DATE | NAME | INFO | CATEGORY | SUB |
28.5.24 | Swan Vector APT campaign | A new APT campaign, dubbed “Swan Vector”, has been targeting East Asian nations, particularly Japan and Taiwan. | APT | |
27.5.24 | Russia-Linked Hackers Target Tajikistan Government with Weaponized Word Documents | The Russia-aligned threat actor known as TAG-110 has been observed conducting a spear-phishing campaign targeting Tajikistan using macro-enabled Word templates | APT | The Hacker News |
24.5.24 | Operation Sindoor – Anatomy of a Digital Siege | Overview Seqrite Labs, India’s largest Malware Analysis lab, has identified multiple cyber events linked to Operation Sindoor, involving state-sponsored APT activity and coordinated hacktivist operations. Observed tactics included spear phishing, deployment of malicious scripts, website defacements, and unauthorized data.. | APT blog | Seqrite |
24.5.24 | Earth Ammit Disrupts Drone Supply Chains Through Coordinated Multi-Wave Attacks in Taiwan | Trend™ Research discusses the evolving tradecraft of threat actor Earth Ammit, proven by the advanced toolset used in its TIDRONE and VENOM campaigns that targeted the drone supply chain. | APT blog | Trend Micro |
24.5.24 | Earth Ammit Disrupts Drone Supply Chains Through Coordinated Multi-Wave Attacks in Taiwan | In July 2024, we disclosed the TIDRONE campaign, in which threat actors targeted Taiwan’s military and satellite industries. During our investigation, we discovered that multiple compromised entities were using the same enterprise resource planning (ERP) software. | APT blog | Trend Micro |
24.5.24 | Iranian Cyber Actors Impersonate Model Agency in Suspected Espionage Operation | Unit 42 recently identified suspected covert Iranian infrastructure impersonating a German model agency. This infrastructure hosted a fraudulent website designed to mimic the authentic agency’s branding and content. | APT blog | Palo Alto |
24.5.24 | The who, where, and how of APT attacks in Q4 2024–Q1 2025 | An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q4 2024 and Q1 2025 | APT blog | Eset |
24.5.24 | ESET APT Activity Report Q4 2024–Q1 2025 | An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q4 2024 and Q1 2025 | APT blog | Eset |
22.5.24 | Russian Hackers Exploit Email and VPN Vulnerabilities to Spy on Ukraine Aid Logistics | Russian cyber threat actors have been attributed to a state-sponsored campaign targeting Western logistics entities and technology companies since 2022. The | APT | The Hacker News |
20.5.24 | South Asian Ministries Hit by SideWinder APT Using Old Office Flaws and Custom Malware | High-level government institutions in Sri Lanka, Bangladesh, and Pakistan have emerged as the target of a new campaign orchestrated by a threat actor known as | APT | The Hacker News |
22.5.24 | SideWinder APT using old Office Vulnerabilities | A new cyber-espionage campaign by the APT group SideWinder has been targeting high-profile government institutions in Bangladesh, Pakistan, and Sri Lanka. The attackers leverage spear-phishing lures paired with geofenced payloads to ensure that only victims in specific countries receive the malicious content. To activate the infection process and deploy the StealerBot malware, a combined exploitation of old vulnerabilities (CVE-2017-0199 and CVE-2017-11882) takes place. | ALERTS | APT |
18.5.24 | Government webmail hacked via XSS bugs in global spy campaign | Hackers are running a worldwide cyberespionage campaign dubbed 'RoundPress,' leveraging zero-day and n-day flaws in webmail servers to steal email from high-value government organizations. | APT | BleepingComputer |
17.5.24 | North Korea ramps up cyberspying in Ukraine to assess war risk | The state-backed North Korean threat group Konni (Opal Sleet, TA406) was observed targeting Ukrainian government entities in intelligence collection operations. | APT | BleepingComputer |
17.5.24 | APT GROUP123 | Group123 is a North Korean state-sponsored advanced persistent threat (APT) group active since at least 2012. | APT blog | Cyfirma |
17.5.24 | APT PROFILE : Transparent Tribe aka APT36 | APT36, also known as Transparent Tribe, is a Pakistan-based advanced persistent threat (APT) group active since at least 2013. | APT blog | Cyfirma |
