Cobalt Strike
-
KnowledgeDeliver flaw used in zero-day attacks to deploy Godzilla web shell
A zero-day flaw in Digital Knowledge’s KnowledgeDeliver learning management system was used to deploy the Godzilla web shell and later Cobalt Strike Beacon. The issue stemmed from hard-coded ASP.NET machine keys and affected deployments before Feb. 24, 2026.
-
Ghostwriter targets Ukrainian government entities in fresh phishing campaign
Ghostwriter has been tied to new attacks on Ukrainian government entities since March 2026, using malicious PDFs, geofencing checks and a JavaScript version of PicassoLoader to deliver Cobalt Strike, according to an ESET technical analysis.
-
China-linked Ink Dragon group targets European government networks, Check Point says
Check Point Research says a China-linked hacking cluster known as Ink Dragon has focused on European government targets since July 2025, using web shells, ShadowPad relays and modular tooling including FINALDRAFT to maintain stealthy, long-term access across multiple regions.
-
China-linked APT31 used local cloud services and public tools to target Russian IT sector, Positive Technologies reports
Researchers at Positive Technologies say China-linked APT31 targeted Russian IT firms between 2024 and 2025, using Yandex Cloud and a mix of public and custom tools to maintain long-term access and exfiltrate data.
-
Google: APT24 Used New ‘BADAUDIO’ Malware in Years-Long Espionage Campaign
Google Threat Intelligence Group says a China-nexus actor tracked as APT24 used a previously undocumented downloader called BADAUDIO in a campaign from November 2022 into 2025, employing watering holes, supply-chain compromises and spear-phishing to deliver backdoors and second-stage payloads.
-
Kaspersky outlines ‘PassiveNeuron’ campaign using bespoke implants and Cobalt Strike
Kaspersky has reported a sustained espionage campaign named PassiveNeuron that has targeted government, financial and industrial servers across Asia, Africa and Latin America since mid-2024, using bespoke implants Neursite and NeuralExecutor alongside Cobalt Strike; the activity remains unattributed.
-
UK regulator fines Capita £14m over 2023 cyberattack that exposed 6.6m people
The UK Information Commissioner’s Office has fined Capita £14 million after a 2023 cyberattack exposed data on about 6.6 million people; the ICO said failures in detection and privileged account controls allowed attackers to exfiltrate roughly 1 TB and deploy ransomware.
-
Researchers say Chinese-speaking group UAT-8099 uses IIS servers for global SEO fraud
Researchers say a Chinese-speaking group dubbed UAT-8099 has been exploiting Microsoft IIS servers to run SEO fraud and steal credentials and certificate data, using web shells, Cobalt Strike and a modified BadIIS backdoor across targets in Asia and the Americas.
-
Chinese state-sponsored group RedNovember exploited enterprise network gear in global campaign, researchers say
Recorded Future says a Chinese state-sponsored group called RedNovember ran a global espionage campaign from June 2024 to July 2025, exploiting vulnerabilities in enterprise network appliances to breach defense contractors, government agencies and other organizations and using publicly available tools to maintain persistent access.
-
CountLoader: New Russian-linked malware loader broadens post-exploitation toolkit, researchers warn
Cybersecurity researchers have identified CountLoader, a new malware loader used by Russian ransomware groups to deliver post-exploitation tools such as Cobalt Strike, AdaptixC2, and the PureHVNC RAT. The loader, observed in variants across .NET, PowerShell, and JavaScript, targets Ukrainian users with PDF phishing lures and features a BrowserVenom proxy capability, multiple download/execution methods, and a…
