Port 22

Iranian Hackers Targeting VMware Horizon Log4j Flaws to Deploy Ransomware

A “potentially destructive actor” aligned with the government of Iran is actively exploiting the well-known Log4j vulnerability to infect unpatched VMware Horizon servers with ransomware. Cybersecurity firm SentinelOne dubbed the group “TunnelVision” owing to their heavy reliance on tunneling tools, with tactics observed to overlap with those of a broader group tracked under the moniker Phosphorus