CyberSecurity news

FlagThis - #cyberespionage

sila.ozeren@picussecurity.com (Sıla@Resources-2 //
A new report has revealed that the Silver Fox APT group, a China-based state-sponsored actor active since 2024, is targeting the public sector through trojanized medical software. The group, also known as Void Arachne or The Great Thief of Valley, is known for cyber espionage, data theft, and financially motivated intrusions, targeting healthcare organizations, government entities, and critical infrastructure. Their campaigns involve a custom remote access trojan called Winos 4.0 (ValleyRAT), derived from the Gh0st RAT malware family.

The Silver Fox APT employs a multi-stage campaign that utilizes backdoored medical software and cloud infrastructure to deploy remote access tools, disable antivirus software, and exfiltrate data from healthcare and public sector targets. One confirmed case involves a trojanized MediaViewerLauncher.exe, disguised as a Philips DICOM Viewer. This trojanized binary acts as a first-stage loader, initiating the malware chain. The group also exploits popular applications like Chrome, VPN clients, deepfake tools, and voice changers with backdoored installers, distributed through phishing or poisoned search results.

Once executed, the malware reaches out to an Alibaba Cloud Object Storage bucket to retrieve an encrypted configuration file (i.dat), containing URLs and filenames for second-stage payloads disguised as benign media files (e.g., a.gif, s.jpeg). These payloads then deploy DLL loaders, anti-virus evasion logic, and a vulnerable driver (TrueSightKiller) to disable security software. The group also uses PowerShell exclusions to suppress Defender scans and employs RPC-based task creation and BYOVD techniques to terminate processes like MsMpEng.exe (Windows Defender). In a separate campaign, Silver Fox is also targeting Taiwan via phishing emails with malware families HoldingHands RAT and Gh0stCringe, using fake tax lures and PDF documents.

Recommended read:
References :
  • Resources-2: Picus Security blog discussing Silver Fox APT targeting public sector via trojanized medical software.
  • securityonline.info: The post appeared first on .

rulesbot@community.emergingthreats.net //
Emerging Threats has released a significant ruleset update, v10950, aimed at bolstering network security and threat detection. The update includes 73 new open rules and 136 new pro rules, totaling 209 enhancements to the existing security framework. These rules are designed to address a wide spectrum of threats, ranging from general malware to web application-specific vulnerabilities and hunting activities, enabling organizations to strengthen their defenses against an evolving threat landscape. The release date for this update is June 13, 2025.

Among the key targets of this update is the Predator spyware, which remains a persistent threat despite US sanctions. The ruleset includes specific signatures to detect DNS queries associated with Predator spyware domains, such as gilfonts .com, zipzone .io, and numerous others. This highlights the ongoing efforts to identify and neutralize the infrastructure used by Intellexa, the maker of Predator, even as they attempt to evade detection through new servers and domains. This focus underscores the importance of continuous monitoring and adaptation in the face of sophisticated surveillance tools.

In addition to addressing the Predator spyware, the ruleset update also tackles a critical vulnerability in Fortinet Admin APIs, specifically a Stack-based Buffer Overflow in the AuthHash Cookie, identified as CVE-2025-32756. This rule aims to protect against potential exploits targeting this weakness in Fortinet systems. Furthermore, the update incorporates rules for hunting SQL Database Version Discovery, enhancing the ability to proactively identify and address potential vulnerabilities within network environments. This comprehensive approach ensures a multi-layered defense against various attack vectors.

Recommended read:
References :

Cynthia B@Metacurity //
References: Risky.Biz , Metacurity , cyberscoop.com ...
Despite US sanctions, Intellexa's Predator spyware continues to operate, adapting to setbacks and surfacing in new locations with innovative techniques to evade detection. Security firm Recorded Future revealed they had linked Intellexa infrastructure to new locations. Their findings suggest Intellexa, also known as the Intellexa Consortium, is actively responding to the challenges posed by sanctions and public exposure and is likely to continue adapting its methods. This highlights the ongoing struggle to effectively curb the proliferation of sophisticated surveillance tools.

Recorded Future's Insikt Group has identified a previously unknown customer in Mozambique, a connection to a Czech entity, and activity linked to an Eastern European country. The Eastern European activity, though brief, suggests possible development or testing of the spyware. The discovery of the Mozambique customer is consistent with the already known high level of Predator activity across Africa. Intellexa has also adopted strategies such as using fake websites, including counterfeit login pages and sites claiming association with conferences, to mask its operations.

Julian-Ferdinand Vögele, a threat researcher with Recorded Future, stated that “Intellexa’s Predator remains active and adaptive, relying on a vast network of vendors, subsidiaries, and other companies.” While Predator activity has declined since sanctions and public exposure, the spyware maker is still finding ways to keep the spyware active and available to customers. The report from Recorded Future warns that "Sanctions and other pressures are likely to drive efforts to increase the complexity of corporate structures, making operations harder to trace and disrupt," emphasizing the importance of continued vigilance and proactive measures to counter the evolving threat posed by Predator.

Recommended read:
References :
  • Risky.Biz: Risky Bulletin: Predator spyware alive despite US sanctions
  • Metacurity: Customers keep buying Predator spyware despite US sanctions
  • Risky Business Media: Risky Bulletin: Predator spyware alive despite US sanctions
  • cyberscoop.com: Predator spyware activity surfaces in new places with new tricks

Kaspersky@Securelist //
References: Securelist , Catalin Cimpanu
The Librarian Ghouls APT group, also known as Rare Werewolf, is actively targeting Russian entities, with additional victims reported in Belarus and Kazakhstan. According to a recent report by Kaspersky, this sophisticated threat actor employs a range of techniques to compromise systems, including the use of RAR archives and BAT scripts. The group leverages legitimate software and multiple communication channels like email, Facebook, and Telegram to deliver malicious payloads, often operating during night hours to minimize detection. The APT has been consistently targeting Russian companies, with attacks continuing almost unabated since 2024, with a slight decline in December followed by a new wave of attacks.

