EvilBit Threat Digest - Blackouts, Backdoors, and Browser Brainworms

This week doesn't split neatly into categories. The kinetic escalation between the US, Israel, and Iran has spilled into cyberspace in ways that are already measurable, and the ripple effects touch everything from OT environments in manufacturing plants to the DNS resolution of calendar apps in Tehran. Layer on top a fresh APT chain targeting Iraqi officials, a reminder that your AI workflows are browsing the open web with no seatbelt, and a licensing server that's become an initial access appliance, and you've got a week that demands attention across the entire stack.

The Iran thread runs through most of this issue. That's not editorial bias; it's where the signal is.

The geopolitics-shaped denial of service

Iran's connectivity issues weren't just "the internet is having a moment." Following the 28 February coordinated strikes (Israel's Operation Roaring Lion and the US Operation Epic Fury targeting IRGC facilities, leadership compounds, and nuclear infrastructure), multiple outlets documented a near-total blackout and broad disruptions tied to retaliatory cyber activity. Reports span DDoS, destructive operations, targeted takedowns, and defacement campaigns, with Iran's BadeSaba calendar app among the collateral. (Hackers Hit Iranian Apps, Websites After US-Israeli Strikes, US-Israel and Iran Trade Cyberattacks, Iran's internet down for second day...)

Attribution is the usual thicket, but Unit 42's threat brief names specific actors now in play: Handala Hack (MOIS-affiliated, data exfiltration against Israeli targets), Dark Storm Team (DDoS and ransomware), FAD Team (wiper malware), and Cyber Islamic Resistance coordinating synchronized attacks across multiple collectives. Pro-Russian groups including NoName057(16) have also joined the pile-on, and at least one ransomware-as-a-service outfit (Tarnished Scorpius/INC Ransomware) has started listing Israeli targets. (Unit 42 Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran)

The operational takeaway is clean: regional crises now routinely include connectivity attacks as a first-class weapon, and the actor ecosystem responding to this one is broader and more layered than previous escalations.

If you run infrastructure with users, suppliers, or dependencies in the region, treat this like weather: plan for intermittent reachability, upstream DNS weirdness, and traffic spikes that look like attacks even when they're just panic-refreshing. Also consider geographic IP blocking from high-risk regions on internet-facing assets and prepare breach validation protocols, because some of these groups will claim compromises they haven't actually achieved.

Heads up for fed teams: CISA's own website disclosed a "lapse in federal funding" as of February 17, with cybersecurity assessments and engagements cancelled. The agency's capacity to respond is diminished at exactly the wrong moment. (CISA stretched thin as Iran hacking threat escalates) If you're a federal ISSO waiting for updated guidance, don't hold your breath; operationalize the existing advisories linked at the bottom of this issue.

APT tradecraft: "ClickFix" meets .NET backdoors (Dust Specter)

Zscaler's ThreatLabz dropped a thick report on Dust Specter, a suspected Iran-nexus threat actor targeting Iraqi government officials by impersonating the Ministry of Foreign Affairs. ThreatLabz assesses with medium-to-high confidence that this is an Iranian operation based on TTP and victimology overlap with known Iran-nexus APT groups. The headline isn't "new backdoor": it's that the operator playbook is getting cleaner. We see two chains (SPLITDROP with TWINTASK/TWINTALK, plus GHOSTFORM), solid operational infrastructure, randomized paths, and enough obfuscation to keep triage busy while the actor gets on with their day. ThreatLabz also found fingerprints suggesting the actor used generative AI for malware development, a trend we're likely to see more of as the conflict intensifies the operational tempo. (Dust Specter APT Targets Gov't Officials in Iraq | ThreatLabz)

The initial access relies heavily on social engineering, including ClickFix-style lures that push victims to copy/paste commands. It's a nasty little inversion: the "payload" is user-assisted execution, which means many classic detections (attachments, macros, exploit telemetry) never get a vote.

Once execution starts, the chain leans on familiar-but-effective plumbing:

• password-protected archives (RAR) to frustrate scanning and email gateways,
• DLL side-loading to get code running under a trusted process name,
• in-memory PowerShell for staging and flexibility,
• and a C2 design that tries hard to look like normal HTTPS... right up until you correlate the process tree and wonder why a "document workflow" app is beaconing at 3 AM.

