Undisclosed Indian government entity
April 30, 2026
•[ espionage, web shell, ShadowPad ]
Shadow-Earth-053, a China-aligned espionage cluster, was reported to have compromised an undisclosed Indian government environment by exploiting unpatched Microsoft Exchange and IIS servers, deploying web shells and ShadowPad, collecting credentials, and exporting mailbox contents.
At least one compromised Iranian device
April 13, 2026
•[ spyware, cyber espionage, pegasus ]
The article reports that the US Central Intelligence Agency used Israeli-made Pegasus spyware as part of a deception campaign inside Iran during an operation to rescue a downed American airman. According to the report, Pegasus was used to send fake messages to Iranian leadership and Islamic Revolutionary Guard Corps (IRGC) operatives, making it appear the missing airman had already been located. The piece says Pegasus enabled messages to be sent through apps like WhatsApp and Signal that looked like they came from compromised devices, helping mislead Iranian forces during the rescue effort. The report also says the CIA used a separate classified system called Ghost Murmur to locate the airman by detecting a heartbeat from a distance, though experts cited in the article expressed skepticism about that capability.
FBI Director Kash Patel's personal Gmail
March 27, 2026
•[ data leak, email breach, state-sponsored attack ]
Iran-linked group Handala claimed it breached FBI Director Kash Patel's personal Gmail account and published historical emails, photographs, and files; the FBI said the exposed material did not involve government information.
Bitrefill
March 1, 2026
•[ data breach, cryptocurrency theft, PII leak ]
Bitrefill published a post-mortem stating it was attacked on March 1, 2026 and attributed the activity to North Korea's Lazarus Group. The breach was discovered after suspicious purchasing patterns suggested gift card stock and supplier supply lines were being exploited. Bitrefill said attackers accessed about 18,500 purchase records containing customer email addresses, crypto payment addresses, and metadata including IP addresses. The attackers also drained some Bitrefill cryptocurrency wallets and transferred funds to attacker-controlled wallets; the company did not disclose the amount stolen and said it would absorb the losses.
Simba Telecom
February 10, 2026
•[ cyber espionage, network data exfiltration, telecom infrastructure ]
Singapore confirmed that China-linked cyber espionage group UNC3886 targeted the country's telecom infrastructure, including Simba Telecom. The government said attackers gained limited access to parts of telecom systems, did not disrupt services, and did not access personal data, but did exfiltrate a small amount of technical (network-related) data to advance operational objectives.
Singtel
February 10, 2026
•[ cyber espionage, telecom infrastructure, network data exfiltration ]
Singapore confirmed that China-linked cyber espionage group UNC3886 targeted the country's telecom infrastructure, including Singtel. The government said attackers gained limited access to parts of telecom systems, did not disrupt services, and did not access personal data, but did exfiltrate a small amount of technical (network-related) data to advance operational objectives.
M1
February 10, 2026
•[ cyber espionage, telecom infrastructure, technical data exfiltration ]
Singapore confirmed that China-linked cyber espionage group UNC3886 targeted the country's telecom infrastructure, including M1. The government said attackers gained limited access to parts of telecom systems, did not disrupt services, and did not access personal data, but did exfiltrate a small amount of technical (network-related) data to advance operational objectives.
At least one government, military, and technology entity in Ukraine
January 30, 2026
•[ APT, vulnerability exploitation, state-sponsored attack ]
Security researchers reported that state-sponsored advanced persistent threat groups exploited a WinRAR vulnerability in real-world attacks that successfully compromised at least one government, military, and technology organization in Ukraine, using malicious archive files to gain unauthorized access to victim systems.
Delta (Russian Security and Alarm Services Company)
January 26, 2026
•[ cyberattack, service disruption, state-sponsored attack ]
A cyberattack attributed to a hostile foreign state disrupted Delta's alarm and vehicle services for thousands of users. No customer data compromise has been confirmed.
Venezuelan Ministry of Foreign Affairs
January 1, 2026
•[ espionage, state-sponsored attack, data breach ]
The same China-linked espionage campaign that compromised the Cuban Embassy in Washington D.C. also reportedly exploited Microsoft Exchange servers used by Venezuela's Ministry of Foreign Affairs and accessed officials' email communications during the same January 2026 regional campaign.