The primary initial infection vector for Librarian Ghouls involves targeted phishing emails containing password-protected archives with executable files inside. These malicious emails are typically disguised as messages from legitimate organizations, containing attachments that appear to be official documents or payment orders. Once the victim opens the archive and extracts the files, the infection process begins. The group's objective is to establish remote access to compromised hosts, steal credentials, and deploy the XMRig cryptocurrency miner.

Rare Werewolf stands out for its preference for legitimate third-party software over developing its own malicious binaries. For example, in some attacks, a legitimate tool called 4t Tray Minimizer is used. The malicious functionality is implemented through command files and PowerShell scripts. A salient aspect of their tactics is launching a PowerShell script that wakes up the victim system at 1 a.m. local time and allows the attackers remote access to it for a four-hour window via AnyDesk, before shutting down the machine at 5 a.m.

Recommended read:
References :
  • Securelist: Sleep with one eye open: how Librarian Ghouls steal data by night
  • Catalin Cimpanu: Mastodon post mentioning Librarian Ghouls Stealing data at night

Eric Geller@cybersecuritydive.com //
SentinelOne, a cybersecurity firm, has revealed that it was the target of a year-long reconnaissance campaign by China-linked espionage groups, identified as APT15 and UNC5174. This campaign, dubbed "PurpleHaze," involved network reconnaissance and intrusion attempts, ultimately aiming to gather strategic intelligence and potentially establish access for future conflicts. SentinelOne discovered the campaign when the suspected Chinese spies tried to break into the security vendor's own servers in October 2024. The attempted intrusion on SentinelOne's systems failed, but it prompted a deeper investigation into the broader campaign and the malware being used.

The investigation revealed that over 70 organizations across multiple sectors globally were targeted, including a South Asian government entity and a European media organization. The attacks spanned from July 2024 to March 2025 and involved the use of ShadowPad malware and post-exploitation espionage activity. These targeted sectors include manufacturing, government, finance, telecommunications, and research. The coordinated attacks are believed to be connected to Chinese government spying programs.

SentinelOne has expressed high confidence that the PurpleHaze and ShadowPad activity clusters can be attributed to China-nexus threat actors. This incident underscores the persistent threat that Chinese cyber espionage actors pose to global industries and public sector organizations. The attack on SentinelOne also highlights that cybersecurity vendors themselves are prime targets for these groups, given their deep visibility into client environments and ability to disrupt adversary operations. SentinelOne recommends that more proactive steps are taken to prevent future attacks.

Recommended read:
References :
  • The Register - Security: Chinese spy crew appears to be preparing for conflict by backdooring 75+ critical orgs
  • hackread.com: Chinese-Linked Hackers Targeted 70+ Global Organizations, SentinelLABS
  • www.scworld.com: FAILED ATTACK ON SENTINELONE REVEALS CAMPAIGN BY CHINA-LINKED GROUPS
  • The Hacker News: Over 70 Organizations Across Multiple Sectors Targeted by China-Linked Cyber Espionage Group
  • www.cybersecuritydive.com: SentinelOne rebuffs China-linked attack — and discovers global intrusions
  • SecureWorld News: Chinese Hackers Target SentinelOne in Broader Espionage Campaign
  • securityaffairs.com: China-linked threat actor targeted +70 orgs worldwide, SentinelOne warns
  • Cyber Security News: New Report Reveals Chinese Hackers Targeted to Breach SentinelOne Servers
  • www.sentinelone.com: The security firm said the operatives who tried to breach it turned out to be responsible for cyberattacks on dozens of critical infrastructure organizations worldwide.
  • BleepingComputer: SentinelOne shares new details on China-linked breach attempt
  • cyberpress.org: A newly published technical analysis by SentinelLABS has exposed a sophisticated, multi-phase reconnaissance and intrusion campaign orchestrated by Chinese-nexus threat actors, aimed explicitly at SentinelOne’s digital infrastructure between mid-2024 and early 2025.
  • gbhackers.com: New Report Reveals Chinese Hackers Attempted to Breach SentinelOne Servers
  • industrialcyber.co: SentinelOne links ShadowPad and PurpleHaze attacks to China-aligned threat actors

Rescana@Rescana //
References: be4sec , Rescana
Void Blizzard, a cyber threat actor with ties to Russia, has been identified as conducting extensive cyberespionage operations targeting critical sectors across Europe and North America. These operations, active since at least April 2024 and escalating in 2025, are aimed at gathering intelligence crucial to Russian governmental objectives. The targeted sectors include government, defense, transportation, media, NGOs, and healthcare, reflecting a broad scope of interest. Void Blizzard, also known as LAUNDRY BEAR, employs various techniques to infiltrate organizations and steal sensitive data.

Spear phishing and credential theft are among the primary methods used by Void Blizzard. The group has been observed using stolen credentials sourced from infostealer ecosystems and launching spear phishing campaigns with typosquatted domains to mimic authentication portals. They also utilize adversary-in-the-middle (AitM) tactics with tools like Evilginx to intercept credentials. A notable campaign in April 2025 targeted over 20 NGOs with a spear phishing attack using a typosquatted domain resembling a Microsoft Entra authentication page. Their post-compromise activities include cloud service abuse, leveraging legitimate cloud APIs for data enumeration and exfiltration, and automating the collection of emails and files from cloud services like Exchange Online and SharePoint.

Meanwhile, security researchers at ESET have uncovered a separate but related cyberespionage campaign dubbed "BladedFeline" targeting Iraqi and Kurdish officials. This operation, linked to OilRig, an Iran-based APT group, utilizes malicious tools such as Whisper, PrimeCache, and Shahmaran to gain unauthorized access to computer systems. The attackers primarily compromise webmail servers to deploy Whisper, a tool designed for data exfiltration and command execution. PrimeCache, a backdoor Internet Information Services (IIS) module, allows persistent covert access to targeted servers. The campaign also highlights the continued use of the Shahmaran backdoor, previously associated with attacks targeting Kurdish diplomatic officials, indicating a sustained interest in intelligence gathering related to Kurdish affairs.

