
Iranian Cyber Campaign Targets 3,900 Critical Infrastructure Devices as Adobe Reader Zero-Day Exploited Since December

Executive Summary

This week's intelligence reveals a significantly elevated threat environment for critical infrastructure operators, driven by escalating Iranian cyber operations and the discovery of long-running zero-day exploitation campaigns.

  • Iranian Critical Infrastructure Campaign: Censys researchers have identified approximately 3,900 devices exposed to an ongoing Iranian government-linked campaign targeting energy, water, and U.S. government facilities. This campaign coincides with heightened geopolitical tensions following recent U.S. strikes on Iran, with the Strait of Hormuz experiencing near-standstill conditions as Iran warns commercial vessels to remain in Iranian waters.
  • Adobe Reader Zero-Day Exploitation: Security researchers have confirmed that threat actors have been exploiting an unpatched vulnerability in Adobe Reader via malicious PDF documents since at least December 2025—a four-month exploitation window that likely affected numerous organizations before detection.
  • Healthcare Sector Under Attack: Dutch healthcare software vendor ChipSoft suffered a ransomware attack forcing offline operations, while a newly identified "VENOM" phishing-as-a-service platform is actively targeting C-suite executives across multiple industries.
  • Supply Chain Compromise: The Smart Slider 3 Pro plugin update system for WordPress and Joomla was hijacked to distribute malicious versions containing multiple backdoors, potentially affecting thousands of websites.
  • Quantum Security Urgency: Google and Cloudflare are accelerating quantum-resistant cryptography timelines amid concerns about advancing Chinese quantum computing capabilities, signaling that organizations should prioritize post-quantum migration planning.

Threat Landscape

Nation-State Threat Actor Activities

Iranian Cyber Operations Intensify

The most significant development this week involves Iranian government-linked threat actors conducting an aggressive campaign against U.S. critical infrastructure. According to Censys researchers, approximately 3,900 devices across energy, water, and government sectors are currently exposed to this campaign. Water ISAC has issued a TLP:AMBER+STRICT situation report warning of potential retaliation following U.S. military strikes on Iran.

Despite a shaky ceasefire, SecurityWeek reports that Iranian-linked hackers have vowed to revive operations against American targets "when the time is right," demonstrating how digital warfare has become ingrained in military conflict. Infrastructure operators should maintain heightened vigilance regardless of diplomatic developments.

Russian APT Activity

The FBI disclosed details of a successful operation that disrupted APT28 (Russian GRU) infrastructure exploiting vulnerable routers for DNS hijacking. FBI Cyber Chief Brett Leatherman characterized the campaign as unique in its ability to propagate from compromised routers to broader network infrastructure, describing it as providing "tremendous access" to targeted networks. Water ISAC has issued guidance on this threat vector.

Chinese Threat Activity

In a notable development, Security Magazine reports that a state-run Chinese supercomputer was allegedly compromised with 10 petabytes of data stolen—a rare instance of successful offensive operations against Chinese state infrastructure. Separately, Microsoft threat intelligence has linked China-based threat actors to Medusa ransomware campaigns targeting internet-facing assets.

Emerging Threat Clusters

  • UAT-10362: A newly documented threat cluster is conducting spear-phishing campaigns against Taiwanese NGOs and universities using novel "LucidRook" Lua-based malware. The Hacker News reports this campaign demonstrates sophisticated targeting of civil society organizations.
  • Bitter APT: A hack-for-hire campaign with suspected ties to Indian government interests has been targeting journalists, activists, and government officials across the Middle East and North Africa region.
  • UNC6783: Google's threat intelligence team has identified a new extortion group targeting Business Process Outsourcing (BPO) companies and enterprise helpdesks, potentially linked to the "Mr. Raccoon" persona behind alleged Adobe data theft.

Ransomware and Cybercriminal Developments

Healthcare Ransomware Attack

ChipSoft, a Dutch healthcare software vendor serving numerous healthcare providers, was forced to take its website and digital services offline following a ransomware attack. This incident affects patient portals and healthcare provider systems, demonstrating continued targeting of healthcare supply chain vendors.

VENOM Phishing-as-a-Service Platform

A previously undocumented PhaaS platform called "VENOM" has been identified targeting C-suite executives across multiple industries. The platform specifically focuses on harvesting Microsoft credentials from senior leadership, representing a significant threat to enterprise security.

Financial Sector Targeting

  • STX RAT: Infosecurity Magazine reports on a newly identified remote access trojan specifically targeting the finance sector with advanced command-and-control capabilities and stealthy delivery methods.
  • Bitcoin Depot Breach: The Bitcoin ATM operator lost $3.66 million (over 50 Bitcoin) after attackers compromised credentials and accessed cryptocurrency wallets.

Physical Security Threats

ISIS Easter Threat

Homeland Security Today reports that ISIS has issued a call for attacks on churches and synagogues globally during the Easter period. Critical infrastructure operators with facilities near religious sites should coordinate with local law enforcement and increase situational awareness.

Strait of Hormuz Disruption

The Strait of Hormuz is experiencing near-standstill conditions as Iran warns commercial vessels to remain in Iranian territorial waters. This has significant implications for global energy supply chains and maritime transportation security.

Labor Actions Affecting Security

Security guards in Baltimore are participating in a strike, potentially affecting physical security coverage at various facilities. Organizations relying on contracted security services should assess potential impacts and develop contingency plans.

Sector-Specific Analysis

Energy Sector

The energy sector faces elevated risk from the Iranian cyber campaign identified by Censys researchers. With 3,900 devices reportedly exposed, energy operators should immediately:

  • Audit internet-facing assets and operational technology (OT) systems
  • Review and restrict remote access capabilities
  • Implement enhanced monitoring for indicators of compromise associated with Iranian threat actors
  • Coordinate with sector ISACs for threat intelligence sharing

The Strait of Hormuz disruption may impact petroleum supply chains, warranting contingency planning for potential supply disruptions.

Water & Wastewater Systems

Water ISAC has issued multiple advisories this week addressing the heightened threat environment:

  • TLP:AMBER+STRICT Situation Report: Updated guidance on potential Iranian retaliation targeting water infrastructure
  • TLP:AMBER Advisory: Warning about nation-state actors exploiting compromised security cameras for targeting critical infrastructure
  • Weekly Vulnerability Prioritization: Guidance on critical patches for water sector systems

Water utilities should review the Water ISAC portal for detailed threat intelligence and implement recommended defensive measures.

Communications & Information Technology

Supply Chain Compromise

The Smart Slider 3 Pro plugin compromise represents a significant supply chain attack affecting WordPress and Joomla installations. Organizations using this plugin should:

  • Immediately audit installations for indicators of compromise
  • Review plugin update mechanisms and implement verification procedures
  • Consider web application firewall rules to detect backdoor activity

Microsoft Cloud Security Concerns

Bruce Schneier highlights ProPublica reporting on federal cyber experts characterizing Microsoft's cloud security as inadequate, raising concerns about organizations' reliance on Microsoft cloud services for critical operations.

Mobile SDK Vulnerability

A critical flaw in the EngageLab SDK exposed 50 million Android users, including 30 million cryptocurrency wallet users, demonstrating the cascading risk of third-party SDK vulnerabilities.

Transportation Systems

Eurail Data Breach

Eurail B.V. disclosed that a December 2025 breach compromised personal information of over 300,000 individuals, including names and passport numbers. This breach affects European rail travel operations and highlights the importance of protecting traveler data.

Maritime Security

The Strait of Hormuz situation requires heightened awareness for maritime transportation operators. Organizations should monitor developments and prepare for potential supply chain disruptions.

Healthcare & Public Health

The healthcare sector faces multiple active threats this week:

  • ChipSoft Ransomware: The attack on this healthcare software vendor demonstrates continued targeting of healthcare supply chain
  • VENOM PhaaS: Executive credential theft campaigns may target healthcare leadership
  • Adobe Reader Zero-Day: Healthcare organizations frequently use PDF workflows and should prioritize mitigation

Healthcare organizations should review business continuity plans for vendor disruptions and implement enhanced email security controls.

Financial Services

Financial sector threats this week include:

  • STX RAT: Purpose-built malware targeting financial institutions with advanced evasion capabilities
  • Bitcoin Depot Breach: $3.66 million cryptocurrency theft highlighting risks to digital asset custodians
  • VENOM Phishing: Executive-targeted credential theft campaigns

Financial institutions should enhance monitoring for the STX RAT indicators and review cryptocurrency custody security controls.

Vulnerability & Mitigation Updates

Critical Vulnerabilities Requiring Immediate Attention

Adobe Reader Zero-Day (CRITICAL)

Security researcher Haifei Li has documented an unpatched Adobe Reader vulnerability being actively exploited via malicious PDF documents since December 2025. No patch is currently available.

Recommended Mitigations:

  • Implement strict controls on PDF file handling from untrusted sources
  • Consider alternative PDF readers for high-risk environments
  • Deploy enhanced email filtering for PDF attachments
  • Enable Protected View in Adobe Reader where possible
  • Monitor for Adobe security updates and apply immediately when available
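Since no patch or public detail for the Adobe Reader bug exists, the practical control is triage of inbound PDFs before they reach a reader. The script below is an added example, not code from the original briefing or from Adobe: it scores a PDF by generic high-risk features (JavaScript, actions that fire on open, Launch actions, embedded files) and inflates FlateDecode streams so that names hidden inside object streams are still seen. The sample PDFs are constructed inline; the feature list and weights are this example's own choices, not indicators for the specific zero-day.

```python
import re
import zlib

# Generic PDF name objects behind most document-borne exploitation and phishing,
# with a weight each. These are triage features chosen for this example, NOT
# indicators for the unpatched Adobe Reader bug (no public details exist).
RISKY_NAMES = {
    b"/JavaScript": ("embedded JavaScript", 3),
    b"/JS": ("JavaScript action", 3),
    b"/OpenAction": ("action fires on open", 2),
    b"/AA": ("automatic (additional) actions", 2),
    b"/Launch": ("launches an external program", 4),
    b"/EmbeddedFile": ("embedded file attachment", 2),
    b"/RichMedia": ("rich media annotation", 2),
    b"/XFA": ("XFA form", 1),
    b"/ObjStm": ("object streams (can hide all of the above)", 1),
}

# Matches "stream ... endstream" bodies; a CR-LF PDF leaves a trailing \r that
# zlib tolerates as trailing data.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)


def inflate_streams(data: bytes) -> bytes:
    """Concatenate every stream that inflates as zlib (FlateDecode); skip the rest."""
    inflated = []
    for m in STREAM_RE.finditer(data):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # image data, another filter, or a truncated stream
    return b"\n".join(inflated)


def triage_pdf(data: bytes) -> dict:
    """Score a PDF by risky names found in the raw bytes plus inflated streams."""
    if not data.lstrip().startswith(b"%PDF-"):
        return {"is_pdf": False, "findings": {}, "score": 0, "verdict": "not-a-pdf"}
    haystack = data + b"\n" + inflate_streams(data)
    findings, score = {}, 0
    for name, (label, weight) in RISKY_NAMES.items():
        # Negative lookahead keeps /JS from matching /JSX-style longer names.
        hits = len(re.findall(re.escape(name) + rb"(?![A-Za-z])", haystack))
        if hits:
            findings[label] = hits
            score += weight * hits
    verdict = "block" if score >= 4 else "review" if score else "allow"
    return {"is_pdf": True, "findings": findings, "score": score, "verdict": verdict}


# Constructed sample documents (minimal, not real malware).
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF"
MALICIOUS_PDF = (
    b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF"
)
_hidden = zlib.compress(b"<< /S /Launch /F (cmd.exe) >>")  # Launch action inside a FlateDecode stream
HIDDEN_PDF = (
    b"%PDF-1.7\n3 0 obj << /Filter /FlateDecode /Length " + str(len(_hidden)).encode()
    + b" >>\nstream\n" + _hidden + b"\nendstream\nendobj\n%%EOF"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("malicious", MALICIOUS_PDF), ("hidden", HIDDEN_PDF)):
        print(label, triage_pdf(doc))
```

A mail gateway or download proxy can quarantine anything scored "block" and route "review" documents to a sandboxed viewer; Protected View in Reader remains the last line for files that pass.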

Google API Key Exposure in Android Apps

SecurityWeek reports that dozens of Google API keys can be extracted from Android apps' decompiled code, providing unauthorized access to Gemini AI endpoints. Organizations developing Android applications should audit API key handling practices.
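As an added example (not from the SecurityWeek report or any Google tooling), the following scanner looks for Google API keys in a decompiled Android tree. It uses the documented key shape (the prefix `AIza` followed by 35 URL-safe characters) and also decodes base64 string literals, a common way keys are lightly hidden in smali or Java constants. The file tree is constructed inline; a real run would walk the output of a decompiler. Finding a key is only the first step: the actual exposure is whether that key is unrestricted or allowed to call the Generative Language API, which has to be checked in the project's console, not offline.

```python
import base64
import binascii
import re

# Documented shape of a Google API key: "AIza" plus 35 URL-safe characters.
KEY_RE = re.compile(r"AIza[0-9A-Za-z_\-]{35}")
# Base64 runs long enough to hold a 39-byte key (39 bytes encode to 52 chars).
B64_RE = re.compile(r"[A-Za-z0-9+/]{52,}={0,2}")


def find_keys(text: str) -> set:
    """Return keys appearing in clear or inside base64-encoded literals."""
    hits = set(KEY_RE.findall(text))
    for tok in B64_RE.findall(text):
        try:
            decoded = base64.b64decode(tok, validate=True).decode("ascii", "ignore")
        except (binascii.Error, ValueError):
            continue  # not valid base64 (e.g. a long hex blob)
        hits.update(KEY_RE.findall(decoded))
    return hits


def redact(key: str) -> str:
    """Keep enough of the key to correlate with the console, never the whole value."""
    return key[:8] + "..." + key[-4:]


def scan_sources(files: dict) -> list:
    """files: {relative path: text}. Returns (path, line number, redacted key)."""
    findings = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            for key in sorted(find_keys(line)):
                findings.append((path, lineno, redact(key)))
    return findings


# Constructed sample: a fake key (correct shape, not a real credential) placed
# in a resource file in clear and in a smali constant as base64.
FAKE_KEY = "AIzaSyEXAMPLE" + "X" * 26
SAMPLE_TREE = {
    "res/values/strings.xml": (
        f'<string name="gemini_key">{FAKE_KEY}</string>\n'
        '<string name="app_name">Demo</string>'
    ),
    "smali/com/example/Cfg.smali": (
        f'const-string v0, "{base64.b64encode(FAKE_KEY.encode()).decode()}"\n'
        "invoke-static {v0}, Lcom/example/Cfg;->init(Ljava/lang/String;)V"
    ),
    "smali/com/example/Clean.smali": 'const-string v1, "https://example.invalid/api"',
}

if __name__ == "__main__":
    for path, lineno, key in scan_sources(SAMPLE_TREE):
        print(f"{path}:{lineno}: {key}")
```

Pointed at an `apktool`-style output directory, the same `scan_sources` call works on `{path: open(path).read()}`; the base64 pass is worth keeping because it is what separates this from a one-line grep.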

CISA ICS Advisories

CISA released two Industrial Control System advisories on April 9, 2026. Organizations using the affected products should review the advisories and implement recommended mitigations.

Network Security Appliance Patches

Palo Alto Networks and SonicWall have released patches for high-severity vulnerabilities that could allow attackers to modify protected resources and escalate privileges to administrator level. Organizations should prioritize patching these network security devices.

Browser Security Enhancement

Google Chrome 146 introduces Device Bound Session Credentials (DBSC) protection for Windows, designed to block info-stealing malware from harvesting session cookies. DBSC binds a session to a key held on the device (TPM-backed on Windows), so cookies exfiltrated to another machine stop being usable; it does not stop malware acting from inside the compromised browser session itself, and it only helps on sites that adopt it. Organizations should ensure Chrome deployments are updated to benefit from this protection.

macOS Security Bypass

A new ClickFix variant bypasses the Terminal security warnings Apple introduced in macOS 26.4 by steering victims to Script Editor to run the malicious script instead. Users should treat any web page, fake CAPTCHA, or support chat that asks them to paste and run a command or script, whether in Terminal or Script Editor, as an attack; the new warning covers only one of the two paths.

Resilience & Continuity Planning

Lessons Learned

Patch Window Compression

CSO Online analysis confirms that time-to-exploit continues to accelerate, with patch windows collapsing as threat actors rapidly weaponize disclosed vulnerabilities. Organizations should:

  • Implement automated patch management where feasible
  • Prioritize internet-facing and critical systems for rapid patching
  • Develop compensating controls for situations where immediate patching is not possible
  • Consider virtual patching through WAF/IPS rules

FBI Router Takedown Lessons

The FBI's successful disruption of APT28's router-based infrastructure highlights the importance of:

  • Maintaining current firmware on network edge devices
  • Implementing network segmentation to limit lateral movement
  • Monitoring DNS traffic for anomalies indicating hijacking
  • Participating in public-private threat intelligence sharing
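The DNS-monitoring point above is concrete enough to show in code. The detector below is an added example, not part of the FBI disclosure or the Water ISAC guidance: it reads resolver or firewall log lines and raises two alert types that a router-level DNS hijack produces. First, clients whose queries go to a resolver outside the approved set (what happens when a compromised router rewrites the DNS servers it hands out); second, canary domains whose A records drift outside the address ranges they are known to live in. The log format, the approved resolvers, and the canary ranges are all constructed for this example (documentation prefixes only); CNAME answers are skipped rather than checked.

```python
import ipaddress
import re

# Constructed policy: resolvers the network is allowed to use, and canary
# domains whose A records must stay inside a known range.
APPROVED_RESOLVERS = {ipaddress.ip_address(a) for a in ("192.0.2.53", "192.0.2.54")}
CANARY_RANGES = {
    "portal.corp.example": ipaddress.ip_network("198.51.100.0/24"),
    "vpn.corp.example": ipaddress.ip_network("198.51.100.0/24"),
}

# Constructed log line format (real resolver/firewall exports differ):
#   <ts> client=<ip> server=<resolver ip> qname=<name> a=<comma-separated answers or empty>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) server=(?P<server>\S+) "
    r"qname=(?P<qname>\S+) a=(?P<answers>\S*)$"
)

# Constructed sample log: one query sent to a rogue resolver, one canary answer
# that has drifted to an unexpected prefix, one NXDOMAIN, one unparseable line.
SAMPLE_LOG = """\
2026-04-09T10:00:01Z client=10.0.0.5 server=192.0.2.53 qname=portal.corp.example a=198.51.100.10
2026-04-09T10:00:07Z client=10.0.0.5 server=192.0.2.53 qname=www.example.com a=203.0.113.80
2026-04-09T10:02:13Z client=10.0.0.9 server=203.0.113.9 qname=www.example.com a=203.0.113.80
2026-04-09T10:03:40Z client=10.0.0.5 server=192.0.2.53 qname=portal.corp.example a=203.0.113.77
2026-04-09T10:04:02Z client=10.0.0.7 server=192.0.2.54 qname=missing.corp.example a=
garbage line that does not parse
"""


def parse_line(line: str):
    """Return a dict for a well-formed line, None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["answers"] = [a for a in rec["answers"].split(",") if a]
    return rec


def detect_hijack(log_text: str) -> list:
    """Return (timestamp, alert_type, detail) tuples for suspicious records."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            server = ipaddress.ip_address(rec["server"])
        except ValueError:
            continue
        if server not in APPROVED_RESOLVERS:
            alerts.append((rec["ts"], "unapproved-resolver",
                           f"{rec['client']} -> {server} for {rec['qname']}"))
        expected = CANARY_RANGES.get(rec["qname"].rstrip(".").lower())
        if expected is not None:
            for answer in rec["answers"]:
                try:
                    addr = ipaddress.ip_address(answer)
                except ValueError:
                    continue  # CNAME or other non-address answer: not checked here
                if addr not in expected:
                    alerts.append((rec["ts"], "canary-answer-drift",
                                   f"{rec['qname']} -> {addr} (expected {expected})"))
    return alerts


if __name__ == "__main__":
    for ts, kind, detail in detect_hijack(SAMPLE_LOG):
        print(ts, kind, detail)
```

The first check needs the egress firewall to log UDP/TCP 53 destinations, not just the resolver's own logs; the second works from any resolver export and catches a hijack even when the rogue server is upstream of an approved one.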

Supply Chain Security

This week's Smart Slider plugin compromise underscores ongoing supply chain risks. Recommended practices:

  • Implement software composition analysis for third-party components
  • Verify update authenticity through multiple channels when possible
  • Maintain inventory of all third-party software and plugins
  • Establish vendor security assessment procedures
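The Smart Slider compromise (see the Communications & Information Technology section) and the supply chain practices above both come down to the same two controls at install time: verify the package against a hash obtained somewhere other than the hijacked update channel, and inspect what is inside before it is deployed. The script below is an added example, not code from the plugin vendor or from any published analysis of the incident: the two plugin archives are constructed in memory, the "published" hash is assumed to have been obtained out-of-band from the vendor, and the PHP patterns are generic web-shell heuristics, not indicators tied to the actual backdoors.

```python
import hashlib
import hmac
import io
import re
import zipfile

# Generic PHP web-shell idioms for this example; NOT indicators from the
# Smart Slider incident, whose backdoors are not described on this page.
BACKDOOR_PATTERNS = [
    (re.compile(rb"\beval\s*\("), "eval()"),
    (re.compile(rb"\b(?:assert|create_function)\s*\("), "assert()/create_function()"),
    (re.compile(rb"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
     "decoder/obfuscation call"),
    (re.compile(rb"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)"),
     "command execution fed by request input"),
]
STATIC_DIRS = {"assets", "images", "img", "cache", "uploads", "fonts"}


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_hash(data: bytes, published_hex: str) -> bool:
    """Constant-time compare against the hash published by the vendor (obtained out-of-band)."""
    return hmac.compare_digest(sha256_of(data), published_hex.lower())


def scan_package(data: bytes) -> list:
    """Return human-readable findings for a plugin zip; empty list means nothing flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("/") or ".." in name.split("/"):
                findings.append(f"{name}: path traversal entry")
                continue
            if info.is_dir():
                continue
            lower = name.lower()
            if not lower.endswith((".php", ".phtml", ".php5", ".inc")):
                continue
            if any(part in STATIC_DIRS for part in lower.split("/")[:-1]):
                findings.append(f"{name}: PHP file in static-asset directory")
            body = zf.read(info)
            for pattern, label in BACKDOOR_PATTERNS:
                if pattern.search(body):
                    findings.append(f"{name}: {label}")
    return findings


def _make_zip(files: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed packages (hypothetical plugin layout, not the real plugin's tree).
CLEAN_PKG = _make_zip({
    "example-plugin/example-plugin.php": b"<?php\n/* Plugin Name: Example */\nadd_action('init', 'ex_init');\n",
    "example-plugin/assets/app.js": b"console.log('ok');\n",
})
TROJANED_PKG = _make_zip({
    "example-plugin/example-plugin.php": b"<?php\nadd_action('init', 'ex_init');\n",
    "example-plugin/assets/cache.php": b"<?php eval(base64_decode($_POST['x'])); ?>",
})
PUBLISHED_HASH = sha256_of(CLEAN_PKG)  # assumption: fetched from the vendor over a separate channel


def check_package(data: bytes, published_hex: str) -> dict:
    """Gate used before an update is applied: hash must match and the scan must be clean."""
    findings = scan_package(data)
    hash_ok = verify_hash(data, published_hex)
    return {"hash_ok": hash_ok, "findings": findings, "install": hash_ok and not findings}


if __name__ == "__main__":
    print("clean:", check_package(CLEAN_PKG, PUBLISHED_HASH))
    print("trojaned:", check_package(TROJANED_PKG, PUBLISHED_HASH))
```

The hash check alone is enough to reject a tampered archive when the vendor publishes hashes; the content scan is the fallback for update channels that carry no independent integrity signal, and its hits are leads for manual review rather than verdicts.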

Cross-Sector Coordination

Homeland Security Today reports the launch of a new Center for Cross-Sector Coordination to address rising cyber and physical threats. This initiative aims to improve information sharing and coordinated response across critical infrastructure sectors.

Third-Party Risk Management

Recorded Future emphasizes that third-party risk management should be treated as an intelligence operation, moving beyond simple ratings-based approaches to comprehensive vendor risk assessment incorporating threat intelligence.

Regulatory & Policy Developments

Quantum Cryptography Migration

Multiple reports this week indicate accelerating timelines for quantum-resistant cryptography adoption:

  • CyberScoop reports that advancements in hardware, mathematics, and concerns about Chinese quantum computing breakthroughs are driving Google and others to call for speedier migration
  • Cloudflare is "actively adjusting" quantum priorities following Google's warnings

Organizations should begin inventorying cryptographic dependencies and developing post-quantum migration roadmaps.

AI Governance Gaps

SANS Institute research reveals that AI agents are driving a 76% surge in non-human identities (NHIs), creating significant governance gaps. Organizations deploying AI systems should:

  • Inventory all AI agents and their associated credentials
  • Implement identity governance for non-human identities
  • Establish monitoring for AI agent behavior anomalies

Shadow AI Risks

The Hacker News highlights growing concerns about shadow AI adoption in enterprises, where employees deploy AI tools without formal IT approval. Organizations should develop clear AI acceptable use policies and provide approved alternatives.

Data Privacy Concerns

CSO Online raises questions about LinkedIn's data collection practices, highlighting broader concerns about enterprise social media data handling that may inform future regulatory action.

Training & Resource Spotlight

New Resources

FBI IC3 2025 Internet Crime Report

Water ISAC has highlighted the FBI's IC3 2025 Internet Crime Report, providing valuable statistics and trends on cyber-enabled crime affecting critical infrastructure.

2025 Annual Review of Plots and Attacks

A new research report reviewing plots and attacks across the U.S. in 2025 is available, providing context for physical security planning.

AI Security Research

RSAC researchers have demonstrated methods to bypass Apple Intelligence AI guardrails using "Neural Exec" methods and Unicode manipulation, providing valuable insights for organizations deploying AI systems.

Security Visibility ROI

SecurityWeek analysis explores how security visibility provides returns beyond monitoring and compliance, including deterrence effects and improved decision-making—useful context for security investment justification.

Looking Ahead: Upcoming Events

April 2026

May 2026

June-July 2026

Heightened Awareness Periods

  • Easter Weekend (April 11-13, 2026): Elevated threat period based on ISIS call for attacks on religious sites
  • Ongoing: Heightened vigilance for Iranian cyber operations targeting critical infrastructure
  • Ongoing: Monitor for Adobe Reader patch release and apply immediately

This intelligence briefing is compiled from open-source reporting and is intended to support critical infrastructure protection efforts. Recipients are encouraged to share relevant information with sector partners through appropriate channels and report suspicious activity to relevant authorities and sector ISACs.

Disclaimer

This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.