Advanced Persistent Threat | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have discovered a new Lua-based malware created years before the notorious Stuxnet worm that aimed to sabotage Iran's nuclear program by destroying uranium enrichment centrifuges. According to a new report published by SentinelOne, the previously undocumented cyber sabotage framework dates back to 2005, primarily targeting high-precision calculation software to tamper with results. It has been codenamed fast16 . "By combining this payload with self-propagation mechanisms, the attackers aim to produce equivalent inaccurate calculations across an entire facility," researchers Vitaly Kamluk and Juan Andrés Guerrero-Saade said in an exhaustive report published this week. Fast16 is estimated to predate Stuxnet – the world's first known digital weapon designed for disruptive actions – by at least five years. While Stuxnet is widely attributed to the U.S. and Israel and later served as the architectural foundation for the Duqu information-...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has revealed that an unnamed federal civilian agency's Cisco Firepower device running Adaptive Security Appliance (ASA) software was compromised in September 2025 with a new malware called FIRESTARTER . FIRESTARTER, per CISA and the U.K.'s National Cyber Security Centre (NCSC), is assessed to be a backdoor designed for remote access and control. It's believed to be deployed as part of a "widespread" campaign orchestrated by an advanced persistent threat (APT) actor to obtain access to Cisco Adaptive Security Appliance (ASA) firmware by exploiting now-patched security flaws such as - CVE-2025-20333 (CVSS score: 9.9) - An improper validation of user-supplied input vulnerability that could allow an authenticated, remote attacker with valid VPN user credentials to execute arbitrary code as root on an affected device by sending crafted HTTP requests. CVE-2025-20362 (CVSS score: 6.5) - An improper...

Chinese-speaking individuals are the target of a new campaign that uses a trojanized version of SumatraPDF reader to deploy the AdaptixC2 Beacon post-exploitation agent and ultimately facilitate the abuse of Microsoft Visual Studio Code (VS Code) tunnels for remote access. Zscaler ThreatLabz, which discovered the campaign last month, has attributed it with high confidence to Tropic Trooper (aka APT23, Earth Centaur, KeyBoy, and Pirate Panda), a hacking group known for its targeting of various entities in Taiwan, Hong Kong, and the Philippines. It's assessed to be active since at least 2011. "The threat actors created a custom AdaptixC2 Beacon listener, leveraging GitHub as their command-and-control (C2) platform," security researcher Yin Hong Chang said in an analysis. It's believed that Chinese-speaking individuals in Taiwan, and individuals in South Korea and Japan, are the targets of the campaign. The starting point of the attack is a ZIP archive containing...

Mongolian governmental institutions have emerged as the target of a previously undocumented China-aligned advanced persistent threat (APT) group tracked as GopherWhisper . "The group wields a wide array of tools mostly written in Go, using injectors and loaders to deploy and execute various backdoors in its arsenal," Slovakian cybersecurity company ESET said in a report shared with The Hacker News. "GopherWhisper abuses legitimate services, notably Discord, Slack, Microsoft 365 Outlook, and file.io for command-and-control (C&C) communication and exfiltration." The group was first discovered in January 2025 following the discovery of a never-before-seen backdoor codenamed LaxGopher on a system belonging to a Mongolian governmental entity. GopherWhisper is assessed to be active at least since November 2023. Besides LaxGopher, some of the other malware families part of the threat actor's arsenal are Golang-based tools to receive instructions from the C&...

A previously undocumented threat cluster dubbed UAT-10362 has been attributed to spear-phishing campaigns targeting Taiwanese non-governmental organizations (NGOs) and suspected universities to deploy a new Lua-based malware called LucidRook. "LucidRook is a sophisticated stager that embeds a Lua interpreter and Rust-compiled libraries within a dynamic-link library (DLL) to download and execute staged Lua bytecode payloads," Cisco Talos researcher Ashley Shen said . The cybersecurity company said it discovered the activity in October 2025, with the attack using RAR or 7-Zip archives lures to deliver a dropper called LucidPawn, which then opens a decoy file and launches LucidRook. A notable characteristic of the intrusion set is the use of DLL side-loading to execute both LucidPawn and LucidRook. There are two distinct infection chains that lead to LucidRook, one using a Windows Shortcut (LNK) file with a PDF icon and another involving an executable that masquer...