The C2 details are the part that defenders can actually operationalize. ThreatLabz notes randomized URI paths with checksum values appended to verify requests originate from actual infected systems, non-standard patterns like in.txt / out.txt style polling, geofencing, and User-Agent verification on the server side, and JWT artifacts with odd fields. That's not a "block this one domain" story; it's a "baseline your environment and catch the stuff that doesn't match any known business" story.

This campaign is also a reminder that "living off the land" isn't just LOLBINs: it's workflows. If the user can be convinced they're "fixing" something by pasting commands, the attacker has replaced exploit dev with stage magic. Lock down who can launch scripting engines, and don't let the Run dialog be an unsupervised airlock.

OT warning light: Iranian APTs at the IT/OT seam

This is the story that connects the geopolitical section above to your patch Tuesday spreadsheet. Nozomi Networks is flagging a 133% surge in early-stage reconnaissance and credential abuse activity from Iranian threat groups, with Manufacturing and Transportation as the most targeted sectors. (Iranian APT Activity During Geopolitical Escalation, Nozomi finds 133% surge)

These aren't new actors. They're known groups with documented histories, and the current escalation is widening their aperture:

• MuddyWater (MOIS-affiliated): the most active Iranian APT right now. Their January 2026 Operation Olalampo targeted MENA organizations with four new malware variants, including a Rust backdoor dubbed CHAR and downloaders called GhostFetch and HTTP_VIP. In a separate RustyWater campaign, they've deployed sophisticated Rust-based implants against Israeli government, military, financial, and critical infrastructure targets. MuddyWater's calling card is spear-phishing followed by living-off-the-land techniques. In November 2025, Amazon Threat Intelligence published findings showing MuddyWater accessed compromised servers hosting live CCTV feeds from Jerusalem on 17 June 2025; six days later, Iran launched missile strikes against the city. This group connects intelligence collection to kinetic operations. The known RustyWater C2 domain is nomercys[.]it[.]com. (MuddyWater 2026 Campaign, RustyWater Campaign, Operation Olalampo, Amazon: Nation-state actors bridging cyber and kinetic warfare)
• APT33 (Elfin/Refined Kitten): operational since 2013, with a consistent focus on aerospace, energy, and defense. In 2025, they initiated campaigns targeting energy and oilfield service companies by harvesting credentials to map industrial control networks. Between 2023 and 2025, they shifted to identity-based attacks, deploying custom malware like Tickler and FalseFont while using cloud infrastructure for C2. Their February 2023 password-spraying campaign targeted thousands of organizations, breaching defenses across the satellite and pharmaceutical sectors. (APT33 Profile)
• CyberAv3ngers (IRGC-affiliated): the group that put OT targeting on the front page. In November 2023, they compromised at least 75 Unitronics PLCs across water, energy, and distribution sectors, including 34 in US wastewater facilities, exploiting default passwords on internet-accessible HMIs. Between November 2023 and January 2024, they conducted four separate waves of attacks against US-based Unitronics devices. CISA's joint advisory AA23-335A documents its TTPs in detail. The current geopolitical escalation makes a return to OT targeting highly likely.
• OilRig (APT34/Helix Kitten): government and financial sector espionage, with overlapping tooling and infrastructure with MuddyWater operations.
• UNC1549 (CURIUM/Tortoise Shell/Crimson Sandstorm): the fourth most active Iranian actor in H2 2025, focused on defense, aerospace, telecoms, and regional government.

The current tactics are brutally old-school: default-credential abuse, valid-account exploitation, brute-force and password spraying, and active network scanning. That's exactly why it's dangerous in OT: the easiest door is often the one you can't patch quickly. These are reconnaissance-phase behaviors. Nozomi's assessment is that these playbooks will expand into privilege escalation, lateral movement into OT environments, and potentially data wipers, which Iran has deployed before (see: Shamoon against Saudi Aramco in 2012 and 2016, ZeroCleare in 2019, and the FAD Team's wiper activity documented in the current conflict).

The regional vulnerability landscape exacerbates this. In the Middle East, 61% of detected vulnerabilities have HIGH or CRITICAL CVSS scores, well above the global average of 48%.

Hunting note: Nozomi's blog includes three IPs associated with current Iranian APT reconnaissance: 37.1.213.152, 184.75.210.206, 162.0.230.185. Check your netflow and firewall logs.