Recommended read:
References :
  • be4sec: Cyberespionage Campaign Targets Iraqi and Kurdish Officials with Sophisticated Malware
  • Rescana: Void Blizzard Cyberespionage: Targeting Critical Sectors and Systems in Europe and North America

Pierluigi Paganini@securityaffairs.com //
OpenAI is facing scrutiny over its ChatGPT user logs due to a recent court order mandating the indefinite retention of all chat data, including deleted conversations. This directive stems from a lawsuit filed by The New York Times and other news organizations, who allege that ChatGPT has been used to generate copyrighted news articles. The plaintiffs believe that even deleted chats could contain evidence of infringing outputs. OpenAI, while complying with the order, is appealing the decision, citing concerns about user privacy and potential conflicts with data privacy regulations like the EU's GDPR. The company emphasizes that this retention policy does not affect ChatGPT Enterprise or ChatGPT Edu customers, nor users with a Zero Data Retention agreement.

Sam Altman, CEO of OpenAI, has advocated for what he terms "AI privilege," suggesting that interactions with AI should be afforded the same privacy protections as communications with professionals like lawyers or doctors. This stance comes as OpenAI faces criticism for not disclosing to users that deleted and temporary chat logs were being preserved since mid-May in response to the court order. Altman argues that retaining user chats compromises their privacy, which OpenAI considers a core principle. He fears that this legal precedent could lead to a future where all AI conversations are recorded and accessible, potentially chilling free expression and innovation.

In addition to privacy concerns, OpenAI has identified and addressed malicious campaigns leveraging ChatGPT for nefarious purposes. These activities include the creation of fake IT worker resumes, the dissemination of misinformation, and assistance in cyber operations. OpenAI has banned accounts linked to ten such campaigns, including those potentially associated with North Korean IT worker schemes, Beijing-backed cyber operatives, and Russian malware distributors. These malicious actors utilized ChatGPT to craft application materials, auto-generate resumes, and even develop multi-stage malware. OpenAI is actively working to combat these abuses and safeguard its platform from being exploited for malicious activities.

Recommended read:
References :
  • chatgptiseatingtheworld.com: After filing an objection with Judge Stein, OpenAI took to the court of public opinion to seek the reversal of Magistrate Judge Wang’s broad order requiring OpenAI to preserve all ChatGPT logs of people’s chats.
  • Reclaim The Net: Private prompts once thought ephemeral could now live forever, thanks for demands from the New York Times.
  • Digital Information World: If you’ve ever used ChatGPT’s temporary chat feature thinking your conversation would vanish after closing the window — well, it turns out that wasn’t exactly the case.
  • iHLS: AI Tools Exploited in Covert Influence and Cyber Ops, OpenAI Warns
  • Schneier on Security: Report on the Malicious Uses of AI
  • The Register - Security: ChatGPT used for evil: Fake IT worker resumes, misinfo, and cyber-op assist
  • Jon Greig: Russians are using ChatGPT to incrementally improve malware. Chinese groups are using it to mass create fake social media comments. North Koreans are using it to refine fake resumes is likely only catching a fraction of nation-state use
  • Jon Greig: Russians are using ChatGPT to incrementally improve malware. Chinese groups are using it to mass create fake social media comments. North Koreans are using it to refine fake resumes is likely only catching a fraction of nation-state use
  • www.zdnet.com: How global threat actors are weaponizing AI now, according to OpenAI
  • thehackernews.com: OpenAI has revealed that it banned a set of ChatGPT accounts that were likely operated by Russian-speaking threat actors and two Chinese nation-state hacking groups to assist with malware development, social media automation, and research about U.S. satellite communications technologies, among other things.
  • securityaffairs.com: OpenAI bans ChatGPT accounts linked to Russian, Chinese cyber ops
  • therecord.media: Russians are using ChatGPT to incrementally improve malware. Chinese groups are using it to mass create fake social media comments. North Koreans are using it to refine fake resumes is likely only catching a fraction of nation-state use
  • siliconangle.com: OpenAI to retain deleted ChatGPT conversations following court order
  • eWEEK: ‘An Inappropriate Request’: OpenAI Appeals ChatGPT Data Retention Court Order in NYT Case
  • gbhackers.com: OpenAI Shuts Down ChatGPT Accounts Linked to Russian, Iranian & Chinese Cyber
  • Policy ? Ars Technica: OpenAI is retaining all ChatGPT logs “indefinitely.†Here’s who’s affected.
  • AI News | VentureBeat: Sam Altman calls for ‘AI privilege’ as OpenAI clarifies court order to retain temporary and deleted ChatGPT sessions
  • www.techradar.com: Sam Altman says AI chats should be as private as ‘talking to a lawyer or a doctor’, but OpenAI could soon be forced to keep your ChatGPT conversations forever
  • aithority.com: New Relic Report Shows OpenAI’s ChatGPT Dominates Among AI Developers
  • the-decoder.com: ChatGPT scams range from silly money-making ploys to calculated political meddling
  • hackread.com: OpenAI Shuts Down 10 Malicious AI Ops Linked to China, Russia, N. Korea
  • Tech Monitor: OpenAI highlights exploitative use of ChatGPT by Chinese entities

iHLS News@iHLS //
OpenAI has revealed that state-linked groups are increasingly experimenting with artificial intelligence for covert online operations, including influence campaigns and cyber support. A newly released report by OpenAI highlights how these groups, originating from countries like China, Russia, and Cambodia, are misusing generative AI technologies, such as ChatGPT, to manipulate content and spread disinformation. The company's latest report outlines examples of AI misuse and abuse, emphasizing a steady evolution in how AI is being integrated into covert digital strategies.

OpenAI has uncovered several international operations where its AI models were misused for cyberattacks, political influence, and even employment scams. For example, Chinese operations have been identified posting comments on geopolitical topics to discredit critics, while others used fake media accounts to collect information on Western targets. In one instance, ChatGPT was used to draft job recruitment messages in multiple languages, promising victims unrealistic payouts for simply liking social media posts, a scheme discovered accidentally by an OpenAI investigator.

Furthermore, OpenAI shut down a Russian influence campaign that utilized ChatGPT to produce German-language content ahead of Germany's 2025 federal election. This campaign, dubbed "Operation Helgoland Bite," operated through social media channels, attacking the US and NATO while promoting a right-wing political party. While the detected efforts across these various campaigns were limited in scale, the report underscores the critical need for collective detection efforts and increased vigilance against the weaponization of AI.

