Originally reported by Security Affairs
TL;DR
Check Point researchers observed Iran-linked actors targeting IP cameras across Israel and Gulf states for military intelligence, while Broadcom's Symantec team uncovered MuddyWater deploying the new Dindoor backdoor against U.S. banks, airports, and nonprofits.
Multiple Iranian APT campaigns targeting critical infrastructure and U.S. organizations, combined with active exploitation of Cisco SD-WAN vulnerabilities, represent significant nation-state threats requiring immediate defensive attention.
Nation-state cyber operations continue to escalate across multiple theaters, with Iranian APT groups conducting surveillance and infiltration campaigns while critical infrastructure vulnerabilities face active exploitation.
Check Point researchers observed Iran-linked threat actors conducting systematic targeting of IP cameras across Israel and Gulf countries, likely to support military intelligence gathering and battle damage assessment operations. According to Check Point's Cyber Security Report 2026, cyber operations are increasingly integrated with kinetic military activities, particularly during periods of heightened regional tensions.
The campaign demonstrates the convergence of cyber espionage with traditional military intelligence requirements, leveraging compromised surveillance infrastructure to provide real-time situational awareness. The targeting of IP cameras across strategic locations suggests preparation for or support of broader military operations.
Broadcom's Symantec Threat Hunter Team uncovered a campaign by the Iran-linked MuddyWater APT group (also tracked as SeedWorm, TEMP.Zagros, Mango Sandstorm, TA450, and Static Kitten) targeting multiple U.S. organizations with a previously unknown backdoor dubbed Dindoor.
The campaign affected organizations across critical sectors, including banking, aviation, and the nonprofit sector. MuddyWater's deployment of new tooling demonstrates the continued evolution of Iranian cyber capabilities and a persistent focus on U.S. targets across diverse economic sectors.
Cisco warned customers that threat actors are actively exploiting two recently patched Catalyst SD-WAN vulnerabilities: CVE-2026-20128 and CVE-2026-20122. The networking vendor urged immediate application of security updates to prevent compromise of SD-WAN infrastructure.
The rapid exploitation of these vulnerabilities following patch release highlights the critical nature of SD-WAN security in enterprise networks and the speed with which threat actors weaponize newly disclosed flaws.
Microsoft security researchers revealed a new ClickFix social engineering campaign exploiting Windows Terminal to deliver Lumma Stealer malware. The attack chain uses deceptive prompts to trick users into executing malicious commands through the Windows Terminal application.
This campaign represents an evolution in social engineering tactics, leveraging legitimate system tools to bypass security controls and establish persistence on target systems.