SIGNALS WEEKLY: Seedworm in U.S. Networks, Coruna on iPhones, and a Patch Window Measured in Days

This week’s pattern is ugly and simple: Seedworm is reportedly already sitting inside multiple U.S. organizations, Coruna shows spy-grade iPhone exploitation bleeding into broader use, and KEV + March patch drops are shrinking defender response time from “soon” to “right now.”

[DEEP RESEARCH] When Gambling Becomes a Money-Transfer Rail

Casinos and iGaming platforms can quietly act like informal money-transfer channels when intermediaries use gaming flows to move value between third parties. This summary highlights where that happens, what it looks like in logs, and how technical teams can help shut it down.

[DEEP RESEARCH] Who’s Most Likely to Abuse MCP Integrations? UNC3944, TraderTraitor, UNC6293

Three intrusion sets already excel at getting users to approve tools and auth flows. This assessment is probabilistic: it highlights who is best positioned to adapt that tradecraft to MCP-style environments next..

SIGNALS WEEKLY: Cisco Catalyst SD-WAN Exploitation + OAuth Redirect Abuse + Prompt Injection Observed in the Wild

Edge + identity + AI = the new “oops.” 😬🧨🤖 ED 26-03 on Cisco Catalyst SD-WAN exploitation, OAuth redirect abuse that lands users in malware without token theft, plus Gemini panel hijack vs indirect prompt injection in the wild.

[FORECAST UPDATED] AI Agents as Regulated C2: Will Anyone Be Forced to Act?

🤖🔒 AI agents = privileged integrations you can’t see. After GTG-1002 + vendors pushing agent access standards, the next shoe drops: do regulators/hyperscalers force default-on signed connectors + audit logs (aka “regulated C2”)?

[FORECAST] Fortune 500s: Will Prompt Injection Trick IDE Agent Mode into Running Commands—or Leaking Secrets—by 2026?

Recent agent-mode rollouts make ‘read files + run tasks’ normal. Prompt injection makes that risky. Here’s the forecast..

SIGNALS WEEKLY: How AI Is Turbocharging Attacks on 600+ FortiGate Firewalls

Your firewall isn’t the perimeter. It’s the onboarding portal. 🔥

CISA Flags Dell RecoverPoint Zero-Day: Backup Systems as the New Beachhead

Your backup system isn’t your parachute. It’s a beachhead. 🏖️ Mandiant/GTIG report UNC6201 exploiting Dell RP4VM (CVE-2026-22769, CVSS 10.0). Hardcoded credential → OS-level control + root persistence.

[FORECAST] Dismantled or Displaced? Cambodia’s Scam-Compound Crackdown by 2030?

Cambodia says it sealed off ~190 scam sites. 🧨 Now the real question: dismantled or displaced? 🧱🚚 Our forecast uses grown-up metrics (convictions + asset denial + independent compound counts).

SIGNALS WEEKLY: Active Ivanti EPMM Zero-Days — What Defenders Must Do Now

Your control plane isn’t infrastructure. It’s leverage. 🔥

The 90-Day Disruption Dividend: How Intel-Led Hunting Reduces Dwell Time Without a Massive SOC

Your SOC isn’t understaffed. It’s late. ⏱️😈 Attackers aren’t scaling with malware—they’re scaling with OAuth + tokens + “normal” API exports. Big tech wins by yanking kill-switches fast. Can you revoke an OAuth grant in <30 min?

ClickFix to Linked-Device Takeovers: Will Star Blizzard Introduce a New Initial-Access Vector by Oct 2026?

Fake CAPTCHA ➜ “paste this PowerShell.” 🙃 Linked-device pairing ➜ quiet account takeovers. 👻 Device-code phishing ➜ legit login page, attacker gets tokens. 🔑