Blogs

Blog

Escalation in the Middle East: Tracking “Operation Epic Fury” Across Military and Cyber Domains

This post tracks the convergence of kinetic warfare, psychological operations, and cyber activity as the conflict expands across the Middle East and beyond.

On February 28, the United States and Israel launched coordinated strikes across Iran under Operation Epic Fury (also referenced in reporting as Operation Lion’s Roar). The opening phase focused on decapitating senior Iranian leadership while degrading missile infrastructure, launch systems, and air defenses. In the hours that followed, Iran initiated large-scale retaliation — expanding the conflict beyond Iranian territory and into a region-wide exchange that touched multiple Gulf states and allied military assets.

Since those initial strikes, the conflict has rapidly widened and accelerated. What began as a concentrated campaign against leadership and missile capabilities has developed into a sustained regional war with an expanding set of targets, including economic and logistical infrastructure. Simultaneously, cyber operations and psychological messaging have been used alongside kinetic action, creating a hybrid operating environment in which disruption is shaped as much by information control and infrastructure compromise as it is by missiles and airstrikes.

Flashpoint analysts are tracking the conflict across physical, cyber, and geopolitical domains. The timeline and sections below summarize key developments and risk indicators observed from February 28 through March 10.

Operation Epic Fury Timeline: March 2026 Conflict Updates

February 28, 2026 — Initial Strikes and Regional Retaliation

In parallel to these events, Flashpoint observed immediate system-level disruption: flight suspensions at Dubai airports following nearby strikes, and Iran’s move to blockade the Strait of Hormuz, elevating global energy and logistics risk.

March 1, 2026 — Air War Over Tehran, Soft Targets, and Hybrid Expansion

By March 1, the conflict had shifted from stand-off strikes to direct air operations over Tehran, signaling degradation of Iran’s integrated air defenses over the capital. Iranian state media described a transition to “offensive defense,” and retaliatory activity expanded across the region.

Notable developments included the reported strike on the Crowne Plaza Hotel in Manama, Bahrain, signaling increased risk to soft targets and commercial environments. Flashpoint also observed indicators of command-and-control friction on the Iranian side, including a reported friendly-fire incident involving the sanctioned “shadow fleet” tanker Skylight.

March 2, 2026 — Infrastructure and Economic Warfare Escalation

March 3, 2026 — Expansion of Infrastructure Warfare and Regional Combat

March 5, 2026 — Offensive Defense and Geographic Expansion

March 6, 2026 — Regime Fragmentation and Strategic Targeting

March 8–9, 2026 — Leadership Consolidation and Hybrid Warfare Expansion

March 10, 2026 — Decentralized Retaliation and Economic Pressure

March 1–10, 2026 — Infrastructure Targeting and Internationalization

Between March 1 and March 10, Flashpoint analysis indicates the conflict has evolved from broad regional exchanges into systematic targeting of energy, data, and command-and-control infrastructure with global downstream impact. Key reported incidents included a strike on Saudi Aramco’s facility at Ras Tanura and a disruption at an AWS data center in the UAE attributed to physical impact on the facility. The Israel–Lebanon front also intensified following Hezbollah missile launches and a broad Israeli response across Lebanon. March 2 also featured expanded strikes against Tehran’s state apparatus, including reported destruction of Iran’s national broadcasting headquarters and the Assembly of Experts’ building.

Flashpoint also tracked growing exposure for NATO-aligned assets, including reported damage at RAF Akrotiri (Cyprus). Meanwhile, the UK, France, and Germany signaled readiness to support action focused on Iran’s missile and drone capabilities — an indicator of potential further conflict expansion.

By March 3 and March 4, targeting patterns expanded further to include strategic communications infrastructure and hardened military facilities. Satellite analysis confirmed damage to US military communication nodes and early-warning radar infrastructure across multiple Gulf bases, while naval combat escalated with a US submarine sinking the Iranian frigate IRIS Dena in the Indian Ocean. These developments signal a shift toward degrading regional command-and-control networks alongside continued pressure on energy and logistics infrastructure.

Developments on March 5 further expanded the geographic scope of the conflict. Iranian drone strikes targeted infrastructure in Azerbaijan, drawing the country’s military onto high alert and raising the possibility of a northern expansion of the kinetic theater. At the same time, complex missile and drone attacks continued against US military facilities in the Gulf, including a major strike that caused significant damage at Ali Al Salem Air Base in Kuwait. These developments reflect a continued shift toward distributed regional engagements rather than isolated bilateral exchanges.

