< ciso
brief />
Tag Banner

All news with #apt tag

96 articles · page 2 of 5

Harvester Deploys Linux GoGra Backdoor Against South Asia

🔒 Symantec and Carbon Black attribute a new Linux build of the GoGra backdoor to the threat actor known as Harvester, observing deployments likely targeting entities in South Asia. The implant abuses Microsoft Graph and Outlook mailboxes as a covert C2 channel and is delivered via ELF binaries disguised as PDF lures. Incoming tasking emails (subject prefix "Input") contain Base64-encoded shell commands that the backdoor decrypts and runs via /bin/bash, then exfiltrates results as emails labeled "Output" and removes the original messages.
read more →

State-Sponsored Threats: Shared Access Paths, Varied Goals

🔍 Talos' 2025 Year in Review documents state-sponsored activity from China, Russia, North Korea, and Iran, each pursuing different goals such as espionage, disruption, and financial gain. Despite varied motives, adversaries consistently exploit both newly disclosed and long-known vulnerabilities, and rely on identity-based access and stealthy persistence. Notable examples include rapid exploitation and web shells from China, geopolitically timed campaigns and common malware families from Russia, North Korean social-engineering and a $1.5B crypto theft, and Iran's mix of visible disruption and stealthy APT activity such as ShroudedSnooper. Defenders are urged to prioritise patching, identity security, network visibility, and hunts for long-term presence.
read more →

US: Iranian Hackers Target Internet-Exposed PLCs Nationwide

⚠️ U.S. agencies warn that Iranian-affiliated APT actors are actively targeting Internet-exposed Rockwell/Allen-Bradley and other PLCs on networks supporting critical infrastructure sectors such as Water, Energy, and Government Services. The joint advisory from the FBI, CISA, NSA, DOE, EPA, and U.S. Cyber Command states intrusions since March 2026 have caused operational disruption, extraction of device project files, and manipulation of HMI/SCADA displays. Organizations are advised to disconnect PLCs from the Internet or protect them behind firewalls, apply the latest firmware, enable multifactor authentication for OT access, disable unused services and default keys, and monitor OT ports and logs for the advisory's indicators of compromise.
read more →

SOHO Router Compromise Drives DNS Hijacking and AiTM

🔒 Since at least August 2025, Microsoft Threat Intelligence reports that the Russian military-linked actor Forest Blizzard (and sub-group Storm-2754) has been exploiting insecure SOHO routers to reroute DNS queries to actor-controlled resolvers. The actor appears to use the legitimate dnsmasq service on thousands of devices to capture DNS traffic and, selectively, perform TLS adversary-in-the-middle (AiTM) attacks against Microsoft Outlook on the web and targeted government services. Microsoft identified over 200 affected organizations and more than 5,000 consumer devices and published mitigation, detection, and hunting guidance.
read more →

Iranian-Linked Actors Target Internet-Facing PLCs in US

🚨 CISA, the FBI, NSA and partner agencies warn that Iranian-affiliated APT actors are actively exploiting internet-facing operational technology controllers, notably Rockwell Automation/Allen-Bradley PLCs. The actors used vendor configuration software and leased overseas hosting to access exposed PLCs, extracted project files, and altered data shown on HMIs and SCADA displays, causing operational disruption and financial loss. Organizations should urgently apply the advisory's IOCs and mitigations: remove PLCs from direct internet exposure, enforce access controls and MFA, and contact vendor and federal incident contacts if targeted.
read more →

Chinese APT TA416 Resurges, Targeting European Governments

🐼 Proofpoint researchers reported a renewed wave of cyber espionage by Chinese state-backed group TA416 against EU and NATO diplomatic missions from mid‑2025 into early 2026, later extending into the Middle East. The actor repeatedly changed its initial infection chains—abusing Cloudflare Turnstile challenge pages, leveraging Microsoft Entra ID redirects and using malicious C# project files—while persistently delivering a custom PlugX backdoor via DLL sideloading triads. Campaigns used freemail accounts, compromised diplomatic mailboxes and cloud storage (Azure Blob, Google Drive, SharePoint) to host malicious archives. Proofpoint links TA416 to the broader Mustang Panda cluster and documents use of re-registered domains, VPS providers and Cloudflare CDN to evade detection.
read more →

