Rapid7 Labs reports a sharp uptick in retaliatory cyber activity against regional and Western infrastructure, blending state-directed espionage with a noisy layer of hacktivist disruption. State-linked groups are weaponizing high-impact CVEs for persistence while collectives stage DDoS and defacements, and many breach claims on Telegram and dark forums are exaggerated or fabricated. #MuddyWater #Seedworm #CyberAv3ngers #KeymousPlus #DieNet #NoName05716 #IvantiEPMM #SmarterMail #NableNCentral #ErlangSSH
Key points
- Rapid7 has monitored a sustained campaign since early March targeting Iran, Israel, and Western-aligned partners.
- State-directed actors like MuddyWater/Seedworm and CyberAv3ngers are exploiting high-impact vulnerabilities for espionage and persistence.
- Hacktivist groups such as Keymous+, DieNet, and NoName057(16) are creating outsized visibility via DDoS attacks and website defacements.
- Many breach claims circulating on Telegram and dark web forums are fabricated or recycled to run psychological operations and sow panic.
- Notable exploited CVEs include CVE-2026-1281 (Ivanti EPMM), CVE-2024-4577 (PHP on Windows), CVE-2026-21514 (Microsoft Word), CVE-2025-32433 (Erlang SSH RCE), CVE-2025-52691 (SmarterMail), and CVE-2025-9316 (N-able N-Central).