APT Blog - 2026
| DATE | NAME | INFO | CATEGORY | WEB |
|---|---|---|---|---|
| 16.5.26 | Seedworm: Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign | Iran-linked threat actor abused signed Fortemedia and SentinelOne binaries for DLL sideloading and exfiltrated data through a public file-transfer service. | APT blog | SECURITY.COM |
| 16.5.26 | FrostyNeighbor: Fresh mischief and digital shenanigans | ESET researchers uncovered new activities attributed to FrostyNeighbor, which has updated its compromise chain to support the group's continual cyberespionage operations. | APT blog | Eset |
| 9.5.26 | UAT-8302 and its box full of malware | Cisco Talos is disclosing UAT-8302, a sophisticated, China-nexus advanced persistent threat (APT) group targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025. | APT blog | CISCO TALOS |
| 9.5.26 | A rigged game: ScarCruft compromises gaming platform in a supply-chain attack | ESET researchers have investigated an ongoing attack by the ScarCruft APT group that targets the Yanbian region via backdoor-laced Windows and Android games | APT blog | Eset |
| 2.5.26 | Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia | A China-aligned threat group is exploiting unpatched Microsoft Exchange vulnerabilities to conduct cyberespionage against government and critical infrastructure targets across Asia and beyond. | APT blog | Trend Micro |
| 25.4.26 | Harvester: APT Group Expands Toolset With New GoGra Linux Backdoor | The Harvester APT group has developed a new, highly evasive Linux version of its GoGra backdoor. The malware uses the legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control (C2) channel, allowing it to bypass traditional perimeter network defenses. | APT blog | SECURITY.COM |
| 18.4.26 | State-sponsored threats: Different objectives, similar access paths | A look at 2025 state-sponsored threats, exploring how actors linked to China, Russia, North Korea, and Iran use vulnerabilities, identity, and trusted access paths to achieve their goals. | APT blog | CISCO TALOS |
| 4.4.26 | GTIG tracking an active software supply chain attack on the npm package "axios" | Google Threat Intelligence Group (GTIG) is tracking an active software supply chain attack targeting the popular Node Package Manager (NPM) package "axios." Between March 31, 2026, 00:21 and 03:20 UTC, an attacker introduced a malicious dependency named "plain-crypto-js" into axios NPM releases versions 1.14.1 and 0.30.4. Axios is the most popular JavaScript library used to simplify HTTP requests, and these packages typically have over 100 million and 83 million weekly downloads, respectively. | APT blog | GTI |
| 4.4.26 | Professional Networks Under Attack: Vietnam-Linked Actors Deploy PXA Stealer in Global Infostealer Campaign | Cyble dissects a LinkedIn job-lure campaign, exposing its multi-stage PXA Stealer tactic that hijacks accounts and steals sensitive data. | APT blog | Cyble |
| 28.3.26 | China’s APT41 and the Expanding Enterprise Attack Surface: What Security Teams Must Prepare For | APT41’s hybrid model exposes gaps in enterprise security, targeting cloud, supply chains, and OT with advanced tactics and persistent access. | APT blog | Cyble |
| 21.3.26 | Inside Russia’s Shift to Credential-Based Intrusions: What CISOs Need to Know in 2026 | Russia’s credential-based intrusions are rising, leading to more account takeover attacks and new risks for critical infrastructure in 2026. | APT blog | Cyble |
| 14.3.26 | Initial access techniques used by Iran-based threat actors | Analysis of attacks originating from Iran-linked threat groups reveals a preference for certain techniques | APT blog | SOPHOS |
| 14.3.26 | Deno Runtime Exploited: The Emerging Threat You Can't Ignore | Recently, the SonicWall Capture Labs threat research team observed that threat actors have started abusing Deno, a modern JavaScript runtime, to run malicious JavaScript outside the browser, bypassing the need for Node.js. | APT blog | SonicWall |
| 14.3.26 | Suspected China-Based Espionage Operation Against Military Targets in Southeast Asia | We identified a cluster of malicious activity targeting Southeast Asian military organizations, suspected with moderate confidence to be operating out of China. We designate this cluster as CL-STA-1087, with STA representing our assessment that the activity is conducted by state-sponsored actors. We traced this activity back to at least 2020. | APT blog | Palo Alto |
| 14.3.26 | Iranian MOIS Actors & the Cyber Crime Connection | Iran-linked actors are increasingly engaging with the cyber crime ecosystem. Their activity suggests a growing reliance on criminal tools, services, and operational models in support of state objectives. | APT blog | CHECKPOINT |
| 14.3.26 | "Handala Hack" – Unveiling the Group's Modus Operandi | Handala Hack is an online persona operated by Void Manticore (aka Red Sandstorm, Banished Kitten), an actor affiliated with the Iranian Ministry of Intelligence and Security (MOIS). | APT blog | CHECKPOINT |
| 14.3.26 | Sednit reloaded: Back in the trenches | The resurgence of one of Russia’s most notorious APT groups | APT blog | Eset |
| 7.3.26 | Middle East on the Brink: Iran-US-Israel Hostilities Trigger Cyber-Kinetic Conflict | Middle East faces unprecedented hybrid warfare as Iran, US, and Israel clash through cyberattacks, missile strikes, and hacktivist campaigns. | APT blog | Cyble |
| 7.3.26 | Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software Company | This activity began in early February and has continued in recent days. What organizations should expect next from Iran-aligned groups and the steps they should take to guard against cyberattacks. | APT blog | SECURITY.COM |
| 7.3.26 | An Investigation Into Years of Undetected Operations Targeting High-Value Sectors | Since at least 2020, we have observed a cluster of activity targeting high-value organizations across South, Southeast and East Asia. The attacks focus on critical sectors such as aviation, energy, government, law enforcement, pharmaceutical, technology and telecommunications. | APT blog | Palo Alto |
| 7.3.26 | Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran | On Feb. 28, 2026, the United States and Israel launched a significant joint offensive code named Operation Epic Fury (U.S.) and Operation Roaring Lion (Israel). In the hours following the initial strikes, Iran began a multi-vector retaliatory campaign, which has evolved into a significant trans-regional conflict. | APT blog | Palo Alto |
| 7.3.26 | Interplay between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East | During the ongoing conflict, we identified intensified targeting of IP cameras from two manufacturers starting on February 28, originating from infrastructure we attribute to Iranian threat actors. | APT blog | CHECKPOINT |
| 7.3.26 | Silver Dragon Targets Organizations in Southeast Asia and Europe | Check Point Research (CPR) is tracking Silver Dragon, an advanced persistent threat (APT) group which has been actively targeting organizations across Europe and Southeast Asia since at least mid-2024. The actor is likely operating within the umbrella of Chinese-nexus APT41. | APT blog | CHECKPOINT |
| 7.3.26 | Talos on the developing situation in the Middle East | Cisco Talos continues to monitor the ongoing conflict in the Middle East. As always, we will be watching closely for any cyber-related incidents that are tied to the conflict. | APT blog | CISCO TALOS |
| 7.3.26 | UAT-9244 targets South American telecommunication providers with three new malware implants | Cisco Talos is disclosing UAT-9244, which we assess with high confidence is a China-nexus advanced persistent threat (APT) actor closely associated with Famous Sparrow. | APT blog | CISCO TALOS |
| 7.3.26 | The Iranian Cyber Capability 2026 | This report examines Iranian-linked threat activity from 2024 onward. | APT blog | Trellix |
| 28.2.26 | North Korean Lazarus Group Now Working With Medusa Ransomware | North Korean attackers continuing to mount extortion attacks against the U.S. healthcare sector despite indictment. | APT blog | SECURITY.COM |
| 14.2.26 | A Peek Into Muddled Libra’s Operational Playbook | During a September 2025 incident response investigation, Unit 42 discovered a rogue virtual machine (VM) which we believe with high confidence to be used by the cybercrime group Muddled Libra (aka Scattered Spider, UNC3944). The contents of this rogue VM and activity from the attack provide valuable insight into the operational playbook of this threat actor. | APT blog | Palo Alto |
| 13.2.26 | Lotus Blossom (G0030) and the Notepad++ Supply-Chain Espionage Campaign | In late 2025 and early 2026, a series of independent disclosures by software maintainers, security researchers, and national cyber authorities converged on an unsettling conclusion: for months, the update mechanism of one of the world’s most widely used open-source text editors had been quietly subverted. | APT blog | DomainTools Investigation |
| 7.2.26 | The Shadow Campaigns: Uncovering Global Espionage | This investigation unveils a new cyberespionage group that Unit 42 tracks as TGR-STA-1030. We refer to the group's activity as the Shadow Campaigns. We assess with high confidence that TGR-STA-1030 is a state-aligned group that operates out of Asia. Over the past year, this group has compromised government and critical infrastructure organizations across 37 countries. | APT blog | Palo Alto |
| 7.2.26 | Amaranth-Dragon: Weaponizing CVE-2025-8088 for Targeted Espionage in Southeast Asia | Check Point Research (CPR) has been tracking Amaranth-Dragon, a nexus of APT-41, previously aligned with Chinese interests. The group launched highly targeted cyber-espionage campaigns throughout 2025 against government and law enforcement agencies in Southeast Asia. | APT blog | CHECKPOINT |
| 7.2.26 | APT28's Stealthy Multi-Stage Campaign Leveraging CVE-2026-21509 and Cloud C2 Infrastructure | Russian state-sponsored threat group APT28 (aka Fancy Bear or UAC-0001) has launched a sophisticated espionage campaign targeting European military and government entities, specifically maritime and transport organizations across Poland, Slovenia, Turkey, Greece, the UAE, and Ukraine. | APT blog | Trellix |
| 1.2.26 | Dissecting UAT-8099: New persistence mechanisms and regional focus | Cisco Talos has identified a new, regionally targeted campaign by UAT-8099 that leverages advanced persistence techniques and custom BadIIS malware variants to compromise IIS servers, particularly in Thailand and Vietnam. | APT blog | CISCO TALOS |
| 24.1.26 | The Invisible Insider: Why AML and KYC Compliance Fail Against Digital Deception | North Korean operatives and professional money launderers have been drawing six-figure salaries from Fortune Global 500 companies by exploiting a fundamental flaw in identity verification. | APT blog | Silent Push |
| 24.1.26 | From the Shadows to the Headlines: A Decade of State-Sponsored Cyber Leaks | Analysis of a decade of major state-sponsored cyber leaks (Shadow Brokers, Vault 7, i-Soon, KittenBusters): patterns, impact, and the centrality of human vulnerability. | APT blog | Trellix |
| 17.1.26 | Unmasking the DPRK Remote Worker Problem | The DPRK remote worker program functions as a high-volume revenue engine for the North Korean regime. These state-sponsored operatives use stolen identities to secure remote roles within Western enterprises. They establish long-term persistence inside corporate infrastructure before their first meeting. These actors bypass standard IAM and EDR by mimicking the behavior, location, and hardware signatures of a domestic employee. | APT blog | Silent Push |
| 17.1.26 | APT PROFILE – KIMSUKI | Kimsuki, an advanced persistent threat (APT) group active since at least 2012, is suspected to be operating out of North Korea in direct support of the regime’s strategic objectives. The… | APT blog | |
| 17.1.26 | Inside RedVDS: How a single virtual desktop provider fueled worldwide cybercriminal operations | Microsoft's investigation into RedVDS services and infrastructure uncovered a global network of disparate cybercriminals purchasing and using them to target multiple sectors. | APT blog | Microsoft blog |
| 17.1.26 | UAT-8837 targets critical infrastructure sectors in North America | Cisco Talos is closely tracking UAT-8837, a threat actor we assess with medium confidence is a China-nexus advanced persistent threat (APT) actor. | APT blog | CISCO TALOS |
| 10.1.26 | Initial Access Sales Accelerated Across Australia and New Zealand in 2025 | Cyble's 2025 report analyzes Initial Access sales, ransomware operations, and data breaches shaping the cyber threat landscape in Australia and New Zealand. | APT blog | Cyble |
| 10.1.26 | Resurgence of Scattered Lapsus$ hunters | Executive Summary: Recent monitoring of underground forums and Telegram communities has identified the resurgence of the Scattered Lapsus$ collective. The actors appear to be | APT blog | Cyfirma |
| 10.1.26 | UAT-7290 targets high value telecommunications infrastructure in South Asia | Talos assesses with high confidence that UAT-7290 is a sophisticated threat actor falling under the China-nexus of advanced persistent threat actors (APTs). UAT-7290 primarily targets telecommunications providers in South Asia. | APT blog | CISCO TALOS |
| 10.1.26 | Resolutions, shmesolutions (and what's actually worked for me) | Talos' editor ditches the pressure of traditional New Year's resolutions in favor of practical, in-the-moment changes, and finds more success by letting go of perfection. Plus, we break down the latest on UAT-7290, a newly disclosed threat actor targeting critical infrastructure. | APT blog | CISCO TALOS |
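The 4.4.26 GTIG entry above names the two axios releases (1.14.1 and 0.30.4) into which the malicious "plain-crypto-js" dependency was introduced. The lockfile check below is an added example, not code from GTIG or the axios project: it reads an npm package-lock.json in either the v1 (nested) or v2/v3 (flat "packages") layout and reports any axios pin at an affected version, any install of plain-crypto-js, and any package that declares it as a dependency. The version numbers and package name come from the GTIG summary; the sample lockfiles embedded in the script are constructed for illustration and are not real project data.

```javascript
// Added example (not GTIG's or the axios project's code): flag an npm lockfile
// that pins axios to one of the two releases GTIG reported as carrying the
// malicious "plain-crypto-js" dependency, or that installs that package at all.
"use strict";

const AFFECTED_AXIOS = new Set(["1.14.1", "0.30.4"]); // from the GTIG summary
const MALICIOUS_DEP = "plain-crypto-js";              // from the GTIG summary

// Package name from an install path such as "node_modules/a/node_modules/@s/b".
function nameFromPath(installPath) {
  const marker = "node_modules/";
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? installPath : installPath.slice(idx + marker.length);
}

// Append findings for one installed package to the findings list.
function checkPackage(findings, installPath, name, version, declaredDeps) {
  if (name === "axios" && AFFECTED_AXIOS.has(version)) {
    findings.push({ path: installPath, reason: `axios ${version} is an affected release` });
  }
  if (name === MALICIOUS_DEP) {
    findings.push({ path: installPath, reason: `${MALICIOUS_DEP} is installed` });
  }
  if (declaredDeps && Object.prototype.hasOwnProperty.call(declaredDeps, MALICIOUS_DEP)) {
    findings.push({ path: installPath, reason: `${name} declares a dependency on ${MALICIOUS_DEP}` });
  }
}

// Returns a list of { path, reason } findings; an empty list means nothing matched.
function scanLockfile(lock) {
  const findings = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
    for (const [installPath, meta] of Object.entries(lock.packages)) {
      if (installPath === "") continue;
      const declared = { ...(meta.dependencies || {}), ...(meta.optionalDependencies || {}) };
      checkPackage(findings, installPath, nameFromPath(installPath), meta.version, declared);
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested tree; "requires" lists the declared dependencies.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const installPath = `${prefix}node_modules/${name}`;
        checkPackage(findings, installPath, name, meta.version, meta.requires);
        if (meta.dependencies) walk(meta.dependencies, `${installPath}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

// Constructed sample lockfiles (illustrative only, not real project data).
const SAMPLE_LOCK_V3 = {
  name: "demo-app", lockfileVersion: 3, requires: true,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "^1.0.0", "follow-redirects": "^1.15.6" } },
    "node_modules/plain-crypto-js": { version: "1.0.0" },
    "node_modules/follow-redirects": { version: "1.15.6" },
  },
};
const SAMPLE_LOCK_V1 = {
  name: "demo-app", lockfileVersion: 1, requires: true,
  dependencies: {
    axios: { version: "0.30.4", requires: { "plain-crypto-js": "^1.0.0" },
             dependencies: { "plain-crypto-js": { version: "1.0.0" } } },
  },
};
const CLEAN_LOCK = {
  name: "demo-app", lockfileVersion: 3, requires: true,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.0", dependencies: { "follow-redirects": "^1.15.6" } },
    "node_modules/follow-redirects": { version: "1.15.6" },
  },
};

// Usage: node scan-lock.js [path/to/package-lock.json]; with no path the
// constructed v3 sample is scanned.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK_V3;
  const findings = scanLockfile(lock);
  for (const f of findings) console.log(`${f.path}: ${f.reason}`);
  console.log(`${findings.length} finding(s)`);
}
```

Run it against every package-lock.json in a monorepo or CI checkout rather than only the top-level one, since a transitively vendored axios is still resolved from the lockfile that installed it; a matching "is installed" finding for plain-crypto-js is the strongest signal because it does not depend on which parent pulled the package in.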