Tag: nation-state
All items tagged nation-state.
- Threat actor: DPRK Sapphire Sleet escalates npm supply-chain attacks with the Mastra compromise
- Threat actor: FishMonger (I-SOON) ports SprySOCKS to Windows with a kernel-mode rootkit
- UPDATE: Mastra npm scope compromise attributed to North Korea, with the access vector our deep dive could not name
- ScarCruft (APT37) delivers NarwhalRAT behind fake Microsoft OTP "security alert" lures
- FishMonger (I-SOON) ports its SprySOCKS backdoor to Windows with a kernel-driver rootkit
- PRC UNC6508 ran year-plus espionage through internet-facing REDCap servers and a Google Workspace BCC rule
- DPRK UNK_DeadDrop weaponises VS Code / Cursor auto-run to hit developers, including EU targets
- CVE-2025-8088 — WinRAR path traversal: still fuelling Ukraine intrusions a year after the fix `[SINGLE-SOURCE]`
- Public administration — the week's centre of gravity
- CrowdStrike 2026 Technology Threat Landscape Report — "technology = most-targeted" reads as prophecy against this week's incidents `[SINGLE-SOURCE]`
- VerdantBamboo (UNC5221 / WARP PANDA) — BSD-compiled BRICKSTORM confirmed on pfSense, plus a new PLENET backdoor
- Velvet Ant "Operation Highland" — Sygnia documents decade-long Linux PAM/sshd subversion
- APT28 (GRU Unit 26165) — Sekoia documents a shift to LLM-generated payloads and cloud-native C2 `[SINGLE-SOURCE]`
- Cyber Europe 2026 tests the revised EU Cyber Blueprint and triggers the first live activation of the EU Cybersecurity Reserve
- Sekoia: APT28 (GRU Unit 26165) tradecraft shifts to LLM-generated payloads and cloud-native C2 [SINGLE-SOURCE]
- [SINGLE-SOURCE] ESET: OceanLotus (APT32) compromises a stock-trading platform's update server — selective SPECTRALVIPER delivery, no integrity checks to defeat
- Black Lotus Labs: the Volt Typhoon-linked JDY botnet doubles to 1,500+ devices and weaponises CVE disclosures within hours
- ANNUAL REPORT [SINGLE-SOURCE] — CrowdStrike 2026 Technology Threat Landscape Report: technology is now the most-targeted sector
- Unit 42: Microsoft Teams external-chat now a primary phishing surface for APT29 and UNC6692
- Gamaredon: GammaPhish → GammaWorm (NTFS ADS + USB) → GammaSteel (S3 exfil) — the week's most complete intrusion kill-chain disclosure [SINGLE-SOURCE Sekoia TDR]
- Public sector — most-targeted sector this week by volume and by operational severity
- Five Eyes "Safeguarding Our Secrets" — Chinese military intelligence systematically recruiting via LinkedIn and job platforms
- ENISA NIS360 2026 (3rd edition) — seven sectors in the persistent risk zone where criticality outpaces maturity
- VerdantBamboo / UNC5221 / WARP PANDA — 18-month undetected China-nexus intrusion through MSP pfSense [SINGLE-SOURCE]
- Gamaredon — GammaPhish / GammaWorm / GammaSteel: Russian FSB campaign with USB worm and S3 exfiltration (Sekoia TDR part one) [SINGLE-SOURCE Sekoia TDR]
- Germany's Gesetzentwurf zur Stärkung der Cybersicherheit: cabinet-approved active-cyberdefence powers for BKA, Bundespolizei and BSI
- EU 20th Russia sanctions package: managed security services prohibition in force since 25 May; Commission interpretive guidance outstanding
- Five Eyes joint bulletin: Chinese military intelligence recruiting cleared personnel through LinkedIn and job platforms
- OP-512: China-linked cluster runs a cryptographically-unique, self-reporting IIS web-shell framework against legacy .NET servers [SINGLE-SOURCE]
- VerdantBamboo (UNC5221 / WARP PANDA): an 18-month China-nexus intrusion that lived entirely on EDR-blind edge appliances and proxied into Microsoft 365 past Conditional Access `[SINGLE-SOURCE]`
