Israeli firm Gambit Security has forensically linked the late-March attack on the Los Angeles County Metropolitan Transportation Authority to Iran's Ministry of Intelligence and Security (MOIS), despite the attackers branding themselves as the pro-Iran hacktivist collective 'Ababil of Minab.' The group posted videos claiming it wiped hundreds of terabytes and stole over a terabyte of files. LA Metro confirmed the breach on April 2, 2026, and had to check hundreds of servers for compromise before bringing them back online. The case illustrates a recurring pattern of state operations wearing a hacktivist costume to provide deniability while targeting critical infrastructure.
Symantec's Threat Hunter Team detailed a global cyber-espionage campaign by MuddyWater (a.k.a. Seedworm, Static Kitten, Temp Zagros), an APT linked to Iran's Ministry of Intelligence and Security. The group hit at least nine organizations on four continents in Q1 2026 - including a major unnamed South Korean electronics manufacturer where attackers maintained access from February 20 to 27. They abused signed legitimate binaries fmapp.exe (a Fortemedia audio utility) and sentinelmemoryscanner.exe (a SentinelOne component) to sideload malicious DLLs called fmapp.dll and sentinelagentcore.dll, both carrying the ChromElevator post-exploitation tool that lifts data from Chrome-based browsers. Stolen files were staged through public file-transfer service sendit[.]sh to blend in.