APT List - 2026

| DATE | NAME | Info | CATEG. | WEB |
|---|---|---|---|---|
| 7.3.26 | Iran-Linked MuddyWater Hackers Target U.S. Networks With New Dindoor Backdoor | New research from Broadcom's Symantec and Carbon Black Threat Hunter Team has discovered evidence of an Iranian hacking group embedding itself in | APT | The Hacker News |
| 6.3.26 | China-Linked Hackers Use TernDoor, PeerTime, BruteEntry in South American Telecom Attacks | A China-linked advanced persistent threat (APT) actor has been targeting critical telecommunications infrastructure in South America since 2024, | APT | The Hacker News |
| 6.3.26 | APT28-Linked Campaign Deploys BadPaw Loader and MeowMeow Backdoor in Ukraine | Cybersecurity researchers have disclosed details of a new Russian cyber campaign that has targeted Ukrainian entities with two previously | APT | The Hacker News |
| 4.3.26 | APT41-Linked Silver Dragon Targets Governments Using Cobalt Strike and Google Drive C2 | Cybersecurity researchers have disclosed details of an advanced persistent threat (APT) group dubbed Silver Dragon that has been linked to cyber attacks | APT | The Hacker News |
| 3.3.26 | SloppyLemming Targets Pakistan and Bangladesh Governments Using Dual Malware Chains | The threat activity cluster known as SloppyLemming has been attributed to a fresh set of attacks targeting government entities and critical infrastructure | APT | The Hacker News |
| 2.3.26 | APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday | A recently disclosed security flaw patched by Microsoft may have been exploited by the Russia-linked state-sponsored threat actor known as APT28, | APT | The Hacker News |
| 2.3.26 | North Korean Hackers Publish 26 npm Packages Hiding Pastebin C2 for Cross-Platform RAT | Cybersecurity researchers have disclosed a new iteration of the ongoing Contagious Interview campaign, where the North Korean threat actors have | APT | The Hacker News |
| 1.3.26 | APT37 hackers use new malware to breach air-gapped networks | North Korean hackers are deploying newly uncovered tools to move data between internet-connected and air-gapped systems, spread via removable drives, and conduct covert surveillance. | APT | |
| 28.2.26 | North Korean Lazarus group linked to Medusa ransomware attacks | North Korean state-backed hackers associated with the Lazarus threat group are targeting U.S. healthcare organizations in extortion attacks using the Medusa ransomware. | APT | |
| 26.2.26 | UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor | A previously undocumented threat activity cluster has been attributed to an ongoing malicious campaign targeting education and healthcare sectors in the | APT | The Hacker News |
| 24.2.26 | UAC-0050 Targets European Financial Institution With Spoofed Domain and RMS Malware | A Russia-aligned threat actor has been observed targeting a European financial institution as part of a social engineering attack to likely facilitate | APT | The Hacker News |
| 24.2.26 | UnsolicitedBooker Targets Central Asian Telecoms With LuciDoor and MarsSnake Backdoors | The threat activity cluster known as UnsolicitedBooker has been observed targeting telecommunications companies in Kyrgyzstan and Tajikistan, marking a shift from prior attacks aimed at Saudi Arabian entities. The attacks | APT | The Hacker News |
| 24.2.26 | APT28 Targeted European Entities Using Webhook-Based Macro Malware | The Russia-linked state-sponsored threat actor tracked as APT28 has been attributed to a new campaign targeting specific entities in Western and Central | APT | The Hacker News |
| 23.2.26 | MuddyWater Targets MENA Organizations with GhostFetch, CHAR, and HTTP_VIP | The Iranian hacking group known as MuddyWater (aka Earth Vetala, Mango Sandstorm, and MUDDYCOAST) has targeted several organizations and | APT | The Hacker News |
| 22.2.26 | Texas sues TP-Link over Chinese hacking risks, user deception | Texas sued networking giant TP-Link Systems, accusing the company of deceptively marketing its routers as secure while allowing Chinese state-backed hackers to exploit firmware vulnerabilities and access users' devices. | APT | |
| 21.2.26 | Chinese hackers exploiting Dell zero-day flaw since mid-2024 | A suspected Chinese state-backed hacking group has been quietly exploiting a critical Dell security flaw in zero-day attacks that started in mid-2024. | APT | |
| 18.2.26 | From BRICKSTORM to GRIMBOLT: UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day | Mandiant and Google Threat Intelligence Group (GTIG) have identified the zero-day exploitation of a high-risk vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769, with a CVSSv3.1 score of 10.0. | APT | GTI |
