
All news with #apt tag

90 articles · page 2 of 5

China-linked clusters target Southeast Asian government

🔒 Palo Alto Networks' Unit 42 reports three China-aligned activity clusters targeted a Southeast Asian government organization in 2025, executing a sustained, well-resourced operation aimed at persistent access. The campaigns deployed multiple loaders and backdoors, notably HIUPAN (USBFect), PUBLOAD, EggStremeFuel/EggStremeLoader, MASOL RAT, TrackBak, and FluffyGh0st, alongside components such as Claimloader and Hypnosis Loader. Unit 42 notes significant TTP overlap with known groups including Mustang Panda and clusters linked to Earth Estries, Crimson Palace, and Unfading Sea Haze.

Chinese APT Targets Southeast Asian Militaries Since 2020

🛡️ Palo Alto Networks' Unit 42 attributes a China-linked espionage campaign, tracked as CL-STA-1087, to long-running intrusions against Southeast Asian military organizations dating to 2020. The operators used staged loaders, DLL hijacking and sleep-based sandbox evasion to deploy backdoors AppleChris and MemFun, plus a credential stealer named Getpass. Persistent, modular tooling and Pastebin-based dead drops enabled stealthy, long-term access focused on C4I and organizational intelligence.

Suspected China-Linked Espionage Against SE Asian Militaries

🔍 Palo Alto Networks Unit 42 details a persistent espionage campaign, CL-STA-1087, suspected to operate from China and targeting Southeast Asian military organizations. The actors used custom backdoors AppleChris and MemFun, plus a modified credential harvester Getpass, and relied on Pastebin/Dropbox dead-drop resolvers for stealthy C2 resolution. Unit 42 provides IoCs, SHA256 hashes and defensive guidance for Cortex XDR, Advanced WildFire and related protections.

AI vs. AI: The Gatling-Gun Moment in Cybersecurity Era

🛡️ The piece compares the Civil War’s Gatling gun to a September 2025 agentic AI-driven cyberespionage campaign that automated most tactical operations. According to the report, a Chinese state-linked group, GTG-1002, abused Anthropic’s Claude Code via prompt injection and role-playing to produce malicious code and execute ≈90% of the attack chain. The intrusion hit 30 U.S. companies and agencies and was disclosed after Anthropic’s threat team detected misuse of their platform.

Chinese-Nexus APT Activity Targeting Qatar Amid Tensions

🔎 Check Point Research observed increased activity by Chinese-nexus APT groups targeting Qatar following the recent Middle East escalation. Within a day of Operation Epic Fury's launch, the Camaro Dragon actor attempted to deploy a PlugX variant against Qatari targets. Attackers leveraged the conflict in their lures and demonstrated rapid adaptation to breaking events. The campaign highlights elevated regional cyber risk and the need for vigilant defenses.

Iran-linked MuddyWater Targets US Firms with New Backdoors

🚨 Researchers at Broadcom’s Symantec and Carbon Black have linked a recent campaign to Iran-affiliated MuddyWater that began in early February and continued after recent US–Israeli strikes on Iran. The operation deployed a previously undocumented Deno-based backdoor dubbed Dindoor and a Python backdoor called Fakeset. Attackers used reused code-signing certificates issued to Amy Cherne and Donald Gay, and attempted data exfiltration via Rclone to Wasabi cloud storage. The activity affected a US bank, a US airport, NGOs in North America and an Israeli division of a US defense supplier.

Transparent Tribe Mass-Produces AI-Assisted Malware

⚠️ Bitdefender reveals that the Pakistan-aligned actor Transparent Tribe (APT36) has adopted AI-assisted coding to mass-produce disposable malware implants using niche languages like Nim, Zig, Crystal and Rust. The campaign targets Indian government entities and embassies while abusing trusted platforms such as Slack, Discord, Supabase, Google Sheets and Firebase to hide C2. Phishing via ZIP/ISO attachments or PDF lures delivers LNK shortcuts that run PowerShell in memory and fetch backdoors, often followed by deployment of Cobalt Strike and Havoc for post-compromise activity.

