Threat Intelligence RoundUp: April

May 04, 2026

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of how popular they were in the newsletter, i.e. what our readers found most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Iran-Linked Hackers Disrupt U.S. Critical Infrastructure by Targeting Internet-Exposed PLCs – The Hacker News

The Cybersecurity and Infrastructure Security Agency (CISA) announced that advanced persistent threat (APT) actors are conducting “exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley.” The activity has caused PLC disruptions across multiple U.S. critical infrastructure sectors through malicious project file interactions and manipulation of the data shown on HMI and SCADA displays. The affected Rockwell Automation/Allen-Bradley PLCs are in use in government facilities, water and wastewater systems, and the energy sector. Following initial access, the threat actors install Dropbear, a lightweight Secure Shell (SSH) server, on victim endpoints and use it for command-and-control (C2) and persistent remote access. The common thread is exposure: these controllers were reachable directly from the internet, so the first check for any asset owner is whether their own PLCs answer on public addresses.

2. FBI confirms hack of Director Patel’s personal email inbox – Bleeping Computer

On March 27, the Iranian hacking group Handala claimed it had breached the personal email account of FBI Director Kash Patel. “All personal and confidential email of Kash Patel, including emails, conversations, documents, and even classified files, is now available for public download,” the group stated. Watermarked personal photos and documents were subsequently released, including email correspondence from before Patel assumed the role. The attack was reportedly carried out in retaliation for the FBI’s seizure of Handala-linked domains after the group’s earlier cyberattack on medical technology company Stryker.

3. North Korean APT37 Uses Facebook Messenger Pretexting to Deliver RokRAT

The North Korean hacking group APT37 has been running a social engineering campaign on Facebook, using direct messages to build trust with targets before delivering the RokRAT malware. Operating two separate accounts, the threat actor used the pretext of sharing encrypted PDF files containing technical details about military weapons via Facebook Messenger or Telegram, then persuaded recipients to install a specialized PDF viewer in order to open them, which is how RokRAT is delivered. The malware uses Zoho WorkDrive as its command-and-control (C2) server, which lets it take screenshots, run commands remotely, gather information about the infected machine, and explore the file system while its traffic blends in with normal use of a legitimate cloud service. It also carries evasion for security tools such as Qihoo’s 360 Total Security.

4. ShinyHunters Claims Rockstar Games Breach via Snowflake Tokens Stolen from Anodot

Rockstar Games is the latest company reportedly hit by the hacking group ShinyHunters, which has claimed responsibility for the breach. According to the group, the data was taken from “Snowflake environments using authentication tokens stolen during a recent Anodot security incident”; Anodot is a data anomaly detection vendor. ShinyHunters published over 70 million Rockstar Games records, including “in-game revenue and purchase metrics, player behavior tracking, and game economy data for Grand Theft Auto Online and Red Dead Online.” The caveat for any Snowflake customer: a token held by a third-party integration is as good as a password until it is revoked, so inventory which vendors hold tokens for your warehouse and rotate them as soon as a vendor reports an incident.

5. Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations – The Hacker News

Check Point researchers are tracking an ongoing password-spraying campaign against Microsoft 365 environments, primarily in Israel and the UAE, carried out in three waves during March 2026. Each intrusion unfolds in three stages. First, the attackers scan and password-spray from Tor exit nodes, trying a small number of common passwords against many accounts to find ones with weak or reused credentials. Second, they log in with the credentials that worked, establishing a foothold in the tenant. Finally, they exfiltrate sensitive data, often entire mailbox contents. Because spraying produces only a few failures per account, it stays under per-account lockout thresholds; the signal to look for is a single source address failing against many distinct accounts inside a short window.
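The triage a defender would run over sign-in logs for the staged campaign above, written here as an added example (it is not code from the Check Point report or from this newsletter). The record format, the sample events and the Tor exit-node set are all constructed stand-ins: real Entra ID sign-in logs carry the same information as createdDateTime, userPrincipalName, ipAddress and a status code, and the Tor Project publishes the actual exit list.

```python
"""Password-spray triage over Microsoft 365 sign-in events.

Added example, not code from the Check Point report or this newsletter.
The record format (timestamp, user, source IP, result) is a simplified,
constructed stand-in for Entra ID sign-in log fields; the Tor exit-node set
is constructed too (in production, load the Tor Project's bulk exit list).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: one source hits six different accounts
# in under 30 seconds (spray), another hammers a single account (brute force).
SAMPLE_LOG = """\
2026-03-05T02:10:01Z alice@example.co.il 198.51.100.7 FAIL
2026-03-05T02:10:04Z bob@example.co.il 198.51.100.7 FAIL
2026-03-05T02:10:09Z carol@example.co.il 198.51.100.7 FAIL
2026-03-05T02:10:13Z dave@example.co.il 198.51.100.7 FAIL
2026-03-05T02:10:20Z erin@example.co.il 198.51.100.7 FAIL
2026-03-05T02:10:27Z frank@example.co.il 198.51.100.7 SUCCESS
2026-03-05T02:31:00Z frank@example.co.il 203.0.113.9 SUCCESS
2026-03-05T08:00:00Z alice@example.co.il 192.0.2.50 FAIL
2026-03-05T08:00:05Z alice@example.co.il 192.0.2.50 FAIL
2026-03-05T08:00:12Z alice@example.co.il 192.0.2.50 SUCCESS
"""

# Constructed stand-in for a Tor exit-node list.
TOR_EXIT_NODES = {"198.51.100.7", "203.0.113.9"}


def parse_log(text):
    """Return a list of (timestamp, user, ip, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       user.lower(), ip, result == "SUCCESS"))
    return events


def find_sprays(events, window=timedelta(minutes=30), min_users=5):
    """Map each spraying IP to the distinct accounts it failed against.

    Spraying is 'many accounts, few attempts each', so the signal is the
    number of distinct users per source IP inside a time window, not the
    raw failure count; a single account failing repeatedly is brute force,
    which this deliberately does not flag.
    """
    failures = defaultdict(list)
    for ts, user, ip, ok in events:
        if not ok:
            failures[ip].append((ts, user))
    sprays = {}
    for ip, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # slide the window so fails[start:end+1] spans at most `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                sprays[ip] = sorted(users)
                break
    return sprays


def footholds(events, sprays):
    """Accounts that authenticated successfully from a spraying IP: these are
    the sessions to revoke and the credentials to reset first."""
    return sorted({user for _, user, ip, ok in events if ok and ip in sprays})


def successful_tor_logins(events, exit_nodes=TOR_EXIT_NODES):
    """(user, ip) pairs for successful sign-ins from Tor exit nodes, the
    launch points the campaign is reported to use."""
    return sorted({(user, ip) for _, user, ip, ok in events
                   if ok and ip in exit_nodes})


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("spraying sources:", find_sprays(ev))
    print("footholds:", footholds(ev, find_sprays(ev)))
    print("tor logins:", successful_tor_logins(ev))
```

On the constructed data the spray source is flagged after five distinct failed accounts, the one account it then logged into is reported as a foothold, and the follow-on login from a second Tor exit is surfaced separately; the single-account brute force from 192.0.2.50 is deliberately left to a different rule, since lockout thresholds already cover it.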

6. Fake Ledger Live app on Apple’s App Store stole $9.5M in crypto – Bleeping Computer

A fake Ledger Live app, distributed through the Apple App Store, has stolen $9.5 million in cryptocurrency from 50 victims. The victims were tricked into entering their seed/recovery phrases into the app, which gave the attackers full control of the corresponding wallets and let them drain the funds. Investigators state that “the attackers used several wallet addresses to receive funds across multiple chains, including Bitcoin, Ethereum, Tron, Solana, and Ripple.” The stolen funds were laundered through 150 deposit addresses on the KuCoin exchange, which announced that the accounts had been frozen until April 20. The tell every hardware-wallet user should know: the genuine Ledger Live software never asks for the recovery phrase, which is only ever entered on the hardware device itself, so any app or web page requesting it is a phishing attempt.

7. Lotus Wiper Malware Targets Venezuelan Energy Systems in Destructive Attack – The Hacker News

Lotus, a data-wiping malware, was uploaded to a publicly accessible platform in December 2025 and subsequently used in targeted attacks against energy and utilities organizations in Venezuela. Two batch scripts initiate the destructive phase, preparing the environment for execution of the final wiper payload. Once run, the wiper neutralizes recovery mechanisms, overwrites physical drive contents, and recursively deletes files across affected volumes, leaving systems nonfunctional. No embedded extortion or payment instructions are present, indicating a non-financial motive; the practical consequence is that offline, immutable backups are the only recovery path.

8. Researchers Detect ZionSiphon Malware Targeting Israeli Water, Desalination OT Systems – The Hacker News

ZionSiphon is malware designed to target Israeli water treatment and desalination systems. It was first discovered following the Twelve-Day War between Israel and Iran in June 2025. Once executed, ZionSiphon scans the local subnet for devices, attempts to communicate with them over Modbus, DNP3, and S7comm, and alters process configuration parameters such as chlorine dosing and pressure set-points. The Modbus attack path is the most developed, while the DNP3 and S7comm components remain incomplete, suggesting ongoing development. The malware can also spread via removable media and self-deletes on systems that do not meet its targeting criteria. Numerous implementation flaws suggest it was either deployed prematurely or is still at a developmental stage. Modbus and classic S7comm carry no authentication at all, and DNP3 is rarely deployed with its Secure Authentication extension, so any host that can reach a controller on the network can rewrite its set-points; the defensive question is which hosts on that subnet are allowed to talk to the PLCs in the first place.
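Since the Modbus path is the one ZionSiphon has working, the wire-level check a water utility would want is a monitor that parses Modbus/TCP and raises on write function codes, which should only ever originate from the HMI and engineering hosts. The following is an added example, not code from the researchers who analysed the malware or from this newsletter; its four frames are constructed, and the mapping of register addresses 40 and 41 to chlorine-dosing and pressure set-points is an assumed stand-in for a real plant's tag database.

```python
"""Spot Modbus/TCP write requests that change process parameters.

Added example, not code from the ZionSiphon analysis or this newsletter. It
parses standard Modbus/TCP framing (MBAP header + PDU) and flags the write
function codes; the sample frames are constructed, and the mapping of
register addresses to chlorine-dosing and pressure set-points is an assumed
stand-in for a real plant's tag database.
"""
import struct

# Function codes that modify state on the controller.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

# Assumed register-to-tag mapping (constructed for illustration).
ASSUMED_TAGS = {40: "chlorine_dose_setpoint", 41: "outlet_pressure_setpoint"}

# Constructed frames: hex of MBAP header followed by PDU.
SAMPLE_FRAMES = [
    # tid=1, unit 1, Read Holding Registers (0x03) addr 40, qty 2 (benign poll)
    bytes.fromhex("0001 0000 0006 01 03 0028 0002"),
    # tid=2, unit 1, Write Single Register (0x06) addr 40 <- 900
    bytes.fromhex("0002 0000 0006 01 06 0028 0384"),
    # tid=3, unit 1, Write Multiple Registers (0x10) addr 40, qty 2 <- 900, 250
    bytes.fromhex("0003 0000 000B 01 10 0028 0002 04 0384 00FA"),
    # tid=4, unit 2, Write Single Coil (0x05) addr 5 <- ON (0xFF00)
    bytes.fromhex("0004 0000 0006 02 05 0005 FF00"),
]


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode one Modbus/TCP request into a dict.

    MBAP header: transaction id (2 bytes), protocol id (2, always 0),
    length (2, number of bytes that follow it: unit id + PDU), unit id (1).
    PDU: function code (1) followed by function-specific fields.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[7:]
    fc = pdu[0]
    req = {"tid": tid, "unit": unit, "fc": fc,
           "name": WRITE_FUNCTIONS.get(fc, f"function {fc:#04x}")}
    if fc in (0x05, 0x06):
        addr, value = struct.unpack(">HH", pdu[1:5])
        req["addr"], req["values"] = addr, [value]
    elif fc in (0x0F, 0x10):
        addr, qty, nbytes = struct.unpack(">HHB", pdu[1:6])
        data = pdu[6:6 + nbytes]
        if len(data) != nbytes:
            raise ValueError("truncated write payload")
        if fc == 0x10:
            if nbytes != 2 * qty:
                raise ValueError("byte count disagrees with register quantity")
            req["values"] = list(struct.unpack(f">{qty}H", data))
        else:
            # coils are packed one bit each, least-significant bit first
            req["values"] = [(data[i // 8] >> (i % 8)) & 1 for i in range(qty)]
        req["addr"] = addr
    elif fc in (0x01, 0x02, 0x03, 0x04):
        req["addr"], req["qty"] = struct.unpack(">HH", pdu[1:5])
    return req


def flag_writes(frames, tags=ASSUMED_TAGS):
    """Return one alert line per write request; reads pass silently."""
    alerts = []
    for frame in frames:
        req = parse_modbus_tcp(frame)
        if req["fc"] not in WRITE_FUNCTIONS:
            continue
        tag = tags.get(req["addr"], f"address {req['addr']}")
        alerts.append(f"unit {req['unit']}: {req['name']} to {tag} "
                      f"values={req['values']}")
    return alerts


if __name__ == "__main__":
    for line in flag_writes(SAMPLE_FRAMES):
        print(line)
```

The read poll produces nothing; the three writes each produce an alert naming the unit, the function and the tag touched. In a real deployment the frame source would be a span port or packet capture, and the alert would also carry the source IP so it can be compared against the allow-list of hosts permitted to write.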


Make sure to register for our weekly newsletter to get access to what our analysts are reading each week.


Copyright © 2026 DarkOwl, LLC All rights reserved.