Tag: cyberespionage

28 Attack Reports | 0 Vulnerabilities

Attack reports

MuddyWater: Snakes by the riverbank

MuddyWater, an Iran-aligned cyberespionage group, has been targeting critical infrastructure in Israel and Egypt with custom malware and improved tactics. The campaign uses previously undocumented tools like the Fooder loader and MuddyViper backdoor to enhance defense evasion and persistence. Foode…
iran
credential theft
cyberespionage
defense evasion
critical infrastructure
blub
lp-notes
go-socks5
muddyviper
ce-notes
fooder
reverse tunneling
2026-01-03
fooder loader
muddyviper backdoor
Published: January 3, 2026
Downloadable IOCs: 9

LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan

ESET researchers have uncovered a new China-aligned APT group named LongNosedGoblin targeting governmental entities in Southeast Asia and Japan for cyberespionage. The group employs a varied custom toolset of C#/.NET applications and abuses Group Policy for lateral movement. Key tools include NosyH…
backdoor
apt
china
cyberespionage
cloud services
japan
southeast asia
browser data
group policy
nosydoor
nosydownloader
nosyhistorian
nosylogger
nosystealer
2026-01-03
reversesocks5
Published: January 3, 2026
Downloadable IOCs: 10

Attempts to sniff out governmental affairs in Southeast Asia and Japan

A newly discovered China-aligned APT group named LongNosedGoblin has been targeting governmental entities in Southeast Asia and Japan for cyberespionage purposes. The group employs a varied custom toolset consisting mainly of C#/.NET applications and notably uses Group Policy to deploy malware and …
apt
cyberespionage
custom malware
cloud services
japan
southeast asia
china-aligned
2025-12-19
group policy
nosydoor
nosydownloader
nosyhistorian
nosylogger
nosystealer
Published: December 19, 2025
Downloadable IOCs: 6

Sharpening the knife: strategic evolution of GOLD BLADE

GOLD BLADE, a threat group previously focused on cyberespionage, has evolved into a hybrid operation combining data theft with selective ransomware deployment. The group has refined its intrusion methods, shifting from traditional phishing to abusing recruitment platforms for delivering weaponized …
ransomware
cyberespionage
byovd
redloader
canada
2025-12-06
qwcrypt
recruitment platforms
terminator
zemana driver
Published: December 6, 2025
Downloadable IOCs: 28

Snakes by the riverbank

ESET researchers have identified new MuddyWater activity targeting organizations in Israel and Egypt. The Iran-aligned cyberespionage group deployed custom tools to improve defense evasion and persistence, including a Fooder loader to execute the MuddyViper backdoor. The campaign demonstrates a mor…
backdoor
spearphishing
iran
cyberespionage
custom malware
defense evasion
critical infrastructure
israel
2025-12-02
blub
lp-notes
go-socks5
muddyviper
ce-notes
fooder
egypt
Published: December 2, 2025
Downloadable IOCs: 9

APT35 Internal Leak of Hacking Campaigns Against Lebanon, Kuwait, Turkey, Saudi Arabia, Korea, and Domestic Iranian Targets

An internal leak from APT35 (Charming Kitten) reveals a sophisticated, state-directed cyber-intelligence operation targeting diplomatic, government, and corporate networks in the Middle East and Asia. The documents expose a bureaucratic structure with defined workflows, performance metrics, and spe…
phishing
iran
cyberespionage
proxyshell
middle east
intelligence collection
exchange
2025-11-22
irgc
herv phishing kit
powershort
rat-2ac2
Published: November 22, 2025
Downloadable IOCs: 1

Gotta fly: Targeting the UAV sector

ESET researchers have uncovered a new instance of Operation DreamJob, a cyberespionage campaign attributed to the North Korea-aligned Lazarus group. The attackers targeted European companies in the defense industry, particularly those involved in unmanned aerial vehicle (UAV) technology. The campai…
social engineering
north korea
cyberespionage
defense industry
trojanized software
scoringmathtea
quanpinloader
operation dreamjob
2025-11-09
uav
binmergeloader
Published: November 9, 2025
Downloadable IOCs: 0

