Daily Briefing for 03.02.26

Top stories.

• Cyber operations accompany the war in Iran.
• CISA issues updated advisory on RESURGE malware targeting Ivanti devices.
• New RAT streamlines dual-extortion attacks against Windows systems.

Cyber operations accompany the war in Iran.

Disruptive cyberattacks followed the outbreak of war between the US, Israel, and Iran, SecurityWeek reports. After coordinated US and Israeli airstrikes on February 28th killed Iranian Supreme Leader Ali Khamenei and other senior officials, Iran responded with missile and drone attacks on US bases and Israel, causing some casualties and damage.

In cyberspace, reported US-Israeli operations disrupted Iranian news outlets, government services, and Islamic Revolutionary Guard Corps communications, and allegedly included distributed denial-of-service attacks and deeper intrusions into energy and aviation systems. A prolonged nationwide internet blackout followed, though it remains unclear whether that outage stemmed from external cyber activity or internal government controls. Pro-Western hackers also hijacked a popular Iranian prayer app, sending out push notifications that called for Iranians to take up arms against their government.

Pro-Iranian groups also launched cyberattacks against their adversaries, claiming to have breached fuel infrastructure in Jordan and manufacturing and energy distribution systems in Israel. Hacktivists frequently exaggerate the impact of their attacks, but experts caution that cyber operations are now tightly integrated with kinetic conflict, raising the risks for critical infrastructure across the region.

CISA issues updated advisory on RESURGE malware targeting Ivanti devices.

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an updated advisory on RESURGE, a strain of malware that exploits CVE-2025-0282 to breach Ivanti Connect Secure devices, BleepingComputer reports. A China-nexus threat actor began exploiting the Ivanti vulnerability in December 2024, and CISA published its initial report on RESURGE in March 2025.

The agency now warns that the malware "may be dormant and undetected on Ivanti Connect Secure devices and remains an active threat." CISA says RESURGE "has sophisticated network-level evasion and authentication techniques, leveraging advanced cryptographic methods and forged TLS certificates to facilitate covert communications." Once installed, the implant waits indefinitely for a specific inbound TLS connection.

CISA has released updated indicators of compromise to help organizations detect and remove infections.

New RAT streamlines dual-extortion attacks against Windows systems.

Researchers at BlackFog have observed a new commodity remote access Trojan called "Steaelite" that gives operators "browser-based control over infected Windows machines, covering remote code execution, credential theft, live surveillance, file exfiltration, and ransomware deployment from a single dashboard." Notably, the malware bundles data theft and ransomware into a single web panel, streamlining dual-extortion attacks.

The malware is being peddled on multiple criminal forums, advertised as a "fully undetectable" Windows RAT. The developers are also advertising an upcoming module that will enable ransomware attacks against Android devices.