Malware Activity

Hidden Surveillance and Sophisticated Cyber Attacks: New Threats Uncovered

Cybersecurity researchers have revealed that Intellexa's Predator spyware can secretly monitor iPhone users by hiding the usual camera and microphone activity indicators, making surveillance invisible. It does this by intercepting system functions responsible for updating these indicators, preventing them from appearing on the screen, even when the device is being recorded. This method relies on a single hook in the system's core component, allowing the spyware to stream feeds without alerting the user. Separately, a new cyber campaign called ClickFix has been discovered, which uses compromised websites to deliver a powerful remote access Trojan named MIMICRAT. This malware can run entirely in memory, evade detection, and provide extensive control over infected systems, targeting various organizations worldwide. Both threats highlight how cybercriminals are developing increasingly sophisticated methods to stay hidden and gain access to sensitive information. CTIX analysts will continue to report on the latest malware strains and attack methodologies.

Threat Actor Activity

Amazon Threat Intelligence Reports Threat Actor using AI Assistance to Breach Fortinet Firewalls

Researchers from Amazon Threat Intelligence have reported that a Russian-speaking threat actor used generative AI services to breach over 600 FortiGate firewalls across fifty-five (55) countries within five (5) weeks, from January 11 to February 18, 2026. The campaign exploited exposed management interfaces and weak credentials lacking MFA protection, bypassing the need for zero-day exploits. The compromised firewalls were found globally, including in South Asia, Latin America, and Northern Europe. The threat actor employed AI-powered tools to automate network access, reconnaissance, and lateral movement within breached systems. These tools, written in Python and Go, demonstrated AI-assisted development, with simplistic architecture and redundant coding characteristics typical of AI-generated code. The campaign targeted Veeam Backup and Replication servers and attempted to exploit various known Veeam vulnerabilities, including CVE-2019-7192 and CVE-2023-27532. Amazon's findings suggest the threat actor had limited technical capabilities but significantly amplified their operations through AI, utilizing large language models (LLMs) to generate attack methodologies and reconnaissance frameworks. This approach lowered the barrier to entry for cybercrime, enabling extensive network compromises. Separate research by Cyber and Ramen highlighted the use of AI models like DeepSeek and Claude to generate attack plans. A custom Model Context Protocol (MCP) server named ARXON was used to bridge reconnaissance data with language models, automating post-compromise analysis and attack planning. The campaign's integration of AI demonstrates how unsophisticated actors can scale operations efficiently, a highly forecasted threat for 2026. CTIX Analysts recommend securing FortiGate management interfaces, enabling MFA, and isolating backup servers. Organizations should also anticipate continued AI-augmented threat activity and prioritize stronger defensive measures such as patch management and credential hygiene. CTIX Analysts will continue providing updates on emerging AI tactics being used by Threat Actors.
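As an added defensive illustration (not from the CTIX report or from Fortinet documentation), the FortiOS CLI fragment below places the weak posture this campaign relied on (admin services on the WAN, password-only administrators) beside a hardened one. Interface names, the management subnet and the token serial are constructed placeholders; lines beginning with # are annotations.

```fortios
# --- Weak posture (constructed example): HTTPS/SSH administration reachable
# --- from the Internet, admin account with no source restriction and no MFA.
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set two-factor disable
    next
end

# --- Hardened posture: no admin services on the WAN interface; management
# --- only on a dedicated interface, limited to a trusted subnet, with
# --- FortiToken two-factor on the administrator account and login lockout.
config system interface
    edit "wan1"
        set allowaccess ping
    next
    edit "mgmt"
        set allowaccess https ssh
    next
end
config system admin
    edit "admin"
        # constructed management subnet; only sources in it may log in
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
        # placeholder serial of the token assigned to this administrator
        set fortitoken "FTKMOB0000000000"
    next
end
config system global
    # lock the account after 3 failed attempts for 600 seconds
    set admin-lockout-threshold 3
    set admin-lockout-duration 600
end
```

Applying the trusthost restriction before two-factor enrolment is complete can lock out administrators whose sessions originate outside the listed subnet, so stage the change from a host inside it.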

Vulnerabilities

Actively Exploited Roundcube Vulnerabilities Drive Federal Patch Mandate and Heightened Espionage Risk

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two (2) Roundcube Webmail vulnerabilities, CVE-2025-49113 and CVE-2025-68461, to its Known Exploited Vulnerabilities (KEV) Catalog following confirmed active exploitation and directed all Federal Civilian Executive Branch (FCEB) agencies to remediate affected systems by no later than March 13, 2026.

CVE-2025-49113 is a critical remote code execution (RCE) flaw stemming from unsafe deserialization and improper validation of the "_from" parameter within upload functionality, enabling authenticated attackers to execute code and posing elevated risk given its presence in the codebase for over a decade and reliable exploitation on default installations. Researchers reported that threat actors rapidly reverse engineered and weaponized the vulnerability within forty-eight (48) hours of disclosure, with exploit code quickly appearing for sale, while internet scanning has identified tens of thousands of publicly exposed Roundcube instances potentially at risk. The second vulnerability, CVE-2025-68461, is a lower-complexity cross-site scripting (XSS) flaw leveraging SVG animate tag abuse that can be exploited remotely by unauthenticated attackers. Although attribution for current activity has not been disclosed, Roundcube has historically been targeted by both cybercriminal and state-sponsored threat actors, including APT28 and Winter Vivern, which previously exploited Roundcube XSS vulnerabilities in espionage campaigns against European and Ukrainian government entities, reinforcing concerns that widely deployed webmail platforms remain high-value initial access and persistence vectors. CTIX analysts urge any affected administrators to follow the Roundcube guidance and patch the flaws before the CISA deadline to prevent exploitation.