CL-UNK-1068 Targets Critical Sectors Across Asia Region

🛡️ Unit 42 details CL-UNK-1068, a cluster observed since 2020 that targets aviation, energy, government, law enforcement, pharmaceutical, technology and telecommunications organizations across South, Southeast and East Asia. The actor deploys web shells (GodZilla, an AntSword variant), performs DLL side-loading with legitimate Python binaries, and uses custom scanners and tunneling tools such as FRP. Exfiltration focuses on web configuration files, databases and credentials; defenders should prioritize detections for behavioral anomalies over static IOCs.

Iran-linked MuddyWater intrusions hit U.S., Israeli targets

🔒 Broadcom's Symantec and Carbon Black Threat Hunter Team found an Iran-linked group, MuddyWater, embedded in networks of U.S. banks, airports, a Canadian non‑profit, and an Israeli software supplier. Researchers uncovered a novel Deno-based backdoor named Dindoor and a Python backdoor, Fakeset, whose signing certificate ties it to prior MuddyWater tools. An attempted Rclone exfiltration to a Wasabi bucket was observed. Vendors recommend bolstering monitoring, enforcing phishing-resistant MFA, segmenting networks, and reducing internet exposure of critical systems.

UAT-9244 Targets South American Telecommunication Providers

🚨 Cisco Talos discloses UAT-9244, a China‑nexus APT active since 2024 that has targeted South American telecommunications providers and deployed three implants: TernDoor, PeerTime, and BruteEntry. The actor compromises Windows and multi‑architecture Linux/embedded devices using DLL side‑loading, BitTorrent-based P2P C2, and large-scale brute‑forcing via converted edge devices. Talos provides IOCs, detection signatures, and mitigations to help defenders identify and disrupt this campaign.

Silver Dragon: China-Nexus Espionage Targeting Governments

🐉 Silver Dragon is a China-nexus cyber espionage group focusing on government ministries and public sector organizations across Southeast Asia, with additional victims identified in Europe. The group gains access through exploitation of public-facing servers and targeted phishing campaigns. It maintains long-term persistence by hijacking legitimate Windows services and deploying a custom backdoor, GearDoor, which uses Google Drive for covert C2, blending malicious activity with trusted services to evade detection.

Iran-linked Actor Targets Iraqi Government Officials

🔎 Zscaler ThreatLabz detected a January 2026 campaign by an Iran-nexus actor tracked as Dust Specter that impersonated Iraq’s Ministry of Foreign Affairs and used compromised government infrastructure to host and distribute payloads. The operation deployed previously undocumented tooling — SplitDrop, TwinTask, TwinTalk — and a consolidated .NET RAT called GhostForm. Researchers observed emoji and unicode artifacts in decompiled code that strongly suggest generative AI assisted in development.

SloppyLemming Hits Pakistan and Bangladesh With Dual Malware

🛡️ Arctic Wolf reports SloppyLemming operated from January 2025 to January 2026, targeting government and critical infrastructure organizations in Pakistan and Bangladesh. The actor used spear‑phishing PDFs and macro‑enabled Excel files to deliver two distinct toolchains: a DLL side‑loading path that deploys an in‑memory backdoor, and a Rust‑based keylogger. The side‑loading route leverages ClickOnce manifests to drop a legitimate .NET binary (NGenTask.exe) and a malicious loader (mscorsvc.dll) that decrypts and runs the implant BurrowShell. The keylogger includes port scanning and network enumeration capabilities, and the campaign abused Cloudflare Workers domains and Havoc/Cobalt Strike tradecraft.

Google Disrupts Prolific China-Linked UNC2814 Campaign

🔒 Google Threat Intelligence Group (GTIG) and partners disrupted UNC2814, a prolific cyber-espionage campaign with suspected links to China that operated since 2017 and targeted governments and telecommunications across multiple continents. Researchers identified a novel backdoor, GridTide, which abused Google Sheets as a covert command-and-control channel to execute shell commands and transfer files. Google terminated attacker-controlled Cloud Projects, disabled accounts, revoked Sheets API access used for C2, and has notified victims while offering remediation support.