Recommended read:
References :
  • Schneier on Security: Report on the Malicious Uses of AI
  • iHLS: AI Tools Exploited in Covert Influence and Cyber Ops, OpenAI Warns
  • www.zdnet.com: The company's new report outlines the latest examples of AI misuse and abuse originating from China and elsewhere.
  • The Register - Security: ChatGPT used for evil: Fake IT worker resumes, misinfo, and cyber-op assist
  • cyberpress.org: CyberPress article on OpenAI Shuts Down ChatGPT Accounts Linked to Russian, Iranian, and Chinese Hackers
  • securityaffairs.com: SecurityAffairs article on OpenAI bans ChatGPT accounts linked to Russian, Chinese cyber ops
  • thehackernews.com: OpenAI has revealed that it banned a set of ChatGPT accounts that were likely operated by Russian-speaking threat actors and two Chinese nation-state hacking groups
  • Tech Monitor: OpenAI highlights exploitative use of ChatGPT by Chinese entities

@therecord.media //
ESET researchers have revealed a long-running cyber espionage campaign conducted by an Iranian APT group named BladedFeline. The group has been actively targeting government and telecom networks in Kurdistan, Iraq, and Uzbekistan since at least 2017. BladedFeline is believed to be a subgroup of OilRig, a well-documented Iranian state-backed actor, and has managed to stay undetected within these networks for approximately eight years, continually expanding its cyber espionage capabilities.

BladedFeline utilizes a variety of malicious tools for maintaining and expanding access within targeted organizations. Notable malware includes Shahmaran, a simple backdoor used against Kurdish diplomatic officials, and more sophisticated tools like Whisper and PrimeCache. Whisper communicates with attackers through email attachments sent via compromised Microsoft Exchange webmail accounts, while PrimeCache bears similarities to RDAT, a backdoor previously associated with OilRig. Researchers suggest that BladedFeline may have initially gained access to Iraqi government systems by exploiting vulnerabilities in internet-facing servers, using a webshell called Flog to maintain control.

The group's targeting reflects Iran's strategic interests in the Middle East. The Kurdistan Regional Government's diplomatic relationships and oil reserves make it an attractive target for espionage, while the focus on Iraqi governmental circles suggests an attempt to counter Western influence. ESET warns that BladedFeline is likely to continue developing its malware arsenal to retain access to compromised systems for cyber espionage purposes. The discovery highlights the persistent threat posed by Iranian APT groups and the need for robust cybersecurity measures to protect critical infrastructure and sensitive government data.

Recommended read:
References :
  • cyberpress.org: Iranian APT ‘BladedFeline’ Stays Undetected in Networks for 8 Years
  • The Hacker News: Iran-Linked BladedFeline Hits Iraqi and Kurdish Targets with Whisper and Spearal Malware
  • therecord.media: Iran-linked hackers target Kurdish, Iraq cyber espionage
  • Cyber Security News: Iranian APT ‘BladedFeline’ Stays Undetected in Networks for 8 Years
  • Catalin Cimpanu: -New Imn Crew ransomware gang -Malware reports on ViperSoftX, Play ransomware, Chaos RAT -PathWiper destructive attacks hit Ukraine -UNC1151 targets Roundcube servers in Poland -Bitter APT formally linked to India -BladedFeline APT (aka Oilrig) op targets Iraq -OpenAI disrupts APTs and info-ops abusing ChatGPT -New Roundcube under attack -Cellebrite buys Corellium -OWASP Top 10 for Business Logic Abuse -YARA-X reaches v1.0
  • www.welivesecurity.com: ESET researchers analyse a cyberespionage campaign conducted by BladedFeline, an Iran-aligned APT group with likely ties to OilRig. The group added 2 reverse tunnels (Laret & Pinar), a backdoor (Whisper), a malicious IIS module (PrimeCache) & various tools
  • www.scworld.com: Multi-year cyberespionage campaign launched by BladedFeline APT
  • WeLiveSecurity: BladedFeline: Whispering in the dark
  • The Record: Researchers at ESET describe the activities of an Iran-linked group that has been operating since at least 2017, initially breaching systems belonging to the Kurdistan Regional Government and expanding its reach to the Central Government of Iraq as well as a telecommunications provider in Uzbekistan.
  • ciso2ciso.com: Iran-Linked BladedFeline Hits Iraqi and Kurdish Targets with Whisper and Spearal Malware – Source:thehackernews.com
  • ciso2ciso.com: Iran-Linked BladedFeline Hits Iraqi and Kurdish Targets with Whisper and Spearal Malware – Source:thehackernews.com
  • ESET Research: analyzed a campaign deployed by BladedFeline, an Iran-aligned threat actor with likely ties to . We discovered the campaign, which targeted Kurdish and Iraqi government officials, in 2024.
  • github.com: analyzed a campaign deployed by BladedFeline, an Iran-aligned threat actor with likely ties to . We discovered the campaign, which targeted Kurdish and Iraqi government officials, in 2024.

@www.microsoft.com //
References: www.microsoft.com
Microsoft is aggressively integrating artificial intelligence across its products and services, striving to revolutionize the user experience. The company is focused on developing agentic systems that can work independently, proactively identify problems, suggest solutions, and maintain context across interactions. Microsoft envisions a future where AI agents will augment and amplify organizational capabilities, leading to significant transformations in various fields. To facilitate secure and flexible interactions, Microsoft is employing Model Context Protocol (MCP) to enable AI models to interact with external services.

As AI agents become more sophisticated and integrated into business processes, Microsoft recognizes the importance of evolving identity standards. The company is actively working on robust mechanisms to ensure agents can securely access data and act across connected systems, including APIs, code repositories, and enterprise systems. Microsoft emphasizes that industry collaboration on identity standards is crucial for the safe and effective deployment of AI agents.

