APT List - 2026 2025 2024 2021 2020 2019 2018 2017 2016
DATE | NAME |
Info | CATEG. |
WEB |
| 7.2.26 | Notepad++ update feature hijacked by Chinese state hackers for months | Chinese state-sponsored threat actors were likely behind the hijacking of Notepad++ update traffic last year that lasted for almost half a year, the developer states in an official announcement today. | APT | |
| 7.2.26 | Mandiant details how ShinyHunters abuse SSO to steal cloud data | Mandiant says a wave of recent ShinyHunters SaaS data-theft attacks is being fueled by targeted voice phishing (vishing) attacks and company-branded phishing sites that steal single sign-on (SSO) credentials and multi-factor authentication (MFA) codes. | APT | |
| 6.2.26 | China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking, Malware Delivery | Cybersecurity researchers have taken the wraps off a gateway-monitoring and adversary-in-the-middle (AitM) framework dubbed DKnife that's operated by | APT | The Hacker News |
| 6.2.26 | Asian State-Backed Group TGR-STA-1030 Breaches 70 Government, Infrastructure Entities | A previously undocumented cyber espionage group operating from Asia broke into the networks of at least 70 government and critical infrastructure | APT | The Hacker News |
| 5.2.26 | Prince of Persia, Part II: Covering Tracks, Striking Back & a Revealing Link to the Iranian Regime Amid the Country’s Internet Blackout | Get SafeBreach Labs’s latest update on the threat actor, including new details about their Telegram attack vector, a strike back attempt at SafeBreach researchers, the discovery of a new Tornado malware variant, and activity that indicates a definitive connection to the Iranian government. | APT | SAFEBREACH |
| 5.2.26 | Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends | The elusive Iranian threat group known as Infy (aka Prince of Persia) has evolved its tactics as part of efforts to hide its tracks, even as it readied new | APT | The Hacker News |
| 4.2.26 | China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns | Threat actors affiliated with China have been attributed to a fresh set of cyber espionage campaigns targeting government and law enforcement agencies | APT | The Hacker News |
| 3.2.26 | APT28 Uses Microsoft Office CVE-2026-21509 in Espionage-Focused Malware Attacks | The Russia-linked state-sponsored threat actor known as APT28 (aka UAC-0001) has been attributed to attacks exploiting a newly disclosed security flaw | APT | The Hacker News |
| 3.2.26 | Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom Hacking Group | A China-linked threat actor known as Lotus Blossom has been attributed with medium confidence to the recently discovered compromise of the | APT | The Hacker News |
| 31.1.26 | Iran-Linked RedKitten Cyber Campaign Targets Human Rights NGOs and Activists | A Farsi-speaking threat actor aligned with Iranian state interests is suspected to be behind a new campaign targeting non-governmental organizations and | APT | The Hacker News |
| 31.1.26 | China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware | Cybersecurity researchers have discovered a new campaign attributed to a China-linked threat actor known as UAT-8099 that took place between late | APT | The Hacker News |
| 28.1.26 | APT Attacks Target Indian Government Using GOGITTER, GITSHELLPAD, and GOSHELL | Part 1 | In September 2025, Zscaler ThreatLabz identified two campaigns, tracked as Gopher Strike and Sheet Attack, by a threat actor that operates in Pakistan and primarily targets entities in the Indian government. | APT | ZSCALER |
| 28.1.26 | Experts Detect Pakistan-Linked Cyber Campaigns Aimed at Indian Government Entities | Indian government entities have been targeted in two campaigns undertaken by a threat actor that operates in Pakistan using previously undocumented | APT | The Hacker News |
| 25.1.26 | Sandworm hackers linked to failed wiper attack on Poland’s energy systems | A cyberattack targeting Poland's power grid in late December 2025 has been linked to the Russian state-sponsored hacking group Sandworm, which attempted to deploy a new destructive data-wiping malware dubbed DynoWiper during the attack.. | APT | |
| 25.1.26 | Konni hackers target blockchain engineers with AI-built malware | The North Korean hacker group Konni (Opal Sleet, TA406) is using AI-generated PowerShell malware to target developers and engineers in the blockchain sector. | APT | |
| 25.1.26 | UK govt. warns about ongoing Russian hacktivist group attacks | The U.K. government is warning of continued malicious activity from Russian-aligned hacktivist groups targeting critical infrastructure and local government organizations in the country in disruptive denial-of-service (DDoS) attacks. | APT | |
| 22.1.26 | North Korean PurpleBravo Campaign Targeted 3,136 IP Addresses via Fake Job Interviews | As many as 3,136 individual IP addresses linked to likely targets of the Contagious Interview activity have been identified, with the campaign claiming | APT | The Hacker News |
| 22.1.26 | North Korea-Linked Hackers Target Developers via Malicious VS Code Projects | The North Korean threat actors associated with the long-running Contagious Interview campaign have been observed using malicious Microsoft Visual | APT | The Hacker News |
| 18.1.26 | China-linked hackers exploited Sitecore zero-day for initial access | An advanced threat actor tracked as UAT-8837 and believed to be linked to China has been focusing on critical infrastructure systems in North America, gaining access by exploiting both known and zero-day vulnerabilities. | APT | |
| 16.1.26 | China-Linked APT Exploits Sitecore Zero-Day in Attacks on American Critical Infrastructure | A threat actor likely aligned with China has been observed targeting critical infrastructure sectors in North America since at least last year. Cisco Talos, which is tracking the activity | APT | The Hacker News |
| 11.1.26 | New China-linked hackers breach telcos using edge device exploits | A sophisticated threat actor that uses Linux-based malware to target telecommunications providers has recently broadened its operations to include organizations in Southeastern Europe. | APT | |
| 10.1.26 | FBI warns about Kimsuky hackers using QR codes to phish U.S. orgs | The North Korean state-sponsored hacker group Kimsuki is using malicious QR codes in spearphishing campaigns that target U.S. organizations, the Federal Bureau of Investigation warns in a flash alert. | APT | |
| 10.1.26 | China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines | Chinese-speaking threat actors are suspected to have leveraged a compromised SonicWall VPN appliance as an initial access vector to deploy a VMware ESXi exploit that may have | APT | The Hacker News |
| 10.1.26 | Russian APT28 Runs Credential-Stealing Campaign Targeting Energy and Policy Organizations | Russian state-sponsored threat actors have been linked to a fresh set of credential harvesting attacks targeting individuals associated with a Turkish energy and nuclear | APT | The Hacker News |
| 8.1.26 | China-Linked UAT-7290 Targets Telecoms with Linux Malware and ORB Nodes | A China-nexus threat actor known as UAT-7290 has been attributed to espionage-focused intrusions against entities in South Asia and Southeastern Europe. The activity cluster, which | APT | The Hacker News |
| 6.1.26 | Russia-Aligned Hackers Abuse Viber to Target Ukrainian Military and Government | The Russia-aligned threat actor known as UAC-0184 has been observed targeting Ukrainian military and government entities by leveraging the Viber messaging platform to deliver | APT | The Hacker News |