Developments on March 6 through March 9 indicate continued degradation of Iranian command infrastructure alongside widening regional impacts. Precision strikes reportedly targeted remaining Iranian leadership compounds and clandestine missile and nuclear facilities, while diplomatic evacuations and military mobilization along Iran’s northern border suggested the potential expansion of the conflict into new geographic theaters. At the same time, infrastructure targeting expanded beyond energy and communications to include water desalination facilities and additional cloud and data infrastructure, highlighting the growing risk to civilian survival systems and regional economic stability.

Developments on March 10 further underscored the economic dimension of the conflict. A drone strike on the Ruwais industrial complex in Abu Dhabi forced the shutdown of the region’s largest oil refinery, while global shipping giant MSC suspended exports from Gulf ports due to continued instability in the Strait of Hormuz. These disruptions highlight how the conflict is increasingly affecting global energy production and maritime supply chains beyond the immediate combat zone.

The Escalating Cyber and Information Front

From the opening hours, Flashpoint assessed that cyber activity in this conflict is not ancillary — it is being used as a synchronized force multiplier.

One of the most consequential developments has been the use of infrastructure compromise for psychological operations at national scale. Flashpoint observed the compromise of the BadeSaba prayer app ecosystem, enabling push notifications to be delivered to large user populations. Messaging included calls for mobilization and later content aimed at regime security forces and protest coordination. This reflects a shift from influence on social platforms toward platform-layer manipulation, where trusted everyday applications become vectors for narrative control during kinetic shock.

Flashpoint also observed disruption and interference affecting state-run Iranian outlets (including IRNA and ISNA), contributing to an information vacuum and driving users toward unverified channels for situational awareness.

As kinetic pressure increased, Flashpoint tracking indicated fluctuations in cyber tempo. Some updates suggested a temporary lull in broader Iranian cyber activity — potentially due to operational disruption from physical strikes — while other indicators pointed to a risk of renewed disruptive campaigns, including activity linked to personas associated with state-aligned hacktivist ecosystems.

On March 2, Flashpoint observed reporting on a coordinated campaign branded #OpIsrael, involving pro-Iranian and pro-Russian-aligned actors, with activity spanning DDoS, data exposure, and claimed intrusions.

• NoName057(16) + Cyber Islamic Resistance: Claimed large-scale DDoS activity targeting Israeli defense and municipal entities (including Elbit Systems).
  
• Cyber Islamic Resistance: Claimed breach of an Israeli health insurance provider and released internal CCTV footage as evidence of access.
  
• FAD Team (Iraq’s “Resistance Hub”): Claimed SQL injection activity and PII exposure across a wide set of targets, including US and non-US entities.
  
• Fatimion Cyber Team: Claimed disruption targeting Gulf states perceived as US-aligned, including Bahrain and Qatar-linked targets.
  
• Infrastructure claims: FAD Team claimed access to firewall monitoring dashboards in Mecca and Medina.
  

Additional activity observed March 3–4 includes:

• Handala Team: Claimed a breach of Saudi Aramco infrastructure and released internal documentation and schematics intended to validate the attack. Flashpoint has not verified these claims.
  
• PalachPro: Signaled coordination with Iranian hackers to amplify cyber campaigns targeting US and Israeli organizations.
  
• NoName057(16): Claimed access to an Israeli water management SCADA system under the ongoing #OpIsrael campaign. These claims remain unverified.
  
• Fatemiyoun Electronic Team: Conducted a denial-of-service attack against the Kuwaiti News Agency website.
  
• Targeting rhetoric shift: Pro-IRGC propaganda channels began framing major technology companies — including Google — as potential targets due to alleged support of US military operations.
  

Additional activity reported on March 5 indicates a renewed surge in coordinated cyber operations under the #OpIsrael banner:

• NoName057(16): Claimed administrative access to Israeli industrial control systems and SCADA interfaces, alleging the ability to manipulate pump activity and water flow. These claims remain unverified but represent a high-risk threat to essential services.
  
• Handala Group: Claimed the exfiltration and wiping of approximately 1.3 TB of data from Atlas Insurances Ltd., while simultaneously launching a doxxing campaign targeting individuals alleged to be connected to Israeli intelligence.
  
• Fatemiyoun Electronic Team: Claimed responsibility for taking multiple government ministry websites offline in Jordan and Kuwait and releasing personal data from a Kuwaiti government application.
  
• Cyber Islamic Resistance (Team 313): Claimed disruptions targeting Bahraini government infrastructure and published images allegedly taken from compromised surveillance camera networks.
  

