MuddyWater Breaches US Networks; Broadcom Flags Dindoor and Fakeset
Operational Synopsis
Broadcom threat hunters detected a sustained espionage campaign whose artifacts Broadcom links to the Iran‑aligned cluster often labeled MuddyWater. In Broadcom telemetry analysts recovered two previously unpublicized implants — a native/PHP‑like payload referred to as Dindoor and a Python loader/stager called Fakeset — both observed using code‑signing certificates populated with fabricated personal names (one certificate lists a person rendered as Ms. Cherne). Forensic linkage shows confirmed exposures across four civilian and commercial environments: an airport, a bank, an NGO operating in two countries, and an aerospace/defense supplier with an overseas branch.
Broadcom teams removed live implants and disrupted active command channels, but their report — reinforced by independent vendor telemetry — warns that dormant credentials, lateral access paths and implanted artifacts likely persist across supply‑chain partners and third‑party estates. Timeline reconstruction indicates many footholds predate the recent kinetic escalation, suggesting deliberate long‑dwell positioning rather than a single opportunistic burst.
Complementary telemetry from Check Point describes a concentrated wave of probes and takeover attempts timed to late February through early March 2026 that targeted consumer- and enterprise-grade camera fleets and management-plane interfaces across Bahrain, Cyprus, Kuwait, Lebanon, Qatar and the UAE, with notable activity observed inside Israel. That vendor found attackers exploiting long‑known firmware and network‑service flaws (not novel zero‑days), staging mass validation and follow‑up observation using commodity VPNs and rented infrastructure — a pattern consistent with automated credential‑validation pipelines and rapid exploitation steps observed broadly across industry telemetry.
Across disclosures the technical picture converges on low‑noise persistence mechanisms (memory‑resident or transient stages), cloud‑hosted command‑and‑control and hybrid bridging techniques (removable‑media relays, innocuous cloud callbacks or abused edge appliances). Check Point’s camera findings underscore a significant, visible attack surface: many devices remain internet‑accessible and unpatched, enabling high‑volume enumeration that fuels automated pipelines. Combined with Broadcom’s certificate reuse observations, the operational tradecraft prioritizes stealthy long‑term access while compressing attacker time‑to‑exploit once credentials or management-plane access are validated.
Attribution across vendors is inconsistent: Broadcom maps artifacts into a MuddyWater cluster while Check Point ties camera activity to actors tracked as Handala. These differences likely arise from overlapping toolchains, shared or recycled signing artifacts and convergent automation rather than indisputable proof of fully distinct operators. Practically, defenders should accept attribution ambiguity and prioritize containment, credential and certificate revocation, and exhaustive identity‑centric hunts over waiting for attribution consensus.
Immediate defensive priorities are accelerated token and credential revocation, expedited invalidation of discovered certificates, extended endpoint and identity hunts looking for anomalous scheduled tasks and memory‑resident stages, and urgent validation of third‑party and supplier estates. Specifically for camera and edge fleets: isolate management planes, rotate credentials, move vulnerable feeds behind VPNs/proxies where possible, and accelerate emergency patch cycles for firmware and network‑service bugs.
Longer‑term mitigations include hardware‑backed MFA, stricter browser and session governance, segmentation of management and operational planes (including SD‑WAN and edge appliances), controls on removable media and staged interpreters, and cross‑provider coordination to disrupt cloud‑hosted C2. Given the affected sectors — aviation, finance, NGOs and defense supply chains — organizations should also prepare for regulatory scrutiny, insurance impacts and cross‑border investigative cooperation.
In short, Broadcom’s disruption removed active processes and blocked immediate exfiltration, but the strategic risk endures: pre‑positioned implants, recycled signing artifacts and the broad abuse of cloud and edge infrastructure (amplified by automation and commodity infrastructure) create a durable collection capability that requires identity‑first, cross‑domain hunting and stricter supply‑chain trust validations.