To aid organizations in safely adopting AI, Microsoft Deputy CISO Yonatan Zunger shares guidance for efficient implementation and defense against evolving identity attack techniques. Microsoft CVP Charles Lamanna offers an AI adoption playbook, emphasizing the importance of "customer obsession" and "extreme ownership" for both startups and large enterprises navigating the age of AI. Lamanna suggests focusing on a few high-impact AI projects instead of spreading resources thinly across numerous pilots.

Recommended read:
References :

Pierluigi Paganini@Security Affairs //
The Czech Republic has formally accused China of orchestrating a "malicious cyber campaign" targeting an unclassified communication network within its Ministry of Foreign Affairs. The attacks, attributed to the China-linked APT31 hacking group, are believed to have been ongoing since 2022. This action represents a significant escalation in tensions between the two nations regarding cyber espionage. In response to the detected activity, the Czech government summoned the Chinese ambassador to express its strong condemnation of these hostile actions and to convey the damaging impact on bilateral relations. The European Union has voiced its solidarity with Prague following this announcement, further highlighting the international implications of the cyberattack.

The Czech government, in a formal statement, identified the People's Republic of China as responsible for the cyber campaign. The government believes with a high degree of certainty that APT31, also known as Judgement Panda, Bronze Vinewood or RedBravo, a cyber-espionage group linked to China's Ministry of State Security, was behind the attacks. This group has a history of targeting government and defense supply chains. Czech authorities said the malicious activity “affected an institution designated as Czech critical infrastructure,” and targeted one of the Ministry of Foreign Affairs’ unclassified networks.

The Czech Republic asserts that the cyberattacks violate responsible state behavior in cyberspace, as endorsed by members of the United Nations, and undermine the credibility of China. The government is demanding that China adhere to these norms and refrain from similar activities in the future. The Czech Foreign Affairs Minister stated that the attribution was intended to expose China, “which has long been working to undermine our resilience and democracy". The detection of the attackers during the operation allowed for the implementation of a new communication system for the ministry, significantly strengthening its security.

Recommended read:
References :
  • Lukasz Olejnik: The Czech Republic has accused China of a "malicious cyber campaign" targeting an unclassified communication network at its Foreign Affairs Ministry since 2022, summoning the Chinese ambassador in protest. The EU expressed solidarity with Prague following the announcement.
  • securityaffairs.com: Czech Republic accuses China’s APT31 of a cyberattack on its Foreign Ministry
  • BleepingComputer: Czechia blames China for Ministry of Foreign Affairs cyberattack
  • bsky.app: The Czech Republic says the Chinese-backed APT31 hacking group was behind cyberattacks targeting the country's Ministry of Foreign Affairs and critical infrastructure organizations.
  • The Hacker News: The Czech Republic on Wednesday formally accused a threat actor associated with the People's Republic of China (PRC) of targeting its Ministry of Foreign Affairs.
  • therecord.media: Czech authorities said they assessed with “a high degree of certainty†that a Chinese cyber-espionage group known as APT31, tried to hack into a government network.
  • mzv.gov.cz: Statement by the Government of the Czech Republic.

@cyble.com //
A China-linked Advanced Persistent Threat (APT) group, known as UNC5221, has been actively exploiting critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) software. Researchers from EclecticIQ have observed this group chaining two specific flaws, identified as CVE-2025-4427 and CVE-2025-4428, to target organizations across Europe, North America, and the Asia-Pacific region. These vulnerabilities allow for unauthenticated remote code execution, potentially granting the attackers deep access to compromised systems.

The targeted sectors include critical infrastructure such as telecommunications, healthcare, government, defense, finance, and aviation. The exploitation of these flaws began shortly after their disclosure, highlighting the speed at which UNC5221 moved to take advantage of the vulnerabilities. CISA has added the Ivanti EPMM flaw, among others, to its Known Exploited Vulnerabilities catalog, emphasizing the severity of the risk and urging organizations to apply necessary patches.

The attacks facilitate further intrusion and data exfiltration, potentially leading to significant breaches and compromise of sensitive information. This campaign underscores the ongoing threat posed by state-sponsored cyberespionage and the importance of proactive security measures to defend against such attacks.

Recommended read:
References :
  • securityaffairs.com: China-linked APT UNC5221 started exploiting Ivanti EPMM flaws shortly after their disclosure
  • ciso2ciso.com: China-linked APT exploit Ivanti EPMM flaws to target critical sectors across Europe, North America, and Asia-Pacific, according to EclecticIQ.
  • The Hacker News: Researchers from EclecticIQ observed a China-linked APT group that chained two Ivanti EPMM flaws, tracked as CVE-2025-4427 and CVE-2025-4428, in attacks against organizations in Europe, North America, and Asia-Pacific.

@www.helpnetsecurity.com //
A newly identified Russian cyber-espionage group, known as Laundry Bear by Dutch intelligence and Void Blizzard by Microsoft, has been actively targeting Western organizations since at least April 2024. This group is believed to be backed by the Russian government and is primarily focused on gathering intelligence to support Russian strategic interests. Laundry Bear's targets include government entities, defense contractors, aerospace firms, and high-tech businesses in Europe and North America, particularly those supporting Ukraine. The group's activities suggest an interest in sensitive information related to military goods, weapons deliveries, and advanced technologies that are difficult for Russia to acquire due to Western sanctions.

The primary objective of Laundry Bear is to steal sensitive emails and files from compromised systems. They achieve this by targeting cloud-based email environments, specifically Microsoft Exchange. The group employs a range of techniques, including pass-the-cookie attacks, password spraying, and spear phishing aimed at credential theft. Notably, the Dutch intelligence services identified Laundry Bear during an investigation into a credential-stealing attack against the Dutch National Police in September 2024. During this attack, Laundry Bear gained access to an account belonging to a Dutch police employee by using a stolen session cookie to obtain work-related contact information of other police employees.

Microsoft has also observed Laundry Bear targeting critical sectors such as government, defense, transportation, media, NGOs, and healthcare, with a focus on organizations in Europe, North America, NATO member states, and Ukraine. The group frequently gains access by using stolen credentials, likely purchased from online marketplaces. Despite employing relatively simple attack methods and readily available tools, Laundry Bear has achieved a high success rate due to quick-paced cyber operations and efficient automation. Microsoft recommends organizations implement robust security measures to defend against such threats.