17.5.24 | Earth Ammit Disrupts Drone Supply Chains Through Coordinated Multi-Wave Attacks in Taiwan | Trend™ Research discusses the evolving tradecraft of threat actor Earth Ammit, proven by the advanced toolset used in its TIDRONE and VENOM campaigns that targeted the drone supply chain. | APT blog | Trend Micro |
17.5.24 | Iranian Cyber Actors Impersonate Model Agency in Suspected Espionage Operation | Unit 42 recently identified suspected covert Iranian infrastructure impersonating a German model agency. This infrastructure hosted a fraudulent website designed to mimic the authentic agency’s branding and content. | APT blog | Palo Alto |
15.5.24 | Russia-Linked APT28 Exploited MDaemon Zero-Day to Hack Government Webmail Servers | A Russia-linked threat actor has been attributed to a cyber espionage operation targeting webmail servers such as Roundcube, Horde, MDaemon, and Zimbra via | APT | |
14.5.24 | Earth Ammit Disrupts Drone Supply Chains Through Coordinated Multi-Wave Attacks in Taiwan | Trend™ Research discusses the evolving tradecraft of threat actor Earth Ammit, proven by the advanced toolset used in its TIDRONE and VENOM campaigns that targeted the drone supply chain. | APT | Trend Micro |
14.5.24 | Earth Ammit Breached Drone Supply Chains via ERP in VENOM, TIDRONE Campaigns | A cyber espionage group known as Earth Ammit has been linked to two related but distinct campaigns from 2023 to 2024 targeting various entities in Taiwan and | APT | The Hacker News |
14.5.24 | China-Linked APTs Exploit SAP CVE-2025-31324 to Breach 581 Critical Systems Worldwide | A recently disclosed critical security flaw impacting SAP NetWeaver is being exploited by multiple China-nexus nation-state actors to target critical infrastructure | APT | The Hacker News |
13.5.24 | North Korean Konni APT Targets Ukraine with Malware to track Russian Invasion Progress | The North Korea-linked threat actor known as Konni APT has been attributed to a phishing campaign targeting government entities in Ukraine, indicating the threat | APT | |
10.5.24 | OtterCookie v4 Adds VM Detection and Chrome, MetaMask Credential Theft Capabilities | The North Korean threat actors behind the Contagious Interview campaign have been observed using updated versions of a cross-platform malware called | APT | The Hacker News |
9.5.24 | Earth Kasha threat actor targets Taiwan and Japan in a recent campaign | As recently reported by the researchers from Trend Micro, Earth Kasha threat group continues to target users in Taiwan and Japan. The attackers leverage a dropper malware dubbed RoamingMouse that comes in the form of a macro-enabled MS Excel file. | APT | |
8.5.24 | Earth Kasha Updates TTPs in Latest Campaign Targeting Taiwan and Japan | This blog discusses the latest modifications observed in Earth Kasha’s TTPs from their latest campaign detected in March 2025 targeting Taiwan and Japan. | APT | Trend Micro |
2.5.24 | ClickFix social engineering tactic being used by various APT groups | ClickFix has gained traction in targeted espionage operations across multiple APT groups from North Korea, Iran, and Russia. This is a social engineering tactic where malicious websites impersonate legitimate software or document sharing platforms. | APT | |
2.5.24 | Iranian threat actor targeted critical Middle Eastern infrastructure | Researchers at Fortinet have recently published their investigation into an Iranian threat actor's attack against critical infrastructure in the Middle East. | APT | |
2.5.24 | France ties Russian APT28 hackers to 12 cyberattacks on French orgs | Today, the French foreign ministry blamed the APT28 hacking group linked to Russia's military intelligence service (GRU) for targeting or breaching a dozen French entities over the last four years. | APT | BleepingComputer |
30.4.25 | Chinese Hackers Abuse IPv6 SLAAC for AitM Attacks via Spellbinder Lateral Movement Tool | A China-aligned advanced persistent threat (APT) group called TheWizards has been linked to a lateral movement tool called Spellbinder that can facilitate | APT | The Hacker News |
29.4.25 | Multi-Stage malware campaign targeting South Korean entities linked to Konni APT | A sophisticated multi-stage malware campaign potentially linked to the North Korean Konni APT group has been observed targeting entities primarily in South Korea. The attack begins with a ZIP file containing a disguised .lnk shortcut which executes an obfuscated PowerShell script designed to download and run additional malicious payloads. | APT | |
