APT Blog 2025

| Date | Title | Summary | Category | Source |
| --- | --- | --- | --- | --- |
| 20.12.25 | | Executive Summary Ink Dragon, a Chinese espionage group, has expanded from Asia and South America. | APT blog | CHECKPOINT |
| 20.12.25 | APT36 LNK-BASED MALWARE CAMPAIGN LEVERAGING MSI PAYLOAD DELIVERY | EXECUTIVE SUMMARY CYFIRMA is dedicated to providing advanced warning and strategic analysis of the evolving cyber threat landscape. Our latest report analyzes a targeted malware campaign attributed to APT-36, which… | APT blog | |
| 20.12.25 | Inside Ink Dragon: Revealing the Relay Network and Inner Workings of a Stealthy Offensive Operation | In recent months, Check Point Research has identified a new wave of attacks attributed to the Chinese threat actor Ink Dragon. Ink Dragon overlaps with threat clusters publicly reported as Earth Alux, Jewelbug, REF7707, CL-STA-0049, among others. | APT blog | CHECKPOINT |
| 20.12.25 | UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager | Cisco Talos is tracking the active targeting of Cisco AsyncOS Software for Cisco Secure Email Gateway, formerly known as Cisco Email Security Appliance (ESA), and Cisco Secure Email and Web Manager, formerly known as Cisco Content Security Management Appliance (SMA). | APT blog | |
| 20.12.25 | LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan | ESET researchers discovered a China-aligned APT group, LongNosedGoblin, which uses Group Policy to deploy cyberespionage tools across networks of governmental institutions | APT blog | |
| 13.12.25 | Unveiling WARP PANDA: A New Sophisticated China-Nexus Adversary | Throughout 2025, CrowdStrike has identified multiple intrusions targeting VMware vCenter environments at U.S.-based entities, in which newly identified China-nexus adversary WARP PANDA deployed BRICKSTORM malware. WARP PANDA exhibits a high level of technical sophistication, advanced operations security (OPSEC) skills, and extensive knowledge of cloud and virtual machine (VM) environments. | APT blog | CROWDSTRIKE |
| 13.12.25 | Sharpening the knife: GOLD BLADE’s strategic evolution | Updates include novel abuse of recruitment platforms, modified infection chains, and expansion into a | APT blog | SOPHOS |
| 13.12.25 | Operation MoneyMount-ISO — Deploying Phantom Stealer via ISO-Mounted Executables | Table of Contents: Introduction: Targeted sectors: Initial Findings about Campaign: Analysis of Phishing Mail: Infection Chain: Technical Analysis: Stage-1: Analysis of Malicious ISO file. Stage-2: Analysis of Executable. Analysis of 1st Payload Analysis of 2nd Payload (Phantom Stealer) Conclusion:... | APT blog | Seqrite |
| 13.12.25 | Operation FrostBeacon: Multi-Cluster Cobalt Strike Campaign Targets Russia | Operation FrostBeacon: Multi-Cluster Cobalt Strike Campaign Targets Russia Contents Introduction Key Targets Geographical Focus Industries Affected LNK Cluster Initial Access: Archive Delivery Phishing Email and Decoys Malicious LNK and HTA Loader Obfuscated PowerShell Payload CVE Cluster Phishing Emails Chaining... | APT blog | Seqrite |
| 13.12.25 | RTO Challan Fraud: A Technical Report on APK-Based Financial and Identity Theft | EXECUTIVE SUMMARY CYFIRMA’s research team uncovered a sophisticated mobile-based fraud operation distributing a malicious “RTO Challan / e-Challan” Android application | APT blog | |
| 13.12.25 | APT PROFILE – GROUP 123 | Group123 is a North Korean state-sponsored advanced persistent threat (APT) group active since at least 2012. It is also tracked under other names such as APT37, Reaper, and | APT blog | |
| 13.12.25 | Trend Vision One™ Stacks Up Against Scattered Spider and Mustang Panda in 2025 MITRE ATT&CK® Evaluations | Enterprise 2025 introduces the first full cloud adversary emulation and expanded multi-platform testing, focusing on two advanced threat areas: Scattered Spider’s cloud-centric attacks and Mustang Panda’s long-term espionage operations. | APT blog | |
| 13.12.25 | Exploitation of Critical Vulnerability in React Server Components | Unit 42 has identified activity that reportedly shares overlap with North Korean (DPRK) Contagious Interview tooling, though no formal attribution has occurred at this time. Contagious Interview is a campaign where threat actors associated with the DPRK pose as recruiters to install malware on the devices of job seekers in the tech industry. | APT blog | |
| 7.12.25 | Smile, You’re on Camera: A Live Stream from Inside Lazarus Group’s IT Workers Scheme | This work is a collaboration between Mauro Eldritch from BCA LTD, a company dedicated to threat intelligence and hunting, Heiner García from NorthScan, a threat intelligence initiative uncovering North Korean IT worker infiltration, and ANY.RUN, the leading company in malware analysis and threat intelligence. | APT blog | ANYRUN |
