / 1 articles

US cybersecurity leaders are experiencing significant workload increases, with 45% working 11+ extra hours per week and 20% working 16+ extra hours. This has led to emotional exhaustion for 44% of respondents, rising to 56% among C-level executives. Despite this, 94% would still choose cybersecurity as a career. The proliferation of AI is shifting the role of CISOs towards more business-centric responsibilities, emphasizing communication and interpersonal skills. Failure to adapt may result in governance gaps where automated tools lack human oversight.

AirSnitch Attacks Bypass Wi-Fi Client Isolation

Updated: · First: 03.03.2026 15:49 · 📰 1 src / 1 articles

Researchers from UC Riverside and KU Leuven discovered vulnerabilities in Wi-Fi client isolation, allowing attacks that bypass security features in home, work, and public networks. The attacks exploit weaknesses in group temporal keys, gateway bouncing, and machine-in-the-middle (MitM) techniques. The lack of standardization in client isolation implementations across vendors leads to inconsistent and incomplete security measures. All tested networks were vulnerable to at least one attack, highlighting a significant risk in current Wi-Fi security practices. The researchers responsibly disclosed the findings to manufacturers, but long-term solutions require ecosystem-level coordination.

Workload Identity Crisis and Authentication Challenges in 2026

Updated: · First: 03.03.2026 14:57 · 📰 1 src / 1 articles

Organizations face growing complexity in authenticating workloads, especially with AI agents and diverse cloud environments. Researchers at Zscaler highlight the need for advanced authentication methods to secure non-human identities (NHI) and prevent insecure practices. The upcoming RSAC 2026 session will discuss solutions like mutual TLS (mTLS), workload identity tokens, and remote attestation.

Drone Strikes Damage AWS Data Centers in Middle East

Updated: · First: 03.03.2026 13:44 · 📰 1 src / 1 articles

Drone strikes have damaged three AWS data centers in the UAE and one in Bahrain, causing extensive outages across multiple cloud services. The attacks are suspected to be part of Iran's response to recent U.S. and Israeli strikes in the Middle East. The incidents have disrupted the AWS Middle East (UAE) Region (ME-CENTRAL-1) and the AWS Middle East (Bahrain) Region (ME-SOUTH-1), with significant structural and power infrastructure damage reported. Amazon is working on recovery efforts, including restoring physical infrastructure and implementing software-based recovery paths. Customers are advised to back up data and migrate workloads to unaffected regions.

Enterprise AI Agents Become Identity Dark Matter

Updated: · First: 03.03.2026 13:30 · 📰 1 src / 1 articles

Enterprises are rapidly adopting AI agents that operate as non-human identities, creating significant governance and security challenges. These agents, enabled by the Model Context Protocol (MCP), automate workflows but often operate outside traditional Identity and Access Management (IAM) systems, becoming 'identity dark matter.' This poses risks such as over-permissioned access, untracked usage, and privilege drift, which can be exploited by both internal and external actors. Gartner and industry experts emphasize the need for governance frameworks to manage these agents effectively.

Starkiller Phishing Kit Bypasses MFA via Proxy-Based Attacks

Updated: 03.03.2026 13:10 · First: 19.02.2026 14:00 · 📰 3 src / 3 articles

A new phishing kit called Starkiller has emerged, allowing attackers to bypass multi-factor authentication (MFA) by proxying legitimate login pages. The kit is distributed as a subscription-based service on the dark web, offering real-time session monitoring and keylogging capabilities. It mimics login pages of major services like Google, Microsoft, and banks, routing traffic through attacker-controlled infrastructure to steal credentials and authentication tokens. Starkiller runs headless Chrome instances inside Docker containers that act as a reverse proxy between the target and the legitimate site, serving genuine page content and making it difficult for security vendors to detect or block. The toolkit is sold with updates and customer support, posing a significant escalation in phishing infrastructure. The service is part of a broader cybercrime offering by a threat group called Jinkusu, which provides additional features such as email harvesting and campaign analytics. Starkiller also integrates URL shorteners such as TinyURL to obscure the destination URL. The platform centralizes infrastructure management, phishing page deployment, and session monitoring within a single control panel, combining URL masking, session hijacking, and MFA bypass to streamline phishing operations.