29.4.25 | Earth Kurma APT Campaign Targets Southeast Asian Government, Telecom Sectors | An APT group dubbed Earth Kurma is actively targeting government and telecommunications organizations in Southeast Asia using advanced malware, rootkits, and trusted cloud services to conduct cyberespionage. | APT blog | Trend Micro |
28.4.25 | SentinelOne Uncovers Chinese Espionage Campaign Targeting Its Infrastructure and Clients | Cybersecurity company SentinelOne has revealed that a China-nexus threat cluster dubbed PurpleHaze conducted reconnaissance attempts against its infrastructure | APT | The Hacker News |
28.4.25 | Earth Kurma Targets Southeast Asia With Rootkits and Cloud-Based Data Theft Tools | Government and telecommunications sectors in Southeast Asia have become the target of a "sophisticated" campaign undertaken by a new advanced persistent | APT | The Hacker News |
27.4.25 | Storm-1977 Hits Education Clouds with AzureChecker, Deploys 200+ Crypto Mining Containers | Microsoft has revealed that a threat actor it tracks as Storm-1977 has conducted password spraying attacks against cloud tenants in the education sector over the | APT | The Hacker News |
27.4.25 | FBI seeks help to unmask Salt Typhoon hackers behind telecom breaches | The FBI has asked the public for information on Chinese Salt Typhoon hackers behind widespread breaches of telecommunications providers in the United States and worldwide. | APT | |
27.4.25 | Hackers abuse OAuth 2.0 workflows to hijack Microsoft 365 accounts | In a recent espionage campaign, the infamous North Korean threat group Lazarus targeted multiple organizations in the software, IT, finance, and telecommunications sectors in South Korea. | APT | BleepingComputer |
26.4.25 | Lazarus hackers breach six companies in watering hole attacks | In a recent espionage campaign, the infamous North Korean threat group Lazarus targeted multiple organizations in the software, IT, finance, and telecommunications sectors in South Korea. | APT | |
25.4.25 | False Face: Unit 42 Demonstrates the Alarming Ease of Synthetic Identity Creation | Evidence suggests that North Korean IT workers are using real-time deepfake technology to infiltrate organizations through remote work positions, which poses significant security, legal and compliance risks. The detection strategies we outline in this report provide security and HR teams with practical guidance to strengthen their hiring processes against this threat. | APT blog | Palo Alto |
25.4.25 | Contagious Interview (DPRK) Launches a New Campaign Creating Three Front Companies to Deliver a Trio of Malware: BeaverTail, InvisibleFerret, and OtterCookie | Silent Push Threat Analysts have uncovered three cryptocurrency companies that are actually fronts for the North Korean advanced persistent threat (APT) group Contagious Interview: BlockNovas LLC, Angeloper Agency, and SoftGlide LLC. | APT blog | Silent Push |
25.4.25 | SK Telecom warns customer USIM data exposed in malware attack | South Korea's largest mobile operator, SK Telecom, is warning that a malware infection allowed threat actors to access sensitive USIM-related information for customers. | APT | |
25.4.25 | North Korean Hackers Spread Malware via Fake Crypto Firms and Job Interview Lures | North Korea-linked threat actors behind the Contagious Interview have set up front companies as a way to distribute malware during the fake hiring process. "In this | APT | The Hacker News |
24.4.25 | Lazarus Hits 6 South Korean Firms via Cross EX, Innorix Zero-Day and ThreatNeedle Malware | At least six organizations in South Korea have been targeted by the prolific North Korea-linked Lazarus Group as part of a campaign dubbed Operation SyncHole. | APT | The Hacker News |
24.4.25 | DPRK Hackers Steal $137M from TRON Users in Single-Day Phishing Attack | Multiple threat activity clusters with ties to North Korea (aka Democratic People's Republic of Korea or DPRK) have been linked to attacks targeting organizations and | APT | The Hacker News |