Additional activity reported March 6–9 includes:

• MuddyWater (MOIS / Seedworm): Verified intrusions into US aerospace, defense, aviation, and financial networks using a newly identified backdoor known as “Dindoor.” These operations reportedly began prior to the kinetic phase of the conflict and have continued during the war.
• Telegram-Based Recruitment Networks: Iranian intelligence is reportedly using Telegram channels to recruit loosely affiliated operatives and criminal intermediaries across Europe for espionage and potential sabotage operations.
• Handala: Claimed to have wiped Israeli military weather servers and intercepted urban security feeds in Jerusalem (unverified).
• Cyber Islamic Resistance (Team 313): Claimed multiple website defacements targeting regional institutions, including Kurdish and Saudi organizations (unverified).
• NoName057(16): Continued distributed denial-of-service attacks under the #OpIsrael banner targeting Israeli political parties, telecommunications companies, and defense contractors.
  

Additional activity reported March 10 includes:

• Suspected banking-sector attacks: Multiple reports indicate that Iran’s largest banks, including Bank Melli Iran and Bank Sepah, experienced widespread service disruptions following suspected cyberattacks.
• NoName057(16): The pro-Russian group continued operations under the #OpIsrael banner, claiming distributed denial-of-service attacks targeting Israeli and Cypriot infrastructure, including Israel’s national water company Mekorot and UAV firm E.M.I.T. Aviation (unverified).
• BD Anonymous & MrSutrator Alliance: A newly formed pro-Palestinian cyber alliance announced “Operation Electronic Holocaust,” targeting Israeli defense contractor Rafael (unverified).
• DieNet: The group issued warnings of a potential large-scale cyber campaign targeting Israeli government infrastructure (unverified).

These developments indicate continued expansion of cyber activity across both offensive and retaliatory fronts, including financial infrastructure and public-facing services.

Strategic Chokepoints and Systemic Risk

Two chokepoints have emerged as persistent systemic risk drivers: maritime energy transit and regional air mobility.

Iran’s reported blockade of the Strait of Hormuz remains the primary near-term global economic concern. Flashpoint reporting also indicates an explicit escalation toward energy system disruption, with IRGC messaging framing a “war on energy supplies” and kinetic targeting expanding to oil and gas infrastructure. Even partial disruption introduces immediate volatility in energy markets and maritime logistics, increasing shipping costs, insurance premiums, and delivery delays well beyond the region.

Additional developments reported on March 3 indicate the IRGC has conducted strikes against multiple oil tankers operating in the Strait of Hormuz, further elevating risks to global energy transport. Iran has also declared the waterway effectively closed to most commercial shipping, introducing the possibility of sustained maritime disruption.

Infrastructure targeting has expanded to include desalination facilities and water supply systems in the Gulf. Because these plants provide essential potable water to large urban populations, attacks on desalination infrastructure represent a significant escalation that directly threatens civilian survival systems and urban stability across the region.

Global shipping disruption has also intensified. As of March 10, following continued instability and the effective closure of the Strait of Hormuz, major shipping firms including MSC have suspended exports from Gulf ports, introducing additional pressure on global logistics and energy markets.

Airspace disruption and interruptions to transit hubs — especially the reported suspensions affecting Dubai — compound that risk. Taken together, the maritime and aviation constraints create a reinforcing cycle: constrained routes increase congestion elsewhere, raise operational costs, and compress the time available for organizations to reroute people and goods.

With regional airports and Gulf maritime corridors under threat, organizations should plan for sustained degradation of commercial mobility and service availability rather than short-lived closures.

Business and Security Implications

As the conflict expands into commercial infrastructure and civilian logistics, enterprise exposure now extends well beyond traditional “high-risk” sectors. The targeting patterns observed throughout this conflict indicate that energy infrastructure, cloud assets, maritime corridors, and civilian-facing systems are all within scope.

Organizations should plan for volatility across personnel security, supply chains, cyber disruption, and regional service availability.

1. Personnel and Physical Security

Recent incidents including strikes near Gulf transit hubs, the targeting of a Western-branded hotel in Bahrain, and warnings regarding potential asymmetric attacks underscore that risk is no longer confined to military installations.

• The US State Department issued an expanded “DEPART NOW” advisory for Americans across 16 Middle Eastern countries, reflecting elevated risk to civilian and commercial environments.
  
• US Embassy in Amman reported active “duck and cover” alarms, signaling increased threat pressure on diplomatic facilities beyond core combat zones.
  
• Reporting indicates Iranian threats now extend to US bases in Europe, expanding the geographic risk envelope.
  
• Drone attacks targeting diplomatic facilities — including the US Consulate in Dubai and attempted strikes on the US Embassy in Riyadh — indicate expanding risk to diplomatic and government installations.
  
• Precautionary evacuations have also been implemented near US embassies across several Gulf states as regional tensions and retaliatory threats continue to rise.
  