Knownsec
November 9, 2025
•[ data leak, cyber espionage, malware ]
According to coverage in The Register of research by Chinese blog MXRN, attackers breached the systems of Beijing-linked security company Knownsec and leaked more than twelve thousand classified documents describing Chinese state cyber weapons, internal tools and global targeting lists, along with code for remote access trojans that can compromise major desktop and mobile operating systems. The cache also reportedly includes a spreadsheet of 80 successfully attacked overseas targets and massive datasets, such as Indian immigration records, South Korean telecom call logs and Taiwanese road planning information, that Knownsec had previously obtained in offensive operations; some of this material was briefly published to GitHub before being removed.
National Time Service Center
October 20, 2025
•[ espionage, state-sponsored attack ]
China accuses U.S. NSA of cyber-espionage against NTSC timing systems
Williams & Connolly
October 8, 2025
•[ espionage, state-sponsored attack, data leak ]
Breach of U.S. law firm with major political clients linked to Chinese espionage campaign.
Jordan Civil Aviation Commission
September 1, 2025
•[ APT35, Charming Kitten, data exfiltration ]
KittenBusters/CloudSEK reporting described APT35 activity in which files from Jordan's Civil Aviation Commission were silently exfiltrated before Iran's February 2026 regional missile and drone campaign; the reporting linked APT35/Charming Kitten to Iran's IRGC Intelligence Organization.
U.S. National Nuclear Security Administration (NNSA)
July 18, 2025
•[ data breach, vulnerability, zero-day ]
Breach of NNSA systems through a Microsoft SharePoint zero-day vulnerability. DOE stated a small number of systems were impacted and are being restored. Attack was later linked to Chinese state hacking groups Linen Typhoon and Violet Typhoon.
Netherlands Public Prosecution Service (Openbaar Ministerie)
July 17, 2025
•[ cyberattack, vulnerability exploit, state-sponsored attack ]
There are strong indications that Russia was behind a cyberattack exploiting a Citrix vulnerability; the OM took systems offline on July 17 in response; the extent of data access has not yet been disclosed.
One undisclosed university in the United States
July 15, 2025
•[ espionage, vulnerability exploitation, malware ]
China-linked operators abused CVE-2025-53770 (ToolShell) weeks after Microsoft's July patch to gain initial access at a telecom, escalate privileges (e.g., PetitPotam), harvest credentials, and deploy ShadowPad/Zingdoor/KrustyLoader for persistent espionage against telecom and government networks. The primary effect was covert access and collection, not service outage.
Wiley Rein LLP
July 12, 2025
•[ espionage, unauthorized access, state-sponsored attack ]
Firm notified clients that Microsoft 365 accounts of certain personnel were accessed in an apparent intelligence-gathering operation; suspected China-affiliated group.
Municipality of Tirana (City of Tirana)
June 20, 2025
•[ data leak, denial of service, state-sponsored attack ]
Iran-linked MOIS cluster EUROPIUM (Homeland Justice) conducted a coordinated cyberattack on Tirana's municipal government on June 20, 2025, taking the city website offline and disrupting services; attackers claimed data theft and wiping of city databases; Microsoft and Albanian officials attributed the activity to MOIS-linked operators; restoration was completed by June 24, 2025.
At least one Ukrainian grain producer
June 1, 2025
•[ malware, wiper attack, state-sponsored attack ]
Russian state-backed threat group Sandworm, also known as APT44, used several data-wiping malware families in a series of destructive attacks against Ukrainian organizations in 2025, including newly reported operations targeting the country's grain sector. An ESET APT activity report cited by BleepingComputer says that in June and September Sandworm deployed wipers like ZEROLOT and Sting against entities in the governmental, energy, logistics, and grain industries, with the grain sector highlighted as a less frequent but strategically important target. The wipers corrupt files, disk partitions, and master boot records in ways that prevent recovery, likely aiming to weaken Ukraine's war economy by disrupting a critical export industry.