cyber espionage | Breaking Cybersecurity News | The Hacker News

A China-affiliated threat actor known as UNC6384 has been linked to a fresh set of attacks exploiting an unpatched Windows shortcut vulnerability to target European diplomatic and government entities between September and October 2025. The activity targeted diplomatic organizations in Hungary, Belgium, Italy, and the Netherlands, as well as government agencies in Serbia, Arctic Wolf said in a technical report published Thursday. "The attack chain begins with spear-phishing emails containing an embedded URL that is the first of several stages that lead to the delivery of malicious LNK files themed around European Commission meetings, NATO-related workshops, and multilateral diplomatic coordination events," the cybersecurity company said. The files are designed to exploit ZDI-CAN-25373 to trigger a multi-stage attack chain that culminates in the deployment of the PlugX malware using DLL side-loading. PlugX is a remote access trojan that's also referred to as Destroy...

The exploitation of a recently disclosed critical security flaw in Motex Lanscope Endpoint Manager has been attributed to a cyber espionage group known as Tick . The vulnerability, tracked as CVE-2025-61932 (CVSS score: 9.3), allows remote attackers to execute arbitrary commands with SYSTEM privileges on on-premise versions of the program. JPCERT/CC, in an alert issued this month, said that it has confirmed reports of active abuse of the security defect to drop a backdoor on compromised systems. Tick, also known as Bronze Butler, Daserf, REDBALDKNIGHT, Stalker Panda, Stalker Taurus, and Swirl Typhoon (formerly Tellurium), is a suspected Chinese cyber espionage actor known for its extensive targeting of East Asia, specifically Japan. It's assessed to be active since at least 2006. "We're aware of very targeted activity in Japan and believe the exploitation by Bronze Butler was limited to sectors aligned with their intelligence objectives," Rafe Pilling, directo...

Organizations in Ukraine have been targeted by threat actors of Russian origin with an aim to siphon sensitive data and maintain persistent access to compromised networks. The activity, according to a new report from the Symantec and Carbon Black Threat Hunter Team, targeted a large business services organization for two months and a local government entity in the country for a week. The attacks mainly leveraged living-off-the-land (LotL) tactics and dual-use tools, coupled with minimal malware, to reduce digital footprints and stay undetected for extended periods of time. "The attackers gained access to the business services organization by deploying web shells on public-facing servers, most likely by exploiting one or more unpatched vulnerabilities," the Broadcom-owned cybersecurity teams said in a report shared with The Hacker News. One of the web shells used in the attack was Localolive, which was previously flagged by Microsoft as put to use by a sub-group of the ...

The zero-day exploitation of a now-patched security flaw in Google Chrome led to the distribution of an espionage-related tool from Italian information technology and services provider Memento Labs, according to new findings from Kaspersky. The vulnerability in question is CVE-2025-2783 (CVSS score: 8.3), a case of sandbox escape which the company disclosed in March 2025 as having come under active exploitation as part of a campaign dubbed Operation ForumTroll targeting organizations in Russia. The cluster is also tracked as TaxOff/Team 46 by  Positive Technologies , Dante APT by F6, and  Prosperous Werewolf by BI.ZONE. It's known to be active since at least February 2024. The wave of infections involved sending phishing emails containing personalized, short-lived links inviting recipients to the Primakov Readings forum. Clicking the links through Google Chrome or a Chromium-based web browser was enough to trigger an exploit for CVE-2025-2783, enabling the attackers t...

A European embassy located in the Indian capital of New Delhi, as well as multiple organizations in Sri Lanka, Pakistan, and Bangladesh, have emerged as the target of a new campaign orchestrated by a threat actor known as SideWinder in September 2025. The activity "reveals a notable evolution in SideWinder's TTPs, particularly the adoption of a novel PDF and ClickOnce -based infection chain, in addition to their previously documented Microsoft Word exploit vectors," Trellix researchers Ernesto Fernández Provecho and Pham Duy Phuc said in a report published last week. The attacks, which involved sending spear-phishing emails in four waves from March through September 2025, are designed to drop malware families such as ModuleInstaller and StealerBot to gather sensitive information from compromised hosts. While ModuleInstaller serves as a downloader for next-stage payloads, including StealerBot, the latter is a .NET implant that can launch a reverse shell, deliver addi...

A Pakistan-nexus threat actor has been observed targeting Indian government entities as part of spear-phishing attacks designed to deliver a Golang-based malware known as DeskRAT . The activity, observed in August and September 2025 by Sekoia, has been attributed to Transparent Tribe (aka APT36), a state-sponsored hacking group known to be active since at least 2013. It also builds upon a prior campaign disclosed by CYFIRMA in August 2025. The attack chains involve sending phishing emails containing a ZIP file attachment, or in some cases, a link pointing to an archive hosted on legitimate cloud services like Google Drive. Present within the ZIP file is a malicious Desktop file embedding commands to display a decoy PDF ("CDS_Directive_Armed_Forces.pdf") using Mozilla Firefox while simultaneously executing the main payload. Both the artifacts are pulled from an external server "modgovindia[.]com" and executed. Like before, the campaign is designed to target BO...