Organizations with personnel in the Gulf region and surrounding areas should:

• Reassess travel posture to the UAE, Qatar, Bahrain, Kuwait, and Saudi Arabia.
  
• Elevate security protocols at commercial offices, hotels, and logistics facilities.
  
• Reinforce operational security practices (routine variation, avoidance of identifiable clothing tied to government or defense sectors).
  
• Coordinate closely with local authorities and diplomatic advisories regarding movement restrictions and emerging threat indicators.
  

2. Supply Chain and Energy Exposure

The reported blockade of the Strait of Hormuz, disruption to Dubai aviation, and the strike on Saudi Arabia’s Ras Tanura oil facility demonstrate that global energy and logistics systems are active pressure points. Iranian naval forces reportedly struck multiple oil tankers transiting the Strait of Hormuz on March 3, increasing the likelihood of extended maritime disruption and global energy price volatility.

IRGC statements framing a “war on energy supplies” increase the likelihood of sustained pressure on Gulf oil and gas infrastructure. Organizations must reassess exposure not only to energy price volatility, but also to infrastructure-driven availability shocks.

Organizations should:

• Model extended disruption to Gulf maritime routes rather than short-term interruption.
  
• Identify alternative shipping corridors and overland routing options.
  
• Stress-test supplier dependencies tied to Gulf ports or energy inputs.
  
• Prepare for price volatility and delivery delays impacting downstream operations.
  

3. Cloud and Technology Infrastructure

The reported physical impact to an AWS data center in the UAE reflects a significant escalation: commercial cloud infrastructure is no longer insulated from kinetic spillover. More recent reporting also indicates Iranian strikes targeting Microsoft Azure data infrastructure in the Gulf, expanding the threat profile to additional Western cloud platforms.

Iranian strikes against early-warning radars and satellite communication terminals across Gulf bases indicate a coordinated effort to degrade regional missile defense networks.

Enterprises should:

• Confirm geographic redundancy for critical workloads.
  
• Validate disaster recovery timelines (RTO/RPO) for Middle East–hosted environments.
  
• Review third-party dependencies tied to regional data centers.
  
• Ensure executive teams understand potential cascading impacts from localized physical disruption.
  
• Organizations operating near or dependent on US or allied military infrastructure in the region should monitor potential disruptions to air defense coverage and communications networks.
  

4. ICS / OT Environments

Claims of intrusion into industrial control systems — including grain silo logistics and remote control infrastructure — signal elevated risk to operational technology environments. March 2 cyber reporting also emphasized blended risk: cyber operations paired with physical disruption, increasing the chance of cascading outages and degraded visibility during response.

Organizations operating ICS/SCADA systems, particularly in energy, logistics, water, and manufacturing sectors, should:

• Audit all remote access pathways and eliminate unnecessary external exposure.
  
• Enforce phishing-resistant MFA for privileged and engineering accounts.
  
• Segment industrial networks from corporate IT and public internet access.
  
• Validate incident response plans for destructive malware or system manipulation scenarios.
  
• Conduct tabletop exercises assuming loss of visibility or control in critical systems.

What to Expect Next (48–72 Hours)

Flashpoint analysis indicates the conflict is entering a more decentralized phase characterized by hybrid warfare and expanding geographic scope.

Following the formal appointment of Mojtaba Khamenei as Supreme Leader, the Iranian state is expected to maintain a hardline military posture under strong IRGC influence. With conventional military capabilities increasingly degraded, Iranian strategy may rely more heavily on asymmetric tactics, including cyber operations, proxy mobilization, and attacks against economic and civilian infrastructure.

The fatwa issued by Grand Ayatollah Sistani introduces an additional destabilizing variable, potentially mobilizing Shiite militias across Iraq and the broader region. Combined with Kurdish mobilization along Iran’s western border and Azerbaijan’s heightened military posture in the north, the conflict may increasingly involve non-state and regional actors.

At the same time, cyber operations targeting Western defense, aviation, and infrastructure networks are likely to intensify as Iranian-linked actors attempt to expand the conflict’s impact beyond the immediate battlefield.

The activation of Iran’s decentralized “Mosaic Defense” protocol further complicates potential de-escalation. Because retaliatory authority is distributed across regional commanders, localized strike cycles may continue even if diplomatic negotiations emerge at higher political levels. This structure increases the likelihood of continued intermittent attacks across multiple theaters even as international pressure for conflict termination grows.

Ongoing Updates

Flashpoint will continue monitoring developments across physical, cyber, and geopolitical domains. Bookmark this page for updates as the situation evolves.

For organizations seeking deeper visibility into emerging threats, proxy activity, infrastructure targeting, and cross-domain escalation indicators, schedule a demo to see Flashpoint’s intelligence platform deliver timely, decision-ready intelligence.

