News You can USE!

BLUF: Executive Threat Synthesis (25-Hour Window)

The threat landscape over the past 24 hours is characterized by immediate kinetic risk to Middle East maritime infrastructure and a significant acceleration in organized, state-sponsored cyber operations leveraging transnational criminal ties. The primary shifts include the use of drones against a key logistics hub in Oman, continued hostile interference in the Strait of Hormuz, and high-level confirmation that Iranian cyber actors are coordinating psychological operations and kinetic threat targeting with the Jalisco New Generation Cartel (CJNG). Separately, global financial systems face an unprecedented industrialization of fraud, with new reports estimating AI-enhanced scams are 4.5 times more profitable than traditional methods.


⚓ Maritime Events / Supply Chain Threats

Incident: Kinetic Attack on Key Port Infrastructure

  • Date: March 28, 2026
  • Location: Port of Salalah, Oman
  • Key Actors: Unidentified actors (drone/projectile activity)
  • Key Facts: A security incident involving confirmed drone activity and subsequent explosions targeted the Port of Salalah [Link]. A terminal crane sustained damage, and a port worker received minor injuries [Link]. The port was immediately evacuated, and operations were temporarily suspended for an estimated 48 hours [Link].
  • Security & Recommendations:
    1. Reroute critical high-value or highly sensitive cargo away from facilities in the immediate AOR until threat actor attribution and TTPs are confirmed.
    2. Review insurance coverage (Warlike Operations & Detention/Delay) for all vessels scheduled to call at Omani and UAE ports.

Incident: Strait of Hormuz Disruption & Sanction Evasion

  • Date: Ongoing, last update March 30, 2026
  • Location: Strait of Hormuz / Persian Gulf / Southeast Asia (Malaysia)
  • Key Actors: Iranian regime forces, Iranian “Ghost Fleet” tankers
  • Key Facts: Iranian efforts to disrupt maritime traffic continue, with at least 21 commercial vessels hit since the start of the conflict [Link]. Marine traffic data confirms growing clusters of loitering vessels on both sides of the Strait, avoiding transit due to safety concerns [Link]. At least 35 oil-laden tankers were observed inside the Persian Gulf, and at least 23 ghost fleet tankers left the Persian Gulf bound for Malaysia to conduct Ship-to-Ship (STS) transfers to evade sanctions [Link].
  • Security & Recommendations:
    1. Maintain heightened security posture (MARSEC Level 3 equivalent) for all transits in the Strait of Hormuz, incorporating intelligence on AIS cloaking methods.
    2. Conduct enhanced due diligence on all STS transfers involving Southeast Asian anchorages (especially the EOPL anchorage off Malaysia) to mitigate secondary sanctions risk.

💻 Geopolitical Cyber / Critical Infrastructure (CI)

Incident: Iranian MOIS Coordination with Transnational Crime

  • Date: DOJ Action March 30, 2026 (Reflecting operations dating to March 1, 2026)
  • Location: United States, Global (Targeting Dissidents and IDF/Israeli Government)
  • Key Actors: Iran’s Ministry of Intelligence and Security (MOIS), Handala Hack persona, Jalisco New Generation Cartel (CJNG) [Link]
  • Key Facts: The Department of Justice (DOJ) announced the seizure of four internet domains tied to the MOIS and the Handala Hack persona [Link]. Court documents revealed Handala Hack used associated email accounts to send death threats and offer bounties to Mexican cartel partners, specifically the CJNG, to commit acts of violence against targets in the U.S. and abroad [Link, 7]. These domains were also used to post stolen PII of Israel Defense Forces (IDF) personnel and claim responsibility for destructive malware attacks against U.S. critical sector firms [Link].
  • Security & Recommendations:
    1. Alert executive travelers to countries where CJNG has operational reach regarding potential MOIS-directed physical threats.
    2. Implement strong geo-fencing and MFA policies for all endpoints to mitigate the credential harvesting used by MOIS/Handala for initial access [Link].

Incident: ICS Vulnerability Alert

  • Date: March 26, 2026
  • Location: Global CI/Manufacturing Sector
  • Key Actors: Exploited Vulnerabilities (CVE-2026-4681)
  • Key Facts: CISA released an advisory detailing a critical Remote Code Execution (RCE) vulnerability in PTC Windchill Product Lifecycle Management (PLM) and PTC FlexPLM [Link]. The vulnerability can be exploited through the deserialization of untrusted data and is a high priority for organizations managing industrial control systems (ICS) [Link].
  • Security & Recommendations:
    1. Prioritize the immediate patching or application of vendor-provided mitigations for all exposed PTC Windchill and FlexPLM installations.
    2. Conduct an audit of the entire PLM infrastructure to identify and isolate critical data sets potentially exposed by RCE vulnerabilities.

💸 Financial Crimes / Organized Crime

Incident: Industrialization of AI-Enabled Fraud

  • Date: Report released March 28, 2026 (Covering last 12 months)
  • Location: Global, impacting banking and finance sectors
  • Key Actors: Transnational Criminal Organizations (TCOs), Generative AI/LLMs
  • Key Facts: Global scam losses reached $442 billion over the past year [Link]. The surge is attributed to the weaponization of Artificial Intelligence (AI), which reduces the time required to build a credible phishing campaign from 16 hours to under five minutes [Link]. INTERPOL notes that AI-enhanced fraud is 4.5 times more profitable than traditional methods and that TCOs are increasingly collaborating to scale operations [Link].
  • Security & Recommendations:
    1. Review anti-fraud systems for Generative AI detection capabilities, focusing on identifying hyper-personalized social engineering attempts (e.g., executive impersonation fraud).
    2. Enhance cross-sector collaboration to identify and disrupt rapidly deployed financial crime infrastructure, especially given that nearly two-thirds of scams now succeed within a single day of initial contact [Link].

🔪 DVE / EVE / Activism/Terrorism

Incident: Terrorist Funding through Crypto Scams

  • Date: Assessment released March 16, 2026 (Ongoing trend)
  • Location: Africa, targeting global victims
  • Key Actors: Terrorist groups, Organized Crime syndicates
  • Key Facts: The latest INTERPOL assessment highlights that terrorist groups in parts of Africa are using sophisticated financial fraud schemes, particularly crypto-based scams, as a critical source of funding [Link]. This intersection of terrorism and organized crime is part of a broader trend of “polycriminality,” in which groups share expertise and technology [Link].
  • Security & Recommendations:
    1. Enhance monitoring of cryptocurrency transactions tied to identified African extremist group hotspots.
    2. Provide awareness training to employees on common romance and investment fraud typologies, as these methods often funnel funds into terrorist and organized crime financing networks.