โŒ

Normal view

The Iran War: What You Need to Know

1 May 2026 at 02:00

Last updated: 1 May 2026 at 1500 GMT

New from Insikt Group: Iran War โ€” Future Scenarios and Business Implications

Insikt Group has published a dedicated Cone of Plausibility analysis examining how the Iran conflict could evolve over the next 6โ€“12 months โ€” from a fragile ceasefire baseline to regional war, regime collapse, and nuclear crisis. Each scenario includes business implications and 0โ€“90 day priority actions.

This report is updated as the situation evolves across the geopolitical, cyber, and influence operations dimensions of this conflict. It will be of greatest interest to organizations in the US, Israel, and Gulf states concerned about targeting by Iranian state-sponsored or state-aligned threat actors, as well as those with exposure to energy markets, maritime shipping, and critical infrastructure potentially impacted by regional escalation.

The Latest Updates

Geopolitical Landscape

  • Iranโ€™s hardliners are driving strategic deadlock, blockade resilience, and Strait closure. Insikt Group assesses Iranโ€™s calculus is very likely shaped by IRGC influence and hardliner dominance: Supreme Leader Khameneiโ€™s Aprilย 30 statement frames Iranian control of the Strait of Hormuz as a post-American regional order, chief negotiator Ghalibaf has reportedly resigned after a reprimand for raising nuclear issues in talks, and Iranโ€™s public position has converged on a single precondition โ€” the US must lift its naval blockade before negotiations can resume.
  • The US blockade has cut Iranian oil exports by ~70% but has not achieved its strategic objectives. Iran faces critical oil storage constraints โ€” Bloomberg reported 22 days or less of unused capacity as of Aprilย 27 โ€” yet Insikt Group assesses Iran can very likely survive the current pressure level, and the full financial blow will lag three to four months as ~130 million barrels already loaded before the blockade remain in transit.
  • Maritime standoff deepens as Iran seizes vessels, lays additional mines, and ceasefire talks stall. Following the US seizure of the Touska, the IRGC seized the MSC Francesca and Epaminondes and fired on a third vessel transiting the Strait; the IRGC reportedly dropped additional mines during the final week of April, and the Pentagon assesses mine-clearing could take up to six months after a formal end to hostilities.

Latin America's Cybersecurity Turning Point: From Reactive Defense to Threat Intelligence

3 March 2026 at 01:00

Key Takeaways

  • Latin America faces a distinct and evolving cyber threat landscape, from PIX payment fraud to ransomware hitting critical infrastructure.
  • Most LATAM security teams are still reactive by necessity, and that posture is costing organizations in downtime, data, and trust.
  • Recorded Future offers LATAM-specific threat intelligence, automation, and 100+ integrations to help stretched teams get ahead of attacks before they land.
  • Meet us at RSA Booth N-6090 to see how intelligence-led security can transform your team's posture, from response to prevention.
  • Join our upcoming webinar to learn what proactive intelligence looks like for your region.
    Understanding the Dark Covenant, Its Evolution, and Impact

Recorded Future Expands Coverage of Scams and Financial Fraud with Money Mule Intelligence from CYBERA

26 February 2026 at 01:00

Recorded Future is expanding its payment fraud prevention capabilities through a partnership with CYBERA, the industry leader in detecting and verifying data on scam-linked bank accounts.

Available for purchase now via the Recorded Future Platform, Money Mule Intelligence helps fraud teams identify the accounts criminals use to extract and move stolen fundsโ€”addressing a critical gap as scams increasingly become banks' most pressing fraud challenge.

The Growing Threat of Authorized Push Payment Fraud

Authorized Push Payment (APP) fraud is accelerating. In the U.S., APP fraud losses are projected to reach nearly $15B by 2028, up from $8.3B in 2024, according to Deloitte. While traditional card fraud continues to decline, APP fraud is climbing, fueled by AI-generated deepfakes, personalized scam scripts, and instant payment systems like FedNow and Zelle that move money faster than conventional fraud controls can intercept it.