See Flashpoint in Action

Blogs

Blog

Navigating 2026’s Converged Threats: Insights from Flashpoint’s Global Threat Intelligence Report

In this post, we preview the critical findings of the 2026 Global Threat Intelligence Report, highlighting how the collapse of traditional security silos and the rise of autonomous, machine-speed attacks are forcing a total reimagining of modern defense.

The cybersecurity landscape has reached a point of total convergence, where the silos that once separated malware, identity, and infrastructure have collapsed into a single, high-velocity threat engine. Simultaneously, the threat landscape is shifting from human-led attacks to machine-speed operations as a result of agentic AI, which acts as a force multiplier for the modern adversary.

Flashpoint’s 2026 Global Threat Intelligence Report

Flashpoint’s 2026 Global Threat Intelligence Report (GTIR) was developed to anchor security leaders — from threat intelligence and vulnerability management teams to physical security professionals and the CISO’s office — with the data required to navigate this year’s greatest threats, rife with infostealers, vulnerabilities, ransomware, and malicious insiders.

Our report uncovers several staggering metrics that illustrate the industrialization of modern cybercrime:

• AI-related illicit activity skyrocketed by 1,500% in a single month at the end of 2025.
• 3.3 billion compromised credentials and cloud tokens have turned identity into the primary exploit vector.
• From January 2025 to December 2025, ransomware incidents rose by 53%, as attackers pivot from technical encryption to “pure-play” identity extortion.
• Vulnerability disclosures surged by 12% from January 2025 to December 2025, with the window between discovery and mass exploitation effectively vanishing.

These findings are derived from Flashpoint’s Primary Source Collection (PSC), a specialized operating model that collects intelligence directly from original sources, driven by an organization’s unique Priority Intelligence Requirements (PIR). The 2026 Global Threat Intelligence Report leverages this ground-truth data to provide a strategic framework for the year ahead. Download to gain:

1. A Clear Understanding of the New Convergence Between Identity and AI
   Discover how threat actors are preparing to transition from generative tools to sophisticated agentic frameworks. Learn how 3.3 billion compromised credentials are being weaponized via automated orchestration to bypass legacy defenses and exploit the connective tissue of modern corporate APIs.
   
2. Intelligence on the “Franchise Model” of Global Extortion
   Gain deep insight into the professionalized operations of today’s most prolific threat actors. From the industrial efficiency of RaaS groups like RansomHub and Clop to the market dominance of the next generation of infostealer malware, we break down the economics driving today’s cybercrime ecosystem.
   
3. A Blueprint for Proactive Defense and Risk Mitigation
   Leverage the latest trends, in-depth analysis, and data-driven insights driven by Primary Source Collection to bolster your security posture by identifying and proactively defending against rising attack vectors.

“As attackers automate exploitation of identity, vulnerabilities, and ransomware, defenders who rely on fragmented visibility will fall behind. To keep pace, organizations must ground their decisions in primary-source intelligence that is drawn from adversarial environments, so that decision-makers can get ahead of this accelerating threat cycle.”

Josh Lefkowitz, CEO & Co-Founder at Flashpoint

The Top Threats at a Glance

Our latest report identifies four driving themes shaping the 2026 threat landscape:

2026 Is the Era of Agentic-Based Cyberattacks

Flashpoint identified a 1,500% rise in AI-related illicit discussions between November and December 2025, signaling a rapid transition from criminal curiosity to the active development of malicious frameworks. Built on data pulled from criminal environments and shaped by fraud use cases, these systems scrape data, adjust messaging for specific targets, rotate infrastructure, and learn from failed attempts without the need for constant human involvement.

“2026 is the era of agentic-based cyberattacks. We’ve seen a 1,500% increase in AI-related illicit discussions in a single month, signaling increased interest in developing malicious frameworks. The discussions evolve into vibe-coded, AI-supported phishing lures, malware, and cybercrime venues. When iteration becomes cheap through automation, attackers can afford to fail repeatedly until they find a successful foothold.”

Ian Gray, Vice President of Cyber Threat Intelligence Operations at Flashpoint

Identity Is the New Exploit

Flashpoint observed over 11.1 million machines infected with infostealers in 2025, fueling a massive inventory of 3.3 billion stolen credentials and cloud tokens. The fundamental mechanics of cybercrime have shifted from breaking in to logging in, as attackers leverage stolen session cookies to behave like legitimate users.

The Patching Window Is Rapidly Closing

Vulnerability disclosures surged by 12% in 2025, with 1 in 3 (33%) vulnerabilities having publicly available exploit code. The strategic gap between discovery and weaponization is increasingly vanishing, as evidenced by mass exploitation of zero-day vulnerabilities in as little as 24 hours after discovery.

