Tag: espionage
-
Iran-Linked MuddyWater Poses as Ransomware Gang to Mask Cyber Espionage
An NCC Group report warns state-backed hackers are attempting to hide activity by posing as ransomware groups and deploying commercially available malware First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/iranlinked-muddywater-poses-as/
-
Hackers Exploit RAR Vulnerability to Drop Startup VBS in Ukraine UAV Malware Campaign
A newly observed espionage campaign targeting Ukraine’s unmanned aerial vehicle (UAV) ecosystem leverages a RAR archive exploit to install a persistent VBS loader, which then retrieves a Windows payload linked to an emergent actor the researcher calls GhostShell (Malwarebox ID MB-0009). The initial artifact is an archive named Besomar_documentation.rar, distributed with decoy PDF files mimicking…
-
Peter Thiel ‘s Secret Society Leak Creates a Perfect Target List for Espionage, Influence Operations, and Blackmail
A simple website flaw exposed members, political profiles, login tokens, and dating data from Peter Thiel ‘s secretive Dialog network. Dialog, a private invitation-only organization cofounded in 2006 by billionaire tech investor Peter Thiel, has spent two decades refusing to disclose its membership. That position became harder to maintain last week when Swiss hacktivist maia…
-
State Digital Surveillance Puts Foreign Travelers and Businesses at Risk Across 31 Countries
A new state-surveillance assessment finds that foreign travelers and business staff face high or very high digital risk in 31 countries, where governments increasingly use telecom interception, spyware, AI-enabled monitoring, and data aggregation with little meaningful oversight. The concern is not just espionage in the classic sense; it is the routine conversion of travel, communications,…
-
FortiBleed Exploit Campaign Hits 70,000+ Fortinet Firewalls Worldwide
A large-scale cyber espionage campaign dubbed “FortiBleed” has compromised more than 70,000 Fortinet firewalls and VPN gateways worldwide, exposing enterprise networks across 194 countries. The activity, first identified by security researcher Volodymyr Diachenko and further analyzed by Hudson Rock and Kevin Beaumont, reveals a coordinated effort targeting internet-exposed FortiGate management interfaces. The dataset contains 73,932…
-
Chinese Espionage Actor Abuses Email Rules to Steal Research Data
Tags: china, compliance, credentials, data, email, espionage, google, group, intelligence, malware, threat. Threat Actor Silently Forwarded Sensitive Emails Matching Strategic Topics. Google says Chinese espionage group UNC6508 compromised REDCap environments at North American research institutions, deployed custom malware, stole credentials and covertly forwarded strategically relevant emails through abused compliance rules to support long-term intelligence collection. First seen on govinfosecurity.com Jump to article: www.govinfosecurity.com/chinese-espionage-actor-abuses-email-rules-to-steal-research-data-a-31993
-
Chinese Hacking Firm Upgrades With New Windows Backdoor
Researchers Identified Two Undocumented Variants Used Since 2023. Eset uncovered two previously undocumented Windows variants of the China-linked SprySocks backdoor tied to FishMonger and iSoon, revealing expanded espionage capabilities, rootkit-based stealth and continued targeting of government organizations across Asia and Central America. First seen on govinfosecurity.com Jump to article: www.govinfosecurity.com/chinese-hacking-firm-upgrades-new-windows-backdoor-a-31977
-
Chinese Hackers Abused Google Workspace Rules to Steal Research and Defense Emails
A China-linked espionage group hid inside North American medical, academic, and military research networks for more than a year, quietly stealing sensitive research and defense email. The way in was a backdoor on their REDCap research servers that stole login credentials. The exfiltration was the unusual part: the attackers rewired the victims’ own Google Workspace rules…
-
Google exposes China espionage group that’s been lurking in networks undetected since 2023
The revelation mirrors an alarming pattern of Chinese espionage groups dropping backdoors into critical infrastructure to intercept research and steal data with national security implications. First seen on cyberscoop.com Jump to article: cyberscoop.com/google-unc6508-china-espionage-threat/
-
Chinese hackers breached North American research institutions via REDCap servers
A China-linked cyber espionage operation targeted North American medical research institutions through compromised REDCap servers, using custom malware to gain persistent … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/06/15/chinese-hackers-redcap-medical-research-institutions-breach/
-
China-nexus group linked to multiyear campaign targeting US, Canadian medical research
A report from Google links a sophisticated espionage effort targeting information about viruses, AI and military information. First seen on cybersecuritydive.com Jump to article: www.cybersecuritydive.com/news/china-nexus-multiyear-hacking-us-canadian-medical-research/822912/
-
China-linked spies backdoored authentication stack to stay hidden for years
A China-linked cyber espionage group known as Velvet Ant spent nearly a decade inside the internal network of an unnamed organization without being detected, according to the … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/06/15/velvet-ant-backdoored-authentication-persistence/
-
Chinese hackers breach REDCap servers, steal medical research
