Tag: government

29 Attack Reports | 0 Vulnerabilities

Attack reports

Russian APT actor phishes the Baltics and the Balkans

A Russian Advanced Persistent Threat (APT) group has been targeting government entities in the Baltic and Balkan regions with sophisticated phishing campaigns. The attackers use email attachments spoofing official documents to lure victims into entering their credentials on fake login pages. The ph…
apt
phishing
credential-theft
government
eastern europe
2025-12-16
Published: December 16, 2025
Downloadable IOCs: 0

TransparentTribe Targets Indian Military with DeskRAT Malware

TransparentTribe, a Pakistani-nexus intrusion set, has launched a new cyber espionage campaign targeting Indian military organizations with DeskRAT malware. The infection chain begins with phishing emails containing links to malicious ZIP archives hosted on staging servers. These archives contain D…
government
2025-10-23
deskrat
Published: October 23, 2025
Downloadable IOCs: 0

Operation SouthNet: SideWinder Expands Phishing and Malware Operations in South Asia

APT SideWinder has launched a new targeted operation dubbed Operation SouthNet, focusing on the maritime sector in South Asia, particularly Pakistan and Sri Lanka. The group leverages free hosting platforms to deploy credential-harvesting portals and weaponized lure documents, while staging malware…
apt
phishing
government
credential harvesting
south asia
military
2025-10-06
Published: October 6, 2025
Downloadable IOCs: 0

Werewolf raids Russia's public sector with trusted relationship attacks

Cavalry Werewolf, a malicious actor group, targeted Russian state agencies and enterprises in the energy, mining, and manufacturing sectors from May to August 2025. The attackers used targeted phishing emails, posing as Kyrgyz government officials, to gain initial access. They employed custom malwa…
rat
phishing
russia
government
asyncrat
mining
telegram
reverse shell
manufacturing
kyrgyzstan
2025-10-02
energy
foalshell
stallionrat
Published: October 2, 2025
Downloadable IOCs: 0

Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite

Phantom Taurus, a newly identified Chinese state-sponsored threat actor, has been conducting espionage operations targeting government and telecommunications organizations across Africa, the Middle East, and Asia. The group's primary focus includes ministries of foreign affairs, embassies, and mili…
espionage
plugx
government
africa
gh0st rat
telecommunications
china chopper
middle east
chinese apt
asia
iis backdoor
2025-09-30
ntospy
specter
iiservercore
assemblyexecuter
net-star
database targeting
Published: September 30, 2025
Downloadable IOCs: 4

Threat Profile: Conti Ransomware Group

Conti, a notorious ransomware operation identified in 2019, quickly gained infamy for its advanced encryption, rapid lateral movement, and double extortion tactics. Operated by the Russia-based Wizard Spider group, Conti evolved from Ryuk ransomware and maintained suspected ties to Russian state in…
ransomware
cobalt strike
government
healthcare
conti
ryuk
double extortion
critical infrastructure
education
trickbot
2025-09-30
wizard spider
russia-based
Published: September 30, 2025
Downloadable IOCs: 2

APT36: Targets Indian BOSS Linux Systems with Weaponized AutoStart Files

APT36, a Pakistan-based threat actor, is conducting a cyber-espionage campaign against Indian Government entities, targeting BOSS Linux systems with weaponized .desktop files. The group uses spear-phishing emails to deliver malicious payloads, exploiting the Linux environment to maintain persistent…
pakistan
persistence
india
government
spear-phishing
cyber-espionage
elf
boss linux
2025-08-23
.desktop files
Published: August 23, 2025
Downloadable IOCs: 0

SOC files: an APT41 attack on government IT services in Africa

Kaspersky's MDR team detected a targeted attack by APT41 against government IT services in Africa. The attackers used Impacket tools, Cobalt Strike, and custom agents for lateral movement and data collection. They leveraged DLL sideloading techniques and publicly available tools like Mimikatz and R…
cobalt strike
government
dll sideloading
africa
credential harvesting
lateral movement
mimikatz
data exfiltration
web shell
sharepoint
targeted attack
2025-07-21
checkout
pillager
2025-08-20
Published: August 20, 2025
Downloadable IOCs: 0

A Phishing Campaign Targeting Indian Government Entities

A sophisticated phishing campaign, likely attributed to Pakistan-linked APT36 (Transparent Tribe), is targeting Indian defense organizations and government entities using spoofed domains. The attackers employ advanced social engineering techniques, including real-time OTP harvesting, to bypass mult…
phishing
typosquatting
pakistan
india
defense
government
credential-harvesting
2025-08-03
kavach
otp
Published: August 3, 2025
Downloadable IOCs: 2

