DATE | NAME | CATEGORY | SUB | TYPE | INFO |
22.4.25 | Microsoft Secures MSA Signing with Azure Confidential VMs Following Storm-0558 Breach | APT | APT | ARTICLES | Microsoft on Monday announced that it has moved the Microsoft Account (MSA) signing service to Azure confidential virtual machines (VMs) and that it's also in the process of migrating the Entra ID signing service as well. |
22.4.25 | Lotus Panda Hacks SE Asian Governments With Browser Stealers and Sideloaded Malware | APT | APT | ARTICLES | The China-linked cyber espionage group tracked as Lotus Panda has been attributed to a campaign that compromised multiple organizations in an unnamed |
22.4.25 | Kimsuky Exploits BlueKeep RDP Vulnerability to Breach Systems in South Korea and Japan | APT | APT | ARTICLES | Cybersecurity researchers have flagged a new malicious campaign related to the North Korean state-sponsored threat actor known as Kimsuky that exploits a now- |
22.4.25 | Hackers Abuse Russian Bulletproof Host Proton66 for Global Attacks and Malware Delivery | APT | APT | ARTICLES | Cybersecurity researchers have disclosed a surge in "mass scanning, credential brute-forcing, and exploitation attempts" originating from IP addresses associated |
21.4.25 | State-sponsored hackers embrace ClickFix social engineering tactic | APT | APT | ARTICLES | ClickFix attacks are being increasingly adopted by threat actors of all levels, with researchers now seeing multiple advanced persistent threat (APT) groups from North Korea, Iran, and Russia utilizing the tactic to breach networks. |
21.4.25 | APT29 Deploys GRAPELOADER Malware Targeting European Diplomats Through Wine-Tasting Lures | APT | APT | ARTICLES | The Russian state-sponsored threat actor known as APT29 has been linked to an advanced phishing campaign that's targeting diplomatic entities across Europe with |
20.4.25 | Midnight Blizzard deploys new GrapeLoader malware in embassy phishing | APT | APT | ARTICLES | Russian state-sponsored espionage group Midnight Blizzard is behind a new spear-phishing campaign targeting diplomatic entities in Europe, including embassies. |
19.4.25 | | APT | APT blog | BLOG | We discovered China-nexus threat actors deployed custom backdoors on Juniper Networks’ Junos OS routers. |
19.4.25 | | APT | APT blog | BLOG | Executive Summary Check Point Research has been observing a sophisticated phishing campaign conducted by Advanced ... |
19.4.25 | APT PROFILE – EARTH ESTRIES | APT | APT blog | BLOG | Earth Estries is a Chinese Advanced Persistent Threat (APT) group that has gained prominence for its sophisticated cyber espionage activities targeting critical infrastructure and |
19.4.25 | Cyber Espionage Among Allies: Strategic Posturing in an Era of Trade Tensions | APT | APT blog | BLOG | Executive Summary In the past decade, a pattern of cyber operations and espionage between the United States and its allies has emerged, complicating relationships traditionally |
19.4.25 | Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware | APT | APT blog | BLOG | Slow Pisces (aka Jade Sleet, TraderTraitor, PUKCHONG) is a North Korean state-sponsored threat group primarily focused on generating revenue for the DPRK regime, typically by targeting large organizations in the cryptocurrency sector. This article analyzes their campaign that we believe is connected to recent cryptocurrency heists. |
19.4.25 | Renewed APT29 Phishing Campaign Against European Diplomats | APT | APT blog | BLOG | Check Point Research has been tracking an advanced phishing campaign conducted by APT29, a Russia-linked threat group, which is targeting diplomatic entities across Europe. |
18.4.25 | A recent campaign attributed to the Fritillary APT group | APT | APT | ALERTS | A new malicious campaign targeting diplomatic entities in Europe has been attributed to the cyberespionage group called Fritillary (aka Midnight Blizzard, APT29). According to recent research by Check Point, the attackers have been leveraging a new custom malware loader dubbed GrapeLoader as well as an updated variant of the WineLoader backdoor. |
18.4.25 | Mustang Panda Targets Myanmar With StarProxy, EDR Bypass, and TONESHELL Updates | APT | APT | ARTICLES | The China-linked threat actor known as Mustang Panda has been attributed to a cyber attack targeting an unspecified organization in Myanmar with previously |
