Originally reported by The Hacker News, Microsoft Security, SANS ISC, MSRC Security Updates
TL;DR
Iran-linked Dust Specter and Russian APT28 campaigns unveiled new malware families targeting government officials in Iraq and Ukraine respectively. Meanwhile, Tycoon2FA phishing-as-a-service operations reached over 500,000 organizations monthly before disruption by Microsoft and Europol.
Multiple active state-sponsored campaigns are deploying new malware families against government entities, alongside a large-scale phishing-as-a-service operation affecting over 500,000 organizations monthly.
Zscaler ThreatLabz identified a suspected Iran-nexus threat actor targeting Iraqi government officials through sophisticated impersonation campaigns. The cluster, tracked as Dust Specter, leveraged fake Ministry of Foreign Affairs communications to deliver two previously unknown malware families: SPLITDROP and GHOSTFORM. The January 2026 campaign demonstrates continued state-sponsored interest in regional government networks through targeted social engineering.
Russian threat actors linked to APT28 launched a new campaign against Ukrainian entities using two undocumented malware families: BadPaw and MeowMeow. The attack chain initiates through phishing emails containing links to ZIP archives. Once extracted, HTA files display Ukrainian-language lure documents concerning border crossing appeals while deploying the malicious payloads. This represents a continuation of sustained Russian cyber operations against Ukrainian infrastructure.
Microsoft's Digital Crimes Unit, working with Europol and industry partners, disrupted the Tycoon2FA phishing-as-a-service platform that enabled campaigns reaching over 500,000 organizations monthly. The AiTM (Adversary-in-the-Middle) phishing kit had become a leading PhaaS platform, demonstrating the industrial scale of modern credential harvesting operations. The disruption highlights the growing threat posed by commercialized cybercrime services.
Google Threat Intelligence Group discovered the Coruna (aka CryptoWaters) exploit kit targeting iPhone models running iOS versions 13.0 through 17.2.1. The sophisticated kit features five complete iOS exploit chains incorporating 23 individual exploits. While ineffective against the latest iOS versions, Coruna represents one of the most comprehensive mobile exploit kits identified to date, emphasizing the importance of maintaining current mobile operating system versions.
Radware researchers documented a surge in retaliatory hacktivist activity following the U.S.-Israel military campaign against Iran. Between February 28 and March 2, threat actors conducted 149 DDoS attacks against 110 organizations across 16 countries. Two groups, Keymous+ and DieNet, drove nearly 70% of all attack activity, demonstrating how geopolitical events rapidly translate into cyber operations.
Security researchers highlighted persistent gaps in MFA implementation across Windows environments. While organizations deploy MFA through identity providers like Microsoft Entra ID and Okta, coverage gaps continue to enable credential-based compromises. The analysis emphasizes that deploying MFA alone is insufficient without comprehensive coverage across all authentication points.
Microsoft published information on multiple CVEs affecting various system components:
CVE-2022-4543: EntryBleed vulnerability in Linux Kernel Page Table Isolation enabling KASLR base leakage
CVE-2025-8732: libxml2 xmlcatalog recursion vulnerability
CVE-2026-3336: Certificate chain validation bypass in AWS-LC PKCS7_verify function
These CVE publications represent ongoing maintenance of the vulnerability database rather than immediate threats requiring emergency patching.