[SIGNALS WEEKLY] Quiet Shifts In Tradecraft, Loud Signals In Exposure
Everyone waits for the sexy zero-day. Meanwhile “IT” is in your Teams chat asking for Quick Assist, and your user clicks yes. The breach starts looking a lot like normal work.
TL;DR
- [ICS/OT] Iran-linked actors are actively manipulating internet-exposed PLCs and OT HMIs in U.S. critical infrastructure, turning visibility gaps and weak remote access into real-world disruption and operator deception.
- [Intrusion Tradecraft] Human-operated intrusion paths are increasingly user-mediated and “tool-blended”: cross-tenant Teams helpdesk phishing, Quick Assist–based remote control, QEMU/hidden-VM staging, and SaaS workflow abuse (n8n) all erode traditional endpoint-centric defenses.
- [Vulnerabilities/Policy] Rapid KEV growth (PaperCut, TeamCity, Kentico, KACE, Zimbra, Cisco SD-WAN) plus EU sanctions on Russian influence networks signal a near-term cycle of opportunistic exploitation of exposed admin/perimeter services, alongside continued state-aligned OT, macOS (Sapphire Sleet), and information operations activity.
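The KEV bullet above turns into a concrete patch queue only once the catalog is matched against what you actually run and what is reachable from the internet. The Python below is an added example (not code from CISA or from this newsletter): it takes a constructed sample in the shape of CISA's KEV JSON feed (the real feed lives at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; the CVE IDs here are placeholders, not real identifiers), matches entries against a made-up asset inventory, and ranks hits with internet-exposed assets first, then known ransomware use, then the earliest BOD 22-01 due date. The vendor/token matching is deliberately coarse; a production version should match on CPE and installed version.

```python
import json
import re
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (field names match the
# real feed; the CVE IDs are placeholders, not real identifiers).
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "PaperCut", "product": "NG, MF",
     "dateAdded": "2026-04-20", "dueDate": "2026-05-11", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "JetBrains", "product": "TeamCity",
     "dateAdded": "2026-04-20", "dueDate": "2026-05-11", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "Zimbra", "product": "Collaboration Suite",
     "dateAdded": "2026-04-20", "dueDate": "2026-05-11", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0004", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
     "dateAdded": "2026-04-20", "dueDate": "2026-05-11", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed asset inventory (hypothetical hosts). "internet_exposed" is the
# attribute that decides whether a KEV hit is an emergency or a scheduled patch.
INVENTORY = [
    {"host": "print01", "vendor": "PaperCut", "product": "PaperCut MF 23", "internet_exposed": True},
    {"host": "ci01", "vendor": "JetBrains", "product": "TeamCity 2025.x", "internet_exposed": False},
    {"host": "mail01", "vendor": "Zimbra", "product": "Zimbra Collaboration 10", "internet_exposed": True},
    {"host": "vpn-gw", "vendor": "Fortinet", "product": "FortiGate", "internet_exposed": True},
]


def _tokens(text):
    """Lower-cased word tokens of a product string, e.g. 'NG, MF' -> {'ng', 'mf'}."""
    return {t.lower() for t in re.split(r"[\s,/]+", text) if len(t) >= 2}


def triage_kev(kev_json, inventory, today_iso):
    """Match KEV entries to inventory and rank them for patching.

    Matching is coarse on purpose (vendor equality plus one shared product
    token); a production version should match on CPE and installed version.
    Ranking: internet-exposed first, then known ransomware use, then the
    earliest BOD 22-01 due date.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        vendor = entry["vendorProject"].lower()
        product_tokens = _tokens(entry["product"])
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if asset["vendor"].lower() != vendor:
                continue
            if not (product_tokens & _tokens(asset["product"])):
                continue
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "internet_exposed": asset["internet_exposed"],
                "ransomware_use": entry["knownRansomwareCampaignUse"] == "Known",
                "days_to_due": (due - today).days,
            })
    findings.sort(key=lambda f: (not f["internet_exposed"],
                                 not f["ransomware_use"],
                                 f["days_to_due"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in triage_kev(KEV_SAMPLE, INVENTORY, "2026-04-21"):
        flag = "EXPOSED " if f["internet_exposed"] else "internal"
        print(f"{flag} {f['host']:8} {f['cve']}  due in {f['days_to_due']:2d} days"
              f"{'  ransomware' if f['ransomware_use'] else ''}")
```

Run against the sample, the internet-facing print server and mail server come out ahead of the internal CI host, and the FortiGate drops out because nothing in the sample catalog matches it. Swap `KEV_SAMPLE` for the fetched feed and `INVENTORY` for a CMDB export to use it for real.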
AlphaHunt
Current Stories
TL;DR
- [ICS/OT] Iran PLC advisory: Iran-affiliated actors are exploiting internet-facing PLCs and OT systems to cause real disruption (logic/HMI manipulation) in U.S. critical infrastructure.
- [Vulnerabilities] CISA KEV update: eight more vulnerabilities were added to KEV (incl. PaperCut, TeamCity, Kentico, Quest KACE SMA, Zimbra, Cisco Catalyst SD-WAN Manager) → treat them as active-exploitation patch priorities.
- [Intrusion Tradecraft] Teams helpdesk playbook: cross-tenant Teams is being used for helpdesk impersonation, followed by Quick Assist and lateral movement (incl. signed-binary abuse) to reach data theft.
- [Threat Actors] Sapphire Sleet macOS: North Korea-linked activity is using social engineering to get users to run scripts/Terminal commands, then stealing credentials/crypto data and persisting.
- [Geopolitics/Influence Ops] EU sanctions: the EU sanctioned two pro-Russian entities for hybrid influence/information manipulation → likely continued alignment with broader pressure campaigns.
References
- (2026-04-07) Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure
- (2026-04-20) CISA Adds Eight Known Exploited Vulnerabilities to Catalog
- (2026-04-18) Cross-tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook
- (2026-04-16) Dissecting Sapphire Sleet's macOS intrusion from lure to compromise
- (2026-04-21) EU targets two Russian propaganda networks with new sanctions
