Full List

Search

Search Results (espionage)

• At least one US government official January 19, 2026 • [ spearphishing, espionage, DLL sideloading ] HackRead summarized Acronis research describing an espionage-oriented spearphishing campaign targeting U.S. government entities using Venezuela-related news as bait. The described chain used a lure archive and DLL sideloading to load a backdoor dubbed LOTUSLITE, enabling remote access actions such as file collection and command execution on compromised systems. The article stated the researchers attributed the activity with moderate confidence to the China-backed group Mustang Panda (aka HoneyMyte).
• Congressional Staff email platform January 11, 2026 • [ cyber intrusion, state-backed hacking, email compromise ] TechStory reported that a cyber intrusion linked to the China-associated group known as Salt Typhoon compromised email systems used by staff supporting multiple powerful U.S. House committees (including foreign affairs, intelligence, and defense-related panels). The report said the intrusions were detected in December 2025, but investigators were still determining how long access persisted, what data was viewed or extracted, and whether any lawmakers personal accounts were affected. U.S. agencies and House offices were described as offering limited public comment while investigations continued, and China was reported as denying allegations of state-backed hacking.
• At least one Telecom company in South Asia January 8, 2026 • [ espionage, malware, threat intelligence ] The Hacker News summarized Cisco Talos research attributing espionage-focused intrusions to a China-nexus actor tracked as UAT-7290. The campaign reportedly targets telecom entities in South Asia and Southeastern Europe, performing extensive reconnaissance followed by compromise activity that can lead to deployment of malware families including RushDrop, DriveSwitch, and SilentRaid. The article is threat-intelligence reporting focused on actor behavior, tooling, and geographic targeting, and it does not provide a bounded, single victim incident record with confirmed impact metrics (e.g., downtime or specific data stolen) for one named organization.
• At least one government official January 1, 2026 • [ espionage, phishing, surveillance tools ] A Mustang Panda espionage campaign (late Dec 2025 to mid-Jan 2026) using fake diplomatic briefing documents to trick high-level targets into installing surveillance tools. It does not provide a single named victim organization with a confirmed primary effect suitable for one incident record; it is campaign-level reporting.
• Undetermined government and diplomatic entities (Oman, Morocco, Palestinian Authority) December 12, 2025 • [ malware, information theft, espionage ] The Record summarized threat-intelligence reporting alleging a Hamas-affiliated group (called Ashen Lepus) used malware-laden documents to compromise multiple government and diplomatic entities tied to Oman, Morocco, and the Palestinian Authority, including a malware strain referred to as AshTag used for information theft.
• China Xinchuang Initiative (at least one affiliated organization) December 9, 2025 • [ phishing, malware, espionage ] Security researchers reported a spear-phishing and malware campaign attributed to APT32 that successfully compromised at least one organization within Chinas Xinchuang Initiative IT ecosystem, resulting in unauthorized access for espionage purposes.
• At least one policy expert on Iran November 5, 2025 • [ phishing, credential theft, espionage ] The Hacker News, citing a Proofpoint investigation, describes a newly identified threat cluster dubbed UNK_SmudgedSerpent conducting credential phishing and remote access operations against more than twenty Iran focused subject matter experts at a U.S. based foreign policy think tank between June and August 2025, amid heightened IranIsrael tensions. Attackers impersonated prominent policy figures and used benign email conversations to lure victims to fake Microsoft Teams and OnlyOffice login pages hosted on health themed domains that captured account credentials. In some cases the operation progressed to deploying legitimate remote monitoring tools such as PDQ Connect and ISL Online for hands on keyboard access, supporting longer term espionage against the target institution and aligning with tactics used by established Iranian cyber intelligence groups.
