AdaptixC2
-
Tropic Trooper campaign uses trojanized SumatraPDF to deploy AdaptixC2
A campaign tied to Tropic Trooper is using a trojanized SumatraPDF reader to deploy AdaptixC2 and, in some cases, Visual Studio Code tunnels for remote access against targets in Taiwan, South Korea and Japan.
-
China-linked GopherWhisper infiltrates Mongolian government systems, ESET says
ESET says a China-aligned group called GopherWhisper targeted Mongolian government institutions, infecting about 12 systems and using Discord, Slack, Outlook and file.io for control and exfiltration.
-
Suspected Chinese cyberespionage used Google Sheets API to hide C2 in campaign affecting 53 organisations
A suspected Chinese threat actor used Google Sheets API calls for command-and-control in a global campaign that affected 53 organisations in 42 countries since 2023. A technical analysis details the GRIDTIDE backdoor and mitigation steps.
-
China-linked APT used DNS poisoning to deliver MgBot backdoor, Kaspersky says
Kaspersky linked a China-aligned APT known as Evasive Panda to a campaign from November 2022 to November 2024 that used DNS poisoning to deliver an MgBot backdoor to targets in Türkiye, China and India, employing staged loaders, custom encryption and host-specific payloads.
-
Iran-linked APT Infy resurfaces with updated Foudre and Tonnerre malware
SafeBreach and other researchers reported renewed activity by the Iranian APT known as Infy (Prince of Persia), documenting updated Foudre and Tonnerre malware, use of a domain generation algorithm for C2 resilience, and a Telegram-based channel in recent campaigns affecting targets in the Middle East, India, Canada and Europe.
-
New ‘SantaStealer’ infostealer marketed on forums
Rapid7 researchers said a new malware-as-a-service infostealer called SantaStealer is being marketed on Telegram and forums, offers subscription plans, includes multiple data-theft modules and appears to have leaked samples that undermine claims of stealth.
-
MuddyWater using UDP-based backdoor ‘UDPGangster’ in Turkey, Israel and Azerbaijan campaigns
Fortinet FortiGuard Labs says MuddyWater has been using a UDP-based backdoor named UDPGangster to target users in Turkey, Israel and Azerbaijan via spear-phishing Word documents that rely on macros; the backdoor includes persistence mechanisms and extensive anti-analysis checks before contacting a UDP command-and-control server.
-
Kaspersky: Tomiris APT increasingly uses Telegram and Discord as command-and-control channels
Kaspersky researchers reported that the Tomiris threat actor has targeted diplomatic and government entities, increasingly using public services like Telegram and Discord as command-and-control channels and deploying multi-language implants and open-source C2 frameworks.
-
Kaspersky flags expanding ‘Tsundere’ botnet that uses Ethereum to host C2 details
Kaspersky researchers have identified an expanding Windows-targeting botnet called Tsundere that deploys a Node.js-based payload via MSI or PowerShell, retrieves C2 details from the Ethereum blockchain and offers a control panel and marketplace for operators; attribution remains unclear.
-
Researchers detail use of Tuoni C2 in attack on U.S. real-estate firm
Researchers said attackers used the Tuoni C2 framework in a mid-October 2025 intrusion attempt against a U.S. real-estate firm, employing social engineering, PowerShell downloaders, BMP steganography and in-memory execution; the campaign was detected and blocked.
