
All news with #apt tag

90 articles · page 3 of 5

Singapore Disrupts Chinese APT Targeting Telco Networks

🔒 Singapore’s Cyber Security Agency disclosed that Operation Cyber Guardian disrupted attacks by Chinese-linked APT UNC3886 targeting the nation’s four major telcos between summer 2025 and early 2026. The response involved over 100 cyber defenders across six agencies and identified use of a zero-day and rootkits to maintain persistent access. CSA reported no evidence of service disruption or sensitive personal data exfiltration and implemented remediation and enhanced monitoring. Telcos have been urged to continue strengthening systems and vigilance against re-entry attempts.

State-Linked 'Shadow Campaigns' Target 155 Countries

🕵️‍♂️ Palo Alto Networks' Unit 42 reports a state-sponsored threat actor tracked as TGR-STA-1030/UNC6619 has run global-scale "Shadow Campaigns," compromising at least 70 government and critical infrastructure organizations across 37 countries and conducting reconnaissance tied to 155 countries. The actor has been active since at least January 2024 and is assessed to operate from Asia. Initial access combined tailored phishing lures hosted on Mega.nz with exploitation of known flaws in SAP Solution Manager, Microsoft Exchange, D-Link, and Windows to deploy loaders such as Diaoyu. Victim environments were instrumented with Cobalt Strike, webshells, tunneling tools, and a bespoke Linux eBPF rootkit named ShadowGuard to hide activity and evade detection.

Asian APT Compromises 70 Government and Infrastructure Organizations

🔎 Palo Alto Networks has identified a new Asia-based cyberespionage group, tracked as TGR-STA-1030 (UNC6619), that has compromised 70 government and critical-infrastructure organizations across 37 countries over the past year. The actor employs phishing, N-day exploits, and a multifaceted toolset including a custom loader named Diaoyu, Cobalt Strike implants, multiple web shells, and a bespoke eBPF-based Linux rootkit called ShadowGuard. Researchers report the group conducts extensive scanning and targeted reconnaissance tied to regional events, keeps working hours consistent with the GMT+8 time zone, and shows indicators consistent with nation-state activity.

Shadow Campaigns: Global State-Aligned Cyber Espionage

🔎 Unit 42 details a newly tracked, state-aligned cyberespionage group labeled TGR-STA-1030 that has targeted government and critical infrastructure across 37 countries. The report documents coordinated phishing using a Diaoyu loader, exploitation of known N-day vulnerabilities, and a transition from Cobalt Strike to Go-based C2 frameworks. It also describes a bespoke Linux eBPF rootkit, ShadowGuard, and provides actionable IoCs (IPs, domains, hashes) to support defenders.

Labyrinth Chollima Splits into Three North Korean Groups

🛡️ CrowdStrike reports that the long-running North Korean-linked operator Labyrinth Chollima has fragmented into three distinct teams: Labyrinth Chollima, Golden Chollima and Pressure Chollima. All three trace their roots to the legacy KorDLL framework but now employ separate evolved frameworks (Hoplight, Jeus, MataNet/TwoPence) and divergent toolsets. CrowdStrike assesses with high confidence that Labyrinth remains focused on espionage while Golden and Pressure have largely shifted to cryptocurrency-targeted activity, though shared code and infrastructure indicate ongoing centralized coordination.

Russian Cyber Threats to the 2026 Winter Olympics Overview

🔐 This Unit 42 analysis outlines the evolving Russian cyber threat to the Milano Cortina 2026 Winter Olympics, framing Russia’s IOC exclusion as a geopolitical grievance that raises the risk of disruptive operations. It reviews historical GRU-linked campaigns against prior Games and projects plausible scenarios ranging from destructive OT malware to AI-driven deepfakes and V2X manipulation. The report recommends zero‑trust visibility, IoT anomaly detection, telemetry verification, and micro‑segmentation to reduce operational impact.

Labyrinth Chollima Splits into Three Specialized Adversaries

🔍 CrowdStrike details that LABYRINTH CHOLLIMA has diverged into three distinct DPRK-linked adversaries — GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and a narrowed espionage-focused LABYRINTH CHOLLIMA. Each subgroup maintains dedicated malware families and targeting priorities: GOLDEN and PRESSURE focus on cryptocurrency and fintech thefts while core LABYRINTH targets industrial, defense, and logistics sectors. Despite operational separation, shared tools and infrastructure point to centralized coordination within the DPRK cyber ecosystem.

Coordinated Cyberattack on Polish Energy Grid Hits 30 Sites

⚠️ A coordinated late-December cyberattack targeted distributed energy resource (DER) sites across Poland, impacting roughly 30 facilities including combined heat and power (CHP) plants and wind and solar dispatch systems. Researchers at Dragos say attackers damaged OT equipment beyond repair and wiped Windows hosts while disabling remote monitoring, though generation continued and no outages occurred. Dragos links the operation with moderate confidence to the cluster it calls Electrum, noting overlaps with Sandworm/APT44 and ties to destructive wipers used in Ukraine.

Mustang Panda Deploys Updated COOLCLIENT for Data Theft

🚨 Kaspersky reports that China-linked Mustang Panda used an updated COOLCLIENT backdoor in 2025 to exfiltrate data from government targets across Myanmar, Mongolia, Malaysia, and Russia. The implant was deployed as a secondary backdoor alongside PlugX and LuminousMoth, delivered via encrypted loaders and abusing DLL side-loading of legitimately signed binaries. COOLCLIENT harvests keystrokes, clipboard data, files, and HTTP proxy credentials, can establish reverse tunnels, and loads in-memory plugins; recent waves also incorporated browser credential stealers and a previously unseen rootkit.

PeckBirdy JScript C2 Framework Linked to China APTs

🔍 PeckBirdy is a previously undocumented, JScript-based command-and-control framework active since 2023 that researchers have linked to China-aligned APT activity across Asia. Trend Micro observed the framework used in multiple roles — watering-hole controller, reverse shell and C2 server — deployed via living-off-the-land binaries and browser-based social engineering. Modular implants such as HOLODONUT and MKDOOR extend capabilities with in-memory execution and attempts to evade Microsoft Defender, complicating detection and response.

KONNI's AI-Enhanced Malware Targets Software Developers

🐞 Check Point Research is tracking an active phishing campaign by KONNI, a North Korea–linked actor that has shifted from geopolitical targets to software developers and engineering teams. The campaign specifically targets blockchain and cryptocurrency projects and uses lures crafted to resemble legitimate project documentation. Attackers deliver malicious attachments and payloads intended to compromise developer credentials and infrastructure, and the activity displays expanded geographic reach and sophisticated social-engineering techniques.

China-Linked APT Exploits Sitecore Zero-Day in US

⚠️ Cisco Talos says a China-aligned advanced persistent threat tracked as UAT-8837 has been leveraging a critical Sitecore zero-day (CVE-2025-53690, CVSS 9.0) to gain initial access to North American critical infrastructure. The actor uses both exploit-based access and compromised credentials, then deploys open-source tools for credential harvesting, Active Directory reconnaissance, and persistent remote access. Observed artifacts include GoTokenTheft, EarthWorm, DWAgent, SharpHound, Impacket, Rubeus, and Certipy, raising supply chain and OT exposure concerns.

UAT-8837 APT Targets North American Critical Systems

🔍 Cisco Talos is tracking UAT-8837, an assessed China-nexus APT that since 2025 has focused on obtaining initial access to high-value and critical infrastructure organizations in North America. The actor uses both n-day and zero-day exploits (including CVE-2025-53690 in Sitecore) and often deploys open-source tooling (EarthWorm, SharpHound, DWAgent, Certipy, and GoTokenTheft) to harvest credentials, enumerate Active Directory, and create remote tunnels. Operators perform hands-on-keyboard reconnaissance, create backdoored accounts and remote admin access, and cycle tools when endpoint protections block their payloads. Talos provides IOCs, Snort rules, and ClamAV signatures to detect and mitigate this activity.

UAT-7290: China-Nexus APT Targeting Telecom Edge Devices

🔍 Cisco Talos discloses UAT-7290, a China‑nexus APT active since at least 2022 that targets telecommunications infrastructure in South Asia and has recently expanded into Southeastern Europe. The actor conducts extensive reconnaissance, uses one‑day exploits and target-specific SSH brute force, and primarily deploys a Linux-centric toolset including RushDrop, DriveSwitch, SilentRaid, and Bulbature. Talos notes UAT-7290 also provisions Operational Relay Box (ORB) nodes that may support other China-nexus operators and provides ClamAV and Snort signatures for detection.

Taiwan Faces Surge in Chinese Cyber Intrusion Attempts

🔎 Taiwan’s National Security Bureau (NSB) reports a dramatic rise in Chinese-sourced cyber intrusion attempts against the island’s critical infrastructure in 2025, totaling 960,620,609 recorded attempts. The NSB highlights a tenfold surge against the energy sector and a 54% rise targeting emergency rescue and hospitals, while water resources and finance saw notable declines. Top groups named include BlackTech, Mustang Panda and APT41, which used vulnerability exploitation, DDoS, social engineering and supply-chain methods, often timed to coincide with military or political events.

China-linked Evasive Panda Used DNS Poisoning for Espionage

🐼 Kaspersky attributes a targeted espionage campaign to the China-linked APT cluster tracked as Evasive Panda, which used DNS cache and response poisoning between November 2022 and November 2024 to deliver the MgBot backdoor to victims in Türkiye, China, and India. The intrusions relied on multi-stage AitM techniques, trojanized updates, and per-victim encrypted payloads fetched via legitimate domains to maintain stealth. Kaspersky highlights the actor's long-term refinement of these methods to evade detection.

Infy APT Resurfaces with Updated Foudre and Tonnerre

🔍 SafeBreach has linked renewed operations to the Iranian APT known as Infy (Prince of Persia), revealing updated Foudre downloader and Tonnerre implants active across Iran, Iraq, Turkey, India, Canada and parts of Europe. The campaign, tracked through September 2025 samples, shifts from macro-laced Excel to embedded executables and employs a DGA plus RSA-signed C2 validation. SafeBreach identified C2 folders including a 'key' directory and a Telegram integration used selectively via a tga.adr file. Analysts warn Infy remains active and dangerous to high-value targets.

Prince of Persia APT Returns with New Malware, C2 Ops

🛡️ Researchers have observed renewed activity from the Prince of Persia threat actor, long linked to Iran, after an apparent 2022 hiatus. SafeBreach found updated Foudre and Tonnerre variants, a new domain generation algorithm and altered delivery using Excel files with embedded SFX payloads alongside legacy malicious macros. Select victims can now be controlled via the Telegram API, and identified targets are predominantly in Iran with some victims across Europe, Iraq, Turkey, India and Canada.
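The two Infy / Prince of Persia items above both mention a domain generation algorithm combined with RSA-signed C2 validation. The added example below is a constructed illustration of that general pattern, not Infy's actual algorithm, key sizes or protocol (SafeBreach's report is the source for those): the implant derives the day's candidate domains from a seed and the date, queries each, and only accepts a server whose beacon carries a signature that verifies under the public key baked into the implant. The practitioner point it shows is why registering or sinkholing a predicted DGA domain does not let a defender take control of the implant: without the private key the sinkhole's reply is rejected, and a signature captured from one domain cannot be replayed on another because the domain is bound into the signed digest. The seed string, the TLD list and the small Mersenne-prime RSA key are all assumptions chosen so the code runs offline.

```python
"""Constructed example of a DGA plus signed-C2 check (generic pattern; not Infy's code)."""
import hashlib
from datetime import date
from typing import Dict, List, Optional, Tuple

# Toy RSA key so the example runs offline. The Mersenne primes 2^31-1 and 2^61-1
# are for demonstration only; a real implant embeds a proper-size public key and
# uses a standard signature padding scheme. (Assumed values, not from the report.)
_P, _Q = (1 << 31) - 1, (1 << 61) - 1
N = _P * _Q
E = 65537
_D = pow(E, -1, (_P - 1) * (_Q - 1))   # private exponent: attacker side only
PUBLIC_KEY = (N, E)                     # what the implant ships with

TLDS = ["com", "net", "org"]           # hypothetical TLD rotation


def dga(seed: str, day: date, count: int = 5) -> List[str]:
    """Derive the day's candidate C2 domains from a static seed and the date.
    Defenders who know the seed can predict these, which is exactly why the
    signature check below exists."""
    domains = []
    for i in range(count):
        h = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).hexdigest()
        domains.append(f"{h[:12]}.{TLDS[i % len(TLDS)]}")
    return domains


def _digest_int(domain: str, payload: bytes) -> int:
    """Hash (domain || payload) and keep 80 bits so the integer is below the toy N.
    Binding the domain into the digest stops signature replay across domains."""
    d = hashlib.sha256(domain.encode() + b"\x00" + payload).digest()
    return int.from_bytes(d[:10], "big")


def sign_beacon(domain: str, payload: bytes) -> int:
    """Attacker side: sign the beacon served from a given DGA domain."""
    return pow(_digest_int(domain, payload), _D, N)


def verify_beacon(domain: str, payload: bytes, signature: int,
                  pubkey: Tuple[int, int] = PUBLIC_KEY) -> bool:
    """Implant side: textbook RSA verification of the beacon against the embedded key."""
    n, e = pubkey
    return pow(signature, e, n) == _digest_int(domain, payload)


def select_c2(day: date, responses: Dict[str, Tuple[bytes, int]],
              seed: str = "demo-seed") -> Optional[str]:
    """Walk the day's DGA list in order and accept the first domain whose beacon
    verifies. Unsigned or forged beacons (for example a sinkhole) are skipped."""
    for domain in dga(seed, day):
        if domain in responses:
            payload, signature = responses[domain]
            if verify_beacon(domain, payload, signature):
                return domain
    return None


def demo(day: date = date(2025, 9, 1)) -> dict:
    """Constructed scenario: a defender registered the first predicted domain but
    cannot sign; the actor serves a signed beacon from the third domain."""
    domains = dga("demo-seed", day)
    real_payload = b"C2=203.0.113.10"        # documentation-range address, constructed
    responses = {
        domains[0]: (b"sinkhole", 0),        # sinkhole reply, no valid signature
        domains[2]: (real_payload, sign_beacon(domains[2], real_payload)),
    }
    chosen = select_c2(day, responses)
    # Replaying the genuine signature on the sinkholed domain must also fail.
    replay_accepted = verify_beacon(domains[0], real_payload, responses[domains[2]][1])
    return {"domains": domains, "chosen": chosen, "replay_accepted": replay_accepted}


if __name__ == "__main__":
    print(demo())
```

Running the block picks the third domain and rejects both the sinkhole reply and the replayed signature; the same structure explains why takedown of such a family needs the signing key, or a break in the delivery chain, rather than domain registration alone.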

LongNosedGoblin APT Targets SE Asia and Japan Officials

🕵️ ESET researchers discovered a previously undocumented China-aligned APT, named LongNosedGoblin, after investigation of compromises at a Southeast Asian governmental network with additional targeting of Japan. The group abuses Active Directory Group Policy for deployment and lateral movement and relies on cloud services (OneDrive, Google Drive, Google Docs) for C2 and exfiltration. Notable custom tools include NosyDoor, NosyHistorian, NosyStealer and NosyLogger, which use multi-stage loaders, AMSI bypasses and scheduled-task persistence. ESET published IoCs and recommends hardening Group Policy, auditing scheduled tasks and monitoring cloud storage for suspicious files.

Ashen Lepus Deploys AshTag Malware Against Diplomats

🔐 Unit 42 details activity by Hamas-affiliated Ashen Lepus using a new modular .NET suite named AshTag, alongside custom loaders and revised C2 techniques to evade detection. The actors targeted Arabic-speaking government and diplomatic entities across the Middle East, delivering malware via RAR archives, DLL sideloading, and payloads hidden in benign HTML. Operators improved encryption and domain masquerading and performed hands-on exfiltration using Rclone. Organizations should monitor the provided IOCs and strengthen EDR and egress controls.