Independent film makers
May 21, 2025
•[ espionage, malware, government ]
While detained in May 2025, filmmakers phones were allegedly infected with FlexiSPY; forensic analysis ties installation to police custody (May 21). Devices were returned July 10. CPJ/Citizen Lab publicly detailed findings on Sept 1012; The Standard reported the allegations Sept 10.
Kurdish forces
May 14, 2025
•[ espionage, vulnerability, zero-day ]
Turkey-linked espionage operators exploited a zero-day in Output Messenger to surveil Iraq-based Kurdish forces, collecting communications and device data; Microsoft attributed the activity to a Turkey-aligned group focused on intelligence collection.
Government entities (36, Central Asia & APAC)
May 1, 2025
•[ espionage, phishing, malware ]
Phishing lures and Telegram botbased malware were used by the ShadowSilk cluster to compromise 36 government entities across Central Asia and the Asia-Pacific region between May and July 2025. The campaign focused on espionage, enabling unauthorized access and data theft, and was publicly reported in August 2025 by The Hacker News.
Multiple devices at undisclosed telecommunications firm(s)
May 1, 2025
•[ social, espionage, phishing ]
UNC1549 (Subtle Snail) compromised multiple devices at an undisclosed telecommunications firm in France using LinkedIn job-lures and the MINIBIKE backdoor; Azure-hosted C2 infrastructure was observed. No confirmed data exfiltration volumes or operational disruption reported.
Defense and critical-infrastructure entities in Kazakhstan
May 1, 2025
•[ phishing, data leak, espionage ]
Rare Werewolf APT, a Russia-aligned espionage group, conducted spear-phishing and remote-administration toolbased intrusions in MayJune 2025 targeting defense and critical-infrastructure entities in Kazakhstan, resulting in unauthorized access and data exfiltration.
Defense and critical-infrastructure entities in Ukraine
May 1, 2025
•[ phishing, unauthorized access, data leak ]
Rare Werewolf APT, a Russia-aligned espionage group, conducted spear-phishing and remote-administration toolbased intrusions in MayJune 2025 targeting defense and critical-infrastructure entities in Ukraine, resulting in unauthorized access and data exfiltration.
Defense and critical-infrastructure entities in Armenia
May 1, 2025
•[ phishing, data leak, espionage ]
Rare Werewolf APT, a Russia-aligned espionage group, conducted spear-phishing and remote-administration toolbased intrusions in MayJune 2025 targeting defense and critical-infrastructure entities in Armenia, resulting in unauthorized access and data exfiltration.
Multiple French government and critical infrastructure organizations
April 30, 2025
•[ espionage, data leak, vulnerability exploitation ]
On April 30 2025, Frances national cybersecurity agency (ANSSI) attributed a campaign of at least twelve cyberattacks on French entities to Russias GRU 85th Main Special Service Center (Unit 26165), known as FANCYBEAR. The espionage activity targeted government, media, energy, and critical-infrastructure organizations via exploitation of vulnerable Cisco routers to gain persistence and exfiltrate sensitive data. No operational disruption was reported.
At least one government agency or state-owned enterprise in Southeast Asia
April 10, 2025
•[ data leak, espionage, government ]
The Record, citing Symantecs Threat Hunter Team, reported that the China-linked APT group Billbug (also known as Thrip and Lotus Blossom) compromised multiple government and critical infrastructure organizations in a Southeast Asian country in April 2025. The campaign involved exploitation of legitimate digital certificates and living-off-the-land tools to exfiltrate sensitive documents from government and military networks. No encryption or disruption was reported, and the activity is assessed as political espionage conducted under Chinas Ministry of State Security.
Ukrainian government and military entities
April 1, 2025
•[ malware, data leak, espionage ]
Russian FSB 18th Center for Information Security (Gamaredon) deployed updated GammaSteel malware to exfiltrate sensitive data from Ukrainian government and defense networks in an ongoing espionage campaign; no operational disruption reported.
Deutsche Gesellschaft für Osteuropakunde (DGO)
March 30, 2025
•[ espionage, data leak, state-sponsored attack ]
In late March 2025, German officials reported a cyber-espionage incident targeting the Deutsche Gesellschaft fr Osteuropakunde (DGO), a nonprofit academic association focused on Eastern Europe. Investigators attributed the intrusion to Russias Foreign Intelligence Service (SVR), also known as Midnight Blizzard, APT29, or NOBELIUM. Attackers accessed email servers and internal communications for intelligence-gathering purposes. No data encryption or operational disruption was reported, indicating a stealthy exploitation of application servers.
German Association for Eastern European Studies (DGO)
March 27, 2025
•[ data leak, espionage, government ]
SVR (COZYBEAR) infiltrated email servers of the German Association for Eastern European Studies in late March 2025, exfiltrating correspondence and membership data; the German Interior Ministry formally attributed the intrusion to Russias foreign intelligence service on April 22 2025.
Undisclosed European drone manufacturer
March 25, 2025
•[ phishing, social engineering, malware ]
North Korean operators approached European defense engineers with fake job offers, delivering loaders that sideloaded ScoringMathTea and BinMergeLoader/MISTPEN to exfiltrate proprietary UAV designs and manufacturing know-how. Intelligence-collection focus; campaign targets several firms rather than one discrete victim record.
French government officials
March 9, 2025
•[ espionage, malware, government ]
Apple notified French officials of targeted mercenary-spyware attacks (latest Sep 3, 2025); CERT-FR says this is the fourth wave in 2025; highly targeted espionage against high-profile users; Apple recommends Lockdown Mode and expert assistance; no attribution disclosed.
U.S.–China Business Council
March 7, 2025
•[ espionage, phishing, government ]
China-linked APT41/TA415 impersonated Rep. Moolenaar and USCBC in July 2025 spear-phishing to deliver malware and create remote tunnels to spy on U.S. trade-policy stakeholders; investigations ongoing; success not verified.
Polish Space Agency (Polsa)
March 2, 2025
•[ cyberattack, network intrusion, service disruption ]
The Polish Space Agency (POLSA) went offline after detecting a cyberattack that forced it to disconnect its internal network from the internet to contain the incident. National cybersecurity teams, including CSIRT NASK and CSIRT MON, were engaged to assist in investigating and restoring operations. While POLSA did not disclose specific details, internal sources suggested that email systems were compromised. As a member of the European Space Agency, POLSA temporarily suspended several digital services while ensuring containment, system recovery, and investigation into potential espionage or disruption motives behind the attack.
Multiple U.S. Targets (Law Firms, SaaS, Tech Firms)
March 1, 2025
•[ espionage, malware, technology ]
Chinese APT UNC5221 deployed the BRICKSTORM backdoor to infiltrate U.S. law firms and SaaS providers for intelligence collection. Campaign active from March through September 2025.
Multiple U.K. Targets (Professional Services, Law Firms)
March 1, 2025
•[ espionage, technology ]
UNC5221 targeted British professional-services firms for espionage, part of the broader BRICKSTORM campaign observed globally in 2025.
Multiple Netherlands Targets (BPO, MSP Providers)
March 1, 2025
•[ espionage, technology ]
UNC5221 compromised Netherlands-based BPO and MSP providers to gain secondary access to client environments; activity attributed to Chinese cyber-espionage operations.
Multiple German Targets (Corporate Legal, Professional Services)
March 1, 2025
•[ espionage, technology ]
German professional-services and corporate-law entities were likely compromised by UNC5221 during the 2025 BRICKSTORM espionage campaign exploiting Ivanti edge devices.