15.4.25 | Crypto Developers Targeted by Python Malware Disguised as Coding Challenges | APT | APT | ARTICLES | The North Korea-linked threat actor assessed to be behind the massive Bybit hack in February 2025 has been linked to a malicious campaign that targets developers |
12.4.25 | Goodbye HTA, Hello MSI: New TTPs and Clusters of an APT driven by Multi-Platform Attacks | APT | APT blog | BLOG | Seqrite Labs APT team has uncovered new tactics of Pakistan-linked SideCopy APT deployed since the last week of December 2024. The group has expanded its scope of targeting beyond Indian government, defence, maritime sectors, and university students to now. |
12.4.25 | Kimsuky: A Continuous Threat to South Korea with Deceptive Tactics | APT | APT blog | BLOG | Contents: Introduction; Infection Chain; Initial Findings; Campaign 1 (Looking into PDF document); Campaign 2 (Looking into PDF document); Technical Analysis (Campaign 1 & 2); Conclusion; Seqrite Protection; MITRE ATT&CK... |
9.4.25 | Springtail APT group targets South Korean government entities | APT | ALERTS | ALERTS | The Springtail (aka Kimsuky) APT group recently engaged in campaigns targeting South Korean government entities. The campaigns leveraged government-themed messaging (one being tax related and another regarding a policy on the topic of sex offenders) to distribute malicious LNK files as malspam attachments. |
5.4.25 | North Korean IT worker army expands operations in Europe | APT | APT | ARTICLES | North Korea's IT workers have expanded operations beyond the United States and are now increasingly targeting organizations across Europe. |
4.4.25 | North Korean hackers adopt ClickFix attacks to target crypto firms | APT | APT | ARTICLES | The notorious North Korean Lazarus hacking group has reportedly adopted 'ClickFix' tactics to deploy malware targeting job seekers in the cryptocurrency industry, particularly centralized finance (CeFi). |
4.4.25 | Lazarus Group Targets Job Seekers With ClickFix Tactic to Deploy GolangGhost Malware | APT | APT | ARTICLES | The North Korean threat actors behind Contagious Interview have adopted the increasingly popular ClickFix social engineering tactic to lure job seekers in the |
2.4.25 | FIN7 Deploys Anubis Backdoor to Hijack Windows Systems via Compromised SharePoint Sites | APT | APT | ARTICLES | The financially motivated threat actor known as FIN7 has been linked to a Python-based backdoor called Anubis (not to be confused with an Android banking trojan |
1.4.25 | China-Linked Earth Alux Uses VARGEIT and COBEACON in Multi-Stage Cyber Intrusions | APT | APT | ARTICLES | Cybersecurity researchers have shed light on a new China-linked threat actor called Earth Alux that has targeted various key sectors such as government, |
29.3.25 | FamousSparrow resurfaces to spy on targets in the US, Latin America | APT | APT blog | BLOG | Once thought to be dormant, the China-aligned group has also been observed using the privately-sold ShadowPad backdoor for the first time |
29.3.25 | You will always remember this as the day you finally caught FamousSparrow | APT | APT blog | BLOG | ESET researchers uncover the toolset used by the FamousSparrow APT group, including two undocumented versions of the group’s signature backdoor, SparrowDoor |
27.3.25 | APT36 Spoofs India Post Website to Infect Windows and Android Users with Malware | APT | APT | ARTICLES | An advanced persistent threat (APT) group with ties to Pakistan has been attributed to the creation of a fake website masquerading as India's public sector postal system as part of a campaign designed to infect both Windows and |
27.3.25 | New SparrowDoor Backdoor Variants Found in Attacks on U.S. and Mexican Organizations | APT | APT | ARTICLES | The Chinese threat actor known as FamousSparrow has been linked to a cyber attack targeting a trade group in the United States and a research institute in |
23.3.25 | US removes sanctions against Tornado Cash crypto mixer | APT | APT | ARTICLES | The U.S. Department of Treasury announced today that it has removed sanctions against the Tornado Cash cryptocurrency mixer, which North Korean Lazarus hackers used to launder hundreds of millions stolen in multiple crypto heists. |
27.3.25 | APT36 TURNING AID INTO ATTACK | APT | BLOG | BLOG | TURNING AID INTO ATTACK: EXPLOITATION OF PAKISTAN’S YOUTH LAPTOP SCHEME TO TARGET INDIA |