Recommended read:
References :
  • The Hacker News: Microsoft has shed light on a previously undocumented cluster of malicious activity originating from a Russia-affiliated threat actor dubbed Void Blizzard (aka Laundry Bear) that it said is attributed to worldwide cloud abuse.
  • www.helpnetsecurity.com: Microsoft, Dutch security agencies lift veil on Laundry Bear cyber espionage group
  • Threats | CyberScoop: New Russian state-sponsored APT quickly gains global reach, hitting expansive targets
  • therecord.media: Recent attacks on institutions in the Netherlands were the work of a previously unknown Russian hacking group that Dutch intelligence agencies are labeling Laundry Bear. Microsoft also reported on the group, naming it Void Blizzard.
  • www.microsoft.com: Microsoft Threat Intelligence has discovered a cluster of worldwide cloud abuse activity conducted by a threat actor we track as Void Blizzard, who we assess with high confidence is Russia-affiliated and has been active since at least April 2024. Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to Russia, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America. The post appeared first on Microsoft Security Blog.
  • www.defensie.nl: Onbekende Russische groep achter hacks Nederlandse doelen - Unknown Russian group behind hacks of Dutch targets - "is behind the hacks on several Dutch organizations, including the police in September 2024.
  • Help Net Security: Microsoft, Dutch security agencies lift veil on Laundry Bear cyber espionage group
  • thecyberexpress.com: New Russian Cyber Threat ‘Laundry Bear’ Hits Western Targets
  • www.csoonline.com: New Russian APT group Void Blizzard targets NATO-based orgs after infiltrating Dutch police
  • The Register - Security: New Russian cyber-spy crew Laundry Bear joins the email-stealing pack
  • securityonline.info: Void Blizzard: New Russian Cyberespionage Group Targets NATO and Ukraine
  • securityonline.info: Void Blizzard: New Russian Cyberespionage Group Targets NATO and Ukraine
  • securityaffairs.com: Russia-linked APT Laundry Bear linked to 2024 Dutch Police attack
  • industrialcyber.co: Microsoft details Void Blizzard as Russian cyber threat targeting global critical infrastructure
  • Virus Bulletin: Microsoft Threat Intelligence, in colaboration with Dutch security organizations AIVD & MIVD, observed Void Blizzard (a.k.a. LAUNDRY BEAR) conducting espionage operations primarily targeting organizations that are important to Russian government objectives.
  • Industrial Cyber: Microsoft details Void Blizzard as Russian cyber threat targeting global critical infrastructure
  • www.cybersecuritydive.com: Microsoft, Dutch government spot new Russian hacking group targeting critical infrastructure
  • Metacurity: Russian group Laundry Bear hacked Dutch police, targets Ukraine-allied nations
  • www.metacurity.com: Russian group Laundry Bear hacked Dutch police, targets Ukraine-allied nations
  • Vulnerable U: Void Blizzard hackers raid NATO cloud tenants with Evilginx phishing
  • Danny Palmer: A new Russian APT (LAUNDRY BEAR) is tearing through defence and government entities in NATO member states using stripped back and heavily automated threat techniques that nonetheless went widely undetected until they were spotted by the Dutch police, the Netherlands’s security services revealed.
  • The Record: Recent attacks on institutions in the Netherlands were the work of a previously unknown Russian hacking group that Dutch intelligence agencies are labeling Laundry Bear. Microsoft also reported on the group, naming it Void Blizzard.
  • www.scworld.com: Russian hackers Void Blizzard step up espionage campaign
  • The Hacker News: Russia-Linked Hackers Target Tajikistan Government with Weaponized Word Documents

Ddos@securityonline.info //
A new cyber-espionage campaign has been uncovered, targeting public sector organizations in Tajikistan. The threat actor behind this campaign is TAG-110, a group linked to Russia and also known as UAC-0063 and APT28 (BlueDelta). Recorded Future’s Insikt Group discovered that TAG-110 is using macro-enabled Microsoft Word templates (.dotm files) to gain access to and exfiltrate intelligence from Tajik government, educational, and research institutions, particularly those involved in military affairs or electoral processes. This campaign reflects Russia’s strategic interest in Central Asia through intelligence-gathering operations.

These malicious Word templates are deployed through phishing lures disguised as official Tajik government documents. The templates are saved in the Microsoft Word STARTUP folder, ensuring automatic execution each time Word is launched. This tactic represents a shift from TAG-110’s previous use of HTA-based payloads like HATVIBE. The two malicious documents identified are themed around radiation safety for Tajikistan’s armed forces and election schedules in Dushanbe.

Upon execution, the embedded VBA macros collect system metadata such as username, computer name, language, and resolution. This data is then sent to a hardcoded command-and-control (C2) server. The macros also establish persistence by copying themselves to the %APPDATA%\Microsoft\Word\STARTUP\ directory. Researchers state that this evolution highlights a tactical shift prioritizing persistence. The use of .dotm files and VBA macros allows TAG-110 to maintain a stealthy presence and collect data from compromised systems, turning them into surveillance nodes.

Recommended read:
References :
  • securityonline.info: Russian-Aligned TAG-110 Targets Tajikistan Governments with Stealthy Cyber-Espionage
  • cyberpress.org: TAG-110 Hackers Use Malicious Word Templates for Targeted Attacks
  • gbhackers.com: TAG-110 Hackers Deploy Malicious Word Templates in Targeted Attacks
  • securityonline.info: Russian-Aligned TAG-110 Targets Tajikistan Governments with Stealthy Cyber-Espionage
  • The Hacker News: The Russia-aligned threat actor known as TAG-110 has been observed conducting a spear-phishing campaign targeting Tajikistan using macro-enabled Word templates as an initial payload.

@industrialcyber.co //
A joint cybersecurity advisory has been issued by intelligence and cybersecurity agencies from multiple Western nations, including the United States, the United Kingdom, Germany, and France, warning of an aggressive cyber espionage campaign orchestrated by a Russian military cyber unit. The advisory directly implicates the Russian General Staff Main Intelligence Directorate (GRU) unit 26165, also known as APT28, Fancy Bear, and Forest Blizzard. This group has been actively targeting logistics and technology companies that are involved in providing aid to Ukraine. Their operations, ongoing for over two years, involve infiltrating networks to spy on arms shipments and logistics operations.