Ransomware Is Hacking the Person, Not the Code

As technical defenses against encryption harden, ransomware groups are pivoting to the path of least resistance: human trust. This approach has led to a 53% increase in ransomware, with RaaS groups being responsible for over 87% of all ransomware attacks.

Build Resilience in a Converged Landscape

The findings in the 2026 Global Threat Intelligence Report make one thing clear: incremental improvements to legacy security models are no longer sufficient. As adversaries transition to machine-speed operations, the strategic advantage shifts to organizations that can maintain visibility into the adversarial environments where these attacks are born.

Protecting organizations and communities requires an intelligence-first approach. Download Flashpoint’s 2026 Global Threat Intelligence Report to gain clarity and the data-driven insights needed to safeguard critical assets.

Blogs

Blog

What to Know About the Notepad++ Supply-Chain Attack

In this post we examine the mechanics of the CVE-2025-15556 supply-chain attack and provide actionable steps to secure your environment.

The cybersecurity community is still grappling with a sobering realization: one of the most ubiquitous tools in the developer’s toolkit, Notepad++, was hiding a critical vulnerability for over six months. Being so deeply embedded in daily workflows, many organizations did not realize they were vulnerable until a recent security update pulled back the curtain on a sophisticated Chinese state-sponsored campaign, dubbed “Lotus Blossom.”

Investigations have confirmed that the issue wasn’t just a coding error, it was a compromise at the hosting provider level. This means that for much of 2025, even organizations that followed best practices were still potentially open to backdoors from Chinese advanced persistent threat (APT) groups. Here is what you need to know to secure your environment.

Understanding the Notepad++ Vulnerability (CVE-2025-15556)

The vulnerability, tracked as CVE-2025-15556 (VulnDB ID: 430205), exploits a critical flaw in the Notepad++ updater component, WinGUP. In versions prior to the February 2026 patch, the updater failed to verify the file integrity signatures of downloaded installers.

By exploiting this lack of verification, threat actors are able to:

• Intercept legitimate update requests originating from WinGUp servers
• Redirect traffic to malicious servers via Man-in-the-Middle (MitM) attacks or DNS cache poisoning
• Deliver trojanized executables (disguised as update.exe) that appeared to be legitimate software patches

Leveraging this vulnerability, attackers have gained a persistent presence in high-value sectors. According to reports from Kaspersky, the impact has spanned government and telecommunications, critical infrastructure, and financial services.

How CVE-2025-15556 Works

The state-sponsored Lotus Blossom campaign was executed in three attack chains, between July and October 2025. Each phase evolved to evade detection by changing file sizes, IP addresses, and delivery methods.

Phase	Timeline (2025)	Execution Method	Payload
Chain #1	July – August	1MB NSIS installer (update.exe)	Multi-stage attack launching a Cobalt Strike beacon via ProShow.exe.
Chain #2	September	140KB NSIS installer (update.exe)	Rotated C2 URLs to maintain stealth while dropping a Cobalt Strike beacon.
Chain #3	October	Backdoor Deployment	Dropped BluetoothService.exe, log.DLL, and shellcode to establish the Chrysalis backdoor.

Mapping CVE-2025-15556 to MITRE ATT&CK

Flashpoint has mapped Lotus Blossom TTPs (tactics, tools, and procedures) to the MITRE ATT&CK framework. Flashpoint analysts have identified the following techniques:

Execution

Technique Title	ID	Recommendations
User Execution: Malicious File	T1204.002	M1040: Behavior Prevention on Endpoint M1038: Execution Prevention M1017: User Training
Native API	T1106	M1040: Behavior Prevention on Endpoint M1038: Execution Prevention
Command and Scripting Interpreter: Windows Command Shell	T1059.003	M1038: Execution Prevention

Persistence

Technique Title	ID	Recommendations
Hijack Execution Flow: DLL	T1574.002	M1013: Application Developer Guidance M1047: Audit M1038: Execution Prevention M1044: Restrict Library Loading M1051: Update Software
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	T1547.001	*MITRE currently does not list any mitigation guidance to combat this attack technique.
Create or Modify System Process: Windows Service	T1543.003	M1047: Audit M1040: Behavior Prevention on Endpoint M1045: Code Signing M1028: Operating System Configuration M1018: User Account Management

