Undisclosed strategic advisory firm in the US
January 8, 2026
•[ spearphishing, QR codes, credential theft ]
An FBI flash alert described North Korea-linked Kimsuky (APT43) using spearphishing emails that contain QR codes to lure recipients to fake questionnaires, secure-drive links, or login pages, with the goal of stealing credentials or session tokens and hijacking cloud identities. The warning said the observed targeting includes U.S. organizations involved in North Korea policy/research/analysis such as NGOs, think tanks, academic institutions, strategic advisory firms, and government entities. The alert included examples (e.g., a June 2025 conference-invite lure) and explained that QR-driven flows can bypass traditional email controls by shifting the interaction to unmanaged mobile devices.
At least one organization in Southeastern Europe
January 8, 2026
•[ cyber espionage, vulnerability exploitation, SSH brute force ]
BleepingComputer reported on Cisco Talos research describing a sophisticated China-nexus actor tracked as UAT-7290 targeting telecommunications providers, historically in South Asia and recently expanded into Southeastern Europe. The group was described as conducting extensive reconnaissance and using one-day exploits plus target-specific SSH brute force to compromise public-facing edge devices for initial access and privilege escalation. Talos reported the actor deploys a primarily Linux-based malware suite (with occasional Windows implants) and establishes Operational Relay Box (ORB) infrastructure that can be used by other China-aligned threat actors. The report is campaign-level and does not enumerate a single named victim breach event date.
Former Minister Ayelet Shaked
January 3, 2026
•[ data leak, unauthorized access, cyber espionage ]
Iran-linked hacking group Handala claimed it breached the mobile phone of former Israeli minister Ayelet Shaked and published roughly 60 photos and videos it said were stolen from her device. The group alleged it held additional messages, documents, and other confidential material and urged followers to expect further releases. The reported effect is limited to alleged unauthorized access and data theft/exposure involving a single political figure, with no operational disruption to organizations reported.
Knownsec
November 9, 2025
•[ data leak, cyber espionage, malware ]
According to coverage in The Register of research by the Chinese blog MXRN, attackers breached the systems of Beijing-linked security company Knownsec and leaked more than twelve thousand classified documents describing Chinese state cyber weapons, internal tools and global targeting lists, along with code for remote access trojans that can compromise major desktop and mobile operating systems. The cache also reportedly includes a spreadsheet of 80 successfully attacked overseas targets and massive datasets, such as Indian immigration records, South Korean telecom call logs and Taiwanese road planning information, that Knownsec had previously obtained in offensive operations; some of this material was briefly published to GitHub before being removed.
Australian Treasury Department
November 1, 2025
•[ cyber espionage, phishing, Shadow Campaigns ]
BleepingComputer summarized Unit 42 research on a state-aligned espionage group tracked as TGR-STA-1030/UNC6619 conducting global operations dubbed Shadow Campaigns. The report said the actor compromised at least 70 government and critical infrastructure organizations across 37 countries and conducted reconnaissance activity targeting government entities connected to 155 countries during November and December 2025. The article describes initial access via tailored phishing (Mega-hosted archives) and exploitation of multiple known vulnerabilities, the use of webshells and tunneling tools, and a custom Linux eBPF rootkit (ShadowGuard).
At least one official in Ukraine's Defense Forces
October 1, 2025
•[ phishing, malware, backdoor ]
BleepingComputer reported that officials of Ukraine's Defense Forces were targeted in a charity-themed operation between October and December 2025 that delivered a backdoor malware family called PluggyApe. CERT-UA assessed the activity as likely linked to the Russian-aligned threat group known as Void Blizzard (also referred to as Laundry Bear), with medium confidence in attribution. The infection chain described begins with instant messages over Signal or WhatsApp directing targets to a purported charity website and prompting them to download a password-protected archive containing documents, which then leads to backdoor execution and follow-on access for information theft. The report focuses on the campaign's TTPs and targeting rather than publishing a confirmed list of compromised entities.
Foreign embassies in Moscow
July 30, 2025
•[ cyber espionage ]
MarketScreener cites Microsoft: Russia's FSB targeted foreign embassies in Moscow in a cyber espionage campaign.
Undisclosed Mongolian government entity
January 1, 2025
•[ cyber espionage, backdoor, data exfiltration ]
In January 2025, China-aligned GopherWhisper deployed Go-based backdoors and an exfiltration tool on roughly a dozen systems at an undisclosed Mongolian government institution, using Discord, Slack, Microsoft 365 Outlook, and File.io for command-and-control and data exfiltration.
baltictimes.com
December 19, 2019
•[ cyber espionage, influence campaign, disinformation ]
Ghostwriter, a suspected Belarus-backed hacking group, has compromised websites and email accounts in Latvia, Lithuania, and Poland to publish fabricated documents pushing anti-North Atlantic Treaty Organization (NATO) narratives consistent with Kremlin talking points. The influence campaign started in 2017.