The GRU hackers are targeting a range of entities critical to the supply chain supporting Ukraine, including defense contractors, transport hubs like airports and ports, air traffic control systems, maritime operators, and IT service providers. Affected countries include the United States, Germany, Poland, France, Romania, Ukraine, the Netherlands, and others. The attackers not only infiltrate the main target company but also go after partners and connected firms, abusing trust relationships to spread deeper. In one instance, hackers stole credentials, gaining access to sensitive information on shipments, such as train schedules and shipping manifests.

The Russian hackers are employing a mix of both established and novel tactics to breach security. These tactics include credential guessing, brute-force attacks, and spearphishing emails disguised as legitimate login pages from Western email platforms. The GRU unit is also known for exploiting IP cameras in Ukraine and bordering NATO countries, likely to gather intelligence and monitor activities. Cybersecurity agencies urge logistics entities and technology companies to enhance monitoring, proactively hunt for known tactics and indicators of compromise, and fortify their network defenses, presuming they are targets.

Recommended read:
References :
  • www.esecurityplanet.com: Russian Hackers Target Western Firms Aiding Ukraine, Spy on Shipments
  • Industrial Cyber: Russian GRU’s Unit 26165 conducts two-year cyber espionage on logistics, tech firms using IP cameras, supply chains

info@thehackernews.com (The@The Hacker News //
Chinese-speaking hackers have exploited a zero-day vulnerability, CVE-2025-0994, in Trimble Cityworks software to breach multiple local governing bodies across the United States. This vulnerability, a remote code execution flaw, has been actively exploited since January 2025 by a threat actor tracked as UAT-6382. The attackers targeted enterprise networks of local governing bodies, conducting reconnaissance and deploying web shells and custom-made malware to maintain long-term access, with a particular interest in systems related to utilities management.

UAT-6382 utilized a variety of tools and techniques in their attacks. They rapidly deployed web shells such as AntSword and chinatso/Chopper on the underlying IIS web servers. Additionally, they employed Rust-based loaders, known as TetraLoader, to deliver Cobalt Strike and VShell malware, ensuring persistent access to compromised systems. The TetraLoader was built using MaLoader, a malware building framework written in Simplified Chinese, further indicating the origin of the threat actor.

Cisco Talos researchers have assessed with high confidence that UAT-6382 is a Chinese-speaking threat actor, based on tooling, TTPs, hands-on-keyboard activity, and victimology. Indicators of compromise (IOCs) related to these intrusions overlap with those listed in Trimble’s advisory. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0994 to its Known Exploited Vulnerabilities (KEV) catalog in February 2025. The exploitation of this flaw highlights the risk of nation-state actors targeting critical infrastructure software used by U.S. local governments and utilities.

Recommended read:
References :
  • Cisco Talos Blog: Talos has observed exploitation of CVE-2025-0994 in the wild by UAT-6382, a Chinese-speaking threat actor, who then deployed malware payloads via TetraLoader.
  • securityonline.info: Critical 0-Day: Cityworks Flaw Actively Exploited by Chinese APT UAT-6382
  • The Hacker News: Chinese Hackers Exploit Trimble Cityworks Flaw to Infiltrate U.S. Government Networks
  • BleepingComputer: Chinese hackers breach US local governments using Cityworks zero-day
  • bsky.app: Cisco Talos says a group tracked as UAT-6382 has used a recent Trimble CityWorks zero-day (CVE-2025-0944) to breach local governing bodies in the US
  • securityonline.info: SecurityOnline.info article on critical 0-day Cityworks flaw exploited by Chinese APT UAT-6382
  • malware.news: Trimble Cityworks zero-day attacks on US local governments detailed
  • The DefendOps Diaries: Chinese Hackers Exploit Cityworks Zero-Day Vulnerability in US Local Governments
  • www.scworld.com: Trimble Cityworks zero-day attacks on US local governments detailed
  • The DefendOps Diaries: Exploitation of Ivanti EPMM Vulnerabilities by Chinese Hackers: A Detailed Analysis
  • BleepingComputer: Ivanti EPMM flaw exploited by Chinese hackers to breach govt agencies
  • securityaffairs.com: Chinese threat actors exploited Trimble Cityworks flaw to breach U.S. local government networks
  • www.csoonline.com: A now-patched high-severity security flaw affecting Trimble Cityworks — a specialized software used by local governments in the US, utilities, and public agencies to manage their infrastructure and community services—was abused by Chinese hackers to compromise systems before a patch was available.
  • blog.talosintelligence.com: UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware
  • www.techradar.com: The Chinese used the Cityworks bug to deploy Cobalt Strike beacons and backdoors.
  • www.cybersecuritydive.com: Cisco Talos researchers attribute the exploitation of the CVE-2025-0994 in Trimble Cityworks to Chinese-speaking threat actor UAT-6382, based on tools and TTPs used in the intrusions.
  • www.csoonline.com: A now-patched high-severity security flaw affecting Trimble Cityworks — a specialized software used by local governments in the US, utilities, and public agencies to manage their infrastructure and community services—was abused by Chinese hackers to compromise systems before a patch was available.
  • Blog: The Chinese-speaking cyber-espionage group identified as UAT-6382 has been observed exploiting a critical vulnerability in Trimble's Cityworks software to infiltrate U.S. government networks.
  • StateScoop: Report: Chinese hackers used Cityworks vulnerability to deliver malware
  • Cisco Talos Blog: Hazel observes that cybercriminals often fumble teamwork, with fragile alliances crumbling over missed messages. Plus, how UAT-6382 is exploiting Cityworks and what you can do to stay secure.
  • hackread.com: Warnings on active exploitation of a zero-day vulnerability (CVE-2025-0994) in Cityworks.

