APT Groups
30 articles
Nation-state and advanced persistent threat campaigns, actors, and tooling.
[HIGH] Secret Blizzard Upgrades Kazuar Backdoor Into P2P Botnet
Secret Blizzard evolved Kazuar into a modular P2P botnet with 150 config options, AMSI/ETW bypass, and silent-mode nodes. Microsoft details the three-module architecture.
[HIGH] OceanLotus APT Uses PyPI Packages to Deliver ZiChatBot Malware
Kaspersky attributes a PyPI supply chain campaign to OceanLotus APT, using fake wheel packages to drop ZiChatBot malware that abuses Zulip chat APIs for C2 on Windows and Linux.
[HIGH] APT37 Targets Ethnic Koreans in China With Android BirdCall Malware
ESET says APT37 compromised Sqgame card game platform to deliver BirdCall backdoor to Android devices, stealing SMS, call logs, and private keys from ethnic Koreans in Yanbian.
[CRITICAL] North Korea Laundered 76% of All Stolen Crypto in 2026
North Korean hackers laundered 76% of all stolen cryptocurrency in 2026 — $2.3 billion — per Chainalysis.
[HIGH] APT29, Intellexa, NSO Share Identical Exploit Chains
Google TAG finds APT29 using exploit chains identical to those deployed by Intellexa and NSO Group, suggesting shared access to zero-day suppliers or exploit resale.
[HIGH] Silver Dragon APT Targets Southeast Asia, Europe in Espionage Campaign
Check Point Research tracks Silver Dragon, a Chinese-aligned APT group operationally linked to APT41, targeting government and telecom entities in Southeast Asia and Europe with…
[HIGH] Iran Conflict Spills Over: Cyber Threats to Critical Infrastructure
ESET warns of increased Iranian cyber activity targeting energy, water, and transportation sectors globally as Middle East conflict escalates.
[HIGH] Silver Fox APT Spoofs Japanese Tax Emails in Targeted Campaign
ESET details Silver Fox APT targeting Japanese firms with tax-themed phishing emails delivering malware via weaponized Excel attachments during tax season.
[HIGH] Cyberattackers Weaponize Voltage Fluctuations Against Power Grids
Dark Reading reports attackers are manipulating voltage to destabilize power grids — a growing cyber-physical threat vector targeting electricity infrastructure with no patch…
[HIGH] GopherWhisper APT Targets Mongolian Government in Espionage Campaign
ESET discovered China-aligned APT GopherWhisper targeting Mongolian government institutions with custom Go-based malware, leveraging legitimate services for C2.
[HIGH] Lazarus Hijacks macOS via ClickFix to Target Executives
Lazarus APT uses ClickFix social engineering to deliver macOS malware — fake browser update prompts trick executives into running AppleScript payloads that steal credentials and…
[HIGH] Tropic Trooper APT Hijacks Home Routers to Target Japanese Networks
Chinese state-sponsored Tropic Trooper is compromising home routers as proxy footholds to infiltrate Japanese organizations, shifting to novel TTPs and victim sectors.
[HIGH] Unit 42 Tracks TGR-STA-1030 Activity in Central and South America
Palo Alto Unit 42 reports TGR-STA-1030 remains active in Central and South America, targeting government and energy sectors with custom malware and living-off-the-land techniques.
[HIGH] North Korean Hackers Steal $12 Million in Crypto via Trojanized
North Korean hackers siphoned over $12 million from crypto users in Q1 2026 using trojanized trading apps like CoinStats and TradingView AI Agent to steal recovery phrases and…
[HIGH] China-Linked GopherWhisper Hits 12 Mongolian Gov Systems
ESET identified GopherWhisper, a China-aligned APT, breaching 12 Mongolian government systems with Go-based backdoors, injectors, and loaders since early 2026.