Three threat activity clusters aligned with China have targeted a government organization in Southeast Asia as part of what has been described as a "complex and well-resourced operation." The campaigns have led to the deployment of various malware families, including HIUPAN (aka USBFect, MISTCLOAK, or U2DiskWatch), PUBLOAD , EggStremeFuel (aka RawCookie), EggStremeLoader (aka Gorem RAT), MASOL RAT , PoshRAT , TrackBak Stealer, RawCookie, Hypnosis Loader, and FluffyGh0st . The activity has been attributed to the following clusters - June - August 2025: Mustang Panda (aka Stately Taurus).  March - September 2025: CL-STA-1048, which overlaps with clusters publicly documented under the monikers Earth Estries and Crimson Palace . April and August 2025 - CL-STA-1049, which overlaps with a publicly documented cluster known as Unfading Sea Haze . Activity timeline "These activity clusters overlap with publicly reported campaigns aimed at establishing persistent ...

A long-term and ongoing campaign attributed to a China-nexus threat actor has embedded itself in telecom networks to conduct espionage against government networks. The strategic positioning activity, which involves implanting and maintaining stealthy access mechanisms within critical environments, has been attributed to Red Menshen , a threat cluster that's also tracked as Earth Bluecrow, DecisiveArchitect, and Red Dev 18. The group has a track record of striking telecom providers across the Middle East and Asia since at least 2021. Rapid7 described the covert access mechanisms as "some of the stealthiest digital sleeper cells" ever encountered in telecommunications networks. The campaign is characterized by the use of kernel-level implants, passive backdoors, credential-harvesting utilities, and cross-platform command frameworks, giving the threat actor the ability to persistently inhabit networks of interest. One of the most recognized tools in its malware arsenal i...

A suspected China-based cyber espionage operation has targeted Southeast Asian military organizations as part of a state-sponsored campaign that dates back to at least 2020. Palo Alto Networks Unit 42 is tracking the threat activity under the moniker CL-STA-1087 , where CL refers to cluster, and STA stands for state-backed motivation. "The activity demonstrated strategic operational patience and a focus on highly targeted intelligence collection, rather than bulk data theft," security researchers Lior Rochberger and Yoav Zemah said. "The attackers behind this cluster actively searched for and collected highly specific files concerning military capabilities, organizational structures, and collaborative efforts with Western armed forces." The campaign exhibits hallmarks commonly associated with advanced persistent threat (APT) operations, including carefully crafted delivery methods, defense evasion strategies, highly stable operational infrastructure, and custom ...

The Cyber Security Agency (CSA) of Singapore on Monday revealed that the China-nexus cyber espionage group known as UNC3886 targeted its telecommunications sector. "UNC3886 had launched a deliberate, targeted, and well-planned campaign against Singapore's telecommunications sector," CSA said . "All four of Singapore's major telecommunications operators ('telcos') – M1, SIMBA Telecom, Singtel, and StarHub – have been the target of attacks." The development comes more than six months after Singapore's Coordinating Minister for National Security, K. Shanmugam, accused UNC3886 of striking high-value strategic threat targets. UNC3886 is assessed to be active since at least 2022, targeting edge devices and virtualization technologies to obtain initial access. In July 2025, Sygnia disclosed details of a long-term cyber espionage campaign attributed to a threat cluster it tracks as Fire Ant and which shares tooling and targeting overlaps with UNC...

Cybersecurity researchers have taken the wraps off a gateway-monitoring and adversary-in-the-middle (AitM) framework dubbed DKnife that's operated by China-nexus threat actors since at least 2019. The framework comprises seven Linux-based implants that are designed to perform deep packet inspection, manipulate traffic, and deliver malware via routers and edge devices. Its primary targets seem to be Chinese-speaking users, an assessment based on the presence of credential harvesting phishing pages for Chinese email services, exfiltration modules for popular Chinese mobile applications like WeChat, and code references to Chinese media domains. "DKnife's attacks target a wide range of devices, including PCs, mobile devices, and Internet of Things (IoT) devices," Cisco Talos researcher Ashley Shen noted in a Thursday report. "It delivers and interacts with the ShadowPad and DarkNimbus backdoors by hijacking binary downloads and Android application updates....