24.4.25 | Billbug APT continues campaigns in Southeast Asia | The Billbug espionage group (aka Lotus Blossom, Lotus Panda, Bronze Elgin) compromised multiple organizations in a single Southeast Asian country during an intrusion campaign that ran between August 2024 and February 2025. | APT | |
23.4.25 | Iran-Linked Hackers Target Israel with MURKYTOUR Malware via Fake Job Campaign | The Iran-nexus threat actor known as UNC2428 has been observed delivering a backdoor known as MURKYTOUR as part of a job-themed social engineering | APT | The Hacker News |
22.4.25 | Microsoft Secures MSA Signing with Azure Confidential VMs Following Storm-0558 Breach | Microsoft on Monday announced that it has moved the Microsoft Account (MSA) signing service to Azure confidential virtual machines (VMs) and that it is also in the process of migrating the Entra ID signing service. | APT | APT |
22.4.25 | Lotus Panda Hacks SE Asian Governments With Browser Stealers and Sideloaded Malware | The China-linked cyber espionage group tracked as Lotus Panda has been attributed to a campaign that compromised multiple organizations in an unnamed | APT | APT |
22.4.25 | Kimsuky Exploits BlueKeep RDP Vulnerability to Breach Systems in South Korea and Japan | Cybersecurity researchers have flagged a new malicious campaign related to the North Korean state-sponsored threat actor known as Kimsuky that exploits a now- | APT | APT |
22.4.25 | Hackers Abuse Russian Bulletproof Host Proton66 for Global Attacks and Malware Delivery | Cybersecurity researchers have disclosed a surge in "mass scanning, credential brute-forcing, and exploitation attempts" originating from IP addresses associated | APT | APT |
21.4.25 | State-sponsored hackers embrace ClickFix social engineering tactic | ClickFix attacks are being increasingly adopted by threat actors of all levels, with researchers now seeing multiple advanced persistent threat (APT) groups from North Korea, Iran, and Russia utilizing the tactic to breach networks. | APT | APT |
21.4.25 | APT29 Deploys GRAPELOADER Malware Targeting European Diplomats Through Wine-Tasting Lures | The Russian state-sponsored threat actor known as APT29 has been linked to an advanced phishing campaign that's targeting diplomatic entities across Europe with | APT | APT |
20.4.25 | Midnight Blizzard deploys new GrapeLoader malware in embassy phishing | Russian state-sponsored espionage group Midnight Blizzard is behind a new spear-phishing campaign targeting diplomatic entities in Europe, including embassies. | APT | APT |
19.4.25 | We discovered China-nexus threat actors deployed custom backdoors on Juniper Networks’ Junos OS routers. | APT blog | APT blog | |
19.4.25 | Executive Summary Check Point Research has been observing a sophisticated phishing campaign conducted by Advanced ... | APT blog | APT blog | |
19.4.25 | APT PROFILE – EARTH ESTRIES | Earth Estries is a Chinese Advanced Persistent Threat (APT) group that has gained prominence for its sophisticated cyber espionage activities targeting critical infrastructure and | APT blog | APT blog |
19.4.25 | Cyber Espionage Among Allies: Strategic Posturing in an Era of Trade Tensions | Executive Summary In the past decade, a pattern of cyber operations and espionage between the United States and its allies has emerged, complicating relationships traditionally | APT blog | APT blog |
19.4.25 | Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware | Slow Pisces (aka Jade Sleet, TraderTraitor, PUKCHONG) is a North Korean state-sponsored threat group primarily focused on generating revenue for the DPRK regime, typically by targeting large organizations in the cryptocurrency sector. This article analyzes their campaign that we believe is connected to recent cryptocurrency heists. | APT blog | APT blog |
19.4.25 | Renewed APT29 Phishing Campaign Against European Diplomats | Check Point Research has been tracking an advanced phishing campaign conducted by APT29, a Russia linked threat group, which is targeting diplomatic entities across Europe. | APT blog | APT blog |
18.4.25 | A recent campaign attributed to the Fritillary APT group | A new malicious campaign targeting diplomatic entities in Europe has been attributed to the cyberespionage group called Fritillary (aka Midnight Blizzard, APT29). According to recent research by Check Point, the attackers have been leveraging a new custom malware loader dubbed GrapeLoader as well as an updated variant of the WineLoader backdoor. | APT | |