Threat actors with ties to North Korea have been attributed to a new wave of attacks targeting European companies active in the defense industry as part of a long-running campaign known as Operation Dream Job . "Some of these [companies] are heavily involved in the unmanned aerial vehicle (UAV) sector, suggesting that the operation may be linked to North Korea's current efforts to scale up its drone program," ESET security researchers Peter Kálnai and Alexis Rapin said in a report shared with The Hacker News. It's assessed that the end goal of the campaign is to plunder proprietary information and manufacturing know-how using malware families such as ScoringMathTea and MISTPEN. The Slovak cybersecurity company said it observed the campaign starting in late March 2025. Some of the targeted entities include a metal engineering company in Southeastern Europe, a manufacturer of aircraft components in Central Europe, and a defense company in Central Europe. While Sc...

The Iranian nation-state group known as MuddyWater has been attributed to a new campaign that has leveraged a compromised email account to distribute a backdoor called Phoenix to various organizations across the Middle East and North Africa (MENA) region, including over 100 government entities. The end goal of the campaign is to infiltrate high-value targets and facilitate intelligence gathering, Singaporean cybersecurity company Group-IB said in a technical report published today. More than three-fourths of the campaign's targets include embassies, diplomatic missions, foreign affairs ministries, and consulates, followed by international organizations and telecommunications firms. "MuddyWater accessed the compromised mailbox through NordVPN (a legitimate service abused by the threat actor), and used it to send phishing emails that appeared to be authentic correspondence," said security researchers Mahmoud Zohdy and Mansour Alhmoud. "By exploiting the trust a...

Threat actors with ties to China exploited the ToolShell security vulnerability in Microsoft SharePoint to breach a telecommunications company in the Middle East after it was publicly disclosed and patched in July 2025. Also targeted were government departments in an African country, as well as government agencies in South America, a university in the U.S., as well as likely a state technology agency in an African country, a government department in the Middle East, and a finance company in a European country. According to Broadcom's Symantec Threat Hunter Team, the attacks involved the exploitation of CVE-2025-53770 , a now-patched security flaw in on-premise SharePoint servers that could be used to bypass authentication and achieve remote code execution. CVE-2025-53770, assessed to be a patch bypass for CVE-2025-49704 and CVE-2025-49706, has been weaponized as a zero-day by three Chinese threat groups , including Linen Typhoon (aka Budworm), Violet Typhoon (aka Sheathminer)...

Government, financial, and industrial organizations located in Asia, Africa, and Latin America are the target of a new campaign dubbed PassiveNeuron , according to findings from Kaspersky. The cyber espionage activity was first flagged by the Russian cybersecurity vendor in November 2024, when it disclosed a set of attacks aimed at government entities in Latin America and East Asia in June, using never-before-seen malware families tracked as Neursite and NeuralExecutor. It also described the operation as exhibiting a high level of sophistication, with the threat actors leveraging already compromised internal servers as an intermediate command-and-control (C2) infrastructure to fly under the radar. "The threat actor is able to move laterally through the infrastructure and exfiltrate data, optionally creating virtual networks that allow attackers to steal files of interest even from machines isolated from the internet," Kaspersky noted at the time. "A plugin-based ap...

A new malware attributed to the Russia-linked hacking group known as COLDRIVER has undergone numerous developmental iterations since May 2025, suggesting an increased "operations tempo" from the threat actor. The findings come from Google Threat Intelligence Group (GTIG), which said the state-sponsored hacking crew has rapidly refined and retooled its malware arsenal merely five days following the publication of its LOSTKEYS malware around the same time. While it's currently not known for how long the new malware families have been under development, the tech giant's threat intelligence team said it has not observed a single instance of LOSTKEYS since disclosure. The new malware, codenamed NOROBOT, YESROBOT, and MAYBEROBOT, is "a collection of related malware families connected via a delivery chain," GTIG researcher Wesley Shields said in a Monday analysis. The latest attack waves are something of a departure from COLDRIVER's typical modus opera...

A European telecommunications organization is said to have been targeted by a threat actor that aligns with a China-nexus cyber espionage group known as Salt Typhoon . The organization, per Darktrace , was targeted in the first week of July 2025, with the attackers exploiting a Citrix NetScaler Gateway appliance to obtain initial access. Salt Typhoon, also known as Earth Estries, FamousSparrow, GhostEmperor, and UNC5807, is the name given to an advanced persistent threat actor with ties to China. Known to be active since 2019, the group gained prominence last year following its attacks on telecommunications services providers, energy networks, and government systems in the U.S. The adversary has a track record of exploiting security flaws in edge devices, maintaining deep persistence, and exfiltrating sensitive data from victims in more than 80 countries across North America, Europe, the Middle East, and Africa. In the incident observed against the European telecommunications enti...