Defense Evasion

Technique Title	ID	Recommendations
Masquerading	T1036	M1049: Antivirus/Antimalware M1047: Audit M1040: Behavior Prevention on Endpoint M1045: Code Signing M1038: Execution Prevention M1022: Restrict File and Directory Permissions M1018: User Account Management M1017: User Training
Obfuscated Files or Information	T1027	M1049: Antivirus/Antimalware M1047: Audit M1040: Behavior Prevention on Endpoint M1017: User Training
Obfuscated Files or Information: Dynamic API Resolution	T1027.007	*MITRE currently does not list any mitigation guidance to combat this attack technique.
Deobfuscate/Decode Files or Information	T1140	*MITRE currently does not list any mitigation guidance to combat this attack technique.
Process Injection	T1055	M1040: Behavior Prevention on Endpoint M1026: Privileged Account Management
Reflective Code Loading	T1620	*MITRE currently does not list any mitigation guidance to combat this attack technique.
Execution Guardrails: Mutual Exclusion	T1480.002	M1055: Do Not Mitigate
Indicator Removal: File Deletion	T1070.004	*MITRE currently does not list any mitigation guidance to combat this attack technique.

Discovery

Technique Title	ID	Recommendations
File and Directory Discovery	T1083	*MITRE currently does not list any mitigation guidance to combat this attack technique.
Ingress Tool Transfer	T1105	M1031: Network Intrusion Prevention

Collection

Technique Title	ID	Recommendations
Data from Local System	T1005	M1057: Data Loss Prevention

Command and Control

Technique Title	ID	Recommendations
Application Layer Protocol: Web Protocols	T1071.001	M1031: Network Intrusion Prevention
Encrypted Channel	T1573	M1031: Network Intrusion Prevention M1020: SSL/TLS Inspection

Exfiltration

Technique Title	ID	Recommendations
Exfiltration Over C2 Channel	T1041	M1057: Data Loss Prevention M1031: Network Intrusion Prevention

Protecting Against CVE-2025-15556

Proactive defense requires not only reactive patching of CVE-2025-15556, but also active threat hunting using the TTPs identified by Flashpoint analysts. Flashpoint recommends the following actions:

1. Immediate Update: Ensure all instances of Notepad ++ are updated to v8.9.1 or higher immediately. This version enforces the signature verification that was missing in previous releases.
2. Audit System Paths: Scan for malicious file paths used for persistence.
3. Network Defense: Monitor and block traffic to malicious domains.
4. Endpoint Hardening: Implement Behavior Prevention on Endpoints (M1040) and Audit (M1047) to detect unauthorized registry run keys or new system services.

Outpace Threat Actors Using Flashpoint

Software trust is only as strong as the infrastructure behind it. As organizations respond to these recent updates, having best-in-class vulnerability intelligence and direct visibility into threat actor TTPs is the best defense.

Leveraging Flashpoint vulnerability intelligence, organizations can move beyond CVE and NVD, by gaining deeper technical analysis and MITRE ATT&CK mapping to defend against sophisticated threat actors. Request a demo to learn more.

Begin your free trial today.

Blogs

Blog

Understanding the DarkCloud Infostealer

In this post, we analyze DarkCloud, a commercially available infostealer written in Visual Basic 6.0, examine its encryption and evasion techniques, and assess how this low-cost malware can provide threat actors with enterprise-wide access through harvested credentials.

Infostealers continue to dominate the initial access landscape in 2026, lowering the barrier to breach through scalable credential theft. DarkCloud illustrates how low-cost, commercialized malware is reshaping the initial access landscape.

First observed in 2022 and attributed to a developer known as “Darkcloud Coder” (formerly “BluCoder” on Telegram), DarkCloud is openly sold through Telegram and a clearnet storefront with subscription tiers starting at just US$30. Despite being marketed as “surveillance software,” its technical focus is unmistakable: high-volume credential harvesting and structured data exfiltration across browsers, email clients, financial data, and contact networks.

At the technical level, DarkCloud is written in Visual Basic 6.0 and compiled into a native C/C++ application. This legacy language choice is unusual in modern malware development — and likely deliberate. By leveraging outdated but still supported runtime components, DarkCloud appears to benefit from lower detection rates while maintaining full credential theft functionality.

Despite its relatively low cost, DarkCloud should not be dismissed as unsophisticated. Flashpoint assesses it as a potent entry-level threat that can provide adversaries with the keys to an entire corporate network through harvested credentials.

The Commercialization of DarkCloud

DarkCloud represents a mature example of commodity malware-as-a-service.

It is openly sold through Telegram and a clearnet website, where it is misleadingly labeled as a keylogger. While it does include keylogging capabilities, this is only a minor component of a much broader infostealing toolkit.

Its real value proposition is credential harvesting across browsers, email clients, file transfer applications, VPN software, and more.

This dual positioning — public-facing “surveillance software” and underground stealer — provides plausible deniability while enabling large-scale credential operations.