22.3.25 | Recent UAT-5918 APT malicious activities targeting entities in Taiwan | APT | ALERTS | ALERTS | Researchers from Cisco Talos have reported a long-lasting campaign targeting entities in Taiwan and attributed to the UAT-5918 APT. The attackers are known to obtain access to the targeted environments usually via vulnerability exploitation. |
21.3.25 | China-Linked APT Aquatic Panda: 10-Month Campaign, 7 Global Targets, 5 Malware Families | APT | APT | ARTICLES | The China-linked advanced persistent threat (APT) group known as Aquatic Panda has been linked to a "global espionage campaign" that took place in 2022 targeting |
20.3.25 | OKX suspends DEX aggregator after Lazarus hackers try to launder funds | APT | APT | ARTICLES | OKX Web3 has decided to suspend its DEX aggregator services to implement security upgrades following reports of abuse by the notorious North Korean Lazarus hackers, who recently conducted a $1.5 billion crypto heist. |
19.3.25 | Unpatched Windows Zero-Day Flaw Exploited by 11 State-Sponsored Threat Groups Since 2017 | APT | APT | ARTICLES | An unpatched security flaw impacting Microsoft Windows has been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns that date back to 2017. |
15.3.25 | Chinese cyberspies backdoor Juniper routers for stealthy access | APT | APT | ARTICLES | Chinese hackers are deploying custom backdoors on Juniper Networks Junos OS MX routers that have reached end-of-life (EoL) and no longer receive security updates. |
15.3.25 | North Korean Lazarus hackers infect hundreds via npm packages | APT | APT | ARTICLES | Six malicious packages have been identified on npm (Node package manager) linked to the notorious North Korean hacking group Lazarus. |
13.3.25 | Blind Eagle malicious .url files variant | APT | ALERTS | ALERTS | Blind Eagle (aka APT-C-36), is a threat actor group that engages in both espionage and cyber-crime. |
13.3.25 | Leafperforator APT conducts attacks on maritime sector | APT | ALERTS | ALERTS | A new malicious campaign targeting the maritime and nuclear energy sector across South and Southeast Asia, the Middle East, and Africa has been attributed to the Leafperforator (also known as SideWinder) APT group. |
13.3.25 | North Korea's ScarCruft Deploys KoSpy Malware, Spying on Android Users via Fake Utility Apps | APT | APT | ARTICLES | The North Korea-linked threat actor known as ScarCruft is said to have been behind a never-before-seen Android surveillance tool named KoSpy targeting |
13.3.25 | Chinese Hackers Breach Juniper Networks Routers With Custom Backdoors and Rootkits | APT | APT | ARTICLES | The China-nexus cyber espionage group tracked as UNC3886 has been observed targeting end-of-life MX routers from Juniper Networks as part of a campaign |
12.3.25 | Blind Eagle | APT | APT | GROUP | Blind Eagle: …And Justice for All |
12.3.25 | Blind Eagle Hacks Colombian Institutions Using NTLM Flaw, RATs and GitHub-Based Attacks | APT | APT | ARTICLES | The threat actor known as Blind Eagle has been linked to a series of ongoing campaigns targeting Colombian institutions and government entities since |
11.3.25 | SideWinder APT Targets Maritime, Nuclear, and IT Sectors Across Asia, Middle East, and Africa | APT | APT | ARTICLES | Maritime and logistics companies in South and Southeast Asia, the Middle East, and Africa have become the target of an advanced persistent threat (APT) group |
11.3.25 | SideWinder | APT | APT | GROUP | SideWinder targets the maritime and nuclear sectors with an updated toolset |
8.3.25 | Silk Typhoon hackers now target IT supply chains to breach networks | APT | APT | ARTICLES | Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers. |
8.3.25 | US charges Chinese hackers linked to critical infrastructure breaches | APT | APT | ARTICLES | The US Justice Department has charged Chinese state security officers along with APT27 and i-Soon hackers for network breaches and cyberattacks that have targeted victims globally since 2011. |
8.3.25 | FIN7, FIN8, and Others Use Ragnar Loader for Persistent Access and Ransomware Operations | APT | APT | ARTICLES | Threat hunters have shed light on a "sophisticated and evolving malware toolkit" called Ragnar Loader that's used by various cybercrime and ransomware groups |
