cyber espionage
-
TA415 Uses Visual Studio Code Remote Tunnels in Targeted U.S.-China Policy Espionage Campaign
A China-aligned threat actor known as TA415 carried out spear-phishing campaigns targeting U.S. policy and economic-relations circles, using VS Code Remote Tunnels and a Python loader, WhirlCoil, to establish a persistent backdoor and harvest data amid ongoing U.S.-China trade talks, according to Proofpoint.
-
North Korea-linked hackers used AI-generated fake military ID in espionage campaign, researchers say
Researchers say North Korea’s Kimsuky used a deepfaked image of a military ID generated with ChatGPT to launch a July spear-phishing campaign against a South Korean defense-related institution, highlighting AI-assisted espionage tactics and the ongoing challenges of AI misuse.
-
Chinese APT deploys EggStreme fileless framework in Philippines attack, Bitdefender says
A Chinese APT group has been linked to compromising a Philippines-based military services company using EggStreme, a new fileless malware framework designed for memory-resident espionage, with a backdoor capable of extensive reconnaissance and data theft.
-
Iranian-aligned group linked to multi-wave spear-phishing targeting embassies worldwide, researchers say
An Iran-linked threat group is behind a coordinated, multi-wave spear-phishing campaign targeting embassies and consulates worldwide, using VBA macro payloads to deploy malware, according to researchers.
-
ScarCruft Uses RokRAT in HanKook Phantom Campaign Targeting South Korea
Researchers have uncovered a targeted phishing campaign by North Korea-linked ScarCruft (APT37), dubbed Operation HanKook Phantom, delivering RokRAT to South Korean academics, former officials, and researchers via a manipulated LNK attack chain and PowerShell-based payloads, with exfiltration to multiple cloud services and a willingness to use decoy documents tied to high-profile statements.
-
Amazon says APT29 attempted watering-hole attack to harvest Microsoft credentials; AWS says no systems affected
Amazon said it disrupted an APT29 watering-hole campaign aimed at harvesting Microsoft credentials, stressing that no AWS systems were compromised. The operation used spoofed Cloudflare pages and randomized redirects to trick users, with Google Threat Intelligence and AWS detailing evasion techniques and previous similar activity.
-
Abandoned Sogou Zhuyin Update Server Hijacked to Deliver Espionage Malware, TAOTH Campaign Reveals
A June 2025 reveal shows attackers hijacking an abandoned Sogou Zhuyin update server to deploy multiple spyware and backdoors (TOSHIS, DESFY, GTELAM, C6DOOR) in a campaign targeting East Asia and overseas Chinese communities, with phishing and OAuth abuse used to gain access to high-value targets.
-
Transparent Tribe targets Indian government with dual-platform Linux and Windows malware, researchers say
Researchers say the Transparent Tribe (APT36) has expanded its assault on Indian government networks with a cross‑platform campaign targeting Windows and Linux‑BOSS systems through spear‑phishing, weaponized desktop shortcuts, and a Go‑based backdoor, complemented by anti‑analysis techniques and 2FA‑focused phishing.
-
State-sponsored XenoRAT campaign targets South Korean embassies, researchers say
A Trellix-led analysis describes a multi-phase, state-sponsored XenoRAT espionage campaign targeting South Korean embassies, with links to North Korea’s Kimsuky and indications of possible China-based sponsorship. The operation has conducted at least 19 spearphishing attacks since March, delivering XenoRAT via password-protected ZIP archives and complex, multilingual lures.
-
Curly COMrades APT Targets Georgia and Moldova, Leveraging Ngen for Persistence, Bitdefender Warns
A new cyber espionage campaign attributed to the Curly COMrades threat actor targets Georgia and Moldova, leveraging a mix of legitimate tools and a bespoke backdoor to establish long-term access and exfiltrate credentials, according to Bitdefender.
