ai
The Next 3–6 Months: Where Threat Actors Will Move Faster Than Defenders
Everyone’s hunting “AI attacks.” Meanwhile the ugly money is still in trusted pages, stolen sessions, and users politely pasting the command for them.
forecasts
Iran cyber risk is not about whether they’ll be active. They will. The real question is whether the next 8 weeks produce a publicly attributed, materially disruptive hit with a new twist beyond the usual password-spray sludge. Tenant sabotage is the part to watch. 👀🔥
weekly
Ransomware crews aren’t stopping at endpoints. They’re going after hypervisors, backups, and control planes now. KEV keeps growing, exploitation stays hot, and defender timelines keep getting shorter. Lovely. 🔥💀⚙️
forecasts
RedNovember is the kind of crew that turns “it was only an N-day” into a post-incident coping mechanism. We’re at 25% odds they get publicly tied to a true 0-day in 2026. With edge exploitation surging, that’s not exactly comforting. 👀🔥
c2
Malware is using blockchains as durable configuration mailboxes, not full C2. If you can spot the read→decode→connect sequence, you can preempt and burn the real infrastructure before it’s useful.
weekly
2026 cyber lesson: attackers don’t need your prod box first. They want your dev, your repo, your package manager, and your CI runner. Force-pushes, fake interviews, poisoned installers. Real classy stuff. 🤡🔧🔥
forecasts
Iran cyber risk isn’t just “watch for wipers.” It’s the same ugly identity-first playbook: password sprays, MFA abuse, cloud access… then maybe admin-plane sabotage. Recent reporting says activity is already reaching U.S. targets. Cute.
forecasts
LockBit got Cronos’d. BlackCat caught a DOJ wrench to the teeth. Cl0p is still hanging around the enterprise software aisle like it owns the place. So… is it really next, or are we just recycling takedown fan fiction?
weekly
This week’s pattern is ugly and simple: Seedworm is reportedly already sitting inside multiple U.S. organizations, Coruna shows spy-grade iPhone exploitation bleeding into broader use, and KEV + March patch drops are shrinking defender response time from “soon” to “right now.”
deep research
Casinos and iGaming platforms can quietly act like informal money-transfer channels when intermediaries use gaming flows to move value between third parties. This summary highlights where that happens, what it looks like in logs, and how technical teams can help shut it down.
ai
Three intrusion sets already excel at getting users to approve tools and auth flows. This assessment is probabilistic: it highlights who is best positioned to adapt that tradecraft to MCP-style environments next.
weekly
Edge + identity + AI = the new “oops.” 😬🧨🤖 ED 26-03 on Cisco Catalyst SD-WAN exploitation, OAuth redirect abuse that lands users in malware without token theft, plus Gemini panel hijack vs indirect prompt injection in the wild.