Why Visual Basic 6.0 Matters

One of the most notable aspects of DarkCloud is its use of Visual Basic 6.0.

The payload is written in VB6 and compiled into a native C/C++ application. Microsoft no longer supports VB6 in its modern development environment, and VB6 applications rely on legacy components such as MSVBVM60.DLL for execution.

Flashpoint assesses this legacy language choice is deliberate, both for its simplicity and its potential to evade modern detection models.

In testing, Flashpoint analysts generated equivalent payloads in C/C++ and VB6. The VB6 variant produced significantly fewer detections in VirusTotal scans.

The implication is clear: older languages are not necessarily obsolete in adversary tradecraft. In some cases, they may be strategically advantageous.

Encryption and String Obfuscation

DarkCloud employs a layered string encryption scheme that complicates static and dynamic analysis.

Most internal strings are encrypted and decrypted at runtime using Visual Basic’s Rnd() pseudo-random number generator, combined with a custom seed-generation algorithm.

The process involves:

• Hex-encoded encrypted strings
• Base64-encoded keys
• Seed calculation through a custom algorithm
• Resetting the VB pseudo-random number generator to a known state
• Iterative Rnd() calls to reconstruct plaintext strings

By resetting the PRNG with a known value before applying the calculated seed, the malware ensures deterministic output during decryption.

This approach does not rely on novel cryptography, but rather on abusing legacy language behavior to frustrate reverse engineering.

Credential Theft at Scale

DarkCloud’s primary objective is credential collection.

It targets:

Email clients:

• Outlook
• eM Client
• FoxMail
• Thunderbird
• 163Mail
• MailMaster

File transfer applications:

• FileZilla
• WinSCP
• CoreFTP

Browsers:

• Google Chrome
• Microsoft Edge
• Mozilla Firefox
• Brave
• Opera
• Yandex
• Vivaldi
• (and many additional Chromium- and Firefox-based browsers)

Other applications:

• Pidgin
• NordVPN

When extracting browser data, DarkCloud steals:

• Login credentials
• Cookies
• Credit card information

Email applications are additionally scraped for contact lists. This is likely intended to seed future phishing campaigns.

DarkCloud stores collected data locally in two directories under %APPDATA%\Microsoft\Windows\Templates. One directory (“DBS”) stores copied database files, while another (“_”) stores parsed data in unencrypted text format.

This local staging enables continuous exfiltration while maintaining structured log output.

Exfiltration Methods: Flexibility for Threat Actors

DarkCloud supports four exfiltration methods:

• SMTP
• FTP
• Telegram
• HTTP

SMTP and FTP require hardcoded credentials within each binary. Email subjects include the victim machine’s hostname and username, and stolen data is transmitted as attachments.

HTTP exfiltration appears less frequently used, though the capability is present.

This flexibility allows operators to tailor deployments depending on infrastructure preferences and operational security requirements.

From BluStealer to DarkCloud

Flashpoint analysts identified notable similarities between DarkCloud’s regular expressions for credit card parsing and those found in a publicly documented project known as “A310LoggerStealer,” also referred to as BluStealer.

The regex patterns appear in identical order and format.

Combined with the developer’s prior alias “BluCoder,” Flashpoint assesses that A310LoggerStealer likely represents an earlier iteration of what became DarkCloud.

This evolution reflects a common pattern in commodity malware development: incremental refinement rather than radical innovation.

A Potent Entry-Level Threat

Despite its relatively low cost, DarkCloud should not be dismissed as unsophisticated.

Its marketing as surveillance software attempts to normalize its presence while providing plausible deniability for buyers. Technically, however, its focus is clear: large-scale credential harvesting across browsers, email clients, financial data, and contact networks.

Flashpoint assesses DarkCloud as a potent entry-level threat that can provide adversaries with the keys to an entire corporate network through harvested credentials.

In a landscape where identity is the new perimeter, even a US$30 subscription can be operationally devastating.

Defending Against Commodity Infostealers

Commodity infostealers like DarkCloud may be commercially accessible, but defending against them requires enterprise-grade vigilance.

Organizations should:

• Treat phishing-delivered ZIP/RAR attachments as high-risk initial access vectors
• Monitor for abnormal data exfiltration over SMTP, FTP, and Telegram
• Audit credential reuse across browser and email applications
• Prioritize credential rotation and incident response playbooks following suspected compromise

Infostealers like DarkCloud are not breakthrough malware families. They do not rely on zero-days or advanced exploits.

Instead, they exploit scale, accessibility, and identity exposure.

To understand how credential harvesting campaigns are evolving and to embed real-time intelligence into your detection workflows, request a demo today and see how Flashpoint intelligence strengthens your defense posture.

Begin your free trial today.