Expanded Impact of Third-Party Breaches in 2025

Updated: · First: 03.03.2026 13:00 · 📰 1 src / 1 articles

In 2025, 136 verified third-party breaches impacted 433 million individuals and 719 downstream companies, with an additional 26,000 corporate victims unlisted. The median time for breach detection was 10 days, and notification took 73 days on average. Over half of monitored organizations had critical vulnerabilities, and 23% had credentials on the dark web. The report highlights significant delays in breach detection and notification, emphasizing the systemic risk posed by third-party breaches. Software services vendors were the primary source of breaches, affecting sectors like healthcare, education, and financial services. The analysis of top shared vendors revealed widespread critical vulnerabilities and active targeting, indicating a growing crisis in third-party risk management.

Cloud Imperium Games Breach Exposes User Data

Updated: · First: 03.03.2026 12:50 · 📰 1 src / 1 articles

Cloud Imperium Games (CIG), developer of Star Citizen and Squadron 42, disclosed a breach on January 21, 2026, where attackers accessed backup systems containing basic user account information. The compromised data includes metadata, contact details, usernames, dates of birth, and names. CIG stated that no financial information, passwords, or payment details were accessed, and the incident was read-only. The company has not found evidence of data leakage or further incidents. The breach could potentially be used for phishing attacks, despite CIG's assertion that the incident poses no risk to user safety.

Iran-linked Dust Specter Targets Iraqi Officials with AI-Assisted Malware

Updated: · First: 03.03.2026 12:30 · 📰 1 src / 1 articles

An Iran-linked cyber threat actor, Dust Specter, has been targeting Iraqi government officials using AI-powered tools and previously undocumented malware. The campaign, detected in January 2026, involves impersonating the Iraqi Ministry of Foreign Affairs and compromising government infrastructure to host malicious payloads. The attack chains include the use of SplitDrop, TwinTask, and TwinTalk malware, with TwinTalk also linked to a previous campaign in July 2025.

Ransomware Attack on University of Hawaii Cancer Center

Updated: 03.03.2026 11:48 · First: 12.01.2026 20:48 · 📰 2 src / 2 articles

The University of Hawaii Cancer Center suffered a ransomware attack on August 31, 2025, compromising a single research project. The breach resulted in the theft of historical data, including Social Security numbers from the 1990s, affecting nearly 1.2 million individuals. The university engaged with the threat actors to secure a decryptor and ensure the destruction of stolen data. The attack did not impact clinical operations or patient care but delayed restoration efforts. The university has since taken measures to secure its systems, including installing endpoint protection software and conducting third-party security audits.

CVE-2026-21385 Exploited in Qualcomm Android Component

Updated: 03.03.2026 10:19 · First: 03.03.2026 09:08 · 📰 2 src / 2 articles

Google confirmed that CVE-2026-21385, a high-severity buffer over-read vulnerability in Qualcomm's Graphics component, is being exploited in the wild. The flaw, reported to Qualcomm by Google's Android Security team, is an integer overflow leading to memory corruption. Google's March 2026 update includes patches for 129 vulnerabilities, including critical flaws in System, Framework, and Kernel components. The exploit is under limited, targeted use, but details on the exploitation method remain undisclosed. The vulnerability affects 235 Qualcomm chipsets and Android devices using the impacted Qualcomm component, with patches available in the March 2026 Android security bulletin.

Firewall Backlogs and Developer-Security Team Tensions in AI-Driven Development

Updated: · First: 02.03.2026 23:32 · 📰 1 src / 1 articles

The tension between application developers and security teams is intensifying due to mounting firewall backlogs, exacerbated by the accelerated pace of AI-driven development and cloud adoption. Developers face delays in deploying applications due to lengthy firewall rule approval processes, while security teams struggle with overwhelming firewall logs and the need to reduce risk. This ongoing conflict highlights the need for organizations to adapt their processes and technologies to balance speed and security effectively.

Global Law Enforcement Disrupts 'The Com' Cybercrime Collective

Updated: 02.03.2026 22:32 · First: 27.02.2026 13:00 · 📰 3 src / 5 articles

A coordinated international operation, Project Compass, has arrested 30 members of 'The Com,' a cybercrime group linked to ransomware attacks, extortion, violent activities, and the production of child sexual exploitation material (CSAM). The group, primarily composed of young individuals, has targeted high-profile entities and engaged in phishing, vishing, and SIM swapping. Project Compass, led by Europol's European Counter Terrorism Centre, involves multiple countries and aims to disrupt the group's operations and safeguard victims. The Com has been connected to Russian cybercriminal gangs and has expanded its activities to include physical violence, extremist links, and the exploitation of minors. The group operates with a decentralized structure, making it particularly difficult to disrupt. Europol splits The Com into three distinct groups of activity: cyber activity, offline activity, and extortion/sextortion activity.