6.3.25 | China-Linked Silk Typhoon Expands Cyber Attacks to IT Supply Chains for Initial Access | APT | APT | ARTICLES | The China-linked threat actor behind the zero-day exploitation of security flaws in Microsoft Exchange servers in January 2021 has shifted its tactics to target the information technology (IT) supply chain as a means to obtain initial access to |
6.3.25 | Chinese APT Lotus Panda Targets Governments With New Sagerunex Backdoor Variants | APT | APT | ARTICLES | The threat actor known as Lotus Panda has been observed targeting government, manufacturing, telecommunications, and media sectors in the Philippines, |
5.3.25 | Suspected Iranian Hackers Used Compromised Indian Firm's Email to Target U.A.E. Aviation Sector | APT | APT | ARTICLES | Threat hunters are calling attention to a new highly-targeted phishing campaign that singled out "fewer than five" entities in the United Arab Emirates (U.A.E.) to |
1.3.25 | Silent Killers: Unmasking a Large-Scale Legacy Driver Exploitation Campaign | APT | APT blog | BLOG | While the abuse of vulnerable drivers has been around for a while, those that can terminate arbitrary processes have drawn increasing attention in recent years. |
1.3.25 | Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools | APT | APT blog | BLOG | Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools |
1.3.25 | Sellers can get scammed too, and Joe goes off on a rant about imposter syndrome | APT | APT blog | BLOG | Joe has some advice for anyone experiencing self doubt or wondering about their next career move. Plus, catch up on the latest Talos research on scams targeting sellers, and the Lotus Blossom espionage group. |
1.3.25 | Billbug (aka Lotus Blossom) threat group uses Sagerunex malware to target numerous victims | APT | ALERTS | ALERTS | The Billbug (aka Lotus Blossom) threat group has been observed leveraging Sagerunex malware, along with other hacking tools, to target numerous victims across industries. |
28.2.25 | Angry Likho | APT | APT | GROUP | Angry Likho: Old beasts in a new forest |
27.2.25 | Vedalia APT group phishing campaign delivers RokRat malware across Asia | APT | ALERTS | ALERTS | A phishing campaign by the North Korean-linked threat actor Vedalia (also known as APT37, RedEyes and ScarCruft) has been reported delivering fileless RokRat malware. The campaign targets government and corporate entities across South Korea and Asia. |
27.2.25 | Silver Fox APT Uses Winos 4.0 Malware in Cyber Attacks Against Taiwanese Organizations | APT | APT | ARTICLES | A new campaign is targeting companies in Taiwan with malware known as Winos 4.0 as part of phishing emails masquerading as the country's National Taxation |
22.2.25 | Chinese-Speaking Group Manipulates SEO with BadIIS | APT | APT blog | BLOG | This blog post details our analysis of an SEO manipulation campaign targeting Asia. We also share recommendations that can help enterprises proactively secure their environment. |
22.2.25 | Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection | APT | APT blog | BLOG | Our Threat Hunting team discusses Earth Preta’s latest technique, in which the APT group leverages MAVInject and Setup Factory to deploy payloads, and maintain control over compromised systems. |
22.2.25 | | APT | BLOG | | Cisco Talos has been closely monitoring reports of widespread intrusion activity against several major U.S. telecommunications companies, by a threat actor dubbed Salt Typhoon. This blog highlights our observations on this campaign and identifies recommendations for detection and prevention. |
22.2.25 | Data Leak Exposes TopSec's Role in China's Censorship-as-a-Service Operations | APT | APT | ARTICLES | An analysis of a data leak from a Chinese cybersecurity company TopSec has revealed that it likely offers censorship-as-a-service solutions to prospective |
22.2.25 | North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware | APT | APT | ARTICLES | Freelance software developers are the target of an ongoing campaign that leverages job interview-themed lures to deliver cross-platform malware families known as BeaverTail and InvisibleFerret. The activity, linked to North Korea, has |
22.2.25 | Chinese Hackers Exploit MAVInject.exe to Evade Detection in Targeted Cyber Attacks | APT | APT | ARTICLES | The Chinese state-sponsored threat actor known as Mustang Panda has been observed employing a novel technique to evade detection and maintain control |
