Afghanistan Ministry of Finance
May 29, 2026
•[ spear-phishing, malware, XenoRAT ]
SideCopy, a suspected Pakistan-linked threat group, targeted Afghanistan's Ministry of Finance and provincial revenue and finance directorates with spear-phishing emails containing a malicious ZIP/LNK file in Pashto. When executed, the malware chain installed XenoRAT, enabling long-term remote access, spying on infected computers, and additional malicious activity.
Undisclosed Myanmar government entity
April 30, 2026
•[ cyber espionage, vulnerability exploitation, web shells ]
Shadow-Earth-053, a China-aligned espionage cluster, was reported to have compromised an undisclosed Myanmar government environment by exploiting unpatched Microsoft Exchange and IIS servers, deploying web shells and ShadowPad, collecting credentials, and exporting mailbox contents.
Undisclosed Sri Lankan government entity
April 30, 2026
•[ cyber espionage, Shadow-Earth-053, unpatched servers ]
Shadow-Earth-053, a China-aligned espionage cluster, was reported to have compromised an undisclosed Sri Lankan government environment by exploiting unpatched Microsoft Exchange and IIS servers, deploying web shells and ShadowPad, collecting credentials, and exporting mailbox contents.
Undisclosed Pakistani government entity
April 30, 2026
•[ cyber espionage, Shadow-Earth-053, Microsoft Exchange ]
Shadow-Earth-053, a China-aligned espionage cluster, was reported to have compromised an undisclosed Pakistani government environment by exploiting unpatched Microsoft Exchange and IIS servers, deploying web shells and ShadowPad, collecting credentials, and exporting mailbox contents.
At least one compromised Iranian device
April 13, 2026
•[ spyware, cyber espionage, Pegasus ]
The article reports that the US Central Intelligence Agency used Israeli-made Pegasus spyware as part of a deception campaign inside Iran during an operation to rescue a downed American airman. According to the report, Pegasus was used to send fake messages to Iranian leadership and Islamic Revolutionary Guard Corps (IRGC) operatives, making it appear the missing airman had already been located. The piece says Pegasus enabled messages to be sent through apps like WhatsApp and Signal that looked like they came from compromised devices, helping mislead Iranian forces during the rescue effort. The report also says the CIA used a separate classified system called Ghost Murmur to locate the airman by detecting a heartbeat from a distance, though experts cited in the article expressed skepticism about that capability.
Undisclosed critical infrastructure organization
April 6, 2026
•[ Chinese-nexus intrusions, critical infrastructure, lateral movement ]
Darktrace reported Chinese-nexus intrusions affecting critical infrastructure organizations, with some high-value intrusions involving lateral movement before data exfiltration.
FBI Director Kash Patel's personal Gmail
March 27, 2026
•[ data leak, email breach, state-sponsored attack ]
Iran-linked group Handala claimed it breached FBI Director Kash Patel's personal Gmail account and published historical emails, photographs, and files; the FBI said the exposed material did not involve government information.
The Ukrainian State Hydrology Agency
March 19, 2026
•[ phishing, vulnerability exploitation, XSS ]
BleepingComputer reported that Russia-linked APT28 (GRU) exploited a Zimbra Collaboration Suite vulnerability (CVE-2025-66376) in attacks targeting Ukrainian government entities. Researchers described a phishing operation (Operation GhostMail) where a single HTML email body triggered obfuscated JavaScript exploiting the Zimbra XSS flaw when opened in a vulnerable webmail session. The payload was described as harvesting credentials, session tokens, backup 2FA codes, browser-saved passwords, and mailbox contents going back 90 days, with exfiltration over DNS and HTTPS. One referenced target was the Ukrainian State Hydrology Agency.
Iraqi Ministry of Foreign Affairs email account
March 12, 2026
•[ cyber espionage, phishing, intelligence collection ]
Proofpoint reported a surge in Iran-linked and conflict-themed cyber espionage activity targeting governments, diplomats, and organizations across the Middle East, often using compromised government email accounts to deliver phishing lures and collect intelligence. Check Point analysis cited overlaps between Iran-linked actors (including MuddyWater and Void Manticore/Handala) and cybercrime tools and infrastructure. This is campaign-level reporting with neither a single named victim incident nor bounded primary-effect metrics.
One Syrian government email account
March 12, 2026
•[ phishing, credential harvesting, account compromise ]
Proofpoint also observed activity from a cluster tracked as UNK_NightOwl that sent phishing emails to a Middle Eastern government ministry using both a compromised Syrian government account and an attacker-controlled address. The emails referenced the escalating conflict and directed recipients to a domain spoofing Microsoft OneDrive that hosted an Outlook Web App-style credential harvesting page before redirecting victims to a legitimate conflict monitoring site.
