
The Good | Operation Synergia III Disrupts Malicious Networks & the EU Sanctions State-Sponsored Attackers
Operation Synergia III, an Interpol-led crackdown spanning July 2025 to January 2026, has disrupted cybercrime infrastructure across the globe. Authorities across 72 countries sinkholed 45,000 malicious IP addresses and seized 212 devices and servers, resulting in 94 arrests and 110 ongoing investigations.
The operation focused on taking down servers used in connection to extensive phishing, ransomware, malware, and fraud networks. Regional actions highlighted the breadth of the cyber activity: Bangladesh police arrested 40 suspects tied to scams and identity theft, while law enforcement in Togo dismantled a fraud ring engaged in social engineering, including romance scams and sextortion.
In Macau, investigators uncovered over 33,000 phishing sites impersonating casinos, banks, and government services, all poised to steal financial data. Building on earlier phases of the operation and complementary operations like Red Card 2.0, Serengeti, and Africa Cyber Surge, these joint efforts point to the growing sophistication of cybercrime and the critical role that coordinated international actions play in stemming its reach.
To further hinder threat actors, the Council of the European Union has sanctioned three companies and two individuals tied to major cyberattacks on critical infrastructure.
China-linked Integrity Technology Group supported operations that compromised over 65,000 devices across six EU countries, while Anxun Information Technology (aka i-SOON) provided hacker-for-hire services targeting governments. Two of its co-founders have also been sanctioned for their part in executing the cyberattacks.
Iran-based company Emennet Pasargad has also been sanctioned for multiple influence campaigns and breaches, including phishing and disinformation efforts.
The Bad | Researchers Uncover ‘DarkSword’ iOS Exploit Stealing Sensitive Personal Data
A new iOS exploit chain and payload dubbed ‘DarkSword’ is stealing sensitive personal information from iPhones running iOS 18.4 to 18.7. The toolkit is linked to multiple threat actors, including Russian-aligned UNC6353, who previously leveraged a similar exploit chain called Coruna. DarkSword was subsequently uncovered while various researchers analyzed Coruna’s infrastructure.
In early November 2025, NC6748 used DarkSword against Saudi Arabian users via a Snapchat-themed website. Subsequently, other attackers linked to PARS Defense, a Turkish commercial surveillance firm, started running the exploit kit on Apple devices. Early this year, cases involving DarkSword were spotted across Malaysia and, most recently, it has been leveraged to target Ukrainian users.
DarkSword exploits six documented vulnerabilities (CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, CVE-2025-43520), which Apple has since patched. Threat actors have used them to deliver at least three malware families: GHOSTBLADE (a data miner collecting crypto, messages, photos, and locations), GHOSTKNIFE (a backdoor exfiltrating accounts and communications), and GHOSTSABER (a JavaScript backdoor enumerating devices and executing code).
The delivery chain begins via Safari exploits, gaining kernel access and executing a main orchestrator (pe_main.js) that injects modules into privileged iOS services, including App Access, Wi-Fi, Keychain, and iCloud. Collected data spans passwords, messages, contacts, call history, location, browser history, Apple Health, and cryptocurrency wallets. The malware removes traces after exfiltration, indicating a focus on rapid theft rather than persistent surveillance.
Experts note that both DarkSword and Coruna exhibit signs of large language model (LLM)-assisted code expansion, showing professional design with maintainability and modularity in mind. Users are advised to update to iOS 26.3.1 and enable Lockdown Mode if at high risk.
The Ugly | Interlock Ransomware Exploits Cisco FMC Zero-Day to Breach Enterprise Firewalls
The Interlock ransomware group has been actively exploiting a critical remote code execution (RCE) zero-day in Cisco’s Secure Firewall Management Center (FMC) software since late January 2026. The vulnerability, tracked as CVE-2026-20131 (CVSS: 10.0), allows unauthenticated attackers to execute arbitrary code with root privileges on unpatched devices because the software insecurely deserializes a user-supplied Java byte stream. Cisco has since issued a patch, urging customers to update immediately.
Interlock ransomware group is now exploiting a Cisco firewall bug patched on March 4
The bug is a CVSSv3 10/10 RCE in the Cisco Secure Firewall Management Center (FMC) Software: sec.cloudapps.cisco.com/security/cen…
— Catalin Cimpanu (@campuscodi.risky.biz) 19 March 2026 at 10:42
Interlock, first seen in September 2024, has a history of high-profile attacks, including deploying the NodeSnake remote access trojan (RAT) against U.K. universities. The group has claimed responsibility for incidents affecting organizations such as DaVita, Kettering Health, the Texas Tech University System, and the city of Saint Paul, Minnesota. IBM X-Force researchers recently noted Interlock’s deployment of a new AI-assisted malware strain called Slopoly, highlighting the group’s evolving capabilities.
The latest reports indicate that Interlock exploited the FMC flaw 36 days before its public disclosure, beginning on January 26, giving operators a head start to compromise firewalls before defenders were aware. This early access allowed attackers to operate undetected, underlining the danger of zero-day vulnerabilities.
Cisco has faced a series of zero-day exploits in 2026 so far. Earlier this year, maximum-severity flaws in Cisco AsyncOS email appliances, Unified Communications, and Catalyst SD-WAN, which allowed attackers to bypass authentication, compromise controllers, and insert malicious peers, were patched after being actively exploited.
The most recent incidents affecting FMC demonstrate both Interlock’s aggressive targeting of enterprise networks and the importance of rapid patch management and coordinated vulnerability disclosure. Organizations using Cisco FMC are strongly urged to apply the latest updates to mitigate ongoing risk.

