Péter Magyar, a conservative politician and the new Hungarian prime minister, says CPAC was paid by the Hungarian government and will not be any longer.
Hungary also paid consulting firms in DC as well as conservative influencers.
March 31, 2026
Cyber Operations
Axios npm Supply Chain Attack Deploys Cross-Platform RAT
A supply chain attack compromised the widely used Axios HTTP client library on npm, affecting versions 1.14.1 and 0.30.4. The attacker hijacked a maintainer account and injected a malicious dependency called "plain-crypto-js," which delivers a remote access trojan capable of executing arbitrary commands, exfiltrating data, and persisting across Windows, macOS, and Linux systems. Socket's automated detection flagged the package within six minutes of publication. With Axios receiving approximately 100 million weekly downloads, the blast radius is significant. The attack was carefully staged: payloads for three operating systems were pre-built, both release branches were hit within 39 minutes, and every trace was designed to self-destruct.
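As an added check that is not part of this digest or of any vendor's tooling, the script below audits an npm lockfile for the two Axios releases named above and for the injected plain-crypto-js dependency. The two lockfiles embedded in it are constructed samples (the plain-crypto-js version string is a placeholder), and the field names are those of npm's package-lock.json formats, version 1 (nested tree) and versions 2/3 (flat "packages" map).

```javascript
// Added example (not from the original digest): scan a package-lock.json for the Axios
// releases named in the report and for the plain-crypto-js dependency they pulled in.
// Field names follow npm lockfile v1 (nested "dependencies") and v2/v3 (flat "packages").

const COMPROMISED_AXIOS = new Set(["1.14.1", "0.30.4"]); // versions named in the report
const MALICIOUS_PACKAGE = "plain-crypto-js";              // dependency injected by the attacker

// Package name from an install path such as "node_modules/foo/node_modules/axios".
function nameFromPath(installPath) {
  const marker = "node_modules/";
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? installPath : installPath.slice(idx + marker.length);
}

// lockfileVersion 1 nests installed packages under "dependencies" (declared deps live in
// "requires"); flatten that tree into the v2/v3 "packages" shape so one walker serves both.
function flattenV1(deps, prefix, out) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const installPath = prefix + "node_modules/" + name;
    out[installPath] = { version: meta.version, dependencies: meta.requires };
    flattenV1(meta.dependencies, installPath + "/", out);
  }
  return out;
}

// Returns findings as {kind, path, version}; an empty array means no sign of the compromise.
function auditLockfile(lock) {
  const packages = lock.packages || flattenV1(lock.dependencies, "", {});
  const findings = [];
  for (const [installPath, meta] of Object.entries(packages)) {
    if (installPath === "") continue; // root project entry in v2/v3 lockfiles
    const name = nameFromPath(installPath);
    const version = meta.version;
    if (name === "axios" && COMPROMISED_AXIOS.has(version)) {
      findings.push({ kind: "compromised-axios", path: installPath, version });
    }
    if (name === MALICIOUS_PACKAGE) {
      findings.push({ kind: "malicious-dependency", path: installPath, version });
    }
    // Also flag anything that merely declares the dropper (resolved but pruned or not yet installed).
    const declared = Object.assign({}, meta.dependencies, meta.optionalDependencies);
    if (Object.prototype.hasOwnProperty.call(declared, MALICIOUS_PACKAGE)) {
      findings.push({ kind: "declares-malicious-dependency", path: installPath, version });
    }
  }
  return findings;
}

// Constructed v3 lockfile resembling a project that resolved the compromised release.
// The plain-crypto-js version string is a placeholder, not the version actually published.
const SAMPLE_LOCK_V3 = {
  name: "example-app", lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": {
      version: "1.14.1",
      dependencies: { "follow-redirects": "^1.15.6", "plain-crypto-js": "0.0.0-placeholder" },
    },
    "node_modules/plain-crypto-js": { version: "0.0.0-placeholder" },
    "node_modules/follow-redirects": { version: "1.15.6" },
  },
};

// Constructed v1 lockfile with an Axios version the report does not name (this check says
// nothing about whether other versions are safe; it only matches the two listed).
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    axios: {
      version: "1.13.0",
      requires: { "follow-redirects": "^1.15.6" },
      dependencies: { "follow-redirects": { version: "1.15.6" } },
    },
  },
};
```

Against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditLockfile`; any non-empty result should be treated as an exposure to the compromised release, not merely an outdated dependency.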
European Commission Confirms Cloud Data Breach
The European Commission confirmed a cyberattack affecting its cloud infrastructure hosting the Europa.eu platform. The ShinyHunters extortion gang claimed responsibility, posting screenshots suggesting possession of approximately 350 GB of data including mail server contents, databases, and confidential documents. The Commission stated its internal systems were not affected. This marks the second breach of EU institutions this year, following an earlier compromise of the Commission's mobile device management platform.
Citrix NetScaler Vulnerability Under Active Exploitation
CISA added CVE-2026-3055—a critical out-of-bounds read vulnerability (CVSS 9.3) in Citrix NetScaler ADC and Gateway—to its known exploited vulnerabilities list on March 30, based on evidence of active exploitation. The flaw affects systems configured as SAML Identity Providers and can leak sensitive memory contents. Threat actors have been probing honeypots to enumerate vulnerable configurations since at least March 27.
Iran-Linked Cyber Campaigns Escalate Amid Conflict
Iranian-linked groups have mounted nearly 5,800 cyberattacks since hostilities began, according to security firm DigiCert. A recent operation targeted Israeli Android users with texts offering bomb shelter information that instead downloaded spyware granting access to cameras, location data, and all device contents. Palo Alto's Unit 42 has identified 7,381 conflict-themed phishing URLs across 1,881 unique hostnames.
Information Operations & Foreign Influence
Iran's AI Deepfake Campaign Draws Hundreds of Millions of Views
A pro-Iran disinformation campaign has generated over 145 million views and nine million interactions across social media platforms. The New York Times identified more than 110 unique deepfakes conveying pro-Iran messaging in a two-week span. The majority are produced by Iranian government-linked networks and amplified by Russian and Chinese information ecosystems. The campaign uses tens of thousands of fake accounts to portray Iran as victorious and its adversaries as weakened. X announced it would penalize creators who post unlabeled AI war content by removing them from revenue-sharing for 90 days.
Russia–China–Iran Convergence in Cognitive Warfare
A Small Wars Journal analysis published March 18 documents how Russia, Iran, and China are coordinating narrative warfare to erode Western cohesion. Russia's 2026 budget increased information operations funding by 54%, adding $458 million for state-run media. Generative AI allows a single adversary to manage thousands of personas producing unique content at scale, while China uses state-aligned media accounts to echo anti-U.S. narratives.
Espionage
Russia Expels British Diplomat on Espionage Allegations
Russia's FSB ordered the expulsion of British Embassy second secretary Albertus Gerhardus Janse van Rensburg, accusing him of economic espionage and providing false information to obtain entry to Russia. The FSB alleged he attempted to obtain sensitive information during informal meetings with Russian economic experts. The British Embassy dismissed the allegations as "completely unacceptable." Russian state TV reported he is the 16th British diplomat expelled over the past two years.
Pakistan-Linked Spy Network Dismantled in India
Indian police arrested 22 individuals operating a Pakistan-linked espionage network that used solar-powered CCTV cameras and GPS-enabled apps to monitor troop movements and critical infrastructure. The network installed surveillance equipment along the Delhi-Jammu railway corridor, with cameras recovered from Delhi Cantonment and Haryana's Sonipat found actively transmitting footage to Pakistan-based handlers. Nearly 50 such installations were planned nationwide. The Indian government has ordered a nationwide CCTV audit in response.
Russia Shifts to Vulnerable Recruits for European Operations
Following the mass expulsion of Russian intelligence officers from Europe, the GRU and FSB have shifted to recruiting financially vulnerable Europeans—including migrants, criminals, and the unemployed—for low-level sabotage and surveillance. Former Wagner Group operatives have been tasked with identifying recruits willing to carry out arson, assaults, or vandalism for small payments. More than 150 suspected hybrid incidents linked to Russia have been reported across the EU and NATO in early 2026.
Assessments & Reports
ODNI Releases 2026 Annual Threat Assessment
DNI Gabbard released the 2026 Annual Threat Assessment on March 26. The report identifies lone wolf attackers as the most likely terrorist threat to the U.S. homeland, highlights Mexican cartels and Venezuelan organized crime as top domestic concerns, and warns that nuclear-capable adversaries could collectively field more than 16,000 missiles by 2035. The assessment also flags AI and quantum computing as critical emerging technology challenges, alongside cyberthreats from China and North Korea.

Axios 1.14.1 and 0.30.4 injected the malicious plain-crypto-js dependency after npm compromise on March 31, 2026, deploying cross-platform RAT malware.
March 29, 2026
Cyber Operations
Iran-linked cyber campaign reaches 5,800 attacks since start of war. A Washington Post investigation published today details how hacking, disinformation, and AI-generated content have become embedded in the U.S.–Israel–Iran conflict. Investigators at security firm DigiCert have tracked nearly 5,800 cyberattacks by roughly 50 Iran-linked groups since the war began last month, targeting U.S., Israeli, and Gulf state organizations. Iranian hackers and their proxies are targeting supply chains supporting the war effort, as well as critical infrastructure including ports, rail stations, water plants, data centers, and hospitals.
Stryker medical device attack disrupted Maryland hospitals. As part of the broader Iranian cyber campaign, hackers wiped more than 200,000 devices at medical device manufacturer Stryker on March 11, directly impacting emergency medical services and hospitals in Maryland. Some hospitals reportedly postponed surgeries because Stryker implants became unavailable. A separate Iran-linked ransomware group encrypted a U.S. healthcare provider's systems in under three hours in late February.
Iran-linked Handala group claims breach of FBI Director Patel's email. The Handala Hack Team, which the U.S. has linked to Iranian intelligence, claimed responsibility for breaching the personal Gmail account of FBI Director Kash Patel. The group published photographs, a work resume, and personal documents. The FBI stated the information is "historical in nature" from the early 2010s and does not include government information. Handala framed the breach as retaliation for the FBI's seizure of several Handala domains and the announcement of a $10 million reward for information on group members.
FDD analysis finds Iranian cyber operations exploiting weakened U.S. defenses. The Foundation for Defense of Democracies published an assessment noting that the dismantling of the State Department's Global Engagement Center and the FBI's Foreign Malign Influence Task Force under the current administration has reduced the U.S. government's capacity to monitor and counter Iranian cyber and influence operations during the conflict.
Espionage
China-linked APT embeds stealthy backdoors in global telecom infrastructure. Rapid7 Labs disclosed that the Chinese APT group Red Menshen has deployed upgraded BPFdoor backdoor implants inside telecom networks across South Korea, Hong Kong, Myanmar, Malaysia, Egypt, and the Middle East. The implants operate at the kernel level using Berkeley Packet Filter functionality, activating only when they receive a specially crafted "magic packet." Newer variants monitor SCTP signaling traffic used in 4G and 5G core networks and disguise themselves as legitimate HPE ProLiant or Kubernetes processes. Rapid7 coordinated with national CERTs and released a detection script.
Three charged with smuggling AI-capable Nvidia chips to China. A federal indictment unsealed this week charges three individuals with conspiring to divert high-performance AI server hardware assembled in the United States to China through Super Micro Computer, in violation of U.S. export control laws. Separately, a Chinese national and two U.S. citizens were arrested and charged with attempting to procure millions of dollars' worth of restricted computer chips for export to China.
Information Operations & Foreign Influence
Iran deploys AI-generated deepfakes as part of wartime influence campaign. The Foundation for Defense of Democracies reported that Iranian government-linked networks are producing AI-generated videos and imagery propagated through state-affiliated channels and inauthentic social media accounts. These are then amplified by Russian bot networks and echoed by Chinese state-aligned media accounts, demonstrating the coordinated information alliance among the three states.
Russia, China, and Iran ramp up spending on influence infrastructure. According to a Small Wars Journal analysis, Russia's 2026 budget increased state media and information operations funding by 54 percent (an additional $458 million), Iran's broadcasting budget rose 46 percent year-over-year to approximately $580 million, and China is restructuring its operations into a "Cognitive Domain" framework under its 15th Five-Year Plan.
Sanctions Enforcement
Three sentenced in North Korean IT worker fraud scheme. A federal court sentenced three U.S. nationals — Alexander Paul Travis, Jason Salazar, and Audricus Phagnasay — for conspiracy to commit wire fraud after they allowed North Korean IT workers to use their identities to gain remote employment at U.S. companies. Travis, a former Fort Gordon soldier, received 12 months in prison. The scheme used identity fraud and remote access software to bypass corporate hiring safeguards, with revenue believed to support North Korean weapons programs.

Iran has turned to its cyber operations to make up for its military disadvantages in its conflict with Israel and the U.S. Since the war began last month, hackers supporting Iran have launched thousands of cyberattacks on companies and organizations in both the U.S. and Israel, seeking to undermine the war effort and critical supply chains.
March 24, 2026
Information Operations & Foreign Influence
A former NSA analyst published a detailed investigation exposing a coordinated multi-nation disinformation network on X involving Russia, China, Iran, and Turkey. The network used a central account called "Global Insight Journal" that followed a three-phase amplification strategy — Turkish seeding, Iranian boosting, and Russian boosting — to spread narratives favorable to those states during the U.S.-Iran conflict. Posting volume dropped between March 3–5, coinciding with the destruction of Iran's state propaganda headquarters (IRIB), suggesting operational dependency on Iranian state infrastructure.
The Foundation for Defense of Democracies published an analysis arguing the 2026 Annual Threat Assessment omits key Russian threats, particularly Moscow's routine probing of NORAD airspace near Alaska, GPS interference in the Arctic, and simulated strikes against NATO targets. NORAD responded nine times to Russian aircraft near Alaska in 2025 and twice already in 2026.
PolitiFact published a detailed overview of Iran's influence operations during the current conflict, documenting the use of AI-generated imagery through state-affiliated channels and inauthentic social media accounts to spread favorable messaging — conducted even as Iran's internet connectivity has been reduced to 1–4% since strikes began on February 28.
Cyber Operations
Citrix released security updates addressing two vulnerabilities in NetScaler ADC and NetScaler Gateway, including a critical flaw (CVE-2026-3055, CVSS 9.3) involving insufficient input validation that could allow unauthenticated remote attackers to leak sensitive information from appliance memory.
Threat actors are suspected of actively exploiting a maximum-severity flaw in Quest KACE Systems Management Appliance (CVE-2025-32975, CVSS 10.0). Malicious activity was first observed the week of March 9 in customer environments. The authentication bypass vulnerability allows attackers to impersonate legitimate users and take over administrative accounts.
Iran-linked cyber operations continue in the wake of the February 28 U.S.-Israel strikes. The Iran-linked group Handala previously claimed the cyberattack on Stryker, the medical device company, which was the first destructive cyberattack to hit a U.S.-based company during the war. Palo Alto Networks' Unit 42 continues to track the broader escalation of Iranian cyber risk, noting multiple state-aligned personas coordinating under an "Electronic Operations Room" formed on February 28, with some estimates of 60 individual hacktivist groups now active.
Espionage
Ukraine's Security Service (SBU) announced it had identified Hungarian military intelligence officer Zoltan Andre as the handler of a spy network in the Zakarpattia region. Andre allegedly exploited Hungarian diplomatic institutions to recruit agents from among locals applying for Hungarian citizenship. The network collected intelligence on Ukrainian defense force deployments, including attempts to identify air defense positions in western Ukraine. Two members of the cell were detained. This is the first time Ukraine has publicly exposed an intelligence network run by a NATO ally.
The U.S. Department of Justice unsealed an indictment charging three individuals — Yih-Shyan "Wally" Liaw (U.S. citizen), Ruei-Tsang "Steven" Chang, and Ting-Wei "Willy" Sun (both Taiwanese citizens) — with conspiring to illegally divert high-performance AI server technology to China. The defendants allegedly used false documents, staged dummy servers to mislead inspectors, and convoluted transshipment schemes to evade U.S. export controls. Liaw and Sun were arrested; Chang remains a fugitive.
In Vienna, the trial of former Austrian intelligence officer Egisto Ott continues — Austria's biggest espionage case in years. Ott is accused of passing information to Russian intelligence and fugitive Wirecard executive Jan Marsalek, including allegedly obtaining a laptop containing secret EU electronic security hardware that was handed to Russian intelligence in 2022.
March 25, 2026
Information Operations & Foreign Influence
Iran's AI-driven disinformation campaign continues to escalate. Tehran's state-affiliated channels and allied networks remain the highest-volume producer of fabricated imagery tied to the ongoing U.S.-Israel-Iran conflict. PolitiFact reported that Iran has released AI-generated content through state channels and deployed inauthentic social media accounts to spread favorable messaging, including fabricated proof of military victories that did not occur. The most prominent false claim — that Iranian missiles sank the USS Abraham Lincoln — continues to circulate despite no credible evidence. These narratives are amplified through Russian and Chinese information ecosystems.
Small Wars Journal published an analysis of the 2026 Worldwide Threats Hearing held before the House Permanent Select Committee on Intelligence. The hearing analysis noted that the administration shuttered key counter-influence infrastructure, including the FBI's Foreign Malign Influence Task Force, the State Department's Global Engagement Center, and the DNI's Foreign Malign Influence Center, leaving no designated official for election threat response. The 2026 Annual Threat Assessment, released by ODNI, for the first time elevated AI as a cross-cutting threat shaping operations by China, Russia, Iran, and North Korea rather than treating it as a standalone capability.
Cyber Operations
Iran-linked hackers targeted a second U.S. medical institution. Axios reported on March 24 that an Iran-aligned group struck another healthcare target, following the earlier crippling cyberattack on medical device giant Stryker. The Stryker attack — claimed by Handala Hack, a persona tied to Iran's Ministry of Intelligence and Security (MOIS) — disrupted the company's Lifenet system, which emergency responders use to transmit patient data, rendering electrocardiogram transmissions non-functional across parts of Maryland.
DOJ seized four domains tied to Iranian cyber-psychological operations. The Justice Department announced the court-authorized seizure of domains used by MOIS to claim credit for hacking, post stolen data, and issue death threats against journalists and dissidents. The FBI's investigation revealed the domains shared Iranian IP ranges and a common operational playbook combining destructive cyberattacks with "faketivist" psychological operations. Handala had also posted PII of approximately 190 individuals linked to the IDF and solicited cartel "partners" to carry out violence against its targets.
China-linked group deploys new malware toolkit against telecom providers. CySecurity News reported that a Chinese cyber-espionage group designated UAT-9244 has been targeting South American telecoms using three previously undocumented malware families: TernDoor (a Windows backdoor), PeerTime (a Linux backdoor using the BitTorrent protocol to obscure command infrastructure), and BruteEntry (a credential brute-forcing tool). Separately, Salt Typhoon's global campaign against telecom infrastructure continues, with activity confirmed in Canada, Brazil, Myanmar, South Africa, and across Southeast Asian universities.
Espionage
U.S.-origin iPhone exploit kit proliferating to adversary services. Research published by Google and iVerify confirmed that an exploit kit dubbed "Coruna" — likely built by U.S. military contractor L3Harris — has escaped controlled channels and is now in the hands of Russian espionage operators and Chinese cybercriminals. The toolkit contains five exploit chains leveraging more than 20 iOS vulnerabilities and has likely infected tens of thousands of phones. Russia's UNC6353 used the related DarkSword framework in watering-hole campaigns against Ukrainian users, extracting passwords, messages, and browser history with minimal victim interaction before self-deleting.
Russia's APT28 revives advanced malware for Ukraine espionage. Recorded Future reported that APT28's advanced development team has reemerged with renewed tooling built around two implants — BeardShell and Covenant — deployed together in espionage campaigns. The group compromised a Ukrainian maritime agency through a phishing campaign exploiting a Zimbra webmail vulnerability, continuing its systematic targeting of Ukrainian government communications infrastructure.
March 27, 2026
Cyber Operations
Coruna iOS Exploit Kit Leaked Online. A major iPhone hacking toolkit known as "Coruna," originally developed by U.S. defense contractor L3Harris for government use, has been publicly leaked on GitHub. The kit contains 23 exploits across five exploit chains targeting iOS 13 through 17.2.1 and had already migrated from Russian espionage operations in Ukraine to Chinese cybercriminal campaigns before the public release. Apple has patched the underlying vulnerabilities in newer iOS versions, but millions of devices running older software remain exposed.
China-Linked APT Embeds BPFdoor Implants in Telecom Networks. Rapid7 published findings on a sustained espionage campaign by China-nexus group Red Menshen, which deployed kernel-level BPFdoor backdoors deep inside global telecommunications infrastructure. The implants conceal command triggers within legitimate encrypted HTTPS traffic and target providers across South Korea, Hong Kong, Myanmar, Malaysia, Egypt, and the Middle East. Separately, Unit 42 reported that a second China-linked group, UAT-9244, has been targeting South American telecoms with three custom malware families since at least 2024.
Iran Conflict Drives Surge in Hacktivist and Wiper Attacks. Unit 42 updated its Iran threat brief on March 26, warning of escalating wiper attack risk tied to the ongoing U.S.-Israel-Iran conflict. Over 60 active threat groups have been tracked, with 53 operating on the pro-Iranian side. Handala Hack, believed to be a front for Iran's Ministry of Intelligence, claimed a destructive wiper attack on U.S. healthcare firm Stryker in mid-March. Experts warn that Iran-linked hacktivists may increasingly target U.S. state and local government systems, with a Pennsylvania township already hit.
GlassWorm Supply-Chain Campaign Evolves. The GlassWorm campaign, which compromised over 400 packages across GitHub, npm, PyPI, and VS Code extension marketplaces earlier this month, has evolved. Researchers at Malwarebytes identified a new variant deploying a malicious Chrome extension capable of keylogging, session token theft, and screenshot capture. The attack leverages Solana blockchain transactions as dead drop resolvers to fetch payload URLs.
CYFIRMA Publishes Weekly Intelligence Report. CYFIRMA released its weekly intelligence report for March 27, covering current threat actor activity and vulnerability disclosures.
Information Operations & Foreign Influence
Iran's Internet Blackout Enters Day 28. Iran has now surpassed its 27th consecutive day of near-total internet blackout following the February 28 U.S.-Israel strikes, with connectivity hovering between 1–4% of normal levels. The blackout has severely constrained both inbound information access and outbound influence operations, though Iranian state media continues to push disinformation through external channels, with NewsGuard documenting at least 18 false war-related claims since hostilities began.
AI-Generated War Disinformation at Unprecedented Scale. The Iran-Israel-U.S. conflict has produced an information war of historic scale, with the New York Times identifying over 110 distinct AI-generated images and videos in just the first two weeks of fighting. Disinformation and narrative manipulation have been documented from all sides, amplified by generative AI tools that make fabricated content increasingly difficult to distinguish from authentic reporting.
U.S. Foreign Influence Monitoring Capacity Diminished. As the conflict generates record disinformation volumes, the U.S. government's institutional capacity to monitor and counter foreign influence operations has been significantly weakened. The administration shuttered the FBI's Foreign Malign Influence Task Force, the State Department's Global Engagement Center, and the DNI's Foreign Malign Influence Center, leaving no designated official for election threat response.
Espionage
Russian Intelligence Operatives Arrested in Spain and Germany. German and Spanish authorities arrested two individuals — a Ukrainian national in Alicante, Spain, and a Romanian citizen in Germany — on suspicion of spying on a German drone manufacturer that supplies strike UAVs to Ukraine. The Ukrainian suspect had been systematically filming the company's facilities since December 2025, and investigators believe the intelligence was being collected to prepare further actions against the target, possibly including a physical attack.
DRILLAPP Backdoor Targets Ukrainian Defense Sector. A Russia-linked APT assessed to overlap with Laundry Bear (UAC-0190) has been deploying DRILLAPP, a JavaScript-based backdoor that abuses Microsoft Edge debugging to conduct stealth espionage against Ukrainian targets. The malware can upload and download files, activate the microphone, and capture webcam images, using the browser as a covert channel to avoid detection.
Russian Phishing Campaign Targets Government Officials on Signal and WhatsApp. Threat actors affiliated with Russian intelligence services are conducting phishing campaigns to compromise messaging applications used by current and former U.S. government officials, military personnel, political figures, and journalists. Portugal's national intelligence service issued a parallel warning about a global campaign targeting WhatsApp and Signal accounts of diplomats and government officials.
OFAC Sanctions North Korean IT Worker Network. The U.S. Treasury sanctioned six individuals and two entities for their roles in DPRK IT worker fraud schemes that generated nearly $800 million to fund North Korea's weapons programs. The schemes rely on stolen identities and fabricated personas to place workers at legitimate companies, with salaries funneled back through cryptocurrency channels across multiple blockchains.

Here’s what we know, and what you need to know, about Coruna and DarkSword, two advanced iPhone hacking tools discovered by security researchers. DarkSword has now leaked online.