Malware Roundup: Iranian APTs, Zero-Days, and Developer Tool Exploits
Cyber Threat Intelligence recently highlighted a critical roundup of malware activity, with several concerning developments making waves. The firm reported that Censys identified 5,219 internet-exposed devices vulnerable to exploitation by Iranian APTs, the significant majority of them located in the United States. This isn't just about the numbers; it's about the strategic implications of nation-state actors targeting critical infrastructure or sensitive data within a rival's borders.
Further analysis by Cyber Threat Intelligence revealed the evolution of GlassWorm, now leveraging a Zig dropper to compromise multiple developer tools. This is a classic supply-chain vector: compromising a developer's tooling means compromising hundreds, if not thousands, of downstream users of whatever that developer ships. On the vulnerability front, CVE-2026-39987, a Marimo RCE, was actively exploited mere hours after its disclosure. That is a stark reminder that disclosure doesn't mean safety; it means a race against time. Adding to the list of woes, UAT-10362 is now linked to LucidRook attacks specifically targeting institutions in Taiwan, indicating a clear geopolitical focus.
The roundup wasn't without its data breach warnings either. An EngageLab SDK flaw exposed private data for an estimated 50 million Android devices, underscoring the pervasive risks in third-party libraries. A Bitcoin Depot hack resulted in a $3.6 million Bitcoin theft via stolen credentials, a painful reminder that cryptocurrency businesses fall to a compromised login just like anyone else, and that this is exactly the failure mode phishing-resistant MFA exists to close. Eurail also confirmed a breach affecting 308,777 individuals. Finally, Cyber Threat Intelligence noted a malicious PDF actively exploiting an Adobe Reader zero-day in the wild. It is an old trick that still works, proof that some threats never truly die; they just get a fresh coat of paint.
What This Means For You
- If your organization uses developer tools, immediately audit them for signs of GlassWorm infection, and ensure all Marimo instances are patched for CVE-2026-39987. Because exploitation began within hours of disclosure, also review the access logs of any Marimo instance that was reachable during the window between disclosure and patching. For US-based entities, particularly those whose exposed devices show up in the Censys data, prioritize reducing that exposure and hardening against Iranian APT TTPs. If you operate in Taiwan, be vigilant for LucidRook indicators of compromise. Finally, ensure Adobe Reader is updated and that your security awareness training covers malicious PDF threats.
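The malicious-PDF item above is one place where a cheap, offline check helps on top of patching and awareness training. What follows is an added example written for this page, not code from the roundup or from any of the vendors it names: a static triage script that counts the PDF name tokens which give a document the ability to run code or act on open (/JavaScript, /JS, /OpenAction, /AA, /Launch, and similar), after decoding the #xx hex escapes that attackers use to hide those names. The two sample PDFs embedded in it are constructed for the example. It does not detect any specific zero-day, and it is only a triage heuristic: it reads raw bytes and does not inflate /FlateDecode streams or unpack object streams, so an obfuscated document can evade it.

```python
"""Static triage of PDF files for active-content markers.

Added example, not code from the roundup. A hit is not proof of
exploitation and a miss is not proof of safety: the scan reads raw bytes
only and does not decode compressed or object streams, so it is a
first-pass filter for a mail gateway or an IR triage box, not a detector.
"""
import re
from collections import Counter

# Name tokens that let a PDF run code, launch something, or act on open.
RISKY_TOKENS = (
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
    b"/EmbeddedFile", b"/URI", b"/RichMedia", b"/XFA",
)

# In PDF syntax a name ends at whitespace or a delimiter character, so
# "/JS" must not match the start of a longer name such as "/JSomething".
_NAME_END = rb"(?=[\s()<>\[\]{}/%]|$)"

# Constructed sample: a minimal PDF whose catalog runs JavaScript on open.
SAMPLE_MALICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /JavaScript /JS (app.alert('hi');) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same skeleton with no actions at all.
SAMPLE_BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def normalise_names(data: bytes) -> bytes:
    """Decode #xx hex escapes in names, so /J#53 is seen as /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_risky_tokens(data: bytes) -> Counter:
    """Count each risky name token in the (de-escaped) raw bytes."""
    data = normalise_names(data)
    counts: Counter = Counter()
    for tok in RISKY_TOKENS:
        n = len(re.findall(re.escape(tok) + _NAME_END, data))
        if n:
            counts[tok.decode()] = n
    return counts


def triage(data: bytes) -> dict:
    """Return a verdict plus the evidence behind it.

    'suspicious' = code-bearing token AND an auto-execution hook;
    'review'     = any risky token on its own;
    'clean'      = none found (which is not the same as safe).
    """
    counts = count_risky_tokens(data)
    auto_exec = {"/OpenAction", "/AA"} & counts.keys()
    code = {"/JavaScript", "/JS", "/Launch", "/RichMedia", "/XFA"} & counts.keys()
    if auto_exec and code:
        verdict = "suspicious"
    elif counts:
        verdict = "review"
    else:
        verdict = "clean"
    return {
        "is_pdf": data.startswith(b"%PDF"),
        "verdict": verdict,
        "tokens": dict(counts),
        # Object streams can hide the tokens above; flag them so the
        # analyst knows a 'clean' result may be incomplete.
        "has_object_streams": b"/ObjStm" in data,
    }


if __name__ == "__main__":
    for label, blob in (("malicious", SAMPLE_MALICIOUS_PDF),
                        ("benign", SAMPLE_BENIGN_PDF)):
        print(label, triage(blob))
```

Run it against a mailbox dump or a quarantine folder by reading each file as bytes and calling `triage`. Treat `has_object_streams` as a prompt to escalate to a tool that actually parses the document (pdfid, peepdf, or a sandbox), and never treat a `clean` verdict as a reason to skip patching Adobe Reader.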