
Ankura CTIX FLASH Update – April 14, 2026

Malware Activity

How Modern Cyber Attacks Are Targeting Both Executives and Developers


Threat Actor Activity

AI-Driven Attack Breaches Nine (9) Mexican Government Agencies

Researchers at Gambit Security recently released a technical report detailing a single hacker who used commercial AI tools to breach nine (9) Mexican government agencies between December 2025 and February 2026, stealing hundreds of millions of citizen records and building live data forgery capabilities. The attacker relied on Anthropic’s Claude Code for active exploitation and OpenAI’s GPT 4.1/ChatGPT for large-scale reconnaissance and analysis. Claude Code generated about 75% of all remote commands: 1,088 prompts produced 5,317 AI-executed commands across thirty-four (34) live sessions, enabling one operator to work at the speed of a full intrusion team. GPT 4.1, driven by a custom 17,550-line Python tool, processed data from 305 internal servers and produced 2,597 structured intelligence reports, mapping complex environments in hours. Targets included the federal tax authority SAT (195M taxpayer records, domain-wide credentials, live API for forged tax certificates), Mexico City’s civil registry (~220M records), Jalisco’s health and social services infrastructure (thirty-seven (37) databases, domestic violence and patient data), multiple state governments, the electoral institute, and utilities. Exposed data spans tax, civil, health, electoral, property, procurement, and sensitive victim information, creating long-term risks of fraud, coercion, and political misuse. The attacker bypassed AI safeguards with false “bug bounty” framing and a long hacking manual, then used AI to rapidly refine exploits for twenty (20) known CVEs. Despite the sophistication, entry points were conventional, consisting of unpatched systems, weak credential hygiene, poor segmentation, and aging infrastructure. The case shows AI as a force multiplier, compressing attack timelines and letting a single operator scale across many networks.
Defenses still hinge on fundamentals, and CTIX analysts recommend rapid patching, strong credential management, network segmentation, and behavioral detection to catch fast, AI-assisted intrusions.
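One concrete form the recommended behavioral detection can take is command-velocity analysis: a session in which a "person" issues dozens of commands per minute with sub-second gaps is behaving like tooling, not like an operator at a keyboard. The script below is an added example written for this brief; it is not code from Ankura, Gambit Security or the report, and the log format, window size and thresholds are assumptions chosen for illustration. The two sample sessions are constructed inline.

```python
"""Session command-velocity detector (added example, not from the brief).

Flags sessions whose command rate looks machine-driven. Assumed log line
format: "<ISO timestamp> <session_id> <user> <command>".
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

WINDOW = timedelta(seconds=60)   # assumed sliding window for the rate check
MAX_CMDS_PER_WINDOW = 20         # assumed: more than this in 60s is "machine speed"
MIN_HUMAN_GAP_SECONDS = 3.0      # assumed: typed sessions rarely have a lower median gap


def _make_lines(session, user, start, gap_seconds, cmds):
    """Build constructed log lines for one session at a fixed command interval."""
    lines, t = [], start
    for c in cmds:
        lines.append(f"{t.isoformat()} {session} {user} {c}")
        t += timedelta(seconds=gap_seconds)
    return lines


_START = datetime(2026, 1, 10, 9, 0, 0)
# Constructed sample: one human-paced session and one tool-driven session.
SAMPLE_LOG = "\n".join(
    _make_lines("human-1", "alice", _START, 25,
                ["whoami", "ls /var/log", "cat /etc/os-release", "ps aux", "df -h", "exit"])
    + _make_lines("script-7", "svc-admin", _START, 1.5,
                  [f"stat /tmp/file{i}" for i in range(25)])
)


def parse_log(text):
    """Parse log lines into dicts; the timestamp carries no spaces, so split(maxsplit=3) works."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, session, user, cmd = line.split(maxsplit=3)
        events.append({"ts": datetime.fromisoformat(ts), "session": session,
                       "user": user, "cmd": cmd})
    return events


def session_stats(events):
    """Per session: command count, peak commands in any WINDOW, median inter-command gap."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e["ts"])
    stats = {}
    for sid, times in by_session.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        stats[sid] = {"count": len(times), "peak_per_window": peak,
                      "median_gap": median(gaps) if gaps else None}
    return stats


def flag_sessions(events):
    """Return {session_id: [reasons]} for sessions that exceed either threshold."""
    flagged = {}
    for sid, s in session_stats(events).items():
        reasons = []
        if s["peak_per_window"] >= MAX_CMDS_PER_WINDOW:
            reasons.append(f"{s['peak_per_window']} commands in {int(WINDOW.total_seconds())}s")
        if s["median_gap"] is not None and s["median_gap"] < MIN_HUMAN_GAP_SECONDS:
            reasons.append(f"median gap {s['median_gap']:.1f}s")
        if reasons:
            flagged[sid] = reasons
    return flagged


if __name__ == "__main__":
    for sid, reasons in flag_sessions(parse_log(SAMPLE_LOG)).items():
        print(f"{sid}: {'; '.join(reasons)}")
```

The two signals are deliberately independent: the window peak catches short bursts, while the median gap catches sustained automation that never quite exceeds the burst threshold. Tune both against a baseline of your own administrators' sessions before alerting on them.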


Vulnerabilities

Iranian-Linked Cyber Campaign Targets U.S. Industrial Control Systems via Exposed PLCs

Iranian state-backed threat actors have escalated cyberattacks against U.S. critical infrastructure, specifically targeting internet-exposed programmable logic controllers (PLCs) manufactured by Rockwell Automation (Allen-Bradley devices) since March 2026, according to a joint U.S. federal advisory. These attacks have led to operational disruptions and financial losses, with observed activity including the extraction of PLC project files and manipulation of HMI and SCADA systems. Research from Censys identified over 5,200 exposed PLC devices globally, with approximately 74.6% (3,891) located in the United States. Many of them are deployed in the field via cellular networks, increasing their exposure risk. The campaign reflects broader geopolitical tensions involving Iran, the United States, and Israel, and follows prior Iranian-linked operations such as CyberAv3ngers targeting Unitronics PLCs in U.S. water infrastructure (impacting at least 75 devices between late 2023 and early 2024), as well as destructive activity by the Handala group, which reportedly wiped 80,000 devices at medical firm Stryker. Authorities recommend immediate mitigation measures including removing PLCs from direct internet exposure, implementing firewalls and MFA for OT environments, monitoring logs and OT network traffic, and ensuring systems are fully patched and unnecessary services disabled to reduce attack surface. CTIX analysts urge all critical infrastructure security personnel to ensure that they are following the guidance and hardening their security posture.
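The quickest way to verify that the first two recommendations (no direct internet exposure, firewalling of OT) actually hold is to audit flow logs for connections to controller protocol ports. The script below is an added example written for this brief, not code from Ankura, Censys or the advisory. It assumes a simple key=value flow-log format, an engineering/HMI subnet of 10.20.0.0/24 that is allowed to reach controllers, and treats only RFC 1918 space as internal; the sample flows are constructed, using the RFC 5737 documentation ranges as stand-ins for public addresses. The protocol ports are the well-known EtherNet/IP (44818/tcp, 2222/udp) and Modbus/TCP (502) assignments.

```python
"""OT flow-log audit for controller exposure (added example, not from the brief).

Each flow reaching a controller protocol port is classified as:
  allowed             source is in an approved engineering/HMI subnet
  internal-unexpected source is RFC 1918 but not approved (segmentation gap)
  external            source is outside RFC 1918 space (internet exposure)
"""
import ipaddress

OT_PORTS = {
    44818: "EtherNet/IP (CIP explicit messaging)",
    2222: "EtherNet/IP (CIP implicit I/O)",
    502: "Modbus/TCP",
}
# Only RFC 1918 counts as internal. ipaddress.is_private would also treat the
# RFC 5737 documentation ranges as non-global, so an explicit list is used.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_CLIENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed engineering/HMI subnet

# Constructed sample flows; 203.0.113.0/24 and 198.51.100.0/24 stand in for public sources.
SAMPLE_FLOWS = """\
ts=2026-04-01T08:00:01 src=10.20.0.15 dst=10.30.1.7 dport=44818 proto=tcp
ts=2026-04-01T08:00:05 src=10.50.3.9 dst=10.30.1.7 dport=44818 proto=tcp
ts=2026-04-01T08:01:10 src=203.0.113.42 dst=10.30.1.7 dport=44818 proto=tcp
ts=2026-04-01T08:01:12 src=198.51.100.8 dst=10.30.1.9 dport=502 proto=tcp
ts=2026-04-01T08:02:00 src=10.20.0.15 dst=10.30.1.9 dport=443 proto=tcp
"""


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def parse_flows(text):
    """Parse 'key=value key=value ...' lines into flow dicts with typed addresses."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        flows.append({
            "ts": fields["ts"],
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "dport": int(fields["dport"]),
            "proto": fields["proto"],
        })
    return flows


def audit_flows(text):
    """Return only flows to OT protocol ports, each annotated with a verdict."""
    findings = []
    for f in parse_flows(text):
        if f["dport"] not in OT_PORTS:
            continue                      # not a controller protocol; out of scope here
        if _in_any(f["src"], ALLOWED_CLIENT_NETS):
            verdict = "allowed"
        elif _in_any(f["src"], RFC1918):
            verdict = "internal-unexpected"
        else:
            verdict = "external"
        findings.append({**f, "service": OT_PORTS[f["dport"]], "verdict": verdict})
    return findings


def exposed_controllers(text):
    """Controllers that accepted at least one flow from outside RFC 1918 space."""
    return sorted({str(f["dst"]) for f in audit_flows(text) if f["verdict"] == "external"})


if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']} {f['service']}: {f['verdict']}")
    print("exposed controllers:", exposed_controllers(SAMPLE_FLOWS))
```

The "internal-unexpected" verdict is worth keeping separate from "external": it does not mean internet exposure, but it is the segmentation failure that lets an intruder who lands on an IT host reach the controllers, which is the second thing the advisory's firewall recommendation is meant to prevent. For cellular-connected field devices, the flows may only be visible on the carrier gateway or the device's own connection log, so run the audit against whichever of those sources you actually have.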


© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