| 15.2.26 | Fake job recruiters hide malware in developer coding challenges | A new variation of the fake recruiter campaign from North Korean threat actors is targeting JavaScript and Python developers with cryptocurrency-related tasks. | APT | |
| 13.2.26 | Google Links China, Iran, Russia, North Korea to Coordinated Defense Sector Cyber Operations | Several state-sponsored actors, hacktivist entities, and criminal groups from China, Iran, North Korea, and Russia have trained their sights on the defense | APT | The Hacker News |
| 13.2.26 | Lazarus Campaign Plants Malicious Packages in npm and PyPI Ecosystems | Cybersecurity researchers have discovered a fresh set of malicious packages across npm and the Python Package Index (PyPI) repository linked to a fake | APT | The Hacker News |
| 11.2.26 | APT36 and SideCopy Launch Cross-Platform RAT Campaigns Against Indian Entities | Indian defense sector and government-aligned organizations have been targeted by multiple campaigns that are designed to compromise Windows | APT | The Hacker News |
| 11.2.26 | DPRK Operatives Impersonate Professionals on LinkedIn to Infiltrate Companies | The information technology (IT) workers associated with the Democratic People's Republic of Korea (DPRK) are now applying to remote positions using | APT | The Hacker News |
| 10.2.26 | China-Linked UNC3886 Targets Singapore Telecom Sector in Cyber Espionage Campaign | The Cyber Security Agency (CSA) of Singapore on Monday revealed that the China-nexus cyber espionage group known as UNC3886 targeted its | APT | The Hacker News |
| 9.2.26 | Bloody Wolf Targets Uzbekistan, Russia Using NetSupport RAT in Spear-Phishing Campaign | The threat actor known as Bloody Wolf has been linked to a campaign targeting Uzbekistan and Russia to infect systems with a remote access trojan | APT | The Hacker News |
| 8.2.26 | New Amaranth Dragon cyberespionage group exploits WinRAR flaw | A new threat actor called Amaranth Dragon, linked to APT41 state-sponsored Chinese operations, exploited the CVE-2025-8088 vulnerability in WinRAR in espionage attacks on government and law enforcement agencies. | APT | |
| 7.2.26 | Notepad++ update feature hijacked by Chinese state hackers for months | Chinese state-sponsored threat actors were likely behind the hijacking of Notepad++ update traffic last year that lasted for almost half a year, the developer states in an official announcement today. | APT | |
| 7.2.26 | Mandiant details how ShinyHunters abuse SSO to steal cloud data | Mandiant says a wave of recent ShinyHunters SaaS data-theft attacks is being fueled by targeted voice phishing (vishing) attacks and company-branded phishing sites that steal single sign-on (SSO) credentials and multi-factor authentication (MFA) codes. | APT | |
| 6.2.26 | China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking, Malware Delivery | Cybersecurity researchers have taken the wraps off a gateway-monitoring and adversary-in-the-middle (AitM) framework dubbed DKnife that's operated by | APT | The Hacker News |
| 6.2.26 | Asian State-Backed Group TGR-STA-1030 Breaches 70 Government, Infrastructure Entities | A previously undocumented cyber espionage group operating from Asia broke into the networks of at least 70 government and critical infrastructure | APT | The Hacker News |
| 5.2.26 | Prince of Persia, Part II: Covering Tracks, Striking Back & a Revealing Link to the Iranian Regime Amid the Country’s Internet Blackout | Get SafeBreach Labs’s latest update on the threat actor, including new details about their Telegram attack vector, a strike back attempt at SafeBreach researchers, the discovery of a new Tornado malware variant, and activity that indicates a definitive connection to the Iranian government. | APT | SAFEBREACH |
| 5.2.26 | Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends | The elusive Iranian threat group known as Infy (aka Prince of Persia) has evolved its tactics as part of efforts to hide its tracks, even as it readied new | APT | The Hacker News |
| 4.2.26 | China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns | Threat actors affiliated with China have been attributed to a fresh set of cyber espionage campaigns targeting government and law enforcement agencies | APT | The Hacker News |
| 3.2.26 | APT28 Uses Microsoft Office CVE-2026-21509 in Espionage-Focused Malware Attacks | The Russia-linked state-sponsored threat actor known as APT28 (aka UAC-0001) has been attributed to attacks exploiting a newly disclosed security flaw | APT | The Hacker News |
| 3.2.26 | Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom Hacking Group | A China-linked threat actor known as Lotus Blossom has been attributed with medium confidence to the recently discovered compromise of the | APT | The Hacker News |
