March 2026
NMFTA Cyber Intelligence Newsletter
The National Motor Freight Traffic Association, Inc.® (NMFTA)™ has designed this monthly e-newsletter to arm you with intelligence, tools, and defense tactics. Each month we cover enterprise system and rolling asset security, trending reports, and more.
North America's Premier Cybersecurity Event for the Trucking Industry
Early bird registration is live for the NMFTA 2026 Cybersecurity Conference, and this is your chance to lock in $50 off before prices increase.
Join trucking cybersecurity professionals defending the transportation industry at the 2026 NMFTA Cybersecurity Conference, September 29-October 2 in Long Beach, CA.
NMFTA is Helping the Industry Respond to Rising Rates of Freight Fraud
The Freight Fraud Prevention Hub is a new industry initiative designed to bring together education, best practices, verification resources, and collaborative solutions in one centralized destination. The Hub combines expertise from across NMFTA including cybersecurity, classification, Standard Carrier Alpha Code® (SCAC™) identity verification, and digital standards to help the industry educate teams, detect fraud signals earlier, and prevent incidents before they occur.
Plus: Join the Freight Fraud Prevention Hub Quarterly Webinar Series on March 19, 1:00–2:00 PM ET to learn practical steps for detecting and preventing freight fraud.
Join the Fight Against Freight Fraud
NMFTA is seeking industry partners to help strengthen collaboration and share freight fraud prevention resources across the supply chain. Learn how you can get involved and support industry-wide protection efforts.
Explore How Modern Cyberattacks Unfold in the 2026 Cybersecurity Trends Report
Threat actors operate like full-scale enterprises. They recruit specialists, divide responsibilities, share resources, and collaborate across networks with the same efficiency as legitimate transportation operations.
The 2026 Transportation Industry Cybersecurity Trends Report explores how modern threat actors operate and what it takes to stay ahead of them.
Download the report and equip your team with the intelligence needed to move from reactive defense to proactive protection.
Operational Security is Organizational Security
Operational security plays a critical role in protecting organizations from cyber-enabled threats and freight fraud. Learn how everyday operational patterns and shared information can unintentionally expose vulnerabilities, and how stronger operational awareness can help reduce risk.
Cybersecurity: Not Just a Technical Choice, a Legal Obligation
Cybersecurity is becoming a legal obligation for organizations across the supply chain. Read how evolving regulations are changing the way companies must approach cyber risk and compliance.
Your Monthly Webinar Delivered
Stop Clicking On...Stuff!
April 16, 2026 | 1:00-2:00 pm ET
Join NMFTA experts and James McQuiggan, a cybersecurity veteran with 25+ years of experience, as they walk through the dramatic rise of several new social engineering groups who have been attacking our industry and discuss what you can do to defend against them.
Stay Updated on This Year's Conference
In This Month's Report...
- Iranian State-Sponsored Threat Actors are Using Fake Software Downloads to Break Into Critical Infrastructure Companies
- Google Addresses Actively Exploited Chrome Vulnerability CVE-2026-2441 - SecPod Blog
- VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)
- 2026 Global Threat Report | Latest Cybersecurity Trends & Insights | CrowdStrike
- The 2026 Annual Cyber Threat Report | ReliaQuest Threat Research
- 2026 Automotive Cybersecurity Report
Iranian State-Sponsored Threat Actors are Using Fake Software Downloads to Break Into Critical Infrastructure Companies.
A state-sponsored threat group with ties to Iran’s government is running an active campaign targeting US critical infrastructure. Transportation and logistics companies are in scope.
The advanced persistent threat (APT) group known as MuddyWater has been running a widespread software poisoning campaign since at least early February 2026. The group creates convincing fake download pages and installer files for commonly used business software, including Obsidian, FreeCAD, and Tableau. When an employee downloads and runs one of these files, it installs a backdoor on their device, inside the company's network, giving the attackers access and persistence.
MuddyWater is affiliated with Iran's Ministry of Intelligence and Security (MOIS). This is not an opportunistic criminal group. These are nation-state operators with specific strategic objectives.
Confirmed targets to date include a US bank, a US airport, a US and Canadian non-profit, and a US software company that supplies the defense and aerospace sectors. The transportation sector is explicitly listed as an elevated-risk industry for the near term.
In this attack, there is no phishing email that needs to be opened, no attachment to scrutinize. This campaign is utilizing a delivery technique known as SEO poisoning. Attackers manipulate search engine results so that fake software download pages rank high enough that users click them. Then when an employee searches for software they need, they click what looks like a legitimate result, download the installer, and run it. That is the entire attack chain.
The Tools, Tactics and Procedures (TTPs) being leveraged include two distinct backdoors that have been identified in this campaign:
• Dindoor: Uses the Deno JavaScript runtime and has been found on the networks of a software company, a US bank, and a Canadian non-profit.
• Fakeset: A Python-based backdoor downloaded from Backblaze, a legitimate cloud storage service. It was found on a US airport network and a US non-profit. Using legitimate cloud services as a delivery mechanism makes this traffic difficult to detect and block.
Deploying two different backdoors against the same targets is not accidental. If defenders detect and remove one, the other maintains access. This is deliberate operational resilience.
The tactics used in this campaign overlap with known Akira ransomware delivery infrastructure. This means the same initial access event may serve both Iranian state espionage and financially motivated ransomware actors simultaneously. A single infected installer could lead to both data exfiltration and a ransomware deployment.
The geopolitical context matters here. This campaign accelerated in early 2026 in direct response to ongoing US and Israeli military operations. Cyber activity is being used as a retaliatory instrument. The assessment is that this campaign will expand in scope and intensity over the next one to three months.
The controls that stop this attack are not complex or expensive. They are some of the same controls that appear throughout the NMFTA Cybersecurity Best Practices Guidebook: application control, MFA, software procurement discipline, and user awareness. The difference between an organization that gets breached by this campaign and one that does not may be as simple as having good cyber hygiene.
This is a nation-state campaign with active infrastructure, confirmed victims across US critical sectors, and an assessed trajectory of escalation. The trucking industry is a named target category. The attack vector, fake software installers delivered through search results, is specifically designed to bypass the training most employees have received about phishing emails.
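A hunting sketch for the chain described above (an installer run from a user download folder, then a Deno or Python runtime launched beneath it), added here as an example and not taken from NMFTA or any vendor report. The event fields, host names, file paths, and the user-writable path markers are constructed assumptions, not published indicators for this campaign.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumptions for this sketch: the runtime names and "user-writable" markers are
# hunting heuristics chosen here, not indicators published for the campaign.
SCRIPT_RUNTIMES = {"deno.exe": "deno", "python.exe": "python", "pythonw.exe": "python"}
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\")

def from_user_writable(image):
    return any(marker in image.lower() for marker in USER_WRITABLE)

def find_suspect_runtimes(events):
    """Return (host, runtime_family, installer_image) for each script runtime descended from a user-folder binary."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    findings = []
    for e in events:
        family = SCRIPT_RUNTIMES.get(PureWindowsPath(e["image"]).name.lower())
        if family is None:
            continue
        # Walk up the parent chain; 'seen' guards against loops from pid reuse.
        cur, seen = by_pid.get((e["host"], e["ppid"])), set()
        while cur and cur["pid"] not in seen:
            seen.add(cur["pid"])
            if from_user_writable(cur["image"]):
                findings.append((e["host"], family, cur["image"]))
                break
            cur = by_pid.get((e["host"], cur["ppid"]))
    return findings

def hosts_with_multiple_families(findings):
    """Hosts where more than one runtime family appeared: scope cleanup to the whole host."""
    families = defaultdict(set)
    for host, family, _ in findings:
        families[host].add(family)
    return sorted(h for h, f in families.items() if len(f) > 1)

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "DISPATCH-07", "pid": 100, "ppid": 1, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"host": "DISPATCH-07", "pid": 200, "ppid": 100, "image": r"C:\Users\jdoe\Downloads\Tableau-Setup.exe"},
    {"host": "DISPATCH-07", "pid": 210, "ppid": 200, "image": r"C:\Users\jdoe\AppData\Roaming\rt\deno.exe"},
    {"host": "DISPATCH-07", "pid": 220, "ppid": 200, "image": r"C:\Users\jdoe\AppData\Roaming\py\pythonw.exe"},
    {"host": "DEV-02", "pid": 300, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"host": "DEV-02", "pid": 310, "ppid": 300, "image": r"C:\Program Files\Python312\python.exe"},
]

if __name__ == "__main__":
    print(hosts_with_multiple_families(find_suspect_runtimes(SAMPLE_EVENTS)))
```

A host that shows both runtime families under one installer should be treated as fully compromised rather than cleaned one implant at a time, matching the two-backdoor pattern the campaign relies on.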
Google Addresses Actively Exploited Chrome Vulnerability CVE-2026-2441 - SecPod Blog
The discovery of CVE-2026-2441 reveals a critical zero-day vulnerability in Google Chrome that is actively being exploited in the wild. Successful exploitation could allow remote attackers to execute arbitrary code within Chrome’s sandbox environment, putting millions of users across Windows, macOS, and Linux at risk.
A high-severity use-after-free vulnerability, tracked as CVE-2026-2441, has been identified in Google Chrome’s CSS component. The issue stems from an iterator invalidation flaw within the CSSFontFeatureValuesMap implementation, which manages CSS font feature values.
In practical terms, this means:
- Memory that has already been released can be re-accessed.
- Attackers may manipulate heap memory layout to control reclaimed memory regions.
- Carefully crafted HTML/CSS content can influence memory allocation patterns to increase exploit reliability.
When a victim visits a malicious webpage containing specially crafted CSS rules, the vulnerability can be triggered during style recalculation or rendering. Successful exploitation may allow an attacker to achieve arbitrary code execution within Chrome’s sandbox environment.
Because the flaw exists in the browser’s rendering process, no additional user interaction beyond visiting a webpage is required. This significantly lowers the exploitation barrier and increases real-world attack feasibility.
Security researchers reported the issue to Google on February 11, 2026. Google acknowledged that the vulnerability was being actively exploited in the wild prior to patch availability, classifying it as a zero-day vulnerability.
While exploitation is currently limited to code execution within the sandbox, sophisticated attackers may chain this flaw with additional vulnerabilities to attempt a sandbox escape, potentially leading to full system compromise.
VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)
On Feb. 6, 2026, BeyondTrust released a security advisory regarding CVE-2026-1731. BeyondTrust is an identity and access management platform. This specific vulnerability involves a pre-authentication remote code execution (RCE) issue within BeyondTrust remote support software. It could allow attackers to execute operating system commands in the context of the site user, which may lead to system compromise, including unauthorized access, data exfiltration and service disruption.
Unit 42 is actively investigating exploitation of this vulnerability and has observed attacker activity consistent with the following:
- Network reconnaissance and account creation
- Webshell deployment
- Command-and-control (C2) traffic
- Backdoor and remote management tool deployment
- Lateral movement
- Data theft
The campaign tracked by Unit 42 has so far affected the following sectors in the U.S., France, Germany, Australia and Canada:
- Financial services
- Legal services
- High technology
- Higher education
- Wholesale and retail
- Healthcare
Due to the severity of the risk and confirmed active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on Feb. 13, 2026. This addition mandated immediate remediation for federal agencies and signaled urgent prioritization for the private sector.
2026 Global Threat Report | Latest Cybersecurity Trends & Insights | CrowdStrike
Staying informed is critical for organizations across the transportation and logistics industry. The latest 2026 Global Threat Report from CrowdStrike provides an inside look at the tactics, trends, and threat actors shaping today’s cybersecurity landscape. Drawing on real-world intelligence from millions of sensors worldwide, the report highlights how attackers are operating and where businesses remain most vulnerable. For supply chain leaders, the insights offer valuable context on how cyber risks can impact operations, data security, and business continuity. Read the report to better understand the threat environment and strengthen your organization’s defenses.
The 2026 Annual Cyber Threat Report | ReliaQuest Threat Research
The 2026 Annual Cyber Threat Report from ReliaQuest provides a clear snapshot of how the threat environment shifted from 2024 to 2025 and what those changes mean for security teams. Built from real-world incident data and threat research, the report highlights emerging attacker tactics, rising risks, and the strategies organizations can use to stay ahead of adversaries. It also offers practical insights to help leaders strengthen defenses and better prepare for the next wave of cyber threats. Read the executive summary to quickly understand the trends shaping today’s threat landscape.
2026 Automotive Cybersecurity Report
The 2026 Global Automotive Cybersecurity Report from Upstream Security offers a data-driven look at the latest threats, vulnerabilities, and attack trends impacting connected vehicles and mobility services. Based on real-world incidents and threat intelligence, the report highlights how cyber incidents are increasing in scale, with many capable of affecting thousands to millions of vehicles and mobility assets. It also explores emerging risks tied to software-defined vehicles, ransomware, and the expanding digital infrastructure surrounding transportation systems. Read the report to understand the evolving automotive threat landscape and what organizations can do to strengthen their cybersecurity posture.
ClickFix Attacks Abuse DNS Lookup Command to Deliver ModeloRAT
A new cyber campaign is exploiting a technique known as ClickFix to trick users into running commands that secretly install malware on their systems. Dark Reading explains how attackers are abusing DNS lookup commands to deliver the ModeloRAT remote-access trojan, a tactic designed to blend malicious activity into normal network traffic and evade detection.
Claude Code Flaws Allow Remote Code Execution and API Key Exfiltration
Newly discovered vulnerabilities in Claude Code, an AI-powered coding assistant developed by Anthropic, show how attackers could exploit malicious repositories to execute remote commands or steal sensitive API keys from developers’ environments. The Hacker News breaks down how these flaws worked, why they pose a growing supply-chain risk in AI-driven development workflows, and what organizations should know as AI tools become more integrated into software development.
Supply Chain Cyber Risk Strategies Shift Toward Resilience
Cyber risk is becoming a major concern across the supply chain as organizations shift their focus from prevention to resilience. Supply Chain Management Review explores how leaders are strengthening cybersecurity strategies to better withstand and recover from disruptions.
Combating Freight Fraud with New Verification Tools
Freight fraud is on the rise, but new tools are helping the industry fight back. Learn how NMFTA's latest verification solutions are helping to reduce freight fraud and strengthen trust across the industry. Read more in this month's CCJ recurring article written by NMFTA's Joe Ohr.
How Cybercrime Is Reshaping Cargo Theft and Fleet Risk in 2026
Artificial intelligence is changing how cybercriminals and cargo thieves target trucking fleets—and how fleets defend themselves. As phishing, impersonation, and cargo theft converge, cybersecurity is becoming a core part of fleet safety and operations. Read more in this month's Heavy Duty Trucking recurring article written by NMFTA's Ben Wilkens.
Welcome to Shop Talk, Hosted by NMFTA's Own Ben Wilkens
Ben "The Trucking Cyber Guy" Wilkens brings a depth of experience and a unique perspective to trucking cybersecurity that few can claim. Having served in the industry from steering wheel, to server room, to boardroom, and now at the front lines of transportation cybersecurity research and education, he brings unique insights with a holistic view of the industry. On Shop Talk, he brings in guests from across trucking and cybersecurity for candid conversations, hot takes, and plenty of side quests. Grab a coffee and pull up a chair. Welcome to Shop Talk!
Cybersecurity: Like a PM for your Truck
On this Shop Talk episode, NMFTA's own Ben Wilkens and Artie Crawford discuss why cybersecurity is essential for your fleet and what you can implement in your organization.
Refer a Colleague
Would you like others at your company to be added to the NMFTA Headline Newsletter email distribution list? Send them this link or fill out the form on their behalf below!








