blacktemple.net: Cybersecurity News & Analysis (github: defconxt), © 2026

Weekly Threat Brief (Feb 23 - Mar 2, 2026): Critical Infrastructure Under Active Exploitation

March 2, 2026 · Industry & Policy · 4 min read · Severity: critical

Tags: #weekly-roundup #threat-intelligence #critical-infrastructure #nation-state-apt #active-exploitation #cisco-zero-day #ai-weaponization #supply-chain-attacks

TL;DR

A three-year-old Cisco SD-WAN zero-day under active exploitation headlines a week of critical infrastructure vulnerabilities, while nation-state actors increasingly weaponize AI tools and geopolitical tensions drive cyber escalation.

Why critical?

The weekly summary's severity reflects the highest-severity story of the week (critical).

Executive Summary

The threat landscape reached critical intensity this week with the revelation of a Cisco SD-WAN zero-day exploited for three years undetected, while nation-state actors demonstrated sophisticated AI weaponization capabilities. Critical infrastructure vulnerabilities dominated headlines as attackers targeted networking equipment, cloud platforms, and development tools. Geopolitical tensions escalated cyber risks, with Iranian capabilities under scrutiny following military operations.

Key Threats This Week

Critical Infrastructure Zero-Days

The week's most significant development was CISA's disclosure of active Cisco SD-WAN exploitation dating back to 2023. Five Eyes intelligence agencies warned of widespread targeting, with the vulnerability affecting core networking infrastructure globally. BeyondTrust suffered parallel critical RCE exploitation, while VMware patched additional critical flaws in its infrastructure stack.

FileZen joined CISA's Known Exploited Vulnerabilities catalog following confirmed active exploitation of command injection flaws. The convergence of multiple networking platform compromises signals coordinated infrastructure targeting campaigns.

Nation-State AI Weaponization

Russian threat actors demonstrated mass FortiGate compromise using AI-assisted attack automation, marking a tactical evolution in state-sponsored operations. APT28 launched new MacroMaze campaigns targeting European entities, while Iranian MuddyWater deployed fresh malware variants across MENA organizations.

Chinese actors exploited Claude AI vulnerabilities to enable remote code execution against Mexican government systems, showcasing the weaponization of commercial AI platforms. Intelligence suggests systematic AI model theft through massive query campaigns targeting Western AI firms.

Supply Chain Infiltration

The npm ecosystem faced sustained attacks from supply chain worms mimicking Shai-Hulud malware, harvesting cryptocurrency keys and CI/CD secrets from developer environments. North Korean actors evolved their npm targeting strategies, while malicious NuGet packages hit financial sector development pipelines.

A compromised Chrome extension QuickLens deployed crypto-stealing malware to thousands of users via ClickFix tactics, demonstrating browser extension supply chain risks.

Massive Data Exposure Events

ShinyHunters claimed a devastating 21 million record breach at Dutch telecommunications provider Odido. France's FICOBA banking registry disclosed 1.2 million account compromises, while the TriZetto healthcare breach affected over 3 million users.

South Korea's National Tax Service accidentally published cryptocurrency wallet recovery phrases in press releases, enabling $4.8 million in asset theft from seized criminal funds.

By the Numbers

  • Critical Severity: 12 stories (17%), dominated by infrastructure exploitation
  • High Severity: 27 stories (39%), nation-state activity and major breaches
  • Active Exploitation: 5 confirmed KEV additions, including the 3-year-old Cisco flaw
  • Geographic Impact: 42+ countries targeted in a China-linked espionage campaign
  • Financial Impact: $4.8M stolen from accidentally exposed wallet seeds

Category breakdown reveals infrastructure vulnerabilities (12 stories) and nation-state activity (11 stories) driving threat escalation, while malware campaigns (13 stories) maintained consistent pressure across all sectors.

Notable Developments

AI-Powered Attack Evolution

Threat actors demonstrated significant AI integration capabilities this week. Amateur operators compromised 600+ FortiGate devices using AI-assisted techniques, while sophisticated actors weaponized Claude AI for government targeting. The democratization of AI attack tools lowered entry barriers for mass infrastructure compromise.

Geopolitical Cyber Escalation

Escalating Middle East tensions raised immediate concerns about retaliatory cyberattacks against US critical infrastructure. Iran's digital infrastructure suffered blackouts during military operations, while psychological operations targeted Iranian civilians through compromised prayer applications.

Steganographic Campaign Surge

Multiple campaigns deployed advanced steganographic techniques, hiding malware in JPEG images and Excel files. XWorm 7.2 and Pulsar RAT distribution demonstrated sophisticated evasion tactics targeting enterprise environments.

Outlook

Next week demands heightened focus on:

  • Infrastructure Hardening: Cisco SD-WAN patching urgency and expanded KEV monitoring
  • Geopolitical Spillover: Iranian retaliatory cyber capability assessment
  • AI Security: Claude and similar platform vulnerability management
  • Supply Chain: Enhanced npm/NuGet package vetting procedures
  • Developer Targeting: Increased scrutiny of development tool compromise vectors
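One way to act on the "expanded KEV monitoring" item above is to cross-reference the CISA Known Exploited Vulnerabilities feed against an asset inventory every day and surface new additions and overdue remediation deadlines. The following is an added example, not code from the original brief or from CISA. It uses the public field names of the KEV JSON feed (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`, `requiredAction`), but the feed snippet, the asset inventory, the hostnames and the dates are constructed for illustration, and the CVE ids are obvious placeholders rather than real identifiers. In production the text passed to `load_catalog()` would be the downloaded feed itself.

```python
"""Match the CISA KEV feed against an asset inventory (added example).

Assumptions: the KEV feed schema field names listed in the lead-in; the
sample feed and inventory below are CONSTRUCTED, and CVE ids are placeholders.
"""
import json
from dataclasses import dataclass
from datetime import date

# CONSTRUCTED KEV feed snippet in the real schema shape. Placeholder CVE ids.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "catalogVersion": "example",
    "dateReleased": "2026-03-02T00:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "Cisco", "product": "SD-WAN",
         "vulnerabilityName": "placeholder", "dateAdded": "2026-02-25",
         "shortDescription": "constructed sample entry",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "dueDate": "2026-03-11", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00002", "vendorProject": "BeyondTrust", "product": "Remote Support",
         "vulnerabilityName": "placeholder", "dateAdded": "2026-02-24",
         "shortDescription": "constructed sample entry",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "dueDate": "2026-03-03", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00003", "vendorProject": "ExampleVendor", "product": "ExampleRouter",
         "vulnerabilityName": "placeholder", "dateAdded": "2025-12-01",
         "shortDescription": "constructed sample entry",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "dueDate": "2025-12-22", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# CONSTRUCTED inventory: what a CMDB export might look like after normalisation.
SAMPLE_INVENTORY = [
    {"hostname": "edge-sdwan-01", "vendor": "Cisco", "product": "SD-WAN"},
    {"hostname": "jump-host-02", "vendor": "BeyondTrust", "product": "Remote Support"},
    {"hostname": "core-rtr-03", "vendor": "ExampleVendor", "product": "ExampleRouter"},
    {"hostname": "web-01", "vendor": "Acme", "product": "WebServer"},
]


@dataclass(frozen=True)
class KevEntry:
    cve_id: str
    vendor: str
    product: str
    date_added: date
    due_date: date
    ransomware_use: bool
    required_action: str


def load_catalog(feed_text: str) -> list[KevEntry]:
    """Parse KEV feed JSON into typed entries; ISO date strings become dates."""
    doc = json.loads(feed_text)
    return [
        KevEntry(
            cve_id=v["cveID"],
            vendor=v["vendorProject"],
            product=v["product"],
            date_added=date.fromisoformat(v["dateAdded"]),
            due_date=date.fromisoformat(v["dueDate"]),
            ransomware_use=v.get("knownRansomwareCampaignUse") == "Known",
            required_action=v.get("requiredAction", ""),
        )
        for v in doc["vulnerabilities"]
    ]


def added_since(entries: list[KevEntry], since: date) -> list[KevEntry]:
    """Entries added to the catalog on or after `since` (e.g. the review window)."""
    return [e for e in entries if e.date_added >= since]


def match_inventory(entries: list[KevEntry], inventory: list[dict]) -> list[tuple[str, str]]:
    """Return (hostname, cve_id) pairs where vendor matches and product names overlap."""
    hits = []
    for asset in inventory:
        for e in entries:
            same_vendor = asset["vendor"].lower() == e.vendor.lower()
            a, k = asset["product"].lower(), e.product.lower()
            if same_vendor and (a in k or k in a):
                hits.append((asset["hostname"], e.cve_id))
    return hits


def remediation_status(entry: KevEntry, today: date) -> str:
    """'overdue' once the KEV due date has passed, otherwise days remaining."""
    days = (entry.due_date - today).days
    return "overdue" if days < 0 else f"due in {days} days"


if __name__ == "__main__":
    today = date(2026, 3, 2)
    catalog = load_catalog(SAMPLE_KEV_JSON)
    by_id = {e.cve_id: e for e in catalog}
    print("Added this week:", [e.cve_id for e in added_since(catalog, date(2026, 2, 23))])
    for host, cve in match_inventory(catalog, SAMPLE_INVENTORY):
        e = by_id[cve]
        flag = " [ransomware use known]" if e.ransomware_use else ""
        print(f"{host}: {cve} {remediation_status(e, today)}{flag}: {e.required_action}")
```

Matching on vendor plus product-name overlap is deliberately loose: a false positive costs an analyst a minute, while a miss on a catalog entry like the Cisco SD-WAN flaw is exactly what the brief warns about. Tightening the match to exact version ranges requires CPE data that the KEV feed itself does not carry.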

The convergence of nation-state AI weaponization and critical infrastructure vulnerabilities suggests an inflection point in threat sophistication. Organizations should prioritize zero-trust architectures and assume persistent compromise of internet-facing infrastructure.

Sources

  • Active RoundCube Exploitation, AI-Generated Stealers, and France's FICOBA Breach
  • Critical BeyondTrust RCE Under Active Exploitation, Romanian Hacker Pleads Guilty to State Network Breach
  • Nation-State Roundup: Russian AI-Powered Campaigns and Hybrid Warfare Operations
  • Critical Cisco SD-WAN Exploitation, Claude AI Vulnerabilities, and Million-Scale Data Breaches
  • APT28 Exploits MSHTML Zero-Day; North Korean npm Campaign Evolves
  • CISA Adds FileZen to KEV as Multiple Critical Vulnerabilities Surface
  • Treasury Sanctions Russian Exploit Broker as Critical SolarWinds Flaws Hit Servers
  • Iran Conflict Escalation Raises Critical Infrastructure Cyber Threat Concerns
  • Compromised QuickLens Chrome Extension Deploys Crypto-Stealing Malware via ClickFix Tactics
  • Korean Tax Agency Accidentally Exposes Seized Wallet Seed, Enables $4.8M Theft


Threat Actors

  • ShinyHunters
  • MuddyWater (Iran)
  • APT28 (Russia)

Related Intelligence

  • Weekly Threat Brief (Feb 22 - Mar 1, 2026): AI Arms Race Accelerates as Critical Infrastructure Under Fire (critical, Mar 1, 2026)
  • Weekly Threat Brief (March 1-8, 2026): AI Weaponization and Kinetic-Cyber Convergence (critical, Mar 8, 2026)
  • Weekly Threat Brief (Feb 16-23, 2026): AI-Powered Attacks and Critical Infrastructure Under Siege (critical, Feb 23, 2026)