18.4.25 | Mustang Panda Targets Myanmar With StarProxy, EDR Bypass, and TONESHELL Updates | The China-linked threat actor known as Mustang Panda has been attributed to a cyber attack targeting an unspecified organization in Myanmar with previously | APT | APT |
15.4.25 | Crypto Developers Targeted by Python Malware Disguised as Coding Challenges | The North Korea-linked threat actor assessed to be behind the massive Bybit hack in February 2025 has been linked to a malicious campaign that targets developers | APT | APT |
12.4.25 | Goodbye HTA, Hello MSI: New TTPs and Clusters of an APT driven by Multi-Platform Attacks | Seqrite Labs APT team has uncovered new tactics of Pakistan-linked SideCopy APT deployed since the last week of December 2024. The group has expanded its scope of targeting beyond Indian government, defence, maritime sectors, and university students to now. | APT blog | APT blog |
12.4.25 | Kimsuky: A Continuous Threat to South Korea with Deceptive Tactics | Kimsuky: A Continuous Threat to South Korea with Deceptive Tactics. Contents: Introduction; Infection Chain; Initial Findings; Campaign 1 (Looking into PDF document); Campaign 2 (Looking into PDF document); Technical Analysis (Campaign 1 & 2); Conclusion; Seqrite Protection; MITRE ATT&CK... | APT blog | APT blog |
9.4.25 | Springtail APT group targets South Korean government entities | The Springtail (aka Kimsuky) APT group recently engaged in campaigns targeting South Korean government entities. The campaigns leveraged government-themed messaging (one being tax related and another regarding a policy on the topic of sex offenders) to distribute malicious LNK files as malspam attachments. | ALERTS | ALERTS |
5.4.25 | North Korean IT worker army expands operations in Europe | North Korea's IT workers have expanded operations beyond the United States and are now increasingly targeting organizations across Europe. | APT | APT |
4.4.25 | North Korean hackers adopt ClickFix attacks to target crypto firms | The notorious North Korean Lazarus hacking group has reportedly adopted 'ClickFix' tactics to deploy malware targeting job seekers in the cryptocurrency industry, particularly centralized finance (CeFi). | APT | APT |
4.4.25 | Lazarus Group Targets Job Seekers With ClickFix Tactic to Deploy GolangGhost Malware | The North Korean threat actors behind Contagious Interview have adopted the increasingly popular ClickFix social engineering tactic to lure job seekers in the | APT | APT |
2.4.25 | FIN7 Deploys Anubis Backdoor to Hijack Windows Systems via Compromised SharePoint Sites | The financially motivated threat actor known as FIN7 has been linked to a Python-based backdoor called Anubis (not to be confused with an Android banking trojan | APT | APT |
1.4.25 | China-Linked Earth Alux Uses VARGEIT and COBEACON in Multi-Stage Cyber Intrusions | Cybersecurity researchers have shed light on a new China-linked threat actor called Earth Alux that has targeted various key sectors such as government, | APT | APT |
29.3.25 | FamousSparrow resurfaces to spy on targets in the US, Latin America | Once thought to be dormant, the China-aligned group has also been observed using the privately-sold ShadowPad backdoor for the first time | APT blog | APT blog |
29.3.25 | You will always remember this as the day you finally caught FamousSparrow | ESET researchers uncover the toolset used by the FamousSparrow APT group, including two undocumented versions of the group’s signature backdoor, SparrowDoor | APT blog | APT blog |
27.3.25 | APT36 Spoofs India Post Website to Infect Windows and Android Users with Malware | An advanced persistent threat (APT) group with ties to Pakistan has been attributed to the creation of a fake website masquerading as India's public sector postal system as part of a campaign designed to infect both Windows and | APT | APT |
27.3.25 | New SparrowDoor Backdoor Variants Found in Attacks on U.S. and Mexican Organizations | The Chinese threat actor known as FamousSparrow has been linked to a cyber attack targeting a trade group in the United States and a research institute in | APT | APT |