| 6.12.25 | Sharpening the knife: GOLD BLADE’s strategic evolution | Updates include novel abuse of recruitment platforms, modified infection chains, and expansion into a hybrid operation that combines data theft and ransomware deployment | APT blog | SOPHOS |
| 6.12.25 | | In early 2025, Volexity published two blog posts detailing a new trend among Russian threat actors targeting organizations through the abuse of Microsoft 365 OAuth and Device Code authentication workflows to | APT blog | |
| 6.12.25 | | FortiGuard Labs uncovers UDPGangster campaigns linked to MuddyWater, using macro-laden phishing lures, evasion techniques, and UDP backdoors to target multiple countries | APT blog | |
| 6.12.25 | APT36 Python Based ELF Malware Targeting Indian Government Entities | EXECUTIVE SUMMARY CYFIRMA has uncovered an active cyber-espionage campaign conducted by APT36 (Transparent Tribe), a Pakistan-based threat actor known for persistent | APT blog | |
| 29.11.25 | Beyond the Watering Hole: APT24's Pivot to Multi-Vector Attacks | Google Threat Intelligence Group (GTIG) is tracking a long-running and adaptive cyber espionage campaign by APT24, a People's Republic of China (PRC)-nexus threat actor. Spanning three years, APT24 has been deploying BADAUDIO, a highly obfuscated first-stage downloader used to establish persistent access to victim networks. | APT blog | Google Threat Intelligence |
| 29.11.25 | Operation Hanoi Thief: Threat Actor targets Vietnamese IT professionals and recruitment teams. | Operation Hanoi Thief: Threat Actor targets Vietnamese IT professionals and recruitment teams. Introduction Key Targets. Industries Affected. Geographical Focus. Infection Chain. Initial Findings Looking into the decoy-document Technical Analysis Stage 1 – Malicious LNK Script Stage 2 – Pseudo-Polyglot... | APT blog | Seqrite |
| 29.11.25 | NORTH KOREAN CYBER CRIME AS A STATECRAFT TOOL | INTRODUCTION Russia’s March 2024 veto of the renewal of the UN Panel of Experts on North Korea ended 15 years of unanimous Security Council support for the sole independent | APT blog | Cyfirma |
| 22.11.25 | | Google Threat Intelligence Group (GTIG) is tracking a long-running and adaptive cyber espionage campaign by APT24, a People's Republic of China (PRC)-nexus threat actor. Spanning three years, APT24 has been deploying BADAUDIO, a highly obfuscated first-stage downloader used to establish persistent access to victim networks. | APT blog | Google Threat Intelligence |
| 22.11.25 | PlushDaemon compromises network devices for adversary-in-the-middle attacks | ESET researchers have discovered a network implant used by the China-aligned PlushDaemon APT group to perform adversary-in-the-middle attacks | APT blog | Eset |
| 18.11.25 | Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem | Last year, Mandiant published a blog post highlighting suspected Iran-nexus espionage activity targeting the aerospace, aviation, and defense industries in the Middle East. In this follow-up post, Mandiant discusses additional tactics, techniques, and procedures (TTPs) observed in incidents Mandiant has responded to. | APT blog | Google Threat Intelligence |
| 16.11.25 | Amazon discovers APT exploiting Cisco and Citrix zero-days | The Amazon threat intelligence teams have identified an advanced threat actor exploiting previously undisclosed zero-day vulnerabilities in Cisco Identity Service Engine (ISE) and Citrix systems. | APT blog | AWS |
| 15.11.25 | Germany Urges Attack Surface Management Adoption as Routinely as Antivirus Protection | Germany’s Threat Landscape is growing at an unprecedented pace with attack surfaces expanding, APT actors dominating, and SMEs bearing the brunt of this offense. Here’s what you need to know. | APT blog | Cyble |
| 15.11.25 | APT PROFILE – BRONZE BUTLER | BRONZE BUTLER, also known as Tick or REDBALDKNIGHT, is a sophisticated and persistent cyber espionage group believed to originate from China. The group primarily targets Japanese | APT blog | Cyfirma |
| 8.11.25 | China-linked Actors Maintain Focus on Organizations Influencing U.S. Policy | Recent compromise of a non-profit organization reflects continued interest in U.S. policy. | APT blog | SECURITY.COM |
| 8.11.25 | | Google Threat Intelligence Group (GTIG) is tracking a cluster of financially motivated threat actors operating from Vietnam that leverages fake job postings on legitimate platforms to target individuals in the digital advertising and marketing sectors. | APT blog | Google Threat Intelligence |
