< ciso
brief />
Tag Banner

All news with #apt tag

96 articles · page 4 of 5

Taiwan Faces Surge in Chinese Cyber Intrusion Attempts

🔎 Taiwan’s National Security Bureau (NSB) reports a dramatic rise in Chinese-sourced cyber intrusion attempts against the island’s critical infrastructure in 2025, totaling 960,620,609 recorded attempts. The NSB highlights a tenfold surge against the energy sector and a 54% rise targeting emergency rescue and hospitals, while water resources and finance saw notable declines. Top groups named include BlackTech, Mustang Panda and APT41, which used vulnerability exploitation, DDoS, social engineering and supply-chain methods, often timed to coincide with military or political events.
read more →

China-linked Evasive Panda Used DNS Poisoning for Espionage

🐼 Kaspersky attributes a targeted espionage campaign to the China-linked APT cluster tracked as Evasive Panda, which used DNS cache and response poisoning between November 2022 and November 2024 to deliver the MgBot backdoor to victims in Türkiye, China, and India. The intrusions relied on multi-stage AitM techniques, trojanized updates, and per-victim encrypted payloads fetched via legitimate domains to maintain stealth. Kaspersky highlights the actor's long-term refinement of these methods to evade detection.
read more →

Infy APT Resurfaces with Updated Foudre and Tonnerre

🔍 SafeBreach has linked renewed operations to the Iranian APT known as Infy (Prince of Persia), revealing updated Foudre downloader and Tonnerre implants active across Iran, Iraq, Turkey, India, Canada and parts of Europe. The campaign, tracked through September 2025 samples, shifts from macro-laced Excel to embedded executables and employs a DGA plus RSA-signed C2 validation. SafeBreach identified C2 folders including a 'key' directory and a Telegram integration used selectively via a tga.adr file. Analysts warn Infy remains active and dangerous to high-value targets.
read more →

Prince of Persia APT Returns with New Malware, C2 Ops

🛡️ Researchers have observed renewed activity from the Prince of Persia threat actor, long linked to Iran, after an apparent 2022 hiatus. SafeBreach found updated Foudre and Tonnerre variants, a new domain generation algorithm and altered delivery using Excel files with embedded SFX payloads alongside legacy malicious macros. Select victims can now be controlled via the Telegram API, and identified targets are predominantly in Iran with some victims across Europe, Iraq, Turkey, India and Canada.
read more →

LongNosedGoblin APT Targets SE Asia and Japan Officials

🕵️ ESET researchers discovered a previously undocumented China-aligned APT, named LongNosedGoblin, after investigation of compromises at a Southeast Asian governmental network with additional targeting of Japan. The group abuses Active Directory Group Policy for deployment and lateral movement and relies on cloud services (OneDrive, Google Drive, Google Docs) for C2 and exfiltration. Notable custom tools include NosyDoor, NosyHistorian, NosyStealer and NosyLogger, which use multi-stage loaders, AMSI bypasses and scheduled-task persistence. ESET published IoCs and recommends hardening Group Policy, auditing scheduled tasks and monitoring cloud storage for suspicious files.
read more →

Ashen Lepus Deploys AshTag Malware Against Diplomats

🔐 Unit 42 details activity by Hamas-affiliated Ashen Lepus using a new modular .NET suite named AshTag, alongside custom loaders and revised C2 techniques to evade detection. The actors targeted Arabic-speaking government and diplomatic entities across the Middle East, delivering malware via RAR archives, DLL sideloading, and payloads hidden in benign HTML. Operators improved encryption and domain masquerading and performed hands-on exfiltration using Rclone. Organizations should monitor the provided IOCs and strengthen EDR and egress controls.
read more →

Tomiris Shifts to Public Services for C2 Evasion Tactics

🛡️ Kaspersky researchers report that the Tomiris threat actor has increasingly used legitimate public services such as Telegram and Discord as command-and-control channels to blend malicious traffic with benign activity. The campaign relies on tailored spear-phishing with password-protected RAR attachments, multi-language implants, and open-source C2 frameworks like Havoc and AdaptixC2. Targeting focuses on Russian-speaking governmental and diplomatic entities across Central Asia and Russia, enabling long-term persistence and covert intelligence collection.
read more →