22.2.25 | Earth Preta | APT | APT | GROUP | Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection |
18.2.25 | Recent RedCurl (aka EarthKapre) APT activity | APT | ALERTS | ALERTS | RedCurl (also known as EarthKapre) is a threat group known for conducting espionage and data exfiltration activities. The recently observed campaign attributed to this threat actor has been leveraging a legitimate Adobe executable (ADNotificationManager.exe) to sideload malicious binaries. The infection chain has been initiated via crafted PDF malspam leading to ZIP-compressed .img binaries. |
11.2.25 | Trojanized KMS activation tools leveraged in latest Sandworm APT campaigns | APT | ALERTS | ALERTS | According to the latest report published by EclecticIQ researchers, Sandworm APT (aka APT44, UAC-0145) has been recently engaged in espionage activities against users in Ukraine. The attackers have been leveraging trojanized Microsoft Key Management Service (KMS) activator tools and fake update installers in efforts aimed at distribution of a new BackOrder loader variant. |
5.2.25 | Silent Lynx | APT | APT | BLOG | Silent Lynx APT Targets Various Entities Across Kyrgyzstan & Neighbouring Nations |
19.1.25 | US cracks down on North Korean IT worker army with more sanctions | APT | APT | ARTICLES | The U.S. Treasury Department has sanctioned a network of individuals and front companies linked to North Korea's Ministry of National Defense that have generated revenue via illegal remote IT work schemes. |
18.1.25 | U.S. Sanctions Chinese Cybersecurity Firm Over Treasury Hack Tied to Silk Typhoon | APT | APT | ARTICLES | The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has imposed sanctions against a Chinese cybersecurity company and a Shanghai- |
18.1.25 | U.S. Sanctions North Korean IT Worker Network Supporting WMD Programs | APT | APT | ARTICLES | The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned two individuals and four entities for their alleged involvement in illicit |
18.1.25 | Recent malicious activities of the Fireant APT group | APT | ALERTS | ALERTS | The Fireant (aka RedDelta, Mustang Panda) advanced persistent threat (APT) group has been targeting Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia in a recent campaign spreading an updated variant of the PlugX backdoor. |
16.1.25 | Lazarus Group Targets Web3 Developers with Fake LinkedIn Profiles in Operation 99 | APT | APT | ARTICLES | The North Korea-linked Lazarus Group has been attributed to a new cyber attack campaign dubbed Operation 99 that targeted software developers looking for |
16.1.25 | North Korean IT Worker Fraud Linked to 2016 Crowdfunding Scam and Fake Domains | APT | APT | ARTICLES | Cybersecurity researchers have identified infrastructure links between the North Korean threat actors behind the fraudulent IT worker schemes and a 2016 crowdfunding scam. The new evidence suggests that Pyongyang-based |
12.1.25 | MirrorFace hackers targeting Japanese govt, politicians since 2019 | APT | APT | ARTICLES | The National Police Agency (NPA) and the Cabinet Cyber Security Center in Japan have linked a cyber-espionage campaign targeting the country to the Chinese state-backed "MirrorFace" hacking group. |
12.1.25 | US Treasury hack linked to Silk Typhoon Chinese state hackers | APT | APT | ARTICLES | Chinese state-backed hackers, tracked as Silk Typhoon, have been linked to the U.S. Office of Foreign Assets Control (OFAC) hack in early December. |
11.1.25 | APT groups are increasingly deploying ransomware – and that’s bad news for everyone | APT | APT blog | BLOG | The blurring of lines between cybercrime and state-sponsored attacks underscores the increasingly fluid and multifaceted nature of today’s cyberthreats |
4.1.25 | U.S. Treasury Sanctions Beijing Cybersecurity Firm for State-Backed Hacking Campaigns | APT | APT | ARTICLES | The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Friday issued sanctions against a Beijing-based cybersecurity company known as |
3.1.25 | US sanctions Chinese company linked to Flax Typhoon hackers | APT | APT | ARTICLES | The U.S. Treasury Department has sanctioned Beijing-based cybersecurity company Integrity Tech (also known as Yongxin Zhicheng) for its involvement in cyberattacks attributed to the Chinese state-sponsored Flax Typhoon hacking group. |