| 8.11.25 | Operation Peek-a-Baku: Silent Lynx APT makes sluggish shift to Dushanbe | Introduction Timeline Key Targets. Industries Affected. Geographical Focus. Infection Chain. Initial Findings. Technical Analysis. Campaign – I The LNK Way. Malicious SILENT LOADER Malicious LAPLAS Implant – TCP & TLS. Malicious .NET Implant – SilentSweeper Campaign –.. | APT blog | Seqrite |
| 8.11.25 | The who, where, and how of APT attacks in Q2 2025–Q3 2025 | ESET Chief Security Evangelist Tony Anscombe highlights some of the key findings from the latest issue of the ESET APT Activity Report | APT blog | Eset |
| 8.11.25 | ESET APT Activity Report Q2 2025–Q3 2025 | An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q2 2025 and Q3 2025 | APT blog | Eset |
| 1.11.25 | BRONZE BUTLER exploits Japanese asset management software vulnerability | The threat group targeted a LANSCOPE zero-day vulnerability (CVE-2025-61932) | APT blog | SOPHOS |
| 1.11.25 | | A new ideologically-motivated threat actor has emerged and growing technical capabilities: Hezi Rash. This Kurdish ... | APT blog | CHECKPOINT |
| 1.11.25 | APT-C-60 Escalates SpyGlace Campaigns Targeting Japan with Evolved Malware, Advanced Evasion TTPs | APT-C-60 intensified operations against Japanese organizations during Q3 2025, deploying three updated SpyGlace backdoor versions with refined tracking mechanisms, modified encryption, and sophisticated abuse of GitHub, StatCounter, and Git for stealthy malware distribution. | APT blog | Cyble |
| 25.10.25 | Silent Push Detects Salt Typhoon Infrastructure Months Before It Went Live, New IOFA™ Feeds Provide Customers With Early Detection Ahead of Operational Use | Back in June, Silent Push provided our enterprise customers with unpublished infrastructure related to the Chinese APT group Salt Typhoon, giving our customers the early visibility and historical reach-back they needed for both security and their own investigations. | APT blog | Silent Push |
| 25.10.25 | | Google Threat Intelligence Group (GTIG) observed multiple instances of pro-Russia information operations (IO) actors promoting narratives related to the reported incursion of Russian drones into Polish airspace that occurred on Sept. 9-10, 2025. | APT blog | Google Threat Intelligence |
| 25.10.25 | | Google Threat Intelligence Group (GTIG) is tracking a cluster of financially motivated threat actors operating from Vietnam that leverages fake job postings on legitimate platforms to target individuals in the digital advertising and marketing sectors. | APT blog | Google Threat Intelligence |
| 25.10.25 | The Rise of Collaborative Tactics Among China-aligned Cyber Espionage Campaigns | Trend™ Research examines the complex collaborative relationship between China-aligned APT groups via the new “Premier Pass-as-a-Service” model, exemplified by the recent activities of Earth Estries and Earth Naga. | APT blog | Trend Micro |
| 25.10.25 | The Smishing Deluge: China-Based Campaign Flooding Global Text | We investigated a campaign waged by financially motivated threat actors operating out of Morocco. We refer to this campaign as Jingle Thief, due to the attackers’ modus operandi of conducting gift card fraud during festive seasons. Jingle Thief attackers use phishing and smishing to steal credentials, to compromise organizations that issue gift cards. | APT blog | Palo Alto |
| 25.10.25 | Gotta fly: Lazarus targets the UAV sector | ESET research analyzes a recent instance of the Operation DreamJob cyberespionage campaign conducted by Lazarus, a North Korea-aligned APT group | APT blog | Eset |
| 25.10.25 | SideWinder's Shifting Sands: Click Once for Espionage | SideWinder APT evolves with PDF and ClickOnce attacks targeting South Asia. Discover their new TTPs and how to protect your organization. | APT blog | Trellix |
| 18.10.25 | Jewelbug: Chinese APT Group Widens Reach to Russia | Russian IT company among group’s latest targets. Attackers may have been attempting to target company’s customers in Russia with software supply chain attack. | APT blog | SECURITY.COM |
| 11.10.25 | APT PROFILE – HAFNIUM | Hafnium is a Chinese state-sponsored advanced persistent threat (APT) group, also referred to as Silk Typhoon, and is known for sophisticated cyber espionage targeting critical | APT blog | Cyfirma |
| 11.10.25 | Family group chats: Your (very last) line of cyber defense | Amy gives an homage to parents in family group chats everywhere who want their children to stay safe in this wild world. | APT blog | CISCO TALOS |