At least one Dutch government official
March 9, 2026
•[ social engineering, phishing, state-sponsored hackers ]
Dutch intelligence services warned that Russian state hackers are attempting to gain access to large numbers of Signal and WhatsApp accounts belonging to senior officials, military personnel, and civil servants worldwide. The campaign uses social engineering to trick users into revealing verification and PIN codes, including posing as a Signal support chatbot. The report notes Dutch government employees have also been targeted and, in some cases, compromised. This is campaign/advisory reporting rather than a single discrete victim event.
At least one Ukrainian government organization
March 1, 2026
•[ spear-phishing, malware, cyber espionage ]
Ghostwriter, also tracked as FrostyNeighbor, UNC1151, UAC-0057, TA445, PUSHCHA, Storm-0257, and related names, conducted a March 2026 spear-phishing campaign against Ukrainian government organizations. The campaign used malicious PDF lures impersonating Ukrtelecom, geofenced delivery to Ukrainian IP addresses, JavaScript PicassoLoader, host fingerprinting, and selective delivery of Cobalt Strike Beacon. Although no specific Ukrainian government agency was publicly named, reporting described successful compromise activity against Ukrainian government targets; no stolen data volume was reported.
Singtel
February 10, 2026
•[ cyber espionage, telecom infrastructure, network data exfiltration ]
Singapore confirmed that China-linked cyber espionage group UNC3886 targeted the country's telecom infrastructure, including Singtel. The government said attackers gained limited access to parts of telecom systems, did not disrupt services, and did not access personal data, but did exfiltrate a small amount of technical (network-related) data to advance operational objectives.
StarHub
February 10, 2026
•[ cyber espionage, state-sponsored, data exfiltration ]
Singapore confirmed that China-linked cyber espionage group UNC3886 targeted the country's telecom infrastructure, including StarHub. The government said attackers gained limited access to parts of telecom systems, did not disrupt services, and did not access personal data, but did exfiltrate a small amount of technical (network-related) data to advance operational objectives.
M1
February 10, 2026
•[ cyber espionage, telecom infrastructure, technical data exfiltration ]
Singapore confirmed that China-linked cyber espionage group UNC3886 targeted the country's telecom infrastructure, including M1. The government said attackers gained limited access to parts of telecom systems, did not disrupt services, and did not access personal data, but did exfiltrate a small amount of technical (network-related) data to advance operational objectives.
Simba Telecom
February 10, 2026
•[ cyber espionage, network data exfiltration, telecom infrastructure ]
Singapore confirmed that China-linked cyber espionage group UNC3886 targeted the country's telecom infrastructure, including Simba Telecom. The government said attackers gained limited access to parts of telecom systems, did not disrupt services, and did not access personal data, but did exfiltrate a small amount of technical (network-related) data to advance operational objectives.
Undisclosed U.S. organization
February 1, 2026
•[ cyber espionage, APT, backdoor ]
HackRead reported that researchers linked a campaign observed in early February 2026 to Iran-aligned APT MuddyWater, described as operating under Iran's Ministry of Intelligence and Security. The report stated attackers infiltrated networks of several U.S. organizations across sectors (including banking and aviation) and an Israeli software development services operation, maintaining persistence and using a new custom backdoor called Dindoor to remotely issue commands and sustain access. The article describes espionage tradecraft and persistence but does not list specific victims or confirm specific data stolen.
At least one government, military, and technology entity in Ukraine
January 30, 2026
•[ APT, vulnerability exploitation, state-sponsored attack ]
Security researchers reported that state-sponsored advanced persistent threat groups exploited a WinRAR vulnerability in real-world attacks that successfully compromised at least one government, military, and technology organization in Ukraine, using malicious archive files to gain unauthorized access to victim systems.
At least one blockchain developer
January 22, 2026
•[ phishing, blockchain, credential theft ]
IT technicians and blockchain developers were targeted in a phishing campaign attributed to the NGB 3rd Technical Surveillance Bureau (KONNI/APT37), resulting in unauthorized access to end-user systems and the compromise of stored development and infrastructure credentials.
At least one Afghan government worker
January 20, 2026
•[ phishing, malware, data exfiltration ]
The Record reported that attackers targeted Afghan government workers with phishing emails disguised as official correspondence from the office of the country's prime minister. Researchers said the campaign, first detected in December, used a decoy document resembling a government letter (including a forged signature) to entice recipients in ministries/administrative offices to open it. Once opened, the document delivered malware dubbed FalseCub, designed to collect and exfiltrate data from infected computers. The report is focused on the campaign and malware behavior; it does not list specific compromised agencies, confirmed infection counts, or stolen data volumes, so impacts are coded as undetermined.