Tag: espionage
All items tagged espionage.
- ShinyHunters extortion brand — Council of Europe named, Kodak and One Medical added to the leak-site pressure
- Threat actor: FishMonger (I-SOON) ports SprySOCKS to Windows with a kernel-mode rootkit
- ScarCruft (APT37) delivers NarwhalRAT behind fake Microsoft OTP "security alert" lures
- FishMonger (I-SOON) ports its SprySOCKS backdoor to Windows with a kernel-driver rootkit
- PRC UNC6508 ran year-plus espionage through internet-facing REDCap servers and a Google Workspace BCC rule
- VerdantBamboo (UNC5221 / WARP PANDA) — BSD-compiled BRICKSTORM confirmed on pfSense, plus a new PLENET backdoor
- Velvet Ant "Operation Highland" — Sygnia documents decade-long Linux PAM/sshd subversion
- APT28 (GRU Unit 26165) — Sekoia documents a shift to LLM-generated payloads and cloud-native C2 [SINGLE-SOURCE]
- Sekoia: APT28 (GRU Unit 26165) tradecraft shifts to LLM-generated payloads and cloud-native C2 [SINGLE-SOURCE]
- [SINGLE-SOURCE] ESET: OceanLotus (APT32) compromises a stock-trading platform's update server — selective SPECTRALVIPER delivery, no integrity checks to defeat
- Black Lotus Labs: the Volt Typhoon-linked JDY botnet doubles to 1,500+ devices and weaponises CVE disclosures within hours
- ANNUAL REPORT [SINGLE-SOURCE] — CrowdStrike 2026 Technology Threat Landscape Report: technology is now the most-targeted sector
- Year-old WinRAR flaw (CVE-2025-8088) still fuels Ukraine intrusions — GIFTEDCROOK via UAC-0226 and an Earth Dahu chain
- Meta files contempt complaint against NSO Group over fresh WhatsApp spyware phishing
- Unit 42: Microsoft Teams external-chat now a primary phishing surface for APT29 and UNC6692
- Gamaredon: GammaPhish → GammaWorm (NTFS ADS + USB) → GammaSteel (S3 exfil) — the week's most complete intrusion kill-chain disclosure [SINGLE-SOURCE Sekoia TDR]
- Five Eyes "Safeguarding Our Secrets" — Chinese military intelligence systematically recruiting via LinkedIn and job platforms
- VerdantBamboo / UNC5221 / WARP PANDA — 18-month undetected China-nexus intrusion through MSP pfSense [SINGLE-SOURCE]
- Gamaredon — GammaPhish / GammaWorm / GammaSteel: Russian FSB campaign with USB worm and S3 exfiltration (Sekoia TDR part one) [SINGLE-SOURCE Sekoia TDR]
- Five Eyes joint bulletin: Chinese military intelligence recruiting cleared personnel through LinkedIn and job platforms
- OP-512: China-linked cluster runs a cryptographically-unique, self-reporting IIS web-shell framework against legacy .NET servers [SINGLE-SOURCE]
- VerdantBamboo (UNC5221 / WARP PANDA): an 18-month China-nexus intrusion that lived entirely on EDR-blind edge appliances and proxied into Microsoft 365 past Conditional Access [SINGLE-SOURCE]
- Symantec: five-month, low-and-slow mailbox-espionage campaign against a global stock exchange
- NCSC Switzerland warns of cyber operations around the G7 Évian summit (15–17 June)
- Operation XENOFISCAL: SideCopy (APT36) hits provincial treasury officials with XenoRAT via an mshta/HTA chain
- UPDATE: Gamaredon weaponises WinRAR CVE-2025-8088 and adds the GammaSteel stealer
- Sekoia consolidates Gamaredon tooling under GammaPhish / GammaWorm, details an NTFS-ADS USB+network worm
- GREYVIBE — newly documented Russia-nexus cluster deploys five parallel attack chains against Ukraine with AI-generated lures and two PowerShell RATs
- ANNUAL REPORT — ESET APT Activity Report Q4 2025–Q1 2026: Sandworm strikes NATO energy, Lazarus targets EU drone sector, UNC5221 pivots to Ivanti SPAWN toolset
- Kimsuky (Velvet Chollima) deploys HTTPSpy RAT and Rust-based HelloDoor via VS Code Remote Tunnel and Cloudflare Quick Tunnel C2
- Wiz CIRT names JINX-0164 — LinkedIn-recruiter lures, AUDIOFIX macOS infostealer, MINIRAT npm pivot into CI/CD
- Iran MOIS attributed to LACMTA destructive breach via "Ababil of Minab" hacktivist front — 700 GB exfiltrated, backups and VMs deliberately destroyed
- MuddyWater / Seedworm — Symantec and Carbon Black document new DLL-side-loading pair via signed Fortemedia and SentinelOne binaries, ChromElevator for Chromium App-Bound Encryption bypass, Node.js orchestration
- Lithuania's Centre of Registers loses ~600,000 state-register records to abused institutional credentials; foreign-state actor suspected
- UPDATE: Nimbus Manticore (UNC1549 / Screening Serpens) — Check Point details MiniFast backdoor, Zoom-task hijacking and SEO-poisoning delivery
