Spear phishing
-
Mustang Panda-linked LOTUSLITE variant targets India banking sector
A new LOTUSLITE malware variant has been spotted in a campaign aimed at India’s banking sector, with related lures also tied to South Korean and U.S. policy communities.
-
Konni uses compromised KakaoTalk desktops to spread EndRAT via spear-phishing
Konni used spear-phishing to install EndRAT and other RATs then abused compromised KakaoTalk desktops to send malicious ZIP attachments to selected contacts maintaining long-term persistence and stealing internal documents.
-
BlackSanta EDR killer used in year long campaign targeting HR departments
A Russian speaking actor ran a year long campaign against HR departments deploying BlackSanta, an EDR killer that disables endpoint protections, uses DLL sideloading and vulnerable drivers to gain kernel level access.
-
SloppyLemming deploys BurrowShell and Rust keylogger against Pakistan and Bangladesh
SloppyLemming attacked government and critical infrastructure in Pakistan and Bangladesh from January 2025 to January 2026, deploying the BurrowShell backdoor and a Rust keylogger through spear-phishing PDF and Excel lures.
-
APT28 targets Western and Central Europe with document beacons and webhook exfiltration
APT28 ran Operation MacroMaze from September 2025 to January 2026 targeting Western and Central Europe, using spear-phishing documents that beacon to webhook hosts and exfiltrate command output through browser-based HTML forms.
-
Bloody Wolf campaign installs NetSupport RAT in Uzbekistan and Russia
A spear-phishing campaign installed NetSupport RAT on about 50 devices in Uzbekistan and 10 in Russia using PDF-based loaders that enforce install limits and set persistent autorun scripts while Mirai payloads were staged.
-
Konni uses AI generated PowerShell malware to target blockchain developers
Konni used AI generated PowerShell malware to target blockchain developers in Japan, Australia and India, using spear-phishing with LNK files and multi stage loaders to deploy a persistent backdoor, according to a Check Point Research technical report.
-
MuddyWater using UDP-based backdoor ‘UDPGangster’ in Turkey, Israel and Azerbaijan campaigns
Fortinet FortiGuard Labs says MuddyWater has been using a UDP-based backdoor named UDPGangster to target users in Turkey, Israel and Azerbaijan via spear-phishing Word documents that rely on macros; the backdoor includes persistence mechanisms and extensive anti-analysis checks before contacting a UDP command-and-control server.
-
Bloody Wolf campaign expands from Kyrgyzstan to Uzbekistan, delivers NetSupport RAT via Java loaders
Researchers report the Bloody Wolf hacking group used impersonated government PDFs and Java JAR loaders to deliver an older NetSupport RAT to targets in Kyrgyzstan and, later, Uzbekistan, employing geofencing and simple persistence techniques.
-
China-linked APT31 used local cloud services and public tools to target Russian IT sector, Positive Technologies reports
Researchers at Positive Technologies say China-linked APT31 targeted Russian IT firms between 2024 and 2025, using Yandex Cloud and a mix of public and custom tools to maintain long-term access and exfiltrate data.