[HIGH] GopherWhisper APT Uses Go Tools, Legit Services in Gov Attacks
GopherWhisper, a new state-backed APT, targets government entities with a Go-based toolkit abusing Outlook, Slack, and Discord for C2.
[HIGH] Lotus Wiper Targets Venezuelan Energy Sector Before US Intervention
Lotus Wiper malware targeted Venezuela's state-owned energy firm PDVSA, destroying data by overwriting drives and deleting files before a US-led intervention in March 2026.
[HIGH] UK Cyber Agency Handles Four Major Incidents Weekly
The UK's NCSC reports handling four nationally significant cyber incidents per week, with most now attributed to hostile foreign states like China and Russia, up from two per week…
[HIGH] North Korean Fake Job Scams Spread Malware via 'Contagious Interview'
North Korean operatives use a 'contagious interview' tactic, where a compromised developer's GitHub repo spreads RATs to other job seekers.
[HIGH] SideWinder APT Deploys Fake Chrome PDF Viewer and Zimbra Clone to Steal
SideWinder APT targets South Asian government bodies with a phishing campaign using a fake Chrome PDF viewer and a cloned Zimbra login portal to steal webmail credentials, active since February 2026.
[CRITICAL] Lazarus Group Steals $290 Million in KelpDAO Cross-Chain Bridge Attack
North Korea's Lazarus Group exploited a smart contract flaw to steal $290 million from the KelpDAO cross-chain bridge, marking one of the largest DeFi heists of 2026 and highlighting persistent risks in cross-chain infrastructure.
[HIGH] North Korean Operatives Use AI and Fake Identities to Infiltrate Companies via
North Korean operatives are using AI tools and forged documents to pass remote job interviews, according to Flare research. The tactic aims to place threat actors inside target companies for long-term espionage and network access.
[HIGH] UNC1069 Targets Crypto Professionals with Fake Zoom and Teams Meetings
North Korean threat actor UNC1069 lures Web3 professionals with fake Zoom and Microsoft Teams meetings to deploy malware that steals cryptocurrency, according to new research.
[HIGH] UAC-0247 Threat Actor Deploys Data-Stealing Malware Against Ukrainian Targets
The Ukrainian CERT-UA attributes a new campaign to threat actor UAC-0247, which uses phishing lures to deploy malware that steals data from Chromium browsers and WhatsApp on government and healthcare systems.
[HIGH] Sapphire Sleet Targets macOS Users with Fake Zoom SDK Update
North Korean threat actor Sapphire Sleet is distributing a new macOS malware via a fake Zoom SDK installer, stealing passwords, crypto wallets, and personal data through a multi-stage social engineering campaign.
[HIGH] APT37 Targets Individuals via Facebook to Deploy RokRAT Malware
North Korea's APT37 group is conducting a social engineering campaign on Facebook, using fake profiles to build trust and deliver the RokRAT remote access trojan to targeted individuals.
[HIGH] APT41 Deploys Stealthy Backdoor to Harvest Cloud Credentials
China-linked threat actor APT41 is deploying a novel, low-detection backdoor against AWS, Google, Azure, and Alibaba Cloud to harvest credentials and establish persistence.
[HIGH] Fancy Bear APT Exploits Unpatched Flaws in Global Espionage Campaign
Russia's APT28 (Fancy Bear) is conducting a global cyber espionage campaign, exploiting unpatched vulnerabilities in routers and network devices to infiltrate government and defense targets.
[HIGH] Iranian CyberAv3ngers Escalate Attacks on US Water, Industrial Infrastructure
The Iran-backed threat actor CyberAv3ngers, linked to the IRGC, has evolved from hacktivism to conducting disruptive cyber operations against US water utilities and programmable logic controllers (PLCs).
[HIGH] North Korean Lazarus Group Compromises OpenAI via Axios Supply Chain Attack
North Korea's Lazarus Group compromised OpenAI's internal systems via a supply chain attack on the Axios client library, using a stolen macOS code-signing certificate to sign malware.