| 31.1.26 | Iran-Linked RedKitten Cyber Campaign Targets Human Rights NGOs and Activists | A Farsi-speaking threat actor aligned with Iranian state interests is suspected to be behind a new campaign targeting non-governmental organizations and | APT | The Hacker News |
| 31.1.26 | China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware | Cybersecurity researchers have discovered a new campaign attributed to a China-linked threat actor known as UAT-8099 that took place between late | APT | The Hacker News |
| 28.1.26 | APT Attacks Target Indian Government Using GOGITTER, GITSHELLPAD, and GOSHELL (Part 1) | In September 2025, Zscaler ThreatLabz identified two campaigns, tracked as Gopher Strike and Sheet Attack, by a threat actor that operates in Pakistan and primarily targets entities in the Indian government. | APT | ZSCALER |
| 28.1.26 | Experts Detect Pakistan-Linked Cyber Campaigns Aimed at Indian Government Entities | Indian government entities have been targeted in two campaigns undertaken by a threat actor that operates in Pakistan using previously undocumented | APT | The Hacker News |
| 25.1.26 | Sandworm hackers linked to failed wiper attack on Poland’s energy systems | A cyberattack targeting Poland's power grid in late December 2025 has been linked to the Russian state-sponsored hacking group Sandworm, which attempted to deploy a new destructive data-wiping malware dubbed DynoWiper during the attack. | APT | |
| 25.1.26 | Konni hackers target blockchain engineers with AI-built malware | The North Korean hacker group Konni (Opal Sleet, TA406) is using AI-generated PowerShell malware to target developers and engineers in the blockchain sector. | APT | |
| 25.1.26 | UK govt. warns about ongoing Russian hacktivist group attacks | The U.K. government is warning of continued malicious activity from Russian-aligned hacktivist groups targeting critical infrastructure and local government organizations in the country in disruptive denial-of-service (DDoS) attacks. | APT | |
| 22.1.26 | North Korean PurpleBravo Campaign Targeted 3,136 IP Addresses via Fake Job Interviews | As many as 3,136 individual IP addresses linked to likely targets of the Contagious Interview activity have been identified, with the campaign claiming | APT | The Hacker News |
| 22.1.26 | North Korea-Linked Hackers Target Developers via Malicious VS Code Projects | The North Korean threat actors associated with the long-running Contagious Interview campaign have been observed using malicious Microsoft Visual | APT | The Hacker News |
| 18.1.26 | China-linked hackers exploited Sitecore zero-day for initial access | An advanced threat actor tracked as UAT-8837 and believed to be linked to China has been focusing on critical infrastructure systems in North America, gaining access by exploiting both known and zero-day vulnerabilities. | APT | |
| 16.1.26 | China-Linked APT Exploits Sitecore Zero-Day in Attacks on American Critical Infrastructure | A threat actor likely aligned with China has been observed targeting critical infrastructure sectors in North America since at least last year. Cisco Talos, which is tracking the activity | APT | The Hacker News |
| 11.1.26 | New China-linked hackers breach telcos using edge device exploits | A sophisticated threat actor that uses Linux-based malware to target telecommunications providers has recently broadened its operations to include organizations in Southeastern Europe. | APT | |
| 10.1.26 | FBI warns about Kimsuky hackers using QR codes to phish U.S. orgs | The North Korean state-sponsored hacker group Kimsuky is using malicious QR codes in spearphishing campaigns that target U.S. organizations, the Federal Bureau of Investigation warns in a flash alert. | APT | |
| 10.1.26 | China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines | Chinese-speaking threat actors are suspected to have leveraged a compromised SonicWall VPN appliance as an initial access vector to deploy a VMware ESXi exploit that may have | APT | The Hacker News |
| 10.1.26 | Russian APT28 Runs Credential-Stealing Campaign Targeting Energy and Policy Organizations | Russian state-sponsored threat actors have been linked to a fresh set of credential harvesting attacks targeting individuals associated with a Turkish energy and nuclear | APT | The Hacker News |
| 8.1.26 | China-Linked UAT-7290 Targets Telecoms with Linux Malware and ORB Nodes | A China-nexus threat actor known as UAT-7290 has been attributed to espionage-focused intrusions against entities in South Asia and Southeastern Europe. The activity cluster, which | APT | The Hacker News |
| 6.1.26 | Russia-Aligned Hackers Abuse Viber to Target Ukrainian Military and Government | The Russia-aligned threat actor known as UAC-0184 has been observed targeting Ukrainian military and government entities by leveraging the Viber messaging platform to deliver | APT | The Hacker News |