Originally reported by Security Affairs, The Record, Palo Alto Unit 42
TL;DR
APT28 exploited an MSHTML zero-day while APT37 developed new air-gapped infiltration techniques using cloud storage and USB implants. Meanwhile, Iranian cyber threats are escalating amid Middle East tensions, prompting warnings from UK and US authorities.
Multiple zero-day vulnerabilities actively exploited by nation-state actors (APT28's MSHTML exploit, the Chrome Gemini vulnerability), combined with escalating Iranian cyber threats, warrant a high severity classification.
Nation-state threat actors are adapting their tactics with sophisticated new approaches targeting AI systems, air-gapped networks, and browser vulnerabilities. Recent developments span from zero-day exploitation campaigns to emerging AI prompt injection attacks, while geopolitical tensions drive increased Iranian cyber activity.
Palo Alto Networks researchers discovered a critical Chrome vulnerability (CVE-2026-0628) that allows malicious extensions to hijack Google's Gemini Live AI assistant. The flaw enables attackers to spy on users and exfiltrate sensitive files by taking control of the AI interface. This represents a new attack vector targeting AI-powered browser features, demonstrating how threat actors are adapting to exploit emerging technologies integrated into everyday tools.
Akamai researchers report that Russia-linked APT28 (Fancy Bear) exploited CVE-2026-21513, a high-severity MSHTML vulnerability with a CVSS score of 8.8, before Microsoft patched it in February 2026. The vulnerability, an Internet Explorer security control bypass, can lead to code execution, highlighting APT28's continued capability to weaponize zero-day vulnerabilities for espionage operations. The pre-patch exploitation underscores the group's access to previously unknown vulnerabilities.
North Korean group APT37 (ScarCruft) deployed new tools in the "Ruby Jumper" campaign, combining cloud storage and USB-based malware to breach air-gapped systems. Zscaler ThreatLabz discovered the group using a backdoor that leverages Zoho WorkDrive for command and control communications alongside USB-based implants designed to traverse air-gapped network boundaries. This dual-vector approach represents a significant evolution in techniques for infiltrating highly secured environments.
Geopolitical tensions in the Middle East have triggered widespread concern about Iranian cyber capabilities. The UK's National Cyber Security Centre (NCSC) issued warnings about potential Iranian cyberattacks, urging British organizations to strengthen defensive measures amid escalating regional conflict. Unit 42 researchers documented recent Iranian cyberattack activity including phishing campaigns, hacktivist operations, and cybercrime activities, noting a marked increase in aggressive posturing.
Simultaneously, U.S. Cyber Command confirmed conducting offensive cyber operations against Iranian communications systems and sensors, with the country's top general stating these attacks helped set conditions for joint bombing campaigns with Israel. This represents a significant escalation in cyber warfare operations targeting Iranian infrastructure.
Unit 42 researchers documented real-world indirect prompt injection attacks where adversaries weaponize hidden web content to exploit large language models for high-impact fraud. These attacks represent a new category of threats targeting AI agents, demonstrating how malicious actors can manipulate AI systems through carefully crafted web content that appears benign to human users but triggers malicious behavior in AI processing systems.
The University of Hawaii Cancer Center confirmed a data breach following a ransomware attack, with compromised information traced back to a 1993 Multiethnic Cohort Study that used driver's license numbers and voter registration records. German courts convicted an alleged mastermind behind a global investment scam network, with the Bamberg Regional Court conducting an 11-day trial under heightened security measures.