Meanwhile, the line between state operations and cybercriminal tactics continues to blur. A new ransomware strain called Sicarii (emerged December 2025) discards its own encryption keys after use, making decryption permanently impossible. Halcyon discusses it in the context of Iranian cyber tactics, but attribution is contested: Check Point Research notes that Sicarii uses Hebrew text and Haganah imagery and avoids Israeli targets, a pattern consistent with previous Iranian false-flag operations like Moses Staff and Abraham's Ax, though primary communications occur in Russian. Whether state-directed or opportunistic, the operational effect is the same: destruction disguised as extortion. Separately, destructive attacks on AWS data centers in the UAE and Bahrain have already been observed. (Iranian Use of Cybercriminal Tactics: 2026 Updates, Sicarii Ransomware: Truth vs Myth)

What to do now: CISA maintains a standing Iran Threat Overview page with current advisories, IOCs, and detection guidance. Their October 2024 advisory on Iranian brute force and credential access activity maps directly to the TTP patterns Nozomi is observing now. The UK NCSC has also issued updated guidance for organizations to take action following the Middle East conflict.

Here's the concrete checklist:

• Kill default credentials. Yes, all of them. Especially on HMIs, PLCs, and anything running a web management interface on a flat network.
• Prove your IT/OT segmentation actually holds under pressure. If an attacker with valid AD creds can reach your SCADA VLAN, your segmentation is a diagram, not a control.
• Watch for authentication patterns that don't belong: new geographies, new device classes, new access times, new protocols hitting management interfaces.
• Fine-tune OT monitoring baselines for protocol anomalies. MuddyWater's living-off-the-land approach means malicious traffic often looks legitimate at the packet level; behavioral baselines catch what signatures miss.
• Maintain offline, air-gapped backups of critical data. The Sicarii ransomware strain deliberately destroys keys; your only recovery path is the integrity of your backups.
• If you're running Unitronics, Siemens, or Rockwell gear in water, energy, or manufacturing, revisit CISA AA23-335A and verify your mitigations are still in place.
• Update business continuity and disaster recovery plans. Anticipate false claims of compromise from hacktivist groups; prepare breach validation protocols.

RondoDox (UPDATE): same brand, different monetization

We've talked about RondoDox before, historically as an "exploit-shotgun" botnet vibe. This week's angle is more straightforward: Linux servers being recruited for cryptomining, with botnet-style loader behavior and xmrig as the payday. NICTER's write-up reads like a defender's grocery list: IoCs, infrastructure, hashes, and the familiar pattern of an exposed service leading to shell commands, a dropper, and a miner. (RondoDox Mining Activity (NICTER Blog, Japanese))

The important shift: miners aren't "low priority" anymore when they arrive with loader/C2 behavior. Mining is frequently just the first monetization module. The same access can be resold, repurposed for proxying, or upgraded to ransomware delivery when the operator finds a host with better margins. In the current threat environment, "low-priority" compromised servers serve as staging infrastructure for state-aligned actors seeking proxy chains.

If you needed a sign to tighten egress controls on servers that "shouldn't talk to the internet," consider your sign delivered in the form of a hotter CPU and a colder budget.

AI agents meet the web: indirect prompt injection gets real

Unit 42 documented web-based indirect prompt injection (IDPI) activity "in the wild," including practical abuse cases such as ad-review bypass, SEO poisoning, data theft, and pushing AI-enabled workflows to do things the operator never intended. This isn't a theoretical jailbreak contest anymore; it's content-as-command. (Fooling AI Agents: Web-Based Indirect Prompt Injection Observed in the Wild)

Two takeaways worth printing and taping to the nearest product manager:

1. Your AI agent is part browser. Treat every untrusted page like an untrusted file.
2. Trust boundaries must be explicit. If untrusted web content can influence prompts, tools, or actions, you built a neat little remote-control interface and called it "automation."

Separately, Unit 42 also disclosed CVE-2026-0628, a high-severity flaw (CVSS 8.8) in Chrome's WebView tag that allowed malicious extensions to inject scripts into the privileged Gemini panel. It's a related but distinct attack surface: where IDPI poisons content that AI agents consume, this one lets a rogue extension hijack the AI assistant directly. Update Chrome to 143.0.7499.192+. (CVE-2026-0628 Detail - NVD, Stable Channel Update for Desktop)

Disinformation ops: Doppelganger/RRN's infrastructure playbook

DomainTools mapped out the Doppelganger / RRN disinformation ecosystem, and it's exactly what you'd expect from an operator who treats infrastructure like disposable cutlery: automated domain generation, rapid turnover, CDN/proxy layers, and brand-impersonation patterns built for scale. This is less "one campaign" and more a repeatable factory for fake outlets. Worth noting in the current environment: Russian-aligned information operations and Iranian cyber operations are showing increasing coordination, with pro-Russian groups like NoName057(16) actively joining attacks against Israeli infrastructure. (Doppelganger / RRN Disinformation Infrastructure Ecosystem 2026)

Defender note: This is one of the rare cases where Certificate Transparency (CT) monitoring can actually pay off, because domain templates and naming patterns are more consistent than hosting.