Active Exploitation of Microsoft SharePoint Vulnerabilities

Unit 42 is tracking ongoing threat activity targeting on-premises Microsoft SharePoint servers, particularly within government, schools, healthcare, and large enterprises. Multiple vulnerabilities (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771) allow unauthenticated attackers to ac…
vulnerability
government
healthcare
exploitation
education
cve
CVE-2025-53770
CVE-2025-53771
2025-07-22
CVE-2025-49704
CVE-2025-49706
microsoft sharepoint
on-premises
Published: July 22, 2025
Linked vulnerabilities : CVE-2024-1182 (CVSS 7.0), CVE-2024-7587 (CVSS 7.8), CVE-2024-0012 (CVSS 9.8), CVE-2024-9474 (CVSS 7.2), CVE-2024-8299 (CVSS 7.8), CVE-2025-0282 (CVSS 9.0), CVE-2025-0283 (CVSS 7.0), CVE-2024-53870 (CVSS 3.3), CVE-2025-31324 (CVSS 10.0), CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1), CVE-2025-49704, CVE-2025-49706
Downloadable IOCs: 24

SadFuture: Mapping XDSpy latest evolution

This report examines recent activities attributed to the XDSpy threat actor, focusing on an ongoing campaign targeting Eastern European and Russian governmental entities using the XDigo malware since March 2025. The investigation stemmed from analyzing a vulnerability in LNK files, leading to the d…
government
infrastructure analysis
eastern europe
xdigo
2025-06-26
etdownloader
lnk exploitation
Published: June 26, 2025
Downloadable IOCs: 134

Cyber Attacks on Government Agencies: Detect and Investigate

This analysis examines cyber threats targeting government institutions worldwide, focusing on three case studies: a phishing email targeting the South Carolina Department of Employment and Workforce, a fraudulent domain mimicking the U.S. Social Security Administration, and a malicious PDF posing a…
screenconnect
phishing
stealer
government
pdf
remote-access
formbook
domain-spoofing
2025-06-04
credential-harvesting
Published: June 4, 2025
Downloadable IOCs: 2

Targets Tajikistan: New Macro Word Documents Phishing Tactics

From January to February 2025, a phishing campaign targeting Tajikistan was detected and attributed to TAG-110, a Russia-aligned threat actor. The campaign used Tajikistan government-themed documents as lures, shifting from previous tactics to macro-enabled Word template files for initial payload d…
espionage
phishing
government
cherryspy
hatvibe
pyplunderplug
logpie
2025-05-22
russia-aligned
tajikistan
Published: May 22, 2025
Downloadable IOCs: 6

Blind Eagle: ...And Justice for All

Check Point Research uncovered ongoing campaigns by Blind Eagle (APT-C-36) targeting Colombian institutions since November 2024. The group utilized malicious .url files, similar to CVE-2024-43451, to deliver HeartCrypt-packed malware and Remcos RAT. Campaigns infected over 1,600 victims in a single…
phishing
remcos
government
purecrypter
webdav
remcos rat
CVE-2024-43451
heartcrypt
2025-04-10
apt-c-36
colombia
Published: April 10, 2025
Downloadable IOCs: 0

Cyber Espionage using PowerShell stealer WRECKSTEEL

Ukrainian government's CERT-UA has identified a series of cyberattacks against government agencies and critical infrastructure facilities in Ukraine during March 2025. The attacks, aimed at information theft, utilize compromised accounts to distribute emails with links to public file services. Thes…
powershell
ukraine
cyber espionage
government
vbscript
critical infrastructure
2025-04-03
file stealing
wrecksteel
Published: April 3, 2025
Downloadable IOCs: 71

Operation FishMedley targeting governments, NGOs, and think tanks

ESET researchers have uncovered a global espionage operation called Operation FishMedley, conducted by the FishMonger APT group, which is operated by the Chinese contractor I-SOON. The campaign targeted governments, NGOs, and think tanks across Asia, Europe, and the United States during 2022. The a…
apt
espionage
china
government
shadowpad
ngo
2025-03-21
spyder
sodamaster
think tank
i-soon
rpipecommander
Published: March 21, 2025
Downloadable IOCs: 12

Auto-Color: An Emerging and Evasive Linux Backdoor

Auto-color is a newly discovered Linux malware that employs sophisticated evasion techniques. It renames itself to benign-looking filenames, hides remote C2 connections using advanced methods similar to Symbiote malware, and uses proprietary encryption for communication. The malware installs a mali…
linux
backdoor
evasion
encryption
government
c2
proxy
universities
reverse shell
2025-02-25
auto-color
library implant
symbiote
Published: February 25, 2025
Downloadable IOCs: 10

The ticket that doesn't exist: a new threat discovered - FakeTicketer

A new threat actor named FakeTicketer has been identified by F.A.C.C.T. Threat Intelligence, operating since June 2024 with a focus on espionage. The actor targets government officials and sports functionaries using malicious software disguised as tickets for Russian Premier League football matches…
espionage
rat
phishing
stealer
dropper
government
2025-01-22
sports
zagrebator
zagrebator.stealer
zagrebator.dropper
zagrebator.rat
Published: January 22, 2025
Downloadable IOCs: 0

Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan & Neighboring Nations

A new threat group dubbed Silent Lynx has been uncovered targeting entities in Kyrgyzstan and neighboring nations. The group, believed to be Kazakhstan-based, employs sophisticated multi-stage attack strategies using ISO files, C++ loaders, PowerShell scripts, and Golang implants. Their campaigns f…
apt
espionage
powershell
government
golang
telegram
central asia
2025-01-21
yorotrooper
gservice.exe
xerox_scan17510875802718752175.exe
kyrgyzstan
resocks
Published: January 21, 2025
Downloadable IOCs: 12

Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions

Earth Estries, a Chinese APT group, has been aggressively targeting critical sectors globally since 2023. The group employs advanced techniques and multiple backdoors, including GHOSTSPIDER, SNAPPYBEE, and MASOL RAT, to compromise organizations in telecommunications, government, and other industrie…
government
telecommunications
demodex
crowdoor
2024-12-03
chinese apt
masol rat
sparrowdoor
snappybee
Published: December 3, 2024
Linked vulnerabilities : CVE-2024-21887, CVE-2023-46805, CVE-2021-26855, CVE-2023-48788, CVE-2022-3236, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065
Downloadable IOCs: 57

Arsenal honed against Russia's government organizations

Core Werewolf, a threat actor targeting Russia's defense industry and critical infrastructure since 2021, has evolved its tactics. The group now employs a new loader written in AutoIt and has expanded its delivery methods to include Telegram alongside email. Their campaign involves RAR archives con…
loader
government
autoit
telegram
2024-10-11
critical infrastructure
sfx executables
rar archives
Published: October 11, 2024
Downloadable IOCs: 25

Aiming at domestic government and enterprises! Deeply revealed ransomware operator Rast gang

A new ransomware threat, dubbed Rast, has emerged targeting Chinese government and enterprises since December 2023. Written in Rust, Rast has infected over 6,800 terminals, successfully encrypting more than 5,700. The Rast gang, named after the ransomware, operates primarily between 20:00 and 05:00…
ransomware
china
government
rust
rdp
phobos
2024-09-30
globeimposter
mysql
gandcrab
buran
nday
rast
enterprises
Published: September 30, 2024
Downloadable IOCs: 21

Credential Phishing Pages Mimicking Legitimate Webmail Login Portals

Since August 2024, an India-linked threat actor has been targeting entities in China and South Asia using credential phishing pages that mimic legitimate webmail login portals. The campaign primarily focuses on government and defense sectors. The phishing domains share common characteristics, inclu…
china
government
2024-09-18
south asia
domain spoofing
credential phishing
Published: September 18, 2024
Downloadable IOCs: 20

Targeted Iranian Attacks Against Iraqi Government Infrastructure

Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
backdoor
iran
government
dns tunneling
infrastructure
2024-09-12
spearal
email c2
veaty
cachehttp
iis module
iraq
Published: September 12, 2024
Downloadable IOCs: 16

Report on Ukraine government attack campaign

Ukraine's government cybersecurity incident response team, CERT-UA, obtained information about the distribution of emails themed around prisoners of war, containing links to download an archive named 'spysok_kursk.zip'. This archive contained a CHM file with JavaScript code that launched an obfusca…
malware
powershell
data theft
ukraine
exfiltration
government
spectr
2024-08-23
firmachagent
Published: August 23, 2024
Downloadable IOCs: 33

Quartet of Trouble: XWorm, AsyncRAT, VenomRAT, and...

eSentire's Threat Response Unit (TRU) uncovered a malware campaign affecting a government customer. The infection involved multiple threats - XWorm, VenomRAT, PureLogs Stealer, and AsyncRAT - hosted on a TryCloudflare WebDAV server. The initial vector was a phishing email with a malicious ZIP file.…
xworm
phishing
government
asyncrat
venomrat
2024-08-05
purelogs stealer
Published: August 5, 2024
Downloadable IOCs: 7

espionage group targets government agencies with and more infection techniques

A recently discovered threat actor, dubbed 'SneakyChef,' has been conducting an ongoing espionage campaign targeting government agencies across different regions, primarily utilizing the SugarGh0st malware. The group employs decoy documents impersonating government entities and infects victims thro…
apt
espionage
rat
phishing
government
sugargh0st
2024-06-24
spicerat
Published: June 24, 2024
Downloadable IOCs: 148

Sharp Dragon Expands Towards Africa and The Caribbean

Check Point Research has observed a significant shift in the activities and lures of Sharp Dragon, a Chinese threat actor, now targeting governmental organizations in Africa and the Caribbean. This expansion aligns with Sharp Dragon's known tactics of compromising email accounts to spread weaponize…
espionage
cobalt strike beacon
government
cyber
2024-05-23
CVE-2023-0669
expansion
caribbean
targeting
africa
Published: May 23, 2024
Linked vulnerabilities : CVE-2023-0669
Downloadable IOCs: 38

APT28 campaign against Polish government institutions

The CERT Polska team is investigating a large-scale malware campaign carried out by the Russian intelligence group APT28, which has been targeting Polish government institutions in the past year and is believed to be linked to the GRU.
phishing
apt28
russia
2024-05-03
2024-05-04
2024-05-05
2024-05-06
2024-05-07
2024-05-08
government
microsoft edge
webhook
bat script
mocky
headlace
poland
campaign
Published: May 8, 2024
Downloadable IOCs: 74
Click here to see more Attack Reports