Undetermined government and diplomatic entities (Oman, Morocco, Palestinian Authority)
December 12, 2025
•[ malware, information theft, espionage ]
The Record summarized threat-intelligence reporting alleging a Hamas-affiliated group (called Ashen Lepus) used malware-laden documents to compromise multiple government and diplomatic entities tied to Oman, Morocco, and the Palestinian Authority, including a malware strain referred to as AshTag used for information theft.
China Xinchuang Initiative (at least one affiliated organization)
December 9, 2025
•[ phishing, malware, espionage ]
Security researchers reported a spear-phishing and malware campaign attributed to APT32 that successfully compromised at least one organization within Chinas Xinchuang Initiative IT ecosystem, resulting in unauthorized access for espionage purposes.
At least one policy expert on Iran
November 5, 2025
•[ phishing, credential theft, espionage ]
The Hacker News, citing a Proofpoint investigation, describes a newly identified threat cluster dubbed UNK_SmudgedSerpent conducting credential phishing and remote access operations against more than twenty Iran focused subject matter experts at a U.S. based foreign policy think tank between June and August 2025, amid heightened IranIsrael tensions. Attackers impersonated prominent policy figures and used benign email conversations to lure victims to fake Microsoft Teams and OnlyOffice login pages hosted on health themed domains that captured account credentials. In some cases the operation progressed to deploying legitimate remote monitoring tools such as PDQ Connect and ISL Online for hands on keyboard access, supporting longer term espionage against the target institution and aligning with tactics used by established Iranian cyber intelligence groups.
Two undisclosed government departments in a South American country
October 22, 2025
•[ vulnerability exploitation, espionage, data leak ]
Actors exploited a patched SharePoint ToolShell flaw to gain initial access at a telecom, harvest credentials, and pivot across AD-joined systems. Activity included beaconing and data staging consistent with telecom espionage. No operational shutdown reported; primary effect is unauthorized access and data collection.
National Time Service Center
October 20, 2025
•[ espionage, state-sponsored attack ]
China accuses U.S. NSA of cyber-espionage against NTSC timing systems
Russian IT service provider
October 15, 2025
•[ data leak, espionage, apt ]
China-linked Jewelbug infiltrated Russian IT provider for months, exfiltrating repositories and data
MAYA Systems Ltd.
October 12, 2025
•[ data leak, hacktivism, espionage ]
An Iran-linked hacktivist group known as Cyber Toufan claimed responsibility for breaching Israeli defense contractor MAYA Systems in October 2025, stealing and releasing files allegedly showing Iron Beam laser-defense system designs and other IDF technologies. Israeli authorities have not verified the authenticity of the leaked materials.
Francesco Gaetano Caltagirone
October 9, 2025
•[ spyware, espionage, government ]
Report that Graphite spyware was used to spy on the businessman; tool sold to governments.
Williams & Connolly
October 8, 2025
•[ espionage, state-sponsored attack, data leak ]
Breach of U.S. law firm with major political clients linked to Chinese espionage campaign.
Kansas City National Security Campus network
October 1, 2025
•[ vulnerability exploitation, espionage, nation-state actor ]
CSO reports KCNSC (NNSA nuclear components plant) was infiltrated via unpatched on-prem SharePoint. Microsoft tied the wider wave to China-linked actors, while a KCNSC source suggested a Russian group; DOE later said the department was minimally impacted. Primary effect: covert access/collection, not OT disruption.
At least one undisclosed government entity in the MENA region
September 1, 2025
•[ espionage, malware, government ]
Reporting indicates a sustained espionage wave using updated Phoenix implants against government entities, with goals of persistence and data collection rather than overt disruption; activity aligns with prior MuddyWater TTPs and region-focused intelligence objectives.
Undisclosed Indian government or infrastructure organisation(s)
September 1, 2025
•[ espionage, malware, credential theft ]
Pakistan-linked APT36 used themed lures and HTML/shortcut droppers to deliver cross-platform implants on Windows and BOSS Linux systems used by Indian government organizations, enabling credential theft, persistence and covert collection. Activity is espionage-oriented with no reported service outage.
Government, tech, academic & telecom entities; global
August 22, 2025
•[ espionage, malware, government ]
CrowdStrike reports that multiple Chinese-linked groupsMurky Panda, Genesis Panda, and Glacial Pandahave exploited vulnerabilities (e.g., Citrix CVE-2023-3519, Commvault CVE-2025-3928) to deploy the CloudedHope malware for covert espionage against cloud, telecom, government, tech, academic, legal, and professional services organizations worldwide.
Multiple critical infrastructure sectors (via Cisco devices)
August 20, 2025
•[ espionage, technology ]
FBI and Cisco warn of ongoing Russian FSB Center 16 campaign exploiting CVE-2018-0171 in Cisco Smart Install, compromising thousands of network devices across critical infrastructure globally for reconnaissance and persistent access.
Foreign embassies in Moscow (multiple missions)
July 31, 2025
•[ espionage, malware, government ]
FSB-linked APT Secret Blizzard (Turla) used ISP-level access in Russia to deliver espionage malware against multiple foreign embassies in Moscow; campaign disclosed by Microsoft. Data stolen likely includes diplomatic emails/credentials; exact volume not reported.
One undisclosed university in the United States
July 15, 2025
•[ espionage, vulnerability exploitation, malware ]
China-linked operators abused CVE-2025-53770 (ToolShell) weeks after Microsofts July patch to gain initial access at a telecom, escalate privileges (e.g., PetitPotam), harvest credentials, and deploy ShadowPad/Zingdoor/KrustyLoader for persistent espionage against telecom and government networks. Primary effect was covert access and collection, not service outage.
Undisclosed European telecommunications company
July 15, 2025
•[ espionage, vulnerability exploitation, malware ]
China-nexus operators breached a telecom by exploiting an edge service (e.g., NetScaler/SharePoint), then established persistence with SnappyBee-family tooling, harvested credentials and moved laterally to support systems for intelligence collection. No service interruption reported; primary effect is covert access and data staging.
Wiley Rein LLP
July 12, 2025
•[ espionage, unauthorized access, state-sponsored attack ]
Firm notified clients that Microsoft 365 accounts of certain personnel were accessed in an apparent intelligence-gathering operation; suspected China-affiliated group.
Undisclosed European telecommunications organisation
July 3, 2025
•[ espionage, malware, vulnerability exploitation ]
Darktrace reports a China-aligned espionage actor (Salt Typhoon) breached a European telecom by exploiting a Citrix NetScaler Gateway, deploying SnappyBee malware for persistence and data staging. Activity reflects classic intelligence collection rather than service disruption; defenders observed beaconing, credential access, and movement to support systems.
Undisclosed Ukrainian local government entity
July 1, 2025
•[ espionage, webshell, intrusion ]
Symantec observed multi-week summer 2025 espionage intrusion against a Ukrainian local government network using LocalOlive webshell and dual-use Windows tools; no operational disruption reported.