23.3.25 | US removes sanctions against Tornado Cash crypto mixer | The U.S. Department of Treasury announced today that it has removed sanctions against the Tornado Cash cryptocurrency mixer, which North Korean Lazarus hackers used to launder hundreds of millions stolen in multiple crypto heists. | APT | APT |
27.3.25 | APT36 TURNING AID INTO ATTACK | TURNING AID INTO ATTACK: EXPLOITATION OF PAKISTAN’S YOUTH LAPTOP SCHEME TO TARGET INDIA | BLOG | BLOG |
22.3.25 | Recent UAT-5918 APT malicious activities targeting entities in Taiwan | Researchers from Cisco Talos have reported a long-lasting campaign targeting entities in Taiwan and attributed to the UAT-5918 APT. The attackers are known to obtain access to the targeted environments usually via vulnerability exploitation. | ALERTS | ALERTS |
21.3.25 | China-Linked APT Aquatic Panda: 10-Month Campaign, 7 Global Targets, 5 Malware Families | The China-linked advanced persistent threat (APT) group known as Aquatic Panda has been linked to a "global espionage campaign" that took place in 2022 targeting | APT | APT |
20.3.25 | OKX suspends DEX aggregator after Lazarus hackers try to launder funds | OKX Web3 has decided to suspend its DEX aggregator services to implement security upgrades following reports of abuse by the notorious North Korean Lazarus hackers, who recently conducted a $1.5 billion crypto heist. | APT | APT |
19.3.25 | Unpatched Windows Zero-Day Flaw Exploited by 11 State-Sponsored Threat Groups Since 2017 | An unpatched security flaw impacting Microsoft Windows has been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns that date back to 2017. | APT | APT |
15.3.25 | Chinese cyberspies backdoor Juniper routers for stealthy access | Chinese hackers are deploying custom backdoors on Juniper Networks Junos OS MX routers that have reached end-of-life (EoL) and no longer receive security updates. | APT | APT |
15.3.25 | North Korean Lazarus hackers infect hundreds via npm packages | Six malicious packages have been identified on npm (Node package manager) linked to the notorious North Korean hacking group Lazarus. | APT | APT |
13.3.25 | Blind Eagle malicious .url files variant | Blind Eagle (aka APT-C-36) is a threat actor group that engages in both espionage and cyber-crime. | ALERTS | ALERTS |
13.3.25 | Leafperforator APT conducts attacks on maritime sector | A new malicious campaign targeting the maritime and nuclear energy sectors across South and Southeast Asia, the Middle East, and Africa has been attributed to the Leafperforator (also known as SideWinder) APT group. | ALERTS | ALERTS |
13.3.25 | North Korea's ScarCruft Deploys KoSpy Malware, Spying on Android Users via Fake Utility Apps | The North Korea-linked threat actor known as ScarCruft is said to have been behind a never-before-seen Android surveillance tool named KoSpy targeting | APT | APT |
13.3.25 | Chinese Hackers Breach Juniper Networks Routers With Custom Backdoors and Rootkits | The China-nexus cyber espionage group tracked as UNC3886 has been observed targeting end-of-life MX routers from Juniper Networks as part of a campaign | APT | APT |
12.3.25 | Blind Eagle: | Blind Eagle: …And Justice for All | APT | APT |
12.3.25 | Blind Eagle Hacks Colombian Institutions Using NTLM Flaw, RATs and GitHub-Based Attacks | The threat actor known as Blind Eagle has been linked to a series of ongoing campaigns targeting Colombian institutions and government entities since | APT | APT |
11.3.25 | SideWinder APT Targets Maritime, Nuclear, and IT Sectors Across Asia, Middle East, and Africa | Maritime and logistics companies in South and Southeast Asia, the Middle East, and Africa have become the target of an advanced persistent threat (APT) group | APT | APT |
11.3.25 | SideWinder | SideWinder targets the maritime and nuclear sectors with an updated toolset | APT | APT |
8.3.25 | Silk Typhoon hackers now target IT supply chains to breach networks | Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers. | APT | APT |
8.3.25 | US charges Chinese hackers linked to critical infrastructure breaches | The US Justice Department has charged Chinese state security officers along with APT27 and i-Soon hackers for network breaches and cyberattacks that have targeted victims globally since 2011. | APT | APT |
8.3.25 | FIN7, FIN8, and Others Use Ragnar Loader for Persistent Access and Ransomware Operations | Threat hunters have shed light on a "sophisticated and evolving malware toolkit" called Ragnar Loader that's used by various cybercrime and ransomware groups | APT | APT |
