Front Page

State-Sponsored Intrusion

Seedworm Strikes the Homeland: Iranian APT Infiltrates US Bank, Airport, and Defense Supply Chain

Symantec's threat intelligence team confirmed this week that Seedworm — an Iranian state-sponsored APT also tracked as MuddyWater — has successfully infiltrated networks belonging to a US financial institution, a major airport operator, and multiple defense supply chain firms. The campaign leverages spearphishing and living-off-the-land techniques to avoid detection, making behavioral forensics the only reliable detection path.

For forensic examiners, Seedworm intrusions present a compounded challenge: the group deliberately times operations to overlap with hacktivist noise campaigns, using the influx of false-positive alerts to mask lateral movement. Investigators responding to Seedworm incidents must segregate threat streams carefully — hacktivist DDoS activity hitting the same target is frequently a deliberate smoke screen.

Espionage Under Cover

WezRat Resurges: APT42 Harvests Credentials While the World Watches the Hacktivists

While 60+ hacktivist groups dominate headlines with defacement campaigns and DDoS attacks, APT42 — Iran's elite intelligence cyber unit — has quietly resumed WezRat infostealer operations targeting media organizations, academic institutions, and defense contractors. WezRat establishes persistence through legitimate cloud services, harvesting credentials and session tokens with minimal system footprint.

The pattern is deliberate: APT42 uses the operational cover of loud hacktivist activity to conduct methodical, long-term espionage. Examiners should treat any concurrent hacktivist activity on a target network as a potential distraction operation and prioritize hunting for subtle persistence mechanisms in cloud-connected environments alongside the more obvious indicators.

Threat Bulletin

CRITICAL
CVE-2026-0145

Palo Alto PAN-OS GlobalProtect Authentication Bypass. Allows unauthenticated remote access to VPN infrastructure — a preferred initial-access vector for Iranian APT groups including Seedworm and APT42. Emergency patching ordered across federal agencies. Forensic Note: Audit GlobalProtect session logs for anomalous authentication patterns predating the alert.

ACTIVE EXPLOIT
CVE-2026-1834

Fortinet FortiGate SSL-VPN Remote Code Execution. Actively weaponized by Iran-aligned actors as a secondary access mechanism when PAN-OS targets are patched. Forensic Note: Look for unauthorized SSL-VPN session initiations and anomalous HTTPD child processes in FortiGate logs.
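The two Forensic Notes above (GlobalProtect session logs, FortiGate session initiations and HTTPD child processes) describe the same hunt: compare VPN session activity in the window before the advisory against a baseline, and flag sessions or processes that do not fit. The following added example, which is not code from Symantec, Palo Alto Networks or Fortinet and does not use either vendor's real log format, shows one way to run that triage offline. The log lines, process table, advisory timestamp and the two heuristics (a session that starts without a preceding successful authentication from the same user and source, and a user/source pair never seen in the baseline) are all constructed assumptions for illustration; map them onto your appliance's actual export fields before use.

```python
"""Triage helpers for hunting VPN-appliance compromise in exported logs.

Constructed example: the log format, process listing, timestamps and
heuristics below are made up for illustration and are not PAN-OS or
FortiOS formats. Adapt parse_vpn_log() to the real export.
"""
from datetime import datetime, timedelta

# --- constructed sample VPN log (simplified, hypothetical format) ----------
SAMPLE_VPN_LOG = """\
2026-01-05T09:00:00Z auth-success user=alice src=203.0.113.10
2026-01-05T09:00:01Z session-start user=alice src=203.0.113.10
2026-01-06T09:05:00Z auth-success user=bob src=203.0.113.22
2026-01-06T09:05:01Z session-start user=bob src=203.0.113.22
2026-01-20T02:13:40Z session-start user=alice src=198.51.100.77
2026-01-21T23:50:02Z auth-success user=bob src=203.0.113.22
2026-01-21T23:50:03Z session-start user=bob src=203.0.113.22
2026-01-22T03:10:00Z auth-failure user=carol src=198.51.100.5
2026-01-22T03:10:20Z session-start user=carol src=198.51.100.5
"""

ALERT_TIME = datetime(2026, 1, 25)  # constructed advisory timestamp
LOOKBACK = timedelta(days=10)       # hunt window ending at the alert
AUTH_GRACE = timedelta(seconds=30)  # a session must follow an auth-success within this


def parse_vpn_log(text):
    """Parse the constructed '<ts> <kind> key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        ts, kind, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "kind": kind, "user": fields["user"], "src": fields["src"]})
    return events


def find_suspicious_sessions(events, alert_time, lookback, grace):
    """Flag session-start events in [alert_time - lookback, alert_time] that
    either lack a preceding auth-success from the same user/source within
    `grace`, or come from a user/source pair absent from the pre-window baseline."""
    start = alert_time - lookback
    # Baseline: user/source pairs that authenticated normally before the hunt window.
    baseline = {(e["user"], e["src"]) for e in events
                if e["kind"] == "auth-success" and e["ts"] < start}
    successes = [e for e in events if e["kind"] == "auth-success"]
    findings = []
    for e in events:
        if e["kind"] != "session-start" or not (start <= e["ts"] <= alert_time):
            continue
        reasons = []
        matched = any(
            s["user"] == e["user"] and s["src"] == e["src"]
            and 0 <= (e["ts"] - s["ts"]).total_seconds() <= grace.total_seconds()
            for s in successes)
        if not matched:
            reasons.append("session without preceding auth-success")
        if (e["user"], e["src"]) not in baseline:
            reasons.append("new user/source pair vs baseline")
        if reasons:
            findings.append((e["ts"], e["user"], e["src"], reasons))
    return findings


# --- constructed sample process listing: (pid, ppid, name) ----------------
SAMPLE_PROCS = [
    (1, 0, "init"), (200, 1, "httpd"), (201, 200, "httpd"), (202, 200, "httpd"),
    (300, 200, "sh"), (301, 300, "wget"), (400, 1, "sshd"),
]
EXPECTED_HTTPD_CHILDREN = {"httpd"}  # assumption: the web daemon only forks workers


def anomalous_httpd_descendants(procs, expected):
    """Return (pid, name) for every process that descends from an httpd
    process and whose name is not in the expected set (e.g. a shell)."""
    by_pid = {pid: (ppid, name) for pid, ppid, name in procs}

    def descends_from_httpd(pid):
        ppid = by_pid[pid][0]
        while ppid in by_pid:
            if by_pid[ppid][1] == "httpd":
                return True
            ppid = by_pid[ppid][0]
        return False

    return sorted((pid, name) for pid, (ppid, name) in by_pid.items()
                  if name not in expected and descends_from_httpd(pid))


if __name__ == "__main__":
    for ts, user, src, reasons in find_suspicious_sessions(
            parse_vpn_log(SAMPLE_VPN_LOG), ALERT_TIME, LOOKBACK, AUTH_GRACE):
        print(f"{ts.isoformat()} {user}@{src}: {'; '.join(reasons)}")
    print("httpd descendants to review:",
          anomalous_httpd_descendants(SAMPLE_PROCS, EXPECTED_HTTPD_CHILDREN))
```

On the sample data the first check flags two sessions: alice's session from a never-seen source with no authentication event at all, and carol's session that follows only a failed attempt. Bob's session is matched by a success one second earlier from a baselined pair and is not reported. The session-without-auth heuristic assumes the appliance emits authentication and session events as separate records; whether that holds, and which event IDs correspond, depends on the product and must be confirmed against its documentation.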

Malware Spotlight

BaqiyatLock Wiper

Iran-aligned destructive malware deployed simultaneously as a ransomware facade and true wiper — no decryption key is ever issued. Forensic recovery is largely impossible post-execution. Targets the Master Boot Record and overwrites file headers. Forensic Note: Prioritize volatile memory and network flow capture the moment BaqiyatLock is suspected — disk artifacts will not survive.