Category: Cyber Security

  • Infrastructure Under Siege: China-Linked UAT-8837 Targets North American Utilities

    Since the dawn of 2025, the threat intelligence practitioners at Cisco Talos have documented the persistent operations of a collective designated as UAT-8837. This entity is attributed to Chinese interests based on significant overlaps in methodology and infrastructure with established regional adversaries. Their offensive focus has primarily targeted critical infrastructure sectors within North America, where their primary objective is to secure initial access to high-value assets. Once a breach is consolidated, the group establishes multifaceted command channels to maintain enduring dominion over the compromised environment.

    To achieve their initial foothold, UAT-8837 leverages a combination of software vulnerabilities and exfiltrated credentials. A recent incursion exploited a zero-day flaw, CVE-2025-53690, within SiteCore products. Following a successful compromise, the perpetrators initiate comprehensive telemetry gathering on system configurations and user identities, neutralize defensive mechanisms, and execute commands via the system console. For the sequestration of their toolkit, they utilize ephemeral and public directories within the operating system.

    UAT-8837 employs an expansive and evolving arsenal, frequently iterating upon software versions to evade heuristic detection. Their repertoire includes GoTokenTheft for the exfiltration of authentication tokens, Earthworm for the construction of tunnels between internal networks and external command servers, DWAgent for remote administration, and SharpHound for the systematic harvesting of Active Directory data. Furthermore, the deployment of Impacket, GoExec, and Rubeus allows for lateral movement, command execution under assumed identities, and sophisticated interactions with the Kerberos protocol.

    On compromised hosts, evidence of systematic reconnaissance using native administrative utilities—such as dsquery, dsget, secedit, and setspn—has been identified. By repurposing these legitimate system tools, the collective effectively masks its presence. In a particularly concerning development, the group was observed exfiltrating dynamic-link libraries (DLLs) associated with the victim’s proprietary products. This suggests a strategic intent to either orchestrate a supply chain compromise by injecting malicious code into future updates or to perform offline vulnerability research on these components.

    Beyond the utilization of specialized utilities, UAT-8837 ensures persistence by generating unauthorized user accounts and escalating their privileges via administrative group memberships. They meticulously test various iterations of their tools to ascertain which versions remain opaque to security solutions. To counter these activities, Cisco recommends the deployment of the ClamAV signature Win.Malware.Earthworm, alongside Snort rules 61883, 61884, 63727, 63728, and 300585. While the group remains agile in its adaptation, the rigorous application of these defensive protocols significantly fortifies the security posture against such incursions.

  • Defense Through Offense: US Lawmakers Debate 2026 Shift to Cyber Warfare

    United States authorities are engaged in a vigorous deliberation regarding the necessity of intensifying offensive cyber operations amidst persistent incursions against the nation’s critical infrastructure. During a hearing before the House Committee on Homeland Security, participants emphasized that the current threat landscape necessitates a fundamental paradigm shift, including the proactive deployment of offensive measures against foreign adversarial syndicates.

    The primary impetus for this discourse is the escalation of activities attributed to Chinese-linked cyber actors. Analysts estimate that in recent months, these operatives have infiltrated pivotal non-military infrastructure, potentially signaling a strategic positioning for future conflicts, such as a localized crisis in the Taiwan Strait. Furthermore, these entities have reportedly compromised interception systems utilized by American law enforcement for court-authorized surveillance.

    Key testimony was provided by the head of an institute at Auburn University, who asserted that cyberspace has evolved into a definitive theater of military confrontation and must be integrated into national strategy at every echelon. Without such integration, he argued, the U.S. remains incapable of effectively neutralizing these existential threats. The CEO of a private firm specializing in offensive network operations added that the prevailing strategy fails to deter adversaries. He observed that Chinese offensives are incessant and increasingly automated, designed to precipitate systemic crises rather than mere data exfiltration. In his view, American restraint only emboldens further escalation.

    He proposed the industrial-scale development of offensive capabilities, transmuting professional cyber-tactics into automated tools under human oversight. Such a transformation would empower the U.S. to respond to external provocations with greater velocity and efficacy. The discussion also revisited the long-debated proposal to establish a distinct Cyber Branch within the Armed Forces. A think-tank representative and former CIA official underscored that the nation has yet to architect a credible deterrent in the digital realm, thereby ceding the initiative to rival states.

    Notwithstanding the prevailing sentiment favoring aggression, some participants urged caution. Drew Bagley, representing the cybersecurity luminary CrowdStrike, cautioned that retaliatory “hack-back” operations could inflict collateral damage on businesses, jeopardize ongoing investigations, and trigger unpredictable international repercussions. Bagley maintained that any offensive measures must remain the exclusive prerogative of authorized governmental agencies, governed by rigorous protocols and stringent oversight.

  • The Tenfold Surge: China’s 2025 Cyber Blitz on Taiwan’s Power Grid

    In its most recent assessment, Taiwan’s National Security Bureau has characterized 2025 as an epoch in which Chinese cyber incursions transcended mere background noise to become an instrument of systemic coercion against critical industries. The most precipitous surge was observed within the energy sector, where the bureau contends that the frequency of incidents has escalated tenfold compared to 2024.

    According to official metrics, aggregate Chinese-affiliated activity increased by 6%, with offensives penetrating nine pivotal infrastructure sectors. Beyond energy, a substantial proliferation of attacks targeted emergency services and healthcare facilities, which witnessed a 54% spike. Telecommunications and data transmission networks similarly experienced an uptick in hostilities, albeit at a more tempered pace.

    The report highlights a significant correlation between peaks in cyber activity and military maneuvers or sensitive political milestones, such as major policy pronouncements and high-level diplomatic trips abroad. Authorities in Taipei interpret this synchronization as a hallmark of hybrid warfare, wherein cyber operations serve as a digital auxiliary to conventional displays of force.

    The primary methodologies identified include the exploitation of hardware and software vulnerabilities, alongside Distributed Denial of Service (DDoS) attacks, sophisticated social engineering, and supply chain compromises. Within the energy domain, adversaries reportedly demonstrated a profound interest in Industrial Control Systems (ICS). They specifically targeted intervals of scheduled maintenance to surreptitiously inject malicious code under the guise of legitimate updates, thereby gaining a vantage point to surveil critical management, procurement, and redundancy protocols.

    Taiwan attributes these sophisticated operations to an array of Chinese threat actors, including BlackTech, Flax Typhoon, Mustang Panda, APT41, and UNC3886. Furthermore, the report emphasizes a deepening collaborative framework for intelligence sharing with over thirty nations that recognize China as a preeminent source of global cyber threats.

  • The Digital Insider: Why Autonomous AI Agents Are 2026’s Biggest Security Risk

    Artificial intelligence, now an indispensable assistant in business, is increasingly being viewed as a potential source of internal threats. According to Wendi Whitmore, head of security research at Palo Alto Networks, autonomous AI agents may become the most serious internal risk facing organizations in 2026.

    The rapid proliferation of such agents within corporate environments has raised significant concern among security professionals. Gartner analysts predict that by the end of 2026, specialized AI systems will handle tasks in 40 percent of enterprise applications—a dramatic increase from less than 5 percent in 2025. While this growth helps alleviate talent shortages in cybersecurity, it simultaneously introduces entirely new risk vectors.

    AI agents accelerate log analysis, threat detection, and vulnerability remediation, allowing human analysts to focus on higher-level strategic work. Yet automation that extends beyond effective oversight carries a hidden cost: systems designed to protect organizations may themselves become points of failure. This risk is especially acute when AI agents are granted broad access rights, creating a “superuser” effect in which an agent can control critical resources without the knowledge or involvement of security teams.

    Whitmore stresses the importance of strictly limiting AI privileges, applying the same least-privilege principles used for human employees. The issue is further compounded by the fact that some companies are already experimenting with scenarios in which AI systems approve financial transactions or sign documents on behalf of executives.

    While such technologies can enhance operational efficiency, they also open the door to abuse. A single successful compromise—whether through malicious prompt injection or exploitation of software flaws—could cause an AI agent to act in an attacker’s interests: authorizing payments, deleting backups, or harvesting sensitive data.

    The threat is no longer theoretical. In 2025, Palo Alto Networks documented cases in which cybercriminals used AI to automate attacks and generate novel exploitation techniques. In one campaign, dubbed the “Anthropic attack,” a Chinese threat group leveraged the AI tool Claude Code to conduct reconnaissance across multiple organizations.

    Attackers have begun interacting directly with language models embedded in corporate systems, bypassing traditional steps such as gaining control over a domain controller. This shift suggests that AI can not only amplify attacks, but fundamentally reshape their structure and execution.

    Whitmore compares the current AI adoption wave to the migration to cloud computing that began two decades ago. At that time, the most severe data breaches stemmed not from the technology itself, but from misconfigurations and inadequate security controls. A similar pattern is now emerging with AI: while model development races ahead, security measures lag behind.

    As AI agents grow more autonomous, the most critical task for organizations is to enforce foundational safeguards—restricting privileges, monitoring activity, and rapidly detecting anomalies. Without these controls, AI risks evolving from a defensive asset into a fully fledged digital insider.

  • Thunder & Lightning Return: Iran’s Infy APT Resurfaces with Advanced Foudre Exploits

    After nearly five years of apparent dormancy, the Iranian threat group Infy—also known as Prince of Persia—has resurfaced. Security researchers at SafeBreach have identified a new campaign by this long-standing cyber-espionage operation, which has conducted attacks across multiple countries since 2004 while largely remaining in the shadow of other Iranian groups.

    The recent operation targeted victims in Iran, Iraq, Turkey, India, Canada, and several European countries. The group’s core toolset remains unchanged, relying on the malware families Foudre and Tonnerre. Foudre functions as a loader and reconnaissance tool, responsible for deploying Tonnerre and harvesting system information. In the latest iteration, Foudre version 34, analysts uncovered enhanced delivery techniques: the malware is now embedded directly within an executable attached to a Microsoft Excel document, making the attack significantly more discreet.

    Communication mechanisms with command-and-control servers have also been refined. The malware now employs a domain generation algorithm, complicating efforts to track its infrastructure. In addition, Foudre contacts a remote server daily to retrieve an encrypted digital signature, which it decrypts using an embedded public key to verify that it is communicating with the “correct” server. This method substantially raises the barrier to traffic interception and spoofing.

    On the servers used to manage infected systems, researchers discovered a structured environment containing directories for activity logs, exfiltrated files, and authentication data used to validate the command server. A separate directory labeled “download” was also identified; while its exact purpose remains unclear, it is believed to be intended for delivering updates.

    Particular attention was drawn to a new feature in recent versions of Tonnerre: communication via Telegram. Analysis revealed that the malware can connect to a Telegram group named “سرافراز” (“Proud” in Persian), which consists of only two members—a bot likely used for command and data collection, and a user with the alias @ehsan8999100. Details about this group are stored on the C2 server in a dedicated file and are accessible only to select infected systems.

    While examining Infy’s infrastructure, analysts also uncovered older malware samples actively used between 2017 and 2020. These included applications disguised as news software, the MaxPinner trojan capable of spying on Telegram activity, and a previously undocumented piece of malware named Rugissement.

    Despite the outward silence since 2022, Infy never ceased operations; it merely retreated deeper underground. Activity analysis over the past three years shows continued tool development and ongoing attacks, alongside a marked evolution in both infrastructure and operational methodology.

    Against the backdrop of this renewed activity, the report once again highlights the blurred boundary between cyber-espionage and state structures. Leaks related to another Iranian group, Charming Kitten, suggest that the same administrative mechanisms may operate behind ostensibly distinct cyber actors—overseeing phishing campaigns and ransomware attacks alike under a unified command and logistical framework.

  • The Octopus Trap: Iranian Hackers Breach Naftali Bennett’s Telegram in Bold Cyber Strike

    Former Israeli Prime Minister Naftali Bennett has acknowledged that his Telegram account was accessed without authorization, even though his device itself was not compromised. He made the statement after reports emerged alleging that his iPhone had been hacked and that a data leak was linked to an Iranian hacking group.

    The remarks followed publications by a group calling itself “Handala,” which claims to have gained access to the politician’s personal device as part of an operation dubbed “Octopus.” Bennett has repeatedly used the octopus metaphor himself when describing Iran as a central coordinator of threats against Israel. Responding to the accusations, he stated that neither his smartphone nor any other device had been breached, but that access to his Telegram account had been obtained “through various methods.”

    According to Bennett, unknown actors acquired materials from his contact list, images, and private correspondence. Some of the leaked content was authentic, while other elements were fabricated. One example he cited was a falsified photograph depicting him alongside Israel’s first prime minister, David Ben-Gurion. Bennett stressed that the materials were obtained unlawfully and that their dissemination constitutes a criminal offense.

    The former prime minister said the incident is already under review by the security services. He views it as an attempt to undermine his political activity ahead of upcoming elections, in which he is regarded as a serious challenger to incumbent Prime Minister Benjamin Netanyahu.

    In his view, the pressure reflects opponents’ fears of his return to the highest levels of politics. Despite the incident, he has stated that he intends to continue both his public engagement and his political campaign.

  • The Accounting of Intrusion: How the “Episode 4” Leak Exposed APT35’s Bureaucratic Machine

    The leak of a fourth episode linked to the APT35 hacking group—also known as Charming Kitten—dramatically reshapes perceptions of the organization. In the previous three installments, meticulously analyzed by researcher Nariman Gharib, attention centered on the group’s internal structure, including separate male and female hacking teams and even approximate compensation levels for operators. The latest tranche of disclosures continues this trajectory, shifting focus to accounting records, infrastructure management, and the logistics underpinning cyber operations.

    The released files reveal how a state-backed entity disguises itself as an informal hacker collective. Instead of exploit code, the archives contain Excel spreadsheets listing servers, credentials, cryptocurrency payments, and VPS rental orders. At the heart of this system lies not creativity, but bookkeeping. Every action is validated by a ticket, a price, a date, and an order number. The entire apparatus is built around internal auditability—indistinguishable from a conventional government agency, except that the “goods and services” consist of cyber-espionage infrastructure.

    APT35’s self-exposure stemmed from its own negligence. After the breach, operators failed to revoke access to servers, passwords, and accounts, leaving portions of the infrastructure live for weeks. This carelessness highlights a striking duality within Charming Kitten: rigorous discipline at the process level, paired with a blatant disregard for basic security hygiene.

    Among the most revealing discoveries is a spreadsheet detailing payment activity via the Cryptomus platform. It documents dozens of transactions ranging from €12 to €18, executed under fictitious names through pseudo-European accounts. Each payment corresponds to an internal request, and the entire scheme is designed to evade financial oversight. The absence of large transfers and the uniformity of transactions create the appearance of routine purchases by ordinary users.

    The most consequential insight emerges from the link between Charming Kitten and another Iranian cyber entity—Moses Staff. Long regarded as an independent hacktivist collective operating under ideological banners, Moses Staff is now revealed, through data from the fourth episode, to be driven by the same administrative machinery as APT35. Domain and account lists repeatedly surface moses-staff.io, while identical ProtonMail accounts appear across both Charming Kitten records and Moses Staff infrastructure.

    It becomes clear that data leaks from Israeli companies, destructive attacks, and propagandistic manifestos were not the product of spontaneous radical activism, but of carefully planned operations managed as routine projects. Individuals, domains, payments, and servers are tracked within a unified registry, with every step recorded using standardized templates. Even details such as consistent pricing ranges and recurring European hosting providers point to a finely tuned supply chain.

    These files do more than lift the curtain on APT35’s internal workings; they illustrate how cyber conflict is structured around a subscription-like model. Every breach, phishing page, or command-and-control server is the outcome of a payment, an order, a service renewal. It is this meticulous “accounting of intrusion” that stands as the central revelation of the fourth episode.

  • The Plagiarism Trap: How ForumTroll APT is Holding Academic Careers Hostage to Deploy Spyware

    In October 2025, experts at Kaspersky Lab uncovered a new wave of targeted attacks attributed to the ForumTroll group. Whereas earlier campaigns primarily focused on organizations, this iteration shifted its attention to individuals—political scientists, international relations specialists, and economists affiliated with leading Russian universities and research institutions. The attackers used lure emails alleging the discovery of plagiarism and inviting recipients to download a supposed “verification report.”

    The messages were sent from the address support@e-library[.]wiki. The domain e-library[.]wiki hosted a counterfeit website that closely mimicked the design of the legitimate eLibrary digital library (the genuine site being elibrary.ru). Each email contained a personalized link to access the report; clicking it triggered the download of a ZIP archive named after the recipient’s full name, reinforcing the impression of a targeted and “official” inquiry.

    Inside the archive were a folder named .Thumbs containing numerous ordinary image files with Russian-language titles, alongside a shortcut (.lnk) file also bearing the recipient’s name. Researchers believe the images were included as a decoy to make the archive appear less suspicious. When the shortcut was opened, a PowerShell script executed, downloading and launching the malicious payload. At the same time, a decoy PDF was displayed—a blurred “report” from a plagiarism-checking system that contained virtually no meaningful information and served solely to mask the infection.

    To establish persistence, the attackers employed a COM hijacking technique. The downloaded DLL was saved within the user’s profile and registered in the system registry to ensure repeated execution, including after reboots. According to the report, the final payload was the commercial Tuoni framework, which is used legitimately for security testing but was repurposed here to grant remote access to victims’ devices and enable subsequent activity within their networks.
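    The COM hijacking persistence described above leaves a registry trace a defender can triage: a per-user CLSID whose InprocServer32 path resolves into the user's profile, or which shadows a machine-wide CLSID. The following is an added example (not Kaspersky's code or a ForumTroll artifact); the CLSIDs and paths in the sample are constructed, and on Windows it also reads the live HKCU hive.

```python
"""Flag per-user COM server registrations that look like COM hijacking."""
import sys

# Constructed sample of (CLSID, InprocServer32 default value) pairs, in the
# shape collected from HKCU\Software\Classes\CLSID. All values are made up.
SAMPLE_ENTRIES = [
    ("{0A1B2C3D-0000-0000-0000-000000000001}", r"C:\Windows\System32\shell32.dll"),
    ("{0A1B2C3D-0000-0000-0000-000000000002}", r"C:\Users\alice\AppData\Roaming\Thumbs\report.dll"),
    ("{0A1B2C3D-0000-0000-0000-000000000003}", r"%LOCALAPPDATA%\Temp\update.dll"),
    ("{0A1B2C3D-0000-0000-0000-000000000004}", r"C:\Program Files\Vendor\helper.dll"),
]

# A legitimate system-wide COM server should not be loaded from any of these.
USER_PROFILE_MARKERS = (
    "\\users\\", "%appdata%", "%localappdata%", "%userprofile%", "%temp%", "%tmp%",
)


def is_user_profile_path(path: str) -> bool:
    """True if the server DLL sits under a user profile or temp directory."""
    p = path.strip().strip('"').lower()
    return any(marker in p for marker in USER_PROFILE_MARKERS)


def find_suspicious(entries, hklm_clsids=frozenset()):
    """Return (clsid, path, reasons) for entries an analyst should review.

    hklm_clsids: CLSIDs present under HKLM; an HKCU entry with the same CLSID
    takes precedence for that user, which is the classic hijack pattern.
    """
    known = {c.upper() for c in hklm_clsids}
    hits = []
    for clsid, path in entries:
        reasons = []
        if is_user_profile_path(path):
            reasons.append("InprocServer32 under user profile")
        if clsid.upper() in known:
            reasons.append("shadows an HKLM CLSID (per-user override)")
        if reasons:
            hits.append((clsid, path, reasons))
    return hits


def read_hkcu_clsids():
    """Collect live HKCU CLSID/InprocServer32 pairs on Windows; [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    try:
        root = winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Classes\CLSID")
    except OSError:
        return []
    with root:
        index = 0
        while True:
            try:
                clsid = winreg.EnumKey(root, index)
            except OSError:
                break
            index += 1
            try:
                with winreg.OpenKey(root, clsid + r"\InprocServer32") as srv:
                    path, _ = winreg.QueryValueEx(srv, "")
                    entries.append((clsid, str(path)))
            except OSError:
                continue
    return entries


if __name__ == "__main__":
    live = read_hkcu_clsids()
    entries = live if live else SAMPLE_ENTRIES
    print("using", "live HKCU entries" if live else "constructed sample", file=sys.stderr)
    for clsid, path, reasons in find_suspicious(entries):
        print(f"{clsid}  {path}\n    " + "; ".join(reasons))
```

Pair the HKCU scan with an export of HKLM\Software\Classes\CLSID to populate hklm_clsids; the shadowing check is what separates a hijack from an ordinary per-user component.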

    Kaspersky Lab also highlights the meticulous preparation of the attackers’ infrastructure. The malicious domain was registered as early as March 2025, while artifacts on the fake website indicate preparatory work dating back to at least December 2024. The attackers limited repeated downloads to hinder analysis and displayed different messages depending on the operating system, encouraging users to retry from Windows. Command-and-control servers were hosted within the fastly.net network. At the time of publication, the fraudulent site had been taken down.

    Experts estimate that ForumTroll has been targeting individuals in Russia and Belarus since at least 2022. Kaspersky researcher Georgy Kucherin warns that academics are particularly vulnerable due to their publicly available contact information, and that emails accusing them of plagiarism can provoke anxiety and prompt rash actions. To mitigate the risk, he advises deploying security software on all devices and carefully verifying senders and links before opening attachments or following URLs.


  • The Living Mesh: Ink Dragon Turns European Government Servers into a Global ShadowPad Relay Network

    Researchers at Check Point Research have uncovered a large-scale espionage operation conducted by the Chinese APT group Ink Dragon, which repurposes compromised government servers into a distributed command-and-traffic relay network—effectively turning the victims themselves into components of its command-and-control infrastructure.

    Ink Dragon, also known as Earth Alux, Jewelbug, REF7707, and CL-STA-0049, has been active since at least early 2023. Initially focused on government, telecommunications, and public-sector organizations in Southeast Asia and South America, the group has in recent months significantly escalated its operations against government institutions in Europe. Its campaigns are marked by sophisticated engineering, disciplined operational tradecraft, and extensive abuse of legitimate system components, allowing the attacks to remain undetected for prolonged periods.

    A defining characteristic of Ink Dragon is its strategy of embedding compromised servers into a global, distributed relay network rather than using them solely for espionage. To achieve this, the attackers deploy a specialized IIS module known as the ShadowPad Listener, which integrates directly into web servers and covertly intercepts HTTP(S) traffic. Each infected server becomes a node capable of receiving commands, forwarding them to other victims, and proxying connections—thereby expanding the adversary’s control infrastructure without relying on dedicated C2 servers.

    Initial access is most commonly achieved through long-known yet still widespread misconfigurations in IIS and SharePoint. Ink Dragon actively exploits ASP.NET ViewState deserialization vulnerabilities by abusing predictable or leaked machineKey values, enabling arbitrary code execution. In several intrusions, the group also leveraged the ToolShell vulnerability chain in on-premises Microsoft SharePoint deployments, which allows unauthenticated remote code execution and web shell installation. During the summer of 2025, the group conducted large-scale scanning for vulnerable SharePoint servers, suggesting early access to exploit code.

    Once a foothold is established, the attackers pivot rapidly into lateral movement. Service account credentials are harvested from IIS configurations and worker processes—credentials that are often reused across the organization. This enables Ink Dragon to escalate from web process execution to full server control and subsequently authenticate against adjacent hosts. Lateral movement relies heavily on RDP tunneling and built-in ShadowPad capabilities, with malicious activity carefully disguised as legitimate administrative sessions.

    Persistence is achieved through scheduled tasks and the installation of SYSTEM-level services. Payloads are disguised as Windows system components such as conhost.exe and are often signed with valid digital certificates from well-known vendors, significantly reducing the likelihood of detection. For privilege escalation, Ink Dragon combines exploitation of local vulnerabilities—including techniques from the Potato family—with aggressive credential harvesting. Custom tooling is used to dump LSASS, extract NTLM hashes and Kerberos artifacts, and hunt for abandoned administrative RDP sessions from which domain admin tokens can be harvested.

    The group pays particular attention to outbound connectivity. On compromised hosts, local firewall rules are created to allow unrestricted outbound traffic under the guise of legitimate Windows Defender components. This effectively transforms victim servers into open proxy nodes suitable for data exfiltration and command relay.

    At the core of the entire operation lies the ShadowPad IIS Listener Module. It registers covert URL handlers via the HttpAddUrl API, selectively intercepts only “relevant” requests, and allows all other traffic to be processed normally by IIS. The module can classify connecting nodes as “servers” or “clients,” automatically link them together, and transparently relay data in both directions. As a result, a single compromised organization can quietly function as an intermediary control node for malware operations across entirely different networks, including those of other governments.
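    URL prefixes registered through HttpAddUrl are recorded by HTTP.sys and are listed in the output of `netsh http show servicestate view=requestq`, so a baseline of expected prefixes exposes a listener that has attached itself to the web server's request queue. The script below is an added example, not Check Point's tooling; it assumes the netsh layout in which each registered URL sits on its own line under "Registered URLs:", and the sample output and allowlist are constructed.

```python
"""Compare HTTP.sys URL registrations against an allowlist."""
import re
import subprocess
import sys

# Constructed sample in the shape of `netsh http show servicestate view=requestq`.
# The third URL stands in for a prefix added by an unexpected listener.
SAMPLE_STATE = """\
Snapshot of HTTP service state (Request Queue View):
-----------------------------------------------------

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    URL groups:
    URL group ID: FE00000040000001
        State: Active
        Request queue name: Request queue is unnamed.
        Properties:
            Number of registered URLs: 3
            Registered URLs:
                HTTP://*:80/
                HTTPS://*:443/
                HTTP://*:80/API/SYNC/
"""

# Prefixes this host is expected to serve (site bindings plus WinRM); adjust per host.
ALLOWLIST = ["http://*:80/", "https://*:443/", "http://*:5985/wsman/"]

# A registered URL line holds only the prefix, indented; HTTP.sys prints it uppercase.
URL_RE = re.compile(r"^\s*(https?://\S+)\s*$", re.IGNORECASE)


def parse_registered_urls(text: str) -> list:
    """Extract every registered prefix from netsh output, lowercased."""
    urls = []
    for line in text.splitlines():
        m = URL_RE.match(line)
        if m:
            urls.append(m.group(1).lower())
    return urls


def unexpected_urls(text: str, allowlist) -> list:
    """Registered prefixes not covered by the allowlist, sorted."""
    allowed = {u.lower() for u in allowlist}
    return sorted(set(parse_registered_urls(text)) - allowed)


def collect_live_state():
    """Run netsh on Windows; return None on other platforms or on failure."""
    if sys.platform != "win32":
        return None
    proc = subprocess.run(
        ["netsh", "http", "show", "servicestate", "view=requestq"],
        capture_output=True, text=True,
    )
    return proc.stdout if proc.returncode == 0 else None


if __name__ == "__main__":
    state = collect_live_state()
    if state is None:
        print("netsh unavailable, using constructed sample", file=sys.stderr)
        state = SAMPLE_STATE
    for url in unexpected_urls(state, ALLOWLIST):
        print("unexpected HTTP.sys registration:", url)
```

Treat the allowlist as a per-host baseline captured from a known-good state; a new prefix appearing without a matching change to IIS bindings is the signal worth investigating.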

    Beyond relay functionality, the same IIS module embeds a full ShadowPad command set for system management: information gathering, file and process control, interactive shell execution, and network proxying. Each node thus serves simultaneously as an access point and as part of a distributed C2 mesh. Analysis of debug strings within the module allowed researchers to reconstruct command relay chains and clearly illustrate how victim systems are interconnected.

    Following persistence, Ink Dragon deploys additional post-exploitation components. These include multiple ShadowPad loaders using DLL sideloading, the bespoke CDBLoader—which abuses the cdb.exe debugger to execute shellcode in memory—and the LalsDumper tool, designed to stealthily dump LSASS via direct system calls. In later stages, the attackers deploy an updated version of the FinalDraft trojan, a modular RAT platform that leverages the Microsoft Graph API and Outlook mailboxes as its command channel.

    FinalDraft supports fine-grained scheduling of communications, collection of RDP connection histories, weakening of Windows security controls, and high-speed data exfiltration through Microsoft cloud services. Its configuration is tightly bound to individual hosts, complicating both analysis and sample reuse.

    Ink Dragon’s victims are predominantly government entities. In recent months, attacks against European organizations have increased markedly, with servers compromised in Europe subsequently used to support operations against targets in Africa and Southeast Asia. In several cases, activity from another Chinese group—RudePanda—was also observed on the same systems, involving separate IIS modules, web shells, and even the deployment of a kernel-level rootkit. However, researchers found no evidence of direct coordination between the two groups.

    According to Check Point Research, Ink Dragon exemplifies a mature cyber-espionage model in which the distinction between “victim” and “command infrastructure” effectively disappears. Each newly compromised server strengthens the overall network, enhancing both its resilience and stealth. In such an environment, defending individual hosts is no longer sufficient: effective countermeasures must identify and dismantle the entire relay chain, or compromised systems will continue to serve the attackers indefinitely.

  • Digital Crosshairs: Iran-Linked “Handala” Group Offers $30K Bounties for Israeli Engineers

    A new wave of pressure targeting Israeli professionals linked to the defense sector has moved beyond conventional cyberattacks and into the realm of personal intimidation. A group allegedly connected to Iran has shifted its tactics toward public doxxing and cash bounties for information about specific individuals.

    According to The Jerusalem Post, the hacker collective known as “Handala” has announced rewards of up to $30,000 for information on more than a dozen Israelis it describes as developers and engineers involved in the Patriot, Arrow, and David’s Sling air defense systems. The group has already published personal details of its targets on its platforms, including photographs and contact information, accompanied by explicit threats. While the newspaper notes that it cannot independently verify the accuracy of all the disclosed data, the materials have already spread widely across Arabic-language media outlets and Telegram channels, including some affiliated with Hamas.

    The disclosures are part of a broader campaign dubbed “RedWanted,” under which new lists of allegedly defense-related Israelis are released every Saturday. Earlier installments included larger, more indiscriminate compilations—for example, naming supposed members of Unit 8200—with individual bounties in some cases set at $10,000 for information on a person’s whereabouts or activities. The report emphasizes that the campaign’s website hosts personalized threats and employs an interface deliberately designed to incite harassment, even overlaying crosshairs on photographs when users hover over them.

    The article also places these actions in the context of Handala’s previous operations. The group has been linked to Iranian intelligence services; the Jerusalem Institute for Strategy and Security has stated that Iran has been using Handala at least since late 2023. Among the incidents attributed to the group is a January 2025 attack on Israeli kindergartens, during which alert systems were disrupted at approximately 20 locations.

    On August 22, 2025, Handala claimed responsibility for breaches of several Israeli organizations, including the Weizmann Institute and a number of commercial companies. In September 2025, Canada’s Rapid Response Mechanism (RRM Canada) reported a “hack-and-leak” campaign targeting journalists from Iran International, noting that the dissemination of stolen data was further amplified through the use of multiple AI chatbots.