Mule accounts, or money mules, are part of the critical infrastructure that makes these scams possible. They provide the bridge that converts stolen payments into untraceable cash or cryptocurrency. Without them, most APP fraud would collapse because criminals cannot risk receiving funds directly into their own accounts. By the time victims realize they've been scammed, mule accounts have already moved the money through multiple layers, typically ending in cash withdrawals or crypto conversions.

Additionally, the sophistication of mule operations is increasing. Criminal organizations now employ "mule herders" who manage hundreds of accounts at once, using AI to simulate normal transaction behavior (grocery purchases, streaming subscriptions, etc.) so accounts don't appear dormant or suspicious. This makes detection through traditional pattern analysis increasingly difficult.

Regulators are responding by shifting liability to banks, often viewing those allowing mule accounts to operate as part of the criminal infrastructure itself. For example, the UK now requires banks to reimburse scam victims and allows them to delay suspicious payments for investigation, while U.S. regulators are signaling that banks may be held liable for failing to detect mule accounts.

Detecting mule accounts is fundamentally difficult. Theyโ€™re designed to blend in with legitimate activity, and traditional fraud controls can struggle to distinguish between a genuine customer payment and a scam transfer until it's too late.

CYBERA's Approach to Mule Intelligence

The challenge of detecting and disrupting mule account networks is what led CYBERA's founders to build their solution. Coming from legal practice and law enforcement, CYBERA's leadership team worked scam cases where they witnessed how recovery becomes impossible once funds move through the financial system. They realized that money mule networks represent a central vulnerability in the scam economy, one that banks had limited visibility into.

Today, CYBERA helps banks and payment networks disrupt scams at the point where funds are extracted. CYBERA's AI-powered Scam Engagement System generates intelligence on bank accounts and payment endpoints actively used by scam networks.

Unlike probabilistic risk scoring, CYBERA verifies each account, providing evidence and contextual metadata to enable proactive prevention across both internal accounts and outbound payments while minimizing false positives.

CYBERA supports two core use cases:

  • On-Us Mule Detection, which helps identify mule accounts held at your institution that are already linked to confirmed scam activity. This enables early detection and disruption of high-risk accounts, reducing downstream fraud, repeat victimization, and regulatory exposure within a bankโ€™s accountholders.
  • Off-Us Screening, which screens outbound payments to external beneficiary accounts before execution, helping to prevent customers from sending funds to scammer-controlled accounts. This is particularly valuable for high-value transfers, social engineering attacks, and customer-initiated payments where traditional controls are limited.

Large financial institutions have already prevented multiple six-figure losses by embedding CYBERAโ€™s intelligence into their transaction monitoring workflows. CYBERA has also been accepted as a member of the Mastercard Start Path program, making it the first Recorded Future partner to achieve this distinction and further validating its role in the payments ecosystem.

How Money Mule Intelligence Expands Payment Fraud Intelligence

Payment Fraud Intelligence (PFI) correlates the widest set of disparate, pre-monetization indicators of fraud to help teams act before their customers are impacted. Money Mule Intelligence extends that capability, giving fraud teams the verified intelligence needed to make high-confidence decisions that disrupt scams by flagging accounts that have been confirmed as mule infrastructure through direct investigation. Together, they provide coverage from initial compromise through attempted cash-out, helping fraud teams prevent losses at multiple intervention points.

โ€œSecuring payments requires more than reacting to fraud โ€” it requires anticipating it. Integrating Money Mule Intelligence strengthens our ability to illuminate the infrastructure behind financial crime, which is fully aligned with our strategy of securing payments with intelligence.โ€

Jamie Zajac

Chief Product Officer at Recorded Future

As regulators increasingly expect banks to prevent scam-enabled transfers, Money Mule Intelligence provides the verified data needed to comply with emerging reimbursement requirements while reducing the operational burden of post-incident investigation and remediation.

PFI users that purchase this capability, can now act on both sides of the transactionโ€”compromised payment instruments and scam-linked receiving accountsโ€”with evidence-backed intelligence that minimizes false positives and aligns with the industry's shift toward proactive fraud prevention.

January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day

24 February 2026 at 01:00

January 2026 saw a modest 5% increase in high-impact vulnerabilities, with Recorded Future's Insikt Groupยฎ identifying 23 vulnerabilities requiring immediate remediation, up from 22 in December 2025. Noteworthy trends last month included Russian state-sponsored exploitation of a Microsoft Office zero-day and critical authentication bypass flaws affecting enterprise infrastructure.

