Presidential Office of the Republic of North Macedonia
May 21, 2026
•[ insider threat, espionage, data theft ]
An unnamed IT administrator in the Presidential Office of the Republic of North Macedonia was reportedly suspected of copying, decrypting, encrypting, and storing confidential state data from presidential administration computer systems, with allegations that the material may have been intended for a foreign intelligence service. Public reporting did not name the administrator, identify the foreign service, quantify the data, or confirm operational disruption.
Undisclosed Thai government entity
April 30, 2026
•[ espionage, vulnerability exploitation, web shells ]
Shadow-Earth-053, a China-aligned espionage cluster, was reported to have compromised an undisclosed Thai government environment by exploiting unpatched Microsoft Exchange and IIS servers, deploying web shells and ShadowPad, collecting credentials, and exporting mailbox contents.
Undisclosed Taiwanese government entity
April 30, 2026
•[ espionage, state-sponsored, web shells ]
Shadow-Earth-053, a China-aligned espionage cluster, was reported to have compromised an undisclosed Taiwanese government environment by exploiting unpatched Microsoft Exchange and IIS servers, deploying web shells and ShadowPad, collecting credentials, and exporting mailbox contents.
Undisclosed Polish defense-sector organization
April 30, 2026
•[ espionage, web shells, ShadowPad ]
Shadow-Earth-053, a China-aligned espionage cluster, was reported to have compromised an undisclosed Polish defense-sector organization by exploiting unpatched Microsoft Exchange and IIS servers, deploying web shells and ShadowPad, collecting credentials, and exporting mailbox contents.
Undisclosed Malaysian government entity
April 30, 2026
•[ espionage, vulnerability exploitation, unpatched software ]
Shadow-Earth-053, a China-aligned espionage cluster, was reported to have compromised an undisclosed Malaysian government environment by exploiting unpatched Microsoft Exchange and IIS servers, deploying web shells and ShadowPad, collecting credentials, and exporting mailbox contents.
Undisclosed Indian government entity
April 30, 2026
•[ espionage, web shell, ShadowPad ]
Shadow-Earth-053, a China-aligned espionage cluster, was reported to have compromised an undisclosed Indian government environment by exploiting unpatched Microsoft Exchange and IIS servers, deploying web shells and ShadowPad, collecting credentials, and exporting mailbox contents.
Former Mossad Chief Tamir Pardo
March 25, 2026
•[ data leak, espionage, email breach ]
Handala published material from the personal Gmail account of former Mossad chief Tamir Pardo, and later reporting said the leak included business correspondence and a draft letter addressed to a CIA chief.
At least one member of the Ukrainian armed forces
March 16, 2026
•[ espionage, spyware, phishing ]
The Record reported researchers attributed a new espionage campaign targeting Ukrainian organizations to the Russia-linked group Laundry Bear (Void Blizzard), active since at least 2024. The campaign used spyware embedded in documents themed around Starlink satellite terminals and a well-known Ukrainian charity. The article is campaign reporting (multiple targets) and does not provide a single named victim incident with bounded impact metrics.
Israeli surveillance cameras
March 10, 2026
•[ espionage, security cameras, password security ]
Israel's National Cyber Directorate stated it had identified dozens of Iranian breaches into security cameras for espionage purposes since the start of the regional war. The directorate said it was alerting hundreds of camera owners and urged the public to change passwords and update software to reduce both national and personal security risk.
Tehran traffic cameras
March 3, 2026
•[ hacking, surveillance, espionage ]
DataBreaches summarized reporting alleging Israeli intelligence hacked or accessed a very large portion of Tehran's traffic camera network over multiple years to track senior Iranian officials, including Ayatollah Ali Khamenei. The reporting claimed real-time camera data (including cameras around Khamenei's compound) was encrypted and transmitted to servers in Israel and used to build pattern-of-life intelligence, such as where security teams parked vehicles.
Undisclosed Qatari organization
March 1, 2026
•[ DLL hijacking, PlugX, backdoor malware ]
HackRead summarized Check Point Research describing a China-linked campaign beginning March 1, 2026 that used conflict-themed lures and DLL hijacking to install PlugX backdoor malware against targets in Qatar. The report described lures disguised as war news and a separate energy-sector lure delivering a Rust loader and ultimately Cobalt Strike, with the goal of espionage against Qatar's military and oil/gas interests.