6.3.25 | China-Linked Silk Typhoon Expands Cyber Attacks to IT Supply Chains for Initial Access | The China-linked threat actor behind the zero-day exploitation of security flaws in Microsoft Exchange servers in January 2021 has shifted its tactics to target the information technology (IT) supply chain as a means to obtain initial access to | APT | APT |
6.3.25 | Chinese APT Lotus Panda Targets Governments With New Sagerunex Backdoor Variants | The threat actor known as Lotus Panda has been observed targeting government, manufacturing, telecommunications, and media sectors in the Philippines, | APT | APT |
5.3.25 | Suspected Iranian Hackers Used Compromised Indian Firm's Email to Target U.A.E. Aviation Sector | Threat hunters are calling attention to a new highly-targeted phishing campaign that singled out "fewer than five" entities in the United Arab Emirates (U.A.E.) to | APT | APT |
1.3.25 | Silent Killers: Unmasking a Large-Scale Legacy Driver Exploitation Campaign | While the abuse of vulnerable drivers has been around for a while, those that can terminate arbitrary processes have drawn increasing attention in recent years. | APT blog | APT blog |
1.3.25 | Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools | Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools | APT blog | APT blog |
1.3.25 | Sellers can get scammed too, and Joe goes off on a rant about imposter syndrome | Joe has some advice for anyone experiencing self doubt or wondering about their next career move. Plus, catch up on the latest Talos research on scams targeting sellers, and the Lotus Blossom espionage group. | APT blog | APT blog |
1.3.25 | Billbug (aka Lotus Blossom) threat group uses Sagerunex malware to target numerous victims | The Billbug (aka Lotus Blossom) threat group has been observed leveraging Sagerunex malware, along with other hacking tools, to target numerous victims across industries. | ALERTS | ALERTS |
28.2.25 | Angry Likho | Angry Likho: Old beasts in a new forest | APT | APT |
27.2.25 | Vedalia APT group phishing campaign delivers RokRat malware across Asia | A phishing campaign by the North Korea-linked threat actor Vedalia (also known as APT37, RedEyes and ScarCruft) has been reported delivering fileless RokRat malware. The campaign targets government and corporate entities across South Korea and Asia. | ALERTS | ALERTS |
27.2.25 | Silver Fox APT Uses Winos 4.0 Malware in Cyber Attacks Against Taiwanese Organizations | A new campaign is targeting companies in Taiwan with malware known as Winos 4.0 as part of phishing emails masquerading as the country's National Taxation | APT | APT |
22.2.25 | Chinese-Speaking Group Manipulates SEO with BadIIS | This blog post details our analysis of an SEO manipulation campaign targeting Asia. We also share recommendations that can help enterprises proactively secure their environment. | APT blog | APT blog |
22.2.25 | Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection | Our Threat Hunting team discusses Earth Preta’s latest technique, in which the APT group leverages MAVInject and Setup Factory to deploy payloads, and maintain control over compromised systems. | APT blog | APT blog |
22.2.25 | | Cisco Talos has been closely monitoring reports of widespread intrusion activity against several major U.S. telecommunications companies, by a threat actor dubbed Salt Typhoon. This blog highlights our observations on this campaign and identifies recommendations for detection and prevention. | | |
22.2.25 | Data Leak Exposes TopSec's Role in China's Censorship-as-a-Service Operations | An analysis of a data leak from a Chinese cybersecurity company TopSec has revealed that it likely offers censorship-as-a-service solutions to prospective | APT | APT |
22.2.25 | North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware | Freelance software developers are the target of an ongoing campaign that leverages job interview-themed lures to deliver cross-platform malware families known as BeaverTail and InvisibleFerret. The activity, linked to North Korea, has | APT | APT |