Chinese APT Exploited Dell RecoverPoint Zero-Day Flaw

🔒 Researchers report a China-linked APT exploited a previously unknown vulnerability in Dell RecoverPoint for Virtual Machines (CVE-2026-22769) to achieve unauthenticated root command execution by leveraging hardcoded Apache Tomcat Manager credentials. Google’s Mandiant traced compromises to UNC6201, which deployed web shells and backdoors including BRICKSTORM and the newer GRIMBOLT. Dell released a patch (6.0.3.1 HF1) and a remediation script; customers are urged to upgrade and isolate appliances behind segmented networks.

GTIG AI Threat Tracker: Distillation and Integration

🔐 Google’s newest GTIG AI Threat Tracker outlines rising adversarial misuse of AI, documenting how threat actors are distilling models, experimenting with agentic capabilities, and integrating AI into malware and social engineering. The report highlights activity from groups including APT31, North Korean and Iranian actors, and malware families such as HONESTCUE. It underscores growing risks from model extraction, the emergence of illicit jailbreak services like Xanthorox, and recommends that AI providers monitor API access and adopt robust defenses.

Google Ties State-Linked Actors to Defense Sector Attacks

🔎 Google Threat Intelligence Group (GTIG) warns that state-sponsored actors from China, Iran, Russia, and North Korea are conducting sustained cyber operations against the defense industrial base (DIB). GTIG highlights four themes: targeting battlefield technologies like drones, exploiting hiring and personnel processes, leveraging edge devices for initial access, and capitalizing on manufacturing supply chain breaches. Observed tactics include bespoke malware families, abuse of secure messaging linking, careful endpoint-evasion techniques, and use of relay networks to complicate detection and attribution.

Nation-State Actors Leverage Gemini AI in Cyber Campaigns

🔍 Google’s Threat Intelligence Group and DeepMind found that government-backed APTs increasingly use Gemini and other generative AI for reconnaissance, target profiling and sophisticated social engineering. Observed actors include Iran’s APT42 and North Korea’s UNC2970 using models to harvest email addresses and synthesize OSINT, while TEMP.Hex and APT31 applied AI for vulnerability research and automated testing. The report also details a rise in model extraction attempts, an underground jailbreak ecosystem (notably the Xanthorox toolkit), abuse of public sharing to host malicious instructions, and cases such as Honestcue leveraging Gemini APIs to generate in-memory malicious code; Google has disabled associated assets and warns of intellectual-property theft risks.

North Korea-Linked UNC1069 Uses AI Lures on Crypto

🛡️ UNC1069, a North Korea-linked threat actor, has used AI-generated video lures and compromised Telegram accounts to target cryptocurrency firms and personnel. According to Google Mandiant, attackers staged fake Zoom meetings via Calendly invites and delivered a ClickFix-style troubleshooting vector that dropped multiple payloads on Windows and macOS. The intrusion employed at least seven malware families — including WAVESHAPER, HYPERCALL, HIDDENCALL, DEEPBREATH, CHROMEPUSH and SILENCELIFT — to harvest credentials, browser data and session tokens to facilitate financial theft.

North Korean Hackers Use macOS Malware to Target Crypto

🔒 North Korean-linked UNC1069 ran tailored campaigns using AI-generated deepfake video and a ClickFix-style pretext to deliver macOS and Windows malware against cryptocurrency targets. During a Mandiant response to a fintech compromise, attackers used a compromised Telegram account and a spoofed Calendly/Zoom meeting to coerce the victim into executing troubleshooting commands that launched AppleScript and malicious Mach-O binaries. Mandiant identified seven distinct macOS families—WAVESHAPER, HYPERCALL, HIDDENCALL, SILENCELIFT, DEEPBREATH, SUGARLOADER, and CHROMEPUSH—deployed to steal credentials, browser and Telegram data, and to enable future social-engineering operations.