Singtel
February 10, 2026
•[ cyber espionage, telecom infrastructure, network data exfiltration ]
Singapore confirmed that China-linked cyber espionage group UNC3886 targeted the countrys telecom infrastructure, including Singtel. The government said attackers gained limited access to parts of telecom systems, did not disrupt services, and did not access personal data, but did exfiltrate a small amount of technical (network-related) data to advance operational objectives.
StarHub
February 10, 2026
•[ cyber espionage, state-sponsored, data exfiltration ]
Singapore confirmed that China-linked cyber espionage group UNC3886 targeted the countrys telecom infrastructure, including StarHub. The government said attackers gained limited access to parts of telecom systems, did not disrupt services, and did not access personal data, but did exfiltrate a small amount of technical (network-related) data to advance operational objectives.
M1
February 10, 2026
•[ cyber espionage, telecom infrastructure, technical data exfiltration ]
Singapore confirmed that China-linked cyber espionage group UNC3886 targeted the countrys telecom infrastructure, including M1. The government said attackers gained limited access to parts of telecom systems, did not disrupt services, and did not access personal data, but did exfiltrate a small amount of technical (network-related) data to advance operational objectives.
Simba Telecom
February 10, 2026
•[ cyber espionage, network data exfiltration, telecom infrastructure ]
Singapore confirmed that China-linked cyber espionage group UNC3886 targeted the countrys telecom infrastructure, including Simba Telecom. The government said attackers gained limited access to parts of telecom systems, did not disrupt services, and did not access personal data, but did exfiltrate a small amount of technical (network-related) data to advance operational objectives.
At least one government, military, and technology entity in Ukraine
January 30, 2026
•[ APT, vulnerability exploitation, state-sponsored attack ]
Security researchers reported that state-sponsored advanced persistent threat groups exploited a WinRAR vulnerability in real-world attacks that successfully compromised at least one government, military, and technology organization in Ukraine, using malicious archive files to gain unauthorized access to victim systems.
At least one blockchain developer
January 22, 2026
•[ phishing, blockchain, credential theft ]
IT technicians and blockchain developers were targeted in a phishing campaign attributed to the NGB 3rd Technical Surveillance Bureau (KONNI/APT37), resulting in unauthorized access to end-user systems and the compromise of stored development and infrastructure credentials.
At least one Afghan government worker
January 20, 2026
•[ phishing, malware, data exfiltration ]
The Record reported that attackers targeted Afghan government workers with phishing emails disguised as official correspondence from the office of the countrys prime minister. Researchers said the campaign, first detected in December, used a decoy document resembling a government letter (including a forged signature) to entice recipients in ministries/administrative offices to open it. Once opened, the document delivered malware dubbed FalseCub, designed to collect and exfiltrate data from infected computers. The report is focused on the campaign and malware behavior; it does not list specific compromised agencies, confirmed infection counts, or stolen data volumes, so impacts are coded as undetermined.
At least one organization in Southeastern Europe
January 8, 2026
•[ cyber espionage, vulnerability exploitation, SSH brute force ]
BleepingComputer reported on Cisco Talos research describing a sophisticated China-nexus actor tracked as UAT-7290 targeting telecommunications providers, historically in South Asia and recently expanded into Southeastern Europe. The group was described as conducting extensive reconnaissance and using one-day exploits plus target-specific SSH brute force to compromise public-facing edge devices for initial access and privilege escalation. Talos reported the actor deploys a primarily Linux-based malware suite (with occasional Windows implants) and establishes Operational Relay Box (ORB) infrastructure that can be used by other China-aligned threat actors. The report is campaign-level and does not enumerate a single named victim breach event date.
Undisclosed strategic advisory firm in the US
January 8, 2026
•[ spearphishing, QR codes, credential theft ]
An FBI flash alert described North Korea-linked Kimsuky (APT43) using spearphishing emails that contain QR codes to lure recipients to fake questionnaires, secure-drive links, or login pages, with the goal of stealing credentials or session tokens and hijacking cloud identities. The warning said the observed targeting includes U.S. organizations involved in North Korea policy/research/analysis such as NGOs, think tanks, academic institutions, strategic advisory firms, and government entities. The alert included examples (e.g., a June 2025 conference-invite lure) and explained that QR-driven flows can bypass traditional email controls by shifting the interaction to unmanaged mobile devices.
Former Minister Ayelet Shaked
January 3, 2026
•[ data leak, unauthorized access, cyber espionage ]
Iran-linked hacking group Handala claimed it breached the mobile phone of former Israeli minister Ayelet Shaked and published roughly 60 photos and videos it said were stolen from her device. The group alleged it held additional messages, documents, and other confidential material and urged followers to expect further releases. The reported effect is limited to alleged unauthorized access and data theft/exposure involving a single political figure, with no operational disruption to organizations reported.
Knownsec
November 9, 2025
•[ data leak, cyber espionage, malware ]
According to coverage in The Register of research by Chinese blog MXRN, attackers breached the systems of Beijing linked security company Knownsec and leaked more than twelve thousand classified documents describing Chinese state cyber weapons, internal tools and global targeting lists, along with code for remote access trojans that can compromise major desktop and mobile operating systems; the cache also reportedly includes a spreadsheet of 80 successfully attacked overseas targets and massive datasets such as Indian immigration records, South Korean telecom call logs and Taiwanese road planning information that Knownsec had previously obtained in offensive operations, some of which were briefly published to GitHub before being removed.
Australian Treasury Department
November 1, 2025
•[ cyber espionage, phishing, Shadow Campaigns ]
BleepingComputer summarized Unit 42 research on a state-aligned espionage group tracked as TGR-STA-1030/UNC6619 conducting global operations dubbed Shadow Campaigns. The report said the actor compromised at least 70 government and critical infrastructure organizations across 37 countries and conducted reconnaissance activity targeting government entities connected to 155 countries during NovDec 2025. The article describes initial access via tailored phishing (Mega-hosted archives) and exploitation of multiple known vulnerabilities, use of webshells and tunneling tools, and a custom Linux eBPF rootkit (ShadowGuard)
At least one official in Ukraine's Defense Forces
October 1, 2025
•[ phishing, malware, backdoor ]
BleepingComputer reported that officials of Ukraines Defense Forces were targeted in a charity-themed operation between October and December 2025 that delivered a backdoor malware family called PluggyApe. CERT-UA assessed the activity as likely linked to the Russian-aligned threat group known as Void Blizzard (also referred to as Laundry Bear), with medium confidence in attribution. The infection chain described begins with instant messages over Signal or WhatsApp directing targets to a purported charity website and prompting them to download a password-protected archive containing documents, which then leads to backdoor execution and follow-on access for information theft. The report focuses on the campaigns TTPs and targeting rather than publishing a confirmed list of compromised entities.
Foreign embassies in Moscow
July 30, 2025
•[ cyber espionage ]
MarketScreener cites Microsoft: Russias FSB targeted foreign embassies in Moscow in a cyber espionage campaign.
baltictimes.com
December 19, 2019
•[ cyber espionage, influence campaign, disinformation ]
Ghostwriter, a suspected Belarus-backed hacking group, has compromised websites and email accounts in Latvia, Lithuania, and Poland'to publish fabricated documents pushing anti-North Atlantic Treaty Organization (NATO) narratives consistent with Kremlin talking points. The influence campaign started in 2017.