170 Ukrainian prosecutors and investigators
March 1, 2026
•[ espionage, email compromise, state-sponsored ]
Russia-linked hackers compromised Ukrainian prosecutors' and investigators' email accounts as part of a broader email-espionage campaign involving at least 284 inboxes.
Undisclosed South Korean electronics manufacturer
February 20, 2026
•[ espionage, DLL side-loading, reconnaissance ]
MuddyWater, an Iran-linked actor associated with the Ministry of Intelligence and Security (MOIS) and also tracked as Seedworm, breached a major South Korean electronics manufacturer in February 2026 as part of a broader espionage campaign. The actor spent about one week inside the victim network, abused signed Fortemedia and SentinelOne binaries for DLL side-loading, conducted reconnaissance and credential-access activity, and exfiltrated data through a public file-transfer service.
At least one US government official
January 19, 2026
•[ spearphishing, espionage, DLL sideloading ]
HackRead summarized Acronis research describing an espionage-oriented spearphishing campaign targeting U.S. government entities using Venezuela-related news as bait. The described chain used a lure archive and DLL sideloading to load a backdoor dubbed LOTUSLITE, enabling remote access actions such as file collection and command execution on compromised systems. The article stated the researchers attributed the activity with moderate confidence to the China-backed group Mustang Panda (aka HoneyMyte).
Congressional Staff email platform
January 11, 2026
•[ cyber intrusion, state-backed hacking, email compromise ]
TechStory reported that a cyber intrusion linked to the China-associated group known as Salt Typhoon compromised email systems used by staff supporting multiple powerful U.S. House committees (including foreign affairs, intelligence, and defense-related panels). The report said the intrusions were detected in December 2025, but investigators were still determining how long access persisted, what data was viewed or extracted, and whether any lawmakers' personal accounts were affected. U.S. agencies and House offices were described as offering limited public comment while investigations continued, and China was reported as denying allegations of state-backed hacking.
At least one Telecom company in South Asia
January 8, 2026
•[ espionage, malware, threat intelligence ]
The Hacker News summarized Cisco Talos research attributing espionage-focused intrusions to a China-nexus actor tracked as UAT-7290. The campaign reportedly targets telecom entities in South Asia and Southeastern Europe, performing extensive reconnaissance followed by compromise activity that can lead to deployment of malware families including RushDrop, DriveSwitch, and SilentRaid. The article is threat-intelligence reporting focused on actor behavior, tooling, and geographic targeting, and it does not provide a bounded, single victim incident record with confirmed impact metrics (e.g., downtime or specific data stolen) for one named organization.
At least one government official
January 1, 2026
•[ espionage, phishing, surveillance tools ]
Reporting described a Mustang Panda espionage campaign (late December 2025 to mid-January 2026) that used fake diplomatic briefing documents to trick high-level targets into installing surveillance tools. It is campaign-level reporting and does not provide a single named victim organization with a confirmed primary effect suitable for one incident record.
At least one unnamed victim organization
January 1, 2026
•[ social engineering, credential theft, MFA manipulation ]
MuddyWater, an Iran-linked APT associated with Iran's Ministry of Intelligence and Security (MOIS), used Microsoft Teams social engineering against an unnamed victim organization in early 2026. The attackers established remote access, stole credentials, manipulated MFA protections, deployed AnyDesk and DWAgent for persistence, moved laterally, harvested VPN configuration files and other sensitive data, and exfiltrated information. The attackers later sent extortion emails referencing Chaos ransomware and directed the victim to a Chaos leak site, but reporting said no file-encrypting ransomware was deployed, indicating the ransomware framing was likely a false flag for espionage activity.
Venezuelan Ministry of Foreign Affairs
January 1, 2026
•[ espionage, state-sponsored attack, data breach ]
The same China-linked espionage campaign that compromised the Cuban Embassy in Washington D.C. also reportedly exploited Microsoft Exchange servers used by Venezuela's Ministry of Foreign Affairs and accessed officials' email communications during the same January 2026 regional campaign.
Undetermined government and diplomatic entities (Oman, Morocco, Palestinian Authority)
December 12, 2025
•[ malware, information theft, espionage ]
The Record summarized threat-intelligence reporting alleging a Hamas-affiliated group (called Ashen Lepus) used malware-laden documents to compromise multiple government and diplomatic entities tied to Oman, Morocco, and the Palestinian Authority, including a malware strain referred to as AshTag used for information theft.