- NCSC Switzerland warns of cyber operations around the G7 Évian summit (15–17 June)
- Operation XENOFISCAL: SideCopy (APT36) hits provincial treasury officials with XenoRAT via an mshta/HTA chain
- UPDATE: Gamaredon weaponises WinRAR CVE-2025-8088 and adds the GammaSteel stealer
- Sekoia consolidates Gamaredon tooling under GammaPhish / GammaWorm, details an NTFS-ADS USB+network worm
- GREYVIBE — newly documented Russia-nexus cluster deploys five parallel attack chains against Ukraine with AI-generated lures and two PowerShell RATs
- ANNUAL REPORT — ESET APT Activity Report Q4 2025–Q1 2026: Sandworm strikes NATO energy, Lazarus targets EU drone sector, UNC5221 pivots to Ivanti SPAWN toolset
- Kimsuky (Velvet Chollima) deploys HTTPSpy RAT and Rust-based HelloDoor via VS Code Remote Tunnel and Cloudflare Quick Tunnel C2
- Iran MOIS attributed to LACMTA destructive breach via "Ababil of Minab" hacktivist front — 700 GB exfiltrated, backups and VMs deliberately destroyed
- MuddyWater / Seedworm — Symantec and Carbon Black document new DLL-side-loading pair via signed Fortemedia and SentinelOne binaries, ChromElevator for Chromium App-Bound Encryption bypass, Node.js orchestration
- Lithuania's Centre of Registers loses ~600,000 state-register records to abused institutional credentials; foreign-state actor suspected
- UPDATE: Nimbus Manticore (UNC1549 / Screening Serpens) — Check Point details MiniFast backdoor, Zoom-task hijacking and SEO-poisoning delivery
- Transport — Iran-MOIS destructive breach against LACMTA with deliberate backup and VM destruction
- ESET APT Activity Report Q4 2025–Q1 2026 — three state programmes converging on EU energy, defence and edge appliances
- GREYVIBE — independent corroboration; OPSEC slips enabled attribution; charity-front sub-campaign
- Unit 42 — Iran's Screening Serpens (UNC1549 / Smoke Sandstorm / Nimbus Manticore): AppDomainManager hijacking silently disables ETW + strong-name checks in six new RATs
- Unit 42 — ROADtools operationalised by Midnight Blizzard, Curious Serpens and UTA0355 for Entra ID device registration, token theft and tenant enumeration
- ANNUAL REPORT — Rapid7 Q1 2026 Threat Landscape Report: vulnerability exploitation now top initial-access vector at 38 %; KEV median time to listing collapses to 5 days
- UPDATE: Ghostwriter / UAC-0057 / FrostyNeighbor — CERT-UA documents new OYSTERFRESH → OYSTERBLUES → OYSTERSHUCK implant chain via Prometheus learning-platform lures
- Calypso/Red Lamassu (Bronze Medley) deploys Showboat (Linux) and JFMBackdoor (Windows) against telecoms — new implant pair disclosed by Lumen Black Lotus Labs and PwC Threat Intelligence
- UPDATE: TeamPCP Mini Shai-Hulud — Unit 42 and StepSecurity confirm SLSA Build Level 3 attestation invalidated as integrity gate
- Webworm (China-aligned) shifts to EU government targets — EchoCreep (Discord C2) and GraphWorm (Microsoft Graph / OneDrive C2) backdoors documented by ESET, with Belgian, Italian, Serbian, Polish and Spanish governmental victims
- Huawei VRP enterprise-router zero-day caused POST Luxembourg nationwide telecom outage (July 2025) — no CVE filed 10 months later [SINGLE-SOURCE]
- Symantec / Carbon Black document Fast16 hook engine targeting LS-DYNA/AUTODYN nuclear-simulation codes; Kim Zetter corrects "pre-Stuxnet" framing to contemporaneous-and-simulation-sabotage
- Public administration — web-CMS and identity estate under multi-vector pressure
- Telecom — sustained pressure from espionage tradecraft and fragile carrier infrastructure
- Rapid7 Q1 2026 Threat Landscape Report — corroborates the structural shift; KEV-to-listing window collapsing