What security teams need to know:

  • APT28's Operation Neusploit: Russian state-sponsored actors exploited CVE-2026-21509 (Microsoft Office) via weaponized RTF files, delivering MiniDoor, PixyNetLoader, and Covenant Grunt implants
  • Microsoft and SmarterTools lead concerns: These vendors accounted for 30% of January's vulnerabilities, with multiple critical authentication bypass and RCE flaws
  • Public exploits proliferate: Fourteen of the 23 vulnerabilities reported have public proof-of-concept exploit code available
  • Code Injection dominates: CWE-94 (Code Injection) was the most common weakness type, followed by CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)

Bottom line: The slight increase masks significant threats. APT28's zero-day exploitation and multiple critical authentication bypass flaws demonstrate that threat actors continue targeting enterprise communication and management platforms for initial access and persistence.

Quick Reference Table

All 23 vulnerabilities below were actively exploited in January 2026.

#
Vulnerability
Risk
Score
Affected Vendor/Product
Vulnerability Type/Component
Public PoC
1
99
Cisco Identity Services Engine Software
CWE-611 (Improper Restriction of XML External Entity Reference)
No
2
99
Microsoft Windows
CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
3
99
Microsoft Windows
CWE-73 (External Control of File Name or Path)
No
4
99
Modular DS Plugin
CWE-266 (Incorrect Privilege Assignment)
5
99
GNU InetUtils
CWE-88 (Argument Injection)
6
99
Cisco Unified Communications Manager
CWE-94 (Code Injection)
7
99
SmarterTools SmarterMail
CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
8
99
SmarterTools SmarterMail
CWE-306 (Missing Authentication for Critical Function)
9
99
Microsoft Office
CWE-807 (Reliance on Untrusted Inputs in a Security Decision)
10
99
Fortinet Multiple Products
CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
11
99
SolarWinds Web Help Desk
CWE-502 (Deserialization of Untrusted Data)
No
12
99
Ivanti Endpoint Manager Mobile (EPMM)
CWE-94 (Code Injection)
13
99
Ivanti Endpoint Manager Mobile (EPMM)
CWE-94 (Code Injection)
14
99
Linux Kernel
CWE-190 (Integer Overflow or Wraparound)
15
99
SmarterTools SmarterMail
CWE-434 (Unrestricted Upload of File with Dangerous Type)
16
99
Broadcom VMware vCenter Server
CWE-787 (Out-of-bounds Write)
No
17
99
Synacor Zimbra Collaboration Suite (ZCS)
CWE-98 (PHP Remote File Inclusion)
18
99
Versa Concerto
CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
No
19
99
Vite Vitejs
CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-284 (Improper Access Control)
20
99
Prettier eslint-config-prettier
CWE-506 (Embedded Malicious Code)
No
21
89
Gogs
CWE-22 (Path Traversal)
22
89
Microsoft Office
CWE-94 (Code Injection)
No
23
89
Hewlett Packard Enterprise OneView
CWE-94 (Code Injection)

Table 1: List of vulnerabilities that were actively exploited in January based on Recorded Future data (Source: Recorded Future)

Key Trends in January 2026

Affected Vendors

  • Microsoft faced four critical vulnerabilities across Windows and Office products, including APT28's zero-day exploitation of CVE-2026-21509
  • SmarterTools accounted for three critical vulnerabilities affecting SmarterMail, all enabling authentication bypass or RCE
  • Cisco saw two critical flaws in Identity Services Engine and Unified Communications Manager
  • Ivanti dealt with two pre-authentication RCE vulnerabilities in Endpoint Manager Mobile
  • Additional affected vendors/projects: Fortinet, SolarWinds, Broadcom, Synacor, Versa, Hewlett Packard Enterprise, GNU, Linux, Vite, Prettier, Gogs, and Modular DS

Most Common Weakness Types

  • CWE-94 โ€“ Code Injection
  • CWE-288 โ€“ Authentication Bypass Using an Alternate Path or Channel
  • CWE-200 โ€“ Exposure of Sensitive Information to an Unauthorized Actor

Threat Actor Activity

APT28's Operation Neusploit marked January's most sophisticated campaign:

  • Exploited CVE-2026-21509 (Microsoft Office) via weaponized RTF files
  • Deployed MiniDoor, a malicious Outlook VBA project designed to collect and forward victim emails to hardcoded addresses
  • Deployed PixyNetLoader, which staged additional components and culminated in a Covenant Grunt implant
  • Abused Filen API as a C2 bridge between the implant and actor-controlled Covenant listener

Priority Alert: Active Exploitation

These vulnerabilities demand immediate attention due to confirmed exploitation in the wild.