A China-linked espionage campaign targeted exposed REDCap servers to deploy the InfiniteRed malware and steal sensitive data from a medical institution in North America. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/chinese-hackers-breach-redcap-servers-steal-medical-research/
-
FBI shuts down 13 ‘consulting’ websites used for suspected Chinese espionage
First seen on scworld.com Jump to article: www.scworld.com/news/fbi-shuts-down-13-consulting-websites-used-for-suspected-chinese-espionage
-
Hackers Use UAE-India Diplomatic Lure to Deliver SHEETCREEP RAT via Google Sheets
An active espionage campaign tracked as SHEETCREEP leverages a UAE-India diplomatic-themed ISO lure to deliver a compact C# remote access trojan (RAT) and uses Google Sheets as its command-and-control (C2) channel. The ISO, named UAE-India_Strategic_Partnership_Week.iso, contains a deceptively iconized LNK file that launches a C# dropper. The dropper extracts a decoy PDF to temp,…
-
Russian national charged in connection with Void Blizzard espionage campaign
Denis Obrezko accused of orchestrating cyberattacks that compromised at least 11 U.S. companies as part of the Kremlin-linked group’s sprawling espionage operation. First seen on cyberscoop.com Jump to article: cyberscoop.com/russian-national-charged-void-blizzard-cyber-espionage/
-
OceanLotus Targets Stock Investors in FireAnt MetaKit Supply-Chain Hack
OceanLotus APT has executed a precision supply-chain operation that implanted its SPECTRALVIPER backdoor into FireAnt MetaKit, a popular Vietnamese market-data component. Telemetry collected from mid-2024 through early 2026 shows OceanLotus (aka APT32) conducting two distinct campaigns: a long-running espionage intrusion against a Vietnamese infrastructure and transport construction company, and a targeted supply-chain compromise of FireAnt…
-
OceanLotus Hits Vietnam Investors With SPECTRALVIPER in FireAnt Attack
The Vietnam-aligned threat actor known as OceanLotus has been attributed to two distinct campaigns that targeted domestic entities and stock investors with a backdoor known as SPECTRALVIPER. The campaigns involve a prolonged cyber espionage operation aimed at a Vietnamese infrastructure and transport construction corporation between mid-2024 and February 2026, as well as a supply chain attack…
-
Hackers Abuse VMware-Signed Binary to Deploy NIGHTFORGE Loader
Two closely related espionage campaigns targeting Cambodian government organizations have been observed abusing a legitimate VMware-signed binary to sideload a custom loader dubbed NIGHTFORGE, which in turn deploys a Havoc Demon implant in memory. TRU attributes both operations to a previously unreported cluster it calls Khmer Shadow, based on targeting, lure construction and shared infrastructure; the activity…
-
VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances
A China-nexus cyber espionage group has been observed deploying a BSD variant of a known backdoor called BRICKSTORM, as well as two other malware families codenamed PLENET (aka GRIMBOLT) and AGENTPSD to target Linux systems. The activity has been attributed by Volexity to a threat cluster it tracks as VerdantBamboo, which it said overlaps with hacking…
-
China-Linked OP-512 Targets IIS Servers With Unique Web Shell Framework
A suspected China-linked espionage cluster dubbed OP-512 was identified after rapidly correlating many low-fidelity events into a single high-priority incident that human analysts then validated. OP-512 compromised an Internet Information Services (IIS) server and deployed a custom web shell framework built to evade signature-based detection. Each web shell instance is cryptographically unique, restricts access with layered encryption,…
-
China-Linked Espionage Cluster Deploys Custom ASPX/ASHX Shells on IIS
A previously disclosed China-linked threat cluster, tracked as OP-512, has been observed deploying a purpose-built web shell framework to compromise Internet Information Services (IIS) servers. Identified by ReliaQuest, the espionage operation targeted a Windows Server 2016 environment running an end-of-life .NET Framework 4.0. Telemetry revealed the threat actors established access 75 days prior to the…
-
Chinese APT deploys new malware to keep access to hacked networks
A Chinese espionage group tracked as UNC5221 has been accessing Microsoft 365 environments using the Brickstorm backdoor and previously undocumented malware named Plenet and AgentPSD. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/chinese-apt-deploys-new-malware-to-keep-access-to-hacked-networks/
-
New Threat Cluster OP-512 Targets Microsoft IIS Servers with Custom Web Shell Framework
Cybersecurity researchers have discovered a previously unreported threat cluster dubbed OP-512 that has been observed targeting Microsoft Internet Information Services (IIS) servers to deploy a bespoke web shell framework. ReliaQuest has assessed with moderate to high confidence that the espionage-focused activity is linked to China. “OP-512 was highly likely conducting espionage through a… First seen on thehackernews.com…
-
The Cyber Express Weekly Roundup: Cloud Extortion, Long-Term Espionage, Android Zero-Days, and Public Sector Security Reviews
The cybersecurity landscape in this weekly roundup continues to show a clear shift toward identity-driven attacks, long-term persistence operations, and exploitation of trusted cloud environments. Threat actors are increasingly focusing on stealing credentials, abusing administrative access, and leveraging legitimate platforms to scale impact across organizations. First seen on thecyberexpress.com Jump to article: thecyberexpress.com/tce-weekly-roundup-extortion-android-cloud/