- Transport — Iran-MOIS destructive breach against LACMTA with deliberate backup and VM destruction
- ESET APT Activity Report Q4 2025–Q1 2026 — three state programmes converging on EU energy, defence and edge appliances
- GREYVIBE — independent corroboration; OPSEC slips enabled attribution; charity-front sub-campaign
- Unit 42 — Iran's Screening Serpens (UNC1549 / Smoke Sandstorm / Nimbus Manticore): AppDomainManager hijacking silently disables ETW + strong-name checks in six new RATs
- Unit 42 — ROADtools operationalised by Midnight Blizzard, Curious Serpens and UTA0355 for Entra ID device registration, token theft and tenant enumeration
- ANNUAL REPORT — Check Point Research March-April 2026 AI Threat Landscape Digest: a single operator runs two AI platforms in parallel to breach nine Mexican government agencies [SINGLE-SOURCE]
- UPDATE: Ghostwriter / UAC-0057 / FrostyNeighbor — CERT-UA documents new OYSTERFRESH → OYSTERBLUES → OYSTERSHUCK implant chain via Prometheus learning-platform lures
- Calypso/Red Lamassu (Bronze Medley) deploys Showboat (Linux) and JFMBackdoor (Windows) against telecoms — new implant pair disclosed by Lumen Black Lotus Labs and PwC Threat Intelligence
- Webworm (China-aligned) shifts to EU government targets — EchoCreep (Discord C2) and GraphWorm (Microsoft Graph / OneDrive C2) backdoors documented by ESET, with Belgian, Italian, Serbian, Polish and Spanish governmental victims
- Symantec / Carbon Black document Fast16 hook engine targeting LS-DYNA/AUTODYN nuclear-simulation codes; Kim Zetter corrects "pre-Stuxnet" framing to contemporaneous-and-simulation-sabotage
- Telecom — sustained pressure from espionage tradecraft and fragile carrier infrastructure
- Check Point Research March–April 2026 AI Threat Landscape Digest — operator-run AI platforms breach government agencies [SINGLE-SOURCE]
- Webworm (China-aligned; FishMonger / Aquatic Panda) — pivots to EU government targets
- Ghostwriter / UAC-0057 / FrostyNeighbor (Belarus-aligned) — new OYSTER implant chain
- Midnight Blizzard and others operationalise ROADtools for Entra ID abuse
- Screening Serpens / UNC1549 (Iran; Smoke Sandstorm / Nimbus Manticore) — AppDomainManager hijacking in six new RATs
- Calypso / Red Lamassu (Bronze Medley, China-aligned) — Showboat and JFMBackdoor against telecoms
- Public administration and government
- Secret Blizzard / Turla — Kazuar evolved into three-module P2P botnet, European government / diplomatic / defence sectors in scope
- FrostyNeighbor / Ghostwriter (UNC1151) — ESET analysis corroborated, Poland / Lithuania / Ukraine in EU scope
- Kaspersky GReAT documents Kimsuky's Rust-based HelloDoor and TryCloudflare-tunnel C2 added to the PebbleDash toolkit [SINGLE-SOURCE]
- Secret Blizzard (Turla / FSB Centre 16) evolves Kazuar into a three-module peer-to-peer botnet — worldwide ministries, embassies, defence sector targeted; European environments squarely in scope
- FrostyNeighbor / Ghostwriter (UNC1151, Belarus state-aligned): ESET documents March–May 2026 campaign targeting Polish, Lithuanian, and Ukrainian government and industrial sectors
- Hardening / detection summary
- CVE-2026-32202 — Windows Shell NTLM coercion; Akamai's PatchDiff-AI shows the residual zero-click path left by the CVE-2026-21510 patch
- Public-sector administration and digital identity (FR, EU, FI, CH)
- DAEMON Tools Lite supply-chain compromise — China-nexus QUIC RAT delivered via signed installers; ~12 selective government / scientific / manufacturing targets
- Europol IOCTA 2026
- Mandiant M-Trends 2026
- CL-STA-1132 (PAN-OS CVE-2026-0300 exploitation cluster, likely state-sponsored)
- UAT-8302 (China-nexus, Talos; SE European government victims)
- MuddyWater (Iran / MOIS) Chaos ransomware false-flag + Teams BEC
- Sandworm / GRU Unit 74455 — Bauman pipeline disclosure
- Bauman University "Department No. 4" — leaked GRU cyber-operator training pipeline reveals direct line to Sandworm and APT28 operations against European targets
- DAEMON Tools Lite supply chain — QUIC RAT deployed via signed installer; EU governments among targeted victims
- PamDOORa — malicious PAM module with credential interception, magic-password SSH access, and anti-forensic log manipulation, sold on Rehub cybercrime forum
- CVE-2026-32202 — Windows Shell NTLM coercion / credential capture, APT28 active against EU governments (CISA KEV deadline 2026-05-12)
- MuddyWater (Iran/MOIS) deploys Chaos ransomware as false flag; harvests credentials via Teams