Patch and perimeter reality: HPE auth bypass + scanner updates that matter

A clean enterprise risk item: CVE-2026-23600 is a remote authentication bypass in HPE AutoPass License Server (APLS) prior to 9.19. CVSS v3.1 scores it 7.3 (High) per HPE; CVSS v4.0 rates it 10.0 (Critical). It's the sort of bug that turns "license management" into "initial access appliance," which is never the vibe. In an environment where Iranian APTs are actively scanning for any internet-facing management interface with weak auth, this one deserves same-week attention. Patch to 9.19+ and restrict access to the management interface. (HPE security advisory (AV26-185), HPESBGN05003: APLS Remote Authentication Bypass)

Also: Tenable shipped more Nessus plugin updates, expanding detection coverage across a grab bag of platforms (Linux distros, GitLab, ImageMagick, FreeRDP, Mozilla apps, and more). This isn't glamorous, but it's operationally important: your vulnerability program can't act on what it can't see. Update the scanner, then patch what it finds. (Nessus Plugin Updates, GitLab 18.9.1 patch release, ImageMagick advisory, FreeRDP advisory)

Policy and policing: hospitals (maybe) get help, and Interpol brings receipts

On the policy side, US lawmakers are again circling healthcare cybersecurity reforms and funding mechanisms. The shape is familiar: grants, updated expectations, resilience language. The practical impact depends on how the requirements get written and whether funding shows up like an actual check or a PDF full of dreams. The irony of healthcare cybersecurity legislation advancing while CISA's own operations are curtailed by a funding lapse is not lost on anyone paying attention. Keep an eye on it if you support hospitals or critical care networks. (Senate moves one step closer to passing health care cyber reforms, Top NATO allies believe cyberattacks on hospitals are an act of war)

Meanwhile, Interpol's Operation Sentinel (late 2025) led to 574 arrests across 19 African nations, the recovery of approximately 3 million, the disruption of ransomware/BEC ecosystems responsible for an estimated 21 million in losses, and the decryption of six distinct ransomware variants. It won't end cybercrime (nothing does), but it does force adversaries to rebuild trust, infrastructure, and pipelines, creating friction you can feel. (Interpol press release, Team Cymru supports Operation Sentinel)

Closing: The boring parts are the battlefield now

This edition didn't revolve around a single magical vulnerability. It was a collage of uncomfortable truths: credential abuse still works, prompt injection is just social engineering for machines, and geopolitics can reach right through your uptime charts. The Iran thread running through most of these stories isn't going to thin out any time soon. If you haven't reviewed your exposure to the TTPs documented in CISA's Iran advisory page this week, that's the one action item that connects all of the above.

Patch the "who cares" servers. Segment the "we'll do it later" networks. Kill the default creds you've been meaning to rotate since 2024. And don't give an AI agent the keys to anything you wouldn't hand to a stranger holding a convincing clipboard.

Patch list/reference links (ops-friendly)

1. Tenable: Nessus Plugin Updates
2. HPE APLS: AV26-185 / HPESBGN05003
3. Chrome: Stable Channel Update for Desktop / CVE-2026-0628 (NVD)
4. GitLab: 18.9.1 patch release
5. ImageMagick: GHSA-qpgx-jfcq-r59f
6. FreeRDP: GHSA-7g72-39pq-4725
7. CISA Iran Overview: Iran Threat Advisories
8. CISA Iranian Credential Access: AA24-290A
9. CISA CyberAv3ngers: AA23-335A
10. Unit 42 Iran Threat Brief: March 2026 Escalation
11. UK NCSC: Middle East Conflict Guidance
12. Halcyon: Iranian Cybercriminal Tactics 2026
13. Check Point: Sicarii Ransomware: Truth vs Myth
14. Amazon: Nation-state actors bridging cyber and kinetic warfare