CVE-2026-21509 | Microsoft Office

Risk Score: 99 (Very Critical) | Active exploitation by APT28

Why this matters: Zero-day exploitation by Russian state-sponsored actors bypasses Office security features, enabling delivery of email collection implants and backdoors. The vulnerability stems from reliance on untrusted inputs in security decisions, allowing unauthorized attackers to bypass OLE mitigations.

Affected versions: Microsoft 365 and Microsoft Office (versions not specified in advisory)

Immediate actions:

  • Install Microsoft's out-of-band update released January 26, 2026
  • Search email systems for RTF attachments with embedded malicious droppers
  • Check for modifications to %appdata%\Microsoft\Outlook\VbaProject.OTM
  • Review registry keys: HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level, Software\Microsoft\Office\16.0\Outlook\Options\General\PONT_STRING, and Software\Microsoft\Office\16.0\Outlook\LoadMacroProviderOnBoot
  • Monitor for connections to 213[.]155[.]157[.]123:443 and remote connectivity to Microsoft Office CDN endpoints
  • Hunt for scheduled tasks named "OneDriveHealth" and suspicious files in %programdata%\Microsoft\OneDrive\setup\Cache\SplashScreen.png
  • Block email addresses: ahmeclaw2002@outlook[.]com and ahmeclaw@proton[.]me
Figure 1: Vulnerability Intelligence Cardยฎ for CVE-2026-21509 in Recorded Future (Source: Recorded Future)

CVE-2026-23760 | SmarterTools SmarterMail

Risk Score: 99 (Very Critical) | CISA KEV: Added January 26, 2026

Why this matters: Unauthenticated attackers can reset system administrator passwords without any credentials or prior access, enabling complete administrative takeover and potential RCE through volume mount command injection.

Affected versions: SmarterTools SmarterMail prior to build 9511

Immediate actions:

  • Upgrade to build 9511 or later immediately
  • Review administrator account activity logs for unauthorized password resets
  • Check Volume Mounts configuration for suspicious command entries (this one IS correct for SmarterMail)
  • Review administrator access patterns and session logs
  • Audit system for unauthorized changes made with compromised admin access

CVE-2026-1281 & CVE-2026-1340 | Ivanti Endpoint Manager Mobile

Risk Score: 99 (Very Critical) | CISA KEV: CVE-2026-1281 added January 29, 2026

Why this matters: Pre-authentication RCE vulnerabilities in EPMM enable unauthenticated attackers to execute arbitrary code by exploiting Apache RewriteMap helper scripts that pass attacker-controlled strings to Bash.

Affected versions: Ivanti EPMM 12.5.0.0 and earlier, 12.5.1.0 and earlier, 12.6.0.0 and earlier, 12.6.1.0 and earlier, and 12.7.0.0 and earlier

Immediate actions:

  • Install temporary fixes via RPM packages: EPMM_RPM_12.x.0 - Security Update - 1761642-1.0.0S-5.noarch.rpm and EPMM_RPM_12.x.1 - Security Update - 1761642-1.0.0L-5.noarch.rpm
  • Plan migration to EPMM 12.8.0.0 (scheduled for Q1 2026 release)
  • Monitor for unusual Apache RewriteMap activity
  • Review logs for crafted HTTP parameters to app store retrieval routes
  • Check for unauthorized code execution attempts via RewriteRule handling

Exposure: EPMM instances accessible over corporate networks or VPN connections

Figure 2: Risk Rules History from Vulnerability Intelligence Cardยฎ for CVE-2026-1340 in Recorded Future (Source: Recorded Future)