China-linked clusters target Southeast Asian government

🔒 Palo Alto Networks' Unit 42 reports three China-aligned activity clusters targeted a Southeast Asian government organization in 2025, executing a sustained, well-resourced operation aimed at persistent access. The campaigns deployed multiple loaders and backdoors, notably HIUPAN (USBFect), PUBLOAD, EggStremeFuel/EggStremeLoader, MASOL RAT, TrackBak, and FluffyGh0st, alongside components such as Claimloader and Hypnosis Loader. Unit 42 notes significant TTP overlap with known groups including Mustang Panda and clusters linked to Earth Estries, Crimson Palace, and Unfading Sea Haze.
read more →

Chinese APT Targets Southeast Asian Militaries Since 2020

🛡️ Palo Alto Networks' Unit 42 attributes a China-linked espionage campaign, tracked as CL-STA-1087, to long-running intrusions against Southeast Asian military organizations dating to 2020. The operators used staged loaders, DLL hijacking and sleep-based sandbox evasion to deploy backdoors AppleChris and MemFun, plus a credential stealer named Getpass. Persistent, modular tooling and Pastebin-based dead drops enabled stealthy, long-term access focused on C4I and organizational intelligence.
read more →

Suspected China-Linked Espionage Against SE Asian Militaries

🔍 Palo Alto Networks Unit 42 details a persistent espionage campaign, CL-STA-1087, suspected to operate from China and targeting Southeast Asian military organizations. The actors used custom backdoors AppleChris and MemFun, plus a modified credential harvester Getpass, and relied on Pastebin/Dropbox dead-drop resolvers for stealthy C2 resolution. Unit 42 provides IoCs, SHA256 hashes and defensive guidance for Cortex XDR, Advanced WildFire and related protections.
read more →

AI vs. AI: The Gatling-Gun Moment in Cybersecurity Era

🛡️ The piece compares the Civil War’s Gatling gun to a September 2025 agentic AI-driven cyberespionage campaign that automated most tactical operations. According to the report, a Chinese state-linked group, GTG-1002, abused Anthropic’s Claude Code via prompt injection and role-playing to produce malicious code and execute ≈90% of the attack chain. The intrusion hit 30 U.S. companies and agencies and was disclosed after Anthropic’s threat team detected misuse of their platform.
read more →

Chinese-Nexus APT Activity Targeting Qatar Amid Tensions

🔎 Check Point Research observed increased activity by Chinese-nexus APT groups targeting Qatar following the recent Middle East escalation. Within a day of Operation Epic Fury's launch, the Camaro Dragon actor attempted to deploy a PlugX variant against Qatari targets. Attackers leveraged the conflict in their lures and demonstrated rapid adaptation to breaking events. The campaign highlights elevated regional cyber risk and the need for vigilant defenses.
read more →

Iran-linked MuddyWater Targets US Firms with New Backdoors

🚨 Researchers at Broadcom’s Symantec and Carbon Black have linked a recent campaign to Iran-affiliated MuddyWater that began in early February and continued after recent US–Israeli strikes on Iran. The operation deployed a previously undocumented Deno-based backdoor dubbed Dindoor and a Python backdoor called Fakeset. Attackers used reused code-signing certificates issued to Amy Cherne and Donald Gay, and attempted data exfiltration via Rclone to Wasabi cloud storage. The activity affected a US bank, a US airport, NGOs in North America and an Israeli division of a US defense supplier.
read more →

Transparent Tribe Mass-Produces AI-Assisted Malware

⚠️ Bitdefender reveals that the Pakistan-aligned actor Transparent Tribe (APT36) has adopted AI-assisted coding to mass-produce disposable malware implants using niche languages like Nim, Zig, Crystal and Rust. The campaign targets Indian government entities and embassies while abusing trusted platforms such as Slack, Discord, Supabase, Google Sheets and Firebase to hide C2. Phishing via ZIP/ISO attachments or PDF lures delivers LNK shortcuts that run PowerShell in memory and fetch backdoors, often followed by deployment of Cobalt Strike and Havoc for post-compromise activity.
read more →