| 11.10.25 | UAT-8099: Chinese-speaking cybercrime group targets high-value IIS for SEO fraud | Cisco Talos is disclosing details on UAT-8099, a Chinese-speaking cybercrime group mainly involved in SEO fraud and theft of high-value credentials, configuration files, and certificate data. | APT blog | CISCO TALOS |
| 11.10.25 | The Evolution of Russian Physical-Cyber Espionage | From Rio to The Hague: How Russia’s evolving close-access cyber ops raise new risks. Learn what’s next—and how defenders can respond. | APT blog | Trellix |
| 4.10.25 | TYPHOON IN THE FIFTH DOMAIN : CHINA’S EVOLVING CYBER STRATEGY | EXECUTIVE SUMMARY China’s cyber operations have evolved from economic espionage to strategic, politically driven campaigns that pose significant threats to Western critical | APT blog | Cyfirma |
| 4.10.25 | Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite | Phantom Taurus is a previously undocumented nation-state actor whose espionage operations align with People’s Republic of China (PRC) state interests. Over the past two and a half years, Unit 42 researchers have observed Phantom Taurus targeting government and telecommunications organizations across Africa, the Middle East, and Asia. | APT blog | Palo Alto |
| 27.9.25 | Iranian Threat Actor Nimbus Manticore Expands Campaigns into Europe with Advanced Malware and Fake Job Lures | Check Point Research is actively tracking Iranian threat actor Nimbus Manticore. Our latest findings show it is expanding operations into Europe and now targeting the defense, telecom, and aerospace sectors. | APT blog | CHECKPOINT |
| 27.9.25 | Eclypsium Acknowledged for the Firmware Protection as A Service Category in two Gartner® Hype Cycle™ R | Firmware protection is gaining increased urgency as cyberattackers from ransomware gangs to nation state APTs target firmware vulnerabilities to maintain persistence in target environments. Eclypsium has been mentioned as a sample vendor in two Gartner Hype Cycles in 2025 under the Firmware Protection as a Service product category. | APT blog | Eclypsium |
| 27.9.25 | Nimbus Manticore Deploys New Malware Targeting Europe | Check Point Research is tracking a long‑running campaign by the Iranian threat actor Nimbus Manticore, which overlaps with UNC1549, Smoke Sandstorm, and the “Iranian Dream Job” operations. The ongoing campaign targets defense manufacturing, telecommunications, and aviation that are aligned with IRGC strategic priorities. | APT blog | Checkpoint |
| 27.9.25 | Unmasking Hidden Threats: Spotting a DPRK IT-Worker Campaign | In the North Korean IT worker employment campaign, skilled operatives from the DPRK (North Korea) pose as remote IT professionals to get hired at Western companies. | APT blog | Trellix |
| 20.9.25 | Going Underground: China-aligned TA415 Conducts U.S.-China Economic Relations Targeting Using VS Code Remote Tunnels | Throughout July and August 2025, TA415 conducted spearphishing campaigns targeting United States government, think tank, and academic organizations utilizing U.S.-China economic-themed lures. | APT blog | PROOFPOINT |
| 20.9.25 | Gamaredon X Turla collab | Notorious APT group Turla collaborates with Gamaredon, both FSB-associated groups, to compromise high‑profile targets in Ukraine | APT blog | Eset |
| 13.9.25 | Salt Typhoon and UNC4841: Silent Push Discovers New Domains; Urges Defenders to Check Telemetry and Log Data | It’s extremely rare for our team to publicly share details on how we found the technical fingerprints for an Advanced Persistent Threat (APT) group. We are making these details public now due to our belief that these are legacy fingerprints unlikely to appear again. | APT blog | Silent Push |
| 13.9.25 | Silent Pivot: Detecting Fileless Lateral Movement via Service Manager with Trellix NDR | The tactics of cyber adversaries continue to evolve as they attempt to bypass security vendors. | APT blog | Trellix |
| 6.9.25 | How Chinese State-Sponsored APT Actors Exploit Routers for Stealthy Cyber Espionage | Chinese state-sponsored APT groups target global telecom, government, and military networks, exploiting router vulnerabilities for stealthy, long-term cyber espionage since 2021. | APT blog | Cyble |
| 6.9.25 | TYPHOON IN THE FIFTH DOMAIN : CHINA’S EVOLVING CYBER STRATEGY | EXECUTIVE SUMMARY China’s cyber operations have evolved from economic espionage to strategic, politically driven campaigns that pose significant threats to Western critical | APT blog | Cyfirma |
| 30.8.25 | | An actor tracked as UNC6395 stole OAuth tokens from the Salesloft Drift app and leveraged them for widespread data theft. | APT blog | Google Threat Intelligence |