Fake Google Security PWA Campaign Steals Credentials and MFA Codes

Updated: · First: 02.03.2026 22:23 · 📰 1 src / 1 articles

A phishing campaign uses a fake Google Account security page to deliver a Progressive Web App (PWA) that steals one-time passcodes, cryptocurrency wallet addresses, and proxies attacker traffic through victims’ browsers. The attack leverages PWA features and social engineering to deceive users into granting risky permissions and installing the malware. The campaign uses the domain google-prism[.]com and includes an optional Android APK for further device compromise.

Alabama Man Pleads Guilty to Extortion and Cyberstalking of Hundreds of Women

Updated: · First: 02.03.2026 20:54 · 📰 1 src / 1 articles

A 22-year-old Alabama man, Jamarcus Mosley, pleaded guilty to extortion, cyberstalking, and computer fraud charges. Between April 2022 and May 2025, Mosley hijacked the social media accounts of hundreds of young women, including minors, by tricking them into sharing account recovery codes and passwords. He then threatened to release their private images or lock them out of their accounts unless they complied with his demands, which included surrendering additional accounts, sending sexually explicit content, or paying him money. Mosley's actions involved impersonating friends, accessing private images, and posting stolen content online when victims refused his demands. He is scheduled to be sentenced on May 27.

Microsoft COA Fraud Scheme Leads to 22-Month Prison Sentence

Updated: · First: 02.03.2026 19:30 · 📰 1 src / 1 articles

A Florida woman, Heidi Richards, was sentenced to 22 months in prison for operating a fraud scheme involving the trafficking of thousands of stolen Microsoft Certificate of Authenticity (COA) labels. Richards, who ran Trinity Software Distribution, was ordered to pay a $50,000 fine. The scheme involved buying genuine COA labels at below-retail prices, extracting the product keys, and selling them illegally worldwide, resulting in $5.1 million in payments to the supplier. The COA labels, which authenticate software like Windows and Office, are not legally permitted to be sold separately from the software they accompany. Richards and her accomplices extracted the product keys and sold them in bulk, circumventing Microsoft's licensing requirements. This case highlights the ongoing issue of software piracy and the legal consequences for those involved in trafficking unauthorized license keys.

Google Gemini AI Vulnerabilities Allowing Prompt Injection and Data Exfiltration

Updated: 02.03.2026 19:08 · First: 30.09.2025 16:18 · 📰 7 src / 9 articles

Researchers disclosed multiple vulnerabilities in Google's Gemini AI assistant that could have exposed users to privacy risks and data theft. The flaws, collectively named the Gemini Trifecta, affected Gemini Cloud Assist, the Search Personalization Model, and the Browsing Tool. These vulnerabilities allowed for prompt injection attacks, search-injection attacks, and data exfiltration. Google has since patched the issues and implemented additional security measures. Additionally, a zero-click vulnerability in Gemini Enterprise, dubbed 'GeminiJack', was discovered in June 2025, allowing attackers to exfiltrate corporate data via indirect prompt injection. Google addressed this flaw by separating Vertex AI Search from Gemini Enterprise and updating their interaction with retrieval and indexing systems. A new prompt injection flaw in Google Gemini allowed attackers to bypass authorization guardrails and use Google Calendar as a data extraction mechanism. The flaw enabled unauthorized access to private meeting data and the creation of deceptive calendar events without any direct user interaction. The attack involved a malicious payload hidden within a standard calendar invite, which was activated when a user asked Gemini about their schedule. The flaw allowed Gemini to create a new calendar event and write a full summary of the target user's private meetings in the event's description. The issue was addressed following responsible disclosure, highlighting the need for evaluating large language models across key safety and security dimensions. Additionally, a high-severity flaw in Google's implementation of Gemini AI in the Chrome browser, tracked as CVE-2026-0628, could allow attackers to escalate privileges, violate user privacy, and access sensitive system resources. The flaw was discovered by researchers from Palo Alto Networks' Unit 42 and was patched by Google in early January. The vulnerabilities highlight the potential risks of AI tools being used as attack vectors rather than just targets.