Bloody Wolf Expands Java-Based NetSupport Campaign Regionally

🐺 Group-IB and Ukuk report that the actor known as Bloody Wolf has conducted spear-phishing campaigns since June 2025 targeting Kyrgyzstan and, by October 2025, expanded into Uzbekistan to deliver NetSupport RAT. Attackers impersonate government ministries using malicious PDFs that host Java Archive (JAR) loaders built for Java 8, instructing victims to install Java so the loader can execute. The loader fetches the NetSupport payload and establishes persistence via scheduled tasks, registry entries, and a startup batch script in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.
read more →

Bloody Wolf APT Expands NetSupport Campaign in Central Asia

🔎 Researchers at Group-IB and UKUK have identified a widening campaign by the Bloody Wolf APT that uses streamlined Java-based loaders to deliver NetSupport remote administration software to government targets. The operation, active since late 2023 and observed in Kyrgyzstan from at least June 2025 before spreading to Uzbekistan in early October, relies on convincing PDF lures, spoofed domains and geofenced infrastructure. Simple Java 8 loaders fetch NetSupport over HTTP, add persistence via autorun entries and scheduled tasks, display fake error messages, and include a launch-limit counter to limit execution and avoid detection. The group has shifted from using STRRAT to deploying an older 2013 build of NetSupport Manager and uses a custom JAR generator to mass-produce variants.
read more →

ToddyCat APT Targets Outlook Archives and M365 Tokens

🔒 Kaspersky Labs reports that the ToddyCat APT refined its toolkit in late 2024 and early 2025 to harvest Outlook offline archives and Microsoft 365 OAuth tokens in addition to browser credentials. New PowerShell and C++ components — notably TomBerBill and TCSectorCopy — copy browser artifacts and sector‑level OST files while attackers also attempt in‑memory token grabs from Outlook processes to maintain persistent access.
read more →

RomCom via SocGholish Fake Update Targets US Civil Firm

🔒 Arctic Wolf Labs reports that a RomCom payload was delivered via a JavaScript loader known as SocGholish to a U.S.-based civil engineering company, marking the first observed use of this distribution method. The chain relied on fake browser update prompts to run a loader that established a reverse shell, dropped a custom Python backdoor called VIPERTUNNEL, and installed a RomCom DLL loader that launched the Mythic Agent. Attribution to GRU Unit 29155 is assessed at medium-to-high confidence, and the intrusion was blocked before it could progress further.
read more →

ToddyCat Tools Target Outlook, Steal M365 Tokens Now

🛡️ Kaspersky researchers report that the ToddyCat APT has evolved tactics to harvest corporate email and Microsoft 365 access tokens. Operators deployed a C++ utility, TCSectorCopy, to copy Outlook OST files sector-by-sector and then extract messages with XstReader. They also used SharpTokenFinder to enumerate and steal JWTs and, when blocked, relied on ProcDump to obtain Outlook memory dumps. PowerShell variants of TomBerBil were observed stealing browser cookies, credentials and DPAPI keys across network shares.
read more →

APT24 Deploys BADAUDIO in Multi-Year Espionage Campaign

🛡️ APT24 has deployed a previously undocumented downloader called BADAUDIO to maintain persistent remote access in a nearly three-year campaign beginning November 2022. The highly obfuscated C++ downloader uses control-flow flattening and DLL search-order hijacking to fetch AES-encrypted payloads from hard-coded C2s; analysts observed Cobalt Strike delivered in at least one case. Operators distributed BADAUDIO via watering holes, supply-chain compromises, typosquatted CDNs and targeted phishing, employing FingerprintJS and encrypted cloud-hosted archives to selectively target victims and evade detection.
read more →