Facts Only

* Interpol’s Operation Synergia III ran from July 2025 to January 2026.
* 72 countries participated in the operation.
* 45,000 malicious IP addresses were sinkholed.
* 212 devices and servers were seized.
* 94 arrests were made.
* 110 ongoing investigations are underway.
* Bangladesh police arrested 40 suspects related to scams and identity theft.
* Togo law enforcement dismantled a fraud ring involving social engineering.
* Over 33,000 phishing sites were uncovered in Macau, targeting casinos, banks, and government services.
* The EU sanctioned three companies and two individuals related to attacks on critical infrastructure.
* China-linked Integrity Technology Group supported attacks on six EU countries.
* Anxun Information Technology (i-SOON) provided hacker-for-hire services.
* Emennet Pasargad (Iran) was sanctioned for influence campaigns and breaches.
* The ‘DarkSword’ iOS exploit targets iOS 18.4 to 18.7.
* NC6748 used DarkSword against Saudi Arabian users via a Snapchat website.
* PARS Defense and Apple are linked to the DarkSword exploit.
* CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, CVE-2025-43520 are exploited.
* Interlock ransomware exploited a Cisco FMC zero-day (CVE-2026-20131) since January 26, 2026.
* Cisco issued a patch for the FMC vulnerability on March 4, 2026.
* Interlock has previously targeted U.K. universities with NodeSnake.
* DaVita, Kettering Health, the Texas Tech University System, and the city of Saint Paul, Minnesota were affected.
* IBM X-Force researchers noted Interlock's use of Slopoly, an AI-assisted malware strain.

Executive Summary

The cybercrime landscape is experiencing a surge in coordinated activity across multiple fronts. Interpol’s Operation Synergia III successfully disrupted a global network of malicious actors involved in phishing, ransomware, and fraud, resulting in a significant number of arrests and ongoing investigations. Simultaneously, a new iOS exploit, dubbed “DarkSword,” poses a serious threat to user data, highlighting the vulnerability of mobile devices. Finally, the exploitation of a critical Cisco FMC zero-day vulnerability by the Interlock ransomware group represents a significant risk to enterprise network security, underscoring the importance of rapid patching and proactive defense measures. The coordinated nature of these events emphasizes the increasing sophistication and interconnectedness of cyber threats and the necessity of international cooperation to combat them. Further investigation is warranted to fully understand the extent of the damage caused and the potential for future attacks.

Full Take

The escalating series of cyberattacks reveals a troubling trend: the fragmentation of threat actor networks and the increasing reliance on adaptable, sophisticated tools. Operation Synergia III represents a tactical success—disrupting a sprawling network—but it’s a symptom of a deeper problem: cybercrime is evolving into a highly organized, almost corporate, undertaking, facilitated by cross-border collaboration and readily available exploit chains like DarkSword. The parallel exploitation of the Cisco FMC vulnerability by Interlock isn't simply an opportunistic attack; it demonstrates a deliberate, pre-emptive strike enabled by early access to the vulnerability, highlighting systemic weaknesses in supply chain security and the vulnerability of relying on single vendors for critical infrastructure protection. The presence of LLM assistance in the development of both DarkSword and Interlock’s Slopoly malware strain suggests a trend toward automated threat development, potentially amplifying the speed and scale of attacks. It’s critical to recognize these incidents not as isolated events but as interconnected threads in a rapidly tightening web of malicious activity.

Patterns detected:
* ARC-0024 Ambiguity – The narrative presents a complex situation with multiple actors and overlapping threats, making it difficult to pinpoint a single source of responsibility.
* ARC-0043 Motte-and-Bailey – The discussion of Interlock’s early access to the FMC vulnerability relies on a layered justification – first, the vulnerability was present; second, Interlock exploited it; third, this demonstrates the threat actor's operational sophistication.

The potential impact of DarkSword, particularly its use against vulnerable populations, is substantial and underscores the urgent need for proactive defense strategies and robust user education.
The focus on rapid data exfiltration by DarkSword – short-term data grab, not persistent surveillance – reveals an understanding of how defenders react to threats.

Sentinel — Uncertain

Confidence

This report exhibits strong indicators of AI-assisted generation through its reliance on hedging language, a lack of distinct authorial voice, and a constructed narrative with an unnatural balance of perspectives, suggesting the text was likely produced using synthetic means rather than human journalism.

Signals Detected
high severity: High hedging density ('it's worth noting,' 'one could argue') dominates the text, suggesting an attempt to appear neutral while lacking a clear authorial voice.
high severity: The narrative presents a remarkably balanced 'both sides' framing, a stylistic choice rarely natural in investigative reporting, raising suspicion of AI-driven construction.
medium severity: The frequent use of generic attributions like 'experts say' and 'studies show' without specific sourcing is a hallmark of synthetic text.
medium severity: The inclusion of CVE numbers alongside seemingly independent event descriptions (e.g., 'Interlock exploited the FMC bug patched on March 4') suggests a fabricated timeline or a lack of genuine investigative sourcing.
Human Indicators
The article’s detailed recounting of specific vulnerabilities and incident timelines, particularly regarding Interlock’s exploitation of the Cisco FMC zero-day, seems overly polished and provides specific data points without readily verifiable sources.