Google Advances Quantum-Resistant HTTPS Certificates with Merkle Tree Certificates

Updated: 02.03.2026 18:52 · First: 02.03.2026 13:33 · 📰 3 src / 3 articles

Google is developing Merkle Tree Certificates (MTCs) to enhance the security of Chrome's HTTPS certificates against quantum computing threats. MTCs use compact Merkle Tree proofs to reduce bandwidth usage and improve performance while maintaining strong security. Google plans to integrate MTCs into Chrome's Root Store by 2027, ensuring a smooth transition to quantum-resistant certificates without disrupting existing TLS connections. The deployment will occur in three phases, with feasibility studies underway, public deployment scheduled for Q1 2027, and the introduction of the Chrome Quantum-resistant Root Store in Q3 2027. Chrome will also modernize certificate governance with ACME-only workflows, streamlined revocation systems, and enhanced oversight models. Chrome has no immediate plan to add traditional X.509 certificates containing post-quantum cryptography to the Chrome Root Store. MTCs are being developed in the PLANTS working group and aim to reduce the number of public keys and signatures in the TLS handshake to the bare minimum required.

Iranian Cyber Threat Activity Against U.S. Critical Infrastructure and Kinetic Targeting

Updated: 02.03.2026 17:54 · First: 30.06.2025 15:00 · 📰 13 src / 18 articles

Iranian state-sponsored and affiliated cyber threat actors are actively escalating retaliatory campaigns following joint Israeli-US military strikes on February 28, 2026, with Google’s Threat Intelligence Group (GTIG) warning of imminent, aggressive cyber-attacks against a broadened target set. While Iran’s digital infrastructure remains severely disrupted (internet connectivity at ~4% of normal), over 150 hacktivist incidents—DDoS attacks, defacements, and unverified breach claims—were recorded within 48 hours, targeting government, banking, aviation, and telecom sectors globally. The UK’s NCSC has now issued an urgent advisory for organizations with Middle East exposure to review cybersecurity postures, warning that Iranian actors maintain operational capability despite the blackout and may exploit supply chains or regional offices as attack vectors. Prior to this surge, Iranian actors conducted long-term espionage and destructive campaigns, including the use of ‘wiper’ malware, spear-phishing against global embassies, and cyber-enabled kinetic targeting—such as maritime AIS reconnaissance to facilitate missile strikes. Groups like APT42, Subtle Snail (UNC1549), and Imperial Kitten deployed tailored malware (e.g., MINIBIKE, TAMECAT) to infiltrate telecommunications, aerospace, and defense sectors, while MuddyWater accessed live CCTV streams for real-time attack planning. U.S. agencies, including CISA, continue to urge critical infrastructure operators to implement multi-factor authentication, maintain offline backups, and report incidents promptly, as Iran’s tactics evolve to combine ransomware-as-a-smokescreen, destructive wipers, and multi-actor obfuscation.

ShinyHunters and Scattered Spider Collaboration

Updated: 03.03.2026 08:53 · First: 12.08.2025 15:00 · 📰 28 src / 74 articles

The ShinyHunters and Scattered Spider collaboration, operating under the Scattered Lapsus$ Hunters (SLH) alliance, has escalated its extortion and social engineering tactics in early 2026 by recruiting women for vishing attacks targeting IT help desks, offering $500–$1,000 per successful call alongside pre-written scripts. This calculated evolution aims to exploit psychological biases and bypass traditional attacker profiles, increasing the success rate of impersonation and credential harvesting. The group continues to combine technical intrusions with psychological harassment, swatting, and media manipulation to coerce payments, while leveraging legitimate services, residential proxies, and tunneling tools (e.g., Ngrok, Luminati) to evade detection. The alliance's latest developments include the ShinySp1d3r RaaS platform, Zendesk phishing campaigns, and targeted intrusions against financial sectors, demonstrating a multi-pronged expansion in both technical sophistication and psychological warfare. Their tactics now involve recruiting diverse social engineering operatives, deploying virtual machines for post-exploitation reconnaissance, and exploiting cloud APIs (e.g., Microsoft Graph) to access Azure environments. Despite law enforcement arrests and shutdown claims, SLH remains a high-risk, low-trust threat actor, with no guarantee of data deletion post-payment and a pattern of rebranding to evade pressure. Victims are advised to refuse engagement beyond a firm "no payment" stance, as compliance only fuels further escalation and harassment.

Meanwhile, unrelated but concurrent threat activity reveals that SloppyLemming (Outrider Tiger/Fishing Elephant) has been targeting Pakistani and Bangladeshi government entities and critical infrastructure since 2022, deploying dual malware chains (BurrowShell backdoor and Rust-based keylogger) via spear-phishing and Cloudflare Workers domains. This campaign highlights the growing use of Rust in malware development and regional espionage priorities in South Asia, though it remains distinct from the SLH alliance's financially motivated operations.