Iranian-backed UNC1549 Deploys TWOSTROKE and DEEPROOT

🛡️ Mandiant has linked suspected Iranian espionage actors to a sustained campaign by UNC1549 that deployed backdoors such as TWOSTROKE and DEEPROOT against aerospace, aviation, and defense organizations in the Middle East. Operating from late 2023 through 2025, the group abused trusted third parties and VDI sessions to pivot into customer environments and leveraged highly targeted, role‑relevant phishing. Observed operations combined credential theft, lateral movement, custom tunnellers and credential‑stealing utilities to execute long‑term reconnaissance and data exfiltration.
read more →

Analysis of UNC1549 TTPs Targeting Aerospace & Defense

🔍 This joint analysis from Google Threat Intelligence and Mandiant describes UNC1549 activity observed from late 2023 through 2025 against aerospace, aviation, and defense organizations. The group commonly exploited trusted third‑party relationships, VDI breakouts, and highly targeted spear phishing to gain access, then deployed custom backdoors and tunneling tools to maintain stealth. The report provides IOCs, YARA rules, and detection guidance for Azure and enterprise environments.
read more →

Five Plead Guilty to Enabling DPRK Remote IT and Hacks

🔒 Five individuals have pleaded guilty to serving as facilitators for North Korean cyber operations, the US Department of Justice said. They used false or stolen identities and hosted employer laptops in US residences to create the appearance of domestic remote IT workers, aiding APT38-linked efforts. The DoJ said the activity impacted more than 136 US organizations, generated over $2.2m for Pyongyang and compromised the identities of 18 US residents, and authorities seized $15m in Tether tied to related heists.
read more →

Zero-day Campaign Targets Cisco ISE and Citrix Systems

🔒 Amazon Threat Intelligence disclosed an advanced APT campaign that weaponized zero-day vulnerabilities in Citrix NetScaler (Citrix Bleed 2, CVE-2025-5777) and Cisco Identity Services Engine (CVE-2025-20337). Attackers achieved pre-auth remote code execution via input-validation and deserialization flaws and deployed an in-memory web shell masquerading as the ISE IdentityAuditAction component. The implant registered as a Tomcat HTTP listener, used DES with nonstandard Base-64 encoding, required specific HTTP headers, and relied on Java reflection and bespoke decoding routines to evade detection.
read more →

Amazon: APT Exploits Cisco ISE and Citrix Zero‑Days

🔒 Amazon Threat Intelligence identified an advanced threat actor exploiting undisclosed zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix products. The actor achieved pre-authentication remote code execution via a newly tracked Cisco deserialization flaw (CVE-2025-20337) and earlier Citrix Bleed Two activity (CVE-2025-5777). Following exploitation, a custom in-memory web shell disguised as IdentityAuditAction was deployed, demonstrating sophisticated evasion using Java reflection, Tomcat request listeners, and DES with nonstandard Base64. Amazon recommends limiting external access to management endpoints and implementing layered defenses and detection coverage.
read more →

Who, Where and How: APT Attacks Q2–Q3 2025 Report Overview

🔍 The ESET research team released its APT Activity Report covering April–September 2025, summarizing operations by state-aligned hacking groups. The report details espionage, disruptive attacks and monetized campaigns targeting government and corporate networks across multiple regions. Notably, the Russia-aligned group Sandworm deployed several data wipers against Ukraine's grain sector, an apparent attempt to harm economic resilience. ESET Chief Security Evangelist Tony Anscombe outlines key findings in an accompanying video and encourages readers to consult the full report for technical specifics.
read more →

ESET APT Activity Report Q2–Q3 2025: Key Findings Overview

🔍 ESET Research summarizes notable APT operations observed from April through September 2025, highlighting activity by China-, Iran-, North Korea-, and Russia-aligned groups. The report documents increased use of adversary-in-the-middle techniques, targeted spearphishing (including emails sent from compromised internal inboxes), and expanded campaigns against government, energy, healthcare, and maritime sectors. Notable tools and threats include BLOODALCHEMY, SoftEther VPN infrastructure, a WinRAR zero-day exploit, and a newly identified Android spyware family named Wibag. Findings are based on ESET telemetry and verified analysis.
read more →