| 30.8.25 | | In March 2025, Google Threat Intelligence Group (GTIG) identified a complex, multifaceted campaign attributed to the PRC-nexus threat actor UNC6384. The campaign targeted diplomats in Southeast Asia and other entities globally. GTIG assesses this was likely in support of cyber espionage operations aligned with the strategic interests of the People's Republic of China (PRC). | APT blog | Google Threat Intelligence |
| 30.8.25 | Operation HanKook Phantom: North Korean APT37 targeting South Korea | Table of Contents: Introduction Threat Profile Infection Chain Campaign-1 Analysis of Decoy: Technical Analysis Fingerprint of ROKRAT’s Malware Campaign-2 Analysis of Decoy Technical analysis Detailed analysis of Decoded tony31.dat Conclusion Seqrite Protections MITRE Att&ck | APT blog | Seqrite |
| 30.8.25 | New Salt Typhoon Defense Guidance from FBI and CISA | The FBI and CISA, along with a coalition of other international cybersecurity agencies, have released a new Cybersecurity Advisory, CSA AA25-239A, about Salt Typhoon and other Chinese State-Sponsored Advanced Persistent Threat (APT) groups. | APT blog | Eclypsium |
| 30.8.25 | Storm-0501’s evolving techniques lead to cloud-based ransomware | Financially motivated threat actor Storm-0501 has continuously evolved their campaigns to achieve sharpened focus on cloud-based tactics, techniques, and procedures (TTPs). | APT blog | Microsoft blog |
| 23.8.25 | APT36: Targets Indian BOSS Linux Systems with Weaponized AutoStart Files | Executive Summary CYFIRMA has identified an ongoing cyber-espionage campaign orchestrated by APT36 (Transparent Tribe), a Pakistan-based threat actor with a sustained focus on Indian Government entities. This operation reflects the… | APT blog | Cyfirma |
| 23.8.25 | Russian state-sponsored espionage group Static Tundra compromises unpatched end-of-life network devices | A Russian state-sponsored group, Static Tundra, is exploiting an old Cisco IOS vulnerability to compromise unpatched network devices worldwide, targeting key sectors for intelligence gathering. | APT blog | CISCO TALOS |
| 17.8.25 | APT PROFILE – LAZARUS GROUP | The Lazarus Group is a highly sophisticated, state-sponsored cyber threat group attributed to the North Korean government. They are also known by many other names, including Hidden | APT blog | Cyfirma |
| 17.8.25 | APT36: A PHISHING CAMPAIGN TARGETING INDIAN GOVERNMENT ENTITIES | EXECUTIVE SUMMARY A sophisticated phishing campaign, possibly attributed to Pakistan-linked APT36 (Transparent Tribe) is targeting Indian defense organizations and related | APT blog | Cyfirma |
| 16.8.25 | UAT-7237 targets Taiwanese web hosting infrastructure | Cisco Talos discovered UAT-7237, a Chinese-speaking advanced persistent threat (APT) group active since at least 2022, which has significant overlaps with UAT-5918. | APT blog | CISCO TALOS |
| 26.7.25 | Dropping Elephant APT Group Targets Turkish Defense Industry With New Campaign and Capabilities: LOLBAS, VLC Player, and Encrypted Shellcode | The Arctic Wolf® Labs team has identified a new campaign by cyber-espionage group Dropping Elephant targeting Turkish defense contractors, specifically a manufacturer of precision-guided missile systems. | APT blog | Arcticwolf.com |
| 26.7.25 | UK Identifies Russian GRU’s “AUTHENTIC ANTICS” Malware in Email Espionage Campaign | The UK linked the AUTHENTIC ANTICS malware to APT 28 and sanctioned GRU units for cyber espionage targeting Microsoft email accounts and hybrid warfare. | APT blog | Cyble |
| 26.7.25 | Muddled Libra Threat Assessment: Further-Reaching, Faster, More Impactful | Unit 42 has tracked and responded to several waves of intrusion operations conducted by the cybercrime group we track as Muddled Libra (aka Scattered Spider, UNC3944) across different sectors in recent months. This article contains observations on Muddled Libra thus far in 2025 based on our incident response insights. We share defensive recommendations that we have seen organizations use successfully against the threat. We also include what’s likely next for this prolific adversary. | APT blog | Palo Alto |
| 26.7.25 | SharePoint under fire: ToolShell attacks hit organizations worldwide | The ToolShell bugs are being exploited by cybercriminals and APT groups alike, with the US on the receiving end of 13 percent of all attacks | APT blog | Eset |
| 25.7.25 | Illusory Wishes: China-nexus APT Targets the Tibetan Community | In June 2025, Zscaler ThreatLabz collaborated with TibCERT to investigate two cyberattack campaigns targeting the Tibetan community. | APT blog | Zscaler |
| 19.7.25 | APT PROFILE – FANCY BEAR | Fancy Bear, also known as APT28, is a notorious Russian cyberespionage group with a long history of targeting governments, military entities, and other high-value | APT blog | Cyfirma |