Technical Deep Dive: Exploitation Analysis

APT28's Operation Neusploit (CVE-2026-21509)

The multi-stage attack chain: CVE-2026-21509 enables bypass of Office OLE mitigations through weaponized RTF files:

  • Initial delivery โ€“ Specially-crafted RTF file exploits CVE-2026-21509
  • Server-side evasion โ€“ Malicious DLL returned only for requests from targeted geographies with an expected HTTP User-Agent
  • Dropper variants โ€“ Two distinct infection paths deployed based on targeting:
    • Variant 1 (MiniDoor): Writes VBA project to Outlook, modifies registry settings to enable macro execution, forwards emails to hardcoded recipient addresses
    • Variant 2 (PixyNetLoader): Creates mutex asagdugughi41, decrypts embedded payloads using rolling XOR key, establishes persistence via COM hijacking

Why this matters: APT28 demonstrates sophisticated exploitation combining zero-day vulnerabilities with anti-analysis techniques, targeting government and business users for email collection and persistent access.

Modular DS WordPress Plugin Exploitation (CVE-2026-23550 & CVE-2026-23800)

The authentication bypass chain: CVE-2026-23550 enables administrator-level access without authentication:

  • Plugin treats requests as trusted based on request-supplied indicators rather than cryptographic verification
  • /api/modular-connector/login flow grants access based on site connector enrollment state
  • If no user identifier is supplied, the code selects an existing administrative user and establishes a privileged session
  • CVE-2026-23800 represents the second exploitation path via REST API user creation: /?rest_route=/wp/v2/users&origin=mo&type=x

Known IoCs associated with CVE-2026-23550:

  • 45[.]11[.]89[.]19
  • 185[.]196[.]0[.]11
  • 64[.]188[.]91[.]37

Known IoCs associated with CVE-2026-23800:

  • 62[.]60[.]131[.]161
  • 185[.]102[.]115[.]27
  • backup[@]wordpress[.]com
  • backup1[@]wordpress[.]com

Why this matters: WordPress plugin vulnerabilities enable threat actors to compromise multiple sites from a single centralized management platform, amplifying attack impact.

SmarterMail Authentication Bypass (CVE-2026-23760)

The password reset flaw: CVE-2026-23760 exposes privileged password reset to anonymous callers:

  • ForceResetPassword controller attribute explicitly permits unauthenticated access
  • Backend ForcePasswordReset routine branches on client-supplied IsSysAdmin boolean rather than deriving account type from server-side context
  • System administrator branch performs basic checks, then sets Password directly from the supplied NewPassword
  • Logic fails to validate OldPassword, lacks an authenticated session requirement, and omits authorization controls

Why this matters: Complete administrative takeover without credentials enables threat actors to deploy web shells, modify configurations, and establish persistent access to mail server infrastructure.

Detection & Remediation Resources

Nuclei Templates from Insikt Groupยฎ

Recorded Future customers can access Nuclei templates for:

  • CVE-2025-8110 (Gogs) - Version detection and fingerprinting check
  • CVE-2026-23760 (SmarterMail) - Authentication bypass validation

Recorded Future Product Integrations

January 2026 Summary

State-sponsored zero-days return. APT28's exploitation of CVE-2026-21509 demonstrates continued Russian interest in email collection and persistent access through Office vulnerabilities.

Authentication bypass dominates enterprise risk. Multiple critical flaws in SmarterMail, Modular DS, and Cisco products enable complete administrative takeover without credentials.

Legacy vulnerabilities persist. CVE-2009-0556 (Microsoft Office) highlights how threat actors continue targeting unretired systems where patching has lagged for over a decade.

Take Action

Ready to see how Recorded Future can help your team detect state-sponsored exploitation, prioritize authentication bypass fixes, and reduce enterprise attack surface? Explore our demo center for live examples, or dive deeper with Insikt Group research for technical threat intelligence.

About Insikt Groupยฎ:

Recorded Future's Insikt Groupยฎ is a team of elite analysts, linguists, and security researchers providing actionable intelligence to protect organizations worldwide. Our research combines human expertise with AI-powered analytics to deliver timely, relevant threat intelligence on emerging vulnerabilities and threat actor campaigns.

โŒ