22.2.25 | Chinese Hackers Exploit MAVInject.exe to Evade Detection in Targeted Cyber Attacks | The Chinese state-sponsored threat actor known as Mustang Panda has been observed employing a novel technique to evade detection and maintain control | APT | APT |
22.2.25 | Earth Preta | Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection | APT | APT |
18.2.25 | Recent RedCurl (aka EarthKapre) APT activity | RedCurl (also known as EarthKapre) is a threat group known for conducting espionage and data exfiltration activities. The recently observed campaign attributed to this threat actor has been leveraging a legitimate Adobe executable (ADNotificationManager.exe) to sideload malicious binaries. The infection chain is initiated via crafted PDF malspam leading to ZIP-compressed .img binaries. | ALERTS | ALERTS |
11.2.25 | Trojanized KMS activation tools leveraged in latest Sandworm APT campaigns | According to the latest report published by EclecticIQ researchers, Sandworm APT (aka APT44, UAC-0145) has recently been engaged in espionage activities against users in Ukraine. The attackers have been leveraging trojanized Microsoft Key Management Service (KMS) activator tools and fake update installers in an effort to distribute a new BackOrder loader variant. | ALERTS | ALERTS |
5.2.25 | Silent Lynx | Silent Lynx APT Targets Various Entities Across Kyrgyzstan & Neighbouring Nations | APT | APT |
19.1.25 | US cracks down on North Korean IT worker army with more sanctions | The U.S. Treasury Department has sanctioned a network of individuals and front companies linked to North Korea's Ministry of National Defense that have generated revenue via illegal remote IT work schemes. | APT | APT |
18.1.25 | U.S. Sanctions Chinese Cybersecurity Firm Over Treasury Hack Tied to Silk Typhoon | The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has imposed sanctions against a Chinese cybersecurity company and a Shanghai- | APT | APT |
18.1.25 | U.S. Sanctions North Korean IT Worker Network Supporting WMD Programs | The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned two individuals and four entities for their alleged involvement in illicit | APT | APT |
18.1.25 | Recent malicious activities of the Fireant APT group | The Fireant (aka RedDelta, Mustang Panda) advanced persistent threat (APT) group has been targeting Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia in a recent campaign spreading an updated variant of the PlugX backdoor. | ALERTS | ALERTS |
16.1.25 | Lazarus Group Targets Web3 Developers with Fake LinkedIn Profiles in Operation 99 | The North Korea-linked Lazarus Group has been attributed to a new cyber attack campaign dubbed Operation 99 that targeted software developers looking for | APT | APT |
16.1.25 | North Korean IT Worker Fraud Linked to 2016 Crowdfunding Scam and Fake Domains | Cybersecurity researchers have identified infrastructure links between the North Korean threat actors behind the fraudulent IT worker schemes and a 2016 crowdfunding scam. The new evidence suggests that Pyongyang-based | APT | APT |
12.1.25 | MirrorFace hackers targeting Japanese govt, politicians since 2019 | The National Police Agency (NPA) and the Cabinet Cyber Security Center in Japan have linked a cyber-espionage campaign targeting the country to the Chinese state-backed "MirrorFace" hacking group. | APT | APT |
12.1.25 | US Treasury hack linked to Silk Typhoon Chinese state hackers | Chinese state-backed hackers, tracked as Silk Typhoon, have been linked to the U.S. Office of Foreign Assets Control (OFAC) hack in early December. | APT | APT |
11.1.25 | APT groups are increasingly deploying ransomware – and that’s bad news for everyone | The blurring of lines between cybercrime and state-sponsored attacks underscores the increasingly fluid and multifaceted nature of today’s cyberthreats | APT blog | APT blog |
4.1.25 | U.S. Treasury Sanctions Beijing Cybersecurity Firm for State-Backed Hacking Campaigns | The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Friday issued sanctions against a Beijing-based cybersecurity company known as | APT | APT |
3.1.25 | US sanctions Chinese company linked to Flax Typhoon hackers | The U.S. Treasury Department has sanctioned Beijing-based cybersecurity company Integrity Tech (also known as Yongxin Zhicheng) for its involvement in cyberattacks attributed to the Chinese state-sponsored Flax Typhoon hacking group. | APT | APT |