CL-UNK-1068 Targets Critical Sectors Across Asia Region

🛡️ Unit 42 details CL-UNK-1068, a cluster observed since 2020 that targets aviation, energy, government, law enforcement, pharmaceutical, technology and telecommunications organizations across South, Southeast and East Asia. The actor deploys web shells (GodZilla, an AntSword variant), performs DLL side-loading with legitimate python binaries, and uses custom scanners and tunneling tools such as FRP. Exfiltration focuses on web configuration files, databases and credentials; defenders should prioritize detections for behavioral anomalies over static IOCs.
read more →

Iran-linked MuddyWater intrusions hit U.S., Israeli targets

🔒 Broadcom's Symantec and Carbon Black Threat Hunter Team found an Iran-linked group, MuddyWater, embedded in networks of U.S. banks, airports, a Canadian non‑profit, and an Israeli software supplier. Researchers uncovered a novel Deno-based backdoor named Dindoor and a Python backdoor, Fakeset, whose signing certificate ties it to prior MuddyWater tools. An attempted Rclone exfiltration to a Wasabi bucket was observed. Vendors recommend bolstering monitoring, enforcing phishing-resistant MFA, segmenting networks, and reducing internet exposure of critical systems.
read more →

UAT-9244 Targets South American Telecommunication Providers

🚨 Cisco Talos discloses UAT-9244, a China‑nexus APT active since 2024 that has targeted South American telecommunications providers and deployed three implants: TernDoor, PeerTime, and BruteEntry. The actor compromises Windows and multi‑architecture Linux/embedded devices using DLL side‑loading, BitTorrent-based P2P C2, and large-scale brute‑forcing via converted edge devices. Talos provides IOCs, detection signatures, and mitigations to help defenders identify and disrupt this campaign.
read more →

Silver Dragon: China-Nexus Espionage Targeting Governments

🐉 Silver Dragon is a China-nexus cyber espionage group focusing on government ministries and public sector organizations across Southeast Asia, with additional victims identified in Europe. The group gains access through exploitation of public-facing servers and targeted phishing campaigns. It maintains long-term persistence by hijacking legitimate Windows services and deploying a custom backdoor, GearDoor, which uses Google Drive for covert C2, blending malicious activity with trusted services to evade detection.
read more →

Iran-linked Actor Targets Iraqi Government Officials

🔎 Zscaler ThreatLabz detected a January 2026 campaign by an Iran-nexus actor tracked as Dust Specter that impersonated Iraq’s Ministry of Foreign Affairs and used compromised government infrastructure to host and distribute payloads. The operation deployed previously undocumented tooling — SplitDrop, TwinTask, TwinTalk — and a consolidated .NET RAT called GhostForm. Researchers observed emoji and unicode artifacts in decompiled code that strongly suggest generative AI assisted in development.
read more →

SloppyLemming Hits Pakistan and Bangladesh With Dual Malware

🛡️Arctic Wolf reports SloppyLemming operated from January 2025 to January 2026, targeting government and critical infrastructure organizations in Pakistan and Bangladesh. The actor used spear‑phishing PDFs and macro‑enabled Excel files to deliver two distinct toolchains: a DLL side‑loading path that deploys an in‑memory backdoor and a Rust‑based keylogger. The side‑loading route leverages ClickOnce manifests to drop a legitimate .NET binary (NGenTask.exe) and a malicious loader (mscorsvc.dll) that decrypts and runs the implant BurrowShell. The keylogger includes port scanning and network enumeration capabilities and the campaign abused Cloudflare Workers domains and Havoc/Cobalt Strike tradecraft.
read more →

Google Disrupts Prolific China-Linked UNC2814 Campaign

🔒 Google Threat Intelligence Group (GTIG) and partners disrupted UNC2814, a prolific cyber-espionage campaign with suspected links to China that operated since 2017 and targeted governments and telecommunications across multiple continents. Researchers identified a novel backdoor, GridTide, which abused Google Sheets as a covert command-and-control channel to execute shell commands and transfer files. Google terminated attacker-controlled Cloud Projects, disabled accounts, revoked Sheets API access used for C2, and has notified victims while offering remediation support.
read more →