The Russia-linked state-sponsored threat actor known as APT28 (aka UAC-0001) has been attributed to attacks exploiting a newly disclosed security flaw in Microsoft Office as part of a campaign codenamed Operation Neusploit . Zscaler ThreatLabz said it observed the hacking group weaponizing the shortcoming on January 29, 2026, in attacks targeting users in Ukraine, Slovakia, and Romania, three days after Microsoft publicly disclosed the existence of the bug. The vulnerability in question is CVE-2026-21509 (CVSS score: 7.8), a security feature bypass in Microsoft Office that could allow an unauthorized attacker to send a specially crafted Office file and trigger it. The Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), and Office Product Group Security Team, along with Google Threat Intelligence Group (GTIG), have been credited with discovering and reporting the flaw. "Social engineering lures were crafted in both English and localized ...

Threat actors with ties to China have been observed using an updated version of a backdoor called COOLCLIENT in cyber espionage attacks in 2025 to facilitate comprehensive data theft from infected endpoints. The activity has been attributed to Mustang Panda (aka Earth Preta, Fireant, HoneyMyte, Polaris, and Twill Typhoon) with the intrusions primarily directed against government entities located across campaigns across Myanmar, Mongolia, Malaysia, and Russia. Kaspersky, which disclosed details of the updated malware, said it's deployed as a secondary backdoor along with PlugX and LuminousMoth infections. "COOLCLIENT was typically delivered alongside encrypted loader files containing encrypted configuration data, shellcode, and in-memory next-stage DLL modules," the Russian cybersecurity company said . "These modules relied on DLL side-loading as their primary execution method, which required a legitimate signed executable to load a malicious DLL." Betwe...

Indian government entities have been targeted in two campaigns undertaken by a threat actor that operates in Pakistan using previously undocumented tradecraft. The campaigns have been codenamed Gopher Strike and Sheet Attack by Zscaler ThreatLabz, which identified them in September 2025. "While these campaigns share some similarities with the Pakistan-linked Advanced Persistent Threat (APT) group, APT36 , we assess with medium confidence that the activity identified during this analysis might originate from a new subgroup or another Pakistan-linked group operating in parallel," researchers Sudeep Singh and Yin Hong Chang said . Sheet Attack gets its name from the use of legitimate services like Google Sheets, Firebase, and email for command-and-control (C2). On the other hand, Gopher Strike is assessed to have leveraged phishing emails as a starting point to deliver PDF documents containing a blurred image that's superimposed by a seemingly harmless pop-up instructi...

Cybersecurity researchers have discovered a JScript -based command-and-control (C2) framework called PeckBirdy that has been put to use by China-aligned APT actors since 2023 to target multiple environments. The flexible framework has been put to use against Chinese gambling industries and malicious activities targeting Asian government entities and private organizations, according to Trend Micro. "PeckBirdy is a script-based framework which, while possessing advanced capabilities, is implemented using JScript, an old script language," researchers Ted Lee and Joseph C Chen said . "This is to ensure that the framework could be launched across different execution environments via LOLBins (living-off-the-land binaries)." The cybersecurity company said it identified the PeckBirdy script framework in 2023 after it observed multiple Chinese gambling websites being injected with malicious scripts, which are designed to download and execute the primary payload in order...

A threat actor likely aligned with China has been observed targeting critical infrastructure sectors in North America since at least last year. Cisco Talos, which is tracking the activity under the name UAT-8837 , assessed it to be a China-nexus advanced persistent threat (APT) actor with medium confidence based on tactical overlaps with other campaigns mounted by threat actors from the region. The cybersecurity company noted that the threat actor is "primarily tasked with obtaining initial access to high-value organizations," based on the tactics, techniques, and procedures (TTPs) and post-compromise activity observed. "After obtaining initial access — either by successful exploitation of vulnerable servers or by using compromised credentials — UAT-8837 predominantly deploys open-source tools to harvest sensitive information such as credentials, security configurations, and domain and Active Directory (AD) information to create multiple channels of access to their v...