| 11.7.25 | From Click to Compromise: Unveiling the Sophisticated Attack of DoNot APT Group on Southern European Government Entities | The DoNot APT group, also identified by various security vendors as APT-C-35, Mint Tempest, Origami Elephant, SECTOR02, and Viceroy Tiger, has been active since at least 2016, and has been attributed by several vendors to have links to India. | APT blog | Trellix |
| 1.7.25 | Patch and Persist: Darktrace’s Detection of Blind Eagle (APT-C-36) | Since 2018, Blind Eagle has targeted Latin American organizations using phishing and RATs. Darktrace detected Blind Eagle activity on a customer network involving C2 connectivity, malicious payload downloads and data exfiltration. | APT blog | DARKTRACE |
| 1.7.25 | Tracing Blind Eagle to Proton66 | Trustwave SpiderLabs has assessed with high confidence that the threat group Blind Eagle, aka APT-C-36, is associated with the Russian bulletproof hosting service provider Proton66. | APT blog | SPIDERLABS BLOG |
| 28.6.25 | Unmasking A New China-Linked Covert ORB Network: Inside the LapDogs Campaign | LapDogs: China-Linked ORB Network Revealed in Global Espionage Campaign | APT blog | SECURITYSCORECARD |
| 28.6.25 | The Cisco Vulnerability Salt Typhoon Weaponized Against Canadian Telcos and Viasat | Canadian telecommunications companies are the most recently disclosed victims of China’s Salt Typhoon advanced persistent threat (APT) group, as reported by Bleeping Computer and other outlets. | APT blog | Eclypsium |
| 28.6.25 | Threat Brief: Escalation of Cyber Risk Related to Iran (Updated June 26) | The recent conflict involving Iran, particularly its military engagements with Israel and the U.S., significantly heightens the risk of cyber spillover. This extends traditional battlegrounds into the digital realm. | APT blog | Palo Alto |
| 28.6.25 | Understanding Iranian Capabilities and Hacktivist Activities | At Trellix, we’ve been closely tracking Iranian cyber operations for years. Our research has shown that Iran maintains a mature and diverse cyber capability, executed through a combination of government agencies, contractors, and loosely affiliated proxy groups. | APT blog | Trellix |
| 27.6.25 | OneClik: A ClickOnce-Based APT Campaign Targeting Energy, Oil and Gas Infrastructure | The Trellix Advanced Research Center has uncovered a sophisticated APT malware campaign that we’ve dubbed OneClik. | APT blog | Trellix |
| 26.6.25 | Iranian Educated Manticore Targets Leading Tech Academics | Amid ongoing tensions between Iran and Israel, the Iranian threat group Educated Manticore, associated with the Islamic Revolutionary Guard Corps, has launched spear-phishing campaigns targeting Israeli journalists, high-profile cyber security experts and computer science professors from leading Israeli universities. | APT blog | Checkpoint |
| 26.6.25 | Iran-Linked Threat Actors Leak Visitors and Athletes' Data from Saudi Games | Today (June 22, 2025) — the threat actors associated with the "Cyber Fattah" movement leaked thousands of records containing information about visitors and athletes from past Saudi Games, one of the major sports events in the Kingdom. | APT blog | RESECURITY |
| 25.6.25 | Threat Actors Modify and Re-Create Commercial Software to Steal Users’ Information | In collaboration with Microsoft Threat Intelligence (MSTIC), SonicWall has identified a deceptive campaign to distribute a hacked and modified version of SonicWall’s SSL VPN NetExtender application that closely resembles the official SonicWall NetExtender software. | APT blog | SonicWall |
| 25.6.25 | Another Wave: North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages | North Korean threat actors linked to the Contagious Interview campaign return with 35 new malicious npm packages using a stealthy multi-stage malware loader. | APT blog | SOCKET DEV |
| 21.6.25 | Threat actor Banana Squad exploits GitHub repos in new campaign | ReversingLabs researchers discovered more than 60 GitHub repositories that contain hundreds of trojanized files. | APT blog | Reversinglabs |
| 21.6.25 | Threat Group Targets Companies in Taiwan | FortiGuard Labs has uncovered an ongoing cyberattack, targeting companies in Taiwan using phishing emails disguised as tax-related communications | APT blog | FORTINET |
| 21.6.25 | APT36 Phishing Campaign Targets Indian Defense Using Credential-Stealing Malware | Executive Summary APT36, also known as Transparent Tribe, is a Pakistan-based cyber espionage group that has been actively targeting Indian defense personnel through highly | APT blog | Cyfirma |