- Webworm (China-aligned; FishMonger / Aquatic Panda) — pivots to EU government targets
- Ghostwriter / UAC-0057 / FrostyNeighbor (Belarus-aligned) — new OYSTER implant chain
- Midnight Blizzard and others operationalise ROADtools for Entra ID abuse
- Screening Serpens / UNC1549 (Iran; Smoke Sandstorm / Nimbus Manticore) — AppDomainManager hijacking in six new RATs
- Calypso / Red Lamassu (Bronze Medley, China-aligned) — Showboat and JFMBackdoor against telecoms
- Public administration and government
- GTIG AI Threat Tracker (May 2026) — first AI-generated zero-day exploit ITW
- Secret Blizzard / Turla — Kazuar evolved into three-module P2P botnet, European government / diplomatic / defence sectors in scope
- FrostyNeighbor / Ghostwriter (UNC1151) — ESET analysis corroborated, Poland / Lithuania / Ukraine in EU scope
- Kaspersky GReAT documents Kimsuky's Rust-based HelloDoor and TryCloudflare-tunnel C2 added to the PebbleDash toolkit [SINGLE-SOURCE]
- Secret Blizzard (Turla / FSB Centre 16) evolves Kazuar into a three-module peer-to-peer botnet — worldwide ministries, embassies, defence sector targeted; European environments squarely in scope
- UAT-8616 exploits Cisco Catalyst SD-WAN CVE-2026-20182; 10+ clusters exploit companion February 2026 CVEs; CISA Emergency Directive ED-26-03 issued
- FrostyNeighbor / Ghostwriter (UNC1151, Belarus state-aligned): ESET documents March–May 2026 campaign targeting Polish, Lithuanian, and Ukrainian government and industrial sectors
- Sophos 2026 State of Identity Security: Switzerland records highest identity-breach incidence globally; energy and federal government hardest-hit sectors [SINGLE-SOURCE]
- Hardening / detection summary
- CVE-2026-0300 — Palo Alto PAN-OS Captive Portal unauthenticated root RCE; CL-STA-1132 active since 2026-04-09; no patch until 2026-05-13
- CL-STA-1132 — PAN-OS CVE-2026-0300 exploitation cluster: disclosure-to-deadline-to-deadline-expiry inside the window
- CVE-2026-32202 — Windows Shell NTLM coercion; Akamai's PatchDiff-AI shows the residual zero-click path left by the CVE-2026-21510 patch
- Critical infrastructure water (PL)
- Europol IOCTA 2026
- Mandiant M-Trends 2026
- ABW (Poland) 2025 Annual Report — APT28/APT29/UNC1151 tri-attribution on small-municipal water facilities
- CL-STA-1132 (PAN-OS CVE-2026-0300 exploitation cluster, likely state-sponsored)
- UAT-8302 (China-nexus, Talos; SE European government victims)
- MuddyWater (Iran / MOIS) Chaos ransomware false-flag + Teams BEC
- APT28 / APT29 / UNC1151 (Polish water OT)
- Sandworm / GRU Unit 74455 — Bauman pipeline disclosure
- Bauman University "Department No. 4" — leaked GRU cyber-operator training pipeline reveals direct line to Sandworm and APT28 operations against European targets
- PamDOORa — malicious PAM module with credential interception, magic-password SSH access, and anti-forensic log manipulation, sold on Rehub cybercrime forum
- UPDATE: Ivanti EPMM CVE-2026-5787 / CVE-2026-6973 — KEV deadline TOMORROW (2026-05-10); EU victim organisations named; 508 internet-exposed EU instances
- UPDATE: Polish water OT intrusions — ABW annual report names five facilities; APT28 / APT29 / UNC1151 formally attributed; NIS2 enforcement context
- CVE-2026-32202 — Windows Shell NTLM coercion / credential capture, APT28 active against EU governments (CISA KEV deadline **2026-05-12**)
- Pro-Russian hacktivists modify OT pump settings at five Polish water treatment facilities
- MuddyWater (Iran/MOIS) deploys Chaos ransomware as false flag; harvests credentials via Teams
- CVE-2026-32202 — Windows Shell NTLM coercion, APT28 ITW (CVSS 4.3, CISA KEV deadline 2026-05-12)