The Good, the Bad and the Ugly in Cybersecurity – Week 9

The Good | Authorities Arrest Hacktivist & Convict L3Harris Insider for Selling Secrets to Russia

Spanish authorities have arrested four suspected members of “Anonymous Fénix”, a hacktivist group accused of launching distributed denial-of-service (DDoS) attacks against government ministries, political parties, and public institutions in Spain and parts of South America.

According to the Spanish Civil Guard, the group intensified its operations after the deadly Valencia floods in October 2024, blaming officials for the disaster. The suspects allegedly used X and Telegram to spread anti-government propaganda and recruit volunteers. Courts have since shut down the group’s social media accounts and messaging channels as part of a broader crackdown on cybercrime networks.

In the U.S., a former executive at defense contractor L3Harris Technologies has been sentenced to over seven years in prison for stealing classified zero-day exploits and selling them to a Russian cyber-weapons broker. Peter Williams, who led the firm’s Trenchant cybersecurity unit, admitted taking at least eight sensitive exploit components between 2022 and 2025, using an external drive and encrypted transfers. He sold the tools, developed exclusively for U.S. and allied intelligence agencies, for millions of dollars in cryptocurrency.

U.S. prosecutors said the theft caused tens of millions in losses and posed a severe national security risk. The broker, Operation Zero, allegedly resells exploits to Russian government and private clients. The Department of the Treasury simultaneously imposed sanctions on the company, its owner Sergey Sergeyevich Zelenyuk, and affiliated entities under a law targeting intellectual property theft by foreign adversaries.

Williams pleaded guilty in October 2025 and was ordered to forfeit cash, cryptocurrency, property, and luxury assets. Insider threats endangering national defense capabilities continue to rise, and officials warn that trafficking in offensive cyber tools has become a lucrative global black market.

The Bad | ‘MuddyWater’ Actors Launch Operation Across the MENA Region with New Malware

MuddyWater (aka TEMP.Zagros, TA450, G0069), an Iranian state-linked threat actor, has initiated a new cyber campaign dubbed “Operation Olalampo”, which targets organizations and individuals across the Middle East and North Africa (MENA) amid ongoing regional tensions. First observed in January, the operation introduces novel malware variants while maintaining tactics consistent with the group’s past intrusions, according to new research.

The campaign relies heavily on phishing emails carrying malicious Microsoft Office attachments that trigger macro-based infections. Victims are tricked into enabling macros, which deploy novel downloaders GhostFetch and HTTP_VIP. These tools profile compromised systems, evade legacy defenses, and deliver secondary payloads including the novel GhostBackDoor malware, an implant capable of remote command execution, file manipulation, and persistent access. In some cases, attackers deploy legitimate remote administration software to blend malicious activity with normal operations.

Malicious Microsoft Excel file before macros are enabled (Source: Group-IB)

A notable addition is CHAR, another novel Rust-based backdoor controlled through a Telegram bot for command-and-control (C2), enabling attackers to execute commands, exfiltrate data, and launch additional malware. Analysis indicates possible AI-assisted development, reflecting threat actors’ increasing experimentation with generative tools to accelerate malware creation. Researchers also noted infrastructure reuse from late 2025, suggesting sustained operations rather than isolated attacks.

Operation Olalampo points to MuddyWater’s focus on post-exploitation control, including reconnaissance, credential harvesting, and lateral movement. The group has also exploited vulnerabilities in public-facing servers to gain initial access. Security analysts warn that the campaign is a sign of broader plans to target network edge systems and critical sectors to establish long-term footholds, reinforcing concerns about nation-state-backed cyber operations expanding in scope and sophistication across the MENA region.

Defenders are urged to prioritize phishing resistance and monitor for unusual outbound communications to messaging platforms often used as C2 channels.
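The recommendation above (watch for unusual outbound traffic to messaging platforms used as C2, such as the Telegram bot channel CHAR relies on) can be turned into a simple proxy-log check. The following is an added example written for this post, not code from the article or from the researchers it cites; the log format, host names and domain list are constructed assumptions, and the Telegram bot token in the sample is a fake placeholder.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log (not real data); one record per line:
# <timestamp> <source host> <method> <url> <status>
SAMPLE_PROXY_LOG = """\
2026-02-27T09:14:02Z ws-fin-07 GET https://www.office.com/ 200
2026-02-27T09:14:10Z ws-fin-07 POST https://api.telegram.org/bot1234567890:AAFakeTokenForTesting0000/getUpdates 200
2026-02-27T09:15:31Z ws-fin-07 POST https://api.telegram.org/bot1234567890:AAFakeTokenForTesting0000/sendDocument 200
2026-02-27T09:16:00Z ws-hr-02 GET https://web.telegram.org/ 200
2026-02-27T09:16:44Z srv-db-01 GET https://updates.example-vendor.invalid/patch 200
"""

# Messaging-platform domains that implants are known to use as C2 channels.
# The Bot API host is what an automated implant talks to; the web client host
# is far more likely to be a person chatting, so it is only a low-severity hint.
MESSAGING_C2_DOMAINS = {
    "api.telegram.org": "telegram-bot-api",
    "web.telegram.org": "telegram-web",
    "discord.com": "discord",
    "discordapp.com": "discord",
}

# Telegram Bot API paths embed the bot token: /bot<numeric id>:<secret>/<method>
BOT_TOKEN_PATH = re.compile(r"/bot\d{6,}:[A-Za-z0-9_-]{20,}/")
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_proxy_line(line):
    """Parse one constructed-format proxy record; return None for lines that do not match."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["domain"] = (parts.hostname or "").lower()
    rec["path"] = parts.path
    return rec


def find_messaging_c2(log_text):
    """Group hits on messaging-platform domains per source host.

    Returns {host: {"platforms": set, "bot_api_calls": int, "severity": str, "first_seen": ts}}.
    A host is rated 'high' only when it calls the Bot API with a token in the path,
    which is the shape of automated bot-based C2 rather than human chat traffic.
    """
    findings = {}
    for raw in log_text.splitlines():
        rec = parse_proxy_line(raw.strip())
        if rec is None or rec["domain"] not in MESSAGING_C2_DOMAINS:
            continue
        platform = MESSAGING_C2_DOMAINS[rec["domain"]]
        entry = findings.setdefault(
            rec["host"],
            {"platforms": set(), "bot_api_calls": 0, "severity": "low", "first_seen": rec["ts"]},
        )
        entry["platforms"].add(platform)
        if platform == "telegram-bot-api" and BOT_TOKEN_PATH.search(rec["path"]):
            entry["bot_api_calls"] += 1
            entry["severity"] = "high"
    return findings


if __name__ == "__main__":
    for host, info in sorted(find_messaging_c2(SAMPLE_PROXY_LOG).items()):
        # Print the summary only; the token itself is never echoed to the console.
        print(f"{host}: severity={info['severity']} platforms={sorted(info['platforms'])} "
              f"bot_api_calls={info['bot_api_calls']} first_seen={info['first_seen']}")
```

In a real deployment the domain list would come from threat intelligence and the parser would read the proxy's actual export format; the scoring idea (Bot API with embedded token from a workstation that has no business reason to run bots is the high-confidence signal) carries over unchanged.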

The Ugly | Attackers Exploit Critical Cisco SD-WAN Flaw to Target National Infrastructure

Cisco has disclosed active zero-day exploitation of a critical authentication bypass in its Catalyst SD-WAN platform, a maximum-severity flaw that lets remote attackers compromise controllers and insert malicious peers into targeted networks. The flaw, tracked as CVE-2026-20127, affects both on-premises and cloud deployments of SD-WAN Controller, Manager, and Cloud products.

The vulnerability stems from a broken peering authentication mechanism that can be abused with crafted requests. Successful exploitation grants attackers high-privilege internal access, enabling manipulation of network configurations via NETCONF. By adding malicious peers that appear legitimate, adversaries can route traffic, advertise attacker-controlled networks, and pivot deeper into affected environments.

Cisco Talos attributes the campaign, tracked as UAT-8616, to a sophisticated threat actor active since at least 2023. Investigators believe attackers escalated privileges by downgrading to an older version of the software, exploiting an older root-level flaw (CVE-2022-20775), then restoring the original version to evade detection while retaining control. Talos also links the activity to a broader pattern of targeting network edge devices to gain footholds in high-value organizations, including critical national infrastructure (CNI) operators, suggesting possible nation-state backing.

Government agencies warn the threat is global and ongoing. So far, CISA has issued an emergency directive ordering federal agencies to inventory devices, collect forensic evidence, and patch immediately, while the UK’s National Cyber Security Centre urges organizations to report signs of compromise and follow hardening guidance to minimize risk.

Indicators of compromise include suspicious authentication logs, unauthorized SSH keys, rogue accounts, log tampering, and unexplained software downgrades. Authorities also stress that SD-WAN management interfaces should never be internet-exposed and recommend isolating control systems, forwarding logs externally, and applying updates.
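The indicators listed above (unexplained software downgrades, including the downgrade-then-restore pattern Talos describes, unauthorized SSH keys, rogue accounts, log tampering, and internet-exposed management interfaces) can be triaged against a known-good baseline once the inventory CISA's directive calls for has been collected. The following is an added example written for this post, not Cisco, Talos or CISA tooling; the inventory record layout, version strings, key fingerprints and account names are all constructed placeholders, and "log tampering" is approximated here as an unexplained gap in the authentication log.

```python
from datetime import datetime, timezone

# Constructed baseline for a fleet of SD-WAN controllers (placeholder values).
BASELINE = {
    "ssh_key_fingerprints": {"SHA256:PLACEHOLDER-netops-key-1", "SHA256:PLACEHOLDER-backup-key-2"},
    "local_accounts": {"admin", "netops", "svc-backup"},
    "max_auth_log_gap_minutes": 60,  # auth log normally never goes this long without an entry
}

# Constructed inventory records, one per controller, as a collector might export them.
INVENTORY = [
    {
        "device": "sdwan-ctrl-01",
        "version_history": [  # (install time, version) in install order; versions are placeholders
            ("2026-01-05T10:00:00Z", "20.12.4"),
            ("2026-02-10T02:13:00Z", "20.9.3"),
            ("2026-02-10T02:41:00Z", "20.12.4"),
        ],
        "ssh_authorized_keys": ["SHA256:PLACEHOLDER-netops-key-1", "SHA256:PLACEHOLDER-unknown-key-9"],
        "local_accounts": ["admin", "netops", "svc-backup", "support2"],
        "auth_log_gap_minutes": 180,
        "mgmt_interface_internet_exposed": True,
    },
    {
        "device": "sdwan-ctrl-02",
        "version_history": [("2026-01-05T10:00:00Z", "20.12.4"), ("2026-02-20T10:00:00Z", "20.12.5")],
        "ssh_authorized_keys": ["SHA256:PLACEHOLDER-netops-key-1"],
        "local_accounts": ["admin", "netops", "svc-backup"],
        "auth_log_gap_minutes": 12,
        "mgmt_interface_internet_exposed": False,
    },
]


def parse_version(v):
    """'20.12.4' -> (20, 12, 4) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def version_anomalies(history):
    """Flag downgrades, and separately the downgrade-then-restore sequence
    (old version installed, then the original version put back)."""
    findings = []
    versions = [parse_version(v) for _, v in history]
    for i in range(1, len(versions)):
        if versions[i] < versions[i - 1]:
            findings.append(("software-downgrade",
                             f"{history[i - 1][1]} -> {history[i][1]} at {history[i][0]}"))
            if i + 1 < len(versions) and versions[i + 1] == versions[i - 1]:
                findings.append(("downgrade-then-restore",
                                 f"{history[i - 1][1]} restored at {history[i + 1][0]}"))
    return findings


def triage_device(record, baseline):
    """Return a list of (indicator, detail) tuples; an empty list means nothing to escalate."""
    findings = version_anomalies(record["version_history"])
    for fp in record["ssh_authorized_keys"]:
        if fp not in baseline["ssh_key_fingerprints"]:
            findings.append(("unauthorized-ssh-key", fp))
    for acct in record["local_accounts"]:
        if acct not in baseline["local_accounts"]:
            findings.append(("rogue-account", acct))
    gap = record.get("auth_log_gap_minutes", 0)
    if gap > baseline["max_auth_log_gap_minutes"]:
        findings.append(("possible-log-tampering", f"{gap} min gap in authentication log"))
    if record.get("mgmt_interface_internet_exposed"):
        findings.append(("internet-exposed-management", "management interface reachable from the internet"))
    return findings


def triage_fleet(inventory, baseline):
    """Map device name -> findings, for every device in the collected inventory."""
    return {rec["device"]: triage_device(rec, baseline) for rec in inventory}


if __name__ == "__main__":
    for device, findings in triage_fleet(INVENTORY, BASELINE).items():
        status = "ESCALATE" if findings else "clean"
        print(f"{device}: {status}")
        for indicator, detail in findings:
            print(f"  - {indicator}: {detail}")
```

Any device with a downgrade-then-restore sequence should be treated as compromised rather than merely suspicious, since the restore is exactly what hides the intrusion from a version check alone; forensic evidence should be preserved before the device is rebuilt, as the emergency directive requires.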