# Top Stories
March 05, 2026
1. SecurityWeek, general, Mar 05: Nation-State iOS Exploit Kit ‘Coruna’ Found Powering Global Attacks
Google and iVerify researchers discovered the Coruna iOS exploit kit containing 23 exploits across five full chains targeting iOS versions 13.0 to 17.2.1. Originally deployed by Russian state actors, the sophisticated toolkit has now expanded beyond nation-state use into broader criminal campaigns including cryptocurrency theft, demonstrating the proliferation of advanced mobile exploitation capabilities from state to criminal actors.
2. CyberScoop, general, Mar 04: Global coalition dismantles Tycoon 2FA phishing kit
A Microsoft-led international coalition dismantled the Tycoon 2FA phishing-as-a-service platform, which targeted over 500,000 organizations monthly, and seized 330 domains. The operation involved law enforcement from multiple countries and resulted in a civil complaint against the alleged creator, marking a significant disruption of a major phishing infrastructure that bypassed two-factor authentication protections.
3. BleepingComputer, general, Mar 04: FBI seizes LeakBase cybercrime forum, data of 142,000 members
The FBI and 14 countries seized LeakBase, one of the world's largest cybercrime forums with over 142,000 members trafficking in hacking tools and stolen data. The international operation captured the site's database and arrested multiple suspects, delivering a major blow to the underground economy for stolen credentials and cybercrime services.
4. Dark Reading, general, Mar 04: VMware Aria Operations Bug Exploited, Cloud Resources at Risk
CVE-2026-22719, a command injection flaw in VMware Aria Operations that allows unauthenticated remote code execution, is being exploited in the wild. CISA added the high-severity vulnerability (CVSS 8.1) to its KEV catalog, indicating active exploitation that could grant attackers broad access to victims' cloud environments through the management platform.
5. BleepingComputer, general, Mar 04: Mail2Shell zero-click attack lets hackers hijack FreeScout mail servers
The FreeScout helpdesk platform contains a maximum-severity zero-click vulnerability dubbed Mail2Shell that allows remote code execution without authentication or user interaction. The flaw is a patch bypass for an authenticated code execution bug, enabling attackers to achieve full server compromise through email-based exploitation of the open-source support ticket system.
6. SecurityWeek, general, Mar 04: New LexisNexis Data Breach Confirmed After Hackers Leak Files
LexisNexis confirmed a data breach after hackers leaked 2GB of files containing approximately 400,000 personal information records. The legal research giant acknowledged the compromise of legacy systems, representing a significant exposure of sensitive legal and personal data maintained by the widely-used legal information service.
7. BleepingComputer, general, Mar 04: Cisco warns of max severity Secure FMC flaws giving root access
Cisco released patches for two maximum-severity vulnerabilities in Secure Firewall Management Center (FMC) software that grant root access to attackers. The critical flaws in the enterprise firewall management platform pose significant risk to organizations' network security infrastructure, requiring immediate patching to prevent complete system compromise.
8. The Hacker News, general, Mar 04: APT41-Linked Silver Dragon Targets Governments Using Cobalt Strike and Google Drive C2
The Silver Dragon APT group, linked to the APT41 nexus, has targeted government entities in Europe and Southeast Asia since mid-2024 using Cobalt Strike and Google Drive for command-and-control. The threat actor gains initial access through public-facing server exploitation and phishing emails, representing an evolution in how established Chinese cyber espionage groups operate against Western governments.
9. The Hacker News, general, Mar 04: 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict
Two hacktivist groups, Keymous+ and DieNet, conducted 149 DDoS attacks against 110 organizations across 16 countries following the U.S.-Israel military campaign against Iran codenamed Epic Fury and Roaring Lion. The surge occurred between February 28 and March 2, with these two groups driving nearly 70% of all Middle East hacktivist activity during the retaliatory period.
10. threat-intel, Mar 03: Iranian drone strikes hit Amazon data centers in Gulf, disrupting cloud services
Iranian drone strikes damaged three Amazon AWS data centers in the UAE and one in Bahrain, causing widespread cloud service disruptions across the Middle East. The physical attacks on critical cloud infrastructure represent an escalation in regional cyber-physical warfare, directly impacting global cloud computing services and demonstrating vulnerabilities in geographically distributed data center operations.