Cisco on Thursday released security updates for a maximum-severity security flaw impacting Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager, nearly a month after the company disclosed that it had been exploited as a zero-day by a China-nexus advanced persistent threat (APT) actor codenamed UAT-9686. The vulnerability, tracked as CVE-2025-20393 (CVSS score: 10.0), is a remote command execution flaw arising as a result of insufficient validation of HTTP requests by the Spam Quarantine feature. Successful exploitation of the defect could permit an attacker to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance. However, for the attack to work, three conditions must be met - The appliance is running a vulnerable release of Cisco AsyncOS Software The appliance is configured with the Spam Quarantine feature The Spam Quarantine feature is exposed to and reachable from the internet L...

The Chinese hacking group known as Mustang Panda (aka HoneyMyte) has leveraged a previously undocumented kernel-mode rootkit driver to deliver a new variant of backdoor dubbed TONESHELL in a cyber attack detected in mid-2025 targeting an unspecified entity in Asia. The findings come from Kaspersky, which observed the new backdoor variant in cyber espionage campaigns mounted by the hacking group targeting government organizations in Southeast and East Asia, primarily Myanmar and Thailand. "The driver file is signed with an old, stolen, or leaked digital certificate and registers as a minifilter driver on infected machines," the Russian cybersecurity company said . "Its end-goal is to inject a backdoor trojan into the system processes and provide protection for malicious files, user-mode processes, and registry keys." The final payload deployed as part of the attack is TONESHELL, an implant with reverse shell and downloader capabilities to fetch next-stage malwa...

A China-linked advanced persistent threat (APT) group has been attributed to a highly-targeted cyber espionage campaign in which the adversary poisoned Domain Name System (DNS) requests to deliver its signature MgBot backdoor in attacks targeting victims in Türkiye, China, and India. The activity, Kaspersky said, was observed between November 2022 and November 2024. It has been linked to a hacking group called Evasive Panda , which is tracked as Bronze Highland, Daggerfly, and StormBamboo. It's assessed to be active since at least 2012. "The group mainly performed adversary-in-the-middle (AitM) attacks on specific victims," Kaspersky researcher Fatih Şensoy said in a deep-dive analysis. "These included techniques such as dropping loaders into specific locations and storing encrypted parts of the malware on attacker-controlled servers, which were resolved as a response to specific website DNS requests." This is not the first time Evasive Panda's DNS pois...

Threat hunters have discerned new activity associated with an Iranian threat actor known as Infy (aka Prince of Persia), nearly five years after the hacking group was observed targeting victims in Sweden, the Netherlands, and Turkey. "The scale of Prince of Persia's activity is more significant than we originally anticipated," Tomer Bar, vice president of security research at SafeBreach, said in a technical breakdown shared with The Hacker News. "This threat group is still active, relevant, and dangerous." Infy is one of the oldest advanced persistent threat (APT) actors in existence, with evidence of early activity dating all the way back to December 2004, according to a report released by Palo Alto Networks Unit 42 in May 2016 that was also authored by Bar, along with researcher Simon Conant. The group has also managed to remain elusive, attracting little attention, unlike other Iranian hacking crews such as Charming Kitten , MuddyWater , and OilRig ...

A previously undocumented China-aligned threat cluster dubbed LongNosedGoblin has been attributed to a series of cyber attacks targeting governmental entities in Southeast Asia and Japan. The end goal of these attacks is cyber espionage, Slovak cybersecurity company ESET said in a report published today. The threat activity cluster has been assessed to be active since at least September 2023. "LongNosedGoblin uses Group Policy to deploy malware across the compromised network, and cloud services (e.g., Microsoft OneDrive and Google Drive) as command and control (C&C) servers," security researchers Anton Cherepanov and Peter Strýček said . Group Policy is a mechanism for managing settings and permissions on Windows machines. According to Microsoft, Group Policy can be used to define configurations for groups of users and client computers, as well as manage server computers. The attacks are characterized by the use of a varied custom toolset that mainly consists of C#...