| 18.6.25 | Heightened Cyberthreat Amidst Israel-Iran Conflict | In the wake of Israel’s large-scale military operation, Operation Rising Lion, which targeted Iranian nuclear and military infrastructure on June 13, 2025, the Israeli cyberthreat landscape has escalated significantly. | APT blog | RADWARE |
| 18.6.25 | Threat Group Targets Companies in Taiwan | In January 2025, FortiGuard Labs observed an attack targeting users in Taiwan. The threat actor is spreading the malware known as winos 4.0 via an email masquerading as being from Taiwan's National Taxation Bureau | APT blog | FORTINET |
| 14.6.25 | Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication | Starting in mid-January 2025, Volexity identified several social-engineering and spear-phishing campaigns by Russian threat actors aimed at compromising Microsoft 365 (M365) accounts. These attack campaigns were highly targeted and carried out in a variety of ways. The majority of these attacks originated via spear-phishing emails with different themes. In one case, the eventual breach began with highly tailored outreach via Signal. | APT blog | VOLEXITY |
| 14.6.25 | The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access | In early February 2022, notably just ahead of the Russian invasion of Ukraine, Volexity made a discovery that led to one of the most fascinating and complex incident investigations Volexity had ever worked. | APT blog | VOLEXITY |
| 14.6.25 | APT PROFILE – MISSION2025 | MISSION2025 is a Chinese state-sponsored advanced persistent threat (APT) group linked to APT41. Active since at least 2012, the group has conducted cyberespionage and | APT blog | Cyfirma |
| 10.6.25 | Follow the Smoke \| China-nexus Threat Actors Hammer At the Doors of Top Tier Targets | In October 2024, SentinelLABS observed and countered a reconnaissance operation targeting SentinelOne, which we track as part of a broader activity cluster named PurpleHaze. | APT blog | SENTINEL LABS |
| 7.6.25 | The Bitter End: Unraveling Eight Years of Espionage Antics—Part One | Analyst note: Throughout this blog, researchers have defanged TA397-controlled indicators and modified certain technical details to protect investigation methods. | APT blog | PROOFPOINT |
| 7.6.25 | BladedFeline: Whispering in the dark | ESET researchers analyzed a cyberespionage campaign conducted by BladedFeline, an Iran-aligned APT group with likely ties to OilRig | APT blog | Eset |
| 5.6.25 | The Bitter End: Unraveling Eight Years of Espionage Antics – Part Two | Bitter's malware has significantly evolved since 2016, moving from basic downloaders to more capable RATs. The group primarily uses simple and home-grown payloads delivered via their infection chain, rather than relying on advanced anti-analysis techniques within the payloads themselves. | APT blog | THREATRAY |
| 5.6.25 | The Bitter End: Unraveling Eight Years of Espionage Antics—Part One | Proofpoint Threat Research assesses it is highly likely that TA397 is a state-backed threat actor tasked with intelligence gathering in the interests of the Indian state. | APT blog | PROOFPOINT |
| 1.6.25 | Earth Lamia Develops Custom Arsenal to Target Multiple Industries | Trend™ Research has been tracking an active APT threat actor named Earth Lamia, targeting multiple industries in Brazil, India and Southeast Asia countries at least since 2023. The threat actor primarily exploits vulnerabilities in web applications to gain access to targeted organizations. | APT blog | Trend Micro |
| 29.4.25 | Earth Kurma APT Campaign Targets Southeast Asian Government, Telecom Sectors | An APT group dubbed Earth Kurma is actively targeting government and telecommunications organizations in Southeast Asia using advanced malware, rootkits, and trusted cloud services to conduct cyberespionage. | APT blog | Trend Micro |
| 25.4.25 | False Face: Unit 42 Demonstrates the Alarming Ease of Synthetic Identity Creation | Evidence suggests that North Korean IT workers are using real-time deepfake technology to infiltrate organizations through remote work positions, which poses significant security, legal and compliance risks. The detection strategies we outline in this report provide security and HR teams with practical guidance to strengthen their hiring processes against this threat. | APT blog | Palo Alto |
| 25.4.25 | Contagious Interview (DPRK) Launches a New Campaign Creating Three Front Companies to Deliver a Trio of Malware: BeaverTail, InvisibleFerret, and OtterCookie | Silent Push Threat Analysts have uncovered three cryptocurrency companies that are actually fronts for the North Korean advanced persistent threat (APT) group Contagious Interview: BlockNovas LLC, Angeloper Agency, and SoftGlide LLC. | APT blog | Silent Push |
