FlagThis

Russian state-sponsored hackers are actively exploiting the “linked devices� feature in Signal Messenger to conduct cyber-espionage campaigns. Groups like APT44 (Sandworm), UNC5792, UNC4221, and Turla target military personnel, politicians, and activists to compromise their secure communications. These actors abuse Signal’s feature to gain persistent access to accounts, using phishing tactics to trick users into linking their devices to attacker-controlled systems. Mandiant warns of the real-time spying risks associated with this activity, which primarily targets Ukrainian entities amidst Russia’s ongoing invasion.

The Chinese nation-state-backed threat actor Salt Typhoon has been actively targeting telecommunications providers, compromising at least five companies between December and January of 2025. This campaign demonstrates the persistence of the group, despite sanctions. Exploitation attempts involved vulnerabilities in Cisco devices, highlighting the continued need for robust security measures in the telecommunications sector.

The Chinese cyber espionage group Salt Typhoon is actively expanding its espionage campaign by compromising additional telecom networks globally between December 2024 and January 2025. They are using a custom malware called JumbledPath to monitor network traffic. They are gaining access primarily through stolen credentials and exploiting a six-year-old vulnerability in Cisco routers.

Multiple reports detail Chinese APT groups using custom malware, like JumbledPath, and exploiting vulnerabilities to target U.S. telecom providers and European healthcare organizations. These attacks involve advanced techniques such as exploiting Check Point flaws, deploying ShadowPad and NailaoLocker ransomware, and using PowerShell for data exfiltration, blurring the lines between espionage and financially-motivated cybercrime. The campaigns aim to steal data, conduct espionage, and potentially deploy ransomware. The attackers are using techniques like exploiting Check Point flaws to deploy ShadowPad and ransomware.

A new malware called FinalDraft is using Microsoft Outlook email drafts for command-and-control communication. This method allows for stealthy communication and is being used in attacks against a ministry in South America. The malware blends into typical Microsoft 365 traffic to avoid detection. The technique involves storing commands and responses in draft emails, which are subsequently deleted, making detection and tracing challenging. This illustrates the ongoing adaptation of malware techniques to exploit legitimate software functionalities.

The North Korea-linked APT group Kimsuky, also known as Emerald Sleet, is using a new tactic to compromise its traditional espionage targets. The group is tricking targets into running PowerShell as an administrator and executing malicious code. They build rapport with targets before sending a spear-phishing email with an attached PDF. The registration link has instructions to open PowerShell as an administrator and paste code provided by Emerald Sleet. If the target runs the code as an administrator, the code downloads and installs a browser-based remote desktop tool. This allows the threat actor to access the device and carry out data exfiltration.

The DONOT APT group deployed malicious Android applications, ‘Tanzeem’ and ‘Tanzeem Update,’ to conduct intelligence gathering operations targeting individuals and groups in India. These apps, disguised as legitimate tools, are designed to collect sensitive information and pose a threat to national security interests. The campaign highlights the targeted use of mobile malware for espionage.

Multiple reports indicate a surge in cyberattacks targeting Taiwan amidst rising tensions with China and also a Russian Malware Campaign which is hitting Central Asian Diplomatic Files. It has been observed that Russian State aligned APT groups are also increasingly deploying ransomware. These attacks involve malware and other techniques. Diplomatic organizations and critical infrastructure in the targeted regions should increase their security posture and keep an eye for suspicious activities.

The MirrorFace APT, linked to China, has been conducting extensive cyber espionage campaigns against Japan since 2019. The group uses malware delivered via email attachments, and exploits VPN vulnerabilities to steal sensitive information. Targets include the Japanese government, defense, aerospace, semiconductor, communications and research organizations. The group uses tools like ANEL and NOOPDOOR for its attacks. The campaign shows a deep focus on infiltrating Japanese national security and advanced technology sectors.

Chinese state-sponsored threat actors compromised the US Treasury Department by exploiting a vulnerability in a third-party software provider, BeyondTrust. The attackers accessed employee workstations and exfiltrated unclassified documents. This incident highlights the risk associated with third-party dependencies and supply chain attacks. The attackers gained remote access, raising concerns about the security posture of government agencies. The affected systems were not immediately identified but were confirmed to be workstations.