Espionage

Chinese national Xu Zewei faces nine federal counts after extradition from Italy for alleged role in Silk Typhoon attacks stealing COVID-19 vaccine research from U.S. universities and research institutions.

Russian GRU's APT28 uses new PRISMEX malware suite with steganography and COM hijacking to target Ukraine defense and NATO logistics. Includes wiper capability.

Unit 42 exposes Phantom Taurus, a Chinese APT targeting embassies and foreign ministries with fileless NET-STAR malware. The group resurfaces within hours after discovery.

New infostealer parasitizes legitimate document security software, exfiltrating data through trusted server infrastructure. Targets include Dongfeng-27 ballistic missile documents.

New JavaScript backdoor targets Ukrainian entities using Microsoft Edge's debugging features for stealth. S2 Grupo links campaign to Laundry Bear threat group.

Camaro Dragon weaponized missile strike lure documents to deploy PlugX backdoor against Qatari targets, exploiting Operation Epic Fury tensions for access.

North Korean APT37's Ruby Jumper campaign uses RESTLEAF, THUMBSBD, and FOOTWINE malware to exfiltrate data from isolated systems via USB drives.

China-linked UAT-9244 deploys TernDoor backdoor and peer-to-peer implants against telecom infrastructure across South America, North America, and Europe.

Russian GRU-linked APT28 deploys BEARDSHELL and COVENANT implants for long-term surveillance of Ukrainian military personnel. ESET research reveals cloud storage abuse for C2.

India-linked APT deploys BurrowShell backdoor and Rust-based RAT against Pakistan nuclear agencies, Bangladesh banks, and Sri Lankan government. 112 C2 domains identified.

New espionage campaign uses protest-themed lures and Chrome DLL side-loading to deploy RAT malware against Iranian diaspora, activists, and journalists.

Germany's BfV and BSI issued a joint advisory warning of state-sponsored phishing campaigns targeting politicians, military officials, and journalists through Signal's device linking feature.

SafeBreach tracks Infy APT deploying Tornado v51 malware with blockchain-based C2 after Iran's internet blackout, confirming state sponsorship ties.

Asia-based APT TGR-STA-1030 compromised 70+ government and critical infrastructure targets across 37 countries using eBPF rootkits and Cobalt Strike.

Operation Neusploit saw Russia's APT28 exploit CVE-2026-21509 against 60+ Ukrainian targets within 72 hours of Microsoft's disclosure, delivering MiniDoor and BEARDSHELL backdoors.

French researchers uncover SloppyMIO, an AI-assisted malware campaign using fabricated victim lists to target individuals documenting human rights abuses during Iranian protests.

Federal jury convicts Linwei Ding on 14 counts of economic espionage and trade secret theft for stealing Google's AI infrastructure secrets for China.

Chinese APT adds clipboard monitoring, browser stealing, and enhanced plugins to its long-running backdoor. Government entities in Asia remain primary targets.

Recorded Future tracks APT28 harvesting credentials from energy, defense, and government targets in the Balkans, Middle East, and Central Asia using free hosting infrastructure.

APT42 campaign compromises government ministers, activists, and journalists through fake login pages and real-time surveillance capabilities.

Void Blizzard deploys PLUGGYAPE backdoor through Signal and WhatsApp, impersonating charitable organizations to compromise Ukrainian defense forces.

Chinese state hackers accessed email accounts of House staffers working on China, foreign affairs, and defense. The intrusion was discovered in December.

Newly disclosed threat actor compromises telecom providers in South Asia and Southeastern Europe, establishing relay infrastructure for other Chinese APT groups.

Microsoft and CrowdStrike warn of intensified Silk Typhoon operations targeting US government agencies and IT supply chains, with 150% increase in China-linked intrusions.

CloudSEK identifies Chinese threat group Silver Fox targeting Indian organizations with phishing emails disguised as income tax department communications.

SafeBreach uncovers new Prince of Persia campaign using updated Foudre and Tonnerre malware, now leveraging Telegram for command and control.

ESET researchers discover sophisticated threat actor targeting Southeast Asian and Japanese governments using Windows Group Policy for lateral movement.

Sophisticated threat group escalates operations against European government entities using relay networks that route attacks through multiple victim organizations.