At least one government, military, and technology entity in Ukraine
January 30, 2026
•[ APT, vulnerability exploitation, state-sponsored attack ]
Security researchers reported that state-sponsored advanced persistent threat groups exploited a WinRAR vulnerability in real-world attacks that successfully compromised at least one government, military, and technology organization in Ukraine, using malicious archive files to gain unauthorized access to victim systems.
At least one blockchain developer
January 22, 2026
•[ phishing, blockchain, credential theft ]
IT technicians and blockchain developers were targeted in a phishing campaign attributed to the NGB 3rd Technical Surveillance Bureau (KONNI/APT37), resulting in unauthorized access to end-user systems and the compromise of stored development and infrastructure credentials.
Attorney General’s Office of the State of Guanajuato (FGEG)
November 13, 2025
•[ ransomware, data leak, double-extortion ]
Mexico Business News reports that Guanajuato's Attorney General's Office confirmed a cybersecurity incident after a ransomware attack attributed to Tekir APT. The attackers claim to have stolen more than 250 GB of confidential data, including judicial files and internal databases. Officials are reviewing controls but have not confirmed the attribution or any ransom payment. Hackmanac reports that a subdomain was encrypted and that the attackers are applying double-extortion pressure.
Russian IT service provider
October 15, 2025
•[ data leak, espionage, apt ]
The China-linked group Jewelbug infiltrated a Russian IT service provider for months, exfiltrating repositories and data.
KakaoTalk account of a South Korea–based counselor
September 5, 2025
•[ spear-phishing, malware, credential theft ]
According to research by Genians reported by BleepingComputer, a North Korean activity cluster linked to APT37 and KONNI targets South Koreans via spear-phishing emails that spoof national agencies and deliver signed MSI installers. Once executed, the chain installs a remote access toolkit that steals Google and Naver account credentials, giving attackers full
Undisclosed European ministry
July 31, 2025
•[ malware, apt, intelligence collection ]
HackRead reports DoNot APT deployed LOPTiKMod malware against a European ministry to collect intelligence; attribution aligns with prior DoNot operations.
Undisclosed European telecommunications organisation
July 3, 2025
•[ espionage, malware, vulnerability exploitation ]
Darktrace reports a China-aligned espionage actor (Salt Typhoon) breached a European telecom by exploiting a Citrix NetScaler Gateway, deploying SnappyBee malware for persistence and data staging. Activity reflects classic intelligence collection rather than service disruption; defenders observed beaconing, credential access, and movement to support systems.
Multiple Ukrainian Government Ministries
June 6, 2025
•[ wiper malware, data destruction, government ]
Pro-Russian wiper campaign deployed PathWiper malware across multiple Ukrainian government networks around June 6, 2025; Cisco Talos and CERT-UA confirmed data destruction without exfiltration; activity attributed to a Russia-linked APT.
Undisclosed Ukrainian Energy Organization
June 6, 2025
•[ malware, apt, data destruction ]
PathWiper malware associated with a pro-Russian APT destroyed data at an undisclosed Ukrainian energy organization on June 6, 2025; Cisco Talos and CERT-UA confirmed data destruction; no data theft reported.
Defense and critical-infrastructure entities in Kazakhstan
May 1, 2025
•[ phishing, data leak, espionage ]
Rare Werewolf APT, a Russia-aligned espionage group, conducted spear-phishing and remote-administration-tool-based intrusions in May-June 2025 targeting defense and critical-infrastructure entities in Kazakhstan, resulting in unauthorized access and data exfiltration.
Defense and critical-infrastructure entities in Ukraine
May 1, 2025
•[ phishing, unauthorized access, data leak ]
Rare Werewolf APT, a Russia-aligned espionage group, conducted spear-phishing and remote-administration-tool-based intrusions in May-June 2025 targeting defense and critical-infrastructure entities in Ukraine, resulting in unauthorized access and data exfiltration.
At least one government agency or state-owned enterprise in Southeast Asia
April 10, 2025
•[ data leak, espionage, government ]
The Record, citing Symantec's Threat Hunter Team, reported that the China-linked APT group Billbug (also known as Thrip and Lotus Blossom) compromised multiple government and critical infrastructure organizations in a Southeast Asian country in April 2025. The campaign involved abuse of legitimate digital certificates and living-off-the-land tools to exfiltrate sensitive documents from government and military networks. No encryption or disruption was reported, and the activity is assessed as political espionage conducted on behalf of China's Ministry of State Security.
Civic Platform (Platforma Obywatelska)
April 2, 2025
•[ cyberattack, APT ]
The GRU's 85th Main Special Service Center (Unit 26165, also known as FANCYBEAR) targeted IT systems belonging to Poland's ruling Civic Platform party in early April 2025; no operational disruption has been confirmed.
Undisclosed software and services company (South Asia)
February 12, 2025
•[ data exfiltration, vulnerability, APT ]
A China-linked group known as Emperor Dragonfly exploited a Palo Alto PAN-OS vulnerability (CVE-2024-0012) to compromise an undisclosed medium-sized software and services company in South Asia. The attackers exfiltrated d