Global Cyber Incidents Target Education, Retail and Automotive Sectors in Coordinated Campaign
AI-generated from multiple sources. Verify before acting on this reporting.
LONDON (May 11, 2026) — A comprehensive threat intelligence report released Monday details a wave of cyber incidents targeting major corporations across the education, retail, and automotive sectors, alongside active espionage campaigns attributed to state-sponsored groups.
Check Point Research published the findings on May 11, outlining data breaches at U.S.-based education technology firm Instructure and Spanish fashion retailer Inditex, the parent company of Zara. The report also confirmed extortion attacks against Mediaworks and security incidents affecting Škoda Auto in the Czech Republic.
The incidents span 26 countries, with significant activity detected in the United States, Spain, Hungary, India, Russia, South America, and southeastern Europe. The report identifies three primary threat actors: Iran’s MuddyWater group, the Silver Fox campaign, and a newly identified entity designated UAT-8302.
Instructure, which provides the Canvas learning management system, reported unauthorized access to user data. Inditex disclosed a breach affecting customer information across its global retail network. Mediaworks, a digital marketing agency, stated it was the target of ransomware demands, while Škoda Auto confirmed disruptions to internal systems.
Beyond corporate breaches, the report highlights vulnerabilities in artificial intelligence and software infrastructure. Companies including Cline, Anthropic, Progress, Ivanti, and Palo Alto Networks were cited in connection with various security flaws. These vulnerabilities range from AI model exploitation to unpatched software components that could allow remote code execution.
MuddyWater, a group linked to Iranian intelligence, was observed conducting phishing campaigns targeting government and private sector entities. The Silver Fox campaign, associated with Russian actors, focused on espionage activities in southeastern Europe and South America. UAT-8302, a previously unclassified group, demonstrated capabilities in both data theft and infrastructure disruption.
Security experts note the diversity of attack vectors, including supply chain compromises, credential stuffing, and zero-day exploits. The timing of the incidents suggests coordinated efforts to maximize impact across multiple industries simultaneously.
Instructure and Inditex have engaged third-party forensic teams to investigate the scope of the breaches. Škoda Auto has temporarily restricted access to certain internal networks. Mediaworks declined to comment on the status of negotiations with attackers.
The report does not specify the volume of data compromised or the financial impact of the extortion demands. It remains unclear whether the incidents are linked to a single overarching campaign or represent independent operations by different threat actors.
Cybersecurity firms are urging organizations to update systems and monitor for suspicious activity. The U.S. Cybersecurity and Infrastructure Security Agency has issued an advisory regarding the vulnerabilities identified in AI and software platforms.
As investigations continue, the full extent of the breaches and the identities of those behind the UAT-8302 campaign remain under review. Authorities in multiple countries have opened inquiries into the espionage activities attributed to MuddyWater and Silver Fox.