Gamaredon X Turla collaboration

ESET Research has uncovered collaboration between notorious APT groups Gamaredon and Turla, both associated with Russia's FSB, targeting high-profile victims in Ukraine. The research reveals Gamaredon tools being used to restart and deploy Turla's Kazuar backdoor on compromised machines. This marks…
backdoor
apt
russia
ukraine
cyberespionage
fsb
2025-09-19
kazuar
pterographin
pterolnk
pteroeffigy
collaboration
pteroodd
pteropaste
pterostew
2025-09-27
Published: September 27, 2025
Downloadable IOCs: 0

Significant Risk and Proactive Defense

A comprehensive analysis reveals a substantial threat posed by domains linked to Salt Typhoon and UNC4841, likely China-associated cyberespionage actors. The investigation uncovered a larger network of domain names beyond those publicly known, indicating a pattern of long-term access and sophistica…
cyberespionage
telecommunications
persistent threat
domain infrastructure
2025-09-08
long-term access
Published: September 8, 2025
Downloadable IOCs: 47

Analysis of APT-C-53 (Gamaredon) Attack on Ukrainian Government Agencies

APT-C-53, also known as Gamaredon, is a Russian state-sponsored threat group active since 2013, targeting Ukrainian government and military entities. The group has upgraded its attack techniques, focusing on dynamic cloud-based C2 infrastructure and targeted delivery of cloud storage tools. In 2025…
apt
dropbox
powershell
russia
ukraine
cyberespionage
vbscript
2025-09-01
cloudflareworkers
devtunnels
Published: September 1, 2025
Downloadable IOCs: 11

Frozen in transit: Secret Blizzard's AiTM campaign against diplomats

Secret Blizzard, a Russian state actor, has been conducting a cyberespionage campaign targeting embassies in Moscow using an adversary-in-the-middle (AiTM) position to deploy ApolloShadow malware. This campaign, ongoing since 2024, poses a high risk to diplomatic entities relying on local internet …
aitm
russia
cyberespionage
embassies
diplomats
2025-08-01
root certificates
apolloshadow
2025-08-08
isp
Published: August 8, 2025
Downloadable IOCs: 2

Stealth Falcon and Horus: A Saga of Middle Eastern Cyber Espionage

Check Point Research (CPR) uncovered an active-weaponized Microsoft WebDAV zero‑day (CVE‑2025‑33053) exploited by the Stealth Falcon APT in a targeted campaign against defense and government organizations across the Middle East and Africa. The attack began with a spear-phishing-disguised .url file …
apt
cyberespionage
webdav
keylogger
mythic
CVE-2025-33053
2025-06-11
zeroday
Published: June 11, 2025
Downloadable IOCs: 40

Whispering in the dark

ESET researchers uncovered a cyberespionage campaign by BladedFeline, an Iran-aligned APT group likely tied to OilRig. The group has targeted Kurdish and Iraqi government officials since at least 2017, using various malicious tools including the Whisper backdoor, PrimeCache IIS module, and reverse …
backdoor
apt
iran
cyberespionage
iis module
iraq
kurdistan
whisper
shahmaran
slippery snakelet
2025-06-10
reverse tunnel
rdat
primecache
laret
pinar
flog
Published: June 10, 2025
Downloadable IOCs: 12

APT 41: Threat Intelligence Report and Malware Analysis

APT41, a sophisticated Chinese state-sponsored threat actor, blends cyber espionage with cybercrime tactics. They target various sectors globally, including healthcare, telecom, and government entities. Recently, APT41 was observed using Google Calendar for malware command-and-control on a Taiwanes…
state-sponsored
china
cyberespionage
spear-phishing
google calendar
plusdrop
2025-06-10
plusinject
Published: June 10, 2025
Downloadable IOCs: 10

Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets

The research outlines China-nexus threat actors targeting SentinelOne and other organizations between 2024 and 2025. It details intrusions into an IT services company managing SentinelOne's hardware logistics and reconnaissance of SentinelOne's servers. The attacks involved ShadowPad malware and a …
obfuscation
CVE-2024-1709
cyberespionage
backdoors
reconnaissance
shadowpad
infrastructure
CVE-2023-46747
CVE-2024-8190
CVE-2024-8963
vulnerabilities
unc5174
2025-06-10
apt15
goreshell
nailaolocker
nimbo-c2
Published: June 10, 2025
Linked vulnerabilities : CVE-2024-8190 (CVSS 7.2), CVE-2024-8963 (CVSS 9.1), CVE-2024-1709, CVE-2023-46747
Downloadable IOCs: 24

New Russia-affiliated actor Void Blizzard targets critical sectors for espionage

Void Blizzard, a newly identified Russia-affiliated threat actor, has been conducting global cyberespionage operations since April 2024. Their primary targets are organizations in critical sectors, particularly in NATO member states and Ukraine, including government, defense, transportation, media,…
ukraine
cyberespionage
nato
spear phishing
evilginx
critical sectors
CVE-2025-27920
2025-05-27
azurehound
stolen credentials
russia-affiliated
cloud abuse
Published: May 27, 2025
Downloadable IOCs: 3

The Espionage Toolkit: A Closer Look at its Advanced Techniques

Earth Alux, a China-linked APT group, is actively conducting cyberespionage attacks against key sectors in the APAC and Latin American regions. The group exploits vulnerable services in exposed servers to gain initial access and deploys web shells like GODZILLA. Their primary backdoor, VARGEIT, is …
apt
cyberespionage
godzilla
dll side-loading
latin america
2025-03-31
apac
vargeit
railsetter
masqloader
rsbinject
railload
cobeacon
Published: March 31, 2025
Downloadable IOCs: 0

CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks

A zero-day vulnerability in 7-Zip (CVE-2025-0411) was exploited by Russian cybercrime groups to target Ukrainian organizations. The vulnerability allows bypassing Windows Mark-of-the-Web protections through double archiving, enabling execution of malicious content. The campaign involved spear-phish…
zero-day
cyberespionage
smokeloader
spear-phishing
CVE-2025-0411
2025-02-04
7-zip
homoglyph attacks
mark-of-the-web bypass
Published: February 4, 2025
Downloadable IOCs: 0

Hunt for RedCurl

Huntress uncovered RedCurl activity across several Canadian organizations in late 2024, tracing back to November 2023. RedCurl, known for cyberespionage, targets various industries to access confidential data without encrypting systems or demanding ransom. The group employs unique tactics, includin…
cyberespionage
2025-01-10
redloader
cloud exfiltration
Published: January 10, 2025
Downloadable IOCs: 14

Unveiling WolfsBane: Linux counterpart to Gelsevirine

ESET researchers have discovered previously unknown Linux backdoors attributed to the China-aligned Gelsemium APT group. The main backdoor, named WolfsBane, is the Linux equivalent of Gelsemium's Gelsevirine backdoor for Windows. Another backdoor, FireWood, is connected to the group's Project Wood …
linux
backdoor
apt
rootkit
persistence
cyberespionage
2024-11-22
wolfsbane
gelsevirine
project wood
firewood
Published: November 22, 2024
Downloadable IOCs: 41

Mind the (air) gap: GoldenJackal gooses government guardrails

ESET researchers uncovered two distinct toolsets used by the GoldenJackal APT group to breach air-gapped systems in government organizations. The first toolset, observed in 2019, included GoldenDealer for delivering executables via USB drives, GoldenHowl as a modular backdoor, and GoldenRobo for fi…
apt
cyberespionage
2024-11-17
jackalworm
goldenusbgo
goldenblacklist
goldenrobo
modular malware
goldendealer
goldendrive
goldenmailer
goldenace
goldenhowl
usb propagation
goldenpyblacklist
goldenusbcopy
air-gapped systems
Published: November 17, 2024
Downloadable IOCs: 0