China on Sunday accused the U.S. National Security Agency (NSA) of carrying out a "premeditated" cyber attack targeting the National Time Service Center ( NTSC ), as it described the U.S. as a "hacker empire" and the "greatest source of chaos in cyberspace." The Ministry of State Security (MSS), in a WeChat post , said it uncovered "irrefutable evidence" of the agency's involvement in the intrusion that dated back to March 25, 2022. The attack was ultimately foiled, it added. Established in 1966 under the jurisdiction of the Chinese Academy of Sciences (CAS), NTSC is responsible for generating, maintaining, and transmitting the national standard of time (Beijing Time). "Any cyberattack damaging these facilities would jeopardize the secure and stable operation of 'Beijing Time,' triggering severe consequences such as network communication failures, financial system disruptions, power supply interruptions, transportation paraly...

A threat actor with ties to the Democratic People's Republic of Korea (aka North Korea) has been observed leveraging the EtherHiding technique to distribute malware and enable cryptocurrency theft, marking the first time a state-sponsored hacking group has embraced the method. The activity has been attributed by Google Threat Intelligence Group (GTIG) to a threat cluster it tracks as UNC5342 , which is also known as CL-STA-0240 (Palo Alto Networks Unit 42), DeceptiveDevelopment (ESET), DEV#POPPER (Securonix), Famous Chollima (CrowdStrike), Gwisin Gang (DTEX), Tenacious Pungsan (Datadog), and Void Dokkaebi (Trend Micro). The attack wave is part of a long-running campaign codenamed Contagious Interview , wherein the attackers approach potential targets on LinkedIn by posing as recruiters or hiring managers, and trick them into running malicious code under the pretext of a job assessment after shifting the conversation to Telegram or Discord. The end goal of these efforts is to ...

A threat actor with ties to China has been attributed to a five-month-long intrusion targeting a Russian IT service provider, marking the hacking group's expansion to the country beyond Southeast Asia and South America. The activity, which took place from January to May 2025, has been attributed by Broadcom-owned Symantec to a threat actor it tracks as Jewelbug , which it said overlaps with clusters known as CL-STA-0049 (Palo Alto Networks Unit 42), Earth Alux (Trend Micro), and REF7707 (Elastic Security Labs). The findings suggest Russia is not off-limits for Chinese cyber espionage operations despite increased "military, economic, and diplomatic" relations between Moscow and Beijing over the years. "Attackers had access to code repositories and software build systems that they could potentially leverage to carry out supply chain attacks targeting the company's customers in Russia," the Symantec Threat Hunter Team said in a report shared with The ...

Threat actors with ties to China have been attributed to a novel campaign that compromised an ArcGIS system and turned it into a backdoor for more than a year. The activity, per ReliaQuest, is the handiwork of a Chinese state-sponsored hacking group called Flax Typhoon , which is also tracked as Ethereal Panda and RedJuliett. According to the U.S. government, it's assessed to be a publicly-traded, Beijing-based company known as Integrity Technology Group. "The group cleverly modified a geo-mapping application's Java server object extension (SOE) into a functioning web shell," the cybersecurity company said in a report shared with The Hacker News. "By gating access with a hardcoded key for exclusive control and embedding it in system backups, they achieved deep, long-term persistence that could survive a full system recovery." Flax Typhoon is known for living up to the "stealth" in its tradecraft by extensively incorporating living-off-the-l...

A China-aligned threat actor codenamed UTA0388 has been attributed to a series of spear-phishing campaigns targeting North America, Asia, and Europe that are designed to deliver a Go-based implant known as GOVERSHELL . "The initially observed campaigns were tailored to the targets, and the messages purported to be sent by senior researchers and analysts from legitimate-sounding, completely fabricated organizations," Volexity said in a Wednesday report. "The goal of these spear phishing campaigns was to socially engineer targets into clicking links that led to a remotely hosted archive containing a malicious payload." Since then, the threat actor behind the attacks is said to have leveraged different lures and fictional identities, spanning several languages, including English, Chinese, Japanese, French, and German. Early iterations of the campaigns have been found to embed links to phishing content either hosted on a cloud-based service or their own infrastruc...

A Chinese company named the Beijing Institute of Electronics Technology and Application (BIETA) has been assessed to be likely led by the Ministry of State Security (MSS). The assessment comes from evidence that at least four BIETA personnel have clear or possible links to MSS officers and their relationship with the University of International Relations, which is known to share links with the MSS, according to Recorded Future. The names of the four individuals include Wu Shizhong, He Dequan, You Xingang, and Zhou Linna. "BIETA and its subsidiary, Beijing Sanxin Times Technology Co., Ltd. (CIII), research, develop, import, and sell technologies that almost certainly support intelligence, counterintelligence, military, and other missions relevant to China's national development and security," the company said in a report shared with The Hacker News. "Their activities include researching methods of steganography that can likely support covert communications (COVCOM) a...