| 19.4.25 | | We discovered China-nexus threat actors deployed custom backdoors on Juniper Networks’ Junos OS routers. | APT blog | Google Threat Intelligence |
| 19.4.25 | | Executive Summary Check Point Research has been observing a sophisticated phishing campaign conducted by Advanced ... | APT blog | Checkpoint |
| 19.4.25 | APT PROFILE – EARTH ESTRIES | Earth Estries is a Chinese Advanced Persistent Threat (APT) group that has gained prominence for its sophisticated cyber espionage activities targeting critical infrastructure and | APT blog | Cyfirma |
| 19.4.25 | Cyber Espionage Among Allies: Strategic Posturing in an Era of Trade Tensions | Executive Summary In the past decade, a pattern of cyber operations and espionage between the United States and its allies has emerged, complicating relationships traditionally | APT blog | Cyfirma |
| 19.4.25 | Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware | Slow Pisces (aka Jade Sleet, TraderTraitor, PUKCHONG) is a North Korean state-sponsored threat group primarily focused on generating revenue for the DPRK regime, typically by targeting large organizations in the cryptocurrency sector. This article analyzes their campaign that we believe is connected to recent cryptocurrency heists. | APT blog | Palo Alto |
| 19.4.25 | Renewed APT29 Phishing Campaign Against European Diplomats | Check Point Research has been tracking an advanced phishing campaign conducted by APT29, a Russia-linked threat group, which is targeting diplomatic entities across Europe. | APT blog | Checkpoint |
| 12.4.25 | Goodbye HTA, Hello MSI: New TTPs and Clusters of an APT driven by Multi-Platform Attacks | Seqrite Labs APT team has uncovered new tactics of Pakistan-linked SideCopy APT deployed since the last week of December 2024. The group has expanded its scope of targeting beyond Indian government, defence, maritime sectors, and university students to now. | APT blog | Seqrite |
| 12.4.25 | Kimsuky: A Continuous Threat to South Korea with Deceptive Tactics | Contents: Introduction; Infection Chain; Initial Findings; Campaign 1 (Looking into PDF document); Campaign 2 (Looking into PDF document); Technical Analysis (Campaign 1 & 2); Conclusion; Seqrite Protection; MITRE ATT&CK... | APT blog | Seqrite |
| 29.3.25 | FamousSparrow resurfaces to spy on targets in the US, Latin America | Once thought to be dormant, the China-aligned group has also been observed using the privately-sold ShadowPad backdoor for the first time | APT blog | |
| 29.3.25 | You will always remember this as the day you finally caught FamousSparrow | ESET researchers uncover the toolset used by the FamousSparrow APT group, including two undocumented versions of the group’s signature backdoor, SparrowDoor | APT blog | |
| 1.3.25 | Silent Killers: Unmasking a Large-Scale Legacy Driver Exploitation Campaign | While the abuse of vulnerable drivers has been around for a while, those that can terminate arbitrary processes have drawn increasing attention in recent years. As Windows security continues to evolve, it has become more challenging for attackers to execute malicious code without being detected. | APT blog | Checkpoint |
| 1.3.25 | Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools | | APT blog | |
| 1.3.25 | Sellers can get scammed too, and Joe goes off on a rant about imposter syndrome | Joe has some advice for anyone experiencing self-doubt or wondering about their next career move. Plus, catch up on the latest Talos research on scams targeting sellers, and the Lotus Blossom espionage group. | APT blog | |
| 22.2.25 | Chinese-Speaking Group Manipulates SEO with BadIIS | This blog post details our analysis of an SEO manipulation campaign targeting Asia. We also share recommendations that can help enterprises proactively secure their environment. | APT blog | |
| 22.2.25 | Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection | Our Threat Hunting team discusses Earth Preta’s latest technique, in which the APT group leverages MAVInject and Setup Factory to deploy payloads and maintain control over compromised systems. | APT blog | |
| 22.2.25 | | Cisco Talos has been closely monitoring reports of widespread intrusion activity against several major U.S. telecommunications companies, by a threat actor dubbed Salt Typhoon. This blog highlights our observations on this campaign and identifies recommendations for detection and prevention. | | |
| 11.1.25 | APT groups are increasingly deploying ransomware – and that’s bad news for everyone | The blurring of lines between cybercrime and state-sponsored attacks underscores the increasingly fluid and multifaceted nature of today’s cyberthreats | APT blog | |