• An undisclosed critical infrastructure company in Zambia November 1, 2025 • [ espionage, phishing, vulnerability exploitation ] BleepingComputer summarized Unit 42 research on a state-aligned espionage group tracked as TGR-STA-1030/UNC6619 conducting global operations dubbed Shadow Campaigns. The report said the actor compromised at least 70 government and critical infrastructure organizations across 37 countries and conducted reconnaissance activity targeting government entities connected to 155 countries during NovDec 2025. The article describes initial access via tailored phishing (Mega-hosted archives) and exploitation of multiple known vulnerabilities, use of webshells and tunneling tools, and a custom Linux eBPF rootkit (ShadowGuard), but it does not provide a single discrete victim organization record with a specific primary effect suitable for one CED event entry.
• Two undisclosed government departments in a South American country October 22, 2025 • [ vulnerability exploitation, espionage, data leak ] Actors exploited a patched SharePoint ToolShell flaw to gain initial access at a telecom, harvest credentials, and pivot across AD-joined systems. Activity included beaconing and data staging consistent with telecom espionage. No operational shutdown reported; primary effect is unauthorized access and data collection.
• National Time Service Center October 20, 2025 • [ espionage, state-sponsored attack ] China accuses U.S. NSA of cyber-espionage against NTSC timing systems
• Russian IT service provider October 15, 2025 • [ data leak, espionage, apt ] China-linked Jewelbug infiltrated Russian IT provider for months, exfiltrating repositories and data
• MAYA Systems Ltd. October 12, 2025 • [ data leak, hacktivism, espionage ] An Iran-linked hacktivist group known as Cyber Toufan claimed responsibility for breaching Israeli defense contractor MAYA Systems in October 2025, stealing and releasing files allegedly showing Iron Beam laser-defense system designs and other IDF technologies. Israeli authorities have not verified the authenticity of the leaked materials.
• Francesco Gaetano Caltagirone October 9, 2025 • [ spyware, espionage, government ] Report that Graphite spyware was used to spy on the businessman; tool sold to governments.
• Williams & Connolly October 8, 2025 • [ espionage, state-sponsored attack, data leak ] Breach of U.S. law firm with major political clients linked to Chinese espionage campaign.
• Kansas City National Security Campus network October 1, 2025 • [ vulnerability exploitation, espionage, nation-state actor ] CSO reports KCNSC (NNSA nuclear components plant) was infiltrated via unpatched on-prem SharePoint. Microsoft tied the wider wave to China-linked actors, while a KCNSC source suggested a Russian group; DOE later said the department was minimally impacted. Primary effect: covert access/collection, not OT disruption.
• At least one organization in Southeast Asia October 1, 2025 • [ espionage, APT activity, vulnerability exploitation ] BleepingComputer summarized Check Point research on a newly tracked actor Amaranth Dragon, linked to China-aligned APT activity, which exploited WinRAR CVE-2025-8088 in espionage operations against government and law enforcement entities in Singapore, Thailand, Indonesia, Cambodia, Laos, and the Philippines. The actor used geofenced infrastructure and a custom loader to deliver encrypted payloads (including Havoc and a newer TGAmaranth RAT using Telegram for C2). Because the article is campaign/threat-research reporting without a discrete, named victim event record and bounded impacts, event_type and event_subtype are coded as NA for CED incident purposes.
• At least one undisclosed government entity in the MENA region September 1, 2025 • [ espionage, malware, government ] Reporting indicates a sustained espionage wave using updated Phoenix implants against government entities, with goals of persistence and data collection rather than overt disruption; activity aligns with prior MuddyWater TTPs and region-focused intelligence objectives.
• Undisclosed Indian government or infrastructure organisation(s) September 1, 2025 • [ espionage, malware, credential theft ] Pakistan-linked APT36 used themed lures and HTML/shortcut droppers to deliver cross-platform implants on Windows and BOSS Linux systems used by Indian government organizations, enabling credential theft, persistence and covert collection. Activity is espionage-oriented with no reported service outage.
• Government, tech, academic & telecom entities; global August 22, 2025 • [ espionage, malware, government ] CrowdStrike reports that multiple Chinese-linked groupsMurky Panda, Genesis Panda, and Glacial Pandahave exploited vulnerabilities (e.g., Citrix CVE-2023-3519, Commvault CVE-2025-3928) to deploy the CloudedHope malware for covert espionage against cloud, telecom, government, tech, academic, legal, and professional services organizations worldwide.
• Multiple critical infrastructure sectors (via Cisco devices) August 20, 2025 • [ espionage, technology ] FBI and Cisco warn of ongoing Russian FSB Center 16 campaign exploiting CVE-2018-0171 in Cisco Smart Install, compromising thousands of network devices across critical infrastructure globally for reconnaissance and persistent access.