@industrialcyber.co //
A Russian state-sponsored cyber espionage campaign, attributed to the GRU's APT28 (also known as Fancy Bear or Forest Blizzard), has been actively targeting Western logistics entities and technology companies since 2022. This campaign focuses on organizations involved in the coordination, transport, and delivery of foreign assistance to Ukraine. The goal is to gain access to sensitive information and disrupt operations, presenting a serious risk to these targeted organizations and sectors across more than a dozen countries.

These Russian cyber actors have been using a mix of previously disclosed tactics, techniques, and procedures (TTPs), including credential brute force attacks, spear-phishing using multilingual lures, and malware delivery via malicious archives exploiting vulnerabilities. They've also been observed hacking into IP cameras at Ukrainian border crossings to monitor and track aid shipments. The GRU unit, known as military unit 26165, has been linked to compromising a wide array of entities, spanning air, sea, and rail transportation modes.

To defend against these threats, organizations are urged to familiarize themselves with the identified TTPs and indicators of compromise (IOCs), increase monitoring and threat hunting, and strengthen their network defenses. The attacks have targeted companies and government organizations in numerous countries, including Bulgaria, the Czech Republic, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine, and the United States. The advisory is co-signed by over 20 agencies from multiple countries, underscoring the global nature of this threat.

Recommended read:
References :
  • Metacurity: This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies.
  • NCSC News Feed: UK and allies expose Russian intelligence campaign targeting western logistics and technology organisations
  • CyberInsider: Russian GRU Cyber Campaign Targets Western Logistics and Tech Firms
  • securityonline.info: Russian GRU’s APT28 Targets Global Logistics Supporting Ukraine Defense
  • securityonline.info: Russian GRU Targets Global Logistics Supporting Ukraine Defense
  • www.cybersecuritydive.com: Russian stepping up attacks on firms aiding Ukraine, Western nations warn
  • cyberinsider.com: Russian GRU Cyber Campaign Targets Western Logistics and Tech Firms
  • BleepingComputer: A Russian state-sponsored cyberespionage campaign attributed to APT28 (Fancy Bear/Forest Blizzard) hackers has been targeting and compromising international organizations since 2022 to disrupt aid efforts to Ukraine.
  • BleepingComputer: A Russian state-sponsored cyberespionage campaign attributed to APT28 (Fancy Bear/Forest Blizzard) hackers has been targeting and compromising international organizations since 2022 to disrupt aid efforts to Ukraine.
  • securityaffairs.com: Russia-linked APT28 targets western logistics entities and technology firms
  • Threats | CyberScoop: Multi-national warning issued over Russia’s targeting of logistics, tech firms
  • socprime.com: russian GRU Unit 26156 Targets Western Logistics and Technology Companies Coordinating Aid to Ukraine in a Two-Year Hacking Campaign
  • Blog: Russian APT28 targets Western firms supporting Ukraine
  • SOC Prime Blog: Detect APT28 Attacks: russian GRU Unit 26156 Targets Western Logistics and Technology Companies Coordinating Aid to Ukraine in a Two-Year Hacking Campaign
  • Metacurity: Russia's APT28 accused of infiltrating Western logistics, technology firms
  • Resources-2: Russian APT28 (aka Fancy Bear/Unit 26165) targets Western logistics and tech firms in Ukraine aid tracking operation
  • Virus Bulletin: Details a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies involved in the coordination, transport and delivery of foreign assistance to Ukraine.
  • DataBreaches.Net: Western intelligence agencies unite to expose Russian hacking campaign against logistics and tech firms
  • www.scworld.com: CISA warns Russia-linked group APT28 is targeting Western logistics and tech firms aiding Ukraine, posing an elevated threat to supply chains
  • eSecurity Planet: Russian Hackers Target Western Firms Aiding Ukraine, Spy on Shipments
  • www.esecurityplanet.com: Russian military hackers are targeting Western firms aiding Ukraine, using cyberespionage to infiltrate logistics networks and spy on arms shipments.
  • cyberscoop.com: Multi-national warning issued over Russia’s targeting of logistics, tech firms
  • industrialcyber.co: Russian GRU’s Unit 26165 conducts two-year cyber espionage on logistics, tech firms using IP cameras, supply chains
  • www.csoonline.com: Russian APT28 compromised Western logistics and IT firms to track aid to Ukraine
  • Industrial Cyber: Russian GRU’s Unit 26165 conducts two-year cyber espionage on logistics, tech firms using IP cameras, supply chains

Field Effect@Blog //
A Russia-aligned espionage operation, dubbed Operation RoundPress, has been discovered by ESET researchers. The operation targets webmail software to steal secrets from email accounts, primarily those belonging to governmental organizations in Ukraine and defense contractors in the EU. The Sednit group, also known as APT28 and Fancy Bear, is suspected to be behind the attacks, leveraging spear-phishing emails that exploit XSS vulnerabilities to inject malicious JavaScript code into targeted webmail pages.

The attackers initially targeted Roundcube, but later expanded their reach to include other webmail software such as Horde, MDaemon, and Zimbra. The operation exploits security holes in webmail software to target Ukrainian governmental entities and defense companies in Eastern Europe. Some attacks have even circumvented two-factor authentication, demonstrating the sophistication of the operation and the challenges it poses to threat detection and response mechanisms.

While most of the victims are currently based overseas, security experts suggest that North American entities, particularly those in government, defense, and critical infrastructure sectors, could also be targeted. The group's ability to exploit both known and zero-day vulnerabilities across multiple platforms, coupled with the ability to adapt payloads to specific targets, underscores the need for organizations using vulnerable webmail platforms to remain vigilant. According to experts the hackers are able to steal credentials, emails and contacts without persistent malware installation.

Recommended read:
References :
  • Virus Bulletin: ESET researchers uncover a Russia-aligned espionage operation targeting webmail servers with spear-phishing emails leveraging an XSS vulnerability. Most of the victims are government entities and defence companies in Eastern Europe.
  • www.scworld.com: While most of the victims are based overseas, security pros say it’s plausible the group will also target North America.
  • WeLiveSecurity: Operation RoundPress targets webmail software to steal secrets from email accounts belonging mainly to governmental organizations in Ukraine and defense contractors in the EU