Evasive Panda scouting cloud services

CloudScout is a post-compromise toolset used by Evasive Panda to target a Taiwanese government entity and religious organization between 2022 and 2023. The toolset can retrieve data from various cloud services using stolen web session cookies. It works with MgBot, Evasive Panda's malware framework,…
apt
china
cyberespionage
taiwan
mgbot
cloud services
2024-10-28
nightdoor
cookie theft
cloudscout
Published: October 28, 2024
Downloadable IOCs: 17

Unauthorized RDP Connections For Cyberespionage Operations

Cyble Research and Intelligence Labs uncovered an ongoing cyberattack campaign utilizing malicious LNK files to gain unauthorized Remote Desktop access on compromised systems. The sophisticated multi-stage attack chain employs PowerShell and BAT scripts to evade detection, create administrative acc…
powershell
persistence
credential theft
cyberespionage
rdp
multi-stage attack
uac bypass
2024-10-26
bat scripts
chromepass
Published: October 26, 2024
Downloadable IOCs: 0

Chinese APT Abuses VSCode to Target Government in Asia

The report details a campaign by the Chinese advanced persistent threat (APT) group Stately Taurus, which carried out cyberespionage operations against government entities in Southeast Asia. The group employed a novel technique that leveraged the reverse shell feature of Visual Studio Code to gain …
apt
exfiltration
cyberespionage
shadowpad
poisonplug.shadow
toneshell
2024-09-09
credentialtheft
reverseshell
visualstudiocode
Published: September 9, 2024
Downloadable IOCs: 17

Suspected Cyber Espionage Campaign Targeting Global Organizations

An analysis identified a suspected cyber espionage campaign by TAG-100, a threat group exploiting internet-facing devices and utilizing open-source tools like the Go backdoor Pantegana. The campaign compromised two Asia-Pacific intergovernmental organizations and targeted multiple diplomatic, trade…
CVE-2024-3400
exploitation
cyberespionage
backdoors
2024-07-17
sparkrat
pantegana
intergovernmental
opensource
Published: July 17, 2024
Linked vulnerabilities : CVE-2024-3400
Downloadable IOCs: 25

Operation Crimson Palace: A Technical Deep Dive

Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex, persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast As…
malware
cobalt strike
cyberespionage
lateral movement
intrusion
2024-06-06
impersoni-fake-ator
powheartbeat
credential access
pocoproxy
rudebird
phantomnet
ccoredoor
eagerbee
nupakage
Published: June 6, 2024
Downloadable IOCs: 138

Operation Specter: An Active Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia

An analysis reveals long-term espionage operations by a Chinese advanced persistent threat (APT) group against at least seven governmental entities across the Middle East, Africa and Asia since late 2022. The threat actor attempts to obtain sensitive and classified information about diplomatic and …
cyberespionage
2024-05-23
CVE-2021-34473
gh0st rat
moudoor
mydoor
tunnelspecter
email-exfiltration
sweetspecter
embassies
backdoors
CVE-2021-26855
geopolitics
Published: May 23, 2024
Linked vulnerabilities : CVE-2021-34473, CVE-2021-26855
Downloadable IOCs: 28

Cyberespionage Group Earth Hundun's Continuous Refinement of Waterbear and Deuterbear

This comprehensive analysis delves into the continuous evolution and refinement of sophisticated malware entities employed by a persistent cyberespionage group targeting organizations in the Asia-Pacific region. The malware, known as Waterbear and its latest iteration, Deuterbear, have undergone si…
malware
evasion
anti-analysis
encryption
2024-05-21
cyberespionage
deuterbear
waterbear
Published: May 21, 2024
Downloadable IOCs: 29
Click here to see more Attack Reports